feat(nextcloud): release nextcloud

deployment note:
- use nextcloud for groupware
- consider replacing vikunja and opencloud

ansible/inventory/group_vars/all.yaml

@@ -148,21 +148,29 @@ services:
       http: "3010"
       redis: "6381"
       manticore: "9308"
+  nextcloud:
+    domain:
+      public: "nextcloud"
+      internal: "nextcloud.app"
+    ports:
+      http: "8002"
+      redis: "6382"
+    subuid: "100032"
 
 version:
   packages:
     sops: "3.12.1"
-    step: "0.29.0"
+    step: "0.30.2"
     kopia: "0.22.3"
-    blocky: "0.28.2"
+    blocky: "0.29.0"
     alloy: "1.13.0"
   containers:
     # common
-    caddy: "2.10.2"
+    caddy: "2.11.2"
     # infra
-    step: "0.29.0"
+    step: "0.30.2"
     ldap: "v0.6.2"
-    x509-exporter: "3.19.1"
+    x509-exporter: "3.21.0"
     prometheus: "v3.9.1"
     loki: "3.6.5"
     grafana: "12.3.3"
@@ -172,15 +180,16 @@ version:
 #    pgvector: "v0.8.1"
     vectorchord: "0.5.3"
     # Auth
-    authelia: "4.39.15"
+    authelia: "4.39.19"
     # App
-    vaultwarden: "1.35.4"
-    gitea: "1.25.5"
+    vaultwarden: "1.35.8"
+    gitea: "1.26.1"
     redis: "8.6.1"
     immich: "v2.7.5"
     actualbudget: "26.3.0"
-    paperless: "2.20.13"
+    paperless: "2.20.15"
     vikunja: "2.2.2"
-    opencloud: "4.0.4"
+    opencloud: "4.0.6"
     manticore: "25.0.0"
     affine: "0.26.3"
+    nextcloud: "33.0.3"

ansible/playbooks/app/site.yaml

@@ -225,6 +225,14 @@
           tags: ["site", "affine"]
       tags: ["site", "affine"]
 
+    - name: Set nextcloud
+      ansible.builtin.include_role:
+        name: "app"
+        tasks_from: "services/set_nextcloud"
+        apply:
+          tags: ["stie", "nextcloud"]
+      tags: ["site", "nextcloud"]
+
 
     - name: Flush handlers right now
       ansible.builtin.meta: "flush_handlers"

ansible/roles/app/handlers/main.yaml

@@ -99,3 +99,15 @@
   changed_when: false
   listen: "notification_restart_affine"
   ignore_errors: true # noqa: ignore-errors
+
+- name: Restart nextcloud
+  ansible.builtin.systemd:
+    name: "nextcloud.service"
+    state: "restarted"
+    enabled: true
+    daemon_reload: true
+    scope: "user"
+  when: is_nextcloud_init.stat.exists
+  changed_when: false
+  listen: "notification_restart_nextcloud"
+  ignore_errors: true # noqa: ignore-errors

