Misc. fix.

Merged by Trez.One

.gitea/workflows/pr-cloudflare-docker-deploy.yml

@@ -25,6 +25,13 @@ jobs:
           uri: 'https://gitea.com/gitea/tea/releases/download/v0.9.2/tea-0.9.2-linux-amd64'
           name: 'tea'
           version: '0.9.2'
+      - name: Gotify Notification
+        uses: eikendev/gotify-action@master
+        with:
+          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
+          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
+          notification_title: 'GITEA: PR Check'
+          notification_message: 'Checking for existing PR... 🔍'
       - name: Check if open PR exists
         id: check-opened-pr-step
         continue-on-error: true
@@ -39,6 +46,13 @@ jobs:
           pr_index_old=$(tea pr ls --repo ${{ github.repository }} --state all --fields index,title,head --output csv | sed -e 's|"||g' | egrep '^[0-9]' | head -1 | awk -F"," '{print $1}')
           pr_index_new=$(expr ${pr_index_old} + 1)
           tea pr c -r ${{ github.repository }} -t "Automated PR for ${{ github.ref_name }} - #${pr_index_new}" -d "Automatically created PR for branch: ${{ github.ref_name }}" -a ${{ github.actor }} -L "Docker Compose, Ansible Configs.j2"
+      - name: Gotify Notification
+        uses: eikendev/gotify-action@master
+        with:
+          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
+          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
+          notification_title: 'GITEA: PR Check'
+          notification_message: 'PR Created 🎟️'
   docker-compose-ansible-lints:
     name: Docker Compose & Ansible Lints
     needs: [check-and-create-pr]
@@ -65,6 +79,13 @@ jobs:
         uses: cpanato/vault-installer@main
       - name: Install hvac
         run: pip install hvac
+      - name: Gotify Notification
+        uses: eikendev/gotify-action@master
+        with:
+          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
+          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
+          notification_title: 'GITEA: Ansible Config Dry Run @ Rinoa'
+          notification_message: 'Starting Ansible dry run...'
       - name: Ansible Playbook Dry Run
         uses: dawidd6/action-ansible-playbook@v2
         with:
@@ -82,7 +103,7 @@ jobs:
           gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
           gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
           notification_title: 'GITEA: Ansible Config Dry Run @ Rinoa'
-          notification_message: 'Ansible dry run completed successfully.'
+          notification_message: 'Ansible dry run completed successfully; starting Docker Compose'
       - name: Generate .env file for Docker Compose Dry Run
         run: |
           vault kv get -format=json rinoa-docker/env | jq -r '.data.data' | jq -r 'keys[] as $k | "\($k)='\''\(.[$k])'\''"' > .env
@@ -149,7 +170,7 @@ jobs:
           gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
           gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
           notification_title: 'GITEA: Cloudflare Setup @ Rinoa'
-          notification_message: 'Starting Cloudflare setup'
+          notification_message: 'Starting Cloudflare DNS setup...'
       - name: Compare Subdomains
         id: compare-subdomains
         uses: LouisBrunner/diff-action@v2.2.0
@@ -203,6 +224,13 @@ jobs:
       #     modified_services=${egrep '^  [a-z]' changes.yml | sed -e 's|^  ||g' -e 's|:||g' | sed ':a;N;$!ba;s/\n/ /g'}
       #     echo "Modified services: $modified_services"
       #     echo "modified_services=$modified_services" >> $GITHUB_OUTPUT
+      - name: Gotify Notification
+        uses: eikendev/gotify-action@master
+        with:
+          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
+          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
+          notification_title: 'GITEA: README Update'
+          notification_message: 'Updating README...'
       - name: Generate service list
         run: |
           yq '.services | to_entries | map({"service": .key, "image": .value.image})' docker-compose.yml > services.yml
@@ -222,6 +250,13 @@ jobs:
         with:
           message: "chore: Update README"
           add: "README.md"
+      - name: Gotify Notification
+        uses: eikendev/gotify-action@master
+        with:
+          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
+          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
+          notification_title: 'GITEA: README Update'
+          notification_message: 'README updated'
   pr-merge:
     name: PR Merge
     needs: [regenerate-readme-modified-services]
@@ -278,6 +313,13 @@ jobs:
         uses: cpanato/vault-installer@main
       - name: Install hvac
         run: pip install hvac
+      - name: Gotify Notification
+        uses: eikendev/gotify-action@master
+        with:
+          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
+          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
+          notification_title: 'GITEA: Ansible Config Deployment @ Rinoa'
+          notification_message: 'Starting config deployment with Ansible.'
       - name: Deploy Docker Configs via Ansible
         uses: dawidd6/action-ansible-playbook@v2
         with:
@@ -295,6 +337,13 @@ jobs:
           gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
           notification_title: 'GITEA: Ansible Config Deployment @ Rinoa'
           notification_message: 'Deployment completed successfully.'
+      - name: Gotify Notification
+        uses: eikendev/gotify-action@master
+        with:
+          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
+          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
+          notification_title: 'GITEA: Docker Compose Deployment @ Rinoa'
+          notification_message: 'Starting Docker Compose run...'
       - name: Generate .env file for deployment
         run: |
            vault kv get -format=json rinoa-docker/env | jq -r '.data.data' | jq -r 'keys[] as $k | "\($k)='\''\(.[$k])'\''"' > .env

