diff --git a/docker/netbird/docker-compose.yml b/docker/netbird/docker-compose.yml
new file mode 100644
index 0000000..76dc7af
--- /dev/null
+++ b/docker/netbird/docker-compose.yml
@@ -0,0 +1,112 @@
+---
+services:
+ dashboard:
+ image: netbirdio/dashboard:v2.20.2
+ restart: unless-stopped
+ ports:
+ - 8005:80
+ environment:
+ NETBIRD_MGMT_API_ENDPOINT: ${NETBIRD_MGMT_API_ENDPOINT:-https://vpn.fukurokuju.dev}
+ NETBIRD_MGMT_GRPC_API_ENDPOINT: ${NETBIRD_MGMT_GRPC_API_ENDPOINT:-https://vpn.fukurokuju.dev}
+ AUTH_AUDIENCE: ${NETBIRD_AUTH_AUDIENCE:-64e44b85ebdec2a3cf87c0c9916e2dbb0570f6d87b03ca8d149c3551565c3057ce1e559d16b5399cb7df60646e4e2bc6515842a198efb09d1620ea9ac1d8ace2} # yamllint disable rule:line-length
+ AUTH_CLIENT_ID: ${NETBIRD_AUTH_CLIENT_ID:-64e44b85ebdec2a3cf87c0c9916e2dbb0570f6d87b03ca8d149c3551565c3057ce1e559d16b5399cb7df60646e4e2bc6515842a198efb09d1620ea9ac1d8ace2} # yamllint disable rule:line-length
+ AUTH_AUTHORITY: ${NETBIRD_AUTH_AUTHORITY:-https://auth.fukurokuju.dev/application/o/netbird/}
+ USE_AUTH0: false
+ AUTH_SUPPORTED_SCOPES: ${NETBIRD_AUTH_SUPPORTED_SCOPES:-api offline_access openid email profile}
+ AUTH_REDIRECT_URI:
+ AUTH_SILENT_REDIRECT_URI:
+ NETBIRD_TOKEN_SOURCE: accessToken
+ NGINX_SSL_PORT: 443
+ logging:
+ driver: "json-file"
+ options:
+ max-size: "500m"
+ max-file: "2"
+ signal:
+ image: netbirdio/signal:0.59.11
+ restart: unless-stopped
+ volumes:
+ - netbird-signal:/var/lib/netbird
+ ports:
+ - "10000:80"
+ logging:
+ driver: "json-file"
+ options:
+ max-size: "500m"
+ max-file: "2"
+ relay:
+ image: netbirdio/relay:0.59.11
+ restart: unless-stopped
+ environment:
+ NB_LOG_LEVEL: ${NB_LOG_LEVEL:-info}
+ NB_LISTEN_ADDRESS: ${NB_LISTEN_ADDRESS:-:33080}
+ NB_EXPOSED_ADDRESS: ${NB_EXPOSED_ADDRESS:-vpn.fukurokuju.dev:33080}
+ NB_AUTH_SECRET: ${NB_AUTH_SECRET}
+ ports:
+ - "33080:33080"
+ logging:
+ driver: "json-file"
+ options:
+ max-size: "500m"
+ max-file: "2"
+ management:
+ image: netbirdio/management:0.59.10
+ restart: unless-stopped
+ depends_on:
+ - dashboard
+ volumes:
+ - ${NETBIRD_MANAGEMENT_VOLUME:-/mnt/nas1/shared/netbird/management}/data:/var/lib/netbird
+ - ${NETBIRD_MANAGEMENT_VOLUME:-/mnt/nas1/shared/netbird/management}/management.json:/etc/netbird/management.json:z
+ ports:
+ - "33073:443"
+ command: [
+ "--port", "443",
+ "--log-file", "console",
+ "--log-level", "info",
+ "--disable-anonymous-metrics=false",
+ "--single-account-mode-domain=vpn.fukurokuju.dev",
+ "--dns-domain=netbird.fuku",
+ ]
+ logging:
+ driver: "json-file"
+ options:
+ max-size: "500m"
+ max-file: "2"
+ environment:
+ - NETBIRD_STORE_ENGINE_POSTGRES_DSN=
+
+ coturn:
+ image: coturn/coturn:4.7
+ restart: unless-stopped
+ domainname: vpn.fukurokuju.dev
+ volumes:
+ - ${NETBIRD_COTURN_VOLUME:-/mnt/nas1/shared/netbird/coturn}/turnserver.conf:/etc/turnserver.conf:ro
+ network_mode: host
+ command:
+ - -c /etc/turnserver.conf
+ logging:
+ driver: "json-file"
+ options:
+ max-size: "500m"
+ max-file: "2"
+
+ peer-1:
+ image: netbirdio/netbird:0.59.11
+ restart: unless-stopped
+ volumes:
+ - ${NETBIRD_PEER_VOLUME:-/mnt/nas1/shared/netbird/peer-1}/data:/etc/netbird
+ environment:
+ NB_MANAGEMENT_URL: https://vpn.fukurokuju.dev:443
+ NB_SETUP_KEY: ${NB_SETUP_KEY}
+ cap_add:
+ - NET_ADMIN
+ depends_on:
+ - management
+ - dashboard
+ - relay
+ - signal
+ - coturn
+
+volumes:
+ netbird-mgmt:
+ netbird-signal:
diff --git a/docker/netbird/sample.env b/docker/netbird/sample.env
new file mode 100644
index 0000000..6a76871
--- /dev/null
+++ b/docker/netbird/sample.env
@@ -0,0 +1,2 @@
+NB_AUTH_SECRET=
+NB_SETUP_KEY=
diff --git a/docker/tandoor/docker-compose.yml b/docker/tandoor/docker-compose.yml
deleted file mode 100644
index 8133b76..0000000
--- a/docker/tandoor/docker-compose.yml
+++ /dev/null
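Review bot: `NB_AUTH_SECRET: ${NB_AUTH_SECRET}` in the relay service and `NB_SETUP_KEY: ${NB_SETUP_KEY}` in peer-1 carry no default and no required marker, so when the variable is missing from the env file compose substitutes an empty string with only a warning and the relay starts with an empty auth secret; use the fail-fast form `NB_AUTH_SECRET: ${NB_AUTH_SECRET:?NB_AUTH_SECRET is not set}` (and the same for NB_SETUP_KEY). `USE_AUTH0: false` is a YAML boolean, which recent compose versions are likely to reject as an environment value (string, number or null expected), so write `USE_AUTH0: "false"`; likewise `8005:80` on the dashboard is the only unquoted port mapping in the file. `AUTH_REDIRECT_URI:` and `AUTH_SILENT_REDIRECT_URI:` are bare nulls, which compose treats as "resolve from the host environment" rather than as empty, so write `""` if empty is what is intended. The `netbird-mgmt` named volume declared at the bottom is not mounted by any service (management uses the `${NETBIRD_MANAGEMENT_VOLUME}` bind mounts) and looks like a leftover. Management is pinned to 0.59.10 while signal, relay and peer-1 are at 0.59.11; confirm the skew is intended.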
@@ -1,21 +0,0 @@
----
-services:
- web_recipes:
- restart: always
- image: vabene1111/recipes:2.3.6
- volumes:
- - ${TANDOOR_STATICFILES:-/mnt/nas1/shared/tandoor/staticfiles}:/opt/recipes/staticfiles
- - ${TANDOOR_MEDIAFILES:-/mnt/nas1/shared/tandoor/mediafiles}:/opt/recipes/mediafiles
- environment:
- SECRET_KEY: ${TANDOOR_SECRET_KEY}
- TZ: ${TANDOOR_TZ:-Europe/Madrid}
- ALLOWED_HOSTS: ${TANDOOR_ALLOWED_HOSTS:-recipes.roboces.dev}
- SOCIAL_PROVIDERS: ${TANDOOR_SOCIAL_PROVIDERS:-allauth.socialaccount.providers.openid_connect}
- SOCIALACCOUNT_PROVIDERS: ${TANDOOR_SOCIALACCOUNT_PROVIDERS}
- POSTGRES_HOST: ${TANDOOR_POSTGRES_HOST:-192.168.1.3}
- POSTGRES_DB: ${TANDOOR_POSTGRES_DB:-tandoor}
- POSTGRES_PORT: ${TANDOOR_POSTGRES_PORT:-5432}
- POSTGRES_USER: ${TANDOOR_POSTGRES_USER}
- POSTGRES_PASSWORD: ${TANDOOR_POSTGRES_PASSWORD}
- ports:
- - "8081:80"
diff --git a/docker/tandoor/sample.env b/docker/tandoor/sample.env
deleted file mode 100644
index e5029ad..0000000
--- a/docker/tandoor/sample.env
+++ /dev/null
@@ -1,11 +0,0 @@
-TANDOOR_STATICFILES=
-TANDOOR_MEDIAFILES=
-TANDOOR_SECRET_KEY=
-TANDOOR_TZ=Europe/Madrid
-TANDOOR_ALLOWED_HOSTS=
-TANDOOR_SOCIALACCOUNT_PROVIDERS=
-TANDOOR_POSTGRES_HOST=
-TANDOOR_POSTGRES_DB=
-TANDOOR_POSTGRES_PORT=
-TANDOOR_POSTGRES_USER=
-TANDOOR_POSTGRES_PASSWORD=
diff --git a/k8s/argo-apps/authentik.yaml b/k8s/argo-apps/authentik.yaml
index b046a8b..045afd6 100644
--- a/k8s/argo-apps/authentik.yaml
+++ b/k8s/argo-apps/authentik.yaml
@@ -12,7 +12,7 @@ spec:
 sources:
 - chart: authentik
 repoURL: https://charts.goauthentik.io/
- targetRevision: 2025.12.*
+ targetRevision: 2025.10.*
 helm:
 valuesObject:
 authentik:
diff --git a/k8s/argo-apps/renovate.yaml b/k8s/argo-apps/renovate.yaml
index 9616b6d..4e0a358 100644
--- a/k8s/argo-apps/renovate.yaml
+++ b/k8s/argo-apps/renovate.yaml
@@ -13,7 +13,7 @@ spec:
 sources:
 - chart: renovate
 repoURL: https://docs.renovatebot.com/helm-charts
- targetRevision: 45.86.*
+ targetRevision: 45.85.*
 helm:
 valuesObject:
 renovate:
diff --git a/k8s/services/argo/project-fuku.yaml b/k8s/services/argo/project-fuku.yaml
index 43e602a..c4ab6ee 100644
--- a/k8s/services/argo/project-fuku.yaml
+++ b/k8s/services/argo/project-fuku.yaml
@@ -31,4 +31,3 @@ spec:
 - https://groundhog2k.github.io/helm-charts/
 - registry-1.docker.io/cloudpirates
 - https://vmware-tanzu.github.io/helm-charts/
- - https://helm.runix.net
diff --git a/tofu/authentik/main.tf b/tofu/authentik/main.tf
index 87ebc58..7b27b0c 100644
--- a/tofu/authentik/main.tf
+++ b/tofu/authentik/main.tf
@@ -199,6 +199,36 @@ module "sftpgo" {
 sub_mode = "user_username"
 }
+module "netbird" {
+ source = "../modules/authentik-oidc"
+ app_name = "netbird"
+ app_slug = "netbird"
+ client_id = var.netbird_client_id
+ client_type = "public"
+ app_access_group_id = authentik_group.vpn.id
+ redirect_uris = [
+ {
+ matching_mode = "strict",
+ url = "https://vpn.fukurokuju.dev",
+ },
+ {
+ matching_mode = "regex",
+ url = "https://vpn.fukurokuju.dev.*",
+ },
+ {
+ matching_mode = "strict",
+ url = "http://localhost:53000"
+ },
+
+ ]
+ sub_mode = "user_id"
+ extra_property_mappings = [
+ "goauthentik.io/providers/oauth2/scope-authentik_api"
+ ]
+ app_icon = "https://vpn.fukurokuju.dev/apple-icon.png"
+ access_token_validity = "days=10"
+ client_secret = ""
+}
 module "rustical" {
+ source = "../modules/authentik-oidc"
@@ -218,13 +248,3 @@ module "jellyfin" {
 name = "jellyfin"
 app_access_group_id = authentik_group.arrs.id
 }
-
-module "tandoor" {
- source = "../modules/authentik-oidc"
- app_name = "Tandoor"
- app_slug = "tandoor"
- app_access_group_id = ""
- redirect_uris = [{ matching_mode = "strict", url = "https://recipes.roboces.dev/accounts/oidc/authentik/login/callback/" }]
- client_id = var.tandoor_client_id
- client_secret = var.tandoor_client_secret
-}
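Review bot: The regex redirect URI `url = "https://vpn.fukurokuju.dev.*"` in the new netbird module is unanchored and its dots are unescaped, so the OIDC callback (authorization code for a public client, so no secret protects it) is accepted for any origin whose name merely starts with that prefix, not only the intended host and its paths. Anchor and escape it, e.g. `url = "^https://vpn\\.fukurokuju\\.dev(/.*)?$"`, after which the separate strict `https://vpn.fukurokuju.dev` entry is redundant. `access_token_validity = "days=10"` is long for a public client whose dashboard already requests `offline_access`; confirm that a ten-day access token is actually required rather than relying on refresh. Two style nits in the same list: `url = "http://localhost:53000"` lacks the trailing comma the other entries have, and there is a stray blank line before the closing `]`. The `+ source = "../modules/authentik-oidc"` line after `module "rustical" {` reads as an addition to the rustical module, which the hunk counts do not support — verify that the patch was not mangled there.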
diff --git a/tofu/authentik/sample.env b/tofu/authentik/sample.env
index 3887146..a784c41 100644
--- a/tofu/authentik/sample.env
+++ b/tofu/authentik/sample.env
@@ -10,7 +10,6 @@ TF_VAR_paperless_client_id=
 TF_VAR_paperless_client_secret=
 TF_VAR_sftpgo_client_id=
 TF_VAR_sftpgo_client_secret=
+TF_VAR_netbird_client_id=
 TF_VAR_rustical_client_id=
 TF_VAR_rustical_client_secret=
-TF_VAR_tandoor_client_id=
-TF_VAR_tandoor_client_secret=
diff --git a/tofu/authentik/vars.tf b/tofu/authentik/vars.tf
index 30ec835..4a1c5dd 100644
--- a/tofu/authentik/vars.tf
+++ b/tofu/authentik/vars.tf
@@ -39,6 +39,12 @@ variable "paperless_client_secret" {
 type = string
 }
+variable "netbird_client_id" {
+ description = "Netbird client ID"
+ type = string
+}
+
+
 variable "sftpgo_client_id" {
+ description = "SFTPGo client ID"
+ type = string
@@ -55,16 +61,16 @@ variable "rustical_client_id" {
 }
 variable "rustical_client_secret" {
- description = "Tandoor client secret"
+ description = "Rustical client secret"
 type = string
 }
-variable "tandoor_client_id" {
- description = "Tandoor client ID"
+variable "mediamanager_client_id" {
+ description = "MediaManager client ID"
 type = string
 }
-variable "tandoor_client_secret" {
- description = "Tandoor client secret"
+variable "mediamanager_client_secret" {
+ description = "MediaManager client secret"
 type = string
 }
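Review bot: `mediamanager_client_id` and `mediamanager_client_secret` are declared without a `default` but nothing in this commit consumes them — main.tf removes the tandoor module without adding a mediamanager one, and sample.env gains only `TF_VAR_netbird_client_id=` — so unless a module and the matching `TF_VAR_mediamanager_*` entries exist outside this diff, every plan/apply will prompt for two unused values. Either add the consumer plus the two sample.env lines, or hold the two variables back until the module lands. The first vars.tf hunk also leaves two consecutive blank lines after the new `netbird_client_id` block where the file otherwise uses one.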