Adding Stable-Diffusion service for LibreChat.

Merged by Trez.One

.gitea/workflows/pr-ansible-config-only-deploy.yml

@@ -1,160 +0,0 @@
-name: Gitea Branch PR & Ansible Configurations Deployment
-on:
-  push:
-    branches:
-      - '**'
-    paths:
-      - '**.j2'
-jobs:
-  check-and-create-pr:
-    if: github.ref != 'refs/heads/main'
-    name: Check and Create PR
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout Code
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 1
-      - name: Cache tea CLI
-        id: cache-tea
-        uses: actions/cache@v4
-        with:
-          path: /opt/hostedtoolcache/tea/0.9.2/x64
-          key: tea-${{ runner.os }}-0.9.2
-      - name: Install tea
-        uses: supplypike/setup-bin@v4
-        with:
-          uri: 'https://gitea.com/gitea/tea/releases/download/v0.9.2/tea-0.9.2-linux-amd64'
-          name: 'tea'
-          version: '0.9.2'
-      - name: Check if open PR exists
-        id: check-opened-pr-step
-        continue-on-error: true
-        run: |
-          tea login add --name gitea-rinoa --url "${{ secrets.RINOA_GITEA_URL }}" --user gitea-sonarqube-bot --password "${{ secrets.BOT_GITEA_PASSWORD }}" --token ${{ secrets.BOT_GITEA_TOKEN }}
-          pr_exists=$(tea pr list --repo ${{ github.repository }} --state open --fields index,title,head | egrep ${{ github.ref_name }} | tail -1 | wc -l)
-          echo "exists=$pr_exists" >> $GITHUB_OUTPUT
-      - name: Create PR
-        if: ${{ steps.check-opened-pr-step.outputs.exists == '0' }}
-        run: |
-          tea login default gitea-rinoa
-          pr_index_old=$(tea pr ls --repo ${{ github.repository }} --state all --fields index,title,head --output csv | sed -e 's|"||g' | egrep '^[0-9]' | head -1 | awk -F"," '{print $1}')
-          pr_index_new=$(expr ${pr_index_old} + 1)
-          tea pr c -r ${{ github.repository }} -t "Automated PR for ${{ github.ref_name }} - #${pr_index_new}" -d "Automatically created PR for branch: ${{ github.ref_name }}" -a ${{ github.actor }} -L "Ansible Configs.j2"
-  ansible-lint:
-    name: Ansible Lint
-    needs: [check-and-create-pr]
-    runs-on: ubuntu-latest
-    env:
-      VAULT_ADDR: ${{ secrets.RINOA_VAULT_ADDR }}
-      VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
-      VAULT_NAMESPACE: ""
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-      - name: Cache Ansible Galaxy Collections
-        uses: actions/cache@v3
-        with:
-          path: ansible/collections
-          key: ${{ runner.os }}-ansible-${{ hashFiles('./ansible/collections/requirements.yml') }}
-          restore-keys: |
-            ${{ runner.os }}-ansible-
-      - name: Install Ansible
-        uses: alex-oleshkevich/setup-ansible@v1.0.1
-        with:
-          version: "11.0.0"
-      - name: Install Vault
-        uses: cpanato/vault-installer@main
-      - name: Install hvac
-        run: pip install hvac
-      - name: Ansible Playbook Dry Run
-        uses: dawidd6/action-ansible-playbook@v2
-        with:
-          directory: ansible/
-          playbook: docker_config_deploy.yml
-          key: ${{ secrets.RINOA_ANSIBLE_PRIVATE_KEY }}
-          options: |
-            --inventory inventory/hosts.yml
-            --check
-          requirements: collections/requirements.yml
-          vault_password: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
-      - name: Gotify Notification
-        uses: eikendev/gotify-action@master
-        with:
-          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
-          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
-          notification_title: 'GITEA: Ansible Config Dry Run @ Rinoa'
-          notification_message: 'Ansible dry run completed successfully.'
-  pr-merge:
-    name: PR Merge
-    needs: [regenerate-readme-modified-services]
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-      - name: Install tea
-        uses: supplypike/setup-bin@v4
-        with:
-          uri: 'https://gitea.com/gitea/tea/releases/download/v0.9.2/tea-0.9.2-linux-amd64'
-          name: 'tea'
-          version: '0.9.2'
-      - name: PR Merge
-        id: pr_merge
-        run: |
-          tea login add --name gitea-rinoa --url ${{ secrets.RINOA_GITEA_URL }} --user gitea-sonarqube-bot --password "${{ secrets.BOT_GITEA_PASSWORD }}" --token ${{ secrets.BOT_GITEA_TOKEN }}
-          tea login default gitea-rinoa
-          echo "Merging PR..."
-          pr_index=$(tea pr ls --repo ${{ github.repository }} --state open --fields index,title,head,state --output csv | egrep ${{ github.ref_name }} | awk -F"," '{print $1}' | sed -e 's|"||g')
-          tea pr m --repo ${{ github.repository }} --title "Auto Merge of PR ${pr_index} - ${{ github.ref_name }}" --message "Merged by ${{ github.actor }}" ${pr_index}
-          echo "pr_index=${pr_index}" >> $GITHUB_OUTPUT
-      - name: Gotify Notification
-        uses: eikendev/gotify-action@master
-        with:
-          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
-          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
-          notification_title: 'GITEA: PR Merge Successful'
-          notification_message: 'PR #${{ steps.pr_merge.outputs.pr_index }} merged.'
-  ansible-config-deploy:
-    name: Deploy via Ansible & Docker Compose
-    runs-on: ubuntu-latest
-    needs: [pr-merge]
-    env:
-      VAULT_ADDR: ${{ secrets.RINOA_VAULT_ADDR }}
-      VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
-      DOCKER_HOST: tcp://dockerproxy:2375
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          ref: main
-      - name: Cache Vault install
-        id: cache-vault
-        uses: actions/cache@v4
-        with:
-          path: /opt/hostedtoolcache/vault/1.18.0/x64
-          key: vault-${{ runner.os }}-1.18.0
-      - name: Install Ansible
-        uses: alex-oleshkevich/setup-ansible@v1.0.1
-        with:
-          version: "11.0.0"
-      - name: Install Vault
-        uses: cpanato/vault-installer@main
-      - name: Install hvac
-        run: pip install hvac
-      - name: Deploy Docker Configs via Ansible
-        uses: dawidd6/action-ansible-playbook@v2
-        with:
-          directory: ansible/
-          playbook: docker_config_deploy.yml
-          key: ${{secrets.RINOA_ANSIBLE_PRIVATE_KEY}}
-          options: |
-            --inventory inventory/hosts.yml
-          requirements: collections/requirements.yml
-          vault_password: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
-      - name: Gotify Notification
-        uses: eikendev/gotify-action@master
-        with:
-          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
-          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
-          notification_title: 'GITEA: Ansible Config Deployment @ Rinoa'
-          notification_message: 'Deployment completed successfully.'

.gitea/workflows/pr-cloudflare-docker-deploy.yml

@@ -1,10 +1,8 @@
 name: Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment
 on:
   push:
-    branches:
-      - '**'
-    paths:
-      - 'docker-compose.yml'
+    branches-ignore:
+      - 'main'
 jobs:
   check-and-create-pr:
     if: github.ref != 'refs/heads/main'
@@ -254,7 +252,7 @@ jobs:
           notification_title: 'GITEA: PR Merge Successful'
           notification_message: 'PR #${{ steps.pr_merge.outputs.pr_index }} merged.'
   ansible-config-docker-compose-deploy:
-    name: Deploy via Ansible & Docker Compose
+    name: Ansible Configs & Docker Compose Deployment
     runs-on: ubuntu-latest
     needs: [pr-merge]
     env:

README.md

@@ -6,6 +6,7 @@
 | --- | --- |
 | actual_server | docker.io/actualbudget/actual-server:latest |
 | adguard | adguard/adguardhome:latest |
+| archivebox | archivebox/archivebox:latest |
 | audiobookshelf | ghcr.io/advplyr/audiobookshelf:latest |
 | authelia | authelia/authelia:master |
 | authelia-pg | postgres:16-alpine |
@@ -17,6 +18,11 @@
 | bitwarden | vaultwarden/server:latest |
 | bluesky-pds | ghcr.io/bluesky-social/pds:latest |
 | browserless | ghcr.io/browserless/chromium:latest |
+| bunkerweb | bunkerity/bunkerweb:1.6.0 |
+| bunkerweb-scheduler | bunkerity/bunkerweb-scheduler:1.6.0 |
+| bunkerweb-autoconf | bunkerity/bunkerweb-autoconf:1.6.0 |
+| bunkerweb-ui | bunkerity/bunkerweb-ui:1.6.0 |
+| bytestash | ghcr.io/jordan-dalby/bytestash:latest |
 | castopod | castopod/castopod:latest |
 | cloudflared | cloudflare/cloudflared:latest |
 | cloudflareddns | ghcr.io/hotio/cloudflareddns:latest |
@@ -24,6 +30,7 @@
 | cronicle | elestio/cronicle:latest |
 | crowdsec | crowdsecurity/crowdsec:latest |
 | crowdsec-dashboard | metabase/metabase |
+| cyber-chef | mpepping/cyberchef:latest |
 | czkawka | jlesage/czkawka |
 | dawarich-app | freikin/dawarich:latest |
 | dawarich-pg-db | postgis/postgis:17-3.5-alpine |
@@ -31,6 +38,7 @@
 | dbgate | dbgate/dbgate:alpine |
 | delugevpn | ghcr.io/binhex/arch-delugevpn:latest |
 | docker-socket-proxy | ghcr.io/tecnativa/docker-socket-proxy:latest |
+| docker-volume-backup | offen/docker-volume-backup:v2 |
 | docuseal | docuseal/docuseal:latest |
 | duplicati | lscr.io/linuxserver/duplicati:latest |
 | fastenhealth | ghcr.io/fastenhealth/fasten-onprem:main |
@@ -38,7 +46,6 @@
 | ghost | ghost:latest |
 | gitea | gitea/gitea:1.23.1 |
 | gitea-db | postgres:14 |
-| gitea-opengist | ghcr.io/thomiceli/opengist:latest |
 | gitea-runner | gitea/act_runner:latest |
 | gitea-sonarqube-bot | justusbunsi/gitea-sonarqube-bot:v0.4.0 |
 | gluetun | qmcgaw/gluetun:latest |
@@ -69,14 +76,19 @@
 | jitsi-web | jitsi/web:stable |
 | joplin-db | postgres:17-alpine |
 | joplin | joplin/server:latest |
+| librechat-api | ghcr.io/danny-avila/librechat-dev:latest |
+| librechat-vectordb | ankane/pgvector:latest |
+| librechat-rag-api | ghcr.io/danny-avila/librechat-rag-api-dev-lite:latest |
 | libretranslate | libretranslate/libretranslate |
 | lidarr | lscr.io/linuxserver/lidarr:latest |
 | lidify | thewicklowwolf/lidify:latest |
 | lldap | lldap/lldap:stable |
 | maloja | krateng/maloja:latest |
+| manyfold | lscr.io/linuxserver/manyfold:latest |
 | mariadb | linuxserver/mariadb |
 | mastodon | lscr.io/linuxserver/mastodon:latest |
 | mastodon-pg-db | postgres:17-alpine |
+| meilisearch | getmeili/meilisearch:v1.12.3 |
 | minio | minio/minio |
 | mongodb | bitnami/mongodb:7.0 |
 | multi-scrobbler | foxxmd/multi-scrobbler |
@@ -91,7 +103,6 @@
 | nextcloud | nextcloud/all-in-one:latest |
 | ollama | ollama/ollama |
 | ombi | lscr.io/linuxserver/ombi:latest |
-| open-webui | ghcr.io/open-webui/open-webui:main |
 | paperless-ngx | ghcr.io/paperless-ngx/paperless-ngx:latest |
 | parseable | containers.parseable.com/parseable/parseable:latest |
 | peppermint | pepperlabs/peppermint:latest |
@@ -102,7 +113,7 @@
 | plausible | ghcr.io/plausible/community-edition:v2.1.0 |
 | plausible_db | postgres:16-alpine |
 | plausible_events_db | clickhouse/clickhouse-server:24.3.3.102-alpine |
-| portainer | portainer/portainer-ce:alpine-sts |
+| portainer | portainer/portainer-ce:2.27.0-alpine |
 | portall | need4swede/portall:latest |
 | postal-smtp | ghcr.io/postalserver/postal:latest |
 | postal-web | ghcr.io/postalserver/postal:latest |
@@ -121,11 +132,13 @@
 | scraperr-api | jpyles0524/scraperr_api:latest |
 | scrutiny | ghcr.io/analogj/scrutiny:master-omnibus |
 | searxng | searxng/searxng:latest |
+| semaphore | semaphoreui/semaphore:v2.12.14 |
 | sonarqube | mc1arke/sonarqube-with-community-branch-plugin:lts |
 | sonarqube-pg-db | postgres:17-alpine |
 | sonarr | lscr.io/linuxserver/sonarr:latest |
 | sonashow | thewicklowwolf/sonashow:latest |
 | soularr | mrusse08/soularr:latest |
+| soularr-dashboard | git.trez.wtf/trez.one/soularr-dashboard:v0.1 |
 | soulseek | slskd/slskd |
 | sourcebot | ghcr.io/sourcebot-dev/sourcebot:latest |
 | speedtest-tracker | lscr.io/linuxserver/speedtest-tracker:latest |
@@ -143,6 +156,4 @@
 | web-check | lissy93/web-check |
 | your_spotify | lscr.io/linuxserver/your_spotify:latest |
 | youtubedl | nbr23/youtube-dl-server:latest |
-| zitadel | ghcr.io/zitadel/zitadel:latest |
-| zitadel-pg-db | postgres:16-alpine |
 

ansible/app-configs/crowdsec_local-api-credentials.yaml.j2

@@ -0,0 +1,6 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+url: http://0.0.0.0:8080
+login: localhost
+password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['CROWDSEC_LOCAL_API_KEY'] }}

ansible/app-configs/homepage_settings.yaml.j2

@@ -22,33 +22,32 @@ provider: duckduckgo
 
 layout:
   System Administration:
-    # style: row
-    # columns: 4
-    fiveColumns: true
+    style: row
+    columns: 5
   Infrastructure/App Performance Monitoring:
     style: row
-    columns: 3
+    columns: 4
   Code/DevOps:
     style: row
-    columns: 3
+    columns: 4
   Social:
     style: row
     columns: 3
   Lifestyle:
     style: row
-    columns: 3
+    columns: 5
   Automation:
-    style: columns
-    row: 2
+    style: row
+    columns: 5
   Privacy/Security:
-    style: columns
-    row: 5
+    style: row
+    columns: 3
   Personal Services:
     style: row
     columns: 3
   Professional Services:
     style: row
-    columns: 3
+    columns: 5
   Servarr Stack:
     style: row
     columns: 3

