Ansible private key fix (hopefully).

Removing Grafana stack; adding Jinja templates for Vector and Gitea Runner.
2025-02-15 20:58:42 -05:00 · 2025-02-15 19:49:26 -05:00
93 changed files with 5353 additions and 8881 deletions
@@ -1,197 +0,0 @@
-name: Gitea Branch PR & Ansible Deployment
-on:
-  workflow_dispatch:
-  push:
-    branches-ignore:
-      - 'main'
-    paths:
-      - '**.j2'
-      - '**/pr-ansible-config-deployment.yaml'
-      - 'ansible/**.yml'
-jobs:
-  check-and-create-pr:
-    if: github.ref != 'refs/heads/main'
-    name: Check and Create PR
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout Code
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 1
-      - name: Cache tea CLI
-        id: cache-tea
-        uses: actions/cache@v4
-        with:
-          path: /opt/hostedtoolcache/tea/0.9.2/x64
-          key: tea-${{ runner.os }}-0.9.2
-      - name: Install tea
-        uses: supplypike/setup-bin@v4
-        with:
-          uri: 'https://gitea.com/gitea/tea/releases/download/v0.9.2/tea-0.9.2-linux-amd64'
-          name: 'tea'
-          version: '0.9.2'
-      - name: Gotify Notification
-        uses: eikendev/gotify-action@master
-        with:
-          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
-          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
-          notification_title: 'GITEA: PR Check'
-          notification_message: 'Checking for existing PR... 🔍'
-      - name: Check if open PR exists
-        id: check-opened-pr-step
-        continue-on-error: true
-        run: |
-          tea login add --name gitea-rinoa --url "${{ secrets.RINOA_GITEA_URL }}" --user gitea-sonarqube-bot --password "${{ secrets.BOT_GITEA_PASSWORD }}" --token ${{ secrets.BOT_GITEA_TOKEN }}
-          pr_exists=$(tea pr list --repo ${{ github.repository }} --state open --fields index,title,head | egrep '\[ANSIBLE\].*${{ github.ref_name }}' | tail -1 | wc -l)
-          echo "exists=$pr_exists" >> $GITHUB_OUTPUT
-      - name: Create PR
-        if: ${{ steps.check-opened-pr-step.outputs.exists == '0' }}
-        run: |
-          tea login default gitea-rinoa
-          pr_index_old=$(tea pr ls --repo ${{ github.repository }} --state all --fields index,title,head --output csv | sed -e 's|"||g' | egrep '^[0-9]' | head -1 | awk -F"," '{print $1}')
-          pr_index_new=$(expr ${pr_index_old} + 1)
-          tea pr c -r ${{ github.repository }} -t "[ANSIBLE] Automated PR for ${{ github.ref_name }} - #${pr_index_new}" -d "Automatically created PR for branch: ${{ github.ref_name }}" -a ${{ github.actor }} -L "Ansible Configs.j2"
-      - name: Gotify Notification
-        uses: eikendev/gotify-action@master
-        with:
-          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
-          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
-          notification_title: 'GITEA: PR Check'
-          notification_message: 'PR Created 🎟️'
-  ansible-dry-run:
-    name: Ansible Dry Run
-    needs: [check-and-create-pr]
-    runs-on: ubuntu-latest
-    env:
-      VAULT_ADDR: ${{ secrets.RINOA_VAULT_ADDR }}
-      VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
-      VAULT_NAMESPACE: ""
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-      - name: Cache Ansible Galaxy Collections
-        uses: actions/cache@v3
-        with:
-          path: ansible/collections
-          key: ${{ runner.os }}-ansible-${{ hashFiles('./ansible/collections/requirements.yml') }}
-          restore-keys: |
-            ${{ runner.os }}-ansible-
-      - name: Install Ansible
-        uses: alex-oleshkevich/setup-ansible@v1.0.1
-        with:
-          version: "11.4.0"
-      - name: Install Vault
-        uses: cpanato/vault-installer@main
-      - name: Install hvac
-        run: |
-          pip install hvac
-      - name: Gotify Notification
-        uses: eikendev/gotify-action@master
-        with:
-          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
-          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
-          notification_title: 'GITEA: Ansible Config Dry Run @ Rinoa'
-          notification_message: 'Starting Ansible dry run...'
-      - name: Ansible Playbook Dry Run
-        uses: dawidd6/action-ansible-playbook@v3
-        with:
-          directory: ansible/
-          playbook: docker_config_deploy.yml
-          key: ${{ secrets.RINOA_ANSIBLE_PRIVATE_KEY }}
-          vault_password: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
-          requirements: collections/requirements.yml
-          options: |
-            --check
-            --inventory inventory/hosts.yml
-      - name: Gotify Notification
-        uses: eikendev/gotify-action@master
-        with:
-          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
-          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
-          notification_title: 'GITEA: Ansible Dry Run @ Rinoa'
-          notification_message: 'Ansible dry run completed successfully.'
-  pr-merge:
-    name: PR Merge
-    needs: [ansible-dry-run]
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-      - name: Install tea
-        uses: supplypike/setup-bin@v4
-        with:
-          uri: 'https://gitea.com/gitea/tea/releases/download/v0.9.2/tea-0.9.2-linux-amd64'
-          name: 'tea'
-          version: '0.9.2'
-      - name: PR Merge
-        id: pr_merge
-        run: |
-          tea login add --name gitea-rinoa --url ${{ secrets.RINOA_GITEA_URL }} --user gitea-sonarqube-bot --password "${{ secrets.BOT_GITEA_PASSWORD }}" --token ${{ secrets.BOT_GITEA_TOKEN }}
-          tea login default gitea-rinoa
-          echo "Merging PR..."
-          pr_index=$(tea pr ls --repo ${{ github.repository }} --state open --fields index,title,head,state --output csv | egrep ${{ github.ref_name }} | awk -F"," '{print $1}' | sed -e 's|"||g')
-          tea pr m --repo ${{ github.repository }} --title "Auto Merge of PR ${pr_index} - ${{ github.ref_name }}" --message "Merged by ${{ github.actor }}" ${pr_index}
-          echo "pr_index=${pr_index}" >> $GITHUB_OUTPUT
-      - name: Gotify Notification
-        uses: eikendev/gotify-action@master
-        with:
-          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
-          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
-          notification_title: 'GITEA: PR Merge Successful'
-          notification_message: 'PR #${{ steps.pr_merge.outputs.pr_index }} merged.'
-  ansible-config-deploy:
-    name: Ansible Config Deployment
-    runs-on: ubuntu-latest
-    needs: [pr-merge]
-    env:
-      VAULT_ADDR: ${{ secrets.RINOA_VAULT_ADDR }}
-      VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
-      DOCKER_HOST: tcp://dockerproxy:2375
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          ref: main
-      - name: Set up Python
-        uses: actions/setup-python@v4
-        with:
-          python-version: 3.12
-      - name: Cache Vault install
-        id: cache-vault
-        uses: actions/cache@v4
-        with:
-          path: /opt/hostedtoolcache/vault/1.18.0/x64
-          key: vault-${{ runner.os }}-1.18.0
-      - name: Install Ansible
-        uses: alex-oleshkevich/setup-ansible@v1.0.1
-        with:
-          version: "11.4.0"
-      - name: Install Vault
-        uses: cpanato/vault-installer@main
-      - name: Install hvac
-        run: |
-          pip install hvac
-      - name: Gotify Notification
-        uses: eikendev/gotify-action@master
-        with:
-          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
-          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
-          notification_title: 'GITEA: Ansible Config Deployment @ Rinoa'
-          notification_message: 'Starting config deployment with Ansible...'
-      - name: Ansible Playbook Config Deploy
-        uses: dawidd6/action-ansible-playbook@v3
-        with:
-          directory: ansible/
-          playbook: docker_config_deploy.yml
-          key: ${{ secrets.RINOA_ANSIBLE_PRIVATE_KEY }}
-          vault_password: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
-          requirements: collections/requirements.yml
-          options: |
-            --inventory inventory/hosts.yml
-      - name: Gotify Notification
-        uses: eikendev/gotify-action@master
-        with:
-          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
-          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
-          notification_title: 'GITEA: Ansible Config Deployment @ Rinoa'
-          notification_message: 'Deployment completed successfully.'
@@ -1,20 +1,14 @@
-name: Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment
+name: Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment
 on:
-  workflow_dispatch:
  push:
    branches-ignore:
-      - 'main'
+      - main
    paths:
-      - '**/docker-compose.yml'
-      - '**/pr-cloudflare-docker-deploy.yml'
-      - '!ansible/**.yml'
-env:
-  FLARECTL_VERSION: '0.115.0'
-  HC_VAULT_VERSION: '1.20.0'
-  TEA_VERSION: '0.10.1'
+      - '**.yaml'
+      - '**.yml'
+      - '**.j2'
 jobs:
  check-and-create-pr:
-    if: github.ref != 'refs/heads/main'
    name: Check and Create PR
    runs-on: ubuntu-latest
    steps:
@@ -26,27 +20,22 @@ jobs:
        id: cache-tea
        uses: actions/cache@v4
        with:
-          path: /opt/hostedtoolcache/tea/${{ env.TEA_VERSION }}/x64
-          key: tea-${{ runner.os }}-${{ env.TEA_VERSION }}
+          path: /opt/hostedtoolcache/tea/0.9.2/x64
+          key: tea-${{ runner.os }}-0.9.2
      - name: Install tea
        uses: supplypike/setup-bin@v4
        with:
-          uri: https://gitea.com/gitea/tea/releases/download/v${{ env.TEA_VERSION }}/tea-${{ env.TEA_VERSION }}-linux-amd64
-          name: tea
-          version: ${{ env.TEA_VERSION }}
-      - name: Gotify Notification
-        uses: eikendev/gotify-action@master
-        with:
-          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
-          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
-          notification_title: 'GITEA: PR Check'
-          notification_message: 'Checking for existing PR... 🔍'
+          uri: 'https://gitea.com/gitea/tea/releases/download/v0.9.2/tea-0.9.2-linux-amd64'
+          name: 'tea'
+          version: '0.9.2'
      - name: Check if open PR exists
        id: check-opened-pr-step
        continue-on-error: true
        run: |
          tea login add --name gitea-rinoa --url "${{ secrets.RINOA_GITEA_URL }}" --user gitea-sonarqube-bot --password "${{ secrets.BOT_GITEA_PASSWORD }}" --token ${{ secrets.BOT_GITEA_TOKEN }}
-          pr_exists=$(tea pr list --repo ${{ github.repository }} --state open --fields index,title,head | egrep '\[DOCKER\].*${{ github.ref_name }}' | tail -1 | wc -l)
+          tea pr list --repo ${{ github.repository }} --state all
+          pr_exists=$(tea pr list --repo ${{ github.repository }} --state open --fields index,title,head | egrep ${{ github.ref_name }} | tail -1 | wc -l)
+          echo ${pr_exists}
          echo "exists=$pr_exists" >> $GITHUB_OUTPUT
      - name: Create PR
        if: ${{ steps.check-opened-pr-step.outputs.exists == '0' }}
@@ -54,117 +43,68 @@ jobs:
          tea login default gitea-rinoa
          pr_index_old=$(tea pr ls --repo ${{ github.repository }} --state all --fields index,title,head --output csv | sed -e 's|"||g' | egrep '^[0-9]' | head -1 | awk -F"," '{print $1}')
          pr_index_new=$(expr ${pr_index_old} + 1)
-          tea pr c -r ${{ github.repository }} -t "[DOCKER] Automated PR for ${{ github.ref_name }} - #${pr_index_new}" -d "Automatically created PR for branch: ${{ github.ref_name }}" -a ${{ github.actor }} -L "Docker Compose"
-      - name: Gotify Notification
-        uses: eikendev/gotify-action@master
-        with:
-          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
-          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
-          notification_title: 'GITEA: PR Check'
-          notification_message: 'PR Created 🎟️'
-  generate-service-list:
-    name: Generate list of added/modified/deleted services
-    runs-on: ubuntu-latest
+          tea pr c -r ${{ github.repository }} -t "Automated PR for ${{ github.ref_name }} - #${pr_index_new}" -d "Automatically created PR for branch: ${{ github.ref_name }}" -a ${{ github.actor }}
+  docker-compose-ansible-lints:
+    name: Docker Compose & Ansible Lints
    needs: [check-and-create-pr]
-    outputs:
-      svc_deploy_list: ${{ steps.detect_services.outputs.docker_svc_list }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-      - name: Fetch base branch
-        run: |
-          git fetch origin ${{ github.event.pull_request.base.ref }}
-      - name: Gotify Notification
-        uses: eikendev/gotify-action@master
-        with:
-          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
-          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
-          notification_title: 'GITEA: Services TBD'
-          notification_message: 'Generating list of services to deploy...'
-      - name: Save both versions of docker-compose.yml
-        run: |
-          git show origin/main:docker-compose.yml > docker-compose-main.yml || touch docker-compose-main.yml
-          cp docker-compose.yml docker-compose-head.yml
-      - name: Detect added, deleted, and modified services
-        id: detect_services
-        run: |
-          echo "Getting services from main and ${{ github.ref_name }}"
-          yq '.services | keys | .[]' docker-compose-main.yml | sort > services_main.txt
-          yq '.services | keys | .[]' docker-compose-head.yml | sort > services_head.txt
-
-          echo "Creating list of modified services..."
-          touch service_changes.txt
-
-          comm -13 services_main.txt services_head.txt | while read service; do
-            echo "$service: added" >> service_changes.txt
-          done
-
-          comm -12 services_main.txt services_head.txt | while read service; do
-            yq ".services[\"$service\"]" docker-compose-main.yml > tmp_main.yml
-            yq ".services[\"$service\"]" docker-compose-head.yml > tmp_head.yml
-            if ! diff -q tmp_main.yml tmp_head.yml > /dev/null; then
-              echo "$service: modified" >> service_changes.txt
-            fi
-          done
-
-          echo "Detected service changes:"
-          cat service_changes.txt
-
-          mod_svcs=$(cut -d':' -f1 service_changes.txt | sort | uniq)
-          echo "docker_svc_list<<EOF" >> "$GITHUB_OUTPUT"
-          echo "$mod_svcs" >> "$GITHUB_OUTPUT"
-          echo "EOF" >> "$GITHUB_OUTPUT"
-      - name: List of Services for (Re)Deployment
-        run: |
-          echo -e "${{ steps.detect_services.outputs.docker_svc_list }}"
-  docker-compose-dry-run:
-    name: Docker Compose Dry Run
-    needs: [generate-service-list]
    runs-on: ubuntu-latest
    env:
      VAULT_ADDR: ${{ secrets.RINOA_VAULT_ADDR }}
      VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
-      VAULT_NAMESPACE: ""
-      RINOA_REGISTRY_PASSWORD: ${{ secrets.BOT_GITEA_PASSWORD }}
-      DOCKER_SVC_LIST: ${{ needs.generate-service-list.outputs.svc_deploy_list }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
-      - name: Login to Gitea Container Registry
-        run: |
-          docker login -u gitea-sonarqube-bot -p ${RINOA_REGISTRY_PASSWORD} git.trez.wtf
-      - name: Cache Vault install
-        id: cache-vault
-        uses: actions/cache@v4
+      - name: Cache Ansible Galaxy Collections
+        uses: actions/cache@v3
        with:
-          path: /opt/hostedtoolcache/vault/${{ env.HC_VAULT_VERSION }}/x64
-          key: vault-${{ runner.os }}-${{ env.HC_VAULT_VERSION }}
-      - name: Install Vault (only if not cached)
-        if: steps.cache-vault.outputs.cache-hit != 'true'
+          path: ansible/collections
+          key: ${{ runner.os }}-ansible-${{ hashFiles('./ansible/collections/requirements.yml') }}
+          restore-keys: |
+            ${{ runner.os }}-ansible-
+      - name: Install Ansible
+        uses: alex-oleshkevich/setup-ansible@v1.0.1
+        with:
+          version: "11.0.0"
+      - name: Install Vault
        uses: cpanato/vault-installer@main
+      - name: Install hvac
+        run: pip install hvac
+      - name: Ansible Playbook Dry Run
+        uses: dawidd6/action-ansible-playbook@v2
        with:
-          version: ${{ env.HC_VAULT_VERSION }}
+          directory: ansible/
+          playbook: docker_config_deploy.yml
+          key: ${{secrets.RINOA_ANSIBLE_PRIVATE_SSH_KEY}}
+          options: |
+            --inventory inventory/hosts.yml
+            --check
+          requirements: collections/requirements.yml
+          vault_password: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
-          notification_title: 'GITEA: Docker Compose Dry Run @ Rinoa'
-          notification_message: 'Starting Docker Compose dry run...'
-      - name: Generate .env file for Docker Compose
+          notification_title: 'GITEA: Ansible Config Dry Run @ Rinoa'
+          notification_message: 'Ansible dry run completed successfully.'
+      - name: Generate .env file for Docker Compose Dry Run
        run: |
          vault kv get -format=json rinoa-docker/env | jq -r '.data.data' | jq -r 'keys[] as $k | "\($k)='\''\(.[$k])'\''"' > .env
-          echo ${DOCKER_SVC_LIST}
+      - name: Cache .env Files
+        uses: actions/cache@v4
+        with:
+          path: .env
+          key: ${{ runner.os }}-env-${{ hashFiles('docker-compose.yml') }}
      - name: Docker Compose Dry Run
-        uses: hoverkraft-tech/compose-action@v2.2.0
+        uses: yu-ichiro/spin-up-docker-compose-action@v1
+        with:
+          file: docker-compose.yml
+          pull: true
+          pull-opts: --dry-run
+          up: true
+          up-opts: --dry-run -d --remove-orphans
        env:
          DOCKER_HOST: tcp://dockerproxy:2375
-        with:
-          services: |
-            ${{ needs.generate-service-list.outputs.svc_deploy_list }}
-          up-flags: -d --remove-orphans --dry-run
-          down-flags: --dry-run
-          compose-flags: --dry-run
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
@@ -174,7 +114,7 @@ jobs:
          notification_message: 'Docker Compose dry run completed successfully.'
  cloudflare-dns-setup:
    name: Cloudflare DNS Setup
-    needs: [docker-compose-dry-run]
+    needs: [docker-compose-ansible-lints]
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
@@ -185,13 +125,13 @@ jobs:
        uses: actions/cache@v4
        with:
          path: ~/.flarectl
-          key: flarectl-${{ runner.os }}-${{ env.FLARECTL_VERSION }}-${{ hashFiles('workflow-config.yml') }}
+          key: flarectl-${{ runner.os }}-${{ hashFiles('workflow-config.yml') }}
      - name: Install flarectl
        uses: supplypike/setup-bin@v4
        with:
-          uri: https://github.com/cloudflare/cloudflare-go/releases/download/v${{ env.FLARECTL_VERSION }}/flarectl_${{ env.FLARECTL_VERSION }}_linux_amd64.tar.gz
-          name: flarectl
-          version: ${{ env.FLARECTL_VERSION }}
+          uri: 'https://github.com/cloudflare/cloudflare-go/releases/download/v0.113.0/flarectl_0.113.0_linux_amd64.tar.gz'
+          name: 'flarectl'
+          version: '0.113.0'
      - name: Cache Subdomain Files
        uses: actions/cache@v4
        with:
@@ -213,7 +153,7 @@ jobs:
          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: Cloudflare Setup @ Rinoa'
-          notification_message: 'Starting Cloudflare DNS setup...'
+          notification_message: 'Starting Cloudflare setup'
      - name: Compare Subdomains
        id: compare-subdomains
        uses: LouisBrunner/diff-action@v2.2.0
@@ -245,18 +185,28 @@ jobs:
    name: Update README & Generate List of Modified Services
    runs-on: ubuntu-latest
    needs: [cloudflare-dns-setup]
+    # outputs:
+    #   pr-pushed: ${{ steps.commit-readme.outputs.pushed }}
+    #   modified_services: ${{ steps.compare-services.outputs.modified_services }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Install yq
        uses: dcarbone/install-yq-action@v1
-      - name: Gotify Notification
-        uses: eikendev/gotify-action@master
-        with:
-          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
-          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
-          notification_title: 'GITEA: README Update'
-          notification_message: 'Updating README...'
+      # - name: Fetch main branch for comparison
+      #   run: |
+      #     git fetch origin main:main
+      # - name: Compare services using yq
+      #   continue-on-error: true
+      #   id: compare-services
+      #   run: |
+      #     current_services=$(yq '.services | to_entries' docker-compose.yml)
+      #     git show main:docker-compose.yml > main_compose.yml
+      #     main_services=$(yq '.services | to_entries' main_compose.yml)
+      #     modified_services_file=$(comm -13 <(echo "$main_services") <(echo "$current_services") > changes_compose.yml)
+      #     modified_services=${egrep '^  [a-z]' changes.yml | sed -e 's|^  ||g' -e 's|:||g' | sed ':a;N;$!ba;s/\n/ /g'}
+      #     echo "Modified services: $modified_services"
+      #     echo "modified_services=$modified_services" >> $GITHUB_OUTPUT
      - name: Generate service list
        run: |
          yq '.services | to_entries | map({"service": .key, "image": .value.image})' docker-compose.yml > services.yml
@@ -276,13 +226,6 @@ jobs:
        with:
          message: "chore: Update README"
          add: "README.md"
-      - name: Gotify Notification
-        uses: eikendev/gotify-action@master
-        with:
-          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
-          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
-          notification_title: 'GITEA: README Update'
-          notification_message: 'README updated'
  pr-merge:
    name: PR Merge
    needs: [regenerate-readme-modified-services]
@@ -290,18 +233,12 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@v4
-      - name: Cache tea CLI
-        id: cache-tea
-        uses: actions/cache@v4
-        with:
-          path: /opt/hostedtoolcache/tea/${{ env.TEA_VERSION }}/x64
-          key: tea-${{ runner.os }}-${{ env.TEA_VERSION }}
      - name: Install tea
        uses: supplypike/setup-bin@v4
        with:
-          uri: https://gitea.com/gitea/tea/releases/download/v${{ env.TEA_VERSION }}/tea-${{ env.TEA_VERSION }}-linux-amd64
-          name: tea
-          version: ${{ env.TEA_VERSION }}
+          uri: 'https://gitea.com/gitea/tea/releases/download/v0.9.2/tea-0.9.2-linux-amd64'
+          name: 'tea'
+          version: '0.9.2'
      - name: PR Merge
        id: pr_merge
        run: |
@@ -318,16 +255,15 @@ jobs:
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: PR Merge Successful'
          notification_message: 'PR #${{ steps.pr_merge.outputs.pr_index }} merged.'
-  docker-compose-deploy:
-    name: Docker Compose Deployment
+  ansible-config-docker-compose-deploy:
+    name: Deploy via Ansible & Docker Compose
+    timeout-minutes: 360
    runs-on: ubuntu-latest
-    needs: [generate-service-list, docker-compose-dry-run, pr-merge]
+    needs: [pr-merge]
    env:
      VAULT_ADDR: ${{ secrets.RINOA_VAULT_ADDR }}
      VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
      DOCKER_HOST: tcp://dockerproxy:2375
-      RINOA_REGISTRY_PASSWORD: ${{ secrets.BOT_GITEA_PASSWORD }}
-      DOCKER_SVC_LIST: ${{ needs.generate-service-list.outputs.svc_deploy_list }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
@@ -337,44 +273,47 @@ jobs:
        id: cache-vault
        uses: actions/cache@v4
        with:
-          path: /opt/hostedtoolcache/vault/${{ env.HC_VAULT_VERSION }}/x64
-          key: vault-${{ runner.os }}-${{ env.HC_VAULT_VERSION }}
-      - name: Install Vault (only if not cached)
-        if: steps.cache-vault.outputs.cache-hit != 'true'
-        uses: cpanato/vault-installer@main
+          path: /opt/hostedtoolcache/vault/1.18.0/x64
+          key: vault-${{ runner.os }}-1.18.0
+      - name: Install Ansible
+        uses: alex-oleshkevich/setup-ansible@v1.0.1
        with:
-          version: ${{ env.HC_VAULT_VERSION }}
-      - name: Login to Gitea Container Registry
-        run: |
-          docker login -u gitea-sonarqube-bot -p ${RINOA_REGISTRY_PASSWORD} git.trez.wtf
+          version: "11.0.0"
+      - name: Install Vault
+        uses: cpanato/vault-installer@main
+      - name: Install hvac
+        run: pip install hvac
+      - name: Deploy Docker Configs via Ansible
+        uses: dawidd6/action-ansible-playbook@v2
+        with:
+          directory: ansible/
+          playbook: docker_config_deploy.yml
+          key: ${{secrets.RINOA_ANSIBLE_PRIVATE_KEY}}
+          options: |
+            --inventory inventory/hosts.yml
+          requirements: collections/requirements.yml
+          vault_password: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
-          notification_title: 'GITEA: Docker Compose Deployment @ Rinoa'
-          notification_message: 'Starting Docker Compose run...'
+          notification_title: 'GITEA: Ansible Config Deployment @ Rinoa'
+          notification_message: 'Deployment completed successfully.'
