chore(chromium): archive a removed stack from console

archived stack: chromium

.gitignore

@@ -2,6 +2,8 @@
 data/bin/*
 data/volumes/*
 data/images/*
+!data/images/containers
+data/images/containers/*
 docs/archives/textfiles/
 docs/notes/*
 *.sql

ansible/inventory/group_vars/all.yaml

@@ -1,6 +1,7 @@
 ---
 # Global vars
 ansible_ssh_private_key_file: "/etc/secrets/{{ hostvars['console']['node']['uid'] }}/id_console"
+timezone: "Asia/Seoul"
 
 # CA
 root_cert_filename: "ilnmors_root_ca.crt"

ansible/playbooks/app/site.yaml

@@ -23,9 +23,9 @@
       tags: ["always"]
 
   tasks:
-    - name: Set timezone to Asia/Seoul
+    - name: Set timezone
       community.general.timezone:
-        name: Asia/Seoul
+        name: "{{ timezone }}"
       become: true
       tags: ["init", "timezone"]
 

ansible/playbooks/auth/site.yaml

@@ -23,9 +23,9 @@
       tags: ["always"]
 
   tasks:
-    - name: Set timezone to Asia/Seoul
+    - name: Set timezone
       community.general.timezone:
-        name: Asia/Seoul
+        name: "{{ timezone }}"
       become: true
       tags: ["init", "timezone"]
 

ansible/playbooks/console/site.yaml

@@ -24,9 +24,9 @@
 
   tasks:
     # init
-    - name: Set timezone to Asia/Seoul
+    - name: Set timezone
       community.general.timezone:
-        name: Asia/Seoul
+        name: "{{ timezone }}"
       become: true
       tags: ["init", "timezone"]
 

ansible/playbooks/fw/site.yaml

@@ -23,9 +23,9 @@
       tags: ["always"]
 
   tasks:
-    - name: Set timezone to Asia/Seoul
+    - name: Set timezone
       community.general.timezone:
-        name: Asia/Seoul
+        name: "{{ timezone }}"
       become: true
       tags: ["init", "timezone"]
 

ansible/playbooks/infra/site.yaml

@@ -23,9 +23,9 @@
       tags: ["always"]
 
   tasks:
-    - name: Set timezone to Asia/Seoul
+    - name: Set timezone
       community.general.timezone:
-        name: Asia/Seoul
+        name: "{{ timezone }}"
       become: true
       tags: ["init", "timezone"]
 

ansible/playbooks/vmm/site.yaml

@@ -30,9 +30,9 @@
       tags: ["always"]
   tasks:
     # init
-    - name: Set timezone to Asia/Seoul
+    - name: Set timezone
       community.general.timezone:
-        name: Asia/Seoul
+        name: "{{ timezone }}"
       become: true
       tags: ["init", "timezone"]
 

ansible/roles/app/tasks/services/set_affine.yaml

@@ -161,3 +161,38 @@
     enabled: true
     daemon_reload: true
     scope: "user"
+
+- name: Check container archive images
+  ansible.builtin.stat:
+    path: "{{ node['home_path'] }}/archives/containers/{{ item.file }}.tar"
+  loop:
+    - image: "docker.io/manticoresearch/manticore:{{ version['containers']['manticore'] }}"
+      file: "docker.io_manticoresearch_manticore_{{ version['containers']['manticore'] }}"
+    - image: "docker.io/library/redis:{{ version['containers']['redis'] }}"
+      file: "docker.io_library_redis_{{ version['containers']['redis'] }}"
+    - image: "ghcr.io/toeverything/affine:{{ version['containers']['affine'] }}"
+      file: "ghcr.io_toeverything_affine_{{ version['containers']['affine'] }}"
+  loop_control:
+    label: "{{ item.file }}"
+  register: container_archive_images
+
+- name: Save container archive images
+  containers.podman.podman_save:
+    image:
+      - "{{ item.item.image }}"
+    dest: "{{ node['home_path'] }}/archives/containers/{{ item.item.file }}.tar"
+    format: "oci-archive"
+    force: false
+  loop: "{{ container_archive_images.results }}"
+  loop_control:
+    label: "{{ item.item.file }}"
+  when: not item.stat.exists
+
+- name: Fetch container archive images
+  ansible.builtin.fetch:
+    src: "{{ node['home_path'] }}/archives/containers/{{ item.item.file }}.tar"
+    dest: "{{ hostvars['console']['node']['data_path'] }}/images/containers/"
+    flat: true
+  loop: "{{ container_archive_images.results }}"
+  loop_control:
+    label: "{{ item.item.file }}"

ansible/roles/app/tasks/services/set_collabora.yaml

@@ -15,3 +15,23 @@
     enabled: true
     daemon_reload: true
     scope: "user"
+
+- name: Check container archive images
+  ansible.builtin.stat:
+    path: "{{ node['home_path'] }}/archives/containers/docker.io_collabora_code_{{ version['containers']['collabora'] }}.tar"
+  register: container_archive_images
+
+- name: Save container archive images
+  containers.podman.podman_save:
+    image:
+      - "docker.io/collabora/code:{{ version['containers']['collabora'] }}"
+    dest: "{{ node['home_path'] }}/archives/containers/docker.io_collabora_code_{{ version['containers']['collabora'] }}.tar"
+    format: "oci-archive"
+    force: false
+  when: not container_archive_images.stat.exists
+
+- name: Fetch container archive images
+  ansible.builtin.fetch:
+    src: "{{ node['home_path'] }}/archives/containers/docker.io_collabora_code_{{ version['containers']['collabora'] }}.tar"
+    dest: "{{ hostvars['console']['node']['data_path'] }}/images/containers/"
+    flat: true

