fix(crowdsec): update whitelist.yaml to prevent false positive

false positive:
- outline session problem (LePresidente/http-generic-401-bf)

.gitignore

@@ -2,6 +2,8 @@
 data/bin/*
 data/volumes/*
 data/images/*
+!data/images/containers
+data/images/containers/*
 docs/archives/textfiles/
 docs/notes/*
 *.sql

README.md

@@ -2,7 +2,16 @@
 
 This homelab project implements single-node On-premise IaaS system. The homelab contains virtual machines which are divided by their roles, such as private firewall, DNS, PKI, LDAP and database, SSO(OIDC). The standard domain is used to implement this system without specific vendors. All components are defined as code and initiated by IaC (Ansible) except hypervisor initial configuration.
 
-## RTO times
+## RTO and RPO
+
+### RPO
+- Each backup guarantees 24 hours RPO
+    - DB dumps are backed up at 12:00 AM
+    - Stateful data in app vm is backed up at 03:00 AM
+- The maximum inconsistency window between DB dumps and stateful data can be 27 hours.
+    - The different backup time.
+
+### RTO
 - Feb/25/2026 - Reprovisioning Hypervisor and vms
     - RTO: 1 hour 30 min - verified
         - Manual install and set vmm: 20 min

ansible/convention.yaml

@@ -33,7 +33,6 @@
   tags:
     - "always"
     - "init"
-    - "upgrade"
-    - "update"
-
+    - "site"
+    - "[service_name]"
 # when: "'tags' is not in ansible_run_tags"

ansible/inventory/group_vars/all.yaml

@@ -1,6 +1,7 @@
 ---
 # Global vars
 ansible_ssh_private_key_file: "/etc/secrets/{{ hostvars['console']['node']['uid'] }}/id_console"
+timezone: "Asia/Seoul"
 
 # CA
 root_cert_filename: "ilnmors_root_ca.crt"
@@ -150,6 +151,21 @@ services:
       http: "3001"
       redis: "6383"
     subuid: "100999"
+  outline:
+    domain:
+      public: "outline"
+      internal: "outline.app"
+    ports:
+      http: "3002"
+      redis: "6384"
+    subuid: "101000"
+  memos:
+    domain:
+      public: "memos"
+      internal: "memos.app"
+    ports:
+      http: "3004"
+    subuid: "110000"
 
 version:
   packages:
@@ -186,3 +202,5 @@ version:
     nextcloud: "33.0.3"
     collabora: "25.04.9.4.1"
     sure: "0.7.0-hotfix.2"
+    outline: "1.7.1"
+    memos: "0.28.0"

ansible/playbooks/app/site.yaml

@@ -23,9 +23,9 @@
       tags: ["always"]
 
   tasks:
-    - name: Set timezone to Asia/Seoul
+    - name: Set timezone
       community.general.timezone:
-        name: Asia/Seoul
+        name: "{{ timezone }}"
       become: true
       tags: ["init", "timezone"]
 
@@ -142,8 +142,8 @@
         name: "common"
         tasks_from: "services/set_alloy"
         apply:
-          tags: ["init", "update", "alloy"]
-      tags: ["init", "update", "alloy"]
+          tags: ["init", "alloy"]
+      tags: ["init", "alloy"]
 
     - name: Set kopia
       ansible.builtin.include_role:
@@ -225,6 +225,22 @@
           tags: ["site", "sure"]
       tags: ["site", "sure"]
 
+    - name: Set outline
+      ansible.builtin.include_role:
+        name: "app"
+        tasks_from: "services/set_outline"
+        apply:
+          tags: ["site", "outline"]
+      tags: ["site", "outline"]
+
+    - name: Set memos
+      ansible.builtin.include_role:
+        name: "app"
+        tasks_from: "services/set_memos"
+        apply:
+          tags: ["site", "memos"]
+      tags: ["site", "memos"]
+
     - name: Flush handlers right now
       ansible.builtin.meta: "flush_handlers"
 

ansible/playbooks/auth/site.yaml

@@ -23,9 +23,9 @@
       tags: ["always"]
 
   tasks:
-    - name: Set timezone to Asia/Seoul
+    - name: Set timezone
       community.general.timezone:
-        name: Asia/Seoul
+        name: "{{ timezone }}"
       become: true
       tags: ["init", "timezone"]
 

ansible/playbooks/console/site.yaml

@@ -24,9 +24,9 @@
 
   tasks:
     # init
-    - name: Set timezone to Asia/Seoul
+    - name: Set timezone
       community.general.timezone:
-        name: Asia/Seoul
+        name: "{{ timezone }}"
       become: true
       tags: ["init", "timezone"]
 

ansible/playbooks/fw/site.yaml

@@ -23,9 +23,9 @@
       tags: ["always"]
 
   tasks:
-    - name: Set timezone to Asia/Seoul
+    - name: Set timezone
       community.general.timezone:
-        name: Asia/Seoul
+        name: "{{ timezone }}"
       become: true
       tags: ["init", "timezone"]
 
@@ -162,8 +162,8 @@
         name: "fw"
         tasks_from: "services/set_bind"
         apply:
-          tags: ["init", "update", "bind"]
-      tags: ["init", "update", "bind"]
+          tags: ["init", "bind"]
+      tags: ["init", "bind"]
 
     - name: Set blocky
       ansible.builtin.include_role:

ansible/playbooks/infra/site.yaml

@@ -23,9 +23,9 @@
       tags: ["always"]
 
   tasks:
-    - name: Set timezone to Asia/Seoul
+    - name: Set timezone
       community.general.timezone:
-        name: Asia/Seoul
+        name: "{{ timezone }}"
       become: true
       tags: ["init", "timezone"]
 

ansible/playbooks/vmm/site.yaml

@@ -30,9 +30,9 @@
       tags: ["always"]
   tasks:
     # init
-    - name: Set timezone to Asia/Seoul
+    - name: Set timezone
       community.general.timezone:
-        name: Asia/Seoul
+        name: "{{ timezone }}"
       become: true
       tags: ["init", "timezone"]
 

ansible/roles/app/handlers/main.yaml

@@ -102,3 +102,26 @@
   changed_when: false
   listen: "notification_restart_sure"
   ignore_errors: true # noqa: ignore-errors
+
+- name: Restart outline
+  ansible.builtin.systemd:
+    name: "outline.service"
+    state: "restarted"
+    enabled: true
+    scope: "user"
+    daemon_reload: true
+  when: is_outline_init.stat.exists
+  changed_when: false
+  listen: "notification_restart_outline"
+  ignore_errors: true # noqa: ignore-errors
+
+- name: Restart memos
+  ansible.builtin.systemd:
+    name: "memos.service"
+    state: "restarted"
+    enabled: true
+    scope: "user"
+    daemon_reload: true
+  changed_when: false
+  listen: "notification_restart_memos"
+  ignore_errors: true # noqa: ignore-errors

ansible/roles/app/tasks/services/set_affine.yaml

@@ -161,3 +161,38 @@
     enabled: true
     daemon_reload: true
     scope: "user"
+
+- name: Check container archive images
+  ansible.builtin.stat:
+    path: "{{ node['home_path'] }}/archives/containers/{{ item.file }}.tar"
+  loop:
+    - image: "docker.io/manticoresearch/manticore:{{ version['containers']['manticore'] }}"
+      file: "docker.io_manticoresearch_manticore_{{ version['containers']['manticore'] }}"
+    - image: "docker.io/library/redis:{{ version['containers']['redis'] }}"
+      file: "docker.io_library_redis_{{ version['containers']['redis'] }}"
+    - image: "ghcr.io/toeverything/affine:{{ version['containers']['affine'] }}"
+      file: "ghcr.io_toeverything_affine_{{ version['containers']['affine'] }}"
+  loop_control:
+    label: "{{ item.file }}"
+  register: container_archive_images
+
+- name: Save container archive images
+  containers.podman.podman_save:
+    image:
+      - "{{ item.item.image }}"
+    dest: "{{ node['home_path'] }}/archives/containers/{{ item.item.file }}.tar"
+    format: "oci-archive"
+    force: false
+  loop: "{{ container_archive_images.results }}"
+  loop_control:
+    label: "{{ item.item.file }}"
+  when: not item.stat.exists
+
+- name: Fetch container archive images
+  ansible.builtin.fetch:
+    src: "{{ node['home_path'] }}/archives/containers/{{ item.item.file }}.tar"
+    dest: "{{ hostvars['console']['node']['data_path'] }}/images/containers/"
+    flat: true
+  loop: "{{ container_archive_images.results }}"
+  loop_control:
+    label: "{{ item.item.file }}"

ansible/roles/app/tasks/services/set_collabora.yaml

@@ -15,3 +15,23 @@
     enabled: true
     daemon_reload: true
     scope: "user"
+
+- name: Check container archive images
+  ansible.builtin.stat:
+    path: "{{ node['home_path'] }}/archives/containers/docker.io_collabora_code_{{ version['containers']['collabora'] }}.tar"
+  register: container_archive_images
+
+- name: Save container archive images
+  containers.podman.podman_save:
+    image:
+      - "docker.io/collabora/code:{{ version['containers']['collabora'] }}"
+    dest: "{{ node['home_path'] }}/archives/containers/docker.io_collabora_code_{{ version['containers']['collabora'] }}.tar"
+    format: "oci-archive"
+    force: false
+  when: not container_archive_images.stat.exists
+
+- name: Fetch container archive images
+  ansible.builtin.fetch:
+    src: "{{ node['home_path'] }}/archives/containers/docker.io_collabora_code_{{ version['containers']['collabora'] }}.tar"
+    dest: "{{ hostvars['console']['node']['data_path'] }}/images/containers/"
+    flat: true

ansible/roles/app/tasks/services/set_gitea.yaml

@@ -49,3 +49,23 @@
     enabled: true
     daemon_reload: true
     scope: "user"
+
+- name: Check container archive images
+  ansible.builtin.stat:
+    path: "{{ node['home_path'] }}/archives/containers/docker.io_gitea_gitea_{{ version['containers']['gitea'] }}.tar"
+  register: container_archive_images
+
+- name: Save container archive images
+  containers.podman.podman_save:
+    image:
+      - "docker.io/gitea/gitea:{{ version['containers']['gitea'] }}"
+    dest: "{{ node['home_path'] }}/archives/containers/docker.io_gitea_gitea_{{ version['containers']['gitea'] }}.tar"
+    format: "oci-archive"
+    force: false
+  when: not container_archive_images.stat.exists
+
+- name: Fetch container archive images
+  ansible.builtin.fetch:
+    src: "{{ node['home_path'] }}/archives/containers/docker.io_gitea_gitea_{{ version['containers']['gitea'] }}.tar"
+    dest: "{{ hostvars['console']['node']['data_path'] }}/images/containers/"
+    flat: true

