Merge remote-tracking branch 'refs/remotes/origin/ansible-dry-fixes_5-20-25' into ansible-dry-fixes_5-20-25

Renaming Grafana alloy config.
2025-05-26 09:13:29 -04:00 · 2025-05-26 09:12:02 -04:00 · 2025-05-26 09:12:02 -04:00 · 2025-05-26 09:12:02 -04:00 · 2025-05-26 09:12:02 -04:00 · 2025-05-26 09:12:02 -04:00
51 changed files with 1644 additions and 769 deletions
@@ -0,0 +1,193 @@
 name: Gitea Branch PR & Ansible Deployment
 on:
  push:
    branches-ignore:
      - 'main'
    paths:
      - '**.j2'
      - 'ansible/**.yml'
 jobs:
  check-and-create-pr:
    if: github.ref != 'refs/heads/main'
    name: Check and Create PR
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v4
        with:
          fetch-depth: 1
      - name: Cache tea CLI
        id: cache-tea
        uses: actions/cache@v4
        with:
          path: /opt/hostedtoolcache/tea/0.9.2/x64
          key: tea-${{ runner.os }}-0.9.2
      - name: Install tea
        uses: supplypike/setup-bin@v4
        with:
          uri: 'https://gitea.com/gitea/tea/releases/download/v0.9.2/tea-0.9.2-linux-amd64'
          name: 'tea'
          version: '0.9.2'
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: PR Check'
          notification_message: 'Checking for existing PR... 🔍'
      - name: Check if open PR exists
        id: check-opened-pr-step
        continue-on-error: true
        run: |
          tea login add --name gitea-rinoa --url "${{ secrets.RINOA_GITEA_URL }}" --user gitea-sonarqube-bot --password "${{ secrets.BOT_GITEA_PASSWORD }}" --token ${{ secrets.BOT_GITEA_TOKEN }}
          pr_exists=$(tea pr list --repo ${{ github.repository }} --state open --fields index,title,head | egrep ${{ github.ref_name }} | tail -1 | wc -l)
          echo "exists=$pr_exists" >> $GITHUB_OUTPUT
      - name: Create PR
        if: ${{ steps.check-opened-pr-step.outputs.exists == '0' }}
        run: |
          tea login default gitea-rinoa
          pr_index_old=$(tea pr ls --repo ${{ github.repository }} --state all --fields index,title,head --output csv | sed -e 's|"||g' | egrep '^[0-9]' | head -1 | awk -F"," '{print $1}')
          pr_index_new=$(expr ${pr_index_old} + 1)
          tea pr c -r ${{ github.repository }} -t "Automated PR for ${{ github.ref_name }} - #${pr_index_new}" -d "Automatically created PR for branch: ${{ github.ref_name }}" -a ${{ github.actor }} -L "Docker Compose, Ansible Configs.j2"
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: PR Check'
          notification_message: 'PR Created 🎟️'
  ansible-linting:
    name: Ansible Linting
    needs: [check-and-create-pr]
    runs-on: ubuntu-latest
    env:
      VAULT_ADDR: ${{ secrets.RINOA_VAULT_ADDR }}
      VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
      VAULT_NAMESPACE: ""
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Fetch base branch
        run: |
          git fetch origin ${{ github.event.pull_request.base.ref }}
      # - name: Cache Ansible Galaxy Collections
      #   uses: actions/cache@v3
      #   with:
      #     path: ansible/collections
      #     key: ${{ runner.os }}-ansible-${{ hashFiles('./ansible/collections/requirements.yml') }}
      #     restore-keys: |
      #       ${{ runner.os }}-ansible-
      - name: Install Ansible
        uses: alex-oleshkevich/setup-ansible@v1.0.1
        with:
          version: "11.0.0"
      - name: Install Vault
        uses: cpanato/vault-installer@main
      - name: Install hvac
        run: pip install hvac
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: Ansible Config Dry Run @ Rinoa'
          notification_message: 'Starting Ansible dry run...'
      - name: Ansible Playbook Dry Run
        uses: arillso/action.playbook@0.1.0
        with:
          check: true
          galaxy_collections_path: ansible/collections
          galaxy_requirements_file: ansible/collections/requirements.yml
          inventory: ansible/inventory/hosts.yml
          playbook: ansible/docker_config_deploy.yml
          private_key: ${{ secrets.RINOA_ANSIBLE_PRIVATE_KEY }}
          vault_password: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
          verbose: 0
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: Docker Compose Dry Run @ Rinoa'
          notification_message: 'Docker Compose dry run completed successfully.'
  pr-merge:
    name: PR Merge
    needs: [ansible-linting]
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Install tea
        uses: supplypike/setup-bin@v4
        with:
          uri: 'https://gitea.com/gitea/tea/releases/download/v0.9.2/tea-0.9.2-linux-amd64'
          name: 'tea'
          version: '0.9.2'
      - name: PR Merge
        id: pr_merge
        run: |
          tea login add --name gitea-rinoa --url ${{ secrets.RINOA_GITEA_URL }} --user gitea-sonarqube-bot --password "${{ secrets.BOT_GITEA_PASSWORD }}" --token ${{ secrets.BOT_GITEA_TOKEN }}
          tea login default gitea-rinoa
          echo "Merging PR..."
          pr_index=$(tea pr ls --repo ${{ github.repository }} --state open --fields index,title,head,state --output csv | egrep ${{ github.ref_name }} | awk -F"," '{print $1}' | sed -e 's|"||g')
          tea pr m --repo ${{ github.repository }} --title "Auto Merge of PR ${pr_index} - ${{ github.ref_name }}" --message "Merged by ${{ github.actor }}" ${pr_index}
          echo "pr_index=${pr_index}" >> $GITHUB_OUTPUT
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: PR Merge Successful'
          notification_message: 'PR #${{ steps.pr_merge.outputs.pr_index }} merged.'
  ansible-config-deploy:
    name: Ansible Playbook Run (Service Configs)
    runs-on: ubuntu-latest
    needs: [pr-merge]
    env:
      VAULT_ADDR: ${{ secrets.RINOA_VAULT_ADDR }}
      VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
      DOCKER_HOST: tcp://dockerproxy:2375
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          ref: main
      - name: Cache Vault install
        id: cache-vault
        uses: actions/cache@v4
        with:
          path: /opt/hostedtoolcache/vault/1.18.0/x64
          key: vault-${{ runner.os }}-1.18.0
      - name: Install Ansible
        uses: alex-oleshkevich/setup-ansible@v1.0.1
        with:
          version: "11.0.0"
      - name: Install Vault
        uses: cpanato/vault-installer@main
      - name: Install hvac
        run: pip install hvac
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: Ansible Config Deployment @ Rinoa'
          notification_message: 'Starting config deployment with Ansible...'
      - name: Ansible Playbook Dry Run
        uses: arillso/action.playbook@0.1.0
        with:
          check: false
          galaxy_collections_path: ansible/collections
          galaxy_requirements_file: ansible/collections/requirements.yml
          inventory: ansible/inventory/hosts.yml
          playbook: ansible/docker_config_deploy.yml
          private_key: ${{ secrets.RINOA_ANSIBLE_PRIVATE_KEY }}
          vault_password: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: Ansible Config Deployment @ Rinoa'
          notification_message: 'Deployment completed successfully.'
@@ -1,8 +1,11 @@
-name: Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment
+name: Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment
 on:
  push:
    branches-ignore:
      - 'main'
    paths:
      - '**/docker-compose.yml'
      - '!ansible/**.yml'
 jobs:
  check-and-create-pr:
    if: github.ref != 'refs/heads/main'
@@ -53,73 +56,88 @@ jobs:
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: PR Check'
          notification_message: 'PR Created 🎟️'
-  docker-compose-ansible-lints:
+  docker-compose-dry-run:
-    name: Docker Compose & Ansible Lints
+    name: Docker Compose Dry Run
    needs: [check-and-create-pr]
    runs-on: ubuntu-latest
    env:
      VAULT_ADDR: ${{ secrets.RINOA_VAULT_ADDR }}
      VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
      VAULT_NAMESPACE: ""
    outputs:
      svc_deploy_list: ${{ steps.modded_svcs.outputs.rinoa_svcs }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
-      - name: Cache Ansible Galaxy Collections
+      - name: Fetch base branch
-        uses: actions/cache@v3
+        run: |
-        with:
+          git fetch origin ${{ github.event.pull_request.base.ref }}
-          path: ansible/collections
+      - name: Save both versions of docker-compose.yml
-          key: ${{ runner.os }}-ansible-${{ hashFiles('./ansible/collections/requirements.yml') }}
+        run: |
-          restore-keys: |
+          git show origin/main:docker-compose.yml > docker-compose-main.yml || touch docker-compose-main.yml
-            ${{ runner.os }}-ansible-
+          cp docker-compose.yml docker-compose-head.yml
-      - name: Install Ansible
+      - name: Detect added, deleted, and modified services
-        uses: alex-oleshkevich/setup-ansible@v1.0.1
+        id: detect_services
-        with:
+        run: |
-          version: "11.0.0"
+          echo "Getting services from main and ${{ github.ref_name }}"
          yq '.services | keys | .[]' docker-compose-main.yml | sort > services_main.txt
          yq '.services | keys | .[]' docker-compose-head.yml | sort > services_head.txt
          echo "Creating list of modified services..."
          touch service_changes.txt
          comm -13 services_main.txt services_head.txt | while read service; do
            echo "$service: added" >> service_changes.txt
          done
          comm -12 services_main.txt services_head.txt | while read service; do
            yq ".services[\"$service\"]" docker-compose-main.yml > tmp_main.yml
            yq ".services[\"$service\"]" docker-compose-head.yml > tmp_head.yml
            if ! diff -q tmp_main.yml tmp_head.yml > /dev/null; then
              echo "$service: modified" >> service_changes.txt
            fi
          done
          echo "Detected service changes:"
          cat service_changes.txt
          svc_list=$(paste -sd '|' service_changes.txt)
          echo "classified_services=$svc_list" >> "$GITHUB_OUTPUT"
      - name: Install Vault
        uses: cpanato/vault-installer@main
      - name: Install hvac
        run: pip install hvac
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
-          notification_title: 'GITEA: Ansible Config Dry Run @ Rinoa'
+          notification_title: 'GITEA: Docker Compose Dry Run @ Rinoa'
-          notification_message: 'Starting Ansible dry run...'