ansible/roles/app/tasks/services/set_gitea.yaml

@@ -49,3 +49,23 @@
     enabled: true
     daemon_reload: true
     scope: "user"
+
+- name: Check container archive images
+  ansible.builtin.stat:
+    path: "{{ node['home_path'] }}/archives/containers/docker.io_gitea_gitea_{{ version['containers']['gitea'] }}.tar"
+  register: container_archive_images
+
+- name: Save container archive images
+  containers.podman.podman_save:
+    image:
+      - "docker.io/gitea/gitea:{{ version['containers']['gitea'] }}"
+    dest: "{{ node['home_path'] }}/archives/containers/docker.io_gitea_gitea_{{ version['containers']['gitea'] }}.tar"
+    format: "oci-archive"
+    force: false
+  when: not container_archive_images.stat.exists
+
+- name: Fetch container archive images
+  ansible.builtin.fetch:
+    src: "{{ node['home_path'] }}/archives/containers/docker.io_gitea_gitea_{{ version['containers']['gitea'] }}.tar"
+    dest: "{{ hostvars['console']['node']['data_path'] }}/images/containers/"
+    flat: true

ansible/roles/app/tasks/services/set_immich.yaml

@@ -118,3 +118,38 @@
     enabled: true
     daemon_reload: true
     scope: "user"
+
+- name: Check container archive images
+  ansible.builtin.stat:
+    path: "{{ node['home_path'] }}/archives/containers/{{ item.file }}.tar"
+  loop:
+    - image: "docker.io/library/redis:{{ version['containers']['redis'] }}"
+      file: "docker.io_library_redis_{{ version['containers']['redis'] }}"
+    - image: "ghcr.io/immich-app/immich-machine-learning:{{ version['containers']['immich'] }}-openvino"
+      file: "ghcr.io_immich-app_immich-machine-learning_{{ version['containers']['immich'] }}-openvino"
+    - image: "ghcr.io/immich-app/immich-server:{{ version['containers']['immich'] }}"
+      file: "ghcr.io_immich-app_immich-server_{{ version['containers']['immich'] }}"
+  loop_control:
+    label: "{{ item.file }}"
+  register: container_archive_images
+
+- name: Save container archive images
+  containers.podman.podman_save:
+    image:
+      - "{{ item.item.image }}"
+    dest: "{{ node['home_path'] }}/archives/containers/{{ item.item.file }}.tar"
+    format: "oci-archive"
+    force: false
+  loop: "{{ container_archive_images.results }}"
+  loop_control:
+    label: "{{ item.item.file }}"
+  when: not item.stat.exists
+
+- name: Fetch container archive images
+  ansible.builtin.fetch:
+    src: "{{ node['home_path'] }}/archives/containers/{{ item.item.file }}.tar"
+    dest: "{{ hostvars['console']['node']['data_path'] }}/images/containers/"
+    flat: true
+  loop: "{{ container_archive_images.results }}"
+  loop_control:
+    label: "{{ item.item.file }}"

ansible/roles/app/tasks/services/set_nextcloud.yaml

@@ -174,3 +174,36 @@
     enabled: true
     daemon_reload: true
     scope: "user"
+
+- name: Check container archive images
+  ansible.builtin.stat:
+    path: "{{ node['home_path'] }}/archives/containers/{{ item.file }}.tar"
+  loop:
+    - image: "docker.io/library/redis:{{ version['containers']['redis'] }}"
+      file: "docker.io_library_redis_{{ version['containers']['redis'] }}"
+    - image: "docker.io/library/nextcloud:{{ version['containers']['nextcloud'] }}"
+      file: "docker.io_library_nextcloud_{{ version['containers']['nextcloud'] }}"
+  loop_control:
+    label: "{{ item.file }}"
+  register: container_archive_images
+
+- name: Save container archive images
+  containers.podman.podman_save:
+    image:
+      - "{{ item.item.image }}"
+    dest: "{{ node['home_path'] }}/archives/containers/{{ item.item.file }}.tar"
+    format: "oci-archive"
+    force: false
+  loop: "{{ container_archive_images.results }}"
+  loop_control:
+    label: "{{ item.item.file }}"
+  when: not item.stat.exists
+
+- name: Fetch container archive images
+  ansible.builtin.fetch:
+    src: "{{ node['home_path'] }}/archives/containers/{{ item.item.file }}.tar"
+    dest: "{{ hostvars['console']['node']['data_path'] }}/images/containers/"
+    flat: true
+  loop: "{{ container_archive_images.results }}"
+  loop_control:
+    label: "{{ item.item.file }}"

ansible/roles/app/tasks/services/set_paperless.yaml

@@ -122,3 +122,36 @@
     enabled: true
     daemon_reload: true
     scope: "user"
+
+- name: Check container archive images
+  ansible.builtin.stat:
+    path: "{{ node['home_path'] }}/archives/containers/{{ item.file }}.tar"
+  loop:
+    - image: "docker.io/library/redis:{{ version['containers']['redis'] }}"
+      file: "docker.io_library_redis_{{ version['containers']['redis'] }}"
+    - image: "ghcr.io/paperless-ngx/paperless-ngx:{{ version['containers']['paperless'] }}"
+      file: "ghcr.io_paperless-ngx_paperless-ngx_{{ version['containers']['paperless'] }}"
+  loop_control:
+    label: "{{ item.file }}"
+  register: container_archive_images
+
+- name: Save container archive images
+  containers.podman.podman_save:
+    image:
+      - "{{ item.item.image }}"
+    dest: "{{ node['home_path'] }}/archives/containers/{{ item.item.file }}.tar"
+    format: "oci-archive"
+    force: false
+  loop: "{{ container_archive_images.results }}"
+  loop_control:
+    label: "{{ item.item.file }}"
+  when: not item.stat.exists
+
+- name: Fetch container archive images
+  ansible.builtin.fetch:
+    src: "{{ node['home_path'] }}/archives/containers/{{ item.item.file }}.tar"
+    dest: "{{ hostvars['console']['node']['data_path'] }}/images/containers/"
+    flat: true
+  loop: "{{ container_archive_images.results }}"
+  loop_control:
+    label: "{{ item.item.file }}"

ansible/roles/app/tasks/services/set_sure.yaml

@@ -63,7 +63,7 @@
     content: |
       {{ hostvars['console']['ca']['root']['crt'] }}
     dest: "{{ node['home_path'] }}/containers/sure/ssl/{{ root_cert_filename }}"
-    owner: "{{ services['paperless']['subuid'] }}"
+    owner: "{{ services['sure']['subuid'] }}"
     group: "svadmins"
     mode: "0440"
   become: true
@@ -98,7 +98,7 @@
     - "sure-worker.container"
   notify: "notification_restart_sure"
 
