feat(ezbookkeeping): release ezbookkeeping

deployment notes: - use ezbookkeeping for budget - compare to actual budget - it has no RBAC and sharing budget, try to sure (we-promise/sure)
docs(ADR): update ADR 007 - backup to add checking rule and flows
2026-05-06 15:56:19 +09:00 · 2026-05-06 14:30:25 +09:00 · 2026-05-06 14:06:22 +09:00 · 2026-05-06 10:33:57 +09:00 · 2026-05-06 08:15:53 +09:00 · 2026-05-05 21:20:31 +09:00
37 changed files with 955 additions and 31 deletions
@@ -111,8 +111,8 @@ services:
      http: "3003"
  actualbudget:
    domain:
-      public: "budget"
+      public: "actualbudget"
-      internal: "budget.app"
+      internal: "actualbudget.app"
    ports:
      http: "5006"
    subuid: "101000"
@@ -148,13 +148,35 @@ services:
      http: "3010"
      redis: "6381"
      manticore: "9308"
  nextcloud:
    domain:
      public: "nextcloud"
      internal: "nextcloud.app"
    ports:
      http: "8002"
      redis: "6382"
    subuid: "100032"
  collabora:
    domain:
      public: "collabora"
      internal: "collabora.app"
    ports:
      http: "9980"
    subuid: "101000"
  ezbookkeeping:
    domain:
      public: "budget"
      internal: "budget.app"
    ports:
      http: "8003"
    subuid: "100999"
 version:
  packages:
    sops: "3.12.1"
    step: "0.30.2"
    kopia: "0.22.3"
-    blocky: "0.28.2"
+    blocky: "0.29.0"
    alloy: "1.13.0"
  containers:
    # common
@@ -174,7 +196,7 @@ version:
    # Auth
    authelia: "4.39.19"
    # App
-    vaultwarden: "1.35.4"
+    vaultwarden: "1.35.8"
    gitea: "1.26.1"
    redis: "8.6.1"
    immich: "v2.7.5"
@@ -184,3 +206,6 @@ version:
    opencloud: "4.0.6"
    manticore: "25.0.0"
    affine: "0.26.3"
    nextcloud: "33.0.3"
    collabora: "25.04.9.4.1"
    ezbookkeeping: "1.4.0"
@@ -225,6 +225,29 @@
          tags: ["site", "affine"]
      tags: ["site", "affine"]
    - name: Set nextcloud
      ansible.builtin.include_role:
        name: "app"
        tasks_from: "services/set_nextcloud"
        apply:
          tags: ["site", "nextcloud"]
      tags: ["site", "nextcloud"]
    - name: Set collabora
      ansible.builtin.include_role:
        name: "app"
        tasks_from: "services/set_collabora"
        apply:
          tags: ["site", "collabora"]
      tags: ["site", "collabora"]
    - name: Set ezbookkeeping
      ansible.builtin.include_role:
        name: "app"
        tasks_from: "services/set_ezbookkeeping"
        apply:
          tags: ["site", "ezbookkeeping"]
      tags: ["site", "ezbookkeeping"]
    - name: Flush handlers right now
      ansible.builtin.meta: "flush_handlers"
@@ -99,3 +99,37 @@
  changed_when: false
  listen: "notification_restart_affine"
  ignore_errors: true # noqa: ignore-errors
 - name: Restart nextcloud
  ansible.builtin.systemd:
    name: "nextcloud.service"
    state: "restarted"
    enabled: true
    daemon_reload: true
    scope: "user"
  when: is_nextcloud_init.stat.exists
  changed_when: false
  listen: "notification_restart_nextcloud"
  ignore_errors: true # noqa: ignore-errors
 - name: Restart collabora
  ansible.builtin.systemd:
    name: "collabora.service"
    state: "restarted"
    enabled: true
    scope: "user"
    daemon_reload: true
  changed_when: false
  listen: "notification_restart_collabora"
  ignore_errors: true # noqa: ignore-errors
 - name: Restart ezbookkeeping
  ansible.builtin.systemd:
    name: "ezbookkeeping.service"
    state: "restarted"
    enabled: true
    scope: "user"
    daemon_reload: true
  changed_when: false
  listen: "notification_restart_ezbookkeeping"
  ignore_errors: true # noqa: ignore-errors
@@ -68,3 +68,23 @@
    group: "svadmins"
    mode: "0770"
  become: true
 - name: Deploy btrfs scrub service and timer
  ansible.builtin.template:
    src: "{{ hostvars['console']['node']['config_path'] }}/services/systemd/app/btrfs/{{ item }}.j2"
    dest: "/etc/systemd/system/{{ item }}"
    owner: "root"
    group: "root"
    mode: "0644"
  loop:
    - "btrfs-scrub.service"
    - "btrfs-scrub.timer"
  become: true
 - name: Enable auto btrfs scrub
  ansible.builtin.systemd:
    name: "btrfs-scrub.timer"
    state: "started"
    enabled: true
    daemon_reload: true
  become: true
@@ -0,0 +1,17 @@
 ---
 - name: Deploy container file
  ansible.builtin.template:
    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/collabora/collabora.container.j2"
    dest: "{{ node['home_path'] }}/.config/containers/systemd/collabora.container"
    owner: "{{ ansible_user }}"
    group: "svadmins"
    mode: "0644"
  notify: "notification_restart_collabora"
 - name: Enable collabora.service
  ansible.builtin.systemd:
    name: "collabora.service"
    state: "started"
    enabled: true
    daemon_reload: true
    scope: "user"
@@ -0,0 +1,58 @@
 ---
 - name: Create ezbookkeeping directory
  ansible.builtin.file:
    path: "{{ node['home_path'] }}/{{ item }}"
    state: "directory"
    owner: "{{ services['ezbookkeeping']['subuid'] }}"
    group: "svadmins"
    mode: "0770"
  loop:
    - "data/containers/ezbookkeeping"
    - "data/containers/ezbookkeeping/data"
    - "containers/ezbookkeeping"
    - "containers/ezbookkeeping/ssl"
  become: true
 - name: Deploy root certificate
  ansible.builtin.copy:
    content: |
      {{ hostvars['console']['ca']['root']['crt'] }}
    dest: "{{ node['home_path'] }}/containers/ezbookkeeping/ssl/{{ root_cert_filename }}"
