feat(trilium): release trilium

deployment notes: - oidc error (users cannot access at once, it needs login twice when using oidc
2026-05-09 22:38:57 +09:00
parent aceef4bdaa
commit 02fa912cb1
11 changed files with 203 additions and 3 deletions
@@ -185,6 +185,13 @@ services:
    ports:
      http: "3002"
    subuid: "100999"
  trilium:
    domain:
      public: "notes"
      internal: "notes.app"
    ports:
      http: "8004"
    subuid: "100999"
 version:
  packages:
@@ -226,3 +233,4 @@ version:
    ezbookkeeping: "1.4.0"
    sure: "0.7.0-hotfix.2"
    wikijs: "2.5.314"
    trilium: "v0.102.2"
@@ -265,6 +265,14 @@
          tags: ["site", "wikijs"]
      tags: ["site", "wikijs"]
    - name: Set trilium
      ansible.builtin.include_role:
        name: "app"
        tasks_from: "services/set_trilium"
        apply:
          tags: ["site", "trilium"]
      tags: ["site", "trilium"]
    - name: Flush handlers right now
      ansible.builtin.meta: "flush_handlers"
@@ -158,3 +158,14 @@
  changed_when: false
  listen: "notification_restart_wikijs"
  ignore_errors: true # noqa: ignore-errors
 - name: Restart trilium
  ansible.builtin.systemd:
    name: "trilium.service"
    state: "restarted"
    enabled: true
    scope: "user"
    daemon_reload: true
  changed_when: false
  listen: "notification_restart_trilium"
  ignore_errors: true # noqa: ignore-errors
@@ -0,0 +1,38 @@
 ---
 - name: Create trilium directory
  ansible.builtin.file:
    path: "{{ node['home_path'] }}/{{ item }}"
    state: "directory"
    owner: "{{ services['trilium']['subuid'] }}"
    group: "svadmins"
    mode: "0770"
  loop:
    - "data/containers/trilium"
    - "data/containers/trilium/data"
  become: true
 - name: Register secret value to podman secret
  containers.podman.podman_secret:
    name: "TRILIUM_OAUTH_CLIENT_SECRET"
    data: "{{ hostvars['console']['trilium']['oidc']['secret'] }}"
    state: "present"
    force: true
  notify: "notification_restart_trilium"
  no_log: true
 - name: Deploy trilium.container file
  ansible.builtin.template:
    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/trilium/trilium.container.j2"
    dest: "{{ node['home_path'] }}/.config/containers/systemd/trilium.container"
    owner: "{{ ansible_user }}"
    group: "svadmins"
    mode: "0644"
  notify: "notification_restart_trilium"
 - name: Enable trilium.service
  ansible.builtin.systemd:
    name: "trilium.service"
    state: "started"
    enabled: true
    daemon_reload: true
    scope: "user"
