chore(app): archive removed stacks from app

archived stacks: - actual-budget - ezbookkeeping - opencloud - trilium - vikunja - wikijs
2026-05-09 23:55:40 +09:00
parent 02fa912cb1
commit 4527e39d0f
50 changed files with 402 additions and 561 deletions
@@ -0,0 +1,29 @@
+[Quadlet]
+DefaultDependencies=false
+
+[Unit]
+Description=Actual Budget
+
+[Container]
+Image=ghcr.io/actualbudget/actual-server:{{ version['containers']['actualbudget'] }}
+ContainerName=actual-budget
+HostName=actual-budget
+
+PublishPort={{ services['actualbudget']['ports']['http'] }}:5006
+
+Volume=%h/data/containers/actual-budget:/data:rw
+
+Environment="TZ=Asia/Seoul"
+Environment="ACTUAL_OPENID_DISCOVERY_URL=https://{{ services['authelia']['domain'] }}.{{ domain['public'] }}/.well-known/openid-configuration"
+Environment="ACTUAL_OPENID_CLIENT_ID=actual-budget"
+Environment="ACTUAL_OPENID_SERVER_HOSTNAME=https://{{ services['actualbudget']['domain']['public'] }}.{{ domain['public'] }}"
+Environment="ACTUAL_OPENID_AUTH_METHOD=oauth2"
+Secret=ACTUAL_OPENID_CLIENT_SECRET,type=env
+
+[Service]
+Restart=always
+RestartSec=10s
+TimeoutStopSec=120
+
+[Install]
+WantedBy=default.target
@@ -0,0 +1,26 @@
+---
+identity_providers:
+  oidc:
+    clients:
+      # https://www.authelia.com/integration/openid-connect/clients/actual-budget/
+      - client_id: 'actual-budget'
+        client_name: 'Actual Budget'
+        client_secret: 'secret'
+        public: false
+        authorization_policy: 'one_factor'
+        require_pkce: false
+        pkce_challenge_method: ''
+        redirect_uris:
+          - 'https://actualbudget.example.com/openid/callback'
+        scopes:
+          - 'openid'
+          - 'profile'
+          - 'groups'
+          - 'email'
+        response_types:
+          - 'code'
+        grant_types:
+          - 'authorization_code'
+        access_token_signed_response_alg: 'none'
+        userinfo_signed_response_alg: 'none'
+        token_endpoint_auth_method: 'client_secret_basic'
@@ -0,0 +1,6 @@
+name: crowdsecurity/whitelists
+description: "Local whitelist policy"
+whitelist:
+    expression:
+        # budget local-first sql scrap rule
+        - "evt.Meta.target_fqdn == '{{ services['actualbudget']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status in ['200', '304'] && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/data/migrations/'"
@@ -0,0 +1,13 @@
+---
+services:
+    actualbudget:
+      domain:
+        public: ""
+        internal: ""
+      ports:
+        http: ""
+      subuid: "101000"
+
+version:
+  containers:
+    actualbudget: "26.3.0"
@@ -0,0 +1,5 @@
+---
+actualbudget:
+  oidc:
+    secret: ""
+    hash: ""
@@ -0,0 +1,35 @@
+---
+- name: Create actual budget directory
+  ansible.builtin.file:
+    path: "{{ node['home_path'] }}/data/containers/actual-budget"
+    state: "directory"
+    owner: "{{ services['actualbudget']['subuid'] }}"
+    group: "svadmins"
+    mode: "0770"
+  become: true
+
+- name: Register secret value to podman secret
+  containers.podman.podman_secret:
+    name: "ACTUAL_OPENID_CLIENT_SECRET"
+    data: "{{ hostvars['console']['actualbudget']['oidc']['secret'] }}"
+    state: "present"
+    force: true
+  notify: "notification_restart_actual-budget"
+  no_log: true
+
+- name: Deploy container file
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/actual-budget/actual-budget.container.j2"
+    dest: "{{ node['home_path'] }}/.config/containers/systemd/actual-budget.container"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0644"
+  notify: "notification_restart_actual-budget"
+
+- name: Enable actual-budget.service
+  ansible.builtin.systemd:
+    name: "actual-budget.service"
+    state: "started"
+    enabled: true
+    daemon_reload: true
+    scope: "user"
@@ -0,0 +1,25 @@
+---
+identity_providers:
+  oidc:
+    clients:
+      # https://www.authelia.com/integration/openid-connect/clients/ezbookkeeping/
+      - client_id: 'ezbookkeeping'
+        client_name: 'ezBookkeeping'
+        client_secret: 'hash'
+        public: false
+        authorization_policy: 'one_factor'
+        require_pkce: true
+        pkce_challenge_method: 'S256'
+        redirect_uris:
+          - 'https://ezbookkeeping.example.com/oauth2/callback'
+        scopes:
+          - 'openid'
+          - 'profile'
+          - 'email'
+        response_types:
+          - 'code'
+        grant_types:
+          - 'authorization_code'
+        access_token_signed_response_alg: 'none'
+        userinfo_signed_response_alg: 'none'
+        token_endpoint_auth_method: 'client_secret_basic'