-- name: Enable paperless.service
+- name: Enable sure.service
   ansible.builtin.systemd:
     name: "{{ item }}"
     state: "started"
@@ -108,3 +108,36 @@
   loop:
     - "sure-web.service"
     - "sure-worker.service"
+
+- name: Check container archive images
+  ansible.builtin.stat:
+    path: "{{ node['home_path'] }}/archives/containers/{{ item.file }}.tar"
+  loop:
+    - image: "docker.io/library/redis:{{ version['containers']['redis'] }}"
+      file: "docker.io_library_redis_{{ version['containers']['redis'] }}"
+    - image: "ghcr.io/we-promise/sure:{{ version['containers']['sure'] }}"
+      file: "ghcr.io_we-promise_sure_{{ version['containers']['sure'] }}"
+  loop_control:
+    label: "{{ item.file }}"
+  register: container_archive_images
+
+- name: Save container archive images
+  containers.podman.podman_save:
+    image:
+      - "{{ item.item.image }}"
+    dest: "{{ node['home_path'] }}/archives/containers/{{ item.item.file }}.tar"
+    format: "oci-archive"
+    force: false
+  loop: "{{ container_archive_images.results }}"
+  loop_control:
+    label: "{{ item.item.file }}"
+  when: not item.stat.exists
+
+- name: Fetch container archive images
+  ansible.builtin.fetch:
+    src: "{{ node['home_path'] }}/archives/containers/{{ item.item.file }}.tar"
+    dest: "{{ hostvars['console']['node']['data_path'] }}/images/containers/"
+    flat: true
+  loop: "{{ container_archive_images.results }}"
+  loop_control:
+    label: "{{ item.item.file }}"

ansible/roles/app/tasks/services/set_vaultwarden.yaml

@@ -55,3 +55,23 @@
     enabled: true
     daemon_reload: true
     scope: "user"
+
+- name: Check container archive images
+  ansible.builtin.stat:
+    path: "{{ node['home_path'] }}/archives/containers/docker.io_vaultwarden_server_{{ version['containers']['vaultwarden'] }}.tar"
+  register: container_archive_images
+
+- name: Save container archive images
+  containers.podman.podman_save:
+    image:
+      - "docker.io/vaultwarden/server:{{ version['containers']['vaultwarden'] }}"
+    dest: "{{ node['home_path'] }}/archives/containers/docker.io_vaultwarden_server_{{ version['containers']['vaultwarden'] }}.tar"
+    format: "oci-archive"
+    force: false
+  when: not container_archive_images.stat.exists
+
+- name: Fetch container archive images
+  ansible.builtin.fetch:
+    src: "{{ node['home_path'] }}/archives/containers/docker.io_vaultwarden_server_{{ version['containers']['vaultwarden'] }}.tar"
+    dest: "{{ hostvars['console']['node']['data_path'] }}/images/containers/"
+    flat: true

ansible/roles/auth/tasks/services/set_authelia.yaml

@@ -76,3 +76,23 @@
     enabled: true
     daemon_reload: true
     scope: "user"
+
+- name: Check container archive images
+  ansible.builtin.stat:
+    path: "{{ node['home_path'] }}/archives/containers/docker.io_authelia_authelia_{{ version['containers']['authelia'] }}.tar"
+  register: container_archive_images
+
+- name: Save container archive images
+  containers.podman.podman_save:
+    image:
+      - "docker.io/authelia/authelia:{{ version['containers']['authelia'] }}"
+    dest: "{{ node['home_path'] }}/archives/containers/docker.io_authelia_authelia_{{ version['containers']['authelia'] }}.tar"
+    format: "oci-archive"
+    force: false
+  when: not container_archive_images.stat.exists
+
+- name: Fetch container archive images
+  ansible.builtin.fetch:
+    src: "{{ node['home_path'] }}/archives/containers/docker.io_authelia_authelia_{{ version['containers']['authelia'] }}.tar"
+    dest: "{{ hostvars['console']['node']['data_path'] }}/images/containers/"
+    flat: true

ansible/roles/common/tasks/services/set_alloy.yaml

@@ -74,3 +74,10 @@
     enabled: true
     daemon_reload: true
   become: true
+
+- name: Fetch deb bin file
+  ansible.builtin.fetch:
+    src: "/var/cache/apt/archives/alloy-{{ version['packages']['alloy'] }}.deb"
+    dest: "{{ hostvars['console']['node']['data_path'] }}/bin/"
+    flat: true
+  become: true

ansible/roles/common/tasks/services/set_caddy.yaml

@@ -97,3 +97,23 @@
     enabled: true
     daemon_reload: true
     scope: "user"
+
+- name: Check container archive images
+  ansible.builtin.stat:
+    path: "{{ node['home_path'] }}/archives/containers/ilnmors.internal_{{ node['name'] }}_caddy_{{ version['containers']['caddy'] }}.tar"
+  register: container_archive_images
+
+- name: Save container archive images
+  containers.podman.podman_save:
+    image:
+      - "ilnmors.internal/{{ node['name'] }}/caddy:{{ version['containers']['caddy'] }}"
+    dest: "{{ node['home_path'] }}/archives/containers/ilnmors.internal_{{ node['name'] }}_caddy_{{ version['containers']['caddy'] }}.tar"
+    format: "oci-archive"
+    force: false
+  when: not container_archive_images.stat.exists
+
+- name: Fetch container archive images
+  ansible.builtin.fetch:
+    src: "{{ node['home_path'] }}/archives/containers/ilnmors.internal_{{ node['name'] }}_caddy_{{ version['containers']['caddy'] }}.tar"
+    dest: "{{ hostvars['console']['node']['data_path'] }}/images/containers/"
+    flat: true

ansible/roles/common/tasks/services/set_podman.yaml

@@ -24,6 +24,17 @@
     mode: "0770"
   when: node['name'] == "app"
 
