Merge remote-tracking branch 'refs/remotes/origin/main'

Updating group for Speedtest-Tracker.
Homepage layout change for Infra/App Monitoring group.
2025-03-03 12:32:27 -05:00 · 2025-03-03 12:31:52 -05:00 · 2025-03-03 12:30:24 -05:00 · 2025-03-03 12:03:23 -05:00 · 2025-03-02 21:07:37 -05:00 · 2025-03-02 11:56:18 -05:00
8 changed files with 945 additions and 283 deletions
@@ -1,160 +0,0 @@
-name: Gitea Branch PR & Ansible Configurations Deployment
-on:
-  push:
-    branches:
-      - '**'
-    paths:
-      - '**.j2'
-jobs:
-  check-and-create-pr:
-    if: github.ref != 'refs/heads/main'
-    name: Check and Create PR
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout Code
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 1
-      - name: Cache tea CLI
-        id: cache-tea
-        uses: actions/cache@v4
-        with:
-          path: /opt/hostedtoolcache/tea/0.9.2/x64
-          key: tea-${{ runner.os }}-0.9.2
-      - name: Install tea
-        uses: supplypike/setup-bin@v4
-        with:
-          uri: 'https://gitea.com/gitea/tea/releases/download/v0.9.2/tea-0.9.2-linux-amd64'
-          name: 'tea'
-          version: '0.9.2'
-      - name: Check if open PR exists
-        id: check-opened-pr-step
-        continue-on-error: true
-        run: |
-          tea login add --name gitea-rinoa --url "${{ secrets.RINOA_GITEA_URL }}" --user gitea-sonarqube-bot --password "${{ secrets.BOT_GITEA_PASSWORD }}" --token ${{ secrets.BOT_GITEA_TOKEN }}
-          pr_exists=$(tea pr list --repo ${{ github.repository }} --state open --fields index,title,head | egrep ${{ github.ref_name }} | tail -1 | wc -l)
-          echo "exists=$pr_exists" >> $GITHUB_OUTPUT
-      - name: Create PR
-        if: ${{ steps.check-opened-pr-step.outputs.exists == '0' }}
-        run: |
-          tea login default gitea-rinoa
-          pr_index_old=$(tea pr ls --repo ${{ github.repository }} --state all --fields index,title,head --output csv | sed -e 's|"||g' | egrep '^[0-9]' | head -1 | awk -F"," '{print $1}')
-          pr_index_new=$(expr ${pr_index_old} + 1)
-          tea pr c -r ${{ github.repository }} -t "Automated PR for ${{ github.ref_name }} - #${pr_index_new}" -d "Automatically created PR for branch: ${{ github.ref_name }}" -a ${{ github.actor }} -L "Ansible Configs.j2"
-  ansible-lint:
-    name: Ansible Lint
-    needs: [check-and-create-pr]
-    runs-on: ubuntu-latest
-    env:
-      VAULT_ADDR: ${{ secrets.RINOA_VAULT_ADDR }}
-      VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
-      VAULT_NAMESPACE: ""
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-      - name: Cache Ansible Galaxy Collections
-        uses: actions/cache@v3
-        with:
-          path: ansible/collections
-          key: ${{ runner.os }}-ansible-${{ hashFiles('./ansible/collections/requirements.yml') }}
-          restore-keys: |
-            ${{ runner.os }}-ansible-
-      - name: Install Ansible
-        uses: alex-oleshkevich/setup-ansible@v1.0.1
-        with:
-          version: "11.0.0"
-      - name: Install Vault
-        uses: cpanato/vault-installer@main
-      - name: Install hvac
-        run: pip install hvac
-      - name: Ansible Playbook Dry Run
-        uses: dawidd6/action-ansible-playbook@v2
-        with:
-          directory: ansible/
-          playbook: docker_config_deploy.yml
-          key: ${{ secrets.RINOA_ANSIBLE_PRIVATE_KEY }}
-          options: |
-            --inventory inventory/hosts.yml
-            --check
-          requirements: collections/requirements.yml
-          vault_password: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
-      - name: Gotify Notification
-        uses: eikendev/gotify-action@master
-        with:
-          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
-          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
-          notification_title: 'GITEA: Ansible Config Dry Run @ Rinoa'
-          notification_message: 'Ansible dry run completed successfully.'
-  pr-merge:
-    name: PR Merge
-    needs: [regenerate-readme-modified-services]
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-      - name: Install tea
-        uses: supplypike/setup-bin@v4
-        with:
-          uri: 'https://gitea.com/gitea/tea/releases/download/v0.9.2/tea-0.9.2-linux-amd64'
-          name: 'tea'
-          version: '0.9.2'
-      - name: PR Merge
-        id: pr_merge
-        run: |
-          tea login add --name gitea-rinoa --url ${{ secrets.RINOA_GITEA_URL }} --user gitea-sonarqube-bot --password "${{ secrets.BOT_GITEA_PASSWORD }}" --token ${{ secrets.BOT_GITEA_TOKEN }}
-          tea login default gitea-rinoa
-          echo "Merging PR..."
-          pr_index=$(tea pr ls --repo ${{ github.repository }} --state open --fields index,title,head,state --output csv | egrep ${{ github.ref_name }} | awk -F"," '{print $1}' | sed -e 's|"||g')
-          tea pr m --repo ${{ github.repository }} --title "Auto Merge of PR ${pr_index} - ${{ github.ref_name }}" --message "Merged by ${{ github.actor }}" ${pr_index}
-          echo "pr_index=${pr_index}" >> $GITHUB_OUTPUT
-      - name: Gotify Notification
-        uses: eikendev/gotify-action@master
-        with:
-          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
-          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
-          notification_title: 'GITEA: PR Merge Successful'
-          notification_message: 'PR #${{ steps.pr_merge.outputs.pr_index }} merged.'
-  ansible-config-deploy:
-    name: Ansible Config Deployment
-    runs-on: ubuntu-latest
-    needs: [pr-merge]
-    env:
-      VAULT_ADDR: ${{ secrets.RINOA_VAULT_ADDR }}
-      VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
-      DOCKER_HOST: tcp://dockerproxy:2375
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          ref: main
-      - name: Cache Vault install
-        id: cache-vault
-        uses: actions/cache@v4
-        with:
-          path: /opt/hostedtoolcache/vault/1.18.0/x64
-          key: vault-${{ runner.os }}-1.18.0
-      - name: Install Ansible
-        uses: alex-oleshkevich/setup-ansible@v1.0.1
-        with:
-          version: "11.0.0"
-      - name: Install Vault
-        uses: cpanato/vault-installer@main
-      - name: Install hvac
-        run: pip install hvac
-      - name: Deploy Docker Configs via Ansible
-        uses: dawidd6/action-ansible-playbook@v2
-        with:
-          directory: ansible/
-          playbook: docker_config_deploy.yml
-          key: ${{secrets.RINOA_ANSIBLE_PRIVATE_KEY}}
-          options: |
-            --inventory inventory/hosts.yml
-          requirements: collections/requirements.yml
-          vault_password: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
-      - name: Gotify Notification
-        uses: eikendev/gotify-action@master
-        with:
-          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
-          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
-          notification_title: 'GITEA: Ansible Config Deployment @ Rinoa'
-          notification_message: 'Deployment completed successfully.'
