Adding Jinja macro for Vault lookup.

Merged by Trez.One

.gitea/workflows/pr-ansible-config-deployment.yaml

@@ -0,0 +1,198 @@
+name: Gitea Branch PR & Ansible Deployment
+on:
+  workflow_dispatch:
+  push:
+    branches-ignore:
+      - 'main'
+    paths:
+      - '**.j2'
+      - '**/pr-ansible-config-deployment.yaml'
+      - 'ansible/**.yml'
+jobs:
+  check-and-create-pr:
+    if: github.ref != 'refs/heads/main'
+    name: Check and Create PR
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+      - name: Cache tea CLI
+        id: cache-tea
+        uses: actions/cache@v4
+        with:
+          path: /opt/hostedtoolcache/tea/0.9.2/x64
+          key: tea-${{ runner.os }}-0.9.2
+      - name: Install tea
+        uses: supplypike/setup-bin@v4
+        with:
+          uri: 'https://gitea.com/gitea/tea/releases/download/v0.9.2/tea-0.9.2-linux-amd64'
+          name: 'tea'
+          version: '0.9.2'
+      - name: Gotify Notification
+        uses: eikendev/gotify-action@master
+        with:
+          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
+          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
+          notification_title: 'GITEA: PR Check'
+          notification_message: 'Checking for existing PR... 🔍'
+      - name: Check if open PR exists
+        id: check-opened-pr-step
+        continue-on-error: true
+        run: |
+          tea login add --name gitea-rinoa --url "${{ secrets.RINOA_GITEA_URL }}" --user gitea-sonarqube-bot --password "${{ secrets.BOT_GITEA_PASSWORD }}" --token ${{ secrets.BOT_GITEA_TOKEN }}
+          pr_exists=$(tea pr list --repo ${{ github.repository }} --state open --fields index,title,head | egrep '\[ANSIBLE\].*${{ github.ref_name }}' | tail -1 | wc -l)
+          echo "exists=$pr_exists" >> $GITHUB_OUTPUT
+      - name: Create PR
+        if: ${{ steps.check-opened-pr-step.outputs.exists == '0' }}
+        run: |
+          tea login default gitea-rinoa
+          pr_index_old=$(tea pr ls --repo ${{ github.repository }} --state all --fields index,title,head --output csv | sed -e 's|"||g' | egrep '^[0-9]' | head -1 | awk -F"," '{print $1}')
+          pr_index_new=$(expr ${pr_index_old} + 1)
+          tea pr c -r ${{ github.repository }} -t "[ANSIBLE] Automated PR for ${{ github.ref_name }} - #${pr_index_new}" -d "Automatically created PR for branch: ${{ github.ref_name }}" -a ${{ github.actor }} -L "Ansible Configs.j2"
+      - name: Gotify Notification
+        uses: eikendev/gotify-action@master
+        with:
+          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
+          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
+          notification_title: 'GITEA: PR Check'
+          notification_message: 'PR Created 🎟️'
+  ansible-linting:
+    name: Ansible Lint
+    needs: [check-and-create-pr]
+    runs-on: ubuntu-latest
+    env:
+      VAULT_ADDR: ${{ secrets.RINOA_VAULT_ADDR }}
+      VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
+      VAULT_NAMESPACE: ""
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Cache Ansible Galaxy Collections
+        uses: actions/cache@v3
+        with:
+          path: ansible/collections
+          key: ${{ runner.os }}-ansible-${{ hashFiles('./ansible/collections/requirements.yml') }}
+          restore-keys: |
+            ${{ runner.os }}-ansible-
+      - name: Install Ansible
+        uses: alex-oleshkevich/setup-ansible@v1.0.1
+        with:
+          version: "11.4.0"
+      - name: Install Vault
+        uses: cpanato/vault-installer@main
+      - name: Install hvac
+        run: |
+          pip install hvac
+      - name: Gotify Notification
+        uses: eikendev/gotify-action@master
+        with:
+          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
+          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
+          notification_title: 'GITEA: Ansible Config Dry Run @ Rinoa'
+          notification_message: 'Starting Ansible dry run...'
+      - name: Ansible Playbook Dry Run
+        uses: dawidd6/action-ansible-playbook@v3
+        with:
+          directory: ansible/
+          playbook: docker_config_deploy.yml
+          key: ${{ secrets.RINOA_ANSIBLE_PRIVATE_KEY }}
+          vault_password: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
+          requirements: collections/requirements.yml
+          options: |
+            --check
+            --inventory inventory/hosts.yml
+            -v
+      - name: Gotify Notification
+        uses: eikendev/gotify-action@master
+        with:
+          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
+          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
+          notification_title: 'GITEA: Docker Compose Dry Run @ Rinoa'
+          notification_message: 'Docker Compose dry run completed successfully.'
+  pr-merge:
+    name: PR Merge
+    needs: [regenerate-readme-modified-services]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Install tea
+        uses: supplypike/setup-bin@v4
+        with:
+          uri: 'https://gitea.com/gitea/tea/releases/download/v0.9.2/tea-0.9.2-linux-amd64'
+          name: 'tea'
+          version: '0.9.2'
+      - name: PR Merge
+        id: pr_merge
+        run: |
+          tea login add --name gitea-rinoa --url ${{ secrets.RINOA_GITEA_URL }} --user gitea-sonarqube-bot --password "${{ secrets.BOT_GITEA_PASSWORD }}" --token ${{ secrets.BOT_GITEA_TOKEN }}
+          tea login default gitea-rinoa
+          echo "Merging PR..."
+          pr_index=$(tea pr ls --repo ${{ github.repository }} --state open --fields index,title,head,state --output csv | egrep ${{ github.ref_name }} | awk -F"," '{print $1}' | sed -e 's|"||g')
+          tea pr m --repo ${{ github.repository }} --title "Auto Merge of PR ${pr_index} - ${{ github.ref_name }}" --message "Merged by ${{ github.actor }}" ${pr_index}
+          echo "pr_index=${pr_index}" >> $GITHUB_OUTPUT
+      - name: Gotify Notification
+        uses: eikendev/gotify-action@master
+        with:
+          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
+          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
+          notification_title: 'GITEA: PR Merge Successful'
+          notification_message: 'PR #${{ steps.pr_merge.outputs.pr_index }} merged.'
+  ansible-config-deploy:
+    name: Ansible Config Deployment
+    runs-on: ubuntu-latest
+    needs: [pr-merge]
+    env:
+      VAULT_ADDR: ${{ secrets.RINOA_VAULT_ADDR }}
+      VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
+      DOCKER_HOST: tcp://dockerproxy:2375
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: main
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: 3.12
+      - name: Cache Vault install
+        id: cache-vault
+        uses: actions/cache@v4
+        with:
+          path: /opt/hostedtoolcache/vault/1.18.0/x64
+          key: vault-${{ runner.os }}-1.18.0
+      - name: Install Ansible
+        uses: alex-oleshkevich/setup-ansible@v1.0.1
+        with:
+          version: "11.4.0"
+      - name: Install Vault
+        uses: cpanato/vault-installer@main
+      - name: Install hvac
+        run: |
+          pip install hvac
+      - name: Gotify Notification
+        uses: eikendev/gotify-action@master
+        with:
+          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
+          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
+          notification_title: 'GITEA: Ansible Config Deployment @ Rinoa'
+          notification_message: 'Starting config deployment with Ansible...'
+      - name: Ansible Playbook Config Deploy
+        uses: dawidd6/action-ansible-playbook@v3
+        with:
+          directory: ansible/
+          playbook: docker_config_deploy.yml
+          key: ${{ secrets.RINOA_ANSIBLE_PRIVATE_KEY }}
+          vault_password: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
+          requirements: collections/requirements.yml
+          options: |
+            --inventory inventory/hosts.yml
+      - name: Gotify Notification
+        uses: eikendev/gotify-action@master
+        with:
+          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
+          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
+          notification_title: 'GITEA: Ansible Config Deployment @ Rinoa'
+          notification_message: 'Deployment completed successfully.'

.gitea/workflows/pr-cloudflare-docker-deploy.yml

@@ -1,8 +1,13 @@
-name: Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment
+name: Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment
 on:
+  workflow_dispatch:
   push:
     branches-ignore:
       - 'main'
+    paths:
+      - '**/docker-compose.yml'
+      - '**/pr-cloudflare-docker-deploy.yml'
+      - '!ansible/**.yml'
 jobs:
   check-and-create-pr:
     if: github.ref != 'refs/heads/main'
@@ -37,7 +42,7 @@ jobs:
         continue-on-error: true
         run: |
           tea login add --name gitea-rinoa --url "${{ secrets.RINOA_GITEA_URL }}" --user gitea-sonarqube-bot --password "${{ secrets.BOT_GITEA_PASSWORD }}" --token ${{ secrets.BOT_GITEA_TOKEN }}
-          pr_exists=$(tea pr list --repo ${{ github.repository }} --state open --fields index,title,head | egrep ${{ github.ref_name }} | tail -1 | wc -l)
+          pr_exists=$(tea pr list --repo ${{ github.repository }} --state open --fields index,title,head | egrep '\[DOCKER\].*${{ github.ref_name }}' | tail -1 | wc -l)
           echo "exists=$pr_exists" >> $GITHUB_OUTPUT
       - name: Create PR
         if: ${{ steps.check-opened-pr-step.outputs.exists == '0' }}
@@ -45,7 +50,7 @@ jobs:
           tea login default gitea-rinoa
           pr_index_old=$(tea pr ls --repo ${{ github.repository }} --state all --fields index,title,head --output csv | sed -e 's|"||g' | egrep '^[0-9]' | head -1 | awk -F"," '{print $1}')
           pr_index_new=$(expr ${pr_index_old} + 1)
-          tea pr c -r ${{ github.repository }} -t "Automated PR for ${{ github.ref_name }} - #${pr_index_new}" -d "Automatically created PR for branch: ${{ github.ref_name }}" -a ${{ github.actor }} -L "Docker Compose, Ansible Configs.j2"
+          tea pr c -r ${{ github.repository }} -t "[DOCKER] Automated PR for ${{ github.ref_name }} - #${pr_index_new}" -d "Automatically created PR for branch: ${{ github.ref_name }}" -a ${{ github.actor }} -L "Docker Compose"
       - name: Gotify Notification
         uses: eikendev/gotify-action@master
         with:
@@ -53,73 +58,95 @@ jobs:
           gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
           notification_title: 'GITEA: PR Check'
           notification_message: 'PR Created 🎟️'
-  docker-compose-ansible-lints:
-    name: Docker Compose & Ansible Lints
+  docker-compose-dry-run:
+    name: Docker Compose Dry Run
     needs: [check-and-create-pr]
     runs-on: ubuntu-latest
     env:
       VAULT_ADDR: ${{ secrets.RINOA_VAULT_ADDR }}
       VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
       VAULT_NAMESPACE: ""
+      RINOA_REGISTRY_PASSWORD: ${{ secrets.BOT_GITEA_PASSWORD }}
+    outputs:
+      svc_deploy_list: ${{ steps.modded_svcs.outputs.rinoa_svcs }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
-      - name: Cache Ansible Galaxy Collections
-        uses: actions/cache@v3
-        with:
-          path: ansible/collections
-          key: ${{ runner.os }}-ansible-${{ hashFiles('./ansible/collections/requirements.yml') }}
-          restore-keys: |
-            ${{ runner.os }}-ansible-
-      - name: Install Ansible
-        uses: alex-oleshkevich/setup-ansible@v1.0.1
-        with:
-          version: "11.0.0"
+      - name: Fetch base branch
+        run: |
+          git fetch origin ${{ github.event.pull_request.base.ref }}
+      - name: Login to Gitea Container Registry
+        run: |
+          docker login -u gitea-sonarqube-bot -p ${RINOA_REGISTRY_PASSWORD} git.trez.wtf
+      - name: Save both versions of docker-compose.yml
+        run: |
+          git show origin/main:docker-compose.yml > docker-compose-main.yml || touch docker-compose-main.yml
+          cp docker-compose.yml docker-compose-head.yml
+      - name: Detect added, deleted, and modified services
+        id: detect_services
+        run: |
+          echo "Getting services from main and ${{ github.ref_name }}"
+          yq '.services | keys | .[]' docker-compose-main.yml | sort > services_main.txt
+          yq '.services | keys | .[]' docker-compose-head.yml | sort > services_head.txt
+
+          echo "Creating list of modified services..."
+          touch service_changes.txt
+
+          comm -13 services_main.txt services_head.txt | while read service; do
+            echo "$service: added" >> service_changes.txt
+          done
+
+          comm -12 services_main.txt services_head.txt | while read service; do
+            yq ".services[\"$service\"]" docker-compose-main.yml > tmp_main.yml
+            yq ".services[\"$service\"]" docker-compose-head.yml > tmp_head.yml
+            if ! diff -q tmp_main.yml tmp_head.yml > /dev/null; then
+              echo "$service: modified" >> service_changes.txt
+            fi
+          done
+
+          echo "Detected service changes:"
+          cat service_changes.txt
+
+          svc_list=$(paste -sd '|' service_changes.txt)
+          echo "classified_services=$svc_list" >> "$GITHUB_OUTPUT"
       - name: Install Vault
         uses: cpanato/vault-installer@main
-      - name: Install hvac
-        run: pip install hvac
       - name: Gotify Notification
         uses: eikendev/gotify-action@master
         with:
           gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
           gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
-          notification_title: 'GITEA: Ansible Config Dry Run @ Rinoa'
-          notification_message: 'Starting Ansible dry run...'
-      - name: Ansible Playbook Dry Run
-        uses: dawidd6/action-ansible-playbook@v2
-        with:
-          directory: ansible/
-          playbook: docker_config_deploy.yml
-          key: ${{ secrets.RINOA_ANSIBLE_PRIVATE_KEY }}
-          options: |
-            --inventory inventory/hosts.yml
-            --check
-          requirements: collections/requirements.yml
-          vault_password: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
-      - name: Gotify Notification
-        uses: eikendev/gotify-action@master
-        with:
-          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
-          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
-          notification_title: 'GITEA: Ansible Config Dry Run @ Rinoa'
-          notification_message: 'Ansible dry run completed successfully; starting Docker Compose'
-      - name: Generate .env file for Docker Compose Dry Run
-        run: |
-          vault kv get -format=json rinoa-docker/env | jq -r '.data.data' | jq -r 'keys[] as $k | "\($k)='\''\(.[$k])'\''"' > .env
+          notification_title: 'GITEA: Docker Compose Dry Run @ Rinoa'
+          notification_message: 'Starting Docker Compose dry run...'
       - name: Cache .env Files
         uses: actions/cache@v4
         with:
           path: .env
           key: ${{ runner.os }}-env-${{ hashFiles('docker-compose.yml') }}
+      - name: Generate modified services list & .env file for Docker Compose Dry Run
+        id: modded_svcs
+        run: |
+          mod_svcs=$(echo "${{ steps.detect_services.outputs.classified_services }}" | sed -e 's/|//g' -e 's/: \(add\|modifi\|delet\)ed/ /g')
+          echo ${mod_svcs}
+          vault kv get -format=json rinoa-docker/env | jq -r '.data.data' | jq -r 'keys[] as $k | "\($k)='\''\(.[$k])'\''"' > .env
+          echo "rinoa_svcs=${mod_svcs}" >> "$GITHUB_OUTPUT"
+      - name: Testing service list output
+        run: |
+          echo ${{ steps.modded_svcs.outputs.rinoa_svcs }}
       - name: Docker Compose Dry Run
-        uses: yu-ichiro/spin-up-docker-compose-action@v1
+        timeout-minutes: 360
+        continue-on-error: true
+        uses: chaplyk/docker-compose-remote-action@v1.1
         with:
-          file: docker-compose.yml
-          pull: true
-          pull-opts: --dry-run
-          up: true
-          up-opts: --dry-run -d --remove-orphans
+          ssh_host: 192.168.1.254
+          ssh_port: 22
+          ssh_user: gitea-deploy
+          ssh_key: ${{ secrets.RINOA_GITEA_PRIVATE_SSH_KEY }}
+          service: ${{ steps.modded_svcs.outputs.rinoa_svcs }}
+          compose_file: docker-compose.yml
+          pull: false
+          build: false
+          options: -d --remove-orphans
         env:
           DOCKER_HOST: tcp://dockerproxy:2375
       - name: Gotify Notification
@@ -202,28 +229,11 @@ jobs:
     name: Update README & Generate List of Modified Services
     runs-on: ubuntu-latest
     needs: [cloudflare-dns-setup]
-    # outputs:
-    #   pr-pushed: ${{ steps.commit-readme.outputs.pushed }}
-    #   modified_services: ${{ steps.compare-services.outputs.modified_services }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
       - name: Install yq
         uses: dcarbone/install-yq-action@v1
-      # - name: Fetch main branch for comparison
-      #   run: |
-      #     git fetch origin main:main
-      # - name: Compare services using yq
-      #   continue-on-error: true
-      #   id: compare-services
-      #   run: |
-      #     current_services=$(yq '.services | to_entries' docker-compose.yml)
-      #     git show main:docker-compose.yml > main_compose.yml
-      #     main_services=$(yq '.services | to_entries' main_compose.yml)
-      #     modified_services_file=$(comm -13 <(echo "$main_services") <(echo "$current_services") > changes_compose.yml)
-      #     modified_services=${egrep '^  [a-z]' changes.yml | sed -e 's|^  ||g' -e 's|:||g' | sed ':a;N;$!ba;s/\n/ /g'}
-      #     echo "Modified services: $modified_services"
-      #     echo "modified_services=$modified_services" >> $GITHUB_OUTPUT
       - name: Gotify Notification
         uses: eikendev/gotify-action@master
         with:
@@ -286,14 +296,16 @@ jobs:
           gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
           notification_title: 'GITEA: PR Merge Successful'
           notification_message: 'PR #${{ steps.pr_merge.outputs.pr_index }} merged.'
-  ansible-config-docker-compose-deploy:
-    name: Ansible Configs & Docker Compose Deployment
+  docker-compose-deploy:
+    name: Docker Compose Deployment
     runs-on: ubuntu-latest
-    needs: [pr-merge]
+    needs: [docker-compose-dry-run, pr-merge]
     env:
       VAULT_ADDR: ${{ secrets.RINOA_VAULT_ADDR }}
       VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
       DOCKER_HOST: tcp://dockerproxy:2375
+      RINOA_REGISTRY_PASSWORD: ${{ secrets.BOT_GITEA_PASSWORD }}
+      DOCKER_SVC_LIST: ${{ needs.docker-compose-dry-run.outputs.svc_deploy_list }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -305,38 +317,11 @@ jobs:
         with:
           path: /opt/hostedtoolcache/vault/1.18.0/x64
           key: vault-${{ runner.os }}-1.18.0
-      - name: Install Ansible
-        uses: alex-oleshkevich/setup-ansible@v1.0.1
-        with:
-          version: "11.0.0"
       - name: Install Vault
         uses: cpanato/vault-installer@main
-      - name: Install hvac
-        run: pip install hvac
-      - name: Gotify Notification
-        uses: eikendev/gotify-action@master
-        with:
-          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
-          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
-          notification_title: 'GITEA: Ansible Config Deployment @ Rinoa'
-          notification_message: 'Starting config deployment with Ansible.'
-      - name: Deploy Docker Configs via Ansible
-        uses: dawidd6/action-ansible-playbook@v2
-        with:
-          directory: ansible/
-          playbook: docker_config_deploy.yml
-          key: ${{secrets.RINOA_ANSIBLE_PRIVATE_KEY}}
-          options: |
-            --inventory inventory/hosts.yml
-          requirements: collections/requirements.yml
-          vault_password: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
-      - name: Gotify Notification
-        uses: eikendev/gotify-action@master
-        with:
-          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
-          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
-          notification_title: 'GITEA: Ansible Config Deployment @ Rinoa'
-          notification_message: 'Deployment completed successfully.'
+      - name: Login to Gitea Container Registry
+        run: |
+          docker login -u gitea-sonarqube-bot -p ${RINOA_REGISTRY_PASSWORD} git.trez.wtf
       - name: Gotify Notification
         uses: eikendev/gotify-action@master
         with:
@@ -348,17 +333,21 @@ jobs:
         run: |
            vault kv get -format=json rinoa-docker/env | jq -r '.data.data' | jq -r 'keys[] as $k | "\($k)='\''\(.[$k])'\''"' > .env
       - name: Docker Compose Deployment
-        # if: ${{ steps.regenerate-readme-modified-services.outputs.modified_services != '' }}
         timeout-minutes: 360
         continue-on-error: true
-        uses: keatonLiu/docker-compose-remote-action@v1.2
+        uses: chaplyk/docker-compose-remote-action@v1.1
+        env:
+          DOCKER_HOST: tcp://dockerproxy:2375
         with:
-          docker_compose_file: docker-compose.yml
-          docker_args: -d --remove-orphans --pull missing --no-recreate
-          ssh_user: gitea-deploy
           ssh_host: 192.168.1.254
-          ssh_host_public_key: ${{ secrets.RINOA_GITEA_PUBLIC_SSH_KEY }}
-          ssh_private_key: ${{ secrets.RINOA_GITEA_PRIVATE_SSH_KEY }}
+          ssh_port: 22
+          ssh_user: gitea-deploy
+          ssh_key: ${{ secrets.RINOA_GITEA_PRIVATE_SSH_KEY }}
+          service: ${DOCKER_SVC_LIST}
+          compose_file: docker-compose.yml
+          pull: false
+          build: false
+          options: -d --remove-orphans
       - name: Gotify Notification
         uses: eikendev/gotify-action@master
         with:

.gitea/workflows/vault-auto-unseal-flow.yml

@@ -0,0 +1,29 @@
+name: Auto-Unseal for Vault
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 5 * * *"
+jobs:
+  auto-unseal:
+    name: Unseal Vault
+    runs-on: ubuntu-latest
+    env:
+      VAULT_ADDR: ${{ secrets.RINOA_VAULT_ADDR }}
+      VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
+      VAULT_SHARDS: |
+        ${{ secrets.VAULT_UNSEAL_SHARDS }}
+      VAULT_NAMESPACE: ""
+    steps:
+      - name: Cache Vault install
+        id: cache-vault
+        uses: actions/cache@v4
+        with:
+          path: /opt/hostedtoolcache/vault/1.18.0/x64
+          key: vault-${{ runner.os }}-1.18.0
+      - name: Install Vault
+        uses: cpanato/vault-installer@main
+      - name: Unseal Vault
+        run: |
+          for vault_shard in $(echo ${VAULT_SHARDS}); do
+            vault operator unseal -address=${VAULT_ADDR} -non-interactive "${vault_shard}"
+          done

README.md

@@ -14,15 +14,11 @@
 | bazarr | lscr.io/linuxserver/bazarr:latest |
 | beszel | henrygd/beszel:latest |
 | beszel-agent | henrygd/beszel-agent:latest |
-| bitmagnet | ghcr.io/bitmagnet-io/bitmagnet:latest |
-| bitmagnet-pg-db | postgres:17-alpine |
 | bitwarden | vaultwarden/server:latest |
 | bluesky-pds | code.modernleft.org/gravityfargo/bluesky-pds:v0.4.98 |
 | browserless | ghcr.io/browserless/chromium:latest |
-| bytebase | bytebase/bytebase:3.5.0 |
 | bytestash | ghcr.io/jordan-dalby/bytestash:latest |
 | castopod | castopod/castopod:latest |
-| cloudflared | cloudflare/cloudflared:latest |
 | cloudflareddns | ghcr.io/hotio/cloudflareddns:latest |
 | convertx | ghcr.io/c4illin/convertx |
 | cronicle | elestio/cronicle:latest |
@@ -33,15 +29,17 @@
 | dawarich-app | freikin/dawarich:latest |
 | dawarich-pg-db | postgis/postgis:17-3.5-alpine |
 | dawarich-sidekiq | freikin/dawarich:latest |
-| delugevpn | ghcr.io/binhex/arch-delugevpn:latest |
+| dead-man-hand | ghcr.io/bkupidura/dead-man-hand:latest |
 | docker-socket-proxy | ghcr.io/tecnativa/docker-socket-proxy:latest |
-| docker-volume-backup | offen/docker-volume-backup:v2 |
+| dockflare | alplat/dockflare:stable |
 | duplicati | lscr.io/linuxserver/duplicati:latest |
+| excalidraw | excalidraw/excalidraw:latest |
 | explo | ghcr.io/lumepart/explo:latest |
 | fastenhealth | ghcr.io/fastenhealth/fasten-onprem:main |
 | flaresolverr | ghcr.io/flaresolverr/flaresolverr:latest |
+| freescout | tiredofit/freescout:latest |
 | ghost | ghost:latest |
-| gitea | gitea/gitea:1.23.1 |
+| gitea | gitea/gitea:1.24.0 |
 | gitea-db | postgres:14 |
 | gitea-runner | gitea/act_runner:latest |
 | gitea-sonarqube-bot | justusbunsi/gitea-sonarqube-bot:v0.4.0 |
@@ -51,7 +49,7 @@
 | graylog-datanode | graylog/graylog-datanode:6.1 |
 | guacamole | flcontainers/guacamole:latest |
 | homepage | ghcr.io/gethomepage/homepage:latest |
-| hugo | hugomods/hugo:exts |
+| hugo | hugomods/hugo:exts-0.145.0 |
 | immich-server | ghcr.io/immich-app/immich-server:release |
 | immich-machine-learning | ghcr.io/immich-app/immich-machine-learning:release |
 | immich-pg-db | tensorchord/pgvecto-rs:pg14-v0.2.1 |
@@ -61,6 +59,8 @@
 | invidious | quay.io/invidious/invidious:latest |
 | invidious-sig-helper | quay.io/invidious/inv-sig-helper:latest |
 | invidious-db | docker.io/library/postgres:14 |
+| invoice-ninja | invoiceninja/invoiceninja-debian:5 |
+| invoice-ninja_proxy | nginx |
 | it-tools | ghcr.io/corentinth/it-tools:latest |
 | jellyfin | jellyfin/jellyfin |
 | jitsi-etherpad | etherpad/etherpad:1.8.6 |
@@ -72,6 +72,7 @@
 | jitsi-web | jitsi/web:stable |
 | joplin-db | postgres:17-alpine |
 | joplin | joplin/server:latest |
+| languagetool | elestio/languagetool:latest |
 | librechat-api | ghcr.io/danny-avila/librechat-dev:latest |
 | librechat-vectordb | ankane/pgvector:latest |
 | librechat-rag-api | ghcr.io/danny-avila/librechat-rag-api-dev-lite:latest |
@@ -86,8 +87,11 @@
 | mariadb | linuxserver/mariadb |
 | mastodon | lscr.io/linuxserver/mastodon:latest |
 | mastodon-pg-db | postgres:17-alpine |
+| maxun-backend | getmaxun/maxun-backend:latest |
+| maxun-frontend | getmaxun/maxun-frontend:latest |
+| maxun-pg-db | postgres:13-alpine |
 | meilisearch | getmeili/meilisearch:v1.12.3 |
-| minio | minio/minio |
+| minio | minio/minio:RELEASE.2025-04-22T22-12-26Z |
 | mixpost | inovector/mixpost:latest |
 | mongodb | bitnami/mongodb:7.0 |
 | multi-scrobbler | foxxmd/multi-scrobbler |
@@ -97,16 +101,21 @@
 | nextcloud | nextcloud/all-in-one:latest |
 | ollama | ollama/ollama |
 | ombi | lscr.io/linuxserver/ombi:latest |
+| omni-tools | iib0011/omni-tools:latest |
+| omnipoly | kweg/omnipoly:latest |
 | paperless-ngx | ghcr.io/paperless-ngx/paperless-ngx:latest |
 | pgbackweb | eduardolat/pgbackweb:latest |
 | pgbackweb-db | postgres:16-alpine |
 | plantuml-server | plantuml/plantuml-server:jetty |
 | portainer | portainer/portainer-ce:alpine |
-| portall | need4swede/portall:latest |
+| portnote-web | haedlessdev/portnote:latest |
+| portnote-agent | haedlessdev/portnote-agent:latest |
+| portnote-pg-db | postgres:17-alpine |
 | postal-smtp | ghcr.io/postalserver/postal:latest |
 | postal-web | ghcr.io/postalserver/postal:latest |
 | postal-worker | ghcr.io/postalserver/postal:latest |
 | prowlarr | lscr.io/linuxserver/prowlarr:latest |
+| qbittorrentvpn | ghcr.io/binhex/arch-qbittorrentvpn:latest |
 | radarec | thewicklowwolf/radarec:latest |
 | radarr | lscr.io/linuxserver/radarr:latest |
 | reactive-resume | amruthpillai/reactive-resume:latest |
@@ -115,12 +124,19 @@
 | redis | redis:alpine |
 | redlib | quay.io/redlib/redlib:latest |
 | rocketchat | registry.rocket.chat/rocketchat/rocket.chat:latest |
+| romm | rommapp/romm:latest |
 | sabnzbdvpn | ghcr.io/binhex/arch-sabnzbdvpn:latest |
-| scraperr | jpyles0524/scraperr:latest |
-| scraperr-api | jpyles0524/scraperr_api:latest |
+| sablier | sablierapp/sablier:latest |
 | scrutiny | ghcr.io/analogj/scrutiny:master-omnibus |
 | searxng | searxng/searxng:latest |
 | semaphore | semaphoreui/semaphore:v2.12.14 |
+| signoz-init-clickhouse | clickhouse/clickhouse-server:24.1.2-alpine |
+| signoz-zookeeper-1 | bitnami/zookeeper:3.7.1 |
+| signoz-clickhouse | clickhouse/clickhouse-server:24.1.2-alpine |
+| signoz-app | signoz/signoz:v0.86.2 |
+| signoz-otel-collector | signoz/signoz-otel-collector:v0.111.42 |
+| signoz-schema-migrator-sync | signoz/signoz-schema-migrator:v0.111.42 |
+| signoz-schema-migrator-async | signoz/signoz-schema-migrator:v0.111.42 |
 | sonarqube | mc1arke/sonarqube-with-community-branch-plugin:lts |
 | sonarqube-pg-db | postgres:17-alpine |
 | sonarr | lscr.io/linuxserver/sonarr:latest |
@@ -139,5 +155,6 @@
 | wallos | bellamy/wallos:latest |
 | watchtower | ghcr.io/containrrr/watchtower:latest |
 | web-check | lissy93/web-check |
+| whodb | clidey/whodb |
 | youtubedl | nbr23/youtube-dl-server:latest |
 