ansible/roles/app/tasks/services/set_immich.yaml

@@ -118,3 +118,38 @@
     enabled: true
     daemon_reload: true
     scope: "user"
+
+- name: Check container archive images
+  ansible.builtin.stat:
+    path: "{{ node['home_path'] }}/archives/containers/{{ item.file }}.tar"
+  loop:
+    - image: "docker.io/library/redis:{{ version['containers']['redis'] }}"
+      file: "docker.io_library_redis_{{ version['containers']['redis'] }}"
+    - image: "ghcr.io/immich-app/immich-machine-learning:{{ version['containers']['immich'] }}-openvino"
+      file: "ghcr.io_immich-app_immich-machine-learning_{{ version['containers']['immich'] }}-openvino"
+    - image: "ghcr.io/immich-app/immich-server:{{ version['containers']['immich'] }}"
+      file: "ghcr.io_immich-app_immich-server_{{ version['containers']['immich'] }}"
+  loop_control:
+    label: "{{ item.file }}"
+  register: container_archive_images
+
+- name: Save container archive images
+  containers.podman.podman_save:
+    image:
+      - "{{ item.item.image }}"
+    dest: "{{ node['home_path'] }}/archives/containers/{{ item.item.file }}.tar"
+    format: "oci-archive"
+    force: false
+  loop: "{{ container_archive_images.results }}"
+  loop_control:
+    label: "{{ item.item.file }}"
+  when: not item.stat.exists
+
+- name: Fetch container archive images
+  ansible.builtin.fetch:
+    src: "{{ node['home_path'] }}/archives/containers/{{ item.item.file }}.tar"
+    dest: "{{ hostvars['console']['node']['data_path'] }}/images/containers/"
+    flat: true
+  loop: "{{ container_archive_images.results }}"
+  loop_control:
+    label: "{{ item.item.file }}"

ansible/roles/app/tasks/services/set_memos.yaml

@@ -0,0 +1,73 @@
+---
+- name: Create memos directory
+  ansible.builtin.file:
+    path: "{{ node['home_path'] }}/{{ item }}"
+    state: "directory"
+    owner: "{{ services['memos']['subuid'] }}"
+    group: "svadmins"
+    mode: "0770"
+  loop:
+    - "data/containers/memos"
+    - "data/containers/memos/data"
+    - "containers/memos"
+    - "containers/memos/ssl"
+  become: true
+
+- name: Deploy root certificate
+  ansible.builtin.copy:
+    content: |
+      {{ hostvars['console']['ca']['root']['crt'] }}
+    dest: "{{ node['home_path'] }}/containers/memos/ssl/{{ root_cert_filename }}"
+    owner: "{{ services['memos']['subuid'] }}"
+    group: "svadmins"
+    mode: "0440"
+  become: true
+  notify: "notification_restart_memos"
+  no_log: true
+
+- name: Register secret value to podman secret
+  containers.podman.podman_secret:
+    name: "MEMOS_DSN"
+    data: "postgresql://memos:{{ hostvars['console']['postgresql']['password']['memos'] | urlencode | replace('/', '%2F') }}\
+        @{{ services['postgresql']['domain'] }}.{{ domain['internal'] }}/memos_db?sslmode=verify-full&\
+        sslrootcert=/etc/ssl/memos/{{ root_cert_filename }}"
+    state: "present"
+    force: true
+  notify: "notification_restart_memos"
+
+- name: Deploy memos.container file
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/memos/memos.container.j2"
+    dest: "{{ node['home_path'] }}/.config/containers/systemd/memos.container"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0644"
+  notify: "notification_restart_memos"
+
+- name: Enable memos.service
+  ansible.builtin.systemd:
+    name: "memos.service"
+    state: "started"
+    enabled: true
+    daemon_reload: true
+    scope: "user"
+
+- name: Check container archive images
+  ansible.builtin.stat:
+    path: "{{ node['home_path'] }}/archives/containers/docker.io_neosmemo_memos_{{ version['containers']['memos'] }}.tar"
+  register: container_archive_images
+
+- name: Save container archive images
+  containers.podman.podman_save:
+    image:
+      - "docker.io/neosmemo/memos:{{ version['containers']['memos'] }}"
+    dest: "{{ node['home_path'] }}/archives/containers/docker.io_neosmemo_memos_{{ version['containers']['memos'] }}.tar"
+    format: "oci-archive"
+    force: false
+  when: not container_archive_images.stat.exists
+
+- name: Fetch container archive images
+  ansible.builtin.fetch:
+    src: "{{ node['home_path'] }}/archives/containers/docker.io_neosmemo_memos_{{ version['containers']['memos'] }}.tar"
+    dest: "{{ hostvars['console']['node']['data_path'] }}/images/containers/"
+    flat: true

ansible/roles/app/tasks/services/set_nextcloud.yaml

@@ -174,3 +174,36 @@
     enabled: true
     daemon_reload: true
     scope: "user"
+
+- name: Check container archive images
+  ansible.builtin.stat:
+    path: "{{ node['home_path'] }}/archives/containers/{{ item.file }}.tar"
+  loop:
+    - image: "docker.io/library/redis:{{ version['containers']['redis'] }}"
+      file: "docker.io_library_redis_{{ version['containers']['redis'] }}"
+    - image: "docker.io/library/nextcloud:{{ version['containers']['nextcloud'] }}"
+      file: "docker.io_library_nextcloud_{{ version['containers']['nextcloud'] }}"
+  loop_control:
+    label: "{{ item.file }}"
+  register: container_archive_images
+
+- name: Save container archive images
+  containers.podman.podman_save:
+    image:
+      - "{{ item.item.image }}"
+    dest: "{{ node['home_path'] }}/archives/containers/{{ item.item.file }}.tar"
+    format: "oci-archive"
+    force: false
+  loop: "{{ container_archive_images.results }}"
+  loop_control:
+    label: "{{ item.item.file }}"
+  when: not item.stat.exists
+
+- name: Fetch container archive images
+  ansible.builtin.fetch:
+    src: "{{ node['home_path'] }}/archives/containers/{{ item.item.file }}.tar"
+    dest: "{{ hostvars['console']['node']['data_path'] }}/images/containers/"
+    flat: true
+  loop: "{{ container_archive_images.results }}"
+  loop_control:
+    label: "{{ item.item.file }}"

ansible/roles/app/tasks/services/set_outline.yaml

@@ -0,0 +1,152 @@
+---
+- name: Set redis service name
+  ansible.builtin.set_fact:
+    redis_service: "outline"
+
+- name: Create redis_outline directory
+  ansible.builtin.file:
+    path: "{{ node['home_path'] }}/{{ item }}"
+    state: "directory"
+    owner: "{{ services['redis']['subuid'] }}"
+    group: "svadmins"
+    mode: "0770"
+  loop:
+    - "containers/redis"
+    - "containers/redis/{{ redis_service }}"
+    - "containers/redis/{{ redis_service }}/data"
+  become: true
+
+- name: Deploy redis config file
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/redis/redis.conf.j2"
+    dest: "{{ node['home_path'] }}/containers/redis/{{ redis_service }}/redis.conf"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0644"
+  register: "is_redis_conf"
+
+- name: Deploy redis container file
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/redis/redis.container.j2"
+    dest: "{{ node['home_path'] }}/.config/containers/systemd/redis_{{ redis_service }}.container"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0644"
+  register: "is_redis_containerfile"
+
+- name: Enable (Restart) redis service
+  ansible.builtin.systemd:
+    name: "redis_{{ redis_service }}.service"
+    state: "restarted"
+    enabled: true
+    daemon_reload: true
+    scope: "user"
+  when: is_redis_conf.changed or is_redis_containerfile.changed # noqa: no-handler
+
+- name: Create outline directory
+  ansible.builtin.file:
+    path: "{{ node['home_path'] }}/{{ item }}"
+    state: "directory"
+    owner: "{{ services['outline']['subuid'] }}"
+    group: "svadmins"
+    mode: "0770"
+  loop:
+    - "data/containers/outline"
+    - "data/containers/outline/data"
+    - "containers/outline"
+    - "containers/outline/ssl"
+  become: true
+
+- name: Check data directory empty
+  ansible.builtin.stat:
+    path: "{{ node['home_path'] }}/data/containers/outline/.init"
+  register: "is_outline_init"
+
+- name: Create .init file
+  ansible.builtin.file:
+    path: "{{ node['home_path'] }}/data/containers/outline/.init"
+    state: "touch"
+    mode: "0644"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+  when: not is_outline_init.stat.exists
+
+- name: Deploy root certificate
+  ansible.builtin.copy:
+    content: |
+      {{ hostvars['console']['ca']['root']['crt'] }}
+    dest: "{{ node['home_path'] }}/containers/outline/ssl/{{ root_cert_filename }}"
+    owner: "{{ services['outline']['subuid'] }}"
+    group: "svadmins"
+    mode: "0440"
+  become: true
+  notify: "notification_restart_outline"
+  no_log: true
+
+- name: Register secret value to podman secret
+  containers.podman.podman_secret:
+    name: "{{ item.name }}"
+    data: "{{ item.value }}"
+    state: "present"
+    force: true
+  loop:
+    - name: "OUTLINE_SECRET_KEY"
+      value: "{{ hostvars['console']['outline']['session_secret'] }}"
+    - name: "OUTLINE_UTILS_SECRET"
+      value: "{{ hostvars['console']['outline']['utils_secret'] }}"
+    - name: "OUTLINE_DATABASE_PASSWORD"
+      value: "{{ hostvars['console']['postgresql']['password']['outline'] }}"
+    - name: "OUTLINE_OIDC_CLIENT_SECRET"
+      value: "{{ hostvars['console']['outline']['oidc']['secret'] }}"
+  notify: "notification_restart_outline"
+  no_log: true
+
+- name: Deploy outline.container file
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/outline/outline.container.j2"
+    dest: "{{ node['home_path'] }}/.config/containers/systemd/outline.container"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0644"
+  notify: "notification_restart_outline"
+
+- name: Enable outline.service
+  ansible.builtin.systemd:
+    name: "outline.service"
+    state: "started"
+    enabled: true
+    daemon_reload: true
+    scope: "user"
+
+- name: Check container archive images
+  ansible.builtin.stat:
+    path: "{{ node['home_path'] }}/archives/containers/{{ item.file }}.tar"
+  loop:
+    - image: "docker.io/library/redis:{{ version['containers']['redis'] }}"
+      file: "docker.io_library_redis_{{ version['containers']['redis'] }}"
+    - image: "docker.io/outlinewiki/outline:{{ version['containers']['outline'] }}"
+      file: "docker.io_outlinewiki_outline_{{ version['containers']['outline'] }}"
+  loop_control:
+    label: "{{ item.file }}"
+  register: container_archive_images
+
+- name: Save container archive images
+  containers.podman.podman_save:
+    image:
+      - "{{ item.item.image }}"
+    dest: "{{ node['home_path'] }}/archives/containers/{{ item.item.file }}.tar"
+    format: "oci-archive"
+    force: false
+  loop: "{{ container_archive_images.results }}"
+  loop_control:
+    label: "{{ item.item.file }}"
+  when: not item.stat.exists
+
+- name: Fetch container archive images
+  ansible.builtin.fetch:
+    src: "{{ node['home_path'] }}/archives/containers/{{ item.item.file }}.tar"
+    dest: "{{ hostvars['console']['node']['data_path'] }}/images/containers/"
+    flat: true
+  loop: "{{ container_archive_images.results }}"
+  loop_control:
+    label: "{{ item.item.file }}"

ansible/roles/app/tasks/services/set_paperless.yaml

@@ -57,8 +57,16 @@
     - "data/containers/paperless/consume"
     - "containers/paperless"
     - "containers/paperless/ssl"
+    - "containers/paperless/build"
   become: true
 
