1.7.0: Release vikunja

ansible/inventory/group_vars/all.yaml

@@ -75,3 +75,8 @@ version:
     # App
     vaultwarden: "1.35.4"
     gitea: "1.25.5"
+    redis: "8.6.1"
+    immich: "v2.6.2"
+    actualbudget: "26.3.0"
+    paperless: "2.20.13"
+    vikunja: "2.2.2"

ansible/inventory/host_vars/app.yaml

@@ -39,3 +39,7 @@ storage:
     label: "APP_DATA"
     level: "raid10"
     mount_point: "/home/app/data"
+
+redis:
+  immich: "6379"
+  paperless: "6380"

ansible/playbooks/app/site.yaml

@@ -177,6 +177,38 @@
           tags: ["site", "gitea"]
       tags: ["site", "gitea"]
 
+    - name: Set immich
+      ansible.builtin.include_role:
+        name: "app"
+        tasks_from: "services/set_immich"
+        apply:
+          tags: ["site", "immich"]
+      tags: ["site", "immich"]
+
+    - name: Set actual budget
+      ansible.builtin.include_role:
+        name: "app"
+        tasks_from: "services/set_actual-budget"
+        apply:
+          tags: ["site", "actual-budget"]
+      tags: ["site", "actual-budget"]
+
+    - name: Set paperless
+      ansible.builtin.include_role:
+        name: "app"
+        tasks_from: "services/set_paperless"
+        apply:
+          tags: ["site", "paperless"]
+      tags: ["site", "paperless"]
+
+    - name: Set vikunja
+      ansible.builtin.include_role:
+        name: "app"
+        tasks_from: "services/set_vikunja"
+        apply:
+          tags: ["site", "vikunja"]
+      tags: ["site", "vikunja"]
+
     - name: Flush handlers right now
       ansible.builtin.meta: "flush_handlers"
 

ansible/roles/app/handlers/main.yaml

@@ -20,3 +20,58 @@
   changed_when: false
   listen: "notification_restart_gitea"
   ignore_errors: true # noqa: ignore-errors
+
+- name: Restart immich
+  ansible.builtin.systemd:
+    name: "immich.service"
+    state: "restarted"
+    enabled: true
+    scope: "user"
+    daemon_reload: true
+  changed_when: false
+  listen: "notification_restart_immich"
+  ignore_errors: true # noqa: ignore-errors
+
+- name: Restart immich-ml
+  ansible.builtin.systemd:
+    name: "immich-ml.service"
+    state: "restarted"
+    enabled: true
+    scope: "user"
+    daemon_reload: true
+  changed_when: false
+  listen: "notification_restart_immich-ml"
+  ignore_errors: true # noqa: ignore-errors
+
+- name: Restart actual-budget
+  ansible.builtin.systemd:
+    name: "actual-budget.service"
+    state: "restarted"
+    enabled: true
+    scope: "user"
+    daemon_reload: true
+  changed_when: false
+  listen: "notification_restart_actual-budget"
+  ignore_errors: true # noqa: ignore-errors
+
+- name: Restart paperless
+  ansible.builtin.systemd:
+    name: "paperless.service"
+    state: "restarted"
+    enabled: true
+    scope: "user"
+    daemon_reload: true
+  changed_when: false
+  listen: "notification_restart_paperless"
+  ignore_errors: true # noqa: ignore-errors
+
+- name: Restart vikunja
+  ansible.builtin.systemd:
+    name: "vikunja.service"
+    state: "restarted"
+    enabled: true
+    scope: "user"
+    daemon_reload: true
+  changed_when: false
+  listen: "notification_restart_vikunja"
+  ignore_errors: true # noqa: ignore-errors

ansible/roles/app/tasks/services/set_actual-budget.yaml

@@ -0,0 +1,39 @@
+---
+- name: Set actual budget container subuid
+  ansible.builtin.set_fact:
+    actualbudget_subuid: "101000"
+
+- name: Create actual budget directory
+  ansible.builtin.file:
+    path: "{{ node['home_path'] }}/data/containers/actual-budget"
+    state: "directory"
+    owner: "{{ actualbudget_subuid }}"
+    group: "svadmins"
+    mode: "0770"
+  become: true
+
+- name: Register secret value to podman secret
+  containers.podman.podman_secret:
+    name: "ACTUAL_OPENID_CLIENT_SECRET"
+    data: "{{ hostvars['console']['actualbudget']['oidc']['secret'] }}"
+    state: "present"
+    force: true
+  notify: "notification_restart_actual-budget"
+  no_log: true
+
+- name: Deploy container file
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/actual-budget/actual-budget.container.j2"
+    dest: "{{ node['home_path'] }}/.config/containers/systemd/actual-budget.container"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0644"
+  notify: "notification_restart_actual-budget"
+
+- name: Enable actual-budget.service
+  ansible.builtin.systemd:
+    name: "actual-budget.service"
+    state: "started"
+    enabled: true
+    daemon_reload: true
+    scope: "user"

ansible/roles/app/tasks/services/set_gitea.yaml

@@ -34,6 +34,7 @@
     data: "{{ hostvars['console']['postgresql']['password']['gitea'] }}"
     state: "present"
     force: true
+  notify: "notification_restart_gitea"
   no_log: true
 
 - name: Deploy container file

ansible/roles/app/tasks/services/set_immich.yaml

@@ -0,0 +1,121 @@
+---
+- name: Set redis service name
+  ansible.builtin.set_fact:
+    redis_service: "immich"
+    redis_subuid: "100998"
+
+- name: Create redis_immich directory
+  ansible.builtin.file:
+    path: "{{ node['home_path'] }}/{{ item }}"
+    state: "directory"
+    owner: "{{ redis_subuid }}"
+    group: "svadmins"
+    mode: "0770"
+  loop:
+    - "containers/redis"
+    - "containers/redis/{{ redis_service }}"
+    - "containers/redis/{{ redis_service }}/data"
+  become: true
+
+- name: Deploy redis config file
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/redis/redis.conf.j2"
+    dest: "{{ node['home_path'] }}/containers/redis/{{ redis_service }}/redis.conf"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0644"
+  register: "is_redis_conf"
+
+- name: Deploy redis container file
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/redis/redis.container.j2"
+    dest: "{{ node['home_path'] }}/.config/containers/systemd/redis_{{ redis_service }}.container"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0644"
+  register: "is_redis_containerfile"
+
+- name: Enable (Restart) redis service
+  ansible.builtin.systemd:
+    name: "redis_{{ redis_service }}.service"
+    state: "restarted"
+    enabled: true
+    daemon_reload: true
+    scope: "user"
+  when: is_redis_conf.changed or is_redis_containerfile.changed # noqa: no-handler
+
+- name: Add user in video, render group
+  ansible.builtin.user:
+    name: "{{ ansible_user }}"
+    state: "present"
+    groups: "video, render"
+    append: true
+  become: true
+
+- name: Create immich directory
+  ansible.builtin.file:
+    path: "{{ node['home_path'] }}/{{ item }}"
+    state: "directory"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0770"
+  loop:
+    - "data/containers/immich"
+    - "containers/immich"
+    - "containers/immich/ssl"
+    - "containers/immich/ml"
+    - "containers/immich/ml/cache"
+
+- name: Deploy root certificate
+  ansible.builtin.copy:
+    content: |
+      {{ hostvars['console']['ca']['root']['crt'] }}
+    dest: "{{ node['home_path'] }}/containers/immich/ssl/ilnmors_root_ca.crt"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0440"
+  notify: "notification_restart_immich"
+  no_log: true
+
+- name: Register secret value to podman secret
+  containers.podman.podman_secret:
+    name: "IMMICH_DB_PASSWORD"
+    data: "{{ hostvars['console']['postgresql']['password']['immich'] }}"
+    state: "present"
+    force: true
+  notify: "notification_restart_immich"
+  no_log: true
+
+- name: Deploy immich.container file
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/immich/immich.container.j2"
+    dest: "{{ node['home_path'] }}/.config/containers/systemd/immich.container"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0644"
+  notify: "notification_restart_immich"
+
+- name: Deploy immich-ml.container file
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/immich/immich-ml.container.j2"
+    dest: "{{ node['home_path'] }}/.config/containers/systemd/immich-ml.container"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0644"
+  notify: "notification_restart_immich-ml"
+
+- name: Enable immich.service
+  ansible.builtin.systemd:
+    name: "immich.service"
+    state: "started"
+    enabled: true
+    daemon_reload: true
+    scope: "user"
+
+- name: Enable immich-ml.service
+  ansible.builtin.systemd:
+    name: "immich-ml.service"
+    state: "started"
+    enabled: true
+    daemon_reload: true
+    scope: "user"

ansible/roles/app/tasks/services/set_paperless.yaml

@@ -0,0 +1,129 @@
+---
+- name: Set redis service name
+  ansible.builtin.set_fact:
+    redis_service: "paperless"
+    redis_subuid: "100998"
+
+- name: Create redis_paperless directory
+  ansible.builtin.file:
+    path: "{{ node['home_path'] }}/{{ item }}"
+    state: "directory"
+    owner: "{{ redis_subuid }}"
+    group: "svadmins"
+    mode: "0770"
+  loop:
+    - "containers/redis"
+    - "containers/redis/{{ redis_service }}"
+    - "containers/redis/{{ redis_service }}/data"
+  become: true
+
+- name: Deploy redis config file
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/redis/redis.conf.j2"
+    dest: "{{ node['home_path'] }}/containers/redis/{{ redis_service }}/redis.conf"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0644"
+  register: "is_redis_conf"
+
+- name: Deploy redis container file
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/redis/redis.container.j2"
+    dest: "{{ node['home_path'] }}/.config/containers/systemd/redis_{{ redis_service }}.container"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0644"
+  register: "is_redis_containerfile"
+
+- name: Enable (Restart) redis service
+  ansible.builtin.systemd:
+    name: "redis_{{ redis_service }}.service"
+    state: "restarted"
+    enabled: true
+    daemon_reload: true
+    scope: "user"
+  when: is_redis_conf.changed or is_redis_containerfile.changed # noqa: no-handler
+
+- name: Set paperless subuid
+  ansible.builtin.set_fact:
+    paperless_subuid: "100999"
+
+- name: Create paperless directory
+  ansible.builtin.file:
+    path: "{{ node['home_path'] }}/{{ item }}"
+    state: "directory"
+    owner: "{{ paperless_subuid }}"
+    group: "svadmins"
+    mode: "0770"
+  loop:
+    - "data/containers/paperless"
+    - "data/containers/paperless/data"
+    - "data/containers/paperless/media"
+    - "data/containers/paperless/consume"
+    - "containers/paperless"
+    - "containers/paperless/ssl"
+  become: true
+
+
+- name: Deploy root certificate
+  ansible.builtin.copy:
+    content: |
+      {{ hostvars['console']['ca']['root']['crt'] }}
+    dest: "{{ node['home_path'] }}/containers/paperless/ssl/ilnmors_root_ca.crt"
+    owner: "{{ paperless_subuid }}"
+    group: "svadmins"
+    mode: "0440"
+  become: true
+  notify: "notification_restart_paperless"
+  no_log: true
+
+- name: Register secret value to podman secret
+  containers.podman.podman_secret:
+    name: "{{ item.name }}"
+    data: "{{ item.value }}"
+    state: "present"
+    force: true
+  loop:
+    - name: "PAPERLESS_SECRET_KEY"
+      value: "{{ hostvars['console']['paperless']['session_secret'] }}"
+    - name: "PAPERLESS_DBPASS"
+      value: "{{ hostvars['console']['postgresql']['password']['paperless'] }}"
+    - name: "PAPERLESS_SOCIALACCOUNT_PROVIDERS"
+      value: |-
+        {
+          "openid_connect": {
+            "SCOPE": ["openid", "profile", "email"],
+            "OAUTH_PKCE_ENABLED": true,
+            "APPS": [
+              {
+                "provider_id": "authelia",
+                "name": "Authelia",
+                "client_id": "paperless",
+                "secret": "{{ hostvars['console']['paperless']['oidc']['secret'] }}",
+                "settings": {
+                  "server_url": "https://authelia.ilnmors.com/.well-known/openid-configuration",
+                  "token_auth_method": "client_secret_post"
+                }
+              }
+            ]
+          }
+        }
+  notify: "notification_restart_paperless"
+  no_log: true
+
+- name: Deploy paperless.container file
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/paperless/paperless.container.j2"
+    dest: "{{ node['home_path'] }}/.config/containers/systemd/paperless.container"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0644"
+  notify: "notification_restart_paperless"
+
+- name: Enable paperless.service
+  ansible.builtin.systemd:
+    name: "paperless.service"
+    state: "started"
+    enabled: true
+    daemon_reload: true
+    scope: "user"

ansible/roles/app/tasks/services/set_vikunja.yaml

@@ -0,0 +1,62 @@
+---
+- name: Set vikunja subuid
+  ansible.builtin.set_fact:
+    vikunja_subuid: "100999"
+
+- name: Create paperless directory
+  ansible.builtin.file:
+    path: "{{ node['home_path'] }}/{{ item }}"
+    state: "directory"
+    owner: "{{ vikunja_subuid }}"
+    group: "svadmins"
+    mode: "0770"
+  loop:
+    - "data/containers/vikunja"
+    - "containers/vikunja"
+    - "containers/vikunja/ssl"
+  become: true
+
+- name: Deploy root certificate
+  ansible.builtin.copy:
+    content: |
+      {{ hostvars['console']['ca']['root']['crt'] }}
+    dest: "{{ node['home_path'] }}/containers/vikunja/ssl/ilnmors_root_ca.crt"
+    owner: "{{ vikunja_subuid }}"
+    group: "svadmins"
+    mode: "0440"
+  become: true
+  notify: "notification_restart_vikunja"
+  no_log: true
+
+- name: Register secret value to podman secret
+  containers.podman.podman_secret:
+    name: "{{ item.name }}"
+    data: "{{ item.value }}"
+    state: "present"
+    force: true
+  loop:
+    - name: "VIKUNJA_SERVICE_JWTSECRET"
+      value: "{{ hostvars['console']['vikunja']['session_secret'] }}"
+    - name: "VIKUNJA_DATABASE_PASSWORD"
+      value: "{{ hostvars['console']['postgresql']['password']['vikunja'] }}"
+    - name: "VIKUNJA_AUTH_OPENID_PROVIDERS_authelia_CLIENTSECRET"
+      value: "{{ hostvars['console']['vikunja']['oidc']['secret'] }}"
+  notify: "notification_restart_vikunja"
+  no_log: true
+
+- name: Deploy vikunja.container file
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/vikunja/vikunja.container.j2"
+    dest: "{{ node['home_path'] }}/.config/containers/systemd/vikunja.container"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0644"
+  notify: "notification_restart_vikunja"
+
+- name: Enable vikunja.service
+  ansible.builtin.systemd:
+    name: "vikunja.service"
+    state: "started"
+    enabled: true
+    daemon_reload: true
+    scope: "user"

ansible/roles/common/handlers/main.yaml

@@ -27,14 +27,14 @@
   listen: "notification_reload_networkctl"
   ignore_errors: true # noqa: ignore-errors
 
