1.7.0: Release vikunja

roles: update set_immich.yaml to add redis_immich container restart logic
roles, config, docs: update set_paperless.yaml, paperless.container.j2, paperless-ngx.md to add redis_paperless container restart logic and to optimize paperless-ngx configuration
2026-03-28 10:44:18 +09:00 · 2026-03-28 10:19:41 +09:00 · 2026-03-25 23:47:50 +09:00 · 2026-03-25 19:44:28 +09:00 · 2026-03-25 00:01:06 +09:00 · 2026-03-24 21:55:04 +09:00
43 changed files with 1775 additions and 23 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 .ansible
 data/bin/*
 data/volumes/*
 data/images/*
--- a/ansible/inventory/group_vars/all.yaml
+++ b/ansible/inventory/group_vars/all.yaml
@@ -72,3 +72,11 @@ version:
    vectorchord: "0.5.3"
    # Auth
    authelia: "4.39.15"
    # App
    vaultwarden: "1.35.4"
    gitea: "1.25.5"
    redis: "8.6.1"
    immich: "v2.6.2"
    actualbudget: "26.3.0"
    paperless: "2.20.13"
    vikunja: "2.2.2"
--- a/ansible/inventory/host_vars/app.yaml
+++ b/ansible/inventory/host_vars/app.yaml
@@ -39,3 +39,7 @@ storage:
    label: "APP_DATA"
    level: "raid10"
    mount_point: "/home/app/data"
 redis:
  immich: "6379"
  paperless: "6380"
--- a/ansible/playbooks/app/site.yaml
+++ b/ansible/playbooks/app/site.yaml
@@ -153,6 +153,62 @@
          tags: ["site", "kopia"]
      tags: ["site", "kopia"]
    - name: Set caddy
      ansible.builtin.include_role:
        name: "common"
        tasks_from: "services/set_caddy"
        apply:
          tags: ["site", "caddy"]
      tags: ["site", "caddy"]
    - name: Set vaultwarden
      ansible.builtin.include_role:
        name: "app"
        tasks_from: "services/set_vaultwarden"
        apply:
          tags: ["site", "vaultwarden"]
      tags: ["site", "vaultwarden"]
    - name: Set gitea
      ansible.builtin.include_role:
        name: "app"
        tasks_from: "services/set_gitea"
        apply:
          tags: ["site", "gitea"]
      tags: ["site", "gitea"]
    - name: Set immich
      ansible.builtin.include_role:
        name: "app"
        tasks_from: "services/set_immich"
        apply:
          tags: ["site", "immich"]
      tags: ["site", "immich"]
    - name: Set actual budget
      ansible.builtin.include_role:
        name: "app"
        tasks_from: "services/set_actual-budget"
        apply:
          tags: ["site", "actual-budget"]
      tags: ["site", "actual-budget"]
    - name: Set paperless
      ansible.builtin.include_role:
        name: "app"
        tasks_from: "services/set_paperless"
        apply:
          tags: ["site", "paperless"]
      tags: ["site", "paperless"]
    - name: Set vikunja
      ansible.builtin.include_role:
        name: "app"
        tasks_from: "services/set_vikunja"
        apply:
          tags: ["site", "vikunja"]
      tags: ["site", "vikunja"]
    - name: Flush handlers right now
      ansible.builtin.meta: "flush_handlers"
--- a/ansible/roles/app/handlers/main.yaml
+++ b/ansible/roles/app/handlers/main.yaml
@@ -0,0 +1,77 @@
 ---
 - name: Restart vaultwarden
  ansible.builtin.systemd:
    name: "vaultwarden.service"
    state: "restarted"
    enabled: true
    scope: "user"
    daemon_reload: true
  changed_when: false
  listen: "notification_restart_vaultwarden"
  ignore_errors: true # noqa: ignore-errors
 - name: Restart gitea
  ansible.builtin.systemd:
    name: "gitea.service"
    state: "restarted"
    enabled: true
    scope: "user"
    daemon_reload: true
  changed_when: false
  listen: "notification_restart_gitea"
  ignore_errors: true # noqa: ignore-errors
 - name: Restart immich
  ansible.builtin.systemd:
    name: "immich.service"
    state: "restarted"
    enabled: true
    scope: "user"
    daemon_reload: true
  changed_when: false
  listen: "notification_restart_immich"
  ignore_errors: true # noqa: ignore-errors
 - name: Restart immich-ml
  ansible.builtin.systemd:
    name: "immich-ml.service"
    state: "restarted"
    enabled: true
    scope: "user"
    daemon_reload: true
  changed_when: false
  listen: "notification_restart_immich-ml"
  ignore_errors: true # noqa: ignore-errors
 - name: Restart actual-budget
  ansible.builtin.systemd:
    name: "actual-budget.service"
    state: "restarted"
    enabled: true
    scope: "user"
    daemon_reload: true
  changed_when: false
  listen: "notification_restart_actual-budget"
  ignore_errors: true # noqa: ignore-errors
 - name: Restart paperless
  ansible.builtin.systemd:
    name: "paperless.service"
    state: "restarted"
    enabled: true
    scope: "user"
    daemon_reload: true
  changed_when: false
  listen: "notification_restart_paperless"
  ignore_errors: true # noqa: ignore-errors
 - name: Restart vikunja
  ansible.builtin.systemd:
    name: "vikunja.service"
    state: "restarted"
    enabled: true
    scope: "user"
    daemon_reload: true
  changed_when: false
  listen: "notification_restart_vikunja"
  ignore_errors: true # noqa: ignore-errors
--- a/ansible/roles/app/tasks/services/set_actual-budget.yaml
+++ b/ansible/roles/app/tasks/services/set_actual-budget.yaml
@@ -0,0 +1,39 @@
 ---
 - name: Set actual budget container subuid
  ansible.builtin.set_fact:
    actualbudget_subuid: "101000"
 - name: Create actual budget directory
  ansible.builtin.file:
    path: "{{ node['home_path'] }}/data/containers/actual-budget"
    state: "directory"
    owner: "{{ actualbudget_subuid }}"
    group: "svadmins"
    mode: "0770"
  become: true
 - name: Register secret value to podman secret
  containers.podman.podman_secret:
    name: "ACTUAL_OPENID_CLIENT_SECRET"
    data: "{{ hostvars['console']['actualbudget']['oidc']['secret'] }}"
    state: "present"
    force: true
  notify: "notification_restart_actual-budget"
  no_log: true
 - name: Deploy container file
  ansible.builtin.template:
    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/actual-budget/actual-budget.container.j2"
    dest: "{{ node['home_path'] }}/.config/containers/systemd/actual-budget.container"
    owner: "{{ ansible_user }}"
    group: "svadmins"
    mode: "0644"
  notify: "notification_restart_actual-budget"
 - name: Enable actual-budget.service
  ansible.builtin.systemd:
    name: "actual-budget.service"
    state: "started"
    enabled: true
    daemon_reload: true
    scope: "user"
--- a/ansible/roles/app/tasks/services/set_gitea.yaml
+++ b/ansible/roles/app/tasks/services/set_gitea.yaml
@@ -0,0 +1,55 @@
 ---
 - name: Set gitea container subuid
  ansible.builtin.set_fact:
    gitea_subuid: "100999"
 - name: Create gitea directory
  ansible.builtin.file:
    path: "{{ node['home_path'] }}/{{ item }}"
    state: "directory"
    owner: "{{ gitea_subuid }}"
    group: "svadmins"
    mode: "0770"
  loop:
    - "data/containers/gitea"
    - "containers/gitea"
    - "containers/gitea/ssl"
  become: true
 - name: Deploy root certificate
  ansible.builtin.copy:
    content: |
      {{ hostvars['console']['ca']['root']['crt'] }}
    dest: "{{ node['home_path'] }}/containers/gitea/ssl/ilnmors_root_ca.crt"
    owner: "{{ gitea_subuid }}"
    group: "svadmins"
    mode: "0440"
  become: true
  notify: "notification_restart_gitea"
  no_log: true
 - name: Register secret value to podman secret
  containers.podman.podman_secret:
    name: "GITEA__database__PASSWD"
    data: "{{ hostvars['console']['postgresql']['password']['gitea'] }}"
    state: "present"
    force: true
  notify: "notification_restart_gitea"
  no_log: true
 - name: Deploy container file
  ansible.builtin.template:
    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/gitea/gitea.container.j2"
    dest: "{{ node['home_path'] }}/.config/containers/systemd/gitea.container"
    owner: "{{ ansible_user }}"
    group: "svadmins"
    mode: "0644"
  notify: "notification_restart_gitea"
 - name: Enable gitea.service
  ansible.builtin.systemd:
    name: "gitea.service"
    state: "started"
    enabled: true
    daemon_reload: true
    scope: "user"
--- a/ansible/roles/app/tasks/services/set_immich.yaml
+++ b/ansible/roles/app/tasks/services/set_immich.yaml
@@ -0,0 +1,121 @@
 ---
 - name: Set redis service name
  ansible.builtin.set_fact:
    redis_service: "immich"
    redis_subuid: "100998"
 - name: Create redis_immich directory
  ansible.builtin.file:
    path: "{{ node['home_path'] }}/{{ item }}"
    state: "directory"
    owner: "{{ redis_subuid }}"
    group: "svadmins"
    mode: "0770"
  loop:
    - "containers/redis"
    - "containers/redis/{{ redis_service }}"
    - "containers/redis/{{ redis_service }}/data"
  become: true
 - name: Deploy redis config file
  ansible.builtin.template:
    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/redis/redis.conf.j2"
    dest: "{{ node['home_path'] }}/containers/redis/{{ redis_service }}/redis.conf"
    owner: "{{ ansible_user }}"
    group: "svadmins"
    mode: "0644"
  register: "is_redis_conf"
 - name: Deploy redis container file
  ansible.builtin.template:
    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/redis/redis.container.j2"
    dest: "{{ node['home_path'] }}/.config/containers/systemd/redis_{{ redis_service }}.container"
    owner: "{{ ansible_user }}"
    group: "svadmins"
    mode: "0644"
  register: "is_redis_containerfile"
 - name: Enable (Restart) redis service
  ansible.builtin.systemd:
    name: "redis_{{ redis_service }}.service"
    state: "restarted"
    enabled: true
    daemon_reload: true
    scope: "user"
  when: is_redis_conf.changed or is_redis_containerfile.changed # noqa: no-handler
 - name: Add user in video, render group
  ansible.builtin.user:
    name: "{{ ansible_user }}"
    state: "present"
    groups: "video, render"
    append: true
  become: true
 - name: Create immich directory
  ansible.builtin.file:
    path: "{{ node['home_path'] }}/{{ item }}"
    state: "directory"
    owner: "{{ ansible_user }}"
    group: "svadmins"
    mode: "0770"
  loop:
    - "data/containers/immich"
    - "containers/immich"
    - "containers/immich/ssl"
    - "containers/immich/ml"
    - "containers/immich/ml/cache"
 - name: Deploy root certificate
  ansible.builtin.copy:
    content: |
      {{ hostvars['console']['ca']['root']['crt'] }}
    dest: "{{ node['home_path'] }}/containers/immich/ssl/ilnmors_root_ca.crt"
    owner: "{{ ansible_user }}"
    group: "svadmins"
    mode: "0440"
  notify: "notification_restart_immich"
  no_log: true
 - name: Register secret value to podman secret
  containers.podman.podman_secret:
    name: "IMMICH_DB_PASSWORD"
    data: "{{ hostvars['console']['postgresql']['password']['immich'] }}"
    state: "present"
    force: true
  notify: "notification_restart_immich"
  no_log: true
 - name: Deploy immich.container file
  ansible.builtin.template:
    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/immich/immich.container.j2"
    dest: "{{ node['home_path'] }}/.config/containers/systemd/immich.container"
    owner: "{{ ansible_user }}"
    group: "svadmins"
    mode: "0644"
  notify: "notification_restart_immich"
 - name: Deploy immich-ml.container file
  ansible.builtin.template:
    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/immich/immich-ml.container.j2"
    dest: "{{ node['home_path'] }}/.config/containers/systemd/immich-ml.container"
    owner: "{{ ansible_user }}"
    group: "svadmins"
    mode: "0644"
  notify: "notification_restart_immich-ml"
 - name: Enable immich.service
  ansible.builtin.systemd:
    name: "immich.service"
    state: "started"
    enabled: true
    daemon_reload: true
    scope: "user"
 - name: Enable immich-ml.service
  ansible.builtin.systemd:
    name: "immich-ml.service"
    state: "started"
    enabled: true
    daemon_reload: true
    scope: "user"
--- a/ansible/roles/app/tasks/services/set_paperless.yaml
+++ b/ansible/roles/app/tasks/services/set_paperless.yaml
@@ -0,0 +1,129 @@
 ---
 - name: Set redis service name
  ansible.builtin.set_fact:
    redis_service: "paperless"
    redis_subuid: "100998"
 - name: Create redis_paperless directory
  ansible.builtin.file:
    path: "{{ node['home_path'] }}/{{ item }}"
    state: "directory"
    owner: "{{ redis_subuid }}"
    group: "svadmins"
    mode: "0770"
  loop:
    - "containers/redis"
    - "containers/redis/{{ redis_service }}"
    - "containers/redis/{{ redis_service }}/data"
  become: true
 - name: Deploy redis config file
  ansible.builtin.template:
    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/redis/redis.conf.j2"
    dest: "{{ node['home_path'] }}/containers/redis/{{ redis_service }}/redis.conf"
    owner: "{{ ansible_user }}"
    group: "svadmins"
    mode: "0644"
  register: "is_redis_conf"
 - name: Deploy redis container file
  ansible.builtin.template:
    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/redis/redis.container.j2"
    dest: "{{ node['home_path'] }}/.config/containers/systemd/redis_{{ redis_service }}.container"
    owner: "{{ ansible_user }}"
    group: "svadmins"
    mode: "0644"
  register: "is_redis_containerfile"
 - name: Enable (Restart) redis service
  ansible.builtin.systemd:
    name: "redis_{{ redis_service }}.service"
    state: "restarted"
    enabled: true
    daemon_reload: true
    scope: "user"
  when: is_redis_conf.changed or is_redis_containerfile.changed # noqa: no-handler
 - name: Set paperless subuid
  ansible.builtin.set_fact:
    paperless_subuid: "100999"
 - name: Create paperless directory
  ansible.builtin.file:
    path: "{{ node['home_path'] }}/{{ item }}"
    state: "directory"
    owner: "{{ paperless_subuid }}"
    group: "svadmins"
    mode: "0770"
  loop:
    - "data/containers/paperless"
    - "data/containers/paperless/data"
    - "data/containers/paperless/media"
    - "data/containers/paperless/consume"
    - "containers/paperless"
    - "containers/paperless/ssl"
  become: true
 - name: Deploy root certificate
  ansible.builtin.copy:
    content: |
      {{ hostvars['console']['ca']['root']['crt'] }}
    dest: "{{ node['home_path'] }}/containers/paperless/ssl/ilnmors_root_ca.crt"
    owner: "{{ paperless_subuid }}"
    group: "svadmins"
    mode: "0440"
  become: true
  notify: "notification_restart_paperless"
  no_log: true
 - name: Register secret value to podman secret
  containers.podman.podman_secret:
    name: "{{ item.name }}"
    data: "{{ item.value }}"
    state: "present"
    force: true
  loop:
    - name: "PAPERLESS_SECRET_KEY"
      value: "{{ hostvars['console']['paperless']['session_secret'] }}"
    - name: "PAPERLESS_DBPASS"
      value: "{{ hostvars['console']['postgresql']['password']['paperless'] }}"
    - name: "PAPERLESS_SOCIALACCOUNT_PROVIDERS"
      value: |-
        {
          "openid_connect": {
            "SCOPE": ["openid", "profile", "email"],
            "OAUTH_PKCE_ENABLED": true,
            "APPS": [
              {
                "provider_id": "authelia",
                "name": "Authelia",
                "client_id": "paperless",
                "secret": "{{ hostvars['console']['paperless']['oidc']['secret'] }}",
                "settings": {
                  "server_url": "https://authelia.ilnmors.com/.well-known/openid-configuration",
                  "token_auth_method": "client_secret_post"
                }
              }
            ]
          }
        }
  notify: "notification_restart_paperless"
  no_log: true
 - name: Deploy paperless.container file
  ansible.builtin.template:
    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/paperless/paperless.container.j2"
    dest: "{{ node['home_path'] }}/.config/containers/systemd/paperless.container"
    owner: "{{ ansible_user }}"
    group: "svadmins"
    mode: "0644"
  notify: "notification_restart_paperless"
 - name: Enable paperless.service
  ansible.builtin.systemd:
    name: "paperless.service"
    state: "started"
    enabled: true
    daemon_reload: true
    scope: "user"
--- a/ansible/roles/app/tasks/services/set_vaultwarden.yaml
+++ b/ansible/roles/app/tasks/services/set_vaultwarden.yaml
@@ -0,0 +1,56 @@
 ---
 - name: Create vaultwarden directory
  ansible.builtin.file:
    path: "{{ node['home_path'] }}/{{ item }}"
    state: "directory"
    owner: "{{ ansible_user }}"
    group: "svadmins"
    mode: "0770"
  loop:
    - "data/containers/vaultwarden"
    - "containers/vaultwarden"
    - "containers/vaultwarden/ssl"
 - name: Deploy root certificate
  ansible.builtin.copy:
    content: |
      {{ hostvars['console']['ca']['root']['crt'] }}
    dest: "{{ node['home_path'] }}/containers/vaultwarden/ssl/ilnmors_root_ca.crt"
    owner: "{{ ansible_user }}"
    group: "svadmins"
    mode: "0440"
  become: true
  notify: "notification_restart_vaultwarden"
  no_log: true
 - name: Register secret value to podman secret
  containers.podman.podman_secret:
    name: "{{ item.name }}"
    data: "{{ item.value }}"
    state: "present"
    force: true
  loop:
    - name: "VW_ADMIN_TOKEN"
      value: "{{ hostvars['console']['vaultwarden']['admin']['hash'] }}"
    - name: "VW_DATABASE_URL"
      value: "postgresql://vaultwarden:{{ hostvars['console']['postgresql']['password']['vaultwarden'] | urlencode | replace('/', '%2F') }}\
        @{{ infra_uri['postgresql']['domain'] }}/vaultwarden_db?sslmode=verify-full&sslrootcert=/etc/ssl/vaultwarden/ilnmors_root_ca.crt"
  notify: "notification_restart_vaultwarden"
  no_log: true
 - name: Deploy container file
  ansible.builtin.template:
    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/vaultwarden/vaultwarden.container.j2"
    dest: "{{ node['home_path'] }}/.config/containers/systemd/vaultwarden.container"
    owner: "{{ ansible_user }}"
    group: "svadmins"
    mode: "0644"
  notify: "notification_restart_vaultwarden"
 - name: Enable vaultwarden.service
  ansible.builtin.systemd:
    name: "vaultwarden.service"
    state: "started"
    enabled: true
    daemon_reload: true
    scope: "user"
--- a/ansible/roles/app/tasks/services/set_vikunja.yaml
+++ b/ansible/roles/app/tasks/services/set_vikunja.yaml
@@ -0,0 +1,62 @@
 ---
 - name: Set vikunja subuid
  ansible.builtin.set_fact:
    vikunja_subuid: "100999"
 - name: Create paperless directory
  ansible.builtin.file:
    path: "{{ node['home_path'] }}/{{ item }}"
    state: "directory"
    owner: "{{ vikunja_subuid }}"
    group: "svadmins"
    mode: "0770"
  loop:
    - "data/containers/vikunja"
    - "containers/vikunja"
    - "containers/vikunja/ssl"
  become: true
 - name: Deploy root certificate
  ansible.builtin.copy:
    content: |
      {{ hostvars['console']['ca']['root']['crt'] }}
    dest: "{{ node['home_path'] }}/containers/vikunja/ssl/ilnmors_root_ca.crt"
    owner: "{{ vikunja_subuid }}"
    group: "svadmins"
    mode: "0440"
  become: true
  notify: "notification_restart_vikunja"
  no_log: true
 - name: Register secret value to podman secret
  containers.podman.podman_secret:
    name: "{{ item.name }}"
    data: "{{ item.value }}"
    state: "present"
    force: true
  loop:
    - name: "VIKUNJA_SERVICE_JWTSECRET"
      value: "{{ hostvars['console']['vikunja']['session_secret'] }}"
    - name: "VIKUNJA_DATABASE_PASSWORD"
      value: "{{ hostvars['console']['postgresql']['password']['vikunja'] }}"
    - name: "VIKUNJA_AUTH_OPENID_PROVIDERS_authelia_CLIENTSECRET"
      value: "{{ hostvars['console']['vikunja']['oidc']['secret'] }}"
  notify: "notification_restart_vikunja"
  no_log: true
 - name: Deploy vikunja.container file
  ansible.builtin.template:
    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/vikunja/vikunja.container.j2"
    dest: "{{ node['home_path'] }}/.config/containers/systemd/vikunja.container"
    owner: "{{ ansible_user }}"
    group: "svadmins"
    mode: "0644"
  notify: "notification_restart_vikunja"
 - name: Enable vikunja.service
  ansible.builtin.systemd:
    name: "vikunja.service"
    state: "started"
    enabled: true
    daemon_reload: true
    scope: "user"
--- a/ansible/roles/common/handlers/main.yaml
+++ b/ansible/roles/common/handlers/main.yaml
@@ -27,14 +27,14 @@
  listen: "notification_reload_networkctl"
  ignore_errors: true # noqa: ignore-errors
- name: Reload systemd-resolved.service
+- name: Restart systemd-resolved.service
  ansible.builtin.systemd:
    name: "systemd-resolved.service"
-    state: "reloaded"
+    state: "restarted"
    enabled: true
  become: true
  changed_when: false
-  listen: "notification_reload_resolved"
+  listen: "notification_restart_resolved"
  ignore_errors: true # noqa: ignore-errors
 - name: Restart systemd-timesyncd
--- a/ansible/roles/common/tasks/node/set_resolved.yaml
+++ b/ansible/roles/common/tasks/node/set_resolved.yaml
@@ -28,7 +28,7 @@
    group: "systemd-resolve"
    mode: "0640"
  become: true
-  notify: "notification_reload_resolved"
+  notify: "notification_restart_resolved"
 - name: Restart systemd-resolved.service when it is initiated
  ansible.builtin.systemd:
--- a/ansible/roles/console/tasks/services/set_cli_tools.yaml
+++ b/ansible/roles/console/tasks/services/set_cli_tools.yaml
@@ -68,7 +68,7 @@
    dest: "{{ node['data_path'] }}/bin/blocky-{{ version['packages']['blocky'] }}-{{ item }}.tar.gz"
    owner: "{{ ansible_user }}"
    group: "svadmins"
-    mode: "0600" # noqa: line-length
+    mode: "0600"
  loop:
    - "x86_64"
    - "arm64"
--- a/ansible/roles/infra/tasks/services/set_postgresql.yaml
+++ b/ansible/roles/infra/tasks/services/set_postgresql.yaml
@@ -5,11 +5,15 @@
 - name: Set connected services list
  ansible.builtin.set_fact:
    # telegraf has no database
    connected_services:
      - "ldap"
      - "authelia"
      - "grafana"
      - "vaultwarden"
      - "gitea"
      - "immich"
      - "paperless"
      - "vikunja"
 - name: Create postgresql directory
  ansible.builtin.file:
@@ -107,7 +111,7 @@
        group: "svadmins"
        mode: "0600"
-    - name: Deploy resoring data sql files
+    - name: Deploy restoring data sql files
      ansible.builtin.copy:
        src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/infra/postgresql/init/pg_{{ item }}.sql"
        dest: "{{ node['home_path'] }}/containers/postgresql/init/{{ index_num + 1 }}_pg_{{ item }}.sql"
--- a/config/node/app/nftables.conf.j2
+++ b/config/node/app/nftables.conf.j2
@@ -5,17 +5,27 @@ define NET4_SERVER = {{ hostvars['fw']['network4']['subnet']['server'] }}
 define NET6_SERVER = {{ hostvars['fw']['network6']['subnet']['server'] }}
 define HOSTS4_CONSOLE = { {{ hostvars['fw']['network4']['console'].values() | join(', ') }} }
 define HOSTS6_CONSOLE = { {{ hostvars['fw']['network6']['console'].values() | join(', ') }} }
 define HOSTS4_AUTH = {{ hostvars['fw']['network4']['auth']['server'] }}
 define HOSTS6_AUTH = {{ hostvars['fw']['network6']['auth']['server'] }}
 define PORTS_SSH = 22
 define PORTS_HTTP = 80
 define PORTS_HTTP_FORWARD = 2080
 define PORTS_HTTPS = 443
 define PORTS_HTTPS_FORWARD = 2443
 table inet nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        tcp dport $PORTS_HTTP dnat to :$PORTS_HTTP_FORWARD comment "dnat http ports to $PORTS_HTTP_FORWARD"
        tcp dport $PORTS_HTTPS dnat to :$PORTS_HTTPS_FORWARD comment "dnat https ports to $PORTS_HTTPS_FORWARD"
    }
    chain postrouting {
    }
    chain output {
        type nat hook output priority dstnat; policy accept;
        oifname "lo" tcp dport $PORTS_HTTP dnat to :$PORTS_HTTP_FORWARD comment "dnat http ports to $PORTS_HTTP_FORWARD out of LOCALHOST"
        oifname "lo" tcp dport $PORTS_HTTPS dnat to :$PORTS_HTTPS_FORWARD comment "dnat https ports to $PORTS_HTTPS_FORWARD out of LOCALHOST"
    }
 }
@@ -28,6 +38,10 @@ table inet filter {
        meta l4proto { icmp, icmpv6 } accept comment "allow icmp connection"
        ip saddr $HOSTS4_CONSOLE tcp dport $PORTS_SSH accept comment "allow ipv4 ssh connection: CONSOLE > APP"
        ip6 saddr $HOSTS6_CONSOLE tcp dport $PORTS_SSH  accept comment "allow ipv6 ssh connection: CONSOLE > APP"
        ip saddr { $HOSTS4_CONSOLE, $HOSTS4_AUTH } tcp dport $PORTS_HTTP_FORWARD ct original proto-dst $PORTS_HTTP accept comment "allow ipv4 http connection: CONSOLE, AUTH > APP"
        ip6 saddr { $HOSTS6_CONSOLE, $HOSTS6_AUTH } tcp dport $PORTS_HTTP_FORWARD ct original proto-dst $PORTS_HTTP accept comment "allow ipv6 http connection: CONSOLE, AUTH > APP"
        ip saddr { $HOSTS4_CONSOLE, $HOSTS4_AUTH } tcp dport $PORTS_HTTPS_FORWARD ct original proto-dst $PORTS_HTTPS accept comment "allow ipv4 https connection: CONSOLE, AUTH > APP"
        ip6 saddr { $HOSTS6_CONSOLE, $HOSTS6_AUTH } tcp dport $PORTS_HTTPS_FORWARD ct original proto-dst $PORTS_HTTPS accept comment "allow ipv6 https connection: CONSOLE, AUTH > APP"
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
--- a/config/node/common/resolved/global.conf.j2
+++ b/config/node/common/resolved/global.conf.j2
@@ -3,4 +3,4 @@
 DNS=1.1.1.2 1.0.0.2
 DNS=2606:4700:4700::1112 2606:4700:4700::1002
 {% endif %}
-cache=false
+cache=false
--- a/config/secrets/secrets.yaml
+++ b/config/secrets/secrets.yaml
@@ -113,6 +113,11 @@ postgresql:
        ldap: ENC[AES256_GCM,data:mJrxIhXynHxJhncw3upHpOkXIw+Ka9bmDBJwkDjYl+D9Pg4RDvL6WzBjthw=,iv:y8MUYo6VhgTzbWh/+n7/hf1Jw+L2KcdxKvulPJ67xn8=,tag:4ZFpj1UdOwXmaZjYvC/s3A==,type:str]
        grafana: ENC[AES256_GCM,data:P9okJ7bcsqmeGstkSwbDq/RgnG+lFrgAOvcj8A5lOTpmHaSlXGiKG+ybXa0=,iv:Di1ghnxIbAb/u7uo/mJCC3QYVjdweTHaQDZmXTx8OG4=,tag:DT3a1zgU9sTr0BXpyoZ/SQ==,type:str]
        authelia: ENC[AES256_GCM,data:OqyloAADO6KKEaBjGLsJc9GTe77wn6IvA1VCD2dfCWxx+zgzUYh87fK1XX8=,iv:QIOHNTdNnzcY/f3Co8dPdNHykhBnYRhm43nt35hbALM=,tag:DLQq58GrZd+Ul7MSn6s9uQ==,type:str]
        vaultwarden: ENC[AES256_GCM,data:BPj5eFo54DTZ82n3yTIqEbm7kb/jWT0n2kZY//oV5q48eRch3C2RBuxn/Ko=,iv:DGC4ipHMyVs25gc4sNMt8LN1RsHjiR/b303vgiFoxMY=,tag:k1eb4DoRPLKvvMstSI1faQ==,type:str]
        gitea: ENC[AES256_GCM,data:l+pBCzyQa3000SE9z1R4htD0V0ONsBtKy92dfgsVYsZ3XlEyVJDIBOsugwM=,iv:5t/oHW1vFAmV/s2Ze/cV9Vuqo96Qu6QvZeRbio7VX2s=,tag:4zeQaXiXIzBpy+tXsxmN7Q==,type:str]
        immich: ENC[AES256_GCM,data:11jvxTKA/RL0DGL6y2/X092hnDohj6yTrYGK4IVojqBd1gCOBnDvUjgmx14=,iv:oBfHxsx9nxhyKY/WOuWfybxEX2bf+lHEtsaifFRS9lg=,tag:tAfkBdgQ8ZEkLIFcDICKDw==,type:str]
        paperless: ENC[AES256_GCM,data:6VBrBbjVoam7SkZCSvoBTdrfkUoDghdGTiBmFLul04X/okXOHeC5zusJffY=,iv:iZumcJ3TWwZD77FzYx8THwCqC+EbnXUBrEKuPh3zgV8=,tag:u2m8SppAdxZ/duNdpuS3oQ==,type:str]
        vikunja: ENC[AES256_GCM,data:/+wQdoFPTBG2elI9kZbAVWrHZ0DhMaYr4dc+2z9QNdb3TcDS2PEia0JuSAg=,iv:MViZTyUD8YqMmxSTWCQpJ30f/KQdQGOzPlRHHsQ8lAw=,tag:zov3POno139dkMxFDpj2gg==,type:str]
 #ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
 #
 #
@@ -170,6 +175,69 @@ authelia:
 #ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
 #
 #
 #ENC[AES256_GCM,data:MiobmVqj3dPargzws5q7Cpggnvw=,iv:VzBh1ZWqyByyTDn90pl0//TsjAYO5QLpfbrxnMF5OU4=,tag:7Y16L9i/homdtEpWynzsdg==,type:comment]
 vaultwarden:
    admin:
        password: ENC[AES256_GCM,data:FzD80H5lPNyjTRGd/IcIGir35KLF8gN3qmTzEQrlfutHh08mk0Vh9X8irHA=,iv:cfn5432g2MvkuBJLB2zDJmU0sLgMefVvpy0bP/4/oPY=,tag:7MHEv8XswdQZNTARvxs55g==,type:str]
        hash: ENC[AES256_GCM,data:Ae7bhnL5pxfNV3+r/PCDIpxx0tHcNiB/s4sm7OoxVpp+tcEpXZ9vsv38sZjx+Z8t2vlmiYHc72PEdapcAihleuLMBPM1dAVn8LqzzWtVhfmCOoUZI8Z5L3VL8eyyz6npiw==,iv:c2MEIbrnVsR+bUx3zLLTnKSElFTH7JRl23HmmTlWEBg=,tag:mnMrER9pQEKAdloYMeRa3g==,type:str]
    il:
        password: ENC[AES256_GCM,data:mhLb55ENatpE59Rbzk2Uq6iBKc0Jj/9x4fOANJOHR0WvSxTQRKJ94cCq9Ykp/chWbdgYYPrwU5oD0Yo17zqb,iv:6bzKq5WaKhuOsQ8zSSH9ZrQYbDPB1nv/bFoQou1ycL4=,tag:bSmuUodl+/9nzxZ7YBoezA==,type:str]
    morsalin:
        password: ENC[AES256_GCM,data:ibg5/MfLH7pSY2pEmjM=,iv:+aV5muP/9BYoKwTGQxKEL+IGY9P+O3GVKGgSuTzT+U0=,tag:rgqcmJvd1RtvWJ91PCxYIg==,type:str]
 #ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