+- name: Deploy containerfile for build
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/paperless/build/paperless.containerfile.j2"
+    dest: "{{ node['home_path'] }}/containers/paperless/build/Containerfile"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0640"
 
 - name: Deploy root certificate
   ansible.builtin.copy:
@@ -72,6 +80,18 @@
   notify: "notification_restart_paperless"
   no_log: true
 
+- name: Build paperless container image
+  containers.podman.podman_image:
+    name: "{{ domain['internal'] }}/{{ node['name'] }}/paperless-ngx"
+    # check tags from container file
+    tag: "{{ version['containers']['paperless'] }}"
+    state: "build"
+    path: "{{ node['home_path'] }}/containers/paperless/build"
+
+- name: Prune paperless dangling images
+  containers.podman.podman_prune:
+    image: true
+
 - name: Register secret value to podman secret
   containers.podman.podman_secret:
     name: "{{ item.name }}"
@@ -122,3 +142,36 @@
     enabled: true
     daemon_reload: true
     scope: "user"
+
+- name: Check container archive images
+  ansible.builtin.stat:
+    path: "{{ node['home_path'] }}/archives/containers/{{ item.file }}.tar"
+  loop:
+    - image: "docker.io/library/redis:{{ version['containers']['redis'] }}"
+      file: "docker.io_library_redis_{{ version['containers']['redis'] }}"
+    - image: "{{ domain['internal'] }}/{{ node['name'] }}/paperless-ngx:{{ version['containers']['paperless'] }}"
+      file: "{{ domain['internal'] }}_{{ node['name'] }}_paperless-ngx_{{ version['containers']['paperless'] }}"
+  loop_control:
+    label: "{{ item.file }}"
+  register: container_archive_images
+
+- name: Save container archive images
+  containers.podman.podman_save:
+    image:
+      - "{{ item.item.image }}"
+    dest: "{{ node['home_path'] }}/archives/containers/{{ item.item.file }}.tar"
+    format: "oci-archive"
+    force: false
+  loop: "{{ container_archive_images.results }}"
+  loop_control:
+    label: "{{ item.item.file }}"
+  when: not item.stat.exists
+
+- name: Fetch container archive images
+  ansible.builtin.fetch:
+    src: "{{ node['home_path'] }}/archives/containers/{{ item.item.file }}.tar"
+    dest: "{{ hostvars['console']['node']['data_path'] }}/images/containers/"
+    flat: true
+  loop: "{{ container_archive_images.results }}"
+  loop_control:
+    label: "{{ item.item.file }}"

ansible/roles/app/tasks/services/set_sure.yaml

@@ -63,7 +63,7 @@
     content: |
       {{ hostvars['console']['ca']['root']['crt'] }}
     dest: "{{ node['home_path'] }}/containers/sure/ssl/{{ root_cert_filename }}"
-    owner: "{{ services['paperless']['subuid'] }}"
+    owner: "{{ services['sure']['subuid'] }}"
     group: "svadmins"
     mode: "0440"
   become: true
@@ -98,7 +98,7 @@
     - "sure-worker.container"
   notify: "notification_restart_sure"
 
-- name: Enable paperless.service
+- name: Enable sure.service
   ansible.builtin.systemd:
     name: "{{ item }}"
     state: "started"
@@ -108,3 +108,36 @@
   loop:
     - "sure-web.service"
     - "sure-worker.service"
+
+- name: Check container archive images
+  ansible.builtin.stat:
+    path: "{{ node['home_path'] }}/archives/containers/{{ item.file }}.tar"
+  loop:
+    - image: "docker.io/library/redis:{{ version['containers']['redis'] }}"
+      file: "docker.io_library_redis_{{ version['containers']['redis'] }}"
+    - image: "ghcr.io/we-promise/sure:{{ version['containers']['sure'] }}"
+      file: "ghcr.io_we-promise_sure_{{ version['containers']['sure'] }}"
+  loop_control:
+    label: "{{ item.file }}"
+  register: container_archive_images
+
+- name: Save container archive images
+  containers.podman.podman_save:
+    image:
+      - "{{ item.item.image }}"
+    dest: "{{ node['home_path'] }}/archives/containers/{{ item.item.file }}.tar"
+    format: "oci-archive"
+    force: false
+  loop: "{{ container_archive_images.results }}"
+  loop_control:
+    label: "{{ item.item.file }}"
+  when: not item.stat.exists
+
+- name: Fetch container archive images
+  ansible.builtin.fetch:
+    src: "{{ node['home_path'] }}/archives/containers/{{ item.item.file }}.tar"
+    dest: "{{ hostvars['console']['node']['data_path'] }}/images/containers/"
+    flat: true
+  loop: "{{ container_archive_images.results }}"
+  loop_control:
+    label: "{{ item.item.file }}"

ansible/roles/app/tasks/services/set_vaultwarden.yaml

@@ -55,3 +55,23 @@
     enabled: true
     daemon_reload: true
     scope: "user"
+
+- name: Check container archive images
+  ansible.builtin.stat:
+    path: "{{ node['home_path'] }}/archives/containers/docker.io_vaultwarden_server_{{ version['containers']['vaultwarden'] }}.tar"
+  register: container_archive_images
+
+- name: Save container archive images
+  containers.podman.podman_save:
+    image:
+      - "docker.io/vaultwarden/server:{{ version['containers']['vaultwarden'] }}"
+    dest: "{{ node['home_path'] }}/archives/containers/docker.io_vaultwarden_server_{{ version['containers']['vaultwarden'] }}.tar"
+    format: "oci-archive"
+    force: false
+  when: not container_archive_images.stat.exists
+
+- name: Fetch container archive images
+  ansible.builtin.fetch:
+    src: "{{ node['home_path'] }}/archives/containers/docker.io_vaultwarden_server_{{ version['containers']['vaultwarden'] }}.tar"
+    dest: "{{ hostvars['console']['node']['data_path'] }}/images/containers/"
+    flat: true

ansible/roles/auth/tasks/services/set_authelia.yaml

@@ -76,3 +76,23 @@
     enabled: true
     daemon_reload: true
     scope: "user"
+
+- name: Check container archive images
+  ansible.builtin.stat:
+    path: "{{ node['home_path'] }}/archives/containers/docker.io_authelia_authelia_{{ version['containers']['authelia'] }}.tar"
+  register: container_archive_images
+
+- name: Save container archive images
+  containers.podman.podman_save:
+    image:
+      - "docker.io/authelia/authelia:{{ version['containers']['authelia'] }}"
+    dest: "{{ node['home_path'] }}/archives/containers/docker.io_authelia_authelia_{{ version['containers']['authelia'] }}.tar"
+    format: "oci-archive"
+    force: false
+  when: not container_archive_images.stat.exists
+
+- name: Fetch container archive images
+  ansible.builtin.fetch:
+    src: "{{ node['home_path'] }}/archives/containers/docker.io_authelia_authelia_{{ version['containers']['authelia'] }}.tar"
+    dest: "{{ hostvars['console']['node']['data_path'] }}/images/containers/"
+    flat: true

ansible/roles/common/tasks/services/set_alloy.yaml

@@ -74,3 +74,10 @@
     enabled: true
     daemon_reload: true
   become: true
+
+- name: Fetch deb bin file
+  ansible.builtin.fetch:
+    src: "/var/cache/apt/archives/alloy-{{ version['packages']['alloy'] }}.deb"
+    dest: "{{ hostvars['console']['node']['data_path'] }}/bin/"
+    flat: true
+  become: true

ansible/roles/common/tasks/services/set_caddy.yaml

@@ -97,3 +97,23 @@
     enabled: true
     daemon_reload: true
     scope: "user"
+
+- name: Check container archive images
+  ansible.builtin.stat:
+    path: "{{ node['home_path'] }}/archives/containers/{{ domain['internal'] }}_{{ node['name'] }}_caddy_{{ version['containers']['caddy'] }}.tar"
+  register: container_archive_images
+
+- name: Save container archive images
+  containers.podman.podman_save:
+    image:
+      - "{{ domain['internal'] }}/{{ node['name'] }}/caddy:{{ version['containers']['caddy'] }}"
+    dest: "{{ node['home_path'] }}/archives/containers/{{ domain['internal'] }}_{{ node['name'] }}_caddy_{{ version['containers']['caddy'] }}.tar"
+    format: "oci-archive"
+    force: false
+  when: not container_archive_images.stat.exists
+
+- name: Fetch container archive images
+  ansible.builtin.fetch:
+    src: "{{ node['home_path'] }}/archives/containers/{{ domain['internal'] }}_{{ node['name'] }}_caddy_{{ version['containers']['caddy'] }}.tar"
+    dest: "{{ hostvars['console']['node']['data_path'] }}/images/containers/"
+    flat: true

ansible/roles/common/tasks/services/set_podman.yaml

@@ -24,6 +24,17 @@
     mode: "0770"
   when: node['name'] == "app"
 