    owner: "{{ services['ezbookkeeping']['subuid'] }}"
    group: "svadmins"
    mode: "0440"
  become: true
  notify: "notification_restart_ezbookkeeping"
  no_log: true
 - name: Register secret value to podman secret
  containers.podman.podman_secret:
    name: "{{ item.name }}"
    data: "{{ item.value }}"
    state: "present"
    force: true
  loop:
    - name: "EBK_AUTH_OAUTH2_CLIENT_SECRET"
      value: "{{ hostvars['console']['ezbookkeeping']['oidc']['secret'] }}"
    - name: "EBK_DATABASE_PASSWD"
      value: "{{ hostvars['console']['postgresql']['password']['ezbookkeeping'] }}"
  notify: "notification_restart_ezbookkeeping"
  no_log: true
 - name: Deploy ezbookkeeping.container file
  ansible.builtin.template:
    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/ezbookkeeping/ezbookkeeping.container.j2"
    dest: "{{ node['home_path'] }}/.config/containers/systemd/ezbookkeeping.container"
    owner: "{{ ansible_user }}"
    group: "svadmins"
    mode: "0644"
  notify: "notification_restart_ezbookkeeping"
 - name: Enable ezbookkeeping.service
  ansible.builtin.systemd:
    name: "ezbookkeeping.service"
    state: "started"
    enabled: true
    daemon_reload: true
    scope: "user"
@@ -0,0 +1,176 @@
 ---
 - name: Set redis service name
  ansible.builtin.set_fact:
    redis_service: "nextcloud"
 - name: Create redis_nextcloud directory
  ansible.builtin.file:
    path: "{{ node['home_path'] }}/{{ item }}"
    state: "directory"
    owner: "{{ services['redis']['subuid'] }}"
    group: "svadmins"
    mode: "0770"
  loop:
    - "containers/redis"
    - "containers/redis/{{ redis_service }}"
    - "containers/redis/{{ redis_service }}/data"
  become: true
 - name: Deploy redis config file
  ansible.builtin.template:
    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/redis/redis.conf.j2"
    dest: "{{ node['home_path'] }}/containers/redis/{{ redis_service }}/redis.conf"
    owner: "{{ ansible_user }}"
    group: "svadmins"
    mode: "0644"
  register: "is_redis_conf"
 - name: Deploy redis container file
  ansible.builtin.template:
    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/redis/redis.container.j2"
    dest: "{{ node['home_path'] }}/.config/containers/systemd/redis_{{ redis_service }}.container"
    owner: "{{ ansible_user }}"
    group: "svadmins"
    mode: "0644"
  register: "is_redis_containerfile"
 - name: Enable (Restart) redis service
  ansible.builtin.systemd:
    name: "redis_{{ redis_service }}.service"
    state: "restarted"
    enabled: true
    daemon_reload: true
    scope: "user"
  when: is_redis_conf.changed or is_redis_containerfile.changed # noqa: no-handler
 - name: Create nextcloud directory
  ansible.builtin.file:
    path: "{{ node['home_path'] }}/{{ item }}"
    state: "directory"
    owner: "{{ services['nextcloud']['subuid'] }}"
    group: "svadmins"
    mode: "0770"
  loop:
    - "data/containers/nextcloud"
    - "data/containers/nextcloud/html"
    - "containers/nextcloud"
    - "containers/nextcloud/ssl"
    - "containers/nextcloud/ini"
  become: true
 - name: Check data directory empty
  ansible.builtin.stat:
    path: "{{ node['home_path'] }}/data/containers/nextcloud/.init"
  register: "is_nextcloud_init"
 - name: Deploy root certificate
  ansible.builtin.copy:
    content: |
      {{ hostvars['console']['ca']['root']['crt'] }}
    dest: "{{ node['home_path'] }}/containers/nextcloud/ssl/{{ root_cert_filename }}"
    owner: "{{ services['nextcloud']['subuid'] }}"
    group: "svadmins"
    mode: "0440"
  become: true
  notify: "notification_restart_nextcloud"
  no_log: true
 - name: Initialize nextcloud
  when: not is_nextcloud_init.stat.exists
  block:
    - name: Execute init command (Including pulling image)
      containers.podman.podman_container:
        name: "nextcloud_init"
        image: "docker.io/library/nextcloud:{{ version['containers']['nextcloud'] }}"
        command: "/bin/true"
        state: "started"
        rm: true
        detach: false
        env:
          NEXTCLOUD_UPDATE: "1"
          NEXTCLOUD_ADMIN_USER: "admin-local"
          NEXTCLOUD_ADMIN_PASSWORD: "{{ hostvars['console']['nextcloud']['admin-local']['password'] }}"
          POSTGRES_HOST: "{{ services['postgresql']['domain'] }}.{{ domain['internal'] }}:{{ services['postgresql']['ports']['tcp'] }}"
          POSTGRES_DB: "nextcloud_db"
          POSTGRES_USER: "nextcloud"
          POSTGRES_PASSWORD: "{{ hostvars['console']['postgresql']['password']['nextcloud'] }}"
          PGSSLMODE: "verify-full"
          PGSSLROOTCERT: "/etc/ssl/nextcloud/{{ root_cert_filename }}"
          PGSSLCERTMODE: "disable"
          REDIS_HOST: "host.containers.internal"
          REDIS_HOST_PORT: "{{ services['nextcloud']['ports']['redis'] }}"
        volume:
          - "{{ node['home_path'] }}/containers/nextcloud/ssl:/etc/ssl/nextcloud:ro"
          - "{{ node['home_path'] }}/data/containers/nextcloud/html:/var/www/html:rw"
      no_log: true
    - name: Create .init file
      ansible.builtin.file:
        path: "{{ node['home_path'] }}/data/containers/nextcloud/.init"
        state: "touch"
        mode: "0644"
        owner: "{{ ansible_user }}"
        group: "svadmins"
 - name: Deploy config files
  ansible.builtin.template:
    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/nextcloud/config/{{ item }}.j2"
