Reorganizing configs.

Modifying Playbook to adhere to dir structure.
Auto Merge of PR 63 - crowdsec-clean-up
2025-06-11 20:17:16 -04:00 · 2025-06-11 20:17:16 -04:00 · 2025-06-11 18:26:24 -04:00 · 2025-06-11 18:11:57 -04:00 · 2025-06-11 16:39:15 -04:00 · 2025-06-11 16:21:48 -04:00
164 changed files with 25388 additions and 6248 deletions
@@ -1,163 +0,0 @@
-name: Gitea Branch PR, SonarQube Analyze, and Merge Workflow
-
-on:
-  push:
-    branches-ignore:
-      - main
-
-jobs:
-  # Job 1: Check if PR exists and create one if the branch is new
-  check-and-create-pr:
-    name: Check and Create PR
-    runs-on: ubuntu-latest
-    outputs:
-      pr_created: ${{ steps.cc-pr.outputs.pr_created }}
-      pr_number: ${{ steps.cc-pr.outputs.pr_index }}
-    steps:
-      - name: Checkout Code
-        uses: actions/checkout@v4
-
-      - name: PR Check/Create
-        id: cc-pr
-        run: |
-          echo "Checking for existing PR..."
-          pr_check=$(curl ${{ vars.RINOA_GITEA_URL }}/api/v1/repos/${{ github.repository }}/pulls/main/${{ github.ref_name }} \
-            -X 'GET' \
-            -H 'Accept: application/json' \
-            -H 'Authorization: token ${{ secrets.BOT_GITEA_TOKEN }}' \
-            -s | jq '{index: .number, state: .state}')
-          pr_status=$(echo ${pr_check} | jq -r '.state')
-          if [ "${pr_status}" == "open" ]; then
-            echo "PR already exists. PR number: $(echo ${pr_check} | jq -r '.index')"
-            echo "pr_created=false" >> "$GITHUB_OUTPUT"
-            echo "pr_index=$(echo ${pr_check} | jq -r '.index')" >> "$GITHUB_OUTPUT"
-          elif [ "${pr_status}" == "closed" ]; then
-            echo "PR does not exist. Creating PR..."
-            pr_response=$(curl ${{ vars.RINOA_GITEA_URL }}/api/v1/repos/${{ github.repository }}/pulls -s \
-              -X 'POST' \
-              -H 'Accept: application/json' \
-              -H 'Authorization: token ${{ secrets.BOT_GITEA_TOKEN }}' \
-              -H 'Content-Type: application/json' \
-              -d '{
-                "base": "main",
-                "head": "'"${{ github.ref_name }}"'",
-                "title": "Automated PR for branch '"${{ github.ref_name }}"'",
-                "body": "This is an automated PR created for branch '"${{ github.ref_name }}"'."
-              }')
-            pr_index=$(echo ${pr_response} | jq -r '.number')
-            echo "PR created. PR number: ${pr_index}"
-            echo "pr_created=true" >> "$GITHUB_OUTPUT"
-            echo "pr_index=${pr_index}" >> "$GITHUB_OUTPUT"
-          else
-            echo "Error checking for existing PR. Exiting..."
-            exit 1
-          fi
-
-  sonarqube-analysis:
-    name: SonarQube Analysis
-    runs-on: ubuntu-latest
-    needs: check-and-create-pr
-    outputs:
-      qg_status: ${{ steps.quality-gate.outputs.quality-gate-status }}
-    steps:
-      - name: Checkout Code
-        uses: actions/checkout@v4
-
-      - name: SonarQube Scan
-        uses: sonarsource/sonarqube-scan-action@v4.1.0
-        env:
-          SONAR_HOST_URL: ${{ secrets.SONARQUBE_HOST }}
-          SONAR_TOKEN: ${{ secrets.SONARQUBE_TOKEN }}
-
-      - name: SonarQube Quality Gate
-        id: quality-gate
-        uses: sonarsource/sonarqube-quality-gate-action@v1.1.0
-        env:
-          SONAR_HOST_URL: ${{ secrets.SONARQUBE_HOST }}
-          SONAR_TOKEN: ${{ secrets.SONARQUBE_TOKEN }}
-
-      - name: Custom Quality Gate Check
-        uses: DesarrolloORT/sonarqube-quality-gate-action@v1.0.1
-        id: quality-gate-check
-        with:
-          sonar-project-key: rinoa-docker
-          sonar-host-url: ${{ secrets.SONARQUBE_HOST }}
-          sonar-token: ${{ secrets.SONARQUBE_TOKEN }}
-
-      - name: JSON clean-up for proccessing...
-        id: json-cleanup
-        run: |
-          echo "Cleaning up quality gate response..."
-          echo '${{ steps.quality-gate-check.outputs.quality-gate-result }}' > qg_input.txt
-          sed -E 's/([a-zA-Z0-9_]+):/\\"\1\\":/g; s/:([^",{}\[\]]+)/:"\1"/g' qg_input.txt > qg_raw.json
-          jq -c '.' qg_raw.json > qg_fixed_json.json
-          projstatus=$(jq -r '.projectStatus.status' qg_fixed_json.json)
-          caycStatus=$(jq -r '.projectStatus.caycStatus' qg_fixed_json.json)
-          conditions=$(jq -c '.projectStatus.conditions' qg_fixed_json.json)
-          echo "projstatus=${projstatus}" >> $GITHUB_OUTPUT
-          echo "caycStatus=${caycStatus}" >> $GITHUB_OUTPUT
-          echo "conditions=${conditions}" >> $GITHUB_OUTPUT
-
-      - name: Convert JSON to Markdown Table
-        id: convert-json-to-md
-        uses: buildingcash/json-to-markdown-table-action@v1.1.0
-        with:
-          json: "${{ steps.json-cleanup.outputs.conditions }}"
-
-      - name: Post SonarQube Results as Comment
-        env:
-          PR_NUMBER: ${{ needs.check-and-create-pr.outputs.pr_number }}
-          SQ_RESULTS: ${{ steps.convert-json-to-md.outputs.table }}
-          QG_STATUS: ${{ steps.quality-gate.outputs.quality-gate-status }}
-          RINOA_GITEA_URL: ${{ vars.RINOA_GITEA_URL }}
-          GITHUB_REPOSITORY: ${{ github.repository }}
-          BOT_GITEA_TOKEN: ${{ secrets.BOT_GITEA_TOKEN }}
-        run: |
-          formatted_results=$(echo "${SQ_RESULTS}" | sed 's/\\n/\
-          /g')
-          payload=$(jq -n \
-            --arg body "SonarQube analysis results:
-                <br>
-                ${{ env.SQ_RESULTS }}" \
-            '{ body: $body }')
-            
-          response=$(curl -s -o response.json -w "%{http_code}" \
-            -X POST \
-            -H "Accept: application/json" \
-            -H "Authorization: token ${BOT_GITEA_TOKEN}" \
-            -H "Content-Type: application/json" \
-            -d "$payload" \
-            "${RINOA_GITEA_URL}/api/v1/repos/${GITHUB_REPOSITORY}/pulls/${PR_NUMBER}/reviews")
-
-  dry-run-merge-pr:
-    runs-on: ubuntu-latest
-    name: Dry Run & PR Merge
-    needs: sonarqube-analysis
-    if: needs.sonarqube-analysis.outputs.qg_status == 'PASSED'
-    steps:
-      - name: Checkout Code
-        uses: actions/checkout@v4
-        
-      - name: Generate Ephemeral .env for Docker Compose Dry Run
-        run: |
-          echo "${{ secrets.RINOA_ENV }}" > .env
-
-      - name: Docker Compose Dry Run
-        uses: s3i7h/spin-up-docker-compose-action@v1.2
-        env:
-          DOCKER_HOST: tcp://dockerproxy:2375
-        with:
-          file: docker-compose.yml
-          pull: true
-          pull-opts: --dry-run
-          up: true
-          up-opts: -d --dry-run
-
-      - name: Tea CLI Setup & PR Merge
-        run: |
-          curl -sSL https://dl.gitea.com/tea/main/tea-main-linux-amd64 -o /usr/local/bin/tea
-          chmod +x /usr/local/bin/tea
-          echo "Merging PR..."
-          tea login add --name gitea-rinoa --url "${{ vars.RINOA_GITEA_URL }}" --user gitea-sonarqube-bot --password "${{ secrets.BOT_GITEA_PASSWORD }}" --token "${{ secrets.BOT_GITEA_TOKEN }}"
-          pr_index=$(tea pr ls --repo ${{ github.repository }} --state open --output csv | egrep "${{ gitea.ref_name }}" | awk -F, '{print $1}' | sed -e 's|"||g')
-          tea pr m --repo ${{ github.repository }} --title "Auto Merge" --message "Merged by ${{ gitea.actor }}" --output table ${pr_index}
@@ -0,0 +1,193 @@
+name: Gitea Branch PR & Ansible Deployment
+on:
+  workflow_dispatch:
+  push:
+    branches-ignore:
+      - 'main'
+    paths:
+      - '**.j2'
+      - 'ansible/**.yml'
+jobs:
+  check-and-create-pr:
+    if: github.ref != 'refs/heads/main'
+    name: Check and Create PR
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+      - name: Cache tea CLI
+        id: cache-tea
+        uses: actions/cache@v4
+        with:
+          path: /opt/hostedtoolcache/tea/0.9.2/x64
+          key: tea-${{ runner.os }}-0.9.2
+      - name: Install tea
+        uses: supplypike/setup-bin@v4
+        with:
+          uri: 'https://gitea.com/gitea/tea/releases/download/v0.9.2/tea-0.9.2-linux-amd64'
+          name: 'tea'
+          version: '0.9.2'
+      - name: Gotify Notification
+        uses: eikendev/gotify-action@master
+        with:
+          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
+          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
+          notification_title: 'GITEA: PR Check'
+          notification_message: 'Checking for existing PR... 🔍'
+      - name: Check if open PR exists
+        id: check-opened-pr-step
+        continue-on-error: true
+        run: |
+          tea login add --name gitea-rinoa --url "${{ secrets.RINOA_GITEA_URL }}" --user gitea-sonarqube-bot --password "${{ secrets.BOT_GITEA_PASSWORD }}" --token ${{ secrets.BOT_GITEA_TOKEN }}
+          pr_exists=$(tea pr list --repo ${{ github.repository }} --state open --fields index,title,head | egrep ${{ github.ref_name }} | tail -1 | wc -l)
+          echo "exists=$pr_exists" >> $GITHUB_OUTPUT
+      - name: Create PR
+        if: ${{ steps.check-opened-pr-step.outputs.exists == '0' }}
+        run: |
+          tea login default gitea-rinoa
+          pr_index_old=$(tea pr ls --repo ${{ github.repository }} --state all --fields index,title,head --output csv | sed -e 's|"||g' | egrep '^[0-9]' | head -1 | awk -F"," '{print $1}')
+          pr_index_new=$(expr ${pr_index_old} + 1)
+          tea pr c -r ${{ github.repository }} -t "Automated PR for ${{ github.ref_name }} - #${pr_index_new}" -d "Automatically created PR for branch: ${{ github.ref_name }}" -a ${{ github.actor }} -L "Ansible Configs.j2"
+      - name: Gotify Notification
+        uses: eikendev/gotify-action@master
+        with:
+          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
+          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
+          notification_title: 'GITEA: PR Check'
+          notification_message: 'PR Created 🎟️'
+  ansible-linting:
+    name: Docker Compose & Ansible Lints
+    needs: [check-and-create-pr]
+    runs-on: ubuntu-latest
+    env:
+      VAULT_ADDR: ${{ secrets.RINOA_VAULT_ADDR }}
+      VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
+      VAULT_NAMESPACE: ""
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Fetch base branch
+        run: |
+          git fetch origin ${{ github.event.pull_request.base.ref }}
+      - name: Cache Ansible Galaxy Collections
+        uses: actions/cache@v3
+        with:
+          path: ansible/collections
+          key: ${{ runner.os }}-ansible-${{ hashFiles('./ansible/collections/requirements.yml') }}
+          restore-keys: |
+            ${{ runner.os }}-ansible-
+      - name: Install Ansible
+        uses: alex-oleshkevich/setup-ansible@v1.0.1
+        with:
+          version: "11.0.0"
+      - name: Install Vault
+        uses: cpanato/vault-installer@main
+      - name: Install hvac
+        run: pip install hvac
+      - name: Gotify Notification
+        uses: eikendev/gotify-action@master
+        with:
+          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
+          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
+          notification_title: 'GITEA: Ansible Config Dry Run @ Rinoa'
+          notification_message: 'Starting Ansible dry run...'
+      - name: Ansible Playbook Dry Run
+        uses: arillso/action.playbook@0.1.0
+        with:
+          check: true
+          galaxy_collections_path: ansible/collections
+          galaxy_requirements_file: ansible/collections/requirements.yml
+          inventory: ansible/inventory/hosts.yml
+          playbook: ansible/docker_config_deploy.yml
+          private_key: ${{ secrets.RINOA_ANSIBLE_PRIVATE_KEY }}
+          vault_password: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
+          verbose: 0
+      - name: Gotify Notification
+        uses: eikendev/gotify-action@master
+        with:
+          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
+          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
+          notification_title: 'GITEA: Docker Compose Dry Run @ Rinoa'
+          notification_message: 'Docker Compose dry run completed successfully.'
+  pr-merge:
+    name: PR Merge
+    needs: [regenerate-readme-modified-services]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Install tea
+        uses: supplypike/setup-bin@v4
+        with:
+          uri: 'https://gitea.com/gitea/tea/releases/download/v0.9.2/tea-0.9.2-linux-amd64'
+          name: 'tea'
+          version: '0.9.2'
+      - name: PR Merge
+        id: pr_merge
+        run: |
+          tea login add --name gitea-rinoa --url ${{ secrets.RINOA_GITEA_URL }} --user gitea-sonarqube-bot --password "${{ secrets.BOT_GITEA_PASSWORD }}" --token ${{ secrets.BOT_GITEA_TOKEN }}
+          tea login default gitea-rinoa
+          echo "Merging PR..."
+          pr_index=$(tea pr ls --repo ${{ github.repository }} --state open --fields index,title,head,state --output csv | egrep ${{ github.ref_name }} | awk -F"," '{print $1}' | sed -e 's|"||g')
+          tea pr m --repo ${{ github.repository }} --title "Auto Merge of PR ${pr_index} - ${{ github.ref_name }}" --message "Merged by ${{ github.actor }}" ${pr_index}
+          echo "pr_index=${pr_index}" >> $GITHUB_OUTPUT
+      - name: Gotify Notification
+        uses: eikendev/gotify-action@master
+        with:
+          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
+          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
+          notification_title: 'GITEA: PR Merge Successful'
+          notification_message: 'PR #${{ steps.pr_merge.outputs.pr_index }} merged.'
+  ansible-config-deploy:
+    name: Ansible Config Deployment
+    runs-on: ubuntu-latest
+    needs: [pr-merge]
+    env:
+      VAULT_ADDR: ${{ secrets.RINOA_VAULT_ADDR }}
+      VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
+      DOCKER_HOST: tcp://dockerproxy:2375
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: main
+      - name: Cache Vault install
+        id: cache-vault
+        uses: actions/cache@v4
+        with:
+          path: /opt/hostedtoolcache/vault/1.18.0/x64
+          key: vault-${{ runner.os }}-1.18.0
+      - name: Install Ansible
+        uses: alex-oleshkevich/setup-ansible@v1.0.1
+        with:
+          version: "11.0.0"
+      - name: Install Vault
+        uses: cpanato/vault-installer@main
+      - name: Install hvac
+        run: pip install hvac
+      - name: Gotify Notification
+        uses: eikendev/gotify-action@master
+        with:
+          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
+          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
+          notification_title: 'GITEA: Ansible Config Deployment @ Rinoa'
+          notification_message: 'Starting config deployment with Ansible...'
+      - name: Ansible Playbook Config Deploy
+        uses: arillso/action.playbook@0.1.0
+        with:
+          check: false
+          galaxy_collections_path: ansible/collections
+          galaxy_requirements_file: ansible/collections/requirements.yml
+          inventory: ansible/inventory/hosts.yml
+          playbook: ansible/docker_config_deploy.yml
+          private_key: ${{ secrets.RINOA_ANSIBLE_PRIVATE_KEY }}
+          vault_password: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
+      - name: Gotify Notification
+        uses: eikendev/gotify-action@master
+        with:
+          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
+          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
+          notification_title: 'GITEA: Ansible Config Deployment @ Rinoa'
+          notification_message: 'Deployment completed successfully.'
@@ -0,0 +1,361 @@
+name: Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment
+on:
+  workflow_dispatch:
+  push:
+    branches-ignore:
+      - 'main'
+    paths:
+      - '**/docker-compose.yml'
+      - '**/pr-cloudflare-docker-deploy.yml'
+      - '!ansible/**.yml'
+jobs:
+  check-and-create-pr:
+    if: github.ref != 'refs/heads/main'
+    name: Check and Create PR
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+      - name: Cache tea CLI
+        id: cache-tea
+        uses: actions/cache@v4
+        with:
+          path: /opt/hostedtoolcache/tea/0.9.2/x64
+          key: tea-${{ runner.os }}-0.9.2
+      - name: Install tea
+        uses: supplypike/setup-bin@v4
+        with:
+          uri: 'https://gitea.com/gitea/tea/releases/download/v0.9.2/tea-0.9.2-linux-amd64'
+          name: 'tea'
+          version: '0.9.2'
+      - name: Gotify Notification
+        uses: eikendev/gotify-action@master
+        with:
+          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
+          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
+          notification_title: 'GITEA: PR Check'
+          notification_message: 'Checking for existing PR... 🔍'
+      - name: Check if open PR exists
+        id: check-opened-pr-step
+        continue-on-error: true
+        run: |
+          tea login add --name gitea-rinoa --url "${{ secrets.RINOA_GITEA_URL }}" --user gitea-sonarqube-bot --password "${{ secrets.BOT_GITEA_PASSWORD }}" --token ${{ secrets.BOT_GITEA_TOKEN }}
+          pr_exists=$(tea pr list --repo ${{ github.repository }} --state open --fields index,title,head | egrep ${{ github.ref_name }} | tail -1 | wc -l)
+          echo "exists=$pr_exists" >> $GITHUB_OUTPUT
+      - name: Create PR
+        if: ${{ steps.check-opened-pr-step.outputs.exists == '0' }}
+        run: |
+          tea login default gitea-rinoa
+          pr_index_old=$(tea pr ls --repo ${{ github.repository }} --state all --fields index,title,head --output csv | sed -e 's|"||g' | egrep '^[0-9]' | head -1 | awk -F"," '{print $1}')
+          pr_index_new=$(expr ${pr_index_old} + 1)
+          tea pr c -r ${{ github.repository }} -t "Automated PR for ${{ github.ref_name }} - #${pr_index_new}" -d "Automatically created PR for branch: ${{ github.ref_name }}" -a ${{ github.actor }} -L "Docker Compose"
+      - name: Gotify Notification
+        uses: eikendev/gotify-action@master
+        with:
+          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
+          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
+          notification_title: 'GITEA: PR Check'
+          notification_message: 'PR Created 🎟️'
+  docker-compose-dry-run:
+    name: Docker Compose Dry Run
+    needs: [check-and-create-pr]
+    runs-on: ubuntu-latest
+    env:
+      VAULT_ADDR: ${{ secrets.RINOA_VAULT_ADDR }}
+      VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
+      VAULT_NAMESPACE: ""
+      RINOA_REGISTRY_PASSWORD: ${{ secrets.BOT_GITEA_PASSWORD }}
+    outputs:
+      svc_deploy_list: ${{ steps.modded_svcs.outputs.rinoa_svcs }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Fetch base branch
+        run: |
+          git fetch origin ${{ github.event.pull_request.base.ref }}
+      - name: Login to Gitea Container Registry
+        run: |
+          docker login -u gitea-sonarqube-bot -p ${RINOA_REGISTRY_PASSWORD} git.trez.wtf
+      - name: Save both versions of docker-compose.yml
+        run: |
+          git show origin/main:docker-compose.yml > docker-compose-main.yml || touch docker-compose-main.yml
+          cp docker-compose.yml docker-compose-head.yml
+      - name: Detect added, deleted, and modified services
+        id: detect_services
+        run: |
+          echo "Getting services from main and ${{ github.ref_name }}"
+          yq '.services | keys | .[]' docker-compose-main.yml | sort > services_main.txt
+          yq '.services | keys | .[]' docker-compose-head.yml | sort > services_head.txt
+
+          echo "Creating list of modified services..."
+          touch service_changes.txt
+
+          comm -13 services_main.txt services_head.txt | while read service; do
+            echo "$service: added" >> service_changes.txt
+          done
+
+          comm -12 services_main.txt services_head.txt | while read service; do
+            yq ".services[\"$service\"]" docker-compose-main.yml > tmp_main.yml
+            yq ".services[\"$service\"]" docker-compose-head.yml > tmp_head.yml
+            if ! diff -q tmp_main.yml tmp_head.yml > /dev/null; then
+              echo "$service: modified" >> service_changes.txt
+            fi
+          done
+
+          echo "Detected service changes:"
+          cat service_changes.txt
+
+          svc_list=$(paste -sd '|' service_changes.txt)
+          echo "classified_services=$svc_list" >> "$GITHUB_OUTPUT"
+      - name: Install Vault
+        uses: cpanato/vault-installer@main
+      - name: Gotify Notification
+        uses: eikendev/gotify-action@master
+        with:
+          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
+          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
+          notification_title: 'GITEA: Docker Compose Dry Run @ Rinoa'
+          notification_message: 'Starting Docker Compose dry run...'
+      - name: Cache .env Files
+        uses: actions/cache@v4
+        with:
+          path: .env
+          key: ${{ runner.os }}-env-${{ hashFiles('docker-compose.yml') }}
+      - name: Generate modified services list & .env file for Docker Compose Dry Run
+        id: modded_svcs
+        run: |
+          mod_svcs=$(echo "${{ steps.detect_services.outputs.classified_services }}" | sed -e 's/|//g' -e 's/: \(add\|modifi\|delet\)ed/ /g')
+          echo ${mod_svcs}
+          vault kv get -format=json rinoa-docker/env | jq -r '.data.data' | jq -r 'keys[] as $k | "\($k)='\''\(.[$k])'\''"' > .env
+          echo "rinoa_svcs=${mod_svcs}" >> "$GITHUB_OUTPUT"
+      - name: Testing service list output
+        run: |
+          echo ${{ steps.modded_svcs.outputs.rinoa_svcs }}
+      - name: Docker Compose Dry Run
+        timeout-minutes: 360
+        continue-on-error: true
+        uses: chaplyk/docker-compose-remote-action@v1.1
+        with:
+          ssh_host: 192.168.1.254
+          ssh_port: 22
+          ssh_user: gitea-deploy
+          ssh_key: ${{ secrets.RINOA_GITEA_PRIVATE_SSH_KEY }}
+          service: ${{ steps.modded_svcs.outputs.rinoa_svcs }}
+          compose_file: docker-compose.yml
+          pull: false
+          build: false
+          options: -d --remove-orphans
+        env:
+          DOCKER_HOST: tcp://dockerproxy:2375
+      - name: Gotify Notification
+        uses: eikendev/gotify-action@master
+        with:
+          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
+          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
+          notification_title: 'GITEA: Docker Compose Dry Run @ Rinoa'
+          notification_message: 'Docker Compose dry run completed successfully.'
+  cloudflare-dns-setup:
+    name: Cloudflare DNS Setup
+    needs: [docker-compose-ansible-lints]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+      - name: Cache flarectl CLI
+        uses: actions/cache@v4
+        with:
+          path: ~/.flarectl
+          key: flarectl-${{ runner.os }}-${{ hashFiles('workflow-config.yml') }}
+      - name: Install flarectl
+        uses: supplypike/setup-bin@v4
+        with:
+          uri: 'https://github.com/cloudflare/cloudflare-go/releases/download/v0.113.0/flarectl_0.113.0_linux_amd64.tar.gz'
+          name: 'flarectl'
+          version: '0.113.0'
+      - name: Cache Subdomain Files
+        uses: actions/cache@v4
+        with:
+          path: |
+            compose_subdomains.txt
+            cloudflare_subdomains.txt
+          key: ${{ runner.os }}-subdomains-${{ hashFiles('docker-compose.yml') }}
+      - name: Grab Subdomains from Docker Compose & Cloudflare
+        id: grab-subdomains
+        env:
+          CF_API_TOKEN: ${{ secrets.CF_API_TOKEN }}
+          CF_API_EMAIL: ${{ secrets.CF_API_EMAIL }}
+        run: |
+          yq '.services[].labels.swag_url' docker-compose.yml | egrep -v 'null' | sed -e 's|"||g' | awk -F'.' '{print $1}' | sort > compose_subdomains.txt
+          flarectl --json dns list --zone "trez.wtf" --type=CNAME --content "trez.wtf" | jq '.[].Name' | sed -e 's|"||g' | awk -F"." '{print $1}' | sort > cloudflare_subdomains.txt
+      - name: Gotify Notification
+        uses: eikendev/gotify-action@master
+        with:
+          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
+          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
+          notification_title: 'GITEA: Cloudflare Setup @ Rinoa'
+          notification_message: 'Starting Cloudflare DNS setup...'
+      - name: Compare Subdomains
+        id: compare-subdomains
+        uses: LouisBrunner/diff-action@v2.2.0
+        with:
+          old: compose_subdomains.txt
+          new: cloudflare_subdomains.txt
+          mode: addition
+          tolerance: mixed-better
+          output: domain_compare.txt
+      - name: Create Subdomains
+        if: steps.compare-subdomains.outputs.output != ''
+        continue-on-error: true
+        env:
+          CF_API_TOKEN: ${{ secrets.CF_API_TOKEN }}
+          CF_API_EMAIL: ${{ secrets.CF_API_EMAIL }}
+        run: |
+          cat domain_compare.txt | egrep '^-[a-z]' | sed -e 's|-||g' | while read -r subdomain; do
+            echo "Creating $subdomain.trez.wtf..."
+            flarectl dns create --zone "trez.wtf" --name "${subdomain}" --type=CNAME --content "trez.wtf" --proxy true
+          done
+      - name: Gotify Notification
+        uses: eikendev/gotify-action@master
+        with:
+          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
+          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
+          notification_title: 'GITEA: Cloudflare Setup @ Rinoa'
+          notification_message: 'Cloudflare DNS setup completed successfully.'
+  regenerate-readme-modified-services:
+    name: Update README & Generate List of Modified Services
+    runs-on: ubuntu-latest
+    needs: [cloudflare-dns-setup]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Install yq
+        uses: dcarbone/install-yq-action@v1
+      - name: Gotify Notification
+        uses: eikendev/gotify-action@master
+        with:
+          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
+          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
+          notification_title: 'GITEA: README Update'
+          notification_message: 'Updating README...'
+      - name: Generate service list
+        run: |
+          yq '.services | to_entries | map({"service": .key, "image": .value.image})' docker-compose.yml > services.yml
+      - name: Generate Markdown Table
+        uses: gazab/create-markdown-table@v1
+        id: service-table
+        with:
+          file: ./services.yml
+      - name: Regenerate README
+        run: |
+          echo "# List of Services" > README.md
+          echo -e "\n\n" >> README.md
+          echo "${{ steps.service-table.outputs.table }}" >> README.md
+      - name: Add/Commit README.md
+        id: commit-readme
+        uses: EndBug/add-and-commit@v9
+        with:
+          message: "chore: Update README"
+          add: "README.md"
+      - name: Gotify Notification
+        uses: eikendev/gotify-action@master
+        with:
+          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
+          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
+          notification_title: 'GITEA: README Update'
+          notification_message: 'README updated'
+  pr-merge:
+    name: PR Merge
+    needs: [regenerate-readme-modified-services]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Install tea
+        uses: supplypike/setup-bin@v4
+        with:
+          uri: 'https://gitea.com/gitea/tea/releases/download/v0.9.2/tea-0.9.2-linux-amd64'
+          name: 'tea'
+          version: '0.9.2'
+      - name: PR Merge
+        id: pr_merge
+        run: |
+          tea login add --name gitea-rinoa --url ${{ secrets.RINOA_GITEA_URL }} --user gitea-sonarqube-bot --password "${{ secrets.BOT_GITEA_PASSWORD }}" --token ${{ secrets.BOT_GITEA_TOKEN }}
+          tea login default gitea-rinoa
+          echo "Merging PR..."
+          pr_index=$(tea pr ls --repo ${{ github.repository }} --state open --fields index,title,head,state --output csv | egrep ${{ github.ref_name }} | awk -F"," '{print $1}' | sed -e 's|"||g')
+          tea pr m --repo ${{ github.repository }} --title "Auto Merge of PR ${pr_index} - ${{ github.ref_name }}" --message "Merged by ${{ github.actor }}" ${pr_index}
+          echo "pr_index=${pr_index}" >> $GITHUB_OUTPUT
+      - name: Gotify Notification
+        uses: eikendev/gotify-action@master
+        with:
+          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
+          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
+          notification_title: 'GITEA: PR Merge Successful'
+          notification_message: 'PR #${{ steps.pr_merge.outputs.pr_index }} merged.'
+  docker-compose-deploy:
+    name: Docker Compose Deployment
+    runs-on: ubuntu-latest
+    needs: [docker-compose-dry-run, pr-merge]
+    env:
+      VAULT_ADDR: ${{ secrets.RINOA_VAULT_ADDR }}
+      VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
+      DOCKER_HOST: tcp://dockerproxy:2375
+      RINOA_REGISTRY_PASSWORD: ${{ secrets.BOT_GITEA_PASSWORD }}
+      DOCKER_SVC_LIST: ${{ needs.docker-compose-dry-run.outputs.svc_deploy_list }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: main
+      - name: Cache Vault install
+        id: cache-vault
+        uses: actions/cache@v4
+        with:
+          path: /opt/hostedtoolcache/vault/1.18.0/x64
+          key: vault-${{ runner.os }}-1.18.0
+      - name: Install Ansible
+        uses: alex-oleshkevich/setup-ansible@v1.0.1
+        with:
+          version: "11.0.0"
+      - name: Install Vault
+        uses: cpanato/vault-installer@main
+      - name: Login to Gitea Container Registry
+        run: |
+          docker login -u gitea-sonarqube-bot -p ${RINOA_REGISTRY_PASSWORD} git.trez.wtf
+      - name: Gotify Notification
+        uses: eikendev/gotify-action@master
+        with:
+          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
+          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
+          notification_title: 'GITEA: Docker Compose Deployment @ Rinoa'
+          notification_message: 'Starting Docker Compose run...'
+      - name: Generate .env file for deployment
+        run: |
+           vault kv get -format=json rinoa-docker/env | jq -r '.data.data' | jq -r 'keys[] as $k | "\($k)='\''\(.[$k])'\''"' > .env
+      - name: Docker Compose Dry Run
+        timeout-minutes: 360
+        continue-on-error: true
+        uses: chaplyk/docker-compose-remote-action@v1.1
+        env:
+          DOCKER_HOST: tcp://dockerproxy:2375
+        with:
+          ssh_host: 192.168.1.254
+          ssh_port: 22
+          ssh_user: gitea-deploy
+          ssh_key: ${{ secrets.RINOA_GITEA_PRIVATE_SSH_KEY }}
+          service: ${DOCKER_SVC_LIST}
+          compose_file: docker-compose.yml
+          pull: false
+          build: false
+          options: -d --remove-orphans
+      - name: Gotify Notification
+        uses: eikendev/gotify-action@master
+        with:
+          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
+          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
+          notification_title: 'GITEA: Docker Compose Deployment @ Rinoa'
+          notification_message: 'Deployment completed successfully.'
@@ -0,0 +1,28 @@
+name: Auto-Unseal for Vault
+on:
+  schedule:
+    - cron: "30 2 * * *"
+jobs:
+  auto-unseal:
+    name: Unseal Vault
+    runs-on: ubuntu-latest
+    env:
+      VAULT_ADDR: ${{ secrets.RINOA_VAULT_ADDR }}
+      VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
+      VAULT_SHARDS: |
+        ${{ secrets.VAULT_UNSEAL_SHARDS }}
+      VAULT_NAMESPACE: ""
+    steps:
+      - name: Cache Vault install
+        id: cache-vault
+        uses: actions/cache@v4
+        with:
+          path: /opt/hostedtoolcache/vault/1.18.0/x64
+          key: vault-${{ runner.os }}-1.18.0
+      - name: Install Vault
+        uses: cpanato/vault-installer@main
+      - name: Unseal Vault
+        run: |
+          for vault_shard in $(echo ${VAULT_SHARDS}); do
+            vault operator unseal -address=${VAULT_ADDR} -non-interactive "${vault_shard}"
+          done
@@ -1 +1,4 @@
-**/.env*
+**/.cache_ggshield
+ansible/collections/ansible_collections/
+**/.env
+**/netbird_openid-configuration.json.j2
@@ -0,0 +1,160 @@
+# List of Services
+
+
+
+| Service | Image |
+| --- | --- |
+| actual_server | docker.io/actualbudget/actual-server:latest |
+| adguard | adguard/adguardhome:latest |
+| apprise-api | lscr.io/linuxserver/apprise-api:latest |
+| archivebox | archivebox/archivebox:latest |
+| audiobookshelf | ghcr.io/advplyr/audiobookshelf:latest |
+| authelia | authelia/authelia:master |
+| authelia-pg | postgres:16-alpine |
+| bazarr | lscr.io/linuxserver/bazarr:latest |
+| beszel | henrygd/beszel:latest |
+| beszel-agent | henrygd/beszel-agent:latest |
+| bitwarden | vaultwarden/server:latest |
+| bluesky-pds | code.modernleft.org/gravityfargo/bluesky-pds:v0.4.98 |
+| browserless | ghcr.io/browserless/chromium:latest |
+| bytestash | ghcr.io/jordan-dalby/bytestash:latest |
+| castopod | castopod/castopod:latest |
+| cloudflareddns | ghcr.io/hotio/cloudflareddns:latest |
+| convertx | ghcr.io/c4illin/convertx |
+| cronicle | elestio/cronicle:latest |
+| crowdsec | crowdsecurity/crowdsec:latest |
+| crowdsec-dashboard | metabase/metabase |
+| cyber-chef | mpepping/cyberchef:latest |
+| czkawka | jlesage/czkawka |
+| dawarich-app | freikin/dawarich:latest |
+| dawarich-pg-db | postgis/postgis:17-3.5-alpine |
+| dawarich-sidekiq | freikin/dawarich:latest |
+| dead-man-hand | ghcr.io/bkupidura/dead-man-hand:latest |
+| docker-socket-proxy | ghcr.io/tecnativa/docker-socket-proxy:latest |
+| dockflare | alplat/dockflare:stable |
+| duplicati | lscr.io/linuxserver/duplicati:latest |
+| excalidraw | excalidraw/excalidraw:latest |
+| explo | ghcr.io/lumepart/explo:latest |
+| fastenhealth | ghcr.io/fastenhealth/fasten-onprem:main |
+| flaresolverr | ghcr.io/flaresolverr/flaresolverr:latest |
+| freescout | tiredofit/freescout:latest |
+| ghost | ghost:latest |
+| gitea | gitea/gitea:1.23.1 |
+| gitea-db | postgres:14 |
+| gitea-runner | gitea/act_runner:latest |
+| gitea-sonarqube-bot | justusbunsi/gitea-sonarqube-bot:v0.4.0 |
+| gluetun | qmcgaw/gluetun:latest |
+| gotify | gotify/server |
+| graylog | graylog/graylog:6.1 |
+| graylog-datanode | graylog/graylog-datanode:6.1 |
+| guacamole | flcontainers/guacamole:latest |
+| homepage | ghcr.io/gethomepage/homepage:latest |
+| hugo | hugomods/hugo:exts-0.145.0 |
+| immich-server | ghcr.io/immich-app/immich-server:release |
+| immich-machine-learning | ghcr.io/immich-app/immich-machine-learning:release |
+| immich-pg-db | tensorchord/pgvecto-rs:pg14-v0.2.1 |
+| immich-public-proxy | alangrainger/immich-public-proxy:latest |
+| immich-power-tools | ghcr.io/varun-raj/immich-power-tools:latest |
+| influxdb2 | influxdb:2-alpine |
+| invidious | quay.io/invidious/invidious:latest |
+| invidious-sig-helper | quay.io/invidious/inv-sig-helper:latest |
+| invidious-db | docker.io/library/postgres:14 |
+| invoice-ninja | invoiceninja/invoiceninja-debian:5 |
+| invoice-ninja_proxy | nginx |
+| it-tools | ghcr.io/corentinth/it-tools:latest |
+| jellyfin | jellyfin/jellyfin |
+| jitsi-etherpad | etherpad/etherpad:1.8.6 |
+| jitsi-jibri | jitsi/jibri:stable |
+| jitsi-jicofo | jitsi/jicofo:stable |
+| jitsi-jigasi | jitsi/jigasi:stable |
+| jitsi-jvb | jitsi/jvb:stable |
+| jitsi-prosody | jitsi/prosody:stable |
+| jitsi-web | jitsi/web:stable |
+| joplin-db | postgres:17-alpine |
+| joplin | joplin/server:latest |
+| languagetool | elestio/languagetool:latest |
+| librechat-api | ghcr.io/danny-avila/librechat-dev:latest |
+| librechat-vectordb | ankane/pgvector:latest |
+| librechat-rag-api | ghcr.io/danny-avila/librechat-rag-api-dev-lite:latest |
+| libretranslate | libretranslate/libretranslate |
+| lidarr | lscr.io/linuxserver/lidarr:latest |
+| lidify | thewicklowwolf/lidify:latest |
+| linkstack | linkstackorg/linkstack:latest |
+| lldap | lldap/lldap:stable |
+| loggifly | ghcr.io/clemcer/loggifly:latest |
+| maloja | krateng/maloja:latest |
+| manyfold | lscr.io/linuxserver/manyfold:latest |
+| mariadb | linuxserver/mariadb |
+| mastodon | lscr.io/linuxserver/mastodon:latest |
+| mastodon-pg-db | postgres:17-alpine |
+| maxun-backend | getmaxun/maxun-backend:latest |
+| maxun-frontend | getmaxun/maxun-frontend:latest |
+| maxun-pg-db | postgres:13-alpine |
+| meilisearch | getmeili/meilisearch:v1.12.3 |
+| minio | minio/minio:RELEASE.2025-04-22T22-12-26Z |
+| mixpost | inovector/mixpost:latest |
+| mongodb | bitnami/mongodb:7.0 |
+| multi-scrobbler | foxxmd/multi-scrobbler |
+| n8n | docker.n8n.io/n8nio/n8n |
+| navidrome | deluan/navidrome:latest |
+| netalertx | jokobsk/netalertx:latest |
+| nextcloud | nextcloud/all-in-one:latest |
+| ollama | ollama/ollama |
+| ombi | lscr.io/linuxserver/ombi:latest |
+| omni-tools | iib0011/omni-tools:latest |
+| omnipoly | kweg/omnipoly:latest |
+| paperless-ngx | ghcr.io/paperless-ngx/paperless-ngx:latest |
+| pgbackweb | eduardolat/pgbackweb:latest |
+| pgbackweb-db | postgres:16-alpine |
+| plantuml-server | plantuml/plantuml-server:jetty |
+| portainer | portainer/portainer-ce:alpine |
+| portnote-web | haedlessdev/portnote:latest |
+| portnote-agent | haedlessdev/portnote-agent:latest |
+| portnote-pg-db | postgres:17-alpine |
+| postal-smtp | ghcr.io/postalserver/postal:latest |
+| postal-web | ghcr.io/postalserver/postal:latest |
+| postal-worker | ghcr.io/postalserver/postal:latest |
+| prowlarr | lscr.io/linuxserver/prowlarr:latest |
+| qbittorrentvpn | ghcr.io/binhex/arch-qbittorrentvpn:latest |
+| radarec | thewicklowwolf/radarec:latest |
+| radarr | lscr.io/linuxserver/radarr:latest |
+| reactive-resume | amruthpillai/reactive-resume:latest |
+| reactive-resume-pg | postgres:16-alpine |
+| readarr | lscr.io/linuxserver/readarr:develop |
+| redis | redis:alpine |
+| redlib | quay.io/redlib/redlib:latest |
+| rocketchat | registry.rocket.chat/rocketchat/rocket.chat:latest |
+| romm | rommapp/romm:latest |
+| sabnzbdvpn | ghcr.io/binhex/arch-sabnzbdvpn:latest |
+| sablier | sablierapp/sablier:latest |
+| scrutiny | ghcr.io/analogj/scrutiny:master-omnibus |
+| searxng | searxng/searxng:latest |
+| semaphore | semaphoreui/semaphore:v2.12.14 |
+| signoz-init-clickhouse | clickhouse/clickhouse-server:24.1.2-alpine |
+| signoz-zookeeper-1 | bitnami/zookeeper:3.7.1 |
+| signoz-clickhouse | clickhouse/clickhouse-server:24.1.2-alpine |
+| signoz-app | signoz/signoz:v0.86.2 |
+| signoz-otel-collector | signoz/signoz-otel-collector:v0.111.42 |
+| signoz-schema-migrator-sync | signoz/signoz-schema-migrator:v0.111.42 |
+| signoz-schema-migrator-async | signoz/signoz-schema-migrator:v0.111.42 |
+| sonarqube | mc1arke/sonarqube-with-community-branch-plugin:lts |
+| sonarqube-pg-db | postgres:17-alpine |
+| sonarr | lscr.io/linuxserver/sonarr:latest |
+| sonashow | thewicklowwolf/sonashow:latest |
+| speedtest-tracker | lscr.io/linuxserver/speedtest-tracker:latest |
+| stable-diffusion-download | git.trez.wtf/trez.one/stable-diffusion-download:v9.0.0 |
+| stable-diffusion-webui | git.trez.wtf/trez.one/stable-diffusion-ui:v9.0.1 |
+| stirling-pdf | docker.stirlingpdf.com/stirlingtools/stirling-pdf:latest |
+| swag | lscr.io/linuxserver/swag:latest |
+| tandoor | vabene1111/recipes |
+| tandoor-pg | postgres:16-alpine |
+| unmanic | josh5/unmanic:latest |
+| uptimekuma | louislam/uptime-kuma:latest |
+| vault | hashicorp/vault:latest |
+| wallabag | wallabag/wallabag |
+| wallos | bellamy/wallos:latest |
+| watchtower | ghcr.io/containrrr/watchtower:latest |
+| web-check | lissy93/web-check |
+| whodb | clidey/whodb |
+| youtubedl | nbr23/youtube-dl-server:latest |
+
@@ -0,0 +1,167 @@
+.logs/*
+*.retry
+*.vault
+# https://raw.githubusercontent.com/github/gitignore/main/Python.gitignore
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+.cache_ggshield
+# Ansible Vault Password Files
+*.pass
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+cover/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+.pybuilder/
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+#   For a library or package, you might want to ignore these files since the code is
+#   intended to run in multiple environments; otherwise, check them in:
+# .python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# poetry
+#   Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+#   https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
+#poetry.lock
+
+# pdm
+#   Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
+#pdm.lock
+#   pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it
+#   in version control.
+#   https://pdm.fming.dev/#use-with-ide
+.pdm.toml
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# pytype static type analyzer
+.pytype/
+
+# Cython debug symbols
+cython_debug/
+
+# PyCharm
+#  JetBrains specific template is maintained in a separate JetBrains.gitignore that can
+#  be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
+#  and can be added to the global gitignore or merged into this file.  For a more nuclear
+#  option (not recommended) you can uncomment the following to ignore the entire idea folder.
+#.idea/
@@ -0,0 +1,45 @@
+# Rinoa Docker_configs Ansible Project
+
+## Included content/ Directory Structure
+
+The directory structure follows best practices recommended by the Ansible community. Feel free to customize this template according to your specific project requirements.
+
+```
+ ansible-project/
+ |── .devcontainer/
+ |    └── docker/
+ |        └── devcontainer.json
+ |    └── podman/
+ |        └── devcontainer.json
+ |    └── devcontainer.json
+ |── .github/
+ |    └── workflows/
+ |        └── tests.yml
+ |    └── ansible-code-bot.yml
+ |── .vscode/
+ |    └── extensions.json
+ |── collections/
+ |   └── requirements.yml
+ |   └── ansible_collections/
+ |       └── project_org/
+ |           └── project_repo/
+ |               └── README.md
+ |               └── roles/sample_role/
+ |                         └── README.md
+ |                         └── tasks/main.yml
+ |── inventory/
+ |   └── groups_vars/
+ |   └── host_vars/
+ |   └── hosts.yml
+ |── ansible-navigator.yml
+ |── ansible.cfg
+ |── devfile.yaml
+ |── linux_playbook.yml
+ |── network_playbook.yml
+ |── README.md
+ |── site.yml
+```
+
+## Compatible with Ansible-lint
+
+Tested with ansible-lint >=24.2.0 releases and the current development version of ansible-core.
