chore(app): archive removed stacks from app

archived stacks:
- actual-budget
- ezbookkeeping
- opencloud
- trilium
- vikunja
- wikijs

ansible/inventory/group_vars/all.yaml

@@ -109,13 +109,6 @@ services:
   immich-ml:
     ports:
       http: "3003"
-  actualbudget:
-    domain:
-      public: "actualbudget"
-      internal: "actualbudget.app"
-    ports:
-      http: "5006"
-    subuid: "101000"
   paperless:
     domain:
       public: "paperless"
@@ -124,20 +117,6 @@ services:
       http: "8001"
       redis: "6380"
     subuid: "100999"
-  vikunja:
-    domain:
-      public: "vikunja"
-      internal: "vikunja.app"
-    ports:
-      http: "3456"
-    subuid: "100999"
-  opencloud:
-    domain:
-      public: "opencloud"
-      internal: "opencloud.app"
-    ports:
-      http: "9200"
-    subuid: "100999"
   manticore:
     subuid: "100998"
   affine:
@@ -163,13 +142,6 @@ services:
     ports:
       http: "9980"
     subuid: "101000"
-  ezbookkeeping:
-    domain:
-      public: "budget"
-      internal: "budget.app"
-    ports:
-      http: "8003"
-    subuid: "100999"
   sure:
     domain:
       public: "sure"
@@ -178,20 +150,6 @@ services:
       http: "3001"
       redis: "6383"
     subuid: "100999"
-  wikijs:
-    domain:
-      public: "wiki"
-      internal: "wiki.app"
-    ports:
-      http: "3002"
-    subuid: "100999"
-  trilium:
-    domain:
-      public: "notes"
-      internal: "notes.app"
-    ports:
-      http: "8004"
-    subuid: "100999"
 
 version:
   packages:
@@ -222,15 +180,9 @@ version:
     gitea: "1.26.1"
     redis: "8.6.3"
     immich: "v2.7.5"
-    actualbudget: "26.3.0"
     paperless: "2.20.15"
-    vikunja: "2.2.2"
-    opencloud: "4.0.6"
     manticore: "25.0.0"
     affine: "0.26.3"
     nextcloud: "33.0.3"
     collabora: "25.04.9.4.1"
-    ezbookkeeping: "1.4.0"
     sure: "0.7.0-hotfix.2"
-    wikijs: "2.5.314"
-    trilium: "v0.102.2"

ansible/playbooks/app/site.yaml

@@ -185,14 +185,6 @@
           tags: ["site", "immich"]
       tags: ["site", "immich"]
 
-    - name: Set actual budget
-      ansible.builtin.include_role:
-        name: "app"
-        tasks_from: "services/set_actual-budget"
-        apply:
-          tags: ["site", "actual-budget"]
-      tags: ["site", "actual-budget"]
-
     - name: Set paperless
       ansible.builtin.include_role:
         name: "app"
@@ -201,22 +193,6 @@
           tags: ["site", "paperless"]
       tags: ["site", "paperless"]
 
-    - name: Set vikunja
-      ansible.builtin.include_role:
-        name: "app"
-        tasks_from: "services/set_vikunja"
-        apply:
-          tags: ["site", "vikunja"]
-      tags: ["site", "vikunja"]
-
-    - name: Set opencloud
-      ansible.builtin.include_role:
-        name: "app"
-        tasks_from: "services/set_opencloud"
-        apply:
-          tags: ["site", "opencloud"]
-      tags: ["site", "opencloud"]
-
     - name: Set affine
       ansible.builtin.include_role:
         name: "app"
@@ -241,14 +217,6 @@
           tags: ["site", "collabora"]
       tags: ["site", "collabora"]
 
-    - name: Set ezbookkeeping
-      ansible.builtin.include_role:
-        name: "app"
-        tasks_from: "services/set_ezbookkeeping"
-        apply:
-          tags: ["site", "ezbookkeeping"]
-      tags: ["site", "ezbookkeeping"]
-
     - name: Set sure
       ansible.builtin.include_role:
         name: "app"
@@ -257,22 +225,6 @@
           tags: ["site", "sure"]
       tags: ["site", "sure"]
 
-    - name: Set wiki.js
-      ansible.builtin.include_role:
-        name: "app"
-        tasks_from: "services/set_wikijs"
-        apply:
-          tags: ["site", "wikijs"]
-      tags: ["site", "wikijs"]
-
-    - name: Set trilium
-      ansible.builtin.include_role:
-        name: "app"
-        tasks_from: "services/set_trilium"
-        apply:
-          tags: ["site", "trilium"]
-      tags: ["site", "trilium"]
-
     - name: Flush handlers right now
       ansible.builtin.meta: "flush_handlers"
 

ansible/roles/app/handlers/main.yaml

@@ -43,17 +43,6 @@
   listen: "notification_restart_immich-ml"
   ignore_errors: true # noqa: ignore-errors
 
-- name: Restart actual-budget
-  ansible.builtin.systemd:
-    name: "actual-budget.service"
-    state: "restarted"
-    enabled: true
-    scope: "user"
-    daemon_reload: true
-  changed_when: false
-  listen: "notification_restart_actual-budget"
-  ignore_errors: true # noqa: ignore-errors
-
 - name: Restart paperless
   ansible.builtin.systemd:
     name: "paperless.service"
@@ -65,29 +54,6 @@
   listen: "notification_restart_paperless"
   ignore_errors: true # noqa: ignore-errors
 
-- name: Restart vikunja
-  ansible.builtin.systemd:
-    name: "vikunja.service"
-    state: "restarted"
-    enabled: true
-    scope: "user"
-    daemon_reload: true
-  changed_when: false
-  listen: "notification_restart_vikunja"
-  ignore_errors: true # noqa: ignore-errors
-
-- name: Restart opencloud
-  ansible.builtin.systemd:
-    name: "opencloud.service"
-    state: "restarted"
-    enabled: true
-    daemon_reload: true
-    scope: "user"
-  when: is_opencloud_init.stat.exists
-  changed_when: false
-  listen: "notification_restart_opencloud"
-  ignore_errors: true # noqa: ignore-errors
-
 - name: Restart affine
   ansible.builtin.systemd:
     name: "affine.service"
@@ -123,17 +89,6 @@
   listen: "notification_restart_collabora"
   ignore_errors: true # noqa: ignore-errors
 
