chore(deps): update miniflux/miniflux docker tag to v2.2.16

2026-01-07 03:00:06 +00:00
36 changed files with 284 additions and 698 deletions
--- a/docker/forgejo-runner/docker-compose.yml
+++ b/docker/forgejo-runner/docker-compose.yml
@ -1,6 +1,6 @@
 ---
 x-runner-common: &runner-common
-  image: code.forgejo.org/forgejo/runner:12.6.4
+  image: code.forgejo.org/forgejo/runner:11.3.1
  links:
    - docker-in-docker
  depends_on:
--- a/docker/ganymede/docker-compose.yml
+++ b/docker/ganymede/docker-compose.yml
@ -1,48 +0,0 @@
 ---
 services:
  ganymede:
    container_name: ganymede
    image: ghcr.io/zibbp/ganymede:4.11.5
    restart: unless-stopped
    environment:
      DEBUG: ${GANYMEDE_DEBUG:-false}
      TZ: ${GANYMEDE_TZ:-Europe/Madrid}
      VIDEOS_DIR: ${GANYMEDE_VIDEOS_DIR:-/data/videos}
      TEMP_DIR: ${GANYMEDE_TEMP_DIR:-/data/temp}
      LOGS_DIR: ${GANYMEDE_LOGS_DIR:-/data/logs}
      CONFIG_DIR: ${GANYMEDE_CONFIG_DIR:-/data/config}
      DB_HOST: ${GANYMEDE_DB_HOST:-192.168.1.3}
      DB_PORT: ${GANYMEDE_DB_PORT:-5432}
      DB_USER: ${GANYMEDE_DB_USER:-ganymede}
      DB_PASS: ${GANYMEDE_DB_PASS}
      DB_NAME: ${GANYMEDE_DB_NAME:-ganymede}
      DB_SSL: ${GANYMEDE_DB_SSL:-disable}
      TWITCH_CLIENT_ID: ${GANYMEDE_TWITCH_CLIENT_ID}
      TWITCH_CLIENT_SECRET: ${GANYMEDE_TWITCH_CLIENT_SECRET}
      MAX_CHAT_DOWNLOAD_EXECUTIONS: ${GANYMEDE_MAX_CHAT_DOWNLOAD_EXECUTIONS:-3}
      MAX_CHAT_RENDER_EXECUTIONS: ${GANYMEDE_MAX_CHAT_RENDER_EXECUTIONS:-2}
      MAX_VIDEO_DOWNLOAD_EXECUTIONS: ${GANYMEDE_MAX_VIDEO_DOWNLOAD_EXECUTIONS:-2}
      MAX_VIDEO_CONVERT_EXECUTIONS: ${GANYMEDE_MAX_VIDEO_CONVERT_EXECUTIONS:-3}
      MAX_VIDEO_SPRITE_THUMBNAIL_EXECUTIONS: ${GANYMEDE_MAX_VIDEO_SPRITE_THUMBNAIL_EXECUTIONS:-2}
      OAUTH_ENABLED: ${GANYMEDE_OAUTH_ENABLED:-true}
      OAUTH_PROVIDER_URL: ${GANYMEDE_OAUTH_PROVIDER_URL:-https://auth.fukurokuju.dev/application/o/ganymede/}
      OAUTH_CLIENT_ID: ${GANYMEDE_OAUTH_CLIENT_ID}
      OAUTH_CLIENT_SECRET: ${GANYMEDE_OAUTH_CLIENT_SECRET}
      OAUTH_REDIRECT_URL: ${GANYMEDE_OAUTH_REDIRECT_URL:-https://vods.roboces.dev/api/v1/auth/oauth/callback}
      SHOW_SSO_LOGIN_BUTTON: ${GANYMEDE_SHOW_SSO_LOGIN_BUTTON:-true}
      FORCE_SSO_AUTH: ${GANYMEDE_FORCE_SSO_AUTH:-true}
      REQUIRE_LOGIN: ${GANYMEDE_REQUIRE_LOGIN:-true}
    volumes:
      - ${GANYMEDE_VIDEOS:-/mnt/vods/ganymede/videos}:/data/videos
      - ${GANYMEDE_TEMP:-/mnt/vods/ganymede/temp}:/data/temp
      - ${GANYMEDE_CACHE:-/mnt/vods/ganymede/cache}:/data/.cache
      - ${GANYMEDE_LOGS:-/mnt/vods/ganymede/logs}:/data/logs
      - ${GANYMEDE_CONFIG:-/mnt/vods/ganymede/config}:/data/config
    ports:
      - "4800:4000"
    healthcheck:
      test: curl --fail http://localhost:4000/health || exit 1
      interval: 60s
      retries: 5
      start_period: 60s
      timeout: 10s
--- a/docker/ganymede/sample.env
+++ b/docker/ganymede/sample.env
@ -1,27 +0,0 @@
 GANYMEDE_DEBUG=false
 GANYMEDE_TZ=Europe/Madrid
 GANYMEDE_VIDEOS_DIR=/data/videos
 GANYMEDE_TEMP_DIR=/data/temp
 GANYMEDE_LOGS_DIR=/data/logs
 GANYMEDE_CONFIG_DIR=/data/config
 GANYMEDE_DB_HOST=192.168.1.3
 GANYMEDE_DB_PORT=5432
 GANYMEDE_DB_USER=ganymede
 GANYMEDE_DB_PASS=
 GANYMEDE_DB_NAME=ganymede
 GANYMEDE_DB_SSL=disable
 GANYMEDE_TWITCH_CLIENT_ID=
 GANYMEDE_TWITCH_CLIENT_SECRET=
 GANYMEDE_MAX_CHAT_DOWNLOAD_EXECUTIONS=3
 GANYMEDE_MAX_CHAT_RENDER_EXECUTIONS=2
 GANYMEDE_MAX_VIDEO_DOWNLOAD_EXECUTIONS=2
 GANYMEDE_MAX_VIDEO_CONVERT_EXECUTIONS=3
 GANYMEDE_MAX_VIDEO_SPRITE_THUMBNAIL_EXECUTIONS=2
 GANYMEDE_OAUTH_ENABLED=true
 GANYMEDE_OAUTH_PROVIDER_URL=https://auth.fukurokuju.dev/application/o/ganymede/
 GANYMEDE_OAUTH_CLIENT_ID=
 GANYMEDE_OAUTH_CLIENT_SECRET=
 GANYMEDE_OAUTH_REDIRECT_URL=https://vods.roboces.dev/api/v1/auth/oauth/callback
 GANYMEDE_SHOW_SSO_LOGIN_BUTTON=true
 GANYMEDE_FORCE_SSO_AUTH=false
 GANYMEDE_REQUIRE_LOGIN=false
--- a/docker/netbird/docker-compose.yml
+++ b/docker/netbird/docker-compose.yml
@ -0,0 +1,112 @@
 ---
 services:
  dashboard:
    image: netbirdio/dashboard:v2.20.2
    restart: unless-stopped
    ports:
      - 8005:80
    environment:
      NETBIRD_MGMT_API_ENDPOINT: ${NETBIRD_MGMT_API_ENDPOINT:-https://vpn.fukurokuju.dev}
      NETBIRD_MGMT_GRPC_API_ENDPOINT: ${NETBIRD_MGMT_GRPC_API_ENDPOINT:-https://vpn.fukurokuju.dev}
      AUTH_AUDIENCE: ${NETBIRD_AUTH_AUDIENCE:-64e44b85ebdec2a3cf87c0c9916e2dbb0570f6d87b03ca8d149c3551565c3057ce1e559d16b5399cb7df60646e4e2bc6515842a198efb09d1620ea9ac1d8ace2}  # yamllint disable rule:line-length
      AUTH_CLIENT_ID: ${NETBIRD_AUTH_CLIENT_ID:-64e44b85ebdec2a3cf87c0c9916e2dbb0570f6d87b03ca8d149c3551565c3057ce1e559d16b5399cb7df60646e4e2bc6515842a198efb09d1620ea9ac1d8ace2}  # yamllint disable rule:line-length
      AUTH_AUTHORITY: ${NETBIRD_AUTH_AUTHORITY:-https://auth.fukurokuju.dev/application/o/netbird/}
      USE_AUTH0: false
      AUTH_SUPPORTED_SCOPES: ${NETBIRD_AUTH_SUPPORTED_SCOPES:-api offline_access openid email profile}
      AUTH_REDIRECT_URI:
      AUTH_SILENT_REDIRECT_URI:
      NETBIRD_TOKEN_SOURCE: accessToken
      NGINX_SSL_PORT: 443
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
  signal:
    image: netbirdio/signal:0.59.11
    restart: unless-stopped
    volumes:
      - netbird-signal:/var/lib/netbird
    ports:
      - "10000:80"
