feat(wiki.js): release wiki.js

deployment notes: - use this as personal/family wiki system - compare to affine / memos and triliumNext
refactor(x509-exporter): update notification to restart x509-exporter when its config.yaml is changed
2026-05-09 17:50:05 +09:00 · 2026-05-09 17:42:35 +09:00 · 2026-05-09 13:55:28 +09:00
14 changed files with 285 additions and 6 deletions
@@ -178,6 +178,13 @@ services:
      http: "3001"
      redis: "6383"
    subuid: "100999"
+  wikijs:
+    domain:
+      public: "wiki"
+      internal: "wiki.app"
+    ports:
+      http: "3002"
+    subuid: "100999"

 version:
  packages:
@@ -206,7 +213,7 @@ version:
    # App
    vaultwarden: "1.36.0"
    gitea: "1.26.1"
-    redis: "8.6.1"
+    redis: "8.6.3"
    immich: "v2.7.5"
    actualbudget: "26.3.0"
    paperless: "2.20.15"
@@ -218,3 +225,4 @@ version:
    collabora: "25.04.9.4.1"
    ezbookkeeping: "1.4.0"
    sure: "0.7.0-hotfix.2"
+    wikijs: "2.5.314"
@@ -257,6 +257,14 @@
          tags: ["site", "sure"]
      tags: ["site", "sure"]

+    - name: Set wiki.js
+      ansible.builtin.include_role:
+        name: "app"
+        tasks_from: "services/set_wikijs"
+        apply:
+          tags: ["site", "wikijs"]
+      tags: ["site", "wikijs"]
+
    - name: Flush handlers right now
      ansible.builtin.meta: "flush_handlers"

@@ -147,3 +147,14 @@
  changed_when: false
  listen: "notification_restart_sure"
  ignore_errors: true # noqa: ignore-errors
+
+- name: Restart wikijs
+  ansible.builtin.systemd:
+    name: "wikijs.service"
+    state: "restarted"
+    enabled: true
+    scope: "user"
+    daemon_reload: true
+  changed_when: false
+  listen: "notification_restart_wikijs"
+  ignore_errors: true # noqa: ignore-errors
@@ -0,0 +1,53 @@
+---
+- name: Create wiki.js directory
+  ansible.builtin.file:
+    path: "{{ node['home_path'] }}/{{ item }}"
+    state: "directory"
+    owner: "{{ services['wikijs']['subuid'] }}"
+    group: "svadmins"
+    mode: "0770"
+  loop:
+    - "data/containers/wikijs"
+    - "data/containers/wikijs/data"
+    - "data/containers/wikijs/export"
+    - "containers/wikijs"
+    - "containers/wikijs/ssl"
+  become: true
+
+- name: Deploy root certificate
+  ansible.builtin.copy:
+    content: |
+      {{ hostvars['console']['ca']['root']['crt'] }}
+    dest: "{{ node['home_path'] }}/containers/wikijs/ssl/{{ root_cert_filename }}"
+    owner: "{{ services['wikijs']['subuid'] }}"
+    group: "svadmins"
+    mode: "0440"
+  become: true
+  notify: "notification_restart_wikijs"
+  no_log: true
+
+- name: Register secret value to podman secret
+  containers.podman.podman_secret:
+    name: "WIKIJS_DB_PASS"
+    data: "{{ hostvars['console']['postgresql']['password']['wikijs'] }}"
+    state: "present"
+    force: true
+  notify: "notification_restart_wikijs"
+  no_log: true
+
+- name: Deploy wikijs.container file
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/wikijs/wikijs.container.j2"
+    dest: "{{ node['home_path'] }}/.config/containers/systemd/wikijs.container"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0644"
+  notify: "notification_restart_wikijs"
+
+- name: Enable wikijs.service
+  ansible.builtin.systemd:
+    name: "wikijs.service"
+    state: "started"
+    enabled: true
+    daemon_reload: true
+    scope: "user"
@@ -14,6 +14,7 @@
      - "nextcloud"
      - "ezbookkeeping"
      - "sure"
+      - "wikijs"

 - name: Create postgresql directory
  ansible.builtin.file:
@@ -20,7 +20,7 @@
    group: "svadmins"
    mode: "0440"
  become: true
-  no_log: true
+  notify: "notification_restart_x509-exporter"

