feat(trilium): release trilium

deployment notes: - oidc error (users cannot access at once, it needs login twice when using oidc
refactor(authelia): update authelia.yaml.j2 to fix redirect_uris from hardcoded uris to ansible variables
2026-05-09 22:38:57 +09:00 · 2026-05-09 21:44:11 +09:00 · 2026-05-09 20:54:32 +09:00
53 changed files with 435 additions and 215 deletions
@@ -1,6 +1,6 @@
 # ilnmors homelab README

-This homelab project implements single-node On-premise IaaS system. The homelab contains virtual machines which are divided by their roles, such as private firewall, DNS, PKI, LDAP and database, SSO\(OIDC\). The standard domain is used to implement this system without specific vendors. All components are defined as code and initiated by IaC \(Ansible\) except hypervisor initial configuration.
+This homelab project implements single-node On-premise IaaS system. The homelab contains virtual machines which are divided by their roles, such as private firewall, DNS, PKI, LDAP and database, SSO(OIDC). The standard domain is used to implement this system without specific vendors. All components are defined as code and initiated by IaC (Ansible) except hypervisor initial configuration.

 ## RTO times
 - Feb/25/2026 - Reprovisioning Hypervisor and vms
@@ -15,12 +15,12 @@ This homelab project implements single-node On-premise IaaS system. The homelab
 - Mar/5/2026 - Reprovisioning Hardware and Hypervisor and vms
    - RTO: 2 hour 20 min
        - console: 15min - verified
-        - certificate: 0 min \(When it needs to be created, RTO will be 20 min) - not verified
-        - wireguard: 0 min \(When it needs to be created, RTO will be 1 min) - not verified
-        - hypervisor\(+fw\): 45 min - verified
+        - certificate: 0 min (When it needs to be created, RTO will be 20 min) - not verified
+        - wireguard: 0 min (When it needs to be created, RTO will be 1 min) - not verified
+        - hypervisor(+fw): 45 min - verified
        - switch: 1 min - verified
        - dsm: 30 min - verified
-        - kopia: 0 min \(When it needs to be created, RTO will be 10 min) - verified
+        - kopia: 0 min (When it needs to be created, RTO will be 10 min) - verified
        - Extra vms: 30 min - verified
        - Etc: 30 min

@@ -185,6 +185,13 @@ services:
    ports:
      http: "3002"
    subuid: "100999"
+  trilium:
+    domain:
+      public: "notes"
+      internal: "notes.app"
+    ports:
+      http: "8004"
+    subuid: "100999"

 version:
  packages:
@@ -226,3 +233,4 @@ version:
    ezbookkeeping: "1.4.0"
    sure: "0.7.0-hotfix.2"
    wikijs: "2.5.314"
+    trilium: "v0.102.2"
@@ -265,6 +265,14 @@
          tags: ["site", "wikijs"]
      tags: ["site", "wikijs"]

+    - name: Set trilium
+      ansible.builtin.include_role:
+        name: "app"
+        tasks_from: "services/set_trilium"
+        apply:
+          tags: ["site", "trilium"]
+      tags: ["site", "trilium"]
+
    - name: Flush handlers right now
      ansible.builtin.meta: "flush_handlers"

@@ -158,3 +158,14 @@
  changed_when: false
  listen: "notification_restart_wikijs"
  ignore_errors: true # noqa: ignore-errors
+
+- name: Restart trilium
+  ansible.builtin.systemd:
+    name: "trilium.service"
+    state: "restarted"
+    enabled: true
+    scope: "user"
+    daemon_reload: true
+  changed_when: false
+  listen: "notification_restart_trilium"
+  ignore_errors: true # noqa: ignore-errors
@@ -0,0 +1,38 @@
+---
+- name: Create trilium directory
+  ansible.builtin.file:
+    path: "{{ node['home_path'] }}/{{ item }}"
+    state: "directory"
+    owner: "{{ services['trilium']['subuid'] }}"
+    group: "svadmins"
+    mode: "0770"
+  loop:
+    - "data/containers/trilium"
+    - "data/containers/trilium/data"
+  become: true
+
+- name: Register secret value to podman secret
+  containers.podman.podman_secret:
+    name: "TRILIUM_OAUTH_CLIENT_SECRET"
+    data: "{{ hostvars['console']['trilium']['oidc']['secret'] }}"
+    state: "present"
+    force: true
+  notify: "notification_restart_trilium"
+  no_log: true
+
+- name: Deploy trilium.container file
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/trilium/trilium.container.j2"
+    dest: "{{ node['home_path'] }}/.config/containers/systemd/trilium.container"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0644"
+  notify: "notification_restart_trilium"
+
+- name: Enable trilium.service
+  ansible.builtin.systemd:
+    name: "trilium.service"
+    state: "started"
+    enabled: true
+    daemon_reload: true
+    scope: "user"
@@ -295,6 +295,14 @@ wikijs:
 #ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
 #
 #
+#ENC[AES256_GCM,data:rf52AKZDCNq9PVnAMnDXzw==,iv:+rT8sgcAz0LoeUcPgIrpSw/JWvk5agunnTkaWac16kU=,tag:SCyTu1rUNnmS2EFMeIvlCw==,type:comment]
+trilium:
+    oidc:
+        secret: ENC[AES256_GCM,data:EfKdxk/OBgQyGVwOnxMFS/HhucL5qicaB7HfWu4yNvmrqxU+ubkT62zJewQ=,iv:Ye4gNbyOuEaujGfxXYKg4GWDOP+cnTNL230t8B98WUY=,tag:B1YoabR7y8OVUKYj/aiSPA==,type:str]
+        hash: ENC[AES256_GCM,data:QyU+leT28FY3nW+tIbnap2n52xw1bcb77ziFf6cW9gdwwhL6rJCEaTGQritpVsCH5C9ytxlV0Acn7dJbnYSHFtZ2jbuvYMSQR4ewtY+tFX1MdD9+FmtH8umb7PHbG6upXgrXRNRIglJ4U1BEfg0xkdzEPbJq+r13A1+cKESrewayae4=,iv:CUE6YjDzgoc017e8+dT1S956PwmOlb7h6dhnOpCr3iw=,tag:XGgpzuVZXJ8Axb4ib8anVQ==,type:str]
+#ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
+#
+#
 #ENC[AES256_GCM,data:T4Wtn49AAxPd2QUFTR+q,iv:bH5goGWBDqumAat9dUv2OwfCUJUpuVqncTMqMBZUXhI=,tag:G+W6hHA+yftQ+4RJpXrxHg==,type:comment]
 switch:
    password: ENC[AES256_GCM,data:qu0f9L7A0eFq/UCpaRs=,iv:W8LLOp3MSfd/+EfNEZNf91K8GgI5eUfVPoWTRES2C0Y=,tag:Q5FlAOfwqwJwPvd7k6i+0g==,type:str]
@@ -324,7 +332,7 @@ sops:
            UmliaFNxVTBqRkI1QWJpWGpTRWxETW8KEY/8AfU73UOzCGhny1cNnd5dCNv7bHXt
            k+uyWPPi+enFkVaceSwMFrA66uaWWrwAj11sXEB7yzvGFPrnAGezjQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-05-09T06:19:32Z"
-    mac: ENC[AES256_GCM,data:XZQO+US/uCCngkzTi/C+shPw5kb3jWBwWbRd2eTwduBbuCMXUCiGPhPws27qMC3mCOmpr98AHJa5CS+chbC/bWwYqxwWPG03d6lN+EHJHPNiM6HBFhCIBv8d0+mNMlgQaS83Up+diSFliJZ54tOMYDvyj0iwYr1mVXN0QXHhAF4=,iv:e0spAJI5WETIxIpS7dmBwP/6eIrYaC37S8qXUtoE0Jw=,tag:GKlCgm/BAypbbe0S3OkObA==,type:str]
+    lastmodified: "2026-05-09T12:29:30Z"
+    mac: ENC[AES256_GCM,data:ql3rWwdwJRn2nH0SLnjTaJK4NVemxG8T814VEDaHv38bc7A3aaMGuZ92mHY4z+5oNA+DpR/UjkGJ/NrckbURxY63BEcyVCsS4Rb95HTKjDOjf2g5rrohdgI3ZUE1jvlyf3tAh2ZYh1J8QddLKyLju/J43KcB+XRQKhJv4kubAQ0=,iv:4inRbBMuhB7Hzi8fGpqyC3juUqteZGLXX0GtnHusF7Y=,tag:ZxJ6iv8NxJr4rvCInml8dg==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.12.1
@@ -0,0 +1,46 @@
+[Quadlet]
+DefaultDependencies=false
+
+[Unit]
+Description=trilium
+
+After=network-online.target
+Wants=network-online.target
+
+[Container]
+Image=docker.io/triliumnext/trilium:{{ version['containers']['trilium'] }}
+
+ContainerName=trilium
+HostName=trilium
+
+PublishPort={{ services['trilium']['ports']['http'] }}:8080/tcp
+
+Volume=%h/data/containers/trilium/data:/home/node/trilium-data:rw
+
+# General
+Environment="TZ=Asia/Seoul"
+Environment="TRILIUM_DATA_DIR=/home/node/trilium-data"
+Environment="TRILIUM_NO_UPLOAD_LIMIT=true"
+
+# OIDC
+## Short Alias doesn't work now.
+#Environment="TRILIUM_OAUTH_BASE_URL=https://{{ services['trilium']['domain']['public'] }}.{{ domain['public'] }}"
+#Environment="TRILIUM_OAUTH_CLIENT_ID=trilium"
+#Environment="TRILIUM_OAUTH_ISSUER_BASE_URL=https://{{ services['authelia']['domain'] }}.{{ domain['public'] }}"
+#Environment="TRILIUM_OAUTH_ISSUER_NAME=Authelia"
+#Environment="TRILIUM_OAUTH_ISSUER_ICON=https://www.authelia.com/images/branding/logo-cropped.png"
+#Secret="TRILIUM_OAUTH_CLIENT_SECRET",type=env
+Environment="TRILIUM_MULTIFACTORAUTHENTICATION_OAUTHBASEURL=https://{{ services['trilium']['domain']['public'] }}.{{ domain['public'] }}"
+Environment="TRILIUM_MULTIFACTORAUTHENTICATION_OAUTHCLIENTID=trilium"
+Environment="TRILIUM_MULTIFACTORAUTHENTICATION_OAUTHISSUERBASEURL=https://{{ services['authelia']['domain'] }}.{{ domain['public'] }}"
+Environment="TRILIUM_MULTIFACTORAUTHENTICATION_OAUTHISSUERNAME=Authelia"
+Environment="TRILIUM_MULTIFACTORAUTHENTICATION_OAUTHISSUERICON=https://www.authelia.com/images/branding/logo-cropped.png"
+Secret="TRILIUM_OAUTH_CLIENT_SECRET",type=env,target=TRILIUM_MULTIFACTORAUTHENTICATION_OAUTHCLIENTSECRET
+
+[Service]
+Restart=always
+RestartSec=10s
+TimeoutStopSec=120
+
+[Install]
+WantedBy=default.target
@@ -93,6 +93,14 @@ notifier:
 identity_providers:
  oidc:
    hmac_secret: '' # $AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE
+    claims_policies:
+      # trilium expects name/email value in id token, but authelia doesn't send it basically
+      trilium:
+        id_token:
+          - email
+          - email_verified
+          - preferred_username
+          - name
    # For the app which doesn't use secret.
    cors:
      endpoints:
@@ -396,7 +404,7 @@ identity_providers:
        require_pkce: true
        pkce_challenge_method: 'S256'
        redirect_uris:
-          - 'https://budget.ilnmors.com/oauth2/callback'
+          - 'https://{{ services['ezbookkeeping']['domain']['public'] }}.{{ domain['public'] }}/oauth2/callback'
        scopes:
          - 'openid'
          - 'profile'
@@ -417,7 +425,7 @@ identity_providers:
        require_pkce: true
        pkce_challenge_method: 'S256'
        redirect_uris:
-          - 'https://sure.ilnmors.com/auth/openid_connect/callback'
+          - 'https://{{ services['sure']['domain']['public'] }}.{{ domain['public'] }}/auth/openid_connect/callback'
        scopes:
          - 'openid'
          - 'email'
@@ -440,7 +448,7 @@ identity_providers:
        pkce_challenge_method: ''
        redirect_uris:
          # add Callback URL / Redirect URI HERE
-          - 'https://wiki.ilnmors.com/login/aa72242e-7058-4cfa-9504-19a4208062ea/callback'  # Note this must be copied during step 7 of the Application configuration.
+          - 'https://{{ services['wikijs']['domain']['public'] }}.{{ domain['public'] }}/login/aa72242e-7058-4cfa-9504-19a4208062ea/callback'  # Note this must be copied during step 7 of the Application configuration.
        scopes:
          - 'openid'
          - 'profile'
@@ -452,3 +460,27 @@ identity_providers:
        access_token_signed_response_alg: 'none'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_post'
+      # https://www.authelia.com/integration/openid-connect/clients/trillium/
+      # The name is trilium, not trillium
+      - client_id: 'trilium'
+        client_name: 'Trilium Notes'
+        client_secret: '{{ hostvars['console']['trilium']['oidc']['hash'] }}'
+        public: false
+        authorization_policy: 'one_factor'
+        # claims policy above
+        claims_policy: 'trilium'
+        require_pkce: false
+        pkce_challenge_method: ''
+        redirect_uris:
+          - 'https://{{ services['trilium']['domain']['public'] }}.{{ domain['public'] }}/callback'
+        scopes:
+          - 'openid'
+          - 'profile'
+          - 'email'
+        response_types:
+          - 'code'
+        grant_types:
+          - 'authorization_code'
+        access_token_signed_response_alg: 'none'
+        userinfo_signed_response_alg: 'none'
+        token_endpoint_auth_method: 'client_secret_basic'
@@ -107,3 +107,9 @@
                header_up Host {http.request.header.X-Forwarded-Host}
        }
 }
+{{ services['trilium']['domain']['internal'] }}.{{ domain['internal'] }} {
+        import private_tls
+        reverse_proxy host.containers.internal:{{ services['trilium']['ports']['http'] }} {
+                header_up Host {http.request.header.X-Forwarded-Host}
+        }
+}
@@ -181,6 +181,15 @@
                }
        }
 }
+{{ services['trilium']['domain']['public'] }}.{{ domain['public'] }} {
+        import crowdsec_log
+        route {
+                crowdsec
+                reverse_proxy https://{{services['trilium']['domain']['internal'] }}.{{ domain['internal'] }} {
+                        header_up Host {http.reverse_proxy.upstream.host}
+                }
+        }
+}