+- name: Create container image archive directory
+  ansible.builtin.file:
+    path: "{{ item }}"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    state: "directory"
+    mode: "0700"
+  loop:
+    - "{{ node['home_path'] }}/archives"
+    - "{{ node['home_path'] }}/archives/containers"
+
 - name: Install podman and reset ssh connection for initiating
   when: is_podman_installed.rc != 0
   become: true

ansible/roles/console/handlers/main.yaml

@@ -1,8 +1 @@
 ---
-- name: Register font
-  ansible.builtin.shell: |
-    fc-cache -f -v
-  become: true
-  changed_when: false
-  listen: "notification_update_font"
-  ignore_errors: true # noqa: ignore-errors

ansible/roles/fw/tasks/services/set_blocky.yaml

@@ -41,7 +41,7 @@
   ansible.builtin.get_url:
     url: "https://github.com/0xERR0R/blocky/releases/download/v{{ version['packages']['blocky'] }}/\
       blocky_v{{ version['packages']['blocky'] }}_Linux_x86_64.tar.gz"
-    dest: "/home/blocky/bin/blocky-{{ version['packages']['blocky'] }}-x86_64.tar.gz"
+    dest: "/home/blocky/bin/blocky-{{ version['packages']['blocky'] }}.tar.gz"
     owner: "blocky"
     group: "blocky"
     mode: "0600"
@@ -52,16 +52,16 @@
   ansible.builtin.get_url:
     url: "https://github.com/0xERR0R/blocky/releases/download/v{{ version['packages']['blocky'] }}/\
       blocky_v{{ version['packages']['blocky'] }}_Linux_arm64.tar.gz"
-    dest: "/home/blocky/bin/blocky-{{ version['packages']['blocky'] }}-arm64.tar.gz"
+    dest: "/home/blocky/bin/blocky-{{ version['packages']['blocky'] }}.tar.gz"
     owner: "blocky"
     group: "blocky"
     mode: "0600"
   become: true
   when: ansible_facts['architecture'] == "aarch64"
 
-- name: Deploy blocky binary file (x86_64)
+- name: Deploy blocky binary file
   ansible.builtin.unarchive:
-    src: "/home/blocky/bin/blocky-{{ version['packages']['blocky'] }}-x86_64.tar.gz"
+    src: "/home/blocky/bin/blocky-{{ version['packages']['blocky'] }}.tar.gz"
     remote_src: true
     dest: "/usr/local/bin/"
     owner: "root"
@@ -72,23 +72,6 @@
       - "--wildcards"
       - "blocky"
   become: true
-  when: ansible_facts['architecture'] == "x86_64"
-  notify: "notification_restart_blocky"
-
-- name: Deploy blocky binary file (aarch64)
-  ansible.builtin.unarchive:
-    src: "/home/blocky/bin/blocky-{{ version['packages']['blocky'] }}-arm64.tar.gz"
-    remote_src: true
-    dest: "/usr/local/bin/"
-    owner: "root"
-    group: "root"
-    mode: "0755"
-    extra_opts:
-      - "--strip-components=0"
-      - "--wildcards"
-      - "blocky"
-  become: true
-  when: ansible_facts['architecture'] == "aarch64"
   notify: "notification_restart_blocky"
 
 - name: Deploy blocky config
@@ -141,3 +124,10 @@
     enabled: true
     daemon_reload: true
   become: true
+
+- name: Fetch deb bin file
+  ansible.builtin.fetch:
+    src: "/home/blocky/bin/blocky-{{ version['packages']['blocky'] }}.tar.gz"
+    dest: "{{ hostvars['console']['node']['data_path'] }}/bin/"
+    flat: true
+  become: true

ansible/roles/infra/tasks/services/set_ca_server.yaml

@@ -78,3 +78,23 @@
     enabled: true
     daemon_reload: true
     scope: "user"
+
+- name: Check container archive images
+  ansible.builtin.stat:
+    path: "{{ node['home_path'] }}/archives/containers/docker.io_smallstep_step-ca_{{ version['containers']['step'] }}.tar"
+  register: container_archive_images
+
+- name: Save container archive images
+  containers.podman.podman_save:
+    image:
+      - "docker.io/smallstep/step-ca:{{ version['containers']['step'] }}"
+    dest: "{{ node['home_path'] }}/archives/containers/docker.io_smallstep_step-ca_{{ version['containers']['step'] }}.tar"
+    format: "oci-archive"
+    force: false
+  when: not container_archive_images.stat.exists
+
+- name: Fetch container archive images
+  ansible.builtin.fetch:
+    src: "{{ node['home_path'] }}/archives/containers/docker.io_smallstep_step-ca_{{ version['containers']['step'] }}.tar"
+    dest: "{{ hostvars['console']['node']['data_path'] }}/images/containers/"
+    flat: true

ansible/roles/infra/tasks/services/set_grafana.yaml

@@ -83,3 +83,23 @@
     enabled: true
     daemon_reload: true
     scope: "user"
+
+- name: Check container archive images
+  ansible.builtin.stat:
+    path: "{{ node['home_path'] }}/archives/containers/docker.io_grafana_grafana_{{ version['containers']['grafana'] }}.tar"
+  register: container_archive_images
+
+- name: Save container archive images
+  containers.podman.podman_save:
+    image:
+      - "docker.io/grafana/grafana:{{ version['containers']['grafana'] }}"
+    dest: "{{ node['home_path'] }}/archives/containers/docker.io_grafana_grafana_{{ version['containers']['grafana'] }}.tar"
+    format: "oci-archive"
+    force: false
+  when: not container_archive_images.stat.exists
+
+- name: Fetch container archive images
+  ansible.builtin.fetch:
+    src: "{{ node['home_path'] }}/archives/containers/docker.io_grafana_grafana_{{ version['containers']['grafana'] }}.tar"
+    dest: "{{ hostvars['console']['node']['data_path'] }}/images/containers/"
+    flat: true

ansible/roles/infra/tasks/services/set_ldap.yaml

@@ -75,7 +75,7 @@
         rm: true
         detach: false
         env:
-          TZ: "Asia/Seoul"
+          TZ: "{{ timezone }}"
           LLDAP_LDAP_BASE_DN: "{{ domain['dc'] }}"
         secrets:
           - "LLDAP_DATABASE_URL,type=env"
@@ -108,3 +108,23 @@
     enabled: true
     daemon_reload: true
     scope: "user"
+
+- name: Check container archive images
+  ansible.builtin.stat:
+    path: "{{ node['home_path'] }}/archives/containers/docker.io_lldap_lldap_{{ version['containers']['ldap'] }}.tar"
+  register: container_archive_images
+
+- name: Save container archive images
+  containers.podman.podman_save:
+    image:
+      - "docker.io/lldap/lldap:{{ version['containers']['ldap'] }}"
+    dest: "{{ node['home_path'] }}/archives/containers/docker.io_lldap_lldap_{{ version['containers']['ldap'] }}.tar"
+    format: "oci-archive"
+    force: false
+  when: not container_archive_images.stat.exists
+
+- name: Fetch container archive images
+  ansible.builtin.fetch:
+    src: "{{ node['home_path'] }}/archives/containers/docker.io_lldap_lldap_{{ version['containers']['ldap'] }}.tar"
+    dest: "{{ hostvars['console']['node']['data_path'] }}/images/containers/"
+    flat: true

ansible/roles/infra/tasks/services/set_loki.yaml

@@ -64,3 +64,23 @@
     enabled: true
     daemon_reload: true
     scope: "user"
+
+- name: Check container archive images
+  ansible.builtin.stat:
+    path: "{{ node['home_path'] }}/archives/containers/docker.io_grafana_loki_{{ version['containers']['loki'] }}.tar"
+  register: container_archive_images
+
+- name: Save container archive images
+  containers.podman.podman_save:
+    image:
+      - "docker.io/grafana/loki:{{ version['containers']['loki'] }}"
+    dest: "{{ node['home_path'] }}/archives/containers/docker.io_grafana_loki_{{ version['containers']['loki'] }}.tar"
+    format: "oci-archive"
+    force: false
+  when: not container_archive_images.stat.exists
+
+- name: Fetch container archive images
+  ansible.builtin.fetch:
+    src: "{{ node['home_path'] }}/archives/containers/docker.io_grafana_loki_{{ version['containers']['loki'] }}.tar"
+    dest: "{{ hostvars['console']['node']['data_path'] }}/images/containers/"
+    flat: true

ansible/roles/infra/tasks/services/set_postgresql.yaml

@@ -12,6 +12,8 @@
       - "affine"
       - "nextcloud"
       - "sure"
+      - "outline"
+      - "memos"
 
 - name: Create postgresql directory
   ansible.builtin.file:
@@ -172,3 +174,29 @@
     daemon_reload: true
     scope: "user"
   loop: "{{ connected_services }}"
+
+- name: Check container archive images
+  ansible.builtin.stat:
+    path: "{{ node['home_path'] }}/archives/containers/\
+      {{ domain['internal'] }}_{{ node['name'] }}_postgres_\
+      pg{{ version['containers']['postgresql'] }}-vectorchord{{ version['containers']['vectorchord'] }}.tar"
+  register: container_archive_images
+
+- name: Save container archive images
+  containers.podman.podman_save:
+    image:
+      - "{{ domain['internal'] }}/{{ node['name'] }}/postgres:pg{{ version['containers']['postgresql'] }}-vectorchord{{ version['containers']['vectorchord'] }}"
+    dest: "{{ node['home_path'] }}/archives/containers/\
+      {{ domain['internal'] }}_{{ node['name'] }}_postgres_\
+      pg{{ version['containers']['postgresql'] }}-vectorchord{{ version['containers']['vectorchord'] }}.tar"
+    format: "oci-archive"
+    force: false
+  when: not container_archive_images.stat.exists
+
+- name: Fetch container archive images
+  ansible.builtin.fetch:
+    src: "{{ node['home_path'] }}/archives/containers/\
+      {{ domain['internal'] }}_{{ node['name'] }}_postgres_\
+      pg{{ version['containers']['postgresql'] }}-vectorchord{{ version['containers']['vectorchord'] }}.tar"
+    dest: "{{ hostvars['console']['node']['data_path'] }}/images/containers/"
+    flat: true

ansible/roles/infra/tasks/services/set_prometheus.yaml

@@ -68,3 +68,23 @@
     enabled: true
     daemon_reload: true
     scope: "user"
+
+- name: Check container archive images
+  ansible.builtin.stat:
+    path: "{{ node['home_path'] }}/archives/containers/docker.io_prom_prometheus_{{ version['containers']['prometheus'] }}.tar"
+  register: container_archive_images
+
+- name: Save container archive images
+  containers.podman.podman_save:
+    image:
+      - "docker.io/prom/prometheus:{{ version['containers']['prometheus'] }}"
+    dest: "{{ node['home_path'] }}/archives/containers/docker.io_prom_prometheus_{{ version['containers']['prometheus'] }}.tar"
+    format: "oci-archive"
+    force: false
+  when: not container_archive_images.stat.exists
+
+- name: Fetch container archive images
+  ansible.builtin.fetch:
+    src: "{{ node['home_path'] }}/archives/containers/docker.io_prom_prometheus_{{ version['containers']['prometheus'] }}.tar"
+    dest: "{{ hostvars['console']['node']['data_path'] }}/images/containers/"
+    flat: true