      - name: Generate .env file for deployment
        run: |
           vault kv get -format=json rinoa-docker/env | jq -r '.data.data' | jq -r 'keys[] as $k | "\($k)='\''\(.[$k])'\''"' > .env
-           echo ${DOCKER_SVC_LIST}
      - name: Docker Compose Deployment
-        uses: hoverkraft-tech/compose-action@v2.2.0
-        env:
-          DOCKER_HOST: tcp://dockerproxy:2375
+        # if: ${{ steps.regenerate-readme-modified-services.outputs.modified_services != '' }}
+        continue-on-error: true
+        uses: keatonLiu/docker-compose-remote-action@v1.2
        with:
-          services: |
-            ${{ needs.generate-service-list.outputs.svc_deploy_list }}
-          up-flags: -d --remove-orphans
-          down-flags: --dry-run
-      - name: Docker Compose Healthcheck
-        uses: jaracogmbh/docker-compose-health-check-action@v1.0.0
-        with:
-          max-retries: 30
-          retry-interval: 10
-          compose-file: "docker-compose.yml"
-          skip-exited: "true"
-          skip-no-healthcheck: "true"
+          docker_compose_file: docker-compose.yml
+          docker_args: -d --remove-orphans --pull missing
+          ssh_user: gitea-deploy
+          ssh_host: 192.168.1.254
+          ssh_host_public_key: ${{ secrets.RINOA_GITEA_PUBLIC_SSH_KEY }}
+          ssh_private_key: ${{ secrets.RINOA_GITEA_PRIVATE_SSH_KEY }}
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
@@ -1,47 +0,0 @@
-name: Auto-Unseal for Vault
-on:
-  workflow_dispatch:
-  schedule:
-    - cron: '30 5 * * *'
-env:
-  HC_VAULT_VERSION: '1.20.0'
-jobs:
-  auto-unseal:
-    name: Unseal Vault
-    runs-on: ubuntu-latest
-    env:
-      VAULT_ADDR: ${{ secrets.RINOA_VAULT_ADDR }}
-      VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
-      VAULT_SHARDS: ${{ secrets.VAULT_UNSEAL_SHARDS }}
-      VAULT_NAMESPACE: ""
-    steps:
-      - name: Vault Unseal Start
-        uses: eikendev/gotify-action@master
-        with:
-          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
-          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
-          notification_title: 'GITEA: HC Vault @ Rinoa'
-          notification_message: 'Hashicorp Vault unsealing started... 🔐'
-      - name: Cache Vault install
-        id: cache-vault
-        uses: actions/cache@v4
-        with:
-          path: /opt/hostedtoolcache/vault/${{ env.HC_VAULT_VERSION }}/x64
-          key: vault-${{ runner.os }}-${{ env.HC_VAULT_VERSION }}
-      - name: Install Vault (only if not cached)
-        if: steps.cache-vault.outputs.cache-hit != 'true'
-        uses: cpanato/vault-installer@main
-        with:
-          version: ${{ env.HC_VAULT_VERSION }}
-      - name: Unseal Vault
-        run: |
-          for vault_shard in $VAULT_SHARDS; do
-            vault operator unseal -address="${VAULT_ADDR}" -non-interactive "${vault_shard}"
-          done
-      - name: Vault Unseal Completion
-        uses: eikendev/gotify-action@master
-        with:
-          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
-          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
-          notification_title: 'GITEA: HC Vault @ Rinoa'
-          notification_message: 'Hashicorp Vault unsealed! 🔓'
@@ -1,4 +1,3 @@
 **/.cache_ggshield
 ansible/collections/ansible_collections/
-**/.env
-**/netbird_openid-configuration.json.j2
+**/.env
@@ -4,72 +4,59 @@

 | Service | Image |
 | --- | --- |
-| 13ft | ghcr.io/wasi-master/13ft:latest |
 | actual_server | docker.io/actualbudget/actual-server:latest |
 | adguard | adguard/adguardhome:latest |
-| apprise-api | lscr.io/linuxserver/apprise-api:latest |
-| archivebox | archivebox/archivebox:latest |
-| argus | quay.io/argus-io/argus:latest |
 | audiobookshelf | ghcr.io/advplyr/audiobookshelf:latest |
 | authelia | authelia/authelia:master |
 | authelia-pg | postgres:16-alpine |
-| authelia-valkey | docker.io/bitnami/valkey:latest |
 | bazarr | lscr.io/linuxserver/bazarr:latest |
 | beszel | henrygd/beszel:latest |
 | beszel-agent | henrygd/beszel-agent:latest |
+| bitmagnet | ghcr.io/bitmagnet-io/bitmagnet:latest |
+| bitmagnet-pg-db | postgres:17-alpine |
 | bitwarden | vaultwarden/server:latest |
-| bluesky-pds | code.modernleft.org/gravityfargo/bluesky-pds:v0.4.98 |
+| bluesky-pds | ghcr.io/bluesky-social/pds:latest |
 | browserless | ghcr.io/browserless/chromium:latest |
-| bytestash | ghcr.io/jordan-dalby/bytestash:latest |
 | castopod | castopod/castopod:latest |
-| castopod-valkey | docker.io/bitnami/valkey:latest |
-| changedetection | ghcr.io/dgtlmoon/changedetection.io |
-| changedetection-chrome | dgtlmoon/sockpuppetbrowser:latest |
-| chrome | gcr.io/zenika-hub/alpine-chrome:123 |
-| clipcascade | sathvikrao/clipcascade:latest |
+| cloudflared | cloudflare/cloudflared:latest |
 | cloudflareddns | ghcr.io/hotio/cloudflareddns:latest |
-| convertx | ghcr.io/c4illin/convertx |
+| cronicle | elestio/cronicle:latest |
 | crowdsec | crowdsecurity/crowdsec:latest |
 | crowdsec-dashboard | metabase/metabase |
-| cyber-chef | mpepping/cyberchef:latest |
 | czkawka | jlesage/czkawka |
-| dagu | ghcr.io/dagu-org/dagu:alpine |
-| dawarich-app | freikin/dawarich:latest |
-| dawarich-pg-db | postgis/postgis:17-3.5-alpine |
-| dawarich-sidekiq | freikin/dawarich:latest |
-| dawarich-valkey | docker.io/bitnami/valkey:latest |
-| dead-man-hand | ghcr.io/bkupidura/dead-man-hand:latest |
+| dbgate | dbgate/dbgate:alpine |
+| delugevpn | ghcr.io/binhex/arch-delugevpn:latest |
 | docker-socket-proxy | ghcr.io/tecnativa/docker-socket-proxy:latest |
-| dockflare | alplat/dockflare:stable |
+| docuseal | docuseal/docuseal:latest |
 | duplicati | lscr.io/linuxserver/duplicati:latest |
-| easyappointments | alextselegidis/easyappointments:1.5.1 |
-| excalidraw | excalidraw/excalidraw:latest |
-| explo | ghcr.io/lumepart/explo:latest |
 | fastenhealth | ghcr.io/fastenhealth/fasten-onprem:main |
 | flaresolverr | ghcr.io/flaresolverr/flaresolverr:latest |
-| garage | dxflrs/garage:v2.0.0 |
-| garage-webui | khairul169/garage-webui:latest |
 | ghost | ghost:latest |
-| gitea | gitea/gitea:1.24.3 |
+| gitea | gitea/gitea:1.23.1 |
 | gitea-db | postgres:14 |
+| gitea-opengist | ghcr.io/thomiceli/opengist:latest |
 | gitea-runner | gitea/act_runner:latest |
 | gitea-sonarqube-bot | justusbunsi/gitea-sonarqube-bot:v0.4.0 |
 | gluetun | qmcgaw/gluetun:latest |
 | gotify | gotify/server |
-| graylog | graylog/graylog:6.1 |
-| graylog-datanode | graylog/graylog-datanode:6.1 |
+| grafana | grafana/grafana-enterprise:latest |
+| grafana-alloy | grafana/alloy:latest |
+| grafana-loki | grafana/loki:latest |
+| grafana-mimir | grafana/mimir:latest |
+| grafana-mimir-memcached | memcached |
+| grafana-pyroscope | grafana/pyroscope:latest |
+| grafana-tempo | grafana/tempo:latest |
 | guacamole | flcontainers/guacamole:latest |
 | homepage | ghcr.io/gethomepage/homepage:latest |
+| hortusfox | ghcr.io/danielbrendel/hortusfox-web:latest |
 | hugo | hugomods/hugo:exts |
 | immich-server | ghcr.io/immich-app/immich-server:release |
 | immich-machine-learning | ghcr.io/immich-app/immich-machine-learning:release |
 | immich-pg-db | tensorchord/pgvecto-rs:pg14-v0.2.1 |
 | immich-public-proxy | alangrainger/immich-public-proxy:latest |
 | immich-power-tools | ghcr.io/varun-raj/immich-power-tools:latest |
-| immich-valkey | docker.io/bitnami/valkey:latest |
 | influxdb2 | influxdb:2-alpine |
 | invidious | quay.io/invidious/invidious:latest |
-| invidious-sig-helper | quay.io/invidious/inv-sig-helper:latest |
 | invidious-db | docker.io/library/postgres:14 |
 | invoice-ninja | invoiceninja/invoiceninja-debian:5 |
 | invoice-ninja_proxy | nginx |
@@ -84,134 +71,89 @@
 | jitsi-web | jitsi/web:stable |
 | joplin-db | postgres:17-alpine |
 | joplin | joplin/server:latest |
-| karakeep | ghcr.io/karakeep-app/karakeep:release |
-| languagetool | elestio/languagetool:latest |
-| librechat-api | ghcr.io/danny-avila/librechat-dev:latest |
-| librechat-rag-api | ghcr.io/danny-avila/librechat-rag-api-dev-lite:latest |
-| librechat-valkey | docker.io/bitnami/valkey:latest |
-| librechat-vectordb | ankane/pgvector:latest |
-| libretranslate | libretranslate/libretranslate |
 | lidarr | lscr.io/linuxserver/lidarr:latest |
 | lidify | thewicklowwolf/lidify:latest |
-| linkstack | linkstackorg/linkstack:latest |
 | lldap | lldap/lldap:stable |
-| loggifly | ghcr.io/clemcer/loggifly:latest |
 | maloja | krateng/maloja:latest |
-| manyfold | lscr.io/linuxserver/manyfold:latest |
-| manyfold-valkey | docker.io/bitnami/valkey:latest |
 | mariadb | linuxserver/mariadb |
 | mastodon | lscr.io/linuxserver/mastodon:latest |
 | mastodon-pg-db | postgres:17-alpine |
-| mastodon-valkey | docker.io/bitnami/valkey:latest |
-| maxun-backend | getmaxun/maxun-backend:latest |
-| maxun-frontend | getmaxun/maxun-frontend:latest |
-| maxun-pg-db | postgres:13-alpine |
-| maxun-valkey | docker.io/bitnami/valkey:latest |
-| meilisearch | getmeili/meilisearch:v1.15 |
-| meme-search-pro | ghcr.io/neonwatty/meme_search_pro:latest |
-| meme-search-pro-img2txt-gen | ghcr.io/neonwatty/image_to_text_generator:latest |
-| meme-search-db | pgvector/pgvector:pg17 |
-| mini-qr | ghcr.io/lyqht/mini-qr:latest |
-| minio | minio/minio:RELEASE.2025-04-22T22-12-26Z |
-| mixpost | inovector/mixpost:latest |
-| mixpost-valkey | docker.io/bitnami/valkey:latest |
+| minio | minio/minio |
 | mongodb | bitnami/mongodb:7.0 |
 | multi-scrobbler | foxxmd/multi-scrobbler |
 | n8n | docker.n8n.io/n8nio/n8n |
 | navidrome | deluan/navidrome:latest |
 | netalertx | jokobsk/netalertx:latest |
+| netbird-dashboard | netbirdio/dashboard:latest |
+| netbird-signal | netbirdio/signal:latest |
+| netbird-relay | netbirdio/relay:latest |
+| netbird-management | netbirdio/management:latest |
+| netbird-coturn | coturn/coturn:latest |
 | nextcloud | nextcloud/all-in-one:latest |
 | ollama | ollama/ollama |
 | ombi | lscr.io/linuxserver/ombi:latest |
-| omnitools | iib0011/omni-tools:latest |
-| omnipoly | kweg/omnipoly:latest |
+| open-webui | ghcr.io/open-webui/open-webui:main |
 | paperless-ngx | ghcr.io/paperless-ngx/paperless-ngx:latest |
-| paperless-valkey | docker.io/bitnami/valkey:latest |
-| patchman-server | ghcr.io/tigattack/patchman |
-| patchman-worker | ghcr.io/tigattack/patchman |
-| patchman-memcached | memcached:1.6-alpine |
-| patchman-valkey | docker.io/bitnami/valkey:latest |
-| penpot-frontend | penpotapp/frontend:latest |
-| penpot-backend | penpotapp/backend:latest |
-| penpot-exporter | penpotapp/exporter:latest |
-| penpot-pg-db | postgres:15-alpine |
-| penpot-redis | redis:7.2 |
+| parseable | containers.parseable.com/parseable/parseable:latest |
 | pgbackweb | eduardolat/pgbackweb:latest |
 | pgbackweb-db | postgres:16-alpine |
-| planka | ghcr.io/plankanban/planka:2.0.0-rc.3 |
-| planka-pg-db | postgres:16-alpine |
-| plant-it | msdeluise/plant-it-server:latest |
-| plant-it-valkey | docker.io/bitnami/valkey:latest |
 | plantuml-server | plantuml/plantuml-server:jetty |
-| portainer | portainer/portainer-ce:alpine |
-| portchecker-web | ghcr.io/dsgnr/portcheckerio-web:latest |
-| portchecker-api | ghcr.io/dsgnr/portcheckerio-api:latest |
-| portnote-web | haedlessdev/portnote:latest |
-| portnote-agent | haedlessdev/portnote-agent:latest |
-| portnote-pg-db | postgres:17-alpine |
+| plausible | ghcr.io/plausible/community-edition:v2.1.0 |
+| plausible_db | postgres:16-alpine |
+| plausible_events_db | clickhouse/clickhouse-server:24.3.3.102-alpine |
+| portainer | portainer/portainer-ce:alpine-sts |
+| portall | need4swede/portall:latest |
 | postal-smtp | ghcr.io/postalserver/postal:latest |
 | postal-web | ghcr.io/postalserver/postal:latest |
 | postal-worker | ghcr.io/postalserver/postal:latest |
 | prowlarr | lscr.io/linuxserver/prowlarr:latest |
-| qbit-manage | ghcr.io/stuffanthings/qbit_manage:latest |
-| qbittorrentvpn | ghcr.io/binhex/arch-qbittorrentvpn:latest |
 | radarec | thewicklowwolf/radarec:latest |
 | radarr | lscr.io/linuxserver/radarr:latest |
 | reactive-resume | amruthpillai/reactive-resume:latest |
 | reactive-resume-pg | postgres:16-alpine |
 | readarr | lscr.io/linuxserver/readarr:develop |
+| redis | redis:alpine |
 | redlib | quay.io/redlib/redlib:latest |
 | rocketchat | registry.rocket.chat/rocketchat/rocket.chat:latest |
-| romm | rommapp/romm:latest |
-| romm-valkey | docker.io/bitnami/valkey:latest |
 | sabnzbdvpn | ghcr.io/binhex/arch-sabnzbdvpn:latest |
-| sablier | sablierapp/sablier:latest |
-| scraparr | ghcr.io/thecfu/scraparr:latest |
+| scraperr | jpyles0524/scraperr:latest |
+| scraperr-api | jpyles0524/scraperr_api:latest |
 | scrutiny | ghcr.io/analogj/scrutiny:master-omnibus |
 | searxng | searxng/searxng:latest |
-| searxng-valkey | docker.io/bitnami/valkey:latest |
-| semaphore-ui | semaphoreui/semaphore:v2.12.14 |
-| signoz-app | signoz/signoz:v0.91.0 |
-| signoz-clickhouse | clickhouse/clickhouse-server:24.1.2-alpine |
-| signoz-init-clickhouse | clickhouse/clickhouse-server:24.1.2-alpine |
-| signoz-logspout | pavanputhra/logspout-signoz |
-| signoz-otel-collector | signoz/signoz-otel-collector:v0.128.2 |
-| signoz-schema-migrator-async | signoz/signoz-schema-migrator:v0.128.2 |
-| signoz-schema-migrator-sync | signoz/signoz-schema-migrator:v0.128.2 |
-| signoz-zookeeper-1 | bitnami/zookeeper:3.7.1 |
 | sonarqube | mc1arke/sonarqube-with-community-branch-plugin:lts |
 | sonarqube-pg-db | postgres:17-alpine |
 | sonarr | lscr.io/linuxserver/sonarr:latest |
 | sonashow | thewicklowwolf/sonashow:latest |
 | soularr | mrusse08/soularr:latest |
-| soularr-dashboard | git.trez.wtf/trez.one/soularr-dashboard:v0.1 |
 | soulseek | slskd/slskd |
+| sourcebot | ghcr.io/sourcebot-dev/sourcebot:latest |
 | speedtest-tracker | lscr.io/linuxserver/speedtest-tracker:latest |
-| stable-diffusion-download | git./trez.one/stable-diffusion-download:v9.0.0 |
-| stable-diffusion-webui | git./trez.one/stable-diffusion-ui:v9.0.1 |
-| stirling-pdf | docker.stirlingpdf.com/stirlingtools/stirling-pdf:latest |
+| spotisub | blastbeng/spotisub:latest |
 | swag | lscr.io/linuxserver/swag:latest |
 | tandoor | vabene1111/recipes |
 | tandoor-pg | postgres:16-alpine |
-| umami | ghcr.io/umami-software/umami:postgresql-latest |
-| umami-pg-db | postgres:15-alpine |
+| traccar | traccar/traccar:latest |
+| traccar-pg | postgres:16-alpine |
 | unmanic | josh5/unmanic:latest |
 | uptimekuma | louislam/uptime-kuma:latest |
 | vault | hashicorp/vault:latest |
+| vector | timberio/vector:0.44.0-alpine |
+| wallabag | wallabag/wallabag |
 | wallos | bellamy/wallos:latest |
 | watchtower | ghcr.io/containrrr/watchtower:latest |
 | web-check | lissy93/web-check |
-| whodb | clidey/whodb |
-| wizarr | ghcr.io/wizarrrr/wizarr |
+| your_spotify | lscr.io/linuxserver/your_spotify:latest |
 | youtubedl | nbr23/youtube-dl-server:latest |
-| zammad-backup | ghcr.io/zammad/zammad:6.5.0-15 |
-| zammad-elasticsearch | elasticsearch:8.18.0 |
-| zammad-init | ghcr.io/zammad/zammad:6.5.0-15 |
-| zammad-memcached | memcached:1.6.38-alpine |
-| zammad-nginx | ghcr.io/zammad/zammad:6.5.0-15 |
-| zammad-postgresql | postgres:17.5-alpine |
-| zammad-railsserver | ghcr.io/zammad/zammad:6.5.0-15 |
-| zammad-redis | redis:7.4.2-alpine |
-| zammad-scheduler | ghcr.io/zammad/zammad:6.5.0-15 |
-| zammad-websocket | ghcr.io/zammad/zammad:6.5.0-15 |
+| zammad-backup | postgres: |
+| zammad-elasticsearch | bitnami/elasticsearch: |
+| zammad-init | : |
+| zammad-memcached | memcached: |
+| zammad-nginx | : |
+| zammad-postgresql | postgres: |
+| zammad-railsserver | : |
+| zammad-redis | redis: |
+| zammad-scheduler | : |
+| zammad-websocket | : |
+| zitadel | ghcr.io/zitadel/zitadel:latest |
+| zitadel-pg-db | postgres:16-alpine |

@@ -0,0 +1,45 @@
+# Rinoa Docker_configs Ansible Project
+
+## Included content/ Directory Structure
+
+The directory structure follows best practices recommended by the Ansible community. Feel free to customize this template according to your specific project requirements.
+
+```
+ ansible-project/
+ |── .devcontainer/
+ |    └── docker/
+ |        └── devcontainer.json
+ |    └── podman/
+ |        └── devcontainer.json
+ |    └── devcontainer.json
+ |── .github/
+ |    └── workflows/
+ |        └── tests.yml
+ |    └── ansible-code-bot.yml
+ |── .vscode/
+ |    └── extensions.json
+ |── collections/
+ |   └── requirements.yml
+ |   └── ansible_collections/
+ |       └── project_org/
+ |           └── project_repo/
+ |               └── README.md
+ |               └── roles/sample_role/
+ |                         └── README.md
+ |                         └── tasks/main.yml
+ |── inventory/
+ |   └── groups_vars/
+ |   └── host_vars/
+ |   └── hosts.yml
+ |── ansible-navigator.yml
+ |── ansible.cfg
+ |── devfile.yaml
+ |── linux_playbook.yml
+ |── network_playbook.yml
+ |── README.md
+ |── site.yml
+```
+
+## Compatible with Ansible-lint
+
+Tested with ansible-lint >=24.2.0 releases and the current development version of ansible-core.
@@ -1,199 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-http:
-  pprof:
-    port: 6060
-    enabled: false
-  address: 0.0.0.0:8008
-  session_ttl: 720h
-users:
-  - name: admin
-    password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['ADGUARD_BCRYPT'] }}
-auth_attempts: 5
-block_auth_min: 15
-http_proxy: ""
-language: ""
-theme: auto
-dns:
-  bind_hosts:
-    - 0.0.0.0
-  port: 53
-  anonymize_client_ip: false
-  ratelimit: 20
-  ratelimit_subnet_len_ipv4: 24
-  ratelimit_subnet_len_ipv6: 56
-  ratelimit_whitelist: []
-  refuse_any: true
-  upstream_dns:
-    - 94.140.14.14
-    - 94.140.15.15
-    - https://dns.adguard-dns.com/dns-query
-    - tls://dns.adguard-dns.com
-    - quic://dns.adguard-dns.com
-    - 1.1.1.1
-    - 1.0.0.1
-    - 1.1.1.2
-    - 1.0.0.2
-    - 185.228.168.9
-    - 185.228.169.9
-    - 76.76.2.3
-    - tls://getdnsapi.net
-    - 185.49.141.37
-    - tls://dot.seby.io
-  upstream_dns_file: ""
-  bootstrap_dns:
-    - 9.9.9.10
-    - 149.112.112.10
-    - 2620:fe::10
-    - 2620:fe::fe:10
-  fallback_dns: []
-  upstream_mode: load_balance
-  fastest_timeout: 1s
-  allowed_clients: []
-  disallowed_clients: []
-  blocked_hosts:
-    - version.bind
-    - id.server
-    - hostname.bind
-  trusted_proxies:
-    - 127.0.0.0/8
-    - ::1/128
-  cache_size: 4194304
-  cache_ttl_min: 0
-  cache_ttl_max: 0
-  cache_optimistic: false
-  bogus_nxdomain: []
-  aaaa_disabled: false
-  enable_dnssec: false
-  edns_client_subnet:
-    custom_ip: ""
-    enabled: false
-    use_custom: false
-  max_goroutines: 300
-  handle_ddr: true
-  ipset: []
-  ipset_file: ""
-  bootstrap_prefer_ipv6: false
-  upstream_timeout: 10s
-  private_networks: []
-  use_private_ptr_resolvers: false
-  local_ptr_upstreams: []
-  use_dns64: false
-  dns64_prefixes: []
-  serve_http3: false
-  use_http3_upstreams: false
-  serve_plain_dns: true
-  hostsfile_enabled: true
-  pending_requests:
-    enabled: true
-tls:
-  enabled: true
-  server_name: ""
-  force_https: false
-  port_https: 446
-  port_dns_over_tls: 853
-  port_dns_over_quic: 853
-  port_dnscrypt: 0
-  dnscrypt_config_file: ""
-  allow_unencrypted_doh: false
-  certificate_chain: ""
-  private_key: ""
-  certificate_path: /opt/adguardhome/certs/live/trez.wtf/priv-fullchain-bundle.pem
-  private_key_path: /opt/adguardhome/certs/live/trez.wtf/priv-fullchain-bundle.pem
-  strict_sni_check: false
-querylog:
-  dir_path: ""
-  ignored: []
-  interval: 2160h
-  size_memory: 1000
-  enabled: true
-  file_enabled: true
-statistics:
-  dir_path: ""
-  ignored: []
-  interval: 24h
-  enabled: true
-filters:
-  - enabled: true
-    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt
-    name: AdGuard DNS filter
-    id: 1
-  - enabled: false
-    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt
-    name: AdAway Default Blocklist
-    id: 2
-whitelist_filters: []
-user_rules: []
-dhcp:
-  enabled: false
-  interface_name: ""
-  local_domain_name: lan
-  dhcpv4:
-    gateway_ip: 192.168.1.1
-    subnet_mask: 255.255.255.0
-    range_start: 192.168.1.2
-    range_end: 192.168.1.240
-    lease_duration: 86400
-    icmp_timeout_msec: 1000
-    options: []
-  dhcpv6:
-    range_start: ""
-    lease_duration: 86400
-    ra_slaac_only: false
-    ra_allow_slaac: false
-filtering:
-  blocking_ipv4: ""
-  blocking_ipv6: ""
-  blocked_services:
-    schedule:
-      time_zone: America/New_York
-    ids: []
-  protection_disabled_until: null
-  safe_search:
-    enabled: false
-    bing: true
-    duckduckgo: true
-    ecosia: true
-    google: true
-    pixabay: true
-    yandex: true
-    youtube: true
-  blocking_mode: default
-  parental_block_host: family-block.dns.adguard.com
-  safebrowsing_block_host: standard-block.dns.adguard.com
-  rewrites: []
-  safe_fs_patterns:
-    - /opt/adguardhome/work/userfilters/*
-  safebrowsing_cache_size: 1048576
-  safesearch_cache_size: 1048576
-  parental_cache_size: 1048576
-  cache_time: 30
-  filters_update_interval: 24
-  blocked_response_ttl: 10
-  filtering_enabled: true
-  parental_enabled: false
-  safebrowsing_enabled: false
-  protection_enabled: true
-clients:
-  runtime_sources:
-    whois: true
-    arp: true
-    rdns: true
-    dhcp: true
-    hosts: true
-  persistent: []
-log:
-  enabled: true
-  file: ""
-  max_backups: 0
-  max_size: 100
-  max_age: 3
-  compress: false
-  local_time: false
-  verbose: false
-os:
-  group: ""
-  user: ""
-  rlimit_nofile: 0
-schema_version: 29
@@ -1,6 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-urls:
-  - gotify://gotify/{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['APPRISE_GOTIFY_TOKEN'] }}
-  - mailto://{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}@trez.wtf25?smtp=postal-smtp&from=noreply@trez.wtf
@@ -1,337 +0,0 @@
-settings:
-  log:
-    level: INFO
-    timestamps: true
-  data:
-    database_file: data/argus.db
-  web:
-    listen_host: 0.0.0.0
-    listen_port: 8080
-    route_prefix: /
-    basic_auth:
-      username: 'admin'
-      password: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['ARGUS_WEB_PASSWORD'] }}"
-  disabled_routes: []
-  favicon:
-    png: ''
-    svg: ''
-notify:
-  rinoa-gotify:
-    type: gotify
-    url_fields:
-      Host: gotify
-      Token: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['ARGUS_WEB_PASSWORD'] }}
-    params:
-      Title: Argus @ Rinoa
-service:
-  AdguardTeam/AdGuardHome:
-    latest_version:
-      type: github
-      url: AdguardTeam/AdGuardHome
-      url_commands:
-        - type: regex
-          regex: v([0-9.]+)$
-    deployed_version:
-      url: "https://adguard.trez.wtf/control/status"
-      basic_auth:
-        username: admin
-        password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['ADGUARD_PASSWORD'] }}
-      json: version
-      regex: v([0-9.]+)
-    dashboard:
-      web_url: "https://github.com/AdguardTeam/AdGuardHome/releases/v{% raw %}{{ version }}{% endraw %}"
-      icon: "https://avatars.githubusercontent.com/u/8361145?s=200&v=4"
-  advplyr/audiobookshelf:
-    latest_version:
-      type: github
-      url: advplyr/audiobookshelf
-      url_commands:
-        - type: regex
-          regex: v([0-9.]+)$
-    deployed_version:
-      method: GET
-      url: "https://abs.trez.wtf/status"
-      json: serverVersion
-    dashboard:
-      icon: "https://raw.githubusercontent.com/advplyr/audiobookshelf/master/client/static/icon.svg"
-      web_url: "https://github.com/advplyr/audiobookshelf/releases/tag/v{% raw %}{{ version }}{% endraw %}"
-  dani-garcia/vaultwarden:
-    latest_version:
-      type: github
-      url: dani-garcia/vaultwarden
-    deployed_version:
-      url: "https://bitwarden.trez.wtf/api/version"
-      regex: ([0-9.]+)
-    dashboard:
-      web_url: "https://github.com/dani-garcia/vaultwarden/releases/{% raw %}{{ version }}{% endraw %}"
-      icon: "https://raw.githubusercontent.com/dani-garcia/vaultwarden/main/src/static/images/vaultwarden-icon.png"
-  ellite/Wallos:
-    latest_version:
-      type: github
-      url: ellite/Wallos
-    deployed_version:
-      method: GET
-      url: http://wallos.com/api/status/version.php?api_key=xxx
-      json: version_number
-    dashboard:
-      icon: "https://github.com/ellite/Wallos/raw/main/images/siteicons/wallos.png"
-      web_url: "https://github.com/ellite/Wallos/releases"
-  FlareSolverr/FlareSolverr:
-    latest_version:
-      type: github
-      url: FlareSolverr/FlareSolverr
-      url_commands:
-        - type: regex
-          regex: v([0-9.]+)$
-    deployed_version:
-      method: GET
-      url: "https://flaresolverr.trez.wtf"
-      json: version
-    dashboard:
-      icon: "https://raw.githubusercontent.com/FlareSolverr/FlareSolverr/master/resources/flaresolverr_logo.png"
-      web_url: "https://github.com/FlareSolverr/FlareSolverr/releases/tag/v{% raw %}{{ version }}{% endraw %}"
-  go-gitea/gitea:
-    latest_version:
-      type: github
-      url: go-gitea/gitea
-      url_commands:
-        - type: regex
-          regex: v([0-9.]+)$
-      require:
-        regex_content: gitea-{% raw %}{{ version }}{% endraw %}-linux-amd64
-        regex_version: ^[0-9.]+[0-9]$
-    deployed_version:
-      url: "https://git.trez.wtf"
-      regex: 'Powered by Gitea\s+Version:\s+([0-9.]+) '
-    dashboard:
-      web_url: "https://github.com/go-gitea/gitea/releases/v{% raw %}{{ version }}{% endraw %}"
-      icon: "https://raw.githubusercontent.com/go-gitea/gitea/main/public/img/logo.png"
-  gohugoio/hugo:
-    latest_version:
-      type: github
-      url: gohugoio/hugo
-      url_commands:
-        - type: regex
-          regex: v([0-9.]+)$
-      require:
-        regex_content: hugo_{% raw %}{{ version }}{% endraw %}_Linux-64bit\.deb
-    dashboard:
-      web_url: "https://github.com/gohugoio/hugo/releases/v{% raw %}{{ version }}{% endraw %}"
-      icon: "https://raw.githubusercontent.com/gohugoio/hugo/master/docs/static/img/hugo.png"
-  gotify/server:
-    latest_version:
-      type: github
-      url: gotify/server
-      url_commands:
-        - type: regex
-          regex: v([0-9.]+)$
-    deployed_version:
-      url: "https://gotify.trez.wtf/version"
-      json: version
-    dashboard:
-      web_url: "https://github.com/gotify/server/releases/v{% raw %}{{ version }}{% endraw %}"
-      icon: "https://github.com/gotify/logo/raw/master/gotify-logo.png"
-  hashicorp/vault:
-    latest_version:
-      type: github
-      url: hashicorp/vault
-      url_commands:
-        - type: regex
-          regex: v([0-9.]+)$
-    deployed_version:
-      url: "https://vault.trez.wtf/v1/sys/health"
-      json: version
-    dashboard:
-      web_url: "https://github.com/hashicorp/vault/releases/v{% raw %}{{ version }}{% endraw %}"
-      icon: "https://raw.githubusercontent.com/hashicorp/vault/main/ui/public/vault-logo.svg"
-  immich-app/immich:
-    latest_version:
-      type: github
-      url: immich-app/immich
-    deployed_version:
-      url: "https://pics.trez.wtf/api/server/about"
-      json: version