 #
 #
 #ENC[AES256_GCM,data:HAN9BBEl1CW11LAf3x8=,iv:hwqCErtmPqGJ+y86D9MoxJwixvbcJONlyT900Y5DOug=,tag:kCxsG353ltbOCKLe85adCg==,type:comment]
 gitea:
    il:
        password: ENC[AES256_GCM,data:Bs5/t5mNbSv5+ek9gNHZp5qqxitM4Kq0Xgh2JV6LiFw9lZJSOVT4JPLRP5M=,iv:z50+naWOTVL8lEgBgm51j6hLjS8ve2UcRRKukvtykM0=,tag:TF9rPxjoLe/vAyvl23PiCg==,type:str]
        token: ENC[AES256_GCM,data:CiYEXEKLLRDp++iga5YmhyPB2bSvqhhDgSOhmiulp9n9SsBVQ3s5MQ==,iv:+oetgEH/IORz74Xoz5zgDjD3BLyledZTqlYlCWaDrRk=,tag:S9O09YEMuSexuNW3ojEw5Q==,type:str]
    oidc:
        secret: ENC[AES256_GCM,data:qjQosi83oaK47wX4VtDktDFlIU3FQgmDpwyiSgJNPDq2Dtc/QEKzdv5/ZpQ=,iv:aUJx5a6Wj7lhaD19aPiZWIE/MWKUgH0muxtTSkwfg8M=,tag:DttjXee7ntxRAbqbFq6qeQ==,type:str]
        hash: ENC[AES256_GCM,data:iVls8UzdP6JTfRosET6nsk3RcEtFQ8ak6GtPuBjcqAv3lyA9oSLwvvC8MvGaT1aHCB+5y/lspuloHEaAcVGNuzGCIVLg9Adut4a7LYDTHNOZnJIKLj8ldL1ytD5XVdbeBhZGCqoTs088oO0HVCQiDzpJL5NdmM3Ru6egyYBCLLUOlPA=,iv:er63GEC+kxNDscvspvvLiq17VSg0GeZ2w3jmGojF9PM=,tag:F1pDpaQrVdomIlZ8psVpAw==,type:str]
 #ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
 #
 #
 #ENC[AES256_GCM,data:HvMeGuC8JwK50pO1E/nm,iv:5NFTyjesMX0ZnBpH+hEv8jQ0G2NvrDtT23CUyLbQcUo=,tag:qWmPvQpADTeD+W8nWXRQvA==,type:comment]
 immich:
    il:
        password: ENC[AES256_GCM,data:PbDFc4m7rNPPN1mCjcvhbKwf/EbiJxdvO/iMspf9jMuCqQyGv7h6VrZqk98=,iv:hlMAp5wXXkFO9+ekq3A2/ioF/EX8Uau0puhb4TAHkRQ=,tag:pfS0W2JNaFNMpBlKgZ3Pjw==,type:str]
    oidc:
        secret: ENC[AES256_GCM,data:9ENcp2Ns21OLXDY05zRoSdP+93EiwSH8MGzZZpxK7sToe4QLUXWt9w6xQIE=,iv:Q/VcnArZHs/J2YLRVFXt3Mp+LYfuq4PD/trqO8Simig=,tag:BY/mOyZpYmoAc7NrASlmSA==,type:str]
        hash: ENC[AES256_GCM,data:mrML2CWFFtGjq8wfWipVpv+pjJRSHe74VGC7Eoa6588R5C/sCnC3W5aI+dsRCZN3LRCjHAkOJJgjeYrwcXYdKRauXsAYR51dNSsHqqSN3WebLxapRDwcYu5e4j5RN1aPHsysr7GaQ4hhe5rKW4ORCGC3Cp3Ob+LChPy4bdCAZG3bN9k=,iv:Q4hmqhq+dvIr7DxCpcqP4E0NKyFZkOeTnDpGctmCxXM=,tag:/gji6AFkHnYwkQf3FSQUxA==,type:str]
 #ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
 #
 #
 #ENC[AES256_GCM,data:bzMt0Ox0Za4dOhoo7S6dYCdK32JI9Q==,iv:PRTryIJk0tR545XY0LoHwklvsJp5+A5bEljNmzUvRhY=,tag:EVsjRUGMOadaNbMu0Xr4XA==,type:comment]
 actualbudget:
    oidc:
        secret: ENC[AES256_GCM,data:TE2umZ9Vvr7cSfA2+TAfRadIWZN3hyOKQ6U9NqJFm5e9iiw1avI+QlnYcKI=,iv:rUWoclBRqh0tsGnMq29395Fn2NP7AXnSCd0s+S8jQ6I=,tag:qPX/TcdIo6BJeex7wmi02Q==,type:str]
        hash: ENC[AES256_GCM,data:UjhNkGj+sxbnmPUx1V5kVYwZnzsB0aEvN8YV29lcvMbSnf9xpQWwD5C93Zu8SYrnS/p88qZpGBgAjr9Pcly3y0H1YMRt9zzbHZU3Uo0DPDrSWRQdeB/8LkcM/cwMAs8arS6PO03ECNnN5Z6aTmFdFnLjUkvUuSWMFscItAzMzhWCpeY=,iv:B06LI7Cq3NN8haOLfN3gWIpUFnvdUlq6D2XmARojDpk=,tag:MflE8qcY5j/aAA7xfPCqng==,type:str]
 #ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
 #
 #
 #ENC[AES256_GCM,data:McPUAbIUvtC1gdPaxTgAxAMCMWcLfg==,iv:Tp6idRf7he3sYzo8LW596C905JAaoTIhIoDUzSyRT0k=,tag:4mZQ0Swu1X9uuwjsRNhr2A==,type:comment]
 paperless:
    session_secret: ENC[AES256_GCM,data:siwCs2noeVpg9DCEZybnmo/oz11BdrHSTnHciMOu/6g=,iv:XVjhu10TIujIdUopN9+TVVqRade9EvItDWxym6YXnZs=,tag:TxLYm+4Bo7IMaTQBtMg9pQ==,type:str]
    il:
        password: ENC[AES256_GCM,data:9bJHf+chTg1rppgNVafNgEuvwQ69Gx+w5d65hu68q9XeeaVb2pO9HE4BOgg=,iv:1kaXBg/iOoIZxDjEVEdaMJLDtp6zQjep3vxLmIgQN5o=,tag:+MgX8Oa3tmhjx6u9aHkDfQ==,type:str]
    oidc:
        secret: ENC[AES256_GCM,data:wjRDVCJsINM4z5946a6uZD+6bhN5BChLMdRzgMEJFGRGFNcXd7A1p2Iqn4I=,iv:Y4QDA09L8ULKr4hhvoiduzCD8Hifo1gAnpzjCr8e520=,tag:R0RvGxYnXo3zwykXJykRug==,type:str]
        hash: ENC[AES256_GCM,data:pali6WwPNhJA+6QL4O+tKv42PnpGqmojb8JQUZLqxGizv1bJSCgdUN8upCy5Ke0DYZs5P+JY5vh23xfMZFnHduGxGwOuPX6J5lYgvJRV58LqS3/+yIBBprTJyro3MwsurTTEWesgKMr8/2H9lirhaLjWUOSPxAmQ6e4wPNpHycDVyj4=,iv:cg2trI7t1MfIcMo1/M+IY6JEl2msDoKRGgAx/Y5nyGk=,tag:gnOq7sBq9z5zrRY0yhIabg==,type:str]
 #ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
 #
 #
 #ENC[AES256_GCM,data:V7DJHA2JQirfBsrCGhXrhg==,iv:+jYqX9hGNnuyYj9o9LpCYFVOoD6nSrtc4t40Ag0mMzo=,tag:1wSxKtkJm42reUxdwYDvlg==,type:comment]
 vikunja:
    session_secret: ENC[AES256_GCM,data:CMyw8JGHyTczGsrOJJwQBKfXMU4Sudvwkur1Lgx4o64=,iv:F2VmpqddiDT4jGaGDKGl6FARsQOt3lLz3X6TjC2MIVU=,tag:UJYyzrl/FX1BNwY4ROFncA==,type:str]
    il:
        password: ENC[AES256_GCM,data:wDYAVUTFyL/CaXQXYviP3WAILmnREwYui8PZq9nXJPNa3FlwX6b/fzxbCvw=,iv:We+jb4W62O8tYRjGPv+lwlhyVF8eIeTiPNoELdLU+6M=,tag:y7vTZ+6TAsv4XajB4JOL7A==,type:str]
    oidc:
        secret: ENC[AES256_GCM,data:QwqndYsfr+fh9OLkHYtLYCa6WUdhnL7A4btz1d1eelTwq3Kps5S6BUN5qZg=,iv:51N8byIAAUh4ky7YBAuEJOBEWu1d9AX5W1m37/cLlCM=,tag:GD7jbxNGd748TCPgqsxyMg==,type:str]
        hash: ENC[AES256_GCM,data:ORifyT4u1V2CyBCNBgF72wwS2i05mlzA4iIVEa1cH9aaE69PdiQvGGzMHK+tmlfpVaVQEENSt1QDUSSlMyeuZT/3a0JwAvlz+XDbpS7bicL2cB6DCa4JyEd/rbGRXs0/COfxPxXzYv7jq9gd2uSJ+cCGYb/93WuEXSEI6PHi+FF7N94=,iv:FVSGySa4YB2vwenqSagBzxeIexg91ewvcQMix+etmng=,tag:yyQtOgzOZypba+rV3A1K9g==,type:str]
 #ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
 #
 #
 #ENC[AES256_GCM,data:T4Wtn49AAxPd2QUFTR+q,iv:bH5goGWBDqumAat9dUv2OwfCUJUpuVqncTMqMBZUXhI=,tag:G+W6hHA+yftQ+4RJpXrxHg==,type:comment]
 switch:
    password: ENC[AES256_GCM,data:qu0f9L7A0eFq/UCpaRs=,iv:W8LLOp3MSfd/+EfNEZNf91K8GgI5eUfVPoWTRES2C0Y=,tag:Q5FlAOfwqwJwPvd7k6i+0g==,type:str]
@@ -199,7 +267,7 @@ sops:
            UmliaFNxVTBqRkI1QWJpWGpTRWxETW8KEY/8AfU73UOzCGhny1cNnd5dCNv7bHXt
            k+uyWPPi+enFkVaceSwMFrA66uaWWrwAj11sXEB7yzvGFPrnAGezjQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-03-14T19:40:47Z"
+    lastmodified: "2026-03-28T01:12:44Z"
-    mac: ENC[AES256_GCM,data:EUVSxs6FPhKMSSmHe8P/d0IyBZsNb3q7AYj06j98bklAMYYVOludVePdh45MSvn92lDn712Muy6pqcJzDpsPWyxgXngywTu2SGV1yRCyA7U7RloRxlNROuDiugMkJWOtHcKArytVChUHT2PnzagAJR2kBSApbjUsC/xUTMBpsNM=,iv:SsJW2fMNEJHT2M+gjW5TKu6AYoxsf9jKf5T9KgJoF40=,tag:ItVweaSxts2Cm1VKkLp0/w==,type:str]
+    mac: ENC[AES256_GCM,data:hGvVNYQ2qUf9zGMbY5lupY9NI4rCnbza7OruAho12UTcTpD9vktWj559U/UoZpKDknR9n+d50UOGcukeFgLtPBo6xy0+Yf0FRCZU59SQ9k02f3wyIck5ANikBImeN6gGKUbiuIcQUqD3jWH1b2u6V02KN8UkKs7CywHKhI2IoKg=,iv:orXjewDUalAxGOdMjXs18Al98MLzYHTyaWnCz0VqRU4=,tag:hZ5aV3E2kB0US4zAk66Z2Q==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.12.1
--- a/config/services/containers/app/actual-budget/actual-budget.container.j2
+++ b/config/services/containers/app/actual-budget/actual-budget.container.j2
@@ -0,0 +1,29 @@
 [Quadlet]
 DefaultDependencies=false
 [Unit]
 Description=Actual Budget
 [Container]
 Image=ghcr.io/actualbudget/actual-server:{{ version['containers']['actualbudget'] }}
 ContainerName=actual-budget
 HostName=actual-budget
 PublishPort=5006:5006
 Volume=%h/data/containers/actual-budget:/data:rw
 Environment="TZ=Asia/Seoul"
 Environment="ACTUAL_OPENID_DISCOVERY_URL=https://authelia.ilnmors.com/.well-known/openid-configuration"
 Environment="ACTUAL_OPENID_CLIENT_ID=actual-budget"
 Environment="ACTUAL_OPENID_SERVER_HOSTNAME=https://budget.ilnmors.com"
 Environment="ACTUAL_OPENID_AUTH_METHOD=oauth2"
 Secret=ACTUAL_OPENID_CLIENT_SECRET,type=env
 [Service]
 Restart=always
 RestartSec=10s
 TimeoutStopSec=120
 [Install]
 WantedBy=default.target
--- a/config/services/containers/app/gitea/gitea.container.j2
+++ b/config/services/containers/app/gitea/gitea.container.j2
@@ -0,0 +1,51 @@
 [Quadlet]
 DefaultDependencies=false
 [Unit]
 Description=Gitea
 After=network-online.target
 Wants=network-online.target
 [Container]
 Image=docker.io/gitea/gitea:{{ version['containers']['gitea'] }}
 ContainerName=gitea
 HostName=gitea
 PublishPort=3000:3000/tcp
 Volume=%h/data/containers/gitea:/data:rw
 Volume=%h/containers/gitea/ssl:/etc/ssl/gitea:ro
 # General
 Environment="TZ=Asia/Seoul"
 Environment="GITEA__server__DISABLE_SSH=true"
 # Database
 Environment="GITEA__database__DB_TYPE=postgres"
 Environment="GITEA__database__HOST={{ infra_uri['postgresql']['domain'] }}:{{ infra_uri['postgresql']['ports']['tcp'] }}"
 Environment="GITEA__database__NAME=gitea_db"
 Environment="GITEA__database__USER=gitea"
 Secret=GITEA__database__PASSWD,type=env
 Environment="GITEA__database__SSL_MODE=verify-full"
 Environment="PGSSLROOTCERT=/etc/ssl/gitea/ilnmors_root_ca.crt"
 # OAuth2 client
 Environment="GITEA__oauth2_client__ACCOUNT_LINKING=auto"
 # OIDC configuration
 Environment="GITEA__openid__ENABLE_OPENID_SIGNIN=false"
 Environment="GITEA__openid__ENABLE_OPENID_SIGNUP=true"
 Environment="GITEA__openid__WHITELISTED_URIS=authelia.ilnmors.com"
 # automatic create user via authelia
 Environment="GITEA__service__DISABLE_REGISTRATION=false"
 Environment="GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION=true"
 Environment="GITEA__service__SHOW_REGISTRATION_BUTTON=false"
 [Service]
 ExecStartPre=/usr/bin/nc -zv {{ infra_uri['postgresql']['domain'] }} {{ infra_uri['postgresql']['ports']['tcp'] }}
 Restart=always
 RestartSec=10s
 TimeoutStopSec=120
 [Install]
 WantedBy=default.target
--- a/config/services/containers/app/immich/immich-ml.container.j2
+++ b/config/services/containers/app/immich/immich-ml.container.j2
@@ -0,0 +1,32 @@
 [Quadlet]
 DefaultDependencies=false
 [Unit]
 Description=Immich Machine Learning
 After=immich.service
 Wants=immich.service
 [Container]
 Image=ghcr.io/immich-app/immich-machine-learning:{{ version['containers']['immich'] }}-openvino
 ContainerName=immich-ml
 HostName=immich-ml
 PublishPort=3003:3003
 # iGPU access for OpenVINO
 AddDevice=/dev/dri:/dev/dri