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
  relay:
    image: netbirdio/relay:0.59.11
    restart: unless-stopped
    environment:
      NB_LOG_LEVEL: ${NB_LOG_LEVEL:-info}
      NB_LISTEN_ADDRESS: ${NB_LISTEN_ADDRESS:-:33080}
      NB_EXPOSED_ADDRESS: ${NB_EXPOSED_ADDRESS:-vpn.fukurokuju.dev:33080}
      NB_AUTH_SECRET: ${NB_AUTH_SECRET}
    ports:
      - "33080:33080"
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
  management:
    image: netbirdio/management:0.59.10
    restart: unless-stopped
    depends_on:
      - dashboard
    volumes:
      - ${NETBIRD_MANAGEMENT_VOLUME:-/mnt/nas1/shared/netbird/management}/data:/var/lib/netbird
      - ${NETBIRD_MANAGEMENT_VOLUME:-/mnt/nas1/shared/netbird/management}/management.json:/etc/netbird/management.json:z
    ports:
      - "33073:443"
    command: [
      "--port", "443",
      "--log-file", "console",
      "--log-level", "info",
      "--disable-anonymous-metrics=false",
      "--single-account-mode-domain=vpn.fukurokuju.dev",
      "--dns-domain=netbird.fuku",
    ]
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
    environment:
      - NETBIRD_STORE_ENGINE_POSTGRES_DSN=
  coturn:
    image: coturn/coturn:4.7
    restart: unless-stopped
    domainname: vpn.fukurokuju.dev
    volumes:
      - ${NETBIRD_COTURN_VOLUME:-/mnt/nas1/shared/netbird/coturn}/turnserver.conf:/etc/turnserver.conf:ro
    network_mode: host
    command:
      - -c /etc/turnserver.conf
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
  peer-1:
    image: netbirdio/netbird:0.59.11
    restart: unless-stopped
    volumes:
      - ${NETBIRD_PEER_VOLUME:-/mnt/nas1/shared/netbird/peer-1}/data:/etc/netbird
    environment:
      NB_MANAGEMENT_URL: https://vpn.fukurokuju.dev:443
      NB_SETUP_KEY: ${NB_SETUP_KEY}
    cap_add:
      - NET_ADMIN
    depends_on:
      - management
      - dashboard
      - relay
      - signal
      - coturn
 volumes:
  netbird-mgmt:
  netbird-signal:
--- a/docker/netbird/sample.env
+++ b/docker/netbird/sample.env
@ -0,0 +1,2 @@
 NB_AUTH_SECRET=
 NB_SETUP_KEY=
--- a/docker/paperless/docker-compose.yml
+++ b/docker/paperless/docker-compose.yml
@ -14,7 +14,7 @@ services:
  webserver:
-    image: ghcr.io/paperless-ngx/paperless-ngx:2.20.6
+    image: ghcr.io/paperless-ngx/paperless-ngx:2.20.0
    restart: unless-stopped
    ports:
      - 8002:8000
--- a/docker/rustical/docker-compose.yml
+++ b/docker/rustical/docker-compose.yml
@ -1,7 +1,7 @@
 ---
 services:
  rustical:
-    image: ghcr.io/lennart-k/rustical:0.12.4
+    image: ghcr.io/lennart-k/rustical:0.10.5
    ports:
      - '4000:4000'
    volumes:
--- a/docker/tailscale/docker-compose.yml
+++ b/docker/tailscale/docker-compose.yml
@ -1,18 +0,0 @@
 ---
 services:
  tailscale:
    image: tailscale/tailscale:v1.92.5
    hostname: tailscale
    environment:
      TS_AUTHKEY: ${TS_AUTHKEY}
      TS_HOSTNAME: ${TS_HOSTNAME:-docker-exit-node}
      TS_EXTRA_ARGS: ${TS_EXTRA_ARGS:---advertise-exit-node}
      TS_ROUTES: ${TS_ROUTES:-192.168.1.0/24}
      TS_STATE_DIR: /var/lib/tailscale
    volumes:
      - ${TS_VOLUME:-/mnt/nas1/shared/tailscale}:/var/lib/tailscale
    devices:
      - /dev/net/tun:/dev/net/tun
    cap_add:
      - net_admin
    restart: unless-stopped
--- a/docker/tailscale/sample.env
+++ b/docker/tailscale/sample.env
@ -1,5 +0,0 @@
 TS_AUTHKEY=
 TS_HOSTNAME=docker-exit-node
 TS_EXTRA_ARGS=--advertise-exit-node
 TS_ROUTES=192.168.1.0/24
 TS_VOLUME=/mnt/nas1/shared/tailscale
--- a/docker/tandoor/docker-compose.yml
+++ b/docker/tandoor/docker-compose.yml
@ -1,21 +0,0 @@
 ---
 services:
  web_recipes:
    restart: always
    image: vabene1111/recipes:2.4.2
    volumes:
      - ${TANDOOR_STATICFILES:-/mnt/nas1/shared/tandoor/staticfiles}:/opt/recipes/staticfiles
      - ${TANDOOR_MEDIAFILES:-/mnt/nas1/shared/tandoor/mediafiles}:/opt/recipes/mediafiles
    environment:
      SECRET_KEY: ${TANDOOR_SECRET_KEY}
      TZ: ${TANDOOR_TZ:-Europe/Madrid}
      ALLOWED_HOSTS: ${TANDOOR_ALLOWED_HOSTS:-recipes.roboces.dev}
      SOCIAL_PROVIDERS: ${TANDOOR_SOCIAL_PROVIDERS:-allauth.socialaccount.providers.openid_connect}
      SOCIALACCOUNT_PROVIDERS: ${TANDOOR_SOCIALACCOUNT_PROVIDERS}
      POSTGRES_HOST: ${TANDOOR_POSTGRES_HOST:-192.168.1.3}
      POSTGRES_DB: ${TANDOOR_POSTGRES_DB:-tandoor}
      POSTGRES_PORT: ${TANDOOR_POSTGRES_PORT:-5432}
      POSTGRES_USER: ${TANDOOR_POSTGRES_USER}
      POSTGRES_PASSWORD: ${TANDOOR_POSTGRES_PASSWORD}
    ports:
      - "8081:80"
--- a/docker/tandoor/sample.env
+++ b/docker/tandoor/sample.env
@ -1,11 +0,0 @@
 TANDOOR_STATICFILES=
 TANDOOR_MEDIAFILES=
 TANDOOR_SECRET_KEY=
 TANDOOR_TZ=Europe/Madrid
 TANDOOR_ALLOWED_HOSTS=
 TANDOOR_SOCIALACCOUNT_PROVIDERS=
 TANDOOR_POSTGRES_HOST=
 TANDOOR_POSTGRES_DB=
 TANDOOR_POSTGRES_PORT=
 TANDOOR_POSTGRES_USER=
 TANDOOR_POSTGRES_PASSWORD=
--- a/docker/vaultwarden/docker-compose.yml
+++ b/docker/vaultwarden/docker-compose.yml
@ -1,7 +1,7 @@
 ---
 services:
  vaultwarden:
-    image: vaultwarden/server:1.35.3-alpine
+    image: vaultwarden/server:1.34.3-alpine
    restart: unless-stopped
    environment:
      DATABASE_URL: ${DATABASE_URL}
--- a/k8s/argo-apps/authentik.yaml
+++ b/k8s/argo-apps/authentik.yaml
@ -12,7 +12,7 @@ spec:
  sources:
    - chart: authentik
      repoURL: https://charts.goauthentik.io/
