Merge remote-tracking branch 'refs/remotes/origin/ansible-dry-fixes_5-20-25' into ansible-dry-fixes_5-20-25

Renaming Grafana alloy config.
2025-05-26 09:13:29 -04:00 · 2025-05-26 09:12:02 -04:00 · 2025-05-26 09:12:02 -04:00 · 2025-05-26 09:12:02 -04:00 · 2025-05-26 09:12:02 -04:00 · 2025-05-26 09:12:02 -04:00
54 changed files with 663 additions and 2277 deletions
@@ -1,12 +1,12 @@
 name: Gitea Branch PR & Ansible Deployment
 on:
-  workflow_dispatch:
  push:
    branches-ignore:
      - 'main'
    paths:
      - '**.j2'
      - 'ansible/**.yml'
+
 jobs:
  check-and-create-pr:
    if: github.ref != 'refs/heads/main'
@@ -58,7 +58,7 @@ jobs:
          notification_title: 'GITEA: PR Check'
          notification_message: 'PR Created 🎟️'
  ansible-linting:
-    name: Docker Compose & Ansible Lints
+    name: Ansible Linting
    needs: [check-and-create-pr]
    runs-on: ubuntu-latest
    env:
@@ -71,13 +71,13 @@ jobs:
      - name: Fetch base branch
        run: |
          git fetch origin ${{ github.event.pull_request.base.ref }}
-      - name: Cache Ansible Galaxy Collections
-        uses: actions/cache@v3
-        with:
-          path: ansible/collections
-          key: ${{ runner.os }}-ansible-${{ hashFiles('./ansible/collections/requirements.yml') }}
-          restore-keys: |
-            ${{ runner.os }}-ansible-
+      # - name: Cache Ansible Galaxy Collections
+      #   uses: actions/cache@v3
+      #   with:
+      #     path: ansible/collections
+      #     key: ${{ runner.os }}-ansible-${{ hashFiles('./ansible/collections/requirements.yml') }}
+      #     restore-keys: |
+      #       ${{ runner.os }}-ansible-
      - name: Install Ansible
        uses: alex-oleshkevich/setup-ansible@v1.0.1
        with:
@@ -113,7 +113,7 @@ jobs:
          notification_message: 'Docker Compose dry run completed successfully.'
  pr-merge:
    name: PR Merge
-    needs: [regenerate-readme-modified-services]
+    needs: [ansible-linting]
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
@@ -141,7 +141,7 @@ jobs:
          notification_title: 'GITEA: PR Merge Successful'
          notification_message: 'PR #${{ steps.pr_merge.outputs.pr_index }} merged.'
  ansible-config-deploy:
-    name: Ansible Config Deployment
+    name: Ansible Playbook Run (Service Configs)
    runs-on: ubuntu-latest
    needs: [pr-merge]
    env:
@@ -174,7 +174,7 @@ jobs:
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: Ansible Config Deployment @ Rinoa'
          notification_message: 'Starting config deployment with Ansible...'
-      - name: Ansible Playbook Config Deploy
+      - name: Ansible Playbook Dry Run
        uses: arillso/action.playbook@0.1.0
        with:
          check: false
@@ -1,12 +1,10 @@
 name: Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment
 on:
-  workflow_dispatch:
  push:
    branches-ignore:
      - 'main'
    paths:
      - '**/docker-compose.yml'
-      - '**/pr-cloudflare-docker-deploy.yml'
      - '!ansible/**.yml'
 jobs:
  check-and-create-pr:
@@ -66,7 +64,6 @@ jobs:
      VAULT_ADDR: ${{ secrets.RINOA_VAULT_ADDR }}
      VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
      VAULT_NAMESPACE: ""
-      RINOA_REGISTRY_PASSWORD: ${{ secrets.BOT_GITEA_PASSWORD }}
    outputs:
      svc_deploy_list: ${{ steps.modded_svcs.outputs.rinoa_svcs }}
    steps:
@@ -75,9 +72,6 @@ jobs:
      - name: Fetch base branch
        run: |
          git fetch origin ${{ github.event.pull_request.base.ref }}
-      - name: Login to Gitea Container Registry
-        run: |
-          docker login -u gitea-sonarqube-bot -p ${RINOA_REGISTRY_PASSWORD} git.trez.wtf
      - name: Save both versions of docker-compose.yml
        run: |
          git show origin/main:docker-compose.yml > docker-compose-main.yml || touch docker-compose-main.yml
@@ -301,7 +295,6 @@ jobs:
      VAULT_ADDR: ${{ secrets.RINOA_VAULT_ADDR }}
      VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
      DOCKER_HOST: tcp://dockerproxy:2375
-      RINOA_REGISTRY_PASSWORD: ${{ secrets.BOT_GITEA_PASSWORD }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
@@ -320,8 +313,11 @@ jobs:
      - name: Install Vault
        uses: cpanato/vault-installer@main
      - name: Login to Gitea Container Registry
-        run: |
-          docker login -u gitea-sonarqube-bot -p ${RINOA_REGISTRY_PASSWORD} git.trez.wtf
+        uses: docker/login-action@v3
+        with:
+          registry: https://git.trez.wtf
+          username: gitea-sonarqube-bot
+          password: ${{ secrets.BOT_GITEA_TOKEN }}
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
@@ -31,13 +31,11 @@
 | dawarich-sidekiq | freikin/dawarich:latest |
 | dead-man-hand | ghcr.io/bkupidura/dead-man-hand:latest |
 | docker-socket-proxy | ghcr.io/tecnativa/docker-socket-proxy:latest |
-| dockflare | alplat/dockflare:stable |
 | duplicati | lscr.io/linuxserver/duplicati:latest |
 | excalidraw | excalidraw/excalidraw:latest |
 | explo | ghcr.io/lumepart/explo:latest |
 | fastenhealth | ghcr.io/fastenhealth/fasten-onprem:main |
 | flaresolverr | ghcr.io/flaresolverr/flaresolverr:latest |
-| freescout | tiredofit/freescout:latest |
 | ghost | ghost:latest |
 | gitea | gitea/gitea:1.23.1 |
 | gitea-db | postgres:14 |
@@ -87,11 +85,8 @@
 | mariadb | linuxserver/mariadb |
 | mastodon | lscr.io/linuxserver/mastodon:latest |
 | mastodon-pg-db | postgres:17-alpine |
-| maxun-backend | getmaxun/maxun-backend:latest |
-| maxun-frontend | getmaxun/maxun-frontend:latest |
-| maxun-pg-db | postgres:13-alpine |
 | meilisearch | getmeili/meilisearch:v1.12.3 |
-| minio | minio/minio:RELEASE.2025-04-22T22-12-26Z |
+| minio | minio/minio |
 | mixpost | inovector/mixpost:latest |
 | mongodb | bitnami/mongodb:7.0 |
 | multi-scrobbler | foxxmd/multi-scrobbler |
@@ -127,16 +122,11 @@
 | romm | rommapp/romm:latest |
 | sabnzbdvpn | ghcr.io/binhex/arch-sabnzbdvpn:latest |
 | sablier | sablierapp/sablier:latest |
+| scraperr | jpyles0524/scraperr:latest |
+| scraperr-api | jpyles0524/scraperr_api:latest |
 | scrutiny | ghcr.io/analogj/scrutiny:master-omnibus |
 | searxng | searxng/searxng:latest |
 | semaphore | semaphoreui/semaphore:v2.12.14 |
-| signoz-init-clickhouse | clickhouse/clickhouse-server:24.1.2-alpine |
-| signoz-zookeeper-1 | bitnami/zookeeper:3.7.1 |
-| signoz-clickhouse | clickhouse/clickhouse-server:24.1.2-alpine |
-| signoz-app | signoz/signoz:v0.86.2 |
-| signoz-otel-collector | signoz/signoz-otel-collector:v0.111.42 |
-| signoz-schema-migrator-sync | signoz/signoz-schema-migrator:v0.111.42 |
-| signoz-schema-migrator-async | signoz/signoz-schema-migrator:v0.111.42 |
 | sonarqube | mc1arke/sonarqube-with-community-branch-plugin:lts |
 | sonarqube-pg-db | postgres:17-alpine |
 | sonarr | lscr.io/linuxserver/sonarr:latest |
@@ -157,4 +147,14 @@
 | web-check | lissy93/web-check |
 | whodb | clidey/whodb |
 | youtubedl | nbr23/youtube-dl-server:latest |
+| zammad-backup | ghcr.io/zammad/zammad:6.5.0-15 |
+| zammad-elasticsearch | bitnami/elasticsearch:8.17.4 |
+| zammad-init | ghcr.io/zammad/zammad:6.5.0-15 |
+| zammad-memcached | memcached:1.6.38-alpine |
+| zammad-nginx | ghcr.io/zammad/zammad:6.5.0-15 |
+| zammad-postgresql | postgres:17.4-alpine |
+| zammad-railsserver | ghcr.io/zammad/zammad:6.5.0-15 |
+| zammad-redis | redis:7.4.2-alpine |
+| zammad-scheduler | ghcr.io/zammad/zammad:6.5.0-15 |
+| zammad-websocket | ghcr.io/zammad/zammad:6.5.0-15 |