ansible/app-configs/librechat_librechat.env.j2

@@ -0,0 +1,550 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+#=====================================================================#
+#                       LibreChat Configuration                       #
+#=====================================================================#
+# Please refer to the reference documentation for assistance          #
+# with configuring your LibreChat environment.                        #
+#                                                                     #
+# https://www.librechat.ai/docs/configuration/dotenv                  #
+#=====================================================================#
+
+#==================================================#
+#               Server Configuration               #
+#==================================================#
+
+HOST=localhost
+PORT=3080
+
+MONGO_URI=mongodb://librechat:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_MONGODB_PASSWORD'] }}@mongodb:27017/librechat?replicaSet=rinoa
+
+DOMAIN_CLIENT=https://ai.trez.wtf
+DOMAIN_SERVER=https://ai.trez.wtf
+
+NO_INDEX=true
+# Use the address that is at most n number of hops away from the Express application.
+# req.socket.remoteAddress is the first hop, and the rest are looked for in the X-Forwarded-For header from right to left.
+# A value of 0 means that the first untrusted address would be req.socket.remoteAddress, i.e. there is no reverse proxy.
+# Defaulted to 1.
+TRUST_PROXY=1
+
+#===============#
+# JSON Logging  #
+#===============#
+
+# Use when process console logs in cloud deployment like GCP/AWS
+CONSOLE_JSON=true
+
+#===============#
+# Debug Logging #
+#===============#
+
+DEBUG_LOGGING=true
+DEBUG_CONSOLE=false
+
+#=============#
+# Permissions #
+#=============#
+
+# UID=1000
+# GID=1000
+
+#===============#
+# Configuration #
+#===============#
+# Use an absolute path, a relative path, or a URL
+
+# CONFIG_PATH="/alternative/path/to/librechat.yaml"
+
+#===================================================#
+#                     Endpoints                     #
+#===================================================#
+
+# ENDPOINTS=openAI,assistants,azureOpenAI,google,gptPlugins,anthropic
+
+PROXY=
+
+#===================================#
+# Known Endpoints - librechat.yaml  #
+#===================================#
+# https://www.librechat.ai/docs/configuration/librechat_yaml/ai_endpoints
+
+# ANYSCALE_API_KEY=
+# APIPIE_API_KEY=
+# COHERE_API_KEY=
+DEEPSEEK_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_DEEPSEEK_API_KEY'] }}
+# DATABRICKS_API_KEY=
+# FIREWORKS_API_KEY=
+# GROQ_API_KEY=
+# HUGGINGFACE_TOKEN=
+MISTRAL_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_MISTRAL_API_KEY'] }}
+# OPENROUTER_KEY=
+# PERPLEXITY_API_KEY=
+# SHUTTLEAI_API_KEY=
+# TOGETHERAI_API_KEY=
+# UNIFY_API_KEY=
+# XAI_API_KEY=
+
+#============#
+# Anthropic  #
+#============#
+
+ANTHROPIC_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_ANTHROPIC_API_KEY'] }}
+ANTHROPIC_MODELS=claude-3-7-sonnet-latest,claude-3-7-sonnet-20250219,claude-3-5-haiku-20241022,claude-3-5-sonnet-20241022,claude-3-5-sonnet-latest,claude-3-5-sonnet-20240620,claude-3-opus-20240229,claude-3-sonnet-20240229,claude-3-haiku-20240307,claude-2.1,claude-2,claude-1.2,claude-1,claude-1-100k,claude-instant-1,claude-instant-1-100k
+# ANTHROPIC_REVERSE_PROXY=
+
+#============#
+# Azure      #
+#============#
+
+# Note: these variables are DEPRECATED
+# Use the `librechat.yaml` configuration for `azureOpenAI` instead
+# You may also continue to use them if you opt out of using the `librechat.yaml` configuration
+
+# AZURE_OPENAI_DEFAULT_MODEL=gpt-3.5-turbo # Deprecated
+# AZURE_OPENAI_MODELS=gpt-3.5-turbo,gpt-4 # Deprecated
+# AZURE_USE_MODEL_AS_DEPLOYMENT_NAME=TRUE # Deprecated
+# AZURE_API_KEY= # Deprecated
+# AZURE_OPENAI_API_INSTANCE_NAME= # Deprecated
+# AZURE_OPENAI_API_DEPLOYMENT_NAME= # Deprecated
+# AZURE_OPENAI_API_VERSION= # Deprecated
+# AZURE_OPENAI_API_COMPLETIONS_DEPLOYMENT_NAME= # Deprecated
+# AZURE_OPENAI_API_EMBEDDINGS_DEPLOYMENT_NAME= # Deprecated
+# PLUGINS_USE_AZURE="true" # Deprecated
+
+#=================#
+#   AWS Bedrock   #
+#=================#
+
+# BEDROCK_AWS_DEFAULT_REGION=us-east-1 # A default region must be provided
+# BEDROCK_AWS_ACCESS_KEY_ID=someAccessKey
+# BEDROCK_AWS_SECRET_ACCESS_KEY=someSecretAccessKey
+# BEDROCK_AWS_SESSION_TOKEN=someSessionToken
+
+# Note: This example list is not meant to be exhaustive. If omitted, all known, supported model IDs will be included for you.
+# BEDROCK_AWS_MODELS=anthropic.claude-3-5-sonnet-20240620-v1:0,meta.llama3-1-8b-instruct-v1:0
+
+# See all Bedrock model IDs here: https://docs.aws.amazon.com/bedrock/latest/userguide/model-ids.html#model-ids-arns
+
+# Notes on specific models:
+# The following models are not support due to not supporting streaming:
+# ai21.j2-mid-v1
+
+# The following models are not support due to not supporting conversation history:
+# ai21.j2-ultra-v1, cohere.command-text-v14, cohere.command-light-text-v14
+
+#============#
+# Google     #
+#============#
+
+{# GOOGLE_KEY=user_provided #}
+
+# GOOGLE_REVERSE_PROXY=
+# Some reverse proxies do not support the X-goog-api-key header, uncomment to pass the API key in Authorization header instead.
+# GOOGLE_AUTH_HEADER=true
+
+# Gemini API (AI Studio)
+# GOOGLE_MODELS=gemini-2.0-flash-exp,gemini-2.0-flash-thinking-exp-1219,gemini-exp-1121,gemini-exp-1114,gemini-1.5-flash-latest,gemini-1.0-pro,gemini-1.0-pro-001,gemini-1.0-pro-latest,gemini-1.0-pro-vision-latest,gemini-1.5-pro-latest,gemini-pro,gemini-pro-vision
+
+# Vertex AI
+# GOOGLE_MODELS=gemini-1.5-flash-preview-0514,gemini-1.5-pro-preview-0514,gemini-1.0-pro-vision-001,gemini-1.0-pro-002,gemini-1.0-pro-001,gemini-pro-vision,gemini-1.0-pro
+
+# GOOGLE_TITLE_MODEL=gemini-pro
+
+# GOOGLE_LOC=us-central1
+
+# Google Safety Settings
+# NOTE: These settings apply to both Vertex AI and Gemini API (AI Studio)
+#
+# For Vertex AI:
+# To use the BLOCK_NONE setting, you need either:
+# (a) Access through an allowlist via your Google account team, or
+# (b) Switch to monthly invoiced billing: https://cloud.google.com/billing/docs/how-to/invoiced-billing
+#
+# For Gemini API (AI Studio):
+# BLOCK_NONE is available by default, no special account requirements.
+#
+# Available options: BLOCK_NONE, BLOCK_ONLY_HIGH, BLOCK_MEDIUM_AND_ABOVE, BLOCK_LOW_AND_ABOVE
+#
+# GOOGLE_SAFETY_SEXUALLY_EXPLICIT=BLOCK_ONLY_HIGH
+# GOOGLE_SAFETY_HATE_SPEECH=BLOCK_ONLY_HIGH
+# GOOGLE_SAFETY_HARASSMENT=BLOCK_ONLY_HIGH
+# GOOGLE_SAFETY_DANGEROUS_CONTENT=BLOCK_ONLY_HIGH
+# GOOGLE_SAFETY_CIVIC_INTEGRITY=BLOCK_ONLY_HIGH
+
+#============#
+# OpenAI     #
+#============#
+
+OPENAI_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_OPENAI_API_KEY'] }}
+OPENAI_MODELS=o1,o1-mini,o1-preview,gpt-4o,chatgpt-4o-latest,gpt-4o-mini,gpt-3.5-turbo-0125,gpt-3.5-turbo-0301,gpt-3.5-turbo,gpt-4,gpt-4-0613,gpt-4-vision-preview,gpt-3.5-turbo-0613,gpt-3.5-turbo-16k-0613,gpt-4-0125-preview,gpt-4-turbo-preview,gpt-4-1106-preview,gpt-3.5-turbo-1106,gpt-3.5-turbo-instruct,gpt-3.5-turbo-instruct-0914,gpt-3.5-turbo-16k
+
+DEBUG_OPENAI=false
+
+# TITLE_CONVO=false
+# OPENAI_TITLE_MODEL=gpt-4o-mini
+
+# OPENAI_SUMMARIZE=true
+# OPENAI_SUMMARY_MODEL=gpt-4o-mini
+
+# OPENAI_FORCE_PROMPT=true
+
+# OPENAI_REVERSE_PROXY=
+
+# OPENAI_ORGANIZATION=
+
+#====================#
+#   Assistants API   #
+#====================#
+
+# ASSISTANTS_API_KEY=user_provided
+# ASSISTANTS_BASE_URL=
+# ASSISTANTS_MODELS=gpt-4o,gpt-4o-mini,gpt-3.5-turbo-0125,gpt-3.5-turbo-16k-0613,gpt-3.5-turbo-16k,gpt-3.5-turbo,gpt-4,gpt-4-0314,gpt-4-32k-0314,gpt-4-0613,gpt-3.5-turbo-0613,gpt-3.5-turbo-1106,gpt-4-0125-preview,gpt-4-turbo-preview,gpt-4-1106-preview
+
+#==========================#
+#   Azure Assistants API   #
+#==========================#
+
+# Note: You should map your credentials with custom variables according to your Azure OpenAI Configuration
+# The models for Azure Assistants are also determined by your Azure OpenAI configuration.
+
+# More info, including how to enable use of Assistants with Azure here:
+# https://www.librechat.ai/docs/configuration/librechat_yaml/ai_endpoints/azure#using-assistants-with-azure
+
+#============#
+# OpenRouter #
+#============#
+# !!!Warning: Use the variable above instead of this one. Using this one will override the OpenAI endpoint
+# OPENROUTER_API_KEY=
+
+#============#
+# Plugins    #
+#============#
+
+# PLUGIN_MODELS=gpt-4o,gpt-4o-mini,gpt-4,gpt-4-turbo-preview,gpt-4-0125-preview,gpt-4-1106-preview,gpt-4-0613,gpt-3.5-turbo,gpt-3.5-turbo-0125,gpt-3.5-turbo-1106,gpt-3.5-turbo-0613
+
+# DEBUG_PLUGINS=
+
+CREDS_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_CREDS_KEY'] }}
+CREDS_IV={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_CREDS_IV'] }}
+
+# Azure AI Search
+#-----------------
+# AZURE_AI_SEARCH_SERVICE_ENDPOINT=
+# AZURE_AI_SEARCH_INDEX_NAME=
+# AZURE_AI_SEARCH_API_KEY=
+
+# AZURE_AI_SEARCH_API_VERSION=
+# AZURE_AI_SEARCH_SEARCH_OPTION_QUERY_TYPE=
+# AZURE_AI_SEARCH_SEARCH_OPTION_TOP=
+# AZURE_AI_SEARCH_SEARCH_OPTION_SELECT=
+
+# DALL·E
+#----------------
+# DALLE_API_KEY=
+# DALLE3_API_KEY=
+# DALLE2_API_KEY=
+# DALLE3_SYSTEM_PROMPT=
+# DALLE2_SYSTEM_PROMPT=
+# DALLE_REVERSE_PROXY=
+# DALLE3_BASEURL=
+# DALLE2_BASEURL=
+
+# DALL·E (via Azure OpenAI)
+# Note: requires some of the variables above to be set
+#----------------
+# DALLE3_AZURE_API_VERSION=
+# DALLE2_AZURE_API_VERSION=
+
+
+# Google
+#-----------------
+GOOGLE_SEARCH_API_KEY=
+GOOGLE_CSE_ID=
+
+# YOUTUBE
+#-----------------
+YOUTUBE_API_KEY=
+
+# SerpAPI
+#-----------------
+SERPAPI_API_KEY=
+
+# Stable Diffusion
+#-----------------
+SD_WEBUI_URL=http://stable-diffusion-webui:7860
+
+# Tavily
+#-----------------
+TAVILY_API_KEY=
+
+# Traversaal
+#-----------------
+TRAVERSAAL_API_KEY=
+
+# WolframAlpha
+#-----------------
+WOLFRAM_APP_ID=
+
+# Zapier
+#-----------------
+ZAPIER_NLA_API_KEY=
+
+#==================================================#
+#                      Search                      #
+#==================================================#
+
+SEARCH=true
+MEILI_NO_ANALYTICS=true
+MEILI_HOST=http://meilisearch:7700
+MEILI_MASTER_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MEILISEARCH_MASTER_KEY'] }}
+
+# Optional: Disable indexing, useful in a multi-node setup
+# where only one instance should perform an index sync.
+# MEILI_NO_SYNC=true
+
+#==================================================#
+#          Speech to Text & Text to Speech         #
+#==================================================#
+
+STT_API_KEY=
+TTS_API_KEY=
+
+#==================================================#
+#                        RAG                       #
+#==================================================#
+# More info: https://www.librechat.ai/docs/configuration/rag_api
+
+# RAG_OPENAI_BASEURL=
+# RAG_OPENAI_API_KEY=
+# RAG_USE_FULL_CONTEXT=
+# EMBEDDINGS_PROVIDER=openai
+# EMBEDDINGS_MODEL=text-embedding-3-small
+
+#===================================================#
+#                    User System                    #
+#===================================================#
+
+#========================#
+# Moderation             #
+#========================#
+
+OPENAI_MODERATION=false
+OPENAI_MODERATION_API_KEY=
+# OPENAI_MODERATION_REVERSE_PROXY=
+
+BAN_VIOLATIONS=true
+BAN_DURATION=1000 * 60 * 60 * 2
+BAN_INTERVAL=20
+
+LOGIN_VIOLATION_SCORE=1
+REGISTRATION_VIOLATION_SCORE=1
+CONCURRENT_VIOLATION_SCORE=1
+MESSAGE_VIOLATION_SCORE=1
+NON_BROWSER_VIOLATION_SCORE=20
+
+LOGIN_MAX=7
+LOGIN_WINDOW=5
+REGISTER_MAX=5
+REGISTER_WINDOW=60
+
+LIMIT_CONCURRENT_MESSAGES=true
+CONCURRENT_MESSAGE_MAX=2
+
+LIMIT_MESSAGE_IP=true
+MESSAGE_IP_MAX=40
+MESSAGE_IP_WINDOW=1
+
+LIMIT_MESSAGE_USER=false
+MESSAGE_USER_MAX=40
+MESSAGE_USER_WINDOW=1
+
+ILLEGAL_MODEL_REQ_SCORE=5
+
+#========================#
+# Balance                #
+#========================#
+
+CHECK_BALANCE=false
+# START_BALANCE=20000 # note: the number of tokens that will be credited after registration.
+
+#========================#
+# Registration and Login #
+#========================#
+
+ALLOW_EMAIL_LOGIN=true
+ALLOW_REGISTRATION=true
+ALLOW_SOCIAL_LOGIN=false
+ALLOW_SOCIAL_REGISTRATION=false
+ALLOW_PASSWORD_RESET=false
+# ALLOW_ACCOUNT_DELETION=true # note: enabled by default if omitted/commented out
+ALLOW_UNVERIFIED_EMAIL_LOGIN=true
+
+SESSION_EXPIRY=1000 * 60 * 15
+REFRESH_TOKEN_EXPIRY=(1000 * 60 * 60 * 24) * 7
+
+JWT_SECRET={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_JWT_SECRET'] }}
+JWT_REFRESH_SECRET={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_JWT_REFRESH_SECRET'] }}
+
+
+# Discord
+DISCORD_CLIENT_ID=
+DISCORD_CLIENT_SECRET=
+DISCORD_CALLBACK_URL=/oauth/discord/callback
+
+# Facebook
+FACEBOOK_CLIENT_ID=
+FACEBOOK_CLIENT_SECRET=
+FACEBOOK_CALLBACK_URL=/oauth/facebook/callback
+
+# GitHub
+GITHUB_CLIENT_ID=
+GITHUB_CLIENT_SECRET=
+GITHUB_CALLBACK_URL=/oauth/github/callback
+# GitHub Enterprise
+# GITHUB_ENTERPRISE_BASE_URL=
+# GITHUB_ENTERPRISE_USER_AGENT=
+
+# Google
+GOOGLE_CLIENT_ID=
+GOOGLE_CLIENT_SECRET=
+GOOGLE_CALLBACK_URL=/oauth/google/callback
+
+# Apple
+APPLE_CLIENT_ID=
+APPLE_TEAM_ID=
+APPLE_KEY_ID=
+APPLE_PRIVATE_KEY_PATH=
+APPLE_CALLBACK_URL=/oauth/apple/callback
+
+# OpenID
+OPENID_CLIENT_ID=
+OPENID_CLIENT_SECRET=
+OPENID_ISSUER=
+OPENID_SESSION_SECRET=
+OPENID_SCOPE="openid profile email"
+OPENID_CALLBACK_URL=/oauth/openid/callback
+OPENID_REQUIRED_ROLE=
+OPENID_REQUIRED_ROLE_TOKEN_KIND=
+OPENID_REQUIRED_ROLE_PARAMETER_PATH=
+# Set to determine which user info property returned from OpenID Provider to store as the User's username
+OPENID_USERNAME_CLAIM=
+# Set to determine which user info property returned from OpenID Provider to store as the User's name
+OPENID_NAME_CLAIM=
+
+OPENID_BUTTON_LABEL=
+OPENID_IMAGE_URL=
+
+# LDAP
+# LDAP_URL=
+# LDAP_BIND_DN=
+# LDAP_BIND_CREDENTIALS=
+# LDAP_USER_SEARCH_BASE=
+# LDAP_SEARCH_FILTER=mail=
+# LDAP_CA_CERT_PATH=
+# LDAP_TLS_REJECT_UNAUTHORIZED=
+# LDAP_LOGIN_USES_USERNAME=true
+# LDAP_ID=
+# LDAP_USERNAME=
+# LDAP_EMAIL=
+# LDAP_FULL_NAME=
+
+#========================#
+# Email Password Reset   #
+#========================#
+
+EMAIL_SERVICE=
+EMAIL_HOST=postal-smtp
+EMAIL_PORT=25
+EMAIL_ENCRYPTION=
+EMAIL_ENCRYPTION_HOSTNAME=
+EMAIL_ALLOW_SELFSIGNED=
+EMAIL_USERNAME=
+EMAIL_PASSWORD=
+EMAIL_FROM_NAME=
+EMAIL_FROM=noreply@librechat.ai
+
+#========================#
+# Firebase CDN           #
+#========================#
+
+# FIREBASE_API_KEY=
+# FIREBASE_AUTH_DOMAIN=
+# FIREBASE_PROJECT_ID=
+# FIREBASE_STORAGE_BUCKET=
+# FIREBASE_MESSAGING_SENDER_ID=
+# FIREBASE_APP_ID=
+
+#========================#
+# Shared Links           #
+#========================#
+
+ALLOW_SHARED_LINKS=true
+ALLOW_SHARED_LINKS_PUBLIC=true
+
+#==============================#
+# Static File Cache Control    #
+#==============================#
+
+# Leave commented out to use defaults: 1 day (86400 seconds) for s-maxage and 2 days (172800 seconds) for max-age
+# NODE_ENV must be set to production for these to take effect
+# STATIC_CACHE_MAX_AGE=172800
+# STATIC_CACHE_S_MAX_AGE=86400
+
+# If you have another service in front of your LibreChat doing compression, disable express based compression here
+# DISABLE_COMPRESSION=true
+
+#===================================================#
+#                        UI                         #
+#===================================================#
+
+APP_TITLE=LibreChat
+# CUSTOM_FOOTER="My custom footer"
+HELP_AND_FAQ_URL=https://librechat.ai
+
+# SHOW_BIRTHDAY_ICON=true
+
+# Google tag manager id
+#ANALYTICS_GTM_ID=user provided google tag manager id
+
+#===============#
+# REDIS Options #
+#===============#
+
+REDIS_URI=redis:6379
+USE_REDIS=true
+
+# USE_REDIS_CLUSTER=true
+# REDIS_CA=/path/to/ca.crt
+
+#==================================================#
+#                      Others                      #
+#==================================================#
+#   You should leave the following commented out   #
+
+# NODE_ENV=
+
+# E2E_USER_EMAIL=
+# E2E_USER_PASSWORD=
+
+#=====================================================#
+#                  Cache Headers                      #
+#=====================================================#
+#   Headers that control caching of the index.html    #
+#   Default configuration prevents caching to ensure  #
+#   users always get the latest version. Customize    #
+#   only if you understand caching implications.      #
+
+# INDEX_HTML_CACHE_CONTROL=no-cache, no-store, must-revalidate
+# INDEX_HTML_PRAGMA=no-cache
+# INDEX_HTML_EXPIRES=0
+
+# no-cache: Forces validation with server before using cached version
+# no-store: Prevents storing the response entirely
+# must-revalidate: Prevents using stale content when offline
+
+#=====================================================#
+#                  OpenWeather                        #
+#=====================================================#
+OPENWEATHER_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['HOMEPAGE_OPENWEATHERMAP_API_KEY'] }}