 # Internal domain
 {{ node['name'] }}.{{ domain['internal'] }} {
@@ -14,22 +14,22 @@
 ## Context

 - Maintaining multi nodes requires a huge amount of resources, including hardware, electricity, even administrative efforts
- All units which responsible for a single role should follow the Principle of Least Privilege \(PoLP\).
+- All units which responsible for a single role should follow the Principle of Least Privilege (PoLP).
 - All units should be interchangeable on standard to avoid vendor lock-in.

 ## Consideration

 ### Hypervisor

- Proxmox Virutal Environment \(PVE\)
+- Proxmox Virutal Environment (PVE)
    - Based on Debian.
    - PVE uses `qm` command which is not a standard to implement the virtual environment.
 - VMware ESXi
-    - Based on UNIX, deveoped by VMware \(Licence is not free\)
+    - Based on UNIX, deveoped by VMware (Licence is not free)
 - Hyper-V
-    - Based on Microsoft Windows \(Licence is not free\)
+    - Based on Microsoft Windows (Licence is not free)
 - Debian Stable
-    - Based on standard linux \(conservative\)
+    - Based on standard linux (conservative)
    - Standard virtualization technology 'Libvirt, QEMU, KVM'

 ### Container
@@ -37,7 +37,7 @@
 - Docker
    - Daemon is used to run containers
    - Root authority required
-    - Socket and network problem is complex \(Docker bridge\)
+    - Socket and network problem is complex (Docker bridge)
    - docker-compose is an orchestration tool
 - Rootless Podman
    - Daemonless design
@@ -58,7 +58,7 @@

 ## Decisions

- Use Libvirt/KVM/QEMU on pure linux \(Debian stable\).
+- Use Libvirt/KVM/QEMU on pure linux (Debian stable).
 - Separate all services by VM, and podman rootless containers without K3S.
    - Orchestration stack is not needed in single node system
    - Services will be defined by Quadelt to integrate into systemd and to manage them declaratively
@@ -23,15 +23,15 @@

 - OPNSense/pfSense
    - vendor lock-in
-    - GUI environment \(WebGUI\) can contain vulnerability
+    - GUI environment (WebGUI) can contain vulnerability
    - It is hard to manage configurations by IaC
 - iptables
    - Previous standard of Linux
-    - IPv4 and IPv6 configuration is separated \(no inet\)
+    - IPv4 and IPv6 configuration is separated (no inet)
 - nftables
    - New standard of Linux
    - English grammar friendly
-    - IPv4 and IPv6 configuration can be set on the same table \(inet\)
+    - IPv4 and IPv6 configuration can be set on the same table (inet)

 ### Flat network structure
 - LAN only
@@ -48,8 +48,8 @@
    - VLAN 20: user (DHCP allocated devices)
    - wg0: VPN connections
 - Manage the rules based on roles fundamentally, furthermore manage them based on ip and ports when it is needed
- All L3 communication which needs to pass gateway should be on control of firewall \(fw\)
- All nodes including firewall uses nftables \(modern standard\) to manage the packets based on zone concept
+- All L3 communication which needs to pass gateway should be on control of firewall (fw)
+- All nodes including firewall uses nftables (modern standard) to manage the packets based on zone concept
 - IPv6 has two track strategy
    - Client and server, wg nodes has static ULA IP, and use NAT66 for permanency
    - User nodes has GUA SLAAC IP from ISP for compatibility
@@ -24,7 +24,7 @@
 ### Automate protocol

