docs(issues): add affine android OIDC sign-up failure issue

start tracking service issues on the docs/issues directory

ansible/inventory/group_vars/all.yaml

@@ -177,7 +177,7 @@ version:
     vaultwarden: "1.35.4"
     gitea: "1.25.5"
     redis: "8.6.1"
-    immich: "v2.6.3"
+    immich: "v2.7.5"
     actualbudget: "26.3.0"
     paperless: "2.20.13"
     vikunja: "2.2.2"

ansible/inventory/host_vars/console.yaml

@@ -21,5 +21,6 @@ node:
   config_path: "{{ node.homelab_path }}/config"
   ssh_san: "console,console.ilnmors.internal"
   ssh_users: "vmm,fw,infra,auth,app"
-  local_san: "localhost console.ilnmors.internal"
+  # add the hostname of wsl, it is needed to improve the sudo problem
+  local_san: "localhost console.ilnmors.internal surface"
 # ansible_python_interpreter: "{{ ansible_playbook_python }}"

ansible/playbooks/console/site.yaml

@@ -115,18 +115,10 @@
       become: true
       tags: ["init", "site", "install-packages"]
 
-    - name: Install CLI tools
+    - name: Set CLI tools
       ansible.builtin.include_role:
         name: "console"
         tasks_from: "services/set_cli_tools"
         apply:
           tags: ["init", "site", "tools"]
       tags: ["init", "site", "tools"]
-
-    - name: Install chromium with font
-      ansible.builtin.include_role:
-        name: "console"
-        tasks_from: "services/set_chromium"
-        apply:
-          tags: ["init", "site", "chromium"]
-      tags: ["init", "site", "chromium"]

ansible/roles/app/handlers/main.yaml

@@ -83,7 +83,7 @@
     enabled: true
     daemon_reload: true
     scope: "user"
-  when: not (is_opencloud_init_run | default(false))
+  when: is_opencloud_init.stat.exists
   changed_when: false
   listen: "notification_restart_opencloud"
   ignore_errors: true # noqa: ignore-errors

ansible/roles/app/tasks/services/set_opencloud.yaml

@@ -12,15 +12,13 @@
   become: true
 
 - name: Check data directory empty
-  ansible.builtin.find:
+  ansible.builtin.stat:
-    paths: "{{ node['home_path'] }}/data/containers/opencloud/"
+    path: "{{ node['home_path'] }}/data/containers/opencloud/.init"
-    hidden: true
-    file_type: "any"
   become: true
-  register: "is_data_dir_empty"
+  register: "is_opencloud_init"
 
 - name: Initialize opencloud
-  when: is_data_dir_empty.matched == 0
+  when: not is_opencloud_init.stat.exists
   block:
     - name: Execute init command (Including pulling image)
       containers.podman.podman_container:
@@ -39,9 +37,13 @@
           - "{{ node['home_path'] }}/data/containers/opencloud:/var/lib/opencloud:rw"
       no_log: true
 
-    - name: Set is_opencloud_init_run
+    - name: Create .init file
-      ansible.builtin.set_fact:
+      ansible.builtin.file:
-        is_opencloud_init_run: true
+        path: "{{ node['home_path'] }}/data/containers/opencloud/.init"
+        state: "touch"
+        mode: "0644"
+        owner: "{{ ansible_user }}"
+        group: "svadmins"
 
 - name: Deploy configuration files
   ansible.builtin.template:

ansible/roles/common/tasks/services/set_podman.yaml

@@ -15,7 +15,7 @@
     state: "directory"
     mode: "0700"
 
-- name: Create contaienr data directory for app
+- name: Create container data directory for app
   ansible.builtin.file:
     path: "{{ node['home_path'] }}/data/containers"
     owner: "{{ ansible_user }}"

ansible/roles/infra/handlers/main.yaml

@@ -12,7 +12,7 @@
 - name: Reload postgresql
   ansible.builtin.command:
     /usr/bin/podman exec -u postgres postgresql sh -c "pg_ctl reload"
-  when: not (is_postgresql_init_run | default(false))
+  when: is_postgresql_init.stat.exists
   changed_when: false
   listen: "notification_reload_postgresql"
   ignore_errors: true # noqa: ignore-errors
@@ -24,7 +24,7 @@
     enabled: true
     daemon_reload: true
     scope: "user"
-  when: not (is_postgresql_init_run | default(false))
+  when: is_postgresql_init.stat.exists
   changed_when: false
   listen: "notification_restart_postgresql"
   ignore_errors: true # noqa: ignore-errors

