docs(nextcloud): update how to disable auto generated contacts from nextcloud account

update note:
- deprecate custom whitelist expression
- apply 'crowdsecurity/nextcloud-whitelist' parser

ansible/roles/common/tasks/services/set_crowdsec.yaml

@@ -36,10 +36,15 @@
   ansible.builtin.set_fact:
     acquisd_list:
       fw:
-        collection: "crowdsecurity/suricata"
+        collection:
+          - "crowdsecurity/suricata"
+        parser: []
         config: "suricata.yaml"
       auth:
-        collection: "crowdsecurity/caddy"
+        collection:
+          - "crowdsecurity/caddy"
+        parser:
+          - "crowdsecurity/nextcloud-whitelist"
         config: "caddy.yaml"
 
 - name: Deploy crowdsec-update service files
@@ -181,7 +186,8 @@
   block:
     - name: Install crowdsec collection
       ansible.builtin.command:
-        cmd: "cscli collections install {{ acquisd_list[node['name']]['collection'] }}"
+        cmd: "cscli collections install {{ item }}"
+      loop: "{{ acquisd_list[node['name']]['collection'] }}"
       become: true
       changed_when: "'overwrite' not in is_collection_installed.stderr"
       failed_when:
@@ -189,6 +195,17 @@
         - "'already installed' not in is_collection_installed.stderr"
       register: "is_collection_installed"
 
+    - name: Install crowdsec parser
+      ansible.builtin.command:
+        cmd: "cscli parsers install {{ item }}"
+      loop: "{{ acquisd_list[node['name']]['parser'] }}"
+      become: true
+      changed_when: "'overwrite' not in is_parser_installed.stderr"
+      failed_when:
+        - is_parser_installed.rc != 0
+        - "'already installed' not in is_parser_installed.stderr"
+      register: "is_parser_installed"
+
     - name: Create crowdsec acquis.d directory
       ansible.builtin.file:
         path: "/etc/crowdsec/acquis.d"

docs/issues/crowdsec/260321_actual_budget.md

@@ -26,8 +26,8 @@
 - Access to fw
   - Check the ban list with `sudo cscli alerts list`
   - Read the ban case with `sudo cscli alerts inspect $NUMBER`
-- Add regex on whitelist
+- Add expressions on whitelist
   - evt.Meta.target_fqdn == '{{ services['actualbudget']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/data/migrations/'
 - Delete false positive decision
   - Check false positive decision with `sudo cscli decision list`
-  - Delete false positive decision with `sudo cscli decision list --id $ID`
+  - Delete false positive decision with `sudo cscli decision delete --id $ID`

docs/issues/crowdsec/260321_immich.md

@@ -25,8 +25,8 @@
 - Access to fw
   - Check the ban list with `sudo cscli alerts list`
   - Read the ban case with `sudo cscli alerts inspect $NUMBER`
-- Add regex on whitelist
+- Add expressions on whitelist
-  - evt.Meta.target_fqdn == 'Immich.ilnmors.com' && evt.Meta.http_path contains '/api/assets/' && evt.Meta.http_path contains '/thumbnail'
+  - evt.Meta.target_fqdn == '{{ services['immich']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/api/assets/' && evt.Meta.http_path contains '/thumbnail'
 - Delete false positive decision
   - Check false positive decision with `sudo cscli decision list`
-  - Delete false positive decision with `sudo cscli decision list --id $ID`
+  - Delete false positive decision with `sudo cscli decision delete --id $ID`

docs/issues/crowdsec/260404_opencloud.md

@@ -25,8 +25,8 @@
 - Access to fw
   - Check the ban list with `sudo cscli alerts list`
   - Read the ban case with `sudo cscli alerts inspect $NUMBER`
-- Add regex on whitelist
+- Add expressions on whitelist
   - evt.Meta.target_fqdn == '{{ services['opencloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/js/chunks/'
 - Delete false positive decision
   - Check false positive decision with `sudo cscli decision list`
-  - Delete false positive decision with `sudo cscli decision list --id $ID`
+  - Delete false positive decision with `sudo cscli decision delete --id $ID`

docs/issues/crowdsec/260502_nextcloud.md

@@ -0,0 +1,38 @@
+# Nextcloud crowdsec false positive issue
+
+## Status
+- Finished
+
+## Date
+- 2026-05-02
+
+## Version
+- Nextcloud: 33.0.3
+
+## Problem
+- When users download or modify some files, all connections to homelab services are refused.
+  - fw ban users' IP address.
+
+## Reason
+- Nextcloud has a lot of workflows which can be caught from crowdsec
+
+## Timeline
+- 2026-05-02: Release nextcloud
+- 2026-05-02: Find the false positive case, and add whitelist
+- 2026-05-03: Install crowdsecurity/nextcloud-whitelist parser
+- 2026-05-03: Make previous expressions annotation
+
+## Solution
+- Install crowdsecurity/nextcloud-whitelist on auth node
+
+### Deprecated solution
+- Access to fw
+  - Check the ban list with `sudo cscli alerts list`
+  - Read the ban case with `sudo cscli alerts inspect $NUMBER`
+- Add expressions on whitelist
+  - evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/apps/viewer/js/'
+  - evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/dist/'
+  - evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/remote.php/dav/files/'
+- Delete false positive decision
+  - Check false positive decision with `sudo cscli decision list`
+  - Delete false positive decision with `sudo cscli decision delete --id $ID`

docs/services/app/nextcloud.md

@@ -86,3 +86,8 @@ podman exec -u www-data nextcloud php occ db:add-missing-primary-keys
 
 - Profile: Accounts:
   - allocate admin group for admin users
+
+#### Disable System addressbook expose
+
+- Profile: Administration Settings: Groupware: System Address Book
+  - Dsiable Enable system address book