diff --git a/.forgejo/workflows/deploy-kaniko.yaml b/.forgejo/workflows/deploy-kaniko.yaml
index 1c7b1e6..55bb901 100644
--- a/.forgejo/workflows/deploy-kaniko.yaml
+++ b/.forgejo/workflows/deploy-kaniko.yaml
@@ -13,12 +13,12 @@ jobs:
 steps: - uses: https://code.forgejo.org/actions/checkout@v4 - name: Kaniko build
- uses: aevea/action-kaniko@v0.13.0
+ uses: aevea/action-kaniko@v0.14.0
 with:
 image: catalin/fukuops
 username: kaniko
 password: ${{ secrets.REGISTRY_PASSWORD }}
 cache: true
 registry: git.roboces.dev
- tag: nextcloud-30.0.1
+ tag: nextcloud-30.0.2
 path: docker/nextcloud
diff --git a/docker/forgejo-runner/docker-compose.yml b/docker/forgejo-runner/docker-compose.yml
index 45761fd..5d61fb4 100644
--- a/docker/forgejo-runner/docker-compose.yml
+++ b/docker/forgejo-runner/docker-compose.yml
@@ -1,6 +1,6 @@
 --- x-runner-common: &runner-common
- image: code.forgejo.org/forgejo/runner:3.5.1
+ image: code.forgejo.org/forgejo/runner:4.0.1
 links: - docker-in-docker
 depends_on:
diff --git a/docker/netbird/docker-compose.yml b/docker/netbird/docker-compose.yml
index 1d42ff2..32b75c6 100644
--- a/docker/netbird/docker-compose.yml
+++ b/docker/netbird/docker-compose.yml
@@ -1,7 +1,7 @@
 --- services: dashboard:
- image: netbirdio/dashboard:v2.6.1
+ image: netbirdio/dashboard:v2.7.0
 restart: unless-stopped
 ports: - 8005:80
@@ -23,7 +23,7 @@ services:
 max-size: "500m"
 max-file: "2"
 signal:
- image: netbirdio/signal:0.30.3
+ image: netbirdio/signal:0.31.1
 restart: unless-stopped
 volumes: - netbird-signal:/var/lib/netbird
@@ -35,7 +35,7 @@ services:
 max-size: "500m"
 max-file: "2"
 relay:
- image: netbirdio/relay:0.30.3
+ image: netbirdio/relay:0.31.1
 restart: unless-stopped
 environment:
 NB_LOG_LEVEL: ${NB_LOG_LEVEL:-info}
@@ -50,7 +50,7 @@ services:
 max-size: "500m"
 max-file: "2"
 management:
- image: netbirdio/management:0.30.3
+ image: netbirdio/management:0.31.1
 restart: unless-stopped
 depends_on: - dashboard
@@ -91,7 +91,7 @@ services:
 max-file: "2"
 peer-1:
- image: netbirdio/netbird:0.30.3
+ image: netbirdio/netbird:0.31.1
 restart: unless-stopped
 volumes: - ${NETBIRD_PEER_VOLUME:-/mnt/nas1/shared/netbird/peer-1}/data:/etc/netbird
diff --git a/docker/nextcloud/Dockerfile b/docker/nextcloud/Dockerfile
index 16edcab..07aac47 100644
--- a/docker/nextcloud/Dockerfile
+++ b/docker/nextcloud/Dockerfile
@@ -1,4 +1,4 @@
-FROM nextcloud:30.0.1-apache
+FROM nextcloud:30.0.2-apache
 RUN set -ex; \ \
diff --git a/docker/nextcloud/docker-compose.yml b/docker/nextcloud/docker-compose.yml
index b85a715..c8cdfc0 100644
--- a/docker/nextcloud/docker-compose.yml
+++ b/docker/nextcloud/docker-compose.yml
@@ -14,7 +14,7 @@ services:
 - nextcloud nextcloud:
- image: git.roboces.dev/catalin/fukuops:nextcloud-30.0.1
+ image: git.roboces.dev/catalin/fukuops:nextcloud-30.0.2
 volumes: - /mnt/nas1/legacy-storage/cloud/cloud/data:/var/www/html/data - /mnt/nas1/legacy-storage/cloud/cloud/config:/var/www/html/config
@@ -22,6 +22,8 @@ services:
 - /mnt/nas1/legacy-storage/cloud/cloud/apps:/var/www/html/apps - type: tmpfs
 target: /tmp:exec
+ - supervisorlog:/var/log/supervisor:z
+ - supervisorpid:/var/run/supervisord/:z
 environment:
 PHP_MEMORY_LIMIT: ${PHP_MEMORY_LIMIT:-2048M}
 NEXTCLOUD_INIT_HTACCESS: ${NEXTCLOUD_INIT_HTACCESS:-1}
@@ -33,3 +35,6 @@ services:
 networks:
 nextcloud: {}
+volumes:
+ supervisorlog: {}
+ supervisorpid: {}
diff --git a/docker/paperless/docker-compose.yml b/docker/paperless/docker-compose.yml
index 180c264..3b08f63 100644
--- a/docker/paperless/docker-compose.yml
+++ b/docker/paperless/docker-compose.yml
@@ -14,7 +14,7 @@ services:
 webserver:
- image: ghcr.io/paperless-ngx/paperless-ngx:2.13.0
+ image: ghcr.io/paperless-ngx/paperless-ngx:2.13.5
 restart: unless-stopped
 ports: - 8002:8000
diff --git a/docker/vaultwarden/docker-compose.yml b/docker/vaultwarden/docker-compose.yml
index 4d5e7e7..562eaa6 100644
--- a/docker/vaultwarden/docker-compose.yml
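Review bot: The two new named-volume mounts use the shared SELinux relabel `:z`, yet `supervisorlog` and `supervisorpid` are declared in this same file and mounted only by the `nextcloud` service, so the private label `:Z` would be the least-privilege choice unless another container is meant to read them. Persisting `/var/run/supervisord/` also means a pidfile from the previous run is present at every restart; whether the supervisord in this image tolerates a stale pidfile should be confirmed. The `volumes:` declarations in the last hunk of this file are the matching half of this change. A one-line comment above the two mounts stating why supervisord's log and pid directories are kept in named volumes, e.g. `# supervisord log/pid dirs kept in named volumes; :z = shared SELinux label`, would record the intent.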
+++ b/docker/vaultwarden/docker-compose.yml
@@ -1,7 +1,7 @@
 --- services: vaultwarden:
- image: vaultwarden/server:1.32.3-alpine
+ image: vaultwarden/server:1.32.5-alpine
 restart: unless-stopped
 environment:
 DATABASE_URL: ${DATABASE_URL}
diff --git a/k8s/argo-apps/authentik.yaml b/k8s/argo-apps/authentik.yaml
index dfa275e..bb7ae86 100644
--- a/k8s/argo-apps/authentik.yaml
+++ b/k8s/argo-apps/authentik.yaml
@@ -12,7 +12,7 @@ spec:
 sources: - chart: authentik
 repoURL: https://charts.goauthentik.io/
- targetRevision: 2024.8.*
+ targetRevision: 2024.10.*
 helm:
 valuesObject:
 authentik:
diff --git a/k8s/argo-apps/elastic.yaml b/k8s/argo-apps/elastic.yaml
index 6eb6dcb..c69baf0 100644
--- a/k8s/argo-apps/elastic.yaml
+++ b/k8s/argo-apps/elastic.yaml
@@ -12,7 +12,7 @@ spec:
 sources: - chart: elasticsearch
 repoURL: registry-1.docker.io/bitnamicharts
- targetRevision: 21.3.22
+ targetRevision: 21.3.24
 helm:
 valuesObject:
 service:
diff --git a/k8s/argo-apps/factorio.yaml b/k8s/argo-apps/factorio.yaml
index 461643c..cd2d97d 100644
--- a/k8s/argo-apps/factorio.yaml
+++ b/k8s/argo-apps/factorio.yaml
@@ -12,7 +12,7 @@ spec:
 sources: - chart: factorio-server-charts
 repoURL: https://sqljames.github.io/factorio-server-charts/
- targetRevision: 2.0.*
+ targetRevision: 2.5.*
 helm:
 valuesObject:
 rcon:
diff --git a/k8s/argo-apps/forgejo.yaml b/k8s/argo-apps/forgejo.yaml
index 5eecd4c..4775e01 100644
--- a/k8s/argo-apps/forgejo.yaml
+++ b/k8s/argo-apps/forgejo.yaml
@@ -12,7 +12,7 @@ spec:
 sources: - chart: forgejo
 repoURL: code.forgejo.org/forgejo-helm
- targetRevision: 10.0.0
+ targetRevision: 10.1.1
 helm:
 valuesObject:
 replicaCount: 2
diff --git a/k8s/argo-apps/renovate.yaml b/k8s/argo-apps/renovate.yaml
index 19d1549..4d07268 100644
--- a/k8s/argo-apps/renovate.yaml
+++ b/k8s/argo-apps/renovate.yaml
@@ -13,7 +13,7 @@ spec:
 sources: - chart: renovate
 repoURL: https://docs.renovatebot.com/helm-charts
- targetRevision: 38.132.*
+ targetRevision: 39.17.*
 helm:
 valuesObject:
 renovate:
diff --git a/k8s/services/miniflux/deployment.yaml b/k8s/services/miniflux/deployment.yaml
index 3ca2690..31752ee 100644
--- a/k8s/services/miniflux/deployment.yaml
+++ b/k8s/services/miniflux/deployment.yaml
@@ -28,7 +28,7 @@ spec:
 spec:
 containers: - name: miniflux
- image: miniflux/miniflux:2.2.1
+ image: miniflux/miniflux:2.2.3
 imagePullPolicy: Always
 securityContext:
 allowPrivilegeEscalation: false
diff --git a/tofu/authentik/.terraform.lock.hcl b/tofu/authentik/.terraform.lock.hcl
index ef51f97..cb46ce0 100644
--- a/tofu/authentik/.terraform.lock.hcl
+++ b/tofu/authentik/.terraform.lock.hcl
@@ -2,36 +2,36 @@ # Manual edits may be lost in future updates.
 provider "registry.opentofu.org/goauthentik/authentik" {
- version = "2024.8.4"
- constraints = "2024.8.4"
+ version = "2024.10.1"
+ constraints = "2024.10.1"
 hashes = [
- "h1:8Xv5wta3hIIkK42Io8K0SyPYoWOpaFpPY9QapGddpjI=",
- "h1:D7ubAOqNdetqacJgTRjLbbrcOxooXCO0Lyp62OvI8yo=",
- "h1:ESLExFZhUZ7waYS/R0bYT+QSIQMlGzu/38j0rS3Lp5c=",
- "h1:M/wlTfeq/7P2O+SCIMQZGNX79H8rKZC64SoB6BjqjOg=",
- "h1:Ov4eV/U1qYkr1nPLEZGH2W+ehL/VoS3PO6nRcgnZ18U=",
- "h1:QdMNGXTpTnw+dB2l1h3iCmz2kaxr/5yOqc02ixxsQWg=",
- "h1:SyTR+nvSWpqhwqyUHDGxrRnKp5KXQwJLUZgPxkHad4c=",
- "h1:U3sDctMTEHA2HFpzYhfFyDycKoB4Rk7n9RQZ1RdS+UU=",
- "h1:V949CiGQmZxaAbnJxPzom3ie//dTUuxO3B+tMq3CIB8=",
- "h1:VnjNTGyEtKuhE+nZupVIfXZ6XgqQRLF3vyu7WW8ynrM=",
- "h1:Wj3W1TDkn/FcDFQiT5g+GbOUSjUSmGdXfGrJNdWfen8=",
- "h1:bZS9RwjEc1FlLFMidiCzyUrFTC7VONufHBDgGjAtSWs=",
- "h1:deAiR6R2FBDLmBAFL0D/UG7Uu3MgiI5RL2Zen0PecAA=",
- "h1:fY36N5ASC+z8LqowzgasNz0xJSWbdjJGeHdPPf6yMlo=",
- "zh:13040879209e226ba73dd3492849301f5d6233098decf4789dde4e75a7db00a3",
- "zh:21e5b1403749e4577c85efe1e1ffbc7f70f910c9b025a66ee36d6d9e7a26834d",
- "zh:3290e95ff74aa269031df2d9604526c977826d76c4c1c03b61c61d4767775f44",
- "zh:5648de4e32e83f1162844dfae55c2c2ff23eb1b0ae0c6a251a38917d6c7407f0",
- "zh:5a12f804038d3d84819954fe7666b84aa24bc2284682e5732302c0811401faa3",
- "zh:6b61eaad598256beb677f170fcb63c2f56c8a9e2a8f6516c98802fab0009807d",
- "zh:8071892662952c013bdee898a4f5dc4116c18e7e2fbcb0fa96afdf56e78a582f",
- "zh:94aead29a3fb563c84eca7275a88f7b49e14f6bc7344cc06c766fdf638098d6d",
- "zh:96ad4fddd7c4ff84f6c18e7106a7565c545e545ac8b8419f2c76216760e1a35a",
- "zh:c5105037a5d9f0be8fd6a3ecbf08928e26acd3af587dbeb099a328c994cef6f6",
- "zh:c69b47759a0b831270ba074002078ebf375da712f8c306053b880946cb80ae14",
- "zh:cb76e7fcdffa73055670f2ecf88286353a3d70a9cc3528e77217ea00465a32c2",
- "zh:d95b39d122b61c833e234b3fdf423495685cb20456efd761fdcbafc3817248e1",
- "zh:fc1a55ce2f8f7872f6911afd68d5f76472ba247a2ad2d739010d15add2c7e268",
+ "h1:/Eo+yQyGAKK67bkgt1plX5X41mkRKu5br66XYnL/UyQ=",
+ "h1:1S06FnDvjDsdOm/2J/M95FypohflaT0a9OUOwl4S87o=",
+ "h1:7c3PvOLtsB0F4KHdGT1bTq2mzeNjx4TaNlVKRX78vAc=",
+ "h1:8NUPNLWr9/klFJckfw6HkOMqsGhTTdePUmlBRLOIJjY=",
+ "h1:Ariy1e/DAbcoXS9Wud/Ad3rEC1cLqQ7HdcHBzfTRiSM=",
+ "h1:Bc9zVu8DyzeveEqEaCitlsvzBEY6CU/F648PEjrFYuk=",
+ "h1:D5mConUujTcrau12WRa+Qg1lvPJLzjc76ClIYevJtVw=",
+ "h1:FFYDaQDN8nbfsjwp8kw7YO6xsFCJlhtKSXx9gdLLbok=",
+ "h1:Qfd127te/m5E0LAJvJ9kGWKdCXQdFXlz3ve+nV3HsWM=",
+ "h1:RpNxc5WPT5H3WoKP8t7yKLO7MUAuHgfjm/rifaKpYM8=",
+ "h1:XifS+/OiEMhGI7MQnQtF3ACScqWB/N2Sr/bIrvSKOag=",
+ "h1:YMreOu0B0U2v8azRZ/iVJPhoDedlATNHCam1iztTUks=",
+ "h1:eIMjryDbwEUWlBOFPtGWPf9NdNVWeGLeniVzafoPXZU=",
+ "h1:v6XQwr4PDKtgHtdgCq03iYme4VaJAG8kSH4aKJL0OSw=",
+ "zh:149c76107f75ea5b530409d81cd3b63abc5478831c1f794df1fc12acd5f7ac78",
+ "zh:60bf7a62ec4bb742121f708b1e964b6bc816988e14c9e831723f0788a5c22471",
+ "zh:625f1eecf87e1d741bc99b69aa0aac3c82a4040bb9e704e2c20b09e562517c20",
+ "zh:690f247fd428dd7659aad3189a86288c784fdedbeb8cd75295aa417338d126b2",
+ "zh:6be8c0c70b18da79b5c7cb19ca445a1607404b7e1caff9bdb8e2330c22a591c6",
+ "zh:77bd031a28ec92a215cc5c12381791239ad43087c37f73ab1538f909e15ceae5",
+ "zh:78ffd4fe7b65220db2d33430240507395a71ef8e1dd1c22d82fd547855113df5",
+ "zh:7c0414978a45481bbeb8fc1aed1806409a2499967bd30edfcf9c34d1005d0faa",
+ "zh:7df2c43de2555c11b761a938e2414f25165845d932ca95d562ccabfe3a78a209",
+ "zh:819baedab497151fabcc9c887bcb07382a371708e3f9632ae1a58563ba79104f",
+ "zh:891208df7e634c2de7cb164d1ed88d492e7852abd32293b727b5b82f32efd7e7",
+ "zh:b6385a881b7098f6a6260f7b298eb26ef06eeed02a90ffdff9d2d7cf72fdaa27",
+ "zh:ce642bbd35babd93339a80549552823ec743397e456f18dbcffdf5af3fec612e",
+ "zh:ffd96ddda256a49097b21e6e672ef63d532a960bbc5455958102900ce79a4a10",
 ]
 }
diff --git a/tofu/authentik/main.tf b/tofu/authentik/main.tf
index 62709de..d7bb06f 100644
--- a/tofu/authentik/main.tf
+++ b/tofu/authentik/main.tf
@@ -8,7 +8,7 @@ terraform {
 required_providers {
 authentik = {
 source = "goauthentik/authentik"
- version = "2024.8.4"
+ version = "2024.10.1"
 }
 }
 }
@@ -33,21 +33,6 @@ resource "authentik_group" "vpn" {
 }
-module "firezone" {
- source = "../modules/authentik-oidc"
- app_name = "Firezone"
- app_slug = "firezone"
- client_id = var.firezone_client_id
- client_secret = var.firezone_client_secret
- app_access_group_id = authentik_group.admins.id
- redirect_uris = ["https://fz.fukurokuju.dev/auth/oidc/authentik/callback/"]
- app_icon = "https://www.firezone.dev/icon.svg"
- app_description = "VPN"
- app_publisher = "Firezone"
- app_url = "https://fz.fukurokuju.dev"
- sub_mode = "hashed_user_id"
-}
 module "gitea" {
 source = "../modules/authentik-oidc"
 app_name = "Gitea"
@@ -159,5 +144,6 @@ module "netbird" {
 extra_property_mappings = [
 "goauthentik.io/providers/oauth2/scope-authentik_api"
 ]
- app_icon = "https://vpn.fukurokuju.dev/apple-icon.png"
+ app_icon = "https://vpn.fukurokuju.dev/apple-icon.png"
+ access_token_validity = "days=10"
 }
diff --git a/tofu/modules/authentik-oidc/main.tf b/tofu/modules/authentik-oidc/main.tf
index b374a96..ba8396e 100644
--- a/tofu/modules/authentik-oidc/main.tf
+++ b/tofu/modules/authentik-oidc/main.tf
@@ -3,7 +3,7 @@ terraform {
 required_providers {
 authentik = {
 source = "goauthentik/authentik"
- version = "2024.8.4"
+ version = "2024.10.1"
 }
 }
 }
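Review bot: `access_token_validity = "days=10"` raises the NetBird provider's access-token lifetime from the module default `minutes=10` (visible in vars.tf) to ten days, and the context lines show the same provider is granted `goauthentik.io/providers/oauth2/scope-authentik_api`; a bearer token with that scope, should it leak from the NetBird side, stays usable for the full ten days, and an issued access token typically cannot be revoked before it expires. If NetBird's integration genuinely needs a token this long-lived, record the requirement beside the line, e.g. `access_token_validity = "days=10" # TODO(review): document why NetBird needs a 10-day token; prefer a short token plus refresh_token_validity if it can refresh`. The `module "netbird"` block starts outside the hunk.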
@@ -26,20 +26,25 @@ data "authentik_property_mapping_provider_scope" "default-scopes" {
 ], var.extra_property_mappings)
 }
+data "authentik_flow" "default-provider-invalidation-flow" {
+ slug = "default-provider-invalidation-flow "
+}
 resource "authentik_provider_oauth2" "provider_oidc" {
- name = var.app_name
- client_id = var.client_id
- client_secret = var.client_secret
- client_type = var.client_type
- authorization_flow = data.authentik_flow.default-authorization-flow.id
- authentication_flow = data.authentik_flow.default-authentication-flow.id
- redirect_uris = var.redirect_uris
- property_mappings = data.authentik_property_mapping_provider_scope.default-scopes.ids
- sub_mode = var.sub_mode
- signing_key = var.oidc_signing_key
- access_code_validity = var.access_code_validity
- access_token_validity = var.access_token_validity
+ name = var.app_name
+ client_id = var.client_id
+ client_secret = var.client_secret
+ client_type = var.client_type
+ authorization_flow = data.authentik_flow.default-authorization-flow.id
+ authentication_flow = data.authentik_flow.default-authentication-flow.id
+ redirect_uris = var.redirect_uris
+ property_mappings = data.authentik_property_mapping_provider_scope.default-scopes.ids
+ sub_mode = var.sub_mode
+ signing_key = var.oidc_signing_key
+ access_code_validity = var.access_code_validity
+ access_token_validity = var.access_token_validity
+ refresh_token_validity = var.refresh_token_validity
+ invalidation_flow = data.authentik_flow.default-provider-invalidation-flow.id
 }
diff --git a/tofu/modules/authentik-oidc/vars.tf b/tofu/modules/authentik-oidc/vars.tf
index 56796af..ee9583e 100644
--- a/tofu/modules/authentik-oidc/vars.tf
+++ b/tofu/modules/authentik-oidc/vars.tf
@@ -90,6 +90,11 @@ variable "access_token_validity" {
 default = "minutes=10"
 }
+variable "refresh_token_validity" {
+ type = string
+ default = "days=30"
+}
+
 variable "extra_property_mappings" {
 type = list(string)
 default = []
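Review bot: The new data source's `slug = "default-provider-invalidation-flow "` has a trailing space inside the quotes, so unless a flow with exactly that slug exists the lookup fails at plan time, and if one does exist the provider is wired to a flow other than authentik's default invalidation flow. The same string is added in the `authentik-proxy` module's hunk further down; both should read `slug = "default-provider-invalidation-flow"`. Separately, realigning all twelve pre-existing attributes in this hunk buries the two lines that actually change behavior (`refresh_token_validity` and `invalidation_flow`); a formatting-only commit beforehand would keep the review diff to the new behavior.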
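Review bot: The `days=30` default of the new `refresh_token_validity` variable reaches every consumer of the module, because `provider_oidc` now always sets it and the removed provider lines set no refresh validity at all, so every existing OIDC application moves from authentik's own default to a thirty-day refresh token on the next apply; the variable carries no `description` explaining that choice. Add one, e.g. `description = "Refresh token lifetime, same format as access_token_validity (e.g. days=30); applies to every app built from this module"`. The `variable "access_token_validity"` block that precedes it starts outside the hunk.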
diff --git a/tofu/modules/authentik-proxy/main.tf b/tofu/modules/authentik-proxy/main.tf
index 68e79ed..62ed0e3 100644
--- a/tofu/modules/authentik-proxy/main.tf
+++ b/tofu/modules/authentik-proxy/main.tf
@@ -3,7 +3,7 @@ terraform {
 required_providers {
 authentik = {
 source = "goauthentik/authentik"
- version = "2024.8.4"
+ version = "2024.10.1"
 }
 }
 }
@@ -16,6 +16,9 @@ data "authentik_flow" "default-authentication-flow" {
 slug = "default-authentication-flow"
 }
+data "authentik_flow" "default-provider-invalidation-flow" {
+ slug = "default-provider-invalidation-flow "
+}
 resource "authentik_provider_proxy" "provider_proxy" {
 authorization_flow = data.authentik_flow.default-authorization-flow.id
@@ -24,6 +27,7 @@ resource "authentik_provider_proxy" "provider_proxy" {
 internal_host = var.internal_host
 name = var.app_name
 internal_host_ssl_validation = var.internal_host_ssl_validation
+ invalidation_flow = data.authentik_flow.default-provider-invalidation-flow.id
 }