From 64cec4fec4e07004a11d55cfc102ff67050da8ba Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Thu, 8 Jan 2026 02:18:27 +0000 Subject: [PATCH 1/5] chore(deps): update helm release renovate to 45.67.* --- k8s/argo-apps/renovate.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/k8s/argo-apps/renovate.yaml b/k8s/argo-apps/renovate.yaml index 83c3d3a..6949777 100644 --- a/k8s/argo-apps/renovate.yaml +++ b/k8s/argo-apps/renovate.yaml @@ -13,7 +13,7 @@ spec: sources: - chart: renovate repoURL: https://docs.renovatebot.com/helm-charts - targetRevision: 45.21.* + targetRevision: 45.67.* helm: valuesObject: renovate: From c3560f7a6f2d995d7c1a60f989acb5ca7f9990aa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?c=C4=83t=C4=83lin?= Date: Fri, 9 Jan 2026 11:24:37 +0100 Subject: [PATCH 2/5] chore(deps): update dcsi's images to v1.9.5 --- k8s/argo-apps/dcsi.yaml | 60 ++++++++++++++++++++++++----------------- 1 file changed, 35 insertions(+), 25 deletions(-) diff --git a/k8s/argo-apps/dcsi.yaml b/k8s/argo-apps/dcsi.yaml index 13a5a3c..563de65 100644 --- a/k8s/argo-apps/dcsi.yaml +++ b/k8s/argo-apps/dcsi.yaml 
@@ -2,29 +2,39 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: democratic-csi - namespace: argocd + name: democratic-csi + namespace: argocd spec: - destination: - name: '' - namespace: democratic-csi - server: https://kubernetes.default.svc - sources: - - chart: democratic-csi - repoURL: https://democratic-csi.github.io/charts/ - targetRevision: 0.15.* - helm: - releaseName: zfs-nfs - valuesObject: - csiDriver: - name: org.dcsi.nfs - driver: - existingConfigSecret: secrets-dcsi - config: - driver: freenas-api-nfs - - repoURL: https://git.roboces.dev/catalin/fukuops.git - path: k8s/services/dcsi - targetRevision: main - project: management - syncPolicy: - automated: {} + destination: + name: '' + namespace: democratic-csi + server: https://kubernetes.default.svc + sources: + - chart: democratic-csi + repoURL: https://democratic-csi.github.io/charts/ + targetRevision: 0.15.* + helm: + releaseName: zfs-nfs + valuesObject: + node: + driver: + image: + tag: 1.9.5 + controller: + driver: + image: + tag: 1.9.5 + csiDriver: + name: org.dcsi.nfs + driver: + image: + tag: 1.9.5 + existingConfigSecret: secrets-dcsi + config: + driver: freenas-api-nfs + - repoURL: https://git.roboces.dev/catalin/fukuops.git + path: k8s/services/dcsi + targetRevision: main + project: management + syncPolicy: + automated: {} From 2354f5971bdb53fd63797bfce1d006b708ed4a6d Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Tue, 6 Jan 2026 02:25:01 +0000 Subject: [PATCH 3/5] chore(deps): update ghcr.io/paperless-ngx/paperless-ngx docker tag to v2.20.3 --- docker/paperless/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/paperless/docker-compose.yml b/docker/paperless/docker-compose.yml index 58acc07..e1f79a8 100644 --- a/docker/paperless/docker-compose.yml +++ b/docker/paperless/docker-compose.yml 
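Review bot: The three added `image.tag` values are spelled `1.9.5`, while the commit subject says the images move to v1.9.5; please confirm which spelling the registry publishes, because a tag that does not resolve leaves the driver pods unable to pull their image. Quoting the value, `tag: "1.9.5"`, also keeps it a string for every YAML parser and tool that touches this manifest. The functional change is only these three keys, but the hunk re-indents the whole file, which makes them easy to miss in review; a separate whitespace-only commit would keep the history auditable. A tag stays mutable on the registry side, so if the chart's values accept a digest, that is the stronger pin for a storage driver.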
@@ -14,7 +14,7 @@ services: webserver: - image: ghcr.io/paperless-ngx/paperless-ngx:2.20.0 + image: ghcr.io/paperless-ngx/paperless-ngx:2.20.3 restart: unless-stopped ports: - 8002:8000 From a856c4b230d24f75af36e7793a02061dde1658a9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?c=C4=83t=C4=83lin?= Date: Fri, 9 Jan 2026 12:50:53 +0100 Subject: [PATCH 4/5] feat: add authentik-ldap module --- k8s/argo-apps/dcsi.yaml | 6 +-- tofu/authentik/.terraform.lock.hcl | 47 ++++++----------- tofu/authentik/main.tf | 17 +++--- tofu/authentik/sample.env | 2 - .../authentik-ldap/.terraform.lock.hcl | 24 +++++++++ tofu/modules/authentik-ldap/main.tf | 45 ++++++++++++++++ tofu/modules/authentik-ldap/vars.tf | 52 +++++++++++++++++++ tofu/modules/authentik-oidc/main.tf | 2 +- tofu/modules/authentik-proxy/main.tf | 2 +- 9 files changed, 151 insertions(+), 46 deletions(-) create mode 100644 tofu/modules/authentik-ldap/.terraform.lock.hcl create mode 100644 tofu/modules/authentik-ldap/main.tf create mode 100644 tofu/modules/authentik-ldap/vars.tf diff --git a/k8s/argo-apps/dcsi.yaml b/k8s/argo-apps/dcsi.yaml index 563de65..9c9e48d 100644 --- a/k8s/argo-apps/dcsi.yaml +++ b/k8s/argo-apps/dcsi.yaml @@ -19,16 +19,16 @@ spec: node: driver: image: - tag: 1.9.5 + tag: next controller: driver: image: - tag: 1.9.5 + tag: next csiDriver: name: org.dcsi.nfs driver: image: - tag: 1.9.5 + tag: next existingConfigSecret: secrets-dcsi config: driver: freenas-api-nfs diff --git a/tofu/authentik/.terraform.lock.hcl b/tofu/authentik/.terraform.lock.hcl index ce22035..de2d5a9 100644 --- a/tofu/authentik/.terraform.lock.hcl +++ b/tofu/authentik/.terraform.lock.hcl 
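Review bot: Replacing the fixed `1.9.5` with `tag: next` in all three `image` blocks of k8s/argo-apps/dcsi.yaml makes the storage driver track whatever the registry currently serves under that name, and the change rides in a commit whose subject is only about the authentik-ldap module. `next` reads like a rolling development tag (inferred from the name), so the running image can change with no corresponding commit. With `syncPolicy.automated` set on this Application (visible in the previous patch), nothing gates the rollout. If a pre-release build is really needed, pin it by a dated tag or digest and record the reason next to it, e.g. `tag: next  # temporary: <reason / issue link>, re-pin to a release`. The `valuesObject` mapping these keys belong to starts outside the hunk.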
@@ -2,36 +2,23 @@ # Manual edits may be lost in future updates. provider "registry.opentofu.org/goauthentik/authentik" { - version = "2025.10.0" - constraints = "2025.10.0" + version = "2025.10.1" + constraints = "2025.10.1" hashes = [ - "h1:8nN6b5dEGbJJ5ajovedkO//QP4NrWU5GfrenIHAEyz0=", - "h1:EZlTiEEZ0a6AvlLuTKAIyhBI4m4poYUX4QW0wyHfIaw=", - "h1:ElpISil/0po3r4pb9KK7/pBCSLxL18a6IDHDSMFdmS0=", - "h1:F7+3L6JmVEG+PMizB9SuifxbznkZD3462LQpFMOW0M0=", - "h1:L1sFZI0qKeBpUUCMgQkuRge196DsrHaTUJKJWKm0V2w=", - "h1:OQgVyUOOLTGyosEpVHzE37h+91nHN5n9lKHt6nAOZyU=", - "h1:Ph1j1Flr4kXMZKCRlP4Hn0asAz1Yfpk+hf5t6aeF4mc=", - "h1:RjitcUcx/3QKUgs74q3ypbf7KQpg8BoNELW6sE4ONqk=", - "h1:Vw7hY7KdCtQ3hf00uCekrzdDgBJ2EnPXUAnj3ybLXPQ=", - "h1:fDQcyzUJqHb4qXOyze/Te0Fd3dVMdBcLQ+e2xOtsqbM=", - "h1:jKOzsHSorUnub0L+Lq+tPPhHmeKoaiPS8orF9zZf/i0=", - "h1:kXF4EEV9uzXzshloPfJQQzPbs0YVgjUu5aD+Fj040U0=", - "h1:pvMaS6PASVHMJxArSG1pAzS5Micb1fMcLz7MF7bO138=", - "h1:s3wkHrHE8Q/Dj+PIkvuPviLTUcK6h7aoAArrBKNJ8PE=", - "zh:0103a533f474db36223d8dbf2abc80f8d76a162b2e3042a2203f0d426f2c8e16", - "zh:03302f83cd5784435ef22864a936b88293284bfdc091ff2fd0cc18a40e97bb55", - "zh:0730ca92f8bc778dba52425d05c5dceb9ae57660797f88132c06a0bf8a4f4f55", - "zh:63ace720564b3549d482f0bc68b1f4596a1682faeef5fe4d40163abccda90ceb", - "zh:8c4acdc358b1f5b1c13192af81bba552c6ad98debd341d836f4adf1fb85610a8", - "zh:8f101bae1ab303b5e1b91ceb62d11386091a24c2bbd99bca4662bc88f127a8c4", - "zh:a683c5338f16d20a1432fbc093c35db388ec7ef9f657d7478e3a04fc72722ad7", - "zh:a99fcbaf234cb161c8d7018f62946178810c7645436229d05913ff432094734d", - "zh:aa7fc7a3e05e96522507a86ec50b53473ff3e917f56fb2fc7418070fe29f1abc", - "zh:bc3b9f7cce5f5fd4116700411c5f3d14c48a9b56115268094882d949b811e53a", - "zh:cba03e3c31ee1e83fcc25511a34ca5f7132e0bbb41f3edc7c7dc113edd5938db", - "zh:d1f168e7a87a3f74d9932b88daa367242d1e9a2ed1b7b9eaf44fcfcfc190305f", - "zh:eb5af50c8e13980da4830c5f23fa7d911ae07740b37cf9d6c5895da95374e940", - "zh:f9db4dbb47b257123bb70b770714552d873f9c8e2e8017c1de227757c8dfb074", 
+ "h1:X0bV1LqI7nu4np+xiGP8yLVfyl6rh/XNXz7QQ7Hsr6g=", + "zh:02ac2478c8901043a0455b8b6b8185e9814786bd802a9aa6d4126d4f56d4735d", + "zh:24d680732a9ea72a86c1e7bf4aa13ab9cc0c60ee4bd4cae8af43670eff88edd9", + "zh:4f415f177671eeea2234eb835479bbb710e811e60864cec6a00ee0e03a412fa3", + "zh:55498caa20504dd52a1870823e15dec6c78948eac2e6ec98e6ec122b5407630b", + "zh:570f9ca7f909bda94b97feab7898ef392e01ae6178d8a9d36aac984d8a433ec1", + "zh:92ac78b97e2d5310ed82233980f941ebecf69ae1f9d03f3e719d8687aa6f4cc7", + "zh:95f852a4e7d22daac86901ebc6b327d5987832b707ad3fd3aeff6c36dd088717", + "zh:98c8659f468a58a9d224b2fca9d5909d39bcabf9e2593e9b4a574dbffb6e2dca", + "zh:a7d1428ec803ae794ebb05d772fa44020827a6b762a5b2da11869fc618ea59cd", + "zh:b1ef054b09fed4282c625a38a4aa6d1276c58e541f4cffcc716aa7d2b773f30a", + "zh:b95e3edeb0da3ee0c0392afa18957cf7d41b2f71ed08a50f4bf38010aaf77d30", + "zh:c3ce9f57889e6bb33f34ee4cc4463a77652b811351bbb25e6fc5ba9dc0c61e14", + "zh:f6d2fe811ad5c242ced99a6b51b2d7f60f060d4bc6837fe1026c2abb7cb6f9a4", + "zh:f78b8e20e7d9f53e1622051c706369a7c6d0f1e37c16df67a214697cd5d0a4fb", ] } diff --git a/tofu/authentik/main.tf b/tofu/authentik/main.tf index 5b58c64..7b27b0c 100644 --- a/tofu/authentik/main.tf +++ b/tofu/authentik/main.tf @@ -8,7 +8,7 @@ terraform { required_providers { authentik = { source = "goauthentik/authentik" - version = "2025.10.0" + version = "2025.10.1" } } } 
@@ -240,12 +240,11 @@ module "rustical" { app_access_group_id = "" } -module "mediamanager" { - source = "../modules/authentik-oidc" - app_name = "mediamanager" - app_slug = "mediamanager" - client_id = var.mediamanager_client_id - client_secret = var.mediamanager_client_secret - redirect_uris = [{ matching_mode = "strict", url = "https://mediamanager.roboces.dev/api/v1/auth/oauth/callback" }] - app_access_group_id = authentik_group.mediamanager.id +module "jellyfin" { + source = "../modules/authentik-ldap" + app_name = "Jellyfin" + app_slug = "jellyfin" + base_dn = "DC=ldap,DC=fukurokuju,DC=dev" + name = "jellyfin" + app_access_group_id = authentik_group.arrs.id } diff --git a/tofu/authentik/sample.env b/tofu/authentik/sample.env index f7ff6ea..a784c41 100644 --- a/tofu/authentik/sample.env +++ b/tofu/authentik/sample.env @@ -13,5 +13,3 @@ TF_VAR_sftpgo_client_secret= TF_VAR_netbird_client_id= TF_VAR_rustical_client_id= TF_VAR_rustical_client_secret= -TF_VAR_mediamanager_client_id= -TF_VAR_mediamanager_client_secret= diff --git a/tofu/modules/authentik-ldap/.terraform.lock.hcl b/tofu/modules/authentik-ldap/.terraform.lock.hcl new file mode 100644 index 0000000..de2d5a9 --- /dev/null +++ b/tofu/modules/authentik-ldap/.terraform.lock.hcl 
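Review bot: The `mediamanager` module call and its two `TF_VAR_mediamanager_*` entries in sample.env are removed, but this patch's diffstat shows no matching removal of the `variable` declarations or of `authentik_group.mediamanager`, so they presumably remain. A required variable with no value makes `tofu plan` prompt or fail, and the group stays behind as an unused access object, so delete them in the same commit or note why they stay. In the new `jellyfin` call, `base_dn = "DC=ldap,DC=fukurokuju,DC=dev"` uses a different domain than the `roboces.dev` hosts seen elsewhere in this series; if that is intentional, a comment such as `# base DN intentionally differs from the public hostname: <reason>` would prevent a later "fix". Access is bound to `authentik_group.arrs`, so a comment stating who belongs to that group would make the LDAP exposure reviewable.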
@@ -0,0 +1,24 @@ +# This file is maintained automatically by "tofu init". +# Manual edits may be lost in future updates. + +provider "registry.opentofu.org/goauthentik/authentik" { + version = "2025.10.1" + constraints = "2025.10.1" + hashes = [ + "h1:X0bV1LqI7nu4np+xiGP8yLVfyl6rh/XNXz7QQ7Hsr6g=", + "zh:02ac2478c8901043a0455b8b6b8185e9814786bd802a9aa6d4126d4f56d4735d", + "zh:24d680732a9ea72a86c1e7bf4aa13ab9cc0c60ee4bd4cae8af43670eff88edd9", + "zh:4f415f177671eeea2234eb835479bbb710e811e60864cec6a00ee0e03a412fa3", + "zh:55498caa20504dd52a1870823e15dec6c78948eac2e6ec98e6ec122b5407630b", + "zh:570f9ca7f909bda94b97feab7898ef392e01ae6178d8a9d36aac984d8a433ec1", + "zh:92ac78b97e2d5310ed82233980f941ebecf69ae1f9d03f3e719d8687aa6f4cc7", + "zh:95f852a4e7d22daac86901ebc6b327d5987832b707ad3fd3aeff6c36dd088717", + "zh:98c8659f468a58a9d224b2fca9d5909d39bcabf9e2593e9b4a574dbffb6e2dca", + "zh:a7d1428ec803ae794ebb05d772fa44020827a6b762a5b2da11869fc618ea59cd", + "zh:b1ef054b09fed4282c625a38a4aa6d1276c58e541f4cffcc716aa7d2b773f30a", + "zh:b95e3edeb0da3ee0c0392afa18957cf7d41b2f71ed08a50f4bf38010aaf77d30", + "zh:c3ce9f57889e6bb33f34ee4cc4463a77652b811351bbb25e6fc5ba9dc0c61e14", + "zh:f6d2fe811ad5c242ced99a6b51b2d7f60f060d4bc6837fe1026c2abb7cb6f9a4", + "zh:f78b8e20e7d9f53e1622051c706369a7c6d0f1e37c16df67a214697cd5d0a4fb", + ] +} diff --git a/tofu/modules/authentik-ldap/main.tf b/tofu/modules/authentik-ldap/main.tf new file mode 100644 index 0000000..19cf5a6 --- /dev/null +++ b/tofu/modules/authentik-ldap/main.tf 
@@ -0,0 +1,45 @@ +terraform { + required_version = ">= 1.6" + required_providers { + authentik = { + source = "goauthentik/authentik" + version = "2025.10.1" + } + } +} + + +data "authentik_flow" "default-authentication-flow" { + slug = "default-authentication-flow" +} + +data "authentik_flow" "default-invalidation-flow" { + slug = "default-invalidation-flow" +} + + +resource "authentik_provider_ldap" "provider_ldap" { + base_dn = var.base_dn + bind_flow = data.authentik_flow.default-authentication-flow.id + name = var.name + unbind_flow = data.authentik_flow.default-invalidation-flow.id +} + + +resource "authentik_application" "app" { + name = var.app_name + slug = var.app_slug + protocol_provider = authentik_provider_ldap.provider_ldap.id + open_in_new_tab = var.open_in_new_tab + meta_icon = var.app_icon + meta_description = var.app_description + meta_publisher = var.app_publisher + meta_launch_url = var.app_url +} + +resource "authentik_policy_binding" "app_access" { + target = authentik_application.app.uuid + group = var.app_access_group_id + order = 0 + count = var.app_access_group_id != "" ? 1 : 0 # only add it if the group's name exists +} diff --git a/tofu/modules/authentik-ldap/vars.tf b/tofu/modules/authentik-ldap/vars.tf new file mode 100644 index 0000000..3d44d35 --- /dev/null +++ b/tofu/modules/authentik-ldap/vars.tf 
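Review bot: `authentik_policy_binding.app_access` is skipped when `app_access_group_id` is an empty string, and an authentik application with no bindings is, as far as I know, usable by every user, so an empty value silently turns this LDAP application into an unrestricted one. For a directory-facing provider it is safer to fail closed: drop the `count` line so the binding is always created, or keep it and state the consequence, e.g. `# empty group id => no binding => every authentik user can use this app`. The existing trailing comment also says "group's name", although the variable carries a group ID. Separately, the module creates `authentik_provider_ldap.provider_ldap` with no certificate/TLS setting and no outpost; if those are managed elsewhere, a one-line comment saying where would help.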
@@ -0,0 +1,52 @@ +variable "app_name" { + description = "App name" + type = string +} + +variable "app_slug" { + description = "App slug, a human-readable URL identifier, e.g.: Google -> google" + type = string +} + + +variable "app_access_group_id" { + description = "ID of a group which will have access to the app" + type = string +} + + +variable "open_in_new_tab" { + type = bool + description = "Open apps in a new tab" + default = true +} + +variable "app_icon" { + type = string + default = "" +} + +variable "app_description" { + type = string + default = "" +} + +variable "app_publisher" { + type = string + default = "" +} +variable "app_url" { + type = string + default = "" +} + + +variable "base_dn" { + type = string + description = "Base DN" +} + +variable "name" { + type = string + description = "Name" +} diff --git a/tofu/modules/authentik-oidc/main.tf b/tofu/modules/authentik-oidc/main.tf index beb4b02..d78086a 100644 --- a/tofu/modules/authentik-oidc/main.tf +++ b/tofu/modules/authentik-oidc/main.tf @@ -3,7 +3,7 @@ terraform { required_providers { authentik = { source = "goauthentik/authentik" - version = "2025.10.0" + version = "2025.10.1" } } } diff --git a/tofu/modules/authentik-proxy/main.tf b/tofu/modules/authentik-proxy/main.tf index 0d9c6f0..49179aa 100644 --- a/tofu/modules/authentik-proxy/main.tf +++ b/tofu/modules/authentik-proxy/main.tf @@ -3,7 +3,7 @@ terraform { required_providers { authentik = { source = "goauthentik/authentik" - version = "2025.10.0" + version = "2025.10.1" } } } From 6a8d491625c935ea85e4ada6ad893eece90dfe4b Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sat, 10 Jan 2026 02:03:51 +0000 Subject: [PATCH 5/5] chore(deps): update helm release renovate to 45.69.* --- k8s/argo-apps/renovate.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/k8s/argo-apps/renovate.yaml b/k8s/argo-apps/renovate.yaml index 83c3d3a..7ec3ece 100644 --- a/k8s/argo-apps/renovate.yaml +++ b/k8s/argo-apps/renovate.yaml 
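Review bot: Four variables (`app_icon`, `app_description`, `app_publisher`, `app_url`) have no `description`, and `base_dn` / `name` only restate their own names. A caller therefore cannot tell that `name` is the LDAP provider's name (it feeds `authentik_provider_ldap.provider_ldap` in main.tf) rather than the application's. Suggested wording: `description = "Name of the LDAP provider object in authentik"` and `description = "Base DN the LDAP provider serves, e.g. DC=ldap,DC=example,DC=com"`. The `app_access_group_id` description should also say what an empty string means, since main.tf skips the policy binding in that case: `description = "ID of the group allowed to use the app; an empty string creates no binding"`.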
@@ -13,7 +13,7 @@ spec: sources: - chart: renovate repoURL: https://docs.renovatebot.com/helm-charts - targetRevision: 45.21.* + targetRevision: 45.69.* helm: valuesObject: renovate: