Merge remote-tracking branch 'refs/remotes/origin/ansible-dry-fixes_5-20-25' into ansible-dry-fixes_5-20-25

Renaming Grafana alloy config.
2025-05-26 09:13:29 -04:00 · 2025-05-26 09:12:02 -04:00 · 2025-05-26 09:12:02 -04:00 · 2025-05-26 09:12:02 -04:00 · 2025-05-26 09:12:02 -04:00 · 2025-05-26 09:12:02 -04:00
44 changed files with 474 additions and 390 deletions
@@ -6,6 +6,7 @@ on:
    paths:
      - '**.j2'
      - 'ansible/**.yml'
+
 jobs:
  check-and-create-pr:
    if: github.ref != 'refs/heads/main'
@@ -57,7 +58,7 @@ jobs:
          notification_title: 'GITEA: PR Check'
          notification_message: 'PR Created 🎟️'
  ansible-linting:
-    name: Docker Compose & Ansible Lints
+    name: Ansible Linting
    needs: [check-and-create-pr]
    runs-on: ubuntu-latest
    env:
@@ -70,13 +71,13 @@ jobs:
      - name: Fetch base branch
        run: |
          git fetch origin ${{ github.event.pull_request.base.ref }}
-      - name: Cache Ansible Galaxy Collections
-        uses: actions/cache@v3
-        with:
-          path: ansible/collections
-          key: ${{ runner.os }}-ansible-${{ hashFiles('./ansible/collections/requirements.yml') }}
-          restore-keys: |
-            ${{ runner.os }}-ansible-
+      # - name: Cache Ansible Galaxy Collections
+      #   uses: actions/cache@v3
+      #   with:
+      #     path: ansible/collections
+      #     key: ${{ runner.os }}-ansible-${{ hashFiles('./ansible/collections/requirements.yml') }}
+      #     restore-keys: |
+      #       ${{ runner.os }}-ansible-
      - name: Install Ansible
        uses: alex-oleshkevich/setup-ansible@v1.0.1
        with:
@@ -112,7 +113,7 @@ jobs:
          notification_message: 'Docker Compose dry run completed successfully.'
  pr-merge:
    name: PR Merge
-    needs: [regenerate-readme-modified-services]
+    needs: [ansible-linting]
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
@@ -139,8 +140,8 @@ jobs:
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: PR Merge Successful'
          notification_message: 'PR #${{ steps.pr_merge.outputs.pr_index }} merged.'
-  ansible-config-docker-compose-deploy:
-    name: Ansible Configs & Docker Compose Deployment
+  ansible-config-deploy:
+    name: Ansible Playbook Run (Service Configs)
    runs-on: ubuntu-latest
    needs: [pr-merge]
    env:
@@ -56,14 +56,16 @@ jobs:
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: PR Check'
          notification_message: 'PR Created 🎟️'
-  docker-compose-ansible-lints:
-    name: Docker Compose & Ansible Lints
+  docker-compose-dry-run:
+    name: Docker Compose Dry Run
    needs: [check-and-create-pr]
    runs-on: ubuntu-latest
    env:
      VAULT_ADDR: ${{ secrets.RINOA_VAULT_ADDR }}
      VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
      VAULT_NAMESPACE: ""
+    outputs:
+      svc_deploy_list: ${{ steps.modded_svcs.outputs.rinoa_svcs }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
@@ -122,13 +124,16 @@ jobs:
          echo ${mod_svcs}
          vault kv get -format=json rinoa-docker/env | jq -r '.data.data' | jq -r 'keys[] as $k | "\($k)='\''\(.[$k])'\''"' > .env
          echo "rinoa_svcs=${mod_svcs}" >> "$GITHUB_OUTPUT"
+      - name: Testing service list output
+        run: |
+          echo ${{ steps.modded_svcs.outputs.rinoa_svcs }}
      - name: Docker Compose Dry Run
        timeout-minutes: 360
        continue-on-error: true
        uses: keatonLiu/docker-compose-remote-action@v1.2
        with:
          docker_compose_file: docker-compose.yml
-          docker_args: -d --remove-orphans --pull missing --no-recreate ${{ steps.modded_svcs.rinoa_svcs.output }}
+          docker_args: -d --remove-orphans --pull missing ${{ steps.modded_svcs.outputs.rinoa_svcs }}
          ssh_user: gitea-deploy
          ssh_host: 192.168.1.254
          ssh_host_public_key: ${{ secrets.RINOA_GITEA_PUBLIC_SSH_KEY }}
@@ -282,8 +287,8 @@ jobs:
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: PR Merge Successful'
          notification_message: 'PR #${{ steps.pr_merge.outputs.pr_index }} merged.'
-  ansible-config-docker-compose-deploy:
-    name: Ansible Configs & Docker Compose Deployment
+  docker-compose-deploy:
+    name: Docker Compose Deployment
    runs-on: ubuntu-latest
    needs: [pr-merge]
    env:
@@ -310,7 +315,7 @@ jobs:
      - name: Login to Gitea Container Registry
        uses: docker/login-action@v3
        with:
-          registry: git.trez.wtf
+          registry: https://git.trez.wtf
          username: gitea-sonarqube-bot
          password: ${{ secrets.BOT_GITEA_TOKEN }}
      - name: Gotify Notification
@@ -329,7 +334,7 @@ jobs:
        uses: keatonLiu/docker-compose-remote-action@v1.2
        with:
          docker_compose_file: docker-compose.yml
-          docker_args: -d --remove-orphans --pull missing --no-recreate
+          docker_args: -d --remove-orphans --pull missing ${{ docker-compose-dry-run.outputs.svc_deploy_list }}
          ssh_user: gitea-deploy
          ssh_host: 192.168.1.254
          ssh_host_public_key: ${{ secrets.RINOA_GITEA_PUBLIC_SSH_KEY }}
@@ -14,14 +14,11 @@
 | bazarr | lscr.io/linuxserver/bazarr:latest |
 | beszel | henrygd/beszel:latest |
 | beszel-agent | henrygd/beszel-agent:latest |
-| bitmagnet | ghcr.io/bitmagnet-io/bitmagnet:latest |
-| bitmagnet-pg-db | postgres:17-alpine |
 | bitwarden | vaultwarden/server:latest |
 | bluesky-pds | code.modernleft.org/gravityfargo/bluesky-pds:v0.4.98 |
 | browserless | ghcr.io/browserless/chromium:latest |
 | bytestash | ghcr.io/jordan-dalby/bytestash:latest |
 | castopod | castopod/castopod:latest |
-| cloudflared | cloudflare/cloudflared:latest |
 | cloudflareddns | ghcr.io/hotio/cloudflareddns:latest |
 | convertx | ghcr.io/c4illin/convertx |
 | cronicle | elestio/cronicle:latest |
@@ -33,7 +30,6 @@
 | dawarich-pg-db | postgis/postgis:17-3.5-alpine |
 | dawarich-sidekiq | freikin/dawarich:latest |
 | dead-man-hand | ghcr.io/bkupidura/dead-man-hand:latest |
-| delugevpn | ghcr.io/binhex/arch-delugevpn:latest |
 | docker-socket-proxy | ghcr.io/tecnativa/docker-socket-proxy:latest |
 | duplicati | lscr.io/linuxserver/duplicati:latest |
 | excalidraw | excalidraw/excalidraw:latest |
@@ -114,6 +110,7 @@
 | postal-web | ghcr.io/postalserver/postal:latest |
 | postal-worker | ghcr.io/postalserver/postal:latest |
 | prowlarr | lscr.io/linuxserver/prowlarr:latest |
+| qbittorrentvpn | ghcr.io/binhex/arch-qbittorrentvpn:latest |
 | radarec | thewicklowwolf/radarec:latest |
 | radarr | lscr.io/linuxserver/radarr:latest |
 | reactive-resume | amruthpillai/reactive-resume:latest |
@@ -122,7 +119,9 @@
 | redis | redis:alpine |
 | redlib | quay.io/redlib/redlib:latest |
 | rocketchat | registry.rocket.chat/rocketchat/rocket.chat:latest |
+| romm | rommapp/romm:latest |
 | sabnzbdvpn | ghcr.io/binhex/arch-sabnzbdvpn:latest |
+| sablier | sablierapp/sablier:latest |
 | scraperr | jpyles0524/scraperr:latest |
 | scraperr-api | jpyles0524/scraperr_api:latest |
 | scrutiny | ghcr.io/analogj/scrutiny:master-omnibus |
@@ -2,5 +2,5 @@
 {% set secrets_path = 'rinoa-docker/env' %}

 urls:
-  - gotify://gotify/{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['APPRISE_GOTIFY_TOKEN'] }}
-  - mailtos://{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}@trez.wtf25?smtp=postal-smtp&from=noreply@trez.wtf
+  - gotify://gotify/{{ vault_secrets['APPRISE_GOTIFY_TOKEN'] }}
+  - mailtos://{{ vault_secrets['POSTAL_SMTP_AUTH_USER'] }}:{{ vault_secrets['POSTAL_SMTP_AUTH_PASSWORD'] }}@trez.wtf25?smtp=postal-smtp&from=noreply@trez.wtf
@@ -64,11 +64,11 @@ authentication_backend:
      mail: mail
      display_name: displayName
    user: uid=authelia,ou=people,dc=trez,dc=wtf
-    password: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_AUTH_BIND_LDAP_PASSWORD'] }}'
+    password: '{{ vault_secrets['AUTHELIA_AUTH_BIND_LDAP_PASSWORD'] }}'
  refresh_interval: 5m
 identity_validation:
  reset_password:
-    jwt_secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_JWT_SECRET'] }}'
+    jwt_secret: '{{ vault_secrets['AUTHELIA_JWT_SECRET'] }}'
 password_policy:
  standard:
    enabled: true
@@ -104,7 +104,7 @@ access_control:
      - ['user:the.trezured.one']
 session:
  name: authelia_session
-  secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_SESSION_SECRET'] }}'
+  secret: '{{ vault_secrets['AUTHELIA_SESSION_SECRET'] }}'
  expiration: 1h
  inactivity: 5m
  remember_me: 1M
@@ -115,12 +115,12 @@ session:
    host: redis
    port: 6379
 storage:
-  encryption_key: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_STORAGE_ENCRYPTION_KEY'] }}'
+  encryption_key: '{{ vault_secrets['AUTHELIA_STORAGE_ENCRYPTION_KEY'] }}'
  postgres:
    address: 'tcp://authelia-pg:5432'
    database: authelia
    username: authelia
-    password: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_STORAGE_POSTGRES_PASSWORD'] }}'
+    password: '{{ vault_secrets['AUTHELIA_STORAGE_POSTGRES_PASSWORD'] }}'
    timeout: '5s'
 regulation:
  max_retries: 3
@@ -131,8 +131,8 @@ notifier:
  smtp:
    address: 'smtp://postal-smtp:25'
    timeout: '5s'
-    username: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}'
-    password: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}'
+    username: '{{ vault_secrets['POSTAL_SMTP_AUTH_USER'] }}'
+    password: '{{ vault_secrets['POSTAL_SMTP_AUTH_PASSWORD'] }}'
    sender: "Authelia <noreply@trez.wtf>"
    identifier: 'localhost'
    subject: "[Authelia] {title}"
@@ -142,10 +142,10 @@ notifier:
    disable_html_emails: false
 identity_providers:
  oidc:
-    hmac_secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_OIDC_HMAC_SECRET'] }}'
+    hmac_secret: '{{ vault_secrets['AUTHELIA_OIDC_HMAC_SECRET'] }}'
    jwks:
      - key: |
-          {{ lookup("community.hashi_vault.vault_kv2_get", "env", engine_mount_point="rinoa-docker", url=vault_addr, token=vault_token_cleaned)["secret"]["AUTHELIA_OIDC_JWKS_KEY"] | replace("\\n", "\n") | indent(10) }}
+          {{ vault_secrets["AUTHELIA_OIDC_JWKS_KEY"] | replace("\\n", "\n") | indent(10) }}
    cors:
      allowed_origins_from_client_redirect_uris: true
      endpoints:
@@ -157,7 +157,7 @@ identity_providers:
    clients:
      - client_id: 'netbird'
        client_name: 'NetBird'
-        client_secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_NETBIRD_CLIENT_SECRET'] }}'
+        client_secret: '{{ vault_secrets['AUTHELIA_NETBIRD_CLIENT_SECRET'] }}'
        public: false
        authorization_policy: 'two_factor'
        redirect_uris:
@@ -1,7 +1,6 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}