.gitignore

@@ -1,3 +1,4 @@
 **/.cache_ggshield
 ansible/collections/ansible_collections/
-**/.env
+**/.env
+**/netbird_openid-configuration.json.j2

README.md

@@ -16,7 +16,7 @@
 | bitmagnet | ghcr.io/bitmagnet-io/bitmagnet:latest |
 | bitmagnet-pg-db | postgres:17-alpine |
 | bitwarden | vaultwarden/server:latest |
-| bluesky-pds | ghcr.io/bluesky-social/pds:latest |
+| bluesky-pds | code.modernleft.org/gravityfargo/bluesky-pds:v0.4.98 |
 | browserless | ghcr.io/browserless/chromium:latest |
 | bunkerweb | bunkerity/bunkerweb:1.6.0 |
 | bunkerweb-scheduler | bunkerity/bunkerweb-scheduler:1.6.0 |
@@ -50,9 +50,10 @@
 | gitea-sonarqube-bot | justusbunsi/gitea-sonarqube-bot:v0.4.0 |
 | gluetun | qmcgaw/gluetun:latest |
 | gotify | gotify/server |
+| graylog | graylog/graylog:6.1 |
+| graylog-datanode | graylog/graylog-datanode:6.1 |
 | guacamole | flcontainers/guacamole:latest |
 | homepage | ghcr.io/gethomepage/homepage:latest |
-| hortusfox | ghcr.io/danielbrendel/hortusfox-web:latest |
 | hugo | hugomods/hugo:exts |
 | immich-server | ghcr.io/immich-app/immich-server:release |
 | immich-machine-learning | ghcr.io/immich-app/immich-machine-learning:release |
@@ -63,8 +64,6 @@
 | invidious | quay.io/invidious/invidious:latest |
 | invidious-sig-helper | quay.io/invidious/inv-sig-helper:latest |
 | invidious-db | docker.io/library/postgres:14 |
-| invoice-ninja | invoiceninja/invoiceninja-debian:5 |
-| invoice-ninja_proxy | nginx |
 | it-tools | ghcr.io/corentinth/it-tools:latest |
 | jellyfin | jellyfin/jellyfin |
 | jitsi-etherpad | etherpad/etherpad:1.8.6 |
@@ -82,6 +81,7 @@
 | libretranslate | libretranslate/libretranslate |
 | lidarr | lscr.io/linuxserver/lidarr:latest |
 | lidify | thewicklowwolf/lidify:latest |
+| linkstack | linkstackorg/linkstack:latest |
 | lldap | lldap/lldap:stable |
 | maloja | krateng/maloja:latest |
 | manyfold | lscr.io/linuxserver/manyfold:latest |
@@ -90,6 +90,7 @@
 | mastodon-pg-db | postgres:17-alpine |
 | meilisearch | getmeili/meilisearch:v1.12.3 |
 | minio | minio/minio |
+| mixpost | inovector/mixpost:latest |
 | mongodb | bitnami/mongodb:7.0 |
 | multi-scrobbler | foxxmd/multi-scrobbler |
 | n8n | docker.n8n.io/n8nio/n8n |
@@ -104,15 +105,9 @@
 | ollama | ollama/ollama |
 | ombi | lscr.io/linuxserver/ombi:latest |
 | paperless-ngx | ghcr.io/paperless-ngx/paperless-ngx:latest |
-| parseable | containers.parseable.com/parseable/parseable:latest |
-| peppermint | pepperlabs/peppermint:latest |
-| peppermint-pg-db | postgres:17-alpine |
 | pgbackweb | eduardolat/pgbackweb:latest |
 | pgbackweb-db | postgres:16-alpine |
 | plantuml-server | plantuml/plantuml-server:jetty |
-| plausible | ghcr.io/plausible/community-edition:v2.1.0 |
-| plausible_db | postgres:16-alpine |
-| plausible_events_db | clickhouse/clickhouse-server:24.3.3.102-alpine |
 | portainer | portainer/portainer-ce:2.27.0-alpine |
 | portall | need4swede/portall:latest |
 | postal-smtp | ghcr.io/postalserver/postal:latest |
@@ -142,16 +137,14 @@
 | soulseek | slskd/slskd |
 | sourcebot | ghcr.io/sourcebot-dev/sourcebot:latest |
 | speedtest-tracker | lscr.io/linuxserver/speedtest-tracker:latest |
-| spotisub | blastbeng/spotisub:latest |
 | stable-diffusion-download | git.trez.wtf/trez.one/stable-diffusion-download:v9.0.0 |
-| stable-diffusion-webui | git.trez.wtf/trez.one/stable-diffusion-ui:v9.0.0 |
+| stable-diffusion-webui | git.trez.wtf/trez.one/stable-diffusion-ui:v9.0.1 |
 | swag | lscr.io/linuxserver/swag:latest |
 | tandoor | vabene1111/recipes |
 | tandoor-pg | postgres:16-alpine |
 | unmanic | josh5/unmanic:latest |
 | uptimekuma | louislam/uptime-kuma:latest |
 | vault | hashicorp/vault:latest |
-| vector | timberio/vector:0.44.0-alpine |
 | wallabag | wallabag/wallabag |
 | wallos | bellamy/wallos:latest |
 | watchtower | ghcr.io/containrrr/watchtower:latest |