ansible/app-configs/adguardhome/AdGuardHome.yaml.j2

@@ -0,0 +1,200 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+http:
+  pprof:
+    port: 6060
+    enabled: false
+  address: 0.0.0.0:8008
+  session_ttl: 720h
+users:
+  - name: admin
+    password: {{ vault.vault_secret('env', 'ADGUARD_BCRYPT') }}
+auth_attempts: 5
+block_auth_min: 15
+http_proxy: ""
+language: ""
+theme: auto
+dns:
+  bind_hosts:
+    - 0.0.0.0
+  port: 53
+  anonymize_client_ip: false
+  ratelimit: 20
+  ratelimit_subnet_len_ipv4: 24
+  ratelimit_subnet_len_ipv6: 56
+  ratelimit_whitelist: []
+  refuse_any: true
+  upstream_dns:
+    - 94.140.14.14
+    - 94.140.15.15
+    - https://dns.adguard-dns.com/dns-query
+    - tls://dns.adguard-dns.com
+    - quic://dns.adguard-dns.com
+    - 1.1.1.1
+    - 1.0.0.1
+    - 1.1.1.2
+    - 1.0.0.2
+    - 185.228.168.9
+    - 185.228.169.9
+    - 76.76.2.3
+    - tls://getdnsapi.net
+    - 185.49.141.37
+    - tls://dot.seby.io
+  upstream_dns_file: ""
+  bootstrap_dns:
+    - 9.9.9.10
+    - 149.112.112.10
+    - 2620:fe::10
+    - 2620:fe::fe:10
+  fallback_dns: []
+  upstream_mode: load_balance
+  fastest_timeout: 1s
+  allowed_clients: []
+  disallowed_clients: []
+  blocked_hosts:
+    - version.bind
+    - id.server
+    - hostname.bind
+  trusted_proxies:
+    - 127.0.0.0/8
+    - ::1/128
+  cache_size: 4194304
+  cache_ttl_min: 0
+  cache_ttl_max: 0
+  cache_optimistic: false
+  bogus_nxdomain: []
+  aaaa_disabled: false
+  enable_dnssec: false
+  edns_client_subnet:
+    custom_ip: ""
+    enabled: false
+    use_custom: false
+  max_goroutines: 300
+  handle_ddr: true
+  ipset: []
+  ipset_file: ""
+  bootstrap_prefer_ipv6: false
+  upstream_timeout: 10s
+  private_networks: []
+  use_private_ptr_resolvers: false
+  local_ptr_upstreams: []
+  use_dns64: false
+  dns64_prefixes: []
+  serve_http3: false
+  use_http3_upstreams: false
+  serve_plain_dns: true
+  hostsfile_enabled: true
+  pending_requests:
+    enabled: true
+tls:
+  enabled: true
+  server_name: ""
+  force_https: false
+  port_https: 446
+  port_dns_over_tls: 853
+  port_dns_over_quic: 853
+  port_dnscrypt: 0
+  dnscrypt_config_file: ""
+  allow_unencrypted_doh: false
+  certificate_chain: ""
+  private_key: ""
+  certificate_path: /opt/adguardhome/certs/live/trez.wtf/priv-fullchain-bundle.pem
+  private_key_path: /opt/adguardhome/certs/live/trez.wtf/priv-fullchain-bundle.pem
+  strict_sni_check: false
+querylog:
+  dir_path: ""
+  ignored: []
+  interval: 2160h
+  size_memory: 1000
+  enabled: true
+  file_enabled: true
+statistics:
+  dir_path: ""
+  ignored: []
+  interval: 24h
+  enabled: true
+filters:
+  - enabled: true
+    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt
+    name: AdGuard DNS filter
+    id: 1
+  - enabled: false
+    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt
+    name: AdAway Default Blocklist
+    id: 2
+whitelist_filters: []
+user_rules: []
+dhcp:
+  enabled: false
+  interface_name: ""
+  local_domain_name: lan
+  dhcpv4:
+    gateway_ip: 192.168.1.1
+    subnet_mask: 255.255.255.0
+    range_start: 192.168.1.2
+    range_end: 192.168.1.240
+    lease_duration: 86400
+    icmp_timeout_msec: 1000
+    options: []
+  dhcpv6:
+    range_start: ""
+    lease_duration: 86400
+    ra_slaac_only: false
+    ra_allow_slaac: false
+filtering:
+  blocking_ipv4: ""
+  blocking_ipv6: ""
+  blocked_services:
+    schedule:
+      time_zone: America/New_York
+    ids: []
+  protection_disabled_until: null
+  safe_search:
+    enabled: false
+    bing: true
+    duckduckgo: true
+    ecosia: true
+    google: true
+    pixabay: true
+    yandex: true
+    youtube: true
+  blocking_mode: default
+  parental_block_host: family-block.dns.adguard.com
+  safebrowsing_block_host: standard-block.dns.adguard.com
+  rewrites: []
+  safe_fs_patterns:
+    - /opt/adguardhome/work/userfilters/*
+  safebrowsing_cache_size: 1048576
+  safesearch_cache_size: 1048576
+  parental_cache_size: 1048576
+  cache_time: 30
+  filters_update_interval: 24
+  blocked_response_ttl: 10
+  filtering_enabled: true
+  parental_enabled: false
+  safebrowsing_enabled: false
+  protection_enabled: true
+clients:
+  runtime_sources:
+    whois: true
+    arp: true
+    rdns: true
+    dhcp: true
+    hosts: true
+  persistent: []
+log:
+  enabled: true
+  file: ""
+  max_backups: 0
+  max_size: 100
+  max_age: 3
+  compress: false
+  local_time: false
+  verbose: false
+os:
+  group: ""
+  user: ""
+  rlimit_nofile: 0
+schema_version: 29

ansible/app-configs/apprise/apprise.yml.j2

@@ -0,0 +1,7 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+urls:
+  - gotify://gotify/{{ vault.vault_secret('env', 'APPRISE_GOTIFY_TOKEN') }}
+  - mailto://{{ vault.vault_secret('env', 'POSTAL_SMTP_AUTH_USER') }}:{{ vault.vault_secret('env', 'POSTAL_SMTP_AUTH_PASSWORD') }}@trez.wtf25?smtp=postal-smtp&from=noreply@trez.wtf

ansible/app-configs/apprise_apprise.yml.j2

@@ -1,3 +0,0 @@
-urls:
-  - gotify://gotify/{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['APPRISE_GOTIFY_TOKEN'] }}
-  - mailtos://{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}@trez.wtf25?smtp=postal-smtp&from=noreply@trez.wtf

ansible/app-configs/authelia/configuration.yml.j2

@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 
@@ -64,11 +65,11 @@ authentication_backend:
       mail: mail
       display_name: displayName
     user: uid=authelia,ou=people,dc=trez,dc=wtf
-    password: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_AUTH_BIND_LDAP_PASSWORD'] }}'
+    password: '{{ vault.vault_secret('env', 'AUTHELIA_AUTH_BIND_LDAP_PASSWORD') }}'
   refresh_interval: 5m
 identity_validation:
   reset_password:
-    jwt_secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_JWT_SECRET'] }}'
+    jwt_secret: '{{ vault.vault_secret('env', 'AUTHELIA_JWT_SECRET') }}'
 password_policy:
   standard:
     enabled: true
@@ -104,7 +105,7 @@ access_control:
       - ['user:the.trezured.one']
 session:
   name: authelia_session
-  secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_SESSION_SECRET'] }}'
+  secret: '{{ vault.vault_secret('env', 'AUTHELIA_SESSION_SECRET') }}'
   expiration: 1h
   inactivity: 5m
   remember_me: 1M
@@ -115,12 +116,12 @@ session:
     host: redis
     port: 6379
 storage:
-  encryption_key: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_STORAGE_ENCRYPTION_KEY'] }}'
+  encryption_key: '{{ vault.vault_secret('env', 'AUTHELIA_STORAGE_ENCRYPTION_KEY') }}'
   postgres:
     address: 'tcp://authelia-pg:5432'
     database: authelia
     username: authelia
-    password: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_STORAGE_POSTGRES_PASSWORD'] }}'
+    password: '{{ vault.vault_secret('env', 'AUTHELIA_STORAGE_POSTGRES_PASSWORD') }}'
     timeout: '5s'
 regulation:
   max_retries: 3
@@ -131,8 +132,8 @@ notifier:
   smtp:
     address: 'smtp://postal-smtp:25'
     timeout: '5s'
-    username: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}'
-    password: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}'
+    username: '{{ vault.vault_secret('env', 'POSTAL_SMTP_AUTH_USER') }}'
+    password: '{{ vault.vault_secret('env', 'POSTAL_SMTP_AUTH_PASSWORD') }}'
     sender: "Authelia <noreply@trez.wtf>"
     identifier: 'localhost'
     subject: "[Authelia] {title}"
@@ -142,7 +143,7 @@ notifier:
     disable_html_emails: false
 identity_providers:
   oidc:
-    hmac_secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_OIDC_HMAC_SECRET'] }}'
+    hmac_secret: '{{ vault.vault_secret('env', 'AUTHELIA_OIDC_HMAC_SECRET') }}'
     jwks:
       - key: |
           {{ lookup("community.hashi_vault.vault_kv2_get", "env", engine_mount_point="rinoa-docker", url=vault_addr, token=vault_token_cleaned)["secret"]["AUTHELIA_OIDC_JWKS_KEY"] | replace("\\n", "\n") | indent(10) }}
@@ -157,7 +158,7 @@ identity_providers:
     clients:
       - client_id: 'netbird'
         client_name: 'NetBird'
-        client_secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_NETBIRD_CLIENT_SECRET'] }}'
+        client_secret: '{{ vault.vault_secret('env', 'AUTHELIA_NETBIRD_CLIENT_SECRET') }}'
         public: false
         authorization_policy: 'two_factor'
         redirect_uris:

ansible/app-configs/cloudflared/config.yml.j2

@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 

ansible/app-configs/crowdsec/acquis.yaml.j2

@@ -0,0 +1,66 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+source: journalctl
+journalctl_filter:
+  - "--directory=/var/log/host/"
+labels:
+  type: syslog
+---
+filenames:
+  - /var/log/swag/*
+labels:
+  type: nginx
+---
+filenames:
+  - /var/log/auth/auth.log
+labels:
+  type: syslog
+---
+filenames:
+  - /var/lib/mysql/log/mysql/*
+  - /var/lib/mysql/databases/*.err
+  - /var/lib/mysql/databases/*.log
+labels:
+  type: mariadb
+---
+source: docker
+container_name:
+  - adguard
+labels:
+  type: adguardhome
+---
+source: docker
+container_name:
+ - mongodb
+labels:
+  type: mongodb
+---
+source: docker
+container_name:
+ - immich-server
+labels:
+  type: immich
+---
+source: docker
+container_name:
+ - uptimekuma
+labels:
+  type: uptime-kuma
+---
+source: docker
+container_name:
+ - jellyfin
+labels:
+  type: jellyfin
+---
+source: docker
+container_name:
+ - navidrome
+labels:
+  type: navidrome
+---
+filenames:
+  - /var/log/audiobookshelf/*.txt
+labels:
+  type: audiobookshelf

ansible/app-configs/crowdsec/config.yaml.j2

@@ -0,0 +1,52 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+common:
+  daemonize: false
+  log_media: stdout
+  log_level: info
+  log_dir: /var/log/
+config_paths:
+  config_dir: /etc/crowdsec/
+  data_dir: /var/lib/crowdsec/data/
+  simulation_path: /etc/crowdsec/simulation.yaml
+  hub_dir: /etc/crowdsec/hub/
+  index_path: /etc/crowdsec/hub/.index.json
+  notification_dir: /etc/crowdsec/notifications/
+  plugin_dir: /usr/local/lib/crowdsec/plugins/
+crowdsec_service:
+  acquisition_path: /etc/crowdsec/acquis.yaml
+  acquisition_dir: /etc/crowdsec/acquis.d
+  parser_routines: 1
+plugin_config:
+  user: nobody
+  group: nobody
+cscli:
+  output: human
+db_config:
+  log_level: info
+  type: sqlite
+  db_path: /var/lib/crowdsec/data/crowdsec.db
+  flush:
+    max_items: 5000
+    max_age: 7d
+  use_wal: false
+api:
+  client:
+    insecure_skip_verify: false
+    credentials_path: /etc/crowdsec/local_api_credentials.yaml
+  server:
+    log_level: info
+    listen_uri: 0.0.0.0:8080
+    profiles_path: /etc/crowdsec/profiles.yaml
+    trusted_ips: # IP ranges, or IPs which can have admin API access
+      - 127.0.0.1
+      - ::1
+    online_client: # Central API credentials (to push signals and receive bad IPs)
+      credentials_path: /etc/crowdsec/online_api_credentials.yaml
+    enable: true
+prometheus:
+  enabled: true
+  level: full
+  listen_addr: 0.0.0.0
+  listen_port: 6060

ansible/app-configs/crowdsec/local-api-credentials.yaml.j2

@@ -0,0 +1,7 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+url: http://0.0.0.0:8080
+login: localhost
+password: {{ vault.vault_secret('env', 'CROWDSEC_LOCAL_API_KEY') }}

ansible/app-configs/crowdsec/online-api-credentials.yaml.j2

@@ -0,0 +1,7 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+url: https://api.crowdsec.net/
+login: {{ vault.vault_secret('env', 'CROWDSEC_ONLINE_PASSWORD') }}
+password: {{ vault.vault_secret('env', 'CROWDSEC_ONLINE_PASSWORD') }}

ansible/app-configs/crowdsec/profiles.yaml.j2

@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 

ansible/app-configs/crowdsec_acquis.yaml.j2

@@ -1,15 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-
-source: journalctl
-journalctl_filter: 
-  - "--directory=/var/log/host/"
-labels:
-  type: syslog
----
-filenames:
-  - /var/log/swag/*
-labels:
-  type: nginx
----

ansible/app-configs/crowdsec_local-api-credentials.yaml.j2

@@ -1,6 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-url: http://0.0.0.0:8080
-login: localhost
-password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['CROWDSEC_LOCAL_API_KEY'] }}

ansible/app-configs/ghost/ghost_config.production.json.j2

@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 
@@ -7,21 +8,22 @@
     "client": "mysql",
     "connection": {
       "host"     : "mariadb",
+      "port"     : 3306,
       "user"     : "ghost",
-      "password" : "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GHOST_DB_PASSWORD'] }}",
+      "password" : "{{ vault.vault_secret('env', 'GHOST_DB_PASSWORD') }}",
       "database" : "ghost_db"
     }
   },
   "mail": {
-    "from": "'Ghost @ Rinoa' <noreply@trez.wtf>"
+    "from": "'Ghost @ Rinoa' <noreply@trez.wtf>",
     "transport": "SMTP",
     "options": {
       "host": "postal-smtp",
       "port": 25,
       "secure": false,
       "auth": {
-        "user": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}",
-        "pass": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}"
+        "user": "{{ vault.vault_secret('env', 'POSTAL_SMTP_AUTH_USER') }}",
+        "pass": "{{ vault.vault_secret('env', 'POSTAL_SMTP_AUTH_PASSWORD') }}"
       }
     }
   },

ansible/app-configs/gitea/act-runner/config.yaml.j2

@@ -0,0 +1,104 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+# Example configuration file, it's safe to copy this as the default config file without any modification.
+
+# You don't have to copy this file to your instance,
+# just run `./act_runner generate-config > config.yaml` to generate a config file.
+
+log:
+  # The level of logging, can be trace, debug, info, warn, error, fatal
+  level: info
+
+runner:
+  # Where to store the registration result.
+  file: .runner
+  # Execute how many tasks concurrently at the same time.
+  capacity: 3
+  # Extra environment variables to run jobs.
+#   envs:
+#     A_TEST_ENV_NAME_1: a_test_env_value_1
+#     A_TEST_ENV_NAME_2: a_test_env_value_2
+  # Extra environment variables to run jobs from a file.
+  # It will be ignored if it's empty or the file doesn't exist.
+#   env_file: .env
+  # The timeout for a job to be finished.
+  # Please note that the Gitea instance also has a timeout (3h by default) for the job.
+  # So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
+  timeout: 3h
+  # The timeout for the runner to wait for running jobs to finish when shutting down.
+  # Any running jobs that haven't finished after this timeout will be cancelled.
+  shutdown_timeout: 0s
+  # Whether skip verifying the TLS certificate of the Gitea instance.
+  insecure: false
+  # The timeout for fetching the job from the Gitea instance.
+  fetch_timeout: 5s
+  # The interval for fetching the job from the Gitea instance.
+  fetch_interval: 2s
+  # The labels of a runner are used to determine which jobs the runner can run, and how to run them.
+  # Like: "macos-arm64:host" or "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
+  # Find more images provided by Gitea at https://gitea.com/gitea/runner-images .
+  # If it's empty when registering, it will ask for inputting labels.
+  # If it's empty when execute `daemon`, will use labels in `.runner` file.
+  labels:
+    - "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
+    - "ubuntu-22.04:docker://gitea/runner-images:ubuntu-22.04"
+    - "ubuntu-20.04:docker://gitea/runner-images:ubuntu-20.04"
+
+cache:
+  # Enable cache server to use actions/cache.
+  enabled: true
+  # The directory to store the cache data.
+  # If it's empty, the cache data will be stored in $HOME/.cache/actcache.
+  dir: ""
+  # The host of the cache server.
+  # It's not for the address to listen, but the address to connect from job containers.
+  # So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
+  host: "192.168.1.254"
+  # The port of the cache server.
+  # 0 means to use a random available port.
+  port: 63604
+  # The external cache server URL. Valid only when enable is true.
+  # If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
+  # The URL should generally end with "/".
+  external_server: ""
+
+container:
+  # Specifies the network to which the container will connect.
+  # Could be host, bridge or the name of a custom network.
+  # If it's empty, act_runner will create a network automatically.
+  network: "compose_default"
+  # Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
+  privileged: false
+  # And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
+  options:
+  # The parent directory of a job's working directory.
+  # NOTE: There is no need to add the first '/' of the path as act_runner will add it automatically. 
+  # If the path starts with '/', the '/' will be trimmed.
+  # For example, if the parent directory is /path/to/my/dir, workdir_parent should be path/to/my/dir
+  # If it's empty, /workspace will be used.
+  workdir_parent:
+  # Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
+  # You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
+  # For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
+  # valid_volumes:
+  #   - data
+  #   - /src/*.json
+  # If you want to allow any volume, please use the following configuration:
+  # valid_volumes:
+  #   - '**'
+  valid_volumes: []
+  # overrides the docker client host with the specified one.
+  # If it's empty, act_runner will find an available docker host automatically.
+  # If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
+  # If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
+  docker_host: ""
+  # Pull docker image(s) even if already present
+  force_pull: false
+  # Rebuild docker image(s) even if already present
+  force_rebuild: false
+
+host:
+  # The parent directory of a job's working directory.
+  # If it's empty, $HOME/.cache/act/ will be used.
+  workdir_parent:

ansible/app-configs/gitea/app.ini.j2

@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 
@@ -27,7 +28,7 @@ DISABLE_SSH = false
 SSH_PORT = 22
 SSH_LISTEN_PORT = 22
 LFS_START_SERVER = true
-LFS_JWT_SECRET = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_LFS_JWT_SECRET'] }}
+LFS_JWT_SECRET = {{ vault.vault_secret('env', 'GITEA_LFS_JWT_SECRET') }}
 OFFLINE_MODE = true
 