-
 source: journalctl
 journalctl_filter: 
  - "--directory=/var/log/host/"
@@ -3,4 +3,4 @@

 url: http://0.0.0.0:8080
 login: localhost
-password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['CROWDSEC_LOCAL_API_KEY'] }}
+password: {{ vault_secrets['CROWDSEC_LOCAL_API_KEY'] }}
@@ -9,7 +9,7 @@
      "host"     : "mariadb",
      "port"     : 3306,
      "user"     : "ghost",
-      "password" : "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GHOST_DB_PASSWORD'] }}",
+      "password" : "{{ vault_secrets['GHOST_DB_PASSWORD'] }}",
      "database" : "ghost_db"
    }
  },
@@ -21,8 +21,8 @@
      "port": 25,
      "secure": false,
      "auth": {
-        "user": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}",
-        "pass": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}"
+        "user": "{{ vault_secrets['POSTAL_SMTP_AUTH_USER'] }}",
+        "pass": "{{ vault_secrets['POSTAL_SMTP_AUTH_PASSWORD'] }}"
      }
    }
  },
@@ -27,7 +27,7 @@ DISABLE_SSH = false
 SSH_PORT = 22
 SSH_LISTEN_PORT = 22
 LFS_START_SERVER = true
-LFS_JWT_SECRET = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_LFS_JWT_SECRET'] }}
+LFS_JWT_SECRET = {{ vault_secrets['GITEA_LFS_JWT_SECRET'] }}
 OFFLINE_MODE = true

 [database]
@@ -36,7 +36,7 @@ DB_TYPE = postgres
 HOST = gitea-db:5432
 NAME = gitea
 USER = gitea
-PASSWD = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_PG_DB_PASSWORD'] }}
+PASSWD = {{ vault_secrets['GITEA_PG_DB_PASSWORD'] }}
 LOG_SQL = false
 SCHEMA =
 SSL_MODE = disable
@@ -70,7 +70,7 @@ INSTALL_LOCK = true
 SECRET_KEY =
 REVERSE_PROXY_LIMIT = 1
 REVERSE_PROXY_TRUSTED_PROXIES = *
-INTERNAL_TOKEN = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_INTERNAL_TOKEN'] }}
+INTERNAL_TOKEN = {{ vault_secrets['GITEA_INTERNAL_TOKEN'] }}
 PASSWORD_HASH_ALGO = pbkdf2

 [service]
@@ -89,7 +89,7 @@ NO_REPLY_ADDRESS = noreply@trez.wtf
 PATH = /data/git/lfs

 [mailer]
-PASSWD = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}
+PASSWD = {{ vault_secrets['POSTAL_SMTP_AUTH_PASSWORD'] }}
 PROTOCOL = smtp
 ENABLED = true
 FROM = '"Gitea" <noreply@trez.wtf>'
@@ -112,7 +112,7 @@ DEFAULT_MERGE_STYLE = merge
 DEFAULT_TRUST_MODEL = committer

 [oauth2]
-JWT_SECRET = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_OAUTH2_JWT_SECRET'] }}
+JWT_SECRET = {{ vault_secrets['GITEA_OAUTH2_JWT_SECRET'] }}

 [ui]
 THEMES =
@@ -9,7 +9,7 @@ gitea:
  # Created access token for the user that shall be used as bot account.
  # User needs "Read project" permissions with access to "Pull Requests"
  token:
-    value: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_GITEA_TOKEN'] }}"
+    value: "{{ vault_secrets['GITEA_SONARQUBE_BOT_GITEA_TOKEN'] }}"
    # # or path to file containing the plain text secret
    # file: /path/to/gitea/token

@@ -18,7 +18,7 @@ gitea:
  # The bot looks for `X-Gitea-Signature` header containing the sha256 hmac hash of the plain text secret. If the header
  # exists and no webhookSecret is defined here, the bot will ignore the request, because it cannot be validated.
  webhook:
-    secret: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_GITEA_WEBHOOK_SECRET'] }}"
+    secret: "{{ vault_secrets['GITEA_SONARQUBE_BOT_GITEA_WEBHOOK_SECRET'] }}"
    # # or path to file containing the plain text secret
    # secretFile: /path/to/gitea/webhook/secret

@@ -35,7 +35,7 @@ sonarqube:
  # Created access token for the user that shall be used as bot account.
  # User needs "Browse on project" permissions
  token:
-    value: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_SQUBE_TOKEN'] }}"
+    value: "{{ vault_secrets['GITEA_SONARQUBE_BOT_SQUBE_TOKEN'] }}"
    # # or path to file containing the plain text secret
    # file: /path/to/sonarqube/token

@@ -45,7 +45,7 @@ sonarqube:
  # If the header exists and no webhookSecret is defined here, the bot will ignore the request, because it cannot be
  # validated.
  webhook:
-    secret: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_SQUBE_WEBHOOK_SECRET'] }}"
+    secret: "{{ vault_secrets['GITEA_SONARQUBE_BOT_SQUBE_WEBHOOK_SECRET'] }}"
    # # or path to file containing the plain text secret
    # secretFile: /path/to/sonarqube/webhook/secret

@@ -4,8 +4,8 @@ storage:
    bucket_name: pyroscope
    endpoint: minio:9000
    region: us-east-fh-pln
-    access_key_id: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MINIO_PYROSCOPE_STORAGE_ACCESS_KEY'] }}
-    secret_access_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MINIO_PYROSCOPE_STORAGE_SECRET_KEY'] }}
+    access_key_id: {{ vault_secrets['MINIO_PYROSCOPE_STORAGE_ACCESS_KEY'] }}
+    secret_access_key: {{ vault_secrets['MINIO_PYROSCOPE_STORAGE_SECRET_KEY'] }}
    insecure: true

 analytics:
@@ -46,8 +46,8 @@ storage:
    s3:
      bucket: tempo                    # how to store data in s3
      endpoint: minio:9000
-      access_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MINIO_TEMPO_STORAGE_ACCESS_KEY'] }}
-      secret_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MINIO_TEMPO_STORAGE_SECRET_KEY'] }}
+      access_key: {{ vault_secrets['MINIO_TEMPO_STORAGE_ACCESS_KEY'] }}
+      secret_key: {{ vault_secrets['MINIO_TEMPO_STORAGE_SECRET_KEY'] }}
      insecure: true

 usage_report:
@@ -29,5 +29,5 @@
        widget:
            type: homeassistant
            url: http://192.168.1.252:8123
-            key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['HOMEPAGE_HOME_ASSISTANT_API_KEY'] }}
+            key: {{ vault_secrets['HOMEPAGE_HOME_ASSISTANT_API_KEY'] }}

@@ -6,7 +6,7 @@
 # https://gethomepage.dev/en/configs/settings

 providers:
-  openweathermap: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['HOMEPAGE_OPENWEATHERMAP_API_KEY'] }}
+  openweathermap: {{ vault_secrets['HOMEPAGE_OPENWEATHERMAP_API_KEY'] }}
  # weatherapi: weatherapiapikey
 title: Rinoa Dashboard (trez.WTF)
 headerStyle: underlined
@@ -53,4 +53,4 @@ layout:
    columns: 2
  Media Library:
    style: row
-    columns: 4
+    columns: 3
@@ -16,7 +16,7 @@ db:
  host: invidious-db
  port: 5432
  dbname: invidious
-  password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_PG_DB_PASSWORD'] }}
+  password: {{ vault_secrets['INVID_PG_DB_PASSWORD'] }}

 ##
 ## Database configuration using a single URI. This is an
@@ -210,8 +210,8 @@ https_only: false
 ## Accepted values: String
 ## Default: <none>
 ##
-po_token: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_PO_TOKEN'] }}
-visitor_data: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_VISITOR_DATA'] }}
+po_token: {{ vault_secrets['INVID_PO_TOKEN'] }}
+visitor_data: {{ vault_secrets['INVID_VISITOR_DATA'] }}

 # -----------------------------
 #  Logging
@@ -471,7 +471,7 @@ jobs:
 ## Accepted values: a string
 ## Default: <none>
 ##
-hmac_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_HMAC_KEY'] }}
+hmac_key: {{ vault_secrets['INVID_HMAC_KEY'] }}

 ##
 ## List of video IDs where the "download" widget must be
@@ -3,7 +3,7 @@

 # IN application vars
 IN_APP_URL=https://biz.trez.wtf
-IN_APP_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['IN_APP_KEY'] }}
+IN_APP_KEY={{ vault_secrets['IN_APP_KEY'] }}
 IN_APP_DEBUG=true
 IN_REQUIRE_HTTPS=false
 IN_PHANTOMJS_PDF_GENERATION=false
@@ -18,7 +18,7 @@ IN_DB_HOST=mariadb
 IN_DB_PORT=3306
 IN_DB_DATABASE=invoice_ninja
 IN_DB_USERNAME=ininja
-IN_DB_PASSWORD={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['IN_MYSQL_PASSWORD'] }}
+IN_DB_PASSWORD={{ vault_secrets['IN_MYSQL_PASSWORD'] }}

 # Create initial user
 # Default to these values if empty
@@ -31,8 +31,8 @@ IN_PASSWORD=
 IN_MAIL_MAILER=log
 IN_MAIL_HOST=postal-smtp
 IN_MAIL_PORT=25
-IN_MAIL_USERNAME={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}
-IN_MAIL_PASSWORD={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}
+IN_MAIL_USERNAME={{ vault_secrets['POSTAL_SMTP_AUTH_USER'] }}
+IN_MAIL_PASSWORD={{ vault_secrets['POSTAL_SMTP_AUTH_PASSWORD'] }}
 IN_MAIL_ENCRYPTION=null
 IN_MAIL_FROM_ADDRESS='noreply@trez.wtf'
 IN_MAIL_FROM_NAME='Treasured IT'
@@ -17,7 +17,7 @@
 HOST=localhost
 PORT=3080

-MONGO_URI=mongodb://librechat:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_MONGODB_PASSWORD'] }}@mongodb:27017/librechat?replicaSet=rinoa
+MONGO_URI=mongodb://librechat:{{ vault_secrets['LIBRECHAT_MONGODB_PASSWORD'] }}@mongodb:27017/librechat?replicaSet=rinoa

 DOMAIN_CLIENT=https://ai.trez.wtf
 DOMAIN_SERVER=https://ai.trez.wtf
@@ -73,12 +73,12 @@ PROXY=
 # ANYSCALE_API_KEY=
 # APIPIE_API_KEY=
 # COHERE_API_KEY=
-DEEPSEEK_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_DEEPSEEK_API_KEY'] }}
+DEEPSEEK_API_KEY={{ vault_secrets['LIBRECHAT_DEEPSEEK_API_KEY'] }}
 # DATABRICKS_API_KEY=
 # FIREWORKS_API_KEY=
 # GROQ_API_KEY=
 # HUGGINGFACE_TOKEN=
-MISTRAL_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_MISTRAL_API_KEY'] }}
+MISTRAL_API_KEY={{ vault_secrets['LIBRECHAT_MISTRAL_API_KEY'] }}
 # OPENROUTER_KEY=
 # PERPLEXITY_API_KEY=
 # SHUTTLEAI_API_KEY=
@@ -90,7 +90,7 @@ MISTRAL_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_m
 # Anthropic  #
 #============#

-ANTHROPIC_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_ANTHROPIC_API_KEY'] }}
+ANTHROPIC_API_KEY={{ vault_secrets['LIBRECHAT_ANTHROPIC_API_KEY'] }}
 ANTHROPIC_MODELS=claude-3-7-sonnet-latest,claude-3-7-sonnet-20250219,claude-3-5-haiku-20241022,claude-3-5-sonnet-20241022,claude-3-5-sonnet-latest,claude-3-5-sonnet-20240620,claude-3-opus-20240229,claude-3-sonnet-20240229,claude-3-haiku-20240307,claude-2.1,claude-2,claude-1.2,claude-1,claude-1-100k,claude-instant-1,claude-instant-1-100k
 # ANTHROPIC_REVERSE_PROXY=

