Revision bump for Stable-Diffusion-UI.

Auto Merge of PR 26 - hugo-site-spinup
Merged by Trez.One
2025-03-12 07:48:14 -04:00 · 2025-03-11 18:36:17 -04:00 · 2025-03-11 22:35:40 +00:00 · 2025-03-11 15:58:38 -04:00 · 2025-03-11 15:53:28 -04:00 · 2025-03-11 14:17:24 -04:00
29 changed files with 4612 additions and 4518 deletions
@@ -1 +0,0 @@
 {"last_found_secrets": [{"name": "Generic Password - /home/charish/app-configs/searxng_settings.yml.j2", "match": "6e0d657eb1f0fbc40cf0b8f3c3873ef627cc9cb7c4108d1c07d979c04bc8a4bb"}]}
@@ -2,11 +2,10 @@ name: Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deplo
 on:
  push:
    branches-ignore:
-      - main
+      - 'main'
    paths:
      - '**.yml'
 jobs:
  check-and-create-pr:
    if: github.ref != 'refs/heads/main'
    name: Check and Create PR
    runs-on: ubuntu-latest
    steps:
@@ -32,7 +31,6 @@ jobs:
        run: |
          tea login add --name gitea-rinoa --url "${{ secrets.RINOA_GITEA_URL }}" --user gitea-sonarqube-bot --password "${{ secrets.BOT_GITEA_PASSWORD }}" --token ${{ secrets.BOT_GITEA_TOKEN }}
          pr_exists=$(tea pr list --repo ${{ github.repository }} --state open --fields index,title,head | egrep ${{ github.ref_name }} | tail -1 | wc -l)
          echo ${pr_exists}
          echo "exists=$pr_exists" >> $GITHUB_OUTPUT
      - name: Create PR
        if: ${{ steps.check-opened-pr-step.outputs.exists == '0' }}
@@ -40,7 +38,7 @@ jobs:
          tea login default gitea-rinoa
          pr_index_old=$(tea pr ls --repo ${{ github.repository }} --state all --fields index,title,head --output csv | sed -e 's|"||g' | egrep '^[0-9]' | head -1 | awk -F"," '{print $1}')
          pr_index_new=$(expr ${pr_index_old} + 1)
-          tea pr c -r ${{ github.repository }} -t "Automated PR for ${{ github.ref_name }} - #${pr_index_new}" -d "Automatically created PR for branch: ${{ github.ref_name }}" -a ${{ github.actor }}
+          tea pr c -r ${{ github.repository }} -t "Automated PR for ${{ github.ref_name }} - #${pr_index_new}" -d "Automatically created PR for branch: ${{ github.ref_name }}" -a ${{ github.actor }} -L "Docker Compose, Ansible Configs.j2"
  docker-compose-ansible-lints:
    name: Docker Compose & Ansible Lints
    needs: [check-and-create-pr]
@@ -48,21 +46,43 @@ jobs:
    env:
      VAULT_ADDR: ${{ secrets.RINOA_VAULT_ADDR }}
      VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
      VAULT_NAMESPACE: ""
    steps:
      - name: Checkout
        uses: actions/checkout@v4
-      - name: Cache Vault install
+      - name: Cache Ansible Galaxy Collections
-        id: cache-vault
+        uses: actions/cache@v3
        uses: actions/cache@v4
        with:
-          path: /opt/hostedtoolcache/vault/1.18.0/x64
+          path: ansible/collections
-          key: vault-${{ runner.os }}-1.18.0
+          key: ${{ runner.os }}-ansible-${{ hashFiles('./ansible/collections/requirements.yml') }}
          restore-keys: |
            ${{ runner.os }}-ansible-
      - name: Install Ansible
        uses: alex-oleshkevich/setup-ansible@v1.0.1
        with:
          version: "11.0.0"
      - name: Install Vault
-        uses: supplypike/setup-bin@v4
+        uses: cpanato/vault-installer@main
      - name: Install hvac
        run: pip install hvac
      - name: Ansible Playbook Dry Run
        uses: dawidd6/action-ansible-playbook@v2
        with:
-          uri: 'https://releases.hashicorp.com/vault/1.18.0/vault_1.18.0_linux_amd64.zip'
+          directory: ansible/
-          name: 'vault'
+          playbook: docker_config_deploy.yml
-          version: '1.18.0'
+          key: ${{ secrets.RINOA_ANSIBLE_PRIVATE_KEY }}
          options: |
            --inventory inventory/hosts.yml
            --check
          requirements: collections/requirements.yml
          vault_password: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: Ansible Config Dry Run @ Rinoa'
          notification_message: 'Ansible dry run completed successfully.'
      - name: Generate .env file for Docker Compose Dry Run
        run: |
          vault kv get -format=json rinoa-docker/env | jq -r '.data.data' | jq -r 'keys[] as $k | "\($k)='\''\(.[$k])'\''"' > .env
@@ -81,6 +101,13 @@ jobs:
          up-opts: --dry-run -d --remove-orphans
        env:
          DOCKER_HOST: tcp://dockerproxy:2375
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: Docker Compose Dry Run @ Rinoa'
          notification_message: 'Docker Compose dry run completed successfully.'
  cloudflare-dns-setup:
    name: Cloudflare DNS Setup
    needs: [docker-compose-ansible-lints]
@@ -116,6 +143,13 @@ jobs:
        run: |
          yq '.services[].labels.swag_url' docker-compose.yml | egrep -v 'null' | sed -e 's|"||g' | awk -F'.' '{print $1}' | sort > compose_subdomains.txt
          flarectl --json dns list --zone "trez.wtf" --type=CNAME --content "trez.wtf" | jq '.[].Name' | sed -e 's|"||g' | awk -F"." '{print $1}' | sort > cloudflare_subdomains.txt
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: Cloudflare Setup @ Rinoa'
          notification_message: 'Starting Cloudflare setup'
      - name: Compare Subdomains
        id: compare-subdomains
        uses: LouisBrunner/diff-action@v2.2.0
@@ -136,17 +170,39 @@ jobs:
            echo "Creating $subdomain.trez.wtf..."
            flarectl dns create --zone "trez.wtf" --name "${subdomain}" --type=CNAME --content "trez.wtf" --proxy true
          done
-  regenerate-readme:
+      - name: Gotify Notification
-    name: Update README
+        uses: eikendev/gotify-action@master
        with:
          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: Cloudflare Setup @ Rinoa'
          notification_message: 'Cloudflare DNS setup completed successfully.'
  regenerate-readme-modified-services:
    name: Update README & Generate List of Modified Services
    runs-on: ubuntu-latest
    needs: [cloudflare-dns-setup]
-    outputs:
+    # outputs:
-      pr-pushed: ${{ steps.commit-readme.outputs.pushed }}
+    #   pr-pushed: ${{ steps.commit-readme.outputs.pushed }}
    #   modified_services: ${{ steps.compare-services.outputs.modified_services }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Install yq
        uses: dcarbone/install-yq-action@v1
      # - name: Fetch main branch for comparison
      #   run: |
      #     git fetch origin main:main
      # - name: Compare services using yq
      #   continue-on-error: true
      #   id: compare-services
      #   run: |
      #     current_services=$(yq '.services | to_entries' docker-compose.yml)
      #     git show main:docker-compose.yml > main_compose.yml
      #     main_services=$(yq '.services | to_entries' main_compose.yml)
      #     modified_services_file=$(comm -13 <(echo "$main_services") <(echo "$current_services") > changes_compose.yml)
      #     modified_services=${egrep '^  [a-z]' changes.yml | sed -e 's|^  ||g' -e 's|:||g' | sed ':a;N;$!ba;s/\n/ /g'}
      #     echo "Modified services: $modified_services"
      #     echo "modified_services=$modified_services" >> $GITHUB_OUTPUT
      - name: Generate service list
        run: |
          yq '.services | to_entries | map({"service": .key, "image": .value.image})' docker-compose.yml > services.yml
@@ -168,7 +224,7 @@ jobs:
          add: "README.md"
  pr-merge:
    name: PR Merge
-    needs: [regenerate-readme]
+    needs: [regenerate-readme-modified-services]
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
@@ -183,13 +239,20 @@ jobs:
        id: pr_merge
        run: |
          tea login add --name gitea-rinoa --url ${{ secrets.RINOA_GITEA_URL }} --user gitea-sonarqube-bot --password "${{ secrets.BOT_GITEA_PASSWORD }}" --token ${{ secrets.BOT_GITEA_TOKEN }}
          echo "Setting default login for Gitea..."
          tea login default gitea-rinoa
-          pr_index=$(tea pr ls --repo ${{ github.repository }} --state open --fields index,title,head,state --output csv | egrep ${{ github.ref_name }} | awk -F, '{print $1}' | sed -e 's|"||g')
+          echo "Merging PR..."
-          echo "${pr_index}"
+          pr_index=$(tea pr ls --repo ${{ github.repository }} --state open --fields index,title,head,state --output csv | egrep ${{ github.ref_name }} | awk -F"," '{print $1}' | sed -e 's|"||g')
-          tea pr m --repo ${{ github.repository }} --title "Auto Merge of PR #${pr_index} - ${{ github.ref_name }}" --message "Merged by ${{ github.actor }}" --output table ${pr_index}
+          tea pr m --repo ${{ github.repository }} --title "Auto Merge of PR ${pr_index} - ${{ github.ref_name }}" --message "Merged by ${{ github.actor }}" ${pr_index}
          echo "pr_index=${pr_index}" >> $GITHUB_OUTPUT
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: PR Merge Successful'
          notification_message: 'PR #${{ steps.pr_merge.outputs.pr_index }} merged.'
  ansible-config-docker-compose-deploy:
-    name: Deploy via Ansible & Docker Compose
+    name: Ansible Configs & Docker Compose Deployment
    runs-on: ubuntu-latest
    needs: [pr-merge]
    env:
@@ -201,40 +264,56 @@ jobs:
        uses: actions/checkout@v4
        with:
          ref: main
      # - name: Gotify Notification
      #   uses: eikendev/gotify-action@master
      #   with:
      #     gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
      #     gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
      #     notification_title: 'Ansible Config Deployment @ Rinoa'
      #     notification_message: 'Deployment completed successfully.'
      - name: Cache Vault install
        id: cache-vault
        uses: actions/cache@v4
        with:
          path: /opt/hostedtoolcache/vault/1.18.0/x64
          key: vault-${{ runner.os }}-1.18.0
-      - name: Install Vault
+      - name: Install Ansible
-        uses: supplypike/setup-bin@v4
+        uses: alex-oleshkevich/setup-ansible@v1.0.1
        with:
-          uri: 'https://releases.hashicorp.com/vault/1.18.0/vault_1.18.0_linux_amd64.zip'
+          version: "11.0.0"
-          name: 'vault'
+      - name: Install Vault
-          version: '1.18.0'
+        uses: cpanato/vault-installer@main
      - name: Install hvac
        run: pip install hvac
      - name: Deploy Docker Configs via Ansible
        uses: dawidd6/action-ansible-playbook@v2
        with:
          directory: ansible/
          playbook: docker_config_deploy.yml
          key: ${{secrets.RINOA_ANSIBLE_PRIVATE_KEY}}
          options: |
            --inventory inventory/hosts.yml
          requirements: collections/requirements.yml
          vault_password: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: Ansible Config Deployment @ Rinoa'
          notification_message: 'Deployment completed successfully.'
      - name: Generate .env file for deployment
        run: |
           vault kv get -format=json rinoa-docker/env | jq -r '.data.data' | jq -r 'keys[] as $k | "\($k)='\''\(.[$k])'\''"' > .env
      - name: Docker Compose Deployment
        # if: ${{ steps.regenerate-readme-modified-services.outputs.modified_services != '' }}
        timeout-minutes: 360
        continue-on-error: true
        uses: keatonLiu/docker-compose-remote-action@v1.2
        with:
          docker_compose_file: docker-compose.yml
          docker_args: -d --remove-orphans --pull missing --no-recreate
          ssh_user: gitea-deploy
          ssh_host: 192.168.1.254
          ssh_host_public_key: ${{ secrets.RINOA_GITEA_PUBLIC_SSH_KEY }}
          ssh_private_key: ${{ secrets.RINOA_GITEA_PRIVATE_SSH_KEY }}
          docker_compose_file: docker-compose.yml
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
-          gotify_api_base: '${{ secrets.RINOA_GITEA_PUBLIC_SSH_KEY }}'
+          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
-          notification_title: 'Docker Compose Deployment @ Rinoa'
+          notification_title: 'GITEA: Docker Compose Deployment @ Rinoa'
          notification_message: 'Deployment completed successfully.'
@@ -1,2 +1,3 @@
-**/.cache.ggshield
+**/.cache_ggshield
-ansible/collections/ansible_collections/
+ansible/collections/ansible_collections/
 **/.env
@@ -6,30 +6,39 @@
 | --- | --- |
 | actual_server | docker.io/actualbudget/actual-server:latest |
 | adguard | adguard/adguardhome:latest |
-| ansible0guy-webui | ansible0guy/webui:latest |
+| archivebox | archivebox/archivebox:latest |
 | apprise | lscr.io/linuxserver/apprise-api:latest |
 | audiobookshelf | ghcr.io/advplyr/audiobookshelf:latest |
 | authelia | authelia/authelia:master |
 | authelia-pg | postgres:16-alpine |
 | bazarr | lscr.io/linuxserver/bazarr:latest |
 | beszel | henrygd/beszel:latest |
 | beszel-agent | henrygd/beszel-agent:latest |
 | bitmagnet | ghcr.io/bitmagnet-io/bitmagnet:latest |
 | bitmagnet-pg-db | postgres:17-alpine |
 | bitwarden | vaultwarden/server:latest |
-| bluesky-pds | ghcr.io/bluesky-social/pds:latest |
+| bluesky-pds | code.modernleft.org/gravityfargo/bluesky-pds:v0.4.98 |
 | browserless | ghcr.io/browserless/chromium:latest |
-| bunkerweb | bunkerity/bunkerweb:latest |
+| bunkerweb | bunkerity/bunkerweb:1.6.0 |
-| bunkerweb-scheduler | bunkerity/bunkerweb-scheduler:latest |
+| bunkerweb-scheduler | bunkerity/bunkerweb-scheduler:1.6.0 |
-| bunkerweb-ui | bunkerity/bunkerweb-ui:latest |
+| bunkerweb-autoconf | bunkerity/bunkerweb-autoconf:1.6.0 |
 | bunkerweb-ui | bunkerity/bunkerweb-ui:1.6.0 |
 | bytestash | ghcr.io/jordan-dalby/bytestash:latest |
 | castopod | castopod/castopod:latest |
 | cloudflared | cloudflare/cloudflared:latest |
 | cloudflareddns | ghcr.io/hotio/cloudflareddns:latest |
 | convertx | ghcr.io/c4illin/convertx |
 | cronicle | elestio/cronicle:latest |
 | crowdsec | crowdsecurity/crowdsec:latest |
 | crowdsec-dashboard | metabase/metabase |
 | cyber-chef | mpepping/cyberchef:latest |
 | czkawka | jlesage/czkawka |
-| dagu-scheduler | ghcr.io/dagu-org/dagu:latest |
+| dawarich-app | freikin/dawarich:latest |
-| dagu-server | ghcr.io/dagu-org/dagu:latest |
+| dawarich-pg-db | postgis/postgis:17-3.5-alpine |
 | dawarich-sidekiq | freikin/dawarich:latest |
 | dbgate | dbgate/dbgate:alpine |
 | delugevpn | ghcr.io/binhex/arch-delugevpn:latest |
 | docker-socket-proxy | ghcr.io/tecnativa/docker-socket-proxy:latest |
 | docker-volume-backup | offen/docker-volume-backup:v2 |
 | docuseal | docuseal/docuseal:latest |
 | duplicati | lscr.io/linuxserver/duplicati:latest |
 | fastenhealth | ghcr.io/fastenhealth/fasten-onprem:main |
@@ -37,26 +46,22 @@
 | ghost | ghost:latest |
 | gitea | gitea/gitea:1.23.1 |
 | gitea-db | postgres:14 |
 | gitea-opengist | ghcr.io/thomiceli/opengist:latest |
 | gitea-runner | gitea/act_runner:latest |
 | gitea-sonarqube-bot | justusbunsi/gitea-sonarqube-bot:v0.4.0 |
 | gluetun | qmcgaw/gluetun:latest |
 | gotify | gotify/server |
 | grafana | grafana/grafana-enterprise:latest |
 | grafana-alloy | grafana/alloy:latest |
 | grafana-loki | grafana/loki:latest |
 | grafana-mimir | grafana/mimir:latest |
 | grafana-mimir-memcached | memcached |
 | grafana-pyroscope | grafana/pyroscope:latest |
 | grafana-tempo | grafana/tempo:latest |
 | guacamole | flcontainers/guacamole:latest |
 | homepage | ghcr.io/gethomepage/homepage:latest |
 | hortusfox | ghcr.io/danielbrendel/hortusfox-web:latest |
 | hugo | hugomods/hugo:exts |
 | immich-server | ghcr.io/immich-app/immich-server:release |
 | immich-machine-learning | ghcr.io/immich-app/immich-machine-learning:release |
 | immich-pg-db | tensorchord/pgvecto-rs:pg14-v0.2.1 |
 | immich-public-proxy | alangrainger/immich-public-proxy:latest |
 | immich-power-tools | ghcr.io/varun-raj/immich-power-tools:latest |
 | influxdb2 | influxdb:2-alpine |
 | invidious | quay.io/invidious/invidious:latest |
 | invidious-sig-helper | quay.io/invidious/inv-sig-helper:latest |
 | invidious-db | docker.io/library/postgres:14 |
 | invoice_ninja | invoiceninja/invoiceninja:5 |
 | invoice_ninja_proxy | nginx |
 | it-tools | ghcr.io/corentinth/it-tools:latest |
 | jellyfin | jellyfin/jellyfin |
 | jitsi-etherpad | etherpad/etherpad:1.8.6 |
@@ -68,30 +73,37 @@
 | jitsi-web | jitsi/web:stable |
 | joplin-db | postgres:17-alpine |
 | joplin | joplin/server:latest |
 | librechat-api | ghcr.io/danny-avila/librechat-dev:latest |
 | librechat-vectordb | ankane/pgvector:latest |
 | librechat-rag-api | ghcr.io/danny-avila/librechat-rag-api-dev-lite:latest |
 | libretranslate | libretranslate/libretranslate |
 | lidarr | lscr.io/linuxserver/lidarr:latest |
 | lidify | thewicklowwolf/lidify:latest |
 | linkstack | linkstackorg/linkstack:latest |
 | lldap | lldap/lldap:stable |
 | localai | localai/localai:latest-aio-cpu |
 | maloja | krateng/maloja:latest |
 | manyfold | lscr.io/linuxserver/manyfold:latest |
 | mariadb | linuxserver/mariadb |
 | mastodon | lscr.io/linuxserver/mastodon:latest |
 | mastodon-pg-db | postgres:17-alpine |
 | meilisearch | getmeili/meilisearch:v1.12.3 |
 | minio | minio/minio |
-| mongodb | mongo:7.0 |
+| mixpost | inovector/mixpost:latest |
 | mongodb | bitnami/mongodb:7.0 |
 | multi-scrobbler | foxxmd/multi-scrobbler |
 | n8n | docker.n8n.io/n8nio/n8n |
 | navidrome | deluan/navidrome:latest |
-| netbox | lscr.io/linuxserver/netbox:latest |
+| netalertx | jokobsk/netalertx:latest |
