Switching Portainer from Docker Proxy to direct.

Auto Merge of PR 99 - garage-s3-config-deployment_2025-07-09T14-40-54
Merged by Trez.One
2025-07-11 09:37:24 -04:00 · 2025-07-10 21:44:23 -04:00 · 2025-07-09 15:31:56 -04:00 · 2025-07-09 15:18:31 -04:00 · 2025-07-08 18:41:29 -04:00 · 2025-07-06 11:59:54 -04:00
85 changed files with 4005 additions and 2557 deletions
@@ -1,10 +1,12 @@
 name: Gitea Branch PR & Ansible Deployment
 on:
+  workflow_dispatch:
  push:
    branches-ignore:
      - 'main'
    paths:
      - '**.j2'
+      - '**/pr-ansible-config-deployment.yaml'
      - 'ansible/**.yml'
 jobs:
  check-and-create-pr:
@@ -40,7 +42,7 @@ jobs:
        continue-on-error: true
        run: |
          tea login add --name gitea-rinoa --url "${{ secrets.RINOA_GITEA_URL }}" --user gitea-sonarqube-bot --password "${{ secrets.BOT_GITEA_PASSWORD }}" --token ${{ secrets.BOT_GITEA_TOKEN }}
-          pr_exists=$(tea pr list --repo ${{ github.repository }} --state open --fields index,title,head | egrep ${{ github.ref_name }} | tail -1 | wc -l)
+          pr_exists=$(tea pr list --repo ${{ github.repository }} --state open --fields index,title,head | egrep '\[ANSIBLE\].*${{ github.ref_name }}' | tail -1 | wc -l)
          echo "exists=$pr_exists" >> $GITHUB_OUTPUT
      - name: Create PR
        if: ${{ steps.check-opened-pr-step.outputs.exists == '0' }}
@@ -48,7 +50,7 @@ jobs:
          tea login default gitea-rinoa
          pr_index_old=$(tea pr ls --repo ${{ github.repository }} --state all --fields index,title,head --output csv | sed -e 's|"||g' | egrep '^[0-9]' | head -1 | awk -F"," '{print $1}')
          pr_index_new=$(expr ${pr_index_old} + 1)
-          tea pr c -r ${{ github.repository }} -t "Automated PR for ${{ github.ref_name }} - #${pr_index_new}" -d "Automatically created PR for branch: ${{ github.ref_name }}" -a ${{ github.actor }} -L "Docker Compose, Ansible Configs.j2"
+          tea pr c -r ${{ github.repository }} -t "[ANSIBLE] Automated PR for ${{ github.ref_name }} - #${pr_index_new}" -d "Automatically created PR for branch: ${{ github.ref_name }}" -a ${{ github.actor }} -L "Ansible Configs.j2"
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
@@ -56,8 +58,8 @@ jobs:
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: PR Check'
          notification_message: 'PR Created 🎟️'
-  ansible-linting:
-    name: Docker Compose & Ansible Lints
+  ansible-dry-run:
+    name: Ansible Dry Run
    needs: [check-and-create-pr]
    runs-on: ubuntu-latest
    env:
@@ -67,9 +69,6 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@v4
-      - name: Fetch base branch
-        run: |
-          git fetch origin ${{ github.event.pull_request.base.ref }}
      - name: Cache Ansible Galaxy Collections
        uses: actions/cache@v3
        with:
@@ -80,11 +79,12 @@ jobs:
      - name: Install Ansible
        uses: alex-oleshkevich/setup-ansible@v1.0.1
        with:
-          version: "11.0.0"
+          version: "11.4.0"
      - name: Install Vault
        uses: cpanato/vault-installer@main
      - name: Install hvac
-        run: pip install hvac
+        run: |
+          pip install hvac
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
@@ -93,26 +93,26 @@ jobs:
          notification_title: 'GITEA: Ansible Config Dry Run @ Rinoa'
          notification_message: 'Starting Ansible dry run...'
      - name: Ansible Playbook Dry Run
-        uses: arillso/action.playbook@0.1.0
+        uses: dawidd6/action-ansible-playbook@v3
        with:
-          check: true
-          galaxy_collections_path: ansible/collections
-          galaxy_requirements_file: ansible/collections/requirements.yml
-          inventory: ansible/inventory/hosts.yml
-          playbook: ansible/docker_config_deploy.yml
-          private_key: ${{ secrets.RINOA_ANSIBLE_PRIVATE_KEY }}
+          directory: ansible/
+          playbook: docker_config_deploy.yml
+          key: ${{ secrets.RINOA_ANSIBLE_PRIVATE_KEY }}
          vault_password: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
-          verbose: 0
+          requirements: collections/requirements.yml
+          options: |
+            --check
+            --inventory inventory/hosts.yml
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
-          notification_title: 'GITEA: Docker Compose Dry Run @ Rinoa'
-          notification_message: 'Docker Compose dry run completed successfully.'
+          notification_title: 'GITEA: Ansible Dry Run @ Rinoa'
+          notification_message: 'Ansible dry run completed successfully.'
  pr-merge:
    name: PR Merge
-    needs: [regenerate-readme-modified-services]
+    needs: [ansible-dry-run]
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
@@ -139,8 +139,8 @@ jobs:
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: PR Merge Successful'
          notification_message: 'PR #${{ steps.pr_merge.outputs.pr_index }} merged.'
-  ansible-config-docker-compose-deploy:
-    name: Ansible Configs & Docker Compose Deployment
+  ansible-config-deploy:
+    name: Ansible Config Deployment
    runs-on: ubuntu-latest
    needs: [pr-merge]
    env:
@@ -152,6 +152,10 @@ jobs:
        uses: actions/checkout@v4
        with:
          ref: main
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: 3.12
      - name: Cache Vault install
        id: cache-vault
        uses: actions/cache@v4
@@ -161,11 +165,12 @@ jobs:
      - name: Install Ansible
        uses: alex-oleshkevich/setup-ansible@v1.0.1
        with:
-          version: "11.0.0"
+          version: "11.4.0"
      - name: Install Vault
        uses: cpanato/vault-installer@main
      - name: Install hvac
-        run: pip install hvac
+        run: |
+          pip install hvac
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
@@ -173,16 +178,16 @@ jobs:
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: Ansible Config Deployment @ Rinoa'
          notification_message: 'Starting config deployment with Ansible...'
-      - name: Ansible Playbook Dry Run
-        uses: arillso/action.playbook@0.1.0
+      - name: Ansible Playbook Config Deploy
+        uses: dawidd6/action-ansible-playbook@v3
        with:
-          check: false
-          galaxy_collections_path: ansible/collections
-          galaxy_requirements_file: ansible/collections/requirements.yml
-          inventory: ansible/inventory/hosts.yml
-          playbook: ansible/docker_config_deploy.yml
-          private_key: ${{ secrets.RINOA_ANSIBLE_PRIVATE_KEY }}
+          directory: ansible/
+          playbook: docker_config_deploy.yml
+          key: ${{ secrets.RINOA_ANSIBLE_PRIVATE_KEY }}
          vault_password: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
+          requirements: collections/requirements.yml
+          options: |
+            --inventory inventory/hosts.yml
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
@@ -1,5 +1,6 @@
 name: Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment
 on:
+  workflow_dispatch:
  push:
    branches-ignore:
      - 'main'
@@ -41,7 +42,7 @@ jobs:
        continue-on-error: true
        run: |
          tea login add --name gitea-rinoa --url "${{ secrets.RINOA_GITEA_URL }}" --user gitea-sonarqube-bot --password "${{ secrets.BOT_GITEA_PASSWORD }}" --token ${{ secrets.BOT_GITEA_TOKEN }}
-          pr_exists=$(tea pr list --repo ${{ github.repository }} --state open --fields index,title,head | egrep ${{ github.ref_name }} | tail -1 | wc -l)
+          pr_exists=$(tea pr list --repo ${{ github.repository }} --state open --fields index,title,head | egrep '\[DOCKER\].*${{ github.ref_name }}' | tail -1 | wc -l)
          echo "exists=$pr_exists" >> $GITHUB_OUTPUT
      - name: Create PR
        if: ${{ steps.check-opened-pr-step.outputs.exists == '0' }}
@@ -49,7 +50,7 @@ jobs:
          tea login default gitea-rinoa
          pr_index_old=$(tea pr ls --repo ${{ github.repository }} --state all --fields index,title,head --output csv | sed -e 's|"||g' | egrep '^[0-9]' | head -1 | awk -F"," '{print $1}')
          pr_index_new=$(expr ${pr_index_old} + 1)
-          tea pr c -r ${{ github.repository }} -t "Automated PR for ${{ github.ref_name }} - #${pr_index_new}" -d "Automatically created PR for branch: ${{ github.ref_name }}" -a ${{ github.actor }} -L "Docker Compose, Ansible Configs.j2"
+          tea pr c -r ${{ github.repository }} -t "[DOCKER] Automated PR for ${{ github.ref_name }} - #${pr_index_new}" -d "Automatically created PR for branch: ${{ github.ref_name }}" -a ${{ github.actor }} -L "Docker Compose"
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
@@ -57,25 +58,25 @@ jobs:
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: PR Check'
          notification_message: 'PR Created 🎟️'
-  docker-compose-dry-run:
-    name: Docker Compose Dry Run
-    needs: [check-and-create-pr]
+  generate-service-list:
+    name: Generate list of added/modified/deleted services
    runs-on: ubuntu-latest
-    env:
-      VAULT_ADDR: ${{ secrets.RINOA_VAULT_ADDR }}
-      VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
-      VAULT_NAMESPACE: ""
+    needs: [check-and-create-pr]
    outputs:
-      svc_deploy_list: ${{ steps.modded_svcs.outputs.rinoa_svcs }}
+      svc_deploy_list: ${{ steps.detect_services.outputs.docker_svc_list }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Fetch base branch
        run: |
          git fetch origin ${{ github.event.pull_request.base.ref }}
-      - name: Login to Gitea Container Registry
-        run: |
-          docker login -u gitea-sonarqube-bot -p ${{ secrets.BOT_GITEA_TOKEN }} https://git.trez.wtf
+      - name: Gotify Notification
+        uses: eikendev/gotify-action@master
+        with:
+          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
+          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
+          notification_title: 'GITEA: Services TBD'
+          notification_message: 'Generating list of services to deploy...'
      - name: Save both versions of docker-compose.yml
        run: |
          git show origin/main:docker-compose.yml > docker-compose-main.yml || touch docker-compose-main.yml
@@ -105,8 +106,29 @@ jobs:
          echo "Detected service changes:"
          cat service_changes.txt

-          svc_list=$(paste -sd '|' service_changes.txt)
-          echo "classified_services=$svc_list" >> "$GITHUB_OUTPUT"
+          mod_svcs=$(cut -d':' -f1 service_changes.txt | sort | uniq)
+          echo "docker_svc_list<<EOF" >> "$GITHUB_OUTPUT"
+          echo "$mod_svcs" >> "$GITHUB_OUTPUT"
+          echo "EOF" >> "$GITHUB_OUTPUT"
+      - name: Testing service list output
+        run: |
+          echo -e "${{ steps.detect_services.outputs.docker_svc_list }}"
+  docker-compose-dry-run:
+    name: Docker Compose Dry Run
+    needs: [generate-service-list]
+    runs-on: ubuntu-latest
+    env:
+      VAULT_ADDR: ${{ secrets.RINOA_VAULT_ADDR }}
+      VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
+      VAULT_NAMESPACE: ""
+      RINOA_REGISTRY_PASSWORD: ${{ secrets.BOT_GITEA_PASSWORD }}
+      DOCKER_SVC_LIST: ${{ needs.generate-service-list.outputs.svc_deploy_list }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Login to Gitea Container Registry
+        run: |
+          docker login -u gitea-sonarqube-bot -p ${RINOA_REGISTRY_PASSWORD} git.trez.wtf
      - name: Install Vault
        uses: cpanato/vault-installer@main
      - name: Gotify Notification
@@ -116,34 +138,20 @@ jobs:
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: Docker Compose Dry Run @ Rinoa'
          notification_message: 'Starting Docker Compose dry run...'
-      - name: Cache .env Files
-        uses: actions/cache@v4
-        with:
-          path: .env
-          key: ${{ runner.os }}-env-${{ hashFiles('docker-compose.yml') }}
-      - name: Generate modified services list & .env file for Docker Compose Dry Run
-        id: modded_svcs
+      - name: Generate .env file for Docker Compose
        run: |
-          mod_svcs=$(echo "${{ steps.detect_services.outputs.classified_services }}" | sed -e 's/|//g' -e 's/: \(add\|modifi\|delet\)ed/ /g')
-          echo ${mod_svcs}
          vault kv get -format=json rinoa-docker/env | jq -r '.data.data' | jq -r 'keys[] as $k | "\($k)='\''\(.[$k])'\''"' > .env
-          echo "rinoa_svcs=${mod_svcs}" >> "$GITHUB_OUTPUT"
-      - name: Testing service list output
-        run: |
-          echo ${{ steps.modded_svcs.outputs.rinoa_svcs }}
+          echo ${DOCKER_SVC_LIST}
      - name: Docker Compose Dry Run
-        timeout-minutes: 360
-        continue-on-error: true
-        uses: keatonLiu/docker-compose-remote-action@v1.2
-        with:
-          docker_compose_file: docker-compose.yml
-          docker_args: -d --remove-orphans --pull missing ${{ steps.modded_svcs.outputs.rinoa_svcs }}
-          ssh_user: gitea-deploy
-          ssh_host: 192.168.1.254
-          ssh_host_public_key: ${{ secrets.RINOA_GITEA_PUBLIC_SSH_KEY }}
-          ssh_private_key: ${{ secrets.RINOA_GITEA_PRIVATE_SSH_KEY }}
+        uses: hoverkraft-tech/compose-action@v2.2.0
        env:
          DOCKER_HOST: tcp://dockerproxy:2375
+        with:
+          services: |
+            ${{ needs.generate-service-list.outputs.svc_deploy_list }}
+          up-flags: -d --remove-orphans --dry-run
+          down-flags: --dry-run
+          compose-flags: --dry-run
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
@@ -153,7 +161,7 @@ jobs:
          notification_message: 'Docker Compose dry run completed successfully.'
  cloudflare-dns-setup:
    name: Cloudflare DNS Setup
-    needs: [docker-compose-ansible-lints]
+    needs: [docker-compose-dry-run]
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
@@ -294,11 +302,13 @@ jobs:
  docker-compose-deploy:
    name: Docker Compose Deployment
    runs-on: ubuntu-latest
-    needs: [pr-merge]
+    needs: [generate-service-list, docker-compose-dry-run, pr-merge]
    env:
      VAULT_ADDR: ${{ secrets.RINOA_VAULT_ADDR }}
      VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
      DOCKER_HOST: tcp://dockerproxy:2375
+      RINOA_REGISTRY_PASSWORD: ${{ secrets.BOT_GITEA_PASSWORD }}
+      DOCKER_SVC_LIST: ${{ needs.generate-service-list.outputs.svc_deploy_list }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
@@ -310,15 +320,11 @@ jobs:
        with:
          path: /opt/hostedtoolcache/vault/1.18.0/x64
          key: vault-${{ runner.os }}-1.18.0
-      - name: Install Ansible
-        uses: alex-oleshkevich/setup-ansible@v1.0.1
-        with:
-          version: "11.0.0"
      - name: Install Vault
        uses: cpanato/vault-installer@main
      - name: Login to Gitea Container Registry
        run: |
-          docker login -u gitea-sonarqube-bot -p ${{ secrets.BOT_GITEA_TOKEN }} http://gitea:3000
+          docker login -u gitea-sonarqube-bot -p ${RINOA_REGISTRY_PASSWORD} git.trez.wtf
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
@@ -329,17 +335,22 @@ jobs:
      - name: Generate .env file for deployment
        run: |
           vault kv get -format=json rinoa-docker/env | jq -r '.data.data' | jq -r 'keys[] as $k | "\($k)='\''\(.[$k])'\''"' > .env
+           echo ${DOCKER_SVC_LIST}
      - name: Docker Compose Deployment
-        timeout-minutes: 360
-        continue-on-error: true
-        uses: keatonLiu/docker-compose-remote-action@v1.2
+        uses: hoverkraft-tech/compose-action@v2.2.0
+        env:
+          DOCKER_HOST: tcp://dockerproxy:2375
        with:
-          docker_compose_file: docker-compose.yml
-          docker_args: -d --remove-orphans --pull missing ${{ docker-compose-dry-run.outputs.svc_deploy_list }}
-          ssh_user: gitea-deploy
-          ssh_host: 192.168.1.254
-          ssh_host_public_key: ${{ secrets.RINOA_GITEA_PUBLIC_SSH_KEY }}
-          ssh_private_key: ${{ secrets.RINOA_GITEA_PRIVATE_SSH_KEY }}
+          services: |
+            ${{ needs.generate-service-list.outputs.svc_deploy_list }}
+          up-flags: -d --remove-orphans
+          down-flags: --dry-run
+      - name: Check Services' Healthiness
+        uses: thegabriele97/dockercompose-health-action@main
+        with:
+          filename: 'docker-compose.yml'
+          timeout: '60'
+          workdir: '.'