@@ -177,7 +177,7 @@ ANTHROPIC_MODELS=claude-3-7-sonnet-latest,claude-3-7-sonnet-20250219,claude-3-5-
 # OpenAI     #
 #============#

-OPENAI_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_OPENAI_API_KEY'] }}
+OPENAI_API_KEY={{ vault_secrets['LIBRECHAT_OPENAI_API_KEY'] }}
 OPENAI_MODELS=o1,o1-mini,o1-preview,gpt-4o,chatgpt-4o-latest,gpt-4o-mini,gpt-3.5-turbo-0125,gpt-3.5-turbo-0301,gpt-3.5-turbo,gpt-4,gpt-4-0613,gpt-4-vision-preview,gpt-3.5-turbo-0613,gpt-3.5-turbo-16k-0613,gpt-4-0125-preview,gpt-4-turbo-preview,gpt-4-1106-preview,gpt-3.5-turbo-1106,gpt-3.5-turbo-instruct,gpt-3.5-turbo-instruct-0914,gpt-3.5-turbo-16k

 DEBUG_OPENAI=false
@@ -226,8 +226,8 @@ DEBUG_OPENAI=false

 # DEBUG_PLUGINS=

-CREDS_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_CREDS_KEY'] }}
-CREDS_IV={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_CREDS_IV'] }}
+CREDS_KEY={{ vault_secrets['LIBRECHAT_CREDS_KEY'] }}
+CREDS_IV={{ vault_secrets['LIBRECHAT_CREDS_IV'] }}

 # Azure AI Search
 #-----------------
@@ -298,7 +298,7 @@ ZAPIER_NLA_API_KEY=
 SEARCH=true
 MEILI_NO_ANALYTICS=true
 MEILI_HOST=http://meilisearch:7700
-MEILI_MASTER_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MEILISEARCH_MASTER_KEY'] }}
+MEILI_MASTER_KEY={{ vault_secrets['MEILISEARCH_MASTER_KEY'] }}

 # Optional: Disable indexing, useful in a multi-node setup
 # where only one instance should perform an index sync.
@@ -384,8 +384,8 @@ ALLOW_UNVERIFIED_EMAIL_LOGIN=true
 SESSION_EXPIRY=1000 * 60 * 15
 REFRESH_TOKEN_EXPIRY=(1000 * 60 * 60 * 24) * 7

-JWT_SECRET={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_JWT_SECRET'] }}
-JWT_REFRESH_SECRET={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_JWT_REFRESH_SECRET'] }}
+JWT_SECRET={{ vault_secrets['LIBRECHAT_JWT_SECRET'] }}
+JWT_REFRESH_SECRET={{ vault_secrets['LIBRECHAT_JWT_REFRESH_SECRET'] }}


 # Discord
@@ -547,4 +547,4 @@ USE_REDIS=true
 #=====================================================#
 #                  OpenWeather                        #
 #=====================================================#
-OPENWEATHER_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['HOMEPAGE_OPENWEATHERMAP_API_KEY'] }}
+OPENWEATHER_API_KEY={{ vault_secrets['HOMEPAGE_OPENWEATHERMAP_API_KEY'] }}
@@ -7,7 +7,7 @@
  <SslPort>6868</SslPort>
  <EnableSsl>False</EnableSsl>
  <LaunchBrowser>True</LaunchBrowser>
-  <ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIDARR_API_KEY'] }}</ApiKey>
+  <ApiKey>{{ vault_secrets['LIDARR_API_KEY'] }}</ApiKey>
  <AuthenticationMethod>Forms</AuthenticationMethod>
  <Branch>master</Branch>
  <LogLevel>trace</LogLevel>
@@ -3,11 +3,11 @@

 {
    "lidarr_address": "http://lidarr:8686",
-    "lidarr_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIDARR_API_KEY'] }}",
-    "spotify_client_secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_SECRET'] }}",
+    "lidarr_api_key": "{{ vault_secrets['LIDARR_API_KEY'] }}",
+    "spotify_client_secret": "{{ vault_secrets['YOUR_SPOTIFY_SECRET'] }}",
    "root_folder_path": "/data/media/music",
-    "spotify_client_id": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_ID'] }}",
-    "spotify_client_secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_SECRET'] }}",
+    "spotify_client_id": "{{ vault_secrets['YOUR_SPOTIFY_ID'] }}",
+    "spotify_client_secret": "{{ vault_secrets['YOUR_SPOTIFY_SECRET'] }}",
    "fallback_to_top_result": false,
    "lidarr_api_timeout": 120.0,
    "quality_profile_id": 1,
@@ -17,8 +17,8 @@
    "app_name": "lidify",
    "app_rev": "0.09",
    "app_url": "lidify.trez.wtf",
-    "last_fm_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
-    "last_fm_api_secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
+    "last_fm_api_key": "{{ vault_secrets['LASTFM_API_KEY'] }}",
+    "last_fm_api_secret": "{{ vault_secrets['LASTFM_API_SECRET'] }}",
    "mode": "LastFM",
    "auto_start": false,
    "auto_start_delay": 60
@@ -20,7 +20,7 @@ global_keywords:
    - fatal
 notifications:
  apprise:
-    url: gotify://gotify/{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['APPRISE_GOTIFY_TOKEN'] }}    # Any Apprise-compatible URL (https://github.com/caronc/apprise/wiki)
+    url: gotify://gotify/{{ vault_secrets['APPRISE_GOTIFY_TOKEN'] }}    # Any Apprise-compatible URL (https://github.com/caronc/apprise/wiki)
 # settings are optional because they all have default values
 settings:
  log_level: INFO               # DEBUG, INFO, WARNING, ERROR
@@ -27,8 +27,8 @@
      "clients": [],
      "name": "spotify",
      "data": {
-        "clientId": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_ID'] }}",
-        "clientSecret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_SECRET'] }}",
+        "clientId": "{{ vault_secrets['YOUR_SPOTIFY_ID'] }}",
+        "clientSecret": "{{ vault_secrets['YOUR_SPOTIFY_SECRET'] }}",
        "redirectUri": "http://localhost:9078/callback"
      }
    },
@@ -38,8 +38,8 @@
      "clients": [],
      "name": "lastfm",
      "data": {
-        "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
-        "secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
+        "apiKey": "{{ vault_secrets['LASTFM_API_KEY'] }}",
+        "secret": "{{ vault_secrets['LASTFM_API_SECRET'] }}",
        "redirectUri": "http://localhost:9078/lastfm/callback"
      }
    },
@@ -49,7 +49,7 @@
      "clients": [],
      "name": "listenBrainz",
      "data": {
-        "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_LISTENBRAINZ_TOKEN'] }}",
+        "token": "{{ vault_secrets['MALOJA_LISTENBRAINZ_TOKEN'] }}",
        "username": "Trez.One"
      }
    },
@@ -61,7 +61,7 @@
      "data": {
        "url": "http://navidrome:4533",
        "user": "admin",
-        "password": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NAVIDROME_PASSWORD'] }}"
+        "password": "{{ vault_secrets['NAVIDROME_PASSWORD'] }}"
      }
    }
  ],
@@ -71,8 +71,8 @@
      "enable": true,
      "name": "lastFmClient",
      "data": {
-        "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
-        "secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
+        "apiKey": "{{ vault_secrets['LASTFM_API_KEY'] }}",
+        "secret": "{{ vault_secrets['LASTFM_API_SECRET'] }}",
        "redirectUri": "http://localhost:9078/lastfm/callback"
      }
    },
@@ -81,7 +81,7 @@
      "enable": true,
      "name": "ListenBrainzClient",
      "data": {
-        "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_LISTENBRAINZ_TOKEN'] }}",
+        "token": "{{ vault_secrets['MALOJA_LISTENBRAINZ_TOKEN'] }}",
        "username": "Trez.One"
      }
    },
@@ -91,7 +91,7 @@
      "name": "maloja",
      "data": {
        "url": "http://maloja:42010",
-        "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_API_KEY'] }}"
+        "apiKey": "{{ vault_secrets['MALOJA_API_KEY'] }}"
      }
    }
  ],
@@ -100,7 +100,7 @@
      "name": "Gotify",
      "type": "gotify",
      "url": "http://gotify",
-      "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MULTI_SCROBBLER_GOTIFY_TOKEN'] }}",
+      "token": "{{ vault_secrets['MULTI_SCROBBLER_GOTIFY_TOKEN'] }}",
      "priorities": {
        "info": 5,
        "warn": 7,
@@ -2,7 +2,7 @@
  "Stuns": [
    {
      "Proto": "udp",
-      "URI": "stun:netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:3478",
+      "URI": "stun:netbird.{{ vault_secrets['MY_TLD'] }}:3478",
      "Username": "",
      "Password": null
    }
@@ -11,9 +11,9 @@
    "Turns": [
      {
        "Proto": "udp",
-        "URI": "turn:netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:3478",
+        "URI": "turn:netbird.{{ vault_secrets['MY_TLD'] }}:3478",
        "Username": "self",
-        "Password": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_TURN_PASSWORD'] }}"
+        "Password": "{{ vault_secrets['NETBIRD_TURN_PASSWORD'] }}"
      }
    ],
    "CredentialsTTL": "12h",
@@ -22,14 +22,14 @@
  },
  "Relay": {
    "Addresses": [
-      "rel://netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:33080"
+      "rel://netbird.{{ vault_secrets['MY_TLD'] }}:33080"
    ],
    "CredentialsTTL": "24h",
-    "Secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_RELAY_AUTH_SECRET'] }}"
+    "Secret": "{{ vault_secrets['NETBIRD_RELAY_AUTH_SECRET'] }}"
  },
  "Signal": {
    "Proto": "https",
-    "URI": "netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:10001",
+    "URI": "netbird.{{ vault_secrets['MY_TLD'] }}:10001",
    "Username": "",
    "Password": null
  },
@@ -47,14 +47,14 @@
  },
  "HttpConfig": {
    "Address": "0.0.0.0:33073",
-    "AuthIssuer": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}",
+    "AuthIssuer": "https://auth.{{ vault_secrets['MY_TLD'] }}",
    "AuthAudience": "netbird",
-    "AuthKeysLocation": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/jwks.json",
+    "AuthKeysLocation": "https://auth.{{ vault_secrets['MY_TLD'] }}/jwks.json",
    "AuthUserIDClaim": "",
    "CertFile": "",
    "CertKey": "",
    "IdpSignKeyRefreshEnabled": true,
-    "OIDCConfigEndpoint": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/.well-known/openid-configuration"
+    "OIDCConfigEndpoint": "https://auth.{{ vault_secrets['MY_TLD'] }}/.well-known/openid-configuration"
  },
  "IdpManagerConfig": {},
  "DeviceAuthorizationFlow": {},
@@ -62,10 +62,10 @@
    "ProviderConfig": {
      "Audience": "netbird",
      "ClientID": "netbird",
-      "ClientSecret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_NETBIRD_CLIENT_SECRET'] }}",
+      "ClientSecret": "{{ vault_secrets['AUTHELIA_NETBIRD_CLIENT_SECRET'] }}",
      "Domain": "",
-      "AuthorizationEndpoint": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/api/oidc/authorization",
-      "TokenEndpoint": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/api/oidc/token",
+      "AuthorizationEndpoint": "https://auth.{{ vault_secrets['MY_TLD'] }}/api/oidc/authorization",
+      "TokenEndpoint": "https://auth.{{ vault_secrets['MY_TLD'] }}/api/oidc/token",
      "Scope": "openid profile email offline_access api",
      "RedirectURLs": [
        "http://localhost:53000"
@@ -250,7 +250,7 @@ lt-cred-mech
 #user=username1:key1
 #user=username2:key2
 # OR:
-user=self:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_TURN_PASSWORD'] }}
+user=self:{{ vault_secrets['NETBIRD_TURN_PASSWORD'] }}
 #user=username2:password2
 #
 # Keys must be generated by turnadmin utility. The key value depends
@@ -18,13 +18,13 @@ web_server:
 main_db:
  host: mariadb
  username: postal
-  password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_MYSQL_PASSWORD'] }}
+  password: {{ vault_secrets['POSTAL_MYSQL_PASSWORD'] }}
  database: postal

 message_db:
  host: mariadb
  username: postal
-  password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_MYSQL_PASSWORD'] }}
+  password: {{ vault_secrets['POSTAL_MYSQL_PASSWORD'] }}
  prefix: postal

 smtp_server:
@@ -52,11 +52,11 @@ smtp:
  host: postal-smtp
  port: 25
  username: rinoa/postal-smtp
-  password: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}"
+  password: "{{ vault_secrets['POSTAL_SMTP_AUTH_PASSWORD'] }}"
  from_name: Postal @ Rinoa
  from_address: noreply@trez.wtf

 rails:
  # This is generated automatically by the config initialization. It should be a random
  # string unique to your installation.
-  secret_key: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_RAILS_SECRET_KEY'] }}"
+  secret_key: "{{ vault_secrets['POSTAL_RAILS_SECRET_KEY'] }}"
@@ -7,7 +7,7 @@
  <SslPort>6969</SslPort>
  <EnableSsl>False</EnableSsl>
  <LaunchBrowser>True</LaunchBrowser>
-  <ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['PROWLARR_API_KEY'] }}</ApiKey>
+  <ApiKey>{{ vault_secrets['PROWLARR_API_KEY'] }}</ApiKey>
  <AuthenticationMethod>Forms</AuthenticationMethod>
  <AuthenticationRequired>Enabled</AuthenticationRequired>
  <Branch>master</Branch>
@@ -3,9 +3,9 @@