-| netbox-db | postgres:17-alpine |
+| nextcloud | nextcloud/all-in-one:latest |
 | nextcloud | lscr.io/linuxserver/nextcloud:latest |
 | ollama | ollama/ollama |
 | ombi | lscr.io/linuxserver/ombi:latest |
 | paperless-ngx | ghcr.io/paperless-ngx/paperless-ngx:latest |
 | parseable | containers.parseable.com/parseable/parseable:latest |
 | pgbackweb | eduardolat/pgbackweb:latest |
 | pgbackweb-db | postgres:16-alpine |
-| plausible | ghcr.io/plausible/community-edition:v2.1.0 |
+| plantuml-server | plantuml/plantuml-server:jetty |
-| plausible_db | postgres:16-alpine |
+| portainer | portainer/portainer-ce:2.27.0-alpine |
-| plausible_events_db | clickhouse/clickhouse-server:24.3.3.102-alpine |
+| portall | need4swede/portall:latest |
 | postal-smtp | ghcr.io/postalserver/postal:latest |
 | postal-web | ghcr.io/postalserver/postal:latest |
 | postal-worker | ghcr.io/postalserver/postal:latest |
@@ -103,58 +115,35 @@
 | readarr | lscr.io/linuxserver/readarr:develop |
 | redis | redis:alpine |
 | redlib | quay.io/redlib/redlib:latest |
-| rundeck | rundeck/rundeck:5.8.0 |
+| rocketchat | registry.rocket.chat/rocketchat/rocket.chat:latest |
 | rundeck-pg-db | postgres:16-alpine |
 | sabnzbdvpn | ghcr.io/binhex/arch-sabnzbdvpn:latest |
 | scraperr | jpyles0524/scraperr:latest |
 | scraperr-api | jpyles0524/scraperr_api:latest |
 | scrutiny | ghcr.io/analogj/scrutiny:master-omnibus |
 | searxng | searxng/searxng:latest |
-| semaphore | semaphoreui/semaphore:v2.10.32 |
+| semaphore | semaphoreui/semaphore:v2.12.14 |
 | slurpit-portal | slurpit/portal:latest |
 | slurpit-scanner | slurpit/scanner:latest |
 | slurpit-scraper | slurpit/scraper:latest |
 | slurpit-warehouse | slurpit/warehouse:latest |
 | sonarqube | mc1arke/sonarqube-with-community-branch-plugin:lts |
 | sonarqube-pg-db | postgres:17-alpine |
 | sonarr | lscr.io/linuxserver/sonarr:latest |
 | sonashow | thewicklowwolf/sonashow:latest |
 | soularr | mrusse08/soularr:latest |
 | soularr-dashboard | git.trez.wtf/trez.one/soularr-dashboard:v0.1 |
 | soulseek | slskd/slskd |
 | sourcebot | ghcr.io/sourcebot-dev/sourcebot:latest |
 | speedtest-tracker | lscr.io/linuxserver/speedtest-tracker:latest |
-| spotisub | blastbeng/spotisub:latest |
+| stable-diffusion-download | git.trez.wtf/trez.one/stable-diffusion-download:v9.0.0 |
 | stable-diffusion-webui | git.trez.wtf/trez.one/stable-diffusion-ui:v9.0.0 |
 | swag | lscr.io/linuxserver/swag:latest |
 | synapse | docker.io/matrixdotorg/synapse:latest |
 | synapse-db | postgres:16-alpine |
 | tandoor | vabene1111/recipes |
 | tandoor-pg | postgres:16-alpine |
 | traccar | traccar/traccar:latest |
 | traccar-pg | postgres:16-alpine |
 | unmanic | josh5/unmanic:latest |
 | uptimekuma | louislam/uptime-kuma:latest |
 | vault | hashicorp/vault:latest |
 | vector | timberio/vector:0.44.0-alpine |
 | wallabag | wallabag/wallabag |
 | wallos | bellamy/wallos:latest |
 | watchtower | ghcr.io/containrrr/watchtower:latest |
 | wazuh.agent | opennix/wazuh-agent:latest |
 | wazuh.dashboard | wazuh/wazuh-dashboard: |
 | wazuh.indexer | wazuh/wazuh-indexer: |
 | wazuh.manager | wazuh/wazuh-manager: |
 | web-check | lissy93/web-check |
 | whodb | clidey/whodb |
 | yacht | selfhostedpro/yacht |
 | your_spotify | lscr.io/linuxserver/your_spotify:latest |
 | youtubedl | nbr23/youtube-dl-server:latest |
 | zammad-backup | postgres: |
 | zammad-elasticsearch | bitnami/elasticsearch: |
 | zammad-init | : |
 | zammad-memcached | memcached: |
 | zammad-nginx | : |
 | zammad-postgresql | postgres: |
 | zammad-railsserver | : |
 | zammad-redis | redis: |
 | zammad-scheduler | : |
 | zammad-websocket | : |
 | zitadel | ghcr.io/zitadel/zitadel:latest |
 | zitadel-pg-db | postgres:16-alpine |
@@ -1,6 +1,6 @@
 [defaults]
 # Specify the inventory file
-inventory = hosts.yml
+inventory = inventory/hosts.yml
 collections_path = ./collections
 # Set the logging verbosity level
@@ -0,0 +1,6 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 url: http://0.0.0.0:8080
 login: localhost
 password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['CROWDSEC_LOCAL_API_KEY'] }}
@@ -115,7 +115,7 @@ DEFAULT_TRUST_MODEL = committer
 JWT_SECRET = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_OAUTH2_JWT_SECRET'] }}
 [ui]
-THEMES = theme-catppuccin-blue-auto.css,theme-catppuccin-sapphire-auto.css,theme-catppuccin-yellow-auto.css,theme-catppuccin-maroon-auto.css,theme-catppuccin-mauve-auto.css,theme-catppuccin-peach-auto.css,theme-catppuccin-teal-auto.css,theme-catppuccin-flamingo-auto.css,theme-catppuccin-lavender-auto.css,theme-catppuccin-pink-auto.css,theme-catppuccin-red-auto.css,theme-catppuccin-rosewater-auto.css,theme-catppuccin-sky-auto.css,theme-catppuccin-green-auto.css
+THEMES =
 [actions]
 ENABLED = true
@@ -29,5 +29,5 @@
        widget:
            type: homeassistant
            url: http://192.168.1.252:8123
-            key: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiI5MTFlMDZiMzNlODc0MWYyYjM3Mzg0NDhiMzMyNzMxYiIsImlhdCI6MTcxMzEzODc3MiwiZXhwIjoyMDI4NDk4NzcyfQ.CXFBjf0sJAGdMrRd_PTCkkzU3LsCgkckG8HvbdSYEhs
+            key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['HOMEPAGE_HOME_ASSISTANT_API_KEY'] }}
@@ -24,31 +24,27 @@ layout:
  System Administration:
    style: row
    columns: 4
    # fiveColumns: true
  Infrastructure/App Performance Monitoring:
    style: row
    columns: 4
  Automation:
    style: columns
    row: 2
  Code/DevOps:
-    style: columms
+    style: row
-    row: 2
+    columns: 4
  Privacy/Security:
    style: columns
    row: 5
  Social:
-    style: columns
+    style: row
-    row: 4
+    columns: 4
  Lifestyle:
    style: row
    columns: 4
  Personal Services:
    style: row
    columns: 4
  Professional Services:
    style: row
    columns: 3
  Automation:
    style: row
    columns: 5
  Privacy/Security:
    style: row
    columns: 5
  Personal/Professional Services:
    style: row
    columns: 5
  Servarr Stack:
    style: row
    columns: 3
@@ -57,4 +53,4 @@ layout:
    columns: 3
  Media Library:
    style: row
-    columns: 4
+    columns: 3
@@ -0,0 +1,949 @@
 #########################################
 #
 #  Database and other external servers
 #
 #########################################
 ##
 ## Database configuration with separate parameters.
 ## This setting is MANDATORY, unless 'database_url' is used.
 ##
 db:
  user: kemal
  host: invidious-db
  port: 5432
  dbname: invidious
  password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_PG_DB_PASSWORD'] }}
 ##
 ## Database configuration using a single URI. This is an
 ## alternative to the 'db' parameter above. If both forms
 ## are used, then only database_url is used.
 ## This setting is MANDATORY, unless 'db' is used.
 ##
 ## Note: The 'database_url' setting allows the use of UNIX
 ## sockets. To do so, remove the IP address (or FQDN) and port
 ## and append the 'host' parameter. E.g:
 ##   postgres://kemal:kemal@/invidious?host=/var/run/postgresql
 ##
 ## Accepted values: a postgres:// URI
 ## Default: postgres://kemal:kemal@localhost:5432/invidious
 ##
 #database_url: postgres://kemal:kemal@localhost:5432/invidious
 ##
 ## Enable automatic table integrity check. This will create
 ## the required tables and columns if anything is missing.
 ##
 ## Accepted values: true, false
 ## Default: false
 ##
 check_tables: true
 ##
 ## Path to an external signature resolver, used to emulate
 ## the Youtube client's Javascript. If no such server is
 ## available, some videos will not be playable.
 ##
 ## When this setting is commented out, no external
 ## resolver will be used.
 ##
 ## Accepted values: a path to a UNIX socket or "<IP>:<Port>"
 ## Default: <none>
 ##
 signature_server: invidious-sig-helper:12999
 #########################################
 #
 #  Server config
 #
 #########################################
 # -----------------------------
 #  Network (inbound)
 # -----------------------------
 ##
 ## Port to listen on for incoming connections.
 ##
 ## Note: Ports lower than 1024 requires either root privileges
 ## (not recommended) or the "CAP_NET_BIND_SERVICE" capability
 ## (See https://stackoverflow.com/a/414258 and `man capabilities`)
 ##
 ## Accepted values: 1-65535
 ## Default: 3000
 ##
 #port: 3000
 ##
 ## When the invidious instance is behind a proxy, and the proxy
 ## listens on a different port than the instance does, this lets
 ## invidious know about it. This is used to craft absolute URLs
 ## to the instance (e.g in the API).
 ##
 ## Note: This setting is MANDATORY if invidious is behind a
 ## reverse proxy.
 ##
 ## Accepted values: 1-65535
 ## Default: <none>
 ##
 #external_port:
 ##
 ## Interface address to listen on for incoming connections.
 ##
 ## Accepted values: a valid IPv4 or IPv6 address.
 ## default: 0.0.0.0  (listen on all interfaces)
 ##
 #host_binding: 0.0.0.0
 ##
 ## Domain name under which this instance is hosted. This is
 ## used to craft absolute URLs to the instance (e.g in the API).
 ## The domain MUST be defined if your instance is accessed from
 ## a domain name (like 'example.com').
 ##
 ## Accepted values: a fully qualified domain name (FQDN)
 ## Default: <none>
 ##
 # domain:
 ##
 ## Tell Invidious that it is behind a proxy that provides only
 ## HTTPS, so all links must use the https:// scheme. This
 ## setting MUST be set to true if invidious is behind a
 ## reverse proxy serving HTTPs.
 ##
 ## Accepted values: true, false
 ## Default: false
 ##
 https_only: false
 ##
 ## Enable/Disable 'Strict-Transport-Security'. Make sure that
 ## the domain specified under 'domain' is served securely.
 ##
 ## Accepted values: true, false
 ## Default: true
 ##
 #hsts: true
 # -----------------------------
 #  Network (outbound)
 # -----------------------------
 ##
 ## Disable proxying server-wide. Can be disable as a whole, or
 ## only for a single function.
 ##
 ## Accepted values: true, false, dash, livestreams, downloads, local
 ## Default: false
 ##
 #disable_proxy: false
 ##
 ## Size of the HTTP pool used to connect to youtube. Each
 ## domain ('youtube.com', 'ytimg.com', ...) has its own pool.
 ##
 ## Accepted values: a positive integer
 ## Default: 100
 ##
 #pool_size: 100
 ##
 ## Additional cookies to be sent when requesting the youtube API.
 ##
 ## Accepted values: a string in the format "name1=value1; name2=value2..."
 ## Default: <none>
 ##
 #cookies:
 ##
 ## Force connection to youtube over a specific IP family.
 ##
 ## Note: This may sometimes resolve issues involving rate-limiting.
 ## See https://github.com/ytdl-org/youtube-dl/issues/21729.
 ##
 ## Accepted values: ipv4, ipv6
 ## Default: <none>
 ##
 #force_resolve:
 ##
 ## Configuration for using a HTTP proxy
 ##
 ## If unset, then no HTTP proxy will be used.
 ## 
 #http_proxy:
 #  user:
 #  password:
 #  host:
 #  port:
 ##
 ## Use Innertube's transcripts API instead of timedtext for closed captions
 ##
 ## Useful for larger instances as InnerTube is **not ratelimited**. See https://github.com/iv-org/invidious/issues/2567
 ##
 ## Subtitle experience may differ slightly on Invidious.
 ##
 ## Accepted values: true, false
 ## Default: false
 ##
 # use_innertube_for_captions: false
 ##
 ## Send Google session informations. This is useful when Invidious is blocked
 ## by the message "This helps protect our community."
 ## See https://github.com/iv-org/invidious/issues/4734.
 ##
 ## Warning: These strings gives much more identifiable information to Google!
 ##
 ## Accepted values: String
 ## Default: <none>
 ##
 po_token: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_PO_TOKEN'] }}
 visitor_data: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_VISITOR_DATA'] }}
 # -----------------------------
 #  Logging
 # -----------------------------
 ##
 ## Path to log file. Can be absolute or relative to the invidious
 ## binary. This is overridden if "-o OUTPUT" or "--output=OUTPUT"
 ## are passed on the command line.
 ##
 ## Accepted values: a filesystem path or 'STDOUT'
 ## Default: STDOUT
 ##
 #output: STDOUT
 ##
 ## Logging Verbosity. This is overridden if "-l LEVEL" or
 ## "--log-level=LEVEL" are passed on the command line.
 ##
 ## Accepted values: All, Trace, Debug, Info, Warn, Error, Fatal, Off
 ## Default: Info
 ##
 #log_level: Info
 ##
 ## Enables colors in logs. Useful for debugging purposes
 ## This is overridden if "-k" or "--colorize"
 ## are passed on the command line.
 ## Colors are also disabled if the environment variable
 ## NO_COLOR is present and has any value
 ##
 ## Accepted values: true, false
 ## Default: true
 ##
 #colorize_logs: false
 # -----------------------------
 #  Features
 # -----------------------------
 ##
 ## Enable/Disable the "Popular" tab on the main page.
 ##
 ## Accepted values: true, false
 ## Default: true
 ##
 #popular_enabled: true
 ##
 ## Enable/Disable statstics (available at /api/v1/stats).
 ## The following data is available:
 ##   - Software name ("invidious") and version+branch (same data as
 ##     displayed in the footer, e.g: "2021.05.13-75e5b49" / "master")
 ##   - The value of the 'registration_enabled' config (true/false)
 ##   - Number of currently registered users
 ##   - Number of registered users who connected in the last month
 ##   - Number of registered users who connected in the last 6 months
 ##   - Timestamp of the last server restart
 ##   - Timestamp of the last "Channel Refresh" job execution
 ##
 ## Warning: This setting MUST be set to true if you plan to run
 ## a public instance. It is used by api.invidious.io to refresh
 ## your instance's status.
 ##
 ## Accepted values: true, false
 ## Default: false
 ##
 #statistics_enabled: false
 # -----------------------------
 #  Users and accounts
 # -----------------------------
 ##
 ## Allow/Forbid Invidious (local) account creation. Invidious
 ## accounts allow users to subscribe to channels and to create
 ## playlists without a Google account.
 ##
 ## Accepted values: true, false
 ## Default: true
 ##
 #registration_enabled: true
 ##
 ## Allow/Forbid users to log-in.
 ##
 ## Accepted values: true, false
 ## Default: true
 ##
 #login_enabled: true
 ##
 ## Enable/Disable the captcha challenge on the login page.
 ##
 ## Note: this is a basic captcha challenge that doesn't
 ## depend on any third parties.
 ##
 ## Accepted values: true, false
 ## Default: true
 ##
 #captcha_enabled: true
 ##
 ## List of usernames that will be granted administrator rights.
 ## A user with administrator rights will be able to change the
 ## server configuration options listed below in /preferences,
 ## in addition to the usual user preferences.
 ##
 ## Server-wide settings:
 ##   - popular_enabled
 ##   - captcha_enabled
 ##   - login_enabled
 ##   - registration_enabled
 ##   - statistics_enabled
 ## Default user preferences:
 ##   - default_home
 ##   - feed_menu
 ##
 ## Accepted values: an array of strings
 ## Default: [""]
 ##
 #admins: [""]
 ##
 ## Enable/Disable the user notifications for all users
 ##
 ## Note: On large instances, it is recommended to set this option to 'false'
 ## in order to reduce the amount of data written to the database, and hence
 ## improve the overall performance of the instance.
 ##
 ## Accepted values: true, false
 ## Default: true
 ##
 #enable_user_notifications: true
 # -----------------------------
 #  Background jobs
 # -----------------------------
 ##
 ## Number of threads to use when crawling channel videos (during
 ## subscriptions update).
 ##
 ## Notes: This setting is overridden if either "-c THREADS" or
 ## "--channel-threads=THREADS" is passed on the command line.
 ##
 ## Accepted values: a positive integer
 ## Default: 1
 ##
 channel_threads: 1
 ##
 ## Time interval between two executions of the job that crawls
 ## channel videos (subscriptions update).
 ##
 ## Accepted values: a valid time interval (like 1h30m or 90m)
 ## Default: 30m
 ##
 #channel_refresh_interval: 30m
 ##
 ## Forcefully dump and re-download the entire list of uploaded
 ## videos when crawling channel (during subscriptions update).
 ##
 ## Accepted values: true, false
 ## Default: false
 ##
 full_refresh: false
 ##
 ## Number of threads to use when updating RSS feeds.
 ##
 ## Notes: This setting is overridden if either "-f THREADS" or
 ## "--feed-threads=THREADS" is passed on the command line.
 ##
 ## Accepted values: a positive integer
 ## Default: 1
 ##
 feed_threads: 1
 jobs:
  ## Options for the database cleaning job
  clear_expired_items:
    ## Enable/Disable job
    ##
    ## Accepted values: true, false
    ## Default: true
    ##
    enable: true
  ## Options for the channels updater job
  refresh_channels:
    ## Enable/Disable job
    ##
    ## Accepted values: true, false
    ## Default: true
    ##
    enable: true
  ## Options for the RSS feeds updater job
  refresh_feeds:
    ## Enable/Disable job
    ##
    ## Accepted values: true, false
    ## Default: true
    ##
    enable: true
 # -----------------------------
 #  Miscellaneous
 # -----------------------------
 ##
 ## custom banner displayed at the top of every page. This can
 ## used for instance announcements, e.g.
 ##
 ## Accepted values: any string. HTML is accepted.
 ## Default: <none>
 ##
 #banner:
 ##
 ## Subscribe to channels using PubSubHub (Google PubSubHubbub service).
 ## PubSubHub allows Invidious to be instantly notified when a new video
 ## is published on any subscribed channels. When PubSubHub is not used,
 ## Invidious will check for new videos every minute.
 ##
 ## Note: This setting is recommended for public instances.
 ##
 ## Note 2:
 ##  - Requires a public instance (it uses /feed/webhook/v1)
 ##  - Requires 'domain' and 'hmac_key' to be set.
 ##  - Setting this parameter to any number greater than zero will
 ##    enable channel subscriptions via PubSubHub, but will limit the
 ##    amount of concurrent subscriptions.
 ##
 ## Accepted values: true, false, a positive integer
 ## Default: false
 ##
 #use_pubsub_feeds: false
 ##
 ## HMAC signing key used for CSRF tokens, cookies and pubsub
 ## subscriptions verification.
 ##
 ## Note: This parameter is mandatory and should be a random string.
 ## Such random string can be generated on linux with the following
 ## command: `pwgen 20 1`
 ##
 ## Accepted values: a string
 ## Default: <none>
 ##
 hmac_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_HMAC_KEY'] }}
 ##
 ## List of video IDs where the "download" widget must be
 ## disabled, in order to comply with DMCA requests.
 ##
 ## Accepted values: an array of string
 ## Default: <none>
 ##
 #dmca_content:
 ##
 ## Cache video annotations in the database.
 ##
 ## Warning: empty annotations or annotations that only contain
 ## cards won't be cached.
 ##
 ## Accepted values: true, false
 ## Default: false
 ##
 #cache_annotations: false
 ##
 ## Source code URL. If your instance is running a modified source
 ## code, you MUST publish it somewhere and set this option.
 ##
 ## Accepted values: a string
 ## Default: <none>
 ##
 #modified_source_code_url: ""
 ##
 ## Maximum custom playlist length limit.
 ##
 ## Accepted values: Integer
 ## Default: 500
 ##
 #playlist_length_limit: 500
 #########################################
 #
 #  Default user preferences
 #
 #########################################
 ##
 ## NOTE: All the settings below define the default user
 ## preferences. They will apply to ALL users connecting
 ## without a preferences cookie (so either on the first
 ## connection to the instance or after clearing the
 ## browser's cookies).
 ##
 default_user_preferences:
  # -----------------------------
  #  Internationalization
  # -----------------------------
  ##
  ## Default user interface language (locale).
  ##
  ## Note: When hosting a public instance, overriding the
  ## default (english) is not recommended, as it may
  ## people using other languages.
  ##
  ## Accepted values:
  ##   ar      (Arabic)
  ##   da      (Danish)
  ##   de      (German)
  ##   en-US   (english, US)
  ##   el      (Greek)
  ##   eo      (Esperanto)
  ##   es      (Spanish)
  ##   fa      (Persian)
  ##   fi      (Finnish)
  ##   fr      (French)
  ##   he      (Hebrew)
  ##   hr      (Hungarian)
  ##   id      (Indonesian)
  ##   is      (Icelandic)
  ##   it      (Italian)
  ##   ja      (Japanese)
  ##   nb-NO   (Norwegian, Bokmål)
  ##   nl      (Dutch)
  ##   pl      (Polish)
  ##   pt-BR   (Portuguese, Brazil)
  ##   pt-PT   (Portuguese, Portugal)
  ##   ro      (Romanian)
  ##   ru      (Russian)
  ##   sv      (Swedish)
  ##   tr      (Turkish)
  ##   uk      (Ukrainian)
  ##   zh-CN   (Chinese, China)  (a.k.a "Simplified Chinese")
  ##   zh-TW   (Chinese, Taiwan) (a.k.a "Traditional Chinese")
  ##
  ## Default: en-US
  ##
  #locale: en-US
  ##
  ## Default geographical location for content.
  ##
  ## Accepted values:
  ##   AE, AR, AT, AU, AZ, BA, BD, BE, BG, BH, BO, BR, BY, CA, CH, CL, CO, CR,
  ##   CY, CZ, DE, DK, DO, DZ, EC, EE, EG, ES, FI, FR, GB, GE, GH, GR, GT, HK,
  ##   HN, HR, HU, ID, IE, IL, IN, IQ, IS, IT, JM, JO, JP, KE, KR, KW, KZ, LB,
  ##   LI, LK, LT, LU, LV, LY, MA, ME, MK, MT, MX, MY, NG, NI, NL, NO, NP, NZ,
  ##   OM, PA, PE, PG, PH, PK, PL, PR, PT, PY, QA, RO, RS, RU, SA, SE, SG, SI,
  ##   SK, SN, SV, TH, TN, TR, TW, TZ, UA, UG, US, UY, VE, VN, YE, ZA, ZW
  ##
  ## Default: US
  ##
  #region: US
  ##
  ## Top 3 preferred languages for video captions.
  ##
  ## Note: overriding the default (no preferred
  ## caption language) is not recommended, in order
  ## to not penalize people using other languages.
  ##
  ## Accepted values: a three-entries array.
  ## Each entry can be one of:
  ##   "English", "English (auto-generated)",
  ##   "Afrikaans", "Albanian", "Amharic", "Arabic",
  ##   "Armenian", "Azerbaijani", "Bangla", "Basque",
  ##   "Belarusian", "Bosnian", "Bulgarian", "Burmese",
  ##   "Catalan", "Cebuano", "Chinese (Simplified)",
  ##   "Chinese (Traditional)", "Corsican", "Croatian",
  ##   "Czech", "Danish", "Dutch", "Esperanto", "Estonian",
  ##   "Filipino", "Finnish", "French", "Galician", "Georgian",
  ##   "German", "Greek", "Gujarati", "Haitian Creole", "Hausa",
  ##   "Hawaiian", "Hebrew", "Hindi", "Hmong", "Hungarian",
  ##   "Icelandic", "Igbo", "Indonesian", "Irish", "Italian",
  ##   "Japanese", "Javanese", "Kannada", "Kazakh", "Khmer",
  ##   "Korean", "Kurdish", "Kyrgyz", "Lao", "Latin", "Latvian",
  ##   "Lithuanian", "Luxembourgish", "Macedonian",
  ##   "Malagasy", "Malay", "Malayalam", "Maltese", "Maori",
  ##   "Marathi", "Mongolian", "Nepali", "Norwegian Bokmål",
  ##   "Nyanja", "Pashto", "Persian", "Polish", "Portuguese",
  ##   "Punjabi", "Romanian", "Russian", "Samoan",
  ##   "Scottish Gaelic", "Serbian", "Shona", "Sindhi",
  ##   "Sinhala", "Slovak", "Slovenian", "Somali",
  ##   "Southern Sotho", "Spanish", "Spanish (Latin America)",
  ##   "Sundanese",  "Swahili", "Swedish", "Tajik", "Tamil",
  ##   "Telugu", "Thai", "Turkish", "Ukrainian", "Urdu",
  ##   "Uzbek", "Vietnamese", "Welsh", "Western Frisian",
  ##   "Xhosa", "Yiddish", "Yoruba", "Zulu"
  ##
  ## Default: ["", "", ""]
  ##
  #captions: ["", "", ""]
  # -----------------------------
  #  Interface
  # -----------------------------
  ##
  ## Enable/Disable dark mode.
  ##
  ## Accepted values: "dark", "light", "auto"
  ## Default: "auto"
  ##
  #dark_mode: "auto"
  ##
  ## Enable/Disable thin mode (no video thumbnails).
  ##
  ## Accepted values: true, false
  ## Default: false
  ##
  #thin_mode: false
  ##
  ## List of feeds available on the home page.
  ##
  ## Note: "Subscriptions" and "Playlists" are only visible
  ## when the user is logged in.
  ##
  ## Accepted values: A list of strings
  ## Each entry can be one of: "Popular", "Trending",
  ##    "Subscriptions", "Playlists"
  ##
  ## Default: ["Popular", "Trending", "Subscriptions", "Playlists"]  (show all feeds)
  ##
  #feed_menu: ["Popular", "Trending", "Subscriptions", "Playlists"]
  ##
  ## Default feed to display on the home page.
  ##
  ## Note: setting this option to "Popular" has no
  ## effect when 'popular_enabled' is set to false.
  ##
  ## Accepted values: Popular, Trending, Subscriptions, Playlists, <none>
  ## Default: Popular
  ##
  #default_home: Popular
  ##
  ## Default number of results to display per page.
  ##
  ## Note: this affects invidious-generated pages only, such
  ## as watch history and subscription feeds. Playlists, search
  ## results and channel videos depend on the data returned by
  ## the Youtube API.
  ##
  ## Accepted values: any positive integer
  ## Default: 40
  ##
  #max_results: 40
  ##
  ## Show/hide annotations.
  ##
  ## Accepted values: true, false
  ## Default: false
  ##
  #annotations: false
  ##
  ## Show/hide annotation.
  ##
  ## Accepted values: true, false
  ## Default: false
  ##
  #annotations_subscribed: false
  ##
  ## Type of comments to display below video.
  ##
  ## Accepted values: a two-entries array.
  ## Each entry can be one of: "youtube", "reddit", ""
  ##
  ## Default: ["youtube", ""]
  ##
  #comments: ["youtube", ""]
  ##
  ## Default player style.
  ##
  ## Accepted values: invidious, youtube
  ## Default: invidious
  ##
  #player_style: invidious
  ##
  ## Show/Hide the "related videos" sidebar when
  ## watching a video.
  ##
  ## Accepted values: true, false
  ## Default: true
  ##
  #related_videos: true
  # -----------------------------
  #  Video player behavior
  # -----------------------------
  ##
  ## This option controls the value of the HTML5 <video> element's
  ## "preload" attribute.
  ##
  ## If set to 'false', no video data will be loaded until the user
  ## explicitly starts the video by clicking the "Play" button.
  ## If set to 'true', the web browser will buffer some video data
  ## while the page is loading.
  ##
  ## See: https://www.w3schools.com/tags/att_video_preload.asp
  ##
  ## Accepted values: true, false
  ## Default: true
  ##
  #preload: true
  ##
  ## Automatically play videos on page load.
  ##
  ## Accepted values: true, false
  ## Default: false
  ##
  #autoplay: false
  ##
  ## Automatically load the "next" video (either next in
  ## playlist or proposed) when the current video ends.
  ##
  ## Accepted values: true, false
  ## Default: false
  ##
  #continue: false
  ##
  ## Autoplay next video by default.
  ##
  ## Note: Only effective if 'continue' is set to true.
  ##
  ## Accepted values: true, false
  ## Default: true
  ##
  #continue_autoplay: true
  ##
  ## Play videos in Audio-only mode by default.
  ##
  ## Accepted values: true, false
  ## Default: false
  ##
  #listen: false
  ##
  ## Loop videos automatically.
  ##
  ## Accepted values: true, false
  ## Default: false
  ##
  #video_loop: false
  # -----------------------------
  #  Video playback settings
  # -----------------------------
  ##
  ## Default video quality.
  ##
  ## Accepted values: dash, hd720, medium, small
  ## Default: hd720
  ##
  #quality: hd720
  ##
  ## Default dash video quality.
  ##
  ## Note: this setting only takes effet if the
  ## 'quality' parameter is set to "dash".
  ##
  ## Accepted values:
  ##    auto, best, 4320p, 2160p, 1440p, 1080p,
  ##    720p, 480p, 360p, 240p, 144p, worst
  ## Default: auto
  ##
  #quality_dash: auto
  ##
  ## Default video playback speed.
  ##
  ## Accepted values: 0.25, 0.5, 0.75, 1.0, 1.25, 1.5, 1.75, 2.0
  ## Default: 1.0
  ##
  #speed: 1.0
  ##
  ## Default volume.
  ##
  ## Accepted values: 0-100
  ## Default: 100
  ##
  #volume: 100
  ##
  ## Allow 360° videos to be played.
  ##
  ## Note: This feature requires a WebGL-enabled browser.
  ##
  ## Accepted values: true, false
  ## Default: true
  ##
  #vr_mode: true
  ##
  ## Save the playback position
  ## Allow to continue watching at the previous position when
  ## watching the same video.
  ##
  ## Accepted values: true, false
  ## Default: false
  ##
  #save_player_pos: false
  # -----------------------------
  #  Subscription feed
  # -----------------------------
  ##
  ## In the "Subscription" feed, only show the latest video
  ## of each channel the user is subscribed to.
  ##
  ## Note: when combined with 'unseen_only', the latest unseen
  ## video of each channel will be displayed instead of the
  ## latest by date.
  ##
  ## Accepted values: true, false
  ## Default: false
  ##
  #latest_only: false
  ##
  ## Enable/Disable user subscriptions desktop notifications.
  ##
  ## Accepted values: true, false
  ## Default: false
  ##
  #notifications_only: false
  ##
  ## In the "Subscription" feed, Only show the videos that the
  ## user haven't watched yet (i.e which are not in their watch
  ## history).
  ##
  ## Accepted values: true, false
  ## Default: false
  ##
  #unseen_only: false
  ##
  ## Default sorting parameter for subscription feeds.
  ##
  ## Accepted values:
  ##   'alphabetically'
  ##   'alphabetically - reverse'
  ##   'channel name'
  ##   'channel name - reverse'
  ##   'published'
  ##   'published - reverse'
  ##
  ## Default: published
  ##
  #sort: published
  # -----------------------------
  #  Miscellaneous
  # -----------------------------
  ##
  ## Proxy videos through instance by default.
  ##
  ## Warning: As most users won't change this setting in their
  ## preferences, defaulting  to true will significantly
  ## increase the instance's network usage, so make sure that
  ## your server's connection can handle it.
  ##
  ## Accepted values: true, false
  ## Default: false
  ##
  #local: false
  ##
  ## Show the connected user's nick at the top right.
  ##
  ## Accepted values: true, false
  ## Default: true
  ##
  #show_nick: true
  ##
  ## Automatically redirect to a random instance when the user uses
  ## any "switch invidious instance" link (For videos, it's the plane
  ## icon, next to "watch on youtube" and "listen"). When set to false,
  ## the user is sent to https://redirect.invidious.io instead, where
  ## they can manually select an instance.
  ##
  ## Accepted values: true, false
  ## Default: false
  ##
  #automatic_instance_redirect: false
  ##
  ## Show the entire video description by default (when set to 'false',
  ## only the first few lines of the description are shown and a
  ## "show more" button allows to expand it).
  ##
  ## Accepted values: true, false
  ## Default: false
  ##
  #extend_desc: false
@@ -1,477 +0,0 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 ###########################
 # 🦎 KOMODO CORE CONFIG 🦎 #
 ###########################
 ## This is the offical "Default" config file for Komodo Core.
 ## It serves as documentation for the meaning of the fields.
 ## It is located at `https://github.com/mbecker20/komodo/blob/main/config/core.config.toml`.
 ## All fields with a "Default" provided are optional. If they are
 ## left out of the file, the "Default" value will be used.
 ## This file is bundled into the official image, `ghcr.io/mbecker20/komodo`,
 ## as the default config at `/config/config.toml`.
 ## Komodo can start with no external config file mounted.
 ## There is usually no need to create this file on your host.
 ## Most fields can instead be configured using environment variables.
 ## Environment variables will override values set in this file.
 ## This will be the document title on the web page.
 ## Env: KOMODO_TITLE
 ## Default: 'Komodo'
 title = "Komodo @ Rinoa"
 ## This should be the url used to access Komodo in browser, potentially behind DNS.
 ## Eg https://komodo.example.com or http://12.34.56.78:9120. This should match the address configured in your Oauth app.
 ## Env: KOMODO_HOST
 ## Required, no default.
 host = "https://komodo.trez.wtf"
 ## The port the core system will run on.
 ## Env: KOMODO_PORT
 ## Default: 9120
 port = 9120
 ## This is the token used to authenticate core requests to periphery.
 ## Ensure this matches a passkey in the connected periphery configs.
 ## If the periphery servers don't have passkeys configured, this doesn't need to be changed.
 ## Env: KOMODO_PASSKEY or KOMODO_PASSKEY_FILE
 ## Required, no default
 passkey = "JgzFdZYbE7JfH5zhrh5pWUEQEWA4MCXG"
 ## Ensure a server with this address exists on Core
 ## upon first startup. Example: `https://periphery:8120`
 ## Env: KOMODO_FIRST_SERVER
 ## Optional, no default.
 first_server = ""
 ## Disables write support on resources in the UI.
 ## This protects users that that would normally have write priviledges during their UI usage,
 ## when they intend to fully rely on ResourceSyncs to manage config.
 ## Env: KOMODO_UI_WRITE_DISABLED
 ## Default: false
 ui_write_disabled = false
 ## Disables the confirm dialogs on all actions. All buttons will now be double-click.
 ## Useful when only having http connection to core, as UI quick-copy button won't work.
 ## Env: KOMODO_DISABLE_CONFIRM_DIALOG
 ## Default: false
 disable_confirm_dialog = false
 ## Configure the directory for sync files (inside the container).
 ## There shouldn't be a need to change this, just mount a volume.
 ## Env: KOMODO_SYNC_DIRECTORY
 ## Default: /syncs
 sync_directory = "/syncs"
 ## Configure the repo directory (inside the container).
 ## There shouldn't be a need to change this, just mount a volume.
 ## Env: KOMODO_REPO_DIRECTORY
 ## Default: /repo-cache
 repo_directory = "/repo-cache"
 ## Configure the action directory (inside the container).
 ## There shouldn't be a need to change this, or even mount a volume.
 ## Env: KOMODO_ACTION_DIRECTORY
 ## Default: /action-cache
 action_directory = "/action-cache"
 ################
 # AUTH / LOGIN #
 ################
 ## Allow user login with a username / password.
 ## The password will be hashed and stored in the db for login comparison.
 ##
 ## NOTE:
 ## Komodo has no API to recover account logins, but if this happens you can doctor the database using Mongo Compass.
 ## Create a new Komodo user (Sign Up button), login to the database with Compass, note down your old users username and _id.
