feat(trilium): release trilium

deployment notes:
- oidc error (users cannot access at once, it needs login twice when using oidc

README.md

@@ -1,6 +1,6 @@
 # ilnmors homelab README
 
-This homelab project implements single-node On-premise IaaS system. The homelab contains virtual machines which are divided by their roles, such as private firewall, DNS, PKI, LDAP and database, SSO\(OIDC\). The standard domain is used to implement this system without specific vendors. All components are defined as code and initiated by IaC \(Ansible\) except hypervisor initial configuration.
+This homelab project implements single-node On-premise IaaS system. The homelab contains virtual machines which are divided by their roles, such as private firewall, DNS, PKI, LDAP and database, SSO(OIDC). The standard domain is used to implement this system without specific vendors. All components are defined as code and initiated by IaC (Ansible) except hypervisor initial configuration.
 
 ## RTO times
 - Feb/25/2026 - Reprovisioning Hypervisor and vms
@@ -15,12 +15,12 @@ This homelab project implements single-node On-premise IaaS system. The homelab
 - Mar/5/2026 - Reprovisioning Hardware and Hypervisor and vms
     - RTO: 2 hour 20 min
         - console: 15min - verified
-        - certificate: 0 min \(When it needs to be created, RTO will be 20 min) - not verified
-        - wireguard: 0 min \(When it needs to be created, RTO will be 1 min) - not verified
-        - hypervisor\(+fw\): 45 min - verified
+        - certificate: 0 min (When it needs to be created, RTO will be 20 min) - not verified
+        - wireguard: 0 min (When it needs to be created, RTO will be 1 min) - not verified
+        - hypervisor(+fw): 45 min - verified
         - switch: 1 min - verified
         - dsm: 30 min - verified
-        - kopia: 0 min \(When it needs to be created, RTO will be 10 min) - verified
+        - kopia: 0 min (When it needs to be created, RTO will be 10 min) - verified
         - Extra vms: 30 min - verified
         - Etc: 30 min
 

ansible/inventory/group_vars/all.yaml

@@ -2,81 +2,235 @@
 # Global vars
 ansible_ssh_private_key_file: "/etc/secrets/{{ hostvars['console']['node']['uid'] }}/id_console"
 
-# URL infromation, you can use {{ infra_uri['services'] | split(':') | first|last }} to seperate domain and ports
-infra_uri:
+# CA
+root_cert_filename: "ilnmors_root_ca.crt"
+intermediate_cert_filename: "ilnmors_intermediate_ca.crt"
+intermediate_key_filename: "ilnmors_intermediate_ca.key"
+
+
+# local SAN and SSH SAN should be updated manually on host_vars
+domain:
+  public: "ilnmors.com"
+  internal: "ilnmors.internal"
+  dc: "dc=ilnmors,dc=internal"
+  org: "ilnmors"
+
+# DNS configuration including bind and blocky should be set manually.
+# named.conf.j2 is also set manually.
+# Check the hosts.j2 when cname records are fixed
+
+services:
   crowdsec:
-    domain: "crowdsec.ilnmors.internal"
+    domain: "crowdsec"
     ports:
       https: "8080"
   bind:
-    domain: "bind.ilnmors.internal"
+    domain: "bind"
     ports:
       dns: "53"
   blocky:
-    domain: "blocky.ilnmors.internal"
+    domain: "blocky"
     ports:
       https: "443"
       dns: "53"
   postgresql:
-    domain: "postgresql.ilnmors.internal"
+    domain: "postgresql"
     ports:
       tcp: "5432" # postgresql db connection port
+    subuid: "100998"
   ldap:
-    domain: "ldap.ilnmors.internal"
+    domain: "ldap"
     ports:
       http: "17170"
-      ldaps: "636"
+      ldaps: "6360"
+    subuid: "100999"
   ca:
-    domain: "ca.ilnmors.internal"
+    domain: "ca"
     ports:
       https: "9000"
+    subuid: "100999"
+  x509-exporter:
+    ports:
+      http: "9793"
+    subuid: "165533"
   prometheus:
-    domain: "prometheus.ilnmors.internal"
+    domain: "prometheus"
     ports:
       https: "9090"
+    subuid: "165533"
   loki:
-    domain: "loki.ilnmors.internal"
+    domain: "loki"
     ports:
       https: "3100"
+    subuid: "110000"
+  grafana:
+    domain: "grafana"
+    ports:
+      http: "3000" # Infra server: Internal ports
+    subuid: "100471"
+  caddy:
+    ports:
+      http: "2080"
+      https: "2443"
   nas:
-    domain: "nas.ilnmors.internal"
+    domain: "nas"
     ports:
       https: "5001"
   kopia:
-    domain: "nas.ilnmors.internal"
+    domain: "nas"
     ports:
       https: "51515"
+  authelia:
+    domain: "authelia"
+    ports:
+      http: "9091"
+  redis:
+    subuid: "100998"
+  vaultwarden:
+    domain:
+      public: "vault"
+      internal: "vault.app"
+    ports:
+      http: "8000"
+  gitea:
+    domain:
+      public: "gitea"
+      internal: "gitea.app"
+    ports:
+      http: "3000" # App server: Public ports
+    subuid: "100999"
+  immich:
+    domain:
+      public: "immich"
+      internal: "immich.app"
+    ports:
+      http: "2283"
+      redis: "6379"
+  immich-ml:
+    ports:
+      http: "3003"
+  actualbudget:
+    domain:
+      public: "actualbudget"
+      internal: "actualbudget.app"
+    ports:
+      http: "5006"
+    subuid: "101000"
+  paperless:
+    domain:
+      public: "paperless"
+      internal: "paperless.app"
+    ports:
+      http: "8001"
+      redis: "6380"
+    subuid: "100999"
+  vikunja:
+    domain:
+      public: "vikunja"
+      internal: "vikunja.app"
+    ports:
+      http: "3456"
+    subuid: "100999"
+  opencloud:
+    domain:
+      public: "opencloud"
+      internal: "opencloud.app"
+    ports:
+      http: "9200"
+    subuid: "100999"
+  manticore:
+    subuid: "100998"
+  affine:
+    domain:
+      public: "affine"
+      internal: "affine.app"
+    ports:
+      http: "3010"
+      redis: "6381"
+      manticore: "9308"
+  nextcloud:
+    domain:
+      public: "nextcloud"
+      internal: "nextcloud.app"
+    ports:
+      http: "8002"
+      redis: "6382"
+    subuid: "100032"
+  collabora:
+    domain:
+      public: "collabora"
+      internal: "collabora.app"
+    ports:
+      http: "9980"
+    subuid: "101000"
+  ezbookkeeping:
+    domain:
+      public: "budget"
+      internal: "budget.app"
+    ports:
+      http: "8003"
+    subuid: "100999"
+  sure:
+    domain:
+      public: "sure"
+      internal: "sure.app"
+    ports:
+      http: "3001"
+      redis: "6383"
+    subuid: "100999"
+  wikijs:
+    domain:
+      public: "wiki"
+      internal: "wiki.app"
+    ports:
+      http: "3002"
+    subuid: "100999"
+  trilium:
+    domain:
+      public: "notes"
+      internal: "notes.app"
+    ports:
+      http: "8004"
+    subuid: "100999"
 
 version:
   packages:
     sops: "3.12.1"
-    step: "0.29.0"
+    step: "0.30.2"
     kopia: "0.22.3"
-    blocky: "0.28.2"
-    alloy: "1.13.0"
-    # telegraf: "1.37.1"
+    blocky: "0.29.0"
+    alloy: "1.16.1"
   containers:
     # common
-    caddy: "2.10.2"
+    caddy: "2.11.2"
     # infra
-    step: "0.29.0"
-    ldap: "v0.6.2"
-    x509-exporter: "3.19.1"
-    prometheus: "v3.9.1"
-    loki: "3.6.5"
-    grafana: "12.3.3"
+    step: "0.30.2"
+    ldap: "v0.6.3"
+    x509-exporter: "4.1.0"
+    prometheus: "v3.11.3"
+    loki: "3.7.1"
+    grafana: "13.0.1"
     ## Postgresql
-    postgresql: "18.2"
+    postgresql: "18.3"
     # For immich - https://github.com/immich-app/base-images/blob/main/postgres/versions.yaml
 #    pgvector: "v0.8.1"
-    vectorchord: "0.5.3"
+    vectorchord: "1.1.1"
     # Auth
-    authelia: "4.39.15"
+    authelia: "4.39.19"
     # App
-    vaultwarden: "1.35.4"
-    gitea: "1.25.5"
-    redis: "8.6.1"
-    immich: "v2.6.3"
+    vaultwarden: "1.36.0"
+    gitea: "1.26.1"
+    redis: "8.6.3"
+    immich: "v2.7.5"
     actualbudget: "26.3.0"
-    paperless: "2.20.13"
+    paperless: "2.20.15"
     vikunja: "2.2.2"
+    opencloud: "4.0.6"
+    manticore: "25.0.0"
+    affine: "0.26.3"
+    nextcloud: "33.0.3"
+    collabora: "25.04.9.4.1"
+    ezbookkeeping: "1.4.0"
+    sure: "0.7.0-hotfix.2"
+    wikijs: "2.5.314"
+    trilium: "v0.102.2"

ansible/inventory/host_vars/app.yaml

@@ -39,7 +39,3 @@ storage:
     label: "APP_DATA"
     level: "raid10"
     mount_point: "/home/app/data"
-
-redis:
-  immich: "6379"
-  paperless: "6380"

ansible/inventory/host_vars/console.yaml

@@ -21,5 +21,6 @@ node:
   config_path: "{{ node.homelab_path }}/config"
   ssh_san: "console,console.ilnmors.internal"
   ssh_users: "vmm,fw,infra,auth,app"
-  local_san: "localhost console.ilnmors.internal"
+  # add the hostname of wsl, it is needed to improve the sudo problem
+  local_san: "localhost console.ilnmors.internal surface"
 # ansible_python_interpreter: "{{ ansible_playbook_python }}"

ansible/playbooks/app/site.yaml

@@ -209,6 +209,70 @@
           tags: ["site", "vikunja"]
       tags: ["site", "vikunja"]
 
+    - name: Set opencloud
+      ansible.builtin.include_role:
+        name: "app"
+        tasks_from: "services/set_opencloud"
+        apply:
+          tags: ["site", "opencloud"]
+      tags: ["site", "opencloud"]
+
+    - name: Set affine
+      ansible.builtin.include_role:
+        name: "app"
+        tasks_from: "services/set_affine"
+        apply:
+          tags: ["site", "affine"]
+      tags: ["site", "affine"]
+
+    - name: Set nextcloud
+      ansible.builtin.include_role:
+        name: "app"
+        tasks_from: "services/set_nextcloud"
+        apply:
+          tags: ["site", "nextcloud"]
+      tags: ["site", "nextcloud"]
+
+    - name: Set collabora
+      ansible.builtin.include_role:
+        name: "app"
+        tasks_from: "services/set_collabora"
+        apply:
+          tags: ["site", "collabora"]
+      tags: ["site", "collabora"]
+
+    - name: Set ezbookkeeping
+      ansible.builtin.include_role:
+        name: "app"
+        tasks_from: "services/set_ezbookkeeping"
+        apply:
+          tags: ["site", "ezbookkeeping"]
+      tags: ["site", "ezbookkeeping"]
+
+    - name: Set sure
+      ansible.builtin.include_role:
+        name: "app"
+        tasks_from: "services/set_sure"
+        apply:
+          tags: ["site", "sure"]
+      tags: ["site", "sure"]
+
+    - name: Set wiki.js
+      ansible.builtin.include_role:
+        name: "app"
+        tasks_from: "services/set_wikijs"
+        apply:
+          tags: ["site", "wikijs"]
+      tags: ["site", "wikijs"]
+
+    - name: Set trilium
+      ansible.builtin.include_role:
+        name: "app"
+        tasks_from: "services/set_trilium"
+        apply:
+          tags: ["site", "trilium"]
+      tags: ["site", "trilium"]
+
     - name: Flush handlers right now
       ansible.builtin.meta: "flush_handlers"
 

ansible/playbooks/console/site.yaml

@@ -115,7 +115,7 @@
       become: true
       tags: ["init", "site", "install-packages"]
 
-    - name: Install CLI tools
+    - name: Set CLI tools
       ansible.builtin.include_role:
         name: "console"
         tasks_from: "services/set_cli_tools"
@@ -123,10 +123,10 @@
           tags: ["init", "site", "tools"]
       tags: ["init", "site", "tools"]
 
-    - name: Install chromium with font
+    - name: Set kopia
       ansible.builtin.include_role:
-        name: "console"
-        tasks_from: "services/set_chromium"
+        name: "common"
+        tasks_from: "services/set_kopia"
         apply:
-          tags: ["init", "site", "chromium"]
-      tags: ["init", "site", "chromium"]
+          tags: ["init", "site", "kopia"]
+      tags: ["init", "site", "kopia"]

ansible/roles/app/handlers/main.yaml

@@ -75,3 +75,97 @@
   changed_when: false
   listen: "notification_restart_vikunja"
   ignore_errors: true # noqa: ignore-errors
+
+- name: Restart opencloud
+  ansible.builtin.systemd:
+    name: "opencloud.service"
+    state: "restarted"
+    enabled: true
+    daemon_reload: true
+    scope: "user"
+  when: is_opencloud_init.stat.exists
+  changed_when: false
+  listen: "notification_restart_opencloud"
+  ignore_errors: true # noqa: ignore-errors
+
+- name: Restart affine
+  ansible.builtin.systemd:
+    name: "affine.service"
+    state: "restarted"
+    enabled: true
+    daemon_reload: true
+    scope: "user"
+  when: is_affine_init.stat.exists
+  changed_when: false
+  listen: "notification_restart_affine"
+  ignore_errors: true # noqa: ignore-errors
+
+- name: Restart nextcloud
+  ansible.builtin.systemd:
+    name: "nextcloud.service"
+    state: "restarted"
+    enabled: true
+    daemon_reload: true
+    scope: "user"
+  when: is_nextcloud_init.stat.exists
+  changed_when: false
+  listen: "notification_restart_nextcloud"
+  ignore_errors: true # noqa: ignore-errors
+
+- name: Restart collabora
+  ansible.builtin.systemd:
+    name: "collabora.service"
+    state: "restarted"
+    enabled: true
+    scope: "user"
+    daemon_reload: true
+  changed_when: false
+  listen: "notification_restart_collabora"
+  ignore_errors: true # noqa: ignore-errors
+
+- name: Restart ezbookkeeping
+  ansible.builtin.systemd:
+    name: "ezbookkeeping.service"
+    state: "restarted"
+    enabled: true
+    scope: "user"
+    daemon_reload: true
+  changed_when: false
+  listen: "notification_restart_ezbookkeeping"
+  ignore_errors: true # noqa: ignore-errors
+
+- name: Restart sure
+  ansible.builtin.systemd:
+    name: "{{ item }}"
+    state: "restarted"
+    enabled: true
+    scope: "user"
+    daemon_reload: true
+  loop:
+    - "sure-web.service"
+    - "sure-worker.service"
+  changed_when: false
+  listen: "notification_restart_sure"
+  ignore_errors: true # noqa: ignore-errors
+
+- name: Restart wikijs
+  ansible.builtin.systemd:
+    name: "wikijs.service"
+    state: "restarted"
+    enabled: true
+    scope: "user"
+    daemon_reload: true
+  changed_when: false
+  listen: "notification_restart_wikijs"
+  ignore_errors: true # noqa: ignore-errors
+
+- name: Restart trilium
+  ansible.builtin.systemd:
+    name: "trilium.service"
+    state: "restarted"
+    enabled: true
+    scope: "user"
+    daemon_reload: true
+  changed_when: false
+  listen: "notification_restart_trilium"
+  ignore_errors: true # noqa: ignore-errors

ansible/roles/app/tasks/node/set_raid.yaml

@@ -68,3 +68,23 @@
     group: "svadmins"
     mode: "0770"
   become: true
+
+- name: Deploy btrfs scrub service and timer
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/systemd/app/btrfs/{{ item }}.j2"
+    dest: "/etc/systemd/system/{{ item }}"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  loop:
+    - "btrfs-scrub.service"
+    - "btrfs-scrub.timer"
+  become: true
+
+- name: Enable auto btrfs scrub
+  ansible.builtin.systemd:
+    name: "btrfs-scrub.timer"
+    state: "started"
+    enabled: true
+    daemon_reload: true
+  become: true

ansible/roles/app/tasks/services/set_actual-budget.yaml

@@ -1,13 +1,9 @@
 ---
-- name: Set actual budget container subuid
-  ansible.builtin.set_fact:
-    actualbudget_subuid: "101000"
-
 - name: Create actual budget directory
   ansible.builtin.file:
     path: "{{ node['home_path'] }}/data/containers/actual-budget"
     state: "directory"
-    owner: "{{ actualbudget_subuid }}"
+    owner: "{{ services['actualbudget']['subuid'] }}"
     group: "svadmins"
     mode: "0770"
   become: true

ansible/roles/app/tasks/services/set_affine.yaml

@@ -0,0 +1,163 @@
+---
+- name: Set manticore service name
+  ansible.builtin.set_fact:
+    manticore_service: "affine"
+
+- name: Create manticore directory
+  ansible.builtin.file:
+    path: "{{ node['home_path'] }}/{{ item }}"
+    state: "directory"
+    owner: "{{ services['manticore']['subuid'] }}"
+    group: "svadmins"
+    mode: "0770"
+  loop:
+    - "data/containers/manticore"
+    - "data/containers/manticore/{{ manticore_service }}"
+  become: true
+
+- name: Deploy manticore.container file
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/manticore/manticore.container.j2"
+    dest: "{{ node['home_path'] }}/.config/containers/systemd/manticore_{{ manticore_service }}.container"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0644"
+  register: "is_manticore_containerfile"
+
+- name: Enable (Restart) manticore.service
+  ansible.builtin.systemd:
+    name: "manticore_{{ manticore_service }}.service"
+    state: "restarted"
+    enabled: true
+    daemon_reload: true
+    scope: "user"
+  when: is_manticore_containerfile.changed # noqa: no-handler
+
+- name: Set redis service name
+  ansible.builtin.set_fact:
+    redis_service: "affine"
+
+- name: Create redis_affine directory
+  ansible.builtin.file:
+    path: "{{ node['home_path'] }}/{{ item }}"
+    state: "directory"
+    owner: "{{ services['redis']['subuid'] }}"
+    group: "svadmins"
+    mode: "0770"
+  loop:
+    - "containers/redis"
+    - "containers/redis/{{ redis_service }}"
+    - "containers/redis/{{ redis_service }}/data"
+  become: true
+
+- name: Deploy redis config file
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/redis/redis.conf.j2"
+    dest: "{{ node['home_path'] }}/containers/redis/{{ redis_service }}/redis.conf"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0644"
+  register: "is_redis_conf"
+
+- name: Deploy redis container file
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/redis/redis.container.j2"
+    dest: "{{ node['home_path'] }}/.config/containers/systemd/redis_{{ redis_service }}.container"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0644"
+  register: "is_redis_containerfile"
+
+- name: Enable (Restart) redis service
+  ansible.builtin.systemd:
+    name: "redis_{{ redis_service }}.service"
+    state: "restarted"
+    enabled: true
+    daemon_reload: true
+    scope: "user"
+  when: is_redis_conf.changed or is_redis_containerfile.changed # noqa: no-handler
+
+- name: Create affine directory
+  ansible.builtin.file:
+    path: "{{ node['home_path'] }}/{{ item }}"
+    state: "directory"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0770"
+  loop:
+    - "data/containers/affine"
+    - "containers/affine"
+    - "containers/affine/ssl"
+    - "containers/affine/config"
+
+- name: Deploy root certificate
+  ansible.builtin.copy:
+    content: |
+      {{ hostvars['console']['ca']['root']['crt'] }}
+    dest: "{{ node['home_path'] }}/containers/affine/ssl/{{ root_cert_filename }}"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0440"
+  notify: "notification_restart_affine"
+  no_log: true
+
+- name: Register secret value to podman secret
+  containers.podman.podman_secret:
+    name: "{{ item.name }}"
+    data: "{{ item.value }}"
+    state: "present"
+    force: true
+  loop:
+    - name: "AFFINE_PRIVATE_KEY"
+      value: "{{ hostvars['console']['affine']['secret_key'] }}"
+    - name: "AFFINE_DATABASE_URL"
+      value: "postgresql://affine:{{ hostvars['console']['postgresql']['password']['affine'] | urlencode | replace('/', '%2F') }}\
+        @{{ services['postgresql']['domain'] }}.{{ domain['internal'] }}/affine_db?sslmode=verify-full&\
+        sslrootcert=/etc/ssl/affine/{{ root_cert_filename }}"
+  notify: "notification_restart_affine"
+  no_log: true
+
+- name: Check data directory empty
+  ansible.builtin.stat:
+    path: "{{ node['home_path'] }}/data/containers/affine/.init"
+  register: "is_affine_init"
+
+- name: Initialize affine
+  when: not is_affine_init.stat.exists
+  block:
+    - name: Execute init command (Including pulling image)
+      containers.podman.podman_container:
+        name: "affine_init"
+        image: "ghcr.io/toeverything/affine:{{ version['containers']['affine'] }}"
+        command: ['sh', '-c', 'node ./scripts/self-host-predeploy.js']
+        state: "started"
+        rm: true
+        detach: false
+        secrets:
+          - "AFFINE_DATABASE_URL,type=env,target=DATABASE_URL"
+      no_log: true
+
+    - name: Create .init file
+      ansible.builtin.file:
+        path: "{{ node['home_path'] }}/data/containers/affine/.init"
+        state: "touch"
+        mode: "0644"
+        owner: "{{ ansible_user }}"
+        group: "svadmins"
+
+- name: Deploy affine.container file
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/affine/affine.container.j2"
+    dest: "{{ node['home_path'] }}/.config/containers/systemd/affine.container"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0644"
+  notify: "notification_restart_affine"
+
+- name: Enable affine.service
+  ansible.builtin.systemd:
+    name: "affine.service"
+    state: "started"
+    enabled: true
+    daemon_reload: true
+    scope: "user"

ansible/roles/app/tasks/services/set_collabora.yaml

@@ -0,0 +1,17 @@
+---
+- name: Deploy container file
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/collabora/collabora.container.j2"
+    dest: "{{ node['home_path'] }}/.config/containers/systemd/collabora.container"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0644"
+  notify: "notification_restart_collabora"
+
+- name: Enable collabora.service
+  ansible.builtin.systemd:
+    name: "collabora.service"
+    state: "started"
+    enabled: true
+    daemon_reload: true
+    scope: "user"

ansible/roles/app/tasks/services/set_ezbookkeeping.yaml

@@ -0,0 +1,58 @@
+---
+- name: Create ezbookkeeping directory
+  ansible.builtin.file:
+    path: "{{ node['home_path'] }}/{{ item }}"
+    state: "directory"
+    owner: "{{ services['ezbookkeeping']['subuid'] }}"
+    group: "svadmins"
+    mode: "0770"
+  loop:
+    - "data/containers/ezbookkeeping"
+    - "data/containers/ezbookkeeping/data"
+    - "containers/ezbookkeeping"
+    - "containers/ezbookkeeping/ssl"
+  become: true
+
+
+- name: Deploy root certificate
+  ansible.builtin.copy:
+    content: |
+      {{ hostvars['console']['ca']['root']['crt'] }}
+    dest: "{{ node['home_path'] }}/containers/ezbookkeeping/ssl/{{ root_cert_filename }}"
+    owner: "{{ services['ezbookkeeping']['subuid'] }}"
+    group: "svadmins"
+    mode: "0440"
+  become: true
+  notify: "notification_restart_ezbookkeeping"
+  no_log: true
+
+- name: Register secret value to podman secret
+  containers.podman.podman_secret:
+    name: "{{ item.name }}"
+    data: "{{ item.value }}"
+    state: "present"
+    force: true
+  loop:
+    - name: "EBK_AUTH_OAUTH2_CLIENT_SECRET"
+      value: "{{ hostvars['console']['ezbookkeeping']['oidc']['secret'] }}"
+    - name: "EBK_DATABASE_PASSWD"
+      value: "{{ hostvars['console']['postgresql']['password']['ezbookkeeping'] }}"
+  notify: "notification_restart_ezbookkeeping"
+  no_log: true
+
+- name: Deploy ezbookkeeping.container file
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/ezbookkeeping/ezbookkeeping.container.j2"
+    dest: "{{ node['home_path'] }}/.config/containers/systemd/ezbookkeeping.container"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0644"
+  notify: "notification_restart_ezbookkeeping"
+
+- name: Enable ezbookkeeping.service
+  ansible.builtin.systemd:
+    name: "ezbookkeeping.service"
+    state: "started"
+    enabled: true
+    daemon_reload: true
+    scope: "user"

ansible/roles/app/tasks/services/set_gitea.yaml

@@ -1,13 +1,9 @@
 ---
-- name: Set gitea container subuid
-  ansible.builtin.set_fact:
-    gitea_subuid: "100999"
-
 - name: Create gitea directory
   ansible.builtin.file:
     path: "{{ node['home_path'] }}/{{ item }}"
     state: "directory"
-    owner: "{{ gitea_subuid }}"
+    owner: "{{ services['gitea']['subuid'] }}"
     group: "svadmins"
     mode: "0770"
   loop:
@@ -20,8 +16,8 @@
   ansible.builtin.copy:
     content: |
       {{ hostvars['console']['ca']['root']['crt'] }}
-    dest: "{{ node['home_path'] }}/containers/gitea/ssl/ilnmors_root_ca.crt"
-    owner: "{{ gitea_subuid }}"
+    dest: "{{ node['home_path'] }}/containers/gitea/ssl/{{ root_cert_filename }}"
+    owner: "{{ services['gitea']['subuid'] }}"
     group: "svadmins"
     mode: "0440"
   become: true

ansible/roles/app/tasks/services/set_immich.yaml

@@ -2,13 +2,12 @@
 - name: Set redis service name
   ansible.builtin.set_fact:
     redis_service: "immich"
-    redis_subuid: "100998"
 