 {
    "radarr_address": "http://radarr:7878",
-    "radarr_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['RADARR_API_KEY'] }}",
+    "radarr_api_key": "{{ vault_secrets['RADARR_API_KEY'] }}",
    "root_folder_path": "/data/media/movies",
-    "tmdb_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['TMDB_API_KEY'] }}",
+    "tmdb_api_key": "{{ vault_secrets['TMDB_API_KEY'] }}",
    "fallback_to_top_result": false,
    "radarr_api_timeout": 120.0,
    "quality_profile_id": 1,
@@ -8,7 +8,7 @@
  <SslCertPath></SslCertPath>
  <Port>7878</Port>
  <UrlBase></UrlBase>
-  <ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['RADARR_API_KEY'] }}</ApiKey>
+  <ApiKey>{{ vault_secrets['RADARR_API_KEY'] }}</ApiKey>
  <AuthenticationMethod>Forms</AuthenticationMethod>
  <UpdateMechanism>Docker</UpdateMechanism>
  <SslPort>9898</SslPort>
@@ -7,7 +7,7 @@
  <SslPort>6868</SslPort>
  <EnableSsl>False</EnableSsl>
  <LaunchBrowser>True</LaunchBrowser>
-  <ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['READARR_API_KEY'] }}</ApiKey>
+  <ApiKey>{{ vault_secrets['READARR_API_KEY'] }}</ApiKey>
  <AuthenticationMethod>Forms</AuthenticationMethod>
  <Branch>develop</Branch>
  <LogLevel>info</LogLevel>
@@ -0,0 +1,48 @@
+# This is a generic example of a configuration file
+# Rename this file to `config.yml`, copy it to a `config` folder, and mount that folder as per the docker-compose.example.yml
+# Only uncomment the lines you want to use/modify, or add new ones where needed
+
+exclude:
+  # Exclude platforms to be scanned
+  platforms: [] # ['my_excluded_platform_1', 'my_excluded_platform_2']
+
+  # Exclude roms or parts of roms to be scanned
+  roms:
+    # Single file games section.
+    # Will not apply to files that are in sub-folders (multi-disc roms, games with updates, DLC, patches, etc.)
+    single_file:
+      # Exclude all files with certain extensions to be scanned
+      extensions: [] # ['xml', 'txt']
+
+      # Exclude matched file names to be scanned.
+      # Supports unix filename pattern matching
+      # Can also exclude files by extension
+      names: [] # ['info.txt', '._*', '*.nfo']
+
+    # Multi files games section
+    # Will apply to files that are in sub-folders (multi-disc roms, games with updates, DLC, patches, etc.)
+    multi_file:
+      # Exclude matched 'folder' names to be scanned (RomM identifies folders as multi file games)
+      names: [] # ['my_multi_file_game', 'DLC']
+
+      # Exclude files within sub-folders.
+      parts:
+        # Exclude matched file names to be scanned from multi file roms
+        # Keep in mind that RomM doesn't scan folders inside multi files games,
+        # so there is no need to exclude folders from inside of multi files games.
+        names: [] # ['data.xml', '._*'] # Supports unix filename pattern matching
+
+        # Exclude all files with certain extensions to be scanned from multi file roms
+        extensions: [] # ['xml', 'txt']
+
+system:
+  # Asociate different platform names to your current file system platform names
+  # [your custom platform folder name]: [RomM platform name]
+  # In this example if you have a 'gc' folder, RomM will treat it like the 'ngc' folder and if you have a 'psx' folder, RomM will treat it like the 'ps' folder
+  platforms: {} # { gc: 'ngc', psx: 'ps' }
+
+  # Asociate one platform to it's main version
+  versions: {} # { naomi: 'arcade' }
+
+# The folder name where your roms are located
+filesystem: {} # { roms_folder: 'roms' } For example if your folder structure is /home/user/library/roms_folder
@@ -22,7 +22,7 @@ host = 0.0.0.0
 port = 8080
 https_port = 8090
 username = thetrezuredone
-password = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SABNZBDVPN_PASSWORD'] }}
+password = {{ vault_secrets['SABNZBDVPN_PASSWORD'] }}
 bandwidth_max = 1000M
 cache_limit = 1G
 web_dir = Glitter
@@ -33,7 +33,7 @@ https_chain = ""
 enable_https = 1
 inet_exposure = 0
 local_ranges = ,
-api_key = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SABNZBDVPN_API_KEY'] }}
+api_key = {{ vault_secrets['SABNZBDVPN_API_KEY'] }}
 nzb_key = 3c0fa874bb2748b58c1bd7512e649946
 permissions = 775
 download_dir = /storage/downloads/incomplete
@@ -342,7 +342,7 @@ host = news.newshosting.com
 port = 563
 timeout = 60
 username = thetrezuredone
-password = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSK_USER_PASSWORD'] }}
+password = {{ vault_secrets['SLSK_USER_PASSWORD'] }}
 connections = 8
 ssl = 1
 ssl_verify = 3
@@ -363,7 +363,7 @@ host = news.easynews.com
 port = 443
 timeout = 60
 username = TrezOne
-password = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SABNZBDVPN_EASYNEWS_PASSWORD'] }}
+password = {{ vault_secrets['SABNZBDVPN_EASYNEWS_PASSWORD'] }}
 connections = 60
 ssl = 0
 ssl_verify = 3
@@ -82,7 +82,7 @@ server:
  # If your instance owns a /etc/searxng/settings.yml file, then set the following
  # values there.

-  secret_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SEARXNG_SECRET_KEY'] }}  # Is overwritten by ${SEARXNG_SECRET}
+  secret_key: {{ vault_secrets['SEARXNG_SECRET_KEY'] }}  # Is overwritten by ${SEARXNG_SECRET}
  # Proxying image results through searx
  image_proxy: true
  # 1.0 and 1.1 are supported
@@ -8,7 +8,7 @@
  <SslPort>9898</SslPort>
  <UrlBase></UrlBase>
  <BindAddress>*</BindAddress>
-  <ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SONARR_API_KEY'] }}</ApiKey>
+  <ApiKey>{{ vault_secrets['SONARR_API_KEY'] }}</ApiKey>
  <AuthenticationMethod>Forms</AuthenticationMethod>
  <UpdateMechanism>Docker</UpdateMechanism>
  <LaunchBrowser>True</LaunchBrowser>
@@ -3,10 +3,10 @@

 {
    "sonarr_address": "http://192.168.1.2:8989",
-    "sonarr_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SONARR_API_KEY'] }}",
+    "sonarr_api_key": "{{ vault_secrets['SONARR_API_KEY'] }}",
    "root_folder_path": "/data/media/shows",
    "tvdb_api_key": "",
-    "tmdb_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['TMDB_API_KEY'] }}",
+    "tmdb_api_key": "{{ vault_secrets['TMDB_API_KEY'] }}",
    "fallback_to_top_result": false,
    "sonarr_api_timeout": 120.0,
    "quality_profile_id": 1,
@@ -2,7 +2,7 @@
 {% set secrets_path = 'rinoa-docker/env' %}

 [Lidarr]
-api_key = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIDARR_API_KEY'] }}
+api_key = {{ vault_secrets['LIDARR_API_KEY'] }}
 host_url = http://lidarr:8686
 #This should be the path mounted in lidarr that points to your slskd download directory.
 #If Lidarr is not running in Docker then this may just be the same dir as Slskd is using below.
@@ -10,7 +10,7 @@ download_dir = /storage

 [Slskd]
 #Api key from Slskd. Need to set this up manually. See link to Slskd docs above.
-api_key = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSKD_API_KEY'] }}
+api_key = {{ vault_secrets['SLSKD_API_KEY'] }}
 host_url = http://gluetun:5030
 #Slskd download directory. Should have set it up when installing Slskd.
 download_dir = /app/downloads
@@ -198,15 +198,15 @@ rooms:
 web:
  authentication:
    username: slskd
-    password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSKD_WEB_PASSSWORD'] }}
+    password: {{ vault_secrets['SLSKD_WEB_PASSSWORD'] }}
    api_keys:
      my_api_key:
-        key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSKD_API_KEY'] }}
+        key: {{ vault_secrets['SLSKD_API_KEY'] }}
        role: readwrite
        cidr: 0.0.0.0/0,::/0
 soulseek:
  address: vps.slsknet.org
  port: 2271
  username: Trez.One
-  password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSK_USER_PASSWORD'] }}
+  password: {{ vault_secrets['SLSK_USER_PASSWORD'] }}
  diagnostic_level: Info
@@ -6,7 +6,7 @@
  "repos": [
      {
          "type": "gitea",
-          "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_GITEA_TOKEN'] }}",
+          "token": "{{ vault_secrets['GITEA_SONARQUBE_BOT_GITEA_TOKEN'] }}",
          "url": "https://git.trez.wtf",
          "revisions": {
              "branches": [
@@ -24,6 +24,6 @@
    <entry key='database.driver'>org.postgresql.Driver</entry>
    <entry key='database.url'>jdbc:postgresql://traccar-pg:5432/traccar-db</entry>
    <entry key='database.user'>traccar</entry>
-    <entry key='database.password'>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['WAZUH_API_PASSWORD'] }}</entry>
+    <entry key='database.password'>{{ vault_secrets['WAZUH_API_PASSWORD'] }}</entry>

 </properties>
@@ -21,7 +21,7 @@
      auth:
        strategy: basic
        user: admin
-        password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['PARSEABLE_PASSWORD'] }}
+        password: {{ vault_secrets['PARSEABLE_PASSWORD'] }}
      request:
        headers:
          X-P-Stream: rinoa-docker-logs
@@ -6,5 +6,5 @@ hosts:
      url: "https://wazuh.manager"
      port: 55000
      username: wazuh-wui
-      password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['WAZUH_API_PASSWORD'] }}
+      password: {{ vault_secrets['WAZUH_API_PASSWORD'] }}
      run_as: false
@@ -37,7 +37,7 @@ SMTPConfiguration:
    SMTP:
      # must include the port, like smtp.mailtrap.io:2525. IPv6 is also supported, like [2001:db8::1]:2525
      Host: 'postal-smtp:25'
-      User: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}
-      Password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}
+      User: {{ vault_secrets['POSTAL_SMTP_AUTH_USER'] }}
+      Password: {{ vault_secrets['POSTAL_SMTP_AUTH_PASSWORD'] }}
    From: 'noreply@trez.wtf'
    FromName: 'Zitadel @ Rinoa'
@@ -7,7 +7,7 @@ Database:
    User:
      # If the user doesn't exist already, it is created
      Username: 'zitadel'
-      Password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['ZITADEL_DB_PASSWORD'] }}
+      Password: {{ vault_secrets['ZITADEL_DB_PASSWORD'] }}
    Admin:
      Username: 'root'
-      Password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['ZITADEL_DB_ADMIN_PASSWORD'] }}
+      Password: {{ vault_secrets['ZITADEL_DB_ADMIN_PASSWORD'] }}
@@ -12,6 +12,12 @@
        mode: '0755'
      loop: "{{ query('fileglob', 'app-configs/*.j2') }}"