-- name: Reload systemd-resolved.service
+- name: Restart systemd-resolved.service
   ansible.builtin.systemd:
     name: "systemd-resolved.service"
-    state: "reloaded"
+    state: "restarted"
     enabled: true
   become: true
   changed_when: false
-  listen: "notification_reload_resolved"
+  listen: "notification_restart_resolved"
   ignore_errors: true # noqa: ignore-errors
 
 - name: Restart systemd-timesyncd

ansible/roles/common/tasks/node/set_resolved.yaml

@@ -28,7 +28,7 @@
     group: "systemd-resolve"
     mode: "0640"
   become: true
-  notify: "notification_reload_resolved"
+  notify: "notification_restart_resolved"
 
 - name: Restart systemd-resolved.service when it is initiated
   ansible.builtin.systemd:

ansible/roles/console/tasks/services/set_cli_tools.yaml

@@ -68,7 +68,7 @@
     dest: "{{ node['data_path'] }}/bin/blocky-{{ version['packages']['blocky'] }}-{{ item }}.tar.gz"
     owner: "{{ ansible_user }}"
     group: "svadmins"
-    mode: "0600" # noqa: line-length
+    mode: "0600"
   loop:
     - "x86_64"
     - "arm64"

ansible/roles/infra/tasks/services/set_postgresql.yaml

@@ -5,13 +5,15 @@
 
 - name: Set connected services list
   ansible.builtin.set_fact:
-    # telegraf has no database
     connected_services:
       - "ldap"
       - "authelia"
       - "grafana"
       - "vaultwarden"
       - "gitea"
+      - "immich"
+      - "paperless"
+      - "vikunja"
 
 - name: Create postgresql directory
   ansible.builtin.file:
@@ -109,7 +111,7 @@
         group: "svadmins"
         mode: "0600"
 
-    - name: Deploy resoring data sql files
+    - name: Deploy restoring data sql files
       ansible.builtin.copy:
         src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/infra/postgresql/init/pg_{{ item }}.sql"
         dest: "{{ node['home_path'] }}/containers/postgresql/init/{{ index_num + 1 }}_pg_{{ item }}.sql"