ansible/roles/infra/tasks/services/set_ldap.yaml

@@ -55,6 +55,8 @@
   no_log: true
 
 - name: Initiate ldap (When = false, If DB data does not exist in postgresql, activate this block)
+# The reason why this task doesn't use the way to check ".init" file is this tasks can override original database.
+# Absent of ".init" file cannot guarantee DB is empty.
   when: false
   become: true
   block:

ansible/roles/infra/tasks/services/set_postgresql.yaml

@@ -88,15 +88,13 @@
   no_log: true
 
 - name: Check data directory empty
-  ansible.builtin.find:
+  ansible.builtin.stat:
-    paths: "{{ node['home_path'] }}/containers/postgresql/data/"
+    path: "{{ node['home_path'] }}/containers/postgresql/data/.init"
-    hidden: true
-    file_type: "any"
   become: true
-  register: "is_data_dir_empty"
+  register: "is_postgresql_init"
 
 - name: Prepare initiating DB
-  when: is_data_dir_empty.matched == 0
+  when: not is_postgresql_init.stat.exists
   become: true
   block:
     # `init/pg_cluster.sql` should be fetched from postgresql's backup directory before running initiating
@@ -118,9 +116,14 @@
       loop: "{{ connected_services }}"
       loop_control:
         index_var: index_num
-    - name: Set is_postgresql_init_run
+
-      ansible.builtin.set_fact:
+    - name: Create .init file
-        is_postgresql_init_run: true
+      ansible.builtin.file:
+        path: "{{ node['home_path'] }}/containers/postgresql/data/.init"
+        state: "touch"
+        mode: "0644"
+        owner: "{{ ansible_user }}"
+        group: "svadmins"
 
 - name: Deploy container file
   ansible.builtin.template:

config/services/containers/app/gitea/gitea.container.j2

@@ -13,7 +13,7 @@ Image=docker.io/gitea/gitea:{{ version['containers']['gitea'] }}
 ContainerName=gitea
 HostName=gitea
 
-PublishPort=3000:3000/tcp
+PublishPort={{ services['gitea']['ports']['http'] }}:3000/tcp
 
 Volume=%h/data/containers/gitea:/data:rw
 Volume=%h/containers/gitea/ssl:/etc/ssl/gitea:ro

config/services/containers/app/immich/immich.container.j2

@@ -25,6 +25,10 @@ Volume=%h/containers/immich/ssl:/etc/ssl/immich:ro
 
 # Environment
 Environment="TZ=Asia/Seoul"
+# The new environment from version 2.7.0 to enable CSP
+Environment="IMMICH_HELMET_FILE=true"
+
+# Redis
 Environment="REDIS_HOSTNAME=host.containers.internal"
 Environment="REDIS_PORT={{ services['immich']['ports']['redis'] }}"
 Environment="REDIS_DBINDEX=0"

config/services/containers/auth/authelia/config/authelia.yaml.j2

@@ -10,7 +10,7 @@ theme: 'auto'
 # Server configuration
 server:
   # TLS will be applied on caddy
-  address: 'tcp://:9091/'
+  address: 'tcp://:{{ services['authelia']['ports']['http'] }}/'
 
 # Log configuration
 log:

config/services/containers/common/caddy/etc/auth/Caddyfile.j2

@@ -39,7 +39,7 @@
         import crowdsec_log
         route {
                 crowdsec
-                reverse_proxy host.containers.internal:9091
+                reverse_proxy host.containers.internal:{{ services['authelia']['ports']['http'] }}
         }
 }
 # test.ilnmors.com {

config/services/systemd/common/alloy/config.alloy.j2

@@ -203,12 +203,11 @@ loki.relabel "caddy_relabel" {
 loki.process "journal_parser" {
         forward_to = [loki.write.loki.receiver]
         // Severity parsing
-        // If content of log includes "level" information, change the level
+        stage.regex {
-        stage.logfmt {
+            // Regex to extract the log level from the content.
-            mapping = {
+            expression = "(?i)(?:level[\"\\s:=]+|\\[|\\s|^)(?P<content_level>info|warn|warning|error|debug|fatal|critical|trace)(?:[\"\\]\\s]|$)"
-                "content_level" = "level",
-            }
         }
+        
         stage.labels {
             values = {
                 "level" = "content_level",

config/services/systemd/common/kopia/kopia-backup.service.j2

@@ -21,9 +21,9 @@ ProtectHome=tmpfs
 InaccessiblePaths=/boot /root
 
 {% if node['name'] == 'infra' %}
-BindReadOnlyPaths=/home/infra/containers/postgresql/backups
+BindReadOnlyPaths=%h/containers/postgresql/backups
 {% elif node['name'] == 'app' %}
-BindReadOnlyPaths=/home/app/data
+BindReadOnlyPaths=%h/data
 {% endif %}
 # In root namescope, %u always bring 0
 BindPaths=/etc/kopia