ansible/roles/app/tasks/services/set_nextcloud.yaml

@@ -0,0 +1,115 @@
+---
+- name: Set redis service name
+  ansible.builtin.set_fact:
+    redis_service: "nextcloud"
+
+- name: Create redis_nextcloud directory
+  ansible.builtin.file:
+    path: "{{ node['home_path'] }}/{{ item }}"
+    state: "directory"
+    owner: "{{ services['redis']['subuid'] }}"
+    group: "svadmins"
+    mode: "0770"
+  loop:
+    - "containers/redis"
+    - "containers/redis/{{ redis_service }}"
+    - "containers/redis/{{ redis_service }}/data"
+  become: true
+
+- name: Deploy redis config file
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/redis/redis.conf.j2"
+    dest: "{{ node['home_path'] }}/containers/redis/{{ redis_service }}/redis.conf"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0644"
+  register: "is_redis_conf"
+
+- name: Deploy redis container file
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/redis/redis.container.j2"
+    dest: "{{ node['home_path'] }}/.config/containers/systemd/redis_{{ redis_service }}.container"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0644"
+  register: "is_redis_containerfile"
+
+- name: Enable (Restart) redis service
+  ansible.builtin.systemd:
+    name: "redis_{{ redis_service }}.service"
+    state: "restarted"
+    enabled: true
+    daemon_reload: true
+    scope: "user"
+  when: is_redis_conf.changed or is_redis_containerfile.changed # noqa: no-handler
+
+- name: Create nextcloud directory
+  ansible.builtin.file:
+    path: "{{ node['home_path'] }}/{{ item }}"
+    state: "directory"
+    owner: "{{ services['nextcloud']['subuid'] }}"
+    group: "svadmins"
+    mode: "0770"
+  loop:
+    - "data/containers/nextcloud"
+    - "data/containers/nextcloud/html"
+    - "containers/nextcloud"
+    - "containers/nextcloud/ssl"
+  become: true
+
+- name: Check data directory empty
+  ansible.builtin.stat:
+    path: "{{ node['home_path'] }}/data/containers/nextcloud/.init"
+  register: "is_nextcloud_init"
+
+- name: Create .init file
+  ansible.builtin.file:
+    path: "{{ node['home_path'] }}/data/containers/nextcloud/.init"
+    state: "touch"
+    mode: "0644"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+  when: not is_nextcloud_init.stat.exists
+
+- name: Deploy root certificate
+  ansible.builtin.copy:
+    content: |
+      {{ hostvars['console']['ca']['root']['crt'] }}
+    dest: "{{ node['home_path'] }}/containers/nextcloud/ssl/{{ root_cert_filename }}"
+    owner: "{{ services['nextcloud']['subuid'] }}"
+    group: "svadmins"
+    mode: "0440"
+  become: true
+  notify: "notification_restart_nextcloud"
+  no_log: true
+
+- name: Register secret value to podman secret
+  containers.podman.podman_secret:
+    name: "{{ item.name }}"
+    data: "{{ item.value }}"
+    state: "present"
+    force: true
+  loop:
+    - name: "NEXTCLOUD_DB_PASSWORD"
+      value: "{{ hostvars['console']['postgresql']['password']['nextcloud'] }}"
+    - name: "NEXTCLOUD_ADMIN_PASSWORD"
+      value: "{{ hostvars['console']['nextcloud']['admin-local']['password'] }}"
+  notify: "notification_restart_nextcloud"
+  no_log: true
+
+- name: Deploy nextcloud.container file
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/nextcloud/nextcloud.container.j2"
+    dest: "{{ node['home_path'] }}/.config/containers/systemd/nextcloud.container"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0644"
+  notify: "notification_restart_nextcloud"
+
+- name: Enable nextcloud.service
+  ansible.builtin.systemd:
+    name: "nextcloud.service"
+    state: "started"
+    enabled: true
+    daemon_reload: true
+    scope: "user"

ansible/roles/infra/handlers/main.yaml

@@ -73,10 +73,10 @@
   listen: "notification_restart_grafana"
   ignore_errors: true # noqa: ignore-errors
 
-- name: Enable x509-exporter.service
+- name: Restart x509-exporter.service
   ansible.builtin.systemd:
     name: "x509-exporter.service"
-    state: "started"
+    state: "restarted"
     enabled: true
     daemon_reload: true
     scope: "user"

ansible/roles/infra/tasks/services/set_postgresql.yaml

@@ -11,6 +11,7 @@
       - "paperless"
       - "vikunja"
       - "affine"
+      - "nextcloud"
 