    dest: "{{ node['home_path'] }}/data/containers/nextcloud/html/config/{{ item }}"
    owner: "{{ services['nextcloud']['subuid'] }}"
    group: "svadmins"
    mode: "0640"
  loop:
    - "background.config.php"
    - "cache.config.php"
    - "domain.config.php"
    - "local_remote.config.php"
    - "user_oidc.config.php"
  become: true
  notify: "notification_restart_nextcloud"
 - name: Deploy opcache.ini file
  ansible.builtin.copy:
    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/nextcloud/ini/{{ item }}"
    dest: "{{ node['home_path'] }}/containers/nextcloud/ini/{{ item }}"
    group: "svadmins"
    mode: "0644"
  loop:
    - "opcache.ini"
    - "upload.ini"
  notify: "notification_restart_nextcloud"
 - name: Deploy nextcloud.container file
  ansible.builtin.template:
    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/nextcloud/nextcloud.container.j2"
    dest: "{{ node['home_path'] }}/.config/containers/systemd/nextcloud.container"
    owner: "{{ ansible_user }}"
    group: "svadmins"
    mode: "0644"
  notify: "notification_restart_nextcloud"
 - name: Deploy nextcloud-cron service
  ansible.builtin.copy:
    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/nextcloud/systemd/{{ item }}"
    dest: "{{ node['home_path'] }}/.config/systemd/user/{{ item }}"
    owner: "{{ ansible_user }}"
    group: "svadmins"
    mode: "0644"
  loop:
    - "nextcloud-cron.service"
    - "nextcloud-cron.timer"
 - name: Enable nextcloud.service
  ansible.builtin.systemd:
    name: "nextcloud.service"
    state: "started"
    enabled: true
    daemon_reload: true
    scope: "user"
 - name: Enable nextcloud-cron.timer
  ansible.builtin.systemd:
    name: "nextcloud-cron.timer"
    state: "started"
    enabled: true
    daemon_reload: true
    scope: "user"
@@ -36,10 +36,15 @@
  ansible.builtin.set_fact:
    acquisd_list:
      fw:
-        collection: "crowdsecurity/suricata"
+        collection:
          - "crowdsecurity/suricata"
        parser: []
        config: "suricata.yaml"
      auth:
-        collection: "crowdsecurity/caddy"
+        collection:
          - "crowdsecurity/caddy"
        parser:
          - "crowdsecurity/nextcloud-whitelist"
        config: "caddy.yaml"
 - name: Deploy crowdsec-update service files
@@ -181,7 +186,8 @@
  block:
    - name: Install crowdsec collection
      ansible.builtin.command:
-        cmd: "cscli collections install {{ acquisd_list[node['name']]['collection'] }}"
+        cmd: "cscli collections install {{ item }}"
      loop: "{{ acquisd_list[node['name']]['collection'] }}"
      become: true
      changed_when: "'overwrite' not in is_collection_installed.stderr"
      failed_when:
@@ -189,6 +195,17 @@
        - "'already installed' not in is_collection_installed.stderr"
      register: "is_collection_installed"
    - name: Install crowdsec parser
      ansible.builtin.command:
        cmd: "cscli parsers install {{ item }}"
      loop: "{{ acquisd_list[node['name']]['parser'] }}"
      become: true
      changed_when: "'overwrite' not in is_parser_installed.stderr"
      failed_when:
        - is_parser_installed.rc != 0
        - "'already installed' not in is_parser_installed.stderr"
      register: "is_parser_installed"
    - name: Create crowdsec acquis.d directory
      ansible.builtin.file:
        path: "/etc/crowdsec/acquis.d"
@@ -11,6 +11,8 @@
      - "paperless"
      - "vikunja"
      - "affine"
      - "nextcloud"
      - "ezbookkeeping"
 - name: Create postgresql directory
  ansible.builtin.file:
@@ -119,6 +119,8 @@ postgresql:
        paperless: ENC[AES256_GCM,data:6VBrBbjVoam7SkZCSvoBTdrfkUoDghdGTiBmFLul04X/okXOHeC5zusJffY=,iv:iZumcJ3TWwZD77FzYx8THwCqC+EbnXUBrEKuPh3zgV8=,tag:u2m8SppAdxZ/duNdpuS3oQ==,type:str]
        vikunja: ENC[AES256_GCM,data:/+wQdoFPTBG2elI9kZbAVWrHZ0DhMaYr4dc+2z9QNdb3TcDS2PEia0JuSAg=,iv:MViZTyUD8YqMmxSTWCQpJ30f/KQdQGOzPlRHHsQ8lAw=,tag:zov3POno139dkMxFDpj2gg==,type:str]
        affine: ENC[AES256_GCM,data:XPXrcszsV06YqCJZ7CDqc4rCwqqNlbtLCFYfLAQ8jamLtft8L2UVrMA4WZo=,iv:vrWdBeckxB9tmEE628j4jhU+hSpE6TXYMGt0hh1Cg84=,tag:hlWwWUGht8NqWTZREMsa1Q==,type:str]
        nextcloud: ENC[AES256_GCM,data:ROsximNuWYMTZktmLJPx7W1Qol/uT+APgwoCtFO/6ZYYc3KxKvlk344eqEc=,iv:4d+MrfIHjJKAcwhvZ3g4go66uZcieuL7lngKErJd+fg=,tag:QbWOtxeCbiu62GyrE2atXg==,type:str]
        ezbookkeeping: ENC[AES256_GCM,data:CYYQ5DVr8Na46QduvUNF6d0XBVSXTml34q3/PhIYIvUNviOVgCjqXA4wN7g=,iv:qRljohJ+wI50XxSgMElKp65HyV3mKRTqDGjw9C1S0d0=,tag:PClp7PRmC0+PV0SzZpJqqQ==,type:str]
 #ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
 #
 #
@@ -255,6 +257,24 @@ affine:
 #ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
 #
 #
 #ENC[AES256_GCM,data:PZS7EbvMHqHGorNUGAWj4dk1,iv:vOE+djRAvBTMM51kHi6kG5Arw3uPXlJt1d/BpcEaD0c=,tag:AuoCHLQz42CYvVVdKFWu1Q==,type:comment]
 nextcloud:
    admin-local:
        password: ENC[AES256_GCM,data:mIwF5A09oqYbdK3bOKid9A896Q5J5Q6Ax+vDNqEJFGNdzd/mJ4oQS6rva+s=,iv:QroUMST2wnEJzk6DySe9tPZaWuqdxzJZ0+oi6mW6x00=,tag:3UTzjupK7+omrI3Hvyr8bA==,type:str]
    oidc:
        secret: ENC[AES256_GCM,data:Sr4KkKkYdkU0UWdpfUF7PyiGoerjBiw+sOFcENyLxw0FRXGG0Y8gv5uGb4Q=,iv:LbGsNM3+iY7bWFQe88TepVKUdiRQWZ+K7Ubn6ze6lV4=,tag:SbcfIAMW9ZprgahOFU4IQQ==,type:str]
        hash: ENC[AES256_GCM,data:CkstbIYQmi72QhsbJZN0lQedgCn7TmGpYcYj0n+NvJIoTlol8G9N/88cwGbVoGK9nEISv54FL94cEJFppnMIuj0BHrhasrZsyI2/Lj52YLWdwNJWNQ+iYt+Ifp/1kI0zqmdoajzZ5DS2w/1evCBC1+JdfTRlpVXmSsHUIPIHelBRj90=,iv:vwvT5TTkF4woxXOvrRRqmrdLXf19s47NIDtdT+zLp0U=,tag:KC0MS0DTH6j3zIHOjCFOSA==,type:str]
 #ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
 #
 #
 #ENC[AES256_GCM,data:tMahvC9OLW4+AGLyx68SNsOPBezApw==,iv:WHx8ruuQ33J/8XtwyhvDy2cKqE7lAWvj/r5AUhdyssU=,tag:uRwheXUxqNSIhcPqGeMNog==,type:comment]
 ezbookkeeping:
    oidc:
        secret: ENC[AES256_GCM,data:ZMIfRwXDT1ujGKoc7DGvc8/O+ciB+kajo9yOwVsMsbEjl6D8gl6I0Lbsta8=,iv:++p1TTW6gDUEvh56SjMgldrpob/VWNtiYGo6wNS8cz0=,tag:LQaW333UskiN4mtIjUAguA==,type:str]
        hash: ENC[AES256_GCM,data:XyB1N3MUzBHWHAumat7/ASy/Aja/gLKmeTriOqLnMgZ9lBE1birYtFW+R0wZ+vyx79tHKVnRxzrWsxoD5jitCmHyMVrJmJKl5c4SYMhytKfBPgrNe3twcc06U+wONmgAuVpaEQlnnyzAz42SpOHbT55GegHjYzT5hXax8eRvdM6xJSY=,iv:R4+EdQuKo2JumY3cu8KPpeFezcLhlehXBxr2wVG5wHk=,tag:hpDX1x9NCCutUsnDKEf1Sg==,type:str]
 #ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
 #
 #
 #ENC[AES256_GCM,data:T4Wtn49AAxPd2QUFTR+q,iv:bH5goGWBDqumAat9dUv2OwfCUJUpuVqncTMqMBZUXhI=,tag:G+W6hHA+yftQ+4RJpXrxHg==,type:comment]
 switch:
    password: ENC[AES256_GCM,data:qu0f9L7A0eFq/UCpaRs=,iv:W8LLOp3MSfd/+EfNEZNf91K8GgI5eUfVPoWTRES2C0Y=,tag:Q5FlAOfwqwJwPvd7k6i+0g==,type:str]
@@ -284,7 +304,7 @@ sops:
            UmliaFNxVTBqRkI1QWJpWGpTRWxETW8KEY/8AfU73UOzCGhny1cNnd5dCNv7bHXt
            k+uyWPPi+enFkVaceSwMFrA66uaWWrwAj11sXEB7yzvGFPrnAGezjQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-04-06T14:32:22Z"
+    lastmodified: "2026-05-06T05:55:57Z"
-    mac: ENC[AES256_GCM,data:OFiSsBBAzOUoOwnAwhaplQQ8k2kUo+Avzk475BpaiOJoaB2c0wsJ3siP15tcLMrav4Qw8boZFo64v+rjdMoNI/MRo1EOYWNr1ZRMqHzwmQeaiMH2QcfoRZ0oLqrn5ekQztuPR9ULjDYZb63AwVGmzseUf4R5lGXgdgN5tjU/pH4=,iv:hqzDwryMuJ7JnkBazzDSznw05m7k61Sk61aPgO3JtpU=,tag:Lhhlgwy+YuQ1S0hkbsjecg==,type:str]
+    mac: ENC[AES256_GCM,data:ZIZKCze9wNuUj3C1ghHjCgVtwU9AyZPZZ0HLfEmrnPvVjyNtTlrlmj3rwR+luHSRC6kUMKWBL1NETcs3cUupcep52Ec1cxK2gHjYFK4Ri+Ep7WJB2PXzLxtxCgurrASmW1HvEihbEEpfcLA2PP4SZ7bUrjKfIPjXxcSOOKLu7kI=,iv:5evst9V+IwsB6QXNbZfKOBrUHJzI83Z4kri+P/5Xx3M=,tag:UVwMuDLQ0e/5wX8v3+L8Gg==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.12.1
@@ -0,0 +1,25 @@
 [Quadlet]
 DefaultDependencies=false
 [Unit]
 Description=Collabora Online
 [Container]
 Image=docker.io/collabora/code:{{ version['containers']['collabora'] }}
 ContainerName=collabora
 HostName=collabora
 PublishPort={{ services['collabora']['ports']['http'] }}:9980/tcp
 Environment="TZ=Asia/Seoul"
 Environment="aliasgroup1=https://{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}"
 # Environment="aliasgroup2=other_server_FQDN"
 Environment="extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:server_name={{ services['collabora']['domain']['public'] }}.{{ domain['public'] }} --o:admin_console.enable=false"
 [Service]
 Restart=always
 RestartSec=10s
 TimeoutStopSec=120
 [Install]
 WantedBy=default.target
@@ -0,0 +1,61 @@
 [Quadlet]
 DefaultDependencies=false
 [Unit]
 Description=ezBookkeeping
 After=network-online.target
 Wants=network-online.target
 [Container]
 Image=docker.io/mayswind/ezbookkeeping:{{ version['containers']['ezbookkeeping'] }}
 ContainerName=ezbookkeeping
 HostName=ezbookkeeping
 PublishPort={{ services['ezbookkeeping']['ports']['http'] }}:8080/tcp
 Volume=%h/data/containers/ezbookkeeping/data:/data:rw
 Volume=%h/containers/ezbookkeeping/ssl:/etc/ssl/ezbookkeeping:ro
 # General
 Environment="TZ=Asia/Seoul"
 Environment="EBK_SERVER_DOMAIN={{ services['ezbookkeeping']['domain']['public'] }}.{{ domain['public'] }}"
 Environment="EBK_SERVER_ROOT_URL=https://{{ services['ezbookkeeping']['domain']['public'] }}.{{ domain['public'] }}/"
 Environment="EBK_LOG_MODE=console"
 # Database
 Environment="EBK_DATABASE_TYPE=postgres"
 Environment="EBK_DATABASE_HOST={{ services['postgresql']['domain'] }}.{{ domain['internal'] }}:{{ services['postgresql']['ports']['tcp'] }}"
 Environment="EBK_DATABASE_NAME=ezbookkeeping_db"
 Environment="EBK_DATABASE_USER=ezbookkeeping"
 Secret=EBK_DATABASE_PASSWD,type=env
 Environment="EBK_DATABASE_SSL_MODE=verify-full"
 Environment="PGSSLROOTCERT=/etc/ssl/ezbookkeeping/{{ root_cert_filename }}"
 # OIDC
 Environment="EBK_AUTH_ENABLE_OAUTH2_AUTH=true"
 Environment="EBK_AUTH_OAUTH2_PROVIDER=oidc"
 Environment="EBK_AUTH_OAUTH2_CLIENT_ID=ezbookkeeping"
 Secret=EBK_AUTH_OAUTH2_CLIENT_SECRET,type=env
 Environment="EBK_AUTH_OAUTH2_USE_PKCE=true"
 Environment="EBK_AUTH_OIDC_PROVIDER_BASE_URL=https://{{ services['authelia']['domain'] }}.{{ domain['public'] }}"
 Environment="EBK_AUTH_ENABLE_OIDC_DISPLAY_NAME=true"
 Environment="EBK_AUTH_OIDC_CUSTOM_DISPLAY_NAME=Authelia"
 # Registration / auth policy
 Environment="EBK_AUTH_ENABLE_INTERNAL_AUTH=false"
 Environment="EBK_USER_ENABLE_REGISTER=true"
 Environment="EBK_AUTH_OAUTH2_AUTO_REGISTER=true"
 # AI / MCP disabled by default
 Environment="EBK_MCP_ENABLE_MCP=false"
 Environment="EBK_LLM_TRANSACTION_FROM_AI_IMAGE_RECOGNITION=false"
 [Service]
 ExecStartPre=/usr/bin/nc -zv {{ services['postgresql']['domain'] }}.{{ domain['internal'] }} {{ services['postgresql']['ports']['tcp'] }}
 Restart=always
 RestartSec=10s
 TimeoutStopSec=120
 [Install]
 WantedBy=default.target
@@ -0,0 +1,5 @@
 <?php
 $CONFIG = [
    // Background jobs mode is auto-detected as 'cron' when nextcloud-cron.timer runs cron.php via CLI. No explicit config required.