+    - name: Fetch Vault secrets once
+      ansible.builtin.set_fact:
+        vault_secrets: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env',
+          engine_mount_point='rinoa-docker', url=vault_addr,
+          token=vault_token_cleaned)['secret'] }}"
+
    - name: Deploy configuration templates
      ansible.builtin.template:
        src: "{{ item }}"
@@ -423,80 +423,6 @@ services:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /rinoa-storage:/extra-filesystems/rinoa-storage:ro
      - /dev/nvme0n1:/extra-filesystems/nvme0n1:ro
-  bitmagnet:
-    command:
-      - worker
-      - run
-      - --keys=http_server
-      - --keys=queue_server
-      - --keys=dht_crawler
-    container_name: bitmagnet
-    depends_on:
-      bitmagnet-pg-db:
-        condition: service_healthy
-        required: true
-      gluetun:
-        condition: service_started
-        required: true
-        restart: true
-    environment:
-      LOG_FILE_ROTATION_ENABLED: true
-      POSTGRES_HOST: bitmagnet-pg-db
-      POSTGRES_PASSWORD: ${BITMAGNET_POSTGRESQL_PASSWORD}
-      POSTGRES_USER: bitmagnet
-    image: ghcr.io/bitmagnet-io/bitmagnet:latest
-    labels:
-      homepage.group: Downloaders
-      homepage.name: Bitmagnet
-      homepage.href: https://btmag.${MY_TLD}
-      homepage.icon: sh-bitmagnet.png
-      homepage.description: Torrent indexer, DHT crawler, search engine, & content classifier
-      homepage.widget.type: gluetun
-      homepage.widget.url: http://gluetun:8000
-      swag: enable
-      swag_proto: http
-      swag_address: gluetun
-      swag_auth: authelia
-      swag_auth_bypass: /v1
-      swag_port: 3333
-      swag_url: btmag.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
-    network_mode: service:gluetun
-    restart: always
-    volumes:
-      - source: ${DOCKER_VOLUME_CONFIG}/bitmagnet
-        target: /root/.local/share/bitmagnet
-        type: bind
-        bind:
-          create_host_path: true
-  bitmagnet-pg-db:
-    container_name: bitmagnet-pg-db
-    environment:
-      POSTGRES_DB: bitmagnet
-      POSTGRES_PASSWORD: ${BITMAGNET_POSTGRESQL_PASSWORD}
-      POSTGRES_USER: bitmagnet
-    expose:
-      - 5432
-    healthcheck:
-      interval: 10s
-      start_period: 20s
-      test:
-        - CMD-SHELL
-        - pg_isready
-    image: postgres:17-alpine
-    networks:
-      bitmagnet:
-        ipv4_address: 192.168.55.8
-      default: null
-    restart: unless-stopped
-    shm_size: 1g
-    volumes:
-      - source: bitmagnet-pg-db
-        target: /var/lib/postgresql/data
-        type: volume
-        volume: {}
  bitwarden:
    container_name: bitwarden
    environment:
@@ -694,15 +620,6 @@ services:
    restart: unless-stopped
    volumes:
      - castopod-media:/var/www/castopod/public/media
-  cloudflared:
-    command: ['tunnel', '--no-autoupdate', 'run', '--token', '${CLOUDFLARED_TUNNEL_TOKEN}']
-    container_name: cloudflared
-    environment:
-      CLOUDFLARED_TUNNEL_KEY: ${CLOUDFLARED_TUNNEL_TOKEN}
-    image: 'cloudflare/cloudflared:latest'
-    restart: unless-stopped
-    volumes:
-      - ${DOCKER_VOLUME_CONFIG}/cloudflared:/etc/cloudflared
  cloudflareddns:
    container_name: cloudflareddns
    environment:
@@ -1088,83 +1005,29 @@ services:
      - ${DOCKER_VOLUME_CONFIG}/dawarich/sidekiq-entrypoint.sh:/usr/local/bin/sidekiq-entrypoint.sh
  dead-man-hand:
    container_name: dead-man-hand
+    image: ghcr.io/bkupidura/dead-man-hand:latest
    environment:
      DMH_CONFIG_FILE: /data/config.yaml
-    image: 'ghcr.io/bkupidura/dead-man-hand:latest'
-    ports:
-      - '8080:8080'
-    volumes:
-      - ${DOCKER_VOLUME_CONFIG}/dead-man-hand/data:/data
-  delugevpn:
-    cap_add:
-      - NET_ADMIN
-      - SYS_MODULE
-    container_name: delugevpn
-    environment:
-      ENABLE_PRIVOXY: "no"
-      LAN_NETWORK: 192.168.1.0/24
-      NAME_SERVERS: 192.168.1.254,1.1.1.1
-      PGID: "1000"
-      PUID: "1000"
-      TZ: America/New_York
-      VPN_CLIENT: openvpn
-      VPN_ENABLED: "yes"
-      VPN_INPUT_PORTS: ""
-      VPN_OPTIONS: ""
-      VPN_OUTPUT_PORTS: ""
-      VPN_PASS: ${DELUGEVPN_ENVIRONMENT_VPN_PASS}
-      VPN_PROV: pia
-      VPN_USER: ${DELUGEVPN_ENVIRONMENT_VPN_USER}
-    hostname: Rinoa
-    image: ghcr.io/binhex/arch-delugevpn:latest
    labels:
-      homepage.group: Downloaders
-      homepage.name: DelugeVPN
-      homepage.href: https://deluge.${MY_TLD}
-      homepage.icon: deluge.png
-      homepage.description: Torrent over VPN
-      homepage.widget.type: deluge
-      homepage.widget.url: http://delugevpn:8112
-      homepage.widget.password: ${DELUGEVPN_PASSWORD}
+      # homepage.group: Personal/Professional Services
+      # homepage.name: Dawarich
+      # homepage.href: https://loc.${MY_TLD}
+      # homepage.icon: dawarich.svg
+      # homepage.description: Self-hosted alternative to Google Location History
      swag: enable
-      swag_port: 8112
+      swag_port: 8080
      swag_proto: http
-      swag_url: deluge.${MY_TLD}
+      swag_url: dms.${MY_TLD}
      swag_server_custom_directive: |
        access_log /config/log/$$host_access.log ;
        error_log /config/log/$$host_error.log ;
      swag.uptime-kuma.enabled: true
-      swag.uptime-kuma.monitor.url: https://deluge.${MY_TLD}
+      swag.uptime-kuma.monitor.url: https://dms.${MY_TLD}
      swag.uptime-kuma.monitor.interval: 300
-    networks:
-      default: null
    ports:
-      - 58846:58846
-      - 58946:58946
-      - 6881:6881
-      - 8112:8112
-      - 8118:8118
-    privileged: true
-    restart: unless-stopped
-    sysctls:
-      net.ipv4.conf.all.src_valid_mark: "1"
+      - 25807:8080
    volumes:
-      - bind:
-          create_host_path: true
-        read_only: true
-        source: /etc/localtime
-        target: /etc/localtime
-        type: bind
-      - bind:
-          create_host_path: true
-        source: ${DOCKER_VOLUME_CONFIG}/delugevpn
-        target: /config
-        type: bind
-      - bind:
-          create_host_path: true
-        source: /rinoa-storage
-        target: /storage
-        type: bind
+      - ${DOCKER_VOLUME_CONFIG}/dead-man-hand:/data
  docker-socket-proxy:
    container_name: dockerproxy
    environment:
@@ -1279,7 +1142,7 @@ services:
  explo:
    container_name: explo
    environment:
-      CRON_SCHEDULE: 15 00 * * 2 # Runs weekly, every Tuesday 15 minutes past midnight (UTC time)
+      CRON_SCHEDULE: 0 8 * * 2 # Runs weekly, every Tuesday 15 minutes past midnight (UTC time)
      # Music system you use (emby, jellyfin, mpd, plex or subsonic)
      EXPLO_SYSTEM: subsonic
      SYSTEM_URL: http://navidrome:4533
@@ -1300,9 +1163,9 @@ services:
      # 'playlist' to get tracks from Weekly Exploration playlist, anything else gets it from API (not the best recommendations). 'test' will download 1 song
      LISTENBRAINZ_DISCOVERY: playlist
      # Time to sleep (in minutes) between scanning and querying tracks from your system (If using Subsonic, Jellyfin)
-      # SLEEP=2
+      SLEEP: 5
      # Whether to provide additional info for debugging
-      # DEBUG=false
+      DEBUG: true
      SINGLE_ARTIST: true
    image: ghcr.io/lumepart/explo:latest
    restart: unless-stopped
@@ -2964,22 +2827,10 @@ services:
      - 8686:8686
    restart: unless-stopped
    volumes:
-      - bind:
-          create_host_path: true
-        read_only: true
-        source: /etc/localtime
-        target: /etc/localtime
-        type: bind
-      - bind:
-          create_host_path: true
-        source: ${DOCKER_VOLUME_CONFIG}/lidarr
-        target: /config
-        type: bind
-      - bind:
-          create_host_path: true
-        source: /rinoa-storage
-        target: /storage
-        type: bind
+      - /etc/localtime:/etc/localtime:ro
+      - ${DOCKER_VOLUME_CONFIG}/lidarr:/config
+      - /rinoa-storage:/storage
+      - ${DOCKER_VOLUME_STORAGE}/downloads/:/downloads
  lidify:
    container_name: lidify
    environment:
@@ -3344,7 +3195,7 @@ services:
      MINIO_ACCESS_KEY: ${MINIO_MIMIR_STORAGE_ACCESS_KEY}
      MINIO_SECRET_KEY: ${MINIO_MIMIR_STORAGE_SECRET_KEY}
    hostname: minio
-    image: minio/minio
+    image: minio/minio:RELEASE.2025-04-22T22-12-26Z
    labels:
      swag: enable
      swag_proto: http
@@ -3905,12 +3756,12 @@ services:
        access_log /config/log/$$host_access.log ;
        error_log /config/log/$$host_error.log ;
      swag.uptime-kuma.enabled: true
-      swag.uptime-kuma.monitor.url: https://portall.${MY_TLD}
+      swag.uptime-kuma.monitor.url: https://ports.${MY_TLD}
      swag.uptime-kuma.monitor.interval: 300
      homepage.group: System Administration
      homepage.name: PortNote
-      homepage.href: https://portall.${MY_TLD}
-      homepage.icon: /icons/portnote.png
+      homepage.href: https://ports.${MY_TLD}
+      homepage.icon: port-note.png
      homepage.description: Management for container ports
    ports:
      - 23186:3000
@@ -4048,6 +3899,64 @@ services:
        source: /rinoa-storage
        target: /storage
        type: bind
+  qbittorrentvpn:
+    cap_add:
+      - NET_ADMIN
+      - SYS_MODULE
+    container_name: qbittorrentvpn
+    environment:
+      ENABLE_PRIVOXY: yes
+      ENABLE_SOCKS: yes
+      LAN_NETWORK: 192.168.1.0/24
+      NAME_SERVERS: 192.168.1.254,1.1.1.1
+      PGID: ${PGID}
+      PUID: ${PUID}
+      SOCKS_USER: admin
+      SOCKS_PASS: socks
+      TZ: ${TZ}
+      VPN_CLIENT: openvpn
+      VPN_ENABLED: "yes"
+      VPN_INPUT_PORTS: ""
+      VPN_OPTIONS: ""
+      VPN_OUTPUT_PORTS: ""
+      VPN_PASS: ${DELUGEVPN_ENVIRONMENT_VPN_PASS}
+      VPN_PROV: pia
+      VPN_USER: ${DELUGEVPN_ENVIRONMENT_VPN_USER}
+      WEBUI_PORT: 8080
+    image: ghcr.io/binhex/arch-qbittorrentvpn:latest
+    labels:
+      homepage.group: Downloaders
+      homepage.name: qBittorrent
+      homepage.href: https://qbit.${MY_TLD}
+      homepage.icon: qBittorrent.svg
+      homepage.description: qbittorrentvpn over VPN
+      homepage.widget.type: qbittorrent
+      homepage.widget.url: http://qbittorrentvpn:8080
+      homepage.widget.user: admin
+      homepage.widget.password: ${DELUGEVPN_PASSWORD}
+      swag: enable
+      swag_port: 8080
+      swag_proto: http
+      swag_url: qbit.${MY_TLD}
+      swag_server_custom_directive: |
+        access_log /config/log/$$host_access.log ;
+        error_log /config/log/$$host_error.log ;
+      swag.uptime-kuma.enabled: true
+      swag.uptime-kuma.monitor.url: https://qbit.${MY_TLD}
+      swag.uptime-kuma.monitor.interval: 300
+    ports:
+      - 58846:58846
+      - 58946:58946/udp
+      - 8118:8118
+      - 9118:9118
+      - 38927:8080
+    restart: unless-stopped
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - ${DOCKER_VOLUME_CONFIG}/.openvpn:/config/openvpn
+      - ${DOCKER_VOLUME_CONFIG}/qbittorrent/:/config
+      - ${DOCKER_VOLUME_CONFIG}/qbittorrent/data:/data
+      - ${DOCKER_VOLUME_STORAGE}/downloads:/downloads
  radarec:
    container_name: radarec
    environment:
@@ -4136,22 +4045,10 @@ services:
      - 7878:7878
    restart: unless-stopped
    volumes:
-      - bind:
-          create_host_path: true
-        read_only: true
-        source: /etc/localtime
-        target: /etc/localtime
-        type: bind
-      - bind:
-          create_host_path: true
-        source: ${DOCKER_VOLUME_CONFIG}/radarr
-        target: /config
-        type: bind
-      - bind:
-          create_host_path: true
-        source: /rinoa-storage
-        target: /storage
-        type: bind
+      - /etc/localtime:/etc/localtime:ro
+      - ${DOCKER_VOLUME_CONFIG}/radarr:/config
+      - /rinoa-storage:/storage
+      - ${DOCKER_VOLUME_STORAGE}/downloads/:/downloads
  reactive-resume:
    container_name: reactive-resume
    depends_on:
@@ -4253,22 +4150,10 @@ services:
      - 8787:8787
    restart: unless-stopped
    volumes:
-      - bind:
-          create_host_path: true
-        read_only: true
-        source: /etc/localtime
-        target: /etc/localtime
-        type: bind
-      - bind:
-          create_host_path: true
-        source: ${DOCKER_VOLUME_CONFIG}/readarr
-        target: /config
-        type: bind
-      - bind:
-          create_host_path: true
-        source: /rinoa-storage
-        target: /storage
-        type: bind
+      - /etc/localtime:/etc/localtime:ro
+      - ${DOCKER_VOLUME_CONFIG}/readarr:/config
+      - /rinoa-storage:/storage
+      - ${DOCKER_VOLUME_STORAGE}/downloads/:/downloads
  redis:
    cap_add:
      - SETGID
@@ -4382,6 +4267,75 @@ services:
      swag.uptime-kuma.monitor.url: https://chat.${MY_TLD}
      swag.uptime-kuma.monitor.interval: 300
    restart: always
+  romm:
+    container_name: romm
+    depends_on:
+      mariadb:
+        condition: service_started
+        restart: true
+    image: rommapp/romm:latest
+    environment:
+      ROMM_DB_DRIVER: mariadb # mariadb | sqlite (default: sqlite)
+      ROMM_HOST: https://localhost:3000 # [Optional] your host ip or domain name (including http(s)://, subdomain and port if needed). Being used only for webRcade feed for now.
+      # [Optional] Only required if using MariaDB as the database
+      DB_HOST: mariadb
+      DB_PORT: 3306
+      DB_USER: romm
+      DB_NAME: romm # Should match the MYSQL_DATABASE value in the mariadb container
+      DB_PASSWD: ${ROMM_MARIADB_PASSWORD}
+      # [Optional WIP] Use SteamGridDB as a source for covers
+      # STEAMGRIDDB_API_KEY: <SteamGridDB api key>
+      # [Optional] Will enable user management and require authentication to access the interface (disabled by default)
+      ROMM_AUTH_ENABLED: true # default: false
+      ROMM_AUTH_SECRET_KEY: ${ROMM_AUTH_SECRET_KEY} # Generate a key with `openssl rand -hex 32`
+      ROMM_AUTH_USERNAME: admin # default: admin
+      ROMM_AUTH_PASSWORD: ${ROMM_AUTH_PASSWORD} # default: admin
+      # [Optional] Only required if authentication is enabled
+      ENABLE_EXPERIMENTAL_REDIS: false # default: false
+      # REDIS_HOST: redis # default: localhost
+      # REDIS_PORT: 6379 # default: 6379
+      # REDIS_PASSWORD: # [Optional] Support for secured redis
+      # [Optional] Will enable asynchronous tasks (all disabled by default)
+      # Important: Do NOT wrap the cron expression in quotes
+      ENABLE_RESCAN_ON_FILESYSTEM_CHANGE: true # Runs a quick scan on the library when a file is added or removed 
+      RESCAN_ON_FILESYSTEM_CHANGE_DELAY: 5 # Delay in seconds before running the quick scan (default: 5)
+      ENABLE_SCHEDULED_RESCAN: true # Runs a quick scan on the library at a given time
+      SCHEDULED_RESCAN_CRON: 0 3 * * * # Cron expression for the scheduled scan (default: 0 3 * * * At 3:00 AM every day)
+      ENABLE_SCHEDULED_UPDATE_SWITCH_TITLEDB: true # Updates the Switch TitleDB database at a given time
+      SCHEDULED_UPDATE_SWITCH_TITLEDB_CRON: 0 4 * * * # Cron expression for the scheduled update (default: 0 4 * * * At 4:00 AM every day)
+      ENABLE_SCHEDULED_UPDATE_MAME_XML: true # Updates the MAME XML database at a given time
+      SCHEDULED_UPDATE_MAME_XML_CRON: 0 5 * * * # Cron expression for the scheduled update (default: 0 5 * * * At 5:00 AM every day)
+      IGDB_CLIENT_ID:  ${ROMM_IGDB_CLIENT_ID} # Generate an ID and SECRET in IGDB
+      IGDB_CLIENT_SECRET: ${ROMM_IGDB_CLIENT_SECRET} # https://docs.romm.app/latest/Getting-Started/Generate-API-Keys/#igdb
+      MOBYGAMES_API_KEY:  # https://docs.romm.app/latest/Getting-Started/Generate-API-Keys/#mobygames
+      STEAMGRIDDB_API_KEY: ${ROMM_STEAMGRIDDB_API_KEY} # https://docs.romm.app/latest/Getting-Started/Generate-API-Keys/#steamgriddb
+      SCREENSCRAPER_USER: ${ROMM_SCREENSCRAPER_USERNAME} # Use your ScreenScraper username and password
+      SCREENSCRAPER_PASSWORD: ${ROMM_SCREENSCRAPER_PASSWORD} # https://docs.romm.app/latest/Getting-Started/Generate-API-Keys/#screenscraper
+    labels:
+      homepage.group: Media Library
+      homepage.name: RomM
+      homepage.href: https://romm.${MY_TLD}
+      homepage.icon: romm.svg
+      homepage.description: Beautiful, powerful, self-hosted ROM manager
+      homepage.widget.type: romm
+      homepage.widget.url: http://romm:8080
+      swag: enable
+      swag_proto: http
+      swag_url: romm.${MY_TLD}
+      swag_server_custom_directive: |
+        access_log /config/log/$$host_access.log ;
+        error_log /config/log/$$host_error.log ;
+      swag.uptime-kuma.enabled: true
+      swag.uptime-kuma.monitor.url: https://romm.${MY_TLD}
+      swag.uptime-kuma.monitor.interval: 300
+    ports:
+      - 30229:8080
+    restart: unless-stopped
+    volumes:
+      - romm_resources:/romm/resources # Resources fetched from IGDB (covers, screenshots, etc.)
+      - ${DOCKER_VOLUME_STORAGE}/roms:/romm/library # Your game library. Check https://github.com/rommapp/romm?tab=readme-ov-file#folder-structure for more details.
+      - ${DOCKER_VOLUME_STORAGE}/roms/assets:/romm/assets # Uploaded saves, states, etc.
+      - ${DOCKER_VOLUME_CONFIG}/romm:/romm/config # Path where config.yml is stored
  sabnzbdvpn:
    cap_add:
      - NET_ADMIN
@@ -4451,6 +4405,29 @@ services:
        source: /rinoa-storage
        target: /storage
        type: bind
+  sablier:
+    container_name: sablier
+    environment:
+      PROVIDER_NAME: docker
+      SERVER_PORT: 10000
+      SERVER_BASE_PATH: /
+      STORAGE_FILE: /opt/sablier/state
+      SESSIONS_DEFAULT_DURATION: 5m
+      SESSIONS_EXPIRATION_INTERVAL: 20s
+      LOGGING_LEVEL: trace
+      STRATEGY_DYNAMIC_CUSTOM_THEMES_PATH: /opt/sablier/custom_themes
+      STRATEGY_DYNAMIC_SHOW_DETAILS_BY_DEFAULT: false
+      STRATEGY_DYNAMIC_DEFAULT_THEME: hacker-terminal
+      STRATEGY_DYNAMIC_DEFAULT_REFRESH_FREQUENCY: 5s
+      STRATEGY_BLOCKING_DEFAULT_TIMEOUT: 1m
+    image: sablierapp/sablier:latest
+    ports:
+      - 19311:10000
+    restart: unless-stopped
+    volumes:
+      - ${DOCKER_VOLUME_CONFIG}/sablier/state:/opt/sablier/state
+      - ${DOCKER_VOLUME_CONFIG}/sablier/custom_themes:/opt/sablier/custom_themes
+      - /var/run/docker.sock:/var/run/docker.sock
  scraperr:
    command:
      - npm
@@ -4490,6 +4467,7 @@ services:
      OLLAMA_URL: http://ollama:11434
      OLLAMA_MODEL: phi3
      MONGODB_URI: mongodb://scraperr:${SCRAPERR_MONGODB_PASSWORD}@mongodb:27017/scraperr?replicaSet=rinoa
+      REGISTRATION_ENABLED: true
      SECRET_KEY: ${SCRAPERR_SECRET_KEY}
      ALGORITHM: HS256
      ACCESS_TOKEN_EXPIRE_MINUTES: 600
@@ -4722,22 +4700,10 @@ services:
      - 8989:8989
    restart: unless-stopped
    volumes:
-      - bind:
-          create_host_path: true
-        read_only: true
-        source: /etc/localtime
-        target: /etc/localtime
-        type: bind
-      - bind:
-          create_host_path: true
-        source: ${DOCKER_VOLUME_CONFIG}/sonarr
-        target: /config
-        type: bind
-      - bind:
-          create_host_path: true
-        source: /rinoa-storage
-        target: /storage
-        type: bind
+      - /etc/localtime:/etc/localtime:ro
+      - ${DOCKER_VOLUME_CONFIG}/sonarr:/config
+      - /rinoa-storage:/storage
+      - ${DOCKER_VOLUME_STORAGE}/downloads/:/downloads
  sonashow:
    container_name: sonashow
    environment:
@@ -4847,6 +4813,7 @@ services:
      homepage.icon: /icons/stable-diffusion.png
      swag: enable
      swag_port: 7860
+      swag_auth: authelia
      swag_proto: http
      swag_url: sd.${MY_TLD}
      swag_server_custom_directive: |
@@ -4913,7 +4880,8 @@ services:
      VALIDATION: dns
      CROWDSEC_API_KEY: ${CROWDSEC_API_KEY}
      CROWDSEC_LAPI_URL: http://crowdsec:8080
-      DOCKER_MODS: linuxserver/mods:universal-docker|linuxserver/mods:swag-auto-reload|linuxserver/mods:swag-auto-proxy|linuxserver/mods:swag-dashboard|linuxserver/mods:swag-maxmind|linuxserver/mods:universal-stdout-logs #|ghcr.io/linuxserver/mods:swag-crowdsec#|linuxserver/mods:swag-auto-uptime-kuma
+      DOCKER_MODS: linuxserver/mods:universal-docker|linuxserver/mods:swag-auto-reload|linuxserver/mods:swag-auto-proxy|linuxserver/mods:swag-dashboard|linuxserver/mods:swag-maxmind|linuxserver/mods:universal-stdout-logs|linuxserver/mods:universal-package-install #|ghcr.io/linuxserver/mods:swag-crowdsec#|linuxserver/mods:swag-auto-uptime-kuma
+      INSTALL_PACKAGES: nginx-mod-http-js
      PROPAGATION: 30
      UPTIME_KUMA_PASSWORD: ${UPTIME_KUMA_PASSWORD}
      UPTIME_KUMA_URL: http://uptimekuma:3001
@@ -4945,28 +4913,11 @@ services:
      - 81:81
    restart: unless-stopped
    volumes:
-      - bind:
-          create_host_path: true
-        read_only: true
-        source: /etc/localtime
-        target: /etc/localtime
-        type: bind
-      - bind:
-          create_host_path: true
-        source: ${DOCKER_VOLUME_CONFIG}/swag