 ## Then delete the old user, and update the new user to have the same username and _id. 
 ## Make sure to set `enabled: true` and maybe `admin: true` on the new user as well, while using Compass.
 ##
 ## Env: KOMODO_LOCAL_AUTH
 ## Default: false
 local_auth = true
 ## Normally new users will be registered, but not enabled until an Admin enables them.
 ## With `disable_user_registration = true`, only the first user to log in will registered as a user.
 ## Env: KOMODO_DISABLE_USER_REGISTRATION
 ## Default: false
 disable_user_registration = false
 ## New users will be automatically enabled when they sign up.
 ## Otherwise, new users will be disabled on first login.
 ## The first user to login will always be enabled on creation.
 ## Env: KOMODO_ENABLE_NEW_USERS
 ## Default: false
 enable_new_users = false
 ## Allows all users to have Read level access to all resources.
 ## Env: KOMODO_TRANSPARENT_MODE
 ## Default: false
 transparent_mode = false
 ## Normally all enabled users can create resources.
 ## If `disable_non_admin_create = true`, only admin users can create resources.
 ## Env: KOMODO_DISABLE_NON_ADMIN_CREATE
 ## Default: false
 disable_non_admin_create = false
 ## Optionally provide a specific jwt secret.
 ## Passing nothing or an empty string will cause one to be generated on every startup.
 ## This means users will have to log in again if Komodo restarts.
 ## Env: KOMODO_JWT_SECRET or KOMODO_JWT_SECRET_FILE
 ## Default: empty string, meaning a random secret will be generated at startup.
 jwt_secret = "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['KOMODO_JWT_SECRET'] }}"
 ## Specify how long a user can stay logged in before they have to log in again.
 ## All jwts are invalidated on application restart unless `jwt_secret` is set.
 ## Env: KOMODO_JWT_TTL
 ## Options: 1-hr, 12-hr, 1-day, 3-day, 1-wk, 2-wk, 30-day
 ## Default: 1-day. 
 jwt_ttl = "1-day"
 #############
 # OIDC Auth #
 #############
 ## Enable logins with configured OIDC provider.
 ## Env: KOMODO_OIDC_ENABLED
 ## Default: false
 oidc_enabled = false
 ## Give the provider address.
 ##
 ## The path, ie /application/o/komodo for Authentik,
 ## is provider and configuration specific.
 ##
 ## Note. this address must be reachable from Komodo Core container.
 ##
 ## Env: KOMODO_OIDC_PROVIDER
 ## Optional, no default.
 oidc_provider = "https://oidc.provider.internal/application/o/komodo"
 ## Configure OIDC user redirect host.
 ##
 ## This is the host address users are redirected to in their browser,
 ## and may be different from `oidc_provider` host depending on your networking.
 ## If not provided (or empty string ""), the `oidc_provider` will be used.
 ##
 ## Note. DO NOT include the `path` part of the URL.
 ## Example: `https://oidc.provider.external`
 ##
 ## Env: KOMODO_OIDC_REDIRECT_HOST
 ## Optional, no default.
 oidc_redirect_host = ""
 ## Give the OIDC Client ID.
 ## Env: KOMODO_OIDC_CLIENT_ID or KOMODO_OIDC_CLIENT_ID_FILE
 oidc_client_id = ""
 ## Give the OIDC Client Secret.
 ## Env: KOMODO_OIDC_CLIENT_SECRET or KOMODO_OIDC_CLIENT_SECRET_FILE
 oidc_client_secret = ""
 ## If true, use the full email for usernames.
 ## Otherwise, the @address will be stripped,
 ## making usernames more concise.
 ## Env: KOMODO_OIDC_USE_FULL_EMAIL
 ## Default: false.
 oidc_use_full_email = false
 ## Some providers attach other audiences in addition to the client_id.
 ## If you have this issue, `Invalid audiences: `...` is not a trusted audience"`,
 ## you can add the audience `...` to the list here (assuming it should be trusted).
 ## Env: KOMODO_OIDC_ADDITIONAL_AUDIENCES or KOMODO_OIDC_ADDITIONAL_AUDIENCES_FILE
 ## Default: empty
 oidc_additional_audiences = []
 #########
 # OAUTH #
 #########
 ## Google
 ## Env: KOMODO_GOOGLE_OAUTH_ENABLED
 ## Default: false
 google_oauth.enabled = false
 ## Env: KOMODO_GOOGLE_OAUTH_ID or KOMODO_GOOGLE_OAUTH_ID_FILE
 ## Required if google_oauth is enabled.
 google_oauth.id = ""
 ## Env: KOMODO_GOOGLE_OAUTH_SECRET or KOMODO_GOOGLE_OAUTH_SECRET_FILE
 ## Required if google_oauth is enabled.
 google_oauth.secret = ""
 ## Github
 ## Env: KOMODO_GITHUB_OAUTH_ENABLED
 ## Default: false
 github_oauth.enabled = false
 ## Env: KOMODO_GITHUB_OAUTH_ID or KOMODO_GITHUB_OAUTH_ID_FILE
 ## Required if github_oauth is enabled.
 github_oauth.id = ""
 ## Env: KOMODO_GITHUB_OAUTH_SECRET or KOMODO_GITHUB_OAUTH_SECRET_FILE
 ## Required if github_oauth is enabled.
 github_oauth.secret = ""
 ############
 # Security #
 ############
 ## Enable HTTPS server using the given key and cert.
 ## Env: KOMODO_SSL_ENABLED
 ## Default: false
 ssl_enabled = false
 ## Path to the ssl key.
 ## Env: KOMODO_SSL_KEY_FILE
 ## Default: /config/ssl/key.pem
 ssl_key_file = "/config/ssl/key.pem"
 ## Path to the ssl cert.
 ## Env: KOMODO_SSL_CERT_FILE
 ## Default: /config/ssl/cert.pem
 ssl_cert_file = "/config/ssl/cert.pem"
 ############
 # DATABASE #
 ############
 ## Configure the database connection in one of the following ways:
 ## Pass a full Mongo URI to the database.
 ## Example: mongodb://username:password@localhost:27017
 ## Env: KOMODO_DATABASE_URI or KOMODO_DATABASE_URI_FILE
 ## Optional, can usually use `address`, `username`, `password` instead.
 database.uri = "mongodb://komodo:jtyl2U8KZPUe8V9MOTXQDYRlg7QemGuF@komodo-ferretdb:27017/komodo?authMechanism=PLAIN"
 ## ==== * OR * ==== ##
 # Construct the address as mongodb://{username}:{password}@{address}
 ## Env: KOMODO_DATABASE_ADDRESS
 # database.address = "localhost:27017"
 ## Env: KOMODO_DATABASE_USERNAME or KOMODO_DATABASE_USERNAME_FILE
 # database.username = ""
 ## Env: KOMODO_DATABASE_PASSWORD or KOMODO_DATABASE_PASSWORD_FILE
 # database.password = ""
 ## ==== other ====
 ## Komodo will create its collections under this database name.
 ## The only reason to change this is if multiple Komodo Cores share the same db.
 ## Env: KOMODO_DATABASE_DB_NAME
 ## Default: komodo.
 database.db_name = "komodo"
 ## This is the assigned app_name of the mongo client.
 ## The only reason to change this is if multiple Komodo Cores share the same db.
 ## Env: KOMODO_DATABASE_APP_NAME
 ## Default: komodo_core.
 database.app_name = "komodo_core"
 ############
 # WEBHOOKS #
 ############
 ## This token must be given to git provider during repo webhook config.
 ## The secret configured on the git provider side must match the secret configured here.
 ## If not provided, 
 ## Env: KOMODO_WEBHOOK_SECRET or KOMODO_WEBHOOK_SECRET_FILE
 ## Optional, no default.
 webhook_secret = "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['KOMODO_WEBHOOK_SECRET'] }}"
 ## An alternate base url that is used to recieve git webhook requests.
 ## If empty or not specified, will use 'host' address as base.
 ## This is useful if Komodo is on an internal network, but can have a
 ## proxy just allowing through the webhook listener api using NGINX.
 ## Env: KOMODO_WEBHOOK_BASE_URL
 ## Default: empty (none)
 webhook_base_url = ""
 ## Configure Github webhook app. Enables webhook management apis.
 ## <INSERT LINK TO GUIDE>
 ## Env: KOMODO_GITHUB_WEBHOOK_APP_APP_ID or KOMODO_GITHUB_WEBHOOK_APP_APP_ID_FILE
 # github_webhook_app.app_id = 1234455 # Find on the app page.
 ## Env: 
 ##   - KOMODO_GITHUB_WEBHOOK_APP_INSTALLATIONS_IDS or KOMODO_GITHUB_WEBHOOK_APP_INSTALLATIONS_IDS_FILE
 ##   - KOMODO_GITHUB_WEBHOOK_APP_INSTALLATIONS_NAMESPACES
 # github_webhook_app.installations = [
 #   ## Find the id after installing the app to user / organization. "namespace" is the username / organization name.
 #   { id = 1234, namespace = "mbecker20" }
 # ]
 ## The path to Github webhook app private key. <INSERT LINK TO GUIDE>
 ## This is defaulted to `/github/private-key.pem`, and doesn't need to be changed if running core in Docker.
 ## Just mount the private key pem file on the host to `/github/private-key.pem` in the container.
 ## Eg. `/your/path/to/key.pem : /github/private-key.pem`
 ## Env: KOMODO_GITHUB_WEBHOOK_APP_PK_PATH
 # github_webhook_app.pk_path = "/path/to/pk.pem"
 ###########
 # LOGGING #
 ###########
 ## Specify the logging verbosity
 ## Env: KOMODO_LOGGING_LEVEL
 ## Options: off, error, warn, info, debug, trace
 ## Default: info
 logging.level = "info"
 ## Specify the logging format for stdout / stderr.
 ## Env: KOMODO_LOGGING_STDIO
 ## Options: standard, json, none
 ## Default: standard
 logging.stdio = "standard"
 ## Optionally specify a opentelemetry otlp endpoint to send traces to.
 ## Example: http://localhost:4317
 ## Env: KOMODO_LOGGING_OTLP_ENDPOINT
 logging.otlp_endpoint = ""
 ## Set the opentelemetry service name.
 ## This will be attached to the telemetry Komodo will send.
 ## Env: KOMODO_LOGGING_OPENTELEMETRY_SERVICE_NAME
 ## Default: "Komodo"
 logging.opentelemetry_service_name = "Komodo"
 ###########
 # PRUNING #
 ###########
 ## The number of days to keep historical system stats around, or 0 to disable pruning. 
 ## Stats older that are than this number of days are deleted on a daily cycle.
 ## Env: KOMODO_KEEP_STATS_FOR_DAYS
 ## Default: 14
 keep_stats_for_days = 14
 ## The number of days to keep alerts around, or 0 to disable pruning. 
 ## Alerts older that are than this number of days are deleted on a daily cycle.
 ## Env: KOMODO_KEEP_ALERTS_FOR_DAYS
 ## Default: 14
 keep_alerts_for_days = 14
 ##################
 # POLL INTERVALS #
 ##################
 ## Controls the rate at which servers are polled for health, system stats, and container status.
 ## This affects network usage, and the size of the stats stored in mongo.
 ## Env: KOMODO_MONITORING_INTERVAL
 ## Options: 1-sec, 5-sec, 15-sec, 30-sec, 1-min, 2-min, 5-min, 15-min
 ## Default: 15-sec
 monitoring_interval = "15-sec"
 ## Interval at which to poll Resources for any updates / automated actions.
 ## Env: KOMODO_RESOURCE_POLL_INTERVAL
 ## Options: `15-sec`, `1-min`, `5-min`, `15-min`, `1-hr`.
 ## Default: 5-min
 resource_poll_interval = "5-min"
 ###################
 # CLOUD PROVIDERS #
 ###################
 ## Komodo can build images by deploying AWS EC2 instances,
 ## running the build, and afterwards destroying the instance.
 ## Additionally, Komodo can deploy cloud VPS on AWS EC2 and Hetzner.
 ## Use the Template resource to configure launch preferences.
 ## Hetzner is not supported for builds as their pricing model is by the hour,
 ## while AWS is by the minute. This is very important for builds.
 ## Provide AWS api keys for ephemeral builders / server launch
 ## Env: KOMODO_AWS_ACCESS_KEY_ID or KOMODO_AWS_ACCESS_KEY_ID_FILE
 aws.access_key_id = ""
 ## Env: KOMODO_AWS_SECRET_ACCESS_KEY or KOMODO_AWS_SECRET_ACCESS_KEY_FILE
 aws.secret_access_key = ""
 ## Provide Hetzner api token for server launch
 ## Env: KOMODO_HETZNER_TOKEN or KOMODO_HETZNER_TOKEN_FILE
 hetzner.token = ""
 #################
 # GIT PROVIDERS #
 #################
 ## These will be available to attach to Builds, Repos, Stacks, and Syncs.
 ## They allow these Resources to clone private repositories.
 ## They cannot be configured on the environment.
 ## configure git providers
 # [[git_provider]]
 # domain = "github.com"
 # accounts = [
 # 	{ username = "mbecker20", token = "access_token_for_account" },
 # 	{ username = "moghtech", token = "access_token_for_other_account" },
 # ]
 # [[git_provider]]
 # domain = "git.mogh.tech" # use a custom provider, like self-hosted gitea
 # accounts = [
 # 	{ username = "mbecker20", token = "access_token_for_account" },
 # ]
 # [[git_provider]]
 # domain = "localhost:8000" # use a custom provider, like self-hosted gitea
 # https = false # use http://localhost:8000 as base-url for clone
 # accounts = [
 # 	{ username = "mbecker20", token = "access_token_for_account" },
 # ]
 ######################
 # REGISTRY PROVIDERS #
 ######################
 ## These will be available to attach to Builds and Stacks.
 ## They allow these Resources to pull private images.
 ## They cannot be configured on the environment.
 ## configure docker registries
 # [[docker_registry]]
 # domain = "docker.io"
 # accounts = [
 # 	{ username = "mbecker2020", token = "access_token_for_account" }
 # ]
 # organizations = ["DockerhubOrganization"]
 [[gitea_rinoa]]
 domain = "git.trez.wtf"
 accounts = [
 	{ username = "gitea-sonarqube-bot", token = "594a3a9611bdb508bd6a3575e2ddb3ac4922a4da" }
 ]
 [[gitea_rinoa_local]]
 domain = "http://gitea:3000"
 accounts = [
 	{ username = "gitea-sonarqube-bot", token = "594a3a9611bdb508bd6a3575e2ddb3ac4922a4da" }
 ]
 # [[docker_registry]]
 # domain = "git.mogh.tech" # use a custom provider, like self-hosted gitea
 # accounts = [
 # 	{ username = "mbecker20", token = "access_token_for_account" },
 # ]
 # organizations = ["Mogh"] # These become available in the UI
 ###########
 # SECRETS #
 ###########
 ## Provide Core based secrets.
 ## These will be available to interpolate into your Deployment / Stack environments,
 ## and will be hidden in the UI and logs.
 ## These are available to use on any Periphery (Server),
 ## but you can also limit access more by placing them in a single Periphery's config file instead.
 ## These cannot be configured in the Komodo Core environment, they must be passed in the file.
 # [secrets]
 # SECRET_1 = "value_1"
 # SECRET_2 = "value_2"
@@ -0,0 +1,550 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 #=====================================================================#
 #                       LibreChat Configuration                       #
 #=====================================================================#
 # Please refer to the reference documentation for assistance          #
 # with configuring your LibreChat environment.                        #
 #                                                                     #
 # https://www.librechat.ai/docs/configuration/dotenv                  #
 #=====================================================================#
 #==================================================#
 #               Server Configuration               #
 #==================================================#
 HOST=localhost
 PORT=3080
 MONGO_URI=mongodb://librechat:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_MONGODB_PASSWORD'] }}@mongodb:27017/librechat?replicaSet=rinoa
 DOMAIN_CLIENT=https://ai.trez.wtf
 DOMAIN_SERVER=https://ai.trez.wtf
 NO_INDEX=true
 # Use the address that is at most n number of hops away from the Express application.
 # req.socket.remoteAddress is the first hop, and the rest are looked for in the X-Forwarded-For header from right to left.
 # A value of 0 means that the first untrusted address would be req.socket.remoteAddress, i.e. there is no reverse proxy.
 # Defaulted to 1.
 TRUST_PROXY=1
 #===============#
 # JSON Logging  #
 #===============#
 # Use when process console logs in cloud deployment like GCP/AWS
 CONSOLE_JSON=true
 #===============#
 # Debug Logging #
 #===============#
 DEBUG_LOGGING=true
 DEBUG_CONSOLE=false
 #=============#
 # Permissions #
 #=============#
 # UID=1000
 # GID=1000
 #===============#
 # Configuration #
 #===============#
 # Use an absolute path, a relative path, or a URL
 # CONFIG_PATH="/alternative/path/to/librechat.yaml"
 #===================================================#
 #                     Endpoints                     #
 #===================================================#
 # ENDPOINTS=openAI,assistants,azureOpenAI,google,gptPlugins,anthropic
 PROXY=
 #===================================#
 # Known Endpoints - librechat.yaml  #
 #===================================#
 # https://www.librechat.ai/docs/configuration/librechat_yaml/ai_endpoints
 # ANYSCALE_API_KEY=
 # APIPIE_API_KEY=
 # COHERE_API_KEY=
 DEEPSEEK_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_DEEPSEEK_API_KEY'] }}
 # DATABRICKS_API_KEY=
 # FIREWORKS_API_KEY=
 # GROQ_API_KEY=
 # HUGGINGFACE_TOKEN=
 MISTRAL_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_MISTRAL_API_KEY'] }}
 # OPENROUTER_KEY=
 # PERPLEXITY_API_KEY=
 # SHUTTLEAI_API_KEY=
 # TOGETHERAI_API_KEY=
 # UNIFY_API_KEY=
 # XAI_API_KEY=
 #============#
 # Anthropic  #
 #============#
 ANTHROPIC_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_ANTHROPIC_API_KEY'] }}
 ANTHROPIC_MODELS=claude-3-7-sonnet-latest,claude-3-7-sonnet-20250219,claude-3-5-haiku-20241022,claude-3-5-sonnet-20241022,claude-3-5-sonnet-latest,claude-3-5-sonnet-20240620,claude-3-opus-20240229,claude-3-sonnet-20240229,claude-3-haiku-20240307,claude-2.1,claude-2,claude-1.2,claude-1,claude-1-100k,claude-instant-1,claude-instant-1-100k
 # ANTHROPIC_REVERSE_PROXY=
 #============#
 # Azure      #
 #============#
 # Note: these variables are DEPRECATED
 # Use the `librechat.yaml` configuration for `azureOpenAI` instead
 # You may also continue to use them if you opt out of using the `librechat.yaml` configuration
 # AZURE_OPENAI_DEFAULT_MODEL=gpt-3.5-turbo # Deprecated
 # AZURE_OPENAI_MODELS=gpt-3.5-turbo,gpt-4 # Deprecated
 # AZURE_USE_MODEL_AS_DEPLOYMENT_NAME=TRUE # Deprecated
 # AZURE_API_KEY= # Deprecated
 # AZURE_OPENAI_API_INSTANCE_NAME= # Deprecated
 # AZURE_OPENAI_API_DEPLOYMENT_NAME= # Deprecated
 # AZURE_OPENAI_API_VERSION= # Deprecated
 # AZURE_OPENAI_API_COMPLETIONS_DEPLOYMENT_NAME= # Deprecated
 # AZURE_OPENAI_API_EMBEDDINGS_DEPLOYMENT_NAME= # Deprecated
 # PLUGINS_USE_AZURE="true" # Deprecated
 #=================#
 #   AWS Bedrock   #
 #=================#
 # BEDROCK_AWS_DEFAULT_REGION=us-east-1 # A default region must be provided
 # BEDROCK_AWS_ACCESS_KEY_ID=someAccessKey
 # BEDROCK_AWS_SECRET_ACCESS_KEY=someSecretAccessKey
 # BEDROCK_AWS_SESSION_TOKEN=someSessionToken
 # Note: This example list is not meant to be exhaustive. If omitted, all known, supported model IDs will be included for you.
 # BEDROCK_AWS_MODELS=anthropic.claude-3-5-sonnet-20240620-v1:0,meta.llama3-1-8b-instruct-v1:0
 # See all Bedrock model IDs here: https://docs.aws.amazon.com/bedrock/latest/userguide/model-ids.html#model-ids-arns
 # Notes on specific models:
 # The following models are not support due to not supporting streaming:
 # ai21.j2-mid-v1
 # The following models are not support due to not supporting conversation history:
 # ai21.j2-ultra-v1, cohere.command-text-v14, cohere.command-light-text-v14
 #============#
 # Google     #
 #============#
 {# GOOGLE_KEY=user_provided #}
 # GOOGLE_REVERSE_PROXY=
 # Some reverse proxies do not support the X-goog-api-key header, uncomment to pass the API key in Authorization header instead.