 - name: Create redis_immich directory
   ansible.builtin.file:
     path: "{{ node['home_path'] }}/{{ item }}"
     state: "directory"
-    owner: "{{ redis_subuid }}"
+    owner: "{{ services['redis']['subuid'] }}"
     group: "svadmins"
     mode: "0770"
   loop:
@@ -70,7 +69,7 @@
   ansible.builtin.copy:
     content: |
       {{ hostvars['console']['ca']['root']['crt'] }}
-    dest: "{{ node['home_path'] }}/containers/immich/ssl/ilnmors_root_ca.crt"
+    dest: "{{ node['home_path'] }}/containers/immich/ssl/{{ root_cert_filename }}"
     owner: "{{ ansible_user }}"
     group: "svadmins"
     mode: "0440"

ansible/roles/app/tasks/services/set_nextcloud.yaml

@@ -0,0 +1,176 @@
+---
+- name: Set redis service name
+  ansible.builtin.set_fact:
+    redis_service: "nextcloud"
+
+- name: Create redis_nextcloud directory
+  ansible.builtin.file:
+    path: "{{ node['home_path'] }}/{{ item }}"
+    state: "directory"
+    owner: "{{ services['redis']['subuid'] }}"
+    group: "svadmins"
+    mode: "0770"
+  loop:
+    - "containers/redis"
+    - "containers/redis/{{ redis_service }}"
+    - "containers/redis/{{ redis_service }}/data"
+  become: true
+
+- name: Deploy redis config file
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/redis/redis.conf.j2"
+    dest: "{{ node['home_path'] }}/containers/redis/{{ redis_service }}/redis.conf"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0644"
+  register: "is_redis_conf"
+
+- name: Deploy redis container file
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/redis/redis.container.j2"
+    dest: "{{ node['home_path'] }}/.config/containers/systemd/redis_{{ redis_service }}.container"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0644"
+  register: "is_redis_containerfile"
+
+- name: Enable (Restart) redis service
+  ansible.builtin.systemd:
+    name: "redis_{{ redis_service }}.service"
+    state: "restarted"
+    enabled: true
+    daemon_reload: true
+    scope: "user"
+  when: is_redis_conf.changed or is_redis_containerfile.changed # noqa: no-handler
+
+- name: Create nextcloud directory
+  ansible.builtin.file:
+    path: "{{ node['home_path'] }}/{{ item }}"
+    state: "directory"
+    owner: "{{ services['nextcloud']['subuid'] }}"
+    group: "svadmins"
+    mode: "0770"
+  loop:
+    - "data/containers/nextcloud"
+    - "data/containers/nextcloud/html"
+    - "containers/nextcloud"
+    - "containers/nextcloud/ssl"
+    - "containers/nextcloud/ini"
+  become: true
+
+- name: Check data directory empty
+  ansible.builtin.stat:
+    path: "{{ node['home_path'] }}/data/containers/nextcloud/.init"
+  register: "is_nextcloud_init"
+
+- name: Deploy root certificate
+  ansible.builtin.copy:
+    content: |
+      {{ hostvars['console']['ca']['root']['crt'] }}
+    dest: "{{ node['home_path'] }}/containers/nextcloud/ssl/{{ root_cert_filename }}"
+    owner: "{{ services['nextcloud']['subuid'] }}"
+    group: "svadmins"
+    mode: "0440"
+  become: true
+  notify: "notification_restart_nextcloud"
+  no_log: true
+
+- name: Initialize nextcloud
+  when: not is_nextcloud_init.stat.exists
+  block:
+    - name: Execute init command (Including pulling image)
+      containers.podman.podman_container:
+        name: "nextcloud_init"
+        image: "docker.io/library/nextcloud:{{ version['containers']['nextcloud'] }}"
+        command: "/bin/true"
+        state: "started"
+        rm: true
+        detach: false
+        env:
+          NEXTCLOUD_UPDATE: "1"
+          NEXTCLOUD_ADMIN_USER: "admin-local"
+          NEXTCLOUD_ADMIN_PASSWORD: "{{ hostvars['console']['nextcloud']['admin-local']['password'] }}"
+          POSTGRES_HOST: "{{ services['postgresql']['domain'] }}.{{ domain['internal'] }}:{{ services['postgresql']['ports']['tcp'] }}"
+          POSTGRES_DB: "nextcloud_db"
+          POSTGRES_USER: "nextcloud"
+          POSTGRES_PASSWORD: "{{ hostvars['console']['postgresql']['password']['nextcloud'] }}"
+          PGSSLMODE: "verify-full"
+          PGSSLROOTCERT: "/etc/ssl/nextcloud/{{ root_cert_filename }}"
+          PGSSLCERTMODE: "disable"
+          REDIS_HOST: "host.containers.internal"
+          REDIS_HOST_PORT: "{{ services['nextcloud']['ports']['redis'] }}"
+        volume:
+          - "{{ node['home_path'] }}/containers/nextcloud/ssl:/etc/ssl/nextcloud:ro"
+          - "{{ node['home_path'] }}/data/containers/nextcloud/html:/var/www/html:rw"
+      no_log: true
+
+    - name: Create .init file
+      ansible.builtin.file:
+        path: "{{ node['home_path'] }}/data/containers/nextcloud/.init"
+        state: "touch"
+        mode: "0644"
+        owner: "{{ ansible_user }}"
+        group: "svadmins"
+
+- name: Deploy config files
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/nextcloud/config/{{ item }}.j2"
+    dest: "{{ node['home_path'] }}/data/containers/nextcloud/html/config/{{ item }}"
+    owner: "{{ services['nextcloud']['subuid'] }}"
+    group: "svadmins"
+    mode: "0640"
+  loop:
+    - "background.config.php"
+    - "cache.config.php"
+    - "domain.config.php"
+    - "local_remote.config.php"
+    - "user_oidc.config.php"
+  become: true
+  notify: "notification_restart_nextcloud"
+
+- name: Deploy opcache.ini file
+  ansible.builtin.copy:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/nextcloud/ini/{{ item }}"
+    dest: "{{ node['home_path'] }}/containers/nextcloud/ini/{{ item }}"
+    group: "svadmins"
+    mode: "0644"
+  loop:
+    - "opcache.ini"
+    - "upload.ini"
+  notify: "notification_restart_nextcloud"
+
+- name: Deploy nextcloud.container file
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/nextcloud/nextcloud.container.j2"
+    dest: "{{ node['home_path'] }}/.config/containers/systemd/nextcloud.container"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0644"
+  notify: "notification_restart_nextcloud"
+
+- name: Deploy nextcloud-cron service
+  ansible.builtin.copy:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/nextcloud/systemd/{{ item }}"
+    dest: "{{ node['home_path'] }}/.config/systemd/user/{{ item }}"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0644"
+  loop:
+    - "nextcloud-cron.service"
+    - "nextcloud-cron.timer"
+
+- name: Enable nextcloud.service
+  ansible.builtin.systemd:
+    name: "nextcloud.service"
+    state: "started"
+    enabled: true
+    daemon_reload: true
+    scope: "user"
+
+- name: Enable nextcloud-cron.timer
+  ansible.builtin.systemd:
+    name: "nextcloud-cron.timer"
+    state: "started"
+    enabled: true
+    daemon_reload: true
+    scope: "user"

ansible/roles/app/tasks/services/set_opencloud.yaml

@@ -0,0 +1,76 @@
+---
+- name: Create opencloud directory
+  ansible.builtin.file:
+    path: "{{ node['home_path'] }}/{{ item }}"
+    state: "directory"
+    owner: "{{ services['opencloud']['subuid'] }}"
+    group: "svadmins"
+    mode: "0770"
+  loop:
+    - "data/containers/opencloud"
+    - "containers/opencloud"
+  become: true
+
+- name: Check data directory empty
+  ansible.builtin.stat:
+    path: "{{ node['home_path'] }}/data/containers/opencloud/.init"
+  become: true
+  register: "is_opencloud_init"
+
+- name: Initialize opencloud
+  when: not is_opencloud_init.stat.exists
+  block:
+    - name: Execute init command (Including pulling image)
+      containers.podman.podman_container:
+        name: "opencloud_init"
+        image: "docker.io/opencloudeu/opencloud:{{ version['containers']['opencloud'] }}"
+        command: "init"
+        state: "started"
+        rm: true
+        detach: false
+        env:
+          IDM_ADMIN_PASSWORD: "{{ hostvars['console']['opencloud']['admin']['password'] }}"
+          # Verify the certificate (Opencloud to Authelia, authelia uses let's encrypt.)
+          OC_INSECURE: "true"
+        volume:
+          - "{{ node['home_path'] }}/containers/opencloud:/etc/opencloud:rw"
+          - "{{ node['home_path'] }}/data/containers/opencloud:/var/lib/opencloud:rw"
+      no_log: true
+
+    - name: Create .init file
+      ansible.builtin.file:
+        path: "{{ node['home_path'] }}/data/containers/opencloud/.init"
+        state: "touch"
+        mode: "0644"
+        owner: "{{ ansible_user }}"
+        group: "svadmins"
+
+- name: Deploy configuration files
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/opencloud/etc/{{ item }}.j2"
+    dest: "{{ node['home_path'] }}/containers/opencloud/{{ item }}"
+    owner: "{{ services['opencloud']['subuid'] }}"
+    group: "svadmins"
+    mode: "0640"
+  loop:
+    - "csp.yaml"
+    - "proxy.yaml"
+  become: true
+  notify: "notification_restart_opencloud"
+
+- name: Deploy container file
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/opencloud/opencloud.container.j2"
+    dest: "{{ node['home_path'] }}/.config/containers/systemd/opencloud.container"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0644"
+  notify: "notification_restart_opencloud"
+
+- name: Enable opencloud.service
+  ansible.builtin.systemd:
+    name: "opencloud.service"
+    state: "started"
+    enabled: true
+    daemon_reload: true
+    scope: "user"

ansible/roles/app/tasks/services/set_paperless.yaml

@@ -2,13 +2,12 @@
 - name: Set redis service name
   ansible.builtin.set_fact:
     redis_service: "paperless"
-    redis_subuid: "100998"
 
 - name: Create redis_paperless directory
   ansible.builtin.file:
     path: "{{ node['home_path'] }}/{{ item }}"
     state: "directory"
-    owner: "{{ redis_subuid }}"
+    owner: "{{ services['redis']['subuid'] }}"
     group: "svadmins"
     mode: "0770"
   loop:
@@ -44,15 +43,11 @@
     scope: "user"
   when: is_redis_conf.changed or is_redis_containerfile.changed # noqa: no-handler
 
-- name: Set paperless subuid
-  ansible.builtin.set_fact:
-    paperless_subuid: "100999"
-
 - name: Create paperless directory
   ansible.builtin.file:
     path: "{{ node['home_path'] }}/{{ item }}"
     state: "directory"
-    owner: "{{ paperless_subuid }}"
+    owner: "{{ services['paperless']['subuid'] }}"
     group: "svadmins"
     mode: "0770"
   loop:
@@ -69,8 +64,8 @@
   ansible.builtin.copy:
     content: |
       {{ hostvars['console']['ca']['root']['crt'] }}
-    dest: "{{ node['home_path'] }}/containers/paperless/ssl/ilnmors_root_ca.crt"
-    owner: "{{ paperless_subuid }}"
+    dest: "{{ node['home_path'] }}/containers/paperless/ssl/{{ root_cert_filename }}"
+    owner: "{{ services['paperless']['subuid'] }}"
     group: "svadmins"
     mode: "0440"
   become: true
@@ -101,7 +96,7 @@
                 "client_id": "paperless",
                 "secret": "{{ hostvars['console']['paperless']['oidc']['secret'] }}",
                 "settings": {
-                  "server_url": "https://authelia.ilnmors.com/.well-known/openid-configuration",
+                  "server_url": "https://{{ services['authelia']['domain'] }}.{{ domain['public'] }}/.well-known/openid-configuration",
                   "token_auth_method": "client_secret_post"
                 }
               }

ansible/roles/app/tasks/services/set_sure.yaml

@@ -0,0 +1,110 @@
+---
+- name: Set redis service name
+  ansible.builtin.set_fact:
+    redis_service: "sure"
+
+- name: Create redis_sure directory
+  ansible.builtin.file:
+    path: "{{ node['home_path'] }}/{{ item }}"
+    state: "directory"
+    owner: "{{ services['redis']['subuid'] }}"
+    group: "svadmins"
+    mode: "0770"
+  loop:
+    - "containers/redis"
+    - "containers/redis/{{ redis_service }}"
+    - "containers/redis/{{ redis_service }}/data"
+  become: true
+
+- name: Deploy redis config file
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/redis/redis.conf.j2"
+    dest: "{{ node['home_path'] }}/containers/redis/{{ redis_service }}/redis.conf"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0644"
+  register: "is_redis_conf"
+
+- name: Deploy redis container file
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/redis/redis.container.j2"
+    dest: "{{ node['home_path'] }}/.config/containers/systemd/redis_{{ redis_service }}.container"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0644"
+  register: "is_redis_containerfile"
+
+- name: Enable (Restart) redis service
+  ansible.builtin.systemd:
+    name: "redis_{{ redis_service }}.service"
+    state: "restarted"
+    enabled: true
+    daemon_reload: true
+    scope: "user"
+  when: is_redis_conf.changed or is_redis_containerfile.changed # noqa: no-handler
+
+- name: Create sure directory
+  ansible.builtin.file:
+    path: "{{ node['home_path'] }}/{{ item }}"
+    state: "directory"
+    owner: "{{ services['sure']['subuid'] }}"
+    group: "svadmins"
+    mode: "0770"
+  loop:
+    - "data/containers/sure"
+    - "data/containers/sure/storage"
+    - "containers/sure"
+    - "containers/sure/ssl"
+  become: true
+
+
+- name: Deploy root certificate
+  ansible.builtin.copy:
+    content: |
+      {{ hostvars['console']['ca']['root']['crt'] }}
+    dest: "{{ node['home_path'] }}/containers/sure/ssl/{{ root_cert_filename }}"
+    owner: "{{ services['paperless']['subuid'] }}"
+    group: "svadmins"
+    mode: "0440"
+  become: true
+  notify: "notification_restart_sure"
+  no_log: true
+
+- name: Register secret value to podman secret
+  containers.podman.podman_secret:
+    name: "{{ item.name }}"
+    data: "{{ item.value }}"
+    state: "present"
+    force: true
+  loop:
+    - name: "SURE_SECRET_KEY_BASE"
+      value: "{{ hostvars['console']['sure']['session_secret'] }}"
+    - name: "SURE_POSTGRES_PASSWORD"
+      value: "{{ hostvars['console']['postgresql']['password']['sure'] }}"
+    - name: "SURE_OIDC_CLIENT_SECRET"
+      value: "{{ hostvars['console']['sure']['oidc']['secret'] }}"
+  notify: "notification_restart_sure"
+  no_log: true
+
+- name: Deploy sure.container file
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/sure/{{ item }}.j2"
+    dest: "{{ node['home_path'] }}/.config/containers/systemd/{{ item }}"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0644"
+  loop:
+    - "sure-web.container"
+    - "sure-worker.container"
+  notify: "notification_restart_sure"
+
+- name: Enable paperless.service
+  ansible.builtin.systemd:
+    name: "{{ item }}"
+    state: "started"
+    enabled: true
+    daemon_reload: true
+    scope: "user"
+  loop:
+    - "sure-web.service"
+    - "sure-worker.service"

ansible/roles/app/tasks/services/set_trilium.yaml

@@ -0,0 +1,38 @@
+---
+- name: Create trilium directory
+  ansible.builtin.file:
+    path: "{{ node['home_path'] }}/{{ item }}"
+    state: "directory"
+    owner: "{{ services['trilium']['subuid'] }}"
+    group: "svadmins"
+    mode: "0770"
+  loop:
+    - "data/containers/trilium"
+    - "data/containers/trilium/data"
+  become: true
+
+- name: Register secret value to podman secret
+  containers.podman.podman_secret:
+    name: "TRILIUM_OAUTH_CLIENT_SECRET"
+    data: "{{ hostvars['console']['trilium']['oidc']['secret'] }}"
+    state: "present"
+    force: true
+  notify: "notification_restart_trilium"
+  no_log: true
+
+- name: Deploy trilium.container file
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/trilium/trilium.container.j2"
+    dest: "{{ node['home_path'] }}/.config/containers/systemd/trilium.container"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0644"
+  notify: "notification_restart_trilium"
+
+- name: Enable trilium.service
+  ansible.builtin.systemd:
+    name: "trilium.service"
+    state: "started"
+    enabled: true
+    daemon_reload: true
+    scope: "user"

ansible/roles/app/tasks/services/set_vaultwarden.yaml

@@ -15,7 +15,7 @@
   ansible.builtin.copy:
     content: |
       {{ hostvars['console']['ca']['root']['crt'] }}
-    dest: "{{ node['home_path'] }}/containers/vaultwarden/ssl/ilnmors_root_ca.crt"
+    dest: "{{ node['home_path'] }}/containers/vaultwarden/ssl/{{ root_cert_filename }}"
     owner: "{{ ansible_user }}"
     group: "svadmins"
     mode: "0440"
@@ -34,7 +34,8 @@
       value: "{{ hostvars['console']['vaultwarden']['admin']['hash'] }}"
     - name: "VW_DATABASE_URL"
       value: "postgresql://vaultwarden:{{ hostvars['console']['postgresql']['password']['vaultwarden'] | urlencode | replace('/', '%2F') }}\
-        @{{ infra_uri['postgresql']['domain'] }}/vaultwarden_db?sslmode=verify-full&sslrootcert=/etc/ssl/vaultwarden/ilnmors_root_ca.crt"
+        @{{ services['postgresql']['domain'] }}.{{ domain['internal'] }}/vaultwarden_db?sslmode=verify-full&\
+        sslrootcert=/etc/ssl/vaultwarden/{{ root_cert_filename }}"
   notify: "notification_restart_vaultwarden"
   no_log: true
 

ansible/roles/app/tasks/services/set_vikunja.yaml

@@ -1,13 +1,9 @@
 ---
-- name: Set vikunja subuid
-  ansible.builtin.set_fact:
-    vikunja_subuid: "100999"
-
 - name: Create vikunja directory
   ansible.builtin.file:
     path: "{{ node['home_path'] }}/{{ item }}"
     state: "directory"
-    owner: "{{ vikunja_subuid }}"
+    owner: "{{ services['vikunja']['subuid'] }}"
     group: "svadmins"
     mode: "0770"
   loop:
@@ -20,8 +16,8 @@
   ansible.builtin.copy:
     content: |
       {{ hostvars['console']['ca']['root']['crt'] }}
-    dest: "{{ node['home_path'] }}/containers/vikunja/ssl/ilnmors_root_ca.crt"
-    owner: "{{ vikunja_subuid }}"
+    dest: "{{ node['home_path'] }}/containers/vikunja/ssl/{{ root_cert_filename }}"
+    owner: "{{ services['vikunja']['subuid'] }}"
     group: "svadmins"
     mode: "0440"
   become: true

ansible/roles/app/tasks/services/set_wikijs.yaml

@@ -0,0 +1,53 @@
+---
+- name: Create wiki.js directory
+  ansible.builtin.file:
+    path: "{{ node['home_path'] }}/{{ item }}"
+    state: "directory"
+    owner: "{{ services['wikijs']['subuid'] }}"
+    group: "svadmins"
+    mode: "0770"
+  loop:
+    - "data/containers/wikijs"
+    - "data/containers/wikijs/data"
+    - "data/containers/wikijs/export"
+    - "containers/wikijs"
+    - "containers/wikijs/ssl"
+  become: true
+
+- name: Deploy root certificate
+  ansible.builtin.copy:
+    content: |
+      {{ hostvars['console']['ca']['root']['crt'] }}
+    dest: "{{ node['home_path'] }}/containers/wikijs/ssl/{{ root_cert_filename }}"
+    owner: "{{ services['wikijs']['subuid'] }}"
+    group: "svadmins"
+    mode: "0440"
+  become: true
+  notify: "notification_restart_wikijs"
+  no_log: true
+
+- name: Register secret value to podman secret
+  containers.podman.podman_secret:
+    name: "WIKIJS_DB_PASS"
+    data: "{{ hostvars['console']['postgresql']['password']['wikijs'] }}"
+    state: "present"
+    force: true
+  notify: "notification_restart_wikijs"
+  no_log: true
+
+- name: Deploy wikijs.container file
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/wikijs/wikijs.container.j2"
+    dest: "{{ node['home_path'] }}/.config/containers/systemd/wikijs.container"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0644"
+  notify: "notification_restart_wikijs"
+
+- name: Enable wikijs.service
+  ansible.builtin.systemd:
+    name: "wikijs.service"
+    state: "started"
+    enabled: true
+    daemon_reload: true
+    scope: "user"

ansible/roles/auth/tasks/services/set_authelia.yaml

@@ -27,7 +27,7 @@
   ansible.builtin.copy:
     content: |
       {{ hostvars['console']['ca']['root']['crt'] }}
-    dest: "{{ node['home_path'] }}/containers/authelia/certs/ilnmors_root_ca.crt"
+    dest: "{{ node['home_path'] }}/containers/authelia/certs/{{ root_cert_filename }}"
     owner: "{{ ansible_user }}"
     group: "svadmins"
     mode: "0440"

ansible/roles/common/tasks/node/deploy_root_ca.yaml

@@ -2,7 +2,7 @@
 - name: Deploy root_ca.crt
   ansible.builtin.copy:
     content: "{{ hostvars['console']['ca']['root']['crt'] }}"
-    dest: "/usr/local/share/ca-certificates/ilnmors_root_ca.crt"
+    dest: "/usr/local/share/ca-certificates/{{ root_cert_filename }}"
     owner: "root"
     group: "root"
     mode: "0644"

ansible/roles/common/tasks/services/set_alloy.yaml

@@ -5,9 +5,10 @@
       - hardware
   become: true
 
-- name: Deploy alloy deb file (x86_64)
-  ansible.builtin.copy:
-    src: "{{ hostvars['console']['node']['data_path'] }}/bin/alloy-{{ version['packages']['alloy'] }}-amd64.deb"
+- name: Download alloy deb file (x86_64)
+  ansible.builtin.get_url:
+    url: "https://github.com/grafana/alloy/releases/download/v{{ version['packages']['alloy'] }}/\
+      alloy-{{ version['packages']['alloy'] }}-1.amd64.deb"
     dest: "/var/cache/apt/archives/alloy-{{ version['packages']['alloy'] }}.deb"
     owner: "root"
     group: "root"
@@ -15,9 +16,10 @@
   become: true
   when: ansible_facts['architecture'] == "x86_64"
 
-- name: Deploy alloy deb file (aarch64)
-  ansible.builtin.copy:
-    src: "{{ hostvars['console']['node']['data_path'] }}/bin/alloy-{{ version['packages']['alloy'] }}-arm64.deb"
+- name: Download alloy deb file (aarch64)
+  ansible.builtin.get_url:
+    url: "https://github.com/grafana/alloy/releases/download/v{{ version['packages']['alloy'] }}/\
+      alloy-{{ version['packages']['alloy'] }}-1.arm64.deb"
     dest: "/var/cache/apt/archives/alloy-{{ version['packages']['alloy'] }}.deb"
     owner: "root"
     group: "root"
@@ -30,6 +32,7 @@
     deb: "/var/cache/apt/archives/alloy-{{ version['packages']['alloy'] }}.deb"
     state: "present"
   become: true
+  notify: "notification_restart_alloy"
 
 - name: Deploy alloy config
   ansible.builtin.template:

ansible/roles/common/tasks/services/set_caddy.yaml

@@ -54,7 +54,7 @@
 - name: Deploy root crt for build
   ansible.builtin.copy:
     content: "{{ hostvars['console']['ca']['root']['crt'] }}"
-    dest: "{{ node['home_path'] }}/containers/caddy/build/ilnmors_root_ca.crt"
+    dest: "{{ node['home_path'] }}/containers/caddy/build/{{ root_cert_filename }}"
     owner: "{{ ansible_user }}"
     group: "svadmins"
     mode: "0640"
@@ -62,7 +62,7 @@
 
 - name: Build caddy container image
   containers.podman.podman_image:
-    name: "ilnmors.internal/{{ node['name'] }}/caddy"
+    name: "{{ domain['internal'] }}/{{ node['name'] }}/caddy"
     # check tags from container file
     tag: "{{ version['containers']['caddy'] }}"
     state: "build"

ansible/roles/common/tasks/services/set_crowdsec.yaml

@@ -36,10 +36,15 @@
   ansible.builtin.set_fact:
     acquisd_list:
       fw:
-        collection: "crowdsecurity/suricata"
+        collection:
+          - "crowdsecurity/suricata"
+        parser: []
         config: "suricata.yaml"
       auth:
-        collection: "crowdsecurity/caddy"
+        collection:
+          - "crowdsecurity/caddy"
+        parser:
+          - "crowdsecurity/nextcloud-whitelist"
         config: "caddy.yaml"
 