 - name: Deploy certificates
  ansible.builtin.copy:
@@ -122,6 +122,7 @@ postgresql:
        nextcloud: ENC[AES256_GCM,data:ROsximNuWYMTZktmLJPx7W1Qol/uT+APgwoCtFO/6ZYYc3KxKvlk344eqEc=,iv:4d+MrfIHjJKAcwhvZ3g4go66uZcieuL7lngKErJd+fg=,tag:QbWOtxeCbiu62GyrE2atXg==,type:str]
        ezbookkeeping: ENC[AES256_GCM,data:CYYQ5DVr8Na46QduvUNF6d0XBVSXTml34q3/PhIYIvUNviOVgCjqXA4wN7g=,iv:qRljohJ+wI50XxSgMElKp65HyV3mKRTqDGjw9C1S0d0=,tag:PClp7PRmC0+PV0SzZpJqqQ==,type:str]
        sure: ENC[AES256_GCM,data:FULJ2gjJ2gZC3s324itW+CjGRBHIP9RnOqw5TT1UaiUhb7UHAPm1na+LsZk=,iv:c0GnVZkxprJUzPPq3TCQaZvAes9QQuvDXqgVLLaiQIg=,tag:uDxy/Lkd2hNK4AWwMNMslw==,type:str]
+        wikijs: ENC[AES256_GCM,data:2drkkTevrcUrgxOHavIEPcemc2l5+/3GEAYNCYVL/63daVda5tzL61tPm2A=,iv:87qPrlRaosXO75eaxo4xjevVc1Pt9MiHv6lYFBB3MKU=,tag:SnVbVR4ZM0qvVmWpcgSKrg==,type:str]
 #ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
 #
 #
@@ -285,6 +286,15 @@ sure:
 #ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
 #
 #
+#ENC[AES256_GCM,data:NkvAsD10P7qUvGPXeTY+rQ==,iv:GjsUk3Ht6RYW/rhkRhMSFEmtsAiS+dK7niYDJVBj2iE=,tag:8KnDcuRTm7P76Kh2hmWeXw==,type:comment]
+wikijs:
+    il: ENC[AES256_GCM,data:gsAEHk4MI75EXIiqdb05RYSmlxaQ7mlYXTwTYYVJ20KC397T6xbHzvNojlI=,iv:iYc+BahiJ50LSr35/T1VCQsxsRen5rKLwQhfVQMkdz4=,tag:rscWcLWyTaSR4KEPJaes2A==,type:str]
+    oidc:
+        secret: ENC[AES256_GCM,data:+bmvyUkiQ+vnaJW7wgjohv4wdvliqx8whdSM8iBUJXGFy/QOs2oJm4FoUcA=,iv:U07y/+87zbXQ2hQ4HvzKcEH5nQsaSIF1Oh3yv6/ytWU=,tag:knGwjGhH5D/OSvW6j5S0VQ==,type:str]
+        hash: ENC[AES256_GCM,data:7jKBt9mdfxKDU6vBIP6k/wj0gIsRnLwwSrLOlnbbiNZVmbZXqv/UxEsLxCyx1rP2mzGgaxNCBh6WOo7mbSMPezMiuf/enrNrmIwpcP2R0H6LxGTiLFk/7EZ493oy7qFmmsM2qM7Y6qhhKUygD4XbJfVZ2sdojjIGAWy6XdpbbQICb5I=,iv:N3gPga+iDYUF0uAx671DP+4c7FYUKP12MEbYmKZRPAI=,tag:7tKwhxk5yQ0KfZrg0+v/rw==,type:str]
+#ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
+#
+#
 #ENC[AES256_GCM,data:T4Wtn49AAxPd2QUFTR+q,iv:bH5goGWBDqumAat9dUv2OwfCUJUpuVqncTMqMBZUXhI=,tag:G+W6hHA+yftQ+4RJpXrxHg==,type:comment]
 switch:
    password: ENC[AES256_GCM,data:qu0f9L7A0eFq/UCpaRs=,iv:W8LLOp3MSfd/+EfNEZNf91K8GgI5eUfVPoWTRES2C0Y=,tag:Q5FlAOfwqwJwPvd7k6i+0g==,type:str]
@@ -314,7 +324,7 @@ sops:
            UmliaFNxVTBqRkI1QWJpWGpTRWxETW8KEY/8AfU73UOzCGhny1cNnd5dCNv7bHXt
            k+uyWPPi+enFkVaceSwMFrA66uaWWrwAj11sXEB7yzvGFPrnAGezjQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-05-06T07:38:04Z"
-    mac: ENC[AES256_GCM,data:5Q9oN/oun7x1q7L4HWWM52V0YDPyoADBZICdgDwLPWqgpXabz5Z49xvKt+NLXwsC+5q3VK27Y9NS2ZWOXJJGE2uQ7XWYh08r4yA9wHXpq0LcBdhPeV3R1aVG8zVtsyV760ctqJnmfThM18lVgnVahJAQDmg6VPYMd/UV5cFbtAw=,iv:99S9Qt7BdvDCKLgEdUqcWI2M2dxzpN5koxe6W9asrpg=,tag:cEOceyMhocPKS1Wyhhoe4A==,type:str]
+    lastmodified: "2026-05-09T06:19:32Z"
+    mac: ENC[AES256_GCM,data:XZQO+US/uCCngkzTi/C+shPw5kb3jWBwWbRd2eTwduBbuCMXUCiGPhPws27qMC3mCOmpr98AHJa5CS+chbC/bWwYqxwWPG03d6lN+EHJHPNiM6HBFhCIBv8d0+mNMlgQaS83Up+diSFliJZ54tOMYDvyj0iwYr1mVXN0QXHhAF4=,iv:e0spAJI5WETIxIpS7dmBwP/6eIrYaC37S8qXUtoE0Jw=,tag:GKlCgm/BAypbbe0S3OkObA==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.12.1