@@ -1,10 +1,8 @@
 name: Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment
 on:
  push:
-    branches:
-      - '**'
-    paths:
-      - 'docker-compose.yml'
+    branches-ignore:
+      - 'main'
 jobs:
  check-and-create-pr:
    if: github.ref != 'refs/heads/main'
@@ -6,6 +6,7 @@
 | --- | --- |
 | actual_server | docker.io/actualbudget/actual-server:latest |
 | adguard | adguard/adguardhome:latest |
+| archivebox | archivebox/archivebox:latest |
 | audiobookshelf | ghcr.io/advplyr/audiobookshelf:latest |
 | authelia | authelia/authelia:master |
 | authelia-pg | postgres:16-alpine |
@@ -17,6 +18,10 @@
 | bitwarden | vaultwarden/server:latest |
 | bluesky-pds | ghcr.io/bluesky-social/pds:latest |
 | browserless | ghcr.io/browserless/chromium:latest |
+| bunkerweb | bunkerity/bunkerweb:1.6.0 |
+| bunkerweb-scheduler | bunkerity/bunkerweb-scheduler:1.6.0 |
+| bunkerweb-autoconf | bunkerity/bunkerweb-autoconf:1.6.0 |
+| bunkerweb-ui | bunkerity/bunkerweb-ui:1.6.0 |
 | bytestash | ghcr.io/jordan-dalby/bytestash:latest |
 | castopod | castopod/castopod:latest |
 | cloudflared | cloudflare/cloudflared:latest |
@@ -33,6 +38,7 @@
 | dbgate | dbgate/dbgate:alpine |
 | delugevpn | ghcr.io/binhex/arch-delugevpn:latest |
 | docker-socket-proxy | ghcr.io/tecnativa/docker-socket-proxy:latest |
+| docker-volume-backup | offen/docker-volume-backup:v2 |
 | docuseal | docuseal/docuseal:latest |
 | duplicati | lscr.io/linuxserver/duplicati:latest |
 | fastenhealth | ghcr.io/fastenhealth/fasten-onprem:main |
@@ -70,15 +76,21 @@
 | jitsi-web | jitsi/web:stable |
 | joplin-db | postgres:17-alpine |
 | joplin | joplin/server:latest |
+| librechat-api | ghcr.io/danny-avila/librechat-dev:latest |
+| librechat-vectordb | ankane/pgvector:latest |
+| librechat-rag-api | ghcr.io/danny-avila/librechat-rag-api-dev-lite:latest |
 | libretranslate | libretranslate/libretranslate |
 | lidarr | lscr.io/linuxserver/lidarr:latest |
 | lidify | thewicklowwolf/lidify:latest |
 | lldap | lldap/lldap:stable |
 | maloja | krateng/maloja:latest |
+| manyfold | lscr.io/linuxserver/manyfold:latest |
 | mariadb | linuxserver/mariadb |
 | mastodon | lscr.io/linuxserver/mastodon:latest |
 | mastodon-pg-db | postgres:17-alpine |
+| meilisearch | getmeili/meilisearch:v1.12.3 |
 | minio | minio/minio |
+| mixpost | inovector/mixpost:latest |
 | mongodb | bitnami/mongodb:7.0 |
 | multi-scrobbler | foxxmd/multi-scrobbler |
 | n8n | docker.n8n.io/n8nio/n8n |
@@ -92,7 +104,6 @@
 | nextcloud | nextcloud/all-in-one:latest |
 | ollama | ollama/ollama |
 | ombi | lscr.io/linuxserver/ombi:latest |
-| open-webui | ghcr.io/open-webui/open-webui:main |
 | paperless-ngx | ghcr.io/paperless-ngx/paperless-ngx:latest |
 | parseable | containers.parseable.com/parseable/parseable:latest |
 | peppermint | pepperlabs/peppermint:latest |
@@ -103,7 +114,7 @@
 | plausible | ghcr.io/plausible/community-edition:v2.1.0 |
 | plausible_db | postgres:16-alpine |
 | plausible_events_db | clickhouse/clickhouse-server:24.3.3.102-alpine |
-| portainer | portainer/portainer-ce:alpine-sts |
+| portainer | portainer/portainer-ce:2.27.0-alpine |
 | portall | need4swede/portall:latest |
 | postal-smtp | ghcr.io/postalserver/postal:latest |
 | postal-web | ghcr.io/postalserver/postal:latest |
@@ -122,6 +133,7 @@
 | scraperr-api | jpyles0524/scraperr_api:latest |
 | scrutiny | ghcr.io/analogj/scrutiny:master-omnibus |
 | searxng | searxng/searxng:latest |
+| semaphore | semaphoreui/semaphore:v2.12.14 |
 | sonarqube | mc1arke/sonarqube-with-community-branch-plugin:lts |
 | sonarqube-pg-db | postgres:17-alpine |
 | sonarr | lscr.io/linuxserver/sonarr:latest |
@@ -132,6 +144,8 @@
 | sourcebot | ghcr.io/sourcebot-dev/sourcebot:latest |
 | speedtest-tracker | lscr.io/linuxserver/speedtest-tracker:latest |
 | spotisub | blastbeng/spotisub:latest |
+| stable-diffusion-download | git.trez.wtf/trez.one/stable-diffusion-download:v9.0.0 |
+| stable-diffusion-webui | git.trez.wtf/trez.one/stable-diffusion-ui:v9.0.0 |
 | swag | lscr.io/linuxserver/swag:latest |
 | tandoor | vabene1111/recipes |
 | tandoor-pg | postgres:16-alpine |
@@ -145,6 +159,4 @@
 | web-check | lissy93/web-check |
 | your_spotify | lscr.io/linuxserver/your_spotify:latest |
 | youtubedl | nbr23/youtube-dl-server:latest |
-| zitadel | ghcr.io/zitadel/zitadel:latest |
-| zitadel-pg-db | postgres:16-alpine |

@@ -23,33 +23,31 @@ provider: duckduckgo
 layout:
  System Administration:
    style: row
-    columns: 3
-    # fiveColumns: true
+    columns: 5
  Infrastructure/App Performance Monitoring:
    style: row
    columns: 3
  Code/DevOps:
    style: row
-    columns: 3
+    columns: 4
  Social:
    style: row
    columns: 3
  Lifestyle:
-    style: columns
-    row: 2
-    fiveColumns: true
+    style: row
+    columns: 5
  Automation:
-    style: columns
-    row: 2
+    style: row
+    columns: 5
  Privacy/Security:
-    style: columns
-    row: 5
+    style: row
+    columns: 3
  Personal Services:
    style: row
-    columns: 3
+    columns: 4
  Professional Services:
    style: row
-    columns: 3
+    columns: 5
  Servarr Stack:
    style: row
    columns: 3
@@ -0,0 +1,550 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+#=====================================================================#
+#                       LibreChat Configuration                       #
+#=====================================================================#
+# Please refer to the reference documentation for assistance          #
+# with configuring your LibreChat environment.                        #
+#                                                                     #
+# https://www.librechat.ai/docs/configuration/dotenv                  #
+#=====================================================================#
+
+#==================================================#
+#               Server Configuration               #
+#==================================================#
+
+HOST=localhost
+PORT=3080
+
+MONGO_URI=mongodb://librechat:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_MONGODB_PASSWORD'] }}@mongodb:27017/librechat?replicaSet=rinoa
+
+DOMAIN_CLIENT=https://ai.trez.wtf
+DOMAIN_SERVER=https://ai.trez.wtf
+
+NO_INDEX=true
+# Use the address that is at most n number of hops away from the Express application.
+# req.socket.remoteAddress is the first hop, and the rest are looked for in the X-Forwarded-For header from right to left.
+# A value of 0 means that the first untrusted address would be req.socket.remoteAddress, i.e. there is no reverse proxy.
+# Defaulted to 1.