 - name: Deploy crowdsec-update service files
@@ -181,7 +186,8 @@
   block:
     - name: Install crowdsec collection
       ansible.builtin.command:
-        cmd: "cscli collections install {{ acquisd_list[node['name']]['collection'] }}"
+        cmd: "cscli collections install {{ item }}"
+      loop: "{{ acquisd_list[node['name']]['collection'] }}"
       become: true
       changed_when: "'overwrite' not in is_collection_installed.stderr"
       failed_when:
@@ -189,6 +195,17 @@
         - "'already installed' not in is_collection_installed.stderr"
       register: "is_collection_installed"
 
+    - name: Install crowdsec parser
+      ansible.builtin.command:
+        cmd: "cscli parsers install {{ item }}"
+      loop: "{{ acquisd_list[node['name']]['parser'] }}"
+      become: true
+      changed_when: "'overwrite' not in is_parser_installed.stderr"
+      failed_when:
+        - is_parser_installed.rc != 0
+        - "'already installed' not in is_parser_installed.stderr"
+      register: "is_parser_installed"
+
     - name: Create crowdsec acquis.d directory
       ansible.builtin.file:
         path: "/etc/crowdsec/acquis.d"

ansible/roles/common/tasks/services/set_kopia.yaml

@@ -5,41 +5,43 @@
       - hardware
   become: true
 
-- name: Check kopia installation
-  ansible.builtin.shell: |
-    command -v kopia
-  changed_when: false
-  failed_when: false
-  register: "is_kopia_installed"
-  ignore_errors: true
-
 - name: Set console kopia
   when: node['name'] == 'console'
   block:
-    - name: Apply cli tools (x86_64)
+    - name: Download kopia
+      ansible.builtin.get_url:
+        url: "https://github.com/kopia/kopia/releases/download/v{{ version['packages']['kopia'] }}/\
+          kopia_{{ version['packages']['kopia'] }}_linux_{{ item }}.deb"
+        dest: "{{ node['data_path'] }}/bin/kopia-{{ version['packages']['kopia'] }}-{{ item }}.deb"
+        owner: "{{ ansible_user }}"
+        group: "svadmins"
+        mode: "0600"
+      loop:
+        - "amd64"
+        - "arm64"
+
+    - name: Install kopia (x86_64)
       ansible.builtin.apt:
         deb: "{{ node['data_path'] }}/bin/kopia-{{ version['packages']['kopia'] }}-amd64.deb"
         state: "present"
       become: true
-      when:
-        - ansible_facts['architecture'] == "x86_64"
-        - is_kopia_installed.rc != 0
-    - name: Apply cli tools (aarch64)
+      when: ansible_facts['architecture'] == "x86_64"
+
+    - name: Install kopia (aarch64)
       ansible.builtin.apt:
         deb: "{{ node['data_path'] }}/bin/kopia-{{ version['packages']['kopia'] }}-arm64.deb"
         state: "present"
       become: true
-      when:
-        - ansible_facts['architecture'] == "aarch64"
-        - is_kopia_installed.rc != 0
-    - name: Connect kopia server
+      when: ansible_facts['architecture'] == "aarch64"
+
+    - name: Connect console kopia server
       environment:
         KOPIA_PASSWORD: "{{ hostvars['console']['kopia']['user']['console'] }}"
       ansible.builtin.shell: |
         /usr/bin/kopia repository connect server \
-        --url=https://{{ infra_uri['kopia']['domain'] }}:{{ infra_uri['kopia']['ports']['https'] }} \
+        --url=https://{{ services['kopia']['domain'] }}.{{ domain['internal'] }}:{{ services['kopia']['ports']['https'] }} \
         --override-username=console \
-        --override-hostname=console.ilnmors.internal
+        --override-hostname=console.{{ domain['internal'] }}
       changed_when: false
       failed_when: is_kopia_connected.rc != 0
       register: "is_kopia_connected"
@@ -51,30 +53,36 @@
     - name: Set kopia uid
       ansible.builtin.set_fact:
         kopia_uid: 951
-    - name: Deploy kopia deb file (x86_64)
-      ansible.builtin.copy:
-        src: "{{ hostvars['console']['node']['data_path'] }}/bin/kopia-{{ version['packages']['kopia'] }}-amd64.deb"
+
+    - name: Download kopia deb file (x86_64)
+      ansible.builtin.get_url:
+        url: "https://github.com/kopia/kopia/releases/download/v{{ version['packages']['kopia'] }}/\
+          kopia_{{ version['packages']['kopia'] }}_linux_amd64.deb"
         dest: "/var/cache/apt/archives/kopia-{{ version['packages']['kopia'] }}.deb"
         owner: "root"
         group: "root"
         mode: "0644"
       become: true
       when: ansible_facts['architecture'] == "x86_64"
-    - name: Deploy kopia deb file (aarch64)
-      ansible.builtin.copy:
-        src: "{{ hostvars['console']['node']['data_path'] }}/bin/kopia-{{ version['packages']['kopia'] }}-arm64.deb"
+
+    - name: Download kopia deb file (aarch64)
+      ansible.builtin.get_url:
+        url: "https://github.com/kopia/kopia/releases/download/v{{ version['packages']['kopia'] }}/\
+          kopia_{{ version['packages']['kopia'] }}_linux_arm64.deb"
         dest: "/var/cache/apt/archives/kopia-{{ version['packages']['kopia'] }}.deb"
         owner: "root"
         group: "root"
         mode: "0644"
       become: true
       when: ansible_facts['architecture'] == "aarch64"
+
     - name: Create kopia group
       ansible.builtin.group:
         name: "kopia"
         gid: "{{ kopia_uid }}"
         state: "present"
       become: true
+
     - name: Create kopia user
       ansible.builtin.user:
         name: "kopia"
@@ -85,6 +93,7 @@
         comment: "Kopia backup User"
         state: "present"
       become: true
+
     - name: Create kopia directory
       ansible.builtin.file:
         path: "{{ item.name }}"
@@ -101,12 +110,13 @@
           mode: "0700"
       become: true
       no_log: true
+
     - name: Install kopia
       ansible.builtin.apt:
         deb: "/var/cache/apt/archives/kopia-{{ version['packages']['kopia'] }}.deb"
         state: "present"
       become: true
-      when: is_kopia_installed.rc != 0
+
     - name: Deploy kopia env
       ansible.builtin.template:
         src: "{{ hostvars['console']['node']['config_path'] }}/services/systemd/common/kopia/kopia.env.j2"
@@ -116,6 +126,7 @@
         mode: "0400"
       become: true
       no_log: true
+
     - name: Deploy kopia service files
       ansible.builtin.template:
         src: "{{ hostvars['console']['node']['config_path'] }}/services/systemd/common/kopia/{{ item }}.j2"
@@ -128,6 +139,7 @@
         - "kopia-backup.service"
         - "kopia-backup.timer"
       become: true
+
     - name: Enable auto kopia rules update
       ansible.builtin.systemd:
         name: "kopia-backup.timer"

ansible/roles/common/tasks/services/set_podman.yaml

@@ -15,7 +15,7 @@
     state: "directory"
     mode: "0700"
 
-- name: Create contaienr data directory for app
+- name: Create container data directory for app
   ansible.builtin.file:
     path: "{{ node['home_path'] }}/data/containers"
     owner: "{{ ansible_user }}"

ansible/roles/console/tasks/node/set_ssh_client.yaml

@@ -23,7 +23,7 @@
   become: true
   ansible.builtin.copy:
     content: |
-      @cert-authority *.ilnmors.internal {{ hostvars['console']['ssh']['ca']['pub'] }}
+      @cert-authority *.{{ domain['internal'] }} {{ hostvars['console']['ssh']['ca']['pub'] }}
     dest: "/etc/ssh/ssh_known_hosts"
     owner: "root"
     group: "root"

ansible/roles/console/tasks/services/set_cli_tools.yaml

@@ -49,42 +49,6 @@
     - "amd64"
     - "arm64"
 
-- name: Download kopia
-  ansible.builtin.get_url:
-    url: "https://github.com/kopia/kopia/releases/download/v{{ version['packages']['kopia'] }}/\
-      kopia_{{ version['packages']['kopia'] }}_linux_{{ item }}.deb"
-    dest: "{{ node['data_path'] }}/bin/kopia-{{ version['packages']['kopia'] }}-{{ item }}.deb"
-    owner: "{{ ansible_user }}"
-    group: "svadmins"
-    mode: "0600"
-  loop:
-    - "amd64"
-    - "arm64"
-
-- name: Download blocky
-  ansible.builtin.get_url:
-    url: "https://github.com/0xERR0R/blocky/releases/download/v{{ version['packages']['blocky'] }}/\
-      blocky_v{{ version['packages']['blocky'] }}_Linux_{{ item }}.tar.gz"
-    dest: "{{ node['data_path'] }}/bin/blocky-{{ version['packages']['blocky'] }}-{{ item }}.tar.gz"
-    owner: "{{ ansible_user }}"
-    group: "svadmins"
-    mode: "0600"
-  loop:
-    - "x86_64"
-    - "arm64"
-
-- name: Download alloy
-  ansible.builtin.get_url:
-    url: "https://github.com/grafana/alloy/releases/download/v{{ version['packages']['alloy'] }}/\
-      alloy-{{ version['packages']['alloy'] }}-1.{{ item }}.deb"
-    dest: "{{ node['data_path'] }}/bin/alloy-{{ version['packages']['alloy'] }}-{{ item }}.deb"
-    owner: "{{ ansible_user }}"
-    group: "svadmins"
-    mode: "0600"
-  loop:
-    - "amd64"
-    - "arm64"
-
 - name: Apply cli tools (x86_64)
   ansible.builtin.apt:
     deb: "{{ node['data_path'] }}/bin/{{ item }}"
@@ -92,7 +56,6 @@
   loop:
     - "sops-{{ version['packages']['sops'] }}-amd64.deb"
     - "step-{{ version['packages']['step'] }}-amd64.deb"
-    - "kopia-{{ version['packages']['kopia'] }}-amd64.deb"
   become: true
   when: ansible_facts['architecture'] == "x86_64"
 
@@ -103,6 +66,5 @@
   loop:
     - "sops-{{ version['packages']['sops'] }}-arm64.deb"
     - "step-{{ version['packages']['step'] }}-arm64.deb"
-    - "kopia-{{ version['packages']['kopia'] }}-arm64.deb"
   become: true
   when: ansible_facts['architecture'] == "aarch64"

ansible/roles/fw/tasks/services/set_blocky.yaml

@@ -23,7 +23,7 @@
     state: "present"
   become: true
 
-- name: Create blocky etc directory
+- name: Create blocky directory
   ansible.builtin.file:
     path: "{{ item }}"
     owner: "blocky"
@@ -31,13 +31,38 @@
     mode: "0750"
     state: "directory"
   loop:
+    - "/home/blocky"
+    - "/home/blocky/bin"
     - "/etc/blocky"
     - "/etc/blocky/ssl"
   become: true
 
+- name: Download blocky (x86_64)
+  ansible.builtin.get_url:
+    url: "https://github.com/0xERR0R/blocky/releases/download/v{{ version['packages']['blocky'] }}/\
+      blocky_v{{ version['packages']['blocky'] }}_Linux_x86_64.tar.gz"
+    dest: "/home/blocky/bin/blocky-{{ version['packages']['blocky'] }}-x86_64.tar.gz"
+    owner: "blocky"
+    group: "blocky"
+    mode: "0600"
+  become: true
+  when: ansible_facts['architecture'] == "x86_64"
+
+- name: Download blocky (aarch64)
+  ansible.builtin.get_url:
+    url: "https://github.com/0xERR0R/blocky/releases/download/v{{ version['packages']['blocky'] }}/\
+      blocky_v{{ version['packages']['blocky'] }}_Linux_arm64.tar.gz"
+    dest: "/home/blocky/bin/blocky-{{ version['packages']['blocky'] }}-arm64.tar.gz"
+    owner: "blocky"
+    group: "blocky"
+    mode: "0600"
+  become: true
+  when: ansible_facts['architecture'] == "aarch64"
+
 - name: Deploy blocky binary file (x86_64)
   ansible.builtin.unarchive:
-    src: "{{ hostvars['console']['node']['data_path'] }}/bin/blocky-{{ version['packages']['blocky'] }}-x86_64.tar.gz"
+    src: "/home/blocky/bin/blocky-{{ version['packages']['blocky'] }}-x86_64.tar.gz"
+    remote_src: true
     dest: "/usr/local/bin/"
     owner: "root"
     group: "root"
@@ -52,7 +77,8 @@
 
 - name: Deploy blocky binary file (aarch64)
   ansible.builtin.unarchive:
-    src: "{{ hostvars['console']['node']['data_path'] }}/bin/blocky-{{ version['packages']['blocky'] }}-arm64.tar.gz"
+    src: "/home/blocky/bin/blocky-{{ version['packages']['blocky'] }}-arm64.tar.gz"
+    remote_src: true
     dest: "/usr/local/bin/"
     owner: "root"
     group: "root"

ansible/roles/fw/tasks/services/set_ddns.yaml

@@ -21,8 +21,8 @@
   become: true
 
 - name: Deploy ddns service files
-  ansible.builtin.copy:
-    src: "{{ hostvars['console']['node']['config_path'] }}/services/systemd/fw/ddns/{{ item }}"
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/systemd/fw/ddns/{{ item }}.j2"
     dest: "{{ node['home_path'] }}/.config/systemd/user/{{ item }}"
     owner: "{{ ansible_user }}"
     group: "svadmins"

ansible/roles/infra/handlers/main.yaml

@@ -12,7 +12,7 @@
 - name: Reload postgresql
   ansible.builtin.command:
     /usr/bin/podman exec -u postgres postgresql sh -c "pg_ctl reload"
-  when: not (is_postgresql_init_run | default(false))
+  when: is_postgresql_init.stat.exists
   changed_when: false
   listen: "notification_reload_postgresql"
   ignore_errors: true # noqa: ignore-errors
@@ -24,7 +24,7 @@
     enabled: true
     daemon_reload: true
     scope: "user"
-  when: not (is_postgresql_init_run | default(false))
+  when: is_postgresql_init.stat.exists
   changed_when: false
   listen: "notification_restart_postgresql"
   ignore_errors: true # noqa: ignore-errors
@@ -73,10 +73,10 @@
   listen: "notification_restart_grafana"
   ignore_errors: true # noqa: ignore-errors
 
-- name: Enable x509-exporter.service
+- name: Restart x509-exporter.service
   ansible.builtin.systemd:
     name: "x509-exporter.service"
-    state: "started"
+    state: "restarted"
     enabled: true
     daemon_reload: true
     scope: "user"

ansible/roles/infra/tasks/services/set_ca_server.yaml

@@ -1,12 +1,8 @@
 ---
-- name: Set ca container subuid
-  ansible.builtin.set_fact:
-    ca_subuid: "100999"
-
 - name: Create ca directory
   ansible.builtin.file:
     path: "{{ node['home_path'] }}/containers/{{ item }}"
-    owner: "{{ ca_subuid }}"
+    owner: "{{ services['ca']['subuid'] }}"
     group: "svadmins"
     state: "directory"
     mode: "0770"
@@ -32,7 +28,7 @@
   ansible.builtin.template:
     src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/infra/ca/config/{{ item }}.j2"
     dest: "{{ node['home_path'] }}/containers/ca/config/{{ item }}"
-    owner: "{{ ca_subuid }}"
+    owner: "{{ services['ca']['subuid'] }}"
     group: "svadmins"
     mode: "0400"
   loop:
@@ -46,19 +42,19 @@
     content: |
       {{ item.value }}
     dest: "{{ item.path }}/{{ item.name }}"
-    owner: "{{ ca_subuid }}"
+    owner: "{{ services['ca']['subuid'] }}"
     group: "svadmins"
     mode: "{{ item.mode }}"
   loop:
-    - name: "ilnmors_root_ca.crt"
+    - name: "{{ root_cert_filename }}"
       value: "{{ hostvars['console']['ca']['root']['crt'] }}"
       path: "{{ node['home_path'] }}/containers/ca/certs"
       mode: "0440"
-    - name: "ilnmors_intermediate_ca.crt"
+    - name: "{{ intermediate_cert_filename }}"
       value: "{{ hostvars['console']['ca']['intermediate']['crt'] }}"
       path: "{{ node['home_path'] }}/containers/ca/certs"
       mode: "0440"
-    - name: "ilnmors_intermediate_ca.key"
+    - name: "{{ intermediate_key_filename }}"
       value: "{{ hostvars['console']['ca']['intermediate']['key'] }}"
       path: "{{ node['home_path'] }}/containers/ca/secrets"
       mode: "0400"

ansible/roles/infra/tasks/services/set_grafana.yaml

@@ -1,12 +1,8 @@
 ---
-- name: Set grafana container subuid
-  ansible.builtin.set_fact:
-    grafana_subuid: "100471"
-
 - name: Create grafana directory
   ansible.builtin.file:
     path: "{{ node['home_path'] }}/containers/{{ item }}"
-    owner: "{{ grafana_subuid }}"
+    owner: "{{ services['grafana']['subuid'] }}"
     group: "svadmins"
     state: "directory"
     mode: "0770"
@@ -23,8 +19,8 @@
   ansible.builtin.copy:
     content: |
       {{ hostvars['console']['ca']['root']['crt'] }}
-    dest: "{{ node['home_path'] }}/containers/grafana/ssl/ilnmors_root_ca.crt"
-    owner: "{{ grafana_subuid }}"
+    dest: "{{ node['home_path'] }}/containers/grafana/ssl/{{ root_cert_filename }}"
+    owner: "{{ services['grafana']['subuid'] }}"
     group: "svadmins"
     mode: "0400"
   become: true
@@ -51,7 +47,7 @@
   ansible.builtin.template:
     src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/infra/grafana/etc/{{ item }}.j2"
     dest: "{{ node['home_path'] }}/containers/grafana/etc/{{ item }}"
-    owner: "{{ grafana_subuid }}"
+    owner: "{{ services['grafana']['subuid'] }}"
     group: "svadmins"
     mode: "0400"
   loop:
@@ -61,11 +57,11 @@
   notify: "notification_restart_grafana"
   no_log: true
 
-- name: Deploy provisioing and dashboard files
-  ansible.builtin.copy:
-    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/infra/grafana/etc/provisioning/"
-    dest: "{{ node['home_path'] }}/containers/grafana/etc/provisioning/"
-    owner: "{{ grafana_subuid }}"
+- name: Deploy provisioing file
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/infra/grafana/etc/provisioning/datasources/datasources.yaml.j2"
+    dest: "{{ node['home_path'] }}/containers/grafana/etc/provisioning/datasources/datasources.yaml"
+    owner: "{{ services['grafana']['subuid'] }}"
     group: "svadmins"
     mode: "0400"
   become: true

ansible/roles/infra/tasks/services/set_ldap.yaml

@@ -1,12 +1,8 @@
 ---
-- name: Set ldap container subuid
-  ansible.builtin.set_fact:
-    ldap_subuid: "100999"
-
 - name: Create ldap directory
   ansible.builtin.file:
     path: "{{ node['home_path'] }}/containers/{{ item }}"
-    owner: "{{ ldap_subuid }}"
+    owner: "{{ services['ldap']['subuid'] }}"
     group: "svadmins"
     state: "directory"
     mode: "0770"
@@ -21,11 +17,11 @@
     content: |
       {{ item.value }}
     dest: "{{ node['home_path'] }}/containers/ldap/ssl/{{ item.name }}"
-    owner: "{{ ldap_subuid }}"
+    owner: "{{ services['ldap']['subuid'] }}"
     group: "svadmins"
     mode: "{{ item.mode }}"
   loop:
-    - name: "ilnmors_root_ca.crt"
+    - name: "{{ root_cert_filename }}"
       value: "{{ hostvars['console']['ca']['root']['crt'] }}"
       mode: "0440"
     - name: "ldap.crt"
@@ -50,7 +46,7 @@
     # urlencode doesn't fix `/` as `%2F`. It needs replace
     - name: "LLDAP_DATABASE_URL"
       value: "postgres://ldap:{{ hostvars['console']['postgresql']['password']['ldap'] | urlencode | replace('/', '%2F') }}\
-        @{{ infra_uri['postgresql']['domain'] }}/ldap_db?sslmode=verify-full&sslrootcert=/etc/ssl/ldap/ilnmors_root_ca.crt"
+        @{{ services['postgresql']['domain'] }}.{{ domain['internal'] }}/ldap_db?sslmode=verify-full&sslrootcert=/etc/ssl/ldap/{{ root_cert_filename }}"
     - name: "LLDAP_KEY_SEED"
       value: "{{ hostvars['console']['ldap']['seed_key'] }}"
     - name: "LLDAP_JWT_SECRET"
@@ -59,6 +55,8 @@
   no_log: true
 
 - name: Initiate ldap (When = false, If DB data does not exist in postgresql, activate this block)
+# The reason why this task doesn't use the way to check ".init" file is this tasks can override original database.
+# Absent of ".init" file cannot guarantee DB is empty.
   when: false
   become: true
   block:
@@ -78,7 +76,7 @@
         detach: false
         env:
           TZ: "Asia/Seoul"
-          LLDAP_LDAP_BASE_DN: "dc=ilnmors,dc=internal"
+          LLDAP_LDAP_BASE_DN: "{{ domain['dc'] }}"
         secrets:
           - "LLDAP_DATABASE_URL,type=env"
           - "LLDAP_KEY_SEED,type=env"

ansible/roles/infra/tasks/services/set_loki.yaml

@@ -1,13 +1,9 @@
 ---
-- name: Set loki container subuid
-  ansible.builtin.set_fact:
-    loki_subuid: "110000" # 10001
-
 - name: Create loki directory
   ansible.builtin.file:
     path: "{{ node['home_path'] }}/containers/{{ item }}"
     state: "directory"
-    owner: "{{ loki_subuid }}"
+    owner: "{{ services['loki']['subuid'] }}"
     group: "svadmins"
     mode: "0770"
   loop:
@@ -18,10 +14,10 @@
   become: true
 
 - name: Deploy loki configuration file
-  ansible.builtin.copy:
-    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/infra/loki/etc/loki.yaml"
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/infra/loki/etc/loki.yaml.j2"
     dest: "{{ node['home_path'] }}/containers/loki/etc/loki.yaml"
-    owner: "{{ loki_subuid }}"
+    owner: "{{ services['loki']['subuid'] }}"
     group: "svadmins"
     mode: "0600"
   become: true
@@ -33,11 +29,11 @@
     content: |
       {{ item.value }}
     dest: "{{ node['home_path'] }}/containers/loki/ssl/{{ item.name }}"
-    owner: "{{ loki_subuid }}"
+    owner: "{{ services['loki']['subuid'] }}"
     group: "svadmins"
     mode: "{{ item.mode }}"
   loop:
-    - name: "ilnmors_root_ca.crt"
+    - name: "{{ root_cert_filename }}"
       value: "{{ hostvars['console']['ca']['root']['crt'] }}"
       mode: "0440"
     - name: "loki.crt"

ansible/roles/infra/tasks/services/set_postgresql.yaml

@@ -1,8 +1,4 @@
 ---
-- name: Set postgresql container subuid
-  ansible.builtin.set_fact:
-    postgresql_subuid: "100998"
-
 - name: Set connected services list
   ansible.builtin.set_fact:
     connected_services:
@@ -14,12 +10,17 @@
       - "immich"
       - "paperless"
       - "vikunja"
+      - "affine"
+      - "nextcloud"
+      - "ezbookkeeping"
+      - "sure"
+      - "wikijs"
 
 - name: Create postgresql directory
   ansible.builtin.file:
     path: "{{ node['home_path'] }}/containers/{{ item }}"
     state: "directory"
-    owner: "{{ postgresql_subuid }}"
+    owner: "{{ services['postgresql']['subuid'] }}"
     group: "svadmins"
     mode: "0770"
   loop:
@@ -42,7 +43,7 @@
 
 - name: Build postgresql container image
   containers.podman.podman_image:
-    name: "ilnmors.internal/{{ node['name'] }}/postgres"
+    name: "{{ domain['internal'] }}/{{ node['name'] }}/postgres"
     # check tags from container file
     tag: "pg{{ version['containers']['postgresql'] }}-vectorchord{{ version['containers']['vectorchord'] }}"
     state: "build"
@@ -56,7 +57,7 @@
   ansible.builtin.template:
     src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/infra/postgresql/config/{{ item }}.j2"
     dest: "{{ node['home_path'] }}/containers/postgresql/config/{{ item }}"
-    owner: "{{ postgresql_subuid }}"
+    owner: "{{ services['postgresql']['subuid'] }}"
     group: "svadmins"
     mode: "0600"
   loop:
@@ -71,11 +72,11 @@
     content: |
       {{ item.value }}
     dest: "{{ node['home_path'] }}/containers/postgresql/ssl/{{ item.name }}"
-    owner: "{{ postgresql_subuid }}"
+    owner: "{{ services['postgresql']['subuid'] }}"
     group: "svadmins"
     mode: "{{ item.mode }}"
   loop:
-    - name: "ilnmors_root_ca.crt"
+    - name: "{{ root_cert_filename }}"
       value: "{{ hostvars['console']['ca']['root']['crt'] }}"
       mode: "0440"
     - name: "postgresql.crt"
@@ -91,15 +92,13 @@
   no_log: true
 
 - name: Check data directory empty
-  ansible.builtin.find:
-    paths: "{{ node['home_path'] }}/containers/postgresql/data/"
-    hidden: true
-    file_type: "any"
+  ansible.builtin.stat:
+    path: "{{ node['home_path'] }}/containers/postgresql/data/.init"
   become: true
-  register: "is_data_dir_empty"
+  register: "is_postgresql_init"
 