@@ -0,0 +1,25 @@
+[defaults]
+# Specify the inventory file
+inventory = inventory/hosts.yml
+
+collections_path = ./collections
+# Set the logging verbosity level
+verbosity = 2
+
+# Set the default user for SSH connections
+remote_user = charish
+
+# Define the default become method
+become_method = sudo
+
+host_key_checking = false
+
+[persistent_connection]
+# Controls how long the persistent connection will remain idle before it is destroyed
+connect_timeout=30
+
+# Controls the amount of time to wait for response from remote device before timing out persistent connection
+command_timeout=30
+
+[hashi_vault_collection]
+auth_method = token
@@ -0,0 +1,199 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+http:
+  pprof:
+    port: 6060
+    enabled: false
+  address: 0.0.0.0:8008
+  session_ttl: 720h
+users:
+  - name: admin
+    password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['ADGUARD_BCRYPT'] }}
+auth_attempts: 5
+block_auth_min: 15
+http_proxy: ""
+language: ""
+theme: auto
+dns:
+  bind_hosts:
+    - 0.0.0.0
+  port: 53
+  anonymize_client_ip: false
+  ratelimit: 20
+  ratelimit_subnet_len_ipv4: 24
+  ratelimit_subnet_len_ipv6: 56
+  ratelimit_whitelist: []
+  refuse_any: true
+  upstream_dns:
+    - 94.140.14.14
+    - 94.140.15.15
+    - https://dns.adguard-dns.com/dns-query
+    - tls://dns.adguard-dns.com
+    - quic://dns.adguard-dns.com
+    - 1.1.1.1
+    - 1.0.0.1
+    - 1.1.1.2
+    - 1.0.0.2
+    - 185.228.168.9
+    - 185.228.169.9
+    - 76.76.2.3
+    - tls://getdnsapi.net
+    - 185.49.141.37
+    - tls://dot.seby.io
+  upstream_dns_file: ""
+  bootstrap_dns:
+    - 9.9.9.10
+    - 149.112.112.10
+    - 2620:fe::10
+    - 2620:fe::fe:10
+  fallback_dns: []
+  upstream_mode: load_balance
+  fastest_timeout: 1s
+  allowed_clients: []
+  disallowed_clients: []
+  blocked_hosts:
+    - version.bind
+    - id.server
+    - hostname.bind
+  trusted_proxies:
+    - 127.0.0.0/8
+    - ::1/128
+  cache_size: 4194304
+  cache_ttl_min: 0
+  cache_ttl_max: 0
+  cache_optimistic: false
+  bogus_nxdomain: []
+  aaaa_disabled: false
+  enable_dnssec: false
+  edns_client_subnet:
+    custom_ip: ""
+    enabled: false
+    use_custom: false
+  max_goroutines: 300
+  handle_ddr: true
+  ipset: []
+  ipset_file: ""
+  bootstrap_prefer_ipv6: false
+  upstream_timeout: 10s
+  private_networks: []
+  use_private_ptr_resolvers: false
+  local_ptr_upstreams: []
+  use_dns64: false
+  dns64_prefixes: []
+  serve_http3: false
+  use_http3_upstreams: false
+  serve_plain_dns: true
+  hostsfile_enabled: true
+  pending_requests:
+    enabled: true
+tls:
+  enabled: true
+  server_name: ""
+  force_https: false
+  port_https: 446
+  port_dns_over_tls: 853
+  port_dns_over_quic: 853
+  port_dnscrypt: 0
+  dnscrypt_config_file: ""
+  allow_unencrypted_doh: false
+  certificate_chain: ""
+  private_key: ""
+  certificate_path: /opt/adguardhome/certs/live/trez.wtf/priv-fullchain-bundle.pem
+  private_key_path: /opt/adguardhome/certs/live/trez.wtf/priv-fullchain-bundle.pem
+  strict_sni_check: false
+querylog:
+  dir_path: ""
+  ignored: []
+  interval: 2160h
+  size_memory: 1000
+  enabled: true
+  file_enabled: true
+statistics:
+  dir_path: ""
+  ignored: []
+  interval: 24h
+  enabled: true
+filters:
+  - enabled: true
+    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt
+    name: AdGuard DNS filter
+    id: 1
+  - enabled: false
+    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt
+    name: AdAway Default Blocklist
+    id: 2
+whitelist_filters: []
+user_rules: []
+dhcp:
+  enabled: false
+  interface_name: ""
+  local_domain_name: lan
+  dhcpv4:
+    gateway_ip: 192.168.1.1
+    subnet_mask: 255.255.255.0
+    range_start: 192.168.1.2
+    range_end: 192.168.1.240
+    lease_duration: 86400
+    icmp_timeout_msec: 1000
+    options: []
+  dhcpv6:
+    range_start: ""
+    lease_duration: 86400
+    ra_slaac_only: false
+    ra_allow_slaac: false
+filtering:
+  blocking_ipv4: ""
+  blocking_ipv6: ""
+  blocked_services:
+    schedule:
+      time_zone: America/New_York
+    ids: []
+  protection_disabled_until: null
+  safe_search:
+    enabled: false
+    bing: true
+    duckduckgo: true
+    ecosia: true
+    google: true
+    pixabay: true
+    yandex: true
+    youtube: true
+  blocking_mode: default
+  parental_block_host: family-block.dns.adguard.com
+  safebrowsing_block_host: standard-block.dns.adguard.com
+  rewrites: []
+  safe_fs_patterns:
+    - /opt/adguardhome/work/userfilters/*
+  safebrowsing_cache_size: 1048576
+  safesearch_cache_size: 1048576
+  parental_cache_size: 1048576
+  cache_time: 30
+  filters_update_interval: 24
+  blocked_response_ttl: 10
+  filtering_enabled: true
+  parental_enabled: false
+  safebrowsing_enabled: false
+  protection_enabled: true
+clients:
+  runtime_sources:
+    whois: true
+    arp: true
+    rdns: true
+    dhcp: true
+    hosts: true
+  persistent: []
+log:
+  enabled: true
+  file: ""
+  max_backups: 0
+  max_size: 100
+  max_age: 3
+  compress: false
+  local_time: false
+  verbose: false
+os:
+  group: ""
+  user: ""
+  rlimit_nofile: 0
+schema_version: 29
@@ -0,0 +1,199 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+http:
+  pprof:
+    port: 6060
+    enabled: false
+  address: 0.0.0.0:8008
+  session_ttl: 720h
+users:
+  - name: admin
+    password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['ADGUARD_BCRYPT'] }}
+auth_attempts: 5
+block_auth_min: 15
+http_proxy: ""
+language: ""
+theme: auto
+dns:
+  bind_hosts:
+    - 0.0.0.0
+  port: 53
+  anonymize_client_ip: false
+  ratelimit: 20
+  ratelimit_subnet_len_ipv4: 24
+  ratelimit_subnet_len_ipv6: 56
+  ratelimit_whitelist: []
+  refuse_any: true
+  upstream_dns:
+    - 94.140.14.14
+    - 94.140.15.15
+    - https://dns.adguard-dns.com/dns-query
+    - tls://dns.adguard-dns.com
+    - quic://dns.adguard-dns.com
+    - 1.1.1.1
+    - 1.0.0.1
+    - 1.1.1.2
+    - 1.0.0.2
+    - 185.228.168.9
+    - 185.228.169.9
+    - 76.76.2.3
+    - tls://getdnsapi.net
+    - 185.49.141.37
+    - tls://dot.seby.io
+  upstream_dns_file: ""
+  bootstrap_dns:
+    - 9.9.9.10
+    - 149.112.112.10
+    - 2620:fe::10
+    - 2620:fe::fe:10
+  fallback_dns: []
+  upstream_mode: load_balance
+  fastest_timeout: 1s
+  allowed_clients: []
+  disallowed_clients: []
+  blocked_hosts:
+    - version.bind
+    - id.server
+    - hostname.bind
+  trusted_proxies:
+    - 127.0.0.0/8
+    - ::1/128
+  cache_size: 4194304
+  cache_ttl_min: 0
+  cache_ttl_max: 0
+  cache_optimistic: false
+  bogus_nxdomain: []
+  aaaa_disabled: false
+  enable_dnssec: false
+  edns_client_subnet:
+    custom_ip: ""
+    enabled: false
+    use_custom: false
+  max_goroutines: 300
+  handle_ddr: true
+  ipset: []
+  ipset_file: ""
+  bootstrap_prefer_ipv6: false
+  upstream_timeout: 10s
+  private_networks: []
+  use_private_ptr_resolvers: false
+  local_ptr_upstreams: []
+  use_dns64: false
+  dns64_prefixes: []
+  serve_http3: false
+  use_http3_upstreams: false
+  serve_plain_dns: true
+  hostsfile_enabled: true
+  pending_requests:
+    enabled: true
+tls:
+  enabled: true
+  server_name: ""
+  force_https: false
+  port_https: 446
+  port_dns_over_tls: 853
+  port_dns_over_quic: 853
+  port_dnscrypt: 0
+  dnscrypt_config_file: ""
+  allow_unencrypted_doh: false
+  certificate_chain: ""
+  private_key: ""
+  certificate_path: /opt/adguardhome/certs/live/trez.wtf/priv-fullchain-bundle.pem
+  private_key_path: /opt/adguardhome/certs/live/trez.wtf/priv-fullchain-bundle.pem
+  strict_sni_check: false
+querylog:
+  dir_path: ""
+  ignored: []
+  interval: 2160h
+  size_memory: 1000
+  enabled: true
+  file_enabled: true
+statistics:
+  dir_path: ""
+  ignored: []
+  interval: 24h
+  enabled: true
+filters:
+  - enabled: true
+    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt
+    name: AdGuard DNS filter
+    id: 1
+  - enabled: false
+    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt
+    name: AdAway Default Blocklist
+    id: 2
+whitelist_filters: []
+user_rules: []
+dhcp:
+  enabled: false
+  interface_name: ""
+  local_domain_name: lan
+  dhcpv4:
+    gateway_ip: 192.168.1.1
+    subnet_mask: 255.255.255.0
+    range_start: 192.168.1.2
+    range_end: 192.168.1.240
+    lease_duration: 86400
+    icmp_timeout_msec: 1000
+    options: []
+  dhcpv6:
+    range_start: ""
+    lease_duration: 86400
+    ra_slaac_only: false
+    ra_allow_slaac: false
+filtering:
+  blocking_ipv4: ""
+  blocking_ipv6: ""
+  blocked_services:
+    schedule:
+      time_zone: America/New_York
+    ids: []
+  protection_disabled_until: null
+  safe_search:
+    enabled: false
+    bing: true
+    duckduckgo: true
+    ecosia: true
+    google: true
+    pixabay: true
+    yandex: true
+    youtube: true
+  blocking_mode: default
+  parental_block_host: family-block.dns.adguard.com
+  safebrowsing_block_host: standard-block.dns.adguard.com
+  rewrites: []
+  safe_fs_patterns:
+    - /opt/adguardhome/work/userfilters/*
+  safebrowsing_cache_size: 1048576
+  safesearch_cache_size: 1048576
+  parental_cache_size: 1048576
+  cache_time: 30
+  filters_update_interval: 24
+  blocked_response_ttl: 10
+  filtering_enabled: true
+  parental_enabled: false
+  safebrowsing_enabled: false
+  protection_enabled: true
+clients:
+  runtime_sources:
+    whois: true
+    arp: true
+    rdns: true
+    dhcp: true
+    hosts: true
+  persistent: []
+log:
+  enabled: true
+  file: ""
+  max_backups: 0
+  max_size: 100
+  max_age: 3
+  compress: false
+  local_time: false
+  verbose: false
+os:
+  group: ""
+  user: ""
+  rlimit_nofile: 0
+schema_version: 29
@@ -0,0 +1,6 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+urls:
+  - gotify://gotify/{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['APPRISE_GOTIFY_TOKEN'] }}
+  - mailto://{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}@trez.wtf25?smtp=postal-smtp&from=noreply@trez.wtf
@@ -0,0 +1,6 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+urls:
+  - gotify://gotify/{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['APPRISE_GOTIFY_TOKEN'] }}
+  - mailto://{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}@trez.wtf25?smtp=postal-smtp&from=noreply@trez.wtf
@@ -0,0 +1,172 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+# yaml-language-server: $schema=https://www.authelia.com/schemas/latest/json-schema/configuration.json
+---
+theme: auto
+default_2fa_method: "totp"
+server:
+  address: '0.0.0.0:9091'
+  endpoints:
+    enable_pprof: false
+    enable_expvars: false
+  disable_healthcheck: false
+  tls:
+    key: ""
+    certificate: ""
+    client_certificates: []
+  headers:
+    csp_template: ""
+log:
+  level: debug
+telemetry:
+  metrics:
+    enabled: true
+    address: tcp://0.0.0.0:9959
+totp:
+  disable: false
+  issuer: authelia.com
+  algorithm: sha256
+  digits: 6
+  period: 30
+  skew: 1
+  secret_size: 32
+webauthn:
+  disable: false
+  timeout: 60s
+  display_name: Authelia
+  attestation_conveyance_preference: indirect
+  selection_criteria:
+    user_verification: preferred
+ntp:
+  address: "time.cloudflare.com:123"
+  version: 4
+  max_desync: 3s
+  disable_startup_check: false
+  disable_failure: false
+authentication_backend:
+  password_reset:
+    disable: false
+    custom_url: ""
+  ldap:
+    implementation: custom
+    address: ldap://lldap:3890
+    timeout: 5s
+    start_tls: false
+    base_dn: dc=trez,dc=wtf
+    additional_users_dn: ou=people
+    users_filter: "(&({username_attribute}={input})(objectClass=person))"
+    additional_groups_dn: ou=groups
+    groups_filter: "(member={dn})"
+    attributes:
+      username: uid
+      group_name: cn
+      mail: mail
+      display_name: displayName
+    user: uid=authelia,ou=people,dc=trez,dc=wtf
+    password: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_AUTH_BIND_LDAP_PASSWORD'] }}'
+  refresh_interval: 5m
+identity_validation:
+  reset_password:
+    jwt_secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_JWT_SECRET'] }}'
+password_policy:
+  standard:
+    enabled: true
+    min_length: 8
+    max_length: 0
+    require_uppercase: true
+    require_lowercase: true
+    require_number: true
+    require_special: false
+  zxcvbn:
+    enabled: false
+    min_score: 3
+access_control:
+  default_policy: deny
+  networks:
+    - name: 'internal'
+      networks:
+        - '172.17.0.0/16'
+        - '172.18.0.0/16'
+        - '192.168.1.0/24'
+  rules:
+    - domain_regex:
+      - '^trez.wtf$'
+      - ^www.trez.wtf$''
+      policy: bypass
+    - domain: '*.trez.wtf'
+      policy: bypass
+      networks:
+        - 'internal'
+    - domain: '*.trez.wtf'
+      policy: one_factor
+      subject:
+      - ['user:the.trezured.one']
+session:
+  name: authelia_session
+  secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_SESSION_SECRET'] }}'
+  expiration: 1h
+  inactivity: 5m
+  remember_me: 1M
+  cookies:
+    - domain: 'trez.wtf'
+      authelia_url: 'https://auth.trez.wtf'
+  redis:
+    host: redis
+    port: 6379
+storage:
+  encryption_key: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_STORAGE_ENCRYPTION_KEY'] }}'
+  postgres:
+    address: 'tcp://authelia-pg:5432'
+    database: authelia
+    username: authelia
+    password: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_STORAGE_POSTGRES_PASSWORD'] }}'
+    timeout: '5s'
+regulation:
+  max_retries: 3
+  find_time: 2m
+  ban_time: 5m
+notifier:
+  disable_startup_check: true
+  smtp:
+    address: 'smtp://postal-smtp:25'
+    timeout: '5s'
+    username: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}'
+    password: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}'
+    sender: "Authelia <noreply@trez.wtf>"
+    identifier: 'localhost'
+    subject: "[Authelia] {title}"
+    startup_check_address: 'test@authelia.com'
+    disable_require_tls: true
+    disable_starttls: true
+    disable_html_emails: false
+identity_providers:
+  oidc:
+    hmac_secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_OIDC_HMAC_SECRET'] }}'
+    jwks:
+      - key: |
+          {{ lookup("community.hashi_vault.vault_kv2_get", "env", engine_mount_point="rinoa-docker", url=vault_addr, token=vault_token_cleaned)["secret"]["AUTHELIA_OIDC_JWKS_KEY"] | replace("\\n", "\n") | indent(10) }}
+    cors:
+      allowed_origins_from_client_redirect_uris: true
+      endpoints:
+        - 'userinfo'
+        - 'authorization'
+        - 'token'
+        - 'revocation'
+        - 'introspection'
+    clients:
+      - client_id: 'netbird'
+        client_name: 'NetBird'
+        client_secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_NETBIRD_CLIENT_SECRET'] }}'
+        public: false
+        authorization_policy: 'two_factor'
+        redirect_uris:
+          - 'https://vpn.trez.wtf/peers'
+          - 'https://vpn.trez.wtf/add-peers'
+          - 'http://localhost'
+        scopes:
+          - 'openid'
+          - 'email'
+          - 'profile'
+        userinfo_signed_response_alg: 'none'
+        token_endpoint_auth_method: 'client_secret_post'
@@ -0,0 +1,172 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+# yaml-language-server: $schema=https://www.authelia.com/schemas/latest/json-schema/configuration.json
+---
+theme: auto
+default_2fa_method: "totp"
+server:
+  address: '0.0.0.0:9091'
+  endpoints:
+    enable_pprof: false
+    enable_expvars: false
+  disable_healthcheck: false
+  tls:
+    key: ""
+    certificate: ""
+    client_certificates: []
+  headers:
+    csp_template: ""
+log:
+  level: debug
+telemetry:
+  metrics:
+    enabled: true
+    address: tcp://0.0.0.0:9959
+totp:
+  disable: false
+  issuer: authelia.com
+  algorithm: sha256
+  digits: 6
+  period: 30
+  skew: 1
+  secret_size: 32
+webauthn:
+  disable: false
+  timeout: 60s
+  display_name: Authelia
+  attestation_conveyance_preference: indirect
+  selection_criteria:
+    user_verification: preferred
+ntp:
+  address: "time.cloudflare.com:123"
+  version: 4
+  max_desync: 3s
+  disable_startup_check: false
+  disable_failure: false
+authentication_backend:
+  password_reset:
+    disable: false
+    custom_url: ""
+  ldap:
+    implementation: custom
+    address: ldap://lldap:3890
+    timeout: 5s
+    start_tls: false
+    base_dn: dc=trez,dc=wtf
+    additional_users_dn: ou=people
+    users_filter: "(&({username_attribute}={input})(objectClass=person))"
+    additional_groups_dn: ou=groups
+    groups_filter: "(member={dn})"
+    attributes:
+      username: uid
+      group_name: cn
+      mail: mail
+      display_name: displayName
+    user: uid=authelia,ou=people,dc=trez,dc=wtf
+    password: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_AUTH_BIND_LDAP_PASSWORD'] }}'
+  refresh_interval: 5m
+identity_validation:
+  reset_password:
+    jwt_secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_JWT_SECRET'] }}'
+password_policy:
+  standard:
+    enabled: true
+    min_length: 8
+    max_length: 0
+    require_uppercase: true
+    require_lowercase: true
+    require_number: true
+    require_special: false
+  zxcvbn:
+    enabled: false
+    min_score: 3
+access_control:
+  default_policy: deny
+  networks:
+    - name: 'internal'
+      networks:
+        - '172.17.0.0/16'
+        - '172.18.0.0/16'
+        - '192.168.1.0/24'
+  rules:
+    - domain_regex:
+      - '^trez.wtf$'
+      - ^www.trez.wtf$''
+      policy: bypass
+    - domain: '*.trez.wtf'
+      policy: bypass
+      networks:
+        - 'internal'
+    - domain: '*.trez.wtf'
+      policy: one_factor
+      subject:
+      - ['user:the.trezured.one']
+session:
+  name: authelia_session
+  secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_SESSION_SECRET'] }}'
+  expiration: 1h
+  inactivity: 5m
+  remember_me: 1M
+  cookies:
+    - domain: 'trez.wtf'
+      authelia_url: 'https://auth.trez.wtf'
+  redis:
+    host: redis
+    port: 6379
+storage:
+  encryption_key: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_STORAGE_ENCRYPTION_KEY'] }}'
+  postgres:
+    address: 'tcp://authelia-pg:5432'
+    database: authelia
+    username: authelia
+    password: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_STORAGE_POSTGRES_PASSWORD'] }}'
+    timeout: '5s'
+regulation:
+  max_retries: 3
+  find_time: 2m
+  ban_time: 5m
+notifier:
+  disable_startup_check: true
+  smtp:
+    address: 'smtp://postal-smtp:25'
+    timeout: '5s'
+    username: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}'
+    password: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}'
+    sender: "Authelia <noreply@trez.wtf>"
+    identifier: 'localhost'
+    subject: "[Authelia] {title}"
+    startup_check_address: 'test@authelia.com'
+    disable_require_tls: true
+    disable_starttls: true
+    disable_html_emails: false
+identity_providers:
+  oidc:
+    hmac_secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_OIDC_HMAC_SECRET'] }}'
+    jwks:
+      - key: |
+          {{ lookup("community.hashi_vault.vault_kv2_get", "env", engine_mount_point="rinoa-docker", url=vault_addr, token=vault_token_cleaned)["secret"]["AUTHELIA_OIDC_JWKS_KEY"] | replace("\\n", "\n") | indent(10) }}
+    cors:
+      allowed_origins_from_client_redirect_uris: true
+      endpoints:
+        - 'userinfo'
+        - 'authorization'
+        - 'token'
+        - 'revocation'
+        - 'introspection'
+    clients:
+      - client_id: 'netbird'
+        client_name: 'NetBird'
+        client_secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_NETBIRD_CLIENT_SECRET'] }}'
+        public: false
+        authorization_policy: 'two_factor'
+        redirect_uris:
+          - 'https://vpn.trez.wtf/peers'
+          - 'https://vpn.trez.wtf/add-peers'
+          - 'http://localhost'
+        scopes:
+          - 'openid'
+          - 'email'
+          - 'profile'
+        userinfo_signed_response_alg: 'none'
+        token_endpoint_auth_method: 'client_secret_post'
@@ -0,0 +1,16 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+tunnel: 52bdee6e-8ccb-47be-ba9e-f8010b905e41
+credentials-file: /etc/cloudflared/52bdee6e-8ccb-47be-ba9e-f8010b905e41.json
+warp-routing:
+  enabled: true
+
+ingress:
+  - hostname: git-ssh.trez.wtf
+    service: ssh://gitea:22
+  - hostname: gist-ssh.trez.wtf
+    service: ssh://gitea-opengist:2222
+  - hostname: ssh.trez.wtf
+    service: ssh://192.168.1.254:22
+  - service: http_status:404  # Default for unmatched requests
@@ -0,0 +1,16 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+tunnel: 52bdee6e-8ccb-47be-ba9e-f8010b905e41
+credentials-file: /etc/cloudflared/52bdee6e-8ccb-47be-ba9e-f8010b905e41.json
+warp-routing:
+  enabled: true
+
+ingress:
+  - hostname: git-ssh.trez.wtf
+    service: ssh://gitea:22
+  - hostname: gist-ssh.trez.wtf
+    service: ssh://gitea-opengist:2222
+  - hostname: ssh.trez.wtf
+    service: ssh://192.168.1.254:22
+  - service: http_status:404  # Default for unmatched requests
@@ -0,0 +1,15 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+
+source: journalctl
+journalctl_filter: 
+  - "--directory=/var/log/host/"
+labels:
+  type: syslog
+---
+filenames:
+  - /var/log/swag/*
+labels:
+  type: nginx
+---
@@ -0,0 +1,49 @@
+common:
+  daemonize: false
+  log_media: stdout
+  log_level: info
+  log_dir: /var/log/
+config_paths:
+  config_dir: /etc/crowdsec/
+  data_dir: /var/lib/crowdsec/data/
+  simulation_path: /etc/crowdsec/simulation.yaml
+  hub_dir: /etc/crowdsec/hub/
+  index_path: /etc/crowdsec/hub/.index.json
+  notification_dir: /etc/crowdsec/notifications/
+  plugin_dir: /usr/local/lib/crowdsec/plugins/
+crowdsec_service:
+  acquisition_path: /etc/crowdsec/acquis.yaml
+  acquisition_dir: /etc/crowdsec/acquis.d
+  parser_routines: 1
+plugin_config:
+  user: nobody
+  group: nobody
+cscli:
+  output: human
+db_config:
+  log_level: info
+  type: sqlite
+  db_path: /var/lib/crowdsec/data/crowdsec.db
+  flush:
+    max_items: 5000
+    max_age: 7d
+  use_wal: false
+api:
+  client:
+    insecure_skip_verify: false
+    credentials_path: /etc/crowdsec/local_api_credentials.yaml
+  server:
+    log_level: info
+    listen_uri: 0.0.0.0:8080
+    profiles_path: /etc/crowdsec/profiles.yaml
+    trusted_ips: # IP ranges, or IPs which can have admin API access
+      - 127.0.0.1
+      - ::1
+    online_client: # Central API credentials (to push signals and receive bad IPs)
+      credentials_path: /etc/crowdsec/online_api_credentials.yaml
+    enable: true
+prometheus:
+  enabled: true
+  level: full
+  listen_addr: 0.0.0.0
+  listen_port: 6060
@@ -0,0 +1,6 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+url: http://0.0.0.0:8080
+login: localhost
+password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['CROWDSEC_LOCAL_API_KEY'] }}
@@ -0,0 +1,6 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+url: https://api.crowdsec.net/
+login: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['CROWDSEC_ONLINE_PASSWORD'] }}
+password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['CROWDSEC_ONLINE_PASSWORD'] }}
@@ -0,0 +1,17 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+name: default_ip_remediation
+#debug: true
+filters:
+ - Alert.Remediation == true && Alert.GetScope() == "Ip"
+decisions:
+ - type: ban
+   duration: 4h
+#duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
+# notifications:
+#   - slack_default  # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
+#   - splunk_default # Set the splunk url and token in /etc/crowdsec/notifications/splunk.yaml before enabling this.
+#   - http_default   # Set the required http parameters in /etc/crowdsec/notifications/http.yaml before enabling this.
+#   - email_default  # Set the required email parameters in /etc/crowdsec/notifications/email.yaml before enabling this.
+on_success: break
@@ -0,0 +1,15 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+
+source: journalctl
+journalctl_filter: 
+  - "--directory=/var/log/host/"
+labels:
+  type: syslog
+---
+filenames:
+  - /var/log/swag/*
+labels:
+  type: nginx
+---
@@ -0,0 +1,49 @@
+common:
+  daemonize: false
+  log_media: stdout
+  log_level: info
+  log_dir: /var/log/
+config_paths:
+  config_dir: /etc/crowdsec/
+  data_dir: /var/lib/crowdsec/data/
+  simulation_path: /etc/crowdsec/simulation.yaml
+  hub_dir: /etc/crowdsec/hub/
+  index_path: /etc/crowdsec/hub/.index.json
+  notification_dir: /etc/crowdsec/notifications/
+  plugin_dir: /usr/local/lib/crowdsec/plugins/
+crowdsec_service:
+  acquisition_path: /etc/crowdsec/acquis.yaml
+  acquisition_dir: /etc/crowdsec/acquis.d
+  parser_routines: 1
+plugin_config:
+  user: nobody
+  group: nobody
+cscli:
+  output: human
+db_config:
+  log_level: info
+  type: sqlite
+  db_path: /var/lib/crowdsec/data/crowdsec.db
+  flush:
+    max_items: 5000
+    max_age: 7d
+  use_wal: false
+api:
+  client:
+    insecure_skip_verify: false
+    credentials_path: /etc/crowdsec/local_api_credentials.yaml
+  server:
+    log_level: info
+    listen_uri: 0.0.0.0:8080
+    profiles_path: /etc/crowdsec/profiles.yaml
+    trusted_ips: # IP ranges, or IPs which can have admin API access
+      - 127.0.0.1
+      - ::1
+    online_client: # Central API credentials (to push signals and receive bad IPs)
+      credentials_path: /etc/crowdsec/online_api_credentials.yaml
+    enable: true
+prometheus:
+  enabled: true
+  level: full
+  listen_addr: 0.0.0.0
+  listen_port: 6060
@@ -0,0 +1,6 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+url: http://0.0.0.0:8080
+login: localhost
+password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['CROWDSEC_LOCAL_API_KEY'] }}
@@ -0,0 +1,6 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+url: https://api.crowdsec.net/
+login: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['CROWDSEC_ONLINE_PASSWORD'] }}
+password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['CROWDSEC_ONLINE_PASSWORD'] }}
@@ -0,0 +1,17 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+name: default_ip_remediation
+#debug: true
+filters:
+ - Alert.Remediation == true && Alert.GetScope() == "Ip"
+decisions:
+ - type: ban
+   duration: 4h
+#duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
+# notifications:
+#   - slack_default  # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
+#   - splunk_default # Set the splunk url and token in /etc/crowdsec/notifications/splunk.yaml before enabling this.
+#   - http_default   # Set the required http parameters in /etc/crowdsec/notifications/http.yaml before enabling this.
+#   - email_default  # Set the required email parameters in /etc/crowdsec/notifications/email.yaml before enabling this.
+on_success: break
@@ -0,0 +1,42 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+{
+  "url": "blog.trez.wtf",
+  "database": {
+    "client": "mysql",
+    "connection": {
+      "host"     : "mariadb",
+      "port"     : 3306,
+      "user"     : "ghost",
+      "password" : "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GHOST_DB_PASSWORD'] }}",
+      "database" : "ghost_db"
+    }
+  },
+  "mail": {
+    "from": "'Ghost @ Rinoa' <noreply@trez.wtf>",
+    "transport": "SMTP",
+    "options": {
+      "host": "postal-smtp",
+      "port": 25,
+      "secure": false,
+      "auth": {
+        "user": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}",
+        "pass": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}"
+      }
+    }
+  },
+  "paths": {
+    "contentPath": "content/"
+  },
+  "privacy": {
+    "useGravatar": true
+  },
+  "logging": {
+    "level": "info",
+    "rotation": {
+      "enabled": true
+    },
+    "transports": ["file"]
+  }
+}
@@ -0,0 +1,42 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+{
+  "url": "blog.trez.wtf",
+  "database": {
+    "client": "mysql",
+    "connection": {
+      "host"     : "mariadb",
+      "port"     : 3306,
+      "user"     : "ghost",
+      "password" : "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GHOST_DB_PASSWORD'] }}",
+      "database" : "ghost_db"
+    }
+  },
+  "mail": {
+    "from": "'Ghost @ Rinoa' <noreply@trez.wtf>",
+    "transport": "SMTP",
+    "options": {
+      "host": "postal-smtp",
+      "port": 25,
+      "secure": false,
+      "auth": {
+        "user": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}",
+        "pass": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}"
+      }
+    }
+  },
+  "paths": {
+    "contentPath": "content/"
+  },
+  "privacy": {
+    "useGravatar": true
+  },
+  "logging": {
+    "level": "info",
+    "rotation": {
+      "enabled": true
+    },
+    "transports": ["file"]
+  }
+}
@@ -0,0 +1,101 @@
+# Example configuration file, it's safe to copy this as the default config file without any modification.
+
+# You don't have to copy this file to your instance,
+# just run `./act_runner generate-config > config.yaml` to generate a config file.
+
+log:
+  # The level of logging, can be trace, debug, info, warn, error, fatal
+  level: info
+
+runner:
+  # Where to store the registration result.
+  file: .runner
+  # Execute how many tasks concurrently at the same time.
+  capacity: 3
+  # Extra environment variables to run jobs.
+#   envs:
+#     A_TEST_ENV_NAME_1: a_test_env_value_1
+#     A_TEST_ENV_NAME_2: a_test_env_value_2
+  # Extra environment variables to run jobs from a file.
+  # It will be ignored if it's empty or the file doesn't exist.
+#   env_file: .env
+  # The timeout for a job to be finished.
+  # Please note that the Gitea instance also has a timeout (3h by default) for the job.
+  # So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
+  timeout: 3h
+  # The timeout for the runner to wait for running jobs to finish when shutting down.
+  # Any running jobs that haven't finished after this timeout will be cancelled.
+  shutdown_timeout: 0s
+  # Whether skip verifying the TLS certificate of the Gitea instance.
+  insecure: false
+  # The timeout for fetching the job from the Gitea instance.
+  fetch_timeout: 5s
+  # The interval for fetching the job from the Gitea instance.
+  fetch_interval: 2s
+  # The labels of a runner are used to determine which jobs the runner can run, and how to run them.
+  # Like: "macos-arm64:host" or "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
+  # Find more images provided by Gitea at https://gitea.com/gitea/runner-images .
+  # If it's empty when registering, it will ask for inputting labels.
+  # If it's empty when execute `daemon`, will use labels in `.runner` file.
+  labels:
+    - "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
+    - "ubuntu-22.04:docker://gitea/runner-images:ubuntu-22.04"
+    - "ubuntu-20.04:docker://gitea/runner-images:ubuntu-20.04"
+
+cache:
+  # Enable cache server to use actions/cache.
+  enabled: true
+  # The directory to store the cache data.
+  # If it's empty, the cache data will be stored in $HOME/.cache/actcache.
+  dir: ""
+  # The host of the cache server.
+  # It's not for the address to listen, but the address to connect from job containers.
+  # So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
+  host: "192.168.1.254"
+  # The port of the cache server.
+  # 0 means to use a random available port.
+  port: 63604
+  # The external cache server URL. Valid only when enable is true.
+  # If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
+  # The URL should generally end with "/".
+  external_server: ""
+
+container:
+  # Specifies the network to which the container will connect.
+  # Could be host, bridge or the name of a custom network.
+  # If it's empty, act_runner will create a network automatically.
+  network: "compose_default"
+  # Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
+  privileged: false
+  # And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
+  options:
+  # The parent directory of a job's working directory.
+  # NOTE: There is no need to add the first '/' of the path as act_runner will add it automatically. 
+  # If the path starts with '/', the '/' will be trimmed.
+  # For example, if the parent directory is /path/to/my/dir, workdir_parent should be path/to/my/dir
+  # If it's empty, /workspace will be used.
+  workdir_parent:
+  # Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
+  # You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
+  # For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
+  # valid_volumes:
+  #   - data
+  #   - /src/*.json
+  # If you want to allow any volume, please use the following configuration:
+  # valid_volumes:
+  #   - '**'
+  valid_volumes: []
+  # overrides the docker client host with the specified one.
+  # If it's empty, act_runner will find an available docker host automatically.
+  # If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
+  # If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
+  docker_host: ""
+  # Pull docker image(s) even if already present
+  force_pull: false
+  # Rebuild docker image(s) even if already present
+  force_rebuild: false
+
+host:
+  # The parent directory of a job's working directory.
+  # If it's empty, $HOME/.cache/act/ will be used.
+  workdir_parent:
@@ -0,0 +1,125 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+APP_NAME = Gitea: Git with a cup of tea
+RUN_MODE = prod
+RUN_USER = git
+WORK_PATH = /data/gitea
+
+[repository]
+ROOT = /data/git/repositories
+DEFAULT_PRIVATE = last
+EMABLE_PUSH_CREATE_USER = true
+
+[repository.local]
+LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
+
+[repository.upload]
+TEMP_PATH = /data/gitea/uploads
+
+[server]
+APP_DATA_PATH = /data/gitea
+DOMAIN = git.trez.wtf
+SSH_DOMAIN = git-ssh.trez.wtf
+HTTP_PORT = 3000
+ROOT_URL = https://git.trez.wtf/
+DISABLE_SSH = false
+SSH_PORT = 22
+SSH_LISTEN_PORT = 22
+LFS_START_SERVER = true
+LFS_JWT_SECRET = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_LFS_JWT_SECRET'] }}
+OFFLINE_MODE = true
+
+[database]
+PATH = /data/gitea/gitea.db
+DB_TYPE = postgres
+HOST = gitea-db:5432
+NAME = gitea
+USER = gitea
+PASSWD = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_PG_DB_PASSWORD'] }}
+LOG_SQL = false
+SCHEMA =
+SSL_MODE = disable
+
+[indexer]
+ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
+REPO_INDEXER_ENABLED = true
+REPO_INDEXER_PATH = indexers/repos.bleve
+MAX_FILE_SIZE = 1048576
+REPO_INDEXER_INCLUDE =
+REPO_INDEXER_EXCLUDE = resources/bin/**
+
+[session]
+PROVIDER_CONFIG = /data/gitea/sessions
+PROVIDER = file
+
+[picture]
+AVATAR_UPLOAD_PATH = /data/gitea/avatars
+REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
+
+[attachment]
+PATH = /data/gitea/attachments
+
+[log]
+MODE = console
+LEVEL = info
+ROOT_PATH = root
+
+[security]
+INSTALL_LOCK = true
+SECRET_KEY =
+REVERSE_PROXY_LIMIT = 1
+REVERSE_PROXY_TRUSTED_PROXIES = *
+INTERNAL_TOKEN = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_INTERNAL_TOKEN'] }}
+PASSWORD_HASH_ALGO = pbkdf2
+
+[service]
+DISABLE_REGISTRATION = false
+REQUIRE_SIGNIN_VIEW = false
+REGISTER_EMAIL_CONFIRM = true
+ENABLE_NOTIFY_MAIL = true
+ALLOW_ONLY_EXTERNAL_REGISTRATION = false
+ENABLE_CAPTCHA = true
+DEFAULT_KEEP_EMAIL_PRIVATE = true
+DEFAULT_ALLOW_CREATE_ORGANIZATION = false
+DEFAULT_ENABLE_TIMETRACKING = false
+NO_REPLY_ADDRESS = noreply@trez.wtf
+
+[lfs]
+PATH = /data/git/lfs
+
+[mailer]
+PASSWD = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}
+PROTOCOL = smtp
+ENABLED = true
+FROM = '"Gitea" <noreply@trez.wtf>'
+SMTP_PORT = 25
+USER = rinoa/postal-smtp
+SMTP_ADDR = postal-smtp
+IS_TLS_ENABLED = faLse
+
+[openid]
+ENABLE_OPENID_SIGNIN = true
+ENABLE_OPENID_SIGNUP = true
+
+[cron.update_checker]
+ENABLED = false
+
+[repository.pull-request]
+DEFAULT_MERGE_STYLE = merge
+
+[repository.signing]
+DEFAULT_TRUST_MODEL = committer
+
+[oauth2]
+JWT_SECRET = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_OAUTH2_JWT_SECRET'] }}
+
+[ui]
+THEMES =
+
+[actions]
+ENABLED = true
+
+[webhook]
+ALLOWED_HOST_LIST = private,104.21.1.234,172.67.152.146
+SKIP_TLS_VERIFY = true
@@ -0,0 +1,81 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+# Gitea related configuration. Necessary for adding/updating comments on repository pull requests
+gitea:
+  # Endpoint of your Gitea instance. Must be expandable by '/api/v1' to form the API base path as shown in Swagger UI.
+  url: https://git.trez.wtf
+
+  # Created access token for the user that shall be used as bot account.
+  # User needs "Read project" permissions with access to "Pull Requests"
+  token:
+    value: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_GITEA_TOKEN'] }}"
+    # # or path to file containing the plain text secret
+    # file: /path/to/gitea/token
+
+  # If the sent webhook has a signature header, the bot validates the request payload. If the value does not match, the
+  # request will be ignored.
+  # The bot looks for `X-Gitea-Signature` header containing the sha256 hmac hash of the plain text secret. If the header
+  # exists and no webhookSecret is defined here, the bot will ignore the request, because it cannot be validated.
+  webhook:
+    secret: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_GITEA_WEBHOOK_SECRET'] }}"
+    # # or path to file containing the plain text secret
+    # secretFile: /path/to/gitea/webhook/secret
+
+  # Pull Request status check settings.
+  statusCheck:
+    # Configure the label/name of the PR status check.
+    name: "gitea-sonarqube-bot"
+
+# SonarQube related configuration. Necessary for requesting data from the API and processing the webhook.
+sonarqube:
+  # Endpoint of your SonarQube instance. Must be expandable by '/api' to form the API base path.
+  url: https://sqube.trez.wtf
+
+  # Created access token for the user that shall be used as bot account.
+  # User needs "Browse on project" permissions
+  token:
+    value: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_SQUBE_TOKEN'] }}"
+    # # or path to file containing the plain text secret
+    # file: /path/to/sonarqube/token
+
+  # If the sent webhook has a signature header, the bot validates the request payload. If the value does not match, the
+  # request will be ignored.
+  # The bot looks for `X-Sonar-Webhook-HMAC-SHA256` header containing the sha256 hmac hash of the plain text secret.
+  # If the header exists and no webhookSecret is defined here, the bot will ignore the request, because it cannot be
+  # validated.
+  webhook:
+    secret: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_SQUBE_WEBHOOK_SECRET'] }}"
+    # # or path to file containing the plain text secret
+    # secretFile: /path/to/sonarqube/webhook/secret
+
+  # Some useful metrics depend on the edition in use. There are various ones like code_smells, vulnerabilities, bugs, etc.
+  # By default, the bot will extract "bugs,vulnerabilities,code_smells"
+  # Setting this option you can extend that default list by your own metrics.
+  # additionalMetrics: []
+  # - "new_security_hotspots"
+
+# List of project mappings to take care of. Webhooks for other projects will be ignored.
+# At least one must be configured. Otherwise, all webhooks (no matter which source) because the bot cannot map on its own.
+projects:
+  - sonarqube:
+      key: rinoa-docker
+    # A repository specification contains the owner name and the repository name itself. The owner can be the name of a
+    # real account or an organization in which the repository is located.
+    gitea:
+      owner: Trez.One
+      name: rinoa-docker
+
+# Define pull request names from SonarScanner analysis. Default pattern matches the Jenkins Gitea plugin schema.
+namingPattern:
+  # Regular expression that MUST HAVE exactly ONE GROUP that matches the integer part of the PR.
+  # That integer part is identical to the pull request ID in Gitea.
+  regex: "^.*$"
+
+  # Valid Go format string. It MUST have one integer placeholder which will be replaced by the pull request ID.
+  # See: https://pkg.go.dev/fmt#hdr-Printing
+  template: "%s"
+
+  # Example for integer-only names
+  # # regex: "^(\\d+)$"
+  # # template: "%d"
@@ -0,0 +1,101 @@
+# Example configuration file, it's safe to copy this as the default config file without any modification.
+
+# You don't have to copy this file to your instance,
+# just run `./act_runner generate-config > config.yaml` to generate a config file.
+
+log:
+  # The level of logging, can be trace, debug, info, warn, error, fatal
+  level: info
+
+runner:
+  # Where to store the registration result.
+  file: .runner
+  # Execute how many tasks concurrently at the same time.
+  capacity: 3
+  # Extra environment variables to run jobs.
+#   envs:
+#     A_TEST_ENV_NAME_1: a_test_env_value_1
+#     A_TEST_ENV_NAME_2: a_test_env_value_2
+  # Extra environment variables to run jobs from a file.
+  # It will be ignored if it's empty or the file doesn't exist.
+#   env_file: .env
+  # The timeout for a job to be finished.
+  # Please note that the Gitea instance also has a timeout (3h by default) for the job.
+  # So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
+  timeout: 3h
+  # The timeout for the runner to wait for running jobs to finish when shutting down.
+  # Any running jobs that haven't finished after this timeout will be cancelled.
+  shutdown_timeout: 0s
+  # Whether skip verifying the TLS certificate of the Gitea instance.
+  insecure: false
+  # The timeout for fetching the job from the Gitea instance.
+  fetch_timeout: 5s
+  # The interval for fetching the job from the Gitea instance.
+  fetch_interval: 2s
+  # The labels of a runner are used to determine which jobs the runner can run, and how to run them.
+  # Like: "macos-arm64:host" or "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
+  # Find more images provided by Gitea at https://gitea.com/gitea/runner-images .
+  # If it's empty when registering, it will ask for inputting labels.
+  # If it's empty when execute `daemon`, will use labels in `.runner` file.
+  labels:
+    - "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
+    - "ubuntu-22.04:docker://gitea/runner-images:ubuntu-22.04"
+    - "ubuntu-20.04:docker://gitea/runner-images:ubuntu-20.04"
+
+cache:
+  # Enable cache server to use actions/cache.
+  enabled: true
+  # The directory to store the cache data.
+  # If it's empty, the cache data will be stored in $HOME/.cache/actcache.
+  dir: ""
+  # The host of the cache server.
+  # It's not for the address to listen, but the address to connect from job containers.
+  # So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
+  host: "192.168.1.254"
+  # The port of the cache server.
+  # 0 means to use a random available port.
+  port: 63604
+  # The external cache server URL. Valid only when enable is true.
+  # If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
+  # The URL should generally end with "/".
+  external_server: ""
+
+container:
+  # Specifies the network to which the container will connect.
+  # Could be host, bridge or the name of a custom network.
+  # If it's empty, act_runner will create a network automatically.
+  network: "compose_default"
+  # Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
+  privileged: false
+  # And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
+  options:
+  # The parent directory of a job's working directory.
+  # NOTE: There is no need to add the first '/' of the path as act_runner will add it automatically. 
+  # If the path starts with '/', the '/' will be trimmed.
+  # For example, if the parent directory is /path/to/my/dir, workdir_parent should be path/to/my/dir
+  # If it's empty, /workspace will be used.
+  workdir_parent:
+  # Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
+  # You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
+  # For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
+  # valid_volumes:
+  #   - data
+  #   - /src/*.json
+  # If you want to allow any volume, please use the following configuration:
+  # valid_volumes:
+  #   - '**'
+  valid_volumes: []
+  # overrides the docker client host with the specified one.
+  # If it's empty, act_runner will find an available docker host automatically.
+  # If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
+  # If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
+  docker_host: ""
+  # Pull docker image(s) even if already present
+  force_pull: false
+  # Rebuild docker image(s) even if already present
+  force_rebuild: false
+
+host:
+  # The parent directory of a job's working directory.
+  # If it's empty, $HOME/.cache/act/ will be used.
+  workdir_parent:
@@ -0,0 +1,125 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+APP_NAME = Gitea: Git with a cup of tea
+RUN_MODE = prod
+RUN_USER = git
+WORK_PATH = /data/gitea
+
+[repository]
+ROOT = /data/git/repositories
+DEFAULT_PRIVATE = last
+EMABLE_PUSH_CREATE_USER = true
+
+[repository.local]
+LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
+
+[repository.upload]
+TEMP_PATH = /data/gitea/uploads
+
+[server]
+APP_DATA_PATH = /data/gitea
+DOMAIN = git.trez.wtf
+SSH_DOMAIN = git-ssh.trez.wtf
+HTTP_PORT = 3000
+ROOT_URL = https://git.trez.wtf/
+DISABLE_SSH = false
+SSH_PORT = 22
+SSH_LISTEN_PORT = 22
+LFS_START_SERVER = true
+LFS_JWT_SECRET = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_LFS_JWT_SECRET'] }}
+OFFLINE_MODE = true
+
+[database]
+PATH = /data/gitea/gitea.db
+DB_TYPE = postgres
+HOST = gitea-db:5432
+NAME = gitea
+USER = gitea
+PASSWD = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_PG_DB_PASSWORD'] }}
+LOG_SQL = false
+SCHEMA =
+SSL_MODE = disable
+
+[indexer]
+ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
+REPO_INDEXER_ENABLED = true
+REPO_INDEXER_PATH = indexers/repos.bleve
+MAX_FILE_SIZE = 1048576
+REPO_INDEXER_INCLUDE =
+REPO_INDEXER_EXCLUDE = resources/bin/**
+
+[session]
+PROVIDER_CONFIG = /data/gitea/sessions
+PROVIDER = file
+
+[picture]
+AVATAR_UPLOAD_PATH = /data/gitea/avatars
+REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
+
+[attachment]
+PATH = /data/gitea/attachments
+
+[log]
+MODE = console
+LEVEL = info
+ROOT_PATH = root
+
+[security]
+INSTALL_LOCK = true
+SECRET_KEY =
+REVERSE_PROXY_LIMIT = 1
+REVERSE_PROXY_TRUSTED_PROXIES = *
+INTERNAL_TOKEN = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_INTERNAL_TOKEN'] }}
+PASSWORD_HASH_ALGO = pbkdf2
+
+[service]
+DISABLE_REGISTRATION = false
+REQUIRE_SIGNIN_VIEW = false
+REGISTER_EMAIL_CONFIRM = true
+ENABLE_NOTIFY_MAIL = true
+ALLOW_ONLY_EXTERNAL_REGISTRATION = false
+ENABLE_CAPTCHA = true
+DEFAULT_KEEP_EMAIL_PRIVATE = true
+DEFAULT_ALLOW_CREATE_ORGANIZATION = false
+DEFAULT_ENABLE_TIMETRACKING = false
+NO_REPLY_ADDRESS = noreply@trez.wtf
+
+[lfs]
+PATH = /data/git/lfs
+
+[mailer]
+PASSWD = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}
+PROTOCOL = smtp
+ENABLED = true
+FROM = '"Gitea" <noreply@trez.wtf>'
+SMTP_PORT = 25
+USER = rinoa/postal-smtp
+SMTP_ADDR = postal-smtp
+IS_TLS_ENABLED = faLse
+
+[openid]
+ENABLE_OPENID_SIGNIN = true
+ENABLE_OPENID_SIGNUP = true
+
+[cron.update_checker]
+ENABLED = false
+
+[repository.pull-request]
+DEFAULT_MERGE_STYLE = merge
+
+[repository.signing]
+DEFAULT_TRUST_MODEL = committer
+
+[oauth2]
+JWT_SECRET = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_OAUTH2_JWT_SECRET'] }}
+
+[ui]
+THEMES =
+
+[actions]
+ENABLED = true
+
+[webhook]
+ALLOWED_HOST_LIST = private,104.21.1.234,172.67.152.146
+SKIP_TLS_VERIFY = true
@@ -0,0 +1,81 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+# Gitea related configuration. Necessary for adding/updating comments on repository pull requests
+gitea:
+  # Endpoint of your Gitea instance. Must be expandable by '/api/v1' to form the API base path as shown in Swagger UI.
+  url: https://git.trez.wtf
+
+  # Created access token for the user that shall be used as bot account.
+  # User needs "Read project" permissions with access to "Pull Requests"
+  token:
+    value: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_GITEA_TOKEN'] }}"
+    # # or path to file containing the plain text secret
+    # file: /path/to/gitea/token
+
+  # If the sent webhook has a signature header, the bot validates the request payload. If the value does not match, the
+  # request will be ignored.
+  # The bot looks for `X-Gitea-Signature` header containing the sha256 hmac hash of the plain text secret. If the header
+  # exists and no webhookSecret is defined here, the bot will ignore the request, because it cannot be validated.
+  webhook:
+    secret: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_GITEA_WEBHOOK_SECRET'] }}"
+    # # or path to file containing the plain text secret
+    # secretFile: /path/to/gitea/webhook/secret
+
+  # Pull Request status check settings.
+  statusCheck:
+    # Configure the label/name of the PR status check.
+    name: "gitea-sonarqube-bot"
+
+# SonarQube related configuration. Necessary for requesting data from the API and processing the webhook.
+sonarqube:
+  # Endpoint of your SonarQube instance. Must be expandable by '/api' to form the API base path.
+  url: https://sqube.trez.wtf
+
+  # Created access token for the user that shall be used as bot account.
+  # User needs "Browse on project" permissions
+  token:
+    value: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_SQUBE_TOKEN'] }}"
+    # # or path to file containing the plain text secret
+    # file: /path/to/sonarqube/token
+
+  # If the sent webhook has a signature header, the bot validates the request payload. If the value does not match, the
+  # request will be ignored.
+  # The bot looks for `X-Sonar-Webhook-HMAC-SHA256` header containing the sha256 hmac hash of the plain text secret.
+  # If the header exists and no webhookSecret is defined here, the bot will ignore the request, because it cannot be
+  # validated.
+  webhook:
+    secret: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_SQUBE_WEBHOOK_SECRET'] }}"
+    # # or path to file containing the plain text secret
+    # secretFile: /path/to/sonarqube/webhook/secret
+
+  # Some useful metrics depend on the edition in use. There are various ones like code_smells, vulnerabilities, bugs, etc.
+  # By default, the bot will extract "bugs,vulnerabilities,code_smells"
+  # Setting this option you can extend that default list by your own metrics.
+  # additionalMetrics: []
+  # - "new_security_hotspots"
+
+# List of project mappings to take care of. Webhooks for other projects will be ignored.
+# At least one must be configured. Otherwise, all webhooks (no matter which source) because the bot cannot map on its own.
+projects:
+  - sonarqube:
+      key: rinoa-docker
+    # A repository specification contains the owner name and the repository name itself. The owner can be the name of a
+    # real account or an organization in which the repository is located.
+    gitea:
+      owner: Trez.One
+      name: rinoa-docker
+
+# Define pull request names from SonarScanner analysis. Default pattern matches the Jenkins Gitea plugin schema.
+namingPattern:
+  # Regular expression that MUST HAVE exactly ONE GROUP that matches the integer part of the PR.
+  # That integer part is identical to the pull request ID in Gitea.
+  regex: "^.*$"
+
+  # Valid Go format string. It MUST have one integer placeholder which will be replaced by the pull request ID.
+  # See: https://pkg.go.dev/fmt#hdr-Printing
+  template: "%s"
+
+  # Example for integer-only names
+  # # regex: "^(\\d+)$"
+  # # template: "%d"
@@ -0,0 +1,404 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+/////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// Agent globals
+/////////////////////////////////////////////////////////////////////////////////////////////////////////////
+local.file "endpoints" {
+    // The endpoints file is used to define the endpoints, credentials and options
+    // for the Agent export to.
+    filename = "/etc/alloy/endpoints.json"
+}
+
+discovery.docker "rinoadocker" {
+        host = env("DOCKER_HOST")
+}
+
+tracing {
+    write_to = [otelcol.exporter.otlp.tempo.input]
+}
+/////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// Metrics
+/////////////////////////////////////////////////////////////////////////////////////////////////////////////
+prometheus.remote_write "mimir" {
+  endpoint {
+    url = json_path(local.file.endpoints.content, ".metrics.url")[0]
+    basic_auth {
+        username = json_path(local.file.endpoints.content, ".metrics.basicAuth.username")[0]
+        password = json_path(local.file.endpoints.content, ".metrics.basicAuth.password")[0]
+    }
+  }
+}
+
+prometheus.scrape "prometheus" {
+        targets = [{
+                __address__ = "localhost:12345",
+        }]
+        forward_to = [prometheus.remote_write.mimir.receiver]
+        job_name   = "prometheus"
+}
+
+prometheus.exporter.unix "rinoa" {
+        procfs_path = "/host/proc"
+        sysfs_path  = "/host/sys"
+        rootfs_path = "/rootfs"
+}
+
+prometheus.scrape "rinoa" {
+        targets    = prometheus.exporter.unix.rinoa.targets
+        forward_to = [prometheus.remote_write.mimir.receiver]
+        job_name   = "rinoa_host"
+}
+
+prometheus.exporter.cadvisor "docker" {
+        docker_host      = env("DOCKER_HOST")
+        storage_duration = "5m"
+}
+
+prometheus.scrape "docker" {
+        targets    = prometheus.exporter.cadvisor.docker.targets
+        forward_to = [prometheus.remote_write.mimir.receiver]
+        job_name   = "docker_stats"
+}
+/////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// Logging
+/////////////////////////////////////////////////////////////////////////////////////////////////////////////
+loki.write "loki" {
+        endpoint {
+                url = json_path(local.file.endpoints.content, ".logs.url")[0]
+                basic_auth {
+                        username = json_path(local.file.endpoints.content, ".logs.basicAuth.username")[0]
+                        password = json_path(local.file.endpoints.content, ".logs.basicAuth.password")[0]
+                }
+        }
+        external_labels = {}
+}
+
+loki.source.journal "hostjournal" {
+        forward_to = [loki.write.loki.receiver]
+        max_age = "24h"
+        path = "/rootfs/var/log/journal/"
+        labels = {
+                job = "host-journal",
+        }
+}
+
+local.file_match "system" {
+        path_targets = [{
+                __address__ = "localhost",
+                __path__    = "/rootfs/var/log/*log",
+                job         = "varlogs",
+        }]
+}
+
+loki.source.file "system" {
+        targets    = local.file_match.system.targets
+        forward_to = [loki.write.loki.receiver]
+}
+
+loki.source.docker "containers" {
+        host       = env("DOCKER_HOST")
+        targets    = discovery.docker.rinoadocker.targets
+        forward_to = [loki.write.loki.receiver]
+        labels     = {
+                job = "containerlogs",
+        }
+}
+
+loki.process "containers" {
+        forward_to = [loki.write.loki.receiver]
+        // stage.docker {}
+        stage.json {
+		expressions = {
+			attrs  = "",
+			output = "log",
+			stream = "stream",
+		}
+	}
+
+	stage.json {
+		expressions = {
+			tag = "",
+		}
+		source = "attrs"
+	}
+
+	stage.regex {
+		expression = "(?P<image_name>(?:[^|]*[^|])).(?P<container_name>(?:[^|]*[^|])).(?P<image_id>(?:[^|]*[^|])).(?P<container_id>(?:[^|]*[^|]))"
+		source     = "tag"
+	}
+
+	stage.timestamp {
+		source = "time"
+		format = "RFC3339Nano"
+	}
+
+	stage.labels {
+		values = {
+			container_id   = null,
+			container_name = null,
+			image_id       = null,
+			image_name     = null,
+			stream         = null,
+			tag            = null,
+		}
+	}
+
+	stage.output {
+		source = "output"
+	}
+}
+
+/////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// Traces
+/////////////////////////////////////////////////////////////////////////////////////////////////////////////
+beyla.ebpf "rinoadocker" {
+    open_port = "80-65535"
+    routes {
+        unmatched = "heauristic"
+    }
+    output {
+        traces = [
+            otelcol.connector.servicegraph.tracemetrics.input,
+            otelcol.connector.spanmetrics.tracemetrics.input,
+            otelcol.processor.batch.default.input,
+            otelcol.connector.spanlogs.autologging.input,
+        ]
+    }
+}
+
+prometheus.scrape "beyla" { 
+    targets = beyla.ebpf.rinoadocker.targets
+    forward_to = [prometheus.remote_write.mimir.receiver]
+}
+
+otelcol.auth.headers "tempo" {
+    header {
+        key = "Authorization"
+        value = join(["Basic ", json_path(local.file.endpoints.content, ".traces.basicAuthToken")[0]], "")
+    }
+}
+
+otelcol.processor.batch "default" {
+    // Wait until we've received 16K of data.