@@ -0,0 +1,61 @@
+[Quadlet]
+DefaultDependencies=false
+
+[Unit]
+Description=ezBookkeeping
+
+After=network-online.target
+Wants=network-online.target
+
+[Container]
+Image=docker.io/mayswind/ezbookkeeping:{{ version['containers']['ezbookkeeping'] }}
+ContainerName=ezbookkeeping
+HostName=ezbookkeeping
+
+PublishPort={{ services['ezbookkeeping']['ports']['http'] }}:8080/tcp
+
+Volume=%h/data/containers/ezbookkeeping/data:/data:rw
+Volume=%h/containers/ezbookkeeping/ssl:/etc/ssl/ezbookkeeping:ro
+
+# General
+Environment="TZ=Asia/Seoul"
+Environment="EBK_SERVER_DOMAIN={{ services['ezbookkeeping']['domain']['public'] }}.{{ domain['public'] }}"
+Environment="EBK_SERVER_ROOT_URL=https://{{ services['ezbookkeeping']['domain']['public'] }}.{{ domain['public'] }}/"
+Environment="EBK_LOG_MODE=console"
+
+# Database
+Environment="EBK_DATABASE_TYPE=postgres"
+Environment="EBK_DATABASE_HOST={{ services['postgresql']['domain'] }}.{{ domain['internal'] }}:{{ services['postgresql']['ports']['tcp'] }}"
+Environment="EBK_DATABASE_NAME=ezbookkeeping_db"
+Environment="EBK_DATABASE_USER=ezbookkeeping"
+Secret=EBK_DATABASE_PASSWD,type=env
+Environment="EBK_DATABASE_SSL_MODE=verify-full"
+Environment="PGSSLROOTCERT=/etc/ssl/ezbookkeeping/{{ root_cert_filename }}"
+
+# OIDC
+Environment="EBK_AUTH_ENABLE_OAUTH2_AUTH=true"
+Environment="EBK_AUTH_OAUTH2_PROVIDER=oidc"
+Environment="EBK_AUTH_OAUTH2_CLIENT_ID=ezbookkeeping"
+Secret=EBK_AUTH_OAUTH2_CLIENT_SECRET,type=env
+Environment="EBK_AUTH_OAUTH2_USE_PKCE=true"
+Environment="EBK_AUTH_OIDC_PROVIDER_BASE_URL=https://{{ services['authelia']['domain'] }}.{{ domain['public'] }}"
+Environment="EBK_AUTH_ENABLE_OIDC_DISPLAY_NAME=true"
+Environment="EBK_AUTH_OIDC_CUSTOM_DISPLAY_NAME=Authelia"
+
+# Registration / auth policy
+Environment="EBK_AUTH_ENABLE_INTERNAL_AUTH=false"
+Environment="EBK_USER_ENABLE_REGISTER=true"
+Environment="EBK_AUTH_OAUTH2_AUTO_REGISTER=true"
+
+# AI / MCP disabled by default
+Environment="EBK_MCP_ENABLE_MCP=false"
+Environment="EBK_LLM_TRANSACTION_FROM_AI_IMAGE_RECOGNITION=false"
+
+[Service]
+ExecStartPre=/usr/bin/nc -zv {{ services['postgresql']['domain'] }}.{{ domain['internal'] }} {{ services['postgresql']['ports']['tcp'] }}
+Restart=always
+RestartSec=10s
+TimeoutStopSec=120
+
+[Install]
+WantedBy=default.target
@@ -0,0 +1,13 @@
+---
+services:
+  ezbookkeeping:
+    domain:
+      public: ""
+      internal: ""
+    ports:
+      http: ""
+    subuid: "100999"
+
+version:
+  containers:
+    ezbookkeeping: "1.4.0"
@@ -0,0 +1,8 @@
+---
+postgresql:
+  password:
+    ezbookkeeping: ""
+ezbookkeeping:
+  oidc:
+    secret: ""
+    hash: ""
@@ -0,0 +1,58 @@
+---
+- name: Create ezbookkeeping directory
+  ansible.builtin.file:
+    path: "{{ node['home_path'] }}/{{ item }}"
+    state: "directory"
+    owner: "{{ services['ezbookkeeping']['subuid'] }}"
+    group: "svadmins"
+    mode: "0770"
+  loop:
+    - "data/containers/ezbookkeeping"
+    - "data/containers/ezbookkeeping/data"
+    - "containers/ezbookkeeping"
+    - "containers/ezbookkeeping/ssl"
+  become: true
+
+
+- name: Deploy root certificate
+  ansible.builtin.copy:
+    content: |
+      {{ hostvars['console']['ca']['root']['crt'] }}
+    dest: "{{ node['home_path'] }}/containers/ezbookkeeping/ssl/{{ root_cert_filename }}"
+    owner: "{{ services['ezbookkeeping']['subuid'] }}"
+    group: "svadmins"
+    mode: "0440"
+  become: true
+  notify: "notification_restart_ezbookkeeping"
+  no_log: true
+
+- name: Register secret value to podman secret
+  containers.podman.podman_secret:
+    name: "{{ item.name }}"
+    data: "{{ item.value }}"
+    state: "present"
+    force: true
+  loop:
+    - name: "EBK_AUTH_OAUTH2_CLIENT_SECRET"
+      value: "{{ hostvars['console']['ezbookkeeping']['oidc']['secret'] }}"
+    - name: "EBK_DATABASE_PASSWD"
+      value: "{{ hostvars['console']['postgresql']['password']['ezbookkeeping'] }}"
+  notify: "notification_restart_ezbookkeeping"
+  no_log: true
+
+- name: Deploy ezbookkeeping.container file
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/ezbookkeeping/ezbookkeeping.container.j2"
+    dest: "{{ node['home_path'] }}/.config/containers/systemd/ezbookkeeping.container"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0644"
+  notify: "notification_restart_ezbookkeeping"
+
+- name: Enable ezbookkeeping.service
+  ansible.builtin.systemd:
+    name: "ezbookkeeping.service"
+    state: "started"
+    enabled: true
+    daemon_reload: true
+    scope: "user"
@@ -0,0 +1,110 @@
+---
+identity_providers:
+  oidc:
+    # For the app which doesn't use secret.