ansible/app-configs/librechat_librechat.yaml.j2

@@ -0,0 +1,32 @@
+endpoints:
+  custom:
+    - name: "Ollama"
+      apiKey: "ollama"
+      baseURL: "http://ollama:11434/v1/chat/completions"
+      models:
+        default: [
+          "deepseek-r1",
+          "deepseek-coder-v2",
+          "deepseek-v3",
+          "llama3.3",
+          "phi4",
+          "qwen2.5",
+          "llama2",
+          "mistral",
+          "codellama",
+          "tinyllama",
+          "starcoder2",
+          "dolphin-mixtral",
+          "smollm2",
+          "orca-mini",
+          "mistral-openorca"
+        ]
+# fetching list of models is supported but the `name` field must start
+# with `ollama` (case-insensitive), as it does in this example.
+        fetch: true
+      titleConvo: true
+      titleModel: "current_model"
+      summarize: false
+      summaryModel: "current_model"
+      forcePrompt: false
+      modelDisplayLabel: "Ollama"

ansible/app-configs/postal_postal.yml.j2

@@ -30,6 +30,9 @@ message_db:
 smtp_server:
   default_port: 25
   default_bind_address: "::"
+  tls_enabled: true
+  tls_certificate_path: /config/certs/fullchain.pem
+  tls_private_key_path: /config/certs/privkey.pem
 
 dns:
   # Specify the DNS records that you have configured. Refer to the documentation at

ansible/app-configs/sabnzbdvpn_sabnzbd.ini.j2

@@ -342,7 +342,7 @@ host = news.newshosting.com
 port = 563
 timeout = 60
 username = thetrezuredone
-password = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSKD_PASSWORD'] }}
+password = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSK_USER_PASSWORD'] }}
 connections = 8
 ssl = 1
 ssl_verify = 3

ansible/app-configs/soularr_config.ini.j2

@@ -0,0 +1,76 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+[Lidarr]
+api_key = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIDARR_API_KEY'] }}
+host_url = http://lidarr:8686
+#This should be the path mounted in lidarr that points to your slskd download directory.
+#If Lidarr is not running in Docker then this may just be the same dir as Slskd is using below.
+download_dir = /storage
+
+[Slskd]
+#Api key from Slskd. Need to set this up manually. See link to Slskd docs above.
+api_key = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSKD_API_KEY'] }}
+host_url = http://gluetun:5030
+#Slskd download directory. Should have set it up when installing Slskd.
+download_dir = /app/downloads
+#Removes searches from Slskd after the search finishes.
+delete_searches = False
+#Maximum time (in seconds) that the script will wait for downloads to complete.
+#This is used to prevent the script from running forever due to a stalled download. Defaults to 1 hour.
+stalled_timeout = 3600
+
+[Release Settings]
+#Selects the release with the most common amount of tracks out of all the releases.
+use_most_common_tracknum = True
+allow_multi_disc = True
+#See full list of countries below.
+accepted_countries = Europe,Japan,United Kingdom,United States,[Worldwide],Australia,Canada
+#See full list of formats below.
+accepted_formats = CD,Digital Media,Vinyl
+
+[Search Settings]
+search_timeout = 5000
+maximum_peer_queue = 50
+#Min upload speed in bit/s
+minimum_peer_upload_speed = 0
+#Min match ratio accepted when comparing lidarr track names to soulseek filenames.
+minimum_filename_match_ratio = 0.5
+#Specify the file types you prefer from most to least. As well as their attributes such as bitrate / samplerate / bitdepth.
+#For flacs you can choose the bitdepth/samplerate. And for mp3s the bitrate.
+#If you do not care about the specific quality you can still just put "flac" or "mp3".
+#Soularr will then just look at the filetype and ignore file attributes.
+allowed_filetypes = flac 24/192,flac 16/44.1,flac,mp3 320,mp3
+ignored_users = User1,User2,Fred,Bob
+#Set to False if you only want to search for complete albums
+search_for_tracks = True
+#Set to True if you want to add the artist's name to the beginning of the search for albums
+album_prepend_artist = False
+track_prepend_artist = True
+#Valid search types: all || incrementing_page || first_page
+  #"all" will search for every wanted record everytime soularr is run.
+  #"incrementing_page" will start with the first page and increment to the next on each run.
+  #"first_page" will repeatedly search the first page.
+#If using the search type "first_page" remove_wanted_on_failure should be enabled.
+search_type = incrementing_page
+#How mancy records to grab each run, must be a number between 1 - 2,147,483,647
+number_of_albums_to_grab = 10
+#Unmonitors the album if Soularr can't find it and places it in "failure_list.txt".
+#Failed albums can be re monitored by filtering "Unmonitored" in the Lidarr wanted list.
+remove_wanted_on_failure = False
+#Comma separated list of words that can't be in the title of albums or tracks. Case insensitive.
+title_blacklist = BlacklistWord1,blacklistword2
+#Lidarr source to use for searching. Accepted values are "all", "missing", or "cutoff_unmet". If "all" is selected
+# then both missing and cutoff_unme will be searched. The default value is "missing".
+search_source = missing
+
+[Logging]
+#These options are passed into the logger's basicConfig() method as-is.
+#This means, if you're familiar with Python's logging module, you can configure
+#the logger with options beyond what's listed here by default.
+#For more information on available options  --  https://docs.python.org/3/library/logging.html#logging.basicConfig
+level = INFO
+# Format of log message  --  https://docs.python.org/3/library/logging.html#logrecord-attributes
+format = [%(levelname)s|%(module)s|L%(lineno)d] %(asctime)s: %(message)s
+# Format of datetimes  --  https://docs.python.org/3/library/time.html#time.strftime
+datefmt = %Y-%m-%dT%H:%M:%S%z