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
@@ -1,7 +1,10 @@
 name: Auto-Unseal for Vault
+
 on:
+  workflow_dispatch:
  schedule:
-    - cron: "30 2 * * *"
+    - cron: "0 5 * * *"
+
 jobs:
  auto-unseal:
    name: Unseal Vault
@@ -9,9 +12,9 @@ jobs:
    env:
      VAULT_ADDR: ${{ secrets.RINOA_VAULT_ADDR }}
      VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
-      VAULT_SHARDS: |
-        ${{ secrets.VAULT_UNSEAL_SHARDS }}
+      VAULT_SHARDS: ${{ secrets.VAULT_UNSEAL_SHARDS }}
      VAULT_NAMESPACE: ""
+
    steps:
      - name: Cache Vault install
        id: cache-vault
@@ -19,10 +22,15 @@ jobs:
        with:
          path: /opt/hostedtoolcache/vault/1.18.0/x64
          key: vault-${{ runner.os }}-1.18.0
-      - name: Install Vault
+
+      - name: Install Vault (only if not cached)
+        if: steps.cache-vault.outputs.cache-hit != 'true'
        uses: cpanato/vault-installer@main
+        with:
+          version: 1.18.0
+
      - name: Unseal Vault
        run: |
-          for vault_shard in $(echo ${VAULT_SHARDS}); do
-            vault operator unseal -address=${VAULT_ADDR} -non-interactive "${vault_shard}"
-          done
+          for vault_shard in $VAULT_SHARDS; do
+            vault operator unseal -address="${VAULT_ADDR}" -non-interactive "${vault_shard}"
+          done
@@ -8,9 +8,11 @@
 | adguard | adguard/adguardhome:latest |
 | apprise-api | lscr.io/linuxserver/apprise-api:latest |
 | archivebox | archivebox/archivebox:latest |
+| argus | quay.io/argus-io/argus:latest |
 | audiobookshelf | ghcr.io/advplyr/audiobookshelf:latest |
 | authelia | authelia/authelia:master |
 | authelia-pg | postgres:16-alpine |
+| authelia-valkey | docker.io/bitnami/valkey:latest |
 | bazarr | lscr.io/linuxserver/bazarr:latest |
 | beszel | henrygd/beszel:latest |
 | beszel-agent | henrygd/beszel-agent:latest |
@@ -19,6 +21,8 @@
 | browserless | ghcr.io/browserless/chromium:latest |
 | bytestash | ghcr.io/jordan-dalby/bytestash:latest |
 | castopod | castopod/castopod:latest |
+| castopod-valkey | docker.io/bitnami/valkey:latest |
+| chrome | gcr.io/zenika-hub/alpine-chrome:123 |
 | cloudflareddns | ghcr.io/hotio/cloudflareddns:latest |
 | convertx | ghcr.io/c4illin/convertx |
 | cronicle | elestio/cronicle:latest |
@@ -29,15 +33,18 @@
 | dawarich-app | freikin/dawarich:latest |
 | dawarich-pg-db | postgis/postgis:17-3.5-alpine |
 | dawarich-sidekiq | freikin/dawarich:latest |
+| dawarich-valkey | docker.io/bitnami/valkey:latest |
 | dead-man-hand | ghcr.io/bkupidura/dead-man-hand:latest |
 | docker-socket-proxy | ghcr.io/tecnativa/docker-socket-proxy:latest |
+| dockflare | alplat/dockflare:stable |
 | duplicati | lscr.io/linuxserver/duplicati:latest |
 | excalidraw | excalidraw/excalidraw:latest |
 | explo | ghcr.io/lumepart/explo:latest |
 | fastenhealth | ghcr.io/fastenhealth/fasten-onprem:main |
 | flaresolverr | ghcr.io/flaresolverr/flaresolverr:latest |
+| freescout | tiredofit/freescout:latest |
 | ghost | ghost:latest |
-| gitea | gitea/gitea:1.23.1 |
+| gitea | gitea/gitea:1.24.0 |
 | gitea-db | postgres:14 |
 | gitea-runner | gitea/act_runner:latest |
 | gitea-sonarqube-bot | justusbunsi/gitea-sonarqube-bot:v0.4.0 |
@@ -53,6 +60,7 @@
 | immich-pg-db | tensorchord/pgvecto-rs:pg14-v0.2.1 |
 | immich-public-proxy | alangrainger/immich-public-proxy:latest |
 | immich-power-tools | ghcr.io/varun-raj/immich-power-tools:latest |
+| immich-valkey | docker.io/bitnami/valkey:latest |
 | influxdb2 | influxdb:2-alpine |
 | invidious | quay.io/invidious/invidious:latest |
 | invidious-sig-helper | quay.io/invidious/inv-sig-helper:latest |
@@ -70,10 +78,12 @@
 | jitsi-web | jitsi/web:stable |
 | joplin-db | postgres:17-alpine |
 | joplin | joplin/server:latest |
+| karakeep | ghcr.io/karakeep-app/karakeep:release |
 | languagetool | elestio/languagetool:latest |
 | librechat-api | ghcr.io/danny-avila/librechat-dev:latest |
-| librechat-vectordb | ankane/pgvector:latest |
 | librechat-rag-api | ghcr.io/danny-avila/librechat-rag-api-dev-lite:latest |
+| librechat-valkey | docker.io/bitnami/valkey:latest |
+| librechat-vectordb | ankane/pgvector:latest |
 | libretranslate | libretranslate/libretranslate |
 | lidarr | lscr.io/linuxserver/lidarr:latest |
 | lidify | thewicklowwolf/lidify:latest |
@@ -82,12 +92,22 @@
 | loggifly | ghcr.io/clemcer/loggifly:latest |
 | maloja | krateng/maloja:latest |
 | manyfold | lscr.io/linuxserver/manyfold:latest |
+| manyfold-valkey | docker.io/bitnami/valkey:latest |
 | mariadb | linuxserver/mariadb |
 | mastodon | lscr.io/linuxserver/mastodon:latest |
 | mastodon-pg-db | postgres:17-alpine |
-| meilisearch | getmeili/meilisearch:v1.12.3 |
-| minio | minio/minio |
+| mastodon-valkey | docker.io/bitnami/valkey:latest |
+| maxun-backend | getmaxun/maxun-backend:latest |
+| maxun-frontend | getmaxun/maxun-frontend:latest |
+| maxun-pg-db | postgres:13-alpine |
+| maxun-valkey | docker.io/bitnami/valkey:latest |
+| meilisearch | getmeili/meilisearch:v1.15 |
+| meme-search-pro | ghcr.io/neonwatty/meme_search_pro:latest |
+| meme-search-pro-img2txt-gen | ghcr.io/neonwatty/image_to_text_generator:latest |
+| meme-search-db | pgvector/pgvector:pg17 |
+| minio | minio/minio:RELEASE.2025-04-22T22-12-26Z |
 | mixpost | inovector/mixpost:latest |
+| mixpost-valkey | docker.io/bitnami/valkey:latest |
 | mongodb | bitnami/mongodb:7.0 |
 | multi-scrobbler | foxxmd/multi-scrobbler |
 | n8n | docker.n8n.io/n8nio/n8n |
@@ -99,8 +119,18 @@
 | omni-tools | iib0011/omni-tools:latest |
 | omnipoly | kweg/omnipoly:latest |
 | paperless-ngx | ghcr.io/paperless-ngx/paperless-ngx:latest |
+| paperless-valkey | docker.io/bitnami/valkey:latest |
+| penpot-frontend | penpotapp/frontend:latest |
+| penpot-backend | penpotapp/backend:latest |
+| penpot-exporter | penpotapp/exporter:latest |
+| penpot-pg-db | postgres:15-alpine |
+| penpot-redis | redis:7.2 |
 | pgbackweb | eduardolat/pgbackweb:latest |
 | pgbackweb-db | postgres:16-alpine |
+| planka | ghcr.io/plankanban/planka:2.0.0-rc.3 |
+| planka-pg-db | postgres:16-alpine |
+| plant-it | msdeluise/plant-it-server:latest |
+| plant-it-valkey | docker.io/bitnami/valkey:latest |
 | plantuml-server | plantuml/plantuml-server:jetty |
 | portainer | portainer/portainer-ce:alpine |
 | portnote-web | haedlessdev/portnote:latest |
@@ -110,30 +140,42 @@
 | postal-web | ghcr.io/postalserver/postal:latest |
 | postal-worker | ghcr.io/postalserver/postal:latest |
 | prowlarr | lscr.io/linuxserver/prowlarr:latest |
+| qbit-manage | ghcr.io/stuffanthings/qbit_manage:latest |
 | qbittorrentvpn | ghcr.io/binhex/arch-qbittorrentvpn:latest |
 | radarec | thewicklowwolf/radarec:latest |
 | radarr | lscr.io/linuxserver/radarr:latest |
 | reactive-resume | amruthpillai/reactive-resume:latest |
 | reactive-resume-pg | postgres:16-alpine |
 | readarr | lscr.io/linuxserver/readarr:develop |
-| redis | redis:alpine |
 | redlib | quay.io/redlib/redlib:latest |
 | rocketchat | registry.rocket.chat/rocketchat/rocket.chat:latest |
 | romm | rommapp/romm:latest |
+| romm-valkey | docker.io/bitnami/valkey:latest |
 | sabnzbdvpn | ghcr.io/binhex/arch-sabnzbdvpn:latest |
 | sablier | sablierapp/sablier:latest |
-| scraperr | jpyles0524/scraperr:latest |
-| scraperr-api | jpyles0524/scraperr_api:latest |
+| scraparr | ghcr.io/thecfu/scraparr:latest |
 | scrutiny | ghcr.io/analogj/scrutiny:master-omnibus |
 | searxng | searxng/searxng:latest |
+| searxng-valkey | docker.io/bitnami/valkey:latest |
 | semaphore | semaphoreui/semaphore:v2.12.14 |
+| signoz-app | signoz/signoz:v0.86.2 |
+| signoz-clickhouse | clickhouse/clickhouse-server:24.1.2-alpine |
+| signoz-init-clickhouse | clickhouse/clickhouse-server:24.1.2-alpine |
+| signoz-logspout | pavanputhra/logspout-signoz |
+| signoz-otel-collector | signoz/signoz-otel-collector:v0.111.42 |
+| signoz-schema-migrator-async | signoz/signoz-schema-migrator:v0.111.42 |
+| signoz-schema-migrator-sync | signoz/signoz-schema-migrator:v0.111.42 |
+| signoz-zookeeper-1 | bitnami/zookeeper:3.7.1 |
 | sonarqube | mc1arke/sonarqube-with-community-branch-plugin:lts |
 | sonarqube-pg-db | postgres:17-alpine |
 | sonarr | lscr.io/linuxserver/sonarr:latest |
 | sonashow | thewicklowwolf/sonashow:latest |
+| soularr | mrusse08/soularr:latest |
+| soularr-dashboard | git.trez.wtf/trez.one/soularr-dashboard:v0.1 |
+| soulseek | slskd/slskd |
 | speedtest-tracker | lscr.io/linuxserver/speedtest-tracker:latest |
-| stable-diffusion-download | git.trez.wtf/trez.one/stable-diffusion-download:v9.0.0 |
-| stable-diffusion-webui | git.trez.wtf/trez.one/stable-diffusion-ui:v9.0.1 |
+| stable-diffusion-download | git./trez.one/stable-diffusion-download:v9.0.0 |
+| stable-diffusion-webui | git./trez.one/stable-diffusion-ui:v9.0.1 |
 | stirling-pdf | docker.stirlingpdf.com/stirlingtools/stirling-pdf:latest |
 | swag | lscr.io/linuxserver/swag:latest |
 | tandoor | vabene1111/recipes |
@@ -141,20 +183,10 @@
 | unmanic | josh5/unmanic:latest |
 | uptimekuma | louislam/uptime-kuma:latest |
 | vault | hashicorp/vault:latest |
-| wallabag | wallabag/wallabag |
 | wallos | bellamy/wallos:latest |
 | watchtower | ghcr.io/containrrr/watchtower:latest |
 | web-check | lissy93/web-check |
 | whodb | clidey/whodb |
+| wizarr | ghcr.io/wizarrrr/wizarr |
 | youtubedl | nbr23/youtube-dl-server:latest |
-| zammad-backup | ghcr.io/zammad/zammad:6.5.0-15 |
-| zammad-elasticsearch | bitnami/elasticsearch:8.17.4 |
-| zammad-init | ghcr.io/zammad/zammad:6.5.0-15 |
-| zammad-memcached | memcached:1.6.38-alpine |
-| zammad-nginx | ghcr.io/zammad/zammad:6.5.0-15 |
-| zammad-postgresql | postgres:17.4-alpine |
-| zammad-railsserver | ghcr.io/zammad/zammad:6.5.0-15 |
-| zammad-redis | redis:7.4.2-alpine |
-| zammad-scheduler | ghcr.io/zammad/zammad:6.5.0-15 |
-| zammad-websocket | ghcr.io/zammad/zammad:6.5.0-15 |

@@ -0,0 +1,199 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+http:
+  pprof:
+    port: 6060
+    enabled: false
+  address: 0.0.0.0:8008
+  session_ttl: 720h
+users:
+  - name: admin
+    password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['ADGUARD_BCRYPT'] }}
+auth_attempts: 5
+block_auth_min: 15
+http_proxy: ""
+language: ""
+theme: auto
+dns:
+  bind_hosts:
+    - 0.0.0.0
+  port: 53
+  anonymize_client_ip: false
+  ratelimit: 20
+  ratelimit_subnet_len_ipv4: 24
+  ratelimit_subnet_len_ipv6: 56
+  ratelimit_whitelist: []
+  refuse_any: true
+  upstream_dns:
+    - 94.140.14.14
+    - 94.140.15.15
+    - https://dns.adguard-dns.com/dns-query
+    - tls://dns.adguard-dns.com
+    - quic://dns.adguard-dns.com
+    - 1.1.1.1
+    - 1.0.0.1
+    - 1.1.1.2
+    - 1.0.0.2
+    - 185.228.168.9
+    - 185.228.169.9
+    - 76.76.2.3
+    - tls://getdnsapi.net
+    - 185.49.141.37
+    - tls://dot.seby.io
+  upstream_dns_file: ""
+  bootstrap_dns:
+    - 9.9.9.10
+    - 149.112.112.10
+    - 2620:fe::10
+    - 2620:fe::fe:10
+  fallback_dns: []
+  upstream_mode: load_balance
+  fastest_timeout: 1s
+  allowed_clients: []
+  disallowed_clients: []
+  blocked_hosts:
+    - version.bind
+    - id.server
+    - hostname.bind
+  trusted_proxies:
+    - 127.0.0.0/8
+    - ::1/128
+  cache_size: 4194304
+  cache_ttl_min: 0
+  cache_ttl_max: 0
+  cache_optimistic: false
+  bogus_nxdomain: []
+  aaaa_disabled: false
+  enable_dnssec: false
+  edns_client_subnet:
+    custom_ip: ""
+    enabled: false
+    use_custom: false
+  max_goroutines: 300
+  handle_ddr: true
+  ipset: []
+  ipset_file: ""
+  bootstrap_prefer_ipv6: false
+  upstream_timeout: 10s
+  private_networks: []
+  use_private_ptr_resolvers: false
+  local_ptr_upstreams: []
+  use_dns64: false
+  dns64_prefixes: []
+  serve_http3: false
+  use_http3_upstreams: false
+  serve_plain_dns: true
+  hostsfile_enabled: true
+  pending_requests:
+    enabled: true
+tls:
+  enabled: true
+  server_name: ""
+  force_https: false
+  port_https: 446
+  port_dns_over_tls: 853
+  port_dns_over_quic: 853
+  port_dnscrypt: 0
+  dnscrypt_config_file: ""
+  allow_unencrypted_doh: false
+  certificate_chain: ""
+  private_key: ""
+  certificate_path: /opt/adguardhome/certs/live/trez.wtf/priv-fullchain-bundle.pem
+  private_key_path: /opt/adguardhome/certs/live/trez.wtf/priv-fullchain-bundle.pem
+  strict_sni_check: false
+querylog:
+  dir_path: ""
+  ignored: []
+  interval: 2160h
+  size_memory: 1000
+  enabled: true
+  file_enabled: true
+statistics:
+  dir_path: ""
+  ignored: []
+  interval: 24h
+  enabled: true
+filters:
+  - enabled: true
+    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt
+    name: AdGuard DNS filter
+    id: 1
+  - enabled: false
+    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt
+    name: AdAway Default Blocklist
+    id: 2
+whitelist_filters: []
+user_rules: []
+dhcp:
+  enabled: false
+  interface_name: ""
+  local_domain_name: lan
+  dhcpv4:
+    gateway_ip: 192.168.1.1
+    subnet_mask: 255.255.255.0
+    range_start: 192.168.1.2
+    range_end: 192.168.1.240
+    lease_duration: 86400
+    icmp_timeout_msec: 1000
+    options: []
+  dhcpv6:
+    range_start: ""
+    lease_duration: 86400
+    ra_slaac_only: false
+    ra_allow_slaac: false
+filtering:
+  blocking_ipv4: ""
+  blocking_ipv6: ""
+  blocked_services:
+    schedule:
+      time_zone: America/New_York
+    ids: []
+  protection_disabled_until: null
+  safe_search:
+    enabled: false
+    bing: true
+    duckduckgo: true
+    ecosia: true
+    google: true
+    pixabay: true
+    yandex: true
+    youtube: true
+  blocking_mode: default
+  parental_block_host: family-block.dns.adguard.com
+  safebrowsing_block_host: standard-block.dns.adguard.com
+  rewrites: []
+  safe_fs_patterns:
+    - /opt/adguardhome/work/userfilters/*
+  safebrowsing_cache_size: 1048576
+  safesearch_cache_size: 1048576
+  parental_cache_size: 1048576
+  cache_time: 30
+  filters_update_interval: 24
+  blocked_response_ttl: 10
+  filtering_enabled: true
+  parental_enabled: false
+  safebrowsing_enabled: false
+  protection_enabled: true
+clients:
+  runtime_sources:
+    whois: true
+    arp: true
+    rdns: true
+    dhcp: true
+    hosts: true
+  persistent: []
+log:
+  enabled: true
+  file: ""
+  max_backups: 0
+  max_size: 100
+  max_age: 3
+  compress: false
+  local_time: false
+  verbose: false
+os:
+  group: ""
+  user: ""
+  rlimit_nofile: 0
+schema_version: 29
@@ -0,0 +1,6 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+urls:
+  - gotify://gotify/{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['APPRISE_GOTIFY_TOKEN'] }}
+  - mailto://{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}@trez.wtf25?smtp=postal-smtp&from=noreply@trez.wtf
@@ -1,6 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-urls:
-  - gotify://gotify/{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['APPRISE_GOTIFY_TOKEN'] }}
-  - mailtos://{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}@trez.wtf25?smtp=postal-smtp&from=noreply@trez.wtf
@@ -0,0 +1,337 @@
+settings:
+  log:
+    level: INFO
+    timestamps: true
+  data:
+    database_file: data/argus.db
+  web:
+    listen_host: 0.0.0.0
+    listen_port: 8080
+    route_prefix: /
+    basic_auth:
+      username: 'admin'
+      password: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['ARGUS_WEB_PASSWORD'] }}"
+  disabled_routes: []
+  favicon:
+    png: ''
+    svg: ''
+notify:
+  rinoa-gotify:
+    type: gotify
+    url_fields:
+      Host: gotify
+      Token: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['ARGUS_WEB_PASSWORD'] }}
+    params:
+      Title: Argus @ Rinoa
+service:
+  AdguardTeam/AdGuardHome:
+    latest_version:
+      type: github
+      url: AdguardTeam/AdGuardHome
+      url_commands:
+        - type: regex
+          regex: v([0-9.]+)$
+    deployed_version:
+      url: "https://adguard.trez.wtf/control/status"
+      basic_auth:
+        username: admin
+        password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['ADGUARD_PASSWORD'] }}
+      json: version
+      regex: v([0-9.]+)
+    dashboard:
+      web_url: "https://github.com/AdguardTeam/AdGuardHome/releases/v{% raw %}{{ version }}{% endraw %}"
+      icon: "https://avatars.githubusercontent.com/u/8361145?s=200&v=4"
+  advplyr/audiobookshelf:
+    latest_version:
+      type: github
+      url: advplyr/audiobookshelf
+      url_commands:
+        - type: regex
+          regex: v([0-9.]+)$
+    deployed_version:
+      method: GET
+      url: "https://abs.trez.wtf/status"
+      json: serverVersion
+    dashboard:
+      icon: "https://raw.githubusercontent.com/advplyr/audiobookshelf/master/client/static/icon.svg"
+      web_url: "https://github.com/advplyr/audiobookshelf/releases/tag/v{% raw %}{{ version }}{% endraw %}"
+  dani-garcia/vaultwarden:
+    latest_version:
+      type: github
+      url: dani-garcia/vaultwarden
+    deployed_version:
+      url: "https://bitwarden.trez.wtf/api/version"
+      regex: ([0-9.]+)
+    dashboard:
+      web_url: "https://github.com/dani-garcia/vaultwarden/releases/{% raw %}{{ version }}{% endraw %}"
+      icon: "https://raw.githubusercontent.com/dani-garcia/vaultwarden/main/src/static/images/vaultwarden-icon.png"
+  ellite/Wallos:
+    latest_version:
+      type: github
+      url: ellite/Wallos
+    deployed_version:
+      method: GET
+      url: http://wallos.com/api/status/version.php?api_key=xxx
+      json: version_number
+    dashboard:
+      icon: "https://github.com/ellite/Wallos/raw/main/images/siteicons/wallos.png"
+      web_url: "https://github.com/ellite/Wallos/releases"
+  FlareSolverr/FlareSolverr:
+    latest_version:
+      type: github
+      url: FlareSolverr/FlareSolverr
+      url_commands:
+        - type: regex
+          regex: v([0-9.]+)$
+    deployed_version:
+      method: GET
+      url: "https://flaresolverr.trez.wtf"
+      json: version
+    dashboard:
+      icon: "https://raw.githubusercontent.com/FlareSolverr/FlareSolverr/master/resources/flaresolverr_logo.png"
+      web_url: "https://github.com/FlareSolverr/FlareSolverr/releases/tag/v{% raw %}{{ version }}{% endraw %}"
+  go-gitea/gitea:
+    latest_version:
+      type: github
+      url: go-gitea/gitea
+      url_commands:
+        - type: regex
+          regex: v([0-9.]+)$
+      require:
+        regex_content: gitea-{% raw %}{{ version }}{% endraw %}-linux-amd64
+        regex_version: ^[0-9.]+[0-9]$
+    deployed_version:
+      url: "https://git.trez.wtf"
+      regex: 'Powered by Gitea\s+Version:\s+([0-9.]+) '
+    dashboard:
+      web_url: "https://github.com/go-gitea/gitea/releases/v{% raw %}{{ version }}{% endraw %}"
+      icon: "https://raw.githubusercontent.com/go-gitea/gitea/main/public/img/logo.png"
+  gohugoio/hugo:
+    latest_version:
+      type: github
+      url: gohugoio/hugo
+      url_commands:
+        - type: regex
+          regex: v([0-9.]+)$
+      require:
+        regex_content: hugo_{% raw %}{{ version }}{% endraw %}_Linux-64bit\.deb
+    dashboard:
+      web_url: "https://github.com/gohugoio/hugo/releases/v{% raw %}{{ version }}{% endraw %}"
+      icon: "https://raw.githubusercontent.com/gohugoio/hugo/master/docs/static/img/hugo.png"
+  gotify/server:
+    latest_version:
+      type: github
+      url: gotify/server
+      url_commands:
+        - type: regex
+          regex: v([0-9.]+)$
+    deployed_version:
+      url: "https://gotify.trez.wtf/version"
+      json: version
+    dashboard:
+      web_url: "https://github.com/gotify/server/releases/v{% raw %}{{ version }}{% endraw %}"
+      icon: "https://github.com/gotify/logo/raw/master/gotify-logo.png"
+  hashicorp/vault:
+    latest_version:
+      type: github
+      url: hashicorp/vault
+      url_commands:
+        - type: regex
+          regex: v([0-9.]+)$
+    deployed_version:
+      url: "https://vault.trez.wtf/v1/sys/health"
+      json: version
+    dashboard:
+      web_url: "https://github.com/hashicorp/vault/releases/v{% raw %}{{ version }}{% endraw %}"
+      icon: "https://raw.githubusercontent.com/hashicorp/vault/main/ui/public/vault-logo.svg"
+  immich-app/immich:
+    latest_version:
+      type: github
+      url: immich-app/immich
+    deployed_version:
+      url: "https://pics.trez.wtf/api/server/about"
+      json: version
+      regex: ^v([0-9.]+)$
+      headers:
+        - key: x-api-key
+          value: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['IMMICH_POWER_TOOLS_KEY'] }}
+    dashboard:
+      icon: "https://raw.githubusercontent.com/immich-app/immich/main/web/static/immich-logo.svg"
+      web_url: "https://github.com/immich-app/immich/releases/tag/v{% raw %}{{ version }}{% endraw %}"
+  influxdata/influxdb:
+    latest_version:
+      type: github
+      url: influxdata/influxdb
+      url_commands:
+        - type: regex
+          regex: v([0-9.]+)$
+    deployed_version:
+      url: "https://influxdb.trez.wtf/health"
+      json: version
+    dashboard:
+      web_url: "https://github.com/influxdata/influxdb/releases/tag/v{% raw %}{{ version }}{% endraw %}"
+      icon: "https://github.com/influxdata/ui/raw/master/src/writeData/graphics/influxdb.svg"
+  jellyfin/jellyfin:
+    latest_version:
+      type: github
+      url: jellyfin/jellyfin
+      url_commands:
+        - type: regex
+          regex: v([0-9.]+)$
+    deployed_version:
+      url: "https://jellyfin.trez.wtf/System/Info/Public"
+      json: Version
+    dashboard:
+      web_url: "https://github.com/jellyfin/jellyfin/releases/v{% raw %}{{ version }}{% endraw %}"
+      icon: "https://avatars.githubusercontent.com/u/45698031?s=200&v=4"
+  Lidarr/Lidarr:
+    options:
+      semantic_versioning: false
+    latest_version:
+      type: github
+      url: Lidarr/Lidarr
+      url_commands:
+        - type: regex
+          regex: v([0-9.]+)$
+    deployed_version:
+      method: GET
+      url: "https://lidarr.trez.wtf/api/v1/system/status"
+      headers:
+        - key: X-Api-Key
+          value: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIDARR_API_KEY'] }}
+      json: version
+    dashboard:
+      icon: "https://raw.githubusercontent.com/Lidarr/Lidarr/develop/Logo/1024.png"
+      web_url: "https://github.com/Lidarr/Lidarr/releases/v{% raw %}{{ version }}{% endraw %}"
+  louislam/uptime-kuma:
+    latest_version:
+      type: github
+      url: louislam/uptime-kuma
+    deployed_version:
+      url: "https://status.trez.wtf/metrics"
+      regex: app_version{version=\"([0-9.]+)\",major=\"[0-9]+\",minor=\"[0-9]+\",patch=\"[0-9]+\"}
+    dashboard:
+      web_url: "https://github.com/louislam/uptime-kuma/releases/{% raw %}{{ version }}{% endraw %}"
+      icon: "https://raw.githubusercontent.com/louislam/uptime-kuma/master/public/icon.png"
+  morpheus65535/bazarr:
+    latest_version:
+      type: github
+      url: morpheus65535/bazarr
+      url_commands:
+        - type: regex
+          regex: v([0-9.]+)$
+    deployed_version:
+      url: "https://bazarr.trez.wtf/api/system/status"
+      headers:
+        - key: X-API-KEY
+          value: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['BAZARR_API_KEY'] }}
+      json: data.bazarr_version
+    dashboard:
+      web_url: "https://github.com/morpheus65535/bazarr/releases/v{% raw %}{{ version }}{% endraw %}"
+      icon: "https://raw.githubusercontent.com/morpheus65535/bazarr/master/frontend/public/images/logo128.png"
+  n8n-io/n8n:
+    latest_version:
+      type: url
+      url: "https://github.com/n8n-io/n8n/tags"
+      url_commands:
+        - type: regex
+          regex: n8n\%40([0-9.]+)
+    dashboard:
+      web_url: "https://github.com/n8n-io/n8n/blob/master/CHANGELOG.md"
+      icon: "https://raw.githubusercontent.com/n8n-io/n8n-docs/main/docs/_images/n8n-docs-icon.svg"
+  nextcloud/server:
+    latest_version:
+      type: github
+      url: nextcloud/server
+      url_commands:
+        - type: regex
+          regex: v([0-9.]+)$
+    deployed_version:
+      url: "https://cloud.trez.wtf/status.php"
+      json: versionstring
+    dashboard:
+      web_url: "https://nextcloud.com/changelog/"
+      icon: "https://github.com/nextcloud/server/raw/master/core/img/favicon.png"
+  Prowlarr/Prowlarr:
+    options:
+      semantic_versioning: false
+    latest_version:
+      type: github
+      url: Prowlarr/Prowlarr
+      url_commands:
+        - type: regex
+          regex: v([0-9.]+)$
+      use_prerelease: true
+    deployed_version:
+      url: "https://prowlarr.trez.wtf/api/v1/system/status"
+      headers:
+        - key: X-Api-Key
+          value: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['PROWLARR_API_KEY'] }}
+      json: version
+    dashboard:
+      web_url: "https://github.com/Prowlarr/Prowlarr/releases/v{% raw %}{{ version }}{% endraw %}"
+      icon: "https://avatars.githubusercontent.com/u/73049443?s=200&v=4"
+  Radarr/Radarr:
+    options:
+      semantic_versioning: false
+    latest_version:
+      type: github
+      url: Radarr/Radarr
+      url_commands:
+        - type: regex
+          regex: v([0-9.]+)$
+    deployed_version:
+      url: "https://radarr.trez.wtf/api/v3/system/status"
+      headers:
+        - key: X-Api-Key
+          value: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['RADARR_API_KEY'] }}
+      json: version
+    dashboard:
+      web_url: "https://github.com/Radarr/Radarr/releases/v{% raw %}{{ version }}{% endraw %}"
+      icon: "https://avatars.githubusercontent.com/u/25025331?s=200&v=4"
+  Readarr/Readarr:
+    options:
+      semantic_versioning: false
+    latest_version:
+      type: github
+      url: Readarr/Readarr
+      use_prerelease: true
+      url_commands:
+        - type: regex
+          regex: v([0-9.]+)$
+    deployed_version:
+      method: GET
+      url: "https://readarr.trez.wtf/api/v1/system/status"
+      headers:
+        - key: X-Api-Key
+          value: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['READARR_API_KEY'] }}
+      json: version
+    dashboard:
+      icon: "https://raw.githubusercontent.com/Readarr/Readarr/develop/Logo/1024.png"
+      web_url: "https://github.com/Readarr/Readarr/releases/v{% raw %}{{ version }}{% endraw %}"
+  Sonarr/Sonarr:
+    options:
+      semantic_versioning: false
+    latest_version:
+      type: url
+      url: "https://github.com/Sonarr/Sonarr/tags"
+      url_commands:
+        - type: regex
+          regex: \/releases\/tag\/v?([0-9.]+)\"
+    deployed_version:
+      url: "https://sonarr.trez.wtf/api/v3/system/status"
+      headers:
+        - key: X-Api-Key
+          value: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SONARR_API_KEY'] }}
+      json: version
+    dashboard:
+      web_url: "https://sonarr.trez.wtf/system/updates"
+      icon: "https://raw.githubusercontent.com/Sonarr/Sonarr/develop/Logo/256.png"
+  release-argus/argus:
+    latest_version:
+      type: github
+      url: release-argus/argus
+    dashboard:
+      icon: "https://raw.githubusercontent.com/release-argus/Argus/master/web/ui/react-app/public/favicon.svg"
+      icon_link-to: "https://release-argus.io"
+      web_url: "https://github.com/release-argus/Argus/blob/master/CHANGELOG.md"
@@ -102,6 +102,14 @@ access_control:
      policy: one_factor
      subject:
      - ['user:the.trezured.one']
+    - domain: wizarr.trez.wtf
+      resources:
+        - '^/join(/.*)?$'
+        - '^/j(/.*)?$'
+        - '^/static(/.*)?$'
+        - '^/setup(/.*)?$'
+        - '^/wizard(/.*)?$'
+      policy: bypass
 session:
  name: authelia_session
  secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_SESSION_SECRET'] }}'
@@ -112,8 +120,9 @@ session:
    - domain: 'trez.wtf'
      authelia_url: 'https://auth.trez.wtf'
  redis:
-    host: redis
+    host: authelia-valkey
    port: 6379
+    database_index: 0
 storage:
  encryption_key: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_STORAGE_ENCRYPTION_KEY'] }}'
  postgres:
@@ -0,0 +1,65 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+source: journalctl
+journalctl_filter:
+  - "--directory=/var/log/host/"
+labels:
+  type: syslog
+---
+filenames:
+  - /var/log/swag/*
+labels:
+  type: nginx
+---
+filenames:
+  - /var/log/auth/auth.log
+labels:
+  type: syslog
+---
+filenames:
+  - /var/lib/mysql/log/mysql/*
+  - /var/lib/mysql/databases/*.err
+  - /var/lib/mysql/databases/*.log
+labels:
+  type: mariadb
+---
+source: docker
+container_name:
+  - adguard
+labels:
+  type: adguardhome
+---
+source: docker
+container_name:
+ - mongodb
+labels:
+  type: mongodb
+---
+source: docker
+container_name:
+ - immich-server
+labels:
+  type: immich
+---
+source: docker
+container_name:
+ - uptimekuma
+labels:
+  type: uptime-kuma
+---
+source: docker
+container_name:
+ - jellyfin
+labels:
+  type: jellyfin
+---
+source: docker
+container_name:
+ - navidrome
+labels:
+  type: navidrome
+---
+filenames:
+  - /var/log/audiobookshelf/*.txt
+labels:
+  type: audiobookshelf
@@ -0,0 +1,51 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+common:
+  daemonize: false
+  log_media: stdout
+  log_level: info
+  log_dir: /var/log/
+config_paths:
+  config_dir: /etc/crowdsec/
+  data_dir: /var/lib/crowdsec/data/
+  simulation_path: /etc/crowdsec/simulation.yaml
+  hub_dir: /etc/crowdsec/hub/
+  index_path: /etc/crowdsec/hub/.index.json
+  notification_dir: /etc/crowdsec/notifications/
+  plugin_dir: /usr/local/lib/crowdsec/plugins/
+crowdsec_service:
+  acquisition_path: /etc/crowdsec/acquis.yaml
+  acquisition_dir: /etc/crowdsec/acquis.d
+  parser_routines: 1
+plugin_config:
+  user: nobody
+  group: nobody
+cscli:
+  output: human
+db_config:
+  log_level: info
+  type: sqlite
+  db_path: /var/lib/crowdsec/data/crowdsec.db
+  flush:
+    max_items: 5000
+    max_age: 7d
+  use_wal: false
+api:
+  client:
+    insecure_skip_verify: false
+    credentials_path: /etc/crowdsec/local_api_credentials.yaml
+  server:
+    log_level: info
+    listen_uri: 0.0.0.0:8080
+    profiles_path: /etc/crowdsec/profiles.yaml
+    trusted_ips: # IP ranges, or IPs which can have admin API access
+      - 127.0.0.1
+      - ::1
+    online_client: # Central API credentials (to push signals and receive bad IPs)
+      credentials_path: /etc/crowdsec/online_api_credentials.yaml
+    enable: true
+prometheus:
+  enabled: true
+  level: full
+  listen_addr: 0.0.0.0
+  listen_port: 6060
@@ -0,0 +1,6 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+url: https://api.crowdsec.net/
+login: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['CROWDSEC_ONLINE_PASSWORD'] }}
+password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['CROWDSEC_ONLINE_PASSWORD'] }}
@@ -1,15 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-
-source: journalctl
-journalctl_filter: 
-  - "--directory=/var/log/host/"
-labels:
-  type: syslog
---
-filenames:
-  - /var/log/swag/*
-labels:
-  type: nginx
---
@@ -0,0 +1,25 @@
+metadata_dir = "/var/lib/garage/meta"
+data_dir = "/var/lib/garage/data"
+db_engine = "lmdb"
+metadata_auto_snapshot_interval = "6h"
+
+replication_factor = 1
+
+compression_level = 10
+
+rpc_bind_addr = "[::]:3901"
+rpc_public_addr = "localhost:3901"
+rpc_secret = "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GARAGE_RPC_SECRET'] }}"
+
+[s3_api]
+s3_region = "us-east-fh-pln"
+api_bind_addr = "[::]:3900"
+root_domain = ".s3.trez.wtf"
+
+[s3_web]
+bind_addr = "[::]:3902"
+
+[admin]
+api_bind_addr = "[::]:3903"
+admin_token = "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GARAGE_ADMIN_TOKEN'] }}"
+metrics_token = "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GARAGE_METRICS_TOKEN'] }}"
@@ -26,7 +26,7 @@ layout:
    columns: 4
  Infrastructure/App Performance Monitoring:
    style: row
-    columns: 3
+    columns: 5
  Code/DevOps:
    style: row
    columns: 3
@@ -35,22 +35,25 @@ layout:
    columns: 4
  Lifestyle:
    style: row
-    columns: 3
+    columns: 5
  Automation:
    style: row
    columns: 5
  Privacy/Security:
    style: row
    columns: 5
-  Personal/Professional Services:
-    style: row
-    columns: 5
-  Servarr Stack:
+  Personal Tools:
    style: row
    columns: 3
+  Professional Services:
+    style: row
+    columns: 4
+  Servarr Stack:
+    style: row
+    columns: 5
  Downloaders:
    style: row
-    columns: 2
+    columns: 5
  Media Library:
    style: row
    columns: 3
@@ -1,26 +1,26 @@
-version: 1.0.0
+version: 1.2.8
 endpoints:
  custom:
-    - name: "ollama"
+    - name: "rinoa-ollama"
      apiKey: "ollama"
      baseURL: "http://ollama:11434/v1/chat/completions"
      models:
        default: [
-          "deepseek-r1:1.5b",
+          "codellama:7b",
          "deepseek-coder-v2:16b",
+          "deepseek-r1:1.5b",
          "deepseek-v3:671b",
+          "dolphin-mistral:7b",
+          "llama2:7b",
          "llama3.3:70b",
+          "mistral-openorca:7b",
+          "mistral:7b",
+          "orca-mini:3b",
          "phi4:14b",
          "qwen2.5",
-          "llama2:7b",
-          "mistral:7b",
-          "codellama:7b",
-          "tinyllama:1.1b",
-          "starcoder2:3b",
-          "dolphin-mistral:7b",
          "smollm2:1.7b",
-          "orca-mini:3b",
-          "mistral-openorca:7b"
+          "starcoder2:3b",
+          "tinyllama:1.1b",
        ]
 # fetching list of models is supported but the `name` field must start
 # with `ollama` (case-insensitive), as it does in this example.
@@ -1,550 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-#=====================================================================#
-#                       LibreChat Configuration                       #
-#=====================================================================#
-# Please refer to the reference documentation for assistance          #
-# with configuring your LibreChat environment.                        #
-#                                                                     #
-# https://www.librechat.ai/docs/configuration/dotenv                  #
-#=====================================================================#
-
-#==================================================#
-#               Server Configuration               #
-#==================================================#
-
-HOST=localhost
-PORT=3080
-
-MONGO_URI=mongodb://librechat:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_MONGODB_PASSWORD'] }}@mongodb:27017/librechat?replicaSet=rinoa
-
-DOMAIN_CLIENT=https://ai.trez.wtf
-DOMAIN_SERVER=https://ai.trez.wtf
-
-NO_INDEX=true
-# Use the address that is at most n number of hops away from the Express application.