+    cors:
+      endpoints:
+        - 'authorization'
+        - 'token'
+        - 'revocation'
+        - 'introspection'
+        - 'userinfo'
+      allowed_origins:
+        - 'https://opencloud.example.com'
+      allowed_origins_from_client_redirect_uris: true
+    clients:
+# OpenCloud configuration
+      ## https://docs.opencloud.eu/docs/admin/configuration/authentication-and-user-management/external-idp/
+      ## Web
+      - client_id: 'opencloud'
+        client_name: 'OpenCloud'
+        public: true
+        authorization_policy: 'one_factor'
+        require_pkce: true
+        pkce_challenge_method: 'S256'
+        redirect_uris:
+          - 'https://opencloud.example.com/'
+          - 'https://opencloud.example.com/oidc-callback.html'
+          - 'https://opencloud.example.com/oidc-silent-redirect.html'
+        scopes:
+          - 'openid'
+          - 'profile'
+          - 'email'
+          - 'groups'
+        response_types:
+          - 'code'
+        grant_types:
+          - 'authorization_code'
+        access_token_signed_response_alg: 'RS256'
+        userinfo_signed_response_alg: 'none'
+        token_endpoint_auth_method: 'none'
+      ## desktop
+      - client_id: 'OpenCloudDesktop'
+        client_name: 'OpenCloud'
+        public: true
+        authorization_policy: 'one_factor'
+        require_pkce: true
+        pkce_challenge_method: 'S256'
+        redirect_uris:
+          - 'http://localhost'
+          - 'http://127.0.0.1'
+        scopes:
+          - 'openid'
+          - 'profile'
+          - 'email'
+          - 'groups'
+          - 'offline_access'
+        response_types:
+          - 'code'
+        grant_types:
+          - 'authorization_code'
+          - 'refresh_token'
+        access_token_signed_response_alg: 'RS256'
+        userinfo_signed_response_alg: 'none'
+        token_endpoint_auth_method: 'none'   
+      ## Android
+      - client_id: 'OpenCloudAndroid'
+        client_name: 'OpenCloud'
+        public: true
+        authorization_policy: 'one_factor'
+        require_pkce: true
+        pkce_challenge_method: 'S256'
+        redirect_uris:
+          - 'oc://android.opencloud.eu'
+        scopes:
+          - 'openid'
+          - 'profile'
+          - 'email'
+          - 'groups'
+          - 'offline_access'
+        response_types:
+          - 'code'
+        grant_types:
+          - 'authorization_code'
+          - 'refresh_token'
+        access_token_signed_response_alg: 'RS256'
+        userinfo_signed_response_alg: 'none'
+        token_endpoint_auth_method: 'none'
+      ## IOS
+      - client_id: 'OpenCloudIOS'
+        client_name: 'OpenCloud'
+        public: true
+        authorization_policy: 'one_factor'
+        require_pkce: true
+        pkce_challenge_method: 'S256'
+        redirect_uris:
+          - 'oc://ios.opencloud.eu'
+        scopes:
+          - 'openid'
+          - 'profile'
+          - 'email'
+          - 'groups'
+          - 'offline_access'
+        response_types:
+          - 'code'
+        grant_types:
+          - 'authorization_code'
+          - 'refresh_token'
+        access_token_signed_response_alg: 'RS256'
+        userinfo_signed_response_alg: 'none'
+        token_endpoint_auth_method: 'none'
@@ -0,0 +1,6 @@
+name: crowdsecurity/whitelists
+description: "Local whitelist policy"
+whitelist:
+    expression:
+        # opencloud chunk request false positive
+        - "evt.Meta.target_fqdn == '{{ services['opencloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status in ['200', '304'] && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/js/chunks/'"
@@ -0,0 +1,38 @@
+directives:
+  child-src:
+    - '''self'''
+  connect-src:
+    - '''self'''
+    - 'blob:'
+    - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps'
+    - 'https://update.opencloud.eu'
+    - 'https://{{ services['authelia']['domain'] }}.{{ domain['public'] }}'
+#  default-src:
+#    - '''none'''
+  font-src:
+    - '''self'''
+  frame-ancestors:
+    - '''self'''
+  frame-src:
+    - '''self'''
+    - 'blob:'
+  img-src:
+    - '''self'''
+    - 'data:'
+    - 'blob:'
+  manifest-src:
+    - '''self'''
+  media-src:
+    - '''self'''
+#  object-src:
+#    - '''none'''
+  script-src:
+    - '''self'''
+    - '''unsafe-inline'''