+TRUST_PROXY=1
+
+#===============#
+# JSON Logging  #
+#===============#
+
+# Use when process console logs in cloud deployment like GCP/AWS
+CONSOLE_JSON=true
+
+#===============#
+# Debug Logging #
+#===============#
+
+DEBUG_LOGGING=true
+DEBUG_CONSOLE=false
+
+#=============#
+# Permissions #
+#=============#
+
+# UID=1000
+# GID=1000
+
+#===============#
+# Configuration #
+#===============#
+# Use an absolute path, a relative path, or a URL
+
+# CONFIG_PATH="/alternative/path/to/librechat.yaml"
+
+#===================================================#
+#                     Endpoints                     #
+#===================================================#
+
+# ENDPOINTS=openAI,assistants,azureOpenAI,google,gptPlugins,anthropic
+
+PROXY=
+
+#===================================#
+# Known Endpoints - librechat.yaml  #
+#===================================#
+# https://www.librechat.ai/docs/configuration/librechat_yaml/ai_endpoints
+
+# ANYSCALE_API_KEY=
+# APIPIE_API_KEY=
+# COHERE_API_KEY=
+DEEPSEEK_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_DEEPSEEK_API_KEY'] }}
+# DATABRICKS_API_KEY=
+# FIREWORKS_API_KEY=
+# GROQ_API_KEY=
+# HUGGINGFACE_TOKEN=
+MISTRAL_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_MISTRAL_API_KEY'] }}
+# OPENROUTER_KEY=
+# PERPLEXITY_API_KEY=
+# SHUTTLEAI_API_KEY=
+# TOGETHERAI_API_KEY=
+# UNIFY_API_KEY=
+# XAI_API_KEY=
+
+#============#
+# Anthropic  #
+#============#
+
+ANTHROPIC_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_ANTHROPIC_API_KEY'] }}
+ANTHROPIC_MODELS=claude-3-7-sonnet-latest,claude-3-7-sonnet-20250219,claude-3-5-haiku-20241022,claude-3-5-sonnet-20241022,claude-3-5-sonnet-latest,claude-3-5-sonnet-20240620,claude-3-opus-20240229,claude-3-sonnet-20240229,claude-3-haiku-20240307,claude-2.1,claude-2,claude-1.2,claude-1,claude-1-100k,claude-instant-1,claude-instant-1-100k
+# ANTHROPIC_REVERSE_PROXY=
+
+#============#
+# Azure      #
+#============#
+
+# Note: these variables are DEPRECATED
+# Use the `librechat.yaml` configuration for `azureOpenAI` instead
+# You may also continue to use them if you opt out of using the `librechat.yaml` configuration
+
+# AZURE_OPENAI_DEFAULT_MODEL=gpt-3.5-turbo # Deprecated
+# AZURE_OPENAI_MODELS=gpt-3.5-turbo,gpt-4 # Deprecated
+# AZURE_USE_MODEL_AS_DEPLOYMENT_NAME=TRUE # Deprecated
+# AZURE_API_KEY= # Deprecated
+# AZURE_OPENAI_API_INSTANCE_NAME= # Deprecated
+# AZURE_OPENAI_API_DEPLOYMENT_NAME= # Deprecated
+# AZURE_OPENAI_API_VERSION= # Deprecated
+# AZURE_OPENAI_API_COMPLETIONS_DEPLOYMENT_NAME= # Deprecated
+# AZURE_OPENAI_API_EMBEDDINGS_DEPLOYMENT_NAME= # Deprecated
+# PLUGINS_USE_AZURE="true" # Deprecated
+
+#=================#
+#   AWS Bedrock   #
+#=================#
+
+# BEDROCK_AWS_DEFAULT_REGION=us-east-1 # A default region must be provided
+# BEDROCK_AWS_ACCESS_KEY_ID=someAccessKey
+# BEDROCK_AWS_SECRET_ACCESS_KEY=someSecretAccessKey
+# BEDROCK_AWS_SESSION_TOKEN=someSessionToken
+
+# Note: This example list is not meant to be exhaustive. If omitted, all known, supported model IDs will be included for you.
+# BEDROCK_AWS_MODELS=anthropic.claude-3-5-sonnet-20240620-v1:0,meta.llama3-1-8b-instruct-v1:0
+
+# See all Bedrock model IDs here: https://docs.aws.amazon.com/bedrock/latest/userguide/model-ids.html#model-ids-arns
+
+# Notes on specific models:
+# The following models are not support due to not supporting streaming:
+# ai21.j2-mid-v1
+
+# The following models are not support due to not supporting conversation history:
+# ai21.j2-ultra-v1, cohere.command-text-v14, cohere.command-light-text-v14
+
+#============#
+# Google     #
+#============#
+
+{# GOOGLE_KEY=user_provided #}
+
+# GOOGLE_REVERSE_PROXY=
+# Some reverse proxies do not support the X-goog-api-key header, uncomment to pass the API key in Authorization header instead.
+# GOOGLE_AUTH_HEADER=true
+
+# Gemini API (AI Studio)
+# GOOGLE_MODELS=gemini-2.0-flash-exp,gemini-2.0-flash-thinking-exp-1219,gemini-exp-1121,gemini-exp-1114,gemini-1.5-flash-latest,gemini-1.0-pro,gemini-1.0-pro-001,gemini-1.0-pro-latest,gemini-1.0-pro-vision-latest,gemini-1.5-pro-latest,gemini-pro,gemini-pro-vision
+
+# Vertex AI
+# GOOGLE_MODELS=gemini-1.5-flash-preview-0514,gemini-1.5-pro-preview-0514,gemini-1.0-pro-vision-001,gemini-1.0-pro-002,gemini-1.0-pro-001,gemini-pro-vision,gemini-1.0-pro
+
+# GOOGLE_TITLE_MODEL=gemini-pro
+
+# GOOGLE_LOC=us-central1
+
+# Google Safety Settings
+# NOTE: These settings apply to both Vertex AI and Gemini API (AI Studio)
+#
+# For Vertex AI:
+# To use the BLOCK_NONE setting, you need either:
+# (a) Access through an allowlist via your Google account team, or
+# (b) Switch to monthly invoiced billing: https://cloud.google.com/billing/docs/how-to/invoiced-billing
+#
+# For Gemini API (AI Studio):
+# BLOCK_NONE is available by default, no special account requirements.
+#
+# Available options: BLOCK_NONE, BLOCK_ONLY_HIGH, BLOCK_MEDIUM_AND_ABOVE, BLOCK_LOW_AND_ABOVE
+#
+# GOOGLE_SAFETY_SEXUALLY_EXPLICIT=BLOCK_ONLY_HIGH
+# GOOGLE_SAFETY_HATE_SPEECH=BLOCK_ONLY_HIGH
+# GOOGLE_SAFETY_HARASSMENT=BLOCK_ONLY_HIGH
+# GOOGLE_SAFETY_DANGEROUS_CONTENT=BLOCK_ONLY_HIGH
+# GOOGLE_SAFETY_CIVIC_INTEGRITY=BLOCK_ONLY_HIGH
+
+#============#
+# OpenAI     #
+#============#
+
+OPENAI_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_OPENAI_API_KEY'] }}
+OPENAI_MODELS=o1,o1-mini,o1-preview,gpt-4o,chatgpt-4o-latest,gpt-4o-mini,gpt-3.5-turbo-0125,gpt-3.5-turbo-0301,gpt-3.5-turbo,gpt-4,gpt-4-0613,gpt-4-vision-preview,gpt-3.5-turbo-0613,gpt-3.5-turbo-16k-0613,gpt-4-0125-preview,gpt-4-turbo-preview,gpt-4-1106-preview,gpt-3.5-turbo-1106,gpt-3.5-turbo-instruct,gpt-3.5-turbo-instruct-0914,gpt-3.5-turbo-16k
+
+DEBUG_OPENAI=false
+
+# TITLE_CONVO=false
+# OPENAI_TITLE_MODEL=gpt-4o-mini
+
+# OPENAI_SUMMARIZE=true
+# OPENAI_SUMMARY_MODEL=gpt-4o-mini
+
+# OPENAI_FORCE_PROMPT=true
+
+# OPENAI_REVERSE_PROXY=
+
+# OPENAI_ORGANIZATION=
+
+#====================#
+#   Assistants API   #
+#====================#
+
+# ASSISTANTS_API_KEY=user_provided
+# ASSISTANTS_BASE_URL=
+# ASSISTANTS_MODELS=gpt-4o,gpt-4o-mini,gpt-3.5-turbo-0125,gpt-3.5-turbo-16k-0613,gpt-3.5-turbo-16k,gpt-3.5-turbo,gpt-4,gpt-4-0314,gpt-4-32k-0314,gpt-4-0613,gpt-3.5-turbo-0613,gpt-3.5-turbo-1106,gpt-4-0125-preview,gpt-4-turbo-preview,gpt-4-1106-preview
+
+#==========================#
+#   Azure Assistants API   #
+#==========================#
+
+# Note: You should map your credentials with custom variables according to your Azure OpenAI Configuration
+# The models for Azure Assistants are also determined by your Azure OpenAI configuration.