ansible/roles/infra/tasks/services/set_x509-exporter.yaml

@@ -68,3 +68,23 @@
     enabled: true
     daemon_reload: true
     scope: "user"
+
+- name: Check container archive images
+  ansible.builtin.stat:
+    path: "{{ node['home_path'] }}/archives/containers/docker.io_enix_x509-certificate-exporter_{{ version['containers']['x509-exporter'] }}.tar"
+  register: container_archive_images
+
+- name: Save container archive images
+  containers.podman.podman_save:
+    image:
+      - "docker.io/enix/x509-certificate-exporter:{{ version['containers']['x509-exporter'] }}"
+    dest: "{{ node['home_path'] }}/archives/containers/docker.io_enix_x509-certificate-exporter_{{ version['containers']['x509-exporter'] }}.tar"
+    format: "oci-archive"
+    force: false
+  when: not container_archive_images.stat.exists
+
+- name: Fetch container archive images
+  ansible.builtin.fetch:
+    src: "{{ node['home_path'] }}/archives/containers/docker.io_enix_x509-certificate-exporter_{{ version['containers']['x509-exporter'] }}.tar"
+    dest: "{{ hostvars['console']['node']['data_path'] }}/images/containers/"
+    flat: true

config/secrets/edit_secret.sh

@@ -19,7 +19,11 @@ log() {
     local timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
     local level="$1"
     local msg="$2"
-    echo "time=\"$timestamp\" level=\"$level\" msg=\"$msg\" source=\"edit_secret.sh\"">&2
+    if [ "$level" == "error" ]; then
+        echo "time=\"$timestamp\" level=\"$level\" msg=\"$msg\" source=\"edit_secret.sh\"">&2
+    else
+        echo "time=\"$timestamp\" level=\"$level\" msg=\"$msg\" source=\"edit_secret.sh\"">&1
+    fi
 }
 
 # Secret file check
@@ -58,9 +62,9 @@ cleanup() {
 trap cleanup EXIT
 
 # Get GPG password from prompt
-echo -n "Enter GPG passphrase: " >&2
+echo -n "Enter GPG passphrase: " >&1
 read -s GPG_PASSPHRASE
-echo "" >&2
+echo "" >&1
 
 # Decrypt age-key on the tmpfs (memory)
 echo "$GPG_PASSPHRASE" | gpg --batch --yes --passphrase-fd 0 \

config/secrets/secrets.yaml

@@ -120,6 +120,8 @@ postgresql:
         affine: ENC[AES256_GCM,data:XPXrcszsV06YqCJZ7CDqc4rCwqqNlbtLCFYfLAQ8jamLtft8L2UVrMA4WZo=,iv:vrWdBeckxB9tmEE628j4jhU+hSpE6TXYMGt0hh1Cg84=,tag:hlWwWUGht8NqWTZREMsa1Q==,type:str]
         nextcloud: ENC[AES256_GCM,data:ROsximNuWYMTZktmLJPx7W1Qol/uT+APgwoCtFO/6ZYYc3KxKvlk344eqEc=,iv:4d+MrfIHjJKAcwhvZ3g4go66uZcieuL7lngKErJd+fg=,tag:QbWOtxeCbiu62GyrE2atXg==,type:str]
         sure: ENC[AES256_GCM,data:FULJ2gjJ2gZC3s324itW+CjGRBHIP9RnOqw5TT1UaiUhb7UHAPm1na+LsZk=,iv:c0GnVZkxprJUzPPq3TCQaZvAes9QQuvDXqgVLLaiQIg=,tag:uDxy/Lkd2hNK4AWwMNMslw==,type:str]
+        outline: ENC[AES256_GCM,data:0eJFCfHgS4olWXHOnUPixs4Dl5PoxJa+2H1mk3YgC4GUv+nX8gTPmzKTMVM=,iv:HGxX7aLODUc2nVLC8YXdet9qphU/wxMapWhk93YmHDM=,tag:6/2uckW/a24LgVFRH6E85Q==,type:str]
+        memos: ENC[AES256_GCM,data:BaNTnZFZH4oMTnDkgrf2/fMTkO43rc9bSsgnDWrHJ/Z6+MZdMitpIMkrMN4=,iv:JsG3B0YweZYO96MW9NmoSsIG++gFq+jRUsozwJtWl3M=,tag:orLTUiW0inOJdD4YSp4baQ==,type:str]
 #ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
 #
 #
@@ -251,6 +253,24 @@ sure:
 #ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
 #
 #
+#ENC[AES256_GCM,data:H6BtfLuevnDCEpHSmf6pxQ==,iv:9Jw0UZwVwS2It7c4e1rAN/BEiqDKp9DHD4W9xdpJ/Vs=,tag:Xj8HKvxgCA260CXBVK2S1A==,type:comment]
+outline:
+    session_secret: ENC[AES256_GCM,data:A26j8/ghGA9MjDiuq+H84iTFXkHZp3l3LbGKO9w+Cgv+u1dkTF5q4zuBnOSBi+Tnz+2Y4jIoxsac+CS0dguRMg==,iv:NzJiJxVxOvud3e4mP8urnHrqugE8SmjFVnZtwfzrUzs=,tag:YR/jexb3G0HfC2qHpn6fPA==,type:str]
+    utils_secret: ENC[AES256_GCM,data:ACI+NZzqHBsYeb4WwTJ1nfJcy6zNwJn2hBqA93aM5cgNWQ4KtQHDXgmS6UTwmSpxrteiaH25J3Np03H3eQoVeA==,iv:nitwxxwTPQvoQXGLVMnk2zsdC7M+JIXkTY4zJdQ3DFo=,tag:IQewG7EE9IgQk+Rfz7M5Iw==,type:str]
+    oidc:
+        secret: ENC[AES256_GCM,data:zR6sN205C51BIiQxLYOwC4ZbTYGr2AveiPeEbdadairmfnNJkGOtm0zT4Gg=,iv:uyYoJYuAuH/Gy2dlLr2SkkLYq+lMdwBgmzUsEj1EAKc=,tag:uhgvE6BagvPPKf7Y3NaGfA==,type:str]
+        hash: ENC[AES256_GCM,data:xOibOUdmfhvUk6HABHf/MGIaUqRtrmbBpD5eTIrlt+Ll5IxuIaECMIyBufqV6KStoNsAxtlWmPqoVYROnVh7Z50ntywP6w6YNFbihMGr5tYnNBAS2ITViCq0Z7GQpNVmhNkFbmZv4bX14YOI557CS1KeDVrKrHnZ3fPgEgDwEiUdCwo=,iv:3lVQEw/gmTvJ6wteyKhAHAYUUw1AfKku8YEveddJTZU=,tag:0jimA4vof+nKOQtCOrVFdw==,type:str]
+#ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
+#
+#
+#ENC[AES256_GCM,data:Fis0K+QOQwUfHItGI5U=,iv:kRmt4WhV6bBwN7Xl2xLrbxnKuLKTBC5nI9ZnQSIgIwo=,tag:whb1oOEX+fry9GS1+RlPrA==,type:comment]
+memos:
+    oidc:
+        secret: ENC[AES256_GCM,data:+rX8znej0jjXybmUjoI7DkybNkNeg15Py7bav665Uej48I5ZAZbUiKwccNo=,iv:UzcCqXxvweosRL8afhyRBB2ERm1PNs+tuxeDwL7Mcu8=,tag:+gJWSAq2BpSlSw/iwhIbpA==,type:str]
+        hash: ENC[AES256_GCM,data:D7+37XTpDFRabT5YEh9nfxO1Q9Sdc98jAxPsjkPzj7bthn1H0dlLYZSJ2Fy8Ye4vjIFO+TZ6HWx8N4cSwHTfgls3EYFh1TW0FUnyCY1kYd/+ljfZB9Y6M+i5zb5nEIBHI32Sk7/B20cGnr0SUb3EKU+SmnACgZ0fjKKyUpSzGu75MH8=,iv:3RkTpgy85JPJqu6AEKrw8RY2O+L/CldPuPpN9ln54u8=,tag:Nl0DL5tVenA/fdRNOGyPkA==,type:str]
+#ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
+#
+#
 #ENC[AES256_GCM,data:T4Wtn49AAxPd2QUFTR+q,iv:bH5goGWBDqumAat9dUv2OwfCUJUpuVqncTMqMBZUXhI=,tag:G+W6hHA+yftQ+4RJpXrxHg==,type:comment]
 switch:
     password: ENC[AES256_GCM,data:qu0f9L7A0eFq/UCpaRs=,iv:W8LLOp3MSfd/+EfNEZNf91K8GgI5eUfVPoWTRES2C0Y=,tag:Q5FlAOfwqwJwPvd7k6i+0g==,type:str]
@@ -280,7 +300,7 @@ sops:
             UmliaFNxVTBqRkI1QWJpWGpTRWxETW8KEY/8AfU73UOzCGhny1cNnd5dCNv7bHXt
             k+uyWPPi+enFkVaceSwMFrA66uaWWrwAj11sXEB7yzvGFPrnAGezjQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-05-09T14:26:51Z"
-    mac: ENC[AES256_GCM,data:TYs08ZSS2kcO5lYuhQ/IySUSQ3DpL+ba3/uNLyszht4OttR110/W/WQLiRuu/Ql6FwtDtjq6I3iNpOhmCHSv1kMCam1l99GEIYCaPUIY+TY3Zw0j7518dFXe8p/DrKRwIVXfK5lIKLIEd+eizD50HzwXXJFmU+7YDkQ1Dx+55kw=,iv:arJKJ4wO4sdQlu3GZbtultsfM6s8vbhG93tnf2EjJDc=,tag:m95gUqvn4w85XI8qVvCZpQ==,type:str]
+    lastmodified: "2026-05-16T11:08:23Z"
+    mac: ENC[AES256_GCM,data:FprpwGfSw+KObEthT41tD8qgawQPpRlHw0ZxcyH74Nzk+47AbkDR3dWUPmZGPTePcQM4WI3e1IzE0ptJA7Hpcsnq/wHdo+uTW8nozYxzDU7JhjG2Xn6CPov2mV3o0SCegiCpfvE4A3bXiBOPapUIIs+ySBUMmyyW6m5ravElxsA=,iv:wt/3nFmVfodxActWBNvli2M2LLQZG8bkuagA/Fc6iuk=,tag:z1QWaMrGN/8kBrmZ8mPJUA==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.12.1

config/services/containers/app/affine/affine.container.j2

@@ -19,7 +19,7 @@ Volume=%h/containers/affine/config:/root/.affine/config
 Volume=%h/containers/affine/ssl:/etc/ssl/affine:ro
 