@@ -1,199 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-http:
-  pprof:
-    port: 6060
-    enabled: false
-  address: 0.0.0.0:8008
-  session_ttl: 720h
-users:
-  - name: admin
-    password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['ADGUARD_BCRYPT'] }}
-auth_attempts: 5
-block_auth_min: 15
-http_proxy: ""
-language: ""
-theme: auto
-dns:
-  bind_hosts:
-    - 0.0.0.0
-  port: 53
-  anonymize_client_ip: false
-  ratelimit: 20
-  ratelimit_subnet_len_ipv4: 24
-  ratelimit_subnet_len_ipv6: 56
-  ratelimit_whitelist: []
-  refuse_any: true
-  upstream_dns:
-    - 94.140.14.14
-    - 94.140.15.15
-    - https://dns.adguard-dns.com/dns-query
-    - tls://dns.adguard-dns.com
-    - quic://dns.adguard-dns.com
-    - 1.1.1.1
-    - 1.0.0.1
-    - 1.1.1.2
-    - 1.0.0.2
-    - 185.228.168.9
-    - 185.228.169.9
-    - 76.76.2.3
-    - tls://getdnsapi.net
-    - 185.49.141.37
-    - tls://dot.seby.io
-  upstream_dns_file: ""
-  bootstrap_dns:
-    - 9.9.9.10
-    - 149.112.112.10
-    - 2620:fe::10
-    - 2620:fe::fe:10
-  fallback_dns: []
-  upstream_mode: load_balance
-  fastest_timeout: 1s
-  allowed_clients: []
-  disallowed_clients: []
-  blocked_hosts:
-    - version.bind
-    - id.server
-    - hostname.bind
-  trusted_proxies:
-    - 127.0.0.0/8
-    - ::1/128
-  cache_size: 4194304
-  cache_ttl_min: 0
-  cache_ttl_max: 0
-  cache_optimistic: false
-  bogus_nxdomain: []
-  aaaa_disabled: false
-  enable_dnssec: false
-  edns_client_subnet:
-    custom_ip: ""
-    enabled: false
-    use_custom: false
-  max_goroutines: 300
-  handle_ddr: true
-  ipset: []
-  ipset_file: ""
-  bootstrap_prefer_ipv6: false
-  upstream_timeout: 10s
-  private_networks: []
-  use_private_ptr_resolvers: false
-  local_ptr_upstreams: []
-  use_dns64: false
-  dns64_prefixes: []
-  serve_http3: false
-  use_http3_upstreams: false
-  serve_plain_dns: true
-  hostsfile_enabled: true
-  pending_requests:
-    enabled: true
-tls:
-  enabled: true
-  server_name: ""
-  force_https: false
-  port_https: 446
-  port_dns_over_tls: 853
-  port_dns_over_quic: 853
-  port_dnscrypt: 0
-  dnscrypt_config_file: ""
-  allow_unencrypted_doh: false
-  certificate_chain: ""
-  private_key: ""
-  certificate_path: /opt/adguardhome/certs/live/trez.wtf/priv-fullchain-bundle.pem
-  private_key_path: /opt/adguardhome/certs/live/trez.wtf/priv-fullchain-bundle.pem
-  strict_sni_check: false
-querylog:
-  dir_path: ""
-  ignored: []
-  interval: 2160h
-  size_memory: 1000
-  enabled: true
-  file_enabled: true
-statistics:
-  dir_path: ""
-  ignored: []
-  interval: 24h
-  enabled: true
-filters:
-  - enabled: true
-    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt
-    name: AdGuard DNS filter
-    id: 1
-  - enabled: false
-    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt
-    name: AdAway Default Blocklist
-    id: 2
-whitelist_filters: []
-user_rules: []
-dhcp:
-  enabled: false
-  interface_name: ""
-  local_domain_name: lan
-  dhcpv4:
-    gateway_ip: 192.168.1.1
-    subnet_mask: 255.255.255.0
-    range_start: 192.168.1.2
-    range_end: 192.168.1.240
-    lease_duration: 86400
-    icmp_timeout_msec: 1000
-    options: []
-  dhcpv6:
-    range_start: ""
-    lease_duration: 86400
-    ra_slaac_only: false
-    ra_allow_slaac: false
-filtering:
-  blocking_ipv4: ""
-  blocking_ipv6: ""
-  blocked_services:
-    schedule:
-      time_zone: America/New_York
-    ids: []
-  protection_disabled_until: null
-  safe_search:
-    enabled: false
-    bing: true
-    duckduckgo: true
-    ecosia: true
-    google: true
-    pixabay: true
-    yandex: true
-    youtube: true
-  blocking_mode: default
-  parental_block_host: family-block.dns.adguard.com
-  safebrowsing_block_host: standard-block.dns.adguard.com
-  rewrites: []
-  safe_fs_patterns:
-    - /opt/adguardhome/work/userfilters/*
-  safebrowsing_cache_size: 1048576
-  safesearch_cache_size: 1048576
-  parental_cache_size: 1048576
-  cache_time: 30
-  filters_update_interval: 24
-  blocked_response_ttl: 10
-  filtering_enabled: true
-  parental_enabled: false
-  safebrowsing_enabled: false
-  protection_enabled: true
-clients:
-  runtime_sources:
-    whois: true
-    arp: true
-    rdns: true
-    dhcp: true
-    hosts: true
-  persistent: []
-log:
-  enabled: true
-  file: ""
-  max_backups: 0
-  max_size: 100
-  max_age: 3
-  compress: false
-  local_time: false
-  verbose: false
-os:
-  group: ""
-  user: ""
-  rlimit_nofile: 0
-schema_version: 29
@@ -2,5 +2,5 @@
 {% set secrets_path = 'rinoa-docker/env' %}

 urls:
-  - gotify://gotify/{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['APPRISE_GOTIFY_TOKEN'] }}
-  - mailtos://{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}@trez.wtf25?smtp=postal-smtp&from=noreply@trez.wtf
+  - gotify://gotify/{{ vault_secrets['APPRISE_GOTIFY_TOKEN'] }}
+  - mailtos://{{ vault_secrets['POSTAL_SMTP_AUTH_USER'] }}:{{ vault_secrets['POSTAL_SMTP_AUTH_PASSWORD'] }}@trez.wtf25?smtp=postal-smtp&from=noreply@trez.wtf
@@ -64,11 +64,11 @@ authentication_backend:
      mail: mail
      display_name: displayName
    user: uid=authelia,ou=people,dc=trez,dc=wtf
-    password: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_AUTH_BIND_LDAP_PASSWORD'] }}'
+    password: '{{ vault_secrets['AUTHELIA_AUTH_BIND_LDAP_PASSWORD'] }}'
  refresh_interval: 5m
 identity_validation:
  reset_password:
-    jwt_secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_JWT_SECRET'] }}'
+    jwt_secret: '{{ vault_secrets['AUTHELIA_JWT_SECRET'] }}'
 password_policy:
  standard:
    enabled: true
@@ -104,7 +104,7 @@ access_control:
      - ['user:the.trezured.one']
 session:
  name: authelia_session
-  secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_SESSION_SECRET'] }}'
+  secret: '{{ vault_secrets['AUTHELIA_SESSION_SECRET'] }}'
  expiration: 1h
  inactivity: 5m
  remember_me: 1M
@@ -115,12 +115,12 @@ session:
    host: redis
    port: 6379
 storage:
-  encryption_key: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_STORAGE_ENCRYPTION_KEY'] }}'
+  encryption_key: '{{ vault_secrets['AUTHELIA_STORAGE_ENCRYPTION_KEY'] }}'
  postgres:
    address: 'tcp://authelia-pg:5432'
    database: authelia
    username: authelia
-    password: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_STORAGE_POSTGRES_PASSWORD'] }}'
+    password: '{{ vault_secrets['AUTHELIA_STORAGE_POSTGRES_PASSWORD'] }}'
    timeout: '5s'
 regulation:
  max_retries: 3
@@ -131,8 +131,8 @@ notifier:
  smtp:
    address: 'smtp://postal-smtp:25'
    timeout: '5s'
-    username: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}'
-    password: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}'
+    username: '{{ vault_secrets['POSTAL_SMTP_AUTH_USER'] }}'
+    password: '{{ vault_secrets['POSTAL_SMTP_AUTH_PASSWORD'] }}'
    sender: "Authelia <noreply@trez.wtf>"
    identifier: 'localhost'
    subject: "[Authelia] {title}"
@@ -142,10 +142,10 @@ notifier:
    disable_html_emails: false
 identity_providers:
  oidc:
-    hmac_secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_OIDC_HMAC_SECRET'] }}'
+    hmac_secret: '{{ vault_secrets['AUTHELIA_OIDC_HMAC_SECRET'] }}'
    jwks:
      - key: |
-          {{ lookup("community.hashi_vault.vault_kv2_get", "env", engine_mount_point="rinoa-docker", url=vault_addr, token=vault_token_cleaned)["secret"]["AUTHELIA_OIDC_JWKS_KEY"] | replace("\\n", "\n") | indent(10) }}
+          {{ vault_secrets["AUTHELIA_OIDC_JWKS_KEY"] | replace("\\n", "\n") | indent(10) }}
    cors:
      allowed_origins_from_client_redirect_uris: true
      endpoints:
@@ -157,7 +157,7 @@ identity_providers:
    clients:
      - client_id: 'netbird'
        client_name: 'NetBird'
-        client_secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_NETBIRD_CLIENT_SECRET'] }}'
+        client_secret: '{{ vault_secrets['AUTHELIA_NETBIRD_CLIENT_SECRET'] }}'
        public: false
        authorization_policy: 'two_factor'
        redirect_uris:
@@ -1,7 +1,6 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}