-      regex: ^v([0-9.]+)$
-      headers:
-        - key: x-api-key
-          value: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['IMMICH_POWER_TOOLS_KEY'] }}
-    dashboard:
-      icon: "https://raw.githubusercontent.com/immich-app/immich/main/web/static/immich-logo.svg"
-      web_url: "https://github.com/immich-app/immich/releases/tag/v{% raw %}{{ version }}{% endraw %}"
-  influxdata/influxdb:
-    latest_version:
-      type: github
-      url: influxdata/influxdb
-      url_commands:
-        - type: regex
-          regex: v([0-9.]+)$
-    deployed_version:
-      url: "https://influxdb.trez.wtf/health"
-      json: version
-    dashboard:
-      web_url: "https://github.com/influxdata/influxdb/releases/tag/v{% raw %}{{ version }}{% endraw %}"
-      icon: "https://github.com/influxdata/ui/raw/master/src/writeData/graphics/influxdb.svg"
-  jellyfin/jellyfin:
-    latest_version:
-      type: github
-      url: jellyfin/jellyfin
-      url_commands:
-        - type: regex
-          regex: v([0-9.]+)$
-    deployed_version:
-      url: "https://jellyfin.trez.wtf/System/Info/Public"
-      json: Version
-    dashboard:
-      web_url: "https://github.com/jellyfin/jellyfin/releases/v{% raw %}{{ version }}{% endraw %}"
-      icon: "https://avatars.githubusercontent.com/u/45698031?s=200&v=4"
-  Lidarr/Lidarr:
-    options:
-      semantic_versioning: false
-    latest_version:
-      type: github
-      url: Lidarr/Lidarr
-      url_commands:
-        - type: regex
-          regex: v([0-9.]+)$
-    deployed_version:
-      method: GET
-      url: "https://lidarr.trez.wtf/api/v1/system/status"
-      headers:
-        - key: X-Api-Key
-          value: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIDARR_API_KEY'] }}
-      json: version
-    dashboard:
-      icon: "https://raw.githubusercontent.com/Lidarr/Lidarr/develop/Logo/1024.png"
-      web_url: "https://github.com/Lidarr/Lidarr/releases/v{% raw %}{{ version }}{% endraw %}"
-  louislam/uptime-kuma:
-    latest_version:
-      type: github
-      url: louislam/uptime-kuma
-    deployed_version:
-      url: "https://status.trez.wtf/metrics"
-      regex: app_version{version=\"([0-9.]+)\",major=\"[0-9]+\",minor=\"[0-9]+\",patch=\"[0-9]+\"}
-    dashboard:
-      web_url: "https://github.com/louislam/uptime-kuma/releases/{% raw %}{{ version }}{% endraw %}"
-      icon: "https://raw.githubusercontent.com/louislam/uptime-kuma/master/public/icon.png"
-  morpheus65535/bazarr:
-    latest_version:
-      type: github
-      url: morpheus65535/bazarr
-      url_commands:
-        - type: regex
-          regex: v([0-9.]+)$
-    deployed_version:
-      url: "https://bazarr.trez.wtf/api/system/status"
-      headers:
-        - key: X-API-KEY
-          value: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['BAZARR_API_KEY'] }}
-      json: data.bazarr_version
-    dashboard:
-      web_url: "https://github.com/morpheus65535/bazarr/releases/v{% raw %}{{ version }}{% endraw %}"
-      icon: "https://raw.githubusercontent.com/morpheus65535/bazarr/master/frontend/public/images/logo128.png"
-  n8n-io/n8n:
-    latest_version:
-      type: url
-      url: "https://github.com/n8n-io/n8n/tags"
-      url_commands:
-        - type: regex
-          regex: n8n\%40([0-9.]+)
-    dashboard:
-      web_url: "https://github.com/n8n-io/n8n/blob/master/CHANGELOG.md"
-      icon: "https://raw.githubusercontent.com/n8n-io/n8n-docs/main/docs/_images/n8n-docs-icon.svg"
-  nextcloud/server:
-    latest_version:
-      type: github
-      url: nextcloud/server
-      url_commands:
-        - type: regex
-          regex: v([0-9.]+)$
-    deployed_version:
-      url: "https://cloud.trez.wtf/status.php"
-      json: versionstring
-    dashboard:
-      web_url: "https://nextcloud.com/changelog/"
-      icon: "https://github.com/nextcloud/server/raw/master/core/img/favicon.png"
-  Prowlarr/Prowlarr:
-    options:
-      semantic_versioning: false
-    latest_version:
-      type: github
-      url: Prowlarr/Prowlarr
-      url_commands:
-        - type: regex
-          regex: v([0-9.]+)$
-      use_prerelease: true
-    deployed_version:
-      url: "https://prowlarr.trez.wtf/api/v1/system/status"
-      headers:
-        - key: X-Api-Key
-          value: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['PROWLARR_API_KEY'] }}
-      json: version
-    dashboard:
-      web_url: "https://github.com/Prowlarr/Prowlarr/releases/v{% raw %}{{ version }}{% endraw %}"
-      icon: "https://avatars.githubusercontent.com/u/73049443?s=200&v=4"
-  Radarr/Radarr:
-    options:
-      semantic_versioning: false
-    latest_version:
-      type: github
-      url: Radarr/Radarr
-      url_commands:
-        - type: regex
-          regex: v([0-9.]+)$
-    deployed_version:
-      url: "https://radarr.trez.wtf/api/v3/system/status"
-      headers:
-        - key: X-Api-Key
-          value: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['RADARR_API_KEY'] }}
-      json: version
-    dashboard:
-      web_url: "https://github.com/Radarr/Radarr/releases/v{% raw %}{{ version }}{% endraw %}"
-      icon: "https://avatars.githubusercontent.com/u/25025331?s=200&v=4"
-  Readarr/Readarr:
-    options:
-      semantic_versioning: false
-    latest_version:
-      type: github
-      url: Readarr/Readarr
-      use_prerelease: true
-      url_commands:
-        - type: regex
-          regex: v([0-9.]+)$
-    deployed_version:
-      method: GET
-      url: "https://readarr.trez.wtf/api/v1/system/status"
-      headers:
-        - key: X-Api-Key
-          value: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['READARR_API_KEY'] }}
-      json: version
-    dashboard:
-      icon: "https://raw.githubusercontent.com/Readarr/Readarr/develop/Logo/1024.png"
-      web_url: "https://github.com/Readarr/Readarr/releases/v{% raw %}{{ version }}{% endraw %}"
-  Sonarr/Sonarr:
-    options:
-      semantic_versioning: false
-    latest_version:
-      type: url
-      url: "https://github.com/Sonarr/Sonarr/tags"
-      url_commands:
-        - type: regex
-          regex: \/releases\/tag\/v?([0-9.]+)\"
-    deployed_version:
-      url: "https://sonarr.trez.wtf/api/v3/system/status"
-      headers:
-        - key: X-Api-Key
-          value: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SONARR_API_KEY'] }}
-      json: version
-    dashboard:
-      web_url: "https://sonarr.trez.wtf/system/updates"
-      icon: "https://raw.githubusercontent.com/Sonarr/Sonarr/develop/Logo/256.png"
-  release-argus/argus:
-    latest_version:
-      type: github
-      url: release-argus/argus
-    dashboard:
-      icon: "https://raw.githubusercontent.com/release-argus/Argus/master/web/ui/react-app/public/favicon.svg"
-      icon_link-to: "https://release-argus.io"
-      web_url: "https://github.com/release-argus/Argus/blob/master/CHANGELOG.md"
@@ -1,181 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-# yaml-language-server: $schema=https://www.authelia.com/schemas/latest/json-schema/configuration.json
---
-theme: auto
-default_2fa_method: "totp"
-server:
-  address: '0.0.0.0:9091'
-  endpoints:
-    enable_pprof: false
-    enable_expvars: false
-  disable_healthcheck: false
-  tls:
-    key: ""
-    certificate: ""
-    client_certificates: []
-  headers:
-    csp_template: ""
-log:
-  level: debug
-telemetry:
-  metrics:
-    enabled: true
-    address: tcp://0.0.0.0:9959
-totp:
-  disable: false
-  issuer: authelia.com
-  algorithm: sha256
-  digits: 6
-  period: 30
-  skew: 1
-  secret_size: 32
-webauthn:
-  disable: false
-  timeout: 60s
-  display_name: Authelia
-  attestation_conveyance_preference: indirect
-  selection_criteria:
-    user_verification: preferred
-ntp:
-  address: "time.cloudflare.com:123"
-  version: 4
-  max_desync: 3s
-  disable_startup_check: false
-  disable_failure: false
-authentication_backend:
-  password_reset:
-    disable: false
-    custom_url: ""
-  ldap:
-    implementation: custom
-    address: ldap://lldap:3890
-    timeout: 5s
-    start_tls: false
-    base_dn: dc=trez,dc=wtf
-    additional_users_dn: ou=people
-    users_filter: "(&({username_attribute}={input})(objectClass=person))"
-    additional_groups_dn: ou=groups
-    groups_filter: "(member={dn})"
-    attributes:
-      username: uid
-      group_name: cn
-      mail: mail
-      display_name: displayName
-    user: uid=authelia,ou=people,dc=trez,dc=wtf
-    password: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_AUTH_BIND_LDAP_PASSWORD'] }}'
-  refresh_interval: 5m
-identity_validation:
-  reset_password:
-    jwt_secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_JWT_SECRET'] }}'
-password_policy:
-  standard:
-    enabled: true
-    min_length: 8
-    max_length: 0
-    require_uppercase: true
-    require_lowercase: true
-    require_number: true
-    require_special: false
-  zxcvbn:
-    enabled: false
-    min_score: 3
-access_control:
-  default_policy: deny
-  networks:
-    - name: 'internal'
-      networks:
-        - '172.17.0.0/16'
-        - '172.18.0.0/16'
-        - '192.168.1.0/24'
-  rules:
-    - domain_regex:
-      - '^trez.wtf$'
-      - ^www.trez.wtf$''
-      policy: bypass
-    - domain: '*.trez.wtf'
-      policy: bypass
-      networks:
-        - 'internal'
-    - domain: '*.trez.wtf'
-      policy: one_factor
-      subject:
-      - ['user:the.trezured.one']
-    - domain: wizarr.trez.wtf
-      resources:
-        - '^/join(/.*)?$'
-        - '^/j(/.*)?$'
-        - '^/static(/.*)?$'
-        - '^/setup(/.*)?$'
-        - '^/wizard(/.*)?$'
-      policy: bypass
-session:
-  name: authelia_session
-  secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_SESSION_SECRET'] }}'
-  expiration: 1h
-  inactivity: 5m
-  remember_me: 1M
-  cookies:
-    - domain: 'trez.wtf'
-      authelia_url: 'https://auth.trez.wtf'
-  redis:
-    host: authelia-valkey
-    port: 6379
-    database_index: 0
-storage:
-  encryption_key: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_STORAGE_ENCRYPTION_KEY'] }}'
-  postgres:
-    address: 'tcp://authelia-pg:5432'
-    database: authelia
-    username: authelia
-    password: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_STORAGE_POSTGRES_PASSWORD'] }}'
-    timeout: '5s'
-regulation:
-  max_retries: 3
-  find_time: 2m
-  ban_time: 5m
-notifier:
-  disable_startup_check: true
-  smtp:
-    address: 'smtp://postal-smtp:25'
-    timeout: '5s'
-    username: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}'
-    password: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}'
-    sender: "Authelia <noreply@trez.wtf>"
-    identifier: 'localhost'
-    subject: "[Authelia] {title}"
-    startup_check_address: 'test@authelia.com'
-    disable_require_tls: true
-    disable_starttls: true
-    disable_html_emails: false
-identity_providers:
-  oidc:
-    hmac_secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_OIDC_HMAC_SECRET'] }}'
-    jwks:
-      - key: |
-          {{ lookup("community.hashi_vault.vault_kv2_get", "env", engine_mount_point="rinoa-docker", url=vault_addr, token=vault_token_cleaned)["secret"]["AUTHELIA_OIDC_JWKS_KEY"] | replace("\\n", "\n") | indent(10) }}
-    cors:
-      allowed_origins_from_client_redirect_uris: true
-      endpoints:
-        - 'userinfo'
-        - 'authorization'
-        - 'token'
-        - 'revocation'
-        - 'introspection'
-    clients:
-      - client_id: 'netbird'
-        client_name: 'NetBird'
-        client_secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_NETBIRD_CLIENT_SECRET'] }}'
-        public: false
-        authorization_policy: 'two_factor'
-        redirect_uris:
-          - 'https://vpn.trez.wtf/peers'
-          - 'https://vpn.trez.wtf/add-peers'
-          - 'http://localhost'
-        scopes:
-          - 'openid'
-          - 'email'
-          - 'profile'
-        userinfo_signed_response_alg: 'none'
-        token_endpoint_auth_method: 'client_secret_post'
@@ -1,65 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-source: journalctl
-journalctl_filter:
-  - "--directory=/var/log/host/"
-labels:
-  type: syslog
---
-filenames:
-  - /var/log/swag/*
-labels:
-  type: nginx
---
-filenames:
-  - /var/log/auth/auth.log
-labels:
-  type: syslog
---
-filenames:
-  - /var/lib/mysql/log/mysql/*
-  - /var/lib/mysql/databases/*.err
-  - /var/lib/mysql/databases/*.log
-labels:
-  type: mariadb
---
-source: docker
-container_name:
-  - adguard
-labels:
-  type: adguardhome
---
-source: docker
-container_name:
- - mongodb
-labels:
-  type: mongodb
---
-source: docker
-container_name:
- - immich-server
-labels:
-  type: immich
---
-source: docker
-container_name:
- - uptimekuma
-labels:
-  type: uptime-kuma
---
-source: docker
-container_name:
- - jellyfin
-labels:
-  type: jellyfin
---
-source: docker
-container_name:
- - navidrome
-labels:
-  type: navidrome
---
-filenames:
-  - /var/log/audiobookshelf/*.txt
-labels:
-  type: audiobookshelf
@@ -1,51 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-common:
-  daemonize: false
-  log_media: stdout
-  log_level: info
-  log_dir: /var/log/
-config_paths:
-  config_dir: /etc/crowdsec/
-  data_dir: /var/lib/crowdsec/data/
-  simulation_path: /etc/crowdsec/simulation.yaml
-  hub_dir: /etc/crowdsec/hub/
-  index_path: /etc/crowdsec/hub/.index.json
-  notification_dir: /etc/crowdsec/notifications/
-  plugin_dir: /usr/local/lib/crowdsec/plugins/
-crowdsec_service:
-  acquisition_path: /etc/crowdsec/acquis.yaml
-  acquisition_dir: /etc/crowdsec/acquis.d
-  parser_routines: 1
-plugin_config:
-  user: nobody
-  group: nobody
-cscli:
-  output: human
-db_config:
-  log_level: info
-  type: sqlite
-  db_path: /var/lib/crowdsec/data/crowdsec.db
-  flush:
-    max_items: 5000
-    max_age: 7d
-  use_wal: false
-api:
-  client:
-    insecure_skip_verify: false
-    credentials_path: /etc/crowdsec/local_api_credentials.yaml
-  server:
-    log_level: info
-    listen_uri: 0.0.0.0:8080
-    profiles_path: /etc/crowdsec/profiles.yaml
-    trusted_ips: # IP ranges, or IPs which can have admin API access
-      - 127.0.0.1
-      - ::1
-    online_client: # Central API credentials (to push signals and receive bad IPs)
-      credentials_path: /etc/crowdsec/online_api_credentials.yaml
-    enable: true
-prometheus:
-  enabled: true
-  level: full
-  listen_addr: 0.0.0.0
-  listen_port: 6060
@@ -1,6 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-url: http://0.0.0.0:8080
-login: localhost
-password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['CROWDSEC_LOCAL_API_KEY'] }}
@@ -1,6 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-url: https://api.crowdsec.net/
-login: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['CROWDSEC_ONLINE_PASSWORD'] }}
-password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['CROWDSEC_ONLINE_PASSWORD'] }}
@@ -0,0 +1,15 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+
+source: journalctl
+journalctl_filter: 
+  - "--directory=/var/log/host/"
+labels:
+  type: syslog
+---
+filenames:
+  - /var/log/swag/*
+labels:
+  type: nginx
+---
@@ -1,25 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-EXPLO_SYSTEM: subsonic
-SYSTEM_URL: http://navidrome:4533
-SYSTEM_USERNAME: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NAVIDROME_USERNAME'] }}
-SYSTEM_PASSWORD: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NAVIDROME_PASSWORD'] }}
-DOWNLOAD_DIR: /downloads
-PLAYLIST_DIR: /playlists
-LISTENBRAINZ_USER: Trez.One
-YOUTUBE_API_KEY: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUTUBE_DATA_API_V3_KEY'] }}
-# Assign a custom path to yt-dlp
-# YTDLP_PATH=
-# Keywords to ignore on videos downloaded by youtube (separated by only commas)
-FILTER_LIST: live,remix,instrumental,extended
-# Define a custom filename sepatator for special characters
-# FILENAME_SEPARATOR=
-# true to keep pervious weeks discoveries, only set to false if the parent folder only contains discovered songs (deletes every file in folder)
-PERSIST: true
-# 'playlist' to get tracks from Weekly Exploration playlist, anything else gets it from API (not the best recommendations). 'test' will download 1 song
-LISTENBRAINZ_DISCOVERY: playlist
-# Time to sleep (in minutes) between scanning and querying tracks from your system (If using Subsonic, Jellyfin)
-SLEEP: 5
-# Whether to provide additional info for debugging
-DEBUG: true
-SINGLE_ARTIST: true
@@ -1,26 +0,0 @@
-metadata_dir = "/var/lib/garage/meta"
-data_dir = "/var/lib/garage/data"
-db_engine = "lmdb"
-metadata_auto_snapshot_interval = "6h"
-
-replication_factor = 1
-
-compression_level = 10
-
-rpc_bind_addr = "[::]:3901"
-rpc_public_addr = "localhost:3901"
-rpc_secret = "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GARAGE_RPC_SECRET'] }}"
-
-[s3_api]
-s3_region = "us-east-fh-pln"
-api_bind_addr = "[::]:3900"
-root_domain = ".s3.trez.wtf"
-
-[s3_web]
-bind_addr = "[::]:3902"
-root_domain = ".garage.trez.wtf"
-
-[admin]
-api_bind_addr = "[::]:3903"
-admin_token = "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GARAGE_ADMIN_TOKEN'] }}"
-metrics_token = "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GARAGE_METRICS_TOKEN'] }}"
@@ -1,42 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-{
-  "url": "blog.trez.wtf",
-  "database": {
-    "client": "mysql",
-    "connection": {
-      "host"     : "mariadb",
-      "port"     : 3306,
-      "user"     : "ghost",
-      "password" : "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GHOST_DB_PASSWORD'] }}",
-      "database" : "ghost_db"
-    }
-  },
-  "mail": {
-    "from": "'Ghost @ Rinoa' <noreply@trez.wtf>",
-    "transport": "SMTP",
-    "options": {
-      "host": "postal-smtp",
-      "port": 25,
-      "secure": false,
-      "auth": {
-        "user": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}",
-        "pass": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}"
-      }
-    }
-  },
-  "paths": {
-    "contentPath": "content/"
-  },
-  "privacy": {
-    "useGravatar": true
-  },
-  "logging": {
-    "level": "info",
-    "rotation": {
-      "enabled": true
-    },
-    "transports": ["file"]
-  }
-}
@@ -1,101 +1,101 @@
-# Example configuration file, it's safe to copy this as the default config file without any modification.
-
-# You don't have to copy this file to your instance,
-# just run `./act_runner generate-config > config.yaml` to generate a config file.
-
-log:
-  # The level of logging, can be trace, debug, info, warn, error, fatal
-  level: info
-
-runner:
-  # Where to store the registration result.
-  file: .runner
-  # Execute how many tasks concurrently at the same time.
-  capacity: 3
-  # Extra environment variables to run jobs.
-#   envs:
-#     A_TEST_ENV_NAME_1: a_test_env_value_1
-#     A_TEST_ENV_NAME_2: a_test_env_value_2
-  # Extra environment variables to run jobs from a file.
-  # It will be ignored if it's empty or the file doesn't exist.
-#   env_file: .env
-  # The timeout for a job to be finished.
-  # Please note that the Gitea instance also has a timeout (3h by default) for the job.
-  # So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
-  timeout: 3h
-  # The timeout for the runner to wait for running jobs to finish when shutting down.
-  # Any running jobs that haven't finished after this timeout will be cancelled.
-  shutdown_timeout: 0s
-  # Whether skip verifying the TLS certificate of the Gitea instance.
-  insecure: false
-  # The timeout for fetching the job from the Gitea instance.
-  fetch_timeout: 5s
-  # The interval for fetching the job from the Gitea instance.
-  fetch_interval: 2s
-  # The labels of a runner are used to determine which jobs the runner can run, and how to run them.
-  # Like: "macos-arm64:host" or "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
-  # Find more images provided by Gitea at https://gitea.com/gitea/runner-images .
-  # If it's empty when registering, it will ask for inputting labels.
-  # If it's empty when execute `daemon`, will use labels in `.runner` file.
-  labels:
-    - "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
-    - "ubuntu-22.04:docker://gitea/runner-images:ubuntu-22.04"
-    - "ubuntu-20.04:docker://gitea/runner-images:ubuntu-20.04"
-
-cache:
-  # Enable cache server to use actions/cache.
-  enabled: true
-  # The directory to store the cache data.
-  # If it's empty, the cache data will be stored in $HOME/.cache/actcache.
-  dir: ""
-  # The host of the cache server.
-  # It's not for the address to listen, but the address to connect from job containers.
-  # So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
-  host: "192.168.1.254"
-  # The port of the cache server.
-  # 0 means to use a random available port.
-  port: 63604
-  # The external cache server URL. Valid only when enable is true.
-  # If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
-  # The URL should generally end with "/".
-  external_server: ""
-
-container:
-  # Specifies the network to which the container will connect.
-  # Could be host, bridge or the name of a custom network.
-  # If it's empty, act_runner will create a network automatically.
-  network: "compose_default"
-  # Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
-  privileged: false
-  # And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
-  options:
-  # The parent directory of a job's working directory.
-  # NOTE: There is no need to add the first '/' of the path as act_runner will add it automatically. 
-  # If the path starts with '/', the '/' will be trimmed.
-  # For example, if the parent directory is /path/to/my/dir, workdir_parent should be path/to/my/dir
-  # If it's empty, /workspace will be used.
-  workdir_parent:
-  # Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
-  # You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
-  # For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
-  # valid_volumes:
-  #   - data
-  #   - /src/*.json
-  # If you want to allow any volume, please use the following configuration:
-  # valid_volumes:
-  #   - '**'
-  valid_volumes: []
-  # overrides the docker client host with the specified one.
-  # If it's empty, act_runner will find an available docker host automatically.
-  # If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
-  # If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
-  docker_host: ""
-  # Pull docker image(s) even if already present
-  force_pull: false
-  # Rebuild docker image(s) even if already present
-  force_rebuild: false
-
-host:
-  # The parent directory of a job's working directory.
-  # If it's empty, $HOME/.cache/act/ will be used.
-  workdir_parent:
+# Example configuration file, it's safe to copy this as the default config file without any modification.
+
+# You don't have to copy this file to your instance,
+# just run `./act_runner generate-config > config.yaml` to generate a config file.
+
+log:
+  # The level of logging, can be trace, debug, info, warn, error, fatal
+  level: info
+
+runner:
+  # Where to store the registration result.
+  file: .runner
+  # Execute how many tasks concurrently at the same time.
+  capacity: 2
+  # Extra environment variables to run jobs.
+  envs:
+    A_TEST_ENV_NAME_1: a_test_env_value_1
+    A_TEST_ENV_NAME_2: a_test_env_value_2
+  # Extra environment variables to run jobs from a file.
+  # It will be ignored if it's empty or the file doesn't exist.
+  env_file: .env
+  # The timeout for a job to be finished.
+  # Please note that the Gitea instance also has a timeout (3h by default) for the job.
+  # So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
+  timeout: 3h
+  # The timeout for the runner to wait for running jobs to finish when shutting down.
+  # Any running jobs that haven't finished after this timeout will be cancelled.
+  shutdown_timeout: 0s
+  # Whether skip verifying the TLS certificate of the Gitea instance.
+  insecure: false
+  # The timeout for fetching the job from the Gitea instance.
+  fetch_timeout: 5s
+  # The interval for fetching the job from the Gitea instance.
+  fetch_interval: 2s
+  # The labels of a runner are used to determine which jobs the runner can run, and how to run them.
+  # Like: "macos-arm64:host" or "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
+  # Find more images provided by Gitea at https://gitea.com/gitea/runner-images .
+  # If it's empty when registering, it will ask for inputting labels.
+  # If it's empty when execute `daemon`, will use labels in `.runner` file.
+  labels:
+    - "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
+    - "ubuntu-22.04:docker://gitea/runner-images:ubuntu-22.04"
+    - "ubuntu-20.04:docker://gitea/runner-images:ubuntu-20.04"
+
+cache:
+  # Enable cache server to use actions/cache.
+  enabled: true
+  # The directory to store the cache data.
+  # If it's empty, the cache data will be stored in $HOME/.cache/actcache.
+  dir: ""
+  # The host of the cache server.
+  # It's not for the address to listen, but the address to connect from job containers.
+  # So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
+  host: "192.168.1.254"
+  # The port of the cache server.
+  # 0 means to use a random available port.
+  port: 63604
+  # The external cache server URL. Valid only when enable is true.
+  # If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
+  # The URL should generally end with "/".
+  external_server: ""
+
+container:
+  # Specifies the network to which the container will connect.
+  # Could be host, bridge or the name of a custom network.
+  # If it's empty, act_runner will create a network automatically.
+  network: "compose_default"
+  # Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
+  privileged: false
+  # And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
+  options:
+  # The parent directory of a job's working directory.
+  # NOTE: There is no need to add the first '/' of the path as act_runner will add it automatically. 
+  # If the path starts with '/', the '/' will be trimmed.
+  # For example, if the parent directory is /path/to/my/dir, workdir_parent should be path/to/my/dir
+  # If it's empty, /workspace will be used.
+  workdir_parent:
+  # Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
+  # You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
+  # For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
+  # valid_volumes:
+  #   - data
+  #   - /src/*.json
+  # If you want to allow any volume, please use the following configuration:
+  # valid_volumes:
+  #   - '**'
+  valid_volumes: []
+  # overrides the docker client host with the specified one.
+  # If it's empty, act_runner will find an available docker host automatically.
+  # If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
+  # If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
+  docker_host: ""
+  # Pull docker image(s) even if already present
+  force_pull: false
+  # Rebuild docker image(s) even if already present
+  force_rebuild: false
+
+host:
+  # The parent directory of a job's working directory.
+  # If it's empty, $HOME/.cache/act/ will be used.