-      targetRevision: 2025.12.*
+      targetRevision: 2025.10.*
      helm:
        valuesObject:
          authentik:
--- a/k8s/argo-apps/dcsi.yaml
+++ b/k8s/argo-apps/dcsi.yaml
@ -2,39 +2,29 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: democratic-csi
+    name: democratic-csi
-  namespace: argocd
+    namespace: argocd
 spec:
-  destination:
+    destination:
-    name: ''
+        name: ''
-    namespace: democratic-csi
+        namespace: democratic-csi
-    server: https://kubernetes.default.svc
+        server: https://kubernetes.default.svc
-  sources:
+    sources:
-    - chart: democratic-csi
+        - chart: democratic-csi
-      repoURL: https://democratic-csi.github.io/charts/
+          repoURL: https://democratic-csi.github.io/charts/
-      targetRevision: 0.15.*
+          targetRevision: 0.15.*
-      helm:
+          helm:
-        releaseName: zfs-nfs
+              releaseName: zfs-nfs
-        valuesObject:
+              valuesObject:
-          node:
+                  csiDriver:
-            driver:
+                      name: org.dcsi.nfs
-              image:
+                  driver:
-                tag: next
+                      existingConfigSecret: secrets-dcsi
-          controller:
+                      config:
-            driver:
+                          driver: freenas-api-nfs
-              image:
+        - repoURL: https://git.roboces.dev/catalin/fukuops.git
-                tag: next
+          path: k8s/services/dcsi
-          csiDriver:
+          targetRevision: main
-            name: org.dcsi.nfs
+    project: management
-          driver:
+    syncPolicy:
-            image:
+        automated: {}
              tag: next
            existingConfigSecret: secrets-dcsi
            config:
              driver: freenas-api-nfs
    - repoURL: https://git.roboces.dev/catalin/fukuops.git
      path: k8s/services/dcsi
      targetRevision: main
  project: management
  syncPolicy:
    automated: {}
--- a/k8s/argo-apps/factorio.yaml
+++ b/k8s/argo-apps/factorio.yaml
@ -0,0 +1,45 @@
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
    name: factorio
    namespace: argocd
 spec:
    destination:
        name: ''
        namespace: apps-fuku
        server: https://kubernetes.default.svc
    sources:
        - chart: factorio-server-charts
          repoURL: https://sqljames.github.io/factorio-server-charts/
          targetRevision: 2.5.*
          helm:
              valuesObject:
                  rcon:
                      passwordSecret: secrets-factorio
                  nodeSelector:
                      kubernetes.io/hostname: agent1
                  image:
                      tag: latest
                  factorioServer:
                      save_name: fukurokuju-space
                  admin_list:
                      - Phireh
                  account:
                      accountSecret: secrets-factorio
                  server_settings:
                      name: factorio-fukurokuju
                      visibility:
                          public: false
                      require_user_verification: false
                  persistence:
                      storageClassName: truenas-nfs-csi
                  serverPassword:
                      passwordSecret: secrets-factorio
        - repoURL: https://git.roboces.dev/catalin/fukuops.git
          path: k8s/services/factorio
          targetRevision: main
    project: fuku
    syncPolicy:
        automated: {}
--- a/k8s/argo-apps/forgejo.yaml
+++ b/k8s/argo-apps/forgejo.yaml
@ -14,7 +14,7 @@ spec:
  sources:
    - chart: forgejo
      repoURL: code.forgejo.org/forgejo-helm
-      targetRevision: 16.0.2
+      targetRevision: 15.0.3
      helm:
        valuesObject:
          replicaCount: 2
--- a/k8s/argo-apps/kubetail.yaml
+++ b/k8s/argo-apps/kubetail.yaml
@ -12,7 +12,7 @@ spec:
  sources:
    - chart: kubetail
      repoURL: https://kubetail-org.github.io/helm-charts/
-      targetRevision: 0.17.0
+      targetRevision: 0.16.3
      helm:
        valuesObject:
          kubetail:
--- a/k8s/argo-apps/pulse.yaml
+++ b/k8s/argo-apps/pulse.yaml
@ -1,43 +0,0 @@
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: pulse
  namespace: argocd
 spec:
  destination:
    name: ''
    namespace: apps-fuku
    server: https://kubernetes.default.svc
  project: fuku
  syncPolicy:
    automated: {}
  sources:
    - repoURL: https://rcourtman.github.io/Pulse
      chart: pulse
      targetRevision: 5.1.*
      helm:
        valuesObject:
          persistence:
            enabled: true
            size: 10Gi
            storageClass: truenas-nfs-csi
            accessModes:
              - ReadWriteMany
          service:
            type: LoadBalancer
          ingress:
            enabled: true
            hosts:
              - host: pulse.fukurokuju.dev
                paths:
                  - path: /
                    pathType: Prefix
            tls: []
          monitoring:
            serviceMonitor:
              enabled: true
    - path: k8s/services/pulse
      repoURL: https://git.roboces.dev/catalin/fukuops.git
      targetRevision: main
--- a/k8s/argo-apps/renovate.yaml
+++ b/k8s/argo-apps/renovate.yaml
@ -13,7 +13,7 @@ spec:
  sources:
    - chart: renovate