ansible/app-configs/soulseek_slskd.yml.j2

@@ -1,238 +1,212 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 
-# debug: false
-# remote_configuration: false
-# remote_file_management: false
-# instance_name: default
-# flags:
-#   no_logo: false
-#   no_start: false
-#   no_config_watch: false
-#   no_connect: false
-#   no_share_scan: false
-#   force_share_scan: false
-#   no_version_check: false
-#   log_sql: false
-#   experimental: false
-#   volatile: false
-#   case_sensitive_reg_ex: false
-#   legacy_windows_tcp_keepalive: false
-# relay:
-#   enabled: false
-#   mode: controller # controller (default), agent, or debug (for local development)
-#   # controller config is required when running in 'agent' mode
-#   # this specifies the relay controller that will be controlling this agent
-#   controller:
-#     address: https://some.site.com:5000
-#     ignore_certificate_errors: false
-#     api_key: <a 16-255 character string corresponding to one of the controller's 'readwrite' or 'administrator' API keys>
-#     secret: <a 16-255 character shared secret matching the controller's config for this agent>
-#     downloads: false
-#   # agent config is optional when running in 'controller' mode
-#   # this specifies all of the agents capable of connecting
-#   agents:
-#     my_agent:
-#       instance_name: my_agent # make sure the top-level instance_name of the agent matches!
-#       secret: <a 16-255 character string unique to this agent>
-#       cidr: 0.0.0.0/0,::/0
-# permissions:
-#   file:
-#     mode: ~ # not for Windows, chmod syntax, e.g. 644, 777. can't escalate beyond umask
-# directories:
-#   incomplete: ~
-#   downloads: ~
-# shares:
-#   directories:
-#     - ~
-#   filters:
-#     - \.ini$
-#     - Thumbs.db$
-#     - \.DS_Store$
-#   cache:
-#     storage_mode: memory
-#     workers: 16
-#     retention: ~ # retain indefinitely (do not automatically re-scan)
-# rooms:
-#   - ~
-# global:
-#   upload:
-#     slots: 20
-#     speed_limit: 1000 # in kibibytes
-#   limits:
-#     queued:
-#       files: 500
-#       megabytes: 5000
-#     daily:
-#       files: 1000
-#       megabytes: 10000
-#       failures: 200
-#     weekly:
-#       files: 5000
-#       megabytes: 50000
-#       failures: 1000
-#   download:
-#     slots: 500
-#     speed_limit: 1000
-# groups:
-#   default:
-#     upload:
-#       priority: 500
-#       strategy: roundrobin
-#       slots: 10
-#     limits:
-#       queued:
-#         files: 150
-#         megabytes: 1500
-#       daily: ~ # no daily limits (weekly still apply)
-#       weekly:
-#         files: 1500
-#         megabytes: 15000
-#         failures: 150
-#   leechers:
-#     thresholds:
-#       files: 1
-#       directories: 1
-#     upload:
-#       priority: 999
-#       strategy: roundrobin
-#       slots: 1
-#       speed_limit: 100
-#     limits:
-#       queued:
-#         files: 15
-#         megabytes: 150
-#       daily:
-#         files: 30
-#         megabytes: 300
-#         failures: 10
-#       weekly:
-#         files: 150
-#         megabytes: 1500
-#         failures: 30
-#   blacklisted:
-#     members:
-#       - <username to blacklist>
-#     cidrs:
-#       - <CIDR to blacklist, e.g. 255.255.255.255/32>
-#   user_defined:
-#     my_buddies:
-#       upload:
-#         priority: 250
-#         strategy: firstinfirstout
-#         slots: 10
-#       limits:
-#         queued:
-#           files: 1000 # override global default
-#       members:
-#         - alice
-#         - bob
-# blacklist:
-#   enabled: true
-#   file: <path to file containing CIDRs to blacklist>
-# filters:
-#   search:
-#     request:
-#       - ^.{1,2}$
-# web:
-#   port: 5030
-#   https:
-#     disabled: false
-#     port: 5031
-#     force: false
-#     certificate:
-#       pfx: ~
-#       password: ~
-#   url_base: /
-#   content_path: wwwroot
-#   logging: false
-#   authentication:
-#     disabled: false
-#     username: slskd
-#     password: slskd
-#     jwt:
-#       key: ~
-#       ttl: 604800000
-#     api_keys:
-#       my_api_key:
-#         key: <some example string between 16 and 255 characters>
-#         role: readonly # readonly, readwrite, administrator
-#         cidr: 0.0.0.0/0,::/0
-# retention:
-#   transfers:
-#     upload:
-#       succeeded: 1440 # 1 day
-#       errored: 30
-#       cancelled: 5
-#     download:
-#       succeeded: 1440 # 1 day
-#       errored: 20160 # 2 weeks 
-#       cancelled: 5
-#   files:
-#     complete: 20160 # 2 weeks
-#     incomplete: 43200 # 30 days
-#   logs: 259200 # 180 days
-# logger:
-#   disk: false
-#   no_color: false
-#   loki: ~
-# metrics:
-#   enabled: false
-#   url: /metrics
-#   authentication:
-#     disabled: false
-#     username: slskd
-#     password: slskd
-# feature:
-#   swagger: false
-# soulseek:
-#   address: vps.slsknet.org
-#   port: 2271
-#   username: ~
-#   password: ~
-#   description: |
-#     A slskd user. https://github.com/slskd/slskd
-#   listen_ip_address: 0.0.0.0
-#   listen_port: 50300
-#   diagnostic_level: Info
-#   distributed_network:
-#     disabled: false
-#     disable_children: false
-#     child_limit: 25
-#     logging: false
-#   connection:
-#     timeout:
-#       connect: 10000
-#       inactivity: 15000
-#     buffer:
-#       read: 16384
-#       write: 16384
-#       transfer: 262144
-#       write_queue: 250
-#     proxy:
-#       enabled: false
-#       address: ~
-#       port: ~
-#       username: ~
-#       password: ~
-# integration:
-#   ftp:
-#     enabled: false
-#     address: ~
-#     port: ~
-#     username: ~
-#     password: ~
-#     remote_path: /
-#     encryption_mode: auto
-#     ignore_certificate_errors: false
-#     overwrite_existing: true
-#     connection_timeout: 5000
-#     retry_attempts: 3
-#   pushbullet:
-#     enabled: false
-#     access_token: ~
-#     notification_prefix: "From slskd:"
-#     notify_on_private_message: true
-#     notify_on_room_mention: true
-#     retry_attempts: 3
-#     cooldown_time: 900000
+directories:
+  incomplete: /app/incomplete
+  downloads: /app/downloads
+shares:
+  directories:
+    - /music
+rooms:
+  - '! meow chat :3'
+  - '#ANUS'
+  - '#CORONAVIRUS'
+  - '#Horrorcore'
+  - '#La France'
+  - '#icilombre-hardcore'
+  - '#polska'
+  - '#vegan'
+  - $$RARE RAP MUSIC$$
+  - ([6)]
+  - +Autism+
+  - +BlackMetal+
+  - +HIP_HOP_SCENE_RELEASES+
+  - /mu/
+  - 60lover
+  - 60lover v2
+  - 70 Rare groove Soul Jazz
+  - 80's 12 Inches & More
+  - 90's Rare Riddim !!
+  - 90's emo
+  - <>Electronics Labels<>
+  - ACID
+  - ARGENTINA
+  - "ATLLUMINATI\u201Cawareness"
+  - AUSTRALIA
+  - Alcohol
+  - Ambient
+  - Anime
+  - Audiobooks
+  - Avantgarde
+  - BDSM
+  - BLUES BUNKER MUSIC
+  - BOB DYLAN ROOM
+  - BigEdsClassicRock
+  - BigedsSixties
+  - Blues&Soul
+  - Bootlegged concerts
+  - Brasil
+  - Breakcore
+  - CHILE
+  - Canada
+  - China Room
+  - Chiptunes
+  - Christians
+  - Classical
+  - Come To The Sabbath !
+  - Communism
+  - DEATH METAL CLUB
+  - Dark Ambient
+  - De Koffie Shop
+  - De Kroeg
+  - Deathrock
+  - DieMilitarmusik
+  - Disco Classics
+  - Doom Metal
+  - Doujin Music
+  - Dub Techno
+  - Dubstep
+  - EBM-GOTHIC-INDUSTRIAL
+  - EBooks
+  - Emo
+  - Eurodance
+  - Eurovision Song Contest
+  - Experimental Electronica
+  - FOLK MUSIC
+  - Free Jazz
+  - Furry
+  - Gay
+  - Gothic
+  - Greece
+  - Grindcore
+  - HEE cum eaters 1! !
+  - HOUSE MUSIC LOVERS (AG)
+  - Happy Hardcore
+  - Hardcore NL
+  - Hardcore/punk
+  - Hip Hop
+  - Horror movies
+  - IDM
+  - INDUSTRIAL
+  - IReGGaeGaLaXy
+  - Incredibly Strange Music
+  - Israel
+  - Jaz (Full CDs)
+  - Jazz
+  - Jazz-Rock-Fusion-Guitar
+  - Juggalo Family
+  - Jungle
+  - Korean Music
+  - LANGUAGE EXCHANGE here
+  - LGBTQ+!!
+  - Last.fm
+  - Linux
+  - Lossless Scores
+  - MOVIES
+  - Mac Users
+  - Metal
+  - MovieMusic
+  - NORWAY
+  - New Crystal Vibrations
+  - New Wave
+  - New Zealand
+  - OLD SKOOL GANGSTA SHIT
+  - OLDSCHOOL 88-94
+  - OLI SHOTA CUB ROOM!
+  - Original Blues Bunker
+  - PSYCHEDELIA
+  - PUNK/HARDCORE/GRIND
+  - Portugal
+  - Post Punk
+  - Post-Hardcore (modern)
+  - Progressive Rock
+  - Psychedelic/Acid Rock
+  - Psytrance
+  - Quebec
+  - REGGAE
+  - Rare Music
+  - RareVHS/DVD/Rips
+  - Retro Gaming
+  - Romania
+  - Room Name
+  - SIsk Idiots !!
+  - SLUDGE!
+  - Slovenia
+  - Soundtracks&Scores
+  - Spain
+  - Stoner HiVe
+  - Stoner Rock
+  - Strange Music
+  - TECHNO, Mixes and Tunes
+  - THC
+  - Talia
+  - The Dangerous Kitchen
+  - TheScoreZone
+  - Thrash Metal
+  - Tinmans Movie Room
+  - Trip-Hop
+  - Ttalian_dancefloor
+  - Twee Folks
+  - UK DUB
+  - URIDDIM!!
+  - Ukraine
+  - Underground Hiphop
+  - VAPORWAVE
+  - Video Game Chat
+  - Vinyl Addicts
+  - Vocaloid
+  - WHATCDs
+  - World Music
+  - Yacht Rock
+  - '[German] [Deutsch]'
+  - abbey road Itd
+  - anime cunny
+  - bleeps&klonks
+  - breakbeat
+  - comics
+  - deep house connection
+  - drum'n'bass
+  - eesti mehed
+  - electro
+  - flacfield
+  - food
+  - for Losers
+  - hungary
+  - indie
+  - japanese music
+  - library music
+  - lossless
+  - minimal music
+  - museek
+  - noise
+  - 'on'
+  - postrock
+  - programming
+  - progressive house
+  - public porn
+  - r/musichoarder
+  - ru
+  - shoegaze
+  - tapekvit
+  - test
+  - trancEaddict
+  - trivia
+  - what.cd
+  - what.cd electronic
+  - what.cd-flac
+  - '{Italo Disco'
+web:
+  authentication:
+    username: slskd
+    password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSKD_WEB_PASSSWORD'] }}
+    api_keys:
+      my_api_key:
+        key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSKD_API_KEY'] }}
+        role: readwrite
+        cidr: 0.0.0.0/0,::/0
+soulseek:
+  address: vps.slsknet.org
+  port: 2271
+  username: Trez.One
+  password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSK_USER_PASSWORD'] }}
+  diagnostic_level: Info