    'maintenance_window_start' => 18,
 ];
@@ -0,0 +1,12 @@
 <?php
 $CONFIG = [
    'memcache.local' => '\OC\Memcache\APCu',
    'memcache.distributed' => '\OC\Memcache\Redis',
    'memcache.locking' => '\OC\Memcache\Redis',
    'redis' => [
        'host' => 'host.containers.internal',
        'port' => {{ services['nextcloud']['ports']['redis'] }},
        'timeout' => 1.5,
        'dbindex' => 0,
    ],
 ];
@@ -0,0 +1,9 @@
 <?php
 $CONFIG = [
  'trusted_domains' => [
    '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}',
  ],
  'overwritehost' => '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}',
  'overwriteprotocol' => 'https',
  'overwrite.cli.url' => 'https://{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}',
 ];
@@ -0,0 +1,4 @@
 <?php
 $CONFIG = [
  'allow_local_remote_servers' => true,
 ];
@@ -0,0 +1,9 @@
 <?php
 $CONFIG = [
  'user_oidc' => [
    'default_token_endpoint_auth_method' => 'client_secret_post',
    'auto_provision' => true,
    'soft_auto_provision' => true,
    'disable_account_creation' => false,
  ],
 ];
@@ -0,0 +1,14 @@
 ; /usr/local/etc/php/conf.d/opcache-recommended.ini
 ; OPcache tuning
 opcache.enable=1
 opcache.enable_cli=1
 opcache.memory_consumption=512
 opcache.interned_strings_buffer=32
 opcache.max_accelerated_files=20000
 opcache.validate_timestamps=0
 opcache.save_comments=1
 opcache.revalidate_freq=60
 opcache.fast_shutdown=1
 ; APCu CLI activate
 apc.enable_cli=1
@@ -0,0 +1,6 @@
 ; /usr/local/etc/php/conf.d/nextcloud-upload.ini
 upload_max_filesize=16G
 post_max_size=16G
 memory_limit=1024M
 max_execution_time=3600
 max_input_time=3600
@@ -0,0 +1,36 @@
 [Quadlet]
 DefaultDependencies=false
 [Unit]
 Description=Nextcloud
 [Container]
 Image=docker.io/library/nextcloud:{{ version['containers']['nextcloud'] }}
 ContainerName=nextcloud
 HostName=nextcloud
 PublishPort={{ services['nextcloud']['ports']['http'] }}:80
 Volume=%h/containers/nextcloud/ssl:/etc/ssl/nextcloud:ro
 Volume=%h/containers/nextcloud/ini/opcache.ini:/usr/local/etc/php/conf.d/opcache-recommended.ini:ro
 Volume=%h/containers/nextcloud/ini/upload.ini:/usr/local/etc/php/conf.d/upload.ini:ro
 Volume=%h/data/containers/nextcloud/html:/var/www/html:rw
 # General
 Environment="TZ=Asia/Seoul"
 # PostgreSQL
 Environment="PGSSLMODE=verify-full"
 Environment="PGSSLROOTCERT=/etc/ssl/nextcloud/{{ root_cert_filename }}"
 ## libpq in Nextcloud automatically tries to use a client certificate for mTLS. Therefore, when only TLS is required, then disable the option explicitly.
