fix(crowdsec): update whitelist.yaml to prevent false positive

false positive: - chunk problems (crowdsecurity/http-crawl-non_statics) - directory upload 404 problem (crowdsecurity/http-probing)
docs(issues): fix crowdsec command 'cscli decision list' to 'cscli decision delete'
2026-05-02 20:38:48 +09:00 · 2026-05-02 19:46:51 +09:00 · 2026-05-02 19:22:05 +09:00 · 2026-04-30 10:03:33 +09:00 · 2026-04-30 10:01:18 +09:00 · 2026-04-30 09:56:22 +09:00
48 changed files with 1535 additions and 62 deletions
@@ -131,21 +131,46 @@ services:
    ports:
      http: "3456"
    subuid: "100999"
  opencloud:
    domain:
      public: "opencloud"
      internal: "opencloud.app"
    ports:
      http: "9200"
    subuid: "100999"
  manticore:
    subuid: "100998"
  affine:
    domain:
      public: "affine"
      internal: "affine.app"
    ports:
      http: "3010"
      redis: "6381"
      manticore: "9308"
  nextcloud:
    domain:
      public: "nextcloud"
      internal: "nextcloud.app"
    ports:
      http: "8002"
      redis: "6382"
    subuid: "100032"
 version:
  packages:
    sops: "3.12.1"
-    step: "0.29.0"
+    step: "0.30.2"
    kopia: "0.22.3"
-    blocky: "0.28.2"
+    blocky: "0.29.0"
    alloy: "1.13.0"
  containers:
    # common
-    caddy: "2.10.2"
+    caddy: "2.11.2"
    # infra
-    step: "0.29.0"
+    step: "0.30.2"
    ldap: "v0.6.2"
-    x509-exporter: "3.19.1"
+    x509-exporter: "3.21.0"
    prometheus: "v3.9.1"
    loki: "3.6.5"
    grafana: "12.3.3"
@@ -155,12 +180,16 @@ version:
 #    pgvector: "v0.8.1"
    vectorchord: "0.5.3"
    # Auth
-    authelia: "4.39.15"
+    authelia: "4.39.19"
    # App
-    vaultwarden: "1.35.4"
+    vaultwarden: "1.35.8"
-    gitea: "1.25.5"
+    gitea: "1.26.1"
    redis: "8.6.1"
-    immich: "v2.6.3"
+    immich: "v2.7.5"
    actualbudget: "26.3.0"
-    paperless: "2.20.13"
+    paperless: "2.20.15"
    vikunja: "2.2.2"
    opencloud: "4.0.6"
    manticore: "25.0.0"
    affine: "0.26.3"
    nextcloud: "33.0.3"
@@ -21,5 +21,6 @@ node:
  config_path: "{{ node.homelab_path }}/config"
  ssh_san: "console,console.ilnmors.internal"
  ssh_users: "vmm,fw,infra,auth,app"
-  local_san: "localhost console.ilnmors.internal"
+  # add the hostname of wsl, it is needed to improve the sudo problem
  local_san: "localhost console.ilnmors.internal surface"
 # ansible_python_interpreter: "{{ ansible_playbook_python }}"
@@ -209,6 +209,31 @@
          tags: ["site", "vikunja"]
      tags: ["site", "vikunja"]
    - name: Set opencloud
      ansible.builtin.include_role:
        name: "app"
        tasks_from: "services/set_opencloud"
        apply:
          tags: ["site", "opencloud"]
      tags: ["site", "opencloud"]
    - name: Set affine
      ansible.builtin.include_role:
        name: "app"
        tasks_from: "services/set_affine"
        apply:
          tags: ["site", "affine"]
      tags: ["site", "affine"]
    - name: Set nextcloud
      ansible.builtin.include_role:
        name: "app"
        tasks_from: "services/set_nextcloud"
        apply:
          tags: ["site", "nextcloud"]
      tags: ["site", "nextcloud"]
    - name: Flush handlers right now
      ansible.builtin.meta: "flush_handlers"
@@ -115,18 +115,10 @@
      become: true
      tags: ["init", "site", "install-packages"]
-    - name: Install CLI tools
+    - name: Set CLI tools
      ansible.builtin.include_role:
        name: "console"
        tasks_from: "services/set_cli_tools"
        apply:
          tags: ["init", "site", "tools"]
      tags: ["init", "site", "tools"]
    - name: Install chromium with font
      ansible.builtin.include_role:
        name: "console"
        tasks_from: "services/set_chromium"
        apply:
          tags: ["init", "site", "chromium"]
      tags: ["init", "site", "chromium"]
@@ -75,3 +75,39 @@
  changed_when: false
  listen: "notification_restart_vikunja"
  ignore_errors: true # noqa: ignore-errors
 - name: Restart opencloud
  ansible.builtin.systemd:
    name: "opencloud.service"
    state: "restarted"
    enabled: true
    daemon_reload: true
    scope: "user"
  when: is_opencloud_init.stat.exists
  changed_when: false
  listen: "notification_restart_opencloud"
  ignore_errors: true # noqa: ignore-errors
 - name: Restart affine
  ansible.builtin.systemd:
    name: "affine.service"
    state: "restarted"
    enabled: true
    daemon_reload: true
    scope: "user"
  when: is_affine_init.stat.exists
  changed_when: false
  listen: "notification_restart_affine"
  ignore_errors: true # noqa: ignore-errors
 - name: Restart nextcloud
  ansible.builtin.systemd:
    name: "nextcloud.service"
    state: "restarted"
    enabled: true
    daemon_reload: true
    scope: "user"
  when: is_nextcloud_init.stat.exists
  changed_when: false
  listen: "notification_restart_nextcloud"
  ignore_errors: true # noqa: ignore-errors
@@ -0,0 +1,163 @@
 ---
 - name: Set manticore service name
  ansible.builtin.set_fact:
    manticore_service: "affine"
 - name: Create manticore directory
  ansible.builtin.file:
    path: "{{ node['home_path'] }}/{{ item }}"
    state: "directory"
    owner: "{{ services['manticore']['subuid'] }}"
    group: "svadmins"
    mode: "0770"
  loop:
    - "data/containers/manticore"
    - "data/containers/manticore/{{ manticore_service }}"
  become: true
 - name: Deploy manticore.container file
  ansible.builtin.template:
    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/manticore/manticore.container.j2"
    dest: "{{ node['home_path'] }}/.config/containers/systemd/manticore_{{ manticore_service }}.container"
    owner: "{{ ansible_user }}"
    group: "svadmins"
    mode: "0644"
  register: "is_manticore_containerfile"
 - name: Enable (Restart) manticore.service
  ansible.builtin.systemd:
    name: "manticore_{{ manticore_service }}.service"
    state: "restarted"
    enabled: true
    daemon_reload: true
    scope: "user"
  when: is_manticore_containerfile.changed # noqa: no-handler
 - name: Set redis service name
  ansible.builtin.set_fact:
    redis_service: "affine"
 - name: Create redis_affine directory
  ansible.builtin.file:
    path: "{{ node['home_path'] }}/{{ item }}"
    state: "directory"
    owner: "{{ services['redis']['subuid'] }}"
    group: "svadmins"
    mode: "0770"
  loop:
    - "containers/redis"
    - "containers/redis/{{ redis_service }}"
    - "containers/redis/{{ redis_service }}/data"
  become: true
 - name: Deploy redis config file
  ansible.builtin.template:
    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/redis/redis.conf.j2"
    dest: "{{ node['home_path'] }}/containers/redis/{{ redis_service }}/redis.conf"
    owner: "{{ ansible_user }}"
    group: "svadmins"
    mode: "0644"
  register: "is_redis_conf"
 - name: Deploy redis container file
  ansible.builtin.template:
    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/redis/redis.container.j2"
    dest: "{{ node['home_path'] }}/.config/containers/systemd/redis_{{ redis_service }}.container"
    owner: "{{ ansible_user }}"
    group: "svadmins"
    mode: "0644"
  register: "is_redis_containerfile"
 - name: Enable (Restart) redis service
  ansible.builtin.systemd:
    name: "redis_{{ redis_service }}.service"
    state: "restarted"
    enabled: true
    daemon_reload: true
    scope: "user"
  when: is_redis_conf.changed or is_redis_containerfile.changed # noqa: no-handler
 - name: Create affine directory
  ansible.builtin.file:
    path: "{{ node['home_path'] }}/{{ item }}"
    state: "directory"
    owner: "{{ ansible_user }}"
    group: "svadmins"
    mode: "0770"
  loop:
    - "data/containers/affine"
    - "containers/affine"
    - "containers/affine/ssl"
    - "containers/affine/config"
 - name: Deploy root certificate
  ansible.builtin.copy:
    content: |
      {{ hostvars['console']['ca']['root']['crt'] }}
    dest: "{{ node['home_path'] }}/containers/affine/ssl/{{ root_cert_filename }}"
    owner: "{{ ansible_user }}"
    group: "svadmins"
    mode: "0440"
  notify: "notification_restart_affine"
  no_log: true
 - name: Register secret value to podman secret
  containers.podman.podman_secret:
    name: "{{ item.name }}"
    data: "{{ item.value }}"
    state: "present"
    force: true
  loop:
    - name: "AFFINE_PRIVATE_KEY"
      value: "{{ hostvars['console']['affine']['secret_key'] }}"
    - name: "AFFINE_DATABASE_URL"
      value: "postgresql://affine:{{ hostvars['console']['postgresql']['password']['affine'] | urlencode | replace('/', '%2F') }}\
