Typo in Scraperr.

Slight changes to Scraperr services.
Auto Merge of PR 38 - dawarich-misc-fixes
2025-04-20 09:55:23 -04:00 · 2025-04-20 08:12:16 -04:00 · 2025-04-17 12:12:41 -04:00 · 2025-04-17 16:08:36 +00:00 · 2025-04-17 10:55:04 -04:00 · 2025-04-17 09:53:32 -04:00
74 changed files with 12256 additions and 5993 deletions
@@ -1,75 +0,0 @@
 name: Gitea Branch PR, SonarQube Analyze, and Merge Workflow
 on:
  push:
    branches-ignore:
      - main
 jobs:
  # Job 1: Check if PR exists and create one if the branch is new
  check-and-create-pr:
    name: Check and Create PR
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v4
      - name: PR list
        id: list-prs
        run: |
          curl -sSL https://dl.gitea.com/tea/main/tea-main-linux-amd64 -o /usr/local/bin/tea
          chmod +x /usr/local/bin/tea
          echo "Listing PRs..."
          tea login add --name gitea-rinoa --url ${{ vars.RINOA_GITEA_URL }} --user gitea-sonarqube-bot --password "${{ secrets.BOT_GITEA_PASSWORD }}" --token ${{ secrets.BOT_GITEA_TOKEN }}
          pr_state=$(tea pr ls --repo ${{ github.repository }} --state open --output csv | egrep 'open|closed|merged' | awk -F, '{print $3}' | sed -e 's|"||g')
          echo "pr_state=$(echo ${pr_state})" >> "$GITHUB_OUTPUT"
      - name: Create PR
        if: steps.list-prs.outputs.pr_state == 'closed'
        uses: arifer612/Gitea-PR-action@v1.2.0
        with:
          url: ${{ gitea.server_url }}
          token: ${{ secrets.BOT_GITEA_TOKEN }}
          assignee: ${{ gitea.actor }}
  docker-compose-test:
    name: Docker Compose Test
    needs: [create-pr]
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Generate ephemeral .env compose file
        id: generate-env-file-pr
        run: |
          echo "${{ secrets.RINOA_ENV }}" > .env
      - name: Docker Compose Lint
        uses: yu-ichiro/spin-up-docker-compose-action@v1
        with:
          file: docker-compose.yml
          pull: true
          pull-opts: --dry-run
          up: true
          up-opts: --dry-run -d --remove-orphans
        env:
          DOCKER_HOST: tcp://dockerproxy:2375
  merge-pr:
    name: PR Merge
    runs-on: ubuntu-latest
    needs: [docker-compose-test]
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Tea CLI Setup & PR Merge
        run: |
          curl -sSL https://dl.gitea.com/tea/main/tea-main-linux-amd64 -o /usr/local/bin/tea
          chmod +x /usr/local/bin/tea
          echo "Merging PR..."
          tea login add --name gitea-rinoa --url ${{ vars.RINOA_GITEA_URL }} --user gitea-sonarqube-bot --password "${{ secrets.BOT_GITEA_PASSWORD }}" --token ${{ secrets.BOT_GITEA_TOKEN }}
          echo ${{ gitea.ref_name }}
          pr_index=$(tea pr ls --repo ${{ github.repository }} --state open --fields index,title,head,state --output csv | egrep ${{ gitea.ref_name }} | awk -F, '{print $1}' | sed -e 's|"||g')
          tea pr m --repo ${{ github.repository }} --title "Auto Merge" --message "Merged by ${{ gitea.actor }}" --output table ${pr_index}
@@ -0,0 +1,368 @@
 name: Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment
 on:
  push:
    branches-ignore:
      - 'main'
 jobs:
  check-and-create-pr:
    if: github.ref != 'refs/heads/main'
    name: Check and Create PR
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v4
        with:
          fetch-depth: 1
      - name: Cache tea CLI
        id: cache-tea
        uses: actions/cache@v4
        with:
          path: /opt/hostedtoolcache/tea/0.9.2/x64
          key: tea-${{ runner.os }}-0.9.2
      - name: Install tea
        uses: supplypike/setup-bin@v4
        with:
          uri: 'https://gitea.com/gitea/tea/releases/download/v0.9.2/tea-0.9.2-linux-amd64'
          name: 'tea'
          version: '0.9.2'
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: PR Check'
          notification_message: 'Checking for existing PR... 🔍'
      - name: Check if open PR exists
        id: check-opened-pr-step
        continue-on-error: true
        run: |
          tea login add --name gitea-rinoa --url "${{ secrets.RINOA_GITEA_URL }}" --user gitea-sonarqube-bot --password "${{ secrets.BOT_GITEA_PASSWORD }}" --token ${{ secrets.BOT_GITEA_TOKEN }}
          pr_exists=$(tea pr list --repo ${{ github.repository }} --state open --fields index,title,head | egrep ${{ github.ref_name }} | tail -1 | wc -l)
          echo "exists=$pr_exists" >> $GITHUB_OUTPUT
      - name: Create PR
        if: ${{ steps.check-opened-pr-step.outputs.exists == '0' }}
        run: |
          tea login default gitea-rinoa
          pr_index_old=$(tea pr ls --repo ${{ github.repository }} --state all --fields index,title,head --output csv | sed -e 's|"||g' | egrep '^[0-9]' | head -1 | awk -F"," '{print $1}')
          pr_index_new=$(expr ${pr_index_old} + 1)
          tea pr c -r ${{ github.repository }} -t "Automated PR for ${{ github.ref_name }} - #${pr_index_new}" -d "Automatically created PR for branch: ${{ github.ref_name }}" -a ${{ github.actor }} -L "Docker Compose, Ansible Configs.j2"
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: PR Check'
          notification_message: 'PR Created 🎟️'
  docker-compose-ansible-lints:
    name: Docker Compose & Ansible Lints
    needs: [check-and-create-pr]
    runs-on: ubuntu-latest
    env:
      VAULT_ADDR: ${{ secrets.RINOA_VAULT_ADDR }}
      VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
      VAULT_NAMESPACE: ""
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Cache Ansible Galaxy Collections
        uses: actions/cache@v3
        with:
          path: ansible/collections
          key: ${{ runner.os }}-ansible-${{ hashFiles('./ansible/collections/requirements.yml') }}
          restore-keys: |
            ${{ runner.os }}-ansible-
      - name: Install Ansible
        uses: alex-oleshkevich/setup-ansible@v1.0.1
        with:
          version: "11.0.0"
      - name: Install Vault
        uses: cpanato/vault-installer@main
      - name: Install hvac
        run: pip install hvac
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: Ansible Config Dry Run @ Rinoa'
          notification_message: 'Starting Ansible dry run...'
      - name: Ansible Playbook Dry Run
        uses: dawidd6/action-ansible-playbook@v2
        with:
          directory: ansible/
          playbook: docker_config_deploy.yml
          key: ${{ secrets.RINOA_ANSIBLE_PRIVATE_KEY }}
          options: |
            --inventory inventory/hosts.yml
            --check
          requirements: collections/requirements.yml
          vault_password: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: Ansible Config Dry Run @ Rinoa'
          notification_message: 'Ansible dry run completed successfully; starting Docker Compose'
      - name: Generate .env file for Docker Compose Dry Run
        run: |
          vault kv get -format=json rinoa-docker/env | jq -r '.data.data' | jq -r 'keys[] as $k | "\($k)='\''\(.[$k])'\''"' > .env
      - name: Cache .env Files
        uses: actions/cache@v4
        with:
          path: .env
          key: ${{ runner.os }}-env-${{ hashFiles('docker-compose.yml') }}
      - name: Docker Compose Dry Run
        uses: yu-ichiro/spin-up-docker-compose-action@v1
        with:
          file: docker-compose.yml
          pull: true
          pull-opts: --dry-run
          up: true
          up-opts: --dry-run -d --remove-orphans
        env:
          DOCKER_HOST: tcp://dockerproxy:2375
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: Docker Compose Dry Run @ Rinoa'
          notification_message: 'Docker Compose dry run completed successfully.'
  cloudflare-dns-setup:
    name: Cloudflare DNS Setup
    needs: [docker-compose-ansible-lints]
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 1
      - name: Cache flarectl CLI
        uses: actions/cache@v4
        with:
          path: ~/.flarectl
          key: flarectl-${{ runner.os }}-${{ hashFiles('workflow-config.yml') }}
      - name: Install flarectl
        uses: supplypike/setup-bin@v4
        with:
          uri: 'https://github.com/cloudflare/cloudflare-go/releases/download/v0.113.0/flarectl_0.113.0_linux_amd64.tar.gz'
          name: 'flarectl'
          version: '0.113.0'
      - name: Cache Subdomain Files
        uses: actions/cache@v4
        with:
          path: |
            compose_subdomains.txt
            cloudflare_subdomains.txt
          key: ${{ runner.os }}-subdomains-${{ hashFiles('docker-compose.yml') }}
      - name: Grab Subdomains from Docker Compose & Cloudflare
        id: grab-subdomains
        env:
          CF_API_TOKEN: ${{ secrets.CF_API_TOKEN }}
          CF_API_EMAIL: ${{ secrets.CF_API_EMAIL }}
        run: |
          yq '.services[].labels.swag_url' docker-compose.yml | egrep -v 'null' | sed -e 's|"||g' | awk -F'.' '{print $1}' | sort > compose_subdomains.txt
          flarectl --json dns list --zone "trez.wtf" --type=CNAME --content "trez.wtf" | jq '.[].Name' | sed -e 's|"||g' | awk -F"." '{print $1}' | sort > cloudflare_subdomains.txt
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: Cloudflare Setup @ Rinoa'
          notification_message: 'Starting Cloudflare DNS setup...'
      - name: Compare Subdomains
        id: compare-subdomains
        uses: LouisBrunner/diff-action@v2.2.0
        with:
          old: compose_subdomains.txt
          new: cloudflare_subdomains.txt
          mode: addition
          tolerance: mixed-better
          output: domain_compare.txt
      - name: Create Subdomains
        if: steps.compare-subdomains.outputs.output != ''
        continue-on-error: true
        env:
          CF_API_TOKEN: ${{ secrets.CF_API_TOKEN }}
          CF_API_EMAIL: ${{ secrets.CF_API_EMAIL }}
        run: |
          cat domain_compare.txt | egrep '^-[a-z]' | sed -e 's|-||g' | while read -r subdomain; do
            echo "Creating $subdomain.trez.wtf..."
            flarectl dns create --zone "trez.wtf" --name "${subdomain}" --type=CNAME --content "trez.wtf" --proxy true
          done
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: Cloudflare Setup @ Rinoa'
          notification_message: 'Cloudflare DNS setup completed successfully.'
  regenerate-readme-modified-services:
    name: Update README & Generate List of Modified Services
    runs-on: ubuntu-latest
    needs: [cloudflare-dns-setup]
    # outputs:
    #   pr-pushed: ${{ steps.commit-readme.outputs.pushed }}
    #   modified_services: ${{ steps.compare-services.outputs.modified_services }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Install yq
        uses: dcarbone/install-yq-action@v1
      # - name: Fetch main branch for comparison
      #   run: |
      #     git fetch origin main:main
      # - name: Compare services using yq
      #   continue-on-error: true
      #   id: compare-services
      #   run: |
      #     current_services=$(yq '.services | to_entries' docker-compose.yml)
      #     git show main:docker-compose.yml > main_compose.yml
      #     main_services=$(yq '.services | to_entries' main_compose.yml)
      #     modified_services_file=$(comm -13 <(echo "$main_services") <(echo "$current_services") > changes_compose.yml)
      #     modified_services=${egrep '^  [a-z]' changes.yml | sed -e 's|^  ||g' -e 's|:||g' | sed ':a;N;$!ba;s/\n/ /g'}
      #     echo "Modified services: $modified_services"
      #     echo "modified_services=$modified_services" >> $GITHUB_OUTPUT
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: README Update'
          notification_message: 'Updating README...'
      - name: Generate service list
        run: |
          yq '.services | to_entries | map({"service": .key, "image": .value.image})' docker-compose.yml > services.yml
      - name: Generate Markdown Table
        uses: gazab/create-markdown-table@v1
        id: service-table
        with:
          file: ./services.yml
      - name: Regenerate README
        run: |
          echo "# List of Services" > README.md
          echo -e "\n\n" >> README.md
          echo "${{ steps.service-table.outputs.table }}" >> README.md
      - name: Add/Commit README.md
        id: commit-readme
        uses: EndBug/add-and-commit@v9
        with:
          message: "chore: Update README"
          add: "README.md"
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: README Update'
          notification_message: 'README updated'
  pr-merge:
    name: PR Merge
    needs: [regenerate-readme-modified-services]
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Install tea
        uses: supplypike/setup-bin@v4
        with:
          uri: 'https://gitea.com/gitea/tea/releases/download/v0.9.2/tea-0.9.2-linux-amd64'
          name: 'tea'
          version: '0.9.2'
      - name: PR Merge
        id: pr_merge
        run: |
          tea login add --name gitea-rinoa --url ${{ secrets.RINOA_GITEA_URL }} --user gitea-sonarqube-bot --password "${{ secrets.BOT_GITEA_PASSWORD }}" --token ${{ secrets.BOT_GITEA_TOKEN }}
          tea login default gitea-rinoa
          echo "Merging PR..."
          pr_index=$(tea pr ls --repo ${{ github.repository }} --state open --fields index,title,head,state --output csv | egrep ${{ github.ref_name }} | awk -F"," '{print $1}' | sed -e 's|"||g')
          tea pr m --repo ${{ github.repository }} --title "Auto Merge of PR ${pr_index} - ${{ github.ref_name }}" --message "Merged by ${{ github.actor }}" ${pr_index}
          echo "pr_index=${pr_index}" >> $GITHUB_OUTPUT
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: PR Merge Successful'
          notification_message: 'PR #${{ steps.pr_merge.outputs.pr_index }} merged.'
  ansible-config-docker-compose-deploy:
    name: Ansible Configs & Docker Compose Deployment
    runs-on: ubuntu-latest
    needs: [pr-merge]
    env:
      VAULT_ADDR: ${{ secrets.RINOA_VAULT_ADDR }}
      VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
      DOCKER_HOST: tcp://dockerproxy:2375
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          ref: main
      - name: Cache Vault install
        id: cache-vault
        uses: actions/cache@v4
        with:
          path: /opt/hostedtoolcache/vault/1.18.0/x64
          key: vault-${{ runner.os }}-1.18.0
      - name: Install Ansible
        uses: alex-oleshkevich/setup-ansible@v1.0.1
        with:
          version: "11.0.0"
      - name: Install Vault
        uses: cpanato/vault-installer@main
      - name: Install hvac
        run: pip install hvac
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: Ansible Config Deployment @ Rinoa'
          notification_message: 'Starting config deployment with Ansible.'
      - name: Deploy Docker Configs via Ansible
        uses: dawidd6/action-ansible-playbook@v2
        with:
          directory: ansible/
          playbook: docker_config_deploy.yml
          key: ${{secrets.RINOA_ANSIBLE_PRIVATE_KEY}}
          options: |
            --inventory inventory/hosts.yml
          requirements: collections/requirements.yml
          vault_password: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: Ansible Config Deployment @ Rinoa'
          notification_message: 'Deployment completed successfully.'
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: Docker Compose Deployment @ Rinoa'
          notification_message: 'Starting Docker Compose run...'
      - name: Generate .env file for deployment
        run: |
           vault kv get -format=json rinoa-docker/env | jq -r '.data.data' | jq -r 'keys[] as $k | "\($k)='\''\(.[$k])'\''"' > .env
      - name: Docker Compose Deployment
        # if: ${{ steps.regenerate-readme-modified-services.outputs.modified_services != '' }}
        timeout-minutes: 360
        continue-on-error: true
        uses: keatonLiu/docker-compose-remote-action@v1.2
        with:
          docker_compose_file: docker-compose.yml
          docker_args: -d --remove-orphans --pull missing --no-recreate
          ssh_user: gitea-deploy
          ssh_host: 192.168.1.254
          ssh_host_public_key: ${{ secrets.RINOA_GITEA_PUBLIC_SSH_KEY }}
          ssh_private_key: ${{ secrets.RINOA_GITEA_PRIVATE_SSH_KEY }}
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: Docker Compose Deployment @ Rinoa'
          notification_message: 'Deployment completed successfully.'
@@ -1,2 +1,4 @@
-**/.env*
+**/.cache_ggshield
-**/*env*
+ansible/collections/ansible_collections/
 **/.env
 **/netbird_openid-configuration.json.j2
@@ -0,0 +1,143 @@
 # List of Services
 | Service | Image |
 | --- | --- |
 | actual_server | docker.io/actualbudget/actual-server:latest |
 | adguard | adguard/adguardhome:latest |
 | apprise-api | lscr.io/linuxserver/apprise-api:latest |
 | archivebox | archivebox/archivebox:latest |
 | audiobookshelf | ghcr.io/advplyr/audiobookshelf:latest |
 | authelia | authelia/authelia:master |
 | authelia-pg | postgres:16-alpine |
 | bazarr | lscr.io/linuxserver/bazarr:latest |
 | beszel | henrygd/beszel:latest |
 | beszel-agent | henrygd/beszel-agent:latest |
 | bitmagnet | ghcr.io/bitmagnet-io/bitmagnet:latest |
 | bitmagnet-pg-db | postgres:17-alpine |
 | bitwarden | vaultwarden/server:latest |
 | bluesky-pds | code.modernleft.org/gravityfargo/bluesky-pds:v0.4.98 |
 | browserless | ghcr.io/browserless/chromium:latest |
 | bytebase | bytebase/bytebase:3.5.0 |
 | bytestash | ghcr.io/jordan-dalby/bytestash:latest |
 | castopod | castopod/castopod:latest |
 | cloudflared | cloudflare/cloudflared:latest |
 | cloudflareddns | ghcr.io/hotio/cloudflareddns:latest |
 | convertx | ghcr.io/c4illin/convertx |
 | cronicle | elestio/cronicle:latest |
 | crowdsec | crowdsecurity/crowdsec:latest |
 | crowdsec-dashboard | metabase/metabase |
 | cyber-chef | mpepping/cyberchef:latest |
 | czkawka | jlesage/czkawka |
 | dawarich-app | freikin/dawarich:latest |
 | dawarich-pg-db | postgis/postgis:17-3.5-alpine |
 | dawarich-sidekiq | freikin/dawarich:latest |
 | delugevpn | ghcr.io/binhex/arch-delugevpn:latest |
 | docker-socket-proxy | ghcr.io/tecnativa/docker-socket-proxy:latest |
 | docker-volume-backup | offen/docker-volume-backup:v2 |
 | duplicati | lscr.io/linuxserver/duplicati:latest |
 | explo | ghcr.io/lumepart/explo:latest |
 | fastenhealth | ghcr.io/fastenhealth/fasten-onprem:main |
 | flaresolverr | ghcr.io/flaresolverr/flaresolverr:latest |
 | ghost | ghost:latest |
 | gitea | gitea/gitea:1.23.1 |
 | gitea-db | postgres:14 |
 | gitea-runner | gitea/act_runner:latest |
 | gitea-sonarqube-bot | justusbunsi/gitea-sonarqube-bot:v0.4.0 |
 | gluetun | qmcgaw/gluetun:latest |
 | gotify | gotify/server |
 | graylog | graylog/graylog:6.1 |
 | graylog-datanode | graylog/graylog-datanode:6.1 |
 | guacamole | flcontainers/guacamole:latest |
 | homepage | ghcr.io/gethomepage/homepage:latest |
 | hugo | hugomods/hugo:exts |
 | immich-server | ghcr.io/immich-app/immich-server:release |
 | immich-machine-learning | ghcr.io/immich-app/immich-machine-learning:release |
 | immich-pg-db | tensorchord/pgvecto-rs:pg14-v0.2.1 |
 | immich-public-proxy | alangrainger/immich-public-proxy:latest |
 | immich-power-tools | ghcr.io/varun-raj/immich-power-tools:latest |
 | influxdb2 | influxdb:2-alpine |
 | invidious | quay.io/invidious/invidious:latest |
 | invidious-sig-helper | quay.io/invidious/inv-sig-helper:latest |
 | invidious-db | docker.io/library/postgres:14 |
 | it-tools | ghcr.io/corentinth/it-tools:latest |
 | jellyfin | jellyfin/jellyfin |
 | jitsi-etherpad | etherpad/etherpad:1.8.6 |
 | jitsi-jibri | jitsi/jibri:stable |
 | jitsi-jicofo | jitsi/jicofo:stable |
 | jitsi-jigasi | jitsi/jigasi:stable |
 | jitsi-jvb | jitsi/jvb:stable |
 | jitsi-prosody | jitsi/prosody:stable |
 | jitsi-web | jitsi/web:stable |
 | joplin-db | postgres:17-alpine |
 | joplin | joplin/server:latest |
 | librechat-api | ghcr.io/danny-avila/librechat-dev:latest |
 | librechat-vectordb | ankane/pgvector:latest |
 | librechat-rag-api | ghcr.io/danny-avila/librechat-rag-api-dev-lite:latest |
 | libretranslate | libretranslate/libretranslate |
 | lidarr | lscr.io/linuxserver/lidarr:latest |
 | lidify | thewicklowwolf/lidify:latest |
 | linkstack | linkstackorg/linkstack:latest |
 | lldap | lldap/lldap:stable |
 | loggifly | ghcr.io/clemcer/loggifly:latest |
 | maloja | krateng/maloja:latest |
 | manyfold | lscr.io/linuxserver/manyfold:latest |
 | mariadb | linuxserver/mariadb |
 | mastodon | lscr.io/linuxserver/mastodon:latest |
 | mastodon-pg-db | postgres:17-alpine |
 | meilisearch | getmeili/meilisearch:v1.12.3 |
 | minio | minio/minio |
 | mixpost | inovector/mixpost:latest |
 | mongodb | bitnami/mongodb:7.0 |
 | multi-scrobbler | foxxmd/multi-scrobbler |
 | n8n | docker.n8n.io/n8nio/n8n |
 | navidrome | deluan/navidrome:latest |
 | netalertx | jokobsk/netalertx:latest |
 | nextcloud | nextcloud/all-in-one:latest |
 | ollama | ollama/ollama |
 | ombi | lscr.io/linuxserver/ombi:latest |
 | paperless-ngx | ghcr.io/paperless-ngx/paperless-ngx:latest |
 | pgbackweb | eduardolat/pgbackweb:latest |
 | pgbackweb-db | postgres:16-alpine |
 | plantuml-server | plantuml/plantuml-server:jetty |
 | portainer | portainer/portainer-ce:alpine |
 | portall | need4swede/portall:latest |
 | postal-smtp | ghcr.io/postalserver/postal:latest |
 | postal-web | ghcr.io/postalserver/postal:latest |
 | postal-worker | ghcr.io/postalserver/postal:latest |
 | prowlarr | lscr.io/linuxserver/prowlarr:latest |
 | radarec | thewicklowwolf/radarec:latest |
 | radarr | lscr.io/linuxserver/radarr:latest |
 | reactive-resume | amruthpillai/reactive-resume:latest |
 | reactive-resume-pg | postgres:16-alpine |
 | readarr | lscr.io/linuxserver/readarr:develop |
 | redis | redis:alpine |
 | redlib | quay.io/redlib/redlib:latest |
 | rocketchat | registry.rocket.chat/rocketchat/rocket.chat:latest |
 | sabnzbdvpn | ghcr.io/binhex/arch-sabnzbdvpn:latest |
 | scraperr | jpyles0524/scraperr:latest |
 | scraperr-api | jpyles0524/scraperr_api:latest |
 | scrutiny | ghcr.io/analogj/scrutiny:master-omnibus |
 | searxng | searxng/searxng:latest |
 | semaphore | semaphoreui/semaphore:v2.12.14 |
 | sonarqube | mc1arke/sonarqube-with-community-branch-plugin:lts |
 | sonarqube-pg-db | postgres:17-alpine |
 | sonarr | lscr.io/linuxserver/sonarr:latest |
 | sonashow | thewicklowwolf/sonashow:latest |
 | speedtest-tracker | lscr.io/linuxserver/speedtest-tracker:latest |
 | stable-diffusion-download | git.trez.wtf/trez.one/stable-diffusion-download:v9.0.0 |
 | stable-diffusion-webui | git.trez.wtf/trez.one/stable-diffusion-ui:v9.0.1 |
 | stirling-pdf | docker.stirlingpdf.com/stirlingtools/stirling-pdf:latest |
 | swag | lscr.io/linuxserver/swag:latest |
 | tandoor | vabene1111/recipes |
 | tandoor-pg | postgres:16-alpine |
 | unmanic | josh5/unmanic:latest |
 | uptimekuma | louislam/uptime-kuma:latest |
 | vault | hashicorp/vault:latest |
 | wallabag | wallabag/wallabag |
 | wallos | bellamy/wallos:latest |
 | watchtower | ghcr.io/containrrr/watchtower:latest |
 | web-check | lissy93/web-check |
 | youtubedl | nbr23/youtube-dl-server:latest |
@@ -0,0 +1,167 @@
 .logs/*
 *.retry
 *.vault
 # https://raw.githubusercontent.com/github/gitignore/main/Python.gitignore
 # Byte-compiled / optimized / DLL files
 __pycache__/
 *.py[cod]
 *$py.class
 .cache_ggshield
 # Ansible Vault Password Files
 *.pass
 # C extensions
 *.so
 # Distribution / packaging
 .Python
 build/
 develop-eggs/
 dist/
 downloads/
 eggs/
 .eggs/
 lib/
 lib64/
 parts/
 sdist/
 var/
 wheels/
 share/python-wheels/
 *.egg-info/
 .installed.cfg
 *.egg
 MANIFEST
 # PyInstaller
 #  Usually these files are written by a python script from a template
 #  before PyInstaller builds the exe, so as to inject date/other infos into it.
 *.manifest
 *.spec
 # Installer logs
 pip-log.txt
 pip-delete-this-directory.txt
 # Unit test / coverage reports
 htmlcov/
 .tox/
 .nox/
 .coverage
 .coverage.*
 .cache
 nosetests.xml
 coverage.xml
 *.cover
 *.py,cover
 .hypothesis/
 .pytest_cache/
 cover/
 # Translations
 *.mo
 *.pot
 # Django stuff:
 *.log
 local_settings.py
 db.sqlite3
 db.sqlite3-journal
 # Flask stuff:
 instance/
 .webassets-cache
 # Scrapy stuff:
 .scrapy
 # Sphinx documentation
 docs/_build/
 # PyBuilder
 .pybuilder/
 target/
 # Jupyter Notebook
 .ipynb_checkpoints
 # IPython
 profile_default/
 ipython_config.py
 # pyenv
 #   For a library or package, you might want to ignore these files since the code is
 #   intended to run in multiple environments; otherwise, check them in:
 # .python-version
 # pipenv
 #   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
 #   However, in case of collaboration, if having platform-specific dependencies or dependencies
 #   having no cross-platform support, pipenv may install dependencies that don't work, or not
 #   install all needed dependencies.
 #Pipfile.lock
 # poetry
 #   Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
 #   This is especially recommended for binary packages to ensure reproducibility, and is more
 #   commonly ignored for libraries.
 #   https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
 #poetry.lock
 # pdm
 #   Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
 #pdm.lock
 #   pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it
 #   in version control.
 #   https://pdm.fming.dev/#use-with-ide
 .pdm.toml
 # PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
 __pypackages__/
 # Celery stuff
 celerybeat-schedule
 celerybeat.pid
 # SageMath parsed files
 *.sage.py
 # Environments
 .env
 .venv
 env/
 venv/
 ENV/
 env.bak/
 venv.bak/
 # Spyder project settings
 .spyderproject
 .spyproject
 # Rope project settings
 .ropeproject
 # mkdocs documentation
 /site
 # mypy
 .mypy_cache/
 .dmypy.json
 dmypy.json
 # Pyre type checker
 .pyre/
 # pytype static type analyzer
 .pytype/
 # Cython debug symbols
 cython_debug/
 # PyCharm
 #  JetBrains specific template is maintained in a separate JetBrains.gitignore that can
 #  be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
 #  and can be added to the global gitignore or merged into this file.  For a more nuclear
 #  option (not recommended) you can uncomment the following to ignore the entire idea folder.
 #.idea/
@@ -0,0 +1,45 @@
 # Rinoa Docker_configs Ansible Project
 ## Included content/ Directory Structure
 The directory structure follows best practices recommended by the Ansible community. Feel free to customize this template according to your specific project requirements.
 ```
 ansible-project/
 |── .devcontainer/
 |    └── docker/
 |        └── devcontainer.json
 |    └── podman/
 |        └── devcontainer.json
 |    └── devcontainer.json
 |── .github/
 |    └── workflows/
 |        └── tests.yml
 |    └── ansible-code-bot.yml
 |── .vscode/
 |    └── extensions.json
 |── collections/
 |   └── requirements.yml
 |   └── ansible_collections/
 |       └── project_org/
 |           └── project_repo/
 |               └── README.md
 |               └── roles/sample_role/
 |                         └── README.md
 |                         └── tasks/main.yml
 |── inventory/
 |   └── groups_vars/
 |   └── host_vars/
 |   └── hosts.yml
 |── ansible-navigator.yml
 |── ansible.cfg
 |── devfile.yaml
 |── linux_playbook.yml
 |── network_playbook.yml
 |── README.md
 |── site.yml
 ```
 ## Compatible with Ansible-lint
 Tested with ansible-lint >=24.2.0 releases and the current development version of ansible-core.
@@ -0,0 +1,25 @@
 [defaults]
 # Specify the inventory file
 inventory = inventory/hosts.yml
 collections_path = ./collections
 # Set the logging verbosity level
 verbosity = 2
 # Set the default user for SSH connections
 remote_user = charish
 # Define the default become method
 become_method = sudo
 host_key_checking = false
 [persistent_connection]
 # Controls how long the persistent connection will remain idle before it is destroyed
 connect_timeout=30
 # Controls the amount of time to wait for response from remote device before timing out persistent connection
 command_timeout=30
 [hashi_vault_collection]
 auth_method = token
@@ -0,0 +1,3 @@
 urls:
  - gotify://gotify/{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['APPRISE_GOTIFY_TOKEN'] }}
  - mailtos://{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}@trez.wtf25?smtp=postal-smtp&from=noreply@trez.wtf
@@ -0,0 +1,172 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 # yaml-language-server: $schema=https://www.authelia.com/schemas/latest/json-schema/configuration.json
 ---
 theme: auto
 default_2fa_method: "totp"
 server:
  address: '0.0.0.0:9091'
  endpoints:
    enable_pprof: false
    enable_expvars: false
  disable_healthcheck: false
  tls:
    key: ""
    certificate: ""
    client_certificates: []
  headers:
    csp_template: ""
 log:
  level: debug
 telemetry:
  metrics:
    enabled: true
    address: tcp://0.0.0.0:9959
 totp:
  disable: false
  issuer: authelia.com
  algorithm: sha256
  digits: 6
  period: 30
  skew: 1
  secret_size: 32
 webauthn:
  disable: false
  timeout: 60s
  display_name: Authelia
  attestation_conveyance_preference: indirect
  selection_criteria:
    user_verification: preferred
 ntp:
  address: "time.cloudflare.com:123"
  version: 4
  max_desync: 3s
  disable_startup_check: false
  disable_failure: false
 authentication_backend:
  password_reset:
    disable: false
    custom_url: ""
  ldap:
    implementation: custom
    address: ldap://lldap:3890
    timeout: 5s
    start_tls: false
    base_dn: dc=trez,dc=wtf
    additional_users_dn: ou=people
    users_filter: "(&({username_attribute}={input})(objectClass=person))"
    additional_groups_dn: ou=groups
    groups_filter: "(member={dn})"
    attributes:
      username: uid
      group_name: cn
      mail: mail
      display_name: displayName
    user: uid=authelia,ou=people,dc=trez,dc=wtf
    password: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_AUTH_BIND_LDAP_PASSWORD'] }}'
  refresh_interval: 5m
 identity_validation:
  reset_password:
    jwt_secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_JWT_SECRET'] }}'
 password_policy:
  standard:
    enabled: true
    min_length: 8
    max_length: 0
    require_uppercase: true
    require_lowercase: true
    require_number: true
    require_special: false
  zxcvbn:
    enabled: false
    min_score: 3
 access_control:
  default_policy: deny
  networks:
    - name: 'internal'
      networks:
        - '172.17.0.0/16'
        - '172.18.0.0/16'
        - '192.168.1.0/24'
  rules:
    - domain_regex:
      - '^trez.wtf$'
      - ^www.trez.wtf$''
      policy: bypass
    - domain: '*.trez.wtf'
      policy: bypass
      networks:
        - 'internal'
    - domain: '*.trez.wtf'
      policy: one_factor
      subject:
      - ['user:the.trezured.one']
 session:
  name: authelia_session
  secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_SESSION_SECRET'] }}'
  expiration: 1h
  inactivity: 5m
  remember_me: 1M
  cookies:
    - domain: 'trez.wtf'
      authelia_url: 'https://auth.trez.wtf'
  redis:
    host: redis
    port: 6379
 storage:
  encryption_key: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_STORAGE_ENCRYPTION_KEY'] }}'
  postgres:
    address: 'tcp://authelia-pg:5432'
    database: authelia
    username: authelia
    password: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_STORAGE_POSTGRES_PASSWORD'] }}'
    timeout: '5s'
 regulation:
  max_retries: 3
  find_time: 2m
  ban_time: 5m
 notifier:
  disable_startup_check: true
  smtp:
    address: 'smtp://postal-smtp:25'
    timeout: '5s'
    username: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}'
    password: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}'
    sender: "Authelia <noreply@trez.wtf>"
    identifier: 'localhost'
    subject: "[Authelia] {title}"
    startup_check_address: 'test@authelia.com'
    disable_require_tls: true
    disable_starttls: true
    disable_html_emails: false
 identity_providers:
  oidc:
    hmac_secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_OIDC_HMAC_SECRET'] }}'
    jwks:
      - key: |
          {{ lookup("community.hashi_vault.vault_kv2_get", "env", engine_mount_point="rinoa-docker", url=vault_addr, token=vault_token_cleaned)["secret"]["AUTHELIA_OIDC_JWKS_KEY"] | replace("\\n", "\n") | indent(10) }}
    cors:
      allowed_origins_from_client_redirect_uris: true
      endpoints:
        - 'userinfo'
        - 'authorization'
        - 'token'
        - 'revocation'
        - 'introspection'
    clients:
      - client_id: 'netbird'
        client_name: 'NetBird'
        client_secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_NETBIRD_CLIENT_SECRET'] }}'
        public: false
        authorization_policy: 'two_factor'
        redirect_uris:
          - 'https://vpn.trez.wtf/peers'
          - 'https://vpn.trez.wtf/add-peers'
          - 'http://localhost'
        scopes:
          - 'openid'
          - 'email'
          - 'profile'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_post'
@@ -0,0 +1,16 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 tunnel: 52bdee6e-8ccb-47be-ba9e-f8010b905e41
 credentials-file: /etc/cloudflared/52bdee6e-8ccb-47be-ba9e-f8010b905e41.json
 warp-routing:
  enabled: true
 ingress:
  - hostname: git-ssh.trez.wtf
    service: ssh://gitea:22
  - hostname: gist-ssh.trez.wtf
    service: ssh://gitea-opengist:2222
  - hostname: ssh.trez.wtf
    service: ssh://192.168.1.254:22
  - service: http_status:404  # Default for unmatched requests
@@ -0,0 +1,15 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 source: journalctl
 journalctl_filter: 
  - "--directory=/var/log/host/"
 labels:
  type: syslog
 ---
 filenames:
  - /var/log/swag/*
 labels:
  type: nginx
 ---
@@ -0,0 +1,6 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 url: http://0.0.0.0:8080
 login: localhost
 password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['CROWDSEC_LOCAL_API_KEY'] }}
@@ -0,0 +1,17 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 name: default_ip_remediation
 #debug: true
 filters:
 - Alert.Remediation == true && Alert.GetScope() == "Ip"
 decisions:
 - type: ban
   duration: 4h
 #duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
 # notifications:
 #   - slack_default  # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
 #   - splunk_default # Set the splunk url and token in /etc/crowdsec/notifications/splunk.yaml before enabling this.
 #   - http_default   # Set the required http parameters in /etc/crowdsec/notifications/http.yaml before enabling this.
 #   - email_default  # Set the required email parameters in /etc/crowdsec/notifications/email.yaml before enabling this.
 on_success: break
@@ -0,0 +1,41 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 {
  "url": "blog.trez.wtf",
  "database": {
    "client": "mysql",
    "connection": {
      "host"     : "mariadb",
      "user"     : "ghost",
      "password" : "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GHOST_DB_PASSWORD'] }}",
      "database" : "ghost_db"
    }
  },
  "mail": {
    "from": "'Ghost @ Rinoa' <noreply@trez.wtf>"
    "transport": "SMTP",
    "options": {
      "host": "postal-smtp",
      "port": 25,
      "secure": false,
      "auth": {
        "user": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}",
        "pass": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}"
      }
    }
  },
  "paths": {
    "contentPath": "content/"
  },
  "privacy": {
    "useGravatar": true
  },
  "logging": {
    "level": "info",
    "rotation": {
      "enabled": true
    },
    "transports": ["file"]
  }
 }
@@ -0,0 +1,125 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 APP_NAME = Gitea: Git with a cup of tea
 RUN_MODE = prod
 RUN_USER = git
 WORK_PATH = /data/gitea
 [repository]
 ROOT = /data/git/repositories
 DEFAULT_PRIVATE = last
 EMABLE_PUSH_CREATE_USER = true
 [repository.local]
 LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
 [repository.upload]
 TEMP_PATH = /data/gitea/uploads
 [server]
 APP_DATA_PATH = /data/gitea
 DOMAIN = git.trez.wtf
 SSH_DOMAIN = git-ssh.trez.wtf
 HTTP_PORT = 3000
 ROOT_URL = https://git.trez.wtf/
 DISABLE_SSH = false
 SSH_PORT = 22
 SSH_LISTEN_PORT = 22
 LFS_START_SERVER = true
 LFS_JWT_SECRET = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_LFS_JWT_SECRET'] }}
 OFFLINE_MODE = true
 [database]
 PATH = /data/gitea/gitea.db
 DB_TYPE = postgres
 HOST = gitea-db:5432
 NAME = gitea
 USER = gitea
 PASSWD = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_PG_DB_PASSWORD'] }}
 LOG_SQL = false
 SCHEMA =
 SSL_MODE = disable
 [indexer]
 ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
 REPO_INDEXER_ENABLED = true
 REPO_INDEXER_PATH = indexers/repos.bleve
 MAX_FILE_SIZE = 1048576
 REPO_INDEXER_INCLUDE =
 REPO_INDEXER_EXCLUDE = resources/bin/**
 [session]
 PROVIDER_CONFIG = /data/gitea/sessions
 PROVIDER = file
 [picture]
 AVATAR_UPLOAD_PATH = /data/gitea/avatars
 REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
 [attachment]
 PATH = /data/gitea/attachments
 [log]
 MODE = console
 LEVEL = info
 ROOT_PATH = root
 [security]
 INSTALL_LOCK = true
 SECRET_KEY =
 REVERSE_PROXY_LIMIT = 1
 REVERSE_PROXY_TRUSTED_PROXIES = *
 INTERNAL_TOKEN = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_INTERNAL_TOKEN'] }}
 PASSWORD_HASH_ALGO = pbkdf2
 [service]
 DISABLE_REGISTRATION = false
 REQUIRE_SIGNIN_VIEW = false
 REGISTER_EMAIL_CONFIRM = true
 ENABLE_NOTIFY_MAIL = true
 ALLOW_ONLY_EXTERNAL_REGISTRATION = false
 ENABLE_CAPTCHA = true
 DEFAULT_KEEP_EMAIL_PRIVATE = true
 DEFAULT_ALLOW_CREATE_ORGANIZATION = false
 DEFAULT_ENABLE_TIMETRACKING = false
 NO_REPLY_ADDRESS = noreply@trez.wtf
 [lfs]
 PATH = /data/git/lfs
 [mailer]
 PASSWD = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}
 PROTOCOL = smtp
 ENABLED = true
 FROM = '"Gitea" <noreply@trez.wtf>'
 SMTP_PORT = 25
 USER = rinoa/postal-smtp
 SMTP_ADDR = postal-smtp
 IS_TLS_ENABLED = faLse
 [openid]
 ENABLE_OPENID_SIGNIN = true
 ENABLE_OPENID_SIGNUP = true
 [cron.update_checker]
 ENABLED = false
 [repository.pull-request]
 DEFAULT_MERGE_STYLE = merge
 [repository.signing]
 DEFAULT_TRUST_MODEL = committer
 [oauth2]
 JWT_SECRET = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_OAUTH2_JWT_SECRET'] }}
 [ui]
 THEMES =
 [actions]
 ENABLED = true
 [webhook]
 ALLOWED_HOST_LIST = private,104.21.1.234,172.67.152.146
 SKIP_TLS_VERIFY = true
@@ -0,0 +1,81 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 # Gitea related configuration. Necessary for adding/updating comments on repository pull requests
 gitea:
  # Endpoint of your Gitea instance. Must be expandable by '/api/v1' to form the API base path as shown in Swagger UI.
  url: https://git.trez.wtf
  # Created access token for the user that shall be used as bot account.
  # User needs "Read project" permissions with access to "Pull Requests"
  token:
    value: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_GITEA_TOKEN'] }}"
    # # or path to file containing the plain text secret
    # file: /path/to/gitea/token
  # If the sent webhook has a signature header, the bot validates the request payload. If the value does not match, the
  # request will be ignored.
  # The bot looks for `X-Gitea-Signature` header containing the sha256 hmac hash of the plain text secret. If the header
  # exists and no webhookSecret is defined here, the bot will ignore the request, because it cannot be validated.
  webhook:
    secret: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_GITEA_WEBHOOK_SECRET'] }}"
    # # or path to file containing the plain text secret
    # secretFile: /path/to/gitea/webhook/secret
  # Pull Request status check settings.
  statusCheck:
    # Configure the label/name of the PR status check.
    name: "gitea-sonarqube-bot"
 # SonarQube related configuration. Necessary for requesting data from the API and processing the webhook.
 sonarqube:
  # Endpoint of your SonarQube instance. Must be expandable by '/api' to form the API base path.
  url: https://sqube.trez.wtf
  # Created access token for the user that shall be used as bot account.
  # User needs "Browse on project" permissions
  token:
    value: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_SQUBE_TOKEN'] }}"
    # # or path to file containing the plain text secret
    # file: /path/to/sonarqube/token
  # If the sent webhook has a signature header, the bot validates the request payload. If the value does not match, the
  # request will be ignored.
  # The bot looks for `X-Sonar-Webhook-HMAC-SHA256` header containing the sha256 hmac hash of the plain text secret.
  # If the header exists and no webhookSecret is defined here, the bot will ignore the request, because it cannot be
  # validated.
  webhook:
    secret: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_SQUBE_WEBHOOK_SECRET'] }}"
    # # or path to file containing the plain text secret
    # secretFile: /path/to/sonarqube/webhook/secret
  # Some useful metrics depend on the edition in use. There are various ones like code_smells, vulnerabilities, bugs, etc.
  # By default, the bot will extract "bugs,vulnerabilities,code_smells"
  # Setting this option you can extend that default list by your own metrics.
  # additionalMetrics: []
  # - "new_security_hotspots"
 # List of project mappings to take care of. Webhooks for other projects will be ignored.
 # At least one must be configured. Otherwise, all webhooks (no matter which source) because the bot cannot map on its own.
 projects:
  - sonarqube:
      key: rinoa-docker
    # A repository specification contains the owner name and the repository name itself. The owner can be the name of a
    # real account or an organization in which the repository is located.
    gitea:
      owner: Trez.One
      name: rinoa-docker
 # Define pull request names from SonarScanner analysis. Default pattern matches the Jenkins Gitea plugin schema.
 namingPattern:
  # Regular expression that MUST HAVE exactly ONE GROUP that matches the integer part of the PR.
  # That integer part is identical to the pull request ID in Gitea.
  regex: "^.*$"
  # Valid Go format string. It MUST have one integer placeholder which will be replaced by the pull request ID.
  # See: https://pkg.go.dev/fmt#hdr-Printing
  template: "%s"
  # Example for integer-only names
  # # regex: "^(\\d+)$"
  # # template: "%d"
@@ -0,0 +1,404 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 /////////////////////////////////////////////////////////////////////////////////////////////////////////////
 // Agent globals
 /////////////////////////////////////////////////////////////////////////////////////////////////////////////
 local.file "endpoints" {
    // The endpoints file is used to define the endpoints, credentials and options
    // for the Agent export to.
    filename = "/etc/alloy/endpoints.json"
 }
 discovery.docker "rinoadocker" {
        host = env("DOCKER_HOST")
 }
 tracing {
    write_to = [otelcol.exporter.otlp.tempo.input]
 }
 /////////////////////////////////////////////////////////////////////////////////////////////////////////////
 // Metrics
 /////////////////////////////////////////////////////////////////////////////////////////////////////////////
 prometheus.remote_write "mimir" {
  endpoint {
    url = json_path(local.file.endpoints.content, ".metrics.url")[0]
    basic_auth {
        username = json_path(local.file.endpoints.content, ".metrics.basicAuth.username")[0]
        password = json_path(local.file.endpoints.content, ".metrics.basicAuth.password")[0]
    }
  }
 }
 prometheus.scrape "prometheus" {
        targets = [{
                __address__ = "localhost:12345",
        }]
        forward_to = [prometheus.remote_write.mimir.receiver]
        job_name   = "prometheus"
 }
 prometheus.exporter.unix "rinoa" {
        procfs_path = "/host/proc"
        sysfs_path  = "/host/sys"
        rootfs_path = "/rootfs"
 }
 prometheus.scrape "rinoa" {
        targets    = prometheus.exporter.unix.rinoa.targets
        forward_to = [prometheus.remote_write.mimir.receiver]
        job_name   = "rinoa_host"
 }
 prometheus.exporter.cadvisor "docker" {
        docker_host      = env("DOCKER_HOST")
        storage_duration = "5m"
 }
 prometheus.scrape "docker" {
        targets    = prometheus.exporter.cadvisor.docker.targets
        forward_to = [prometheus.remote_write.mimir.receiver]
        job_name   = "docker_stats"
 }
 /////////////////////////////////////////////////////////////////////////////////////////////////////////////
 // Logging
 /////////////////////////////////////////////////////////////////////////////////////////////////////////////
 loki.write "loki" {
        endpoint {
                url = json_path(local.file.endpoints.content, ".logs.url")[0]
                basic_auth {
                        username = json_path(local.file.endpoints.content, ".logs.basicAuth.username")[0]
                        password = json_path(local.file.endpoints.content, ".logs.basicAuth.password")[0]
                }
        }
        external_labels = {}
 }
 loki.source.journal "hostjournal" {
        forward_to = [loki.write.loki.receiver]
        max_age = "24h"
        path = "/rootfs/var/log/journal/"
        labels = {
                job = "host-journal",
        }
 }
 local.file_match "system" {
        path_targets = [{
                __address__ = "localhost",
                __path__    = "/rootfs/var/log/*log",
                job         = "varlogs",
        }]
 }
 loki.source.file "system" {
        targets    = local.file_match.system.targets
        forward_to = [loki.write.loki.receiver]
 }
 loki.source.docker "containers" {
        host       = env("DOCKER_HOST")
        targets    = discovery.docker.rinoadocker.targets
        forward_to = [loki.write.loki.receiver]
        labels     = {
                job = "containerlogs",
        }
 }
 loki.process "containers" {
        forward_to = [loki.write.loki.receiver]
        // stage.docker {}
        stage.json {
 		expressions = {
 			attrs  = "",
 			output = "log",
 			stream = "stream",
 		}
 	}
 	stage.json {
 		expressions = {
 			tag = "",
 		}
 		source = "attrs"
 	}
 	stage.regex {
 		expression = "(?P<image_name>(?:[^|]*[^|])).(?P<container_name>(?:[^|]*[^|])).(?P<image_id>(?:[^|]*[^|])).(?P<container_id>(?:[^|]*[^|]))"
 		source     = "tag"
 	}
 	stage.timestamp {
 		source = "time"
 		format = "RFC3339Nano"
 	}
 	stage.labels {
 		values = {
 			container_id   = null,
 			container_name = null,
 			image_id       = null,
 			image_name     = null,
 			stream         = null,
 			tag            = null,
 		}
 	}
 	stage.output {
 		source = "output"
 	}
 }
 /////////////////////////////////////////////////////////////////////////////////////////////////////////////
 // Traces
 /////////////////////////////////////////////////////////////////////////////////////////////////////////////
 beyla.ebpf "rinoadocker" {
    open_port = "80-65535"
    routes {
        unmatched = "heauristic"
    }
    output {
        traces = [
            otelcol.connector.servicegraph.tracemetrics.input,
            otelcol.connector.spanmetrics.tracemetrics.input,
            otelcol.processor.batch.default.input,
            otelcol.connector.spanlogs.autologging.input,
        ]
    }
 }
 prometheus.scrape "beyla" { 
    targets = beyla.ebpf.rinoadocker.targets
    forward_to = [prometheus.remote_write.mimir.receiver]
 }
 otelcol.auth.headers "tempo" {
    header {
        key = "Authorization"
        value = join(["Basic ", json_path(local.file.endpoints.content, ".traces.basicAuthToken")[0]], "")
    }
 }
 otelcol.processor.batch "default" {
    // Wait until we've received 16K of data.
    send_batch_size = 16384
    send_batch_max_size = 16384
    // Or until 2 seconds have elapsed.
    timeout = "2s"
    // When the Agent has enough batched data, send it to the OpenTelemetry exporter named 'tempo'.
    output {
        traces = [otelcol.exporter.otlp.tempo.input]
    }
 }
 otelcol.exporter.otlp "tempo" {
    // Define the client for exporting.
    client {
        // Authentication block.
        auth = otelcol.auth.headers.tempo.handler
        // Send to the locally running Tempo instance, on port 4317 (OTLP gRPC).
        endpoint = json_path(local.file.endpoints.content, ".traces.url")[0]
        // Configure TLS settings for communicating with the endpoint.
        tls {
            // The connection is insecure.
            insecure = json_path(local.file.endpoints.content, ".traces.tls.insecure")[0]
            // Do not verify TLS certificates when connecting.
            insecure_skip_verify = json_path(local.file.endpoints.content, ".traces.tls.insecureSkipVerify")[0]
        }
    }
 }
 otelcol.connector.spanlogs "autologging" {
    // We only want to output a line for each root span (ie. every single trace), and not for every
    // process or span (outputting a line for every span would be extremely verbose).
    spans = false
    roots = true
    processes = false
    // We want to ensure that the following three span attributes are included in the log line, if
    // present.
    span_attributes = [ "http.method", "http.target", "http.status_code" ]
    // Overrides the default key in the log line to be `traceId`, which is then used by Grafana to
    // identify the trace ID for correlation with the Tempo datasource.
    overrides {
        trace_id_key = "traceId"
    }
    // Send to the OpenTelemetry Loki exporter.
    output {
        logs = [otelcol.exporter.loki.autologging.input]
    }
 }
 // Simply forwards the incoming OpenTelemetry log format out as a Loki log.
 // We need this stage to ensure we can then process the logline as a Loki object.
 otelcol.exporter.loki "autologging" {
    forward_to = [loki.process.autologging.receiver]
 }
 // The Loki processor allows us to accept a correctly formatted Loki log and mutate it into
 // a set of fields for output.
 loki.process "autologging" {
    // The JSON stage simply extracts the `body` (the actual logline) from the Loki log, ignoring
    // all other fields.
    stage.json {
        expressions = { "body" = "" }
    }
    // The output stage takes the body (the main logline) and uses this as the source for the output
    // logline. In this case, it essentially turns it into logfmt.
    stage.output {
        source = "body"
    }
    // Finally send the processed logline onto the Loki exporter.
    forward_to = [loki.write.autologging.receiver]
 }
 // The Loki writer receives a processed Loki log and then writes it to a Loki instance.
 loki.write "autologging" {
    // Add the `agent` value to the `job` label, so we can identify it as having been generated
    // by Grafana Agent when querying.
    external_labels = {
        job = "agent",
    }
    // Output the Loki log to the local Loki instance.
    endpoint {
        url = json_path(local.file.endpoints.content, ".logs.url")[0]
        // The basic auth credentials for the Loki instance.
        basic_auth {
            username = json_path(local.file.endpoints.content, ".logs.basicAuth.username")[0]
            password = json_path(local.file.endpoints.content, ".logs.basicAuth.password")[0]
        }
    }
 }
 // The Tail Sampling processor will use a set of policies to determine which received traces to keep
 // and send to Tempo.
 otelcol.processor.tail_sampling "errors" {
    // Total wait time from the start of a trace before making a sampling decision. Note that smaller time
    // periods can potentially cause a decision to be made before the end of a trace has occurred.
    decision_wait = "30s"
    // The following policies follow a logical OR pattern, meaning that if any of the policies match,
    // the trace will be kept. For logical AND, you can use the `and` policy. Every span of a trace is
    // examined by each policy in turn. A match will cause a short-circuit.
    // This policy defines that traces that contain errors should be kept.
    policy {
        // The name of the policy can be used for logging purposes.
        name = "sample-erroring-traces"
        // The type must match the type of policy to be used, in this case examing the status code
        // of every span in the trace.
        type = "status_code"
        // This block determines the error codes that should match in order to keep the trace,
        // in this case the OpenTelemetry 'ERROR' code.
        status_code {
            status_codes = [ "ERROR" ]
        }
    }
    // This policy defines that only traces that are longer than 200ms in total should be kept.
    policy {
        // The name of the policy can be used for logging purposes.
        name = "sample-long-traces"
        // The type must match the policy to be used, in this case the total latency of the trace.
        type = "latency"
        // This block determines the total length of the trace in milliseconds.
        latency {
            threshold_ms = 200
        }
    }
    // The output block forwards the kept traces onto the batch processor, which will marshall them
    // for exporting to Tempo.
    output {
        traces = [otelcol.processor.batch.default.input]
    }
 }
 // The Spanmetrics Connector will generate RED metrics based on the incoming trace span data.
 otelcol.connector.spanmetrics "tracemetrics" {
    // The namespace explicit adds a prefix to all the generated span metrics names.
    // In this case, we'll ensure they match as closely as possible those generated by Tempo.
    namespace = "traces.spanmetrics"
    // Each extra dimension (metrics label) to be added to the generated metrics from matching span attributes. These
    // need to be defined with a name and optionally a default value (in the following cases, we do not want a default
    // value if the span attribute is not present).
    dimension {
        name = "http.method"
    }
    dimension {
        name = "http.target"
    }
    dimension {
        name = "http.status_code"
    }
    dimension {
        name = "service.version"
    }
    // A histogram block must be present, either explicitly defining bucket values or via an exponential block.
    // We do the latter here.
    histogram {
        explicit {
        }
    }
    // The exemplar block is added to ensure we generate exemplars for traces on relevant metric values.
    exemplars {
        enabled = true
    }
    // Generated metrics data is in OTLP format. We send this data to the OpenTelemetry Prometheus exporter to ensure
    // it gets transformed into Prometheus format data.
    output {
        metrics = [otelcol.exporter.prometheus.tracemetrics.input]
    }
 }
 // The Servicegraph Connector will generate service graph metrics (edges and nodes) based on incoming trace spans.
 otelcol.connector.servicegraph "tracemetrics" {
    // Extra dimensions (metrics labels) to be added to the generated metrics from matching span attributes.
    // For this component, this is defined as an array. There are no default values and the labels will not be generated
    // for missing span attributes.
    dimensions = [
        "http.method",
        "http.target",
        "http.status_code",
        "service.version",
    ]
    // Generated metrics data is in OTLP format. We send this data to the OpenTelemetry Prometheus exporter to ensure
    // it gets transformed into Prometheus format data.
    output {
        metrics = [otelcol.exporter.prometheus.tracemetrics.input]
    }
 }
 otelcol.exporter.prometheus "tracemetrics" {
    // Forward to our local Prometheus remote writer which will send the metrics to Mimir.
    forward_to = [prometheus.remote_write.mimir.receiver]
 }
 /////////////////////////////////////////////////////////////////////////////////////////////////////////////
 // Profiling
 /////////////////////////////////////////////////////////////////////////////////////////////////////////////
 pyroscope.write "pyroscope" {
        endpoint {
                url = json_path(local.file.endpoints.content, ".profiles.url")[0]
                basic_auth {
                        username = json_path(local.file.endpoints.content, ".profiles.basicAuth.username")[0]
                        password = json_path(local.file.endpoints.content, ".profiles.basicAuth.password")[0]
                }
        }
        external_labels = {}
 }
 pyroscope.ebpf "rinoadocker" {
        forward_to = [pyroscope.write.pyroscope.receiver]
        targets = discovery.docker.rinoadocker.targets
 }
@@ -0,0 +1,34 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 {
    "metrics": {
        "url": "http://grafana-mimir:9009/api/v1/push",
        "basicAuth": {
            "username": "",
            "password": ""
        }
    },
    "logs": {
        "url": "http://grafana-loki:3100/loki/api/v1/push",
        "basicAuth": {
            "username": "",
            "password": ""
        }
    },
    "traces": {
        "url": "http://grafana-tempo:4317",
        "basicAuthToken": "",
        "tls": {
            "insecure": true,
            "insecureSkipVerify": true
        }
    },
    "profiles": {
        "url": "http://grafana-pyroscope:4040",
        "basicAuth": {
            "username": "",
            "password": ""
        }
    }
 }
@@ -0,0 +1,7 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 routes:
  patterns:
    - /*
  unmatched: heuristic
@@ -0,0 +1,77 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 multitenancy_enabled: false
 no_auth_tenant: rinoa_mimir
 # target: query-frontend
 # api:
 #   prometheus_http_prefix: '/prometheus'
 server:
  http_listen_port: 9009
 # frontend:
 #   split_queries_by_interval: 24h
 #   align_queries_with_step: true
  # cache_results: true
  # results_cache:
  #   backend: "memcached"
  #   memcached:
  #     addresses: "memcached-mimir:11211"
 #   downstream_url: http://grafana-agent:12345
 common:
  storage:
    backend: s3
    s3:
      endpoint: minio:9000
      access_key_id: "Q8KAihuXtGgmretKNh7C"
      secret_access_key: "hOlRODtnvFlNlL26Bj3GizZG6Ys3rlpG8p6Vo3NX"
      bucket_name: "mimir"
      insecure: true
 blocks_storage:
  storage_prefix: rinoa
  tsdb:
    dir: /tmp/mimir/tsdb
 memberlist:
  tls_enabled: false
 compactor:
  # Directory to temporarily store blocks underdoing compaction.
  data_dir: /tmp/mimir/compactor
  # The sharding ring type used to share the hashed ring for the compactor.
  sharding_ring:
    # Use memberlist backend store (the default).
    kvstore:
      store: memberlist
 # The distributor receives incoming metrics data for the system.
 distributor:
  # The ring to share hash ring data across instances.
  ring:
    # The address advertised in the ring. Localhost.
    instance_addr: 127.0.0.1
    # Use memberlist backend store (the default).
    kvstore:
      store: memberlist
 # The ingester receives data from the distributor and processes it into indices and blocks.
 ingester:
  # The ring to share hash ring data across instances.
  ring:
    # The address advertised in the ring. Localhost.
    instance_addr: 127.0.0.1
    # Use memberlist backend store (the default).
    kvstore:
      store: memberlist
    # Only run one instance of the ingesters.
    # Note: It is highly recommended to run more than one ingester in production, the default is an RF of 3.
    replication_factor: 1
 # The store gateway block configures gateway storage.
 store_gateway:
  # Configuration for the hash ring.
  sharding_ring:
    # Only run a single instance. In production setups, the replication factor must
    # be set on the querier and ruler as well.
    replication_factor: 1
@@ -0,0 +1,12 @@
 storage:
  backend: s3
  s3:
    bucket_name: pyroscope
    endpoint: minio:9000
    region: us-east-fh-pln
    access_key_id: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MINIO_PYROSCOPE_STORAGE_ACCESS_KEY'] }}
    secret_access_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MINIO_PYROSCOPE_STORAGE_SECRET_KEY'] }}
    insecure: true
 analytics:
  reporting_enabled: false
@@ -0,0 +1,787 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 target: all
 http_api_prefix: ""
 autocomplete_filtering_enabled: true
 server:
    http_listen_network: tcp
    http_listen_address: ""
    http_listen_port: 80
    http_listen_conn_limit: 0
    grpc_listen_network: tcp
    grpc_listen_address: ""
    grpc_listen_port: 9095
    grpc_listen_conn_limit: 0
    tls_cipher_suites: ""
    tls_min_version: ""
    http_tls_config:
        cert: ""
        key: null
        client_ca: ""
        cert_file: ""
        key_file: ""
        client_auth_type: ""
        client_ca_file: ""
    grpc_tls_config:
        cert: ""
        key: null
        client_ca: ""
        cert_file: ""
        key_file: ""
        client_auth_type: ""
        client_ca_file: ""
    register_instrumentation: true
    report_grpc_codes_in_instrumentation_label_enabled: false
    graceful_shutdown_timeout: 30s
    http_server_read_timeout: 30s
    http_server_read_header_timeout: 0s
    http_server_write_timeout: 30s
    http_server_idle_timeout: 2m0s
    http_log_closed_connections_without_response_enabled: false
    grpc_server_max_recv_msg_size: 16777216
    grpc_server_max_send_msg_size: 16777216
    grpc_server_max_concurrent_streams: 100
    grpc_server_max_connection_idle: 2562047h47m16.854775807s
    grpc_server_max_connection_age: 2562047h47m16.854775807s
    grpc_server_max_connection_age_grace: 2562047h47m16.854775807s
    grpc_server_keepalive_time: 2h0m0s
    grpc_server_keepalive_timeout: 20s
    grpc_server_min_time_between_pings: 10s
    grpc_server_ping_without_stream_allowed: true
    grpc_server_num_workers: 0
    log_format: logfmt
    log_level: info
    log_source_ips_enabled: false
    log_source_ips_header: ""
    log_source_ips_regex: ""
    log_request_headers: false
    log_request_at_info_level_enabled: false
    log_request_exclude_headers_list: ""
    http_path_prefix: ""
 internal_server:
    http_listen_network: tcp
    http_listen_address: ""
    http_listen_port: 3101
    http_listen_conn_limit: 0
    grpc_listen_network: ""
    grpc_listen_address: ""
    grpc_listen_port: 0
    grpc_listen_conn_limit: 0
    tls_cipher_suites: ""
    tls_min_version: ""
    http_tls_config:
        cert: ""
        key: null
        client_ca: ""
        cert_file: ""
        key_file: ""
        client_auth_type: ""
        client_ca_file: ""
    grpc_tls_config:
        cert: ""
        key: null
        client_ca: ""
        cert_file: ""
        key_file: ""
        client_auth_type: ""
        client_ca_file: ""
    register_instrumentation: false
    report_grpc_codes_in_instrumentation_label_enabled: false
    graceful_shutdown_timeout: 30s
    http_server_read_timeout: 30s
    http_server_read_header_timeout: 0s
    http_server_write_timeout: 30s
    http_server_idle_timeout: 2m0s
    http_log_closed_connections_without_response_enabled: false
    grpc_server_max_recv_msg_size: 0
    grpc_server_max_send_msg_size: 0
    grpc_server_max_concurrent_streams: 0
    grpc_server_max_connection_idle: 0s
    grpc_server_max_connection_age: 0s
    grpc_server_max_connection_age_grace: 0s
    grpc_server_keepalive_time: 0s
    grpc_server_keepalive_timeout: 0s
    grpc_server_min_time_between_pings: 0s
    grpc_server_ping_without_stream_allowed: false
    grpc_server_num_workers: 0
    log_format: logfmt
    log_level: info
    log_source_ips_enabled: false
    log_source_ips_header: ""
    log_source_ips_regex: ""
    log_request_headers: false
    log_request_at_info_level_enabled: false
    log_request_exclude_headers_list: ""
    http_path_prefix: ""
    enable: false
 distributor:
    ring:
        kvstore:
            store: memberlist
            prefix: collectors/
            consul:
                host: localhost:8500
                acl_token: ""
                http_client_timeout: 20s
                consistent_reads: false
                watch_rate_limit: 1
                watch_burst_size: 1
                cas_retry_delay: 1s
            etcd:
                endpoints: []
                dial_timeout: 10s
                max_retries: 10
                tls_enabled: false
                tls_cert_path: ""
                tls_key_path: ""
                tls_ca_path: ""
                tls_server_name: ""
                tls_insecure_skip_verify: false
                tls_cipher_suites: ""
                tls_min_version: ""
                username: ""
                password: ""
            multi:
                primary: ""
                secondary: ""
                mirror_enabled: false
                mirror_timeout: 2s
        heartbeat_period: 5s
        heartbeat_timeout: 5m0s
        instance_id: local-instance
        instance_interface_names:
            - eth0
            - en0
        instance_port: 0
        instance_addr: ""
    receivers: {}
    override_ring_key: distributor
    forwarders: []
    extend_writes: true
    retry_after_on_resource_exhausted: 0s
 ingester_client:
    pool_config:
        checkinterval: 15s
        healthcheckenabled: true
        healthchecktimeout: 1s
        maxconcurrenthealthchecks: 0
    remote_timeout: 5s
    grpc_client_config:
        max_recv_msg_size: 104857600
        max_send_msg_size: 104857600
        grpc_compression: snappy
        rate_limit: 0
        rate_limit_burst: 0
        backoff_on_ratelimits: false
        backoff_config:
            min_period: 100ms
            max_period: 10s
            max_retries: 10
        initial_stream_window_size: 63KiB1023B
        initial_connection_window_size: 63KiB1023B
        tls_enabled: false
        tls_cert_path: ""
        tls_key_path: ""
        tls_ca_path: ""
        tls_server_name: ""
        tls_insecure_skip_verify: false
        tls_cipher_suites: ""
        tls_min_version: ""
        connect_timeout: 5s
        connect_backoff_base_delay: 1s
        connect_backoff_max_delay: 5s
 metrics_generator_client:
    pool_config:
        checkinterval: 15s
        healthcheckenabled: true
        healthchecktimeout: 1s
        maxconcurrenthealthchecks: 0
    remote_timeout: 5s
    grpc_client_config:
        max_recv_msg_size: 104857600
        max_send_msg_size: 104857600
        grpc_compression: snappy
        rate_limit: 0
        rate_limit_burst: 0
        backoff_on_ratelimits: false
        backoff_config:
            min_period: 100ms
            max_period: 10s
            max_retries: 10
        initial_stream_window_size: 63KiB1023B
        initial_connection_window_size: 63KiB1023B
        tls_enabled: false
        tls_cert_path: ""
        tls_key_path: ""
        tls_ca_path: ""
        tls_server_name: ""
        tls_insecure_skip_verify: false
        tls_cipher_suites: ""
        tls_min_version: ""
        connect_timeout: 5s
        connect_backoff_base_delay: 1s
        connect_backoff_max_delay: 5s
 querier:
    search:
        query_timeout: 30s
        prefer_self: 10
        external_hedge_requests_at: 8s
        external_hedge_requests_up_to: 2
        external_backend: ""
        google_cloud_run: null
        external_endpoints: []
    trace_by_id:
        query_timeout: 10s
    max_concurrent_queries: 20
    frontend_worker:
        frontend_address: 127.0.0.1:9095
        dns_lookup_duration: 10s
        parallelism: 2
        match_max_concurrent: true
        id: ""
        grpc_client_config:
            max_recv_msg_size: 104857600
            max_send_msg_size: 16777216
            grpc_compression: gzip
            rate_limit: 0
            rate_limit_burst: 0
            backoff_on_ratelimits: false
            backoff_config:
                min_period: 100ms
                max_period: 1s
                max_retries: 5
            initial_stream_window_size: 0B
            initial_connection_window_size: 0B
            tls_enabled: false
            tls_cert_path: ""
            tls_key_path: ""
            tls_ca_path: ""
            tls_server_name: ""
            tls_insecure_skip_verify: false
            tls_cipher_suites: ""
            tls_min_version: ""
            connect_timeout: 0s
            connect_backoff_base_delay: 0s
            connect_backoff_max_delay: 0s
    query_relevant_ingesters: false
 query_frontend:
    max_outstanding_per_tenant: 2000
    querier_forget_delay: 0s
    max_batch_size: 5
    max_retries: 2
    search:
        concurrent_jobs: 1000
        target_bytes_per_job: 104857600
        default_result_limit: 20
        max_result_limit: 0
        max_duration: 168h0m0s
        query_backend_after: 15m0s
        query_ingesters_until: 30m0s
    trace_by_id:
        query_shards: 50
        hedge_requests_at: 2s
        hedge_requests_up_to: 2
    metrics:
        concurrent_jobs: 1000
        target_bytes_per_job: 104857600
        max_duration: 0s
        query_backend_after: 1h0m0s
        interval: 5m0s
    multi_tenant_queries_enabled: true
 compactor:
    ring:
        kvstore:
            store: ""
            prefix: collectors/
            consul:
                host: localhost:8500
                acl_token: ""
                http_client_timeout: 20s
                consistent_reads: false
                watch_rate_limit: 1
                watch_burst_size: 1
                cas_retry_delay: 1s
            etcd:
                endpoints: []
                dial_timeout: 10s
                max_retries: 10
                tls_enabled: false
                tls_cert_path: ""
                tls_key_path: ""
                tls_ca_path: ""
                tls_server_name: ""
                tls_insecure_skip_verify: false
                tls_cipher_suites: ""
                tls_min_version: ""
                username: ""
                password: ""
            multi:
                primary: ""
                secondary: ""
                mirror_enabled: false
                mirror_timeout: 2s
        heartbeat_period: 5s
        heartbeat_timeout: 1m0s
        wait_stability_min_duration: 1m0s
        wait_stability_max_duration: 5m0s
        instance_id: local-instance
        instance_interface_names:
            - eth0
            - en0
        instance_port: 0
        instance_addr: ""
        enable_inet6: false
        wait_active_instance_timeout: 10m0s
    compaction:
        v2_in_buffer_bytes: 5242880
        v2_out_buffer_bytes: 20971520
        v2_prefetch_traces_count: 1000
        compaction_window: 1h0m0s
        max_compaction_objects: 6000000
        max_block_bytes: 107374182400
        block_retention: 336h0m0s
        compacted_block_retention: 1h0m0s
        retention_concurrency: 10
        max_time_per_tenant: 5m0s
        compaction_cycle: 30s
    override_ring_key: compactor
 ingester:
    lifecycler:
        ring:
            kvstore:
                store: inmemory
                prefix: collectors/
                consul:
                    host: localhost:8500
                    acl_token: ""
                    http_client_timeout: 20s
                    consistent_reads: false
                    watch_rate_limit: 1
                    watch_burst_size: 1
                    cas_retry_delay: 1s
                etcd:
                    endpoints: []
                    dial_timeout: 10s
                    max_retries: 10
                    tls_enabled: false
                    tls_cert_path: ""
                    tls_key_path: ""
                    tls_ca_path: ""
                    tls_server_name: ""
                    tls_insecure_skip_verify: false
                    tls_cipher_suites: ""
                    tls_min_version: ""
                    username: ""
                    password: ""
                multi:
                    primary: ""
                    secondary: ""
                    mirror_enabled: false
                    mirror_timeout: 2s
            heartbeat_timeout: 5m0s
            replication_factor: 1
            zone_awareness_enabled: false
            excluded_zones: ""
        num_tokens: 128
        heartbeat_period: 5s
        heartbeat_timeout: 1m0s
        observe_period: 0s
        join_after: 0s
        min_ready_duration: 15s
        interface_names:
            - en0
            - bridge100
        enable_inet6: false
        final_sleep: 0s
        tokens_file_path: ""
        availability_zone: ""
        unregister_on_shutdown: true
        readiness_check_ring_health: true
        address: 127.0.0.1
        port: 0
        id: local-instance
    concurrent_flushes: 4
    flush_check_period: 10s
    flush_op_timeout: 5m0s
    trace_idle_period: 10s
    max_block_duration: 30m0s
    max_block_bytes: 524288000
    complete_block_timeout: 15m0s
    override_ring_key: ring
    flush_all_on_shutdown: false
 metrics_generator:
    ring:
        kvstore:
            store: inmemory
            prefix: collectors/
            consul:
                host: localhost:8500
                acl_token: ""
                http_client_timeout: 20s
                consistent_reads: false
                watch_rate_limit: 1
                watch_burst_size: 1
                cas_retry_delay: 1s
            etcd:
                endpoints: []
                dial_timeout: 10s
                max_retries: 10
                tls_enabled: false
                tls_cert_path: ""
                tls_key_path: ""
                tls_ca_path: ""
                tls_server_name: ""
                tls_insecure_skip_verify: false
                tls_cipher_suites: ""
                tls_min_version: ""
                username: ""
                password: ""
            multi:
                primary: ""
                secondary: ""
                mirror_enabled: false
                mirror_timeout: 2s
        heartbeat_period: 5s
        heartbeat_timeout: 1m0s
        instance_id: local-instance
        instance_interface_names:
            - eth0
            - en0
        instance_addr: 127.0.0.1
        instance_port: 0
        enable_inet6: false
    processor:
        service_graphs:
            wait: 10s
            max_items: 10000
            workers: 10
            histogram_buckets:
                - 0.1
                - 0.2
                - 0.4
                - 0.8
                - 1.6
                - 3.2
                - 6.4
                - 12.8
            dimensions: []
            enable_client_server_prefix: false
            peer_attributes:
                - peer.service
                - db.name
                - db.system
            span_multiplier_key: ""
        span_metrics:
            histogram_buckets:
                - 0.002
                - 0.004
                - 0.008
                - 0.016
                - 0.032
                - 0.064
                - 0.128
                - 0.256
                - 0.512
                - 1.024
                - 2.048
                - 4.096
                - 8.192
                - 16.384
            intrinsic_dimensions:
                service: true
                span_name: true
                span_kind: true
                status_code: true
            dimensions: []
            dimension_mappings: []
            enable_target_info: false
            span_multiplier_key: ""
            subprocessors:
                0: true
                1: true
                2: true
            filter_policies: []
            target_info_excluded_dimensions: []
        local_blocks:
            block:
                bloom_filter_false_positive: 0.01
                bloom_filter_shard_size_bytes: 102400
                version: vParquet3
                search_encoding: snappy
                search_page_size_bytes: 1048576
                v2_index_downsample_bytes: 1048576
                v2_index_page_size_bytes: 256000
                v2_encoding: zstd
                parquet_row_group_size_bytes: 100000000
                parquet_dedicated_columns: []
            search:
                chunk_size_bytes: 1000000
                prefetch_trace_count: 1000
                read_buffer_count: 32
                read_buffer_size_bytes: 1048576
                cache_control:
                    footer: false
                    column_index: false
                    offset_index: false
            flush_check_period: 10s
            trace_idle_period: 10s
            max_block_duration: 1m0s
            max_block_bytes: 500000000
            complete_block_timeout: 1h0m0s
            max_live_traces: 0
            concurrent_blocks: 10
            filter_server_spans: true
    registry:
        collection_interval: 15s
        stale_duration: 15m0s
        max_label_name_length: 1024
        max_label_value_length: 2048
    storage:
        path: ""
        wal:
            wal_segment_size: 134217728
            wal_compression: none
            stripe_size: 16384
            truncate_frequency: 2h0m0s
            min_wal_time: 300000
            max_wal_time: 14400000
            no_lockfile: false
        remote_write_flush_deadline: 1m0s
        remote_write_add_org_id_header: true
    traces_storage:
        path: ""
        completedfilepath: ""
        blocksfilepath: ""
        v2_encoding: none
        search_encoding: none
        ingestion_time_range_slack: 0s
        version: vParquet3
    metrics_ingestion_time_range_slack: 30s
    query_timeout: 30s
    override_ring_key: metrics-generator
 storage:
    trace:
        pool:
            max_workers: 400
            queue_depth: 20000
        wal:
            path: /tmp/tempo/wal
            completedfilepath: /tmp/tempo/wal/completed
            blocksfilepath: /tmp/tempo/wal/blocks
            v2_encoding: snappy
            search_encoding: none
            ingestion_time_range_slack: 2m0s
            version: vParquet3
        block:
            bloom_filter_false_positive: 0.01
            bloom_filter_shard_size_bytes: 102400
            version: vParquet3
            search_encoding: snappy
            search_page_size_bytes: 1048576
            v2_index_downsample_bytes: 1048576
            v2_index_page_size_bytes: 256000
            v2_encoding: zstd
            parquet_row_group_size_bytes: 100000000
            parquet_dedicated_columns: []
        search:
            chunk_size_bytes: 1000000
            prefetch_trace_count: 1000
            read_buffer_count: 32
            read_buffer_size_bytes: 1048576
            cache_control:
                footer: false
                column_index: false
                offset_index: false
        blocklist_poll: 5m0s
        blocklist_poll_concurrency: 50
        blocklist_poll_fallback: true
        blocklist_poll_tenant_index_builders: 2
        blocklist_poll_stale_tenant_index: 0s
        blocklist_poll_jitter_ms: 0
        blocklist_poll_tolerate_consecutive_errors: 1
        backend: local
        local:
            path: /tmp/tempo/traces
        gcs:
            bucket_name: ""
            prefix: ""
            chunk_buffer_size: 10485760
            endpoint: ""
            hedge_requests_at: 0s
            hedge_requests_up_to: 2
            insecure: false
            object_cache_control: ""
            object_metadata: {}
            list_blocks_concurrency: 3
        s3:
            tls_cert_path: ""
            tls_key_path: ""
            tls_ca_path: ""
            tls_server_name: ""
            tls_insecure_skip_verify: false
            tls_cipher_suites: ""
            tls_min_version: VersionTLS12
            bucket: ""
            prefix: ""
            endpoint: ""
            region: ""
            access_key: ""
            secret_key: ""
            session_token: ""
            insecure: false
            part_size: 0
            hedge_requests_at: 0s
            hedge_requests_up_to: 2
            signature_v2: false
            forcepathstyle: false
            bucket_lookup_type: 0
            tags: {}
            storage_class: ""
            metadata: {}
            native_aws_auth_enabled: false
            list_blocks_concurrency: 3
        azure:
            storage_account_name: ""
            storage_account_key: ""
            use_managed_identity: false
            use_federated_token: false
            user_assigned_id: ""
            container_name: ""
            prefix: ""
            endpoint_suffix: blob.core.windows.net
            max_buffers: 4
            buffer_size: 3145728
            hedge_requests_at: 0s
            hedge_requests_up_to: 2
            use_v2_sdk: false
        cache: ""
        background_cache:
            writeback_goroutines: 10
            writeback_buffer: 10000
        memcached: null
        redis: null
        cache_min_compaction_level: 0
        cache_max_block_age: 0s
 overrides:
    defaults:
        ingestion:
            rate_strategy: local
            rate_limit_bytes: 15000000
            burst_size_bytes: 20000000
            max_traces_per_user: 10000
        read:
            max_bytes_per_tag_values_query: 5000000
        global:
            max_bytes_per_trace: 5000000
    per_tenant_override_config: ""
    per_tenant_override_period: 10s
    user_configurable_overrides:
        enabled: false
        poll_interval: 1m0s
        client:
            backend: ""
            confirm_versioning: true
            local:
                path: ""
            gcs:
                bucket_name: ""
                prefix: ""
                chunk_buffer_size: 10485760
                endpoint: ""
                hedge_requests_at: 0s
                hedge_requests_up_to: 2
                insecure: false
                object_cache_control: ""
                object_metadata: {}
                list_blocks_concurrency: 3
            s3:
                tls_cert_path: ""
                tls_key_path: ""
                tls_ca_path: ""
                tls_server_name: ""
                tls_insecure_skip_verify: false
                tls_cipher_suites: ""
                tls_min_version: VersionTLS12
                bucket: ""
                prefix: ""
                endpoint: ""
                region: ""
                access_key: ""
                secret_key: ""
                session_token: ""
                insecure: false
                part_size: 0
                hedge_requests_at: 0s
                hedge_requests_up_to: 2
                signature_v2: false
                forcepathstyle: false
                bucket_lookup_type: 0
                tags: {}
                storage_class: ""
                metadata: {}
                native_aws_auth_enabled: false
                list_blocks_concurrency: 3
            azure:
                storage_account_name: ""
                storage_account_key: ""
                use_managed_identity: false
                use_federated_token: false
                user_assigned_id: ""
                container_name: ""
                prefix: ""
                endpoint_suffix: blob.core.windows.net
                max_buffers: 4
                buffer_size: 3145728
                hedge_requests_at: 0s
                hedge_requests_up_to: 2
                use_v2_sdk: false
        api:
            check_for_conflicting_runtime_overrides: false
 memberlist:
    node_name: ""
    randomize_node_name: true
    stream_timeout: 2s
    retransmit_factor: 2
    pull_push_interval: 30s
    gossip_interval: 1s
    gossip_nodes: 2
    gossip_to_dead_nodes_time: 30s
    dead_node_reclaim_time: 0s
    compression_enabled: false
    advertise_addr: ""
    advertise_port: 7946
    cluster_label: ""
    cluster_label_verification_disabled: false
    join_members: []
    min_join_backoff: 1s
    max_join_backoff: 1m0s
    max_join_retries: 10
    abort_if_cluster_join_fails: false
    rejoin_interval: 0s
    left_ingesters_timeout: 5m0s
    leave_timeout: 20s
    message_history_buffer_bytes: 0
    bind_addr: []
    bind_port: 7946
    packet_dial_timeout: 2s
    packet_write_timeout: 5s
    tls_enabled: false
    tls_cert_path: ""
    tls_key_path: ""
    tls_ca_path: ""
    tls_server_name: ""
    tls_insecure_skip_verify: false
    tls_cipher_suites: ""
    tls_min_version: ""
 usage_report:
    reporting_enabled: true
    backoff:
        min_period: 100ms
        max_period: 10s
        max_retries: 0
 cache:
    background:
        writeback_goroutines: 10
        writeback_buffer: 10000
    caches: []
@@ -0,0 +1,54 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 server:
  http_listen_port: 3200
 distributor:
  receivers:                           # this configuration will listen on all ports and protocols that tempo is capable of.
    jaeger:                            # the receives all come from the OpenTelemetry collector.  more configuration information can
      protocols:                       # be found there: https://github.com/open-telemetry/opentelemetry-collector/tree/main/receiver
        thrift_http:                   #
        grpc:                          # for a production deployment you should only enable the receivers you need!
        thrift_binary:
        thrift_compact:
    zipkin:
    otlp:
      protocols:
        http:
        grpc:
    opencensus:
 ingester:
  max_block_duration: 5m               # cut the headblock when this much time passes. this is being set for demo purposes and should probably be left alone normally
 compactor:
  compaction:
    block_retention: 1h                # overall Tempo trace retention. set for demo purposes
 # metrics_generator:
 #   registry:
 #     external_labels:
 #       source: tempo
 #       cluster: docker-compose
 #   storage:
 #     path: /tmp/tempo/generator/wal
 #     remote_write:
 #       - url: http://grafana-alloy:12345/api/v1/write
 #         send_exemplars: true
 storage:
  trace:
    backend: s3                        # backend configuration to use
    wal:
      path: /tmp/tempo/wal             # where to store the the wal locally
    s3:
      bucket: tempo                    # how to store data in s3
      endpoint: minio:9000
      access_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MINIO_TEMPO_STORAGE_ACCESS_KEY'] }}
      secret_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MINIO_TEMPO_STORAGE_SECRET_KEY'] }}
      insecure: true
 usage_report:
  reporting_enabled: false
@@ -0,0 +1,22 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 ---
 # For configuration options and examples, please see:
 # https://gethomepage.dev/en/configs/bookmarks
 #- Developer:
 #    - Github:
 #        - abbr: GH
 #          href: https://github.com/
 #
 #- Social:
 #    - Reddit:
 #        - abbr: RE
 #          href: https://reddit.com/
 #
 #- Entertainment:
 #    - YouTube:
 #        - abbr: YT
 #          href: https://youtube.com/
@@ -0,0 +1,15 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 ---
 # For configuration options and examples, please see:
 # https://gethomepage.dev/en/configs/docker/
 # my-docker:
 #   host: 127.0.0.1
 #   port: 2375
 my-docker:
   host: dockerproxy
   port: 2375
@@ -0,0 +1,6 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 ---
 # sample kubernetes config
@@ -0,0 +1,33 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 ---
 # For configuration options and examples, please see:
 # https://gethomepage.dev/en/configs/services
 #- My First Group:
 #    - My First Service:
 #        href: http://localhost/
 #        description: Homepage is awesome
 #
 #- My Second Group:
 #    - My Second Service:
 #        href: http://localhost/
 #        description: Homepage is the best
 #
 #- My Third Group:
 #    - My Third Service:
 #        href: http://localhost/
 #        description: Homepage is 😎
 - Automation:
    - Home Assistant (Rikku):
        href: https://ha.trez.wtf
        description: Smart Home
        icon: home-assistant.png
        weight: 0
        widget:
            type: homeassistant
            url: http://192.168.1.252:8123
            key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['HOMEPAGE_HOME_ASSISTANT_API_KEY'] }}
@@ -0,0 +1,56 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 ---
 # For configuration options and examples, please see:
 # https://gethomepage.dev/en/configs/settings
 providers:
  openweathermap: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['HOMEPAGE_OPENWEATHERMAP_API_KEY'] }}
  # weatherapi: weatherapiapikey
 title: Rinoa Dashboard (trez.WTF)
 headerStyle: underlined
 color: slate
 showStats: false
 statusStyle: "dot"
 favicon: /icons/favicon.ico
 useEqualHeights: true
 hideErrors: false
 searchDescriptions: true
 showSearchSuggestions: true
 provider: duckduckgo
 layout:
  System Administration:
    style: row
    columns: 4
  Infrastructure/App Performance Monitoring:
    style: row
    columns: 3
  Code/DevOps:
    style: row
    columns: 3
  Social:
    style: row
    columns: 4
  Lifestyle:
    style: row
    columns: 3
  Automation:
    style: row
    columns: 5
  Privacy/Security:
    style: row
    columns: 5
  Personal/Professional Services:
    style: row
    columns: 5
  Servarr Stack:
    style: row
    columns: 3
  Downloaders:
    style: row
    columns: 2
  Media Library:
    style: row
    columns: 4
@@ -0,0 +1,33 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 ---
 # For configuration options and examples, please see:
 # https://gethomepage.dev/en/configs/widgets
 - resources:
    label: System
    cpu: true
    memory: true
    cputemp: true
    uptime: true
 - resources:
    label: Storage
    expanded: true
    disk:
        - /
        - /rinoa-storage
 - search:
    provider: custom
    url: https://search.trez.wtf/search?q=
    target: _blank
 - openweathermap:
    label: New York
    latitude: 40.72
    longitude: -73.85
    units: imperial
    provider: openweathermap
    cache: 10
@@ -0,0 +1,949 @@
 #########################################
 #
 #  Database and other external servers
 #
 #########################################
 ##
 ## Database configuration with separate parameters.
 ## This setting is MANDATORY, unless 'database_url' is used.
 ##
 db:
  user: kemal
  host: invidious-db
  port: 5432
  dbname: invidious
  password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_PG_DB_PASSWORD'] }}
 ##
 ## Database configuration using a single URI. This is an
 ## alternative to the 'db' parameter above. If both forms
 ## are used, then only database_url is used.
 ## This setting is MANDATORY, unless 'db' is used.
 ##
 ## Note: The 'database_url' setting allows the use of UNIX
 ## sockets. To do so, remove the IP address (or FQDN) and port
 ## and append the 'host' parameter. E.g:
 ##   postgres://kemal:kemal@/invidious?host=/var/run/postgresql
 ##
 ## Accepted values: a postgres:// URI
 ## Default: postgres://kemal:kemal@localhost:5432/invidious
 ##
 #database_url: postgres://kemal:kemal@localhost:5432/invidious
 ##
 ## Enable automatic table integrity check. This will create
 ## the required tables and columns if anything is missing.
 ##
 ## Accepted values: true, false
 ## Default: false
 ##
 check_tables: true
 ##
 ## Path to an external signature resolver, used to emulate
 ## the Youtube client's Javascript. If no such server is
 ## available, some videos will not be playable.
 ##
 ## When this setting is commented out, no external
 ## resolver will be used.
 ##
 ## Accepted values: a path to a UNIX socket or "<IP>:<Port>"
 ## Default: <none>
 ##
 signature_server: invidious-sig-helper:12999
 #########################################
 #
 #  Server config
 #
 #########################################
 # -----------------------------
 #  Network (inbound)
 # -----------------------------
 ##
 ## Port to listen on for incoming connections.
 ##
 ## Note: Ports lower than 1024 requires either root privileges
 ## (not recommended) or the "CAP_NET_BIND_SERVICE" capability
 ## (See https://stackoverflow.com/a/414258 and `man capabilities`)
 ##
 ## Accepted values: 1-65535
 ## Default: 3000
 ##
 #port: 3000
 ##
 ## When the invidious instance is behind a proxy, and the proxy
 ## listens on a different port than the instance does, this lets
 ## invidious know about it. This is used to craft absolute URLs
 ## to the instance (e.g in the API).
 ##
 ## Note: This setting is MANDATORY if invidious is behind a
 ## reverse proxy.
 ##
 ## Accepted values: 1-65535
 ## Default: <none>
 ##
 #external_port:
 ##
 ## Interface address to listen on for incoming connections.
 ##
 ## Accepted values: a valid IPv4 or IPv6 address.
 ## default: 0.0.0.0  (listen on all interfaces)
 ##
 #host_binding: 0.0.0.0
 ##
 ## Domain name under which this instance is hosted. This is
 ## used to craft absolute URLs to the instance (e.g in the API).
 ## The domain MUST be defined if your instance is accessed from
 ## a domain name (like 'example.com').
 ##
 ## Accepted values: a fully qualified domain name (FQDN)
 ## Default: <none>
 ##
 # domain:
 ##
 ## Tell Invidious that it is behind a proxy that provides only
 ## HTTPS, so all links must use the https:// scheme. This
 ## setting MUST be set to true if invidious is behind a
 ## reverse proxy serving HTTPs.
 ##
 ## Accepted values: true, false
 ## Default: false
 ##
 https_only: false
 ##
 ## Enable/Disable 'Strict-Transport-Security'. Make sure that
 ## the domain specified under 'domain' is served securely.
 ##
 ## Accepted values: true, false
 ## Default: true
 ##
 #hsts: true
 # -----------------------------
 #  Network (outbound)
 # -----------------------------
 ##
 ## Disable proxying server-wide. Can be disable as a whole, or
 ## only for a single function.
 ##
 ## Accepted values: true, false, dash, livestreams, downloads, local
 ## Default: false
 ##
 #disable_proxy: false
 ##
 ## Size of the HTTP pool used to connect to youtube. Each
 ## domain ('youtube.com', 'ytimg.com', ...) has its own pool.
 ##
 ## Accepted values: a positive integer
 ## Default: 100
 ##
 #pool_size: 100
 ##
 ## Additional cookies to be sent when requesting the youtube API.
 ##
 ## Accepted values: a string in the format "name1=value1; name2=value2..."
 ## Default: <none>
 ##
 #cookies:
 ##
 ## Force connection to youtube over a specific IP family.
 ##
 ## Note: This may sometimes resolve issues involving rate-limiting.
 ## See https://github.com/ytdl-org/youtube-dl/issues/21729.
 ##
 ## Accepted values: ipv4, ipv6
 ## Default: <none>
 ##
 #force_resolve:
 ##
 ## Configuration for using a HTTP proxy
 ##
 ## If unset, then no HTTP proxy will be used.
 ## 
 #http_proxy:
 #  user:
 #  password:
 #  host:
 #  port:
 ##
 ## Use Innertube's transcripts API instead of timedtext for closed captions
 ##
 ## Useful for larger instances as InnerTube is **not ratelimited**. See https://github.com/iv-org/invidious/issues/2567
 ##
 ## Subtitle experience may differ slightly on Invidious.
 ##
 ## Accepted values: true, false
 ## Default: false
 ##
 # use_innertube_for_captions: false
 ##
 ## Send Google session informations. This is useful when Invidious is blocked
 ## by the message "This helps protect our community."
 ## See https://github.com/iv-org/invidious/issues/4734.
 ##
 ## Warning: These strings gives much more identifiable information to Google!
 ##
 ## Accepted values: String
 ## Default: <none>
 ##
 po_token: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_PO_TOKEN'] }}
 visitor_data: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_VISITOR_DATA'] }}
 # -----------------------------
 #  Logging
 # -----------------------------
 ##
 ## Path to log file. Can be absolute or relative to the invidious
 ## binary. This is overridden if "-o OUTPUT" or "--output=OUTPUT"
 ## are passed on the command line.
 ##
 ## Accepted values: a filesystem path or 'STDOUT'
 ## Default: STDOUT
 ##
 #output: STDOUT
 ##
 ## Logging Verbosity. This is overridden if "-l LEVEL" or
 ## "--log-level=LEVEL" are passed on the command line.
 ##
 ## Accepted values: All, Trace, Debug, Info, Warn, Error, Fatal, Off
 ## Default: Info
 ##
 #log_level: Info
 ##
 ## Enables colors in logs. Useful for debugging purposes
 ## This is overridden if "-k" or "--colorize"
 ## are passed on the command line.
 ## Colors are also disabled if the environment variable
 ## NO_COLOR is present and has any value
 ##
 ## Accepted values: true, false
 ## Default: true
 ##
 #colorize_logs: false
 # -----------------------------
 #  Features
 # -----------------------------
 ##
 ## Enable/Disable the "Popular" tab on the main page.
 ##
 ## Accepted values: true, false
 ## Default: true
 ##
 #popular_enabled: true
 ##
 ## Enable/Disable statstics (available at /api/v1/stats).
 ## The following data is available:
 ##   - Software name ("invidious") and version+branch (same data as
 ##     displayed in the footer, e.g: "2021.05.13-75e5b49" / "master")
 ##   - The value of the 'registration_enabled' config (true/false)
 ##   - Number of currently registered users
 ##   - Number of registered users who connected in the last month
 ##   - Number of registered users who connected in the last 6 months
 ##   - Timestamp of the last server restart
 ##   - Timestamp of the last "Channel Refresh" job execution
 ##
 ## Warning: This setting MUST be set to true if you plan to run
 ## a public instance. It is used by api.invidious.io to refresh
 ## your instance's status.
 ##
 ## Accepted values: true, false
 ## Default: false
 ##
 #statistics_enabled: false
 # -----------------------------
 #  Users and accounts
 # -----------------------------
 ##
 ## Allow/Forbid Invidious (local) account creation. Invidious
 ## accounts allow users to subscribe to channels and to create
 ## playlists without a Google account.
 ##
 ## Accepted values: true, false
 ## Default: true
 ##
 #registration_enabled: true
 ##
 ## Allow/Forbid users to log-in.
 ##
 ## Accepted values: true, false
 ## Default: true
 ##
 #login_enabled: true
 ##
 ## Enable/Disable the captcha challenge on the login page.
 ##
 ## Note: this is a basic captcha challenge that doesn't
 ## depend on any third parties.
 ##
 ## Accepted values: true, false
 ## Default: true
 ##
 #captcha_enabled: true
 ##
 ## List of usernames that will be granted administrator rights.
 ## A user with administrator rights will be able to change the
 ## server configuration options listed below in /preferences,
 ## in addition to the usual user preferences.
 ##
 ## Server-wide settings:
 ##   - popular_enabled
 ##   - captcha_enabled
 ##   - login_enabled
 ##   - registration_enabled
 ##   - statistics_enabled
 ## Default user preferences:
 ##   - default_home
 ##   - feed_menu
 ##
 ## Accepted values: an array of strings
 ## Default: [""]
 ##
 #admins: [""]
 ##
 ## Enable/Disable the user notifications for all users
 ##
 ## Note: On large instances, it is recommended to set this option to 'false'
 ## in order to reduce the amount of data written to the database, and hence
 ## improve the overall performance of the instance.
 ##
 ## Accepted values: true, false
 ## Default: true
 ##
 #enable_user_notifications: true
 # -----------------------------
 #  Background jobs
 # -----------------------------
 ##
 ## Number of threads to use when crawling channel videos (during
 ## subscriptions update).
 ##
 ## Notes: This setting is overridden if either "-c THREADS" or
 ## "--channel-threads=THREADS" is passed on the command line.
 ##
 ## Accepted values: a positive integer
 ## Default: 1
 ##
 channel_threads: 1
 ##
 ## Time interval between two executions of the job that crawls
 ## channel videos (subscriptions update).
 ##
 ## Accepted values: a valid time interval (like 1h30m or 90m)
 ## Default: 30m
 ##
 #channel_refresh_interval: 30m
 ##
 ## Forcefully dump and re-download the entire list of uploaded
 ## videos when crawling channel (during subscriptions update).
 ##
 ## Accepted values: true, false
 ## Default: false
 ##
 full_refresh: false
 ##
 ## Number of threads to use when updating RSS feeds.
 ##
 ## Notes: This setting is overridden if either "-f THREADS" or
 ## "--feed-threads=THREADS" is passed on the command line.
 ##
 ## Accepted values: a positive integer
 ## Default: 1
 ##
 feed_threads: 1
 jobs:
  ## Options for the database cleaning job
  clear_expired_items:
    ## Enable/Disable job
    ##
    ## Accepted values: true, false
    ## Default: true
    ##
    enable: true
  ## Options for the channels updater job
  refresh_channels:
    ## Enable/Disable job
    ##
    ## Accepted values: true, false
    ## Default: true
    ##
    enable: true
  ## Options for the RSS feeds updater job
  refresh_feeds:
    ## Enable/Disable job
    ##
    ## Accepted values: true, false
    ## Default: true
    ##
    enable: true
 # -----------------------------
 #  Miscellaneous
 # -----------------------------
 ##
 ## custom banner displayed at the top of every page. This can
 ## used for instance announcements, e.g.
 ##
 ## Accepted values: any string. HTML is accepted.
 ## Default: <none>
 ##
 #banner:
 ##
 ## Subscribe to channels using PubSubHub (Google PubSubHubbub service).
 ## PubSubHub allows Invidious to be instantly notified when a new video
 ## is published on any subscribed channels. When PubSubHub is not used,
 ## Invidious will check for new videos every minute.
 ##
 ## Note: This setting is recommended for public instances.
 ##
 ## Note 2:
 ##  - Requires a public instance (it uses /feed/webhook/v1)
 ##  - Requires 'domain' and 'hmac_key' to be set.
 ##  - Setting this parameter to any number greater than zero will
 ##    enable channel subscriptions via PubSubHub, but will limit the
 ##    amount of concurrent subscriptions.
 ##
 ## Accepted values: true, false, a positive integer
 ## Default: false
 ##
 #use_pubsub_feeds: false
 ##
 ## HMAC signing key used for CSRF tokens, cookies and pubsub
 ## subscriptions verification.
 ##
 ## Note: This parameter is mandatory and should be a random string.
 ## Such random string can be generated on linux with the following
 ## command: `pwgen 20 1`
 ##
 ## Accepted values: a string
 ## Default: <none>
 ##
 hmac_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_HMAC_KEY'] }}
 ##
 ## List of video IDs where the "download" widget must be
 ## disabled, in order to comply with DMCA requests.
 ##
 ## Accepted values: an array of string
 ## Default: <none>
 ##
 #dmca_content:
 ##
 ## Cache video annotations in the database.
 ##
 ## Warning: empty annotations or annotations that only contain
 ## cards won't be cached.
 ##
 ## Accepted values: true, false
 ## Default: false
 ##
 #cache_annotations: false
 ##
 ## Source code URL. If your instance is running a modified source
 ## code, you MUST publish it somewhere and set this option.
 ##
 ## Accepted values: a string
 ## Default: <none>
 ##
 #modified_source_code_url: ""
 ##
 ## Maximum custom playlist length limit.
 ##
 ## Accepted values: Integer
 ## Default: 500
 ##
 #playlist_length_limit: 500
 #########################################
 #
 #  Default user preferences
 #
 #########################################
 ##
 ## NOTE: All the settings below define the default user
 ## preferences. They will apply to ALL users connecting
 ## without a preferences cookie (so either on the first
 ## connection to the instance or after clearing the
 ## browser's cookies).
 ##
 default_user_preferences:
  # -----------------------------
  #  Internationalization
  # -----------------------------
  ##
  ## Default user interface language (locale).
  ##
  ## Note: When hosting a public instance, overriding the
  ## default (english) is not recommended, as it may
  ## people using other languages.
  ##
  ## Accepted values:
  ##   ar      (Arabic)
  ##   da      (Danish)
  ##   de      (German)
  ##   en-US   (english, US)
  ##   el      (Greek)
  ##   eo      (Esperanto)
  ##   es      (Spanish)
  ##   fa      (Persian)
  ##   fi      (Finnish)
  ##   fr      (French)
  ##   he      (Hebrew)
  ##   hr      (Hungarian)
  ##   id      (Indonesian)
  ##   is      (Icelandic)
  ##   it      (Italian)
  ##   ja      (Japanese)
  ##   nb-NO   (Norwegian, Bokmål)
  ##   nl      (Dutch)
  ##   pl      (Polish)
  ##   pt-BR   (Portuguese, Brazil)
  ##   pt-PT   (Portuguese, Portugal)
  ##   ro      (Romanian)
  ##   ru      (Russian)
  ##   sv      (Swedish)
  ##   tr      (Turkish)
  ##   uk      (Ukrainian)
  ##   zh-CN   (Chinese, China)  (a.k.a "Simplified Chinese")
  ##   zh-TW   (Chinese, Taiwan) (a.k.a "Traditional Chinese")
  ##
  ## Default: en-US
  ##
  #locale: en-US
  ##
  ## Default geographical location for content.
  ##
  ## Accepted values:
  ##   AE, AR, AT, AU, AZ, BA, BD, BE, BG, BH, BO, BR, BY, CA, CH, CL, CO, CR,
  ##   CY, CZ, DE, DK, DO, DZ, EC, EE, EG, ES, FI, FR, GB, GE, GH, GR, GT, HK,
  ##   HN, HR, HU, ID, IE, IL, IN, IQ, IS, IT, JM, JO, JP, KE, KR, KW, KZ, LB,
  ##   LI, LK, LT, LU, LV, LY, MA, ME, MK, MT, MX, MY, NG, NI, NL, NO, NP, NZ,
  ##   OM, PA, PE, PG, PH, PK, PL, PR, PT, PY, QA, RO, RS, RU, SA, SE, SG, SI,
  ##   SK, SN, SV, TH, TN, TR, TW, TZ, UA, UG, US, UY, VE, VN, YE, ZA, ZW
  ##
  ## Default: US
  ##
  #region: US
  ##
  ## Top 3 preferred languages for video captions.
  ##
  ## Note: overriding the default (no preferred
  ## caption language) is not recommended, in order
  ## to not penalize people using other languages.
  ##
  ## Accepted values: a three-entries array.
  ## Each entry can be one of:
  ##   "English", "English (auto-generated)",
  ##   "Afrikaans", "Albanian", "Amharic", "Arabic",
  ##   "Armenian", "Azerbaijani", "Bangla", "Basque",
  ##   "Belarusian", "Bosnian", "Bulgarian", "Burmese",
  ##   "Catalan", "Cebuano", "Chinese (Simplified)",
  ##   "Chinese (Traditional)", "Corsican", "Croatian",
  ##   "Czech", "Danish", "Dutch", "Esperanto", "Estonian",
  ##   "Filipino", "Finnish", "French", "Galician", "Georgian",
  ##   "German", "Greek", "Gujarati", "Haitian Creole", "Hausa",
  ##   "Hawaiian", "Hebrew", "Hindi", "Hmong", "Hungarian",
  ##   "Icelandic", "Igbo", "Indonesian", "Irish", "Italian",
  ##   "Japanese", "Javanese", "Kannada", "Kazakh", "Khmer",
  ##   "Korean", "Kurdish", "Kyrgyz", "Lao", "Latin", "Latvian",
  ##   "Lithuanian", "Luxembourgish", "Macedonian",
  ##   "Malagasy", "Malay", "Malayalam", "Maltese", "Maori",
  ##   "Marathi", "Mongolian", "Nepali", "Norwegian Bokmål",
  ##   "Nyanja", "Pashto", "Persian", "Polish", "Portuguese",
  ##   "Punjabi", "Romanian", "Russian", "Samoan",
  ##   "Scottish Gaelic", "Serbian", "Shona", "Sindhi",
  ##   "Sinhala", "Slovak", "Slovenian", "Somali",
  ##   "Southern Sotho", "Spanish", "Spanish (Latin America)",
  ##   "Sundanese",  "Swahili", "Swedish", "Tajik", "Tamil",
  ##   "Telugu", "Thai", "Turkish", "Ukrainian", "Urdu",
  ##   "Uzbek", "Vietnamese", "Welsh", "Western Frisian",
  ##   "Xhosa", "Yiddish", "Yoruba", "Zulu"
  ##
  ## Default: ["", "", ""]
  ##
  #captions: ["", "", ""]
  # -----------------------------
  #  Interface
  # -----------------------------
  ##
  ## Enable/Disable dark mode.
  ##
  ## Accepted values: "dark", "light", "auto"
  ## Default: "auto"
  ##
  #dark_mode: "auto"
  ##
  ## Enable/Disable thin mode (no video thumbnails).
  ##
  ## Accepted values: true, false
  ## Default: false
  ##
  #thin_mode: false
  ##
  ## List of feeds available on the home page.
  ##
  ## Note: "Subscriptions" and "Playlists" are only visible
  ## when the user is logged in.
  ##
  ## Accepted values: A list of strings
  ## Each entry can be one of: "Popular", "Trending",
  ##    "Subscriptions", "Playlists"
  ##
  ## Default: ["Popular", "Trending", "Subscriptions", "Playlists"]  (show all feeds)
  ##
  #feed_menu: ["Popular", "Trending", "Subscriptions", "Playlists"]
  ##
  ## Default feed to display on the home page.
  ##
  ## Note: setting this option to "Popular" has no
  ## effect when 'popular_enabled' is set to false.
  ##
  ## Accepted values: Popular, Trending, Subscriptions, Playlists, <none>
  ## Default: Popular
  ##
  #default_home: Popular
  ##
  ## Default number of results to display per page.
  ##
  ## Note: this affects invidious-generated pages only, such
  ## as watch history and subscription feeds. Playlists, search
  ## results and channel videos depend on the data returned by
  ## the Youtube API.
  ##
  ## Accepted values: any positive integer
  ## Default: 40
  ##
  #max_results: 40
  ##
  ## Show/hide annotations.
  ##
  ## Accepted values: true, false
  ## Default: false
  ##
  #annotations: false
  ##
  ## Show/hide annotation.
  ##
  ## Accepted values: true, false
  ## Default: false
  ##
  #annotations_subscribed: false
  ##
  ## Type of comments to display below video.
  ##
  ## Accepted values: a two-entries array.
  ## Each entry can be one of: "youtube", "reddit", ""
  ##
  ## Default: ["youtube", ""]
  ##
  #comments: ["youtube", ""]
  ##
  ## Default player style.
  ##
  ## Accepted values: invidious, youtube
  ## Default: invidious
  ##
  #player_style: invidious
  ##
  ## Show/Hide the "related videos" sidebar when
  ## watching a video.
  ##
  ## Accepted values: true, false
  ## Default: true
  ##
  #related_videos: true
  # -----------------------------
  #  Video player behavior
  # -----------------------------
  ##
  ## This option controls the value of the HTML5 <video> element's
  ## "preload" attribute.
  ##
  ## If set to 'false', no video data will be loaded until the user
  ## explicitly starts the video by clicking the "Play" button.
  ## If set to 'true', the web browser will buffer some video data
  ## while the page is loading.
  ##
  ## See: https://www.w3schools.com/tags/att_video_preload.asp
  ##
  ## Accepted values: true, false
  ## Default: true
  ##
  #preload: true
  ##
  ## Automatically play videos on page load.
  ##
  ## Accepted values: true, false
  ## Default: false
  ##
  #autoplay: false
  ##
  ## Automatically load the "next" video (either next in
  ## playlist or proposed) when the current video ends.
  ##
  ## Accepted values: true, false
  ## Default: false
  ##
  #continue: false
  ##
  ## Autoplay next video by default.
  ##
  ## Note: Only effective if 'continue' is set to true.
  ##
  ## Accepted values: true, false
  ## Default: true
  ##
  #continue_autoplay: true
  ##
  ## Play videos in Audio-only mode by default.
  ##
  ## Accepted values: true, false
  ## Default: false
  ##
  #listen: false
  ##
  ## Loop videos automatically.
  ##
  ## Accepted values: true, false
  ## Default: false
  ##
  #video_loop: false
  # -----------------------------
  #  Video playback settings
  # -----------------------------
  ##
  ## Default video quality.
  ##
  ## Accepted values: dash, hd720, medium, small
  ## Default: hd720
  ##
  #quality: hd720
  ##
  ## Default dash video quality.
  ##
  ## Note: this setting only takes effet if the
  ## 'quality' parameter is set to "dash".
  ##
  ## Accepted values:
  ##    auto, best, 4320p, 2160p, 1440p, 1080p,
  ##    720p, 480p, 360p, 240p, 144p, worst
  ## Default: auto
  ##
  #quality_dash: auto
  ##
  ## Default video playback speed.
  ##
  ## Accepted values: 0.25, 0.5, 0.75, 1.0, 1.25, 1.5, 1.75, 2.0
  ## Default: 1.0
  ##
  #speed: 1.0
  ##
  ## Default volume.
  ##
  ## Accepted values: 0-100
  ## Default: 100
  ##
  #volume: 100
  ##
  ## Allow 360° videos to be played.
  ##
  ## Note: This feature requires a WebGL-enabled browser.
  ##
  ## Accepted values: true, false
  ## Default: true
  ##
  #vr_mode: true
  ##
  ## Save the playback position
  ## Allow to continue watching at the previous position when
  ## watching the same video.
  ##
  ## Accepted values: true, false
  ## Default: false
  ##
  #save_player_pos: false
  # -----------------------------
  #  Subscription feed
  # -----------------------------
  ##
  ## In the "Subscription" feed, only show the latest video
  ## of each channel the user is subscribed to.
  ##
  ## Note: when combined with 'unseen_only', the latest unseen
  ## video of each channel will be displayed instead of the
  ## latest by date.
  ##
  ## Accepted values: true, false
  ## Default: false
  ##
  #latest_only: false
  ##
  ## Enable/Disable user subscriptions desktop notifications.
  ##
  ## Accepted values: true, false
  ## Default: false
  ##
  #notifications_only: false
  ##
  ## In the "Subscription" feed, Only show the videos that the
  ## user haven't watched yet (i.e which are not in their watch
  ## history).
  ##
  ## Accepted values: true, false
  ## Default: false
  ##
  #unseen_only: false
  ##
  ## Default sorting parameter for subscription feeds.
  ##
  ## Accepted values:
  ##   'alphabetically'
  ##   'alphabetically - reverse'
  ##   'channel name'
  ##   'channel name - reverse'
  ##   'published'
  ##   'published - reverse'
  ##
  ## Default: published
  ##
  #sort: published
  # -----------------------------
  #  Miscellaneous
  # -----------------------------
  ##
  ## Proxy videos through instance by default.
  ##
  ## Warning: As most users won't change this setting in their
  ## preferences, defaulting  to true will significantly
  ## increase the instance's network usage, so make sure that
  ## your server's connection can handle it.
  ##
  ## Accepted values: true, false
  ## Default: false
  ##
  #local: false
  ##
  ## Show the connected user's nick at the top right.
  ##
  ## Accepted values: true, false
  ## Default: true
  ##
  #show_nick: true
  ##
  ## Automatically redirect to a random instance when the user uses
  ## any "switch invidious instance" link (For videos, it's the plane
  ## icon, next to "watch on youtube" and "listen"). When set to false,
  ## the user is sent to https://redirect.invidious.io instead, where
  ## they can manually select an instance.
  ##
  ## Accepted values: true, false
  ## Default: false
  ##
  #automatic_instance_redirect: false
  ##
  ## Show the entire video description by default (when set to 'false',
  ## only the first few lines of the description are shown and a
  ## "show more" button allows to expand it).
  ##
  ## Accepted values: true, false
  ## Default: false
  ##
  #extend_desc: false
@@ -0,0 +1,52 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 # IN application vars
 IN_APP_URL=http://in.localhost:8003
 IN_APP_KEY=<insert your generated key in here>
 IN_APP_DEBUG=true
 IN_REQUIRE_HTTPS=false
 IN_PHANTOMJS_PDF_GENERATION=false
 IN_PDF_GENERATOR=snappdf
 IN_TRUSTED_PROXIES='*'
 IN_QUEUE_CONNECTION=database
 # DB connection
 IN_DB_HOST=db
 IN_DB_PORT=3306
 IN_DB_DATABASE=ninja
 IN_DB_USERNAME=ninja
 IN_DB_PASSWORD=ninja
 # Create initial user
 # Default to these values if empty
 # IN_USER_EMAIL=admin@example.com
 # IN_PASSWORD=changeme!
 IN_USER_EMAIL=
 IN_PASSWORD=
 # Mail options
 IN_MAIL_MAILER=log
 IN_MAIL_HOST=smtp.mailtrap.io
 IN_MAIL_PORT=2525
 IN_MAIL_USERNAME=null
 IN_MAIL_PASSWORD=null
 IN_MAIL_ENCRYPTION=null
 IN_MAIL_FROM_ADDRESS='user@example.com'
 IN_MAIL_FROM_NAME='Self Hosted User'
 # MySQL
 IN_MYSQL_ROOT_PASSWORD=ninjaAdm1nPassword
 IN_MYSQL_USER=ninja
 IN_MYSQL_PASSWORD=ninja
 IN_MYSQL_DATABASE=ninja
 # GoCardless/Nordigen API key for banking integration
 NORDIGEN_SECRET_ID=
 NORDIGEN_SECRET_KEY=
 # V4 env vars
 # DB_STRICT=false
 # APP_CIPHER=AES-256-CBC
@@ -0,0 +1,550 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 #=====================================================================#
 #                       LibreChat Configuration                       #
 #=====================================================================#
 # Please refer to the reference documentation for assistance          #
 # with configuring your LibreChat environment.                        #
 #                                                                     #
 # https://www.librechat.ai/docs/configuration/dotenv                  #
 #=====================================================================#
 #==================================================#
 #               Server Configuration               #
 #==================================================#
 HOST=localhost
 PORT=3080
 MONGO_URI=mongodb://librechat:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_MONGODB_PASSWORD'] }}@mongodb:27017/librechat?replicaSet=rinoa
 DOMAIN_CLIENT=https://ai.trez.wtf
 DOMAIN_SERVER=https://ai.trez.wtf
 NO_INDEX=true
 # Use the address that is at most n number of hops away from the Express application.
 # req.socket.remoteAddress is the first hop, and the rest are looked for in the X-Forwarded-For header from right to left.
 # A value of 0 means that the first untrusted address would be req.socket.remoteAddress, i.e. there is no reverse proxy.
 # Defaulted to 1.
 TRUST_PROXY=1
 #===============#
 # JSON Logging  #
 #===============#
 # Use when process console logs in cloud deployment like GCP/AWS
 CONSOLE_JSON=true
 #===============#
 # Debug Logging #
 #===============#
 DEBUG_LOGGING=true
 DEBUG_CONSOLE=false
 #=============#
 # Permissions #
 #=============#
 # UID=1000
 # GID=1000
 #===============#
 # Configuration #
 #===============#
 # Use an absolute path, a relative path, or a URL
 # CONFIG_PATH="/alternative/path/to/librechat.yaml"
 #===================================================#
 #                     Endpoints                     #
 #===================================================#
 # ENDPOINTS=openAI,assistants,azureOpenAI,google,gptPlugins,anthropic
 PROXY=
 #===================================#
 # Known Endpoints - librechat.yaml  #
 #===================================#
 # https://www.librechat.ai/docs/configuration/librechat_yaml/ai_endpoints
 # ANYSCALE_API_KEY=
 # APIPIE_API_KEY=
 # COHERE_API_KEY=
 DEEPSEEK_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_DEEPSEEK_API_KEY'] }}
 # DATABRICKS_API_KEY=
 # FIREWORKS_API_KEY=
 # GROQ_API_KEY=
 # HUGGINGFACE_TOKEN=
 MISTRAL_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_MISTRAL_API_KEY'] }}
 # OPENROUTER_KEY=
 # PERPLEXITY_API_KEY=
 # SHUTTLEAI_API_KEY=
 # TOGETHERAI_API_KEY=
 # UNIFY_API_KEY=
 # XAI_API_KEY=
 #============#
 # Anthropic  #
 #============#
 ANTHROPIC_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_ANTHROPIC_API_KEY'] }}
 ANTHROPIC_MODELS=claude-3-7-sonnet-latest,claude-3-7-sonnet-20250219,claude-3-5-haiku-20241022,claude-3-5-sonnet-20241022,claude-3-5-sonnet-latest,claude-3-5-sonnet-20240620,claude-3-opus-20240229,claude-3-sonnet-20240229,claude-3-haiku-20240307,claude-2.1,claude-2,claude-1.2,claude-1,claude-1-100k,claude-instant-1,claude-instant-1-100k
 # ANTHROPIC_REVERSE_PROXY=
 #============#
 # Azure      #
 #============#
 # Note: these variables are DEPRECATED
 # Use the `librechat.yaml` configuration for `azureOpenAI` instead
 # You may also continue to use them if you opt out of using the `librechat.yaml` configuration
 # AZURE_OPENAI_DEFAULT_MODEL=gpt-3.5-turbo # Deprecated
 # AZURE_OPENAI_MODELS=gpt-3.5-turbo,gpt-4 # Deprecated
 # AZURE_USE_MODEL_AS_DEPLOYMENT_NAME=TRUE # Deprecated
 # AZURE_API_KEY= # Deprecated
 # AZURE_OPENAI_API_INSTANCE_NAME= # Deprecated
 # AZURE_OPENAI_API_DEPLOYMENT_NAME= # Deprecated
 # AZURE_OPENAI_API_VERSION= # Deprecated
 # AZURE_OPENAI_API_COMPLETIONS_DEPLOYMENT_NAME= # Deprecated
 # AZURE_OPENAI_API_EMBEDDINGS_DEPLOYMENT_NAME= # Deprecated
 # PLUGINS_USE_AZURE="true" # Deprecated
 #=================#
 #   AWS Bedrock   #
 #=================#
 # BEDROCK_AWS_DEFAULT_REGION=us-east-1 # A default region must be provided
 # BEDROCK_AWS_ACCESS_KEY_ID=someAccessKey
 # BEDROCK_AWS_SECRET_ACCESS_KEY=someSecretAccessKey
 # BEDROCK_AWS_SESSION_TOKEN=someSessionToken
 # Note: This example list is not meant to be exhaustive. If omitted, all known, supported model IDs will be included for you.
 # BEDROCK_AWS_MODELS=anthropic.claude-3-5-sonnet-20240620-v1:0,meta.llama3-1-8b-instruct-v1:0
 # See all Bedrock model IDs here: https://docs.aws.amazon.com/bedrock/latest/userguide/model-ids.html#model-ids-arns
 # Notes on specific models:
 # The following models are not support due to not supporting streaming:
 # ai21.j2-mid-v1
 # The following models are not support due to not supporting conversation history:
 # ai21.j2-ultra-v1, cohere.command-text-v14, cohere.command-light-text-v14
 #============#
 # Google     #
 #============#
 {# GOOGLE_KEY=user_provided #}
 # GOOGLE_REVERSE_PROXY=
 # Some reverse proxies do not support the X-goog-api-key header, uncomment to pass the API key in Authorization header instead.