 Environment="PGSSLCERTMODE=disable"
 # Redis
 Environment="REDIS_HOST=host.containers.internal"
 Environment="REDIS_HOST_PORT={{ services['nextcloud']['ports']['redis'] }}"
 [Service]
 Restart=always
 RestartSec=10s
 TimeoutStopSec=120
 [Install]
 WantedBy=default.target
@@ -0,0 +1,8 @@
 [Unit]
 Description=Nextcloud cron.php
 Requires=nextcloud.service
 After=nextcloud.service
 [Service]
 Type=oneshot
 ExecStart=/usr/bin/podman exec -u www-data nextcloud php -f /var/www/html/cron.php
@@ -0,0 +1,10 @@
 [Unit]
 Description=Run Nextcloud cron every 5 minutes
 [Timer]
 OnBootSec=5min
 OnUnitActiveSec=5min
 Unit=nextcloud-cron.service
 [Install]
 WantedBy=timers.target
@@ -365,3 +365,46 @@ identity_providers:
        access_token_signed_response_alg: 'none'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_post'
      # https://www.authelia.com/integration/openid-connect/clients/nextcloud/#openid-connect-user-backend-app
      - client_id: 'nextcloud'
        client_name: 'Nextcloud'
        client_secret: '{{ hostvars['console']['nextcloud']['oidc']['hash'] }}'
        public: false
        authorization_policy: 'one_factor'
        require_pkce: true
        pkce_challenge_method: 'S256'
        redirect_uris:
          - 'https://{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}/apps/user_oidc/code'
        scopes:
          - 'openid'
          - 'profile'
          - 'email'
          - 'groups'
        response_types:
          - 'code'
        grant_types:
          - 'authorization_code'
        access_token_signed_response_alg: 'none'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_post'
      # https://www.authelia.com/integration/openid-connect/clients/ezbookkeeping/
      - client_id: 'ezbookkeeping'
        client_name: 'ezBookkeeping'
        client_secret: '{{ hostvars['console']['ezbookkeeping']['oidc']['hash'] }}'
        public: false
        authorization_policy: 'one_factor'
        require_pkce: true
        pkce_challenge_method: 'S256'
        redirect_uris:
          - 'https://budget.ilnmors.com/oauth2/callback'
        scopes:
          - 'openid'
          - 'profile'
          - 'email'
        response_types:
          - 'code'
        grant_types:
          - 'authorization_code'
        access_token_signed_response_alg: 'none'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_basic'
@@ -77,3 +77,21 @@
                header_up Host {http.request.header.X-Forwarded-Host}
        }
 }
 {{ services['nextcloud']['domain']['internal'] }}.{{ domain['internal'] }} {
        import private_tls
        reverse_proxy host.containers.internal:{{ services['nextcloud']['ports']['http'] }} {
                header_up Host {http.request.header.X-Forwarded-Host}
        }
 }
 {{ services['collabora']['domain']['internal'] }}.{{ domain['internal'] }} {
        import private_tls
        reverse_proxy host.containers.internal:{{ services['collabora']['ports']['http'] }} {
                header_up Host {http.request.header.X-Forwarded-Host}
        }
 }
 {{ services['ezbookkeeping']['domain']['internal'] }}.{{ domain['internal'] }} {
        import private_tls
        reverse_proxy host.containers.internal:{{ services['ezbookkeeping']['ports']['http'] }} {
                header_up Host {http.request.header.X-Forwarded-Host}
        }
 }
@@ -136,6 +136,33 @@
                }
        }
 }
 {{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }} {
        import crowdsec_log
        route {
                crowdsec
                reverse_proxy https://{{services['nextcloud']['domain']['internal'] }}.{{ domain['internal'] }} {
                        header_up Host {http.reverse_proxy.upstream.host}
                }
        }
 }
 {{ services['collabora']['domain']['public'] }}.{{ domain['public'] }} {
        import crowdsec_log
        route {
                crowdsec
                reverse_proxy https://{{services['collabora']['domain']['internal'] }}.{{ domain['internal'] }} {
                        header_up Host {http.reverse_proxy.upstream.host}
                }
        }
 }
 {{ services['ezbookkeeping']['domain']['public'] }}.{{ domain['public'] }} {
        import crowdsec_log
        route {
                crowdsec
                reverse_proxy https://{{services['ezbookkeeping']['domain']['internal'] }}.{{ domain['internal'] }} {
                        header_up Host {http.reverse_proxy.upstream.host}
                }
        }
 }
 # Internal domain
 {{ node['name'] }}.{{ domain['internal'] }} {
@@ -0,0 +1,10 @@
 [Unit]
 Description=BTRFS auto scrub
 ConditionPathIsMountPoint={{ storage['btrfs']['mount_point'] }}
 RequiresMountsFor={{ storage['btrfs']['mount_point'] }}
 [Service]
 Type=oneshot
 ExecStart=/usr/bin/btrfs scrub start -Bd {{ storage['btrfs']['mount_point'] }}
 Nice=19
 IOSchedulingClass=idle
@@ -0,0 +1,10 @@
 [Unit]
 Description=Monthly BTRFS auto scrub 
 [Timer]
 OnCalendar=*-*-01 04:00:00
 Persistent=true
 RandomizedDelaySec=300
 [Install]
 WantedBy=timers.target
@@ -21,9 +21,9 @@ ProtectHome=tmpfs
 InaccessiblePaths=/boot /root
 {% if node['name'] == 'infra' %}
-BindReadOnlyPaths=%h/containers/postgresql/backups
+BindReadOnlyPaths={{ node['home_path'] }}/containers/postgresql/backups
 {% elif node['name'] == 'app' %}
-BindReadOnlyPaths=%h/data
+BindReadOnlyPaths={{ node['home_path'] }}/data
 {% endif %}
 # In root namescope, %u always bring 0
 BindPaths=/etc/kopia
@@ -38,10 +38,10 @@ ExecStartPre=/usr/bin/kopia repository connect server \
 {% if node['name'] == 'infra' %}
 ExecStart=/usr/bin/kopia snapshot create \
-    /home/infra/containers/postgresql/backups
+    {{ node['home_path'] }}/containers/postgresql/backups
 {% elif node['name'] == 'app' %}
 ExecStart=/usr/bin/kopia snapshot create \
-    /home/app/data
+    {{ node['home_path'] }}/data
 {% endif %}
@@ -6,7 +6,10 @@
    - First documentation
 - Feb/27/2026
-    - Status changed from Deffered to Accepted
+    - Status changed from Deferred to Accepted
 - May/06/2026
    - Add backup checking rules
 ## Status
@@ -30,6 +33,12 @@
    - Backing up the `/var/lib/postgresql` directory directly while the DB is running can lead to severe data corruption and inconsistency.
    - Logical dumps (`pg_dump`) are much safer, database-agnostic, and easier to restore in a homelab environment.
 ### Silent failure problem
 - May/06/2026, the fact that backups haven't run since commit '9f236b6fa5' because of '%h' in system service unit.
    - Operator couldn't realize backup doesn't run because the system service was failed silently.
    - Therefore, set the checking rule.
 ## Decisions
@@ -54,7 +63,14 @@
        - From kopia server to console:$HOMELAB_PATH/data/volume/infra/postgresql/\{cluster,data\}
    - APP data files
        - From kopia server to APP vm after initiating before deploy services
- Automative backup does not guarantee integrity of data system, so before reset the system conduct manual backup after making sure all services are shutdown.
+- Automatic backup does not guarantee integrity of data system, so before reset the system conduct manual backup after making sure all services are shutdown.
 - Check the repository once a week (Every monday)
    - Check the snapshot in repository with `kopia snapshot list --all`
    - Mount the snapshot respectively with `kopia mount $SNAPSHOT_ID $DESTINATION`
    - Copy random file from snapshot and check the values.
    - If there's some failure, check the backup service and conduct backup immediately.
    - Repeat the check flow.