+  workdir_parent:
@@ -1,22 +0,0 @@
-ui = true
-disable_clustering = true
-log_level = "debug"
-api_addr = "http://127.0.0.1:8200"
-// storage "raft" {
-//   path = "/path/to/raft/data"
-//   node_id = "raft_node_id"
-// }
-
-storage "s3" {
-    endpoint = "minio:9000"
-    bucket = "secrets-vault"
-    region = "us-east-fh-pln"
-    s3_force_path_style = "true"
-    disable_ssl = "true"
-}
-
-listener "tcp" {
-  address = "0.0.0.0:8200"
-  proxy_protocol_behavior = "use_always"
-  tls_disable = 1
-}
@@ -11,10 +11,10 @@ providers:
 title: Rinoa Dashboard (trez.WTF)
 headerStyle: underlined
 color: slate
-showStats: false
+showStats: true
 statusStyle: "dot"
 favicon: /icons/favicon.ico
-useEqualHeights: true
+useEqualHeights: false
 hideErrors: false
 searchDescriptions: true
 showSearchSuggestions: true
@@ -23,37 +23,38 @@ provider: duckduckgo
 layout:
  System Administration:
    style: row
-    columns: 5
+    columns: 4
+    # fiveColumns: true
  Infrastructure/App Performance Monitoring:
    style: row
-    columns: 5
+    columns: 3
  Code/DevOps:
    style: row
    columns: 3
  Social:
    style: row
-    columns: 4
+    columns: 3
  Lifestyle:
    style: row
-    columns: 5
+    columns: 3
  Automation:
-    style: row
-    columns: 5
+    style: columns
+    row: 2
  Privacy/Security:
-    style: row
-    columns: 5
-  Personal Tools:
+    style: columns
+    row: 5
+  Personal Services:
    style: row
    columns: 4
  Professional Services:
    style: row
-    columns: 5
+    columns: 3
  Servarr Stack:
    style: row
-    columns: 5
+    columns: 3
  Downloaders:
    style: row
-    columns: 5
+    columns: 3
  Media Library:
    style: row
    columns: 3
@@ -1,952 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-#########################################
-#
-#  Database and other external servers
-#
-#########################################
-
-##
-## Database configuration with separate parameters.
-## This setting is MANDATORY, unless 'database_url' is used.
-##
-db:
-  user: kemal
-  host: invidious-db
-  port: 5432
-  dbname: invidious
-  password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_PG_DB_PASSWORD'] }}
-
-##
-## Database configuration using a single URI. This is an
-## alternative to the 'db' parameter above. If both forms
-## are used, then only database_url is used.
-## This setting is MANDATORY, unless 'db' is used.
-##
-## Note: The 'database_url' setting allows the use of UNIX
-## sockets. To do so, remove the IP address (or FQDN) and port
-## and append the 'host' parameter. E.g:
-##   postgres://kemal:kemal@/invidious?host=/var/run/postgresql
-##
-## Accepted values: a postgres:// URI
-## Default: postgres://kemal:kemal@localhost:5432/invidious
-##
-#database_url: postgres://kemal:kemal@localhost:5432/invidious
-
-##
-## Enable automatic table integrity check. This will create
-## the required tables and columns if anything is missing.
-##
-## Accepted values: true, false
-## Default: false
-##
-check_tables: true
-
-
-##
-## Path to an external signature resolver, used to emulate
-## the Youtube client's Javascript. If no such server is
-## available, some videos will not be playable.
-##
-## When this setting is commented out, no external
-## resolver will be used.
-##
-## Accepted values: a path to a UNIX socket or "<IP>:<Port>"
-## Default: <none>
-##
-signature_server: invidious-sig-helper:12999
-
-
-#########################################
-#
-#  Server config
-#
-#########################################
-
-# -----------------------------
-#  Network (inbound)
-# -----------------------------
-
-##
-## Port to listen on for incoming connections.
-##
-## Note: Ports lower than 1024 requires either root privileges
-## (not recommended) or the "CAP_NET_BIND_SERVICE" capability
-## (See https://stackoverflow.com/a/414258 and `man capabilities`)
-##
-## Accepted values: 1-65535
-## Default: 3000
-##
-#port: 3000
-
-##
-## When the invidious instance is behind a proxy, and the proxy
-## listens on a different port than the instance does, this lets
-## invidious know about it. This is used to craft absolute URLs
-## to the instance (e.g in the API).
-##
-## Note: This setting is MANDATORY if invidious is behind a
-## reverse proxy.
-##
-## Accepted values: 1-65535
-## Default: <none>
-##
-#external_port:
-
-##
-## Interface address to listen on for incoming connections.
-##
-## Accepted values: a valid IPv4 or IPv6 address.
-## default: 0.0.0.0  (listen on all interfaces)
-##
-#host_binding: 0.0.0.0
-
-##
-## Domain name under which this instance is hosted. This is
-## used to craft absolute URLs to the instance (e.g in the API).
-## The domain MUST be defined if your instance is accessed from
-## a domain name (like 'example.com').
-##
-## Accepted values: a fully qualified domain name (FQDN)
-## Default: <none>
-##
-# domain:
-
-##
-## Tell Invidious that it is behind a proxy that provides only
-## HTTPS, so all links must use the https:// scheme. This
-## setting MUST be set to true if invidious is behind a
-## reverse proxy serving HTTPs.
-##
-## Accepted values: true, false
-## Default: false
-##
-https_only: false
-
-##
-## Enable/Disable 'Strict-Transport-Security'. Make sure that
-## the domain specified under 'domain' is served securely.
-##
-## Accepted values: true, false
-## Default: true
-##
-#hsts: true
-
-
-# -----------------------------
-#  Network (outbound)
-# -----------------------------
-
-##
-## Disable proxying server-wide. Can be disable as a whole, or
-## only for a single function.
-##
-## Accepted values: true, false, dash, livestreams, downloads, local
-## Default: false
-##
-#disable_proxy: false
-
-##
-## Size of the HTTP pool used to connect to youtube. Each
-## domain ('youtube.com', 'ytimg.com', ...) has its own pool.
-##
-## Accepted values: a positive integer
-## Default: 100
-##
-#pool_size: 100
-
-
-##
-## Additional cookies to be sent when requesting the youtube API.
-##
-## Accepted values: a string in the format "name1=value1; name2=value2..."
-## Default: <none>
-##
-#cookies:
-
-##
-## Force connection to youtube over a specific IP family.
-##
-## Note: This may sometimes resolve issues involving rate-limiting.
-## See https://github.com/ytdl-org/youtube-dl/issues/21729.
-##
-## Accepted values: ipv4, ipv6
-## Default: <none>
-##
-#force_resolve:
-
-##
-## Configuration for using a HTTP proxy
-##
-## If unset, then no HTTP proxy will be used.
-## 
-#http_proxy:
-#  user:
-#  password:
-#  host:
-#  port:
-
-
-##
-## Use Innertube's transcripts API instead of timedtext for closed captions
-##
-## Useful for larger instances as InnerTube is **not ratelimited**. See https://github.com/iv-org/invidious/issues/2567
-##
-## Subtitle experience may differ slightly on Invidious.
-##
-## Accepted values: true, false
-## Default: false
-##
-# use_innertube_for_captions: false
-
-##
-## Send Google session informations. This is useful when Invidious is blocked
-## by the message "This helps protect our community."
-## See https://github.com/iv-org/invidious/issues/4734.
-##
-## Warning: These strings gives much more identifiable information to Google!
-##
-## Accepted values: String
-## Default: <none>
-##
-po_token: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_PO_TOKEN'] }}
-visitor_data: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_VISITOR_DATA'] }}
-
-# -----------------------------
-#  Logging
-# -----------------------------
-
-##
-## Path to log file. Can be absolute or relative to the invidious
-## binary. This is overridden if "-o OUTPUT" or "--output=OUTPUT"
-## are passed on the command line.
-##
-## Accepted values: a filesystem path or 'STDOUT'
-## Default: STDOUT
-##
-#output: STDOUT
-
-##
-## Logging Verbosity. This is overridden if "-l LEVEL" or
-## "--log-level=LEVEL" are passed on the command line.
-##
-## Accepted values: All, Trace, Debug, Info, Warn, Error, Fatal, Off
-## Default: Info
-##
-#log_level: Info
-
-##
-## Enables colors in logs. Useful for debugging purposes
-## This is overridden if "-k" or "--colorize"
-## are passed on the command line.
-## Colors are also disabled if the environment variable
-## NO_COLOR is present and has any value
-##
-## Accepted values: true, false
-## Default: true
-##
-#colorize_logs: false
-
-# -----------------------------
-#  Features
-# -----------------------------
-
-##
-## Enable/Disable the "Popular" tab on the main page.
-##
-## Accepted values: true, false
-## Default: true
-##
-#popular_enabled: true
-
-##
-## Enable/Disable statstics (available at /api/v1/stats).
-## The following data is available:
-##   - Software name ("invidious") and version+branch (same data as
-##     displayed in the footer, e.g: "2021.05.13-75e5b49" / "master")
-##   - The value of the 'registration_enabled' config (true/false)
-##   - Number of currently registered users
-##   - Number of registered users who connected in the last month
-##   - Number of registered users who connected in the last 6 months
-##   - Timestamp of the last server restart
-##   - Timestamp of the last "Channel Refresh" job execution
-##
-## Warning: This setting MUST be set to true if you plan to run
-## a public instance. It is used by api.invidious.io to refresh
-## your instance's status.
-##
-## Accepted values: true, false
-## Default: false
-##
-#statistics_enabled: false
-
-
-# -----------------------------
-#  Users and accounts
-# -----------------------------
-
-##
-## Allow/Forbid Invidious (local) account creation. Invidious
-## accounts allow users to subscribe to channels and to create
-## playlists without a Google account.
-##
-## Accepted values: true, false
-## Default: true
-##
-#registration_enabled: true
-
-##
-## Allow/Forbid users to log-in.
-##
-## Accepted values: true, false
-## Default: true
-##
-#login_enabled: true
-
-##
-## Enable/Disable the captcha challenge on the login page.
-##
-## Note: this is a basic captcha challenge that doesn't
-## depend on any third parties.
-##
-## Accepted values: true, false
-## Default: true
-##
-#captcha_enabled: true
-
-##
-## List of usernames that will be granted administrator rights.
-## A user with administrator rights will be able to change the
-## server configuration options listed below in /preferences,
-## in addition to the usual user preferences.
-##
-## Server-wide settings:
-##   - popular_enabled
-##   - captcha_enabled
-##   - login_enabled
-##   - registration_enabled
-##   - statistics_enabled
-## Default user preferences:
-##   - default_home
-##   - feed_menu
-##
-## Accepted values: an array of strings
-## Default: [""]
-##
-#admins: [""]
-
-##
-## Enable/Disable the user notifications for all users
-##
-## Note: On large instances, it is recommended to set this option to 'false'
-## in order to reduce the amount of data written to the database, and hence
-## improve the overall performance of the instance.
-##
-## Accepted values: true, false
-## Default: true
-##
-#enable_user_notifications: true
-
-# -----------------------------
-#  Background jobs
-# -----------------------------
-
-##
-## Number of threads to use when crawling channel videos (during
-## subscriptions update).
-##
-## Notes: This setting is overridden if either "-c THREADS" or
-## "--channel-threads=THREADS" is passed on the command line.
-##
-## Accepted values: a positive integer
-## Default: 1
-##
-channel_threads: 1
-
-##
-## Time interval between two executions of the job that crawls
-## channel videos (subscriptions update).
-##
-## Accepted values: a valid time interval (like 1h30m or 90m)
-## Default: 30m
-##
-#channel_refresh_interval: 30m
-
-##
-## Forcefully dump and re-download the entire list of uploaded
-## videos when crawling channel (during subscriptions update).
-##
-## Accepted values: true, false
-## Default: false
-##
-full_refresh: false
-
-##
-## Number of threads to use when updating RSS feeds.
-##
-## Notes: This setting is overridden if either "-f THREADS" or
-## "--feed-threads=THREADS" is passed on the command line.
-##
-## Accepted values: a positive integer
-## Default: 1
-##
-feed_threads: 1
-
-
-jobs:
-
-  ## Options for the database cleaning job
-  clear_expired_items:
-
-    ## Enable/Disable job
-    ##
-    ## Accepted values: true, false
-    ## Default: true
-    ##
-    enable: true
-
-  ## Options for the channels updater job
-  refresh_channels:
-
-    ## Enable/Disable job
-    ##
-    ## Accepted values: true, false
-    ## Default: true
-    ##
-    enable: true
-
-  ## Options for the RSS feeds updater job
-  refresh_feeds:
-
-    ## Enable/Disable job
-    ##
-    ## Accepted values: true, false
-    ## Default: true
-    ##
-    enable: true
-
-
-# -----------------------------
-#  Miscellaneous
-# -----------------------------
-
-##
-## custom banner displayed at the top of every page. This can
-## used for instance announcements, e.g.
-##
-## Accepted values: any string. HTML is accepted.
-## Default: <none>
-##
-#banner:
-
-##
-## Subscribe to channels using PubSubHub (Google PubSubHubbub service).
-## PubSubHub allows Invidious to be instantly notified when a new video
-## is published on any subscribed channels. When PubSubHub is not used,
-## Invidious will check for new videos every minute.
-##
-## Note: This setting is recommended for public instances.
-##
-## Note 2:
-##  - Requires a public instance (it uses /feed/webhook/v1)
-##  - Requires 'domain' and 'hmac_key' to be set.
-##  - Setting this parameter to any number greater than zero will
-##    enable channel subscriptions via PubSubHub, but will limit the
-##    amount of concurrent subscriptions.
-##
-## Accepted values: true, false, a positive integer
-## Default: false
-##
-#use_pubsub_feeds: false
-
-##
-## HMAC signing key used for CSRF tokens, cookies and pubsub
-## subscriptions verification.
-##
-## Note: This parameter is mandatory and should be a random string.
-## Such random string can be generated on linux with the following
-## command: `pwgen 20 1`
-##
-## Accepted values: a string
-## Default: <none>
-##
-hmac_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_HMAC_KEY'] }}
-
-##
-## List of video IDs where the "download" widget must be
-## disabled, in order to comply with DMCA requests.
-##
-## Accepted values: an array of string
-## Default: <none>
-##
-#dmca_content:
-
-##
-## Cache video annotations in the database.
-##
-## Warning: empty annotations or annotations that only contain
-## cards won't be cached.
-##
-## Accepted values: true, false
-## Default: false
-##
-#cache_annotations: false
-
-##
-## Source code URL. If your instance is running a modified source
-## code, you MUST publish it somewhere and set this option.
-##
-## Accepted values: a string
-## Default: <none>
-##
-#modified_source_code_url: ""
-
-##
-## Maximum custom playlist length limit.
-##
-## Accepted values: Integer
-## Default: 500
-##
-#playlist_length_limit: 500
-
-#########################################
-#
-#  Default user preferences
-#
-#########################################
-
-##
-## NOTE: All the settings below define the default user
-## preferences. They will apply to ALL users connecting
-## without a preferences cookie (so either on the first
-## connection to the instance or after clearing the
-## browser's cookies).
-##
-
-default_user_preferences:
-
-  # -----------------------------
-  #  Internationalization
-  # -----------------------------
-
-  ##
-  ## Default user interface language (locale).
-  ##
-  ## Note: When hosting a public instance, overriding the
-  ## default (english) is not recommended, as it may
-  ## people using other languages.
-  ##
-  ## Accepted values:
-  ##   ar      (Arabic)
-  ##   da      (Danish)
-  ##   de      (German)
-  ##   en-US   (english, US)
-  ##   el      (Greek)
-  ##   eo      (Esperanto)
-  ##   es      (Spanish)
-  ##   fa      (Persian)
-  ##   fi      (Finnish)
-  ##   fr      (French)
-  ##   he      (Hebrew)
-  ##   hr      (Hungarian)
-  ##   id      (Indonesian)
-  ##   is      (Icelandic)
-  ##   it      (Italian)
-  ##   ja      (Japanese)
-  ##   nb-NO   (Norwegian, Bokmål)
-  ##   nl      (Dutch)
-  ##   pl      (Polish)
-  ##   pt-BR   (Portuguese, Brazil)
-  ##   pt-PT   (Portuguese, Portugal)
-  ##   ro      (Romanian)
-  ##   ru      (Russian)
-  ##   sv      (Swedish)
-  ##   tr      (Turkish)
-  ##   uk      (Ukrainian)
-  ##   zh-CN   (Chinese, China)  (a.k.a "Simplified Chinese")
-  ##   zh-TW   (Chinese, Taiwan) (a.k.a "Traditional Chinese")
-  ##
-  ## Default: en-US
-  ##
-  #locale: en-US
-
-  ##
-  ## Default geographical location for content.
-  ##
-  ## Accepted values:
-  ##   AE, AR, AT, AU, AZ, BA, BD, BE, BG, BH, BO, BR, BY, CA, CH, CL, CO, CR,
-  ##   CY, CZ, DE, DK, DO, DZ, EC, EE, EG, ES, FI, FR, GB, GE, GH, GR, GT, HK,
-  ##   HN, HR, HU, ID, IE, IL, IN, IQ, IS, IT, JM, JO, JP, KE, KR, KW, KZ, LB,
-  ##   LI, LK, LT, LU, LV, LY, MA, ME, MK, MT, MX, MY, NG, NI, NL, NO, NP, NZ,
-  ##   OM, PA, PE, PG, PH, PK, PL, PR, PT, PY, QA, RO, RS, RU, SA, SE, SG, SI,
-  ##   SK, SN, SV, TH, TN, TR, TW, TZ, UA, UG, US, UY, VE, VN, YE, ZA, ZW
-  ##
-  ## Default: US
-  ##
-  #region: US
-
-  ##
-  ## Top 3 preferred languages for video captions.
-  ##
-  ## Note: overriding the default (no preferred
-  ## caption language) is not recommended, in order
-  ## to not penalize people using other languages.
-  ##
-  ## Accepted values: a three-entries array.
-  ## Each entry can be one of:
-  ##   "English", "English (auto-generated)",
-  ##   "Afrikaans", "Albanian", "Amharic", "Arabic",
-  ##   "Armenian", "Azerbaijani", "Bangla", "Basque",
-  ##   "Belarusian", "Bosnian", "Bulgarian", "Burmese",
-  ##   "Catalan", "Cebuano", "Chinese (Simplified)",
-  ##   "Chinese (Traditional)", "Corsican", "Croatian",
-  ##   "Czech", "Danish", "Dutch", "Esperanto", "Estonian",
-  ##   "Filipino", "Finnish", "French", "Galician", "Georgian",
-  ##   "German", "Greek", "Gujarati", "Haitian Creole", "Hausa",
-  ##   "Hawaiian", "Hebrew", "Hindi", "Hmong", "Hungarian",
-  ##   "Icelandic", "Igbo", "Indonesian", "Irish", "Italian",
-  ##   "Japanese", "Javanese", "Kannada", "Kazakh", "Khmer",
-  ##   "Korean", "Kurdish", "Kyrgyz", "Lao", "Latin", "Latvian",
-  ##   "Lithuanian", "Luxembourgish", "Macedonian",
-  ##   "Malagasy", "Malay", "Malayalam", "Maltese", "Maori",
-  ##   "Marathi", "Mongolian", "Nepali", "Norwegian Bokmål",
-  ##   "Nyanja", "Pashto", "Persian", "Polish", "Portuguese",
-  ##   "Punjabi", "Romanian", "Russian", "Samoan",
-  ##   "Scottish Gaelic", "Serbian", "Shona", "Sindhi",
-  ##   "Sinhala", "Slovak", "Slovenian", "Somali",
-  ##   "Southern Sotho", "Spanish", "Spanish (Latin America)",
-  ##   "Sundanese",  "Swahili", "Swedish", "Tajik", "Tamil",
-  ##   "Telugu", "Thai", "Turkish", "Ukrainian", "Urdu",
-  ##   "Uzbek", "Vietnamese", "Welsh", "Western Frisian",
-  ##   "Xhosa", "Yiddish", "Yoruba", "Zulu"
-  ##
-  ## Default: ["", "", ""]
-  ##
-  #captions: ["", "", ""]
-
-
-  # -----------------------------
-  #  Interface
-  # -----------------------------
-
-  ##
-  ## Enable/Disable dark mode.
-  ##
-  ## Accepted values: "dark", "light", "auto"
-  ## Default: "auto"
-  ##
-  #dark_mode: "auto"
-
-  ##
-  ## Enable/Disable thin mode (no video thumbnails).
-  ##
-  ## Accepted values: true, false
-  ## Default: false
-  ##
-  #thin_mode: false
-
-  ##
-  ## List of feeds available on the home page.
-  ##
-  ## Note: "Subscriptions" and "Playlists" are only visible
-  ## when the user is logged in.
-  ##
-  ## Accepted values: A list of strings
-  ## Each entry can be one of: "Popular", "Trending",
-  ##    "Subscriptions", "Playlists"
-  ##
-  ## Default: ["Popular", "Trending", "Subscriptions", "Playlists"]  (show all feeds)
-  ##
-  #feed_menu: ["Popular", "Trending", "Subscriptions", "Playlists"]
-
-  ##
-  ## Default feed to display on the home page.
-  ##
-  ## Note: setting this option to "Popular" has no
-  ## effect when 'popular_enabled' is set to false.
-  ##
-  ## Accepted values: Popular, Trending, Subscriptions, Playlists, <none>
-  ## Default: Popular
-  ##
-  #default_home: Popular
-
-  ##
-  ## Default number of results to display per page.
-  ##
-  ## Note: this affects invidious-generated pages only, such
-  ## as watch history and subscription feeds. Playlists, search
-  ## results and channel videos depend on the data returned by
-  ## the Youtube API.
-  ##
-  ## Accepted values: any positive integer
-  ## Default: 40
-  ##
-  #max_results: 40
-
-  ##
-  ## Show/hide annotations.
-  ##
-  ## Accepted values: true, false
-  ## Default: false
-  ##
-  #annotations: false
-
-  ##
-  ## Show/hide annotation.
-  ##
-  ## Accepted values: true, false
-  ## Default: false
-  ##
-  #annotations_subscribed: false
-
-  ##
-  ## Type of comments to display below video.
-  ##
-  ## Accepted values: a two-entries array.
-  ## Each entry can be one of: "youtube", "reddit", ""
-  ##
-  ## Default: ["youtube", ""]
-  ##
-  #comments: ["youtube", ""]
-
-  ##
-  ## Default player style.
-  ##
-  ## Accepted values: invidious, youtube
-  ## Default: invidious
-  ##
-  #player_style: invidious
-
-  ##
-  ## Show/Hide the "related videos" sidebar when
-  ## watching a video.
-  ##
-  ## Accepted values: true, false
-  ## Default: true
-  ##
-  #related_videos: true
-
-
-  # -----------------------------
-  #  Video player behavior
-  # -----------------------------
-
-  ##
-  ## This option controls the value of the HTML5 <video> element's
-  ## "preload" attribute.
-  ##
-  ## If set to 'false', no video data will be loaded until the user
-  ## explicitly starts the video by clicking the "Play" button.
-  ## If set to 'true', the web browser will buffer some video data
-  ## while the page is loading.
-  ##
-  ## See: https://www.w3schools.com/tags/att_video_preload.asp
-  ##
-  ## Accepted values: true, false
-  ## Default: true
-  ##
-  #preload: true
-
-  ##
-  ## Automatically play videos on page load.
-  ##
-  ## Accepted values: true, false
-  ## Default: false
-  ##
-  #autoplay: false
-
-  ##
-  ## Automatically load the "next" video (either next in
-  ## playlist or proposed) when the current video ends.
-  ##
-  ## Accepted values: true, false
-  ## Default: false
-  ##
-  #continue: false
-
-  ##
-  ## Autoplay next video by default.
-  ##
-  ## Note: Only effective if 'continue' is set to true.
-  ##
-  ## Accepted values: true, false
-  ## Default: true
-  ##
-  #continue_autoplay: true
-
-  ##
-  ## Play videos in Audio-only mode by default.
-  ##
-  ## Accepted values: true, false
-  ## Default: false
-  ##
-  #listen: false
-
-  ##
-  ## Loop videos automatically.
-  ##
-  ## Accepted values: true, false
-  ## Default: false
-  ##
-  #video_loop: false
-
-
-  # -----------------------------
-  #  Video playback settings
-  # -----------------------------
-
-  ##
-  ## Default video quality.
-  ##
-  ## Accepted values: dash, hd720, medium, small
-  ## Default: hd720
-  ##
-  #quality: hd720
-
-  ##
-  ## Default dash video quality.
-  ##
-  ## Note: this setting only takes effet if the
-  ## 'quality' parameter is set to "dash".
-  ##
-  ## Accepted values:
-  ##    auto, best, 4320p, 2160p, 1440p, 1080p,
-  ##    720p, 480p, 360p, 240p, 144p, worst
-  ## Default: auto
-  ##
-  #quality_dash: auto
-
-  ##
-  ## Default video playback speed.
-  ##
-  ## Accepted values: 0.25, 0.5, 0.75, 1.0, 1.25, 1.5, 1.75, 2.0
-  ## Default: 1.0
-  ##
-  #speed: 1.0
-
-  ##
-  ## Default volume.
-  ##
-  ## Accepted values: 0-100
-  ## Default: 100
-  ##
-  #volume: 100
-
-  ##
-  ## Allow 360° videos to be played.
-  ##
-  ## Note: This feature requires a WebGL-enabled browser.
-  ##
-  ## Accepted values: true, false
-  ## Default: true
-  ##
-  #vr_mode: true
-  
-  ##
-  ## Save the playback position
-  ## Allow to continue watching at the previous position when
-  ## watching the same video.
-  ##
-  ## Accepted values: true, false
-  ## Default: false
-  ##
-  #save_player_pos: false
-
-  # -----------------------------
-  #  Subscription feed
-  # -----------------------------
-
-  ##
-  ## In the "Subscription" feed, only show the latest video
-  ## of each channel the user is subscribed to.
-  ##
-  ## Note: when combined with 'unseen_only', the latest unseen
-  ## video of each channel will be displayed instead of the
-  ## latest by date.
-  ##
-  ## Accepted values: true, false
-  ## Default: false
-  ##
-  #latest_only: false
-
-  ##
-  ## Enable/Disable user subscriptions desktop notifications.
-  ##
-  ## Accepted values: true, false
-  ## Default: false
-  ##
-  #notifications_only: false
-
-  ##
-  ## In the "Subscription" feed, Only show the videos that the
-  ## user haven't watched yet (i.e which are not in their watch
-  ## history).
-  ##
-  ## Accepted values: true, false
-  ## Default: false
-  ##
-  #unseen_only: false
-
-  ##
-  ## Default sorting parameter for subscription feeds.
-  ##
-  ## Accepted values:
-  ##   'alphabetically'
-  ##   'alphabetically - reverse'
-  ##   'channel name'
-  ##   'channel name - reverse'
-  ##   'published'
-  ##   'published - reverse'
-  ##
-  ## Default: published
-  ##
-  #sort: published
-
-
-  # -----------------------------
-  #  Miscellaneous
-  # -----------------------------
-
-  ##
-  ## Proxy videos through instance by default.
-  ##
-  ## Warning: As most users won't change this setting in their
-  ## preferences, defaulting  to true will significantly
-  ## increase the instance's network usage, so make sure that
-  ## your server's connection can handle it.
-  ##
-  ## Accepted values: true, false
-  ## Default: false
-  ##
-  #local: false
-
-  ##
-  ## Show the connected user's nick at the top right.
-  ##
-  ## Accepted values: true, false
-  ## Default: true
-  ##
-  #show_nick: true
-
-  ##
-  ## Automatically redirect to a random instance when the user uses
-  ## any "switch invidious instance" link (For videos, it's the plane
-  ## icon, next to "watch on youtube" and "listen"). When set to false,
-  ## the user is sent to https://redirect.invidious.io instead, where
-  ## they can manually select an instance.
-  ##
-  ## Accepted values: true, false
-  ## Default: false
-  ##
-  #automatic_instance_redirect: false
-
-  ##
-  ## Show the entire video description by default (when set to 'false',
-  ## only the first few lines of the description are shown and a
-  ## "show more" button allows to expand it).
-  ##
-  ## Accepted values: true, false
-  ## Default: false
-  ##
-  #extend_desc: false
@@ -1,52 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-# IN application vars
-IN_APP_URL=https://biz.trez.wtf
-IN_APP_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['IN_APP_KEY'] }}
-IN_APP_DEBUG=true
-IN_REQUIRE_HTTPS=false
-IN_PHANTOMJS_PDF_GENERATION=false
-IN_PDF_GENERATOR=snappdf
-IN_TRUSTED_PROXIES='*'
-
-
-IN_QUEUE_CONNECTION=database
-
-# DB connection
-IN_DB_HOST=mariadb
-IN_DB_PORT=3306
-IN_DB_DATABASE=invoice_ninja
-IN_DB_USERNAME=ininja
-IN_DB_PASSWORD={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['IN_MYSQL_PASSWORD'] }}
-
-# Create initial user
-# Default to these values if empty
-# IN_USER_EMAIL=admin@example.com
-# IN_PASSWORD=changeme!