 - JWK/JWT provisioner
-    - It is hard to manage pre-shared secret values than ACME \(Especially nsupdate\)
+    - It is hard to manage pre-shared secret values than ACME (Especially nsupdate)
 - authorized_keys
    - When the nodes are increased, it is hard to manage authorized_key.
    - SSH ca.pub allow all the certificates signed by ca key, so it is not needed to manage authroized_keys from each hosts.
@@ -39,19 +39,19 @@
 ## Decisions

 - Operate private CA
-    - Root CA \(Store on coldstorage\) - 10 years
-    - Intermediate CA \(Online server as Step-CA\) - 5 years
+    - Root CA (Store on coldstorage) - 10 years
+    - Intermediate CA (Online server as Step-CA) - 5 years
    - SSH CA - No period
 - Manage certificates with two track
-    - ACME with nsupdate \(using private DNS\) for web services via Caddy - 90 days
+    - ACME with nsupdate (using private DNS) for web services via Caddy - 90 days
    - Manual issuing and managing leaf certificate for infra services for independency - 2.5 years
    - All manual issuing leaf certificate expiry date is observed by x509-exporter on infra vm
 - Manage SSH certificates
-    - *-cert.pub for host \(with -h options\)
-    - *-cert.pub for client \(without -h options\)
+    - *-cert.pub for host (with -h options)
+    - *-cert.pub for client (without -h options)

 ## Consequences

 - Private PKI is operated
 - Private SSH CA is operated
- All external/internal communication is encrypted as TLS re-encryption. \(E2EE\)
+- All external/internal communication is encrypted as TLS re-encryption. (E2EE)
@@ -12,9 +12,9 @@

 ## Context

- Private authoritative DNS is required to use private reserved root domain \(.internal\)
+- Private authoritative DNS is required to use private reserved root domain (.internal)
 - Split horizon DNS needs DNS resolver, because authoritative DNS must not send queries to other DNS.
- Automatical issuing certificates needs private authoritative DNS which supports nsupdate \(RFC 2136\)
+- Automatical issuing certificates needs private authoritative DNS which supports nsupdate (RFC 2136)

 ## Consideration

@@ -22,13 +22,13 @@
 - AdGuard Home
    - More powerful query routing than blocky
    - Web UI dependency
-    - Extra function which is not useful \(DHCP, etc ..\)
+    - Extra function which is not useful (DHCP, etc ..)
 - Unbound DNS
    - Cache and forward zone management is powerful
    - more complex than blocky
    - cache function is not that needed in this environment
        - Internal authoritative DNS only takes charge of internal communication
-        - All security function is delegated to public DNS like cloudflare \(DNSSEC, etc\) 
+        - All security function is delegated to public DNS like cloudflare (DNSSEC, etc) 

 ## Decisions

@@ -29,8 +29,8 @@
    - Regex based log parsing is less structured than CrowdSec's parser/scenario model

 - Crowdsec
-    - Community based rules and sinario \(CAPI\)
-    - Prevention based on local machines and parsers \(LAPI\)
+    - Community based rules and sinario (CAPI)
+    - Prevention based on local machines and parsers (LAPI)
    - Bouncers can use nftables to prevent threats
    - Parser can detect even L7 attack under TLS

@@ -43,7 +43,7 @@
 - Operate Crowdsec as IPS
    - CrowdSec uses two API server, CAPI, LAPI.
        - CAPI updates malicious IPs based on community decisions
-        - LAPI decides malicious attack based on log from its parser and scenario \(Suricata, caddy, etc\)
+        - LAPI decides malicious attack based on log from its parser and scenario (Suricata, caddy, etc)
        - When CAPI, and LAPI decides block some IP based on log parsed by parser and scenarios, bouncer block the malicious accesses.
    - Crowdsec register blacklist on nftables or iptables.

@@ -20,7 +20,7 @@

 - HashiCorp Vault or Infisical
    - Very powerful, but introduces significant compute/memory overhead.
-    - Creates a "Secret Zero" problem for a single-node homelab environment because of dependency \(DB, or etc\).
+    - Creates a "Secret Zero" problem for a single-node homelab environment because of dependency (DB, or etc).
    - It is hard to operate hardware separated key servers.

 ### Systemd-credential
@@ -37,10 +37,10 @@
 ## Decisions

 - All secret data which has yaml format is encrypted by sops with age-key in `secret.yaml`.
- age-key is encrypted by gpg and ansible vault with master key \(including upper, lower case, number, special letters) above 40 characters.
+- age-key is encrypted by gpg and ansible vault with master key (including upper, lower case, number, special letters) above 40 characters.
    - All secret data always decrypt by `edit_secret.sh` script or ansible tasks from secrets.yaml using age-key encrypted by ansible-vault.
    - decrypted secret data is always processed on ramfs, they are never saved on disk.
- Master key is never saved on disk, but only cold storage \(USB, M-DISC, operators' memory\)
+- Master key is never saved on disk, but only cold storage (USB, M-DISC, operators' memory)
 - The secret data will be saved on each servers specific directory or podman secret.
    - OS:
        - path: /etc/secrets
@@ -17,7 +17,7 @@

 ## Context

- All configuration file is managed by git \(IaC\)
+- All configuration file is managed by git (IaC)
 - All data file should be backed up by kopia
 - All backup should follow 3-2-1 backup cycle

@@ -45,14 +45,14 @@
 - All configuration files are managed by Git
    - Configuration files are based on text
    - It is necessary to version, history management.
-    - Local git -> private Gitea -> github private project \(mirrored\) 
+    - Local git -> private Gitea -> github private project (mirrored) 
    - This fulfills 3-2-1 backup rules
 - Data files are managed by Kopia and DSM
    - Local storage - kopia -> DSM's Kopia repository server - CloudSync -> Cloud server such as OneDrive or Google Drive
    - This fulfills 3-2-1 backup rules
 - Data files which needs backup
    - DB data files: dump
-        - DB data files are located on infra:/home/infra/containers/postgresql/backups/\{cluster,$service\}/
+        - DB data files are located on infra:/home/infra/containers/postgresql/backups/{cluster,$service}/
    - App data files: Photos, Media, etc ..
        - App data files are located on app:/home/app/data/
    - Backed up files: kopia
@@ -60,7 +60,7 @@
 - Kopia over DSM configuration is managed by runbook with equivalent CLI commands due to vendor limitation
 - Restore will be processed manually
    - DB data files
-        - From kopia server to console:$HOMELAB_PATH/data/volume/infra/postgresql/\{cluster,data\}
+        - From kopia server to console:$HOMELAB_PATH/data/volume/infra/postgresql/{cluster,data}
    - APP data files
        - From kopia server to APP vm after initiating before deploy services
 - Automatic backup does not guarantee integrity of data system, so before reset the system conduct manual backup after making sure all services are shutdown.
@@ -74,4 +74,4 @@

 ## Consequences

- All files including configuration and data back ups will fulfill 3-2-1 \(3 Copies, 2 different media, 1 offsite\) back up rules
+- All files including configuration and data back ups will fulfill 3-2-1 (3 Copies, 2 different media, 1 offsite) back up rules
@@ -11,7 +11,7 @@

 ## Context

- App VM needs GPU for heavy workloads like Immich \(hardware transcoding and machine learning\)
+- App VM needs GPU for heavy workloads like Immich (hardware transcoding and machine learning)
 - App VM needs huge data storage for its own services 

 ## Considerations
@@ -18,7 +18,7 @@
 ### Hypervisor

 - As a pure hypervisor, it should only operate virtualization for VM.
- Hypervisor just provides resources and dummy hub \(br\)
+- Hypervisor just provides resources and dummy hub (br)

 ### VM

@@ -30,7 +30,7 @@

 ### Services

- Services should be distinguished based on their needs \(Privilege\)
+- Services should be distinguished based on their needs (Privilege)
    - Network stack, backup stack needs special privilege for low level ACL or networks.
    - application stack doesn't need low level privilege usually

@@ -27,7 +27,7 @@
    - Removing
    - Formatting
    - Destroying
-    - Certificates and CA \([ADR-003](./003-pki.md)\)
+    - Certificates and CA ([ADR-003](./003-pki.md))
    - Etc. what operator decides that is sensitive

 ## Consequences
@@ -19,7 +19,7 @@
 ### Apply mTLS

 - implementing mTLS needs both client certificate and server certificate
- Managing a number of certificates makes a huge operational burden \(expiry date, revocation, etc ..\)
+- Managing a number of certificates makes a huge operational burden (expiry date, revocation, etc ..)

