+
+[Coder](https://github.com/coder/coder)をベースにしたクラウド開発環境プラットフォームです。AWSインフラストラクチャを活用して、セキュアでスケーラブルなリモート開発環境を提供します。
+
+## 💡 概要
+
+このプロジェクトは以下の機能を提供します:
+
+- 🏗️ Terraformを使用したAWSインフラストラクチャの自動構築
+- 🌐 CloudFrontを活用した高速なグローバルコンテンツ配信
+- 🔒 WAFとACMによるセキュアな通信
+- 🚀 Docker Composeによる簡単な環境セットアップ
+
+## 🏗️ インフラストラクチャ
+
+プロジェクトは2つの主要なTerraformモジュールで構成されています:
+
+### メインインフラストラクチャ (`terraform/main-infrastructure/`)
+- 基本的なAWSリソースの管理
+- 環境変数による設定管理
+- スクリプトによる自動セットアップ
+
+### CloudFrontインフラストラクチャ (`terraform/cloudfront-infrastructure/`)
+- CloudFrontディストリビューションの設定
+- Route 53によるDNS管理
+- ACM証明書の自動管理
+- WAFルールの設定
+
+## ⚙️ 必要要件
+
+- AWS CLI
+- Terraform
+- Docker & Docker Compose
+- VS Code または他の互換性のあるIDE
+
+## 📦 セットアップ
+
+1. AWSクレデンシャルの設定:
+```bash
+aws configure
+```
+
+2. Terraformの初期化と適用:
+```bash
+# メインインフラストラクチャ
+cd terraform/main-infrastructure
+cp terraform.tfvars.example terraform.tfvars
+terraform init
+terraform apply
+
+# CloudFrontインフラストラクチャ
+cd ../cloudfront-infrastructure
+cp terraform.tfvars.example terraform.tfvars
+terraform init
+terraform apply
+```
+
+3. Docker環境の起動:
+```bash
+docker-compose up -d
+```
+
+## 🔧 設定
+
+### 環境変数
+- メインインフラストラクチャの設定は `.env` ファイルで管理
+- CloudFrontの設定は `terraform.tfvars` で管理
+
+### インフラストラクチャの設定
+- `main.tf` - 主要なリソース定義
+- `variables.tf` - 変数定義
+- `outputs.tf` - 出力値の定義
+
+## 🤝 貢献
+
+1. このリポジトリをフォーク
+2. 新しいブランチを作成
+3. 変更をコミット
+4. プルリクエストを作成
+
+## 📝 ライセンス
+
+このプロジェクトはMITライセンスの下で公開されています。
+
+## 📚 参考リンク
+
+- [Terraform Documentation](https://www.terraform.io/docs)
+- [AWS Documentation](https://aws.amazon.com/documentation/)
+- [Docker Documentation](https://docs.docker.com/)
+- [Coder Documentation](https://coder.com/docs/coder-oss)
diff --git a/spellbook/coder/docker-compose.yaml b/spellbook/coder/docker-compose.yaml
new file mode 100644
index 00000000..c337c98a
--- /dev/null
+++ b/spellbook/coder/docker-compose.yaml
@@ -0,0 +1,50 @@
+version: "3.9"
+services:
+ coder:
+ image: ghcr.io/coder/coder:${CODER_VERSION:-latest}
+ group_add:
+ - "${DOCKER_GROUP_ID:-999}" # DockerグループIDを環境変数から設定
+ ports:
+ - "${CODER_HOST:-0.0.0.0}:${CODER_PORT:-7080}:7080"
+ environment:
+ CODER_PG_CONNECTION_URL: "postgresql://${POSTGRES_USER:-username}:${POSTGRES_PASSWORD:-password}@database/${POSTGRES_DB:-coder}?sslmode=disable"
+ CODER_HTTP_ADDRESS: "0.0.0.0:7080"
+ # ACCESS_URLをホスト名とポートで制御
+ CODER_ACCESS_URL: "http://${CODER_HOSTNAME:-localhost}:${CODER_PORT:-7080}"
+ CODER_TUNNEL_DISABLE: "${CODER_TUNNEL_DISABLE:-true}"
+ CODER_DEV_MODE: "${CODER_DEV_MODE:-true}"
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ - coder_home:/home/coder
+ depends_on:
+ database:
+ condition: service_healthy
+ security_opt:
+ - no-new-privileges:true
+ mem_limit: ${CODER_MEMORY_LIMIT:-8g}
+ extra_hosts:
+ - "host.docker.internal:host-gateway"
+
+ database:
+ image: "postgres:16"
+ ports:
+ - "${POSTGRES_HOST:-127.0.0.1}:${POSTGRES_PORT:-5432}:5432"
+ environment:
+ POSTGRES_USER: ${POSTGRES_USER:-username}
+ POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-password}
+ POSTGRES_DB: ${POSTGRES_DB:-coder}
+ volumes:
+ - coder_data:/var/lib/postgresql/data
+ healthcheck:
+ test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-username} -d ${POSTGRES_DB:-coder}"]
+ interval: 5s
+ timeout: 5s
+ retries: 5
+ security_opt:
+ - no-new-privileges:true
+ mem_limit: ${POSTGRES_MEMORY_LIMIT:-1g}
+ extra_hosts:
+ - "host.docker.internal:host-gateway"
+volumes:
+ coder_data:
+ coder_home:
diff --git a/spellbook/coder/templates/docker/main.tf b/spellbook/coder/templates/docker/main.tf
new file mode 100644
index 00000000..e7652e9c
--- /dev/null
+++ b/spellbook/coder/templates/docker/main.tf
@@ -0,0 +1,248 @@
+terraform {
+ required_providers {
+ coder = {
+ source = "coder/coder"
+ }
+ docker = {
+ source = "kreuzwerker/docker"
+ }
+ }
+}
+
+locals {
+ username = data.coder_workspace_owner.me.name
+}
+
+variable "docker_socket" {
+ default = ""
+ description = "(Optional) Docker socket URI"
+ type = string
+}
+
+provider "docker" {
+ # Defaulting to null if the variable is an empty string lets us have an optional variable without having to set our own default
+ host = var.docker_socket != "" ? var.docker_socket : null
+}
+
+data "coder_provisioner" "me" {}
+data "coder_workspace" "me" {}
+data "coder_workspace_owner" "me" {}
+
+resource "coder_agent" "main" {
+ arch = data.coder_provisioner.me.arch
+ os = "linux"
+ startup_script = <<-EOT
+ set -e
+
+ # Remove symbolic link if exists
+ if [ -L "/home/coder" ]; then
+ sudo rm /home/coder
+ fi
+
+ # Create coder home if it doesn't exist
+ if [ ! -d "/home/coder" ]; then
+ sudo mkdir -p /home/coder
+ fi
+
+ # Set correct ownership
+ sudo chown -R coder:coder /home
+
+ # Copy skel files only if not initialized
+ if [ ! -f /home/coder/.init_done ]; then
+ cp -rT /etc/skel /home/coder
+ touch /home/coder/.init_done
+ fi
+
+ # Install Python and nmon
+ sudo apt-get update
+ sudo apt-get install -y python3 python3-pip nmon curl
+
+ # Set Python3 as default python
+ sudo update-alternatives --install /usr/bin/python python /usr/bin/python3 1
+
+ # Install Node.js and npm
+ curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash -
+ sudo apt-get install -y nodejs
+
+ # Verify installations
+ node --version
+ npm --version
+
+ # Install the latest code-server.
+ # Append "--version x.x.x" to install a specific version of code-server.
+ curl -fsSL https://code-server.dev/install.sh | sh -s -- --method=standalone --prefix=/tmp/code-server
+
+ # Install VS Code extensions
+ /tmp/code-server/bin/code-server --install-extension ms-python.python
+ /tmp/code-server/bin/code-server --install-extension golang.go
+ /tmp/code-server/bin/code-server --install-extension esbenp.prettier-vscode
+ /tmp/code-server/bin/code-server --install-extension dbaeumer.vscode-eslint
+ /tmp/code-server/bin/code-server --install-extension hashicorp.terraform
+ /tmp/code-server/bin/code-server --install-extension redhat.vscode-yaml
+ /tmp/code-server/bin/code-server --install-extension rooveterinaryinc.roo-cline
+ /tmp/code-server/bin/code-server --install-extension ms-azuretools.vscode-docker
+ /tmp/code-server/bin/code-server --install-extension shalldie.background
+ /tmp/code-server/bin/code-server --install-extension buianhthang.gitflow
+ /tmp/code-server/bin/code-server --install-extension bierner.markdown-preview-github-styles
+ /tmp/code-server/bin/code-server --install-extension yzhang.markdown-all-in-one
+ /tmp/code-server/bin/code-server --install-extension jock.svg
+ /tmp/code-server/bin/code-server --install-extension mhutchie.git-graph
+ /tmp/code-server/bin/code-server --install-extension qwtel.sqlite-viewer
+
+ # Start code-server in the background.
+ /tmp/code-server/bin/code-server --ignore-last-opened --auth none --port 13337 >/tmp/code-server.log 2>&1 &
+ EOT
+
+ # Rest of the configuration remains the same...
+ env = {
+ GIT_AUTHOR_NAME = coalesce(data.coder_workspace_owner.me.full_name, data.coder_workspace_owner.me.name)
+ GIT_AUTHOR_EMAIL = "${data.coder_workspace_owner.me.email}"
+ GIT_COMMITTER_NAME = coalesce(data.coder_workspace_owner.me.full_name, data.coder_workspace_owner.me.name)
+ GIT_COMMITTER_EMAIL = "${data.coder_workspace_owner.me.email}"
+ }
+
+ metadata {
+ display_name = "CPU Usage"
+ key = "0_cpu_usage"
+ script = "coder stat cpu"
+ interval = 10
+ timeout = 1
+ }
+
+ metadata {
+ display_name = "RAM Usage"
+ key = "1_ram_usage"
+ script = "coder stat mem"
+ interval = 10
+ timeout = 1
+ }
+
+ metadata {
+ display_name = "Home Disk"
+ key = "3_home_disk"
+ script = "coder stat disk --path $${HOME}"
+ interval = 60
+ timeout = 1
+ }
+
+ metadata {
+ display_name = "CPU Usage (Host)"
+ key = "4_cpu_usage_host"
+ script = "coder stat cpu --host"
+ interval = 10
+ timeout = 1
+ }
+
+ metadata {
+ display_name = "Memory Usage (Host)"
+ key = "5_mem_usage_host"
+ script = "coder stat mem --host"
+ interval = 10
+ timeout = 1
+ }
+
+ metadata {
+ display_name = "Load Average (Host)"
+ key = "6_load_host"
+ script = <
+
+
+
+
+
+# AWS CloudFront Infrastructure Module
+
+このリポジトリは、AWSのCloudFrontディストリビューションを設定するための再利用可能なTerraformモジュールを提供します。
+
+## 🌟 主な機能
+
+- ✅ CloudFrontディストリビューションの作成(カスタムドメイン対応)
+- 🛡️ WAFv2によるIPホワイトリスト制御
+- 🌐 Route53でのDNSレコード自動設定
+- 🔒 ACM証明書の自動作成と検証
+
+## 📁 ディレクトリ構造
+
+```
+cloudfront-infrastructure/
+├── modules/
+│ └── cloudfront/ # メインモジュール
+│ ├── main.tf # リソース定義
+│ ├── variables.tf # 変数定義
+│ ├── outputs.tf # 出力定義
+│ └── README.md # モジュールのドキュメント
+└── examples/
+ └── complete/ # 完全な使用例
+ ├── main.tf
+ ├── variables.tf
+ ├── outputs.tf
+ ├── terraform.tfvars.example
+ └── whitelist-waf.csv.example
+```
+
+## 🚀 クイックスタート
+
+1. モジュールの使用例をコピーします:
+```bash
+cp -r examples/complete your-project/
+cd your-project
+```
+
+2. 設定ファイルを作成します:
+```bash
+cp terraform.tfvars.example terraform.tfvars
+cp whitelist-waf.csv.example whitelist-waf.csv
+```
+
+3. terraform.tfvarsを編集して必要な設定を行います:
+```hcl
+# AWSリージョン設定
+aws_region = "ap-northeast-1"
+
+# プロジェクト名
+project_name = "your-project-name"
+
+# オリジンサーバー設定(EC2インスタンス)
+origin_domain = "your-ec2-domain.compute.amazonaws.com"
+
+# ドメイン設定
+domain = "your-domain.com"
+subdomain = "your-subdomain"
+```
+
+4. whitelist-waf.csvを編集してIPホワイトリストを設定します:
+```csv
+ip,description
+192.168.1.1/32,Office Network
+10.0.0.1/32,Home Network
+```
+
+5. Terraformを実行します:
+```bash
+terraform init
+terraform plan
+terraform apply
+```
+
+## 📚 より詳細な使用方法
+
+より詳細な使用方法については、[modules/cloudfront/README.md](modules/cloudfront/README.md)を参照してください。
+
+## 🔧 カスタマイズ
+
+このモジュールは以下の要素をカスタマイズできます:
+
+1. CloudFront設定
+ - キャッシュ動作
+ - オリジンの設定
+ - SSL/TLS設定
+
+2. WAF設定
+ - IPホワイトリストの管理
+ - セキュリティルールのカスタマイズ
+
+3. DNS設定
+ - カスタムドメインの設定
+ - Route53との連携
+
+## 📝 注意事項
+
+- CloudFrontのデプロイには時間がかかる場合があります(15-30分程度)
+- DNSの伝播には最大72時間かかる可能性があります
+- SSL証明書の検証には数分から数十分かかることがあります
+- WAFのIPホワイトリストは定期的なメンテナンスが必要です
+
+## 🔍 トラブルシューティング
+
+詳細なトラブルシューティングガイドについては、[modules/cloudfront/README.md](modules/cloudfront/README.md#トラブルシューティング)を参照してください。
diff --git a/spellbook/coder/terraform/cloudfront-infrastructure/main.tf b/spellbook/coder/terraform/cloudfront-infrastructure/main.tf
new file mode 100644
index 00000000..b11c9a84
--- /dev/null
+++ b/spellbook/coder/terraform/cloudfront-infrastructure/main.tf
@@ -0,0 +1,41 @@
+terraform {
+ required_version = ">= 0.12"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4.0"
+ }
+ }
+
+ backend "local" {
+ path = "terraform.tfstate"
+ }
+}
+
+# デフォルトプロバイダー設定
+provider "aws" {
+ region = var.aws_region
+}
+
+# バージニアリージョン用のプロバイダー設定(CloudFront用)
+provider "aws" {
+ alias = "virginia"
+ region = "us-east-1"
+}
+
+# CloudFrontモジュールの呼び出し
+module "cloudfront" {
+ source = "../../../open-webui/terraform/cloudfront-infrastructure/modules"
+
+ project_name = var.project_name
+ aws_region = var.aws_region
+ origin_domain = var.origin_domain
+ domain = var.domain
+ subdomain = var.subdomain
+
+ providers = {
+ aws = aws
+ aws.virginia = aws.virginia
+ }
+}
diff --git a/spellbook/coder/terraform/cloudfront-infrastructure/outputs.tf b/spellbook/coder/terraform/cloudfront-infrastructure/outputs.tf
new file mode 100644
index 00000000..c3687573
--- /dev/null
+++ b/spellbook/coder/terraform/cloudfront-infrastructure/outputs.tf
@@ -0,0 +1,39 @@
+output "cloudfront_domain_name" {
+ description = "Domain name of the CloudFront distribution (*.cloudfront.net)"
+ value = module.cloudfront.cloudfront_domain_name
+}
+
+output "cloudfront_distribution_id" {
+ description = "ID of the CloudFront distribution"
+ value = module.cloudfront.cloudfront_distribution_id
+}
+
+output "cloudfront_arn" {
+ description = "ARN of the CloudFront distribution"
+ value = module.cloudfront.cloudfront_arn
+}
+
+output "cloudfront_url" {
+ description = "CloudFrontのURL"
+ value = module.cloudfront.cloudfront_url
+}
+
+output "subdomain_url" {
+ description = "サブドメインのURL"
+ value = module.cloudfront.subdomain_url
+}
+
+output "waf_web_acl_id" {
+ description = "ID of the WAF Web ACL"
+ value = module.cloudfront.waf_web_acl_id
+}
+
+output "waf_web_acl_arn" {
+ description = "ARN of the WAF Web ACL"
+ value = module.cloudfront.waf_web_acl_arn
+}
+
+output "certificate_arn" {
+ description = "ARN of the ACM certificate"
+ value = module.cloudfront.certificate_arn
+}
diff --git a/spellbook/coder/terraform/cloudfront-infrastructure/terraform.tfvars.example b/spellbook/coder/terraform/cloudfront-infrastructure/terraform.tfvars.example
new file mode 100644
index 00000000..45301723
--- /dev/null
+++ b/spellbook/coder/terraform/cloudfront-infrastructure/terraform.tfvars.example
@@ -0,0 +1,12 @@
+# AWSの設定
+aws_region = "ap-northeast-1"
+
+# プロジェクト名
+project_name = "example-project"
+
+# オリジンサーバー設定(EC2インスタンス)
+origin_domain = "ec2-xxx-xxx-xxx-xxx.compute.amazonaws.com"
+
+# ドメイン設定
+domain = "example.com"
+subdomain = "app" # 生成されるURL: app.example.com
diff --git a/spellbook/coder/terraform/cloudfront-infrastructure/variables.tf b/spellbook/coder/terraform/cloudfront-infrastructure/variables.tf
new file mode 100644
index 00000000..01576938
--- /dev/null
+++ b/spellbook/coder/terraform/cloudfront-infrastructure/variables.tf
@@ -0,0 +1,25 @@
+variable "project_name" {
+ description = "Name of the project"
+ type = string
+}
+
+variable "aws_region" {
+ description = "AWS region for the resources"
+ type = string
+ default = "ap-northeast-1"
+}
+
+variable "origin_domain" {
+ description = "Domain name of the origin (EC2 instance)"
+ type = string
+}
+
+variable "domain" {
+ description = "メインドメイン名"
+ type = string
+}
+
+variable "subdomain" {
+ description = "サブドメイン名"
+ type = string
+}
diff --git a/spellbook/coder/terraform/main-infrastructure/common_variables.tf b/spellbook/coder/terraform/main-infrastructure/common_variables.tf
new file mode 100644
index 00000000..31c9412c
--- /dev/null
+++ b/spellbook/coder/terraform/main-infrastructure/common_variables.tf
@@ -0,0 +1,119 @@
+# Common variable definitions
+
+# プロジェクト名(全リソースの接頭辞として使用)
+variable "project_name" {
+ description = "Name of the project (used as a prefix for all resources)"
+ type = string
+}
+
+# AWSリージョン
+variable "aws_region" {
+ description = "AWS region where resources will be created"
+ type = string
+ default = "ap-northeast-1"
+}
+
+# 既存のVPC ID
+variable "vpc_id" {
+ description = "ID of the existing VPC"
+ type = string
+}
+
+# VPCのCIDRブロック
+variable "vpc_cidr" {
+ description = "CIDR block for the VPC"
+ type = string
+}
+
+# 第1パブリックサブネットのID
+variable "public_subnet_id" {
+ description = "ID of the first public subnet"
+ type = string
+}
+
+# 第2パブリックサブネットのID
+variable "public_subnet_2_id" {
+ description = "ID of the second public subnet"
+ type = string
+}
+
+# セキュリティグループID
+variable "security_group_ids" {
+ description = "List of security group IDs to attach to the instance"
+ type = list(string)
+}
+
+# ベースドメイン名
+variable "domain" {
+ description = "Base domain name for the application"
+ type = string
+ default = "sunwood-ai-labs.click"
+}
+
+# サブドメインプレフィックス
+variable "subdomain" {
+ description = "Subdomain prefix for the application"
+ type = string
+ default = "amaterasu-open-web-ui-dev"
+}
+
+# プライベートホストゾーンのドメイン名
+variable "domain_internal" {
+ description = "Domain name for private hosted zone"
+ type = string
+}
+
+# Route53のゾーンID
+variable "route53_internal_zone_id" {
+ description = "Zone ID for Route53 private hosted zone"
+ type = string
+}
+
+# EC2インスタンス関連の変数
+# EC2インスタンスのAMI ID
+variable "ami_id" {
+ description = "AMI ID for the EC2 instance (defaults to Ubuntu 22.04 LTS)"
+ type = string
+ default = "ami-0d52744d6551d851e" # Ubuntu 22.04 LTS in ap-northeast-1
+}
+
+# EC2インスタンスタイプ
+variable "instance_type" {
+ description = "Instance type for the EC2 instance"
+ type = string
+ default = "t3.medium"
+}
+
+# SSHキーペア名
+variable "key_name" {
+ description = "Name of the SSH key pair for EC2 instance"
+ type = string
+}
+
+# 環境変数ファイルのパス
+variable "env_file_path" {
+ description = "Absolute path to the .env file"
+ type = string
+}
+
+# セットアップスクリプトのパス
+variable "setup_script_path" {
+ description = "Absolute path to the setup_script.sh file"
+ type = string
+}
+
+# 共通のローカル変数
+locals {
+ # リソース命名用の共通プレフィックス
+ name_prefix = "${var.project_name}-"
+
+ # 完全修飾ドメイン名
+ fqdn = "${var.subdomain}.${var.domain}"
+
+ # 共通タグ
+ common_tags = {
+ Project = var.project_name
+ Environment = terraform.workspace
+ ManagedBy = "terraform"
+ }
+}
diff --git a/spellbook/coder/terraform/main-infrastructure/main.tf b/spellbook/coder/terraform/main-infrastructure/main.tf
new file mode 100644
index 00000000..07d3f6be
--- /dev/null
+++ b/spellbook/coder/terraform/main-infrastructure/main.tf
@@ -0,0 +1,72 @@
+terraform {
+ required_version = ">= 0.12"
+}
+
+# デフォルトプロバイダー設定
+provider "aws" {
+ region = var.aws_region
+}
+
+# CloudFront用のACM証明書のためのus-east-1プロバイダー
+provider "aws" {
+ alias = "us_east_1"
+ region = "us-east-1"
+}
+
+# IAM module
+module "iam" {
+ source = "../../../open-webui/terraform/main-infrastructure/modules/iam"
+
+ project_name = var.project_name
+}
+
+# Compute module
+module "compute" {
+ source = "../../../open-webui/terraform/main-infrastructure/modules/compute"
+
+ project_name = var.project_name
+ vpc_id = var.vpc_id
+ vpc_cidr = var.vpc_cidr
+ public_subnet_id = var.public_subnet_id
+ ami_id = var.ami_id
+ instance_type = var.instance_type
+ key_name = var.key_name
+ iam_instance_profile = module.iam.ec2_instance_profile_name
+ security_group_ids = var.security_group_ids
+ env_file_path = var.env_file_path
+ setup_script_path = var.setup_script_path
+
+ depends_on = [
+ module.iam
+ ]
+}
+
+# Networking module
+module "networking" {
+ source = "../../../open-webui/terraform/main-infrastructure/modules/networking"
+
+ project_name = var.project_name
+ aws_region = var.aws_region
+ vpc_id = var.vpc_id
+ vpc_cidr = var.vpc_cidr
+ public_subnet_id = var.public_subnet_id
+ public_subnet_2_id = var.public_subnet_2_id
+ security_group_ids = var.security_group_ids
+ domain = var.domain
+ subdomain = var.subdomain
+ domain_internal = var.domain_internal
+ route53_zone_id = var.route53_internal_zone_id
+ instance_id = module.compute.instance_id
+ instance_private_ip = module.compute.instance_private_ip
+ instance_private_dns = module.compute.instance_private_dns
+ instance_public_ip = module.compute.instance_public_ip
+
+ providers = {
+ aws = aws
+ aws.us_east_1 = aws.us_east_1
+ }
+
+ depends_on = [
+ module.compute
+ ]
+}
diff --git a/spellbook/coder/terraform/main-infrastructure/outputs.tf b/spellbook/coder/terraform/main-infrastructure/outputs.tf
new file mode 100644
index 00000000..75acfd5c
--- /dev/null
+++ b/spellbook/coder/terraform/main-infrastructure/outputs.tf
@@ -0,0 +1,34 @@
+output "instance_id" {
+ description = "ID of the EC2 instance"
+ value = module.compute.instance_id
+}
+
+output "instance_public_ip" {
+ description = "Public IP address of the EC2 instance"
+ value = module.compute.instance_public_ip
+}
+
+output "instance_private_ip" {
+ description = "Private IP address of the EC2 instance"
+ value = module.compute.instance_private_ip
+}
+
+output "instance_public_dns" {
+ description = "Public DNS name of the EC2 instance"
+ value = module.compute.instance_public_dns
+}
+
+output "vpc_id" {
+ description = "ID of the VPC"
+ value = module.networking.vpc_id
+}
+
+output "public_subnet_id" {
+ description = "ID of the public subnet"
+ value = module.networking.public_subnet_id
+}
+
+output "security_group_id" {
+ description = "ID of the security group"
+ value = module.networking.ec2_security_group_id
+}
diff --git a/spellbook/coder/terraform/main-infrastructure/scripts/setup_script.sh b/spellbook/coder/terraform/main-infrastructure/scripts/setup_script.sh
new file mode 100644
index 00000000..79a6001a
--- /dev/null
+++ b/spellbook/coder/terraform/main-infrastructure/scripts/setup_script.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+# ベースのセットアップスクリプトをダウンロードして実行
+curl -fsSL https://raw.githubusercontent.com/Sunwood-ai-labs/AMATERASU/refs/heads/main/scripts/docker-compose_setup_script.sh -o /tmp/base_setup.sh
+chmod +x /tmp/base_setup.sh
+/tmp/base_setup.sh
+
+# AMATERASUリポジトリのクローン
+git clone https://github.com/Sunwood-ai-labs/AMATERASU.git /home/ubuntu/AMATERASU
+
+# Terraformから提供される環境変数ファイルの作成
+# 注: .envファイルの内容はTerraformから提供される
+echo "${env_content}" > /home/ubuntu/AMATERASU/spellbook/Coder/.env
+
+# ファイルの権限設定
+chmod 777 -R /home/ubuntu/AMATERASU
+
+# AMATERASUディレクトリに移動
+cd /home/ubuntu/AMATERASU/spellbook/Coder
+
+# 指定されたdocker-composeファイルでコンテナを起動
+sudo docker-compose up -d
+
+echo "AMATERASUのセットアップが完了し、docker-composeを起動しました!"
+
+# 一時ファイルの削除
+rm /tmp/base_setup.sh
diff --git a/spellbook/dify-beta1/.env.example b/spellbook/dify-beta1/.env.example
new file mode 100644
index 00000000..eb9b0b4a
--- /dev/null
+++ b/spellbook/dify-beta1/.env.example
@@ -0,0 +1,960 @@
+# ------------------------------
+# Environment Variables for API service & worker
+# ------------------------------
+
+# ------------------------------
+# Common Variables
+# ------------------------------
+
+# The backend URL of the console API,
+# used to concatenate the authorization callback.
+# If empty, it is the same domain.
+# Example: https://api.console.dify.ai
+CONSOLE_API_URL=
+
+# The front-end URL of the console web,
+# used to concatenate some front-end addresses and for CORS configuration use.
+# If empty, it is the same domain.
+# Example: https://console.dify.ai
+CONSOLE_WEB_URL=
+
+# Service API Url,
+# used to display Service API Base Url to the front-end.
+# If empty, it is the same domain.
+# Example: https://api.dify.ai
+SERVICE_API_URL=
+
+# WebApp API backend Url,
+# used to declare the back-end URL for the front-end API.
+# If empty, it is the same domain.
+# Example: https://api.app.dify.ai
+APP_API_URL=
+
+# WebApp Url,
+# used to display WebAPP API Base Url to the front-end.
+# If empty, it is the same domain.
+# Example: https://app.dify.ai
+APP_WEB_URL=
+
+# File preview or download Url prefix.
+# used to display File preview or download Url to the front-end or as Multi-model inputs;
+# Url is signed and has expiration time.
+FILES_URL=
+
+# ------------------------------
+# Server Configuration
+# ------------------------------
+
+# The log level for the application.
+# Supported values are `DEBUG`, `INFO`, `WARNING`, `ERROR`, `CRITICAL`
+LOG_LEVEL=INFO
+# Log file path
+LOG_FILE=/app/logs/server.log
+# Log file max size, the unit is MB
+LOG_FILE_MAX_SIZE=20
+# Log file max backup count
+LOG_FILE_BACKUP_COUNT=5
+# Log dateformat
+LOG_DATEFORMAT=%Y-%m-%d %H:%M:%S
+# Log Timezone
+LOG_TZ=UTC
+
+# Debug mode, default is false.
+# It is recommended to turn on this configuration for local development
+# to prevent some problems caused by monkey patch.
+DEBUG=false
+
+# Flask debug mode, it can output trace information at the interface when turned on,
+# which is convenient for debugging.
+FLASK_DEBUG=false
+
+# A secretkey that is used for securely signing the session cookie
+# and encrypting sensitive information on the database.
+# You can generate a strong key using `openssl rand -base64 42`.
+SECRET_KEY=sk-9f73s3ljTXVcMT3Blb3ljTqtsKiGHXVcMT3BlbkFJLK7U
+
+# Password for admin user initialization.
+# If left unset, admin user will not be prompted for a password
+# when creating the initial admin account.
+# The length of the password cannot exceed 30 charactors.
+INIT_PASSWORD=
+
+# Deployment environment.
+# Supported values are `PRODUCTION`, `TESTING`. Default is `PRODUCTION`.
+# Testing environment. There will be a distinct color label on the front-end page,
+# indicating that this environment is a testing environment.
+DEPLOY_ENV=PRODUCTION
+
+# Whether to enable the version check policy.
+# If set to empty, https://updates.dify.ai will be called for version check.
+CHECK_UPDATE_URL=https://updates.dify.ai
+
+# Used to change the OpenAI base address, default is https://api.openai.com/v1.
+# When OpenAI cannot be accessed in China, replace it with a domestic mirror address,
+# or when a local model provides OpenAI compatible API, it can be replaced.
+OPENAI_API_BASE=https://api.openai.com/v1
+
+# When enabled, migrations will be executed prior to application startup
+# and the application will start after the migrations have completed.
+MIGRATION_ENABLED=true
+
+# File Access Time specifies a time interval in seconds for the file to be accessed.
+# The default value is 300 seconds.
+FILES_ACCESS_TIMEOUT=300
+
+# Access token expiration time in minutes
+ACCESS_TOKEN_EXPIRE_MINUTES=60
+
+# Refresh token expiration time in days
+REFRESH_TOKEN_EXPIRE_DAYS=30
+
+# The maximum number of active requests for the application, where 0 means unlimited, should be a non-negative integer.
+APP_MAX_ACTIVE_REQUESTS=0
+APP_MAX_EXECUTION_TIME=1200
+
+# ------------------------------
+# Container Startup Related Configuration
+# Only effective when starting with docker image or docker-compose.
+# ------------------------------
+
+# API service binding address, default: 0.0.0.0, i.e., all addresses can be accessed.
+DIFY_BIND_ADDRESS=0.0.0.0
+
+# API service binding port number, default 5001.
+DIFY_PORT=5001
+
+# The number of API server workers, i.e., the number of workers.
+# Formula: number of cpu cores x 2 + 1 for sync, 1 for Gevent
+# Reference: https://docs.gunicorn.org/en/stable/design.html#how-many-workers
+SERVER_WORKER_AMOUNT=1
+
+# Defaults to gevent. If using windows, it can be switched to sync or solo.
+SERVER_WORKER_CLASS=gevent
+
+# Default number of worker connections, the default is 10.
+SERVER_WORKER_CONNECTIONS=10
+
+# Similar to SERVER_WORKER_CLASS.
+# If using windows, it can be switched to sync or solo.
+CELERY_WORKER_CLASS=
+
+# Request handling timeout. The default is 200,
+# it is recommended to set it to 360 to support a longer sse connection time.
+GUNICORN_TIMEOUT=360
+
+# The number of Celery workers. The default is 1, and can be set as needed.
+CELERY_WORKER_AMOUNT=
+
+# Flag indicating whether to enable autoscaling of Celery workers.
+#
+# Autoscaling is useful when tasks are CPU intensive and can be dynamically
+# allocated and deallocated based on the workload.
+#
+# When autoscaling is enabled, the maximum and minimum number of workers can
+# be specified. The autoscaling algorithm will dynamically adjust the number
+# of workers within the specified range.
+#
+# Default is false (i.e., autoscaling is disabled).
+#
+# Example:
+# CELERY_AUTO_SCALE=true
+CELERY_AUTO_SCALE=false
+
+# The maximum number of Celery workers that can be autoscaled.
+# This is optional and only used when autoscaling is enabled.
+# Default is not set.
+CELERY_MAX_WORKERS=
+
+# The minimum number of Celery workers that can be autoscaled.
+# This is optional and only used when autoscaling is enabled.
+# Default is not set.
+CELERY_MIN_WORKERS=
+
+# API Tool configuration
+API_TOOL_DEFAULT_CONNECT_TIMEOUT=10
+API_TOOL_DEFAULT_READ_TIMEOUT=60
+
+
+# ------------------------------
+# Database Configuration
+# The database uses PostgreSQL. Please use the public schema.
+# It is consistent with the configuration in the 'db' service below.
+# ------------------------------
+
+DB_USERNAME=postgres
+DB_PASSWORD=difyai123456
+DB_HOST=db
+DB_PORT=5432
+DB_DATABASE=dify
+# The size of the database connection pool.
+# The default is 30 connections, which can be appropriately increased.
+SQLALCHEMY_POOL_SIZE=30
+# Database connection pool recycling time, the default is 3600 seconds.
+SQLALCHEMY_POOL_RECYCLE=3600
+# Whether to print SQL, default is false.
+SQLALCHEMY_ECHO=false
+
+# Maximum number of connections to the database
+# Default is 100
+#
+# Reference: https://www.postgresql.org/docs/current/runtime-config-connection.html#GUC-MAX-CONNECTIONS
+POSTGRES_MAX_CONNECTIONS=100
+
+# Sets the amount of shared memory used for postgres's shared buffers.
+# Default is 128MB
+# Recommended value: 25% of available memory
+# Reference: https://www.postgresql.org/docs/current/runtime-config-resource.html#GUC-SHARED-BUFFERS
+POSTGRES_SHARED_BUFFERS=128MB
+
+# Sets the amount of memory used by each database worker for working space.
+# Default is 4MB
+#
+# Reference: https://www.postgresql.org/docs/current/runtime-config-resource.html#GUC-WORK-MEM
+POSTGRES_WORK_MEM=4MB
+
+# Sets the amount of memory reserved for maintenance activities.
+# Default is 64MB
+#
+# Reference: https://www.postgresql.org/docs/current/runtime-config-resource.html#GUC-MAINTENANCE-WORK-MEM
+POSTGRES_MAINTENANCE_WORK_MEM=64MB
+
+# Sets the planner's assumption about the effective cache size.
+# Default is 4096MB
+#
+# Reference: https://www.postgresql.org/docs/current/runtime-config-query.html#GUC-EFFECTIVE-CACHE-SIZE
+POSTGRES_EFFECTIVE_CACHE_SIZE=4096MB
+
+# ------------------------------
+# Redis Configuration
+# This Redis configuration is used for caching and for pub/sub during conversation.
+# ------------------------------
+
+REDIS_HOST=redis
+REDIS_PORT=6379
+REDIS_USERNAME=
+REDIS_PASSWORD=difyai123456
+REDIS_USE_SSL=false
+REDIS_DB=0
+
+# Whether to use Redis Sentinel mode.
+# If set to true, the application will automatically discover and connect to the master node through Sentinel.
+REDIS_USE_SENTINEL=false
+
+# List of Redis Sentinel nodes. If Sentinel mode is enabled, provide at least one Sentinel IP and port.
+# Format: `:,:,:`
+REDIS_SENTINELS=
+REDIS_SENTINEL_SERVICE_NAME=
+REDIS_SENTINEL_USERNAME=
+REDIS_SENTINEL_PASSWORD=
+REDIS_SENTINEL_SOCKET_TIMEOUT=0.1
+
+# List of Redis Cluster nodes. If Cluster mode is enabled, provide at least one Cluster IP and port.
+# Format: `:,:,:`
+REDIS_USE_CLUSTERS=false
+REDIS_CLUSTERS=
+REDIS_CLUSTERS_PASSWORD=
+
+# ------------------------------
+# Celery Configuration
+# ------------------------------
+
+# Use redis as the broker, and redis db 1 for celery broker.
+# Format as follows: `redis://:@:/`
+# Example: redis://:difyai123456@redis:6379/1
+# If use Redis Sentinel, format as follows: `sentinel://:@:/`
+# Example: sentinel://localhost:26379/1;sentinel://localhost:26380/1;sentinel://localhost:26381/1
+CELERY_BROKER_URL=redis://:difyai123456@redis:6379/1
+BROKER_USE_SSL=false
+
+# If you are using Redis Sentinel for high availability, configure the following settings.
+CELERY_USE_SENTINEL=false
+CELERY_SENTINEL_MASTER_NAME=
+CELERY_SENTINEL_SOCKET_TIMEOUT=0.1
+
+# ------------------------------
+# CORS Configuration
+# Used to set the front-end cross-domain access policy.
+# ------------------------------
+
+# Specifies the allowed origins for cross-origin requests to the Web API,
+# e.g. https://dify.app or * for all origins.
+WEB_API_CORS_ALLOW_ORIGINS=*
+
+# Specifies the allowed origins for cross-origin requests to the console API,
+# e.g. https://cloud.dify.ai or * for all origins.
+CONSOLE_CORS_ALLOW_ORIGINS=*
+
+# ------------------------------
+# File Storage Configuration
+# ------------------------------
+
+# The type of storage to use for storing user files.
+STORAGE_TYPE=opendal
+
+# Apache OpenDAL Configuration
+# The configuration for OpenDAL consists of the following format: OPENDAL__.
+# You can find all the service configurations (CONFIG_NAME) in the repository at: https://github.com/apache/opendal/tree/main/core/src/services.
+# Dify will scan configurations starting with OPENDAL_ and automatically apply them.
+# The scheme name for the OpenDAL storage.
+OPENDAL_SCHEME=fs
+# Configurations for OpenDAL Local File System.
+OPENDAL_FS_ROOT=storage
+
+# S3 Configuration
+#
+S3_ENDPOINT=
+S3_REGION=us-east-1
+S3_BUCKET_NAME=difyai
+S3_ACCESS_KEY=
+S3_SECRET_KEY=
+# Whether to use AWS managed IAM roles for authenticating with the S3 service.
+# If set to false, the access key and secret key must be provided.
+S3_USE_AWS_MANAGED_IAM=false
+
+# Azure Blob Configuration
+#
+AZURE_BLOB_ACCOUNT_NAME=difyai
+AZURE_BLOB_ACCOUNT_KEY=difyai
+AZURE_BLOB_CONTAINER_NAME=difyai-container
+AZURE_BLOB_ACCOUNT_URL=https://.blob.core.windows.net
+
+# Google Storage Configuration
+#
+GOOGLE_STORAGE_BUCKET_NAME=your-bucket-name
+GOOGLE_STORAGE_SERVICE_ACCOUNT_JSON_BASE64=
+
+# The Alibaba Cloud OSS configurations,
+#
+ALIYUN_OSS_BUCKET_NAME=your-bucket-name
+ALIYUN_OSS_ACCESS_KEY=your-access-key
+ALIYUN_OSS_SECRET_KEY=your-secret-key
+ALIYUN_OSS_ENDPOINT=https://oss-ap-southeast-1-internal.aliyuncs.com
+ALIYUN_OSS_REGION=ap-southeast-1
+ALIYUN_OSS_AUTH_VERSION=v4
+# Don't start with '/'. OSS doesn't support leading slash in object names.
+ALIYUN_OSS_PATH=your-path
+
+# Tencent COS Configuration
+#
+TENCENT_COS_BUCKET_NAME=your-bucket-name
+TENCENT_COS_SECRET_KEY=your-secret-key
+TENCENT_COS_SECRET_ID=your-secret-id
+TENCENT_COS_REGION=your-region
+TENCENT_COS_SCHEME=your-scheme
+
+# Oracle Storage Configuration
+#
+OCI_ENDPOINT=https://objectstorage.us-ashburn-1.oraclecloud.com
+OCI_BUCKET_NAME=your-bucket-name
+OCI_ACCESS_KEY=your-access-key
+OCI_SECRET_KEY=your-secret-key
+OCI_REGION=us-ashburn-1
+
+# Huawei OBS Configuration
+#
+HUAWEI_OBS_BUCKET_NAME=your-bucket-name
+HUAWEI_OBS_SECRET_KEY=your-secret-key
+HUAWEI_OBS_ACCESS_KEY=your-access-key
+HUAWEI_OBS_SERVER=your-server-url
+
+# Volcengine TOS Configuration
+#
+VOLCENGINE_TOS_BUCKET_NAME=your-bucket-name
+VOLCENGINE_TOS_SECRET_KEY=your-secret-key
+VOLCENGINE_TOS_ACCESS_KEY=your-access-key
+VOLCENGINE_TOS_ENDPOINT=your-server-url
+VOLCENGINE_TOS_REGION=your-region
+
+# Baidu OBS Storage Configuration
+#
+BAIDU_OBS_BUCKET_NAME=your-bucket-name
+BAIDU_OBS_SECRET_KEY=your-secret-key
+BAIDU_OBS_ACCESS_KEY=your-access-key
+BAIDU_OBS_ENDPOINT=your-server-url
+
+# Supabase Storage Configuration
+#
+SUPABASE_BUCKET_NAME=your-bucket-name
+SUPABASE_API_KEY=your-access-key
+SUPABASE_URL=your-server-url
+
+# ------------------------------
+# Vector Database Configuration
+# ------------------------------
+
+# The type of vector store to use.
