chore(deps): update helm release renovate to 39.9.*

.forgejo/workflows/deploy-kaniko.yaml

@@ -20,5 +20,5 @@ jobs:
           password: ${{ secrets.REGISTRY_PASSWORD }}
           cache: true
           registry: git.roboces.dev
-          tag: nextcloud-30.0.2
+          tag: nextcloud-30.0.1
           path: docker/nextcloud

docker/netbird/docker-compose.yml

@@ -23,7 +23,7 @@ services:
         max-size: "500m"
         max-file: "2"
   signal:
-    image: netbirdio/signal:0.31.1
+    image: netbirdio/signal:0.31.0
     restart: unless-stopped
     volumes:
       - netbird-signal:/var/lib/netbird
@@ -35,7 +35,7 @@ services:
         max-size: "500m"
         max-file: "2"
   relay:
-    image: netbirdio/relay:0.31.1
+    image: netbirdio/relay:0.31.0
     restart: unless-stopped
     environment:
       NB_LOG_LEVEL: ${NB_LOG_LEVEL:-info}
@@ -50,7 +50,7 @@ services:
         max-size: "500m"
         max-file: "2"
   management:
-    image: netbirdio/management:0.31.1
+    image: netbirdio/management:0.31.0
     restart: unless-stopped
     depends_on:
       - dashboard
@@ -91,7 +91,7 @@ services:
         max-file: "2"
 
   peer-1:
-    image: netbirdio/netbird:0.31.1
+    image: netbirdio/netbird:0.30.3
     restart: unless-stopped
     volumes:
       - ${NETBIRD_PEER_VOLUME:-/mnt/nas1/shared/netbird/peer-1}/data:/etc/netbird

docker/nextcloud/docker-compose.yml

@@ -14,7 +14,7 @@ services:
       - nextcloud
 
   nextcloud:
-    image: git.roboces.dev/catalin/fukuops:nextcloud-30.0.2
+    image: git.roboces.dev/catalin/fukuops:nextcloud-30.0.1
     volumes:
       - /mnt/nas1/legacy-storage/cloud/cloud/data:/var/www/html/data
       - /mnt/nas1/legacy-storage/cloud/cloud/config:/var/www/html/config
@@ -22,8 +22,6 @@ services:
       - /mnt/nas1/legacy-storage/cloud/cloud/apps:/var/www/html/apps
       - type: tmpfs
         target: /tmp:exec
-      - supervisorlog:/var/log/supervisor:z
-      - supervisorpid:/var/run/supervisord/:z
     environment:
       PHP_MEMORY_LIMIT: ${PHP_MEMORY_LIMIT:-2048M}
       NEXTCLOUD_INIT_HTACCESS: ${NEXTCLOUD_INIT_HTACCESS:-1}
@@ -35,6 +33,3 @@ services:
 
 networks:
   nextcloud: {}
-volumes:
-  supervisorlog: {}
-  supervisorpid: {}

docker/paperless/docker-compose.yml

@@ -14,7 +14,7 @@ services:
 
   webserver:
 
-    image: ghcr.io/paperless-ngx/paperless-ngx:2.13.5
+    image: ghcr.io/paperless-ngx/paperless-ngx:2.13.4
     restart: unless-stopped
     ports:
       - 8002:8000

k8s/argo-apps/forgejo.yaml

@@ -12,7 +12,7 @@ spec:
   sources:
     - chart: forgejo
       repoURL: code.forgejo.org/forgejo-helm
-      targetRevision: 10.1.0
+      targetRevision: 10.0.2
       helm:
         valuesObject:
           replicaCount: 2

k8s/argo-apps/renovate.yaml

@@ -13,7 +13,7 @@ spec:
   sources:
     - chart: renovate
       repoURL: https://docs.renovatebot.com/helm-charts
-      targetRevision: 39.10.*
+      targetRevision: 39.9.*
       helm:
         valuesObject:
           renovate:

k8s/services/miniflux/deployment.yaml

@@ -28,7 +28,7 @@ spec:
     spec:
       containers:
         - name: miniflux
-          image: miniflux/miniflux:2.2.3
+          image: miniflux/miniflux:2.2.2
           imagePullPolicy: Always
           securityContext:
             allowPrivilegeEscalation: false

tofu/authentik/main.tf

@@ -33,6 +33,21 @@ resource "authentik_group" "vpn" {
 }
 
 
+module "firezone" {
+  source              = "../modules/authentik-oidc"
+  app_name            = "Firezone"
+  app_slug            = "firezone"
+  client_id           = var.firezone_client_id
+  client_secret       = var.firezone_client_secret
+  app_access_group_id = authentik_group.admins.id
+  redirect_uris       = ["https://fz.fukurokuju.dev/auth/oidc/authentik/callback/"]
+  app_icon            = "https://www.firezone.dev/icon.svg"
+  app_description     = "VPN"
+  app_publisher       = "Firezone"
+  app_url             = "https://fz.fukurokuju.dev"
+  sub_mode            = "hashed_user_id"
+}
+
 module "gitea" {
   source              = "../modules/authentik-oidc"
   app_name            = "Gitea"
@@ -145,5 +160,4 @@ module "netbird" {
     "goauthentik.io/providers/oauth2/scope-authentik_api"
   ]
   app_icon = "https://vpn.fukurokuju.dev/apple-icon.png"
-  access_token_validity = "days=10"
 }

tofu/modules/authentik-oidc/main.tf

@@ -26,9 +26,6 @@ data "authentik_property_mapping_provider_scope" "default-scopes" {
   ], var.extra_property_mappings)
 }
 
-data "authentik_flow" "default-provider-invalidation-flow" {
-  slug = "default-provider-invalidation-flow "
-}
 
 resource "authentik_provider_oauth2" "provider_oidc" {
   name                  = var.app_name
@@ -43,8 +40,6 @@ resource "authentik_provider_oauth2" "provider_oidc" {
   signing_key           = var.oidc_signing_key
   access_code_validity  = var.access_code_validity
   access_token_validity = var.access_token_validity
-  refresh_token_validity = var.refresh_token_validity
-  invalidation_flow      = data.authentik_flow.default-provider-invalidation-flow.id
 }
 
 

tofu/modules/authentik-oidc/vars.tf

@@ -90,11 +90,6 @@ variable "access_token_validity" {
   default = "minutes=10"
 }
 
-variable "refresh_token_validity" {
-  type    = string
-  default = "days=30"
-}
-
 variable "extra_property_mappings" {
   type    = list(string)
   default = []

tofu/modules/authentik-proxy/main.tf

@@ -16,9 +16,6 @@ data "authentik_flow" "default-authentication-flow" {
   slug = "default-authentication-flow"
 }
 
-data "authentik_flow" "default-provider-invalidation-flow" {
-  slug = "default-provider-invalidation-flow "
-}
 
 resource "authentik_provider_proxy" "provider_proxy" {
   authorization_flow           = data.authentik_flow.default-authorization-flow.id
@@ -27,7 +24,6 @@ resource "authentik_provider_proxy" "provider_proxy" {
   internal_host                = var.internal_host
   name                         = var.app_name
   internal_host_ssl_validation = var.internal_host_ssl_validation
-  invalidation_flow            = data.authentik_flow.default-provider-invalidation-flow.id
 }