diff --git a/ansible/inventory/group_vars/all.yaml b/ansible/inventory/group_vars/all.yaml index e661915..d7351cd 100644 --- a/ansible/inventory/group_vars/all.yaml +++ b/ansible/inventory/group_vars/all.yaml @@ -109,13 +109,6 @@ services: immich-ml: ports: http: "3003" - actualbudget: - domain: - public: "actualbudget" - internal: "actualbudget.app" - ports: - http: "5006" - subuid: "101000" paperless: domain: public: "paperless" @@ -124,20 +117,6 @@ services: http: "8001" redis: "6380" subuid: "100999" - vikunja: - domain: - public: "vikunja" - internal: "vikunja.app" - ports: - http: "3456" - subuid: "100999" - opencloud: - domain: - public: "opencloud" - internal: "opencloud.app" - ports: - http: "9200" - subuid: "100999" manticore: subuid: "100998" affine: @@ -163,13 +142,6 @@ services: ports: http: "9980" subuid: "101000" - ezbookkeeping: - domain: - public: "budget" - internal: "budget.app" - ports: - http: "8003" - subuid: "100999" sure: domain: public: "sure" @@ -178,20 +150,6 @@ services: http: "3001" redis: "6383" subuid: "100999" - wikijs: - domain: - public: "wiki" - internal: "wiki.app" - ports: - http: "3002" - subuid: "100999" - trilium: - domain: - public: "notes" - internal: "notes.app" - ports: - http: "8004" - subuid: "100999" version: packages: @@ -222,15 +180,9 @@ version: gitea: "1.26.1" redis: "8.6.3" immich: "v2.7.5" - actualbudget: "26.3.0" paperless: "2.20.15" - vikunja: "2.2.2" - opencloud: "4.0.6" manticore: "25.0.0" affine: "0.26.3" nextcloud: "33.0.3" collabora: "25.04.9.4.1" - ezbookkeeping: "1.4.0" sure: "0.7.0-hotfix.2" - wikijs: "2.5.314" - trilium: "v0.102.2" diff --git a/ansible/playbooks/app/site.yaml b/ansible/playbooks/app/site.yaml index 0756fc4..3dc1c14 100644 --- a/ansible/playbooks/app/site.yaml +++ b/ansible/playbooks/app/site.yaml 
@@ -185,14 +185,6 @@ tags: ["site", "immich"] tags: ["site", "immich"] - - name: Set actual budget - ansible.builtin.include_role: - name: "app" - tasks_from: "services/set_actual-budget" - apply: - tags: ["site", "actual-budget"] - tags: ["site", "actual-budget"] - - name: Set paperless ansible.builtin.include_role: name: "app" @@ -201,22 +193,6 @@ tags: ["site", "paperless"] tags: ["site", "paperless"] - - name: Set vikunja - ansible.builtin.include_role: - name: "app" - tasks_from: "services/set_vikunja" - apply: - tags: ["site", "vikunja"] - tags: ["site", "vikunja"] - - - name: Set opencloud - ansible.builtin.include_role: - name: "app" - tasks_from: "services/set_opencloud" - apply: - tags: ["site", "opencloud"] - tags: ["site", "opencloud"] - - name: Set affine ansible.builtin.include_role: name: "app" @@ -241,14 +217,6 @@ tags: ["site", "collabora"] tags: ["site", "collabora"] - - name: Set ezbookkeeping - ansible.builtin.include_role: - name: "app" - tasks_from: "services/set_ezbookkeeping" - apply: - tags: ["site", "ezbookkeeping"] - tags: ["site", "ezbookkeeping"] - - name: Set sure ansible.builtin.include_role: name: "app" @@ -257,22 +225,6 @@ tags: ["site", "sure"] tags: ["site", "sure"] - - name: Set wiki.js - ansible.builtin.include_role: - name: "app" - tasks_from: "services/set_wikijs" - apply: - tags: ["site", "wikijs"] - tags: ["site", "wikijs"] - - - name: Set trilium - ansible.builtin.include_role: - name: "app" - tasks_from: "services/set_trilium" - apply: - tags: ["site", "trilium"] - tags: ["site", "trilium"] - - name: Flush handlers right now ansible.builtin.meta: "flush_handlers" diff --git a/ansible/roles/app/handlers/main.yaml b/ansible/roles/app/handlers/main.yaml index 2462299..877dfc7 100644 --- a/ansible/roles/app/handlers/main.yaml +++ b/ansible/roles/app/handlers/main.yaml 
@@ -43,17 +43,6 @@ listen: "notification_restart_immich-ml" ignore_errors: true # noqa: ignore-errors -- name: Restart actual-budget - ansible.builtin.systemd: - name: "actual-budget.service" - state: "restarted" - enabled: true - scope: "user" - daemon_reload: true - changed_when: false - listen: "notification_restart_actual-budget" - ignore_errors: true # noqa: ignore-errors - - name: Restart paperless ansible.builtin.systemd: name: "paperless.service" @@ -65,29 +54,6 @@ listen: "notification_restart_paperless" ignore_errors: true # noqa: ignore-errors -- name: Restart vikunja - ansible.builtin.systemd: - name: "vikunja.service" - state: "restarted" - enabled: true - scope: "user" - daemon_reload: true - changed_when: false - listen: "notification_restart_vikunja" - ignore_errors: true # noqa: ignore-errors - -- name: Restart opencloud - ansible.builtin.systemd: - name: "opencloud.service" - state: "restarted" - enabled: true - daemon_reload: true - scope: "user" - when: is_opencloud_init.stat.exists - changed_when: false - listen: "notification_restart_opencloud" - ignore_errors: true # noqa: ignore-errors - - name: Restart affine ansible.builtin.systemd: name: "affine.service" @@ -123,17 +89,6 @@ listen: "notification_restart_collabora" ignore_errors: true # noqa: ignore-errors -- name: Restart ezbookkeeping - ansible.builtin.systemd: - name: "ezbookkeeping.service" - state: "restarted" - enabled: true - scope: "user" - daemon_reload: true - changed_when: false - listen: "notification_restart_ezbookkeeping" - ignore_errors: true # noqa: ignore-errors - - name: Restart sure ansible.builtin.systemd: name: "{{ item }}" 
@@ -147,25 +102,3 @@
 changed_when: false
 listen: "notification_restart_sure"
 ignore_errors: true # noqa: ignore-errors
-
-- name: Restart wikijs
- ansible.builtin.systemd:
- name: "wikijs.service"
- state: "restarted"
- enabled: true
- scope: "user"
- daemon_reload: true
- changed_when: false
- listen: "notification_restart_wikijs"
- ignore_errors: true # noqa: ignore-errors
-
-- name: Restart trilium
- ansible.builtin.systemd:
- name: "trilium.service"
- state: "restarted"
- enabled: true
- scope: "user"
- daemon_reload: true
- changed_when: false
- listen: "notification_restart_trilium"
- ignore_errors: true # noqa: ignore-errors
diff --git a/ansible/roles/infra/tasks/services/set_postgresql.yaml b/ansible/roles/infra/tasks/services/set_postgresql.yaml
index 4d9894a..35077d1 100644
--- a/ansible/roles/infra/tasks/services/set_postgresql.yaml
+++ b/ansible/roles/infra/tasks/services/set_postgresql.yaml
@@ -9,12 +9,9 @@
 - "gitea"
 - "immich"
 - "paperless"
- - "vikunja"
 - "affine"
 - "nextcloud"
- - "ezbookkeeping"
 - "sure"
- - "wikijs"
 
 - name: Create postgresql directory
 ansible.builtin.file:
diff --git a/config/secrets/secrets.yaml b/config/secrets/secrets.yaml
index 98286c2..3cc12a5 100644
--- a/config/secrets/secrets.yaml
+++ b/config/secrets/secrets.yaml
@@ -117,12 +117,9 @@ postgresql:
 gitea: ENC[AES256_GCM,data:l+pBCzyQa3000SE9z1R4htD0V0ONsBtKy92dfgsVYsZ3XlEyVJDIBOsugwM=,iv:5t/oHW1vFAmV/s2Ze/cV9Vuqo96Qu6QvZeRbio7VX2s=,tag:4zeQaXiXIzBpy+tXsxmN7Q==,type:str]
 immich: ENC[AES256_GCM,data:11jvxTKA/RL0DGL6y2/X092hnDohj6yTrYGK4IVojqBd1gCOBnDvUjgmx14=,iv:oBfHxsx9nxhyKY/WOuWfybxEX2bf+lHEtsaifFRS9lg=,tag:tAfkBdgQ8ZEkLIFcDICKDw==,type:str]
 paperless: ENC[AES256_GCM,data:6VBrBbjVoam7SkZCSvoBTdrfkUoDghdGTiBmFLul04X/okXOHeC5zusJffY=,iv:iZumcJ3TWwZD77FzYx8THwCqC+EbnXUBrEKuPh3zgV8=,tag:u2m8SppAdxZ/duNdpuS3oQ==,type:str]
- vikunja: ENC[AES256_GCM,data:/+wQdoFPTBG2elI9kZbAVWrHZ0DhMaYr4dc+2z9QNdb3TcDS2PEia0JuSAg=,iv:MViZTyUD8YqMmxSTWCQpJ30f/KQdQGOzPlRHHsQ8lAw=,tag:zov3POno139dkMxFDpj2gg==,type:str]
 affine: ENC[AES256_GCM,data:XPXrcszsV06YqCJZ7CDqc4rCwqqNlbtLCFYfLAQ8jamLtft8L2UVrMA4WZo=,iv:vrWdBeckxB9tmEE628j4jhU+hSpE6TXYMGt0hh1Cg84=,tag:hlWwWUGht8NqWTZREMsa1Q==,type:str]
 nextcloud: ENC[AES256_GCM,data:ROsximNuWYMTZktmLJPx7W1Qol/uT+APgwoCtFO/6ZYYc3KxKvlk344eqEc=,iv:4d+MrfIHjJKAcwhvZ3g4go66uZcieuL7lngKErJd+fg=,tag:QbWOtxeCbiu62GyrE2atXg==,type:str]
- ezbookkeeping: ENC[AES256_GCM,data:CYYQ5DVr8Na46QduvUNF6d0XBVSXTml34q3/PhIYIvUNviOVgCjqXA4wN7g=,iv:qRljohJ+wI50XxSgMElKp65HyV3mKRTqDGjw9C1S0d0=,tag:PClp7PRmC0+PV0SzZpJqqQ==,type:str]
 sure: ENC[AES256_GCM,data:FULJ2gjJ2gZC3s324itW+CjGRBHIP9RnOqw5TT1UaiUhb7UHAPm1na+LsZk=,iv:c0GnVZkxprJUzPPq3TCQaZvAes9QQuvDXqgVLLaiQIg=,tag:uDxy/Lkd2hNK4AWwMNMslw==,type:str]
- wikijs: ENC[AES256_GCM,data:2drkkTevrcUrgxOHavIEPcemc2l5+/3GEAYNCYVL/63daVda5tzL61tPm2A=,iv:87qPrlRaosXO75eaxo4xjevVc1Pt9MiHv6lYFBB3MKU=,tag:SnVbVR4ZM0qvVmWpcgSKrg==,type:str]
 #ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
 #
 #
@@ -213,14 +210,6 @@ immich:
 #ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
 #
 #
-#ENC[AES256_GCM,data:bzMt0Ox0Za4dOhoo7S6dYCdK32JI9Q==,iv:PRTryIJk0tR545XY0LoHwklvsJp5+A5bEljNmzUvRhY=,tag:EVsjRUGMOadaNbMu0Xr4XA==,type:comment]
-actualbudget:
- oidc:
- secret: ENC[AES256_GCM,data:TE2umZ9Vvr7cSfA2+TAfRadIWZN3hyOKQ6U9NqJFm5e9iiw1avI+QlnYcKI=,iv:rUWoclBRqh0tsGnMq29395Fn2NP7AXnSCd0s+S8jQ6I=,tag:qPX/TcdIo6BJeex7wmi02Q==,type:str]
- hash: ENC[AES256_GCM,data:UjhNkGj+sxbnmPUx1V5kVYwZnzsB0aEvN8YV29lcvMbSnf9xpQWwD5C93Zu8SYrnS/p88qZpGBgAjr9Pcly3y0H1YMRt9zzbHZU3Uo0DPDrSWRQdeB/8LkcM/cwMAs8arS6PO03ECNnN5Z6aTmFdFnLjUkvUuSWMFscItAzMzhWCpeY=,iv:B06LI7Cq3NN8haOLfN3gWIpUFnvdUlq6D2XmARojDpk=,tag:MflE8qcY5j/aAA7xfPCqng==,type:str]
-#ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
-#
-#
 #ENC[AES256_GCM,data:McPUAbIUvtC1gdPaxTgAxAMCMWcLfg==,iv:Tp6idRf7he3sYzo8LW596C905JAaoTIhIoDUzSyRT0k=,tag:4mZQ0Swu1X9uuwjsRNhr2A==,type:comment]
 paperless:
 session_secret: ENC[AES256_GCM,data:siwCs2noeVpg9DCEZybnmo/oz11BdrHSTnHciMOu/6g=,iv:XVjhu10TIujIdUopN9+TVVqRade9EvItDWxym6YXnZs=,tag:TxLYm+4Bo7IMaTQBtMg9pQ==,type:str]
@@ -232,22 +221,6 @@ paperless:
 #ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
 #
 #
-#ENC[AES256_GCM,data:V7DJHA2JQirfBsrCGhXrhg==,iv:+jYqX9hGNnuyYj9o9LpCYFVOoD6nSrtc4t40Ag0mMzo=,tag:1wSxKtkJm42reUxdwYDvlg==,type:comment]
-vikunja:
- session_secret: ENC[AES256_GCM,data:CMyw8JGHyTczGsrOJJwQBKfXMU4Sudvwkur1Lgx4o64=,iv:F2VmpqddiDT4jGaGDKGl6FARsQOt3lLz3X6TjC2MIVU=,tag:UJYyzrl/FX1BNwY4ROFncA==,type:str]
- oidc:
- secret: ENC[AES256_GCM,data:QwqndYsfr+fh9OLkHYtLYCa6WUdhnL7A4btz1d1eelTwq3Kps5S6BUN5qZg=,iv:51N8byIAAUh4ky7YBAuEJOBEWu1d9AX5W1m37/cLlCM=,tag:GD7jbxNGd748TCPgqsxyMg==,type:str]
- hash: ENC[AES256_GCM,data:ORifyT4u1V2CyBCNBgF72wwS2i05mlzA4iIVEa1cH9aaE69PdiQvGGzMHK+tmlfpVaVQEENSt1QDUSSlMyeuZT/3a0JwAvlz+XDbpS7bicL2cB6DCa4JyEd/rbGRXs0/COfxPxXzYv7jq9gd2uSJ+cCGYb/93WuEXSEI6PHi+FF7N94=,iv:FVSGySa4YB2vwenqSagBzxeIexg91ewvcQMix+etmng=,tag:yyQtOgzOZypba+rV3A1K9g==,type:str]
-#ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
-#
-#
-#ENC[AES256_GCM,data:EsRGZP7snPchEAMoQN5PoQpiOA==,iv:A/8POGq3pIw7aX5S2vyKtI2vPqH0FT6yZnpe/vVbifw=,tag:BgUYHX2zxIL7yLS0JbI1Yg==,type:comment]
-opencloud:
- admin:
- password: ENC[AES256_GCM,data:VKG7sNTTLHCXRGf4SAlR91+hvc7PaNrnpJX/4kItVcT9W1Hdl/yKgHHD7M8=,iv:WwWnx9KuN+i/Ugwv+HY4IGDZrLHk71hsobGFOn9kml0=,tag:SS6ihrtZjLnlAJR59lw+gw==,type:str]
-#ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
-#
-#
 #ENC[AES256_GCM,data:k55osvepVeB1RC5hZ4IF,iv:AlhfmWwn/DiSESWc+ULJSOLUhnrKAIfWr7MeiwV8qc8=,tag:hOgptwUcY6nVxPIhu+DYgw==,type:comment]
 affine:
 secret_key: ENC[AES256_GCM,data:LLX78DpYnha1JWhgw0sHLzIVq/oIzvT+nB7zgli4mroGbnt7WZaXCx34zKkYRwYj/+0L4IFFVdkzKtK5DO84SgFkS2Bk2iNdCMqIx80CpyiD8IWAcyRu5d6hh82PlgyxU80T/4nbLbIn0GLubPTTeUX8GC3VxRU=,iv:DnmvbhlygSHes0jAkIm4+WXMUQLzr4R4dNa33rO67v8=,tag:+2wlh+/ekiTyShWM4XBbUw==,type:str]
@@ -269,14 +242,6 @@ nextcloud:
 #ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
 #
 #
-#ENC[AES256_GCM,data:tMahvC9OLW4+AGLyx68SNsOPBezApw==,iv:WHx8ruuQ33J/8XtwyhvDy2cKqE7lAWvj/r5AUhdyssU=,tag:uRwheXUxqNSIhcPqGeMNog==,type:comment]
-ezbookkeeping:
- oidc:
- secret: ENC[AES256_GCM,data:ZMIfRwXDT1ujGKoc7DGvc8/O+ciB+kajo9yOwVsMsbEjl6D8gl6I0Lbsta8=,iv:++p1TTW6gDUEvh56SjMgldrpob/VWNtiYGo6wNS8cz0=,tag:LQaW333UskiN4mtIjUAguA==,type:str]
- hash: ENC[AES256_GCM,data:XyB1N3MUzBHWHAumat7/ASy/Aja/gLKmeTriOqLnMgZ9lBE1birYtFW+R0wZ+vyx79tHKVnRxzrWsxoD5jitCmHyMVrJmJKl5c4SYMhytKfBPgrNe3twcc06U+wONmgAuVpaEQlnnyzAz42SpOHbT55GegHjYzT5hXax8eRvdM6xJSY=,iv:R4+EdQuKo2JumY3cu8KPpeFezcLhlehXBxr2wVG5wHk=,tag:hpDX1x9NCCutUsnDKEf1Sg==,type:str]
-#ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
-#
-#
 #ENC[AES256_GCM,data:Fsqc2JDp9dvfgiCjdQ==,iv:3DALKKEXaP8hzXRvxD4CgfFpOiPPsOa16OB94n8WKp8=,tag:K+FF3zGrc0YLXWK/R2L3Ow==,type:comment]
 sure:
 session_secret: ENC[AES256_GCM,data:InHsz/jld8E9TwI8MWpxk9x2I7dxlIsY9R6jtDK2pBA=,iv:HY5yXEC2Dce26e9/vXTIWELvVd9ZjhcCwFD0jhz5pPw=,tag:LLSJovZ0RH3CUK+se7R4Ag==,type:str]
@@ -286,23 +251,6 @@ sure:
 #ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
 #
 #
-#ENC[AES256_GCM,data:NkvAsD10P7qUvGPXeTY+rQ==,iv:GjsUk3Ht6RYW/rhkRhMSFEmtsAiS+dK7niYDJVBj2iE=,tag:8KnDcuRTm7P76Kh2hmWeXw==,type:comment]
-wikijs:
- il: ENC[AES256_GCM,data:gsAEHk4MI75EXIiqdb05RYSmlxaQ7mlYXTwTYYVJ20KC397T6xbHzvNojlI=,iv:iYc+BahiJ50LSr35/T1VCQsxsRen5rKLwQhfVQMkdz4=,tag:rscWcLWyTaSR4KEPJaes2A==,type:str]
- oidc:
- secret: ENC[AES256_GCM,data:+bmvyUkiQ+vnaJW7wgjohv4wdvliqx8whdSM8iBUJXGFy/QOs2oJm4FoUcA=,iv:U07y/+87zbXQ2hQ4HvzKcEH5nQsaSIF1Oh3yv6/ytWU=,tag:knGwjGhH5D/OSvW6j5S0VQ==,type:str]
- hash: ENC[AES256_GCM,data:7jKBt9mdfxKDU6vBIP6k/wj0gIsRnLwwSrLOlnbbiNZVmbZXqv/UxEsLxCyx1rP2mzGgaxNCBh6WOo7mbSMPezMiuf/enrNrmIwpcP2R0H6LxGTiLFk/7EZ493oy7qFmmsM2qM7Y6qhhKUygD4XbJfVZ2sdojjIGAWy6XdpbbQICb5I=,iv:N3gPga+iDYUF0uAx671DP+4c7FYUKP12MEbYmKZRPAI=,tag:7tKwhxk5yQ0KfZrg0+v/rw==,type:str]
-#ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
-#
-#
-#ENC[AES256_GCM,data:rf52AKZDCNq9PVnAMnDXzw==,iv:+rT8sgcAz0LoeUcPgIrpSw/JWvk5agunnTkaWac16kU=,tag:SCyTu1rUNnmS2EFMeIvlCw==,type:comment]
-trilium:
- oidc:
- secret: ENC[AES256_GCM,data:EfKdxk/OBgQyGVwOnxMFS/HhucL5qicaB7HfWu4yNvmrqxU+ubkT62zJewQ=,iv:Ye4gNbyOuEaujGfxXYKg4GWDOP+cnTNL230t8B98WUY=,tag:B1YoabR7y8OVUKYj/aiSPA==,type:str]
- hash: ENC[AES256_GCM,data:QyU+leT28FY3nW+tIbnap2n52xw1bcb77ziFf6cW9gdwwhL6rJCEaTGQritpVsCH5C9ytxlV0Acn7dJbnYSHFtZ2jbuvYMSQR4ewtY+tFX1MdD9+FmtH8umb7PHbG6upXgrXRNRIglJ4U1BEfg0xkdzEPbJq+r13A1+cKESrewayae4=,iv:CUE6YjDzgoc017e8+dT1S956PwmOlb7h6dhnOpCr3iw=,tag:XGgpzuVZXJ8Axb4ib8anVQ==,type:str]
-#ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
-#
-#
 #ENC[AES256_GCM,data:T4Wtn49AAxPd2QUFTR+q,iv:bH5goGWBDqumAat9dUv2OwfCUJUpuVqncTMqMBZUXhI=,tag:G+W6hHA+yftQ+4RJpXrxHg==,type:comment]
 switch:
 password:
ENC[AES256_GCM,data:qu0f9L7A0eFq/UCpaRs=,iv:W8LLOp3MSfd/+EfNEZNf91K8GgI5eUfVPoWTRES2C0Y=,tag:Q5FlAOfwqwJwPvd7k6i+0g==,type:str]
@@ -332,7 +280,7 @@ sops:
 UmliaFNxVTBqRkI1QWJpWGpTRWxETW8KEY/8AfU73UOzCGhny1cNnd5dCNv7bHXt
 k+uyWPPi+enFkVaceSwMFrA66uaWWrwAj11sXEB7yzvGFPrnAGezjQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2026-05-09T12:29:30Z"
- mac: ENC[AES256_GCM,data:ql3rWwdwJRn2nH0SLnjTaJK4NVemxG8T814VEDaHv38bc7A3aaMGuZ92mHY4z+5oNA+DpR/UjkGJ/NrckbURxY63BEcyVCsS4Rb95HTKjDOjf2g5rrohdgI3ZUE1jvlyf3tAh2ZYh1J8QddLKyLju/J43KcB+XRQKhJv4kubAQ0=,iv:4inRbBMuhB7Hzi8fGpqyC3juUqteZGLXX0GtnHusF7Y=,tag:ZxJ6iv8NxJr4rvCInml8dg==,type:str]
+ lastmodified: "2026-05-09T14:26:51Z"
+ mac: ENC[AES256_GCM,data:TYs08ZSS2kcO5lYuhQ/IySUSQ3DpL+ba3/uNLyszht4OttR110/W/WQLiRuu/Ql6FwtDtjq6I3iNpOhmCHSv1kMCam1l99GEIYCaPUIY+TY3Zw0j7518dFXe8p/DrKRwIVXfK5lIKLIEd+eizD50HzwXXJFmU+7YDkQ1Dx+55kw=,iv:arJKJ4wO4sdQlu3GZbtultsfM6s8vbhG93tnf2EjJDc=,tag:m95gUqvn4w85XI8qVvCZpQ==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.12.1
diff --git a/config/services/containers/auth/authelia/config/authelia.yaml.j2 b/config/services/containers/auth/authelia/config/authelia.yaml.j2
index 54d37e1..2e4078b 100644
--- a/config/services/containers/auth/authelia/config/authelia.yaml.j2
+++ b/config/services/containers/auth/authelia/config/authelia.yaml.j2
@@ -93,25 +93,6 @@ notifier:
 identity_providers:
 oidc:
 hmac_secret: '' # $AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE
- claims_policies:
- # trilium expects name/email value in id token, but authelia doesn't send it basically
- trilium:
- id_token:
- - email
- - email_verified
- - preferred_username
- - name
- # For the app which doesn't use secret.
- cors:
- endpoints:
- - 'authorization'
- - 'token'
- - 'revocation'
- - 'introspection'
- - 'userinfo'
- allowed_origins:
- - 'https://{{ services['opencloud']['domain']['public'] }}.{{ domain['public'] }}'
- allowed_origins_from_client_redirect_uris: true
 jwks:{% raw %}
 - algorithm: 'RS256'
 use: 'sig'
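Review bot: Dropping the vikunja, ezbookkeeping and wikijs postgresql passwords, the OIDC client hashes and the opencloud admin password from this sops file only stops Ansible from managing those credentials; nothing in the commit revokes them where they are actually used. The set_postgresql hunk only removes the three names from the database creation list, and the site.yaml hunks drop the `Set …` include_role tasks without any task that stops or disables the corresponding user units, so the roles, databases and listening services presumably stay in place on the hosts until someone cleans them up by hand. The removed ciphertext also stays in git history, encrypted to the age recipients, so rotating or dropping the credentials is the safer course rather than relying on their deletion from the working tree. A one-off decommission task per retired service using `ansible.builtin.systemd:` with `state: "stopped"` and `enabled: false` under `scope: "user"`, together with dropping the orphaned postgresql roles and databases, would close that gap.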
@@ -192,28 +173,6 @@ identity_providers: access_token_signed_response_alg: 'none' userinfo_signed_response_alg: 'none' token_endpoint_auth_method: 'client_secret_post' - # https://www.authelia.com/integration/openid-connect/clients/actual-budget/ - - client_id: 'actual-budget' - client_name: 'Actual Budget' - client_secret: '{{ hostvars['console']['actualbudget']['oidc']['hash'] }}' - public: false - authorization_policy: 'one_factor' - require_pkce: false - pkce_challenge_method: '' - redirect_uris: - - 'https://{{ services['actualbudget']['domain']['public'] }}.{{ domain['public'] }}/openid/callback' - scopes: - - 'openid' - - 'profile' - - 'groups' - - 'email' - response_types: - - 'code' - grant_types: - - 'authorization_code' - access_token_signed_response_alg: 'none' - userinfo_signed_response_alg: 'none' - token_endpoint_auth_method: 'client_secret_basic' # https://www.authelia.com/integration/openid-connect/clients/paperless/ - client_id: 'paperless' client_name: 'Paperless' 
@@ -236,122 +195,6 @@ identity_providers: access_token_signed_response_alg: 'none' userinfo_signed_response_alg: 'none' token_endpoint_auth_method: 'client_secret_post' - # https://www.authelia.com/integration/openid-connect/clients/vikunja/ - - client_id: 'vikunja' - client_name: 'Vikunja' - client_secret: '{{ hostvars['console']['vikunja']['oidc']['hash'] }}' - public: false - authorization_policy: 'one_factor' - require_pkce: false - pkce_challenge_method: '' - redirect_uris: - - 'https://{{ services['vikunja']['domain']['public'] }}.{{ domain['public'] }}/auth/openid/authelia' - scopes: - - 'openid' - - 'profile' - - 'email' - response_types: - - 'code' - grant_types: - - 'authorization_code' - access_token_signed_response_alg: 'none' - userinfo_signed_response_alg: 'none' - token_endpoint_auth_method: 'client_secret_basic' - # OpenCloud configuration - ## https://docs.opencloud.eu/docs/admin/configuration/authentication-and-user-management/external-idp/ - ## Web - - client_id: 'opencloud' - client_name: 'OpenCloud' - public: true - authorization_policy: 'one_factor' - require_pkce: true - pkce_challenge_method: 'S256' - redirect_uris: - - 'https://{{ services['opencloud']['domain']['public'] }}.{{ domain['public'] }}/' - - 'https://{{ services['opencloud']['domain']['public'] }}.{{ domain['public'] }}/oidc-callback.html' - - 'https://{{ services['opencloud']['domain']['public'] }}.{{ domain['public'] }}/oidc-silent-redirect.html' - scopes: - - 'openid' - - 'profile' - - 'email' - - 'groups' - response_types: - - 'code' - grant_types: - - 'authorization_code' - access_token_signed_response_alg: 'RS256' - userinfo_signed_response_alg: 'none' - token_endpoint_auth_method: 'none' - ## desktop - - client_id: 'OpenCloudDesktop' - client_name: 'OpenCloud' - public: true - authorization_policy: 'one_factor' - require_pkce: true - pkce_challenge_method: 'S256' - redirect_uris: - - 'http://localhost' - - 'http://127.0.0.1' - scopes: - - 'openid' - - 'profile' - - 
'email' - - 'groups' - - 'offline_access' - response_types: - - 'code' - grant_types: - - 'authorization_code' - - 'refresh_token' - access_token_signed_response_alg: 'RS256' - userinfo_signed_response_alg: 'none' - token_endpoint_auth_method: 'none' - ## Android - - client_id: 'OpenCloudAndroid' - client_name: 'OpenCloud' - public: true - authorization_policy: 'one_factor' - require_pkce: true - pkce_challenge_method: 'S256' - redirect_uris: - - 'oc://android.opencloud.eu' - scopes: - - 'openid' - - 'profile' - - 'email' - - 'groups' - - 'offline_access' - response_types: - - 'code' - grant_types: - - 'authorization_code' - - 'refresh_token' - access_token_signed_response_alg: 'RS256' - userinfo_signed_response_alg: 'none' - token_endpoint_auth_method: 'none' - ## IOS - - client_id: 'OpenCloudIOS' - client_name: 'OpenCloud' - public: true - authorization_policy: 'one_factor' - require_pkce: true - pkce_challenge_method: 'S256' - redirect_uris: - - 'oc://ios.opencloud.eu' - scopes: - - 'openid' - - 'profile' - - 'email' - - 'groups' - - 'offline_access' - response_types: - - 'code' - grant_types: - - 'authorization_code' - - 'refresh_token' - access_token_signed_response_alg: 'RS256' - userinfo_signed_response_alg: 'none' - token_endpoint_auth_method: 'none' # https://docs.affine.pro/self-host-affine/administer/oauth-2-0 - client_id: 'affine' client_name: 'Affine' 
@@ -395,27 +238,6 @@ identity_providers: access_token_signed_response_alg: 'none' userinfo_signed_response_alg: 'none' token_endpoint_auth_method: 'client_secret_post' - # https://www.authelia.com/integration/openid-connect/clients/ezbookkeeping/ - - client_id: 'ezbookkeeping' - client_name: 'ezBookkeeping' - client_secret: '{{ hostvars['console']['ezbookkeeping']['oidc']['hash'] }}' - public: false - authorization_policy: 'one_factor' - require_pkce: true - pkce_challenge_method: 'S256' - redirect_uris: - - 'https://{{ services['ezbookkeeping']['domain']['public'] }}.{{ domain['public'] }}/oauth2/callback' - scopes: - - 'openid' - - 'profile' - - 'email' - response_types: - - 'code' - grant_types: - - 'authorization_code' - access_token_signed_response_alg: 'none' - userinfo_signed_response_alg: 'none' - token_endpoint_auth_method: 'client_secret_basic' # https://www.authelia.com/integration/openid-connect/clients/sure/ - client_id: 'sure' client_name: 'Sure' 
@@ -438,49 +260,3 @@ identity_providers: access_token_signed_response_alg: 'none' userinfo_signed_response_alg: 'none' token_endpoint_auth_method: 'client_secret_basic' - # https://www.authelia.com/integration/openid-connect/clients/wikijs/ - - client_id: 'wikijs' - client_name: 'Wiki' - client_secret: '{{ hostvars['console']['wikijs']['oidc']['hash'] }}' - public: false - authorization_policy: 'one_factor' - require_pkce: false - pkce_challenge_method: '' - redirect_uris: - # add Callback URL / Redirect URI HERE - - 'https://{{ services['wikijs']['domain']['public'] }}.{{ domain['public'] }}/login/aa72242e-7058-4cfa-9504-19a4208062ea/callback' # Note this must be copied during step 7 of the Application configuration. - scopes: - - 'openid' - - 'profile' - - 'email' - response_types: - - 'code' - grant_types: - - 'authorization_code' - access_token_signed_response_alg: 'none' - userinfo_signed_response_alg: 'none' - token_endpoint_auth_method: 'client_secret_post' - # https://www.authelia.com/integration/openid-connect/clients/trillium/ - # The name is trilium, not trillium - - client_id: 'trilium' - client_name: 'Trilium Notes' - client_secret: '{{ hostvars['console']['trilium']['oidc']['hash'] }}' - public: false - authorization_policy: 'one_factor' - # claims policy above - claims_policy: 'trilium' - require_pkce: false - pkce_challenge_method: '' - redirect_uris: - - 'https://{{ services['trilium']['domain']['public'] }}.{{ domain['public'] }}/callback' - scopes: - - 'openid' - - 'profile' - - 'email' - response_types: - - 'code' - grant_types: - - 'authorization_code' - access_token_signed_response_alg: 'none' - userinfo_signed_response_alg: 'none' - token_endpoint_auth_method: 'client_secret_basic' diff --git a/config/services/containers/common/caddy/etc/app/Caddyfile.j2 b/config/services/containers/common/caddy/etc/app/Caddyfile.j2 index da44f5a..9e57c65 100644 --- a/config/services/containers/common/caddy/etc/app/Caddyfile.j2 
+++ b/config/services/containers/common/caddy/etc/app/Caddyfile.j2 @@ -47,30 +47,12 @@ header_up Host {http.request.header.X-Forwarded-Host} } } -{{ services['actualbudget']['domain']['internal'] }}.{{ domain['internal'] }} { - import private_tls - reverse_proxy host.containers.internal:{{ services['actualbudget']['ports']['http'] }} { - header_up Host {http.request.header.X-Forwarded-Host} - } -} {{ services['paperless']['domain']['internal'] }}.{{ domain['internal'] }} { import private_tls reverse_proxy host.containers.internal:{{ services['paperless']['ports']['http'] }} { header_up Host {http.request.header.X-Forwarded-Host} } } -{{ services['vikunja']['domain']['internal'] }}.{{ domain['internal'] }} { - import private_tls - reverse_proxy host.containers.internal:{{ services['vikunja']['ports']['http'] }} { - header_up Host {http.request.header.X-Forwarded-Host} - } -} -{{ services['opencloud']['domain']['internal'] }}.{{ domain['internal'] }} { - import private_tls - reverse_proxy host.containers.internal:{{ services['opencloud']['ports']['http'] }} { - header_up Host {http.request.header.X-Forwarded-Host} - } -} {{ services['affine']['domain']['internal'] }}.{{ domain['internal'] }} { import private_tls reverse_proxy host.containers.internal:{{ services['affine']['ports']['http'] }} { 
@@ -89,27 +71,9 @@ header_up Host {http.request.header.X-Forwarded-Host} } } -{{ services['ezbookkeeping']['domain']['internal'] }}.{{ domain['internal'] }} { - import private_tls - reverse_proxy host.containers.internal:{{ services['ezbookkeeping']['ports']['http'] }} { - header_up Host {http.request.header.X-Forwarded-Host} - } -} {{ services['sure']['domain']['internal'] }}.{{ domain['internal'] }} { import private_tls reverse_proxy host.containers.internal:{{ services['sure']['ports']['http'] }} { header_up Host {http.request.header.X-Forwarded-Host} } } -{{ services['wikijs']['domain']['internal'] }}.{{ domain['internal'] }} { - import private_tls - reverse_proxy host.containers.internal:{{ services['wikijs']['ports']['http'] }} { - header_up Host {http.request.header.X-Forwarded-Host} - } -} -{{ services['trilium']['domain']['internal'] }}.{{ domain['internal'] }} { - import private_tls - reverse_proxy host.containers.internal:{{ services['trilium']['ports']['http'] }} { - header_up Host {http.request.header.X-Forwarded-Host} - } -} diff --git a/config/services/containers/common/caddy/etc/auth/Caddyfile.j2 b/config/services/containers/common/caddy/etc/auth/Caddyfile.j2 index db77c63..666aa1b 100644 --- a/config/services/containers/common/caddy/etc/auth/Caddyfile.j2 +++ b/config/services/containers/common/caddy/etc/auth/Caddyfile.j2 @@ -91,15 +91,6 @@ } } } -{{ services['actualbudget']['domain']['public'] }}.{{ domain['public'] }} { - import crowdsec_log - route { - crowdsec - reverse_proxy https://{{ services['actualbudget']['domain']['internal'] }}.{{ domain['internal'] }} { - header_up Host {http.reverse_proxy.upstream.host} - } - } -} {{ services['paperless']['domain']['public'] }}.{{ domain['public'] }} { import crowdsec_log route { 
@@ -109,24 +100,6 @@ } } } -{{ services['vikunja']['domain']['public'] }}.{{ domain['public'] }} { - import crowdsec_log - route { - crowdsec - reverse_proxy https://{{ services['vikunja']['domain']['internal'] }}.{{ domain['internal'] }} { - header_up Host {http.reverse_proxy.upstream.host} - } - } -} -{{ services['opencloud']['domain']['public'] }}.{{ domain['public'] }} { - import crowdsec_log - route { - crowdsec - reverse_proxy https://{{ services['opencloud']['domain']['internal'] }}.{{ domain['internal'] }} { - header_up Host {http.reverse_proxy.upstream.host} - } - } -} {{ services['affine']['domain']['public'] }}.{{ domain['public'] }} { import crowdsec_log route { @@ -154,15 +127,6 @@ } } } -{{ services['ezbookkeeping']['domain']['public'] }}.{{ domain['public'] }} { - import crowdsec_log - route { - crowdsec - reverse_proxy https://{{services['ezbookkeeping']['domain']['internal'] }}.{{ domain['internal'] }} { - header_up Host {http.reverse_proxy.upstream.host} - } - } -} {{ services['sure']['domain']['public'] }}.{{ domain['public'] }} { import crowdsec_log route { @@ -172,24 +136,6 @@ } } } -{{ services['wikijs']['domain']['public'] }}.{{ domain['public'] }} { - import crowdsec_log - route { - crowdsec - reverse_proxy https://{{services['wikijs']['domain']['internal'] }}.{{ domain['internal'] }} { - header_up Host {http.reverse_proxy.upstream.host} - } - } -} -{{ services['trilium']['domain']['public'] }}.{{ domain['public'] }} { - import crowdsec_log - route { - crowdsec - reverse_proxy https://{{services['trilium']['domain']['internal'] }}.{{ domain['internal'] }} { - header_up Host {http.reverse_proxy.upstream.host} - } - } -} # Internal domain {{ node['name'] }}.{{ domain['internal'] }} { diff --git a/config/services/systemd/common/crowdsec/bouncers/whitelists.yaml.j2 b/config/services/systemd/common/crowdsec/bouncers/whitelists.yaml.j2 index 6c576f4..74f1135 100644 --- a/config/services/systemd/common/crowdsec/bouncers/whitelists.yaml.j2 
+++ b/config/services/systemd/common/crowdsec/bouncers/whitelists.yaml.j2
@@ -12,12 +12,8 @@ whitelist:
 - "{{ hostvars['fw']['network6']['console']['wg'] }}"
 {% if node['name'] == 'auth' %}
 expression:
- # budget local-first sql scrap rule
- - "evt.Meta.target_fqdn == '{{ services['actualbudget']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status in ['200', '304'] && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/data/migrations/'"
 # immich thumbnail request 404 error false positive
 - "evt.Meta.target_fqdn == '{{ services['immich']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/api/assets/' && evt.Meta.http_path contains '/thumbnail'"
- # opencloud chunk request false positive
- - "evt.Meta.target_fqdn == '{{ services['opencloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status in ['200', '304'] && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/js/chunks/'"
 # nextcloud thumbnail/preview request error false positive
 - "evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path startsWith '/index.php/core/preview?'"
 {% endif %}
diff --git a/config/services/containers/app/actual-budget/actual-budget.container.j2 b/docs/archives/services/app/actual-budget/actual-budget.container.j2
similarity index 100%
rename from config/services/containers/app/actual-budget/actual-budget.container.j2
rename to docs/archives/services/app/actual-budget/actual-budget.container.j2
diff --git a/docs/services/app/actual-budget.md b/docs/archives/services/app/actual-budget/actual-budget.md
similarity index 100%
rename from docs/services/app/actual-budget.md
rename to docs/archives/services/app/actual-budget/actual-budget.md
diff --git a/docs/archives/services/app/actual-budget/authelia.yaml b/docs/archives/services/app/actual-budget/authelia.yaml
new file mode 100644
index 0000000..e5ddb01
--- /dev/null
+++ b/docs/archives/services/app/actual-budget/authelia.yaml
@@ -0,0 +1,26 @@
+---
+identity_providers:
+ oidc:
+ clients:
+ # https://www.authelia.com/integration/openid-connect/clients/actual-budget/
+ - client_id: 'actual-budget'
+ client_name: 'Actual Budget'
+ client_secret: 'secret'
+ public: false
+ authorization_policy: 'one_factor'
+ require_pkce: false
+ pkce_challenge_method: ''
+ redirect_uris:
+ - 'https://actualbudget.example.com/openid/callback'
+ scopes:
+ - 'openid'
+ - 'profile'
+ - 'groups'
+ - 'email'
+ response_types:
+ - 'code'
+ grant_types:
+ - 'authorization_code'
+ access_token_signed_response_alg: 'none'
+ userinfo_signed_response_alg: 'none'
+ token_endpoint_auth_method: 'client_secret_basic'
diff --git a/docs/archives/services/app/actual-budget/crowdsec-whitelist.yaml b/docs/archives/services/app/actual-budget/crowdsec-whitelist.yaml
new file mode 100644
index 0000000..754eb7f
--- /dev/null
+++ b/docs/archives/services/app/actual-budget/crowdsec-whitelist.yaml
@@ -0,0 +1,6 @@
+name: crowdsecurity/whitelists
+description: "Local whitelist policy"
+whitelist:
+ expression:
+ # budget local-first sql scrap rule
+ - "evt.Meta.target_fqdn == '{{ services['actualbudget']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status in ['200', '304'] && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/data/migrations/'"
diff --git a/docs/archives/services/app/actual-budget/group_vars.yaml b/docs/archives/services/app/actual-budget/group_vars.yaml
new file mode 100644
index 0000000..c3efb5f
--- /dev/null
+++ b/docs/archives/services/app/actual-budget/group_vars.yaml
@@ -0,0 +1,13 @@
+---
+services:
+ actualbudget:
+ domain:
+ public: ""
+ internal: ""
+ ports:
+ http: ""
+ subuid: "101000"
+
+version:
+ containers:
+ actualbudget: "26.3.0"
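Review bot: The archived actual-budget client uses `client_secret: 'secret'` as its placeholder, while the live template this commit removes rendered that field from the `oidc.hash` value (`hostvars['console']['actualbudget']['oidc']['hash']`) and the ezbookkeeping archive in the same commit writes `client_secret: 'hash'`. In Authelia the `client_secret` of a confidential client is the hashed form, not the plaintext the application is given, so the placeholder misdocuments which of the two values from the archived `secret.example.yaml` belongs here. Changing it to `client_secret: 'hash'` keeps the archives consistent and avoids a future restore pasting the plaintext secret into the IdP config.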
diff --git a/docs/archives/services/app/actual-budget/secret.example.yaml b/docs/archives/services/app/actual-budget/secret.example.yaml
new file mode 100644
index 0000000..30825d8
--- /dev/null
+++ b/docs/archives/services/app/actual-budget/secret.example.yaml
@@ -0,0 +1,5 @@
+---
+actualbudget:
+ oidc:
+ secret: ""
+ hash: ""
diff --git a/ansible/roles/app/tasks/services/set_actual-budget.yaml b/docs/archives/services/app/actual-budget/set_actual-budget.yaml
similarity index 100%
rename from ansible/roles/app/tasks/services/set_actual-budget.yaml
rename to docs/archives/services/app/actual-budget/set_actual-budget.yaml
diff --git a/docs/archives/services/app/ezbookkeeping/authelia.yaml b/docs/archives/services/app/ezbookkeeping/authelia.yaml
new file mode 100644
index 0000000..82fd382
--- /dev/null
+++ b/docs/archives/services/app/ezbookkeeping/authelia.yaml
@@ -0,0 +1,25 @@
+---
+identity_providers:
+ oidc:
+ clients:
+ # https://www.authelia.com/integration/openid-connect/clients/ezbookkeeping/
+ - client_id: 'ezbookkeeping'
+ client_name: 'ezBookkeeping'
+ client_secret: 'hash'
+ public: false
+ authorization_policy: 'one_factor'
+ require_pkce: true
+ pkce_challenge_method: 'S256'
+ redirect_uris:
+ - 'https://ezbookkeeping.example.com/oauth2/callback'
+ scopes:
+ - 'openid'
+ - 'profile'
+ - 'email'
+ response_types:
+ - 'code'
+ grant_types:
+ - 'authorization_code'
+ access_token_signed_response_alg: 'none'
+ userinfo_signed_response_alg: 'none'
+ token_endpoint_auth_method: 'client_secret_basic'
diff --git a/config/services/containers/app/ezbookkeeping/ezbookkeeping.container.j2 b/docs/archives/services/app/ezbookkeeping/ezbookkeeping.container.j2
similarity index 98%
rename from config/services/containers/app/ezbookkeeping/ezbookkeeping.container.j2
rename to docs/archives/services/app/ezbookkeeping/ezbookkeeping.container.j2
index 9a319ee..a86d5c1 100644
--- a/config/services/containers/app/ezbookkeeping/ezbookkeeping.container.j2
+++ b/docs/archives/services/app/ezbookkeeping/ezbookkeeping.container.j2
@@ -58,4 +58,4 @@ RestartSec=10s
 TimeoutStopSec=120
 [Install]
-WantedBy=default.target
\ No newline at end of file
+WantedBy=default.target
diff --git a/docs/services/app/ezbookkeeping.md b/docs/archives/services/app/ezbookkeeping/ezbookkeeping.md
similarity index 100%
rename from docs/services/app/ezbookkeeping.md
rename to docs/archives/services/app/ezbookkeeping/ezbookkeeping.md
diff --git a/docs/archives/services/app/ezbookkeeping/group_vars.yaml b/docs/archives/services/app/ezbookkeeping/group_vars.yaml
new file mode 100644
index 0000000..dc97931
--- /dev/null
+++ b/docs/archives/services/app/ezbookkeeping/group_vars.yaml
@@ -0,0 +1,13 @@
+---
+services:
+ ezbookkeeping:
+ domain:
+ public: ""
+ internal: ""
+ ports:
+ http: ""
+ subuid: "100999"
+
+version:
+ containers:
+ ezbookkeeping: "1.4.0"
diff --git a/docs/archives/services/app/ezbookkeeping/secret.example.yaml b/docs/archives/services/app/ezbookkeeping/secret.example.yaml
new file mode 100644
index 0000000..05e8971
--- /dev/null
+++ b/docs/archives/services/app/ezbookkeeping/secret.example.yaml
@@ -0,0 +1,8 @@
+---
+postgresql:
+ password:
+ ezbookkeeping: ""
+ezbookkeeping:
+ oidc:
+ secret: ""
+ hash: ""
diff --git a/ansible/roles/app/tasks/services/set_ezbookkeeping.yaml b/docs/archives/services/app/ezbookkeeping/set_ezbookkeeping.yaml
similarity index 100%
rename from ansible/roles/app/tasks/services/set_ezbookkeeping.yaml
rename to docs/archives/services/app/ezbookkeeping/set_ezbookkeeping.yaml
diff --git a/docs/archives/services/app/opencloud/authelia.yaml b/docs/archives/services/app/opencloud/authelia.yaml
new file mode 100644
index 0000000..eace585
--- /dev/null
+++ b/docs/archives/services/app/opencloud/authelia.yaml
@@ -0,0 +1,110 @@
+---
+identity_providers:
+ oidc:
+ # For the app which doesn't use secret.
+ cors:
+ endpoints:
+ - 'authorization'
+ - 'token'
+ - 'revocation'
+ - 'introspection'
+ - 'userinfo'
+ allowed_origins:
+ - 'https://opencloud.example.com'
+ allowed_origins_from_client_redirect_uris: true
+ clients:
+# OpenCloud configuration
+ ## https://docs.opencloud.eu/docs/admin/configuration/authentication-and-user-management/external-idp/
+ ## Web
+ - client_id: 'opencloud'
+ client_name: 'OpenCloud'
+ public: true
+ authorization_policy: 'one_factor'
+ require_pkce: true
+ pkce_challenge_method: 'S256'
+ redirect_uris:
+ - 'https://opencloud.example.com/'
+ - 'https://opencloud.example.com/oidc-callback.html'
+ - 'https://opencloud.example.com/oidc-silent-redirect.html'
+ scopes:
+ - 'openid'
+ - 'profile'
+ - 'email'
+ - 'groups'
+ response_types:
+ - 'code'
+ grant_types:
+ - 'authorization_code'
+ access_token_signed_response_alg: 'RS256'
+ userinfo_signed_response_alg: 'none'
+ token_endpoint_auth_method: 'none'
+ ## desktop
+ - client_id: 'OpenCloudDesktop'
+ client_name: 'OpenCloud'
+ public: true
+ authorization_policy: 'one_factor'
+ require_pkce: true
+ pkce_challenge_method: 'S256'
+ redirect_uris:
+ - 'http://localhost'
+ - 'http://127.0.0.1'
+ scopes:
+ - 'openid'
+ - 'profile'
+ - 'email'
+ - 'groups'
+ - 'offline_access'
+ response_types:
+ - 'code'
+ grant_types:
+ - 'authorization_code'
+ - 'refresh_token'
+ access_token_signed_response_alg: 'RS256'
+ userinfo_signed_response_alg: 'none'
+ token_endpoint_auth_method: 'none'
+ ## Android
+ - client_id: 'OpenCloudAndroid'
+ client_name: 'OpenCloud'
+ public: true
+ authorization_policy: 'one_factor'
+ require_pkce: true
+ pkce_challenge_method: 'S256'
+ redirect_uris:
+ - 'oc://android.opencloud.eu'
+ scopes:
+ - 'openid'
+ - 'profile'
+ - 'email'
+ - 'groups'
+ - 'offline_access'
+ response_types:
+ - 'code'
+ grant_types:
+ - 'authorization_code'
+ - 'refresh_token'
+ access_token_signed_response_alg: 'RS256'
+ userinfo_signed_response_alg: 'none'
+ token_endpoint_auth_method: 'none'
+ ## IOS
+ - client_id: 'OpenCloudIOS'
+ client_name: 'OpenCloud'
+ public: true
+ authorization_policy: 'one_factor'
+ require_pkce: true
+ pkce_challenge_method: 'S256'
+ redirect_uris:
+ - 'oc://ios.opencloud.eu'
+ scopes:
+ - 'openid'
+ - 'profile'
+ - 'email'
+ - 'groups'
+ - 'offline_access'
+ response_types:
+ - 'code'
+ grant_types:
+ - 'authorization_code'
+ - 'refresh_token'
+ access_token_signed_response_alg: 'RS256'
+ userinfo_signed_response_alg: 'none'
+ token_endpoint_auth_method: 'none'
diff --git a/docs/archives/services/app/opencloud/crowdsec-whitelist.yaml b/docs/archives/services/app/opencloud/crowdsec-whitelist.yaml
new file mode 100644
index 0000000..a7ddc0b
--- /dev/null
+++ b/docs/archives/services/app/opencloud/crowdsec-whitelist.yaml
@@ -0,0 +1,6 @@
+name: crowdsecurity/whitelists
+description: "Local whitelist policy"
+whitelist:
+ expression:
+ # opencloud chunk request false positive
+ - "evt.Meta.target_fqdn == '{{ services['opencloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status in ['200', '304'] && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/js/chunks/'"
diff --git a/config/services/containers/app/opencloud/etc/csp.yaml.j2 b/docs/archives/services/app/opencloud/etc/csp.yaml.j2
similarity index 98%
rename from config/services/containers/app/opencloud/etc/csp.yaml.j2
rename to docs/archives/services/app/opencloud/etc/csp.yaml.j2
index 81c484d..9ebc5eb 100644
--- a/config/services/containers/app/opencloud/etc/csp.yaml.j2
+++ b/docs/archives/services/app/opencloud/etc/csp.yaml.j2
@@ -35,4 +35,4 @@ directives:
 - '''unsafe-inline'''
 worker-src:
 - '''self'''
- - 'blob:'
\ No newline at end of file
+ - 'blob:'
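Review bot: The comment `# For the app which doesn't use secret.` above `cors:` does not describe the block it annotates: the CORS settings decide which browser origins may call the listed OIDC endpoints, whereas the no-secret property is already stated on each client by `public: true` and `token_endpoint_auth_method: 'none'`. Suggest `# The browser-based Web client calls these OIDC endpoints cross-origin, so its origin must be allowed.` It is also worth confirming what `allowed_origins_from_client_redirect_uris: true` adds here, since `allowed_origins` already lists the only https origin used by the four clients, and the desktop client's `http://localhost` / `http://127.0.0.1` redirect URIs are not origins one would want added automatically.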
diff --git a/config/services/containers/app/opencloud/etc/proxy.yaml.j2 b/docs/archives/services/app/opencloud/etc/proxy.yaml.j2
similarity index 100%
rename from config/services/containers/app/opencloud/etc/proxy.yaml.j2
rename to docs/archives/services/app/opencloud/etc/proxy.yaml.j2
diff --git a/docs/archives/services/app/opencloud/group_vars.yaml b/docs/archives/services/app/opencloud/group_vars.yaml
new file mode 100644
index 0000000..5f762ef
--- /dev/null
+++ b/docs/archives/services/app/opencloud/group_vars.yaml
@@ -0,0 +1,13 @@
+---
+services:
+ opencloud:
+ domain:
+ public: ""
+ internal: ""
+ ports:
+ http: ""
+ subuid: "100999"
+
+version:
+ containers:
+ opencloud: "4.0.6"
diff --git a/config/services/containers/app/opencloud/opencloud.container.j2 b/docs/archives/services/app/opencloud/opencloud.container.j2
similarity index 100%
rename from config/services/containers/app/opencloud/opencloud.container.j2
rename to docs/archives/services/app/opencloud/opencloud.container.j2
diff --git a/docs/services/app/opencloud.md b/docs/archives/services/app/opencloud/opencloud.md
similarity index 100%
rename from docs/services/app/opencloud.md
rename to docs/archives/services/app/opencloud/opencloud.md
diff --git a/docs/archives/services/app/opencloud/secret.example.yaml b/docs/archives/services/app/opencloud/secret.example.yaml
new file mode 100644
index 0000000..9fec507
--- /dev/null
+++ b/docs/archives/services/app/opencloud/secret.example.yaml
@@ -0,0 +1,3 @@
+---
+opencloud:
+ admin: ""
diff --git a/ansible/roles/app/tasks/services/set_opencloud.yaml b/docs/archives/services/app/opencloud/set_opencloud.yaml
similarity index 100%
rename from ansible/roles/app/tasks/services/set_opencloud.yaml
rename to docs/archives/services/app/opencloud/set_opencloud.yaml
diff --git a/docs/archives/services/app/trilium/authelia.yaml b/docs/archives/services/app/trilium/authelia.yaml
new file mode 100644
index 0000000..0cd7db1
--- /dev/null
+++ b/docs/archives/services/app/trilium/authelia.yaml
@@ -0,0 +1,36 @@
+---
+identity_providers:
+ oidc:
+ claims_policies:
+ # trilium expects name/email value in id token, but authelia doesn't send it basically
+ trilium:
+ id_token:
+ - email
+ - email_verified
+ - preferred_username
+ - name
+ clients:
+ # https://www.authelia.com/integration/openid-connect/clients/trillium/
+ # The name is trilium, not trillium
+ - client_id: 'trilium'
+ client_name: 'Trilium Notes'
+ client_secret: 'hash'
+ public: false
+ authorization_policy: 'one_factor'
+ # claims policy above
+ claims_policy: 'trilium'
+ require_pkce: false
+ pkce_challenge_method: ''
+ redirect_uris:
+ - 'https://trilium.example.com/callback'
+ scopes:
+ - 'openid'
+ - 'profile'
+ - 'email'
+ response_types:
+ - 'code'
+ grant_types:
+ - 'authorization_code'
+ access_token_signed_response_alg: 'none'
+ userinfo_signed_response_alg: 'none'
+ token_endpoint_auth_method: 'client_secret_basic'
diff --git a/docs/archives/services/app/trilium/group_vars.yaml b/docs/archives/services/app/trilium/group_vars.yaml
new file mode 100644
index 0000000..c3269a0
--- /dev/null
+++ b/docs/archives/services/app/trilium/group_vars.yaml
@@ -0,0 +1,13 @@
+---
+services:
+ trilium:
+ domain:
+ public: ""
+ internal: ""
+ ports:
+ http: ""
+ subuid: "100999"
+
+version:
+ containers:
+ trilium: "v0.102.2"
diff --git a/docs/archives/services/app/trilium/secret.example.yaml b/docs/archives/services/app/trilium/secret.example.yaml
new file mode 100644
index 0000000..76a50b5
--- /dev/null
+++ b/docs/archives/services/app/trilium/secret.example.yaml
@@ -0,0 +1,6 @@
+---
+trilium:
+ admin: ""
+ oidc:
+ secret: ""
+ hash: ""
diff --git a/ansible/roles/app/tasks/services/set_trilium.yaml b/docs/archives/services/app/trilium/set_trilium.yaml
similarity index 100%
rename from ansible/roles/app/tasks/services/set_trilium.yaml
rename to docs/archives/services/app/trilium/set_trilium.yaml
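Review bot: The claims-policy comment `# trilium expects name/email value in id token, but authelia doesn't send it basically` leaves the reader to guess what the policy does, when the `id_token` list directly below is the actual mechanism. Suggest `# Trilium reads name/email from the ID token; Authelia omits these claims from it unless a claims policy lists them, so add them explicitly.` The `# The name is trilium, not trillium` remark would also be clearer as `# Authelia's docs URL spells it 'trillium'; the application and client_id are 'trilium'.`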
diff --git a/config/services/containers/app/trilium/trilium.container.j2 b/docs/archives/services/app/trilium/trilium.container.j2
similarity index 100%
rename from config/services/containers/app/trilium/trilium.container.j2
rename to docs/archives/services/app/trilium/trilium.container.j2
diff --git a/docs/services/app/trilium.md b/docs/archives/services/app/trilium/trilium.md
similarity index 100%
rename from docs/services/app/trilium.md
rename to docs/archives/services/app/trilium/trilium.md
diff --git a/docs/archives/services/app/vikunja/authelia.yaml b/docs/archives/services/app/vikunja/authelia.yaml
new file mode 100644
index 0000000..bfeb5bf
--- /dev/null
+++ b/docs/archives/services/app/vikunja/authelia.yaml
@@ -0,0 +1,25 @@
+---
+identity_providers:
+ oidc:
+ clients:
+ # https://www.authelia.com/integration/openid-connect/clients/vikunja/
+ - client_id: 'vikunja'
+ client_name: 'Vikunja'
+ client_secret: 'hash'
+ public: false
+ authorization_policy: 'one_factor'
+ require_pkce: false
+ pkce_challenge_method: ''
+ redirect_uris:
+ - 'https://vikunja.example.com/auth/openid/authelia'
+ scopes:
+ - 'openid'
+ - 'profile'
+ - 'email'
+ response_types:
+ - 'code'
+ grant_types:
+ - 'authorization_code'
+ access_token_signed_response_alg: 'none'
+ userinfo_signed_response_alg: 'none'
+ token_endpoint_auth_method: 'client_secret_basic'
diff --git a/docs/archives/services/app/vikunja/group_vars.yaml b/docs/archives/services/app/vikunja/group_vars.yaml
new file mode 100644
index 0000000..d842f94
--- /dev/null
+++ b/docs/archives/services/app/vikunja/group_vars.yaml
@@ -0,0 +1,13 @@
+---
+services:
+ vikunja:
+ domain:
+ public: ""
+ internal: ""
+ ports:
+ http: ""
+ subuid: "100999"
+
+version:
+ containers:
+ vikunja: "2.2.2"
diff --git a/docs/archives/services/app/vikunja/secret.example.yaml b/docs/archives/services/app/vikunja/secret.example.yaml
new file mode 100644
index 0000000..7f1b293
--- /dev/null
+++ b/docs/archives/services/app/vikunja/secret.example.yaml
@@ -0,0 +1,9 @@
+---
+postgresql:
+ password:
+ vikunja: ""
+vikunja:
+ session_secret: ""
+ oidc:
+ secret: ""
+ hash: ""
diff --git a/ansible/roles/app/tasks/services/set_vikunja.yaml b/docs/archives/services/app/vikunja/set_vikunja.yaml
similarity index 100%
rename from ansible/roles/app/tasks/services/set_vikunja.yaml
rename to docs/archives/services/app/vikunja/set_vikunja.yaml
diff --git a/config/services/containers/app/vikunja/vikunja.container.j2 b/docs/archives/services/app/vikunja/vikunja.container.j2
similarity index 100%
rename from config/services/containers/app/vikunja/vikunja.container.j2
rename to docs/archives/services/app/vikunja/vikunja.container.j2
diff --git a/docs/services/app/vikunja.md b/docs/archives/services/app/vikunja/vikunja.md
similarity index 100%
rename from docs/services/app/vikunja.md
rename to docs/archives/services/app/vikunja/vikunja.md
diff --git a/docs/archives/services/app/wikijs/authelia.yaml b/docs/archives/services/app/wikijs/authelia.yaml
new file mode 100644
index 0000000..6df6fa6
--- /dev/null
+++ b/docs/archives/services/app/wikijs/authelia.yaml
@@ -0,0 +1,26 @@
+---
+identity_providers:
+ oidc:
+ clients:
+ # https://www.authelia.com/integration/openid-connect/clients/wikijs/
+ - client_id: 'wikijs'
+ client_name: 'Wiki'
+ client_secret: 'hash'
+ public: false
+ authorization_policy: 'one_factor'
+ require_pkce: false
+ pkce_challenge_method: ''
+ redirect_uris:
+ # add Callback URL / Redirect URI HERE
+ - 'https://wikijs.example.com/login/$UUID/callback' # Note this must be copied during step 7 of the Application configuration.
+ scopes:
+ - 'openid'
+ - 'profile'
+ - 'email'
+ response_types:
+ - 'code'
+ grant_types:
+ - 'authorization_code'
+ access_token_signed_response_alg: 'none'
+ userinfo_signed_response_alg: 'none'
+ token_endpoint_auth_method: 'client_secret_post'
diff --git a/docs/archives/services/app/wikijs/group_vars.yaml b/docs/archives/services/app/wikijs/group_vars.yaml
new file mode 100644
index 0000000..d27ee1c
--- /dev/null
+++ b/docs/archives/services/app/wikijs/group_vars.yaml
@@ -0,0 +1,13 @@
+---
+services:
+ wikijs:
+ domain:
+ public: ""
+ internal: ""
+ ports:
+ http: ""
+ subuid: "100999"
+
+version:
+ containers:
+ wikijs: "2.5.314"
diff --git a/docs/archives/services/app/wikijs/secret.example.yaml b/docs/archives/services/app/wikijs/secret.example.yaml
new file mode 100644
index 0000000..5792dd8
--- /dev/null
+++ b/docs/archives/services/app/wikijs/secret.example.yaml
@@ -0,0 +1,9 @@
+---
+postgresql:
+ password:
+ wikijs: ""
+wikijs:
+ admin: ""
+ oidc:
+ secret: ""
+ hash: ""
diff --git a/ansible/roles/app/tasks/services/set_wikijs.yaml b/docs/archives/services/app/wikijs/set_wikijs.yaml
similarity index 100%
rename from ansible/roles/app/tasks/services/set_wikijs.yaml
rename to docs/archives/services/app/wikijs/set_wikijs.yaml
diff --git a/config/services/containers/app/wikijs/wikijs.container.j2 b/docs/archives/services/app/wikijs/wikijs.container.j2
similarity index 100%
rename from config/services/containers/app/wikijs/wikijs.container.j2
rename to docs/archives/services/app/wikijs/wikijs.container.j2
diff --git a/docs/services/app/wikijs.md b/docs/archives/services/app/wikijs/wikijs.md
similarity index 100%
rename from docs/services/app/wikijs.md
rename to docs/archives/services/app/wikijs/wikijs.md
diff --git a/docs/specifications/environments.md b/docs/specifications/environments.md
index 607d58c..0757640 100644
--- a/docs/specifications/environments.md
+++ b/docs/specifications/environments.md
@@ -117,24 +117,15 @@
 - [x] Vaultwarden
 - [x] Gitea
 - [x] Immich
- - [x] Actual budget
 - [x] Paperless-ngx
- - [x] vikunja (Comparing to Nextcloud deck)
- - [x] OpenCloud (Comparing to Nextcloud)
- - [x] affine (Notion substitution)
- - [x] Nextcloud (Use nextcloud as CalDAV and CardDav, kanban and todo)
- - [x] Collabora office (Link to Nextcloud, it works well)
- - [x] ezBookkeeping
- - use budget.ilnmors.com for ezBookkeeping, actual budget domain is changed as actualbudget.ilnmors.com
+ - [x] affine
+ - integrated document management via markdown, whiteboard, canvas
+ - [x] Nextcloud
+ - Use Nextcloud as CalDAV and CardDav, kanban and todo
+ - [x] Collabora office
+ - Link to Nextcloud
 - [x] sure
- - comparing sure, ezBookkeeping, and actualbudget
- - ezbookkeeping has no function to share the account and budget to the other users.
- - actual budget's YNAB way is hard to adjust
- - sure is heavy, but it is not YNAB and it allows to share account the other users
- - [x] wiki.js
- - check wiki.js to use as base wiki of documents.
- - [x] TriliumNext
- - UNSTABLE, it is impossible to use.
+ - budget and finance
 - [ ] memos
 - WriteFreely or directus + frontend(Astro)
 - MediaCMS or PeerTube
@@ -146,11 +137,19 @@
 - Ralph
 - Conduit
 - SnappyMail
-
+ - archived services:
+ - [x] Actual budget
+ - YNAB way is hard to adjust
+ - [x] OpenCloud
+ - Nextcloud is more stable
+ - [x] vikunja
+ - integrated experience from Nextcloud is better
+ - [x] ezBookkeeping
+ - No sharing budget function
+ - [x] wiki.js
+ - Too complex, too heavy
+ - [x] TriliumNext
+ - OIDC errors, and trilium itself is unstable
 ## External Backup server