 # GOOGLE_AUTH_HEADER=true
 # Gemini API (AI Studio)
 # GOOGLE_MODELS=gemini-2.0-flash-exp,gemini-2.0-flash-thinking-exp-1219,gemini-exp-1121,gemini-exp-1114,gemini-1.5-flash-latest,gemini-1.0-pro,gemini-1.0-pro-001,gemini-1.0-pro-latest,gemini-1.0-pro-vision-latest,gemini-1.5-pro-latest,gemini-pro,gemini-pro-vision
 # Vertex AI
 # GOOGLE_MODELS=gemini-1.5-flash-preview-0514,gemini-1.5-pro-preview-0514,gemini-1.0-pro-vision-001,gemini-1.0-pro-002,gemini-1.0-pro-001,gemini-pro-vision,gemini-1.0-pro
 # GOOGLE_TITLE_MODEL=gemini-pro
 # GOOGLE_LOC=us-central1
 # Google Safety Settings
 # NOTE: These settings apply to both Vertex AI and Gemini API (AI Studio)
 #
 # For Vertex AI:
 # To use the BLOCK_NONE setting, you need either:
 # (a) Access through an allowlist via your Google account team, or
 # (b) Switch to monthly invoiced billing: https://cloud.google.com/billing/docs/how-to/invoiced-billing
 #
 # For Gemini API (AI Studio):
 # BLOCK_NONE is available by default, no special account requirements.
 #
 # Available options: BLOCK_NONE, BLOCK_ONLY_HIGH, BLOCK_MEDIUM_AND_ABOVE, BLOCK_LOW_AND_ABOVE
 #
 # GOOGLE_SAFETY_SEXUALLY_EXPLICIT=BLOCK_ONLY_HIGH
 # GOOGLE_SAFETY_HATE_SPEECH=BLOCK_ONLY_HIGH
 # GOOGLE_SAFETY_HARASSMENT=BLOCK_ONLY_HIGH
 # GOOGLE_SAFETY_DANGEROUS_CONTENT=BLOCK_ONLY_HIGH
 # GOOGLE_SAFETY_CIVIC_INTEGRITY=BLOCK_ONLY_HIGH
 #============#
 # OpenAI     #
 #============#
 OPENAI_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_OPENAI_API_KEY'] }}
 OPENAI_MODELS=o1,o1-mini,o1-preview,gpt-4o,chatgpt-4o-latest,gpt-4o-mini,gpt-3.5-turbo-0125,gpt-3.5-turbo-0301,gpt-3.5-turbo,gpt-4,gpt-4-0613,gpt-4-vision-preview,gpt-3.5-turbo-0613,gpt-3.5-turbo-16k-0613,gpt-4-0125-preview,gpt-4-turbo-preview,gpt-4-1106-preview,gpt-3.5-turbo-1106,gpt-3.5-turbo-instruct,gpt-3.5-turbo-instruct-0914,gpt-3.5-turbo-16k
 DEBUG_OPENAI=false
 # TITLE_CONVO=false
 # OPENAI_TITLE_MODEL=gpt-4o-mini
 # OPENAI_SUMMARIZE=true
 # OPENAI_SUMMARY_MODEL=gpt-4o-mini
 # OPENAI_FORCE_PROMPT=true
 # OPENAI_REVERSE_PROXY=
 # OPENAI_ORGANIZATION=
 #====================#
 #   Assistants API   #
 #====================#
 # ASSISTANTS_API_KEY=user_provided
 # ASSISTANTS_BASE_URL=
 # ASSISTANTS_MODELS=gpt-4o,gpt-4o-mini,gpt-3.5-turbo-0125,gpt-3.5-turbo-16k-0613,gpt-3.5-turbo-16k,gpt-3.5-turbo,gpt-4,gpt-4-0314,gpt-4-32k-0314,gpt-4-0613,gpt-3.5-turbo-0613,gpt-3.5-turbo-1106,gpt-4-0125-preview,gpt-4-turbo-preview,gpt-4-1106-preview
 #==========================#
 #   Azure Assistants API   #
 #==========================#
 # Note: You should map your credentials with custom variables according to your Azure OpenAI Configuration
 # The models for Azure Assistants are also determined by your Azure OpenAI configuration.
 # More info, including how to enable use of Assistants with Azure here:
 # https://www.librechat.ai/docs/configuration/librechat_yaml/ai_endpoints/azure#using-assistants-with-azure
 #============#
 # OpenRouter #
 #============#
 # !!!Warning: Use the variable above instead of this one. Using this one will override the OpenAI endpoint
 # OPENROUTER_API_KEY=
 #============#
 # Plugins    #
 #============#
 # PLUGIN_MODELS=gpt-4o,gpt-4o-mini,gpt-4,gpt-4-turbo-preview,gpt-4-0125-preview,gpt-4-1106-preview,gpt-4-0613,gpt-3.5-turbo,gpt-3.5-turbo-0125,gpt-3.5-turbo-1106,gpt-3.5-turbo-0613
 # DEBUG_PLUGINS=
 CREDS_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_CREDS_KEY'] }}
 CREDS_IV={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_CREDS_IV'] }}
 # Azure AI Search
 #-----------------
 # AZURE_AI_SEARCH_SERVICE_ENDPOINT=
 # AZURE_AI_SEARCH_INDEX_NAME=
 # AZURE_AI_SEARCH_API_KEY=
 # AZURE_AI_SEARCH_API_VERSION=
 # AZURE_AI_SEARCH_SEARCH_OPTION_QUERY_TYPE=
 # AZURE_AI_SEARCH_SEARCH_OPTION_TOP=
 # AZURE_AI_SEARCH_SEARCH_OPTION_SELECT=
 # DALL·E
 #----------------
 # DALLE_API_KEY=
 # DALLE3_API_KEY=
 # DALLE2_API_KEY=
 # DALLE3_SYSTEM_PROMPT=
 # DALLE2_SYSTEM_PROMPT=
 # DALLE_REVERSE_PROXY=
 # DALLE3_BASEURL=
 # DALLE2_BASEURL=
 # DALL·E (via Azure OpenAI)
 # Note: requires some of the variables above to be set
 #----------------
 # DALLE3_AZURE_API_VERSION=
 # DALLE2_AZURE_API_VERSION=
 # Google
 #-----------------
 GOOGLE_SEARCH_API_KEY=
 GOOGLE_CSE_ID=
 # YOUTUBE
 #-----------------
 YOUTUBE_API_KEY=
 # SerpAPI
 #-----------------
 SERPAPI_API_KEY=
 # Stable Diffusion
 #-----------------
 SD_WEBUI_URL=http://stable-diffusion-webui:7860
 # Tavily
 #-----------------
 TAVILY_API_KEY=
 # Traversaal
 #-----------------
 TRAVERSAAL_API_KEY=
 # WolframAlpha
 #-----------------
 WOLFRAM_APP_ID=
 # Zapier
 #-----------------
 ZAPIER_NLA_API_KEY=
 #==================================================#
 #                      Search                      #
 #==================================================#
 SEARCH=true
 MEILI_NO_ANALYTICS=true
 MEILI_HOST=http://meilisearch:7700
 MEILI_MASTER_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MEILISEARCH_MASTER_KEY'] }}
 # Optional: Disable indexing, useful in a multi-node setup
 # where only one instance should perform an index sync.
 # MEILI_NO_SYNC=true
 #==================================================#
 #          Speech to Text & Text to Speech         #
 #==================================================#
 STT_API_KEY=
 TTS_API_KEY=
 #==================================================#
 #                        RAG                       #
 #==================================================#
 # More info: https://www.librechat.ai/docs/configuration/rag_api
 # RAG_OPENAI_BASEURL=
 # RAG_OPENAI_API_KEY=
 # RAG_USE_FULL_CONTEXT=
 # EMBEDDINGS_PROVIDER=openai
 # EMBEDDINGS_MODEL=text-embedding-3-small
 #===================================================#
 #                    User System                    #
 #===================================================#
 #========================#
 # Moderation             #
 #========================#
 OPENAI_MODERATION=false
 OPENAI_MODERATION_API_KEY=
 # OPENAI_MODERATION_REVERSE_PROXY=
 BAN_VIOLATIONS=true
 BAN_DURATION=1000 * 60 * 60 * 2
 BAN_INTERVAL=20
 LOGIN_VIOLATION_SCORE=1
 REGISTRATION_VIOLATION_SCORE=1
 CONCURRENT_VIOLATION_SCORE=1
 MESSAGE_VIOLATION_SCORE=1
 NON_BROWSER_VIOLATION_SCORE=20
 LOGIN_MAX=7
 LOGIN_WINDOW=5
 REGISTER_MAX=5
 REGISTER_WINDOW=60
 LIMIT_CONCURRENT_MESSAGES=true
 CONCURRENT_MESSAGE_MAX=2
 LIMIT_MESSAGE_IP=true
 MESSAGE_IP_MAX=40
 MESSAGE_IP_WINDOW=1
 LIMIT_MESSAGE_USER=false
 MESSAGE_USER_MAX=40
 MESSAGE_USER_WINDOW=1
 ILLEGAL_MODEL_REQ_SCORE=5
 #========================#
 # Balance                #
 #========================#
 CHECK_BALANCE=false
 # START_BALANCE=20000 # note: the number of tokens that will be credited after registration.
 #========================#
 # Registration and Login #
 #========================#
 ALLOW_EMAIL_LOGIN=true
 ALLOW_REGISTRATION=true
 ALLOW_SOCIAL_LOGIN=false
 ALLOW_SOCIAL_REGISTRATION=false
 ALLOW_PASSWORD_RESET=false
 # ALLOW_ACCOUNT_DELETION=true # note: enabled by default if omitted/commented out
 ALLOW_UNVERIFIED_EMAIL_LOGIN=true
 SESSION_EXPIRY=1000 * 60 * 15
 REFRESH_TOKEN_EXPIRY=(1000 * 60 * 60 * 24) * 7
 JWT_SECRET={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_JWT_SECRET'] }}
 JWT_REFRESH_SECRET={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_JWT_REFRESH_SECRET'] }}
 # Discord
 DISCORD_CLIENT_ID=
 DISCORD_CLIENT_SECRET=
 DISCORD_CALLBACK_URL=/oauth/discord/callback
 # Facebook
 FACEBOOK_CLIENT_ID=
 FACEBOOK_CLIENT_SECRET=
 FACEBOOK_CALLBACK_URL=/oauth/facebook/callback
 # GitHub
 GITHUB_CLIENT_ID=
 GITHUB_CLIENT_SECRET=
 GITHUB_CALLBACK_URL=/oauth/github/callback
 # GitHub Enterprise
 # GITHUB_ENTERPRISE_BASE_URL=
 # GITHUB_ENTERPRISE_USER_AGENT=
 # Google
 GOOGLE_CLIENT_ID=
 GOOGLE_CLIENT_SECRET=
 GOOGLE_CALLBACK_URL=/oauth/google/callback
 # Apple
 APPLE_CLIENT_ID=
 APPLE_TEAM_ID=
 APPLE_KEY_ID=
 APPLE_PRIVATE_KEY_PATH=
 APPLE_CALLBACK_URL=/oauth/apple/callback
 # OpenID
 OPENID_CLIENT_ID=
 OPENID_CLIENT_SECRET=
 OPENID_ISSUER=
 OPENID_SESSION_SECRET=
 OPENID_SCOPE="openid profile email"
 OPENID_CALLBACK_URL=/oauth/openid/callback
 OPENID_REQUIRED_ROLE=
 OPENID_REQUIRED_ROLE_TOKEN_KIND=
 OPENID_REQUIRED_ROLE_PARAMETER_PATH=
 # Set to determine which user info property returned from OpenID Provider to store as the User's username
 OPENID_USERNAME_CLAIM=
 # Set to determine which user info property returned from OpenID Provider to store as the User's name
 OPENID_NAME_CLAIM=
 OPENID_BUTTON_LABEL=
 OPENID_IMAGE_URL=
 # LDAP
 # LDAP_URL=
 # LDAP_BIND_DN=
 # LDAP_BIND_CREDENTIALS=
 # LDAP_USER_SEARCH_BASE=
 # LDAP_SEARCH_FILTER=mail=
 # LDAP_CA_CERT_PATH=
 # LDAP_TLS_REJECT_UNAUTHORIZED=
 # LDAP_LOGIN_USES_USERNAME=true
 # LDAP_ID=
 # LDAP_USERNAME=
 # LDAP_EMAIL=
 # LDAP_FULL_NAME=
 #========================#
 # Email Password Reset   #
 #========================#
 EMAIL_SERVICE=
 EMAIL_HOST=postal-smtp
 EMAIL_PORT=25
 EMAIL_ENCRYPTION=
 EMAIL_ENCRYPTION_HOSTNAME=
 EMAIL_ALLOW_SELFSIGNED=
 EMAIL_USERNAME=
 EMAIL_PASSWORD=
 EMAIL_FROM_NAME=
 EMAIL_FROM=noreply@librechat.ai
 #========================#
 # Firebase CDN           #
 #========================#
 # FIREBASE_API_KEY=
 # FIREBASE_AUTH_DOMAIN=
 # FIREBASE_PROJECT_ID=
 # FIREBASE_STORAGE_BUCKET=
 # FIREBASE_MESSAGING_SENDER_ID=
 # FIREBASE_APP_ID=
 #========================#
 # Shared Links           #
 #========================#
 ALLOW_SHARED_LINKS=true
 ALLOW_SHARED_LINKS_PUBLIC=true
 #==============================#
 # Static File Cache Control    #
 #==============================#
 # Leave commented out to use defaults: 1 day (86400 seconds) for s-maxage and 2 days (172800 seconds) for max-age
 # NODE_ENV must be set to production for these to take effect
 # STATIC_CACHE_MAX_AGE=172800
 # STATIC_CACHE_S_MAX_AGE=86400
 # If you have another service in front of your LibreChat doing compression, disable express based compression here
 # DISABLE_COMPRESSION=true
 #===================================================#
 #                        UI                         #
 #===================================================#
 APP_TITLE=LibreChat
 # CUSTOM_FOOTER="My custom footer"
 HELP_AND_FAQ_URL=https://librechat.ai
 # SHOW_BIRTHDAY_ICON=true
 # Google tag manager id
 #ANALYTICS_GTM_ID=user provided google tag manager id
 #===============#
 # REDIS Options #
 #===============#
 REDIS_URI=redis:6379
 USE_REDIS=true
 # USE_REDIS_CLUSTER=true
 # REDIS_CA=/path/to/ca.crt
 #==================================================#
 #                      Others                      #
 #==================================================#
 #   You should leave the following commented out   #
 # NODE_ENV=
 # E2E_USER_EMAIL=
 # E2E_USER_PASSWORD=
 #=====================================================#
 #                  Cache Headers                      #
 #=====================================================#
 #   Headers that control caching of the index.html    #
 #   Default configuration prevents caching to ensure  #
 #   users always get the latest version. Customize    #
 #   only if you understand caching implications.      #
 # INDEX_HTML_CACHE_CONTROL=no-cache, no-store, must-revalidate
 # INDEX_HTML_PRAGMA=no-cache
 # INDEX_HTML_EXPIRES=0
 # no-cache: Forces validation with server before using cached version
 # no-store: Prevents storing the response entirely
 # must-revalidate: Prevents using stale content when offline
 #=====================================================#
 #                  OpenWeather                        #
 #=====================================================#
 OPENWEATHER_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['HOMEPAGE_OPENWEATHERMAP_API_KEY'] }}
@@ -0,0 +1,33 @@
 version: 1.0.0
 endpoints:
  custom:
    - name: "ollama"
      apiKey: "ollama"
      baseURL: "http://ollama:11434/v1/chat/completions"
      models:
        default: [
          "deepseek-r1:1.5b",
          "deepseek-coder-v2:16b",
          "deepseek-v3:671b",
          "llama3.3:70b",
          "phi4:14b",
          "qwen2.5",
          "llama2:7b",
          "mistral:7b",
          "codellama:7b",
          "tinyllama:1.1b",
          "starcoder2:3b",
          "dolphin-mistral:7b",
          "smollm2:1.7b",
          "orca-mini:3b",
          "mistral-openorca:7b"
        ]
 # fetching list of models is supported but the `name` field must start
 # with `ollama` (case-insensitive), as it does in this example.
        fetch: true
      titleConvo: true
      titleModel: "current_model"
      summarize: false
      summaryModel: "current_model"
      forcePrompt: false
      modelDisplayLabel: "Ollama"
@@ -0,0 +1,21 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 <Config>
  <BindAddress>*</BindAddress>
  <Port>8686</Port>
  <SslPort>6868</SslPort>
  <EnableSsl>False</EnableSsl>
  <LaunchBrowser>True</LaunchBrowser>
  <ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIDARR_API_KEY'] }}</ApiKey>
  <AuthenticationMethod>Forms</AuthenticationMethod>
  <Branch>master</Branch>
  <LogLevel>trace</LogLevel>
  <SslCertPath></SslCertPath>
  <SslCertPassword></SslCertPassword>
  <UrlBase></UrlBase>
  <InstanceName>Lidarr</InstanceName>
  <UpdateMechanism>Docker</UpdateMechanism>
  <Theme>auto</Theme>
  <AuthenticationRequired>Enabled</AuthenticationRequired>
 </Config>
@@ -0,0 +1,25 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 {
    "lidarr_address": "http://lidarr:8686",
    "lidarr_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIDARR_API_KEY'] }}",
    "spotify_client_secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_SECRET'] }}",
    "root_folder_path": "/data/media/music",
    "spotify_client_id": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_ID'] }}",
    "spotify_client_secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_SECRET'] }}",
    "fallback_to_top_result": false,
    "lidarr_api_timeout": 120.0,
    "quality_profile_id": 1,
    "metadata_profile_id": 1,
    "search_for_missing_albums": false,
    "dry_run_adding_to_lidarr": true,
    "app_name": "lidify",
    "app_rev": "0.09",
    "app_url": "lidify.trez.wtf",
    "last_fm_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
    "last_fm_api_secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
    "mode": "LastFM",
    "auto_start": false,
    "auto_start_delay": 60
 }
@@ -0,0 +1,23 @@
 containers:
  immich-server:
    action_keywords:
      - restart:
          regex: 'ADVICE:.*error'
 global_keywords:
  keywords:
    - panic
  keywords_with_attachment:
    - fatal
 notifications:
  apprise:
    url: gotify://gotify/{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['APPRISE_GOTIFY_TOKEN'] }}    # Any Apprise-compatible URL (https://github.com/caronc/apprise/wiki)
 # settings are optional because they all have default values
 settings:
  log_level: INFO               # DEBUG, INFO, WARNING, ERROR
  notification_cooldown: 5      # Seconds between alerts for same keyword (per container)
  attachment_lines: 20          # Number of Lines to include in log attachments
  multi_line_entries: true      # Detect multi-line log entries
  disable_restart: false        # Disable restart when a config change is detected
  disable_start_message: false  # Suppress startup notification
  disable_shutdown_message: false  # Suppress shutdown notification
  disable_restart_message: false   # Suppress config reload notification
@@ -0,0 +1,108 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 {
  "debugMode": false,
  "disableWeb": false,
  "sourceDefaults": {
    "logPayload": false,
    "logFilterFailure": "warn",
    "logPlayerState": false,
    "scrobbleThresholds": {
      "duration": 30,
      "percent": 20
    },
    "maxPollRetries": 1,
    "maxRequestRetries": 1,
    "retryMultiplier": 1.5
  },
  "clientDefaults": {
    "maxRequestRetries": 1,
    "retryMultiplier": 1.5
  },
  "sources": [
    {
      "type": "spotify",
      "enable": true,
      "clients": [],
      "name": "spotify",
      "data": {
        "clientId": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_ID'] }}",
        "clientSecret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_SECRET'] }}",
        "redirectUri": "http://localhost:9078/callback"
      }
    },
    {
      "type:": "lastfm",
      "name": "lastfm",
      "enable": true,
      "data": {
        "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
        "secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
        "redirectUri": "http://localhost:9078/lastfm/callback"
      }
    },
    {
      "type": "listenbrainz",
      "name": "listenBrainz",
      "enable": true,
      "data": {
        "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_LISTENBRAINZ_TOKEN'] }}",
        "username": "Trez.One"
      }
    },
    {
      "type": "subsonic",
      "name": "navidrome",
      "enable": true,
      "data": {
        "url": "http://navidrome:4533",
        "user": "admin",
        "password": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NAVIDROME_PASSWORD'] }}"
      }
    }
  ],
  "clients": [
    {
      "type": "lastfm",
      "name": "lastFmClient",
      "enable": true,
      "data": {
        "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
        "secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
        "redirectUri": "http://localhost:9078/lastfm/callback"
      }
    },
    {
      "type": "listenbrainz",
      "name": ";istenBrainzClient",
      "enable": true,
      "data": {
        "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_LISTENBRAINZ_TOKEN'] }}",
        "username": "Trez.One"
      }
    },
    {
      "type": "maloja",
      "enable": true,
      "name": "maloja",
      "data": {
        "url": "http://maloja:42010",
        "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_API_KEY'] }}"
      }
    }
  ],
  "webhooks": [
    {
      "name": "Gotify",
      "type": "gotify",
      "url": "http://gotify",
      "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MULTI_SCROBBLER_GOTIFY_TOKEN'] }}",
      "priorities": {
        "info": 5,
        "warn": 7,
        "error": 10
      }
    }
  ]
 }
@@ -0,0 +1,76 @@
 {
  "Stuns": [
    {
      "Proto": "udp",
      "URI": "stun:netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:3478",
      "Username": "",
      "Password": null
    }
  ],
  "TURNConfig": {
    "Turns": [
      {
        "Proto": "udp",
        "URI": "turn:netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:3478",
        "Username": "self",
        "Password": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_TURN_PASSWORD'] }}"
      }
    ],
    "CredentialsTTL": "12h",
    "Secret": "secret",
    "TimeBasedCredentials": false
  },
  "Relay": {
    "Addresses": [
      "rel://netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:33080"
    ],
    "CredentialsTTL": "24h",
    "Secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_RELAY_AUTH_SECRET'] }}"
  },
  "Signal": {
    "Proto": "https",
    "URI": "netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:10001",
    "Username": "",
    "Password": null
  },
  "ReverseProxy": {
    "TrustedHTTPProxies": [],
    "TrustedHTTPProxiesCount": 0,
    "TrustedPeers": [
      "0.0.0.0/0"
    ]
  },
  "Datadir": "",
  "DataStoreEncryptionKey": "",
  "StoreConfig": {
    "Engine": "sqlite"
  },
  "HttpConfig": {
    "Address": "0.0.0.0:33073",
    "AuthIssuer": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}",
    "AuthAudience": "netbird",
    "AuthKeysLocation": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/jwks.json",
    "AuthUserIDClaim": "",
    "CertFile": "",
    "CertKey": "",
    "IdpSignKeyRefreshEnabled": true,
    "OIDCConfigEndpoint": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/.well-known/openid-configuration"
  },
  "IdpManagerConfig": {},
  "DeviceAuthorizationFlow": {},
  "PKCEAuthorizationFlow": {
    "ProviderConfig": {
      "Audience": "netbird",
      "ClientID": "netbird",
      "ClientSecret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_NETBIRD_CLIENT_SECRET'] }}",
      "Domain": "",
      "AuthorizationEndpoint": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/api/oidc/authorization",
      "TokenEndpoint": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/api/oidc/token",
      "Scope": "openid profile email offline_access api",
      "RedirectURLs": [
        "http://localhost:53000"
      ],
      "UseIDToken": true
    }
  }
 }
@@ -0,0 +1,122 @@
 {
    "issuer": "https://id.trez.wtf",
    "authorization_endpoint": "https://id.trez.wtf/oauth/v2/authorize",
    "token_endpoint": "https://id.trez.wtf/oauth/v2/token",
    "introspection_endpoint": "https://id.trez.wtf/oauth/v2/introspect",
    "userinfo_endpoint": "https://id.trez.wtf/oidc/v1/userinfo",
    "revocation_endpoint": "https://id.trez.wtf/oauth/v2/revoke",
    "end_session_endpoint": "https://id.trez.wtf/oidc/v1/end_session",
    "device_authorization_endpoint": "https://id.trez.wtf/oauth/v2/device_authorization",
    "jwks_uri": "https://id.trez.wtf/oauth/v2/keys",
    "scopes_supported": [
        "openid",
        "profile",
        "email",
        "phone",
        "address",
        "offline_access"
    ],
    "response_types_supported": [
        "code",
        "id_token",
        "id_token token"
    ],
    "response_modes_supported": [
        "query",
        "fragment",
        "form_post"
    ],
    "grant_types_supported": [
        "authorization_code",
        "implicit",
        "refresh_token",
        "client_credentials",
        "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "urn:ietf:params:oauth:grant-type:device_code"
    ],
    "subject_types_supported": [
        "public"
    ],
    "id_token_signing_alg_values_supported": [
        "RS256"
    ],
    "request_object_signing_alg_values_supported": [
        "RS256"
    ],
    "token_endpoint_auth_methods_supported": [
        "none",
        "client_secret_basic",
        "client_secret_post",
        "private_key_jwt"
    ],
    "token_endpoint_auth_signing_alg_values_supported": [
        "RS256"
    ],
    "revocation_endpoint_auth_methods_supported": [
        "none",
        "client_secret_basic",
        "client_secret_post",
        "private_key_jwt"
    ],
    "revocation_endpoint_auth_signing_alg_values_supported": [
        "RS256"
    ],
    "introspection_endpoint_auth_methods_supported": [
        "client_secret_basic",
        "private_key_jwt"
    ],
    "introspection_endpoint_auth_signing_alg_values_supported": [
        "RS256"
    ],
    "claims_supported": [
        "sub",
        "aud",
        "exp",
        "iat",
        "iss",
        "auth_time",
        "nonce",
        "acr",
        "amr",
        "c_hash",
        "at_hash",
        "act",
        "scopes",
        "client_id",
        "azp",
        "preferred_username",
        "name",
        "family_name",
        "given_name",
        "locale",
        "email",
        "email_verified",
        "phone_number",
        "phone_number_verified"
    ],
    "code_challenge_methods_supported": [
        "S256"
    ],
    "ui_locales_supported": [
        "bg",
        "cs",
        "de",
        "en",
        "es",
        "fr",
        "hu",
        "id",
        "it",
        "ja",
        "ko",
        "mk",
        "nl",
        "pl",
        "pt",
        "ru",
        "sv",
        "zh"
    ],
    "request_parameter_supported": true,
    "request_uri_parameter_supported": false
 }
@@ -0,0 +1,725 @@
 # Coturn TURN SERVER configuration file
 #
 # Boolean values note: where a boolean value is supposed to be used,
 # you can use '0', 'off', 'no', 'false', or 'f' as 'false,
 # and you can use '1', 'on', 'yes', 'true', or 't' as 'true'
 # If the value is missing, then it means 'true' by default.
 #
 # Listener interface device (optional, Linux only).
 # NOT RECOMMENDED.
 #
 #listening-device=eth0
 # TURN listener port for UDP and TCP (Default: 3478).
 # Note: actually, TLS & DTLS sessions can connect to the
 # "plain" TCP & UDP port(s), too - if allowed by configuration.
 #
 listening-port=3478
 # TURN listener port for TLS (Default: 5349).
 # Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
 # port(s), too - if allowed by configuration. The TURN server
 # "automatically" recognizes the type of traffic. Actually, two listening
 # endpoints (the "plain" one and the "tls" one) are equivalent in terms of
 # functionality; but Coturn keeps both endpoints to satisfy the RFC 5766 specs.
 # For secure TCP connections, Coturn currently supports SSL version 3 and
 # TLS version 1.0, 1.1 and 1.2.
 # For secure UDP connections, Coturn supports DTLS version 1.
 #
 tls-listening-port=5349
 # Alternative listening port for UDP and TCP listeners;
 # default (or zero) value means "listening port plus one".
 # This is needed for RFC 5780 support
 # (STUN extension specs, NAT behavior discovery). The TURN Server
 # supports RFC 5780 only if it is started with more than one
 # listening IP address of the same family (IPv4 or IPv6).
 # RFC 5780 is supported only by UDP protocol, other protocols
 # are listening to that endpoint only for "symmetry".
 #
 #alt-listening-port=0
 # Alternative listening port for TLS and DTLS protocols.
 # Default (or zero) value means "TLS listening port plus one".
 #
 #alt-tls-listening-port=0
 # Some network setups will require using a TCP reverse proxy in front
 # of the STUN server. If the proxy port option is set a single listener
 # is started on the given port that accepts connections using the
 # haproxy proxy protocol v2.
 # (https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)
 #
 #tcp-proxy-port=5555
 # Listener IP address of relay server. Multiple listeners can be specified.
 # If no IP(s) specified in the config file or in the command line options,
 # then all IPv4 and IPv6 system IPs will be used for listening.
 #
 #listening-ip=172.17.19.101
 #listening-ip=10.207.21.238
 #listening-ip=2607:f0d0:1002:51::4
 # Auxiliary STUN/TURN server listening endpoint.
 # Aux servers have almost full TURN and STUN functionality.
 # The (minor) limitations are:
 #
 # 1) Auxiliary servers do not have alternative ports and
 # they do not support STUN RFC 5780 functionality (CHANGE REQUEST).
 #
 # 2) Auxiliary servers also are never returning ALTERNATIVE-SERVER reply.
 #
 # Valid formats are 1.2.3.4:5555 for IPv4 and [1:2::3:4]:5555 for IPv6.
 #
 # There may be multiple aux-server options, each will be used for listening
 # to client requests.
 #
 #aux-server=172.17.19.110:33478
 #aux-server=[2607:f0d0:1002:51::4]:33478
 # (recommended for older Linuxes only)
 # Automatically balance UDP traffic over auxiliary servers (if configured).
 # The load balancing is using the ALTERNATE-SERVER mechanism.
 # The TURN client must support 300 ALTERNATE-SERVER response for this
 # functionality.
 #
 #udp-self-balance
 # Relay interface device for relay sockets (optional, Linux only).
 # NOT RECOMMENDED.
 #
 #relay-device=eth1
 # Relay address (the local IP address that will be used to relay the
 # packets to the peer).
 # Multiple relay addresses may be used.
 # The same IP(s) can be used as both listening IP(s) and relay IP(s).
 #
 # If no relay IP(s) specified, then the turnserver will apply the default
 # policy: it will decide itself which relay addresses to be used, and it
 # will always be using the client socket IP address as the relay IP address
 # of the TURN session (if the requested relay address family is the same
 # as the family of the client socket).
 #
 #relay-ip=172.17.19.105
 #relay-ip=2607:f0d0:1002:51::5
 # For Amazon EC2 users:
 #
 # TURN Server public/private address mapping, if the server is behind NAT.
 # In that situation, if a -X is used in form "-X <ip>" then that ip will be reported
 # as relay IP address of all allocations. This scenario works only in a simple case
 # when one single relay address is be used, and no RFC5780 functionality is required.
 # That single relay address must be mapped by NAT to the 'external' IP.
 # The "external-ip" value, if not empty, is returned in XOR-RELAYED-ADDRESS field.
 # For that 'external' IP, NAT must forward ports directly (relayed port 12345
 # must be always mapped to the same 'external' port 12345).
 #
 # In more complex case when more than one IP address is involved,
 # that option must be used several times, each entry must
 # have form "-X <public-ip/private-ip>", to map all involved addresses.
 # RFC5780 NAT discovery STUN functionality will work correctly,
 # if the addresses are mapped properly, even when the TURN server itself
 # is behind A NAT.
 #
 # By default, this value is empty, and no address mapping is used.
 #
 # external-ip=193.224.22.37
 #
 #OR:
 #
 #external-ip=60.70.80.91/172.17.19.101
 #external-ip=60.70.80.92/172.17.19.102
 external-ip=108.29.206.17
 # Number of the relay threads to handle the established connections
 # (in addition to authentication thread and the listener thread).
 # If explicitly set to 0 then application runs relay process in a
 # single thread, in the same thread with the listener process
 # (the authentication thread will still be a separate thread).
 #
 # If this parameter is not set, then the default OS-dependent
 # thread pattern algorithm will be employed. Usually the default
 # algorithm is optimal, so you have to change this option
 # if you want to make some fine tweaks.
 #
 # In the older systems (Linux kernel before 3.9),
 # the number of UDP threads is always one thread per network listening
 # endpoint - including the auxiliary endpoints - unless 0 (zero) or
 # 1 (one) value is set.
 #
 #relay-threads=0
 # Lower and upper bounds of the UDP relay endpoints:
 # (default values are 49152 and 65535)
 #
 min-port=49152
 max-port=65535
 # Uncomment to run TURN server in 'normal' 'moderate' verbose mode.
 # By default the verbose mode is off.
 #verbose
 # Uncomment to run TURN server in 'extra' verbose mode.
 # This mode is very annoying and produces lots of output.
 # Not recommended under normal circumstances.
 #
 #Verbose
 # Uncomment to use fingerprints in the TURN messages.
 # By default the fingerprints are off.
 #
 fingerprint
 # Uncomment to use long-term credential mechanism.
 # By default no credentials mechanism is used (any user allowed).
 #
 lt-cred-mech
 # This option is the opposite of lt-cred-mech.
 # (TURN Server with no-auth option allows anonymous access).
 # If neither option is defined, and no users are defined,
 # then no-auth is default. If at least one user is defined,
 # in this file, in command line or in usersdb file, then
 # lt-cred-mech is default.
 #
 #no-auth
 # TURN REST API flag.
 # (Time Limited Long Term Credential)
 # Flag that sets a special authorization option that is based upon authentication secret.
 #
 # This feature's purpose is to support "TURN Server REST API", see
 # "TURN REST API" link in the project's page
 # https://github.com/coturn/coturn/
 #
 # This option is used with timestamp:
 #
 # usercombo -> "timestamp:userid"
 # turn user -> usercombo
 # turn password -> base64(hmac(secret key, usercombo))
 #
 # This allows TURN credentials to be accounted for a specific user id.
 # If you don't have a suitable id, then the timestamp alone can be used.
 # This option is enabled by turning on secret-based authentication.
 # The actual value of the secret is defined either by the option static-auth-secret,
 # or can be found in the turn_secret table in the database (see below).
 #
 # Read more about it:
 #  - https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00
 #  - https://www.ietf.org/proceedings/87/slides/slides-87-behave-10.pdf
 #
 # Be aware that use-auth-secret overrides some parts of lt-cred-mech.
 # The use-auth-secret feature depends internally on lt-cred-mech, so if you set
 # this option then it automatically enables lt-cred-mech internally
 # as if you had enabled both.
 #
 # Note that you can use only one auth mechanism at the same time! This is because,
 # both mechanisms conduct username and password validation in different ways.
 #
 # Use either lt-cred-mech or use-auth-secret in the conf
 # to avoid any confusion.
 #
 #use-auth-secret
 # 'Static' authentication secret value (a string) for TURN REST API only.
 # If not set, then the turn server
 # will try to use the 'dynamic' value in the turn_secret table
 # in the user database (if present). The database-stored  value can be changed on-the-fly
 # by a separate program, so this is why that mode is considered 'dynamic'.
 #
 #static-auth-secret=north
 # Server name used for
 # the oAuth authentication purposes.
 # The default value is the realm name.
 #
 # server-name=stun.wiretrustee.com
 # Flag that allows oAuth authentication.
 #
 #oauth
 # 'Static' user accounts for the long term credentials mechanism, only.
 # This option cannot be used with TURN REST API.
 # 'Static' user accounts are NOT dynamically checked by the turnserver process,
 # so they can NOT be changed while the turnserver is running.
 #
 #user=username1:key1
 #user=username2:key2
 # OR:
 user=self:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_TURN_PASSWORD'] }}
 #user=username2:password2
 #
 # Keys must be generated by turnadmin utility. The key value depends
 # on user name, realm, and password:
 #
 # Example:
 # $ turnadmin -k -u ninefingers -r north.gov -p youhavetoberealistic
 # Output: 0xbc807ee29df3c9ffa736523fb2c4e8ee
 # ('0x' in the beginning of the key is what differentiates the key from
 # password. If it has 0x then it is a key, otherwise it is a password).
 #
 # The corresponding user account entry in the config file will be:
 #
 #user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee
 # Or, equivalently, with open clear password (less secure):
 #user=ninefingers:youhavetoberealistic
 #
 # SQLite database file name.
 #
 # The default file name is /var/db/turndb or /usr/local/var/db/turndb or
 # /var/lib/turn/turndb.
 #
 #userdb=/var/db/turndb
 # PostgreSQL database connection string in the case that you are using PostgreSQL
 # as the user database.
 # This database can be used for the long-term credential mechanism
 # and it can store the secret value for secret-based timed authentication in TURN REST API.
 # See http://www.postgresql.org/docs/8.4/static/libpq-connect.html for 8.x PostgreSQL
 # versions connection string format, see
 # http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING
 # for 9.x and newer connection string formats.
 #
 #psql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> connect_timeout=30"
 # MySQL database connection string in the case that you are using MySQL
 # as the user database.
 # This database can be used for the long-term credential mechanism
 # and it can store the secret value for secret-based timed authentication in TURN REST API.
 #
 # Optional connection string parameters for the secure communications (SSL):
 # ca, capath, cert, key, cipher
 # (see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the
 # command options description).
 #
 # Use the string format below (space separated parameters, all optional):
 #
 # mysql-userdb="host=mysql dbname=coturn user=coturn password=CHANGE_ME port=3306 connect_timeout=10 read_timeout=10"
 # If you want to use an encrypted password in the MySQL connection string,
 # then set the MySQL password encryption secret key file with this option.
 #
 # Warning: If this option is set, then the mysql password must be set in "mysql-userdb" in an encrypted format!
 # If you want to use a cleartext password then do not set this option!
 #
 # This is the file path for the aes encrypted secret key used for password encryption.
 #
 #secret-key-file=/path/
 # MongoDB database connection string in the case that you are using MongoDB
 # as the user database.
 # This database can be used for long-term credential mechanism
 # and it can store the secret value for secret-based timed authentication in TURN REST API.
 # Use the string format described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html
 #
 #mongo-userdb="mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]"
 # Redis database connection string in the case that you are using Redis
 # as the user database.
 # This database can be used for long-term credential mechanism
 # and it can store the secret value for secret-based timed authentication in TURN REST API.
 # Use the string format below (space separated parameters, all optional):
 #
 #redis-userdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
 # Redis status and statistics database connection string, if used (default - empty, no Redis stats DB used).
 # This database keeps allocations status information, and it can be also used for publishing
 # and delivering traffic and allocation event notifications.
 # The connection string has the same parameters as redis-userdb connection string.
 # Use the string format below (space separated parameters, all optional):
 #
 #redis-statsdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
 # The default realm to be used for the users when no explicit
 # origin/realm relationship is found in the database, or if the TURN
 # server is not using any database (just the commands-line settings
 # and the userdb file). Must be used with long-term credentials
 # mechanism or with TURN REST API.
 #
 # Note: If the default realm is not specified, then realm falls back to the host domain name.
 #       If the domain name string is empty, or set to '(None)', then it is initialized as an empty string.
 #
 # realm=wiretrustee.com
 # This flag sets the origin consistency
 # check. Across the session, all requests must have the same
 # main ORIGIN attribute value (if the ORIGIN was
 # initially used by the session).
 #
 #check-origin-consistency
 # Per-user allocation quota.
 # default value is 0 (no quota, unlimited number of sessions per user).
 # This option can also be set through the database, for a particular realm.
 #
 #user-quota=0
 # Total allocation quota.
 # default value is 0 (no quota).
 # This option can also be set through the database, for a particular realm.
 #
 #total-quota=0
 # Max bytes-per-second bandwidth a TURN session is allowed to handle
 # (input and output network streams are treated separately). Anything above
 # that limit will be dropped or temporarily suppressed (within
 # the available buffer limits).
 # This option can also be set through the database, for a particular realm.
 #
 #max-bps=0
 #
 # Maximum server capacity.
 # Total bytes-per-second bandwidth the TURN server is allowed to allocate
 # for the sessions, combined (input and output network streams are treated separately).
 #
 # bps-capacity=0
 # Uncomment if no UDP client listener is desired.
 # By default UDP client listener is always started.
 #
 #no-udp
 # Uncomment if no TCP client listener is desired.
 # By default TCP client listener is always started.
 #
 #no-tcp
 # Uncomment if no TLS client listener is desired.
 # By default TLS client listener is always started.
 #
 #no-tls
 # Uncomment if no DTLS client listener is desired.
 # By default DTLS client listener is always started.
 #
 #no-dtls
 # Uncomment if no UDP relay endpoints are allowed.
 # By default UDP relay endpoints are enabled (like in RFC 5766).
 #
 #no-udp-relay
 # Uncomment if no TCP relay endpoints are allowed.
 # By default TCP relay endpoints are enabled (like in RFC 6062).
 #
 #no-tcp-relay
 # Uncomment if extra security is desired,
 # with nonce value having a limited lifetime.
 # The nonce value is unique for a session.
 # Set this option to limit the nonce lifetime.
 # Set it to 0 for unlimited lifetime.
 # It defaults to 600 secs (10 min) if no value is provided. After that delay,
 # the client will get 438 error and will have to re-authenticate itself.
 #
 #stale-nonce=600
 # Uncomment if you want to set the maximum allocation
 # time before it has to be refreshed.
 # Default is 3600s.
 #
 #max-allocate-lifetime=3600
 # Uncomment to set the lifetime for the channel.
 # Default value is 600 secs (10 minutes).
 # This value MUST not be changed for production purposes.
 #
 #channel-lifetime=600
 # Uncomment to set the permission lifetime.
 # Default to 300 secs (5 minutes).
 # In production this value MUST not be changed,
 # however it can be useful for test purposes.
 #
 #permission-lifetime=300
 # Certificate file.
 # Use an absolute path or path relative to the
 # configuration file.
 # Use PEM file format.
 #
 cert=/etc/coturn/certs/cert.pem
 # Private key file.
 # Use an absolute path or path relative to the
 # configuration file.
 # Use PEM file format.
 #
 pkey=/etc/coturn/private/privkey.pem
 # Private key file password, if it is in encoded format.
 # This option has no default value.
 #
 #pkey-pwd=...
 # Allowed OpenSSL cipher list for TLS/DTLS connections.
 # Default value is "DEFAULT".
 #
 #cipher-list="DEFAULT"
 # CA file in OpenSSL format.
 # Forces TURN server to verify the client SSL certificates.
 # By default this is not set: there is no default value and the client
 # certificate is not checked.
 #
 # Example:
 #CA-file=/etc/ssh/id_rsa.cert
 # Curve name for EC ciphers, if supported by OpenSSL
 # library (TLS and DTLS). The default value is prime256v1,
 # if pre-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+,
 # an optimal curve will be automatically calculated, if not defined
 # by this option.
 #
 #ec-curve-name=prime256v1
 # Use 566 bits predefined DH TLS key. Default size of the key is 2066.
 #
 #dh566
 # Use 1066 bits predefined DH TLS key. Default size of the key is 2066.
 #
 #dh1066
 # Use custom DH TLS key, stored in PEM format in the file.
 # Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.
 #
 #dh-file=<DH-PEM-file-name>
 # Flag to prevent stdout log messages.
 # By default, all log messages go to both stdout and to
 # the configured log file. With this option everything will
 # go to the configured log only (unless the log file itself is stdout).
 #
 #no-stdout-log
 # Option to set the log file name.
 # By default, the turnserver tries to open a log file in
 # /var/log, /var/tmp, /tmp and the current directory
 # (Whichever file open operation succeeds first will be used).
 # With this option you can set the definite log file name.
 # The special names are "stdout" and "-" - they will force everything
 # to the stdout. Also, the "syslog" name will force everything to
 # the system log (syslog).
 # In the runtime, the logfile can be reset with the SIGHUP signal
 # to the turnserver process.
 #
 log-file=stdout
 # Option to redirect all log output into system log (syslog).
 #
 # syslog
 # This flag means that no log file rollover will be used, and the log file
 # name will be constructed as-is, without PID and date appendage.
 # This option can be used, for example, together with the logrotate tool.
 #
 #simple-log
 # Option to set the "redirection" mode. The value of this option
 # will be the address of the alternate server for UDP & TCP service in the form of
 # <ip>[:<port>]. The server will send this value in the attribute
 # ALTERNATE-SERVER, with error 300, on ALLOCATE request, to the client.
 # Client will receive only values with the same address family
 # as the client network endpoint address family.
 # See RFC 5389 and RFC 5766 for the description of ALTERNATE-SERVER functionality.
 # The client must use the obtained value for subsequent TURN communications.
 # If more than one --alternate-server option is provided, then the functionality
 # can be more accurately described as "load-balancing" than a mere "redirection".
 # If the port number is omitted, then the default port
 # number 3478 for the UDP/TCP protocols will be used.
 # Colon (:) characters in IPv6 addresses may conflict with the syntax of
 # the option. To alleviate this conflict, literal IPv6 addresses are enclosed
 # in square brackets in such resource identifiers, for example:
 # [2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 .
 # Multiple alternate servers can be set. They will be used in the
 # round-robin manner. All servers in the pool are considered of equal weight and
 # the load will be distributed equally. For example, if you have 4 alternate servers,
 # then each server will receive 25% of ALLOCATE requests. A alternate TURN server
 # address can be used more than one time with the alternate-server option, so this
 # can emulate "weighting" of the servers.
 #
 # Examples:
 #alternate-server=1.2.3.4:5678
 #alternate-server=11.22.33.44:56789
 #alternate-server=5.6.7.8
 #alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
 # Option to set alternative server for TLS & DTLS services in form of
 # <ip>:<port>. If the port number is omitted, then the default port
 # number 5349 for the TLS/DTLS protocols will be used. See the previous
 # option for the functionality description.
 #
 # Examples:
 #tls-alternate-server=1.2.3.4:5678
 #tls-alternate-server=11.22.33.44:56789
 #tls-alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
 # Option to suppress TURN functionality, only STUN requests will be processed.
 # Run as STUN server only, all TURN requests will be ignored.
 # By default, this option is NOT set.
 #
 #stun-only
 # Option to hide software version. Enhance security when used in production.
 # Revealing the specific software version of the agent through the
 # SOFTWARE attribute might allow them to become more vulnerable to
 # attacks against software that is known to contain security holes.
 # Implementers SHOULD make usage of the SOFTWARE attribute a
 # configurable option (https://tools.ietf.org/html/rfc5389#section-16.1.2)
 #
 no-software-attribute
 # Option to suppress STUN functionality, only TURN requests will be processed.
 # Run as TURN server only, all STUN requests will be ignored.
 # By default, this option is NOT set.
 #
 #no-stun
 # This is the timestamp/username separator symbol (character) in TURN REST API.
 # The default value is ':'.
 # rest-api-separator=:
 # Flag that can be used to allow peers on the loopback addresses (127.x.x.x and ::1).
 # This is an extra security measure.
 #
 # (To avoid any security issue that allowing loopback access may raise,
 # the no-loopback-peers option is replaced by allow-loopback-peers.)
 #
 # Allow it only for testing in a development environment!
 # In production it adds a possible security vulnerability, so for security reasons
 # it is not allowed using it together with empty cli-password.
 #
 #allow-loopback-peers
 # Flag that can be used to disallow peers on well-known broadcast addresses (224.0.0.0 and above, and FFXX:*).
 # This is an extra security measure.
 #
 #no-multicast-peers
 # Option to set the max time, in seconds, allowed for full allocation establishment.
 # Default is 60 seconds.
 #
 #max-allocate-timeout=60
 # Option to allow or ban specific ip addresses or ranges of ip addresses.
 # If an ip address is specified as both allowed and denied, then the ip address is
 # considered to be allowed. This is useful when you wish to ban a range of ip
 # addresses, except for a few specific ips within that range.
 #
 # This can be used when you do not want users of the turn server to be able to access
 # machines reachable by the turn server, but would otherwise be unreachable from the
 # internet (e.g. when the turn server is sitting behind a NAT)
 #
 # Examples:
 # denied-peer-ip=83.166.64.0-83.166.95.255
 # allowed-peer-ip=83.166.68.45
 # File name to store the pid of the process.
 # Default is /var/run/turnserver.pid (if superuser account is used) or
 # /var/tmp/turnserver.pid .
 #
 pidfile="/var/tmp/turnserver.pid"
 # Require authentication of the STUN Binding request.
 # By default, the clients are allowed anonymous access to the STUN Binding functionality.
 #
 #secure-stun
 # Mobility with ICE (MICE) specs support.
 #
 #mobility
 # Allocate Address Family according
 # If enabled then TURN server allocates address family according  the TURN
 # Client <=> Server communication address family.
 # (By default Coturn works according RFC 6156.)
 # !!Warning: Enabling this option breaks RFC6156 section-4.2 (violates use default IPv4)!!
 #
 #keep-address-family
 # User name to run the process. After the initialization, the turnserver process
 # will attempt to change the current user ID to that user.
 #
 #proc-user=<user-name>
 # Group name to run the process. After the initialization, the turnserver process
 # will attempt to change the current group ID to that group.
 #
 #proc-group=<group-name>
 # Turn OFF the CLI support.
 # By default it is always ON.
 # See also options cli-ip and cli-port.
 #
 no-cli
 #Local system IP address to be used for CLI server endpoint. Default value
 # is 127.0.0.1.
 #
 # cli-ip=127.0.0.1
 # CLI server port. Default is 5766.
 #
 # cli-port=5766
 # CLI access password. Default is empty (no password).
 # For the security reasons, it is recommended that you use the encrypted
 # form of the password (see the -P command in the turnadmin utility).
 #
 # Secure form for password 'qwerty':
 #
 #cli-password=$5$79a316b350311570$81df9cfb9af7f5e5a76eada31e7097b663a0670f99a3c07ded3f1c8e59c5658a
 #
 # Or insecure form for the same password:
 #
 # cli-password=CHANGE_ME
 # Enable Web-admin support on https. By default it is Disabled.
 # If it is enabled it also enables a http a simple static banner page
 # with a small reminder that the admin page is available only on https.
 #
 #web-admin
 # Local system IP address to be used for Web-admin server endpoint. Default value is 127.0.0.1.
 #
 #web-admin-ip=127.0.0.1
 # Web-admin server port. Default is 8080.
 #
 #web-admin-port=8080
 # Web-admin server listen on STUN/TURN worker threads
 # By default it is disabled for security reasons! (Not recommended in any production environment!)
 #
 #web-admin-listen-on-workers
 # Server relay. NON-STANDARD AND DANGEROUS OPTION.
 # Only for those applications when you want to run
 # server applications on the relay endpoints.
 # This option eliminates the IP permissions check on
 # the packets incoming to the relay endpoints.
 #
 #server-relay
 # Maximum number of output sessions in ps CLI command.
 # This value can be changed on-the-fly in CLI. The default value is 256.
 #
 #cli-max-output-sessions
 # Set network engine type for the process (for internal purposes).
 #
 #ne=[1|2|3]
 # Do not allow an TLS/DTLS version of protocol
 #
 #no-tlsv1
 #no-tlsv1_1
 #no-tlsv1_2
@@ -0,0 +1,11 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 <clickhouse>
    <profiles>
        <default>
            <log_queries>0</log_queries>
            <log_query_threads>0</log_query_threads>
        </default>
    </profiles>
 </clickhouse>
@@ -0,0 +1,62 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 version: 2
 postal:
  web_hostname: post.trez.wtf
  web_protocol: http
  smtp_hostname: post.trez.wtf
  use_ip_pools: false
  signing_key_path: /config/signing.key
  trusted_proxies: [ "172.18.0.0/16" ]
 web_server:
  default_port: 5000
  default_bind_address: 0.0.0.0
 main_db:
  host: mariadb
  username: postal
  password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_MYSQL_PASSWORD'] }}
  database: postal
 message_db:
  host: mariadb
  username: postal
  password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_MYSQL_PASSWORD'] }}
  prefix: postal
 smtp_server:
  default_port: 25
  default_bind_address: "::"
  tls_enabled: true
  tls_certificate_path: /config/certs/fullchain.pem
  tls_private_key_path: /config/certs/privkey.pem
 dns:
  # Specify the DNS records that you have configured. Refer to the documentation at
  # https://github.com/atech/postal/wiki/Domains-&-DNS-Configuration for further
  # information about these.
  mx_records:
    - mx.post.trez.wtf
  spf_include: spf.post.trez.wtf
  return_path_domain: rp.post.trez.wtf
  route_domain: routes.post.trez.wtf
  track_domain: track.post.trez.wtf
 smtp:
  # Specify an SMTP server that can be used to send messages from the Postal management
  # system to users. You can configure this to use a Postal mail server once the
  # your installation has been set up.
  host: postal-smtp
  port: 25
  username: rinoa/postal-smtp
  password: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}"
  from_name: Postal @ Rinoa
  from_address: noreply@trez.wtf
 rails:
  # This is generated automatically by the config initialization. It should be a random
  # string unique to your installation.
  secret_key: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_RAILS_SECRET_KEY'] }}"
@@ -0,0 +1,21 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 <Config>
  <BindAddress>*</BindAddress>
  <Port>9696</Port>
  <SslPort>6969</SslPort>
  <EnableSsl>False</EnableSsl>
  <LaunchBrowser>True</LaunchBrowser>
  <ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['PROWLARR_API_KEY'] }}</ApiKey>
  <AuthenticationMethod>Forms</AuthenticationMethod>
  <AuthenticationRequired>Enabled</AuthenticationRequired>
  <Branch>master</Branch>
  <LogLevel>info</LogLevel>
  <SslCertPath></SslCertPath>
  <SslCertPassword></SslCertPassword>
  <UrlBase></UrlBase>
  <InstanceName>Prowlarr</InstanceName>
  <UpdateMechanism>Docker</UpdateMechanism>
  <Theme>light</Theme>
 </Config>
@@ -0,0 +1,20 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 {
    "radarr_address": "http://radarr:7878",
    "radarr_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['RADARR_API_KEY'] }}",
    "root_folder_path": "/data/media/movies",
    "tmdb_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['TMDB_API_KEY'] }}",
    "fallback_to_top_result": false,
    "radarr_api_timeout": 120.0,
    "quality_profile_id": 1,
    "metadata_profile_id": 1,
    "search_for_movie": true,
    "dry_run_adding_to_radarr": false,
    "minimum_rating": 4.5,
    "minimum_votes": 50,
    "language_choice": "all",
    "auto_start": true,
    "auto_start_delay": 60.0
 }
@@ -0,0 +1,21 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 <Config>
  <LogLevel>info</LogLevel>
  <BindAddress>*</BindAddress>
  <EnableSsl>False</EnableSsl>
  <SslCertPath></SslCertPath>
  <Port>7878</Port>
  <UrlBase></UrlBase>
  <ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['RADARR_API_KEY'] }}</ApiKey>
  <AuthenticationMethod>Forms</AuthenticationMethod>
  <UpdateMechanism>Docker</UpdateMechanism>
  <SslPort>9898</SslPort>
  <LaunchBrowser>True</LaunchBrowser>
  <Branch>master</Branch>
  <SslCertPassword></SslCertPassword>
  <InstanceName>Radarr</InstanceName>
  <Theme>auto</Theme>
  <AuthenticationRequired>Enabled</AuthenticationRequired>
 </Config>
@@ -0,0 +1,21 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 <Config>
  <BindAddress>*</BindAddress>
  <Port>8787</Port>
  <SslPort>6868</SslPort>
  <EnableSsl>False</EnableSsl>
  <LaunchBrowser>True</LaunchBrowser>
  <ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['READARR_API_KEY'] }}</ApiKey>
  <AuthenticationMethod>Forms</AuthenticationMethod>
  <Branch>develop</Branch>
  <LogLevel>info</LogLevel>
  <SslCertPath></SslCertPath>
  <SslCertPassword></SslCertPassword>
  <UrlBase></UrlBase>
  <InstanceName>Readarr</InstanceName>
  <UpdateMechanism>Docker</UpdateMechanism>
  <Theme>auto</Theme>
  <AuthenticationRequired>Enabled</AuthenticationRequired>
 </Config>
@@ -0,0 +1,482 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 __version__ = 19
 __encoding__ = utf-8
 [misc]
 pre_script = None
 queue_complete = ""
 queue_complete_pers = 0
 bandwidth_perc = 0
 refresh_rate = 1
 queue_limit = 20
 config_lock = 0
 sched_converted = 2
 notified_new_skin = 2
 direct_unpack_tested = 1
 check_new_rel = 1
 auto_browser = 0
 language = en
 enable_https_verification = 1
 host = 0.0.0.0
 port = 8080
 https_port = 8090
 username = thetrezuredone
 password = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SABNZBDVPN_PASSWORD'] }}
 bandwidth_max = 1000M
 cache_limit = 1G
 web_dir = Glitter
 web_color = Auto
 https_cert = server.cert
 https_key = server.key
 https_chain = ""
 enable_https = 1
 inet_exposure = 0
 local_ranges = ,
 api_key = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SABNZBDVPN_API_KEY'] }}
 nzb_key = 3c0fa874bb2748b58c1bd7512e649946
 permissions = 775
 download_dir = /storage/downloads/incomplete
 download_free = ""
 complete_dir = /storage/downloads/completed/nzb
 script_dir = ""
 nzb_backup_dir = ""
 admin_dir = admin
 dirscan_dir = /storage/downloads/watch
 dirscan_speed = 5
 password_file = ""
 log_dir = logs
 max_art_tries = 3
 load_balancing = 2
 top_only = 0
 sfv_check = 1
 quick_check_ext_ignore = nfo, sfv, srr
 script_can_fail = 0
 ssl_ciphers = ""
 enable_recursive = 1
 flat_unpack = 0
 par_option = ""
 pre_check = 1
 nice = ""
 win_process_prio = 3
 ionice = ""
 fail_hopeless_jobs = 1
 fast_fail = 1
 auto_disconnect = 1
 no_dupes = 3
 no_series_dupes = 0
 series_propercheck = 1
 pause_on_pwrar = 2
 ignore_samples = 1