      repoURL: https://docs.renovatebot.com/helm-charts
-      targetRevision: 46.6.*
+      targetRevision: 45.21.*
      helm:
        valuesObject:
          renovate:
--- a/k8s/argo-apps/sealed-secrets.yaml
+++ b/k8s/argo-apps/sealed-secrets.yaml
@ -12,7 +12,7 @@ spec:
    source:
        chart: sealed-secrets
        repoURL: https://bitnami-labs.github.io/sealed-secrets
-        targetRevision: 2.18.*
+        targetRevision: 2.17.*
        helm:
            releaseName: sealed-secrets
            valuesObject:
--- a/k8s/services/argo/project-fuku.yaml
+++ b/k8s/services/argo/project-fuku.yaml
@ -31,5 +31,3 @@ spec:
        - https://groundhog2k.github.io/helm-charts/
        - registry-1.docker.io/cloudpirates
        - https://vmware-tanzu.github.io/helm-charts/
        - https://helm.runix.net
        - https://rcourtman.github.io/Pulse
--- a/k8s/services/miniflux/deployment.yaml
+++ b/k8s/services/miniflux/deployment.yaml
@ -28,7 +28,7 @@ spec:
    spec:
      containers:
        - name: miniflux
-          image: miniflux/miniflux:2.2.17
+          image: miniflux/miniflux:2.2.16
          imagePullPolicy: Always
          securityContext:
            allowPrivilegeEscalation: false
--- a/k8s/services/pulse/ds.yaml
+++ b/k8s/services/pulse/ds.yaml
@ -1,105 +0,0 @@
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: pulse-agent
  namespace: apps-fuku
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: pulse-agent-read
 rules:
  - apiGroups: [""]
    resources: ["nodes", "pods"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: pulse-agent-read
 subjects:
  - kind: ServiceAccount
    name: pulse-agent
    namespace: apps-fuku
 roleRef:
  kind: ClusterRole
  name: pulse-agent-read
  apiGroup: rbac.authorization.k8s.io
 ---
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
  name: pulse-agent
  namespace: apps-fuku
 spec:
  selector:
    matchLabels:
      app: pulse-agent
  template:
    metadata:
      labels:
        app: pulse-agent
    spec:
      serviceAccountName: pulse-agent
      containers:
        - name: pulse-agent
          image: rcourtman/pulse:5.1.8
          command: ["/opt/pulse/bin/pulse-agent-linux-amd64"]
          args:
            - --enable-kubernetes
          env:
            - name: PULSE_URL
              value: "https://pulse.fukurokuju.dev"
            - name: PULSE_TOKEN
              valueFrom:
                secretKeyRef:
                  name: pulse-agent-secrets
                  key: PULSE_TOKEN
            - name: PULSE_AGENT_ID
              value: "k8s-cluster"
            - name: PULSE_ENABLE_HOST
              value: "true"
            - name: HOST_PROC
              value: "/host/proc"
            - name: HOST_SYS
              value: "/host/sys"
            - name: HOST_ETC
              value: "/host/etc"
            - name: PULSE_KUBE_INCLUDE_ALL_PODS
              value: "true"
            - name: PULSE_KUBE_INCLUDE_ALL_DEPLOYMENTS
              value: "true"
          securityContext:
            privileged: true
          resources:
            requests:
              cpu: 50m
              memory: 128Mi
            limits:
              memory: 512Mi
          volumeMounts:
            - name: host-proc
              mountPath: /host/proc
              readOnly: true
            - name: host-sys
              mountPath: /host/sys
              readOnly: true
            - name: host-root
              mountPath: /host/root
              readOnly: true
      volumes:
        - name: host-proc
          hostPath:
            path: /proc
        - name: host-sys
          hostPath:
            path: /sys
        - name: host-root
          hostPath:
            path: /
      tolerations:
        - operator: Exists
--- a/k8s/services/pulse/sealedsecrets.yaml
+++ b/k8s/services/pulse/sealedsecrets.yaml
@ -1,17 +0,0 @@
 # yamllint disable rule:line-length
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: pulse-agent-secrets
  namespace: apps-fuku
 spec:
  encryptedData:
    PULSE_TOKEN: AgBBxrJ80IpJ0RvYKQuN6p3G8vIdSL9nESO9OTAR0NiMjSGZNbNEELKE/a1f2ixQUSsNc/k31c+7GlAi+8PmNC4c7rmRJTe+z3uO/BNNLYeTi7DsEk9/oJZTWn7iOcLogiZJQKxbGozCp/S8zrWisH67N2ZHmzz5UEJAzq57+fBEyAk22/WR0QMfW3oOYHGZFNR5AdAxrdfyRwTvSEOz4R2YlrQKRtOFVIPG/aEaAn42AGYfrq2cLVEiCygjE+8nZQ62TMmQqMiwiCjk5do9uRhhiRimuD78FrNnFU5dSwe/11ji5sSrEPjszPB8O0TBbsCssxfz48cKRm/6IdI9B5pKHYob68Ed8u5UgpRU/ZhUWJLyXuZF/Tgw+WcIsVkQXb3eqQTARBeZueugnA23lnzxh5gjR17wjPw7ePYaLiUWTYikOK5HvgpJyiuB0ev2cjGSqYeeAAn5ewCGM/NODXUAlFdC+N9S7ft1+chJrHoaXgHy8J9LWm/maKW99+yT08a68RvGGoZtFPZNlFjzurNF6EY9SLUFf0RLzShkyq6uuOzLm8gENyDIQ+Ru7wWEwyEcUz4ceAR5I78k0gCIDR1o4Ti22asdbRjMptZdOTbep+PWmu2K1oUvxXtXwgKkn8pvTkJpcdejqehnYPWfRAI3Guxi7LQDf++yShKS1NdXMdjhtFoNLa03xHM/G94sF3/mnJwivNhur1V7iC1yCY5NlruPr4KCd5AgOnKqoreRRvRbCVlFO1mtP6XV4sjqEIhmZyXWFJ76bwAC+hxSlFzL
  template:
    metadata:
      creationTimestamp: null
      name: pulse-agent-secrets
      namespace: apps-fuku
    type: Opaque
--- a/tofu/adguard/main.tf
+++ b/tofu/adguard/main.tf
@ -85,12 +85,8 @@ resource "adguard_rewrite" "master2" {
  answer = "192.168.1.32"
 }
 resource "adguard_rewrite" "k3m3" {
  domain = "k3m3.fuku"
  answer = "192.168.1.43"
 }
 resource "adguard_rewrite" "pulse" {
  answer = "pulse.fukurokuju.dev"
  domain = "192.168.1.12"