 # General
-Environment="TZ=Asia/Seoul"
+Environment="TZ={{ timezone }}"
 ## OIDC callback URIs
 Environment="AFFINE_SERVER_HOST={{ services['affine']['domain']['public'] }}.{{ domain['public'] }}"
 Environment="AFFINE_SERVER_EXTERNAL_URL=https://{{ services['affine']['domain']['public'] }}.{{ domain['public'] }}"

config/services/containers/app/collabora/collabora.container.j2

@@ -11,7 +11,7 @@ HostName=collabora
 
 PublishPort={{ services['collabora']['ports']['http'] }}:9980/tcp
 
-Environment="TZ=Asia/Seoul"
+Environment="TZ={{ timezone }}"
 Environment="aliasgroup1=https://{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}"
 # Environment="aliasgroup2=other_server_FQDN"
 Environment="extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:server_name={{ services['collabora']['domain']['public'] }}.{{ domain['public'] }} --o:admin_console.enable=false"

config/services/containers/app/gitea/gitea.container.j2

@@ -19,7 +19,7 @@ Volume=%h/data/containers/gitea:/data:rw
 Volume=%h/containers/gitea/ssl:/etc/ssl/gitea:ro
 
 # General
-Environment="TZ=Asia/Seoul"
+Environment="TZ={{ timezone }}"
 Environment="GITEA__server__DISABLE_SSH=true"
 # Database
 Environment="GITEA__database__DB_TYPE=postgres"

config/services/containers/app/immich/immich-ml.container.j2

@@ -21,7 +21,7 @@ PodmanArgs=--group-add keep-groups
 
 Volume=%h/containers/immich/ml/cache:/cache:rw
 
-Environment="TZ=Asia/Seoul"
+Environment="TZ={{ timezone }}"
 
 [Service]
 Restart=always

config/services/containers/app/immich/immich.container.j2

@@ -24,7 +24,7 @@ Volume=%h/data/containers/immich:/data:rw
 Volume=%h/containers/immich/ssl:/etc/ssl/immich:ro
 
 # Environment
-Environment="TZ=Asia/Seoul"
+Environment="TZ={{ timezone }}"
 # The new environment from version 2.7.0 to enable CSP
 Environment="IMMICH_HELMET_FILE=true"
 

config/services/containers/app/manticore/manticore.container.j2

@@ -14,7 +14,7 @@ PublishPort={{ services[manticore_service]['ports']['manticore'] }}:9308
 Volume=%h/data/containers/manticore/{{ manticore_service }}:/var/lib/manticore:rw
 
 # General
-Environment="TZ=Asia/Seoul"
+Environment="TZ={{ timezone }}"
 
 [Service]
 Restart=always

config/services/containers/app/memos/memos.container.j2

@@ -0,0 +1,34 @@
+[Quadlet]
+DefaultDependencies=false
+
+[Unit]
+Description=Memos
+
+[Container]
+Image=docker.io/neosmemo/memos:{{ version['containers']['memos'] }}
+ContainerName=memos
+HostName=memos
+PublishPort={{ services['memos']['ports']['http'] }}:5230/tcp
+
+# Volumes
+Volume=%h/data/containers/memos/data:/var/opt/memos:rw
+Volume=%h/containers/memos/ssl:/etc/ssl/memos:ro
+
+# General
+Environment="TZ={{ timezone }}"
+Environment="MEMOS_MODE=prod"
+Environment="MEMOS_PORT=5230"
+Environment="MEMOS_INSTANCE_URL=https://{{ services['memos']['domain']['public'] }}.{{ domain['public'] }}"
+
+# Database (PostgreSQL)
+Environment="MEMOS_DRIVER=postgres"
+Secret=MEMOS_DSN,type=env
+
+[Service]
+ExecStartPre=/usr/bin/nc -zv {{ services['postgresql']['domain'] }}.{{ domain['internal'] }} {{ services['postgresql']['ports']['tcp'] }}
+Restart=always
+RestartSec=10s
+TimeoutStopSec=120
+
+[Install]
+WantedBy=default.target

config/services/containers/app/nextcloud/nextcloud.container.j2

@@ -17,7 +17,7 @@ Volume=%h/containers/nextcloud/ini/upload.ini:/usr/local/etc/php/conf.d/upload.i
 Volume=%h/data/containers/nextcloud/html:/var/www/html:rw
 
 # General
-Environment="TZ=Asia/Seoul"
+Environment="TZ={{ timezone }}"
 # PostgreSQL
 Environment="PGSSLMODE=verify-full"
 Environment="PGSSLROOTCERT=/etc/ssl/nextcloud/{{ root_cert_filename }}"

config/services/containers/app/outline/outline.container.j2

@@ -0,0 +1,77 @@
+[Quadlet]
+DefaultDependencies=false
+
+[Unit]
+Description=Outline
+
+After=redis_outline.service
+Wants=redis_outline.service
+
+[Container]
+Image=docker.io/outlinewiki/outline:{{ version['containers']['outline'] }}
+ContainerName=outline
+HostName=outline
+PublishPort={{ services['outline']['ports']['http'] }}:3000/tcp
+
+# Volumes
+Volume=%h/data/containers/outline/data:/var/lib/outline/data:rw
+Volume=%h/containers/outline/ssl:/etc/ssl/outline:ro
+
+# General
+Environment="TZ={{ timezone }}"
+Environment="NODE_ENV=production"
+Environment="URL=https://{{ services['outline']['domain']['public'] }}.{{ domain['public'] }}"
+Environment="PORT=3000"
+#Environment="FORCE_HTTPS=true" #HSTS function is not required
+
+# Secrets
+Secret=OUTLINE_SECRET_KEY,type=env,target=SECRET_KEY
+Secret=OUTLINE_UTILS_SECRET,type=env,target=UTILS_SECRET
+
+# Database
+Environment="DATABASE_HOST={{ services['postgresql']['domain'] }}.{{ domain['internal'] }}"
+Environment="DATABASE_PORT={{ services['postgresql']['ports']['tcp'] }}"
+Environment="DATABASE_NAME=outline_db"
+Environment="DATABASE_USER=outline"
+Environment="PGSSLMODE=verify-full"
+Environment="NODE_EXTRA_CA_CERTS=/etc/ssl/outline/{{ root_cert_filename }}"
+Secret=OUTLINE_DATABASE_PASSWORD,type=env,target=DATABASE_PASSWORD
+
+# Redis
+Environment="REDIS_URL=redis://host.containers.internal:{{ services['outline']['ports']['redis'] }}"
+
+# Storage
+Environment="FILE_STORAGE=local"
+Environment="FILE_STORAGE_LOCAL_ROOT_DIR=/var/lib/outline/data"
+Environment="FILE_STORAGE_UPLOAD_MAX_SIZE=262144000"
+
+# OIDC
+Environment="OIDC_CLIENT_ID=outline"
+Environment="OIDC_AUTH_URI=https://{{ services['authelia']['domain'] }}.{{ domain['public'] }}/api/oidc/authorization"
+Environment="OIDC_TOKEN_URI=https://{{ services['authelia']['domain'] }}.{{ domain['public'] }}/api/oidc/token"
+Environment="OIDC_USERINFO_URI=https://{{ services['authelia']['domain'] }}.{{ domain['public'] }}/api/oidc/userinfo"
+Environment="OIDC_USERNAME_CLAIM=preferred_username"
+Environment="OIDC_DISPLAY_NAME=Authelia"
+Environment="OIDC_SCOPES=openid offline_access profile email"
+Secret=OUTLINE_OIDC_CLIENT_SECRET,type=env,target=OIDC_CLIENT_SECRET
+
+# Mail
+#Environment="SMTP_HOST=smtp.example.com"
+#Environment="SMTP_PORT=587"
+#Environment="SMTP_USERNAME=outline@example.com"
+#Environment="SMTP_PASSWORD=change_me"
+#Environment="SMTP_FROM_EMAIL=outline@example.com"
+#Environment="SMTP_REPLY_EMAIL=outline@example.com"
+#Environment="SMTP_SECURE=false"
+
+# Optional
+Environment="LOG_LEVEL=warn"
+
+[Service]
+ExecStartPre=/usr/bin/nc -zv {{ services['postgresql']['domain'] }}.{{ domain['internal'] }} {{ services['postgresql']['ports']['tcp'] }}
+Restart=always
+RestartSec=10s
+TimeoutStopSec=120
+
+[Install]
+WantedBy=default.target

config/services/containers/app/paperless/build/paperless.containerfile.j2

@@ -0,0 +1,13 @@
+FROM ghcr.io/paperless-ngx/paperless-ngx:{{ version['containers']['paperless'] }}
+
+USER root
+
+RUN apt-get update \
+  && apt-get install -y --no-install-recommends curl ca-certificates \
+  && curl -fsSL https://raw.githubusercontent.com/tesseract-ocr/tessdata_best/main/kor.traineddata \
+    -o /usr/share/tesseract-ocr/5/tessdata/kor.traineddata \
+  && curl -fsSL https://raw.githubusercontent.com/tesseract-ocr/tessdata_best/main/eng.traineddata \
+    -o /usr/share/tesseract-ocr/5/tessdata/eng.traineddata \
+  && rm -rf /var/lib/apt/lists/*
+
+USER paperless

config/services/containers/app/paperless/paperless.container.j2

@@ -8,7 +8,7 @@ After=redis_paperless.service
 Wants=redis_paperless.service
 
 [Container]
-Image=ghcr.io/paperless-ngx/paperless-ngx:{{ version['containers']['paperless'] }}
+Image={{ domain['internal'] }}/{{ node['name'] }}/paperless-ngx:{{ version['containers']['paperless'] }}
 ContainerName=paperless
 HostName=paperless
 PublishPort={{ services['paperless']['ports']['http'] }}:8000/tcp
@@ -20,8 +20,8 @@ Volume=%h/data/containers/paperless/consume:/usr/src/paperless/consume:rw
 Volume=%h/containers/paperless/ssl:/etc/ssl/paperless:ro
 
 # General
-Environment="TZ=Asia/Seoul"
-Environment="PAPERLESS_TIME_ZONE=Asia/Seoul"
+Environment="TZ={{ timezone }}"
+Environment="PAPERLESS_TIME_ZONE={{ timezone }}"
 Environment="PAPERLESS_URL=https://{{ services['paperless']['domain']['public'] }}.{{ domain['public'] }}"
 Environment="PAPERLESS_OCR_LANGUAGE=kor+eng"
 Environment="PAPERLESS_OCR_LANGUAGES=kor"

config/services/containers/app/redis/redis.container.j2

@@ -20,7 +20,7 @@ Volume=%h/containers/redis/{{ redis_service }}/redis.conf:/usr/local/etc/redis/r
 