ansible/app-configs/authelia_configuration.yml.j2

@@ -0,0 +1,174 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+# yaml-language-server: $schema=https://www.authelia.com/schemas/latest/json-schema/configuration.json
+---
+theme: auto
+default_2fa_method: "totp"
+server:
+  address: '0.0.0.0:9091'
+  endpoints:
+    enable_pprof: false
+    enable_expvars: false
+  disable_healthcheck: false
+  tls:
+    key: ""
+    certificate: ""
+    client_certificates: []
+  headers:
+    csp_template: ""
+log:
+  level: debug
+telemetry:
+  metrics:
+    enabled: true
+    address: tcp://0.0.0.0:9959
+totp:
+  disable: false
+  issuer: authelia.com
+  algorithm: sha256
+  digits: 6
+  period: 30
+  skew: 1
+  secret_size: 32
+webauthn:
+  disable: false
+  timeout: 60s
+  display_name: Authelia
+  attestation_conveyance_preference: indirect
+  user_verification: preferred
+ntp:
+  address: "time.cloudflare.com:123"
+  version: 4
+  max_desync: 3s
+  disable_startup_check: false
+  disable_failure: false
+authentication_backend:
+  password_reset:
+    disable: false
+    custom_url: ""
+  ldap:
+    implementation: custom
+    address: ldap://lldap:3890
+    timeout: 5s
+    start_tls: false
+    base_dn: dc=trez,dc=wtf
+    additional_users_dn: ou=people
+    users_filter: "(&({username_attribute}={input})(objectClass=person))"
+    additional_groups_dn: ou=groups
+    groups_filter: "(member={dn})"
+    attributes:
+      username: uid
+      group_name: cn
+      mail: mail
+      display_name: displayName
+    user: uid=authelia,ou=people,dc=trez,dc=wtf
+    password: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_AUTH_BIND_LDAP_PASSWORD'] }}'
+  refresh_interval: 5m
+identity_validation:
+  reset_password:
+    jwt_secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_JWT_SECRET'] }}'
+password_policy:
+  standard:
+    enabled: true
+    min_length: 8
+    max_length: 0
+    require_uppercase: true
+    require_lowercase: true
+    require_number: true
+    require_special: false
+  zxcvbn:
+    enabled: false
+    min_score: 3
+access_control:
+  default_policy: deny
+  networks:
+    - name: 'internal'
+      networks:
+        - '172.17.0.0/16'
+        - '172.18.0.0/16'
+        - '192.168.1.0/24'
+  rules:
+    - domain_regex:
+      - '^trez.wtf$'
+      - ^www.trez.wtf$''
+      policy: bypass
+    - domain: '*.trez.wtf'
+      policy: bypass
+      networks:
+        - 'internal'
+    - domain: '*.trez.wtf'
+      policy: one_factor
+      subject:
+      - ['user:the.trezured.one']
+session:
+  name: authelia_session
+  secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_SESSION_SECRET'] }}'
+  expiration: 1h
+  inactivity: 5m
+  remember_me: 1M
+  cookies:
+    - domain: 'trez.wtf'
+      authelia_url: 'https://auth.trez.wtf'
+  redis:
+    host: redis
+    port: 6379
+storage:
+  encryption_key: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_STORAGE_ENCRYPTION_KEY'] }}'