        @{{ services['postgresql']['domain'] }}.{{ domain['internal'] }}/affine_db?sslmode=verify-full&\
        sslrootcert=/etc/ssl/affine/{{ root_cert_filename }}"
  notify: "notification_restart_affine"
  no_log: true
 - name: Check data directory empty
  ansible.builtin.stat:
    path: "{{ node['home_path'] }}/data/containers/affine/.init"
  register: "is_affine_init"
 - name: Initialize affine
  when: not is_affine_init.stat.exists
  block:
    - name: Execute init command (Including pulling image)
      containers.podman.podman_container:
        name: "affine_init"
        image: "ghcr.io/toeverything/affine:{{ version['containers']['affine'] }}"
        command: ['sh', '-c', 'node ./scripts/self-host-predeploy.js']
        state: "started"
        rm: true
        detach: false
        secrets:
          - "AFFINE_DATABASE_URL,type=env,target=DATABASE_URL"
      no_log: true
    - name: Create .init file
      ansible.builtin.file:
        path: "{{ node['home_path'] }}/data/containers/affine/.init"
        state: "touch"
        mode: "0644"
        owner: "{{ ansible_user }}"
        group: "svadmins"
 - name: Deploy affine.container file
  ansible.builtin.template:
    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/affine/affine.container.j2"
    dest: "{{ node['home_path'] }}/.config/containers/systemd/affine.container"
    owner: "{{ ansible_user }}"
    group: "svadmins"
    mode: "0644"
  notify: "notification_restart_affine"
 - name: Enable affine.service
  ansible.builtin.systemd:
    name: "affine.service"
    state: "started"
    enabled: true
    daemon_reload: true
    scope: "user"
@@ -0,0 +1,176 @@
 ---
 - name: Set redis service name
  ansible.builtin.set_fact:
    redis_service: "nextcloud"
 - name: Create redis_nextcloud directory
  ansible.builtin.file:
    path: "{{ node['home_path'] }}/{{ item }}"
    state: "directory"
    owner: "{{ services['redis']['subuid'] }}"
    group: "svadmins"
    mode: "0770"
  loop:
    - "containers/redis"
    - "containers/redis/{{ redis_service }}"
    - "containers/redis/{{ redis_service }}/data"
  become: true
 - name: Deploy redis config file
  ansible.builtin.template:
    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/redis/redis.conf.j2"
    dest: "{{ node['home_path'] }}/containers/redis/{{ redis_service }}/redis.conf"
    owner: "{{ ansible_user }}"
    group: "svadmins"
    mode: "0644"
  register: "is_redis_conf"
 - name: Deploy redis container file
  ansible.builtin.template:
    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/redis/redis.container.j2"
    dest: "{{ node['home_path'] }}/.config/containers/systemd/redis_{{ redis_service }}.container"
    owner: "{{ ansible_user }}"
    group: "svadmins"
    mode: "0644"
  register: "is_redis_containerfile"
 - name: Enable (Restart) redis service
  ansible.builtin.systemd:
    name: "redis_{{ redis_service }}.service"
    state: "restarted"
    enabled: true
    daemon_reload: true
    scope: "user"
  when: is_redis_conf.changed or is_redis_containerfile.changed # noqa: no-handler
 - name: Create nextcloud directory
  ansible.builtin.file:
    path: "{{ node['home_path'] }}/{{ item }}"
    state: "directory"
    owner: "{{ services['nextcloud']['subuid'] }}"
    group: "svadmins"
    mode: "0770"
  loop:
    - "data/containers/nextcloud"
    - "data/containers/nextcloud/html"
    - "containers/nextcloud"
    - "containers/nextcloud/ssl"
    - "containers/nextcloud/ini"
  become: true
 - name: Check data directory empty
  ansible.builtin.stat:
    path: "{{ node['home_path'] }}/data/containers/nextcloud/.init"
  register: "is_nextcloud_init"
 - name: Deploy root certificate
  ansible.builtin.copy:
    content: |
      {{ hostvars['console']['ca']['root']['crt'] }}
    dest: "{{ node['home_path'] }}/containers/nextcloud/ssl/{{ root_cert_filename }}"
    owner: "{{ services['nextcloud']['subuid'] }}"
    group: "svadmins"
    mode: "0440"
  become: true
  notify: "notification_restart_nextcloud"
  no_log: true
 - name: Initialize nextcloud
  when: not is_nextcloud_init.stat.exists
  block:
    - name: Execute init command (Including pulling image)
      containers.podman.podman_container:
        name: "nextcloud_init"
        image: "docker.io/library/nextcloud:{{ version['containers']['nextcloud'] }}"
        command: "/bin/true"
        state: "started"
        rm: true
        detach: false
        env:
          NEXTCLOUD_UPDATE: "1"
          NEXTCLOUD_ADMIN_USER: "admin-local"
          NEXTCLOUD_ADMIN_PASSWORD: "{{ hostvars['console']['nextcloud']['admin-local']['password'] }}"
          POSTGRES_HOST: "{{ services['postgresql']['domain'] }}.{{ domain['internal'] }}:{{ services['postgresql']['ports']['tcp'] }}"
          POSTGRES_DB: "nextcloud_db"
          POSTGRES_USER: "nextcloud"
          POSTGRES_PASSWORD: "{{ hostvars['console']['postgresql']['password']['nextcloud'] }}"
          PGSSLMODE: "verify-full"
          PGSSLROOTCERT: "/etc/ssl/nextcloud/{{ root_cert_filename }}"
          PGSSLCERTMODE: "disable"
          REDIS_HOST: "host.containers.internal"
          REDIS_HOST_PORT: "{{ services['nextcloud']['ports']['redis'] }}"
        volume:
          - "{{ node['home_path'] }}/containers/nextcloud/ssl:/etc/ssl/nextcloud:ro"
          - "{{ node['home_path'] }}/data/containers/nextcloud/html:/var/www/html:rw"
      no_log: true
    - name: Create .init file
      ansible.builtin.file:
        path: "{{ node['home_path'] }}/data/containers/nextcloud/.init"
        state: "touch"
        mode: "0644"
        owner: "{{ ansible_user }}"
        group: "svadmins"
 - name: Deploy config files
  ansible.builtin.template:
    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/nextcloud/config/{{ item }}.j2"
    dest: "{{ node['home_path'] }}/data/containers/nextcloud/html/config/{{ item }}"
    owner: "{{ services['nextcloud']['subuid'] }}"
    group: "svadmins"
    mode: "0640"
  loop:
    - "background.config.php"
    - "cache.config.php"
    - "domain.config.php"
    - "local_remote.config.php"
    - "user_oidc.config.php"
  become: true
  notify: "notification_restart_nextcloud"
 - name: Deploy opcache.ini file
  ansible.builtin.copy:
    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/nextcloud/ini/{{ item }}"
    dest: "{{ node['home_path'] }}/containers/nextcloud/ini/{{ item }}"
    group: "svadmins"
    mode: "0644"
  loop:
    - "opcache.ini"
    - "upload.ini"
  notify: "notification_restart_nextcloud"
 - name: Deploy nextcloud.container file
  ansible.builtin.template:
    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/nextcloud/nextcloud.container.j2"
    dest: "{{ node['home_path'] }}/.config/containers/systemd/nextcloud.container"
    owner: "{{ ansible_user }}"
    group: "svadmins"
    mode: "0644"
  notify: "notification_restart_nextcloud"
 - name: Deploy nextcloud-cron service
  ansible.builtin.copy:
    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/nextcloud/systemd/{{ item }}"
    dest: "{{ node['home_path'] }}/.config/systemd/user/{{ item }}"
    owner: "{{ ansible_user }}"
    group: "svadmins"
    mode: "0644"
  loop:
    - "nextcloud-cron.service"
    - "nextcloud-cron.timer"
 - name: Enable nextcloud.service
  ansible.builtin.systemd:
    name: "nextcloud.service"
    state: "started"
    enabled: true
    daemon_reload: true
    scope: "user"
 - name: Enable nextcloud-cron.timer
  ansible.builtin.systemd:
    name: "nextcloud-cron.timer"
    state: "started"
    enabled: true
    daemon_reload: true
    scope: "user"
@@ -0,0 +1,76 @@
 ---
 - name: Create opencloud directory
  ansible.builtin.file:
    path: "{{ node['home_path'] }}/{{ item }}"
    state: "directory"
    owner: "{{ services['opencloud']['subuid'] }}"
    group: "svadmins"
    mode: "0770"
  loop:
    - "data/containers/opencloud"
    - "containers/opencloud"
  become: true
 - name: Check data directory empty
  ansible.builtin.stat:
    path: "{{ node['home_path'] }}/data/containers/opencloud/.init"
  become: true
  register: "is_opencloud_init"
 - name: Initialize opencloud
  when: not is_opencloud_init.stat.exists
  block:
    - name: Execute init command (Including pulling image)
      containers.podman.podman_container:
        name: "opencloud_init"
        image: "docker.io/opencloudeu/opencloud:{{ version['containers']['opencloud'] }}"
        command: "init"
        state: "started"
        rm: true
        detach: false
        env:
          IDM_ADMIN_PASSWORD: "{{ hostvars['console']['opencloud']['admin']['password'] }}"