 [database]
@@ -36,7 +37,7 @@ DB_TYPE = postgres
 HOST = gitea-db:5432
 NAME = gitea
 USER = gitea
-PASSWD = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_PG_DB_PASSWORD'] }}
+PASSWD = {{ vault.vault_secret('env', 'GITEA_PG_DB_PASSWORD') }}
 LOG_SQL = false
 SCHEMA =
 SSL_MODE = disable
@@ -70,7 +71,7 @@ INSTALL_LOCK = true
 SECRET_KEY =
 REVERSE_PROXY_LIMIT = 1
 REVERSE_PROXY_TRUSTED_PROXIES = *
-INTERNAL_TOKEN = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_INTERNAL_TOKEN'] }}
+INTERNAL_TOKEN = {{ vault.vault_secret('env', 'GITEA_INTERNAL_TOKEN') }}
 PASSWORD_HASH_ALGO = pbkdf2
 
 [service]
@@ -89,7 +90,7 @@ NO_REPLY_ADDRESS = noreply@trez.wtf
 PATH = /data/git/lfs
 
 [mailer]
-PASSWD = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}
+PASSWD = {{ vault.vault_secret('env', 'POSTAL_SMTP_AUTH_PASSWORD') }}
 PROTOCOL = smtp
 ENABLED = true
 FROM = '"Gitea" <noreply@trez.wtf>'
@@ -112,7 +113,7 @@ DEFAULT_MERGE_STYLE = merge
 DEFAULT_TRUST_MODEL = committer
 
 [oauth2]
-JWT_SECRET = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_OAUTH2_JWT_SECRET'] }}
+JWT_SECRET = {{ vault.vault_secret('env', 'GITEA_OAUTH2_JWT_SECRET') }}
 
 [ui]
 THEMES =

ansible/app-configs/gitea/gitea-sonarqube-bot/config.yaml.j2

@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 
@@ -9,7 +10,7 @@ gitea:
   # Created access token for the user that shall be used as bot account.
   # User needs "Read project" permissions with access to "Pull Requests"
   token:
-    value: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_GITEA_TOKEN'] }}"
+    value: "{{ vault.vault_secret('env', 'GITEA_SONARQUBE_BOT_GITEA_TOKEN') }}"
     # # or path to file containing the plain text secret
     # file: /path/to/gitea/token
 
@@ -18,7 +19,7 @@ gitea:
   # The bot looks for `X-Gitea-Signature` header containing the sha256 hmac hash of the plain text secret. If the header
   # exists and no webhookSecret is defined here, the bot will ignore the request, because it cannot be validated.
   webhook:
-    secret: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_GITEA_WEBHOOK_SECRET'] }}"
+    secret: "{{ vault.vault_secret('env', 'GITEA_SONARQUBE_BOT_GITEA_WEBHOOK_SECRET') }}"
     # # or path to file containing the plain text secret
     # secretFile: /path/to/gitea/webhook/secret
 
@@ -35,7 +36,7 @@ sonarqube:
   # Created access token for the user that shall be used as bot account.
   # User needs "Browse on project" permissions
   token:
-    value: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_SQUBE_TOKEN'] }}"
+    value: "{{ vault.vault_secret('env', 'GITEA_SONARQUBE_BOT_SQUBE_TOKEN') }}"
     # # or path to file containing the plain text secret
     # file: /path/to/sonarqube/token
 
@@ -45,7 +46,7 @@ sonarqube:
   # If the header exists and no webhookSecret is defined here, the bot will ignore the request, because it cannot be
   # validated.
   webhook:
-    secret: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_SQUBE_WEBHOOK_SECRET'] }}"
+    secret: "{{ vault.vault_secret('env', 'GITEA_SONARQUBE_BOT_SQUBE_WEBHOOK_SECRET') }}"
     # # or path to file containing the plain text secret
     # secretFile: /path/to/sonarqube/webhook/secret
 

ansible/app-configs/grafana/alloy/alloy_endpoints.json.j2

@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 

ansible/app-configs/grafana/beyla/beyla.yml.j2

@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 

ansible/app-configs/grafana/mimir/mimir.yaml.j2

@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 

ansible/app-configs/grafana/pyroscope/config.yaml.j2

@@ -0,0 +1,13 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
+storage:
+  backend: s3
+  s3:
+    bucket_name: pyroscope
+    endpoint: minio:9000
+    region: us-east-fh-pln
+    access_key_id: {{ vault.vault_secret('env', 'MINIO_PYROSCOPE_STORAGE_ACCESS_KEY') }}
+    secret_access_key: {{ vault.vault_secret('env', 'MINIO_PYROSCOPE_STORAGE_SECRET_KEY') }}
+    insecure: true
+
+analytics:
+  reporting_enabled: false

ansible/app-configs/grafana/tempo/config.yml.j2

@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 

ansible/app-configs/grafana/tempo/tempo.yaml.j2

@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 
@@ -46,8 +47,8 @@ storage:
     s3:
       bucket: tempo                    # how to store data in s3
       endpoint: minio:9000
-      access_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MINIO_TEMPO_STORAGE_ACCESS_KEY'] }}
-      secret_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MINIO_TEMPO_STORAGE_SECRET_KEY'] }}
+      access_key: {{ vault.vault_secret('env', 'MINIO_TEMPO_STORAGE_ACCESS_KEY') }}
+      secret_key: {{ vault.vault_secret('env', 'MINIO_TEMPO_STORAGE_SECRET_KEY') }}
       insecure: true
 
 usage_report:

ansible/app-configs/grafana_pyroscope_config.yaml.j2

@@ -1,12 +0,0 @@
-storage:
-  backend: s3
-  s3:
-    bucket_name: pyroscope
-    endpoint: minio:9000
-    region: us-east-fh-pln
-    access_key_id: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MINIO_PYROSCOPE_STORAGE_ACCESS_KEY'] }}
-    secret_access_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MINIO_PYROSCOPE_STORAGE_SECRET_KEY'] }}
-    insecure: true
-
-analytics:
-  reporting_enabled: false

ansible/app-configs/homepage/bookmarks.yaml.j2

@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 

ansible/app-configs/homepage/docker.yaml.j2

@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 

ansible/app-configs/homepage/kubernetes.yaml.j2

@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 

ansible/app-configs/homepage/services.yaml.j2

@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 
@@ -29,5 +30,5 @@
         widget:
             type: homeassistant
             url: http://192.168.1.252:8123
-            key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['HOMEPAGE_HOME_ASSISTANT_API_KEY'] }}
+            key: {{ vault.vault_secret('env', 'HOMEPAGE_HOME_ASSISTANT_API_KEY') }}
 

ansible/app-configs/homepage/settings.yaml.j2

@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 
@@ -6,7 +7,7 @@
 # https://gethomepage.dev/en/configs/settings
 
 providers:
-  openweathermap: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['HOMEPAGE_OPENWEATHERMAP_API_KEY'] }}
+  openweathermap: {{ vault.vault_secret('env', 'HOMEPAGE_OPENWEATHERMAP_API_KEY') }}
   # weatherapi: weatherapiapikey
 title: Rinoa Dashboard (trez.WTF)
 headerStyle: underlined
@@ -53,4 +54,4 @@ layout:
     columns: 2
   Media Library:
     style: row
-    columns: 4
+    columns: 3

ansible/app-configs/homepage/widgets.yaml.j2

@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 

ansible/app-configs/invidious/config.yml.j2

@@ -1,3 +1,7 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
 #########################################
 #
 #  Database and other external servers
@@ -13,7 +17,7 @@ db:
   host: invidious-db
   port: 5432
   dbname: invidious
-  password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_PG_DB_PASSWORD'] }}
+  password: {{ vault.vault_secret('env', 'INVID_PG_DB_PASSWORD') }}
 
 ##
 ## Database configuration using a single URI. This is an
@@ -207,8 +211,8 @@ https_only: false
 ## Accepted values: String
 ## Default: <none>
 ##
-po_token: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_PO_TOKEN'] }}
-visitor_data: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_VISITOR_DATA'] }}
+po_token: {{ vault.vault_secret('env', 'INVID_PO_TOKEN') }}
+visitor_data: {{ vault.vault_secret('env', 'INVID_VISITOR_DATA') }}
 
 # -----------------------------
 #  Logging
@@ -468,7 +472,7 @@ jobs:
 ## Accepted values: a string
 ## Default: <none>
 ##
-hmac_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_HMAC_KEY'] }}
+hmac_key: {{ vault.vault_secret('env', 'INVID_HMAC_KEY') }}
 
 ##
 ## List of video IDs where the "download" widget must be

ansible/app-configs/invoice-ninja/invoice-ninja.env.j2

@@ -1,9 +1,10 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 
 # IN application vars
-IN_APP_URL=http://in.localhost:8003
-IN_APP_KEY=<insert your generated key in here>
+IN_APP_URL=https://biz.trez.wtf
+IN_APP_KEY={{ vault.vault_secret('env', 'IN_APP_KEY') }}
 IN_APP_DEBUG=true
 IN_REQUIRE_HTTPS=false
 IN_PHANTOMJS_PDF_GENERATION=false
@@ -14,11 +15,11 @@ IN_TRUSTED_PROXIES='*'
 IN_QUEUE_CONNECTION=database
 
 # DB connection
-IN_DB_HOST=db
+IN_DB_HOST=mariadb
 IN_DB_PORT=3306
-IN_DB_DATABASE=ninja
-IN_DB_USERNAME=ninja
-IN_DB_PASSWORD=ninja
+IN_DB_DATABASE=invoice_ninja
+IN_DB_USERNAME=ininja
+IN_DB_PASSWORD={{ vault.vault_secret('env', 'IN_MYSQL_PASSWORD') }}
 
 # Create initial user
 # Default to these values if empty
@@ -29,13 +30,13 @@ IN_PASSWORD=
 
 # Mail options
 IN_MAIL_MAILER=log
-IN_MAIL_HOST=smtp.mailtrap.io
-IN_MAIL_PORT=2525
-IN_MAIL_USERNAME=null
-IN_MAIL_PASSWORD=null
+IN_MAIL_HOST=postal-smtp
+IN_MAIL_PORT=25
+IN_MAIL_USERNAME={{ vault.vault_secret('env', 'POSTAL_SMTP_AUTH_USER') }}
+IN_MAIL_PASSWORD={{ vault.vault_secret('env', 'POSTAL_SMTP_AUTH_PASSWORD') }}
 IN_MAIL_ENCRYPTION=null
-IN_MAIL_FROM_ADDRESS='user@example.com'
-IN_MAIL_FROM_NAME='Self Hosted User'
+IN_MAIL_FROM_ADDRESS='noreply@trez.wtf'
+IN_MAIL_FROM_NAME='Treasured IT'
 
 # MySQL
 IN_MYSQL_ROOT_PASSWORD=ninjaAdm1nPassword

ansible/app-configs/librechat/librechat.env.j2

@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 
@@ -17,7 +18,7 @@
 HOST=localhost
 PORT=3080
 
-MONGO_URI=mongodb://librechat:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_MONGODB_PASSWORD'] }}@mongodb:27017/librechat?replicaSet=rinoa
+MONGO_URI=mongodb://librechat:{{ vault.vault_secret('env', 'LIBRECHAT_MONGODB_PASSWORD') }}@mongodb:27017/librechat?replicaSet=rinoa
 
 DOMAIN_CLIENT=https://ai.trez.wtf
 DOMAIN_SERVER=https://ai.trez.wtf
@@ -73,12 +74,12 @@ PROXY=
 # ANYSCALE_API_KEY=
 # APIPIE_API_KEY=
 # COHERE_API_KEY=
-DEEPSEEK_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_DEEPSEEK_API_KEY'] }}
+DEEPSEEK_API_KEY={{ vault.vault_secret('env', 'LIBRECHAT_DEEPSEEK_API_KEY') }}
 # DATABRICKS_API_KEY=
 # FIREWORKS_API_KEY=
 # GROQ_API_KEY=
 # HUGGINGFACE_TOKEN=
-MISTRAL_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_MISTRAL_API_KEY'] }}
+MISTRAL_API_KEY={{ vault.vault_secret('env', 'LIBRECHAT_MISTRAL_API_KEY') }}
 # OPENROUTER_KEY=
 # PERPLEXITY_API_KEY=
 # SHUTTLEAI_API_KEY=
@@ -90,7 +91,7 @@ MISTRAL_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_m
 # Anthropic  #
 #============#
 
-ANTHROPIC_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_ANTHROPIC_API_KEY'] }}
+ANTHROPIC_API_KEY={{ vault.vault_secret('env', 'LIBRECHAT_ANTHROPIC_API_KEY') }}
 ANTHROPIC_MODELS=claude-3-7-sonnet-latest,claude-3-7-sonnet-20250219,claude-3-5-haiku-20241022,claude-3-5-sonnet-20241022,claude-3-5-sonnet-latest,claude-3-5-sonnet-20240620,claude-3-opus-20240229,claude-3-sonnet-20240229,claude-3-haiku-20240307,claude-2.1,claude-2,claude-1.2,claude-1,claude-1-100k,claude-instant-1,claude-instant-1-100k
 # ANTHROPIC_REVERSE_PROXY=
 
@@ -177,7 +178,7 @@ ANTHROPIC_MODELS=claude-3-7-sonnet-latest,claude-3-7-sonnet-20250219,claude-3-5-
 # OpenAI     #
 #============#
 
-OPENAI_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_OPENAI_API_KEY'] }}
+OPENAI_API_KEY={{ vault.vault_secret('env', 'LIBRECHAT_OPENAI_API_KEY') }}
 OPENAI_MODELS=o1,o1-mini,o1-preview,gpt-4o,chatgpt-4o-latest,gpt-4o-mini,gpt-3.5-turbo-0125,gpt-3.5-turbo-0301,gpt-3.5-turbo,gpt-4,gpt-4-0613,gpt-4-vision-preview,gpt-3.5-turbo-0613,gpt-3.5-turbo-16k-0613,gpt-4-0125-preview,gpt-4-turbo-preview,gpt-4-1106-preview,gpt-3.5-turbo-1106,gpt-3.5-turbo-instruct,gpt-3.5-turbo-instruct-0914,gpt-3.5-turbo-16k
 
 DEBUG_OPENAI=false
@@ -226,8 +227,8 @@ DEBUG_OPENAI=false
 
 # DEBUG_PLUGINS=
 
-CREDS_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_CREDS_KEY'] }}
-CREDS_IV={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_CREDS_IV'] }}
+CREDS_KEY={{ vault.vault_secret('env', 'LIBRECHAT_CREDS_KEY') }}
+CREDS_IV={{ vault.vault_secret('env', 'LIBRECHAT_CREDS_IV') }}
 