-- name: Restart ezbookkeeping
-  ansible.builtin.systemd:
-    name: "ezbookkeeping.service"
-    state: "restarted"
-    enabled: true
-    scope: "user"
-    daemon_reload: true
-  changed_when: false
-  listen: "notification_restart_ezbookkeeping"
-  ignore_errors: true # noqa: ignore-errors
-
 - name: Restart sure
   ansible.builtin.systemd:
     name: "{{ item }}"
@@ -147,25 +102,3 @@
   changed_when: false
   listen: "notification_restart_sure"
   ignore_errors: true # noqa: ignore-errors
-
-- name: Restart wikijs
-  ansible.builtin.systemd:
-    name: "wikijs.service"
-    state: "restarted"
-    enabled: true
-    scope: "user"
-    daemon_reload: true
-  changed_when: false
-  listen: "notification_restart_wikijs"
-  ignore_errors: true # noqa: ignore-errors
-
-- name: Restart trilium
-  ansible.builtin.systemd:
-    name: "trilium.service"
-    state: "restarted"
-    enabled: true
-    scope: "user"
-    daemon_reload: true
-  changed_when: false
-  listen: "notification_restart_trilium"
-  ignore_errors: true # noqa: ignore-errors

ansible/roles/infra/tasks/services/set_postgresql.yaml

@@ -9,12 +9,9 @@
       - "gitea"
       - "immich"
       - "paperless"
-      - "vikunja"
       - "affine"
       - "nextcloud"
-      - "ezbookkeeping"
       - "sure"
-      - "wikijs"
 
 - name: Create postgresql directory
   ansible.builtin.file:

config/secrets/secrets.yaml

@@ -117,12 +117,9 @@ postgresql:
         gitea: ENC[AES256_GCM,data:l+pBCzyQa3000SE9z1R4htD0V0ONsBtKy92dfgsVYsZ3XlEyVJDIBOsugwM=,iv:5t/oHW1vFAmV/s2Ze/cV9Vuqo96Qu6QvZeRbio7VX2s=,tag:4zeQaXiXIzBpy+tXsxmN7Q==,type:str]
         immich: ENC[AES256_GCM,data:11jvxTKA/RL0DGL6y2/X092hnDohj6yTrYGK4IVojqBd1gCOBnDvUjgmx14=,iv:oBfHxsx9nxhyKY/WOuWfybxEX2bf+lHEtsaifFRS9lg=,tag:tAfkBdgQ8ZEkLIFcDICKDw==,type:str]
         paperless: ENC[AES256_GCM,data:6VBrBbjVoam7SkZCSvoBTdrfkUoDghdGTiBmFLul04X/okXOHeC5zusJffY=,iv:iZumcJ3TWwZD77FzYx8THwCqC+EbnXUBrEKuPh3zgV8=,tag:u2m8SppAdxZ/duNdpuS3oQ==,type:str]
-        vikunja: ENC[AES256_GCM,data:/+wQdoFPTBG2elI9kZbAVWrHZ0DhMaYr4dc+2z9QNdb3TcDS2PEia0JuSAg=,iv:MViZTyUD8YqMmxSTWCQpJ30f/KQdQGOzPlRHHsQ8lAw=,tag:zov3POno139dkMxFDpj2gg==,type:str]
         affine: ENC[AES256_GCM,data:XPXrcszsV06YqCJZ7CDqc4rCwqqNlbtLCFYfLAQ8jamLtft8L2UVrMA4WZo=,iv:vrWdBeckxB9tmEE628j4jhU+hSpE6TXYMGt0hh1Cg84=,tag:hlWwWUGht8NqWTZREMsa1Q==,type:str]
         nextcloud: ENC[AES256_GCM,data:ROsximNuWYMTZktmLJPx7W1Qol/uT+APgwoCtFO/6ZYYc3KxKvlk344eqEc=,iv:4d+MrfIHjJKAcwhvZ3g4go66uZcieuL7lngKErJd+fg=,tag:QbWOtxeCbiu62GyrE2atXg==,type:str]
-        ezbookkeeping: ENC[AES256_GCM,data:CYYQ5DVr8Na46QduvUNF6d0XBVSXTml34q3/PhIYIvUNviOVgCjqXA4wN7g=,iv:qRljohJ+wI50XxSgMElKp65HyV3mKRTqDGjw9C1S0d0=,tag:PClp7PRmC0+PV0SzZpJqqQ==,type:str]
         sure: ENC[AES256_GCM,data:FULJ2gjJ2gZC3s324itW+CjGRBHIP9RnOqw5TT1UaiUhb7UHAPm1na+LsZk=,iv:c0GnVZkxprJUzPPq3TCQaZvAes9QQuvDXqgVLLaiQIg=,tag:uDxy/Lkd2hNK4AWwMNMslw==,type:str]
-        wikijs: ENC[AES256_GCM,data:2drkkTevrcUrgxOHavIEPcemc2l5+/3GEAYNCYVL/63daVda5tzL61tPm2A=,iv:87qPrlRaosXO75eaxo4xjevVc1Pt9MiHv6lYFBB3MKU=,tag:SnVbVR4ZM0qvVmWpcgSKrg==,type:str]
 #ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
 #
 #
@@ -213,14 +210,6 @@ immich:
 #ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
 #
 #
-#ENC[AES256_GCM,data:bzMt0Ox0Za4dOhoo7S6dYCdK32JI9Q==,iv:PRTryIJk0tR545XY0LoHwklvsJp5+A5bEljNmzUvRhY=,tag:EVsjRUGMOadaNbMu0Xr4XA==,type:comment]
-actualbudget:
-    oidc:
-        secret: ENC[AES256_GCM,data:TE2umZ9Vvr7cSfA2+TAfRadIWZN3hyOKQ6U9NqJFm5e9iiw1avI+QlnYcKI=,iv:rUWoclBRqh0tsGnMq29395Fn2NP7AXnSCd0s+S8jQ6I=,tag:qPX/TcdIo6BJeex7wmi02Q==,type:str]
-        hash: ENC[AES256_GCM,data:UjhNkGj+sxbnmPUx1V5kVYwZnzsB0aEvN8YV29lcvMbSnf9xpQWwD5C93Zu8SYrnS/p88qZpGBgAjr9Pcly3y0H1YMRt9zzbHZU3Uo0DPDrSWRQdeB/8LkcM/cwMAs8arS6PO03ECNnN5Z6aTmFdFnLjUkvUuSWMFscItAzMzhWCpeY=,iv:B06LI7Cq3NN8haOLfN3gWIpUFnvdUlq6D2XmARojDpk=,tag:MflE8qcY5j/aAA7xfPCqng==,type:str]
-#ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
-#
-#
 #ENC[AES256_GCM,data:McPUAbIUvtC1gdPaxTgAxAMCMWcLfg==,iv:Tp6idRf7he3sYzo8LW596C905JAaoTIhIoDUzSyRT0k=,tag:4mZQ0Swu1X9uuwjsRNhr2A==,type:comment]
 paperless:
     session_secret: ENC[AES256_GCM,data:siwCs2noeVpg9DCEZybnmo/oz11BdrHSTnHciMOu/6g=,iv:XVjhu10TIujIdUopN9+TVVqRade9EvItDWxym6YXnZs=,tag:TxLYm+4Bo7IMaTQBtMg9pQ==,type:str]
@@ -232,22 +221,6 @@ paperless:
 #ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
 #
 #
-#ENC[AES256_GCM,data:V7DJHA2JQirfBsrCGhXrhg==,iv:+jYqX9hGNnuyYj9o9LpCYFVOoD6nSrtc4t40Ag0mMzo=,tag:1wSxKtkJm42reUxdwYDvlg==,type:comment]
-vikunja:
-    session_secret: ENC[AES256_GCM,data:CMyw8JGHyTczGsrOJJwQBKfXMU4Sudvwkur1Lgx4o64=,iv:F2VmpqddiDT4jGaGDKGl6FARsQOt3lLz3X6TjC2MIVU=,tag:UJYyzrl/FX1BNwY4ROFncA==,type:str]
-    oidc:
-        secret: ENC[AES256_GCM,data:QwqndYsfr+fh9OLkHYtLYCa6WUdhnL7A4btz1d1eelTwq3Kps5S6BUN5qZg=,iv:51N8byIAAUh4ky7YBAuEJOBEWu1d9AX5W1m37/cLlCM=,tag:GD7jbxNGd748TCPgqsxyMg==,type:str]
-        hash: ENC[AES256_GCM,data:ORifyT4u1V2CyBCNBgF72wwS2i05mlzA4iIVEa1cH9aaE69PdiQvGGzMHK+tmlfpVaVQEENSt1QDUSSlMyeuZT/3a0JwAvlz+XDbpS7bicL2cB6DCa4JyEd/rbGRXs0/COfxPxXzYv7jq9gd2uSJ+cCGYb/93WuEXSEI6PHi+FF7N94=,iv:FVSGySa4YB2vwenqSagBzxeIexg91ewvcQMix+etmng=,tag:yyQtOgzOZypba+rV3A1K9g==,type:str]
-#ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
-#
-#
-#ENC[AES256_GCM,data:EsRGZP7snPchEAMoQN5PoQpiOA==,iv:A/8POGq3pIw7aX5S2vyKtI2vPqH0FT6yZnpe/vVbifw=,tag:BgUYHX2zxIL7yLS0JbI1Yg==,type:comment]
-opencloud:
-    admin:
-        password: ENC[AES256_GCM,data:VKG7sNTTLHCXRGf4SAlR91+hvc7PaNrnpJX/4kItVcT9W1Hdl/yKgHHD7M8=,iv:WwWnx9KuN+i/Ugwv+HY4IGDZrLHk71hsobGFOn9kml0=,tag:SS6ihrtZjLnlAJR59lw+gw==,type:str]
-#ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
-#
-#
 #ENC[AES256_GCM,data:k55osvepVeB1RC5hZ4IF,iv:AlhfmWwn/DiSESWc+ULJSOLUhnrKAIfWr7MeiwV8qc8=,tag:hOgptwUcY6nVxPIhu+DYgw==,type:comment]
 affine:
     secret_key: ENC[AES256_GCM,data:LLX78DpYnha1JWhgw0sHLzIVq/oIzvT+nB7zgli4mroGbnt7WZaXCx34zKkYRwYj/+0L4IFFVdkzKtK5DO84SgFkS2Bk2iNdCMqIx80CpyiD8IWAcyRu5d6hh82PlgyxU80T/4nbLbIn0GLubPTTeUX8GC3VxRU=,iv:DnmvbhlygSHes0jAkIm4+WXMUQLzr4R4dNa33rO67v8=,tag:+2wlh+/ekiTyShWM4XBbUw==,type:str]
@@ -269,14 +242,6 @@ nextcloud:
 #ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
 #
 #
-#ENC[AES256_GCM,data:tMahvC9OLW4+AGLyx68SNsOPBezApw==,iv:WHx8ruuQ33J/8XtwyhvDy2cKqE7lAWvj/r5AUhdyssU=,tag:uRwheXUxqNSIhcPqGeMNog==,type:comment]
-ezbookkeeping:
-    oidc:
-        secret: ENC[AES256_GCM,data:ZMIfRwXDT1ujGKoc7DGvc8/O+ciB+kajo9yOwVsMsbEjl6D8gl6I0Lbsta8=,iv:++p1TTW6gDUEvh56SjMgldrpob/VWNtiYGo6wNS8cz0=,tag:LQaW333UskiN4mtIjUAguA==,type:str]
-        hash: ENC[AES256_GCM,data:XyB1N3MUzBHWHAumat7/ASy/Aja/gLKmeTriOqLnMgZ9lBE1birYtFW+R0wZ+vyx79tHKVnRxzrWsxoD5jitCmHyMVrJmJKl5c4SYMhytKfBPgrNe3twcc06U+wONmgAuVpaEQlnnyzAz42SpOHbT55GegHjYzT5hXax8eRvdM6xJSY=,iv:R4+EdQuKo2JumY3cu8KPpeFezcLhlehXBxr2wVG5wHk=,tag:hpDX1x9NCCutUsnDKEf1Sg==,type:str]
-#ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
-#
-#
 #ENC[AES256_GCM,data:Fsqc2JDp9dvfgiCjdQ==,iv:3DALKKEXaP8hzXRvxD4CgfFpOiPPsOa16OB94n8WKp8=,tag:K+FF3zGrc0YLXWK/R2L3Ow==,type:comment]
 sure:
     session_secret: ENC[AES256_GCM,data:InHsz/jld8E9TwI8MWpxk9x2I7dxlIsY9R6jtDK2pBA=,iv:HY5yXEC2Dce26e9/vXTIWELvVd9ZjhcCwFD0jhz5pPw=,tag:LLSJovZ0RH3CUK+se7R4Ag==,type:str]
@@ -286,23 +251,6 @@ sure:
 #ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
 #
 #
-#ENC[AES256_GCM,data:NkvAsD10P7qUvGPXeTY+rQ==,iv:GjsUk3Ht6RYW/rhkRhMSFEmtsAiS+dK7niYDJVBj2iE=,tag:8KnDcuRTm7P76Kh2hmWeXw==,type:comment]
-wikijs:
-    il: ENC[AES256_GCM,data:gsAEHk4MI75EXIiqdb05RYSmlxaQ7mlYXTwTYYVJ20KC397T6xbHzvNojlI=,iv:iYc+BahiJ50LSr35/T1VCQsxsRen5rKLwQhfVQMkdz4=,tag:rscWcLWyTaSR4KEPJaes2A==,type:str]
-    oidc:
-        secret: ENC[AES256_GCM,data:+bmvyUkiQ+vnaJW7wgjohv4wdvliqx8whdSM8iBUJXGFy/QOs2oJm4FoUcA=,iv:U07y/+87zbXQ2hQ4HvzKcEH5nQsaSIF1Oh3yv6/ytWU=,tag:knGwjGhH5D/OSvW6j5S0VQ==,type:str]
-        hash: ENC[AES256_GCM,data:7jKBt9mdfxKDU6vBIP6k/wj0gIsRnLwwSrLOlnbbiNZVmbZXqv/UxEsLxCyx1rP2mzGgaxNCBh6WOo7mbSMPezMiuf/enrNrmIwpcP2R0H6LxGTiLFk/7EZ493oy7qFmmsM2qM7Y6qhhKUygD4XbJfVZ2sdojjIGAWy6XdpbbQICb5I=,iv:N3gPga+iDYUF0uAx671DP+4c7FYUKP12MEbYmKZRPAI=,tag:7tKwhxk5yQ0KfZrg0+v/rw==,type:str]
-#ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
-#
-#
-#ENC[AES256_GCM,data:rf52AKZDCNq9PVnAMnDXzw==,iv:+rT8sgcAz0LoeUcPgIrpSw/JWvk5agunnTkaWac16kU=,tag:SCyTu1rUNnmS2EFMeIvlCw==,type:comment]
-trilium:
-    oidc:
-        secret: ENC[AES256_GCM,data:EfKdxk/OBgQyGVwOnxMFS/HhucL5qicaB7HfWu4yNvmrqxU+ubkT62zJewQ=,iv:Ye4gNbyOuEaujGfxXYKg4GWDOP+cnTNL230t8B98WUY=,tag:B1YoabR7y8OVUKYj/aiSPA==,type:str]
-        hash: ENC[AES256_GCM,data:QyU+leT28FY3nW+tIbnap2n52xw1bcb77ziFf6cW9gdwwhL6rJCEaTGQritpVsCH5C9ytxlV0Acn7dJbnYSHFtZ2jbuvYMSQR4ewtY+tFX1MdD9+FmtH8umb7PHbG6upXgrXRNRIglJ4U1BEfg0xkdzEPbJq+r13A1+cKESrewayae4=,iv:CUE6YjDzgoc017e8+dT1S956PwmOlb7h6dhnOpCr3iw=,tag:XGgpzuVZXJ8Axb4ib8anVQ==,type:str]
-#ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
-#
-#
 #ENC[AES256_GCM,data:T4Wtn49AAxPd2QUFTR+q,iv:bH5goGWBDqumAat9dUv2OwfCUJUpuVqncTMqMBZUXhI=,tag:G+W6hHA+yftQ+4RJpXrxHg==,type:comment]
 switch:
     password: ENC[AES256_GCM,data:qu0f9L7A0eFq/UCpaRs=,iv:W8LLOp3MSfd/+EfNEZNf91K8GgI5eUfVPoWTRES2C0Y=,tag:Q5FlAOfwqwJwPvd7k6i+0g==,type:str]
@@ -332,7 +280,7 @@ sops:
             UmliaFNxVTBqRkI1QWJpWGpTRWxETW8KEY/8AfU73UOzCGhny1cNnd5dCNv7bHXt
             k+uyWPPi+enFkVaceSwMFrA66uaWWrwAj11sXEB7yzvGFPrnAGezjQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-05-09T12:29:30Z"
+    lastmodified: "2026-05-09T14:26:51Z"
-    mac: ENC[AES256_GCM,data:ql3rWwdwJRn2nH0SLnjTaJK4NVemxG8T814VEDaHv38bc7A3aaMGuZ92mHY4z+5oNA+DpR/UjkGJ/NrckbURxY63BEcyVCsS4Rb95HTKjDOjf2g5rrohdgI3ZUE1jvlyf3tAh2ZYh1J8QddLKyLju/J43KcB+XRQKhJv4kubAQ0=,iv:4inRbBMuhB7Hzi8fGpqyC3juUqteZGLXX0GtnHusF7Y=,tag:ZxJ6iv8NxJr4rvCInml8dg==,type:str]
+    mac: ENC[AES256_GCM,data:TYs08ZSS2kcO5lYuhQ/IySUSQ3DpL+ba3/uNLyszht4OttR110/W/WQLiRuu/Ql6FwtDtjq6I3iNpOhmCHSv1kMCam1l99GEIYCaPUIY+TY3Zw0j7518dFXe8p/DrKRwIVXfK5lIKLIEd+eizD50HzwXXJFmU+7YDkQ1Dx+55kw=,iv:arJKJ4wO4sdQlu3GZbtultsfM6s8vbhG93tnf2EjJDc=,tag:m95gUqvn4w85XI8qVvCZpQ==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.12.1

config/services/containers/auth/authelia/config/authelia.yaml.j2

@@ -93,25 +93,6 @@ notifier:
 identity_providers:
   oidc:
     hmac_secret: '' # $AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE
-    claims_policies:
-      # trilium expects name/email value in id token, but authelia doesn't send it basically
-      trilium:
-        id_token:
-          - email
-          - email_verified
-          - preferred_username
-          - name
-    # For the app which doesn't use secret.
-    cors:
-      endpoints:
-        - 'authorization'
-        - 'token'
-        - 'revocation'
-        - 'introspection'
-        - 'userinfo'
-      allowed_origins:
-        - 'https://{{ services['opencloud']['domain']['public'] }}.{{ domain['public'] }}'
-      allowed_origins_from_client_redirect_uris: true
     jwks:{% raw %}
       - algorithm: 'RS256'
         use: 'sig'
@@ -192,28 +173,6 @@ identity_providers:
         access_token_signed_response_alg: 'none'
         userinfo_signed_response_alg: 'none'
         token_endpoint_auth_method: 'client_secret_post'
-      # https://www.authelia.com/integration/openid-connect/clients/actual-budget/
-      - client_id: 'actual-budget'
-        client_name: 'Actual Budget'
-        client_secret: '{{ hostvars['console']['actualbudget']['oidc']['hash'] }}'
-        public: false
-        authorization_policy: 'one_factor'
-        require_pkce: false
-        pkce_challenge_method: ''
-        redirect_uris:
-          - 'https://{{ services['actualbudget']['domain']['public'] }}.{{ domain['public'] }}/openid/callback'
-        scopes:
-          - 'openid'
-          - 'profile'
-          - 'groups'
-          - 'email'
-        response_types:
-          - 'code'
-        grant_types:
-          - 'authorization_code'
-        access_token_signed_response_alg: 'none'
-        userinfo_signed_response_alg: 'none'
-        token_endpoint_auth_method: 'client_secret_basic'
       # https://www.authelia.com/integration/openid-connect/clients/paperless/
       - client_id: 'paperless'
         client_name: 'Paperless'
@@ -236,122 +195,6 @@ identity_providers:
         access_token_signed_response_alg: 'none'
         userinfo_signed_response_alg: 'none'
         token_endpoint_auth_method: 'client_secret_post'
-      # https://www.authelia.com/integration/openid-connect/clients/vikunja/
-      - client_id: 'vikunja'
-        client_name: 'Vikunja'
-        client_secret: '{{ hostvars['console']['vikunja']['oidc']['hash'] }}'
-        public: false
-        authorization_policy: 'one_factor'
-        require_pkce: false
-        pkce_challenge_method: ''
-        redirect_uris:
-          - 'https://{{ services['vikunja']['domain']['public'] }}.{{ domain['public'] }}/auth/openid/authelia'
-        scopes:
-          - 'openid'
-          - 'profile'
-          - 'email'
-        response_types:
-          - 'code'
-        grant_types:
-          - 'authorization_code'
-        access_token_signed_response_alg: 'none'
-        userinfo_signed_response_alg: 'none'
-        token_endpoint_auth_method: 'client_secret_basic'
-      # OpenCloud configuration
-      ## https://docs.opencloud.eu/docs/admin/configuration/authentication-and-user-management/external-idp/
-      ## Web
-      - client_id: 'opencloud'
-        client_name: 'OpenCloud'
-        public: true
-        authorization_policy: 'one_factor'
-        require_pkce: true
-        pkce_challenge_method: 'S256'
-        redirect_uris:
-          - 'https://{{ services['opencloud']['domain']['public'] }}.{{ domain['public'] }}/'
-          - 'https://{{ services['opencloud']['domain']['public'] }}.{{ domain['public'] }}/oidc-callback.html'
-          - 'https://{{ services['opencloud']['domain']['public'] }}.{{ domain['public'] }}/oidc-silent-redirect.html'
-        scopes:
-          - 'openid'
-          - 'profile'
-          - 'email'
-          - 'groups'
-        response_types:
-          - 'code'
-        grant_types:
-          - 'authorization_code'
-        access_token_signed_response_alg: 'RS256'
-        userinfo_signed_response_alg: 'none'
-        token_endpoint_auth_method: 'none'
-      ## desktop
-      - client_id: 'OpenCloudDesktop'
-        client_name: 'OpenCloud'
-        public: true
-        authorization_policy: 'one_factor'
-        require_pkce: true
-        pkce_challenge_method: 'S256'
-        redirect_uris:
-          - 'http://localhost'
-          - 'http://127.0.0.1'
-        scopes:
-          - 'openid'
-          - 'profile'
-          - 'email'
-          - 'groups'
-          - 'offline_access'
-        response_types:
-          - 'code'
-        grant_types:
-          - 'authorization_code'
-          - 'refresh_token'
-        access_token_signed_response_alg: 'RS256'
-        userinfo_signed_response_alg: 'none'
-        token_endpoint_auth_method: 'none'   
-      ## Android
-      - client_id: 'OpenCloudAndroid'
-        client_name: 'OpenCloud'
-        public: true
-        authorization_policy: 'one_factor'
-        require_pkce: true
-        pkce_challenge_method: 'S256'
-        redirect_uris:
-          - 'oc://android.opencloud.eu'
-        scopes:
-          - 'openid'
-          - 'profile'
-          - 'email'
-          - 'groups'
-          - 'offline_access'
-        response_types:
-          - 'code'
-        grant_types:
-          - 'authorization_code'
-          - 'refresh_token'
-        access_token_signed_response_alg: 'RS256'
-        userinfo_signed_response_alg: 'none'
-        token_endpoint_auth_method: 'none'
-      ## IOS
-      - client_id: 'OpenCloudIOS'
-        client_name: 'OpenCloud'
-        public: true
-        authorization_policy: 'one_factor'
-        require_pkce: true
-        pkce_challenge_method: 'S256'
-        redirect_uris:
-          - 'oc://ios.opencloud.eu'
-        scopes:
-          - 'openid'
-          - 'profile'
-          - 'email'
-          - 'groups'
-          - 'offline_access'
-        response_types:
-          - 'code'
-        grant_types:
-          - 'authorization_code'
-          - 'refresh_token'
-        access_token_signed_response_alg: 'RS256'
-        userinfo_signed_response_alg: 'none'
-        token_endpoint_auth_method: 'none'
       # https://docs.affine.pro/self-host-affine/administer/oauth-2-0
       - client_id: 'affine'
         client_name: 'Affine'
@@ -395,27 +238,6 @@ identity_providers:
         access_token_signed_response_alg: 'none'
         userinfo_signed_response_alg: 'none'
         token_endpoint_auth_method: 'client_secret_post'
-      # https://www.authelia.com/integration/openid-connect/clients/ezbookkeeping/
-      - client_id: 'ezbookkeeping'
-        client_name: 'ezBookkeeping'
-        client_secret: '{{ hostvars['console']['ezbookkeeping']['oidc']['hash'] }}'
-        public: false
-        authorization_policy: 'one_factor'
-        require_pkce: true
-        pkce_challenge_method: 'S256'
-        redirect_uris:
-          - 'https://{{ services['ezbookkeeping']['domain']['public'] }}.{{ domain['public'] }}/oauth2/callback'
-        scopes:
-          - 'openid'
-          - 'profile'
-          - 'email'
-        response_types:
-          - 'code'
-        grant_types:
-          - 'authorization_code'
-        access_token_signed_response_alg: 'none'
-        userinfo_signed_response_alg: 'none'
-        token_endpoint_auth_method: 'client_secret_basic'
       # https://www.authelia.com/integration/openid-connect/clients/sure/
       - client_id: 'sure'
         client_name: 'Sure'
@@ -438,49 +260,3 @@ identity_providers:
         access_token_signed_response_alg: 'none'
         userinfo_signed_response_alg: 'none'
         token_endpoint_auth_method: 'client_secret_basic'
-      # https://www.authelia.com/integration/openid-connect/clients/wikijs/
-      - client_id: 'wikijs'
-        client_name: 'Wiki'
-        client_secret: '{{ hostvars['console']['wikijs']['oidc']['hash'] }}'
-        public: false
-        authorization_policy: 'one_factor'
-        require_pkce: false
-        pkce_challenge_method: ''
-        redirect_uris:
-          # add Callback URL / Redirect URI HERE
-          - 'https://{{ services['wikijs']['domain']['public'] }}.{{ domain['public'] }}/login/aa72242e-7058-4cfa-9504-19a4208062ea/callback'  # Note this must be copied during step 7 of the Application configuration.
-        scopes:
-          - 'openid'
-          - 'profile'
-          - 'email'
-        response_types:
-          - 'code'
-        grant_types:
-          - 'authorization_code'
-        access_token_signed_response_alg: 'none'
-        userinfo_signed_response_alg: 'none'
-        token_endpoint_auth_method: 'client_secret_post'
-      # https://www.authelia.com/integration/openid-connect/clients/trillium/
-      # The name is trilium, not trillium
-      - client_id: 'trilium'
-        client_name: 'Trilium Notes'
-        client_secret: '{{ hostvars['console']['trilium']['oidc']['hash'] }}'
-        public: false
-        authorization_policy: 'one_factor'
-        # claims policy above
-        claims_policy: 'trilium'
-        require_pkce: false
-        pkce_challenge_method: ''
-        redirect_uris:
-          - 'https://{{ services['trilium']['domain']['public'] }}.{{ domain['public'] }}/callback'
-        scopes:
-          - 'openid'
-          - 'profile'
-          - 'email'
-        response_types:
-          - 'code'
-        grant_types:
-          - 'authorization_code'
-        access_token_signed_response_alg: 'none'
-        userinfo_signed_response_alg: 'none'
-        token_endpoint_auth_method: 'client_secret_basic'

config/services/containers/common/caddy/etc/app/Caddyfile.j2

@@ -47,30 +47,12 @@
                 header_up Host {http.request.header.X-Forwarded-Host}
         }
 }
-{{ services['actualbudget']['domain']['internal'] }}.{{ domain['internal'] }} {
-        import private_tls
-        reverse_proxy host.containers.internal:{{ services['actualbudget']['ports']['http'] }} {
-                header_up Host {http.request.header.X-Forwarded-Host}
-        }
-}
 {{ services['paperless']['domain']['internal'] }}.{{ domain['internal'] }} {
         import private_tls
         reverse_proxy host.containers.internal:{{ services['paperless']['ports']['http'] }} {
                 header_up Host {http.request.header.X-Forwarded-Host}
         }
 }
-{{ services['vikunja']['domain']['internal'] }}.{{ domain['internal'] }} {
-        import private_tls
-        reverse_proxy host.containers.internal:{{ services['vikunja']['ports']['http'] }} {
-                header_up Host {http.request.header.X-Forwarded-Host}
-        }
-}
-{{ services['opencloud']['domain']['internal'] }}.{{ domain['internal'] }} {
-        import private_tls
-        reverse_proxy host.containers.internal:{{ services['opencloud']['ports']['http'] }} {
-                header_up Host {http.request.header.X-Forwarded-Host}
-        }
-}
 {{ services['affine']['domain']['internal'] }}.{{ domain['internal'] }} {
         import private_tls
         reverse_proxy host.containers.internal:{{ services['affine']['ports']['http'] }} {
@@ -89,27 +71,9 @@
                 header_up Host {http.request.header.X-Forwarded-Host}
         }
 }
-{{ services['ezbookkeeping']['domain']['internal'] }}.{{ domain['internal'] }} {
-        import private_tls
-        reverse_proxy host.containers.internal:{{ services['ezbookkeeping']['ports']['http'] }} {
-                header_up Host {http.request.header.X-Forwarded-Host}
-        }
-}
 {{ services['sure']['domain']['internal'] }}.{{ domain['internal'] }} {
         import private_tls
         reverse_proxy host.containers.internal:{{ services['sure']['ports']['http'] }} {
                 header_up Host {http.request.header.X-Forwarded-Host}
         }
 }
-{{ services['wikijs']['domain']['internal'] }}.{{ domain['internal'] }} {
-        import private_tls
-        reverse_proxy host.containers.internal:{{ services['wikijs']['ports']['http'] }} {
-                header_up Host {http.request.header.X-Forwarded-Host}
-        }
-}
-{{ services['trilium']['domain']['internal'] }}.{{ domain['internal'] }} {
-        import private_tls
-        reverse_proxy host.containers.internal:{{ services['trilium']['ports']['http'] }} {
-                header_up Host {http.request.header.X-Forwarded-Host}
-        }
-}

config/services/containers/common/caddy/etc/auth/Caddyfile.j2

@@ -91,15 +91,6 @@
                 }
         }
 }
-{{ services['actualbudget']['domain']['public'] }}.{{ domain['public'] }} {
-        import crowdsec_log
-        route {
-                crowdsec
-                reverse_proxy https://{{ services['actualbudget']['domain']['internal'] }}.{{ domain['internal'] }} {
-                        header_up Host {http.reverse_proxy.upstream.host}
-                }
-        }
-}
 {{ services['paperless']['domain']['public'] }}.{{ domain['public'] }} {
         import crowdsec_log
         route {
@@ -109,24 +100,6 @@
                 }
         }  
 }
-{{ services['vikunja']['domain']['public'] }}.{{ domain['public'] }} {
-        import crowdsec_log
-        route {
-                crowdsec
-                reverse_proxy https://{{ services['vikunja']['domain']['internal'] }}.{{ domain['internal'] }} {
-                        header_up Host {http.reverse_proxy.upstream.host}
-                }
-        }
-}
-{{ services['opencloud']['domain']['public'] }}.{{ domain['public'] }} {
-        import crowdsec_log
-        route {
-                crowdsec
-                reverse_proxy https://{{ services['opencloud']['domain']['internal'] }}.{{ domain['internal'] }} {
-                        header_up Host {http.reverse_proxy.upstream.host}
-                }
-        }
-}
 {{ services['affine']['domain']['public'] }}.{{ domain['public'] }} {
         import crowdsec_log
         route {
@@ -154,15 +127,6 @@
                 }
         }
 }
-{{ services['ezbookkeeping']['domain']['public'] }}.{{ domain['public'] }} {
-        import crowdsec_log
-        route {
-                crowdsec
-                reverse_proxy https://{{services['ezbookkeeping']['domain']['internal'] }}.{{ domain['internal'] }} {
-                        header_up Host {http.reverse_proxy.upstream.host}
-                }
-        }
-}
 {{ services['sure']['domain']['public'] }}.{{ domain['public'] }} {
         import crowdsec_log
         route {
@@ -172,24 +136,6 @@
                 }
         }
 }
-{{ services['wikijs']['domain']['public'] }}.{{ domain['public'] }} {
-        import crowdsec_log
-        route {
-                crowdsec
-                reverse_proxy https://{{services['wikijs']['domain']['internal'] }}.{{ domain['internal'] }} {
-                        header_up Host {http.reverse_proxy.upstream.host}
-                }
-        }
-}
-{{ services['trilium']['domain']['public'] }}.{{ domain['public'] }} {
-        import crowdsec_log
-        route {
-                crowdsec
-                reverse_proxy https://{{services['trilium']['domain']['internal'] }}.{{ domain['internal'] }} {
-                        header_up Host {http.reverse_proxy.upstream.host}
-                }
-        }
-}
 
 # Internal domain
 {{ node['name'] }}.{{ domain['internal'] }} {

config/services/systemd/common/crowdsec/bouncers/whitelists.yaml.j2

@@ -12,12 +12,8 @@ whitelist:
         - "{{ hostvars['fw']['network6']['console']['wg'] }}"
 {% if node['name'] == 'auth' %}
     expression:
-        # budget local-first sql scrap rule
-        - "evt.Meta.target_fqdn == '{{ services['actualbudget']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status in ['200', '304'] && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/data/migrations/'"
         # immich thumbnail request 404 error false positive
         - "evt.Meta.target_fqdn == '{{ services['immich']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/api/assets/' && evt.Meta.http_path contains '/thumbnail'"
-        # opencloud chunk request false positive
-        - "evt.Meta.target_fqdn == '{{ services['opencloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status in ['200', '304'] && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/js/chunks/'"
         # nextcloud thumbnail/preview request error false positive
         - "evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' &&  evt.Meta.http_path startsWith '/index.php/core/preview?'"
 {% endif %}

docs/archives/services/app/actual-budget/authelia.yaml

@@ -0,0 +1,26 @@
+---
+identity_providers:
+  oidc:
+    clients:
+      # https://www.authelia.com/integration/openid-connect/clients/actual-budget/
+      - client_id: 'actual-budget'
+        client_name: 'Actual Budget'
+        client_secret: 'secret'
+        public: false
+        authorization_policy: 'one_factor'
+        require_pkce: false
+        pkce_challenge_method: ''
+        redirect_uris:
+          - 'https://actualbudget.example.com/openid/callback'
+        scopes:
+          - 'openid'
+          - 'profile'
+          - 'groups'
+          - 'email'
+        response_types:
+          - 'code'
+        grant_types:
+          - 'authorization_code'
+        access_token_signed_response_alg: 'none'
+        userinfo_signed_response_alg: 'none'
+        token_endpoint_auth_method: 'client_secret_basic'