 - name: Create postgresql directory
   ansible.builtin.file:

config/secrets/secrets.yaml

@@ -119,6 +119,7 @@ postgresql:
         paperless: ENC[AES256_GCM,data:6VBrBbjVoam7SkZCSvoBTdrfkUoDghdGTiBmFLul04X/okXOHeC5zusJffY=,iv:iZumcJ3TWwZD77FzYx8THwCqC+EbnXUBrEKuPh3zgV8=,tag:u2m8SppAdxZ/duNdpuS3oQ==,type:str]
         vikunja: ENC[AES256_GCM,data:/+wQdoFPTBG2elI9kZbAVWrHZ0DhMaYr4dc+2z9QNdb3TcDS2PEia0JuSAg=,iv:MViZTyUD8YqMmxSTWCQpJ30f/KQdQGOzPlRHHsQ8lAw=,tag:zov3POno139dkMxFDpj2gg==,type:str]
         affine: ENC[AES256_GCM,data:XPXrcszsV06YqCJZ7CDqc4rCwqqNlbtLCFYfLAQ8jamLtft8L2UVrMA4WZo=,iv:vrWdBeckxB9tmEE628j4jhU+hSpE6TXYMGt0hh1Cg84=,tag:hlWwWUGht8NqWTZREMsa1Q==,type:str]
+        nextcloud: ENC[AES256_GCM,data:ROsximNuWYMTZktmLJPx7W1Qol/uT+APgwoCtFO/6ZYYc3KxKvlk344eqEc=,iv:4d+MrfIHjJKAcwhvZ3g4go66uZcieuL7lngKErJd+fg=,tag:QbWOtxeCbiu62GyrE2atXg==,type:str]
 #ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
 #
 #
@@ -255,6 +256,16 @@ affine:
 #ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
 #
 #
+#ENC[AES256_GCM,data:PZS7EbvMHqHGorNUGAWj4dk1,iv:vOE+djRAvBTMM51kHi6kG5Arw3uPXlJt1d/BpcEaD0c=,tag:AuoCHLQz42CYvVVdKFWu1Q==,type:comment]
+nextcloud:
+    admin-local:
+        password: ENC[AES256_GCM,data:mIwF5A09oqYbdK3bOKid9A896Q5J5Q6Ax+vDNqEJFGNdzd/mJ4oQS6rva+s=,iv:QroUMST2wnEJzk6DySe9tPZaWuqdxzJZ0+oi6mW6x00=,tag:3UTzjupK7+omrI3Hvyr8bA==,type:str]
+    oidc:
+        secret: ENC[AES256_GCM,data:Sr4KkKkYdkU0UWdpfUF7PyiGoerjBiw+sOFcENyLxw0FRXGG0Y8gv5uGb4Q=,iv:LbGsNM3+iY7bWFQe88TepVKUdiRQWZ+K7Ubn6ze6lV4=,tag:SbcfIAMW9ZprgahOFU4IQQ==,type:str]
+        hash: ENC[AES256_GCM,data:CkstbIYQmi72QhsbJZN0lQedgCn7TmGpYcYj0n+NvJIoTlol8G9N/88cwGbVoGK9nEISv54FL94cEJFppnMIuj0BHrhasrZsyI2/Lj52YLWdwNJWNQ+iYt+Ifp/1kI0zqmdoajzZ5DS2w/1evCBC1+JdfTRlpVXmSsHUIPIHelBRj90=,iv:vwvT5TTkF4woxXOvrRRqmrdLXf19s47NIDtdT+zLp0U=,tag:KC0MS0DTH6j3zIHOjCFOSA==,type:str]
+#ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
+#
+#
 #ENC[AES256_GCM,data:T4Wtn49AAxPd2QUFTR+q,iv:bH5goGWBDqumAat9dUv2OwfCUJUpuVqncTMqMBZUXhI=,tag:G+W6hHA+yftQ+4RJpXrxHg==,type:comment]
 switch:
     password: ENC[AES256_GCM,data:qu0f9L7A0eFq/UCpaRs=,iv:W8LLOp3MSfd/+EfNEZNf91K8GgI5eUfVPoWTRES2C0Y=,tag:Q5FlAOfwqwJwPvd7k6i+0g==,type:str]
@@ -284,7 +295,7 @@ sops:
             UmliaFNxVTBqRkI1QWJpWGpTRWxETW8KEY/8AfU73UOzCGhny1cNnd5dCNv7bHXt
             k+uyWPPi+enFkVaceSwMFrA66uaWWrwAj11sXEB7yzvGFPrnAGezjQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-04-06T14:32:22Z"
-    mac: ENC[AES256_GCM,data:OFiSsBBAzOUoOwnAwhaplQQ8k2kUo+Avzk475BpaiOJoaB2c0wsJ3siP15tcLMrav4Qw8boZFo64v+rjdMoNI/MRo1EOYWNr1ZRMqHzwmQeaiMH2QcfoRZ0oLqrn5ekQztuPR9ULjDYZb63AwVGmzseUf4R5lGXgdgN5tjU/pH4=,iv:hqzDwryMuJ7JnkBazzDSznw05m7k61Sk61aPgO3JtpU=,tag:Lhhlgwy+YuQ1S0hkbsjecg==,type:str]
+    lastmodified: "2026-05-02T04:55:25Z"
+    mac: ENC[AES256_GCM,data:4U/SGYS9eNRgRvUEvZh9E0JSctkZzSpdoUYEAbnOVyU+5u8NcG9lbMUAB4kFXb9kHVGBUI5wMwnzg102g96q1IYw5m/k4lrpePceGVNAxxKpWTnkLROhJlL3Z/Bylgq2mj7PVDcGCGEB0xPDgN+ffa7ldCxIikYmSKktISguwYU=,iv:zqS9iJ54FIaNQhnfOl4YY9QcaZLbPekTxlY1AEp3m/s=,tag:TckIRAKRVyxf/UD+jejNng==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.12.1