-
 source: journalctl
 journalctl_filter: 
  - "--directory=/var/log/host/"
@@ -3,4 +3,4 @@

 url: http://0.0.0.0:8080
 login: localhost
-password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['CROWDSEC_LOCAL_API_KEY'] }}
+password: {{ vault_secrets['CROWDSEC_LOCAL_API_KEY'] }}
@@ -9,7 +9,7 @@
      "host"     : "mariadb",
      "port"     : 3306,
      "user"     : "ghost",
-      "password" : "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GHOST_DB_PASSWORD'] }}",
+      "password" : "{{ vault_secrets['GHOST_DB_PASSWORD'] }}",
      "database" : "ghost_db"
    }
  },
@@ -21,8 +21,8 @@
      "port": 25,
      "secure": false,
      "auth": {
-        "user": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}",
-        "pass": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}"
+        "user": "{{ vault_secrets['POSTAL_SMTP_AUTH_USER'] }}",
+        "pass": "{{ vault_secrets['POSTAL_SMTP_AUTH_PASSWORD'] }}"
      }
    }
  },
@@ -27,7 +27,7 @@ DISABLE_SSH = false
 SSH_PORT = 22
 SSH_LISTEN_PORT = 22
 LFS_START_SERVER = true
-LFS_JWT_SECRET = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_LFS_JWT_SECRET'] }}
+LFS_JWT_SECRET = {{ vault_secrets['GITEA_LFS_JWT_SECRET'] }}
 OFFLINE_MODE = true

 [database]
@@ -36,7 +36,7 @@ DB_TYPE = postgres
 HOST = gitea-db:5432
 NAME = gitea
 USER = gitea
-PASSWD = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_PG_DB_PASSWORD'] }}
+PASSWD = {{ vault_secrets['GITEA_PG_DB_PASSWORD'] }}
 LOG_SQL = false
 SCHEMA =
 SSL_MODE = disable
@@ -70,7 +70,7 @@ INSTALL_LOCK = true
 SECRET_KEY =
 REVERSE_PROXY_LIMIT = 1
 REVERSE_PROXY_TRUSTED_PROXIES = *
-INTERNAL_TOKEN = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_INTERNAL_TOKEN'] }}
+INTERNAL_TOKEN = {{ vault_secrets['GITEA_INTERNAL_TOKEN'] }}
 PASSWORD_HASH_ALGO = pbkdf2

 [service]
@@ -89,7 +89,7 @@ NO_REPLY_ADDRESS = noreply@trez.wtf
 PATH = /data/git/lfs

 [mailer]
-PASSWD = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}
+PASSWD = {{ vault_secrets['POSTAL_SMTP_AUTH_PASSWORD'] }}
 PROTOCOL = smtp
 ENABLED = true
 FROM = '"Gitea" <noreply@trez.wtf>'
@@ -112,7 +112,7 @@ DEFAULT_MERGE_STYLE = merge
 DEFAULT_TRUST_MODEL = committer

 [oauth2]
-JWT_SECRET = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_OAUTH2_JWT_SECRET'] }}
+JWT_SECRET = {{ vault_secrets['GITEA_OAUTH2_JWT_SECRET'] }}

 [ui]
 THEMES =
@@ -9,7 +9,7 @@ gitea:
  # Created access token for the user that shall be used as bot account.
  # User needs "Read project" permissions with access to "Pull Requests"
  token:
-    value: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_GITEA_TOKEN'] }}"
+    value: "{{ vault_secrets['GITEA_SONARQUBE_BOT_GITEA_TOKEN'] }}"
    # # or path to file containing the plain text secret
    # file: /path/to/gitea/token

@@ -18,7 +18,7 @@ gitea:
  # The bot looks for `X-Gitea-Signature` header containing the sha256 hmac hash of the plain text secret. If the header
  # exists and no webhookSecret is defined here, the bot will ignore the request, because it cannot be validated.
  webhook:
-    secret: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_GITEA_WEBHOOK_SECRET'] }}"
+    secret: "{{ vault_secrets['GITEA_SONARQUBE_BOT_GITEA_WEBHOOK_SECRET'] }}"
    # # or path to file containing the plain text secret
    # secretFile: /path/to/gitea/webhook/secret

@@ -35,7 +35,7 @@ sonarqube:
  # Created access token for the user that shall be used as bot account.
  # User needs "Browse on project" permissions
  token:
-    value: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_SQUBE_TOKEN'] }}"
+    value: "{{ vault_secrets['GITEA_SONARQUBE_BOT_SQUBE_TOKEN'] }}"
    # # or path to file containing the plain text secret
    # file: /path/to/sonarqube/token

@@ -45,7 +45,7 @@ sonarqube:
  # If the header exists and no webhookSecret is defined here, the bot will ignore the request, because it cannot be
  # validated.
  webhook:
-    secret: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_SQUBE_WEBHOOK_SECRET'] }}"
+    secret: "{{ vault_secrets['GITEA_SONARQUBE_BOT_SQUBE_WEBHOOK_SECRET'] }}"
    # # or path to file containing the plain text secret
    # secretFile: /path/to/sonarqube/webhook/secret

@@ -4,8 +4,8 @@ storage:
    bucket_name: pyroscope
    endpoint: minio:9000
    region: us-east-fh-pln
-    access_key_id: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MINIO_PYROSCOPE_STORAGE_ACCESS_KEY'] }}
-    secret_access_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MINIO_PYROSCOPE_STORAGE_SECRET_KEY'] }}
+    access_key_id: {{ vault_secrets['MINIO_PYROSCOPE_STORAGE_ACCESS_KEY'] }}
+    secret_access_key: {{ vault_secrets['MINIO_PYROSCOPE_STORAGE_SECRET_KEY'] }}
    insecure: true

 analytics:
@@ -46,8 +46,8 @@ storage:
    s3:
      bucket: tempo                    # how to store data in s3
      endpoint: minio:9000
-      access_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MINIO_TEMPO_STORAGE_ACCESS_KEY'] }}
-      secret_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MINIO_TEMPO_STORAGE_SECRET_KEY'] }}
+      access_key: {{ vault_secrets['MINIO_TEMPO_STORAGE_ACCESS_KEY'] }}
+      secret_key: {{ vault_secrets['MINIO_TEMPO_STORAGE_SECRET_KEY'] }}
      insecure: true

 usage_report:
@@ -29,5 +29,5 @@
        widget:
            type: homeassistant
            url: http://192.168.1.252:8123
-            key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['HOMEPAGE_HOME_ASSISTANT_API_KEY'] }}
+            key: {{ vault_secrets['HOMEPAGE_HOME_ASSISTANT_API_KEY'] }}

@@ -6,7 +6,7 @@
 # https://gethomepage.dev/en/configs/settings

 providers:
-  openweathermap: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['HOMEPAGE_OPENWEATHERMAP_API_KEY'] }}
+  openweathermap: {{ vault_secrets['HOMEPAGE_OPENWEATHERMAP_API_KEY'] }}
  # weatherapi: weatherapiapikey
 title: Rinoa Dashboard (trez.WTF)
 headerStyle: underlined
@@ -16,7 +16,7 @@ db:
  host: invidious-db
  port: 5432
  dbname: invidious
-  password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_PG_DB_PASSWORD'] }}
+  password: {{ vault_secrets['INVID_PG_DB_PASSWORD'] }}

 ##
 ## Database configuration using a single URI. This is an
@@ -210,8 +210,8 @@ https_only: false
 ## Accepted values: String
 ## Default: <none>
 ##
-po_token: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_PO_TOKEN'] }}
-visitor_data: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_VISITOR_DATA'] }}
+po_token: {{ vault_secrets['INVID_PO_TOKEN'] }}
+visitor_data: {{ vault_secrets['INVID_VISITOR_DATA'] }}

 # -----------------------------
 #  Logging
@@ -471,7 +471,7 @@ jobs:
 ## Accepted values: a string
 ## Default: <none>
 ##
-hmac_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_HMAC_KEY'] }}
+hmac_key: {{ vault_secrets['INVID_HMAC_KEY'] }}

 ##
 ## List of video IDs where the "download" widget must be
@@ -3,7 +3,7 @@

 # IN application vars
 IN_APP_URL=https://biz.trez.wtf
-IN_APP_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['IN_APP_KEY'] }}
+IN_APP_KEY={{ vault_secrets['IN_APP_KEY'] }}
 IN_APP_DEBUG=true
 IN_REQUIRE_HTTPS=false
 IN_PHANTOMJS_PDF_GENERATION=false
@@ -18,7 +18,7 @@ IN_DB_HOST=mariadb
 IN_DB_PORT=3306
 IN_DB_DATABASE=invoice_ninja
 IN_DB_USERNAME=ininja
-IN_DB_PASSWORD={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['IN_MYSQL_PASSWORD'] }}
+IN_DB_PASSWORD={{ vault_secrets['IN_MYSQL_PASSWORD'] }}