    - When everything is done, umount the kopia mount with `ctrl+c`
 ## Consequences
@@ -26,8 +26,8 @@
 - Access to fw
  - Check the ban list with `sudo cscli alerts list`
  - Read the ban case with `sudo cscli alerts inspect $NUMBER`
- Add regex on whitelist
+- Add expressions on whitelist
  - evt.Meta.target_fqdn == '{{ services['actualbudget']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/data/migrations/'
 - Delete false positive decision
  - Check false positive decision with `sudo cscli decision list`
-  - Delete false positive decision with `sudo cscli decision list --id $ID`
+  - Delete false positive decision with `sudo cscli decision delete --id $ID`
@@ -25,8 +25,8 @@
 - Access to fw
  - Check the ban list with `sudo cscli alerts list`
  - Read the ban case with `sudo cscli alerts inspect $NUMBER`
- Add regex on whitelist
+- Add expressions on whitelist
-  - evt.Meta.target_fqdn == 'Immich.ilnmors.com' && evt.Meta.http_path contains '/api/assets/' && evt.Meta.http_path contains '/thumbnail'
+  - evt.Meta.target_fqdn == '{{ services['immich']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/api/assets/' && evt.Meta.http_path contains '/thumbnail'
 - Delete false positive decision
  - Check false positive decision with `sudo cscli decision list`
-  - Delete false positive decision with `sudo cscli decision list --id $ID`
+  - Delete false positive decision with `sudo cscli decision delete --id $ID`
@@ -25,8 +25,8 @@
 - Access to fw
  - Check the ban list with `sudo cscli alerts list`
  - Read the ban case with `sudo cscli alerts inspect $NUMBER`
- Add regex on whitelist
+- Add expressions on whitelist
  - evt.Meta.target_fqdn == '{{ services['opencloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/js/chunks/'
 - Delete false positive decision
  - Check false positive decision with `sudo cscli decision list`
-  - Delete false positive decision with `sudo cscli decision list --id $ID`
+  - Delete false positive decision with `sudo cscli decision delete --id $ID`
@@ -0,0 +1,38 @@
 # Nextcloud crowdsec false positive issue
 ## Status
 - Finished
 ## Date
 - 2026-05-02
 ## Version
 - Nextcloud: 33.0.3
 ## Problem
 - When users download or modify some files, all connections to homelab services are refused.
  - fw ban users' IP address.
 ## Reason
 - Nextcloud has a lot of workflows which can be caught from crowdsec
 ## Timeline
 - 2026-05-02: Release nextcloud
 - 2026-05-02: Find the false positive case, and add whitelist
 - 2026-05-03: Install crowdsecurity/nextcloud-whitelist parser
 - 2026-05-03: Make previous expressions annotation
 ## Solution
 - Install crowdsecurity/nextcloud-whitelist on auth node
 ### Deprecated solution
 - Access to fw
  - Check the ban list with `sudo cscli alerts list`
  - Read the ban case with `sudo cscli alerts inspect $NUMBER`
 - Add expressions on whitelist
  - evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/apps/viewer/js/'
  - evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/dist/'
  - evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/remote.php/dav/files/'
 - Delete false positive decision
  - Check false positive decision with `sudo cscli decision list`
  - Delete false positive decision with `sudo cscli decision delete --id $ID`
@@ -0,0 +1,28 @@
 # Collabora office
 ## Prerequisite
 - Nothing
 ## Configuration
 - Admin page is disabled by Environment options
    - `admin_console.enable=false`
 ### Link to nextcloud
 - https://nextcloud.ilnmors.com
    - login with admin account
 - Profile: Apps: Nextcloud Office 
    - Check installation and enable
 - Profile: Administration Settings: Nextcloud Office: Your own server
    - http://host.containers.internal:9980 (collabora container port)
    - Public FQDN is set automatically
    - save
 - Files
    - Verify document opening (verified)
    - The basic font `Noto Sans KR` exists
        - Korean is presented very well
@@ -0,0 +1,35 @@
 # ezBookkeeping
 ## Prerequisite
 ### Create database
 - Create the password with `openssl rand -base64 32`
  - Save this value in secrets.yaml in `postgresql.password.ezbookkeeping`
  - Access infra server to create paperless_db with `podman exec -it postgresql psql -U postgres`
 ```SQL
 CREATE USER ezbookkeeping WITH PASSWORD 'postgresql.password.ezbookkeeping';
 CREATE DATABASE ezbookkeeping_db;
 ALTER DATABASE ezbookkeeping_db OWNER TO ezbookkeeping;
 ```
 ### Create oidc secret and hash
 - Create the secret with `openssl rand -base64 32`
 - access to auth vm
  - `podman exec -it authelia sh`
  - `authelia crypto hash generate pbkdf2 --password 'ezbookkeeping.oidc.secret'`
 - Save this value in secrets.yaml in `ezbookkeeping.oidc.secret` and `ezbookkeeping.oidc.hash`
 ### Add postgresql dump backup list
 - [set_postgresql.yaml](../../../ansible/roles/infra/tasks/services/set_postgresql.yaml)
 ```yaml
 - name: Set connected services list
  ansible.builtin.set_fact:
    connected_services:
      - ...
      - "ezbookkeeping"
 ```
@@ -0,0 +1,106 @@
 # Nextcloud
 ## Prerequisite
 ### Create database
 - Create the password with `openssl rand -base64 32`
  - Save this value in secrets.yaml in `postgresql.password.nextcloud`
  - Access infra server to create nextcloud_db with `podman exec -it postgresql psql -U postgres`
 ```SQL
 CREATE USER nextcloud WITH PASSWORD 'postgresql.password.nextcloud';
 CREATE DATABASE nextcloud_db;
 ALTER DATABASE nextcloud_db OWNER TO nextcloud;
 ```
 ### Create oidc secret and hash
 - Create the secret with `openssl rand -base64 32`
 - access to auth vm
  - `podman exec -it authelia sh`
  - `authelia crypto hash generate pbkdf2 --password 'nextcloud.oidc.secret'`
 - Save this value in secrets.yaml in `nextcloud.oidc.secret` and `nextcloud.oidc.hash`
 ### Create admin password
 - Create the secret with `openssl rand -base64 32`
 - Save this value in secrets.yaml in `nextcloud.admin-local.password`
 ### Add postgresql dump backup list
 - [set_postgresql.yaml](../../../ansible/roles/infra/tasks/services/set_postgresql.yaml)
 ```yaml
 - name: Set connected services list
  ansible.builtin.set_fact:
    connected_services:
      - ...