+          notification_message: 'Starting Docker Compose dry run...'
      - name: Ansible Playbook Dry Run
        uses: dawidd6/action-ansible-playbook@v2
        with:
          directory: ansible/
          playbook: docker_config_deploy.yml
          key: ${{ secrets.RINOA_ANSIBLE_PRIVATE_KEY }}
          options: |
            --inventory inventory/hosts.yml
            --check
          requirements: collections/requirements.yml
          vault_password: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: Ansible Config Dry Run @ Rinoa'
          notification_message: 'Ansible dry run completed successfully; starting Docker Compose'
      - name: Generate .env file for Docker Compose Dry Run
        run: |
          vault kv get -format=json rinoa-docker/env | jq -r '.data.data' | jq -r 'keys[] as $k | "\($k)='\''\(.[$k])'\''"' > .env
      - name: Cache .env Files
        uses: actions/cache@v4
        with:
          path: .env
          key: ${{ runner.os }}-env-${{ hashFiles('docker-compose.yml') }}
      - name: Generate modified services list & .env file for Docker Compose Dry Run
        id: modded_svcs
        run: |
          mod_svcs=$(echo "${{ steps.detect_services.outputs.classified_services }}" | sed -e 's/|//g' -e 's/: \(add\|modifi\|delet\)ed/ /g')
          echo ${mod_svcs}
          vault kv get -format=json rinoa-docker/env | jq -r '.data.data' | jq -r 'keys[] as $k | "\($k)='\''\(.[$k])'\''"' > .env
          echo "rinoa_svcs=${mod_svcs}" >> "$GITHUB_OUTPUT"
      - name: Testing service list output
        run: |
          echo ${{ steps.modded_svcs.outputs.rinoa_svcs }}
      - name: Docker Compose Dry Run
-        uses: yu-ichiro/spin-up-docker-compose-action@v1
+        timeout-minutes: 360
        continue-on-error: true
        uses: keatonLiu/docker-compose-remote-action@v1.2
        with:
-          file: docker-compose.yml
+          docker_compose_file: docker-compose.yml
-          pull: true
+          docker_args: -d --remove-orphans --pull missing ${{ steps.modded_svcs.outputs.rinoa_svcs }}
-          pull-opts: --dry-run
+          ssh_user: gitea-deploy
-          up: true
+          ssh_host: 192.168.1.254
-          up-opts: --dry-run -d --remove-orphans
+          ssh_host_public_key: ${{ secrets.RINOA_GITEA_PUBLIC_SSH_KEY }}
          ssh_private_key: ${{ secrets.RINOA_GITEA_PRIVATE_SSH_KEY }}
        env:
          DOCKER_HOST: tcp://dockerproxy:2375
      - name: Gotify Notification
@@ -202,28 +220,11 @@ jobs:
    name: Update README & Generate List of Modified Services
    runs-on: ubuntu-latest
    needs: [cloudflare-dns-setup]
    # outputs:
    #   pr-pushed: ${{ steps.commit-readme.outputs.pushed }}
    #   modified_services: ${{ steps.compare-services.outputs.modified_services }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Install yq
        uses: dcarbone/install-yq-action@v1
      # - name: Fetch main branch for comparison
      #   run: |
      #     git fetch origin main:main
      # - name: Compare services using yq
      #   continue-on-error: true
      #   id: compare-services
      #   run: |
      #     current_services=$(yq '.services | to_entries' docker-compose.yml)
      #     git show main:docker-compose.yml > main_compose.yml
      #     main_services=$(yq '.services | to_entries' main_compose.yml)
      #     modified_services_file=$(comm -13 <(echo "$main_services") <(echo "$current_services") > changes_compose.yml)
      #     modified_services=${egrep '^  [a-z]' changes.yml | sed -e 's|^  ||g' -e 's|:||g' | sed ':a;N;$!ba;s/\n/ /g'}
      #     echo "Modified services: $modified_services"
      #     echo "modified_services=$modified_services" >> $GITHUB_OUTPUT
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
@@ -286,8 +287,8 @@ jobs:
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: PR Merge Successful'
          notification_message: 'PR #${{ steps.pr_merge.outputs.pr_index }} merged.'
-  ansible-config-docker-compose-deploy:
+  docker-compose-deploy:
-    name: Ansible Configs & Docker Compose Deployment
+    name: Docker Compose Deployment
    runs-on: ubuntu-latest
    needs: [pr-merge]
    env:
@@ -311,32 +312,12 @@ jobs:
          version: "11.0.0"
      - name: Install Vault
        uses: cpanato/vault-installer@main
-      - name: Install hvac
+      - name: Login to Gitea Container Registry
-        run: pip install hvac
+        uses: docker/login-action@v3
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
-          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
+          registry: https://git.trez.wtf
-          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
+          username: gitea-sonarqube-bot
-          notification_title: 'GITEA: Ansible Config Deployment @ Rinoa'
+          password: ${{ secrets.BOT_GITEA_TOKEN }}
          notification_message: 'Starting config deployment with Ansible.'
      - name: Deploy Docker Configs via Ansible
        uses: dawidd6/action-ansible-playbook@v2
        with:
          directory: ansible/
          playbook: docker_config_deploy.yml
          key: ${{secrets.RINOA_ANSIBLE_PRIVATE_KEY}}
          options: |
            --inventory inventory/hosts.yml
          requirements: collections/requirements.yml
          vault_password: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: Ansible Config Deployment @ Rinoa'
          notification_message: 'Deployment completed successfully.'
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
@@ -348,13 +329,12 @@ jobs:
        run: |
           vault kv get -format=json rinoa-docker/env | jq -r '.data.data' | jq -r 'keys[] as $k | "\($k)='\''\(.[$k])'\''"' > .env
      - name: Docker Compose Deployment
        # if: ${{ steps.regenerate-readme-modified-services.outputs.modified_services != '' }}
        timeout-minutes: 360
        continue-on-error: true
        uses: keatonLiu/docker-compose-remote-action@v1.2
        with:
          docker_compose_file: docker-compose.yml
-          docker_args: -d --remove-orphans --pull missing --no-recreate
+          docker_args: -d --remove-orphans --pull missing ${{ docker-compose-dry-run.outputs.svc_deploy_list }}
          ssh_user: gitea-deploy
          ssh_host: 192.168.1.254
          ssh_host_public_key: ${{ secrets.RINOA_GITEA_PUBLIC_SSH_KEY }}
@@ -0,0 +1,28 @@
 name: Auto-Unseal for Vault
 on:
  schedule:
    - cron: "30 2 * * *"
 jobs:
  auto-unseal:
    name: Unseal Vault
    runs-on: ubuntu-latest
    env:
      VAULT_ADDR: ${{ secrets.RINOA_VAULT_ADDR }}
      VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
      VAULT_SHARDS: |
        ${{ secrets.VAULT_UNSEAL_SHARDS }}
      VAULT_NAMESPACE: ""
    steps:
      - name: Cache Vault install
        id: cache-vault
        uses: actions/cache@v4
        with:
          path: /opt/hostedtoolcache/vault/1.18.0/x64
          key: vault-${{ runner.os }}-1.18.0
      - name: Install Vault
        uses: cpanato/vault-installer@main
      - name: Unseal Vault
        run: |
          for vault_shard in $(echo ${VAULT_SHARDS}); do
            vault operator unseal -address=${VAULT_ADDR} -non-interactive "${vault_shard}"
          done
@@ -14,15 +14,11 @@
 | bazarr | lscr.io/linuxserver/bazarr:latest |
 | beszel | henrygd/beszel:latest |
 | beszel-agent | henrygd/beszel-agent:latest |
 | bitmagnet | ghcr.io/bitmagnet-io/bitmagnet:latest |
 | bitmagnet-pg-db | postgres:17-alpine |
 | bitwarden | vaultwarden/server:latest |
 | bluesky-pds | code.modernleft.org/gravityfargo/bluesky-pds:v0.4.98 |
 | browserless | ghcr.io/browserless/chromium:latest |
 | bytebase | bytebase/bytebase:3.5.0 |
 | bytestash | ghcr.io/jordan-dalby/bytestash:latest |
 | castopod | castopod/castopod:latest |
 | cloudflared | cloudflare/cloudflared:latest |
 | cloudflareddns | ghcr.io/hotio/cloudflareddns:latest |
 | convertx | ghcr.io/c4illin/convertx |
 | cronicle | elestio/cronicle:latest |
@@ -33,10 +29,10 @@
 | dawarich-app | freikin/dawarich:latest |
 | dawarich-pg-db | postgis/postgis:17-3.5-alpine |
 | dawarich-sidekiq | freikin/dawarich:latest |
-| delugevpn | ghcr.io/binhex/arch-delugevpn:latest |
+| dead-man-hand | ghcr.io/bkupidura/dead-man-hand:latest |
 | docker-socket-proxy | ghcr.io/tecnativa/docker-socket-proxy:latest |
 | docker-volume-backup | offen/docker-volume-backup:v2 |
 | duplicati | lscr.io/linuxserver/duplicati:latest |
 | excalidraw | excalidraw/excalidraw:latest |
 | explo | ghcr.io/lumepart/explo:latest |
 | fastenhealth | ghcr.io/fastenhealth/fasten-onprem:main |