docker-compose.yml

@@ -1,4 +1,11 @@
 name: compose
+x-bw-ui-env: &bw-ui-env
+  # We anchor the environment variables to avoid duplication
+  AUTOCONF_MODE: yes
+  DATABASE_URI: "mariadb+pymysql://bunkerweb:${BUNKERWEB_DB_PASSWORD}@mariadb:3306/bunkerweb" # Remember to set a stronger password for the database
+  USE_REAL_IP: yes
+  REAL_IP_FROM: 172.18.0.0/16
+  REAL_IP_HEADER: 'X-Forwarded-For'
 networks:
   bitmagnet:
     driver: bridge
@@ -95,6 +102,37 @@ services:
         type: bind
         bind:
           create_host_path: true
+  archivebox:
+    container_name: archivebox
+    dns:
+      - adguard
+    environment:
+      ADMIN_USERNAME: admin            # creates an admin user on first run with the given user/pass combo
+      ADMIN_PASSWORD: ${ARCHIVEBOX_ADMIN_PASSWORD}
+      ALLOWED_HOSTS: '*'                   # set this to the hostname(s) you're going to serve the site from!
+      CSRF_TRUSTED_ORIGINS: http://localhost:8000  # you MUST set this to the server's URL for admin login and the REST API to work
+      PUBLIC_INDEX: false                 # set to False to prevent anonymous users from viewing snapshot list
+      PUBLIC_SNAPSHOTS: false             # set to False to prevent anonymous users from viewing snapshot content
+      PUBLIC_ADD_VIEW: false             # set to True to allow anonymous users to submit new URLs to archive
+      SEARCH_BACKEND_ENGINE: ripgrep       # tells ArchiveBox to use sonic container below for fast full-text search
+    image: archivebox/archivebox:latest
+    labels:
+      homepage.group: Personal Services
+      homepage.name: ArchiveBox
+      homepage.href: https://archive.${MY_TLD}
+      homepage.icon: archivebox.png
+      homepage.description: Podcasts, eBooks, & Audiobooks
+      swag: enable
+      swag_port: 8000
+      swag_proto: http
+      swag_url: archive.${MY_TLD}
+      swag.uptime-kuma.enabled: true
+      swag.uptime-kuma.monitor.url: https://archive.${MY_TLD}
+    ports:
+      - 21324:8000
+    volumes:
+      - ${DOCKER_VOLUME_CONFIG}/archivebox:/data
+      # ./data/personas/Default/chrome_profile/Default:/data/personas/Default/chrome_profile/Default
   audiobookshelf:
     container_name: audiobookshelf
     environment:
@@ -362,6 +400,7 @@ services:
     networks:
       bitmagnet:
         ipv4_address: 192.168.55.8
+      default: null
     restart: unless-stopped
     shm_size: 1g
     volumes:
@@ -477,6 +516,95 @@ services:
     networks:
       default: null
     restart: unless-stopped
+  bunkerweb:
+    container_name: bunkerweb
+    image: bunkerity/bunkerweb:1.6.0
+    environment:
+      AUTOCONF_MODE: yes
+      API_WHITELIST_IP: 127.0.0.0/8 172.18.0.0/16
+    labels:
+      bunkerweb.INSTANCE: yes
+    ports:
+      - 27002:8080
+      - 63824:8443
+    restart: unless-stopped
+  bunkerweb-scheduler:
+    container_name: bunkerweb-scheduler
+    environment:
+      <<: *bw-ui-env
+      BUNKERWEB_INSTANCES: bunkerweb
+      SERVER_NAME: bunker.trez.wtf
+      API_WHITELIST_IP: 127.0.0.0/8 172.18.0.0/16
+      MULTISITE: yes
+      UI_HOST: http://bunkerweb-ui:7000 # Change it if needed
+      SERVE_FILES: no
+      DISABLE_DEFAULT_SERVER: yes
+      USE_CLIENT_CACHE: yes
+      USE_GZIP: yes
+      USE_REVERSE_PROXY: yes
+      REVERSE_PROXY_URL: /
+      REVERSE_PROXY_HOST: http://swag:80
+    image: bunkerity/bunkerweb-scheduler:1.6.0
+    restart: unless-stopped
+    volumes:
+      - bunkerweb-storage:/data # This is used to persist the cache and other data like the backups
+  bunkerweb-autoconf:
+    container_name: bunkerweb-autoconf
+    depends_on:
+      - docker-socket-proxy
+    environment:
+      <<: *bw-ui-env
+      DOCKER_HOST: tcp://dockerproxy:2375
+    image: bunkerity/bunkerweb-autoconf:1.6.0
+    restart: unless-stopped
+  bunkerweb-ui:
+    container_name: bunkerweb-ui
+    environment:
+      <<: *bw-ui-env
+      TOTP_SECRETS: ${BUNKERWEB_TOTP_SECRETS}
+    expose:
+      - 7000
+    image: bunkerity/bunkerweb-ui:1.6.0
+    labels:
+      homepage.group: Privacy/Security
+      homepage.name: Bunker Web
+      homepage.href: https://bunker.${MY_TLD}
+      homepage.icon: bunkerweb.svg
+      homepage.description: Next-gen WAF
+      swag: enable
+      swag_port: 7000
+      swag_url: bunker.${MY_TLD}
+      swag.uptime-kuma.enabled: true
+      swag.uptime-kuma.monitor.url: https://bunker.${MY_TLD}
+    restart: unless-stopped
+  bytestash:
+    container_name: bytestash
+    environment:
+      BASE_PATH:
+      JWT_SECRET: ${BYTESTASH_JWT_SECRET}
+      TOKEN_EXPIRY: 24h
+      ALLOW_NEW_ACCOUNTS: true
+      DEBUG: true
+      DISABLE_ACCOUNTS: false
+      DISABLE_INTERNAL_ACCOUNTS: false
+    image: ghcr.io/jordan-dalby/bytestash:latest
+    labels:
+      homepage.description: Code Gists/Snippets
+      homepage.group: Code/DevOps
+      homepage.href: https://gist.trez.wtf
+      homepage.icon: bytestash.svg
+      homepage.name: Bytestash
+      swag: enable
+      swag_port: 5000
+      swag_proto: http
+      swag_url: gist.trez.wtf
+      swag.uptime-kuma.enabled: true
+      swag.uptime-kuma.monitor.url: https://gist.trez.wtf
+    ports:
+      - 62139:5000
+    restart: always
+    volumes:
+      - ${DOCKER_VOLUME_CONFIG}/bytestash:/data/snippets
   castopod:
     container_name: castopod
     depends_on:
@@ -696,10 +824,29 @@ services:
       - 8908:3000
     restart: always
     volumes:
+      - ${DOCKER_VOLUME_CONFIG}/crowdsec/local-api-credentials.yaml:/etc/crowdsec/local_api_credentials.yaml
       - source: crowdsec-db
         target: /data/
         type: volume
         volume: {}
+  cyber-chef:
+    container_name: cyber-chef
+    image: mpepping/cyberchef:latest
+    labels:
+      homepage.description: Web app for encryption, encoding, compression, and data analysis
+      homepage.group: Code/DevOps
+      homepage.href: https://cchef.trez.wtf
+      homepage.icon: cyberchef.svg
+      homepage.name: CyberChef
+      swag: enable
+      swag_port: 8000
+      swag_proto: http
+      swag_url: cchef.trez.wtf
+      swag.uptime-kuma.enabled: true
+      swag.uptime-kuma.monitor.url: https://gist.trez.wtf
+    ports:
+      - 20992:8000
+    restart: unless-stopped
   czkawka:
     container_name: czkawka
     environment:
@@ -1109,6 +1256,22 @@ services:
         source: /var/run/docker.sock
         target: /var/run/docker.sock
         type: bind
+  docker-volume-backup:
+    container_name: docker-volume-backup
+    image: offen/docker-volume-backup:v2
+    environment:
+      BACKUP_ARCHIVE: /archive
+      BACKUP_CRON_EXPRESSION: '@weekly'
+      BACKUP_COMPRESSION: zst
+      BACKUP_FILENAME: rinoa-docker-backup-%Y-%m-%dT%H-%M-%S.{{ .Extension }}
+      BACKUP_FILENAME_EXPAND: true
+      BACKUP_RETENTION_DAYS: 14
+      DOCKER_HOST: tcp://dockerproxy:2375
+      NOTIFICATION_URLS: gotify://gotify/${DV_BKUP_GOTIFY_TOKEN}
+    restart: always
+    volumes:
+      - docker-volume-bkup-data:/backup/my-app-backup:ro
+      - ${DOCKER_VOLUME_STORAGE}/backups/docker_volume_bkups:/archive
   docuseal:
     container_name: docuseal
     image: docuseal/docuseal:latest
@@ -1367,36 +1530,6 @@ services:
         target: /var/lib/postgresql/data
         type: volume
         volume: {}
-  gitea-opengist:
-    container_name: gitea-opengist
-    environment:
-      OG_LOG_LEVEL: warn
-      OG_EXTERNAL_URL: https://gist.trez.wtf
-      OG_GIT_DEFAULT_BRANCH: "main"
-      OG_GITEA_CLIENT_KEY: ${OPENGIST_GITEA_CLIENT_KEY}
-      OG_GITEA_SECRET: ${OPENGIST_GITEA_SECRET}
-      OG_GITEA_URL: https://git.trez.wtf
-      OG_GITEA_NAME: "Gitea @ Rinoa"
-      OG_SSH_EXTERNAL_DOMAIN: gist-ssh.trez.wtf
-    image: ghcr.io/thomiceli/opengist:latest
-    labels:
-      homepage.description: Private Code Gists
-      homepage.group: Code/DevOps
-      homepage.href: https://gist.trez.wtf
-      homepage.icon: sh-opengist.svg
-      homepage.name: Opengist
-      swag: enable
-      swag.uptime-kuma.enabled: "true"
-      swag.uptime-kuma.monitor.url: https://gist.trez.wtf
-      swag_port: "6157"
-      swag_proto: http
-      swag_url: gist.trez.wtf
-    ports:
-      - "6157:6157" # HTTP port
-      - "2222:2222" # SSH port, can be removed if you don't use SSH
-    restart: always
-    volumes:
-      - ${DOCKER_VOLUME_CONFIG}/gitea/opengist:/opengist
   gitea-runner:
     container_name: gitea-runner
     depends_on:
@@ -2671,6 +2804,67 @@ services:
     ports:
       - 22300:22300
     restart: unless-stopped
+  librechat-api:
+    container_name: librechat-api
+    depends_on:
+      - mongodb
+      - librechat-rag-api
+    environment:
+      CONFIG_PATH: /app/librechat.yaml
+      HOST: 0.0.0.0
+      MONGO_URI: mongodb://librechat:${LIBRECHAT_MONGODB_PASSWORD}@mongodb:27017/librechat?replicaSet=rinoa
+      MEILI_HOST: http://meilisearch:7700
+      RAG_PORT: 8000
+      RAG_API_URL: http://librechat-rag-api:8000
+    image: ghcr.io/danny-avila/librechat-dev:latest
+    labels:
+      homepage.group: Personal Services
+      homepage.name: LibreChat
+      homepage.href: https://ai.${MY_TLD}
+      homepage.icon: sh-librechat.svg
+      homepage.description: Local AI chat
+      swag: enable
+      swag_port: 3080
+      swag_proto: http
+      swag_url: ai.${MY_TLD}
+      swag.uptime-kuma.enabled: true
+      swag.uptime-kuma.monitor.url: https://ai.${MY_TLD}
+    ports:
+      - 3080:3080
+    restart: always
+    user: ${PUID}:${PGID}
+    volumes:
+      - ${DOCKER_VOLUME_CONFIG}/librechat/librechat.env:/app/.env
+      - ${DOCKER_VOLUME_CONFIG}/librechat/librechat.yaml:/app/librechat.yaml
+      - ${DOCKER_VOLUME_CONFIG}/librechat/images:/app/client/public/images
+      - ${DOCKER_VOLUME_CONFIG}/librechat/uploads:/app/uploads
+      - ${DOCKER_VOLUME_CONFIG}/librechat/logs:/app/api/logs
+  librechat-vectordb:
+    container_name: librechat-vectordb
+    environment:
+      POSTGRES_DB: librechat
+      POSTGRES_USER: librechat
+      POSTGRES_PASSWORD: ${LIBRECHAT_PG_DB_PASSWD}
+    expose:
+      - 5432
+    image: ankane/pgvector:latest
+    restart: always
+    volumes:
+      - librechat-pg-data:/var/lib/postgresql/data
+  librechat-rag-api:
+    container_name: librechat-rag-api
+    depends_on:
+      - librechat-vectordb
+    environment:
+      DB_HOST: librechat-vectordb
+      POSTGRES_DB: librechat
+      POSTGRES_USER: librechat
+      POSTGRES_PASSWORD: ${LIBRECHAT_PG_DB_PASSWD}
+      RAG_PORT: 8000
+    image: ghcr.io/danny-avila/librechat-rag-api-dev-lite:latest
+    restart: always
+    # env_file:
+    #   - ${DOCKER_VOLUME_CONFIG}/librechat/librechat.env
   libretranslate:
     container_name: libretranslate
     # command: --ssl --ga-id MY-GA-ID --req-limit 100 --char-limit 500
@@ -2855,6 +3049,8 @@ services:
       swag_proto: http
       swag_port: 42010
       swag_url: scrobble.${MY_TLD}
+      swag.uptime-kuma.enabled: true
+      swag.uptime-kuma.monitor.url: https://scrobble.${MY_TLD}
     networks:
       default: null
     ports:
@@ -2876,6 +3072,34 @@ services:
         type: bind
         bind:
           create_host_path: true
+  manyfold:
+    container_name: manyfold
+    environment:
+      PUID: ${PUID}
+      PGID: ${PGID}
+      TZ: ${TZ}
+      DATABASE_URL: sqlite3:/config/manyfold.sqlite3
+      REDIS_URL: redis://redis:6379/2
+      SECRET_KEY_BASE: ${MANYFOLD_SECRET_KEY_BASE}
+    image: lscr.io/linuxserver/manyfold:latest
+    labels:
+      homepage.group: Lifestyle