+    send_batch_size = 16384
+    send_batch_max_size = 16384
+    // Or until 2 seconds have elapsed.
+    timeout = "2s"
+    // When the Agent has enough batched data, send it to the OpenTelemetry exporter named 'tempo'.
+    output {
+        traces = [otelcol.exporter.otlp.tempo.input]
+    }
+}
+
+otelcol.exporter.otlp "tempo" {
+    // Define the client for exporting.
+    client {
+        // Authentication block.
+        auth = otelcol.auth.headers.tempo.handler
+
+        // Send to the locally running Tempo instance, on port 4317 (OTLP gRPC).
+        endpoint = json_path(local.file.endpoints.content, ".traces.url")[0]
+
+        // Configure TLS settings for communicating with the endpoint.
+        tls {
+            // The connection is insecure.
+            insecure = json_path(local.file.endpoints.content, ".traces.tls.insecure")[0]
+            // Do not verify TLS certificates when connecting.
+            insecure_skip_verify = json_path(local.file.endpoints.content, ".traces.tls.insecureSkipVerify")[0]
+        }
+    }
+}
+
+otelcol.connector.spanlogs "autologging" {
+    // We only want to output a line for each root span (ie. every single trace), and not for every
+    // process or span (outputting a line for every span would be extremely verbose).
+    spans = false
+    roots = true
+    processes = false
+    // We want to ensure that the following three span attributes are included in the log line, if
+    // present.
+    span_attributes = [ "http.method", "http.target", "http.status_code" ]
+
+    // Overrides the default key in the log line to be `traceId`, which is then used by Grafana to
+    // identify the trace ID for correlation with the Tempo datasource.
+    overrides {
+        trace_id_key = "traceId"
+    }
+    // Send to the OpenTelemetry Loki exporter.
+    output {
+        logs = [otelcol.exporter.loki.autologging.input]
+    }
+}
+
+// Simply forwards the incoming OpenTelemetry log format out as a Loki log.
+// We need this stage to ensure we can then process the logline as a Loki object.
+otelcol.exporter.loki "autologging" {
+    forward_to = [loki.process.autologging.receiver]
+}
+
+// The Loki processor allows us to accept a correctly formatted Loki log and mutate it into
+// a set of fields for output.
+loki.process "autologging" {
+    // The JSON stage simply extracts the `body` (the actual logline) from the Loki log, ignoring
+    // all other fields.
+    stage.json {
+        expressions = { "body" = "" }
+    }
+    // The output stage takes the body (the main logline) and uses this as the source for the output
+    // logline. In this case, it essentially turns it into logfmt.
+    stage.output {
+        source = "body"
+    }
+
+    // Finally send the processed logline onto the Loki exporter.
+    forward_to = [loki.write.autologging.receiver]
+}
+
+// The Loki writer receives a processed Loki log and then writes it to a Loki instance.
+loki.write "autologging" {
+    // Add the `agent` value to the `job` label, so we can identify it as having been generated
+    // by Grafana Agent when querying.
+    external_labels = {
+        job = "agent",
+    }
+
+    // Output the Loki log to the local Loki instance.
+    endpoint {
+        url = json_path(local.file.endpoints.content, ".logs.url")[0]
+
+        // The basic auth credentials for the Loki instance.
+        basic_auth {
+            username = json_path(local.file.endpoints.content, ".logs.basicAuth.username")[0]
+            password = json_path(local.file.endpoints.content, ".logs.basicAuth.password")[0]
+        }
+    }
+}
+
+// The Tail Sampling processor will use a set of policies to determine which received traces to keep
+// and send to Tempo.
+otelcol.processor.tail_sampling "errors" {
+    // Total wait time from the start of a trace before making a sampling decision. Note that smaller time
+    // periods can potentially cause a decision to be made before the end of a trace has occurred.
+    decision_wait = "30s"
+
+    // The following policies follow a logical OR pattern, meaning that if any of the policies match,
+    // the trace will be kept. For logical AND, you can use the `and` policy. Every span of a trace is
+    // examined by each policy in turn. A match will cause a short-circuit.
+
+    // This policy defines that traces that contain errors should be kept.
+    policy {
+        // The name of the policy can be used for logging purposes.
+        name = "sample-erroring-traces"
+        // The type must match the type of policy to be used, in this case examing the status code
+        // of every span in the trace.
+        type = "status_code"
+        // This block determines the error codes that should match in order to keep the trace,
+        // in this case the OpenTelemetry 'ERROR' code.
+        status_code {
+            status_codes = [ "ERROR" ]
+        }
+    }
+
+    // This policy defines that only traces that are longer than 200ms in total should be kept.
+    policy {
+        // The name of the policy can be used for logging purposes.
+        name = "sample-long-traces"
+        // The type must match the policy to be used, in this case the total latency of the trace.
+        type = "latency"
+        // This block determines the total length of the trace in milliseconds.
+        latency {
+            threshold_ms = 200
+        }
+    }
+
+    // The output block forwards the kept traces onto the batch processor, which will marshall them
+    // for exporting to Tempo.
+    output {
+        traces = [otelcol.processor.batch.default.input]
+    }
+}
+
+// The Spanmetrics Connector will generate RED metrics based on the incoming trace span data.
+otelcol.connector.spanmetrics "tracemetrics" {
+    // The namespace explicit adds a prefix to all the generated span metrics names.
+    // In this case, we'll ensure they match as closely as possible those generated by Tempo.
+    namespace = "traces.spanmetrics"
+
+    // Each extra dimension (metrics label) to be added to the generated metrics from matching span attributes. These
+    // need to be defined with a name and optionally a default value (in the following cases, we do not want a default
+    // value if the span attribute is not present).
+    dimension {
+        name = "http.method"
+    }
+    dimension {
+        name = "http.target"
+    }
+    dimension {
+        name = "http.status_code"
+    }
+    dimension {
+        name = "service.version"
+    }
+
+    // A histogram block must be present, either explicitly defining bucket values or via an exponential block.
+    // We do the latter here.
+    histogram {
+        explicit {
+        }
+    }
+
+    // The exemplar block is added to ensure we generate exemplars for traces on relevant metric values.
+    exemplars {
+        enabled = true
+    }
+
+    // Generated metrics data is in OTLP format. We send this data to the OpenTelemetry Prometheus exporter to ensure
+    // it gets transformed into Prometheus format data.
+    output {
+        metrics = [otelcol.exporter.prometheus.tracemetrics.input]
+    }
+}
+
+// The Servicegraph Connector will generate service graph metrics (edges and nodes) based on incoming trace spans.
+otelcol.connector.servicegraph "tracemetrics" {
+    // Extra dimensions (metrics labels) to be added to the generated metrics from matching span attributes.
+    // For this component, this is defined as an array. There are no default values and the labels will not be generated
+    // for missing span attributes.
+    dimensions = [
+        "http.method",
+        "http.target",
+        "http.status_code",
+        "service.version",
+    ]
+
+    // Generated metrics data is in OTLP format. We send this data to the OpenTelemetry Prometheus exporter to ensure
+    // it gets transformed into Prometheus format data.
+    output {
+        metrics = [otelcol.exporter.prometheus.tracemetrics.input]
+    }
+}
+
+otelcol.exporter.prometheus "tracemetrics" {
+    // Forward to our local Prometheus remote writer which will send the metrics to Mimir.
+    forward_to = [prometheus.remote_write.mimir.receiver]
+}
+/////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// Profiling
+/////////////////////////////////////////////////////////////////////////////////////////////////////////////
+
+pyroscope.write "pyroscope" {
+        endpoint {
+                url = json_path(local.file.endpoints.content, ".profiles.url")[0]
+                basic_auth {
+                        username = json_path(local.file.endpoints.content, ".profiles.basicAuth.username")[0]
+                        password = json_path(local.file.endpoints.content, ".profiles.basicAuth.password")[0]
+                }
+        }
+        external_labels = {}
+}
+
+pyroscope.ebpf "rinoadocker" {
+        forward_to = [pyroscope.write.pyroscope.receiver]
+        targets = discovery.docker.rinoadocker.targets
+}
@@ -0,0 +1,34 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+{
+    "metrics": {
+        "url": "http://grafana-mimir:9009/api/v1/push",
+        "basicAuth": {
+            "username": "",
+            "password": ""
+        }
+    },
+    "logs": {
+        "url": "http://grafana-loki:3100/loki/api/v1/push",
+        "basicAuth": {
+            "username": "",
+            "password": ""
+        }
+    },
+    "traces": {
+        "url": "http://grafana-tempo:4317",
+        "basicAuthToken": "",
+        "tls": {
+            "insecure": true,
+            "insecureSkipVerify": true
+        }
+    },
+    "profiles": {
+        "url": "http://grafana-pyroscope:4040",
+        "basicAuth": {
+            "username": "",
+            "password": ""
+        }
+    }
+}
@@ -0,0 +1,7 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+routes:
+  patterns:
+    - /*
+  unmatched: heuristic
@@ -0,0 +1,77 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+multitenancy_enabled: false
+no_auth_tenant: rinoa_mimir
+# target: query-frontend
+# api:
+#   prometheus_http_prefix: '/prometheus'
+server:
+  http_listen_port: 9009
+# frontend:
+#   split_queries_by_interval: 24h
+#   align_queries_with_step: true
+  # cache_results: true
+  # results_cache:
+  #   backend: "memcached"
+  #   memcached:
+  #     addresses: "memcached-mimir:11211"
+#   downstream_url: http://grafana-agent:12345
+
+common:
+  storage:
+    backend: s3
+    s3:
+      endpoint: minio:9000
+      access_key_id: "Q8KAihuXtGgmretKNh7C"
+      secret_access_key: "hOlRODtnvFlNlL26Bj3GizZG6Ys3rlpG8p6Vo3NX"
+      bucket_name: "mimir"
+      insecure: true
+
+blocks_storage:
+  storage_prefix: rinoa
+  tsdb:
+    dir: /tmp/mimir/tsdb
+
+memberlist:
+  tls_enabled: false
+
+compactor:
+  # Directory to temporarily store blocks underdoing compaction.
+  data_dir: /tmp/mimir/compactor
+  # The sharding ring type used to share the hashed ring for the compactor.
+  sharding_ring:
+    # Use memberlist backend store (the default).
+    kvstore:
+      store: memberlist
+
+# The distributor receives incoming metrics data for the system.
+distributor:
+  # The ring to share hash ring data across instances.
+  ring:
+    # The address advertised in the ring. Localhost.
+    instance_addr: 127.0.0.1
+    # Use memberlist backend store (the default).
+    kvstore:
+      store: memberlist
+
+# The ingester receives data from the distributor and processes it into indices and blocks.
+ingester:
+  # The ring to share hash ring data across instances.
+  ring:
+    # The address advertised in the ring. Localhost.
+    instance_addr: 127.0.0.1
+    # Use memberlist backend store (the default).
+    kvstore:
+      store: memberlist
+    # Only run one instance of the ingesters.
+    # Note: It is highly recommended to run more than one ingester in production, the default is an RF of 3.
+    replication_factor: 1
+
+# The store gateway block configures gateway storage.
+store_gateway:
+  # Configuration for the hash ring.
+  sharding_ring:
+    # Only run a single instance. In production setups, the replication factor must
+    # be set on the querier and ruler as well.
+    replication_factor: 1
@@ -0,0 +1,12 @@
+storage:
+  backend: s3
+  s3:
+    bucket_name: pyroscope
+    endpoint: minio:9000
+    region: us-east-fh-pln
+    access_key_id: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MINIO_PYROSCOPE_STORAGE_ACCESS_KEY'] }}
+    secret_access_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MINIO_PYROSCOPE_STORAGE_SECRET_KEY'] }}
+    insecure: true
+
+analytics:
+  reporting_enabled: false
@@ -0,0 +1,787 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+target: all
+http_api_prefix: ""
+autocomplete_filtering_enabled: true
+server:
+    http_listen_network: tcp
+    http_listen_address: ""
+    http_listen_port: 80
+    http_listen_conn_limit: 0
+    grpc_listen_network: tcp
+    grpc_listen_address: ""
+    grpc_listen_port: 9095
+    grpc_listen_conn_limit: 0
+    tls_cipher_suites: ""
+    tls_min_version: ""
+    http_tls_config:
+        cert: ""
+        key: null
+        client_ca: ""
+        cert_file: ""
+        key_file: ""
+        client_auth_type: ""
+        client_ca_file: ""
+    grpc_tls_config:
+        cert: ""
+        key: null
+        client_ca: ""
+        cert_file: ""
+        key_file: ""
+        client_auth_type: ""
+        client_ca_file: ""
+    register_instrumentation: true
+    report_grpc_codes_in_instrumentation_label_enabled: false
+    graceful_shutdown_timeout: 30s
+    http_server_read_timeout: 30s
+    http_server_read_header_timeout: 0s
+    http_server_write_timeout: 30s
+    http_server_idle_timeout: 2m0s
+    http_log_closed_connections_without_response_enabled: false
+    grpc_server_max_recv_msg_size: 16777216
+    grpc_server_max_send_msg_size: 16777216
+    grpc_server_max_concurrent_streams: 100
+    grpc_server_max_connection_idle: 2562047h47m16.854775807s
+    grpc_server_max_connection_age: 2562047h47m16.854775807s
+    grpc_server_max_connection_age_grace: 2562047h47m16.854775807s
+    grpc_server_keepalive_time: 2h0m0s
+    grpc_server_keepalive_timeout: 20s
+    grpc_server_min_time_between_pings: 10s
+    grpc_server_ping_without_stream_allowed: true
+    grpc_server_num_workers: 0
+    log_format: logfmt
+    log_level: info
+    log_source_ips_enabled: false
+    log_source_ips_header: ""
+    log_source_ips_regex: ""
+    log_request_headers: false
+    log_request_at_info_level_enabled: false
+    log_request_exclude_headers_list: ""
+    http_path_prefix: ""
+internal_server:
+    http_listen_network: tcp
+    http_listen_address: ""
+    http_listen_port: 3101
+    http_listen_conn_limit: 0
+    grpc_listen_network: ""
+    grpc_listen_address: ""
+    grpc_listen_port: 0
+    grpc_listen_conn_limit: 0
+    tls_cipher_suites: ""
+    tls_min_version: ""
+    http_tls_config:
+        cert: ""
+        key: null
+        client_ca: ""
+        cert_file: ""
+        key_file: ""
+        client_auth_type: ""
+        client_ca_file: ""
+    grpc_tls_config:
+        cert: ""
+        key: null
+        client_ca: ""
+        cert_file: ""
+        key_file: ""
+        client_auth_type: ""
+        client_ca_file: ""
+    register_instrumentation: false
+    report_grpc_codes_in_instrumentation_label_enabled: false
+    graceful_shutdown_timeout: 30s
+    http_server_read_timeout: 30s
+    http_server_read_header_timeout: 0s
+    http_server_write_timeout: 30s
+    http_server_idle_timeout: 2m0s
+    http_log_closed_connections_without_response_enabled: false
+    grpc_server_max_recv_msg_size: 0
+    grpc_server_max_send_msg_size: 0
+    grpc_server_max_concurrent_streams: 0
+    grpc_server_max_connection_idle: 0s
+    grpc_server_max_connection_age: 0s
+    grpc_server_max_connection_age_grace: 0s
+    grpc_server_keepalive_time: 0s
+    grpc_server_keepalive_timeout: 0s
+    grpc_server_min_time_between_pings: 0s
+    grpc_server_ping_without_stream_allowed: false
+    grpc_server_num_workers: 0
+    log_format: logfmt
+    log_level: info
+    log_source_ips_enabled: false
+    log_source_ips_header: ""
+    log_source_ips_regex: ""
+    log_request_headers: false
+    log_request_at_info_level_enabled: false
+    log_request_exclude_headers_list: ""
+    http_path_prefix: ""
+    enable: false
+distributor:
+    ring:
+        kvstore:
+            store: memberlist
+            prefix: collectors/
+            consul:
+                host: localhost:8500
+                acl_token: ""
+                http_client_timeout: 20s
+                consistent_reads: false
+                watch_rate_limit: 1
+                watch_burst_size: 1
+                cas_retry_delay: 1s
+            etcd:
+                endpoints: []
+                dial_timeout: 10s
+                max_retries: 10
+                tls_enabled: false
+                tls_cert_path: ""
+                tls_key_path: ""
+                tls_ca_path: ""
+                tls_server_name: ""
+                tls_insecure_skip_verify: false
+                tls_cipher_suites: ""
+                tls_min_version: ""
+                username: ""
+                password: ""
+            multi:
+                primary: ""
+                secondary: ""
+                mirror_enabled: false
+                mirror_timeout: 2s
+        heartbeat_period: 5s
+        heartbeat_timeout: 5m0s
+        instance_id: local-instance
+        instance_interface_names:
+            - eth0
+            - en0
+        instance_port: 0
+        instance_addr: ""
+    receivers: {}
+    override_ring_key: distributor
+    forwarders: []
+    extend_writes: true
+    retry_after_on_resource_exhausted: 0s
+ingester_client:
+    pool_config:
+        checkinterval: 15s
+        healthcheckenabled: true
+        healthchecktimeout: 1s
+        maxconcurrenthealthchecks: 0
+    remote_timeout: 5s
+    grpc_client_config:
+        max_recv_msg_size: 104857600
+        max_send_msg_size: 104857600
+        grpc_compression: snappy
+        rate_limit: 0
+        rate_limit_burst: 0
+        backoff_on_ratelimits: false
+        backoff_config:
+            min_period: 100ms
+            max_period: 10s
+            max_retries: 10
+        initial_stream_window_size: 63KiB1023B
+        initial_connection_window_size: 63KiB1023B
+        tls_enabled: false
+        tls_cert_path: ""
+        tls_key_path: ""
+        tls_ca_path: ""
+        tls_server_name: ""
+        tls_insecure_skip_verify: false
+        tls_cipher_suites: ""
+        tls_min_version: ""
+        connect_timeout: 5s
+        connect_backoff_base_delay: 1s
+        connect_backoff_max_delay: 5s
+metrics_generator_client:
+    pool_config:
+        checkinterval: 15s
+        healthcheckenabled: true
+        healthchecktimeout: 1s
+        maxconcurrenthealthchecks: 0
+    remote_timeout: 5s
+    grpc_client_config:
+        max_recv_msg_size: 104857600
+        max_send_msg_size: 104857600
+        grpc_compression: snappy
+        rate_limit: 0
+        rate_limit_burst: 0
+        backoff_on_ratelimits: false
+        backoff_config:
+            min_period: 100ms
+            max_period: 10s
+            max_retries: 10
+        initial_stream_window_size: 63KiB1023B
+        initial_connection_window_size: 63KiB1023B
+        tls_enabled: false
+        tls_cert_path: ""
+        tls_key_path: ""
+        tls_ca_path: ""
+        tls_server_name: ""
+        tls_insecure_skip_verify: false
+        tls_cipher_suites: ""
+        tls_min_version: ""
+        connect_timeout: 5s
+        connect_backoff_base_delay: 1s
+        connect_backoff_max_delay: 5s
+querier:
+    search:
+        query_timeout: 30s
+        prefer_self: 10
+        external_hedge_requests_at: 8s
+        external_hedge_requests_up_to: 2
+        external_backend: ""
+        google_cloud_run: null
+        external_endpoints: []
+    trace_by_id:
+        query_timeout: 10s
+    max_concurrent_queries: 20
+    frontend_worker:
+        frontend_address: 127.0.0.1:9095
+        dns_lookup_duration: 10s
+        parallelism: 2
+        match_max_concurrent: true
+        id: ""
+        grpc_client_config:
+            max_recv_msg_size: 104857600
+            max_send_msg_size: 16777216
+            grpc_compression: gzip
+            rate_limit: 0
+            rate_limit_burst: 0
+            backoff_on_ratelimits: false
+            backoff_config:
+                min_period: 100ms
+                max_period: 1s
+                max_retries: 5
+            initial_stream_window_size: 0B
+            initial_connection_window_size: 0B
+            tls_enabled: false
+            tls_cert_path: ""
+            tls_key_path: ""
+            tls_ca_path: ""
+            tls_server_name: ""
+            tls_insecure_skip_verify: false
+            tls_cipher_suites: ""
+            tls_min_version: ""
+            connect_timeout: 0s
+            connect_backoff_base_delay: 0s
+            connect_backoff_max_delay: 0s
+    query_relevant_ingesters: false
+query_frontend:
+    max_outstanding_per_tenant: 2000
+    querier_forget_delay: 0s
+    max_batch_size: 5
+    max_retries: 2
+    search:
+        concurrent_jobs: 1000
+        target_bytes_per_job: 104857600
+        default_result_limit: 20
+        max_result_limit: 0
+        max_duration: 168h0m0s
+        query_backend_after: 15m0s
+        query_ingesters_until: 30m0s
+    trace_by_id:
+        query_shards: 50
+        hedge_requests_at: 2s
+        hedge_requests_up_to: 2
+    metrics:
+        concurrent_jobs: 1000
+        target_bytes_per_job: 104857600
+        max_duration: 0s
+        query_backend_after: 1h0m0s
+        interval: 5m0s
+    multi_tenant_queries_enabled: true
+compactor:
+    ring:
+        kvstore:
+            store: ""
+            prefix: collectors/
+            consul:
+                host: localhost:8500
+                acl_token: ""
+                http_client_timeout: 20s
+                consistent_reads: false
+                watch_rate_limit: 1
+                watch_burst_size: 1
+                cas_retry_delay: 1s
+            etcd:
+                endpoints: []
+                dial_timeout: 10s
+                max_retries: 10
+                tls_enabled: false
+                tls_cert_path: ""
+                tls_key_path: ""
+                tls_ca_path: ""
+                tls_server_name: ""
+                tls_insecure_skip_verify: false
+                tls_cipher_suites: ""
+                tls_min_version: ""
+                username: ""
+                password: ""
+            multi:
+                primary: ""
+                secondary: ""
+                mirror_enabled: false
+                mirror_timeout: 2s
+        heartbeat_period: 5s
+        heartbeat_timeout: 1m0s
+        wait_stability_min_duration: 1m0s
+        wait_stability_max_duration: 5m0s
+        instance_id: local-instance
+        instance_interface_names:
+            - eth0
+            - en0
+        instance_port: 0
+        instance_addr: ""
+        enable_inet6: false
+        wait_active_instance_timeout: 10m0s
+    compaction:
+        v2_in_buffer_bytes: 5242880
+        v2_out_buffer_bytes: 20971520
+        v2_prefetch_traces_count: 1000
+        compaction_window: 1h0m0s
+        max_compaction_objects: 6000000
+        max_block_bytes: 107374182400
+        block_retention: 336h0m0s
+        compacted_block_retention: 1h0m0s
+        retention_concurrency: 10
+        max_time_per_tenant: 5m0s
+        compaction_cycle: 30s
+    override_ring_key: compactor
+ingester:
+    lifecycler:
+        ring:
+            kvstore:
+                store: inmemory
+                prefix: collectors/
+                consul:
+                    host: localhost:8500
+                    acl_token: ""
+                    http_client_timeout: 20s
+                    consistent_reads: false
+                    watch_rate_limit: 1
+                    watch_burst_size: 1
+                    cas_retry_delay: 1s
+                etcd:
+                    endpoints: []
+                    dial_timeout: 10s
+                    max_retries: 10
+                    tls_enabled: false
+                    tls_cert_path: ""
+                    tls_key_path: ""
+                    tls_ca_path: ""
+                    tls_server_name: ""
+                    tls_insecure_skip_verify: false
+                    tls_cipher_suites: ""
+                    tls_min_version: ""
+                    username: ""
+                    password: ""
+                multi:
+                    primary: ""
+                    secondary: ""
+                    mirror_enabled: false
+                    mirror_timeout: 2s
+            heartbeat_timeout: 5m0s
+            replication_factor: 1
+            zone_awareness_enabled: false
+            excluded_zones: ""
+        num_tokens: 128
+        heartbeat_period: 5s
+        heartbeat_timeout: 1m0s
+        observe_period: 0s
+        join_after: 0s
+        min_ready_duration: 15s
+        interface_names:
+            - en0
+            - bridge100
+        enable_inet6: false
+        final_sleep: 0s
+        tokens_file_path: ""
+        availability_zone: ""
+        unregister_on_shutdown: true
+        readiness_check_ring_health: true
+        address: 127.0.0.1
+        port: 0
+        id: local-instance
+    concurrent_flushes: 4
+    flush_check_period: 10s
+    flush_op_timeout: 5m0s
+    trace_idle_period: 10s
+    max_block_duration: 30m0s
+    max_block_bytes: 524288000
+    complete_block_timeout: 15m0s
+    override_ring_key: ring
+    flush_all_on_shutdown: false
+metrics_generator:
+    ring:
+        kvstore:
+            store: inmemory
+            prefix: collectors/
+            consul:
+                host: localhost:8500
+                acl_token: ""
+                http_client_timeout: 20s
+                consistent_reads: false
+                watch_rate_limit: 1
+                watch_burst_size: 1
+                cas_retry_delay: 1s
+            etcd:
+                endpoints: []
+                dial_timeout: 10s
+                max_retries: 10
+                tls_enabled: false
+                tls_cert_path: ""
+                tls_key_path: ""
+                tls_ca_path: ""
+                tls_server_name: ""
+                tls_insecure_skip_verify: false
+                tls_cipher_suites: ""
+                tls_min_version: ""
+                username: ""
+                password: ""
+            multi:
+                primary: ""
+                secondary: ""
+                mirror_enabled: false
+                mirror_timeout: 2s
+        heartbeat_period: 5s
+        heartbeat_timeout: 1m0s
+        instance_id: local-instance
+        instance_interface_names:
+            - eth0
+            - en0
+        instance_addr: 127.0.0.1
+        instance_port: 0
+        enable_inet6: false
+    processor:
+        service_graphs:
+            wait: 10s
+            max_items: 10000
+            workers: 10
+            histogram_buckets:
+                - 0.1
+                - 0.2
+                - 0.4
+                - 0.8
+                - 1.6
+                - 3.2
+                - 6.4
+                - 12.8
+            dimensions: []
+            enable_client_server_prefix: false
+            peer_attributes:
+                - peer.service
+                - db.name
+                - db.system
+            span_multiplier_key: ""
+        span_metrics:
+            histogram_buckets:
+                - 0.002
+                - 0.004
+                - 0.008
+                - 0.016
+                - 0.032
+                - 0.064
+                - 0.128
+                - 0.256
+                - 0.512
+                - 1.024
+                - 2.048
+                - 4.096
+                - 8.192
+                - 16.384
+            intrinsic_dimensions:
+                service: true
+                span_name: true
+                span_kind: true
+                status_code: true
+            dimensions: []
+            dimension_mappings: []
+            enable_target_info: false
+            span_multiplier_key: ""
+            subprocessors:
+                0: true
+                1: true
+                2: true
+            filter_policies: []
+            target_info_excluded_dimensions: []
+        local_blocks:
+            block:
+                bloom_filter_false_positive: 0.01
+                bloom_filter_shard_size_bytes: 102400
+                version: vParquet3
+                search_encoding: snappy
+                search_page_size_bytes: 1048576
+                v2_index_downsample_bytes: 1048576
+                v2_index_page_size_bytes: 256000
+                v2_encoding: zstd
+                parquet_row_group_size_bytes: 100000000
+                parquet_dedicated_columns: []
+            search:
+                chunk_size_bytes: 1000000
+                prefetch_trace_count: 1000
+                read_buffer_count: 32
+                read_buffer_size_bytes: 1048576
+                cache_control:
+                    footer: false
+                    column_index: false
+                    offset_index: false
+            flush_check_period: 10s
+            trace_idle_period: 10s
+            max_block_duration: 1m0s
+            max_block_bytes: 500000000
+            complete_block_timeout: 1h0m0s
+            max_live_traces: 0
+            concurrent_blocks: 10
+            filter_server_spans: true
+    registry:
+        collection_interval: 15s
+        stale_duration: 15m0s
+        max_label_name_length: 1024
+        max_label_value_length: 2048
+    storage:
+        path: ""
+        wal:
+            wal_segment_size: 134217728
+            wal_compression: none
+            stripe_size: 16384
+            truncate_frequency: 2h0m0s
+            min_wal_time: 300000
+            max_wal_time: 14400000
+            no_lockfile: false
+        remote_write_flush_deadline: 1m0s
+        remote_write_add_org_id_header: true
+    traces_storage:
+        path: ""
+        completedfilepath: ""
+        blocksfilepath: ""
+        v2_encoding: none
+        search_encoding: none
+        ingestion_time_range_slack: 0s
+        version: vParquet3
+    metrics_ingestion_time_range_slack: 30s
+    query_timeout: 30s
+    override_ring_key: metrics-generator
+storage:
+    trace:
+        pool:
+            max_workers: 400
+            queue_depth: 20000
+        wal:
+            path: /tmp/tempo/wal
+            completedfilepath: /tmp/tempo/wal/completed
+            blocksfilepath: /tmp/tempo/wal/blocks
+            v2_encoding: snappy
+            search_encoding: none
+            ingestion_time_range_slack: 2m0s
+            version: vParquet3
+        block:
+            bloom_filter_false_positive: 0.01
+            bloom_filter_shard_size_bytes: 102400
+            version: vParquet3
+            search_encoding: snappy
+            search_page_size_bytes: 1048576
+            v2_index_downsample_bytes: 1048576
+            v2_index_page_size_bytes: 256000
+            v2_encoding: zstd
+            parquet_row_group_size_bytes: 100000000
+            parquet_dedicated_columns: []
+        search:
+            chunk_size_bytes: 1000000
+            prefetch_trace_count: 1000
+            read_buffer_count: 32
+            read_buffer_size_bytes: 1048576
+            cache_control:
+                footer: false
+                column_index: false
+                offset_index: false
+        blocklist_poll: 5m0s
+        blocklist_poll_concurrency: 50
+        blocklist_poll_fallback: true
+        blocklist_poll_tenant_index_builders: 2
+        blocklist_poll_stale_tenant_index: 0s
+        blocklist_poll_jitter_ms: 0
+        blocklist_poll_tolerate_consecutive_errors: 1
+        backend: local
+        local:
+            path: /tmp/tempo/traces
+        gcs:
+            bucket_name: ""
+            prefix: ""
+            chunk_buffer_size: 10485760
+            endpoint: ""
+            hedge_requests_at: 0s
+            hedge_requests_up_to: 2
+            insecure: false
+            object_cache_control: ""
+            object_metadata: {}
+            list_blocks_concurrency: 3
+        s3:
+            tls_cert_path: ""
+            tls_key_path: ""
+            tls_ca_path: ""
+            tls_server_name: ""
+            tls_insecure_skip_verify: false
+            tls_cipher_suites: ""
+            tls_min_version: VersionTLS12
+            bucket: ""
+            prefix: ""
+            endpoint: ""
+            region: ""
+            access_key: ""
+            secret_key: ""
+            session_token: ""
+            insecure: false
+            part_size: 0
+            hedge_requests_at: 0s
+            hedge_requests_up_to: 2
+            signature_v2: false
+            forcepathstyle: false
+            bucket_lookup_type: 0
+            tags: {}
+            storage_class: ""
+            metadata: {}
+            native_aws_auth_enabled: false
+            list_blocks_concurrency: 3
+        azure:
+            storage_account_name: ""
+            storage_account_key: ""
+            use_managed_identity: false
+            use_federated_token: false
+            user_assigned_id: ""
+            container_name: ""
+            prefix: ""
+            endpoint_suffix: blob.core.windows.net
+            max_buffers: 4
+            buffer_size: 3145728
+            hedge_requests_at: 0s
+            hedge_requests_up_to: 2
+            use_v2_sdk: false
+        cache: ""
+        background_cache:
+            writeback_goroutines: 10
+            writeback_buffer: 10000
+        memcached: null
+        redis: null
+        cache_min_compaction_level: 0
+        cache_max_block_age: 0s
+overrides:
+    defaults:
+        ingestion:
+            rate_strategy: local
+            rate_limit_bytes: 15000000
+            burst_size_bytes: 20000000
+            max_traces_per_user: 10000
+        read:
+            max_bytes_per_tag_values_query: 5000000
+        global:
+            max_bytes_per_trace: 5000000
+    per_tenant_override_config: ""
+    per_tenant_override_period: 10s
+    user_configurable_overrides:
+        enabled: false
+        poll_interval: 1m0s
+        client:
+            backend: ""
+            confirm_versioning: true
+            local:
+                path: ""
+            gcs:
+                bucket_name: ""
+                prefix: ""
+                chunk_buffer_size: 10485760
+                endpoint: ""
+                hedge_requests_at: 0s
+                hedge_requests_up_to: 2
+                insecure: false
+                object_cache_control: ""
+                object_metadata: {}
+                list_blocks_concurrency: 3
+            s3:
+                tls_cert_path: ""
+                tls_key_path: ""
+                tls_ca_path: ""
+                tls_server_name: ""
+                tls_insecure_skip_verify: false
+                tls_cipher_suites: ""
+                tls_min_version: VersionTLS12
+                bucket: ""
+                prefix: ""
+                endpoint: ""
+                region: ""
+                access_key: ""
+                secret_key: ""
+                session_token: ""
+                insecure: false
+                part_size: 0
+                hedge_requests_at: 0s
+                hedge_requests_up_to: 2
+                signature_v2: false
+                forcepathstyle: false
+                bucket_lookup_type: 0
+                tags: {}
+                storage_class: ""
+                metadata: {}
+                native_aws_auth_enabled: false
+                list_blocks_concurrency: 3
+            azure:
+                storage_account_name: ""
+                storage_account_key: ""
+                use_managed_identity: false
+                use_federated_token: false
+                user_assigned_id: ""
+                container_name: ""
+                prefix: ""
+                endpoint_suffix: blob.core.windows.net
+                max_buffers: 4
+                buffer_size: 3145728
+                hedge_requests_at: 0s
+                hedge_requests_up_to: 2
+                use_v2_sdk: false
+        api:
+            check_for_conflicting_runtime_overrides: false
+memberlist:
+    node_name: ""
+    randomize_node_name: true
+    stream_timeout: 2s
+    retransmit_factor: 2
+    pull_push_interval: 30s
+    gossip_interval: 1s
+    gossip_nodes: 2
+    gossip_to_dead_nodes_time: 30s
+    dead_node_reclaim_time: 0s
+    compression_enabled: false
+    advertise_addr: ""
+    advertise_port: 7946
+    cluster_label: ""
+    cluster_label_verification_disabled: false
+    join_members: []
+    min_join_backoff: 1s
+    max_join_backoff: 1m0s
+    max_join_retries: 10
+    abort_if_cluster_join_fails: false
+    rejoin_interval: 0s
+    left_ingesters_timeout: 5m0s
+    leave_timeout: 20s
+    message_history_buffer_bytes: 0
+    bind_addr: []
+    bind_port: 7946
+    packet_dial_timeout: 2s
+    packet_write_timeout: 5s
+    tls_enabled: false
+    tls_cert_path: ""
+    tls_key_path: ""
+    tls_ca_path: ""
+    tls_server_name: ""
+    tls_insecure_skip_verify: false
+    tls_cipher_suites: ""
+    tls_min_version: ""
+usage_report:
+    reporting_enabled: true
+    backoff:
+        min_period: 100ms
+        max_period: 10s
+        max_retries: 0
+cache:
+    background:
+        writeback_goroutines: 10
+        writeback_buffer: 10000
+    caches: []
@@ -0,0 +1,54 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+
+server:
+  http_listen_port: 3200
+
+distributor:
+  receivers:                           # this configuration will listen on all ports and protocols that tempo is capable of.
+    jaeger:                            # the receives all come from the OpenTelemetry collector.  more configuration information can
+      protocols:                       # be found there: https://github.com/open-telemetry/opentelemetry-collector/tree/main/receiver
+        thrift_http:                   #
+        grpc:                          # for a production deployment you should only enable the receivers you need!
+        thrift_binary:
+        thrift_compact:
+    zipkin:
+    otlp:
+      protocols:
+        http:
+        grpc:
+    opencensus:
+
+ingester:
+  max_block_duration: 5m               # cut the headblock when this much time passes. this is being set for demo purposes and should probably be left alone normally
+
+compactor:
+  compaction:
+    block_retention: 1h                # overall Tempo trace retention. set for demo purposes
+
+# metrics_generator:
+#   registry:
+#     external_labels:
+#       source: tempo
+#       cluster: docker-compose
+#   storage:
+#     path: /tmp/tempo/generator/wal
+#     remote_write:
+#       - url: http://grafana-alloy:12345/api/v1/write
+#         send_exemplars: true
+
+storage:
+  trace:
+    backend: s3                        # backend configuration to use
+    wal:
+      path: /tmp/tempo/wal             # where to store the the wal locally
+    s3:
+      bucket: tempo                    # how to store data in s3
+      endpoint: minio:9000
+      access_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MINIO_TEMPO_STORAGE_ACCESS_KEY'] }}
+      secret_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MINIO_TEMPO_STORAGE_SECRET_KEY'] }}
+      insecure: true
+
+usage_report:
+  reporting_enabled: false
@@ -0,0 +1,404 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+/////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// Agent globals
+/////////////////////////////////////////////////////////////////////////////////////////////////////////////
+local.file "endpoints" {
+    // The endpoints file is used to define the endpoints, credentials and options
+    // for the Agent export to.
+    filename = "/etc/alloy/endpoints.json"
+}
+
+discovery.docker "rinoadocker" {
+        host = env("DOCKER_HOST")
+}
+
+tracing {
+    write_to = [otelcol.exporter.otlp.tempo.input]
+}
+/////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// Metrics
+/////////////////////////////////////////////////////////////////////////////////////////////////////////////
+prometheus.remote_write "mimir" {
+  endpoint {
+    url = json_path(local.file.endpoints.content, ".metrics.url")[0]
+    basic_auth {
+        username = json_path(local.file.endpoints.content, ".metrics.basicAuth.username")[0]
+        password = json_path(local.file.endpoints.content, ".metrics.basicAuth.password")[0]
+    }
+  }
+}
+
+prometheus.scrape "prometheus" {
+        targets = [{
+                __address__ = "localhost:12345",
+        }]
+        forward_to = [prometheus.remote_write.mimir.receiver]
+        job_name   = "prometheus"
+}
+
+prometheus.exporter.unix "rinoa" {
+        procfs_path = "/host/proc"
+        sysfs_path  = "/host/sys"
+        rootfs_path = "/rootfs"
+}
+
+prometheus.scrape "rinoa" {
+        targets    = prometheus.exporter.unix.rinoa.targets
+        forward_to = [prometheus.remote_write.mimir.receiver]
+        job_name   = "rinoa_host"
+}
+
+prometheus.exporter.cadvisor "docker" {
+        docker_host      = env("DOCKER_HOST")
+        storage_duration = "5m"
+}
+
+prometheus.scrape "docker" {
+        targets    = prometheus.exporter.cadvisor.docker.targets
+        forward_to = [prometheus.remote_write.mimir.receiver]
+        job_name   = "docker_stats"
+}
+/////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// Logging
+/////////////////////////////////////////////////////////////////////////////////////////////////////////////
+loki.write "loki" {
+        endpoint {
+                url = json_path(local.file.endpoints.content, ".logs.url")[0]
+                basic_auth {
+                        username = json_path(local.file.endpoints.content, ".logs.basicAuth.username")[0]
+                        password = json_path(local.file.endpoints.content, ".logs.basicAuth.password")[0]
+                }
+        }
+        external_labels = {}
+}
+
+loki.source.journal "hostjournal" {
+        forward_to = [loki.write.loki.receiver]
+        max_age = "24h"
+        path = "/rootfs/var/log/journal/"
+        labels = {
+                job = "host-journal",
+        }
+}
+
+local.file_match "system" {
+        path_targets = [{
+                __address__ = "localhost",
+                __path__    = "/rootfs/var/log/*log",
+                job         = "varlogs",
+        }]
+}
+
+loki.source.file "system" {
+        targets    = local.file_match.system.targets
+        forward_to = [loki.write.loki.receiver]
+}
+
+loki.source.docker "containers" {
+        host       = env("DOCKER_HOST")
+        targets    = discovery.docker.rinoadocker.targets
+        forward_to = [loki.write.loki.receiver]
+        labels     = {
+                job = "containerlogs",
+        }
+}
+
+loki.process "containers" {
+        forward_to = [loki.write.loki.receiver]
+        // stage.docker {}
+        stage.json {
+		expressions = {
+			attrs  = "",
+			output = "log",
+			stream = "stream",
+		}
+	}
+
+	stage.json {
+		expressions = {
+			tag = "",
+		}
+		source = "attrs"
+	}
+
+	stage.regex {
+		expression = "(?P<image_name>(?:[^|]*[^|])).(?P<container_name>(?:[^|]*[^|])).(?P<image_id>(?:[^|]*[^|])).(?P<container_id>(?:[^|]*[^|]))"
+		source     = "tag"
+	}
+
+	stage.timestamp {
+		source = "time"
+		format = "RFC3339Nano"
+	}
+
+	stage.labels {
+		values = {
+			container_id   = null,
+			container_name = null,
+			image_id       = null,
+			image_name     = null,
+			stream         = null,
+			tag            = null,
+		}
+	}
+
+	stage.output {
+		source = "output"
+	}
+}
+
+/////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// Traces
+/////////////////////////////////////////////////////////////////////////////////////////////////////////////
+beyla.ebpf "rinoadocker" {
+    open_port = "80-65535"
+    routes {
+        unmatched = "heauristic"
+    }
+    output {
+        traces = [
+            otelcol.connector.servicegraph.tracemetrics.input,
+            otelcol.connector.spanmetrics.tracemetrics.input,
+            otelcol.processor.batch.default.input,
+            otelcol.connector.spanlogs.autologging.input,
+        ]
+    }
+}
+
+prometheus.scrape "beyla" { 
+    targets = beyla.ebpf.rinoadocker.targets
+    forward_to = [prometheus.remote_write.mimir.receiver]
+}
+
+otelcol.auth.headers "tempo" {
+    header {
+        key = "Authorization"
+        value = join(["Basic ", json_path(local.file.endpoints.content, ".traces.basicAuthToken")[0]], "")
+    }
+}
+
+otelcol.processor.batch "default" {
+    // Wait until we've received 16K of data.
+    send_batch_size = 16384
+    send_batch_max_size = 16384
+    // Or until 2 seconds have elapsed.
+    timeout = "2s"
+    // When the Agent has enough batched data, send it to the OpenTelemetry exporter named 'tempo'.
+    output {
+        traces = [otelcol.exporter.otlp.tempo.input]
+    }
+}
+
+otelcol.exporter.otlp "tempo" {
+    // Define the client for exporting.
+    client {
+        // Authentication block.
+        auth = otelcol.auth.headers.tempo.handler
+
+        // Send to the locally running Tempo instance, on port 4317 (OTLP gRPC).
+        endpoint = json_path(local.file.endpoints.content, ".traces.url")[0]
+
+        // Configure TLS settings for communicating with the endpoint.
+        tls {
+            // The connection is insecure.
+            insecure = json_path(local.file.endpoints.content, ".traces.tls.insecure")[0]
+            // Do not verify TLS certificates when connecting.
+            insecure_skip_verify = json_path(local.file.endpoints.content, ".traces.tls.insecureSkipVerify")[0]
+        }
+    }
+}
+
+otelcol.connector.spanlogs "autologging" {
+    // We only want to output a line for each root span (ie. every single trace), and not for every
+    // process or span (outputting a line for every span would be extremely verbose).
+    spans = false
+    roots = true
+    processes = false
+    // We want to ensure that the following three span attributes are included in the log line, if
+    // present.
+    span_attributes = [ "http.method", "http.target", "http.status_code" ]
+
+    // Overrides the default key in the log line to be `traceId`, which is then used by Grafana to
+    // identify the trace ID for correlation with the Tempo datasource.
+    overrides {
+        trace_id_key = "traceId"
+    }
+    // Send to the OpenTelemetry Loki exporter.
+    output {
+        logs = [otelcol.exporter.loki.autologging.input]
+    }
+}
+
+// Simply forwards the incoming OpenTelemetry log format out as a Loki log.
+// We need this stage to ensure we can then process the logline as a Loki object.
+otelcol.exporter.loki "autologging" {
+    forward_to = [loki.process.autologging.receiver]
+}
+
+// The Loki processor allows us to accept a correctly formatted Loki log and mutate it into
+// a set of fields for output.
+loki.process "autologging" {
+    // The JSON stage simply extracts the `body` (the actual logline) from the Loki log, ignoring
+    // all other fields.
+    stage.json {
+        expressions = { "body" = "" }
+    }
+    // The output stage takes the body (the main logline) and uses this as the source for the output
+    // logline. In this case, it essentially turns it into logfmt.
+    stage.output {
+        source = "body"
+    }
+
+    // Finally send the processed logline onto the Loki exporter.
+    forward_to = [loki.write.autologging.receiver]
+}
+
+// The Loki writer receives a processed Loki log and then writes it to a Loki instance.
+loki.write "autologging" {
+    // Add the `agent` value to the `job` label, so we can identify it as having been generated
+    // by Grafana Agent when querying.
+    external_labels = {
+        job = "agent",
+    }
+
+    // Output the Loki log to the local Loki instance.
+    endpoint {
+        url = json_path(local.file.endpoints.content, ".logs.url")[0]
+
+        // The basic auth credentials for the Loki instance.
+        basic_auth {
+            username = json_path(local.file.endpoints.content, ".logs.basicAuth.username")[0]
+            password = json_path(local.file.endpoints.content, ".logs.basicAuth.password")[0]
+        }
+    }
+}
+
+// The Tail Sampling processor will use a set of policies to determine which received traces to keep
+// and send to Tempo.
+otelcol.processor.tail_sampling "errors" {
+    // Total wait time from the start of a trace before making a sampling decision. Note that smaller time
+    // periods can potentially cause a decision to be made before the end of a trace has occurred.
+    decision_wait = "30s"
+
+    // The following policies follow a logical OR pattern, meaning that if any of the policies match,
+    // the trace will be kept. For logical AND, you can use the `and` policy. Every span of a trace is
+    // examined by each policy in turn. A match will cause a short-circuit.
+
+    // This policy defines that traces that contain errors should be kept.
+    policy {
+        // The name of the policy can be used for logging purposes.
+        name = "sample-erroring-traces"
+        // The type must match the type of policy to be used, in this case examing the status code
+        // of every span in the trace.
+        type = "status_code"
+        // This block determines the error codes that should match in order to keep the trace,
+        // in this case the OpenTelemetry 'ERROR' code.
+        status_code {
+            status_codes = [ "ERROR" ]
+        }
+    }
+
+    // This policy defines that only traces that are longer than 200ms in total should be kept.
+    policy {
+        // The name of the policy can be used for logging purposes.
+        name = "sample-long-traces"
+        // The type must match the policy to be used, in this case the total latency of the trace.
+        type = "latency"
+        // This block determines the total length of the trace in milliseconds.
+        latency {
+            threshold_ms = 200
+        }
+    }
+
+    // The output block forwards the kept traces onto the batch processor, which will marshall them
+    // for exporting to Tempo.
+    output {
+        traces = [otelcol.processor.batch.default.input]
+    }
+}
+
+// The Spanmetrics Connector will generate RED metrics based on the incoming trace span data.
+otelcol.connector.spanmetrics "tracemetrics" {
+    // The namespace explicit adds a prefix to all the generated span metrics names.
+    // In this case, we'll ensure they match as closely as possible those generated by Tempo.
+    namespace = "traces.spanmetrics"
+
+    // Each extra dimension (metrics label) to be added to the generated metrics from matching span attributes. These
+    // need to be defined with a name and optionally a default value (in the following cases, we do not want a default
+    // value if the span attribute is not present).
+    dimension {
+        name = "http.method"
+    }
+    dimension {
+        name = "http.target"
+    }
+    dimension {
+        name = "http.status_code"
+    }
+    dimension {
+        name = "service.version"
+    }
+
+    // A histogram block must be present, either explicitly defining bucket values or via an exponential block.
+    // We do the latter here.
+    histogram {
+        explicit {
+        }
+    }
+
+    // The exemplar block is added to ensure we generate exemplars for traces on relevant metric values.
+    exemplars {
+        enabled = true
+    }
+
+    // Generated metrics data is in OTLP format. We send this data to the OpenTelemetry Prometheus exporter to ensure
+    // it gets transformed into Prometheus format data.
+    output {
+        metrics = [otelcol.exporter.prometheus.tracemetrics.input]
+    }
+}
+
+// The Servicegraph Connector will generate service graph metrics (edges and nodes) based on incoming trace spans.