-IN_USER_EMAIL=
-IN_PASSWORD=
-
-# Mail options
-IN_MAIL_MAILER=log
-IN_MAIL_HOST=postal-smtp
-IN_MAIL_PORT=25
-IN_MAIL_USERNAME={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}
-IN_MAIL_PASSWORD={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}
-IN_MAIL_ENCRYPTION=null
-IN_MAIL_FROM_ADDRESS='noreply@trez.wtf'
-IN_MAIL_FROM_NAME='Treasured IT'
-
-# MySQL
-IN_MYSQL_ROOT_PASSWORD=ninjaAdm1nPassword
-IN_MYSQL_USER=ninja
-IN_MYSQL_PASSWORD=ninja
-IN_MYSQL_DATABASE=ninja
-
-# GoCardless/Nordigen API key for banking integration
-NORDIGEN_SECRET_ID=
-NORDIGEN_SECRET_KEY=
-
-# V4 env vars
-# DB_STRICT=false
-# APP_CIPHER=AES-256-CBC
@@ -0,0 +1,52 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+# IN application vars
+IN_APP_URL=http://in.localhost:8003
+IN_APP_KEY=<insert your generated key in here>
+IN_APP_DEBUG=true
+IN_REQUIRE_HTTPS=false
+IN_PHANTOMJS_PDF_GENERATION=false
+IN_PDF_GENERATOR=snappdf
+IN_TRUSTED_PROXIES='*'
+
+
+IN_QUEUE_CONNECTION=database
+
+# DB connection
+IN_DB_HOST=db
+IN_DB_PORT=3306
+IN_DB_DATABASE=ninja
+IN_DB_USERNAME=ninja
+IN_DB_PASSWORD=ninja
+
+# Create initial user
+# Default to these values if empty
+# IN_USER_EMAIL=admin@example.com
+# IN_PASSWORD=changeme!
+IN_USER_EMAIL=
+IN_PASSWORD=
+
+# Mail options
+IN_MAIL_MAILER=log
+IN_MAIL_HOST=smtp.mailtrap.io
+IN_MAIL_PORT=2525
+IN_MAIL_USERNAME=null
+IN_MAIL_PASSWORD=null
+IN_MAIL_ENCRYPTION=null
+IN_MAIL_FROM_ADDRESS='user@example.com'
+IN_MAIL_FROM_NAME='Self Hosted User'
+
+# MySQL
+IN_MYSQL_ROOT_PASSWORD=ninjaAdm1nPassword
+IN_MYSQL_USER=ninja
+IN_MYSQL_PASSWORD=ninja
+IN_MYSQL_DATABASE=ninja
+
+# GoCardless/Nordigen API key for banking integration
+NORDIGEN_SECRET_ID=
+NORDIGEN_SECRET_KEY=
+
+# V4 env vars
+# DB_STRICT=false
+# APP_CIPHER=AES-256-CBC
@@ -1,33 +0,0 @@
-version: 1.2.8
-endpoints:
-  custom:
-    - name: "rinoa-ollama"
-      apiKey: "ollama"
-      baseURL: "http://ollama:11434/v1/chat/completions"
-      models:
-        default: [
-          "codellama:7b",
-          "deepseek-coder-v2:16b",
-          "deepseek-r1:1.5b",
-          "deepseek-v3:671b",
-          "dolphin-mistral:7b",
-          "llama2:7b",
-          "llama3.3:70b",
-          "mistral-openorca:7b",
-          "mistral:7b",
-          "orca-mini:3b",
-          "phi4:14b",
-          "qwen2.5",
-          "smollm2:1.7b",
-          "starcoder2:3b",
-          "tinyllama:1.1b",
-        ]
-# fetching list of models is supported but the `name` field must start
-# with `ollama` (case-insensitive), as it does in this example.
-        fetch: true
-      titleConvo: true
-      titleModel: "current_model"
-      summarize: false
-      summaryModel: "current_model"
-      forcePrompt: false
-      modelDisplayLabel: "Ollama"
@@ -1,124 +0,0 @@
-[app]
-# Log level: info, debug, warn, error, fatal
-log_level = "debug"
-# Environment: dev, prod.
-# Setting to "dev" will enable color logging in terminal.
-env = "dev"
-# Whether to automatically check for application updates on start up, app updates are shown as a banner in the admin panel.
-check_updates = true
-
-# HTTP server.
-[app.server]
-# Address to bind the HTTP server to.
-address = "0.0.0.0:9000"
-# Unix socket path (leave empty to use TCP address instead)
-socket = ""
-# Do NOT disable secure cookies in production environment if you don't know exactly what you're doing!
-disable_secure_cookies = false
-# Request read and write timeouts.
-read_timeout = "5s"
-write_timeout = "5s"
-# Maximum request body size in bytes (100MB)
-# If you are using proxy, you may need to configure them to allow larger request bodies.
-max_body_size = 104857600
-# Size of the read buffer for incoming requests
-read_buffer_size = 4096
-# Keepalive settings.
-keepalive_timeout = "10s"
-
-# File upload provider to use, either `fs` or `s3`.
-[upload]
-provider = "s3"
-
-# Filesystem provider.
-[upload.fs]
-# Directory where uploaded files are stored, make sure this directory exists and is writable by the application.
-upload_path = 'uploads'
-
-# S3 provider.
-[upload.s3]
-# S3 endpoint URL (required only for non-AWS S3-compatible providers like MinIO).
-# Leave empty to use default AWS endpoints.
-url = "http://minio:9000"
-
-# AWS S3 credentials, keep empty to use attached IAM roles.
-access_key = "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBREDESK_S3_ACCESS_KEY'] }}"
-secret_key = "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBREDESK_S3_SECRET_KEY'] }}"
-
-# AWS region, e.g., "us-east-1", "eu-west-1", etc.
-region = "us-east-fh-pln"
-# S3 bucket name where files will be stored.
-bucket = "libredesk"
-# Optional prefix path within the S3 bucket where files will be stored.
-# Example, if set to "uploads/media", files will be stored under that path.
-# Useful for organizing files inside a shared bucket.
-bucket_path = ""
-# S3 signed URL expiry duration (e.g., "30m", "1h")
-expiry = "30m"
-
-# Postgres.
-[db]
-# If running locally, use `localhost`.
-host = "libredesk-pg-db"
-# Database port, default is 5432.
-port = 5432
-# Update the following values with your database credentials.
-user = "libredesk"
-password = "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBREDESK_PG_DB_PASSWD'] }}"
-database = "libredesk"
-ssl_mode = "disable"
-# Maximum number of open database connections
-max_open = 30
-# Maximum number of idle connections in the pool
-max_idle = 30
-# Maximum time a connection can be reused before being closed
-max_lifetime = "300s"
-
-# Redis.
-[redis]
-# If running locally, use `localhost:6379`.
-address = "libredesk-valkey:6379"
-password = ""
-db = 0
-
-[message]
-# Number of workers processing outgoing message queue
-outgoing_queue_workers = 10
-# Number of workers processing incoming message queue
-incoming_queue_workers = 10
-# How often to scan for outgoing messages to process, keep it low to process messages quickly.
-message_outgoing_scan_interval = "50ms"
-# Maximum number of messages that can be queued for incoming processing
-incoming_queue_size = 5000
-# Maximum number of messages that can be queued for outgoing processing
-outgoing_queue_size = 5000
-
-[notification]
-# Number of concurrent notification workers
-concurrency = 2
-# Maximum number of notifications that can be queued
-queue_size = 2000
-
-[automation]
-# Number of workers processing automation rules
-worker_count = 10
-
-[autoassigner]
-# How often to run automatic conversation assignment
-autoassign_interval = "5m"
-
-[webhook]
-# Number of webhook delivery workers
-workers = 5
-# Maximum number of webhook deliveries that can be queued
-queue_size = 10000
-# HTTP timeout for webhook requests
-timeout = "15s"
-
-[conversation]
-# How often to check for conversations to unsnooze
-unsnooze_interval = "5m"
-
-[sla]
-# How often to evaluate SLA compliance for conversations
-evaluation_interval = "5m"
@@ -1,49 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-containers:
-  ghost_blog:
-    action_keywords:
-      - restart:
-          regex: 'Connection Error.*ECONNRESET$'
-  immich-server:
-    action_keywords:
-      - restart:
-          regex: '(ENOTFOUND|Error|ECONNREFUSED)'
-  invidious:
-    action_keywords:
-      - restart:
-          regex: 'Error reading.*Connection reset by peer trying to reconnect\.\.\.'
-  maxun-backend:
-    action_keywords:
-      - restart:
-          regex: '[Ee]rror'
-  planka:
-    action_keywords:
-      - restart:
-          regex: 'Failed to lift app: Sails is taking too long to load.$'
-  scrutiny:
-    action_keywords:
-      - restart:
-          regex: '^s6-.*: fatal.*$'
-  swag:
-    action_keywords:
-      - restart:
-          regex: '^s6-.*: fatal.*$'
-global_keywords:
-  keywords:
-    - panic
-  keywords_with_attachment:
-    - fatal
-notifications:
-  apprise:
-    url: gotify://gotify/{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['APPRISE_GOTIFY_TOKEN'] }}    # Any Apprise-compatible URL (https://github.com/caronc/apprise/wiki)
-# settings are optional because they all have default values
-settings:
-  log_level: INFO               # DEBUG, INFO, WARNING, ERROR
-  notification_cooldown: 5      # Seconds between alerts for same keyword (per container)
-  attachment_lines: 20          # Number of Lines to include in log attachments
-  multi_line_entries: true      # Detect multi-line log entries
-  disable_restart: false        # Disable restart when a config change is detected
-  disable_start_message: false  # Suppress startup notification
-  disable_shutdown_message: false  # Suppress shutdown notification
-  disable_restart_message: false   # Suppress config reload notification
@@ -1,113 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-{
-  "debugMode": false,
-  "disableWeb": false,
-  "sourceDefaults": {
-    "logPayload": false,
-    "logFilterFailure": "warn",
-    "logPlayerState": false,
-    "scrobbleThresholds": {
-      "duration": 30,
-      "percent": 20
-    },
-    "maxPollRetries": 1,
-    "maxRequestRetries": 1,
-    "retryMultiplier": 1.5
-  },
-  "clientDefaults": {
-    "maxRequestRetries": 1,
-    "retryMultiplier": 1.5
-  },
-  "sources": [
-    {
-      "type": "spotify",
-      "enable": true,
-      "clients": ["lastfmClient", "ListenBrainzClient", "maloja"],
-      "name": "spotifySource",
-      "data": {
-        "clientId": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_ID'] }}",
-        "clientSecret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_SECRET'] }}",
-        "redirectUri": "https://scrobble.trez.wtf/callback"
-      }
-    },
-    {
-      "type": "lastfm",
-      "enable": true,
-      "clients": ["ListenBrainzClient", "maloja"],
-      "configureAs": "source",
-      "name": "lastfmSource",
-      "data": {
-        "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
-        "secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
-        "redirectUri": "https://scrobble.trez.wtf/lastfm/callback"
-      }
-    },
-    {
-      "type": "listenbrainz",
-      "enable": true,
-      "clients": ["lastfmClient", "maloja"],
-      "name": "listenBrainzSource",
-      "data": {
-        "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_LISTENBRAINZ_TOKEN'] }}",
-        "username": "Trez.One"
-      }
-    },
-    {
-      "type": "subsonic",
-      "enable": true,
-      "clients": ["lastfmClient", "ListenBrainzClient", "maloja"],
-      "name": "navidromeSource",
-      "data": {
-        "url": "http://navidrome:4533",
-        "user": "admin",
-        "password": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NAVIDROME_PASSWORD'] }}"
-      }
-    }
-  ],
-  "clients": [
-    {
-      "type": "lastfm",
-      "enable": true,
-      "name": "lastFmClient",
-      "configureAs": "client",
-      "data": {
-        "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
-        "secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
-        "redirectUri": "https://scrobble.trez.wtf/lastfm/callback"
-      }
-    },
-    {
-      "type": "listenbrainz",
-      "enable": true,
-      "name": "ListenBrainzClient",
-      "data": {
-        "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_LISTENBRAINZ_TOKEN'] }}",
-        "username": "Trez.One"
-      }
-    },
-    {
-      "type": "maloja",
-      "enable": true,
-      "name": "malojaClient",
-      "data": {
-        "url": "http://maloja:42010",
-        "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_API_KEY'] }}"
-      }
-    }
-  ],
-  "webhooks": [
-    {
-      "name": "Gotify",
-      "type": "gotify",
-      "url": "http://gotify",
-      "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MULTI_SCROBBLER_GOTIFY_TOKEN'] }}",
-      "priorities": {
-        "info": 5,
-        "warn": 7,
-        "error": 10
-      }
-    }
-  ]
-}
@@ -0,0 +1,63 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+{
+    "sourceDefaults": {
+      "maxPollRetries": 0,          // optional, default # of automatic polling restarts on error. can be overridden by property in individual config
+      "maxRequestRetries": 1,       // optional, default # of http request retries a source can make before error is thrown. can be overridden by property in individual config
+      "retryMultiplier": 1.5       // optional, default retry delay multiplier (retry attempt * multiplier = # of seconds to wait before retrying). can be overridden by property in individual config
+    },
+    "clientDefaults": {
+      "maxRequestRetries": 1,       // optional, default # of http request retries a client can make before error is thrown. can be overridden by property in individual config
+      "retryMultiplier": 1.5       // optional, default retry delay multiplier (retry attempt * multiplier = # of seconds to wait before retrying). can be overridden by property in individual config
+    },
+    "clients": [
+        {
+            "name": "Last.fm Client",
+            "enable": true,
+            "configureAs": "client",
+            "data": {
+            "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
+            "secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
+            "redirectUri": "http://localhost:9078/lastfm/callback"
+            }
+        },
+        {
+            "name": "Last.fm Source",
+            "enable": true,
+            "configureAs": "source",
+            "data": {
+            "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
+            "secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
+            "redirectUri": "http://localhost:9078/lastfm/callback"
+            }
+        },
+        {
+            "name": "Maloja",
+            "enable": true,
+            "data": {
+            "url": "http://maloja:42010",
+            "apiKey": "myMalojaKey"
+            }
+        },
+        {
+          "name": "ListenBrainz Client",
+          "enable": true,
+          "configureAs": "client",
+          "data": {
+            "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_LISTENBRAINZ_TOKEN'] }}",
+            "username": "Trez.One"
+          }
+        },
+        {
+          "name": "ListenBrainz Source",
+          "enable": true,
+          "configureAs": "source",
+          "data": {
+            "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_LISTENBRAINZ_TOKEN'] }}",
+            "username": "Trez.One"
+          }
+        }
+      ]
+  }
+}
@@ -0,0 +1,106 @@
+{
+  "Stuns": [
+    {
+      "Proto": "udp",
+      "URI": "stun:netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:3478",
+      "Username": "",
+      "Password": null
+    }
+  ],
+  "TURNConfig": {
+    "Turns": [
+      {
+        "Proto": "udp",
+        "URI": "turn:netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:3478",
+        "Username": "self",
+        "Password": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_TURN_PASSWORD'] }}"
+      }
+    ],
+    "CredentialsTTL": "12h",
+    "Secret": "secret",
+    "TimeBasedCredentials": false
+  },
+  "Relay": {
+    "Addresses": [
+      "rel://netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:33080"
+    ],
+    "CredentialsTTL": "24h",
+    "Secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_RELAY_AUTH_SECRET'] }}"
+  },
+  "Signal": {
+    "Proto": "https",
+    "URI": "netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:10001",
+    "Username": "",
+    "Password": null
+  },
+  "ReverseProxy": {
+    "TrustedHTTPProxies": [],
+    "TrustedHTTPProxiesCount": 0,
+    "TrustedPeers": [
+      "0.0.0.0/0"
+    ]
+  },
+  "Datadir": "",
+  "DataStoreEncryptionKey": "",
+  "StoreConfig": {
+    "Engine": "sqlite"
+  },
+  "HttpConfig": {
+    "Address": "0.0.0.0:33073",
+    "AuthIssuer": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}",
+    "AuthAudience": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_ZITADEL_CLIENT_ID'] }}",
+    "AuthKeysLocation": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/oauth/v2/keys",
+    "AuthUserIDClaim": "",
+    "CertFile": "",
+    "CertKey": "",
+    "IdpSignKeyRefreshEnabled": true,
+    "OIDCConfigEndpoint": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/.well-known/openid-configuration"
+  },
+  "IdpManagerConfig": {
+    "ManagerType": "zitadel",
+    "ClientConfig": {
+      "Issuer": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}",
+      "TokenEndpoint": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/oauth/v2/token",
+      "ClientID": "netbird",
+      "ClientSecret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_ZITADEL_CLIENT_SECRET'] }}",
+      "GrantType": "client_credentials"
+    },
+    "ExtraConfig": {
+      "ManagementEndpoint": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/management/v1"
+    },
+    "Auth0ClientCredentials": null,
+    "AzureClientCredentials": null,
+    "KeycloakClientCredentials": null,
+    "ZitadelClientCredentials": null
+  },
+  "DeviceAuthorizationFlow": {
+    "Provider": "hosted",
+    "ProviderConfig": {
+      "Audience": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_ZITADEL_CLIENT_ID'] }}",
+      "AuthorizationEndpoint": "",
+      "Domain": "",
+      "ClientID": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_ZITADEL_CLIENT_ID'] }}",
+      "ClientSecret": "",
+      "TokenEndpoint": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/oauth/v2/token",
+      "DeviceAuthEndpoint": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/oauth/v2/device_authorization",
+      "Scope": "openid",
+      "UseIDToken": false,
+      "RedirectURLs": null
+    }
+  },
+  "PKCEAuthorizationFlow": {
+    "ProviderConfig": {
+      "Audience": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_ZITADEL_CLIENT_ID'] }}",
+      "ClientID": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_ZITADEL_CLIENT_ID'] }}",
+      "ClientSecret": "",
+      "Domain": "",
+      "AuthorizationEndpoint": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/oauth/v2/authorize",
+      "TokenEndpoint": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/oauth/v2/token",
+      "Scope": "openid profile email offline_access api",
+      "RedirectURLs": [
+        "http://localhost:53000"
+      ],
+      "UseIDToken": false
+    }
+  }
+}
@@ -0,0 +1,122 @@
+{
+    "issuer": "https://id.trez.wtf",
+    "authorization_endpoint": "https://id.trez.wtf/oauth/v2/authorize",
+    "token_endpoint": "https://id.trez.wtf/oauth/v2/token",
+    "introspection_endpoint": "https://id.trez.wtf/oauth/v2/introspect",
+    "userinfo_endpoint": "https://id.trez.wtf/oidc/v1/userinfo",
+    "revocation_endpoint": "https://id.trez.wtf/oauth/v2/revoke",
+    "end_session_endpoint": "https://id.trez.wtf/oidc/v1/end_session",
+    "device_authorization_endpoint": "https://id.trez.wtf/oauth/v2/device_authorization",
+    "jwks_uri": "https://id.trez.wtf/oauth/v2/keys",
+    "scopes_supported": [
+        "openid",
+        "profile",
+        "email",
+        "phone",
+        "address",
+        "offline_access"
+    ],
+    "response_types_supported": [
+        "code",
+        "id_token",
+        "id_token token"
+    ],
+    "response_modes_supported": [
+        "query",
+        "fragment",
+        "form_post"
+    ],
+    "grant_types_supported": [
+        "authorization_code",
+        "implicit",
+        "refresh_token",
+        "client_credentials",
+        "urn:ietf:params:oauth:grant-type:jwt-bearer",
+        "urn:ietf:params:oauth:grant-type:device_code"
+    ],
+    "subject_types_supported": [
+        "public"
+    ],
+    "id_token_signing_alg_values_supported": [
+        "RS256"
+    ],
+    "request_object_signing_alg_values_supported": [
+        "RS256"
+    ],
+    "token_endpoint_auth_methods_supported": [
+        "none",
+        "client_secret_basic",
+        "client_secret_post",
+        "private_key_jwt"
+    ],
+    "token_endpoint_auth_signing_alg_values_supported": [
+        "RS256"
+    ],
+    "revocation_endpoint_auth_methods_supported": [
+        "none",
+        "client_secret_basic",
+        "client_secret_post",
+        "private_key_jwt"
+    ],
+    "revocation_endpoint_auth_signing_alg_values_supported": [
+        "RS256"
+    ],
+    "introspection_endpoint_auth_methods_supported": [
+        "client_secret_basic",
+        "private_key_jwt"
+    ],
+    "introspection_endpoint_auth_signing_alg_values_supported": [
+        "RS256"
+    ],
+    "claims_supported": [
+        "sub",
+        "aud",
+        "exp",
+        "iat",
+        "iss",
+        "auth_time",
+        "nonce",
+        "acr",
+        "amr",
+        "c_hash",
+        "at_hash",
+        "act",
+        "scopes",
+        "client_id",
+        "azp",
+        "preferred_username",
+        "name",
+        "family_name",
+        "given_name",
+        "locale",
+        "email",
+        "email_verified",
+        "phone_number",
+        "phone_number_verified"
+    ],
+    "code_challenge_methods_supported": [
+        "S256"
+    ],
+    "ui_locales_supported": [
+        "bg",
+        "cs",
+        "de",
+        "en",
+        "es",
+        "fr",
+        "hu",
+        "id",
+        "it",
+        "ja",
+        "ko",
+        "mk",
+        "nl",
+        "pl",
+        "pt",
+        "ru",
+        "sv",
+        "zh"
+    ],
+    "request_parameter_supported": true,
+    "request_uri_parameter_supported": false
+}
@@ -0,0 +1,725 @@
+# Coturn TURN SERVER configuration file
+#
+# Boolean values note: where a boolean value is supposed to be used,
+# you can use '0', 'off', 'no', 'false', or 'f' as 'false,
+# and you can use '1', 'on', 'yes', 'true', or 't' as 'true'
+# If the value is missing, then it means 'true' by default.
+#
+
+# Listener interface device (optional, Linux only).
+# NOT RECOMMENDED.
+#
+#listening-device=eth0
+
+# TURN listener port for UDP and TCP (Default: 3478).
+# Note: actually, TLS & DTLS sessions can connect to the
+# "plain" TCP & UDP port(s), too - if allowed by configuration.
+#
+listening-port=3478
+
+# TURN listener port for TLS (Default: 5349).
+# Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
+# port(s), too - if allowed by configuration. The TURN server
+# "automatically" recognizes the type of traffic. Actually, two listening
+# endpoints (the "plain" one and the "tls" one) are equivalent in terms of
+# functionality; but Coturn keeps both endpoints to satisfy the RFC 5766 specs.
+# For secure TCP connections, Coturn currently supports SSL version 3 and
+# TLS version 1.0, 1.1 and 1.2.
+# For secure UDP connections, Coturn supports DTLS version 1.
+#
+tls-listening-port=5349
+
+# Alternative listening port for UDP and TCP listeners;
+# default (or zero) value means "listening port plus one".
+# This is needed for RFC 5780 support
+# (STUN extension specs, NAT behavior discovery). The TURN Server
+# supports RFC 5780 only if it is started with more than one
+# listening IP address of the same family (IPv4 or IPv6).
+# RFC 5780 is supported only by UDP protocol, other protocols
+# are listening to that endpoint only for "symmetry".
+#
+#alt-listening-port=0
+
+# Alternative listening port for TLS and DTLS protocols.
+# Default (or zero) value means "TLS listening port plus one".
+#
+#alt-tls-listening-port=0
+
+# Some network setups will require using a TCP reverse proxy in front
+# of the STUN server. If the proxy port option is set a single listener
+# is started on the given port that accepts connections using the
+# haproxy proxy protocol v2.
+# (https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)
+#
+#tcp-proxy-port=5555
+
+# Listener IP address of relay server. Multiple listeners can be specified.
+# If no IP(s) specified in the config file or in the command line options,
+# then all IPv4 and IPv6 system IPs will be used for listening.
+#
+#listening-ip=172.17.19.101
+#listening-ip=10.207.21.238
+#listening-ip=2607:f0d0:1002:51::4
+
+# Auxiliary STUN/TURN server listening endpoint.
+# Aux servers have almost full TURN and STUN functionality.
+# The (minor) limitations are:
+#
+# 1) Auxiliary servers do not have alternative ports and
+# they do not support STUN RFC 5780 functionality (CHANGE REQUEST).
+#
+# 2) Auxiliary servers also are never returning ALTERNATIVE-SERVER reply.
+#
+# Valid formats are 1.2.3.4:5555 for IPv4 and [1:2::3:4]:5555 for IPv6.
+#
+# There may be multiple aux-server options, each will be used for listening
+# to client requests.
+#
+#aux-server=172.17.19.110:33478
+#aux-server=[2607:f0d0:1002:51::4]:33478
+
+# (recommended for older Linuxes only)
+# Automatically balance UDP traffic over auxiliary servers (if configured).
+# The load balancing is using the ALTERNATE-SERVER mechanism.
+# The TURN client must support 300 ALTERNATE-SERVER response for this
+# functionality.
+#
+#udp-self-balance
+
+# Relay interface device for relay sockets (optional, Linux only).
+# NOT RECOMMENDED.
+#
+#relay-device=eth1
+
+# Relay address (the local IP address that will be used to relay the
+# packets to the peer).
+# Multiple relay addresses may be used.
+# The same IP(s) can be used as both listening IP(s) and relay IP(s).
+#
+# If no relay IP(s) specified, then the turnserver will apply the default
+# policy: it will decide itself which relay addresses to be used, and it
+# will always be using the client socket IP address as the relay IP address
+# of the TURN session (if the requested relay address family is the same
+# as the family of the client socket).
+#
+#relay-ip=172.17.19.105
+#relay-ip=2607:f0d0:1002:51::5
+
+# For Amazon EC2 users:
+#
+# TURN Server public/private address mapping, if the server is behind NAT.
+# In that situation, if a -X is used in form "-X <ip>" then that ip will be reported
+# as relay IP address of all allocations. This scenario works only in a simple case
+# when one single relay address is be used, and no RFC5780 functionality is required.
+# That single relay address must be mapped by NAT to the 'external' IP.
+# The "external-ip" value, if not empty, is returned in XOR-RELAYED-ADDRESS field.
+# For that 'external' IP, NAT must forward ports directly (relayed port 12345
+# must be always mapped to the same 'external' port 12345).
+#
+# In more complex case when more than one IP address is involved,
+# that option must be used several times, each entry must
+# have form "-X <public-ip/private-ip>", to map all involved addresses.
+# RFC5780 NAT discovery STUN functionality will work correctly,
+# if the addresses are mapped properly, even when the TURN server itself
+# is behind A NAT.
+#
+# By default, this value is empty, and no address mapping is used.
+#
+# external-ip=193.224.22.37
+#
+#OR:
+#
+#external-ip=60.70.80.91/172.17.19.101
+#external-ip=60.70.80.92/172.17.19.102
+
+external-ip=108.29.206.17
+
+# Number of the relay threads to handle the established connections
+# (in addition to authentication thread and the listener thread).
+# If explicitly set to 0 then application runs relay process in a
+# single thread, in the same thread with the listener process
+# (the authentication thread will still be a separate thread).
+#
+# If this parameter is not set, then the default OS-dependent
+# thread pattern algorithm will be employed. Usually the default
+# algorithm is optimal, so you have to change this option
+# if you want to make some fine tweaks.
+#
+# In the older systems (Linux kernel before 3.9),
+# the number of UDP threads is always one thread per network listening
+# endpoint - including the auxiliary endpoints - unless 0 (zero) or
+# 1 (one) value is set.
+#
+#relay-threads=0
+
+# Lower and upper bounds of the UDP relay endpoints:
+# (default values are 49152 and 65535)
+#
+min-port=49152
+max-port=65535
+
+# Uncomment to run TURN server in 'normal' 'moderate' verbose mode.
+# By default the verbose mode is off.
+#verbose
+
+# Uncomment to run TURN server in 'extra' verbose mode.
+# This mode is very annoying and produces lots of output.
+# Not recommended under normal circumstances.
+#
+#Verbose
+
+# Uncomment to use fingerprints in the TURN messages.
+# By default the fingerprints are off.
+#
+fingerprint
+
+# Uncomment to use long-term credential mechanism.
+# By default no credentials mechanism is used (any user allowed).
+#
+lt-cred-mech
+
+# This option is the opposite of lt-cred-mech.
+# (TURN Server with no-auth option allows anonymous access).
+# If neither option is defined, and no users are defined,
+# then no-auth is default. If at least one user is defined,
+# in this file, in command line or in usersdb file, then
+# lt-cred-mech is default.
+#
+#no-auth
+
+# TURN REST API flag.
+# (Time Limited Long Term Credential)
+# Flag that sets a special authorization option that is based upon authentication secret.