-# req.socket.remoteAddress is the first hop, and the rest are looked for in the X-Forwarded-For header from right to left.
-# A value of 0 means that the first untrusted address would be req.socket.remoteAddress, i.e. there is no reverse proxy.
-# Defaulted to 1.
-TRUST_PROXY=1
-
-#===============#
-# JSON Logging  #
-#===============#
-
-# Use when process console logs in cloud deployment like GCP/AWS
-CONSOLE_JSON=true
-
-#===============#
-# Debug Logging #
-#===============#
-
-DEBUG_LOGGING=true
-DEBUG_CONSOLE=false
-
-#=============#
-# Permissions #
-#=============#
-
-# UID=1000
-# GID=1000
-
-#===============#
-# Configuration #
-#===============#
-# Use an absolute path, a relative path, or a URL
-
-# CONFIG_PATH="/alternative/path/to/librechat.yaml"
-
-#===================================================#
-#                     Endpoints                     #
-#===================================================#
-
-# ENDPOINTS=openAI,assistants,azureOpenAI,google,gptPlugins,anthropic
-
-PROXY=
-
-#===================================#
-# Known Endpoints - librechat.yaml  #
-#===================================#
-# https://www.librechat.ai/docs/configuration/librechat_yaml/ai_endpoints
-
-# ANYSCALE_API_KEY=
-# APIPIE_API_KEY=
-# COHERE_API_KEY=
-DEEPSEEK_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_DEEPSEEK_API_KEY'] }}
-# DATABRICKS_API_KEY=
-# FIREWORKS_API_KEY=
-# GROQ_API_KEY=
-# HUGGINGFACE_TOKEN=
-MISTRAL_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_MISTRAL_API_KEY'] }}
-# OPENROUTER_KEY=
-# PERPLEXITY_API_KEY=
-# SHUTTLEAI_API_KEY=
-# TOGETHERAI_API_KEY=
-# UNIFY_API_KEY=
-# XAI_API_KEY=
-
-#============#
-# Anthropic  #
-#============#
-
-ANTHROPIC_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_ANTHROPIC_API_KEY'] }}
-ANTHROPIC_MODELS=claude-3-7-sonnet-latest,claude-3-7-sonnet-20250219,claude-3-5-haiku-20241022,claude-3-5-sonnet-20241022,claude-3-5-sonnet-latest,claude-3-5-sonnet-20240620,claude-3-opus-20240229,claude-3-sonnet-20240229,claude-3-haiku-20240307,claude-2.1,claude-2,claude-1.2,claude-1,claude-1-100k,claude-instant-1,claude-instant-1-100k
-# ANTHROPIC_REVERSE_PROXY=
-
-#============#
-# Azure      #
-#============#
-
-# Note: these variables are DEPRECATED
-# Use the `librechat.yaml` configuration for `azureOpenAI` instead
-# You may also continue to use them if you opt out of using the `librechat.yaml` configuration
-
-# AZURE_OPENAI_DEFAULT_MODEL=gpt-3.5-turbo # Deprecated
-# AZURE_OPENAI_MODELS=gpt-3.5-turbo,gpt-4 # Deprecated
-# AZURE_USE_MODEL_AS_DEPLOYMENT_NAME=TRUE # Deprecated
-# AZURE_API_KEY= # Deprecated
-# AZURE_OPENAI_API_INSTANCE_NAME= # Deprecated
-# AZURE_OPENAI_API_DEPLOYMENT_NAME= # Deprecated
-# AZURE_OPENAI_API_VERSION= # Deprecated
-# AZURE_OPENAI_API_COMPLETIONS_DEPLOYMENT_NAME= # Deprecated
-# AZURE_OPENAI_API_EMBEDDINGS_DEPLOYMENT_NAME= # Deprecated
-# PLUGINS_USE_AZURE="true" # Deprecated
-
-#=================#
-#   AWS Bedrock   #
-#=================#
-
-# BEDROCK_AWS_DEFAULT_REGION=us-east-1 # A default region must be provided
-# BEDROCK_AWS_ACCESS_KEY_ID=someAccessKey
-# BEDROCK_AWS_SECRET_ACCESS_KEY=someSecretAccessKey
-# BEDROCK_AWS_SESSION_TOKEN=someSessionToken
-
-# Note: This example list is not meant to be exhaustive. If omitted, all known, supported model IDs will be included for you.
-# BEDROCK_AWS_MODELS=anthropic.claude-3-5-sonnet-20240620-v1:0,meta.llama3-1-8b-instruct-v1:0
-
-# See all Bedrock model IDs here: https://docs.aws.amazon.com/bedrock/latest/userguide/model-ids.html#model-ids-arns
-
-# Notes on specific models:
-# The following models are not support due to not supporting streaming:
-# ai21.j2-mid-v1
-
-# The following models are not support due to not supporting conversation history:
-# ai21.j2-ultra-v1, cohere.command-text-v14, cohere.command-light-text-v14
-
-#============#
-# Google     #
-#============#
-
-{# GOOGLE_KEY=user_provided #}
-
-# GOOGLE_REVERSE_PROXY=
-# Some reverse proxies do not support the X-goog-api-key header, uncomment to pass the API key in Authorization header instead.
-# GOOGLE_AUTH_HEADER=true
-
-# Gemini API (AI Studio)
-# GOOGLE_MODELS=gemini-2.0-flash-exp,gemini-2.0-flash-thinking-exp-1219,gemini-exp-1121,gemini-exp-1114,gemini-1.5-flash-latest,gemini-1.0-pro,gemini-1.0-pro-001,gemini-1.0-pro-latest,gemini-1.0-pro-vision-latest,gemini-1.5-pro-latest,gemini-pro,gemini-pro-vision
-
-# Vertex AI
-# GOOGLE_MODELS=gemini-1.5-flash-preview-0514,gemini-1.5-pro-preview-0514,gemini-1.0-pro-vision-001,gemini-1.0-pro-002,gemini-1.0-pro-001,gemini-pro-vision,gemini-1.0-pro
-
-# GOOGLE_TITLE_MODEL=gemini-pro
-
-# GOOGLE_LOC=us-central1
-
-# Google Safety Settings
-# NOTE: These settings apply to both Vertex AI and Gemini API (AI Studio)
-#
-# For Vertex AI:
-# To use the BLOCK_NONE setting, you need either:
-# (a) Access through an allowlist via your Google account team, or
-# (b) Switch to monthly invoiced billing: https://cloud.google.com/billing/docs/how-to/invoiced-billing
-#
-# For Gemini API (AI Studio):
-# BLOCK_NONE is available by default, no special account requirements.
-#
-# Available options: BLOCK_NONE, BLOCK_ONLY_HIGH, BLOCK_MEDIUM_AND_ABOVE, BLOCK_LOW_AND_ABOVE
-#
-# GOOGLE_SAFETY_SEXUALLY_EXPLICIT=BLOCK_ONLY_HIGH
-# GOOGLE_SAFETY_HATE_SPEECH=BLOCK_ONLY_HIGH
-# GOOGLE_SAFETY_HARASSMENT=BLOCK_ONLY_HIGH
-# GOOGLE_SAFETY_DANGEROUS_CONTENT=BLOCK_ONLY_HIGH
-# GOOGLE_SAFETY_CIVIC_INTEGRITY=BLOCK_ONLY_HIGH
-
-#============#
-# OpenAI     #
-#============#
-
-OPENAI_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_OPENAI_API_KEY'] }}
-OPENAI_MODELS=o1,o1-mini,o1-preview,gpt-4o,chatgpt-4o-latest,gpt-4o-mini,gpt-3.5-turbo-0125,gpt-3.5-turbo-0301,gpt-3.5-turbo,gpt-4,gpt-4-0613,gpt-4-vision-preview,gpt-3.5-turbo-0613,gpt-3.5-turbo-16k-0613,gpt-4-0125-preview,gpt-4-turbo-preview,gpt-4-1106-preview,gpt-3.5-turbo-1106,gpt-3.5-turbo-instruct,gpt-3.5-turbo-instruct-0914,gpt-3.5-turbo-16k
-
-DEBUG_OPENAI=false
-
-# TITLE_CONVO=false
-# OPENAI_TITLE_MODEL=gpt-4o-mini
-
-# OPENAI_SUMMARIZE=true
-# OPENAI_SUMMARY_MODEL=gpt-4o-mini
-
-# OPENAI_FORCE_PROMPT=true
-
-# OPENAI_REVERSE_PROXY=
-
-# OPENAI_ORGANIZATION=
-
-#====================#
-#   Assistants API   #
-#====================#
-
-# ASSISTANTS_API_KEY=user_provided
-# ASSISTANTS_BASE_URL=
-# ASSISTANTS_MODELS=gpt-4o,gpt-4o-mini,gpt-3.5-turbo-0125,gpt-3.5-turbo-16k-0613,gpt-3.5-turbo-16k,gpt-3.5-turbo,gpt-4,gpt-4-0314,gpt-4-32k-0314,gpt-4-0613,gpt-3.5-turbo-0613,gpt-3.5-turbo-1106,gpt-4-0125-preview,gpt-4-turbo-preview,gpt-4-1106-preview
-
-#==========================#
-#   Azure Assistants API   #
-#==========================#
-
-# Note: You should map your credentials with custom variables according to your Azure OpenAI Configuration
-# The models for Azure Assistants are also determined by your Azure OpenAI configuration.
-
-# More info, including how to enable use of Assistants with Azure here:
-# https://www.librechat.ai/docs/configuration/librechat_yaml/ai_endpoints/azure#using-assistants-with-azure
-
-#============#
-# OpenRouter #
-#============#
-# !!!Warning: Use the variable above instead of this one. Using this one will override the OpenAI endpoint
-# OPENROUTER_API_KEY=
-
-#============#
-# Plugins    #
-#============#
-
-# PLUGIN_MODELS=gpt-4o,gpt-4o-mini,gpt-4,gpt-4-turbo-preview,gpt-4-0125-preview,gpt-4-1106-preview,gpt-4-0613,gpt-3.5-turbo,gpt-3.5-turbo-0125,gpt-3.5-turbo-1106,gpt-3.5-turbo-0613
-
-# DEBUG_PLUGINS=
-
-CREDS_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_CREDS_KEY'] }}
-CREDS_IV={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_CREDS_IV'] }}
-
-# Azure AI Search
-#-----------------
-# AZURE_AI_SEARCH_SERVICE_ENDPOINT=
-# AZURE_AI_SEARCH_INDEX_NAME=
-# AZURE_AI_SEARCH_API_KEY=
-
-# AZURE_AI_SEARCH_API_VERSION=
-# AZURE_AI_SEARCH_SEARCH_OPTION_QUERY_TYPE=
-# AZURE_AI_SEARCH_SEARCH_OPTION_TOP=
-# AZURE_AI_SEARCH_SEARCH_OPTION_SELECT=
-
-# DALL·E
-#----------------
-# DALLE_API_KEY=
-# DALLE3_API_KEY=
-# DALLE2_API_KEY=
-# DALLE3_SYSTEM_PROMPT=
-# DALLE2_SYSTEM_PROMPT=
-# DALLE_REVERSE_PROXY=
-# DALLE3_BASEURL=
-# DALLE2_BASEURL=
-
-# DALL·E (via Azure OpenAI)
-# Note: requires some of the variables above to be set
-#----------------
-# DALLE3_AZURE_API_VERSION=
-# DALLE2_AZURE_API_VERSION=
-
-
-# Google
-#-----------------
-GOOGLE_SEARCH_API_KEY=
-GOOGLE_CSE_ID=
-
-# YOUTUBE
-#-----------------
-YOUTUBE_API_KEY=
-
-# SerpAPI
-#-----------------
-SERPAPI_API_KEY=
-
-# Stable Diffusion
-#-----------------
-SD_WEBUI_URL=http://stable-diffusion-webui:7860
-
-# Tavily
-#-----------------
-TAVILY_API_KEY=
-
-# Traversaal
-#-----------------
-TRAVERSAAL_API_KEY=
-
-# WolframAlpha
-#-----------------
-WOLFRAM_APP_ID=
-
-# Zapier
-#-----------------
-ZAPIER_NLA_API_KEY=
-
-#==================================================#
-#                      Search                      #
-#==================================================#
-
-SEARCH=true
-MEILI_NO_ANALYTICS=true
-MEILI_HOST=http://meilisearch:7700
-MEILI_MASTER_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MEILISEARCH_MASTER_KEY'] }}
-
-# Optional: Disable indexing, useful in a multi-node setup
-# where only one instance should perform an index sync.
-# MEILI_NO_SYNC=true
-
-#==================================================#
-#          Speech to Text & Text to Speech         #
-#==================================================#
-
-STT_API_KEY=
-TTS_API_KEY=
-
-#==================================================#
-#                        RAG                       #
-#==================================================#
-# More info: https://www.librechat.ai/docs/configuration/rag_api
-
-# RAG_OPENAI_BASEURL=
-# RAG_OPENAI_API_KEY=
-# RAG_USE_FULL_CONTEXT=
-# EMBEDDINGS_PROVIDER=openai
-# EMBEDDINGS_MODEL=text-embedding-3-small
-
-#===================================================#
-#                    User System                    #
-#===================================================#
-
-#========================#
-# Moderation             #
-#========================#
-
-OPENAI_MODERATION=false
-OPENAI_MODERATION_API_KEY=
-# OPENAI_MODERATION_REVERSE_PROXY=
-
-BAN_VIOLATIONS=true
-BAN_DURATION=1000 * 60 * 60 * 2
-BAN_INTERVAL=20
-
-LOGIN_VIOLATION_SCORE=1
-REGISTRATION_VIOLATION_SCORE=1
-CONCURRENT_VIOLATION_SCORE=1
-MESSAGE_VIOLATION_SCORE=1
-NON_BROWSER_VIOLATION_SCORE=20
-
-LOGIN_MAX=7
-LOGIN_WINDOW=5
-REGISTER_MAX=5
-REGISTER_WINDOW=60
-
-LIMIT_CONCURRENT_MESSAGES=true
-CONCURRENT_MESSAGE_MAX=2
-
-LIMIT_MESSAGE_IP=true
-MESSAGE_IP_MAX=40
-MESSAGE_IP_WINDOW=1
-
-LIMIT_MESSAGE_USER=false
-MESSAGE_USER_MAX=40
-MESSAGE_USER_WINDOW=1
-
-ILLEGAL_MODEL_REQ_SCORE=5
-
-#========================#
-# Balance                #
-#========================#
-
-CHECK_BALANCE=false
-# START_BALANCE=20000 # note: the number of tokens that will be credited after registration.