 | flaresolverr | ghcr.io/flaresolverr/flaresolverr:latest |
@@ -51,7 +47,7 @@
 | graylog-datanode | graylog/graylog-datanode:6.1 |
 | guacamole | flcontainers/guacamole:latest |
 | homepage | ghcr.io/gethomepage/homepage:latest |
-| hugo | hugomods/hugo:exts |
+| hugo | hugomods/hugo:exts-0.145.0 |
 | immich-server | ghcr.io/immich-app/immich-server:release |
 | immich-machine-learning | ghcr.io/immich-app/immich-machine-learning:release |
 | immich-pg-db | tensorchord/pgvecto-rs:pg14-v0.2.1 |
@@ -61,6 +57,8 @@
 | invidious | quay.io/invidious/invidious:latest |
 | invidious-sig-helper | quay.io/invidious/inv-sig-helper:latest |
 | invidious-db | docker.io/library/postgres:14 |
 | invoice-ninja | invoiceninja/invoiceninja-debian:5 |
 | invoice-ninja_proxy | nginx |
 | it-tools | ghcr.io/corentinth/it-tools:latest |
 | jellyfin | jellyfin/jellyfin |
 | jitsi-etherpad | etherpad/etherpad:1.8.6 |
@@ -72,6 +70,7 @@
 | jitsi-web | jitsi/web:stable |
 | joplin-db | postgres:17-alpine |
 | joplin | joplin/server:latest |
 | languagetool | elestio/languagetool:latest |
 | librechat-api | ghcr.io/danny-avila/librechat-dev:latest |
 | librechat-vectordb | ankane/pgvector:latest |
 | librechat-rag-api | ghcr.io/danny-avila/librechat-rag-api-dev-lite:latest |
@@ -97,16 +96,21 @@
 | nextcloud | nextcloud/all-in-one:latest |
 | ollama | ollama/ollama |
 | ombi | lscr.io/linuxserver/ombi:latest |
 | omni-tools | iib0011/omni-tools:latest |
 | omnipoly | kweg/omnipoly:latest |
 | paperless-ngx | ghcr.io/paperless-ngx/paperless-ngx:latest |
 | pgbackweb | eduardolat/pgbackweb:latest |
 | pgbackweb-db | postgres:16-alpine |
 | plantuml-server | plantuml/plantuml-server:jetty |
 | portainer | portainer/portainer-ce:alpine |
-| portall | need4swede/portall:latest |
+| portnote-web | haedlessdev/portnote:latest |
 | portnote-agent | haedlessdev/portnote-agent:latest |
 | portnote-pg-db | postgres:17-alpine |
 | postal-smtp | ghcr.io/postalserver/postal:latest |
 | postal-web | ghcr.io/postalserver/postal:latest |
 | postal-worker | ghcr.io/postalserver/postal:latest |
 | prowlarr | lscr.io/linuxserver/prowlarr:latest |
 | qbittorrentvpn | ghcr.io/binhex/arch-qbittorrentvpn:latest |
 | radarec | thewicklowwolf/radarec:latest |
 | radarr | lscr.io/linuxserver/radarr:latest |
 | reactive-resume | amruthpillai/reactive-resume:latest |
@@ -115,7 +119,9 @@
 | redis | redis:alpine |
 | redlib | quay.io/redlib/redlib:latest |
 | rocketchat | registry.rocket.chat/rocketchat/rocket.chat:latest |
 | romm | rommapp/romm:latest |
 | sabnzbdvpn | ghcr.io/binhex/arch-sabnzbdvpn:latest |
 | sablier | sablierapp/sablier:latest |
 | scraperr | jpyles0524/scraperr:latest |
 | scraperr-api | jpyles0524/scraperr_api:latest |
 | scrutiny | ghcr.io/analogj/scrutiny:master-omnibus |
@@ -139,5 +145,16 @@
 | wallos | bellamy/wallos:latest |
 | watchtower | ghcr.io/containrrr/watchtower:latest |
 | web-check | lissy93/web-check |
 | whodb | clidey/whodb |
 | youtubedl | nbr23/youtube-dl-server:latest |
 | zammad-backup | ghcr.io/zammad/zammad:6.5.0-15 |
 | zammad-elasticsearch | bitnami/elasticsearch:8.17.4 |
 | zammad-init | ghcr.io/zammad/zammad:6.5.0-15 |
 | zammad-memcached | memcached:1.6.38-alpine |
 | zammad-nginx | ghcr.io/zammad/zammad:6.5.0-15 |
 | zammad-postgresql | postgres:17.4-alpine |
 | zammad-railsserver | ghcr.io/zammad/zammad:6.5.0-15 |
 | zammad-redis | redis:7.4.2-alpine |
 | zammad-scheduler | ghcr.io/zammad/zammad:6.5.0-15 |
 | zammad-websocket | ghcr.io/zammad/zammad:6.5.0-15 |
@@ -1,3 +1,6 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 urls:
-  - gotify://gotify/{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['APPRISE_GOTIFY_TOKEN'] }}
+  - gotify://gotify/{{ vault_secrets['APPRISE_GOTIFY_TOKEN'] }}
-  - mailtos://{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}@trez.wtf25?smtp=postal-smtp&from=noreply@trez.wtf
+  - mailtos://{{ vault_secrets['POSTAL_SMTP_AUTH_USER'] }}:{{ vault_secrets['POSTAL_SMTP_AUTH_PASSWORD'] }}@trez.wtf25?smtp=postal-smtp&from=noreply@trez.wtf
@@ -64,11 +64,11 @@ authentication_backend:
      mail: mail
      display_name: displayName
    user: uid=authelia,ou=people,dc=trez,dc=wtf
-    password: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_AUTH_BIND_LDAP_PASSWORD'] }}'
+    password: '{{ vault_secrets['AUTHELIA_AUTH_BIND_LDAP_PASSWORD'] }}'
  refresh_interval: 5m
 identity_validation:
  reset_password:
-    jwt_secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_JWT_SECRET'] }}'
+    jwt_secret: '{{ vault_secrets['AUTHELIA_JWT_SECRET'] }}'
 password_policy:
  standard:
    enabled: true
@@ -104,7 +104,7 @@ access_control:
      - ['user:the.trezured.one']
 session:
  name: authelia_session
-  secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_SESSION_SECRET'] }}'
+  secret: '{{ vault_secrets['AUTHELIA_SESSION_SECRET'] }}'
  expiration: 1h
  inactivity: 5m
  remember_me: 1M
@@ -115,12 +115,12 @@ session:
    host: redis
    port: 6379
 storage:
-  encryption_key: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_STORAGE_ENCRYPTION_KEY'] }}'
+  encryption_key: '{{ vault_secrets['AUTHELIA_STORAGE_ENCRYPTION_KEY'] }}'
  postgres:
    address: 'tcp://authelia-pg:5432'
    database: authelia
    username: authelia
-    password: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_STORAGE_POSTGRES_PASSWORD'] }}'
+    password: '{{ vault_secrets['AUTHELIA_STORAGE_POSTGRES_PASSWORD'] }}'
    timeout: '5s'
 regulation:
  max_retries: 3
@@ -131,8 +131,8 @@ notifier:
  smtp:
    address: 'smtp://postal-smtp:25'
    timeout: '5s'
-    username: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}'
+    username: '{{ vault_secrets['POSTAL_SMTP_AUTH_USER'] }}'
-    password: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}'
+    password: '{{ vault_secrets['POSTAL_SMTP_AUTH_PASSWORD'] }}'
    sender: "Authelia <noreply@trez.wtf>"
    identifier: 'localhost'
    subject: "[Authelia] {title}"
@@ -142,10 +142,10 @@ notifier:
    disable_html_emails: false
 identity_providers:
  oidc:
-    hmac_secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_OIDC_HMAC_SECRET'] }}'
+    hmac_secret: '{{ vault_secrets['AUTHELIA_OIDC_HMAC_SECRET'] }}'
    jwks:
      - key: |
-          {{ lookup("community.hashi_vault.vault_kv2_get", "env", engine_mount_point="rinoa-docker", url=vault_addr, token=vault_token_cleaned)["secret"]["AUTHELIA_OIDC_JWKS_KEY"] | replace("\\n", "\n") | indent(10) }}
+          {{ vault_secrets["AUTHELIA_OIDC_JWKS_KEY"] | replace("\\n", "\n") | indent(10) }}
    cors:
      allowed_origins_from_client_redirect_uris: true
      endpoints:
@@ -157,7 +157,7 @@ identity_providers:
    clients:
      - client_id: 'netbird'
        client_name: 'NetBird'
-        client_secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_NETBIRD_CLIENT_SECRET'] }}'
+        client_secret: '{{ vault_secrets['AUTHELIA_NETBIRD_CLIENT_SECRET'] }}'
        public: false
        authorization_policy: 'two_factor'
        redirect_uris:
@@ -1,7 +1,6 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 source: journalctl
 journalctl_filter: 
  - "--directory=/var/log/host/"
@@ -3,4 +3,4 @@
 url: http://0.0.0.0:8080
 login: localhost
-password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['CROWDSEC_LOCAL_API_KEY'] }}
+password: {{ vault_secrets['CROWDSEC_LOCAL_API_KEY'] }}
@@ -7,21 +7,22 @@
    "client": "mysql",
    "connection": {
      "host"     : "mariadb",
      "port"     : 3306,
      "user"     : "ghost",
-      "password" : "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GHOST_DB_PASSWORD'] }}",
+      "password" : "{{ vault_secrets['GHOST_DB_PASSWORD'] }}",
      "database" : "ghost_db"
    }
  },
  "mail": {
-    "from": "'Ghost @ Rinoa' <noreply@trez.wtf>"
+    "from": "'Ghost @ Rinoa' <noreply@trez.wtf>",
    "transport": "SMTP",
    "options": {
      "host": "postal-smtp",
      "port": 25,
      "secure": false,
      "auth": {
-        "user": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}",
+        "user": "{{ vault_secrets['POSTAL_SMTP_AUTH_USER'] }}",
-        "pass": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}"
+        "pass": "{{ vault_secrets['POSTAL_SMTP_AUTH_PASSWORD'] }}"
      }
    }
  },
@@ -0,0 +1,101 @@
 # Example configuration file, it's safe to copy this as the default config file without any modification.
 # You don't have to copy this file to your instance,
 # just run `./act_runner generate-config > config.yaml` to generate a config file.
 log:
  # The level of logging, can be trace, debug, info, warn, error, fatal
  level: info
 runner:
  # Where to store the registration result.
  file: .runner
  # Execute how many tasks concurrently at the same time.
  capacity: 3
  # Extra environment variables to run jobs.
 #   envs:
 #     A_TEST_ENV_NAME_1: a_test_env_value_1
 #     A_TEST_ENV_NAME_2: a_test_env_value_2
  # Extra environment variables to run jobs from a file.
  # It will be ignored if it's empty or the file doesn't exist.
 #   env_file: .env
  # The timeout for a job to be finished.
  # Please note that the Gitea instance also has a timeout (3h by default) for the job.
  # So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
  timeout: 3h
  # The timeout for the runner to wait for running jobs to finish when shutting down.
  # Any running jobs that haven't finished after this timeout will be cancelled.
  shutdown_timeout: 0s
  # Whether skip verifying the TLS certificate of the Gitea instance.
  insecure: false
  # The timeout for fetching the job from the Gitea instance.
  fetch_timeout: 5s
  # The interval for fetching the job from the Gitea instance.
  fetch_interval: 2s
  # The labels of a runner are used to determine which jobs the runner can run, and how to run them.
  # Like: "macos-arm64:host" or "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
  # Find more images provided by Gitea at https://gitea.com/gitea/runner-images .
  # If it's empty when registering, it will ask for inputting labels.
  # If it's empty when execute `daemon`, will use labels in `.runner` file.
  labels:
    - "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
    - "ubuntu-22.04:docker://gitea/runner-images:ubuntu-22.04"
    - "ubuntu-20.04:docker://gitea/runner-images:ubuntu-20.04"
 cache:
  # Enable cache server to use actions/cache.
  enabled: true
  # The directory to store the cache data.
  # If it's empty, the cache data will be stored in $HOME/.cache/actcache.
  dir: ""
  # The host of the cache server.
  # It's not for the address to listen, but the address to connect from job containers.
  # So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
  host: "192.168.1.254"
  # The port of the cache server.
  # 0 means to use a random available port.
  port: 63604
  # The external cache server URL. Valid only when enable is true.
  # If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
  # The URL should generally end with "/".
  external_server: ""
 container:
  # Specifies the network to which the container will connect.
  # Could be host, bridge or the name of a custom network.
  # If it's empty, act_runner will create a network automatically.
  network: "compose_default"
  # Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
  privileged: false
  # And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
  options:
  # The parent directory of a job's working directory.
  # NOTE: There is no need to add the first '/' of the path as act_runner will add it automatically. 
  # If the path starts with '/', the '/' will be trimmed.
  # For example, if the parent directory is /path/to/my/dir, workdir_parent should be path/to/my/dir
  # If it's empty, /workspace will be used.
  workdir_parent:
  # Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
  # You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
  # For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
  # valid_volumes:
  #   - data
  #   - /src/*.json
  # If you want to allow any volume, please use the following configuration:
  # valid_volumes:
  #   - '**'
  valid_volumes: []
  # overrides the docker client host with the specified one.
  # If it's empty, act_runner will find an available docker host automatically.
  # If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
  # If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
  docker_host: ""
  # Pull docker image(s) even if already present
  force_pull: false
  # Rebuild docker image(s) even if already present
  force_rebuild: false
 host:
  # The parent directory of a job's working directory.
  # If it's empty, $HOME/.cache/act/ will be used.
  workdir_parent:
@@ -27,7 +27,7 @@ DISABLE_SSH = false
 SSH_PORT = 22
 SSH_LISTEN_PORT = 22
 LFS_START_SERVER = true
-LFS_JWT_SECRET = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_LFS_JWT_SECRET'] }}
+LFS_JWT_SECRET = {{ vault_secrets['GITEA_LFS_JWT_SECRET'] }}
 OFFLINE_MODE = true
 [database]
@@ -36,7 +36,7 @@ DB_TYPE = postgres
 HOST = gitea-db:5432
 NAME = gitea
 USER = gitea
-PASSWD = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_PG_DB_PASSWORD'] }}
+PASSWD = {{ vault_secrets['GITEA_PG_DB_PASSWORD'] }}
 LOG_SQL = false
 SCHEMA =
 SSL_MODE = disable
@@ -70,7 +70,7 @@ INSTALL_LOCK = true
 SECRET_KEY =
 REVERSE_PROXY_LIMIT = 1
 REVERSE_PROXY_TRUSTED_PROXIES = *
-INTERNAL_TOKEN = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_INTERNAL_TOKEN'] }}
+INTERNAL_TOKEN = {{ vault_secrets['GITEA_INTERNAL_TOKEN'] }}
 PASSWORD_HASH_ALGO = pbkdf2
 [service]
@@ -89,7 +89,7 @@ NO_REPLY_ADDRESS = noreply@trez.wtf
 PATH = /data/git/lfs
 [mailer]
-PASSWD = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}
+PASSWD = {{ vault_secrets['POSTAL_SMTP_AUTH_PASSWORD'] }}
 PROTOCOL = smtp
 ENABLED = true
 FROM = '"Gitea" <noreply@trez.wtf>'
@@ -112,7 +112,7 @@ DEFAULT_MERGE_STYLE = merge
 DEFAULT_TRUST_MODEL = committer
 [oauth2]
-JWT_SECRET = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_OAUTH2_JWT_SECRET'] }}
+JWT_SECRET = {{ vault_secrets['GITEA_OAUTH2_JWT_SECRET'] }}
 [ui]
 THEMES =
@@ -9,7 +9,7 @@ gitea:
  # Created access token for the user that shall be used as bot account.
  # User needs "Read project" permissions with access to "Pull Requests"
  token:
-    value: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_GITEA_TOKEN'] }}"
+    value: "{{ vault_secrets['GITEA_SONARQUBE_BOT_GITEA_TOKEN'] }}"
    # # or path to file containing the plain text secret
    # file: /path/to/gitea/token
@@ -18,7 +18,7 @@ gitea:
  # The bot looks for `X-Gitea-Signature` header containing the sha256 hmac hash of the plain text secret. If the header
  # exists and no webhookSecret is defined here, the bot will ignore the request, because it cannot be validated.
  webhook:
-    secret: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_GITEA_WEBHOOK_SECRET'] }}"
+    secret: "{{ vault_secrets['GITEA_SONARQUBE_BOT_GITEA_WEBHOOK_SECRET'] }}"
    # # or path to file containing the plain text secret
    # secretFile: /path/to/gitea/webhook/secret
@@ -35,7 +35,7 @@ sonarqube:
  # Created access token for the user that shall be used as bot account.
  # User needs "Browse on project" permissions
  token:
-    value: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_SQUBE_TOKEN'] }}"
+    value: "{{ vault_secrets['GITEA_SONARQUBE_BOT_SQUBE_TOKEN'] }}"
    # # or path to file containing the plain text secret
    # file: /path/to/sonarqube/token
@@ -45,7 +45,7 @@ sonarqube:
  # If the header exists and no webhookSecret is defined here, the bot will ignore the request, because it cannot be
  # validated.
  webhook:
-    secret: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_SQUBE_WEBHOOK_SECRET'] }}"
+    secret: "{{ vault_secrets['GITEA_SONARQUBE_BOT_SQUBE_WEBHOOK_SECRET'] }}"
    # # or path to file containing the plain text secret
    # secretFile: /path/to/sonarqube/webhook/secret
@@ -4,8 +4,8 @@ storage:
    bucket_name: pyroscope
    endpoint: minio:9000
    region: us-east-fh-pln
-    access_key_id: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MINIO_PYROSCOPE_STORAGE_ACCESS_KEY'] }}
+    access_key_id: {{ vault_secrets['MINIO_PYROSCOPE_STORAGE_ACCESS_KEY'] }}
-    secret_access_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MINIO_PYROSCOPE_STORAGE_SECRET_KEY'] }}
+    secret_access_key: {{ vault_secrets['MINIO_PYROSCOPE_STORAGE_SECRET_KEY'] }}
    insecure: true
 analytics:
@@ -46,8 +46,8 @@ storage:
    s3:
      bucket: tempo                    # how to store data in s3
      endpoint: minio:9000
-      access_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MINIO_TEMPO_STORAGE_ACCESS_KEY'] }}
+      access_key: {{ vault_secrets['MINIO_TEMPO_STORAGE_ACCESS_KEY'] }}
-      secret_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MINIO_TEMPO_STORAGE_SECRET_KEY'] }}
+      secret_key: {{ vault_secrets['MINIO_TEMPO_STORAGE_SECRET_KEY'] }}
      insecure: true
 usage_report:
@@ -29,5 +29,5 @@
        widget:
            type: homeassistant
            url: http://192.168.1.252:8123
-            key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['HOMEPAGE_HOME_ASSISTANT_API_KEY'] }}
+            key: {{ vault_secrets['HOMEPAGE_HOME_ASSISTANT_API_KEY'] }}
@@ -6,7 +6,7 @@