+#
+# This feature's purpose is to support "TURN Server REST API", see
+# "TURN REST API" link in the project's page
+# https://github.com/coturn/coturn/
+#
+# This option is used with timestamp:
+#
+# usercombo -> "timestamp:userid"
+# turn user -> usercombo
+# turn password -> base64(hmac(secret key, usercombo))
+#
+# This allows TURN credentials to be accounted for a specific user id.
+# If you don't have a suitable id, then the timestamp alone can be used.
+# This option is enabled by turning on secret-based authentication.
+# The actual value of the secret is defined either by the option static-auth-secret,
+# or can be found in the turn_secret table in the database (see below).
+#
+# Read more about it:
+#  - https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00
+#  - https://www.ietf.org/proceedings/87/slides/slides-87-behave-10.pdf
+#
+# Be aware that use-auth-secret overrides some parts of lt-cred-mech.
+# The use-auth-secret feature depends internally on lt-cred-mech, so if you set
+# this option then it automatically enables lt-cred-mech internally
+# as if you had enabled both.
+#
+# Note that you can use only one auth mechanism at the same time! This is because,
+# both mechanisms conduct username and password validation in different ways.
+#
+# Use either lt-cred-mech or use-auth-secret in the conf
+# to avoid any confusion.
+#
+#use-auth-secret
+
+# 'Static' authentication secret value (a string) for TURN REST API only.
+# If not set, then the turn server
+# will try to use the 'dynamic' value in the turn_secret table
+# in the user database (if present). The database-stored  value can be changed on-the-fly
+# by a separate program, so this is why that mode is considered 'dynamic'.
+#
+#static-auth-secret=north
+
+# Server name used for
+# the oAuth authentication purposes.
+# The default value is the realm name.
+#
+# server-name=stun.wiretrustee.com
+
+# Flag that allows oAuth authentication.
+#
+#oauth
+
+# 'Static' user accounts for the long term credentials mechanism, only.
+# This option cannot be used with TURN REST API.
+# 'Static' user accounts are NOT dynamically checked by the turnserver process,
+# so they can NOT be changed while the turnserver is running.
+#
+#user=username1:key1
+#user=username2:key2
+# OR:
+user=self:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_TURN_PASSWORD'] }}
+#user=username2:password2
+#
+# Keys must be generated by turnadmin utility. The key value depends
+# on user name, realm, and password:
+#
+# Example:
+# $ turnadmin -k -u ninefingers -r north.gov -p youhavetoberealistic
+# Output: 0xbc807ee29df3c9ffa736523fb2c4e8ee
+# ('0x' in the beginning of the key is what differentiates the key from
+# password. If it has 0x then it is a key, otherwise it is a password).
+#
+# The corresponding user account entry in the config file will be:
+#
+#user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee
+# Or, equivalently, with open clear password (less secure):
+#user=ninefingers:youhavetoberealistic
+#
+
+# SQLite database file name.
+#
+# The default file name is /var/db/turndb or /usr/local/var/db/turndb or
+# /var/lib/turn/turndb.
+#
+#userdb=/var/db/turndb
+
+# PostgreSQL database connection string in the case that you are using PostgreSQL
+# as the user database.
+# This database can be used for the long-term credential mechanism
+# and it can store the secret value for secret-based timed authentication in TURN REST API.
+# See http://www.postgresql.org/docs/8.4/static/libpq-connect.html for 8.x PostgreSQL
+# versions connection string format, see
+# http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING
+# for 9.x and newer connection string formats.
+#
+#psql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> connect_timeout=30"
+
+# MySQL database connection string in the case that you are using MySQL
+# as the user database.
+# This database can be used for the long-term credential mechanism
+# and it can store the secret value for secret-based timed authentication in TURN REST API.
+#
+# Optional connection string parameters for the secure communications (SSL):
+# ca, capath, cert, key, cipher
+# (see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the
+# command options description).
+#
+# Use the string format below (space separated parameters, all optional):
+#
+# mysql-userdb="host=mysql dbname=coturn user=coturn password=CHANGE_ME port=3306 connect_timeout=10 read_timeout=10"
+
+# If you want to use an encrypted password in the MySQL connection string,
+# then set the MySQL password encryption secret key file with this option.
+#
+# Warning: If this option is set, then the mysql password must be set in "mysql-userdb" in an encrypted format!
+# If you want to use a cleartext password then do not set this option!
+#
+# This is the file path for the aes encrypted secret key used for password encryption.
+#
+#secret-key-file=/path/
+
+# MongoDB database connection string in the case that you are using MongoDB
+# as the user database.
+# This database can be used for long-term credential mechanism
+# and it can store the secret value for secret-based timed authentication in TURN REST API.
+# Use the string format described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html
+#
+#mongo-userdb="mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]"
+
+# Redis database connection string in the case that you are using Redis
+# as the user database.
+# This database can be used for long-term credential mechanism
+# and it can store the secret value for secret-based timed authentication in TURN REST API.
+# Use the string format below (space separated parameters, all optional):
+#
+#redis-userdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
+
+# Redis status and statistics database connection string, if used (default - empty, no Redis stats DB used).
+# This database keeps allocations status information, and it can be also used for publishing
+# and delivering traffic and allocation event notifications.
+# The connection string has the same parameters as redis-userdb connection string.
+# Use the string format below (space separated parameters, all optional):
+#
+#redis-statsdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
+
+# The default realm to be used for the users when no explicit
+# origin/realm relationship is found in the database, or if the TURN
+# server is not using any database (just the commands-line settings
+# and the userdb file). Must be used with long-term credentials
+# mechanism or with TURN REST API.
+#
+# Note: If the default realm is not specified, then realm falls back to the host domain name.
+#       If the domain name string is empty, or set to '(None)', then it is initialized as an empty string.
+#
+# realm=wiretrustee.com
+# This flag sets the origin consistency
+# check. Across the session, all requests must have the same
+# main ORIGIN attribute value (if the ORIGIN was
+# initially used by the session).
+#
+#check-origin-consistency
+
+# Per-user allocation quota.
+# default value is 0 (no quota, unlimited number of sessions per user).
+# This option can also be set through the database, for a particular realm.
+#
+#user-quota=0
+
+# Total allocation quota.
+# default value is 0 (no quota).
+# This option can also be set through the database, for a particular realm.
+#
+#total-quota=0
+
+# Max bytes-per-second bandwidth a TURN session is allowed to handle
+# (input and output network streams are treated separately). Anything above
+# that limit will be dropped or temporarily suppressed (within
+# the available buffer limits).
+# This option can also be set through the database, for a particular realm.
+#
+#max-bps=0
+
+#
+# Maximum server capacity.
+# Total bytes-per-second bandwidth the TURN server is allowed to allocate
+# for the sessions, combined (input and output network streams are treated separately).
+#
+# bps-capacity=0
+
+# Uncomment if no UDP client listener is desired.
+# By default UDP client listener is always started.
+#
+#no-udp
+
+# Uncomment if no TCP client listener is desired.
+# By default TCP client listener is always started.
+#
+#no-tcp
+
+# Uncomment if no TLS client listener is desired.
+# By default TLS client listener is always started.
+#
+#no-tls
+
+# Uncomment if no DTLS client listener is desired.
+# By default DTLS client listener is always started.
+#
+#no-dtls
+
+# Uncomment if no UDP relay endpoints are allowed.
+# By default UDP relay endpoints are enabled (like in RFC 5766).
+#
+#no-udp-relay
+
+# Uncomment if no TCP relay endpoints are allowed.
+# By default TCP relay endpoints are enabled (like in RFC 6062).
+#
+#no-tcp-relay
+
+# Uncomment if extra security is desired,
+# with nonce value having a limited lifetime.
+# The nonce value is unique for a session.
+# Set this option to limit the nonce lifetime.
+# Set it to 0 for unlimited lifetime.
+# It defaults to 600 secs (10 min) if no value is provided. After that delay,
+# the client will get 438 error and will have to re-authenticate itself.
+#
+#stale-nonce=600
+
+# Uncomment if you want to set the maximum allocation
+# time before it has to be refreshed.
+# Default is 3600s.
+#
+#max-allocate-lifetime=3600
+
+
+# Uncomment to set the lifetime for the channel.
+# Default value is 600 secs (10 minutes).
+# This value MUST not be changed for production purposes.
+#
+#channel-lifetime=600
+
+# Uncomment to set the permission lifetime.
+# Default to 300 secs (5 minutes).
+# In production this value MUST not be changed,
+# however it can be useful for test purposes.
+#
+#permission-lifetime=300
+
+# Certificate file.
+# Use an absolute path or path relative to the
+# configuration file.
+# Use PEM file format.
+#
+cert=/etc/coturn/certs/cert.pem
+
+# Private key file.
+# Use an absolute path or path relative to the
+# configuration file.
+# Use PEM file format.
+#
+pkey=/etc/coturn/private/privkey.pem
+
+# Private key file password, if it is in encoded format.
+# This option has no default value.
+#
+#pkey-pwd=...
+
+# Allowed OpenSSL cipher list for TLS/DTLS connections.
+# Default value is "DEFAULT".
+#
+#cipher-list="DEFAULT"
+
+# CA file in OpenSSL format.
+# Forces TURN server to verify the client SSL certificates.
+# By default this is not set: there is no default value and the client
+# certificate is not checked.
+#
+# Example:
+#CA-file=/etc/ssh/id_rsa.cert
+
+# Curve name for EC ciphers, if supported by OpenSSL
+# library (TLS and DTLS). The default value is prime256v1,
+# if pre-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+,
+# an optimal curve will be automatically calculated, if not defined
+# by this option.
+#
+#ec-curve-name=prime256v1
+
+# Use 566 bits predefined DH TLS key. Default size of the key is 2066.
+#
+#dh566
+
+# Use 1066 bits predefined DH TLS key. Default size of the key is 2066.
+#
+#dh1066
+
+# Use custom DH TLS key, stored in PEM format in the file.
+# Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.
+#
+#dh-file=<DH-PEM-file-name>
+
+# Flag to prevent stdout log messages.
+# By default, all log messages go to both stdout and to
+# the configured log file. With this option everything will
+# go to the configured log only (unless the log file itself is stdout).
+#
+#no-stdout-log
+
+# Option to set the log file name.
+# By default, the turnserver tries to open a log file in
+# /var/log, /var/tmp, /tmp and the current directory
+# (Whichever file open operation succeeds first will be used).
+# With this option you can set the definite log file name.
+# The special names are "stdout" and "-" - they will force everything
+# to the stdout. Also, the "syslog" name will force everything to
+# the system log (syslog).
+# In the runtime, the logfile can be reset with the SIGHUP signal
+# to the turnserver process.
+#
+log-file=stdout
+
+# Option to redirect all log output into system log (syslog).
+#
+# syslog
+
+# This flag means that no log file rollover will be used, and the log file
+# name will be constructed as-is, without PID and date appendage.
+# This option can be used, for example, together with the logrotate tool.
+#
+#simple-log
+
+# Option to set the "redirection" mode. The value of this option
+# will be the address of the alternate server for UDP & TCP service in the form of
+# <ip>[:<port>]. The server will send this value in the attribute
+# ALTERNATE-SERVER, with error 300, on ALLOCATE request, to the client.
+# Client will receive only values with the same address family
+# as the client network endpoint address family.
+# See RFC 5389 and RFC 5766 for the description of ALTERNATE-SERVER functionality.
+# The client must use the obtained value for subsequent TURN communications.
+# If more than one --alternate-server option is provided, then the functionality
+# can be more accurately described as "load-balancing" than a mere "redirection".
+# If the port number is omitted, then the default port
+# number 3478 for the UDP/TCP protocols will be used.
+# Colon (:) characters in IPv6 addresses may conflict with the syntax of
+# the option. To alleviate this conflict, literal IPv6 addresses are enclosed
+# in square brackets in such resource identifiers, for example:
+# [2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 .
+# Multiple alternate servers can be set. They will be used in the
+# round-robin manner. All servers in the pool are considered of equal weight and
+# the load will be distributed equally. For example, if you have 4 alternate servers,
+# then each server will receive 25% of ALLOCATE requests. A alternate TURN server
+# address can be used more than one time with the alternate-server option, so this
+# can emulate "weighting" of the servers.
+#
+# Examples:
+#alternate-server=1.2.3.4:5678
+#alternate-server=11.22.33.44:56789
+#alternate-server=5.6.7.8
+#alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
+
+# Option to set alternative server for TLS & DTLS services in form of
+# <ip>:<port>. If the port number is omitted, then the default port
+# number 5349 for the TLS/DTLS protocols will be used. See the previous
+# option for the functionality description.
+#
+# Examples:
+#tls-alternate-server=1.2.3.4:5678
+#tls-alternate-server=11.22.33.44:56789
+#tls-alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
+
+# Option to suppress TURN functionality, only STUN requests will be processed.
+# Run as STUN server only, all TURN requests will be ignored.
+# By default, this option is NOT set.
+#
+#stun-only
+
+# Option to hide software version. Enhance security when used in production.
+# Revealing the specific software version of the agent through the
+# SOFTWARE attribute might allow them to become more vulnerable to
+# attacks against software that is known to contain security holes.
+# Implementers SHOULD make usage of the SOFTWARE attribute a
+# configurable option (https://tools.ietf.org/html/rfc5389#section-16.1.2)
+#
+no-software-attribute
+
+# Option to suppress STUN functionality, only TURN requests will be processed.
+# Run as TURN server only, all STUN requests will be ignored.
+# By default, this option is NOT set.
+#
+#no-stun
+
+# This is the timestamp/username separator symbol (character) in TURN REST API.
+# The default value is ':'.
+# rest-api-separator=:
+
+# Flag that can be used to allow peers on the loopback addresses (127.x.x.x and ::1).
+# This is an extra security measure.
+#
+# (To avoid any security issue that allowing loopback access may raise,
+# the no-loopback-peers option is replaced by allow-loopback-peers.)
+#
+# Allow it only for testing in a development environment!
+# In production it adds a possible security vulnerability, so for security reasons
+# it is not allowed using it together with empty cli-password.
+#
+#allow-loopback-peers
+
+# Flag that can be used to disallow peers on well-known broadcast addresses (224.0.0.0 and above, and FFXX:*).
+# This is an extra security measure.
+#
+#no-multicast-peers
+
+# Option to set the max time, in seconds, allowed for full allocation establishment.
+# Default is 60 seconds.
+#
+#max-allocate-timeout=60
+
+# Option to allow or ban specific ip addresses or ranges of ip addresses.
+# If an ip address is specified as both allowed and denied, then the ip address is
+# considered to be allowed. This is useful when you wish to ban a range of ip
+# addresses, except for a few specific ips within that range.
+#
+# This can be used when you do not want users of the turn server to be able to access
+# machines reachable by the turn server, but would otherwise be unreachable from the
+# internet (e.g. when the turn server is sitting behind a NAT)
+#
+# Examples:
+# denied-peer-ip=83.166.64.0-83.166.95.255
+# allowed-peer-ip=83.166.68.45
+
+# File name to store the pid of the process.
+# Default is /var/run/turnserver.pid (if superuser account is used) or
+# /var/tmp/turnserver.pid .
+#
+pidfile="/var/tmp/turnserver.pid"
+
+# Require authentication of the STUN Binding request.
+# By default, the clients are allowed anonymous access to the STUN Binding functionality.
+#
+#secure-stun
+
+# Mobility with ICE (MICE) specs support.
+#
+#mobility
+
+# Allocate Address Family according
+# If enabled then TURN server allocates address family according  the TURN
+# Client <=> Server communication address family.
+# (By default Coturn works according RFC 6156.)
+# !!Warning: Enabling this option breaks RFC6156 section-4.2 (violates use default IPv4)!!
+#
+#keep-address-family
+
+
+# User name to run the process. After the initialization, the turnserver process
+# will attempt to change the current user ID to that user.
+#
+#proc-user=<user-name>
+
+# Group name to run the process. After the initialization, the turnserver process
+# will attempt to change the current group ID to that group.
+#
+#proc-group=<group-name>
+
+# Turn OFF the CLI support.
+# By default it is always ON.
+# See also options cli-ip and cli-port.
+#
+no-cli
+
+#Local system IP address to be used for CLI server endpoint. Default value
+# is 127.0.0.1.
+#
+# cli-ip=127.0.0.1
+
+# CLI server port. Default is 5766.
+#
+# cli-port=5766
+
+# CLI access password. Default is empty (no password).
+# For the security reasons, it is recommended that you use the encrypted
+# form of the password (see the -P command in the turnadmin utility).
+#
+# Secure form for password 'qwerty':
+#
+#cli-password=$5$79a316b350311570$81df9cfb9af7f5e5a76eada31e7097b663a0670f99a3c07ded3f1c8e59c5658a
+#
+# Or insecure form for the same password:
+#
+# cli-password=CHANGE_ME
+
+# Enable Web-admin support on https. By default it is Disabled.
+# If it is enabled it also enables a http a simple static banner page
+# with a small reminder that the admin page is available only on https.
+#
+#web-admin
+
+# Local system IP address to be used for Web-admin server endpoint. Default value is 127.0.0.1.
+#
+#web-admin-ip=127.0.0.1
+
+# Web-admin server port. Default is 8080.
+#
+#web-admin-port=8080
+
+# Web-admin server listen on STUN/TURN worker threads
+# By default it is disabled for security reasons! (Not recommended in any production environment!)
+#
+#web-admin-listen-on-workers
+
+# Server relay. NON-STANDARD AND DANGEROUS OPTION.
+# Only for those applications when you want to run
+# server applications on the relay endpoints.
+# This option eliminates the IP permissions check on
+# the packets incoming to the relay endpoints.
+#
+#server-relay
+
+# Maximum number of output sessions in ps CLI command.
+# This value can be changed on-the-fly in CLI. The default value is 256.
+#
+#cli-max-output-sessions
+
+# Set network engine type for the process (for internal purposes).
+#
+#ne=[1|2|3]
+
+# Do not allow an TLS/DTLS version of protocol
+#
+#no-tlsv1
+#no-tlsv1_1
+#no-tlsv1_2
@@ -0,0 +1,11 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+<clickhouse>
+    <profiles>
+        <default>
+            <log_queries>0</log_queries>
+            <log_query_threads>0</log_query_threads>
+        </default>
+    </profiles>
+</clickhouse>
@@ -30,9 +30,6 @@ message_db:
 smtp_server:
  default_port: 25
  default_bind_address: "::"
-  tls_enabled: true
-  tls_certificate_path: /config/certs/fullchain.pem
-  tls_private_key_path: /config/certs/privkey.pem

 dns:
  # Specify the DNS records that you have configured. Refer to the documentation at
@@ -1,225 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-# This is an example configuration file that documents all the options.
-# It will need to be modified for your specific use case.
-# These are not default values. You MUST review the config settings and properly configure this EXAMPLE file.
-# Please refer to the link below for more details on how to set up the configuration file
-# https://github.com/StuffAnThings/qbit_manage/wiki/Config-Setup
-
-commands:
-  # The commands defined below will OVERRIDE any commands used in command line and docker env variables.
-  dry_run: True
-  recheck: False
-  cat_update: False
-  tag_update: False
-  rem_unregistered: False
-  tag_tracker_error: False
-  rem_orphaned: False
-  tag_nohardlinks: False
-  share_limits: False
-  skip_qb_version_check: False
-  skip_cleanup: False
-
-qbt:
-  # qBittorrent parameters
-  # Pass environment variables to the config via !ENV tag
-  host: qbittorrentvpn:8080
-  user: admin
-  pass: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['DELUGEVPN_PASSWORD'] }}
-
-settings:
-  force_auto_tmm: False # Will force qBittorrent to enable Automatic Torrent Management for each torrent.
-  force_auto_tmm_ignore_tags: #Torrents with these tags will be ignored when force_auto_tmm is enabled.
-    - cross-seed
-    - Upload
-  tracker_error_tag: issue # Will set the tag of any torrents that do not have a working tracker.
-  nohardlinks_tag: noHL # Will set the tag of any torrents with no hardlinks.
-  stalled_tag: stalledDL # Will set the tag of any torrents stalled downloading.
-  share_limits_tag: ~share_limit # Will add this tag when applying share limits to provide an easy way to filter torrents by share limit group/priority for each torrent
-  share_limits_min_seeding_time_tag: MinSeedTimeNotReached # Tag to be added to torrents that have not yet reached the minimum seeding time
-  share_limits_min_num_seeds_tag: MinSeedsNotMet # Tag to be added to torrents that have not yet reached the minimum number of seeds
-  share_limits_last_active_tag: LastActiveLimitNotReached # Tag to be added to torrents that have not yet reached the last active limit
-  cat_filter_completed: True # Filters for completed torrents only when running cat_update command
-  share_limits_filter_completed: True # Filters for completed torrents only when running share_limits command
-  tag_nohardlinks_filter_completed: True # Filters for completed torrents only when running tag_nohardlinks command
-  rem_unregistered_filter_completed: False # Filters for completed torrents only when running rem_unregistered command
-  cat_update_all: True # Checks and updates all torrent categories if set to True when running cat_update command, otherwise only update torrents that are uncategorized
-  disable_qbt_default_share_limits: True # Allows QBM to handle share limits by disabling qBittorrents default Share limits. Only active when the share_limits command is set to True
-  tag_stalled_torrents: True # Tags any downloading torrents that are stalled with the `stalledDL` tag when running the tag_update command
-  rem_unregistered_ignore_list: # Ignores a list of words found in the status of the tracker when running rem_unregistered command and will not remove the torrent if matched
-    - example placeholder words
-    - ignore if found
-
-directory:
-  # Do not remove these
-  # root_dir var: </your/path/here/>  # Root downloads directory used to check for orphaned files, noHL, and RecycleBin.
-  # <OPTIONAL> remote_dir var: </your/path/here/>  # Path of docker host mapping of root_dir.
-  # remote_dir must be set if you're running qbit_manage locally and qBittorrent/cross_seed is in a docker
-  # remote_dir should not be set if qbit_manage is running in a container
-  # <OPTIONAL> recycle_bin var: </your/path/here/>   # Path of the RecycleBin folder. Default location is set to remote_dir/.RecycleBin
-  # <OPTIONAL> torrents_dir var: </your/path/here/>  # Path of the your qbittorrent torrents directory. Required for `save_torrents` attribute in recyclebin
-  # <OPTIONAL> orphaned_dir var: </your/path/here/>  # Path of the the Orphaned Data folder. This is similar to RecycleBin, but only for orphaned data.
-  root_dir: "/downloads"
-  # remote_dir: "/host/path/to/torrents/ifdocker/torrents/"
-  # recycle_bin: "/path/to/.RecycleBin"
-  torrents_dir: "/downloads/completed/torrent"
-
-cat:
-  # Category & Path Parameters
-  # All save paths in qbittorent must be populated below.
-  # If you want to leave a save_path as uncategorized you can use the key 'Uncategorized' as the name of the category.
-  # You can use Unix filename pattern matching as well when specifying the save_path
-  # <Category Name> : <save_path>  # Path of your save directory.
-  lidarr: "/downloads/completed/torrent/music"
-  # prowlarr: "/data/torrents"
-  radarr: "/downloads/completed/torrent/movies"
-  readarr: "/downloads/completed/torrent/ebooks"
-  tv-sonarr: "/downloads/completed/torrent//tv"
-
-cat_change:
-  # This moves all the torrents from one category to another category. This executes on --cat-update
-  # WARNING: if the paths are different and Default Torrent Management Mode is set to automatic the files could be moved !!!
-  # <Old Category Name> : <New Category>
-  CatA.cross-seed: CatA
-  CatB.cross-seed: CatB
-
-tracker:
-  # Mandatory
-  # Tag Parameters
-  # <Tracker URL Keyword>:    # <MANDATORY> This is the keyword in the tracker url. You can define multiple tracker urls by splitting with `|` delimiter
-  # <MANDATORY> Set tag name. Can be a list of tags or a single tag
-  #   tag: <Tag Name>
-  # <OPTIONAL> Set the category based on tracker URL. This category option takes priority over the category defined by save directory
-  #   cat: <Category Name>
-  # <OPTIONAL> Set this to the notifiarr react name. This is used to add indexer reactions to the notifications sent by Notifiarr
-  #   notifiarr: <notifiarr indexer>
-  animebytes.tv:
-    tag: AnimeBytes
-    notifiarr: animebytes
-  avistaz:
-    tag:
-      - Avistaz
-      - tag2
-      - tag3
-    notifiarr: avistaz
-  beyond-hd:
-    tag: [Beyond-HD, tag2, tag3]
-    cat: movies
-    notifiarr: beyondhd
-  blutopia:
-    tag: Blutopia
-    notifiarr: blutopia
-  cartoonchaos:
-    tag: CartoonChaos
-  digitalcore:
-    tag: DigitalCore
-    notifiarr: digitalcore
-  gazellegames:
-    tag: GGn
-  hdts:
-    tag: HDTorrents
-  landof.tv:
-    tag: BroadcasTheNet
-    notifiarr: broadcasthenet
-  myanonamouse:
-    tag: MaM
-  passthepopcorn:
-    tag: PassThePopcorn
-    notifiarr: passthepopcorn
-  privatehd:
-    tag: PrivateHD
-    notifiarr:
-  torrentdb:
-    tag: TorrentDB
-    notifiarr: torrentdb
-  torrentleech|tleechreload:
-    tag: TorrentLeech
-    notifiarr: torrentleech
-  tv-vault:
-    tag: TV-Vault
-  # The "other" key is a special keyword and if defined will tag any other trackers that don't match the above trackers into this tag
-  other:
-    tag: other
-
-nohardlinks:
-  # Tag Movies/Series that are not hard linked outside the root directory
-  # Mandatory to fill out directory parameter above to use this function (root_dir/remote_dir)
-  # This variable should be set to your category name of your completed movies/completed series in qbit. Acceptable variable can be any category you would like to tag if there are no hardlinks found
-  movies-completed-4k:
-  series-completed-4k:
-  movies-completed:
-    # <OPTIONAL> exclude_tags var: Will exclude torrents with any of the following tags when searching through the category.
-    exclude_tags:
-      - Beyond-HD
-      - AnimeBytes
-      - MaM
-    # <OPTIONAL> ignore_root_dir var: Will ignore any hardlinks detected in the same root_dir (Default True).
-    ignore_root_dir: true
-  # Can have additional categories set with separate ratio/seeding times defined.
-  series-completed:
-    # <OPTIONAL> exclude_tags var: Will exclude torrents with any of the following tags when searching through the category.
-    exclude_tags:
-      - Beyond-HD
-      - BroadcasTheNet
-    # <OPTIONAL> ignore_root_dir var: Will ignore any hardlinks detected in the same root_dir (Default True).
-    ignore_root_dir: true
-
-share_limits:
-  # Control how torrent share limits are set depending on the priority of your grouping
-  # Each torrent will be matched with the share limit group with the highest priority that meets the group filter criteria.
-  # Each torrent can only be matched with one share limit group
-  # This variable is mandatory and is a text defining the name of your grouping. This can be any string you want
-  spacesaver:
-    priority: 2
-    max_ratio: 3
-    min_last_active: 24h
-    cleanup: false
-  default:
-    priority: 999
-    max_ratio: -1
-    max_seeding_time: -1
-    cleanup: false
-recyclebin:
-  # Recycle Bin method of deletion will move files into the recycle bin (Located in /root_dir/.RecycleBin) instead of directly deleting them in qbit
-  # By default the Recycle Bin will be emptied on every run of the qbit_manage script if empty_after_x_days is defined.
-  enabled: true
-  # <OPTIONAL> empty_after_x_days var:
-  # Will automatically remove all files and folders in recycle bin after x days. (Checks every script run)
-  # If this variable is not defined it, the RecycleBin will never be emptied.
-  # WARNING: Setting this variable to 0 will delete all files immediately upon script run!
-  empty_after_x_days: 60
-  # <OPTIONAL> save_torrents var:
-  # If this option is set to true you MUST fill out the torrents_dir in the directory attribute.
-  # This will save a copy of your .torrent and .fastresume file in the recycle bin before deleting it from qbittorrent
-  save_torrents: true
-  # <OPTIONAL> split_by_category var:
-  # This will split the recycle bin folder by the save path defined in the `cat` attribute
-  # and add the base folder name of the recycle bin that was defined in the `recycle_bin` sub-attribute under directory.
-  split_by_category: false
-
-orphaned:
-  # Orphaned files are those in the root_dir download directory that are not referenced by any active torrents.
-  # Will automatically remove all files and folders in orphaned data after x days. (Checks every script run)
-  # If this variable is not defined it, the orphaned data will never be emptied.
-  # WARNING: Setting this variable to 0 will delete all files immediately upon script run!