+otelcol.connector.servicegraph "tracemetrics" {
+    // Extra dimensions (metrics labels) to be added to the generated metrics from matching span attributes.
+    // For this component, this is defined as an array. There are no default values and the labels will not be generated
+    // for missing span attributes.
+    dimensions = [
+        "http.method",
+        "http.target",
+        "http.status_code",
+        "service.version",
+    ]
+
+    // Generated metrics data is in OTLP format. We send this data to the OpenTelemetry Prometheus exporter to ensure
+    // it gets transformed into Prometheus format data.
+    output {
+        metrics = [otelcol.exporter.prometheus.tracemetrics.input]
+    }
+}
+
+otelcol.exporter.prometheus "tracemetrics" {
+    // Forward to our local Prometheus remote writer which will send the metrics to Mimir.
+    forward_to = [prometheus.remote_write.mimir.receiver]
+}
+/////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// Profiling
+/////////////////////////////////////////////////////////////////////////////////////////////////////////////
+
+pyroscope.write "pyroscope" {
+        endpoint {
+                url = json_path(local.file.endpoints.content, ".profiles.url")[0]
+                basic_auth {
+                        username = json_path(local.file.endpoints.content, ".profiles.basicAuth.username")[0]
+                        password = json_path(local.file.endpoints.content, ".profiles.basicAuth.password")[0]
+                }
+        }
+        external_labels = {}
+}
+
+pyroscope.ebpf "rinoadocker" {
+        forward_to = [pyroscope.write.pyroscope.receiver]
+        targets = discovery.docker.rinoadocker.targets
+}
@@ -0,0 +1,34 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+{
+    "metrics": {
+        "url": "http://grafana-mimir:9009/api/v1/push",
+        "basicAuth": {
+            "username": "",
+            "password": ""
+        }
+    },
+    "logs": {
+        "url": "http://grafana-loki:3100/loki/api/v1/push",
+        "basicAuth": {
+            "username": "",
+            "password": ""
+        }
+    },
+    "traces": {
+        "url": "http://grafana-tempo:4317",
+        "basicAuthToken": "",
+        "tls": {
+            "insecure": true,
+            "insecureSkipVerify": true
+        }
+    },
+    "profiles": {
+        "url": "http://grafana-pyroscope:4040",
+        "basicAuth": {
+            "username": "",
+            "password": ""
+        }
+    }
+}
@@ -0,0 +1,7 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+routes:
+  patterns:
+    - /*
+  unmatched: heuristic
@@ -0,0 +1,77 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+multitenancy_enabled: false
+no_auth_tenant: rinoa_mimir
+# target: query-frontend
+# api:
+#   prometheus_http_prefix: '/prometheus'
+server:
+  http_listen_port: 9009
+# frontend:
+#   split_queries_by_interval: 24h
+#   align_queries_with_step: true
+  # cache_results: true
+  # results_cache:
+  #   backend: "memcached"
+  #   memcached:
+  #     addresses: "memcached-mimir:11211"
+#   downstream_url: http://grafana-agent:12345
+
+common:
+  storage:
+    backend: s3
+    s3:
+      endpoint: minio:9000
+      access_key_id: "Q8KAihuXtGgmretKNh7C"
+      secret_access_key: "hOlRODtnvFlNlL26Bj3GizZG6Ys3rlpG8p6Vo3NX"
+      bucket_name: "mimir"
+      insecure: true
+
+blocks_storage:
+  storage_prefix: rinoa
+  tsdb:
+    dir: /tmp/mimir/tsdb
+
+memberlist:
+  tls_enabled: false
+
+compactor:
+  # Directory to temporarily store blocks underdoing compaction.
+  data_dir: /tmp/mimir/compactor
+  # The sharding ring type used to share the hashed ring for the compactor.
+  sharding_ring:
+    # Use memberlist backend store (the default).
+    kvstore:
+      store: memberlist
+
+# The distributor receives incoming metrics data for the system.
+distributor:
+  # The ring to share hash ring data across instances.
+  ring:
+    # The address advertised in the ring. Localhost.
+    instance_addr: 127.0.0.1
+    # Use memberlist backend store (the default).
+    kvstore:
+      store: memberlist
+
+# The ingester receives data from the distributor and processes it into indices and blocks.
+ingester:
+  # The ring to share hash ring data across instances.
+  ring:
+    # The address advertised in the ring. Localhost.
+    instance_addr: 127.0.0.1
+    # Use memberlist backend store (the default).
+    kvstore:
+      store: memberlist
+    # Only run one instance of the ingesters.
+    # Note: It is highly recommended to run more than one ingester in production, the default is an RF of 3.
+    replication_factor: 1
+
+# The store gateway block configures gateway storage.
+store_gateway:
+  # Configuration for the hash ring.
+  sharding_ring:
+    # Only run a single instance. In production setups, the replication factor must
+    # be set on the querier and ruler as well.
+    replication_factor: 1
@@ -0,0 +1,12 @@
+storage:
+  backend: s3
+  s3:
+    bucket_name: pyroscope
+    endpoint: minio:9000
+    region: us-east-fh-pln
+    access_key_id: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MINIO_PYROSCOPE_STORAGE_ACCESS_KEY'] }}
+    secret_access_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MINIO_PYROSCOPE_STORAGE_SECRET_KEY'] }}
+    insecure: true
+
+analytics:
+  reporting_enabled: false
@@ -0,0 +1,787 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+target: all
+http_api_prefix: ""
+autocomplete_filtering_enabled: true
+server:
+    http_listen_network: tcp
+    http_listen_address: ""
+    http_listen_port: 80
+    http_listen_conn_limit: 0
+    grpc_listen_network: tcp
+    grpc_listen_address: ""
+    grpc_listen_port: 9095
+    grpc_listen_conn_limit: 0
+    tls_cipher_suites: ""
+    tls_min_version: ""
+    http_tls_config:
+        cert: ""
+        key: null
+        client_ca: ""
+        cert_file: ""
+        key_file: ""
+        client_auth_type: ""
+        client_ca_file: ""
+    grpc_tls_config:
+        cert: ""
+        key: null
+        client_ca: ""
+        cert_file: ""
+        key_file: ""
+        client_auth_type: ""
+        client_ca_file: ""
+    register_instrumentation: true
+    report_grpc_codes_in_instrumentation_label_enabled: false
+    graceful_shutdown_timeout: 30s
+    http_server_read_timeout: 30s
+    http_server_read_header_timeout: 0s
+    http_server_write_timeout: 30s
+    http_server_idle_timeout: 2m0s
+    http_log_closed_connections_without_response_enabled: false
+    grpc_server_max_recv_msg_size: 16777216
+    grpc_server_max_send_msg_size: 16777216
+    grpc_server_max_concurrent_streams: 100
+    grpc_server_max_connection_idle: 2562047h47m16.854775807s
+    grpc_server_max_connection_age: 2562047h47m16.854775807s
+    grpc_server_max_connection_age_grace: 2562047h47m16.854775807s
+    grpc_server_keepalive_time: 2h0m0s
+    grpc_server_keepalive_timeout: 20s
+    grpc_server_min_time_between_pings: 10s
+    grpc_server_ping_without_stream_allowed: true
+    grpc_server_num_workers: 0
+    log_format: logfmt
+    log_level: info
+    log_source_ips_enabled: false
+    log_source_ips_header: ""
+    log_source_ips_regex: ""
+    log_request_headers: false
+    log_request_at_info_level_enabled: false
+    log_request_exclude_headers_list: ""
+    http_path_prefix: ""
+internal_server:
+    http_listen_network: tcp
+    http_listen_address: ""
+    http_listen_port: 3101
+    http_listen_conn_limit: 0
+    grpc_listen_network: ""
+    grpc_listen_address: ""
+    grpc_listen_port: 0
+    grpc_listen_conn_limit: 0
+    tls_cipher_suites: ""
+    tls_min_version: ""
+    http_tls_config:
+        cert: ""
+        key: null
+        client_ca: ""
+        cert_file: ""
+        key_file: ""
+        client_auth_type: ""
+        client_ca_file: ""
+    grpc_tls_config:
+        cert: ""
+        key: null
+        client_ca: ""
+        cert_file: ""
+        key_file: ""
+        client_auth_type: ""
+        client_ca_file: ""
+    register_instrumentation: false
+    report_grpc_codes_in_instrumentation_label_enabled: false
+    graceful_shutdown_timeout: 30s
+    http_server_read_timeout: 30s
+    http_server_read_header_timeout: 0s
+    http_server_write_timeout: 30s
+    http_server_idle_timeout: 2m0s
+    http_log_closed_connections_without_response_enabled: false
+    grpc_server_max_recv_msg_size: 0
+    grpc_server_max_send_msg_size: 0
+    grpc_server_max_concurrent_streams: 0
+    grpc_server_max_connection_idle: 0s
+    grpc_server_max_connection_age: 0s
+    grpc_server_max_connection_age_grace: 0s
+    grpc_server_keepalive_time: 0s
+    grpc_server_keepalive_timeout: 0s
+    grpc_server_min_time_between_pings: 0s
+    grpc_server_ping_without_stream_allowed: false
+    grpc_server_num_workers: 0
+    log_format: logfmt
+    log_level: info
+    log_source_ips_enabled: false
+    log_source_ips_header: ""
+    log_source_ips_regex: ""
+    log_request_headers: false
+    log_request_at_info_level_enabled: false
+    log_request_exclude_headers_list: ""
+    http_path_prefix: ""
+    enable: false
+distributor:
+    ring:
+        kvstore:
+            store: memberlist
+            prefix: collectors/
+            consul:
+                host: localhost:8500
+                acl_token: ""
+                http_client_timeout: 20s
+                consistent_reads: false
+                watch_rate_limit: 1
+                watch_burst_size: 1
+                cas_retry_delay: 1s
+            etcd:
+                endpoints: []
+                dial_timeout: 10s
+                max_retries: 10
+                tls_enabled: false
+                tls_cert_path: ""
+                tls_key_path: ""
+                tls_ca_path: ""
+                tls_server_name: ""
+                tls_insecure_skip_verify: false
+                tls_cipher_suites: ""
+                tls_min_version: ""
+                username: ""
+                password: ""
+            multi:
+                primary: ""
+                secondary: ""
+                mirror_enabled: false
+                mirror_timeout: 2s
+        heartbeat_period: 5s
+        heartbeat_timeout: 5m0s
+        instance_id: local-instance
+        instance_interface_names:
+            - eth0
+            - en0
+        instance_port: 0
+        instance_addr: ""
+    receivers: {}
+    override_ring_key: distributor
+    forwarders: []
+    extend_writes: true
+    retry_after_on_resource_exhausted: 0s
+ingester_client:
+    pool_config:
+        checkinterval: 15s
+        healthcheckenabled: true
+        healthchecktimeout: 1s
+        maxconcurrenthealthchecks: 0
+    remote_timeout: 5s
+    grpc_client_config:
+        max_recv_msg_size: 104857600
+        max_send_msg_size: 104857600
+        grpc_compression: snappy
+        rate_limit: 0
+        rate_limit_burst: 0
+        backoff_on_ratelimits: false
+        backoff_config:
+            min_period: 100ms
+            max_period: 10s
+            max_retries: 10
+        initial_stream_window_size: 63KiB1023B
+        initial_connection_window_size: 63KiB1023B
+        tls_enabled: false
+        tls_cert_path: ""
+        tls_key_path: ""
+        tls_ca_path: ""
+        tls_server_name: ""
+        tls_insecure_skip_verify: false
+        tls_cipher_suites: ""
+        tls_min_version: ""
+        connect_timeout: 5s
+        connect_backoff_base_delay: 1s
+        connect_backoff_max_delay: 5s
+metrics_generator_client:
+    pool_config:
+        checkinterval: 15s
+        healthcheckenabled: true
+        healthchecktimeout: 1s
+        maxconcurrenthealthchecks: 0
+    remote_timeout: 5s
+    grpc_client_config:
+        max_recv_msg_size: 104857600
+        max_send_msg_size: 104857600
+        grpc_compression: snappy
+        rate_limit: 0
+        rate_limit_burst: 0
+        backoff_on_ratelimits: false
+        backoff_config:
+            min_period: 100ms
+            max_period: 10s
+            max_retries: 10
+        initial_stream_window_size: 63KiB1023B
+        initial_connection_window_size: 63KiB1023B
+        tls_enabled: false
+        tls_cert_path: ""
+        tls_key_path: ""
+        tls_ca_path: ""
+        tls_server_name: ""
+        tls_insecure_skip_verify: false
+        tls_cipher_suites: ""
+        tls_min_version: ""
+        connect_timeout: 5s
+        connect_backoff_base_delay: 1s
+        connect_backoff_max_delay: 5s
+querier:
+    search:
+        query_timeout: 30s
+        prefer_self: 10
+        external_hedge_requests_at: 8s
+        external_hedge_requests_up_to: 2
+        external_backend: ""
+        google_cloud_run: null
+        external_endpoints: []
+    trace_by_id:
+        query_timeout: 10s
+    max_concurrent_queries: 20
+    frontend_worker:
+        frontend_address: 127.0.0.1:9095
+        dns_lookup_duration: 10s
+        parallelism: 2
+        match_max_concurrent: true
+        id: ""
+        grpc_client_config:
+            max_recv_msg_size: 104857600
+            max_send_msg_size: 16777216
+            grpc_compression: gzip
+            rate_limit: 0
+            rate_limit_burst: 0
+            backoff_on_ratelimits: false
+            backoff_config:
+                min_period: 100ms
+                max_period: 1s
+                max_retries: 5
+            initial_stream_window_size: 0B
+            initial_connection_window_size: 0B
+            tls_enabled: false
+            tls_cert_path: ""
+            tls_key_path: ""
+            tls_ca_path: ""
+            tls_server_name: ""
+            tls_insecure_skip_verify: false
+            tls_cipher_suites: ""
+            tls_min_version: ""
+            connect_timeout: 0s
+            connect_backoff_base_delay: 0s
+            connect_backoff_max_delay: 0s
+    query_relevant_ingesters: false
+query_frontend:
+    max_outstanding_per_tenant: 2000
+    querier_forget_delay: 0s
+    max_batch_size: 5
+    max_retries: 2
+    search:
+        concurrent_jobs: 1000
+        target_bytes_per_job: 104857600
+        default_result_limit: 20
+        max_result_limit: 0
+        max_duration: 168h0m0s
+        query_backend_after: 15m0s
+        query_ingesters_until: 30m0s
+    trace_by_id:
+        query_shards: 50
+        hedge_requests_at: 2s
+        hedge_requests_up_to: 2
+    metrics:
+        concurrent_jobs: 1000
+        target_bytes_per_job: 104857600
+        max_duration: 0s
+        query_backend_after: 1h0m0s
+        interval: 5m0s
+    multi_tenant_queries_enabled: true
+compactor:
+    ring:
+        kvstore:
+            store: ""
+            prefix: collectors/
+            consul:
+                host: localhost:8500
+                acl_token: ""
+                http_client_timeout: 20s
+                consistent_reads: false
+                watch_rate_limit: 1
+                watch_burst_size: 1
+                cas_retry_delay: 1s
+            etcd:
+                endpoints: []
+                dial_timeout: 10s
+                max_retries: 10
+                tls_enabled: false
+                tls_cert_path: ""
+                tls_key_path: ""
+                tls_ca_path: ""
+                tls_server_name: ""
+                tls_insecure_skip_verify: false
+                tls_cipher_suites: ""
+                tls_min_version: ""
+                username: ""
+                password: ""
+            multi:
+                primary: ""
+                secondary: ""
+                mirror_enabled: false
+                mirror_timeout: 2s
+        heartbeat_period: 5s
+        heartbeat_timeout: 1m0s
+        wait_stability_min_duration: 1m0s
+        wait_stability_max_duration: 5m0s
+        instance_id: local-instance
+        instance_interface_names:
+            - eth0
+            - en0
+        instance_port: 0
+        instance_addr: ""
+        enable_inet6: false
+        wait_active_instance_timeout: 10m0s
+    compaction:
+        v2_in_buffer_bytes: 5242880
+        v2_out_buffer_bytes: 20971520
+        v2_prefetch_traces_count: 1000
+        compaction_window: 1h0m0s
+        max_compaction_objects: 6000000
+        max_block_bytes: 107374182400
+        block_retention: 336h0m0s
+        compacted_block_retention: 1h0m0s
+        retention_concurrency: 10
+        max_time_per_tenant: 5m0s
+        compaction_cycle: 30s
+    override_ring_key: compactor
+ingester:
+    lifecycler:
+        ring:
+            kvstore:
+                store: inmemory
+                prefix: collectors/
+                consul:
+                    host: localhost:8500
+                    acl_token: ""
+                    http_client_timeout: 20s
+                    consistent_reads: false
+                    watch_rate_limit: 1
+                    watch_burst_size: 1
+                    cas_retry_delay: 1s
+                etcd:
+                    endpoints: []
+                    dial_timeout: 10s
+                    max_retries: 10
+                    tls_enabled: false
+                    tls_cert_path: ""
+                    tls_key_path: ""
+                    tls_ca_path: ""
+                    tls_server_name: ""
+                    tls_insecure_skip_verify: false
+                    tls_cipher_suites: ""
+                    tls_min_version: ""
+                    username: ""
+                    password: ""
+                multi:
+                    primary: ""
+                    secondary: ""
+                    mirror_enabled: false
+                    mirror_timeout: 2s
+            heartbeat_timeout: 5m0s
+            replication_factor: 1
+            zone_awareness_enabled: false
+            excluded_zones: ""
+        num_tokens: 128
+        heartbeat_period: 5s
+        heartbeat_timeout: 1m0s
+        observe_period: 0s
+        join_after: 0s
+        min_ready_duration: 15s
+        interface_names:
+            - en0
+            - bridge100
+        enable_inet6: false
+        final_sleep: 0s
+        tokens_file_path: ""
+        availability_zone: ""
+        unregister_on_shutdown: true
+        readiness_check_ring_health: true
+        address: 127.0.0.1
+        port: 0
+        id: local-instance
+    concurrent_flushes: 4
+    flush_check_period: 10s
+    flush_op_timeout: 5m0s
+    trace_idle_period: 10s
+    max_block_duration: 30m0s
+    max_block_bytes: 524288000
+    complete_block_timeout: 15m0s
+    override_ring_key: ring
+    flush_all_on_shutdown: false
+metrics_generator:
+    ring:
+        kvstore:
+            store: inmemory
+            prefix: collectors/
+            consul:
+                host: localhost:8500
+                acl_token: ""
+                http_client_timeout: 20s
+                consistent_reads: false
+                watch_rate_limit: 1
+                watch_burst_size: 1
+                cas_retry_delay: 1s
+            etcd:
+                endpoints: []
+                dial_timeout: 10s
+                max_retries: 10
+                tls_enabled: false
+                tls_cert_path: ""
+                tls_key_path: ""
+                tls_ca_path: ""
+                tls_server_name: ""
+                tls_insecure_skip_verify: false
+                tls_cipher_suites: ""
+                tls_min_version: ""
+                username: ""
+                password: ""
+            multi:
+                primary: ""
+                secondary: ""
+                mirror_enabled: false
+                mirror_timeout: 2s
+        heartbeat_period: 5s
+        heartbeat_timeout: 1m0s
+        instance_id: local-instance
+        instance_interface_names:
+            - eth0
+            - en0
+        instance_addr: 127.0.0.1
+        instance_port: 0
+        enable_inet6: false
+    processor:
+        service_graphs:
+            wait: 10s
+            max_items: 10000
+            workers: 10
+            histogram_buckets:
+                - 0.1
+                - 0.2
+                - 0.4
+                - 0.8
+                - 1.6
+                - 3.2
+                - 6.4
+                - 12.8
+            dimensions: []
+            enable_client_server_prefix: false
+            peer_attributes:
+                - peer.service
+                - db.name
+                - db.system
+            span_multiplier_key: ""
+        span_metrics:
+            histogram_buckets:
+                - 0.002
+                - 0.004
+                - 0.008
+                - 0.016
+                - 0.032
+                - 0.064
+                - 0.128
+                - 0.256
+                - 0.512
+                - 1.024
+                - 2.048
+                - 4.096
+                - 8.192
+                - 16.384
+            intrinsic_dimensions:
+                service: true
+                span_name: true
+                span_kind: true
+                status_code: true
+            dimensions: []
+            dimension_mappings: []
+            enable_target_info: false
+            span_multiplier_key: ""
+            subprocessors:
+                0: true
+                1: true
+                2: true
+            filter_policies: []
+            target_info_excluded_dimensions: []
+        local_blocks:
+            block:
+                bloom_filter_false_positive: 0.01
+                bloom_filter_shard_size_bytes: 102400
+                version: vParquet3
+                search_encoding: snappy
+                search_page_size_bytes: 1048576
+                v2_index_downsample_bytes: 1048576
+                v2_index_page_size_bytes: 256000
+                v2_encoding: zstd
+                parquet_row_group_size_bytes: 100000000
+                parquet_dedicated_columns: []
+            search:
+                chunk_size_bytes: 1000000
+                prefetch_trace_count: 1000
+                read_buffer_count: 32
+                read_buffer_size_bytes: 1048576
+                cache_control:
+                    footer: false
+                    column_index: false
+                    offset_index: false
+            flush_check_period: 10s
+            trace_idle_period: 10s
+            max_block_duration: 1m0s
+            max_block_bytes: 500000000
+            complete_block_timeout: 1h0m0s
+            max_live_traces: 0
+            concurrent_blocks: 10
+            filter_server_spans: true
+    registry:
+        collection_interval: 15s
+        stale_duration: 15m0s
+        max_label_name_length: 1024
+        max_label_value_length: 2048
+    storage:
+        path: ""
+        wal:
+            wal_segment_size: 134217728
+            wal_compression: none
+            stripe_size: 16384
+            truncate_frequency: 2h0m0s
+            min_wal_time: 300000
+            max_wal_time: 14400000
+            no_lockfile: false
+        remote_write_flush_deadline: 1m0s
+        remote_write_add_org_id_header: true
+    traces_storage:
+        path: ""
+        completedfilepath: ""
+        blocksfilepath: ""
+        v2_encoding: none
+        search_encoding: none
+        ingestion_time_range_slack: 0s
+        version: vParquet3
+    metrics_ingestion_time_range_slack: 30s
+    query_timeout: 30s
+    override_ring_key: metrics-generator
+storage:
+    trace:
+        pool:
+            max_workers: 400
+            queue_depth: 20000
+        wal:
+            path: /tmp/tempo/wal
+            completedfilepath: /tmp/tempo/wal/completed
+            blocksfilepath: /tmp/tempo/wal/blocks
+            v2_encoding: snappy
+            search_encoding: none
+            ingestion_time_range_slack: 2m0s
+            version: vParquet3
+        block:
+            bloom_filter_false_positive: 0.01
+            bloom_filter_shard_size_bytes: 102400
+            version: vParquet3
+            search_encoding: snappy
+            search_page_size_bytes: 1048576
+            v2_index_downsample_bytes: 1048576
+            v2_index_page_size_bytes: 256000
+            v2_encoding: zstd
+            parquet_row_group_size_bytes: 100000000
+            parquet_dedicated_columns: []
+        search:
+            chunk_size_bytes: 1000000
+            prefetch_trace_count: 1000
+            read_buffer_count: 32
+            read_buffer_size_bytes: 1048576
+            cache_control:
+                footer: false
+                column_index: false
+                offset_index: false
+        blocklist_poll: 5m0s
+        blocklist_poll_concurrency: 50
+        blocklist_poll_fallback: true
+        blocklist_poll_tenant_index_builders: 2
+        blocklist_poll_stale_tenant_index: 0s
+        blocklist_poll_jitter_ms: 0
+        blocklist_poll_tolerate_consecutive_errors: 1
+        backend: local
+        local:
+            path: /tmp/tempo/traces
+        gcs:
+            bucket_name: ""
+            prefix: ""
+            chunk_buffer_size: 10485760
+            endpoint: ""
+            hedge_requests_at: 0s
+            hedge_requests_up_to: 2
+            insecure: false
+            object_cache_control: ""
+            object_metadata: {}
+            list_blocks_concurrency: 3
+        s3:
+            tls_cert_path: ""
+            tls_key_path: ""
+            tls_ca_path: ""
+            tls_server_name: ""
+            tls_insecure_skip_verify: false
+            tls_cipher_suites: ""
+            tls_min_version: VersionTLS12
+            bucket: ""
+            prefix: ""
+            endpoint: ""
+            region: ""
+            access_key: ""
+            secret_key: ""
+            session_token: ""
+            insecure: false
+            part_size: 0
+            hedge_requests_at: 0s
+            hedge_requests_up_to: 2
+            signature_v2: false
+            forcepathstyle: false
+            bucket_lookup_type: 0
+            tags: {}
+            storage_class: ""
+            metadata: {}
+            native_aws_auth_enabled: false
+            list_blocks_concurrency: 3
+        azure:
+            storage_account_name: ""
+            storage_account_key: ""
+            use_managed_identity: false
+            use_federated_token: false
+            user_assigned_id: ""
+            container_name: ""
+            prefix: ""
+            endpoint_suffix: blob.core.windows.net
+            max_buffers: 4
+            buffer_size: 3145728
+            hedge_requests_at: 0s
+            hedge_requests_up_to: 2
+            use_v2_sdk: false
+        cache: ""
+        background_cache:
+            writeback_goroutines: 10
+            writeback_buffer: 10000
+        memcached: null
+        redis: null
+        cache_min_compaction_level: 0
+        cache_max_block_age: 0s
+overrides:
+    defaults:
+        ingestion:
+            rate_strategy: local
+            rate_limit_bytes: 15000000
+            burst_size_bytes: 20000000
+            max_traces_per_user: 10000
+        read:
+            max_bytes_per_tag_values_query: 5000000
+        global:
+            max_bytes_per_trace: 5000000
+    per_tenant_override_config: ""
+    per_tenant_override_period: 10s
+    user_configurable_overrides:
+        enabled: false
+        poll_interval: 1m0s
+        client:
+            backend: ""
+            confirm_versioning: true
+            local:
+                path: ""
+            gcs:
+                bucket_name: ""
+                prefix: ""
+                chunk_buffer_size: 10485760
+                endpoint: ""
+                hedge_requests_at: 0s
+                hedge_requests_up_to: 2
+                insecure: false
+                object_cache_control: ""
+                object_metadata: {}
+                list_blocks_concurrency: 3
+            s3:
+                tls_cert_path: ""
+                tls_key_path: ""
+                tls_ca_path: ""
+                tls_server_name: ""
+                tls_insecure_skip_verify: false
+                tls_cipher_suites: ""
+                tls_min_version: VersionTLS12
+                bucket: ""
+                prefix: ""
+                endpoint: ""
+                region: ""
+                access_key: ""
+                secret_key: ""
+                session_token: ""
+                insecure: false
+                part_size: 0
+                hedge_requests_at: 0s
+                hedge_requests_up_to: 2
+                signature_v2: false
+                forcepathstyle: false
+                bucket_lookup_type: 0
+                tags: {}
+                storage_class: ""
+                metadata: {}
+                native_aws_auth_enabled: false
+                list_blocks_concurrency: 3
+            azure:
+                storage_account_name: ""
+                storage_account_key: ""
+                use_managed_identity: false
+                use_federated_token: false
+                user_assigned_id: ""
+                container_name: ""
+                prefix: ""
+                endpoint_suffix: blob.core.windows.net
+                max_buffers: 4
+                buffer_size: 3145728
+                hedge_requests_at: 0s
+                hedge_requests_up_to: 2
+                use_v2_sdk: false
+        api:
+            check_for_conflicting_runtime_overrides: false
+memberlist:
+    node_name: ""
+    randomize_node_name: true
+    stream_timeout: 2s
+    retransmit_factor: 2
+    pull_push_interval: 30s
+    gossip_interval: 1s
+    gossip_nodes: 2
+    gossip_to_dead_nodes_time: 30s
+    dead_node_reclaim_time: 0s
+    compression_enabled: false
+    advertise_addr: ""
+    advertise_port: 7946
+    cluster_label: ""
+    cluster_label_verification_disabled: false
+    join_members: []
+    min_join_backoff: 1s
+    max_join_backoff: 1m0s
+    max_join_retries: 10
+    abort_if_cluster_join_fails: false
+    rejoin_interval: 0s
+    left_ingesters_timeout: 5m0s
+    leave_timeout: 20s
+    message_history_buffer_bytes: 0
+    bind_addr: []
+    bind_port: 7946
+    packet_dial_timeout: 2s
+    packet_write_timeout: 5s
+    tls_enabled: false
+    tls_cert_path: ""
+    tls_key_path: ""
+    tls_ca_path: ""
+    tls_server_name: ""
+    tls_insecure_skip_verify: false
+    tls_cipher_suites: ""
+    tls_min_version: ""
+usage_report:
+    reporting_enabled: true
+    backoff:
+        min_period: 100ms
+        max_period: 10s
+        max_retries: 0
+cache:
+    background:
+        writeback_goroutines: 10
+        writeback_buffer: 10000
+    caches: []
@@ -0,0 +1,54 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+
+server:
+  http_listen_port: 3200
+
+distributor:
+  receivers:                           # this configuration will listen on all ports and protocols that tempo is capable of.
+    jaeger:                            # the receives all come from the OpenTelemetry collector.  more configuration information can
+      protocols:                       # be found there: https://github.com/open-telemetry/opentelemetry-collector/tree/main/receiver
+        thrift_http:                   #
+        grpc:                          # for a production deployment you should only enable the receivers you need!
+        thrift_binary:
+        thrift_compact:
+    zipkin:
+    otlp:
+      protocols:
+        http:
+        grpc:
+    opencensus:
+
+ingester:
+  max_block_duration: 5m               # cut the headblock when this much time passes. this is being set for demo purposes and should probably be left alone normally
+
+compactor:
+  compaction:
+    block_retention: 1h                # overall Tempo trace retention. set for demo purposes
+
+# metrics_generator:
+#   registry:
+#     external_labels:
+#       source: tempo
+#       cluster: docker-compose
+#   storage:
+#     path: /tmp/tempo/generator/wal
+#     remote_write:
+#       - url: http://grafana-alloy:12345/api/v1/write
+#         send_exemplars: true
+
+storage:
+  trace:
+    backend: s3                        # backend configuration to use
+    wal:
+      path: /tmp/tempo/wal             # where to store the the wal locally
+    s3:
+      bucket: tempo                    # how to store data in s3
+      endpoint: minio:9000
+      access_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MINIO_TEMPO_STORAGE_ACCESS_KEY'] }}
+      secret_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MINIO_TEMPO_STORAGE_SECRET_KEY'] }}
+      insecure: true
+
+usage_report:
+  reporting_enabled: false
@@ -0,0 +1,22 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+
+---
+# For configuration options and examples, please see:
+# https://gethomepage.dev/en/configs/bookmarks
+
+#- Developer:
+#    - Github:
+#        - abbr: GH
+#          href: https://github.com/
+#
+#- Social:
+#    - Reddit:
+#        - abbr: RE
+#          href: https://reddit.com/
+#
+#- Entertainment:
+#    - YouTube:
+#        - abbr: YT
+#          href: https://youtube.com/
@@ -0,0 +1,15 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+
+---
+# For configuration options and examples, please see:
+# https://gethomepage.dev/en/configs/docker/
+
+# my-docker:
+#   host: 127.0.0.1
+#   port: 2375
+
+ my-docker:
+   host: dockerproxy
+   port: 2375
@@ -0,0 +1,6 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+
+---
+# sample kubernetes config
@@ -0,0 +1,33 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+---
+# For configuration options and examples, please see:
+# https://gethomepage.dev/en/configs/services
+
+#- My First Group:
+#    - My First Service:
+#        href: http://localhost/
+#        description: Homepage is awesome
+#
+#- My Second Group:
+#    - My Second Service:
+#        href: http://localhost/
+#        description: Homepage is the best
+#
+#- My Third Group:
+#    - My Third Service:
+#        href: http://localhost/
+#        description: Homepage is 😎
+
+- Automation:
+    - Home Assistant (Rikku):
+        href: https://ha.trez.wtf
+        description: Smart Home
+        icon: home-assistant.png
+        weight: 0
+        widget:
+            type: homeassistant
+            url: http://192.168.1.252:8123
+            key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['HOMEPAGE_HOME_ASSISTANT_API_KEY'] }}
+
@@ -0,0 +1,56 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+---
+# For configuration options and examples, please see:
+# https://gethomepage.dev/en/configs/settings
+
+providers:
+  openweathermap: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['HOMEPAGE_OPENWEATHERMAP_API_KEY'] }}
+  # weatherapi: weatherapiapikey
+title: Rinoa Dashboard (trez.WTF)
+headerStyle: underlined
+color: slate
+showStats: false
+statusStyle: "dot"
+favicon: /icons/favicon.ico
+useEqualHeights: true
+hideErrors: false
+searchDescriptions: true
+showSearchSuggestions: true
+provider: duckduckgo
+
+layout:
+  System Administration:
+    style: row
+    columns: 4
+  Infrastructure/App Performance Monitoring:
+    style: row
+    columns: 3
+  Code/DevOps:
+    style: row
+    columns: 3
+  Social:
+    style: row
+    columns: 4
+  Lifestyle:
+    style: row
+    columns: 3
+  Automation:
+    style: row
+    columns: 5
+  Privacy/Security:
+    style: row
+    columns: 5
+  Personal/Professional Services:
+    style: row
+    columns: 5
+  Servarr Stack:
+    style: row
+    columns: 3
+  Downloaders:
+    style: row
+    columns: 2
+  Media Library:
+    style: row
+    columns: 3
@@ -0,0 +1,33 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+---
+# For configuration options and examples, please see:
+# https://gethomepage.dev/en/configs/widgets
+
+- resources:
+    label: System
+    cpu: true
+    memory: true
+    cputemp: true
+    uptime: true
+
+- resources:
+    label: Storage
+    expanded: true
+    disk:
+        - /
+        - /rinoa-storage
+
+- search:
+    provider: custom
+    url: https://search.trez.wtf/search?q=
+    target: _blank
+
+- openweathermap:
+    label: New York
+    latitude: 40.72
+    longitude: -73.85
+    units: imperial
+    provider: openweathermap
+    cache: 10
@@ -0,0 +1,22 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+
+---
+# For configuration options and examples, please see:
+# https://gethomepage.dev/en/configs/bookmarks
+
+#- Developer:
+#    - Github:
+#        - abbr: GH
+#          href: https://github.com/
+#
+#- Social:
+#    - Reddit:
+#        - abbr: RE
+#          href: https://reddit.com/
+#
+#- Entertainment:
+#    - YouTube:
+#        - abbr: YT
+#          href: https://youtube.com/
@@ -0,0 +1,15 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+
+---
+# For configuration options and examples, please see:
+# https://gethomepage.dev/en/configs/docker/
+
+# my-docker:
+#   host: 127.0.0.1
+#   port: 2375
+
+ my-docker:
+   host: dockerproxy
+   port: 2375
@@ -0,0 +1,6 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+
+---
+# sample kubernetes config
@@ -0,0 +1,33 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+---
+# For configuration options and examples, please see:
+# https://gethomepage.dev/en/configs/services
+
+#- My First Group:
+#    - My First Service:
+#        href: http://localhost/
+#        description: Homepage is awesome
+#
+#- My Second Group:
+#    - My Second Service:
+#        href: http://localhost/
+#        description: Homepage is the best
+#
+#- My Third Group:
+#    - My Third Service:
+#        href: http://localhost/
+#        description: Homepage is 😎
+
+- Automation:
+    - Home Assistant (Rikku):
+        href: https://ha.trez.wtf
+        description: Smart Home
+        icon: home-assistant.png
+        weight: 0
+        widget:
+            type: homeassistant
+            url: http://192.168.1.252:8123
+            key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['HOMEPAGE_HOME_ASSISTANT_API_KEY'] }}
+
@@ -0,0 +1,56 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+---
+# For configuration options and examples, please see:
+# https://gethomepage.dev/en/configs/settings
+
+providers:
+  openweathermap: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['HOMEPAGE_OPENWEATHERMAP_API_KEY'] }}
+  # weatherapi: weatherapiapikey
+title: Rinoa Dashboard (trez.WTF)
+headerStyle: underlined
+color: slate
+showStats: false
+statusStyle: "dot"
+favicon: /icons/favicon.ico
+useEqualHeights: true
+hideErrors: false
+searchDescriptions: true
+showSearchSuggestions: true
+provider: duckduckgo
+
+layout:
+  System Administration:
+    style: row
+    columns: 4
+  Infrastructure/App Performance Monitoring:
+    style: row
+    columns: 3
+  Code/DevOps:
+    style: row
+    columns: 3
+  Social:
+    style: row
+    columns: 4
+  Lifestyle:
+    style: row
+    columns: 3
+  Automation:
+    style: row
+    columns: 5
+  Privacy/Security:
+    style: row
+    columns: 5
+  Personal/Professional Services:
+    style: row
+    columns: 5
+  Servarr Stack:
+    style: row
+    columns: 3
+  Downloaders:
+    style: row
+    columns: 2
+  Media Library:
+    style: row
+    columns: 3
@@ -0,0 +1,33 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+---
+# For configuration options and examples, please see:
+# https://gethomepage.dev/en/configs/widgets
+
+- resources:
+    label: System
+    cpu: true
+    memory: true
+    cputemp: true
+    uptime: true
+
+- resources:
+    label: Storage
+    expanded: true
+    disk:
+        - /
+        - /rinoa-storage
+
+- search:
+    provider: custom
+    url: https://search.trez.wtf/search?q=
+    target: _blank
+
+- openweathermap:
+    label: New York
+    latitude: 40.72
+    longitude: -73.85
+    units: imperial
+    provider: openweathermap
+    cache: 10
@@ -0,0 +1,952 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+#########################################
+#
+#  Database and other external servers
+#
+#########################################
+
+##
+## Database configuration with separate parameters.
+## This setting is MANDATORY, unless 'database_url' is used.
+##
+db:
+  user: kemal
+  host: invidious-db
+  port: 5432
+  dbname: invidious
+  password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_PG_DB_PASSWORD'] }}
+
+##
+## Database configuration using a single URI. This is an
+## alternative to the 'db' parameter above. If both forms
+## are used, then only database_url is used.
+## This setting is MANDATORY, unless 'db' is used.
+##
+## Note: The 'database_url' setting allows the use of UNIX
+## sockets. To do so, remove the IP address (or FQDN) and port
+## and append the 'host' parameter. E.g:
+##   postgres://kemal:kemal@/invidious?host=/var/run/postgresql
+##
+## Accepted values: a postgres:// URI
+## Default: postgres://kemal:kemal@localhost:5432/invidious
+##
+#database_url: postgres://kemal:kemal@localhost:5432/invidious
+
+##
+## Enable automatic table integrity check. This will create
+## the required tables and columns if anything is missing.
+##
+## Accepted values: true, false
+## Default: false
+##
+check_tables: true
+
+
+##
+## Path to an external signature resolver, used to emulate
+## the Youtube client's Javascript. If no such server is
+## available, some videos will not be playable.
+##
+## When this setting is commented out, no external
+## resolver will be used.
+##
+## Accepted values: a path to a UNIX socket or "<IP>:<Port>"
+## Default: <none>
+##
+signature_server: invidious-sig-helper:12999
+
+
+#########################################
+#
+#  Server config
+#
+#########################################
+
+# -----------------------------
+#  Network (inbound)
+# -----------------------------
+
+##
+## Port to listen on for incoming connections.
+##
+## Note: Ports lower than 1024 requires either root privileges
+## (not recommended) or the "CAP_NET_BIND_SERVICE" capability
+## (See https://stackoverflow.com/a/414258 and `man capabilities`)
+##
+## Accepted values: 1-65535
+## Default: 3000
+##
+#port: 3000
+
+##
+## When the invidious instance is behind a proxy, and the proxy
+## listens on a different port than the instance does, this lets
+## invidious know about it. This is used to craft absolute URLs
+## to the instance (e.g in the API).
+##
+## Note: This setting is MANDATORY if invidious is behind a
+## reverse proxy.
+##
+## Accepted values: 1-65535
+## Default: <none>
+##
+#external_port:
+
+##
+## Interface address to listen on for incoming connections.
+##
+## Accepted values: a valid IPv4 or IPv6 address.
+## default: 0.0.0.0  (listen on all interfaces)
+##
+#host_binding: 0.0.0.0
+
+##
+## Domain name under which this instance is hosted. This is
+## used to craft absolute URLs to the instance (e.g in the API).
+## The domain MUST be defined if your instance is accessed from
+## a domain name (like 'example.com').
+##
+## Accepted values: a fully qualified domain name (FQDN)
+## Default: <none>
+##
+# domain:
+
+##
+## Tell Invidious that it is behind a proxy that provides only
+## HTTPS, so all links must use the https:// scheme. This
+## setting MUST be set to true if invidious is behind a
+## reverse proxy serving HTTPs.
+##
+## Accepted values: true, false
+## Default: false
+##
+https_only: false
+
+##
+## Enable/Disable 'Strict-Transport-Security'. Make sure that
+## the domain specified under 'domain' is served securely.
+##
+## Accepted values: true, false
+## Default: true
+##
+#hsts: true
+
+
+# -----------------------------
+#  Network (outbound)
+# -----------------------------
+
+##
+## Disable proxying server-wide. Can be disable as a whole, or
+## only for a single function.
+##
+## Accepted values: true, false, dash, livestreams, downloads, local
+## Default: false
+##
+#disable_proxy: false
+
+##
+## Size of the HTTP pool used to connect to youtube. Each
+## domain ('youtube.com', 'ytimg.com', ...) has its own pool.
+##
+## Accepted values: a positive integer
+## Default: 100
+##
+#pool_size: 100
+
+
+##
+## Additional cookies to be sent when requesting the youtube API.
+##
+## Accepted values: a string in the format "name1=value1; name2=value2..."
+## Default: <none>
+##
+#cookies:
+
+##
+## Force connection to youtube over a specific IP family.
+##
+## Note: This may sometimes resolve issues involving rate-limiting.
+## See https://github.com/ytdl-org/youtube-dl/issues/21729.
+##
+## Accepted values: ipv4, ipv6
+## Default: <none>
+##
+#force_resolve:
+
+##
+## Configuration for using a HTTP proxy
+##
+## If unset, then no HTTP proxy will be used.
+## 
+#http_proxy:
+#  user:
+#  password:
+#  host:
+#  port:
+
+
+##
+## Use Innertube's transcripts API instead of timedtext for closed captions
+##
+## Useful for larger instances as InnerTube is **not ratelimited**. See https://github.com/iv-org/invidious/issues/2567
+##
+## Subtitle experience may differ slightly on Invidious.
+##
+## Accepted values: true, false
+## Default: false
+##
+# use_innertube_for_captions: false
+
+##
+## Send Google session informations. This is useful when Invidious is blocked
+## by the message "This helps protect our community."
+## See https://github.com/iv-org/invidious/issues/4734.
+##
+## Warning: These strings gives much more identifiable information to Google!
+##
+## Accepted values: String
+## Default: <none>
+##
+po_token: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_PO_TOKEN'] }}
+visitor_data: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_VISITOR_DATA'] }}
+
+# -----------------------------
+#  Logging
+# -----------------------------
+
+##
+## Path to log file. Can be absolute or relative to the invidious
+## binary. This is overridden if "-o OUTPUT" or "--output=OUTPUT"
+## are passed on the command line.
+##
+## Accepted values: a filesystem path or 'STDOUT'
+## Default: STDOUT
+##
+#output: STDOUT
+
+##
+## Logging Verbosity. This is overridden if "-l LEVEL" or
+## "--log-level=LEVEL" are passed on the command line.
+##
+## Accepted values: All, Trace, Debug, Info, Warn, Error, Fatal, Off
+## Default: Info
+##
+#log_level: Info
+
+##
+## Enables colors in logs. Useful for debugging purposes
+## This is overridden if "-k" or "--colorize"
+## are passed on the command line.
+## Colors are also disabled if the environment variable
+## NO_COLOR is present and has any value
+##
+## Accepted values: true, false
+## Default: true
+##
+#colorize_logs: false
+
+# -----------------------------
+#  Features
+# -----------------------------
+
+##
+## Enable/Disable the "Popular" tab on the main page.
+##
+## Accepted values: true, false
+## Default: true
+##
+#popular_enabled: true
+
+##
+## Enable/Disable statstics (available at /api/v1/stats).
+## The following data is available:
+##   - Software name ("invidious") and version+branch (same data as
+##     displayed in the footer, e.g: "2021.05.13-75e5b49" / "master")
+##   - The value of the 'registration_enabled' config (true/false)
+##   - Number of currently registered users
+##   - Number of registered users who connected in the last month
+##   - Number of registered users who connected in the last 6 months
+##   - Timestamp of the last server restart
+##   - Timestamp of the last "Channel Refresh" job execution
+##
+## Warning: This setting MUST be set to true if you plan to run
+## a public instance. It is used by api.invidious.io to refresh
+## your instance's status.
+##
+## Accepted values: true, false
+## Default: false
+##
+#statistics_enabled: false
+
+
+# -----------------------------
+#  Users and accounts
+# -----------------------------
+
+##
+## Allow/Forbid Invidious (local) account creation. Invidious
+## accounts allow users to subscribe to channels and to create
+## playlists without a Google account.
+##
+## Accepted values: true, false
+## Default: true
+##
+#registration_enabled: true
+
+##
+## Allow/Forbid users to log-in.
+##
+## Accepted values: true, false
+## Default: true
+##
+#login_enabled: true
+
+##
+## Enable/Disable the captcha challenge on the login page.
+##
+## Note: this is a basic captcha challenge that doesn't
+## depend on any third parties.
+##
+## Accepted values: true, false
+## Default: true
+##
+#captcha_enabled: true
+
+##
+## List of usernames that will be granted administrator rights.
+## A user with administrator rights will be able to change the
+## server configuration options listed below in /preferences,
+## in addition to the usual user preferences.
+##
+## Server-wide settings:
+##   - popular_enabled
+##   - captcha_enabled
+##   - login_enabled
+##   - registration_enabled
+##   - statistics_enabled
+## Default user preferences:
+##   - default_home
+##   - feed_menu
+##
+## Accepted values: an array of strings
+## Default: [""]
+##
+#admins: [""]
+
+##
+## Enable/Disable the user notifications for all users
+##
+## Note: On large instances, it is recommended to set this option to 'false'
+## in order to reduce the amount of data written to the database, and hence
+## improve the overall performance of the instance.
+##
+## Accepted values: true, false
+## Default: true
+##
+#enable_user_notifications: true
+
+# -----------------------------
+#  Background jobs
+# -----------------------------
+
+##
+## Number of threads to use when crawling channel videos (during
+## subscriptions update).
+##
+## Notes: This setting is overridden if either "-c THREADS" or
+## "--channel-threads=THREADS" is passed on the command line.
+##
+## Accepted values: a positive integer
+## Default: 1
+##
+channel_threads: 1
+
+##
+## Time interval between two executions of the job that crawls
+## channel videos (subscriptions update).
+##
+## Accepted values: a valid time interval (like 1h30m or 90m)
+## Default: 30m
+##
+#channel_refresh_interval: 30m
+
+##
+## Forcefully dump and re-download the entire list of uploaded
+## videos when crawling channel (during subscriptions update).
+##
+## Accepted values: true, false
+## Default: false
+##
+full_refresh: false
+
+##
+## Number of threads to use when updating RSS feeds.
+##
+## Notes: This setting is overridden if either "-f THREADS" or
+## "--feed-threads=THREADS" is passed on the command line.
+##
+## Accepted values: a positive integer
+## Default: 1
+##
+feed_threads: 1
+
+
+jobs:
+
+  ## Options for the database cleaning job
+  clear_expired_items:
+
+    ## Enable/Disable job
+    ##
+    ## Accepted values: true, false
+    ## Default: true
+    ##
+    enable: true
+
+  ## Options for the channels updater job
+  refresh_channels:
+
+    ## Enable/Disable job
+    ##
+    ## Accepted values: true, false
+    ## Default: true
+    ##
+    enable: true
+
+  ## Options for the RSS feeds updater job
+  refresh_feeds:
+
+    ## Enable/Disable job
+    ##
+    ## Accepted values: true, false
+    ## Default: true
+    ##
+    enable: true
+
+
+# -----------------------------
+#  Miscellaneous
+# -----------------------------
+
+##
+## custom banner displayed at the top of every page. This can
+## used for instance announcements, e.g.
+##
+## Accepted values: any string. HTML is accepted.
+## Default: <none>
+##
+#banner:
+
+##
+## Subscribe to channels using PubSubHub (Google PubSubHubbub service).
+## PubSubHub allows Invidious to be instantly notified when a new video
+## is published on any subscribed channels. When PubSubHub is not used,
+## Invidious will check for new videos every minute.
+##
+## Note: This setting is recommended for public instances.
+##
+## Note 2:
+##  - Requires a public instance (it uses /feed/webhook/v1)
+##  - Requires 'domain' and 'hmac_key' to be set.
+##  - Setting this parameter to any number greater than zero will
+##    enable channel subscriptions via PubSubHub, but will limit the
+##    amount of concurrent subscriptions.
+##
+## Accepted values: true, false, a positive integer
+## Default: false
+##
+#use_pubsub_feeds: false
+
+##
+## HMAC signing key used for CSRF tokens, cookies and pubsub
+## subscriptions verification.
+##
+## Note: This parameter is mandatory and should be a random string.
+## Such random string can be generated on linux with the following
+## command: `pwgen 20 1`
+##
+## Accepted values: a string
+## Default: <none>
+##
+hmac_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_HMAC_KEY'] }}
+
+##
+## List of video IDs where the "download" widget must be
+## disabled, in order to comply with DMCA requests.
+##
+## Accepted values: an array of string
+## Default: <none>
+##
+#dmca_content:
+
+##
+## Cache video annotations in the database.
+##
+## Warning: empty annotations or annotations that only contain
+## cards won't be cached.
+##
+## Accepted values: true, false
+## Default: false
+##
+#cache_annotations: false
+
+##
+## Source code URL. If your instance is running a modified source
+## code, you MUST publish it somewhere and set this option.
+##
+## Accepted values: a string
+## Default: <none>
+##
+#modified_source_code_url: ""
+
+##
+## Maximum custom playlist length limit.
+##
+## Accepted values: Integer
+## Default: 500
+##
+#playlist_length_limit: 500
+
+#########################################
+#
+#  Default user preferences
+#
+#########################################
+
+##
+## NOTE: All the settings below define the default user
+## preferences. They will apply to ALL users connecting
+## without a preferences cookie (so either on the first
+## connection to the instance or after clearing the
+## browser's cookies).