 # Azure AI Search
 #-----------------
@@ -298,7 +299,7 @@ ZAPIER_NLA_API_KEY=
 SEARCH=true
 MEILI_NO_ANALYTICS=true
 MEILI_HOST=http://meilisearch:7700
-MEILI_MASTER_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MEILISEARCH_MASTER_KEY'] }}
+MEILI_MASTER_KEY={{ vault.vault_secret('env', 'MEILISEARCH_MASTER_KEY') }}
 
 # Optional: Disable indexing, useful in a multi-node setup
 # where only one instance should perform an index sync.
@@ -384,8 +385,8 @@ ALLOW_UNVERIFIED_EMAIL_LOGIN=true
 SESSION_EXPIRY=1000 * 60 * 15
 REFRESH_TOKEN_EXPIRY=(1000 * 60 * 60 * 24) * 7
 
-JWT_SECRET={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_JWT_SECRET'] }}
-JWT_REFRESH_SECRET={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_JWT_REFRESH_SECRET'] }}
+JWT_SECRET={{ vault.vault_secret('env', 'LIBRECHAT_JWT_SECRET') }}
+JWT_REFRESH_SECRET={{ vault.vault_secret('env', 'LIBRECHAT_JWT_REFRESH_SECRET') }}
 
 
 # Discord
@@ -547,4 +548,4 @@ USE_REDIS=true
 #=====================================================#
 #                  OpenWeather                        #
 #=====================================================#
-OPENWEATHER_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['HOMEPAGE_OPENWEATHERMAP_API_KEY'] }}
+OPENWEATHER_API_KEY={{ vault.vault_secret('env', 'HOMEPAGE_OPENWEATHERMAP_API_KEY') }}

ansible/app-configs/librechat/librechat.yaml.j2

@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 version: 1.0.0
 endpoints:
   custom:

ansible/app-configs/lidarr/config.xml.j2

@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 
@@ -7,7 +8,7 @@
   <SslPort>6868</SslPort>
   <EnableSsl>False</EnableSsl>
   <LaunchBrowser>True</LaunchBrowser>
-  <ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIDARR_API_KEY'] }}</ApiKey>
+  <ApiKey>{{ vault.vault_secret('env', 'LIDARR_API_KEY') }}</ApiKey>
   <AuthenticationMethod>Forms</AuthenticationMethod>
   <Branch>master</Branch>
   <LogLevel>trace</LogLevel>

ansible/app-configs/lidify/config.json.j2

@@ -0,0 +1,26 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+{
+    "lidarr_address": "http://lidarr:8686",
+    "lidarr_api_key": "{{ vault.vault_secret('env', 'LIDARR_API_KEY') }}",
+    "spotify_client_secret": "{{ vault.vault_secret('env', 'YOUR_SPOTIFY_SECRET') }}",
+    "root_folder_path": "/data/media/music",
+    "spotify_client_id": "{{ vault.vault_secret('env', 'YOUR_SPOTIFY_ID') }}",
+    "spotify_client_secret": "{{ vault.vault_secret('env', 'YOUR_SPOTIFY_SECRET') }}",
+    "fallback_to_top_result": false,
+    "lidarr_api_timeout": 120.0,
+    "quality_profile_id": 1,
+    "metadata_profile_id": 1,
+    "search_for_missing_albums": false,
+    "dry_run_adding_to_lidarr": true,
+    "app_name": "lidify",
+    "app_rev": "0.09",
+    "app_url": "lidify.trez.wtf",
+    "last_fm_api_key": "{{ vault.vault_secret('env', 'LASTFM_API_KEY') }}",
+    "last_fm_api_secret": "{{ vault.vault_secret('env', 'LASTFM_API_SECRET') }}",
+    "mode": "LastFM",
+    "auto_start": false,
+    "auto_start_delay": 60
+}

ansible/app-configs/lidify_settings_config.json.j2

@@ -1,25 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-{
-    "lidarr_address": "http://lidarr:8686",
-    "lidarr_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIDARR_API_KEY'] }}",
-    "spotify_client_secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_SECRET'] }}",
-    "root_folder_path": "/data/media/music",
-    "spotify_client_id": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_ID'] }}",
-    "spotify_client_secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_SECRET'] }}",
-    "fallback_to_top_result": false,
-    "lidarr_api_timeout": 120.0,
-    "quality_profile_id": 1,
-    "metadata_profile_id": 1,
-    "search_for_missing_albums": false,
-    "dry_run_adding_to_lidarr": true,
-    "app_name": "lidify",
-    "app_rev": "0.09",
-    "app_url": "lidify.trez.wtf",
-    "last_fm_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
-    "last_fm_api_secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
-    "mode": "LastFM",
-    "auto_start": false,
-    "auto_start_delay": 60
-}

ansible/app-configs/loggifly/config.yaml.j2

@@ -1,8 +1,19 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
 containers:
+  ghost_blog:
+    action_keywords:
+      - restart:
+          regex: ':[0-9]{2}\] ERROR.*$'
   immich-server:
     action_keywords:
       - restart:
           regex: 'ADVICE:.*error'
+  invidious:
+    keywords:
+      - regex: 'Error reading.*Connection reset by peer trying to reconnect...'
 global_keywords:
   keywords:
     - panic
@@ -10,7 +21,7 @@ global_keywords:
     - fatal
 notifications:
   apprise:
-    url: gotify://gotify/{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['APPRISE_GOTIFY_TOKEN'] }}    # Any Apprise-compatible URL (https://github.com/caronc/apprise/wiki)
+    url: gotify://gotify/{{ vault.vault_secret('env', 'APPRISE_GOTIFY_TOKEN') }}    # Any Apprise-compatible URL (https://github.com/caronc/apprise/wiki)
 # settings are optional because they all have default values
 settings:
   log_level: INFO               # DEBUG, INFO, WARNING, ERROR

ansible/app-configs/mirotalk/src/config.js.j2

@@ -0,0 +1,160 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
+'use strict';
+
+const packageJson = require('../../package.json');
+
+module.exports = {
+    // Branding and customizations require a license: https://codecanyon.net/item/mirotalk-p2p-webrtc-realtime-video-conferences/38376661
+    brand: {
+        app: {
+            language: 'en', // https://en.wikipedia.org/wiki/List_of_ISO_639_language_codes
+            name: 'MiroTalk',
+            title: '<h1>MiroTalk</h1/>Free browser based Real-time video calls.<br />Simple, Secure, Fast.',
+            description:
+                'Start your next video call with a single click. No download, plug-in, or login is required. Just get straight to talking, messaging, and sharing your screen.',
+            joinDescription: 'Pick a room name.<br />How about this one?',
+            joinButtonLabel: 'JOIN ROOM',
+            joinLastLabel: 'Your recent room:',
+        },
+        og: {
+            type: 'app-webrtc',
+            siteName: 'MiroTalk',
+            title: 'Click the link to make a call.',
+            description:
+                'MiroTalk calling provides real-time HD quality and latency simply not available with traditional technology.',
+            image: 'https://p2p.mirotalk.com/images/preview.png',
+            url: 'https://p2p.mirotalk.com',
+        },
+        site: {
+            shortcutIcon: '../images/logo.svg',
+            appleTouchIcon: '../images/logo.svg',
+            landingTitle: 'MiroTalk a Free Secure Video Calls, Chat & Screen Sharing.',
+            newCallTitle: 'MiroTalk a Free Secure Video Calls, Chat & Screen Sharing.',
+            newCallRoomTitle: 'Pick name. <br />Share URL. <br />Start conference.',
+            newCallRoomDescription:
+                "Each room has its disposable URL. Just pick a room name and share your custom URL. It's that easy.",
+            loginTitle: 'MiroTalk - Host Protected login required.',
+            clientTitle: 'MiroTalk WebRTC Video call, Chat Room & Screen Sharing.',
+            privacyPolicyTitle: 'MiroTalk - privacy and policy.',
+            stunTurnTitle: 'Test Stun/Turn Servers.',
+            notFoundTitle: 'MiroTalk - 404 Page not found.',
+        },
+        html: {
+            features: true,
+            browsers: true,
+            teams: true, // please keep me always true ;)
+            tryEasier: true,
+            poweredBy: true,
+            sponsors: true,
+            advertisers: true,
+            footer: true,
+        },
+        about: {
+            imageUrl: '../images/mirotalk-logo.gif',
+            title: `WebRTC P2P v${packageJson.version}`,
+            html: `
+                <button
+                    id="support-button"
+                    data-umami-event="Support button"
+                    onclick="window.open('https://codecanyon.net/user/miroslavpejic85')">
+                    <i class="fas fa-heart" ></i>&nbsp;Support
+                </button>
+                <br /><br /><br />
+                Author:<a
+                    id="linkedin-button"
+                    data-umami-event="Linkedin button"
+                    href="https://www.linkedin.com/in/miroslav-pejic-976a07101/" target="_blank">
+                    Miroslav Pejic
+                </a>
+                <br /><br />
+                Email:<a
+                    id="email-button"
+                    data-umami-event="Email button"
+                    href="mailto:miroslav.pejic.85@gmail.com?subject=MiroTalk P2P info">
+                    miroslav.pejic.85@gmail.com
+                </a>
+                <br /><br />
+                <hr />
+                <span>&copy; 2025 MiroTalk P2P, all rights reserved</span>
+                <hr />
+            `,
+        },
+        //...
+    },
+    /**
+     * Configuration for controlling the visibility of buttons in the MiroTalk P2P client.
+     * Set properties to true to show the corresponding buttons, or false to hide them.
+     * captionBtn, showSwapCameraBtn, showScreenShareBtn, showFullScreenBtn, showVideoPipBtn, showDocumentPipBtn -> (auto-detected).
+     */
+    buttons: {
+        main: {
+            showShareQr: true,
+            showShareRoomBtn: true, // For guests
+            showHideMeBtn: true,
+            showAudioBtn: true,
+            showVideoBtn: true,
+            showScreenBtn: true, // autodetected
+            showRecordStreamBtn: true,
+            showChatRoomBtn: true,
+            showCaptionRoomBtn: true,
+            showRoomEmojiPickerBtn: true,
+            showMyHandBtn: true,
+            showWhiteboardBtn: true,
+            showSnapshotRoomBtn: true,
+            showFileShareBtn: true,
+            showDocumentPipBtn: true,
+            showMySettingsBtn: true,
+            showAboutBtn: true, // Please keep me always true, Thank you!
+        },
+        chat: {
+            showTogglePinBtn: true,
+            showMaxBtn: true,
+            showSaveMessageBtn: true,
+            showMarkDownBtn: true,
+            showChatGPTBtn: true,
+            showFileShareBtn: true,
+            showShareVideoAudioBtn: true,
+            showParticipantsBtn: true,
+        },
+        caption: {
+            showTogglePinBtn: true,
+            showMaxBtn: true,
+        },
+        settings: {
+            showMicOptionsBtn: true,
+            showTabRoomPeerName: true,
+            showTabRoomParticipants: true,
+            showTabRoomSecurity: true,
+            showTabEmailInvitation: true,
+            showCaptionEveryoneBtn: true,
+            showMuteEveryoneBtn: true,
+            showHideEveryoneBtn: true,
+            showEjectEveryoneBtn: true,
+            showLockRoomBtn: true,
+            showUnlockRoomBtn: true,
+            showShortcutsBtn: true,
+        },
+        remote: {
+            showAudioVolume: true,
+            audioBtnClickAllowed: true,
+            videoBtnClickAllowed: true,
+            showVideoPipBtn: true,
+            showKickOutBtn: true,
+            showSnapShotBtn: true,
+            showFileShareBtn: true,
+            showShareVideoAudioBtn: true,
+            showPrivateMessageBtn: true,
+            showZoomInOutBtn: false,
+            showVideoFocusBtn: true,
+        },
+        local: {
+            showVideoPipBtn: true,
+            showSnapShotBtn: true,
+            showVideoCircleBtn: true,
+            showZoomInOutBtn: false,
+        },
+        whiteboard: {
+            whiteboardLockBtn: false,
+        },
+    },
+};

ansible/app-configs/multi-scrobbler/config.json.j2

@@ -0,0 +1,112 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+{
+  "debugMode": false,
+  "disableWeb": false,
+  "sourceDefaults": {
+    "logPayload": false,
+    "logFilterFailure": "warn",
+    "logPlayerState": false,
+    "scrobbleThresholds": {
+      "duration": 30,
+      "percent": 20
+    },
+    "maxPollRetries": 1,
+    "maxRequestRetries": 1,
+    "retryMultiplier": 1.5
+  },
+  "clientDefaults": {
+    "maxRequestRetries": 1,
+    "retryMultiplier": 1.5
+  },
+  "sources": [
+    {
+      "type": "spotify",
+      "enable": true,
+      "clients": [],
+      "name": "spotify",
+      "data": {
+        "clientId": "{{ vault.vault_secret('env', 'YOUR_SPOTIFY_ID') }}",
+        "clientSecret": "{{ vault.vault_secret('env', 'YOUR_SPOTIFY_SECRET') }}",
+        "redirectUri": "http://localhost:9078/callback"
+      }
+    },
+    {
+      "type": "lastfm",
+      "enable": true,
+      "clients": [],
+      "name": "lastfm",
+      "data": {
+        "apiKey": "{{ vault.vault_secret('env', 'LASTFM_API_KEY') }}",
+        "secret": "{{ vault.vault_secret('env', 'LASTFM_API_SECRET') }}",
+        "redirectUri": "http://localhost:9078/lastfm/callback"
+      }
+    },
+    {
+      "type": "listenbrainz",
+      "enable": true,
+      "clients": [],
+      "name": "listenBrainz",
+      "data": {
+        "token": "{{ vault.vault_secret('env', 'MALOJA_LISTENBRAINZ_TOKEN') }}",
+        "username": "Trez.One"
+      }
+    },
+    {
+      "type": "subsonic",
+      "enable": true,
+      "clients": [],
+      "name": "navidrome",
+      "data": {
+        "url": "http://navidrome:4533",
+        "user": "admin",
+        "password": "{{ vault.vault_secret('env', 'NAVIDROME_PASSWORD') }}"
+      }
+    }
+  ],
+  "clients": [
+    {
+      "type": "lastfm",
+      "enable": true,
+      "name": "lastFmClient",
+      "data": {
+        "apiKey": "{{ vault.vault_secret('env', 'LASTFM_API_KEY') }}",
+        "secret": "{{ vault.vault_secret('env', 'LASTFM_API_SECRET') }}",
+        "redirectUri": "http://localhost:9078/lastfm/callback"
+      }
+    },
+    {
+      "type": "listenbrainz",
+      "enable": true,
+      "name": "ListenBrainzClient",
+      "data": {
+        "token": "{{ vault.vault_secret('env', 'MALOJA_LISTENBRAINZ_TOKEN') }}",
+        "username": "Trez.One"
+      }
+    },
+    {
+      "type": "maloja",
+      "enable": true,
+      "name": "maloja",
+      "data": {
+        "url": "http://maloja:42010",
+        "apiKey": "{{ vault.vault_secret('env', 'MALOJA_API_KEY') }}"
+      }
+    }
+  ],
+  "webhooks": [
+    {
+      "name": "Gotify",
+      "type": "gotify",
+      "url": "http://gotify",
+      "token": "{{ vault.vault_secret('env', 'MULTI_SCROBBLER_GOTIFY_TOKEN') }}",
+      "priorities": {
+        "info": 5,
+        "warn": 7,
+        "error": 10
+      }
+    }
+  ]
+}