          # Verify the certificate (Opencloud to Authelia, authelia uses let's encrypt.)
          OC_INSECURE: "true"
        volume:
          - "{{ node['home_path'] }}/containers/opencloud:/etc/opencloud:rw"
          - "{{ node['home_path'] }}/data/containers/opencloud:/var/lib/opencloud:rw"
      no_log: true
    - name: Create .init file
      ansible.builtin.file:
        path: "{{ node['home_path'] }}/data/containers/opencloud/.init"
        state: "touch"
        mode: "0644"
        owner: "{{ ansible_user }}"
        group: "svadmins"
 - name: Deploy configuration files
  ansible.builtin.template:
    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/opencloud/etc/{{ item }}.j2"
    dest: "{{ node['home_path'] }}/containers/opencloud/{{ item }}"
    owner: "{{ services['opencloud']['subuid'] }}"
    group: "svadmins"
    mode: "0640"
  loop:
    - "csp.yaml"
    - "proxy.yaml"
  become: true
  notify: "notification_restart_opencloud"
 - name: Deploy container file
  ansible.builtin.template:
    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/opencloud/opencloud.container.j2"
    dest: "{{ node['home_path'] }}/.config/containers/systemd/opencloud.container"
    owner: "{{ ansible_user }}"
    group: "svadmins"
    mode: "0644"
  notify: "notification_restart_opencloud"
 - name: Enable opencloud.service
  ansible.builtin.systemd:
    name: "opencloud.service"
    state: "started"
    enabled: true
    daemon_reload: true
    scope: "user"
@@ -15,7 +15,7 @@
    state: "directory"
    mode: "0700"
- name: Create contaienr data directory for app
+- name: Create container data directory for app
  ansible.builtin.file:
    path: "{{ node['home_path'] }}/data/containers"
    owner: "{{ ansible_user }}"
@@ -12,7 +12,7 @@
 - name: Reload postgresql
  ansible.builtin.command:
    /usr/bin/podman exec -u postgres postgresql sh -c "pg_ctl reload"
-  when: not (is_postgresql_init_run | default(false))
+  when: is_postgresql_init.stat.exists
  changed_when: false
  listen: "notification_reload_postgresql"
  ignore_errors: true # noqa: ignore-errors
@@ -24,7 +24,7 @@
    enabled: true
    daemon_reload: true
    scope: "user"
-  when: not (is_postgresql_init_run | default(false))
+  when: is_postgresql_init.stat.exists
  changed_when: false
  listen: "notification_restart_postgresql"
  ignore_errors: true # noqa: ignore-errors
@@ -73,10 +73,10 @@
  listen: "notification_restart_grafana"
  ignore_errors: true # noqa: ignore-errors
- name: Enable x509-exporter.service
+- name: Restart x509-exporter.service
  ansible.builtin.systemd:
    name: "x509-exporter.service"
-    state: "started"
+    state: "restarted"
    enabled: true
    daemon_reload: true
    scope: "user"
@@ -55,6 +55,8 @@
  no_log: true
 - name: Initiate ldap (When = false, If DB data does not exist in postgresql, activate this block)
 # The reason why this task doesn't use the way to check ".init" file is this tasks can override original database.
 # Absent of ".init" file cannot guarantee DB is empty.
  when: false
  become: true
  block:
@@ -10,6 +10,8 @@
      - "immich"
      - "paperless"
      - "vikunja"
      - "affine"
      - "nextcloud"
 - name: Create postgresql directory
  ansible.builtin.file:
@@ -87,15 +89,13 @@
  no_log: true
 - name: Check data directory empty
-  ansible.builtin.find:
+  ansible.builtin.stat:
-    paths: "{{ node['home_path'] }}/containers/postgresql/data/"
+    path: "{{ node['home_path'] }}/containers/postgresql/data/.init"
    hidden: true
    file_type: "any"
  become: true
-  register: "is_data_dir_empty"
+  register: "is_postgresql_init"
 - name: Prepare initiating DB
-  when: is_data_dir_empty.matched == 0
+  when: not is_postgresql_init.stat.exists
  become: true
  block:
    # `init/pg_cluster.sql` should be fetched from postgresql's backup directory before running initiating
@@ -117,9 +117,14 @@
      loop: "{{ connected_services }}"
      loop_control:
        index_var: index_num
-    - name: Set is_postgresql_init_run
+
-      ansible.builtin.set_fact:
+    - name: Create .init file
-        is_postgresql_init_run: true
+      ansible.builtin.file:
        path: "{{ node['home_path'] }}/containers/postgresql/data/.init"
        state: "touch"
        mode: "0644"
        owner: "{{ ansible_user }}"
        group: "svadmins"
 - name: Deploy container file
  ansible.builtin.template:
@@ -118,6 +118,8 @@ postgresql:
        immich: ENC[AES256_GCM,data:11jvxTKA/RL0DGL6y2/X092hnDohj6yTrYGK4IVojqBd1gCOBnDvUjgmx14=,iv:oBfHxsx9nxhyKY/WOuWfybxEX2bf+lHEtsaifFRS9lg=,tag:tAfkBdgQ8ZEkLIFcDICKDw==,type:str]
        paperless: ENC[AES256_GCM,data:6VBrBbjVoam7SkZCSvoBTdrfkUoDghdGTiBmFLul04X/okXOHeC5zusJffY=,iv:iZumcJ3TWwZD77FzYx8THwCqC+EbnXUBrEKuPh3zgV8=,tag:u2m8SppAdxZ/duNdpuS3oQ==,type:str]
        vikunja: ENC[AES256_GCM,data:/+wQdoFPTBG2elI9kZbAVWrHZ0DhMaYr4dc+2z9QNdb3TcDS2PEia0JuSAg=,iv:MViZTyUD8YqMmxSTWCQpJ30f/KQdQGOzPlRHHsQ8lAw=,tag:zov3POno139dkMxFDpj2gg==,type:str]
        affine: ENC[AES256_GCM,data:XPXrcszsV06YqCJZ7CDqc4rCwqqNlbtLCFYfLAQ8jamLtft8L2UVrMA4WZo=,iv:vrWdBeckxB9tmEE628j4jhU+hSpE6TXYMGt0hh1Cg84=,tag:hlWwWUGht8NqWTZREMsa1Q==,type:str]
        nextcloud: ENC[AES256_GCM,data:ROsximNuWYMTZktmLJPx7W1Qol/uT+APgwoCtFO/6ZYYc3KxKvlk344eqEc=,iv:4d+MrfIHjJKAcwhvZ3g4go66uZcieuL7lngKErJd+fg=,tag:QbWOtxeCbiu62GyrE2atXg==,type:str]
 #ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
 #
 #
@@ -136,7 +138,7 @@ ldap:
        authelia: ENC[AES256_GCM,data:G8ZGsLKqEmMzQ5NMAgirF5BQraHNqixtI6dyyaeNhTdXebjJZML52xL36p4=,iv:ZtHAsFYmrQxr+qoQLPW/eme0+nsT148KRsXmW/LNLlU=,tag:Pvjs/eylkgxJpmGBsRmjcw==,type:str]
        grafana: ENC[AES256_GCM,data:vWmU3ZKcolETWAY74C3OMD8gMXDeYk+DqssACL0xefIPi5IkbrhYWmnWAnA=,iv:wcRms3Zp8kPM4USRPVa0UHpCTK36SWhK9C8yHSWu2Cs=,tag:gU5S/6fdMZVd/ih3Yd5uJA==,type:str]
        il: ENC[AES256_GCM,data:/CyMeo1+rIUAYiB25nI0,iv:jsyiiRN5z9GqcUnTZ0CZo4s+umTc2zeY2FPp+tVOC9o=,tag:cwOHcqMysCxX57w3a+Pzpg==,type:str]
-        morsalin: null
+        morsalin: ENC[AES256_GCM,data:YryNch8hF6rx,iv:bNIBur3Jcib8BvKjJ0MejpemsurYTP8rCxo6b2R5yEo=,tag:9dIIgqEPtbeixtgJ1OtMnQ==,type:str]
 #ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
 #
 #
@@ -236,6 +238,34 @@ vikunja:
 #ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
 #
 #
 #ENC[AES256_GCM,data:EsRGZP7snPchEAMoQN5PoQpiOA==,iv:A/8POGq3pIw7aX5S2vyKtI2vPqH0FT6yZnpe/vVbifw=,tag:BgUYHX2zxIL7yLS0JbI1Yg==,type:comment]
 opencloud:
    admin:
        password: ENC[AES256_GCM,data:VKG7sNTTLHCXRGf4SAlR91+hvc7PaNrnpJX/4kItVcT9W1Hdl/yKgHHD7M8=,iv:WwWnx9KuN+i/Ugwv+HY4IGDZrLHk71hsobGFOn9kml0=,tag:SS6ihrtZjLnlAJR59lw+gw==,type:str]
 #ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
 #
 #
 #ENC[AES256_GCM,data:k55osvepVeB1RC5hZ4IF,iv:AlhfmWwn/DiSESWc+ULJSOLUhnrKAIfWr7MeiwV8qc8=,tag:hOgptwUcY6nVxPIhu+DYgw==,type:comment]
 affine:
    secret_key: ENC[AES256_GCM,data:LLX78DpYnha1JWhgw0sHLzIVq/oIzvT+nB7zgli4mroGbnt7WZaXCx34zKkYRwYj/+0L4IFFVdkzKtK5DO84SgFkS2Bk2iNdCMqIx80CpyiD8IWAcyRu5d6hh82PlgyxU80T/4nbLbIn0GLubPTTeUX8GC3VxRU=,iv:DnmvbhlygSHes0jAkIm4+WXMUQLzr4R4dNa33rO67v8=,tag:+2wlh+/ekiTyShWM4XBbUw==,type:str]
    il:
        password: ENC[AES256_GCM,data:4zxiQAzXTR+fraRjYT657BIwSqrih3lMPFFSibQdardRMjskAbuRYIQA6mo=,iv:ub3giRG9vCFSuwRXDazYTqWbjENzQUWR36290Kruj1o=,tag:C2Ixd2eTEgzBvUNCNBtJuA==,type:str]
    oidc:
        secret: ENC[AES256_GCM,data:eRDBrqLZR7MFLlsUwk7Wg7FzxDov7vJLIWQRuKq7vrXbPSJkMcy9jfG2rL4=,iv:UaSoi7gODXgjzihJIDVIdDHJcSAZNV8UKfGeM6YzxqI=,tag:cOUDblcMStP8E4fp+s1WRQ==,type:str]
        hash: ENC[AES256_GCM,data:jE1CvFo+mjb/Xc3Ft5ky7on03vcnv79cw/5g/xaldXsv94VRrIjmfGMgHAj07r8j5mDpP34A5bYO1PSe9DYrwRcsXa9OUQuzm/8avFy9wVZDhBUUAGR+jiW1BP9hc6nmSpPVPtle+3sbqOB0ZMjXWwlcAcuknOtuhH1mzwmaDP9yf+M=,iv:CSSaXY/6MpHBMhPLUWPkabIeJ9zpZkcVjiEhxVF0zJM=,tag:f72ekkjJs7Qmh1K9wC8L9w==,type:str]