config/secrets/secrets.yaml

@@ -115,6 +115,9 @@ postgresql:
         authelia: ENC[AES256_GCM,data:OqyloAADO6KKEaBjGLsJc9GTe77wn6IvA1VCD2dfCWxx+zgzUYh87fK1XX8=,iv:QIOHNTdNnzcY/f3Co8dPdNHykhBnYRhm43nt35hbALM=,tag:DLQq58GrZd+Ul7MSn6s9uQ==,type:str]
         vaultwarden: ENC[AES256_GCM,data:BPj5eFo54DTZ82n3yTIqEbm7kb/jWT0n2kZY//oV5q48eRch3C2RBuxn/Ko=,iv:DGC4ipHMyVs25gc4sNMt8LN1RsHjiR/b303vgiFoxMY=,tag:k1eb4DoRPLKvvMstSI1faQ==,type:str]
         gitea: ENC[AES256_GCM,data:l+pBCzyQa3000SE9z1R4htD0V0ONsBtKy92dfgsVYsZ3XlEyVJDIBOsugwM=,iv:5t/oHW1vFAmV/s2Ze/cV9Vuqo96Qu6QvZeRbio7VX2s=,tag:4zeQaXiXIzBpy+tXsxmN7Q==,type:str]
+        immich: ENC[AES256_GCM,data:11jvxTKA/RL0DGL6y2/X092hnDohj6yTrYGK4IVojqBd1gCOBnDvUjgmx14=,iv:oBfHxsx9nxhyKY/WOuWfybxEX2bf+lHEtsaifFRS9lg=,tag:tAfkBdgQ8ZEkLIFcDICKDw==,type:str]
+        paperless: ENC[AES256_GCM,data:6VBrBbjVoam7SkZCSvoBTdrfkUoDghdGTiBmFLul04X/okXOHeC5zusJffY=,iv:iZumcJ3TWwZD77FzYx8THwCqC+EbnXUBrEKuPh3zgV8=,tag:u2m8SppAdxZ/duNdpuS3oQ==,type:str]
+        vikunja: ENC[AES256_GCM,data:/+wQdoFPTBG2elI9kZbAVWrHZ0DhMaYr4dc+2z9QNdb3TcDS2PEia0JuSAg=,iv:MViZTyUD8YqMmxSTWCQpJ30f/KQdQGOzPlRHHsQ8lAw=,tag:zov3POno139dkMxFDpj2gg==,type:str]
 #ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
 #
 #
@@ -195,6 +198,46 @@ gitea:
 #ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
 #
 #
+#ENC[AES256_GCM,data:HvMeGuC8JwK50pO1E/nm,iv:5NFTyjesMX0ZnBpH+hEv8jQ0G2NvrDtT23CUyLbQcUo=,tag:qWmPvQpADTeD+W8nWXRQvA==,type:comment]
+immich:
+    il:
+        password: ENC[AES256_GCM,data:PbDFc4m7rNPPN1mCjcvhbKwf/EbiJxdvO/iMspf9jMuCqQyGv7h6VrZqk98=,iv:hlMAp5wXXkFO9+ekq3A2/ioF/EX8Uau0puhb4TAHkRQ=,tag:pfS0W2JNaFNMpBlKgZ3Pjw==,type:str]
+    oidc:
+        secret: ENC[AES256_GCM,data:9ENcp2Ns21OLXDY05zRoSdP+93EiwSH8MGzZZpxK7sToe4QLUXWt9w6xQIE=,iv:Q/VcnArZHs/J2YLRVFXt3Mp+LYfuq4PD/trqO8Simig=,tag:BY/mOyZpYmoAc7NrASlmSA==,type:str]
+        hash: ENC[AES256_GCM,data:mrML2CWFFtGjq8wfWipVpv+pjJRSHe74VGC7Eoa6588R5C/sCnC3W5aI+dsRCZN3LRCjHAkOJJgjeYrwcXYdKRauXsAYR51dNSsHqqSN3WebLxapRDwcYu5e4j5RN1aPHsysr7GaQ4hhe5rKW4ORCGC3Cp3Ob+LChPy4bdCAZG3bN9k=,iv:Q4hmqhq+dvIr7DxCpcqP4E0NKyFZkOeTnDpGctmCxXM=,tag:/gji6AFkHnYwkQf3FSQUxA==,type:str]
+#ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
+#
+#
+#ENC[AES256_GCM,data:bzMt0Ox0Za4dOhoo7S6dYCdK32JI9Q==,iv:PRTryIJk0tR545XY0LoHwklvsJp5+A5bEljNmzUvRhY=,tag:EVsjRUGMOadaNbMu0Xr4XA==,type:comment]
+actualbudget:
+    oidc:
+        secret: ENC[AES256_GCM,data:TE2umZ9Vvr7cSfA2+TAfRadIWZN3hyOKQ6U9NqJFm5e9iiw1avI+QlnYcKI=,iv:rUWoclBRqh0tsGnMq29395Fn2NP7AXnSCd0s+S8jQ6I=,tag:qPX/TcdIo6BJeex7wmi02Q==,type:str]
+        hash: ENC[AES256_GCM,data:UjhNkGj+sxbnmPUx1V5kVYwZnzsB0aEvN8YV29lcvMbSnf9xpQWwD5C93Zu8SYrnS/p88qZpGBgAjr9Pcly3y0H1YMRt9zzbHZU3Uo0DPDrSWRQdeB/8LkcM/cwMAs8arS6PO03ECNnN5Z6aTmFdFnLjUkvUuSWMFscItAzMzhWCpeY=,iv:B06LI7Cq3NN8haOLfN3gWIpUFnvdUlq6D2XmARojDpk=,tag:MflE8qcY5j/aAA7xfPCqng==,type:str]
+#ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
+#
+#
+#ENC[AES256_GCM,data:McPUAbIUvtC1gdPaxTgAxAMCMWcLfg==,iv:Tp6idRf7he3sYzo8LW596C905JAaoTIhIoDUzSyRT0k=,tag:4mZQ0Swu1X9uuwjsRNhr2A==,type:comment]
+paperless:
+    session_secret: ENC[AES256_GCM,data:siwCs2noeVpg9DCEZybnmo/oz11BdrHSTnHciMOu/6g=,iv:XVjhu10TIujIdUopN9+TVVqRade9EvItDWxym6YXnZs=,tag:TxLYm+4Bo7IMaTQBtMg9pQ==,type:str]
+    il:
+        password: ENC[AES256_GCM,data:9bJHf+chTg1rppgNVafNgEuvwQ69Gx+w5d65hu68q9XeeaVb2pO9HE4BOgg=,iv:1kaXBg/iOoIZxDjEVEdaMJLDtp6zQjep3vxLmIgQN5o=,tag:+MgX8Oa3tmhjx6u9aHkDfQ==,type:str]
+    oidc:
+        secret: ENC[AES256_GCM,data:wjRDVCJsINM4z5946a6uZD+6bhN5BChLMdRzgMEJFGRGFNcXd7A1p2Iqn4I=,iv:Y4QDA09L8ULKr4hhvoiduzCD8Hifo1gAnpzjCr8e520=,tag:R0RvGxYnXo3zwykXJykRug==,type:str]
+        hash: ENC[AES256_GCM,data:pali6WwPNhJA+6QL4O+tKv42PnpGqmojb8JQUZLqxGizv1bJSCgdUN8upCy5Ke0DYZs5P+JY5vh23xfMZFnHduGxGwOuPX6J5lYgvJRV58LqS3/+yIBBprTJyro3MwsurTTEWesgKMr8/2H9lirhaLjWUOSPxAmQ6e4wPNpHycDVyj4=,iv:cg2trI7t1MfIcMo1/M+IY6JEl2msDoKRGgAx/Y5nyGk=,tag:gnOq7sBq9z5zrRY0yhIabg==,type:str]
+#ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
+#
+#
+#ENC[AES256_GCM,data:V7DJHA2JQirfBsrCGhXrhg==,iv:+jYqX9hGNnuyYj9o9LpCYFVOoD6nSrtc4t40Ag0mMzo=,tag:1wSxKtkJm42reUxdwYDvlg==,type:comment]
+vikunja:
+    session_secret: ENC[AES256_GCM,data:CMyw8JGHyTczGsrOJJwQBKfXMU4Sudvwkur1Lgx4o64=,iv:F2VmpqddiDT4jGaGDKGl6FARsQOt3lLz3X6TjC2MIVU=,tag:UJYyzrl/FX1BNwY4ROFncA==,type:str]
+    il:
+        password: ENC[AES256_GCM,data:wDYAVUTFyL/CaXQXYviP3WAILmnREwYui8PZq9nXJPNa3FlwX6b/fzxbCvw=,iv:We+jb4W62O8tYRjGPv+lwlhyVF8eIeTiPNoELdLU+6M=,tag:y7vTZ+6TAsv4XajB4JOL7A==,type:str]
+    oidc:
+        secret: ENC[AES256_GCM,data:QwqndYsfr+fh9OLkHYtLYCa6WUdhnL7A4btz1d1eelTwq3Kps5S6BUN5qZg=,iv:51N8byIAAUh4ky7YBAuEJOBEWu1d9AX5W1m37/cLlCM=,tag:GD7jbxNGd748TCPgqsxyMg==,type:str]
+        hash: ENC[AES256_GCM,data:ORifyT4u1V2CyBCNBgF72wwS2i05mlzA4iIVEa1cH9aaE69PdiQvGGzMHK+tmlfpVaVQEENSt1QDUSSlMyeuZT/3a0JwAvlz+XDbpS7bicL2cB6DCa4JyEd/rbGRXs0/COfxPxXzYv7jq9gd2uSJ+cCGYb/93WuEXSEI6PHi+FF7N94=,iv:FVSGySa4YB2vwenqSagBzxeIexg91ewvcQMix+etmng=,tag:yyQtOgzOZypba+rV3A1K9g==,type:str]
+#ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
+#
+#
 #ENC[AES256_GCM,data:T4Wtn49AAxPd2QUFTR+q,iv:bH5goGWBDqumAat9dUv2OwfCUJUpuVqncTMqMBZUXhI=,tag:G+W6hHA+yftQ+4RJpXrxHg==,type:comment]
 switch:
     password: ENC[AES256_GCM,data:qu0f9L7A0eFq/UCpaRs=,iv:W8LLOp3MSfd/+EfNEZNf91K8GgI5eUfVPoWTRES2C0Y=,tag:Q5FlAOfwqwJwPvd7k6i+0g==,type:str]
@@ -224,7 +267,7 @@ sops:
             UmliaFNxVTBqRkI1QWJpWGpTRWxETW8KEY/8AfU73UOzCGhny1cNnd5dCNv7bHXt
             k+uyWPPi+enFkVaceSwMFrA66uaWWrwAj11sXEB7yzvGFPrnAGezjQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-03-14T21:11:56Z"
-    mac: ENC[AES256_GCM,data:cTm/Vrukt1cnq5xWmfF7J3xhDrVH94ampOK1IqZgsBICuJgDm6VYbntElCcnrmPE4BrIAFr8SyDQa28QgLf+e2UBn36yVUNZTor1kx24WkMsjj4MIRJRlYSQoFAg1iJSGTshqiwgQQMfj1nOCctLXdNAyQFWHt+E+9zqeXFB/l8=,iv:/dDIeqEW8/T5V8glumE3cTTy9e3bFAvg3GaMHAYkFi0=,tag:7eUKYIkju8wniz+/xmGfgg==,type:str]
+    lastmodified: "2026-03-28T01:12:44Z"
+    mac: ENC[AES256_GCM,data:hGvVNYQ2qUf9zGMbY5lupY9NI4rCnbza7OruAho12UTcTpD9vktWj559U/UoZpKDknR9n+d50UOGcukeFgLtPBo6xy0+Yf0FRCZU59SQ9k02f3wyIck5ANikBImeN6gGKUbiuIcQUqD3jWH1b2u6V02KN8UkKs7CywHKhI2IoKg=,iv:orXjewDUalAxGOdMjXs18Al98MLzYHTyaWnCz0VqRU4=,tag:hZ5aV3E2kB0US4zAk66Z2Q==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.12.1

config/services/containers/app/actual-budget/actual-budget.container.j2

@@ -0,0 +1,29 @@
+[Quadlet]
+DefaultDependencies=false
+
+[Unit]
+Description=Actual Budget
+
+[Container]
+Image=ghcr.io/actualbudget/actual-server:{{ version['containers']['actualbudget'] }}
+ContainerName=actual-budget
+HostName=actual-budget
+
+PublishPort=5006:5006
+
+Volume=%h/data/containers/actual-budget:/data:rw
+
+Environment="TZ=Asia/Seoul"
+Environment="ACTUAL_OPENID_DISCOVERY_URL=https://authelia.ilnmors.com/.well-known/openid-configuration"
+Environment="ACTUAL_OPENID_CLIENT_ID=actual-budget"
+Environment="ACTUAL_OPENID_SERVER_HOSTNAME=https://budget.ilnmors.com"
+Environment="ACTUAL_OPENID_AUTH_METHOD=oauth2"
+Secret=ACTUAL_OPENID_CLIENT_SECRET,type=env
+
+[Service]
+Restart=always
+RestartSec=10s
+TimeoutStopSec=120
+
+[Install]
+WantedBy=default.target