@@ -0,0 +1,41 @@
+[Quadlet]
+DefaultDependencies=false
+
+[Unit]
+Description=Wiki.js
+
+After=network-online.target
+Wants=network-online.target
+
+[Container]
+Image=ghcr.io/requarks/wiki:{{ version['containers']['wikijs'] }}
+ContainerName=wikijs
+HostName=wikijs
+PublishPort={{ services['wikijs']['ports']['http'] }}:3000/tcp
+
+# Volumes
+Volume=%h/data/containers/wikijs/data:/wiki/data:rw
+Volume=%h/data/containers/wikijs/export:/wiki/export:rw
+Volume=%h/containers/wikijs/ssl:/etc/ssl/wiki:ro
+
+# General
+Environment="TZ=Asia/Seoul"
+
+# Database
+Environment="DB_TYPE=postgres"
+Environment="DB_HOST={{ services['postgresql']['domain'] }}.{{ domain['internal'] }}"
+Environment="DB_PORT={{ services['postgresql']['ports']['tcp'] }}"
+Environment="DB_USER=wikijs"
+Environment="DB_NAME=wikijs_db"
+Environment="DB_SSL=true"
+Environment="NODE_EXTRA_CA_CERTS=/etc/ssl/wiki/{{ root_cert_filename }}"
+Secret=WIKIJS_DB_PASS,type=env,target=DB_PASS
+
+[Service]
+ExecStartPre=/usr/bin/nc -zv {{ services['postgresql']['domain'] }}.{{ domain['internal'] }} {{ services['postgresql']['ports']['tcp'] }}
+Restart=always
+RestartSec=10s
+TimeoutStopSec=120
+
+[Install]
+WantedBy=default.target
@@ -430,3 +430,25 @@ identity_providers:
        access_token_signed_response_alg: 'none'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_basic'
+      # https://www.authelia.com/integration/openid-connect/clients/wikijs/
+      - client_id: 'wikijs'
+        client_name: 'Wiki'
+        client_secret: '{{ hostvars['console']['wikijs']['oidc']['hash'] }}'
+        public: false
+        authorization_policy: 'one_factor'
+        require_pkce: false
+        pkce_challenge_method: ''
+        redirect_uris:
+          # add Callback URL / Redirect URI HERE
+          - 'https://wiki.ilnmors.com/login/aa72242e-7058-4cfa-9504-19a4208062ea/callback'  # Note this must be copied during step 7 of the Application configuration.
+        scopes:
+          - 'openid'
+          - 'profile'
+          - 'email'
+        response_types:
+          - 'code'
+        grant_types:
+          - 'authorization_code'
+        access_token_signed_response_alg: 'none'
+        userinfo_signed_response_alg: 'none'
+        token_endpoint_auth_method: 'client_secret_post'
@@ -101,3 +101,9 @@
                header_up Host {http.request.header.X-Forwarded-Host}
        }
 }
+{{ services['wikijs']['domain']['internal'] }}.{{ domain['internal'] }} {
+        import private_tls
+        reverse_proxy host.containers.internal:{{ services['wikijs']['ports']['http'] }} {
+                header_up Host {http.request.header.X-Forwarded-Host}
+        }
+}
@@ -172,6 +172,15 @@
                }
        }
 }
+{{ services['wikijs']['domain']['public'] }}.{{ domain['public'] }} {
+        import crowdsec_log
+        route {
+                crowdsec
+                reverse_proxy https://{{services['wikijs']['domain']['internal'] }}.{{ domain['internal'] }} {
+                        header_up Host {http.reverse_proxy.upstream.host}
+                }
+        }
+}