 # GOOGLE_AUTH_HEADER=true
 # Gemini API (AI Studio)
 # GOOGLE_MODELS=gemini-2.0-flash-exp,gemini-2.0-flash-thinking-exp-1219,gemini-exp-1121,gemini-exp-1114,gemini-1.5-flash-latest,gemini-1.0-pro,gemini-1.0-pro-001,gemini-1.0-pro-latest,gemini-1.0-pro-vision-latest,gemini-1.5-pro-latest,gemini-pro,gemini-pro-vision
 # Vertex AI
 # GOOGLE_MODELS=gemini-1.5-flash-preview-0514,gemini-1.5-pro-preview-0514,gemini-1.0-pro-vision-001,gemini-1.0-pro-002,gemini-1.0-pro-001,gemini-pro-vision,gemini-1.0-pro
 # GOOGLE_TITLE_MODEL=gemini-pro
 # GOOGLE_LOC=us-central1
 # Google Safety Settings
 # NOTE: These settings apply to both Vertex AI and Gemini API (AI Studio)
 #
 # For Vertex AI:
 # To use the BLOCK_NONE setting, you need either:
 # (a) Access through an allowlist via your Google account team, or
 # (b) Switch to monthly invoiced billing: https://cloud.google.com/billing/docs/how-to/invoiced-billing
 #
 # For Gemini API (AI Studio):
 # BLOCK_NONE is available by default, no special account requirements.
 #
 # Available options: BLOCK_NONE, BLOCK_ONLY_HIGH, BLOCK_MEDIUM_AND_ABOVE, BLOCK_LOW_AND_ABOVE
 #
 # GOOGLE_SAFETY_SEXUALLY_EXPLICIT=BLOCK_ONLY_HIGH
 # GOOGLE_SAFETY_HATE_SPEECH=BLOCK_ONLY_HIGH
 # GOOGLE_SAFETY_HARASSMENT=BLOCK_ONLY_HIGH
 # GOOGLE_SAFETY_DANGEROUS_CONTENT=BLOCK_ONLY_HIGH
 # GOOGLE_SAFETY_CIVIC_INTEGRITY=BLOCK_ONLY_HIGH
 #============#
 # OpenAI     #
 #============#
 OPENAI_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_OPENAI_API_KEY'] }}
 OPENAI_MODELS=o1,o1-mini,o1-preview,gpt-4o,chatgpt-4o-latest,gpt-4o-mini,gpt-3.5-turbo-0125,gpt-3.5-turbo-0301,gpt-3.5-turbo,gpt-4,gpt-4-0613,gpt-4-vision-preview,gpt-3.5-turbo-0613,gpt-3.5-turbo-16k-0613,gpt-4-0125-preview,gpt-4-turbo-preview,gpt-4-1106-preview,gpt-3.5-turbo-1106,gpt-3.5-turbo-instruct,gpt-3.5-turbo-instruct-0914,gpt-3.5-turbo-16k
 DEBUG_OPENAI=false
 # TITLE_CONVO=false
 # OPENAI_TITLE_MODEL=gpt-4o-mini
 # OPENAI_SUMMARIZE=true
 # OPENAI_SUMMARY_MODEL=gpt-4o-mini
 # OPENAI_FORCE_PROMPT=true
 # OPENAI_REVERSE_PROXY=
 # OPENAI_ORGANIZATION=
 #====================#
 #   Assistants API   #
 #====================#
 # ASSISTANTS_API_KEY=user_provided
 # ASSISTANTS_BASE_URL=
 # ASSISTANTS_MODELS=gpt-4o,gpt-4o-mini,gpt-3.5-turbo-0125,gpt-3.5-turbo-16k-0613,gpt-3.5-turbo-16k,gpt-3.5-turbo,gpt-4,gpt-4-0314,gpt-4-32k-0314,gpt-4-0613,gpt-3.5-turbo-0613,gpt-3.5-turbo-1106,gpt-4-0125-preview,gpt-4-turbo-preview,gpt-4-1106-preview
 #==========================#
 #   Azure Assistants API   #
 #==========================#
 # Note: You should map your credentials with custom variables according to your Azure OpenAI Configuration
 # The models for Azure Assistants are also determined by your Azure OpenAI configuration.
 # More info, including how to enable use of Assistants with Azure here:
 # https://www.librechat.ai/docs/configuration/librechat_yaml/ai_endpoints/azure#using-assistants-with-azure
 #============#
 # OpenRouter #
 #============#
 # !!!Warning: Use the variable above instead of this one. Using this one will override the OpenAI endpoint
 # OPENROUTER_API_KEY=
 #============#
 # Plugins    #
 #============#
 # PLUGIN_MODELS=gpt-4o,gpt-4o-mini,gpt-4,gpt-4-turbo-preview,gpt-4-0125-preview,gpt-4-1106-preview,gpt-4-0613,gpt-3.5-turbo,gpt-3.5-turbo-0125,gpt-3.5-turbo-1106,gpt-3.5-turbo-0613
 # DEBUG_PLUGINS=
 CREDS_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_CREDS_KEY'] }}
 CREDS_IV={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_CREDS_IV'] }}
 # Azure AI Search
 #-----------------
 # AZURE_AI_SEARCH_SERVICE_ENDPOINT=
 # AZURE_AI_SEARCH_INDEX_NAME=
 # AZURE_AI_SEARCH_API_KEY=
 # AZURE_AI_SEARCH_API_VERSION=
 # AZURE_AI_SEARCH_SEARCH_OPTION_QUERY_TYPE=
 # AZURE_AI_SEARCH_SEARCH_OPTION_TOP=
 # AZURE_AI_SEARCH_SEARCH_OPTION_SELECT=
 # DALL·E
 #----------------
 # DALLE_API_KEY=
 # DALLE3_API_KEY=
 # DALLE2_API_KEY=
 # DALLE3_SYSTEM_PROMPT=
 # DALLE2_SYSTEM_PROMPT=
 # DALLE_REVERSE_PROXY=
 # DALLE3_BASEURL=
 # DALLE2_BASEURL=
 # DALL·E (via Azure OpenAI)
 # Note: requires some of the variables above to be set
 #----------------
 # DALLE3_AZURE_API_VERSION=
 # DALLE2_AZURE_API_VERSION=
 # Google
 #-----------------
 GOOGLE_SEARCH_API_KEY=
 GOOGLE_CSE_ID=
 # YOUTUBE
 #-----------------
 YOUTUBE_API_KEY=
 # SerpAPI
 #-----------------
 SERPAPI_API_KEY=
 # Stable Diffusion
 #-----------------
 SD_WEBUI_URL=http://stable-diffusion-webui:7860
 # Tavily
 #-----------------
 TAVILY_API_KEY=
 # Traversaal
 #-----------------
 TRAVERSAAL_API_KEY=
 # WolframAlpha
 #-----------------
 WOLFRAM_APP_ID=
 # Zapier
 #-----------------
 ZAPIER_NLA_API_KEY=
 #==================================================#
 #                      Search                      #
 #==================================================#
 SEARCH=true
 MEILI_NO_ANALYTICS=true
 MEILI_HOST=http://meilisearch:7700
 MEILI_MASTER_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MEILISEARCH_MASTER_KEY'] }}
 # Optional: Disable indexing, useful in a multi-node setup
 # where only one instance should perform an index sync.
 # MEILI_NO_SYNC=true
 #==================================================#
 #          Speech to Text & Text to Speech         #
 #==================================================#
 STT_API_KEY=
 TTS_API_KEY=
 #==================================================#
 #                        RAG                       #
 #==================================================#
 # More info: https://www.librechat.ai/docs/configuration/rag_api
 # RAG_OPENAI_BASEURL=
 # RAG_OPENAI_API_KEY=
 # RAG_USE_FULL_CONTEXT=
 # EMBEDDINGS_PROVIDER=openai
 # EMBEDDINGS_MODEL=text-embedding-3-small
 #===================================================#
 #                    User System                    #
 #===================================================#
 #========================#
 # Moderation             #
 #========================#
 OPENAI_MODERATION=false
 OPENAI_MODERATION_API_KEY=
 # OPENAI_MODERATION_REVERSE_PROXY=
 BAN_VIOLATIONS=true
 BAN_DURATION=1000 * 60 * 60 * 2
 BAN_INTERVAL=20
 LOGIN_VIOLATION_SCORE=1
 REGISTRATION_VIOLATION_SCORE=1
 CONCURRENT_VIOLATION_SCORE=1
 MESSAGE_VIOLATION_SCORE=1
 NON_BROWSER_VIOLATION_SCORE=20
 LOGIN_MAX=7
 LOGIN_WINDOW=5
 REGISTER_MAX=5
 REGISTER_WINDOW=60
 LIMIT_CONCURRENT_MESSAGES=true
 CONCURRENT_MESSAGE_MAX=2
 LIMIT_MESSAGE_IP=true
 MESSAGE_IP_MAX=40
 MESSAGE_IP_WINDOW=1
 LIMIT_MESSAGE_USER=false
 MESSAGE_USER_MAX=40
 MESSAGE_USER_WINDOW=1
 ILLEGAL_MODEL_REQ_SCORE=5
 #========================#
 # Balance                #
 #========================#
 CHECK_BALANCE=false
 # START_BALANCE=20000 # note: the number of tokens that will be credited after registration.
 #========================#
 # Registration and Login #
 #========================#
 ALLOW_EMAIL_LOGIN=true
 ALLOW_REGISTRATION=true
 ALLOW_SOCIAL_LOGIN=false
 ALLOW_SOCIAL_REGISTRATION=false
 ALLOW_PASSWORD_RESET=false
 # ALLOW_ACCOUNT_DELETION=true # note: enabled by default if omitted/commented out
 ALLOW_UNVERIFIED_EMAIL_LOGIN=true
 SESSION_EXPIRY=1000 * 60 * 15
 REFRESH_TOKEN_EXPIRY=(1000 * 60 * 60 * 24) * 7
 JWT_SECRET={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_JWT_SECRET'] }}
 JWT_REFRESH_SECRET={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_JWT_REFRESH_SECRET'] }}
 # Discord
 DISCORD_CLIENT_ID=
 DISCORD_CLIENT_SECRET=
 DISCORD_CALLBACK_URL=/oauth/discord/callback
 # Facebook
 FACEBOOK_CLIENT_ID=
 FACEBOOK_CLIENT_SECRET=
 FACEBOOK_CALLBACK_URL=/oauth/facebook/callback
 # GitHub
 GITHUB_CLIENT_ID=
 GITHUB_CLIENT_SECRET=
 GITHUB_CALLBACK_URL=/oauth/github/callback
 # GitHub Enterprise
 # GITHUB_ENTERPRISE_BASE_URL=
 # GITHUB_ENTERPRISE_USER_AGENT=
 # Google
 GOOGLE_CLIENT_ID=
 GOOGLE_CLIENT_SECRET=
 GOOGLE_CALLBACK_URL=/oauth/google/callback
 # Apple
 APPLE_CLIENT_ID=
 APPLE_TEAM_ID=
 APPLE_KEY_ID=
 APPLE_PRIVATE_KEY_PATH=
 APPLE_CALLBACK_URL=/oauth/apple/callback
 # OpenID
 OPENID_CLIENT_ID=
 OPENID_CLIENT_SECRET=
 OPENID_ISSUER=
 OPENID_SESSION_SECRET=
 OPENID_SCOPE="openid profile email"
 OPENID_CALLBACK_URL=/oauth/openid/callback
 OPENID_REQUIRED_ROLE=
 OPENID_REQUIRED_ROLE_TOKEN_KIND=
 OPENID_REQUIRED_ROLE_PARAMETER_PATH=
 # Set to determine which user info property returned from OpenID Provider to store as the User's username
 OPENID_USERNAME_CLAIM=
 # Set to determine which user info property returned from OpenID Provider to store as the User's name
 OPENID_NAME_CLAIM=
 OPENID_BUTTON_LABEL=
 OPENID_IMAGE_URL=
 # LDAP
 # LDAP_URL=
 # LDAP_BIND_DN=
 # LDAP_BIND_CREDENTIALS=
 # LDAP_USER_SEARCH_BASE=
 # LDAP_SEARCH_FILTER=mail=
 # LDAP_CA_CERT_PATH=
 # LDAP_TLS_REJECT_UNAUTHORIZED=
 # LDAP_LOGIN_USES_USERNAME=true
 # LDAP_ID=
 # LDAP_USERNAME=
 # LDAP_EMAIL=
 # LDAP_FULL_NAME=
 #========================#
 # Email Password Reset   #
 #========================#
 EMAIL_SERVICE=
 EMAIL_HOST=postal-smtp
 EMAIL_PORT=25
 EMAIL_ENCRYPTION=
 EMAIL_ENCRYPTION_HOSTNAME=
 EMAIL_ALLOW_SELFSIGNED=
 EMAIL_USERNAME=
 EMAIL_PASSWORD=
 EMAIL_FROM_NAME=
 EMAIL_FROM=noreply@librechat.ai
 #========================#
 # Firebase CDN           #
 #========================#
 # FIREBASE_API_KEY=
 # FIREBASE_AUTH_DOMAIN=
 # FIREBASE_PROJECT_ID=
 # FIREBASE_STORAGE_BUCKET=
 # FIREBASE_MESSAGING_SENDER_ID=
 # FIREBASE_APP_ID=
 #========================#
 # Shared Links           #
 #========================#
 ALLOW_SHARED_LINKS=true
 ALLOW_SHARED_LINKS_PUBLIC=true
 #==============================#
 # Static File Cache Control    #
 #==============================#
 # Leave commented out to use defaults: 1 day (86400 seconds) for s-maxage and 2 days (172800 seconds) for max-age
 # NODE_ENV must be set to production for these to take effect
 # STATIC_CACHE_MAX_AGE=172800
 # STATIC_CACHE_S_MAX_AGE=86400
 # If you have another service in front of your LibreChat doing compression, disable express based compression here
 # DISABLE_COMPRESSION=true
 #===================================================#
 #                        UI                         #
 #===================================================#
 APP_TITLE=LibreChat
 # CUSTOM_FOOTER="My custom footer"
 HELP_AND_FAQ_URL=https://librechat.ai
 # SHOW_BIRTHDAY_ICON=true
 # Google tag manager id
 #ANALYTICS_GTM_ID=user provided google tag manager id
 #===============#
 # REDIS Options #
 #===============#
 REDIS_URI=redis:6379
 USE_REDIS=true
 # USE_REDIS_CLUSTER=true
 # REDIS_CA=/path/to/ca.crt
 #==================================================#
 #                      Others                      #
 #==================================================#
 #   You should leave the following commented out   #
 # NODE_ENV=
 # E2E_USER_EMAIL=
 # E2E_USER_PASSWORD=
 #=====================================================#
 #                  Cache Headers                      #
 #=====================================================#
 #   Headers that control caching of the index.html    #
 #   Default configuration prevents caching to ensure  #
 #   users always get the latest version. Customize    #
 #   only if you understand caching implications.      #
 # INDEX_HTML_CACHE_CONTROL=no-cache, no-store, must-revalidate
 # INDEX_HTML_PRAGMA=no-cache
 # INDEX_HTML_EXPIRES=0
 # no-cache: Forces validation with server before using cached version
 # no-store: Prevents storing the response entirely
 # must-revalidate: Prevents using stale content when offline
 #=====================================================#
 #                  OpenWeather                        #
 #=====================================================#
 OPENWEATHER_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['HOMEPAGE_OPENWEATHERMAP_API_KEY'] }}
@@ -0,0 +1,33 @@
 version: 1.0.0
 endpoints:
  custom:
    - name: "ollama"
      apiKey: "ollama"
      baseURL: "http://ollama:11434/v1/chat/completions"
      models:
        default: [
          "deepseek-r1:1.5b",
          "deepseek-coder-v2:16b",
          "deepseek-v3:671b",
          "llama3.3:70b",
          "phi4:14b",
          "qwen2.5",
          "llama2:7b",
          "mistral:7b",
          "codellama:7b",
          "tinyllama:1.1b",
          "starcoder2:3b",
          "dolphin-mistral:7b",
          "smollm2:1.7b",
          "orca-mini:3b",
          "mistral-openorca:7b"
        ]
 # fetching list of models is supported but the `name` field must start
 # with `ollama` (case-insensitive), as it does in this example.
        fetch: true
      titleConvo: true
      titleModel: "current_model"
      summarize: false
      summaryModel: "current_model"
      forcePrompt: false
      modelDisplayLabel: "Ollama"
@@ -0,0 +1,106 @@
 {
  "Stuns": [
    {
      "Proto": "udp",
      "URI": "stun:netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:3478",
      "Username": "",
      "Password": null
    }
  ],
  "TURNConfig": {
    "Turns": [
      {
        "Proto": "udp",
        "URI": "turn:netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:3478",
        "Username": "self",
        "Password": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_TURN_PASSWORD'] }}"
      }
    ],
    "CredentialsTTL": "12h",
    "Secret": "secret",
    "TimeBasedCredentials": false
  },
  "Relay": {
    "Addresses": [
      "rel://netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:33080"
    ],
    "CredentialsTTL": "24h",
    "Secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_RELAY_AUTH_SECRET'] }}"
  },
  "Signal": {
    "Proto": "https",
    "URI": "netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:10001",
    "Username": "",
    "Password": null
  },
  "ReverseProxy": {
    "TrustedHTTPProxies": [],
    "TrustedHTTPProxiesCount": 0,
    "TrustedPeers": [
      "0.0.0.0/0"
    ]
  },
  "Datadir": "",
  "DataStoreEncryptionKey": "",
  "StoreConfig": {
    "Engine": "sqlite"
  },
  "HttpConfig": {
    "Address": "0.0.0.0:33073",
    "AuthIssuer": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}",
    "AuthAudience": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_ZITADEL_CLIENT_ID'] }}",
    "AuthKeysLocation": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/oauth/v2/keys",
    "AuthUserIDClaim": "",
    "CertFile": "",
    "CertKey": "",
    "IdpSignKeyRefreshEnabled": true,
    "OIDCConfigEndpoint": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/.well-known/openid-configuration"
  },
  "IdpManagerConfig": {
    "ManagerType": "zitadel",
    "ClientConfig": {
      "Issuer": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}",
      "TokenEndpoint": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/oauth/v2/token",
      "ClientID": "netbird",
      "ClientSecret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_ZITADEL_CLIENT_SECRET'] }}",
      "GrantType": "client_credentials"
    },
    "ExtraConfig": {
      "ManagementEndpoint": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/management/v1"
    },
    "Auth0ClientCredentials": null,
    "AzureClientCredentials": null,
    "KeycloakClientCredentials": null,
    "ZitadelClientCredentials": null
  },
  "DeviceAuthorizationFlow": {
    "Provider": "hosted",
    "ProviderConfig": {
      "Audience": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_ZITADEL_CLIENT_ID'] }}",
      "AuthorizationEndpoint": "",
      "Domain": "",
      "ClientID": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_ZITADEL_CLIENT_ID'] }}",
      "ClientSecret": "",
      "TokenEndpoint": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/oauth/v2/token",
      "DeviceAuthEndpoint": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/oauth/v2/device_authorization",
      "Scope": "openid",
      "UseIDToken": false,
      "RedirectURLs": null
    }
  },
  "PKCEAuthorizationFlow": {
    "ProviderConfig": {
      "Audience": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_ZITADEL_CLIENT_ID'] }}",
      "ClientID": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_ZITADEL_CLIENT_ID'] }}",
      "ClientSecret": "",
      "Domain": "",
      "AuthorizationEndpoint": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/oauth/v2/authorize",
      "TokenEndpoint": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/oauth/v2/token",
      "Scope": "openid profile email offline_access api",
      "RedirectURLs": [
        "http://localhost:53000"
      ],
      "UseIDToken": false
    }
  }
 }
@@ -0,0 +1,122 @@
 {
    "issuer": "https://id.trez.wtf",
    "authorization_endpoint": "https://id.trez.wtf/oauth/v2/authorize",
    "token_endpoint": "https://id.trez.wtf/oauth/v2/token",
    "introspection_endpoint": "https://id.trez.wtf/oauth/v2/introspect",
    "userinfo_endpoint": "https://id.trez.wtf/oidc/v1/userinfo",
    "revocation_endpoint": "https://id.trez.wtf/oauth/v2/revoke",
    "end_session_endpoint": "https://id.trez.wtf/oidc/v1/end_session",
    "device_authorization_endpoint": "https://id.trez.wtf/oauth/v2/device_authorization",
    "jwks_uri": "https://id.trez.wtf/oauth/v2/keys",
    "scopes_supported": [
        "openid",
        "profile",
        "email",
        "phone",
        "address",
        "offline_access"
    ],
    "response_types_supported": [
        "code",
        "id_token",
        "id_token token"
    ],
    "response_modes_supported": [
        "query",
        "fragment",
        "form_post"
    ],
    "grant_types_supported": [
        "authorization_code",
        "implicit",
        "refresh_token",
        "client_credentials",
        "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "urn:ietf:params:oauth:grant-type:device_code"
    ],
    "subject_types_supported": [
        "public"
    ],
    "id_token_signing_alg_values_supported": [
        "RS256"
    ],
    "request_object_signing_alg_values_supported": [
        "RS256"
    ],
    "token_endpoint_auth_methods_supported": [
        "none",
        "client_secret_basic",
        "client_secret_post",
        "private_key_jwt"
    ],
    "token_endpoint_auth_signing_alg_values_supported": [
        "RS256"
    ],
    "revocation_endpoint_auth_methods_supported": [
        "none",
        "client_secret_basic",
        "client_secret_post",
        "private_key_jwt"
    ],
    "revocation_endpoint_auth_signing_alg_values_supported": [
        "RS256"
    ],
    "introspection_endpoint_auth_methods_supported": [
        "client_secret_basic",
        "private_key_jwt"
    ],
    "introspection_endpoint_auth_signing_alg_values_supported": [
        "RS256"
    ],
    "claims_supported": [
        "sub",
        "aud",
        "exp",
        "iat",
        "iss",
        "auth_time",
        "nonce",
        "acr",
        "amr",
        "c_hash",
        "at_hash",
        "act",
        "scopes",
        "client_id",
        "azp",
        "preferred_username",
        "name",
        "family_name",
        "given_name",
        "locale",
        "email",
        "email_verified",
        "phone_number",
        "phone_number_verified"
    ],
    "code_challenge_methods_supported": [
        "S256"
    ],
    "ui_locales_supported": [
        "bg",
        "cs",
        "de",
        "en",
        "es",
        "fr",
        "hu",
        "id",
        "it",
        "ja",
        "ko",
        "mk",
        "nl",
        "pl",
        "pt",
        "ru",
        "sv",
        "zh"