 - name: Prepare initiating DB
-  when: is_data_dir_empty.matched == 0
+  when: not is_postgresql_init.stat.exists
   become: true
   block:
     # `init/pg_cluster.sql` should be fetched from postgresql's backup directory before running initiating
@@ -107,7 +106,7 @@
       ansible.builtin.copy:
         src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/infra/postgresql/init/pg_cluster.sql"
         dest: "{{ node['home_path'] }}/containers/postgresql/init/0_pg_cluster.sql"
-        owner: "{{ postgresql_subuid }}"
+        owner: "{{ services['postgresql']['subuid'] }}"
         group: "svadmins"
         mode: "0600"
 
@@ -115,15 +114,20 @@
       ansible.builtin.copy:
         src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/infra/postgresql/init/pg_{{ item }}.sql"
         dest: "{{ node['home_path'] }}/containers/postgresql/init/{{ index_num + 1 }}_pg_{{ item }}.sql"
-        owner: "{{ postgresql_subuid }}"
+        owner: "{{ services['postgresql']['subuid'] }}"
         group: "svadmins"
         mode: "0600"
       loop: "{{ connected_services }}"
       loop_control:
         index_var: index_num
-    - name: Set is_postgresql_init_run
-      ansible.builtin.set_fact:
-        is_postgresql_init_run: true
+
+    - name: Create .init file
+      ansible.builtin.file:
+        path: "{{ node['home_path'] }}/containers/postgresql/data/.init"
+        state: "touch"
+        mode: "0644"
+        owner: "{{ ansible_user }}"
+        group: "svadmins"
 
 - name: Deploy container file
   ansible.builtin.template:

ansible/roles/infra/tasks/services/set_prometheus.yaml

@@ -1,13 +1,9 @@
 ---
-- name: Set prometheus container subuid
-  ansible.builtin.set_fact:
-    prometheus_subuid: "165533" # nobody - 65534
-
 - name: Create prometheus directory
   ansible.builtin.file:
     path: "{{ node['home_path'] }}/containers/{{ item }}"
     state: "directory"
-    owner: "{{ prometheus_subuid }}"
+    owner: "{{ services['prometheus']['subuid'] }}"
     group: "svadmins"
     mode: "0770"
   loop:
@@ -21,7 +17,7 @@
   ansible.builtin.template:
     src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/infra/prometheus/etc/{{ item }}.j2"
     dest: "{{ node['home_path'] }}/containers/prometheus/etc/{{ item }}"
-    owner: "{{ prometheus_subuid }}"
+    owner: "{{ services['prometheus']['subuid'] }}"
     group: "svadmins"
     mode: "0600"
   loop:
@@ -37,11 +33,11 @@
     content: |
       {{ item.value }}
     dest: "{{ node['home_path'] }}/containers/prometheus/ssl/{{ item.name }}"
-    owner: "{{ prometheus_subuid }}"
+    owner: "{{ services['prometheus']['subuid'] }}"
     group: "svadmins"
     mode: "{{ item.mode }}"
   loop:
-    - name: "ilnmors_root_ca.crt"
+    - name: "{{ root_cert_filename }}"
       value: "{{ hostvars['console']['ca']['root']['crt'] }}"
       mode: "0440"
     - name: "prometheus.crt"

ansible/roles/infra/tasks/services/set_x509-exporter.yaml

@@ -1,26 +1,33 @@
 ---
-- name: Set x509-exporter container subuid
-  ansible.builtin.set_fact:
-    x509_exporter_subuid: "165533" # nobody - 65534
-
 - name: Create x509-exporter directory
   ansible.builtin.file:
     path: "{{ node['home_path'] }}/containers/{{ item }}"
     state: "directory"
-    owner: "{{ x509_exporter_subuid }}"
+    owner: "{{ services['x509-exporter']['subuid'] }}"
     group: "svadmins"
     mode: "0770"
   loop:
     - "x509-exporter"
+    - "x509-exporter/config"
     - "x509-exporter/certs"
   become: true
 
+- name: Deploy config.yaml
+  ansible.builtin.copy:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/infra/x509-exporter/config/config.yaml"
+    dest: "{{ node['home_path'] }}/containers/x509-exporter/config/config.yaml"
+    owner: "{{ services['x509-exporter']['subuid'] }}"
+    group: "svadmins"
+    mode: "0440"
+  become: true
+  notify: "notification_restart_x509-exporter"
+
 - name: Deploy certificates
   ansible.builtin.copy:
     content: |
       {{ item.value }}
     dest: "{{ node['home_path'] }}/containers/x509-exporter/certs/{{ item.name }}"
-    owner: "{{ x509_exporter_subuid }}"
+    owner: "{{ services['x509-exporter']['subuid'] }}"
     group: "svadmins"
     mode: "0440"
   loop:

config/node/common/hosts.j2

@@ -3,32 +3,32 @@
 ::1 {{ node['local_san'] }}
 {% if node['name'] == 'console' %}
 # Hosts IPv4
-{{ hostvars['fw']['network4']['firewall']['server'] }} fw.ilnmors.internal
-{{ hostvars['fw']['network4']['vmm']['client'] }} init.vmm.ilnmors.internal
-{{ hostvars['fw']['network4']['vmm']['server'] }} vmm.ilnmors.internal
-{{ hostvars['fw']['network4']['infra']['server'] }} infra.ilnmors.internal
-{{ hostvars['fw']['network4']['auth']['server'] }} auth.ilnmors.internal
-{{ hostvars['fw']['network4']['app']['server'] }} app.ilnmors.internal
+{{ hostvars['fw']['network4']['firewall']['server'] }} fw.{{ domain['internal'] }}
+{{ hostvars['fw']['network4']['vmm']['client'] }} init.vmm.{{ domain['internal'] }}
+{{ hostvars['fw']['network4']['vmm']['server'] }} vmm.{{ domain['internal'] }}
+{{ hostvars['fw']['network4']['infra']['server'] }} infra.{{ domain['internal'] }}
+{{ hostvars['fw']['network4']['auth']['server'] }} auth.{{ domain['internal'] }}
+{{ hostvars['fw']['network4']['app']['server'] }} app.{{ domain['internal'] }}
 # Hosts IPv6
-{{ hostvars['fw']['network6']['firewall']['server'] }} fw.ilnmors.internal
-{{ hostvars['fw']['network6']['vmm']['client'] }} init.vmm.ilnmors.internal
-{{ hostvars['fw']['network6']['vmm']['server'] }} vmm.ilnmors.internal
-{{ hostvars['fw']['network6']['infra']['server'] }} infra.ilnmors.internal
-{{ hostvars['fw']['network6']['auth']['server'] }} auth.ilnmors.internal
-{{ hostvars['fw']['network6']['app']['server'] }} app.ilnmors.internal
+{{ hostvars['fw']['network6']['firewall']['server'] }} fw.{{ domain['internal'] }}
+{{ hostvars['fw']['network6']['vmm']['client'] }} init.vmm.{{ domain['internal'] }}
+{{ hostvars['fw']['network6']['vmm']['server'] }} vmm.{{ domain['internal'] }}
+{{ hostvars['fw']['network6']['infra']['server'] }} infra.{{ domain['internal'] }}
+{{ hostvars['fw']['network6']['auth']['server'] }} auth.{{ domain['internal'] }}
+{{ hostvars['fw']['network6']['app']['server'] }} app.{{ domain['internal'] }}
 {% else %}
 # IPv4
 # Crowdsec, blocky, bind(fw)
-{{ hostvars['fw']['network4']['firewall']['server'] }} ntp.ilnmors.internal crowdsec.ilnmors.internal
-{{ hostvars['fw']['network4']['blocky']['server'] }} blocky.ilnmors.internal
-{{ hostvars['fw']['network4']['bind']['server'] }} bind.ilnmors.internal
+{{ hostvars['fw']['network4']['firewall']['server'] }} ntp.{{ domain['internal'] }} crowdsec.{{ domain['internal'] }}
+{{ hostvars['fw']['network4']['blocky']['server'] }} blocky.{{ domain['internal'] }}
+{{ hostvars['fw']['network4']['bind']['server'] }} bind.{{ domain['internal'] }}
 # DB, LDAP, CA, Prometheus, Loki, mail (infra)
-{{ hostvars['fw']['network4']['infra']['server'] }} postgresql.ilnmors.internal ldap.ilnmors.internal prometheus.ilnmors.internal loki.ilnmors.internal mail.ilnmors.internal ca.ilnmors.internal
+{{ hostvars['fw']['network4']['infra']['server'] }} postgresql.{{ domain['internal'] }} ldap.{{ domain['internal'] }} prometheus.{{ domain['internal'] }} loki.{{ domain['internal'] }} mail.{{ domain['internal'] }} ca.{{ domain['internal'] }}
 # IPv6
 # Crowdsec, blocky, bind(fw)
-{{ hostvars['fw']['network6']['firewall']['server'] }} ntp.ilnmors.internal crowdsec.ilnmors.internal
-{{ hostvars['fw']['network6']['blocky']['server'] }} blocky.ilnmors.internal
-{{ hostvars['fw']['network6']['bind']['server'] }} bind.ilnmors.internal
+{{ hostvars['fw']['network6']['firewall']['server'] }} ntp.{{ domain['internal'] }} crowdsec.{{ domain['internal'] }}
+{{ hostvars['fw']['network6']['blocky']['server'] }} blocky.{{ domain['internal'] }}
+{{ hostvars['fw']['network6']['bind']['server'] }} bind.{{ domain['internal'] }}
 # DB, LDAP, CA, Prometheus, Loki, mail (infra)
-{{ hostvars['fw']['network6']['infra']['server'] }} postgresql.ilnmors.internal ldap.ilnmors.internal prometheus.ilnmors.internal loki.ilnmors.internal mail.ilnmors.internal ca.ilnmors.internal
+{{ hostvars['fw']['network6']['infra']['server'] }} postgresql.{{ domain['internal'] }} ldap.{{ domain['internal'] }} prometheus.{{ domain['internal'] }} loki.{{ domain['internal'] }} mail.{{ domain['internal'] }} ca.{{ domain['internal'] }}
 {% endif %}

config/node/common/timesyncd/local-ntp.conf

@@ -1,3 +1,3 @@
 [Time]
-NTP=ntp.ilnmors.internal
+NTP=ntp.{{ domain['internal'] }}
 FallbackNTP=0.debian.pool.ntp.org 1.debian.pool.ntp.org 2.debian.pool.ntp.org 3.debian.pool.ntp.org

config/node/fw/nftables.conf.j2

@@ -82,6 +82,8 @@ table inet filter {
         chain global {
                 # invalid packets
                 ct state invalid drop comment "deny invalid connection"
+                # VPN connection exception handling
+                udp dport $PORTS_VPN return comment "return vpn connection to input and forward chain"
                 # crowdsec
                 ip saddr @crowdsec-blacklists counter drop comment "deny all crowdsec blacklist"
                 ip6 saddr @crowdsec6-blacklists counter drop comment "deny all ipv6 crowdsec blacklist"

config/secrets/secrets.yaml

@@ -118,6 +118,11 @@ postgresql:
         immich: ENC[AES256_GCM,data:11jvxTKA/RL0DGL6y2/X092hnDohj6yTrYGK4IVojqBd1gCOBnDvUjgmx14=,iv:oBfHxsx9nxhyKY/WOuWfybxEX2bf+lHEtsaifFRS9lg=,tag:tAfkBdgQ8ZEkLIFcDICKDw==,type:str]
         paperless: ENC[AES256_GCM,data:6VBrBbjVoam7SkZCSvoBTdrfkUoDghdGTiBmFLul04X/okXOHeC5zusJffY=,iv:iZumcJ3TWwZD77FzYx8THwCqC+EbnXUBrEKuPh3zgV8=,tag:u2m8SppAdxZ/duNdpuS3oQ==,type:str]
         vikunja: ENC[AES256_GCM,data:/+wQdoFPTBG2elI9kZbAVWrHZ0DhMaYr4dc+2z9QNdb3TcDS2PEia0JuSAg=,iv:MViZTyUD8YqMmxSTWCQpJ30f/KQdQGOzPlRHHsQ8lAw=,tag:zov3POno139dkMxFDpj2gg==,type:str]
+        affine: ENC[AES256_GCM,data:XPXrcszsV06YqCJZ7CDqc4rCwqqNlbtLCFYfLAQ8jamLtft8L2UVrMA4WZo=,iv:vrWdBeckxB9tmEE628j4jhU+hSpE6TXYMGt0hh1Cg84=,tag:hlWwWUGht8NqWTZREMsa1Q==,type:str]
+        nextcloud: ENC[AES256_GCM,data:ROsximNuWYMTZktmLJPx7W1Qol/uT+APgwoCtFO/6ZYYc3KxKvlk344eqEc=,iv:4d+MrfIHjJKAcwhvZ3g4go66uZcieuL7lngKErJd+fg=,tag:QbWOtxeCbiu62GyrE2atXg==,type:str]
+        ezbookkeeping: ENC[AES256_GCM,data:CYYQ5DVr8Na46QduvUNF6d0XBVSXTml34q3/PhIYIvUNviOVgCjqXA4wN7g=,iv:qRljohJ+wI50XxSgMElKp65HyV3mKRTqDGjw9C1S0d0=,tag:PClp7PRmC0+PV0SzZpJqqQ==,type:str]
+        sure: ENC[AES256_GCM,data:FULJ2gjJ2gZC3s324itW+CjGRBHIP9RnOqw5TT1UaiUhb7UHAPm1na+LsZk=,iv:c0GnVZkxprJUzPPq3TCQaZvAes9QQuvDXqgVLLaiQIg=,tag:uDxy/Lkd2hNK4AWwMNMslw==,type:str]
+        wikijs: ENC[AES256_GCM,data:2drkkTevrcUrgxOHavIEPcemc2l5+/3GEAYNCYVL/63daVda5tzL61tPm2A=,iv:87qPrlRaosXO75eaxo4xjevVc1Pt9MiHv6lYFBB3MKU=,tag:SnVbVR4ZM0qvVmWpcgSKrg==,type:str]
 #ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
 #
 #
@@ -136,7 +141,7 @@ ldap:
         authelia: ENC[AES256_GCM,data:G8ZGsLKqEmMzQ5NMAgirF5BQraHNqixtI6dyyaeNhTdXebjJZML52xL36p4=,iv:ZtHAsFYmrQxr+qoQLPW/eme0+nsT148KRsXmW/LNLlU=,tag:Pvjs/eylkgxJpmGBsRmjcw==,type:str]
         grafana: ENC[AES256_GCM,data:vWmU3ZKcolETWAY74C3OMD8gMXDeYk+DqssACL0xefIPi5IkbrhYWmnWAnA=,iv:wcRms3Zp8kPM4USRPVa0UHpCTK36SWhK9C8yHSWu2Cs=,tag:gU5S/6fdMZVd/ih3Yd5uJA==,type:str]
         il: ENC[AES256_GCM,data:/CyMeo1+rIUAYiB25nI0,iv:jsyiiRN5z9GqcUnTZ0CZo4s+umTc2zeY2FPp+tVOC9o=,tag:cwOHcqMysCxX57w3a+Pzpg==,type:str]
-        morsalin: null
+        morsalin: ENC[AES256_GCM,data:YryNch8hF6rx,iv:bNIBur3Jcib8BvKjJ0MejpemsurYTP8rCxo6b2R5yEo=,tag:9dIIgqEPtbeixtgJ1OtMnQ==,type:str]
 #ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
 #
 #
@@ -230,14 +235,74 @@ paperless:
 #ENC[AES256_GCM,data:V7DJHA2JQirfBsrCGhXrhg==,iv:+jYqX9hGNnuyYj9o9LpCYFVOoD6nSrtc4t40Ag0mMzo=,tag:1wSxKtkJm42reUxdwYDvlg==,type:comment]
 vikunja:
     session_secret: ENC[AES256_GCM,data:CMyw8JGHyTczGsrOJJwQBKfXMU4Sudvwkur1Lgx4o64=,iv:F2VmpqddiDT4jGaGDKGl6FARsQOt3lLz3X6TjC2MIVU=,tag:UJYyzrl/FX1BNwY4ROFncA==,type:str]
-    il:
-        password: ENC[AES256_GCM,data:wDYAVUTFyL/CaXQXYviP3WAILmnREwYui8PZq9nXJPNa3FlwX6b/fzxbCvw=,iv:We+jb4W62O8tYRjGPv+lwlhyVF8eIeTiPNoELdLU+6M=,tag:y7vTZ+6TAsv4XajB4JOL7A==,type:str]
     oidc:
         secret: ENC[AES256_GCM,data:QwqndYsfr+fh9OLkHYtLYCa6WUdhnL7A4btz1d1eelTwq3Kps5S6BUN5qZg=,iv:51N8byIAAUh4ky7YBAuEJOBEWu1d9AX5W1m37/cLlCM=,tag:GD7jbxNGd748TCPgqsxyMg==,type:str]
         hash: ENC[AES256_GCM,data:ORifyT4u1V2CyBCNBgF72wwS2i05mlzA4iIVEa1cH9aaE69PdiQvGGzMHK+tmlfpVaVQEENSt1QDUSSlMyeuZT/3a0JwAvlz+XDbpS7bicL2cB6DCa4JyEd/rbGRXs0/COfxPxXzYv7jq9gd2uSJ+cCGYb/93WuEXSEI6PHi+FF7N94=,iv:FVSGySa4YB2vwenqSagBzxeIexg91ewvcQMix+etmng=,tag:yyQtOgzOZypba+rV3A1K9g==,type:str]
 #ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
 #
 #
+#ENC[AES256_GCM,data:EsRGZP7snPchEAMoQN5PoQpiOA==,iv:A/8POGq3pIw7aX5S2vyKtI2vPqH0FT6yZnpe/vVbifw=,tag:BgUYHX2zxIL7yLS0JbI1Yg==,type:comment]
+opencloud:
+    admin:
+        password: ENC[AES256_GCM,data:VKG7sNTTLHCXRGf4SAlR91+hvc7PaNrnpJX/4kItVcT9W1Hdl/yKgHHD7M8=,iv:WwWnx9KuN+i/Ugwv+HY4IGDZrLHk71hsobGFOn9kml0=,tag:SS6ihrtZjLnlAJR59lw+gw==,type:str]
+#ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
+#
+#
+#ENC[AES256_GCM,data:k55osvepVeB1RC5hZ4IF,iv:AlhfmWwn/DiSESWc+ULJSOLUhnrKAIfWr7MeiwV8qc8=,tag:hOgptwUcY6nVxPIhu+DYgw==,type:comment]
+affine:
+    secret_key: ENC[AES256_GCM,data:LLX78DpYnha1JWhgw0sHLzIVq/oIzvT+nB7zgli4mroGbnt7WZaXCx34zKkYRwYj/+0L4IFFVdkzKtK5DO84SgFkS2Bk2iNdCMqIx80CpyiD8IWAcyRu5d6hh82PlgyxU80T/4nbLbIn0GLubPTTeUX8GC3VxRU=,iv:DnmvbhlygSHes0jAkIm4+WXMUQLzr4R4dNa33rO67v8=,tag:+2wlh+/ekiTyShWM4XBbUw==,type:str]
+    il:
+        password: ENC[AES256_GCM,data:4zxiQAzXTR+fraRjYT657BIwSqrih3lMPFFSibQdardRMjskAbuRYIQA6mo=,iv:ub3giRG9vCFSuwRXDazYTqWbjENzQUWR36290Kruj1o=,tag:C2Ixd2eTEgzBvUNCNBtJuA==,type:str]
+    oidc:
+        secret: ENC[AES256_GCM,data:eRDBrqLZR7MFLlsUwk7Wg7FzxDov7vJLIWQRuKq7vrXbPSJkMcy9jfG2rL4=,iv:UaSoi7gODXgjzihJIDVIdDHJcSAZNV8UKfGeM6YzxqI=,tag:cOUDblcMStP8E4fp+s1WRQ==,type:str]
+        hash: ENC[AES256_GCM,data:jE1CvFo+mjb/Xc3Ft5ky7on03vcnv79cw/5g/xaldXsv94VRrIjmfGMgHAj07r8j5mDpP34A5bYO1PSe9DYrwRcsXa9OUQuzm/8avFy9wVZDhBUUAGR+jiW1BP9hc6nmSpPVPtle+3sbqOB0ZMjXWwlcAcuknOtuhH1mzwmaDP9yf+M=,iv:CSSaXY/6MpHBMhPLUWPkabIeJ9zpZkcVjiEhxVF0zJM=,tag:f72ekkjJs7Qmh1K9wC8L9w==,type:str]
+#ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
+#
+#
+#ENC[AES256_GCM,data:PZS7EbvMHqHGorNUGAWj4dk1,iv:vOE+djRAvBTMM51kHi6kG5Arw3uPXlJt1d/BpcEaD0c=,tag:AuoCHLQz42CYvVVdKFWu1Q==,type:comment]
+nextcloud:
+    admin-local:
+        password: ENC[AES256_GCM,data:mIwF5A09oqYbdK3bOKid9A896Q5J5Q6Ax+vDNqEJFGNdzd/mJ4oQS6rva+s=,iv:QroUMST2wnEJzk6DySe9tPZaWuqdxzJZ0+oi6mW6x00=,tag:3UTzjupK7+omrI3Hvyr8bA==,type:str]
+    oidc:
+        secret: ENC[AES256_GCM,data:Sr4KkKkYdkU0UWdpfUF7PyiGoerjBiw+sOFcENyLxw0FRXGG0Y8gv5uGb4Q=,iv:LbGsNM3+iY7bWFQe88TepVKUdiRQWZ+K7Ubn6ze6lV4=,tag:SbcfIAMW9ZprgahOFU4IQQ==,type:str]
+        hash: ENC[AES256_GCM,data:CkstbIYQmi72QhsbJZN0lQedgCn7TmGpYcYj0n+NvJIoTlol8G9N/88cwGbVoGK9nEISv54FL94cEJFppnMIuj0BHrhasrZsyI2/Lj52YLWdwNJWNQ+iYt+Ifp/1kI0zqmdoajzZ5DS2w/1evCBC1+JdfTRlpVXmSsHUIPIHelBRj90=,iv:vwvT5TTkF4woxXOvrRRqmrdLXf19s47NIDtdT+zLp0U=,tag:KC0MS0DTH6j3zIHOjCFOSA==,type:str]
+#ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
+#
+#
+#ENC[AES256_GCM,data:tMahvC9OLW4+AGLyx68SNsOPBezApw==,iv:WHx8ruuQ33J/8XtwyhvDy2cKqE7lAWvj/r5AUhdyssU=,tag:uRwheXUxqNSIhcPqGeMNog==,type:comment]
+ezbookkeeping:
+    oidc:
+        secret: ENC[AES256_GCM,data:ZMIfRwXDT1ujGKoc7DGvc8/O+ciB+kajo9yOwVsMsbEjl6D8gl6I0Lbsta8=,iv:++p1TTW6gDUEvh56SjMgldrpob/VWNtiYGo6wNS8cz0=,tag:LQaW333UskiN4mtIjUAguA==,type:str]
+        hash: ENC[AES256_GCM,data:XyB1N3MUzBHWHAumat7/ASy/Aja/gLKmeTriOqLnMgZ9lBE1birYtFW+R0wZ+vyx79tHKVnRxzrWsxoD5jitCmHyMVrJmJKl5c4SYMhytKfBPgrNe3twcc06U+wONmgAuVpaEQlnnyzAz42SpOHbT55GegHjYzT5hXax8eRvdM6xJSY=,iv:R4+EdQuKo2JumY3cu8KPpeFezcLhlehXBxr2wVG5wHk=,tag:hpDX1x9NCCutUsnDKEf1Sg==,type:str]
+#ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
+#
+#
+#ENC[AES256_GCM,data:Fsqc2JDp9dvfgiCjdQ==,iv:3DALKKEXaP8hzXRvxD4CgfFpOiPPsOa16OB94n8WKp8=,tag:K+FF3zGrc0YLXWK/R2L3Ow==,type:comment]
+sure:
+    session_secret: ENC[AES256_GCM,data:InHsz/jld8E9TwI8MWpxk9x2I7dxlIsY9R6jtDK2pBA=,iv:HY5yXEC2Dce26e9/vXTIWELvVd9ZjhcCwFD0jhz5pPw=,tag:LLSJovZ0RH3CUK+se7R4Ag==,type:str]
+    oidc:
+        secret: ENC[AES256_GCM,data:9BSvpcU9BJctSN9bkPIAsRxg8JNHTWvOKdpJFhm//CUDm/Xc7oC/ANHf5no=,iv:JVQLl/rp65kZSK/4SpVXxtiac3Z35XNkxWm2+lEdq/c=,tag:WgfaORiNlrO+wHSdnl4CWQ==,type:str]
+        hash: ENC[AES256_GCM,data:EjJ+1fP7/9wG2jG0Jv2hxMLtErqxjHBstRjru79dd5ZXhqwT7S+jpLfl9WpZU9qi20ps9YP4qe7G08p6NJNXjYhQj852GQxEORRh/9StAZsPt3p8w+ePZSVbivPQH+FpPKWYxoH0VR7y3TnL66R0tKRLh1fNTc5jRy5rU5r1bfs1jZ0=,iv:0y9FxW4QdD7qHz3bPRWlwHFpvOsvlYhVrOItB6BzaE8=,tag:Wc7MZhP3QRYmvZcjpoEWtQ==,type:str]
+#ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
+#
+#
+#ENC[AES256_GCM,data:NkvAsD10P7qUvGPXeTY+rQ==,iv:GjsUk3Ht6RYW/rhkRhMSFEmtsAiS+dK7niYDJVBj2iE=,tag:8KnDcuRTm7P76Kh2hmWeXw==,type:comment]
+wikijs:
+    il: ENC[AES256_GCM,data:gsAEHk4MI75EXIiqdb05RYSmlxaQ7mlYXTwTYYVJ20KC397T6xbHzvNojlI=,iv:iYc+BahiJ50LSr35/T1VCQsxsRen5rKLwQhfVQMkdz4=,tag:rscWcLWyTaSR4KEPJaes2A==,type:str]
+    oidc:
+        secret: ENC[AES256_GCM,data:+bmvyUkiQ+vnaJW7wgjohv4wdvliqx8whdSM8iBUJXGFy/QOs2oJm4FoUcA=,iv:U07y/+87zbXQ2hQ4HvzKcEH5nQsaSIF1Oh3yv6/ytWU=,tag:knGwjGhH5D/OSvW6j5S0VQ==,type:str]
+        hash: ENC[AES256_GCM,data:7jKBt9mdfxKDU6vBIP6k/wj0gIsRnLwwSrLOlnbbiNZVmbZXqv/UxEsLxCyx1rP2mzGgaxNCBh6WOo7mbSMPezMiuf/enrNrmIwpcP2R0H6LxGTiLFk/7EZ493oy7qFmmsM2qM7Y6qhhKUygD4XbJfVZ2sdojjIGAWy6XdpbbQICb5I=,iv:N3gPga+iDYUF0uAx671DP+4c7FYUKP12MEbYmKZRPAI=,tag:7tKwhxk5yQ0KfZrg0+v/rw==,type:str]
+#ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
+#
+#
+#ENC[AES256_GCM,data:rf52AKZDCNq9PVnAMnDXzw==,iv:+rT8sgcAz0LoeUcPgIrpSw/JWvk5agunnTkaWac16kU=,tag:SCyTu1rUNnmS2EFMeIvlCw==,type:comment]
+trilium:
+    oidc:
+        secret: ENC[AES256_GCM,data:EfKdxk/OBgQyGVwOnxMFS/HhucL5qicaB7HfWu4yNvmrqxU+ubkT62zJewQ=,iv:Ye4gNbyOuEaujGfxXYKg4GWDOP+cnTNL230t8B98WUY=,tag:B1YoabR7y8OVUKYj/aiSPA==,type:str]
+        hash: ENC[AES256_GCM,data:QyU+leT28FY3nW+tIbnap2n52xw1bcb77ziFf6cW9gdwwhL6rJCEaTGQritpVsCH5C9ytxlV0Acn7dJbnYSHFtZ2jbuvYMSQR4ewtY+tFX1MdD9+FmtH8umb7PHbG6upXgrXRNRIglJ4U1BEfg0xkdzEPbJq+r13A1+cKESrewayae4=,iv:CUE6YjDzgoc017e8+dT1S956PwmOlb7h6dhnOpCr3iw=,tag:XGgpzuVZXJ8Axb4ib8anVQ==,type:str]
+#ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
+#
+#
 #ENC[AES256_GCM,data:T4Wtn49AAxPd2QUFTR+q,iv:bH5goGWBDqumAat9dUv2OwfCUJUpuVqncTMqMBZUXhI=,tag:G+W6hHA+yftQ+4RJpXrxHg==,type:comment]
 switch:
     password: ENC[AES256_GCM,data:qu0f9L7A0eFq/UCpaRs=,iv:W8LLOp3MSfd/+EfNEZNf91K8GgI5eUfVPoWTRES2C0Y=,tag:Q5FlAOfwqwJwPvd7k6i+0g==,type:str]
@@ -267,7 +332,7 @@ sops:
             UmliaFNxVTBqRkI1QWJpWGpTRWxETW8KEY/8AfU73UOzCGhny1cNnd5dCNv7bHXt
             k+uyWPPi+enFkVaceSwMFrA66uaWWrwAj11sXEB7yzvGFPrnAGezjQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-03-28T01:12:44Z"
-    mac: ENC[AES256_GCM,data:hGvVNYQ2qUf9zGMbY5lupY9NI4rCnbza7OruAho12UTcTpD9vktWj559U/UoZpKDknR9n+d50UOGcukeFgLtPBo6xy0+Yf0FRCZU59SQ9k02f3wyIck5ANikBImeN6gGKUbiuIcQUqD3jWH1b2u6V02KN8UkKs7CywHKhI2IoKg=,iv:orXjewDUalAxGOdMjXs18Al98MLzYHTyaWnCz0VqRU4=,tag:hZ5aV3E2kB0US4zAk66Z2Q==,type:str]
+    lastmodified: "2026-05-09T12:29:30Z"
+    mac: ENC[AES256_GCM,data:ql3rWwdwJRn2nH0SLnjTaJK4NVemxG8T814VEDaHv38bc7A3aaMGuZ92mHY4z+5oNA+DpR/UjkGJ/NrckbURxY63BEcyVCsS4Rb95HTKjDOjf2g5rrohdgI3ZUE1jvlyf3tAh2ZYh1J8QddLKyLju/J43KcB+XRQKhJv4kubAQ0=,iv:4inRbBMuhB7Hzi8fGpqyC3juUqteZGLXX0GtnHusF7Y=,tag:ZxJ6iv8NxJr4rvCInml8dg==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.12.1

config/services/containers/app/actual-budget/actual-budget.container.j2

@@ -9,14 +9,14 @@ Image=ghcr.io/actualbudget/actual-server:{{ version['containers']['actualbudget'
 ContainerName=actual-budget
 HostName=actual-budget
 
-PublishPort=5006:5006
+PublishPort={{ services['actualbudget']['ports']['http'] }}:5006
 
 Volume=%h/data/containers/actual-budget:/data:rw
 
 Environment="TZ=Asia/Seoul"
-Environment="ACTUAL_OPENID_DISCOVERY_URL=https://authelia.ilnmors.com/.well-known/openid-configuration"
+Environment="ACTUAL_OPENID_DISCOVERY_URL=https://{{ services['authelia']['domain'] }}.{{ domain['public'] }}/.well-known/openid-configuration"
 Environment="ACTUAL_OPENID_CLIENT_ID=actual-budget"
-Environment="ACTUAL_OPENID_SERVER_HOSTNAME=https://budget.ilnmors.com"
+Environment="ACTUAL_OPENID_SERVER_HOSTNAME=https://{{ services['actualbudget']['domain']['public'] }}.{{ domain['public'] }}"
 Environment="ACTUAL_OPENID_AUTH_METHOD=oauth2"
 Secret=ACTUAL_OPENID_CLIENT_SECRET,type=env
 

config/services/containers/app/affine/affine.container.j2

@@ -0,0 +1,49 @@
+[Quadlet]
+DefaultDependencies=false
+
+[Unit]
+Description=AFFiNE
+
+After=redis_affine.service manticore_affine.service
+Wants=redis_affine.service manticore_affine.service
+
+[Container]
+Image=ghcr.io/toeverything/affine:{{ version['containers']['affine'] }}
+ContainerName=affine
+HostName=affine
+
+PublishPort={{ services['affine']['ports']['http'] }}:3010
+
+Volume=%h/data/containers/affine:/root/.affine/storage:rw
+Volume=%h/containers/affine/config:/root/.affine/config
+Volume=%h/containers/affine/ssl:/etc/ssl/affine:ro
+
+# General
+Environment="TZ=Asia/Seoul"
+## OIDC callback URIs
+Environment="AFFINE_SERVER_HOST={{ services['affine']['domain']['public'] }}.{{ domain['public'] }}"
+Environment="AFFINE_SERVER_EXTERNAL_URL=https://{{ services['affine']['domain']['public'] }}.{{ domain['public'] }}"
+Environment="AFFINE_SERVER_HTTPS=true"
+
+Secret=AFFINE_PRIVATE_KEY,type=env
+
+# Database
+Secret=AFFINE_DATABASE_URL,type=env,target=DATABASE_URL
+## Enable AI function: this needs pgvector
+
+# Redis
+Environment="REDIS_SERVER_HOST=host.containers.internal"
+Environment="REDIS_SERVER_PORT={{ services['affine']['ports']['redis'] }}"
+
+# Indexer
+Environment="AFFINE_INDEXER_ENABLED=true"
+Environment="AFFINE_INDEXER_SEARCH_ENDPOINT=http://host.containers.internal:{{ services['affine']['ports']['manticore'] }}"
+
+[Service]
+ExecStartPre=/usr/bin/nc -zv {{ services['postgresql']['domain'] }}.{{ domain['internal'] }} {{ services['postgresql']['ports']['tcp'] }}
+Restart=always
+RestartSec=10s
+TimeoutStopSec=120
+
+[Install]
+WantedBy=default.target

config/services/containers/app/collabora/collabora.container.j2

@@ -0,0 +1,25 @@
+[Quadlet]
+DefaultDependencies=false
+
+[Unit]
+Description=Collabora Online
+
+[Container]
+Image=docker.io/collabora/code:{{ version['containers']['collabora'] }}
+ContainerName=collabora
+HostName=collabora
+
+PublishPort={{ services['collabora']['ports']['http'] }}:9980/tcp
+
+Environment="TZ=Asia/Seoul"
+Environment="aliasgroup1=https://{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}"
+# Environment="aliasgroup2=other_server_FQDN"
+Environment="extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:server_name={{ services['collabora']['domain']['public'] }}.{{ domain['public'] }} --o:admin_console.enable=false"
+
+[Service]
+Restart=always
+RestartSec=10s
+TimeoutStopSec=120
+
+[Install]
+WantedBy=default.target

config/services/containers/app/ezbookkeeping/ezbookkeeping.container.j2

@@ -0,0 +1,61 @@
+[Quadlet]
+DefaultDependencies=false
+
+[Unit]
+Description=ezBookkeeping
+
+After=network-online.target
+Wants=network-online.target
+
+[Container]
+Image=docker.io/mayswind/ezbookkeeping:{{ version['containers']['ezbookkeeping'] }}
+ContainerName=ezbookkeeping
+HostName=ezbookkeeping
+
+PublishPort={{ services['ezbookkeeping']['ports']['http'] }}:8080/tcp
+
+Volume=%h/data/containers/ezbookkeeping/data:/data:rw
+Volume=%h/containers/ezbookkeeping/ssl:/etc/ssl/ezbookkeeping:ro
+
+# General
+Environment="TZ=Asia/Seoul"
+Environment="EBK_SERVER_DOMAIN={{ services['ezbookkeeping']['domain']['public'] }}.{{ domain['public'] }}"
+Environment="EBK_SERVER_ROOT_URL=https://{{ services['ezbookkeeping']['domain']['public'] }}.{{ domain['public'] }}/"
+Environment="EBK_LOG_MODE=console"
+
+# Database
+Environment="EBK_DATABASE_TYPE=postgres"
+Environment="EBK_DATABASE_HOST={{ services['postgresql']['domain'] }}.{{ domain['internal'] }}:{{ services['postgresql']['ports']['tcp'] }}"
+Environment="EBK_DATABASE_NAME=ezbookkeeping_db"
+Environment="EBK_DATABASE_USER=ezbookkeeping"
+Secret=EBK_DATABASE_PASSWD,type=env
+Environment="EBK_DATABASE_SSL_MODE=verify-full"
+Environment="PGSSLROOTCERT=/etc/ssl/ezbookkeeping/{{ root_cert_filename }}"
+
+# OIDC
+Environment="EBK_AUTH_ENABLE_OAUTH2_AUTH=true"
+Environment="EBK_AUTH_OAUTH2_PROVIDER=oidc"
+Environment="EBK_AUTH_OAUTH2_CLIENT_ID=ezbookkeeping"
+Secret=EBK_AUTH_OAUTH2_CLIENT_SECRET,type=env
+Environment="EBK_AUTH_OAUTH2_USE_PKCE=true"
+Environment="EBK_AUTH_OIDC_PROVIDER_BASE_URL=https://{{ services['authelia']['domain'] }}.{{ domain['public'] }}"
+Environment="EBK_AUTH_ENABLE_OIDC_DISPLAY_NAME=true"
+Environment="EBK_AUTH_OIDC_CUSTOM_DISPLAY_NAME=Authelia"
+
+# Registration / auth policy
+Environment="EBK_AUTH_ENABLE_INTERNAL_AUTH=false"
+Environment="EBK_USER_ENABLE_REGISTER=true"
+Environment="EBK_AUTH_OAUTH2_AUTO_REGISTER=true"
+
+# AI / MCP disabled by default
+Environment="EBK_MCP_ENABLE_MCP=false"
+Environment="EBK_LLM_TRANSACTION_FROM_AI_IMAGE_RECOGNITION=false"
+
+[Service]
+ExecStartPre=/usr/bin/nc -zv {{ services['postgresql']['domain'] }}.{{ domain['internal'] }} {{ services['postgresql']['ports']['tcp'] }}
+Restart=always
+RestartSec=10s
+TimeoutStopSec=120
+
+[Install]
+WantedBy=default.target

config/services/containers/app/gitea/gitea.container.j2

@@ -13,7 +13,7 @@ Image=docker.io/gitea/gitea:{{ version['containers']['gitea'] }}
 ContainerName=gitea
 HostName=gitea
 
-PublishPort=3000:3000/tcp
+PublishPort={{ services['gitea']['ports']['http'] }}:3000/tcp
 
 Volume=%h/data/containers/gitea:/data:rw
 Volume=%h/containers/gitea/ssl:/etc/ssl/gitea:ro
@@ -23,18 +23,18 @@ Environment="TZ=Asia/Seoul"
 Environment="GITEA__server__DISABLE_SSH=true"
 # Database
 Environment="GITEA__database__DB_TYPE=postgres"
-Environment="GITEA__database__HOST={{ infra_uri['postgresql']['domain'] }}:{{ infra_uri['postgresql']['ports']['tcp'] }}"
+Environment="GITEA__database__HOST={{ services['postgresql']['domain'] }}.{{ domain['internal'] }}:{{ services['postgresql']['ports']['tcp'] }}"
 Environment="GITEA__database__NAME=gitea_db"
 Environment="GITEA__database__USER=gitea"
 Secret=GITEA__database__PASSWD,type=env
 Environment="GITEA__database__SSL_MODE=verify-full"
-Environment="PGSSLROOTCERT=/etc/ssl/gitea/ilnmors_root_ca.crt"
+Environment="PGSSLROOTCERT=/etc/ssl/gitea/{{ root_cert_filename }}"
 # OAuth2 client
 Environment="GITEA__oauth2_client__ACCOUNT_LINKING=auto"
 # OIDC configuration
 Environment="GITEA__openid__ENABLE_OPENID_SIGNIN=false"
 Environment="GITEA__openid__ENABLE_OPENID_SIGNUP=true"
-Environment="GITEA__openid__WHITELISTED_URIS=authelia.ilnmors.com"
+Environment="GITEA__openid__WHITELISTED_URIS={{ services['authelia']['domain'] }}.{{ domain['public'] }}"
 # automatic create user via authelia
 Environment="GITEA__service__DISABLE_REGISTRATION=false"
 Environment="GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION=true"
@@ -42,7 +42,7 @@ Environment="GITEA__service__SHOW_REGISTRATION_BUTTON=false"
 
 
 [Service]
-ExecStartPre=/usr/bin/nc -zv {{ infra_uri['postgresql']['domain'] }} {{ infra_uri['postgresql']['ports']['tcp'] }}
+ExecStartPre=/usr/bin/nc -zv {{ services['postgresql']['domain'] }}.{{ domain['internal'] }} {{ services['postgresql']['ports']['tcp'] }}
 Restart=always
 RestartSec=10s
 TimeoutStopSec=120

config/services/containers/app/immich/immich-ml.container.j2

@@ -13,7 +13,7 @@ Image=ghcr.io/immich-app/immich-machine-learning:{{ version['containers']['immic
 ContainerName=immich-ml
 HostName=immich-ml
 
-PublishPort=3003:3003
+PublishPort={{ services['immich-ml']['ports']['http'] }}:3003
 
 # iGPU access for OpenVINO
 AddDevice=/dev/dri:/dev/dri

config/services/containers/app/immich/immich.container.j2

@@ -13,7 +13,7 @@ Image=ghcr.io/immich-app/immich-server:{{ version['containers']['immich'] }}
 ContainerName=immich
 HostName=immich
 
-PublishPort=2283:2283
+PublishPort={{ services['immich']['ports']['http'] }}:2283
 
 # iGPU access
 AddDevice=/dev/dri:/dev/dri
@@ -25,22 +25,26 @@ Volume=%h/containers/immich/ssl:/etc/ssl/immich:ro
 
 # Environment
 Environment="TZ=Asia/Seoul"
+# The new environment from version 2.7.0 to enable CSP
+Environment="IMMICH_HELMET_FILE=true"
+
+# Redis
 Environment="REDIS_HOSTNAME=host.containers.internal"
-Environment="REDIS_PORT={{ hostvars['app']['redis']['immich'] }}"
+Environment="REDIS_PORT={{ services['immich']['ports']['redis'] }}"
 Environment="REDIS_DBINDEX=0"
 
 # Database
-Environment="DB_HOSTNAME={{ infra_uri['postgresql']['domain'] }}"
-Environment="DB_PORT={{ infra_uri['postgresql']['ports']['tcp'] }}"
+Environment="DB_HOSTNAME={{ services['postgresql']['domain'] }}.{{ domain['internal'] }}"
+Environment="DB_PORT={{ services['postgresql']['ports']['tcp'] }}"
 Environment="DB_USERNAME=immich"
 Environment="DB_DATABASE_NAME=immich_db"
 Environment="DB_PASSWORD_FILE=/run/secrets/DB_PASSWORD"
 Environment="DB_SSL_MODE=verify-full"
-Environment="NODE_EXTRA_CA_CERTS=/etc/ssl/immich/ilnmors_root_ca.crt"
+Environment="NODE_EXTRA_CA_CERTS=/etc/ssl/immich/{{ root_cert_filename }}"
 Secret=IMMICH_DB_PASSWORD,target=/run/secrets/DB_PASSWORD
 
 [Service]
-ExecStartPre=/usr/bin/nc -zv {{ infra_uri['postgresql']['domain'] }} {{ infra_uri['postgresql']['ports']['tcp'] }}
+ExecStartPre=/usr/bin/nc -zv {{ services['postgresql']['domain'] }}.{{ domain['internal'] }} {{ services['postgresql']['ports']['tcp'] }}
 Restart=always
 RestartSec=10s
 TimeoutStopSec=120

config/services/containers/app/manticore/manticore.container.j2

@@ -0,0 +1,25 @@
+[Quadlet]
+DefaultDependencies=false
+
+[Unit]
+Description=Manticore - {{ manticore_service }}
+
+[Container]
+Image=docker.io/manticoresearch/manticore:{{ version['containers']['manticore'] }}
+ContainerName=manticore_{{ manticore_service }}
+HostName=manticore_{{ manticore_service }}
+
+PublishPort={{ services[manticore_service]['ports']['manticore'] }}:9308
+
+Volume=%h/data/containers/manticore/{{ manticore_service }}:/var/lib/manticore:rw
+
+# General
+Environment="TZ=Asia/Seoul"
+
+[Service]
+Restart=always
+RestartSec=10s
+TimeoutStopSec=120
+
+[Install]
+WantedBy=default.target

config/services/containers/app/nextcloud/config/background.config.php.j2

@@ -0,0 +1,5 @@
+<?php
+$CONFIG = [
+    // Background jobs mode is auto-detected as 'cron' when nextcloud-cron.timer runs cron.php via CLI. No explicit config required.
+    'maintenance_window_start' => 18,
+];

config/services/containers/app/nextcloud/config/cache.config.php.j2

@@ -0,0 +1,12 @@
+<?php
+$CONFIG = [
+    'memcache.local' => '\OC\Memcache\APCu',
+    'memcache.distributed' => '\OC\Memcache\Redis',
+    'memcache.locking' => '\OC\Memcache\Redis',
+    'redis' => [
+        'host' => 'host.containers.internal',
+        'port' => {{ services['nextcloud']['ports']['redis'] }},
+        'timeout' => 1.5,
+        'dbindex' => 0,
+    ],
+];

config/services/containers/app/nextcloud/config/domain.config.php.j2

@@ -0,0 +1,9 @@
+<?php
+$CONFIG = [
+  'trusted_domains' => [
+    '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}',
+  ],
+  'overwritehost' => '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}',
+  'overwriteprotocol' => 'https',
+  'overwrite.cli.url' => 'https://{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}',
+];

config/services/containers/app/nextcloud/config/local_remote.config.php.j2

@@ -0,0 +1,4 @@
+<?php
+$CONFIG = [
+  'allow_local_remote_servers' => true,
+];

config/services/containers/app/nextcloud/config/user_oidc.config.php.j2

@@ -0,0 +1,9 @@
+<?php
+$CONFIG = [
+  'user_oidc' => [
+    'default_token_endpoint_auth_method' => 'client_secret_post',
+    'auto_provision' => true,
+    'soft_auto_provision' => true,
+    'disable_account_creation' => false,
+  ],
+];

config/services/containers/app/nextcloud/ini/opcache.ini

@@ -0,0 +1,14 @@
+; /usr/local/etc/php/conf.d/opcache-recommended.ini
+; OPcache tuning
+opcache.enable=1
+opcache.enable_cli=1
+opcache.memory_consumption=512
+opcache.interned_strings_buffer=32
+opcache.max_accelerated_files=20000
+opcache.validate_timestamps=0
+opcache.save_comments=1
+opcache.revalidate_freq=60
+opcache.fast_shutdown=1
+
+; APCu CLI activate
+apc.enable_cli=1

config/services/containers/app/nextcloud/ini/upload.ini

@@ -0,0 +1,6 @@
+; /usr/local/etc/php/conf.d/nextcloud-upload.ini
+upload_max_filesize=16G
+post_max_size=16G
+memory_limit=1024M
+max_execution_time=3600
+max_input_time=3600

config/services/containers/app/nextcloud/nextcloud.container.j2

@@ -0,0 +1,36 @@
+[Quadlet]
+DefaultDependencies=false
+
+[Unit]
+Description=Nextcloud
+
+[Container]
+Image=docker.io/library/nextcloud:{{ version['containers']['nextcloud'] }}
+ContainerName=nextcloud
+HostName=nextcloud
+
+PublishPort={{ services['nextcloud']['ports']['http'] }}:80
+
+Volume=%h/containers/nextcloud/ssl:/etc/ssl/nextcloud:ro
+Volume=%h/containers/nextcloud/ini/opcache.ini:/usr/local/etc/php/conf.d/opcache-recommended.ini:ro
+Volume=%h/containers/nextcloud/ini/upload.ini:/usr/local/etc/php/conf.d/upload.ini:ro
+Volume=%h/data/containers/nextcloud/html:/var/www/html:rw
+
+# General
+Environment="TZ=Asia/Seoul"
+# PostgreSQL
+Environment="PGSSLMODE=verify-full"
+Environment="PGSSLROOTCERT=/etc/ssl/nextcloud/{{ root_cert_filename }}"
+## libpq in Nextcloud automatically tries to use a client certificate for mTLS. Therefore, when only TLS is required, then disable the option explicitly.
+Environment="PGSSLCERTMODE=disable"
+# Redis
+Environment="REDIS_HOST=host.containers.internal"
+Environment="REDIS_HOST_PORT={{ services['nextcloud']['ports']['redis'] }}"
+
+[Service]
+Restart=always
+RestartSec=10s
+TimeoutStopSec=120
+
+[Install]
+WantedBy=default.target

config/services/containers/app/nextcloud/systemd/nextcloud-cron.service

@@ -0,0 +1,8 @@
+[Unit]
+Description=Nextcloud cron.php
+Requires=nextcloud.service
+After=nextcloud.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/podman exec -u www-data nextcloud php -f /var/www/html/cron.php

config/services/containers/app/nextcloud/systemd/nextcloud-cron.timer

@@ -0,0 +1,10 @@
+[Unit]
+Description=Run Nextcloud cron every 5 minutes
+
+[Timer]
+OnBootSec=5min
+OnUnitActiveSec=5min
+Unit=nextcloud-cron.service
+
+[Install]
+WantedBy=timers.target

config/services/containers/app/opencloud/etc/csp.yaml.j2

@@ -0,0 +1,38 @@
+directives:
+  child-src:
+    - '''self'''
+  connect-src:
+    - '''self'''
+    - 'blob:'
+    - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps'
+    - 'https://update.opencloud.eu'
+    - 'https://{{ services['authelia']['domain'] }}.{{ domain['public'] }}'
+#  default-src:
+#    - '''none'''
+  font-src:
+    - '''self'''
+  frame-ancestors:
+    - '''self'''
+  frame-src:
+    - '''self'''
+    - 'blob:'
+  img-src:
+    - '''self'''
+    - 'data:'
+    - 'blob:'
+  manifest-src:
+    - '''self'''
+  media-src:
+    - '''self'''
+#  object-src:
+#    - '''none'''
+  script-src:
+    - '''self'''
+    - '''unsafe-inline'''
+    - '''unsafe-eval'''
+  style-src:
+    - '''self'''
+    - '''unsafe-inline'''
+  worker-src:
+    - '''self'''
+    - 'blob:'

config/services/containers/app/opencloud/etc/proxy.yaml.j2

@@ -0,0 +1,17 @@
+role_assignment:
+  driver: "oidc"
+  oidc_role_mapper:
+    role_claim: "preferred_username"
+    role_mapping:
+{% for admin_user in ['il'] %}
+      - role_name: "admin"
+        claim_value: "{{ admin_user }}"
+{% endfor %}
+{% for general_user in ['morsalin', 'eunkyoung'] %}
+      - role_name: "user"
+        claim_value: "{{ general_user }}"
+{% endfor %}
+#    - role_name: "spaceadmin"
+#      claim_value: ""
+#    - role_name: user-light
+#      claim_value: ""

config/services/containers/app/opencloud/opencloud.container.j2

@@ -0,0 +1,60 @@
+[Quadlet]
+DefaultDependencies=false
+
+[Unit]
+Description=OpenCloud
+
+[Container]
+Image=docker.io/opencloudeu/opencloud:{{ version['containers']['opencloud'] }}
+ContainerName=opencloud
+HostName=opencloud
+
+PublishPort={{ services['opencloud']['ports']['http'] }}:9200
+
+Volume=%h/containers/opencloud:/etc/opencloud:rw
+Volume=%h/data/containers/opencloud:/var/lib/opencloud:rw
+
+# General
+Environment="TZ=Asia/Seoul"
+# Log level info
+Environment="OC_LOG_LEVEL=info"
+# TLS configuration
+Environment="PROXY_TLS=false"
+Environment="OC_INSECURE=true"
+# Connection
+Environment="PROXY_HTTP_ADDR=0.0.0.0:9200"
+Environment="OC_URL=https://{{ services['opencloud']['domain']['public'] }}.{{ domain['public'] }}"
+## CSP file location: allow authelia public domain
+Environment="PROXY_CSP_CONFIG_FILE_LOCATION=/etc/opencloud/csp.yaml"
+# OIDC
+Environment="OC_OIDC_ISSUER=https://{{ services['authelia']['domain'] }}.{{ domain['public'] }}"
+Environment="PROXY_OIDC_REWRITE_WELLKNOWN=true"
+## OIDC CLIENT CONFIGURATION and SCOPES
+Environment="WEB_OIDC_CLIENT_ID=opencloud"
+Environment="WEB_OIDC_SCOPE=openid profile email"
+## auto sign-in from authelia
+Environment="PROXY_AUTOPROVISION_ACCOUNTS=true"
+## Stop using internal idP service
+Environment="OC_EXCLUDE_RUN_SERVICES=idp"
+## Don't limit special characters
+Environment="GRAPH_USERNAME_MATCH=none"
+
+
+# OIDC standard link environments
+#Environment="WEB_OIDC_AUTHORITY=https://{{ services['authelia']['domain'] }}.{{ domain['public'] }}"
+#Environment="WEBFINGER_OIDC_ISSUER=https://{{ services['authelia']['domain'] }}.{{ domain['public'] }}"
+#Environment="OC_OIDC_CLIENT_ID=opencloud"
+#Environment="OC_OIDC_CLIENT_SCOPES=openid profile email groups"
+#Environment="WEBFINGER_ANDROID_OIDC_CLIENT_ID=opencloud"
+#Environment="WEBFINGER_ANDROID_OIDC_CLIENT_SCOPES=openid profile email groups offline_access"
+#Environment="WEBFINGER_DESKTOP_OIDC_CLIENT_ID=opencloud"
+#Environment="WEBFINGER_DESKTOP_OIDC_CLIENT_SCOPES=openid profile email groups offline_access"
+#Environment="WEBFINGER_IOS_OIDC_CLIENT_ID=opencloud"
+#Environment="WEBFINGER_IOS_OIDC_CLIENT_SCOPES=openid profile email groups offline_access"
+[Service]
+Restart=always
+RestartSec=10s
+TimeoutStopSec=120
+
+[Install]
+WantedBy=default.target

config/services/containers/app/paperless/paperless.container.j2

@@ -11,7 +11,7 @@ Wants=redis_paperless.service
 Image=ghcr.io/paperless-ngx/paperless-ngx:{{ version['containers']['paperless'] }}
 ContainerName=paperless
 HostName=paperless
-PublishPort=8001:8000/tcp
+PublishPort={{ services['paperless']['ports']['http'] }}:8000/tcp
 
 # Volumes
 Volume=%h/data/containers/paperless/data:/usr/src/paperless/data:rw
@@ -22,7 +22,7 @@ Volume=%h/containers/paperless/ssl:/etc/ssl/paperless:ro
 # General
 Environment="TZ=Asia/Seoul"
 Environment="PAPERLESS_TIME_ZONE=Asia/Seoul"
-Environment="PAPERLESS_URL=https://paperless.ilnmors.com"
+Environment="PAPERLESS_URL=https://{{ services['paperless']['domain']['public'] }}.{{ domain['public'] }}"
 Environment="PAPERLESS_OCR_LANGUAGE=kor+eng"
 Environment="PAPERLESS_OCR_LANGUAGES=kor"
 # Environment="PAPERLESS_OCR_MODE=force"
@@ -32,15 +32,15 @@ Environment="PAPERLESS_WORKER_TIMEOUT=7200"
 Secret=PAPERLESS_SECRET_KEY,type=env
 
 # Redis
-Environment="PAPERLESS_REDIS=redis://host.containers.internal:{{ hostvars['app']['redis']['paperless'] }}"
+Environment="PAPERLESS_REDIS=redis://host.containers.internal:{{ services['paperless']['ports']['redis'] }}"
 
 # Database
-Environment="PAPERLESS_DBHOST={{ infra_uri['postgresql']['domain'] }}"
-Environment="PAPERLESS_DBPORT={{ infra_uri['postgresql']['ports']['tcp'] }}"
+Environment="PAPERLESS_DBHOST={{ services['postgresql']['domain'] }}.{{ domain['internal'] }}"
+Environment="PAPERLESS_DBPORT={{ services['postgresql']['ports']['tcp'] }}"
 Environment="PAPERLESS_DBNAME=paperless_db"
 Environment="PAPERLESS_DBUSER=paperless"
 Environment="PAPERLESS_DBSSLMODE=verify-full"
-Environment="PAPERLESS_DBSSLROOTCERT=/etc/ssl/paperless/ilnmors_root_ca.crt"
+Environment="PAPERLESS_DBSSLROOTCERT=/etc/ssl/paperless/{{ root_cert_filename }}"
 Secret=PAPERLESS_DBPASS,type=env
 
 # OIDC
@@ -50,7 +50,7 @@ Environment="PAPERLESS_SOCIALACCOUNT_ALLOW_SIGNUPS=true"
 Secret=PAPERLESS_SOCIALACCOUNT_PROVIDERS,type=env
 
 [Service]
-ExecStartPre=/usr/bin/nc -zv {{ infra_uri['postgresql']['domain'] }} {{ infra_uri['postgresql']['ports']['tcp'] }}
+ExecStartPre=/usr/bin/nc -zv {{ services['postgresql']['domain'] }}.{{ domain['internal'] }} {{ services['postgresql']['ports']['tcp'] }}
 Restart=always
 RestartSec=10s
 TimeoutStopSec=120

config/services/containers/app/redis/redis.conf.j2

@@ -1,4 +1,4 @@
 databases 16
 bind 0.0.0.0
-port {{ hostvars['app']['redis'][redis_service] }}
+port 6379
 protected-mode no

config/services/containers/app/redis/redis.container.j2

@@ -13,7 +13,7 @@ Image=docker.io/library/redis:{{ version['containers']['redis'] }}
 ContainerName=redis_{{ redis_service }}
 HostName=redis_{{ redis_service }}
 
-PublishPort={{ hostvars['app']['redis'][redis_service] }}:{{ hostvars['app']['redis'][redis_service] }}
+PublishPort={{ services[redis_service]['ports']['redis'] }}:6379
 
 Volume=%h/containers/redis/{{ redis_service }}/data:/data:rw
 Volume=%h/containers/redis/{{ redis_service }}/redis.conf:/usr/local/etc/redis/redis.conf:ro

config/services/containers/app/sure/sure-web.container.j2

@@ -0,0 +1,67 @@
+[Quadlet]
+DefaultDependencies=false
+
+[Unit]
+Description=Sure Web
+
+After=network-online.target redis_sure.service
+Wants=network-online.target redis_sure.service
+
+[Container]
+Image=ghcr.io/we-promise/sure:{{ version['containers']['sure'] }}
+ContainerName=sure-web
+HostName=sure-web
+
+PublishPort={{ services['sure']['ports']['http'] }}:3000/tcp
+
+Volume=%h/data/containers/sure/storage:/rails/storage:rw
+Volume=%h/containers/sure/ssl:/etc/ssl/sure:ro
+
+# General
+Environment="TZ=Asia/Seoul"
+Environment="SELF_HOSTED=true"
+Environment="ONBOARDING_STATE=closed"
+Environment="RAILS_FORCE_SSL=false"
+Environment="RAILS_ASSUME_SSL=true"
+Environment="APP_DOMAIN={{ services['sure']['domain']['public'] }}.{{ domain['public'] }}"
+Secret=SURE_SECRET_KEY_BASE,type=env,target=SECRET_KEY_BASE
+
+# PostgreSQL
+Environment="POSTGRES_USER=sure"
+Environment="POSTGRES_DB=sure_db"
+Environment="DB_HOST={{ services['postgresql']['domain'] }}.{{ domain['internal'] }}"
+Environment="DB_PORT={{ services['postgresql']['ports']['tcp'] }}"
+Environment="PGSSLMODE=verify-full"
+Environment="PGSSLROOTCERT=/etc/ssl/sure/{{ root_cert_filename }}"
+Secret=SURE_POSTGRES_PASSWORD,type=env,target=POSTGRES_PASSWORD
+
+# Redis
+Environment="REDIS_URL=redis://host.containers.internal:{{ services['sure']['ports']['redis'] }}/1"
+
+# OIDC - Authelia
+Environment="OIDC_CLIENT_ID=sure"
+Environment="OIDC_ISSUER=https://{{ services['authelia']['domain'] }}.{{ domain['public'] }}"
+Environment="OIDC_REDIRECT_URI=https://{{ services['sure']['domain']['public'] }}.{{ domain['public'] }}/auth/openid_connect/callback"
+Secret=SURE_OIDC_CLIENT_SECRET,type=env,target=OIDC_CLIENT_SECRET
+Environment="OIDC_BUTTON_LABEL=Sign in with Authelia"
+Environment="AUTH_JIT_MODE=create_and_link"
+# email's domain, e.g. ilnmors.internal then only user@ilnmors.internal is allowed to sign-up
+Environment="ALLOWED_OIDC_DOMAINS="
+
+# WebAuthn / Passkey
+Environment="WEBAUTHN_RP_ID={{ domain['public'] }}"
+Environment="WEBAUTHN_ALLOWED_ORIGINS=https://{{ services['sure']['domain']['public'] }}.{{ domain['public'] }}"
+
+# Provider
+## Currency
+Environment="EXCHANGE_RATE_PROVIDER=yahoo_finance"
+Environment="SECURITIES_PROVIDER=yahoo_finance"
+
+[Service]
+ExecStartPre=/usr/bin/nc -zv {{ services['postgresql']['domain'] }}.{{ domain['internal'] }} {{ services['postgresql']['ports']['tcp'] }}
+Restart=always
+RestartSec=10s
+TimeoutStopSec=120
+
+[Install]
+WantedBy=default.target

config/services/containers/app/sure/sure-worker.container.j2

@@ -0,0 +1,67 @@
+[Quadlet]
+DefaultDependencies=false
+
+[Unit]
+Description=Sure Worker
+
+After=network-online.target redis_sure.service
+Wants=network-online.target redis_sure.service
+
+[Container]
+Image=ghcr.io/we-promise/sure:{{ version['containers']['sure'] }}
+ContainerName=sure-worker
+HostName=sure-worker
+
+Volume=%h/data/containers/sure/storage:/rails/storage:rw
+Volume=%h/containers/sure/ssl:/etc/ssl/sure:ro
+
+Exec=bundle exec sidekiq
+
+# General
+Environment="TZ=Asia/Seoul"
+Environment="SELF_HOSTED=true"
+Environment="ONBOARDING_STATE=closed"
+Environment="RAILS_FORCE_SSL=false"
+Environment="RAILS_ASSUME_SSL=true"
+Environment="APP_DOMAIN={{ services['sure']['domain']['public'] }}.{{ domain['public'] }}"
+Secret=SURE_SECRET_KEY_BASE,type=env,target=SECRET_KEY_BASE
+
+# PostgreSQL
+Environment="POSTGRES_USER=sure"
+Environment="POSTGRES_DB=sure_db"
+Environment="DB_HOST={{ services['postgresql']['domain'] }}.{{ domain['internal'] }}"
+Environment="DB_PORT={{ services['postgresql']['ports']['tcp'] }}"
+Environment="PGSSLMODE=verify-full"
+Environment="PGSSLROOTCERT=/etc/ssl/sure/{{ root_cert_filename }}"
+Secret=SURE_POSTGRES_PASSWORD,type=env,target=POSTGRES_PASSWORD
+
+# Redis
+Environment="REDIS_URL=redis://host.containers.internal:{{ services['sure']['ports']['redis'] }}/1"
+
+# OIDC - Authelia
+Environment="OIDC_CLIENT_ID=sure"
+Environment="OIDC_ISSUER=https://{{ services['authelia']['domain'] }}.{{ domain['public'] }}"
+Environment="OIDC_REDIRECT_URI=https://{{ services['sure']['domain']['public'] }}.{{ domain['public'] }}/auth/openid_connect/callback"
+Secret=SURE_OIDC_CLIENT_SECRET,type=env,target=OIDC_CLIENT_SECRET
+Environment="OIDC_BUTTON_LABEL=Sign in with Authelia"
+Environment="AUTH_JIT_MODE=create_and_link"
+# email's domain, e.g. ilnmors.internal then only user@ilnmors.internal is allowed to sign-up
+Environment="ALLOWED_OIDC_DOMAINS="
+
+# WebAuthn / Passkey
+Environment="WEBAUTHN_RP_ID={{ domain['public'] }}"
+Environment="WEBAUTHN_ALLOWED_ORIGINS=https://{{ services['sure']['domain']['public'] }}.{{ domain['public'] }}"
+
+# Provider
+## Currency
+Environment="EXCHANGE_RATE_PROVIDER=yahoo_finance"
+Environment="SECURITIES_PROVIDER=yahoo_finance"
+
+[Service]
+ExecStartPre=/usr/bin/nc -zv {{ services['postgresql']['domain'] }}.{{ domain['internal'] }} {{ services['postgresql']['ports']['tcp'] }}
+Restart=always
+RestartSec=10s
+TimeoutStopSec=120
+
+[Install]
+WantedBy=default.target

config/services/containers/app/trilium/trilium.container.j2

@@ -0,0 +1,46 @@
+[Quadlet]
+DefaultDependencies=false
+
+[Unit]
+Description=trilium
+
+After=network-online.target
+Wants=network-online.target
+
+[Container]
+Image=docker.io/triliumnext/trilium:{{ version['containers']['trilium'] }}
+
+ContainerName=trilium
+HostName=trilium
+
+PublishPort={{ services['trilium']['ports']['http'] }}:8080/tcp
+
+Volume=%h/data/containers/trilium/data:/home/node/trilium-data:rw
+
+# General
+Environment="TZ=Asia/Seoul"
+Environment="TRILIUM_DATA_DIR=/home/node/trilium-data"
+Environment="TRILIUM_NO_UPLOAD_LIMIT=true"
+
+# OIDC
+## Short Alias doesn't work now.
+#Environment="TRILIUM_OAUTH_BASE_URL=https://{{ services['trilium']['domain']['public'] }}.{{ domain['public'] }}"
+#Environment="TRILIUM_OAUTH_CLIENT_ID=trilium"
+#Environment="TRILIUM_OAUTH_ISSUER_BASE_URL=https://{{ services['authelia']['domain'] }}.{{ domain['public'] }}"
+#Environment="TRILIUM_OAUTH_ISSUER_NAME=Authelia"
+#Environment="TRILIUM_OAUTH_ISSUER_ICON=https://www.authelia.com/images/branding/logo-cropped.png"
+#Secret="TRILIUM_OAUTH_CLIENT_SECRET",type=env
+Environment="TRILIUM_MULTIFACTORAUTHENTICATION_OAUTHBASEURL=https://{{ services['trilium']['domain']['public'] }}.{{ domain['public'] }}"
+Environment="TRILIUM_MULTIFACTORAUTHENTICATION_OAUTHCLIENTID=trilium"
+Environment="TRILIUM_MULTIFACTORAUTHENTICATION_OAUTHISSUERBASEURL=https://{{ services['authelia']['domain'] }}.{{ domain['public'] }}"
+Environment="TRILIUM_MULTIFACTORAUTHENTICATION_OAUTHISSUERNAME=Authelia"
+Environment="TRILIUM_MULTIFACTORAUTHENTICATION_OAUTHISSUERICON=https://www.authelia.com/images/branding/logo-cropped.png"
+Secret="TRILIUM_OAUTH_CLIENT_SECRET",type=env,target=TRILIUM_MULTIFACTORAUTHENTICATION_OAUTHCLIENTSECRET
+
+[Service]
+Restart=always
+RestartSec=10s
+TimeoutStopSec=120
+
+[Install]
+WantedBy=default.target

config/services/containers/app/vaultwarden/vaultwarden.container.j2

@@ -13,19 +13,19 @@ Image=docker.io/vaultwarden/server:{{ version['containers']['vaultwarden'] }}
 ContainerName=vaultwarden
 HostName=vaultwarden
 
-PublishPort=8000:80/tcp
+PublishPort={{ services['vaultwarden']['ports']['http'] }}:80/tcp
 
 Volume=%h/data/containers/vaultwarden:/data:rw
 Volume=%h/containers/vaultwarden/ssl:/etc/ssl/vaultwarden:ro
 
 Environment="TZ=Asia/Seoul"
-Environment="DOMAIN=https://vault.ilnmors.com"
+Environment="DOMAIN=https://{{ services['vaultwarden']['domain']['public'] }}.{{ domain['public'] }}"
 Environment="SIGNUPS_ALLOWED=false"
 Secret=VW_ADMIN_TOKEN,type=env,target=ADMIN_TOKEN
 Secret=VW_DATABASE_URL,type=env,target=DATABASE_URL
 
 [Service]
-ExecStartPre=/usr/bin/nc -zv {{ infra_uri['postgresql']['domain'] }} {{ infra_uri['postgresql']['ports']['tcp'] }}
+ExecStartPre=/usr/bin/nc -zv {{ services['postgresql']['domain'] }}.{{ domain['internal'] }} {{ services['postgresql']['ports']['tcp'] }}
 Restart=always
 RestartSec=10s
 TimeoutStopSec=120

config/services/containers/app/vikunja/vikunja.container.j2

@@ -11,7 +11,7 @@ Wants=network-online.target
 Image=docker.io/vikunja/vikunja:{{ version['containers']['vikunja'] }}
 ContainerName=vikunja
 HostName=vikunja
-PublishPort=3456:3456/tcp
+PublishPort={{ services['vikunja']['ports']['http'] }}:3456/tcp
 
 # Volumes
 Volume=%h/data/containers/vikunja:/app/vikunja/files:rw
@@ -21,33 +21,34 @@ Volume=%h/containers/vikunja/ssl:/etc/ssl/vikunja:ro
 Environment="TZ=Asia/Seoul"
 Environment="VIKUNJA_DEFAULTSETTINGS_TIMEZONE=Asia/Seoul"
 Environment="VIKUNJA_SERVICE_TIMEZONE=Asia/Seoul"
-Environment="VIKUNJA_SERVICE_PUBLICURL=https://vikunja.ilnmors.com"
+Environment="VIKUNJA_SERVICE_PUBLICURL=https://{{ services['vikunja']['domain']['public'] }}.{{ domain['public'] }}"
 Environment="VIKUNJA_SERVICE_ENABLEREGISTRATION=false"
 Secret=VIKUNJA_SERVICE_JWTSECRET,type=env
 
 
 # Database
 Environment="VIKUNJA_DATABASE_TYPE=postgres"
-Environment="VIKUNJA_DATABASE_HOST={{ infra_uri['postgresql']['domain'] }}"
+Environment="VIKUNJA_DATABASE_HOST={{ services['postgresql']['domain'] }}.{{ domain['internal'] }}"
 Environment="VIKUNJA_DATABASE_USER=vikunja"
 Environment="VIKUNJA_DATABASE_DATABASE=vikunja_db"
 Environment="VIKUNJA_DATABASE_SSLMODE=verify-full"
-Environment="VIKUNJA_DATABASE_SSLROOTCERT=/etc/ssl/vikunja/ilnmors_root_ca.crt"
+Environment="VIKUNJA_DATABASE_SSLROOTCERT=/etc/ssl/vikunja/{{ root_cert_filename }}"
 Secret=VIKUNJA_DATABASE_PASSWORD,type=env
 
 
 # OIDC
 Environment="VIKUNJA_AUTH_OPENID_ENABLED=true"
 Environment="VIKUNJA_AUTH_OPENID_PROVIDERS_authelia_NAME=Authelia"
-Environment="VIKUNJA_AUTH_OPENID_PROVIDERS_authelia_AUTHURL=https://authelia.ilnmors.com"
+Environment="VIKUNJA_AUTH_OPENID_PROVIDERS_authelia_AUTHURL=https://{{ services['authelia']['domain'] }}.{{ domain['public'] }}"
 Environment="VIKUNJA_AUTH_OPENID_PROVIDERS_authelia_CLIENTID=vikunja"
 # Environment="VIKUNJA_AUTH_OPENID_PROVIDERS_authelia_SCOPE=" default value = openid email profile
-Environment="VIKUNJA_AUTH_OPENID_PROVIDERS_authelia_USERNAMEFALLBACK=true"
-Environment="VIKUNJA_AUTH_OPENID_PROVIDERS_authelia_EMAILFALLBACK=true"
+# Vikunja doesn't support OIDC and local dual login.
+# Environment="VIKUNJA_AUTH_OPENID_PROVIDERS_authelia_USERNAMEFALLBACK=true"
+# Environment="VIKUNJA_AUTH_OPENID_PROVIDERS_authelia_EMAILFALLBACK=true"
 Secret=VIKUNJA_AUTH_OPENID_PROVIDERS_authelia_CLIENTSECRET,type=env
 
 [Service]
-ExecStartPre=/usr/bin/nc -zv {{ infra_uri['postgresql']['domain'] }} {{ infra_uri['postgresql']['ports']['tcp'] }}
+ExecStartPre=/usr/bin/nc -zv {{ services['postgresql']['domain'] }}.{{ domain['internal'] }} {{ services['postgresql']['ports']['tcp'] }}
 Restart=always
 RestartSec=10s
 TimeoutStopSec=120

config/services/containers/app/wikijs/wikijs.container.j2

@@ -0,0 +1,41 @@
+[Quadlet]
+DefaultDependencies=false
+
+[Unit]
+Description=Wiki.js
+
+After=network-online.target
+Wants=network-online.target
+
+[Container]
+Image=ghcr.io/requarks/wiki:{{ version['containers']['wikijs'] }}
+ContainerName=wikijs
+HostName=wikijs
+PublishPort={{ services['wikijs']['ports']['http'] }}:3000/tcp
+
+# Volumes
+Volume=%h/data/containers/wikijs/data:/wiki/data:rw
+Volume=%h/data/containers/wikijs/export:/wiki/export:rw
+Volume=%h/containers/wikijs/ssl:/etc/ssl/wiki:ro
+
+# General
+Environment="TZ=Asia/Seoul"
+
+# Database
+Environment="DB_TYPE=postgres"
+Environment="DB_HOST={{ services['postgresql']['domain'] }}.{{ domain['internal'] }}"
+Environment="DB_PORT={{ services['postgresql']['ports']['tcp'] }}"
+Environment="DB_USER=wikijs"
+Environment="DB_NAME=wikijs_db"
+Environment="DB_SSL=true"
+Environment="NODE_EXTRA_CA_CERTS=/etc/ssl/wiki/{{ root_cert_filename }}"
+Secret=WIKIJS_DB_PASS,type=env,target=DB_PASS
+
+[Service]
+ExecStartPre=/usr/bin/nc -zv {{ services['postgresql']['domain'] }}.{{ domain['internal'] }} {{ services['postgresql']['ports']['tcp'] }}
+Restart=always
+RestartSec=10s
+TimeoutStopSec=120
+
+[Install]
+WantedBy=default.target

config/services/containers/auth/authelia/authelia.container.j2

@@ -15,7 +15,7 @@ ContainerName=authelia
 HostName=authelia
 
 # Web UI
-PublishPort=9091:9091/tcp
+PublishPort={{ services['authelia']['ports']['http'] }}:9091/tcp
 
 
 Volume=%h/containers/authelia/config:/config:rw
@@ -56,8 +56,9 @@ Exec=--config /config/authelia.yaml
 # Wait for dependency
 # They run as rootless podman container, so their port is not opened until they are normaly running
 # Check their ports with nc command 
-ExecStartPre=/usr/bin/nc -zv {{ infra_uri['postgresql']['domain'] }} {{ infra_uri['postgresql']['ports']['tcp'] }}
-ExecStartPre=/usr/bin/nc -zv {{ infra_uri['ldap']['domain'] }} {{ infra_uri['ldap']['ports']['ldaps'] }}
+ExecStartPre=/usr/bin/nc -zv {{ services['postgresql']['domain'] }}.{{ domain['internal'] }} {{ services['postgresql']['ports']['tcp'] }}
+# services['ldap']['ports']['ldaps'] is 6360, but nftables works on 636 the original port
+ExecStartPre=/usr/bin/nc -zv {{ services['ldap']['domain'] }}.{{ domain['internal'] }} 636
 ExecStartPre=sleep 5
 Restart=always
 RestartSec=10s

config/services/containers/auth/authelia/config/authelia.yaml.j2

@@ -10,7 +10,7 @@ theme: 'auto'
 # Server configuration
 server:
   # TLS will be applied on caddy
-  address: 'tcp://:9091/'
+  address: 'tcp://:{{ services['authelia']['ports']['http'] }}/'
 