config/services/containers/app/nextcloud/nextcloud.container.j2

@@ -0,0 +1,47 @@
+[Quadlet]
+DefaultDependencies=false
+
+[Unit]
+Description=Nextcloud
+
+[Container]
+Image=docker.io/library/nextcloud:{{ version['containers']['nextcloud'] }}
+ContainerName=nextcloud
+HostName=nextcloud
+
+PublishPort={{ services['nextcloud']['ports']['http'] }}:80
+
+Volume=%h/containers/nextcloud/ssl:/etc/ssl/nextcloud:ro
+Volume=%h/data/containers/nextcloud/html:/var/www/html:rw
+
+# General
+Environment="TZ=Asia/Seoul"
+Environment="NEXTCLOUD_TRUSTED_DOMAINS={{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}"
+Environment="OVERWRITEHOST={{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}"
+Environment="OVERWRITEPROTOCOL=https"
+Environment="OVERWRITECLIURL=https://{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}"
+# Initial admin
+Environment="NEXTCLOUD_ADMIN_USER=admin-local"
+Environment="NEXTCLOUD_ADMIN_PASSWORD_FILE=/run/secrets/ADMIN_PASSWORD"
+Secret=NEXTCLOUD_ADMIN_PASSWORD,target=/run/secrets/ADMIN_PASSWORD
+# PostgreSQL
+Environment="POSTGRES_HOST={{ services['postgresql']['domain'] }}.{{ domain['internal'] }}:{{ services['postgresql']['ports']['tcp'] }}"
+Environment="POSTGRES_DB=nextcloud_db"
+Environment="POSTGRES_USER=nextcloud"
+Environment="POSTGRES_PASSWORD_FILE=/run/secrets/DB_PASSWORD"
+Secret=NEXTCLOUD_DB_PASSWORD,target=/run/secrets/DB_PASSWORD
+Environment="PGSSLMODE=verify-full"
+Environment="PGSSLROOTCERT=/etc/ssl/nextcloud/{{ root_cert_filename }}"
+## libpq in Nextcloud automatically tries to use a client certificate for mTLS. Therefore, when only TLS is required, then disable the option explicitly.
+Environment="PGSSLCERTMODE=disable"
+# Redis
+Environment="REDIS_HOST=host.containers.internal"
+Environment="REDIS_HOST_PORT={{ services['nextcloud']['ports']['redis'] }}"
+
+[Service]
+Restart=always
+RestartSec=10s
+TimeoutStopSec=120
+
+[Install]
+WantedBy=default.target