@@ -295,6 +295,14 @@ wikijs:
 #ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
 #
 #
 #ENC[AES256_GCM,data:rf52AKZDCNq9PVnAMnDXzw==,iv:+rT8sgcAz0LoeUcPgIrpSw/JWvk5agunnTkaWac16kU=,tag:SCyTu1rUNnmS2EFMeIvlCw==,type:comment]
 trilium:
    oidc:
        secret: ENC[AES256_GCM,data:EfKdxk/OBgQyGVwOnxMFS/HhucL5qicaB7HfWu4yNvmrqxU+ubkT62zJewQ=,iv:Ye4gNbyOuEaujGfxXYKg4GWDOP+cnTNL230t8B98WUY=,tag:B1YoabR7y8OVUKYj/aiSPA==,type:str]
        hash: ENC[AES256_GCM,data:QyU+leT28FY3nW+tIbnap2n52xw1bcb77ziFf6cW9gdwwhL6rJCEaTGQritpVsCH5C9ytxlV0Acn7dJbnYSHFtZ2jbuvYMSQR4ewtY+tFX1MdD9+FmtH8umb7PHbG6upXgrXRNRIglJ4U1BEfg0xkdzEPbJq+r13A1+cKESrewayae4=,iv:CUE6YjDzgoc017e8+dT1S956PwmOlb7h6dhnOpCr3iw=,tag:XGgpzuVZXJ8Axb4ib8anVQ==,type:str]
 #ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
 #
 #
 #ENC[AES256_GCM,data:T4Wtn49AAxPd2QUFTR+q,iv:bH5goGWBDqumAat9dUv2OwfCUJUpuVqncTMqMBZUXhI=,tag:G+W6hHA+yftQ+4RJpXrxHg==,type:comment]
 switch:
    password: ENC[AES256_GCM,data:qu0f9L7A0eFq/UCpaRs=,iv:W8LLOp3MSfd/+EfNEZNf91K8GgI5eUfVPoWTRES2C0Y=,tag:Q5FlAOfwqwJwPvd7k6i+0g==,type:str]
@@ -324,7 +332,7 @@ sops:
            UmliaFNxVTBqRkI1QWJpWGpTRWxETW8KEY/8AfU73UOzCGhny1cNnd5dCNv7bHXt
            k+uyWPPi+enFkVaceSwMFrA66uaWWrwAj11sXEB7yzvGFPrnAGezjQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-05-09T06:19:32Z"
+    lastmodified: "2026-05-09T12:29:30Z"
-    mac: ENC[AES256_GCM,data:XZQO+US/uCCngkzTi/C+shPw5kb3jWBwWbRd2eTwduBbuCMXUCiGPhPws27qMC3mCOmpr98AHJa5CS+chbC/bWwYqxwWPG03d6lN+EHJHPNiM6HBFhCIBv8d0+mNMlgQaS83Up+diSFliJZ54tOMYDvyj0iwYr1mVXN0QXHhAF4=,iv:e0spAJI5WETIxIpS7dmBwP/6eIrYaC37S8qXUtoE0Jw=,tag:GKlCgm/BAypbbe0S3OkObA==,type:str]
+    mac: ENC[AES256_GCM,data:ql3rWwdwJRn2nH0SLnjTaJK4NVemxG8T814VEDaHv38bc7A3aaMGuZ92mHY4z+5oNA+DpR/UjkGJ/NrckbURxY63BEcyVCsS4Rb95HTKjDOjf2g5rrohdgI3ZUE1jvlyf3tAh2ZYh1J8QddLKyLju/J43KcB+XRQKhJv4kubAQ0=,iv:4inRbBMuhB7Hzi8fGpqyC3juUqteZGLXX0GtnHusF7Y=,tag:ZxJ6iv8NxJr4rvCInml8dg==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.12.1
@@ -0,0 +1,46 @@
 [Quadlet]
 DefaultDependencies=false
 [Unit]
 Description=trilium
 After=network-online.target
 Wants=network-online.target
 [Container]
 Image=docker.io/triliumnext/trilium:{{ version['containers']['trilium'] }}
 ContainerName=trilium
 HostName=trilium
 PublishPort={{ services['trilium']['ports']['http'] }}:8080/tcp
 Volume=%h/data/containers/trilium/data:/home/node/trilium-data:rw
 # General
 Environment="TZ=Asia/Seoul"
 Environment="TRILIUM_DATA_DIR=/home/node/trilium-data"
 Environment="TRILIUM_NO_UPLOAD_LIMIT=true"
