diff --git a/docker/netbird/docker-compose.yml b/docker/netbird/docker-compose.yml
deleted file mode 100644
index 76dc7af..0000000
--- a/docker/netbird/docker-compose.yml
+++ /dev/null
@@ -1,112 +0,0 @@
----
-services:
- dashboard:
- image: netbirdio/dashboard:v2.20.2
- restart: unless-stopped
- ports:
- - 8005:80
- environment:
- NETBIRD_MGMT_API_ENDPOINT: ${NETBIRD_MGMT_API_ENDPOINT:-https://vpn.fukurokuju.dev}
- NETBIRD_MGMT_GRPC_API_ENDPOINT: ${NETBIRD_MGMT_GRPC_API_ENDPOINT:-https://vpn.fukurokuju.dev}
- AUTH_AUDIENCE: ${NETBIRD_AUTH_AUDIENCE:-64e44b85ebdec2a3cf87c0c9916e2dbb0570f6d87b03ca8d149c3551565c3057ce1e559d16b5399cb7df60646e4e2bc6515842a198efb09d1620ea9ac1d8ace2} # yamllint disable rule:line-length
- AUTH_CLIENT_ID: ${NETBIRD_AUTH_CLIENT_ID:-64e44b85ebdec2a3cf87c0c9916e2dbb0570f6d87b03ca8d149c3551565c3057ce1e559d16b5399cb7df60646e4e2bc6515842a198efb09d1620ea9ac1d8ace2} # yamllint disable rule:line-length
- AUTH_AUTHORITY: ${NETBIRD_AUTH_AUTHORITY:-https://auth.fukurokuju.dev/application/o/netbird/}
- USE_AUTH0: false
- AUTH_SUPPORTED_SCOPES: ${NETBIRD_AUTH_SUPPORTED_SCOPES:-api offline_access openid email profile}
- AUTH_REDIRECT_URI:
- AUTH_SILENT_REDIRECT_URI:
- NETBIRD_TOKEN_SOURCE: accessToken
- NGINX_SSL_PORT: 443
- logging:
- driver: "json-file"
- options:
- max-size: "500m"
- max-file: "2"
- signal:
- image: netbirdio/signal:0.59.11
- restart: unless-stopped
- volumes:
- - netbird-signal:/var/lib/netbird
- ports:
- - "10000:80"
- logging:
- driver: "json-file"
- options:
- max-size: "500m"
- max-file: "2"
- relay:
- image: netbirdio/relay:0.59.11
- restart: unless-stopped
- environment:
- NB_LOG_LEVEL: ${NB_LOG_LEVEL:-info}
- NB_LISTEN_ADDRESS: ${NB_LISTEN_ADDRESS:-:33080}
- NB_EXPOSED_ADDRESS: ${NB_EXPOSED_ADDRESS:-vpn.fukurokuju.dev:33080}
- NB_AUTH_SECRET: ${NB_AUTH_SECRET}
- ports:
- - "33080:33080"
- logging:
- driver: "json-file"
- options:
- max-size: "500m"
- max-file: "2"
- management:
- image: netbirdio/management:0.59.10
- restart: unless-stopped
- depends_on:
- - dashboard
- volumes:
- - ${NETBIRD_MANAGEMENT_VOLUME:-/mnt/nas1/shared/netbird/management}/data:/var/lib/netbird
- - ${NETBIRD_MANAGEMENT_VOLUME:-/mnt/nas1/shared/netbird/management}/management.json:/etc/netbird/management.json:z
- ports:
- - "33073:443"
- command: [
- "--port", "443",
- "--log-file", "console",
- "--log-level", "info",
- "--disable-anonymous-metrics=false",
- "--single-account-mode-domain=vpn.fukurokuju.dev",
- "--dns-domain=netbird.fuku",
- ]
- logging:
- driver: "json-file"
- options:
- max-size: "500m"
- max-file: "2"
- environment:
- - NETBIRD_STORE_ENGINE_POSTGRES_DSN=
-
- coturn:
- image: coturn/coturn:4.7
- restart: unless-stopped
- domainname: vpn.fukurokuju.dev
- volumes:
- - ${NETBIRD_COTURN_VOLUME:-/mnt/nas1/shared/netbird/coturn}/turnserver.conf:/etc/turnserver.conf:ro
- network_mode: host
- command:
- - -c /etc/turnserver.conf
- logging:
- driver: "json-file"
- options:
- max-size: "500m"
- max-file: "2"
-
- peer-1:
- image: netbirdio/netbird:0.59.11
- restart: unless-stopped
- volumes:
- - ${NETBIRD_PEER_VOLUME:-/mnt/nas1/shared/netbird/peer-1}/data:/etc/netbird
- environment:
- NB_MANAGEMENT_URL: https://vpn.fukurokuju.dev:443
- NB_SETUP_KEY: ${NB_SETUP_KEY}
- cap_add:
- - NET_ADMIN
- depends_on:
- - management
- - dashboard
- - relay
- - signal
- - coturn
-
-volumes:
- netbird-mgmt:
- netbird-signal:
diff --git a/docker/netbird/sample.env b/docker/netbird/sample.env
deleted file mode 100644
index 6a76871..0000000
--- a/docker/netbird/sample.env
+++ /dev/null
@@ -1,2 +0,0 @@
-NB_AUTH_SECRET=
-NB_SETUP_KEY=
diff --git a/docker/tandoor/docker-compose.yml b/docker/tandoor/docker-compose.yml
new file mode 100644
index 0000000..8133b76
--- /dev/null
+++ b/docker/tandoor/docker-compose.yml
@@ -0,0 +1,21 @@
+---
+services:
+ web_recipes:
+ restart: always
+ image: vabene1111/recipes:2.3.6
+ volumes:
+ - ${TANDOOR_STATICFILES:-/mnt/nas1/shared/tandoor/staticfiles}:/opt/recipes/staticfiles
+ - ${TANDOOR_MEDIAFILES:-/mnt/nas1/shared/tandoor/mediafiles}:/opt/recipes/mediafiles
+ environment:
+ SECRET_KEY: ${TANDOOR_SECRET_KEY}
+ TZ: ${TANDOOR_TZ:-Europe/Madrid}
+ ALLOWED_HOSTS: ${TANDOOR_ALLOWED_HOSTS:-recipes.roboces.dev}
+ SOCIAL_PROVIDERS: ${TANDOOR_SOCIAL_PROVIDERS:-allauth.socialaccount.providers.openid_connect}
+ SOCIALACCOUNT_PROVIDERS: ${TANDOOR_SOCIALACCOUNT_PROVIDERS}
+ POSTGRES_HOST: ${TANDOOR_POSTGRES_HOST:-192.168.1.3}
+ POSTGRES_DB: ${TANDOOR_POSTGRES_DB:-tandoor}
+ POSTGRES_PORT: ${TANDOOR_POSTGRES_PORT:-5432}
+ POSTGRES_USER: ${TANDOOR_POSTGRES_USER}
+ POSTGRES_PASSWORD: ${TANDOOR_POSTGRES_PASSWORD}
+ ports:
+ - "8081:80"
diff --git a/docker/tandoor/sample.env b/docker/tandoor/sample.env
new file mode 100644
index 0000000..e5029ad
--- /dev/null
+++ b/docker/tandoor/sample.env
@@ -0,0 +1,11 @@
+TANDOOR_STATICFILES=
+TANDOOR_MEDIAFILES=
+TANDOOR_SECRET_KEY=
+TANDOOR_TZ=Europe/Madrid
+TANDOOR_ALLOWED_HOSTS=
+TANDOOR_SOCIALACCOUNT_PROVIDERS=
+TANDOOR_POSTGRES_HOST=
+TANDOOR_POSTGRES_DB=
+TANDOOR_POSTGRES_PORT=
+TANDOOR_POSTGRES_USER=
+TANDOOR_POSTGRES_PASSWORD=
diff --git a/k8s/argo-apps/authentik.yaml b/k8s/argo-apps/authentik.yaml
index 045afd6..b046a8b 100644
--- a/k8s/argo-apps/authentik.yaml
+++ b/k8s/argo-apps/authentik.yaml
@@ -12,7 +12,7 @@ spec:
 sources:
 - chart: authentik
 repoURL: https://charts.goauthentik.io/
- targetRevision: 2025.10.*
+ targetRevision: 2025.12.*
 helm:
 valuesObject:
 authentik:
diff --git a/k8s/argo-apps/renovate.yaml b/k8s/argo-apps/renovate.yaml
index 4e0a358..9616b6d 100644
--- a/k8s/argo-apps/renovate.yaml
+++ b/k8s/argo-apps/renovate.yaml
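Review bot: In docker/tandoor/docker-compose.yml, `SECRET_KEY: ${TANDOOR_SECRET_KEY}` and `POSTGRES_PASSWORD: ${TANDOOR_POSTGRES_PASSWORD}` have neither a default nor a required-marker, so if the `.env` file is missing or still holds the blank values from sample.env, Compose substitutes an empty string and starts the container anyway. Use the fail-fast form, e.g. `SECRET_KEY: ${TANDOOR_SECRET_KEY:?TANDOOR_SECRET_KEY must be set}`, and the same for `POSTGRES_USER` and `POSTGRES_PASSWORD`. Separately, `"8081:80"` publishes the port on every host interface; if the service is only meant to be reached through a reverse proxy on the same host (the `ALLOWED_HOSTS` default suggests one, but that is not visible here), `"127.0.0.1:8081:80"` keeps the unproxied port off the LAN.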
@@ -13,7 +13,7 @@ spec:
 sources:
 - chart: renovate
 repoURL: https://docs.renovatebot.com/helm-charts
- targetRevision: 45.85.*
+ targetRevision: 45.86.*
 helm:
 valuesObject:
 renovate:
diff --git a/k8s/services/argo/project-fuku.yaml b/k8s/services/argo/project-fuku.yaml
index c4ab6ee..43e602a 100644
--- a/k8s/services/argo/project-fuku.yaml
+++ b/k8s/services/argo/project-fuku.yaml
@@ -31,3 +31,4 @@ spec:
 - https://groundhog2k.github.io/helm-charts/
 - registry-1.docker.io/cloudpirates
 - https://vmware-tanzu.github.io/helm-charts/
+ - https://helm.runix.net
diff --git a/tofu/authentik/main.tf b/tofu/authentik/main.tf
index 7b27b0c..87ebc58 100644
--- a/tofu/authentik/main.tf
+++ b/tofu/authentik/main.tf
@@ -199,36 +199,6 @@ module "sftpgo" {
 sub_mode = "user_username"
 }
-module "netbird" {
- source = "../modules/authentik-oidc"
- app_name = "netbird"
- app_slug = "netbird"
- client_id = var.netbird_client_id
- client_type = "public"
- app_access_group_id = authentik_group.vpn.id
- redirect_uris = [
- {
- matching_mode = "strict",
- url = "https://vpn.fukurokuju.dev",
- },
- {
- matching_mode = "regex",
- url = "https://vpn.fukurokuju.dev.*",
- },
- {
- matching_mode = "strict",
- url = "http://localhost:53000"
- },
-
- ]
- sub_mode = "user_id"
- extra_property_mappings = [
- "goauthentik.io/providers/oauth2/scope-authentik_api"
- ]
- app_icon = "https://vpn.fukurokuju.dev/apple-icon.png"
- access_token_validity = "days=10"
- client_secret = ""
-}
 module "rustical" {
 source = "../modules/authentik-oidc"
@@ -248,3 +218,13 @@ module "jellyfin" {
 name = "jellyfin"
 app_access_group_id = authentik_group.arrs.id
 }
+
+module "tandoor" {
+ source = "../modules/authentik-oidc"
+ app_name = "Tandoor"
+ app_slug = "tandoor"
+ app_access_group_id = ""
+ redirect_uris = [{ matching_mode = "strict", url = "https://recipes.roboces.dev/accounts/oidc/authentik/login/callback/" }]
+ client_id = var.tandoor_client_id
+ client_secret = var.tandoor_client_secret
+}
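Review bot: The new `- https://helm.runix.net` entry in k8s/services/argo/project-fuku.yaml has no comment saying which Application needs it, and no Application in this commit references that repository. Assuming this list is the AppProject's `sourceRepos` allowlist (the key sits above the hunk), every entry is a chart source that any Application in the project may deploy from, so each one should be traceable to a consumer. A trailing comment such as `# chart: CHART_NAME, used by APPLICATION_NAME` (placeholders) would make stale entries easy to spot and remove.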
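Review bot: `app_access_group_id = ""` in the new `module "tandoor"` block of tofu/authentik/main.tf leaves the application without an access group, whereas the other modules visible in this diff pass one (`authentik_group.arrs.id` for jellyfin). How `../modules/authentik-oidc` treats an empty string is not visible here; if it skips the group binding, every Authentik account can sign in to Tandoor, and if it does not, the apply will likely fail on an invalid group id. Bind it explicitly, e.g. `app_access_group_id = authentik_group.GROUP_NAME.id` (placeholder for an existing group), or add a comment above the line stating that open access is intended.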
diff --git a/tofu/authentik/sample.env b/tofu/authentik/sample.env
index a784c41..3887146 100644
--- a/tofu/authentik/sample.env
+++ b/tofu/authentik/sample.env
@@ -10,6 +10,7 @@ TF_VAR_paperless_client_id=
 TF_VAR_paperless_client_secret=
 TF_VAR_sftpgo_client_id=
 TF_VAR_sftpgo_client_secret=
-TF_VAR_netbird_client_id=
 TF_VAR_rustical_client_id=
 TF_VAR_rustical_client_secret=
+TF_VAR_tandoor_client_id=
+TF_VAR_tandoor_client_secret=
diff --git a/tofu/authentik/vars.tf b/tofu/authentik/vars.tf
index 4a1c5dd..30ec835 100644
--- a/tofu/authentik/vars.tf
+++ b/tofu/authentik/vars.tf
@@ -39,12 +39,6 @@ variable "paperless_client_secret" {
 type = string
 }
-variable "netbird_client_id" {
- description = "Netbird client ID"
- type = string
-}
-
-
 variable "sftpgo_client_id" {
 description = "SFTPGo client ID"
 type = string
@@ -61,16 +55,16 @@ variable "rustical_client_id" {
 }
 variable "rustical_client_secret" {
- description = "Rustical client secret"
+ description = "Tandoor client secret"
 type = string
 }
-variable "mediamanager_client_id" {
- description = "MediaManager client ID"
+variable "tandoor_client_id" {
+ description = "Tandoor client ID"
 type = string
 }
-variable "mediamanager_client_secret" {
- description = "MediaManager client secret"
+variable "tandoor_client_secret" {
+ description = "Tandoor client secret"
 type = string
 }
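Review bot: In the second tofu/authentik/vars.tf hunk the description of `variable "rustical_client_secret"` is changed to `"Tandoor client secret"`, which looks like a slip made while renaming the blocks below it; it should stay `description = "Rustical client secret"`. The same hunk turns the two `mediamanager_*` variables into `tandoor_*`, so any remaining `var.mediamanager_client_id` or `var.mediamanager_client_secret` reference outside this diff would break the plan and is worth a grep. The `*_client_secret` variables also carry no `sensitive = true`, so their values can show up in plan output; adding that line to `tandoor_client_secret` is a cheap hardening step.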