 #ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
 #
 #
 #ENC[AES256_GCM,data:PZS7EbvMHqHGorNUGAWj4dk1,iv:vOE+djRAvBTMM51kHi6kG5Arw3uPXlJt1d/BpcEaD0c=,tag:AuoCHLQz42CYvVVdKFWu1Q==,type:comment]
 nextcloud:
    admin-local:
        password: ENC[AES256_GCM,data:mIwF5A09oqYbdK3bOKid9A896Q5J5Q6Ax+vDNqEJFGNdzd/mJ4oQS6rva+s=,iv:QroUMST2wnEJzk6DySe9tPZaWuqdxzJZ0+oi6mW6x00=,tag:3UTzjupK7+omrI3Hvyr8bA==,type:str]
    oidc:
        secret: ENC[AES256_GCM,data:Sr4KkKkYdkU0UWdpfUF7PyiGoerjBiw+sOFcENyLxw0FRXGG0Y8gv5uGb4Q=,iv:LbGsNM3+iY7bWFQe88TepVKUdiRQWZ+K7Ubn6ze6lV4=,tag:SbcfIAMW9ZprgahOFU4IQQ==,type:str]
        hash: ENC[AES256_GCM,data:CkstbIYQmi72QhsbJZN0lQedgCn7TmGpYcYj0n+NvJIoTlol8G9N/88cwGbVoGK9nEISv54FL94cEJFppnMIuj0BHrhasrZsyI2/Lj52YLWdwNJWNQ+iYt+Ifp/1kI0zqmdoajzZ5DS2w/1evCBC1+JdfTRlpVXmSsHUIPIHelBRj90=,iv:vwvT5TTkF4woxXOvrRRqmrdLXf19s47NIDtdT+zLp0U=,tag:KC0MS0DTH6j3zIHOjCFOSA==,type:str]
 #ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
 #
 #
 #ENC[AES256_GCM,data:T4Wtn49AAxPd2QUFTR+q,iv:bH5goGWBDqumAat9dUv2OwfCUJUpuVqncTMqMBZUXhI=,tag:G+W6hHA+yftQ+4RJpXrxHg==,type:comment]
 switch:
    password: ENC[AES256_GCM,data:qu0f9L7A0eFq/UCpaRs=,iv:W8LLOp3MSfd/+EfNEZNf91K8GgI5eUfVPoWTRES2C0Y=,tag:Q5FlAOfwqwJwPvd7k6i+0g==,type:str]
@@ -265,7 +295,7 @@ sops:
            UmliaFNxVTBqRkI1QWJpWGpTRWxETW8KEY/8AfU73UOzCGhny1cNnd5dCNv7bHXt
            k+uyWPPi+enFkVaceSwMFrA66uaWWrwAj11sXEB7yzvGFPrnAGezjQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-03-31T11:16:41Z"
+    lastmodified: "2026-05-02T04:55:25Z"
-    mac: ENC[AES256_GCM,data:VsWpQ6epQ6ZnA3f2dn3pWqj18xkM3KNIkFC5oeG14QOdWi3c6YQXs+aIr69H15L1UUDen9g0tp165PVs191lECW8WzibZ3y5SfY8xGdXl6GeDDQ47fM059CEYnoIeN084+swCXW5aenmk2Mxmk00a6IX0XSIGB66SMB33w4cH0Q=,iv:t1omYq8SmOTeKHBoinfPZi+TBwGjTZ/23T6ZR5pmdmQ=,tag:1c7eL97pro1uK1QeNo9ePg==,type:str]
+    mac: ENC[AES256_GCM,data:4U/SGYS9eNRgRvUEvZh9E0JSctkZzSpdoUYEAbnOVyU+5u8NcG9lbMUAB4kFXb9kHVGBUI5wMwnzg102g96q1IYw5m/k4lrpePceGVNAxxKpWTnkLROhJlL3Z/Bylgq2mj7PVDcGCGEB0xPDgN+ffa7ldCxIikYmSKktISguwYU=,iv:zqS9iJ54FIaNQhnfOl4YY9QcaZLbPekTxlY1AEp3m/s=,tag:TckIRAKRVyxf/UD+jejNng==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.12.1
@@ -0,0 +1,49 @@
 [Quadlet]
 DefaultDependencies=false
 [Unit]
 Description=AFFiNE
 After=redis_affine.service manticore_affine.service
 Wants=redis_affine.service manticore_affine.service
 [Container]
 Image=ghcr.io/toeverything/affine:{{ version['containers']['affine'] }}
 ContainerName=affine
 HostName=affine
 PublishPort={{ services['affine']['ports']['http'] }}:3010
 Volume=%h/data/containers/affine:/root/.affine/storage:rw
 Volume=%h/containers/affine/config:/root/.affine/config
 Volume=%h/containers/affine/ssl:/etc/ssl/affine:ro
 # General
 Environment="TZ=Asia/Seoul"
 ## OIDC callback URIs
 Environment="AFFINE_SERVER_HOST={{ services['affine']['domain']['public'] }}.{{ domain['public'] }}"
 Environment="AFFINE_SERVER_EXTERNAL_URL=https://{{ services['affine']['domain']['public'] }}.{{ domain['public'] }}"
 Environment="AFFINE_SERVER_HTTPS=true"
 Secret=AFFINE_PRIVATE_KEY,type=env
 # Database
 Secret=AFFINE_DATABASE_URL,type=env,target=DATABASE_URL
 ## Enable AI function: this needs pgvector
 # Redis
 Environment="REDIS_SERVER_HOST=host.containers.internal"
 Environment="REDIS_SERVER_PORT={{ services['affine']['ports']['redis'] }}"
 # Indexer
 Environment="AFFINE_INDEXER_ENABLED=true"
 Environment="AFFINE_INDEXER_SEARCH_ENDPOINT=http://host.containers.internal:{{ services['affine']['ports']['manticore'] }}"
 [Service]
 ExecStartPre=/usr/bin/nc -zv {{ services['postgresql']['domain'] }}.{{ domain['internal'] }} {{ services['postgresql']['ports']['tcp'] }}
 Restart=always
 RestartSec=10s
 TimeoutStopSec=120
 [Install]
 WantedBy=default.target
@@ -13,7 +13,7 @@ Image=docker.io/gitea/gitea:{{ version['containers']['gitea'] }}
 ContainerName=gitea
 HostName=gitea
-PublishPort=3000:3000/tcp
+PublishPort={{ services['gitea']['ports']['http'] }}:3000/tcp
 Volume=%h/data/containers/gitea:/data:rw
 Volume=%h/containers/gitea/ssl:/etc/ssl/gitea:ro
@@ -25,6 +25,10 @@ Volume=%h/containers/immich/ssl:/etc/ssl/immich:ro
 # Environment
 Environment="TZ=Asia/Seoul"
 # The new environment from version 2.7.0 to enable CSP
 Environment="IMMICH_HELMET_FILE=true"
 # Redis
 Environment="REDIS_HOSTNAME=host.containers.internal"
 Environment="REDIS_PORT={{ services['immich']['ports']['redis'] }}"
 Environment="REDIS_DBINDEX=0"
@@ -0,0 +1,25 @@
 [Quadlet]
 DefaultDependencies=false
 [Unit]
 Description=Manticore - {{ manticore_service }}
 [Container]
 Image=docker.io/manticoresearch/manticore:{{ version['containers']['manticore'] }}
 ContainerName=manticore_{{ manticore_service }}
 HostName=manticore_{{ manticore_service }}
 PublishPort={{ services[manticore_service]['ports']['manticore'] }}:9308
 Volume=%h/data/containers/manticore/{{ manticore_service }}:/var/lib/manticore:rw
 # General
 Environment="TZ=Asia/Seoul"
 [Service]
 Restart=always
 RestartSec=10s
 TimeoutStopSec=120
 [Install]
 WantedBy=default.target
@@ -0,0 +1,4 @@
 <?php
 $CONFIG = [
    'maintenance_window_start' => 18,
 ];
@@ -0,0 +1,12 @@
 <?php
 $CONFIG = [
    'memcache.local' => '\OC\Memcache\APCu',
    'memcache.distributed' => '\OC\Memcache\Redis',
    'memcache.locking' => '\OC\Memcache\Redis',
    'redis' => [
        'host' => 'host.containers.internal',
        'port' => {{ services['nextcloud']['ports']['redis'] }},
        'timeout' => 1.5,
        'dbindex' => 0,
    ],
 ];
@@ -0,0 +1,9 @@
 <?php
 $CONFIG = [
  'trusted_domains' => [
    '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}',
  ],
  'overwritehost' => '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}',
  'overwriteprotocol' => 'https',
  'overwrite.cli.url' => 'https://{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}',
 ];
@@ -0,0 +1,4 @@
 <?php
 $CONFIG = [
  'allow_local_remote_servers' => true,
 ];
@@ -0,0 +1,9 @@
 <?php
 $CONFIG = [
  'user_oidc' => [
    'default_token_endpoint_auth_method' => 'client_secret_post',
    'auto_provision' => true,
    'soft_auto_provision' => true,
    'disable_account_creation' => false,
  ],
 ];
@@ -0,0 +1,14 @@
 ; /usr/local/etc/php/conf.d/opcache-recommended.ini
 ; OPcache tuning
 opcache.enable=1
 opcache.enable_cli=1
 opcache.memory_consumption=512
 opcache.interned_strings_buffer=32
 opcache.max_accelerated_files=20000
 opcache.validate_timestamps=0
 opcache.save_comments=1
 opcache.revalidate_freq=60
 opcache.fast_shutdown=1
 ; APCu CLI activate
 apc.enable_cli=1
@@ -0,0 +1,6 @@
 ; /usr/local/etc/php/conf.d/nextcloud-upload.ini
 upload_max_filesize=16G
 post_max_size=16G
 memory_limit=1024M
 max_execution_time=3600
 max_input_time=3600
@@ -0,0 +1,36 @@
 [Quadlet]
 DefaultDependencies=false
 [Unit]
 Description=Nextcloud
 [Container]
 Image=docker.io/library/nextcloud:{{ version['containers']['nextcloud'] }}
 ContainerName=nextcloud
 HostName=nextcloud
 PublishPort={{ services['nextcloud']['ports']['http'] }}:80
 Volume=%h/containers/nextcloud/ssl:/etc/ssl/nextcloud:ro
 Volume=%h/containers/nextcloud/ini/opcache.ini:/usr/local/etc/php/conf.d/opcache-recommended.ini:ro
 Volume=%h/containers/nextcloud/ini/upload.ini:/usr/local/etc/php/conf.d/upload.ini:ro
 Volume=%h/data/containers/nextcloud/html:/var/www/html:rw
 # General
 Environment="TZ=Asia/Seoul"
 # PostgreSQL
 Environment="PGSSLMODE=verify-full"
 Environment="PGSSLROOTCERT=/etc/ssl/nextcloud/{{ root_cert_filename }}"
 ## libpq in Nextcloud automatically tries to use a client certificate for mTLS. Therefore, when only TLS is required, then disable the option explicitly.
 Environment="PGSSLCERTMODE=disable"
 # Redis
 Environment="REDIS_HOST=host.containers.internal"
 Environment="REDIS_HOST_PORT={{ services['nextcloud']['ports']['redis'] }}"
 [Service]
 Restart=always
 RestartSec=10s
 TimeoutStopSec=120
 [Install]
 WantedBy=default.target
@@ -0,0 +1,8 @@
 [Unit]
 Description=Nextcloud cron.php
 Requires=nextcloud.service
 After=nextcloud.service
 [Service]
 Type=oneshot
 ExecStart=/usr/bin/podman exec -u www-data nextcloud php -f /var/www/html/cron.php
@@ -0,0 +1,10 @@
 [Unit]
 Description=Run Nextcloud cron every 5 minutes
 [Timer]
 OnBootSec=5min
 OnUnitActiveSec=5min
 Unit=nextcloud-cron.service
 [Install]
 WantedBy=timers.target
@@ -0,0 +1,38 @@
 directives:
  child-src:
    - '''self'''
  connect-src:
    - '''self'''
    - 'blob:'
    - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps'
    - 'https://update.opencloud.eu'
    - 'https://{{ services['authelia']['domain'] }}.{{ domain['public'] }}'
 #  default-src:
 #    - '''none'''
  font-src:
    - '''self'''
  frame-ancestors:
    - '''self'''
  frame-src:
    - '''self'''
    - 'blob:'
  img-src:
    - '''self'''
    - 'data:'
    - 'blob:'
  manifest-src:
    - '''self'''
  media-src:
    - '''self'''
 #  object-src:
 #    - '''none'''
  script-src:
    - '''self'''
    - '''unsafe-inline'''
    - '''unsafe-eval'''
  style-src:
    - '''self'''
    - '''unsafe-inline'''
  worker-src:
    - '''self'''
    - 'blob:'
@@ -0,0 +1,17 @@
 role_assignment:
  driver: "oidc"
  oidc_role_mapper:
    role_claim: "preferred_username"
    role_mapping:
 {% for admin_user in ['il'] %}
      - role_name: "admin"
        claim_value: "{{ admin_user }}"
 {% endfor %}
 {% for general_user in ['morsalin', 'eunkyoung'] %}
      - role_name: "user"
        claim_value: "{{ general_user }}"
 {% endfor %}
 #    - role_name: "spaceadmin"
 #      claim_value: ""
 #    - role_name: user-light
 #      claim_value: ""
@@ -0,0 +1,60 @@
 [Quadlet]
 DefaultDependencies=false
 [Unit]
 Description=OpenCloud
 [Container]
 Image=docker.io/opencloudeu/opencloud:{{ version['containers']['opencloud'] }}
 ContainerName=opencloud
 HostName=opencloud
 PublishPort={{ services['opencloud']['ports']['http'] }}:9200
 Volume=%h/containers/opencloud:/etc/opencloud:rw
 Volume=%h/data/containers/opencloud:/var/lib/opencloud:rw
 # General
 Environment="TZ=Asia/Seoul"
 # Log level info
 Environment="OC_LOG_LEVEL=info"
 # TLS configuration
 Environment="PROXY_TLS=false"
 Environment="OC_INSECURE=true"
 # Connection
 Environment="PROXY_HTTP_ADDR=0.0.0.0:9200"
 Environment="OC_URL=https://{{ services['opencloud']['domain']['public'] }}.{{ domain['public'] }}"
 ## CSP file location: allow authelia public domain
 Environment="PROXY_CSP_CONFIG_FILE_LOCATION=/etc/opencloud/csp.yaml"
 # OIDC
 Environment="OC_OIDC_ISSUER=https://{{ services['authelia']['domain'] }}.{{ domain['public'] }}"
 Environment="PROXY_OIDC_REWRITE_WELLKNOWN=true"
 ## OIDC CLIENT CONFIGURATION and SCOPES
 Environment="WEB_OIDC_CLIENT_ID=opencloud"
 Environment="WEB_OIDC_SCOPE=openid profile email"
 ## auto sign-in from authelia
 Environment="PROXY_AUTOPROVISION_ACCOUNTS=true"
 ## Stop using internal idP service
 Environment="OC_EXCLUDE_RUN_SERVICES=idp"
 ## Don't limit special characters
 Environment="GRAPH_USERNAME_MATCH=none"
 # OIDC standard link environments
 #Environment="WEB_OIDC_AUTHORITY=https://{{ services['authelia']['domain'] }}.{{ domain['public'] }}"
 #Environment="WEBFINGER_OIDC_ISSUER=https://{{ services['authelia']['domain'] }}.{{ domain['public'] }}"
 #Environment="OC_OIDC_CLIENT_ID=opencloud"
 #Environment="OC_OIDC_CLIENT_SCOPES=openid profile email groups"
 #Environment="WEBFINGER_ANDROID_OIDC_CLIENT_ID=opencloud"
 #Environment="WEBFINGER_ANDROID_OIDC_CLIENT_SCOPES=openid profile email groups offline_access"
 #Environment="WEBFINGER_DESKTOP_OIDC_CLIENT_ID=opencloud"
 #Environment="WEBFINGER_DESKTOP_OIDC_CLIENT_SCOPES=openid profile email groups offline_access"
 #Environment="WEBFINGER_IOS_OIDC_CLIENT_ID=opencloud"
 #Environment="WEBFINGER_IOS_OIDC_CLIENT_SCOPES=openid profile email groups offline_access"
 [Service]
 Restart=always
 RestartSec=10s
 TimeoutStopSec=120
 [Install]
 WantedBy=default.target
@@ -10,7 +10,7 @@ theme: 'auto'
 # Server configuration
 server:
  # TLS will be applied on caddy
-  address: 'tcp://:9091/'
+  address: 'tcp://:{{ services['authelia']['ports']['http'] }}/'
 # Log configuration
 log:
@@ -93,13 +93,24 @@ notifier:
 identity_providers:
  oidc:
    hmac_secret: '' # $AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE
    # For the app which doesn't use secret.
    cors:
      endpoints:
        - 'authorization'
        - 'token'
        - 'revocation'
        - 'introspection'
        - 'userinfo'
      allowed_origins:
        - 'https://{{ services['opencloud']['domain']['public'] }}.{{ domain['public'] }}'
      allowed_origins_from_client_redirect_uris: true
    jwks:{% raw %}
      - algorithm: 'RS256'
        use: 'sig'
        key: {{ secret "/run/secrets/AUTHELIA_JWKS_RS256" | mindent 10 "|" | msquote }}
      - algorithm: 'ES256'
        use: 'sig'
-        key: {{ secret "/run/secrets/AUTHELIA_JWKS_ES256" | mindent 10 "|" | msquote }}{% endraw %}   
+        key: {{ secret "/run/secrets/AUTHELIA_JWKS_ES256" | mindent 10 "|" | msquote }}{% endraw %} 
    clients:
      # https://www.authelia.com/integration/openid-connect/clients/synology-dsm/
      - client_id: 'dsm'
@@ -238,3 +249,141 @@ identity_providers:
        access_token_signed_response_alg: 'none'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_basic'
      # OpenCloud configuration
      ## https://docs.opencloud.eu/docs/admin/configuration/authentication-and-user-management/external-idp/
      ## Web
      - client_id: 'opencloud'
        client_name: 'OpenCloud'
        public: true
        authorization_policy: 'one_factor'
        require_pkce: true
        pkce_challenge_method: 'S256'
        redirect_uris:
          - 'https://{{ services['opencloud']['domain']['public'] }}.{{ domain['public'] }}/'
          - 'https://{{ services['opencloud']['domain']['public'] }}.{{ domain['public'] }}/oidc-callback.html'
          - 'https://{{ services['opencloud']['domain']['public'] }}.{{ domain['public'] }}/oidc-silent-redirect.html'
        scopes:
          - 'openid'
          - 'profile'
          - 'email'
          - 'groups'
        response_types:
          - 'code'
        grant_types:
          - 'authorization_code'
        access_token_signed_response_alg: 'RS256'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'none'
      ## desktop
      - client_id: 'OpenCloudDesktop'
        client_name: 'OpenCloud'
        public: true
        authorization_policy: 'one_factor'
        require_pkce: true
        pkce_challenge_method: 'S256'
        redirect_uris:
          - 'http://localhost'
          - 'http://127.0.0.1'
        scopes:
          - 'openid'
          - 'profile'
          - 'email'
          - 'groups'
          - 'offline_access'
        response_types:
          - 'code'
        grant_types:
          - 'authorization_code'
          - 'refresh_token'
        access_token_signed_response_alg: 'RS256'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'none'   
      ## Android
      - client_id: 'OpenCloudAndroid'
        client_name: 'OpenCloud'
        public: true
        authorization_policy: 'one_factor'
        require_pkce: true
        pkce_challenge_method: 'S256'
        redirect_uris:
          - 'oc://android.opencloud.eu'
        scopes:
          - 'openid'
          - 'profile'
          - 'email'
          - 'groups'
          - 'offline_access'
        response_types:
          - 'code'
        grant_types:
          - 'authorization_code'
          - 'refresh_token'
        access_token_signed_response_alg: 'RS256'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'none'
      ## IOS
      - client_id: 'OpenCloudIOS'
        client_name: 'OpenCloud'
        public: true
        authorization_policy: 'one_factor'
        require_pkce: true
        pkce_challenge_method: 'S256'
        redirect_uris:
          - 'oc://ios.opencloud.eu'
        scopes:
          - 'openid'
          - 'profile'
          - 'email'
          - 'groups'
          - 'offline_access'
        response_types:
          - 'code'
        grant_types:
          - 'authorization_code'
          - 'refresh_token'
        access_token_signed_response_alg: 'RS256'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'none'
      # https://docs.affine.pro/self-host-affine/administer/oauth-2-0
      - client_id: 'affine'
        client_name: 'Affine'
        client_secret: '{{ hostvars['console']['affine']['oidc']['hash'] }}'
        public: false
        authorization_policy: 'one_factor'
        require_pkce: false
        pkce_challenge_method: ''
        redirect_uris:
          - 'https://{{ services['affine']['domain']['public'] }}.{{ domain['public'] }}/oauth/callback'
        scopes:
          - 'openid'
          - 'profile'
          - 'email'
        response_types:
          - 'code'
        grant_types:
          - 'authorization_code'
        access_token_signed_response_alg: 'none'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_post'
      # https://www.authelia.com/integration/openid-connect/clients/nextcloud/#openid-connect-user-backend-app
      - client_id: 'nextcloud'
        client_name: 'Nextcloud'
        client_secret: '{{ hostvars['console']['nextcloud']['oidc']['hash'] }}'
        public: false
        authorization_policy: 'one_factor'
        require_pkce: true
        pkce_challenge_method: 'S256'
        redirect_uris:
          - 'https://{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}/apps/user_oidc/code'
        scopes:
          - 'openid'
          - 'profile'
          - 'email'
          - 'groups'
        response_types:
          - 'code'
        grant_types:
          - 'authorization_code'
        access_token_signed_response_alg: 'none'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_post'
@@ -65,3 +65,21 @@
                header_up Host {http.request.header.X-Forwarded-Host}
        }
 }
 {{ services['opencloud']['domain']['internal'] }}.{{ domain['internal'] }} {
        import private_tls
        reverse_proxy host.containers.internal:{{ services['opencloud']['ports']['http'] }} {
                header_up Host {http.request.header.X-Forwarded-Host}
        }
 }
 {{ services['affine']['domain']['internal'] }}.{{ domain['internal'] }} {
        import private_tls
        reverse_proxy host.containers.internal:{{ services['affine']['ports']['http'] }} {
                header_up Host {http.request.header.X-Forwarded-Host}
        }
 }
 {{ services['nextcloud']['domain']['internal'] }}.{{ domain['internal'] }} {
        import private_tls
        reverse_proxy host.containers.internal:{{ services['nextcloud']['ports']['http'] }} {
                header_up Host {http.request.header.X-Forwarded-Host}
        }
 }
@@ -39,7 +39,7 @@
        import crowdsec_log
        route {
                crowdsec
-                reverse_proxy host.containers.internal:9091
+                reverse_proxy host.containers.internal:{{ services['authelia']['ports']['http'] }}
        }
 }
 # test.ilnmors.com {
@@ -118,6 +118,33 @@
                }
        }
 }
 {{ services['opencloud']['domain']['public'] }}.{{ domain['public'] }} {
        import crowdsec_log
        route {
                crowdsec
                reverse_proxy https://{{ services['opencloud']['domain']['internal'] }}.{{ domain['internal'] }} {
                        header_up Host {http.reverse_proxy.upstream.host}
                }
        }
 }
 {{ services['affine']['domain']['public'] }}.{{ domain['public'] }} {
        import crowdsec_log
        route {
                crowdsec
                reverse_proxy https://{{ services['affine']['domain']['internal'] }}.{{ domain['internal'] }} {
                        header_up Host {http.reverse_proxy.upstream.host}
                }
        }
 }
 {{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }} {
        import crowdsec_log
        route {
                crowdsec
                reverse_proxy https://{{services['nextcloud']['domain']['internal'] }}.{{ domain['internal'] }} {
                        header_up Host {http.reverse_proxy.upstream.host}
                }
        }
 }
 # Internal domain
 {{ node['name'] }}.{{ domain['internal'] }} {
@@ -22,14 +22,17 @@ Volume=%h/containers/ca/db:/home/step/db:rw
 Volume=%h/containers/ca/templates:/home/step/templates:rw
 Environment="TZ=Asia/Seoul"
-Environment="PWDPATH=/run/secrets/STEP_CA_PASSWORD"
+# Since 0.30.0, Docker CMD no longer expands PWDPATH.
 #Environment="PWDPATH=/run/secrets/STEP_CA_PASSWORD"
 Secret=STEP_CA_PASSWORD,target=/run/secrets/STEP_CA_PASSWORD
 Exec=/usr/local/bin/step-ca --password-file /run/secrets/STEP_CA_PASSWORD /home/step/config/ca.json
 [Service]
 Restart=always
 RestartSec=10s
 TimeoutStopSec=120
 [Install]
-WantedBy=default.target
+WantedBy=default.target
@@ -203,12 +203,11 @@ loki.relabel "caddy_relabel" {
 loki.process "journal_parser" {
        forward_to = [loki.write.loki.receiver]
        // Severity parsing
-        // If content of log includes "level" information, change the level
+        stage.regex {
-        stage.logfmt {
+            // Regex to extract the log level from the content.
-            mapping = {
+            expression = "(?i)(?:level[\"\\s:=]+|\\[|\\s|^)(?P<content_level>info|warn|warning|error|debug|fatal|critical|trace)(?:[\"\\]\\s]|$)"
                "content_level" = "level",
            }
        }
        stage.labels {
            values = {
                "level" = "content_level",
@@ -16,4 +16,11 @@ whitelist:
        - "evt.Meta.target_fqdn == '{{ services['actualbudget']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/data/migrations/'"
        # immich thumbnail request 404 error false positive
        - "evt.Meta.target_fqdn == '{{ services['immich']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/api/assets/' && evt.Meta.http_path contains '/thumbnail'"
        # opencloud chunk request false positive
        - "evt.Meta.target_fqdn == '{{ services['opencloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/js/chunks/'"
        # nextcloud chunk request false positive (crowdsecurity/http-crawl-non_statics)
        - "evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/apps/viewer/js/'"
        - "evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/dist/'"
        # nextcloud upload directory request 404 error false positive (crowdsecurity/http-probing)
        - "evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/remote.php/dav/files/'"
 {% endif %}
@@ -21,9 +21,9 @@ ProtectHome=tmpfs
 InaccessiblePaths=/boot /root
 {% if node['name'] == 'infra' %}
-BindReadOnlyPaths=/home/infra/containers/postgresql/backups
+BindReadOnlyPaths=%h/containers/postgresql/backups
 {% elif node['name'] == 'app' %}
-BindReadOnlyPaths=/home/app/data
+BindReadOnlyPaths=%h/data
 {% endif %}
 # In root namescope, %u always bring 0
 BindPaths=/etc/kopia
@@ -0,0 +1,33 @@
 # Android application OIDC issue
 ## Status
 - Processing
 ## Date
 - 2026-04-20
 ## Version
 - affine server: 0.26.3 (self-hosted)
 - affine application: 0.26.3 (Android)
 - IdP: Authelia:4.39.15
 ## Problem
 - Affine android app cannot authenticate via OIDC
  - IdP authentication succeeds, but the app does not establish a session
  - The app remains on the "Sign In" screen
 ## Reason
 - Affine uses callback deep link `affine://authentication`
 - For self-hosted instances the deep link carries a 'server' parameter pointing to the correct origin, but android never read it.
 - [Issue #12819: No SSO on Android](https://github.com/toeverything/AFFiNE/issues/12819)
 - [PR #14809](https://github.com/toeverything/AFFiNE/pull/14809)
 ## Timeline
 - 2025-06-14: Issue #12819
 - 2026-04-08: PR #14809
 - 2026-04-09: Canary branch merge
 - 2026-04-15: Fork, cherry-pick
 ## Solution
 - Wait for stable release which contains the merge above
 - When the stable version releases, then verify after update
@@ -0,0 +1,33 @@
 # Actual Budget crowdsec false positive issue
 ## Status
 - Finished
 ## Date
 - 2026-03-21
 ## Version
 - Actual Budget: 26.3.0
 ## Problem
 - When users access and log in actual budget, all connections to homelab services are refused.
  - fw ban users' IP address.
 ## Reason
 - Actual budget has local first policy.
 - When the user log in actual budget, the client downloads all sql files from the server.
 - LAPI decides that as an attack which sensitive file(sql) is downloaded concurrently.
 ## Timeline
 - 2026-03-21: Release actual budget
 - 2026-03-21: Find the false positive case, and add whitelist
 ## Solution
 - Access to fw
  - Check the ban list with `sudo cscli alerts list`
  - Read the ban case with `sudo cscli alerts inspect $NUMBER`
 - Add regex on whitelist
  - evt.Meta.target_fqdn == '{{ services['actualbudget']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/data/migrations/'
 - Delete false positive decision
  - Check false positive decision with `sudo cscli decision list`
  - Delete false positive decision with `sudo cscli decision delete --id $ID`
@@ -0,0 +1,32 @@
 # Immich crowdsec false positive issue
 ## Status
 - Finished
 ## Date
 - 2026-03-21
 ## Version
 - Immich: 2.6.1
 ## Problem
 - When users access and log in Immich while Immich is generating thumbnail, all connections to homelab services are refused.