 }
--- a/tofu/authentik/.terraform.lock.hcl
+++ b/tofu/authentik/.terraform.lock.hcl
@ -2,36 +2,36 @@
 # Manual edits may be lost in future updates.
 provider "registry.opentofu.org/goauthentik/authentik" {
-  version     = "2025.12.1"
+  version     = "2025.10.0"
-  constraints = "2025.12.1"
+  constraints = "2025.10.0"
  hashes = [
-    "h1:+R2MRgaXvmR1l+nYxYJqMSuvA4VBzfBoh2Er6TnDRPE=",
+    "h1:8nN6b5dEGbJJ5ajovedkO//QP4NrWU5GfrenIHAEyz0=",
-    "h1:1y5I173i8qvxp8GQHBBI/bxkr6YOqY4IqOiJWIUSeeM=",
+    "h1:EZlTiEEZ0a6AvlLuTKAIyhBI4m4poYUX4QW0wyHfIaw=",
-    "h1:XHaltkhuTgyFCCZgpay2orOgc0TyZf0KqrFHNfUgY20=",
+    "h1:ElpISil/0po3r4pb9KK7/pBCSLxL18a6IDHDSMFdmS0=",
-    "h1:XvFByv5e6fKSlayYaXpFD/JbTYZN1ybujVJJjny1Q18=",
+    "h1:F7+3L6JmVEG+PMizB9SuifxbznkZD3462LQpFMOW0M0=",
-    "h1:ZU9d05CLVYBbmdB0IGiG9MueY4/fVo4D6FeyQtbeujA=",
+    "h1:L1sFZI0qKeBpUUCMgQkuRge196DsrHaTUJKJWKm0V2w=",
-    "h1:doHtDOiEIgIUWlUUc9jC7Uqdhj1hsy3etvdYmegcUZM=",
+    "h1:OQgVyUOOLTGyosEpVHzE37h+91nHN5n9lKHt6nAOZyU=",
-    "h1:hUgMx2B40ByfaMA4Al0h7xotp/pZxJJxZZa/HJb6NDc=",
+    "h1:Ph1j1Flr4kXMZKCRlP4Hn0asAz1Yfpk+hf5t6aeF4mc=",
-    "h1:kG5J46qkCdUWJp/1p8CLifqc7Fy54IDZEjYhpmWcars=",
+    "h1:RjitcUcx/3QKUgs74q3ypbf7KQpg8BoNELW6sE4ONqk=",
-    "h1:lNx+bJr11tPJxpkL5aTdOkGwB41O2Kv8fvKuiMl/LLs=",
+    "h1:Vw7hY7KdCtQ3hf00uCekrzdDgBJ2EnPXUAnj3ybLXPQ=",
-    "h1:mSOL+FqSLNkWeXopegyK/MoCkMD/VmW9V3PHLaIePjU=",
+    "h1:fDQcyzUJqHb4qXOyze/Te0Fd3dVMdBcLQ+e2xOtsqbM=",
-    "h1:oCKzPBsyaD1ENda7qbREG3DYV3Opu09ub+msk3vRCkw=",
+    "h1:jKOzsHSorUnub0L+Lq+tPPhHmeKoaiPS8orF9zZf/i0=",
-    "h1:p9AGeRqK50wTHEIp7z7O4MUP83cs+lt7wPajZ9m9TB8=",
+    "h1:kXF4EEV9uzXzshloPfJQQzPbs0YVgjUu5aD+Fj040U0=",
-    "h1:tBoVWDOhByI7cg9TYAAw6LDdMmWLpa2LYwJzzcukdiA=",
+    "h1:pvMaS6PASVHMJxArSG1pAzS5Micb1fMcLz7MF7bO138=",
-    "h1:zHQHXKmlGNYBaWLJ9SuXsJ7dbpsvhDJl5pJi+PFU+2w=",
+    "h1:s3wkHrHE8Q/Dj+PIkvuPviLTUcK6h7aoAArrBKNJ8PE=",
-    "zh:0e856d3b13614bc32346a236a8e84ba55ecd17238c2008d4b3e71aa8cb49f515",
+    "zh:0103a533f474db36223d8dbf2abc80f8d76a162b2e3042a2203f0d426f2c8e16",
-    "zh:2dcc44cd499c18ebbc4f763eff97a7b725763c8ac8fbb5d69c935413ccdc4962",
+    "zh:03302f83cd5784435ef22864a936b88293284bfdc091ff2fd0cc18a40e97bb55",
-    "zh:434100fc75ec7cd6b64cc9497e8273e79325fa8d285e9fd9d341c1a67421643b",
+    "zh:0730ca92f8bc778dba52425d05c5dceb9ae57660797f88132c06a0bf8a4f4f55",
-    "zh:483484f66d2e8ce6fa4bfd91e824ceebf07d10acb5df5f366397c55227c4ae91",
+    "zh:63ace720564b3549d482f0bc68b1f4596a1682faeef5fe4d40163abccda90ceb",
-    "zh:596743a6f1c77a6f103b06ef8d932fe8f2376793b92478853dc84571d17c429f",
+    "zh:8c4acdc358b1f5b1c13192af81bba552c6ad98debd341d836f4adf1fb85610a8",
-    "zh:5ed2d5eb7db13229baaf042c725d5c64b58ffdcc641370175e0a88900af94bf1",
+    "zh:8f101bae1ab303b5e1b91ceb62d11386091a24c2bbd99bca4662bc88f127a8c4",
-    "zh:8aecd4cf782c82bee01098f72fe4ffff83707516007b32a01c7fcb19a9260338",
+    "zh:a683c5338f16d20a1432fbc093c35db388ec7ef9f657d7478e3a04fc72722ad7",
-    "zh:928c05ecac309287ff7d73ed6e478350fe3003557658ae5dc2be817a4268dba7",
+    "zh:a99fcbaf234cb161c8d7018f62946178810c7645436229d05913ff432094734d",
-    "zh:9b9fd36dfb3e75da8b4478485272505ae9a3c67b10db173e1d2d76cfe2b637b8",
+    "zh:aa7fc7a3e05e96522507a86ec50b53473ff3e917f56fb2fc7418070fe29f1abc",
-    "zh:ab7cd8c61ab67a045854e32f0be1940a92746770dbf3c17bbe923e0259c4f897",
+    "zh:bc3b9f7cce5f5fd4116700411c5f3d14c48a9b56115268094882d949b811e53a",
-    "zh:bb1360ec19a4fc1095d0ef1b7b6c5c3c1a91daac7cd1957d43a4cdbb7356a2e3",
+    "zh:cba03e3c31ee1e83fcc25511a34ca5f7132e0bbb41f3edc7c7dc113edd5938db",
-    "zh:d2186f4063aa1a547b52a53745d472e43f5343bc1674f2bbb91421c61b0fab50",
+    "zh:d1f168e7a87a3f74d9932b88daa367242d1e9a2ed1b7b9eaf44fcfcfc190305f",
-    "zh:d74bbb67a77951b18ffd7b2863954e70ac03450ad2023cc305c66a5ff25d8d18",
+    "zh:eb5af50c8e13980da4830c5f23fa7d911ae07740b37cf9d6c5895da95374e940",
-    "zh:f5970569ea0a479bbfbf2d452f5962e1c9bd472b82756db822d0e951363daa25",
+    "zh:f9db4dbb47b257123bb70b770714552d873f9c8e2e8017c1de227757c8dfb074",
  ]
 }
--- a/tofu/authentik/main.tf
+++ b/tofu/authentik/main.tf
@ -8,7 +8,7 @@ terraform {
  required_providers {
    authentik = {
      source  = "goauthentik/authentik"
-      version = "2025.12.1"
+      version = "2025.10.0"
    }
  }
 }
@ -22,11 +22,6 @@ resource "authentik_group" "ci" {
  users = [data.authentik_user.catalin.id]
 }
 resource "authentik_group" "vods" {
  name  = "vods"
  users = [data.authentik_user.catalin.id]
 }
 resource "authentik_group" "admins" {
  name         = "authentik Admins"
  is_superuser = true
@ -52,7 +47,6 @@ resource "authentik_group" "mediamanager" {
  is_superuser = false
 }
 module "gitea" {
  source              = "../modules/authentik-oidc"
  app_name            = "Gitea"
@ -134,7 +128,7 @@ module "sonarr" {
  app_slug                     = "sonarr"
  app_access_group_id          = authentik_group.arrs.id
  app_url                      = "https://sonarr.fukurokuju.dev"
-  internal_host                = "http://192.168.1.3:30113/"
+  internal_host                = "http://192.168.1.3:38013/"
  internal_host_ssl_validation = false
  app_icon                     = "https://sonarr.tv/img/logo.png"
 }
@ -145,7 +139,7 @@ module "radarr" {
  app_slug                     = "radarr"
  app_access_group_id          = authentik_group.arrs.id
  app_url                      = "https://radarr.fukurokuju.dev"
-  internal_host                = "http://192.168.1.3:30025/"
+  internal_host                = "http://192.168.1.3:38012/"
  internal_host_ssl_validation = false
  app_icon                     = "https://radarr.video/img/background/logo.png"
 }
@ -156,7 +150,7 @@ module "lidarr" {
  app_slug                     = "lidarr"
  app_access_group_id          = authentik_group.arrs.id
  app_url                      = "https://lidarr.fukurokuju.dev"
-  internal_host                = "http://192.168.1.3:30071/"
+  internal_host                = "http://192.168.1.3:38010/"
  internal_host_ssl_validation = false
  app_icon                     = "https://lidarr.audio/img/background/logo.png"
 }
@ -177,7 +171,7 @@ module "prowlarr" {
  app_slug                     = "prowlarr"
  app_access_group_id          = authentik_group.admins.id
  app_url                      = "https://prowlarr.fukurokuju.dev"
-  internal_host                = "http://192.168.1.3:30050"
+  internal_host                = "http://192.168.1.3:38014"
  internal_host_ssl_validation = false
 }
@ -205,70 +199,53 @@ module "sftpgo" {
  sub_mode              = "user_username"
 }
 module "netbird" {
  source              = "../modules/authentik-oidc"
  app_name            = "netbird"
  app_slug            = "netbird"
  client_id           = var.netbird_client_id
  client_type         = "public"
  app_access_group_id = authentik_group.vpn.id
  redirect_uris = [
    {
      matching_mode = "strict",
      url           = "https://vpn.fukurokuju.dev",
    },
    {
      matching_mode = "regex",
      url           = "https://vpn.fukurokuju.dev.*",
    },
    {
      matching_mode = "strict",
      url           = "http://localhost:53000"
    },
  ]
  sub_mode = "user_id"
  extra_property_mappings = [
    "goauthentik.io/providers/oauth2/scope-authentik_api"
  ]
  app_icon              = "https://vpn.fukurokuju.dev/apple-icon.png"
  access_token_validity = "days=10"
  client_secret         = ""
 }
 module "rustical" {
  source              = "../modules/authentik-oidc"
  app_name            = "rustical"
  app_slug            = "rustical"
  app_url             = "https://cal.roboces.dev"
  client_id           = var.rustical_client_id
  client_secret       = var.rustical_client_secret
  redirect_uris       = [{ matching_mode = "strict", url = "https://cal.roboces.dev/frontend/login/oidc/callback" }]
  app_access_group_id = ""
 }
-module "jellyfin" {
+module "mediamanager" {
  source              = "../modules/authentik-ldap"
  app_name            = "Jellyfin"
  app_slug            = "jellyfin"
  base_dn             = "DC=ldap,DC=fukurokuju,DC=dev"
  name                = "jellyfin"
  app_url             = "https://jelly.roboces.dev"
  app_icon            = "https://jelly.roboces.dev/web/touchicon.f5bbb798cb2c65908633.png"
  app_access_group_id = authentik_group.arrs.id
 }
 module "tandoor" {
  source              = "../modules/authentik-oidc"
-  app_name            = "Tandoor"
+  app_name            = "mediamanager"
-  app_slug            = "tandoor"
+  app_slug            = "mediamanager"
-  app_access_group_id = ""
+  client_id           = var.mediamanager_client_id
-  app_url             = "https://recipes.roboces.dev"
+  client_secret       = var.mediamanager_client_secret
-  redirect_uris       = [{ matching_mode = "strict", url = "https://recipes.roboces.dev/accounts/oidc/authentik/login/callback/" }]
+  redirect_uris       = [{ matching_mode = "strict", url = "https://mediamanager.roboces.dev/api/v1/auth/oauth/callback" }]
-  app_icon            = "https://recipes.roboces.dev/static/assets/logo_color_192.c9b9177ff941.png"
+  app_access_group_id = authentik_group.mediamanager.id
  client_id           = var.tandoor_client_id
  client_secret       = var.tandoor_client_secret
 }
 module "ganymede" {
  source              = "../modules/authentik-oidc"
  app_name            = "Ganymede"
  app_slug            = "ganymede"
  redirect_uris       = [{ matching_mode = "strict", url = "https://vods.roboces.dev/api/v1/auth/oauth/callback" }]
  client_id           = var.ganymede_client_id
  client_secret       = var.ganymede_client_secret
  app_url             = "https://vods.roboces.dev"
  app_icon            = "https://vods.roboces.dev/favicon.ico"
  app_access_group_id = authentik_group.vods.id