+# Supported values are `weaviate`, `qdrant`, `milvus`, `myscale`, `relyt`, `pgvector`, `pgvecto-rs`, `chroma`, `opensearch`, `tidb_vector`, `oracle`, `tencent`, `elasticsearch`, `elasticsearch-ja`, `analyticdb`, `couchbase`, `vikingdb`, `oceanbase`.
+VECTOR_STORE=weaviate
+
+# The Weaviate endpoint URL. Only available when VECTOR_STORE is `weaviate`.
+WEAVIATE_ENDPOINT=http://weaviate:8080
+WEAVIATE_API_KEY=WVF5YThaHlkYwhGUSmCRgsX3tD5ngdN8pkih
+
+# The Qdrant endpoint URL. Only available when VECTOR_STORE is `qdrant`.
+QDRANT_URL=http://qdrant:6333
+QDRANT_API_KEY=difyai123456
+QDRANT_CLIENT_TIMEOUT=20
+QDRANT_GRPC_ENABLED=false
+QDRANT_GRPC_PORT=6334
+
+# Milvus configuration Only available when VECTOR_STORE is `milvus`.
+# The milvus uri.
+MILVUS_URI=http://127.0.0.1:19530
+MILVUS_TOKEN=
+MILVUS_USER=root
+MILVUS_PASSWORD=Milvus
+MILVUS_ENABLE_HYBRID_SEARCH=False
+
+# MyScale configuration, only available when VECTOR_STORE is `myscale`
+# For multi-language support, please set MYSCALE_FTS_PARAMS with referring to:
+# https://myscale.com/docs/en/text-search/#understanding-fts-index-parameters
+MYSCALE_HOST=myscale
+MYSCALE_PORT=8123
+MYSCALE_USER=default
+MYSCALE_PASSWORD=
+MYSCALE_DATABASE=dify
+MYSCALE_FTS_PARAMS=
+
+# Couchbase configurations, only available when VECTOR_STORE is `couchbase`
+# The connection string must include hostname defined in the docker-compose file (couchbase-server in this case)
+COUCHBASE_CONNECTION_STRING=couchbase://couchbase-server
+COUCHBASE_USER=Administrator
+COUCHBASE_PASSWORD=password
+COUCHBASE_BUCKET_NAME=Embeddings
+COUCHBASE_SCOPE_NAME=_default
+
+# pgvector configurations, only available when VECTOR_STORE is `pgvector`
+PGVECTOR_HOST=pgvector
+PGVECTOR_PORT=5432
+PGVECTOR_USER=postgres
+PGVECTOR_PASSWORD=difyai123456
+PGVECTOR_DATABASE=dify
+PGVECTOR_MIN_CONNECTION=1
+PGVECTOR_MAX_CONNECTION=5
+
+# pgvecto-rs configurations, only available when VECTOR_STORE is `pgvecto-rs`
+PGVECTO_RS_HOST=pgvecto-rs
+PGVECTO_RS_PORT=5432
+PGVECTO_RS_USER=postgres
+PGVECTO_RS_PASSWORD=difyai123456
+PGVECTO_RS_DATABASE=dify
+
+# analyticdb configurations, only available when VECTOR_STORE is `analyticdb`
+ANALYTICDB_KEY_ID=your-ak
+ANALYTICDB_KEY_SECRET=your-sk
+ANALYTICDB_REGION_ID=cn-hangzhou
+ANALYTICDB_INSTANCE_ID=gp-ab123456
+ANALYTICDB_ACCOUNT=testaccount
+ANALYTICDB_PASSWORD=testpassword
+ANALYTICDB_NAMESPACE=dify
+ANALYTICDB_NAMESPACE_PASSWORD=difypassword
+ANALYTICDB_HOST=gp-test.aliyuncs.com
+ANALYTICDB_PORT=5432
+ANALYTICDB_MIN_CONNECTION=1
+ANALYTICDB_MAX_CONNECTION=5
+
+# TiDB vector configurations, only available when VECTOR_STORE is `tidb`
+TIDB_VECTOR_HOST=tidb
+TIDB_VECTOR_PORT=4000
+TIDB_VECTOR_USER=
+TIDB_VECTOR_PASSWORD=
+TIDB_VECTOR_DATABASE=dify
+
+# Tidb on qdrant configuration, only available when VECTOR_STORE is `tidb_on_qdrant`
+TIDB_ON_QDRANT_URL=http://127.0.0.1
+TIDB_ON_QDRANT_API_KEY=dify
+TIDB_ON_QDRANT_CLIENT_TIMEOUT=20
+TIDB_ON_QDRANT_GRPC_ENABLED=false
+TIDB_ON_QDRANT_GRPC_PORT=6334
+TIDB_PUBLIC_KEY=dify
+TIDB_PRIVATE_KEY=dify
+TIDB_API_URL=http://127.0.0.1
+TIDB_IAM_API_URL=http://127.0.0.1
+TIDB_REGION=regions/aws-us-east-1
+TIDB_PROJECT_ID=dify
+TIDB_SPEND_LIMIT=100
+
+# Chroma configuration, only available when VECTOR_STORE is `chroma`
+CHROMA_HOST=127.0.0.1
+CHROMA_PORT=8000
+CHROMA_TENANT=default_tenant
+CHROMA_DATABASE=default_database
+CHROMA_AUTH_PROVIDER=chromadb.auth.token_authn.TokenAuthClientProvider
+CHROMA_AUTH_CREDENTIALS=
+
+# Oracle configuration, only available when VECTOR_STORE is `oracle`
+ORACLE_HOST=oracle
+ORACLE_PORT=1521
+ORACLE_USER=dify
+ORACLE_PASSWORD=dify
+ORACLE_DATABASE=FREEPDB1
+
+# relyt configurations, only available when VECTOR_STORE is `relyt`
+RELYT_HOST=db
+RELYT_PORT=5432
+RELYT_USER=postgres
+RELYT_PASSWORD=difyai123456
+RELYT_DATABASE=postgres
+
+# open search configuration, only available when VECTOR_STORE is `opensearch`
+OPENSEARCH_HOST=opensearch
+OPENSEARCH_PORT=9200
+OPENSEARCH_USER=admin
+OPENSEARCH_PASSWORD=admin
+OPENSEARCH_SECURE=true
+
+# tencent vector configurations, only available when VECTOR_STORE is `tencent`
+TENCENT_VECTOR_DB_URL=http://127.0.0.1
+TENCENT_VECTOR_DB_API_KEY=dify
+TENCENT_VECTOR_DB_TIMEOUT=30
+TENCENT_VECTOR_DB_USERNAME=dify
+TENCENT_VECTOR_DB_DATABASE=dify
+TENCENT_VECTOR_DB_SHARD=1
+TENCENT_VECTOR_DB_REPLICAS=2
+
+# ElasticSearch configuration, only available when VECTOR_STORE is `elasticsearch`
+ELASTICSEARCH_HOST=0.0.0.0
+ELASTICSEARCH_PORT=9200
+ELASTICSEARCH_USERNAME=elastic
+ELASTICSEARCH_PASSWORD=elastic
+KIBANA_PORT=5601
+
+# baidu vector configurations, only available when VECTOR_STORE is `baidu`
+BAIDU_VECTOR_DB_ENDPOINT=http://127.0.0.1:5287
+BAIDU_VECTOR_DB_CONNECTION_TIMEOUT_MS=30000
+BAIDU_VECTOR_DB_ACCOUNT=root
+BAIDU_VECTOR_DB_API_KEY=dify
+BAIDU_VECTOR_DB_DATABASE=dify
+BAIDU_VECTOR_DB_SHARD=1
+BAIDU_VECTOR_DB_REPLICAS=3
+
+# VikingDB configurations, only available when VECTOR_STORE is `vikingdb`
+VIKINGDB_ACCESS_KEY=your-ak
+VIKINGDB_SECRET_KEY=your-sk
+VIKINGDB_REGION=cn-shanghai
+VIKINGDB_HOST=api-vikingdb.xxx.volces.com
+VIKINGDB_SCHEMA=http
+VIKINGDB_CONNECTION_TIMEOUT=30
+VIKINGDB_SOCKET_TIMEOUT=30
+
+# Lindorm configuration, only available when VECTOR_STORE is `lindorm`
+LINDORM_URL=http://lindorm:30070
+LINDORM_USERNAME=lindorm
+LINDORM_PASSWORD=lindorm
+
+# OceanBase Vector configuration, only available when VECTOR_STORE is `oceanbase`
+OCEANBASE_VECTOR_HOST=oceanbase
+OCEANBASE_VECTOR_PORT=2881
+OCEANBASE_VECTOR_USER=root@test
+OCEANBASE_VECTOR_PASSWORD=difyai123456
+OCEANBASE_VECTOR_DATABASE=test
+OCEANBASE_CLUSTER_NAME=difyai
+OCEANBASE_MEMORY_LIMIT=6G
+
+# Upstash Vector configuration, only available when VECTOR_STORE is `upstash`
+UPSTASH_VECTOR_URL=https://xxx-vector.upstash.io
+UPSTASH_VECTOR_TOKEN=dify
+
+# ------------------------------
+# Knowledge Configuration
+# ------------------------------
+
+# Upload file size limit, default 15M.
+UPLOAD_FILE_SIZE_LIMIT=15
+
+# The maximum number of files that can be uploaded at a time, default 5.
+UPLOAD_FILE_BATCH_LIMIT=5
+
+# ETL type, support: `dify`, `Unstructured`
+# `dify` Dify's proprietary file extraction scheme
+# `Unstructured` Unstructured.io file extraction scheme
+ETL_TYPE=dify
+
+# Unstructured API path and API key, needs to be configured when ETL_TYPE is Unstructured
+# Or using Unstructured for document extractor node for pptx.
+# For example: http://unstructured:8000/general/v0/general
+UNSTRUCTURED_API_URL=
+UNSTRUCTURED_API_KEY=
+SCARF_NO_ANALYTICS=true
+
+# ------------------------------
+# Model Configuration
+# ------------------------------
+
+# The maximum number of tokens allowed for prompt generation.
+# This setting controls the upper limit of tokens that can be used by the LLM
+# when generating a prompt in the prompt generation tool.
+# Default: 512 tokens.
+PROMPT_GENERATION_MAX_TOKENS=512
+
+# The maximum number of tokens allowed for code generation.
+# This setting controls the upper limit of tokens that can be used by the LLM
+# when generating code in the code generation tool.
+# Default: 1024 tokens.
+CODE_GENERATION_MAX_TOKENS=1024
+
+# ------------------------------
+# Multi-modal Configuration
+# ------------------------------
+
+# The format of the image/video/audio/document sent when the multi-modal model is input,
+# the default is base64, optional url.
+# The delay of the call in url mode will be lower than that in base64 mode.
+# It is generally recommended to use the more compatible base64 mode.
+# If configured as url, you need to configure FILES_URL as an externally accessible address so that the multi-modal model can access the image/video/audio/document.
+MULTIMODAL_SEND_FORMAT=base64
+# Upload image file size limit, default 10M.
+UPLOAD_IMAGE_FILE_SIZE_LIMIT=10
+# Upload video file size limit, default 100M.
+UPLOAD_VIDEO_FILE_SIZE_LIMIT=100
+# Upload audio file size limit, default 50M.
+UPLOAD_AUDIO_FILE_SIZE_LIMIT=50
+
+# ------------------------------
+# Sentry Configuration
+# Used for application monitoring and error log tracking.
+# ------------------------------
+SENTRY_DSN=
+
+# API Service Sentry DSN address, default is empty, when empty,
+# all monitoring information is not reported to Sentry.
+# If not set, Sentry error reporting will be disabled.
+API_SENTRY_DSN=
+# API Service The reporting ratio of Sentry events, if it is 0.01, it is 1%.
+API_SENTRY_TRACES_SAMPLE_RATE=1.0
+# API Service The reporting ratio of Sentry profiles, if it is 0.01, it is 1%.
+API_SENTRY_PROFILES_SAMPLE_RATE=1.0
+
+# Web Service Sentry DSN address, default is empty, when empty,
+# all monitoring information is not reported to Sentry.
+# If not set, Sentry error reporting will be disabled.
+WEB_SENTRY_DSN=
+
+# ------------------------------
+# Notion Integration Configuration
+# Variables can be obtained by applying for Notion integration: https://www.notion.so/my-integrations
+# ------------------------------
+
+# Configure as "public" or "internal".
+# Since Notion's OAuth redirect URL only supports HTTPS,
+# if deploying locally, please use Notion's internal integration.
+NOTION_INTEGRATION_TYPE=public
+# Notion OAuth client secret (used for public integration type)
+NOTION_CLIENT_SECRET=
+# Notion OAuth client id (used for public integration type)
+NOTION_CLIENT_ID=
+# Notion internal integration secret.
+# If the value of NOTION_INTEGRATION_TYPE is "internal",
+# you need to configure this variable.
+NOTION_INTERNAL_SECRET=
+
+# ------------------------------
+# Mail related configuration
+# ------------------------------
+
+# Mail type, support: resend, smtp
+MAIL_TYPE=resend
+
+# Default send from email address, if not specified
+MAIL_DEFAULT_SEND_FROM=
+
+# API-Key for the Resend email provider, used when MAIL_TYPE is `resend`.
+RESEND_API_URL=https://api.resend.com
+RESEND_API_KEY=your-resend-api-key
+
+
+# SMTP server configuration, used when MAIL_TYPE is `smtp`
+SMTP_SERVER=
+SMTP_PORT=465
+SMTP_USERNAME=
+SMTP_PASSWORD=
+SMTP_USE_TLS=true
+SMTP_OPPORTUNISTIC_TLS=false
+
+# ------------------------------
+# Others Configuration
+# ------------------------------
+
+# Maximum length of segmentation tokens for indexing
+INDEXING_MAX_SEGMENTATION_TOKENS_LENGTH=4000
+
+# Member invitation link valid time (hours),
+# Default: 72.
+INVITE_EXPIRY_HOURS=72
+
+# Reset password token valid time (minutes),
+RESET_PASSWORD_TOKEN_EXPIRY_MINUTES=5
+
+# The sandbox service endpoint.
+CODE_EXECUTION_ENDPOINT=http://sandbox:8194
+CODE_EXECUTION_API_KEY=dify-sandbox
+CODE_MAX_NUMBER=9223372036854775807
+CODE_MIN_NUMBER=-9223372036854775808
+CODE_MAX_DEPTH=5
+CODE_MAX_PRECISION=20
+CODE_MAX_STRING_LENGTH=80000
+CODE_MAX_STRING_ARRAY_LENGTH=30
+CODE_MAX_OBJECT_ARRAY_LENGTH=30
+CODE_MAX_NUMBER_ARRAY_LENGTH=1000
+CODE_EXECUTION_CONNECT_TIMEOUT=10
+CODE_EXECUTION_READ_TIMEOUT=60
+CODE_EXECUTION_WRITE_TIMEOUT=10
+TEMPLATE_TRANSFORM_MAX_LENGTH=80000
+
+# Workflow runtime configuration
+WORKFLOW_MAX_EXECUTION_STEPS=500
+WORKFLOW_MAX_EXECUTION_TIME=1200
+WORKFLOW_CALL_MAX_DEPTH=5
+MAX_VARIABLE_SIZE=204800
+WORKFLOW_PARALLEL_DEPTH_LIMIT=3
+WORKFLOW_FILE_UPLOAD_LIMIT=10
+
+# HTTP request node in workflow configuration
+HTTP_REQUEST_NODE_MAX_BINARY_SIZE=10485760
+HTTP_REQUEST_NODE_MAX_TEXT_SIZE=1048576
+
+# SSRF Proxy server HTTP URL
+SSRF_PROXY_HTTP_URL=http://ssrf_proxy:3128
+# SSRF Proxy server HTTPS URL
+SSRF_PROXY_HTTPS_URL=http://ssrf_proxy:3128
+
+# ------------------------------
+# Environment Variables for web Service
+# ------------------------------
+
+# The timeout for the text generation in millisecond
+TEXT_GENERATION_TIMEOUT_MS=60000
+
+# ------------------------------
+# Environment Variables for db Service
+# ------------------------------
+
+PGUSER=${DB_USERNAME}
+# The password for the default postgres user.
+POSTGRES_PASSWORD=${DB_PASSWORD}
+# The name of the default postgres database.
+POSTGRES_DB=${DB_DATABASE}
+# postgres data directory
+PGDATA=/var/lib/postgresql/data/pgdata
+
+# ------------------------------
+# Environment Variables for sandbox Service
+# ------------------------------
+
+# The API key for the sandbox service
+SANDBOX_API_KEY=dify-sandbox
+# The mode in which the Gin framework runs
+SANDBOX_GIN_MODE=release
+# The timeout for the worker in seconds
+SANDBOX_WORKER_TIMEOUT=15
+# Enable network for the sandbox service
+SANDBOX_ENABLE_NETWORK=true
+# HTTP proxy URL for SSRF protection
+SANDBOX_HTTP_PROXY=http://ssrf_proxy:3128
+# HTTPS proxy URL for SSRF protection
+SANDBOX_HTTPS_PROXY=http://ssrf_proxy:3128
+# The port on which the sandbox service runs
+SANDBOX_PORT=8194
+
+# ------------------------------
+# Environment Variables for weaviate Service
+# (only used when VECTOR_STORE is weaviate)
+# ------------------------------
+WEAVIATE_PERSISTENCE_DATA_PATH=/var/lib/weaviate
+WEAVIATE_QUERY_DEFAULTS_LIMIT=25
+WEAVIATE_AUTHENTICATION_ANONYMOUS_ACCESS_ENABLED=true
+WEAVIATE_DEFAULT_VECTORIZER_MODULE=none
+WEAVIATE_CLUSTER_HOSTNAME=node1
+WEAVIATE_AUTHENTICATION_APIKEY_ENABLED=true
+WEAVIATE_AUTHENTICATION_APIKEY_ALLOWED_KEYS=WVF5YThaHlkYwhGUSmCRgsX3tD5ngdN8pkih
+WEAVIATE_AUTHENTICATION_APIKEY_USERS=hello@dify.ai
+WEAVIATE_AUTHORIZATION_ADMINLIST_ENABLED=true
+WEAVIATE_AUTHORIZATION_ADMINLIST_USERS=hello@dify.ai
+
+# ------------------------------
+# Environment Variables for Chroma
+# (only used when VECTOR_STORE is chroma)
+# ------------------------------
+
+# Authentication credentials for Chroma server
+CHROMA_SERVER_AUTHN_CREDENTIALS=difyai123456
+# Authentication provider for Chroma server
+CHROMA_SERVER_AUTHN_PROVIDER=chromadb.auth.token_authn.TokenAuthenticationServerProvider
+# Persistence setting for Chroma server
+CHROMA_IS_PERSISTENT=TRUE
+
+# ------------------------------
+# Environment Variables for Oracle Service
+# (only used when VECTOR_STORE is Oracle)
+# ------------------------------
+ORACLE_PWD=Dify123456
+ORACLE_CHARACTERSET=AL32UTF8
+
+# ------------------------------
+# Environment Variables for milvus Service
+# (only used when VECTOR_STORE is milvus)
+# ------------------------------
+# ETCD configuration for auto compaction mode
+ETCD_AUTO_COMPACTION_MODE=revision
+# ETCD configuration for auto compaction retention in terms of number of revisions
+ETCD_AUTO_COMPACTION_RETENTION=1000
+# ETCD configuration for backend quota in bytes
+ETCD_QUOTA_BACKEND_BYTES=4294967296
+# ETCD configuration for the number of changes before triggering a snapshot
+ETCD_SNAPSHOT_COUNT=50000
+# MinIO access key for authentication
+MINIO_ACCESS_KEY=minioadmin
+# MinIO secret key for authentication
+MINIO_SECRET_KEY=minioadmin
+# ETCD service endpoints
+ETCD_ENDPOINTS=etcd:2379
+# MinIO service address
+MINIO_ADDRESS=minio:9000
+# Enable or disable security authorization
+MILVUS_AUTHORIZATION_ENABLED=true
+
+# ------------------------------
+# Environment Variables for pgvector / pgvector-rs Service
+# (only used when VECTOR_STORE is pgvector / pgvector-rs)
+# ------------------------------
+PGVECTOR_PGUSER=postgres
+# The password for the default postgres user.
+PGVECTOR_POSTGRES_PASSWORD=difyai123456
+# The name of the default postgres database.