+
+# More info, including how to enable use of Assistants with Azure here:
+# https://www.librechat.ai/docs/configuration/librechat_yaml/ai_endpoints/azure#using-assistants-with-azure
+
+#============#
+# OpenRouter #
+#============#
+# !!!Warning: Use the variable above instead of this one. Using this one will override the OpenAI endpoint
+# OPENROUTER_API_KEY=
+
+#============#
+# Plugins    #
+#============#
+
+# PLUGIN_MODELS=gpt-4o,gpt-4o-mini,gpt-4,gpt-4-turbo-preview,gpt-4-0125-preview,gpt-4-1106-preview,gpt-4-0613,gpt-3.5-turbo,gpt-3.5-turbo-0125,gpt-3.5-turbo-1106,gpt-3.5-turbo-0613
+
+# DEBUG_PLUGINS=
+
+CREDS_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_CREDS_KEY'] }}
+CREDS_IV={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_CREDS_IV'] }}
+
+# Azure AI Search
+#-----------------
+# AZURE_AI_SEARCH_SERVICE_ENDPOINT=
+# AZURE_AI_SEARCH_INDEX_NAME=
+# AZURE_AI_SEARCH_API_KEY=
+
+# AZURE_AI_SEARCH_API_VERSION=
+# AZURE_AI_SEARCH_SEARCH_OPTION_QUERY_TYPE=
+# AZURE_AI_SEARCH_SEARCH_OPTION_TOP=
+# AZURE_AI_SEARCH_SEARCH_OPTION_SELECT=
+
+# DALL·E
+#----------------
+# DALLE_API_KEY=
+# DALLE3_API_KEY=
+# DALLE2_API_KEY=
+# DALLE3_SYSTEM_PROMPT=
+# DALLE2_SYSTEM_PROMPT=
+# DALLE_REVERSE_PROXY=
+# DALLE3_BASEURL=
+# DALLE2_BASEURL=
+
+# DALL·E (via Azure OpenAI)
+# Note: requires some of the variables above to be set
+#----------------
+# DALLE3_AZURE_API_VERSION=
+# DALLE2_AZURE_API_VERSION=
+
+
+# Google
+#-----------------
+GOOGLE_SEARCH_API_KEY=
+GOOGLE_CSE_ID=
+
+# YOUTUBE
+#-----------------
+YOUTUBE_API_KEY=
+
+# SerpAPI
+#-----------------
+SERPAPI_API_KEY=
+
+# Stable Diffusion
+#-----------------
+SD_WEBUI_URL=http://stable-diffusion-webui:7860
+
+# Tavily
+#-----------------
+TAVILY_API_KEY=
+
+# Traversaal
+#-----------------
+TRAVERSAAL_API_KEY=
+
+# WolframAlpha
+#-----------------
+WOLFRAM_APP_ID=
+
+# Zapier
+#-----------------
+ZAPIER_NLA_API_KEY=
+
+#==================================================#
+#                      Search                      #
+#==================================================#
+
+SEARCH=true
+MEILI_NO_ANALYTICS=true
+MEILI_HOST=http://meilisearch:7700
+MEILI_MASTER_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MEILISEARCH_MASTER_KEY'] }}
+
+# Optional: Disable indexing, useful in a multi-node setup
+# where only one instance should perform an index sync.
+# MEILI_NO_SYNC=true
+
+#==================================================#
+#          Speech to Text & Text to Speech         #
+#==================================================#
+
+STT_API_KEY=
+TTS_API_KEY=
+
+#==================================================#
+#                        RAG                       #
+#==================================================#
+# More info: https://www.librechat.ai/docs/configuration/rag_api
+
+# RAG_OPENAI_BASEURL=
+# RAG_OPENAI_API_KEY=
+# RAG_USE_FULL_CONTEXT=
+# EMBEDDINGS_PROVIDER=openai
+# EMBEDDINGS_MODEL=text-embedding-3-small
+
+#===================================================#
+#                    User System                    #
+#===================================================#
+
+#========================#
+# Moderation             #
+#========================#
+
+OPENAI_MODERATION=false
+OPENAI_MODERATION_API_KEY=
+# OPENAI_MODERATION_REVERSE_PROXY=
+
+BAN_VIOLATIONS=true
+BAN_DURATION=1000 * 60 * 60 * 2
+BAN_INTERVAL=20
+
+LOGIN_VIOLATION_SCORE=1
+REGISTRATION_VIOLATION_SCORE=1
+CONCURRENT_VIOLATION_SCORE=1
+MESSAGE_VIOLATION_SCORE=1
+NON_BROWSER_VIOLATION_SCORE=20
+
+LOGIN_MAX=7
+LOGIN_WINDOW=5
+REGISTER_MAX=5
+REGISTER_WINDOW=60
+
+LIMIT_CONCURRENT_MESSAGES=true
+CONCURRENT_MESSAGE_MAX=2
+
+LIMIT_MESSAGE_IP=true
+MESSAGE_IP_MAX=40
+MESSAGE_IP_WINDOW=1
+
+LIMIT_MESSAGE_USER=false
+MESSAGE_USER_MAX=40
+MESSAGE_USER_WINDOW=1
+
+ILLEGAL_MODEL_REQ_SCORE=5
+
+#========================#
+# Balance                #
+#========================#
+
+CHECK_BALANCE=false
+# START_BALANCE=20000 # note: the number of tokens that will be credited after registration.