 # https://gethomepage.dev/en/configs/settings
 providers:
-  openweathermap: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['HOMEPAGE_OPENWEATHERMAP_API_KEY'] }}
+  openweathermap: {{ vault_secrets['HOMEPAGE_OPENWEATHERMAP_API_KEY'] }}
  # weatherapi: weatherapiapikey
 title: Rinoa Dashboard (trez.WTF)
 headerStyle: underlined
@@ -53,4 +53,4 @@ layout:
    columns: 2
  Media Library:
    style: row
-    columns: 4
+    columns: 3
@@ -1,3 +1,6 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 #########################################
 #
 #  Database and other external servers
@@ -13,7 +16,7 @@ db:
  host: invidious-db
  port: 5432
  dbname: invidious
-  password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_PG_DB_PASSWORD'] }}
+  password: {{ vault_secrets['INVID_PG_DB_PASSWORD'] }}
 ##
 ## Database configuration using a single URI. This is an
@@ -207,8 +210,8 @@ https_only: false
 ## Accepted values: String
 ## Default: <none>
 ##
-po_token: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_PO_TOKEN'] }}
+po_token: {{ vault_secrets['INVID_PO_TOKEN'] }}
-visitor_data: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_VISITOR_DATA'] }}
+visitor_data: {{ vault_secrets['INVID_VISITOR_DATA'] }}
 # -----------------------------
 #  Logging
@@ -468,7 +471,7 @@ jobs:
 ## Accepted values: a string
 ## Default: <none>
 ##
-hmac_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_HMAC_KEY'] }}
+hmac_key: {{ vault_secrets['INVID_HMAC_KEY'] }}
 ##
 ## List of video IDs where the "download" widget must be
@@ -2,8 +2,8 @@
 {% set secrets_path = 'rinoa-docker/env' %}
 # IN application vars
-IN_APP_URL=http://in.localhost:8003
+IN_APP_URL=https://biz.trez.wtf
-IN_APP_KEY=<insert your generated key in here>
+IN_APP_KEY={{ vault_secrets['IN_APP_KEY'] }}
 IN_APP_DEBUG=true
 IN_REQUIRE_HTTPS=false
 IN_PHANTOMJS_PDF_GENERATION=false
@@ -14,11 +14,11 @@ IN_TRUSTED_PROXIES='*'
 IN_QUEUE_CONNECTION=database
 # DB connection
-IN_DB_HOST=db
+IN_DB_HOST=mariadb
 IN_DB_PORT=3306
-IN_DB_DATABASE=ninja
+IN_DB_DATABASE=invoice_ninja
-IN_DB_USERNAME=ninja
+IN_DB_USERNAME=ininja
-IN_DB_PASSWORD=ninja
+IN_DB_PASSWORD={{ vault_secrets['IN_MYSQL_PASSWORD'] }}
 # Create initial user
 # Default to these values if empty
@@ -29,13 +29,13 @@ IN_PASSWORD=
 # Mail options
 IN_MAIL_MAILER=log
-IN_MAIL_HOST=smtp.mailtrap.io
+IN_MAIL_HOST=postal-smtp
-IN_MAIL_PORT=2525
+IN_MAIL_PORT=25
-IN_MAIL_USERNAME=null
+IN_MAIL_USERNAME={{ vault_secrets['POSTAL_SMTP_AUTH_USER'] }}
-IN_MAIL_PASSWORD=null
+IN_MAIL_PASSWORD={{ vault_secrets['POSTAL_SMTP_AUTH_PASSWORD'] }}
 IN_MAIL_ENCRYPTION=null
-IN_MAIL_FROM_ADDRESS='user@example.com'
+IN_MAIL_FROM_ADDRESS='noreply@trez.wtf'
-IN_MAIL_FROM_NAME='Self Hosted User'
+IN_MAIL_FROM_NAME='Treasured IT'
 # MySQL
 IN_MYSQL_ROOT_PASSWORD=ninjaAdm1nPassword
@@ -17,7 +17,7 @@
 HOST=localhost
 PORT=3080
-MONGO_URI=mongodb://librechat:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_MONGODB_PASSWORD'] }}@mongodb:27017/librechat?replicaSet=rinoa
+MONGO_URI=mongodb://librechat:{{ vault_secrets['LIBRECHAT_MONGODB_PASSWORD'] }}@mongodb:27017/librechat?replicaSet=rinoa
 DOMAIN_CLIENT=https://ai.trez.wtf
 DOMAIN_SERVER=https://ai.trez.wtf
@@ -73,12 +73,12 @@ PROXY=
 # ANYSCALE_API_KEY=
 # APIPIE_API_KEY=
 # COHERE_API_KEY=
-DEEPSEEK_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_DEEPSEEK_API_KEY'] }}
+DEEPSEEK_API_KEY={{ vault_secrets['LIBRECHAT_DEEPSEEK_API_KEY'] }}
 # DATABRICKS_API_KEY=
 # FIREWORKS_API_KEY=
 # GROQ_API_KEY=
 # HUGGINGFACE_TOKEN=
-MISTRAL_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_MISTRAL_API_KEY'] }}
+MISTRAL_API_KEY={{ vault_secrets['LIBRECHAT_MISTRAL_API_KEY'] }}
 # OPENROUTER_KEY=
 # PERPLEXITY_API_KEY=
 # SHUTTLEAI_API_KEY=
@@ -90,7 +90,7 @@ MISTRAL_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_m
 # Anthropic  #
 #============#
-ANTHROPIC_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_ANTHROPIC_API_KEY'] }}
+ANTHROPIC_API_KEY={{ vault_secrets['LIBRECHAT_ANTHROPIC_API_KEY'] }}
 ANTHROPIC_MODELS=claude-3-7-sonnet-latest,claude-3-7-sonnet-20250219,claude-3-5-haiku-20241022,claude-3-5-sonnet-20241022,claude-3-5-sonnet-latest,claude-3-5-sonnet-20240620,claude-3-opus-20240229,claude-3-sonnet-20240229,claude-3-haiku-20240307,claude-2.1,claude-2,claude-1.2,claude-1,claude-1-100k,claude-instant-1,claude-instant-1-100k
 # ANTHROPIC_REVERSE_PROXY=
@@ -177,7 +177,7 @@ ANTHROPIC_MODELS=claude-3-7-sonnet-latest,claude-3-7-sonnet-20250219,claude-3-5-
 # OpenAI     #
 #============#
-OPENAI_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_OPENAI_API_KEY'] }}
+OPENAI_API_KEY={{ vault_secrets['LIBRECHAT_OPENAI_API_KEY'] }}
 OPENAI_MODELS=o1,o1-mini,o1-preview,gpt-4o,chatgpt-4o-latest,gpt-4o-mini,gpt-3.5-turbo-0125,gpt-3.5-turbo-0301,gpt-3.5-turbo,gpt-4,gpt-4-0613,gpt-4-vision-preview,gpt-3.5-turbo-0613,gpt-3.5-turbo-16k-0613,gpt-4-0125-preview,gpt-4-turbo-preview,gpt-4-1106-preview,gpt-3.5-turbo-1106,gpt-3.5-turbo-instruct,gpt-3.5-turbo-instruct-0914,gpt-3.5-turbo-16k
 DEBUG_OPENAI=false
@@ -226,8 +226,8 @@ DEBUG_OPENAI=false
 # DEBUG_PLUGINS=
-CREDS_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_CREDS_KEY'] }}
+CREDS_KEY={{ vault_secrets['LIBRECHAT_CREDS_KEY'] }}
-CREDS_IV={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_CREDS_IV'] }}
+CREDS_IV={{ vault_secrets['LIBRECHAT_CREDS_IV'] }}
 # Azure AI Search
 #-----------------
@@ -298,7 +298,7 @@ ZAPIER_NLA_API_KEY=
 SEARCH=true
 MEILI_NO_ANALYTICS=true
 MEILI_HOST=http://meilisearch:7700
-MEILI_MASTER_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MEILISEARCH_MASTER_KEY'] }}
+MEILI_MASTER_KEY={{ vault_secrets['MEILISEARCH_MASTER_KEY'] }}
 # Optional: Disable indexing, useful in a multi-node setup
 # where only one instance should perform an index sync.
@@ -384,8 +384,8 @@ ALLOW_UNVERIFIED_EMAIL_LOGIN=true
 SESSION_EXPIRY=1000 * 60 * 15
 REFRESH_TOKEN_EXPIRY=(1000 * 60 * 60 * 24) * 7
-JWT_SECRET={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_JWT_SECRET'] }}
+JWT_SECRET={{ vault_secrets['LIBRECHAT_JWT_SECRET'] }}
-JWT_REFRESH_SECRET={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_JWT_REFRESH_SECRET'] }}
+JWT_REFRESH_SECRET={{ vault_secrets['LIBRECHAT_JWT_REFRESH_SECRET'] }}
 # Discord
@@ -547,4 +547,4 @@ USE_REDIS=true
 #=====================================================#
 #                  OpenWeather                        #
 #=====================================================#
-OPENWEATHER_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['HOMEPAGE_OPENWEATHERMAP_API_KEY'] }}
+OPENWEATHER_API_KEY={{ vault_secrets['HOMEPAGE_OPENWEATHERMAP_API_KEY'] }}
@@ -7,7 +7,7 @@
  <SslPort>6868</SslPort>
  <EnableSsl>False</EnableSsl>
  <LaunchBrowser>True</LaunchBrowser>
-  <ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIDARR_API_KEY'] }}</ApiKey>
+  <ApiKey>{{ vault_secrets['LIDARR_API_KEY'] }}</ApiKey>
  <AuthenticationMethod>Forms</AuthenticationMethod>
  <Branch>master</Branch>
  <LogLevel>trace</LogLevel>
@@ -3,11 +3,11 @@
 {
    "lidarr_address": "http://lidarr:8686",
-    "lidarr_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIDARR_API_KEY'] }}",
+    "lidarr_api_key": "{{ vault_secrets['LIDARR_API_KEY'] }}",
-    "spotify_client_secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_SECRET'] }}",
+    "spotify_client_secret": "{{ vault_secrets['YOUR_SPOTIFY_SECRET'] }}",
    "root_folder_path": "/data/media/music",
-    "spotify_client_id": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_ID'] }}",
+    "spotify_client_id": "{{ vault_secrets['YOUR_SPOTIFY_ID'] }}",
-    "spotify_client_secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_SECRET'] }}",
+    "spotify_client_secret": "{{ vault_secrets['YOUR_SPOTIFY_SECRET'] }}",
    "fallback_to_top_result": false,
    "lidarr_api_timeout": 120.0,
    "quality_profile_id": 1,
@@ -17,8 +17,8 @@
    "app_name": "lidify",
    "app_rev": "0.09",
    "app_url": "lidify.trez.wtf",
-    "last_fm_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
+    "last_fm_api_key": "{{ vault_secrets['LASTFM_API_KEY'] }}",
-    "last_fm_api_secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
+    "last_fm_api_secret": "{{ vault_secrets['LASTFM_API_SECRET'] }}",
    "mode": "LastFM",
    "auto_start": false,
    "auto_start_delay": 60
@@ -1,8 +1,18 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 containers:
  ghost_blog:
    action_keywords:
      - restart:
          regex: ':[0-9]{2}\] ERROR.*$'
  immich-server:
    action_keywords:
      - restart:
          regex: 'ADVICE:.*error'
  invidious:
    keywords:
      - regex: 'Error reading.*Connection reset by peer trying to reconnect...'