ansible/app-configs/multi-scrobbler_config.json.j2

@@ -1,108 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-{
-  "debugMode": false,
-  "disableWeb": false,
-  "sourceDefaults": {
-    "logPayload": false,
-    "logFilterFailure": "warn",
-    "logPlayerState": false,
-    "scrobbleThresholds": {
-      "duration": 30,
-      "percent": 20
-    },
-    "maxPollRetries": 1,
-    "maxRequestRetries": 1,
-    "retryMultiplier": 1.5
-  },
-  "clientDefaults": {
-    "maxRequestRetries": 1,
-    "retryMultiplier": 1.5
-  },
-  "sources": [
-    {
-      "type": "spotify",
-      "enable": true,
-      "clients": [],
-      "name": "spotify",
-      "data": {
-        "clientId": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_ID'] }}",
-        "clientSecret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_SECRET'] }}",
-        "redirectUri": "http://localhost:9078/callback"
-      }
-    },
-    {
-      "type:": "lastfm",
-      "name": "lastfm",
-      "enable": true,
-      "data": {
-        "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
-        "secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
-        "redirectUri": "http://localhost:9078/lastfm/callback"
-      }
-    },
-    {
-      "type": "listenbrainz",
-      "name": "listenBrainz",
-      "enable": true,
-      "data": {
-        "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_LISTENBRAINZ_TOKEN'] }}",
-        "username": "Trez.One"
-      }
-    },
-    {
-      "type": "subsonic",
-      "name": "navidrome",
-      "enable": true,
-      "data": {
-        "url": "http://navidrome:4533",
-        "user": "admin",
-        "password": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NAVIDROME_PASSWORD'] }}"
-      }
-    }
-  ],
-  "clients": [
-    {
-      "type": "lastfm",
-      "name": "lastFmClient",
-      "enable": true,
-      "data": {
-        "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
-        "secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
-        "redirectUri": "http://localhost:9078/lastfm/callback"
-      }
-    },
-    {
-      "type": "listenbrainz",
-      "name": ";istenBrainzClient",
-      "enable": true,
-      "data": {
-        "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_LISTENBRAINZ_TOKEN'] }}",
-        "username": "Trez.One"
-      }
-    },
-    {
-      "type": "maloja",
-      "enable": true,
-      "name": "maloja",
-      "data": {
-        "url": "http://maloja:42010",
-        "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_API_KEY'] }}"
-      }
-    }
-  ],
-  "webhooks": [
-    {
-      "name": "Gotify",
-      "type": "gotify",
-      "url": "http://gotify",
-      "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MULTI_SCROBBLER_GOTIFY_TOKEN'] }}",
-      "priorities": {
-        "info": 5,
-        "warn": 7,
-        "error": 10
-      }
-    }
-  ]
-}

ansible/app-configs/netbird/management.json.j2

@@ -0,0 +1,77 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
+{
+  "Stuns": [
+    {
+      "Proto": "udp",
+      "URI": "stun:netbird.{{ vault.vault_secret('env', 'MY_TLD') }}:3478",
+      "Username": "",
+      "Password": null
+    }
+  ],
+  "TURNConfig": {
+    "Turns": [
+      {
+        "Proto": "udp",
+        "URI": "turn:netbird.{{ vault.vault_secret('env', 'MY_TLD') }}:3478",
+        "Username": "self",
+        "Password": "{{ vault.vault_secret('env', 'NETBIRD_TURN_PASSWORD') }}"
+      }
+    ],
+    "CredentialsTTL": "12h",
+    "Secret": "secret",
+    "TimeBasedCredentials": false
+  },
+  "Relay": {
+    "Addresses": [
+      "rel://netbird.{{ vault.vault_secret('env', 'MY_TLD') }}:33080"
+    ],
+    "CredentialsTTL": "24h",
+    "Secret": "{{ vault.vault_secret('env', 'NETBIRD_RELAY_AUTH_SECRET') }}"
+  },
+  "Signal": {
+    "Proto": "https",
+    "URI": "netbird.{{ vault.vault_secret('env', 'MY_TLD') }}:10001",
+    "Username": "",
+    "Password": null
+  },
+  "ReverseProxy": {
+    "TrustedHTTPProxies": [],
+    "TrustedHTTPProxiesCount": 0,
+    "TrustedPeers": [
+      "0.0.0.0/0"
+    ]
+  },
+  "Datadir": "",
+  "DataStoreEncryptionKey": "",
+  "StoreConfig": {
+    "Engine": "sqlite"
+  },
+  "HttpConfig": {
+    "Address": "0.0.0.0:33073",
+    "AuthIssuer": "https://auth.{{ vault.vault_secret('env', 'MY_TLD') }}",
+    "AuthAudience": "netbird",
+    "AuthKeysLocation": "https://auth.{{ vault.vault_secret('env', 'MY_TLD') }}/jwks.json",
+    "AuthUserIDClaim": "",
+    "CertFile": "",
+    "CertKey": "",
+    "IdpSignKeyRefreshEnabled": true,
+    "OIDCConfigEndpoint": "https://auth.{{ vault.vault_secret('env', 'MY_TLD') }}/.well-known/openid-configuration"
+  },
+  "IdpManagerConfig": {},
+  "DeviceAuthorizationFlow": {},
+  "PKCEAuthorizationFlow": {
+    "ProviderConfig": {
+      "Audience": "netbird",
+      "ClientID": "netbird",
+      "ClientSecret": "{{ vault.vault_secret('env', 'AUTHELIA_NETBIRD_CLIENT_SECRET') }}",
+      "Domain": "",
+      "AuthorizationEndpoint": "https://auth.{{ vault.vault_secret('env', 'MY_TLD') }}/api/oidc/authorization",
+      "TokenEndpoint": "https://auth.{{ vault.vault_secret('env', 'MY_TLD') }}/api/oidc/token",
+      "Scope": "openid profile email offline_access api",
+      "RedirectURLs": [
+        "http://localhost:53000"
+      ],
+      "UseIDToken": true
+    }
+  }
+}

ansible/app-configs/netbird/openid-configuration.json.j2

@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {
     "issuer": "https://id.trez.wtf",
     "authorization_endpoint": "https://id.trez.wtf/oauth/v2/authorize",

ansible/app-configs/netbird/turnserver.conf.j2

@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 # Coturn TURN SERVER configuration file
 #
 # Boolean values note: where a boolean value is supposed to be used,
@@ -250,7 +251,7 @@ lt-cred-mech
 #user=username1:key1
 #user=username2:key2
 # OR:
-user=self:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_TURN_PASSWORD'] }}
+user=self:{{ vault.vault_secret('env', 'NETBIRD_TURN_PASSWORD') }}
 #user=username2:password2
 #
 # Keys must be generated by turnadmin utility. The key value depends

ansible/app-configs/netbird_management.json.j2

@@ -1,76 +0,0 @@
-{
-  "Stuns": [
-    {
-      "Proto": "udp",
-      "URI": "stun:netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:3478",
-      "Username": "",
-      "Password": null
-    }
-  ],
-  "TURNConfig": {
-    "Turns": [
-      {
-        "Proto": "udp",
-        "URI": "turn:netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:3478",
-        "Username": "self",
-        "Password": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_TURN_PASSWORD'] }}"
-      }
-    ],
-    "CredentialsTTL": "12h",
-    "Secret": "secret",
-    "TimeBasedCredentials": false
-  },
-  "Relay": {
-    "Addresses": [
-      "rel://netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:33080"
-    ],
-    "CredentialsTTL": "24h",
-    "Secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_RELAY_AUTH_SECRET'] }}"
-  },
-  "Signal": {
-    "Proto": "https",
-    "URI": "netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:10001",
-    "Username": "",
-    "Password": null
-  },
-  "ReverseProxy": {
-    "TrustedHTTPProxies": [],
-    "TrustedHTTPProxiesCount": 0,
-    "TrustedPeers": [
-      "0.0.0.0/0"
-    ]
-  },
-  "Datadir": "",
-  "DataStoreEncryptionKey": "",
-  "StoreConfig": {
-    "Engine": "sqlite"
-  },
-  "HttpConfig": {
-    "Address": "0.0.0.0:33073",
-    "AuthIssuer": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}",
-    "AuthAudience": "netbird",
-    "AuthKeysLocation": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/jwks.json",
-    "AuthUserIDClaim": "",
-    "CertFile": "",
-    "CertKey": "",
-    "IdpSignKeyRefreshEnabled": true,
-    "OIDCConfigEndpoint": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/.well-known/openid-configuration"
-  },
-  "IdpManagerConfig": {},
-  "DeviceAuthorizationFlow": {},
-  "PKCEAuthorizationFlow": {
-    "ProviderConfig": {
-      "Audience": "netbird",
-      "ClientID": "netbird",
-      "ClientSecret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_NETBIRD_CLIENT_SECRET'] }}",
-      "Domain": "",
-      "AuthorizationEndpoint": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/api/oidc/authorization",
-      "TokenEndpoint": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/api/oidc/token",
-      "Scope": "openid profile email offline_access api",
-      "RedirectURLs": [
-        "http://localhost:53000"
-      ],
-      "UseIDToken": true
-    }
-  }
-}

ansible/app-configs/plausible/clickhouse-config.xml.j2

@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 

ansible/app-configs/postal/postal.yml.j2

@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 
@@ -18,13 +19,13 @@ web_server:
 main_db:
   host: mariadb
   username: postal
-  password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_MYSQL_PASSWORD'] }}
+  password: {{ vault.vault_secret('env', 'POSTAL_MYSQL_PASSWORD') }}
   database: postal
 
 message_db:
   host: mariadb
   username: postal
-  password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_MYSQL_PASSWORD'] }}
+  password: {{ vault.vault_secret('env', 'POSTAL_MYSQL_PASSWORD') }}
   prefix: postal
 
 smtp_server:
@@ -52,11 +53,11 @@ smtp:
   host: postal-smtp
   port: 25
   username: rinoa/postal-smtp
-  password: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}"
+  password: "{{ vault.vault_secret('env', 'POSTAL_SMTP_AUTH_PASSWORD') }}"
   from_name: Postal @ Rinoa
   from_address: noreply@trez.wtf
 
 rails:
   # This is generated automatically by the config initialization. It should be a random
   # string unique to your installation.
-  secret_key: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_RAILS_SECRET_KEY'] }}"
+  secret_key: "{{ vault.vault_secret('env', 'POSTAL_RAILS_SECRET_KEY') }}"

ansible/app-configs/prowlarr/config.xml.j2

@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 
@@ -7,7 +8,7 @@
   <SslPort>6969</SslPort>
   <EnableSsl>False</EnableSsl>
   <LaunchBrowser>True</LaunchBrowser>
-  <ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['PROWLARR_API_KEY'] }}</ApiKey>
+  <ApiKey>{{ vault.vault_secret('env', 'PROWLARR_API_KEY') }}</ApiKey>
   <AuthenticationMethod>Forms</AuthenticationMethod>
   <AuthenticationRequired>Enabled</AuthenticationRequired>
   <Branch>master</Branch>

ansible/app-configs/radarec/config.json.j2

@@ -1,11 +1,12 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 
 {
     "radarr_address": "http://radarr:7878",
-    "radarr_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['RADARR_API_KEY'] }}",
+    "radarr_api_key": "{{ vault.vault_secret('env', 'RADARR_API_KEY') }}",
     "root_folder_path": "/data/media/movies",
-    "tmdb_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['TMDB_API_KEY'] }}",
+    "tmdb_api_key": "{{ vault.vault_secret('env', 'TMDB_API_KEY') }}",
     "fallback_to_top_result": false,
     "radarr_api_timeout": 120.0,
     "quality_profile_id": 1,

ansible/app-configs/radarr/config.xml.j2

@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 
@@ -8,7 +9,7 @@
   <SslCertPath></SslCertPath>
   <Port>7878</Port>
   <UrlBase></UrlBase>
-  <ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['RADARR_API_KEY'] }}</ApiKey>
+  <ApiKey>{{ vault.vault_secret('env', 'RADARR_API_KEY') }}</ApiKey>
   <AuthenticationMethod>Forms</AuthenticationMethod>
   <UpdateMechanism>Docker</UpdateMechanism>
   <SslPort>9898</SslPort>

ansible/app-configs/readarr/config.xml.j2

@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 
@@ -7,7 +8,7 @@
   <SslPort>6868</SslPort>
   <EnableSsl>False</EnableSsl>
   <LaunchBrowser>True</LaunchBrowser>
-  <ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['READARR_API_KEY'] }}</ApiKey>
+  <ApiKey>{{ vault.vault_secret('env', 'READARR_API_KEY') }}</ApiKey>
   <AuthenticationMethod>Forms</AuthenticationMethod>
   <Branch>develop</Branch>
   <LogLevel>info</LogLevel>

ansible/app-configs/romm/config.yml.j2

@@ -0,0 +1,49 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
+# This is a generic example of a configuration file
+# Rename this file to `config.yml`, copy it to a `config` folder, and mount that folder as per the docker-compose.example.yml
+# Only uncomment the lines you want to use/modify, or add new ones where needed
+
+exclude:
+  # Exclude platforms to be scanned
+  platforms: [] # ['my_excluded_platform_1', 'my_excluded_platform_2']
+
+  # Exclude roms or parts of roms to be scanned
+  roms:
+    # Single file games section.
+    # Will not apply to files that are in sub-folders (multi-disc roms, games with updates, DLC, patches, etc.)
+    single_file:
+      # Exclude all files with certain extensions to be scanned
+      extensions: [] # ['xml', 'txt']
+
+      # Exclude matched file names to be scanned.
+      # Supports unix filename pattern matching
+      # Can also exclude files by extension
+      names: [] # ['info.txt', '._*', '*.nfo']
+
+    # Multi files games section
+    # Will apply to files that are in sub-folders (multi-disc roms, games with updates, DLC, patches, etc.)
+    multi_file:
+      # Exclude matched 'folder' names to be scanned (RomM identifies folders as multi file games)
+      names: [] # ['my_multi_file_game', 'DLC']
+
+      # Exclude files within sub-folders.
+      parts:
+        # Exclude matched file names to be scanned from multi file roms
+        # Keep in mind that RomM doesn't scan folders inside multi files games,
+        # so there is no need to exclude folders from inside of multi files games.
+        names: [] # ['data.xml', '._*'] # Supports unix filename pattern matching
+
+        # Exclude all files with certain extensions to be scanned from multi file roms
+        extensions: [] # ['xml', 'txt']
+
+system:
+  # Asociate different platform names to your current file system platform names
+  # [your custom platform folder name]: [RomM platform name]
+  # In this example if you have a 'gc' folder, RomM will treat it like the 'ngc' folder and if you have a 'psx' folder, RomM will treat it like the 'ps' folder
+  platforms: {} # { gc: 'ngc', psx: 'ps' }
+
+  # Asociate one platform to it's main version
+  versions: {} # { naomi: 'arcade' }
+
+# The folder name where your roms are located
+filesystem: {} # { roms_folder: 'roms' } For example if your folder structure is /home/user/library/roms_folder

ansible/app-configs/sabnzbdvpn/sabnzbd.ini.j2

@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 
@@ -22,7 +23,7 @@ host = 0.0.0.0
 port = 8080
 https_port = 8090
 username = thetrezuredone
-password = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SABNZBDVPN_PASSWORD'] }}
+password = {{ vault.vault_secret('env', 'SABNZBDVPN_PASSWORD') }}
 bandwidth_max = 1000M
 cache_limit = 1G
 web_dir = Glitter
@@ -33,7 +34,7 @@ https_chain = ""
 enable_https = 1
 inet_exposure = 0
 local_ranges = ,
-api_key = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SABNZBDVPN_API_KEY'] }}
+api_key = {{ vault.vault_secret('env', 'SABNZBDVPN_API_KEY') }}
 nzb_key = 3c0fa874bb2748b58c1bd7512e649946
 permissions = 775
 download_dir = /storage/downloads/incomplete
@@ -342,7 +343,7 @@ host = news.newshosting.com
 port = 563
 timeout = 60
 username = thetrezuredone
-password = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSK_USER_PASSWORD'] }}
+password = {{ vault.vault_secret('env', 'SLSK_USER_PASSWORD') }}
 connections = 8
 ssl = 1
 ssl_verify = 3
@@ -363,7 +364,7 @@ host = news.easynews.com
 port = 443
 timeout = 60
 username = TrezOne
-password = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SABNZBDVPN_EASYNEWS_PASSWORD'] }}
+password = {{ vault.vault_secret('env', 'SABNZBDVPN_EASYNEWS_PASSWORD') }}
 connections = 60
 ssl = 0
 ssl_verify = 3

ansible/app-configs/scrutiny/config/config.yaml.j2

@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 

ansible/app-configs/searxng/settings.yml.j2

@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 
@@ -82,7 +83,7 @@ server:
   # If your instance owns a /etc/searxng/settings.yml file, then set the following
   # values there.
 