 # Create initial user
 # Default to these values if empty
@@ -31,8 +31,8 @@ IN_PASSWORD=
 IN_MAIL_MAILER=log
 IN_MAIL_HOST=postal-smtp
 IN_MAIL_PORT=25
-IN_MAIL_USERNAME={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}
-IN_MAIL_PASSWORD={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}
+IN_MAIL_USERNAME={{ vault_secrets['POSTAL_SMTP_AUTH_USER'] }}
+IN_MAIL_PASSWORD={{ vault_secrets['POSTAL_SMTP_AUTH_PASSWORD'] }}
 IN_MAIL_ENCRYPTION=null
 IN_MAIL_FROM_ADDRESS='noreply@trez.wtf'
 IN_MAIL_FROM_NAME='Treasured IT'
@@ -17,7 +17,7 @@
 HOST=localhost
 PORT=3080

-MONGO_URI=mongodb://librechat:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_MONGODB_PASSWORD'] }}@mongodb:27017/librechat?replicaSet=rinoa
+MONGO_URI=mongodb://librechat:{{ vault_secrets['LIBRECHAT_MONGODB_PASSWORD'] }}@mongodb:27017/librechat?replicaSet=rinoa

 DOMAIN_CLIENT=https://ai.trez.wtf
 DOMAIN_SERVER=https://ai.trez.wtf
@@ -73,12 +73,12 @@ PROXY=
 # ANYSCALE_API_KEY=
 # APIPIE_API_KEY=
 # COHERE_API_KEY=
-DEEPSEEK_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_DEEPSEEK_API_KEY'] }}
+DEEPSEEK_API_KEY={{ vault_secrets['LIBRECHAT_DEEPSEEK_API_KEY'] }}
 # DATABRICKS_API_KEY=
 # FIREWORKS_API_KEY=
 # GROQ_API_KEY=
 # HUGGINGFACE_TOKEN=
-MISTRAL_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_MISTRAL_API_KEY'] }}
+MISTRAL_API_KEY={{ vault_secrets['LIBRECHAT_MISTRAL_API_KEY'] }}
 # OPENROUTER_KEY=
 # PERPLEXITY_API_KEY=
 # SHUTTLEAI_API_KEY=
@@ -90,7 +90,7 @@ MISTRAL_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_m
 # Anthropic  #
 #============#

-ANTHROPIC_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_ANTHROPIC_API_KEY'] }}
+ANTHROPIC_API_KEY={{ vault_secrets['LIBRECHAT_ANTHROPIC_API_KEY'] }}
 ANTHROPIC_MODELS=claude-3-7-sonnet-latest,claude-3-7-sonnet-20250219,claude-3-5-haiku-20241022,claude-3-5-sonnet-20241022,claude-3-5-sonnet-latest,claude-3-5-sonnet-20240620,claude-3-opus-20240229,claude-3-sonnet-20240229,claude-3-haiku-20240307,claude-2.1,claude-2,claude-1.2,claude-1,claude-1-100k,claude-instant-1,claude-instant-1-100k
 # ANTHROPIC_REVERSE_PROXY=

@@ -177,7 +177,7 @@ ANTHROPIC_MODELS=claude-3-7-sonnet-latest,claude-3-7-sonnet-20250219,claude-3-5-
 # OpenAI     #
 #============#

-OPENAI_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_OPENAI_API_KEY'] }}
+OPENAI_API_KEY={{ vault_secrets['LIBRECHAT_OPENAI_API_KEY'] }}
 OPENAI_MODELS=o1,o1-mini,o1-preview,gpt-4o,chatgpt-4o-latest,gpt-4o-mini,gpt-3.5-turbo-0125,gpt-3.5-turbo-0301,gpt-3.5-turbo,gpt-4,gpt-4-0613,gpt-4-vision-preview,gpt-3.5-turbo-0613,gpt-3.5-turbo-16k-0613,gpt-4-0125-preview,gpt-4-turbo-preview,gpt-4-1106-preview,gpt-3.5-turbo-1106,gpt-3.5-turbo-instruct,gpt-3.5-turbo-instruct-0914,gpt-3.5-turbo-16k

 DEBUG_OPENAI=false
@@ -226,8 +226,8 @@ DEBUG_OPENAI=false

 # DEBUG_PLUGINS=

-CREDS_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_CREDS_KEY'] }}
-CREDS_IV={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_CREDS_IV'] }}
+CREDS_KEY={{ vault_secrets['LIBRECHAT_CREDS_KEY'] }}
+CREDS_IV={{ vault_secrets['LIBRECHAT_CREDS_IV'] }}

 # Azure AI Search
 #-----------------
@@ -298,7 +298,7 @@ ZAPIER_NLA_API_KEY=
 SEARCH=true
 MEILI_NO_ANALYTICS=true
 MEILI_HOST=http://meilisearch:7700
-MEILI_MASTER_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MEILISEARCH_MASTER_KEY'] }}
+MEILI_MASTER_KEY={{ vault_secrets['MEILISEARCH_MASTER_KEY'] }}

 # Optional: Disable indexing, useful in a multi-node setup
 # where only one instance should perform an index sync.
@@ -384,8 +384,8 @@ ALLOW_UNVERIFIED_EMAIL_LOGIN=true
 SESSION_EXPIRY=1000 * 60 * 15
 REFRESH_TOKEN_EXPIRY=(1000 * 60 * 60 * 24) * 7

-JWT_SECRET={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_JWT_SECRET'] }}
-JWT_REFRESH_SECRET={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_JWT_REFRESH_SECRET'] }}
+JWT_SECRET={{ vault_secrets['LIBRECHAT_JWT_SECRET'] }}
+JWT_REFRESH_SECRET={{ vault_secrets['LIBRECHAT_JWT_REFRESH_SECRET'] }}


 # Discord
@@ -547,4 +547,4 @@ USE_REDIS=true
 #=====================================================#
 #                  OpenWeather                        #
 #=====================================================#
-OPENWEATHER_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['HOMEPAGE_OPENWEATHERMAP_API_KEY'] }}
+OPENWEATHER_API_KEY={{ vault_secrets['HOMEPAGE_OPENWEATHERMAP_API_KEY'] }}
@@ -7,7 +7,7 @@
  <SslPort>6868</SslPort>
  <EnableSsl>False</EnableSsl>
  <LaunchBrowser>True</LaunchBrowser>
-  <ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIDARR_API_KEY'] }}</ApiKey>
+  <ApiKey>{{ vault_secrets['LIDARR_API_KEY'] }}</ApiKey>
  <AuthenticationMethod>Forms</AuthenticationMethod>
  <Branch>master</Branch>
  <LogLevel>trace</LogLevel>
@@ -3,11 +3,11 @@