 Exec=redis-server /usr/local/etc/redis/redis.conf
 
-Environment="TZ=Asia/Seoul"
+Environment="TZ={{ timezone }}"
 
 [Service]
 Restart=always

config/services/containers/app/sure/sure-web.container.j2

@@ -18,7 +18,7 @@ Volume=%h/data/containers/sure/storage:/rails/storage:rw
 Volume=%h/containers/sure/ssl:/etc/ssl/sure:ro
 
 # General
-Environment="TZ=Asia/Seoul"
+Environment="TZ={{ timezone }}"
 Environment="SELF_HOSTED=true"
 Environment="ONBOARDING_STATE=closed"
 Environment="RAILS_FORCE_SSL=false"

config/services/containers/app/sure/sure-worker.container.j2

@@ -18,7 +18,7 @@ Volume=%h/containers/sure/ssl:/etc/ssl/sure:ro
 Exec=bundle exec sidekiq
 
 # General
-Environment="TZ=Asia/Seoul"
+Environment="TZ={{ timezone }}"
 Environment="SELF_HOSTED=true"
 Environment="ONBOARDING_STATE=closed"
 Environment="RAILS_FORCE_SSL=false"

config/services/containers/app/vaultwarden/vaultwarden.container.j2

@@ -18,7 +18,7 @@ PublishPort={{ services['vaultwarden']['ports']['http'] }}:80/tcp
 Volume=%h/data/containers/vaultwarden:/data:rw
 Volume=%h/containers/vaultwarden/ssl:/etc/ssl/vaultwarden:ro
 
-Environment="TZ=Asia/Seoul"
+Environment="TZ={{ timezone }}"
 Environment="DOMAIN=https://{{ services['vaultwarden']['domain']['public'] }}.{{ domain['public'] }}"
 Environment="SIGNUPS_ALLOWED=false"
 Secret=VW_ADMIN_TOKEN,type=env,target=ADMIN_TOKEN

config/services/containers/auth/authelia/authelia.container.j2

@@ -22,7 +22,7 @@ Volume=%h/containers/authelia/config:/config:rw
 Volume=%h/containers/authelia/certs:/etc/ssl/authelia:ro
 
 # Default
-Environment="TZ=Asia/Seoul"
+Environment="TZ={{ timezone }}"
 # Enable Go template engine
 # !CAUTION!
 {% raw %}# If this environment were enabled, you would have to use {{/* ... /*}} for {{ go_filter }} options. Go engine always processes its own grammar first.

config/services/containers/auth/authelia/config/authelia.yaml.j2

@@ -260,3 +260,47 @@ identity_providers:
         access_token_signed_response_alg: 'none'
         userinfo_signed_response_alg: 'none'
         token_endpoint_auth_method: 'client_secret_basic'
+      # https://www.authelia.com/integration/openid-connect/clients/outline/
+      - client_id: 'outline'
+        client_name: 'Outline'
+        client_secret: '{{ hostvars['console']['outline']['oidc']['hash'] }}'
+        public: false
+        authorization_policy: 'one_factor'
+        require_pkce: false
+        pkce_challenge_method: ''
+        redirect_uris:
+          - 'https://{{ services['outline']['domain']['public'] }}.{{ domain['public'] }}/auth/oidc.callback'
+        scopes:
+          - 'openid'
+          - 'offline_access'
+          - 'profile'
+          - 'email'
+        response_types:
+          - 'code'
+        grant_types:
+          - 'authorization_code'
+          - 'refresh_token'
+        access_token_signed_response_alg: 'none'
+        userinfo_signed_response_alg: 'none'
+        token_endpoint_auth_method: 'client_secret_post'
+      # https://www.authelia.com/integration/openid-connect/clients/memos/
+      - client_id: 'memos'
+        client_name: 'Memos'
+        client_secret: '{{ hostvars['console']['memos']['oidc']['hash'] }}'
+        public: false
+        authorization_policy: 'one_factor'
+        require_pkce: false
+        pkce_challenge_method: ''
+        redirect_uris:
+          - 'https://{{ services['memos']['domain']['public'] }}.{{ domain['public'] }}/auth/callback'
+        scopes:
+          - 'openid'
+          - 'profile'
+          - 'email'
+        response_types:
+          - 'code'
+        grant_types:
+          - 'authorization_code'
+        access_token_signed_response_alg: 'none'
+        userinfo_signed_response_alg: 'none'
+        token_endpoint_auth_method: 'client_secret_post'

config/services/containers/common/caddy/caddy.container.j2

@@ -33,7 +33,7 @@ Volume=%h/containers/caddy/data:/data:rw
 Volume=/var/log/caddy:/log:rw
 {% endif %}
 
-Environment="TZ=Asia/Seoul"
+Environment="TZ={{ timezone }}"
 
 Secret=CADDY_ACME_KEY,target=/run/secrets/CADDY_ACME_KEY
 {% if node['name'] == 'auth' %}

config/services/containers/common/caddy/etc/app/Caddyfile.j2

@@ -77,3 +77,15 @@
                 header_up Host {http.request.header.X-Forwarded-Host}
         }
 }
+{{ services['outline']['domain']['internal'] }}.{{ domain['internal'] }} {
+        import private_tls
+        reverse_proxy host.containers.internal:{{ services['outline']['ports']['http'] }} {
+                header_up Host {http.request.header.X-Forwarded-Host}
+        }
+}
+{{ services['memos']['domain']['internal'] }}.{{ domain['internal'] }} {
+        import private_tls
+        reverse_proxy host.containers.internal:{{ services['memos']['ports']['http'] }} {
+                header_up Host {http.request.header.X-Forwarded-Host}
+        }
+}

config/services/containers/common/caddy/etc/auth/Caddyfile.j2

@@ -136,6 +136,24 @@
                 }
         }
 }
+{{ services['outline']['domain']['public'] }}.{{ domain['public'] }} {
+        import crowdsec_log
+        route {
+                crowdsec
+                reverse_proxy https://{{services['outline']['domain']['internal'] }}.{{ domain['internal'] }} {
+                        header_up Host {http.reverse_proxy.upstream.host}
+                }
+        }
+}
+{{ services['memos']['domain']['public'] }}.{{ domain['public'] }} {
+        import crowdsec_log
+        route {
+                crowdsec
+                reverse_proxy https://{{services['memos']['domain']['internal'] }}.{{ domain['internal'] }} {
+                        header_up Host {http.reverse_proxy.upstream.host}
+                }
+        }
+}
 
 # Internal domain
 {{ node['name'] }}.{{ domain['internal'] }} {

config/services/containers/infra/ca/ca.container.j2

@@ -21,7 +21,7 @@ Volume=%h/containers/ca/config:/home/step/config:rw
 Volume=%h/containers/ca/db:/home/step/db:rw
 Volume=%h/containers/ca/templates:/home/step/templates:rw
 
-Environment="TZ=Asia/Seoul"
+Environment="TZ={{ timezone }}"
 # Since 0.30.0, Docker CMD no longer expands PWDPATH.
 #Environment="PWDPATH=/run/secrets/STEP_CA_PASSWORD"
 

config/services/containers/infra/grafana/grafana.container.j2

@@ -24,7 +24,7 @@ Volume=%h/containers/grafana/data:/var/lib/grafana:rw
 Volume=%h/containers/grafana/etc:/etc/grafana:ro
 Volume=%h/containers/grafana/ssl:/etc/ssl/grafana:ro
 
-Environment="TZ=Asia/Seoul"
+Environment="TZ={{ timezone }}"
 Environment="GF_PATHS_CONFIG=/etc/grafana/grafana.ini"
 # plugin
 # Environment="GF_INSTALL_PLUGINS=grafana-clock-panel,grafana-simple-json-datasource"

config/services/containers/infra/ldap/ldap.container.j2

@@ -24,7 +24,7 @@ Volume=%h/containers/ldap/data:/data:rw
 Volume=%h/containers/ldap/ssl:/etc/ssl/ldap:ro
 
 # Default
-Environment="TZ=Asia/Seoul"
+Environment="TZ={{ timezone }}"
 
 # Domain
 Environment="LLDAP_LDAP_BASE_DN={{ domain['dc'] }}"

config/services/containers/infra/loki/loki.container.j2

@@ -19,7 +19,7 @@ Volume=%h/containers/loki/data:/loki:rw
 Volume=%h/containers/loki/etc:/etc/loki:ro
 Volume=%h/containers/loki/ssl:/etc/ssl/loki:ro
 
-Environment="TZ=Asia/Seoul"
+Environment="TZ={{ timezone }}"
 
 Exec=--config.file=/etc/loki/loki.yaml
 

config/services/containers/infra/postgresql/postgresql.container.j2

@@ -21,7 +21,7 @@ Volume=%h/containers/postgresql/ssl:/etc/ssl/postgresql:ro
 Volume=%h/containers/postgresql/init:/docker-entrypoint-initdb.d/:ro
 Volume=%h/containers/postgresql/backups:/backups:rw
 
-Environment="TZ=Asia/Seoul"
+Environment="TZ={{ timezone }}"
 # This option is only for init process, after init custom config file `pg_hba.conf` will control this option.
 Environment="POSTGRES_HOST_AUTH_METHOD=trust"
 

config/services/containers/infra/prometheus/prometheus.container.j2

@@ -19,7 +19,7 @@ Volume=%h/containers/prometheus/data:/prometheus:rw
 Volume=%h/containers/prometheus/etc:/etc/prometheus:ro
 Volume=%h/containers/prometheus/ssl:/etc/ssl/prometheus:ro
 
-Environment="TZ=Asia/Seoul"
+Environment="TZ={{ timezone }}"
 
 Exec=--config.file=/etc/prometheus/prometheus.yaml \
      --web.config.file=/etc/prometheus/web-config.yaml \

config/services/systemd/common/crowdsec/bouncers/whitelists.yaml.j2

@@ -16,4 +16,9 @@ whitelist:
         - "evt.Meta.target_fqdn == '{{ services['immich']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/api/assets/' && evt.Meta.http_path contains '/thumbnail'"
         # nextcloud thumbnail/preview request error false positive
         - "evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' &&  evt.Meta.http_path startsWith '/index.php/core/preview?'"
+        # nextcloud chunks.mjs request false positive
+        - "evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status in ['200', '304'] && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains 'chunk.mjs'"
+        # outline POST 401 errors false positive
+        - "evt.Meta.target_fqdn == '{{ services['outline']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status == '401' && evt.Meta.http_verb == 'POST' && evt.Meta.http_path startsWith '/api/'"
+
 {% endif %}

docs/archives/services/app/actual-budget/actual-budget.container.j2

@@ -13,7 +13,7 @@ PublishPort={{ services['actualbudget']['ports']['http'] }}:5006
 