    ],
    "request_parameter_supported": true,
    "request_uri_parameter_supported": false
 }
@@ -0,0 +1,725 @@
 # Coturn TURN SERVER configuration file
 #
 # Boolean values note: where a boolean value is supposed to be used,
 # you can use '0', 'off', 'no', 'false', or 'f' as 'false,
 # and you can use '1', 'on', 'yes', 'true', or 't' as 'true'
 # If the value is missing, then it means 'true' by default.
 #
 # Listener interface device (optional, Linux only).
 # NOT RECOMMENDED.
 #
 #listening-device=eth0
 # TURN listener port for UDP and TCP (Default: 3478).
 # Note: actually, TLS & DTLS sessions can connect to the
 # "plain" TCP & UDP port(s), too - if allowed by configuration.
 #
 listening-port=3478
 # TURN listener port for TLS (Default: 5349).
 # Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
 # port(s), too - if allowed by configuration. The TURN server
 # "automatically" recognizes the type of traffic. Actually, two listening
 # endpoints (the "plain" one and the "tls" one) are equivalent in terms of
 # functionality; but Coturn keeps both endpoints to satisfy the RFC 5766 specs.
 # For secure TCP connections, Coturn currently supports SSL version 3 and
 # TLS version 1.0, 1.1 and 1.2.
 # For secure UDP connections, Coturn supports DTLS version 1.
 #
 tls-listening-port=5349
 # Alternative listening port for UDP and TCP listeners;
 # default (or zero) value means "listening port plus one".
 # This is needed for RFC 5780 support
 # (STUN extension specs, NAT behavior discovery). The TURN Server
 # supports RFC 5780 only if it is started with more than one
 # listening IP address of the same family (IPv4 or IPv6).
 # RFC 5780 is supported only by UDP protocol, other protocols
 # are listening to that endpoint only for "symmetry".
 #
 #alt-listening-port=0
 # Alternative listening port for TLS and DTLS protocols.
 # Default (or zero) value means "TLS listening port plus one".
 #
 #alt-tls-listening-port=0
 # Some network setups will require using a TCP reverse proxy in front
 # of the STUN server. If the proxy port option is set a single listener
 # is started on the given port that accepts connections using the
 # haproxy proxy protocol v2.
 # (https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)
 #
 #tcp-proxy-port=5555
 # Listener IP address of relay server. Multiple listeners can be specified.
 # If no IP(s) specified in the config file or in the command line options,
 # then all IPv4 and IPv6 system IPs will be used for listening.
 #
 #listening-ip=172.17.19.101
 #listening-ip=10.207.21.238
 #listening-ip=2607:f0d0:1002:51::4
 # Auxiliary STUN/TURN server listening endpoint.
 # Aux servers have almost full TURN and STUN functionality.
 # The (minor) limitations are:
 #
 # 1) Auxiliary servers do not have alternative ports and
 # they do not support STUN RFC 5780 functionality (CHANGE REQUEST).
 #
 # 2) Auxiliary servers also are never returning ALTERNATIVE-SERVER reply.
 #
 # Valid formats are 1.2.3.4:5555 for IPv4 and [1:2::3:4]:5555 for IPv6.
 #
 # There may be multiple aux-server options, each will be used for listening
 # to client requests.
 #
 #aux-server=172.17.19.110:33478
 #aux-server=[2607:f0d0:1002:51::4]:33478
 # (recommended for older Linuxes only)
 # Automatically balance UDP traffic over auxiliary servers (if configured).
 # The load balancing is using the ALTERNATE-SERVER mechanism.
 # The TURN client must support 300 ALTERNATE-SERVER response for this
 # functionality.
 #
 #udp-self-balance
 # Relay interface device for relay sockets (optional, Linux only).
 # NOT RECOMMENDED.
 #
 #relay-device=eth1
 # Relay address (the local IP address that will be used to relay the
 # packets to the peer).
 # Multiple relay addresses may be used.
 # The same IP(s) can be used as both listening IP(s) and relay IP(s).
 #
 # If no relay IP(s) specified, then the turnserver will apply the default
 # policy: it will decide itself which relay addresses to be used, and it
 # will always be using the client socket IP address as the relay IP address
 # of the TURN session (if the requested relay address family is the same
 # as the family of the client socket).
 #
 #relay-ip=172.17.19.105
 #relay-ip=2607:f0d0:1002:51::5
 # For Amazon EC2 users:
 #
 # TURN Server public/private address mapping, if the server is behind NAT.
 # In that situation, if a -X is used in form "-X <ip>" then that ip will be reported
 # as relay IP address of all allocations. This scenario works only in a simple case
 # when one single relay address is be used, and no RFC5780 functionality is required.
 # That single relay address must be mapped by NAT to the 'external' IP.
 # The "external-ip" value, if not empty, is returned in XOR-RELAYED-ADDRESS field.
 # For that 'external' IP, NAT must forward ports directly (relayed port 12345
 # must be always mapped to the same 'external' port 12345).
 #
 # In more complex case when more than one IP address is involved,
 # that option must be used several times, each entry must
 # have form "-X <public-ip/private-ip>", to map all involved addresses.
 # RFC5780 NAT discovery STUN functionality will work correctly,
 # if the addresses are mapped properly, even when the TURN server itself
 # is behind A NAT.
 #
 # By default, this value is empty, and no address mapping is used.
 #
 # external-ip=193.224.22.37
 #
 #OR:
 #
 #external-ip=60.70.80.91/172.17.19.101
 #external-ip=60.70.80.92/172.17.19.102
 external-ip=108.29.206.17
 # Number of the relay threads to handle the established connections
 # (in addition to authentication thread and the listener thread).
 # If explicitly set to 0 then application runs relay process in a
 # single thread, in the same thread with the listener process
 # (the authentication thread will still be a separate thread).
 #
 # If this parameter is not set, then the default OS-dependent
 # thread pattern algorithm will be employed. Usually the default
 # algorithm is optimal, so you have to change this option
 # if you want to make some fine tweaks.
 #
 # In the older systems (Linux kernel before 3.9),
 # the number of UDP threads is always one thread per network listening
 # endpoint - including the auxiliary endpoints - unless 0 (zero) or
 # 1 (one) value is set.
 #
 #relay-threads=0
 # Lower and upper bounds of the UDP relay endpoints:
 # (default values are 49152 and 65535)
 #
 min-port=49152
 max-port=65535
 # Uncomment to run TURN server in 'normal' 'moderate' verbose mode.
 # By default the verbose mode is off.
 #verbose
 # Uncomment to run TURN server in 'extra' verbose mode.
 # This mode is very annoying and produces lots of output.
 # Not recommended under normal circumstances.
 #
 #Verbose
 # Uncomment to use fingerprints in the TURN messages.
 # By default the fingerprints are off.
 #
 fingerprint
 # Uncomment to use long-term credential mechanism.
 # By default no credentials mechanism is used (any user allowed).
 #
 lt-cred-mech
 # This option is the opposite of lt-cred-mech.
 # (TURN Server with no-auth option allows anonymous access).
 # If neither option is defined, and no users are defined,
 # then no-auth is default. If at least one user is defined,
 # in this file, in command line or in usersdb file, then
 # lt-cred-mech is default.
 #
 #no-auth
 # TURN REST API flag.
 # (Time Limited Long Term Credential)
 # Flag that sets a special authorization option that is based upon authentication secret.
 #
 # This feature's purpose is to support "TURN Server REST API", see
 # "TURN REST API" link in the project's page
 # https://github.com/coturn/coturn/
 #
 # This option is used with timestamp:
 #
 # usercombo -> "timestamp:userid"
 # turn user -> usercombo
 # turn password -> base64(hmac(secret key, usercombo))
 #
 # This allows TURN credentials to be accounted for a specific user id.
 # If you don't have a suitable id, then the timestamp alone can be used.
 # This option is enabled by turning on secret-based authentication.
 # The actual value of the secret is defined either by the option static-auth-secret,
 # or can be found in the turn_secret table in the database (see below).
 #
 # Read more about it:
 #  - https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00
 #  - https://www.ietf.org/proceedings/87/slides/slides-87-behave-10.pdf
 #
 # Be aware that use-auth-secret overrides some parts of lt-cred-mech.
 # The use-auth-secret feature depends internally on lt-cred-mech, so if you set
 # this option then it automatically enables lt-cred-mech internally
 # as if you had enabled both.
 #
 # Note that you can use only one auth mechanism at the same time! This is because,
 # both mechanisms conduct username and password validation in different ways.
 #
 # Use either lt-cred-mech or use-auth-secret in the conf
 # to avoid any confusion.
 #
 #use-auth-secret
 # 'Static' authentication secret value (a string) for TURN REST API only.
 # If not set, then the turn server
 # will try to use the 'dynamic' value in the turn_secret table
 # in the user database (if present). The database-stored  value can be changed on-the-fly
 # by a separate program, so this is why that mode is considered 'dynamic'.
 #
 #static-auth-secret=north
 # Server name used for
 # the oAuth authentication purposes.
 # The default value is the realm name.
 #
 # server-name=stun.wiretrustee.com
 # Flag that allows oAuth authentication.
 #
 #oauth
 # 'Static' user accounts for the long term credentials mechanism, only.
 # This option cannot be used with TURN REST API.
 # 'Static' user accounts are NOT dynamically checked by the turnserver process,
 # so they can NOT be changed while the turnserver is running.
 #
 #user=username1:key1
 #user=username2:key2
 # OR:
 user=self:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_TURN_PASSWORD'] }}
 #user=username2:password2
 #
 # Keys must be generated by turnadmin utility. The key value depends
 # on user name, realm, and password:
 #
 # Example:
 # $ turnadmin -k -u ninefingers -r north.gov -p youhavetoberealistic
 # Output: 0xbc807ee29df3c9ffa736523fb2c4e8ee
 # ('0x' in the beginning of the key is what differentiates the key from
 # password. If it has 0x then it is a key, otherwise it is a password).
 #
 # The corresponding user account entry in the config file will be:
 #
 #user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee
 # Or, equivalently, with open clear password (less secure):
 #user=ninefingers:youhavetoberealistic
 #
 # SQLite database file name.
 #
 # The default file name is /var/db/turndb or /usr/local/var/db/turndb or
 # /var/lib/turn/turndb.
 #
 #userdb=/var/db/turndb
 # PostgreSQL database connection string in the case that you are using PostgreSQL
 # as the user database.
 # This database can be used for the long-term credential mechanism
 # and it can store the secret value for secret-based timed authentication in TURN REST API.
 # See http://www.postgresql.org/docs/8.4/static/libpq-connect.html for 8.x PostgreSQL
 # versions connection string format, see
 # http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING
 # for 9.x and newer connection string formats.
 #
 #psql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> connect_timeout=30"
 # MySQL database connection string in the case that you are using MySQL
 # as the user database.
 # This database can be used for the long-term credential mechanism
 # and it can store the secret value for secret-based timed authentication in TURN REST API.
 #
 # Optional connection string parameters for the secure communications (SSL):
 # ca, capath, cert, key, cipher
 # (see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the
 # command options description).
 #
 # Use the string format below (space separated parameters, all optional):
 #
 # mysql-userdb="host=mysql dbname=coturn user=coturn password=CHANGE_ME port=3306 connect_timeout=10 read_timeout=10"
 # If you want to use an encrypted password in the MySQL connection string,
 # then set the MySQL password encryption secret key file with this option.
 #
 # Warning: If this option is set, then the mysql password must be set in "mysql-userdb" in an encrypted format!
 # If you want to use a cleartext password then do not set this option!
 #
 # This is the file path for the aes encrypted secret key used for password encryption.
 #
 #secret-key-file=/path/
 # MongoDB database connection string in the case that you are using MongoDB
 # as the user database.
 # This database can be used for long-term credential mechanism
 # and it can store the secret value for secret-based timed authentication in TURN REST API.
 # Use the string format described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html
 #
 #mongo-userdb="mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]"
 # Redis database connection string in the case that you are using Redis
 # as the user database.
 # This database can be used for long-term credential mechanism
 # and it can store the secret value for secret-based timed authentication in TURN REST API.
 # Use the string format below (space separated parameters, all optional):
 #
 #redis-userdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
 # Redis status and statistics database connection string, if used (default - empty, no Redis stats DB used).
 # This database keeps allocations status information, and it can be also used for publishing
 # and delivering traffic and allocation event notifications.
 # The connection string has the same parameters as redis-userdb connection string.
 # Use the string format below (space separated parameters, all optional):
 #
 #redis-statsdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
 # The default realm to be used for the users when no explicit
 # origin/realm relationship is found in the database, or if the TURN
 # server is not using any database (just the commands-line settings
 # and the userdb file). Must be used with long-term credentials
 # mechanism or with TURN REST API.
 #
 # Note: If the default realm is not specified, then realm falls back to the host domain name.
 #       If the domain name string is empty, or set to '(None)', then it is initialized as an empty string.
 #
 # realm=wiretrustee.com
 # This flag sets the origin consistency
 # check. Across the session, all requests must have the same
 # main ORIGIN attribute value (if the ORIGIN was
 # initially used by the session).
 #
 #check-origin-consistency
 # Per-user allocation quota.
 # default value is 0 (no quota, unlimited number of sessions per user).
 # This option can also be set through the database, for a particular realm.
 #
 #user-quota=0
 # Total allocation quota.
 # default value is 0 (no quota).
 # This option can also be set through the database, for a particular realm.
 #
 #total-quota=0
 # Max bytes-per-second bandwidth a TURN session is allowed to handle
 # (input and output network streams are treated separately). Anything above
 # that limit will be dropped or temporarily suppressed (within
 # the available buffer limits).
 # This option can also be set through the database, for a particular realm.
 #
 #max-bps=0
 #
 # Maximum server capacity.
 # Total bytes-per-second bandwidth the TURN server is allowed to allocate
 # for the sessions, combined (input and output network streams are treated separately).
 #
 # bps-capacity=0
 # Uncomment if no UDP client listener is desired.
 # By default UDP client listener is always started.
 #
 #no-udp
 # Uncomment if no TCP client listener is desired.
 # By default TCP client listener is always started.
 #
 #no-tcp
 # Uncomment if no TLS client listener is desired.
 # By default TLS client listener is always started.
 #
 #no-tls
 # Uncomment if no DTLS client listener is desired.
 # By default DTLS client listener is always started.
 #
 #no-dtls
 # Uncomment if no UDP relay endpoints are allowed.
 # By default UDP relay endpoints are enabled (like in RFC 5766).
 #
 #no-udp-relay
 # Uncomment if no TCP relay endpoints are allowed.
 # By default TCP relay endpoints are enabled (like in RFC 6062).
 #
 #no-tcp-relay
 # Uncomment if extra security is desired,
 # with nonce value having a limited lifetime.
 # The nonce value is unique for a session.
 # Set this option to limit the nonce lifetime.
 # Set it to 0 for unlimited lifetime.
 # It defaults to 600 secs (10 min) if no value is provided. After that delay,
 # the client will get 438 error and will have to re-authenticate itself.
 #
 #stale-nonce=600
 # Uncomment if you want to set the maximum allocation
 # time before it has to be refreshed.
 # Default is 3600s.
 #
 #max-allocate-lifetime=3600
 # Uncomment to set the lifetime for the channel.
 # Default value is 600 secs (10 minutes).
 # This value MUST not be changed for production purposes.
 #
 #channel-lifetime=600
 # Uncomment to set the permission lifetime.
 # Default to 300 secs (5 minutes).
 # In production this value MUST not be changed,
 # however it can be useful for test purposes.
 #
 #permission-lifetime=300
 # Certificate file.
 # Use an absolute path or path relative to the
 # configuration file.
 # Use PEM file format.
 #
 cert=/etc/coturn/certs/cert.pem
 # Private key file.
 # Use an absolute path or path relative to the
 # configuration file.
 # Use PEM file format.
 #
 pkey=/etc/coturn/private/privkey.pem
 # Private key file password, if it is in encoded format.
 # This option has no default value.
 #
 #pkey-pwd=...
 # Allowed OpenSSL cipher list for TLS/DTLS connections.
 # Default value is "DEFAULT".
 #
 #cipher-list="DEFAULT"
 # CA file in OpenSSL format.
 # Forces TURN server to verify the client SSL certificates.
 # By default this is not set: there is no default value and the client
 # certificate is not checked.
 #
 # Example:
 #CA-file=/etc/ssh/id_rsa.cert
 # Curve name for EC ciphers, if supported by OpenSSL
 # library (TLS and DTLS). The default value is prime256v1,
 # if pre-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+,
 # an optimal curve will be automatically calculated, if not defined
 # by this option.
 #
 #ec-curve-name=prime256v1
 # Use 566 bits predefined DH TLS key. Default size of the key is 2066.
 #
 #dh566
 # Use 1066 bits predefined DH TLS key. Default size of the key is 2066.
 #
 #dh1066
 # Use custom DH TLS key, stored in PEM format in the file.
 # Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.