config/services/containers/app/immich/immich-ml.container.j2

@@ -0,0 +1,32 @@
+[Quadlet]
+DefaultDependencies=false
+
+[Unit]
+Description=Immich Machine Learning
+
+After=immich.service
+Wants=immich.service
+
+[Container]
+Image=ghcr.io/immich-app/immich-machine-learning:{{ version['containers']['immich'] }}-openvino
+
+ContainerName=immich-ml
+HostName=immich-ml
+
+PublishPort=3003:3003
+
+# iGPU access for OpenVINO
+AddDevice=/dev/dri:/dev/dri
+PodmanArgs=--group-add keep-groups
+
+Volume=%h/containers/immich/ml/cache:/cache:rw
+
+Environment="TZ=Asia/Seoul"
+
+[Service]
+Restart=always
+RestartSec=10s
+TimeoutStopSec=120
+
+[Install]
+WantedBy=default.target

config/services/containers/app/immich/immich.container.j2

@@ -0,0 +1,49 @@
+[Quadlet]
+DefaultDependencies=false
+
+[Unit]
+Description=Immich
+
+After=redis_immich.service
+Wants=redis_immich.service
+
+[Container]
+Image=ghcr.io/immich-app/immich-server:{{ version['containers']['immich'] }}
+
+ContainerName=immich
+HostName=immich
+
+PublishPort=2283:2283
+
+# iGPU access
+AddDevice=/dev/dri:/dev/dri
+PodmanArgs=--group-add keep-groups
+
+# Volumes
+Volume=%h/data/containers/immich:/data:rw
+Volume=%h/containers/immich/ssl:/etc/ssl/immich:ro
+
+# Environment
+Environment="TZ=Asia/Seoul"
+Environment="REDIS_HOSTNAME=host.containers.internal"
+Environment="REDIS_PORT={{ hostvars['app']['redis']['immich'] }}"
+Environment="REDIS_DBINDEX=0"
+
+# Database
+Environment="DB_HOSTNAME={{ infra_uri['postgresql']['domain'] }}"
+Environment="DB_PORT={{ infra_uri['postgresql']['ports']['tcp'] }}"
+Environment="DB_USERNAME=immich"
+Environment="DB_DATABASE_NAME=immich_db"
+Environment="DB_PASSWORD_FILE=/run/secrets/DB_PASSWORD"
+Environment="DB_SSL_MODE=verify-full"
+Environment="NODE_EXTRA_CA_CERTS=/etc/ssl/immich/ilnmors_root_ca.crt"
+Secret=IMMICH_DB_PASSWORD,target=/run/secrets/DB_PASSWORD
+
+[Service]
+ExecStartPre=/usr/bin/nc -zv {{ infra_uri['postgresql']['domain'] }} {{ infra_uri['postgresql']['ports']['tcp'] }}
+Restart=always
+RestartSec=10s
+TimeoutStopSec=120
+
+[Install]
+WantedBy=default.target

config/services/containers/app/paperless/paperless.container.j2

@@ -0,0 +1,59 @@
+[Quadlet]
+DefaultDependencies=false
+
+[Unit]
+Description=Paperless
+
+After=redis_paperless.service
+Wants=redis_paperless.service
+
+[Container]
+Image=ghcr.io/paperless-ngx/paperless-ngx:{{ version['containers']['paperless'] }}
+ContainerName=paperless
+HostName=paperless
+PublishPort=8001:8000/tcp
+
+# Volumes
+Volume=%h/data/containers/paperless/data:/usr/src/paperless/data:rw
+Volume=%h/data/containers/paperless/media:/usr/src/paperless/media:rw
+Volume=%h/data/containers/paperless/consume:/usr/src/paperless/consume:rw
+Volume=%h/containers/paperless/ssl:/etc/ssl/paperless:ro
+
+# General
+Environment="TZ=Asia/Seoul"
+Environment="PAPERLESS_TIME_ZONE=Asia/Seoul"
+Environment="PAPERLESS_URL=https://paperless.ilnmors.com"
+Environment="PAPERLESS_OCR_LANGUAGE=kor+eng"
+Environment="PAPERLESS_OCR_LANGUAGES=kor"
+# Environment="PAPERLESS_OCR_MODE=force"
+# Environment="PAPERLESS_TASK_WORKERS=1"
+# Environment="PAPERLESS_THREADS_PER_WORKER=1"
+Environment="PAPERLESS_WORKER_TIMEOUT=7200"
+Secret=PAPERLESS_SECRET_KEY,type=env
+
+# Redis
+Environment="PAPERLESS_REDIS=redis://host.containers.internal:{{ hostvars['app']['redis']['paperless'] }}"
+
+# Database
+Environment="PAPERLESS_DBHOST={{ infra_uri['postgresql']['domain'] }}"
+Environment="PAPERLESS_DBPORT={{ infra_uri['postgresql']['ports']['tcp'] }}"
+Environment="PAPERLESS_DBNAME=paperless_db"
+Environment="PAPERLESS_DBUSER=paperless"
+Environment="PAPERLESS_DBSSLMODE=verify-full"
+Environment="PAPERLESS_DBSSLROOTCERT=/etc/ssl/paperless/ilnmors_root_ca.crt"
+Secret=PAPERLESS_DBPASS,type=env
+
+# OIDC
+Environment="PAPERLESS_APPS=allauth.socialaccount.providers.openid_connect"
+Environment="PAPERLESS_SOCIAL_AUTO_SIGNUP=true"
+Environment="PAPERLESS_SOCIALACCOUNT_ALLOW_SIGNUPS=true"
+Secret=PAPERLESS_SOCIALACCOUNT_PROVIDERS,type=env
+
+[Service]
+ExecStartPre=/usr/bin/nc -zv {{ infra_uri['postgresql']['domain'] }} {{ infra_uri['postgresql']['ports']['tcp'] }}
+Restart=always
+RestartSec=10s
+TimeoutStopSec=120
+
+[Install]
+WantedBy=default.target

config/services/containers/app/redis/redis.conf.j2

@@ -0,0 +1,4 @@
+databases 16
+bind 0.0.0.0
+port {{ hostvars['app']['redis'][redis_service] }}
+protected-mode no

config/services/containers/app/redis/redis.container.j2

@@ -0,0 +1,31 @@
+[Quadlet]
+DefaultDependencies=false
+
+[Unit]
+Description=Redis - {{ redis_service }}
+
+After=network-online.target
+Wants=network-online.target
+
+[Container]
+Image=docker.io/library/redis:{{ version['containers']['redis'] }}
+
+ContainerName=redis_{{ redis_service }}
+HostName=redis_{{ redis_service }}
+
+PublishPort={{ hostvars['app']['redis'][redis_service] }}:{{ hostvars['app']['redis'][redis_service] }}
+
+Volume=%h/containers/redis/{{ redis_service }}/data:/data:rw
+Volume=%h/containers/redis/{{ redis_service }}/redis.conf:/usr/local/etc/redis/redis.conf:ro
+
+Exec=redis-server /usr/local/etc/redis/redis.conf
+
+Environment="TZ=Asia/Seoul"
+
+[Service]
+Restart=always
+RestartSec=10s
+TimeoutStopSec=120
+
+[Install]
+WantedBy=default.target