+
+#========================#
+# Registration and Login #
+#========================#
+
+ALLOW_EMAIL_LOGIN=true
+ALLOW_REGISTRATION=true
+ALLOW_SOCIAL_LOGIN=false
+ALLOW_SOCIAL_REGISTRATION=false
+ALLOW_PASSWORD_RESET=false
+# ALLOW_ACCOUNT_DELETION=true # note: enabled by default if omitted/commented out
+ALLOW_UNVERIFIED_EMAIL_LOGIN=true
+
+SESSION_EXPIRY=1000 * 60 * 15
+REFRESH_TOKEN_EXPIRY=(1000 * 60 * 60 * 24) * 7
+
+JWT_SECRET={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_JWT_SECRET'] }}
+JWT_REFRESH_SECRET={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_JWT_REFRESH_SECRET'] }}
+
+
+# Discord
+DISCORD_CLIENT_ID=
+DISCORD_CLIENT_SECRET=
+DISCORD_CALLBACK_URL=/oauth/discord/callback
+
+# Facebook
+FACEBOOK_CLIENT_ID=
+FACEBOOK_CLIENT_SECRET=
+FACEBOOK_CALLBACK_URL=/oauth/facebook/callback
+
+# GitHub
+GITHUB_CLIENT_ID=
+GITHUB_CLIENT_SECRET=
+GITHUB_CALLBACK_URL=/oauth/github/callback
+# GitHub Enterprise
+# GITHUB_ENTERPRISE_BASE_URL=
+# GITHUB_ENTERPRISE_USER_AGENT=
+
+# Google
+GOOGLE_CLIENT_ID=
+GOOGLE_CLIENT_SECRET=
+GOOGLE_CALLBACK_URL=/oauth/google/callback
+
+# Apple
+APPLE_CLIENT_ID=
+APPLE_TEAM_ID=
+APPLE_KEY_ID=
+APPLE_PRIVATE_KEY_PATH=
+APPLE_CALLBACK_URL=/oauth/apple/callback
+
+# OpenID
+OPENID_CLIENT_ID=
+OPENID_CLIENT_SECRET=
+OPENID_ISSUER=
+OPENID_SESSION_SECRET=
+OPENID_SCOPE="openid profile email"
+OPENID_CALLBACK_URL=/oauth/openid/callback
+OPENID_REQUIRED_ROLE=
+OPENID_REQUIRED_ROLE_TOKEN_KIND=
+OPENID_REQUIRED_ROLE_PARAMETER_PATH=
+# Set to determine which user info property returned from OpenID Provider to store as the User's username
+OPENID_USERNAME_CLAIM=
+# Set to determine which user info property returned from OpenID Provider to store as the User's name
+OPENID_NAME_CLAIM=
+
+OPENID_BUTTON_LABEL=
+OPENID_IMAGE_URL=
+
+# LDAP
+# LDAP_URL=
+# LDAP_BIND_DN=
+# LDAP_BIND_CREDENTIALS=
+# LDAP_USER_SEARCH_BASE=
+# LDAP_SEARCH_FILTER=mail=
+# LDAP_CA_CERT_PATH=
+# LDAP_TLS_REJECT_UNAUTHORIZED=
+# LDAP_LOGIN_USES_USERNAME=true
+# LDAP_ID=
+# LDAP_USERNAME=
+# LDAP_EMAIL=
+# LDAP_FULL_NAME=
+
+#========================#
+# Email Password Reset   #
+#========================#
+
+EMAIL_SERVICE=
+EMAIL_HOST=postal-smtp
+EMAIL_PORT=25
+EMAIL_ENCRYPTION=
+EMAIL_ENCRYPTION_HOSTNAME=
+EMAIL_ALLOW_SELFSIGNED=
+EMAIL_USERNAME=
+EMAIL_PASSWORD=
+EMAIL_FROM_NAME=
+EMAIL_FROM=noreply@librechat.ai
+
+#========================#
+# Firebase CDN           #
+#========================#
+
+# FIREBASE_API_KEY=
+# FIREBASE_AUTH_DOMAIN=
+# FIREBASE_PROJECT_ID=
+# FIREBASE_STORAGE_BUCKET=
+# FIREBASE_MESSAGING_SENDER_ID=
+# FIREBASE_APP_ID=
+
+#========================#
+# Shared Links           #
+#========================#
+
+ALLOW_SHARED_LINKS=true
+ALLOW_SHARED_LINKS_PUBLIC=true
+
+#==============================#
+# Static File Cache Control    #
+#==============================#
+
+# Leave commented out to use defaults: 1 day (86400 seconds) for s-maxage and 2 days (172800 seconds) for max-age
+# NODE_ENV must be set to production for these to take effect
+# STATIC_CACHE_MAX_AGE=172800
+# STATIC_CACHE_S_MAX_AGE=86400
+
+# If you have another service in front of your LibreChat doing compression, disable express based compression here
+# DISABLE_COMPRESSION=true
+
+#===================================================#
+#                        UI                         #
+#===================================================#
+
+APP_TITLE=LibreChat
+# CUSTOM_FOOTER="My custom footer"
+HELP_AND_FAQ_URL=https://librechat.ai
+
+# SHOW_BIRTHDAY_ICON=true
+
+# Google tag manager id
+#ANALYTICS_GTM_ID=user provided google tag manager id
+
+#===============#
+# REDIS Options #
+#===============#
+
+REDIS_URI=redis:6379
+USE_REDIS=true
+
+# USE_REDIS_CLUSTER=true
+# REDIS_CA=/path/to/ca.crt
+
+#==================================================#
+#                      Others                      #
+#==================================================#
+#   You should leave the following commented out   #
+
+# NODE_ENV=
+
+# E2E_USER_EMAIL=
+# E2E_USER_PASSWORD=
+
+#=====================================================#
+#                  Cache Headers                      #
+#=====================================================#
+#   Headers that control caching of the index.html    #
+#   Default configuration prevents caching to ensure  #
+#   users always get the latest version. Customize    #
+#   only if you understand caching implications.      #
+
+# INDEX_HTML_CACHE_CONTROL=no-cache, no-store, must-revalidate
+# INDEX_HTML_PRAGMA=no-cache
+# INDEX_HTML_EXPIRES=0
+
+# no-cache: Forces validation with server before using cached version
+# no-store: Prevents storing the response entirely
+# must-revalidate: Prevents using stale content when offline
+
+#=====================================================#
+#                  OpenWeather                        #
+#=====================================================#
+OPENWEATHER_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['HOMEPAGE_OPENWEATHERMAP_API_KEY'] }}
@@ -0,0 +1,33 @@
+version: 1.0.0
+endpoints:
+  custom:
+    - name: "ollama"
+      apiKey: "ollama"
+      baseURL: "http://ollama:11434/v1/chat/completions"
+      models:
+        default: [
+          "deepseek-r1",
+          "deepseek-coder-v2",
+          "deepseek-v3",
+          "llama3.3",
+          "phi4",
+          "qwen2.5",
+          "llama2",
+          "mistral",
+          "codellama",
+          "tinyllama",
+          "starcoder2",
+          "dolphin-mixtral",
+          "smollm2",
+          "orca-mini",
+          "mistral-openorca"
+        ]
+# fetching list of models is supported but the `name` field must start
+# with `ollama` (case-insensitive), as it does in this example.
+        fetch: true
+      titleConvo: true
+      titleModel: "current_model"
+      summarize: false
+      summaryModel: "current_model"
+      forcePrompt: false
+      modelDisplayLabel: "Ollama"
@@ -30,6 +30,9 @@ message_db:
 smtp_server:
  default_port: 25
  default_bind_address: "::"
+  tls_enabled: true
+  tls_certificate_path: /config/certs/fullchain.pem
+  tls_private_key_path: /config/certs/privkey.pem

 dns:
  # Specify the DNS records that you have configured. Refer to the documentation at
@@ -1,4 +1,11 @@
 name: compose
+x-bw-ui-env: &bw-ui-env
+  # We anchor the environment variables to avoid duplication
+  AUTOCONF_MODE: yes
+  DATABASE_URI: "mariadb+pymysql://bunkerweb:${BUNKERWEB_DB_PASSWORD}@mariadb:3306/bunkerweb" # Remember to set a stronger password for the database
+  USE_REAL_IP: yes
+  REAL_IP_FROM: 172.18.0.0/16
+  REAL_IP_HEADER: 'X-Forwarded-For'
 networks:
  bitmagnet:
    driver: bridge
@@ -95,6 +102,36 @@ services:
        type: bind
        bind:
          create_host_path: true
+  archivebox:
+    container_name: archivebox
+    environment:
+      ADMIN_USERNAME: admin            # creates an admin user on first run with the given user/pass combo
+      ADMIN_PASSWORD: ${ARCHIVEBOX_ADMIN_PASSWORD}
+      ALLOWED_HOSTS: '*'                   # set this to the hostname(s) you're going to serve the site from!