 ## Decisions

@@ -30,4 +30,4 @@

 - The policy is set simple
 - The overhead is increased little
- Exclude the exceptions on operation \(For the administrator\)
+- Exclude the exceptions on operation (For the administrator)
@@ -22,7 +22,11 @@ When the migration is decided, the manual backup after shutting all services dow
 Only when kopia repository exists.

 ```bash
-kopia repository connect --override-username="console" --override-hostname="console.ilnmors.internal"
+kopia repository connect server \
+--url=https://nas.ilnmors.internal:51515 \
+--override-username=console \
+--override-hostname=console.ilnmors.internal
+# Enter the password

 kopia snapshot list --all

@@ -38,7 +42,7 @@ cp ~/workspace/homelab/volumes/infra/cluster/cluster.sql ~/workspace/homelab/con

 ### Provisioning

-Ansible playbooks should be declarative. This won't contain complex branch logics \(Declarative over imperative\). Playbooks describes what should be there, not how to. The basic rule is manual destroy and auto reprovisioning.
+Ansible playbooks should be declarative. This won't contain complex branch logics (Declarative over imperative). Playbooks describes what should be there, not how to. The basic rule is manual destroy and auto reprovisioning.

 #### vmm and fw

@@ -63,6 +63,10 @@ Set-Service DiagTrack -StartupType Disable
 Stop-Service dmwappushservice
 Set-Service dmwappushservice -StartupType Disable

+## Disable - WorkloadsSessionHost which is the service for AI function
+Stop-Service -Name "WSAIFabricSvc" -Force -ErrorAction SilentlyContinue; Set-Service -Name "WSAIFabricSvc" -StartupType Disabled
+Stop-Process -Name "WorkloadsSessionHost" -Force -ErrorAction SilentlyContinue
+
 ## Compact OS configuration
 compact /compactos:always
 ```
@@ -102,10 +106,10 @@ sign in on app only

 - WindowsDefender Firewall:Inbound Rules:
    - File and Printer Sharing (Echo Request - ICMPv4-In) - Profile: Private, Public
-        - General: \[x\] Enable
+        - General: `[x]` Enable
        - Scope: 192.168.1.0/24, 192.168.10.0/24, 192.168.99.0/24
    - File and Printer Sharing (Echo Request - ICMPv6-In) - Profile: Private, Public
-        - General: \[x\] Enable
+        - General: `[x]` Enable
        - Scope: fd00::/8
    - Apply

@@ -119,7 +123,8 @@ sign in on app only

 ### Create wsl config

- C:\Users\$USERNAME\.wslconfig
+- `C:\Users\$USERNAME\.wslconfig`
+
 ```ini
 [wsl2]
 processors=4
@@ -201,13 +206,13 @@ mkdir ~/workspace

 #### VS Code configuration

- WSL extension\(`Ctrl + shift + x`\)
+- WSL extension(`Ctrl + shift + x`)
    - Install `WSL` by Microsoft
        - Remote Explorer:Debian:Connect in Current Windows
 - `Ctrl + k` and `Ctrl + o`
    - Open folder: `/home/console/workspace`
 - `` Ctrl + shift + ` `` for Terminal
- Extensions\(`Ctrl + shift + x`\)
+- Extensions(`Ctrl + shift + x`)
    - Install `Ansible` by RedHat

 ### Playbooks
@@ -244,9 +249,9 @@ ansible-playbook playbooks/console/site.yaml --tags "init"
    - encrypted by gpg and ansible vault with master key
 - Master key
    - The key which has above 40 characters containing upper and lower letters, numbers, and special letters
-    - managed by physical media \(Mind, MDisc, paper\) as file, string, and QR
+    - managed by physical media (Mind, MDisc, paper) as file, string, and QR
    - This value is never saved in server or console.
- Root CA \(including ssh CA\) must not be deployed.
+- Root CA (including ssh CA) must not be deployed.
     - The tasks with root CA must be performed manually. The source of Trust is the most important in security.
 - Intermediate CA can be deployed.
    - Intermediate CA is operated as a live server. 
@@ -12,7 +12,7 @@ openssl rand -base64 32 > /run/user/$UID/root_ca_password
 openssl rand -base64 32 > /run/user/$UID/intermediate_ca_password
 # Save the values in `secrets.yaml`

-# Create CAs \(Key and cert)
+# Create CAs (Key and cert)
 # Root CA
 step certificate create \
 "ilnmors.internal Root CA" /run/user/$UID/root_ca.crt /run/user/$UID/root_ca.key \
@@ -1,4 +1,4 @@
-# Hypervisor \(vmm\)
+# Hypervisor (vmm)

 Initiating hypervisor doesn't use ansible. Hypervisor is working on hardware itself, so there is a lot of possible variables like IOMMU id, MAC addresses, etc.

@@ -19,29 +19,29 @@ Hypervisor is initiated manually with the configuration files which are stored i
    - Hostname: vmm
    - Domain: ilnmors.internal
 - User:
-    - Root Password: \[blank\]
+    - Root Password: `[blank]`
    - Full name for the new user: vmm
    - User Name: bootstrap
    - User Password: debian
 - Partition setting: manual
-    - 512MiB - EFI system partition \(Booting flag: on\) 
-    - 1GiB - Ext4 Journaling \(Mount: /boot)
+    - 512MiB - EFI system partition (Booting flag: on) 
+    - 1GiB - Ext4 Journaling (Mount: /boot)
    - 800 GiB -LVM
-        - 64GiB: vmm-root - Ext4 Journaling \(Mount: /\)
-        - 700GiB: vmm-libvirt - Ext4 \(Mount: /var/lib/libvirt\)
+        - 64GiB: vmm-root - Ext4 Journaling (Mount: /)
+        - 700GiB: vmm-libvirt - Ext4 (Mount: /var/lib/libvirt)
 - Debian package manager setting
    - Scan extra installation media: no
    - Mirror country: South Korea
    - Archive mirror: deb.debian.org
-    - Proxy: \[blank\]
+    - Proxy: `[blank]`
    - Popularity-contest: no
 - Installing packages setting
-    - \[\*\] SSH server
-    - \[\*\] Standard system utilities
+    - `[*]` SSH server
+    - `[*]` Standard system utilities

 ### Initial configuration

-Hypervisor operates pure L2 switch for fw and it never can access WAN without fw after initial configuration. This means, there is an air-gap which means hypervisor cannot access to WAN for a while \(from end of initial setting to the beginning of fw setting\).
+Hypervisor operates pure L2 switch for fw and it never can access WAN without fw after initial configuration. This means, there is an air-gap which means hypervisor cannot access to WAN for a while (from end of initial setting to the beginning of fw setting).

 Hypervisor operates on hardware. Hardware information is always uncertain, and it is set only once. Managing this process as IaC is over engineering.

@@ -6,19 +6,19 @@ All hardware configuration is set after fw vm. The MAC address of hardware is re

 ### Access VLAN switch

- http://switch.ilnmors.internal \(192.168.1.2, KEA-DHCP, Only IPv4 support\)
+- http://switch.ilnmors.internal (192.168.1.2, KEA-DHCP, Only IPv4 support)
    - before set ipv6, use ip4 address instead of FQDN
    - id: admin, password: admin
    - new password: switch.password

 ### Set VLAN
 - VLAN:802.1Q VLAN
-    - \[x\] Enable - Apply
+    - `[x]` Enable - Apply
    - VLAN client
        - id 1
        - name default > client
-        - member \(Untagged\)
-            - Port 1 \(Trunk, untagged\): Linux bridge is already process untagged packet as id 1
+        - member (Untagged)
+            - Port 1 (Trunk, untagged): Linux bridge is already process untagged packet as id 1
            - Port 3
            - Port 4
            - Port 5
@@ -29,13 +29,13 @@ All hardware configuration is set after fw vm. The MAC address of hardware is re
        - id 10
        - name server
        - member
-            - Port 1 \(Trunk, tagged\)
+            - Port 1 (Trunk, tagged)
    - VLAN user
        - id 20
        - name user
        - member
-            - Port 1 \(Trunk, tagged\)
-            - Port 2 \(Not a member of client vlan, untagged\)
+            - Port 1 (Trunk, tagged)
+            - Port 2 (Not a member of client vlan, untagged)

 - VLAN:802.1Q VLAN PVID setting
    - Port 2
@@ -48,9 +48,9 @@ All hardware configuration is set after fw vm. The MAC address of hardware is re
 - Check internet connection


-## DSM \(DS124\)
+## DSM (DS124)

- https://finds.synology.com/# \(192.168.1.11, KEA-DHCP\)
+- https://finds.synology.com/# (192.168.1.11, KEA-DHCP)
    - Install DSM

 ### Initial configuration
@@ -83,7 +83,7 @@ Kea in fw already reserved DSM's IP. However it is necessary to set IP address s
        - Certificate
        - Intermediate certificate
    - Edit: For: Set as default certificate
-    - Setting \(!CAUTION!\)
+    - Setting (!CAUTION!)
        - Even though you set the certificate as default, you have to set certificate for each services.
        - configure: service: certificate: nas.ilnmors.internal

@@ -92,20 +92,20 @@ Kea in fw already reserved DSM's IP. However it is necessary to set IP address s
 - **!CAUTION!** It can be set after authelia is implemented
 - Following [here](../../config/services/containers/auth/authelia/config/authelia.yaml.j2) for Authelia configuration
 - Control Panel:Domain/LDAP:SSO Client
-    - Login Settings: \[x\] Select SSO by default on the login page
+    - Login Settings: `[x]` Select SSO by default on the login page
    - Services
-        - \[x\] Enable OpenID Connect SSO service
+        - `[x]` Enable OpenID Connect SSO service
        - OpenID Connect SSO Settings
            - Profile: OIDC
            - Account type: Domain/LDAP/local
            - Name: Authelia
            - Well-Known URL: https://authelia.ilnmors.com/.well-known/openid-configuration
-            - Application ID: dsm \(what you designated\)
+            - Application ID: dsm (what you designated)
            - Application Secret: secret value
            - Redirect URI: https://nas.ilnmors.internal:5001
            - Authorization scope: openid profile groups email
            - Username claim: preferred_username
- Match the user name \(ID\) in DSM and lldap id.
+- Match the user name (ID) in DSM and lldap id.

 ### Kopia in DSM

@@ -123,15 +123,15 @@ Kea in fw already reserved DSM's IP. However it is necessary to set IP address s

 - Add certificate - DSM reverse proxy cannot deal with gRPC
    - /docker/kopia/config/ssl/nas.key
-    - /docker/kopia/config/ssl/nas.crt \(including intermediate crt\)
+    - /docker/kopia/config/ssl/nas.crt (including intermediate crt)

 - container manager:images:import
    - kopia/kopia
-    - tags: \{\{ version['packages']['kopia'] \}\}
+    - tags: {{ version['packages']['kopia'] }}
 - run
    - image: kopia/kopia
    - containername: kopia-server
-    - \[x\] Enable auto restart
+    - `[x]` Enable auto restart
    - port: 51515:51515
    - volume: /docker/kopia/config:/app/config:rw
    - volume: /docker/kopia/cache:/app/cache:rw
@@ -159,7 +159,7 @@ Repository directory - encrypted by server KOPIA_PASSWORD as master key of repos

 Server manage ACL with user password, user's KOPIA_PASSWORD. When server verify user with their password, server works with its repository password.

-Repository - \(Repository key; master key\) -  Server - \(User key; access key\) - Client
+Repository - (Repository key; master key) -  Server - (User key; access key) - Client

 - Client knows its access password as KOPIA_PASSWORD to access server. It doesn't know master key, server's KOPIA_PASSWORD. server will control repository by its KOPIA_PASSWORD. their name is the same but it is different.

@@ -8,11 +8,11 @@

 # *! CAUTION !*
 # THIS PROCESS CONTAINING SECRET VALUES.
-# WHEN YOU TYPE THE COMMAND ON SHELL, YOU MUST USE [BLANK] BEFORE COMMAND
+# WHEN YOU TYPE THE COMMAND ON SHELL, YOU MUST USE [blank] BEFORE COMMAND
 # e.g.
 # shell@shell$ command (X)
-# shell@shell$ [BLANK]command (O)
-# BLANK prevent the command to save on .bash_history
+# shell@shell$ [blank]command (O)
+# [blank] prevent the command to save on .bash_history
 # After finish this process, use `history -c` and `clear` for just in case.


@@ -70,6 +70,13 @@ git stash pop # get temporary save
 # After git switch
 git switch service
 git rebase --ignore-date main # set date as current time on main branch
+
+# Example
+
+git show HEAD
+git show HEAD~$NUM
+git diff HEAD~$NUM HEAD
+git diff $PREVIOUS_HASH $CURRENT_HASH
 ```