  - fw ban users' IP address.
 ## Reason
 - Immich sends 404 error to clients when the client request thumbnail while it is generating them.
 - LAPI decides a ban when a lot of 404 errors occur in short time
 ## Timeline
 - 2026-03-21: Release Immich
 - 2026-03-21: Find the false positive case, and add whitelist
 ## Solution
 - Access to fw
  - Check the ban list with `sudo cscli alerts list`
  - Read the ban case with `sudo cscli alerts inspect $NUMBER`
 - Add regex on whitelist
  - evt.Meta.target_fqdn == 'Immich.ilnmors.com' && evt.Meta.http_path contains '/api/assets/' && evt.Meta.http_path contains '/thumbnail'
 - Delete false positive decision
  - Check false positive decision with `sudo cscli decision list`
  - Delete false positive decision with `sudo cscli decision delete --id $ID`
@@ -0,0 +1,32 @@
 # OpenCloud crowdsec false positive issue
 ## Status
 - Finished
 ## Date
 - 2026-04-04
 ## Version
 - OpenCloud: 4.0.4
 ## Problem
 - When users download some files, all connections to homelab services are refused.
  - fw ban users' IP address.
 ## Reason
 - OpenCloud uses chunks when clients uploads or download files to it.
 - LAPI decides a ban when a lot of chunks file is uploaded or downloaded from external devices 
 ## Timeline
 - 2026-04-04: Release OpenCloud
 - 2026-04-04: Find the false positive case, and add whitelist
 ## Solution
 - Access to fw
  - Check the ban list with `sudo cscli alerts list`
  - Read the ban case with `sudo cscli alerts inspect $NUMBER`
 - Add regex on whitelist
  - evt.Meta.target_fqdn == '{{ services['opencloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/js/chunks/'
 - Delete false positive decision
  - Check false positive decision with `sudo cscli decision list`
  - Delete false positive decision with `sudo cscli decision delete --id $ID`
@@ -0,0 +1,38 @@
 # Nextcloud crowdsec false positive issue
 ## Status
 - Finished
 ## Date
 - 2026-05-02
 ## Version
 - Nextcloud: 33.0.3
 ## Problem
 - When users download or modify some files, all connections to homelab services are refused.
  - fw ban users' IP address.
 ## Reason
 - Nextcloud uses chunks for actions, and uploading and downloading
    - chunks on '/apps/viewer/js', '/dist/'
    - `crowdsecurity/http-crawl-non_statics`
 - Nextcloud keeps checking directory which is uploading
    - upload directory '/remote.php/dav/files/'
    - `crowdsecurity/http-probing`
 ## Timeline
 - 2026-05-02: Release nextcloud
 - 2026-05-02: Find the false positive case, and add whitelist
 ## Solution
 - Access to fw
  - Check the ban list with `sudo cscli alerts list`
  - Read the ban case with `sudo cscli alerts inspect $NUMBER`
 - Add expressions on whitelist
  - evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/apps/viewer/js/'
  - evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/dist/'
  - evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/remote.php/dav/files/'
 - Delete false positive decision
  - Check false positive decision with `sudo cscli decision list`
  - Delete false positive decision with `sudo cscli decision delete --id $ID`
@@ -1,5 +1,26 @@
 # Git configuration
 ## Convention
 - `type(scope): subject`
 - type:
    - feat: Append the new feature
    - fix: Fix the bug or errors
    - docs: Fix the documentations
    - refactor: Modify code structure without functional changes
    - perf: Improve the performance
    - chore: Modify system, package manager, etc configuration 
    - style: Fix code formatting, etc...
 ## Commit and tags
 - In this homelab, `[Infra_structure_change]:[Services_change]:[Documents_and_configuration_change]` is the tagging rule.
 - Tagging and commit should be distinguished.
 - The change which affects system: tagging
 - The change which doesn't affect system: commit
 - `git commit -m "docs(git): define git convention"`
 ## Local git
 ```bash
@@ -29,14 +50,8 @@ git add .
 # Check git changes
 git status
 git commit -m "1.0.0: Release IaaS baseline"
 # git commit -m "docs: update 07-git.md to add the way to manage git system"
 # Make current documents as snapshot
 git tag -a 1.0.0 -m "IaaS baseline"
-# Make special changes
+
 # In this homelab, [Infra_structure_change]:[Services_change]:[Documents_and_configuration_change]
 # Tagging and commit should be distinguished.
 # The change which affects system: tagging
 # The change which doesn't affect system: commit
 # Commands
 git status # What files are changed
@@ -0,0 +1,121 @@
 # affine
 ## Prerequisite
 ### Create database
 - Create the password with `openssl rand -base64 32`
  - Save this value in secrets.yaml in `postgresql.password.affine`
  - Access infra server to create affine_db with `podman exec -it postgresql psql -U postgres`
 ```SQL
 CREATE USER affine WITH PASSWORD 'postgresql.password.affine';
 CREATE DATABASE affine_db;
 ALTER DATABASE affine_db OWNER TO affine;
 \connect affine_db
 CREATE EXTENSION IF NOT EXISTS vector;
 \dx
 -- Check the extension is activated with `\dx`
 -- postgresql image is built with `pgvector` and `vectorchord` already
 ```
 ### Create oidc secret and hash
 - Create the secret with `openssl rand -base64 32`
 - access to auth vm
  - `podman exec -it authelia sh`
  - `authelia crypto hash generate pbkdf2 --password 'affine.oidc.secret'`
 - Save this value in secrets.yaml in `affine.oidc.secret` and `affine.oidc.hash`
 ### Create secret key value
 - Create the secret with `openssl genpkey -algorithm ed25519 -outform PEM`
  - Save this value in secrets.yaml in `affine.secret_key`
 ### Create admin password
 - Create the secret with `openssl rand -base64 32`
 - Save this value in secrets.yaml in `affine.il.password`
 ### Add postgresql dump backup list
 - [set_postgresql.yaml](../../../ansible/roles/infra/tasks/services/set_postgresql.yaml)
 ```yaml
 - name: Set connected services list
  ansible.builtin.set_fact:
    connected_services:
      - ...
      - "affine"
 ```
 ## Configuration
 ### About community edition limitation
 - Workspace seats
  - The number of members itself \(account\) are unlimited.
  - However the number of members who work on the same workspace simultaneously \(seats\) are designated as 10 members.
 - Workspace storage quota
  - Originally, self-hosted version has no limitation in storage quota and uploading file size.
  - Now, there is some limitation even in the self-hosted version.
  - It will be changed when the application is updating
 ### Following feature which will be applied in this system
 - Linking local caldav vaikal or radicale ...
 - Apply AI function with API
 ### Access to affine
 - https://affine.ilnmors.com
  - Getting started
  - admin name
  - admin E-mail
  - admin password
    - Initial setting allows only 32 digit password, now just set temporary password
 ### Server configuration
 - https://affine.ilnmors.com/admin
 #### Server
 - A recognizable name for the server. Will be shown when connected with AFFiNE Desktop.
  - Ilnmors
 #### Auth
 - [ ] Whether allow new registrations
 - [x] Whether allow new registration via configured oauth
 - Minimum length requirement of password: 8
 - Maximum length requirement of password: 50
 - save
 #### Oauth configuration
 ```ini
 # These options are required
 ## OIDC callback URIs
 Environment="AFFINE_SERVER_HOST={{ services['affine']['domain']['public'] }}.{{ domain['public'] }}"
 Environment="AFFINE_SERVER_EXTERNAL_URL=https://{{ services['affine']['domain']['public'] }}.{{ domain['public'] }}"
 Environment="AFFINE_SERVER_HTTPS=true"
 ```
 - OIDC Oauth provider config
 ```json
 {
  "clientId":"affine",
  "clientSecret":"affine.oidc.secret",
  "issuer":"https://authelia.ilnmors.com",
  "args":{
    "scope": "openid profile email"
  }
 }
 ```
 - save
 #### Flags
 - [x] Whether allow guest users to create demo workspaces
 - save
@@ -0,0 +1,88 @@
 # Nextcloud
 ## Prerequisite
 ### Create database
 - Create the password with `openssl rand -base64 32`
  - Save this value in secrets.yaml in `postgresql.password.nextcloud`
  - Access infra server to create nextcloud_db with `podman exec -it postgresql psql -U postgres`
 ```SQL
 CREATE USER nextcloud WITH PASSWORD 'postgresql.password.nextcloud';
 CREATE DATABASE nextcloud_db;
 ALTER DATABASE nextcloud_db OWNER TO nextcloud;
 ```
 ### Create oidc secret and hash
 - Create the secret with `openssl rand -base64 32`
 - access to auth vm
  - `podman exec -it authelia sh`
  - `authelia crypto hash generate pbkdf2 --password 'nextcloud.oidc.secret'`
 - Save this value in secrets.yaml in `nextcloud.oidc.secret` and `nextcloud.oidc.hash`
 ### Create admin password
 - Create the secret with `openssl rand -base64 32`
 - Save this value in secrets.yaml in `nextcloud.admin-local.password`
 ### Add postgresql dump backup list
 - [set_postgresql.yaml](../../../ansible/roles/infra/tasks/services/set_postgresql.yaml)
 ```yaml
 - name: Set connected services list
  ansible.builtin.set_fact:
    connected_services:
      - ...