+PGVECTOR_POSTGRES_DB=dify
+# postgres data directory
+PGVECTOR_PGDATA=/var/lib/postgresql/data/pgdata
+
+# ------------------------------
+# Environment Variables for opensearch
+# (only used when VECTOR_STORE is opensearch)
+# ------------------------------
+OPENSEARCH_DISCOVERY_TYPE=single-node
+OPENSEARCH_BOOTSTRAP_MEMORY_LOCK=true
+OPENSEARCH_JAVA_OPTS_MIN=512m
+OPENSEARCH_JAVA_OPTS_MAX=1024m
+OPENSEARCH_INITIAL_ADMIN_PASSWORD=Qazwsxedc!@#123
+OPENSEARCH_MEMLOCK_SOFT=-1
+OPENSEARCH_MEMLOCK_HARD=-1
+OPENSEARCH_NOFILE_SOFT=65536
+OPENSEARCH_NOFILE_HARD=65536
+
+# ------------------------------
+# Environment Variables for Nginx reverse proxy
+# ------------------------------
+NGINX_SERVER_NAME=_
+NGINX_HTTPS_ENABLED=false
+# HTTP port
+NGINX_PORT=80
+# SSL settings are only applied when HTTPS_ENABLED is true
+NGINX_SSL_PORT=443
+# if HTTPS_ENABLED is true, you're required to add your own SSL certificates/keys to the `./nginx/ssl` directory
+# and modify the env vars below accordingly.
+NGINX_SSL_CERT_FILENAME=dify.crt
+NGINX_SSL_CERT_KEY_FILENAME=dify.key
+NGINX_SSL_PROTOCOLS=TLSv1.1 TLSv1.2 TLSv1.3
+
+# Nginx performance tuning
+NGINX_WORKER_PROCESSES=auto
+NGINX_CLIENT_MAX_BODY_SIZE=15M
+NGINX_KEEPALIVE_TIMEOUT=65
+
+# Proxy settings
+NGINX_PROXY_READ_TIMEOUT=3600s
+NGINX_PROXY_SEND_TIMEOUT=3600s
+
+# Set true to accept requests for /.well-known/acme-challenge/
+NGINX_ENABLE_CERTBOT_CHALLENGE=false
+
+# ------------------------------
+# Certbot Configuration
+# ------------------------------
+
+# Email address (required to get certificates from Let's Encrypt)
+CERTBOT_EMAIL=your_email@example.com
+
+# Domain name
+CERTBOT_DOMAIN=your_domain.com
+
+# certbot command options
+# i.e: --force-renewal --dry-run --test-cert --debug
+CERTBOT_OPTIONS=
+
+# ------------------------------
+# Environment Variables for SSRF Proxy
+# ------------------------------
+SSRF_HTTP_PORT=3128
+SSRF_COREDUMP_DIR=/var/spool/squid
+SSRF_REVERSE_PROXY_PORT=8194
+SSRF_SANDBOX_HOST=sandbox
+
+# ------------------------------
+# docker env var for specifying vector db type at startup
+# (based on the vector db type, the corresponding docker
+# compose profile will be used)
+# if you want to use unstructured, add ',unstructured' to the end
+# ------------------------------
+COMPOSE_PROFILES=${VECTOR_STORE:-weaviate}
+
+# ------------------------------
+# Docker Compose Service Expose Host Port Configurations
+# ------------------------------
+EXPOSE_NGINX_PORT=80
+EXPOSE_NGINX_SSL_PORT=443
+
+# ----------------------------------------------------------------------------
+# ModelProvider & Tool Position Configuration
+# Used to specify the model providers and tools that can be used in the app.
+# ----------------------------------------------------------------------------
+
+# Pin, include, and exclude tools
+# Use comma-separated values with no spaces between items.
+# Example: POSITION_TOOL_PINS=bing,google
+POSITION_TOOL_PINS=
+POSITION_TOOL_INCLUDES=
+POSITION_TOOL_EXCLUDES=
+
+# Pin, include, and exclude model providers
+# Use comma-separated values with no spaces between items.
+# Example: POSITION_PROVIDER_PINS=openai,openllm
+POSITION_PROVIDER_PINS=
+POSITION_PROVIDER_INCLUDES=
+POSITION_PROVIDER_EXCLUDES=
+
+# CSP https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
+CSP_WHITELIST=
+
+# Enable or disable create tidb service job
+CREATE_TIDB_SERVICE_JOB_ENABLED=false
+
+# Maximum number of submitted thread count in a ThreadPool for parallel node execution
+MAX_SUBMIT_COUNT=100
+
+# The maximum number of top-k value for RAG.
+TOP_K_MAX_VALUE=10
+
+# ------------------------------
+# Plugin Daemon Configuration
+# ------------------------------
+
+DB_PLUGIN_DATABASE=dify_plugin
+EXPOSE_PLUGIN_DAEMON_PORT=5002
+PLUGIN_DAEMON_PORT=5002
+PLUGIN_DAEMON_KEY=lYkiYYT6owG+71oLerGzA7GXCgOT++6ovaezWAjpCjf+Sjc3ZtU+qUEi
+PLUGIN_DAEMON_URL=http://plugin_daemon:5002
+PLUGIN_MAX_PACKAGE_SIZE=52428800
+PLUGIN_PPROF_ENABLED=false
+
+PLUGIN_DEBUGGING_HOST=0.0.0.0
+PLUGIN_DEBUGGING_PORT=5003
+EXPOSE_PLUGIN_DEBUGGING_HOST=localhost
+EXPOSE_PLUGIN_DEBUGGING_PORT=5003
+
+PLUGIN_DIFY_INNER_API_KEY=QaHbTe77CtuXmsfyhR7+vRjI/+XbV1AaFy691iy+kGDv2Jvy0/eAh8Y1
+PLUGIN_DIFY_INNER_API_URL=http://api:5001
+
+ENDPOINT_URL_TEMPLATE=http://localhost/e/{hook_id}
+
+MARKETPLACE_ENABLED=true
+MARKETPLACE_API_URL=https://marketplace-plugin.dify.dev
+
diff --git a/spellbook/dify-beta1/README.md b/spellbook/dify-beta1/README.md
new file mode 100644
index 00000000..be8d32c8
--- /dev/null
+++ b/spellbook/dify-beta1/README.md
@@ -0,0 +1,169 @@
+
+
+# AWS CloudFront Infrastructure Module
+
+このリポジトリは、AWSのCloudFrontディストリビューションを設定するための再利用可能なTerraformモジュールを提供します。
+
+## 🌟 主な機能
+
+- ✅ CloudFrontディストリビューションの作成(カスタムドメイン対応)
+- 🛡️ WAFv2によるIPホワイトリスト制御
+- 🌐 Route53でのDNSレコード自動設定
+- 🔒 ACM証明書の自動作成と検証
+
+## 📁 ディレクトリ構造
+
+```
+cloudfront-infrastructure/
+├── modules/
+│ └── cloudfront/ # メインモジュール
+│ ├── main.tf # リソース定義
+│ ├── variables.tf # 変数定義
+│ ├── outputs.tf # 出力定義
+│ └── README.md # モジュールのドキュメント
+└── examples/
+ └── complete/ # 完全な使用例
+ ├── main.tf
+ ├── variables.tf
+ ├── outputs.tf
+ ├── terraform.tfvars.example
+ └── whitelist-waf.csv.example
+```
+
+## 🚀 クイックスタート
+
+1. モジュールの使用例をコピーします:
+```bash
+cp -r examples/complete your-project/
+cd your-project
+```
+
+2. 設定ファイルを作成します:
+```bash
+cp terraform.tfvars.example terraform.tfvars
+cp whitelist-waf.csv.example whitelist-waf.csv
+```
+
+3. terraform.tfvarsを編集して必要な設定を行います:
+```hcl
+# AWSリージョン設定
+aws_region = "ap-northeast-1"
+
+# プロジェクト名
+project_name = "your-project-name"
+
+# オリジンサーバー設定(EC2インスタンス)
+origin_domain = "your-ec2-domain.compute.amazonaws.com"
+
+# ドメイン設定
+domain = "your-domain.com"
+subdomain = "your-subdomain"
+```
+
+4. whitelist-waf.csvを編集してIPホワイトリストを設定します:
+```csv
+ip,description
+192.168.1.1/32,Office Network
+10.0.0.1/32,Home Network
+```
+
+5. Terraformを実行します:
+```bash
+terraform init
+terraform plan
+terraform apply
+```
+
+## 📚 より詳細な使用方法
+
+より詳細な使用方法については、[modules/cloudfront/README.md](modules/cloudfront/README.md)を参照してください。
+
+## 🔧 カスタマイズ
+
+このモジュールは以下の要素をカスタマイズできます:
+
+1. CloudFront設定
+ - キャッシュ動作
+ - オリジンの設定
+ - SSL/TLS設定
+
+2. WAF設定
+ - IPホワイトリストの管理
+ - セキュリティルールのカスタマイズ
+
+3. DNS設定
+ - カスタムドメインの設定
+ - Route53との連携
+
+## 📝 注意事項
+
+- CloudFrontのデプロイには時間がかかる場合があります(15-30分程度)
+- DNSの伝播には最大72時間かかる可能性があります
+- SSL証明書の検証には数分から数十分かかることがあります
+- WAFのIPホワイトリストは定期的なメンテナンスが必要です
+
+## 🔍 トラブルシューティング
+
+詳細なトラブルシューティングガイドについては、[modules/cloudfront/README.md](modules/cloudfront/README.md#トラブルシューティング)を参照してください。
diff --git a/spellbook/dify-beta1/terraform/cloudfront-infrastructure/main.tf b/spellbook/dify-beta1/terraform/cloudfront-infrastructure/main.tf
new file mode 100644
index 00000000..b11c9a84
--- /dev/null
+++ b/spellbook/dify-beta1/terraform/cloudfront-infrastructure/main.tf
@@ -0,0 +1,41 @@
+terraform {
+ required_version = ">= 0.12"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4.0"
+ }
+ }
+
+ backend "local" {
+ path = "terraform.tfstate"
+ }
+}
+
+# デフォルトプロバイダー設定
+provider "aws" {
+ region = var.aws_region
+}
+
+# バージニアリージョン用のプロバイダー設定(CloudFront用)
+provider "aws" {
+ alias = "virginia"
+ region = "us-east-1"
+}
+
+# CloudFrontモジュールの呼び出し
+module "cloudfront" {
+ source = "../../../open-webui/terraform/cloudfront-infrastructure/modules"
+
+ project_name = var.project_name
+ aws_region = var.aws_region
+ origin_domain = var.origin_domain
+ domain = var.domain
+ subdomain = var.subdomain
+
+ providers = {
+ aws = aws
+ aws.virginia = aws.virginia
+ }
+}
diff --git a/spellbook/dify-beta1/terraform/cloudfront-infrastructure/outputs.tf b/spellbook/dify-beta1/terraform/cloudfront-infrastructure/outputs.tf
new file mode 100644
index 00000000..c3687573
--- /dev/null
+++ b/spellbook/dify-beta1/terraform/cloudfront-infrastructure/outputs.tf
@@ -0,0 +1,39 @@
+output "cloudfront_domain_name" {
+ description = "Domain name of the CloudFront distribution (*.cloudfront.net)"
+ value = module.cloudfront.cloudfront_domain_name
+}
+
+output "cloudfront_distribution_id" {
+ description = "ID of the CloudFront distribution"
+ value = module.cloudfront.cloudfront_distribution_id
+}
+
+output "cloudfront_arn" {
+ description = "ARN of the CloudFront distribution"
+ value = module.cloudfront.cloudfront_arn
+}
+
+output "cloudfront_url" {
+ description = "CloudFrontのURL"
+ value = module.cloudfront.cloudfront_url
+}
+
+output "subdomain_url" {
+ description = "サブドメインのURL"
+ value = module.cloudfront.subdomain_url
+}
+
+output "waf_web_acl_id" {
+ description = "ID of the WAF Web ACL"
+ value = module.cloudfront.waf_web_acl_id
+}
+
+output "waf_web_acl_arn" {
+ description = "ARN of the WAF Web ACL"
+ value = module.cloudfront.waf_web_acl_arn
+}
+
+output "certificate_arn" {
+ description = "ARN of the ACM certificate"
+ value = module.cloudfront.certificate_arn
+}
diff --git a/spellbook/dify-beta1/terraform/cloudfront-infrastructure/terraform.tfvars.example b/spellbook/dify-beta1/terraform/cloudfront-infrastructure/terraform.tfvars.example
new file mode 100644
index 00000000..45301723
--- /dev/null
+++ b/spellbook/dify-beta1/terraform/cloudfront-infrastructure/terraform.tfvars.example
@@ -0,0 +1,12 @@
+# AWSの設定
+aws_region = "ap-northeast-1"
+
+# プロジェクト名
+project_name = "example-project"
+
+# オリジンサーバー設定(EC2インスタンス)
+origin_domain = "ec2-xxx-xxx-xxx-xxx.compute.amazonaws.com"
+
+# ドメイン設定
+domain = "example.com"
+subdomain = "app" # 生成されるURL: app.example.com
diff --git a/spellbook/dify-beta1/terraform/cloudfront-infrastructure/variables.tf b/spellbook/dify-beta1/terraform/cloudfront-infrastructure/variables.tf
new file mode 100644
index 00000000..01576938
--- /dev/null
+++ b/spellbook/dify-beta1/terraform/cloudfront-infrastructure/variables.tf
@@ -0,0 +1,25 @@
+variable "project_name" {
+ description = "Name of the project"
+ type = string
+}
+
+variable "aws_region" {
+ description = "AWS region for the resources"
+ type = string
+ default = "ap-northeast-1"
+}
+
+variable "origin_domain" {
+ description = "Domain name of the origin (EC2 instance)"
+ type = string
+}
+
+variable "domain" {
+ description = "メインドメイン名"
+ type = string
+}
+
+variable "subdomain" {
+ description = "サブドメイン名"
+ type = string
+}
diff --git a/spellbook/dify-beta1/terraform/main-infrastructure/common_variables.tf b/spellbook/dify-beta1/terraform/main-infrastructure/common_variables.tf
new file mode 100644
index 00000000..31c9412c
--- /dev/null
+++ b/spellbook/dify-beta1/terraform/main-infrastructure/common_variables.tf
@@ -0,0 +1,119 @@
+# Common variable definitions
+
+# プロジェクト名(全リソースの接頭辞として使用)
+variable "project_name" {
+ description = "Name of the project (used as a prefix for all resources)"
+ type = string
+}
+
+# AWSリージョン
+variable "aws_region" {
+ description = "AWS region where resources will be created"
+ type = string
+ default = "ap-northeast-1"
+}
+
+# 既存のVPC ID
+variable "vpc_id" {
+ description = "ID of the existing VPC"
+ type = string
+}
+
+# VPCのCIDRブロック
+variable "vpc_cidr" {
+ description = "CIDR block for the VPC"
+ type = string
+}
+
+# 第1パブリックサブネットのID
+variable "public_subnet_id" {
+ description = "ID of the first public subnet"
+ type = string
+}
+
+# 第2パブリックサブネットのID
+variable "public_subnet_2_id" {
+ description = "ID of the second public subnet"
+ type = string
+}
+
+# セキュリティグループID
+variable "security_group_ids" {
+ description = "List of security group IDs to attach to the instance"
+ type = list(string)
+}
+
+# ベースドメイン名
+variable "domain" {
+ description = "Base domain name for the application"
+ type = string
+ default = "sunwood-ai-labs.click"
+}
+
+# サブドメインプレフィックス
+variable "subdomain" {
+ description = "Subdomain prefix for the application"
+ type = string
+ default = "amaterasu-open-web-ui-dev"
+}
+
+# プライベートホストゾーンのドメイン名
+variable "domain_internal" {
+ description = "Domain name for private hosted zone"
+ type = string
+}
+
+# Route53のゾーンID
+variable "route53_internal_zone_id" {
+ description = "Zone ID for Route53 private hosted zone"
+ type = string
+}
+
+# EC2インスタンス関連の変数
+# EC2インスタンスのAMI ID
+variable "ami_id" {
+ description = "AMI ID for the EC2 instance (defaults to Ubuntu 22.04 LTS)"
+ type = string
+ default = "ami-0d52744d6551d851e" # Ubuntu 22.04 LTS in ap-northeast-1
+}
+
+# EC2インスタンスタイプ
+variable "instance_type" {
+ description = "Instance type for the EC2 instance"
+ type = string
+ default = "t3.medium"
+}
+
+# SSHキーペア名
+variable "key_name" {
+ description = "Name of the SSH key pair for EC2 instance"
+ type = string
+}
+
+# 環境変数ファイルのパス
+variable "env_file_path" {
+ description = "Absolute path to the .env file"
+ type = string
+}
+
+# セットアップスクリプトのパス
+variable "setup_script_path" {
+ description = "Absolute path to the setup_script.sh file"
+ type = string
+}
+
+# 共通のローカル変数
+locals {
+ # リソース命名用の共通プレフィックス
+ name_prefix = "${var.project_name}-"
+
+ # 完全修飾ドメイン名
+ fqdn = "${var.subdomain}.${var.domain}"
+
+ # 共通タグ
+ common_tags = {
+ Project = var.project_name
+ Environment = terraform.workspace
+ ManagedBy = "terraform"
+ }
+}
diff --git a/spellbook/dify-beta1/terraform/main-infrastructure/main.tf b/spellbook/dify-beta1/terraform/main-infrastructure/main.tf
new file mode 100644
index 00000000..07d3f6be
--- /dev/null
+++ b/spellbook/dify-beta1/terraform/main-infrastructure/main.tf
@@ -0,0 +1,72 @@
+terraform {
+ required_version = ">= 0.12"
+}
+
+# デフォルトプロバイダー設定
+provider "aws" {
+ region = var.aws_region
+}
+
+# CloudFront用のACM証明書のためのus-east-1プロバイダー
+provider "aws" {
+ alias = "us_east_1"
+ region = "us-east-1"
+}
+
+# IAM module
+module "iam" {
+ source = "../../../open-webui/terraform/main-infrastructure/modules/iam"
+
+ project_name = var.project_name
+}
+
+# Compute module
+module "compute" {
+ source = "../../../open-webui/terraform/main-infrastructure/modules/compute"
+
+ project_name = var.project_name
+ vpc_id = var.vpc_id
+ vpc_cidr = var.vpc_cidr
+ public_subnet_id = var.public_subnet_id
+ ami_id = var.ami_id
+ instance_type = var.instance_type
+ key_name = var.key_name
+ iam_instance_profile = module.iam.ec2_instance_profile_name
+ security_group_ids = var.security_group_ids
+ env_file_path = var.env_file_path
+ setup_script_path = var.setup_script_path
+
+ depends_on = [
+ module.iam
+ ]
+}
+
+# Networking module
+module "networking" {
+ source = "../../../open-webui/terraform/main-infrastructure/modules/networking"
+
+ project_name = var.project_name
+ aws_region = var.aws_region
+ vpc_id = var.vpc_id
+ vpc_cidr = var.vpc_cidr
+ public_subnet_id = var.public_subnet_id
+ public_subnet_2_id = var.public_subnet_2_id
+ security_group_ids = var.security_group_ids
+ domain = var.domain
+ subdomain = var.subdomain
+ domain_internal = var.domain_internal
+ route53_zone_id = var.route53_internal_zone_id
+ instance_id = module.compute.instance_id
+ instance_private_ip = module.compute.instance_private_ip
+ instance_private_dns = module.compute.instance_private_dns
+ instance_public_ip = module.compute.instance_public_ip
+
+ providers = {
+ aws = aws
+ aws.us_east_1 = aws.us_east_1
+ }
+
+ depends_on = [
+ module.compute
+ ]
+}
diff --git a/spellbook/dify-beta1/terraform/main-infrastructure/outputs.tf b/spellbook/dify-beta1/terraform/main-infrastructure/outputs.tf
new file mode 100644
index 00000000..75acfd5c
--- /dev/null
+++ b/spellbook/dify-beta1/terraform/main-infrastructure/outputs.tf
@@ -0,0 +1,34 @@
+output "instance_id" {
+ description = "ID of the EC2 instance"
+ value = module.compute.instance_id
+}
+
+output "instance_public_ip" {
+ description = "Public IP address of the EC2 instance"
+ value = module.compute.instance_public_ip
+}
+
+output "instance_private_ip" {
+ description = "Private IP address of the EC2 instance"
+ value = module.compute.instance_private_ip
+}
+
+output "instance_public_dns" {
+ description = "Public DNS name of the EC2 instance"
+ value = module.compute.instance_public_dns
+}
+
+output "vpc_id" {
+ description = "ID of the VPC"
+ value = module.networking.vpc_id
+}
+
+output "public_subnet_id" {
+ description = "ID of the public subnet"
+ value = module.networking.public_subnet_id
+}
+
+output "security_group_id" {
+ description = "ID of the security group"
+ value = module.networking.ec2_security_group_id
+}
diff --git a/spellbook/litellm/terraform/main-infrastructure/scripts/setup_script.sh b/spellbook/dify-beta1/terraform/main-infrastructure/scripts/setup_script.sh
similarity index 100%
rename from spellbook/litellm/terraform/main-infrastructure/scripts/setup_script.sh
rename to spellbook/dify-beta1/terraform/main-infrastructure/scripts/setup_script.sh
diff --git a/spellbook/dify-beta1/volumes/myscale/config/users.d/custom_users_config.xml b/spellbook/dify-beta1/volumes/myscale/config/users.d/custom_users_config.xml
new file mode 100755
index 00000000..08b9dc22
--- /dev/null
+++ b/spellbook/dify-beta1/volumes/myscale/config/users.d/custom_users_config.xml
@@ -0,0 +1,17 @@
+
+
+
+
+
+ ::1
+ 127.0.0.1
+ 10.0.0.0/8
+ 172.16.0.0/12
+ 192.168.0.0/16
+
+ default
+ default
+ 1
+
+
+
\ No newline at end of file
diff --git a/spellbook/dify-beta1/volumes/oceanbase/init.d/vec_memory.sql b/spellbook/dify-beta1/volumes/oceanbase/init.d/vec_memory.sql
new file mode 100755
index 00000000..f4c283fd
--- /dev/null
+++ b/spellbook/dify-beta1/volumes/oceanbase/init.d/vec_memory.sql
@@ -0,0 +1 @@
+ALTER SYSTEM SET ob_vector_memory_limit_percentage = 30;
\ No newline at end of file
diff --git a/spellbook/dify-beta1/volumes/opensearch/opensearch_dashboards.yml b/spellbook/dify-beta1/volumes/opensearch/opensearch_dashboards.yml
new file mode 100755
index 00000000..ab3d14e2
--- /dev/null
+++ b/spellbook/dify-beta1/volumes/opensearch/opensearch_dashboards.yml
@@ -0,0 +1,222 @@
+---
+# Copyright OpenSearch Contributors
+# SPDX-License-Identifier: Apache-2.0
+
+# Description:
+# Default configuration for OpenSearch Dashboards
+
+# OpenSearch Dashboards is served by a back end server. This setting specifies the port to use.