-        target: /config
-        type: bind
-      - bind:
-          create_host_path: true
-        source: /rinoa-storage
-        target: /storage
-        type: bind
-      - bind:
-          create_host_path: true
-        read_only: true
-        source: /var/run/docker.sock
-        target: /var/run/docker.sock
-        type: bind
+      - /etc/localtime:/etc/localtime:ro
+      - ${DOCKER_VOLUME_CONFIG}/swag:/config
+      - ${DOCKER_VOLUME_CONFIG}/sablier/sablier.js:/etc/nginx/conf.d/sablier.js
+      - /rinoa-storage:/storage
+      - /var/run/docker.sock:/var/run/docker.sock:ro
  tandoor:
    container_name: tandoor-recipes
    depends_on:
@@ -5239,6 +5190,8 @@ services:
      homepage.href: https://subs.${MY_TLD}
      homepage.icon: wallos.png
      homepage.description: Subscription Tracking
+      sablier.enable: true
+      sablier.group: rinoa
      swag: enable
      swag_proto: http
      swag_url: subs.${MY_TLD}
@@ -5322,8 +5275,11 @@ services:
      swag_url: scan.${MY_TLD}
      swag_port: 3000
      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
+        include /config/nginx/sablier-server.conf;
+
+        location / {
+              proxy_pass http://immich-public-proxy:3000;
+        }
      swag.uptime-kuma.enabled: true
      swag.uptime-kuma.monitor.url: https://scan.${MY_TLD}
      swag.uptime-kuma.monitor.interval: 300
@@ -5336,9 +5292,82 @@ services:
    container_name: whodb
    image: clidey/whodb
    environment:
-      WHODB_POSTGRES_1: '[{"host":"authelia-pg","user":"authelia","password":"${AUTHELIA_STORAGE_POSTGRES_PASSWORD}","database":"authelia"},{"host":"bitmagnet-pg-db","user":"bitmagnet","password":"${BITMAGNET_POSTGRESQL_PASSWORD}","database":"bitmagnet"},{"host":"dawarich-pg-db","user":"dawarich","password":"${DAWARICH_PG_PASSWORD}","database":"dawarich"},{"host":"gitea-db","user":"gitea","password":"${GITEA_PG_DB_PASSWORD}","database":"gitea"},{"host":"immich-pg-db","user":"immich","password":"${IMMICH_DB_PASSWORD}","database":"immich"},{"host":"invidious-db","user":"kemal","password":"${INVID_PG_DB_PASSWORD}","database":"invidious"},{"host":"librechat-vectordb","user":"librechat","password":"${LIBRECHAT_PG_DB_PASSWD}","database":"librechat"},{"host":"mastodon-pg-db","user":"mastodon","password":"${MASTODON_PG_DB_PASSWORD}","database":"mastodon"},{"host":"reactive-resume-pg","user":"reactiveresume","password":"${REACTIVE_RESUME_PGSQL_PASSWORD}","database":"reactiveresume"},{"host":"sonarqube-pg-db","user":"sonar","password":"${SONARQUBE_POSTGRES_PASSWORD}","database":"sonar"},{"host":"tandoor-pg","user":"tandoor","password":"${TANDOOR_POSTGRES_PASSWORD}","database":"tandoor"},{"host":"zammad-postgresql","user":"zammad","password":"${ZAMMAD_POSTGRES_PASS}","database":"zammad_production"}]'
-      WHODB_MARIADB_1: '[{"host":"mariadb","user":"root","password":"${MARIADB_ENVIRONMENT_MYSQL_ROOT_PASSWORD}","database":"mysql"}]'
-      WHODB_MONGODB_1: '{"host":"mongodb:27017/admin?replicaSet=rinoa","user":"root","password":"${MONGO_INITDB_ROOT_PASSWORD}"}'
+      WHODB_POSTGRES_1: '{
+            "host": "authelia-pg",
+            "user": "authelia",
+            "password": "${AUTHELIA_STORAGE_POSTGRES_PASSWORD}",
+            "database": "authelia"
+          }'
+      WHODB_POSTGRES_2: '{
+            "host": "dawarich-pg-db",
+            "user": "dawarich",
+            "password": "${DAWARICH_PG_PASSWORD}",
+            "database": "authelia"
+          }'
+      WHODB_POSTGRES_3: '{
+            "host": "gitea-db",
+            "user": "gitea",
+            "password": "${GITEA_PG_DB_PASSWORD}",
+            "database": "gitea"
+          }'
+      WHODB_POSTGRES_4: '{
+            "host": "immich-pg-db",
+            "user": "immich",
+            "password": "${IMMICH_DB_PASSWORD}",
+            "database": "immich"
+          }'
+      WHODB_POSTGRES_5: '{
+            "host": "invidious-db",
+            "user": "kemal",
+            "password": "${INVID_PG_DB_PASSWORD}",
+            "database": "invidious"
+          }'
+      WHODB_POSTGRES_6: '{
+            "host": "librechat-vectordb",
+            "user": "librechat",
+            "password": "${LIBRECHAT_PG_DB_PASSWD}",
+            "database": "librechat"
+          }'
+      WHODB_POSTGRES_7: '{
+            "host": "mastodon-pg-db",
+            "user": "mastodon",
+            "password": "${MASTODON_PG_DB_PASSWORD}",
+            "database": "mastodon"
+          }'
+      WHODB_POSTGRES_8: '{
+            "host": "reactive-resume-pg",
+            "user": "reactiveresume",
+            "password": "${REACTIVE_RESUME_PGSQL_PASSWORD}",
+            "database": "reactiveresume"
+          }'
+      WHODB_POSTGRES_9: '{
+            "host": "sonarqube-pg-db",
+            "user": "sonar",
+            "password": "${SONARQUBE_POSTGRES_PASSWORD}",
+            "database": "sonar"
+          }'
+      WHODB_POSTGRES_10: '{
+            "host": "tandoor-pg",
+            "user": "tandoor",
+            "password": "${TANDOOR_POSTGRES_PASSWORD}",
+            "database": "tandoor"
+          }'
+      WHODB_POSTGRES_11: '{
+            "host": "zammad-postgresql",
+            "user": "zammad",
+            "password": "${ZAMMAD_POSTGRES_PASS}",
+            "database": "zammad_production"
+          }'
+      WHODB_MARIADB_1: '{
+          "host": "mariadb",
+          "user": "root",
+          "password": "${MARIADB_ENVIRONMENT_MYSQL_ROOT_PASSWORD}"
+        }'
+      WHODB_MONGODB_1: '{
+          "host": "mongodb:27017/admin?replicaSet=rinoa",
+          "user": "root",
+          "password": "${MONGO_INITDB_ROOT_PASSWORD}"
+        }'
      WHODB_OLLAMA_HOST: ollama
      WHODB_OLLAMA_PORT: 11434
      WHODB_ANTHROPIC_API_KEY: ${LIBRECHAT_ANTHROPIC_API_KEY}
@@ -5350,8 +5379,9 @@ services:
      homepage.name: WhoDB
      homepage.href: https://dbs.${MY_TLD}
      homepage.icon: whodb.png
-      homepage.description: Database-as-Code CI/CD
+      homepage.description: Lightweight next-gen database explorer
      swag: enable
+      swag_auth: authelia
      swag_port: 8080
      swag_proto: http
      swag_url: dbs.${MY_TLD}
@@ -5502,10 +5532,6 @@ services:
 volumes:
  authelia-pg-db:
    name: authelia-pg-db
-  bitmagnet-pg-db:
-    name: bitmagnet-pg-db
-  bunkerweb-storage:
-    name: bunkerweb-storage
  castopod-media:
    name: castopod-media
  crowdsec-config:
@@ -5520,8 +5546,6 @@ volumes:
    name: dawarich_public
  dawarich_watched:
    name: dawarich_watched
-  docker-volume-bkup-data:
-    name: docker-volume-bkup-data
  fastenhealth-cache:
    name: fastenhealth-cache
  fastenhealth-db:
@@ -5608,6 +5632,8 @@ volumes:
    name: portnote-db-data
  reactive-resume-pg:
    name: reactive-resume-pg
+  romm_resources:
+    name: romm_resources
  semaphore_config:
    name: semaphore_config
  semaphore_data:
Author	SHA1	Message	Date
Trez.One	b15306539f	Merge remote-tracking branch 'refs/remotes/origin/ansible-dry-fixes_5-20-25' into ansible-dry-fixes_5-20-25 Gitea Branch PR & Ansible Deployment / Check and Create PR (push) Has been cancelled Details Gitea Branch PR & Ansible Deployment / Ansible Linting (push) Has been cancelled Details Gitea Branch PR & Ansible Deployment / PR Merge (push) Has been cancelled Details Gitea Branch PR & Ansible Deployment / Ansible Playbook Run (Service Configs) (push) Has been cancelled Details Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / Check and Create PR (push) Has been cancelled Details Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / Docker Compose Dry Run (push) Has been cancelled Details Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / Cloudflare DNS Setup (push) Has been cancelled Details Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / Update README & Generate List of Modified Services (push) Has been cancelled Details Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / PR Merge (push) Has been cancelled Details Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / Docker Compose Deployment (push) Has been cancelled Details	2025-05-26 09:13:29 -04:00
Trez.One	9b6aaacdac	Renaming Grafana alloy config.	2025-05-26 09:12:02 -04:00
Trez.One	22ba4743ef	Renaming Grafana alloy config.	2025-05-26 09:12:02 -04:00
Trez.One	a708d28446	Changing order of tasks in playbook.	2025-05-26 09:12:02 -04:00
Trez.One	2cf916fa05	Small fixes.	2025-05-26 09:12:02 -04:00
Trez.One	05eb209229	Small fixes.	2025-05-26 09:12:02 -04:00
Trez.One	9c30f3972b	Small fixes.	2025-05-26 09:12:02 -04:00
Trez.One	f96433be4f	Small fixes.	2025-05-26 09:12:02 -04:00
Trez.One	296d4b6c35	Small fixes.	2025-05-26 09:12:02 -04:00
Trez.One	711d9cbfa9	Small fixes.	2025-05-26 09:12:02 -04:00
Trez.One	cd5f996f39	Ansible DRY fixes for Vault lookups.	2025-05-26 09:12:02 -04:00
Trez.One	fcf3687b25	Sablier testing with Web-Check. Auto-Unseal for Vault / Unseal Vault (push) Failing after 14m54s Details	2025-05-25 15:52:55 -04:00
Trez.One	189fe886b2	Reverting to earlier tag for MinIO due to license change.	2025-05-25 15:41:22 -04:00
gitea-sonarqube-bot	5227fde5f4	Auto Merge of PR 56 - sablier-swag-middleware-service-labels-arr-fixes Merged by Trez.One	2025-05-25 12:45:23 -04:00
Trez.One	b78eb5fd2e	Adding Sablier labels and configs for testing; fixing volumes for *arr services. Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / Check and Create PR (push) Successful in 7m2s Details Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / Docker Compose Dry Run (push) Successful in 15m9s Details Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / Cloudflare DNS Setup (push) Successful in 8m22s Details Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / Update README & Generate List of Modified Services (push) Successful in 4m53s Details Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / PR Merge (push) Successful in 47s Details Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / Docker Compose Deployment (push) Failing after 15m42s Details	2025-05-25 12:07:51 -04:00
gitea-sonarqube-bot	1047687a3e	Auto Merge of PR 55 - sablier-service-deployment Merged by Trez.One	2025-05-25 10:46:59 -04:00
Trez.One	d00fac81fd	chore: Update README	2025-05-25 14:44:45 +00:00