 ## Add Service with git
@@ -90,6 +97,10 @@ git merge caddy-app
 - Set this after gitea is implemented

 ```bash
+# Copy git from remote
+git clone --mirror https://gitea.ilnmors.com/il/ilnmors-homelab.git
+# If the tag doesn't come then
+git fetch --tags
 # Add git remote repository
 git config --global credential.helper store
 git remote add origin https://gitea.ilnmors.com/il/ilnmors-homelab.git
@@ -54,8 +54,8 @@ CREATE EXTENSION IF NOT EXISTS vector;
 ### About community edition limitation

 - Workspace seats
-  - The number of members itself \(account\) are unlimited.
-  - However the number of members who work on the same workspace simultaneously \(seats\) are designated as 10 members.
+  - The number of members itself (account) are unlimited.
+  - However the number of members who work on the same workspace simultaneously (seats) are designated as 10 members.
 - Workspace storage quota
  - Originally, self-hosted version has no limitation in storage quota and uploading file size.
  - Now, there is some limitation even in the self-hosted version.
@@ -85,8 +85,8 @@ CREATE EXTENSION IF NOT EXISTS vector;

 #### Auth

- [ ] Whether allow new registrations
- [x] Whether allow new registration via configured oauth
+- `[ ]` Whether allow new registrations
+- `[x]` Whether allow new registration via configured oauth
 - Minimum length requirement of password: 8
 - Maximum length requirement of password: 50
 - save
@@ -117,5 +117,5 @@ Environment="AFFINE_SERVER_HTTPS=true"

 #### Flags

- [x] Whether allow guest users to create demo workspaces
+- `[x]` Whether allow guest users to create demo workspaces
 - save
@@ -61,7 +61,7 @@ CREATE EXTENSION IF NOT EXISTS earthdistance CASCADE;
  - map
  - version check
 - User privacy
-  - google cast \(disable\)
+  - google cast (disable)
 - Storage template
  - `{{y}}/{{MM}}/{{y}}{{MM}}{{dd}}_{{hh}}{{mm}}{{ss}}`
 - Backups
@@ -13,8 +13,8 @@

 ## Configuration

- **!CAUTION!** OpenCloud application \(Android, IOS, Desktop\) doesn't support standard OIDC. Every scopes and client id is hardcoded.
-  - WEBFINGER_\[DESKTOP|ANDROID|IOS\]_OIDC_CLIENT_ID, WEBFINGER_\[DESKTOP|ANDROID|IOS\]_OIDC_CLIENT_SCOPES don't work on official app.
+- **!CAUTION!** OpenCloud application (Android, IOS, Desktop) doesn't support standard OIDC. Every scopes and client id is hardcoded.
+  - `WEBFINGER_[DESKTOP|ANDROID|IOS]_OIDC_CLIENT_ID`, `WEBFINGER_[DESKTOP|ANDROID|IOS]_OIDC_CLIENT_SCOPES` don't work on official app.
  - It is impossible to set group claim in scopes. Therefore, it is hard to control roles with token including group claim.
 - When authelia doesn't work, annotate `OC_EXCLUDE_RUN_SERVICES=idp` and restart to container to use local admin.
 - This app doesn't support regex on role_assignment mapping.
@@ -67,8 +67,8 @@ ALTER DATABASE paperless_db OWNER TO paperless;
  - Mode: skip
    - When the archive file has broken ocr text, then conduct replcae command manually
  - Skip archive File: never
-  - Deskew: disable \(toggle to enable and once more to active disable option\)
-  - rotate: disable \(toggle to enable and once more to active disable option\)
+  - Deskew: disable (toggle to enable and once more to active disable option)
+  - rotate: disable (toggle to enable and once more to active disable option)

 ## The non-standard pdf file

@@ -52,7 +52,7 @@ ALTER DATABASE sure_db OWNER TO sure;
 - Setup: 
  - First name and last name
  - Will be using sure with
-    - [x] Family members
+    - `[x]` Family members
  - Country: South Korea
 - Preference: 
  - South Korean Won (KRW)
@@ -0,0 +1,33 @@
+# trilium
+
+## Prerequisite
+
+### Create oidc secret and hash
+
+- Create the secret with `openssl rand -base64 32`
+- access to auth vm
+  - `podman exec -it authelia sh`
+  - `authelia crypto hash generate pbkdf2 --password 'trilium.oidc.secret'`
+- Save this value in secrets.yaml in `trilium.oidc.secret` and `trilium.oidc.hash`
+
+## Configuration
+
+### Access
+
+- https://notes.ilnmors.com
+    - `[x]` I'm a new user, and I want to create a new Trilium document for my notes
+    - Next
+    - Password configuration
+    - local password login
+
+### OIDC
+
+- Menu: Options: MFA
+    - `[x]` Enable MFA
+    - `[x]` OAuth/OpenID
+    - logout
+- Authelia
+
+### about ERRORS
+
+- This is so unstable to use, especially OIDC is one of terrible experience.
@@ -2,7 +2,7 @@

 ## Communication

-Alloy runs on systemd \(host\), and postgresql runs as container \(rootless podman\). When host system and container communicate, container recognizes host system as host-gateway \(Link local address\).
+Alloy runs on systemd (host), and postgresql runs as container (rootless podman). When host system and container communicate, container recognizes host system as host-gateway (Link local address).

 ## postgresql monitor
 
@@ -6,10 +6,10 @@ This is not a perfect E2EE communication theorogically, however technically it i

 ### .com public domain

-WAN - \(Let's Encrypt certificate\) -> Caddy \(auth\) - \(ilnmors internal certificate\) -> Caddy \(app\) or https services - http -> app's local service
+WAN - (Let's Encrypt certificate) -> Caddy (auth) - (ilnmors internal certificate) -> Caddy (app) or https services - http -> app's local service

 ### .internal private domain
-client - \(ilnmors internal certificate\) -> Caddy \(Infra\) - http -> local services
+client - (ilnmors internal certificate) -> Caddy (Infra) - http -> local services

 ### DNS record

@@ -3,16 +3,16 @@
 ## LAPI

 ### Detecting
-Host logs \> CrowdSec Agent\(parser\) > CrowdSec LAPI
+Host logs > CrowdSec Agent(parser) > CrowdSec LAPI

 ### Decision
-CrowdSec LAPI \(Decision + Register\)
+CrowdSec LAPI (Decision + Register)

 ### Block
-CrowdSec LAPI \> CrowdSec Bouncer \(Block\)
+CrowdSec LAPI > CrowdSec Bouncer (Block)

 ## CAPI
-CrowdSec CAPI \> crowdsec LAPI \(local\) \> CrowdSec Bouncer \(Block\)
+CrowdSec CAPI > crowdsec LAPI (local) > CrowdSec Bouncer (Block)

 ## Ansible Deployment

@@ -20,34 +20,34 @@ CrowdSec CAPI \> crowdsec LAPI \(local\) \> CrowdSec Bouncer \(Block\)

 - Deploy fw's config.yaml
 - Deploy crowdsec certificates
- Register machines \(Agents\)
- Register bouncers \(Bouncers\)
+- Register machines (Agents)
+- Register bouncers (Bouncers)

 ### Set Bouncer (fw/roles/tasks/set_crowdsec_bouncer.yaml)

 - Deploy crowdsec-firewall-bouncer.yaml
- Install suricata collection \(parser\) with cscli
+- Install suricata collection (parser) with cscli
 - Set acquis.d for suricata
 - set-only: bouncer can't get metrics from the chain and rules count result which it doesn't make. - It means, it is impossible to use prometheus metric with set-only true option.
 - chain or rules matched count reasults are able to check on nftables. 
-  - use sudo nft list chain inet filter global to check packet blocked. \(counter command is required\)
+  - use sudo nft list chain inet filter global to check packet blocked. (counter command is required)

 ### Set Machines; agents (common/tasks/set_crowdsec_agent.yaml)

- Deploy config.yaml except fw \(disable LAPI, online_api_credentials\)
+- Deploy config.yaml except fw (disable LAPI, online_api_credentials)
 - Deploy local_api_credentials.yaml

 ### Set caddy host (auth/tasks/set_caddy.yaml)

 - Set caddy CrowdSec module
 - Set caddy log directory
- Install caddy collection \(parser\) with cscli