 {
    "lidarr_address": "http://lidarr:8686",
-    "lidarr_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIDARR_API_KEY'] }}",
-    "spotify_client_secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_SECRET'] }}",
+    "lidarr_api_key": "{{ vault_secrets['LIDARR_API_KEY'] }}",
+    "spotify_client_secret": "{{ vault_secrets['YOUR_SPOTIFY_SECRET'] }}",
    "root_folder_path": "/data/media/music",
-    "spotify_client_id": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_ID'] }}",
-    "spotify_client_secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_SECRET'] }}",
+    "spotify_client_id": "{{ vault_secrets['YOUR_SPOTIFY_ID'] }}",
+    "spotify_client_secret": "{{ vault_secrets['YOUR_SPOTIFY_SECRET'] }}",
    "fallback_to_top_result": false,
    "lidarr_api_timeout": 120.0,
    "quality_profile_id": 1,
@@ -17,8 +17,8 @@
    "app_name": "lidify",
    "app_rev": "0.09",
    "app_url": "lidify.trez.wtf",
-    "last_fm_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
-    "last_fm_api_secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
+    "last_fm_api_key": "{{ vault_secrets['LASTFM_API_KEY'] }}",
+    "last_fm_api_secret": "{{ vault_secrets['LASTFM_API_SECRET'] }}",
    "mode": "LastFM",
    "auto_start": false,
    "auto_start_delay": 60
@@ -20,7 +20,7 @@ global_keywords:
    - fatal
 notifications:
  apprise:
-    url: gotify://gotify/{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['APPRISE_GOTIFY_TOKEN'] }}    # Any Apprise-compatible URL (https://github.com/caronc/apprise/wiki)
+    url: gotify://gotify/{{ vault_secrets['APPRISE_GOTIFY_TOKEN'] }}    # Any Apprise-compatible URL (https://github.com/caronc/apprise/wiki)
 # settings are optional because they all have default values
 settings:
  log_level: INFO               # DEBUG, INFO, WARNING, ERROR
@@ -27,8 +27,8 @@
      "clients": [],
      "name": "spotify",
      "data": {
-        "clientId": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_ID'] }}",
-        "clientSecret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_SECRET'] }}",
+        "clientId": "{{ vault_secrets['YOUR_SPOTIFY_ID'] }}",
+        "clientSecret": "{{ vault_secrets['YOUR_SPOTIFY_SECRET'] }}",
        "redirectUri": "http://localhost:9078/callback"
      }
    },
@@ -38,8 +38,8 @@
      "clients": [],
      "name": "lastfm",
      "data": {
-        "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
-        "secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
+        "apiKey": "{{ vault_secrets['LASTFM_API_KEY'] }}",
+        "secret": "{{ vault_secrets['LASTFM_API_SECRET'] }}",
        "redirectUri": "http://localhost:9078/lastfm/callback"
      }
    },
@@ -49,7 +49,7 @@
      "clients": [],
      "name": "listenBrainz",
      "data": {
-        "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_LISTENBRAINZ_TOKEN'] }}",
+        "token": "{{ vault_secrets['MALOJA_LISTENBRAINZ_TOKEN'] }}",
        "username": "Trez.One"
      }
    },
@@ -61,7 +61,7 @@
      "data": {
        "url": "http://navidrome:4533",
        "user": "admin",
-        "password": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NAVIDROME_PASSWORD'] }}"
+        "password": "{{ vault_secrets['NAVIDROME_PASSWORD'] }}"
      }
    }
  ],
@@ -71,8 +71,8 @@
      "enable": true,
      "name": "lastFmClient",
      "data": {
-        "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
-        "secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
+        "apiKey": "{{ vault_secrets['LASTFM_API_KEY'] }}",
+        "secret": "{{ vault_secrets['LASTFM_API_SECRET'] }}",
        "redirectUri": "http://localhost:9078/lastfm/callback"
      }
    },
@@ -81,7 +81,7 @@
      "enable": true,
      "name": "ListenBrainzClient",
      "data": {
-        "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_LISTENBRAINZ_TOKEN'] }}",
+        "token": "{{ vault_secrets['MALOJA_LISTENBRAINZ_TOKEN'] }}",
        "username": "Trez.One"
      }
    },
@@ -91,7 +91,7 @@
      "name": "maloja",
      "data": {
        "url": "http://maloja:42010",
-        "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_API_KEY'] }}"
+        "apiKey": "{{ vault_secrets['MALOJA_API_KEY'] }}"
      }
    }
  ],
@@ -100,7 +100,7 @@
      "name": "Gotify",
      "type": "gotify",
      "url": "http://gotify",
-      "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MULTI_SCROBBLER_GOTIFY_TOKEN'] }}",
+      "token": "{{ vault_secrets['MULTI_SCROBBLER_GOTIFY_TOKEN'] }}",
      "priorities": {
        "info": 5,
        "warn": 7,
@@ -2,7 +2,7 @@
  "Stuns": [
    {
      "Proto": "udp",
-      "URI": "stun:netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:3478",
+      "URI": "stun:netbird.{{ vault_secrets['MY_TLD'] }}:3478",
      "Username": "",
      "Password": null
    }
@@ -11,9 +11,9 @@
    "Turns": [
      {
        "Proto": "udp",
-        "URI": "turn:netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:3478",
+        "URI": "turn:netbird.{{ vault_secrets['MY_TLD'] }}:3478",
        "Username": "self",
-        "Password": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_TURN_PASSWORD'] }}"
+        "Password": "{{ vault_secrets['NETBIRD_TURN_PASSWORD'] }}"
      }
    ],
    "CredentialsTTL": "12h",
@@ -22,14 +22,14 @@
  },
  "Relay": {
    "Addresses": [
-      "rel://netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:33080"
+      "rel://netbird.{{ vault_secrets['MY_TLD'] }}:33080"
    ],
    "CredentialsTTL": "24h",
-    "Secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_RELAY_AUTH_SECRET'] }}"
+    "Secret": "{{ vault_secrets['NETBIRD_RELAY_AUTH_SECRET'] }}"
  },
  "Signal": {
    "Proto": "https",
-    "URI": "netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:10001",
+    "URI": "netbird.{{ vault_secrets['MY_TLD'] }}:10001",
    "Username": "",
    "Password": null
  },
@@ -47,14 +47,14 @@
  },
  "HttpConfig": {
    "Address": "0.0.0.0:33073",
-    "AuthIssuer": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}",
+    "AuthIssuer": "https://auth.{{ vault_secrets['MY_TLD'] }}",
    "AuthAudience": "netbird",
-    "AuthKeysLocation": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/jwks.json",
+    "AuthKeysLocation": "https://auth.{{ vault_secrets['MY_TLD'] }}/jwks.json",
    "AuthUserIDClaim": "",
    "CertFile": "",
    "CertKey": "",
    "IdpSignKeyRefreshEnabled": true,
-    "OIDCConfigEndpoint": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/.well-known/openid-configuration"
+    "OIDCConfigEndpoint": "https://auth.{{ vault_secrets['MY_TLD'] }}/.well-known/openid-configuration"
  },
  "IdpManagerConfig": {},
  "DeviceAuthorizationFlow": {},
@@ -62,10 +62,10 @@
    "ProviderConfig": {
      "Audience": "netbird",
      "ClientID": "netbird",
-      "ClientSecret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_NETBIRD_CLIENT_SECRET'] }}",
+      "ClientSecret": "{{ vault_secrets['AUTHELIA_NETBIRD_CLIENT_SECRET'] }}",
      "Domain": "",
-      "AuthorizationEndpoint": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/api/oidc/authorization",
-      "TokenEndpoint": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/api/oidc/token",
+      "AuthorizationEndpoint": "https://auth.{{ vault_secrets['MY_TLD'] }}/api/oidc/authorization",
+      "TokenEndpoint": "https://auth.{{ vault_secrets['MY_TLD'] }}/api/oidc/token",
      "Scope": "openid profile email offline_access api",
      "RedirectURLs": [
        "http://localhost:53000"
@@ -250,7 +250,7 @@ lt-cred-mech
 #user=username1:key1
 #user=username2:key2
 # OR:
-user=self:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_TURN_PASSWORD'] }}
+user=self:{{ vault_secrets['NETBIRD_TURN_PASSWORD'] }}
 #user=username2:password2
 #
 # Keys must be generated by turnadmin utility. The key value depends
@@ -18,13 +18,13 @@ web_server:
 main_db:
  host: mariadb
  username: postal
-  password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_MYSQL_PASSWORD'] }}
+  password: {{ vault_secrets['POSTAL_MYSQL_PASSWORD'] }}
  database: postal

 message_db:
  host: mariadb
  username: postal
-  password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_MYSQL_PASSWORD'] }}
+  password: {{ vault_secrets['POSTAL_MYSQL_PASSWORD'] }}
  prefix: postal

 smtp_server:
@@ -52,11 +52,11 @@ smtp:
  host: postal-smtp
  port: 25
  username: rinoa/postal-smtp
-  password: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}"
+  password: "{{ vault_secrets['POSTAL_SMTP_AUTH_PASSWORD'] }}"
  from_name: Postal @ Rinoa
  from_address: noreply@trez.wtf

 rails:
  # This is generated automatically by the config initialization. It should be a random
  # string unique to your installation.
-  secret_key: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_RAILS_SECRET_KEY'] }}"
+  secret_key: "{{ vault_secrets['POSTAL_RAILS_SECRET_KEY'] }}"
@@ -7,7 +7,7 @@
  <SslPort>6969</SslPort>
  <EnableSsl>False</EnableSsl>
  <LaunchBrowser>True</LaunchBrowser>
-  <ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['PROWLARR_API_KEY'] }}</ApiKey>
+  <ApiKey>{{ vault_secrets['PROWLARR_API_KEY'] }}</ApiKey>
  <AuthenticationMethod>Forms</AuthenticationMethod>
  <AuthenticationRequired>Enabled</AuthenticationRequired>
  <Branch>master</Branch>
@@ -3,9 +3,9 @@

 {
    "radarr_address": "http://radarr:7878",
-    "radarr_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['RADARR_API_KEY'] }}",
+    "radarr_api_key": "{{ vault_secrets['RADARR_API_KEY'] }}",
    "root_folder_path": "/data/media/movies",
-    "tmdb_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['TMDB_API_KEY'] }}",
+    "tmdb_api_key": "{{ vault_secrets['TMDB_API_KEY'] }}",
    "fallback_to_top_result": false,
    "radarr_api_timeout": 120.0,
    "quality_profile_id": 1,
@@ -8,7 +8,7 @@
  <SslCertPath></SslCertPath>
  <Port>7878</Port>
  <UrlBase></UrlBase>
-  <ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['RADARR_API_KEY'] }}</ApiKey>
+  <ApiKey>{{ vault_secrets['RADARR_API_KEY'] }}</ApiKey>
  <AuthenticationMethod>Forms</AuthenticationMethod>
  <UpdateMechanism>Docker</UpdateMechanism>
  <SslPort>9898</SslPort>
@@ -7,7 +7,7 @@
  <SslPort>6868</SslPort>
  <EnableSsl>False</EnableSsl>
  <LaunchBrowser>True</LaunchBrowser>
-  <ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['READARR_API_KEY'] }}</ApiKey>
+  <ApiKey>{{ vault_secrets['READARR_API_KEY'] }}</ApiKey>
  <AuthenticationMethod>Forms</AuthenticationMethod>
  <Branch>develop</Branch>
  <LogLevel>info</LogLevel>
@@ -22,7 +22,7 @@ host = 0.0.0.0
 port = 8080
 https_port = 8090
 username = thetrezuredone
-password = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SABNZBDVPN_PASSWORD'] }}
+password = {{ vault_secrets['SABNZBDVPN_PASSWORD'] }}
 bandwidth_max = 1000M
 cache_limit = 1G
 web_dir = Glitter
@@ -33,7 +33,7 @@ https_chain = ""
 enable_https = 1
 inet_exposure = 0
 local_ranges = ,
-api_key = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SABNZBDVPN_API_KEY'] }}
+api_key = {{ vault_secrets['SABNZBDVPN_API_KEY'] }}
 nzb_key = 3c0fa874bb2748b58c1bd7512e649946
 permissions = 775
 download_dir = /storage/downloads/incomplete
@@ -342,7 +342,7 @@ host = news.newshosting.com
 port = 563
 timeout = 60
 username = thetrezuredone
-password = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSK_USER_PASSWORD'] }}
+password = {{ vault_secrets['SLSK_USER_PASSWORD'] }}
 connections = 8
 ssl = 1
 ssl_verify = 3
@@ -363,7 +363,7 @@ host = news.easynews.com
 port = 443
 timeout = 60
 username = TrezOne
-password = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SABNZBDVPN_EASYNEWS_PASSWORD'] }}
+password = {{ vault_secrets['SABNZBDVPN_EASYNEWS_PASSWORD'] }}
 connections = 60
 ssl = 0
 ssl_verify = 3
@@ -82,7 +82,7 @@ server:
  # If your instance owns a /etc/searxng/settings.yml file, then set the following
  # values there.