 deobfuscate_final_filenames = 0
 auto_sort = ""
 direct_unpack = 1
 direct_unpack_threads = 3
 propagation_delay = 0
 folder_rename = 1
 replace_spaces = 1
 replace_dots = 1
 safe_postproc = 1
 pause_on_post_processing = 0
 sanitize_safe = 0
 cleanup_list = ,
 unwanted_extensions = ,
 action_on_unwanted_extensions = 0
 new_nzb_on_failure = 1
 history_retention = ""
 enable_meta = 1
 quota_size = ""
 quota_day = ""
 quota_resume = 0
 quota_period = m
 rating_enable = 0
 rating_host = ""
 rating_api_key = ""
 rating_filter_enable = 0
 rating_filter_abort_audio = 0
 rating_filter_abort_video = 0
 rating_filter_abort_encrypted = 0
 rating_filter_abort_encrypted_confirm = 0
 rating_filter_abort_spam = 0
 rating_filter_abort_spam_confirm = 0
 rating_filter_abort_downvoted = 0
 rating_filter_abort_keywords = ""
 rating_filter_pause_audio = 0
 rating_filter_pause_video = 0
 rating_filter_pause_encrypted = 0
 rating_filter_pause_encrypted_confirm = 0
 rating_filter_pause_spam = 0
 rating_filter_pause_spam_confirm = 0
 rating_filter_pause_downvoted = 0
 rating_filter_pause_keywords = ""
 enable_tv_sorting = 1
 tv_sort_string = %sn/Season %s/%sn - %sx%0e - %en.%ext
 tv_sort_countries = 1
 tv_categories = tv,
 enable_movie_sorting = 0
 movie_sort_string = ""
 movie_sort_extra = -cd%1
 movie_extra_folder = 0
 movie_categories = movies,
 enable_date_sorting = 0
 date_sort_string = ""
 date_categories = tv,
 schedlines = ,
 rss_rate = 60
 ampm = 0
 replace_illegal = 1
 start_paused = 0
 enable_all_par = 1
 enable_par_cleanup = 1
 enable_unrar = 1
 enable_unzip = 1
 enable_7zip = 1
 enable_filejoin = 1
 enable_tsjoin = 1
 overwrite_files = 0
 ignore_unrar_dates = 0
 backup_for_duplicates = 1
 empty_postproc = 0
 wait_for_dfolder = 0
 rss_filenames = 0
 api_logging = 1
 html_login = 1
 osx_menu = 1
 osx_speed = 1
 warn_dupl_jobs = 1
 helpfull_warnings = 1
 keep_awake = 1
 win_menu = 1
 allow_incomplete_nzb = 0
 enable_bonjour = 1
 max_art_opt = 0
 ipv6_hosting = 0
 fixed_ports = 1
 api_warnings = 1
 disable_api_key = 0
 no_penalties = 0
 x_frame_options = 1
 require_modern_tls = 0
 num_decoders = 3
 rss_odd_titles = nzbindex.nl/, nzbindex.com/, nzbclub.com/
 req_completion_rate = 100.2
 selftest_host = self-test.sabnzbd.org
 movie_rename_limit = 100M
 size_limit = 0
 show_sysload = 2
 history_limit = 10
 wait_ext_drive = 5
 max_foldername_length = 246
 nomedia_marker = ""
 ipv6_servers = 1
 url_base = /sabnzbd
 host_whitelist = rinoa, sabnzbd.trez.wtf
 max_url_retries = 10
 email_server = ""
 email_to = ,
 email_from = ""
 email_account = ""
 email_pwd = ""
 email_endjob = 0
 email_full = 0
 email_dir = ""
 email_rss = 0
 email_cats = *,
 interface_settings = '{"dateFormat":"fromNow","extraQueueColumns":["category"],"extraHistoryColumns":[],"displayCompact":false,"displayFullWidth":false,"confirmDeleteQueue":true,"confirmDeleteHistory":true,"keyboardShortcuts":true}'
 complete_free = ""
 fulldisk_autoresume = 0
 enable_broadcast = 1
 downloader_sleep_time = 10
 ssdp_broadcast_interval = 15
 unwanted_extensions_mode = 0
 process_unpacked_par2 = 1
 episode_rename_limit = 20M
 socks5_proxy_url = ""
 preserve_paused_state = 0
 helpful_warnings = 1
 allow_old_ssl_tls = 0
 num_simd_decoders = 2
 ext_rename_ignore = ,
 backup_dir = ""
 replace_underscores = 0
 tray_icon = 1
 sorters_converted = 1
 enable_season_sorting = 1
 receive_threads = 2
 switchinterval = 0.005
 end_queue_script = None
 no_smart_dupes = 1
 dupes_propercheck = 1
 enable_multipar = 1
 verify_xff_header = 0
 history_retention_option = all
 history_retention_number = 1
 ipv6_staging = 0
 disable_archive = 0
 config_conversion_version = 4
 disable_par2cmdline = 0
 [logging]
 log_level = 1
 max_log_size = 5242880
 log_backups = 5
 [ncenter]
 ncenter_enable = 0
 ncenter_cats = *,
 ncenter_prio_startup = 0
 ncenter_prio_download = 0
 ncenter_prio_pause_resume = 0
 ncenter_prio_pp = 0
 ncenter_prio_complete = 0
 ncenter_prio_failed = 0
 ncenter_prio_disk_full = 0
 ncenter_prio_new_login = 0
 ncenter_prio_warning = 0
 ncenter_prio_error = 0
 ncenter_prio_queue_done = 0
 ncenter_prio_other = 0
 [acenter]
 acenter_enable = 0
 acenter_cats = *,
 acenter_prio_startup = 0
 acenter_prio_download = 0
 acenter_prio_pause_resume = 0
 acenter_prio_pp = 0
 acenter_prio_complete = 0
 acenter_prio_failed = 0
 acenter_prio_disk_full = 0
 acenter_prio_new_login = 0
 acenter_prio_warning = 0
 acenter_prio_error = 0
 acenter_prio_queue_done = 0
 acenter_prio_other = 0
 [ntfosd]
 ntfosd_enable = 0
 ntfosd_cats = *,
 ntfosd_prio_startup = 0
 ntfosd_prio_download = 0
 ntfosd_prio_pause_resume = 0
 ntfosd_prio_pp = 0
 ntfosd_prio_complete = 0
 ntfosd_prio_failed = 0
 ntfosd_prio_disk_full = 0
 ntfosd_prio_new_login = 0
 ntfosd_prio_warning = 0
 ntfosd_prio_error = 0
 ntfosd_prio_queue_done = 0
 ntfosd_prio_other = 0
 [prowl]
 prowl_enable = 0
 prowl_cats = *,
 prowl_apikey = ""
 prowl_prio_startup = -3
 prowl_prio_download = -3
 prowl_prio_pause_resume = -3
 prowl_prio_pp = -3
 prowl_prio_complete = 0
 prowl_prio_failed = 1
 prowl_prio_disk_full = 1
 prowl_prio_new_login = -3
 prowl_prio_warning = -3
 prowl_prio_error = -3
 prowl_prio_queue_done = 0
 prowl_prio_other = -3
 [pushover]
 pushover_token = ""
 pushover_userkey = ""
 pushover_device = ""
 pushover_emergency_expire = 3600
 pushover_emergency_retry = 60
 pushover_enable = 0
 pushover_cats = *,
 pushover_prio_startup = -3
 pushover_prio_download = -2
 pushover_prio_pause_resume = -2
 pushover_prio_pp = -3
 pushover_prio_complete = -1
 pushover_prio_failed = -1
 pushover_prio_disk_full = 1
 pushover_prio_new_login = -3
 pushover_prio_warning = 1
 pushover_prio_error = 1
 pushover_prio_queue_done = -1
 pushover_prio_other = -3
 [pushbullet]
 pushbullet_enable = 0
 pushbullet_cats = *,
 pushbullet_apikey = ""
 pushbullet_device = ""
 pushbullet_prio_startup = 0
 pushbullet_prio_download = 0
 pushbullet_prio_pause_resume = 0
 pushbullet_prio_pp = 0
 pushbullet_prio_complete = 1
 pushbullet_prio_failed = 1
 pushbullet_prio_disk_full = 1
 pushbullet_prio_new_login = 0
 pushbullet_prio_warning = 0
 pushbullet_prio_error = 0
 pushbullet_prio_queue_done = 0
 pushbullet_prio_other = 0
 [nscript]
 nscript_enable = 0
 nscript_cats = *,
 nscript_script = None
 nscript_parameters = ""
 nscript_prio_startup = 1
 nscript_prio_download = 0
 nscript_prio_pause_resume = 0
 nscript_prio_pp = 0
 nscript_prio_complete = 1
 nscript_prio_failed = 1
 nscript_prio_disk_full = 1
 nscript_prio_new_login = 0
 nscript_prio_warning = 0
 nscript_prio_error = 0
 nscript_prio_queue_done = 1
 nscript_prio_other = 0
 [servers]
 [[news.newshosting.com]]
 name = news.newshosting.com
 displayname = Newshosting
 host = news.newshosting.com
 port = 563
 timeout = 60
 username = thetrezuredone
 password = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSK_USER_PASSWORD'] }}
 connections = 8
 ssl = 1
 ssl_verify = 3
 ssl_ciphers = ""
 enable = 1
 required = 0
 optional = 0
 retention = 0
 expire_date = ""
 quota = ""
 usage_at_start = 0
 priority = 0
 notes = ""
 [[news.easynews.com]]
 name = news.easynews.com
 displayname = EasyNews
 host = news.easynews.com
 port = 443
 timeout = 60
 username = TrezOne
 password = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SABNZBDVPN_EASYNEWS_PASSWORD'] }}
 connections = 60
 ssl = 0
 ssl_verify = 3
 ssl_ciphers = ""
 enable = 1
 required = 0
 optional = 0
 retention = 0
 expire_date = ""
 quota = ""
 usage_at_start = 0
 priority = 0
 notes = ""
 [categories]
 [[software]]
 name = software
 order = 0
 pp = ""
 script = Default
 dir = ""
 newzbin = ""
 priority = -100
 [[*]]
 name = *
 order = 0
 pp = 3
 script = Default
 dir = ""
 newzbin = ""
 priority = 0
 [[tv]]
 name = tv
 order = 0
 pp = ""
 script = Default
 dir = tv
 newzbin = ""
 priority = -100
 [[audio]]
 name = audio
 order = 0
 pp = 2
 script = Default
 dir = music
 newzbin = ""
 priority = 1
 [[movies]]
 name = movies
 order = 0
 pp = ""
 script = Default
 dir = movies
 newzbin = ""
 priority = -100
 [[ebook]]
 name = ebook
 order = 0
 pp = 2
 script = Default
 dir = ebooks
 newzbin = ""
 priority = -100
 [[prowlarr]]
 name = prowlarr
 order = 0
 pp = ""
 script = Default
 dir = ""
 newzbin = ""
 priority = -1
 [[sonarr]]
 name = sonarr
 order = 1
 pp = ""
 script = Default
 dir = tv
 newzbin = ""
 priority = -100
 [sorters]
 [[Series Sorting]]
 name = Series Sorting
 order = 0
 min_size = 20M
 multipart_label = ""
 sort_string = %sn/Season %s/%sn - %sx%0e - %en.%ext
 sort_cats = tv,
 sort_type = 1,
 is_active = 1
 [apprise]
 apprise_enable = 1
 apprise_cats = *,
 apprise_urls = apprise://apprise:8000/aef1ab3765b857585e13340f1f5f879b2babcc47b0eccead98a19e0a93fe1a35
 apprise_target_startup = ""
 apprise_target_startup_enable = 0
 apprise_target_download = ""
 apprise_target_download_enable = 0
 apprise_target_pause_resume = ""
 apprise_target_pause_resume_enable = 1
 apprise_target_pp = ""
 apprise_target_pp_enable = 0
 apprise_target_complete = ""
 apprise_target_complete_enable = 1
 apprise_target_failed = ""
 apprise_target_failed_enable = 1
 apprise_target_disk_full = ""
 apprise_target_disk_full_enable = 0
 apprise_target_new_login = ""
 apprise_target_new_login_enable = 1
 apprise_target_warning = ""
 apprise_target_warning_enable = 1
 apprise_target_error = ""
 apprise_target_error_enable = 1
 apprise_target_queue_done = ""
 apprise_target_queue_done_enable = 0
 apprise_target_other = ""
 apprise_target_other_enable = 1
@@ -0,0 +1,7 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 bolt-path: /opt/scrutiny/influxdb/influxd.bolt
 engine-path: /opt/scrutiny/influxdb/engine
 http-bind-address: ":8086"
 reporting-disabled: true
@@ -0,0 +1,49 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 [uwsgi]
 # Who will run the code
 uid = searxng
 gid = searxng
 # Number of workers (usually CPU count)
 workers = %k
 threads = 4
 # The right granted on the created socket
 chmod-socket = 666
 # Plugin to use and interpreter config
 single-interpreter = true
 master = true
 plugin = python3
 lazy-apps = true
 enable-threads = 4
 # Module to import
 module = searx.webapp
 # Virtualenv and python path
 pythonpath = /usr/local/searxng/
 chdir = /usr/local/searxng/searx/
 # automatically set processes name to something meaningful
 auto-procname = true
 # Disable request logging for privacy
 disable-logging = true
 log-5xx = true
 # Set the max size of a request (request-body excluded)
 buffer-size = 8192
 # No keep alive
 # See https://github.com/searx/searx-docker/issues/24
 add-header = Connection: close
 # uwsgi serves the static files
 static-map = /static=/usr/local/searxng/searx/static
 # expires set to one day
 static-expires = /* 86400
 static-gzip-all = True
 offload-threads = 4
@@ -0,0 +1,22 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 <Config>
  <LogLevel>info</LogLevel>
  <EnableSsl>False</EnableSsl>
  <Port>8989</Port>
  <SslPort>9898</SslPort>
  <UrlBase></UrlBase>
  <BindAddress>*</BindAddress>
  <ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SONARR_API_KEY'] }}</ApiKey>
  <AuthenticationMethod>Forms</AuthenticationMethod>
  <UpdateMechanism>Docker</UpdateMechanism>
  <LaunchBrowser>True</LaunchBrowser>
  <Branch>main</Branch>
  <InstanceName>Sonarr</InstanceName>
  <SyslogPort>514</SyslogPort>
  <AuthenticationRequired>Enabled</AuthenticationRequired>
  <SslCertPath></SslCertPath>
  <SslCertPassword></SslCertPassword>
  <Theme>auto</Theme>
 </Config>
@@ -0,0 +1,21 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 {
    "sonarr_address": "http://192.168.1.2:8989",
    "sonarr_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SONARR_API_KEY'] }}",
    "root_folder_path": "/data/media/shows",
    "tvdb_api_key": "",
    "tmdb_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['TMDB_API_KEY'] }}",
    "fallback_to_top_result": false,
    "sonarr_api_timeout": 120.0,
    "quality_profile_id": 1,
    "metadata_profile_id": 1,
    "search_for_missing_episodes": true,
    "dry_run_adding_to_sonarr": false,
    "minimum_rating": 4.5,
    "minimum_votes": 50,
    "language_choice": "all",
    "auto_start": true,
    "auto_start_delay": 60.0
 }
@@ -0,0 +1,76 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 [Lidarr]
 api_key = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIDARR_API_KEY'] }}
 host_url = http://lidarr:8686
 #This should be the path mounted in lidarr that points to your slskd download directory.
 #If Lidarr is not running in Docker then this may just be the same dir as Slskd is using below.
 download_dir = /storage
 [Slskd]
 #Api key from Slskd. Need to set this up manually. See link to Slskd docs above.
 api_key = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSKD_API_KEY'] }}
 host_url = http://gluetun:5030
 #Slskd download directory. Should have set it up when installing Slskd.
 download_dir = /app/downloads
 #Removes searches from Slskd after the search finishes.
 delete_searches = False
 #Maximum time (in seconds) that the script will wait for downloads to complete.
 #This is used to prevent the script from running forever due to a stalled download. Defaults to 1 hour.
 stalled_timeout = 3600
 [Release Settings]
 #Selects the release with the most common amount of tracks out of all the releases.
 use_most_common_tracknum = True
 allow_multi_disc = True
 #See full list of countries below.
 accepted_countries = Europe,Japan,United Kingdom,United States,[Worldwide],Australia,Canada
 #See full list of formats below.
 accepted_formats = CD,Digital Media,Vinyl
 [Search Settings]
 search_timeout = 5000
 maximum_peer_queue = 50
 #Min upload speed in bit/s
 minimum_peer_upload_speed = 0
 #Min match ratio accepted when comparing lidarr track names to soulseek filenames.
 minimum_filename_match_ratio = 0.5
 #Specify the file types you prefer from most to least. As well as their attributes such as bitrate / samplerate / bitdepth.
 #For flacs you can choose the bitdepth/samplerate. And for mp3s the bitrate.
 #If you do not care about the specific quality you can still just put "flac" or "mp3".
 #Soularr will then just look at the filetype and ignore file attributes.
 allowed_filetypes = flac 24/192,flac 16/44.1,flac,mp3 320,mp3
 ignored_users = User1,User2,Fred,Bob
 #Set to False if you only want to search for complete albums
 search_for_tracks = True
 #Set to True if you want to add the artist's name to the beginning of the search for albums
 album_prepend_artist = False
 track_prepend_artist = True
 #Valid search types: all || incrementing_page || first_page
  #"all" will search for every wanted record everytime soularr is run.
  #"incrementing_page" will start with the first page and increment to the next on each run.
  #"first_page" will repeatedly search the first page.
 #If using the search type "first_page" remove_wanted_on_failure should be enabled.
 search_type = incrementing_page
 #How mancy records to grab each run, must be a number between 1 - 2,147,483,647
 number_of_albums_to_grab = 10
 #Unmonitors the album if Soularr can't find it and places it in "failure_list.txt".
 #Failed albums can be re monitored by filtering "Unmonitored" in the Lidarr wanted list.
 remove_wanted_on_failure = False
 #Comma separated list of words that can't be in the title of albums or tracks. Case insensitive.
 title_blacklist = BlacklistWord1,blacklistword2
 #Lidarr source to use for searching. Accepted values are "all", "missing", or "cutoff_unmet". If "all" is selected
 # then both missing and cutoff_unme will be searched. The default value is "missing".
 search_source = missing
 [Logging]
 #These options are passed into the logger's basicConfig() method as-is.
 #This means, if you're familiar with Python's logging module, you can configure
 #the logger with options beyond what's listed here by default.
 #For more information on available options  --  https://docs.python.org/3/library/logging.html#logging.basicConfig
 level = INFO
 # Format of log message  --  https://docs.python.org/3/library/logging.html#logrecord-attributes
 format = [%(levelname)s|%(module)s|L%(lineno)d] %(asctime)s: %(message)s
 # Format of datetimes  --  https://docs.python.org/3/library/time.html#time.strftime
 datefmt = %Y-%m-%dT%H:%M:%S%z
@@ -0,0 +1,212 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 directories:
  incomplete: /app/incomplete
  downloads: /app/downloads
 shares:
  directories:
    - /music
 rooms:
  - '! meow chat :3'
  - '#ANUS'
  - '#CORONAVIRUS'
  - '#Horrorcore'
  - '#La France'
  - '#icilombre-hardcore'
  - '#polska'
  - '#vegan'
  - $$RARE RAP MUSIC$$
  - ([6)]
  - +Autism+
  - +BlackMetal+
  - +HIP_HOP_SCENE_RELEASES+
  - /mu/
  - 60lover
  - 60lover v2
  - 70 Rare groove Soul Jazz
  - 80's 12 Inches & More
  - 90's Rare Riddim !!
  - 90's emo
  - <>Electronics Labels<>
  - ACID
  - ARGENTINA
  - "ATLLUMINATI\u201Cawareness"
  - AUSTRALIA
  - Alcohol
  - Ambient
  - Anime
  - Audiobooks
  - Avantgarde
  - BDSM
  - BLUES BUNKER MUSIC
  - BOB DYLAN ROOM
  - BigEdsClassicRock
  - BigedsSixties
  - Blues&Soul
  - Bootlegged concerts
  - Brasil
  - Breakcore
  - CHILE
  - Canada
  - China Room
  - Chiptunes
  - Christians
  - Classical
  - Come To The Sabbath !
  - Communism
  - DEATH METAL CLUB
  - Dark Ambient
  - De Koffie Shop
  - De Kroeg
  - Deathrock
  - DieMilitarmusik
  - Disco Classics
  - Doom Metal
  - Doujin Music
  - Dub Techno
  - Dubstep
  - EBM-GOTHIC-INDUSTRIAL
  - EBooks
  - Emo
  - Eurodance
  - Eurovision Song Contest
  - Experimental Electronica
  - FOLK MUSIC
  - Free Jazz
  - Furry
  - Gay
  - Gothic
  - Greece
  - Grindcore
  - HEE cum eaters 1! !
  - HOUSE MUSIC LOVERS (AG)
  - Happy Hardcore
  - Hardcore NL
  - Hardcore/punk
  - Hip Hop
  - Horror movies
  - IDM
  - INDUSTRIAL
  - IReGGaeGaLaXy
  - Incredibly Strange Music
  - Israel
  - Jaz (Full CDs)
  - Jazz
  - Jazz-Rock-Fusion-Guitar
  - Juggalo Family
  - Jungle
  - Korean Music
  - LANGUAGE EXCHANGE here
  - LGBTQ+!!
  - Last.fm
  - Linux
  - Lossless Scores
  - MOVIES
  - Mac Users
  - Metal
  - MovieMusic
  - NORWAY
  - New Crystal Vibrations
  - New Wave
  - New Zealand
  - OLD SKOOL GANGSTA SHIT
  - OLDSCHOOL 88-94
  - OLI SHOTA CUB ROOM!
  - Original Blues Bunker
  - PSYCHEDELIA
  - PUNK/HARDCORE/GRIND
  - Portugal
  - Post Punk
  - Post-Hardcore (modern)
  - Progressive Rock
  - Psychedelic/Acid Rock
  - Psytrance
  - Quebec
  - REGGAE
  - Rare Music
  - RareVHS/DVD/Rips
  - Retro Gaming
  - Romania
  - Room Name
  - SIsk Idiots !!
  - SLUDGE!
  - Slovenia
  - Soundtracks&Scores
  - Spain
  - Stoner HiVe
  - Stoner Rock
  - Strange Music
  - TECHNO, Mixes and Tunes
  - THC
  - Talia
  - The Dangerous Kitchen
  - TheScoreZone
  - Thrash Metal
  - Tinmans Movie Room
  - Trip-Hop
  - Ttalian_dancefloor
  - Twee Folks
  - UK DUB
  - URIDDIM!!
  - Ukraine
  - Underground Hiphop
  - VAPORWAVE
  - Video Game Chat
  - Vinyl Addicts
  - Vocaloid
  - WHATCDs
  - World Music
  - Yacht Rock
  - '[German] [Deutsch]'
  - abbey road Itd
  - anime cunny
  - bleeps&klonks
  - breakbeat
  - comics
  - deep house connection
  - drum'n'bass
  - eesti mehed
  - electro
  - flacfield
  - food
  - for Losers
  - hungary
  - indie
  - japanese music
  - library music
  - lossless
  - minimal music
  - museek
  - noise
  - 'on'
  - postrock
  - programming
  - progressive house
  - public porn
  - r/musichoarder
  - ru
  - shoegaze
  - tapekvit
  - test
  - trancEaddict
  - trivia
  - what.cd
  - what.cd electronic
  - what.cd-flac
  - '{Italo Disco'
 web:
  authentication:
    username: slskd
    password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSKD_WEB_PASSSWORD'] }}
    api_keys:
      my_api_key:
        key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSKD_API_KEY'] }}
        role: readwrite
        cidr: 0.0.0.0/0,::/0
 soulseek:
  address: vps.slsknet.org
  port: 2271
  username: Trez.One
  password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSK_USER_PASSWORD'] }}
  diagnostic_level: Info
@@ -0,0 +1,19 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 {
  "$schema": "../schemas/v2/index.json",
  "repos": [
      {
          "type": "gitea",
          "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_GITEA_TOKEN'] }}",
          "url": "https://git.trez.wtf",
          "revisions": {
              "branches": [
                  "main",
                  "*"
              ]
          }
      }
  ]
 }
@@ -0,0 +1,29 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 <?xml version='1.0' encoding='UTF-8'?>
 <!DOCTYPE properties SYSTEM 'http://java.sun.com/dtd/properties.dtd'>
 <properties>
    <entry key='config.default'>./conf/default.xml</entry>
    <!--
    This is the main configuration file. All your configuration parameters should be placed in this file.
    Default configuration parameters are located in the "default.xml" file. You should not modify it to avoid issues
    with upgrading to a new version. Parameters in the main config file override values in the default file. Do not
    remove "config.default" parameter from this file unless you know what you are doing.
    For list of available parameters see following page: https://www.traccar.org/configuration-file/
    -->
    <entry key='database.driver'>org.postgresql.Driver</entry>
    <entry key='database.url'>jdbc:postgresql://traccar-pg:5432/traccar-db</entry>
    <entry key='database.user'>traccar</entry>
    <entry key='database.password'>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['WAZUH_API_PASSWORD'] }}</entry>
 </properties>
@@ -0,0 +1,29 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 {
    "always_keep_failed_tasks": true,
    "auto_manage_completed_tasks": false,
    "cache_path": "/tmp/unmanic",
    "clear_pending_tasks_on_restart": false,
    "concurrent_file_testers": 2,
    "config_path": "/config/.unmanic/config",
    "debugging": false,
    "distributed_worker_count_target": 0,
    "enable_library_scanner": false,
    "first_run": false,
    "follow_symlinks": true,
    "installation_name": "Unmanic @ Rinoa",
    "library_path": "/library",
    "log_path": "/config/.unmanic/logs",
    "max_age_of_completed_tasks": 91,
    "number_of_workers": null,
    "plugins_path": "/config/.unmanic/plugins",
    "release_notes_viewed": "0.2.8",
    "remote_installations": [],
    "run_full_scan_on_start": false,
    "schedule_full_scan_minutes": 1440,
    "ui_port": 8888,
    "userdata_path": "/config/.unmanic/userdata",
    "worker_event_schedules": null
 }
@@ -0,0 +1,31 @@
  sources:
    rinoa_docker_logs:
      type: docker_logs
      exclude_containers:
        - vector
  sinks:
    parseable:
      type: http
      method: post
      batch:
        max_bytes: 10485760
        max_events: 1000
        timeout_secs: 10
      compression: gzip
      inputs:
        - rinoa_docker_logs
      encoding:
        codec: json
      uri: http://parseable:8000/api/v1/ingest'
      auth:
        strategy: basic
        user: admin
        password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['PARSEABLE_PASSWORD'] }}
      request:
        headers:
          X-P-Stream: rinoa-docker-logs
      healthcheck:
        enabled: true
        path: 'http://parseable:8000/api/v1/liveness'
        port: 80
@@ -0,0 +1,19 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 nodes:
  # Wazuh indexer server nodes
  indexer:
    - name: wazuh.indexer
      ip: wazuh.indexer
  # Wazuh server nodes
  # Use node_type only with more than one Wazuh manager
  server:
    - name: wazuh.manager
      ip: wazuh.manager
  # Wazuh dashboard node
  dashboard:
    - name: wazuh.dashboard
      ip: wazuh.dashboard
@@ -0,0 +1,33 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 network.host: "0.0.0.0"
 node.name: "wazuh.indexer"
 path.data: /var/lib/wazuh-indexer
 path.logs: /var/log/wazuh-indexer
 discovery.type: single-node
 http.port: 9200-9299
 transport.tcp.port: 9300-9399
 compatibility.override_main_response_version: true
 plugins.security.ssl.http.pemcert_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.pem
 plugins.security.ssl.http.pemkey_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.key
 plugins.security.ssl.http.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/root-ca.pem
 plugins.security.ssl.transport.pemcert_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.pem
 plugins.security.ssl.transport.pemkey_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.key
 plugins.security.ssl.transport.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/root-ca.pem
 plugins.security.ssl.http.enabled: true
 plugins.security.ssl.transport.enforce_hostname_verification: false
 plugins.security.ssl.transport.resolve_hostname: false
 plugins.security.authcz.admin_dn:
 - "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
 plugins.security.check_snapshot_restore_write_privileges: true
 plugins.security.enable_snapshot_restore_privilege: true
 plugins.security.nodes_dn:
 - "CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
 plugins.security.restapi.roles_enabled:
 - "all_access"
 - "security_rest_api_access"
 plugins.security.system_indices.enabled: true
 plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]
 plugins.security.allow_default_init_securityindex: true
 cluster.routing.allocation.disk.threshold_enabled: false
@@ -0,0 +1,10 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 hosts:
  - 1513629884013:
      url: "https://wazuh.manager"
      port: 55000
      username: wazuh-wui
      password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['WAZUH_API_PASSWORD'] }}
      run_as: false
@@ -0,0 +1,19 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 ydl_server:   # youtube-dl-server specific settings
  port: 8080      # Port youtube-dl-server should listen on
  host: 0.0.0.0   # IP youtube-dl-server should bind to
  debug: False    # Enable/Disable debug mode
  metadata_db_path: '/youtube-dl/.ydl-metadata.db' # Path to metadata DB
  output_playlist: '/youtube-dl/%(title)s [%(id)s].%(ext)s' # Playlist output directory template
  update_poll_delay_min: 1440 # Automatically check for updates every 24h
  max_log_entries: 100 # Maximum number of job log history to keep
  forwarded_allow_ips: None # uvicorn Comma seperated list of IPs to trust with proxy headers.
  proxy_headers: True # uvicorn flag Enable/Disable X-Forwarded-Proto, X-Forwarded-For, X-Forwarded-Port to populate remote address info.
 ydl_options:  # youtube-dl options
  output: '/youtube-dl/%(title)s [%(id)s].%(ext)s' # output directory template
  cache-dir: '/youtube-dl/.cache' # youtube-dl cache directory
  ignore-errors: True # instruct youtube-dl to skip errors
  age-limit: 6 # minimal age requirement / parental control setting
@@ -0,0 +1,43 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 # All possible options and their defaults: https://github.com/zitadel/zitadel/blob/main/cmd/defaults.yaml
 Log:
  Level: 'debug'
 # Make ZITADEL accessible over HTTPs, not HTTP
 ExternalSecure: true
 ExternalDomain: 'id.trez.wtf'
 ExternalPort: 443
 # If not using the docker compose example, adjust these values for connecting ZITADEL to your PostgreSQL
 Database:
  postgres:
    Host: 'zitadel-pg-db'
    Port: 5432
    Database: zitadel
    User:
      SSL:
        Mode: 'disable'
    Admin:
      SSL:
        Mode: 'disable'
 DefaultInstance:
  DomainPolicy:
    UserLoginMustBeDomain: false
 LogStore:
  Access:
    Stdout:
      Enabled: true
 SMTPConfiguration:
    # Configuration of the host
    SMTP:
      # must include the port, like smtp.mailtrap.io:2525. IPv6 is also supported, like [2001:db8::1]:2525
      Host: 'postal-smtp:25'
      User: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}
      Password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}
    From: 'noreply@trez.wtf'
    FromName: 'Zitadel @ Rinoa'
@@ -0,0 +1,13 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 # All possible options and their defaults: https://github.com/zitadel/zitadel/blob/main/cmd/setup/steps.yaml
 FirstInstance:
  Org:
    Human:
      # use the loginname root@my-org.my.domain
      Username: 'root'
      Password: 'RootPassword1!'