config/services/containers/app/vikunja/vikunja.container.j2

@@ -0,0 +1,56 @@
+[Quadlet]
+DefaultDependencies=false
+
+[Unit]
+Description=Vikunja
+
+After=network-online.target
+Wants=network-online.target
+
+[Container]
+Image=docker.io/vikunja/vikunja:{{ version['containers']['vikunja'] }}
+ContainerName=vikunja
+HostName=vikunja
+PublishPort=3456:3456/tcp
+
+# Volumes
+Volume=%h/data/containers/vikunja:/app/vikunja/files:rw
+Volume=%h/containers/vikunja/ssl:/etc/ssl/vikunja:ro
+
+# General
+Environment="TZ=Asia/Seoul"
+Environment="VIKUNJA_DEFAULTSETTINGS_TIMEZONE=Asia/Seoul"
+Environment="VIKUNJA_SERVICE_TIMEZONE=Asia/Seoul"
+Environment="VIKUNJA_SERVICE_PUBLICURL=https://vikunja.ilnmors.com"
+Environment="VIKUNJA_SERVICE_ENABLEREGISTRATION=false"
+Secret=VIKUNJA_SERVICE_JWTSECRET,type=env
+
+
+# Database
+Environment="VIKUNJA_DATABASE_TYPE=postgres"
+Environment="VIKUNJA_DATABASE_HOST={{ infra_uri['postgresql']['domain'] }}"
+Environment="VIKUNJA_DATABASE_USER=vikunja"
+Environment="VIKUNJA_DATABASE_DATABASE=vikunja_db"
+Environment="VIKUNJA_DATABASE_SSLMODE=verify-full"
+Environment="VIKUNJA_DATABASE_SSLROOTCERT=/etc/ssl/vikunja/ilnmors_root_ca.crt"
+Secret=VIKUNJA_DATABASE_PASSWORD,type=env
+
+
+# OIDC
+Environment="VIKUNJA_AUTH_OPENID_ENABLED=true"
+Environment="VIKUNJA_AUTH_OPENID_PROVIDERS_authelia_NAME=Authelia"
+Environment="VIKUNJA_AUTH_OPENID_PROVIDERS_authelia_AUTHURL=https://authelia.ilnmors.com"
+Environment="VIKUNJA_AUTH_OPENID_PROVIDERS_authelia_CLIENTID=vikunja"
+# Environment="VIKUNJA_AUTH_OPENID_PROVIDERS_authelia_SCOPE=" default value = openid email profile
+Environment="VIKUNJA_AUTH_OPENID_PROVIDERS_authelia_USERNAMEFALLBACK=true"
+Environment="VIKUNJA_AUTH_OPENID_PROVIDERS_authelia_EMAILFALLBACK=true"
+Secret=VIKUNJA_AUTH_OPENID_PROVIDERS_authelia_CLIENTSECRET,type=env
+
+[Service]
+ExecStartPre=/usr/bin/nc -zv {{ infra_uri['postgresql']['domain'] }} {{ infra_uri['postgresql']['ports']['tcp'] }}
+Restart=always
+RestartSec=10s
+TimeoutStopSec=120
+
+[Install]
+WantedBy=default.target

config/services/containers/auth/authelia/config/authelia.yaml.j2

@@ -152,3 +152,91 @@ identity_providers:
         access_token_signed_response_alg: 'none'
         userinfo_signed_response_alg: 'none'
         token_endpoint_auth_method: 'client_secret_basic'
+      # https://www.authelia.com/integration/openid-connect/clients/immich/
+      - client_id: 'immich'
+        client_name: 'immich'
+        client_secret: '{{ hostvars['console']['immich']['oidc']['hash'] }}'
+        public: false
+        authorization_policy: 'one_factor'
+        require_pkce: false
+        pkce_challenge_method: ''
+        redirect_uris:
+          - 'https://immich.ilnmors.com/auth/login'
+          - 'https://immich.ilnmors.com/user-settings'
+          - 'app.immich:///oauth-callback'
+        scopes:
+          - 'openid'
+          - 'profile'
+          - 'email'
+        response_types:
+          - 'code'
+        grant_types:
+          - 'authorization_code'
+        access_token_signed_response_alg: 'none'
+        userinfo_signed_response_alg: 'none'
+        token_endpoint_auth_method: 'client_secret_post'
+      # https://www.authelia.com/integration/openid-connect/clients/actual-budget/
+      - client_id: 'actual-budget'
+        client_name: 'Actual Budget'
+        client_secret: '{{ hostvars['console']['actualbudget']['oidc']['hash'] }}'
+        public: false
+        authorization_policy: 'one_factor'
+        require_pkce: false
+        pkce_challenge_method: ''
+        redirect_uris:
+          - 'https://budget.ilnmors.com/openid/callback'
+        scopes:
+          - 'openid'
+          - 'profile'
+          - 'groups'
+          - 'email'
+        response_types:
+          - 'code'
+        grant_types:
+          - 'authorization_code'
+        access_token_signed_response_alg: 'none'
+        userinfo_signed_response_alg: 'none'
+        token_endpoint_auth_method: 'client_secret_basic'
+      # https://www.authelia.com/integration/openid-connect/clients/paperless/
+      - client_id: 'paperless'
+        client_name: 'Paperless'
+        client_secret: '{{ hostvars['console']['paperless']['oidc']['hash'] }}'
+        public: false
+        authorization_policy: 'one_factor'
+        require_pkce: true
+        pkce_challenge_method: 'S256'
+        redirect_uris:
+          - 'https://paperless.ilnmors.com/accounts/oidc/authelia/login/callback/'
+        scopes:
+          - 'openid'
+          - 'profile'
+          - 'email'
+          - 'groups'
+        response_types:
+          - 'code'
+        grant_types:
+          - 'authorization_code'
+        access_token_signed_response_alg: 'none'
+        userinfo_signed_response_alg: 'none'
+        token_endpoint_auth_method: 'client_secret_post'
+      # https://www.authelia.com/integration/openid-connect/clients/vikunja/
+      - client_id: 'vikunja'
+        client_name: 'Vikunja'
+        client_secret: '{{ hostvars['console']['vikunja']['oidc']['hash'] }}'
+        public: false
+        authorization_policy: 'one_factor'
+        require_pkce: false
+        pkce_challenge_method: ''
+        redirect_uris:
+          - 'https://vikunja.ilnmors.com/auth/openid/authelia'
+        scopes:
+          - 'openid'
+          - 'profile'
+          - 'email'
+        response_types:
+          - 'code'
+        grant_types:
+          - 'authorization_code'
+        access_token_signed_response_alg: 'none'
+        userinfo_signed_response_alg: 'none'
+        token_endpoint_auth_method: 'client_secret_basic'

config/services/containers/common/caddy/etc/app/Caddyfile.j2

@@ -15,6 +15,7 @@
                                 key_alg hmac-sha256
                                 key "{file./run/secrets/CADDY_ACME_KEY}"
                         }
+                        resolvers {{ infra_uri['bind']['domain'] }}
                 }
         }
 }
@@ -40,3 +41,27 @@ gitea.app.ilnmors.internal {
                header_up Host {http.request.header.X-Forwarded-Host}
         }
 }
+immich.app.ilnmors.internal {
+        import private_tls
+        reverse_proxy host.containers.internal:2283 {
+                header_up Host {http.request.header.X-Forwarded-Host}
+        }
+}
+budget.app.ilnmors.internal {
+        import private_tls
+        reverse_proxy host.containers.internal:5006 {
+                header_up Host {http.request.header.X-Forwarded-Host}
+        }
+}
+paperless.app.ilnmors.internal {
+        import private_tls
+        reverse_proxy host.containers.internal:8001 {
+                header_up Host {http.request.header.X-Forwarded-Host}
+        }
+}
+vikunja.app.ilnmors.internal {
+        import private_tls
+        reverse_proxy host.containers.internal:3456 {
+                header_up Host {http.request.header.X-Forwarded-Host}
+        }
+}