+# server.port: 5601
+
+# Specifies the address to which the OpenSearch Dashboards server will bind. IP addresses and host names are both valid values.
+# The default is 'localhost', which usually means remote machines will not be able to connect.
+# To allow connections from remote users, set this parameter to a non-loopback address.
+# server.host: "localhost"
+
+# Enables you to specify a path to mount OpenSearch Dashboards at if you are running behind a proxy.
+# Use the `server.rewriteBasePath` setting to tell OpenSearch Dashboards if it should remove the basePath
+# from requests it receives, and to prevent a deprecation warning at startup.
+# This setting cannot end in a slash.
+# server.basePath: ""
+
+# Specifies whether OpenSearch Dashboards should rewrite requests that are prefixed with
+# `server.basePath` or require that they are rewritten by your reverse proxy.
+# server.rewriteBasePath: false
+
+# The maximum payload size in bytes for incoming server requests.
+# server.maxPayloadBytes: 1048576
+
+# The OpenSearch Dashboards server's name. This is used for display purposes.
+# server.name: "your-hostname"
+
+# The URLs of the OpenSearch instances to use for all your queries.
+# opensearch.hosts: ["http://localhost:9200"]
+
+# OpenSearch Dashboards uses an index in OpenSearch to store saved searches, visualizations and
+# dashboards. OpenSearch Dashboards creates a new index if the index doesn't already exist.
+# opensearchDashboards.index: ".opensearch_dashboards"
+
+# The default application to load.
+# opensearchDashboards.defaultAppId: "home"
+
+# Setting for an optimized healthcheck that only uses the local OpenSearch node to do Dashboards healthcheck.
+# This settings should be used for large clusters or for clusters with ingest heavy nodes.
+# It allows Dashboards to only healthcheck using the local OpenSearch node rather than fan out requests across all nodes.
+#
+# It requires the user to create an OpenSearch node attribute with the same name as the value used in the setting
+# This node attribute should assign all nodes of the same cluster an integer value that increments with each new cluster that is spun up
+# e.g. in opensearch.yml file you would set the value to a setting using node.attr.cluster_id:
+# Should only be enabled if there is a corresponding node attribute created in your OpenSearch config that matches the value here
+# opensearch.optimizedHealthcheckId: "cluster_id"
+
+# If your OpenSearch is protected with basic authentication, these settings provide
+# the username and password that the OpenSearch Dashboards server uses to perform maintenance on the OpenSearch Dashboards
+# index at startup. Your OpenSearch Dashboards users still need to authenticate with OpenSearch, which
+# is proxied through the OpenSearch Dashboards server.
+# opensearch.username: "opensearch_dashboards_system"
+# opensearch.password: "pass"
+
+# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
+# These settings enable SSL for outgoing requests from the OpenSearch Dashboards server to the browser.
+# server.ssl.enabled: false
+# server.ssl.certificate: /path/to/your/server.crt
+# server.ssl.key: /path/to/your/server.key
+
+# Optional settings that provide the paths to the PEM-format SSL certificate and key files.
+# These files are used to verify the identity of OpenSearch Dashboards to OpenSearch and are required when
+# xpack.security.http.ssl.client_authentication in OpenSearch is set to required.
+# opensearch.ssl.certificate: /path/to/your/client.crt
+# opensearch.ssl.key: /path/to/your/client.key
+
+# Optional setting that enables you to specify a path to the PEM file for the certificate
+# authority for your OpenSearch instance.
+# opensearch.ssl.certificateAuthorities: [ "/path/to/your/CA.pem" ]
+
+# To disregard the validity of SSL certificates, change this setting's value to 'none'.
+# opensearch.ssl.verificationMode: full
+
+# Time in milliseconds to wait for OpenSearch to respond to pings. Defaults to the value of
+# the opensearch.requestTimeout setting.
+# opensearch.pingTimeout: 1500
+
+# Time in milliseconds to wait for responses from the back end or OpenSearch. This value
+# must be a positive integer.
+# opensearch.requestTimeout: 30000
+
+# List of OpenSearch Dashboards client-side headers to send to OpenSearch. To send *no* client-side
+# headers, set this value to [] (an empty list).
+# opensearch.requestHeadersWhitelist: [ authorization ]
+
+# Header names and values that are sent to OpenSearch. Any custom headers cannot be overwritten
+# by client-side headers, regardless of the opensearch.requestHeadersWhitelist configuration.
+# opensearch.customHeaders: {}
+
+# Time in milliseconds for OpenSearch to wait for responses from shards. Set to 0 to disable.
+# opensearch.shardTimeout: 30000
+
+# Logs queries sent to OpenSearch. Requires logging.verbose set to true.
+# opensearch.logQueries: false
+
+# Specifies the path where OpenSearch Dashboards creates the process ID file.
+# pid.file: /var/run/opensearchDashboards.pid
+
+# Enables you to specify a file where OpenSearch Dashboards stores log output.
+# logging.dest: stdout
+
+# Set the value of this setting to true to suppress all logging output.
+# logging.silent: false
+
+# Set the value of this setting to true to suppress all logging output other than error messages.
+# logging.quiet: false
+
+# Set the value of this setting to true to log all events, including system usage information
+# and all requests.
+# logging.verbose: false
+
+# Set the interval in milliseconds to sample system and process performance
+# metrics. Minimum is 100ms. Defaults to 5000.
+# ops.interval: 5000
+
+# Specifies locale to be used for all localizable strings, dates and number formats.
+# Supported languages are the following: English - en , by default , Chinese - zh-CN .
+# i18n.locale: "en"
+
+# Set the allowlist to check input graphite Url. Allowlist is the default check list.
+# vis_type_timeline.graphiteAllowedUrls: ['https://www.hostedgraphite.com/UID/ACCESS_KEY/graphite']
+
+# Set the blocklist to check input graphite Url. Blocklist is an IP list.
+# Below is an example for reference
+# vis_type_timeline.graphiteBlockedIPs: [
+# //Loopback
+# '127.0.0.0/8',
+# '::1/128',
+# //Link-local Address for IPv6
+# 'fe80::/10',
+# //Private IP address for IPv4
+# '10.0.0.0/8',
+# '172.16.0.0/12',
+# '192.168.0.0/16',
+# //Unique local address (ULA)
+# 'fc00::/7',
+# //Reserved IP address
+# '0.0.0.0/8',
+# '100.64.0.0/10',
+# '192.0.0.0/24',
+# '192.0.2.0/24',
+# '198.18.0.0/15',
+# '192.88.99.0/24',
+# '198.51.100.0/24',
+# '203.0.113.0/24',
+# '224.0.0.0/4',
+# '240.0.0.0/4',
+# '255.255.255.255/32',
+# '::/128',
+# '2001:db8::/32',
+# 'ff00::/8',
+# ]
+# vis_type_timeline.graphiteBlockedIPs: []
+
+# opensearchDashboards.branding:
+# logo:
+# defaultUrl: ""
+# darkModeUrl: ""
+# mark:
+# defaultUrl: ""
+# darkModeUrl: ""
+# loadingLogo:
+# defaultUrl: ""
+# darkModeUrl: ""
+# faviconUrl: ""
+# applicationTitle: ""
+
+# Set the value of this setting to true to capture region blocked warnings and errors
+# for your map rendering services.
+# map.showRegionBlockedWarning: false%
+
+# Set the value of this setting to false to suppress search usage telemetry
+# for reducing the load of OpenSearch cluster.
+# data.search.usageTelemetry.enabled: false
+
+# 2.4 renames 'wizard.enabled: false' to 'vis_builder.enabled: false'
+# Set the value of this setting to false to disable VisBuilder
+# functionality in Visualization.
+# vis_builder.enabled: false
+
+# 2.4 New Experimental Feature
+# Set the value of this setting to true to enable the experimental multiple data source
+# support feature. Use with caution.
+# data_source.enabled: false
+# Set the value of these settings to customize crypto materials to encryption saved credentials
+# in data sources.
+# data_source.encryption.wrappingKeyName: 'changeme'
+# data_source.encryption.wrappingKeyNamespace: 'changeme'
+# data_source.encryption.wrappingKey: [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+
+# 2.6 New ML Commons Dashboards Feature
+# Set the value of this setting to true to enable the ml commons dashboards
+# ml_commons_dashboards.enabled: false
+
+# 2.12 New experimental Assistant Dashboards Feature
+# Set the value of this setting to true to enable the assistant dashboards
+# assistant.chat.enabled: false
+
+# 2.13 New Query Assistant Feature
+# Set the value of this setting to false to disable the query assistant
+# observability.query_assist.enabled: false
+
+# 2.14 Enable Ui Metric Collectors in Usage Collector
+# Set the value of this setting to true to enable UI Metric collections
+# usageCollection.uiMetric.enabled: false
+
+opensearch.hosts: [https://localhost:9200]
+opensearch.ssl.verificationMode: none
+opensearch.username: admin
+opensearch.password: 'Qazwsxedc!@#123'
+opensearch.requestHeadersWhitelist: [authorization, securitytenant]
+
+opensearch_security.multitenancy.enabled: true
+opensearch_security.multitenancy.tenants.preferred: [Private, Global]
+opensearch_security.readonly_mode.roles: [kibana_read_only]
+# Use this setting if you are running opensearch-dashboards without https
+opensearch_security.cookie.secure: false
+server.host: '0.0.0.0'
diff --git a/spellbook/dify/.env.example b/spellbook/dify/.env.example
new file mode 100644
index 00000000..b21bdc70
--- /dev/null
+++ b/spellbook/dify/.env.example
@@ -0,0 +1,934 @@
+# ------------------------------
+# Environment Variables for API service & worker
+# ------------------------------
+
+# ------------------------------
+# Common Variables
+# ------------------------------
+
+# The backend URL of the console API,
+# used to concatenate the authorization callback.
+# If empty, it is the same domain.
+# Example: https://api.console.dify.ai
+CONSOLE_API_URL=
+
+# The front-end URL of the console web,
+# used to concatenate some front-end addresses and for CORS configuration use.
+# If empty, it is the same domain.
+# Example: https://console.dify.ai
+CONSOLE_WEB_URL=
+
+# Service API Url,
+# used to display Service API Base Url to the front-end.
+# If empty, it is the same domain.
+# Example: https://api.dify.ai
+SERVICE_API_URL=
+
+# WebApp API backend Url,
+# used to declare the back-end URL for the front-end API.
+# If empty, it is the same domain.
+# Example: https://api.app.dify.ai
+APP_API_URL=
+
+# WebApp Url,
+# used to display WebAPP API Base Url to the front-end.
+# If empty, it is the same domain.
+# Example: https://app.dify.ai
+APP_WEB_URL=
+
+# File preview or download Url prefix.
+# used to display File preview or download Url to the front-end or as Multi-model inputs;
+# Url is signed and has expiration time.
+FILES_URL=
+
+# ------------------------------
+# Server Configuration
+# ------------------------------
+
+# The log level for the application.
+# Supported values are `DEBUG`, `INFO`, `WARNING`, `ERROR`, `CRITICAL`
+LOG_LEVEL=INFO
+# Log file path
+LOG_FILE=/app/logs/server.log
+# Log file max size, the unit is MB
+LOG_FILE_MAX_SIZE=20
+# Log file max backup count
+LOG_FILE_BACKUP_COUNT=5
+# Log dateformat
+LOG_DATEFORMAT=%Y-%m-%d %H:%M:%S
+# Log Timezone
+LOG_TZ=UTC
+
+# Debug mode, default is false.
+# It is recommended to turn on this configuration for local development
+# to prevent some problems caused by monkey patch.
+DEBUG=false
+
+# Flask debug mode, it can output trace information at the interface when turned on,
+# which is convenient for debugging.
+FLASK_DEBUG=false
+
+# A secretkey that is used for securely signing the session cookie
+# and encrypting sensitive information on the database.
+# You can generate a strong key using `openssl rand -base64 42`.
+SECRET_KEY=sk-9f73s3ljTXVcMT3Blb3ljTqtsKiGHXVcMT3BlbkFJLK7U
+
+# Password for admin user initialization.
+# If left unset, admin user will not be prompted for a password
+# when creating the initial admin account.
+# The length of the password cannot exceed 30 charactors.
+INIT_PASSWORD=
+
+# Deployment environment.
+# Supported values are `PRODUCTION`, `TESTING`. Default is `PRODUCTION`.
+# Testing environment. There will be a distinct color label on the front-end page,
+# indicating that this environment is a testing environment.
+DEPLOY_ENV=PRODUCTION
+
+# Whether to enable the version check policy.
+# If set to empty, https://updates.dify.ai will be called for version check.
+CHECK_UPDATE_URL=https://updates.dify.ai
+
+# Used to change the OpenAI base address, default is https://api.openai.com/v1.
+# When OpenAI cannot be accessed in China, replace it with a domestic mirror address,
+# or when a local model provides OpenAI compatible API, it can be replaced.
+OPENAI_API_BASE=https://api.openai.com/v1
+
+# When enabled, migrations will be executed prior to application startup
+# and the application will start after the migrations have completed.
+MIGRATION_ENABLED=true
+
+# File Access Time specifies a time interval in seconds for the file to be accessed.
+# The default value is 300 seconds.
+FILES_ACCESS_TIMEOUT=300
+
+# Access token expiration time in minutes
+ACCESS_TOKEN_EXPIRE_MINUTES=60
+
+# Refresh token expiration time in days
+REFRESH_TOKEN_EXPIRE_DAYS=30
+
+# The maximum number of active requests for the application, where 0 means unlimited, should be a non-negative integer.
+APP_MAX_ACTIVE_REQUESTS=0
+APP_MAX_EXECUTION_TIME=1200
+
+# ------------------------------
+# Container Startup Related Configuration
+# Only effective when starting with docker image or docker-compose.
+# ------------------------------
+
+# API service binding address, default: 0.0.0.0, i.e., all addresses can be accessed.
+DIFY_BIND_ADDRESS=0.0.0.0
+
+# API service binding port number, default 5001.
+DIFY_PORT=5001
+
+# The number of API server workers, i.e., the number of workers.
+# Formula: number of cpu cores x 2 + 1 for sync, 1 for Gevent
+# Reference: https://docs.gunicorn.org/en/stable/design.html#how-many-workers
+SERVER_WORKER_AMOUNT=1
+
+# Defaults to gevent. If using windows, it can be switched to sync or solo.
+SERVER_WORKER_CLASS=gevent
+
+# Default number of worker connections, the default is 10.
+SERVER_WORKER_CONNECTIONS=10
+
+# Similar to SERVER_WORKER_CLASS.
+# If using windows, it can be switched to sync or solo.
+CELERY_WORKER_CLASS=
+
+# Request handling timeout. The default is 200,
+# it is recommended to set it to 360 to support a longer sse connection time.
+GUNICORN_TIMEOUT=360
+
+# The number of Celery workers. The default is 1, and can be set as needed.
+CELERY_WORKER_AMOUNT=
+
+# Flag indicating whether to enable autoscaling of Celery workers.
+#
+# Autoscaling is useful when tasks are CPU intensive and can be dynamically
+# allocated and deallocated based on the workload.
+#
+# When autoscaling is enabled, the maximum and minimum number of workers can
+# be specified. The autoscaling algorithm will dynamically adjust the number
+# of workers within the specified range.
+#
+# Default is false (i.e., autoscaling is disabled).
+#
+# Example:
+# CELERY_AUTO_SCALE=true
+CELERY_AUTO_SCALE=false
+
+# The maximum number of Celery workers that can be autoscaled.
+# This is optional and only used when autoscaling is enabled.
+# Default is not set.
+CELERY_MAX_WORKERS=
+
+# The minimum number of Celery workers that can be autoscaled.
+# This is optional and only used when autoscaling is enabled.
+# Default is not set.
+CELERY_MIN_WORKERS=
+
+# API Tool configuration
+API_TOOL_DEFAULT_CONNECT_TIMEOUT=10
+API_TOOL_DEFAULT_READ_TIMEOUT=60
+
+
+# ------------------------------
+# Database Configuration
+# The database uses PostgreSQL. Please use the public schema.
+# It is consistent with the configuration in the 'db' service below.
+# ------------------------------
+
+DB_USERNAME=postgres
+DB_PASSWORD=difyai123456
+DB_HOST=db
+DB_PORT=5432
+DB_DATABASE=dify
+# The size of the database connection pool.
+# The default is 30 connections, which can be appropriately increased.
+SQLALCHEMY_POOL_SIZE=30
+# Database connection pool recycling time, the default is 3600 seconds.
+SQLALCHEMY_POOL_RECYCLE=3600
+# Whether to print SQL, default is false.
+SQLALCHEMY_ECHO=false
+
+# Maximum number of connections to the database
+# Default is 100
+#
+# Reference: https://www.postgresql.org/docs/current/runtime-config-connection.html#GUC-MAX-CONNECTIONS
+POSTGRES_MAX_CONNECTIONS=100
+
+# Sets the amount of shared memory used for postgres's shared buffers.
+# Default is 128MB
+# Recommended value: 25% of available memory
+# Reference: https://www.postgresql.org/docs/current/runtime-config-resource.html#GUC-SHARED-BUFFERS
+POSTGRES_SHARED_BUFFERS=128MB
+
+# Sets the amount of memory used by each database worker for working space.
+# Default is 4MB
+#
+# Reference: https://www.postgresql.org/docs/current/runtime-config-resource.html#GUC-WORK-MEM
+POSTGRES_WORK_MEM=4MB
+
+# Sets the amount of memory reserved for maintenance activities.
+# Default is 64MB
+#
+# Reference: https://www.postgresql.org/docs/current/runtime-config-resource.html#GUC-MAINTENANCE-WORK-MEM
+POSTGRES_MAINTENANCE_WORK_MEM=64MB
+
+# Sets the planner's assumption about the effective cache size.
+# Default is 4096MB
+#
+# Reference: https://www.postgresql.org/docs/current/runtime-config-query.html#GUC-EFFECTIVE-CACHE-SIZE
+POSTGRES_EFFECTIVE_CACHE_SIZE=4096MB
+
+# ------------------------------
+# Redis Configuration
+# This Redis configuration is used for caching and for pub/sub during conversation.
+# ------------------------------
+
+REDIS_HOST=redis
+REDIS_PORT=6379
+REDIS_USERNAME=
+REDIS_PASSWORD=difyai123456
+REDIS_USE_SSL=false
+REDIS_DB=0
+
+# Whether to use Redis Sentinel mode.
+# If set to true, the application will automatically discover and connect to the master node through Sentinel.
+REDIS_USE_SENTINEL=false
+
+# List of Redis Sentinel nodes. If Sentinel mode is enabled, provide at least one Sentinel IP and port.