+##
+
+default_user_preferences:
+
+  # -----------------------------
+  #  Internationalization
+  # -----------------------------
+
+  ##
+  ## Default user interface language (locale).
+  ##
+  ## Note: When hosting a public instance, overriding the
+  ## default (english) is not recommended, as it may
+  ## people using other languages.
+  ##
+  ## Accepted values:
+  ##   ar      (Arabic)
+  ##   da      (Danish)
+  ##   de      (German)
+  ##   en-US   (english, US)
+  ##   el      (Greek)
+  ##   eo      (Esperanto)
+  ##   es      (Spanish)
+  ##   fa      (Persian)
+  ##   fi      (Finnish)
+  ##   fr      (French)
+  ##   he      (Hebrew)
+  ##   hr      (Hungarian)
+  ##   id      (Indonesian)
+  ##   is      (Icelandic)
+  ##   it      (Italian)
+  ##   ja      (Japanese)
+  ##   nb-NO   (Norwegian, Bokmål)
+  ##   nl      (Dutch)
+  ##   pl      (Polish)
+  ##   pt-BR   (Portuguese, Brazil)
+  ##   pt-PT   (Portuguese, Portugal)
+  ##   ro      (Romanian)
+  ##   ru      (Russian)
+  ##   sv      (Swedish)
+  ##   tr      (Turkish)
+  ##   uk      (Ukrainian)
+  ##   zh-CN   (Chinese, China)  (a.k.a "Simplified Chinese")
+  ##   zh-TW   (Chinese, Taiwan) (a.k.a "Traditional Chinese")
+  ##
+  ## Default: en-US
+  ##
+  #locale: en-US
+
+  ##
+  ## Default geographical location for content.
+  ##
+  ## Accepted values:
+  ##   AE, AR, AT, AU, AZ, BA, BD, BE, BG, BH, BO, BR, BY, CA, CH, CL, CO, CR,
+  ##   CY, CZ, DE, DK, DO, DZ, EC, EE, EG, ES, FI, FR, GB, GE, GH, GR, GT, HK,
+  ##   HN, HR, HU, ID, IE, IL, IN, IQ, IS, IT, JM, JO, JP, KE, KR, KW, KZ, LB,
+  ##   LI, LK, LT, LU, LV, LY, MA, ME, MK, MT, MX, MY, NG, NI, NL, NO, NP, NZ,
+  ##   OM, PA, PE, PG, PH, PK, PL, PR, PT, PY, QA, RO, RS, RU, SA, SE, SG, SI,
+  ##   SK, SN, SV, TH, TN, TR, TW, TZ, UA, UG, US, UY, VE, VN, YE, ZA, ZW
+  ##
+  ## Default: US
+  ##
+  #region: US
+
+  ##
+  ## Top 3 preferred languages for video captions.
+  ##
+  ## Note: overriding the default (no preferred
+  ## caption language) is not recommended, in order
+  ## to not penalize people using other languages.
+  ##
+  ## Accepted values: a three-entries array.
+  ## Each entry can be one of:
+  ##   "English", "English (auto-generated)",
+  ##   "Afrikaans", "Albanian", "Amharic", "Arabic",
+  ##   "Armenian", "Azerbaijani", "Bangla", "Basque",
+  ##   "Belarusian", "Bosnian", "Bulgarian", "Burmese",
+  ##   "Catalan", "Cebuano", "Chinese (Simplified)",
+  ##   "Chinese (Traditional)", "Corsican", "Croatian",
+  ##   "Czech", "Danish", "Dutch", "Esperanto", "Estonian",
+  ##   "Filipino", "Finnish", "French", "Galician", "Georgian",
+  ##   "German", "Greek", "Gujarati", "Haitian Creole", "Hausa",
+  ##   "Hawaiian", "Hebrew", "Hindi", "Hmong", "Hungarian",
+  ##   "Icelandic", "Igbo", "Indonesian", "Irish", "Italian",
+  ##   "Japanese", "Javanese", "Kannada", "Kazakh", "Khmer",
+  ##   "Korean", "Kurdish", "Kyrgyz", "Lao", "Latin", "Latvian",
+  ##   "Lithuanian", "Luxembourgish", "Macedonian",
+  ##   "Malagasy", "Malay", "Malayalam", "Maltese", "Maori",
+  ##   "Marathi", "Mongolian", "Nepali", "Norwegian Bokmål",
+  ##   "Nyanja", "Pashto", "Persian", "Polish", "Portuguese",
+  ##   "Punjabi", "Romanian", "Russian", "Samoan",
+  ##   "Scottish Gaelic", "Serbian", "Shona", "Sindhi",
+  ##   "Sinhala", "Slovak", "Slovenian", "Somali",
+  ##   "Southern Sotho", "Spanish", "Spanish (Latin America)",
+  ##   "Sundanese",  "Swahili", "Swedish", "Tajik", "Tamil",
+  ##   "Telugu", "Thai", "Turkish", "Ukrainian", "Urdu",
+  ##   "Uzbek", "Vietnamese", "Welsh", "Western Frisian",
+  ##   "Xhosa", "Yiddish", "Yoruba", "Zulu"
+  ##
+  ## Default: ["", "", ""]
+  ##
+  #captions: ["", "", ""]
+
+
+  # -----------------------------
+  #  Interface
+  # -----------------------------
+
+  ##
+  ## Enable/Disable dark mode.
+  ##
+  ## Accepted values: "dark", "light", "auto"
+  ## Default: "auto"
+  ##
+  #dark_mode: "auto"
+
+  ##
+  ## Enable/Disable thin mode (no video thumbnails).
+  ##
+  ## Accepted values: true, false
+  ## Default: false
+  ##
+  #thin_mode: false
+
+  ##
+  ## List of feeds available on the home page.
+  ##
+  ## Note: "Subscriptions" and "Playlists" are only visible
+  ## when the user is logged in.
+  ##
+  ## Accepted values: A list of strings
+  ## Each entry can be one of: "Popular", "Trending",
+  ##    "Subscriptions", "Playlists"
+  ##
+  ## Default: ["Popular", "Trending", "Subscriptions", "Playlists"]  (show all feeds)
+  ##
+  #feed_menu: ["Popular", "Trending", "Subscriptions", "Playlists"]
+
+  ##
+  ## Default feed to display on the home page.
+  ##
+  ## Note: setting this option to "Popular" has no
+  ## effect when 'popular_enabled' is set to false.
+  ##
+  ## Accepted values: Popular, Trending, Subscriptions, Playlists, <none>
+  ## Default: Popular
+  ##
+  #default_home: Popular
+
+  ##
+  ## Default number of results to display per page.
+  ##
+  ## Note: this affects invidious-generated pages only, such
+  ## as watch history and subscription feeds. Playlists, search
+  ## results and channel videos depend on the data returned by
+  ## the Youtube API.
+  ##
+  ## Accepted values: any positive integer
+  ## Default: 40
+  ##
+  #max_results: 40
+
+  ##
+  ## Show/hide annotations.
+  ##
+  ## Accepted values: true, false
+  ## Default: false
+  ##
+  #annotations: false
+
+  ##
+  ## Show/hide annotation.
+  ##
+  ## Accepted values: true, false
+  ## Default: false
+  ##
+  #annotations_subscribed: false
+
+  ##
+  ## Type of comments to display below video.
+  ##
+  ## Accepted values: a two-entries array.
+  ## Each entry can be one of: "youtube", "reddit", ""
+  ##
+  ## Default: ["youtube", ""]
+  ##
+  #comments: ["youtube", ""]
+
+  ##
+  ## Default player style.
+  ##
+  ## Accepted values: invidious, youtube
+  ## Default: invidious
+  ##
+  #player_style: invidious
+
+  ##
+  ## Show/Hide the "related videos" sidebar when
+  ## watching a video.
+  ##
+  ## Accepted values: true, false
+  ## Default: true
+  ##
+  #related_videos: true
+
+
+  # -----------------------------
+  #  Video player behavior
+  # -----------------------------
+
+  ##
+  ## This option controls the value of the HTML5 <video> element's
+  ## "preload" attribute.
+  ##
+  ## If set to 'false', no video data will be loaded until the user
+  ## explicitly starts the video by clicking the "Play" button.
+  ## If set to 'true', the web browser will buffer some video data
+  ## while the page is loading.
+  ##
+  ## See: https://www.w3schools.com/tags/att_video_preload.asp
+  ##
+  ## Accepted values: true, false
+  ## Default: true
+  ##
+  #preload: true
+
+  ##
+  ## Automatically play videos on page load.
+  ##
+  ## Accepted values: true, false
+  ## Default: false
+  ##
+  #autoplay: false
+
+  ##
+  ## Automatically load the "next" video (either next in
+  ## playlist or proposed) when the current video ends.
+  ##
+  ## Accepted values: true, false
+  ## Default: false
+  ##
+  #continue: false
+
+  ##
+  ## Autoplay next video by default.
+  ##
+  ## Note: Only effective if 'continue' is set to true.
+  ##
+  ## Accepted values: true, false
+  ## Default: true
+  ##
+  #continue_autoplay: true
+
+  ##
+  ## Play videos in Audio-only mode by default.
+  ##
+  ## Accepted values: true, false
+  ## Default: false
+  ##
+  #listen: false
+
+  ##
+  ## Loop videos automatically.
+  ##
+  ## Accepted values: true, false
+  ## Default: false
+  ##
+  #video_loop: false
+
+
+  # -----------------------------
+  #  Video playback settings
+  # -----------------------------
+
+  ##
+  ## Default video quality.
+  ##
+  ## Accepted values: dash, hd720, medium, small
+  ## Default: hd720
+  ##
+  #quality: hd720
+
+  ##
+  ## Default dash video quality.
+  ##
+  ## Note: this setting only takes effet if the
+  ## 'quality' parameter is set to "dash".
+  ##
+  ## Accepted values:
+  ##    auto, best, 4320p, 2160p, 1440p, 1080p,
+  ##    720p, 480p, 360p, 240p, 144p, worst
+  ## Default: auto
+  ##
+  #quality_dash: auto
+
+  ##
+  ## Default video playback speed.
+  ##
+  ## Accepted values: 0.25, 0.5, 0.75, 1.0, 1.25, 1.5, 1.75, 2.0
+  ## Default: 1.0
+  ##
+  #speed: 1.0
+
+  ##
+  ## Default volume.
+  ##
+  ## Accepted values: 0-100
+  ## Default: 100
+  ##
+  #volume: 100
+
+  ##
+  ## Allow 360° videos to be played.
+  ##
+  ## Note: This feature requires a WebGL-enabled browser.
+  ##
+  ## Accepted values: true, false
+  ## Default: true
+  ##
+  #vr_mode: true
+  
+  ##
+  ## Save the playback position
+  ## Allow to continue watching at the previous position when
+  ## watching the same video.
+  ##
+  ## Accepted values: true, false
+  ## Default: false
+  ##
+  #save_player_pos: false
+
+  # -----------------------------
+  #  Subscription feed
+  # -----------------------------
+
+  ##
+  ## In the "Subscription" feed, only show the latest video
+  ## of each channel the user is subscribed to.
+  ##
+  ## Note: when combined with 'unseen_only', the latest unseen
+  ## video of each channel will be displayed instead of the
+  ## latest by date.
+  ##
+  ## Accepted values: true, false
+  ## Default: false
+  ##
+  #latest_only: false
+
+  ##
+  ## Enable/Disable user subscriptions desktop notifications.
+  ##
+  ## Accepted values: true, false
+  ## Default: false
+  ##
+  #notifications_only: false
+
+  ##
+  ## In the "Subscription" feed, Only show the videos that the
+  ## user haven't watched yet (i.e which are not in their watch
+  ## history).
+  ##
+  ## Accepted values: true, false
+  ## Default: false
+  ##
+  #unseen_only: false
+
+  ##
+  ## Default sorting parameter for subscription feeds.
+  ##
+  ## Accepted values:
+  ##   'alphabetically'
+  ##   'alphabetically - reverse'
+  ##   'channel name'
+  ##   'channel name - reverse'
+  ##   'published'
+  ##   'published - reverse'
+  ##
+  ## Default: published
+  ##
+  #sort: published
+
+
+  # -----------------------------
+  #  Miscellaneous
+  # -----------------------------
+
+  ##
+  ## Proxy videos through instance by default.
+  ##
+  ## Warning: As most users won't change this setting in their
+  ## preferences, defaulting  to true will significantly
+  ## increase the instance's network usage, so make sure that
+  ## your server's connection can handle it.
+  ##
+  ## Accepted values: true, false
+  ## Default: false
+  ##
+  #local: false
+
+  ##
+  ## Show the connected user's nick at the top right.
+  ##
+  ## Accepted values: true, false
+  ## Default: true
+  ##
+  #show_nick: true
+
+  ##
+  ## Automatically redirect to a random instance when the user uses
+  ## any "switch invidious instance" link (For videos, it's the plane
+  ## icon, next to "watch on youtube" and "listen"). When set to false,
+  ## the user is sent to https://redirect.invidious.io instead, where
+  ## they can manually select an instance.
+  ##
+  ## Accepted values: true, false
+  ## Default: false
+  ##
+  #automatic_instance_redirect: false
+
+  ##
+  ## Show the entire video description by default (when set to 'false',
+  ## only the first few lines of the description are shown and a
+  ## "show more" button allows to expand it).
+  ##
+  ## Accepted values: true, false
+  ## Default: false
+  ##
+  #extend_desc: false
@@ -0,0 +1,952 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+#########################################
+#
+#  Database and other external servers
+#
+#########################################
+
+##
+## Database configuration with separate parameters.
+## This setting is MANDATORY, unless 'database_url' is used.
+##
+db:
+  user: kemal
+  host: invidious-db
+  port: 5432
+  dbname: invidious
+  password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_PG_DB_PASSWORD'] }}
+
+##
+## Database configuration using a single URI. This is an
+## alternative to the 'db' parameter above. If both forms
+## are used, then only database_url is used.
+## This setting is MANDATORY, unless 'db' is used.
+##
+## Note: The 'database_url' setting allows the use of UNIX
+## sockets. To do so, remove the IP address (or FQDN) and port
+## and append the 'host' parameter. E.g:
+##   postgres://kemal:kemal@/invidious?host=/var/run/postgresql
+##
+## Accepted values: a postgres:// URI
+## Default: postgres://kemal:kemal@localhost:5432/invidious
+##
+#database_url: postgres://kemal:kemal@localhost:5432/invidious
+
+##
+## Enable automatic table integrity check. This will create
+## the required tables and columns if anything is missing.
+##
+## Accepted values: true, false
+## Default: false
+##
+check_tables: true
+
+
+##
+## Path to an external signature resolver, used to emulate
+## the Youtube client's Javascript. If no such server is
+## available, some videos will not be playable.
+##
+## When this setting is commented out, no external
+## resolver will be used.
+##
+## Accepted values: a path to a UNIX socket or "<IP>:<Port>"
+## Default: <none>
+##
+signature_server: invidious-sig-helper:12999
+
+
+#########################################
+#
+#  Server config
+#
+#########################################
+
+# -----------------------------
+#  Network (inbound)
+# -----------------------------
+
+##
+## Port to listen on for incoming connections.
+##
+## Note: Ports lower than 1024 requires either root privileges
+## (not recommended) or the "CAP_NET_BIND_SERVICE" capability
+## (See https://stackoverflow.com/a/414258 and `man capabilities`)
+##
+## Accepted values: 1-65535
+## Default: 3000
+##
+#port: 3000
+
+##
+## When the invidious instance is behind a proxy, and the proxy
+## listens on a different port than the instance does, this lets
+## invidious know about it. This is used to craft absolute URLs
+## to the instance (e.g in the API).
+##
+## Note: This setting is MANDATORY if invidious is behind a
+## reverse proxy.
+##
+## Accepted values: 1-65535
+## Default: <none>
+##
+#external_port:
+
+##
+## Interface address to listen on for incoming connections.
+##
+## Accepted values: a valid IPv4 or IPv6 address.
+## default: 0.0.0.0  (listen on all interfaces)
+##
+#host_binding: 0.0.0.0
+
+##
+## Domain name under which this instance is hosted. This is
+## used to craft absolute URLs to the instance (e.g in the API).
+## The domain MUST be defined if your instance is accessed from
+## a domain name (like 'example.com').
+##
+## Accepted values: a fully qualified domain name (FQDN)
+## Default: <none>
+##
+# domain:
+
+##
+## Tell Invidious that it is behind a proxy that provides only
+## HTTPS, so all links must use the https:// scheme. This
+## setting MUST be set to true if invidious is behind a
+## reverse proxy serving HTTPs.
+##
+## Accepted values: true, false
+## Default: false
+##
+https_only: false
+
+##
+## Enable/Disable 'Strict-Transport-Security'. Make sure that
+## the domain specified under 'domain' is served securely.
+##
+## Accepted values: true, false
+## Default: true
+##
+#hsts: true
+
+
+# -----------------------------
+#  Network (outbound)
+# -----------------------------
+
+##
+## Disable proxying server-wide. Can be disable as a whole, or
+## only for a single function.
+##
+## Accepted values: true, false, dash, livestreams, downloads, local
+## Default: false
+##
+#disable_proxy: false
+
+##
+## Size of the HTTP pool used to connect to youtube. Each
+## domain ('youtube.com', 'ytimg.com', ...) has its own pool.
+##
+## Accepted values: a positive integer
+## Default: 100
+##
+#pool_size: 100
+
+
+##
+## Additional cookies to be sent when requesting the youtube API.
+##
+## Accepted values: a string in the format "name1=value1; name2=value2..."
+## Default: <none>
+##
+#cookies:
+
+##
+## Force connection to youtube over a specific IP family.
+##
+## Note: This may sometimes resolve issues involving rate-limiting.
+## See https://github.com/ytdl-org/youtube-dl/issues/21729.
+##
+## Accepted values: ipv4, ipv6
+## Default: <none>
+##
+#force_resolve:
+
+##
+## Configuration for using a HTTP proxy
+##
+## If unset, then no HTTP proxy will be used.
+## 
+#http_proxy:
+#  user:
+#  password:
+#  host:
+#  port:
+
+
+##
+## Use Innertube's transcripts API instead of timedtext for closed captions
+##
+## Useful for larger instances as InnerTube is **not ratelimited**. See https://github.com/iv-org/invidious/issues/2567
+##
+## Subtitle experience may differ slightly on Invidious.
+##
+## Accepted values: true, false
+## Default: false
+##
+# use_innertube_for_captions: false
+
+##
+## Send Google session informations. This is useful when Invidious is blocked
+## by the message "This helps protect our community."
+## See https://github.com/iv-org/invidious/issues/4734.
+##
+## Warning: These strings gives much more identifiable information to Google!
+##
+## Accepted values: String
+## Default: <none>
+##
+po_token: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_PO_TOKEN'] }}
+visitor_data: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_VISITOR_DATA'] }}
+
+# -----------------------------
+#  Logging
+# -----------------------------
+
+##
+## Path to log file. Can be absolute or relative to the invidious
+## binary. This is overridden if "-o OUTPUT" or "--output=OUTPUT"
+## are passed on the command line.
+##
+## Accepted values: a filesystem path or 'STDOUT'
+## Default: STDOUT
+##
+#output: STDOUT
+
+##
+## Logging Verbosity. This is overridden if "-l LEVEL" or
+## "--log-level=LEVEL" are passed on the command line.
+##
+## Accepted values: All, Trace, Debug, Info, Warn, Error, Fatal, Off
+## Default: Info
+##
+#log_level: Info
+
+##
+## Enables colors in logs. Useful for debugging purposes
+## This is overridden if "-k" or "--colorize"
+## are passed on the command line.
+## Colors are also disabled if the environment variable
+## NO_COLOR is present and has any value
+##
+## Accepted values: true, false
+## Default: true
+##
+#colorize_logs: false
+
+# -----------------------------
+#  Features
+# -----------------------------
+
+##
+## Enable/Disable the "Popular" tab on the main page.
+##
+## Accepted values: true, false
+## Default: true
+##
+#popular_enabled: true
+
+##
+## Enable/Disable statstics (available at /api/v1/stats).
+## The following data is available:
+##   - Software name ("invidious") and version+branch (same data as
+##     displayed in the footer, e.g: "2021.05.13-75e5b49" / "master")
+##   - The value of the 'registration_enabled' config (true/false)
+##   - Number of currently registered users
+##   - Number of registered users who connected in the last month
+##   - Number of registered users who connected in the last 6 months
+##   - Timestamp of the last server restart
+##   - Timestamp of the last "Channel Refresh" job execution
+##
+## Warning: This setting MUST be set to true if you plan to run
+## a public instance. It is used by api.invidious.io to refresh
+## your instance's status.
+##
+## Accepted values: true, false
+## Default: false
+##
+#statistics_enabled: false
+
+
+# -----------------------------
+#  Users and accounts
+# -----------------------------
+
+##
+## Allow/Forbid Invidious (local) account creation. Invidious
+## accounts allow users to subscribe to channels and to create
+## playlists without a Google account.
+##
+## Accepted values: true, false
+## Default: true
+##
+#registration_enabled: true
+
+##
+## Allow/Forbid users to log-in.
+##
+## Accepted values: true, false
+## Default: true
+##
+#login_enabled: true
+
+##
+## Enable/Disable the captcha challenge on the login page.
+##
+## Note: this is a basic captcha challenge that doesn't
+## depend on any third parties.
+##
+## Accepted values: true, false
+## Default: true
+##
+#captcha_enabled: true
+
+##
+## List of usernames that will be granted administrator rights.
+## A user with administrator rights will be able to change the
+## server configuration options listed below in /preferences,
+## in addition to the usual user preferences.
+##
+## Server-wide settings:
+##   - popular_enabled
+##   - captcha_enabled
+##   - login_enabled
+##   - registration_enabled
+##   - statistics_enabled
+## Default user preferences:
+##   - default_home
+##   - feed_menu
+##
+## Accepted values: an array of strings
+## Default: [""]
+##
+#admins: [""]
+
+##
+## Enable/Disable the user notifications for all users
+##
+## Note: On large instances, it is recommended to set this option to 'false'
+## in order to reduce the amount of data written to the database, and hence
+## improve the overall performance of the instance.
+##
+## Accepted values: true, false
+## Default: true
+##
+#enable_user_notifications: true
+
+# -----------------------------
+#  Background jobs
+# -----------------------------
+
+##
+## Number of threads to use when crawling channel videos (during
+## subscriptions update).
+##
+## Notes: This setting is overridden if either "-c THREADS" or
+## "--channel-threads=THREADS" is passed on the command line.
+##
+## Accepted values: a positive integer
+## Default: 1
+##
+channel_threads: 1
+
+##
+## Time interval between two executions of the job that crawls
+## channel videos (subscriptions update).
+##
+## Accepted values: a valid time interval (like 1h30m or 90m)
+## Default: 30m
+##
+#channel_refresh_interval: 30m
+
+##
+## Forcefully dump and re-download the entire list of uploaded
+## videos when crawling channel (during subscriptions update).
+##
+## Accepted values: true, false
+## Default: false
+##
+full_refresh: false
+
+##
+## Number of threads to use when updating RSS feeds.
+##
+## Notes: This setting is overridden if either "-f THREADS" or
+## "--feed-threads=THREADS" is passed on the command line.
+##
+## Accepted values: a positive integer
+## Default: 1
+##
+feed_threads: 1
+
+
+jobs:
+
+  ## Options for the database cleaning job
+  clear_expired_items:
+
+    ## Enable/Disable job
+    ##
+    ## Accepted values: true, false
+    ## Default: true
+    ##
+    enable: true
+
+  ## Options for the channels updater job
+  refresh_channels:
+
+    ## Enable/Disable job
+    ##
+    ## Accepted values: true, false
+    ## Default: true
+    ##
+    enable: true
+
+  ## Options for the RSS feeds updater job
+  refresh_feeds:
+
+    ## Enable/Disable job
+    ##
+    ## Accepted values: true, false
+    ## Default: true
+    ##
+    enable: true
+
+
+# -----------------------------
+#  Miscellaneous
+# -----------------------------
+
+##
+## custom banner displayed at the top of every page. This can
+## used for instance announcements, e.g.
+##
+## Accepted values: any string. HTML is accepted.
+## Default: <none>
+##
+#banner:
+
+##
+## Subscribe to channels using PubSubHub (Google PubSubHubbub service).
+## PubSubHub allows Invidious to be instantly notified when a new video
+## is published on any subscribed channels. When PubSubHub is not used,
+## Invidious will check for new videos every minute.
+##
+## Note: This setting is recommended for public instances.
+##
+## Note 2:
+##  - Requires a public instance (it uses /feed/webhook/v1)
+##  - Requires 'domain' and 'hmac_key' to be set.
+##  - Setting this parameter to any number greater than zero will
+##    enable channel subscriptions via PubSubHub, but will limit the
+##    amount of concurrent subscriptions.
+##
+## Accepted values: true, false, a positive integer
+## Default: false
+##
+#use_pubsub_feeds: false
+
+##
+## HMAC signing key used for CSRF tokens, cookies and pubsub
+## subscriptions verification.
+##
+## Note: This parameter is mandatory and should be a random string.
+## Such random string can be generated on linux with the following
+## command: `pwgen 20 1`
+##
+## Accepted values: a string
+## Default: <none>
+##
+hmac_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_HMAC_KEY'] }}
+
+##
+## List of video IDs where the "download" widget must be
+## disabled, in order to comply with DMCA requests.
+##
+## Accepted values: an array of string
+## Default: <none>
+##
+#dmca_content:
+
+##
+## Cache video annotations in the database.
+##
+## Warning: empty annotations or annotations that only contain
+## cards won't be cached.
+##
+## Accepted values: true, false
+## Default: false
+##
+#cache_annotations: false
+
+##
+## Source code URL. If your instance is running a modified source
+## code, you MUST publish it somewhere and set this option.
+##
+## Accepted values: a string
+## Default: <none>
+##
+#modified_source_code_url: ""
+
+##
+## Maximum custom playlist length limit.
+##
+## Accepted values: Integer
+## Default: 500
+##
+#playlist_length_limit: 500
+
+#########################################
+#
+#  Default user preferences
+#
+#########################################
+
+##
+## NOTE: All the settings below define the default user
+## preferences. They will apply to ALL users connecting
+## without a preferences cookie (so either on the first
+## connection to the instance or after clearing the
+## browser's cookies).
+##
+
+default_user_preferences:
+
+  # -----------------------------
+  #  Internationalization
+  # -----------------------------
+
+  ##
+  ## Default user interface language (locale).
+  ##
+  ## Note: When hosting a public instance, overriding the
+  ## default (english) is not recommended, as it may
+  ## people using other languages.
+  ##
+  ## Accepted values:
+  ##   ar      (Arabic)
+  ##   da      (Danish)
+  ##   de      (German)
+  ##   en-US   (english, US)
+  ##   el      (Greek)
+  ##   eo      (Esperanto)
+  ##   es      (Spanish)
+  ##   fa      (Persian)
+  ##   fi      (Finnish)
+  ##   fr      (French)
+  ##   he      (Hebrew)
+  ##   hr      (Hungarian)
+  ##   id      (Indonesian)
+  ##   is      (Icelandic)
+  ##   it      (Italian)
+  ##   ja      (Japanese)
+  ##   nb-NO   (Norwegian, Bokmål)
+  ##   nl      (Dutch)
+  ##   pl      (Polish)
+  ##   pt-BR   (Portuguese, Brazil)
+  ##   pt-PT   (Portuguese, Portugal)
+  ##   ro      (Romanian)
+  ##   ru      (Russian)
+  ##   sv      (Swedish)
+  ##   tr      (Turkish)
+  ##   uk      (Ukrainian)
+  ##   zh-CN   (Chinese, China)  (a.k.a "Simplified Chinese")
+  ##   zh-TW   (Chinese, Taiwan) (a.k.a "Traditional Chinese")
+  ##
+  ## Default: en-US
+  ##
+  #locale: en-US
+
+  ##
+  ## Default geographical location for content.
+  ##
+  ## Accepted values:
+  ##   AE, AR, AT, AU, AZ, BA, BD, BE, BG, BH, BO, BR, BY, CA, CH, CL, CO, CR,
+  ##   CY, CZ, DE, DK, DO, DZ, EC, EE, EG, ES, FI, FR, GB, GE, GH, GR, GT, HK,
+  ##   HN, HR, HU, ID, IE, IL, IN, IQ, IS, IT, JM, JO, JP, KE, KR, KW, KZ, LB,
+  ##   LI, LK, LT, LU, LV, LY, MA, ME, MK, MT, MX, MY, NG, NI, NL, NO, NP, NZ,
+  ##   OM, PA, PE, PG, PH, PK, PL, PR, PT, PY, QA, RO, RS, RU, SA, SE, SG, SI,
+  ##   SK, SN, SV, TH, TN, TR, TW, TZ, UA, UG, US, UY, VE, VN, YE, ZA, ZW
+  ##
+  ## Default: US
+  ##
+  #region: US
+
+  ##
+  ## Top 3 preferred languages for video captions.
+  ##
+  ## Note: overriding the default (no preferred
+  ## caption language) is not recommended, in order
+  ## to not penalize people using other languages.
+  ##
+  ## Accepted values: a three-entries array.
+  ## Each entry can be one of:
+  ##   "English", "English (auto-generated)",
+  ##   "Afrikaans", "Albanian", "Amharic", "Arabic",
+  ##   "Armenian", "Azerbaijani", "Bangla", "Basque",
+  ##   "Belarusian", "Bosnian", "Bulgarian", "Burmese",
+  ##   "Catalan", "Cebuano", "Chinese (Simplified)",
+  ##   "Chinese (Traditional)", "Corsican", "Croatian",
+  ##   "Czech", "Danish", "Dutch", "Esperanto", "Estonian",
+  ##   "Filipino", "Finnish", "French", "Galician", "Georgian",
+  ##   "German", "Greek", "Gujarati", "Haitian Creole", "Hausa",
+  ##   "Hawaiian", "Hebrew", "Hindi", "Hmong", "Hungarian",
+  ##   "Icelandic", "Igbo", "Indonesian", "Irish", "Italian",
+  ##   "Japanese", "Javanese", "Kannada", "Kazakh", "Khmer",
+  ##   "Korean", "Kurdish", "Kyrgyz", "Lao", "Latin", "Latvian",
+  ##   "Lithuanian", "Luxembourgish", "Macedonian",
+  ##   "Malagasy", "Malay", "Malayalam", "Maltese", "Maori",
+  ##   "Marathi", "Mongolian", "Nepali", "Norwegian Bokmål",
+  ##   "Nyanja", "Pashto", "Persian", "Polish", "Portuguese",
+  ##   "Punjabi", "Romanian", "Russian", "Samoan",
+  ##   "Scottish Gaelic", "Serbian", "Shona", "Sindhi",
+  ##   "Sinhala", "Slovak", "Slovenian", "Somali",
+  ##   "Southern Sotho", "Spanish", "Spanish (Latin America)",
+  ##   "Sundanese",  "Swahili", "Swedish", "Tajik", "Tamil",
+  ##   "Telugu", "Thai", "Turkish", "Ukrainian", "Urdu",
+  ##   "Uzbek", "Vietnamese", "Welsh", "Western Frisian",
+  ##   "Xhosa", "Yiddish", "Yoruba", "Zulu"
+  ##
+  ## Default: ["", "", ""]
+  ##
+  #captions: ["", "", ""]
+
+
+  # -----------------------------
+  #  Interface
+  # -----------------------------
+
+  ##
+  ## Enable/Disable dark mode.
+  ##
+  ## Accepted values: "dark", "light", "auto"
+  ## Default: "auto"
+  ##
+  #dark_mode: "auto"
+
+  ##
+  ## Enable/Disable thin mode (no video thumbnails).
+  ##
+  ## Accepted values: true, false
+  ## Default: false
+  ##
+  #thin_mode: false
+
+  ##
+  ## List of feeds available on the home page.
+  ##
+  ## Note: "Subscriptions" and "Playlists" are only visible
+  ## when the user is logged in.
+  ##
+  ## Accepted values: A list of strings
+  ## Each entry can be one of: "Popular", "Trending",
+  ##    "Subscriptions", "Playlists"
+  ##
+  ## Default: ["Popular", "Trending", "Subscriptions", "Playlists"]  (show all feeds)
+  ##
+  #feed_menu: ["Popular", "Trending", "Subscriptions", "Playlists"]
+
+  ##
+  ## Default feed to display on the home page.
+  ##
+  ## Note: setting this option to "Popular" has no
+  ## effect when 'popular_enabled' is set to false.
+  ##
+  ## Accepted values: Popular, Trending, Subscriptions, Playlists, <none>
+  ## Default: Popular
+  ##
+  #default_home: Popular
+
+  ##
+  ## Default number of results to display per page.
+  ##
+  ## Note: this affects invidious-generated pages only, such
+  ## as watch history and subscription feeds. Playlists, search
+  ## results and channel videos depend on the data returned by
+  ## the Youtube API.
+  ##
+  ## Accepted values: any positive integer
+  ## Default: 40
+  ##
+  #max_results: 40
+
+  ##
+  ## Show/hide annotations.
+  ##
+  ## Accepted values: true, false
+  ## Default: false
+  ##
+  #annotations: false
+
+  ##
+  ## Show/hide annotation.
+  ##
+  ## Accepted values: true, false
+  ## Default: false
+  ##
+  #annotations_subscribed: false
+
+  ##
+  ## Type of comments to display below video.
+  ##
+  ## Accepted values: a two-entries array.
+  ## Each entry can be one of: "youtube", "reddit", ""
+  ##
+  ## Default: ["youtube", ""]
+  ##
+  #comments: ["youtube", ""]
+
+  ##
+  ## Default player style.
+  ##
+  ## Accepted values: invidious, youtube
+  ## Default: invidious
+  ##
+  #player_style: invidious
+
+  ##
+  ## Show/Hide the "related videos" sidebar when
+  ## watching a video.
+  ##
+  ## Accepted values: true, false
+  ## Default: true
+  ##
+  #related_videos: true
+
+
+  # -----------------------------
+  #  Video player behavior
+  # -----------------------------
+
+  ##
+  ## This option controls the value of the HTML5 <video> element's
+  ## "preload" attribute.
+  ##
+  ## If set to 'false', no video data will be loaded until the user
+  ## explicitly starts the video by clicking the "Play" button.
+  ## If set to 'true', the web browser will buffer some video data
+  ## while the page is loading.
+  ##
+  ## See: https://www.w3schools.com/tags/att_video_preload.asp
+  ##
+  ## Accepted values: true, false
+  ## Default: true
+  ##
+  #preload: true
+
+  ##
+  ## Automatically play videos on page load.
+  ##
+  ## Accepted values: true, false
+  ## Default: false
+  ##
+  #autoplay: false
+
+  ##
+  ## Automatically load the "next" video (either next in
+  ## playlist or proposed) when the current video ends.
+  ##
+  ## Accepted values: true, false
+  ## Default: false
+  ##
+  #continue: false
+
+  ##
+  ## Autoplay next video by default.
+  ##
+  ## Note: Only effective if 'continue' is set to true.
+  ##
+  ## Accepted values: true, false
+  ## Default: true
+  ##
+  #continue_autoplay: true
+
+  ##
+  ## Play videos in Audio-only mode by default.
+  ##
+  ## Accepted values: true, false
+  ## Default: false
+  ##
+  #listen: false
+
+  ##
+  ## Loop videos automatically.
+  ##
+  ## Accepted values: true, false
+  ## Default: false
+  ##
+  #video_loop: false
+
+
+  # -----------------------------
+  #  Video playback settings
+  # -----------------------------
+
+  ##
+  ## Default video quality.
+  ##
+  ## Accepted values: dash, hd720, medium, small
+  ## Default: hd720
+  ##
+  #quality: hd720
+
+  ##
+  ## Default dash video quality.
+  ##
+  ## Note: this setting only takes effet if the
+  ## 'quality' parameter is set to "dash".
+  ##
+  ## Accepted values:
+  ##    auto, best, 4320p, 2160p, 1440p, 1080p,
+  ##    720p, 480p, 360p, 240p, 144p, worst
+  ## Default: auto
+  ##
+  #quality_dash: auto
+
+  ##
+  ## Default video playback speed.
+  ##
+  ## Accepted values: 0.25, 0.5, 0.75, 1.0, 1.25, 1.5, 1.75, 2.0
+  ## Default: 1.0
+  ##
+  #speed: 1.0
+
+  ##
+  ## Default volume.
+  ##
+  ## Accepted values: 0-100
+  ## Default: 100
+  ##
+  #volume: 100
+
+  ##
+  ## Allow 360° videos to be played.
+  ##
+  ## Note: This feature requires a WebGL-enabled browser.
+  ##
+  ## Accepted values: true, false
+  ## Default: true
+  ##
+  #vr_mode: true
+  
+  ##
+  ## Save the playback position
+  ## Allow to continue watching at the previous position when
+  ## watching the same video.
+  ##
+  ## Accepted values: true, false
+  ## Default: false
+  ##
+  #save_player_pos: false
+
+  # -----------------------------
+  #  Subscription feed
+  # -----------------------------
+
+  ##
+  ## In the "Subscription" feed, only show the latest video
+  ## of each channel the user is subscribed to.
+  ##
+  ## Note: when combined with 'unseen_only', the latest unseen
+  ## video of each channel will be displayed instead of the
+  ## latest by date.
+  ##
+  ## Accepted values: true, false
+  ## Default: false
+  ##
+  #latest_only: false
+
+  ##
+  ## Enable/Disable user subscriptions desktop notifications.
+  ##
+  ## Accepted values: true, false
+  ## Default: false
+  ##
+  #notifications_only: false
+
+  ##
+  ## In the "Subscription" feed, Only show the videos that the
+  ## user haven't watched yet (i.e which are not in their watch
+  ## history).
+  ##
+  ## Accepted values: true, false
+  ## Default: false
+  ##
+  #unseen_only: false
+
+  ##
+  ## Default sorting parameter for subscription feeds.
+  ##
+  ## Accepted values:
+  ##   'alphabetically'
+  ##   'alphabetically - reverse'
+  ##   'channel name'
+  ##   'channel name - reverse'
+  ##   'published'
+  ##   'published - reverse'
+  ##
+  ## Default: published
+  ##
+  #sort: published
+
+
+  # -----------------------------
+  #  Miscellaneous
+  # -----------------------------
+
+  ##
+  ## Proxy videos through instance by default.
+  ##
+  ## Warning: As most users won't change this setting in their
+  ## preferences, defaulting  to true will significantly
+  ## increase the instance's network usage, so make sure that
+  ## your server's connection can handle it.
+  ##
+  ## Accepted values: true, false
+  ## Default: false
+  ##
+  #local: false
+
+  ##
+  ## Show the connected user's nick at the top right.
+  ##
+  ## Accepted values: true, false
+  ## Default: true
+  ##
+  #show_nick: true
+
+  ##
+  ## Automatically redirect to a random instance when the user uses
+  ## any "switch invidious instance" link (For videos, it's the plane
+  ## icon, next to "watch on youtube" and "listen"). When set to false,
+  ## the user is sent to https://redirect.invidious.io instead, where
+  ## they can manually select an instance.
+  ##
+  ## Accepted values: true, false
+  ## Default: false
+  ##
+  #automatic_instance_redirect: false
+
+  ##
+  ## Show the entire video description by default (when set to 'false',
+  ## only the first few lines of the description are shown and a
+  ## "show more" button allows to expand it).
+  ##
+  ## Accepted values: true, false
+  ## Default: false
+  ##
+  #extend_desc: false
@@ -0,0 +1,52 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+# IN application vars
+IN_APP_URL=https://biz.trez.wtf
+IN_APP_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['IN_APP_KEY'] }}
+IN_APP_DEBUG=true
+IN_REQUIRE_HTTPS=false
+IN_PHANTOMJS_PDF_GENERATION=false
+IN_PDF_GENERATOR=snappdf
+IN_TRUSTED_PROXIES='*'
+
+
+IN_QUEUE_CONNECTION=database
+
+# DB connection
+IN_DB_HOST=mariadb
+IN_DB_PORT=3306
+IN_DB_DATABASE=invoice_ninja
+IN_DB_USERNAME=ininja
+IN_DB_PASSWORD={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['IN_MYSQL_PASSWORD'] }}
+
+# Create initial user
+# Default to these values if empty
+# IN_USER_EMAIL=admin@example.com
+# IN_PASSWORD=changeme!
+IN_USER_EMAIL=
+IN_PASSWORD=
+
+# Mail options
+IN_MAIL_MAILER=log
+IN_MAIL_HOST=postal-smtp
+IN_MAIL_PORT=25
+IN_MAIL_USERNAME={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}
+IN_MAIL_PASSWORD={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}
+IN_MAIL_ENCRYPTION=null
+IN_MAIL_FROM_ADDRESS='noreply@trez.wtf'
+IN_MAIL_FROM_NAME='Treasured IT'
+
+# MySQL
+IN_MYSQL_ROOT_PASSWORD=ninjaAdm1nPassword
+IN_MYSQL_USER=ninja
+IN_MYSQL_PASSWORD=ninja
+IN_MYSQL_DATABASE=ninja
+
+# GoCardless/Nordigen API key for banking integration
+NORDIGEN_SECRET_ID=
+NORDIGEN_SECRET_KEY=
+
+# V4 env vars
+# DB_STRICT=false
+# APP_CIPHER=AES-256-CBC
@@ -0,0 +1,52 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+# IN application vars
+IN_APP_URL=https://biz.trez.wtf
+IN_APP_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['IN_APP_KEY'] }}
+IN_APP_DEBUG=true
+IN_REQUIRE_HTTPS=false
+IN_PHANTOMJS_PDF_GENERATION=false
+IN_PDF_GENERATOR=snappdf
+IN_TRUSTED_PROXIES='*'
+
+
+IN_QUEUE_CONNECTION=database
+
+# DB connection
+IN_DB_HOST=mariadb
+IN_DB_PORT=3306
+IN_DB_DATABASE=invoice_ninja
+IN_DB_USERNAME=ininja
+IN_DB_PASSWORD={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['IN_MYSQL_PASSWORD'] }}
+
+# Create initial user
+# Default to these values if empty
+# IN_USER_EMAIL=admin@example.com
+# IN_PASSWORD=changeme!
+IN_USER_EMAIL=
+IN_PASSWORD=
+
+# Mail options
+IN_MAIL_MAILER=log
+IN_MAIL_HOST=postal-smtp
+IN_MAIL_PORT=25
+IN_MAIL_USERNAME={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}
+IN_MAIL_PASSWORD={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}
+IN_MAIL_ENCRYPTION=null
+IN_MAIL_FROM_ADDRESS='noreply@trez.wtf'
+IN_MAIL_FROM_NAME='Treasured IT'
+
+# MySQL
+IN_MYSQL_ROOT_PASSWORD=ninjaAdm1nPassword
+IN_MYSQL_USER=ninja
+IN_MYSQL_PASSWORD=ninja
+IN_MYSQL_DATABASE=ninja
+
+# GoCardless/Nordigen API key for banking integration
+NORDIGEN_SECRET_ID=
+NORDIGEN_SECRET_KEY=
+
+# V4 env vars
+# DB_STRICT=false
+# APP_CIPHER=AES-256-CBC
@@ -0,0 +1,550 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+#=====================================================================#
+#                       LibreChat Configuration                       #
+#=====================================================================#
+# Please refer to the reference documentation for assistance          #
+# with configuring your LibreChat environment.                        #
+#                                                                     #
+# https://www.librechat.ai/docs/configuration/dotenv                  #
+#=====================================================================#
+
+#==================================================#
+#               Server Configuration               #
+#==================================================#
+
+HOST=localhost
+PORT=3080
+
+MONGO_URI=mongodb://librechat:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_MONGODB_PASSWORD'] }}@mongodb:27017/librechat?replicaSet=rinoa
+
+DOMAIN_CLIENT=https://ai.trez.wtf
+DOMAIN_SERVER=https://ai.trez.wtf
+
+NO_INDEX=true
+# Use the address that is at most n number of hops away from the Express application.
+# req.socket.remoteAddress is the first hop, and the rest are looked for in the X-Forwarded-For header from right to left.
+# A value of 0 means that the first untrusted address would be req.socket.remoteAddress, i.e. there is no reverse proxy.
+# Defaulted to 1.
+TRUST_PROXY=1
+
+#===============#
+# JSON Logging  #
+#===============#
+
+# Use when process console logs in cloud deployment like GCP/AWS
+CONSOLE_JSON=true
+
+#===============#
+# Debug Logging #
+#===============#
+
+DEBUG_LOGGING=true
+DEBUG_CONSOLE=false
+
+#=============#
+# Permissions #
+#=============#
+
+# UID=1000
+# GID=1000
+
+#===============#
+# Configuration #
+#===============#
+# Use an absolute path, a relative path, or a URL
+
+# CONFIG_PATH="/alternative/path/to/librechat.yaml"
+
+#===================================================#
+#                     Endpoints                     #
+#===================================================#
+
+# ENDPOINTS=openAI,assistants,azureOpenAI,google,gptPlugins,anthropic
+
+PROXY=
+
+#===================================#
+# Known Endpoints - librechat.yaml  #
+#===================================#
+# https://www.librechat.ai/docs/configuration/librechat_yaml/ai_endpoints
+
+# ANYSCALE_API_KEY=
+# APIPIE_API_KEY=
+# COHERE_API_KEY=
+DEEPSEEK_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_DEEPSEEK_API_KEY'] }}
+# DATABRICKS_API_KEY=
+# FIREWORKS_API_KEY=
+# GROQ_API_KEY=
+# HUGGINGFACE_TOKEN=
+MISTRAL_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_MISTRAL_API_KEY'] }}
+# OPENROUTER_KEY=
+# PERPLEXITY_API_KEY=
+# SHUTTLEAI_API_KEY=
+# TOGETHERAI_API_KEY=
+# UNIFY_API_KEY=
+# XAI_API_KEY=
+
+#============#
+# Anthropic  #
+#============#
+
+ANTHROPIC_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_ANTHROPIC_API_KEY'] }}
+ANTHROPIC_MODELS=claude-3-7-sonnet-latest,claude-3-7-sonnet-20250219,claude-3-5-haiku-20241022,claude-3-5-sonnet-20241022,claude-3-5-sonnet-latest,claude-3-5-sonnet-20240620,claude-3-opus-20240229,claude-3-sonnet-20240229,claude-3-haiku-20240307,claude-2.1,claude-2,claude-1.2,claude-1,claude-1-100k,claude-instant-1,claude-instant-1-100k
+# ANTHROPIC_REVERSE_PROXY=
+
+#============#
+# Azure      #
+#============#
+
+# Note: these variables are DEPRECATED
+# Use the `librechat.yaml` configuration for `azureOpenAI` instead
+# You may also continue to use them if you opt out of using the `librechat.yaml` configuration
+
+# AZURE_OPENAI_DEFAULT_MODEL=gpt-3.5-turbo # Deprecated
+# AZURE_OPENAI_MODELS=gpt-3.5-turbo,gpt-4 # Deprecated
+# AZURE_USE_MODEL_AS_DEPLOYMENT_NAME=TRUE # Deprecated
+# AZURE_API_KEY= # Deprecated
+# AZURE_OPENAI_API_INSTANCE_NAME= # Deprecated
+# AZURE_OPENAI_API_DEPLOYMENT_NAME= # Deprecated
+# AZURE_OPENAI_API_VERSION= # Deprecated
+# AZURE_OPENAI_API_COMPLETIONS_DEPLOYMENT_NAME= # Deprecated
+# AZURE_OPENAI_API_EMBEDDINGS_DEPLOYMENT_NAME= # Deprecated
+# PLUGINS_USE_AZURE="true" # Deprecated
+
+#=================#
+#   AWS Bedrock   #
+#=================#
+
+# BEDROCK_AWS_DEFAULT_REGION=us-east-1 # A default region must be provided
+# BEDROCK_AWS_ACCESS_KEY_ID=someAccessKey
+# BEDROCK_AWS_SECRET_ACCESS_KEY=someSecretAccessKey
+# BEDROCK_AWS_SESSION_TOKEN=someSessionToken
+
+# Note: This example list is not meant to be exhaustive. If omitted, all known, supported model IDs will be included for you.
+# BEDROCK_AWS_MODELS=anthropic.claude-3-5-sonnet-20240620-v1:0,meta.llama3-1-8b-instruct-v1:0
+
+# See all Bedrock model IDs here: https://docs.aws.amazon.com/bedrock/latest/userguide/model-ids.html#model-ids-arns
+
+# Notes on specific models:
+# The following models are not support due to not supporting streaming:
+# ai21.j2-mid-v1
+
+# The following models are not support due to not supporting conversation history:
+# ai21.j2-ultra-v1, cohere.command-text-v14, cohere.command-light-text-v14
+
+#============#
+# Google     #
+#============#
+
+{# GOOGLE_KEY=user_provided #}
+
+# GOOGLE_REVERSE_PROXY=
+# Some reverse proxies do not support the X-goog-api-key header, uncomment to pass the API key in Authorization header instead.
+# GOOGLE_AUTH_HEADER=true
+
+# Gemini API (AI Studio)
+# GOOGLE_MODELS=gemini-2.0-flash-exp,gemini-2.0-flash-thinking-exp-1219,gemini-exp-1121,gemini-exp-1114,gemini-1.5-flash-latest,gemini-1.0-pro,gemini-1.0-pro-001,gemini-1.0-pro-latest,gemini-1.0-pro-vision-latest,gemini-1.5-pro-latest,gemini-pro,gemini-pro-vision
+
+# Vertex AI
+# GOOGLE_MODELS=gemini-1.5-flash-preview-0514,gemini-1.5-pro-preview-0514,gemini-1.0-pro-vision-001,gemini-1.0-pro-002,gemini-1.0-pro-001,gemini-pro-vision,gemini-1.0-pro
+
+# GOOGLE_TITLE_MODEL=gemini-pro
+
+# GOOGLE_LOC=us-central1
+
+# Google Safety Settings
+# NOTE: These settings apply to both Vertex AI and Gemini API (AI Studio)
+#
+# For Vertex AI:
+# To use the BLOCK_NONE setting, you need either:
+# (a) Access through an allowlist via your Google account team, or
+# (b) Switch to monthly invoiced billing: https://cloud.google.com/billing/docs/how-to/invoiced-billing
+#
+# For Gemini API (AI Studio):
+# BLOCK_NONE is available by default, no special account requirements.