      - "nextcloud"
 ```
 ## Configuration
 ### Access
 - https://nextcloud.ilnmors.com
  - login with admin-local
 ### Disable and enable apps
 - Profile: Apps: Your apps: Disable
  - Photo
  - dashboard
 - Profile: Apps: Search
  - OpenID Connect user backend
  - Calendar
  - Contacts
  - Deck
  - Tasks
  - Mail
  - Nextcloud Office
 ### Configuration
 ```bash
 podman exec -u www-data nextcloud php occ user_oidc:provider Authelia \
  --clientid="nextcloud" \
  --clientsecret="nextcloud.oidc.secret" \
  --discoveryuri="https://authelia.ilnmors.com/.well-known/openid-configuration" \
  --scope="openid profile email groups" \
  --unique-uid=0 \
  --mapping-uid="preferred_username" \
  --mapping-display-name="name" \
  --mapping-email="email" \
  --mapping-groups="groups" \
  --group-whitelist-regex="/^users$/" \
  --group-provisioning=1
 podman exec -u www-data nextcloud php occ db:add-missing-indices
 podman exec -u www-data nextcloud php occ db:add-missing-columns
 podman exec -u www-data nextcloud php occ db:add-missing-primary-keys
 ```
 ### Account configuration
 - Profile: Accounts:
  - allocate admin group for admin users
@@ -0,0 +1,25 @@
 # opencloud
 ## Prerequisite
 ### oidc secret and hash
 - Opencloud uses PKEC, therefore it doesn't need client secret
 ### Create admin password
 - Create the password with `openssl rand -base64 32`
  - Save this value in secrets.yaml in `opencloud.admin.password`
 ## Configuration
 - **!CAUTION!** OpenCloud application \(Android, IOS, Desktop\) doesn't support standard OIDC. Every scopes and client id is hardcoded.
  - WEBFINGER_\[DESKTOP|ANDROID|IOS\]_OIDC_CLIENT_ID, WEBFINGER_\[DESKTOP|ANDROID|IOS\]_OIDC_CLIENT_SCOPES don't work on official app.
  - It is impossible to set group claim in scopes. Therefore, it is hard to control roles with token including group claim.
 - When authelia doesn't work, annotate `OC_EXCLUDE_RUN_SERVICES=idp` and restart to container to use local admin.
 - This app doesn't support regex on role_assignment mapping.
  - When the new user added, manage proxy.yaml.j2 manually until they will support regex or fallback mapping, or fix the hardcoded scopes on applications.
 ### csp
 - Fix `csp.yaml`
@@ -235,4 +235,16 @@ fw@fw:~$ sudo cscli alerts inspect 230 -d
 - check the log and analyze and make expression
  - e.g. immich
    - evt.Meta.target_fqdn == 'immich.ilnmors.com' && evt.Meta.http_path contains '/api/assets/' && evt.Meta.http_path contains '/thumbnail'
  - e.g. opencloud
    - "evt.Meta.target_fqdn == '{{ services['opencloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/js/chunks/'"
 - free false positive decision
 fw@fw:~$ sudo cscli decision list
 ╭─────────┬──────────┬───────────────────┬──────────────────────────────────────┬────────┬─────────┬────────────────────────┬────────┬────────────────────┬──────────╮
 │   ID    │  Source  │    Scope:Value    │                Reason                │ Action │ Country │           AS           │ Events │     expiration     │ Alert ID │
 ├─────────┼──────────┼───────────────────┼──────────────────────────────────────┼────────┼─────────┼────────────────────────┼────────┼────────────────────┼──────────┤
 │ 5280078 │ crowdsec │ Ip:223.195.50.112 │ crowdsecurity/http-crawl-non_statics │ ban    │ KR      │ 9769 Sejong University │ 43     │ 3h42m21.824049012s │ 430      │
 ╰─────────┴──────────┴───────────────────┴──────────────────────────────────────┴────────┴─────────┴────────────────────────┴────────┴────────────────────┴──────────╯
 fw@fw:~$ sudo cscli decision delete --id 5280078
 INFO[04-04-2026 09:55:02] 1 decision(s) deleted
@@ -11,8 +11,8 @@
    - [x] Terminal
    - [x] Step-CLI
    - [x] Ansible
-    - Git
+    - [x] Git
-    - Kopia
+    - [x] Kopia
    - [x] cloud-image-utils
 ## vmm \(Hypervisor\)
@@ -120,9 +120,10 @@
        - [x] Actual budget
        - [x] Paperless-ngx
        - [x] vikunja
-        - OpenCloud \(with Radicale, Collabora Web Office\)
+        - [x] OpenCloud
-        - Outline
+        - [x] affine \(Notion substitution\)
-        - Wiki.js
+        - [x] Nextcloud \(Use nextcloud as CalDAV and CardDav, kanban and todo\)
        - [ ] Collabora office
        - WriteFreely
        - MediaCMS
        - Funkwhale
Author	SHA1	Message	Date
il	5dd38b7e49	fix(crowdsec): update whitelist.yaml to prevent false positive false positive: - chunk problems (crowdsecurity/http-crawl-non_statics) - directory upload 404 problem (crowdsecurity/http-probing)	2026-05-02 20:38:48 +09:00
il	33d94211d1	docs(issues): fix crowdsec command 'cscli decision list' to 'cscli decision delete'	2026-05-02 19:46:51 +09:00
il	278dd3cebe	feat(nextcloud): release nextcloud deployment note: - use nextcloud for groupware - consider replacing vikunja and opencloud	2026-05-02 19:22:05 +09:00
il	d1dcb1984a	feat(vaultwarden): update vaultwarden version from 1.35.4 to 1.35.8	2026-04-30 10:03:33 +09:00
il	37c986177b	feat(blocky): update blocky version from 0.28.2 to 0.29.0	2026-04-30 10:01:18 +09:00
il	17326b1b15	feat(step-ca): update step-ca version from 0.29.0 to 0.30.2 update note: - step-ca container doesn't support $PWDPATH anymore - add --password-file argument to exec	2026-04-30 09:56:22 +09:00
il	88e1383202	feat(x509-exporter): update x509-exporter version from 3.19.1 to 3.21.0	2026-04-30 09:19:42 +09:00
il	c9b4707cb2	refactor(x509-exporter): change handler from enable to restart	2026-04-30 09:18:44 +09:00
il	da9c610426	feat(caddy): update caddy version from 2.10.2 to 2.11.2 update note: - https upstream Host rewrite is automated - Caddyfile already defines Host rewrite explicitly	2026-04-30 09:09:40 +09:00
il	c1a6da2aa8	feat(authelia): update authelia version from 4.39.15 to 4.39.19	2026-04-30 09:07:16 +09:00
il	f1cd8c9a60	feat(gitea): update gitea version from 1.25.5 to 1.26.1 deployment note: - stop gitea container - create manual database backup - update gitea	2026-04-30 08:28:51 +09:00
il	6010230a14	feat(paperless): update paperless version from 2.20.13 to 2.20.15	2026-04-30 08:10:50 +09:00
il	c3d8b62504	feat(opencloud): update opencloud version from 4.0.4 to 4.0.6	2026-04-30 08:03:33 +09:00
il	4a409e37e9	docs(issues): fix service name in timeline	2026-04-28 11:19:50 +09:00
il	cb4d17f99e	docs(issues): add the past issues which existed before tracking issues add crowdsec false positive issues fix the file name of affine android oidc issues	2026-04-27 19:50:04 +09:00
il	9569492e42	docs(issues): add affine android OIDC sign-up failure issue start tracking service issues on the docs/issues directory	2026-04-20 17:55:26 +09:00
il	2a7b234f4e	docs(affine): update flags on affine doc to check blocking guest user	2026-04-20 15:53:27 +09:00
il	621d5310a3	feat(immich): update immich version from 2.7.4 to 2.7.5	2026-04-17 14:16:44 +09:00
il	6377a56d95	refactor(ldap): Add annotation in ldap roles file the reason why task doesn't use init logic which uses .init file	2026-04-17 14:10:36 +09:00
il	dbd72f43a4	refactor(postgresql): update postgresql roles and handler to optimize init check logic	2026-04-17 13:58:22 +09:00
il	9f236b6fa5	refactor(kopia): fix the homepath from hardcoded path to %h the systemd specifier	2026-04-14 07:44:39 +09:00
il	b4a0874deb	refactor(authelia): fix publish port from hardcoded number to variable	2026-04-14 07:43:12 +09:00
il	c51216ff9b	refactor(gitea): fix publish port from hardcoded number to varible	2026-04-14 07:42:32 +09:00
il	7debdfcb93	fix(alloy): fix log level parser - remove parser for JSON and logfmt, and add regex expression to extract the level of log	2026-04-13 10:42:10 +09:00
il	da016343c0	feat(alloy): add json parser to categorize log level	2026-04-12 14:09:44 +09:00
il	bf749ebbde	chore(chromium): delete the roles from the console playbook	2026-04-12 10:58:07 +09:00
il	41d509a49d	feat(immich): update immich version from 2.6.3 to 2.7.4 - IMMICH_HELMET_FILE environment can set CSP from v2.7.0	2026-04-12 10:45:59 +09:00
il	f062f6862f	docs(git): define git convention	2026-04-12 10:31:13 +09:00
il	2dfc0f734e	roles, docs: update set_podman.yaml and environments.md to fix typo	2026-04-08 15:21:22 +09:00
il	f9211dfa24	inventory: update host_vars/console.yaml to add the hostname of console in local_san to fix sudo speed problem	2026-04-08 14:34:05 +09:00
il	8713631e0b	docs: update affine.md to clarify limitation of affine's community edition	2026-04-07 11:34:08 +09:00
il	01ad4350b0	docs: update environments.md to reflect current server status	2026-04-07 00:04:51 +09:00
il	8a4ce488f1	roles: update handlers/main.yaml and set_opencloud.yaml to optimize init check logic in roles	2026-04-06 23:40:06 +09:00
il	664cf2956d	1.9.0 Release affine	2026-04-06 23:33:44 +09:00
il	8c3fe409ae	1.8.2 Update manticore	2026-04-06 20:35:34 +09:00
il	075b796608	config, docs: update whitelists.yaml.j2 and crowdsec.md to add whitelist expression to fix false positive of opencloud chunk problem	2026-04-04 09:59:58 +09:00
il	0b7d1c4d78	1.8.0 Release opencloud	2026-04-04 09:45:48 +09:00