 }
 module "jellyseerr" {
  source              = "../modules/authentik-app"
  app_name            = "Solicitudes Jelly"
  app_slug            = "jellyseer"
  app_url             = "https://requests.roboces.dev"
  app_icon            = "https://requests.roboces.dev/os_icon.svg"
  app_description     = "Solicita series, animes y pelis para ser añadidas automáticamente a Jellyfin"
  app_access_group_id = authentik_group.arrs.id
 }
 module "pulse" {
  source              = "../modules/authentik-oidc"
  app_name            = "Pulse"
  app_slug            = "pulse"
  app_url             = "https://pulse.fukurokuju.dev"
  client_id           = var.pulse_client_id
  client_secret       = var.pulse_client_secret
  app_icon            = "https://pulse.fukurokuju.dev/logo.svg"
  redirect_uris       = [{ matching_mode = "strict", url = "https://pulse.fukurokuju.dev/api/oidc/callback" }]
  app_access_group_id = authentik_group.admins.id
 }
--- a/tofu/authentik/sample.env
+++ b/tofu/authentik/sample.env
@ -10,11 +10,8 @@ TF_VAR_paperless_client_id=
 TF_VAR_paperless_client_secret=
 TF_VAR_sftpgo_client_id=
 TF_VAR_sftpgo_client_secret=
 TF_VAR_netbird_client_id=
 TF_VAR_rustical_client_id=
 TF_VAR_rustical_client_secret=
-TF_VAR_tandoor_client_id=
+TF_VAR_mediamanager_client_id=
-TF_VAR_tandoor_client_secret=
+TF_VAR_mediamanager_client_secret=
 TF_VAR_ganymede_client_id=
 TF_VAR_ganymede_client_secret=
 TF_VAR_pulse_client_id=
 TF_VAR_pulse_client_secret=
--- a/tofu/authentik/vars.tf
+++ b/tofu/authentik/vars.tf
@ -39,6 +39,12 @@ variable "paperless_client_secret" {
  type        = string
 }
 variable "netbird_client_id" {
  description = "Netbird client ID"
  type        = string
 }
 variable "sftpgo_client_id" {
  description = "SFTPGo client ID"
  type        = string
@ -55,36 +61,16 @@ variable "rustical_client_id" {
 }
 variable "rustical_client_secret" {
-  description = "Tandoor client secret"
+  description = "Rustical client secret"
  type        = string
 }
-variable "tandoor_client_id" {
+variable "mediamanager_client_id" {
-  description = "Tandoor client ID"
+  description = "MediaManager client ID"
  type        = string
 }
-variable "tandoor_client_secret" {
+variable "mediamanager_client_secret" {
-  description = "Tandoor client secret"
+  description = "MediaManager client secret"
  type        = string
 }
 variable "ganymede_client_id" {
  description = "Ganymede client ID"
  type        = string
 }
 variable "ganymede_client_secret" {
  description = "Ganymede client secret"
  type        = string
 }
 variable "pulse_client_id" {
  description = "Pulse client ID"
  type        = string
 }
 variable "pulse_client_secret" {
  description = "Pulse client secret"
  type        = string
 }
--- a/tofu/modules/authentik-app/main.tf
+++ b/tofu/modules/authentik-app/main.tf
@ -1,26 +0,0 @@
 terraform {
  required_version = ">= 1.6"
  required_providers {
    authentik = {
      source  = "goauthentik/authentik"
      version = "2025.12.1"
    }
  }
 }
 resource "authentik_application" "app" {
  name             = var.app_name
  slug             = var.app_slug
  open_in_new_tab  = var.open_in_new_tab
  meta_icon        = var.app_icon
  meta_description = var.app_description
  meta_publisher   = var.app_publisher
  meta_launch_url  = var.app_url
 }
 resource "authentik_policy_binding" "app_access" {
  target = authentik_application.app.uuid
  group  = var.app_access_group_id
  order  = 0
  count  = var.app_access_group_id != "" ? 1 : 0 # only add it if the group's name exists
 }
--- a/tofu/modules/authentik-app/vars.tf
+++ b/tofu/modules/authentik-app/vars.tf
@ -1,62 +0,0 @@
 variable "app_name" {
  description = "App name"
  type        = string
 }
 variable "app_slug" {
  description = "App slug, a human-readable URL identifier, e.g.: Google -> google"
  type        = string
 }
 variable "client_type" {
  type    = string
  default = "confidential"
  validation {
    condition     = contains(["confidential", "public"], var.client_type)
    error_message = "client_type must be 'confidential' or 'public'"
  }
 }
 variable "app_access_group_id" {
  description = "ID of a group which will have access to the app"
  type        = string
 }
 variable "sub_mode" {
  type    = string
  default = "user_username"
  validation {
    condition     = contains(["user_id", "user_username", "hashed_user_id"], var.sub_mode)
    error_message = "sub_mode must be 'user_id', 'user_username' or 'hashed_user_id'"
  }
 }
 variable "open_in_new_tab" {
  type        = bool
  description = "Open apps in a new tab"
  default     = true
 }
 variable "app_icon" {
  type    = string
  default = ""
 }
 variable "app_description" {
  type    = string
  default = ""
 }
 variable "app_publisher" {
  type    = string
  default = ""
 }
 variable "app_url" {
  type    = string
  default = ""