 PodmanArgs=--group-add keep-groups
 Volume=%h/containers/immich/ml/cache:/cache:rw
 Environment="TZ=Asia/Seoul"
 [Service]
 Restart=always
 RestartSec=10s
 TimeoutStopSec=120
 [Install]
 WantedBy=default.target
--- a/config/services/containers/app/immich/immich.container.j2
+++ b/config/services/containers/app/immich/immich.container.j2
@@ -0,0 +1,49 @@
 [Quadlet]
 DefaultDependencies=false
 [Unit]
 Description=Immich
 After=redis_immich.service
 Wants=redis_immich.service
 [Container]
 Image=ghcr.io/immich-app/immich-server:{{ version['containers']['immich'] }}
 ContainerName=immich
 HostName=immich
 PublishPort=2283:2283
 # iGPU access
 AddDevice=/dev/dri:/dev/dri
 PodmanArgs=--group-add keep-groups
 # Volumes
 Volume=%h/data/containers/immich:/data:rw
 Volume=%h/containers/immich/ssl:/etc/ssl/immich:ro
 # Environment
 Environment="TZ=Asia/Seoul"
 Environment="REDIS_HOSTNAME=host.containers.internal"
 Environment="REDIS_PORT={{ hostvars['app']['redis']['immich'] }}"
 Environment="REDIS_DBINDEX=0"
 # Database
 Environment="DB_HOSTNAME={{ infra_uri['postgresql']['domain'] }}"
 Environment="DB_PORT={{ infra_uri['postgresql']['ports']['tcp'] }}"
 Environment="DB_USERNAME=immich"
 Environment="DB_DATABASE_NAME=immich_db"
 Environment="DB_PASSWORD_FILE=/run/secrets/DB_PASSWORD"
 Environment="DB_SSL_MODE=verify-full"
 Environment="NODE_EXTRA_CA_CERTS=/etc/ssl/immich/ilnmors_root_ca.crt"
 Secret=IMMICH_DB_PASSWORD,target=/run/secrets/DB_PASSWORD
 [Service]
 ExecStartPre=/usr/bin/nc -zv {{ infra_uri['postgresql']['domain'] }} {{ infra_uri['postgresql']['ports']['tcp'] }}
 Restart=always
 RestartSec=10s
 TimeoutStopSec=120
 [Install]
 WantedBy=default.target
--- a/config/services/containers/app/paperless/paperless.container.j2
+++ b/config/services/containers/app/paperless/paperless.container.j2
@@ -0,0 +1,59 @@
 [Quadlet]
 DefaultDependencies=false
 [Unit]
 Description=Paperless
 After=redis_paperless.service
 Wants=redis_paperless.service
 [Container]
 Image=ghcr.io/paperless-ngx/paperless-ngx:{{ version['containers']['paperless'] }}
 ContainerName=paperless
 HostName=paperless
 PublishPort=8001:8000/tcp
 # Volumes
 Volume=%h/data/containers/paperless/data:/usr/src/paperless/data:rw
 Volume=%h/data/containers/paperless/media:/usr/src/paperless/media:rw
 Volume=%h/data/containers/paperless/consume:/usr/src/paperless/consume:rw
 Volume=%h/containers/paperless/ssl:/etc/ssl/paperless:ro
 # General
 Environment="TZ=Asia/Seoul"
 Environment="PAPERLESS_TIME_ZONE=Asia/Seoul"
 Environment="PAPERLESS_URL=https://paperless.ilnmors.com"
 Environment="PAPERLESS_OCR_LANGUAGE=kor+eng"
 Environment="PAPERLESS_OCR_LANGUAGES=kor"
 # Environment="PAPERLESS_OCR_MODE=force"
 # Environment="PAPERLESS_TASK_WORKERS=1"
 # Environment="PAPERLESS_THREADS_PER_WORKER=1"
 Environment="PAPERLESS_WORKER_TIMEOUT=7200"
 Secret=PAPERLESS_SECRET_KEY,type=env
 # Redis
 Environment="PAPERLESS_REDIS=redis://host.containers.internal:{{ hostvars['app']['redis']['paperless'] }}"
 # Database
 Environment="PAPERLESS_DBHOST={{ infra_uri['postgresql']['domain'] }}"
 Environment="PAPERLESS_DBPORT={{ infra_uri['postgresql']['ports']['tcp'] }}"
 Environment="PAPERLESS_DBNAME=paperless_db"
 Environment="PAPERLESS_DBUSER=paperless"
 Environment="PAPERLESS_DBSSLMODE=verify-full"
 Environment="PAPERLESS_DBSSLROOTCERT=/etc/ssl/paperless/ilnmors_root_ca.crt"
 Secret=PAPERLESS_DBPASS,type=env
 # OIDC
 Environment="PAPERLESS_APPS=allauth.socialaccount.providers.openid_connect"
 Environment="PAPERLESS_SOCIAL_AUTO_SIGNUP=true"
 Environment="PAPERLESS_SOCIALACCOUNT_ALLOW_SIGNUPS=true"
 Secret=PAPERLESS_SOCIALACCOUNT_PROVIDERS,type=env
 [Service]
 ExecStartPre=/usr/bin/nc -zv {{ infra_uri['postgresql']['domain'] }} {{ infra_uri['postgresql']['ports']['tcp'] }}
 Restart=always
 RestartSec=10s
 TimeoutStopSec=120
 [Install]
 WantedBy=default.target
--- a/config/services/containers/app/redis/redis.conf.j2
+++ b/config/services/containers/app/redis/redis.conf.j2
@@ -0,0 +1,4 @@
 databases 16
 bind 0.0.0.0
 port {{ hostvars['app']['redis'][redis_service] }}
 protected-mode no
--- a/config/services/containers/app/redis/redis.container.j2
+++ b/config/services/containers/app/redis/redis.container.j2
@@ -0,0 +1,31 @@
 [Quadlet]
 DefaultDependencies=false
 [Unit]
 Description=Redis - {{ redis_service }}
 After=network-online.target
 Wants=network-online.target
 [Container]
 Image=docker.io/library/redis:{{ version['containers']['redis'] }}
 ContainerName=redis_{{ redis_service }}
 HostName=redis_{{ redis_service }}
 PublishPort={{ hostvars['app']['redis'][redis_service] }}:{{ hostvars['app']['redis'][redis_service] }}
 Volume=%h/containers/redis/{{ redis_service }}/data:/data:rw
 Volume=%h/containers/redis/{{ redis_service }}/redis.conf:/usr/local/etc/redis/redis.conf:ro
 Exec=redis-server /usr/local/etc/redis/redis.conf
 Environment="TZ=Asia/Seoul"
 [Service]
 Restart=always
 RestartSec=10s
 TimeoutStopSec=120
 [Install]
 WantedBy=default.target
--- a/config/services/containers/app/vaultwarden/vaultwarden.container.j2
+++ b/config/services/containers/app/vaultwarden/vaultwarden.container.j2
@@ -0,0 +1,34 @@
 [Quadlet]
 DefaultDependencies=false
 [Unit]
 Description=Vaultwarden
 After=network-online.target
 Wants=network-online.target
 [Container]
 Image=docker.io/vaultwarden/server:{{ version['containers']['vaultwarden'] }}
 ContainerName=vaultwarden
 HostName=vaultwarden
 PublishPort=8000:80/tcp
 Volume=%h/data/containers/vaultwarden:/data:rw
 Volume=%h/containers/vaultwarden/ssl:/etc/ssl/vaultwarden:ro
 Environment="TZ=Asia/Seoul"
 Environment="DOMAIN=https://vault.ilnmors.com"
 Environment="SIGNUPS_ALLOWED=false"
 Secret=VW_ADMIN_TOKEN,type=env,target=ADMIN_TOKEN
 Secret=VW_DATABASE_URL,type=env,target=DATABASE_URL
 [Service]
 ExecStartPre=/usr/bin/nc -zv {{ infra_uri['postgresql']['domain'] }} {{ infra_uri['postgresql']['ports']['tcp'] }}
 Restart=always
 RestartSec=10s
 TimeoutStopSec=120
 [Install]
 WantedBy=default.target
--- a/config/services/containers/app/vikunja/vikunja.container.j2
+++ b/config/services/containers/app/vikunja/vikunja.container.j2
@@ -0,0 +1,56 @@
 [Quadlet]
 DefaultDependencies=false
 [Unit]
 Description=Vikunja
 After=network-online.target
 Wants=network-online.target
 [Container]
 Image=docker.io/vikunja/vikunja:{{ version['containers']['vikunja'] }}
 ContainerName=vikunja
 HostName=vikunja
 PublishPort=3456:3456/tcp
 # Volumes
 Volume=%h/data/containers/vikunja:/app/vikunja/files:rw
 Volume=%h/containers/vikunja/ssl:/etc/ssl/vikunja:ro
 # General
 Environment="TZ=Asia/Seoul"
 Environment="VIKUNJA_DEFAULTSETTINGS_TIMEZONE=Asia/Seoul"
 Environment="VIKUNJA_SERVICE_TIMEZONE=Asia/Seoul"
 Environment="VIKUNJA_SERVICE_PUBLICURL=https://vikunja.ilnmors.com"
 Environment="VIKUNJA_SERVICE_ENABLEREGISTRATION=false"
 Secret=VIKUNJA_SERVICE_JWTSECRET,type=env
 # Database
 Environment="VIKUNJA_DATABASE_TYPE=postgres"
 Environment="VIKUNJA_DATABASE_HOST={{ infra_uri['postgresql']['domain'] }}"
 Environment="VIKUNJA_DATABASE_USER=vikunja"
 Environment="VIKUNJA_DATABASE_DATABASE=vikunja_db"
 Environment="VIKUNJA_DATABASE_SSLMODE=verify-full"
 Environment="VIKUNJA_DATABASE_SSLROOTCERT=/etc/ssl/vikunja/ilnmors_root_ca.crt"
 Secret=VIKUNJA_DATABASE_PASSWORD,type=env
 # OIDC
 Environment="VIKUNJA_AUTH_OPENID_ENABLED=true"
 Environment="VIKUNJA_AUTH_OPENID_PROVIDERS_authelia_NAME=Authelia"
 Environment="VIKUNJA_AUTH_OPENID_PROVIDERS_authelia_AUTHURL=https://authelia.ilnmors.com"
 Environment="VIKUNJA_AUTH_OPENID_PROVIDERS_authelia_CLIENTID=vikunja"
 # Environment="VIKUNJA_AUTH_OPENID_PROVIDERS_authelia_SCOPE=" default value = openid email profile
 Environment="VIKUNJA_AUTH_OPENID_PROVIDERS_authelia_USERNAMEFALLBACK=true"
 Environment="VIKUNJA_AUTH_OPENID_PROVIDERS_authelia_EMAILFALLBACK=true"
 Secret=VIKUNJA_AUTH_OPENID_PROVIDERS_authelia_CLIENTSECRET,type=env
 [Service]
 ExecStartPre=/usr/bin/nc -zv {{ infra_uri['postgresql']['domain'] }} {{ infra_uri['postgresql']['ports']['tcp'] }}
 Restart=always
 RestartSec=10s
 TimeoutStopSec=120
 [Install]
 WantedBy=default.target
--- a/config/services/containers/auth/authelia/config/authelia.yaml.j2
+++ b/config/services/containers/auth/authelia/config/authelia.yaml.j2
@@ -131,3 +131,112 @@ identity_providers:
        userinfo_signed_response_alg: 'none'
        # [ client_secret_post | client_secret_basic ]
        token_endpoint_auth_method: 'client_secret_post'
      # https://www.authelia.com/integration/openid-connect/clients/gitea/
      - client_id: 'gitea'
        client_name: 'gitea'
        client_secret: '{{ hostvars['console']['gitea']['oidc']['hash'] }}'
        public: false
        authorization_policy: 'one_factor'
        require_pkce: false
        pkce_challenge_method: ''
        redirect_uris:
          - 'https://gitea.ilnmors.com/user/oauth2/authelia/callback'
        scopes:
          - 'openid'
          - 'email'
          - 'profile'
        response_types:
          - 'code'
        grant_types:
          - 'authorization_code'
        access_token_signed_response_alg: 'none'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_basic'
      # https://www.authelia.com/integration/openid-connect/clients/immich/