-  empty_after_x_days: 60
-  # File patterns that will not be considered orphaned files. Handy for generated files that aren't part of the torrent but belong with the torrent's files
-  exclude_patterns:
-    - "**/.DS_Store"
-    - "**/Thumbs.db"
-    - "**/@eaDir"
-    - "/data/torrents/temp/**"
-    - "**/*.!qB"
-    - "**/*_unpackerred"
-  # Set your desired threshold for the maximum number of orphaned files qbm will delete in a single run. (-1 to disable safeguards)
-  # This will help reduce the number of accidental large amount orphaned deletions in a single run
-  # WARNING: Setting this variable to -1 will not safeguard against any deletions
-  max_orphaned_files_to_delete: 50
-
-apprise:
-  # Apprise integration with webhooks
-  # Leave Empty/Blank to disable
-  # Mandatory to fill out the url of your apprise API endpoint
-  api_url: http://apprise-api:8000
-  # Mandatory to fill out the notification url/urls based on the notification services provided by apprise. https://github.com/caronc/apprise/wiki
-  notify_url: gotify://gotify/{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['APPRISE_GOTIFY_TOKEN'] }}
@@ -1,48 +0,0 @@
-# This is a generic example of a configuration file
-# Rename this file to `config.yml`, copy it to a `config` folder, and mount that folder as per the docker-compose.example.yml
-# Only uncomment the lines you want to use/modify, or add new ones where needed
-
-exclude:
-  # Exclude platforms to be scanned
-  platforms: [] # ['my_excluded_platform_1', 'my_excluded_platform_2']
-
-  # Exclude roms or parts of roms to be scanned
-  roms:
-    # Single file games section.
-    # Will not apply to files that are in sub-folders (multi-disc roms, games with updates, DLC, patches, etc.)
-    single_file:
-      # Exclude all files with certain extensions to be scanned
-      extensions: [] # ['xml', 'txt']
-
-      # Exclude matched file names to be scanned.
-      # Supports unix filename pattern matching
-      # Can also exclude files by extension
-      names: [] # ['info.txt', '._*', '*.nfo']
-
-    # Multi files games section
-    # Will apply to files that are in sub-folders (multi-disc roms, games with updates, DLC, patches, etc.)
-    multi_file:
-      # Exclude matched 'folder' names to be scanned (RomM identifies folders as multi file games)
-      names: [] # ['my_multi_file_game', 'DLC']
-
-      # Exclude files within sub-folders.
-      parts:
-        # Exclude matched file names to be scanned from multi file roms
-        # Keep in mind that RomM doesn't scan folders inside multi files games,
-        # so there is no need to exclude folders from inside of multi files games.
-        names: [] # ['data.xml', '._*'] # Supports unix filename pattern matching
-
-        # Exclude all files with certain extensions to be scanned from multi file roms
-        extensions: [] # ['xml', 'txt']
-
-system:
-  # Asociate different platform names to your current file system platform names
-  # [your custom platform folder name]: [RomM platform name]
-  # In this example if you have a 'gc' folder, RomM will treat it like the 'ngc' folder and if you have a 'psx' folder, RomM will treat it like the 'ps' folder
-  platforms: {} # { gc: 'ngc', psx: 'ps' }
-
-  # Asociate one platform to it's main version
-  versions: {} # { naomi: 'arcade' }
-
-# The folder name where your roms are located
-filesystem: {} # { roms_folder: 'roms' } For example if your folder structure is /home/user/library/roms_folder
@@ -342,7 +342,7 @@ host = news.newshosting.com
 port = 563
 timeout = 60
 username = thetrezuredone
-password = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSK_USER_PASSWORD'] }}
+password = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSKD_PASSWORD'] }}
 connections = 8
 ssl = 1
 ssl_verify = 3
@@ -100,7 +100,7 @@ server:
 redis:
  # URL to connect redis database. Is overwritten by ${SEARXNG_REDIS_URL}.
  # https://docs.searxng.org/admin/settings/settings_redis.html#settings-redis
-  url: redis://searxng-valkey:6379/0
+  url: redis://redis:6379/0

 ui:
  # Custom static path - leave it blank if you didn't change
@@ -211,13 +211,11 @@ outgoing:

 # Comment or un-comment plugin to activate / deactivate by default.
 #
-enabled_plugins:
+# enabled_plugins:
 #   # these plugins are enabled if nothing is configured ..
-  - 'Hash plugin'
-  - 'Self Information'
-  - 'Tracker URL remover'
-  - 'Basic Calculator'
-  - 'Unit converter plugin'
+#   - 'Hash plugin'
+#   - 'Self Information'
+#   - 'Tracker URL remover'
 #   - 'Ahmia blacklist'  # activation depends on outgoing.using_tor_proxy
 #   # these plugins are disabled if nothing is configured ..
 #   - 'Hostname replace'  # see hostname_replace configuration below
@@ -1,75 +0,0 @@
-<?xml version="1.0"?>
-<clickhouse>
-    <!-- ZooKeeper is used to store metadata about replicas, when using Replicated tables.
-         Optional. If you don't use replicated tables, you could omit that.
-
-         See https://clickhouse.com/docs/en/engines/table-engines/mergetree-family/replication/
-      -->
-    <zookeeper>
-        <node index="1">
-            <host>signoz-zookeeper-1</host>
-            <port>2181</port>
-        </node>
-        <node index="2">
-            <host>zookeeper-2</host>
-            <port>2181</port>
-        </node>
-        <node index="3">
-            <host>zookeeper-3</host>
-            <port>2181</port>
-        </node>
-    </zookeeper>
-
-    <!-- Configuration of clusters that could be used in Distributed tables.
-         https://clickhouse.com/docs/en/operations/table_engines/distributed/
-      -->
-    <remote_servers>
-        <cluster>
-            <!-- Inter-server per-cluster secret for Distributed queries
-                 default: no secret (no authentication will be performed)
-
-                 If set, then Distributed queries will be validated on shards, so at least:
-                 - such cluster should exist on the shard,
-                 - such cluster should have the same secret.
-
-                 And also (and which is more important), the initial_user will
-                 be used as current user for the query.
-
-                 Right now the protocol is pretty simple and it only takes into account:
-                 - cluster name
-                 - query
-
-                 Also it will be nice if the following will be implemented:
-                 - source hostname (see interserver_http_host), but then it will depends from DNS,
-                   it can use IP address instead, but then the you need to get correct on the initiator node.
-                 - target hostname / ip address (same notes as for source hostname)
-                 - time-based security tokens
-            -->
-            <!-- <secret></secret> -->
-            <shard>
-                <!-- Optional. Whether to write data to just one of the replicas. Default: false (write data to all replicas). -->
-                <!-- <internal_replication>false</internal_replication> -->
-                <!-- Optional. Shard weight when writing data. Default: 1. -->
-                <!-- <weight>1</weight> -->
-                <replica>
-                    <host>signoz-clickhouse</host>
-                    <port>9000</port>
-                    <!-- Optional. Priority of the replica for load_balancing. Default: 1 (less value has more priority). -->
-                    <!-- <priority>1</priority> -->
-                </replica>
-            </shard>
-            <shard>
-                <replica>
-                    <host>clickhouse-2</host>
-                    <port>9000</port>
-                </replica>
-            </shard>
-            <shard>
-                <replica>
-                    <host>clickhouse-3</host>
-                    <port>9000</port>
-                </replica>
-            </shard>
-        </cluster>
-    </remote_servers>
-</clickhouse>
@@ -1,75 +0,0 @@
-<?xml version="1.0"?>
-<clickhouse>
-    <!-- ZooKeeper is used to store metadata about replicas, when using Replicated tables.
-         Optional. If you don't use replicated tables, you could omit that.
-
-         See https://clickhouse.com/docs/en/engines/table-engines/mergetree-family/replication/
-      -->
-    <zookeeper>
-        <node index="1">
-            <host>signoz-zookeeper-1</host>
-            <port>2181</port>
-        </node>
-        <!-- <node index="2">
-            <host>zookeeper-2</host>
-            <port>2181</port>
-        </node>
-        <node index="3">
-            <host>zookeeper-3</host>
-            <port>2181</port>
-        </node> -->
-    </zookeeper>
-
-    <!-- Configuration of clusters that could be used in Distributed tables.
-         https://clickhouse.com/docs/en/operations/table_engines/distributed/
-      -->
-    <remote_servers>
-        <cluster>
-            <!-- Inter-server per-cluster secret for Distributed queries
-                 default: no secret (no authentication will be performed)
-
-                 If set, then Distributed queries will be validated on shards, so at least:
-                 - such cluster should exist on the shard,
-                 - such cluster should have the same secret.
-
-                 And also (and which is more important), the initial_user will
-                 be used as current user for the query.
-
-                 Right now the protocol is pretty simple and it only takes into account:
-                 - cluster name
-                 - query
-
-                 Also it will be nice if the following will be implemented:
-                 - source hostname (see interserver_http_host), but then it will depends from DNS,
-                   it can use IP address instead, but then the you need to get correct on the initiator node.
-                 - target hostname / ip address (same notes as for source hostname)
-                 - time-based security tokens
-            -->
-            <!-- <secret></secret> -->
-            <shard>
-                <!-- Optional. Whether to write data to just one of the replicas. Default: false (write data to all replicas). -->
-                <!-- <internal_replication>false</internal_replication> -->
-                <!-- Optional. Shard weight when writing data. Default: 1. -->
-                <!-- <weight>1</weight> -->
-                <replica>
-                    <host>signoz-clickhouse</host>
-                    <port>9000</port>
-                    <!-- Optional. Priority of the replica for load_balancing. Default: 1 (less value has more priority). -->
-                    <!-- <priority>1</priority> -->
-                </replica>
-            </shard>
-            <!-- <shard>
-                <replica>
-                    <host>clickhouse-2</host>
-                    <port>9000</port>
-                </replica>
-            </shard>
-            <shard>
-                <replica>
-                    <host>clickhouse-3</host>
-                    <port>9000</port>
-                </replica>
-            </shard> -->
-        </cluster>
-    </remote_servers>
-</clickhouse>
@@ -1,21 +0,0 @@
-<functions>
-    <function>
-        <type>executable</type>
-        <name>histogramQuantile</name>
-        <return_type>Float64</return_type>
-        <argument>
-            <type>Array(Float64)</type>
-            <name>buckets</name>
-        </argument>
-        <argument>
-            <type>Array(Float64)</type>
-            <name>counts</name>
-        </argument>
-        <argument>
-            <type>Float64</type>
-            <name>quantile</name>
-        </argument>
-        <format>CSV</format>
-        <command>./histogramQuantile</command>
-    </function>
-</functions>
@@ -1,41 +0,0 @@
-<?xml version="1.0"?>
-<clickhouse>
-<storage_configuration>
-    <disks>
-        <default>
-            <keep_free_space_bytes>10485760</keep_free_space_bytes>
-        </default>
-        <s3>
-            <type>s3</type>
-            <!-- For S3 cold storage,
-                    if region is us-east-1, endpoint can be https://<bucket-name>.s3.amazonaws.com
-                    if region is not us-east-1, endpoint should be https://<bucket-name>.s3-<region>.amazonaws.com
-                For GCS cold storage,
-                    endpoint should be https://storage.googleapis.com/<bucket-name>/data/
-                -->
-            <endpoint>https://BUCKET-NAME.s3-REGION-NAME.amazonaws.com/data/</endpoint>
-            <access_key_id>ACCESS-KEY-ID</access_key_id>
-            <secret_access_key>SECRET-ACCESS-KEY</secret_access_key>
-            <!-- In case of S3, uncomment the below configuration in case you want to read
-                AWS credentials from the Environment variables if they exist. -->
-            <!-- <use_environment_credentials>true</use_environment_credentials> -->
-            <!-- In case of GCS, uncomment the below configuration, since GCS does
-                not support batch deletion and result in error messages in logs. -->
-            <!-- <support_batch_delete>false</support_batch_delete> -->
-        </s3>
-   </disks>
-   <policies>
-       <tiered>
-           <volumes>
-                <default>
-                    <disk>default</disk>
-                </default>
-                <s3>
-                    <disk>s3</disk>
-                    <perform_ttl_move_on_insert>0</perform_ttl_move_on_insert>
-                </s3>
-            </volumes>
-        </tiered>
-    </policies>
-</storage_configuration>
-</clickhouse>
@@ -1,123 +0,0 @@
-<?xml version="1.0"?>
-<clickhouse>
-    <!-- See also the files in users.d directory where the settings can be overridden. -->
-
-    <!-- Profiles of settings. -->
-    <profiles>
-        <!-- Default settings. -->
-        <default>
-            <!-- Maximum memory usage for processing single query, in bytes. -->
-            <max_memory_usage>10000000000</max_memory_usage>
-
-            <!-- How to choose between replicas during distributed query processing.
-                 random - choose random replica from set of replicas with minimum number of errors
-                 nearest_hostname - from set of replicas with minimum number of errors, choose replica
-                  with minimum number of different symbols between replica's hostname and local hostname
-                  (Hamming distance).
-                 in_order - first live replica is chosen in specified order.
-                 first_or_random - if first replica one has higher number of errors, pick a random one from replicas with minimum number of errors.
-            -->
-            <load_balancing>random</load_balancing>
-        </default>
-
-        <!-- Profile that allows only read queries. -->
-        <readonly>
-            <readonly>1</readonly>
-        </readonly>
-    </profiles>
-
-    <!-- Users and ACL. -->
-    <users>
-        <!-- If user name was not specified, 'default' user is used. -->
-        <default>
-            <!-- See also the files in users.d directory where the password can be overridden.
-
-                 Password could be specified in plaintext or in SHA256 (in hex format).
-
-                 If you want to specify password in plaintext (not recommended), place it in 'password' element.
-                 Example: <password>qwerty</password>.
-                 Password could be empty.
-
-                 If you want to specify SHA256, place it in 'password_sha256_hex' element.
-                 Example: <password_sha256_hex>65e84be33532fb784c48129675f9eff3a682b27168c0ea744b2cf58ee02337c5</password_sha256_hex>
-                 Restrictions of SHA256: impossibility to connect to ClickHouse using MySQL JS client (as of July 2019).
-
-                 If you want to specify double SHA1, place it in 'password_double_sha1_hex' element.
-                 Example: <password_double_sha1_hex>e395796d6546b1b65db9d665cd43f0e858dd4303</password_double_sha1_hex>
-
-                 If you want to specify a previously defined LDAP server (see 'ldap_servers' in the main config) for authentication,
-                  place its name in 'server' element inside 'ldap' element.
-                 Example: <ldap><server>my_ldap_server</server></ldap>
-
-                 If you want to authenticate the user via Kerberos (assuming Kerberos is enabled, see 'kerberos' in the main config),
-                  place 'kerberos' element instead of 'password' (and similar) elements.
-                 The name part of the canonical principal name of the initiator must match the user name for authentication to succeed.
-                 You can also place 'realm' element inside 'kerberos' element to further restrict authentication to only those requests
-                  whose initiator's realm matches it.
-                 Example: <kerberos />
-                 Example: <kerberos><realm>EXAMPLE.COM</realm></kerberos>
-
-                 How to generate decent password:
-                 Execute: PASSWORD=$(base64 < /dev/urandom | head -c8); echo "$PASSWORD"; echo -n "$PASSWORD" | sha256sum | tr -d '-'
-                 In first line will be password and in second - corresponding SHA256.
-
-                 How to generate double SHA1:
-                 Execute: PASSWORD=$(base64 < /dev/urandom | head -c8); echo "$PASSWORD"; echo -n "$PASSWORD" | sha1sum | tr -d '-' | xxd -r -p | sha1sum | tr -d '-'
-                 In first line will be password and in second - corresponding double SHA1.
-            -->
-            <password></password>
-
-            <!-- List of networks with open access.
-
-                 To open access from everywhere, specify:
-                    <ip>::/0</ip>
-
-                 To open access only from localhost, specify:
-                    <ip>::1</ip>
-                    <ip>127.0.0.1</ip>
-
-                 Each element of list has one of the following forms:
-                 <ip> IP-address or network mask. Examples: 213.180.204.3 or 10.0.0.1/8 or 10.0.0.1/255.255.255.0
-                     2a02:6b8::3 or 2a02:6b8::3/64 or 2a02:6b8::3/ffff:ffff:ffff:ffff::.
-                 <host> Hostname. Example: server01.clickhouse.com.
-                     To check access, DNS query is performed, and all received addresses compared to peer address.
-                 <host_regexp> Regular expression for host names. Example, ^server\d\d-\d\d-\d\.clickhouse\.com$
-                     To check access, DNS PTR query is performed for peer address and then regexp is applied.
-                     Then, for result of PTR query, another DNS query is performed and all received addresses compared to peer address.
-                     Strongly recommended that regexp is ends with $
-                 All results of DNS requests are cached till server restart.
-            -->
-            <networks>
-                <ip>::/0</ip>
-            </networks>
-
-            <!-- Settings profile for user. -->
-            <profile>default</profile>
-
-            <!-- Quota for user. -->
-            <quota>default</quota>
-
-            <!-- User can create other users and grant rights to them. -->
-            <!-- <access_management>1</access_management> -->
-        </default>
-    </users>
-
-    <!-- Quotas. -->
-    <quotas>
-        <!-- Name of quota. -->
-        <default>
-            <!-- Limits for time interval. You could specify many intervals with different limits. -->
-            <interval>
-                <!-- Length of interval. -->
-                <duration>3600</duration>
-
-                <!-- No limits. Just calculate resource usage for time interval. -->
-                <queries>0</queries>
-                <errors>0</errors>
-                <result_rows>0</result_rows>
-                <read_rows>0</read_rows>
-                <execution_time>0</execution_time>
-            </interval>
-        </default>
-    </quotas>
-</clickhouse>
@@ -1,222 +0,0 @@
-receivers:
-  httplogreceiver/json:
-    endpoint: 0.0.0.0:8082
-    source: json
-  otlp:
-    protocols:
-      grpc:
-        endpoint: 0.0.0.0:4317
-      http:
-        endpoint: 0.0.0.0:4318
-  hostmetrics:
-    collection_interval: 60s  # Frequency of metrics collection.
-    scrapers:
-      cpu: {}
-      load: {}
-      memory: {}
-      disk: {}
-      filesystem: {}
-      network: {}
-  docker_stats:
-    endpoint: unix:///var/run/docker.sock
-    collection_interval: 30s
-    timeout: 10s
-    api_version: "1.51"
-    metrics:
-      container.uptime:
-        enabled: true
-      container.restarts:
-        enabled: true
-      container.network.io.usage.rx_errors:
-        enabled: true
-      container.network.io.usage.tx_errors:
-        enabled: true
-      container.network.io.usage.rx_packets:
-        enabled: true
-      container.network.io.usage.tx_packets:
-        enabled: true
-  filelog/nginx-access-logs:
-    include: ["${env:NGINX_ACCESS_LOG_FILE}"]
-    operators:
-      # Parse the default nginx access log format. Nginx defaults to the "combined" log format
-      # $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
-      # For more details, see https://nginx.org/en/docs/http/ngx_http_log_module.html
-      - type: regex_parser
-        if: body matches '^(?P<remote_addr>[0-9\\.]+) - (?P<remote_user>[^\\s]+) \\[(?P<ts>.+)\\] "(?P<request_method>\\w+?) (?P<request_path>.+?)" (?P<status>[0-9]+) (?P<body_bytes_sent>[0-9]+) "(?P<http_referrer>.+?)" "(?P<http_user_agent>.+?)"$'
-        parse_from: body
-        parse_to: attributes
-        regex: '^(?P<remote_addr>[0-9\.]+) - (?P<remote_user>[^\s]+) \[(?P<ts>.+)\] "(?P<request_method>\w+?) (?P<request_path>.+?)" (?P<status>[0-9]+) (?P<body_bytes_sent>[0-9]+) "(?P<http_referrer>.+?)" "(?P<http_user_agent>.+?)"$'
-        timestamp:
-          parse_from: attributes.ts
-          layout: "02/Jan/2006:15:04:05 -0700"
-          layout_type: gotime
-        severity:
-          parse_from: attributes.status
-          overwrite_text: true
-          mapping:
-            debug: "1xx"
-            info:
-              - "2xx"
-              - "3xx"
-            warn: "4xx"
-            error: "5xx"
-      - type: remove
-        if: attributes.ts != nil
-        field: attributes.ts
-      - type: add
-        field: attributes.source
-        value: nginx
-
-  filelog/nginx-error-logs:
-    include: ["${env:NGINX_ERROR_LOG_FILE}"]
-    operators:
-      # Parse the default nginx error log format.
-      # YYYY/MM/DD HH:MM:SS [LEVEL] PID#TID: *CID MESSAGE
-      # For more details, see https://github.com/phusion/nginx/blob/master/src/core/ngx_log.c
-      - type: regex_parser
-        if: body matches '^(?P<ts>.+?) \\[(?P<log_level>\\w+)\\] (?P<pid>\\d+)#(?P<tid>\\d+). \\*(?P<cid>\\d+) (?P<message>.+)$'
-        parse_from: body
-        parse_to: attributes
-        regex: '^(?P<ts>.+?) \[(?P<log_level>\w+)\] (?P<pid>\d+)#(?P<tid>\d+). \*(?P<cid>\d+) (?P<message>.+)$'
-        timestamp:
-          parse_from: attributes.ts
-          layout: "2006/01/02 15:04:05"
-          layout_type: gotime
-        severity:
-          parse_from: attributes.log_level
-          overwrite_text: true
-          mapping:
-            debug: "debug"
-            info:
-              - "info"
-              - "notice"
-            warn: "warn"
-            error:
-              - "error"
-              - "crit"
-              - "alert"
-            fatal: "emerg"
-      - type: remove
-        if: attributes.ts != nil
-        field: attributes.ts
-      - type: move
-        if: attributes.message != nil
-        from: attributes.message
-        to: body
-      - type: add
-        field: attributes.source
-        value: nginx
-  prometheus:
-    config:
-      global:
-        scrape_interval: 60s
-      scrape_configs:
-        - job_name: otel-collector
-          static_configs:
-          - targets:
-              - localhost:8888
-            labels:
-              job_name: otel-collector
-processors:
-  batch:
-    send_batch_size: 10000
-    send_batch_max_size: 11000
-    timeout: 10s
-  resourcedetection:
-    detectors: [env, system]
-    system:
-      hostname_sources: [os]
-  resourcedetection/env:
-    detectors: [env]
-    timeout: 2s
-    override: false
-  resourcedetection/system:
-    detectors: ["system"]
-    system:
-      hostname_sources: ["dns", "os"]
-  resourcedetection/docker:
-    detectors: [env, docker]
-    timeout: 2s
-    override: false
-  signozspanmetrics/delta:
-    metrics_exporter: clickhousemetricswrite, signozclickhousemetrics
-    metrics_flush_interval: 60s
-    latency_histogram_buckets: [100us, 1ms, 2ms, 6ms, 10ms, 50ms, 100ms, 250ms, 500ms, 1000ms, 1400ms, 2000ms, 5s, 10s, 20s, 40s, 60s ]
-    dimensions_cache_size: 100000
-    aggregation_temporality: AGGREGATION_TEMPORALITY_DELTA
-    enable_exp_histogram: true
-    dimensions:
-      - name: service.namespace
-        default: default
-      - name: deployment.environment
-        default: default
-      # This is added to ensure the uniqueness of the timeseries
-      # Otherwise, identical timeseries produced by multiple replicas of
-      # collectors result in incorrect APM metrics
-      - name: signoz.collector.id
-      - name: service.version
-      - name: browser.platform
-      - name: browser.mobile
-      - name: k8s.cluster.name
-      - name: k8s.node.name
-      - name: k8s.namespace.name
-      - name: host.name
-      - name: host.type
-      - name: container.name
-extensions:
-  health_check:
-    endpoint: 0.0.0.0:13133
-  pprof:
-    endpoint: 0.0.0.0:1777
-exporters:
-  clickhousetraces:
-    datasource: tcp://clickhouse:9000/signoz_traces
-    low_cardinal_exception_grouping: ${env:LOW_CARDINAL_EXCEPTION_GROUPING}
-    use_new_schema: true
-  clickhousemetricswrite:
-    endpoint: tcp://clickhouse:9000/signoz_metrics
-    disable_v2: true
-    resource_to_telemetry_conversion:
-      enabled: true
-  clickhousemetricswrite/prometheus:
-    endpoint: tcp://clickhouse:9000/signoz_metrics
-    disable_v2: true
-  signozclickhousemetrics:
-    dsn: tcp://clickhouse:9000/signoz_metrics
-  clickhouselogsexporter:
-    dsn: tcp://clickhouse:9000/signoz_logs
-    timeout: 10s
-    use_new_schema: true
-  # debug: {}
-  otlp/nginx-logs:
-    endpoint: "localhost:4317"
-    tls:
-      insecure: true
-service:
-  telemetry:
-    logs:
-      encoding: json
-  extensions:
-    - health_check
-    - pprof
-  pipelines:
-    traces:
-      receivers: [otlp]
-      processors: [signozspanmetrics/delta, batch]
-      exporters: [clickhousetraces]
-    metrics:
-      receivers: [otlp]
-      processors: [batch]
-      exporters: [clickhousemetricswrite, signozclickhousemetrics, resourcedetection/docker, resourcedetection/system]
-    metrics/hostmetrics:
-      receivers: [hostmetrics]
-      processors: [resourcedetection, resource/env]
-      exporters: [otlp]
-    metrics/prometheus:
-      receivers: [prometheus]
-      processors: [batch]
-      exporters: [clickhousemetricswrite/prometheus, signozclickhousemetrics]
-    logs:
-      receivers: [otlp, tcplog/docker, httplogreceiver/json]
-      processors: [batch]
-      exporters: [clickhouselogsexporter]
@@ -1 +0,0 @@
-server_endpoint: ws://signoz-app:4320/v1/opamp
@@ -1,25 +0,0 @@
-# my global config
-global:
-  scrape_interval:     5s # Set the scrape interval to every 15 seconds. Default is every 1 minute.
-  evaluation_interval: 15s # Evaluate rules every 15 seconds. The default is every 1 minute.
-  # scrape_timeout is set to the global default (10s).
-
-# Alertmanager configuration
-alerting:
-  alertmanagers:
-  - static_configs:
-    - targets:
-      - alertmanager:9093
-
-# Load rules once and periodically evaluate them according to the global 'evaluation_interval'.
-rule_files: []
-  # - "first_rules.yml"
-  # - "second_rules.yml"
-  # - 'alerts.yml'
-
-# A scrape configuration containing exactly one endpoint to scrape:
-# Here it's Prometheus itself.
-scrape_configs: []
-
-remote_read:
-  - url: tcp://clickhouse:9000/signoz_metrics
@@ -1,76 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-[Lidarr]
-api_key = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIDARR_API_KEY'] }}
-host_url = http://lidarr:8686
-#This should be the path mounted in lidarr that points to your slskd download directory.
-#If Lidarr is not running in Docker then this may just be the same dir as Slskd is using below.
-download_dir = /storage
-
-[Slskd]
-#Api key from Slskd. Need to set this up manually. See link to Slskd docs above.
-api_key = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSKD_API_KEY'] }}
-host_url = http://gluetun:5030
-#Slskd download directory. Should have set it up when installing Slskd.
-download_dir = /app/downloads
-#Removes searches from Slskd after the search finishes.
-delete_searches = False
-#Maximum time (in seconds) that the script will wait for downloads to complete.
-#This is used to prevent the script from running forever due to a stalled download. Defaults to 1 hour.
-stalled_timeout = 3600
-
-[Release Settings]
-#Selects the release with the most common amount of tracks out of all the releases.
-use_most_common_tracknum = True
-allow_multi_disc = True
-#See full list of countries below.
-accepted_countries = Europe,Japan,United Kingdom,United States,[Worldwide],Australia,Canada
-#See full list of formats below.
-accepted_formats = CD,Digital Media,Vinyl
-
-[Search Settings]
-search_timeout = 5000
-maximum_peer_queue = 50
-#Min upload speed in bit/s
-minimum_peer_upload_speed = 0
-#Min match ratio accepted when comparing lidarr track names to soulseek filenames.
-minimum_filename_match_ratio = 0.5
-#Specify the file types you prefer from most to least. As well as their attributes such as bitrate / samplerate / bitdepth.
-#For flacs you can choose the bitdepth/samplerate. And for mp3s the bitrate.
-#If you do not care about the specific quality you can still just put "flac" or "mp3".
-#Soularr will then just look at the filetype and ignore file attributes.
