feat(x509-exporter): update x509-exporter version from 3.19.1 to 3.21.0

refactor(x509-exporter): change handler from enable to restart
feat(caddy): update caddy version from 2.10.2 to 2.11.2
2026-04-30 09:19:42 +09:00 · 2026-04-30 09:18:44 +09:00 · 2026-04-30 09:09:40 +09:00 · 2026-04-30 09:07:16 +09:00 · 2026-04-30 08:28:51 +09:00 · 2026-04-30 08:10:50 +09:00
9 changed files with 156 additions and 22 deletions
@@ -158,11 +158,11 @@ version:
    alloy: "1.13.0"
  containers:
    # common
-    caddy: "2.10.2"
+    caddy: "2.11.2"
    # infra
    step: "0.29.0"
    ldap: "v0.6.2"
-    x509-exporter: "3.19.1"
+    x509-exporter: "3.21.0"
    prometheus: "v3.9.1"
    loki: "3.6.5"
    grafana: "12.3.3"
@@ -172,15 +172,15 @@ version:
 #    pgvector: "v0.8.1"
    vectorchord: "0.5.3"
    # Auth
-    authelia: "4.39.15"
+    authelia: "4.39.19"
    # App
    vaultwarden: "1.35.4"
-    gitea: "1.25.5"
+    gitea: "1.26.1"
    redis: "8.6.1"
-    immich: "v2.7.4"
+    immich: "v2.7.5"
    actualbudget: "26.3.0"
-    paperless: "2.20.13"
+    paperless: "2.20.15"
    vikunja: "2.2.2"
-    opencloud: "4.0.4"
+    opencloud: "4.0.6"
    manticore: "25.0.0"
    affine: "0.26.3"
@@ -12,7 +12,7 @@
 - name: Reload postgresql
  ansible.builtin.command:
    /usr/bin/podman exec -u postgres postgresql sh -c "pg_ctl reload"
-  when: not (is_postgresql_init_run | default(false))
+  when: is_postgresql_init.stat.exists
  changed_when: false
  listen: "notification_reload_postgresql"
  ignore_errors: true # noqa: ignore-errors
@@ -24,7 +24,7 @@
    enabled: true
    daemon_reload: true
    scope: "user"
-  when: not (is_postgresql_init_run | default(false))
+  when: is_postgresql_init.stat.exists
  changed_when: false
  listen: "notification_restart_postgresql"
  ignore_errors: true # noqa: ignore-errors
@@ -73,10 +73,10 @@
  listen: "notification_restart_grafana"
  ignore_errors: true # noqa: ignore-errors
- name: Enable x509-exporter.service
+- name: Restart x509-exporter.service
  ansible.builtin.systemd:
    name: "x509-exporter.service"
-    state: "started"
+    state: "restarted"
    enabled: true
    daemon_reload: true
    scope: "user"
@@ -55,6 +55,8 @@
  no_log: true
 - name: Initiate ldap (When = false, If DB data does not exist in postgresql, activate this block)
 # The reason why this task doesn't use the way to check ".init" file is this tasks can override original database.
 # Absent of ".init" file cannot guarantee DB is empty.
  when: false
  become: true
  block:
@@ -88,15 +88,13 @@
  no_log: true
 - name: Check data directory empty
-  ansible.builtin.find:
+  ansible.builtin.stat:
-    paths: "{{ node['home_path'] }}/containers/postgresql/data/"
+    path: "{{ node['home_path'] }}/containers/postgresql/data/.init"
    hidden: true
    file_type: "any"
  become: true
-  register: "is_data_dir_empty"
+  register: "is_postgresql_init"
 - name: Prepare initiating DB
-  when: is_data_dir_empty.matched == 0
+  when: not is_postgresql_init.stat.exists
  become: true
  block:
    # `init/pg_cluster.sql` should be fetched from postgresql's backup directory before running initiating
@@ -118,9 +116,14 @@
      loop: "{{ connected_services }}"
      loop_control:
        index_var: index_num
-    - name: Set is_postgresql_init_run
+
-      ansible.builtin.set_fact:
+    - name: Create .init file
-        is_postgresql_init_run: true
+      ansible.builtin.file:
        path: "{{ node['home_path'] }}/containers/postgresql/data/.init"
        state: "touch"
        mode: "0644"
        owner: "{{ ansible_user }}"
        group: "svadmins"
 - name: Deploy container file
  ansible.builtin.template:
@@ -0,0 +1,33 @@
 # Android application OIDC issue
 ## Status
 - Processing
 ## Date
 - 2026-04-20
 ## Version
 - affine server: 0.26.3 (self-hosted)
 - affine application: 0.26.3 (Android)
 - IdP: Authelia:4.39.15
 ## Problem
 - Affine android app cannot authenticate via OIDC
  - IdP authentication succeeds, but the app does not establish a session
  - The app remains on the "Sign In" screen
 ## Reason
 - Affine uses callback deep link `affine://authentication`
 - For self-hosted instances the deep link carries a 'server' parameter pointing to the correct origin, but android never read it.
 - [Issue #12819: No SSO on Android](https://github.com/toeverything/AFFiNE/issues/12819)
 - [PR #14809](https://github.com/toeverything/AFFiNE/pull/14809)
 ## Timeline
 - 2025-06-14: Issue #12819
 - 2026-04-08: PR #14809
 - 2026-04-09: Canary branch merge
 - 2026-04-15: Fork, cherry-pick
 ## Solution
 - Wait for stable release which contains the merge above
 - When the stable version releases, then verify after update
@@ -0,0 +1,33 @@
 # Actual Budget crowdsec false positive issue
 ## Status
 - Finished
 ## Date
 - 2026-03-21
 ## Version
 - Actual Budget: 26.3.0
 ## Problem
 - When users access and log in actual budget, all connections to homelab services are refused.