+- name: Create container image archive directory
+  ansible.builtin.file:
+    path: "{{ item }}"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    state: "directory"
+    mode: "0700"
+  loop:
+    - "{{ node['home_path'] }}/archives"
+    - "{{ node['home_path'] }}/archives/containers"
+
 - name: Install podman and reset ssh connection for initiating
   when: is_podman_installed.rc != 0
   become: true

ansible/roles/console/handlers/main.yaml

@@ -1,8 +1 @@
 ---
-- name: Register font
-  ansible.builtin.shell: |
-    fc-cache -f -v
-  become: true
-  changed_when: false
-  listen: "notification_update_font"
-  ignore_errors: true # noqa: ignore-errors

ansible/roles/fw/tasks/services/set_blocky.yaml

@@ -41,7 +41,7 @@
   ansible.builtin.get_url:
     url: "https://github.com/0xERR0R/blocky/releases/download/v{{ version['packages']['blocky'] }}/\
       blocky_v{{ version['packages']['blocky'] }}_Linux_x86_64.tar.gz"
-    dest: "/home/blocky/bin/blocky-{{ version['packages']['blocky'] }}-x86_64.tar.gz"
+    dest: "/home/blocky/bin/blocky-{{ version['packages']['blocky'] }}.tar.gz"
     owner: "blocky"
     group: "blocky"
     mode: "0600"
@@ -52,16 +52,16 @@
   ansible.builtin.get_url:
     url: "https://github.com/0xERR0R/blocky/releases/download/v{{ version['packages']['blocky'] }}/\
       blocky_v{{ version['packages']['blocky'] }}_Linux_arm64.tar.gz"
-    dest: "/home/blocky/bin/blocky-{{ version['packages']['blocky'] }}-arm64.tar.gz"
+    dest: "/home/blocky/bin/blocky-{{ version['packages']['blocky'] }}.tar.gz"
     owner: "blocky"
     group: "blocky"
     mode: "0600"
   become: true
   when: ansible_facts['architecture'] == "aarch64"
 
-- name: Deploy blocky binary file (x86_64)
+- name: Deploy blocky binary file
   ansible.builtin.unarchive:
-    src: "/home/blocky/bin/blocky-{{ version['packages']['blocky'] }}-x86_64.tar.gz"
+    src: "/home/blocky/bin/blocky-{{ version['packages']['blocky'] }}.tar.gz"
     remote_src: true
     dest: "/usr/local/bin/"
     owner: "root"
@@ -72,23 +72,6 @@
       - "--wildcards"
       - "blocky"
   become: true
-  when: ansible_facts['architecture'] == "x86_64"
-  notify: "notification_restart_blocky"
-
-- name: Deploy blocky binary file (aarch64)
-  ansible.builtin.unarchive:
-    src: "/home/blocky/bin/blocky-{{ version['packages']['blocky'] }}-arm64.tar.gz"
-    remote_src: true
-    dest: "/usr/local/bin/"
-    owner: "root"
-    group: "root"
-    mode: "0755"
-    extra_opts:
-      - "--strip-components=0"
-      - "--wildcards"
-      - "blocky"
-  become: true
-  when: ansible_facts['architecture'] == "aarch64"
   notify: "notification_restart_blocky"
 
 - name: Deploy blocky config
@@ -141,3 +124,10 @@
     enabled: true
     daemon_reload: true
   become: true
+
+- name: Fetch deb bin file
+  ansible.builtin.fetch:
+    src: "/home/blocky/bin/blocky-{{ version['packages']['blocky'] }}.tar.gz"
+    dest: "{{ hostvars['console']['node']['data_path'] }}/bin/"
+    flat: true
+  become: true

ansible/roles/infra/tasks/services/set_ca_server.yaml

@@ -78,3 +78,23 @@
     enabled: true
     daemon_reload: true
     scope: "user"
+
+- name: Check container archive images
+  ansible.builtin.stat:
+    path: "{{ node['home_path'] }}/archives/containers/docker.io_smallstep_step-ca_{{ version['containers']['step'] }}.tar"
+  register: container_archive_images
+
+- name: Save container archive images
+  containers.podman.podman_save:
+    image:
+      - "docker.io/smallstep/step-ca:{{ version['containers']['step'] }}"
+    dest: "{{ node['home_path'] }}/archives/containers/docker.io_smallstep_step-ca_{{ version['containers']['step'] }}.tar"
+    format: "oci-archive"
+    force: false
+  when: not container_archive_images.stat.exists
+
+- name: Fetch container archive images
+  ansible.builtin.fetch:
+    src: "{{ node['home_path'] }}/archives/containers/docker.io_smallstep_step-ca_{{ version['containers']['step'] }}.tar"
+    dest: "{{ hostvars['console']['node']['data_path'] }}/images/containers/"
+    flat: true