      - client_id: 'immich'
        client_name: 'immich'
        client_secret: '{{ hostvars['console']['immich']['oidc']['hash'] }}'
        public: false
        authorization_policy: 'one_factor'
        require_pkce: false
        pkce_challenge_method: ''
        redirect_uris:
          - 'https://immich.ilnmors.com/auth/login'
          - 'https://immich.ilnmors.com/user-settings'
          - 'app.immich:///oauth-callback'
        scopes:
          - 'openid'
          - 'profile'
          - 'email'
        response_types:
          - 'code'
        grant_types:
          - 'authorization_code'
        access_token_signed_response_alg: 'none'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_post'
      # https://www.authelia.com/integration/openid-connect/clients/actual-budget/
      - client_id: 'actual-budget'
        client_name: 'Actual Budget'
        client_secret: '{{ hostvars['console']['actualbudget']['oidc']['hash'] }}'
        public: false
        authorization_policy: 'one_factor'
        require_pkce: false
        pkce_challenge_method: ''
        redirect_uris:
          - 'https://budget.ilnmors.com/openid/callback'
        scopes:
          - 'openid'
          - 'profile'
          - 'groups'
          - 'email'
        response_types:
          - 'code'
        grant_types:
          - 'authorization_code'
        access_token_signed_response_alg: 'none'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_basic'
      # https://www.authelia.com/integration/openid-connect/clients/paperless/
      - client_id: 'paperless'
        client_name: 'Paperless'
        client_secret: '{{ hostvars['console']['paperless']['oidc']['hash'] }}'
        public: false
        authorization_policy: 'one_factor'
        require_pkce: true
        pkce_challenge_method: 'S256'
        redirect_uris:
          - 'https://paperless.ilnmors.com/accounts/oidc/authelia/login/callback/'
        scopes:
          - 'openid'
          - 'profile'
          - 'email'
          - 'groups'
        response_types:
          - 'code'
        grant_types:
          - 'authorization_code'
        access_token_signed_response_alg: 'none'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_post'
      # https://www.authelia.com/integration/openid-connect/clients/vikunja/
      - client_id: 'vikunja'
        client_name: 'Vikunja'
        client_secret: '{{ hostvars['console']['vikunja']['oidc']['hash'] }}'
        public: false
        authorization_policy: 'one_factor'
        require_pkce: false
        pkce_challenge_method: ''
        redirect_uris:
          - 'https://vikunja.ilnmors.com/auth/openid/authelia'
        scopes:
          - 'openid'
          - 'profile'
          - 'email'
        response_types:
          - 'code'
        grant_types:
          - 'authorization_code'
        access_token_signed_response_alg: 'none'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_basic'
--- a/config/services/containers/common/caddy/etc/app/Caddyfile.j2
+++ b/config/services/containers/common/caddy/etc/app/Caddyfile.j2
@@ -0,0 +1,67 @@
 {
        servers {
                # Only accept packets from auth main caddy
                trusted_proxies static {{ hostvars['fw']['network4']['auth']['server'] }} {{ hostvars['fw']['network6']['auth']['server'] }}
        }
 }
 # Private TLS ACME with DNS-01-challenge
 (private_tls) {
        tls {
                issuer acme {
                        dir https://{{ infra_uri['ca']['domain'] }}:{{ infra_uri['ca']['ports']['https'] }}/acme/acme@ilnmors.internal/directory
                        dns rfc2136 {
                                server {{ infra_uri['bind']['domain'] }}:{{ infra_uri['bind']['ports']['dns'] }}
                                key_name acme-key
                                key_alg hmac-sha256
                                key "{file./run/secrets/CADDY_ACME_KEY}"
                        }
                        resolvers {{ infra_uri['bind']['domain'] }}
                }
        }
 }
 app.ilnmors.internal {
        import private_tls
        metrics
 }
 # test.app.ilnmors.internal {
 #         import private_tls
 #         root * /usr/share/caddy
 #         file_server
 # }
 vault.app.ilnmors.internal {
        import private_tls
        reverse_proxy host.containers.internal:8000 {
               header_up Host {http.request.header.X-Forwarded-Host}
        }
 }
 gitea.app.ilnmors.internal {
        import private_tls
        reverse_proxy host.containers.internal:3000 {
               header_up Host {http.request.header.X-Forwarded-Host}
        }
 }
 immich.app.ilnmors.internal {
        import private_tls
        reverse_proxy host.containers.internal:2283 {
                header_up Host {http.request.header.X-Forwarded-Host}
        }
 }
 budget.app.ilnmors.internal {
        import private_tls
        reverse_proxy host.containers.internal:5006 {
                header_up Host {http.request.header.X-Forwarded-Host}
        }
 }
 paperless.app.ilnmors.internal {
        import private_tls
        reverse_proxy host.containers.internal:8001 {
                header_up Host {http.request.header.X-Forwarded-Host}
        }
 }
 vikunja.app.ilnmors.internal {
        import private_tls
        reverse_proxy host.containers.internal:3456 {
                header_up Host {http.request.header.X-Forwarded-Host}
        }
 }
--- a/config/services/containers/common/caddy/etc/auth/Caddyfile.j2
+++ b/config/services/containers/common/caddy/etc/auth/Caddyfile.j2
@@ -29,6 +29,7 @@
                                key_alg hmac-sha256
                                key "{file./run/secrets/CADDY_ACME_KEY}"
                        }
                        resolvers {{ infra_uri['bind']['domain'] }}
                }
        }
 }
@@ -41,17 +42,80 @@ authelia.ilnmors.com {
                reverse_proxy host.containers.internal:9091
        }
 }
-test.ilnmors.com {
+# test.ilnmors.com {
 #         import crowdsec_log
 #         route {
 #                 crowdsec
 #                 forward_auth host.containers.internal:9091 {
 #                         # Authelia Forward Auth endpoint URI
 #                         uri /api/authz/forward-auth
 #                         copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
 #                 }
 #                 root * /usr/share/caddy
 #                 file_server
 #         }
 # }
 # test.app.ilnmors.com {
 #         import crowdsec_log
 #         route {
 #                 crowdsec
 #                 reverse_proxy https://test.app.ilnmors.internal {
 #                         header_up Host {http.reverse_proxy.upstream.host}
 #                 }
 #         }
 # }
 vault.ilnmors.com {
        import crowdsec_log
        route {
                crowdsec
-                forward_auth host.containers.internal:9091 {
+                reverse_proxy https://vault.app.ilnmors.internal {
-                        # Authelia Forward Auth endpoint URI
+                        header_up Host {http.reverse_proxy.upstream.host}
-                        uri /api/authz/forward-auth
+                }
-                        copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
+        }
 }
 gitea.ilnmors.com {
        import crowdsec_log
        route {
                crowdsec
                reverse_proxy https://gitea.app.ilnmors.internal {
                        header_up Host {http.reverse_proxy.upstream.host}
                }
        }
 }
 immich.ilnmors.com {
        import crowdsec_log
        route {
                crowdsec
                reverse_proxy https://immich.app.ilnmors.internal {
                        header_up Host {http.reverse_proxy.upstream.host}
                }
        }
 }
 budget.ilnmors.com {
        import crowdsec_log
        route {
                crowdsec
                reverse_proxy https://budget.app.ilnmors.internal {
                        header_up Host {http.reverse_proxy.upstream.host}
                }
        }
 }
 paperless.ilnmors.com {
        import crowdsec_log
        route {
                crowdsec
                reverse_proxy https://paperless.app.ilnmors.internal {
                        header_up Host {http.reverse_proxy.upstream.host}
                }
        }  
 }
 vikunja.ilnmors.com {
        import crowdsec_log
        route {
                crowdsec
                reverse_proxy https://vikunja.app.ilnmors.internal {
                        header_up HOST {http.reverse_proxy.upstream.host}
                }
                root * /usr/share/caddy
                file_server
        }
 }
--- a/config/services/containers/common/caddy/etc/infra/Caddyfile.j2
+++ b/config/services/containers/common/caddy/etc/infra/Caddyfile.j2
@@ -9,6 +9,7 @@
                                key_alg hmac-sha256
                                key "{file./run/secrets/CADDY_ACME_KEY}"
                        }
                        resolvers {{ infra_uri['bind']['domain'] }}
                }
        }
 }
--- a/config/services/containers/infra/ca/config/ca.json.j2
+++ b/config/services/containers/infra/ca/config/ca.json.j2
@@ -22,7 +22,8 @@
 				"allow": {
 					"dns": [