 Volume=%h/data/containers/actual-budget:/data:rw
 
-Environment="TZ=Asia/Seoul"
+Environment="TZ={{ timezone }}"
 Environment="ACTUAL_OPENID_DISCOVERY_URL=https://{{ services['authelia']['domain'] }}.{{ domain['public'] }}/.well-known/openid-configuration"
 Environment="ACTUAL_OPENID_CLIENT_ID=actual-budget"
 Environment="ACTUAL_OPENID_SERVER_HOSTNAME=https://{{ services['actualbudget']['domain']['public'] }}.{{ domain['public'] }}"

docs/archives/services/app/ezbookkeeping/ezbookkeeping.container.j2

@@ -18,7 +18,7 @@ Volume=%h/data/containers/ezbookkeeping/data:/data:rw
 Volume=%h/containers/ezbookkeeping/ssl:/etc/ssl/ezbookkeeping:ro
 
 # General
-Environment="TZ=Asia/Seoul"
+Environment="TZ={{ timezone }}"
 Environment="EBK_SERVER_DOMAIN={{ services['ezbookkeeping']['domain']['public'] }}.{{ domain['public'] }}"
 Environment="EBK_SERVER_ROOT_URL=https://{{ services['ezbookkeeping']['domain']['public'] }}.{{ domain['public'] }}/"
 Environment="EBK_LOG_MODE=console"

docs/archives/services/app/opencloud/opencloud.container.j2

@@ -15,7 +15,7 @@ Volume=%h/containers/opencloud:/etc/opencloud:rw
 Volume=%h/data/containers/opencloud:/var/lib/opencloud:rw
 
 # General
-Environment="TZ=Asia/Seoul"
+Environment="TZ={{ timezone }}"
 # Log level info
 Environment="OC_LOG_LEVEL=info"
 # TLS configuration

docs/archives/services/app/trilium/trilium.container.j2

@@ -18,7 +18,7 @@ PublishPort={{ services['trilium']['ports']['http'] }}:8080/tcp
 Volume=%h/data/containers/trilium/data:/home/node/trilium-data:rw
 
 # General
-Environment="TZ=Asia/Seoul"
+Environment="TZ={{ timezone }}"
 Environment="TRILIUM_DATA_DIR=/home/node/trilium-data"
 Environment="TRILIUM_NO_UPLOAD_LIMIT=true"
 

docs/archives/services/app/vikunja/vikunja.container.j2

@@ -18,9 +18,9 @@ Volume=%h/data/containers/vikunja:/app/vikunja/files:rw
 Volume=%h/containers/vikunja/ssl:/etc/ssl/vikunja:ro
 
 # General
-Environment="TZ=Asia/Seoul"
-Environment="VIKUNJA_DEFAULTSETTINGS_TIMEZONE=Asia/Seoul"
-Environment="VIKUNJA_SERVICE_TIMEZONE=Asia/Seoul"
+Environment="TZ={{ timezone }}"
+Environment="VIKUNJA_DEFAULTSETTINGS_TIMEZONE={{ timezone }}"
+Environment="VIKUNJA_SERVICE_TIMEZONE={{ timezone }}"
 Environment="VIKUNJA_SERVICE_PUBLICURL=https://{{ services['vikunja']['domain']['public'] }}.{{ domain['public'] }}"
 Environment="VIKUNJA_SERVICE_ENABLEREGISTRATION=false"
 Secret=VIKUNJA_SERVICE_JWTSECRET,type=env

docs/archives/services/app/wikijs/wikijs.container.j2

@@ -19,7 +19,7 @@ Volume=%h/data/containers/wikijs/export:/wiki/export:rw
 Volume=%h/containers/wikijs/ssl:/etc/ssl/wiki:ro
 
 # General
-Environment="TZ=Asia/Seoul"
+Environment="TZ={{ timezone }}"
 
 # Database
 Environment="DB_TYPE=postgres"

docs/archives/services/console/script/extract_secret.sh

@@ -148,4 +148,4 @@ if [ "$TYPE" == "ENV" ]; then
         log "error" "SOPS extract error"
         exit 1
     fi
-fi
+fi

docs/issues/crowdsec/260502_nextcloud.md

@@ -23,11 +23,14 @@
 - 2026-05-03: Make previous expressions annotation
 - 2026-05-07: Find the false positive case, which is not on `crowdsecurity/nextcloud-whitelist`
 - 2026-05-07: Set whitelist expression
+- 2026-05-11: Find the false positive case, which is not on `crowdsec/nextcloud-whitelist`
+- 2026-05-11: Set whitelist expression
 
 ## Solution
 - Install crowdsecurity/nextcloud-whitelist on auth node
 - Add expression on whitelist
-  - evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' &&  evt.Meta.http_path startsWith '/index.php/core/preview?'
+  - evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path startsWith '/index.php/core/preview?'
+  - evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status in ['200', '304'] && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains 'chunk.mjs'
 
 ### Deprecated solution
 - Access to fw

docs/issues/crowdsec/260516_outline.md

@@ -0,0 +1,26 @@
+# Outline crowdsec false positive issue
+
+## Status
+- Finished
+
+## Date
+- 2026-05-16
+
+## Version
+- Outline: 1.7.1
+
+## Problem
+- Reload the outline when session is terminated, it causes 401 errors
+  - fw ban users' IP address.
+
+## Reason
+- When the session is terminated by some reasons, every request recieves 401 errors
+    - `LePresidente/http-generic-401-bf`
+
+## Timeline
+- 2026-05-16: Release outline
+- 2026-05-16: Find the false positive case, and add whitelist
+
+## Solution
+- Add expression on whitelist
+  - evt.Meta.target_fqdn == '{{ services['outline']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status == '401' && evt.Meta.http_verb == 'POST' && evt.Meta.http_path startsWith '/api/'

docs/services/app/memos.md

@@ -0,0 +1,74 @@
+# Memos
+
+## Prerequisite
+
+### Create database
+
+- Create the password with `openssl rand -base64 32`
+  - Save this value in secrets.yaml in `postgresql.password.memos`
+  - Access infra server to create memos_db with `podman exec -it postgresql psql -U postgres`
+
+```SQL
+CREATE USER memos WITH PASSWORD 'postgresql.password.memos';
+CREATE DATABASE memos_db;
+ALTER DATABASE memos_db OWNER TO memos;
+```
+
+### Create oidc secret and hash
+
+- Create the secret with `openssl rand -base64 32`
+- access to auth vm
+  - `podman exec -it authelia sh`
+  - `authelia crypto hash generate pbkdf2 --password 'memos.oidc.secret'`
+- Save this value in secrets.yaml in `memos.oidc.secret` and `memos.oidc.hash`
+
+### Add postgresql dump backup list
+
+- [set_postgresql.yaml](../../../ansible/roles/infra/tasks/services/set_postgresql.yaml)
+
+```yaml
+- name: Set connected services list
+  ansible.builtin.set_fact:
+    connected_services:
+      - ...
+      - "memos"
+```
+
+## Configuration
+
+### Access to memos
+
+- https://memos.ilnmors.com
+  - Create local-admin account
+
+### Set OIDC
+
+- Profile: Settings: Admin: SSO: Create
+  - Type: OAUTH2
+  - Template: Custom
+  - Provider ID: authelia
+  - Name: Authelia
+  - Client ID: memos
+  - Client secret: memos.oidc.secret
+  - Authorization endpoint: https://authelia.ilnmors.com/api/oidc/authorization
+  - Token endpoint: https://authelia.ilnmors.com/api/oidc/token
+  - User endpoint: https://authelia.ilnmors.com/api/oidc/userinfo
+  - Scopes: openid profile email
+  - Identifier: preferred_username
+  - Display Name: given_name
+  - Email: email
+- Create
+
+- Profile: Settings: Basic: My Account: SSO Accounts: Link
+  - Login with Authelia
+  - Accept
+
+### Disallow local login and signup
+
+- Profile: Settings: Admin: System
+  - Disallow password auth: toggle
+- Save
+
+### Change user name
+
+- Profile: Settings: Basic: My Account: Edit

docs/services/app/outline.md

@@ -0,0 +1,52 @@
+# Outline
+
+## Prerequisite
+
+### Create database
+
+- Create the password with `openssl rand -base64 32`
+  - Save this value in secrets.yaml in `postgresql.password.outline`
+  - Access infra server to create outline_db with `podman exec -it postgresql psql -U postgres`
+
+```SQL
+CREATE USER outline WITH PASSWORD 'postgresql.password.outline';
+CREATE DATABASE outline_db;
+ALTER DATABASE outline_db OWNER TO outline;
+```
+
+### Create oidc secret and hash
+
+- Create the secret with `openssl rand -base64 32`
+- access to auth vm
+  - `podman exec -it authelia sh`
+  - `authelia crypto hash generate pbkdf2 --password 'outline.oidc.secret'`
+- Save this value in secrets.yaml in `outline.oidc.secret` and `outline.oidc.hash`
+
+### Create session secret and utils value
+
+- Create two secrets with `openssl rand -hex 32`
+  - Save this value in secrets.yaml in `outline.session_secret`
+  - Save this value in secrets.yaml in `outline.utils_secret`
+
+### Add postgresql dump backup list
+
+- [set_postgresql.yaml](../../../ansible/roles/infra/tasks/services/set_postgresql.yaml)
+
+```yaml
+- name: Set connected services list
+  ansible.builtin.set_fact:
+    connected_services:
+      - ...
+      - "outline"
+```
+
+## Configuration
+
+### Notice
+
+- Outline is a BSL, not fully open-sourced stack. Always ensure they can change their policy of the outline
+
+### Access to outline
+
+- https://outline.ilnmors.com
+  - Authelia redirect and automatically sign-up

docs/services/app/paperless-ngx.md

@@ -45,6 +45,11 @@ ALTER DATABASE paperless_db OWNER TO paperless;
       - "paperless"
 ```
 
+### Paperless custom build
+
+- paperless-ngx uses 'tesseract_fast' model
+- building custom container to use 'tesseract_best' model to improve OCR accuracy.
+
 ## Configuration
 
 ### Access to paperless

docs/specifications/environments.md

@@ -126,7 +126,10 @@
             - Link to Nextcloud
         - [x] sure
             - budget and finance
-        - [ ] memos
+        - [x] outline
+            - Compare to affine, the whiteboard and canvas functions are not useful enough
+        - [x] memos
+            - Check outline and memos can be substituded for affine
         - WriteFreely or directus + frontend(Astro)
         - MediaCMS or PeerTube
         - Funkwhale or Navidrome or Jellyfin