config/services/containers/common/caddy/etc/auth/Caddyfile.j2

@@ -29,6 +29,7 @@
                                 key_alg hmac-sha256
                                 key "{file./run/secrets/CADDY_ACME_KEY}"
                         }
+                        resolvers {{ infra_uri['bind']['domain'] }}
                 }
         }
 }
@@ -81,6 +82,42 @@ gitea.ilnmors.com {
                 }
         }
 }
+immich.ilnmors.com {
+        import crowdsec_log
+        route {
+                crowdsec
+                reverse_proxy https://immich.app.ilnmors.internal {
+                        header_up Host {http.reverse_proxy.upstream.host}
+                }
+        }
+}
+budget.ilnmors.com {
+        import crowdsec_log
+        route {
+                crowdsec
+                reverse_proxy https://budget.app.ilnmors.internal {
+                        header_up Host {http.reverse_proxy.upstream.host}
+                }
+        }
+}
+paperless.ilnmors.com {
+        import crowdsec_log
+        route {
+                crowdsec
+                reverse_proxy https://paperless.app.ilnmors.internal {
+                        header_up Host {http.reverse_proxy.upstream.host}
+                }
+        }  
+}
+vikunja.ilnmors.com {
+        import crowdsec_log
+        route {
+                crowdsec
+                reverse_proxy https://vikunja.app.ilnmors.internal {
+                        header_up HOST {http.reverse_proxy.upstream.host}
+                }
+        }
+}
 
 # Internal domain
 auth.ilnmors.internal {

config/services/containers/common/caddy/etc/infra/Caddyfile.j2

@@ -9,6 +9,7 @@
                                 key_alg hmac-sha256
                                 key "{file./run/secrets/CADDY_ACME_KEY}"
                         }
+                        resolvers {{ infra_uri['bind']['domain'] }}
                 }
         }
 }

config/services/systemd/common/crowdsec/bouncers/whitelists.yaml.j2

@@ -1,11 +1,19 @@
 name: crowdsecurity/whitelists
-description: "Whitelist console/admin hosts only"
+description: "Local whitelist policy"
 whitelist:
-    reason: "trusted admin hosts"
+    reason: "rules"
     ip:
+        # Console IP lists
         - "127.0.0.1"
         - "::1"
         - "{{ hostvars['fw']['network4']['console']['client'] }}"
         - "{{ hostvars['fw']['network4']['console']['wg'] }}"
         - "{{ hostvars['fw']['network6']['console']['client'] }}"
         - "{{ hostvars['fw']['network6']['console']['wg'] }}"
+{% if node['name'] == 'auth' %}
+    expression:
+        # budget local-first sql scrap rule
+        - "evt.Meta.target_fqdn == 'budget.ilnmors.com' && evt.Meta.http_path contains '/data/migrations/'"
+        # immich thumbnail request 404 error false positive
+        - "evt.Meta.target_fqdn == 'immich.ilnmors.com' && evt.Meta.http_path contains '/api/assets/' && evt.Meta.http_path contains '/thumbnail'"
+{% endif %}

docs/services/app/actual-budget.md

@@ -0,0 +1,22 @@
+# Actual budget
+
+## Prerequisite
+
+### Create oidc secret and hash
+
+- Create the secret with `openssl rand -base64 32`
+- access to auth vm
+  - `podman exec -it authelia sh`
+  - `authelia crypto hash generate pbkdf2 --password 'actualbudget.oidc.secret'`
+- Save this value in secrets.yaml in `actualbudget.oidc.secret` and `actualbudget.oidc.hash`
+
+## Configuration
+
+### Initialization
+
+- Use current domain
+  - ok
+- Start Using OpenID
+  - Start fresh
+- Server Online: User directory: Add User: the user name which is defined on LDAP
+- Server Online: User Access: enable user