-  secret_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SEARXNG_SECRET_KEY'] }}  # Is overwritten by ${SEARXNG_SECRET}
+  secret_key: {{ vault_secrets['SEARXNG_SECRET_KEY'] }}  # Is overwritten by ${SEARXNG_SECRET}
  # Proxying image results through searx
  image_proxy: true
  # 1.0 and 1.1 are supported
@@ -1,75 +0,0 @@
-<?xml version="1.0"?>
-<clickhouse>
-    <!-- ZooKeeper is used to store metadata about replicas, when using Replicated tables.
-         Optional. If you don't use replicated tables, you could omit that.
-
-         See https://clickhouse.com/docs/en/engines/table-engines/mergetree-family/replication/
-      -->
-    <zookeeper>
-        <node index="1">
-            <host>signoz-zookeeper-1</host>
-            <port>2181</port>
-        </node>
-        <node index="2">
-            <host>zookeeper-2</host>
-            <port>2181</port>
-        </node>
-        <node index="3">
-            <host>zookeeper-3</host>
-            <port>2181</port>
-        </node>
-    </zookeeper>
-
-    <!-- Configuration of clusters that could be used in Distributed tables.
-         https://clickhouse.com/docs/en/operations/table_engines/distributed/
-      -->
-    <remote_servers>
-        <cluster>
-            <!-- Inter-server per-cluster secret for Distributed queries
-                 default: no secret (no authentication will be performed)
-
-                 If set, then Distributed queries will be validated on shards, so at least:
-                 - such cluster should exist on the shard,
-                 - such cluster should have the same secret.
-
-                 And also (and which is more important), the initial_user will
-                 be used as current user for the query.
-
-                 Right now the protocol is pretty simple and it only takes into account:
-                 - cluster name
-                 - query
-
-                 Also it will be nice if the following will be implemented:
-                 - source hostname (see interserver_http_host), but then it will depends from DNS,
-                   it can use IP address instead, but then the you need to get correct on the initiator node.
-                 - target hostname / ip address (same notes as for source hostname)
-                 - time-based security tokens
-            -->
-            <!-- <secret></secret> -->
-            <shard>
-                <!-- Optional. Whether to write data to just one of the replicas. Default: false (write data to all replicas). -->
-                <!-- <internal_replication>false</internal_replication> -->
-                <!-- Optional. Shard weight when writing data. Default: 1. -->
-                <!-- <weight>1</weight> -->
-                <replica>
-                    <host>signoz-clickhouse</host>
-                    <port>9000</port>
-                    <!-- Optional. Priority of the replica for load_balancing. Default: 1 (less value has more priority). -->
-                    <!-- <priority>1</priority> -->
-                </replica>
-            </shard>
-            <shard>
-                <replica>
-                    <host>clickhouse-2</host>
-                    <port>9000</port>
-                </replica>
-            </shard>
-            <shard>
-                <replica>
-                    <host>clickhouse-3</host>
-                    <port>9000</port>
-                </replica>
-            </shard>
-        </cluster>
-    </remote_servers>
-</clickhouse>
@@ -1,75 +0,0 @@
-<?xml version="1.0"?>
-<clickhouse>
-    <!-- ZooKeeper is used to store metadata about replicas, when using Replicated tables.
-         Optional. If you don't use replicated tables, you could omit that.
-
-         See https://clickhouse.com/docs/en/engines/table-engines/mergetree-family/replication/
-      -->
-    <zookeeper>
-        <node index="1">
-            <host>signoz-zookeeper-1</host>
-            <port>2181</port>
-        </node>
-        <!-- <node index="2">
-            <host>zookeeper-2</host>
-            <port>2181</port>
-        </node>
-        <node index="3">
-            <host>zookeeper-3</host>
-            <port>2181</port>
-        </node> -->
-    </zookeeper>
-
-    <!-- Configuration of clusters that could be used in Distributed tables.
-         https://clickhouse.com/docs/en/operations/table_engines/distributed/
-      -->
-    <remote_servers>
-        <cluster>
-            <!-- Inter-server per-cluster secret for Distributed queries
-                 default: no secret (no authentication will be performed)
-
-                 If set, then Distributed queries will be validated on shards, so at least:
-                 - such cluster should exist on the shard,
-                 - such cluster should have the same secret.
-
-                 And also (and which is more important), the initial_user will
-                 be used as current user for the query.
-
-                 Right now the protocol is pretty simple and it only takes into account:
-                 - cluster name
-                 - query
-
-                 Also it will be nice if the following will be implemented:
-                 - source hostname (see interserver_http_host), but then it will depends from DNS,
-                   it can use IP address instead, but then the you need to get correct on the initiator node.
-                 - target hostname / ip address (same notes as for source hostname)
-                 - time-based security tokens
-            -->
-            <!-- <secret></secret> -->
-            <shard>
-                <!-- Optional. Whether to write data to just one of the replicas. Default: false (write data to all replicas). -->
-                <!-- <internal_replication>false</internal_replication> -->
-                <!-- Optional. Shard weight when writing data. Default: 1. -->
-                <!-- <weight>1</weight> -->
-                <replica>
-                    <host>signoz-clickhouse</host>
-                    <port>9000</port>
-                    <!-- Optional. Priority of the replica for load_balancing. Default: 1 (less value has more priority). -->
-                    <!-- <priority>1</priority> -->
-                </replica>
-            </shard>
-            <!-- <shard>
-                <replica>
-                    <host>clickhouse-2</host>
-                    <port>9000</port>
-                </replica>
-            </shard>
-            <shard>
-                <replica>
-                    <host>clickhouse-3</host>
-                    <port>9000</port>
-                </replica>
-            </shard> -->
-        </cluster>
-    </remote_servers>
-</clickhouse>
@@ -1,21 +0,0 @@
-<functions>
-    <function>
-        <type>executable</type>
-        <name>histogramQuantile</name>
-        <return_type>Float64</return_type>
-        <argument>
-            <type>Array(Float64)</type>
-            <name>buckets</name>
-        </argument>
-        <argument>
-            <type>Array(Float64)</type>
-            <name>counts</name>
-        </argument>
-        <argument>
-            <type>Float64</type>
-            <name>quantile</name>
-        </argument>
-        <format>CSV</format>
-        <command>./histogramQuantile</command>
-    </function>
-</functions>
@@ -1,41 +0,0 @@
-<?xml version="1.0"?>
-<clickhouse>
-<storage_configuration>
-    <disks>
-        <default>
-            <keep_free_space_bytes>10485760</keep_free_space_bytes>
-        </default>
-        <s3>
-            <type>s3</type>
-            <!-- For S3 cold storage,
-                    if region is us-east-1, endpoint can be https://<bucket-name>.s3.amazonaws.com
-                    if region is not us-east-1, endpoint should be https://<bucket-name>.s3-<region>.amazonaws.com
-                For GCS cold storage,
-                    endpoint should be https://storage.googleapis.com/<bucket-name>/data/
-                -->
-            <endpoint>https://BUCKET-NAME.s3-REGION-NAME.amazonaws.com/data/</endpoint>
-            <access_key_id>ACCESS-KEY-ID</access_key_id>
-            <secret_access_key>SECRET-ACCESS-KEY</secret_access_key>
-            <!-- In case of S3, uncomment the below configuration in case you want to read
-                AWS credentials from the Environment variables if they exist. -->
-            <!-- <use_environment_credentials>true</use_environment_credentials> -->
-            <!-- In case of GCS, uncomment the below configuration, since GCS does
-                not support batch deletion and result in error messages in logs. -->
-            <!-- <support_batch_delete>false</support_batch_delete> -->
-        </s3>
-   </disks>
-   <policies>
-       <tiered>
-           <volumes>
-                <default>
-                    <disk>default</disk>
-                </default>
-                <s3>
-                    <disk>s3</disk>
-                    <perform_ttl_move_on_insert>0</perform_ttl_move_on_insert>
-                </s3>
-            </volumes>
-        </tiered>
-    </policies>
-</storage_configuration>
-</clickhouse>
@@ -1,123 +0,0 @@
-<?xml version="1.0"?>
-<clickhouse>
-    <!-- See also the files in users.d directory where the settings can be overridden. -->
-
-    <!-- Profiles of settings. -->
-    <profiles>
-        <!-- Default settings. -->
-        <default>
-            <!-- Maximum memory usage for processing single query, in bytes. -->
-            <max_memory_usage>10000000000</max_memory_usage>
-
-            <!-- How to choose between replicas during distributed query processing.
-                 random - choose random replica from set of replicas with minimum number of errors
-                 nearest_hostname - from set of replicas with minimum number of errors, choose replica
-                  with minimum number of different symbols between replica's hostname and local hostname
-                  (Hamming distance).
-                 in_order - first live replica is chosen in specified order.
-                 first_or_random - if first replica one has higher number of errors, pick a random one from replicas with minimum number of errors.
-            -->
-            <load_balancing>random</load_balancing>
-        </default>
-
-        <!-- Profile that allows only read queries. -->
-        <readonly>
-            <readonly>1</readonly>
-        </readonly>
-    </profiles>
-
-    <!-- Users and ACL. -->
-    <users>
-        <!-- If user name was not specified, 'default' user is used. -->
-        <default>
-            <!-- See also the files in users.d directory where the password can be overridden.
-
-                 Password could be specified in plaintext or in SHA256 (in hex format).
-
-                 If you want to specify password in plaintext (not recommended), place it in 'password' element.
-                 Example: <password>qwerty</password>.
-                 Password could be empty.
-
-                 If you want to specify SHA256, place it in 'password_sha256_hex' element.
-                 Example: <password_sha256_hex>65e84be33532fb784c48129675f9eff3a682b27168c0ea744b2cf58ee02337c5</password_sha256_hex>
-                 Restrictions of SHA256: impossibility to connect to ClickHouse using MySQL JS client (as of July 2019).
-
-                 If you want to specify double SHA1, place it in 'password_double_sha1_hex' element.
-                 Example: <password_double_sha1_hex>e395796d6546b1b65db9d665cd43f0e858dd4303</password_double_sha1_hex>
-
-                 If you want to specify a previously defined LDAP server (see 'ldap_servers' in the main config) for authentication,
-                  place its name in 'server' element inside 'ldap' element.
-                 Example: <ldap><server>my_ldap_server</server></ldap>
-
-                 If you want to authenticate the user via Kerberos (assuming Kerberos is enabled, see 'kerberos' in the main config),
-                  place 'kerberos' element instead of 'password' (and similar) elements.
-                 The name part of the canonical principal name of the initiator must match the user name for authentication to succeed.
-                 You can also place 'realm' element inside 'kerberos' element to further restrict authentication to only those requests
-                  whose initiator's realm matches it.
-                 Example: <kerberos />
-                 Example: <kerberos><realm>EXAMPLE.COM</realm></kerberos>
-
-                 How to generate decent password:
-                 Execute: PASSWORD=$(base64 < /dev/urandom | head -c8); echo "$PASSWORD"; echo -n "$PASSWORD" | sha256sum | tr -d '-'
-                 In first line will be password and in second - corresponding SHA256.
-
-                 How to generate double SHA1:
-                 Execute: PASSWORD=$(base64 < /dev/urandom | head -c8); echo "$PASSWORD"; echo -n "$PASSWORD" | sha1sum | tr -d '-' | xxd -r -p | sha1sum | tr -d '-'
-                 In first line will be password and in second - corresponding double SHA1.
-            -->
-            <password></password>
-
-            <!-- List of networks with open access.
-
-                 To open access from everywhere, specify:
-                    <ip>::/0</ip>
-
-                 To open access only from localhost, specify:
-                    <ip>::1</ip>
-                    <ip>127.0.0.1</ip>
-
-                 Each element of list has one of the following forms:
-                 <ip> IP-address or network mask. Examples: 213.180.204.3 or 10.0.0.1/8 or 10.0.0.1/255.255.255.0
-                     2a02:6b8::3 or 2a02:6b8::3/64 or 2a02:6b8::3/ffff:ffff:ffff:ffff::.
-                 <host> Hostname. Example: server01.clickhouse.com.
-                     To check access, DNS query is performed, and all received addresses compared to peer address.
-                 <host_regexp> Regular expression for host names. Example, ^server\d\d-\d\d-\d\.clickhouse\.com$
-                     To check access, DNS PTR query is performed for peer address and then regexp is applied.
-                     Then, for result of PTR query, another DNS query is performed and all received addresses compared to peer address.
-                     Strongly recommended that regexp is ends with $
-                 All results of DNS requests are cached till server restart.
-            -->
-            <networks>
-                <ip>::/0</ip>
-            </networks>
-
-            <!-- Settings profile for user. -->
-            <profile>default</profile>
-
-            <!-- Quota for user. -->
-            <quota>default</quota>
-
-            <!-- User can create other users and grant rights to them. -->
-            <!-- <access_management>1</access_management> -->
-        </default>
-    </users>
-
-    <!-- Quotas. -->
-    <quotas>
-        <!-- Name of quota. -->
-        <default>
-            <!-- Limits for time interval. You could specify many intervals with different limits. -->
-            <interval>
-                <!-- Length of interval. -->
-                <duration>3600</duration>
-
-                <!-- No limits. Just calculate resource usage for time interval. -->
-                <queries>0</queries>
-                <errors>0</errors>
-                <result_rows>0</result_rows>
-                <read_rows>0</read_rows>
-                <execution_time>0</execution_time>
-            </interval>
-        </default>
-    </quotas>
-</clickhouse>
@@ -1 +0,0 @@
-server_endpoint: ws://signoz:4320/v1/opamp
@@ -1 +0,0 @@
-server_endpoint: ws://signoz:4320/v1/opamp
@@ -1,25 +0,0 @@
-# my global config
-global:
-  scrape_interval:     5s # Set the scrape interval to every 15 seconds. Default is every 1 minute.
-  evaluation_interval: 15s # Evaluate rules every 15 seconds. The default is every 1 minute.
-  # scrape_timeout is set to the global default (10s).
-
-# Alertmanager configuration
-alerting:
-  alertmanagers:
-  - static_configs:
-    - targets:
-      - alertmanager:9093
-
-# Load rules once and periodically evaluate them according to the global 'evaluation_interval'.
-rule_files: []
-  # - "first_rules.yml"
-  # - "second_rules.yml"
-  # - 'alerts.yml'
-
-# A scrape configuration containing exactly one endpoint to scrape:
-# Here it's Prometheus itself.
-scrape_configs: []
-
-remote_read:
-  - url: tcp://clickhouse:9000/signoz_metrics
@@ -8,7 +8,7 @@
  <SslPort>9898</SslPort>
  <UrlBase></UrlBase>
  <BindAddress>*</BindAddress>
-  <ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SONARR_API_KEY'] }}</ApiKey>
+  <ApiKey>{{ vault_secrets['SONARR_API_KEY'] }}</ApiKey>
  <AuthenticationMethod>Forms</AuthenticationMethod>
  <UpdateMechanism>Docker</UpdateMechanism>
  <LaunchBrowser>True</LaunchBrowser>
@@ -3,10 +3,10 @@