+- Install caddy collection (parser) with cscli
 - Set acquis.d for caddy

 ### Set whitelist (/etc/crowdsec/parser/s02-enrich/whitelists.yaml)

 - Set only local console IP address
- This can block local VM to the other subnet, but the communication between vms is possible because they are in the same subnet\(L2\) - packets don't pass the fw.
+- This can block local VM to the other subnet, but the communication between vms is possible because they are in the same subnet(L2) - packets don't pass the fw.
 - Crowdsec bouncer only conducts blocks forward chain which pass Firewall, it is blocked by crowdsec bouncer based on lapi

 ## Test
@@ -10,5 +10,5 @@ Kopia saves all information, even the users and policies on repository. Reposito

 When kopia is run as a kopia server, client can access to server with user and user password. The clients don't have to know master password. Kopia server decrypt the repository with the master password, and the client just access to the kopia server with their user account.

-Repository \<- Master password -\> Kopia server \<- User password -\> Kopia client
+Repository <- Master password -> Kopia server <- User password -> Kopia client

@@ -3,20 +3,20 @@
 ## IPv4

 ### Subnet management
- Static subnet \(manage without dhcp\)
-    - client \(for ipv4, set reservation\)
+- Static subnet (manage without dhcp)
+    - client (for ipv4, set reservation)
    - server
- Dynamic subnet \(manage with dhcp\)
+- Dynamic subnet (manage with dhcp)
    - user

 ## IPv6

 ### Subnet management
- Static subnet \(manage without RA - specific defination\)
-    - client \(Designated ULA with NAT66\)
-    - server \(Designated ULA with NAT66\)
- Dynamic subnet \(manage with RA and SLAAC\)
-    - user \(Autogenerated GUA\)
+- Static subnet (manage without RA - specific defination)
+    - client (Designated ULA with NAT66)
+    - server (Designated ULA with NAT66)
+- Dynamic subnet (manage with RA and SLAAC)
+    - user (Autogenerated GUA)

 ## Firewall policy for each subnet

@@ -26,4 +26,4 @@ Make polices based on each specific designated IP address for nodes.

 ### Dynamic subnet

-Make polices based on subnet \(or interface itself\)
+Make polices based on subnet (or interface itself)
@@ -142,5 +142,5 @@ podman exec -it ca step ca certificate test.com test.crt test_key --provisioner
 ### Firefox

 - Setting - Security - view certificates - Authority - add
-    - \[x\] trust this ca to identify website
-    - \[x\] trust this ca to identify email users
+    - `[x]` trust this ca to identify website
+    - `[x]` trust this ca to identify email users
@@ -2,14 +2,14 @@

 ## Operation
 Refer to Ansible playbook
-\(Postgresql user and DB is needed\)
-\(LDAP strict readonly account is needed\)
+(Postgresql user and DB is needed)
+(LDAP strict readonly account is needed)

 ## Verification
- Check Caddyfile \(without caddy, use 3000 ports\)
+- Check Caddyfile (without caddy, use 3000 ports)
 - https://grafana.ilnmors.internal
 - login with LDAP user
-    - connection:data sources: \[prometheus|loki\]: provisioned
+    - connection:data sources: `[prometheus|loki]`: provisioned
        - https://prometheus.ilnmors.internal:9090
        - https://loki.ilnmors.internal:3100

@@ -17,4 +17,4 @@ Refer to Ansible playbook

 ## Dashboard

- Dashboard isn't saved on local directory. They are saved on DB \(Postgresql\).
+- Dashboard isn't saved on local directory. They are saved on DB (Postgresql).
@@ -1,6 +1,6 @@
 ## Operation
 Refer to Ansible playbook
-\(Postgresql user and DB is needed\)
+(Postgresql user and DB is needed)

 Integrate configuration with various app: https://github.com/lldap/lldap/blob/main/example_configs

@@ -8,7 +8,7 @@ Integrate configuration with various app: https://github.com/lldap/lldap/blob/ma
 ### DB URL

 Jinja2 `urlencode` module doesn't replace `/` as `%2F`. replace('/', '%2F') is necessary.
-ex\) {{ var | urlencode | replace('/', '%2F') }}
+ex) {{ var | urlencode | replace('/', '%2F') }}

 ### Reset administrator password

@@ -28,56 +28,56 @@ systemctl --user restart ldap.service

 ### Access web UI and Login

- URL: http://ldap.ilnmors.internal:17170 \(This is temporary access way before Caddy, which is reverse proxy, is set)
+- URL: http://ldap.ilnmors.internal:17170 (This is temporary access way before Caddy, which is reverse proxy, is set)
 - ID: admin
 - PW: $LLDAP_LDAP_USER_PASSWORD

 ### Create the groups

- Groups - \[\+\] Create a group
+- Groups - `[+]` Create a group
 	- Group: admins
 	- Group: users
    
 It is necessary to manage ACL via authelia based on groups.

-### Create the authelia user for OCID \(OP\)
+### Create the authelia user for OCID (OP)

- Users: \[\+\] Create a user
+- Users: `[+]` Create a user
 	- Username (cn; uid): authelia
 	- Display name: Authelia
 	- First Name: Authelia
 	- Last Name (sn): Service
 	- Email (mail): authelia@ilnmors.internal
 	- Password: "$(openssl rand -base64 32)"
- Groups:lldap_strict_readonly: \[Add to group\]
+- Groups:lldap_strict_readonly: `[Add to group]`
 	- This group allow search authority.
- Users: \[\+\] Create a user
+- Users: `[+]` Create a user
 	- Username (cn; uid): grafana
 	- Display name: Grafana
 	- First Name: Grafana
 	- Last Name (sn): Service
 	- Email (mail): grafana@ilnmors.internal
 	- Password: "$(openssl rand -base64 32)"
- Groups:lldap_strict_readonly: \[Add to group\]
+- Groups:lldap_strict_readonly: `[Add to group]`
 	- This group allow search authority.
 > Save the password in .secret.yaml

 ### Create the normal users

- Users: \[\+\] Create a user
+- Users: `[+]` Create a user
 	- Username (cn; uid): il
 	- First Name: Il
 	- Last Name (sn): Lee
 	- Email (mail): il@ilnmors.internal
 	- Password: "$PASSWORD"
- Groups:lldap_admin&admins&users: \[Add to group\]
- Users: \[\+\] Create a user
+- Groups:lldap_admin&admins&users: `[Add to group]`
+- Users: `[+]` Create a user
 	- Username (cn; uid): user
 	- First Name: John
 	- Last Name (sn): Doe
 	- Email (mail): john_doe@ilnmors.internal
 	- Password: "$PASSWORD"
- Groups:(admins|users): \[Add to group\]
+- Groups:(admins|users): `[Add to group]`

 > Custom schema in `User schema`, `Group schema` doesn't need to be added. This is for advanced function to add additional value such as `identity number` or `phone number`. Hardcoded schema, which means basic schema the lldap provides is enough to use Authelia.

@@ -3,7 +3,7 @@
 ## Operation
 Refer to Ansible playbook
 ## Verification
- fw@fw:/var/lib/bind$ curl -k https://loki.ilnmors.internal:3100/ready \(Node which is in NET_SERVER except infra itself\)
+- fw@fw:/var/lib/bind$ curl -k https://loki.ilnmors.internal:3100/ready (Node which is in NET_SERVER except infra itself)
    - ready
 - fw@fw:/var/lib/bind$ curl -k https://loki.ilnmors.internal:3100/metrics
    - metrics lists
@@ -3,7 +3,7 @@
 ## Operation
 Refer to Ansible playbook
 ## Verification
- Check Caddyfile \(without caddy, use 9090 ports\)
+- Check Caddyfile (without caddy, use 9090 ports)
 - https://prometheus.ilnmors.internal
 - Status:Target Health
    - Check `Endpoint localhost:9090 ` with green circle
@@ -4,7 +4,7 @@
 - link file
    Link file links hardware interface and kernel while booting
 - netdev file
-    netdev file defines virtual interface \(port, bridge\)
+    netdev file defines virtual interface (port, bridge)