-  secret_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SEARXNG_SECRET_KEY'] }}  # Is overwritten by ${SEARXNG_SECRET}
+  secret_key: {{ vault.vault_secret('env', 'SEARXNG_SECRET_KEY') }}  # Is overwritten by ${SEARXNG_SECRET}
   # Proxying image results through searx
   image_proxy: true
   # 1.0 and 1.1 are supported
@@ -211,11 +212,13 @@ outgoing:
 
 # Comment or un-comment plugin to activate / deactivate by default.
 #
-# enabled_plugins:
+enabled_plugins:
 #   # these plugins are enabled if nothing is configured ..
-#   - 'Hash plugin'
-#   - 'Self Information'
-#   - 'Tracker URL remover'
+  - 'Hash plugin'
+  - 'Self Information'
+  - 'Tracker URL remover'
+  - 'Basic Calculator'
+  - 'Unit converter plugin'
 #   - 'Ahmia blacklist'  # activation depends on outgoing.using_tor_proxy
 #   # these plugins are disabled if nothing is configured ..
 #   - 'Hostname replace'  # see hostname_replace configuration below

ansible/app-configs/searxng/uwsgi.ini.j2

@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 

ansible/app-configs/signoz/clickhouse/cluster.ha.xml.j2

@@ -0,0 +1,76 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
+<?xml version="1.0"?>
+<clickhouse>
+    <!-- ZooKeeper is used to store metadata about replicas, when using Replicated tables.
+         Optional. If you don't use replicated tables, you could omit that.
+
+         See https://clickhouse.com/docs/en/engines/table-engines/mergetree-family/replication/
+      -->
+    <zookeeper>
+        <node index="1">
+            <host>signoz-zookeeper-1</host>
+            <port>2181</port>
+        </node>
+        <node index="2">
+            <host>zookeeper-2</host>
+            <port>2181</port>
+        </node>
+        <node index="3">
+            <host>zookeeper-3</host>
+            <port>2181</port>
+        </node>
+    </zookeeper>
+
+    <!-- Configuration of clusters that could be used in Distributed tables.
+         https://clickhouse.com/docs/en/operations/table_engines/distributed/
+      -->
+    <remote_servers>
+        <cluster>
+            <!-- Inter-server per-cluster secret for Distributed queries
+                 default: no secret (no authentication will be performed)
+
+                 If set, then Distributed queries will be validated on shards, so at least:
+                 - such cluster should exist on the shard,
+                 - such cluster should have the same secret.
+
+                 And also (and which is more important), the initial_user will
+                 be used as current user for the query.
+
+                 Right now the protocol is pretty simple and it only takes into account:
+                 - cluster name
+                 - query
+
+                 Also it will be nice if the following will be implemented:
+                 - source hostname (see interserver_http_host), but then it will depends from DNS,
+                   it can use IP address instead, but then the you need to get correct on the initiator node.
+                 - target hostname / ip address (same notes as for source hostname)
+                 - time-based security tokens
+            -->
+            <!-- <secret></secret> -->
+            <shard>
+                <!-- Optional. Whether to write data to just one of the replicas. Default: false (write data to all replicas). -->
+                <!-- <internal_replication>false</internal_replication> -->
+                <!-- Optional. Shard weight when writing data. Default: 1. -->
+                <!-- <weight>1</weight> -->
+                <replica>
+                    <host>signoz-clickhouse</host>
+                    <port>9000</port>
+                    <!-- Optional. Priority of the replica for load_balancing. Default: 1 (less value has more priority). -->
+                    <!-- <priority>1</priority> -->
+                </replica>
+            </shard>
+            <shard>
+                <replica>
+                    <host>clickhouse-2</host>
+                    <port>9000</port>
+                </replica>
+            </shard>
+            <shard>
+                <replica>
+                    <host>clickhouse-3</host>
+                    <port>9000</port>
+                </replica>
+            </shard>
+        </cluster>
+    </remote_servers>
+</clickhouse>

ansible/app-configs/signoz/clickhouse/cluster.xml.j2

@@ -0,0 +1,76 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
+<?xml version="1.0"?>
+<clickhouse>
+    <!-- ZooKeeper is used to store metadata about replicas, when using Replicated tables.
+         Optional. If you don't use replicated tables, you could omit that.
+
+         See https://clickhouse.com/docs/en/engines/table-engines/mergetree-family/replication/
+      -->
+    <zookeeper>
+        <node index="1">
+            <host>signoz-zookeeper-1</host>
+            <port>2181</port>
+        </node>
+        <!-- <node index="2">
+            <host>zookeeper-2</host>
+            <port>2181</port>
+        </node>
+        <node index="3">
+            <host>zookeeper-3</host>
+            <port>2181</port>
+        </node> -->
+    </zookeeper>
+
+    <!-- Configuration of clusters that could be used in Distributed tables.
+         https://clickhouse.com/docs/en/operations/table_engines/distributed/
+      -->
+    <remote_servers>
+        <cluster>
+            <!-- Inter-server per-cluster secret for Distributed queries
+                 default: no secret (no authentication will be performed)
+
+                 If set, then Distributed queries will be validated on shards, so at least:
+                 - such cluster should exist on the shard,
+                 - such cluster should have the same secret.
+
+                 And also (and which is more important), the initial_user will
+                 be used as current user for the query.
+
+                 Right now the protocol is pretty simple and it only takes into account:
+                 - cluster name
+                 - query
+
+                 Also it will be nice if the following will be implemented:
+                 - source hostname (see interserver_http_host), but then it will depends from DNS,
+                   it can use IP address instead, but then the you need to get correct on the initiator node.
+                 - target hostname / ip address (same notes as for source hostname)
+                 - time-based security tokens
+            -->
+            <!-- <secret></secret> -->
+            <shard>
+                <!-- Optional. Whether to write data to just one of the replicas. Default: false (write data to all replicas). -->
+                <!-- <internal_replication>false</internal_replication> -->
+                <!-- Optional. Shard weight when writing data. Default: 1. -->
+                <!-- <weight>1</weight> -->
+                <replica>
+                    <host>signoz-clickhouse</host>
+                    <port>9000</port>
+                    <!-- Optional. Priority of the replica for load_balancing. Default: 1 (less value has more priority). -->
+                    <!-- <priority>1</priority> -->
+                </replica>
+            </shard>
+            <!-- <shard>
+                <replica>
+                    <host>clickhouse-2</host>
+                    <port>9000</port>
+                </replica>
+            </shard>
+            <shard>
+                <replica>
+                    <host>clickhouse-3</host>
+                    <port>9000</port>
+                </replica>
+            </shard> -->
+        </cluster>
+    </remote_servers>
+</clickhouse>

ansible/app-configs/signoz/clickhouse/custom-function.xml.j2

@@ -0,0 +1,22 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
+<functions>
+    <function>
+        <type>executable</type>
+        <name>histogramQuantile</name>
+        <return_type>Float64</return_type>
+        <argument>
+            <type>Array(Float64)</type>
+            <name>buckets</name>
+        </argument>
+        <argument>
+            <type>Array(Float64)</type>
+            <name>counts</name>
+        </argument>
+        <argument>
+            <type>Float64</type>
+            <name>quantile</name>
+        </argument>
+        <format>CSV</format>
+        <command>./histogramQuantile</command>
+    </function>
+</functions>

ansible/app-configs/signoz/clickhouse/storage.xml.j2

@@ -0,0 +1,42 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
+<?xml version="1.0"?>
+<clickhouse>
+<storage_configuration>
+    <disks>
+        <default>
+            <keep_free_space_bytes>10485760</keep_free_space_bytes>
+        </default>
+        <s3>
+            <type>s3</type>
+            <!-- For S3 cold storage,
+                    if region is us-east-1, endpoint can be https://<bucket-name>.s3.amazonaws.com
+                    if region is not us-east-1, endpoint should be https://<bucket-name>.s3-<region>.amazonaws.com
+                For GCS cold storage,
+                    endpoint should be https://storage.googleapis.com/<bucket-name>/data/
+                -->
+            <endpoint>https://BUCKET-NAME.s3-REGION-NAME.amazonaws.com/data/</endpoint>
+            <access_key_id>ACCESS-KEY-ID</access_key_id>
+            <secret_access_key>SECRET-ACCESS-KEY</secret_access_key>
+            <!-- In case of S3, uncomment the below configuration in case you want to read
+                AWS credentials from the Environment variables if they exist. -->
+            <!-- <use_environment_credentials>true</use_environment_credentials> -->
+            <!-- In case of GCS, uncomment the below configuration, since GCS does
+                not support batch deletion and result in error messages in logs. -->
+            <!-- <support_batch_delete>false</support_batch_delete> -->
+        </s3>
+   </disks>
+   <policies>
+       <tiered>
+           <volumes>
+                <default>
+                    <disk>default</disk>
+                </default>
+                <s3>
+                    <disk>s3</disk>
+                    <perform_ttl_move_on_insert>0</perform_ttl_move_on_insert>
+                </s3>
+            </volumes>
+        </tiered>
+    </policies>
+</storage_configuration>
+</clickhouse>

ansible/app-configs/signoz/clickhouse/users.xml.j2

@@ -0,0 +1,124 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
+<?xml version="1.0"?>
+<clickhouse>
+    <!-- See also the files in users.d directory where the settings can be overridden. -->
+
+    <!-- Profiles of settings. -->
+    <profiles>
+        <!-- Default settings. -->
+        <default>
+            <!-- Maximum memory usage for processing single query, in bytes. -->
+            <max_memory_usage>10000000000</max_memory_usage>
+
+            <!-- How to choose between replicas during distributed query processing.
+                 random - choose random replica from set of replicas with minimum number of errors
+                 nearest_hostname - from set of replicas with minimum number of errors, choose replica
+                  with minimum number of different symbols between replica's hostname and local hostname
+                  (Hamming distance).
+                 in_order - first live replica is chosen in specified order.
+                 first_or_random - if first replica one has higher number of errors, pick a random one from replicas with minimum number of errors.
+            -->
+            <load_balancing>random</load_balancing>
+        </default>
+
+        <!-- Profile that allows only read queries. -->
+        <readonly>
+            <readonly>1</readonly>
+        </readonly>
+    </profiles>
+
+    <!-- Users and ACL. -->
+    <users>
+        <!-- If user name was not specified, 'default' user is used. -->
+        <default>
+            <!-- See also the files in users.d directory where the password can be overridden.
+
+                 Password could be specified in plaintext or in SHA256 (in hex format).
+
+                 If you want to specify password in plaintext (not recommended), place it in 'password' element.
+                 Example: <password>qwerty</password>.
+                 Password could be empty.
+
+                 If you want to specify SHA256, place it in 'password_sha256_hex' element.
+                 Example: <password_sha256_hex>65e84be33532fb784c48129675f9eff3a682b27168c0ea744b2cf58ee02337c5</password_sha256_hex>
+                 Restrictions of SHA256: impossibility to connect to ClickHouse using MySQL JS client (as of July 2019).
+
+                 If you want to specify double SHA1, place it in 'password_double_sha1_hex' element.
+                 Example: <password_double_sha1_hex>e395796d6546b1b65db9d665cd43f0e858dd4303</password_double_sha1_hex>
+
+                 If you want to specify a previously defined LDAP server (see 'ldap_servers' in the main config) for authentication,
+                  place its name in 'server' element inside 'ldap' element.
+                 Example: <ldap><server>my_ldap_server</server></ldap>
+
+                 If you want to authenticate the user via Kerberos (assuming Kerberos is enabled, see 'kerberos' in the main config),
+                  place 'kerberos' element instead of 'password' (and similar) elements.
+                 The name part of the canonical principal name of the initiator must match the user name for authentication to succeed.
+                 You can also place 'realm' element inside 'kerberos' element to further restrict authentication to only those requests
+                  whose initiator's realm matches it.
+                 Example: <kerberos />
+                 Example: <kerberos><realm>EXAMPLE.COM</realm></kerberos>
+
+                 How to generate decent password:
+                 Execute: PASSWORD=$(base64 < /dev/urandom | head -c8); echo "$PASSWORD"; echo -n "$PASSWORD" | sha256sum | tr -d '-'
+                 In first line will be password and in second - corresponding SHA256.
+
+                 How to generate double SHA1:
+                 Execute: PASSWORD=$(base64 < /dev/urandom | head -c8); echo "$PASSWORD"; echo -n "$PASSWORD" | sha1sum | tr -d '-' | xxd -r -p | sha1sum | tr -d '-'
+                 In first line will be password and in second - corresponding double SHA1.
+            -->
+            <password></password>
+
+            <!-- List of networks with open access.
+
+                 To open access from everywhere, specify:
+                    <ip>::/0</ip>
+
+                 To open access only from localhost, specify:
+                    <ip>::1</ip>
+                    <ip>127.0.0.1</ip>
+
+                 Each element of list has one of the following forms:
+                 <ip> IP-address or network mask. Examples: 213.180.204.3 or 10.0.0.1/8 or 10.0.0.1/255.255.255.0
+                     2a02:6b8::3 or 2a02:6b8::3/64 or 2a02:6b8::3/ffff:ffff:ffff:ffff::.
+                 <host> Hostname. Example: server01.clickhouse.com.
+                     To check access, DNS query is performed, and all received addresses compared to peer address.
+                 <host_regexp> Regular expression for host names. Example, ^server\d\d-\d\d-\d\.clickhouse\.com$
+                     To check access, DNS PTR query is performed for peer address and then regexp is applied.
+                     Then, for result of PTR query, another DNS query is performed and all received addresses compared to peer address.
+                     Strongly recommended that regexp is ends with $
+                 All results of DNS requests are cached till server restart.
+            -->
+            <networks>
+                <ip>::/0</ip>
+            </networks>
+
+            <!-- Settings profile for user. -->
+            <profile>default</profile>
+
+            <!-- Quota for user. -->
+            <quota>default</quota>
+
+            <!-- User can create other users and grant rights to them. -->
+            <!-- <access_management>1</access_management> -->
+        </default>
+    </users>
+
+    <!-- Quotas. -->
+    <quotas>
+        <!-- Name of quota. -->
+        <default>
+            <!-- Limits for time interval. You could specify many intervals with different limits. -->
+            <interval>
+                <!-- Length of interval. -->
+                <duration>3600</duration>
+
+                <!-- No limits. Just calculate resource usage for time interval. -->
+                <queries>0</queries>
+                <errors>0</errors>
+                <result_rows>0</result_rows>
+                <read_rows>0</read_rows>
+                <execution_time>0</execution_time>
+            </interval>
+        </default>
+    </quotas>
+</clickhouse>

ansible/app-configs/signoz/otel/otel-collector-config.yaml.j2

@@ -0,0 +1,104 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
+receivers:
+  otlp:
+    protocols:
+      grpc:
+        endpoint: 0.0.0.0:4317
+      http:
+        endpoint: 0.0.0.0:4318
+  prometheus:
+    config:
+      global:
+        scrape_interval: 60s
+      scrape_configs:
+        - job_name: otel-collector
+          static_configs:
+          - targets:
+              - localhost:8888
+            labels:
+              job_name: otel-collector
+processors:
+  batch:
+    send_batch_size: 10000
+    send_batch_max_size: 11000
+    timeout: 10s
+  resourcedetection:
+    # Using OTEL_RESOURCE_ATTRIBUTES envvar, env detector adds custom labels.
+    detectors: [env, system]
+    timeout: 2s
+  signozspanmetrics/delta:
+    metrics_exporter: clickhousemetricswrite, signozclickhousemetrics
+    metrics_flush_interval: 60s
+    latency_histogram_buckets: [100us, 1ms, 2ms, 6ms, 10ms, 50ms, 100ms, 250ms, 500ms, 1000ms, 1400ms, 2000ms, 5s, 10s, 20s, 40s, 60s ]
+    dimensions_cache_size: 100000
+    aggregation_temporality: AGGREGATION_TEMPORALITY_DELTA
+    enable_exp_histogram: true
+    dimensions:
+      - name: service.namespace
+        default: default
+      - name: deployment.environment
+        default: default
+      # This is added to ensure the uniqueness of the timeseries
+      # Otherwise, identical timeseries produced by multiple replicas of
+      # collectors result in incorrect APM metrics
+      - name: signoz.collector.id
+      - name: service.version
+      - name: browser.platform
+      - name: browser.mobile
+      - name: k8s.cluster.name
+      - name: k8s.node.name
+      - name: k8s.namespace.name
+      - name: host.name
+      - name: host.type
+      - name: container.name
+extensions:
+  health_check:
+    endpoint: 0.0.0.0:13133
+  pprof:
+    endpoint: 0.0.0.0:1777
+exporters:
+  clickhousetraces:
+    datasource: tcp://clickhouse:9000/signoz_traces
+    low_cardinal_exception_grouping: ${env:LOW_CARDINAL_EXCEPTION_GROUPING}
+    use_new_schema: true
+  clickhousemetricswrite:
+    endpoint: tcp://clickhouse:9000/signoz_metrics
+    disable_v2: true
+    resource_to_telemetry_conversion:
+      enabled: true
+  clickhousemetricswrite/prometheus:
+    endpoint: tcp://clickhouse:9000/signoz_metrics
+    disable_v2: true
+  signozclickhousemetrics:
+    dsn: tcp://clickhouse:9000/signoz_metrics
+  clickhouselogsexporter:
+    dsn: tcp://clickhouse:9000/signoz_logs
+    timeout: 10s
+    use_new_schema: true
+  # debug: {}
+service:
+  telemetry:
+    logs:
+      encoding: json
+    metrics:
+      address: 0.0.0.0:8888
+  extensions:
+    - health_check
+    - pprof
+  pipelines:
+    traces:
+      receivers: [otlp]
+      processors: [signozspanmetrics/delta, batch]
+      exporters: [clickhousetraces]
+    metrics:
+      receivers: [otlp]
+      processors: [batch]
+      exporters: [clickhousemetricswrite, signozclickhousemetrics]
+    metrics/prometheus:
+      receivers: [prometheus]
+      processors: [batch]
+      exporters: [clickhousemetricswrite/prometheus, signozclickhousemetrics]
+    logs:
+      receivers: [otlp]
+      processors: [batch]
+      exporters: [clickhouselogsexporter]