+      CSRF_TRUSTED_ORIGINS: http://localhost:8000  # you MUST set this to the server's URL for admin login and the REST API to work
+      PUBLIC_INDEX: false                 # set to False to prevent anonymous users from viewing snapshot list
+      PUBLIC_SNAPSHOTS: false             # set to False to prevent anonymous users from viewing snapshot content
+      PUBLIC_ADD_VIEW: false             # set to True to allow anonymous users to submit new URLs to archive
+      SEARCH_BACKEND_ENGINE: ripgrep       # tells ArchiveBox to use sonic container below for fast full-text search
+    image: archivebox/archivebox:latest
+    labels:
+      homepage.group: Personal Services
+      homepage.name: ArchiveBox
+      homepage.href: https://archive.${MY_TLD}
+      homepage.icon: archivebox.png
+      homepage.description: Open-source and self-hosted web archiving
+      swag: enable
+      swag_port: 8000
+      swag_proto: http
+      swag_url: archive.${MY_TLD}
+      swag.uptime-kuma.enabled: true
+      swag.uptime-kuma.monitor.url: https://archive.${MY_TLD}
+    ports:
+      - 21324:8000
+    restart: unless-stopped
+    volumes:
+      - ${DOCKER_VOLUME_CONFIG}/archivebox:/data
+      # ./data/personas/Default/chrome_profile/Default:/data/personas/Default/chrome_profile/Default
  audiobookshelf:
    container_name: audiobookshelf
    environment:
@@ -478,6 +515,67 @@ services:
    networks:
      default: null
    restart: unless-stopped
+  bunkerweb:
+    container_name: bunkerweb
+    image: bunkerity/bunkerweb:1.6.0
+    environment:
+      AUTOCONF_MODE: yes
+      API_WHITELIST_IP: 127.0.0.0/8 172.18.0.0/16
+    labels:
+      bunkerweb.INSTANCE: yes
+    ports:
+      - 27002:8080
+      - 63824:8443
+    restart: unless-stopped
+  bunkerweb-scheduler:
+    container_name: bunkerweb-scheduler
+    environment:
+      <<: *bw-ui-env
+      BUNKERWEB_INSTANCES: bunkerweb
+      SERVER_NAME: bunker.trez.wtf
+      API_WHITELIST_IP: 127.0.0.0/8 172.18.0.0/16
+      MULTISITE: yes
+      UI_HOST: http://bunkerweb-ui:7000 # Change it if needed
+      SERVE_FILES: no
+      DISABLE_DEFAULT_SERVER: yes
+      USE_CLIENT_CACHE: yes
+      USE_GZIP: yes
+      USE_REVERSE_PROXY: yes
+      REVERSE_PROXY_URL: /
+      REVERSE_PROXY_HOST: http://swag:80
+    image: bunkerity/bunkerweb-scheduler:1.6.0
+    restart: unless-stopped
+    volumes:
+      - bunkerweb-storage:/data # This is used to persist the cache and other data like the backups
+  bunkerweb-autoconf:
+    container_name: bunkerweb-autoconf
+    depends_on:
+      - docker-socket-proxy
+    environment:
+      <<: *bw-ui-env
+      DOCKER_HOST: tcp://dockerproxy:2375
+    image: bunkerity/bunkerweb-autoconf:1.6.0
+    restart: unless-stopped
+  bunkerweb-ui:
+    container_name: bunkerweb-ui
+    environment:
+      <<: *bw-ui-env
+      TOTP_SECRETS: ${BUNKERWEB_TOTP_SECRETS}
+    expose:
+      - 7000
+    image: bunkerity/bunkerweb-ui:1.6.0
+    labels:
+      homepage.group: Privacy/Security
+      homepage.name: Bunker Web
+      homepage.href: https://bunker.${MY_TLD}
+      homepage.icon: bunkerweb.svg
+      homepage.description: Next-gen WAF
+      swag: enable
+      swag_port: 7000
+      swag_url: bunker.${MY_TLD}
+      swag.uptime-kuma.enabled: true
+      swag.uptime-kuma.monitor.url: https://bunker.${MY_TLD}
+    restart: unless-stopped
  bytestash:
    container_name: bytestash
    environment:
@@ -744,7 +842,7 @@ services:
      swag_proto: http
      swag_url: cchef.trez.wtf
      swag.uptime-kuma.enabled: true
-      swag.uptime-kuma.monitor.url: https://gist.trez.wtf
+      swag.uptime-kuma.monitor.url: https://cchef.trez.wtf
    ports:
      - 20992:8000
    restart: unless-stopped
@@ -917,8 +1015,7 @@ services:
  dbgate:
    container_name: dbgate
    environment:
-      CONNECTIONS: authelia-pg,bitmagnet-pg-db,gitea-db,invidious-db,joplin-db,mariadb,mastodon-pg-db,mongodb,pgbackweb,pgbackweb-db,plausible-db,plausible-events-db,reactive-resume-pg,sonarqube-pg-db,synapse-db,tandoor-pg,traccar-pg,zitadel-pg-db
-
+      CONNECTIONS: authelia-pg,bitmagnet-pg-db,gitea-db,invidious-db,joplin-db,mariadb,mastodon-pg-db,mongodb,peppermint-db,pgbackweb-db,plausible-db,plausible-events-db,reactive-resume-pg,sonarqube-pg-db,synapse-db,tandoor-pg,redis
      LOGIN: TrezOne
      PASSWORD: ${DBGATE_LOGIN_PASSWORD}

@@ -986,6 +1083,13 @@ services:
      # URI_mongodb: mongodb://root:${MONGO_INITDB_ROOT_PASSWORD}@mongodb:27017/admin?replicaSet=rinoa
      ENGINE_mongodb: mongo@dbgate-plugin-mongo-v2

+      LABEL_peppermint-db: peppermint-pg-db
+      SERVER_peppermint-db: peppermint-pg-db
+      USER_peppermint-db: peppermint
+      PASSWORD_peppermint-db: ${PEPPERMINT_PG_PASSWORD}
+      PORT_peppermint-db: 5432
+      ENGINE_peppermint-db: postgres@dbgate-plugin-postgres
+
      LABEL_pgbackweb-db: pgbackweb-db
      SERVER_pgbackweb-db: pgbackweb-db
      USER_pgbackweb-db: pgbackweb
@@ -1021,19 +1125,10 @@ services:
      PORT_tandoor-pg: 5432
      ENGINE_tandoor-pg: postgres@dbgate-plugin-postgres

-      LABEL_traccar-pg: traccar-pg
-      SERVER_traccar-pg: traccar-pg
-      USER_traccar-pg: ${TRACCAR_POSTGRES_USER}
-      PASSWORD_traccar-pg: ${TRACCAR_POSTGRES_PASSWORD}
-      PORT_traccar-pg: 5432
-      ENGINE_traccar-pg: postgres@dbgate-plugin-postgres
-
-      LABEL_zitadel-pg-db: zitadel-pg-db
-      SERVER_zitadel-pg-db: zitadel-pg-db
-      USER_zitadel-pg-db: root
-      PASSWORD_zitadel-pg-db: ${ZITADEL_DB_ADMIN_PASSWORD}
-      PORT_zitadel-pg-db: 5432
-      ENGINE_zitadel-pg-db: postgres@dbgate-plugin-postgres
+      LABEL_redis: redis
+      SERVER_redis: redis
+      PORT_redis: 6379
+      ENGINE_redis: redis@dbgate-plugin-redis
    image: dbgate/dbgate:alpine
    labels:
      homepage.group: System Administration
@@ -1157,6 +1252,22 @@ services:
        source: /var/run/docker.sock
        target: /var/run/docker.sock
        type: bind
+  docker-volume-backup:
+    container_name: docker-volume-backup
+    image: offen/docker-volume-backup:v2
+    environment:
+      BACKUP_ARCHIVE: /archive
+      BACKUP_CRON_EXPRESSION: '@weekly'
+      BACKUP_COMPRESSION: zst
+      BACKUP_FILENAME: rinoa-docker-backup-%Y-%m-%dT%H-%M-%S.{{ .Extension }}
+      BACKUP_FILENAME_EXPAND: true
+      BACKUP_RETENTION_DAYS: 14
+      DOCKER_HOST: tcp://dockerproxy:2375
+      NOTIFICATION_URLS: gotify://gotify/${DV_BKUP_GOTIFY_TOKEN}
+    restart: always
+    volumes:
+      - docker-volume-bkup-data:/backup/my-app-backup:ro
+      - ${DOCKER_VOLUME_STORAGE}/backups/docker_volume_bkups:/archive
  docuseal:
    container_name: docuseal