 - network file
    network file defines network option above interfaces

@@ -12,7 +12,7 @@

 - reload
  - networkctl reload
-  - networkctl reconfigure \[interface name\]
+  - networkctl reconfigure [interface name]

 ## references

@@ -24,10 +24,10 @@
 ## Plans

 - Hypervisor's linux bridges work as L2 switch
-  - br0 is completely L2 switch \(LinkLocalAddressing=no\)
+  - br0 is completely L2 switch (LinkLocalAddressing=no)
  - br1 has ip address for hypervisor itself, but basically works as L2 switch whitch can deal with VLAN tags; id=1,10
- Firewall's port \(wan\) works as Gateway which can conduct NAT
- Firewall's port \(clients\) works as trunk port which can deal with VLAN tags; id=1,10,20
+- Firewall's port (wan) works as Gateway which can conduct NAT
+- Firewall's port (clients) works as trunk port which can deal with VLAN tags; id=1,10,20
 - Firewall's port
  - client, id = 1
  - server, id = 10
@@ -4,7 +4,7 @@ Quadlet is for defining container configuration and lifecycle combining systemd

 ## Rootless container

-Containers should be isolated from host OS. However, docker runs with root permission on daemon \(dockerd\). This means when one docker container has vulnerability and it is taken over, all the host system authority is threatened. Rootless container, podman runs without root permission and daemon so that even if one of containers is taken over, prevent the damage in host's normal user authority.
+Containers should be isolated from host OS. However, docker runs with root permission on daemon (dockerd). This means when one docker container has vulnerability and it is taken over, all the host system authority is threatened. Rootless container, podman runs without root permission and daemon so that even if one of containers is taken over, prevent the damage in host's normal user authority.

 Rootless container maps UID/GID between host and its own following namespace. Host's user UID/GID is mapped with container's root, and host's subuid/subgid defined on `/etc/subuid`, `/etc/subgid` is mapped with container's user UID/GID by default.

@@ -2,11 +2,11 @@

 ## Console

- OS: WSL2 \(Debian 13\)
+- OS: WSL2 (Debian 13)
 - Processor: 4vCPU
 - Memory: 4GiB
 - Disk:
-    - 32GiB for `/` \(VHD file\)
+    - 32GiB for `/` (VHD file)
 - Services:
    - [x] Terminal
    - [x] Step-CLI
@@ -15,25 +15,25 @@
    - [x] Kopia
    - [x] cloud-image-utils

-## vmm \(Hypervisor\)
+## vmm (Hypervisor)

 - OS: Debian13
- Processor: pCPU \(N150\)
- Memory: 3GiB \(margin\)
+- Processor: pCPU (N150)
+- Memory: 3GiB (margin)
    - KSM allows more than 3GiB for vmm
 - MAC:
    - c8:ff:bf:05:aa:b0
    - c8:ff:bf:05:aa:b1
 - Disk:
    - SSD:
-        - 64GiB for `/` \(ext4 in LVM\)
-        - 700GiB for `/var/lib/libvirt` \(ext4 in LVM\)
+        - 64GiB for `/` (ext4 in LVM)
+        - 700GiB for `/var/lib/libvirt` (ext4 in LVM)
 - Services:
    - [x] QEMU/KVM
    - [x] libvirtd
    - [x] ksmtuned

-## fw \(Firewall\)
+## fw (Firewall)

 - OS: Debian13
 - Processor: 2vCPU
@@ -43,20 +43,20 @@
    - 0a:49:6e:4d:00:00
    - 0a:49:6e:4d:00:01
 - Disk:
-    - SSD: 64GiB for `/` \(ext4 in qcow2 file\)
+    - SSD: 64GiB for `/` (ext4 in qcow2 file)
 - Services:
    - native packages:
-        - [x] nftables \(firewall based on ZONE\)
-        - [x] Suricata \(IDS\)
-        - [x] CrowdSec LAPI \(IPS\)
+        - [x] nftables (firewall based on ZONE)
+        - [x] Suricata (IDS)
+        - [x] CrowdSec LAPI (IPS)
        - [x] Kea DHCP
        - [x] Wireguard-tool
-        - [x] BIND9 \(Local authoritative DNS\)
-        - [x] Blocky \(Resolver DNS\)
+        - [x] BIND9 (Local authoritative DNS)
+        - [x] Blocky (Resolver DNS)
    - Scripts:
        - [x] ddns.sh

-## infra \(Infrastructure\)
+## infra (Infrastructure)

 - OS: Debian13
 - Processor: 2vCPU
@@ -64,15 +64,15 @@
 - Memory: 6GiB
 - MAC: 0a:49:6e:4d:01:00
 - Disk:
-    - SSD: 256GiB for `/` \(ext4 in qcow2 file\)
+    - SSD: 256GiB for `/` (ext4 in qcow2 file)
 - Services:
    - Rootless containers:
        - [x] PostgreSQL
        - [x] lldap
        - [x] Step-CA
-        - [x] Caddy \(with nsupdate\)
-        - [x] Prometheus \(alloy - push\)
-        - [x] Loki \(alloy\)
+        - [x] Caddy (with nsupdate)
+        - [x] Prometheus (alloy - push)
+        - [x] Loki (alloy)
        - [x] Grafana 
    <!-- 
        Mail service is not needed, especially Diun is not needed.
@@ -80,12 +80,12 @@
        - Dovecot
        - mbsync
        - Diun
-    - Study \(Rootless container\):
+    - Study (Rootless container):
        - Kali
        - Debian 
    -->

-## auth \(Authorization\)
+## auth (Authorization)

 - OS: Debian13
 - Processor: 2vCPU
@@ -93,13 +93,13 @@
 - Memory: 2GiB
 - MAC: 0a:49:6e:4d:02:00
 - Disk:
-    - SSD: 64GiB for `/` \(ext4 in qcow2 file\)
+    - SSD: 64GiB for `/` (ext4 in qcow2 file)
 - Services:
    - Rootless containers:
-        - [x] Caddy \(with nsupdate, crowdsec-http, crowdsec-bouncer module\)
+        - [x] Caddy (with nsupdate, crowdsec-http, crowdsec-bouncer module)
        - [x] authelia

-## app \(Application\)
+## app (Application)

 - OS: Debian13
 - Processor: 4vCPU
@@ -107,9 +107,9 @@
 - Memory: 16GiB
 - MAC: 0a:49:6e:4d:03:00
 - Disk:
-    - SSD: 256GiB for `/` \(ext4 in qcow2 file\)
-    - HDD: 4TB for `/home/app/data` \(btrfs\)
- VFIO \(Hardware passthrough):
+    - SSD: 256GiB for `/` (ext4 in qcow2 file)
+    - HDD: 4TB for `/home/app/data` (btrfs)
+- VFIO (Hardware passthrough):
    - Graphic: N150 iGPU
    - Disk: SATA Controller
 - Services:
@@ -121,9 +121,9 @@
        - [x] Paperless-ngx
        - [x] vikunja (Comparing to Nextcloud deck)
        - [x] OpenCloud (Comparing to Nextcloud)
-        - [x] affine \(Notion substitution\)
-        - [x] Nextcloud \(Use nextcloud as CalDAV and CardDav, kanban and todo\)
-        - [x] Collabora office \(Link to Nextcloud, it works well\)
+        - [x] affine (Notion substitution)
+        - [x] Nextcloud (Use nextcloud as CalDAV and CardDav, kanban and todo)
+        - [x] Collabora office (Link to Nextcloud, it works well)
        - [x] ezBookkeeping 
            - use budget.ilnmors.com for ezBookkeeping, actual budget domain is changed as actualbudget.ilnmors.com
        - [x] sure
@@ -133,7 +133,8 @@
            - sure is heavy, but it is not YNAB and it allows to share account the other users
        - [x] wiki.js
            - check wiki.js to use as base wiki of documents.
-        - [ ] TriliumNext
+        - [x] TriliumNext
+            - UNSTABLE, it is impossible to use.
        - [ ] memos
        - WriteFreely or directus + frontend(Astro)
        - MediaCMS or PeerTube
@@ -153,8 +154,8 @@

 ## External Backup server

- OS: DSM \(Synology\)
- Processor: pCPU \(Realtek RTD1619B\)
+- OS: DSM (Synology)
+- Processor: pCPU (Realtek RTD1619B)
 - Memory: 1GiB
 - MAC: 90:09:d0:65:a9:db
 - Disk:
@@ -162,4 +163,4 @@
 - Services:
    - SFTP
    - Kopia repository server
-    - CloudSync \(Upload backup files to Cloud\)
+    - CloudSync (Upload backup files to Cloud)
@@ -5,27 +5,27 @@
 ### Main server

 - Aoostar WTR Pro N150
-    - Processor: Intel N150 \(4C4T\)
+    - Processor: Intel N150 (4C4T)
    - Graphic: Intel UHD Graphics
    - 2.5 Gbps NIC x 2
-    - M.2 Slot x 2 \(SSD, WiFi\)
+    - M.2 Slot x 2 (SSD, WiFi)
    - SATA bay x 4
    - 279,900 KRW