 }
--- a/tofu/modules/authentik-ldap/.terraform.lock.hcl
+++ b/tofu/modules/authentik-ldap/.terraform.lock.hcl
@ -1,37 +0,0 @@
 # This file is maintained automatically by "tofu init".
 # Manual edits may be lost in future updates.
 provider "registry.opentofu.org/goauthentik/authentik" {
  version     = "2025.12.1"
  constraints = "2025.12.1"
  hashes = [
    "h1:+R2MRgaXvmR1l+nYxYJqMSuvA4VBzfBoh2Er6TnDRPE=",
    "h1:1y5I173i8qvxp8GQHBBI/bxkr6YOqY4IqOiJWIUSeeM=",
    "h1:XHaltkhuTgyFCCZgpay2orOgc0TyZf0KqrFHNfUgY20=",
    "h1:XvFByv5e6fKSlayYaXpFD/JbTYZN1ybujVJJjny1Q18=",
    "h1:ZU9d05CLVYBbmdB0IGiG9MueY4/fVo4D6FeyQtbeujA=",
    "h1:doHtDOiEIgIUWlUUc9jC7Uqdhj1hsy3etvdYmegcUZM=",
    "h1:hUgMx2B40ByfaMA4Al0h7xotp/pZxJJxZZa/HJb6NDc=",
    "h1:kG5J46qkCdUWJp/1p8CLifqc7Fy54IDZEjYhpmWcars=",
    "h1:lNx+bJr11tPJxpkL5aTdOkGwB41O2Kv8fvKuiMl/LLs=",
    "h1:mSOL+FqSLNkWeXopegyK/MoCkMD/VmW9V3PHLaIePjU=",
    "h1:oCKzPBsyaD1ENda7qbREG3DYV3Opu09ub+msk3vRCkw=",
    "h1:p9AGeRqK50wTHEIp7z7O4MUP83cs+lt7wPajZ9m9TB8=",
    "h1:tBoVWDOhByI7cg9TYAAw6LDdMmWLpa2LYwJzzcukdiA=",
    "h1:zHQHXKmlGNYBaWLJ9SuXsJ7dbpsvhDJl5pJi+PFU+2w=",
    "zh:0e856d3b13614bc32346a236a8e84ba55ecd17238c2008d4b3e71aa8cb49f515",
    "zh:2dcc44cd499c18ebbc4f763eff97a7b725763c8ac8fbb5d69c935413ccdc4962",
    "zh:434100fc75ec7cd6b64cc9497e8273e79325fa8d285e9fd9d341c1a67421643b",
    "zh:483484f66d2e8ce6fa4bfd91e824ceebf07d10acb5df5f366397c55227c4ae91",
    "zh:596743a6f1c77a6f103b06ef8d932fe8f2376793b92478853dc84571d17c429f",
    "zh:5ed2d5eb7db13229baaf042c725d5c64b58ffdcc641370175e0a88900af94bf1",
    "zh:8aecd4cf782c82bee01098f72fe4ffff83707516007b32a01c7fcb19a9260338",
    "zh:928c05ecac309287ff7d73ed6e478350fe3003557658ae5dc2be817a4268dba7",
    "zh:9b9fd36dfb3e75da8b4478485272505ae9a3c67b10db173e1d2d76cfe2b637b8",
    "zh:ab7cd8c61ab67a045854e32f0be1940a92746770dbf3c17bbe923e0259c4f897",
    "zh:bb1360ec19a4fc1095d0ef1b7b6c5c3c1a91daac7cd1957d43a4cdbb7356a2e3",
    "zh:d2186f4063aa1a547b52a53745d472e43f5343bc1674f2bbb91421c61b0fab50",
    "zh:d74bbb67a77951b18ffd7b2863954e70ac03450ad2023cc305c66a5ff25d8d18",
    "zh:f5970569ea0a479bbfbf2d452f5962e1c9bd472b82756db822d0e951363daa25",
  ]
 }
--- a/tofu/modules/authentik-ldap/main.tf
+++ b/tofu/modules/authentik-ldap/main.tf
@ -1,45 +0,0 @@
 terraform {
  required_version = ">= 1.6"
  required_providers {
    authentik = {
      source  = "goauthentik/authentik"
      version = "2025.12.1"
    }
  }
 }
 data "authentik_flow" "default-authentication-flow" {
  slug = "default-authentication-flow"
 }
 data "authentik_flow" "default-invalidation-flow" {
  slug = "default-invalidation-flow"
 }
 resource "authentik_provider_ldap" "provider_ldap" {
  base_dn     = var.base_dn
  bind_flow   = data.authentik_flow.default-authentication-flow.id
  name        = var.name
  unbind_flow = data.authentik_flow.default-invalidation-flow.id
 }
 resource "authentik_application" "app" {
  name              = var.app_name
  slug              = var.app_slug
  protocol_provider = authentik_provider_ldap.provider_ldap.id
  open_in_new_tab   = var.open_in_new_tab
  meta_icon         = var.app_icon
  meta_description  = var.app_description
  meta_publisher    = var.app_publisher
  meta_launch_url   = var.app_url
 }
 resource "authentik_policy_binding" "app_access" {
  target = authentik_application.app.uuid
  group  = var.app_access_group_id
  order  = 0
  count  = var.app_access_group_id != "" ? 1 : 0 # only add it if the group's name exists
 }
--- a/tofu/modules/authentik-ldap/vars.tf
+++ b/tofu/modules/authentik-ldap/vars.tf
@ -1,52 +0,0 @@
 variable "app_name" {
  description = "App name"
  type        = string
 }
 variable "app_slug" {
  description = "App slug, a human-readable URL identifier, e.g.: Google -> google"
  type        = string
 }
 variable "app_access_group_id" {
  description = "ID of a group which will have access to the app"
  type        = string
 }
 variable "open_in_new_tab" {
  type        = bool
  description = "Open apps in a new tab"
  default     = true
 }
 variable "app_icon" {
  type    = string
  default = ""
 }
 variable "app_description" {
  type    = string
  default = ""
 }
 variable "app_publisher" {
  type    = string
  default = ""
 }
 variable "app_url" {
  type    = string
  default = ""
 }
 variable "base_dn" {
  type        = string
  description = "Base DN"
 }
 variable "name" {
  type        = string
  description = "Name"
 }
--- a/tofu/modules/authentik-oidc/main.tf
+++ b/tofu/modules/authentik-oidc/main.tf
@ -3,7 +3,7 @@ terraform {
  required_providers {
    authentik = {
      source  = "goauthentik/authentik"
-      version = "2025.12.1"
+      version = "2025.10.0"
    }
  }
 }
--- a/tofu/modules/authentik-proxy/main.tf
+++ b/tofu/modules/authentik-proxy/main.tf
@ -3,7 +3,7 @@ terraform {
  required_providers {
    authentik = {
      source  = "goauthentik/authentik"
-      version = "2025.12.1"
+      version = "2025.10.0"
    }
  }
 }