 						"ilnmors.internal",
-						"*.ilnmors.internal"
+						"*.ilnmors.internal",
 						"*.app.ilnmors.internal"
 					]
 				},
 				"allowWildcardNames": true
--- a/config/services/systemd/common/crowdsec/bouncers/whitelists.yaml.j2
+++ b/config/services/systemd/common/crowdsec/bouncers/whitelists.yaml.j2
@@ -1,11 +1,19 @@
 name: crowdsecurity/whitelists
-description: "Whitelist console/admin hosts only"
+description: "Local whitelist policy"
 whitelist:
-    reason: "trusted admin hosts"
+    reason: "rules"
    ip:
        # Console IP lists
        - "127.0.0.1"
        - "::1"
        - "{{ hostvars['fw']['network4']['console']['client'] }}"
        - "{{ hostvars['fw']['network4']['console']['wg'] }}"
        - "{{ hostvars['fw']['network6']['console']['client'] }}"
        - "{{ hostvars['fw']['network6']['console']['wg'] }}"
 {% if node['name'] == 'auth' %}
    expression:
        # budget local-first sql scrap rule
        - "evt.Meta.target_fqdn == 'budget.ilnmors.com' && evt.Meta.http_path contains '/data/migrations/'"
        # immich thumbnail request 404 error false positive
        - "evt.Meta.target_fqdn == 'immich.ilnmors.com' && evt.Meta.http_path contains '/api/assets/' && evt.Meta.http_path contains '/thumbnail'"
 {% endif %}
--- a/data/create_all_structure.sh
+++ b/data/create_all_structure.sh
--- a/docs/runbook/07-git.md
+++ b/docs/runbook/07-git.md
@@ -69,3 +69,27 @@ git tag -a 0.0.1-caddy-app -m "caddy-app: Start caddy-app branch"
 git switch main
 git merge caddy-app
 ```
 ## Connect local git and remote git
 - Set this after gitea is implemented
 ```bash
 # Add git remote repository
 git config --global credential.helper store
 git remote add origin https://gitea.ilnmors.com/il/ilnmors-homelab.git
 # For first time to make connection between local and remote git
 git push -u origin main
 # Username for 'https://gitea.ilnmors.com': il
 # Password for 'https://il@gitea.ilnmors.com': gitea.il.token
 git push --tags
 # After first connection, -u origin main option is not needed
 git add $PATH
 git commit -m "comment"
 git tag -a $VERSION -m "comment"
 git push && git push --tags
 # -f and --force-with-lease can be used in commit and tags
 # -f option and --force-with-lease
 # -f: just overwrite forcefully without any condition. it is dangerous, because it doesn't care the changes (commit) from other local git
 # --force-with-lease: overwrite forcefully only when there's no changes (commit) from other local git
 ```
--- a/docs/services/app/actual-budget.md
+++ b/docs/services/app/actual-budget.md
@@ -0,0 +1,22 @@
 # Actual budget
 ## Prerequisite
 ### Create oidc secret and hash
 - Create the secret with `openssl rand -base64 32`
 - access to auth vm
  - `podman exec -it authelia sh`
  - `authelia crypto hash generate pbkdf2 --password 'actualbudget.oidc.secret'`
 - Save this value in secrets.yaml in `actualbudget.oidc.secret` and `actualbudget.oidc.hash`
 ## Configuration
 ### Initialization
 - Use current domain
  - ok
 - Start Using OpenID
  - Start fresh
 - Server Online: User directory: Add User: the user name which is defined on LDAP
 - Server Online: User Access: enable user
--- a/docs/services/app/gitea.md
+++ b/docs/services/app/gitea.md
@@ -0,0 +1,93 @@
 # gitea
 ## Prerequisite
 ### Create database
 - Create the password with `openssl rand -base64 32`
  - Save this value in secrets.yaml in `postgresql.password.gitea`
  - Access infra server to create gitea_db with `podman exec -it postgresql psql -U postgres`
 ```SQL
 CREATE USER gitea WITH PASSWORD 'postgresql.password.gitea';
 CREATE DATABASE gitea_db;
 ALTER DATABASE gitea_db OWNER TO gitea;
 ```
 ### Create oidc secret and hash
 - Create the secret with `openssl rand -base64 32`
 - access to auth vm
  - `podman exec -it authelia sh`
  - `authelia crypto hash generate pbkdf2 --password 'gitea.oidc.secret'`
 - Save this value in secrets.yaml in `gitea.oidc.secret` and `gitea.oidc.hash`
 ### Create admin password
 - Create the secret with `openssl rand -base64 32`
 - Save this value in secrets.yaml in `gitea.admin.password`
 - 
 ### Add postgresql dump backup list
 - [set_postgresql.yaml](../../../ansible/roles/infra/tasks/services/set_postgresql.yaml)
 ```yaml
 - name: Set connected services list
  ansible.builtin.set_fact:
    connected_services:
      - ...
      - "gitea"
 ```
 ## Configuration
 ### Site installation
 - **!CAUTION!** This is needed Only when first installing. This process isn't needed when the data is restored on `~/data/containers/gitea`
 - https://gitea.ilnmors.com
 - General setting
  - Site Title: Gitea: ilnmors
 - Administrator Account Setting
  - Administrator Username: il
  - Email Address il@ilnmors.internal
  - Password & confirm password: gitea.il.password
 - Install Gitea
 ### Oauth configuration
 - Site Administration
 - Identity & Access: Authentication Sources: Add Authentication Source
 - Configure the following options:
  - Authentication Type: OAuth2
  - Authentication Name: authelia
  - OAuth2 Provider: OpenID Connect
  - Client ID (Key): gitea
  - Client Secret: gitea.oidc.secret
  - OpenID Connect Auto Discovery URL: https://authelia.ilnmors.com/.well-known/openid-configuration
 ### Link Account via OAuth2
 - Login with autheila
  - Register New Account
  - Link to Existing Account
    - Link the account of administrational account which set at the inital install page
    - id and password
 ### Set repository access token
 - Settings: Applications: Generate New Token
  - Token name: ilnmors-homelab
  - Repository and Organization Access: All
  - repository - Read and Write
 - Generate Token
 - Copy token value and save this in `secrets.yaml`
 ## Connect with loacl git repository
 ### Create remote git repository
 - Repository: `+`
  - Name: ilnmors-homelab
  - etc: default vaules
 - Following [07-git.md](../../runbook/07-git.md)
--- a/docs/services/app/immich.md
+++ b/docs/services/app/immich.md
@@ -0,0 +1,86 @@
 # immich
 ## Prerequisite
 ### Create database
 - Create the password with `openssl rand -base64 32`
  - Save this value in secrets.yaml in `postgresql.password.immich`
  - Access infra server to create immich_db with `podman exec -it postgresql psql -U postgres`
 ```SQL
 CREATE USER immich WITH PASSWORD 'postgresql.password.immich';
 CREATE DATABASE immich_db;
 ALTER DATABASE immich_db OWNER TO immich;
 \connect immich_db
 CREATE EXTENSION IF NOT EXISTS vchord CASCADE;
 CREATE EXTENSION IF NOT EXISTS cube CASCADE;
 CREATE EXTENSION IF NOT EXISTS earthdistance CASCADE;
 \dx
 -- Check the extension is activated with `\dx`
 -- postgresql image is built with `pgvector` and `vectorchord` already
 ```
 ### Create oidc secret and hash
 - Create the secret with `openssl rand -base64 32`
 - access to auth vm
  - `podman exec -it authelia sh`
  - `authelia crypto hash generate pbkdf2 --password 'immich.oidc.secret'`
 - Save this value in secrets.yaml in `immich.oidc.secret` and `immich.oidc.hash`
 ### Create admin password
 - Create the secret with `openssl rand -base64 32`
 - Save this value in secrets.yaml in `immich.il.password`
 ### Add postgresql dump backup list
 - [set_postgresql.yaml](../../../ansible/roles/infra/tasks/services/set_postgresql.yaml)
 ```yaml
 - name: Set connected services list
  ansible.builtin.set_fact:
    connected_services:
      - ...
      - "immich"
 ```
 ## Configuration
 ### Access to immich
 - https://immich.ilnmors.com
  - Getting started
  - admin E-mail
  - admin password
  - admin name
 - Theme
 - language
 - Server privacy
  - map
  - version check
 - User privacy
  - google cast \(disable\)
 - Storage template
  - `{{y}}/{{MM}}/{{y}}{{MM}}{{dd}}_{{hh}}{{mm}}{{ss}}`
 - Backups
 - Mobile App
 - Done
 ### Oauth configuration
 - Administartion: Authentication Settings: OAuth: Enable
    - Issuer URL: https://auth.example.com/.well-known/openid-configuration
    - Client ID: immich
    - Client Secret: immich.oidc.secret
    - Scope: openid profile email
    - Button Text: Login with Authelia
    - Auto Register: Enable if desired
 ### Machine learning configuration
 - Administration: Machine Learning Settings: Enable
  - URL: http://host.containers.internal:3003
 - **!CAUTION!**
  - immich-ml should contain `-openvino` to use GPU for machine learning.
--- a/docs/services/app/paperless-ngx.md
+++ b/docs/services/app/paperless-ngx.md
@@ -0,0 +1,116 @@
 # paperless
 ## Prerequisite
 ### Create database
 - Create the password with `openssl rand -base64 32`
  - Save this value in secrets.yaml in `postgresql.password.paperless`
  - Access infra server to create paperless_db with `podman exec -it postgresql psql -U postgres`
 ```SQL
 CREATE USER paperless WITH PASSWORD 'postgresql.password.paperless';
 CREATE DATABASE paperless_db;
 ALTER DATABASE paperless_db OWNER TO paperless;
 ```
 ### Create oidc secret and hash
 - Create the secret with `openssl rand -base64 32`
 - access to auth vm
  - `podman exec -it authelia sh`
  - `authelia crypto hash generate pbkdf2 --password 'paperless.oidc.secret'`
 - Save this value in secrets.yaml in `paperless.oidc.secret` and `paperless.oidc.hash`
 - Use `client_secret_post`, django encodes the secret value wrong frequently.