 global_keywords:
  keywords:
    - panic
@@ -10,7 +20,7 @@ global_keywords:
    - fatal
 notifications:
  apprise:
-    url: gotify://gotify/{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['APPRISE_GOTIFY_TOKEN'] }}    # Any Apprise-compatible URL (https://github.com/caronc/apprise/wiki)
+    url: gotify://gotify/{{ vault_secrets['APPRISE_GOTIFY_TOKEN'] }}    # Any Apprise-compatible URL (https://github.com/caronc/apprise/wiki)
 # settings are optional because they all have default values
 settings:
  log_level: INFO               # DEBUG, INFO, WARNING, ERROR
@@ -0,0 +1,159 @@
 'use strict';
 const packageJson = require('../../package.json');
 module.exports = {
    // Branding and customizations require a license: https://codecanyon.net/item/mirotalk-p2p-webrtc-realtime-video-conferences/38376661
    brand: {
        app: {
            language: 'en', // https://en.wikipedia.org/wiki/List_of_ISO_639_language_codes
            name: 'MiroTalk',
            title: '<h1>MiroTalk</h1/>Free browser based Real-time video calls.<br />Simple, Secure, Fast.',
            description:
                'Start your next video call with a single click. No download, plug-in, or login is required. Just get straight to talking, messaging, and sharing your screen.',
            joinDescription: 'Pick a room name.<br />How about this one?',
            joinButtonLabel: 'JOIN ROOM',
            joinLastLabel: 'Your recent room:',
        },
        og: {
            type: 'app-webrtc',
            siteName: 'MiroTalk',
            title: 'Click the link to make a call.',
            description:
                'MiroTalk calling provides real-time HD quality and latency simply not available with traditional technology.',
            image: 'https://p2p.mirotalk.com/images/preview.png',
            url: 'https://p2p.mirotalk.com',
        },
        site: {
            shortcutIcon: '../images/logo.svg',
            appleTouchIcon: '../images/logo.svg',
            landingTitle: 'MiroTalk a Free Secure Video Calls, Chat & Screen Sharing.',
            newCallTitle: 'MiroTalk a Free Secure Video Calls, Chat & Screen Sharing.',
            newCallRoomTitle: 'Pick name. <br />Share URL. <br />Start conference.',
            newCallRoomDescription:
                "Each room has its disposable URL. Just pick a room name and share your custom URL. It's that easy.",
            loginTitle: 'MiroTalk - Host Protected login required.',
            clientTitle: 'MiroTalk WebRTC Video call, Chat Room & Screen Sharing.',
            privacyPolicyTitle: 'MiroTalk - privacy and policy.',
            stunTurnTitle: 'Test Stun/Turn Servers.',
            notFoundTitle: 'MiroTalk - 404 Page not found.',
        },
        html: {
            features: true,
            browsers: true,
            teams: true, // please keep me always true ;)
            tryEasier: true,
            poweredBy: true,
            sponsors: true,
            advertisers: true,
            footer: true,
        },
        about: {
            imageUrl: '../images/mirotalk-logo.gif',
            title: `WebRTC P2P v${packageJson.version}`,
            html: `
                <button
                    id="support-button"
                    data-umami-event="Support button"
                    onclick="window.open('https://codecanyon.net/user/miroslavpejic85')">
                    <i class="fas fa-heart" ></i>&nbsp;Support
                </button>
                <br /><br /><br />
                Author:<a
                    id="linkedin-button"
                    data-umami-event="Linkedin button"
                    href="https://www.linkedin.com/in/miroslav-pejic-976a07101/" target="_blank">
                    Miroslav Pejic
                </a>
                <br /><br />
                Email:<a
                    id="email-button"
                    data-umami-event="Email button"
                    href="mailto:miroslav.pejic.85@gmail.com?subject=MiroTalk P2P info">
                    miroslav.pejic.85@gmail.com
                </a>
                <br /><br />
                <hr />
                <span>&copy; 2025 MiroTalk P2P, all rights reserved</span>
                <hr />
            `,
        },
        //...
    },
    /**
     * Configuration for controlling the visibility of buttons in the MiroTalk P2P client.
     * Set properties to true to show the corresponding buttons, or false to hide them.
     * captionBtn, showSwapCameraBtn, showScreenShareBtn, showFullScreenBtn, showVideoPipBtn, showDocumentPipBtn -> (auto-detected).
     */
    buttons: {
        main: {
            showShareQr: true,
            showShareRoomBtn: true, // For guests
            showHideMeBtn: true,
            showAudioBtn: true,
            showVideoBtn: true,
            showScreenBtn: true, // autodetected
            showRecordStreamBtn: true,
            showChatRoomBtn: true,
            showCaptionRoomBtn: true,
            showRoomEmojiPickerBtn: true,
            showMyHandBtn: true,
            showWhiteboardBtn: true,
            showSnapshotRoomBtn: true,
            showFileShareBtn: true,
            showDocumentPipBtn: true,
            showMySettingsBtn: true,
            showAboutBtn: true, // Please keep me always true, Thank you!
        },
        chat: {
            showTogglePinBtn: true,
            showMaxBtn: true,
            showSaveMessageBtn: true,
            showMarkDownBtn: true,
            showChatGPTBtn: true,
            showFileShareBtn: true,
            showShareVideoAudioBtn: true,
            showParticipantsBtn: true,
        },
        caption: {
            showTogglePinBtn: true,
            showMaxBtn: true,
        },
        settings: {
            showMicOptionsBtn: true,
            showTabRoomPeerName: true,
            showTabRoomParticipants: true,
            showTabRoomSecurity: true,
            showTabEmailInvitation: true,
            showCaptionEveryoneBtn: true,
            showMuteEveryoneBtn: true,
            showHideEveryoneBtn: true,
            showEjectEveryoneBtn: true,
            showLockRoomBtn: true,
            showUnlockRoomBtn: true,
            showShortcutsBtn: true,
        },
        remote: {
            showAudioVolume: true,
            audioBtnClickAllowed: true,
            videoBtnClickAllowed: true,
            showVideoPipBtn: true,
            showKickOutBtn: true,
            showSnapShotBtn: true,
            showFileShareBtn: true,
            showShareVideoAudioBtn: true,
            showPrivateMessageBtn: true,
            showZoomInOutBtn: false,
            showVideoFocusBtn: true,
        },
        local: {
            showVideoPipBtn: true,
            showSnapShotBtn: true,
            showVideoCircleBtn: true,
            showZoomInOutBtn: false,
        },
        whiteboard: {
            whiteboardLockBtn: false,
        },
    },
 };
@@ -27,58 +27,61 @@
      "clients": [],
      "name": "spotify",
      "data": {
-        "clientId": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_ID'] }}",
+        "clientId": "{{ vault_secrets['YOUR_SPOTIFY_ID'] }}",
-        "clientSecret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_SECRET'] }}",
+        "clientSecret": "{{ vault_secrets['YOUR_SPOTIFY_SECRET'] }}",
        "redirectUri": "http://localhost:9078/callback"
      }
    },
    {
-      "type:": "lastfm",
+      "type": "lastfm",
      "name": "lastfm",
      "enable": true,
      "clients": [],
      "name": "lastfm",
      "data": {
-        "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
+        "apiKey": "{{ vault_secrets['LASTFM_API_KEY'] }}",
-        "secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
+        "secret": "{{ vault_secrets['LASTFM_API_SECRET'] }}",
        "redirectUri": "http://localhost:9078/lastfm/callback"
      }
    },
    {
      "type": "listenbrainz",
      "name": "listenBrainz",
      "enable": true,
      "clients": [],
      "name": "listenBrainz",
      "data": {
-        "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_LISTENBRAINZ_TOKEN'] }}",
+        "token": "{{ vault_secrets['MALOJA_LISTENBRAINZ_TOKEN'] }}",
        "username": "Trez.One"
      }
    },
    {
      "type": "subsonic",
      "name": "navidrome",
      "enable": true,
      "clients": [],
      "name": "navidrome",
      "data": {
        "url": "http://navidrome:4533",
        "user": "admin",
-        "password": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NAVIDROME_PASSWORD'] }}"
+        "password": "{{ vault_secrets['NAVIDROME_PASSWORD'] }}"
      }
    }
  ],
  "clients": [
    {
      "type": "lastfm",
      "name": "lastFmClient",
      "enable": true,
      "name": "lastFmClient",
      "data": {
-        "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
+        "apiKey": "{{ vault_secrets['LASTFM_API_KEY'] }}",
-        "secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
+        "secret": "{{ vault_secrets['LASTFM_API_SECRET'] }}",
        "redirectUri": "http://localhost:9078/lastfm/callback"
      }
    },
    {
      "type": "listenbrainz",
      "name": ";istenBrainzClient",
      "enable": true,
      "name": "ListenBrainzClient",
      "data": {
-        "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_LISTENBRAINZ_TOKEN'] }}",
+        "token": "{{ vault_secrets['MALOJA_LISTENBRAINZ_TOKEN'] }}",
        "username": "Trez.One"
      }
    },
@@ -88,7 +91,7 @@
      "name": "maloja",
      "data": {
        "url": "http://maloja:42010",
-        "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_API_KEY'] }}"
+        "apiKey": "{{ vault_secrets['MALOJA_API_KEY'] }}"
      }
    }
  ],
@@ -97,7 +100,7 @@
      "name": "Gotify",
      "type": "gotify",
      "url": "http://gotify",
-      "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MULTI_SCROBBLER_GOTIFY_TOKEN'] }}",
+      "token": "{{ vault_secrets['MULTI_SCROBBLER_GOTIFY_TOKEN'] }}",
      "priorities": {
        "info": 5,
