chore(deps): update helm release renovate to 39.10.*

.forgejo/workflows/deploy-kaniko.yaml

@@ -20,5 +20,5 @@ jobs:
           password: ${{ secrets.REGISTRY_PASSWORD }}
           cache: true
           registry: git.roboces.dev
-          tag: nextcloud-30.0.1
+          tag: nextcloud-30.0.2
           path: docker/nextcloud

docker/netbird/docker-compose.yml

@@ -23,7 +23,7 @@ services:
         max-size: "500m"
         max-file: "2"
   signal:
-    image: netbirdio/signal:0.31.0
+    image: netbirdio/signal:0.31.1
     restart: unless-stopped
     volumes:
       - netbird-signal:/var/lib/netbird
@@ -35,7 +35,7 @@ services:
         max-size: "500m"
         max-file: "2"
   relay:
-    image: netbirdio/relay:0.31.0
+    image: netbirdio/relay:0.31.1
     restart: unless-stopped
     environment:
       NB_LOG_LEVEL: ${NB_LOG_LEVEL:-info}
@@ -50,7 +50,7 @@ services:
         max-size: "500m"
         max-file: "2"
   management:
-    image: netbirdio/management:0.31.0
+    image: netbirdio/management:0.31.1
     restart: unless-stopped
     depends_on:
       - dashboard
@@ -91,7 +91,7 @@ services:
         max-file: "2"
 
   peer-1:
-    image: netbirdio/netbird:0.30.3
+    image: netbirdio/netbird:0.31.1
     restart: unless-stopped
     volumes:
       - ${NETBIRD_PEER_VOLUME:-/mnt/nas1/shared/netbird/peer-1}/data:/etc/netbird

docker/nextcloud/docker-compose.yml

@@ -14,7 +14,7 @@ services:
       - nextcloud
 
   nextcloud:
-    image: git.roboces.dev/catalin/fukuops:nextcloud-30.0.1
+    image: git.roboces.dev/catalin/fukuops:nextcloud-30.0.2
     volumes:
       - /mnt/nas1/legacy-storage/cloud/cloud/data:/var/www/html/data
       - /mnt/nas1/legacy-storage/cloud/cloud/config:/var/www/html/config
@@ -22,6 +22,8 @@ services:
       - /mnt/nas1/legacy-storage/cloud/cloud/apps:/var/www/html/apps
       - type: tmpfs
         target: /tmp:exec
+      - supervisorlog:/var/log/supervisor:z
+      - supervisorpid:/var/run/supervisord/:z
     environment:
       PHP_MEMORY_LIMIT: ${PHP_MEMORY_LIMIT:-2048M}
       NEXTCLOUD_INIT_HTACCESS: ${NEXTCLOUD_INIT_HTACCESS:-1}
@@ -33,3 +35,6 @@ services:
 
 networks:
   nextcloud: {}
+volumes:
+  supervisorlog: {}
+  supervisorpid: {}

docker/paperless/docker-compose.yml

@@ -14,7 +14,7 @@ services:
 
   webserver:
 
-    image: ghcr.io/paperless-ngx/paperless-ngx:2.13.4
+    image: ghcr.io/paperless-ngx/paperless-ngx:2.13.5
     restart: unless-stopped
     ports:
       - 8002:8000

k8s/argo-apps/forgejo.yaml

@@ -12,7 +12,7 @@ spec:
   sources:
     - chart: forgejo
       repoURL: code.forgejo.org/forgejo-helm
-      targetRevision: 10.0.2
+      targetRevision: 10.1.0
       helm:
         valuesObject:
           replicaCount: 2

k8s/argo-apps/renovate.yaml

@@ -13,7 +13,7 @@ spec:
   sources:
     - chart: renovate
       repoURL: https://docs.renovatebot.com/helm-charts
-      targetRevision: 39.8.*
+      targetRevision: 39.10.*
       helm:
         valuesObject:
           renovate:

k8s/services/miniflux/deployment.yaml

@@ -28,7 +28,7 @@ spec:
     spec:
       containers:
         - name: miniflux
-          image: miniflux/miniflux:2.2.2
+          image: miniflux/miniflux:2.2.3
           imagePullPolicy: Always
           securityContext:
             allowPrivilegeEscalation: false

tofu/authentik/main.tf

@@ -33,21 +33,6 @@ resource "authentik_group" "vpn" {
 }
 
 
-module "firezone" {
-  source              = "../modules/authentik-oidc"
-  app_name            = "Firezone"
-  app_slug            = "firezone"
-  client_id           = var.firezone_client_id
-  client_secret       = var.firezone_client_secret
-  app_access_group_id = authentik_group.admins.id
-  redirect_uris       = ["https://fz.fukurokuju.dev/auth/oidc/authentik/callback/"]
-  app_icon            = "https://www.firezone.dev/icon.svg"
-  app_description     = "VPN"
-  app_publisher       = "Firezone"
-  app_url             = "https://fz.fukurokuju.dev"
-  sub_mode            = "hashed_user_id"
-}
-
 module "gitea" {
   source              = "../modules/authentik-oidc"
   app_name            = "Gitea"
@@ -160,4 +145,5 @@ module "netbird" {
     "goauthentik.io/providers/oauth2/scope-authentik_api"
   ]
   app_icon              = "https://vpn.fukurokuju.dev/apple-icon.png"
+  access_token_validity = "days=10"
 }

tofu/modules/authentik-oidc/main.tf

@@ -26,6 +26,9 @@ data "authentik_property_mapping_provider_scope" "default-scopes" {
   ], var.extra_property_mappings)
 }
 
+data "authentik_flow" "default-provider-invalidation-flow" {
+  slug = "default-provider-invalidation-flow "
+}
 
 resource "authentik_provider_oauth2" "provider_oidc" {
   name                   = var.app_name
@@ -40,6 +43,8 @@ resource "authentik_provider_oauth2" "provider_oidc" {
   signing_key            = var.oidc_signing_key
   access_code_validity   = var.access_code_validity
   access_token_validity  = var.access_token_validity
+  refresh_token_validity = var.refresh_token_validity
+  invalidation_flow      = data.authentik_flow.default-provider-invalidation-flow.id
 }
 
 

tofu/modules/authentik-oidc/vars.tf

@@ -90,6 +90,11 @@ variable "access_token_validity" {
   default = "minutes=10"
 }
 
+variable "refresh_token_validity" {
+  type    = string
+  default = "days=30"
+}
+
 variable "extra_property_mappings" {
   type    = list(string)
   default = []

tofu/modules/authentik-proxy/main.tf

@@ -16,6 +16,9 @@ data "authentik_flow" "default-authentication-flow" {
   slug = "default-authentication-flow"
 }
 
+data "authentik_flow" "default-provider-invalidation-flow" {
+  slug = "default-provider-invalidation-flow "
+}
 
 resource "authentik_provider_proxy" "provider_proxy" {
   authorization_flow           = data.authentik_flow.default-authorization-flow.id
@@ -24,6 +27,7 @@ resource "authentik_provider_proxy" "provider_proxy" {
   internal_host                = var.internal_host
   name                         = var.app_name
   internal_host_ssl_validation = var.internal_host_ssl_validation
+  invalidation_flow            = data.authentik_flow.default-provider-invalidation-flow.id
 }