docs/archives/services/app/actual-budget/crowdsec-whitelist.yaml

@@ -0,0 +1,6 @@
+name: crowdsecurity/whitelists
+description: "Local whitelist policy"
+whitelist:
+    expression:
+        # budget local-first sql scrap rule
+        - "evt.Meta.target_fqdn == '{{ services['actualbudget']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status in ['200', '304'] && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/data/migrations/'"

docs/archives/services/app/actual-budget/group_vars.yaml

@@ -0,0 +1,13 @@
+---
+services:
+    actualbudget:
+      domain:
+        public: ""
+        internal: ""
+      ports:
+        http: ""
+      subuid: "101000"
+
+version:
+  containers:
+    actualbudget: "26.3.0"

docs/archives/services/app/actual-budget/secret.example.yaml

@@ -0,0 +1,5 @@
+---
+actualbudget:
+  oidc:
+    secret: ""
+    hash: ""

docs/archives/services/app/ezbookkeeping/authelia.yaml

@@ -0,0 +1,25 @@
+---
+identity_providers:
+  oidc:
+    clients:
+      # https://www.authelia.com/integration/openid-connect/clients/ezbookkeeping/
+      - client_id: 'ezbookkeeping'
+        client_name: 'ezBookkeeping'
+        client_secret: 'hash'
+        public: false
+        authorization_policy: 'one_factor'
+        require_pkce: true
+        pkce_challenge_method: 'S256'
+        redirect_uris:
+          - 'https://ezbookkeeping.example.com/oauth2/callback'
+        scopes:
+          - 'openid'
+          - 'profile'
+          - 'email'
+        response_types:
+          - 'code'
+        grant_types:
+          - 'authorization_code'
+        access_token_signed_response_alg: 'none'
+        userinfo_signed_response_alg: 'none'
+        token_endpoint_auth_method: 'client_secret_basic'

docs/archives/services/app/ezbookkeeping/ezbookkeeping.container.j2

@@ -58,4 +58,4 @@ RestartSec=10s
 TimeoutStopSec=120
 
 [Install]
-WantedBy=default.target
+WantedBy=default.target

docs/archives/services/app/ezbookkeeping/group_vars.yaml

@@ -0,0 +1,13 @@
+---
+services:
+  ezbookkeeping:
+    domain:
+      public: ""
+      internal: ""
+    ports:
+      http: ""
+    subuid: "100999"
+
+version:
+  containers:
+    ezbookkeeping: "1.4.0"

docs/archives/services/app/ezbookkeeping/secret.example.yaml

@@ -0,0 +1,8 @@
+---
+postgresql:
+  password:
+    ezbookkeeping: ""
+ezbookkeeping:
+  oidc:
+    secret: ""
+    hash: ""

docs/archives/services/app/opencloud/authelia.yaml

@@ -0,0 +1,110 @@
+---
+identity_providers:
+  oidc:
+    # For the app which doesn't use secret.
+    cors:
+      endpoints:
+        - 'authorization'
+        - 'token'
+        - 'revocation'
+        - 'introspection'
+        - 'userinfo'
+      allowed_origins:
+        - 'https://opencloud.example.com'
+      allowed_origins_from_client_redirect_uris: true
+    clients:
+# OpenCloud configuration
+      ## https://docs.opencloud.eu/docs/admin/configuration/authentication-and-user-management/external-idp/
+      ## Web
+      - client_id: 'opencloud'
+        client_name: 'OpenCloud'
+        public: true
+        authorization_policy: 'one_factor'
+        require_pkce: true
+        pkce_challenge_method: 'S256'
+        redirect_uris:
+          - 'https://opencloud.example.com/'
+          - 'https://opencloud.example.com/oidc-callback.html'
+          - 'https://opencloud.example.com/oidc-silent-redirect.html'
+        scopes:
+          - 'openid'
+          - 'profile'
+          - 'email'
+          - 'groups'
+        response_types:
+          - 'code'
+        grant_types:
+          - 'authorization_code'
+        access_token_signed_response_alg: 'RS256'
+        userinfo_signed_response_alg: 'none'
+        token_endpoint_auth_method: 'none'
+      ## desktop
+      - client_id: 'OpenCloudDesktop'
+        client_name: 'OpenCloud'
+        public: true
+        authorization_policy: 'one_factor'
+        require_pkce: true
+        pkce_challenge_method: 'S256'
+        redirect_uris:
+          - 'http://localhost'
+          - 'http://127.0.0.1'
+        scopes:
+          - 'openid'
+          - 'profile'
+          - 'email'
+          - 'groups'
+          - 'offline_access'
+        response_types:
+          - 'code'
+        grant_types:
+          - 'authorization_code'
+          - 'refresh_token'
+        access_token_signed_response_alg: 'RS256'
+        userinfo_signed_response_alg: 'none'
+        token_endpoint_auth_method: 'none'   
+      ## Android
+      - client_id: 'OpenCloudAndroid'
+        client_name: 'OpenCloud'
+        public: true
+        authorization_policy: 'one_factor'
+        require_pkce: true
+        pkce_challenge_method: 'S256'
+        redirect_uris:
+          - 'oc://android.opencloud.eu'
+        scopes:
+          - 'openid'
+          - 'profile'
+          - 'email'
+          - 'groups'
+          - 'offline_access'
+        response_types:
+          - 'code'
+        grant_types:
+          - 'authorization_code'
+          - 'refresh_token'
+        access_token_signed_response_alg: 'RS256'
+        userinfo_signed_response_alg: 'none'
+        token_endpoint_auth_method: 'none'
+      ## IOS
+      - client_id: 'OpenCloudIOS'
+        client_name: 'OpenCloud'
+        public: true
+        authorization_policy: 'one_factor'
+        require_pkce: true
+        pkce_challenge_method: 'S256'
+        redirect_uris:
+          - 'oc://ios.opencloud.eu'
+        scopes:
+          - 'openid'
+          - 'profile'
+          - 'email'
+          - 'groups'
+          - 'offline_access'
+        response_types:
+          - 'code'
+        grant_types:
+          - 'authorization_code'
+          - 'refresh_token'
+        access_token_signed_response_alg: 'RS256'
+        userinfo_signed_response_alg: 'none'
+        token_endpoint_auth_method: 'none'

docs/archives/services/app/opencloud/crowdsec-whitelist.yaml

@@ -0,0 +1,6 @@
+name: crowdsecurity/whitelists
+description: "Local whitelist policy"
+whitelist:
+    expression:
+        # opencloud chunk request false positive
+        - "evt.Meta.target_fqdn == '{{ services['opencloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status in ['200', '304'] && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/js/chunks/'"

docs/archives/services/app/opencloud/etc/csp.yaml.j2

@@ -35,4 +35,4 @@ directives:
     - '''unsafe-inline'''
   worker-src:
     - '''self'''
-    - 'blob:'
+    - 'blob:'

docs/archives/services/app/opencloud/group_vars.yaml

@@ -0,0 +1,13 @@
+---
+services:
+  opencloud:
+    domain:
+      public: ""
+      internal: ""
+    ports:
+      http: ""
+    subuid: "100999"
+
+version:
+  containers:
+    opencloud: "4.0.6"