-
-#========================#
-# Registration and Login #
-#========================#
-
-ALLOW_EMAIL_LOGIN=true
-ALLOW_REGISTRATION=true
-ALLOW_SOCIAL_LOGIN=false
-ALLOW_SOCIAL_REGISTRATION=false
-ALLOW_PASSWORD_RESET=false
-# ALLOW_ACCOUNT_DELETION=true # note: enabled by default if omitted/commented out
-ALLOW_UNVERIFIED_EMAIL_LOGIN=true
-
-SESSION_EXPIRY=1000 * 60 * 15
-REFRESH_TOKEN_EXPIRY=(1000 * 60 * 60 * 24) * 7
-
-JWT_SECRET={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_JWT_SECRET'] }}
-JWT_REFRESH_SECRET={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_JWT_REFRESH_SECRET'] }}
-
-
-# Discord
-DISCORD_CLIENT_ID=
-DISCORD_CLIENT_SECRET=
-DISCORD_CALLBACK_URL=/oauth/discord/callback
-
-# Facebook
-FACEBOOK_CLIENT_ID=
-FACEBOOK_CLIENT_SECRET=
-FACEBOOK_CALLBACK_URL=/oauth/facebook/callback
-
-# GitHub
-GITHUB_CLIENT_ID=
-GITHUB_CLIENT_SECRET=
-GITHUB_CALLBACK_URL=/oauth/github/callback
-# GitHub Enterprise
-# GITHUB_ENTERPRISE_BASE_URL=
-# GITHUB_ENTERPRISE_USER_AGENT=
-
-# Google
-GOOGLE_CLIENT_ID=
-GOOGLE_CLIENT_SECRET=
-GOOGLE_CALLBACK_URL=/oauth/google/callback
-
-# Apple
-APPLE_CLIENT_ID=
-APPLE_TEAM_ID=
-APPLE_KEY_ID=
-APPLE_PRIVATE_KEY_PATH=
-APPLE_CALLBACK_URL=/oauth/apple/callback
-
-# OpenID
-OPENID_CLIENT_ID=
-OPENID_CLIENT_SECRET=
-OPENID_ISSUER=
-OPENID_SESSION_SECRET=
-OPENID_SCOPE="openid profile email"
-OPENID_CALLBACK_URL=/oauth/openid/callback
-OPENID_REQUIRED_ROLE=
-OPENID_REQUIRED_ROLE_TOKEN_KIND=
-OPENID_REQUIRED_ROLE_PARAMETER_PATH=
-# Set to determine which user info property returned from OpenID Provider to store as the User's username
-OPENID_USERNAME_CLAIM=
-# Set to determine which user info property returned from OpenID Provider to store as the User's name
-OPENID_NAME_CLAIM=
-
-OPENID_BUTTON_LABEL=
-OPENID_IMAGE_URL=
-
-# LDAP
-# LDAP_URL=
-# LDAP_BIND_DN=
-# LDAP_BIND_CREDENTIALS=
-# LDAP_USER_SEARCH_BASE=
-# LDAP_SEARCH_FILTER=mail=
-# LDAP_CA_CERT_PATH=
-# LDAP_TLS_REJECT_UNAUTHORIZED=
-# LDAP_LOGIN_USES_USERNAME=true
-# LDAP_ID=
-# LDAP_USERNAME=
-# LDAP_EMAIL=
-# LDAP_FULL_NAME=
-
-#========================#
-# Email Password Reset   #
-#========================#
-
-EMAIL_SERVICE=
-EMAIL_HOST=postal-smtp
-EMAIL_PORT=25
-EMAIL_ENCRYPTION=
-EMAIL_ENCRYPTION_HOSTNAME=
-EMAIL_ALLOW_SELFSIGNED=
-EMAIL_USERNAME=
-EMAIL_PASSWORD=
-EMAIL_FROM_NAME=
-EMAIL_FROM=noreply@librechat.ai
-
-#========================#
-# Firebase CDN           #
-#========================#
-
-# FIREBASE_API_KEY=
-# FIREBASE_AUTH_DOMAIN=
-# FIREBASE_PROJECT_ID=
-# FIREBASE_STORAGE_BUCKET=
-# FIREBASE_MESSAGING_SENDER_ID=
-# FIREBASE_APP_ID=
-
-#========================#
-# Shared Links           #
-#========================#
-
-ALLOW_SHARED_LINKS=true
-ALLOW_SHARED_LINKS_PUBLIC=true
-
-#==============================#
-# Static File Cache Control    #
-#==============================#
-
-# Leave commented out to use defaults: 1 day (86400 seconds) for s-maxage and 2 days (172800 seconds) for max-age
-# NODE_ENV must be set to production for these to take effect
-# STATIC_CACHE_MAX_AGE=172800
-# STATIC_CACHE_S_MAX_AGE=86400
-
-# If you have another service in front of your LibreChat doing compression, disable express based compression here
-# DISABLE_COMPRESSION=true
-
-#===================================================#
-#                        UI                         #
-#===================================================#
-
-APP_TITLE=LibreChat
-# CUSTOM_FOOTER="My custom footer"
-HELP_AND_FAQ_URL=https://librechat.ai
-
-# SHOW_BIRTHDAY_ICON=true
-
-# Google tag manager id
-#ANALYTICS_GTM_ID=user provided google tag manager id
-
-#===============#
-# REDIS Options #
-#===============#
-
-REDIS_URI=redis:6379
-USE_REDIS=true
-
-# USE_REDIS_CLUSTER=true
-# REDIS_CA=/path/to/ca.crt
-
-#==================================================#
-#                      Others                      #
-#==================================================#
-#   You should leave the following commented out   #
-
-# NODE_ENV=
-
-# E2E_USER_EMAIL=
-# E2E_USER_PASSWORD=
-
-#=====================================================#
-#                  Cache Headers                      #
-#=====================================================#
-#   Headers that control caching of the index.html    #
-#   Default configuration prevents caching to ensure  #
-#   users always get the latest version. Customize    #
-#   only if you understand caching implications.      #
-
-# INDEX_HTML_CACHE_CONTROL=no-cache, no-store, must-revalidate
-# INDEX_HTML_PRAGMA=no-cache
-# INDEX_HTML_EXPIRES=0
-
-# no-cache: Forces validation with server before using cached version
-# no-store: Prevents storing the response entirely
-# must-revalidate: Prevents using stale content when offline
-
-#=====================================================#
-#                  OpenWeather                        #
-#=====================================================#
-OPENWEATHER_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['HOMEPAGE_OPENWEATHERMAP_API_KEY'] }}
@@ -0,0 +1,102 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+containers:
+  ghost_blog:
+    action_keywords:
+      - restart:
+          regex: 'Connection Error.*ECONNRESET$'
+  immich-server:
+    action_keywords:
+      - restart:
+          regex: '(ENOTFOUND|Error|ECONNREFUSED)'
+  invidious:
+    action_keywords:
+      - restart:
+          regex: 'Error reading.*Connection reset by peer trying to reconnect\.\.\.'
+  maxun-backend:
+    action_keywords:
+      - restart:
+          regex: '[Ee]rror'
+  planka:
+    action_keywords:
+      - restart:
+          regex: 'Failed to lift app: Sails is taking too long to load.$'
+  scrutiny:
+    action_keywords:
+      - restart:
+          regex: '^s6-rc: fatal: timed out$'
+  swag:
+    action_keywords:
+      - restart:
+          regex: 's6-rc: fatal.*'
+  authelia-valkey:
+    action_keywords:
+    - restart:
+        regex: 'Asynchronous AOF fsync is taking too long.*slow down the server.$'
+  castopod-valkey:
+    action_keywords:
+    - restart:
+        regex: 'Asynchronous AOF fsync is taking too long.*slow down the server.$'
+  dawarich-valkey:
+    action_keywords:
+    - restart:
+        regex: 'Asynchronous AOF fsync is taking too long.*slow down the server.$'
+  immich-valkey:
+    action_keywords:
+    - restart:
+        regex: 'Asynchronous AOF fsync is taking too long.*slow down the server.$'
+  librechat-valkey:
+    action_keywords:
+    - restart:
+        regex: 'Asynchronous AOF fsync is taking too long.*slow down the server.$'
+  manyfold-valkey:
+    action_keywords:
+    - restart:
+        regex: 'Asynchronous AOF fsync is taking too long.*slow down the server.$'
+  mastodon-valkey:
+    action_keywords:
+    - restart:
+        regex: 'Asynchronous AOF fsync is taking too long.*slow down the server.$'
+  maxun-valkey:
+    action_keywords:
+    - restart:
+        regex: 'Asynchronous AOF fsync is taking too long.*slow down the server.$'
+  mixpost-valkey:
+    action_keywords:
+    - restart:
+        regex: 'Asynchronous AOF fsync is taking too long.*slow down the server.$'
+  paperless-valkey:
+    action_keywords:
+    - restart:
+        regex: 'Asynchronous AOF fsync is taking too long.*slow down the server.$'
+  plant-it-valkey:
+    action_keywords:
+    - restart:
+        regex: 'Asynchronous AOF fsync is taking too long.*slow down the server.$'
+  romm-valkey:
+    action_keywords:
+    - restart:
+        regex: 'Asynchronous AOF fsync is taking too long.*slow down the server.$'
+  searxng-valkey:
+    action_keywords:
+    - restart:
+        regex: 'Asynchronous AOF fsync is taking too long.*slow down the server.$'
+global_keywords:
+  keywords:
+    - panic
+  keywords_with_attachment:
+    - fatal
+notifications:
+  apprise:
+    url: gotify://gotify/{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['APPRISE_GOTIFY_TOKEN'] }}    # Any Apprise-compatible URL (https://github.com/caronc/apprise/wiki)
+# settings are optional because they all have default values
+settings:
+  log_level: INFO               # DEBUG, INFO, WARNING, ERROR
+  notification_cooldown: 5      # Seconds between alerts for same keyword (per container)
+  attachment_lines: 20          # Number of Lines to include in log attachments
+  multi_line_entries: true      # Detect multi-line log entries
+  disable_restart: false        # Disable restart when a config change is detected
+  disable_start_message: false  # Suppress startup notification
+  disable_shutdown_message: false  # Suppress shutdown notification
+  disable_restart_message: false   # Suppress config reload notification
@@ -1,33 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-containers:
-  ghost_blog:
-    action_keywords:
-      - restart:
-          regex: ':[0-9]{2}\] ERROR.*$'
-  immich-server:
-    action_keywords:
-      - restart:
-          regex: 'ADVICE:.*error'
-  invidious:
-    keywords:
-      - regex: 'Error reading.*Connection reset by peer trying to reconnect...'
-global_keywords:
-  keywords:
-    - panic
-  keywords_with_attachment:
-    - fatal
-notifications:
-  apprise:
-    url: gotify://gotify/{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['APPRISE_GOTIFY_TOKEN'] }}    # Any Apprise-compatible URL (https://github.com/caronc/apprise/wiki)
-# settings are optional because they all have default values
-settings:
-  log_level: INFO               # DEBUG, INFO, WARNING, ERROR
-  notification_cooldown: 5      # Seconds between alerts for same keyword (per container)
-  attachment_lines: 20          # Number of Lines to include in log attachments
-  multi_line_entries: true      # Detect multi-line log entries
-  disable_restart: false        # Disable restart when a config change is detected
-  disable_start_message: false  # Suppress startup notification
-  disable_shutdown_message: false  # Suppress shutdown notification
-  disable_restart_message: false   # Suppress config reload notification
@@ -1,159 +0,0 @@
-'use strict';
-
-const packageJson = require('../../package.json');
-
-module.exports = {
-    // Branding and customizations require a license: https://codecanyon.net/item/mirotalk-p2p-webrtc-realtime-video-conferences/38376661
-    brand: {
-        app: {
-            language: 'en', // https://en.wikipedia.org/wiki/List_of_ISO_639_language_codes
-            name: 'MiroTalk',
-            title: '<h1>MiroTalk</h1/>Free browser based Real-time video calls.<br />Simple, Secure, Fast.',
-            description:
-                'Start your next video call with a single click. No download, plug-in, or login is required. Just get straight to talking, messaging, and sharing your screen.',
-            joinDescription: 'Pick a room name.<br />How about this one?',
-            joinButtonLabel: 'JOIN ROOM',
-            joinLastLabel: 'Your recent room:',
-        },
-        og: {
-            type: 'app-webrtc',
-            siteName: 'MiroTalk',
-            title: 'Click the link to make a call.',
-            description:
-                'MiroTalk calling provides real-time HD quality and latency simply not available with traditional technology.',
-            image: 'https://p2p.mirotalk.com/images/preview.png',
-            url: 'https://p2p.mirotalk.com',
-        },
-        site: {
-            shortcutIcon: '../images/logo.svg',
-            appleTouchIcon: '../images/logo.svg',
-            landingTitle: 'MiroTalk a Free Secure Video Calls, Chat & Screen Sharing.',
-            newCallTitle: 'MiroTalk a Free Secure Video Calls, Chat & Screen Sharing.',
-            newCallRoomTitle: 'Pick name. <br />Share URL. <br />Start conference.',
-            newCallRoomDescription:
-                "Each room has its disposable URL. Just pick a room name and share your custom URL. It's that easy.",
-            loginTitle: 'MiroTalk - Host Protected login required.',
-            clientTitle: 'MiroTalk WebRTC Video call, Chat Room & Screen Sharing.',
-            privacyPolicyTitle: 'MiroTalk - privacy and policy.',
-            stunTurnTitle: 'Test Stun/Turn Servers.',
-            notFoundTitle: 'MiroTalk - 404 Page not found.',
-        },
-        html: {
-            features: true,
-            browsers: true,
-            teams: true, // please keep me always true ;)
-            tryEasier: true,
-            poweredBy: true,
-            sponsors: true,
-            advertisers: true,
-            footer: true,
-        },
-        about: {
-            imageUrl: '../images/mirotalk-logo.gif',
-            title: `WebRTC P2P v${packageJson.version}`,
-            html: `
-                <button
-                    id="support-button"
-                    data-umami-event="Support button"
-                    onclick="window.open('https://codecanyon.net/user/miroslavpejic85')">
-                    <i class="fas fa-heart" ></i>&nbsp;Support
-                </button>
-                <br /><br /><br />
-                Author:<a
-                    id="linkedin-button"
-                    data-umami-event="Linkedin button"
-                    href="https://www.linkedin.com/in/miroslav-pejic-976a07101/" target="_blank">
-                    Miroslav Pejic
-                </a>
-                <br /><br />
-                Email:<a
-                    id="email-button"
-                    data-umami-event="Email button"
-                    href="mailto:miroslav.pejic.85@gmail.com?subject=MiroTalk P2P info">
-                    miroslav.pejic.85@gmail.com
-                </a>
-                <br /><br />
-                <hr />
-                <span>&copy; 2025 MiroTalk P2P, all rights reserved</span>
-                <hr />
-            `,
-        },
-        //...
-    },
-    /**
-     * Configuration for controlling the visibility of buttons in the MiroTalk P2P client.
-     * Set properties to true to show the corresponding buttons, or false to hide them.
-     * captionBtn, showSwapCameraBtn, showScreenShareBtn, showFullScreenBtn, showVideoPipBtn, showDocumentPipBtn -> (auto-detected).
-     */
-    buttons: {
-        main: {
-            showShareQr: true,
-            showShareRoomBtn: true, // For guests
-            showHideMeBtn: true,
-            showAudioBtn: true,
-            showVideoBtn: true,
-            showScreenBtn: true, // autodetected
-            showRecordStreamBtn: true,
-            showChatRoomBtn: true,
-            showCaptionRoomBtn: true,
-            showRoomEmojiPickerBtn: true,
-            showMyHandBtn: true,
-            showWhiteboardBtn: true,
-            showSnapshotRoomBtn: true,
-            showFileShareBtn: true,
-            showDocumentPipBtn: true,
-            showMySettingsBtn: true,
-            showAboutBtn: true, // Please keep me always true, Thank you!
-        },
-        chat: {
-            showTogglePinBtn: true,
-            showMaxBtn: true,
-            showSaveMessageBtn: true,
-            showMarkDownBtn: true,
-            showChatGPTBtn: true,
-            showFileShareBtn: true,
-            showShareVideoAudioBtn: true,
-            showParticipantsBtn: true,
-        },
-        caption: {
-            showTogglePinBtn: true,
-            showMaxBtn: true,
-        },
-        settings: {
-            showMicOptionsBtn: true,
-            showTabRoomPeerName: true,
-            showTabRoomParticipants: true,
-            showTabRoomSecurity: true,
-            showTabEmailInvitation: true,
-            showCaptionEveryoneBtn: true,
-            showMuteEveryoneBtn: true,
-            showHideEveryoneBtn: true,
-            showEjectEveryoneBtn: true,
-            showLockRoomBtn: true,
-            showUnlockRoomBtn: true,
-            showShortcutsBtn: true,
-        },
-        remote: {
-            showAudioVolume: true,
-            audioBtnClickAllowed: true,
-            videoBtnClickAllowed: true,
-            showVideoPipBtn: true,
-            showKickOutBtn: true,
-            showSnapShotBtn: true,
-            showFileShareBtn: true,
-            showShareVideoAudioBtn: true,
-            showPrivateMessageBtn: true,
-            showZoomInOutBtn: false,
-            showVideoFocusBtn: true,
-        },
-        local: {
-            showVideoPipBtn: true,
-            showSnapShotBtn: true,
-            showVideoCircleBtn: true,
-            showZoomInOutBtn: false,
-        },
-        whiteboard: {
-            whiteboardLockBtn: false,
-        },
-    },
-};
@@ -1,76 +0,0 @@
-{
-  "Stuns": [
-    {
-      "Proto": "udp",
-      "URI": "stun:netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:3478",
-      "Username": "",
-      "Password": null
-    }
-  ],
-  "TURNConfig": {
-    "Turns": [
-      {
-        "Proto": "udp",
-        "URI": "turn:netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:3478",
-        "Username": "self",
-        "Password": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_TURN_PASSWORD'] }}"
-      }
-    ],
-    "CredentialsTTL": "12h",
-    "Secret": "secret",
-    "TimeBasedCredentials": false
-  },
-  "Relay": {
-    "Addresses": [
-      "rel://netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:33080"
-    ],
-    "CredentialsTTL": "24h",
-    "Secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_RELAY_AUTH_SECRET'] }}"
-  },
-  "Signal": {
-    "Proto": "https",
-    "URI": "netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:10001",
-    "Username": "",
-    "Password": null
-  },
-  "ReverseProxy": {
-    "TrustedHTTPProxies": [],
-    "TrustedHTTPProxiesCount": 0,
-    "TrustedPeers": [
-      "0.0.0.0/0"
-    ]
-  },
-  "Datadir": "",
-  "DataStoreEncryptionKey": "",
-  "StoreConfig": {
-    "Engine": "sqlite"
-  },
-  "HttpConfig": {
-    "Address": "0.0.0.0:33073",
-    "AuthIssuer": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}",
-    "AuthAudience": "netbird",
-    "AuthKeysLocation": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/jwks.json",
-    "AuthUserIDClaim": "",
-    "CertFile": "",
-    "CertKey": "",
-    "IdpSignKeyRefreshEnabled": true,
-    "OIDCConfigEndpoint": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/.well-known/openid-configuration"
-  },
-  "IdpManagerConfig": {},
-  "DeviceAuthorizationFlow": {},
-  "PKCEAuthorizationFlow": {
-    "ProviderConfig": {
-      "Audience": "netbird",
-      "ClientID": "netbird",
-      "ClientSecret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_NETBIRD_CLIENT_SECRET'] }}",
-      "Domain": "",
-      "AuthorizationEndpoint": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/api/oidc/authorization",
-      "TokenEndpoint": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/api/oidc/token",
-      "Scope": "openid profile email offline_access api",
-      "RedirectURLs": [
-        "http://localhost:53000"
-      ],
-      "UseIDToken": true
-    }
-  }
-}
@@ -1,122 +0,0 @@
-{
-    "issuer": "https://id.trez.wtf",
-    "authorization_endpoint": "https://id.trez.wtf/oauth/v2/authorize",
-    "token_endpoint": "https://id.trez.wtf/oauth/v2/token",
-    "introspection_endpoint": "https://id.trez.wtf/oauth/v2/introspect",
-    "userinfo_endpoint": "https://id.trez.wtf/oidc/v1/userinfo",
-    "revocation_endpoint": "https://id.trez.wtf/oauth/v2/revoke",
-    "end_session_endpoint": "https://id.trez.wtf/oidc/v1/end_session",
-    "device_authorization_endpoint": "https://id.trez.wtf/oauth/v2/device_authorization",
-    "jwks_uri": "https://id.trez.wtf/oauth/v2/keys",
-    "scopes_supported": [
-        "openid",
-        "profile",
-        "email",
-        "phone",
-        "address",
-        "offline_access"
-    ],
-    "response_types_supported": [
-        "code",
-        "id_token",
-        "id_token token"
-    ],
-    "response_modes_supported": [
-        "query",
-        "fragment",
-        "form_post"
-    ],
-    "grant_types_supported": [
-        "authorization_code",
-        "implicit",
-        "refresh_token",
-        "client_credentials",
-        "urn:ietf:params:oauth:grant-type:jwt-bearer",
-        "urn:ietf:params:oauth:grant-type:device_code"
-    ],
-    "subject_types_supported": [
-        "public"
-    ],
-    "id_token_signing_alg_values_supported": [
-        "RS256"
-    ],
-    "request_object_signing_alg_values_supported": [
-        "RS256"
-    ],
-    "token_endpoint_auth_methods_supported": [
-        "none",
-        "client_secret_basic",
-        "client_secret_post",
-        "private_key_jwt"
-    ],
-    "token_endpoint_auth_signing_alg_values_supported": [
-        "RS256"
-    ],
-    "revocation_endpoint_auth_methods_supported": [
-        "none",
-        "client_secret_basic",
-        "client_secret_post",
-        "private_key_jwt"
-    ],
-    "revocation_endpoint_auth_signing_alg_values_supported": [
-        "RS256"
-    ],
-    "introspection_endpoint_auth_methods_supported": [
-        "client_secret_basic",
-        "private_key_jwt"
-    ],
-    "introspection_endpoint_auth_signing_alg_values_supported": [
-        "RS256"
-    ],
-    "claims_supported": [
-        "sub",
-        "aud",
-        "exp",
-        "iat",
-        "iss",
-        "auth_time",
-        "nonce",
-        "acr",
-        "amr",
-        "c_hash",
-        "at_hash",
-        "act",
-        "scopes",
-        "client_id",
-        "azp",
-        "preferred_username",
-        "name",
-        "family_name",
-        "given_name",
-        "locale",
-        "email",
-        "email_verified",
-        "phone_number",
-        "phone_number_verified"
-    ],
-    "code_challenge_methods_supported": [
-        "S256"
-    ],
-    "ui_locales_supported": [
-        "bg",
-        "cs",
-        "de",
-        "en",
-        "es",
-        "fr",
-        "hu",
-        "id",
-        "it",
-        "ja",
-        "ko",
-        "mk",
-        "nl",
-        "pl",
-        "pt",
-        "ru",
-        "sv",
-        "zh"
-    ],
-    "request_parameter_supported": true,
-    "request_uri_parameter_supported": false
-}
@@ -1,725 +0,0 @@
-# Coturn TURN SERVER configuration file
-#
-# Boolean values note: where a boolean value is supposed to be used,
-# you can use '0', 'off', 'no', 'false', or 'f' as 'false,
-# and you can use '1', 'on', 'yes', 'true', or 't' as 'true'
-# If the value is missing, then it means 'true' by default.