-allowed_filetypes = flac 24/192,flac 16/44.1,flac,mp3 320,mp3
-ignored_users = User1,User2,Fred,Bob
-#Set to False if you only want to search for complete albums
-search_for_tracks = True
-#Set to True if you want to add the artist's name to the beginning of the search for albums
-album_prepend_artist = False
-track_prepend_artist = True
-#Valid search types: all || incrementing_page || first_page
-  #"all" will search for every wanted record everytime soularr is run.
-  #"incrementing_page" will start with the first page and increment to the next on each run.
-  #"first_page" will repeatedly search the first page.
-#If using the search type "first_page" remove_wanted_on_failure should be enabled.
-search_type = incrementing_page
-#How mancy records to grab each run, must be a number between 1 - 2,147,483,647
-number_of_albums_to_grab = 10
-#Unmonitors the album if Soularr can't find it and places it in "failure_list.txt".
-#Failed albums can be re monitored by filtering "Unmonitored" in the Lidarr wanted list.
-remove_wanted_on_failure = False
-#Comma separated list of words that can't be in the title of albums or tracks. Case insensitive.
-title_blacklist = BlacklistWord1,blacklistword2
-#Lidarr source to use for searching. Accepted values are "all", "missing", or "cutoff_unmet". If "all" is selected
-# then both missing and cutoff_unme will be searched. The default value is "missing".
-search_source = missing
-
-[Logging]
-#These options are passed into the logger's basicConfig() method as-is.
-#This means, if you're familiar with Python's logging module, you can configure
-#the logger with options beyond what's listed here by default.
-#For more information on available options  --  https://docs.python.org/3/library/logging.html#logging.basicConfig
-level = INFO
-# Format of log message  --  https://docs.python.org/3/library/logging.html#logrecord-attributes
-format = [%(levelname)s|%(module)s|L%(lineno)d] %(asctime)s: %(message)s
-# Format of datetimes  --  https://docs.python.org/3/library/time.html#time.strftime
-datefmt = %Y-%m-%dT%H:%M:%S%z
@@ -1,212 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-directories:
-  incomplete: /app/incomplete
-  downloads: /app/downloads
-shares:
-  directories:
-    - /music
-rooms:
-  - '! meow chat :3'
-  - '#ANUS'
-  - '#CORONAVIRUS'
-  - '#Horrorcore'
-  - '#La France'
-  - '#icilombre-hardcore'
-  - '#polska'
-  - '#vegan'
-  - $$RARE RAP MUSIC$$
-  - ([6)]
-  - +Autism+
-  - +BlackMetal+
-  - +HIP_HOP_SCENE_RELEASES+
-  - /mu/
-  - 60lover
-  - 60lover v2
-  - 70 Rare groove Soul Jazz
-  - 80's 12 Inches & More
-  - 90's Rare Riddim !!
-  - 90's emo
-  - <>Electronics Labels<>
-  - ACID
-  - ARGENTINA
-  - "ATLLUMINATI\u201Cawareness"
-  - AUSTRALIA
-  - Alcohol
-  - Ambient
-  - Anime
-  - Audiobooks
-  - Avantgarde
-  - BDSM
-  - BLUES BUNKER MUSIC
-  - BOB DYLAN ROOM
-  - BigEdsClassicRock
-  - BigedsSixties
-  - Blues&Soul
-  - Bootlegged concerts
-  - Brasil
-  - Breakcore
-  - CHILE
-  - Canada
-  - China Room
-  - Chiptunes
-  - Christians
-  - Classical
-  - Come To The Sabbath !
-  - Communism
-  - DEATH METAL CLUB
-  - Dark Ambient
-  - De Koffie Shop
-  - De Kroeg
-  - Deathrock
-  - DieMilitarmusik
-  - Disco Classics
-  - Doom Metal
-  - Doujin Music
-  - Dub Techno
-  - Dubstep
-  - EBM-GOTHIC-INDUSTRIAL
-  - EBooks
-  - Emo
-  - Eurodance
-  - Eurovision Song Contest
-  - Experimental Electronica
-  - FOLK MUSIC
-  - Free Jazz
-  - Furry
-  - Gay
-  - Gothic
-  - Greece
-  - Grindcore
-  - HEE cum eaters 1! !
-  - HOUSE MUSIC LOVERS (AG)
-  - Happy Hardcore
-  - Hardcore NL
-  - Hardcore/punk
-  - Hip Hop
-  - Horror movies
-  - IDM
-  - INDUSTRIAL
-  - IReGGaeGaLaXy
-  - Incredibly Strange Music
-  - Israel
-  - Jaz (Full CDs)
-  - Jazz
-  - Jazz-Rock-Fusion-Guitar
-  - Juggalo Family
-  - Jungle
-  - Korean Music
-  - LANGUAGE EXCHANGE here
-  - LGBTQ+!!
-  - Last.fm
-  - Linux
-  - Lossless Scores
-  - MOVIES
-  - Mac Users
-  - Metal
-  - MovieMusic
-  - NORWAY
-  - New Crystal Vibrations
-  - New Wave
-  - New Zealand
-  - OLD SKOOL GANGSTA SHIT
-  - OLDSCHOOL 88-94
-  - OLI SHOTA CUB ROOM!
-  - Original Blues Bunker
-  - PSYCHEDELIA
-  - PUNK/HARDCORE/GRIND
-  - Portugal
-  - Post Punk
-  - Post-Hardcore (modern)
-  - Progressive Rock
-  - Psychedelic/Acid Rock
-  - Psytrance
-  - Quebec
-  - REGGAE
-  - Rare Music
-  - RareVHS/DVD/Rips
-  - Retro Gaming
-  - Romania
-  - Room Name
-  - SIsk Idiots !!
-  - SLUDGE!
-  - Slovenia
-  - Soundtracks&Scores
-  - Spain
-  - Stoner HiVe
-  - Stoner Rock
-  - Strange Music
-  - TECHNO, Mixes and Tunes
-  - THC
-  - Talia
-  - The Dangerous Kitchen
-  - TheScoreZone
-  - Thrash Metal
-  - Tinmans Movie Room
-  - Trip-Hop
-  - Ttalian_dancefloor
-  - Twee Folks
-  - UK DUB
-  - URIDDIM!!
-  - Ukraine
-  - Underground Hiphop
-  - VAPORWAVE
-  - Video Game Chat
-  - Vinyl Addicts
-  - Vocaloid
-  - WHATCDs
-  - World Music
-  - Yacht Rock
-  - '[German] [Deutsch]'
-  - abbey road Itd
-  - anime cunny
-  - bleeps&klonks
-  - breakbeat
-  - comics
-  - deep house connection
-  - drum'n'bass
-  - eesti mehed
-  - electro
-  - flacfield
-  - food
-  - for Losers
-  - hungary
-  - indie
-  - japanese music
-  - library music
-  - lossless
-  - minimal music
-  - museek
-  - noise
-  - 'on'
-  - postrock
-  - programming
-  - progressive house
-  - public porn
-  - r/musichoarder
-  - ru
-  - shoegaze
-  - tapekvit
-  - test
-  - trancEaddict
-  - trivia
-  - what.cd
-  - what.cd electronic
-  - what.cd-flac
-  - '{Italo Disco'
-web:
-  authentication:
-    username: slskd
-    password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSKD_WEB_PASSSWORD'] }}
-    api_keys:
-      my_api_key:
-        key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSKD_API_KEY'] }}
-        role: readwrite
-        cidr: 0.0.0.0/0,::/0
-soulseek:
-  address: vps.slsknet.org
-  port: 2271
-  username: Trez.One
-  password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSK_USER_PASSWORD'] }}
-  diagnostic_level: Info
@@ -0,0 +1,238 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+# debug: false
+# remote_configuration: false
+# remote_file_management: false
+# instance_name: default
+# flags:
+#   no_logo: false
+#   no_start: false
+#   no_config_watch: false
+#   no_connect: false
+#   no_share_scan: false
+#   force_share_scan: false
+#   no_version_check: false
+#   log_sql: false
+#   experimental: false
+#   volatile: false
+#   case_sensitive_reg_ex: false
+#   legacy_windows_tcp_keepalive: false
+# relay:
+#   enabled: false
+#   mode: controller # controller (default), agent, or debug (for local development)
+#   # controller config is required when running in 'agent' mode
+#   # this specifies the relay controller that will be controlling this agent
+#   controller:
+#     address: https://some.site.com:5000
+#     ignore_certificate_errors: false
+#     api_key: <a 16-255 character string corresponding to one of the controller's 'readwrite' or 'administrator' API keys>
+#     secret: <a 16-255 character shared secret matching the controller's config for this agent>
+#     downloads: false
+#   # agent config is optional when running in 'controller' mode
+#   # this specifies all of the agents capable of connecting
+#   agents:
+#     my_agent:
+#       instance_name: my_agent # make sure the top-level instance_name of the agent matches!
+#       secret: <a 16-255 character string unique to this agent>
+#       cidr: 0.0.0.0/0,::/0
+# permissions:
+#   file:
+#     mode: ~ # not for Windows, chmod syntax, e.g. 644, 777. can't escalate beyond umask
+# directories:
+#   incomplete: ~
+#   downloads: ~
+# shares:
+#   directories:
+#     - ~
+#   filters:
+#     - \.ini$
+#     - Thumbs.db$
+#     - \.DS_Store$
+#   cache:
+#     storage_mode: memory
+#     workers: 16
+#     retention: ~ # retain indefinitely (do not automatically re-scan)
+# rooms:
+#   - ~
+# global:
+#   upload:
+#     slots: 20
+#     speed_limit: 1000 # in kibibytes
+#   limits:
+#     queued:
+#       files: 500
+#       megabytes: 5000
+#     daily:
+#       files: 1000
+#       megabytes: 10000
+#       failures: 200
+#     weekly:
+#       files: 5000
+#       megabytes: 50000
+#       failures: 1000
+#   download:
+#     slots: 500
+#     speed_limit: 1000
+# groups:
+#   default:
+#     upload:
+#       priority: 500
+#       strategy: roundrobin
+#       slots: 10
+#     limits:
+#       queued:
+#         files: 150
+#         megabytes: 1500
+#       daily: ~ # no daily limits (weekly still apply)
+#       weekly:
+#         files: 1500
+#         megabytes: 15000
+#         failures: 150
+#   leechers:
+#     thresholds:
+#       files: 1
+#       directories: 1
+#     upload:
+#       priority: 999
+#       strategy: roundrobin
+#       slots: 1
+#       speed_limit: 100
+#     limits:
+#       queued:
+#         files: 15
+#         megabytes: 150
+#       daily:
+#         files: 30
+#         megabytes: 300
+#         failures: 10
+#       weekly:
+#         files: 150
+#         megabytes: 1500
+#         failures: 30
+#   blacklisted:
+#     members:
+#       - <username to blacklist>
+#     cidrs:
+#       - <CIDR to blacklist, e.g. 255.255.255.255/32>
+#   user_defined:
+#     my_buddies:
+#       upload:
+#         priority: 250
+#         strategy: firstinfirstout
+#         slots: 10
+#       limits:
+#         queued:
+#           files: 1000 # override global default
+#       members:
+#         - alice
+#         - bob
+# blacklist:
+#   enabled: true
+#   file: <path to file containing CIDRs to blacklist>
+# filters:
+#   search:
+#     request:
+#       - ^.{1,2}$
+# web:
+#   port: 5030
+#   https:
+#     disabled: false
+#     port: 5031
+#     force: false
+#     certificate:
+#       pfx: ~
+#       password: ~
+#   url_base: /
+#   content_path: wwwroot
+#   logging: false
+#   authentication:
+#     disabled: false
+#     username: slskd
+#     password: slskd
+#     jwt:
+#       key: ~
+#       ttl: 604800000
+#     api_keys:
+#       my_api_key:
+#         key: <some example string between 16 and 255 characters>
+#         role: readonly # readonly, readwrite, administrator
+#         cidr: 0.0.0.0/0,::/0
+# retention:
+#   transfers:
+#     upload:
+#       succeeded: 1440 # 1 day
+#       errored: 30
+#       cancelled: 5
+#     download:
+#       succeeded: 1440 # 1 day
+#       errored: 20160 # 2 weeks 
+#       cancelled: 5
+#   files:
+#     complete: 20160 # 2 weeks
+#     incomplete: 43200 # 30 days
+#   logs: 259200 # 180 days
+# logger:
+#   disk: false
+#   no_color: false
+#   loki: ~
+# metrics:
+#   enabled: false
+#   url: /metrics
+#   authentication:
+#     disabled: false
+#     username: slskd
+#     password: slskd
+# feature:
+#   swagger: false
+# soulseek:
+#   address: vps.slsknet.org
+#   port: 2271
+#   username: ~
+#   password: ~
+#   description: |
+#     A slskd user. https://github.com/slskd/slskd
+#   listen_ip_address: 0.0.0.0
+#   listen_port: 50300
+#   diagnostic_level: Info
+#   distributed_network:
+#     disabled: false
+#     disable_children: false
+#     child_limit: 25
+#     logging: false
+#   connection:
+#     timeout:
+#       connect: 10000
+#       inactivity: 15000
+#     buffer:
+#       read: 16384
+#       write: 16384
+#       transfer: 262144
+#       write_queue: 250
+#     proxy:
+#       enabled: false
+#       address: ~
+#       port: ~
+#       username: ~
+#       password: ~
+# integration:
+#   ftp:
+#     enabled: false
+#     address: ~
+#     port: ~
+#     username: ~
+#     password: ~
+#     remote_path: /
+#     encryption_mode: auto
+#     ignore_certificate_errors: false
+#     overwrite_existing: true
+#     connection_timeout: 5000
+#     retry_attempts: 3
+#   pushbullet:
+#     enabled: false
+#     access_token: ~
+#     notification_prefix: "From slskd:"
+#     notify_on_private_message: true
+#     notify_on_room_mention: true
+#     retry_attempts: 3
+#     cooldown_time: 900000
@@ -0,0 +1,19 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+{
+  "$schema": "../schemas/v2/index.json",
+  "repos": [
+      {
+          "type": "gitea",
+          "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_GITEA_TOKEN'] }}",
+          "url": "https://git.trez.wtf",
+          "revisions": {
+              "branches": [
+                  "main",
+                  "*"
+              ]
+          }
+      }
+  ]
+}
@@ -0,0 +1,29 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+<?xml version='1.0' encoding='UTF-8'?>
+
+<!DOCTYPE properties SYSTEM 'http://java.sun.com/dtd/properties.dtd'>
+
+<properties>
+
+    <entry key='config.default'>./conf/default.xml</entry>
+
+    <!--
+
+    This is the main configuration file. All your configuration parameters should be placed in this file.
+
+    Default configuration parameters are located in the "default.xml" file. You should not modify it to avoid issues
+    with upgrading to a new version. Parameters in the main config file override values in the default file. Do not
+    remove "config.default" parameter from this file unless you know what you are doing.
+
+    For list of available parameters see following page: https://www.traccar.org/configuration-file/
+
+    -->
+
+    <entry key='database.driver'>org.postgresql.Driver</entry>
+    <entry key='database.url'>jdbc:postgresql://traccar-pg:5432/traccar-db</entry>
+    <entry key='database.user'>traccar</entry>
+    <entry key='database.password'>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['WAZUH_API_PASSWORD'] }}</entry>
+
+</properties>
@@ -0,0 +1,32 @@
+  sources:
+    rinoa_docker_logs:
+      type: docker_logs
+      exclude_containers:
+        - zammad-init
+        - vector
+
+  sinks:
+    parseable:
+      type: http
+      method: post
+      batch:
+        max_bytes: 10485760
+        max_events: 1000
+        timeout_secs: 10
+      compression: gzip
+      inputs:
+        - rinoa_docker_logs
+      encoding:
+        codec: json
+      uri: http://parseable:8000/api/v1/ingest'
+      auth:
+        strategy: basic
+        user: admin
+        password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['PARSEABLE_PASSWORD'] }}
+      request:
+        headers:
+          X-P-Stream: vectordemo
+      healthcheck:
+        enabled: true
+        path: 'http://parseable:8000/api/v1/liveness'
+        port: 80
@@ -0,0 +1,31 @@
+  sources:
+    rinoa_docker_logs:
+      type: docker_logs
+      exclude_containers:
+        - zammad-init
+
+  sinks:
+    parseable:
+      type: http
+      method: post
+      batch:
+        max_bytes: 10485760
+        max_events: 1000
+        timeout_secs: 10
+      compression: gzip
+      inputs:
+        - rinoa_docker_logs
+      encoding:
+        codec: json
+      uri: http://parseable:8000/api/v1/ingest'
+      auth:
+        strategy: basic
+        user: admin
+        password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['PARSEABLE_PASSWORD'] }}
+      request:
+        headers:
+          X-P-Stream: vectordemo
+      healthcheck:
+        enabled: true
+        path: 'http://parseable:8000/api/v1/liveness'
+        port: 80
@@ -0,0 +1,19 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+nodes:
+  # Wazuh indexer server nodes
+  indexer:
+    - name: wazuh.indexer
+      ip: wazuh.indexer
+
+  # Wazuh server nodes
+  # Use node_type only with more than one Wazuh manager
+  server:
+    - name: wazuh.manager
+      ip: wazuh.manager
+
+  # Wazuh dashboard node
+  dashboard:
+    - name: wazuh.dashboard
+      ip: wazuh.dashboard
@@ -0,0 +1,33 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+network.host: "0.0.0.0"
+node.name: "wazuh.indexer"
+path.data: /var/lib/wazuh-indexer
+path.logs: /var/log/wazuh-indexer
+discovery.type: single-node
+http.port: 9200-9299
+transport.tcp.port: 9300-9399
+compatibility.override_main_response_version: true
+plugins.security.ssl.http.pemcert_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.pem
+plugins.security.ssl.http.pemkey_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.key
+plugins.security.ssl.http.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/root-ca.pem
+plugins.security.ssl.transport.pemcert_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.pem
+plugins.security.ssl.transport.pemkey_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.key
+plugins.security.ssl.transport.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/root-ca.pem
+plugins.security.ssl.http.enabled: true
+plugins.security.ssl.transport.enforce_hostname_verification: false
+plugins.security.ssl.transport.resolve_hostname: false
+plugins.security.authcz.admin_dn:
+- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
+plugins.security.check_snapshot_restore_write_privileges: true
+plugins.security.enable_snapshot_restore_privilege: true
+plugins.security.nodes_dn:
+- "CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
+plugins.security.restapi.roles_enabled:
+- "all_access"
+- "security_rest_api_access"
+plugins.security.system_indices.enabled: true
+plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]
+plugins.security.allow_default_init_securityindex: true
+cluster.routing.allocation.disk.threshold_enabled: false
@@ -0,0 +1,10 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+hosts:
+  - 1513629884013:
+      url: "https://wazuh.manager"
+      port: 55000
+      username: wazuh-wui
+      password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['WAZUH_API_PASSWORD'] }}
+      run_as: false
@@ -0,0 +1,43 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+# All possible options and their defaults: https://github.com/zitadel/zitadel/blob/main/cmd/defaults.yaml
+Log:
+  Level: 'debug'
+
+# Make ZITADEL accessible over HTTPs, not HTTP
+ExternalSecure: true
+ExternalDomain: 'id.trez.wtf'
+ExternalPort: 443
+
+# If not using the docker compose example, adjust these values for connecting ZITADEL to your PostgreSQL
+Database:
+  postgres:
+    Host: 'zitadel-pg-db'
+    Port: 5432
+    Database: zitadel
+    User:
+      SSL:
+        Mode: 'disable'
+    Admin:
+      SSL:
+        Mode: 'disable'
+
+DefaultInstance:
+  DomainPolicy:
+    UserLoginMustBeDomain: false
+
+LogStore:
+  Access:
+    Stdout:
+      Enabled: true
+
+SMTPConfiguration:
+    # Configuration of the host
+    SMTP:
+      # must include the port, like smtp.mailtrap.io:2525. IPv6 is also supported, like [2001:db8::1]:2525
+      Host: 'postal-smtp:25'
+      User: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}
+      Password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}
+    From: 'noreply@trez.wtf'
+    FromName: 'Zitadel @ Rinoa'
@@ -0,0 +1,13 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+# All possible options and their defaults: https://github.com/zitadel/zitadel/blob/main/cmd/setup/steps.yaml
+FirstInstance:
+  Org:
+    Human:
+      # use the loginname root@my-org.my.domain
+      Username: 'root'
+      Password: 'RootPassword1!'
+      Email:
+        Address: 'charish.patel@trez.wtf'
+        Verified: true
@@ -0,0 +1,13 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+# If not using the docker compose example, adjust these values for connecting ZITADEL to your PostgreSQL
+Database:
+  postgres:
+    User:
+      # If the user doesn't exist already, it is created
+      Username: 'zitadel'
+      Password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['ZITADEL_DB_PASSWORD'] }}
+    Admin:
+      Username: 'root'
+      Password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['ZITADEL_DB_ADMIN_PASSWORD'] }}
@@ -1,54 +1,20 @@
 ---
- name: Deploy Docker Service Configurations (Modified in Last 10 Minutes)
+- name: Deploy Docker Service Configurations
  hosts: rinoa
  vars:
-    template_base_path: "{{ playbook_dir }}/app-configs"
    appdata_base_path: "~/.docker/config/appdata"

  tasks:
-    - name: Find all Jinja2 templates
-      ansible.builtin.find:
-        paths: "{{ template_base_path }}"
-        patterns: "*.j2"
-        recurse: yes
-      register: jinja_templates
-      delegate_to: localhost
-      run_once: true
-
-    - name: Get parent directories modified in the last 10 minutes
-      ansible.builtin.command: >
-        find {{ template_base_path }} -mindepth 1 -maxdepth 1
-        -type d -mmin -10
-      register: modified_dirs
-      changed_when: false
-      delegate_to: localhost
-      run_once: true
-
-    - name: Set fact for recent directories
-      ansible.builtin.set_fact:
-        recent_dirs: "{{ modified_dirs.stdout_lines }}"
-
-    - name: Filter templates within recently modified folders
-      ansible.builtin.set_fact:
-        selected_templates: >-
-          {{ jinja_templates.files
-             | selectattr('path', 'search', recent_dirs | map('regex_escape') | map('regex_replace', '^', '') | join('|'))
-             | list }}
-
    - name: Ensure target directories exist
      ansible.builtin.file:
-        path: "{{ appdata_base_path }}/{{ item.path | regex_replace('^' + template_base_path + '/', '') | regex_replace('\\.j2$', '') | dirname }}"
+        path: "{{ appdata_base_path }}/{{ (item | basename | regex_replace('\\.j2$', '') | regex_replace('_', '/') | regex_replace('/[^/]+$', '')) }}"
        state: directory
        mode: '0755'
-      loop: "{{ selected_templates }}"
-      loop_control:
-        label: "{{ item.path }}"
+      loop: "{{ query('fileglob', 'app-configs/*.j2') }}"

-    - name: Render and deploy templates
+    - name: Deploy configuration templates
      ansible.builtin.template:
-        src: "{{ item.path }}"
-        dest: "{{ appdata_base_path }}/{{ item.path | regex_replace('^' + template_base_path + '/', '') | regex_replace('\\.j2$', '') }}"
+        src: "{{ item }}"
+        dest: "{{ appdata_base_path }}/{{ item | basename | regex_replace('\\.j2$', '') | regex_replace('_', '/') }}"
        mode: '0644'
-      loop: "{{ selected_templates }}"
-      loop_control:
-        label: "{{ item.path }}"
+      loop: "{{ query('fileglob', 'app-configs/*.j2') }}"
@@ -1,14 +1,14 @@
 vault_addr: "https://vault.trez.wtf"
 vault_token: !vault |
  $ANSIBLE_VAULT;1.1;AES256
-  31616264333530373062366539333738643937326562616130636266646532653862663966663862
-  6336343130363932316237373939656530663339383061360a626433656432633734363635313236
-  36646161663939393035333066656435663064313031636430386163653438336165663432393563
-  3032316331653662310a653930623965303835396239383663306438633738356563633834623036
-  35616132656166663233613937346364343439306561306661633239623837373564323430386635
-  31663762303234326363643262633761363661656538373333396139376132303564336635623632
-  30303166336432653038333733386334323262623736626435623933653035363035383930366166
-  64376639396664303034656533656339363436306638396462333230636136396538303638323338
-  3138
+  66373236656261373330343233616231386539616566613864306436613635323533336365383232
+  6636653139393566643265303135343864363632393035380a643566373137316363626438356431
+  64653237313866316537326565386164373564353166346334663638636531353337303937346466
+  3539366634393337620a653133336530333963343638643934303336653935363932643665353234
+  63343565663632633563396131346139666236313863663332386131633831633566373366613738
+  63343634313539336534666632313736343338623538303434316230383764643432646663356238
+  61373132633062346436363036333533623931313037306633616662623032616137613734343638
+  63633031616161623437623935346366636433653435646333313638376161663237323130636433
+  31383031646666626163323966393738386233346137326231366263316532343563
 vault_token_cleaned: "{{ vault_token | regex_replace('\\n', '') }}"
 secrets_path: "rinoa-docker/env"
@@ -1,13 +1,13 @@
 rinoa:
-  ansible_host: 192.168.1.254
-  ansible_python_interpreter: /usr/bin/python3
-  ansible_ssh_port: 22
-  ansible_ssh_user: charish
-  ansible_ssh_pass: !vault |
-    $ANSIBLE_VAULT;1.1;AES256
-    32303262303733356636343163363062383539623938383439373166623236366664333830653163
-    3134323461373461663638333265643631666437306362350a353632313337316535633838343137
-    37353139396531613763393139653231333666363935613462343831303866363863653161636138
-    3438316261363139650a313161643039366438356462383730663839366562333464636130346132
-    31363235326362396630313966303064373532306638383739373739336661346438336534366537
-    6565643866333964353563346433323861346262323933333732
+        ansible_host: 192.168.1.254
+        ansible_python_interpreter: /usr/bin/python3
+        ansible_ssh_port: 22
+        ansible_ssh_user: charish
+        ansible_ssh_pass: !vault |
+                $ANSIBLE_VAULT;1.1;AES256
+                38346631616139316365316566386362396661323163306339303635646331373061323531626431
+                3435373031363739356261656239633835393963636663370a613166653463656337666366633639
+                37373637326633363430633336646165343764303063663636313835326130663532323037663331
+                6332353339656134370a353435396532663932313535646636333262353238386331313764633635
+                63383065623930653134666261353439366535646661383434386261393232373432353937636535
+                3432336137393737643735346665303832653630316439333565
@@ -1,7 +1,7 @@
 $ANSIBLE_VAULT;1.1;AES256
-32303262303733356636343163363062383539623938383439373166623236366664333830653163
-3134323461373461663638333265643631666437306362350a353632313337316535633838343137
-37353139396531613763393139653231333666363935613462343831303866363863653161636138
-3438316261363139650a313161643039366438356462383730663839366562333464636130346132
-31363235326362396630313966303064373532306638383739373739336661346438336534366537
-6565643866333964353563346433323861346262323933333732
+65353131326537376561616630666531353731653835306564323565383332653437633533313932
+6239663065306339366536326432323534303364663862350a353034623936363066303164333434
+32666331326332363463383234316136323031626330366132643034376439616339396662636236
+3633393039376438630a326138653031656465373966356564336463643465613638313838393166
+36626366356266636535613862333631386231626134376264363731353264613261633037646662
+6431393837653564366531316332616232336365636533643036
Author	SHA1	Message	Date
Trez.One	401f6b68aa	Ansible private key fix (hopefully). Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Check and Create PR (push) Successful in 1m45s Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Docker Compose & Ansible Lints (push) Failing after 11m39s Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Deploy via Ansible & Docker Compose (push) Has been skipped Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Update README & Generate List of Modified Services (push) Has been skipped Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / PR Merge (push) Has been skipped Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Cloudflare DNS Setup (push) Has been skipped Details	2025-02-15 20:58:42 -05:00
Trez.One	e9d1814784	Removing Grafana stack; adding Jinja templates for Vector and Gitea Runner. Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Check and Create PR (push) Failing after 5m6s Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Docker Compose & Ansible Lints (push) Has been skipped Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Cloudflare DNS Setup (push) Has been skipped Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Update README & Generate List of Modified Services (push) Has been skipped Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / PR Merge (push) Has been skipped Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Deploy via Ansible & Docker Compose (push) Has been skipped Details	2025-02-15 19:49:26 -05:00
				`@@ -1 +0,0 @@`
				`server_endpoint: ws://signoz-app:4320/v1/opamp`