      Email:
        Address: 'charish.patel@trez.wtf'
        Verified: true
@@ -0,0 +1,13 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 # If not using the docker compose example, adjust these values for connecting ZITADEL to your PostgreSQL
 Database:
  postgres:
    User:
      # If the user doesn't exist already, it is created
      Username: 'zitadel'
      Password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['ZITADEL_DB_PASSWORD'] }}
    Admin:
      Username: 'root'
      Password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['ZITADEL_DB_ADMIN_PASSWORD'] }}
@@ -0,0 +1,4 @@
 ---
 collections:
  - name: community.hashi_vault
    version: 6.2.0
@@ -0,0 +1,20 @@
 ---
 - name: Deploy Docker Service Configurations
  hosts: rinoa
  vars:
    appdata_base_path: "~/.docker/config/appdata"
  tasks:
    - name: Ensure target directories exist
      ansible.builtin.file:
        path: "{{ appdata_base_path }}/{{ (item | basename | regex_replace('\\.j2$', '') | regex_replace('_', '/') | regex_replace('/[^/]+$', '')) }}"
        state: directory
        mode: '0755'
      loop: "{{ query('fileglob', 'app-configs/*.j2') }}"
    - name: Deploy configuration templates
      ansible.builtin.template:
        src: "{{ item }}"
        dest: "{{ appdata_base_path }}/{{ item | basename | regex_replace('\\.j2$', '') | regex_replace('_', '/') }}"
        mode: '0644'
      loop: "{{ query('fileglob', 'app-configs/*.j2') }}"
@@ -0,0 +1,14 @@
 vault_addr: "https://vault.trez.wtf"
 vault_token: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  61383638616263666539386332333638356662623166393234383666366265346537353533653833
  3333313230636166663734356261316132393834613737630a386166376365333862383031343838
  35346338633530636463643165623432353466363230646239656463333263373738663639313136
  3966633235393937350a343337613061616238323238386332363635623932333230323037353136
  66616561613038656462636565656361613065373238613862386235623265396133633034326563
  32663532343137366334366630356232313865666661326337326263613262306637663434646639
  61623030383963623332333135396363643036646461303438643233313136346139343232353535
  39356432623161333661333266333937626364643964333839333934306364373234653761326638
  33396534396163373034666164393039303639643431353662666265666264353062
 vault_token_cleaned: "{{ vault_token | regex_replace('\\n', '') }}"
 secrets_path: "rinoa-docker/env"
@@ -0,0 +1,13 @@
 rinoa:
        ansible_host: 192.168.1.254
        ansible_python_interpreter: /usr/bin/python3
        ansible_ssh_port: 22
        ansible_ssh_user: charish
        ansible_ssh_pass: !vault |
                $ANSIBLE_VAULT;1.1;AES256
                38346631616139316365316566386362396661323163306339303635646331373061323531626431
                3435373031363739356261656239633835393963636663370a613166653463656337666366633639
                37373637326633363430633336646165343764303063663636313835326130663532323037663331
                6332353339656134370a353435396532663932313535646636333262353238386331313764633635
                63383065623930653134666261353439366535646661383434386261393232373432353937636535
                3432336137393737643735346665303832653630316439333565
@@ -0,0 +1,12 @@
 ---
 all:
  hosts:
    benedikta:
      ansible_host: 192.168.1.241
      ansible_user: charish
    rikku:
      ansible_host: 192.168.1.253
      ansible_user: pi
    rinoa:
      ansible_host: 192.168.1.254
      ansible_user: charish
@@ -0,0 +1,7 @@
 $ANSIBLE_VAULT;1.1;AES256
 65353131326537376561616630666531353731653835306564323565383332653437633533313932
 6239663065306339366536326432323534303364663862350a353034623936363066303164333434
 32666331326332363463383234316136323031626330366132643034376439616339396662636236
 3633393039376438630a326138653031656465373966356564336463643465613638313838393166
 36626366356266636535613862333631386231626134376264363731353264613261633037646662
 6431393837653564366531316332616232336365636533643036
@@ -1,842 +0,0 @@
 # Global Settings
 COMPOSE_HTTP_TIMEOUT=''
 DOCKER_GID=''
 DOCKER_HOSTNAME=''
 DOCKER_VOLUME_CONFIG=''
 DOCKER_VOLUME_STORAGE=''
 PGID=''
 PUID=''
 TZ=''
 MY_TLD=''
 # END OF DEFAULT SETTINGS
 ##
 ## ADDY
 ##
 ADDY_ANONADDY_ADDITIONAL_USERNAME_LIMIT=''
 ADDY_ANONADDY_ADMIN_USERNAME=''
 ADDY_ANONADDY_ALL_DOMAINS=''
 ADDY_ANONADDY_BANDWIDTH_LIMIT=''
 ADDY_ANONADDY_DKIM_SELECTOR=''
 ADDY_ANONADDY_DKIM_SIGNING_KEY=''
 ADDY_ANONADDY_DNS_RESOLVER=''
 ADDY_ANONADDY_DOMAIN=''
 ADDY_ANONADDY_HOSTNAME=''
 ADDY_ANONADDY_LIMIT=''
 ADDY_ANONADDY_NEW_ALIAS_LIMIT=''
 ADDY_ANONADDY_RETURN_PATH=''
 ADDY_ANONADDY_SECRET=''
 ADDY_ANONADDY_SIGNING_KEY_FINGERPRINT=''
 ADDY_APP_KEY=''
 ADDY_APP_URL=''
 ADDY_DB_PASSWORD=''
 ADDY_MAIL_ENCRYPTION=''
 ADDY_MAIL_FROM_ADDRESS=''
 ADDY_MAIL_FROM_NAME=''
 ADDY_POSTFIX_DEBUG=''
 ADDY_POSTFIX_MESSAGE_SIZE_LIMIT=''
 ADDY_POSTFIX_RELAYHOST=''
 ADDY_POSTFIX_RELAYHOST_AUTH_ENABLE=''
 ADDY_POSTFIX_SMTPD_TLS_CERT_FILE=''
 ADDY_POSTFIX_SMTPD_TLS_KEY_FILE=''
 ADDY_POSTFIX_SPAMHAUS_DQS_KEY=''
 ADDY_REDIS_PASSWORD=''
 ADDY_RSPAMD_NO_LOCAL_ADDRS=''
 ADDY_RSPAMD_WEB_PASSWORD=''
 ##
 ## ADGUARD
 ##
 ADGUARD_CONTAINER_NAME=''
 ADGUARD_ENABLED=''
 ADGUARD_ENVIRONMENT_SERVERIP=''
 ADGUARD_NETWORK_MODE=''
 ADGUARD_PORT_3000=''
 ADGUARD_PORT_443=''
 ADGUARD_PORT_53=''
 ADGUARD_PORT_67=''
 ADGUARD_PORT_68=''
 ADGUARD_PORT_80=''
 ADGUARD_PORT_853=''
 ADGUARD_RESTART=''
 ADGUARD_TAG=''
 ##
 ## ADGUARD
 ##
 ADGUARD_CF_TUNNEL_PASSWORD=''
 ADGUARD_PASSWORD=''
 ##
 ## ANYTHINGLLM
 ##
 ANYTHINGLLM_JWT_SECRET=''
 ##
 ## APPRISE
 ##
 APPRISE_CONTAINER_NAME=''
 APPRISE_ENABLED=''
 APPRISE_NETWORK_MODE=''
 APPRISE_PORT_8000=''
 APPRISE_RESTART=''
 APPRISE_TAG=''
 ##
 ## AUDIOBOOKSHELF
 ##
 AUDIOBOOKSHELF_CONTAINER_NAME=''
 AUDIOBOOKSHELF_ENABLED=''
 AUDIOBOOKSHELF_NETWORK_MODE=''
 AUDIOBOOKSHELF_PORT_80=''
 AUDIOBOOKSHELF_RESTART=''
 AUDIOBOOKSHELF_TAG=''
 ##
 ## AUDIOBOOKSHELF
 ##
 AUDIOBOOKSHELF_ROOT_API_KEY=''
 ##
 ## AUTHELIA
 ##
 AUTHELIA_AUTH_BIND_LDAP_PASSWORD=''
 AUTHELIA_JWT_SECRET=''
 AUTHELIA_SESSION_SECRET=''
 AUTHELIA_STORAGE_ENCRYPTION_KEY=''
 AUTHELIA_STORAGE_POSTGRES_PASSWORD=''
 ##
 ## BAZARR
 ##
 BAZARR_CONTAINER_NAME=''
 BAZARR_ENABLED=''
 BAZARR_NETWORK_MODE=''
 BAZARR_PORT_6767=''
 BAZARR_RESTART=''
 BAZARR_TAG=''
 BAZARR_API_KEY=''
 ##
 ## BITMAGNET
 ##
 BITMAGNET_POSTGRESQL_PASSWORD=''
 ##
 ## BITWARDEN
 ##
 BITWARDEN_CONTAINER_NAME=''
 BITWARDEN_ENABLED=''
 BITWARDEN_ENVIRONMENT_ADMIN_TOKEN=''
 BITWARDEN_ENVIRONMENT_DATABASE_URL=''
 BITWARDEN_ENVIRONMENT_DISABLE_ADMIN_TOKEN=''
 BITWARDEN_ENVIRONMENT_DOMAIN=''
 BITWARDEN_ENVIRONMENT_ENABLE_DB_WAL=''
 BITWARDEN_ENVIRONMENT_INVITATIONS_ALLOWED=''
 BITWARDEN_ENVIRONMENT_SHOW_PASSWORD_HINT=''
 BITWARDEN_ENVIRONMENT_SIGNUPS_ALLOWED=''
 BITWARDEN_ENVIRONMENT_SIGNUPS_VERIFY=''
 BITWARDEN_ENVIRONMENT_WEBSOCKET_ENABLE=''
 BITWARDEN_NETWORK_MODE=''
 BITWARDEN_PORT_3012=''
 BITWARDEN_PORT_80=''
 BITWARDEN_RESTART=''
 BITWARDEN_TAG=''
 ##
 ## CHROMIUM
 ##
 CHROMIUM_TOKEN=''
 ##
 ## CLOUDFLARE
 ##
 CLOUDFLARE_ACCOUNT_ID=''
 CLOUDFLARE_DNS_API_TOKEN=''
 CLOUDFLARE_ZONE_ID=''
 ##
 ## CLOUDFLAREDDNS
 ##
 CLOUDFLAREDDNS_CONTAINER_NAME=''
 CLOUDFLAREDDNS_ENABLED=''
 CLOUDFLAREDDNS_ENVIRONMENT_APIKEY=''
 CLOUDFLAREDDNS_ENVIRONMENT_APITOKEN=''
 CLOUDFLAREDDNS_ENVIRONMENT_ARGS=''
 CLOUDFLAREDDNS_ENVIRONMENT_DETECTION_MODE=''
 CLOUDFLAREDDNS_ENVIRONMENT_HOSTS=''
 CLOUDFLAREDDNS_ENVIRONMENT_INTERVAL=''
 CLOUDFLAREDDNS_ENVIRONMENT_LOG_LEVEL=''
 CLOUDFLAREDDNS_ENVIRONMENT_RECORDTYPES=''
 CLOUDFLAREDDNS_ENVIRONMENT_USER=''
 CLOUDFLAREDDNS_ENVIRONMENT_ZONES=''
 CLOUDFLAREDDNS_RESTART=''
 CLOUDFLAREDDNS_TAG=''
 ##
 ## CROWDSEC
 ##
 CROWDSEC_API_KEY=''
 CROWDSEC_LOCAL_API_KEY=''
 ##
 ## DELUGEVPN
 ##
 DELUGEVPN_CONTAINER_NAME=''
 DELUGEVPN_ENABLED=''
 DELUGEVPN_ENVIRONMENT_ENABLE_PRIVOXY=''
 DELUGEVPN_ENVIRONMENT_LAN_NETWORK=''
 DELUGEVPN_ENVIRONMENT_NAME_SERVERS=''
 DELUGEVPN_ENVIRONMENT_VPN_CLIENT=''
 DELUGEVPN_ENVIRONMENT_VPN_ENABLE=''
 DELUGEVPN_ENVIRONMENT_VPN_INPUT_PORTS=''
 DELUGEVPN_ENVIRONMENT_VPN_OPTIONS=''
 DELUGEVPN_ENVIRONMENT_VPN_OUTPUT_PORTS=''
 DELUGEVPN_ENVIRONMENT_VPN_PASS=''
 DELUGEVPN_ENVIRONMENT_VPN_PROV=''
 DELUGEVPN_ENVIRONMENT_VPN_USER=''
 DELUGEVPN_NETWORK_MODE=''
 DELUGEVPN_PORT_58846=''
 DELUGEVPN_PORT_58946=''
 DELUGEVPN_PORT_8112=''
 DELUGEVPN_PORT_8118=''
 DELUGEVPN_RESTART=''
 DELUGEVPN_TAG=''
 ##
 ## DELUGEVPN
 ##
 DELUGEVPN_PASSWORD=''
 DELUGEVPN_PORT_51413=''
 DELUGEVPN_PORT_6881=''
 ##
 ## DUPLICATI
 ##
 DUPLICATI_CONTAINER_NAME=''
 DUPLICATI_ENABLED=''
 DUPLICATI_NETWORK_MODE=''
 DUPLICATI_PORT_8200=''
 DUPLICATI_RESTART=''
 DUPLICATI_TAG=''
 DUPLICATI_VOLUME_BACKUPSDIR=''
 DUPLICATI_VOLUME_SOURCEDIR=''
 ##
 ## DUPLICATI
 ##
 DUPLICATI_CF_TUNNEL_PASSWORD=''
 ##
 ## EMBY
 ##
 EMBY_CONTAINER_NAME=''
 EMBY_ENABLED=''
 EMBY_NETWORK_MODE=''
 EMBY_PORT_8096=''
 EMBY_PORT_8920=''
 EMBY_RESTART=''
 EMBY_TAG=''
 EMBY_VOLUME_TRANSCODEDIR=''
 ##
 ## EMBY
 ##
 EMBY_HOMEPAGE_API_KEY=''
 ##
 ## FLARESOLVERR
 ##
 FLARESOLVERR_CONTAINER_NAME=''
 FLARESOLVERR_ENABLED=''
 FLARESOLVERR_ENVIRONMENT_CAPTCHA_SOLVER=''
 FLARESOLVERR_ENVIRONMENT_LOG_HTML=''
 FLARESOLVERR_ENVIRONMENT_LOG_LEVEL=''
 FLARESOLVERR_NETWORK_MODE=''
 FLARESOLVERR_PORT_8191=''
 FLARESOLVERR_RESTART=''
 FLARESOLVERR_TAG=''
 ##
 ## GHOST
 ##
 GHOST_DB_PASSWORD=''
 GHOST_DB_USER=''
 ##
 ## GITEA
 ##
 GITEA_HOMEPAGE_API_KEY=''
 GITEA_PG_DB_PASSWORD=''
 GITEA_RUNNER_REGISTRATION_TOKEN=''
 ##
 ## GLUETUN
 ##
 GLUETUN_SERVER_REGIONS=''
 ##
 ## GOTIFY
 ##
 GOTIFY_HOMEPAGE_CLIENT_KEY=''
 GOTIFY_PASSWORD=''
 ##
 ## GRAFANA
 ##
 GRAFANA_CONTAINER_NAME=''
 GRAFANA_ENABLED=''
 GRAFANA_ENVIRONMENT_GF_INSTALL_PLUGINS=''
 GRAFANA_NETWORK_MODE=''
 GRAFANA_PORT_3000=''
 GRAFANA_RESTART=''
 GRAFANA_TAG=''
 ##
 ## GRAFANA
 ##
 GRAFANA_ADMIN_PASSWORD=''
 GRAFANA_MIMIR_HTTP_AUTH_PASSWORD=''
 ##
 ## GUID
 ##
 GUID=''
 ##
 ## HORTUSFOX
 ##
 HORTUSFOX_ADMIN_PASSWORD=''
 HORTUSFOX_DB_PASSWORD=''
 ##
 ## HUGINN
 ##
 HUGINN_CONTAINER_NAME=''
 HUGINN_ENABLED=''
 HUGINN_ENVIRONMENT_DATABASE_HOST=''
 HUGINN_ENVIRONMENT_DATABASE_NAME=''
 HUGINN_ENVIRONMENT_DATABASE_PASSWORD=''
 HUGINN_ENVIRONMENT_DATABASE_PORT=''
 HUGINN_ENVIRONMENT_DATABASE_USERNAME=''
 HUGINN_NETWORK_MODE=''
 HUGINN_PORT_3000=''
 HUGINN_RESTART=''
 HUGINN_TAG=''
 ##
 ## IN
 ##
 IN_APP_KEY=''
 IN_MYSQL_PASSWORD=''
 IN_PASSWORD=''
 ##
 ## JAN
 ##
 JAN_AI_S3_ACCESS_KEY=''
 JAN_AI_S3_SECRET_KEY=''
 ##
 ## JITSI
 ##
 JITSI__ADMIN_DB_PASSWORD=''
 JITSI__ADMIN_JWT_SECRET=''
 JITSI__ETHERPAD_DEFAULT_PAD_TEXT=''
 JITSI__ETHERPAD_SKIN_NAME=''
 JITSI__ETHERPAD_SKIN_VARIANTS=''
 JITSI__ETHERPAD_TITLE=''
 JITSI__ETHERPAD_URL_BASE=''
 JITSI__HTTP_PORT=''
 JITSI__HTTPS_PORT=''
 JITSI__JIBRI_RECORDER_PASSWORD=''
 JITSI__JIBRI_XMPP_PASSWORD=''
 JITSI__JICOFO_AUTH_PASSWORD=''
 JITSI__JIGAGI_SIP_PASSWORD=''
 JITSI__JIGAGI_SIP_PORT=''
 JITSI__JIGAGI_SIP_SERVER=''
 JITSI__JIGAGI_SIP_TRANSPORT=''
 JITSI__JIGAGI_SIP_URI=''
 JITSI__JIGASI_XMPP_PASSWORD=''
 JITSI__JVB_AUTH_PASSWORD=''
 JITSI__PUBLIC_URL=''
 JITSI__SIP_URI=''
 JITSI__TZ=''
 JITSI__WEBSOCKET_SECRET=''
 ##
 ## JOPLIN
 ##
 JOPLIN_APP_BASE_URL=''
 JOPLIN_APP_PORT=''
 JOPLIN_POSTGRES_DATABASE=''
 JOPLIN_POSTGRES_PASSWORD=''
 JOPLIN_POSTGRES_PORT=''
 JOPLIN_POSTGRES_USER=''
 JOPLIN_S3_ACCESS_KEY=''
 JOPLIN_S3_SECRET_KEY=''
 ##
 ## KEYCLOAK
 ##
 KEYCLOAK_ADMIN_PASSWORD=''
 ##
 ## LAN
 ##
 LAN_NETWORK=''
 ##
 ## LASTFM
 ##
 LASTFM_API_KEY=''
 LASTFM_API_SECRET=''
 LASTFM_PASSWORD=''
 LASTFM_USERNAME=''
 ##
 ## LIBRESPEED
 ##
 LIBRESPEED_CONTAINER_NAME=''
 LIBRESPEED_ENABLED=''
 LIBRESPEED_ENVIRONMENT_DB_HOSTNAME=''
 LIBRESPEED_ENVIRONMENT_DB_NAME=''
 LIBRESPEED_ENVIRONMENT_DB_PASSWORD=''
 LIBRESPEED_ENVIRONMENT_DB_TYPE=''
 LIBRESPEED_ENVIRONMENT_DB_USERNAME=''
 LIBRESPEED_ENVIRONMENT_PASSWORD=''
 LIBRESPEED_NETWORK_MODE=''
 LIBRESPEED_PORT_80=''
 LIBRESPEED_RESTART=''
 LIBRESPEED_TAG=''
 ##
 ## LIDARR
 ##
 LIDARR_CONTAINER_NAME=''
 LIDARR_ENABLED=''
 LIDARR_NETWORK_MODE=''
 LIDARR_PORT_8686=''
 LIDARR_RESTART=''
 LIDARR_TAG=''
 ##
 ## LIDARR
 ##
 LIDARR_API_KEY=''
 ##
 ## LLDAP
 ##
 LLDAP_JWT_SECRET=''
 LLDAP_KEY_SEED=''
 ##
 ## LOCALAI
 ##
 LOCALAI_API_KEY=''
 ##
 ## MALOJA
 ##
 MALOJA_FORCE_PASSWORD=''
 ##
 ## MARIADB
 ##
 MARIADB_CONTAINER_NAME=''
 MARIADB_ENABLED=''
 MARIADB_ENVIRONMENT_MYSQL_ROOT_PASSWORD=''
 MARIADB_NETWORK_MODE=''
 MARIADB_PORT_3306=''
 MARIADB_RESTART=''
 MARIADB_TAG=''
 ##
 ## MATTERMOST
 ##
 MATTERMOST_AWS_S3_ACCESSKEY=''
 MATTERMOST_AWS_S3_SECRETKEY=''
 MATTERMOST_POSTGRES_CONNECTION_URI=''
 MATTERMOST_POSTGRES_PASSWORD=''
 ##
 ## MAYBE
 ##
 MAYBE_POSTGRES_PASSWORD=''
 MAYBE_SECRET_KEY_BASE=''
 ##
 ## MEDUSAJS
 ##
 MEDUSAJS_COOKIE_SECRET=''
 MEDUSAJS_JWT_TOKEN=''
 MEDUSAJS_POSTGRES_PASSWORD=''
 MEDUSAJS_S3_ACCESS_KEY=''
 MEDUSAJS_S3_SECRET_KEY=''
 ##
 ## MINIO
 ##
 MINIO_MIMIR_STORAGE_ACCESS_KEY=''
 MINIO_MIMIR_STORAGE_SECRET_KEY=''
 MINIO_ROOT_PASSWORD=''
 ##
 ## MONGO
 ##
 MONGO_INITDB_ROOT_PASSWORD=''
 MONGO_INITDB_ROOT_USERNAME=''
 ##
 ## NAVIDROME
 ##
 NAVIDROME_PASSWORD=''
 NAVIDROME_USERNAME=''
 ##
 ## NEXTCLOUD
 ##
 NEXTCLOUD_CONTAINER_NAME=''
 NEXTCLOUD_ENABLED=''
 NEXTCLOUD_NETWORK_MODE=''
 NEXTCLOUD_PORT_443=''
 NEXTCLOUD_RESTART=''
 NEXTCLOUD_TAG=''
 NEXTCLOUD_VOLUME_DATADIR=''
 ##
 ## OMBI
 ##
 OMBI_CONTAINER_NAME=''
 OMBI_ENABLED=''
 OMBI_NETWORK_MODE=''
 OMBI_PORT_3579=''
 OMBI_RESTART=''
 OMBI_TAG=''
 OMBI_API_KEY=''
 ##
 ## OPENGIST
 ##
 OPENGIST_GITEA_CLIENT_KEY=''
 OPENGIST_GITEA_SECRET=''
 ##
 ## PAPERLESS
 ##
 PAPERLESS_DBPASS=''
 PAPERLESS_SECRET_KEY=''
 ##
 ## PLAUSIBLE
 ##
 PLAUSIBLE_PG_PASSWORD=''
 PLAUSIBLE_SECRET_KEY_BASE=''
 PLAUSIBLE_TOTP_VAULT_KEY=''
 ##
 ## PODINDEX
 ##
 PODINDEX_API_KEY=''
 PODINDEX_API_SECRET=''
 ##
 ## PORTAINER
 ##
 PORTAINER_CONTAINER_NAME=''
 PORTAINER_ENABLED=''
 PORTAINER_NETWORK_MODE=''
 PORTAINER_PORT_9000=''
 PORTAINER_RESTART=''
 PORTAINER_TAG=''
 PORTAINER_VOLUME_DOCKER_SOCKET=''
 PORTAINER_API_KEY=''
 ##
 ## POSTAL
 ##
 POSTAL_MYSQL_PASSWORD=''
 POSTAL_SMTP_AUTH_PASSWORD=''
 POSTAL_SMTP_AUTH_USER=''
 ##
 ## POSTGRES
 ##
 POSTGRES_HOST=''
 POSTGRES_PASSWORD=''
 POSTGRES_USER=''
 ##
 ## PROWLARR
 ##
 PROWLARR_CONTAINER_NAME=''
 PROWLARR_ENABLED=''
 PROWLARR_NETWORK_MODE=''
 PROWLARR_PORT_9696=''
 PROWLARR_RESTART=''
 PROWLARR_TAG=''
 PROWLARR_API_KEY=''
 ##
 ## RADARR
 ##
 RADARR_CONTAINER_NAME=''
 RADARR_ENABLED=''
 RADARR_NETWORK_MODE=''
 RADARR_PORT_7878=''
 RADARR_RESTART=''
 RADARR_TAG=''
 ##
 ## RADARR
 ##
 RADARR_API_KEY=''
 ##
 ## REACTIVE
 ##
 REACTIVE_RESUME_ACCESS_TOKEN_SECRET=''
 REACTIVE_RESUME_PGSQL_PASSWORD=''
 REACTIVE_RESUME_REFRESH_TOKEN_SECRET=''
 REACTIVE_RESUME_S3_ACCESS_KEY=''
 REACTIVE_RESUME_S3_SECRET_KEY=''
 ##
 ## READARR
 ##
 READARR_CONTAINER_NAME=''
 READARR_ENABLED=''
 READARR_NETWORK_MODE=''
 READARR_PORT_8787=''
 READARR_RESTART=''
 READARR_TAG=''
 READARR_API_KEY=''
 ##
 ## REMMINA
 ##
 REMMINA_CF_TUNNEL_ID=''
 REMMINA_CF_TUNNEL_PASSWORD=''
 REMMINA_USER_PASSWORD=''
 ##
 ## RUSTDESK
 ##
 RUSTDESK_CUSTOM_PASSWORD=''
 ##
 ## SABNZBDVPN
 ##
 SABNZBDVPN_CONTAINER_NAME=''
 SABNZBDVPN_ENABLED=''
 SABNZBDVPN_ENVIRONMENT_ENABLE_PRIVOXY=''
 SABNZBDVPN_ENVIRONMENT_LAN_NETWORK=''
 SABNZBDVPN_ENVIRONMENT_NAME_SERVERS=''
 SABNZBDVPN_ENVIRONMENT_VPN_CLIENT=''
 SABNZBDVPN_ENVIRONMENT_VPN_ENABLE=''
 SABNZBDVPN_ENVIRONMENT_VPN_INPUT_PORTS=''
 SABNZBDVPN_ENVIRONMENT_VPN_OPTIONS=''
 SABNZBDVPN_ENVIRONMENT_VPN_OUTPUT_PORTS=''
 SABNZBDVPN_ENVIRONMENT_VPN_PASS=''
 SABNZBDVPN_ENVIRONMENT_VPN_PROV=''
 SABNZBDVPN_ENVIRONMENT_VPN_USER=''
 SABNZBDVPN_NETWORK_MODE=''
 SABNZBDVPN_PORT_8080=''
 SABNZBDVPN_PORT_8090=''
 SABNZBDVPN_PORT_8118=''
 SABNZBDVPN_RESTART=''
 SABNZBDVPN_TAG=''
 SABNZBDVPN_API_KEY=''
 ##
 ## SCRAPERR
 ##
 SCRAPERR_SECRET_KEY=''
 ##
 ## SCRUTINY
 ##
 SCRUTINY_CF_TUNNEL_PASSWORD=''
 ##
 ## SEARXNG
 ##
 SEARXNG_BASE_URL=''
 ##
 ## SLSKD
 ##
 SLSKD_PASSWORD=''
 ##
 ## SONARQUBE
 ##
 SONARQUBE_POSTGRES_PASSWORD=''
 SONARQUBE_LDAP_BIND_PASSWORD=''
 ##
 ## SONARR
 ##
 SONARR_CONTAINER_NAME=''
 SONARR_ENABLED=''
 SONARR_NETWORK_MODE=''
 SONARR_PORT_8989=''
 SONARR_RESTART=''
 SONARR_TAG=''
 SONARR_API_KEY=''
 ##
 ## SWAG
 ##
 SWAG_CONTAINER_NAME=''
 SWAG_ENABLED=''
 SWAG_ENVIRONMENT_DNSPLUGIN=''
 SWAG_ENVIRONMENT_EMAIL=''
 SWAG_ENVIRONMENT_EXTRA_DOMAINS=''
 SWAG_ENVIRONMENT_ONLY_SUBDOMAINS=''
 SWAG_ENVIRONMENT_SUBDOMAINS=''
 SWAG_ENVIRONMENT_URL=''
 SWAG_ENVIRONMENT_VALIDATION=''
 SWAG_NETWORK_MODE=''
 SWAG_PORT_443=''
 SWAG_PORT_80=''
 SWAG_RESTART=''
 SWAG_TAG=''
 ##
 ## SWAG
 ##
 SWAG_CF_TUNNEL_ID=''
 SWAG_CF_TUNNEL_PASSWORD=''
 SWAG_DUCKDNSTOKEN=''
 SWAG_MAXMINDDB_LICENSE_KEY=''
 ##
 ## TANDOOR
 ##
 TANDOOR_API_TOKEN=''
 TANDOOR_POSTGRES_PASSWORD=''
 TANDOOR_SECRET_KEY=''
 ##
 ## TMDB
 ##
 TMDB_API_KEY=''
 ##
 ## TRACCAR
 ##
 TRACCAR_POSTGRES_DATABASE=''
 TRACCAR_POSTGRES_PASSWORD=''
 TRACCAR_POSTGRES_USER=''
 ##
 ## UPTIME
 ##
 UPTIME_KUMA_PASSWORD=''
 UPTIME_KUMA_USERNAME=''
 ##
 ## UPTIMEKUMA
 ##
 UPTIMEKUMA_CONTAINER_NAME=''
 UPTIMEKUMA_ENABLED=''
 UPTIMEKUMA_NETWORK_MODE=''
 UPTIMEKUMA_PORT_3001=''
 UPTIMEKUMA_RESTART=''
 UPTIMEKUMA_TAG=''
 ##
 ## VAULT
 ##
 VAULT_HASHICORP_AWS_ACCESS_KEY_ID=''
 VAULT_HASHICORP_AWS_SECRET_ACCESS_KEY=''
 ##
 ## VIRUS
 ##
 VIRUS_TOTAL_API_KEY=''
 ##
 ## WALLABAG
 ##
 WALLABAG_DB=''
 WALLABAG_DB_PASSWORD=''
 ##
 ## WATCHTOWER
 ##
 WATCHTOWER_CONTAINER_NAME=''
 WATCHTOWER_ENABLED=''
 WATCHTOWER_ENVIRONMENT_CLEANUP=''
 WATCHTOWER_ENVIRONMENT_INCLUDE_STOPPED=''
 WATCHTOWER_ENVIRONMENT_MONITOR_ONLY=''
 WATCHTOWER_ENVIRONMENT_NOTIFICATION_TEMPLATE=''
 WATCHTOWER_ENVIRONMENT_NOTIFICATION_URL=''
 WATCHTOWER_ENVIRONMENT_NOTIFICATIONS=''
 WATCHTOWER_ENVIRONMENT_NOTIFICATIONS_LEVEL=''
 WATCHTOWER_ENVIRONMENT_REPO_PASS=''
 WATCHTOWER_ENVIRONMENT_REPO_USER=''
 WATCHTOWER_ENVIRONMENT_SCHEDULE=''
 WATCHTOWER_ENVIRONMENT_TIMEOUT=''
 WATCHTOWER_NETWORK_MODE=''
 WATCHTOWER_RESTART=''
 WATCHTOWER_TAG=''
 WATCHTOWER_VOLUME_DOCKER_SOCKET=''
 ##
 ## WATCHTOWER
 ##
 WATCHTOWER_HTTP_API_TOKEN=''
 WATCHTOWER_NOTIFICATION_GOTIFY_TLS_SKIP_VERIFY=''
 WATCHTOWER_NOTIFICATION_GOTIFY_TOKEN=''
 WATCHTOWER_NOTIFICATION_GOTIFY_URL=''
 ##
 ## WAZUH
 ##
 WAZUH_API_PASSWORD=''
 WAZUH_INDEXER_PASSWORD=''
 WAZUH_KIBANA_PASSWORD=''
 WAZUH_VERSION=''
 ##
 ## YOUR
 ##
 YOUR_SPOTIFY_ID=''
 YOUR_SPOTIFY_PORT_443=''
 YOUR_SPOTIFY_PORT_80=''
 YOUR_SPOTIFY_SECRET=''
 ##
 ## YOUTUBEDL
 ##
 YOUTUBEDL_CONTAINER_NAME=''
 YOUTUBEDL_ENABLED=''
 YOUTUBEDL_ENVIRONMENT_CONFIG_PATH=''
 YOUTUBEDL_ENVIRONMENT_DEBUG=''
 YOUTUBEDL_NETWORK_MODE=''
 YOUTUBEDL_PORT_8080=''
 YOUTUBEDL_RESTART=''
 YOUTUBEDL_TAG=''
 ##
 ## ZAMMAD
 ##
 ZAMMAD_ELASTICSEARCH_VERSION=''
 ZAMMAD_IMAGE_REPO=''
 ZAMMAD_MEMCACHE_SERVERS=''
 ZAMMAD_MEMCACHE_VERSION=''
 ZAMMAD_POSTGRES_DB=''
 ZAMMAD_POSTGRES_HOST=''
 ZAMMAD_POSTGRES_PASS=''
 ZAMMAD_POSTGRES_PORT=''
 ZAMMAD_POSTGRES_USER=''
 ZAMMAD_POSTGRES_VERSION=''
 ZAMMAD_POSTGRESQL_OPTIONS=''
 ZAMMAD_REDIS_URL=''
 ZAMMAD_REDIS_VERSION=''
 ZAMMAD_RESTART=''
 ZAMMAD_S3_ACCESS_KEY=''
 ZAMMAD_S3_SECRET_KEY=''
 ZAMMAD_VERSION=''
@@ -1,2 +0,0 @@
 sonar.projectKey=rinoa-docker
 sonar.analysis.sqbot=
		`@@ -1,2 +0,0 @@`
			`sonar.projectKey=rinoa-docker`
			`sonar.analysis.sqbot=`