    image: docuseal/docuseal:latest
@@ -2689,6 +2800,67 @@ services:
    ports:
      - 22300:22300
    restart: unless-stopped
+  librechat-api:
+    container_name: librechat-api
+    depends_on:
+      - mongodb
+      - librechat-rag-api
+    environment:
+      CONFIG_PATH: /app/librechat.yaml
+      HOST: 0.0.0.0
+      MONGO_URI: mongodb://librechat:${LIBRECHAT_MONGODB_PASSWORD}@mongodb:27017/librechat?replicaSet=rinoa
+      MEILI_HOST: http://meilisearch:7700
+      RAG_PORT: 8000
+      RAG_API_URL: http://librechat-rag-api:8000
+    image: ghcr.io/danny-avila/librechat-dev:latest
+    labels:
+      homepage.group: Personal Services
+      homepage.name: LibreChat
+      homepage.href: https://ai.${MY_TLD}
+      homepage.icon: sh-librechat.svg
+      homepage.description: Local AI chat
+      swag: enable
+      swag_port: 3080
+      swag_proto: http
+      swag_url: ai.${MY_TLD}
+      swag.uptime-kuma.enabled: true
+      swag.uptime-kuma.monitor.url: https://ai.${MY_TLD}
+    ports:
+      - 3080:3080
+    restart: always
+    user: ${PUID}:${PGID}
+    volumes:
+      - ${DOCKER_VOLUME_CONFIG}/librechat/librechat.env:/app/.env
+      - ${DOCKER_VOLUME_CONFIG}/librechat/librechat.yaml:/app/librechat.yaml
+      - ${DOCKER_VOLUME_CONFIG}/librechat/images:/app/client/public/images
+      - ${DOCKER_VOLUME_CONFIG}/librechat/uploads:/app/uploads
+      - ${DOCKER_VOLUME_CONFIG}/librechat/logs:/app/api/logs
+  librechat-vectordb:
+    container_name: librechat-vectordb
+    environment:
+      POSTGRES_DB: librechat
+      POSTGRES_USER: librechat
+      POSTGRES_PASSWORD: ${LIBRECHAT_PG_DB_PASSWD}
+    expose:
+      - 5432
+    image: ankane/pgvector:latest
+    restart: always
+    volumes:
+      - librechat-pg-data:/var/lib/postgresql/data
+  librechat-rag-api:
+    container_name: librechat-rag-api
+    depends_on:
+      - librechat-vectordb
+    environment:
+      DB_HOST: librechat-vectordb
+      POSTGRES_DB: librechat
+      POSTGRES_USER: librechat
+      POSTGRES_PASSWORD: ${LIBRECHAT_PG_DB_PASSWD}
+      RAG_PORT: 8000
+    image: ghcr.io/danny-avila/librechat-rag-api-dev-lite:latest
+    restart: always
+    # env_file:
+    #   - ${DOCKER_VOLUME_CONFIG}/librechat/librechat.env
  libretranslate:
    container_name: libretranslate
    # command: --ssl --ga-id MY-GA-ID --req-limit 100 --char-limit 500
@@ -2909,7 +3081,7 @@ services:
    labels:
      homepage.group: Lifestyle
      homepage.name: Manyfold
-      homepage.href: https://scrobble.${MY_TLD}
+      homepage.href: https://3dprint.${MY_TLD}
      homepage.icon: manyfold.svg
      homepage.description: Self-hosted digital asset manager for 3D print files
      swag: enable
@@ -2993,6 +3165,10 @@ services:
      SMTP_PASSWORD: ${POSTAL_SMTP_AUTH_PASSWORD}
      SMTP_FROM_ADDRESS: noreply@trez.wtf
      S3_ENABLED: true
+      S3_ENDPOINT: http://minio:9000
+      S3_REGION: us-east-fh-pln
+      S3_HOST: s3.trez.wtf
+      S3_PROTOCOL: https
      S3_BUCKET: mastodon
      AWS_ACCESS_KEY_ID: ${MASTODON_MINIO_ACCESS_KEY}
      AWS_SECRET_ACCESS_KEY: ${MASTODON_MINIO_SECRET_KEY}
@@ -3037,6 +3213,17 @@ services:
    restart: always
    volumes:
      - mastodon-pg-db:/var/lib/postgresql/data    
+  meilisearch:
+    container_name: meilisearch
+    environment:
+      MEILI_HOST: http://meilisearch:7700
+      MEILI_NO_ANALYTICS: true
+      MEILI_MASTER_KEY: ${MEILISEARCH_MASTER_KEY}
+    image: getmeili/meilisearch:v1.12.3
+    restart: always
+    user: ${PUID}:${PGID}
+    volumes:
+      - ${DOCKER_VOLUME_CONFIG}/meilisearch:/meili_data
  minio:
    command: server --console-address ":9090" /mnt/data
    container_name: minio
@@ -3076,6 +3263,42 @@ services:
        type: bind
        bind:
          create_host_path: true
+  mixpost:
+    container_name: mixpost
+    image: inovector/mixpost:latest
+    depends_on:
+      - mariadb
+      - redis
+    environment:
+      APP_NAME: Mixpost
+      APP_KEY: ${MIXPOST_APP_KEY}
+      APP_DEBUG: true
+      APP_DOMAIN: social.trez.wtf
+      APP_URL: https://social.trez.wtf
+      DB_HOST: mariadb
+      DB_DATABASE: mixpost
+      DB_USERNAME: mixpost
+      DB_PASSWORD: ${MIXPOST_DB_PASSWORD}
+      REDIS_HOST: redis
+      REDIS_PORT: 6379
+    labels:
+      swag: enable
+      swag_port: 80
+      swag_proto: http
+      swag_url: social.${MY_TLD}
+      swag.uptime-kuma.enabled: true
+      swag.uptime-kuma.monitor.url: https://social.${MY_TLD}
+      homepage.group: Social
+      homepage.name: Mixpost
+      homepage.href: https://social.${MY_TLD}
+      homepage.icon: mixpost.svg
+      homepage.description: Multi-channel social media manager
+    ports:
+      - 61757:80
+    restart: unless-stopped
+    volumes:
+        - mixpost-storage:/var/www/html/storage/app
+        - mixpost-logs:/var/www/html/storage/logs
  mongodb:
    container_name: mongodb
    environment:
@@ -3430,36 +3653,6 @@ services:
        source: /rinoa-storage
        target: /storage
        type: bind
-  open-webui:
-    container_name: open-webui
-    depends_on:
-      ollama:
-        condition: service_started
-        required: true
-        restart: true
-    environment:
-      ENABLE_SIGNUP: true
-      ENABLE_LOGIN_FORM: true
-      ENABLE_OLLAMA_API: true
-      OLLAMA_BASE_URLS: http://ollama:11434
-    image: ghcr.io/open-webui/open-webui:main
-    labels:
-      homepage.group: Personal Services
-      homepage.name: Open-WebUI
-      homepage.href: https://ai.${MY_TLD}
-      homepage.icon: open-webui.png
-      homepage.description: Local AI chat using Ollama-downloaded models
-      swag: enable
-      swag_port: 8080
-      swag_proto: http
-      swag_url: ai.${MY_TLD}
-      swag.uptime-kuma.enabled: true
-      swag.uptime-kuma.monitor.url: https://ai.${MY_TLD}
-    ports:
-      - 10863:8080
-    restart: unless-stopped
-    volumes:
-      - open-webui:/app/backend/data
  paperless-ngx:
    container_name: paperless-ngx
    depends_on:
@@ -3544,10 +3737,11 @@ services:
      swag_proto: http
      swag_port: 8000
      swag_url: logs.${MY_TLD}
-    volumes:
-      - ${DOCKER_VOLUME_CONFIG}/parseable/staging:/staging
    ports:
      - 14453:8000
+    restart: unless-stopped
+    volumes:
+      - ${DOCKER_VOLUME_CONFIG}/parseable/staging:/staging
  peppermint:
    container_name: peppermint
    depends_on:
@@ -3724,7 +3918,7 @@ services:
    expose:
      - 9000
      - 9443
-    image: portainer/portainer-ce:alpine-sts
+    image: portainer/portainer-ce:2.27.0-alpine
    labels:
      swag: enable
      swag_proto: http
@@ -3779,11 +3973,8 @@ services:
      - 25:25