+#
+# Available options: BLOCK_NONE, BLOCK_ONLY_HIGH, BLOCK_MEDIUM_AND_ABOVE, BLOCK_LOW_AND_ABOVE
+#
+# GOOGLE_SAFETY_SEXUALLY_EXPLICIT=BLOCK_ONLY_HIGH
+# GOOGLE_SAFETY_HATE_SPEECH=BLOCK_ONLY_HIGH
+# GOOGLE_SAFETY_HARASSMENT=BLOCK_ONLY_HIGH
+# GOOGLE_SAFETY_DANGEROUS_CONTENT=BLOCK_ONLY_HIGH
+# GOOGLE_SAFETY_CIVIC_INTEGRITY=BLOCK_ONLY_HIGH
+
+#============#
+# OpenAI     #
+#============#
+
+OPENAI_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_OPENAI_API_KEY'] }}
+OPENAI_MODELS=o1,o1-mini,o1-preview,gpt-4o,chatgpt-4o-latest,gpt-4o-mini,gpt-3.5-turbo-0125,gpt-3.5-turbo-0301,gpt-3.5-turbo,gpt-4,gpt-4-0613,gpt-4-vision-preview,gpt-3.5-turbo-0613,gpt-3.5-turbo-16k-0613,gpt-4-0125-preview,gpt-4-turbo-preview,gpt-4-1106-preview,gpt-3.5-turbo-1106,gpt-3.5-turbo-instruct,gpt-3.5-turbo-instruct-0914,gpt-3.5-turbo-16k
+
+DEBUG_OPENAI=false
+
+# TITLE_CONVO=false
+# OPENAI_TITLE_MODEL=gpt-4o-mini
+
+# OPENAI_SUMMARIZE=true
+# OPENAI_SUMMARY_MODEL=gpt-4o-mini
+
+# OPENAI_FORCE_PROMPT=true
+
+# OPENAI_REVERSE_PROXY=
+
+# OPENAI_ORGANIZATION=
+
+#====================#
+#   Assistants API   #
+#====================#
+
+# ASSISTANTS_API_KEY=user_provided
+# ASSISTANTS_BASE_URL=
+# ASSISTANTS_MODELS=gpt-4o,gpt-4o-mini,gpt-3.5-turbo-0125,gpt-3.5-turbo-16k-0613,gpt-3.5-turbo-16k,gpt-3.5-turbo,gpt-4,gpt-4-0314,gpt-4-32k-0314,gpt-4-0613,gpt-3.5-turbo-0613,gpt-3.5-turbo-1106,gpt-4-0125-preview,gpt-4-turbo-preview,gpt-4-1106-preview
+
+#==========================#
+#   Azure Assistants API   #
+#==========================#
+
+# Note: You should map your credentials with custom variables according to your Azure OpenAI Configuration
+# The models for Azure Assistants are also determined by your Azure OpenAI configuration.
+
+# More info, including how to enable use of Assistants with Azure here:
+# https://www.librechat.ai/docs/configuration/librechat_yaml/ai_endpoints/azure#using-assistants-with-azure
+
+#============#
+# OpenRouter #
+#============#
+# !!!Warning: Use the variable above instead of this one. Using this one will override the OpenAI endpoint
+# OPENROUTER_API_KEY=
+
+#============#
+# Plugins    #
+#============#
+
+# PLUGIN_MODELS=gpt-4o,gpt-4o-mini,gpt-4,gpt-4-turbo-preview,gpt-4-0125-preview,gpt-4-1106-preview,gpt-4-0613,gpt-3.5-turbo,gpt-3.5-turbo-0125,gpt-3.5-turbo-1106,gpt-3.5-turbo-0613
+
+# DEBUG_PLUGINS=
+
+CREDS_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_CREDS_KEY'] }}
+CREDS_IV={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_CREDS_IV'] }}
+
+# Azure AI Search
+#-----------------
+# AZURE_AI_SEARCH_SERVICE_ENDPOINT=
+# AZURE_AI_SEARCH_INDEX_NAME=
+# AZURE_AI_SEARCH_API_KEY=
+
+# AZURE_AI_SEARCH_API_VERSION=
+# AZURE_AI_SEARCH_SEARCH_OPTION_QUERY_TYPE=
+# AZURE_AI_SEARCH_SEARCH_OPTION_TOP=
+# AZURE_AI_SEARCH_SEARCH_OPTION_SELECT=
+
+# DALL·E
+#----------------
+# DALLE_API_KEY=
+# DALLE3_API_KEY=
+# DALLE2_API_KEY=
+# DALLE3_SYSTEM_PROMPT=
+# DALLE2_SYSTEM_PROMPT=
+# DALLE_REVERSE_PROXY=
+# DALLE3_BASEURL=
+# DALLE2_BASEURL=
+
+# DALL·E (via Azure OpenAI)
+# Note: requires some of the variables above to be set
+#----------------
+# DALLE3_AZURE_API_VERSION=
+# DALLE2_AZURE_API_VERSION=
+
+
+# Google
+#-----------------
+GOOGLE_SEARCH_API_KEY=
+GOOGLE_CSE_ID=
+
+# YOUTUBE
+#-----------------
+YOUTUBE_API_KEY=
+
+# SerpAPI
+#-----------------
+SERPAPI_API_KEY=
+
+# Stable Diffusion
+#-----------------
+SD_WEBUI_URL=http://stable-diffusion-webui:7860
+
+# Tavily
+#-----------------
+TAVILY_API_KEY=
+
+# Traversaal
+#-----------------
+TRAVERSAAL_API_KEY=
+
+# WolframAlpha
+#-----------------
+WOLFRAM_APP_ID=
+
+# Zapier
+#-----------------
+ZAPIER_NLA_API_KEY=
+
+#==================================================#
+#                      Search                      #
+#==================================================#
+
+SEARCH=true
+MEILI_NO_ANALYTICS=true
+MEILI_HOST=http://meilisearch:7700
+MEILI_MASTER_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MEILISEARCH_MASTER_KEY'] }}
+
+# Optional: Disable indexing, useful in a multi-node setup
+# where only one instance should perform an index sync.
+# MEILI_NO_SYNC=true
+
+#==================================================#
+#          Speech to Text & Text to Speech         #
+#==================================================#
+
+STT_API_KEY=
+TTS_API_KEY=
+
+#==================================================#
+#                        RAG                       #
+#==================================================#
+# More info: https://www.librechat.ai/docs/configuration/rag_api
+
+# RAG_OPENAI_BASEURL=
+# RAG_OPENAI_API_KEY=
+# RAG_USE_FULL_CONTEXT=
+# EMBEDDINGS_PROVIDER=openai
+# EMBEDDINGS_MODEL=text-embedding-3-small
+
+#===================================================#
+#                    User System                    #
+#===================================================#
+
+#========================#
+# Moderation             #
+#========================#
+
+OPENAI_MODERATION=false
+OPENAI_MODERATION_API_KEY=
+# OPENAI_MODERATION_REVERSE_PROXY=
+
+BAN_VIOLATIONS=true
+BAN_DURATION=1000 * 60 * 60 * 2
+BAN_INTERVAL=20
+
+LOGIN_VIOLATION_SCORE=1
+REGISTRATION_VIOLATION_SCORE=1
+CONCURRENT_VIOLATION_SCORE=1
+MESSAGE_VIOLATION_SCORE=1
+NON_BROWSER_VIOLATION_SCORE=20
+
+LOGIN_MAX=7
+LOGIN_WINDOW=5
+REGISTER_MAX=5
+REGISTER_WINDOW=60
+
+LIMIT_CONCURRENT_MESSAGES=true
+CONCURRENT_MESSAGE_MAX=2
+
+LIMIT_MESSAGE_IP=true
+MESSAGE_IP_MAX=40
+MESSAGE_IP_WINDOW=1
+
+LIMIT_MESSAGE_USER=false
+MESSAGE_USER_MAX=40
+MESSAGE_USER_WINDOW=1
+
+ILLEGAL_MODEL_REQ_SCORE=5
+
+#========================#
+# Balance                #
+#========================#
+
+CHECK_BALANCE=false
+# START_BALANCE=20000 # note: the number of tokens that will be credited after registration.
+
+#========================#
+# Registration and Login #
+#========================#
+
+ALLOW_EMAIL_LOGIN=true
+ALLOW_REGISTRATION=true
+ALLOW_SOCIAL_LOGIN=false
+ALLOW_SOCIAL_REGISTRATION=false
+ALLOW_PASSWORD_RESET=false
+# ALLOW_ACCOUNT_DELETION=true # note: enabled by default if omitted/commented out
+ALLOW_UNVERIFIED_EMAIL_LOGIN=true
+
+SESSION_EXPIRY=1000 * 60 * 15
+REFRESH_TOKEN_EXPIRY=(1000 * 60 * 60 * 24) * 7
+
+JWT_SECRET={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_JWT_SECRET'] }}
+JWT_REFRESH_SECRET={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_JWT_REFRESH_SECRET'] }}
+
+
+# Discord
+DISCORD_CLIENT_ID=
+DISCORD_CLIENT_SECRET=
+DISCORD_CALLBACK_URL=/oauth/discord/callback
+
+# Facebook
+FACEBOOK_CLIENT_ID=
+FACEBOOK_CLIENT_SECRET=
+FACEBOOK_CALLBACK_URL=/oauth/facebook/callback
+
+# GitHub
+GITHUB_CLIENT_ID=
+GITHUB_CLIENT_SECRET=
+GITHUB_CALLBACK_URL=/oauth/github/callback
+# GitHub Enterprise
+# GITHUB_ENTERPRISE_BASE_URL=
+# GITHUB_ENTERPRISE_USER_AGENT=
+
+# Google
+GOOGLE_CLIENT_ID=
+GOOGLE_CLIENT_SECRET=
+GOOGLE_CALLBACK_URL=/oauth/google/callback
+
+# Apple
+APPLE_CLIENT_ID=
+APPLE_TEAM_ID=
+APPLE_KEY_ID=
+APPLE_PRIVATE_KEY_PATH=
+APPLE_CALLBACK_URL=/oauth/apple/callback
+
+# OpenID
+OPENID_CLIENT_ID=
+OPENID_CLIENT_SECRET=
+OPENID_ISSUER=
+OPENID_SESSION_SECRET=
+OPENID_SCOPE="openid profile email"
+OPENID_CALLBACK_URL=/oauth/openid/callback
+OPENID_REQUIRED_ROLE=
+OPENID_REQUIRED_ROLE_TOKEN_KIND=
+OPENID_REQUIRED_ROLE_PARAMETER_PATH=
+# Set to determine which user info property returned from OpenID Provider to store as the User's username
+OPENID_USERNAME_CLAIM=
+# Set to determine which user info property returned from OpenID Provider to store as the User's name
+OPENID_NAME_CLAIM=
+
+OPENID_BUTTON_LABEL=
+OPENID_IMAGE_URL=
+
+# LDAP
+# LDAP_URL=
+# LDAP_BIND_DN=
+# LDAP_BIND_CREDENTIALS=
+# LDAP_USER_SEARCH_BASE=
+# LDAP_SEARCH_FILTER=mail=
+# LDAP_CA_CERT_PATH=
+# LDAP_TLS_REJECT_UNAUTHORIZED=
+# LDAP_LOGIN_USES_USERNAME=true
+# LDAP_ID=
+# LDAP_USERNAME=
+# LDAP_EMAIL=
+# LDAP_FULL_NAME=
+
+#========================#
+# Email Password Reset   #
+#========================#
+
+EMAIL_SERVICE=
+EMAIL_HOST=postal-smtp
+EMAIL_PORT=25
+EMAIL_ENCRYPTION=
+EMAIL_ENCRYPTION_HOSTNAME=
+EMAIL_ALLOW_SELFSIGNED=
+EMAIL_USERNAME=
+EMAIL_PASSWORD=
+EMAIL_FROM_NAME=
+EMAIL_FROM=noreply@librechat.ai
+
+#========================#
+# Firebase CDN           #
+#========================#
+
+# FIREBASE_API_KEY=
+# FIREBASE_AUTH_DOMAIN=
+# FIREBASE_PROJECT_ID=
+# FIREBASE_STORAGE_BUCKET=
+# FIREBASE_MESSAGING_SENDER_ID=
+# FIREBASE_APP_ID=
+
+#========================#
+# Shared Links           #
+#========================#
+
+ALLOW_SHARED_LINKS=true
+ALLOW_SHARED_LINKS_PUBLIC=true
+
+#==============================#
+# Static File Cache Control    #
+#==============================#
+
+# Leave commented out to use defaults: 1 day (86400 seconds) for s-maxage and 2 days (172800 seconds) for max-age
+# NODE_ENV must be set to production for these to take effect
+# STATIC_CACHE_MAX_AGE=172800
+# STATIC_CACHE_S_MAX_AGE=86400
+
+# If you have another service in front of your LibreChat doing compression, disable express based compression here
+# DISABLE_COMPRESSION=true
+
+#===================================================#
+#                        UI                         #
+#===================================================#
+
+APP_TITLE=LibreChat
+# CUSTOM_FOOTER="My custom footer"
+HELP_AND_FAQ_URL=https://librechat.ai
+
+# SHOW_BIRTHDAY_ICON=true
+
+# Google tag manager id
+#ANALYTICS_GTM_ID=user provided google tag manager id
+
+#===============#
+# REDIS Options #
+#===============#
+
+REDIS_URI=redis:6379
+USE_REDIS=true
+
+# USE_REDIS_CLUSTER=true
+# REDIS_CA=/path/to/ca.crt
+
+#==================================================#
+#                      Others                      #
+#==================================================#
+#   You should leave the following commented out   #
+
+# NODE_ENV=
+
+# E2E_USER_EMAIL=
+# E2E_USER_PASSWORD=
+
+#=====================================================#
+#                  Cache Headers                      #
+#=====================================================#
+#   Headers that control caching of the index.html    #
+#   Default configuration prevents caching to ensure  #
+#   users always get the latest version. Customize    #
+#   only if you understand caching implications.      #
+
+# INDEX_HTML_CACHE_CONTROL=no-cache, no-store, must-revalidate
+# INDEX_HTML_PRAGMA=no-cache
+# INDEX_HTML_EXPIRES=0
+
+# no-cache: Forces validation with server before using cached version
+# no-store: Prevents storing the response entirely
+# must-revalidate: Prevents using stale content when offline
+
+#=====================================================#
+#                  OpenWeather                        #
+#=====================================================#
+OPENWEATHER_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['HOMEPAGE_OPENWEATHERMAP_API_KEY'] }}
@@ -0,0 +1,33 @@
+version: 1.0.0
+endpoints:
+  custom:
+    - name: "ollama"
+      apiKey: "ollama"
+      baseURL: "http://ollama:11434/v1/chat/completions"
+      models:
+        default: [
+          "deepseek-r1:1.5b",
+          "deepseek-coder-v2:16b",
+          "deepseek-v3:671b",
+          "llama3.3:70b",
+          "phi4:14b",
+          "qwen2.5",
+          "llama2:7b",
+          "mistral:7b",
+          "codellama:7b",
+          "tinyllama:1.1b",
+          "starcoder2:3b",
+          "dolphin-mistral:7b",
+          "smollm2:1.7b",
+          "orca-mini:3b",
+          "mistral-openorca:7b"
+        ]
+# fetching list of models is supported but the `name` field must start
+# with `ollama` (case-insensitive), as it does in this example.
+        fetch: true
+      titleConvo: true
+      titleModel: "current_model"
+      summarize: false
+      summaryModel: "current_model"
+      forcePrompt: false
+      modelDisplayLabel: "Ollama"
@@ -0,0 +1,550 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+#=====================================================================#
+#                       LibreChat Configuration                       #
+#=====================================================================#
+# Please refer to the reference documentation for assistance          #
+# with configuring your LibreChat environment.                        #
+#                                                                     #
+# https://www.librechat.ai/docs/configuration/dotenv                  #
+#=====================================================================#
+
+#==================================================#
+#               Server Configuration               #
+#==================================================#
+
+HOST=localhost
+PORT=3080
+
+MONGO_URI=mongodb://librechat:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_MONGODB_PASSWORD'] }}@mongodb:27017/librechat?replicaSet=rinoa
+
+DOMAIN_CLIENT=https://ai.trez.wtf
+DOMAIN_SERVER=https://ai.trez.wtf
+
+NO_INDEX=true
+# Use the address that is at most n number of hops away from the Express application.
+# req.socket.remoteAddress is the first hop, and the rest are looked for in the X-Forwarded-For header from right to left.
+# A value of 0 means that the first untrusted address would be req.socket.remoteAddress, i.e. there is no reverse proxy.
+# Defaulted to 1.
+TRUST_PROXY=1
+
+#===============#
+# JSON Logging  #
+#===============#
+
+# Use when process console logs in cloud deployment like GCP/AWS
+CONSOLE_JSON=true
+
+#===============#
+# Debug Logging #
+#===============#
+
+DEBUG_LOGGING=true
+DEBUG_CONSOLE=false
+
+#=============#
+# Permissions #
+#=============#
+
+# UID=1000
+# GID=1000
+
+#===============#
+# Configuration #
+#===============#
+# Use an absolute path, a relative path, or a URL
+
+# CONFIG_PATH="/alternative/path/to/librechat.yaml"
+
+#===================================================#
+#                     Endpoints                     #
+#===================================================#
+
+# ENDPOINTS=openAI,assistants,azureOpenAI,google,gptPlugins,anthropic
+
+PROXY=
+
+#===================================#
+# Known Endpoints - librechat.yaml  #
+#===================================#
+# https://www.librechat.ai/docs/configuration/librechat_yaml/ai_endpoints
+
+# ANYSCALE_API_KEY=
+# APIPIE_API_KEY=
+# COHERE_API_KEY=
+DEEPSEEK_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_DEEPSEEK_API_KEY'] }}
+# DATABRICKS_API_KEY=
+# FIREWORKS_API_KEY=
+# GROQ_API_KEY=
+# HUGGINGFACE_TOKEN=
+MISTRAL_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_MISTRAL_API_KEY'] }}
+# OPENROUTER_KEY=
+# PERPLEXITY_API_KEY=
+# SHUTTLEAI_API_KEY=
+# TOGETHERAI_API_KEY=
+# UNIFY_API_KEY=
+# XAI_API_KEY=
+
+#============#
+# Anthropic  #
+#============#
+
+ANTHROPIC_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_ANTHROPIC_API_KEY'] }}
+ANTHROPIC_MODELS=claude-3-7-sonnet-latest,claude-3-7-sonnet-20250219,claude-3-5-haiku-20241022,claude-3-5-sonnet-20241022,claude-3-5-sonnet-latest,claude-3-5-sonnet-20240620,claude-3-opus-20240229,claude-3-sonnet-20240229,claude-3-haiku-20240307,claude-2.1,claude-2,claude-1.2,claude-1,claude-1-100k,claude-instant-1,claude-instant-1-100k
+# ANTHROPIC_REVERSE_PROXY=
+
+#============#
+# Azure      #
+#============#
+
+# Note: these variables are DEPRECATED
+# Use the `librechat.yaml` configuration for `azureOpenAI` instead
+# You may also continue to use them if you opt out of using the `librechat.yaml` configuration
+
+# AZURE_OPENAI_DEFAULT_MODEL=gpt-3.5-turbo # Deprecated
+# AZURE_OPENAI_MODELS=gpt-3.5-turbo,gpt-4 # Deprecated
+# AZURE_USE_MODEL_AS_DEPLOYMENT_NAME=TRUE # Deprecated
+# AZURE_API_KEY= # Deprecated
+# AZURE_OPENAI_API_INSTANCE_NAME= # Deprecated
+# AZURE_OPENAI_API_DEPLOYMENT_NAME= # Deprecated
+# AZURE_OPENAI_API_VERSION= # Deprecated
+# AZURE_OPENAI_API_COMPLETIONS_DEPLOYMENT_NAME= # Deprecated
+# AZURE_OPENAI_API_EMBEDDINGS_DEPLOYMENT_NAME= # Deprecated
+# PLUGINS_USE_AZURE="true" # Deprecated
+
+#=================#
+#   AWS Bedrock   #
+#=================#
+
+# BEDROCK_AWS_DEFAULT_REGION=us-east-1 # A default region must be provided
+# BEDROCK_AWS_ACCESS_KEY_ID=someAccessKey
+# BEDROCK_AWS_SECRET_ACCESS_KEY=someSecretAccessKey
+# BEDROCK_AWS_SESSION_TOKEN=someSessionToken
+
+# Note: This example list is not meant to be exhaustive. If omitted, all known, supported model IDs will be included for you.
+# BEDROCK_AWS_MODELS=anthropic.claude-3-5-sonnet-20240620-v1:0,meta.llama3-1-8b-instruct-v1:0
+
+# See all Bedrock model IDs here: https://docs.aws.amazon.com/bedrock/latest/userguide/model-ids.html#model-ids-arns
+
+# Notes on specific models:
+# The following models are not support due to not supporting streaming:
+# ai21.j2-mid-v1
+
+# The following models are not support due to not supporting conversation history:
+# ai21.j2-ultra-v1, cohere.command-text-v14, cohere.command-light-text-v14
+
+#============#
+# Google     #
+#============#
+
+{# GOOGLE_KEY=user_provided #}
+
+# GOOGLE_REVERSE_PROXY=
+# Some reverse proxies do not support the X-goog-api-key header, uncomment to pass the API key in Authorization header instead.
+# GOOGLE_AUTH_HEADER=true
+
+# Gemini API (AI Studio)
+# GOOGLE_MODELS=gemini-2.0-flash-exp,gemini-2.0-flash-thinking-exp-1219,gemini-exp-1121,gemini-exp-1114,gemini-1.5-flash-latest,gemini-1.0-pro,gemini-1.0-pro-001,gemini-1.0-pro-latest,gemini-1.0-pro-vision-latest,gemini-1.5-pro-latest,gemini-pro,gemini-pro-vision
+
+# Vertex AI
+# GOOGLE_MODELS=gemini-1.5-flash-preview-0514,gemini-1.5-pro-preview-0514,gemini-1.0-pro-vision-001,gemini-1.0-pro-002,gemini-1.0-pro-001,gemini-pro-vision,gemini-1.0-pro
+
+# GOOGLE_TITLE_MODEL=gemini-pro
+
+# GOOGLE_LOC=us-central1
+
+# Google Safety Settings
+# NOTE: These settings apply to both Vertex AI and Gemini API (AI Studio)
+#
+# For Vertex AI:
+# To use the BLOCK_NONE setting, you need either:
+# (a) Access through an allowlist via your Google account team, or
+# (b) Switch to monthly invoiced billing: https://cloud.google.com/billing/docs/how-to/invoiced-billing
+#
+# For Gemini API (AI Studio):
+# BLOCK_NONE is available by default, no special account requirements.
+#
+# Available options: BLOCK_NONE, BLOCK_ONLY_HIGH, BLOCK_MEDIUM_AND_ABOVE, BLOCK_LOW_AND_ABOVE
+#
+# GOOGLE_SAFETY_SEXUALLY_EXPLICIT=BLOCK_ONLY_HIGH
+# GOOGLE_SAFETY_HATE_SPEECH=BLOCK_ONLY_HIGH
+# GOOGLE_SAFETY_HARASSMENT=BLOCK_ONLY_HIGH
+# GOOGLE_SAFETY_DANGEROUS_CONTENT=BLOCK_ONLY_HIGH
+# GOOGLE_SAFETY_CIVIC_INTEGRITY=BLOCK_ONLY_HIGH
+
+#============#
+# OpenAI     #
+#============#
+
+OPENAI_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_OPENAI_API_KEY'] }}
+OPENAI_MODELS=o1,o1-mini,o1-preview,gpt-4o,chatgpt-4o-latest,gpt-4o-mini,gpt-3.5-turbo-0125,gpt-3.5-turbo-0301,gpt-3.5-turbo,gpt-4,gpt-4-0613,gpt-4-vision-preview,gpt-3.5-turbo-0613,gpt-3.5-turbo-16k-0613,gpt-4-0125-preview,gpt-4-turbo-preview,gpt-4-1106-preview,gpt-3.5-turbo-1106,gpt-3.5-turbo-instruct,gpt-3.5-turbo-instruct-0914,gpt-3.5-turbo-16k
+
+DEBUG_OPENAI=false
+
+# TITLE_CONVO=false
+# OPENAI_TITLE_MODEL=gpt-4o-mini
+
+# OPENAI_SUMMARIZE=true
+# OPENAI_SUMMARY_MODEL=gpt-4o-mini
+
+# OPENAI_FORCE_PROMPT=true
+
+# OPENAI_REVERSE_PROXY=
+
+# OPENAI_ORGANIZATION=
+
+#====================#
+#   Assistants API   #
+#====================#
+
+# ASSISTANTS_API_KEY=user_provided
+# ASSISTANTS_BASE_URL=
+# ASSISTANTS_MODELS=gpt-4o,gpt-4o-mini,gpt-3.5-turbo-0125,gpt-3.5-turbo-16k-0613,gpt-3.5-turbo-16k,gpt-3.5-turbo,gpt-4,gpt-4-0314,gpt-4-32k-0314,gpt-4-0613,gpt-3.5-turbo-0613,gpt-3.5-turbo-1106,gpt-4-0125-preview,gpt-4-turbo-preview,gpt-4-1106-preview
+
+#==========================#
+#   Azure Assistants API   #
+#==========================#
+
+# Note: You should map your credentials with custom variables according to your Azure OpenAI Configuration
+# The models for Azure Assistants are also determined by your Azure OpenAI configuration.
+
+# More info, including how to enable use of Assistants with Azure here:
+# https://www.librechat.ai/docs/configuration/librechat_yaml/ai_endpoints/azure#using-assistants-with-azure
+
+#============#
+# OpenRouter #
+#============#
+# !!!Warning: Use the variable above instead of this one. Using this one will override the OpenAI endpoint
+# OPENROUTER_API_KEY=
+
+#============#
+# Plugins    #
+#============#
+
+# PLUGIN_MODELS=gpt-4o,gpt-4o-mini,gpt-4,gpt-4-turbo-preview,gpt-4-0125-preview,gpt-4-1106-preview,gpt-4-0613,gpt-3.5-turbo,gpt-3.5-turbo-0125,gpt-3.5-turbo-1106,gpt-3.5-turbo-0613
+
+# DEBUG_PLUGINS=
+
+CREDS_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_CREDS_KEY'] }}
+CREDS_IV={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_CREDS_IV'] }}
+
+# Azure AI Search
+#-----------------
+# AZURE_AI_SEARCH_SERVICE_ENDPOINT=
+# AZURE_AI_SEARCH_INDEX_NAME=
+# AZURE_AI_SEARCH_API_KEY=
+
+# AZURE_AI_SEARCH_API_VERSION=
+# AZURE_AI_SEARCH_SEARCH_OPTION_QUERY_TYPE=
+# AZURE_AI_SEARCH_SEARCH_OPTION_TOP=
+# AZURE_AI_SEARCH_SEARCH_OPTION_SELECT=
+
+# DALL·E
+#----------------
+# DALLE_API_KEY=
+# DALLE3_API_KEY=
+# DALLE2_API_KEY=
+# DALLE3_SYSTEM_PROMPT=
+# DALLE2_SYSTEM_PROMPT=
+# DALLE_REVERSE_PROXY=
+# DALLE3_BASEURL=
+# DALLE2_BASEURL=
+
+# DALL·E (via Azure OpenAI)
+# Note: requires some of the variables above to be set
+#----------------
+# DALLE3_AZURE_API_VERSION=
+# DALLE2_AZURE_API_VERSION=
+
+
+# Google
+#-----------------
+GOOGLE_SEARCH_API_KEY=
+GOOGLE_CSE_ID=
+
+# YOUTUBE
+#-----------------
+YOUTUBE_API_KEY=
+
+# SerpAPI
+#-----------------
+SERPAPI_API_KEY=
+
+# Stable Diffusion
+#-----------------
+SD_WEBUI_URL=http://stable-diffusion-webui:7860
+
+# Tavily
+#-----------------
+TAVILY_API_KEY=
+
+# Traversaal
+#-----------------
+TRAVERSAAL_API_KEY=
+
+# WolframAlpha
+#-----------------
+WOLFRAM_APP_ID=
+
+# Zapier
+#-----------------
+ZAPIER_NLA_API_KEY=
+
+#==================================================#
+#                      Search                      #
+#==================================================#
+
+SEARCH=true
+MEILI_NO_ANALYTICS=true
+MEILI_HOST=http://meilisearch:7700
+MEILI_MASTER_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MEILISEARCH_MASTER_KEY'] }}
+
+# Optional: Disable indexing, useful in a multi-node setup
+# where only one instance should perform an index sync.
+# MEILI_NO_SYNC=true
+
+#==================================================#
+#          Speech to Text & Text to Speech         #
+#==================================================#
+
+STT_API_KEY=
+TTS_API_KEY=
+
+#==================================================#
+#                        RAG                       #
+#==================================================#
+# More info: https://www.librechat.ai/docs/configuration/rag_api
+
+# RAG_OPENAI_BASEURL=
+# RAG_OPENAI_API_KEY=
+# RAG_USE_FULL_CONTEXT=
+# EMBEDDINGS_PROVIDER=openai
+# EMBEDDINGS_MODEL=text-embedding-3-small
+
+#===================================================#
+#                    User System                    #
+#===================================================#
+
+#========================#
+# Moderation             #
+#========================#
+
+OPENAI_MODERATION=false
+OPENAI_MODERATION_API_KEY=
+# OPENAI_MODERATION_REVERSE_PROXY=
+
+BAN_VIOLATIONS=true
+BAN_DURATION=1000 * 60 * 60 * 2
+BAN_INTERVAL=20
+
+LOGIN_VIOLATION_SCORE=1
+REGISTRATION_VIOLATION_SCORE=1
+CONCURRENT_VIOLATION_SCORE=1
+MESSAGE_VIOLATION_SCORE=1
+NON_BROWSER_VIOLATION_SCORE=20
+
+LOGIN_MAX=7
+LOGIN_WINDOW=5
+REGISTER_MAX=5
+REGISTER_WINDOW=60
+
+LIMIT_CONCURRENT_MESSAGES=true
+CONCURRENT_MESSAGE_MAX=2
+
+LIMIT_MESSAGE_IP=true
+MESSAGE_IP_MAX=40
+MESSAGE_IP_WINDOW=1
+
+LIMIT_MESSAGE_USER=false
+MESSAGE_USER_MAX=40
+MESSAGE_USER_WINDOW=1
+
+ILLEGAL_MODEL_REQ_SCORE=5
+
+#========================#
+# Balance                #
+#========================#
+
+CHECK_BALANCE=false
+# START_BALANCE=20000 # note: the number of tokens that will be credited after registration.
+
+#========================#
+# Registration and Login #
+#========================#
+
+ALLOW_EMAIL_LOGIN=true
+ALLOW_REGISTRATION=true
+ALLOW_SOCIAL_LOGIN=false
+ALLOW_SOCIAL_REGISTRATION=false
+ALLOW_PASSWORD_RESET=false
+# ALLOW_ACCOUNT_DELETION=true # note: enabled by default if omitted/commented out
+ALLOW_UNVERIFIED_EMAIL_LOGIN=true
+
+SESSION_EXPIRY=1000 * 60 * 15
+REFRESH_TOKEN_EXPIRY=(1000 * 60 * 60 * 24) * 7
+
+JWT_SECRET={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_JWT_SECRET'] }}
+JWT_REFRESH_SECRET={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_JWT_REFRESH_SECRET'] }}
+
+
+# Discord
+DISCORD_CLIENT_ID=
+DISCORD_CLIENT_SECRET=
+DISCORD_CALLBACK_URL=/oauth/discord/callback
+
+# Facebook
+FACEBOOK_CLIENT_ID=
+FACEBOOK_CLIENT_SECRET=
+FACEBOOK_CALLBACK_URL=/oauth/facebook/callback
+
+# GitHub
+GITHUB_CLIENT_ID=
+GITHUB_CLIENT_SECRET=
+GITHUB_CALLBACK_URL=/oauth/github/callback
+# GitHub Enterprise
+# GITHUB_ENTERPRISE_BASE_URL=
+# GITHUB_ENTERPRISE_USER_AGENT=
+
+# Google
+GOOGLE_CLIENT_ID=
+GOOGLE_CLIENT_SECRET=
+GOOGLE_CALLBACK_URL=/oauth/google/callback
+
+# Apple
+APPLE_CLIENT_ID=
+APPLE_TEAM_ID=
+APPLE_KEY_ID=
+APPLE_PRIVATE_KEY_PATH=
+APPLE_CALLBACK_URL=/oauth/apple/callback
+
+# OpenID
+OPENID_CLIENT_ID=
+OPENID_CLIENT_SECRET=
+OPENID_ISSUER=
+OPENID_SESSION_SECRET=
+OPENID_SCOPE="openid profile email"
+OPENID_CALLBACK_URL=/oauth/openid/callback
+OPENID_REQUIRED_ROLE=
+OPENID_REQUIRED_ROLE_TOKEN_KIND=
+OPENID_REQUIRED_ROLE_PARAMETER_PATH=
+# Set to determine which user info property returned from OpenID Provider to store as the User's username
+OPENID_USERNAME_CLAIM=
+# Set to determine which user info property returned from OpenID Provider to store as the User's name
+OPENID_NAME_CLAIM=
+
+OPENID_BUTTON_LABEL=
+OPENID_IMAGE_URL=
+
+# LDAP
+# LDAP_URL=
+# LDAP_BIND_DN=
+# LDAP_BIND_CREDENTIALS=
+# LDAP_USER_SEARCH_BASE=
+# LDAP_SEARCH_FILTER=mail=
+# LDAP_CA_CERT_PATH=
+# LDAP_TLS_REJECT_UNAUTHORIZED=
+# LDAP_LOGIN_USES_USERNAME=true
+# LDAP_ID=
+# LDAP_USERNAME=
+# LDAP_EMAIL=
+# LDAP_FULL_NAME=
+
+#========================#
+# Email Password Reset   #
+#========================#
+
+EMAIL_SERVICE=
+EMAIL_HOST=postal-smtp
+EMAIL_PORT=25
+EMAIL_ENCRYPTION=
+EMAIL_ENCRYPTION_HOSTNAME=
+EMAIL_ALLOW_SELFSIGNED=
+EMAIL_USERNAME=
+EMAIL_PASSWORD=
+EMAIL_FROM_NAME=
+EMAIL_FROM=noreply@librechat.ai
+
+#========================#
+# Firebase CDN           #
+#========================#
+
+# FIREBASE_API_KEY=
+# FIREBASE_AUTH_DOMAIN=
+# FIREBASE_PROJECT_ID=
+# FIREBASE_STORAGE_BUCKET=
+# FIREBASE_MESSAGING_SENDER_ID=
+# FIREBASE_APP_ID=
+
+#========================#
+# Shared Links           #
+#========================#
+
+ALLOW_SHARED_LINKS=true
+ALLOW_SHARED_LINKS_PUBLIC=true
+
+#==============================#
+# Static File Cache Control    #
+#==============================#
+
+# Leave commented out to use defaults: 1 day (86400 seconds) for s-maxage and 2 days (172800 seconds) for max-age
+# NODE_ENV must be set to production for these to take effect
+# STATIC_CACHE_MAX_AGE=172800
+# STATIC_CACHE_S_MAX_AGE=86400
+
+# If you have another service in front of your LibreChat doing compression, disable express based compression here
+# DISABLE_COMPRESSION=true
+
+#===================================================#
+#                        UI                         #
+#===================================================#
+
+APP_TITLE=LibreChat
+# CUSTOM_FOOTER="My custom footer"
+HELP_AND_FAQ_URL=https://librechat.ai
+
+# SHOW_BIRTHDAY_ICON=true
+
+# Google tag manager id
+#ANALYTICS_GTM_ID=user provided google tag manager id
+
+#===============#
+# REDIS Options #
+#===============#
+
+REDIS_URI=redis:6379
+USE_REDIS=true
+
+# USE_REDIS_CLUSTER=true
+# REDIS_CA=/path/to/ca.crt
+
+#==================================================#
+#                      Others                      #
+#==================================================#
+#   You should leave the following commented out   #
+
+# NODE_ENV=
+
+# E2E_USER_EMAIL=
+# E2E_USER_PASSWORD=
+
+#=====================================================#
+#                  Cache Headers                      #
+#=====================================================#
+#   Headers that control caching of the index.html    #
+#   Default configuration prevents caching to ensure  #
+#   users always get the latest version. Customize    #
+#   only if you understand caching implications.      #
+
+# INDEX_HTML_CACHE_CONTROL=no-cache, no-store, must-revalidate
+# INDEX_HTML_PRAGMA=no-cache
+# INDEX_HTML_EXPIRES=0
+
+# no-cache: Forces validation with server before using cached version
+# no-store: Prevents storing the response entirely
+# must-revalidate: Prevents using stale content when offline
+
+#=====================================================#
+#                  OpenWeather                        #
+#=====================================================#
+OPENWEATHER_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['HOMEPAGE_OPENWEATHERMAP_API_KEY'] }}
@@ -0,0 +1,33 @@
+version: 1.0.0
+endpoints:
+  custom:
+    - name: "ollama"
+      apiKey: "ollama"
+      baseURL: "http://ollama:11434/v1/chat/completions"
+      models:
+        default: [
+          "deepseek-r1:1.5b",
+          "deepseek-coder-v2:16b",
+          "deepseek-v3:671b",
+          "llama3.3:70b",
+          "phi4:14b",
+          "qwen2.5",
+          "llama2:7b",
+          "mistral:7b",
+          "codellama:7b",
+          "tinyllama:1.1b",
+          "starcoder2:3b",
+          "dolphin-mistral:7b",
+          "smollm2:1.7b",
+          "orca-mini:3b",
+          "mistral-openorca:7b"
+        ]
+# fetching list of models is supported but the `name` field must start
+# with `ollama` (case-insensitive), as it does in this example.
+        fetch: true
+      titleConvo: true
+      titleModel: "current_model"
+      summarize: false
+      summaryModel: "current_model"
+      forcePrompt: false
+      modelDisplayLabel: "Ollama"
@@ -0,0 +1,21 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+<Config>
+  <BindAddress>*</BindAddress>
+  <Port>8686</Port>
+  <SslPort>6868</SslPort>
+  <EnableSsl>False</EnableSsl>
+  <LaunchBrowser>True</LaunchBrowser>
+  <ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIDARR_API_KEY'] }}</ApiKey>
+  <AuthenticationMethod>Forms</AuthenticationMethod>
+  <Branch>master</Branch>
+  <LogLevel>trace</LogLevel>
+  <SslCertPath></SslCertPath>
+  <SslCertPassword></SslCertPassword>
+  <UrlBase></UrlBase>
+  <InstanceName>Lidarr</InstanceName>
+  <UpdateMechanism>Docker</UpdateMechanism>
+  <Theme>auto</Theme>
+  <AuthenticationRequired>Enabled</AuthenticationRequired>
+</Config>
@@ -0,0 +1,21 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+<Config>
+  <BindAddress>*</BindAddress>
+  <Port>8686</Port>
+  <SslPort>6868</SslPort>
+  <EnableSsl>False</EnableSsl>
+  <LaunchBrowser>True</LaunchBrowser>
+  <ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIDARR_API_KEY'] }}</ApiKey>
+  <AuthenticationMethod>Forms</AuthenticationMethod>
+  <Branch>master</Branch>
+  <LogLevel>trace</LogLevel>
+  <SslCertPath></SslCertPath>
+  <SslCertPassword></SslCertPassword>
+  <UrlBase></UrlBase>
+  <InstanceName>Lidarr</InstanceName>
+  <UpdateMechanism>Docker</UpdateMechanism>
+  <Theme>auto</Theme>
+  <AuthenticationRequired>Enabled</AuthenticationRequired>
+</Config>
@@ -0,0 +1,25 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+{
+    "lidarr_address": "http://lidarr:8686",
+    "lidarr_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIDARR_API_KEY'] }}",
+    "spotify_client_secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_SECRET'] }}",
+    "root_folder_path": "/data/media/music",
+    "spotify_client_id": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_ID'] }}",
+    "spotify_client_secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_SECRET'] }}",
+    "fallback_to_top_result": false,
+    "lidarr_api_timeout": 120.0,
+    "quality_profile_id": 1,
+    "metadata_profile_id": 1,
+    "search_for_missing_albums": false,
+    "dry_run_adding_to_lidarr": true,
+    "app_name": "lidify",
+    "app_rev": "0.09",
+    "app_url": "lidify.trez.wtf",
+    "last_fm_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
+    "last_fm_api_secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
+    "mode": "LastFM",
+    "auto_start": false,
+    "auto_start_delay": 60
+}
@@ -0,0 +1,25 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+{
+    "lidarr_address": "http://lidarr:8686",
+    "lidarr_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIDARR_API_KEY'] }}",
+    "spotify_client_secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_SECRET'] }}",
+    "root_folder_path": "/data/media/music",
+    "spotify_client_id": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_ID'] }}",
+    "spotify_client_secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_SECRET'] }}",
+    "fallback_to_top_result": false,
+    "lidarr_api_timeout": 120.0,
+    "quality_profile_id": 1,
+    "metadata_profile_id": 1,
+    "search_for_missing_albums": false,
+    "dry_run_adding_to_lidarr": true,
+    "app_name": "lidify",
+    "app_rev": "0.09",
+    "app_url": "lidify.trez.wtf",
+    "last_fm_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
+    "last_fm_api_secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
+    "mode": "LastFM",
+    "auto_start": false,
+    "auto_start_delay": 60
+}
@@ -0,0 +1,33 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+containers:
+  ghost_blog:
+    action_keywords:
+      - restart:
+          regex: ':[0-9]{2}\] ERROR.*$'
+  immich-server:
+    action_keywords:
+      - restart:
+          regex: 'ADVICE:.*error'
+  invidious:
+    keywords:
+      - regex: 'Error reading.*Connection reset by peer trying to reconnect...'
+global_keywords:
+  keywords:
+    - panic
+  keywords_with_attachment:
+    - fatal
+notifications:
+  apprise:
+    url: gotify://gotify/{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['APPRISE_GOTIFY_TOKEN'] }}    # Any Apprise-compatible URL (https://github.com/caronc/apprise/wiki)
+# settings are optional because they all have default values
+settings:
+  log_level: INFO               # DEBUG, INFO, WARNING, ERROR
+  notification_cooldown: 5      # Seconds between alerts for same keyword (per container)
+  attachment_lines: 20          # Number of Lines to include in log attachments
+  multi_line_entries: true      # Detect multi-line log entries
+  disable_restart: false        # Disable restart when a config change is detected
+  disable_start_message: false  # Suppress startup notification
+  disable_shutdown_message: false  # Suppress shutdown notification
+  disable_restart_message: false   # Suppress config reload notification
@@ -0,0 +1,33 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+containers:
+  ghost_blog:
+    action_keywords:
+      - restart:
+          regex: ':[0-9]{2}\] ERROR.*$'
+  immich-server:
+    action_keywords:
+      - restart:
+          regex: 'ADVICE:.*error'
+  invidious:
+    keywords:
+      - regex: 'Error reading.*Connection reset by peer trying to reconnect...'
+global_keywords:
+  keywords:
+    - panic
+  keywords_with_attachment:
+    - fatal
+notifications:
+  apprise:
+    url: gotify://gotify/{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['APPRISE_GOTIFY_TOKEN'] }}    # Any Apprise-compatible URL (https://github.com/caronc/apprise/wiki)
+# settings are optional because they all have default values
+settings:
+  log_level: INFO               # DEBUG, INFO, WARNING, ERROR
+  notification_cooldown: 5      # Seconds between alerts for same keyword (per container)
+  attachment_lines: 20          # Number of Lines to include in log attachments
+  multi_line_entries: true      # Detect multi-line log entries
+  disable_restart: false        # Disable restart when a config change is detected
+  disable_start_message: false  # Suppress startup notification
+  disable_shutdown_message: false  # Suppress shutdown notification
+  disable_restart_message: false   # Suppress config reload notification
@@ -0,0 +1,159 @@
+'use strict';
+
+const packageJson = require('../../package.json');
+
+module.exports = {
+    // Branding and customizations require a license: https://codecanyon.net/item/mirotalk-p2p-webrtc-realtime-video-conferences/38376661
+    brand: {
+        app: {
+            language: 'en', // https://en.wikipedia.org/wiki/List_of_ISO_639_language_codes
+            name: 'MiroTalk',
+            title: '<h1>MiroTalk</h1/>Free browser based Real-time video calls.<br />Simple, Secure, Fast.',
+            description:
+                'Start your next video call with a single click. No download, plug-in, or login is required. Just get straight to talking, messaging, and sharing your screen.',
+            joinDescription: 'Pick a room name.<br />How about this one?',
+            joinButtonLabel: 'JOIN ROOM',
+            joinLastLabel: 'Your recent room:',
+        },
+        og: {
+            type: 'app-webrtc',
+            siteName: 'MiroTalk',
+            title: 'Click the link to make a call.',
+            description:
+                'MiroTalk calling provides real-time HD quality and latency simply not available with traditional technology.',
+            image: 'https://p2p.mirotalk.com/images/preview.png',
+            url: 'https://p2p.mirotalk.com',
+        },
+        site: {
+            shortcutIcon: '../images/logo.svg',
+            appleTouchIcon: '../images/logo.svg',
+            landingTitle: 'MiroTalk a Free Secure Video Calls, Chat & Screen Sharing.',
+            newCallTitle: 'MiroTalk a Free Secure Video Calls, Chat & Screen Sharing.',
+            newCallRoomTitle: 'Pick name. <br />Share URL. <br />Start conference.',
+            newCallRoomDescription:
+                "Each room has its disposable URL. Just pick a room name and share your custom URL. It's that easy.",
+            loginTitle: 'MiroTalk - Host Protected login required.',
+            clientTitle: 'MiroTalk WebRTC Video call, Chat Room & Screen Sharing.',
+            privacyPolicyTitle: 'MiroTalk - privacy and policy.',
+            stunTurnTitle: 'Test Stun/Turn Servers.',
+            notFoundTitle: 'MiroTalk - 404 Page not found.',
+        },
+        html: {
+            features: true,
+            browsers: true,
+            teams: true, // please keep me always true ;)
+            tryEasier: true,
+            poweredBy: true,
+            sponsors: true,
+            advertisers: true,
+            footer: true,
+        },
+        about: {
+            imageUrl: '../images/mirotalk-logo.gif',
+            title: `WebRTC P2P v${packageJson.version}`,
+            html: `
+                <button
+                    id="support-button"
+                    data-umami-event="Support button"
+                    onclick="window.open('https://codecanyon.net/user/miroslavpejic85')">
+                    <i class="fas fa-heart" ></i>&nbsp;Support
+                </button>
+                <br /><br /><br />
+                Author:<a
+                    id="linkedin-button"
+                    data-umami-event="Linkedin button"
+                    href="https://www.linkedin.com/in/miroslav-pejic-976a07101/" target="_blank">
+                    Miroslav Pejic
+                </a>
+                <br /><br />
+                Email:<a
+                    id="email-button"
+                    data-umami-event="Email button"
+                    href="mailto:miroslav.pejic.85@gmail.com?subject=MiroTalk P2P info">
+                    miroslav.pejic.85@gmail.com
+                </a>
+                <br /><br />
+                <hr />
+                <span>&copy; 2025 MiroTalk P2P, all rights reserved</span>
+                <hr />
+            `,
+        },
+        //...
+    },
+    /**
+     * Configuration for controlling the visibility of buttons in the MiroTalk P2P client.
+     * Set properties to true to show the corresponding buttons, or false to hide them.
+     * captionBtn, showSwapCameraBtn, showScreenShareBtn, showFullScreenBtn, showVideoPipBtn, showDocumentPipBtn -> (auto-detected).
+     */
+    buttons: {
+        main: {
+            showShareQr: true,
+            showShareRoomBtn: true, // For guests
+            showHideMeBtn: true,
+            showAudioBtn: true,
+            showVideoBtn: true,
+            showScreenBtn: true, // autodetected
+            showRecordStreamBtn: true,
+            showChatRoomBtn: true,
+            showCaptionRoomBtn: true,
+            showRoomEmojiPickerBtn: true,
+            showMyHandBtn: true,
+            showWhiteboardBtn: true,
+            showSnapshotRoomBtn: true,
+            showFileShareBtn: true,
+            showDocumentPipBtn: true,
+            showMySettingsBtn: true,
+            showAboutBtn: true, // Please keep me always true, Thank you!