docs/archives/services/app/opencloud/secret.example.yaml

@@ -0,0 +1,3 @@
+---
+opencloud:
+  admin: ""

docs/archives/services/app/trilium/authelia.yaml

@@ -0,0 +1,36 @@
+---
+identity_providers:
+  oidc:
+    claims_policies:
+      # trilium expects name/email value in id token, but authelia doesn't send it basically
+      trilium:
+        id_token:
+          - email
+          - email_verified
+          - preferred_username
+          - name
+    clients:
+      # https://www.authelia.com/integration/openid-connect/clients/trillium/
+      # The name is trilium, not trillium
+      - client_id: 'trilium'
+        client_name: 'Trilium Notes'
+        client_secret: 'hash'
+        public: false
+        authorization_policy: 'one_factor'
+        # claims policy above
+        claims_policy: 'trilium'
+        require_pkce: false
+        pkce_challenge_method: ''
+        redirect_uris:
+          - 'https://trilium.example.com/callback'
+        scopes:
+          - 'openid'
+          - 'profile'
+          - 'email'
+        response_types:
+          - 'code'
+        grant_types:
+          - 'authorization_code'
+        access_token_signed_response_alg: 'none'
+        userinfo_signed_response_alg: 'none'
+        token_endpoint_auth_method: 'client_secret_basic'

docs/archives/services/app/trilium/group_vars.yaml

@@ -0,0 +1,13 @@
+---
+services:
+  trilium:
+    domain:
+      public: ""
+      internal: ""
+    ports:
+      http: ""
+    subuid: "100999"
+
+version:
+  containers:
+    trilium: "v0.102.2"

docs/archives/services/app/trilium/secret.example.yaml

@@ -0,0 +1,6 @@
+---
+trilium:
+  admin: ""
+  oidc:
+    secret: ""
+    hash: ""

docs/archives/services/app/vikunja/authelia.yaml

@@ -0,0 +1,25 @@
+---
+identity_providers:
+  oidc:
+    clients:
+      # https://www.authelia.com/integration/openid-connect/clients/vikunja/
+      - client_id: 'vikunja'
+        client_name: 'Vikunja'
+        client_secret: 'hash'
+        public: false
+        authorization_policy: 'one_factor'
+        require_pkce: false
+        pkce_challenge_method: ''
+        redirect_uris:
+          - 'https://vikunja.example.com/auth/openid/authelia'
+        scopes:
+          - 'openid'
+          - 'profile'
+          - 'email'
+        response_types:
+          - 'code'
+        grant_types:
+          - 'authorization_code'
+        access_token_signed_response_alg: 'none'
+        userinfo_signed_response_alg: 'none'
+        token_endpoint_auth_method: 'client_secret_basic'

docs/archives/services/app/vikunja/group_vars.yaml

@@ -0,0 +1,13 @@
+---
+services:
+  vikunja:
+    domain:
+      public: ""
+      internal: ""
+    ports:
+      http: ""
+    subuid: "100999"
+
+version:
+  containers:
+    vikunja: "2.2.2"

docs/archives/services/app/vikunja/secret.example.yaml

@@ -0,0 +1,9 @@
+---
+postgresql:
+  password:
+    vikunja: ""
+vikunja:
+  session_secret: ""
+  oidc:
+    secret: ""
+    hash: ""

docs/archives/services/app/wikijs/authelia.yaml

@@ -0,0 +1,26 @@
+---
+identity_providers:
+  oidc:
+    clients:
+      # https://www.authelia.com/integration/openid-connect/clients/wikijs/
+      - client_id: 'wikijs'
+        client_name: 'Wiki'
+        client_secret: 'hash'
+        public: false
+        authorization_policy: 'one_factor'
+        require_pkce: false
+        pkce_challenge_method: ''
+        redirect_uris:
+          # add Callback URL / Redirect URI HERE
+          - 'https://wikijs.example.com/login/$UUID/callback'  # Note this must be copied during step 7 of the Application configuration.
+        scopes:
+          - 'openid'
+          - 'profile'
+          - 'email'
+        response_types:
+          - 'code'
+        grant_types:
+          - 'authorization_code'
+        access_token_signed_response_alg: 'none'
+        userinfo_signed_response_alg: 'none'
+        token_endpoint_auth_method: 'client_secret_post'

docs/archives/services/app/wikijs/group_vars.yaml

@@ -0,0 +1,13 @@
+---
+services:
+  wikijs:
+    domain:
+      public: ""
+      internal: ""
+    ports:
+      http: ""
+    subuid: "100999"
+
+version:
+  containers:
+    wikijs: "2.5.314"

docs/archives/services/app/wikijs/secret.example.yaml

@@ -0,0 +1,9 @@
+---
+postgresql:
+  password: 
+    wikijs: ""
+wikijs:
+  admin: ""
+  oidc:
+    secret: ""
+    hash: ""

docs/specifications/environments.md

@@ -117,24 +117,15 @@
         - [x] Vaultwarden
         - [x] Gitea
         - [x] Immich
-        - [x] Actual budget
         - [x] Paperless-ngx
-        - [x] vikunja (Comparing to Nextcloud deck)
+        - [x] affine
-        - [x] OpenCloud (Comparing to Nextcloud)
+            - integrated document management via markdown, whiteboard, canvas
-        - [x] affine (Notion substitution)
+        - [x] Nextcloud
-        - [x] Nextcloud (Use nextcloud as CalDAV and CardDav, kanban and todo)
+            - Use Nextcloud as CalDAV and CardDav, kanban and todo
-        - [x] Collabora office (Link to Nextcloud, it works well)
+        - [x] Collabora office
-        - [x] ezBookkeeping 
+            - Link to Nextcloud
-            - use budget.ilnmors.com for ezBookkeeping, actual budget domain is changed as actualbudget.ilnmors.com
         - [x] sure
-            - comparing sure, ezBookkeeping, and actualbudget
+            - budget and finance
-            - ezbookkeeping has no function to share the account and budget to the other users.
-            - actual budget's YNAB way is hard to adjust
-            - sure is heavy, but it is not YNAB and it allows to share account the other users
-        - [x] wiki.js
-            - check wiki.js to use as base wiki of documents.
-        - [x] TriliumNext
-            - UNSTABLE, it is impossible to use.
         - [ ] memos
         - WriteFreely or directus + frontend(Astro)
         - MediaCMS or PeerTube
@@ -146,11 +137,19 @@
         - Ralph
         - Conduit
         - SnappyMail
-    <!--
+    - archived services:
-        - n8n
+        - [x] Actual budget
-    - Forward_auth
+            - YNAB way is hard to adjust
-        - Homepage
+        - [x] OpenCloud
-    -->
+            - Nextcloud is more stable
+        - [x] vikunja
+            - integrated experience from Nextcloud is better
+        - [x] ezBookkeeping
+            - No sharing budget function
+        - [x] wiki.js
+            - Too complex, too heavy
+        - [x] TriliumNext
+            - OIDC errors, and trilium itself is unstable
 
 ## External Backup server