 # Log configuration
 log:
@@ -20,7 +20,7 @@ log:
 # TOTP configuration
 totp:
   # issure option is for 2FA app. It works as identifier. "My homelab' or 'ilnmors.internal', 'Authelia - ilnmors'
-  issuer: 'ilnmors.internal'
+  issuer: '{{ domain['internal'] }}'
 
 # Identity validation confituration
 identity_validation:
@@ -31,21 +31,21 @@ identity_validation:
 authentication_backend:
   ldap:
     # ldaps uses 636 -> NAT automatically change port 636 in output packet -> 2636 which lldap server uses.
-    address: 'ldaps://ldap.ilnmors.internal'
+    address: 'ldaps://{{ services['ldap']['domain'] }}.{{ domain['internal'] }}'
     implementation: 'lldap'
-    # tls configruation, it uses certificates_directory's /etc/ssl/authelia/ilnmors_root_ca.crt
+    # tls configruation, it uses certificates_directory's /etc/ssl/authelia/{{ root_cert_filename }}
     tls:
-      server_name: 'ldap.ilnmors.internal'
+      server_name: '{{ services['ldap']['domain'] }}.{{ domain['internal'] }}'
       skip_verify: false
     # LLDAP base DN
-    base_dn: 'dc=ilnmors,dc=internal'
+    base_dn: '{{ domain['dc'] }}'
     additional_users_dn: 'ou=people'
     additional_groups_dn: 'ou=groups'
     # LLDAP filters
     users_filter: '(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))'
     groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
     # LLDAP bind account configuration
-    user: 'uid=authelia,ou=people,dc=ilnmors,dc=internal'
+    user: 'uid=authelia,ou=people,{{ domain['dc'] }}'
     password: '' # $AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE option is designated in container file
 
 # Access control configuration
@@ -53,14 +53,12 @@ access_control:
   default_policy: 'deny'
   rules:
     # authelia portal
-    - domain: 'authelia.ilnmors.internal'
+    - domain: '{{ services['authelia']['domain'] }}.{{ domain['public'] }}'
       policy: 'bypass'
-    - domain: 'authelia.ilnmors.com'
-      policy: 'bypass'
-    - domain: 'test.ilnmors.com'
-      policy: 'one_factor'
-      subject:
-        - 'group:admins'
+#    - domain: 'test.ilnmors.com'
+#      policy: 'one_factor'
+#      subject:
+#        - 'group:admins'
 # Session provider configuration
 session:
   secret: '' # $AUTHELIA_SESSION_SECRET_FILE  is designated in container file
@@ -68,8 +66,8 @@ session:
   inactivity: '24 hours' # Session maintains for 24 hours without actions
   cookies:
     - name: 'authelia_public_session'
-      domain: 'ilnmors.com'
-      authelia_url: 'https://authelia.ilnmors.com'
+      domain: '{{ domain['public'] }}'
+      authelia_url: 'https://{{ services['authelia']['domain'] }}.{{ domain['public'] }}'
       same_site: 'lax'
 
 # This authelia doesn't use Redis.
@@ -78,12 +76,12 @@ session:
 storage:
   encryption_key: '' # $AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE is designated in container file
   postgres:
-    address: 'tcp://{{ infra_uri['postgresql']['domain'] }}:{{ infra_uri['postgresql']['ports']['tcp'] }}'
+    address: 'tcp://{{ services['postgresql']['domain'] }}.{{ domain['internal'] }}:{{ services['postgresql']['ports']['tcp'] }}'
     database: 'authelia_db'
     username: 'authelia'
     password: '' # $AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE is designated in container file
     tls:
-      server_name: '{{ infra_uri['postgresql']['domain'] }}'
+      server_name: '{{ services['postgresql']['domain'] }}.{{ domain['internal'] }}'
       skip_verify: false
 
 # Notification provider
@@ -95,13 +93,32 @@ notifier:
 identity_providers:
   oidc:
     hmac_secret: '' # $AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE
+    claims_policies:
+      # trilium expects name/email value in id token, but authelia doesn't send it basically
+      trilium:
+        id_token:
+          - email
+          - email_verified
+          - preferred_username
+          - name
+    # For the app which doesn't use secret.
+    cors:
+      endpoints:
+        - 'authorization'
+        - 'token'
+        - 'revocation'
+        - 'introspection'
+        - 'userinfo'
+      allowed_origins:
+        - 'https://{{ services['opencloud']['domain']['public'] }}.{{ domain['public'] }}'
+      allowed_origins_from_client_redirect_uris: true
     jwks:{% raw %}
       - algorithm: 'RS256'
         use: 'sig'
         key: {{ secret "/run/secrets/AUTHELIA_JWKS_RS256" | mindent 10 "|" | msquote }}
       - algorithm: 'ES256'
         use: 'sig'
-        key: {{ secret "/run/secrets/AUTHELIA_JWKS_ES256" | mindent 10 "|" | msquote }}{% endraw %}   
+        key: {{ secret "/run/secrets/AUTHELIA_JWKS_ES256" | mindent 10 "|" | msquote }}{% endraw %} 
     clients:
       # https://www.authelia.com/integration/openid-connect/clients/synology-dsm/
       - client_id: 'dsm'
@@ -117,7 +134,7 @@ identity_providers:
         require_pkce: false
         pkce_challenge_method: ''
         redirect_uris:
-          - 'https://{{ infra_uri['nas']['domain'] }}:{{ infra_uri['nas']['ports']['https'] }}'
+          - 'https://{{ services['nas']['domain'] }}.{{ domain['internal'] }}:{{ services['nas']['ports']['https'] }}'
         scopes:
           - 'openid'
           - 'profile'
@@ -140,7 +157,7 @@ identity_providers:
         require_pkce: false
         pkce_challenge_method: ''
         redirect_uris:
-          - 'https://gitea.ilnmors.com/user/oauth2/authelia/callback'
+          - 'https://{{ services['gitea']['domain']['public'] }}.{{ domain['public'] }}/user/oauth2/authelia/callback'
         scopes:
           - 'openid'
           - 'email'
@@ -161,8 +178,8 @@ identity_providers:
         require_pkce: false
         pkce_challenge_method: ''
         redirect_uris:
-          - 'https://immich.ilnmors.com/auth/login'
-          - 'https://immich.ilnmors.com/user-settings'
+          - 'https://{{ services['immich']['domain']['public'] }}.{{ domain['public'] }}/auth/login'
+          - 'https://{{ services['immich']['domain']['public'] }}.{{ domain['public'] }}/user-settings'
           - 'app.immich:///oauth-callback'
         scopes:
           - 'openid'
@@ -184,7 +201,7 @@ identity_providers:
         require_pkce: false
         pkce_challenge_method: ''
         redirect_uris:
-          - 'https://budget.ilnmors.com/openid/callback'
+          - 'https://{{ services['actualbudget']['domain']['public'] }}.{{ domain['public'] }}/openid/callback'
         scopes:
           - 'openid'
           - 'profile'
@@ -206,7 +223,7 @@ identity_providers:
         require_pkce: true
         pkce_challenge_method: 'S256'
         redirect_uris:
-          - 'https://paperless.ilnmors.com/accounts/oidc/authelia/login/callback/'
+          - 'https://{{ services['paperless']['domain']['public'] }}.{{ domain['public'] }}/accounts/oidc/authelia/login/callback/'
         scopes:
           - 'openid'
           - 'profile'
@@ -228,7 +245,234 @@ identity_providers:
         require_pkce: false
         pkce_challenge_method: ''
         redirect_uris:
-          - 'https://vikunja.ilnmors.com/auth/openid/authelia'
+          - 'https://{{ services['vikunja']['domain']['public'] }}.{{ domain['public'] }}/auth/openid/authelia'
+        scopes:
+          - 'openid'
+          - 'profile'
+          - 'email'
+        response_types:
+          - 'code'
+        grant_types:
+          - 'authorization_code'
+        access_token_signed_response_alg: 'none'
+        userinfo_signed_response_alg: 'none'
+        token_endpoint_auth_method: 'client_secret_basic'
+      # OpenCloud configuration
+      ## https://docs.opencloud.eu/docs/admin/configuration/authentication-and-user-management/external-idp/
+      ## Web
+      - client_id: 'opencloud'
+        client_name: 'OpenCloud'
+        public: true
+        authorization_policy: 'one_factor'
+        require_pkce: true
+        pkce_challenge_method: 'S256'
+        redirect_uris:
+          - 'https://{{ services['opencloud']['domain']['public'] }}.{{ domain['public'] }}/'
+          - 'https://{{ services['opencloud']['domain']['public'] }}.{{ domain['public'] }}/oidc-callback.html'
+          - 'https://{{ services['opencloud']['domain']['public'] }}.{{ domain['public'] }}/oidc-silent-redirect.html'
+        scopes:
+          - 'openid'
+          - 'profile'
+          - 'email'
+          - 'groups'
+        response_types:
+          - 'code'
+        grant_types:
+          - 'authorization_code'
+        access_token_signed_response_alg: 'RS256'
+        userinfo_signed_response_alg: 'none'
+        token_endpoint_auth_method: 'none'
+      ## desktop
+      - client_id: 'OpenCloudDesktop'
+        client_name: 'OpenCloud'
+        public: true
+        authorization_policy: 'one_factor'
+        require_pkce: true
+        pkce_challenge_method: 'S256'
+        redirect_uris:
+          - 'http://localhost'
+          - 'http://127.0.0.1'
+        scopes:
+          - 'openid'
+          - 'profile'
+          - 'email'
+          - 'groups'
+          - 'offline_access'
+        response_types:
+          - 'code'
+        grant_types:
+          - 'authorization_code'
+          - 'refresh_token'
+        access_token_signed_response_alg: 'RS256'
+        userinfo_signed_response_alg: 'none'
+        token_endpoint_auth_method: 'none'   
+      ## Android
+      - client_id: 'OpenCloudAndroid'
+        client_name: 'OpenCloud'
+        public: true
+        authorization_policy: 'one_factor'
+        require_pkce: true
+        pkce_challenge_method: 'S256'
+        redirect_uris:
+          - 'oc://android.opencloud.eu'
+        scopes:
+          - 'openid'
+          - 'profile'
+          - 'email'
+          - 'groups'
+          - 'offline_access'
+        response_types:
+          - 'code'
+        grant_types:
+          - 'authorization_code'
+          - 'refresh_token'
+        access_token_signed_response_alg: 'RS256'
+        userinfo_signed_response_alg: 'none'
+        token_endpoint_auth_method: 'none'
+      ## IOS
+      - client_id: 'OpenCloudIOS'
+        client_name: 'OpenCloud'
+        public: true
+        authorization_policy: 'one_factor'
+        require_pkce: true
+        pkce_challenge_method: 'S256'
+        redirect_uris:
+          - 'oc://ios.opencloud.eu'
+        scopes:
+          - 'openid'
+          - 'profile'
+          - 'email'
+          - 'groups'
+          - 'offline_access'
+        response_types:
+          - 'code'
+        grant_types:
+          - 'authorization_code'
+          - 'refresh_token'
+        access_token_signed_response_alg: 'RS256'
+        userinfo_signed_response_alg: 'none'
+        token_endpoint_auth_method: 'none'
+      # https://docs.affine.pro/self-host-affine/administer/oauth-2-0
+      - client_id: 'affine'
+        client_name: 'Affine'
+        client_secret: '{{ hostvars['console']['affine']['oidc']['hash'] }}'
+        public: false
+        authorization_policy: 'one_factor'
+        require_pkce: false
+        pkce_challenge_method: ''
+        redirect_uris:
+          - 'https://{{ services['affine']['domain']['public'] }}.{{ domain['public'] }}/oauth/callback'
+        scopes:
+          - 'openid'
+          - 'profile'
+          - 'email'
+        response_types:
+          - 'code'
+        grant_types:
+          - 'authorization_code'
+        access_token_signed_response_alg: 'none'
+        userinfo_signed_response_alg: 'none'
+        token_endpoint_auth_method: 'client_secret_post'
+      # https://www.authelia.com/integration/openid-connect/clients/nextcloud/#openid-connect-user-backend-app
+      - client_id: 'nextcloud'
+        client_name: 'Nextcloud'
+        client_secret: '{{ hostvars['console']['nextcloud']['oidc']['hash'] }}'
+        public: false
+        authorization_policy: 'one_factor'
+        require_pkce: true
+        pkce_challenge_method: 'S256'
+        redirect_uris:
+          - 'https://{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}/apps/user_oidc/code'
+        scopes:
+          - 'openid'
+          - 'profile'
+          - 'email'
+          - 'groups'
+        response_types:
+          - 'code'
+        grant_types:
+          - 'authorization_code'
+        access_token_signed_response_alg: 'none'
+        userinfo_signed_response_alg: 'none'
+        token_endpoint_auth_method: 'client_secret_post'
+      # https://www.authelia.com/integration/openid-connect/clients/ezbookkeeping/
+      - client_id: 'ezbookkeeping'
+        client_name: 'ezBookkeeping'
+        client_secret: '{{ hostvars['console']['ezbookkeeping']['oidc']['hash'] }}'
+        public: false
+        authorization_policy: 'one_factor'
+        require_pkce: true
+        pkce_challenge_method: 'S256'
+        redirect_uris:
+          - 'https://{{ services['ezbookkeeping']['domain']['public'] }}.{{ domain['public'] }}/oauth2/callback'
+        scopes:
+          - 'openid'
+          - 'profile'
+          - 'email'
+        response_types:
+          - 'code'
+        grant_types:
+          - 'authorization_code'
+        access_token_signed_response_alg: 'none'
+        userinfo_signed_response_alg: 'none'
+        token_endpoint_auth_method: 'client_secret_basic'
+      # https://www.authelia.com/integration/openid-connect/clients/sure/
+      - client_id: 'sure'
+        client_name: 'Sure'
+        client_secret: '{{ hostvars['console']['sure']['oidc']['hash'] }}'
+        public: false
+        authorization_policy: 'one_factor'
+        require_pkce: true
+        pkce_challenge_method: 'S256'
+        redirect_uris:
+          - 'https://{{ services['sure']['domain']['public'] }}.{{ domain['public'] }}/auth/openid_connect/callback'
+        scopes:
+          - 'openid'
+          - 'email'
+          - 'profile'
+          - 'groups'
+        response_types:
+          - 'code'
+        grant_types:
+          - 'authorization_code'
+        access_token_signed_response_alg: 'none'
+        userinfo_signed_response_alg: 'none'
+        token_endpoint_auth_method: 'client_secret_basic'
+      # https://www.authelia.com/integration/openid-connect/clients/wikijs/
+      - client_id: 'wikijs'
+        client_name: 'Wiki'
+        client_secret: '{{ hostvars['console']['wikijs']['oidc']['hash'] }}'
+        public: false
+        authorization_policy: 'one_factor'
+        require_pkce: false
+        pkce_challenge_method: ''
+        redirect_uris:
+          # add Callback URL / Redirect URI HERE
+          - 'https://{{ services['wikijs']['domain']['public'] }}.{{ domain['public'] }}/login/aa72242e-7058-4cfa-9504-19a4208062ea/callback'  # Note this must be copied during step 7 of the Application configuration.
+        scopes:
+          - 'openid'
+          - 'profile'
+          - 'email'
+        response_types:
+          - 'code'
+        grant_types:
+          - 'authorization_code'
+        access_token_signed_response_alg: 'none'
+        userinfo_signed_response_alg: 'none'
+        token_endpoint_auth_method: 'client_secret_post'
+      # https://www.authelia.com/integration/openid-connect/clients/trillium/
+      # The name is trilium, not trillium
+      - client_id: 'trilium'
+        client_name: 'Trilium Notes'
+        client_secret: '{{ hostvars['console']['trilium']['oidc']['hash'] }}'
+        public: false
+        authorization_policy: 'one_factor'
+        # claims policy above
+        claims_policy: 'trilium'
+        require_pkce: false
+        pkce_challenge_method: ''
+        redirect_uris:
+          - 'https://{{ services['trilium']['domain']['public'] }}.{{ domain['public'] }}/callback'
         scopes:
           - 'openid'
           - 'profile'

config/services/containers/common/caddy/build/caddy.containerfile.j2

@@ -12,6 +12,6 @@ RUN xcaddy build \
 FROM docker.io/library/caddy:{{ version['containers']['caddy'] }}
 
 COPY --from=builder /usr/bin/caddy /usr/bin/caddy
-COPY ./ilnmors_root_ca.crt /usr/local/share/ca-certificates/ilnmors_root_ca.crt
+COPY ./{{ root_cert_filename }} /usr/local/share/ca-certificates/{{ root_cert_filename }}
 
 RUN update-ca-certificates

config/services/containers/common/caddy/caddy.container.j2

@@ -14,18 +14,18 @@ Wants=network-online.target
 
 
 [Container]
-Image=ilnmors.internal/{{ node['name'] }}/caddy:{{ version['containers']['caddy'] }}
+Image={{ domain['internal'] }}/{{ node['name'] }}/caddy:{{ version['containers']['caddy'] }}
 
 ContainerName=caddy_{{ node['name'] }}
 HostName=caddy_{{ node['name'] }}
 {% if node['name'] == 'infra' %}
-AddHost={{ infra_uri['ca']['domain'] }}:host-gateway
-AddHost={{ infra_uri['prometheus']['domain'] }}:host-gateway
-AddHost={{ infra_uri['loki']['domain'] }}:host-gateway
+AddHost={{ services['ca']['domain'] }}.{{ domain['internal'] }}:host-gateway
+AddHost={{ services['prometheus']['domain'] }}.{{ domain['internal'] }}:host-gateway
+AddHost={{ services['loki']['domain'] }}.{{ domain['internal'] }}:host-gateway
 {% endif %}
 
-PublishPort=2080:80/tcp
-PublishPort=2443:443/tcp
+PublishPort={{ services['caddy']['ports']['http'] }}:80/tcp
+PublishPort={{ services['caddy']['ports']['https'] }}:443/tcp
 
 Volume=%h/containers/caddy/etc:/etc/caddy:ro
 Volume=%h/containers/caddy/data:/data:rw

config/services/containers/common/caddy/etc/app/Caddyfile.j2

@@ -8,19 +8,19 @@
 (private_tls) {
         tls {
                 issuer acme {
-                        dir https://{{ infra_uri['ca']['domain'] }}:{{ infra_uri['ca']['ports']['https'] }}/acme/acme@ilnmors.internal/directory
+                        dir https://{{ services['ca']['domain'] }}.{{ domain['internal'] }}:{{ services['ca']['ports']['https'] }}/acme/acme@{{ domain['internal'] }}/directory
                         dns rfc2136 {
-                                server {{ infra_uri['bind']['domain'] }}:{{ infra_uri['bind']['ports']['dns'] }}
+                                server {{ services['bind']['domain'] }}.{{ domain['internal'] }}:{{ services['bind']['ports']['dns'] }}
                                 key_name acme-key
                                 key_alg hmac-sha256
                                 key "{file./run/secrets/CADDY_ACME_KEY}"
                         }
-                        resolvers {{ infra_uri['bind']['domain'] }}
+                        resolvers {{ services['bind']['domain'] }}.{{ domain['internal'] }}
                 }
         }
 }
 
-app.ilnmors.internal {
+{{ node['name'] }}.{{ domain['internal'] }} {
         import private_tls
         metrics
 }
@@ -29,39 +29,87 @@ app.ilnmors.internal {
 #         root * /usr/share/caddy
 #         file_server
 # }
-vault.app.ilnmors.internal {
+{{ services['vaultwarden']['domain']['internal'] }}.{{ domain['internal'] }} {
         import private_tls
-        reverse_proxy host.containers.internal:8000 {
+        reverse_proxy host.containers.internal:{{ services['vaultwarden']['ports']['http'] }} {
                header_up Host {http.request.header.X-Forwarded-Host}
         }
 }
-gitea.app.ilnmors.internal {
+{{ services['gitea']['domain']['internal'] }}.{{ domain['internal'] }} {
         import private_tls
-        reverse_proxy host.containers.internal:3000 {
+        reverse_proxy host.containers.internal:{{ services['gitea']['ports']['http'] }} {
                header_up Host {http.request.header.X-Forwarded-Host}
         }
 }
-immich.app.ilnmors.internal {
+{{ services['immich']['domain']['internal'] }}.{{ domain['internal'] }} {
         import private_tls
-        reverse_proxy host.containers.internal:2283 {
+        reverse_proxy host.containers.internal:{{ services['immich']['ports']['http'] }} {
                 header_up Host {http.request.header.X-Forwarded-Host}
         }
 }
-budget.app.ilnmors.internal {
+{{ services['actualbudget']['domain']['internal'] }}.{{ domain['internal'] }} {
         import private_tls
-        reverse_proxy host.containers.internal:5006 {
+        reverse_proxy host.containers.internal:{{ services['actualbudget']['ports']['http'] }} {
                 header_up Host {http.request.header.X-Forwarded-Host}
         }
 }
-paperless.app.ilnmors.internal {
+{{ services['paperless']['domain']['internal'] }}.{{ domain['internal'] }} {
         import private_tls
-        reverse_proxy host.containers.internal:8001 {
+        reverse_proxy host.containers.internal:{{ services['paperless']['ports']['http'] }} {
                 header_up Host {http.request.header.X-Forwarded-Host}
         }
 }
-vikunja.app.ilnmors.internal {
+{{ services['vikunja']['domain']['internal'] }}.{{ domain['internal'] }} {
         import private_tls
-        reverse_proxy host.containers.internal:3456 {
+        reverse_proxy host.containers.internal:{{ services['vikunja']['ports']['http'] }} {
+                header_up Host {http.request.header.X-Forwarded-Host}
+        }
+}
+{{ services['opencloud']['domain']['internal'] }}.{{ domain['internal'] }} {
+        import private_tls
+        reverse_proxy host.containers.internal:{{ services['opencloud']['ports']['http'] }} {
+                header_up Host {http.request.header.X-Forwarded-Host}
+        }
+}
+{{ services['affine']['domain']['internal'] }}.{{ domain['internal'] }} {
+        import private_tls
+        reverse_proxy host.containers.internal:{{ services['affine']['ports']['http'] }} {
+                header_up Host {http.request.header.X-Forwarded-Host}
+        }
+}
+{{ services['nextcloud']['domain']['internal'] }}.{{ domain['internal'] }} {
+        import private_tls
+        reverse_proxy host.containers.internal:{{ services['nextcloud']['ports']['http'] }} {
+                header_up Host {http.request.header.X-Forwarded-Host}
+        }
+}
+{{ services['collabora']['domain']['internal'] }}.{{ domain['internal'] }} {
+        import private_tls
+        reverse_proxy host.containers.internal:{{ services['collabora']['ports']['http'] }} {
+                header_up Host {http.request.header.X-Forwarded-Host}
+        }
+}
+{{ services['ezbookkeeping']['domain']['internal'] }}.{{ domain['internal'] }} {
+        import private_tls
+        reverse_proxy host.containers.internal:{{ services['ezbookkeeping']['ports']['http'] }} {
+                header_up Host {http.request.header.X-Forwarded-Host}
+        }
+}
+{{ services['sure']['domain']['internal'] }}.{{ domain['internal'] }} {
+        import private_tls
+        reverse_proxy host.containers.internal:{{ services['sure']['ports']['http'] }} {
+                header_up Host {http.request.header.X-Forwarded-Host}
+        }
+}
+{{ services['wikijs']['domain']['internal'] }}.{{ domain['internal'] }} {
+        import private_tls
+        reverse_proxy host.containers.internal:{{ services['wikijs']['ports']['http'] }} {
+                header_up Host {http.request.header.X-Forwarded-Host}
+        }
+}
+{{ services['trilium']['domain']['internal'] }}.{{ domain['internal'] }} {
+        import private_tls
+        reverse_proxy host.containers.internal:{{ services['trilium']['ports']['http'] }} {
                 header_up Host {http.request.header.X-Forwarded-Host}
         }
 }

config/services/containers/common/caddy/etc/auth/Caddyfile.j2

@@ -1,7 +1,7 @@
 {
         # CrowdSec LAPI connection
         crowdsec {
-                api_url https://{{ infra_uri['crowdsec']['domain'] }}:{{ infra_uri['crowdsec']['ports']['https'] }} 
+                api_url https://{{ services['crowdsec']['domain'] }}.{{ domain['internal'] }}:{{ services['crowdsec']['ports']['https'] }} 
                 api_key "{file./run/secrets/CADDY_CROWDSEC_KEY}"
         }
 }
@@ -15,31 +15,31 @@
                         roll_size 100MiB
                         roll_keep 1
                 }
-        format json
+                format json
         }
 }
 # Private TLS ACME with DNS-01-challenge
 (private_tls) {
         tls {
                 issuer acme {
-                        dir https://{{ infra_uri['ca']['domain'] }}:{{ infra_uri['ca']['ports']['https'] }}/acme/acme@ilnmors.internal/directory
+                        dir https://{{ services['ca']['domain'] }}.{{ domain['internal'] }}:{{ services['ca']['ports']['https'] }}/acme/acme@{{ domain['internal'] }}/directory
                         dns rfc2136 {
-                                server {{ infra_uri['bind']['domain'] }}:{{ infra_uri['bind']['ports']['dns'] }}
+                                server {{ services['bind']['domain'] }}.{{ domain['internal'] }}:{{ services['bind']['ports']['dns'] }}
                                 key_name acme-key
                                 key_alg hmac-sha256
                                 key "{file./run/secrets/CADDY_ACME_KEY}"
                         }
-                        resolvers {{ infra_uri['bind']['domain'] }}
+                        resolvers {{ services['bind']['domain'] }}.{{ domain['internal'] }}
                 }
         }
 }
 