+        },
+        chat: {
+            showTogglePinBtn: true,
+            showMaxBtn: true,
+            showSaveMessageBtn: true,
+            showMarkDownBtn: true,
+            showChatGPTBtn: true,
+            showFileShareBtn: true,
+            showShareVideoAudioBtn: true,
+            showParticipantsBtn: true,
+        },
+        caption: {
+            showTogglePinBtn: true,
+            showMaxBtn: true,
+        },
+        settings: {
+            showMicOptionsBtn: true,
+            showTabRoomPeerName: true,
+            showTabRoomParticipants: true,
+            showTabRoomSecurity: true,
+            showTabEmailInvitation: true,
+            showCaptionEveryoneBtn: true,
+            showMuteEveryoneBtn: true,
+            showHideEveryoneBtn: true,
+            showEjectEveryoneBtn: true,
+            showLockRoomBtn: true,
+            showUnlockRoomBtn: true,
+            showShortcutsBtn: true,
+        },
+        remote: {
+            showAudioVolume: true,
+            audioBtnClickAllowed: true,
+            videoBtnClickAllowed: true,
+            showVideoPipBtn: true,
+            showKickOutBtn: true,
+            showSnapShotBtn: true,
+            showFileShareBtn: true,
+            showShareVideoAudioBtn: true,
+            showPrivateMessageBtn: true,
+            showZoomInOutBtn: false,
+            showVideoFocusBtn: true,
+        },
+        local: {
+            showVideoPipBtn: true,
+            showSnapShotBtn: true,
+            showVideoCircleBtn: true,
+            showZoomInOutBtn: false,
+        },
+        whiteboard: {
+            whiteboardLockBtn: false,
+        },
+    },
+};
@@ -0,0 +1,159 @@
+'use strict';
+
+const packageJson = require('../../package.json');
+
+module.exports = {
+    // Branding and customizations require a license: https://codecanyon.net/item/mirotalk-p2p-webrtc-realtime-video-conferences/38376661
+    brand: {
+        app: {
+            language: 'en', // https://en.wikipedia.org/wiki/List_of_ISO_639_language_codes
+            name: 'MiroTalk',
+            title: '<h1>MiroTalk</h1/>Free browser based Real-time video calls.<br />Simple, Secure, Fast.',
+            description:
+                'Start your next video call with a single click. No download, plug-in, or login is required. Just get straight to talking, messaging, and sharing your screen.',
+            joinDescription: 'Pick a room name.<br />How about this one?',
+            joinButtonLabel: 'JOIN ROOM',
+            joinLastLabel: 'Your recent room:',
+        },
+        og: {
+            type: 'app-webrtc',
+            siteName: 'MiroTalk',
+            title: 'Click the link to make a call.',
+            description:
+                'MiroTalk calling provides real-time HD quality and latency simply not available with traditional technology.',
+            image: 'https://p2p.mirotalk.com/images/preview.png',
+            url: 'https://p2p.mirotalk.com',
+        },
+        site: {
+            shortcutIcon: '../images/logo.svg',
+            appleTouchIcon: '../images/logo.svg',
+            landingTitle: 'MiroTalk a Free Secure Video Calls, Chat & Screen Sharing.',
+            newCallTitle: 'MiroTalk a Free Secure Video Calls, Chat & Screen Sharing.',
+            newCallRoomTitle: 'Pick name. <br />Share URL. <br />Start conference.',
+            newCallRoomDescription:
+                "Each room has its disposable URL. Just pick a room name and share your custom URL. It's that easy.",
+            loginTitle: 'MiroTalk - Host Protected login required.',
+            clientTitle: 'MiroTalk WebRTC Video call, Chat Room & Screen Sharing.',
+            privacyPolicyTitle: 'MiroTalk - privacy and policy.',
+            stunTurnTitle: 'Test Stun/Turn Servers.',
+            notFoundTitle: 'MiroTalk - 404 Page not found.',
+        },
+        html: {
+            features: true,
+            browsers: true,
+            teams: true, // please keep me always true ;)
+            tryEasier: true,
+            poweredBy: true,
+            sponsors: true,
+            advertisers: true,
+            footer: true,
+        },
+        about: {
+            imageUrl: '../images/mirotalk-logo.gif',
+            title: `WebRTC P2P v${packageJson.version}`,
+            html: `
+                <button
+                    id="support-button"
+                    data-umami-event="Support button"
+                    onclick="window.open('https://codecanyon.net/user/miroslavpejic85')">
+                    <i class="fas fa-heart" ></i>&nbsp;Support
+                </button>
+                <br /><br /><br />
+                Author:<a
+                    id="linkedin-button"
+                    data-umami-event="Linkedin button"
+                    href="https://www.linkedin.com/in/miroslav-pejic-976a07101/" target="_blank">
+                    Miroslav Pejic
+                </a>
+                <br /><br />
+                Email:<a
+                    id="email-button"
+                    data-umami-event="Email button"
+                    href="mailto:miroslav.pejic.85@gmail.com?subject=MiroTalk P2P info">
+                    miroslav.pejic.85@gmail.com
+                </a>
+                <br /><br />
+                <hr />
+                <span>&copy; 2025 MiroTalk P2P, all rights reserved</span>
+                <hr />
+            `,
+        },
+        //...
+    },
+    /**
+     * Configuration for controlling the visibility of buttons in the MiroTalk P2P client.
+     * Set properties to true to show the corresponding buttons, or false to hide them.
+     * captionBtn, showSwapCameraBtn, showScreenShareBtn, showFullScreenBtn, showVideoPipBtn, showDocumentPipBtn -> (auto-detected).
+     */
+    buttons: {
+        main: {
+            showShareQr: true,
+            showShareRoomBtn: true, // For guests
+            showHideMeBtn: true,
+            showAudioBtn: true,
+            showVideoBtn: true,
+            showScreenBtn: true, // autodetected
+            showRecordStreamBtn: true,
+            showChatRoomBtn: true,
+            showCaptionRoomBtn: true,
+            showRoomEmojiPickerBtn: true,
+            showMyHandBtn: true,
+            showWhiteboardBtn: true,
+            showSnapshotRoomBtn: true,
+            showFileShareBtn: true,
+            showDocumentPipBtn: true,
+            showMySettingsBtn: true,
+            showAboutBtn: true, // Please keep me always true, Thank you!
+        },
+        chat: {
+            showTogglePinBtn: true,
+            showMaxBtn: true,
+            showSaveMessageBtn: true,
+            showMarkDownBtn: true,
+            showChatGPTBtn: true,
+            showFileShareBtn: true,
+            showShareVideoAudioBtn: true,
+            showParticipantsBtn: true,
+        },
+        caption: {
+            showTogglePinBtn: true,
+            showMaxBtn: true,
+        },
+        settings: {
+            showMicOptionsBtn: true,
+            showTabRoomPeerName: true,
+            showTabRoomParticipants: true,
+            showTabRoomSecurity: true,
+            showTabEmailInvitation: true,
+            showCaptionEveryoneBtn: true,
+            showMuteEveryoneBtn: true,
+            showHideEveryoneBtn: true,
+            showEjectEveryoneBtn: true,
+            showLockRoomBtn: true,
+            showUnlockRoomBtn: true,
+            showShortcutsBtn: true,
+        },
+        remote: {
+            showAudioVolume: true,
+            audioBtnClickAllowed: true,
+            videoBtnClickAllowed: true,
+            showVideoPipBtn: true,
+            showKickOutBtn: true,
+            showSnapShotBtn: true,
+            showFileShareBtn: true,
+            showShareVideoAudioBtn: true,
+            showPrivateMessageBtn: true,
+            showZoomInOutBtn: false,
+            showVideoFocusBtn: true,
+        },
+        local: {
+            showVideoPipBtn: true,
+            showSnapShotBtn: true,
+            showVideoCircleBtn: true,
+            showZoomInOutBtn: false,
+        },
+        whiteboard: {
+            whiteboardLockBtn: false,
+        },
+    },
+};
@@ -0,0 +1,111 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+{
+  "debugMode": false,
+  "disableWeb": false,
+  "sourceDefaults": {
+    "logPayload": false,
+    "logFilterFailure": "warn",
+    "logPlayerState": false,
+    "scrobbleThresholds": {
+      "duration": 30,
+      "percent": 20
+    },
+    "maxPollRetries": 1,
+    "maxRequestRetries": 1,
+    "retryMultiplier": 1.5
+  },
+  "clientDefaults": {
+    "maxRequestRetries": 1,
+    "retryMultiplier": 1.5
+  },
+  "sources": [
+    {
+      "type": "spotify",
+      "enable": true,
+      "clients": [],
+      "name": "spotify",
+      "data": {
+        "clientId": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_ID'] }}",
+        "clientSecret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_SECRET'] }}",
+        "redirectUri": "http://localhost:9078/callback"
+      }
+    },
+    {
+      "type": "lastfm",
+      "enable": true,
+      "clients": [],
+      "name": "lastfm",
+      "data": {
+        "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
+        "secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
+        "redirectUri": "http://localhost:9078/lastfm/callback"
+      }
+    },
+    {
+      "type": "listenbrainz",
+      "enable": true,
+      "clients": [],
+      "name": "listenBrainz",
+      "data": {
+        "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_LISTENBRAINZ_TOKEN'] }}",
+        "username": "Trez.One"
+      }
+    },
+    {
+      "type": "subsonic",
+      "enable": true,
+      "clients": [],
+      "name": "navidrome",
+      "data": {
+        "url": "http://navidrome:4533",
+        "user": "admin",
+        "password": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NAVIDROME_PASSWORD'] }}"
+      }
+    }
+  ],
+  "clients": [
+    {
+      "type": "lastfm",
+      "enable": true,
+      "name": "lastFmClient",
+      "data": {
+        "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
+        "secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
+        "redirectUri": "http://localhost:9078/lastfm/callback"
+      }
+    },
+    {
+      "type": "listenbrainz",
+      "enable": true,
+      "name": "ListenBrainzClient",
+      "data": {
+        "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_LISTENBRAINZ_TOKEN'] }}",
+        "username": "Trez.One"
+      }
+    },
+    {
+      "type": "maloja",
+      "enable": true,
+      "name": "maloja",
+      "data": {
+        "url": "http://maloja:42010",
+        "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_API_KEY'] }}"
+      }
+    }
+  ],
+  "webhooks": [
+    {
+      "name": "Gotify",
+      "type": "gotify",
+      "url": "http://gotify",
+      "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MULTI_SCROBBLER_GOTIFY_TOKEN'] }}",
+      "priorities": {
+        "info": 5,
+        "warn": 7,
+        "error": 10
+      }
+    }
+  ]
+}
@@ -0,0 +1,111 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+{
+  "debugMode": false,
+  "disableWeb": false,
+  "sourceDefaults": {
+    "logPayload": false,
+    "logFilterFailure": "warn",
+    "logPlayerState": false,
+    "scrobbleThresholds": {
+      "duration": 30,
+      "percent": 20
+    },
+    "maxPollRetries": 1,
+    "maxRequestRetries": 1,
+    "retryMultiplier": 1.5
+  },
+  "clientDefaults": {
+    "maxRequestRetries": 1,
+    "retryMultiplier": 1.5
+  },
+  "sources": [
+    {
+      "type": "spotify",
+      "enable": true,
+      "clients": [],
+      "name": "spotify",
+      "data": {
+        "clientId": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_ID'] }}",
+        "clientSecret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_SECRET'] }}",
+        "redirectUri": "http://localhost:9078/callback"
+      }
+    },
+    {
+      "type": "lastfm",
+      "enable": true,
+      "clients": [],
+      "name": "lastfm",
+      "data": {
+        "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
+        "secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
+        "redirectUri": "http://localhost:9078/lastfm/callback"
+      }
+    },
+    {
+      "type": "listenbrainz",
+      "enable": true,
+      "clients": [],
+      "name": "listenBrainz",
+      "data": {
+        "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_LISTENBRAINZ_TOKEN'] }}",
+        "username": "Trez.One"
+      }
+    },
+    {
+      "type": "subsonic",
+      "enable": true,
+      "clients": [],
+      "name": "navidrome",
+      "data": {
+        "url": "http://navidrome:4533",
+        "user": "admin",
+        "password": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NAVIDROME_PASSWORD'] }}"
+      }
+    }
+  ],
+  "clients": [
+    {
+      "type": "lastfm",
+      "enable": true,
+      "name": "lastFmClient",
+      "data": {
+        "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
+        "secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
+        "redirectUri": "http://localhost:9078/lastfm/callback"
+      }
+    },
+    {
+      "type": "listenbrainz",
+      "enable": true,
+      "name": "ListenBrainzClient",
+      "data": {
+        "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_LISTENBRAINZ_TOKEN'] }}",
+        "username": "Trez.One"
+      }
+    },
+    {
+      "type": "maloja",
+      "enable": true,
+      "name": "maloja",
+      "data": {
+        "url": "http://maloja:42010",
+        "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_API_KEY'] }}"
+      }
+    }
+  ],
+  "webhooks": [
+    {
+      "name": "Gotify",
+      "type": "gotify",
+      "url": "http://gotify",
+      "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MULTI_SCROBBLER_GOTIFY_TOKEN'] }}",
+      "priorities": {
+        "info": 5,
+        "warn": 7,
+        "error": 10
+      }
+    }
+  ]
+}
@@ -0,0 +1,76 @@
+{
+  "Stuns": [
+    {
+      "Proto": "udp",
+      "URI": "stun:netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:3478",
+      "Username": "",
+      "Password": null
+    }
+  ],
+  "TURNConfig": {
+    "Turns": [
+      {
+        "Proto": "udp",
+        "URI": "turn:netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:3478",
+        "Username": "self",
+        "Password": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_TURN_PASSWORD'] }}"
+      }
+    ],
+    "CredentialsTTL": "12h",
+    "Secret": "secret",
+    "TimeBasedCredentials": false
+  },
+  "Relay": {
+    "Addresses": [
+      "rel://netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:33080"
+    ],
+    "CredentialsTTL": "24h",
+    "Secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_RELAY_AUTH_SECRET'] }}"
+  },
+  "Signal": {
+    "Proto": "https",
+    "URI": "netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:10001",
+    "Username": "",
+    "Password": null
+  },
+  "ReverseProxy": {
+    "TrustedHTTPProxies": [],
+    "TrustedHTTPProxiesCount": 0,
+    "TrustedPeers": [
+      "0.0.0.0/0"
+    ]
+  },
+  "Datadir": "",
+  "DataStoreEncryptionKey": "",
+  "StoreConfig": {
+    "Engine": "sqlite"
+  },
+  "HttpConfig": {
+    "Address": "0.0.0.0:33073",
+    "AuthIssuer": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}",
+    "AuthAudience": "netbird",
+    "AuthKeysLocation": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/jwks.json",
+    "AuthUserIDClaim": "",
+    "CertFile": "",
+    "CertKey": "",
+    "IdpSignKeyRefreshEnabled": true,
+    "OIDCConfigEndpoint": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/.well-known/openid-configuration"
+  },
+  "IdpManagerConfig": {},
+  "DeviceAuthorizationFlow": {},
+  "PKCEAuthorizationFlow": {
+    "ProviderConfig": {
+      "Audience": "netbird",
+      "ClientID": "netbird",
+      "ClientSecret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_NETBIRD_CLIENT_SECRET'] }}",
+      "Domain": "",
+      "AuthorizationEndpoint": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/api/oidc/authorization",
+      "TokenEndpoint": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/api/oidc/token",
+      "Scope": "openid profile email offline_access api",
+      "RedirectURLs": [
+        "http://localhost:53000"
+      ],
+      "UseIDToken": true
+    }
+  }
+}
@@ -0,0 +1,122 @@
+{
+    "issuer": "https://id.trez.wtf",
+    "authorization_endpoint": "https://id.trez.wtf/oauth/v2/authorize",
+    "token_endpoint": "https://id.trez.wtf/oauth/v2/token",
+    "introspection_endpoint": "https://id.trez.wtf/oauth/v2/introspect",
+    "userinfo_endpoint": "https://id.trez.wtf/oidc/v1/userinfo",
+    "revocation_endpoint": "https://id.trez.wtf/oauth/v2/revoke",
+    "end_session_endpoint": "https://id.trez.wtf/oidc/v1/end_session",
+    "device_authorization_endpoint": "https://id.trez.wtf/oauth/v2/device_authorization",
+    "jwks_uri": "https://id.trez.wtf/oauth/v2/keys",
+    "scopes_supported": [
+        "openid",
+        "profile",
+        "email",
+        "phone",
+        "address",
+        "offline_access"
+    ],
+    "response_types_supported": [
+        "code",
+        "id_token",
+        "id_token token"
+    ],
+    "response_modes_supported": [
+        "query",
+        "fragment",
+        "form_post"
+    ],
+    "grant_types_supported": [
+        "authorization_code",
+        "implicit",
+        "refresh_token",
+        "client_credentials",
+        "urn:ietf:params:oauth:grant-type:jwt-bearer",
+        "urn:ietf:params:oauth:grant-type:device_code"
+    ],
+    "subject_types_supported": [
+        "public"
+    ],
+    "id_token_signing_alg_values_supported": [
+        "RS256"
+    ],
+    "request_object_signing_alg_values_supported": [
+        "RS256"
+    ],
+    "token_endpoint_auth_methods_supported": [
+        "none",
+        "client_secret_basic",
+        "client_secret_post",
+        "private_key_jwt"
+    ],
+    "token_endpoint_auth_signing_alg_values_supported": [
+        "RS256"
+    ],
+    "revocation_endpoint_auth_methods_supported": [
+        "none",
+        "client_secret_basic",
+        "client_secret_post",
+        "private_key_jwt"
+    ],
+    "revocation_endpoint_auth_signing_alg_values_supported": [
+        "RS256"
+    ],
+    "introspection_endpoint_auth_methods_supported": [
+        "client_secret_basic",
+        "private_key_jwt"
+    ],
+    "introspection_endpoint_auth_signing_alg_values_supported": [
+        "RS256"
+    ],
+    "claims_supported": [
+        "sub",
+        "aud",
+        "exp",
+        "iat",
+        "iss",
+        "auth_time",
+        "nonce",
+        "acr",
+        "amr",
+        "c_hash",
+        "at_hash",
+        "act",
+        "scopes",
+        "client_id",
+        "azp",
+        "preferred_username",
+        "name",
+        "family_name",
+        "given_name",
+        "locale",
+        "email",
+        "email_verified",
+        "phone_number",
+        "phone_number_verified"
+    ],
+    "code_challenge_methods_supported": [
+        "S256"
+    ],
+    "ui_locales_supported": [
+        "bg",
+        "cs",
+        "de",
+        "en",
+        "es",
+        "fr",
+        "hu",
+        "id",
+        "it",
+        "ja",
+        "ko",
+        "mk",
+        "nl",
+        "pl",
+        "pt",
+        "ru",
+        "sv",
+        "zh"
+    ],
+    "request_parameter_supported": true,
+    "request_uri_parameter_supported": false
+}
@@ -0,0 +1,725 @@
+# Coturn TURN SERVER configuration file
+#
+# Boolean values note: where a boolean value is supposed to be used,
+# you can use '0', 'off', 'no', 'false', or 'f' as 'false,
+# and you can use '1', 'on', 'yes', 'true', or 't' as 'true'
+# If the value is missing, then it means 'true' by default.
+#
+
+# Listener interface device (optional, Linux only).
+# NOT RECOMMENDED.
+#
+#listening-device=eth0
+
+# TURN listener port for UDP and TCP (Default: 3478).
+# Note: actually, TLS & DTLS sessions can connect to the
+# "plain" TCP & UDP port(s), too - if allowed by configuration.
+#
+listening-port=3478
+
+# TURN listener port for TLS (Default: 5349).
+# Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
+# port(s), too - if allowed by configuration. The TURN server
+# "automatically" recognizes the type of traffic. Actually, two listening
+# endpoints (the "plain" one and the "tls" one) are equivalent in terms of
+# functionality; but Coturn keeps both endpoints to satisfy the RFC 5766 specs.
+# For secure TCP connections, Coturn currently supports SSL version 3 and
+# TLS version 1.0, 1.1 and 1.2.
+# For secure UDP connections, Coturn supports DTLS version 1.
+#
+tls-listening-port=5349
+
+# Alternative listening port for UDP and TCP listeners;
+# default (or zero) value means "listening port plus one".
+# This is needed for RFC 5780 support
+# (STUN extension specs, NAT behavior discovery). The TURN Server
+# supports RFC 5780 only if it is started with more than one
+# listening IP address of the same family (IPv4 or IPv6).
+# RFC 5780 is supported only by UDP protocol, other protocols
+# are listening to that endpoint only for "symmetry".
+#
+#alt-listening-port=0
+
+# Alternative listening port for TLS and DTLS protocols.
+# Default (or zero) value means "TLS listening port plus one".
+#
+#alt-tls-listening-port=0
+
+# Some network setups will require using a TCP reverse proxy in front
+# of the STUN server. If the proxy port option is set a single listener
+# is started on the given port that accepts connections using the
+# haproxy proxy protocol v2.
+# (https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)
+#
+#tcp-proxy-port=5555
+
+# Listener IP address of relay server. Multiple listeners can be specified.
+# If no IP(s) specified in the config file or in the command line options,
+# then all IPv4 and IPv6 system IPs will be used for listening.
+#
+#listening-ip=172.17.19.101
+#listening-ip=10.207.21.238
+#listening-ip=2607:f0d0:1002:51::4
+
+# Auxiliary STUN/TURN server listening endpoint.
+# Aux servers have almost full TURN and STUN functionality.
+# The (minor) limitations are:
+#
+# 1) Auxiliary servers do not have alternative ports and
+# they do not support STUN RFC 5780 functionality (CHANGE REQUEST).
+#
+# 2) Auxiliary servers also are never returning ALTERNATIVE-SERVER reply.
+#
+# Valid formats are 1.2.3.4:5555 for IPv4 and [1:2::3:4]:5555 for IPv6.
+#
+# There may be multiple aux-server options, each will be used for listening
+# to client requests.
+#
+#aux-server=172.17.19.110:33478
+#aux-server=[2607:f0d0:1002:51::4]:33478
+
+# (recommended for older Linuxes only)
+# Automatically balance UDP traffic over auxiliary servers (if configured).
+# The load balancing is using the ALTERNATE-SERVER mechanism.
+# The TURN client must support 300 ALTERNATE-SERVER response for this
+# functionality.
+#
+#udp-self-balance
+
+# Relay interface device for relay sockets (optional, Linux only).
+# NOT RECOMMENDED.
+#
+#relay-device=eth1
+
+# Relay address (the local IP address that will be used to relay the
+# packets to the peer).
+# Multiple relay addresses may be used.
+# The same IP(s) can be used as both listening IP(s) and relay IP(s).
+#
+# If no relay IP(s) specified, then the turnserver will apply the default
+# policy: it will decide itself which relay addresses to be used, and it
+# will always be using the client socket IP address as the relay IP address
+# of the TURN session (if the requested relay address family is the same
+# as the family of the client socket).
+#
+#relay-ip=172.17.19.105
+#relay-ip=2607:f0d0:1002:51::5
+
+# For Amazon EC2 users:
+#
+# TURN Server public/private address mapping, if the server is behind NAT.
+# In that situation, if a -X is used in form "-X <ip>" then that ip will be reported
+# as relay IP address of all allocations. This scenario works only in a simple case
+# when one single relay address is be used, and no RFC5780 functionality is required.
+# That single relay address must be mapped by NAT to the 'external' IP.
+# The "external-ip" value, if not empty, is returned in XOR-RELAYED-ADDRESS field.
+# For that 'external' IP, NAT must forward ports directly (relayed port 12345
+# must be always mapped to the same 'external' port 12345).
+#
+# In more complex case when more than one IP address is involved,
+# that option must be used several times, each entry must
+# have form "-X <public-ip/private-ip>", to map all involved addresses.
+# RFC5780 NAT discovery STUN functionality will work correctly,
+# if the addresses are mapped properly, even when the TURN server itself
+# is behind A NAT.
+#
+# By default, this value is empty, and no address mapping is used.
+#
+# external-ip=193.224.22.37
+#
+#OR:
+#
+#external-ip=60.70.80.91/172.17.19.101
+#external-ip=60.70.80.92/172.17.19.102
+
+external-ip=108.29.206.17
+
+# Number of the relay threads to handle the established connections
+# (in addition to authentication thread and the listener thread).
+# If explicitly set to 0 then application runs relay process in a
+# single thread, in the same thread with the listener process
+# (the authentication thread will still be a separate thread).
+#
+# If this parameter is not set, then the default OS-dependent
+# thread pattern algorithm will be employed. Usually the default
+# algorithm is optimal, so you have to change this option
+# if you want to make some fine tweaks.
+#
+# In the older systems (Linux kernel before 3.9),
+# the number of UDP threads is always one thread per network listening
+# endpoint - including the auxiliary endpoints - unless 0 (zero) or
+# 1 (one) value is set.
+#
+#relay-threads=0
+
+# Lower and upper bounds of the UDP relay endpoints:
+# (default values are 49152 and 65535)
+#
+min-port=49152
+max-port=65535
+
+# Uncomment to run TURN server in 'normal' 'moderate' verbose mode.
+# By default the verbose mode is off.
+#verbose
+
+# Uncomment to run TURN server in 'extra' verbose mode.
+# This mode is very annoying and produces lots of output.
+# Not recommended under normal circumstances.
+#
+#Verbose
+
+# Uncomment to use fingerprints in the TURN messages.
+# By default the fingerprints are off.
+#
+fingerprint
+
+# Uncomment to use long-term credential mechanism.
+# By default no credentials mechanism is used (any user allowed).
+#
+lt-cred-mech
+
+# This option is the opposite of lt-cred-mech.
+# (TURN Server with no-auth option allows anonymous access).
+# If neither option is defined, and no users are defined,
+# then no-auth is default. If at least one user is defined,
+# in this file, in command line or in usersdb file, then
+# lt-cred-mech is default.
+#
+#no-auth
+
+# TURN REST API flag.
+# (Time Limited Long Term Credential)
+# Flag that sets a special authorization option that is based upon authentication secret.
+#
+# This feature's purpose is to support "TURN Server REST API", see
+# "TURN REST API" link in the project's page
+# https://github.com/coturn/coturn/
+#
+# This option is used with timestamp:
+#
+# usercombo -> "timestamp:userid"
+# turn user -> usercombo
+# turn password -> base64(hmac(secret key, usercombo))
+#
+# This allows TURN credentials to be accounted for a specific user id.
+# If you don't have a suitable id, then the timestamp alone can be used.
+# This option is enabled by turning on secret-based authentication.
+# The actual value of the secret is defined either by the option static-auth-secret,
+# or can be found in the turn_secret table in the database (see below).
+#
+# Read more about it:
+#  - https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00
+#  - https://www.ietf.org/proceedings/87/slides/slides-87-behave-10.pdf
+#
+# Be aware that use-auth-secret overrides some parts of lt-cred-mech.
+# The use-auth-secret feature depends internally on lt-cred-mech, so if you set
+# this option then it automatically enables lt-cred-mech internally
+# as if you had enabled both.
+#
+# Note that you can use only one auth mechanism at the same time! This is because,
+# both mechanisms conduct username and password validation in different ways.
+#
+# Use either lt-cred-mech or use-auth-secret in the conf
+# to avoid any confusion.
+#
+#use-auth-secret
+
+# 'Static' authentication secret value (a string) for TURN REST API only.
+# If not set, then the turn server
+# will try to use the 'dynamic' value in the turn_secret table
+# in the user database (if present). The database-stored  value can be changed on-the-fly
+# by a separate program, so this is why that mode is considered 'dynamic'.
+#
+#static-auth-secret=north
+
+# Server name used for
+# the oAuth authentication purposes.
+# The default value is the realm name.
+#
+# server-name=stun.wiretrustee.com
+
+# Flag that allows oAuth authentication.
+#
+#oauth
+
+# 'Static' user accounts for the long term credentials mechanism, only.
+# This option cannot be used with TURN REST API.
+# 'Static' user accounts are NOT dynamically checked by the turnserver process,
+# so they can NOT be changed while the turnserver is running.
+#
+#user=username1:key1
+#user=username2:key2
+# OR:
+user=self:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_TURN_PASSWORD'] }}
+#user=username2:password2
+#
+# Keys must be generated by turnadmin utility. The key value depends
+# on user name, realm, and password:
+#
+# Example:
+# $ turnadmin -k -u ninefingers -r north.gov -p youhavetoberealistic
+# Output: 0xbc807ee29df3c9ffa736523fb2c4e8ee
+# ('0x' in the beginning of the key is what differentiates the key from
+# password. If it has 0x then it is a key, otherwise it is a password).
+#
+# The corresponding user account entry in the config file will be:
+#
+#user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee
+# Or, equivalently, with open clear password (less secure):
+#user=ninefingers:youhavetoberealistic
+#
+
+# SQLite database file name.
+#
+# The default file name is /var/db/turndb or /usr/local/var/db/turndb or
+# /var/lib/turn/turndb.
+#
+#userdb=/var/db/turndb
+
+# PostgreSQL database connection string in the case that you are using PostgreSQL
+# as the user database.
+# This database can be used for the long-term credential mechanism
+# and it can store the secret value for secret-based timed authentication in TURN REST API.
+# See http://www.postgresql.org/docs/8.4/static/libpq-connect.html for 8.x PostgreSQL
+# versions connection string format, see
+# http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING
+# for 9.x and newer connection string formats.
+#
+#psql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> connect_timeout=30"
+
+# MySQL database connection string in the case that you are using MySQL
+# as the user database.
+# This database can be used for the long-term credential mechanism
+# and it can store the secret value for secret-based timed authentication in TURN REST API.
+#
+# Optional connection string parameters for the secure communications (SSL):
+# ca, capath, cert, key, cipher
+# (see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the
+# command options description).
+#
+# Use the string format below (space separated parameters, all optional):
+#
+# mysql-userdb="host=mysql dbname=coturn user=coturn password=CHANGE_ME port=3306 connect_timeout=10 read_timeout=10"
+
+# If you want to use an encrypted password in the MySQL connection string,
+# then set the MySQL password encryption secret key file with this option.
+#
+# Warning: If this option is set, then the mysql password must be set in "mysql-userdb" in an encrypted format!
+# If you want to use a cleartext password then do not set this option!
+#
+# This is the file path for the aes encrypted secret key used for password encryption.
+#
+#secret-key-file=/path/
+
+# MongoDB database connection string in the case that you are using MongoDB
+# as the user database.
+# This database can be used for long-term credential mechanism
+# and it can store the secret value for secret-based timed authentication in TURN REST API.
+# Use the string format described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html
+#
+#mongo-userdb="mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]"
+
+# Redis database connection string in the case that you are using Redis
+# as the user database.
+# This database can be used for long-term credential mechanism
+# and it can store the secret value for secret-based timed authentication in TURN REST API.
+# Use the string format below (space separated parameters, all optional):
+#
+#redis-userdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
+
+# Redis status and statistics database connection string, if used (default - empty, no Redis stats DB used).
+# This database keeps allocations status information, and it can be also used for publishing
+# and delivering traffic and allocation event notifications.
+# The connection string has the same parameters as redis-userdb connection string.
+# Use the string format below (space separated parameters, all optional):
+#
+#redis-statsdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
+
+# The default realm to be used for the users when no explicit
+# origin/realm relationship is found in the database, or if the TURN
+# server is not using any database (just the commands-line settings
+# and the userdb file). Must be used with long-term credentials
+# mechanism or with TURN REST API.
+#
+# Note: If the default realm is not specified, then realm falls back to the host domain name.
+#       If the domain name string is empty, or set to '(None)', then it is initialized as an empty string.
+#
+# realm=wiretrustee.com
+# This flag sets the origin consistency
+# check. Across the session, all requests must have the same
+# main ORIGIN attribute value (if the ORIGIN was
+# initially used by the session).
+#
+#check-origin-consistency
+
+# Per-user allocation quota.
+# default value is 0 (no quota, unlimited number of sessions per user).
+# This option can also be set through the database, for a particular realm.
+#
+#user-quota=0
+
+# Total allocation quota.
+# default value is 0 (no quota).
+# This option can also be set through the database, for a particular realm.
+#
+#total-quota=0
+
+# Max bytes-per-second bandwidth a TURN session is allowed to handle
+# (input and output network streams are treated separately). Anything above
+# that limit will be dropped or temporarily suppressed (within
+# the available buffer limits).
+# This option can also be set through the database, for a particular realm.
+#
+#max-bps=0
+
+#
+# Maximum server capacity.
+# Total bytes-per-second bandwidth the TURN server is allowed to allocate
+# for the sessions, combined (input and output network streams are treated separately).
+#
+# bps-capacity=0
+
+# Uncomment if no UDP client listener is desired.
+# By default UDP client listener is always started.
+#
+#no-udp
+
+# Uncomment if no TCP client listener is desired.
+# By default TCP client listener is always started.
+#
+#no-tcp
+
+# Uncomment if no TLS client listener is desired.
+# By default TLS client listener is always started.
+#
+#no-tls
+
+# Uncomment if no DTLS client listener is desired.
+# By default DTLS client listener is always started.
+#
+#no-dtls
+
+# Uncomment if no UDP relay endpoints are allowed.
+# By default UDP relay endpoints are enabled (like in RFC 5766).
+#
+#no-udp-relay
+
+# Uncomment if no TCP relay endpoints are allowed.
+# By default TCP relay endpoints are enabled (like in RFC 6062).
+#
+#no-tcp-relay
+
+# Uncomment if extra security is desired,
+# with nonce value having a limited lifetime.
+# The nonce value is unique for a session.
+# Set this option to limit the nonce lifetime.
+# Set it to 0 for unlimited lifetime.
+# It defaults to 600 secs (10 min) if no value is provided. After that delay,
+# the client will get 438 error and will have to re-authenticate itself.
+#
+#stale-nonce=600
+
+# Uncomment if you want to set the maximum allocation
+# time before it has to be refreshed.
+# Default is 3600s.
+#
+#max-allocate-lifetime=3600
+
+
+# Uncomment to set the lifetime for the channel.
+# Default value is 600 secs (10 minutes).
+# This value MUST not be changed for production purposes.
+#
+#channel-lifetime=600
+
+# Uncomment to set the permission lifetime.
+# Default to 300 secs (5 minutes).
+# In production this value MUST not be changed,
+# however it can be useful for test purposes.
+#
+#permission-lifetime=300
+
+# Certificate file.
+# Use an absolute path or path relative to the
+# configuration file.
+# Use PEM file format.
+#
+cert=/etc/coturn/certs/cert.pem
+
+# Private key file.
+# Use an absolute path or path relative to the
+# configuration file.
+# Use PEM file format.
+#
+pkey=/etc/coturn/private/privkey.pem
+
+# Private key file password, if it is in encoded format.
+# This option has no default value.
+#
+#pkey-pwd=...
+
+# Allowed OpenSSL cipher list for TLS/DTLS connections.
+# Default value is "DEFAULT".
+#
+#cipher-list="DEFAULT"
+
+# CA file in OpenSSL format.
+# Forces TURN server to verify the client SSL certificates.
+# By default this is not set: there is no default value and the client
+# certificate is not checked.
+#
+# Example:
+#CA-file=/etc/ssh/id_rsa.cert
+
+# Curve name for EC ciphers, if supported by OpenSSL
+# library (TLS and DTLS). The default value is prime256v1,
+# if pre-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+,
+# an optimal curve will be automatically calculated, if not defined
+# by this option.
+#
+#ec-curve-name=prime256v1
+
+# Use 566 bits predefined DH TLS key. Default size of the key is 2066.
+#
+#dh566
+
+# Use 1066 bits predefined DH TLS key. Default size of the key is 2066.
+#
+#dh1066
+
+# Use custom DH TLS key, stored in PEM format in the file.
+# Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.
+#
+#dh-file=<DH-PEM-file-name>
+
+# Flag to prevent stdout log messages.
+# By default, all log messages go to both stdout and to
+# the configured log file. With this option everything will
+# go to the configured log only (unless the log file itself is stdout).
+#
+#no-stdout-log
+
+# Option to set the log file name.
+# By default, the turnserver tries to open a log file in
+# /var/log, /var/tmp, /tmp and the current directory
+# (Whichever file open operation succeeds first will be used).
+# With this option you can set the definite log file name.
+# The special names are "stdout" and "-" - they will force everything
+# to the stdout. Also, the "syslog" name will force everything to
+# the system log (syslog).
+# In the runtime, the logfile can be reset with the SIGHUP signal
+# to the turnserver process.
+#
+log-file=stdout
+
+# Option to redirect all log output into system log (syslog).
+#
+# syslog
+
+# This flag means that no log file rollover will be used, and the log file
+# name will be constructed as-is, without PID and date appendage.
+# This option can be used, for example, together with the logrotate tool.
+#
+#simple-log
+
+# Option to set the "redirection" mode. The value of this option
+# will be the address of the alternate server for UDP & TCP service in the form of
+# <ip>[:<port>]. The server will send this value in the attribute
+# ALTERNATE-SERVER, with error 300, on ALLOCATE request, to the client.
+# Client will receive only values with the same address family
+# as the client network endpoint address family.
+# See RFC 5389 and RFC 5766 for the description of ALTERNATE-SERVER functionality.
+# The client must use the obtained value for subsequent TURN communications.
+# If more than one --alternate-server option is provided, then the functionality
+# can be more accurately described as "load-balancing" than a mere "redirection".
+# If the port number is omitted, then the default port
+# number 3478 for the UDP/TCP protocols will be used.
+# Colon (:) characters in IPv6 addresses may conflict with the syntax of
+# the option. To alleviate this conflict, literal IPv6 addresses are enclosed
+# in square brackets in such resource identifiers, for example:
+# [2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 .
+# Multiple alternate servers can be set. They will be used in the
+# round-robin manner. All servers in the pool are considered of equal weight and
+# the load will be distributed equally. For example, if you have 4 alternate servers,
+# then each server will receive 25% of ALLOCATE requests. A alternate TURN server
+# address can be used more than one time with the alternate-server option, so this
+# can emulate "weighting" of the servers.
+#
+# Examples:
+#alternate-server=1.2.3.4:5678
+#alternate-server=11.22.33.44:56789
+#alternate-server=5.6.7.8
+#alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
+
+# Option to set alternative server for TLS & DTLS services in form of
+# <ip>:<port>. If the port number is omitted, then the default port
+# number 5349 for the TLS/DTLS protocols will be used. See the previous
+# option for the functionality description.
+#
+# Examples:
+#tls-alternate-server=1.2.3.4:5678
+#tls-alternate-server=11.22.33.44:56789
+#tls-alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
+
+# Option to suppress TURN functionality, only STUN requests will be processed.
+# Run as STUN server only, all TURN requests will be ignored.
+# By default, this option is NOT set.
+#
+#stun-only
+
+# Option to hide software version. Enhance security when used in production.
+# Revealing the specific software version of the agent through the
+# SOFTWARE attribute might allow them to become more vulnerable to
+# attacks against software that is known to contain security holes.
+# Implementers SHOULD make usage of the SOFTWARE attribute a
+# configurable option (https://tools.ietf.org/html/rfc5389#section-16.1.2)
+#
+no-software-attribute
+
+# Option to suppress STUN functionality, only TURN requests will be processed.
+# Run as TURN server only, all STUN requests will be ignored.
+# By default, this option is NOT set.
+#
+#no-stun
+
+# This is the timestamp/username separator symbol (character) in TURN REST API.
+# The default value is ':'.
+# rest-api-separator=:
+
+# Flag that can be used to allow peers on the loopback addresses (127.x.x.x and ::1).
+# This is an extra security measure.
+#
+# (To avoid any security issue that allowing loopback access may raise,
+# the no-loopback-peers option is replaced by allow-loopback-peers.)
+#
+# Allow it only for testing in a development environment!
+# In production it adds a possible security vulnerability, so for security reasons
+# it is not allowed using it together with empty cli-password.
+#
+#allow-loopback-peers
+
+# Flag that can be used to disallow peers on well-known broadcast addresses (224.0.0.0 and above, and FFXX:*).
+# This is an extra security measure.
+#
+#no-multicast-peers
+
+# Option to set the max time, in seconds, allowed for full allocation establishment.
+# Default is 60 seconds.
+#
+#max-allocate-timeout=60
+
+# Option to allow or ban specific ip addresses or ranges of ip addresses.
+# If an ip address is specified as both allowed and denied, then the ip address is
+# considered to be allowed. This is useful when you wish to ban a range of ip
+# addresses, except for a few specific ips within that range.
+#
+# This can be used when you do not want users of the turn server to be able to access
+# machines reachable by the turn server, but would otherwise be unreachable from the
+# internet (e.g. when the turn server is sitting behind a NAT)
+#
+# Examples:
+# denied-peer-ip=83.166.64.0-83.166.95.255
+# allowed-peer-ip=83.166.68.45
+
+# File name to store the pid of the process.
+# Default is /var/run/turnserver.pid (if superuser account is used) or
+# /var/tmp/turnserver.pid .
+#
+pidfile="/var/tmp/turnserver.pid"
+
+# Require authentication of the STUN Binding request.
+# By default, the clients are allowed anonymous access to the STUN Binding functionality.
+#
+#secure-stun
+
+# Mobility with ICE (MICE) specs support.
+#
+#mobility
+
+# Allocate Address Family according
+# If enabled then TURN server allocates address family according  the TURN
+# Client <=> Server communication address family.
+# (By default Coturn works according RFC 6156.)
+# !!Warning: Enabling this option breaks RFC6156 section-4.2 (violates use default IPv4)!!
+#
+#keep-address-family
+
+
+# User name to run the process. After the initialization, the turnserver process
+# will attempt to change the current user ID to that user.
+#
+#proc-user=<user-name>
+
+# Group name to run the process. After the initialization, the turnserver process
+# will attempt to change the current group ID to that group.
+#
+#proc-group=<group-name>
+
+# Turn OFF the CLI support.
+# By default it is always ON.
+# See also options cli-ip and cli-port.
+#
+no-cli
+
+#Local system IP address to be used for CLI server endpoint. Default value
+# is 127.0.0.1.
+#
+# cli-ip=127.0.0.1
+
+# CLI server port. Default is 5766.
+#
+# cli-port=5766
+
+# CLI access password. Default is empty (no password).
+# For the security reasons, it is recommended that you use the encrypted
+# form of the password (see the -P command in the turnadmin utility).
+#
+# Secure form for password 'qwerty':
+#
+#cli-password=$5$79a316b350311570$81df9cfb9af7f5e5a76eada31e7097b663a0670f99a3c07ded3f1c8e59c5658a
+#
+# Or insecure form for the same password:
+#
+# cli-password=CHANGE_ME
+
+# Enable Web-admin support on https. By default it is Disabled.
+# If it is enabled it also enables a http a simple static banner page
+# with a small reminder that the admin page is available only on https.
+#
+#web-admin
+
+# Local system IP address to be used for Web-admin server endpoint. Default value is 127.0.0.1.
+#
+#web-admin-ip=127.0.0.1
+
+# Web-admin server port. Default is 8080.
+#
+#web-admin-port=8080
+
+# Web-admin server listen on STUN/TURN worker threads
+# By default it is disabled for security reasons! (Not recommended in any production environment!)
+#
+#web-admin-listen-on-workers
+
+# Server relay. NON-STANDARD AND DANGEROUS OPTION.
+# Only for those applications when you want to run
+# server applications on the relay endpoints.
+# This option eliminates the IP permissions check on
+# the packets incoming to the relay endpoints.
+#
+#server-relay
+
+# Maximum number of output sessions in ps CLI command.
+# This value can be changed on-the-fly in CLI. The default value is 256.
+#
+#cli-max-output-sessions
+
+# Set network engine type for the process (for internal purposes).
+#
+#ne=[1|2|3]
+
+# Do not allow an TLS/DTLS version of protocol
+#
+#no-tlsv1
+#no-tlsv1_1
+#no-tlsv1_2
@@ -0,0 +1,76 @@
+{
+  "Stuns": [
+    {
+      "Proto": "udp",
+      "URI": "stun:netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:3478",
+      "Username": "",
+      "Password": null
+    }
+  ],
+  "TURNConfig": {
+    "Turns": [
+      {
+        "Proto": "udp",
+        "URI": "turn:netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:3478",
+        "Username": "self",
+        "Password": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_TURN_PASSWORD'] }}"
+      }
+    ],
+    "CredentialsTTL": "12h",
+    "Secret": "secret",
+    "TimeBasedCredentials": false
+  },
+  "Relay": {
+    "Addresses": [
+      "rel://netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:33080"
+    ],
+    "CredentialsTTL": "24h",
+    "Secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_RELAY_AUTH_SECRET'] }}"
+  },
+  "Signal": {
+    "Proto": "https",
+    "URI": "netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:10001",
+    "Username": "",
+    "Password": null
+  },
+  "ReverseProxy": {
+    "TrustedHTTPProxies": [],
+    "TrustedHTTPProxiesCount": 0,
+    "TrustedPeers": [
+      "0.0.0.0/0"
+    ]
+  },
+  "Datadir": "",
+  "DataStoreEncryptionKey": "",
+  "StoreConfig": {
+    "Engine": "sqlite"
+  },
+  "HttpConfig": {
+    "Address": "0.0.0.0:33073",
+    "AuthIssuer": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}",
+    "AuthAudience": "netbird",
+    "AuthKeysLocation": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/jwks.json",
+    "AuthUserIDClaim": "",
+    "CertFile": "",
+    "CertKey": "",
+    "IdpSignKeyRefreshEnabled": true,
+    "OIDCConfigEndpoint": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/.well-known/openid-configuration"
+  },
+  "IdpManagerConfig": {},
+  "DeviceAuthorizationFlow": {},
+  "PKCEAuthorizationFlow": {
+    "ProviderConfig": {
+      "Audience": "netbird",
+      "ClientID": "netbird",
+      "ClientSecret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_NETBIRD_CLIENT_SECRET'] }}",
+      "Domain": "",
+      "AuthorizationEndpoint": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/api/oidc/authorization",
+      "TokenEndpoint": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/api/oidc/token",
+      "Scope": "openid profile email offline_access api",
+      "RedirectURLs": [
+        "http://localhost:53000"
+      ],
+      "UseIDToken": true
+    }
+  }
+}
@@ -0,0 +1,122 @@
+{
+    "issuer": "https://id.trez.wtf",
+    "authorization_endpoint": "https://id.trez.wtf/oauth/v2/authorize",
+    "token_endpoint": "https://id.trez.wtf/oauth/v2/token",
+    "introspection_endpoint": "https://id.trez.wtf/oauth/v2/introspect",
+    "userinfo_endpoint": "https://id.trez.wtf/oidc/v1/userinfo",
+    "revocation_endpoint": "https://id.trez.wtf/oauth/v2/revoke",
+    "end_session_endpoint": "https://id.trez.wtf/oidc/v1/end_session",
+    "device_authorization_endpoint": "https://id.trez.wtf/oauth/v2/device_authorization",
+    "jwks_uri": "https://id.trez.wtf/oauth/v2/keys",
+    "scopes_supported": [
+        "openid",
+        "profile",
+        "email",
+        "phone",
+        "address",
+        "offline_access"
+    ],
+    "response_types_supported": [
+        "code",
+        "id_token",
+        "id_token token"
+    ],
+    "response_modes_supported": [
+        "query",
+        "fragment",
+        "form_post"
+    ],
+    "grant_types_supported": [
+        "authorization_code",
+        "implicit",
+        "refresh_token",
+        "client_credentials",
+        "urn:ietf:params:oauth:grant-type:jwt-bearer",
+        "urn:ietf:params:oauth:grant-type:device_code"
+    ],
+    "subject_types_supported": [
+        "public"
+    ],
+    "id_token_signing_alg_values_supported": [
+        "RS256"
+    ],
+    "request_object_signing_alg_values_supported": [
+        "RS256"
+    ],
+    "token_endpoint_auth_methods_supported": [
+        "none",
+        "client_secret_basic",
+        "client_secret_post",
+        "private_key_jwt"
+    ],
+    "token_endpoint_auth_signing_alg_values_supported": [
+        "RS256"
+    ],
+    "revocation_endpoint_auth_methods_supported": [
+        "none",
+        "client_secret_basic",
+        "client_secret_post",
+        "private_key_jwt"
+    ],
+    "revocation_endpoint_auth_signing_alg_values_supported": [
+        "RS256"
+    ],
+    "introspection_endpoint_auth_methods_supported": [
+        "client_secret_basic",
+        "private_key_jwt"
+    ],
+    "introspection_endpoint_auth_signing_alg_values_supported": [
+        "RS256"
+    ],
+    "claims_supported": [
+        "sub",
+        "aud",
+        "exp",
+        "iat",
+        "iss",
+        "auth_time",
+        "nonce",
+        "acr",
+        "amr",
+        "c_hash",
+        "at_hash",
+        "act",
+        "scopes",
+        "client_id",
+        "azp",
+        "preferred_username",
+        "name",
+        "family_name",
+        "given_name",
+        "locale",
+        "email",
+        "email_verified",
+        "phone_number",
+        "phone_number_verified"
+    ],
+    "code_challenge_methods_supported": [
+        "S256"
+    ],
+    "ui_locales_supported": [
+        "bg",
+        "cs",
+        "de",
+        "en",
+        "es",
+        "fr",
+        "hu",
+        "id",
+        "it",
+        "ja",
+        "ko",
+        "mk",
+        "nl",
+        "pl",
+        "pt",
+        "ru",
+        "sv",
+        "zh"
+    ],
+    "request_parameter_supported": true,
+    "request_uri_parameter_supported": false
+}
@@ -0,0 +1,725 @@
+# Coturn TURN SERVER configuration file
+#
+# Boolean values note: where a boolean value is supposed to be used,
+# you can use '0', 'off', 'no', 'false', or 'f' as 'false,
+# and you can use '1', 'on', 'yes', 'true', or 't' as 'true'
+# If the value is missing, then it means 'true' by default.
+#
+
+# Listener interface device (optional, Linux only).
+# NOT RECOMMENDED.
+#
+#listening-device=eth0
+
+# TURN listener port for UDP and TCP (Default: 3478).
+# Note: actually, TLS & DTLS sessions can connect to the
+# "plain" TCP & UDP port(s), too - if allowed by configuration.
+#
+listening-port=3478
+
+# TURN listener port for TLS (Default: 5349).
+# Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
+# port(s), too - if allowed by configuration. The TURN server
+# "automatically" recognizes the type of traffic. Actually, two listening
+# endpoints (the "plain" one and the "tls" one) are equivalent in terms of
+# functionality; but Coturn keeps both endpoints to satisfy the RFC 5766 specs.
+# For secure TCP connections, Coturn currently supports SSL version 3 and
+# TLS version 1.0, 1.1 and 1.2.
+# For secure UDP connections, Coturn supports DTLS version 1.
+#
+tls-listening-port=5349
+
+# Alternative listening port for UDP and TCP listeners;
+# default (or zero) value means "listening port plus one".
+# This is needed for RFC 5780 support
+# (STUN extension specs, NAT behavior discovery). The TURN Server
+# supports RFC 5780 only if it is started with more than one
+# listening IP address of the same family (IPv4 or IPv6).
+# RFC 5780 is supported only by UDP protocol, other protocols
+# are listening to that endpoint only for "symmetry".
+#
+#alt-listening-port=0
+
+# Alternative listening port for TLS and DTLS protocols.
+# Default (or zero) value means "TLS listening port plus one".
+#
+#alt-tls-listening-port=0
+
+# Some network setups will require using a TCP reverse proxy in front
+# of the STUN server. If the proxy port option is set a single listener
+# is started on the given port that accepts connections using the
+# haproxy proxy protocol v2.
+# (https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)
+#
+#tcp-proxy-port=5555
+
+# Listener IP address of relay server. Multiple listeners can be specified.
+# If no IP(s) specified in the config file or in the command line options,
+# then all IPv4 and IPv6 system IPs will be used for listening.
+#
+#listening-ip=172.17.19.101
+#listening-ip=10.207.21.238
+#listening-ip=2607:f0d0:1002:51::4
+
+# Auxiliary STUN/TURN server listening endpoint.
+# Aux servers have almost full TURN and STUN functionality.
+# The (minor) limitations are:
+#
+# 1) Auxiliary servers do not have alternative ports and
+# they do not support STUN RFC 5780 functionality (CHANGE REQUEST).
+#
+# 2) Auxiliary servers also are never returning ALTERNATIVE-SERVER reply.
+#
+# Valid formats are 1.2.3.4:5555 for IPv4 and [1:2::3:4]:5555 for IPv6.
+#
+# There may be multiple aux-server options, each will be used for listening
+# to client requests.
+#
+#aux-server=172.17.19.110:33478
+#aux-server=[2607:f0d0:1002:51::4]:33478
+
+# (recommended for older Linuxes only)
+# Automatically balance UDP traffic over auxiliary servers (if configured).
+# The load balancing is using the ALTERNATE-SERVER mechanism.
+# The TURN client must support 300 ALTERNATE-SERVER response for this
+# functionality.
+#
+#udp-self-balance
+
+# Relay interface device for relay sockets (optional, Linux only).
+# NOT RECOMMENDED.