+    - '''unsafe-eval'''
+  style-src:
+    - '''self'''
+    - '''unsafe-inline'''
+  worker-src:
+    - '''self'''
+    - 'blob:'
@@ -0,0 +1,17 @@
+role_assignment:
+  driver: "oidc"
+  oidc_role_mapper:
+    role_claim: "preferred_username"
+    role_mapping:
+{% for admin_user in ['il'] %}
+      - role_name: "admin"
+        claim_value: "{{ admin_user }}"
+{% endfor %}
+{% for general_user in ['morsalin', 'eunkyoung'] %}
+      - role_name: "user"
+        claim_value: "{{ general_user }}"
+{% endfor %}
+#    - role_name: "spaceadmin"
+#      claim_value: ""
+#    - role_name: user-light
+#      claim_value: ""
@@ -0,0 +1,13 @@
+---
+services:
+  opencloud:
+    domain:
+      public: ""
+      internal: ""
+    ports:
+      http: ""
+    subuid: "100999"
+
+version:
+  containers:
+    opencloud: "4.0.6"
@@ -0,0 +1,60 @@
+[Quadlet]
+DefaultDependencies=false
+
+[Unit]
+Description=OpenCloud
+
+[Container]
+Image=docker.io/opencloudeu/opencloud:{{ version['containers']['opencloud'] }}
+ContainerName=opencloud
+HostName=opencloud
+
+PublishPort={{ services['opencloud']['ports']['http'] }}:9200
+
+Volume=%h/containers/opencloud:/etc/opencloud:rw
+Volume=%h/data/containers/opencloud:/var/lib/opencloud:rw
+
+# General
+Environment="TZ=Asia/Seoul"
+# Log level info
+Environment="OC_LOG_LEVEL=info"
+# TLS configuration
+Environment="PROXY_TLS=false"
+Environment="OC_INSECURE=true"
+# Connection
+Environment="PROXY_HTTP_ADDR=0.0.0.0:9200"
+Environment="OC_URL=https://{{ services['opencloud']['domain']['public'] }}.{{ domain['public'] }}"
+## CSP file location: allow authelia public domain
+Environment="PROXY_CSP_CONFIG_FILE_LOCATION=/etc/opencloud/csp.yaml"
+# OIDC
+Environment="OC_OIDC_ISSUER=https://{{ services['authelia']['domain'] }}.{{ domain['public'] }}"
+Environment="PROXY_OIDC_REWRITE_WELLKNOWN=true"
+## OIDC CLIENT CONFIGURATION and SCOPES
+Environment="WEB_OIDC_CLIENT_ID=opencloud"
+Environment="WEB_OIDC_SCOPE=openid profile email"
+## auto sign-in from authelia
+Environment="PROXY_AUTOPROVISION_ACCOUNTS=true"
+## Stop using internal idP service
+Environment="OC_EXCLUDE_RUN_SERVICES=idp"
+## Don't limit special characters
+Environment="GRAPH_USERNAME_MATCH=none"
+
+
+# OIDC standard link environments
+#Environment="WEB_OIDC_AUTHORITY=https://{{ services['authelia']['domain'] }}.{{ domain['public'] }}"
+#Environment="WEBFINGER_OIDC_ISSUER=https://{{ services['authelia']['domain'] }}.{{ domain['public'] }}"
+#Environment="OC_OIDC_CLIENT_ID=opencloud"
+#Environment="OC_OIDC_CLIENT_SCOPES=openid profile email groups"
+#Environment="WEBFINGER_ANDROID_OIDC_CLIENT_ID=opencloud"
+#Environment="WEBFINGER_ANDROID_OIDC_CLIENT_SCOPES=openid profile email groups offline_access"
+#Environment="WEBFINGER_DESKTOP_OIDC_CLIENT_ID=opencloud"
+#Environment="WEBFINGER_DESKTOP_OIDC_CLIENT_SCOPES=openid profile email groups offline_access"
+#Environment="WEBFINGER_IOS_OIDC_CLIENT_ID=opencloud"
+#Environment="WEBFINGER_IOS_OIDC_CLIENT_SCOPES=openid profile email groups offline_access"
+[Service]
+Restart=always
+RestartSec=10s
+TimeoutStopSec=120
+
+[Install]
+WantedBy=default.target
@@ -0,0 +1,3 @@
+---
+opencloud:
+  admin: ""
@@ -0,0 +1,76 @@
+---
+- name: Create opencloud directory
+  ansible.builtin.file:
+    path: "{{ node['home_path'] }}/{{ item }}"
+    state: "directory"
+    owner: "{{ services['opencloud']['subuid'] }}"
+    group: "svadmins"
+    mode: "0770"
+  loop:
+    - "data/containers/opencloud"
+    - "containers/opencloud"
+  become: true
+
+- name: Check data directory empty
+  ansible.builtin.stat:
+    path: "{{ node['home_path'] }}/data/containers/opencloud/.init"
+  become: true
+  register: "is_opencloud_init"
+
+- name: Initialize opencloud
+  when: not is_opencloud_init.stat.exists
+  block:
+    - name: Execute init command (Including pulling image)
+      containers.podman.podman_container:
+        name: "opencloud_init"
+        image: "docker.io/opencloudeu/opencloud:{{ version['containers']['opencloud'] }}"
+        command: "init"
+        state: "started"
+        rm: true
+        detach: false
+        env:
+          IDM_ADMIN_PASSWORD: "{{ hostvars['console']['opencloud']['admin']['password'] }}"
+          # Verify the certificate (Opencloud to Authelia, authelia uses let's encrypt.)