 {
    "sonarr_address": "http://192.168.1.2:8989",
-    "sonarr_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SONARR_API_KEY'] }}",
+    "sonarr_api_key": "{{ vault_secrets['SONARR_API_KEY'] }}",
    "root_folder_path": "/data/media/shows",
    "tvdb_api_key": "",
-    "tmdb_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['TMDB_API_KEY'] }}",
+    "tmdb_api_key": "{{ vault_secrets['TMDB_API_KEY'] }}",
    "fallback_to_top_result": false,
    "sonarr_api_timeout": 120.0,
    "quality_profile_id": 1,
@@ -2,7 +2,7 @@
 {% set secrets_path = 'rinoa-docker/env' %}

 [Lidarr]
-api_key = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIDARR_API_KEY'] }}
+api_key = {{ vault_secrets['LIDARR_API_KEY'] }}
 host_url = http://lidarr:8686
 #This should be the path mounted in lidarr that points to your slskd download directory.
 #If Lidarr is not running in Docker then this may just be the same dir as Slskd is using below.
@@ -10,7 +10,7 @@ download_dir = /storage

 [Slskd]
 #Api key from Slskd. Need to set this up manually. See link to Slskd docs above.
-api_key = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSKD_API_KEY'] }}
+api_key = {{ vault_secrets['SLSKD_API_KEY'] }}
 host_url = http://gluetun:5030
 #Slskd download directory. Should have set it up when installing Slskd.
 download_dir = /app/downloads
@@ -198,15 +198,15 @@ rooms:
 web:
  authentication:
    username: slskd
-    password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSKD_WEB_PASSSWORD'] }}
+    password: {{ vault_secrets['SLSKD_WEB_PASSSWORD'] }}
    api_keys:
      my_api_key:
-        key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSKD_API_KEY'] }}
+        key: {{ vault_secrets['SLSKD_API_KEY'] }}
        role: readwrite
        cidr: 0.0.0.0/0,::/0
 soulseek:
  address: vps.slsknet.org
  port: 2271
  username: Trez.One
-  password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSK_USER_PASSWORD'] }}
+  password: {{ vault_secrets['SLSK_USER_PASSWORD'] }}
  diagnostic_level: Info
@@ -6,7 +6,7 @@
  "repos": [
      {
          "type": "gitea",
-          "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_GITEA_TOKEN'] }}",
+          "token": "{{ vault_secrets['GITEA_SONARQUBE_BOT_GITEA_TOKEN'] }}",
          "url": "https://git.trez.wtf",
          "revisions": {
              "branches": [
@@ -24,6 +24,6 @@
    <entry key='database.driver'>org.postgresql.Driver</entry>
    <entry key='database.url'>jdbc:postgresql://traccar-pg:5432/traccar-db</entry>
    <entry key='database.user'>traccar</entry>
-    <entry key='database.password'>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['WAZUH_API_PASSWORD'] }}</entry>
+    <entry key='database.password'>{{ vault_secrets['WAZUH_API_PASSWORD'] }}</entry>