+  postgres:
+    address: 'tcp://authelia-pg:5432'
+    database: authelia
+    username: authelia
+    password: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_STORAGE_POSTGRES_PASSWORD'] }}'
+    timeout: '5s'
+regulation:
+  max_retries: 3
+  find_time: 2m
+  ban_time: 5m
+notifier:
+  disable_startup_check: true
+  smtp:
+    address: 'smtp://postal-smtp:25'
+    timeout: '5s'
+    username: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}'
+    password: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}'
+    sender: "Authelia <noreply@trez.wtf>"
+    identifier: 'localhost'
+    subject: "[Authelia] {title}"
+    startup_check_address: 'test@authelia.com'
+    disable_require_tls: true
+    disable_starttls: true
+    disable_html_emails: false
+identity_providers:
+  oidc:
+    hmac_secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_OIDC_HMAC_SECRET'] }}'
+    jwks:
+      key_id: 'netbird'
+      key: |
+        {{ lookup("community.hashi_vault.vault_kv2_get", "env", engine_mount_point="rinoa-docker", url=vault_addr, token=vault_token_cleaned)["secret"]["AUTHELIA_OIDC_JWKS_KEY"] | replace("\\n", "\n") | indent(8) }}
+      certificate_chain: |
+        {{ lookup("community.hashi_vault.vault_kv2_get", "env", engine_mount_point="rinoa-docker", url=vault_addr, token=vault_token_cleaned)["secret"]["AUTHELIA_OIDC_JWKS_CERT_CHAIN"] | replace("\\n", "\n") | indent(8) }}
+    cors:
+      allowed_origins_from_client_redirect_uris: true
+      endpoints:
+        - 'userinfo'
+        - 'authorization'
+        - 'token'
+        - 'revocation'
+        - 'introspection'
+    clients:
+      - client_id: 'netbird'
+        client_name: 'NetBird'
+        client_secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_NETBIRD_CLIENT_SECRET'] }}'
+        public: false
+        authorization_policy: 'two_factor'
+        redirect_uris:
+          - 'https://vpn.trez.wtf/peers'
+          - 'https://vpn.trez.wtf/add-peers'
+          - 'http://localhost'
+        scopes:
+          - 'openid'
+          - 'email'
+          - 'profile'
+        userinfo_signed_response_alg: 'none'
+        token_endpoint_auth_method: 'client_secret_post'

ansible/app-configs/homepage_settings.yaml.j2

@@ -23,7 +23,7 @@ provider: duckduckgo
 layout:
   System Administration:
     style: row
-    columns: 5
+    columns: 4
   Infrastructure/App Performance Monitoring:
     style: row
     columns: 4
@@ -32,20 +32,17 @@ layout:
     columns: 4
   Social:
     style: row
-    columns: 3
+    columns: 4
   Lifestyle:
     style: row
-    columns: 5
+    columns: 3
   Automation:
     style: row
     columns: 5
   Privacy/Security:
     style: row
-    columns: 3
-  Personal Services:
-    style: row
-    columns: 4
-  Professional Services:
+    columns: 5
+  Personal/Professional Services:
     style: row
     columns: 5
   Servarr Stack:

ansible/app-configs/librechat_librechat.yaml.j2

@@ -6,21 +6,21 @@ endpoints:
       baseURL: "http://ollama:11434/v1/chat/completions"
       models:
         default: [
-          "deepseek-r1",
-          "deepseek-coder-v2",
-          "deepseek-v3",
-          "llama3.3",
-          "phi4",
+          "deepseek-r1:1.5b",
+          "deepseek-coder-v2:16b",
+          "deepseek-v3:671b",
+          "llama3.3:70b",
+          "phi4:14b",
           "qwen2.5",
-          "llama2",
-          "mistral",
-          "codellama",
-          "tinyllama",
-          "starcoder2",
-          "dolphin-mixtral",
-          "smollm2",
-          "orca-mini",
-          "mistral-openorca"
+          "llama2:7b",
+          "mistral:7b",
+          "codellama:7b",
+          "tinyllama:1.1b",
+          "starcoder2:3b",
+          "dolphin-mistral:7b",
+          "smollm2:1.7b",
+          "orca-mini:3b",
+          "mistral-openorca:7b"
         ]
 # fetching list of models is supported but the `name` field must start
 # with `ollama` (case-insensitive), as it does in this example.

ansible/app-configs/multi-scrobbler_config.json.j2

@@ -2,62 +2,107 @@
 {% set secrets_path = 'rinoa-docker/env' %}
 
 {
-    "sourceDefaults": {
-      "maxPollRetries": 0,          // optional, default # of automatic polling restarts on error. can be overridden by property in individual config
-      "maxRequestRetries": 1,       // optional, default # of http request retries a source can make before error is thrown. can be overridden by property in individual config
-      "retryMultiplier": 1.5       // optional, default retry delay multiplier (retry attempt * multiplier = # of seconds to wait before retrying). can be overridden by property in individual config
+  "debugMode": false,
+  "disableWeb": false,
+  "sourceDefaults": {
+    "logPayload": false,
+    "logFilterFailure": "warn",
+    "logPlayerState": false,
+    "scrobbleThresholds": {
+      "duration": 30,
+      "percent": 20
     },
-    "clientDefaults": {
-      "maxRequestRetries": 1,       // optional, default # of http request retries a client can make before error is thrown. can be overridden by property in individual config
-      "retryMultiplier": 1.5       // optional, default retry delay multiplier (retry attempt * multiplier = # of seconds to wait before retrying). can be overridden by property in individual config
+    "maxPollRetries": 1,
+    "maxRequestRetries": 1,
+    "retryMultiplier": 1.5
+  },
+  "clientDefaults": {
+    "maxRequestRetries": 1,
+    "retryMultiplier": 1.5
+  },
+  "sources": [
+    {
+      "type": "spotify",
+      "enable": true,
+      "clients": [],
+      "name": "Spotify",
+      "data": {
+        "clientId": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_ID'] }}",
+        "clientSecret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_SECRET'] }}",
+        "redirectUri": "http://localhost:9078/callback"
+      }
     },
-    "clients": [
-        {
-            "name": "Last.fm Client",
-            "enable": true,
-            "configureAs": "client",
-            "data": {
-            "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
-            "secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
-            "redirectUri": "http://localhost:9078/lastfm/callback"
-            }
-        },
-        {
-            "name": "Last.fm Source",
-            "enable": true,
-            "configureAs": "source",
-            "data": {
-            "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
-            "secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
-            "redirectUri": "http://localhost:9078/lastfm/callback"
-            }
-        },
-        {
-            "name": "Maloja",
-            "enable": true,
-            "data": {
-            "url": "http://maloja:42010",
-            "apiKey": "myMalojaKey"
-            }
-        },
-        {
-          "name": "ListenBrainz Client",
-          "enable": true,
-          "configureAs": "client",
-          "data": {
-            "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_LISTENBRAINZ_TOKEN'] }}",
-            "username": "Trez.One"
-          }
-        },
-        {
-          "name": "ListenBrainz Source",
-          "enable": true,
-          "configureAs": "source",
-          "data": {
-            "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_LISTENBRAINZ_TOKEN'] }}",
-            "username": "Trez.One"
-          }
-        }
-      ]
-  }
+    {
+      "type:": "lastfm",
+      "name": "Last.fm",
+      "enable": true,
+      "data": {
+        "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
+        "secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
+        "redirectUri": "http://localhost:9078/lastfm/callback"
+      }
+    },
+    {
+      "type": "listenbrainz",
+      "name": "ListenBrainz",
+      "enable": true,
+      "data": {
+        "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_LISTENBRAINZ_TOKEN'] }}",
+        "username": "Trez.One"
+      }
+    },
+    {
+      "type": "subsonic",
+      "name": "Navidrome",
+      "enable": true,
+      "data": {
+        "url": "http://navidrome:4533",
+        "user": "admin",
+        "password": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NAVIDROME_PASSWORD'] }}"
+      }
+    }
+  ],
+  "clients": [
+    {
+      "type": "lastfm",
+      "name": "Last.fm Client",
+      "enable": true,
+      "data": {
+        "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
+        "secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
+        "redirectUri": "http://localhost:9078/lastfm/callback"
+      }
+    },
+    {
+      "type": "listenbrainz",
+      "name": "ListenBrainz Client",
+      "enable": true,
+      "data": {
+        "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_LISTENBRAINZ_TOKEN'] }}",
+        "username": "Trez.One"
+      }
+    },
+    {
+      "type": "maloja",
+      "enable": true,
+      "name": "Maloja",
+      "data": {
+        "url": "http://maloja:42010",
+        "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_API_KEY'] }}"
+      }
+    }
+  ],
+  "webhooks": [
+    {
+      "name": "Gotify",
+      "type": "gotify",
+      "url": "http://gotify",
+      "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MULTI_SCROBBLER_GOTIFY_TOKEN'] }}",
+      "priorities": {
+        "info": 5,
+        "warn": 7,
+        "error": 10
+      }
+    }
+  ]
 }