 - Samsung DDR4 SO-DIMM 3200 32G x 1
    - 106,900 KRW
 - Samsung 980 Pro 1TB TLC x 1
-    - 276,000 KRW \(Previously owned\)
+    - 276,000 KRW (Previously owned)
 - 3RAYS glaicer 6 m.2 SSD heatsink x 1
    - 7,330 KRW
 - HGST Ultrastar 7K4000 2TB HDD x 3
    - 99,000 KRW
 - HGST Ultrastar 7K2 2TB HDD x 1
    - 43,000 KRW
- Total price: 698,030 KRW \(1,460,030 KRW with previously owned ones\)
+- Total price: 698,030 KRW (1,460,030 KRW with previously owned ones)

 ### Backup server
 - Synology DS124
-    - Processor: Realtek RTD1619B \(4C4T\)
+    - Processor: Realtek RTD1619B (4C4T)
    - Memory: DDR4 1GB
    - 1 Gbps NIC x 1
    - SATA bay x 1
@@ -34,9 +34,9 @@
    - 55,000 KRW
 - Total price: 297,000 KRW

-### Console \(Laptop\)
+### Console (Laptop)
 - Microsoft surface laptop 7th ZGJ-00021
-    - Processor: Snapdragon X Plus \(ARM64, 10C10T\)
+    - Processor: Snapdragon X Plus (ARM64, 10C10T)
    - Memory: LPDDR5x 16GB
    - SSD: 256GB SSD
    - OS: Windows11 Home
@@ -49,7 +49,7 @@
 - EFM 3.5 External HDD case ipTIME HDD3135 Plus x 1
    - 29,400 KRW
 - Seagate BARRACUDA HDD 2TB x 1
-    - 99,000 KRW \(Previously owned\)
+    - 99,000 KRW (Previously owned)
 - Total price: 128,400 KRW

 ## Devices
@@ -12,7 +12,7 @@
 |infra|2002|2000|infrastructure|
 |auth|2003|2000|authentication and authorization|
 |app|2004|2000|services|
-|console|2999|2000|console node\(surface\)|
+|console|2999|2000|console node(surface)|

 ### subuid and subgid

@@ -25,8 +25,8 @@
 |port number|node|subnet|id|
 |:-:|:-:|:-:|:-:|
 |1|WTR Pro N150|Trunk|-|
-|2|AP\(Preparation\)|USER|20|
-|3|DS124\(NAS\)|CLIENT|1|
+|2|AP(Preparation)|USER|20|
+|3|DS124(NAS)|CLIENT|1|
 |4|Console|CLIENT|1|
 |5|Printer|CLIENT|1|
 |6|-|-|-|
@@ -39,10 +39,10 @@

 |name|IPv4|IPv6|id|
 |:-:|:-:|:-:|:-:|
-|CLIENT|192.168.1.0/24|fd00:1::/64\(ULA\)|1|
-|SERVER|192.168.10.0/24|fd00:10::/64\(ULA\)|10|
+|CLIENT|192.168.1.0/24|fd00:1::/64(ULA)|1|
+|SERVER|192.168.10.0/24|fd00:10::/64(ULA)|10|
 |USER|192.168.20.0/24|GUA from ISP|20|
-|WG0|192.168.99.0/24|fd00:99::/64\(ULA\)|-|
+|WG0|192.168.99.0/24|fd00:99::/64(ULA)|-|

 ### Host

@@ -68,12 +68,12 @@
    - 192.168.99.1
    - fd00:99::1

-#### blocky \(fw\)
+#### blocky (fw)
 - SERVER
    - 192.168.10.2
    - fd00:10::2

-#### bind \(fw\)
+#### bind (fw)
 - SERVER
    - 192.168.10.3
    - fd00:10::3
@@ -1,6 +1,6 @@
 # DHCP (Dynamic Host Configuration Protocol)

-Before DHCP emerged, every client had to set their own static IP or using RARP\(Reverse Address Resolution Protocol\). They have critical problems. 
+Before DHCP emerged, every client had to set their own static IP or using RARP(Reverse Address Resolution Protocol). They have critical problems. 

 - Static IP
    - Each host has their own IP regardless they run or not. It cause lack of IP address.
@@ -36,7 +36,7 @@ Forward zone has basically information of the pair of domain and IP address. The

 - Reverse zone

-Reverse zone also has basically information of the pair of IP address and domain. The role of this zone is change IP address to domain name. To change domain to IP address it uses specific domain name. \[reversed_ip_address\].in_addr.arpa (i.e. 1.168.192.in-addr.arpa)
+Reverse zone also has basically information of the pair of IP address and domain. The role of this zone is change IP address to domain name. To change domain to IP address it uses specific domain name. `[reversed_ip_address].in_addr.arpa` (i.e. 1.168.192.in-addr.arpa)

 ### Records

@@ -6,11 +6,11 @@ link-local address is for reserved subnets for L2 communication.

 ### APIPA

-When the client couldn't get IP address from DHCP, OS automatically allocate IP address subnet 169.254.0.0/16. This address can never pass L3 point \(router\). It is usually used for internal communication in cloud environment, or PASTA network in containers.
+When the client couldn't get IP address from DHCP, OS automatically allocate IP address subnet 169.254.0.0/16. This address can never pass L3 point (router). It is usually used for internal communication in cloud environment, or PASTA network in containers.

 ### RFC1918

-These are originally IP addresses subnet 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 which can communicate beyond L3 point \(Router\). However, it is reserved for LAN \(Local Area Network\) because of the lack of the number of IPv4 address. They can communicate to the other subnets but they cannot be used on WAN environment, which means ISP cannot allocate these IP subnet to their client.
+These are originally IP addresses subnet 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 which can communicate beyond L3 point (Router). However, it is reserved for LAN (Local Area Network) because of the lack of the number of IPv4 address. They can communicate to the other subnets but they cannot be used on WAN environment, which means ISP cannot allocate these IP subnet to their client.

 ## IPv6

@@ -20,11 +20,11 @@ Link-local address is very important in IPv6 unlike IPv4. Basically, every edge

 ### IPv4
 - 127.0.0.1: container itself
- 169.254.0.0/16: container and host communication \(linklocal\)
+- 169.254.0.0/16: container and host communication (linklocal)
 - RFC1918 for private LAN
 - WAN
 ### IPv6
- \[::1\]: container itself
- \[fe80::\]: container and host communication \(linklocal\)
- \[fd00::\]: (ULA) for private LAN
- [ Global IPv6 ]
+- `[::1]`: container itself
+- `[fe80::]`: container and host communication (linklocal)
+- `[fd00::]`: (ULA) for private LAN
+- `[ Global IPv6 ]`
@@ -4,11 +4,11 @@ The concept of hardware passthrough is directly passing the hardware devices to

 ## GRUB

-GRUB \(Grand Unified Bootloader\) is bootloader for OS. They runs first when the computer boots, load the kernel on memory, and binds hardwares on kernel with their driver. The configuration of sequence that GRUB decides is stored on initramfs.
+GRUB (Grand Unified Bootloader) is bootloader for OS. They runs first when the computer boots, load the kernel on memory, and binds hardwares on kernel with their driver. The configuration of sequence that GRUB decides is stored on initramfs.

 ## IOMMU

-IOMMU is MMU \(Memory Management Unit\) for I/O device. It convert and isolate logical address of IO devices to physical address of memory, so that I/O device's DMA \(Direct Memory Access\). When IOMMU is enabled on GRUB, they can allocate and manage hardwares address on physical memory. This fact allows, this can reserve physical address area for device to allocate virtual machines.
+IOMMU is MMU (Memory Management Unit) for I/O device. It convert and isolate logical address of IO devices to physical address of memory, so that I/O device's DMA (Direct Memory Access). When IOMMU is enabled on GRUB, they can allocate and manage hardwares address on physical memory. This fact allows, this can reserve physical address area for device to allocate virtual machines.

 ## VFIO
Author	SHA1	Message	Date
il	02fa912cb1	feat(trilium): release trilium deployment notes: - oidc error (users cannot access at once, it needs login twice when using oidc	2026-05-09 22:38:57 +09:00
il	aceef4bdaa	refactor(authelia): update authelia.yaml.j2 to fix redirect_uris from hardcoded uris to ansible variables	2026-05-09 21:44:11 +09:00
il	64aad4fcf0	docs(all): fix markdown syntax and snippets	2026-05-09 20:54:32 +09:00