+          OC_INSECURE: "true"
+        volume:
+          - "{{ node['home_path'] }}/containers/opencloud:/etc/opencloud:rw"
+          - "{{ node['home_path'] }}/data/containers/opencloud:/var/lib/opencloud:rw"
+      no_log: true
+
+    - name: Create .init file
+      ansible.builtin.file:
+        path: "{{ node['home_path'] }}/data/containers/opencloud/.init"
+        state: "touch"
+        mode: "0644"
+        owner: "{{ ansible_user }}"
+        group: "svadmins"
+
+- name: Deploy configuration files
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/opencloud/etc/{{ item }}.j2"
+    dest: "{{ node['home_path'] }}/containers/opencloud/{{ item }}"
+    owner: "{{ services['opencloud']['subuid'] }}"
+    group: "svadmins"
+    mode: "0640"
+  loop:
+    - "csp.yaml"
+    - "proxy.yaml"
+  become: true
+  notify: "notification_restart_opencloud"
+
+- name: Deploy container file
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/opencloud/opencloud.container.j2"
+    dest: "{{ node['home_path'] }}/.config/containers/systemd/opencloud.container"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0644"
+  notify: "notification_restart_opencloud"
+
+- name: Enable opencloud.service
+  ansible.builtin.systemd:
+    name: "opencloud.service"
+    state: "started"
+    enabled: true
+    daemon_reload: true
+    scope: "user"
@@ -0,0 +1,36 @@
+---
+identity_providers:
+  oidc:
+    claims_policies:
+      # trilium expects name/email value in id token, but authelia doesn't send it basically
+      trilium:
+        id_token:
+          - email
+          - email_verified
+          - preferred_username
+          - name
+    clients:
+      # https://www.authelia.com/integration/openid-connect/clients/trillium/
+      # The name is trilium, not trillium
+      - client_id: 'trilium'
+        client_name: 'Trilium Notes'
+        client_secret: 'hash'
+        public: false
+        authorization_policy: 'one_factor'
+        # claims policy above
+        claims_policy: 'trilium'
+        require_pkce: false
+        pkce_challenge_method: ''
+        redirect_uris:
+          - 'https://trilium.example.com/callback'
+        scopes:
+          - 'openid'
+          - 'profile'
+          - 'email'
+        response_types:
+          - 'code'
+        grant_types:
+          - 'authorization_code'
+        access_token_signed_response_alg: 'none'
+        userinfo_signed_response_alg: 'none'
+        token_endpoint_auth_method: 'client_secret_basic'
@@ -0,0 +1,13 @@
+---
+services:
+  trilium:
+    domain:
+      public: ""
+      internal: ""
+    ports:
+      http: ""
+    subuid: "100999"
+
+version:
+  containers:
+    trilium: "v0.102.2"
@@ -0,0 +1,6 @@
+---
+trilium:
+  admin: ""
+  oidc:
+    secret: ""
+    hash: ""
@@ -0,0 +1,38 @@
+---
+- name: Create trilium directory
+  ansible.builtin.file:
+    path: "{{ node['home_path'] }}/{{ item }}"
+    state: "directory"
+    owner: "{{ services['trilium']['subuid'] }}"
+    group: "svadmins"
+    mode: "0770"
+  loop:
+    - "data/containers/trilium"
+    - "data/containers/trilium/data"
+  become: true
+
+- name: Register secret value to podman secret
+  containers.podman.podman_secret:
+    name: "TRILIUM_OAUTH_CLIENT_SECRET"
+    data: "{{ hostvars['console']['trilium']['oidc']['secret'] }}"
+    state: "present"
+    force: true
+  notify: "notification_restart_trilium"
+  no_log: true
+
+- name: Deploy trilium.container file
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/trilium/trilium.container.j2"
+    dest: "{{ node['home_path'] }}/.config/containers/systemd/trilium.container"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0644"
+  notify: "notification_restart_trilium"
+
+- name: Enable trilium.service
+  ansible.builtin.systemd:
+    name: "trilium.service"
+    state: "started"
+    enabled: true
+    daemon_reload: true
+    scope: "user"
@@ -0,0 +1,46 @@
+[Quadlet]
+DefaultDependencies=false
+
+[Unit]
+Description=trilium
+
+After=network-online.target
+Wants=network-online.target
+
+[Container]
+Image=docker.io/triliumnext/trilium:{{ version['containers']['trilium'] }}
+
+ContainerName=trilium
+HostName=trilium
+
+PublishPort={{ services['trilium']['ports']['http'] }}:8080/tcp
+
+Volume=%h/data/containers/trilium/data:/home/node/trilium-data:rw
+
+# General
+Environment="TZ=Asia/Seoul"
+Environment="TRILIUM_DATA_DIR=/home/node/trilium-data"
+Environment="TRILIUM_NO_UPLOAD_LIMIT=true"
+
+# OIDC
+## Short Alias doesn't work now.