 # Public domain
-authelia.ilnmors.com {
+{{ services['authelia']['domain'] }}.{{ domain['public'] }} {
         import crowdsec_log
         route {
                 crowdsec
-                reverse_proxy host.containers.internal:9091
+                reverse_proxy host.containers.internal:{{ services['authelia']['ports']['http'] }}
         }
 }
 # test.ilnmors.com {
@@ -64,63 +64,135 @@ authelia.ilnmors.com {
 #                 }
 #         }
 # }
-vault.ilnmors.com {
+{{ services['vaultwarden']['domain']['public'] }}.{{ domain['public'] }} {
         import crowdsec_log
         route {
                 crowdsec
-                reverse_proxy https://vault.app.ilnmors.internal {
+                reverse_proxy https://{{ services['vaultwarden']['domain']['internal'] }}.{{ domain['internal'] }} {
                         header_up Host {http.reverse_proxy.upstream.host}
                 }
         }
 }
-gitea.ilnmors.com {
+{{ services['gitea']['domain']['public'] }}.{{ domain['public'] }} {
         import crowdsec_log
         route {
                 crowdsec
-                reverse_proxy https://gitea.app.ilnmors.internal {
+                reverse_proxy https://{{ services['gitea']['domain']['internal'] }}.{{ domain['internal'] }} {
                         header_up Host {http.reverse_proxy.upstream.host}
                 }
         }
 }
-immich.ilnmors.com {
+{{ services['immich']['domain']['public'] }}.{{ domain['public'] }} {
         import crowdsec_log
         route {
                 crowdsec
-                reverse_proxy https://immich.app.ilnmors.internal {
+                reverse_proxy https://{{ services['immich']['domain']['internal'] }}.{{ domain['internal'] }} {
                         header_up Host {http.reverse_proxy.upstream.host}
                 }
         }
 }
-budget.ilnmors.com {
+{{ services['actualbudget']['domain']['public'] }}.{{ domain['public'] }} {
         import crowdsec_log
         route {
                 crowdsec
-                reverse_proxy https://budget.app.ilnmors.internal {
+                reverse_proxy https://{{ services['actualbudget']['domain']['internal'] }}.{{ domain['internal'] }} {
                         header_up Host {http.reverse_proxy.upstream.host}
                 }
         }
 }
-paperless.ilnmors.com {
+{{ services['paperless']['domain']['public'] }}.{{ domain['public'] }} {
         import crowdsec_log
         route {
                 crowdsec
-                reverse_proxy https://paperless.app.ilnmors.internal {
+                reverse_proxy https://{{ services['paperless']['domain']['internal'] }}.{{ domain['internal'] }} {
                         header_up Host {http.reverse_proxy.upstream.host}
                 }
         }  
 }
-vikunja.ilnmors.com {
+{{ services['vikunja']['domain']['public'] }}.{{ domain['public'] }} {
         import crowdsec_log
         route {
                 crowdsec
-                reverse_proxy https://vikunja.app.ilnmors.internal {
-                        header_up HOST {http.reverse_proxy.upstream.host}
+                reverse_proxy https://{{ services['vikunja']['domain']['internal'] }}.{{ domain['internal'] }} {
+                        header_up Host {http.reverse_proxy.upstream.host}
+                }
+        }
+}
+{{ services['opencloud']['domain']['public'] }}.{{ domain['public'] }} {
+        import crowdsec_log
+        route {
+                crowdsec
+                reverse_proxy https://{{ services['opencloud']['domain']['internal'] }}.{{ domain['internal'] }} {
+                        header_up Host {http.reverse_proxy.upstream.host}
+                }
+        }
+}
+{{ services['affine']['domain']['public'] }}.{{ domain['public'] }} {
+        import crowdsec_log
+        route {
+                crowdsec
+                reverse_proxy https://{{ services['affine']['domain']['internal'] }}.{{ domain['internal'] }} {
+                        header_up Host {http.reverse_proxy.upstream.host}
+                }
+        }
+}
+{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }} {
+        import crowdsec_log
+        route {
+                crowdsec
+                reverse_proxy https://{{services['nextcloud']['domain']['internal'] }}.{{ domain['internal'] }} {
+                        header_up Host {http.reverse_proxy.upstream.host}
+                }
+        }
+}
+{{ services['collabora']['domain']['public'] }}.{{ domain['public'] }} {
+        import crowdsec_log
+        route {
+                crowdsec
+                reverse_proxy https://{{services['collabora']['domain']['internal'] }}.{{ domain['internal'] }} {
+                        header_up Host {http.reverse_proxy.upstream.host}
+                }
+        }
+}
+{{ services['ezbookkeeping']['domain']['public'] }}.{{ domain['public'] }} {
+        import crowdsec_log
+        route {
+                crowdsec
+                reverse_proxy https://{{services['ezbookkeeping']['domain']['internal'] }}.{{ domain['internal'] }} {
+                        header_up Host {http.reverse_proxy.upstream.host}
+                }
+        }
+}
+{{ services['sure']['domain']['public'] }}.{{ domain['public'] }} {
+        import crowdsec_log
+        route {
+                crowdsec
+                reverse_proxy https://{{services['sure']['domain']['internal'] }}.{{ domain['internal'] }} {
+                        header_up Host {http.reverse_proxy.upstream.host}
+                }
+        }
+}
+{{ services['wikijs']['domain']['public'] }}.{{ domain['public'] }} {
+        import crowdsec_log
+        route {
+                crowdsec
+                reverse_proxy https://{{services['wikijs']['domain']['internal'] }}.{{ domain['internal'] }} {
+                        header_up Host {http.reverse_proxy.upstream.host}
+                }
+        }
+}
+{{ services['trilium']['domain']['public'] }}.{{ domain['public'] }} {
+        import crowdsec_log
+        route {
+                crowdsec
+                reverse_proxy https://{{services['trilium']['domain']['internal'] }}.{{ domain['internal'] }} {
+                        header_up Host {http.reverse_proxy.upstream.host}
                 }
         }
 }
 
 # Internal domain
-auth.ilnmors.internal {
+{{ node['name'] }}.{{ domain['internal'] }} {
         import private_tls
         metrics
 }

config/services/containers/common/caddy/etc/infra/Caddyfile.j2

@@ -2,40 +2,40 @@
 (private_tls) {
         tls {
                 issuer acme {
-                        dir https://{{ infra_uri['ca']['domain'] }}:{{ infra_uri['ca']['ports']['https'] }}/acme/acme@ilnmors.internal/directory
+                        dir https://{{ services['ca']['domain'] }}.{{ domain['internal'] }}:{{ services['ca']['ports']['https'] }}/acme/acme@{{ domain['internal'] }}/directory
                         dns rfc2136 {
-                                server {{ infra_uri['bind']['domain'] }}:{{ infra_uri['bind']['ports']['dns'] }}
+                                server {{ services['bind']['domain'] }}.{{ domain['internal'] }}:{{ services['bind']['ports']['dns'] }}
                                 key_name acme-key
                                 key_alg hmac-sha256
                                 key "{file./run/secrets/CADDY_ACME_KEY}"
                         }
-                        resolvers {{ infra_uri['bind']['domain'] }}
+                        resolvers {{ services['bind']['domain'] }}.{{ domain['internal'] }}
                 }
         }
 }
 
-infra.ilnmors.internal {
+{{ node['name'] }}.{{ domain['internal'] }} {
         import private_tls
         metrics
 }
 
-{{ infra_uri['ldap']['domain'] }} {
+{{ services['ldap']['domain'] }}.{{ domain['internal'] }} {
         import private_tls
         route {
-            reverse_proxy host.containers.internal:{{ infra_uri['ldap']['ports']['http'] }}
+            reverse_proxy host.containers.internal:{{ services['ldap']['ports']['http'] }}
         }
 }
 
-{{ infra_uri['prometheus']['domain'] }} {
+{{ services['prometheus']['domain'] }}.{{ domain['internal'] }} {
         import private_tls
         route {
-                reverse_proxy https://{{ infra_uri['prometheus']['domain'] }}:{{ infra_uri['prometheus']['ports']['https'] }}
+                reverse_proxy https://{{ services['prometheus']['domain'] }}.{{ domain['internal'] }}:{{ services['prometheus']['ports']['https'] }}
         }
 }
 
-grafana.ilnmors.internal {
+{{ services['grafana']['domain'] }}.{{ domain['internal'] }} {
         import private_tls
         route {
-                reverse_proxy host.containers.internal:3000
+                reverse_proxy host.containers.internal:{{ services['grafana']['ports']['http'] }}
         }
 }

config/services/containers/infra/ca/ca.container.j2

@@ -13,7 +13,7 @@ Image=docker.io/smallstep/step-ca:{{ version['containers']['step'] }}
 ContainerName=ca
 HostName=ca
 
-PublishPort=9000:9000/tcp
+PublishPort={{ services['ca']['ports']['https'] }}:9000/tcp
 
 Volume=%h/containers/ca/certs:/home/step/certs:ro
 Volume=%h/containers/ca/secrets:/home/step/secrets:ro
@@ -22,14 +22,17 @@ Volume=%h/containers/ca/db:/home/step/db:rw
 Volume=%h/containers/ca/templates:/home/step/templates:rw
 
 Environment="TZ=Asia/Seoul"
-Environment="PWDPATH=/run/secrets/STEP_CA_PASSWORD"
+# Since 0.30.0, Docker CMD no longer expands PWDPATH.
+#Environment="PWDPATH=/run/secrets/STEP_CA_PASSWORD"
 
 Secret=STEP_CA_PASSWORD,target=/run/secrets/STEP_CA_PASSWORD
 
+Exec=/usr/local/bin/step-ca --password-file /run/secrets/STEP_CA_PASSWORD /home/step/config/ca.json
+
 [Service]
 Restart=always
 RestartSec=10s
 TimeoutStopSec=120
 
 [Install]
-WantedBy=default.target
+WantedBy=default.target

config/services/containers/infra/ca/config/ca.json.j2

@@ -1,12 +1,12 @@
 {
-	"root": "/home/step/certs/ilnmors_root_ca.crt",
+	"root": "/home/step/certs/{{ root_cert_filename }}",
 	"federatedRoots": null,
-	"crt": "/home/step/certs/ilnmors_intermediate_ca.crt",
-	"key": "/home/step/secrets/ilnmors_intermediate_ca.key",
+	"crt": "/home/step/certs/{{ intermediate_cert_filename }}",
+	"key": "/home/step/secrets/{{ intermediate_key_filename }}",
 	"address": ":9000",
 	"insecureAddress": "",
 	"dnsNames": [
-		"{{ infra_uri['ca']['domain'] }}"
+		"{{ services['ca']['domain'] }}.{{ domain['internal'] }}"
 	],
 	"logger": {
 		"format": "text"
@@ -21,9 +21,9 @@
 			"x509": {
 				"allow": {
 					"dns": [
-						"ilnmors.internal",
-						"*.ilnmors.internal",
-						"*.app.ilnmors.internal"
+						"{{ domain['internal'] }}",
+						"*.{{ domain['internal'] }}",
+						"*.app.{{ domain['internal'] }}"
 					]
 				},
 				"allowWildcardNames": true
@@ -32,7 +32,7 @@
 		"provisioners": [
 			{
 				"type": "ACME",
-				"name": "acme@ilnmors.internal",
+				"name": "acme@{{ domain['internal'] }}",
 				"claims": {
 					"defaultTLSCertDuration": "2160h0m0s",
 					"enableSSHCA": true,
@@ -58,5 +58,5 @@
 		"maxVersion": 1.3,
 		"renegotiation": false
 	},
-	"commonName": "ilnmors Online CA"
+	"commonName": "{{ domain['internal'] }} Online CA"
 }

config/services/containers/infra/ca/config/defaults.json.j2

@@ -1,6 +1,6 @@
 {
-	"ca-url": "https://{{ infra_uri['ca']['domain'] }}:{{ infra_uri['ca']['ports']['https'] }}",
+	"ca-url": "https://{{ services['ca']['domain'] }}.{{ domain['internal'] }}:{{ services['ca']['ports']['https'] }}",
 	"ca-config": "/home/step/config/ca.json",
 	"fingerprint": "215c851d2d0d2dbf90fc3507425207c29696ffd587c640c94a68dddb1d84d8e8",
-	"root": "/home/step/certs/ilnmors_root_ca.crt"
+	"root": "/home/step/certs/{{ root_cert_filename }}"
 }

config/services/containers/infra/grafana/etc/grafana.ini.j2

@@ -7,19 +7,19 @@ provisioning = /etc/grafana/provisioning
 
 [server]
 protocol = http
-http_port = 3000
-domain = grafana.ilnmors.internal
-root_url = http://grafana.ilnmors.internal/
+http_port = {{ services['grafana']['ports']['http'] }}
+domain = {{ services['grafana']['domain'] }}.{{ domain['internal'] }}
+root_url = http://{{ services['grafana']['domain'] }}.{{ domain['internal'] }}/
 router_logging = false
 
 [database]
 type = postgres
-host = {{ infra_uri['postgresql']['domain'] }}:{{ infra_uri['postgresql']['ports']['tcp'] }}
+host = {{ services['postgresql']['domain'] }}.{{ domain['internal'] }}:{{ services['postgresql']['ports']['tcp'] }}
 name = grafana_db
 user = grafana
 password = $__file{/run/secrets/GF_DB_PASSWORD}
 ssl_mode = verify-full
-ca_cert_path = /etc/ssl/grafana/ilnmors_root_ca.crt
+ca_cert_path = /etc/ssl/grafana/{{ root_cert_filename }}
 
 [auth.ldap]
 enabled = true

config/services/containers/infra/grafana/etc/ldap.toml.j2

@@ -1,7 +1,7 @@
 # https://github.com/lldap/lldap/blob/main/example_configs/grafana_ldap_config.toml
 [[servers]]
-host = "{{ infra_uri['ldap']['domain'] }}"
-port = {{ infra_uri['ldap']['ports']['ldaps'] }}
+host = "{{ services['ldap']['domain'] }}.{{ domain['internal'] }}"
+port = {{ services['ldap']['ports']['ldaps'] }}
 # Activate STARTTLS or LDAPS
 use_ssl = true
 # true = STARTTLS, false = LDAPS
@@ -9,16 +9,16 @@ start_tls = false
 tls_ciphers = []
 min_tls_version = ""
 ssl_skip_verify = false
-root_ca_cert = "/etc/ssl/grafana/ilnmors_root_ca.crt"
+root_ca_cert = "/etc/ssl/grafana/{{ root_cert_filename }}"
 # mTLS option, it is not needed
 # client_cert = "/path/to/client.crt"
 # client_key = "/path/to/client.key"
 
-bind_dn = "uid=grafana,ou=people,dc=ilnmors,dc=internal"
+bind_dn = "uid=grafana,ou=people,{{ domain['dc'] }}"
 bind_password = "$__file{/run/secrets/LDAP_BIND_PASSWORD}"
 
 search_filter = "(|(uid=%s)(mail=%s))"
-search_base_dns = ["dc=ilnmors,dc=internal"]
+search_base_dns = ["{{ domain['dc'] }}"]
 
 [servers.attributes]
 member_of = "memberOf"
@@ -28,20 +28,20 @@ surname = "sn"
 username = "uid"
 
 group_search_filter = "(&(objectClass=groupOfUniqueNames)(uniqueMember=%s))"
-group_search_base_dns = ["ou=groups,dc=ilnmors,dc=internal"]
+group_search_base_dns = ["ou=groups,{{ domain['dc'] }}"]
 group_search_filter_user_attribute = "uid"
 
 [[servers.group_mappings]]
-group_dn = "cn=lldap_admin,ou=groups,dc=ilnmors,dc=internal"
+group_dn = "cn=lldap_admin,ou=groups,{{ domain['dc'] }}"
 org_role = "Admin"
 grafana_admin = true
 
 [[servers.group_mappings]]
-group_dn = "cn=admins,ou=groups,dc=ilnmors,dc=internal"
+group_dn = "cn=admins,ou=groups,{{ domain['dc'] }}"
 org_role = "Editor"
 grafana_admin = false
 
 [[servers.group_mappings]]
-group_dn = "cn=users,ou=groups,dc=ilnmors,dc=internal"
+group_dn = "cn=users,ou=groups,{{ domain['dc'] }}"
 org_role = "Viewer"
 grafana_admin = false

config/services/containers/infra/grafana/etc/provisioning/datasources/datasources.yaml.j2

@@ -4,7 +4,7 @@ apiVersion: 1
 datasources:
   - name: Prometheus
     type: prometheus
-    url: https://prometheus.ilnmors.internal:9090
+    url: https://{{ services['prometheus']['domain'] }}.{{ domain['internal'] }}:{{ services['prometheus']['ports']['https'] }}
     access: proxy
     isDefault: true
     jsonData:
@@ -12,11 +12,11 @@ datasources:
       tlsAuthWithCACert: true
       httpMethod: POST
     secureJsonData:
-      tlsCACert: "$__file{/etc/ssl/grafana/ilnmors_root_ca.crt}"
+      tlsCACert: "$__file{/etc/ssl/grafana/{{ root_cert_filename }}}"
 
   - name: Loki
     type: loki
-    url: https://loki.ilnmors.internal:3100
+    url: https://{{ services['loki']['domain'] }}.{{ domain['internal'] }}:{{ services['loki']['ports']['https'] }}
     access: proxy
     jsonData:
       tlsAuth: false
@@ -25,5 +25,5 @@ datasources:
       httpHeaderName1: "X-Scope-OrgID"
       maxLines: 1000
     secureJsonData:
-      tlsCACert: "$__file{/etc/ssl/grafana/ilnmors_root_ca.crt}"
-      httpHeaderValue1: "ilnmors.internal"
+      tlsCACert: "$__file{/etc/ssl/grafana/{{ root_cert_filename }}}"
+      httpHeaderValue1: "{{ domain['internal'] }} "

config/services/containers/infra/grafana/grafana.container.j2

@@ -13,12 +13,12 @@ Image=docker.io/grafana/grafana:{{ version['containers']['grafana'] }}
 ContainerName=grafana
 HostName=grafana
 
-AddHost={{ infra_uri['postgresql']['domain'] }}:host-gateway
-AddHost={{ infra_uri['ldap']['domain'] }}:host-gateway
-AddHost={{ infra_uri['prometheus']['domain'] }}:host-gateway
-AddHost={{ infra_uri['loki']['domain'] }}:host-gateway
+AddHost={{ services['postgresql']['domain'] }}.{{ domain['internal'] }}:host-gateway
+AddHost={{ services['ldap']['domain'] }}.{{ domain['internal'] }}:host-gateway
+AddHost={{ services['prometheus']['domain'] }}.{{ domain['internal'] }}:host-gateway
+AddHost={{ services['loki']['domain'] }}.{{ domain['internal'] }}:host-gateway
 
-PublishPort=3000:3000/tcp
+PublishPort={{ services['grafana']['ports']['http'] }}:3000/tcp
 
 Volume=%h/containers/grafana/data:/var/lib/grafana:rw
 Volume=%h/containers/grafana/etc:/etc/grafana:ro

config/services/containers/infra/ldap/ldap.container.j2

@@ -13,11 +13,11 @@ Image=docker.io/lldap/lldap:{{ version['containers']['ldap'] }}
 ContainerName=ldap
 HostName=ldap
 # They are at the same host (for Pasta, it is needed)
-AddHost={{ infra_uri['postgresql']['domain'] }}:host-gateway
+AddHost={{ services['postgresql']['domain'] }}.{{ domain['internal'] }}:host-gateway
 # For LDAPS - 636 > 6360 nftables
-PublishPort=6360:6360/tcp
+PublishPort={{ services['ldap']['ports']['ldaps'] }}:6360/tcp
 # Web UI
-PublishPort=17170:17170/tcp
+PublishPort={{ services['ldap']['ports']['http'] }}:17170/tcp
 
 
 Volume=%h/containers/ldap/data:/data:rw
@@ -27,7 +27,7 @@ Volume=%h/containers/ldap/ssl:/etc/ssl/ldap:ro
 Environment="TZ=Asia/Seoul"
 
 # Domain
-Environment="LLDAP_LDAP_BASE_DN=dc=ilnmors,dc=internal"
+Environment="LLDAP_LDAP_BASE_DN={{ domain['dc'] }}"
 
 # LDAPS
 Environment="LLDAP_LDAPS_OPTIONS__ENABLED=true"

config/services/containers/infra/loki/etc/loki.yaml.j2

@@ -1,7 +1,7 @@
 ---
 server:
   http_listen_address: "::"
-  http_listen_port: 3100
+  http_listen_port: {{ services['loki']['ports']['https'] }}
   http_tls_config:
     cert_file: /etc/ssl/loki/loki.crt
     key_file: /etc/ssl/loki/loki.key

config/services/containers/infra/loki/loki.container.j2

@@ -13,7 +13,7 @@ Image=docker.io/grafana/loki:{{ version['containers']['loki'] }}
 ContainerName=loki
 HostName=loki
 
-PublishPort=3100:3100/tcp
+PublishPort={{ services['loki']['ports']['https'] }}:3100/tcp
 
 Volume=%h/containers/loki/data:/loki:rw
 Volume=%h/containers/loki/etc:/etc/loki:ro

config/services/containers/infra/postgresql/config/postgresql.conf.j2

@@ -8,11 +8,11 @@ listen_addresses = '*'
 # Max connections
 max_connections = 250
 # listen_port
-port = 5432
+port = {{ services['postgresql']['ports']['tcp'] }}
 
 # SSL
 ssl = on
-ssl_ca_file = '/etc/ssl/postgresql/ilnmors_root_ca.crt'
+ssl_ca_file = '/etc/ssl/postgresql/{{ root_cert_filename }}'
 ssl_cert_file = '/etc/ssl/postgresql/postgresql.crt'
 ssl_key_file = '/etc/ssl/postgresql/postgresql.key'
 ssl_ciphers = 'HIGH:!aNULL:!MD5'

config/services/containers/infra/postgresql/postgresql.container.j2

@@ -8,12 +8,12 @@ After=network-online.target
 Wants=network-online.target
 
 [Container]
-Image=ilnmors.internal/{{ node['name'] }}/postgres:pg{{ version['containers']['postgresql'] }}-vectorchord{{ version['containers']['vectorchord'] }}
+Image={{ domain['internal'] }}/{{ node['name'] }}/postgres:pg{{ version['containers']['postgresql'] }}-vectorchord{{ version['containers']['vectorchord'] }}
 
 ContainerName=postgresql
 HostName=postgresql
 
-PublishPort=5432:5432/tcp
+PublishPort={{ services['postgresql']['ports']['tcp'] }}:5432/tcp
 
 Volume=%h/containers/postgresql/data:/var/lib/postgresql:rw
 Volume=%h/containers/postgresql/config:/config:ro

config/services/containers/infra/prometheus/etc/prometheus.yaml.j2

@@ -23,8 +23,8 @@ scrape_configs:
     # metrics_path defaults to '/metrics'
     scheme: "https"
     tls_config:
-      ca_file: "/etc/ssl/prometheus/ilnmors_root_ca.crt"
-      server_name: "{{ infra_uri['prometheus']['domain'] }}"
+      ca_file: "/etc/ssl/prometheus/{{ root_cert_filename }}"
+      server_name: "{{ services['prometheus']['domain'] }}.{{ domain['internal'] }}"
     static_configs:
       - targets: ["localhost:9090"]
        # The label name is added as a label `label_name=<label_value>` to any timeseries scraped from this config.

config/services/containers/infra/prometheus/prometheus.container.j2

@@ -13,7 +13,7 @@ Image=docker.io/prom/prometheus:{{ version['containers']['prometheus'] }}
 ContainerName=prometheus
 HostName=prometheus
 
-PublishPort=9090:9090/tcp
+PublishPort={{ services['prometheus']['ports']['https'] }}:9090/tcp
 
 Volume=%h/containers/prometheus/data:/prometheus:rw
 Volume=%h/containers/prometheus/etc:/etc/prometheus:ro

config/services/containers/infra/x509-exporter/config/config.yaml

@@ -0,0 +1,11 @@
+server:
+  listen: :9793
+
+sources:
+  - kind: file
+    name: homelab-certs
+    paths:
+      - /certs/*.crt
+      - /certs/*.pem
+      - /certs/*.cer
+    refreshInterval: 1m

config/services/containers/infra/x509-exporter/x509-exporter.container.j2

@@ -11,11 +11,12 @@ Image=docker.io/enix/x509-certificate-exporter:{{ version['containers']['x509-ex
 ContainerName=x509-exporter
 HostName=X509-exporter
 
+Volume=%h/containers/x509-exporter/config/config.yaml:/etc/config.yaml:ro
 Volume=%h/containers/x509-exporter/certs:/certs:ro
 
-PublishPort=9793:9793
+PublishPort={{ services['x509-exporter']['ports']['http'] }}:9793
 
-Exec=--listen-address :9793 --watch-dir=/certs
+Exec=--config /etc/config.yaml
 
 [Service]
 Restart=always

config/services/systemd/app/btrfs/btrfs-scrub.service.j2

@@ -0,0 +1,10 @@
+[Unit]
+Description=BTRFS auto scrub
+ConditionPathIsMountPoint={{ storage['btrfs']['mount_point'] }}
+RequiresMountsFor={{ storage['btrfs']['mount_point'] }}
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/btrfs scrub start -Bd {{ storage['btrfs']['mount_point'] }}
+Nice=19
+IOSchedulingClass=idle

config/services/systemd/app/btrfs/btrfs-scrub.timer.j2

@@ -0,0 +1,10 @@
+[Unit]
+Description=Monthly BTRFS auto scrub 
+
+[Timer]
+OnCalendar=*-*-01 04:00:00
+Persistent=true
+RandomizedDelaySec=300
+
+[Install]
+WantedBy=timers.target