Trez.One	02799b4aa0	Adding Sablier service. Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / Check and Create PR (push) Successful in 4m58s Details Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / Docker Compose Dry Run (push) Failing after 11m35s Details Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / Cloudflare DNS Setup (push) Successful in 47s Details Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / Update README & Generate List of Modified Services (push) Successful in 4m26s Details Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / PR Merge (push) Successful in 4m40s Details Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / Docker Compose Deployment (push) Failing after 10m4s Details	2025-05-25 09:32:50 -04:00
gitea-sonarqube-bot	209da35c96	Auto Merge of PR 54 - romm-deployment-bitmagnet-removal_5-22-25 Auto-Unseal for Vault / Unseal Vault (push) Failing after 14m52s Details Merged by Trez.One	2025-05-24 13:41:52 -04:00
Trez.One	bcb9a51b7b	chore: Update README	2025-05-24 17:40:36 +00:00
Trez.One	6c655d113b	Authelia auth for Stable Diffusion. Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / Check and Create PR (push) Successful in 1m31s Details Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / Docker Compose Dry Run (push) Successful in 9m0s Details Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / Cloudflare DNS Setup (push) Successful in 2m39s Details Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / Update README & Generate List of Modified Services (push) Successful in 8m1s Details Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / PR Merge (push) Successful in 25s Details Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / Docker Compose Deployment (push) Failing after 24m41s Details	2025-05-24 12:45:25 -04:00
Trez.One	c5ea2abc66	Merge remote-tracking branch 'refs/remotes/origin/romm-deployment-bitmagnet-removal_5-22-25' into romm-deployment-bitmagnet-removal_5-22-25 Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / Docker Compose Dry Run (push) Blocked by required conditions Details Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / Cloudflare DNS Setup (push) Blocked by required conditions Details Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / Update README & Generate List of Modified Services (push) Blocked by required conditions Details Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / PR Merge (push) Blocked by required conditions Details Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / Docker Compose Deployment (push) Blocked by required conditions Details Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / Check and Create PR (push) Has been cancelled Details	2025-05-24 12:41:41 -04:00
Trez.One	9ccefc8ed3	Pipeline fixes related to service list outputs.	2025-05-24 12:41:19 -04:00
Trez.One	e232b7099a	Removing Cloudflared.	2025-05-24 12:41:19 -04:00
Trez.One	0f696de680	chore: Update README	2025-05-24 15:26:49 +00:00
Trez.One	fe6a9e12bd	Fixing dependency for RomM. Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / Check and Create PR (push) Successful in 15m21s Details Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / Cloudflare DNS Setup (push) Has been cancelled Details Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / Docker Compose Dry Run (push) Has been cancelled Details Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / Update README & Generate List of Modified Services (push) Has been cancelled Details Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / PR Merge (push) Has been cancelled Details Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / Docker Compose Deployment (push) Has been cancelled Details	2025-05-24 10:52:00 -04:00
Trez.One	ffe0ad3304	Renaming of some jobs, container registry login, and deploy args.	2025-05-24 10:11:30 -04:00
Trez.One	7f682dc66a	Adding RomM service.	2025-05-24 10:10:25 -04:00
Trez.One	3631009eba	WhoDB profile final touches and adding auth for WhoDB.	2025-05-24 08:28:58 -04:00
Trez.One	966323fa9e	WhoDB profile fixes (take #4 ).	2025-05-24 08:26:34 -04:00
Trez.One	25a0e65267	WhoDB profile fixes (take #4 ).	2025-05-24 08:21:16 -04:00
Trez.One	b28a609f77	WhoDB profile fixes (take #4 ).	2025-05-24 08:20:06 -04:00
Trez.One	a8c47eb96d	WhoDB profile fixes (take #4 ).	2025-05-24 08:12:44 -04:00
Trez.One	a8cb2974be	WhoDB profile fixes (take #4 ).	2025-05-24 07:53:08 -04:00
Trez.One	d1c3c51f9a	WhoDB profile fixes (take #4 ).	2025-05-24 06:28:44 -04:00
Trez.One	b91696275d	WhoDB profile fixes (take #4 ).	2025-05-24 06:26:20 -04:00
Trez.One	bb4f386989	WhoDB profile fixes (for real for real). Auto-Unseal for Vault / Unseal Vault (push) Failing after 13m53s Details	2025-05-23 21:07:00 -04:00
Trez.One	11043246cb	WhoDB profile fixes (for real for real).	2025-05-23 21:05:14 -04:00
Trez.One	7a259b340d	WhoDB profile fixes (for real for real).	2025-05-23 21:01:13 -04:00
Trez.One	32ccef63cf	WhoDB switch from port to expose.	2025-05-23 20:54:20 -04:00
Trez.One	20f40464c7	WhoDB profile fixes (for real).	2025-05-23 20:52:30 -04:00
Trez.One	abfd320791	WhoDB profile testing.	2025-05-23 20:25:28 -04:00
Trez.One	0efcf40812	WhoDB profile ports.	2025-05-23 09:33:16 -04:00
Trez.One	a27d66eab9	WhoDB profile ports.	2025-05-23 09:05:27 -04:00
Trez.One	a639afe90b	WhoDB profile ports.	2025-05-23 08:40:21 -04:00
Trez.One	69ee20aa75	WhoDB profile tweak.	2025-05-23 07:46:03 -04:00
Trez.One	16f94987a9	WhoDB env tweaks. Auto-Unseal for Vault / Unseal Vault (push) Failing after 14m43s Details	2025-05-22 20:34:47 -04:00
Trez.One	305f81bbdc	Renaming Grafana alloy config. Gitea Branch PR & Ansible Deployment / Ansible Playbook Run (Service Configs) (push) Blocked by required conditions Details Gitea Branch PR & Ansible Deployment / Ansible Linting (push) Blocked by required conditions Details Gitea Branch PR & Ansible Deployment / PR Merge (push) Blocked by required conditions Details Gitea Branch PR & Ansible Deployment / Check and Create PR (push) Failing after 11m22s Details	2025-05-21 09:17:04 -04:00
Trez.One	77bb59f594	Renaming Grafana alloy config.	2025-05-21 09:16:28 -04:00
Trez.One	9d672044cc	qBittorrent volume fixes. Auto-Unseal for Vault / Unseal Vault (push) Failing after 12m47s Details	2025-05-21 07:53:00 -04:00
Trez.One	9dc0495132	qBittorrent volume fixes.	2025-05-21 07:52:22 -04:00
Trez.One	e26d009253	qBittorrent volume fixes.	2025-05-21 07:23:53 -04:00
Trez.One	374dda540e	Scraperr registration.	2025-05-21 06:41:43 -04:00
Trez.One	c5da9593de	Label tweaks for Port-Note.	2025-05-21 06:27:51 -04:00
Trez.One	fde3a018b2	qBittorrent volume fixes. Auto-Unseal for Vault / Unseal Vault (push) Failing after 13m37s Details	2025-05-20 17:53:33 -04:00
Trez.One	a260c1f1ca	qBittorrent env fix.	2025-05-20 17:49:40 -04:00
gitea-sonarqube-bot	0d0cc5d1c3	Auto Merge of PR 53 - deluge-replacement-qbitorrent-deployment Merged by Trez.One	2025-05-20 13:10:03 -04:00
Trez.One	94d26e2af1	Merge remote-tracking branch 'refs/remotes/origin/deluge-replacement-qbitorrent-deployment' into deluge-replacement-qbitorrent-deployment Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / Check and Create PR (push) Successful in 4m56s Details Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / Docker Compose & Ansible Lints (push) Successful in 2m5s Details Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / Cloudflare DNS Setup (push) Successful in 1m15s Details Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / Update README & Generate List of Modified Services (push) Successful in 4m11s Details Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / PR Merge (push) Successful in 4m14s Details Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / Ansible Configs & Docker Compose Deployment (push) Failing after 13m36s Details	2025-05-20 12:53:02 -04:00
Trez.One	d74284eb65	Adjustments to qBittorrent.	2025-05-20 12:52:36 -04:00
Trez.One	692eef096b	chore: Update README	2025-05-20 16:38:12 +00:00
Trez.One	cada184738	Replacing DelugeVPN with qBittorrent. Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / Check and Create PR (push) Successful in 17m39s Details Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / Docker Compose & Ansible Lints (push) Successful in 22m12s Details Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / Cloudflare DNS Setup (push) Successful in 9m49s Details Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / Update README & Generate List of Modified Services (push) Successful in 10m57s Details Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / Ansible Configs & Docker Compose Deployment (push) Has been cancelled Details Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment / PR Merge (push) Has been cancelled Details	2025-05-20 11:43:13 -04:00
Trez.One	6245e88edc	Changing order of tasks in playbook. Gitea Branch PR & Ansible Deployment / Check and Create PR (push) Successful in 20m30s Details Gitea Branch PR & Ansible Deployment / Ansible Linting (push) Failing after 17m31s Details Gitea Branch PR & Ansible Deployment / PR Merge (push) Has been skipped Details Gitea Branch PR & Ansible Deployment / Ansible Playbook Run (Service Configs) (push) Has been skipped Details	2025-05-20 10:13:55 -04:00
Trez.One	48f9659ede	Small fixes.	2025-05-20 09:58:35 -04:00
Trez.One	6e5eb45ffe	Small fixes. Gitea Branch PR & Ansible Deployment / Check and Create PR (push) Successful in 8m19s Details Gitea Branch PR & Ansible Deployment / Ansible Linting (push) Failing after 11m55s Details Gitea Branch PR & Ansible Deployment / Ansible Playbook Run (Service Configs) (push) Has been skipped Details Gitea Branch PR & Ansible Deployment / PR Merge (push) Has been skipped Details	2025-05-20 09:22:50 -04:00
Trez.One	0c314a5000	Small fixes.	2025-05-20 09:19:04 -04:00
Trez.One	c443d73f6f	Small fixes.	2025-05-20 09:16:16 -04:00
Trez.One	124d4a86ba	Small fixes.	2025-05-20 09:16:00 -04:00
Trez.One	d08563b985	Small fixes.	2025-05-20 09:13:33 -04:00
Trez.One	6b37ad8ea4	Ansible DRY fixes for Vault lookups. Gitea Branch PR & Ansible Deployment / Check and Create PR (push) Failing after 3m6s Details Gitea Branch PR & Ansible Deployment / Docker Compose & Ansible Lints (push) Has been skipped Details Gitea Branch PR & Ansible Deployment / PR Merge (push) Failing after 9m4s Details Gitea Branch PR & Ansible Deployment / Ansible Configs & Docker Compose Deployment (push) Has been skipped Details	2025-05-20 09:06:49 -04:00
Trez.One	c804bb6dab	Explo changes.	2025-05-20 07:44:37 -04:00
Trez.One	9d45ee9e88	Explo modifications. Auto-Unseal for Vault / Unseal Vault (push) Waiting to run Details	2025-05-19 19:22:37 -04:00