config/services/containers/auth/authelia/config/authelia.yaml.j2

@@ -365,3 +365,25 @@ identity_providers:
         access_token_signed_response_alg: 'none'
         userinfo_signed_response_alg: 'none'
         token_endpoint_auth_method: 'client_secret_post'
+      # https://www.authelia.com/integration/openid-connect/clients/nextcloud/#openid-connect-user-backend-app
+      - client_id: 'nextcloud'
+        client_name: 'Nextcloud'
+        client_secret: '{{ hostvars['console']['nextcloud']['oidc']['hash'] }}'
+        public: false
+        authorization_policy: 'one_factor'
+        require_pkce: true
+        pkce_challenge_method: 'S256'
+        redirect_uris:
+          - 'https://{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}/apps/user_oidc/code'
+        scopes:
+          - 'openid'
+          - 'profile'
+          - 'email'
+          - 'groups'
+        response_types:
+          - 'code'
+        grant_types:
+          - 'authorization_code'
+        access_token_signed_response_alg: 'none'
+        userinfo_signed_response_alg: 'none'
+        token_endpoint_auth_method: 'client_secret_post'

config/services/containers/common/caddy/etc/app/Caddyfile.j2

@@ -77,3 +77,9 @@
                 header_up Host {http.request.header.X-Forwarded-Host}
         }
 }
+{{ services['nextcloud']['domain']['internal'] }}.{{ domain['internal'] }} {
+        import private_tls
+        reverse_proxy host.containers.internal:{{ services['nextcloud']['ports']['http'] }} {
+                header_up Host {http.request.header.X-Forwarded-Host}
+        }
+}

config/services/containers/common/caddy/etc/auth/Caddyfile.j2

@@ -136,6 +136,15 @@
                 }
         }
 }
+{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }} {
+        import crowdsec_log
+        route {
+                crowdsec
+                reverse_proxy https://{{services['nextcloud']['domain']['internal'] }}.{{ domain['internal'] }} {
+                        header_up Host {http.reverse_proxy.upstream.host}
+                }
+        }
+}
 
 # Internal domain
 {{ node['name'] }}.{{ domain['internal'] }} {

config/services/containers/infra/ca/ca.container.j2

@@ -22,10 +22,13 @@ Volume=%h/containers/ca/db:/home/step/db:rw
 Volume=%h/containers/ca/templates:/home/step/templates:rw
 
 Environment="TZ=Asia/Seoul"
-Environment="PWDPATH=/run/secrets/STEP_CA_PASSWORD"
+# Since 0.30.0, Docker CMD no longer expands PWDPATH.
+#Environment="PWDPATH=/run/secrets/STEP_CA_PASSWORD"
 
 Secret=STEP_CA_PASSWORD,target=/run/secrets/STEP_CA_PASSWORD
 
+Exec=/usr/local/bin/step-ca --password-file /run/secrets/STEP_CA_PASSWORD /home/step/config/ca.json
+
 [Service]
 Restart=always
 RestartSec=10s

docs/issues/affine/260420_android_oidc.md

@@ -0,0 +1,33 @@
+# Android application OIDC issue
+
+## Status
+- Processing
+
+## Date
+- 2026-04-20
+
+## Version
+- affine server: 0.26.3 (self-hosted)
+- affine application: 0.26.3 (Android)
+- IdP: Authelia:4.39.15
+
+## Problem
+- Affine android app cannot authenticate via OIDC
+  - IdP authentication succeeds, but the app does not establish a session
+  - The app remains on the "Sign In" screen
+
+## Reason
+- Affine uses callback deep link `affine://authentication`
+- For self-hosted instances the deep link carries a 'server' parameter pointing to the correct origin, but android never read it.
+- [Issue #12819: No SSO on Android](https://github.com/toeverything/AFFiNE/issues/12819)
+- [PR #14809](https://github.com/toeverything/AFFiNE/pull/14809)
+
+## Timeline
+- 2025-06-14: Issue #12819
+- 2026-04-08: PR #14809
+- 2026-04-09: Canary branch merge
+- 2026-04-15: Fork, cherry-pick
+
+## Solution
+- Wait for stable release which contains the merge above
+- When the stable version releases, then verify after update