docs/issues/affine/250420_android_oidc.md

@@ -0,0 +1,33 @@
+# Android application OIDC issue
+
+## Status
+- Processing
+
+## Date
+- 2026-04-20
+
+## version
+- affine server: 0.26.3 (self-hosted)
+- affine application: 0.26.3 (Android)
+- IdP: Authelia:4.39.15
+
+## Problem
+- Affine android app cannot authenticate via OIDC
+  - IdP authentication succeeds, but the app does not establish a session
+  - The app remains on the "Sign In" screen
+
+## Reason
+- Affine uses callback deep link `affine://authentication`
+- For self-hosted instances the deep link carries a 'server' parameter pointing to the correct origin, but android never read it.
+- [Issue #12819: No SSO on Android](https://github.com/toeverything/AFFiNE/issues/12819)
+- [PR #14809](https://github.com/toeverything/AFFiNE/pull/14809)
+
+## Timeline
+- 2025-06-14: Issue #12819
+- 2026-04-08: PR #14809
+- 2026-04-09: Canary branch merge
+- 2026-04-15: Fork, cherry-pick
+
+## Solution
+- Wait for stable release which contains the merge above
+- When the stable version releases, then verify after update

docs/runbook/07-git.md

@@ -1,5 +1,26 @@
 # Git configuration
 
+## Convention
+
+- `type(scope): subject`
+
+- type:
+    - feat: Append the new feature
+    - fix: Fix the bug or errors
+    - docs: Fix the documentations
+    - refactor: Modify code structure without functional changes
+    - perf: Improve the performance
+    - chore: Modify system, package manager, etc configuration 
+    - style: Fix code formatting, etc...
+
+## Commit and tags
+
+- In this homelab, `[Infra_structure_change]:[Services_change]:[Documents_and_configuration_change]` is the tagging rule.
+- Tagging and commit should be distinguished.
+- The change which affects system: tagging
+- The change which doesn't affect system: commit
+- `git commit -m "docs(git): define git convention"`
+
 ## Local git
 
 ```bash
@@ -29,14 +50,8 @@ git add .
 # Check git changes
 git status
 git commit -m "1.0.0: Release IaaS baseline"
-# git commit -m "docs: update 07-git.md to add the way to manage git system"
-# Make current documents as snapshot
 git tag -a 1.0.0 -m "IaaS baseline"
-# Make special changes
+
-# In this homelab, [Infra_structure_change]:[Services_change]:[Documents_and_configuration_change]
-# Tagging and commit should be distinguished.
-# The change which affects system: tagging
-# The change which doesn't affect system: commit
 
 # Commands
 git status # What files are changed

docs/services/app/affine.md

@@ -51,12 +51,15 @@ CREATE EXTENSION IF NOT EXISTS vector;
 
 ## Configuration
 
-### About quota
+### About community edition limitation
 
-- Workspace seats for family: below 10 seats
+- Workspace seats
-  - If 10 members is needed, then buy a licence
+  - The number of members itself \(account\) are unlimited.
+  - However the number of members who work on the same workspace simultaneously \(seats\) are designated as 10 members.
 - Workspace storage quota
-  - They are planning unlimited storage quota, not now. Now they have 100GB quota for sync.
+  - Originally, self-hosted version has no limitation in storage quota and uploading file size.
+  - Now, there is some limitation even in the self-hosted version.
+  - It will be changed when the application is updating
 
 ### Following feature which will be applied in this system
 
@@ -114,6 +117,5 @@ Environment="AFFINE_SERVER_HTTPS=true"
 
 #### Flags
 
-- [ ] Whether allow guest users to create demo workspaces
+- [x] Whether allow guest users to create demo workspaces
 - save
-

docs/specifications/environments.md

@@ -119,10 +119,11 @@
         - [x] Immich
         - [x] Actual budget
         - [x] Paperless-ngx
-        - [x] vikunja
+        - [x] vikunja - When affine is verified to substitute kanban board and etc, then disable this service.
-        - OpenCloud \(with Radicale, Collabora Web Office\)
+        - [x] OpenCloud
-        - Outline
+        - [x] affine \(Notion substitution\)
-        - Wiki.js
+        - [ ] Radicale
+        - [ ] Collabora office
         - WriteFreely
         - MediaCMS
         - Funkwhale