-#
-
-# Listener interface device (optional, Linux only).
-# NOT RECOMMENDED.
-#
-#listening-device=eth0
-
-# TURN listener port for UDP and TCP (Default: 3478).
-# Note: actually, TLS & DTLS sessions can connect to the
-# "plain" TCP & UDP port(s), too - if allowed by configuration.
-#
-listening-port=3478
-
-# TURN listener port for TLS (Default: 5349).
-# Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
-# port(s), too - if allowed by configuration. The TURN server
-# "automatically" recognizes the type of traffic. Actually, two listening
-# endpoints (the "plain" one and the "tls" one) are equivalent in terms of
-# functionality; but Coturn keeps both endpoints to satisfy the RFC 5766 specs.
-# For secure TCP connections, Coturn currently supports SSL version 3 and
-# TLS version 1.0, 1.1 and 1.2.
-# For secure UDP connections, Coturn supports DTLS version 1.
-#
-tls-listening-port=5349
-
-# Alternative listening port for UDP and TCP listeners;
-# default (or zero) value means "listening port plus one".
-# This is needed for RFC 5780 support
-# (STUN extension specs, NAT behavior discovery). The TURN Server
-# supports RFC 5780 only if it is started with more than one
-# listening IP address of the same family (IPv4 or IPv6).
-# RFC 5780 is supported only by UDP protocol, other protocols
-# are listening to that endpoint only for "symmetry".
-#
-#alt-listening-port=0
-
-# Alternative listening port for TLS and DTLS protocols.
-# Default (or zero) value means "TLS listening port plus one".
-#
-#alt-tls-listening-port=0
-
-# Some network setups will require using a TCP reverse proxy in front
-# of the STUN server. If the proxy port option is set a single listener
-# is started on the given port that accepts connections using the
-# haproxy proxy protocol v2.
-# (https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)
-#
-#tcp-proxy-port=5555
-
-# Listener IP address of relay server. Multiple listeners can be specified.
-# If no IP(s) specified in the config file or in the command line options,
-# then all IPv4 and IPv6 system IPs will be used for listening.
-#
-#listening-ip=172.17.19.101
-#listening-ip=10.207.21.238
-#listening-ip=2607:f0d0:1002:51::4
-
-# Auxiliary STUN/TURN server listening endpoint.
-# Aux servers have almost full TURN and STUN functionality.
-# The (minor) limitations are:
-#
-# 1) Auxiliary servers do not have alternative ports and
-# they do not support STUN RFC 5780 functionality (CHANGE REQUEST).
-#
-# 2) Auxiliary servers also are never returning ALTERNATIVE-SERVER reply.
-#
-# Valid formats are 1.2.3.4:5555 for IPv4 and [1:2::3:4]:5555 for IPv6.
-#
-# There may be multiple aux-server options, each will be used for listening
-# to client requests.
-#
-#aux-server=172.17.19.110:33478
-#aux-server=[2607:f0d0:1002:51::4]:33478
-
-# (recommended for older Linuxes only)
-# Automatically balance UDP traffic over auxiliary servers (if configured).
-# The load balancing is using the ALTERNATE-SERVER mechanism.
-# The TURN client must support 300 ALTERNATE-SERVER response for this
-# functionality.
-#
-#udp-self-balance
-
-# Relay interface device for relay sockets (optional, Linux only).
-# NOT RECOMMENDED.
-#
-#relay-device=eth1
-
-# Relay address (the local IP address that will be used to relay the
-# packets to the peer).
-# Multiple relay addresses may be used.
-# The same IP(s) can be used as both listening IP(s) and relay IP(s).
-#
-# If no relay IP(s) specified, then the turnserver will apply the default
-# policy: it will decide itself which relay addresses to be used, and it
-# will always be using the client socket IP address as the relay IP address
-# of the TURN session (if the requested relay address family is the same
-# as the family of the client socket).
-#
-#relay-ip=172.17.19.105
-#relay-ip=2607:f0d0:1002:51::5
-
-# For Amazon EC2 users:
-#
-# TURN Server public/private address mapping, if the server is behind NAT.
-# In that situation, if a -X is used in form "-X <ip>" then that ip will be reported
-# as relay IP address of all allocations. This scenario works only in a simple case
-# when one single relay address is be used, and no RFC5780 functionality is required.
-# That single relay address must be mapped by NAT to the 'external' IP.
-# The "external-ip" value, if not empty, is returned in XOR-RELAYED-ADDRESS field.
-# For that 'external' IP, NAT must forward ports directly (relayed port 12345
-# must be always mapped to the same 'external' port 12345).
-#
-# In more complex case when more than one IP address is involved,
-# that option must be used several times, each entry must
-# have form "-X <public-ip/private-ip>", to map all involved addresses.
-# RFC5780 NAT discovery STUN functionality will work correctly,
-# if the addresses are mapped properly, even when the TURN server itself
-# is behind A NAT.
-#
-# By default, this value is empty, and no address mapping is used.
-#
-# external-ip=193.224.22.37
-#
-#OR:
-#
-#external-ip=60.70.80.91/172.17.19.101
-#external-ip=60.70.80.92/172.17.19.102
-
-external-ip=108.29.206.17
-
-# Number of the relay threads to handle the established connections
-# (in addition to authentication thread and the listener thread).
-# If explicitly set to 0 then application runs relay process in a
-# single thread, in the same thread with the listener process
-# (the authentication thread will still be a separate thread).
-#
-# If this parameter is not set, then the default OS-dependent
-# thread pattern algorithm will be employed. Usually the default
-# algorithm is optimal, so you have to change this option
-# if you want to make some fine tweaks.
-#
-# In the older systems (Linux kernel before 3.9),
-# the number of UDP threads is always one thread per network listening
-# endpoint - including the auxiliary endpoints - unless 0 (zero) or
-# 1 (one) value is set.
-#
-#relay-threads=0
-
-# Lower and upper bounds of the UDP relay endpoints:
-# (default values are 49152 and 65535)
-#
-min-port=49152
-max-port=65535
-
-# Uncomment to run TURN server in 'normal' 'moderate' verbose mode.
-# By default the verbose mode is off.
-#verbose
-
-# Uncomment to run TURN server in 'extra' verbose mode.
-# This mode is very annoying and produces lots of output.
-# Not recommended under normal circumstances.
-#
-#Verbose
-
-# Uncomment to use fingerprints in the TURN messages.
-# By default the fingerprints are off.
-#
-fingerprint
-
-# Uncomment to use long-term credential mechanism.
-# By default no credentials mechanism is used (any user allowed).
-#
-lt-cred-mech
-
-# This option is the opposite of lt-cred-mech.
-# (TURN Server with no-auth option allows anonymous access).
-# If neither option is defined, and no users are defined,
-# then no-auth is default. If at least one user is defined,
-# in this file, in command line or in usersdb file, then
-# lt-cred-mech is default.
-#
-#no-auth
-
-# TURN REST API flag.
-# (Time Limited Long Term Credential)
-# Flag that sets a special authorization option that is based upon authentication secret.
-#
-# This feature's purpose is to support "TURN Server REST API", see
-# "TURN REST API" link in the project's page
-# https://github.com/coturn/coturn/
-#
-# This option is used with timestamp:
-#
-# usercombo -> "timestamp:userid"
-# turn user -> usercombo
-# turn password -> base64(hmac(secret key, usercombo))
-#
-# This allows TURN credentials to be accounted for a specific user id.
-# If you don't have a suitable id, then the timestamp alone can be used.
-# This option is enabled by turning on secret-based authentication.
-# The actual value of the secret is defined either by the option static-auth-secret,
-# or can be found in the turn_secret table in the database (see below).
-#
-# Read more about it:
-#  - https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00
-#  - https://www.ietf.org/proceedings/87/slides/slides-87-behave-10.pdf
-#
-# Be aware that use-auth-secret overrides some parts of lt-cred-mech.
-# The use-auth-secret feature depends internally on lt-cred-mech, so if you set
-# this option then it automatically enables lt-cred-mech internally
-# as if you had enabled both.
-#
-# Note that you can use only one auth mechanism at the same time! This is because,
-# both mechanisms conduct username and password validation in different ways.
-#
-# Use either lt-cred-mech or use-auth-secret in the conf
-# to avoid any confusion.
-#
-#use-auth-secret
-
-# 'Static' authentication secret value (a string) for TURN REST API only.
-# If not set, then the turn server
-# will try to use the 'dynamic' value in the turn_secret table
-# in the user database (if present). The database-stored  value can be changed on-the-fly
-# by a separate program, so this is why that mode is considered 'dynamic'.
-#
-#static-auth-secret=north
-
-# Server name used for
-# the oAuth authentication purposes.
-# The default value is the realm name.
-#
-# server-name=stun.wiretrustee.com
-
-# Flag that allows oAuth authentication.
-#
-#oauth
-
-# 'Static' user accounts for the long term credentials mechanism, only.
-# This option cannot be used with TURN REST API.
-# 'Static' user accounts are NOT dynamically checked by the turnserver process,
-# so they can NOT be changed while the turnserver is running.
-#
-#user=username1:key1
-#user=username2:key2
-# OR:
-user=self:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_TURN_PASSWORD'] }}
-#user=username2:password2
-#
-# Keys must be generated by turnadmin utility. The key value depends
-# on user name, realm, and password:
-#
-# Example:
-# $ turnadmin -k -u ninefingers -r north.gov -p youhavetoberealistic
-# Output: 0xbc807ee29df3c9ffa736523fb2c4e8ee
-# ('0x' in the beginning of the key is what differentiates the key from
-# password. If it has 0x then it is a key, otherwise it is a password).
-#
-# The corresponding user account entry in the config file will be:
-#
-#user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee
-# Or, equivalently, with open clear password (less secure):
-#user=ninefingers:youhavetoberealistic
-#
-
-# SQLite database file name.
-#
-# The default file name is /var/db/turndb or /usr/local/var/db/turndb or
-# /var/lib/turn/turndb.
-#
-#userdb=/var/db/turndb
-
-# PostgreSQL database connection string in the case that you are using PostgreSQL
-# as the user database.
-# This database can be used for the long-term credential mechanism
-# and it can store the secret value for secret-based timed authentication in TURN REST API.
-# See http://www.postgresql.org/docs/8.4/static/libpq-connect.html for 8.x PostgreSQL
-# versions connection string format, see
-# http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING
-# for 9.x and newer connection string formats.
-#
-#psql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> connect_timeout=30"
-
-# MySQL database connection string in the case that you are using MySQL
-# as the user database.
-# This database can be used for the long-term credential mechanism
-# and it can store the secret value for secret-based timed authentication in TURN REST API.
-#
-# Optional connection string parameters for the secure communications (SSL):
-# ca, capath, cert, key, cipher
-# (see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the
-# command options description).
-#
-# Use the string format below (space separated parameters, all optional):
-#
-# mysql-userdb="host=mysql dbname=coturn user=coturn password=CHANGE_ME port=3306 connect_timeout=10 read_timeout=10"
-
-# If you want to use an encrypted password in the MySQL connection string,
-# then set the MySQL password encryption secret key file with this option.
-#
-# Warning: If this option is set, then the mysql password must be set in "mysql-userdb" in an encrypted format!
-# If you want to use a cleartext password then do not set this option!
-#
-# This is the file path for the aes encrypted secret key used for password encryption.
-#
-#secret-key-file=/path/
-
-# MongoDB database connection string in the case that you are using MongoDB
-# as the user database.
-# This database can be used for long-term credential mechanism
-# and it can store the secret value for secret-based timed authentication in TURN REST API.
-# Use the string format described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html
-#
-#mongo-userdb="mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]"
-
-# Redis database connection string in the case that you are using Redis
-# as the user database.
-# This database can be used for long-term credential mechanism
-# and it can store the secret value for secret-based timed authentication in TURN REST API.
-# Use the string format below (space separated parameters, all optional):
-#
-#redis-userdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
-
-# Redis status and statistics database connection string, if used (default - empty, no Redis stats DB used).
-# This database keeps allocations status information, and it can be also used for publishing
-# and delivering traffic and allocation event notifications.
-# The connection string has the same parameters as redis-userdb connection string.
-# Use the string format below (space separated parameters, all optional):
-#
-#redis-statsdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
-
-# The default realm to be used for the users when no explicit
-# origin/realm relationship is found in the database, or if the TURN
-# server is not using any database (just the commands-line settings
-# and the userdb file). Must be used with long-term credentials
-# mechanism or with TURN REST API.
-#
-# Note: If the default realm is not specified, then realm falls back to the host domain name.
-#       If the domain name string is empty, or set to '(None)', then it is initialized as an empty string.
-#
-# realm=wiretrustee.com
-# This flag sets the origin consistency
-# check. Across the session, all requests must have the same
-# main ORIGIN attribute value (if the ORIGIN was
-# initially used by the session).
-#
-#check-origin-consistency
-
-# Per-user allocation quota.
-# default value is 0 (no quota, unlimited number of sessions per user).
-# This option can also be set through the database, for a particular realm.
-#
-#user-quota=0
-
-# Total allocation quota.
-# default value is 0 (no quota).
-# This option can also be set through the database, for a particular realm.
-#
-#total-quota=0
-
-# Max bytes-per-second bandwidth a TURN session is allowed to handle
-# (input and output network streams are treated separately). Anything above
-# that limit will be dropped or temporarily suppressed (within
-# the available buffer limits).
-# This option can also be set through the database, for a particular realm.
-#
-#max-bps=0
-
-#
-# Maximum server capacity.
-# Total bytes-per-second bandwidth the TURN server is allowed to allocate
-# for the sessions, combined (input and output network streams are treated separately).
-#
-# bps-capacity=0
-
-# Uncomment if no UDP client listener is desired.
-# By default UDP client listener is always started.
-#
-#no-udp
-
-# Uncomment if no TCP client listener is desired.
-# By default TCP client listener is always started.
-#
-#no-tcp
-
-# Uncomment if no TLS client listener is desired.
-# By default TLS client listener is always started.
-#
-#no-tls
-
-# Uncomment if no DTLS client listener is desired.
-# By default DTLS client listener is always started.
-#
-#no-dtls
-
-# Uncomment if no UDP relay endpoints are allowed.
-# By default UDP relay endpoints are enabled (like in RFC 5766).
-#
-#no-udp-relay
-
-# Uncomment if no TCP relay endpoints are allowed.
-# By default TCP relay endpoints are enabled (like in RFC 6062).
-#
-#no-tcp-relay
-
-# Uncomment if extra security is desired,
-# with nonce value having a limited lifetime.
-# The nonce value is unique for a session.
-# Set this option to limit the nonce lifetime.
-# Set it to 0 for unlimited lifetime.
-# It defaults to 600 secs (10 min) if no value is provided. After that delay,
-# the client will get 438 error and will have to re-authenticate itself.
-#
-#stale-nonce=600
-
-# Uncomment if you want to set the maximum allocation
-# time before it has to be refreshed.
-# Default is 3600s.
-#
-#max-allocate-lifetime=3600
-
-
-# Uncomment to set the lifetime for the channel.
-# Default value is 600 secs (10 minutes).
-# This value MUST not be changed for production purposes.
-#
-#channel-lifetime=600
-
-# Uncomment to set the permission lifetime.
-# Default to 300 secs (5 minutes).
-# In production this value MUST not be changed,
-# however it can be useful for test purposes.
-#
-#permission-lifetime=300
-
-# Certificate file.
-# Use an absolute path or path relative to the
-# configuration file.
-# Use PEM file format.
-#
-cert=/etc/coturn/certs/cert.pem
-
-# Private key file.
-# Use an absolute path or path relative to the
-# configuration file.
-# Use PEM file format.
-#
-pkey=/etc/coturn/private/privkey.pem
-
-# Private key file password, if it is in encoded format.
-# This option has no default value.
-#
-#pkey-pwd=...
-
-# Allowed OpenSSL cipher list for TLS/DTLS connections.
-# Default value is "DEFAULT".
-#
-#cipher-list="DEFAULT"
-
-# CA file in OpenSSL format.
-# Forces TURN server to verify the client SSL certificates.
-# By default this is not set: there is no default value and the client
-# certificate is not checked.
-#
-# Example:
-#CA-file=/etc/ssh/id_rsa.cert
-
-# Curve name for EC ciphers, if supported by OpenSSL
-# library (TLS and DTLS). The default value is prime256v1,
-# if pre-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+,
-# an optimal curve will be automatically calculated, if not defined
-# by this option.
-#
-#ec-curve-name=prime256v1
-
-# Use 566 bits predefined DH TLS key. Default size of the key is 2066.