+#Environment="TRILIUM_OAUTH_BASE_URL=https://{{ services['trilium']['domain']['public'] }}.{{ domain['public'] }}"
+#Environment="TRILIUM_OAUTH_CLIENT_ID=trilium"
+#Environment="TRILIUM_OAUTH_ISSUER_BASE_URL=https://{{ services['authelia']['domain'] }}.{{ domain['public'] }}"
+#Environment="TRILIUM_OAUTH_ISSUER_NAME=Authelia"
+#Environment="TRILIUM_OAUTH_ISSUER_ICON=https://www.authelia.com/images/branding/logo-cropped.png"
+#Secret="TRILIUM_OAUTH_CLIENT_SECRET",type=env
+Environment="TRILIUM_MULTIFACTORAUTHENTICATION_OAUTHBASEURL=https://{{ services['trilium']['domain']['public'] }}.{{ domain['public'] }}"
+Environment="TRILIUM_MULTIFACTORAUTHENTICATION_OAUTHCLIENTID=trilium"
+Environment="TRILIUM_MULTIFACTORAUTHENTICATION_OAUTHISSUERBASEURL=https://{{ services['authelia']['domain'] }}.{{ domain['public'] }}"
+Environment="TRILIUM_MULTIFACTORAUTHENTICATION_OAUTHISSUERNAME=Authelia"
+Environment="TRILIUM_MULTIFACTORAUTHENTICATION_OAUTHISSUERICON=https://www.authelia.com/images/branding/logo-cropped.png"
+Secret="TRILIUM_OAUTH_CLIENT_SECRET",type=env,target=TRILIUM_MULTIFACTORAUTHENTICATION_OAUTHCLIENTSECRET
+
+[Service]
+Restart=always
+RestartSec=10s
+TimeoutStopSec=120
+
+[Install]
+WantedBy=default.target
@@ -0,0 +1,25 @@
+---
+identity_providers:
+  oidc:
+    clients:
+      # https://www.authelia.com/integration/openid-connect/clients/vikunja/
+      - client_id: 'vikunja'
+        client_name: 'Vikunja'
+        client_secret: 'hash'
+        public: false
+        authorization_policy: 'one_factor'
+        require_pkce: false
+        pkce_challenge_method: ''
+        redirect_uris:
+          - 'https://vikunja.example.com/auth/openid/authelia'
+        scopes:
+          - 'openid'
+          - 'profile'
+          - 'email'
+        response_types:
+          - 'code'
+        grant_types:
+          - 'authorization_code'
+        access_token_signed_response_alg: 'none'
+        userinfo_signed_response_alg: 'none'
+        token_endpoint_auth_method: 'client_secret_basic'
@@ -0,0 +1,13 @@
+---
+services:
+  vikunja:
+    domain:
+      public: ""
+      internal: ""
+    ports:
+      http: ""
+    subuid: "100999"
+
+version:
+  containers:
+    vikunja: "2.2.2"
@@ -0,0 +1,9 @@
+---
+postgresql:
+  password:
+    vikunja: ""
+vikunja:
+  session_secret: ""
+  oidc:
+    secret: ""
+    hash: ""
@@ -0,0 +1,58 @@
+---
+- name: Create vikunja directory
+  ansible.builtin.file:
+    path: "{{ node['home_path'] }}/{{ item }}"
+    state: "directory"
+    owner: "{{ services['vikunja']['subuid'] }}"
+    group: "svadmins"
+    mode: "0770"
+  loop:
+    - "data/containers/vikunja"
+    - "containers/vikunja"
+    - "containers/vikunja/ssl"
+  become: true
+
+- name: Deploy root certificate
+  ansible.builtin.copy:
+    content: |
+      {{ hostvars['console']['ca']['root']['crt'] }}
+    dest: "{{ node['home_path'] }}/containers/vikunja/ssl/{{ root_cert_filename }}"
+    owner: "{{ services['vikunja']['subuid'] }}"
+    group: "svadmins"
+    mode: "0440"
+  become: true
+  notify: "notification_restart_vikunja"
+  no_log: true
+
+- name: Register secret value to podman secret
+  containers.podman.podman_secret:
+    name: "{{ item.name }}"
+    data: "{{ item.value }}"
+    state: "present"
+    force: true
+  loop:
+    - name: "VIKUNJA_SERVICE_JWTSECRET"
+      value: "{{ hostvars['console']['vikunja']['session_secret'] }}"
+    - name: "VIKUNJA_DATABASE_PASSWORD"
+      value: "{{ hostvars['console']['postgresql']['password']['vikunja'] }}"