 #
 #dh-file=<DH-PEM-file-name>
 # Flag to prevent stdout log messages.
 # By default, all log messages go to both stdout and to
 # the configured log file. With this option everything will
 # go to the configured log only (unless the log file itself is stdout).
 #
 #no-stdout-log
 # Option to set the log file name.
 # By default, the turnserver tries to open a log file in
 # /var/log, /var/tmp, /tmp and the current directory
 # (Whichever file open operation succeeds first will be used).
 # With this option you can set the definite log file name.
 # The special names are "stdout" and "-" - they will force everything
 # to the stdout. Also, the "syslog" name will force everything to
 # the system log (syslog).
 # In the runtime, the logfile can be reset with the SIGHUP signal
 # to the turnserver process.
 #
 log-file=stdout
 # Option to redirect all log output into system log (syslog).
 #
 # syslog
 # This flag means that no log file rollover will be used, and the log file
 # name will be constructed as-is, without PID and date appendage.
 # This option can be used, for example, together with the logrotate tool.
 #
 #simple-log
 # Option to set the "redirection" mode. The value of this option
 # will be the address of the alternate server for UDP & TCP service in the form of
 # <ip>[:<port>]. The server will send this value in the attribute
 # ALTERNATE-SERVER, with error 300, on ALLOCATE request, to the client.
 # Client will receive only values with the same address family
 # as the client network endpoint address family.
 # See RFC 5389 and RFC 5766 for the description of ALTERNATE-SERVER functionality.
 # The client must use the obtained value for subsequent TURN communications.
 # If more than one --alternate-server option is provided, then the functionality
 # can be more accurately described as "load-balancing" than a mere "redirection".
 # If the port number is omitted, then the default port
 # number 3478 for the UDP/TCP protocols will be used.
 # Colon (:) characters in IPv6 addresses may conflict with the syntax of
 # the option. To alleviate this conflict, literal IPv6 addresses are enclosed
 # in square brackets in such resource identifiers, for example:
 # [2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 .
 # Multiple alternate servers can be set. They will be used in the
 # round-robin manner. All servers in the pool are considered of equal weight and
 # the load will be distributed equally. For example, if you have 4 alternate servers,
 # then each server will receive 25% of ALLOCATE requests. A alternate TURN server
 # address can be used more than one time with the alternate-server option, so this
 # can emulate "weighting" of the servers.
 #
 # Examples:
 #alternate-server=1.2.3.4:5678
 #alternate-server=11.22.33.44:56789
 #alternate-server=5.6.7.8
 #alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
 # Option to set alternative server for TLS & DTLS services in form of
 # <ip>:<port>. If the port number is omitted, then the default port
 # number 5349 for the TLS/DTLS protocols will be used. See the previous
 # option for the functionality description.
 #
 # Examples:
 #tls-alternate-server=1.2.3.4:5678
 #tls-alternate-server=11.22.33.44:56789
 #tls-alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
 # Option to suppress TURN functionality, only STUN requests will be processed.
 # Run as STUN server only, all TURN requests will be ignored.
 # By default, this option is NOT set.
 #
 #stun-only
 # Option to hide software version. Enhance security when used in production.
 # Revealing the specific software version of the agent through the
 # SOFTWARE attribute might allow them to become more vulnerable to
 # attacks against software that is known to contain security holes.
 # Implementers SHOULD make usage of the SOFTWARE attribute a
 # configurable option (https://tools.ietf.org/html/rfc5389#section-16.1.2)
 #
 no-software-attribute
 # Option to suppress STUN functionality, only TURN requests will be processed.
 # Run as TURN server only, all STUN requests will be ignored.
 # By default, this option is NOT set.
 #
 #no-stun
 # This is the timestamp/username separator symbol (character) in TURN REST API.
 # The default value is ':'.
 # rest-api-separator=:
 # Flag that can be used to allow peers on the loopback addresses (127.x.x.x and ::1).
 # This is an extra security measure.
 #
 # (To avoid any security issue that allowing loopback access may raise,
 # the no-loopback-peers option is replaced by allow-loopback-peers.)
 #
 # Allow it only for testing in a development environment!
 # In production it adds a possible security vulnerability, so for security reasons
 # it is not allowed using it together with empty cli-password.
 #
 #allow-loopback-peers
 # Flag that can be used to disallow peers on well-known broadcast addresses (224.0.0.0 and above, and FFXX:*).
 # This is an extra security measure.
 #
 #no-multicast-peers
 # Option to set the max time, in seconds, allowed for full allocation establishment.
 # Default is 60 seconds.
 #
 #max-allocate-timeout=60
 # Option to allow or ban specific ip addresses or ranges of ip addresses.
 # If an ip address is specified as both allowed and denied, then the ip address is
 # considered to be allowed. This is useful when you wish to ban a range of ip
 # addresses, except for a few specific ips within that range.
 #
 # This can be used when you do not want users of the turn server to be able to access
 # machines reachable by the turn server, but would otherwise be unreachable from the
 # internet (e.g. when the turn server is sitting behind a NAT)
 #
 # Examples:
 # denied-peer-ip=83.166.64.0-83.166.95.255
 # allowed-peer-ip=83.166.68.45
 # File name to store the pid of the process.
 # Default is /var/run/turnserver.pid (if superuser account is used) or
 # /var/tmp/turnserver.pid .
 #
 pidfile="/var/tmp/turnserver.pid"
 # Require authentication of the STUN Binding request.
 # By default, the clients are allowed anonymous access to the STUN Binding functionality.
 #
 #secure-stun
 # Mobility with ICE (MICE) specs support.
 #
 #mobility
 # Allocate Address Family according
 # If enabled then TURN server allocates address family according  the TURN
 # Client <=> Server communication address family.
 # (By default Coturn works according RFC 6156.)
 # !!Warning: Enabling this option breaks RFC6156 section-4.2 (violates use default IPv4)!!
 #
 #keep-address-family
 # User name to run the process. After the initialization, the turnserver process
 # will attempt to change the current user ID to that user.
 #
 #proc-user=<user-name>
 # Group name to run the process. After the initialization, the turnserver process
 # will attempt to change the current group ID to that group.
 #
 #proc-group=<group-name>
 # Turn OFF the CLI support.
 # By default it is always ON.
 # See also options cli-ip and cli-port.
 #
 no-cli
 #Local system IP address to be used for CLI server endpoint. Default value
 # is 127.0.0.1.
 #
 # cli-ip=127.0.0.1
 # CLI server port. Default is 5766.
 #
 # cli-port=5766
 # CLI access password. Default is empty (no password).
 # For the security reasons, it is recommended that you use the encrypted
 # form of the password (see the -P command in the turnadmin utility).
 #
 # Secure form for password 'qwerty':
 #
 #cli-password=$5$79a316b350311570$81df9cfb9af7f5e5a76eada31e7097b663a0670f99a3c07ded3f1c8e59c5658a
 #
 # Or insecure form for the same password:
 #
 # cli-password=CHANGE_ME
 # Enable Web-admin support on https. By default it is Disabled.
 # If it is enabled it also enables a http a simple static banner page
 # with a small reminder that the admin page is available only on https.
 #
 #web-admin
 # Local system IP address to be used for Web-admin server endpoint. Default value is 127.0.0.1.
 #
 #web-admin-ip=127.0.0.1
 # Web-admin server port. Default is 8080.
 #
 #web-admin-port=8080
 # Web-admin server listen on STUN/TURN worker threads
 # By default it is disabled for security reasons! (Not recommended in any production environment!)
 #
 #web-admin-listen-on-workers
 # Server relay. NON-STANDARD AND DANGEROUS OPTION.
 # Only for those applications when you want to run
 # server applications on the relay endpoints.
 # This option eliminates the IP permissions check on
 # the packets incoming to the relay endpoints.
 #
 #server-relay
 # Maximum number of output sessions in ps CLI command.
 # This value can be changed on-the-fly in CLI. The default value is 256.
 #
 #cli-max-output-sessions
 # Set network engine type for the process (for internal purposes).
 #
 #ne=[1|2|3]
 # Do not allow an TLS/DTLS version of protocol
 #
 #no-tlsv1
 #no-tlsv1_1
 #no-tlsv1_2
@@ -30,6 +30,9 @@ message_db:
 smtp_server:
  default_port: 25
  default_bind_address: "::"
  tls_enabled: true
  tls_certificate_path: /config/certs/fullchain.pem
  tls_private_key_path: /config/certs/privkey.pem
 dns:
  # Specify the DNS records that you have configured. Refer to the documentation at
@@ -342,7 +342,7 @@ host = news.newshosting.com
 port = 563
 timeout = 60
 username = thetrezuredone
-password = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSKD_PASSWORD'] }}
+password = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSK_USER_PASSWORD'] }}
 connections = 8
 ssl = 1
 ssl_verify = 3
@@ -1,5 +1,5 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = rinoa-docker/env %}
+{% set secrets_path = 'rinoa-docker/env' %}
 <Config>
  <LogLevel>info</LogLevel>
@@ -8,7 +8,7 @@
  <SslPort>9898</SslPort>
  <UrlBase></UrlBase>
  <BindAddress>*</BindAddress>
-  <ApiKey>386baee1c0e741bea4a91f1f39c57f68</ApiKey>
+  <ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SONARR_API_KEY'] }}</ApiKey>
  <AuthenticationMethod>Forms</AuthenticationMethod>
  <UpdateMechanism>Docker</UpdateMechanism>
  <LaunchBrowser>True</LaunchBrowser>
@@ -0,0 +1,76 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 [Lidarr]
 api_key = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIDARR_API_KEY'] }}
 host_url = http://lidarr:8686
 #This should be the path mounted in lidarr that points to your slskd download directory.
 #If Lidarr is not running in Docker then this may just be the same dir as Slskd is using below.
 download_dir = /storage
 [Slskd]
 #Api key from Slskd. Need to set this up manually. See link to Slskd docs above.
 api_key = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSKD_API_KEY'] }}
 host_url = http://gluetun:5030
 #Slskd download directory. Should have set it up when installing Slskd.
 download_dir = /app/downloads
 #Removes searches from Slskd after the search finishes.
 delete_searches = False
 #Maximum time (in seconds) that the script will wait for downloads to complete.
 #This is used to prevent the script from running forever due to a stalled download. Defaults to 1 hour.
 stalled_timeout = 3600
 [Release Settings]
 #Selects the release with the most common amount of tracks out of all the releases.
 use_most_common_tracknum = True
 allow_multi_disc = True
 #See full list of countries below.
 accepted_countries = Europe,Japan,United Kingdom,United States,[Worldwide],Australia,Canada
 #See full list of formats below.
 accepted_formats = CD,Digital Media,Vinyl
 [Search Settings]
 search_timeout = 5000
 maximum_peer_queue = 50
 #Min upload speed in bit/s
 minimum_peer_upload_speed = 0
 #Min match ratio accepted when comparing lidarr track names to soulseek filenames.
 minimum_filename_match_ratio = 0.5
 #Specify the file types you prefer from most to least. As well as their attributes such as bitrate / samplerate / bitdepth.
 #For flacs you can choose the bitdepth/samplerate. And for mp3s the bitrate.
 #If you do not care about the specific quality you can still just put "flac" or "mp3".
 #Soularr will then just look at the filetype and ignore file attributes.
 allowed_filetypes = flac 24/192,flac 16/44.1,flac,mp3 320,mp3
 ignored_users = User1,User2,Fred,Bob
 #Set to False if you only want to search for complete albums
 search_for_tracks = True
 #Set to True if you want to add the artist's name to the beginning of the search for albums
 album_prepend_artist = False
 track_prepend_artist = True
 #Valid search types: all || incrementing_page || first_page
  #"all" will search for every wanted record everytime soularr is run.
  #"incrementing_page" will start with the first page and increment to the next on each run.
  #"first_page" will repeatedly search the first page.
 #If using the search type "first_page" remove_wanted_on_failure should be enabled.
 search_type = incrementing_page
 #How mancy records to grab each run, must be a number between 1 - 2,147,483,647
 number_of_albums_to_grab = 10
 #Unmonitors the album if Soularr can't find it and places it in "failure_list.txt".
 #Failed albums can be re monitored by filtering "Unmonitored" in the Lidarr wanted list.
 remove_wanted_on_failure = False
 #Comma separated list of words that can't be in the title of albums or tracks. Case insensitive.
 title_blacklist = BlacklistWord1,blacklistword2
 #Lidarr source to use for searching. Accepted values are "all", "missing", or "cutoff_unmet". If "all" is selected
 # then both missing and cutoff_unme will be searched. The default value is "missing".
 search_source = missing
 [Logging]
 #These options are passed into the logger's basicConfig() method as-is.
 #This means, if you're familiar with Python's logging module, you can configure
 #the logger with options beyond what's listed here by default.
 #For more information on available options  --  https://docs.python.org/3/library/logging.html#logging.basicConfig
 level = INFO
 # Format of log message  --  https://docs.python.org/3/library/logging.html#logrecord-attributes
 format = [%(levelname)s|%(module)s|L%(lineno)d] %(asctime)s: %(message)s
 # Format of datetimes  --  https://docs.python.org/3/library/time.html#time.strftime
 datefmt = %Y-%m-%dT%H:%M:%S%z
@@ -1,238 +1,212 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
-# debug: false
+directories:
-# remote_configuration: false
+  incomplete: /app/incomplete
-# remote_file_management: false
+  downloads: /app/downloads
-# instance_name: default
+shares:
-# flags:
+  directories:
-#   no_logo: false
+    - /music
-#   no_start: false
+rooms:
-#   no_config_watch: false
+  - '! meow chat :3'
-#   no_connect: false
+  - '#ANUS'
-#   no_share_scan: false
+  - '#CORONAVIRUS'
-#   force_share_scan: false
+  - '#Horrorcore'
-#   no_version_check: false
+  - '#La France'
-#   log_sql: false
+  - '#icilombre-hardcore'
-#   experimental: false
+  - '#polska'
-#   volatile: false
+  - '#vegan'
-#   case_sensitive_reg_ex: false
+  - $$RARE RAP MUSIC$$
-#   legacy_windows_tcp_keepalive: false
+  - ([6)]
-# relay:
+  - +Autism+
-#   enabled: false
+  - +BlackMetal+
-#   mode: controller # controller (default), agent, or debug (for local development)
+  - +HIP_HOP_SCENE_RELEASES+
-#   # controller config is required when running in 'agent' mode
+  - /mu/
-#   # this specifies the relay controller that will be controlling this agent
+  - 60lover
-#   controller:
+  - 60lover v2
-#     address: https://some.site.com:5000
+  - 70 Rare groove Soul Jazz
-#     ignore_certificate_errors: false
+  - 80's 12 Inches & More
-#     api_key: <a 16-255 character string corresponding to one of the controller's 'readwrite' or 'administrator' API keys>
+  - 90's Rare Riddim !!
-#     secret: <a 16-255 character shared secret matching the controller's config for this agent>
+  - 90's emo
-#     downloads: false
+  - <>Electronics Labels<>
-#   # agent config is optional when running in 'controller' mode
+  - ACID
-#   # this specifies all of the agents capable of connecting
+  - ARGENTINA
-#   agents:
+  - "ATLLUMINATI\u201Cawareness"
-#     my_agent:
+  - AUSTRALIA
-#       instance_name: my_agent # make sure the top-level instance_name of the agent matches!
+  - Alcohol
-#       secret: <a 16-255 character string unique to this agent>
+  - Ambient
-#       cidr: 0.0.0.0/0,::/0
+  - Anime
-# permissions:
+  - Audiobooks
-#   file:
+  - Avantgarde
-#     mode: ~ # not for Windows, chmod syntax, e.g. 644, 777. can't escalate beyond umask
+  - BDSM
-# directories:
+  - BLUES BUNKER MUSIC
-#   incomplete: ~
+  - BOB DYLAN ROOM
-#   downloads: ~
+  - BigEdsClassicRock
-# shares:
+  - BigedsSixties
-#   directories:
+  - Blues&Soul
-#     - ~
+  - Bootlegged concerts
-#   filters:
+  - Brasil
-#     - \.ini$
+  - Breakcore
-#     - Thumbs.db$
+  - CHILE
-#     - \.DS_Store$
+  - Canada
-#   cache:
+  - China Room
-#     storage_mode: memory
+  - Chiptunes
-#     workers: 16
+  - Christians
-#     retention: ~ # retain indefinitely (do not automatically re-scan)
+  - Classical
-# rooms:
+  - Come To The Sabbath !
-#   - ~
+  - Communism
-# global:
+  - DEATH METAL CLUB
-#   upload:
+  - Dark Ambient
-#     slots: 20
+  - De Koffie Shop
-#     speed_limit: 1000 # in kibibytes
+  - De Kroeg
-#   limits:
+  - Deathrock
-#     queued:
+  - DieMilitarmusik
-#       files: 500
+  - Disco Classics
-#       megabytes: 5000
+  - Doom Metal
-#     daily:
+  - Doujin Music
-#       files: 1000
+  - Dub Techno
-#       megabytes: 10000
+  - Dubstep
-#       failures: 200
+  - EBM-GOTHIC-INDUSTRIAL
-#     weekly:
+  - EBooks
-#       files: 5000
+  - Emo
-#       megabytes: 50000
+  - Eurodance
-#       failures: 1000
+  - Eurovision Song Contest
-#   download:
+  - Experimental Electronica
-#     slots: 500
+  - FOLK MUSIC
-#     speed_limit: 1000
+  - Free Jazz
-# groups:
+  - Furry
-#   default:
+  - Gay
-#     upload:
+  - Gothic
-#       priority: 500
+  - Greece
-#       strategy: roundrobin
+  - Grindcore
-#       slots: 10
+  - HEE cum eaters 1! !
-#     limits:
+  - HOUSE MUSIC LOVERS (AG)
-#       queued:
+  - Happy Hardcore
-#         files: 150
+  - Hardcore NL
-#         megabytes: 1500
+  - Hardcore/punk
-#       daily: ~ # no daily limits (weekly still apply)
+  - Hip Hop
-#       weekly:
+  - Horror movies
-#         files: 1500
+  - IDM
-#         megabytes: 15000
+  - INDUSTRIAL
-#         failures: 150
+  - IReGGaeGaLaXy
-#   leechers:
+  - Incredibly Strange Music
-#     thresholds:
+  - Israel
-#       files: 1
+  - Jaz (Full CDs)
-#       directories: 1
+  - Jazz
-#     upload:
+  - Jazz-Rock-Fusion-Guitar
-#       priority: 999
+  - Juggalo Family
-#       strategy: roundrobin
+  - Jungle
-#       slots: 1
+  - Korean Music
-#       speed_limit: 100
+  - LANGUAGE EXCHANGE here
-#     limits:
+  - LGBTQ+!!
-#       queued:
+  - Last.fm
-#         files: 15
+  - Linux
-#         megabytes: 150
+  - Lossless Scores
-#       daily:
+  - MOVIES
-#         files: 30
+  - Mac Users
-#         megabytes: 300
+  - Metal
-#         failures: 10
+  - MovieMusic
-#       weekly:
+  - NORWAY
-#         files: 150
+  - New Crystal Vibrations
-#         megabytes: 1500
+  - New Wave
-#         failures: 30
+  - New Zealand
-#   blacklisted:
+  - OLD SKOOL GANGSTA SHIT
-#     members:
+  - OLDSCHOOL 88-94
-#       - <username to blacklist>
+  - OLI SHOTA CUB ROOM!