+#
+#relay-device=eth1
+
+# Relay address (the local IP address that will be used to relay the
+# packets to the peer).
+# Multiple relay addresses may be used.
+# The same IP(s) can be used as both listening IP(s) and relay IP(s).
+#
+# If no relay IP(s) specified, then the turnserver will apply the default
+# policy: it will decide itself which relay addresses to be used, and it
+# will always be using the client socket IP address as the relay IP address
+# of the TURN session (if the requested relay address family is the same
+# as the family of the client socket).
+#
+#relay-ip=172.17.19.105
+#relay-ip=2607:f0d0:1002:51::5
+
+# For Amazon EC2 users:
+#
+# TURN Server public/private address mapping, if the server is behind NAT.
+# In that situation, if a -X is used in form "-X <ip>" then that ip will be reported
+# as relay IP address of all allocations. This scenario works only in a simple case
+# when one single relay address is be used, and no RFC5780 functionality is required.
+# That single relay address must be mapped by NAT to the 'external' IP.
+# The "external-ip" value, if not empty, is returned in XOR-RELAYED-ADDRESS field.
+# For that 'external' IP, NAT must forward ports directly (relayed port 12345
+# must be always mapped to the same 'external' port 12345).
+#
+# In more complex case when more than one IP address is involved,
+# that option must be used several times, each entry must
+# have form "-X <public-ip/private-ip>", to map all involved addresses.
+# RFC5780 NAT discovery STUN functionality will work correctly,
+# if the addresses are mapped properly, even when the TURN server itself
+# is behind A NAT.
+#
+# By default, this value is empty, and no address mapping is used.
+#
+# external-ip=193.224.22.37
+#
+#OR:
+#
+#external-ip=60.70.80.91/172.17.19.101
+#external-ip=60.70.80.92/172.17.19.102
+
+external-ip=108.29.206.17
+
+# Number of the relay threads to handle the established connections
+# (in addition to authentication thread and the listener thread).
+# If explicitly set to 0 then application runs relay process in a
+# single thread, in the same thread with the listener process
+# (the authentication thread will still be a separate thread).
+#
+# If this parameter is not set, then the default OS-dependent
+# thread pattern algorithm will be employed. Usually the default
+# algorithm is optimal, so you have to change this option
+# if you want to make some fine tweaks.
+#
+# In the older systems (Linux kernel before 3.9),
+# the number of UDP threads is always one thread per network listening
+# endpoint - including the auxiliary endpoints - unless 0 (zero) or
+# 1 (one) value is set.
+#
+#relay-threads=0
+
+# Lower and upper bounds of the UDP relay endpoints:
+# (default values are 49152 and 65535)
+#
+min-port=49152
+max-port=65535
+
+# Uncomment to run TURN server in 'normal' 'moderate' verbose mode.
+# By default the verbose mode is off.
+#verbose
+
+# Uncomment to run TURN server in 'extra' verbose mode.
+# This mode is very annoying and produces lots of output.
+# Not recommended under normal circumstances.
+#
+#Verbose
+
+# Uncomment to use fingerprints in the TURN messages.
+# By default the fingerprints are off.
+#
+fingerprint
+
+# Uncomment to use long-term credential mechanism.
+# By default no credentials mechanism is used (any user allowed).
+#
+lt-cred-mech
+
+# This option is the opposite of lt-cred-mech.
+# (TURN Server with no-auth option allows anonymous access).
+# If neither option is defined, and no users are defined,
+# then no-auth is default. If at least one user is defined,
+# in this file, in command line or in usersdb file, then
+# lt-cred-mech is default.
+#
+#no-auth
+
+# TURN REST API flag.
+# (Time Limited Long Term Credential)
+# Flag that sets a special authorization option that is based upon authentication secret.
+#
+# This feature's purpose is to support "TURN Server REST API", see
+# "TURN REST API" link in the project's page
+# https://github.com/coturn/coturn/
+#
+# This option is used with timestamp:
+#
+# usercombo -> "timestamp:userid"
+# turn user -> usercombo
+# turn password -> base64(hmac(secret key, usercombo))
+#
+# This allows TURN credentials to be accounted for a specific user id.
+# If you don't have a suitable id, then the timestamp alone can be used.
+# This option is enabled by turning on secret-based authentication.
+# The actual value of the secret is defined either by the option static-auth-secret,
+# or can be found in the turn_secret table in the database (see below).
+#
+# Read more about it:
+#  - https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00
+#  - https://www.ietf.org/proceedings/87/slides/slides-87-behave-10.pdf
+#
+# Be aware that use-auth-secret overrides some parts of lt-cred-mech.
+# The use-auth-secret feature depends internally on lt-cred-mech, so if you set
+# this option then it automatically enables lt-cred-mech internally
+# as if you had enabled both.
+#
+# Note that you can use only one auth mechanism at the same time! This is because,
+# both mechanisms conduct username and password validation in different ways.
+#
+# Use either lt-cred-mech or use-auth-secret in the conf
+# to avoid any confusion.
+#
+#use-auth-secret
+
+# 'Static' authentication secret value (a string) for TURN REST API only.
+# If not set, then the turn server
+# will try to use the 'dynamic' value in the turn_secret table
+# in the user database (if present). The database-stored  value can be changed on-the-fly
+# by a separate program, so this is why that mode is considered 'dynamic'.
+#
+#static-auth-secret=north
+
+# Server name used for
+# the oAuth authentication purposes.
+# The default value is the realm name.
+#
+# server-name=stun.wiretrustee.com
+
+# Flag that allows oAuth authentication.
+#
+#oauth
+
+# 'Static' user accounts for the long term credentials mechanism, only.
+# This option cannot be used with TURN REST API.
+# 'Static' user accounts are NOT dynamically checked by the turnserver process,
+# so they can NOT be changed while the turnserver is running.
+#
+#user=username1:key1
+#user=username2:key2
+# OR:
+user=self:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_TURN_PASSWORD'] }}
+#user=username2:password2
+#
+# Keys must be generated by turnadmin utility. The key value depends
+# on user name, realm, and password:
+#
+# Example:
+# $ turnadmin -k -u ninefingers -r north.gov -p youhavetoberealistic
+# Output: 0xbc807ee29df3c9ffa736523fb2c4e8ee
+# ('0x' in the beginning of the key is what differentiates the key from
+# password. If it has 0x then it is a key, otherwise it is a password).
+#
+# The corresponding user account entry in the config file will be:
+#
+#user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee
+# Or, equivalently, with open clear password (less secure):
+#user=ninefingers:youhavetoberealistic
+#
+
+# SQLite database file name.
+#
+# The default file name is /var/db/turndb or /usr/local/var/db/turndb or
+# /var/lib/turn/turndb.
+#
+#userdb=/var/db/turndb
+
+# PostgreSQL database connection string in the case that you are using PostgreSQL
+# as the user database.
+# This database can be used for the long-term credential mechanism
+# and it can store the secret value for secret-based timed authentication in TURN REST API.
+# See http://www.postgresql.org/docs/8.4/static/libpq-connect.html for 8.x PostgreSQL
+# versions connection string format, see
+# http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING
+# for 9.x and newer connection string formats.
+#
+#psql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> connect_timeout=30"
+
+# MySQL database connection string in the case that you are using MySQL
+# as the user database.
+# This database can be used for the long-term credential mechanism
+# and it can store the secret value for secret-based timed authentication in TURN REST API.
+#
+# Optional connection string parameters for the secure communications (SSL):
+# ca, capath, cert, key, cipher
+# (see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the
+# command options description).
+#
+# Use the string format below (space separated parameters, all optional):
+#
+# mysql-userdb="host=mysql dbname=coturn user=coturn password=CHANGE_ME port=3306 connect_timeout=10 read_timeout=10"
+
+# If you want to use an encrypted password in the MySQL connection string,
+# then set the MySQL password encryption secret key file with this option.
+#
+# Warning: If this option is set, then the mysql password must be set in "mysql-userdb" in an encrypted format!
+# If you want to use a cleartext password then do not set this option!
+#
+# This is the file path for the aes encrypted secret key used for password encryption.
+#
+#secret-key-file=/path/
+
+# MongoDB database connection string in the case that you are using MongoDB
+# as the user database.
+# This database can be used for long-term credential mechanism
+# and it can store the secret value for secret-based timed authentication in TURN REST API.
+# Use the string format described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html
+#
+#mongo-userdb="mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]"
+
+# Redis database connection string in the case that you are using Redis
+# as the user database.
+# This database can be used for long-term credential mechanism
+# and it can store the secret value for secret-based timed authentication in TURN REST API.
+# Use the string format below (space separated parameters, all optional):
+#
+#redis-userdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
+
+# Redis status and statistics database connection string, if used (default - empty, no Redis stats DB used).
+# This database keeps allocations status information, and it can be also used for publishing
+# and delivering traffic and allocation event notifications.
+# The connection string has the same parameters as redis-userdb connection string.
+# Use the string format below (space separated parameters, all optional):
+#
+#redis-statsdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
+
+# The default realm to be used for the users when no explicit
+# origin/realm relationship is found in the database, or if the TURN
+# server is not using any database (just the commands-line settings
+# and the userdb file). Must be used with long-term credentials
+# mechanism or with TURN REST API.
+#
+# Note: If the default realm is not specified, then realm falls back to the host domain name.
+#       If the domain name string is empty, or set to '(None)', then it is initialized as an empty string.
+#
+# realm=wiretrustee.com
+# This flag sets the origin consistency
+# check. Across the session, all requests must have the same
+# main ORIGIN attribute value (if the ORIGIN was
+# initially used by the session).
+#
+#check-origin-consistency
+
+# Per-user allocation quota.
+# default value is 0 (no quota, unlimited number of sessions per user).
+# This option can also be set through the database, for a particular realm.
+#
+#user-quota=0
+
+# Total allocation quota.
+# default value is 0 (no quota).
+# This option can also be set through the database, for a particular realm.
+#
+#total-quota=0
+
+# Max bytes-per-second bandwidth a TURN session is allowed to handle
+# (input and output network streams are treated separately). Anything above
+# that limit will be dropped or temporarily suppressed (within
+# the available buffer limits).
+# This option can also be set through the database, for a particular realm.
+#
+#max-bps=0
+
+#
+# Maximum server capacity.
+# Total bytes-per-second bandwidth the TURN server is allowed to allocate
+# for the sessions, combined (input and output network streams are treated separately).
+#
+# bps-capacity=0
+
+# Uncomment if no UDP client listener is desired.
+# By default UDP client listener is always started.
+#
+#no-udp
+
+# Uncomment if no TCP client listener is desired.
+# By default TCP client listener is always started.
+#
+#no-tcp
+
+# Uncomment if no TLS client listener is desired.
+# By default TLS client listener is always started.
+#
+#no-tls
+
+# Uncomment if no DTLS client listener is desired.
+# By default DTLS client listener is always started.
+#
+#no-dtls
+
+# Uncomment if no UDP relay endpoints are allowed.
+# By default UDP relay endpoints are enabled (like in RFC 5766).
+#
+#no-udp-relay
+
+# Uncomment if no TCP relay endpoints are allowed.
+# By default TCP relay endpoints are enabled (like in RFC 6062).
+#
+#no-tcp-relay
+
+# Uncomment if extra security is desired,
+# with nonce value having a limited lifetime.
+# The nonce value is unique for a session.
+# Set this option to limit the nonce lifetime.
+# Set it to 0 for unlimited lifetime.
+# It defaults to 600 secs (10 min) if no value is provided. After that delay,
+# the client will get 438 error and will have to re-authenticate itself.
+#
+#stale-nonce=600
+
+# Uncomment if you want to set the maximum allocation
+# time before it has to be refreshed.
+# Default is 3600s.
+#
+#max-allocate-lifetime=3600
+
+
+# Uncomment to set the lifetime for the channel.
+# Default value is 600 secs (10 minutes).
+# This value MUST not be changed for production purposes.
+#
+#channel-lifetime=600
+
+# Uncomment to set the permission lifetime.
+# Default to 300 secs (5 minutes).
+# In production this value MUST not be changed,
+# however it can be useful for test purposes.
+#
+#permission-lifetime=300
+
+# Certificate file.
+# Use an absolute path or path relative to the
+# configuration file.
+# Use PEM file format.
+#
+cert=/etc/coturn/certs/cert.pem
+
+# Private key file.
+# Use an absolute path or path relative to the
+# configuration file.
+# Use PEM file format.
+#
+pkey=/etc/coturn/private/privkey.pem
+
+# Private key file password, if it is in encoded format.
+# This option has no default value.
+#
+#pkey-pwd=...
+
+# Allowed OpenSSL cipher list for TLS/DTLS connections.
+# Default value is "DEFAULT".
+#
+#cipher-list="DEFAULT"
+
+# CA file in OpenSSL format.
+# Forces TURN server to verify the client SSL certificates.
+# By default this is not set: there is no default value and the client
+# certificate is not checked.
+#
+# Example:
+#CA-file=/etc/ssh/id_rsa.cert
+
+# Curve name for EC ciphers, if supported by OpenSSL
+# library (TLS and DTLS). The default value is prime256v1,
+# if pre-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+,
+# an optimal curve will be automatically calculated, if not defined
+# by this option.
+#
+#ec-curve-name=prime256v1
+
+# Use 566 bits predefined DH TLS key. Default size of the key is 2066.
+#
+#dh566
+
+# Use 1066 bits predefined DH TLS key. Default size of the key is 2066.
+#
+#dh1066
+
+# Use custom DH TLS key, stored in PEM format in the file.
+# Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.
+#
+#dh-file=<DH-PEM-file-name>
+
+# Flag to prevent stdout log messages.
+# By default, all log messages go to both stdout and to
+# the configured log file. With this option everything will
+# go to the configured log only (unless the log file itself is stdout).
+#
+#no-stdout-log
+
+# Option to set the log file name.
+# By default, the turnserver tries to open a log file in
+# /var/log, /var/tmp, /tmp and the current directory
+# (Whichever file open operation succeeds first will be used).
+# With this option you can set the definite log file name.
+# The special names are "stdout" and "-" - they will force everything
+# to the stdout. Also, the "syslog" name will force everything to
+# the system log (syslog).
+# In the runtime, the logfile can be reset with the SIGHUP signal
+# to the turnserver process.
+#
+log-file=stdout
+
+# Option to redirect all log output into system log (syslog).
+#
+# syslog
+
+# This flag means that no log file rollover will be used, and the log file
+# name will be constructed as-is, without PID and date appendage.
+# This option can be used, for example, together with the logrotate tool.
+#
+#simple-log
+
+# Option to set the "redirection" mode. The value of this option
+# will be the address of the alternate server for UDP & TCP service in the form of
+# <ip>[:<port>]. The server will send this value in the attribute
+# ALTERNATE-SERVER, with error 300, on ALLOCATE request, to the client.
+# Client will receive only values with the same address family
+# as the client network endpoint address family.
+# See RFC 5389 and RFC 5766 for the description of ALTERNATE-SERVER functionality.
+# The client must use the obtained value for subsequent TURN communications.
+# If more than one --alternate-server option is provided, then the functionality
+# can be more accurately described as "load-balancing" than a mere "redirection".
+# If the port number is omitted, then the default port
+# number 3478 for the UDP/TCP protocols will be used.
+# Colon (:) characters in IPv6 addresses may conflict with the syntax of
+# the option. To alleviate this conflict, literal IPv6 addresses are enclosed
+# in square brackets in such resource identifiers, for example:
+# [2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 .
+# Multiple alternate servers can be set. They will be used in the
+# round-robin manner. All servers in the pool are considered of equal weight and
+# the load will be distributed equally. For example, if you have 4 alternate servers,
+# then each server will receive 25% of ALLOCATE requests. A alternate TURN server
+# address can be used more than one time with the alternate-server option, so this
+# can emulate "weighting" of the servers.
+#
+# Examples:
+#alternate-server=1.2.3.4:5678
+#alternate-server=11.22.33.44:56789
+#alternate-server=5.6.7.8
+#alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
+
+# Option to set alternative server for TLS & DTLS services in form of
+# <ip>:<port>. If the port number is omitted, then the default port
+# number 5349 for the TLS/DTLS protocols will be used. See the previous
+# option for the functionality description.
+#
+# Examples:
+#tls-alternate-server=1.2.3.4:5678
+#tls-alternate-server=11.22.33.44:56789
+#tls-alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
+
+# Option to suppress TURN functionality, only STUN requests will be processed.
+# Run as STUN server only, all TURN requests will be ignored.
+# By default, this option is NOT set.
+#
+#stun-only
+
+# Option to hide software version. Enhance security when used in production.
+# Revealing the specific software version of the agent through the
+# SOFTWARE attribute might allow them to become more vulnerable to
+# attacks against software that is known to contain security holes.
+# Implementers SHOULD make usage of the SOFTWARE attribute a
+# configurable option (https://tools.ietf.org/html/rfc5389#section-16.1.2)
+#
+no-software-attribute
+
+# Option to suppress STUN functionality, only TURN requests will be processed.
+# Run as TURN server only, all STUN requests will be ignored.
+# By default, this option is NOT set.
+#
+#no-stun
+
+# This is the timestamp/username separator symbol (character) in TURN REST API.
+# The default value is ':'.
+# rest-api-separator=:
+
+# Flag that can be used to allow peers on the loopback addresses (127.x.x.x and ::1).
+# This is an extra security measure.
+#
+# (To avoid any security issue that allowing loopback access may raise,
+# the no-loopback-peers option is replaced by allow-loopback-peers.)
+#
+# Allow it only for testing in a development environment!
+# In production it adds a possible security vulnerability, so for security reasons
+# it is not allowed using it together with empty cli-password.
+#
+#allow-loopback-peers
+
+# Flag that can be used to disallow peers on well-known broadcast addresses (224.0.0.0 and above, and FFXX:*).
+# This is an extra security measure.
+#
+#no-multicast-peers
+
+# Option to set the max time, in seconds, allowed for full allocation establishment.
+# Default is 60 seconds.
+#
+#max-allocate-timeout=60
+
+# Option to allow or ban specific ip addresses or ranges of ip addresses.
+# If an ip address is specified as both allowed and denied, then the ip address is
+# considered to be allowed. This is useful when you wish to ban a range of ip
+# addresses, except for a few specific ips within that range.
+#
+# This can be used when you do not want users of the turn server to be able to access
+# machines reachable by the turn server, but would otherwise be unreachable from the
+# internet (e.g. when the turn server is sitting behind a NAT)
+#
+# Examples:
+# denied-peer-ip=83.166.64.0-83.166.95.255
+# allowed-peer-ip=83.166.68.45
+
+# File name to store the pid of the process.
+# Default is /var/run/turnserver.pid (if superuser account is used) or
+# /var/tmp/turnserver.pid .
+#
+pidfile="/var/tmp/turnserver.pid"
+
+# Require authentication of the STUN Binding request.
+# By default, the clients are allowed anonymous access to the STUN Binding functionality.
+#
+#secure-stun
+
+# Mobility with ICE (MICE) specs support.
+#
+#mobility
+
+# Allocate Address Family according
+# If enabled then TURN server allocates address family according  the TURN
+# Client <=> Server communication address family.
+# (By default Coturn works according RFC 6156.)
+# !!Warning: Enabling this option breaks RFC6156 section-4.2 (violates use default IPv4)!!
+#
+#keep-address-family
+
+
+# User name to run the process. After the initialization, the turnserver process
+# will attempt to change the current user ID to that user.
+#
+#proc-user=<user-name>
+
+# Group name to run the process. After the initialization, the turnserver process
+# will attempt to change the current group ID to that group.
+#
+#proc-group=<group-name>
+
+# Turn OFF the CLI support.
+# By default it is always ON.
+# See also options cli-ip and cli-port.
+#
+no-cli
+
+#Local system IP address to be used for CLI server endpoint. Default value
+# is 127.0.0.1.
+#
+# cli-ip=127.0.0.1
+
+# CLI server port. Default is 5766.
+#
+# cli-port=5766
+
+# CLI access password. Default is empty (no password).
+# For the security reasons, it is recommended that you use the encrypted
+# form of the password (see the -P command in the turnadmin utility).
+#
+# Secure form for password 'qwerty':
+#
+#cli-password=$5$79a316b350311570$81df9cfb9af7f5e5a76eada31e7097b663a0670f99a3c07ded3f1c8e59c5658a
+#
+# Or insecure form for the same password:
+#
+# cli-password=CHANGE_ME
+
+# Enable Web-admin support on https. By default it is Disabled.
+# If it is enabled it also enables a http a simple static banner page
+# with a small reminder that the admin page is available only on https.
+#
+#web-admin
+
+# Local system IP address to be used for Web-admin server endpoint. Default value is 127.0.0.1.
+#
+#web-admin-ip=127.0.0.1
+
+# Web-admin server port. Default is 8080.
+#
+#web-admin-port=8080
+
+# Web-admin server listen on STUN/TURN worker threads
+# By default it is disabled for security reasons! (Not recommended in any production environment!)
+#
+#web-admin-listen-on-workers
+
+# Server relay. NON-STANDARD AND DANGEROUS OPTION.
+# Only for those applications when you want to run
+# server applications on the relay endpoints.
+# This option eliminates the IP permissions check on
+# the packets incoming to the relay endpoints.
+#
+#server-relay
+
+# Maximum number of output sessions in ps CLI command.
+# This value can be changed on-the-fly in CLI. The default value is 256.
+#
+#cli-max-output-sessions
+
+# Set network engine type for the process (for internal purposes).
+#
+#ne=[1|2|3]
+
+# Do not allow an TLS/DTLS version of protocol
+#
+#no-tlsv1
+#no-tlsv1_1
+#no-tlsv1_2
@@ -0,0 +1,11 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+<clickhouse>
+    <profiles>
+        <default>
+            <log_queries>0</log_queries>
+            <log_query_threads>0</log_query_threads>
+        </default>
+    </profiles>
+</clickhouse>
@@ -0,0 +1,11 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+<clickhouse>
+    <profiles>
+        <default>
+            <log_queries>0</log_queries>
+            <log_query_threads>0</log_query_threads>
+        </default>
+    </profiles>
+</clickhouse>
@@ -0,0 +1,62 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+version: 2
+
+postal:
+  web_hostname: post.trez.wtf
+  web_protocol: http
+  smtp_hostname: post.trez.wtf
+  use_ip_pools: false
+  signing_key_path: /config/signing.key
+  trusted_proxies: [ "172.18.0.0/16" ]
+
+web_server:
+  default_port: 5000
+  default_bind_address: 0.0.0.0
+
+main_db:
+  host: mariadb
+  username: postal
+  password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_MYSQL_PASSWORD'] }}
+  database: postal
+
+message_db:
+  host: mariadb
+  username: postal
+  password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_MYSQL_PASSWORD'] }}
+  prefix: postal
+
+smtp_server:
+  default_port: 25
+  default_bind_address: "::"
+  tls_enabled: true
+  tls_certificate_path: /config/certs/fullchain.pem
+  tls_private_key_path: /config/certs/privkey.pem
+
+dns:
+  # Specify the DNS records that you have configured. Refer to the documentation at
+  # https://github.com/atech/postal/wiki/Domains-&-DNS-Configuration for further
+  # information about these.
+  mx_records:
+    - mx.post.trez.wtf
+  spf_include: spf.post.trez.wtf
+  return_path_domain: rp.post.trez.wtf
+  route_domain: routes.post.trez.wtf
+  track_domain: track.post.trez.wtf
+
+smtp:
+  # Specify an SMTP server that can be used to send messages from the Postal management
+  # system to users. You can configure this to use a Postal mail server once the
+  # your installation has been set up.
+  host: postal-smtp
+  port: 25
+  username: rinoa/postal-smtp
+  password: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}"
+  from_name: Postal @ Rinoa
+  from_address: noreply@trez.wtf
+
+rails:
+  # This is generated automatically by the config initialization. It should be a random
+  # string unique to your installation.
+  secret_key: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_RAILS_SECRET_KEY'] }}"
@@ -0,0 +1,62 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+version: 2
+
+postal:
+  web_hostname: post.trez.wtf
+  web_protocol: http
+  smtp_hostname: post.trez.wtf
+  use_ip_pools: false
+  signing_key_path: /config/signing.key
+  trusted_proxies: [ "172.18.0.0/16" ]
+
+web_server:
+  default_port: 5000
+  default_bind_address: 0.0.0.0
+
+main_db:
+  host: mariadb
+  username: postal
+  password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_MYSQL_PASSWORD'] }}
+  database: postal
+
+message_db:
+  host: mariadb
+  username: postal
+  password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_MYSQL_PASSWORD'] }}
+  prefix: postal
+
+smtp_server:
+  default_port: 25
+  default_bind_address: "::"
+  tls_enabled: true
+  tls_certificate_path: /config/certs/fullchain.pem
+  tls_private_key_path: /config/certs/privkey.pem
+
+dns:
+  # Specify the DNS records that you have configured. Refer to the documentation at
+  # https://github.com/atech/postal/wiki/Domains-&-DNS-Configuration for further
+  # information about these.
+  mx_records:
+    - mx.post.trez.wtf
+  spf_include: spf.post.trez.wtf
+  return_path_domain: rp.post.trez.wtf
+  route_domain: routes.post.trez.wtf
+  track_domain: track.post.trez.wtf
+
+smtp:
+  # Specify an SMTP server that can be used to send messages from the Postal management
+  # system to users. You can configure this to use a Postal mail server once the
+  # your installation has been set up.
+  host: postal-smtp
+  port: 25
+  username: rinoa/postal-smtp
+  password: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}"
+  from_name: Postal @ Rinoa
+  from_address: noreply@trez.wtf
+
+rails:
+  # This is generated automatically by the config initialization. It should be a random
+  # string unique to your installation.
+  secret_key: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_RAILS_SECRET_KEY'] }}"
@@ -0,0 +1,21 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+<Config>
+  <BindAddress>*</BindAddress>
+  <Port>9696</Port>
+  <SslPort>6969</SslPort>
+  <EnableSsl>False</EnableSsl>
+  <LaunchBrowser>True</LaunchBrowser>
+  <ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['PROWLARR_API_KEY'] }}</ApiKey>
+  <AuthenticationMethod>Forms</AuthenticationMethod>
+  <AuthenticationRequired>Enabled</AuthenticationRequired>
+  <Branch>master</Branch>
+  <LogLevel>info</LogLevel>
+  <SslCertPath></SslCertPath>
+  <SslCertPassword></SslCertPassword>
+  <UrlBase></UrlBase>
+  <InstanceName>Prowlarr</InstanceName>
+  <UpdateMechanism>Docker</UpdateMechanism>
+  <Theme>light</Theme>
+</Config>
@@ -0,0 +1,21 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+<Config>
+  <BindAddress>*</BindAddress>
+  <Port>9696</Port>
+  <SslPort>6969</SslPort>
+  <EnableSsl>False</EnableSsl>
+  <LaunchBrowser>True</LaunchBrowser>
+  <ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['PROWLARR_API_KEY'] }}</ApiKey>
+  <AuthenticationMethod>Forms</AuthenticationMethod>
+  <AuthenticationRequired>Enabled</AuthenticationRequired>
+  <Branch>master</Branch>
+  <LogLevel>info</LogLevel>
+  <SslCertPath></SslCertPath>
+  <SslCertPassword></SslCertPassword>
+  <UrlBase></UrlBase>
+  <InstanceName>Prowlarr</InstanceName>
+  <UpdateMechanism>Docker</UpdateMechanism>
+  <Theme>light</Theme>
+</Config>
@@ -0,0 +1,20 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+{
+    "radarr_address": "http://radarr:7878",
+    "radarr_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['RADARR_API_KEY'] }}",
+    "root_folder_path": "/data/media/movies",
+    "tmdb_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['TMDB_API_KEY'] }}",
+    "fallback_to_top_result": false,
+    "radarr_api_timeout": 120.0,
+    "quality_profile_id": 1,
+    "metadata_profile_id": 1,
+    "search_for_movie": true,
+    "dry_run_adding_to_radarr": false,
+    "minimum_rating": 4.5,
+    "minimum_votes": 50,
+    "language_choice": "all",
+    "auto_start": true,
+    "auto_start_delay": 60.0
+}
@@ -0,0 +1,20 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+{
+    "radarr_address": "http://radarr:7878",
+    "radarr_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['RADARR_API_KEY'] }}",
+    "root_folder_path": "/data/media/movies",
+    "tmdb_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['TMDB_API_KEY'] }}",
+    "fallback_to_top_result": false,
+    "radarr_api_timeout": 120.0,
+    "quality_profile_id": 1,
+    "metadata_profile_id": 1,
+    "search_for_movie": true,
+    "dry_run_adding_to_radarr": false,
+    "minimum_rating": 4.5,
+    "minimum_votes": 50,
+    "language_choice": "all",
+    "auto_start": true,
+    "auto_start_delay": 60.0
+}
@@ -0,0 +1,21 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+<Config>
+  <LogLevel>info</LogLevel>
+  <BindAddress>*</BindAddress>
+  <EnableSsl>False</EnableSsl>
+  <SslCertPath></SslCertPath>
+  <Port>7878</Port>
+  <UrlBase></UrlBase>
+  <ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['RADARR_API_KEY'] }}</ApiKey>
+  <AuthenticationMethod>Forms</AuthenticationMethod>
+  <UpdateMechanism>Docker</UpdateMechanism>
+  <SslPort>9898</SslPort>
+  <LaunchBrowser>True</LaunchBrowser>
+  <Branch>master</Branch>
+  <SslCertPassword></SslCertPassword>
+  <InstanceName>Radarr</InstanceName>
+  <Theme>auto</Theme>
+  <AuthenticationRequired>Enabled</AuthenticationRequired>
+</Config>
@@ -0,0 +1,21 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+<Config>
+  <LogLevel>info</LogLevel>
+  <BindAddress>*</BindAddress>
+  <EnableSsl>False</EnableSsl>
+  <SslCertPath></SslCertPath>
+  <Port>7878</Port>
+  <UrlBase></UrlBase>
+  <ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['RADARR_API_KEY'] }}</ApiKey>
+  <AuthenticationMethod>Forms</AuthenticationMethod>
+  <UpdateMechanism>Docker</UpdateMechanism>
+  <SslPort>9898</SslPort>
+  <LaunchBrowser>True</LaunchBrowser>
+  <Branch>master</Branch>
+  <SslCertPassword></SslCertPassword>
+  <InstanceName>Radarr</InstanceName>
+  <Theme>auto</Theme>
+  <AuthenticationRequired>Enabled</AuthenticationRequired>
+</Config>
@@ -0,0 +1,21 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+<Config>
+  <BindAddress>*</BindAddress>
+  <Port>8787</Port>
+  <SslPort>6868</SslPort>
+  <EnableSsl>False</EnableSsl>
+  <LaunchBrowser>True</LaunchBrowser>
+  <ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['READARR_API_KEY'] }}</ApiKey>
+  <AuthenticationMethod>Forms</AuthenticationMethod>
+  <Branch>develop</Branch>
+  <LogLevel>info</LogLevel>
+  <SslCertPath></SslCertPath>
+  <SslCertPassword></SslCertPassword>
+  <UrlBase></UrlBase>
+  <InstanceName>Readarr</InstanceName>
+  <UpdateMechanism>Docker</UpdateMechanism>
+  <Theme>auto</Theme>
+  <AuthenticationRequired>Enabled</AuthenticationRequired>
+</Config>
@@ -0,0 +1,21 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+<Config>
+  <BindAddress>*</BindAddress>
+  <Port>8787</Port>
+  <SslPort>6868</SslPort>
+  <EnableSsl>False</EnableSsl>
+  <LaunchBrowser>True</LaunchBrowser>
+  <ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['READARR_API_KEY'] }}</ApiKey>
+  <AuthenticationMethod>Forms</AuthenticationMethod>
+  <Branch>develop</Branch>
+  <LogLevel>info</LogLevel>
+  <SslCertPath></SslCertPath>
+  <SslCertPassword></SslCertPassword>
+  <UrlBase></UrlBase>
+  <InstanceName>Readarr</InstanceName>
+  <UpdateMechanism>Docker</UpdateMechanism>
+  <Theme>auto</Theme>
+  <AuthenticationRequired>Enabled</AuthenticationRequired>
+</Config>
@@ -0,0 +1,48 @@
+# This is a generic example of a configuration file
+# Rename this file to `config.yml`, copy it to a `config` folder, and mount that folder as per the docker-compose.example.yml
+# Only uncomment the lines you want to use/modify, or add new ones where needed
+
+exclude:
+  # Exclude platforms to be scanned
+  platforms: [] # ['my_excluded_platform_1', 'my_excluded_platform_2']
+
+  # Exclude roms or parts of roms to be scanned
+  roms:
+    # Single file games section.
+    # Will not apply to files that are in sub-folders (multi-disc roms, games with updates, DLC, patches, etc.)
+    single_file:
+      # Exclude all files with certain extensions to be scanned
+      extensions: [] # ['xml', 'txt']
+
+      # Exclude matched file names to be scanned.
+      # Supports unix filename pattern matching
+      # Can also exclude files by extension
+      names: [] # ['info.txt', '._*', '*.nfo']
+
+    # Multi files games section
+    # Will apply to files that are in sub-folders (multi-disc roms, games with updates, DLC, patches, etc.)
+    multi_file:
+      # Exclude matched 'folder' names to be scanned (RomM identifies folders as multi file games)
+      names: [] # ['my_multi_file_game', 'DLC']
+
+      # Exclude files within sub-folders.
+      parts:
+        # Exclude matched file names to be scanned from multi file roms
+        # Keep in mind that RomM doesn't scan folders inside multi files games,
+        # so there is no need to exclude folders from inside of multi files games.
+        names: [] # ['data.xml', '._*'] # Supports unix filename pattern matching
+
+        # Exclude all files with certain extensions to be scanned from multi file roms
+        extensions: [] # ['xml', 'txt']
+
+system:
+  # Asociate different platform names to your current file system platform names
+  # [your custom platform folder name]: [RomM platform name]
+  # In this example if you have a 'gc' folder, RomM will treat it like the 'ngc' folder and if you have a 'psx' folder, RomM will treat it like the 'ps' folder
+  platforms: {} # { gc: 'ngc', psx: 'ps' }
+
+  # Asociate one platform to it's main version
+  versions: {} # { naomi: 'arcade' }
+
+# The folder name where your roms are located
+filesystem: {} # { roms_folder: 'roms' } For example if your folder structure is /home/user/library/roms_folder
@@ -0,0 +1,48 @@
+# This is a generic example of a configuration file
+# Rename this file to `config.yml`, copy it to a `config` folder, and mount that folder as per the docker-compose.example.yml
+# Only uncomment the lines you want to use/modify, or add new ones where needed
+
+exclude:
+  # Exclude platforms to be scanned
+  platforms: [] # ['my_excluded_platform_1', 'my_excluded_platform_2']
+
+  # Exclude roms or parts of roms to be scanned
+  roms:
+    # Single file games section.
+    # Will not apply to files that are in sub-folders (multi-disc roms, games with updates, DLC, patches, etc.)
+    single_file:
+      # Exclude all files with certain extensions to be scanned
+      extensions: [] # ['xml', 'txt']
+
+      # Exclude matched file names to be scanned.
+      # Supports unix filename pattern matching
+      # Can also exclude files by extension
+      names: [] # ['info.txt', '._*', '*.nfo']
+
+    # Multi files games section
+    # Will apply to files that are in sub-folders (multi-disc roms, games with updates, DLC, patches, etc.)
+    multi_file:
+      # Exclude matched 'folder' names to be scanned (RomM identifies folders as multi file games)
+      names: [] # ['my_multi_file_game', 'DLC']
+
+      # Exclude files within sub-folders.
+      parts:
+        # Exclude matched file names to be scanned from multi file roms
+        # Keep in mind that RomM doesn't scan folders inside multi files games,
+        # so there is no need to exclude folders from inside of multi files games.
+        names: [] # ['data.xml', '._*'] # Supports unix filename pattern matching
+
+        # Exclude all files with certain extensions to be scanned from multi file roms
+        extensions: [] # ['xml', 'txt']
+
+system:
+  # Asociate different platform names to your current file system platform names
+  # [your custom platform folder name]: [RomM platform name]
+  # In this example if you have a 'gc' folder, RomM will treat it like the 'ngc' folder and if you have a 'psx' folder, RomM will treat it like the 'ps' folder
+  platforms: {} # { gc: 'ngc', psx: 'ps' }
+
+  # Asociate one platform to it's main version
+  versions: {} # { naomi: 'arcade' }
+
+# The folder name where your roms are located
+filesystem: {} # { roms_folder: 'roms' } For example if your folder structure is /home/user/library/roms_folder
@@ -0,0 +1,482 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+__version__ = 19
+__encoding__ = utf-8
+[misc]
+pre_script = None
+queue_complete = ""
+queue_complete_pers = 0
+bandwidth_perc = 0
+refresh_rate = 1
+queue_limit = 20
+config_lock = 0
+sched_converted = 2
+notified_new_skin = 2
+direct_unpack_tested = 1
+check_new_rel = 1
+auto_browser = 0
+language = en
+enable_https_verification = 1
+host = 0.0.0.0
+port = 8080
+https_port = 8090
+username = thetrezuredone
+password = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SABNZBDVPN_PASSWORD'] }}
+bandwidth_max = 1000M
+cache_limit = 1G
+web_dir = Glitter
+web_color = Auto
+https_cert = server.cert
+https_key = server.key
+https_chain = ""
+enable_https = 1
+inet_exposure = 0
+local_ranges = ,
+api_key = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SABNZBDVPN_API_KEY'] }}
+nzb_key = 3c0fa874bb2748b58c1bd7512e649946
+permissions = 775
+download_dir = /storage/downloads/incomplete
+download_free = ""
+complete_dir = /storage/downloads/completed/nzb
+script_dir = ""
+nzb_backup_dir = ""
+admin_dir = admin
+dirscan_dir = /storage/downloads/watch
+dirscan_speed = 5
+password_file = ""
+log_dir = logs
+max_art_tries = 3
+load_balancing = 2
+top_only = 0
+sfv_check = 1
+quick_check_ext_ignore = nfo, sfv, srr
+script_can_fail = 0
+ssl_ciphers = ""
+enable_recursive = 1
+flat_unpack = 0
+par_option = ""
+pre_check = 1
+nice = ""
+win_process_prio = 3
+ionice = ""
+fail_hopeless_jobs = 1
+fast_fail = 1
+auto_disconnect = 1
+no_dupes = 3
+no_series_dupes = 0
+series_propercheck = 1
+pause_on_pwrar = 2
+ignore_samples = 1
+deobfuscate_final_filenames = 0
+auto_sort = ""
+direct_unpack = 1
+direct_unpack_threads = 3
+propagation_delay = 0
+folder_rename = 1
+replace_spaces = 1
+replace_dots = 1
+safe_postproc = 1
+pause_on_post_processing = 0
+sanitize_safe = 0
+cleanup_list = ,
+unwanted_extensions = ,
+action_on_unwanted_extensions = 0
+new_nzb_on_failure = 1
+history_retention = ""
+enable_meta = 1
+quota_size = ""
+quota_day = ""
+quota_resume = 0
+quota_period = m
+rating_enable = 0
+rating_host = ""
+rating_api_key = ""
+rating_filter_enable = 0
+rating_filter_abort_audio = 0
+rating_filter_abort_video = 0
+rating_filter_abort_encrypted = 0
+rating_filter_abort_encrypted_confirm = 0
+rating_filter_abort_spam = 0
+rating_filter_abort_spam_confirm = 0
+rating_filter_abort_downvoted = 0
+rating_filter_abort_keywords = ""
+rating_filter_pause_audio = 0
+rating_filter_pause_video = 0
+rating_filter_pause_encrypted = 0
+rating_filter_pause_encrypted_confirm = 0
+rating_filter_pause_spam = 0
+rating_filter_pause_spam_confirm = 0
+rating_filter_pause_downvoted = 0
+rating_filter_pause_keywords = ""
+enable_tv_sorting = 1
+tv_sort_string = %sn/Season %s/%sn - %sx%0e - %en.%ext
+tv_sort_countries = 1
+tv_categories = tv,
+enable_movie_sorting = 0
+movie_sort_string = ""
+movie_sort_extra = -cd%1
+movie_extra_folder = 0
+movie_categories = movies,
+enable_date_sorting = 0
+date_sort_string = ""
+date_categories = tv,
+schedlines = ,
+rss_rate = 60
+ampm = 0
+replace_illegal = 1
+start_paused = 0
+enable_all_par = 1
+enable_par_cleanup = 1
+enable_unrar = 1
+enable_unzip = 1
+enable_7zip = 1
+enable_filejoin = 1
+enable_tsjoin = 1
+overwrite_files = 0
+ignore_unrar_dates = 0
+backup_for_duplicates = 1
+empty_postproc = 0
+wait_for_dfolder = 0
+rss_filenames = 0
+api_logging = 1
+html_login = 1
+osx_menu = 1
+osx_speed = 1
+warn_dupl_jobs = 1
+helpfull_warnings = 1
+keep_awake = 1
+win_menu = 1
+allow_incomplete_nzb = 0
+enable_bonjour = 1
+max_art_opt = 0
+ipv6_hosting = 0
+fixed_ports = 1
+api_warnings = 1
+disable_api_key = 0
+no_penalties = 0
+x_frame_options = 1
+require_modern_tls = 0
+num_decoders = 3
+rss_odd_titles = nzbindex.nl/, nzbindex.com/, nzbclub.com/
+req_completion_rate = 100.2
+selftest_host = self-test.sabnzbd.org
+movie_rename_limit = 100M
+size_limit = 0
+show_sysload = 2
+history_limit = 10
+wait_ext_drive = 5
+max_foldername_length = 246
+nomedia_marker = ""
+ipv6_servers = 1
+url_base = /sabnzbd
+host_whitelist = rinoa, sabnzbd.trez.wtf
+max_url_retries = 10
+email_server = ""
+email_to = ,
+email_from = ""
+email_account = ""
+email_pwd = ""
+email_endjob = 0
+email_full = 0
+email_dir = ""
+email_rss = 0
+email_cats = *,
+interface_settings = '{"dateFormat":"fromNow","extraQueueColumns":["category"],"extraHistoryColumns":[],"displayCompact":false,"displayFullWidth":false,"confirmDeleteQueue":true,"confirmDeleteHistory":true,"keyboardShortcuts":true}'
+complete_free = ""
+fulldisk_autoresume = 0
+enable_broadcast = 1
+downloader_sleep_time = 10
+ssdp_broadcast_interval = 15
+unwanted_extensions_mode = 0
+process_unpacked_par2 = 1
+episode_rename_limit = 20M
+socks5_proxy_url = ""
+preserve_paused_state = 0
+helpful_warnings = 1
+allow_old_ssl_tls = 0
+num_simd_decoders = 2
+ext_rename_ignore = ,
+backup_dir = ""
+replace_underscores = 0
+tray_icon = 1
+sorters_converted = 1
+enable_season_sorting = 1
+receive_threads = 2
+switchinterval = 0.005
+end_queue_script = None
+no_smart_dupes = 1
+dupes_propercheck = 1
+enable_multipar = 1
+verify_xff_header = 0
+history_retention_option = all
+history_retention_number = 1
+ipv6_staging = 0
+disable_archive = 0
+config_conversion_version = 4
+disable_par2cmdline = 0
+[logging]
+log_level = 1
+max_log_size = 5242880
+log_backups = 5
+[ncenter]
+ncenter_enable = 0
+ncenter_cats = *,
+ncenter_prio_startup = 0
+ncenter_prio_download = 0
+ncenter_prio_pause_resume = 0
+ncenter_prio_pp = 0
+ncenter_prio_complete = 0
+ncenter_prio_failed = 0
+ncenter_prio_disk_full = 0
+ncenter_prio_new_login = 0
+ncenter_prio_warning = 0
+ncenter_prio_error = 0
+ncenter_prio_queue_done = 0
+ncenter_prio_other = 0
+[acenter]
+acenter_enable = 0
+acenter_cats = *,
+acenter_prio_startup = 0
+acenter_prio_download = 0
+acenter_prio_pause_resume = 0
+acenter_prio_pp = 0
+acenter_prio_complete = 0
+acenter_prio_failed = 0
+acenter_prio_disk_full = 0
+acenter_prio_new_login = 0
+acenter_prio_warning = 0
+acenter_prio_error = 0
+acenter_prio_queue_done = 0
+acenter_prio_other = 0
+[ntfosd]
+ntfosd_enable = 0
+ntfosd_cats = *,
+ntfosd_prio_startup = 0
+ntfosd_prio_download = 0
+ntfosd_prio_pause_resume = 0
+ntfosd_prio_pp = 0
+ntfosd_prio_complete = 0
+ntfosd_prio_failed = 0
+ntfosd_prio_disk_full = 0
+ntfosd_prio_new_login = 0
+ntfosd_prio_warning = 0
+ntfosd_prio_error = 0
+ntfosd_prio_queue_done = 0
+ntfosd_prio_other = 0
+[prowl]
+prowl_enable = 0
+prowl_cats = *,
+prowl_apikey = ""
+prowl_prio_startup = -3
+prowl_prio_download = -3
+prowl_prio_pause_resume = -3
+prowl_prio_pp = -3
+prowl_prio_complete = 0
+prowl_prio_failed = 1
+prowl_prio_disk_full = 1
+prowl_prio_new_login = -3
+prowl_prio_warning = -3
+prowl_prio_error = -3
+prowl_prio_queue_done = 0
+prowl_prio_other = -3
+[pushover]
+pushover_token = ""
+pushover_userkey = ""
+pushover_device = ""
+pushover_emergency_expire = 3600
+pushover_emergency_retry = 60
+pushover_enable = 0
+pushover_cats = *,
+pushover_prio_startup = -3
+pushover_prio_download = -2
+pushover_prio_pause_resume = -2
+pushover_prio_pp = -3
+pushover_prio_complete = -1
+pushover_prio_failed = -1
+pushover_prio_disk_full = 1
+pushover_prio_new_login = -3
+pushover_prio_warning = 1
+pushover_prio_error = 1
+pushover_prio_queue_done = -1
+pushover_prio_other = -3
+[pushbullet]
+pushbullet_enable = 0
+pushbullet_cats = *,
+pushbullet_apikey = ""
+pushbullet_device = ""
+pushbullet_prio_startup = 0
+pushbullet_prio_download = 0
+pushbullet_prio_pause_resume = 0
+pushbullet_prio_pp = 0
+pushbullet_prio_complete = 1
+pushbullet_prio_failed = 1
+pushbullet_prio_disk_full = 1
+pushbullet_prio_new_login = 0
+pushbullet_prio_warning = 0
+pushbullet_prio_error = 0
+pushbullet_prio_queue_done = 0
+pushbullet_prio_other = 0
+[nscript]
+nscript_enable = 0
+nscript_cats = *,
+nscript_script = None
+nscript_parameters = ""
+nscript_prio_startup = 1
+nscript_prio_download = 0
+nscript_prio_pause_resume = 0
+nscript_prio_pp = 0
+nscript_prio_complete = 1
+nscript_prio_failed = 1
+nscript_prio_disk_full = 1
+nscript_prio_new_login = 0
+nscript_prio_warning = 0
+nscript_prio_error = 0
+nscript_prio_queue_done = 1
+nscript_prio_other = 0
+[servers]
+[[news.newshosting.com]]
+name = news.newshosting.com
+displayname = Newshosting
+host = news.newshosting.com
+port = 563
+timeout = 60
+username = thetrezuredone
+password = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSK_USER_PASSWORD'] }}
+connections = 8
+ssl = 1
+ssl_verify = 3
+ssl_ciphers = ""
+enable = 1
+required = 0
+optional = 0
+retention = 0
+expire_date = ""
+quota = ""
+usage_at_start = 0
+priority = 0
+notes = ""
+[[news.easynews.com]]
+name = news.easynews.com
+displayname = EasyNews
+host = news.easynews.com
+port = 443
+timeout = 60
+username = TrezOne
+password = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SABNZBDVPN_EASYNEWS_PASSWORD'] }}
+connections = 60
+ssl = 0
+ssl_verify = 3
+ssl_ciphers = ""
+enable = 1
+required = 0
+optional = 0
+retention = 0
+expire_date = ""
+quota = ""
+usage_at_start = 0
+priority = 0
+notes = ""
+[categories]
+[[software]]
+name = software
+order = 0
+pp = ""
+script = Default
+dir = ""
+newzbin = ""
+priority = -100
+[[*]]
+name = *
+order = 0
+pp = 3
+script = Default
+dir = ""
+newzbin = ""
+priority = 0
+[[tv]]
+name = tv
+order = 0
+pp = ""
+script = Default
+dir = tv
+newzbin = ""
+priority = -100
+[[audio]]
+name = audio
+order = 0
+pp = 2
+script = Default
+dir = music
+newzbin = ""
+priority = 1
+[[movies]]
+name = movies
+order = 0
+pp = ""
+script = Default
+dir = movies
+newzbin = ""
+priority = -100
+[[ebook]]
+name = ebook
+order = 0
+pp = 2
+script = Default
+dir = ebooks
+newzbin = ""
+priority = -100
+[[prowlarr]]
+name = prowlarr
+order = 0
+pp = ""
+script = Default
+dir = ""
+newzbin = ""
+priority = -1
+[[sonarr]]
+name = sonarr
+order = 1
+pp = ""
+script = Default
+dir = tv
+newzbin = ""
+priority = -100
+[sorters]
+[[Series Sorting]]
+name = Series Sorting
+order = 0
+min_size = 20M
+multipart_label = ""
+sort_string = %sn/Season %s/%sn - %sx%0e - %en.%ext
+sort_cats = tv,
+sort_type = 1,
+is_active = 1
+[apprise]
+apprise_enable = 1
+apprise_cats = *,
+apprise_urls = apprise://apprise:8000/aef1ab3765b857585e13340f1f5f879b2babcc47b0eccead98a19e0a93fe1a35
+apprise_target_startup = ""
+apprise_target_startup_enable = 0
+apprise_target_download = ""
+apprise_target_download_enable = 0
+apprise_target_pause_resume = ""
+apprise_target_pause_resume_enable = 1
+apprise_target_pp = ""
+apprise_target_pp_enable = 0
+apprise_target_complete = ""
+apprise_target_complete_enable = 1
+apprise_target_failed = ""
+apprise_target_failed_enable = 1
+apprise_target_disk_full = ""
+apprise_target_disk_full_enable = 0
+apprise_target_new_login = ""
+apprise_target_new_login_enable = 1
+apprise_target_warning = ""
+apprise_target_warning_enable = 1
+apprise_target_error = ""
+apprise_target_error_enable = 1
+apprise_target_queue_done = ""
+apprise_target_queue_done_enable = 0
+apprise_target_other = ""
+apprise_target_other_enable = 1
--- a/Show More
+++ b/Show More