docs/issues/crowdsec/260321_actual_budget.md

@@ -0,0 +1,33 @@
+# Actual Budget crowdsec false positive issue
+
+## Status
+- Finished
+
+## Date
+- 2026-03-21
+
+## Version
+- Actual Budget: 26.3.0
+
+## Problem
+- When users access and log in actual budget, all connections to homelab services are refused.
+  - fw ban users' IP address.
+
+## Reason
+- Actual budget has local first policy.
+- When the user log in actual budget, the client downloads all sql files from the server.
+- LAPI decides that as an attack which sensitive file(sql) is downloaded concurrently.
+
+## Timeline
+- 2026-03-21: Release actual budget
+- 2026-03-21: Find the false positive case, and add whitelist
+
+## Solution
+- Access to fw
+  - Check the ban list with `sudo cscli alerts list`
+  - Read the ban case with `sudo cscli alerts inspect $NUMBER`
+- Add regex on whitelist
+  - evt.Meta.target_fqdn == '{{ services['actualbudget']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/data/migrations/'
+- Delete false positive decision
+  - Check false positive decision with `sudo cscli decision list`
+  - Delete false positive decision with `sudo cscli decision list --id $ID`

docs/issues/crowdsec/260321_immich.md

@@ -0,0 +1,32 @@
+# Immich crowdsec false positive issue
+
+## Status
+- Finished
+
+## Date
+- 2026-03-21
+
+## Version
+- Immich: 2.6.1
+
+## Problem
+- When users access and log in Immich while Immich is generating thumbnail, all connections to homelab services are refused.
+  - fw ban users' IP address.
+
+## Reason
+- Immich sends 404 error to clients when the client request thumbnail while it is generating them.
+- LAPI decides a ban when a lot of 404 errors occur in short time
+
+## Timeline
+- 2026-03-21: Release Immich
+- 2026-03-21: Find the false positive case, and add whitelist
+
+## Solution
+- Access to fw
+  - Check the ban list with `sudo cscli alerts list`
+  - Read the ban case with `sudo cscli alerts inspect $NUMBER`
+- Add regex on whitelist
+  - evt.Meta.target_fqdn == 'Immich.ilnmors.com' && evt.Meta.http_path contains '/api/assets/' && evt.Meta.http_path contains '/thumbnail'
+- Delete false positive decision
+  - Check false positive decision with `sudo cscli decision list`
+  - Delete false positive decision with `sudo cscli decision list --id $ID`

docs/issues/crowdsec/260404_opencloud.md

@@ -0,0 +1,32 @@
+# OpenCloud crowdsec false positive issue
+
+## Status
+- Finished
+
+## Date
+- 2026-04-04
+
+## Version
+- OpenCloud: 4.0.4
+
+## Problem
+- When users download some files, all connections to homelab services are refused.
+  - fw ban users' IP address.
+
+## Reason
+- OpenCloud uses chunks when clients uploads or download files to it.
+- LAPI decides a ban when a lot of chunks file is uploaded or downloaded from external devices 
+
+## Timeline
+- 2026-04-04: Release OpenCloud
+- 2026-04-04: Find the false positive case, and add whitelist
+
+## Solution
+- Access to fw
+  - Check the ban list with `sudo cscli alerts list`
+  - Read the ban case with `sudo cscli alerts inspect $NUMBER`
+- Add regex on whitelist
+  - evt.Meta.target_fqdn == '{{ services['opencloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/js/chunks/'
+- Delete false positive decision
+  - Check false positive decision with `sudo cscli decision list`
+  - Delete false positive decision with `sudo cscli decision list --id $ID`

docs/services/app/affine.md

@@ -117,6 +117,5 @@ Environment="AFFINE_SERVER_HTTPS=true"
 