 # OIDC
 ## Short Alias doesn't work now.
 #Environment="TRILIUM_OAUTH_BASE_URL=https://{{ services['trilium']['domain']['public'] }}.{{ domain['public'] }}"
 #Environment="TRILIUM_OAUTH_CLIENT_ID=trilium"
 #Environment="TRILIUM_OAUTH_ISSUER_BASE_URL=https://{{ services['authelia']['domain'] }}.{{ domain['public'] }}"
 #Environment="TRILIUM_OAUTH_ISSUER_NAME=Authelia"
 #Environment="TRILIUM_OAUTH_ISSUER_ICON=https://www.authelia.com/images/branding/logo-cropped.png"
 #Secret="TRILIUM_OAUTH_CLIENT_SECRET",type=env
 Environment="TRILIUM_MULTIFACTORAUTHENTICATION_OAUTHBASEURL=https://{{ services['trilium']['domain']['public'] }}.{{ domain['public'] }}"
 Environment="TRILIUM_MULTIFACTORAUTHENTICATION_OAUTHCLIENTID=trilium"
 Environment="TRILIUM_MULTIFACTORAUTHENTICATION_OAUTHISSUERBASEURL=https://{{ services['authelia']['domain'] }}.{{ domain['public'] }}"
 Environment="TRILIUM_MULTIFACTORAUTHENTICATION_OAUTHISSUERNAME=Authelia"
 Environment="TRILIUM_MULTIFACTORAUTHENTICATION_OAUTHISSUERICON=https://www.authelia.com/images/branding/logo-cropped.png"
 Secret="TRILIUM_OAUTH_CLIENT_SECRET",type=env,target=TRILIUM_MULTIFACTORAUTHENTICATION_OAUTHCLIENTSECRET
 [Service]
 Restart=always
 RestartSec=10s
 TimeoutStopSec=120
 [Install]
 WantedBy=default.target
@@ -93,6 +93,14 @@ notifier:
 identity_providers:
  oidc:
    hmac_secret: '' # $AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE
    claims_policies:
      # trilium expects name/email value in id token, but authelia doesn't send it basically
      trilium:
        id_token:
          - email
          - email_verified
          - preferred_username
          - name
    # For the app which doesn't use secret.
    cors:
      endpoints:
@@ -452,3 +460,27 @@ identity_providers:
        access_token_signed_response_alg: 'none'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_post'
      # https://www.authelia.com/integration/openid-connect/clients/trillium/
      # The name is trilium, not trillium
      - client_id: 'trilium'
        client_name: 'Trilium Notes'
        client_secret: '{{ hostvars['console']['trilium']['oidc']['hash'] }}'
        public: false
        authorization_policy: 'one_factor'
        # claims policy above
        claims_policy: 'trilium'
        require_pkce: false
        pkce_challenge_method: ''
        redirect_uris:
          - 'https://{{ services['trilium']['domain']['public'] }}.{{ domain['public'] }}/callback'
        scopes:
          - 'openid'
          - 'profile'
          - 'email'
        response_types:
          - 'code'
        grant_types:
          - 'authorization_code'
        access_token_signed_response_alg: 'none'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_basic'
@@ -107,3 +107,9 @@
                header_up Host {http.request.header.X-Forwarded-Host}
        }
 }
 {{ services['trilium']['domain']['internal'] }}.{{ domain['internal'] }} {
        import private_tls
        reverse_proxy host.containers.internal:{{ services['trilium']['ports']['http'] }} {
                header_up Host {http.request.header.X-Forwarded-Host}
        }
 }
@@ -181,6 +181,15 @@
                }
        }
 }
 {{ services['trilium']['domain']['public'] }}.{{ domain['public'] }} {
        import crowdsec_log
        route {
                crowdsec
                reverse_proxy https://{{services['trilium']['domain']['internal'] }}.{{ domain['internal'] }} {
                        header_up Host {http.reverse_proxy.upstream.host}
                }
        }
 }
 # Internal domain
 {{ node['name'] }}.{{ domain['internal'] }} {
@@ -0,0 +1,33 @@
 # trilium
 ## Prerequisite
 ### Create oidc secret and hash
 - Create the secret with `openssl rand -base64 32`
 - access to auth vm
  - `podman exec -it authelia sh`
  - `authelia crypto hash generate pbkdf2 --password 'trilium.oidc.secret'`
 - Save this value in secrets.yaml in `trilium.oidc.secret` and `trilium.oidc.hash`
 ## Configuration
 ### Access
 - https://notes.ilnmors.com
    - `[x]` I'm a new user, and I want to create a new Trilium document for my notes
    - Next
    - Password configuration
    - local password login
 ### OIDC
 - Menu: Options: MFA
    - `[x]` Enable MFA
    - `[x]` OAuth/OpenID
    - logout
 - Authelia
 ### about ERRORS
 - This is so unstable to use, especially OIDC is one of terrible experience.
@@ -133,7 +133,8 @@
            - sure is heavy, but it is not YNAB and it allows to share account the other users
        - [x] wiki.js
            - check wiki.js to use as base wiki of documents.
-        - [ ] TriliumNext
+        - [x] TriliumNext
            - UNSTABLE, it is impossible to use.
        - [ ] memos
        - WriteFreely or directus + frontend(Astro)
        - MediaCMS or PeerTube