-#
-#dh566
-
-# Use 1066 bits predefined DH TLS key. Default size of the key is 2066.
-#
-#dh1066
-
-# Use custom DH TLS key, stored in PEM format in the file.
-# Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.
-#
-#dh-file=<DH-PEM-file-name>
-
-# Flag to prevent stdout log messages.
-# By default, all log messages go to both stdout and to
-# the configured log file. With this option everything will
-# go to the configured log only (unless the log file itself is stdout).
-#
-#no-stdout-log
-
-# Option to set the log file name.
-# By default, the turnserver tries to open a log file in
-# /var/log, /var/tmp, /tmp and the current directory
-# (Whichever file open operation succeeds first will be used).
-# With this option you can set the definite log file name.
-# The special names are "stdout" and "-" - they will force everything
-# to the stdout. Also, the "syslog" name will force everything to
-# the system log (syslog).
-# In the runtime, the logfile can be reset with the SIGHUP signal
-# to the turnserver process.
-#
-log-file=stdout
-
-# Option to redirect all log output into system log (syslog).
-#
-# syslog
-
-# This flag means that no log file rollover will be used, and the log file
-# name will be constructed as-is, without PID and date appendage.
-# This option can be used, for example, together with the logrotate tool.
-#
-#simple-log
-
-# Option to set the "redirection" mode. The value of this option
-# will be the address of the alternate server for UDP & TCP service in the form of
-# <ip>[:<port>]. The server will send this value in the attribute
-# ALTERNATE-SERVER, with error 300, on ALLOCATE request, to the client.
-# Client will receive only values with the same address family
-# as the client network endpoint address family.
-# See RFC 5389 and RFC 5766 for the description of ALTERNATE-SERVER functionality.
-# The client must use the obtained value for subsequent TURN communications.
-# If more than one --alternate-server option is provided, then the functionality
-# can be more accurately described as "load-balancing" than a mere "redirection".
-# If the port number is omitted, then the default port
-# number 3478 for the UDP/TCP protocols will be used.
-# Colon (:) characters in IPv6 addresses may conflict with the syntax of
-# the option. To alleviate this conflict, literal IPv6 addresses are enclosed
-# in square brackets in such resource identifiers, for example:
-# [2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 .
-# Multiple alternate servers can be set. They will be used in the
-# round-robin manner. All servers in the pool are considered of equal weight and
-# the load will be distributed equally. For example, if you have 4 alternate servers,
-# then each server will receive 25% of ALLOCATE requests. A alternate TURN server
-# address can be used more than one time with the alternate-server option, so this
-# can emulate "weighting" of the servers.
-#
-# Examples:
-#alternate-server=1.2.3.4:5678
-#alternate-server=11.22.33.44:56789
-#alternate-server=5.6.7.8
-#alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
-
-# Option to set alternative server for TLS & DTLS services in form of
-# <ip>:<port>. If the port number is omitted, then the default port
-# number 5349 for the TLS/DTLS protocols will be used. See the previous
-# option for the functionality description.
-#
-# Examples:
-#tls-alternate-server=1.2.3.4:5678
-#tls-alternate-server=11.22.33.44:56789
-#tls-alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
-
-# Option to suppress TURN functionality, only STUN requests will be processed.
-# Run as STUN server only, all TURN requests will be ignored.
-# By default, this option is NOT set.
-#
-#stun-only
-
-# Option to hide software version. Enhance security when used in production.
-# Revealing the specific software version of the agent through the
-# SOFTWARE attribute might allow them to become more vulnerable to
-# attacks against software that is known to contain security holes.
-# Implementers SHOULD make usage of the SOFTWARE attribute a
-# configurable option (https://tools.ietf.org/html/rfc5389#section-16.1.2)
-#
-no-software-attribute
-
-# Option to suppress STUN functionality, only TURN requests will be processed.
-# Run as TURN server only, all STUN requests will be ignored.
-# By default, this option is NOT set.
-#
-#no-stun
-
-# This is the timestamp/username separator symbol (character) in TURN REST API.
-# The default value is ':'.
-# rest-api-separator=:
-
-# Flag that can be used to allow peers on the loopback addresses (127.x.x.x and ::1).
-# This is an extra security measure.
-#
-# (To avoid any security issue that allowing loopback access may raise,
-# the no-loopback-peers option is replaced by allow-loopback-peers.)
-#
-# Allow it only for testing in a development environment!
-# In production it adds a possible security vulnerability, so for security reasons
-# it is not allowed using it together with empty cli-password.
-#
-#allow-loopback-peers
-
-# Flag that can be used to disallow peers on well-known broadcast addresses (224.0.0.0 and above, and FFXX:*).
-# This is an extra security measure.
-#
-#no-multicast-peers
-
-# Option to set the max time, in seconds, allowed for full allocation establishment.
-# Default is 60 seconds.
-#
-#max-allocate-timeout=60
-
-# Option to allow or ban specific ip addresses or ranges of ip addresses.
-# If an ip address is specified as both allowed and denied, then the ip address is
-# considered to be allowed. This is useful when you wish to ban a range of ip
-# addresses, except for a few specific ips within that range.
-#
-# This can be used when you do not want users of the turn server to be able to access
-# machines reachable by the turn server, but would otherwise be unreachable from the
-# internet (e.g. when the turn server is sitting behind a NAT)
-#
-# Examples:
-# denied-peer-ip=83.166.64.0-83.166.95.255
-# allowed-peer-ip=83.166.68.45
-
-# File name to store the pid of the process.
-# Default is /var/run/turnserver.pid (if superuser account is used) or
-# /var/tmp/turnserver.pid .
-#
-pidfile="/var/tmp/turnserver.pid"
-
-# Require authentication of the STUN Binding request.
-# By default, the clients are allowed anonymous access to the STUN Binding functionality.
-#
-#secure-stun
-
-# Mobility with ICE (MICE) specs support.
-#
-#mobility
-
-# Allocate Address Family according
-# If enabled then TURN server allocates address family according  the TURN
-# Client <=> Server communication address family.
-# (By default Coturn works according RFC 6156.)
-# !!Warning: Enabling this option breaks RFC6156 section-4.2 (violates use default IPv4)!!
-#
-#keep-address-family
-
-
-# User name to run the process. After the initialization, the turnserver process
-# will attempt to change the current user ID to that user.
-#
-#proc-user=<user-name>
-
-# Group name to run the process. After the initialization, the turnserver process
-# will attempt to change the current group ID to that group.
-#
-#proc-group=<group-name>
-
-# Turn OFF the CLI support.
-# By default it is always ON.
-# See also options cli-ip and cli-port.
-#
-no-cli
-
-#Local system IP address to be used for CLI server endpoint. Default value
-# is 127.0.0.1.
-#
-# cli-ip=127.0.0.1
-
-# CLI server port. Default is 5766.
-#
-# cli-port=5766
-
-# CLI access password. Default is empty (no password).
-# For the security reasons, it is recommended that you use the encrypted
-# form of the password (see the -P command in the turnadmin utility).
-#
-# Secure form for password 'qwerty':
-#
-#cli-password=$5$79a316b350311570$81df9cfb9af7f5e5a76eada31e7097b663a0670f99a3c07ded3f1c8e59c5658a
-#
-# Or insecure form for the same password:
-#
-# cli-password=CHANGE_ME
-
-# Enable Web-admin support on https. By default it is Disabled.
-# If it is enabled it also enables a http a simple static banner page
-# with a small reminder that the admin page is available only on https.
-#
-#web-admin
-
-# Local system IP address to be used for Web-admin server endpoint. Default value is 127.0.0.1.
-#
-#web-admin-ip=127.0.0.1
-
-# Web-admin server port. Default is 8080.
-#
-#web-admin-port=8080
-
-# Web-admin server listen on STUN/TURN worker threads
-# By default it is disabled for security reasons! (Not recommended in any production environment!)
-#
-#web-admin-listen-on-workers
-
-# Server relay. NON-STANDARD AND DANGEROUS OPTION.
-# Only for those applications when you want to run
-# server applications on the relay endpoints.
-# This option eliminates the IP permissions check on
-# the packets incoming to the relay endpoints.
-#
-#server-relay
-
-# Maximum number of output sessions in ps CLI command.
-# This value can be changed on-the-fly in CLI. The default value is 256.
-#
-#cli-max-output-sessions
-
-# Set network engine type for the process (for internal purposes).
-#
-#ne=[1|2|3]
-
-# Do not allow an TLS/DTLS version of protocol
-#
-#no-tlsv1
-#no-tlsv1_1
-#no-tlsv1_2
@@ -1,11 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-<clickhouse>
-    <profiles>
-        <default>
-            <log_queries>0</log_queries>
-            <log_query_threads>0</log_query_threads>
-        </default>
-    </profiles>
-</clickhouse>
@@ -100,7 +100,7 @@ server:
 redis:
  # URL to connect redis database. Is overwritten by ${SEARXNG_REDIS_URL}.
  # https://docs.searxng.org/admin/settings/settings_redis.html#settings-redis
-  url: redis://redis:6379/0
+  url: redis://searxng-valkey:6379/0

 ui:
  # Custom static path - leave it blank if you didn't change
@@ -0,0 +1,75 @@
+<?xml version="1.0"?>
+<clickhouse>
+    <!-- ZooKeeper is used to store metadata about replicas, when using Replicated tables.
+         Optional. If you don't use replicated tables, you could omit that.
+
+         See https://clickhouse.com/docs/en/engines/table-engines/mergetree-family/replication/
+      -->
+    <zookeeper>
+        <node index="1">
+            <host>signoz-zookeeper-1</host>
+            <port>2181</port>
+        </node>
+        <node index="2">
+            <host>zookeeper-2</host>
+            <port>2181</port>
+        </node>
+        <node index="3">
+            <host>zookeeper-3</host>
+            <port>2181</port>
+        </node>
+    </zookeeper>
+
+    <!-- Configuration of clusters that could be used in Distributed tables.
+         https://clickhouse.com/docs/en/operations/table_engines/distributed/
+      -->
+    <remote_servers>
+        <cluster>
+            <!-- Inter-server per-cluster secret for Distributed queries
+                 default: no secret (no authentication will be performed)
+
+                 If set, then Distributed queries will be validated on shards, so at least:
+                 - such cluster should exist on the shard,
+                 - such cluster should have the same secret.
+
+                 And also (and which is more important), the initial_user will
+                 be used as current user for the query.
+
+                 Right now the protocol is pretty simple and it only takes into account:
+                 - cluster name
+                 - query
+
+                 Also it will be nice if the following will be implemented:
+                 - source hostname (see interserver_http_host), but then it will depends from DNS,
+                   it can use IP address instead, but then the you need to get correct on the initiator node.
+                 - target hostname / ip address (same notes as for source hostname)
+                 - time-based security tokens
+            -->
+            <!-- <secret></secret> -->
+            <shard>
+                <!-- Optional. Whether to write data to just one of the replicas. Default: false (write data to all replicas). -->
+                <!-- <internal_replication>false</internal_replication> -->
+                <!-- Optional. Shard weight when writing data. Default: 1. -->
+                <!-- <weight>1</weight> -->
+                <replica>
+                    <host>signoz-clickhouse</host>
+                    <port>9000</port>
+                    <!-- Optional. Priority of the replica for load_balancing. Default: 1 (less value has more priority). -->
+                    <!-- <priority>1</priority> -->
+                </replica>
+            </shard>
+            <shard>
+                <replica>
+                    <host>clickhouse-2</host>
+                    <port>9000</port>
+                </replica>
+            </shard>
+            <shard>
+                <replica>
+                    <host>clickhouse-3</host>
+                    <port>9000</port>
+                </replica>
+            </shard>
+        </cluster>
+    </remote_servers>
+</clickhouse>
@@ -0,0 +1,75 @@
+<?xml version="1.0"?>
+<clickhouse>
+    <!-- ZooKeeper is used to store metadata about replicas, when using Replicated tables.
+         Optional. If you don't use replicated tables, you could omit that.
+
+         See https://clickhouse.com/docs/en/engines/table-engines/mergetree-family/replication/
+      -->
+    <zookeeper>
+        <node index="1">
+            <host>signoz-zookeeper-1</host>
+            <port>2181</port>
+        </node>
+        <!-- <node index="2">
+            <host>zookeeper-2</host>
+            <port>2181</port>
+        </node>
+        <node index="3">
+            <host>zookeeper-3</host>
+            <port>2181</port>
+        </node> -->
+    </zookeeper>
+
+    <!-- Configuration of clusters that could be used in Distributed tables.
+         https://clickhouse.com/docs/en/operations/table_engines/distributed/
+      -->
+    <remote_servers>
+        <cluster>
+            <!-- Inter-server per-cluster secret for Distributed queries
+                 default: no secret (no authentication will be performed)
+
+                 If set, then Distributed queries will be validated on shards, so at least:
+                 - such cluster should exist on the shard,
+                 - such cluster should have the same secret.
+
+                 And also (and which is more important), the initial_user will
+                 be used as current user for the query.
+
+                 Right now the protocol is pretty simple and it only takes into account:
+                 - cluster name
+                 - query
+
+                 Also it will be nice if the following will be implemented:
+                 - source hostname (see interserver_http_host), but then it will depends from DNS,
+                   it can use IP address instead, but then the you need to get correct on the initiator node.
+                 - target hostname / ip address (same notes as for source hostname)
+                 - time-based security tokens
+            -->
+            <!-- <secret></secret> -->
+            <shard>
+                <!-- Optional. Whether to write data to just one of the replicas. Default: false (write data to all replicas). -->
+                <!-- <internal_replication>false</internal_replication> -->
+                <!-- Optional. Shard weight when writing data. Default: 1. -->
+                <!-- <weight>1</weight> -->
+                <replica>
+                    <host>signoz-clickhouse</host>
+                    <port>9000</port>
+                    <!-- Optional. Priority of the replica for load_balancing. Default: 1 (less value has more priority). -->
+                    <!-- <priority>1</priority> -->
+                </replica>
+            </shard>
+            <!-- <shard>
+                <replica>
+                    <host>clickhouse-2</host>
+                    <port>9000</port>
+                </replica>
+            </shard>
+            <shard>
+                <replica>
+                    <host>clickhouse-3</host>
+                    <port>9000</port>
+                </replica>
+            </shard> -->
+        </cluster>
+    </remote_servers>
+</clickhouse>
@@ -0,0 +1,21 @@
+<functions>
+    <function>
+        <type>executable</type>
+        <name>histogramQuantile</name>
+        <return_type>Float64</return_type>
+        <argument>
+            <type>Array(Float64)</type>
+            <name>buckets</name>
+        </argument>
+        <argument>
+            <type>Array(Float64)</type>
+            <name>counts</name>
+        </argument>
+        <argument>
+            <type>Float64</type>
+            <name>quantile</name>
+        </argument>
+        <format>CSV</format>
+        <command>./histogramQuantile</command>
+    </function>
+</functions>
@@ -0,0 +1,41 @@
+<?xml version="1.0"?>
+<clickhouse>
+<storage_configuration>
+    <disks>
+        <default>
+            <keep_free_space_bytes>10485760</keep_free_space_bytes>
+        </default>
+        <s3>
+            <type>s3</type>
+            <!-- For S3 cold storage,
+                    if region is us-east-1, endpoint can be https://<bucket-name>.s3.amazonaws.com
+                    if region is not us-east-1, endpoint should be https://<bucket-name>.s3-<region>.amazonaws.com
+                For GCS cold storage,
+                    endpoint should be https://storage.googleapis.com/<bucket-name>/data/
+                -->
+            <endpoint>https://BUCKET-NAME.s3-REGION-NAME.amazonaws.com/data/</endpoint>
+            <access_key_id>ACCESS-KEY-ID</access_key_id>
+            <secret_access_key>SECRET-ACCESS-KEY</secret_access_key>
+            <!-- In case of S3, uncomment the below configuration in case you want to read
+                AWS credentials from the Environment variables if they exist. -->
+            <!-- <use_environment_credentials>true</use_environment_credentials> -->
+            <!-- In case of GCS, uncomment the below configuration, since GCS does
+                not support batch deletion and result in error messages in logs. -->
+            <!-- <support_batch_delete>false</support_batch_delete> -->
+        </s3>
+   </disks>
+   <policies>
+       <tiered>
+           <volumes>
+                <default>
+                    <disk>default</disk>
+                </default>
+                <s3>
+                    <disk>s3</disk>
+                    <perform_ttl_move_on_insert>0</perform_ttl_move_on_insert>
+                </s3>
+            </volumes>
+        </tiered>
+    </policies>
+</storage_configuration>
+</clickhouse>
@@ -0,0 +1,123 @@
+<?xml version="1.0"?>
+<clickhouse>
+    <!-- See also the files in users.d directory where the settings can be overridden. -->
+
+    <!-- Profiles of settings. -->
+    <profiles>
+        <!-- Default settings. -->
+        <default>
+            <!-- Maximum memory usage for processing single query, in bytes. -->
+            <max_memory_usage>10000000000</max_memory_usage>
+
+            <!-- How to choose between replicas during distributed query processing.
+                 random - choose random replica from set of replicas with minimum number of errors
+                 nearest_hostname - from set of replicas with minimum number of errors, choose replica
+                  with minimum number of different symbols between replica's hostname and local hostname
+                  (Hamming distance).
+                 in_order - first live replica is chosen in specified order.
+                 first_or_random - if first replica one has higher number of errors, pick a random one from replicas with minimum number of errors.
+            -->
+            <load_balancing>random</load_balancing>
+        </default>
+
+        <!-- Profile that allows only read queries. -->
+        <readonly>
+            <readonly>1</readonly>
+        </readonly>
+    </profiles>
+
+    <!-- Users and ACL. -->
+    <users>
+        <!-- If user name was not specified, 'default' user is used. -->
+        <default>
+            <!-- See also the files in users.d directory where the password can be overridden.
+
+                 Password could be specified in plaintext or in SHA256 (in hex format).
+
+                 If you want to specify password in plaintext (not recommended), place it in 'password' element.
+                 Example: <password>qwerty</password>.
+                 Password could be empty.
+
+                 If you want to specify SHA256, place it in 'password_sha256_hex' element.
+                 Example: <password_sha256_hex>65e84be33532fb784c48129675f9eff3a682b27168c0ea744b2cf58ee02337c5</password_sha256_hex>
+                 Restrictions of SHA256: impossibility to connect to ClickHouse using MySQL JS client (as of July 2019).
+
+                 If you want to specify double SHA1, place it in 'password_double_sha1_hex' element.
+                 Example: <password_double_sha1_hex>e395796d6546b1b65db9d665cd43f0e858dd4303</password_double_sha1_hex>
+
+                 If you want to specify a previously defined LDAP server (see 'ldap_servers' in the main config) for authentication,
+                  place its name in 'server' element inside 'ldap' element.