+      homepage.name: Manyfold
+      homepage.href: https://3dprint.${MY_TLD}
+      homepage.icon: manyfold.svg
+      homepage.description: Self-hosted digital asset manager for 3D print files
+      swag: enable
+      swag_proto: http
+      swag_port: 3214
+      swag_url: 3dprint.${MY_TLD}
+      swag.uptime-kuma.enabled: true
+      swag.uptime-kuma.monitor.url: https://3dprint.${MY_TLD}
+    ports:
+      - 3214:3214
+    restart: unless-stopped
+    volumes:
+      - ${DOCKER_VOLUME_CONFIG}/manyfold/config:/config
+      - ${DOCKER_VOLUME_CONFIG}/manyfold/library:/libraries #optional
   mariadb:
     container_name: mariadb
     environment:
@@ -2989,6 +3213,17 @@ services:
     restart: always
     volumes:
       - mastodon-pg-db:/var/lib/postgresql/data    
+  meilisearch:
+    container_name: meilisearch
+    environment:
+      MEILI_HOST: http://meilisearch:7700
+      MEILI_NO_ANALYTICS: true
+      MEILI_MASTER_KEY: ${MEILISEARCH_MASTER_KEY}
+    image: getmeili/meilisearch:v1.12.3
+    restart: always
+    user: ${PUID}:${PGID}
+    volumes:
+      - ${DOCKER_VOLUME_CONFIG}/meilisearch:/meili_data
   minio:
     command: server --console-address ":9090" /mnt/data
     container_name: minio
@@ -3382,36 +3617,6 @@ services:
         source: /rinoa-storage
         target: /storage
         type: bind
-  open-webui:
-    container_name: open-webui
-    depends_on:
-      ollama:
-        condition: service_started
-        required: true
-        restart: true
-    environment:
-      ENABLE_SIGNUP: true
-      ENABLE_LOGIN_FORM: true
-      ENABLE_OLLAMA_API: true
-      OLLAMA_BASE_URLS: http://ollama:11434
-    image: ghcr.io/open-webui/open-webui:main
-    labels:
-      homepage.group: Personal Services
-      homepage.name: Open-WebUI
-      homepage.href: https://ai.${MY_TLD}
-      homepage.icon: open-webui.png
-      homepage.description: Local AI chat using Ollama-downloaded models
-      swag: enable
-      swag_port: 8080
-      swag_proto: http
-      swag_url: ai.${MY_TLD}
-      swag.uptime-kuma.enabled: true
-      swag.uptime-kuma.monitor.url: https://ai.${MY_TLD}
-    ports:
-      - 10863:8080
-    restart: unless-stopped
-    volumes:
-      - open-webui:/app/backend/data
   paperless-ngx:
     container_name: paperless-ngx
     depends_on:
@@ -3496,10 +3701,11 @@ services:
       swag_proto: http
       swag_port: 8000
       swag_url: logs.${MY_TLD}
-    volumes:
-      - ${DOCKER_VOLUME_CONFIG}/parseable/staging:/staging
     ports:
       - 14453:8000
+    restart: unless-stopped
+    volumes:
+      - ${DOCKER_VOLUME_CONFIG}/parseable/staging:/staging
   peppermint:
     container_name: peppermint
     depends_on:
@@ -3676,7 +3882,7 @@ services:
     expose:
       - 9000
       - 9443
-    image: portainer/portainer-ce:alpine-sts
+    image: portainer/portainer-ce:2.27.0-alpine
     labels:
       swag: enable
       swag_proto: http
@@ -3731,11 +3937,8 @@ services:
       - 25:25
     restart: unless-stopped
     volumes:
-      - source: ${DOCKER_VOLUME_CONFIG}/postal
-        target: /config
-        type: bind
-        bind:
-          create_host_path: true
+      - ${DOCKER_VOLUME_CONFIG}/postal:/config
+      - ${DOCKER_VOLUME_CONFIG}/swag/etc/letsencrypt/live/trez.wtf:/config/certs
   postal-web:
     command: postal web-server
     container_name: postal-web
@@ -4326,6 +4529,43 @@ services:
         type: bind
         bind:
           create_host_path: true
+  semaphore:
+    container_name: semaphore
+    environment:
+      ANSIBLE_HOST_KEY_CHECKING: false
+      SEMAPHORE_ADMIN_PASSWORD: ${SEMAPHORE_ADMIN_PASSWORD}
+      SEMAPHORE_ADMIN_NAME: admin
+      SEMAPHORE_ADMIN_EMAIL: charish.patel@trez.wtf
+      SEMAPHORE_ADMIN: admin
+      SEMAPHORE_DB_DIALECT: bolt
+      SEMAPHORE_EMAIL_ALERT: true
+      SEMAPHORE_EMAIL_SENDER: noreply@trez.wtf
+      SEMAPHORE_EMAIL_HOST: postal-smtp
+      SEMAPHORE_EMAIL_PORT: 25
+      SEMAPHORE_EMAIL_USERNAME: ${POSTAL_SMTP_AUTH_USER}
+      SEMAPHORE_EMAIL_PASSWORD: ${POSTAL_SMTP_AUTH_PASSWORD}
+      SEMAPHORE_EMAIL_SECURE: false
+      SEMAPHORE_USE_REMOTE_RUNNER: true
+    image: semaphoreui/semaphore:v2.12.14
+    labels:
+      homepage.group: Code/DevOps
+      homepage.name: Semaphore
+      homepage.href: https://devops.${MY_TLD}
+      homepage.icon: semaphore.svg
+      homepage.description: Modern UI for Ansible, Terraform, OpenTofu, PowerShell and other DevOps tools
+      swag: enable
+      swag_port: 3000
+      swag_proto: http
+      swag_url: devops.${MY_TLD}
+      swag.uptime-kuma.enabled: true
+      swag.uptime-kuma.monitor.url: https://devops.${MY_TLD}
+    ports:
+      - 3015:3000
+    restart: unless-stopped
+    volumes:
+      - semaphore_config:/etc/semaphore
+      - semaphore_data:/var/lib/semaphore
+      - semaphore_tmp:/tmp/semaphore
   sonarqube:
     container_name: sonarqube
     depends_on:
@@ -4497,6 +4737,32 @@ services:
       - ${DOCKER_VOLUME_STORAGE}/downloads:/downloads
       #Select where you are storing your config file. Leave "/data" since thats where the script expects the config file to be
       - ${DOCKER_VOLUME_CONFIG}/soularr:/data
+  soularr-dashboard:
+    container_name: soularr-dashboard
+    depends_on:
+      soularr:
+        condition: service_started
+        required: true
+    environment:
+      PUID: ${PUID}
+      PGID: ${PGID}
+      TZ: ${TZ}
+    labels:
+      homepage.name: Soularr
+      homepage.group: Downloaders
+      homepage.description: Dashboard for monitoring Soularr
+      homepage.href: https://slsk.${MY_TLD}
+      homepage.icon: /icons/soularr.png
+    image: git.trez.wtf/trez.one/soularr-dashboard:v0.1
+    ports:
+      - 18364:8080
+    restart: unless-stopped
+    volumes:
+      - ${DOCKER_VOLUME_CONFIG}/soularr/dashboard:/app
+      - ${DOCKER_VOLUME_CONFIG}/soularr:/data
+      - ${DOCKER_VOLUME_CONFIG}/soularr/logs:/data/logs
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    working_dir: /app
   soulseek:
     container_name: soulseek
     depends_on:
@@ -4504,11 +4770,6 @@ services:
         condition: service_started
         required: true
         restart: true
-    environment:
-      SLSKD_PASSWORD: ${SLSKD_PASSWORD}
-      SLSKD_REMOTE_CONFIGURATION: true
-      SLSKD_SHARED_DIR: /music
-      SLSKD_USERNAME: slsk
     image: slskd/slskd
     labels:
       homepage.name: Soulseek
@@ -4526,16 +4787,10 @@ services:
     network_mode: service:gluetun
     restart: always
     volumes:
-      - source: ${DOCKER_VOLUME_CONFIG}/soulseek
-        target: /app
-        type: bind
-        bind:
-          create_host_path: true
-      - source: ${DOCKER_VOLUME_STORAGE}/Audio/Music
-        target: /music
-        type: bind
-        bind:
-          create_host_path: true
+      - ${DOCKER_VOLUME_CONFIG}/soulseek:/app
+      - ${DOCKER_VOLUME_STORAGE}/Audio/Music:/music
+      - ${DOCKER_VOLUME_STORAGE}/downloads/completed/slsk:/app/downloads/
+      - ${DOCKER_VOLUME_STORAGE}/downloads/incomplete/slsk:/app/incomplete
   sourcebot:
     container_name: sourcebot
     environment:
@@ -4607,6 +4862,36 @@ services:
     restart: always
     volumes:
       - ${DOCKER_VOLUME_CONFIG}/spotisub:/home/user/spotisub/cache
+  stable-diffusion-download:
+    container_name: stable-diffusion-download
+    image: git.trez.wtf/trez.one/stable-diffusion-download:v9.0.0
+    restart: unless-stopped
+    volumes:
+      - ${DOCKER_VOLUME_CONFIG}/stable-diffusion-webui/data:/data
+  stable-diffusion-webui:
+    container_name: stable-diffusion-webui
+    image: git.trez.wtf/trez.one/stable-diffusion-ui:v9.0.0
+    environment:
+      - CLI_ARGS=--allow-code --medvram --xformers --enable-insecure-extension-access --api
+    labels:
+      homepage.name: Stable-Diffusion WebUI
+      homepage.group: Personal Services
+      homepage.description: Deep learning, text-to-image model
+      homepage.href: https://sd.${MY_TLD}
+      homepage.icon: /icons/stable-diffusion.png
+      swag: enable
+      swag_port: 7860
+      swag_proto: http
+      swag_url: sd.${MY_TLD}
+      swag.uptime-kuma.enabled: true
+      swag.uptime-kuma.monitor.url: https://sd.${MY_TLD}
+    ports:
+      - 7860:7860
+    restart: unless-stopped
+    tty: true
+    volumes:
+      - ${DOCKER_VOLUME_CONFIG}/stable-diffusion-webui/data:/data
+      - ${DOCKER_VOLUME_CONFIG}/stable-diffusion-webui/output:/output
   swag:
     cap_add:
       - NET_ADMIN
@@ -4614,7 +4899,7 @@ services:
     environment:
       DNSPLUGIN: cloudflare
       EMAIL: charish.patel@trez.wtf
-      EXTRA_DOMAINS: 
+      EXTRA_DOMAINS:
       ONLY_SUBDOMAINS: false
       PGID: 1000
       PUID: 1000
@@ -5096,57 +5381,13 @@ services:
         source: /rinoa-storage
         target: /storage
         type: bind
-  zitadel:
-    container_name: zitadel
-    image: ghcr.io/zitadel/zitadel:latest
-    command: 'start-from-init --masterkeyFromEnv --config /config.yaml --config /secrets.yaml --config /init-steps.yaml --tlsMode external'
-    depends_on:
-      zitadel-pg-db:
-        condition: 'service_started'
-    environment:
-      ZITADEL_MASTERKEY: ${ZITADEL_MASTER_KEY}
-    expose:
-      - 8080
-    labels:
-      swag: enable
-      swag_proto: http
-      swag_port: 8080
-      swag_url: id.${MY_TLD}
-      swag_server_custom_directive: http2 on;
-      homepage.group: System Administration
-      homepage.name: Zitadel
-      homepage.href: https://id.${MY_TLD}
-      homepage.icon: zitadel.svg
-      homepage.description: Centralized authentication management
-    restart: unless-stopped
-    volumes:
-      - ${DOCKER_VOLUME_CONFIG}/zitadel/config.yaml:/config.yaml
-      - ${DOCKER_VOLUME_CONFIG}/zitadel/init-steps.yaml:/init-steps.yaml
-      - ${DOCKER_VOLUME_CONFIG}/zitadel/secrets.yaml:/secrets.yaml
-  zitadel-pg-db:
-    container_name: zitadel-pg-db
-    environment:
-      POSTGRES_USER: root
-      POSTGRES_PASSWORD: ${ZITADEL_DB_ADMIN_PASSWORD}
-    expose:
-      - 5432
-    healthcheck:
-      test: ["CMD-SHELL", "pg_isready", "-d", "zitadel", "-U", "root" ]
-      interval: '10s'
-      timeout: '30s'
-      retries: 5
-      start_period: '20s'
-    image: postgres:16-alpine
-    restart: unless-stopped
-    volumes:
-      - zitadel-pg-db:/var/lib/postgresql/data
 volumes:
   authelia-pg-db:
     name: authelia-pg-db
   bitmagnet-pg-db:
     name: bitmagnet-pg-db
-  bunkerweb-data:
-    name: bunkerweb-data
+  bunkerweb-storage:
+    name: bunkerweb-storage
   castopod-media:
     name: castopod-media
   crowdsec-config:
@@ -5163,6 +5404,8 @@ volumes:
     name: dawarich_watched
   dbgate-data:
     name: dbgate-data
+  docker-volume-bkup-data:
+    name: docker-volume-bkup-data
   fastenhealth-cache:
     name: fastenhealth-cache
   fastenhealth-db:
@@ -5205,6 +5448,8 @@ volumes:
     name: jitsi-web-admin-upload
   joplin_data:
     name: joplin_data
+  librechat-pg-data:
+    name: librechat-pg-data
   libretranslate_models:
     name: libretranslate_models
   lldap_data:
@@ -5249,6 +5494,12 @@ volumes:
     name: portainer-data
   reactive-resume-pg:
     name: reactive-resume-pg
+  semaphore_config:
+    name: semaphore_config
+  semaphore_data:
+    name: semaphore_data
+  semaphore_tmp:
+    name: semaphore_tmp
   sonarqube-data:
     name: sonarqube-data
   sonarqube-db:
@@ -5270,4 +5521,4 @@ volumes:
   wallos-logos:
     name: wallos-logos
   zitadel-pg-db:
-    name: zitadel-pg-db
+    name: zitadel-pg-db