 # Internal domain
 {{ node['name'] }}.{{ domain['internal'] }} {
@@ -8,4 +8,4 @@ sources:
      - /certs/*.crt
      - /certs/*.pem
      - /certs/*.cer
-    refreshInterval: 1m
+    refreshInterval: 1m
@@ -0,0 +1,106 @@
+# wiki.js
+
+## Prerequisite
+
+### Create database
+
+- Create the password with `openssl rand -base64 32`
+  - Save this value in secrets.yaml in `postgresql.password.wikijs`
+  - Access infra server to create wikijs_db with `podman exec -it postgresql psql -U postgres`
+
+```SQL
+CREATE USER wikijs WITH PASSWORD 'postgresql.password.wikijs';
+CREATE DATABASE wikijs_db;
+ALTER DATABASE wikijs_db OWNER TO wikijs;
+```
+
+### Create oidc secret and hash
+
+- Create the secret with `openssl rand -base64 32`
+- access to auth vm
+  - `podman exec -it authelia sh`
+  - `authelia crypto hash generate pbkdf2 --password 'wikijs.oidc.secret'`
+- Save this value in secrets.yaml in `wikijs.oidc.secret` and `wikijs.oidc.hash`
+- !CAUTION! Don't update authelia with ansible-playbook before configuration
+
+### Add postgresql dump backup list
+
+- [set_postgresql.yaml](../../../ansible/roles/infra/tasks/services/set_postgresql.yaml)
+
+```yaml
+- name: Set connected services list
+  ansible.builtin.set_fact:
+    connected_services:
+      - ...
+      - "wikijs"
+```
+
+## Configuration
+
+### Access
+
+- https://wiki.ilnmors.com
+    - Administrator Email: admin@wiki.ilnmors.internal
+    - Password: wikijs.il.password
+    - Site URL: https://wiki.ilnmors.com
+    - INSTALL
+
+### Group configuration
+
+- Administration: Groups: Guests: PERMISSIONS
+    - Remove all permissions
+- Administration: Groups: NEW GROUP
+    - Users
+- Administration: Groups: Users: PERMISSIONS
+    - Grant all permission in CONTENT
+
+- Administration: Groups: Users: PAGE RULES
+    - Allow / Deny: Allow
+    - Match: Path starts with
+    - Path: empty value
+    - Locale: Any / All
+    - Permissions:
+        - Grant all permission
+    - Update Group
+
+### OIDC configuration
+
+- Administration: Modules: Authentication
+    - Add Strategy: Generic OpenID Connect / OAuth2
+        - Display Name: Authelia
+        - client id: wikijs
+        - client secret: wikijs.oidc.secret
+        - Authorization Endpoint URL: https://authelia.ilnmors.com/api/oidc/authorization
+        - Token Endpoint URL: https://authelia.ilnmors.com/api/oidc/token
+        - User info Endpoint URL: https://authelia.ilnmors.com/api/oidc/userinfo
+        - Skip User Profile: untoggled
+        - Issure: https://authelia.ilnmors.com
+        - Email Claim: email
+        - Display Name Claim: displayName
+        - Picture Claim: picture
+        - Map Groups: untoggled
+        - Groups Claim: groups
+        - Registration: Allow self-registration: toggled
+        - Assign to group: Users
+    - Check: Callback URL / Redirect URI
+    - Apply
+
+- add Callback URL / Redirect URI to [authelia config](../../../config/services/containers/auth/authelia/config/authelia.yaml.j2)
+    - update authelia
+
+- logout from administrator
+
+- login: Select Authentication Provider: Authelia
+
+### Storage
+
+- Administration: Modules: Stroage
+    - Local File System
+    - Path: /wiki/export
+    - Apply
+
+### Locale
+
+- Administration: Site: Locale
+    - Download what you needs.
+    - Korean, Arabic, French ...
@@ -131,7 +131,11 @@
            - ezbookkeeping has no function to share the account and budget to the other users.
            - actual budget's YNAB way is hard to adjust
            - sure is heavy, but it is not YNAB and it allows to share account the other users
-        - WriteFreely
+        - [x] wiki.js
+            - check wiki.js to use as base wiki of documents.
+        - [ ] TriliumNext
+        - [ ] memos
+        - WriteFreely or directus + frontend(Astro)
        - MediaCMS or PeerTube
        - Funkwhale or Navidrome or Jellyfin
        - Kavita
Author	SHA1	Message	Date
il	81244d55a7	feat(wiki.js): release wiki.js deployment notes: - use this as personal/family wiki system - compare to affine / memos and triliumNext	2026-05-09 17:50:05 +09:00
il	1cfd024285	refactor(x509-exporter): update notification to restart x509-exporter when its config.yaml is changed	2026-05-09 17:42:35 +09:00
il	26115c5660	feat(redis): update redis from 8.6.1 to 8.6.3 update notes: - run 'ansible-playbook playbooks/app/site.yaml --tags "site"' so that update all redis at onece	2026-05-09 13:55:28 +09:00