+# Format: `:,:,:`
+REDIS_SENTINELS=
+REDIS_SENTINEL_SERVICE_NAME=
+REDIS_SENTINEL_USERNAME=
+REDIS_SENTINEL_PASSWORD=
+REDIS_SENTINEL_SOCKET_TIMEOUT=0.1
+
+# List of Redis Cluster nodes. If Cluster mode is enabled, provide at least one Cluster IP and port.
+# Format: `:,:,:`
+REDIS_USE_CLUSTERS=false
+REDIS_CLUSTERS=
+REDIS_CLUSTERS_PASSWORD=
+
+# ------------------------------
+# Celery Configuration
+# ------------------------------
+
+# Use redis as the broker, and redis db 1 for celery broker.
+# Format as follows: `redis://:@:/`
+# Example: redis://:difyai123456@redis:6379/1
+# If use Redis Sentinel, format as follows: `sentinel://:@:/`
+# Example: sentinel://localhost:26379/1;sentinel://localhost:26380/1;sentinel://localhost:26381/1
+CELERY_BROKER_URL=redis://:difyai123456@redis:6379/1
+BROKER_USE_SSL=false
+
+# If you are using Redis Sentinel for high availability, configure the following settings.
+CELERY_USE_SENTINEL=false
+CELERY_SENTINEL_MASTER_NAME=
+CELERY_SENTINEL_SOCKET_TIMEOUT=0.1
+
+# ------------------------------
+# CORS Configuration
+# Used to set the front-end cross-domain access policy.
+# ------------------------------
+
+# Specifies the allowed origins for cross-origin requests to the Web API,
+# e.g. https://dify.app or * for all origins.
+WEB_API_CORS_ALLOW_ORIGINS=*
+
+# Specifies the allowed origins for cross-origin requests to the console API,
+# e.g. https://cloud.dify.ai or * for all origins.
+CONSOLE_CORS_ALLOW_ORIGINS=*
+
+# ------------------------------
+# File Storage Configuration
+# ------------------------------
+
+# The type of storage to use for storing user files.
+STORAGE_TYPE=opendal
+
+# Apache OpenDAL Configuration
+# The configuration for OpenDAL consists of the following format: OPENDAL__.
+# You can find all the service configurations (CONFIG_NAME) in the repository at: https://github.com/apache/opendal/tree/main/core/src/services.
+# Dify will scan configurations starting with OPENDAL_ and automatically apply them.
+# The scheme name for the OpenDAL storage.
+OPENDAL_SCHEME=fs
+# Configurations for OpenDAL Local File System.
+OPENDAL_FS_ROOT=storage
+
+# S3 Configuration
+#
+S3_ENDPOINT=
+S3_REGION=us-east-1
+S3_BUCKET_NAME=difyai
+S3_ACCESS_KEY=
+S3_SECRET_KEY=
+# Whether to use AWS managed IAM roles for authenticating with the S3 service.
+# If set to false, the access key and secret key must be provided.
+S3_USE_AWS_MANAGED_IAM=false
+
+# Azure Blob Configuration
+#
+AZURE_BLOB_ACCOUNT_NAME=difyai
+AZURE_BLOB_ACCOUNT_KEY=difyai
+AZURE_BLOB_CONTAINER_NAME=difyai-container
+AZURE_BLOB_ACCOUNT_URL=https://.blob.core.windows.net
+
+# Google Storage Configuration
+#
+GOOGLE_STORAGE_BUCKET_NAME=your-bucket-name
+GOOGLE_STORAGE_SERVICE_ACCOUNT_JSON_BASE64=
+
+# The Alibaba Cloud OSS configurations,
+#
+ALIYUN_OSS_BUCKET_NAME=your-bucket-name
+ALIYUN_OSS_ACCESS_KEY=your-access-key
+ALIYUN_OSS_SECRET_KEY=your-secret-key
+ALIYUN_OSS_ENDPOINT=https://oss-ap-southeast-1-internal.aliyuncs.com
+ALIYUN_OSS_REGION=ap-southeast-1
+ALIYUN_OSS_AUTH_VERSION=v4
+# Don't start with '/'. OSS doesn't support leading slash in object names.
+ALIYUN_OSS_PATH=your-path
+
+# Tencent COS Configuration
+#
+TENCENT_COS_BUCKET_NAME=your-bucket-name
+TENCENT_COS_SECRET_KEY=your-secret-key
+TENCENT_COS_SECRET_ID=your-secret-id
+TENCENT_COS_REGION=your-region
+TENCENT_COS_SCHEME=your-scheme
+
+# Oracle Storage Configuration
+#
+OCI_ENDPOINT=https://objectstorage.us-ashburn-1.oraclecloud.com
+OCI_BUCKET_NAME=your-bucket-name
+OCI_ACCESS_KEY=your-access-key
+OCI_SECRET_KEY=your-secret-key
+OCI_REGION=us-ashburn-1
+
+# Huawei OBS Configuration
+#
+HUAWEI_OBS_BUCKET_NAME=your-bucket-name
+HUAWEI_OBS_SECRET_KEY=your-secret-key
+HUAWEI_OBS_ACCESS_KEY=your-access-key
+HUAWEI_OBS_SERVER=your-server-url
+
+# Volcengine TOS Configuration
+#
+VOLCENGINE_TOS_BUCKET_NAME=your-bucket-name
+VOLCENGINE_TOS_SECRET_KEY=your-secret-key
+VOLCENGINE_TOS_ACCESS_KEY=your-access-key
+VOLCENGINE_TOS_ENDPOINT=your-server-url
+VOLCENGINE_TOS_REGION=your-region
+
+# Baidu OBS Storage Configuration
+#
+BAIDU_OBS_BUCKET_NAME=your-bucket-name
+BAIDU_OBS_SECRET_KEY=your-secret-key
+BAIDU_OBS_ACCESS_KEY=your-access-key
+BAIDU_OBS_ENDPOINT=your-server-url
+
+# Supabase Storage Configuration
+#
+SUPABASE_BUCKET_NAME=your-bucket-name
+SUPABASE_API_KEY=your-access-key
+SUPABASE_URL=your-server-url
+
+# ------------------------------
+# Vector Database Configuration
+# ------------------------------
+
+# The type of vector store to use.
+# Supported values are `weaviate`, `qdrant`, `milvus`, `myscale`, `relyt`, `pgvector`, `pgvecto-rs`, `chroma`, `opensearch`, `tidb_vector`, `oracle`, `tencent`, `elasticsearch`, `elasticsearch-ja`, `analyticdb`, `couchbase`, `vikingdb`, `oceanbase`.
+VECTOR_STORE=weaviate
+
+# The Weaviate endpoint URL. Only available when VECTOR_STORE is `weaviate`.
+WEAVIATE_ENDPOINT=http://weaviate:8080
+WEAVIATE_API_KEY=WVF5YThaHlkYwhGUSmCRgsX3tD5ngdN8pkih
+
+# The Qdrant endpoint URL. Only available when VECTOR_STORE is `qdrant`.
+QDRANT_URL=http://qdrant:6333
+QDRANT_API_KEY=difyai123456
+QDRANT_CLIENT_TIMEOUT=20
+QDRANT_GRPC_ENABLED=false
+QDRANT_GRPC_PORT=6334
+
+# Milvus configuration Only available when VECTOR_STORE is `milvus`.
+# The milvus uri.
+MILVUS_URI=http://127.0.0.1:19530
+MILVUS_TOKEN=
+MILVUS_USER=root
+MILVUS_PASSWORD=Milvus
+MILVUS_ENABLE_HYBRID_SEARCH=False
+
+# MyScale configuration, only available when VECTOR_STORE is `myscale`
+# For multi-language support, please set MYSCALE_FTS_PARAMS with referring to:
+# https://myscale.com/docs/en/text-search/#understanding-fts-index-parameters
+MYSCALE_HOST=myscale
+MYSCALE_PORT=8123
+MYSCALE_USER=default
+MYSCALE_PASSWORD=
+MYSCALE_DATABASE=dify
+MYSCALE_FTS_PARAMS=
+
+# Couchbase configurations, only available when VECTOR_STORE is `couchbase`
+# The connection string must include hostname defined in the docker-compose file (couchbase-server in this case)
+COUCHBASE_CONNECTION_STRING=couchbase://couchbase-server
+COUCHBASE_USER=Administrator
+COUCHBASE_PASSWORD=password
+COUCHBASE_BUCKET_NAME=Embeddings
+COUCHBASE_SCOPE_NAME=_default
+
+# pgvector configurations, only available when VECTOR_STORE is `pgvector`
+PGVECTOR_HOST=pgvector
+PGVECTOR_PORT=5432
+PGVECTOR_USER=postgres
+PGVECTOR_PASSWORD=difyai123456
+PGVECTOR_DATABASE=dify
+PGVECTOR_MIN_CONNECTION=1
+PGVECTOR_MAX_CONNECTION=5
+
+# pgvecto-rs configurations, only available when VECTOR_STORE is `pgvecto-rs`
+PGVECTO_RS_HOST=pgvecto-rs
+PGVECTO_RS_PORT=5432
+PGVECTO_RS_USER=postgres
+PGVECTO_RS_PASSWORD=difyai123456
+PGVECTO_RS_DATABASE=dify
+
+# analyticdb configurations, only available when VECTOR_STORE is `analyticdb`
+ANALYTICDB_KEY_ID=your-ak
+ANALYTICDB_KEY_SECRET=your-sk
+ANALYTICDB_REGION_ID=cn-hangzhou
+ANALYTICDB_INSTANCE_ID=gp-ab123456
+ANALYTICDB_ACCOUNT=testaccount
+ANALYTICDB_PASSWORD=testpassword
+ANALYTICDB_NAMESPACE=dify
+ANALYTICDB_NAMESPACE_PASSWORD=difypassword
+ANALYTICDB_HOST=gp-test.aliyuncs.com
+ANALYTICDB_PORT=5432
+ANALYTICDB_MIN_CONNECTION=1
+ANALYTICDB_MAX_CONNECTION=5
+
+# TiDB vector configurations, only available when VECTOR_STORE is `tidb`
+TIDB_VECTOR_HOST=tidb
+TIDB_VECTOR_PORT=4000
+TIDB_VECTOR_USER=
+TIDB_VECTOR_PASSWORD=
+TIDB_VECTOR_DATABASE=dify
+
+# Tidb on qdrant configuration, only available when VECTOR_STORE is `tidb_on_qdrant`
+TIDB_ON_QDRANT_URL=http://127.0.0.1
+TIDB_ON_QDRANT_API_KEY=dify
+TIDB_ON_QDRANT_CLIENT_TIMEOUT=20
+TIDB_ON_QDRANT_GRPC_ENABLED=false
+TIDB_ON_QDRANT_GRPC_PORT=6334
+TIDB_PUBLIC_KEY=dify
+TIDB_PRIVATE_KEY=dify
+TIDB_API_URL=http://127.0.0.1
+TIDB_IAM_API_URL=http://127.0.0.1
+TIDB_REGION=regions/aws-us-east-1
+TIDB_PROJECT_ID=dify
+TIDB_SPEND_LIMIT=100
+
+# Chroma configuration, only available when VECTOR_STORE is `chroma`
+CHROMA_HOST=127.0.0.1
+CHROMA_PORT=8000
+CHROMA_TENANT=default_tenant
+CHROMA_DATABASE=default_database
+CHROMA_AUTH_PROVIDER=chromadb.auth.token_authn.TokenAuthClientProvider
+CHROMA_AUTH_CREDENTIALS=
+
+# Oracle configuration, only available when VECTOR_STORE is `oracle`
+ORACLE_HOST=oracle
+ORACLE_PORT=1521
+ORACLE_USER=dify
+ORACLE_PASSWORD=dify
+ORACLE_DATABASE=FREEPDB1
+
+# relyt configurations, only available when VECTOR_STORE is `relyt`
+RELYT_HOST=db
+RELYT_PORT=5432
+RELYT_USER=postgres
+RELYT_PASSWORD=difyai123456
+RELYT_DATABASE=postgres
+
+# open search configuration, only available when VECTOR_STORE is `opensearch`
+OPENSEARCH_HOST=opensearch
+OPENSEARCH_PORT=9200
+OPENSEARCH_USER=admin
+OPENSEARCH_PASSWORD=admin
+OPENSEARCH_SECURE=true
+
+# tencent vector configurations, only available when VECTOR_STORE is `tencent`
+TENCENT_VECTOR_DB_URL=http://127.0.0.1
+TENCENT_VECTOR_DB_API_KEY=dify
+TENCENT_VECTOR_DB_TIMEOUT=30
+TENCENT_VECTOR_DB_USERNAME=dify
+TENCENT_VECTOR_DB_DATABASE=dify
+TENCENT_VECTOR_DB_SHARD=1
+TENCENT_VECTOR_DB_REPLICAS=2
+
+# ElasticSearch configuration, only available when VECTOR_STORE is `elasticsearch`
+ELASTICSEARCH_HOST=0.0.0.0
+ELASTICSEARCH_PORT=9200
+ELASTICSEARCH_USERNAME=elastic
+ELASTICSEARCH_PASSWORD=elastic
+KIBANA_PORT=5601
+
+# baidu vector configurations, only available when VECTOR_STORE is `baidu`
+BAIDU_VECTOR_DB_ENDPOINT=http://127.0.0.1:5287
+BAIDU_VECTOR_DB_CONNECTION_TIMEOUT_MS=30000
+BAIDU_VECTOR_DB_ACCOUNT=root
+BAIDU_VECTOR_DB_API_KEY=dify
+BAIDU_VECTOR_DB_DATABASE=dify
+BAIDU_VECTOR_DB_SHARD=1
+BAIDU_VECTOR_DB_REPLICAS=3
+
+# VikingDB configurations, only available when VECTOR_STORE is `vikingdb`
+VIKINGDB_ACCESS_KEY=your-ak
+VIKINGDB_SECRET_KEY=your-sk
+VIKINGDB_REGION=cn-shanghai
+VIKINGDB_HOST=api-vikingdb.xxx.volces.com
+VIKINGDB_SCHEMA=http
+VIKINGDB_CONNECTION_TIMEOUT=30
+VIKINGDB_SOCKET_TIMEOUT=30
+
+# Lindorm configuration, only available when VECTOR_STORE is `lindorm`
+LINDORM_URL=http://lindorm:30070
+LINDORM_USERNAME=lindorm
+LINDORM_PASSWORD=lindorm
+
+# OceanBase Vector configuration, only available when VECTOR_STORE is `oceanbase`
+OCEANBASE_VECTOR_HOST=oceanbase
+OCEANBASE_VECTOR_PORT=2881
+OCEANBASE_VECTOR_USER=root@test
+OCEANBASE_VECTOR_PASSWORD=difyai123456
+OCEANBASE_VECTOR_DATABASE=test
+OCEANBASE_CLUSTER_NAME=difyai
+OCEANBASE_MEMORY_LIMIT=6G
+
+# Upstash Vector configuration, only available when VECTOR_STORE is `upstash`
+UPSTASH_VECTOR_URL=https://xxx-vector.upstash.io
+UPSTASH_VECTOR_TOKEN=dify
+
+# ------------------------------
+# Knowledge Configuration
+# ------------------------------
+
+# Upload file size limit, default 15M.
+UPLOAD_FILE_SIZE_LIMIT=15
+
+# The maximum number of files that can be uploaded at a time, default 5.
+UPLOAD_FILE_BATCH_LIMIT=5
+
+# ETL type, support: `dify`, `Unstructured`
+# `dify` Dify's proprietary file extraction scheme
+# `Unstructured` Unstructured.io file extraction scheme
+ETL_TYPE=dify
+
+# Unstructured API path and API key, needs to be configured when ETL_TYPE is Unstructured
+# Or using Unstructured for document extractor node for pptx.
+# For example: http://unstructured:8000/general/v0/general
+UNSTRUCTURED_API_URL=
+UNSTRUCTURED_API_KEY=
+SCARF_NO_ANALYTICS=true
+
+# ------------------------------
+# Model Configuration
+# ------------------------------
+
+# The maximum number of tokens allowed for prompt generation.
+# This setting controls the upper limit of tokens that can be used by the LLM
+# when generating a prompt in the prompt generation tool.
+# Default: 512 tokens.
+PROMPT_GENERATION_MAX_TOKENS=512
+
+# The maximum number of tokens allowed for code generation.
+# This setting controls the upper limit of tokens that can be used by the LLM
+# when generating code in the code generation tool.
+# Default: 1024 tokens.
+CODE_GENERATION_MAX_TOKENS=1024
+
+# ------------------------------
+# Multi-modal Configuration
+# ------------------------------
+
+# The format of the image/video/audio/document sent when the multi-modal model is input,
+# the default is base64, optional url.
+# The delay of the call in url mode will be lower than that in base64 mode.
+# It is generally recommended to use the more compatible base64 mode.
+# If configured as url, you need to configure FILES_URL as an externally accessible address so that the multi-modal model can access the image/video/audio/document.
+MULTIMODAL_SEND_FORMAT=base64
+# Upload image file size limit, default 10M.
+UPLOAD_IMAGE_FILE_SIZE_LIMIT=10
+# Upload video file size limit, default 100M.
+UPLOAD_VIDEO_FILE_SIZE_LIMIT=100
+# Upload audio file size limit, default 50M.
+UPLOAD_AUDIO_FILE_SIZE_LIMIT=50
+
+# ------------------------------
+# Sentry Configuration
+# Used for application monitoring and error log tracking.
+# ------------------------------
+SENTRY_DSN=
+
+# API Service Sentry DSN address, default is empty, when empty,
+# all monitoring information is not reported to Sentry.
+# If not set, Sentry error reporting will be disabled.
+API_SENTRY_DSN=
+# API Service The reporting ratio of Sentry events, if it is 0.01, it is 1%.
+API_SENTRY_TRACES_SAMPLE_RATE=1.0
+# API Service The reporting ratio of Sentry profiles, if it is 0.01, it is 1%.
+API_SENTRY_PROFILES_SAMPLE_RATE=1.0
+
+# Web Service Sentry DSN address, default is empty, when empty,
+# all monitoring information is not reported to Sentry.
+# If not set, Sentry error reporting will be disabled.
+WEB_SENTRY_DSN=
+
+# ------------------------------
+# Notion Integration Configuration
+# Variables can be obtained by applying for Notion integration: https://www.notion.so/my-integrations
+# ------------------------------
+
+# Configure as "public" or "internal".
+# Since Notion's OAuth redirect URL only supports HTTPS,
+# if deploying locally, please use Notion's internal integration.
+NOTION_INTEGRATION_TYPE=public
+# Notion OAuth client secret (used for public integration type)
+NOTION_CLIENT_SECRET=
+# Notion OAuth client id (used for public integration type)
+NOTION_CLIENT_ID=
+# Notion internal integration secret.
+# If the value of NOTION_INTEGRATION_TYPE is "internal",
+# you need to configure this variable.
+NOTION_INTERNAL_SECRET=
+
+# ------------------------------
+# Mail related configuration
+# ------------------------------
+
+# Mail type, support: resend, smtp
+MAIL_TYPE=resend
+
+# Default send from email address, if not specified
+MAIL_DEFAULT_SEND_FROM=
+
+# API-Key for the Resend email provider, used when MAIL_TYPE is `resend`.
+RESEND_API_URL=https://api.resend.com
+RESEND_API_KEY=your-resend-api-key
+
+
+# SMTP server configuration, used when MAIL_TYPE is `smtp`
+SMTP_SERVER=
+SMTP_PORT=465
+SMTP_USERNAME=
+SMTP_PASSWORD=
+SMTP_USE_TLS=true
+SMTP_OPPORTUNISTIC_TLS=false
+
+# ------------------------------
+# Others Configuration
+# ------------------------------
+
+# Maximum length of segmentation tokens for indexing
+INDEXING_MAX_SEGMENTATION_TOKENS_LENGTH=4000
+
+# Member invitation link valid time (hours),
+# Default: 72.
+INVITE_EXPIRY_HOURS=72
+
+# Reset password token valid time (minutes),
+RESET_PASSWORD_TOKEN_EXPIRY_MINUTES=5
+
+# The sandbox service endpoint.