  - fw ban users' IP address.
 ## Reason
 - Actual budget has local first policy.
 - When the user log in actual budget, the client downloads all sql files from the server.
 - LAPI decides that as an attack which sensitive file(sql) is downloaded concurrently.
 ## Timeline
 - 2026-03-21: Release actual budget
 - 2026-03-21: Find the false positive case, and add whitelist
 ## Solution
 - Access to fw
  - Check the ban list with `sudo cscli alerts list`
  - Read the ban case with `sudo cscli alerts inspect $NUMBER`
 - Add regex on whitelist
  - evt.Meta.target_fqdn == '{{ services['actualbudget']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/data/migrations/'
 - Delete false positive decision
  - Check false positive decision with `sudo cscli decision list`
  - Delete false positive decision with `sudo cscli decision list --id $ID`
@@ -0,0 +1,32 @@
 # Immich crowdsec false positive issue
 ## Status
 - Finished
 ## Date
 - 2026-03-21
 ## Version
 - Immich: 2.6.1
 ## Problem
 - When users access and log in Immich while Immich is generating thumbnail, all connections to homelab services are refused.
  - fw ban users' IP address.
 ## Reason
 - Immich sends 404 error to clients when the client request thumbnail while it is generating them.
 - LAPI decides a ban when a lot of 404 errors occur in short time
 ## Timeline
 - 2026-03-21: Release Immich
 - 2026-03-21: Find the false positive case, and add whitelist
 ## Solution
 - Access to fw
  - Check the ban list with `sudo cscli alerts list`
  - Read the ban case with `sudo cscli alerts inspect $NUMBER`
 - Add regex on whitelist
  - evt.Meta.target_fqdn == 'Immich.ilnmors.com' && evt.Meta.http_path contains '/api/assets/' && evt.Meta.http_path contains '/thumbnail'
 - Delete false positive decision
  - Check false positive decision with `sudo cscli decision list`
  - Delete false positive decision with `sudo cscli decision list --id $ID`
@@ -0,0 +1,32 @@
 # OpenCloud crowdsec false positive issue
 ## Status
 - Finished
 ## Date
 - 2026-04-04
 ## Version
 - OpenCloud: 4.0.4
 ## Problem
 - When users download some files, all connections to homelab services are refused.
  - fw ban users' IP address.
 ## Reason
 - OpenCloud uses chunks when clients uploads or download files to it.
 - LAPI decides a ban when a lot of chunks file is uploaded or downloaded from external devices 
 ## Timeline
 - 2026-04-04: Release OpenCloud
 - 2026-04-04: Find the false positive case, and add whitelist
 ## Solution
 - Access to fw
  - Check the ban list with `sudo cscli alerts list`
  - Read the ban case with `sudo cscli alerts inspect $NUMBER`
 - Add regex on whitelist
  - evt.Meta.target_fqdn == '{{ services['opencloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/js/chunks/'
 - Delete false positive decision
  - Check false positive decision with `sudo cscli decision list`
  - Delete false positive decision with `sudo cscli decision list --id $ID`
@@ -117,6 +117,5 @@ Environment="AFFINE_SERVER_HTTPS=true"
 #### Flags
- [ ] Whether allow guest users to create demo workspaces
+- [x] Whether allow guest users to create demo workspaces
 - save
Author	SHA1	Message	Date
il	88e1383202	feat(x509-exporter): update x509-exporter version from 3.19.1 to 3.21.0	2026-04-30 09:19:42 +09:00
il	c9b4707cb2	refactor(x509-exporter): change handler from enable to restart	2026-04-30 09:18:44 +09:00
il	da9c610426	feat(caddy): update caddy version from 2.10.2 to 2.11.2 update note: - https upstream Host rewrite is automated - Caddyfile already defines Host rewrite explicitly	2026-04-30 09:09:40 +09:00
il	c1a6da2aa8	feat(authelia): update authelia version from 4.39.15 to 4.39.19	2026-04-30 09:07:16 +09:00
il	f1cd8c9a60	feat(gitea): update gitea version from 1.25.5 to 1.26.1 deployment note: - stop gitea container - create manual database backup - update gitea	2026-04-30 08:28:51 +09:00
il	6010230a14	feat(paperless): update paperless version from 2.20.13 to 2.20.15	2026-04-30 08:10:50 +09:00
il	c3d8b62504	feat(opencloud): update opencloud version from 4.0.4 to 4.0.6	2026-04-30 08:03:33 +09:00
il	4a409e37e9	docs(issues): fix service name in timeline	2026-04-28 11:19:50 +09:00
il	cb4d17f99e	docs(issues): add the past issues which existed before tracking issues add crowdsec false positive issues fix the file name of affine android oidc issues	2026-04-27 19:50:04 +09:00
il	9569492e42	docs(issues): add affine android OIDC sign-up failure issue start tracking service issues on the docs/issues directory	2026-04-20 17:55:26 +09:00
il	2a7b234f4e	docs(affine): update flags on affine doc to check blocking guest user	2026-04-20 15:53:27 +09:00
il	621d5310a3	feat(immich): update immich version from 2.7.4 to 2.7.5	2026-04-17 14:16:44 +09:00
il	6377a56d95	refactor(ldap): Add annotation in ldap roles file the reason why task doesn't use init logic which uses .init file	2026-04-17 14:10:36 +09:00
il	dbd72f43a4	refactor(postgresql): update postgresql roles and handler to optimize init check logic	2026-04-17 13:58:22 +09:00