docs/services/app/gitea.md

@@ -5,11 +5,11 @@
 ### Create database
 
 - Create the password with `openssl rand -base64 32`
-  - Save this value in secrets.yaml in `postgres.password.gitea`
+  - Save this value in secrets.yaml in `postgresql.password.gitea`
   - Access infra server to create gitea_db with `podman exec -it postgresql psql -U postgres`
 
 ```SQL
-CREATE USER gitea WITH PASSWORD 'gitea.password.vaultwarden';
+CREATE USER gitea WITH PASSWORD 'postgresql.password.gitea';
 CREATE DATABASE gitea_db;
 ALTER DATABASE gitea_db OWNER TO gitea;
 ```
@@ -34,7 +34,6 @@ ALTER DATABASE gitea_db OWNER TO gitea;
 ```yaml
 - name: Set connected services list
   ansible.builtin.set_fact:
-    # telegraf has no database
     connected_services:
       - ...
       - "gitea"

docs/services/app/immich.md

@@ -0,0 +1,86 @@
+# immich
+
+## Prerequisite
+
+### Create database
+
+- Create the password with `openssl rand -base64 32`
+  - Save this value in secrets.yaml in `postgresql.password.immich`
+  - Access infra server to create immich_db with `podman exec -it postgresql psql -U postgres`
+
+```SQL
+CREATE USER immich WITH PASSWORD 'postgresql.password.immich';
+CREATE DATABASE immich_db;
+ALTER DATABASE immich_db OWNER TO immich;
+\connect immich_db
+CREATE EXTENSION IF NOT EXISTS vchord CASCADE;
+CREATE EXTENSION IF NOT EXISTS cube CASCADE;
+CREATE EXTENSION IF NOT EXISTS earthdistance CASCADE;
+\dx
+-- Check the extension is activated with `\dx`
+-- postgresql image is built with `pgvector` and `vectorchord` already
+```
+
+### Create oidc secret and hash
+
+- Create the secret with `openssl rand -base64 32`
+- access to auth vm
+  - `podman exec -it authelia sh`
+  - `authelia crypto hash generate pbkdf2 --password 'immich.oidc.secret'`
+- Save this value in secrets.yaml in `immich.oidc.secret` and `immich.oidc.hash`
+
+### Create admin password
+
+- Create the secret with `openssl rand -base64 32`
+- Save this value in secrets.yaml in `immich.il.password`
+
+### Add postgresql dump backup list
+
+- [set_postgresql.yaml](../../../ansible/roles/infra/tasks/services/set_postgresql.yaml)
+
+```yaml
+- name: Set connected services list
+  ansible.builtin.set_fact:
+    connected_services:
+      - ...
+      - "immich"
+```
+
+## Configuration
+
+### Access to immich
+
+- https://immich.ilnmors.com
+  - Getting started
+  - admin E-mail
+  - admin password
+  - admin name
+- Theme
+- language
+- Server privacy
+  - map
+  - version check
+- User privacy
+  - google cast \(disable\)
+- Storage template
+  - `{{y}}/{{MM}}/{{y}}{{MM}}{{dd}}_{{hh}}{{mm}}{{ss}}`
+- Backups
+- Mobile App
+- Done
+
+### Oauth configuration
+
+- Administartion: Authentication Settings: OAuth: Enable
+    - Issuer URL: https://auth.example.com/.well-known/openid-configuration
+    - Client ID: immich
+    - Client Secret: immich.oidc.secret
+    - Scope: openid profile email
+    - Button Text: Login with Authelia
+    - Auto Register: Enable if desired
+
+### Machine learning configuration
+
+- Administration: Machine Learning Settings: Enable
+  - URL: http://host.containers.internal:3003
+- **!CAUTION!**
+  - immich-ml should contain `-openvino` to use GPU for machine learning.

docs/services/app/paperless-ngx.md

@@ -0,0 +1,116 @@
+# paperless
+
+## Prerequisite
+
+### Create database
+
+- Create the password with `openssl rand -base64 32`
+  - Save this value in secrets.yaml in `postgresql.password.paperless`
+  - Access infra server to create paperless_db with `podman exec -it postgresql psql -U postgres`
+
+```SQL
+CREATE USER paperless WITH PASSWORD 'postgresql.password.paperless';
+CREATE DATABASE paperless_db;
+ALTER DATABASE paperless_db OWNER TO paperless;
+```
+
+### Create oidc secret and hash
+
+- Create the secret with `openssl rand -base64 32`
+- access to auth vm
+  - `podman exec -it authelia sh`
+  - `authelia crypto hash generate pbkdf2 --password 'paperless.oidc.secret'`
+- Save this value in secrets.yaml in `paperless.oidc.secret` and `paperless.oidc.hash`
+- Use `client_secret_post`, django encodes the secret value wrong frequently.
+
+### Create session secret value
+
+- Create the secret with `LC_ALL=C tr -dc 'A-Za-z0-9!#%&()*+,-./:;<=>?@[\]^_{|}~' </dev/urandom | head -c 32`
+  - Save this value in secrets.yaml in `paperless.session_secret`
+
+### Create admin password
+
+- Create the secret with `openssl rand -base64 32`
+- Save this value in secrets.yaml in `paperless.il.password`
+
+### Add postgresql dump backup list
+
+- [set_postgresql.yaml](../../../ansible/roles/infra/tasks/services/set_postgresql.yaml)
+
+```yaml
+- name: Set connected services list
+  ansible.builtin.set_fact:
+    connected_services:
+      - ...
+      - "paperless"
+```
+
+## Configuration
+
+### Access to paperless
+
+- https://paperless.ilnmors.com
+  - name: il
+  - E-mail: il@ilnmors.internal
+  - password: `paperless.il.password`
+
+### Oauth configuration
+
+- My Profiles: Connect new social account: Authelia
+  - Continue
+  - Login with Authelia
+
+### OCR configuration
+
+- Configuration: OCR settings
+  - Output Type: pdfa
+  - Mode: skip
+    - When the archive file has broken ocr text, then conduct replcae command manually
+  - Skip archive File: never
+  - Deskew: disable \(toggle to enable and once more to active disable option\)
+  - rotate: disable \(toggle to enable and once more to active disable option\)
+
+## The non-standard pdf file
+
+- Some pdf files doesn't follow the standard, for example korean court or government pdf files.
+- Before upload this kind of non-standard pdf files, convert it first.
+- This process uses ghostscript and powershell in Windows for console
+
+```PowerShell
+# 1. The engine
+$gsPath = "C:\Program Files\gs\gs10.07.0\bin\gswin64c.exe"
+
+# 2. new folder which the converted file will be stored
+$outputDirName = "converted_pdfs"
+$outputDir = Join-Path (Get-Location) $outputDirName
+if (!(Test-Path $outputDir)) { New-Item -ItemType Directory -Path $outputDir }
+
+# 3. Find all pdf files
+$files = Get-ChildItem -Filter *.pdf
+
+foreach ($file in $files) {
+    if ($file.FullName -like "*$outputDirName*") { continue }
+    
+    $inputPath = $file.FullName
+    $outputPath = Join-Path $outputDir $file.Name
+    
+    Write-Host "convert: $($file.Name)" -ForegroundColor Cyan
+    
+    $gsArgs = @(
+        "-sDEVICE=pdfwrite",
+        "-dCompatibilityLevel=1.4",
+        "-dPDFSETTINGS=/default",
+        "-dNOPAUSE",
+        "-dQUIET",
+        "-dBATCH",
+        "-dNoOutputFonts", # Change all text as image
+        "-sOutputFile=$outputPath",
+        "$inputPath"
+    )
+    
+    # 실행
+    & $gsPath @gsArgs
+}
+
+Write-Host "`n[Complete] All file is stored in '$outputDirName'." -ForegroundColor Green
+```

docs/services/app/vaultwarden.md

@@ -5,11 +5,11 @@
 ### Create database
 
 - Create the password with `openssl rand -base64 32`
-  - Save this value in secrets.yaml in `postgres.password.vaultwarden`
+  - Save this value in secrets.yaml in `postgresql.password.vaultwarden`
   - Access infra server to create vaultwarden_db with `podman exec -it postgresql psql -U postgres`
 
 ```SQL
-CREATE USER vaultwarden WITH PASSWORD 'postgres.password.vaultwarden';
+CREATE USER vaultwarden WITH PASSWORD 'postgresql.password.vaultwarden';
 CREATE DATABASE vaultwarden_db;
 ALTER DATABASE vaultwarden_db OWNER TO vaultwarden;
 ```
@@ -33,7 +33,6 @@ ALTER DATABASE vaultwarden_db OWNER TO vaultwarden;
 ```yaml
 - name: Set connected services list
   ansible.builtin.set_fact:
-    # telegraf has no database
     connected_services:
       - ...
       - "vaultwarden"

docs/services/app/vikunja.md

@@ -0,0 +1,62 @@
+# vikunja
+
+## Prerequisite
+
+### Create database
+
+- Create the password with `openssl rand -base64 32`
+  - Save this value in secrets.yaml in `postgresql.password.vikunja`
+  - Access infra server to create vikunja_db with `podman exec -it postgresql psql -U postgres`
+
+```SQL
+CREATE USER vikunja WITH PASSWORD 'postgresql.password.vikunja';
+CREATE DATABASE vikunja_db;
+ALTER DATABASE vikunja_db OWNER TO vikunja;
+```
+
+### Create oidc secret and hash
+
+- Create the secret with `openssl rand -base64 32`
+- access to auth vm
+  - `podman exec -it authelia sh`
+  - `authelia crypto hash generate pbkdf2 --password 'vikunja.oidc.secret'`
+- Save this value in secrets.yaml in `vikunja.oidc.secret` and `vikunja.oidc.hash`
+
+### Create session secret value
+
+- Create the secret with `LC_ALL=C tr -dc 'A-Za-z0-9!#%&()*+,-./:;<=>?@[\]^_{|}~' </dev/urandom | head -c 32`
+  - Save this value in secrets.yaml in `vikunja.session_secret`
+
+### Create admin password
+
+- Create the secret with `openssl rand -base64 32`
+- Save this value in secrets.yaml in `vikunja.il.password`
+
+### Add postgresql dump backup list
+
+- [set_postgresql.yaml](../../../ansible/roles/infra/tasks/services/set_postgresql.yaml)
+
+```yaml
+- name: Set connected services list
+  ansible.builtin.set_fact:
+    connected_services:
+      - ...
+      - "vikunja"
+```
+
+## Configuration
+
+### Create local account
+
+- Access to app vm via ssh
+
+```bash
+ssh app
+podman exec -it vikunja /app/vikunja/vikunja user create --email il@ilnmors.internal --username il
+# Enter Password: vikunja.il.password
+# Confirm Password: vikunja.il.password
+```
+
+- https://vikunja.ilnmors.com
+  - Try to login locally
+  - Try to login via Authelia

docs/services/common/crowdsec.md

@@ -228,6 +228,11 @@ auth@auth:~$ sudo cscli alerts list
 │ 9  │ Ip:138.68.144.227  │ crowdsecurity/jira_cve-2021-26086 │         │    │ ban:1     │ 2026-03-06 04:18:18.35776077 +0000 UTC  │
 ╰────┴────────────────────┴───────────────────────────────────┴─────────┴────┴───────────┴─────────────────────────────────────────╯
 
+## Log check and inspect
 
+fw@fw:~$ sudo cscli alerts inspect 230 -d
 
+- check the log and analyze and make expression
+  - e.g. immich
+    - evt.Meta.target_fqdn == 'immich.ilnmors.com' && evt.Meta.http_path contains '/api/assets/' && evt.Meta.http_path contains '/thumbnail'