        "warn": 7,
@@ -2,7 +2,7 @@
  "Stuns": [
    {
      "Proto": "udp",
-      "URI": "stun:netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:3478",
+      "URI": "stun:netbird.{{ vault_secrets['MY_TLD'] }}:3478",
      "Username": "",
      "Password": null
    }
@@ -11,9 +11,9 @@
    "Turns": [
      {
        "Proto": "udp",
-        "URI": "turn:netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:3478",
+        "URI": "turn:netbird.{{ vault_secrets['MY_TLD'] }}:3478",
        "Username": "self",
-        "Password": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_TURN_PASSWORD'] }}"
+        "Password": "{{ vault_secrets['NETBIRD_TURN_PASSWORD'] }}"
      }
    ],
    "CredentialsTTL": "12h",
@@ -22,14 +22,14 @@
  },
  "Relay": {
    "Addresses": [
-      "rel://netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:33080"
+      "rel://netbird.{{ vault_secrets['MY_TLD'] }}:33080"
    ],
    "CredentialsTTL": "24h",
-    "Secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_RELAY_AUTH_SECRET'] }}"
+    "Secret": "{{ vault_secrets['NETBIRD_RELAY_AUTH_SECRET'] }}"
  },
  "Signal": {
    "Proto": "https",
-    "URI": "netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:10001",
+    "URI": "netbird.{{ vault_secrets['MY_TLD'] }}:10001",
    "Username": "",
    "Password": null
  },
@@ -47,14 +47,14 @@
  },
  "HttpConfig": {
    "Address": "0.0.0.0:33073",
-    "AuthIssuer": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}",
+    "AuthIssuer": "https://auth.{{ vault_secrets['MY_TLD'] }}",
    "AuthAudience": "netbird",
-    "AuthKeysLocation": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/jwks.json",
+    "AuthKeysLocation": "https://auth.{{ vault_secrets['MY_TLD'] }}/jwks.json",
    "AuthUserIDClaim": "",
    "CertFile": "",
    "CertKey": "",
    "IdpSignKeyRefreshEnabled": true,
-    "OIDCConfigEndpoint": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/.well-known/openid-configuration"
+    "OIDCConfigEndpoint": "https://auth.{{ vault_secrets['MY_TLD'] }}/.well-known/openid-configuration"
  },
  "IdpManagerConfig": {},
  "DeviceAuthorizationFlow": {},
@@ -62,10 +62,10 @@
    "ProviderConfig": {
      "Audience": "netbird",
      "ClientID": "netbird",
-      "ClientSecret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_NETBIRD_CLIENT_SECRET'] }}",
+      "ClientSecret": "{{ vault_secrets['AUTHELIA_NETBIRD_CLIENT_SECRET'] }}",
      "Domain": "",
-      "AuthorizationEndpoint": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/api/oidc/authorization",
+      "AuthorizationEndpoint": "https://auth.{{ vault_secrets['MY_TLD'] }}/api/oidc/authorization",
-      "TokenEndpoint": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/api/oidc/token",
+      "TokenEndpoint": "https://auth.{{ vault_secrets['MY_TLD'] }}/api/oidc/token",
      "Scope": "openid profile email offline_access api",
      "RedirectURLs": [
        "http://localhost:53000"
@@ -250,7 +250,7 @@ lt-cred-mech
 #user=username1:key1
 #user=username2:key2
 # OR:
-user=self:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_TURN_PASSWORD'] }}
+user=self:{{ vault_secrets['NETBIRD_TURN_PASSWORD'] }}
 #user=username2:password2
 #
 # Keys must be generated by turnadmin utility. The key value depends
@@ -18,13 +18,13 @@ web_server:
 main_db:
  host: mariadb
  username: postal
-  password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_MYSQL_PASSWORD'] }}
+  password: {{ vault_secrets['POSTAL_MYSQL_PASSWORD'] }}
  database: postal
 message_db:
  host: mariadb
  username: postal
-  password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_MYSQL_PASSWORD'] }}
+  password: {{ vault_secrets['POSTAL_MYSQL_PASSWORD'] }}
  prefix: postal
 smtp_server:
@@ -52,11 +52,11 @@ smtp:
  host: postal-smtp
  port: 25
  username: rinoa/postal-smtp
-  password: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}"
+  password: "{{ vault_secrets['POSTAL_SMTP_AUTH_PASSWORD'] }}"
  from_name: Postal @ Rinoa
  from_address: noreply@trez.wtf
 rails:
  # This is generated automatically by the config initialization. It should be a random
  # string unique to your installation.
-  secret_key: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_RAILS_SECRET_KEY'] }}"
+  secret_key: "{{ vault_secrets['POSTAL_RAILS_SECRET_KEY'] }}"
@@ -7,7 +7,7 @@
  <SslPort>6969</SslPort>
  <EnableSsl>False</EnableSsl>
  <LaunchBrowser>True</LaunchBrowser>
-  <ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['PROWLARR_API_KEY'] }}</ApiKey>
+  <ApiKey>{{ vault_secrets['PROWLARR_API_KEY'] }}</ApiKey>
  <AuthenticationMethod>Forms</AuthenticationMethod>
  <AuthenticationRequired>Enabled</AuthenticationRequired>
  <Branch>master</Branch>
@@ -3,9 +3,9 @@
 {
    "radarr_address": "http://radarr:7878",
-    "radarr_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['RADARR_API_KEY'] }}",
+    "radarr_api_key": "{{ vault_secrets['RADARR_API_KEY'] }}",
    "root_folder_path": "/data/media/movies",
-    "tmdb_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['TMDB_API_KEY'] }}",
+    "tmdb_api_key": "{{ vault_secrets['TMDB_API_KEY'] }}",
    "fallback_to_top_result": false,
    "radarr_api_timeout": 120.0,
    "quality_profile_id": 1,
@@ -8,7 +8,7 @@
  <SslCertPath></SslCertPath>
  <Port>7878</Port>
  <UrlBase></UrlBase>
-  <ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['RADARR_API_KEY'] }}</ApiKey>
+  <ApiKey>{{ vault_secrets['RADARR_API_KEY'] }}</ApiKey>
  <AuthenticationMethod>Forms</AuthenticationMethod>
  <UpdateMechanism>Docker</UpdateMechanism>
  <SslPort>9898</SslPort>
@@ -7,7 +7,7 @@
  <SslPort>6868</SslPort>
  <EnableSsl>False</EnableSsl>
  <LaunchBrowser>True</LaunchBrowser>
-  <ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['READARR_API_KEY'] }}</ApiKey>
+  <ApiKey>{{ vault_secrets['READARR_API_KEY'] }}</ApiKey>
  <AuthenticationMethod>Forms</AuthenticationMethod>
  <Branch>develop</Branch>
  <LogLevel>info</LogLevel>
@@ -0,0 +1,48 @@
 # This is a generic example of a configuration file
 # Rename this file to `config.yml`, copy it to a `config` folder, and mount that folder as per the docker-compose.example.yml
 # Only uncomment the lines you want to use/modify, or add new ones where needed
 exclude:
  # Exclude platforms to be scanned
  platforms: [] # ['my_excluded_platform_1', 'my_excluded_platform_2']
  # Exclude roms or parts of roms to be scanned
  roms:
    # Single file games section.
    # Will not apply to files that are in sub-folders (multi-disc roms, games with updates, DLC, patches, etc.)
    single_file:
      # Exclude all files with certain extensions to be scanned
      extensions: [] # ['xml', 'txt']
      # Exclude matched file names to be scanned.
      # Supports unix filename pattern matching
      # Can also exclude files by extension
      names: [] # ['info.txt', '._*', '*.nfo']
    # Multi files games section
    # Will apply to files that are in sub-folders (multi-disc roms, games with updates, DLC, patches, etc.)
    multi_file:
      # Exclude matched 'folder' names to be scanned (RomM identifies folders as multi file games)
      names: [] # ['my_multi_file_game', 'DLC']
      # Exclude files within sub-folders.
      parts:
        # Exclude matched file names to be scanned from multi file roms
        # Keep in mind that RomM doesn't scan folders inside multi files games,
        # so there is no need to exclude folders from inside of multi files games.
        names: [] # ['data.xml', '._*'] # Supports unix filename pattern matching
        # Exclude all files with certain extensions to be scanned from multi file roms
        extensions: [] # ['xml', 'txt']
 system:
  # Asociate different platform names to your current file system platform names
  # [your custom platform folder name]: [RomM platform name]
  # In this example if you have a 'gc' folder, RomM will treat it like the 'ngc' folder and if you have a 'psx' folder, RomM will treat it like the 'ps' folder
  platforms: {} # { gc: 'ngc', psx: 'ps' }
  # Asociate one platform to it's main version
  versions: {} # { naomi: 'arcade' }
 # The folder name where your roms are located
 filesystem: {} # { roms_folder: 'roms' } For example if your folder structure is /home/user/library/roms_folder
@@ -22,7 +22,7 @@ host = 0.0.0.0
 port = 8080
 https_port = 8090
 username = thetrezuredone
-password = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SABNZBDVPN_PASSWORD'] }}
+password = {{ vault_secrets['SABNZBDVPN_PASSWORD'] }}
 bandwidth_max = 1000M
 cache_limit = 1G
 web_dir = Glitter
@@ -33,7 +33,7 @@ https_chain = ""
 enable_https = 1
 inet_exposure = 0
 local_ranges = ,
-api_key = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SABNZBDVPN_API_KEY'] }}
+api_key = {{ vault_secrets['SABNZBDVPN_API_KEY'] }}
 nzb_key = 3c0fa874bb2748b58c1bd7512e649946
 permissions = 775
 download_dir = /storage/downloads/incomplete
@@ -342,7 +342,7 @@ host = news.newshosting.com
 port = 563
 timeout = 60
 username = thetrezuredone
-password = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSK_USER_PASSWORD'] }}
+password = {{ vault_secrets['SLSK_USER_PASSWORD'] }}
 connections = 8
 ssl = 1
 ssl_verify = 3
@@ -363,7 +363,7 @@ host = news.easynews.com
 port = 443
 timeout = 60
 username = TrezOne
-password = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SABNZBDVPN_EASYNEWS_PASSWORD'] }}
+password = {{ vault_secrets['SABNZBDVPN_EASYNEWS_PASSWORD'] }}
 connections = 60
 ssl = 0
 ssl_verify = 3
@@ -82,7 +82,7 @@ server:
  # If your instance owns a /etc/searxng/settings.yml file, then set the following
  # values there.
-  secret_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SEARXNG_SECRET_KEY'] }}  # Is overwritten by ${SEARXNG_SECRET}
+  secret_key: {{ vault_secrets['SEARXNG_SECRET_KEY'] }}  # Is overwritten by ${SEARXNG_SECRET}
  # Proxying image results through searx
  image_proxy: true
  # 1.0 and 1.1 are supported
@@ -211,11 +211,13 @@ outgoing:
 # Comment or un-comment plugin to activate / deactivate by default.
 #
-# enabled_plugins:
+enabled_plugins:
 #   # these plugins are enabled if nothing is configured ..
-#   - 'Hash plugin'
+  - 'Hash plugin'
-#   - 'Self Information'
+  - 'Self Information'
-#   - 'Tracker URL remover'
+  - 'Tracker URL remover'
  - 'Basic Calculator'
  - 'Unit converter plugin'
 #   - 'Ahmia blacklist'  # activation depends on outgoing.using_tor_proxy
 #   # these plugins are disabled if nothing is configured ..
 #   - 'Hostname replace'  # see hostname_replace configuration below
@@ -8,7 +8,7 @@
  <SslPort>9898</SslPort>
  <UrlBase></UrlBase>
  <BindAddress>*</BindAddress>
-  <ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SONARR_API_KEY'] }}</ApiKey>
+  <ApiKey>{{ vault_secrets['SONARR_API_KEY'] }}</ApiKey>
  <AuthenticationMethod>Forms</AuthenticationMethod>
  <UpdateMechanism>Docker</UpdateMechanism>
  <LaunchBrowser>True</LaunchBrowser>
@@ -3,10 +3,10 @@
 {
    "sonarr_address": "http://192.168.1.2:8989",
-    "sonarr_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SONARR_API_KEY'] }}",
+    "sonarr_api_key": "{{ vault_secrets['SONARR_API_KEY'] }}",
    "root_folder_path": "/data/media/shows",
    "tvdb_api_key": "",
-    "tmdb_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['TMDB_API_KEY'] }}",
+    "tmdb_api_key": "{{ vault_secrets['TMDB_API_KEY'] }}",
    "fallback_to_top_result": false,
    "sonarr_api_timeout": 120.0,
    "quality_profile_id": 1,
@@ -2,7 +2,7 @@
 {% set secrets_path = 'rinoa-docker/env' %}
 [Lidarr]
-api_key = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIDARR_API_KEY'] }}
+api_key = {{ vault_secrets['LIDARR_API_KEY'] }}
 host_url = http://lidarr:8686
 #This should be the path mounted in lidarr that points to your slskd download directory.
 #If Lidarr is not running in Docker then this may just be the same dir as Slskd is using below.
@@ -10,7 +10,7 @@ download_dir = /storage
 [Slskd]
 #Api key from Slskd. Need to set this up manually. See link to Slskd docs above.
-api_key = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSKD_API_KEY'] }}
+api_key = {{ vault_secrets['SLSKD_API_KEY'] }}
 host_url = http://gluetun:5030
 #Slskd download directory. Should have set it up when installing Slskd.
 download_dir = /app/downloads
@@ -198,15 +198,15 @@ rooms:
 web:
  authentication:
    username: slskd
-    password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSKD_WEB_PASSSWORD'] }}
+    password: {{ vault_secrets['SLSKD_WEB_PASSSWORD'] }}
    api_keys:
      my_api_key:
-        key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSKD_API_KEY'] }}
+        key: {{ vault_secrets['SLSKD_API_KEY'] }}
        role: readwrite
        cidr: 0.0.0.0/0,::/0
 soulseek:
  address: vps.slsknet.org
  port: 2271
  username: Trez.One
-  password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSK_USER_PASSWORD'] }}
+  password: {{ vault_secrets['SLSK_USER_PASSWORD'] }}
  diagnostic_level: Info
@@ -6,7 +6,7 @@
  "repos": [
      {
          "type": "gitea",
-          "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_GITEA_TOKEN'] }}",
+          "token": "{{ vault_secrets['GITEA_SONARQUBE_BOT_GITEA_TOKEN'] }}",
          "url": "https://git.trez.wtf",
          "revisions": {
              "branches": [
@@ -24,6 +24,6 @@
    <entry key='database.driver'>org.postgresql.Driver</entry>
    <entry key='database.url'>jdbc:postgresql://traccar-pg:5432/traccar-db</entry>
    <entry key='database.user'>traccar</entry>
-    <entry key='database.password'>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['WAZUH_API_PASSWORD'] }}</entry>
+    <entry key='database.password'>{{ vault_secrets['WAZUH_API_PASSWORD'] }}</entry>
 </properties>
@@ -21,7 +21,7 @@
      auth:
        strategy: basic
        user: admin
-        password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['PARSEABLE_PASSWORD'] }}
+        password: {{ vault_secrets['PARSEABLE_PASSWORD'] }}
      request:
        headers:
          X-P-Stream: rinoa-docker-logs
@@ -6,5 +6,5 @@ hosts:
      url: "https://wazuh.manager"
      port: 55000
      username: wazuh-wui
-      password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['WAZUH_API_PASSWORD'] }}
+      password: {{ vault_secrets['WAZUH_API_PASSWORD'] }}
      run_as: false
@@ -37,7 +37,7 @@ SMTPConfiguration:
    SMTP:
      # must include the port, like smtp.mailtrap.io:2525. IPv6 is also supported, like [2001:db8::1]:2525
      Host: 'postal-smtp:25'
-      User: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}
+      User: {{ vault_secrets['POSTAL_SMTP_AUTH_USER'] }}
-      Password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}
+      Password: {{ vault_secrets['POSTAL_SMTP_AUTH_PASSWORD'] }}
    From: 'noreply@trez.wtf'
    FromName: 'Zitadel @ Rinoa'
@@ -7,7 +7,7 @@ Database:
    User:
      # If the user doesn't exist already, it is created
      Username: 'zitadel'
-      Password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['ZITADEL_DB_PASSWORD'] }}
+      Password: {{ vault_secrets['ZITADEL_DB_PASSWORD'] }}
    Admin:
      Username: 'root'
-      Password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['ZITADEL_DB_ADMIN_PASSWORD'] }}
+      Password: {{ vault_secrets['ZITADEL_DB_ADMIN_PASSWORD'] }}
@@ -12,6 +12,12 @@
        mode: '0755'
      loop: "{{ query('fileglob', 'app-configs/*.j2') }}"
    - name: Fetch Vault secrets once
      ansible.builtin.set_fact:
        vault_secrets: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env',
          engine_mount_point='rinoa-docker', url=vault_addr,
          token=vault_token_cleaned)['secret'] }}"
    - name: Deploy configuration templates
      ansible.builtin.template:
        src: "{{ item }}"
@@ -1,14 +1,14 @@
 vault_addr: "https://vault.trez.wtf"
 vault_token: !vault |
  $ANSIBLE_VAULT;1.1;AES256
-  61383638616263666539386332333638356662623166393234383666366265346537353533653833
+  39306238386563313462666238333237346239326636633731326263653639646235363937386333
-  3333313230636166663734356261316132393834613737630a386166376365333862383031343838
+  6138653434613437643134653463363230303038373765380a636162663734393632396638313261
-  35346338633530636463643165623432353466363230646239656463333263373738663639313136
+  39613730633935373063663030616131653731376461333762633131633066366165343536323031
-  3966633235393937350a343337613061616238323238386332363635623932333230323037353136
+  3539373461383138310a383734313237313231363539383632323130336536656662313861336261
-  66616561613038656462636565656361613065373238613862386235623265396133633034326563
+  65393033633461363837366462656134386430353236343136616161663364376261623834366466
-  32663532343137366334366630356232313865666661326337326263613262306637663434646639
+  30303765393039376666303937663839663630623063666135313636353432396161333434653435
-  61623030383963623332333135396363643036646461303438643233313136346139343232353535
+  32623634313531343466613966663139333234616137646636636134373264333263343533393331
-  39356432623161333661333266333937626364643964333839333934306364373234653761326638
+  32313530373164653730656662383837626139643364376134376634613237323063343731663734
-  33396534396163373034666164393039303639643431353662666265666264353062
+  36306335303936633334353564306239663563366435316464343039373965383032
 vault_token_cleaned: "{{ vault_token | regex_replace('\\n', '') }}"
 secrets_path: "rinoa-docker/env"
@@ -1,13 +1,13 @@
 rinoa:
-        ansible_host: 192.168.1.254
+  ansible_host: 192.168.1.254
-        ansible_python_interpreter: /usr/bin/python3
+  ansible_python_interpreter: /usr/bin/python3
-        ansible_ssh_port: 22
+  ansible_ssh_port: 22
-        ansible_ssh_user: charish
+  ansible_ssh_user: charish
-        ansible_ssh_pass: !vault |
+  ansible_ssh_pass: !vault |
-                $ANSIBLE_VAULT;1.1;AES256
+    $ANSIBLE_VAULT;1.1;AES256
-                38346631616139316365316566386362396661323163306339303635646331373061323531626431
+    32303262303733356636343163363062383539623938383439373166623236366664333830653163
-                3435373031363739356261656239633835393963636663370a613166653463656337666366633639
+    3134323461373461663638333265643631666437306362350a353632313337316535633838343137
-                37373637326633363430633336646165343764303063663636313835326130663532323037663331
+    37353139396531613763393139653231333666363935613462343831303866363863653161636138
-                6332353339656134370a353435396532663932313535646636333262353238386331313764633635
+    3438316261363139650a313161643039366438356462383730663839366562333464636130346132
-                63383065623930653134666261353439366535646661383434386261393232373432353937636535
+    31363235326362396630313966303064373532306638383739373739336661346438336534366537
-                3432336137393737643735346665303832653630316439333565
+    6565643866333964353563346433323861346262323933333732
@@ -1,7 +1,7 @@
 $ANSIBLE_VAULT;1.1;AES256
-65353131326537376561616630666531353731653835306564323565383332653437633533313932
+32303262303733356636343163363062383539623938383439373166623236366664333830653163
-6239663065306339366536326432323534303364663862350a353034623936363066303164333434
+3134323461373461663638333265643631666437306362350a353632313337316535633838343137
-32666331326332363463383234316136323031626330366132643034376439616339396662636236
+37353139396531613763393139653231333666363935613462343831303866363863653161636138
-3633393039376438630a326138653031656465373966356564336463643465613638313838393166
+3438316261363139650a313161643039366438356462383730663839366562333464636130346132
-36626366356266636535613862333631386231626134376264363731353264613261633037646662
+31363235326362396630313966303064373532306638383739373739336661346438336534366537
-6431393837653564366531316332616232336365636533643036
+6565643866333964353563346433323861346262323933333732