feat(authelia): update authelia version from 4.39.15 to 4.39.19

deployment note:
- stop gitea container
- create manual database backup
- update gitea

ansible/inventory/group_vars/all.yaml

@@ -172,15 +172,15 @@ version:
 #    pgvector: "v0.8.1"
     vectorchord: "0.5.3"
     # Auth
-    authelia: "4.39.15"
+    authelia: "4.39.19"
     # App
     vaultwarden: "1.35.4"
-    gitea: "1.25.5"
+    gitea: "1.26.1"
     redis: "8.6.1"
     immich: "v2.7.5"
     actualbudget: "26.3.0"
-    paperless: "2.20.13"
+    paperless: "2.20.15"
     vikunja: "2.2.2"
-    opencloud: "4.0.4"
+    opencloud: "4.0.6"
     manticore: "25.0.0"
     affine: "0.26.3"

docs/issues/affine/260420_android_oidc.md

@@ -0,0 +1,33 @@
+# Android application OIDC issue
+
+## Status
+- Processing
+
+## Date
+- 2026-04-20
+
+## Version
+- affine server: 0.26.3 (self-hosted)
+- affine application: 0.26.3 (Android)
+- IdP: Authelia:4.39.15
+
+## Problem
+- Affine android app cannot authenticate via OIDC
+  - IdP authentication succeeds, but the app does not establish a session
+  - The app remains on the "Sign In" screen
+
+## Reason
+- Affine uses callback deep link `affine://authentication`
+- For self-hosted instances the deep link carries a 'server' parameter pointing to the correct origin, but android never read it.
+- [Issue #12819: No SSO on Android](https://github.com/toeverything/AFFiNE/issues/12819)
+- [PR #14809](https://github.com/toeverything/AFFiNE/pull/14809)
+
+## Timeline
+- 2025-06-14: Issue #12819
+- 2026-04-08: PR #14809
+- 2026-04-09: Canary branch merge
+- 2026-04-15: Fork, cherry-pick
+
+## Solution
+- Wait for stable release which contains the merge above
+- When the stable version releases, then verify after update

docs/issues/crowdsec/260321_actual_budget.md

@@ -0,0 +1,33 @@
+# Actual Budget crowdsec false positive issue
+
+## Status
+- Finished
+
+## Date
+- 2026-03-21
+
+## Version
+- Actual Budget: 26.3.0
+
+## Problem
+- When users access and log in actual budget, all connections to homelab services are refused.
+  - fw ban users' IP address.
+
+## Reason
+- Actual budget has local first policy.
+- When the user log in actual budget, the client downloads all sql files from the server.
+- LAPI decides that as an attack which sensitive file(sql) is downloaded concurrently.
+
+## Timeline
+- 2026-03-21: Release actual budget
+- 2026-03-21: Find the false positive case, and add whitelist
+
+## Solution
+- Access to fw
+  - Check the ban list with `sudo cscli alerts list`
+  - Read the ban case with `sudo cscli alerts inspect $NUMBER`
+- Add regex on whitelist
+  - evt.Meta.target_fqdn == '{{ services['actualbudget']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/data/migrations/'
+- Delete false positive decision
+  - Check false positive decision with `sudo cscli decision list`
+  - Delete false positive decision with `sudo cscli decision list --id $ID`

docs/issues/crowdsec/260321_immich.md

@@ -0,0 +1,32 @@
+# Immich crowdsec false positive issue
+
+## Status
+- Finished
+
+## Date
+- 2026-03-21
+
+## Version
+- Immich: 2.6.1
+
+## Problem
+- When users access and log in Immich while Immich is generating thumbnail, all connections to homelab services are refused.
+  - fw ban users' IP address.
+
+## Reason
+- Immich sends 404 error to clients when the client request thumbnail while it is generating them.
+- LAPI decides a ban when a lot of 404 errors occur in short time
+
+## Timeline
+- 2026-03-21: Release Immich
+- 2026-03-21: Find the false positive case, and add whitelist
+
+## Solution
+- Access to fw
+  - Check the ban list with `sudo cscli alerts list`
+  - Read the ban case with `sudo cscli alerts inspect $NUMBER`
+- Add regex on whitelist
+  - evt.Meta.target_fqdn == 'Immich.ilnmors.com' && evt.Meta.http_path contains '/api/assets/' && evt.Meta.http_path contains '/thumbnail'
+- Delete false positive decision
+  - Check false positive decision with `sudo cscli decision list`
+  - Delete false positive decision with `sudo cscli decision list --id $ID`

docs/issues/crowdsec/260404_opencloud.md

@@ -0,0 +1,32 @@
+# OpenCloud crowdsec false positive issue
+
+## Status
+- Finished
+
+## Date
+- 2026-04-04
+
+## Version
+- OpenCloud: 4.0.4
+
+## Problem
+- When users download some files, all connections to homelab services are refused.
+  - fw ban users' IP address.
+
+## Reason
+- OpenCloud uses chunks when clients uploads or download files to it.
+- LAPI decides a ban when a lot of chunks file is uploaded or downloaded from external devices 
+
+## Timeline
+- 2026-04-04: Release OpenCloud
+- 2026-04-04: Find the false positive case, and add whitelist
+
+## Solution
+- Access to fw
+  - Check the ban list with `sudo cscli alerts list`
+  - Read the ban case with `sudo cscli alerts inspect $NUMBER`
+- Add regex on whitelist
+  - evt.Meta.target_fqdn == '{{ services['opencloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/js/chunks/'
+- Delete false positive decision
+  - Check false positive decision with `sudo cscli decision list`
+  - Delete false positive decision with `sudo cscli decision list --id $ID`

docs/services/app/affine.md

@@ -117,6 +117,5 @@ Environment="AFFINE_SERVER_HTTPS=true"
 
 #### Flags
 
-- [ ] Whether allow guest users to create demo workspaces
+- [x] Whether allow guest users to create demo workspaces
 - save
-