+    - name: "VIKUNJA_AUTH_OPENID_PROVIDERS_authelia_CLIENTSECRET"
+      value: "{{ hostvars['console']['vikunja']['oidc']['secret'] }}"
+  notify: "notification_restart_vikunja"
+  no_log: true
+
+- name: Deploy vikunja.container file
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/vikunja/vikunja.container.j2"
+    dest: "{{ node['home_path'] }}/.config/containers/systemd/vikunja.container"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0644"
+  notify: "notification_restart_vikunja"
+
+- name: Enable vikunja.service
+  ansible.builtin.systemd:
+    name: "vikunja.service"
+    state: "started"
+    enabled: true
+    daemon_reload: true
+    scope: "user"
@@ -0,0 +1,57 @@
+[Quadlet]
+DefaultDependencies=false
+
+[Unit]
+Description=Vikunja
+
+After=network-online.target
+Wants=network-online.target
+
+[Container]
+Image=docker.io/vikunja/vikunja:{{ version['containers']['vikunja'] }}
+ContainerName=vikunja
+HostName=vikunja
+PublishPort={{ services['vikunja']['ports']['http'] }}:3456/tcp
+
+# Volumes
+Volume=%h/data/containers/vikunja:/app/vikunja/files:rw
+Volume=%h/containers/vikunja/ssl:/etc/ssl/vikunja:ro
+
+# General
+Environment="TZ=Asia/Seoul"
+Environment="VIKUNJA_DEFAULTSETTINGS_TIMEZONE=Asia/Seoul"
+Environment="VIKUNJA_SERVICE_TIMEZONE=Asia/Seoul"
+Environment="VIKUNJA_SERVICE_PUBLICURL=https://{{ services['vikunja']['domain']['public'] }}.{{ domain['public'] }}"
+Environment="VIKUNJA_SERVICE_ENABLEREGISTRATION=false"
+Secret=VIKUNJA_SERVICE_JWTSECRET,type=env
+
+
+# Database
+Environment="VIKUNJA_DATABASE_TYPE=postgres"
+Environment="VIKUNJA_DATABASE_HOST={{ services['postgresql']['domain'] }}.{{ domain['internal'] }}"
+Environment="VIKUNJA_DATABASE_USER=vikunja"
+Environment="VIKUNJA_DATABASE_DATABASE=vikunja_db"
+Environment="VIKUNJA_DATABASE_SSLMODE=verify-full"
+Environment="VIKUNJA_DATABASE_SSLROOTCERT=/etc/ssl/vikunja/{{ root_cert_filename }}"
+Secret=VIKUNJA_DATABASE_PASSWORD,type=env
+
+
+# OIDC
+Environment="VIKUNJA_AUTH_OPENID_ENABLED=true"
+Environment="VIKUNJA_AUTH_OPENID_PROVIDERS_authelia_NAME=Authelia"
+Environment="VIKUNJA_AUTH_OPENID_PROVIDERS_authelia_AUTHURL=https://{{ services['authelia']['domain'] }}.{{ domain['public'] }}"
+Environment="VIKUNJA_AUTH_OPENID_PROVIDERS_authelia_CLIENTID=vikunja"
+# Environment="VIKUNJA_AUTH_OPENID_PROVIDERS_authelia_SCOPE=" default value = openid email profile
+# Vikunja doesn't support OIDC and local dual login.
+# Environment="VIKUNJA_AUTH_OPENID_PROVIDERS_authelia_USERNAMEFALLBACK=true"
+# Environment="VIKUNJA_AUTH_OPENID_PROVIDERS_authelia_EMAILFALLBACK=true"
+Secret=VIKUNJA_AUTH_OPENID_PROVIDERS_authelia_CLIENTSECRET,type=env
+
+[Service]
+ExecStartPre=/usr/bin/nc -zv {{ services['postgresql']['domain'] }}.{{ domain['internal'] }} {{ services['postgresql']['ports']['tcp'] }}
+Restart=always
+RestartSec=10s
+TimeoutStopSec=120
+
+[Install]
+WantedBy=default.target
@@ -0,0 +1,26 @@
+---
+identity_providers:
+  oidc:
+    clients:
+      # https://www.authelia.com/integration/openid-connect/clients/wikijs/
+      - client_id: 'wikijs'
+        client_name: 'Wiki'
+        client_secret: 'hash'
+        public: false
+        authorization_policy: 'one_factor'
+        require_pkce: false
+        pkce_challenge_method: ''
+        redirect_uris:
+          # add Callback URL / Redirect URI HERE
+          - 'https://wikijs.example.com/login/$UUID/callback'  # Note this must be copied during step 7 of the Application configuration.