ansible/roles/infra/tasks/services/set_grafana.yaml

@@ -83,3 +83,23 @@
     enabled: true
     daemon_reload: true
     scope: "user"
+
+- name: Check container archive images
+  ansible.builtin.stat:
+    path: "{{ node['home_path'] }}/archives/containers/docker.io_grafana_grafana_{{ version['containers']['grafana'] }}.tar"
+  register: container_archive_images
+
+- name: Save container archive images
+  containers.podman.podman_save:
+    image:
+      - "docker.io/grafana/grafana:{{ version['containers']['grafana'] }}"
+    dest: "{{ node['home_path'] }}/archives/containers/docker.io_grafana_grafana_{{ version['containers']['grafana'] }}.tar"
+    format: "oci-archive"
+    force: false
+  when: not container_archive_images.stat.exists
+
+- name: Fetch container archive images
+  ansible.builtin.fetch:
+    src: "{{ node['home_path'] }}/archives/containers/docker.io_grafana_grafana_{{ version['containers']['grafana'] }}.tar"
+    dest: "{{ hostvars['console']['node']['data_path'] }}/images/containers/"
+    flat: true

ansible/roles/infra/tasks/services/set_ldap.yaml

@@ -75,7 +75,7 @@
         rm: true
         detach: false
         env:
-          TZ: "Asia/Seoul"
+          TZ: "{{ timezone }}"
           LLDAP_LDAP_BASE_DN: "{{ domain['dc'] }}"
         secrets:
           - "LLDAP_DATABASE_URL,type=env"
@@ -108,3 +108,23 @@
     enabled: true
     daemon_reload: true
     scope: "user"
+
+- name: Check container archive images
+  ansible.builtin.stat:
+    path: "{{ node['home_path'] }}/archives/containers/docker.io_lldap_lldap_{{ version['containers']['ldap'] }}.tar"
+  register: container_archive_images
+
+- name: Save container archive images
+  containers.podman.podman_save:
+    image:
+      - "docker.io/lldap/lldap:{{ version['containers']['ldap'] }}"
+    dest: "{{ node['home_path'] }}/archives/containers/docker.io_lldap_lldap_{{ version['containers']['ldap'] }}.tar"
+    format: "oci-archive"
+    force: false
+  when: not container_archive_images.stat.exists
+
+- name: Fetch container archive images
+  ansible.builtin.fetch:
+    src: "{{ node['home_path'] }}/archives/containers/docker.io_lldap_lldap_{{ version['containers']['ldap'] }}.tar"
+    dest: "{{ hostvars['console']['node']['data_path'] }}/images/containers/"
+    flat: true

ansible/roles/infra/tasks/services/set_loki.yaml

@@ -64,3 +64,23 @@
     enabled: true
     daemon_reload: true
     scope: "user"
+
+- name: Check container archive images
+  ansible.builtin.stat:
+    path: "{{ node['home_path'] }}/archives/containers/docker.io_grafana_loki_{{ version['containers']['loki'] }}.tar"
+  register: container_archive_images
+
+- name: Save container archive images
+  containers.podman.podman_save:
+    image:
+      - "docker.io/grafana/loki:{{ version['containers']['loki'] }}"
+    dest: "{{ node['home_path'] }}/archives/containers/docker.io_grafana_loki_{{ version['containers']['loki'] }}.tar"
+    format: "oci-archive"
+    force: false
+  when: not container_archive_images.stat.exists
+
+- name: Fetch container archive images
+  ansible.builtin.fetch:
+    src: "{{ node['home_path'] }}/archives/containers/docker.io_grafana_loki_{{ version['containers']['loki'] }}.tar"
+    dest: "{{ hostvars['console']['node']['data_path'] }}/images/containers/"
+    flat: true

ansible/roles/infra/tasks/services/set_postgresql.yaml

@@ -172,3 +172,26 @@
     daemon_reload: true
     scope: "user"
   loop: "{{ connected_services }}"
+
+- name: Check container archive images
+  ansible.builtin.stat:
+    path: "{{ node['home_path'] }}/archives/containers/\
+      ilnmors.internal_{{ node['name'] }}_postgres_pg{{ version['containers']['postgresql'] }}-vectorchord{{ version['containers']['vectorchord'] }}.tar"
+  register: container_archive_images
+
+- name: Save container archive images
+  containers.podman.podman_save:
+    image:
+      - "ilnmors.internal/{{ node['name'] }}/postgres:pg{{ version['containers']['postgresql'] }}-vectorchord{{ version['containers']['vectorchord'] }}"
+    dest: "{{ node['home_path'] }}/archives/containers/\
+      ilnmors.internal_{{ node['name'] }}_postgres_pg{{ version['containers']['postgresql'] }}-vectorchord{{ version['containers']['vectorchord'] }}.tar"
+    format: "oci-archive"
+    force: false
+  when: not container_archive_images.stat.exists
+
+- name: Fetch container archive images
+  ansible.builtin.fetch:
+    src: "{{ node['home_path'] }}/archives/containers/\
+      ilnmors.internal_{{ node['name'] }}_postgres_pg{{ version['containers']['postgresql'] }}-vectorchord{{ version['containers']['vectorchord'] }}.tar"
+    dest: "{{ hostvars['console']['node']['data_path'] }}/images/containers/"
+    flat: true

ansible/roles/infra/tasks/services/set_prometheus.yaml

@@ -68,3 +68,23 @@
     enabled: true
     daemon_reload: true
     scope: "user"
+
+- name: Check container archive images
+  ansible.builtin.stat:
+    path: "{{ node['home_path'] }}/archives/containers/docker.io_prom_prometheus_{{ version['containers']['prometheus'] }}.tar"
+  register: container_archive_images
+
+- name: Save container archive images
+  containers.podman.podman_save:
+    image:
+      - "docker.io/prom/prometheus:{{ version['containers']['prometheus'] }}"
+    dest: "{{ node['home_path'] }}/archives/containers/docker.io_prom_prometheus_{{ version['containers']['prometheus'] }}.tar"
+    format: "oci-archive"
+    force: false
+  when: not container_archive_images.stat.exists
+
+- name: Fetch container archive images
+  ansible.builtin.fetch:
+    src: "{{ node['home_path'] }}/archives/containers/docker.io_prom_prometheus_{{ version['containers']['prometheus'] }}.tar"
+    dest: "{{ hostvars['console']['node']['data_path'] }}/images/containers/"
+    flat: true