 ### Create session secret value
 - Create the secret with `LC_ALL=C tr -dc 'A-Za-z0-9!#%&()*+,-./:;<=>?@[\]^_{|}~' </dev/urandom | head -c 32`
  - Save this value in secrets.yaml in `paperless.session_secret`
 ### Create admin password
 - Create the secret with `openssl rand -base64 32`
 - Save this value in secrets.yaml in `paperless.il.password`
 ### Add postgresql dump backup list
 - [set_postgresql.yaml](../../../ansible/roles/infra/tasks/services/set_postgresql.yaml)
 ```yaml
 - name: Set connected services list
  ansible.builtin.set_fact:
    connected_services:
      - ...
      - "paperless"
 ```
 ## Configuration
 ### Access to paperless
 - https://paperless.ilnmors.com
  - name: il
  - E-mail: il@ilnmors.internal
  - password: `paperless.il.password`
 ### Oauth configuration
 - My Profiles: Connect new social account: Authelia
  - Continue
  - Login with Authelia
 ### OCR configuration
 - Configuration: OCR settings
  - Output Type: pdfa
  - Mode: skip
    - When the archive file has broken ocr text, then conduct replcae command manually
  - Skip archive File: never
  - Deskew: disable \(toggle to enable and once more to active disable option\)
  - rotate: disable \(toggle to enable and once more to active disable option\)
 ## The non-standard pdf file
 - Some pdf files doesn't follow the standard, for example korean court or government pdf files.
 - Before upload this kind of non-standard pdf files, convert it first.
 - This process uses ghostscript and powershell in Windows for console
 ```PowerShell
 # 1. The engine
 $gsPath = "C:\Program Files\gs\gs10.07.0\bin\gswin64c.exe"
 # 2. new folder which the converted file will be stored
 $outputDirName = "converted_pdfs"
 $outputDir = Join-Path (Get-Location) $outputDirName
 if (!(Test-Path $outputDir)) { New-Item -ItemType Directory -Path $outputDir }
 # 3. Find all pdf files
 $files = Get-ChildItem -Filter *.pdf
 foreach ($file in $files) {
    if ($file.FullName -like "*$outputDirName*") { continue }
    $inputPath = $file.FullName
    $outputPath = Join-Path $outputDir $file.Name
    Write-Host "convert: $($file.Name)" -ForegroundColor Cyan
    $gsArgs = @(
        "-sDEVICE=pdfwrite",
        "-dCompatibilityLevel=1.4",
        "-dPDFSETTINGS=/default",
        "-dNOPAUSE",
        "-dQUIET",
        "-dBATCH",
        "-dNoOutputFonts", # Change all text as image
        "-sOutputFile=$outputPath",
        "$inputPath"
    )
    # 실행
    & $gsPath @gsArgs
 }
 Write-Host "`n[Complete] All file is stored in '$outputDirName'." -ForegroundColor Green
 ```
--- a/docs/services/app/vaultwarden.md
+++ b/docs/services/app/vaultwarden.md
@@ -0,0 +1,49 @@
 # vaultwarden
 ## Prerequisite
 ### Create database
 - Create the password with `openssl rand -base64 32`
  - Save this value in secrets.yaml in `postgresql.password.vaultwarden`
  - Access infra server to create vaultwarden_db with `podman exec -it postgresql psql -U postgres`
 ```SQL
 CREATE USER vaultwarden WITH PASSWORD 'postgresql.password.vaultwarden';
 CREATE DATABASE vaultwarden_db;
 ALTER DATABASE vaultwarden_db OWNER TO vaultwarden;
 ```
 ### Create admin hash
 - Create the password with `openssl rand -base64 32`
  - https://argon2.online/
  - salt: auto generate
  - parallelism: factor 4
  - memory cost: 65536
  - iterations: 3
  - hash length: 32
  - type: argon2id
 - Save this value in secrets.yaml in `vaultwarden.admin.password` and `vaultwarden.admin.hash`
 ### Add postgresql dump backup list
 - [set_postgresql.yaml](../../../ansible/roles/infra/tasks/services/set_postgresql.yaml)
 ```yaml
 - name: Set connected services list
  ansible.builtin.set_fact:
    connected_services:
      - ...
      - "vaultwarden"
 ```
 ## Configuration
 - https://vault.ilnmors.com/admin
  - token value: vaultwarden.admin.password
 - Users:Invite User:Email
  - add
 - https://vault.ilnmors.com
  - Create account and input the Email which added in admin page
--- a/docs/services/app/vikunja.md
+++ b/docs/services/app/vikunja.md
@@ -0,0 +1,62 @@
 # vikunja
 ## Prerequisite
 ### Create database
 - Create the password with `openssl rand -base64 32`
  - Save this value in secrets.yaml in `postgresql.password.vikunja`
  - Access infra server to create vikunja_db with `podman exec -it postgresql psql -U postgres`
 ```SQL
 CREATE USER vikunja WITH PASSWORD 'postgresql.password.vikunja';
 CREATE DATABASE vikunja_db;
 ALTER DATABASE vikunja_db OWNER TO vikunja;
 ```
 ### Create oidc secret and hash
 - Create the secret with `openssl rand -base64 32`
 - access to auth vm
  - `podman exec -it authelia sh`
  - `authelia crypto hash generate pbkdf2 --password 'vikunja.oidc.secret'`
 - Save this value in secrets.yaml in `vikunja.oidc.secret` and `vikunja.oidc.hash`
 ### Create session secret value
 - Create the secret with `LC_ALL=C tr -dc 'A-Za-z0-9!#%&()*+,-./:;<=>?@[\]^_{|}~' </dev/urandom | head -c 32`
  - Save this value in secrets.yaml in `vikunja.session_secret`
 ### Create admin password
 - Create the secret with `openssl rand -base64 32`
 - Save this value in secrets.yaml in `vikunja.il.password`
 ### Add postgresql dump backup list
 - [set_postgresql.yaml](../../../ansible/roles/infra/tasks/services/set_postgresql.yaml)
 ```yaml
 - name: Set connected services list
  ansible.builtin.set_fact:
    connected_services:
      - ...
      - "vikunja"
 ```
 ## Configuration
 ### Create local account
 - Access to app vm via ssh
 ```bash
 ssh app
 podman exec -it vikunja /app/vikunja/vikunja user create --email il@ilnmors.internal --username il
 # Enter Password: vikunja.il.password
 # Confirm Password: vikunja.il.password
 ```
 - https://vikunja.ilnmors.com
  - Try to login locally
  - Try to login via Authelia
--- a/docs/services/common/caddy.md
+++ b/docs/services/common/caddy.md
@@ -28,17 +28,23 @@ test.ilnmors.com
    import crowdsec_log
    route {
        crowdsec
-        reverse_proxy https://test.app.ilnmors.internal
+        reverse_proxy https://test.app.ilnmors.internal {
            header_up Host {http.reverse_proxy.upstream.host}
        }
    }
 }
 # App server
 {
    servers {
        trusted_proxies static {{ hostvars['fw']['network4']['auth']['server'] }} {{ hostvars['fw']['network6']['auth']['server'] }}
    }
 }
 test.app.ilnmors.internal
 {
     import internal_tls
     trusted_proxies {{ hostvars['fw']['network4']['auth']['server'] }} {{ hostvars['fw']['network6']['auth']['server'] }}
     route {
        reverse_proxy host.containers.internal:3000 {
-            header_up Host {header.X-Forwarded-Host} {Host}
+            header_up Host {http.request.header.X-Forwarded-Host}
        }
     }
 }
--- a/docs/services/common/crowdsec.md
+++ b/docs/services/common/crowdsec.md
@@ -228,6 +228,11 @@ auth@auth:~$ sudo cscli alerts list
 │ 9  │ Ip:138.68.144.227  │ crowdsecurity/jira_cve-2021-26086 │         │    │ ban:1     │ 2026-03-06 04:18:18.35776077 +0000 UTC  │
 ╰────┴────────────────────┴───────────────────────────────────┴─────────┴────┴───────────┴─────────────────────────────────────────╯
 ## Log check and inspect
 fw@fw:~$ sudo cscli alerts inspect 230 -d
 - check the log and analyze and make expression
  - e.g. immich
    - evt.Meta.target_fqdn == 'immich.ilnmors.com' && evt.Meta.http_path contains '/api/assets/' && evt.Meta.http_path contains '/thumbnail'
Author	SHA1	Message	Date
il	9137791aac	1.7.0: Release vikunja	2026-03-28 10:44:18 +09:00
il	f9179282b8	roles: update set_immich.yaml to add redis_immich container restart logic	2026-03-28 10:19:41 +09:00
il	25e33caec9	roles, config, docs: update set_paperless.yaml, paperless.container.j2, paperless-ngx.md to add redis_paperless container restart logic and to optimize paperless-ngx configuration	2026-03-25 23:47:50 +09:00
il	d5090503d8	version: update group_vars/all.yaml to update immich from v2.6.1 to v2.6.2	2026-03-25 19:44:28 +09:00
il	b7a038dcab	docs: update paperless-ngx.md to add how to deal with non-standard format pdf such as korean government documents	2026-03-25 00:01:06 +09:00
il	5f063d82d5	1.6.0 Release paperless-ngx	2026-03-24 21:55:04 +09:00
il	95eff329b6	docs: update immich.md to polish the document	2026-03-24 11:18:26 +09:00
il	e8f523c2af	config, docs: update whitelists.yaml.j2 and crowdsec.md to add whitelist expression to fix false positive of immich thumbnails 404 error	2026-03-21 21:35:41 +09:00
il	726c0c3523	config: update whitelists.yaml.j2 to add whitelist expression to fix false positive of actual budget	2026-03-21 19:32:25 +09:00
il	8bff16d172	1.5.0 Release actual budget	2026-03-21 19:27:05 +09:00
il	fc3b5a1e05	config: update each of Caddyfile to add resolver as bind directly to avoid pass through blocky to verify acme txt record	2026-03-21 16:07:28 +09:00
il	13839c9dfd	1.4.0 Release immich	2026-03-21 13:32:51 +09:00
il	242b719671	roles: update handlers/main.yaml and set_resolved.yaml to modify handler from reload to restart to apply configuration immediately	2026-03-21 11:51:43 +09:00
il	224b27abc3	roles: update set_gitea to add restart notification when the secret value is changed	2026-03-21 10:32:34 +09:00
il	a2022fd14c	roles: update set_cli_tools.yaml to remove unnecessary #noqa	2026-03-21 10:28:16 +09:00
il	be07698dae	roles, docs: update set_postgresql.yaml, gitea.md, vaultwarden.md to remove telegraf annotation	2026-03-19 00:20:43 +09:00
il	ab7e09d90b	docs: update gitea.md, vaultwarden.md to fix password example	2026-03-19 00:15:04 +09:00
il	8c81827e24	1.3.1 Update redis	2026-03-18 23:16:52 +09:00
il	57996f1efd	data: set create_all_structure.sh mode 700 to excute	2026-03-15 06:39:33 +09:00
il	8311fcf53e	1.3.0 Release gitea	2026-03-15 06:17:01 +09:00
il	90277b2d4e	config: update resolved/global.conf to add \n end of the file	2026-03-15 05:55:01 +09:00
il	6fc12d0119	1.2.0 Release vaultwarden	2026-03-15 05:28:43 +09:00
il	4b7ec4d638	git: update .gitignore to add .ansible path	2026-03-15 04:59:15 +09:00
il	6cd26eb7d8	1.1.0 Release caddy-app	2026-03-15 04:57:27 +09:00