    restart: unless-stopped
    volumes:
-      - source: ${DOCKER_VOLUME_CONFIG}/postal
-        target: /config
-        type: bind
-        bind:
-          create_host_path: true
+      - ${DOCKER_VOLUME_CONFIG}/postal:/config
+      - ${DOCKER_VOLUME_CONFIG}/swag/etc/letsencrypt/live/trez.wtf:/config/certs
  postal-web:
    command: postal web-server
    container_name: postal-web
@@ -4374,6 +4565,43 @@ services:
        type: bind
        bind:
          create_host_path: true
+  semaphore:
+    container_name: semaphore
+    environment:
+      ANSIBLE_HOST_KEY_CHECKING: false
+      SEMAPHORE_ADMIN_PASSWORD: ${SEMAPHORE_ADMIN_PASSWORD}
+      SEMAPHORE_ADMIN_NAME: admin
+      SEMAPHORE_ADMIN_EMAIL: charish.patel@trez.wtf
+      SEMAPHORE_ADMIN: admin
+      SEMAPHORE_DB_DIALECT: bolt
+      SEMAPHORE_EMAIL_ALERT: true
+      SEMAPHORE_EMAIL_SENDER: noreply@trez.wtf
+      SEMAPHORE_EMAIL_HOST: postal-smtp
+      SEMAPHORE_EMAIL_PORT: 25
+      SEMAPHORE_EMAIL_USERNAME: ${POSTAL_SMTP_AUTH_USER}
+      SEMAPHORE_EMAIL_PASSWORD: ${POSTAL_SMTP_AUTH_PASSWORD}
+      SEMAPHORE_EMAIL_SECURE: false
+      SEMAPHORE_USE_REMOTE_RUNNER: true
+    image: semaphoreui/semaphore:v2.12.14
+    labels:
+      homepage.group: Code/DevOps
+      homepage.name: Semaphore
+      homepage.href: https://devops.${MY_TLD}
+      homepage.icon: semaphore.svg
+      homepage.description: Modern UI for Ansible, Terraform, OpenTofu, PowerShell and other DevOps tools
+      swag: enable
+      swag_port: 3000
+      swag_proto: http
+      swag_url: devops.${MY_TLD}
+      swag.uptime-kuma.enabled: true
+      swag.uptime-kuma.monitor.url: https://devops.${MY_TLD}
+    ports:
+      - 3015:3000
+    restart: unless-stopped
+    volumes:
+      - semaphore_config:/etc/semaphore
+      - semaphore_data:/var/lib/semaphore
+      - semaphore_tmp:/tmp/semaphore
  sonarqube:
    container_name: sonarqube
    depends_on:
@@ -4632,7 +4860,7 @@ services:
        SPEEDTEST_SCHEDULE: 15 */3 * * *
    labels:
      homepage.name: Speedtest Tracker
-      homepage.group: System Administration
+      homepage.group: Infrastructure/App Performance Monitoring
      homepage.description: Self-hosted internet performance tracking
      homepage.href: https://speed.${MY_TLD}
      homepage.icon: speedtest-tracker.png
@@ -4670,6 +4898,36 @@ services:
    restart: always
    volumes:
      - ${DOCKER_VOLUME_CONFIG}/spotisub:/home/user/spotisub/cache
+  stable-diffusion-download:
+    container_name: stable-diffusion-download
+    image: git.trez.wtf/trez.one/stable-diffusion-download:v9.0.0
+    restart: unless-stopped
+    volumes:
+      - ${DOCKER_VOLUME_CONFIG}/stable-diffusion-webui/data:/data
+  stable-diffusion-webui:
+    container_name: stable-diffusion-webui
+    image: git.trez.wtf/trez.one/stable-diffusion-ui:v9.0.0
+    environment:
+      - CLI_ARGS=--allow-code --medvram --xformers --enable-insecure-extension-access --api
+    labels:
+      homepage.name: Stable-Diffusion WebUI
+      homepage.group: Personal Services
+      homepage.description: Deep learning, text-to-image model
+      homepage.href: https://sd.${MY_TLD}
+      homepage.icon: /icons/stable-diffusion.png
+      swag: enable
+      swag_port: 7860
+      swag_proto: http
+      swag_url: sd.${MY_TLD}
+      swag.uptime-kuma.enabled: true
+      swag.uptime-kuma.monitor.url: https://sd.${MY_TLD}
+    ports:
+      - 7860:7860
+    restart: unless-stopped
+    tty: true
+    volumes:
+      - ${DOCKER_VOLUME_CONFIG}/stable-diffusion-webui/data:/data
+      - ${DOCKER_VOLUME_CONFIG}/stable-diffusion-webui/output:/output
  swag:
    cap_add:
      - NET_ADMIN
@@ -5159,57 +5417,13 @@ services:
        source: /rinoa-storage
        target: /storage
        type: bind
-  zitadel:
-    container_name: zitadel
-    image: ghcr.io/zitadel/zitadel:latest
-    command: 'start-from-init --masterkeyFromEnv --config /config.yaml --config /secrets.yaml --config /init-steps.yaml --tlsMode external'
-    depends_on:
-      zitadel-pg-db:
-        condition: 'service_started'
-    environment:
-      ZITADEL_MASTERKEY: ${ZITADEL_MASTER_KEY}
-    expose:
-      - 8080
-    labels:
-      swag: enable
-      swag_proto: http
-      swag_port: 8080
-      swag_url: id.${MY_TLD}
-      swag_server_custom_directive: http2 on;
-      homepage.group: System Administration
-      homepage.name: Zitadel
-      homepage.href: https://id.${MY_TLD}
-      homepage.icon: zitadel.svg
-      homepage.description: Centralized authentication management
-    restart: unless-stopped
-    volumes:
-      - ${DOCKER_VOLUME_CONFIG}/zitadel/config.yaml:/config.yaml
-      - ${DOCKER_VOLUME_CONFIG}/zitadel/init-steps.yaml:/init-steps.yaml
-      - ${DOCKER_VOLUME_CONFIG}/zitadel/secrets.yaml:/secrets.yaml
-  zitadel-pg-db:
-    container_name: zitadel-pg-db
-    environment:
-      POSTGRES_USER: root
-      POSTGRES_PASSWORD: ${ZITADEL_DB_ADMIN_PASSWORD}
-    expose:
-      - 5432
-    healthcheck:
-      test: ["CMD-SHELL", "pg_isready", "-d", "zitadel", "-U", "root" ]
-      interval: '10s'
-      timeout: '30s'
-      retries: 5
-      start_period: '20s'
-    image: postgres:16-alpine
-    restart: unless-stopped
-    volumes:
-      - zitadel-pg-db:/var/lib/postgresql/data
 volumes:
  authelia-pg-db:
    name: authelia-pg-db
  bitmagnet-pg-db:
    name: bitmagnet-pg-db
-  bunkerweb-data:
-    name: bunkerweb-data
+  bunkerweb-storage:
+    name: bunkerweb-storage
  castopod-media:
    name: castopod-media
  crowdsec-config:
@@ -5226,6 +5440,8 @@ volumes:
    name: dawarich_watched
  dbgate-data:
    name: dbgate-data
+  docker-volume-bkup-data:
+    name: docker-volume-bkup-data
  fastenhealth-cache:
    name: fastenhealth-cache
  fastenhealth-db:
@@ -5268,12 +5484,18 @@ volumes:
    name: jitsi-web-admin-upload
  joplin_data:
    name: joplin_data
+  librechat-pg-data:
+    name: librechat-pg-data
  libretranslate_models:
    name: libretranslate_models
  lldap_data:
    name: lldap_data
  mastodon-pg-db:
    name: mastodon-pg-db
+  mixpost-storage:
+    name: mixpost-storage
+  mixpost-logs:
+    name: mixpost-logs
  mongodb_config:
    name: mongodb_config
  mongodb_data:
@@ -5312,6 +5534,12 @@ volumes:
    name: portainer-data
  reactive-resume-pg:
    name: reactive-resume-pg
+  semaphore_config:
+    name: semaphore_config
+  semaphore_data:
+    name: semaphore_data
+  semaphore_tmp:
+    name: semaphore_tmp
  sonarqube-data:
    name: sonarqube-data
  sonarqube-db:
@@ -5333,4 +5561,4 @@ volumes:
  wallos-logos:
    name: wallos-logos
  zitadel-pg-db:
-    name: zitadel-pg-db
+    name: zitadel-pg-db