+        scopes:
+          - 'openid'
+          - 'profile'
+          - 'email'
+        response_types:
+          - 'code'
+        grant_types:
+          - 'authorization_code'
+        access_token_signed_response_alg: 'none'
+        userinfo_signed_response_alg: 'none'
+        token_endpoint_auth_method: 'client_secret_post'
@@ -0,0 +1,13 @@
+---
+services:
+  wikijs:
+    domain:
+      public: ""
+      internal: ""
+    ports:
+      http: ""
+    subuid: "100999"
+
+version:
+  containers:
+    wikijs: "2.5.314"
@@ -0,0 +1,9 @@
+---
+postgresql:
+  password: 
+    wikijs: ""
+wikijs:
+  admin: ""
+  oidc:
+    secret: ""
+    hash: ""
@@ -0,0 +1,53 @@
+---
+- name: Create wiki.js directory
+  ansible.builtin.file:
+    path: "{{ node['home_path'] }}/{{ item }}"
+    state: "directory"
+    owner: "{{ services['wikijs']['subuid'] }}"
+    group: "svadmins"
+    mode: "0770"
+  loop:
+    - "data/containers/wikijs"
+    - "data/containers/wikijs/data"
+    - "data/containers/wikijs/export"
+    - "containers/wikijs"
+    - "containers/wikijs/ssl"
+  become: true
+
+- name: Deploy root certificate
+  ansible.builtin.copy:
+    content: |
+      {{ hostvars['console']['ca']['root']['crt'] }}
+    dest: "{{ node['home_path'] }}/containers/wikijs/ssl/{{ root_cert_filename }}"
+    owner: "{{ services['wikijs']['subuid'] }}"
+    group: "svadmins"
+    mode: "0440"
+  become: true
+  notify: "notification_restart_wikijs"
+  no_log: true
+
+- name: Register secret value to podman secret
+  containers.podman.podman_secret:
+    name: "WIKIJS_DB_PASS"
+    data: "{{ hostvars['console']['postgresql']['password']['wikijs'] }}"
+    state: "present"
+    force: true
+  notify: "notification_restart_wikijs"
+  no_log: true
+
+- name: Deploy wikijs.container file
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/wikijs/wikijs.container.j2"
+    dest: "{{ node['home_path'] }}/.config/containers/systemd/wikijs.container"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0644"
+  notify: "notification_restart_wikijs"
+
+- name: Enable wikijs.service
+  ansible.builtin.systemd:
+    name: "wikijs.service"
+    state: "started"
+    enabled: true
+    daemon_reload: true
+    scope: "user"
@@ -0,0 +1,41 @@
+[Quadlet]
+DefaultDependencies=false
+
+[Unit]
+Description=Wiki.js
+
+After=network-online.target
+Wants=network-online.target
+
+[Container]
+Image=ghcr.io/requarks/wiki:{{ version['containers']['wikijs'] }}
+ContainerName=wikijs
+HostName=wikijs
+PublishPort={{ services['wikijs']['ports']['http'] }}:3000/tcp
+
+# Volumes
+Volume=%h/data/containers/wikijs/data:/wiki/data:rw
+Volume=%h/data/containers/wikijs/export:/wiki/export:rw
+Volume=%h/containers/wikijs/ssl:/etc/ssl/wiki:ro
+
+# General
+Environment="TZ=Asia/Seoul"
+
+# Database
+Environment="DB_TYPE=postgres"
+Environment="DB_HOST={{ services['postgresql']['domain'] }}.{{ domain['internal'] }}"
+Environment="DB_PORT={{ services['postgresql']['ports']['tcp'] }}"
+Environment="DB_USER=wikijs"
+Environment="DB_NAME=wikijs_db"
+Environment="DB_SSL=true"
+Environment="NODE_EXTRA_CA_CERTS=/etc/ssl/wiki/{{ root_cert_filename }}"
+Secret=WIKIJS_DB_PASS,type=env,target=DB_PASS
+
+[Service]
+ExecStartPre=/usr/bin/nc -zv {{ services['postgresql']['domain'] }}.{{ domain['internal'] }} {{ services['postgresql']['ports']['tcp'] }}
+Restart=always
+RestartSec=10s
+TimeoutStopSec=120
+
+[Install]
+WantedBy=default.target
@@ -117,24 +117,15 @@
        - [x] Vaultwarden
        - [x] Gitea
        - [x] Immich
-        - [x] Actual budget
        - [x] Paperless-ngx
-        - [x] vikunja (Comparing to Nextcloud deck)
-        - [x] OpenCloud (Comparing to Nextcloud)
-        - [x] affine (Notion substitution)
-        - [x] Nextcloud (Use nextcloud as CalDAV and CardDav, kanban and todo)
-        - [x] Collabora office (Link to Nextcloud, it works well)
-        - [x] ezBookkeeping 
-            - use budget.ilnmors.com for ezBookkeeping, actual budget domain is changed as actualbudget.ilnmors.com
+        - [x] affine
+            - integrated document management via markdown, whiteboard, canvas
+        - [x] Nextcloud
+            - Use Nextcloud as CalDAV and CardDav, kanban and todo
+        - [x] Collabora office
+            - Link to Nextcloud
        - [x] sure
-            - comparing sure, ezBookkeeping, and actualbudget
-            - ezbookkeeping has no function to share the account and budget to the other users.
-            - actual budget's YNAB way is hard to adjust
-            - sure is heavy, but it is not YNAB and it allows to share account the other users
-        - [x] wiki.js
-            - check wiki.js to use as base wiki of documents.
-        - [x] TriliumNext
-            - UNSTABLE, it is impossible to use.
+            - budget and finance
        - [ ] memos
        - WriteFreely or directus + frontend(Astro)
        - MediaCMS or PeerTube
@@ -146,11 +137,19 @@
        - Ralph
        - Conduit
        - SnappyMail
-    <!--
-        - n8n
-    - Forward_auth
-        - Homepage
-    -->
+    - archived services:
+        - [x] Actual budget
+            - YNAB way is hard to adjust
+        - [x] OpenCloud
+            - Nextcloud is more stable
+        - [x] vikunja
+            - integrated experience from Nextcloud is better
+        - [x] ezBookkeeping
+            - No sharing budget function
+        - [x] wiki.js
+            - Too complex, too heavy
+        - [x] TriliumNext
+            - OIDC errors, and trilium itself is unstable

 ## External Backup server