      - "nextcloud"
 ```
 ## Configuration
 ### Access
 - https://nextcloud.ilnmors.com
  - login with admin-local
 ### Disable and enable apps
 - Profile: Apps: Your apps: Disable
  - Photo
  - dashboard
 - Profile: Apps: Search
  - OpenID Connect user backend
  - Calendar
  - Contacts
  - Deck
  - Tasks
  - Mail
  - Nextcloud Office
 ### OIDC and DB Configuration
 ```bash
 podman exec -u www-data nextcloud php occ user_oidc:provider Authelia \
  --clientid="nextcloud" \
  --clientsecret="nextcloud.oidc.secret" \
  --discoveryuri="https://authelia.ilnmors.com/.well-known/openid-configuration" \
  --scope="openid profile email groups" \
  --unique-uid=0 \
  --mapping-uid="preferred_username" \
  --mapping-display-name="name" \
  --mapping-email="email" \
  --mapping-groups="groups" \
  --group-whitelist-regex="/^users$/" \
  --group-provisioning=1
 podman exec -u www-data nextcloud php occ db:add-missing-indices
 podman exec -u www-data nextcloud php occ db:add-missing-columns
 podman exec -u www-data nextcloud php occ db:add-missing-primary-keys
 ```
 ### Account configuration
 - Profile: Accounts:
  - allocate admin group for admin users
 #### Disable System addressbook expose
 - Profile: Administration Settings: Groupware: System Address Book
  - Disable `Enable system address book` option
 ## Security warning in Nextcloud (ignored)
 ### trusted_proxies option
 - Nextcloud wants admin to set `trusted_proxies` via forwarded ip header.
  - In current system, app vm explicitly prevents access the nextcloud container outside of vm.
  - trusted_proxy ip address will be definitely 169.254.1.2 (caddy's APIPA address which is used in PASTA network), so it is not distinguished from other containers.
  - Therefore, it doesn't need to be set.
 ### HSTS option
 - This system is already main - sidecar reverse proxy system, and main proxy automatically changes http requests to https request (Caddyfile listens https).
  - main - sidecar communication is also on https via internal certificate.
  - Therefore, it doesn't need to be set.
@@ -11,8 +11,8 @@
    - [x] Terminal
    - [x] Step-CLI
    - [x] Ansible
-    - Git
+    - [x] Git
-    - Kopia
+    - [x] Kopia
    - [x] cloud-image-utils
 ## vmm \(Hypervisor\)
@@ -117,16 +117,18 @@
        - [x] Vaultwarden
        - [x] Gitea
        - [x] Immich
-        - [x] Actual budget
+        - [x] Actual budget (Comparing to ezBookkeeping)
        - [x] Paperless-ngx
-        - [x] vikunja - When affine is verified to substitute kanban board and etc, then disable this service.
+        - [x] vikunja (Comparing to Nextcloud deck)
-        - [x] OpenCloud
+        - [x] OpenCloud (Comparing to Nextcloud)
        - [x] affine \(Notion substitution\)
-        - [ ] Radicale
+        - [x] Nextcloud \(Use nextcloud as CalDAV and CardDav, kanban and todo\)
-        - [ ] Collabora office
+        - [x] Collabora office \(Link to Nextcloud, it works well\)
        - [x] ezBookkeeping (budget, consider this the main budget app instead of actual budget)
            - use budget.ilnmors.com for ezBookkeeping, actual budget domain is changed as actualbudget.ilnmors.com
        - WriteFreely
-        - MediaCMS
+        - MediaCMS or PeerTube
-        - Funkwhale
+        - Funkwhale or Navidrome or Jellyfin
        - Kavita
        - Audiobookshelf
        - Miniflux
Author	SHA1	Message	Date
il	be7f215380	feat(ezbookkeeping): release ezbookkeeping deployment notes: - use ezbookkeeping for budget - compare to actual budget - it has no RBAC and sharing budget, try to sure (we-promise/sure)	2026-05-06 15:56:19 +09:00
il	26e0fe4f8b	docs(ADR): update ADR 007 - backup to add checking rule and flows	2026-05-06 14:30:25 +09:00
il	2bb1f015e0	fix(kopia): update the bound home path from %h to ansible variable update note: - hotfix - backups haven't run since commit '9f236b6fa5' - the root service unit's %h always indicates root's home path - backup service is verified	2026-05-06 14:06:22 +09:00
il	0f546e13b3	fix(btrfs): update btrfs scrub path update notes: - from '{{ node['home_path'] }}/data' to '{{ storage['btrfs']['mount_point'] }}'	2026-05-06 10:33:57 +09:00
il	ba8b312bf2	feat(btrfs): update btrfs scrub service and timer on app vm	2026-05-06 08:15:53 +09:00
il	6fcedd9162	feat(collabora): release collabora deployment note: - link to nextcloud - document opening is verified (including korean fonts)	2026-05-05 21:20:31 +09:00
il	6ca4f61d50	docs(nextcloud): update security warning decisions and background job annotation update notes: - trusted_proxies warning - HSTS option warning - background job mode annotation	2026-05-05 20:09:00 +09:00
il	15c09cb899	docs(nextcloud): update how to disable auto generated contacts from nextcloud account	2026-05-03 12:05:11 +09:00
il	880857a70a	fix(crowdsec): update parser 'crowdsecurity/nextcloud-whitelist' update note: - deprecate custom whitelist expression - apply 'crowdsecurity/nextcloud-whitelist' parser	2026-05-03 07:19:59 +09:00
il	70bf539546	docs(issues): fix crowdsec whitelist regex to whitelist expressions	2026-05-02 20:40:10 +09:00
il	5dd38b7e49	fix(crowdsec): update whitelist.yaml to prevent false positive false positive: - chunk problems (crowdsecurity/http-crawl-non_statics) - directory upload 404 problem (crowdsecurity/http-probing)	2026-05-02 20:38:48 +09:00
il	33d94211d1	docs(issues): fix crowdsec command 'cscli decision list' to 'cscli decision delete'	2026-05-02 19:46:51 +09:00
il	278dd3cebe	feat(nextcloud): release nextcloud deployment note: - use nextcloud for groupware - consider replacing vikunja and opencloud	2026-05-02 19:22:05 +09:00
il	d1dcb1984a	feat(vaultwarden): update vaultwarden version from 1.35.4 to 1.35.8	2026-04-30 10:03:33 +09:00
il	37c986177b	feat(blocky): update blocky version from 0.28.2 to 0.29.0	2026-04-30 10:01:18 +09:00