ansible/roles/infra/tasks/services/set_x509-exporter.yaml

@@ -68,3 +68,23 @@
     enabled: true
     daemon_reload: true
     scope: "user"
+
+- name: Check container archive images
+  ansible.builtin.stat:
+    path: "{{ node['home_path'] }}/archives/containers/docker.io_enix_x509-certificate-exporter_{{ version['containers']['x509-exporter'] }}.tar"
+  register: container_archive_images
+
+- name: Save container archive images
+  containers.podman.podman_save:
+    image:
+      - "docker.io/enix/x509-certificate-exporter:{{ version['containers']['x509-exporter'] }}"
+    dest: "{{ node['home_path'] }}/archives/containers/docker.io_enix_x509-certificate-exporter_{{ version['containers']['x509-exporter'] }}.tar"
+    format: "oci-archive"
+    force: false
+  when: not container_archive_images.stat.exists
+
+- name: Fetch container archive images
+  ansible.builtin.fetch:
+    src: "{{ node['home_path'] }}/archives/containers/docker.io_enix_x509-certificate-exporter_{{ version['containers']['x509-exporter'] }}.tar"
+    dest: "{{ hostvars['console']['node']['data_path'] }}/images/containers/"
+    flat: true

config/services/containers/app/affine/affine.container.j2

@@ -19,7 +19,7 @@ Volume=%h/containers/affine/config:/root/.affine/config
 Volume=%h/containers/affine/ssl:/etc/ssl/affine:ro
 
 # General
-Environment="TZ=Asia/Seoul"
+Environment="TZ={{ timezone }}"
 ## OIDC callback URIs
 Environment="AFFINE_SERVER_HOST={{ services['affine']['domain']['public'] }}.{{ domain['public'] }}"
 Environment="AFFINE_SERVER_EXTERNAL_URL=https://{{ services['affine']['domain']['public'] }}.{{ domain['public'] }}"

config/services/containers/app/collabora/collabora.container.j2

@@ -11,7 +11,7 @@ HostName=collabora
 
 PublishPort={{ services['collabora']['ports']['http'] }}:9980/tcp
 
-Environment="TZ=Asia/Seoul"
+Environment="TZ={{ timezone }}"
 Environment="aliasgroup1=https://{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}"
 # Environment="aliasgroup2=other_server_FQDN"
 Environment="extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:server_name={{ services['collabora']['domain']['public'] }}.{{ domain['public'] }} --o:admin_console.enable=false"

config/services/containers/app/gitea/gitea.container.j2

@@ -19,7 +19,7 @@ Volume=%h/data/containers/gitea:/data:rw
 Volume=%h/containers/gitea/ssl:/etc/ssl/gitea:ro
 
 # General
-Environment="TZ=Asia/Seoul"
+Environment="TZ={{ timezone }}"
 Environment="GITEA__server__DISABLE_SSH=true"
 # Database
 Environment="GITEA__database__DB_TYPE=postgres"

config/services/containers/app/immich/immich-ml.container.j2

@@ -21,7 +21,7 @@ PodmanArgs=--group-add keep-groups
 
 Volume=%h/containers/immich/ml/cache:/cache:rw
 
-Environment="TZ=Asia/Seoul"
+Environment="TZ={{ timezone }}"
 
 [Service]
 Restart=always

config/services/containers/app/immich/immich.container.j2

@@ -24,7 +24,7 @@ Volume=%h/data/containers/immich:/data:rw
 Volume=%h/containers/immich/ssl:/etc/ssl/immich:ro
 
 # Environment
-Environment="TZ=Asia/Seoul"
+Environment="TZ={{ timezone }}"
 # The new environment from version 2.7.0 to enable CSP
 Environment="IMMICH_HELMET_FILE=true"
 

config/services/containers/app/manticore/manticore.container.j2

@@ -14,7 +14,7 @@ PublishPort={{ services[manticore_service]['ports']['manticore'] }}:9308
 Volume=%h/data/containers/manticore/{{ manticore_service }}:/var/lib/manticore:rw
 
 # General
-Environment="TZ=Asia/Seoul"
+Environment="TZ={{ timezone }}"
 
 [Service]
 Restart=always

config/services/containers/app/nextcloud/nextcloud.container.j2

@@ -17,7 +17,7 @@ Volume=%h/containers/nextcloud/ini/upload.ini:/usr/local/etc/php/conf.d/upload.i
 Volume=%h/data/containers/nextcloud/html:/var/www/html:rw
 
 # General
-Environment="TZ=Asia/Seoul"
+Environment="TZ={{ timezone }}"
 # PostgreSQL
 Environment="PGSSLMODE=verify-full"
 Environment="PGSSLROOTCERT=/etc/ssl/nextcloud/{{ root_cert_filename }}"

config/services/containers/app/paperless/paperless.container.j2

@@ -20,8 +20,8 @@ Volume=%h/data/containers/paperless/consume:/usr/src/paperless/consume:rw
 Volume=%h/containers/paperless/ssl:/etc/ssl/paperless:ro
 
 # General
-Environment="TZ=Asia/Seoul"
-Environment="PAPERLESS_TIME_ZONE=Asia/Seoul"
+Environment="TZ={{ timezone }}"
+Environment="PAPERLESS_TIME_ZONE={{ timezone }}"
 Environment="PAPERLESS_URL=https://{{ services['paperless']['domain']['public'] }}.{{ domain['public'] }}"
 Environment="PAPERLESS_OCR_LANGUAGE=kor+eng"
 Environment="PAPERLESS_OCR_LANGUAGES=kor"

config/services/containers/app/redis/redis.container.j2

@@ -20,7 +20,7 @@ Volume=%h/containers/redis/{{ redis_service }}/redis.conf:/usr/local/etc/redis/r
 