+CODE_EXECUTION_ENDPOINT=http://sandbox:8194
+CODE_EXECUTION_API_KEY=dify-sandbox
+CODE_MAX_NUMBER=9223372036854775807
+CODE_MIN_NUMBER=-9223372036854775808
+CODE_MAX_DEPTH=5
+CODE_MAX_PRECISION=20
+CODE_MAX_STRING_LENGTH=80000
+CODE_MAX_STRING_ARRAY_LENGTH=30
+CODE_MAX_OBJECT_ARRAY_LENGTH=30
+CODE_MAX_NUMBER_ARRAY_LENGTH=1000
+CODE_EXECUTION_CONNECT_TIMEOUT=10
+CODE_EXECUTION_READ_TIMEOUT=60
+CODE_EXECUTION_WRITE_TIMEOUT=10
+TEMPLATE_TRANSFORM_MAX_LENGTH=80000
+
+# Workflow runtime configuration
+WORKFLOW_MAX_EXECUTION_STEPS=500
+WORKFLOW_MAX_EXECUTION_TIME=1200
+WORKFLOW_CALL_MAX_DEPTH=5
+MAX_VARIABLE_SIZE=204800
+WORKFLOW_PARALLEL_DEPTH_LIMIT=3
+WORKFLOW_FILE_UPLOAD_LIMIT=10
+
+# HTTP request node in workflow configuration
+HTTP_REQUEST_NODE_MAX_BINARY_SIZE=10485760
+HTTP_REQUEST_NODE_MAX_TEXT_SIZE=1048576
+
+# SSRF Proxy server HTTP URL
+SSRF_PROXY_HTTP_URL=http://ssrf_proxy:3128
+# SSRF Proxy server HTTPS URL
+SSRF_PROXY_HTTPS_URL=http://ssrf_proxy:3128
+
+# ------------------------------
+# Environment Variables for web Service
+# ------------------------------
+
+# The timeout for the text generation in millisecond
+TEXT_GENERATION_TIMEOUT_MS=60000
+
+# ------------------------------
+# Environment Variables for db Service
+# ------------------------------
+
+PGUSER=${DB_USERNAME}
+# The password for the default postgres user.
+POSTGRES_PASSWORD=${DB_PASSWORD}
+# The name of the default postgres database.
+POSTGRES_DB=${DB_DATABASE}
+# postgres data directory
+PGDATA=/var/lib/postgresql/data/pgdata
+
+# ------------------------------
+# Environment Variables for sandbox Service
+# ------------------------------
+
+# The API key for the sandbox service
+SANDBOX_API_KEY=dify-sandbox
+# The mode in which the Gin framework runs
+SANDBOX_GIN_MODE=release
+# The timeout for the worker in seconds
+SANDBOX_WORKER_TIMEOUT=15
+# Enable network for the sandbox service
+SANDBOX_ENABLE_NETWORK=true
+# HTTP proxy URL for SSRF protection
+SANDBOX_HTTP_PROXY=http://ssrf_proxy:3128
+# HTTPS proxy URL for SSRF protection
+SANDBOX_HTTPS_PROXY=http://ssrf_proxy:3128
+# The port on which the sandbox service runs
+SANDBOX_PORT=8194
+
+# ------------------------------
+# Environment Variables for weaviate Service
+# (only used when VECTOR_STORE is weaviate)
+# ------------------------------
+WEAVIATE_PERSISTENCE_DATA_PATH=/var/lib/weaviate
+WEAVIATE_QUERY_DEFAULTS_LIMIT=25
+WEAVIATE_AUTHENTICATION_ANONYMOUS_ACCESS_ENABLED=true
+WEAVIATE_DEFAULT_VECTORIZER_MODULE=none
+WEAVIATE_CLUSTER_HOSTNAME=node1
+WEAVIATE_AUTHENTICATION_APIKEY_ENABLED=true
+WEAVIATE_AUTHENTICATION_APIKEY_ALLOWED_KEYS=WVF5YThaHlkYwhGUSmCRgsX3tD5ngdN8pkih
+WEAVIATE_AUTHENTICATION_APIKEY_USERS=hello@dify.ai
+WEAVIATE_AUTHORIZATION_ADMINLIST_ENABLED=true
+WEAVIATE_AUTHORIZATION_ADMINLIST_USERS=hello@dify.ai
+
+# ------------------------------
+# Environment Variables for Chroma
+# (only used when VECTOR_STORE is chroma)
+# ------------------------------
+
+# Authentication credentials for Chroma server
+CHROMA_SERVER_AUTHN_CREDENTIALS=difyai123456
+# Authentication provider for Chroma server
+CHROMA_SERVER_AUTHN_PROVIDER=chromadb.auth.token_authn.TokenAuthenticationServerProvider
+# Persistence setting for Chroma server
+CHROMA_IS_PERSISTENT=TRUE
+
+# ------------------------------
+# Environment Variables for Oracle Service
+# (only used when VECTOR_STORE is Oracle)
+# ------------------------------
+ORACLE_PWD=Dify123456
+ORACLE_CHARACTERSET=AL32UTF8
+
+# ------------------------------
+# Environment Variables for milvus Service
+# (only used when VECTOR_STORE is milvus)
+# ------------------------------
+# ETCD configuration for auto compaction mode
+ETCD_AUTO_COMPACTION_MODE=revision
+# ETCD configuration for auto compaction retention in terms of number of revisions
+ETCD_AUTO_COMPACTION_RETENTION=1000
+# ETCD configuration for backend quota in bytes
+ETCD_QUOTA_BACKEND_BYTES=4294967296
+# ETCD configuration for the number of changes before triggering a snapshot
+ETCD_SNAPSHOT_COUNT=50000
+# MinIO access key for authentication
+MINIO_ACCESS_KEY=minioadmin
+# MinIO secret key for authentication
+MINIO_SECRET_KEY=minioadmin
+# ETCD service endpoints
+ETCD_ENDPOINTS=etcd:2379
+# MinIO service address
+MINIO_ADDRESS=minio:9000
+# Enable or disable security authorization
+MILVUS_AUTHORIZATION_ENABLED=true
+
+# ------------------------------
+# Environment Variables for pgvector / pgvector-rs Service
+# (only used when VECTOR_STORE is pgvector / pgvector-rs)
+# ------------------------------
+PGVECTOR_PGUSER=postgres
+# The password for the default postgres user.
+PGVECTOR_POSTGRES_PASSWORD=difyai123456
+# The name of the default postgres database.
+PGVECTOR_POSTGRES_DB=dify
+# postgres data directory
+PGVECTOR_PGDATA=/var/lib/postgresql/data/pgdata
+
+# ------------------------------
+# Environment Variables for opensearch
+# (only used when VECTOR_STORE is opensearch)
+# ------------------------------
+OPENSEARCH_DISCOVERY_TYPE=single-node
+OPENSEARCH_BOOTSTRAP_MEMORY_LOCK=true
+OPENSEARCH_JAVA_OPTS_MIN=512m
+OPENSEARCH_JAVA_OPTS_MAX=1024m
+OPENSEARCH_INITIAL_ADMIN_PASSWORD=Qazwsxedc!@#123
+OPENSEARCH_MEMLOCK_SOFT=-1
+OPENSEARCH_MEMLOCK_HARD=-1
+OPENSEARCH_NOFILE_SOFT=65536
+OPENSEARCH_NOFILE_HARD=65536
+
+# ------------------------------
+# Environment Variables for Nginx reverse proxy
+# ------------------------------
+NGINX_SERVER_NAME=_
+NGINX_HTTPS_ENABLED=false
+# HTTP port
+NGINX_PORT=80
+# SSL settings are only applied when HTTPS_ENABLED is true
+NGINX_SSL_PORT=443
+# if HTTPS_ENABLED is true, you're required to add your own SSL certificates/keys to the `./nginx/ssl` directory
+# and modify the env vars below accordingly.
+NGINX_SSL_CERT_FILENAME=dify.crt
+NGINX_SSL_CERT_KEY_FILENAME=dify.key
+NGINX_SSL_PROTOCOLS=TLSv1.1 TLSv1.2 TLSv1.3
+
+# Nginx performance tuning
+NGINX_WORKER_PROCESSES=auto
+NGINX_CLIENT_MAX_BODY_SIZE=15M
+NGINX_KEEPALIVE_TIMEOUT=65
+
+# Proxy settings
+NGINX_PROXY_READ_TIMEOUT=3600s
+NGINX_PROXY_SEND_TIMEOUT=3600s
+
+# Set true to accept requests for /.well-known/acme-challenge/
+NGINX_ENABLE_CERTBOT_CHALLENGE=false
+
+# ------------------------------
+# Certbot Configuration
+# ------------------------------
+
+# Email address (required to get certificates from Let's Encrypt)
+CERTBOT_EMAIL=your_email@example.com
+
+# Domain name
+CERTBOT_DOMAIN=your_domain.com
+
+# certbot command options
+# i.e: --force-renewal --dry-run --test-cert --debug
+CERTBOT_OPTIONS=
+
+# ------------------------------
+# Environment Variables for SSRF Proxy
+# ------------------------------
+SSRF_HTTP_PORT=3128
+SSRF_COREDUMP_DIR=/var/spool/squid
+SSRF_REVERSE_PROXY_PORT=8194
+SSRF_SANDBOX_HOST=sandbox
+
+# ------------------------------
+# docker env var for specifying vector db type at startup
+# (based on the vector db type, the corresponding docker
+# compose profile will be used)
+# if you want to use unstructured, add ',unstructured' to the end
+# ------------------------------
+COMPOSE_PROFILES=${VECTOR_STORE:-weaviate}
+
+# ------------------------------
+# Docker Compose Service Expose Host Port Configurations
+# ------------------------------
+EXPOSE_NGINX_PORT=80
+EXPOSE_NGINX_SSL_PORT=443
+
+# ----------------------------------------------------------------------------
+# ModelProvider & Tool Position Configuration
+# Used to specify the model providers and tools that can be used in the app.
+# ----------------------------------------------------------------------------
+
+# Pin, include, and exclude tools
+# Use comma-separated values with no spaces between items.
+# Example: POSITION_TOOL_PINS=bing,google
+POSITION_TOOL_PINS=
+POSITION_TOOL_INCLUDES=
+POSITION_TOOL_EXCLUDES=
+
+# Pin, include, and exclude model providers
+# Use comma-separated values with no spaces between items.
+# Example: POSITION_PROVIDER_PINS=openai,openllm
+POSITION_PROVIDER_PINS=
+POSITION_PROVIDER_INCLUDES=
+POSITION_PROVIDER_EXCLUDES=
+
+# CSP https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
+CSP_WHITELIST=
+
+# Enable or disable create tidb service job
+CREATE_TIDB_SERVICE_JOB_ENABLED=false
+
+# Maximum number of submitted thread count in a ThreadPool for parallel node execution
+MAX_SUBMIT_COUNT=100
+
+# The maximum number of top-k value for RAG.
+TOP_K_MAX_VALUE=10
diff --git a/spellbook/dify/README.md b/spellbook/dify/README.md
new file mode 100644
index 00000000..b947969f
--- /dev/null
+++ b/spellbook/dify/README.md
@@ -0,0 +1,118 @@
+
+
+
+# AWS CloudFront Infrastructure Module
+
+このリポジトリは、AWSのCloudFrontディストリビューションを設定するための再利用可能なTerraformモジュールを提供します。
+
+## 🌟 主な機能
+
+- ✅ CloudFrontディストリビューションの作成(カスタムドメイン対応)
+- 🛡️ WAFv2によるIPホワイトリスト制御
+- 🌐 Route53でのDNSレコード自動設定
+- 🔒 ACM証明書の自動作成と検証
+
+## 📁 ディレクトリ構造
+
+```
+cloudfront-infrastructure/
+├── modules/
+│ └── cloudfront/ # メインモジュール
+│ ├── main.tf # リソース定義
+│ ├── variables.tf # 変数定義
+│ ├── outputs.tf # 出力定義
+│ └── README.md # モジュールのドキュメント
+└── examples/
+ └── complete/ # 完全な使用例
+ ├── main.tf
+ ├── variables.tf
+ ├── outputs.tf
+ ├── terraform.tfvars.example
+ └── whitelist-waf.csv.example
+```
+
+## 🚀 クイックスタート
+
+1. モジュールの使用例をコピーします:
+```bash
+cp -r examples/complete your-project/
+cd your-project
+```
+
+2. 設定ファイルを作成します:
+```bash
+cp terraform.tfvars.example terraform.tfvars
+cp whitelist-waf.csv.example whitelist-waf.csv
+```
+
+3. terraform.tfvarsを編集して必要な設定を行います:
+```hcl
+# AWSリージョン設定
+aws_region = "ap-northeast-1"
+
+# プロジェクト名
+project_name = "your-project-name"
+
+# オリジンサーバー設定(EC2インスタンス)
+origin_domain = "your-ec2-domain.compute.amazonaws.com"
+
+# ドメイン設定
+domain = "your-domain.com"
+subdomain = "your-subdomain"
+```
+
+4. whitelist-waf.csvを編集してIPホワイトリストを設定します:
+```csv
+ip,description
+192.168.1.1/32,Office Network
+10.0.0.1/32,Home Network
+```
+
+5. Terraformを実行します:
+```bash
+terraform init
+terraform plan
+terraform apply
+```
+
+## 📚 より詳細な使用方法
+
+より詳細な使用方法については、[modules/cloudfront/README.md](modules/cloudfront/README.md)を参照してください。
+
+## 🔧 カスタマイズ
+
+このモジュールは以下の要素をカスタマイズできます:
+
+1. CloudFront設定
+ - キャッシュ動作
+ - オリジンの設定
+ - SSL/TLS設定
+
+2. WAF設定
+ - IPホワイトリストの管理
+ - セキュリティルールのカスタマイズ
+
+3. DNS設定
+ - カスタムドメインの設定
+ - Route53との連携
+
+## 📝 注意事項
+
+- CloudFrontのデプロイには時間がかかる場合があります(15-30分程度)
+- DNSの伝播には最大72時間かかる可能性があります
+- SSL証明書の検証には数分から数十分かかることがあります
+- WAFのIPホワイトリストは定期的なメンテナンスが必要です
+
+## 🔍 トラブルシューティング
+
+詳細なトラブルシューティングガイドについては、[modules/cloudfront/README.md](modules/cloudfront/README.md#トラブルシューティング)を参照してください。
diff --git a/spellbook/dify/terraform/cloudfront-infrastructure/main.tf b/spellbook/dify/terraform/cloudfront-infrastructure/main.tf
new file mode 100644
index 00000000..b11c9a84
--- /dev/null
+++ b/spellbook/dify/terraform/cloudfront-infrastructure/main.tf
@@ -0,0 +1,41 @@
+terraform {
+ required_version = ">= 0.12"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4.0"
+ }
+ }
+
+ backend "local" {
+ path = "terraform.tfstate"
+ }
+}
+
+# デフォルトプロバイダー設定
+provider "aws" {
+ region = var.aws_region
+}
+
+# バージニアリージョン用のプロバイダー設定(CloudFront用)
+provider "aws" {
+ alias = "virginia"
+ region = "us-east-1"
+}
+
+# CloudFrontモジュールの呼び出し
+module "cloudfront" {
+ source = "../../../open-webui/terraform/cloudfront-infrastructure/modules"
+
+ project_name = var.project_name
+ aws_region = var.aws_region
+ origin_domain = var.origin_domain
+ domain = var.domain
+ subdomain = var.subdomain
+
+ providers = {
+ aws = aws
+ aws.virginia = aws.virginia
+ }
+}
diff --git a/spellbook/dify/terraform/cloudfront-infrastructure/outputs.tf b/spellbook/dify/terraform/cloudfront-infrastructure/outputs.tf
new file mode 100644
index 00000000..c3687573
--- /dev/null
+++ b/spellbook/dify/terraform/cloudfront-infrastructure/outputs.tf
@@ -0,0 +1,39 @@
+output "cloudfront_domain_name" {
+ description = "Domain name of the CloudFront distribution (*.cloudfront.net)"
+ value = module.cloudfront.cloudfront_domain_name
+}
+
+output "cloudfront_distribution_id" {
+ description = "ID of the CloudFront distribution"
+ value = module.cloudfront.cloudfront_distribution_id
+}
+
+output "cloudfront_arn" {
+ description = "ARN of the CloudFront distribution"
+ value = module.cloudfront.cloudfront_arn
+}
+
+output "cloudfront_url" {
+ description = "CloudFrontのURL"
+ value = module.cloudfront.cloudfront_url
+}
+
+output "subdomain_url" {
+ description = "サブドメインのURL"
+ value = module.cloudfront.subdomain_url
+}
+
+output "waf_web_acl_id" {
+ description = "ID of the WAF Web ACL"
+ value = module.cloudfront.waf_web_acl_id
+}
+
+output "waf_web_acl_arn" {
+ description = "ARN of the WAF Web ACL"
+ value = module.cloudfront.waf_web_acl_arn
+}
+
+output "certificate_arn" {
+ description = "ARN of the ACM certificate"
+ value = module.cloudfront.certificate_arn
+}
diff --git a/spellbook/dify/terraform/cloudfront-infrastructure/terraform.tfvars.example b/spellbook/dify/terraform/cloudfront-infrastructure/terraform.tfvars.example
new file mode 100644
index 00000000..45301723
--- /dev/null
+++ b/spellbook/dify/terraform/cloudfront-infrastructure/terraform.tfvars.example
@@ -0,0 +1,12 @@
+# AWSの設定
+aws_region = "ap-northeast-1"
+
+# プロジェクト名
+project_name = "example-project"
+
+# オリジンサーバー設定(EC2インスタンス)
+origin_domain = "ec2-xxx-xxx-xxx-xxx.compute.amazonaws.com"
+
+# ドメイン設定
+domain = "example.com"
+subdomain = "app" # 生成されるURL: app.example.com
diff --git a/spellbook/dify/terraform/cloudfront-infrastructure/variables.tf b/spellbook/dify/terraform/cloudfront-infrastructure/variables.tf
new file mode 100644
index 00000000..01576938
--- /dev/null
+++ b/spellbook/dify/terraform/cloudfront-infrastructure/variables.tf
@@ -0,0 +1,25 @@
+variable "project_name" {
+ description = "Name of the project"
+ type = string
+}
+
+variable "aws_region" {
+ description = "AWS region for the resources"
+ type = string
+ default = "ap-northeast-1"
+}
+
+variable "origin_domain" {
+ description = "Domain name of the origin (EC2 instance)"
+ type = string
+}
+
+variable "domain" {
+ description = "メインドメイン名"
+ type = string
+}
+
+variable "subdomain" {
+ description = "サブドメイン名"
+ type = string
+}
diff --git a/spellbook/dify/terraform/main-infrastructure/common_variables.tf b/spellbook/dify/terraform/main-infrastructure/common_variables.tf
new file mode 100644
index 00000000..31c9412c
--- /dev/null
+++ b/spellbook/dify/terraform/main-infrastructure/common_variables.tf
@@ -0,0 +1,119 @@
+# Common variable definitions
+
+# プロジェクト名(全リソースの接頭辞として使用)
+variable "project_name" {
+ description = "Name of the project (used as a prefix for all resources)"
+ type = string
+}
+
+# AWSリージョン
+variable "aws_region" {
+ description = "AWS region where resources will be created"
+ type = string
+ default = "ap-northeast-1"
+}
+
+# 既存のVPC ID
+variable "vpc_id" {
+ description = "ID of the existing VPC"
+ type = string
+}
+
+# VPCのCIDRブロック
+variable "vpc_cidr" {
+ description = "CIDR block for the VPC"
+ type = string
+}
+
+# 第1パブリックサブネットのID
+variable "public_subnet_id" {
+ description = "ID of the first public subnet"
+ type = string
+}
+
+# 第2パブリックサブネットのID
+variable "public_subnet_2_id" {
+ description = "ID of the second public subnet"
+ type = string
+}
+
+# セキュリティグループID
+variable "security_group_ids" {
+ description = "List of security group IDs to attach to the instance"
+ type = list(string)
+}
+
+# ベースドメイン名
+variable "domain" {
+ description = "Base domain name for the application"
+ type = string
+ default = "sunwood-ai-labs.click"
+}
+
+# サブドメインプレフィックス
+variable "subdomain" {
+ description = "Subdomain prefix for the application"
+ type = string
+ default = "amaterasu-open-web-ui-dev"
+}
+
+# プライベートホストゾーンのドメイン名
+variable "domain_internal" {
+ description = "Domain name for private hosted zone"
+ type = string
+}
+
+# Route53のゾーンID
+variable "route53_internal_zone_id" {
+ description = "Zone ID for Route53 private hosted zone"
+ type = string
+}
+
+# EC2インスタンス関連の変数
+# EC2インスタンスのAMI ID
+variable "ami_id" {
+ description = "AMI ID for the EC2 instance (defaults to Ubuntu 22.04 LTS)"
+ type = string
+ default = "ami-0d52744d6551d851e" # Ubuntu 22.04 LTS in ap-northeast-1
+}
+
+# EC2インスタンスタイプ
+variable "instance_type" {
+ description = "Instance type for the EC2 instance"
+ type = string
+ default = "t3.medium"
+}
+
+# SSHキーペア名
+variable "key_name" {
+ description = "Name of the SSH key pair for EC2 instance"
+ type = string
+}
+
+# 環境変数ファイルのパス
+variable "env_file_path" {
+ description = "Absolute path to the .env file"
+ type = string
+}
+
+# セットアップスクリプトのパス
+variable "setup_script_path" {
+ description = "Absolute path to the setup_script.sh file"
+ type = string
+}
+
+# 共通のローカル変数
+locals {
+ # リソース命名用の共通プレフィックス
+ name_prefix = "${var.project_name}-"
+
+ # 完全修飾ドメイン名
+ fqdn = "${var.subdomain}.${var.domain}"
+
+ # 共通タグ
+ common_tags = {
+ Project = var.project_name
+ Environment = terraform.workspace
+ ManagedBy = "terraform"
+ }
+}
diff --git a/spellbook/dify/terraform/main-infrastructure/main.tf b/spellbook/dify/terraform/main-infrastructure/main.tf
new file mode 100644
index 00000000..07d3f6be
--- /dev/null
+++ b/spellbook/dify/terraform/main-infrastructure/main.tf
@@ -0,0 +1,72 @@
+terraform {
+ required_version = ">= 0.12"
+}
+
+# デフォルトプロバイダー設定
+provider "aws" {
+ region = var.aws_region
+}
+
+# CloudFront用のACM証明書のためのus-east-1プロバイダー
+provider "aws" {
+ alias = "us_east_1"
+ region = "us-east-1"
+}
+
+# IAM module
+module "iam" {
+ source = "../../../open-webui/terraform/main-infrastructure/modules/iam"
+
+ project_name = var.project_name
+}
+
+# Compute module
+module "compute" {
+ source = "../../../open-webui/terraform/main-infrastructure/modules/compute"
+
+ project_name = var.project_name
+ vpc_id = var.vpc_id
+ vpc_cidr = var.vpc_cidr
+ public_subnet_id = var.public_subnet_id
+ ami_id = var.ami_id
+ instance_type = var.instance_type
+ key_name = var.key_name
+ iam_instance_profile = module.iam.ec2_instance_profile_name
+ security_group_ids = var.security_group_ids
+ env_file_path = var.env_file_path
+ setup_script_path = var.setup_script_path
+
+ depends_on = [
+ module.iam
+ ]
+}
+
+# Networking module
+module "networking" {
+ source = "../../../open-webui/terraform/main-infrastructure/modules/networking"
+
+ project_name = var.project_name
+ aws_region = var.aws_region
+ vpc_id = var.vpc_id
+ vpc_cidr = var.vpc_cidr
+ public_subnet_id = var.public_subnet_id
+ public_subnet_2_id = var.public_subnet_2_id
+ security_group_ids = var.security_group_ids
+ domain = var.domain
+ subdomain = var.subdomain
+ domain_internal = var.domain_internal
+ route53_zone_id = var.route53_internal_zone_id
+ instance_id = module.compute.instance_id
+ instance_private_ip = module.compute.instance_private_ip
+ instance_private_dns = module.compute.instance_private_dns
+ instance_public_ip = module.compute.instance_public_ip
+
+ providers = {
+ aws = aws
+ aws.us_east_1 = aws.us_east_1
+ }
+
+ depends_on = [
+ module.compute
+ ]
+}
diff --git a/spellbook/dify/terraform/main-infrastructure/outputs.tf b/spellbook/dify/terraform/main-infrastructure/outputs.tf
new file mode 100644
index 00000000..75acfd5c
--- /dev/null
+++ b/spellbook/dify/terraform/main-infrastructure/outputs.tf
@@ -0,0 +1,34 @@
+output "instance_id" {
+ description = "ID of the EC2 instance"
+ value = module.compute.instance_id
+}
+
+output "instance_public_ip" {
+ description = "Public IP address of the EC2 instance"
+ value = module.compute.instance_public_ip
+}
+
+output "instance_private_ip" {
+ description = "Private IP address of the EC2 instance"
+ value = module.compute.instance_private_ip
+}
+
+output "instance_public_dns" {
+ description = "Public DNS name of the EC2 instance"
+ value = module.compute.instance_public_dns
+}
+
+output "vpc_id" {
+ description = "ID of the VPC"
+ value = module.networking.vpc_id
+}
+
+output "public_subnet_id" {
+ description = "ID of the public subnet"
+ value = module.networking.public_subnet_id
+}
+
+output "security_group_id" {
+ description = "ID of the security group"
+ value = module.networking.ec2_security_group_id
+}
diff --git a/spellbook/dify/terraform/main-infrastructure/scripts/setup_script.sh b/spellbook/dify/terraform/main-infrastructure/scripts/setup_script.sh
new file mode 100644
index 00000000..6e94ea0d
--- /dev/null
+++ b/spellbook/dify/terraform/main-infrastructure/scripts/setup_script.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+# ベースのセットアップスクリプトをダウンロードして実行
+curl -fsSL https://raw.githubusercontent.com/Sunwood-ai-labs/AMATERASU/refs/heads/main/scripts/docker-compose_setup_script.sh -o /tmp/base_setup.sh
+chmod +x /tmp/base_setup.sh
+/tmp/base_setup.sh
+
+# AMATERASUリポジトリのクローン
+git clone https://github.com/Sunwood-ai-labs/AMATERASU.git /home/ubuntu/AMATERASU
+
+# Terraformから提供される環境変数ファイルの作成
+# 注: .envファイルの内容はTerraformから提供される
+echo "${env_content}" > /home/ubuntu/AMATERASU/spellbook/litellm/.env
+
+# ファイルの権限設定
+chmod 777 -R /home/ubuntu/AMATERASU
+
+# AMATERASUディレクトリに移動
+cd /home/ubuntu/AMATERASU/spellbook/litellm
+
+# 指定されたdocker-composeファイルでコンテナを起動
+sudo docker-compose up -d
+
+echo "AMATERASUのセットアップが完了し、docker-composeを起動しました!"