 </properties>
@@ -21,7 +21,7 @@
      auth:
        strategy: basic
        user: admin
-        password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['PARSEABLE_PASSWORD'] }}
+        password: {{ vault_secrets['PARSEABLE_PASSWORD'] }}
      request:
        headers:
          X-P-Stream: rinoa-docker-logs
@@ -6,5 +6,5 @@ hosts:
      url: "https://wazuh.manager"
      port: 55000
      username: wazuh-wui
-      password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['WAZUH_API_PASSWORD'] }}
+      password: {{ vault_secrets['WAZUH_API_PASSWORD'] }}
      run_as: false
@@ -37,7 +37,7 @@ SMTPConfiguration:
    SMTP:
      # must include the port, like smtp.mailtrap.io:2525. IPv6 is also supported, like [2001:db8::1]:2525
      Host: 'postal-smtp:25'
-      User: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}
-      Password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}
+      User: {{ vault_secrets['POSTAL_SMTP_AUTH_USER'] }}
+      Password: {{ vault_secrets['POSTAL_SMTP_AUTH_PASSWORD'] }}
    From: 'noreply@trez.wtf'
    FromName: 'Zitadel @ Rinoa'
@@ -7,7 +7,7 @@ Database:
    User:
      # If the user doesn't exist already, it is created
      Username: 'zitadel'
-      Password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['ZITADEL_DB_PASSWORD'] }}
+      Password: {{ vault_secrets['ZITADEL_DB_PASSWORD'] }}
    Admin:
      Username: 'root'
-      Password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['ZITADEL_DB_ADMIN_PASSWORD'] }}
+      Password: {{ vault_secrets['ZITADEL_DB_ADMIN_PASSWORD'] }}
@@ -12,6 +12,12 @@
        mode: '0755'
      loop: "{{ query('fileglob', 'app-configs/*.j2') }}"

+    - name: Fetch Vault secrets once
+      ansible.builtin.set_fact:
+        vault_secrets: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env',
+          engine_mount_point='rinoa-docker', url=vault_addr,
+          token=vault_token_cleaned)['secret'] }}"
+
    - name: Deploy configuration templates
      ansible.builtin.template:
        src: "{{ item }}"
@@ -1,14 +1,14 @@
 vault_addr: "https://vault.trez.wtf"
 vault_token: !vault |
  $ANSIBLE_VAULT;1.1;AES256
-  62353532343234343230663331623062376533346166343963383464303535646362376233663361
-  3532343530653365663331393339646337653564316337390a646264353561623132366635343032
-  63326535376434353837663334366336613631346161363034646134333439613531376362646161
-  6438316662626566340a346665666234386630633764376336333063363934643162393565386330
-  35333139303939613232303264646236326637613862303339353334623066393966353032333839
-  33323962303635333335376364366336663035303530396262356130373537363134303937353433
-  34393338336666396338616465666466613931373461663761366235643437646136373039353939
-  33643133313264303637646336653537383337336661313765663366356262343064316334313337
-  35306232303132653566356130343366313139336665313737363732613261623439
+  39306238386563313462666238333237346239326636633731326263653639646235363937386333
+  6138653434613437643134653463363230303038373765380a636162663734393632396638313261
+  39613730633935373063663030616131653731376461333762633131633066366165343536323031
+  3539373461383138310a383734313237313231363539383632323130336536656662313861336261
+  65393033633461363837366462656134386430353236343136616161663364376261623834366466
+  30303765393039376666303937663839663630623063666135313636353432396161333434653435
+  32623634313531343466613966663139333234616137646636636134373264333263343533393331
+  32313530373164653730656662383837626139643364376134376634613237323063343731663734
+  36306335303936633334353564306239663563366435316464343039373965383032
 vault_token_cleaned: "{{ vault_token | regex_replace('\\n', '') }}"
 secrets_path: "rinoa-docker/env"
Author	SHA1	Message	Date
Trez.One	b15306539f	Merge remote-tracking branch 'refs/remotes/origin/ansible-dry-fixes_5-20-25' into ansible-dry-fixes_5-20-25 Gitea Branch PR & Ansible Deployment / Check and Create PR (push) Has been cancelled Details Gitea Branch PR & Ansible Deployment / Ansible Linting (push) Has been cancelled Details Gitea Branch PR & Ansible Deployment / PR Merge (push) Has been cancelled Details Gitea Branch PR & Ansible Deployment / Ansible Playbook Run (Service Configs) (push) Has been cancelled Details Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / Check and Create PR (push) Has been cancelled Details Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / Docker Compose Dry Run (push) Has been cancelled Details Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / Cloudflare DNS Setup (push) Has been cancelled Details Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / Update README & Generate List of Modified Services (push) Has been cancelled Details Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / PR Merge (push) Has been cancelled Details Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / Docker Compose Deployment (push) Has been cancelled Details	2025-05-26 09:13:29 -04:00
Trez.One	9b6aaacdac	Renaming Grafana alloy config.	2025-05-26 09:12:02 -04:00
Trez.One	22ba4743ef	Renaming Grafana alloy config.	2025-05-26 09:12:02 -04:00
Trez.One	a708d28446	Changing order of tasks in playbook.	2025-05-26 09:12:02 -04:00
Trez.One	2cf916fa05	Small fixes.	2025-05-26 09:12:02 -04:00
Trez.One	05eb209229	Small fixes.	2025-05-26 09:12:02 -04:00
Trez.One	9c30f3972b	Small fixes.	2025-05-26 09:12:02 -04:00
Trez.One	f96433be4f	Small fixes.	2025-05-26 09:12:02 -04:00
Trez.One	296d4b6c35	Small fixes.	2025-05-26 09:12:02 -04:00
Trez.One	711d9cbfa9	Small fixes.	2025-05-26 09:12:02 -04:00
Trez.One	cd5f996f39	Ansible DRY fixes for Vault lookups.	2025-05-26 09:12:02 -04:00
Trez.One	305f81bbdc	Renaming Grafana alloy config. Gitea Branch PR & Ansible Deployment / Ansible Playbook Run (Service Configs) (push) Blocked by required conditions Details Gitea Branch PR & Ansible Deployment / Ansible Linting (push) Blocked by required conditions Details Gitea Branch PR & Ansible Deployment / PR Merge (push) Blocked by required conditions Details Gitea Branch PR & Ansible Deployment / Check and Create PR (push) Failing after 11m22s Details	2025-05-21 09:17:04 -04:00
Trez.One	77bb59f594	Renaming Grafana alloy config.	2025-05-21 09:16:28 -04:00
Trez.One	6245e88edc	Changing order of tasks in playbook. Gitea Branch PR & Ansible Deployment / Check and Create PR (push) Successful in 20m30s Details Gitea Branch PR & Ansible Deployment / Ansible Linting (push) Failing after 17m31s Details Gitea Branch PR & Ansible Deployment / PR Merge (push) Has been skipped Details Gitea Branch PR & Ansible Deployment / Ansible Playbook Run (Service Configs) (push) Has been skipped Details	2025-05-20 10:13:55 -04:00
Trez.One	48f9659ede	Small fixes.	2025-05-20 09:58:35 -04:00
Trez.One	6e5eb45ffe	Small fixes. Gitea Branch PR & Ansible Deployment / Check and Create PR (push) Successful in 8m19s Details Gitea Branch PR & Ansible Deployment / Ansible Linting (push) Failing after 11m55s Details Gitea Branch PR & Ansible Deployment / Ansible Playbook Run (Service Configs) (push) Has been skipped Details Gitea Branch PR & Ansible Deployment / PR Merge (push) Has been skipped Details	2025-05-20 09:22:50 -04:00
Trez.One	0c314a5000	Small fixes.	2025-05-20 09:19:04 -04:00
Trez.One	c443d73f6f	Small fixes.	2025-05-20 09:16:16 -04:00
Trez.One	124d4a86ba	Small fixes.	2025-05-20 09:16:00 -04:00
Trez.One	d08563b985	Small fixes.	2025-05-20 09:13:33 -04:00
Trez.One	6b37ad8ea4	Ansible DRY fixes for Vault lookups. Gitea Branch PR & Ansible Deployment / Check and Create PR (push) Failing after 3m6s Details Gitea Branch PR & Ansible Deployment / Docker Compose & Ansible Lints (push) Has been skipped Details Gitea Branch PR & Ansible Deployment / PR Merge (push) Failing after 9m4s Details Gitea Branch PR & Ansible Deployment / Ansible Configs & Docker Compose Deployment (push) Has been skipped Details	2025-05-20 09:06:49 -04:00