 Exec=redis-server /usr/local/etc/redis/redis.conf
 
-Environment="TZ=Asia/Seoul"
+Environment="TZ={{ timezone }}"
 
 [Service]
 Restart=always

config/services/containers/app/sure/sure-web.container.j2

@@ -18,7 +18,7 @@ Volume=%h/data/containers/sure/storage:/rails/storage:rw
 Volume=%h/containers/sure/ssl:/etc/ssl/sure:ro
 
 # General
-Environment="TZ=Asia/Seoul"
+Environment="TZ={{ timezone }}"
 Environment="SELF_HOSTED=true"
 Environment="ONBOARDING_STATE=closed"
 Environment="RAILS_FORCE_SSL=false"

config/services/containers/app/sure/sure-worker.container.j2

@@ -18,7 +18,7 @@ Volume=%h/containers/sure/ssl:/etc/ssl/sure:ro
 Exec=bundle exec sidekiq
 
 # General
-Environment="TZ=Asia/Seoul"
+Environment="TZ={{ timezone }}"
 Environment="SELF_HOSTED=true"
 Environment="ONBOARDING_STATE=closed"
 Environment="RAILS_FORCE_SSL=false"

config/services/containers/app/vaultwarden/vaultwarden.container.j2

@@ -18,7 +18,7 @@ PublishPort={{ services['vaultwarden']['ports']['http'] }}:80/tcp
 Volume=%h/data/containers/vaultwarden:/data:rw
 Volume=%h/containers/vaultwarden/ssl:/etc/ssl/vaultwarden:ro
 
-Environment="TZ=Asia/Seoul"
+Environment="TZ={{ timezone }}"
 Environment="DOMAIN=https://{{ services['vaultwarden']['domain']['public'] }}.{{ domain['public'] }}"
 Environment="SIGNUPS_ALLOWED=false"
 Secret=VW_ADMIN_TOKEN,type=env,target=ADMIN_TOKEN

config/services/containers/auth/authelia/authelia.container.j2

@@ -22,7 +22,7 @@ Volume=%h/containers/authelia/config:/config:rw
 Volume=%h/containers/authelia/certs:/etc/ssl/authelia:ro
 
 # Default
-Environment="TZ=Asia/Seoul"
+Environment="TZ={{ timezone }}"
 # Enable Go template engine
 # !CAUTION!
 {% raw %}# If this environment were enabled, you would have to use {{/* ... /*}} for {{ go_filter }} options. Go engine always processes its own grammar first.

config/services/containers/common/caddy/caddy.container.j2

@@ -33,7 +33,7 @@ Volume=%h/containers/caddy/data:/data:rw
 Volume=/var/log/caddy:/log:rw
 {% endif %}
 
-Environment="TZ=Asia/Seoul"
+Environment="TZ={{ timezone }}"
 
 Secret=CADDY_ACME_KEY,target=/run/secrets/CADDY_ACME_KEY
 {% if node['name'] == 'auth' %}

config/services/containers/infra/ca/ca.container.j2

@@ -21,7 +21,7 @@ Volume=%h/containers/ca/config:/home/step/config:rw
 Volume=%h/containers/ca/db:/home/step/db:rw
 Volume=%h/containers/ca/templates:/home/step/templates:rw
 
-Environment="TZ=Asia/Seoul"
+Environment="TZ={{ timezone }}"
 # Since 0.30.0, Docker CMD no longer expands PWDPATH.
 #Environment="PWDPATH=/run/secrets/STEP_CA_PASSWORD"
 

config/services/containers/infra/grafana/grafana.container.j2

@@ -24,7 +24,7 @@ Volume=%h/containers/grafana/data:/var/lib/grafana:rw
 Volume=%h/containers/grafana/etc:/etc/grafana:ro
 Volume=%h/containers/grafana/ssl:/etc/ssl/grafana:ro
 
-Environment="TZ=Asia/Seoul"
+Environment="TZ={{ timezone }}"
 Environment="GF_PATHS_CONFIG=/etc/grafana/grafana.ini"
 # plugin
 # Environment="GF_INSTALL_PLUGINS=grafana-clock-panel,grafana-simple-json-datasource"

config/services/containers/infra/ldap/ldap.container.j2

@@ -24,7 +24,7 @@ Volume=%h/containers/ldap/data:/data:rw
 Volume=%h/containers/ldap/ssl:/etc/ssl/ldap:ro
 
 # Default
-Environment="TZ=Asia/Seoul"
+Environment="TZ={{ timezone }}"
 
 # Domain
 Environment="LLDAP_LDAP_BASE_DN={{ domain['dc'] }}"

config/services/containers/infra/loki/loki.container.j2

@@ -19,7 +19,7 @@ Volume=%h/containers/loki/data:/loki:rw
 Volume=%h/containers/loki/etc:/etc/loki:ro
 Volume=%h/containers/loki/ssl:/etc/ssl/loki:ro
 
-Environment="TZ=Asia/Seoul"
+Environment="TZ={{ timezone }}"
 
 Exec=--config.file=/etc/loki/loki.yaml
 

config/services/containers/infra/postgresql/postgresql.container.j2

@@ -21,7 +21,7 @@ Volume=%h/containers/postgresql/ssl:/etc/ssl/postgresql:ro
 Volume=%h/containers/postgresql/init:/docker-entrypoint-initdb.d/:ro
 Volume=%h/containers/postgresql/backups:/backups:rw
 
-Environment="TZ=Asia/Seoul"
+Environment="TZ={{ timezone }}"
 # This option is only for init process, after init custom config file `pg_hba.conf` will control this option.
 Environment="POSTGRES_HOST_AUTH_METHOD=trust"
 

config/services/containers/infra/prometheus/prometheus.container.j2

@@ -19,7 +19,7 @@ Volume=%h/containers/prometheus/data:/prometheus:rw
 Volume=%h/containers/prometheus/etc:/etc/prometheus:ro
 Volume=%h/containers/prometheus/ssl:/etc/ssl/prometheus:ro
 