-#     cidrs:
+  - Original Blues Bunker
-#       - <CIDR to blacklist, e.g. 255.255.255.255/32>
+  - PSYCHEDELIA
-#   user_defined:
+  - PUNK/HARDCORE/GRIND
-#     my_buddies:
+  - Portugal
-#       upload:
+  - Post Punk
-#         priority: 250
+  - Post-Hardcore (modern)
-#         strategy: firstinfirstout
+  - Progressive Rock
-#         slots: 10
+  - Psychedelic/Acid Rock
-#       limits:
+  - Psytrance
-#         queued:
+  - Quebec
-#           files: 1000 # override global default
+  - REGGAE
-#       members:
+  - Rare Music
-#         - alice
+  - RareVHS/DVD/Rips
-#         - bob
+  - Retro Gaming
-# blacklist:
+  - Romania
-#   enabled: true
+  - Room Name
-#   file: <path to file containing CIDRs to blacklist>
+  - SIsk Idiots !!
-# filters:
+  - SLUDGE!
-#   search:
+  - Slovenia
-#     request:
+  - Soundtracks&Scores
-#       - ^.{1,2}$
+  - Spain
-# web:
+  - Stoner HiVe
-#   port: 5030
+  - Stoner Rock
-#   https:
+  - Strange Music
-#     disabled: false
+  - TECHNO, Mixes and Tunes
-#     port: 5031
+  - THC
-#     force: false
+  - Talia
-#     certificate:
+  - The Dangerous Kitchen
-#       pfx: ~
+  - TheScoreZone
-#       password: ~
+  - Thrash Metal
-#   url_base: /
+  - Tinmans Movie Room
-#   content_path: wwwroot
+  - Trip-Hop
-#   logging: false
+  - Ttalian_dancefloor
-#   authentication:
+  - Twee Folks
-#     disabled: false
+  - UK DUB
-#     username: slskd
+  - URIDDIM!!
-#     password: slskd
+  - Ukraine
-#     jwt:
+  - Underground Hiphop
-#       key: ~
+  - VAPORWAVE
-#       ttl: 604800000
+  - Video Game Chat
-#     api_keys:
+  - Vinyl Addicts
-#       my_api_key:
+  - Vocaloid
-#         key: <some example string between 16 and 255 characters>
+  - WHATCDs
-#         role: readonly # readonly, readwrite, administrator
+  - World Music
-#         cidr: 0.0.0.0/0,::/0
+  - Yacht Rock
-# retention:
+  - '[German] [Deutsch]'
-#   transfers:
+  - abbey road Itd
-#     upload:
+  - anime cunny
-#       succeeded: 1440 # 1 day
+  - bleeps&klonks
-#       errored: 30
+  - breakbeat
-#       cancelled: 5
+  - comics
-#     download:
+  - deep house connection
-#       succeeded: 1440 # 1 day
+  - drum'n'bass
-#       errored: 20160 # 2 weeks 
+  - eesti mehed
-#       cancelled: 5
+  - electro
-#   files:
+  - flacfield
-#     complete: 20160 # 2 weeks
+  - food
-#     incomplete: 43200 # 30 days
+  - for Losers
-#   logs: 259200 # 180 days
+  - hungary
-# logger:
+  - indie
-#   disk: false
+  - japanese music
-#   no_color: false
+  - library music
-#   loki: ~
+  - lossless
-# metrics:
+  - minimal music
-#   enabled: false
+  - museek
-#   url: /metrics
+  - noise
-#   authentication:
+  - 'on'
-#     disabled: false
+  - postrock
-#     username: slskd
+  - programming
-#     password: slskd
+  - progressive house
-# feature:
+  - public porn
-#   swagger: false
+  - r/musichoarder
-# soulseek:
+  - ru
-#   address: vps.slsknet.org
+  - shoegaze
-#   port: 2271
+  - tapekvit
-#   username: ~
+  - test
-#   password: ~
+  - trancEaddict
-#   description: |
+  - trivia
-#     A slskd user. https://github.com/slskd/slskd
+  - what.cd
-#   listen_ip_address: 0.0.0.0
+  - what.cd electronic
-#   listen_port: 50300
+  - what.cd-flac
-#   diagnostic_level: Info
+  - '{Italo Disco'
-#   distributed_network:
+web:
-#     disabled: false
+  authentication:
-#     disable_children: false
+    username: slskd
-#     child_limit: 25
+    password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSKD_WEB_PASSSWORD'] }}
-#     logging: false
+    api_keys:
-#   connection:
+      my_api_key:
-#     timeout:
+        key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSKD_API_KEY'] }}
-#       connect: 10000
+        role: readwrite
-#       inactivity: 15000
+        cidr: 0.0.0.0/0,::/0
-#     buffer:
+soulseek:
-#       read: 16384
+  address: vps.slsknet.org
-#       write: 16384
+  port: 2271
-#       transfer: 262144
+  username: Trez.One
-#       write_queue: 250
+  password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSK_USER_PASSWORD'] }}
-#     proxy:
+  diagnostic_level: Info
 #       enabled: false
 #       address: ~
 #       port: ~
 #       username: ~
 #       password: ~
 # integration:
 #   ftp:
 #     enabled: false
 #     address: ~
 #     port: ~
 #     username: ~
 #     password: ~
 #     remote_path: /
 #     encryption_mode: auto
 #     ignore_certificate_errors: false
 #     overwrite_existing: true
 #     connection_timeout: 5000
 #     retry_attempts: 3
 #   pushbullet:
 #     enabled: false
 #     access_token: ~
 #     notification_prefix: "From slskd:"
 #     notify_on_private_message: true
 #     notify_on_room_mention: true
 #     retry_attempts: 3
 #     cooldown_time: 900000
@@ -0,0 +1,19 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 {
  "$schema": "../schemas/v2/index.json",
  "repos": [
      {
          "type": "gitea",
          "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_GITEA_TOKEN'] }}",
          "url": "https://git.trez.wtf",
          "revisions": {
              "branches": [
                  "main",
                  "*"
              ]
          }
      }
  ]
 }
@@ -0,0 +1,31 @@
  sources:
    rinoa_docker_logs:
      type: docker_logs
      exclude_containers:
        - vector
  sinks:
    parseable:
      type: http
      method: post
      batch:
        max_bytes: 10485760
        max_events: 1000
        timeout_secs: 10
      compression: gzip
      inputs:
        - rinoa_docker_logs
      encoding:
        codec: json
      uri: http://parseable:8000/api/v1/ingest'
      auth:
        strategy: basic
        user: admin
        password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['PARSEABLE_PASSWORD'] }}
      request:
        headers:
          X-P-Stream: rinoa-docker-logs
      healthcheck:
        enabled: true
        path: 'http://parseable:8000/api/v1/liveness'
        port: 80
@@ -1,5 +1,5 @@
 ---
- name: Deploy config templates and trigger GitHub workflow
+- name: Deploy Docker Service Configurations
  hosts: rinoa
  vars:
    appdata_base_path: "~/.docker/config/appdata"
@@ -1,14 +1,14 @@
 vault_addr: "https://vault.trez.wtf"
 vault_token: !vault |
  $ANSIBLE_VAULT;1.1;AES256
-  66373236656261373330343233616231386539616566613864306436613635323533336365383232
+  30623330336664656231653066343930303830343530323930613666643863623837633738346639
-  6636653139393566643265303135343864363632393035380a643566373137316363626438356431
+  3734386663383333386635623931343361343363396434660a633637666539626264653437636134
-  64653237313866316537326565386164373564353166346334663638636531353337303937346466
+  36616334386264383330323164333432623538366234326563323664353338646331353233396161
-  3539366634393337620a653133336530333963343638643934303336653935363932643665353234
+  3030623162373232320a386432393337613431303432613065626163326363316365613937623031
-  63343565663632633563396131346139666236313863663332386131633831633566373366613738
+  39316566343238363934383833376136323461336666663762383663633531303138616132333938
-  63343634313539336534666632313736343338623538303434316230383764643432646663356238
+  30316334363436333164303035643835316238313038663761636338313433303766626238656234
-  61373132633062346436363036333533623931313037306633616662623032616137613734343638
+  34373436396430646339326361366634363735346637303865373164363663663263646661366663
-  63633031616161623437623935346366636433653435646333313638376161663237323130636433
+  36336334393535386332646461313262646131383932353534363936623961613761333762376561
-  31383031646666626163323966393738386233346137326231366263316532343563
+  31366662626231346638346339626565653831613865646436643233653066366534
 vault_token_cleaned: "{{ vault_token | regex_replace('\\n', '') }}"
 secrets_path: "rinoa-docker/env"
@@ -1,12 +1,13 @@
-ansible_host: 192.168.1.254
+rinoa:
-ansible_python_interpreter: /usr/bin/python3
+        ansible_host: 192.168.1.254
-ansible_ssh_port: 22
+        ansible_python_interpreter: /usr/bin/python3
-ansible_ssh_user: charish
+        ansible_ssh_port: 22
-ansible_ssh_pass: !vault |
+        ansible_ssh_user: charish
-        $ANSIBLE_VAULT;1.1;AES256
+        ansible_ssh_pass: !vault |
-        38346631616139316365316566386362396661323163306339303635646331373061323531626431
+                $ANSIBLE_VAULT;1.1;AES256
-        3435373031363739356261656239633835393963636663370a613166653463656337666366633639
+                38346631616139316365316566386362396661323163306339303635646331373061323531626431
-        37373637326633363430633336646165343764303063663636313835326130663532323037663331
+                3435373031363739356261656239633835393963636663370a613166653463656337666366633639
-        6332353339656134370a353435396532663932313535646636333262353238386331313764633635
+                37373637326633363430633336646165343764303063663636313835326130663532323037663331
-        63383065623930653134666261353439366535646661383434386261393232373432353937636535
+                6332353339656134370a353435396532663932313535646636333262353238386331313764633635
-        3432336137393737643735346665303832653630316439333565
+                63383065623930653134666261353439366535646661383434386261393232373432353937636535
                3432336137393737643735346665303832653630316439333565
@@ -1,135 +0,0 @@
 $ANSIBLE_VAULT;1.1;AES256
 61353462613766353733306330373236633138333538613634653533316430363930633630626631
 3035333733316133643133356134366366343337363032330a316536353561643436373536336563
 61343566373439376138393533313064313537343831386536623632353262386566633464633661
 6161396538323162310a333866383339393535303236633162303038343134623965646331653262
 35633466383131646465393338313036393164323865353366316366313263303735616539386334
 38666262373336326431306236633662666335303135633965326131663437356565613632636436
 32636362393939336636376363666461653563356431316161306631633634376132623636396461
 61353138323062333937313033313230343136343733303339386362616161383564653363383531
 34646463666166326131626361653666626633366535356534396239613838373063613136303034
 31623363633436303238646233363431343933393534346635383362336361323633396430366561
 30323035613132323634656531353831613961646534306636346466623932383637303830396239
 63646361386263316662393533336536396462623930646466393632363166353234383632313930
 31633030303961343830346334613765333039653734313733396533326434383838626537656564
 66646464616566356533653939333330376339666234656137336361633263396165323963343938
 32313261353237636233343238366334306665353333643933376130336331323132393037663461
 35653132333935636132666363333033396630643466303933393434646432336166633461386263
 66316433663831623730303838343566633237363832353933333063356661353564306461383662
 64646530336662346633616335313064663135613439653663653434623931303333613639356633
 64613639653065613962373233656663366462343663623964313338356462336239373830623466
 31316164346437333331336335613336333935323961353335313635636230386339363262616266
 30316533313664623966323230373137653533626563376638386430613465663937343939626661
 65663031663931383465366663383936343338383937356463623431656633653363363137336261
 31663762643132386461333732613330636433326139663133633462343435353065313431663834
 65616232353539653632393337653863346638316233656636383735386265343434613139636230
 62653232653430356539663334653134663536336136343133666461396232303038343934376463
 62623262356638663538343862376365333235366137383535643431353837303762306637653939
 35333130346237353432616130353261386237666366306436353439396630646430343739323330
 35373664656465626538313139383462356435396631343666623437343933393938666464383834
 36613363663534613566633434643466666365396238363837326362646430353034653133616438
 61336233663332336333643564663336333935343266353265376664666135396530656639623338
 34313462333563636564366330636464656263663236303437366564363439646430356338373337
 32353435313164323636336537386437656439306231656139633234303363623363303937383464
 38663736656663316334303937626264666138643434623736336630353663373035363938373630
 36303933613766613763646638316365306539373332623731373363643261373931393733323038
 61303966373733623362353963346433653931303334313664636531313531373932313465326162
 35366136386236613930663037353765393464366234303165636635393763363433316466363438
 33396334623764356362393035626631666363646433356561333633313837303438333734313836
 38343935626334313063316639356436303331643535633230653439326332386432333831336131
 36633732636537353936663838393937326135623261663565323963393335616665323233336435
 62663662303138643239313061323233316262333362323266333739333564316431303964643033
 62313134613031363063333731653634393363356238313463343066636234356239303139313065
 37346532383133323932323164626663663437313166343235653962383162383138373165663865
 61363237323662616634626137393934396131303934623865363133313863396635353964613863
 61376431663134303863663764353238626131623138623030363734366233613637623932356235
 32343664346566383939353137343434316532393639326435616365326565393736663163303861
 37316461303237333861306465613537626337396532356163356235626563356137316330613134
 65636131663633633936613736326338643133336636316461316335653062666631363933323465
 37656564396161363637363238373635626565373334626539633634336561643364316331633132
 32643431616432616562343538366638663238376332666566343237626539336534663162643062
 37376434363661323137356130623135346430633235643530356366343461326534656562363262
 61653365326363366336363933326232373363626430353561646339376236333639346130383537
 64323832323762353964346434313236613436643762306636666134373730646633313032346136
 37636564633365653234373034303933333864636139666132386665666430663136393939626332
 39343234363032646266323862663937626438623237313865656632306666373663633734353132
 33646531333363313031666565653662333039653866633563626564666434356364396530666532
 36326566663138663031616635366134666364656639313265643662633861353030373132306565
 34366665366562623230393066643538396337653361346130326630326338363937353834333664
 64343633373866333562313535386131323336643336376666663836343265306563356466636630
 65363239333937386161616638393464613339316261313764636535326137663861386330353464
 31653232313930663465663036336232306666363865646231643865316366303561303662383730
 38653566356331613430613462643235366636313961373535366639353565623836336637363233
 35333334613566326637633161346638663136666465356461383765663237623631663138613034
 63633766313032363366633838666131303335656139373661316333326661326238366138343435
 39363861393064333532666330313764316539636364393138613939366536653830653932326638
 63303338333934353536646637333065386532383239643933366438616234353839646533336236
 30633465353730653531663333356636393334616534616635333563363136306233323236653266
 39626434363862656465336364333737623461346231613139373031326531396633366432386561
 63363631376634373862646138363565366533636330623366393530306135363261333433303961
 31366362333263636265386434333566616264666562323762666133646139356364626563343663
 31313834303737356638393065336134323762663265623662333061626239393133363465663537
 37633436356631643465313665646365336134653436633762653430326263623230663335633531
 65313532616430616162386265333336323134393831613663386238383936376665346164646239
 65353362626336373661373364313034313533646132623638623063353937313337313539353134
 62623733363339386465633063306465333632353435363532316263303839343231643235313862
 65346137613863353364383430616465643435356162373731323035623431643639396162646139
 31376430386661303164366365653838636662373762623330306534376231313938633837353663
 30333661303961363434313166323933613131366162623466306133333032353035343836646631
 37336232386364663533313261376230336539303933353339323865363962303733316365316438
 30636235393735396637353331623532376534636465666234373231313039323638366631633234
 61353231666565373764663235313130303365613630393661653434383738333066663961366165
 37323334643932626136636631373761393537343764663931646261613361313261373462386430
 65623634303030366230373165623434316461656661336261626335653031633664336265633431
 63646534616438326139353030336236303734616365383166343537393732623930316235616330
 38366430633062313431396633626665376234626663336534643632616139373566303835303564
 32326363393535663137616430616233663463636133363231663739336264663862613832313663
 66343839323861646635666331613236356336316361376162323964313663393030633332313662
 63323634363435346536663637363935323266346639366161643535313031663261633865313936
 34643163323861663432393330663763346138343930313639613139376138376263323232656631
 66623065326336323631313564666430363836386439396533393665396233323465646636643532
 39666364643933643363666164633931333635313233323365373135363833663964333430653338
 39643961626336376539653461643263626635383662323965363233623435386630653464303938
 64633536386535363031333063353633643632666134323464336166653533396437316566373732
 38366465646165313563396363656266653233393965623036623533623638643166356131623338
 31393863346564303865336430376462333831623339653935353664376166636665626637313031
 33353166366634656333663461353631633837663934333737393366373364663833313230333735
 62333333353361653533643233613464616664633736613138636666613932613061666230373565
 37643634376363373031643731366262303733313534303661326462366632656163393532666265
 66383061363336343837373831326135383430383831366563376165303661663732323437623134
 66633763313336376262376233363862663132356164313336393566313062386231633635653332
 65616335343738663565623161383730643735323937316535653032633032363532633434393639
 30343635666162373762376131663336653838626331306365333234333438306433666434613938
 34346137326264633366663332666330646364333938663262633637356263643937343262623834
 32323835623061656535313766643437373066363832353562633463636530386235313365376561
 62303162316365396164333065653638643065633665646436386365323263366237616138636531
 35313337643361656166643036333631656438326365386161303635613363383636346437613434
 66313631343863343939333261396266346333323632623361656638306234656330633635333733
 38376531353230343933613961376638353063346435623366343930313237663733346531323135
 64336239396137353465393361346437383565393638343930356365313163363264333834326139
 30383763336137346530653961613434306664373264316434616263306562623335663330616564
 37346565653562363866343937653238353332336135663766383239653038643130373165353462
 62306238643536336235623638363734656366663530373264663861313438373437306666393731
 33333237636535623631303134303138353434323533653931653762323330643466306565313630
 35366663346165333833626630323330336336303166643463396437383730643166303965363838
 39313739333334613262393135616232316436643835636430653237383739653536373962346161
 30643639303938393266613734346234316331633834643337373265313763393766323431333439
 32353036326333356535633136376630623733306636663363393434653033636431643063393939
 63653164363435306232636536333739633832346137373130303265383135396334343062396463
 30303434613034316365653464343265393736386265623366643763386265316462396464346162
 32623138393363613636336435666233366630653030326561336338306339663837303033366134
 32616334313539653763396164656133613736303335646564633736393463313261613831623664
 38613032333766376135363437313561643863333036363766343333303664303738623738666634
 66623032306337326361383466303431616531313535316134336338656437653134653738393662
 64373437363762633261373533313730383932306161376636393261623534663737633639653462
 66663732306239313764383264663362346433346265303732333535613563613033616165343037
 62633565643433353332663534366564616132646337356265346234366537653561316531356366
 61666163303362666232613164373963383131616336613030626262306136636265633531306133
 64646332336137353765626439346162636233363463313437633763656361653565343835393762
 64343433373938636461646265303238646635346662626331333436343535636231666563326462
 35373435396233313464366636343165376662616134633037376161393565336164646663323266
 36386634383066383763353535616466396464623836646439323535323839646632323839653838
 35383136343333326565383261653763383639313631663631343730353532613764306630326262
 37363665313637633162373264623464346431306537386231613131663934623933353433623031
 66326331666132643637323937376164306565343035363032623231303962313433356362613362
 3233366530336137393333373639613864613561363465306239
		`@@ -1 +0,0 @@`
			`{"last_found_secrets": [{"name": "Generic Password - /home/charish/app-configs/searxng_settings.yml.j2", "match": "6e0d657eb1f0fbc40cf0b8f3c3873ef627cc9cb7c4108d1c07d979c04bc8a4bb"}]}`