+                 Example: <ldap><server>my_ldap_server</server></ldap>
+
+                 If you want to authenticate the user via Kerberos (assuming Kerberos is enabled, see 'kerberos' in the main config),
+                  place 'kerberos' element instead of 'password' (and similar) elements.
+                 The name part of the canonical principal name of the initiator must match the user name for authentication to succeed.
+                 You can also place 'realm' element inside 'kerberos' element to further restrict authentication to only those requests
+                  whose initiator's realm matches it.
+                 Example: <kerberos />
+                 Example: <kerberos><realm>EXAMPLE.COM</realm></kerberos>
+
+                 How to generate decent password:
+                 Execute: PASSWORD=$(base64 < /dev/urandom | head -c8); echo "$PASSWORD"; echo -n "$PASSWORD" | sha256sum | tr -d '-'
+                 In first line will be password and in second - corresponding SHA256.
+
+                 How to generate double SHA1:
+                 Execute: PASSWORD=$(base64 < /dev/urandom | head -c8); echo "$PASSWORD"; echo -n "$PASSWORD" | sha1sum | tr -d '-' | xxd -r -p | sha1sum | tr -d '-'
+                 In first line will be password and in second - corresponding double SHA1.
+            -->
+            <password></password>
+
+            <!-- List of networks with open access.
+
+                 To open access from everywhere, specify:
+                    <ip>::/0</ip>
+
+                 To open access only from localhost, specify:
+                    <ip>::1</ip>
+                    <ip>127.0.0.1</ip>
+
+                 Each element of list has one of the following forms:
+                 <ip> IP-address or network mask. Examples: 213.180.204.3 or 10.0.0.1/8 or 10.0.0.1/255.255.255.0
+                     2a02:6b8::3 or 2a02:6b8::3/64 or 2a02:6b8::3/ffff:ffff:ffff:ffff::.
+                 <host> Hostname. Example: server01.clickhouse.com.
+                     To check access, DNS query is performed, and all received addresses compared to peer address.
+                 <host_regexp> Regular expression for host names. Example, ^server\d\d-\d\d-\d\.clickhouse\.com$
+                     To check access, DNS PTR query is performed for peer address and then regexp is applied.
+                     Then, for result of PTR query, another DNS query is performed and all received addresses compared to peer address.
+                     Strongly recommended that regexp is ends with $
+                 All results of DNS requests are cached till server restart.
+            -->
+            <networks>
+                <ip>::/0</ip>
+            </networks>
+
+            <!-- Settings profile for user. -->
+            <profile>default</profile>
+
+            <!-- Quota for user. -->
+            <quota>default</quota>
+
+            <!-- User can create other users and grant rights to them. -->
+            <!-- <access_management>1</access_management> -->
+        </default>
+    </users>
+
+    <!-- Quotas. -->
+    <quotas>
+        <!-- Name of quota. -->
+        <default>
+            <!-- Limits for time interval. You could specify many intervals with different limits. -->
+            <interval>
+                <!-- Length of interval. -->
+                <duration>3600</duration>
+
+                <!-- No limits. Just calculate resource usage for time interval. -->
+                <queries>0</queries>
+                <errors>0</errors>
+                <result_rows>0</result_rows>
+                <read_rows>0</read_rows>
+                <execution_time>0</execution_time>
+            </interval>
+        </default>
+    </quotas>
+</clickhouse>
@@ -0,0 +1,106 @@
+receivers:
+  httplogreceiver/json:
+    endpoint: 0.0.0.0:8082
+    source: json
+  otlp:
+    protocols:
+      grpc:
+        endpoint: 0.0.0.0:4317
+      http:
+        endpoint: 0.0.0.0:4318
+  prometheus:
+    config:
+      global:
+        scrape_interval: 60s
+      scrape_configs:
+        - job_name: otel-collector
+          static_configs:
+          - targets:
+              - localhost:8888
+            labels:
+              job_name: otel-collector
+processors:
+  batch:
+    send_batch_size: 10000
+    send_batch_max_size: 11000
+    timeout: 10s
+  resourcedetection:
+    # Using OTEL_RESOURCE_ATTRIBUTES envvar, env detector adds custom labels.
+    detectors: [env, system]
+    timeout: 2s
+  signozspanmetrics/delta:
+    metrics_exporter: clickhousemetricswrite, signozclickhousemetrics
+    metrics_flush_interval: 60s
+    latency_histogram_buckets: [100us, 1ms, 2ms, 6ms, 10ms, 50ms, 100ms, 250ms, 500ms, 1000ms, 1400ms, 2000ms, 5s, 10s, 20s, 40s, 60s ]
+    dimensions_cache_size: 100000
+    aggregation_temporality: AGGREGATION_TEMPORALITY_DELTA
+    enable_exp_histogram: true
+    dimensions:
+      - name: service.namespace
+        default: default
+      - name: deployment.environment
+        default: default
+      # This is added to ensure the uniqueness of the timeseries
+      # Otherwise, identical timeseries produced by multiple replicas of
+      # collectors result in incorrect APM metrics
+      - name: signoz.collector.id
+      - name: service.version
+      - name: browser.platform
+      - name: browser.mobile
+      - name: k8s.cluster.name
+      - name: k8s.node.name
+      - name: k8s.namespace.name
+      - name: host.name
+      - name: host.type
+      - name: container.name
+extensions:
+  health_check:
+    endpoint: 0.0.0.0:13133
+  pprof:
+    endpoint: 0.0.0.0:1777
+exporters:
+  clickhousetraces:
+    datasource: tcp://clickhouse:9000/signoz_traces
+    low_cardinal_exception_grouping: ${env:LOW_CARDINAL_EXCEPTION_GROUPING}
+    use_new_schema: true
+  clickhousemetricswrite:
+    endpoint: tcp://clickhouse:9000/signoz_metrics
+    disable_v2: true
+    resource_to_telemetry_conversion:
+      enabled: true
+  clickhousemetricswrite/prometheus:
+    endpoint: tcp://clickhouse:9000/signoz_metrics
+    disable_v2: true
+  signozclickhousemetrics:
+    dsn: tcp://clickhouse:9000/signoz_metrics
+  clickhouselogsexporter:
+    dsn: tcp://clickhouse:9000/signoz_logs
+    timeout: 10s
+    use_new_schema: true
+  # debug: {}
+service:
+  telemetry:
+    logs:
+      encoding: json
+    metrics:
+      address: 0.0.0.0:8888
+  extensions:
+    - health_check
+    - pprof
+  pipelines:
+    traces:
+      receivers: [otlp]
+      processors: [signozspanmetrics/delta, batch]
+      exporters: [clickhousetraces]
+    metrics:
+      receivers: [otlp]
+      processors: [batch]
+      exporters: [clickhousemetricswrite, signozclickhousemetrics]
+    metrics/prometheus:
+      receivers: [prometheus]
+      processors: [batch]
+      exporters: [clickhousemetricswrite/prometheus, signozclickhousemetrics]
+    logs:
+      receivers: [otlp, tcplog/docker, httplogreceiver/json]
+      processors: [batch]
+      exporters: [clickhouselogsexporter]
@@ -0,0 +1 @@
+server_endpoint: ws://signoz-app:4320/v1/opamp
@@ -0,0 +1,25 @@
+# my global config
+global:
+  scrape_interval:     5s # Set the scrape interval to every 15 seconds. Default is every 1 minute.
+  evaluation_interval: 15s # Evaluate rules every 15 seconds. The default is every 1 minute.
+  # scrape_timeout is set to the global default (10s).
+
+# Alertmanager configuration
+alerting:
+  alertmanagers:
+  - static_configs:
+    - targets:
+      - alertmanager:9093
+
+# Load rules once and periodically evaluate them according to the global 'evaluation_interval'.
+rule_files: []
+  # - "first_rules.yml"
+  # - "second_rules.yml"
+  # - 'alerts.yml'
+
+# A scrape configuration containing exactly one endpoint to scrape:
+# Here it's Prometheus itself.
+scrape_configs: []
+
+remote_read:
+  - url: tcp://clickhouse:9000/signoz_metrics
@@ -1,19 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-{
-  "$schema": "../schemas/v2/index.json",
-  "repos": [
-      {
-          "type": "gitea",
-          "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_GITEA_TOKEN'] }}",
-          "url": "https://git.trez.wtf",
-          "revisions": {
-              "branches": [
-                  "main",
-                  "*"
-              ]
-          }
-      }
-  ]
-}
@@ -1,29 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-<?xml version='1.0' encoding='UTF-8'?>
-
-<!DOCTYPE properties SYSTEM 'http://java.sun.com/dtd/properties.dtd'>
-
-<properties>
-
-    <entry key='config.default'>./conf/default.xml</entry>
-
-    <!--
-
-    This is the main configuration file. All your configuration parameters should be placed in this file.
-
-    Default configuration parameters are located in the "default.xml" file. You should not modify it to avoid issues
-    with upgrading to a new version. Parameters in the main config file override values in the default file. Do not
-    remove "config.default" parameter from this file unless you know what you are doing.
-
-    For list of available parameters see following page: https://www.traccar.org/configuration-file/
-
-    -->
-
-    <entry key='database.driver'>org.postgresql.Driver</entry>
-    <entry key='database.url'>jdbc:postgresql://traccar-pg:5432/traccar-db</entry>
-    <entry key='database.user'>traccar</entry>
-    <entry key='database.password'>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['WAZUH_API_PASSWORD'] }}</entry>
-
-</properties>
@@ -1,31 +0,0 @@
-  sources:
-    rinoa_docker_logs:
-      type: docker_logs
-      exclude_containers:
-        - vector
-
-  sinks:
-    parseable:
-      type: http
-      method: post
-      batch:
-        max_bytes: 10485760
-        max_events: 1000
-        timeout_secs: 10
-      compression: gzip
-      inputs:
-        - rinoa_docker_logs
-      encoding:
-        codec: json
-      uri: http://parseable:8000/api/v1/ingest'
-      auth:
-        strategy: basic
-        user: admin
-        password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['PARSEABLE_PASSWORD'] }}
-      request:
-        headers:
-          X-P-Stream: rinoa-docker-logs
-      healthcheck:
-        enabled: true
-        path: 'http://parseable:8000/api/v1/liveness'
-        port: 80
@@ -1,19 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-nodes:
-  # Wazuh indexer server nodes
-  indexer:
-    - name: wazuh.indexer
-      ip: wazuh.indexer
-
-  # Wazuh server nodes
-  # Use node_type only with more than one Wazuh manager
-  server:
-    - name: wazuh.manager
-      ip: wazuh.manager
-
-  # Wazuh dashboard node
-  dashboard:
-    - name: wazuh.dashboard
-      ip: wazuh.dashboard
@@ -1,33 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-network.host: "0.0.0.0"
-node.name: "wazuh.indexer"
-path.data: /var/lib/wazuh-indexer
-path.logs: /var/log/wazuh-indexer
-discovery.type: single-node
-http.port: 9200-9299
-transport.tcp.port: 9300-9399
-compatibility.override_main_response_version: true
-plugins.security.ssl.http.pemcert_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.pem
-plugins.security.ssl.http.pemkey_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.key
-plugins.security.ssl.http.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/root-ca.pem
-plugins.security.ssl.transport.pemcert_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.pem
-plugins.security.ssl.transport.pemkey_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.key
-plugins.security.ssl.transport.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/root-ca.pem
-plugins.security.ssl.http.enabled: true
-plugins.security.ssl.transport.enforce_hostname_verification: false
-plugins.security.ssl.transport.resolve_hostname: false
-plugins.security.authcz.admin_dn:
- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
-plugins.security.check_snapshot_restore_write_privileges: true
-plugins.security.enable_snapshot_restore_privilege: true
-plugins.security.nodes_dn:
- "CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
-plugins.security.restapi.roles_enabled:
- "all_access"
- "security_rest_api_access"
-plugins.security.system_indices.enabled: true
-plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]
-plugins.security.allow_default_init_securityindex: true
-cluster.routing.allocation.disk.threshold_enabled: false
@@ -1,10 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-hosts:
-  - 1513629884013:
-      url: "https://wazuh.manager"
-      port: 55000
-      username: wazuh-wui
-      password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['WAZUH_API_PASSWORD'] }}
-      run_as: false
@@ -1,43 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-# All possible options and their defaults: https://github.com/zitadel/zitadel/blob/main/cmd/defaults.yaml
-Log:
-  Level: 'debug'
-
-# Make ZITADEL accessible over HTTPs, not HTTP
-ExternalSecure: true
-ExternalDomain: 'id.trez.wtf'
-ExternalPort: 443
-
-# If not using the docker compose example, adjust these values for connecting ZITADEL to your PostgreSQL
-Database:
-  postgres:
-    Host: 'zitadel-pg-db'
-    Port: 5432
-    Database: zitadel
-    User:
-      SSL:
-        Mode: 'disable'
-    Admin:
-      SSL:
-        Mode: 'disable'
-
-DefaultInstance:
-  DomainPolicy:
-    UserLoginMustBeDomain: false
-
-LogStore:
-  Access:
-    Stdout:
-      Enabled: true
-
-SMTPConfiguration:
-    # Configuration of the host
-    SMTP:
-      # must include the port, like smtp.mailtrap.io:2525. IPv6 is also supported, like [2001:db8::1]:2525
-      Host: 'postal-smtp:25'
-      User: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}
-      Password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}
-    From: 'noreply@trez.wtf'
-    FromName: 'Zitadel @ Rinoa'
@@ -1,13 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-# All possible options and their defaults: https://github.com/zitadel/zitadel/blob/main/cmd/setup/steps.yaml
-FirstInstance:
-  Org:
-    Human:
-      # use the loginname root@my-org.my.domain
-      Username: 'root'
-      Password: 'RootPassword1!'
-      Email:
-        Address: 'charish.patel@trez.wtf'
-        Verified: true
@@ -1,13 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-# If not using the docker compose example, adjust these values for connecting ZITADEL to your PostgreSQL
-Database:
-  postgres:
-    User:
-      # If the user doesn't exist already, it is created
-      Username: 'zitadel'
-      Password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['ZITADEL_DB_PASSWORD'] }}
-    Admin:
-      Username: 'root'
-      Password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['ZITADEL_DB_ADMIN_PASSWORD'] }}
@@ -1,20 +1,54 @@
 ---
- name: Deploy Docker Service Configurations
+- name: Deploy Docker Service Configurations (Modified in Last 10 Minutes)
  hosts: rinoa
  vars:
+    template_base_path: "{{ playbook_dir }}/app-configs"
    appdata_base_path: "~/.docker/config/appdata"

  tasks:
+    - name: Find all Jinja2 templates
+      ansible.builtin.find:
+        paths: "{{ template_base_path }}"
+        patterns: "*.j2"
+        recurse: yes
+      register: jinja_templates
+      delegate_to: localhost
+      run_once: true
+
+    - name: Get parent directories modified in the last 10 minutes
+      ansible.builtin.command: >
+        find {{ template_base_path }} -mindepth 1 -maxdepth 1
+        -type d -mmin -10
+      register: modified_dirs
+      changed_when: false
+      delegate_to: localhost
+      run_once: true
+
+    - name: Set fact for recent directories
+      ansible.builtin.set_fact:
+        recent_dirs: "{{ modified_dirs.stdout_lines }}"
+
+    - name: Filter templates within recently modified folders
+      ansible.builtin.set_fact:
+        selected_templates: >-
+          {{ jinja_templates.files
+             | selectattr('path', 'search', recent_dirs | map('regex_escape') | map('regex_replace', '^', '') | join('|'))
+             | list }}
+
    - name: Ensure target directories exist
      ansible.builtin.file:
-        path: "{{ appdata_base_path }}/{{ (item | basename | regex_replace('\\.j2$', '') | regex_replace('_', '/') | regex_replace('/[^/]+$', '')) }}"
+        path: "{{ appdata_base_path }}/{{ item.path | regex_replace('^' + template_base_path + '/', '') | regex_replace('\\.j2$', '') | dirname }}"
        state: directory
        mode: '0755'
-      loop: "{{ query('fileglob', 'app-configs/*.j2') }}"
+      loop: "{{ selected_templates }}"
+      loop_control:
+        label: "{{ item.path }}"

-    - name: Deploy configuration templates
+    - name: Render and deploy templates
      ansible.builtin.template:
-        src: "{{ item }}"
-        dest: "{{ appdata_base_path }}/{{ item | basename | regex_replace('\\.j2$', '') | regex_replace('_', '/') }}"
+        src: "{{ item.path }}"
+        dest: "{{ appdata_base_path }}/{{ item.path | regex_replace('^' + template_base_path + '/', '') | regex_replace('\\.j2$', '') }}"
        mode: '0644'
-      loop: "{{ query('fileglob', 'app-configs/*.j2') }}"
+      loop: "{{ selected_templates }}"
+      loop_control:
+        label: "{{ item.path }}"
@@ -1,14 +1,14 @@
 vault_addr: "https://vault.trez.wtf"
 vault_token: !vault |
  $ANSIBLE_VAULT;1.1;AES256
-  39306238386563313462666238333237346239326636633731326263653639646235363937386333
-  6138653434613437643134653463363230303038373765380a636162663734393632396638313261
-  39613730633935373063663030616131653731376461333762633131633066366165343536323031
-  3539373461383138310a383734313237313231363539383632323130336536656662313861336261
-  65393033633461363837366462656134386430353236343136616161663364376261623834366466
-  30303765393039376666303937663839663630623063666135313636353432396161333434653435
-  32623634313531343466613966663139333234616137646636636134373264333263343533393331
-  32313530373164653730656662383837626139643364376134376634613237323063343731663734
-  36306335303936633334353564306239663563366435316464343039373965383032
+  62353532343234343230663331623062376533346166343963383464303535646362376233663361
+  3532343530653365663331393339646337653564316337390a646264353561623132366635343032
+  63326535376434353837663334366336613631346161363034646134333439613531376362646161
+  6438316662626566340a346665666234386630633764376336333063363934643162393565386330
+  35333139303939613232303264646236326637613862303339353334623066393966353032333839
+  33323962303635333335376364366336663035303530396262356130373537363134303937353433
+  34393338336666396338616465666466613931373461663761366235643437646136373039353939
+  33643133313264303637646336653537383337336661313765663366356262343064316334313337
+  35306232303132653566356130343366313139336665313737363732613261623439
 vault_token_cleaned: "{{ vault_token | regex_replace('\\n', '') }}"
 secrets_path: "rinoa-docker/env"
				`@@ -0,0 +1 @@`
				`server_endpoint: ws://signoz-app:4320/v1/opamp`