ansible/app-configs/netbird_management.json.j2

@@ -47,60 +47,30 @@
   },
   "HttpConfig": {
     "Address": "0.0.0.0:33073",
-    "AuthIssuer": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}",
-    "AuthAudience": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_ZITADEL_CLIENT_ID'] }}",
-    "AuthKeysLocation": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/oauth/v2/keys",
+    "AuthIssuer": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}",
+    "AuthAudience": "netbird",
+    "AuthKeysLocation": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/jwks.json",
     "AuthUserIDClaim": "",
     "CertFile": "",
     "CertKey": "",
     "IdpSignKeyRefreshEnabled": true,
-    "OIDCConfigEndpoint": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/.well-known/openid-configuration"
-  },
-  "IdpManagerConfig": {
-    "ManagerType": "zitadel",
-    "ClientConfig": {
-      "Issuer": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}",
-      "TokenEndpoint": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/oauth/v2/token",
-      "ClientID": "netbird",
-      "ClientSecret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_ZITADEL_CLIENT_SECRET'] }}",
-      "GrantType": "client_credentials"
-    },
-    "ExtraConfig": {
-      "ManagementEndpoint": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/management/v1"
-    },
-    "Auth0ClientCredentials": null,
-    "AzureClientCredentials": null,
-    "KeycloakClientCredentials": null,
-    "ZitadelClientCredentials": null
-  },
-  "DeviceAuthorizationFlow": {
-    "Provider": "hosted",
-    "ProviderConfig": {
-      "Audience": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_ZITADEL_CLIENT_ID'] }}",
-      "AuthorizationEndpoint": "",
-      "Domain": "",
-      "ClientID": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_ZITADEL_CLIENT_ID'] }}",
-      "ClientSecret": "",
-      "TokenEndpoint": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/oauth/v2/token",
-      "DeviceAuthEndpoint": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/oauth/v2/device_authorization",
-      "Scope": "openid",
-      "UseIDToken": false,
-      "RedirectURLs": null
-    }
+    "OIDCConfigEndpoint": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/.well-known/openid-configuration"
   },
+  "IdpManagerConfig": {},
+  "DeviceAuthorizationFlow": {},
   "PKCEAuthorizationFlow": {
     "ProviderConfig": {
-      "Audience": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_ZITADEL_CLIENT_ID'] }}",
-      "ClientID": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_ZITADEL_CLIENT_ID'] }}",
-      "ClientSecret": "",
+      "Audience": "netbird",
+      "ClientID": "netbird",
+      "ClientSecret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_NETBIRD_CLIENT_SECRET'] }}",
       "Domain": "",
-      "AuthorizationEndpoint": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/oauth/v2/authorize",
-      "TokenEndpoint": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/oauth/v2/token",
+      "AuthorizationEndpoint": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/api/oidc/authorization",
+      "TokenEndpoint": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/api/oidc/token",
       "Scope": "openid profile email offline_access api",
       "RedirectURLs": [
         "http://localhost:53000"
       ],
-      "UseIDToken": false
+      "UseIDToken": true
     }
   }
 }