ansible/app-configs/signoz/otel/otel-collector-opamp-config.yaml.j2

@@ -0,0 +1,2 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
+server_endpoint: ws://signoz:4320/v1/opamp

ansible/app-configs/signoz/prometheus.yml.j2

@@ -0,0 +1,26 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
+# my global config
+global:
+  scrape_interval:     5s # Set the scrape interval to every 15 seconds. Default is every 1 minute.
+  evaluation_interval: 15s # Evaluate rules every 15 seconds. The default is every 1 minute.
+  # scrape_timeout is set to the global default (10s).
+
+# Alertmanager configuration
+alerting:
+  alertmanagers:
+  - static_configs:
+    - targets:
+      - alertmanager:9093
+
+# Load rules once and periodically evaluate them according to the global 'evaluation_interval'.
+rule_files: []
+  # - "first_rules.yml"
+  # - "second_rules.yml"
+  # - 'alerts.yml'
+
+# A scrape configuration containing exactly one endpoint to scrape:
+# Here it's Prometheus itself.
+scrape_configs: []
+
+remote_read:
+  - url: tcp://clickhouse:9000/signoz_metrics

ansible/app-configs/sonarr/config.xml.j2

@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 
@@ -8,7 +9,7 @@
   <SslPort>9898</SslPort>
   <UrlBase></UrlBase>
   <BindAddress>*</BindAddress>
-  <ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SONARR_API_KEY'] }}</ApiKey>
+  <ApiKey>{{ vault.vault_secret('env', 'SONARR_API_KEY') }}</ApiKey>
   <AuthenticationMethod>Forms</AuthenticationMethod>
   <UpdateMechanism>Docker</UpdateMechanism>
   <LaunchBrowser>True</LaunchBrowser>

ansible/app-configs/sonashow/config.json.j2

@@ -1,12 +1,13 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 
 {
     "sonarr_address": "http://192.168.1.2:8989",
-    "sonarr_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SONARR_API_KEY'] }}",
+    "sonarr_api_key": "{{ vault.vault_secret('env', 'SONARR_API_KEY') }}",
     "root_folder_path": "/data/media/shows",
     "tvdb_api_key": "",
-    "tmdb_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['TMDB_API_KEY'] }}",
+    "tmdb_api_key": "{{ vault.vault_secret('env', 'TMDB_API_KEY') }}",
     "fallback_to_top_result": false,
     "sonarr_api_timeout": 120.0,
     "quality_profile_id": 1,

ansible/app-configs/soularr/config.ini.j2

@@ -1,8 +1,9 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 
 [Lidarr]
-api_key = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIDARR_API_KEY'] }}
+api_key = {{ vault.vault_secret('env', 'LIDARR_API_KEY') }}
 host_url = http://lidarr:8686
 #This should be the path mounted in lidarr that points to your slskd download directory.
 #If Lidarr is not running in Docker then this may just be the same dir as Slskd is using below.
@@ -10,7 +11,7 @@ download_dir = /storage
 
 [Slskd]
 #Api key from Slskd. Need to set this up manually. See link to Slskd docs above.
-api_key = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSKD_API_KEY'] }}
+api_key = {{ vault.vault_secret('env', 'SLSKD_API_KEY') }}
 host_url = http://gluetun:5030
 #Slskd download directory. Should have set it up when installing Slskd.
 download_dir = /app/downloads

ansible/app-configs/soulseek/slskd.yml.j2

@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 
@@ -198,15 +199,15 @@ rooms:
 web:
   authentication:
     username: slskd
-    password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSKD_WEB_PASSSWORD'] }}
+    password: {{ vault.vault_secret('env', 'SLSKD_WEB_PASSSWORD') }}
     api_keys:
       my_api_key:
-        key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSKD_API_KEY'] }}
+        key: {{ vault.vault_secret('env', 'SLSKD_API_KEY') }}
         role: readwrite
         cidr: 0.0.0.0/0,::/0
 soulseek:
   address: vps.slsknet.org
   port: 2271
   username: Trez.One
-  password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSK_USER_PASSWORD'] }}
+  password: {{ vault.vault_secret('env', 'SLSK_USER_PASSWORD') }}
   diagnostic_level: Info

ansible/app-configs/sourcebot/config.json.j2

@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 
@@ -6,7 +7,7 @@
   "repos": [
       {
           "type": "gitea",
-          "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_GITEA_TOKEN'] }}",
+          "token": "{{ vault.vault_secret('env', 'GITEA_SONARQUBE_BOT_GITEA_TOKEN') }}",
           "url": "https://git.trez.wtf",
           "revisions": {
               "branches": [

ansible/app-configs/traccar/traccar.xml.j2

@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 
@@ -24,6 +25,6 @@
     <entry key='database.driver'>org.postgresql.Driver</entry>
     <entry key='database.url'>jdbc:postgresql://traccar-pg:5432/traccar-db</entry>
     <entry key='database.user'>traccar</entry>
-    <entry key='database.password'>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['WAZUH_API_PASSWORD'] }}</entry>
+    <entry key='database.password'>{{ vault.vault_secret('env', 'WAZUH_API_PASSWORD') }}</entry>
 
 </properties>

ansible/app-configs/unmanic/settings.json.j2

@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 

ansible/app-configs/vector/vector.yaml.j2

@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
   sources:
     rinoa_docker_logs:
       type: docker_logs
@@ -21,7 +22,7 @@
       auth:
         strategy: basic
         user: admin
-        password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['PARSEABLE_PASSWORD'] }}
+        password: {{ vault.vault_secret('env', 'PARSEABLE_PASSWORD') }}
       request:
         headers:
           X-P-Stream: rinoa-docker-logs

ansible/app-configs/wazuh/certs.yml.j2

@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 

ansible/app-configs/wazuh/wazuh.indexer.yml.j2

@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 

ansible/app-configs/wazuh/wazuh.yml.j2

@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 
@@ -6,5 +7,5 @@ hosts:
       url: "https://wazuh.manager"
       port: 55000
       username: wazuh-wui
-      password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['WAZUH_API_PASSWORD'] }}
+      password: {{ vault.vault_secret('env', 'WAZUH_API_PASSWORD') }}
       run_as: false

ansible/app-configs/youtubedl/config.yml.j2

@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 

ansible/app-configs/zitadel/config.yaml.j2

@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 
@@ -37,7 +38,7 @@ SMTPConfiguration:
     SMTP:
       # must include the port, like smtp.mailtrap.io:2525. IPv6 is also supported, like [2001:db8::1]:2525
       Host: 'postal-smtp:25'
-      User: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}
-      Password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}
+      User: {{ vault.vault_secret('env', 'POSTAL_SMTP_AUTH_USER') }}
+      Password: {{ vault.vault_secret('env', 'POSTAL_SMTP_AUTH_PASSWORD') }}
     From: 'noreply@trez.wtf'
     FromName: 'Zitadel @ Rinoa'

ansible/app-configs/zitadel/init-steps.yaml.j2

@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 

ansible/app-configs/zitadel/secrets.yaml.j2

@@ -0,0 +1,14 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+# If not using the docker compose example, adjust these values for connecting ZITADEL to your PostgreSQL
+Database:
+  postgres:
+    User:
+      # If the user doesn't exist already, it is created
+      Username: 'zitadel'
+      Password: {{ vault.vault_secret('env', 'ZITADEL_DB_PASSWORD') }}
+    Admin:
+      Username: 'root'
+      Password: {{ vault.vault_secret('env', 'ZITADEL_DB_ADMIN_PASSWORD') }}

ansible/app-configs/zitadel_secrets.yaml.j2

@@ -1,13 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-# If not using the docker compose example, adjust these values for connecting ZITADEL to your PostgreSQL
-Database:
-  postgres:
-    User:
-      # If the user doesn't exist already, it is created
-      Username: 'zitadel'
-      Password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['ZITADEL_DB_PASSWORD'] }}
-    Admin:
-      Username: 'root'
-      Password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['ZITADEL_DB_ADMIN_PASSWORD'] }}

ansible/docker_config_deploy.yml

@@ -1,20 +1,42 @@
----
 - name: Deploy Docker Service Configurations
   hosts: rinoa
   vars:
     appdata_base_path: "~/.docker/config/appdata"
+    template_base_path: "{{ playbook_dir }}/app-configs"
 
   tasks:
+    - name: Recursively collect all Jinja2 templates (*.j2)
+      ansible.builtin.find:
+        paths: "{{ template_base_path }}"
+        patterns: "*.j2"
+        recurse: true
+      register: template_files
+
+    - name: Set relative template path (without .j2) for each file
+      ansible.builtin.set_fact:
+        rel_template_path: >-
+          {{ item.path
+             | regex_replace('^' + (template_base_path | regex_escape) + '/', '')
+             | regex_replace('\\.j2$', '') }}
+      loop: "{{ template_files.files }}"
+      loop_control:
+        loop_var: item
+      register: rel_paths
+
     - name: Ensure target directories exist
       ansible.builtin.file:
-        path: "{{ appdata_base_path }}/{{ (item | basename | regex_replace('\\.j2$', '') | regex_replace('_', '/') | regex_replace('/[^/]+$', '')) }}"
+        path: "{{ appdata_base_path }}/{{ item.ansible_facts.rel_template_path | dirname }}"
         state: directory
         mode: '0755'
-      loop: "{{ query('fileglob', 'app-configs/*.j2') }}"
+      loop: "{{ rel_paths.results }}"
+      loop_control:
+        label: "{{ item.ansible_facts.rel_template_path }}"
 
-    - name: Deploy configuration templates
+    - name: Deploy rendered templates
       ansible.builtin.template:
-        src: "{{ item }}"
-        dest: "{{ appdata_base_path }}/{{ item | basename | regex_replace('\\.j2$', '') | regex_replace('_', '/') }}"
+        src: "{{ item.item.path | regex_replace('^' + (playbook_dir | regex_escape) + '/', '') }}"
+        dest: "{{ appdata_base_path }}/{{ item.ansible_facts.rel_template_path }}"
         mode: '0644'
-      loop: "{{ query('fileglob', 'app-configs/*.j2') }}"
+      loop: "{{ rel_paths.results }}"
+      loop_control:
+        label: "{{ item.ansible_facts.rel_template_path }}"

ansible/group_vars/all.yml

@@ -1,14 +1,14 @@
 vault_addr: "https://vault.trez.wtf"
 vault_token: !vault |
   $ANSIBLE_VAULT;1.1;AES256
-  61383638616263666539386332333638356662623166393234383666366265346537353533653833
-  3333313230636166663734356261316132393834613737630a386166376365333862383031343838
-  35346338633530636463643165623432353466363230646239656463333263373738663639313136
-  3966633235393937350a343337613061616238323238386332363635623932333230323037353136
-  66616561613038656462636565656361613065373238613862386235623265396133633034326563
-  32663532343137366334366630356232313865666661326337326263613262306637663434646639
-  61623030383963623332333135396363643036646461303438643233313136346139343232353535
-  39356432623161333661333266333937626364643964333839333934306364373234653761326638
-  33396534396163373034666164393039303639643431353662666265666264353062
+  62353532343234343230663331623062376533346166343963383464303535646362376233663361
+  3532343530653365663331393339646337653564316337390a646264353561623132366635343032
+  63326535376434353837663334366336613631346161363034646134333439613531376362646161
+  6438316662626566340a346665666234386630633764376336333063363934643162393565386330
+  35333139303939613232303264646236326637613862303339353334623066393966353032333839
+  33323962303635333335376364366336663035303530396262356130373537363134303937353433
+  34393338336666396338616465666466613931373461663761366235643437646136373039353939
+  33643133313264303637646336653537383337336661313765663366356262343064316334313337
+  35306232303132653566356130343366313139336665313737363732613261623439
 vault_token_cleaned: "{{ vault_token | regex_replace('\\n', '') }}"
 secrets_path: "rinoa-docker/env"

ansible/inventory/host_vars.yml

@@ -1,13 +1,13 @@
 rinoa:
-        ansible_host: 192.168.1.254
-        ansible_python_interpreter: /usr/bin/python3
-        ansible_ssh_port: 22
-        ansible_ssh_user: charish
-        ansible_ssh_pass: !vault |
-                $ANSIBLE_VAULT;1.1;AES256
-                38346631616139316365316566386362396661323163306339303635646331373061323531626431
-                3435373031363739356261656239633835393963636663370a613166653463656337666366633639
-                37373637326633363430633336646165343764303063663636313835326130663532323037663331
-                6332353339656134370a353435396532663932313535646636333262353238386331313764633635
-                63383065623930653134666261353439366535646661383434386261393232373432353937636535
-                3432336137393737643735346665303832653630316439333565
+  ansible_host: 192.168.1.254
+  ansible_python_interpreter: /usr/bin/python3
+  ansible_ssh_port: 22
+  ansible_ssh_user: charish
+  ansible_ssh_pass: !vault |
+    $ANSIBLE_VAULT;1.1;AES256
+    32303262303733356636343163363062383539623938383439373166623236366664333830653163
+    3134323461373461663638333265643631666437306362350a353632313337316535633838343137
+    37353139396531613763393139653231333666363935613462343831303866363863653161636138
+    3438316261363139650a313161643039366438356462383730663839366562333464636130346132
+    31363235326362396630313966303064373532306638383739373739336661346438336534366537
+    6565643866333964353563346433323861346262323933333732

ansible/macros/rinoa-macros.j2

@@ -0,0 +1,3 @@
+{% macro vault_secret(secret_path, key) %}
+{{ lookup('community.hashi_vault.vault_kv2_get', secret_path, engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret'][key] }}
+{% endmacro %}

ansible/ssh_pass.yml

@@ -1,7 +1,7 @@
 $ANSIBLE_VAULT;1.1;AES256
-65353131326537376561616630666531353731653835306564323565383332653437633533313932
-6239663065306339366536326432323534303364663862350a353034623936363066303164333434
-32666331326332363463383234316136323031626330366132643034376439616339396662636236
-3633393039376438630a326138653031656465373966356564336463643465613638313838393166
-36626366356266636535613862333631386231626134376264363731353264613261633037646662
-6431393837653564366531316332616232336365636533643036
+32303262303733356636343163363062383539623938383439373166623236366664333830653163
+3134323461373461663638333265643631666437306362350a353632313337316535633838343137
+37353139396531613763393139653231333666363935613462343831303866363863653161636138
+3438316261363139650a313161643039366438356462383730663839366562333464636130346132
+31363235326362396630313966303064373532306638383739373739336661346438336534366537
+6565643866333964353563346433323861346262323933333732