 #### Flags
 
-- [ ] Whether allow guest users to create demo workspaces
+- [x] Whether allow guest users to create demo workspaces
 - save
-

docs/services/app/nextcloud.md

@@ -0,0 +1,99 @@
+# Nextcloud
+
+## Prerequisite
+
+### Create database
+
+- Create the password with `openssl rand -base64 32`
+  - Save this value in secrets.yaml in `postgresql.password.nextcloud`
+  - Access infra server to create nextcloud_db with `podman exec -it postgresql psql -U postgres`
+
+```SQL
+CREATE USER nextcloud WITH PASSWORD 'postgresql.password.nextcloud';
+CREATE DATABASE nextcloud_db;
+ALTER DATABASE nextcloud_db OWNER TO nextcloud;
+```
+
+### Create oidc secret and hash
+
+- Create the secret with `openssl rand -base64 32`
+- access to auth vm
+  - `podman exec -it authelia sh`
+  - `authelia crypto hash generate pbkdf2 --password 'nextcloud.oidc.secret'`
+- Save this value in secrets.yaml in `nextcloud.oidc.secret` and `nextcloud.oidc.hash`
+
+### Create admin password
+
+- Create the secret with `openssl rand -base64 32`
+- Save this value in secrets.yaml in `nextcloud.admin-local.password`
+
+### Add postgresql dump backup list
+
+- [set_postgresql.yaml](../../../ansible/roles/infra/tasks/services/set_postgresql.yaml)
+
+```yaml
+- name: Set connected services list
+  ansible.builtin.set_fact:
+    connected_services:
+      - ...
+      - "nextcloud"
+```
+
+## Configuration
+
+### Access
+
+- https://nextcloud.ilnmors.com
+  - login with admin-local
+
+### Disable and enable apps
+
+- Profile: Apps: Your apps: Disable
+  - Photo
+  - dashboard
+
+- Profile: Apps: Search
+  - OpenID Connect user backend
+  - Calendar
+  - Contacts
+  - Deck
+  - Tasks
+  - Mail
+  - Nextcloud Office
+
+### OIDC configuration
+
+```bash
+podman exec -u www-data nextcloud php occ user_oidc:provider Authelia --clientid="nextcloud" --clientsecret="nextcloud.oidc.secret" --discoveryuri="https://authelia.ilnmors.com/.well-known/openid-configuration"
+
+podman exec -u www-data nextcloud sh -c "cat > /var/www/html/config/user_oidc.config.php << 'EOF'
+<?php
+\$CONFIG = [
+  'user_oidc' => [
+    'default_token_endpoint_auth_method' => 'client_secret_post',
+    'auto_provision' => true,
+    'soft_auto_provision' => true,
+    'disable_account_creation' => false,
+  ],
+];
+EOF"
+
+podman exec -u www-data nextcloud php occ config:system:get user_oidc
+
+podman exec -u www-data nextcloud sh -c "cat > /var/www/html/config/local_remote.config.php <<'EOF'
+<?php
+\$CONFIG = [
+  'allow_local_remote_servers' => true,
+];
+EOF"
+podman exec -u www-data nextcloud php occ config:system:get allow_local_remote_servers
+```
+
+### Account configuration
+
+- Profile: Accounts:
+  - allocate admin group for admin users
+  - manage groups and quota in Nextcloud UI
+  - OIDC users may have UUID-like account names
+  - use Display name for human-readable user management
+  - keep `admin-local` as a break-glass local administrator account

docs/specifications/environments.md

@@ -11,8 +11,8 @@
     - [x] Terminal
     - [x] Step-CLI
     - [x] Ansible
-    - Git
-    - Kopia
+    - [x] Git
+    - [x] Kopia
     - [x] cloud-image-utils
 
 ## vmm \(Hypervisor\)
@@ -119,10 +119,10 @@
         - [x] Immich
         - [x] Actual budget
         - [x] Paperless-ngx
-        - [x] vikunja - When affine is verified to substitute kanban board and etc, then disable this service.
+        - [x] vikunja
         - [x] OpenCloud
         - [x] affine \(Notion substitution\)
-        - [ ] Radicale
+        - [x] Nextcloud \(Use nextcloud as CalDAV and CardDav, kanban and todo\)
         - [ ] Collabora office
         - WriteFreely
         - MediaCMS