-Environment="TZ=Asia/Seoul"
+Environment="TZ={{ timezone }}"
 
 Exec=--config.file=/etc/prometheus/prometheus.yaml \
      --web.config.file=/etc/prometheus/web-config.yaml \

config/services/systemd/common/crowdsec/bouncers/whitelists.yaml.j2

@@ -16,4 +16,6 @@ whitelist:
         - "evt.Meta.target_fqdn == '{{ services['immich']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/api/assets/' && evt.Meta.http_path contains '/thumbnail'"
         # nextcloud thumbnail/preview request error false positive
         - "evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' &&  evt.Meta.http_path startsWith '/index.php/core/preview?'"
+        # nextcloud chunks.mjs request false positive
+        - "evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status in ['200', '304'] && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains 'chunks.mjs'"
 {% endif %}

docs/archives/services/app/actual-budget/actual-budget.container.j2

@@ -13,7 +13,7 @@ PublishPort={{ services['actualbudget']['ports']['http'] }}:5006
 
 Volume=%h/data/containers/actual-budget:/data:rw
 
-Environment="TZ=Asia/Seoul"
+Environment="TZ={{ timezone }}"
 Environment="ACTUAL_OPENID_DISCOVERY_URL=https://{{ services['authelia']['domain'] }}.{{ domain['public'] }}/.well-known/openid-configuration"
 Environment="ACTUAL_OPENID_CLIENT_ID=actual-budget"
 Environment="ACTUAL_OPENID_SERVER_HOSTNAME=https://{{ services['actualbudget']['domain']['public'] }}.{{ domain['public'] }}"

docs/archives/services/app/ezbookkeeping/ezbookkeeping.container.j2

@@ -18,7 +18,7 @@ Volume=%h/data/containers/ezbookkeeping/data:/data:rw
 Volume=%h/containers/ezbookkeeping/ssl:/etc/ssl/ezbookkeeping:ro
 
 # General
-Environment="TZ=Asia/Seoul"
+Environment="TZ={{ timezone }}"
 Environment="EBK_SERVER_DOMAIN={{ services['ezbookkeeping']['domain']['public'] }}.{{ domain['public'] }}"
 Environment="EBK_SERVER_ROOT_URL=https://{{ services['ezbookkeeping']['domain']['public'] }}.{{ domain['public'] }}/"
 Environment="EBK_LOG_MODE=console"

docs/archives/services/app/opencloud/opencloud.container.j2

@@ -15,7 +15,7 @@ Volume=%h/containers/opencloud:/etc/opencloud:rw
 Volume=%h/data/containers/opencloud:/var/lib/opencloud:rw
 
 # General
-Environment="TZ=Asia/Seoul"
+Environment="TZ={{ timezone }}"
 # Log level info
 Environment="OC_LOG_LEVEL=info"
 # TLS configuration

docs/archives/services/app/trilium/trilium.container.j2

@@ -18,7 +18,7 @@ PublishPort={{ services['trilium']['ports']['http'] }}:8080/tcp
 Volume=%h/data/containers/trilium/data:/home/node/trilium-data:rw
 
 # General
-Environment="TZ=Asia/Seoul"
+Environment="TZ={{ timezone }}"
 Environment="TRILIUM_DATA_DIR=/home/node/trilium-data"
 Environment="TRILIUM_NO_UPLOAD_LIMIT=true"
 

docs/archives/services/app/vikunja/vikunja.container.j2

@@ -18,9 +18,9 @@ Volume=%h/data/containers/vikunja:/app/vikunja/files:rw
 Volume=%h/containers/vikunja/ssl:/etc/ssl/vikunja:ro
 
 # General
-Environment="TZ=Asia/Seoul"
-Environment="VIKUNJA_DEFAULTSETTINGS_TIMEZONE=Asia/Seoul"
-Environment="VIKUNJA_SERVICE_TIMEZONE=Asia/Seoul"
+Environment="TZ={{ timezone }}"
+Environment="VIKUNJA_DEFAULTSETTINGS_TIMEZONE={{ timezone }}"
+Environment="VIKUNJA_SERVICE_TIMEZONE={{ timezone }}"
 Environment="VIKUNJA_SERVICE_PUBLICURL=https://{{ services['vikunja']['domain']['public'] }}.{{ domain['public'] }}"
 Environment="VIKUNJA_SERVICE_ENABLEREGISTRATION=false"
 Secret=VIKUNJA_SERVICE_JWTSECRET,type=env

docs/archives/services/app/wikijs/wikijs.container.j2

@@ -19,7 +19,7 @@ Volume=%h/data/containers/wikijs/export:/wiki/export:rw
 Volume=%h/containers/wikijs/ssl:/etc/ssl/wiki:ro
 
 # General
-Environment="TZ=Asia/Seoul"
+Environment="TZ={{ timezone }}"
 
 # Database
 Environment="DB_TYPE=postgres"

docs/issues/crowdsec/260502_nextcloud.md

@@ -23,11 +23,14 @@
 - 2026-05-03: Make previous expressions annotation
 - 2026-05-07: Find the false positive case, which is not on `crowdsecurity/nextcloud-whitelist`
 - 2026-05-07: Set whitelist expression
+- 2026-05-11: Find the false positive case, which is not on `crowdsec/nextcloud-whitelist`
+- 2026-05-11: Set whitelist expression
 
 ## Solution
 - Install crowdsecurity/nextcloud-whitelist on auth node
 - Add expression on whitelist
-  - evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' &&  evt.Meta.http_path startsWith '/index.php/core/preview?'
+  - evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path startsWith '/index.php/core/preview?'
+  - evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status in ['200', '304'] && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains 'chunks.mjs'
 
 ### Deprecated solution
 - Access to fw