+
+# 一時ファイルの削除
+rm /tmp/base_setup.sh
diff --git a/spellbook/dify/volumes/myscale/config/users.d/custom_users_config.xml b/spellbook/dify/volumes/myscale/config/users.d/custom_users_config.xml
new file mode 100644
index 00000000..67f24b69
--- /dev/null
+++ b/spellbook/dify/volumes/myscale/config/users.d/custom_users_config.xml
@@ -0,0 +1,17 @@
+
+
+
+
+
+ ::1
+ 127.0.0.1
+ 10.0.0.0/8
+ 172.16.0.0/12
+ 192.168.0.0/16
+
+ default
+ default
+ 1
+
+
+
\ No newline at end of file
diff --git a/spellbook/dify/volumes/oceanbase/init.d/vec_memory.sql b/spellbook/dify/volumes/oceanbase/init.d/vec_memory.sql
new file mode 100644
index 00000000..f4c283fd
--- /dev/null
+++ b/spellbook/dify/volumes/oceanbase/init.d/vec_memory.sql
@@ -0,0 +1 @@
+ALTER SYSTEM SET ob_vector_memory_limit_percentage = 30;
\ No newline at end of file
diff --git a/spellbook/dify/volumes/opensearch/opensearch_dashboards.yml b/spellbook/dify/volumes/opensearch/opensearch_dashboards.yml
new file mode 100644
index 00000000..f50d63bb
--- /dev/null
+++ b/spellbook/dify/volumes/opensearch/opensearch_dashboards.yml
@@ -0,0 +1,222 @@
+---
+# Copyright OpenSearch Contributors
+# SPDX-License-Identifier: Apache-2.0
+
+# Description:
+# Default configuration for OpenSearch Dashboards
+
+# OpenSearch Dashboards is served by a back end server. This setting specifies the port to use.
+# server.port: 5601
+
+# Specifies the address to which the OpenSearch Dashboards server will bind. IP addresses and host names are both valid values.
+# The default is 'localhost', which usually means remote machines will not be able to connect.
+# To allow connections from remote users, set this parameter to a non-loopback address.
+# server.host: "localhost"
+
+# Enables you to specify a path to mount OpenSearch Dashboards at if you are running behind a proxy.
+# Use the `server.rewriteBasePath` setting to tell OpenSearch Dashboards if it should remove the basePath
+# from requests it receives, and to prevent a deprecation warning at startup.
+# This setting cannot end in a slash.
+# server.basePath: ""
+
+# Specifies whether OpenSearch Dashboards should rewrite requests that are prefixed with
+# `server.basePath` or require that they are rewritten by your reverse proxy.
+# server.rewriteBasePath: false
+
+# The maximum payload size in bytes for incoming server requests.
+# server.maxPayloadBytes: 1048576
+
+# The OpenSearch Dashboards server's name. This is used for display purposes.
+# server.name: "your-hostname"
+
+# The URLs of the OpenSearch instances to use for all your queries.
+# opensearch.hosts: ["http://localhost:9200"]
+
+# OpenSearch Dashboards uses an index in OpenSearch to store saved searches, visualizations and
+# dashboards. OpenSearch Dashboards creates a new index if the index doesn't already exist.
+# opensearchDashboards.index: ".opensearch_dashboards"
+
+# The default application to load.
+# opensearchDashboards.defaultAppId: "home"
+
+# Setting for an optimized healthcheck that only uses the local OpenSearch node to do Dashboards healthcheck.
+# This settings should be used for large clusters or for clusters with ingest heavy nodes.
+# It allows Dashboards to only healthcheck using the local OpenSearch node rather than fan out requests across all nodes.
+#
+# It requires the user to create an OpenSearch node attribute with the same name as the value used in the setting
+# This node attribute should assign all nodes of the same cluster an integer value that increments with each new cluster that is spun up
+# e.g. in opensearch.yml file you would set the value to a setting using node.attr.cluster_id:
+# Should only be enabled if there is a corresponding node attribute created in your OpenSearch config that matches the value here
+# opensearch.optimizedHealthcheckId: "cluster_id"
+
+# If your OpenSearch is protected with basic authentication, these settings provide
+# the username and password that the OpenSearch Dashboards server uses to perform maintenance on the OpenSearch Dashboards
+# index at startup. Your OpenSearch Dashboards users still need to authenticate with OpenSearch, which
+# is proxied through the OpenSearch Dashboards server.
+# opensearch.username: "opensearch_dashboards_system"
+# opensearch.password: "pass"
+
+# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
+# These settings enable SSL for outgoing requests from the OpenSearch Dashboards server to the browser.
+# server.ssl.enabled: false
+# server.ssl.certificate: /path/to/your/server.crt
+# server.ssl.key: /path/to/your/server.key
+
+# Optional settings that provide the paths to the PEM-format SSL certificate and key files.
+# These files are used to verify the identity of OpenSearch Dashboards to OpenSearch and are required when
+# xpack.security.http.ssl.client_authentication in OpenSearch is set to required.
+# opensearch.ssl.certificate: /path/to/your/client.crt
+# opensearch.ssl.key: /path/to/your/client.key
+
+# Optional setting that enables you to specify a path to the PEM file for the certificate
+# authority for your OpenSearch instance.
+# opensearch.ssl.certificateAuthorities: [ "/path/to/your/CA.pem" ]
+
+# To disregard the validity of SSL certificates, change this setting's value to 'none'.
+# opensearch.ssl.verificationMode: full
+
+# Time in milliseconds to wait for OpenSearch to respond to pings. Defaults to the value of
+# the opensearch.requestTimeout setting.
+# opensearch.pingTimeout: 1500
+
+# Time in milliseconds to wait for responses from the back end or OpenSearch. This value
+# must be a positive integer.
+# opensearch.requestTimeout: 30000
+
+# List of OpenSearch Dashboards client-side headers to send to OpenSearch. To send *no* client-side
+# headers, set this value to [] (an empty list).
+# opensearch.requestHeadersWhitelist: [ authorization ]
+
+# Header names and values that are sent to OpenSearch. Any custom headers cannot be overwritten
+# by client-side headers, regardless of the opensearch.requestHeadersWhitelist configuration.
+# opensearch.customHeaders: {}
+
+# Time in milliseconds for OpenSearch to wait for responses from shards. Set to 0 to disable.
+# opensearch.shardTimeout: 30000
+
+# Logs queries sent to OpenSearch. Requires logging.verbose set to true.
+# opensearch.logQueries: false
+
+# Specifies the path where OpenSearch Dashboards creates the process ID file.
+# pid.file: /var/run/opensearchDashboards.pid
+
+# Enables you to specify a file where OpenSearch Dashboards stores log output.
+# logging.dest: stdout
+
+# Set the value of this setting to true to suppress all logging output.
+# logging.silent: false
+
+# Set the value of this setting to true to suppress all logging output other than error messages.
+# logging.quiet: false
+
+# Set the value of this setting to true to log all events, including system usage information
+# and all requests.
+# logging.verbose: false
+
+# Set the interval in milliseconds to sample system and process performance
+# metrics. Minimum is 100ms. Defaults to 5000.
+# ops.interval: 5000
+
+# Specifies locale to be used for all localizable strings, dates and number formats.
+# Supported languages are the following: English - en , by default , Chinese - zh-CN .
+# i18n.locale: "en"
+
+# Set the allowlist to check input graphite Url. Allowlist is the default check list.
+# vis_type_timeline.graphiteAllowedUrls: ['https://www.hostedgraphite.com/UID/ACCESS_KEY/graphite']
+
+# Set the blocklist to check input graphite Url. Blocklist is an IP list.
+# Below is an example for reference
+# vis_type_timeline.graphiteBlockedIPs: [
+# //Loopback
+# '127.0.0.0/8',
+# '::1/128',
+# //Link-local Address for IPv6
+# 'fe80::/10',
+# //Private IP address for IPv4
+# '10.0.0.0/8',
+# '172.16.0.0/12',
+# '192.168.0.0/16',
+# //Unique local address (ULA)
+# 'fc00::/7',
+# //Reserved IP address
+# '0.0.0.0/8',
+# '100.64.0.0/10',
+# '192.0.0.0/24',
+# '192.0.2.0/24',
+# '198.18.0.0/15',
+# '192.88.99.0/24',
+# '198.51.100.0/24',
+# '203.0.113.0/24',
+# '224.0.0.0/4',
+# '240.0.0.0/4',
+# '255.255.255.255/32',
+# '::/128',
+# '2001:db8::/32',
+# 'ff00::/8',
+# ]
+# vis_type_timeline.graphiteBlockedIPs: []
+
+# opensearchDashboards.branding:
+# logo:
+# defaultUrl: ""
+# darkModeUrl: ""
+# mark:
+# defaultUrl: ""
+# darkModeUrl: ""
+# loadingLogo:
+# defaultUrl: ""
+# darkModeUrl: ""
+# faviconUrl: ""
+# applicationTitle: ""
+
+# Set the value of this setting to true to capture region blocked warnings and errors
+# for your map rendering services.
+# map.showRegionBlockedWarning: false%
+
+# Set the value of this setting to false to suppress search usage telemetry
+# for reducing the load of OpenSearch cluster.
+# data.search.usageTelemetry.enabled: false
+
+# 2.4 renames 'wizard.enabled: false' to 'vis_builder.enabled: false'
+# Set the value of this setting to false to disable VisBuilder
+# functionality in Visualization.
+# vis_builder.enabled: false
+
+# 2.4 New Experimental Feature
+# Set the value of this setting to true to enable the experimental multiple data source
+# support feature. Use with caution.
+# data_source.enabled: false
+# Set the value of these settings to customize crypto materials to encryption saved credentials
+# in data sources.
+# data_source.encryption.wrappingKeyName: 'changeme'
+# data_source.encryption.wrappingKeyNamespace: 'changeme'
+# data_source.encryption.wrappingKey: [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+
+# 2.6 New ML Commons Dashboards Feature
+# Set the value of this setting to true to enable the ml commons dashboards
+# ml_commons_dashboards.enabled: false
+
+# 2.12 New experimental Assistant Dashboards Feature
+# Set the value of this setting to true to enable the assistant dashboards
+# assistant.chat.enabled: false
+
+# 2.13 New Query Assistant Feature
+# Set the value of this setting to false to disable the query assistant
+# observability.query_assist.enabled: false
+
+# 2.14 Enable Ui Metric Collectors in Usage Collector
+# Set the value of this setting to true to enable UI Metric collections
+# usageCollection.uiMetric.enabled: false
+
+opensearch.hosts: [https://localhost:9200]
+opensearch.ssl.verificationMode: none
+opensearch.username: admin
+opensearch.password: 'Qazwsxedc!@#123'
+opensearch.requestHeadersWhitelist: [authorization, securitytenant]
+
+opensearch_security.multitenancy.enabled: true
+opensearch_security.multitenancy.tenants.preferred: [Private, Global]
+opensearch_security.readonly_mode.roles: [kibana_read_only]
+# Use this setting if you are running opensearch-dashboards without https
+opensearch_security.cookie.secure: false
+server.host: '0.0.0.0'
diff --git a/spellbook/dify/volumes/sandbox/conf/config.yaml b/spellbook/dify/volumes/sandbox/conf/config.yaml
new file mode 100644
index 00000000..8c1a1deb
--- /dev/null
+++ b/spellbook/dify/volumes/sandbox/conf/config.yaml
@@ -0,0 +1,14 @@
+app:
+ port: 8194
+ debug: True
+ key: dify-sandbox
+max_workers: 4
+max_requests: 50
+worker_timeout: 5
+python_path: /usr/local/bin/python3
+enable_network: True # please make sure there is no network risk in your environment
+allowed_syscalls: # please leave it empty if you have no idea how seccomp works
+proxy:
+ socks5: ''
+ http: ''
+ https: ''
diff --git a/spellbook/dify/volumes/sandbox/conf/config.yaml.example b/spellbook/dify/volumes/sandbox/conf/config.yaml.example
new file mode 100644
index 00000000..f92c19e5
--- /dev/null
+++ b/spellbook/dify/volumes/sandbox/conf/config.yaml.example
@@ -0,0 +1,35 @@
+app:
+ port: 8194
+ debug: True
+ key: dify-sandbox
+max_workers: 4
+max_requests: 50
+worker_timeout: 5
+python_path: /usr/local/bin/python3
+python_lib_path:
+ - /usr/local/lib/python3.10
+ - /usr/lib/python3.10
+ - /usr/lib/python3
+ - /usr/lib/x86_64-linux-gnu
+ - /etc/ssl/certs/ca-certificates.crt
+ - /etc/nsswitch.conf
+ - /etc/hosts
+ - /etc/resolv.conf
+ - /run/systemd/resolve/stub-resolv.conf
+ - /run/resolvconf/resolv.conf
+ - /etc/localtime
+ - /usr/share/zoneinfo
+ - /etc/timezone
+ # add more paths if needed
+python_pip_mirror_url: https://pypi.tuna.tsinghua.edu.cn/simple
+nodejs_path: /usr/local/bin/node
+enable_network: True
+allowed_syscalls:
+ - 1
+ - 2
+ - 3
+ # add all the syscalls which you require
+proxy:
+ socks5: ''
+ http: ''
+ https: ''
diff --git a/spellbook/dify/volumes/sandbox/dependencies/python-requirements.txt b/spellbook/dify/volumes/sandbox/dependencies/python-requirements.txt
new file mode 100644
index 00000000..e69de29b
diff --git a/spellbook/ee-llm-tester-gr/.SourceSageignore b/spellbook/ee-llm-tester-gr/.SourceSageignore
new file mode 100644
index 00000000..eb8a716c
--- /dev/null
+++ b/spellbook/ee-llm-tester-gr/.SourceSageignore
@@ -0,0 +1,43 @@
+# バージョン管理システム関連
+.git
+.gitignore
+
+# キャッシュファイル
+__pycache__
+.pytest_cache
+**/__pycache__/**
+*.pyc
+
+# ビルド・配布関連
+build
+dist
+*.egg-info
+node_modules
+
+# 一時ファイル・出力
+output
+output.md
+test_output
+.SourceSageAssets
+.SourceSageAssetsDemo
+
+# アセット
+*.png
+*.svg
+assets
+
+# その他
+LICENSE
+example
+folder
+package-lock.json
+.DS_Store
+
+*.exe
+terraform.tfstate.backup
+.terraform
+.terraform.lock.hcl
+terraform.tfstate
+
+venv
+.venv
diff --git a/spellbook/ee-llm-tester-gr/Dockerfile b/spellbook/ee-llm-tester-gr/Dockerfile
new file mode 100644
index 00000000..e818c21e
--- /dev/null
+++ b/spellbook/ee-llm-tester-gr/Dockerfile
@@ -0,0 +1,16 @@
+FROM python:3.11-slim
+
+WORKDIR /app
+
+# 必要なパッケージをインストール
+COPY requirements.txt .
+RUN pip install --no-cache-dir -r requirements.txt
+
+# アプリケーションのソースコードをコピー
+COPY . .
+
+# Gradioアプリを実行
+EXPOSE 80
+
+HEALTHCHECK CMD curl --fail http://localhost:80/healthz || exit 1
+ENTRYPOINT ["python", "app.py"]
diff --git a/spellbook/ee-llm-tester-gr/README.md b/spellbook/ee-llm-tester-gr/README.md
new file mode 100644
index 00000000..17e7bb69
--- /dev/null
+++ b/spellbook/ee-llm-tester-gr/README.md
@@ -0,0 +1,110 @@
+#