diff --git a/.forgejo/workflows/deploy-kaniko.yaml b/.forgejo/workflows/deploy-kaniko.yaml
index 8bbf265..55bb901 100644
--- a/.forgejo/workflows/deploy-kaniko.yaml
+++ b/.forgejo/workflows/deploy-kaniko.yaml
@@ -20,5 +20,5 @@ jobs:
 password: ${{ secrets.REGISTRY_PASSWORD }} cache: true registry: git.roboces.dev - tag: nextcloud-30.0.1 + tag: nextcloud-30.0.2 path: docker/nextcloud
diff --git a/docker/netbird/docker-compose.yml b/docker/netbird/docker-compose.yml
index 65f9a64..32b75c6 100644
--- a/docker/netbird/docker-compose.yml
+++ b/docker/netbird/docker-compose.yml
@@ -23,7 +23,7 @@ services:
 max-size: "500m" max-file: "2" signal: - image: netbirdio/signal:0.31.0 + image: netbirdio/signal:0.31.1 restart: unless-stopped volumes: - netbird-signal:/var/lib/netbird
@@ -35,7 +35,7 @@ services:
 max-size: "500m" max-file: "2" relay: - image: netbirdio/relay:0.31.0 + image: netbirdio/relay:0.31.1 restart: unless-stopped environment: NB_LOG_LEVEL: ${NB_LOG_LEVEL:-info}
@@ -50,7 +50,7 @@ services:
 max-size: "500m" max-file: "2" management: - image: netbirdio/management:0.31.0 + image: netbirdio/management:0.31.1 restart: unless-stopped depends_on: - dashboard
@@ -91,7 +91,7 @@ services:
 max-file: "2" peer-1: - image: netbirdio/netbird:0.30.3 + image: netbirdio/netbird:0.31.1 restart: unless-stopped volumes: - ${NETBIRD_PEER_VOLUME:-/mnt/nas1/shared/netbird/peer-1}/data:/etc/netbird
diff --git a/docker/nextcloud/docker-compose.yml b/docker/nextcloud/docker-compose.yml
index b85a715..c8cdfc0 100644
--- a/docker/nextcloud/docker-compose.yml
+++ b/docker/nextcloud/docker-compose.yml
@@ -14,7 +14,7 @@ services:
 - nextcloud nextcloud: - image: git.roboces.dev/catalin/fukuops:nextcloud-30.0.1 + image: git.roboces.dev/catalin/fukuops:nextcloud-30.0.2 volumes: - /mnt/nas1/legacy-storage/cloud/cloud/data:/var/www/html/data - /mnt/nas1/legacy-storage/cloud/cloud/config:/var/www/html/config
@@ -22,6 +22,8 @@ services:
 - /mnt/nas1/legacy-storage/cloud/cloud/apps:/var/www/html/apps - type: tmpfs target: /tmp:exec + - supervisorlog:/var/log/supervisor:z + - supervisorpid:/var/run/supervisord/:z environment: PHP_MEMORY_LIMIT: ${PHP_MEMORY_LIMIT:-2048M} NEXTCLOUD_INIT_HTACCESS: ${NEXTCLOUD_INIT_HTACCESS:-1}
@@ -33,3 +35,6 @@ services:
 networks: nextcloud: {} +volumes: + supervisorlog: {} + supervisorpid: {}
diff --git a/docker/paperless/docker-compose.yml b/docker/paperless/docker-compose.yml
index b3eb597..3b08f63 100644
--- a/docker/paperless/docker-compose.yml
+++ b/docker/paperless/docker-compose.yml
@@ -14,7 +14,7 @@ services:
 webserver: - image: ghcr.io/paperless-ngx/paperless-ngx:2.13.4 + image: ghcr.io/paperless-ngx/paperless-ngx:2.13.5 restart: unless-stopped ports: - 8002:8000
diff --git a/docker/vaultwarden/docker-compose.yml b/docker/vaultwarden/docker-compose.yml
index 4d5e7e7..ca332bd 100644
--- a/docker/vaultwarden/docker-compose.yml
+++ b/docker/vaultwarden/docker-compose.yml
@@ -1,7 +1,7 @@
 --- services: vaultwarden: - image: vaultwarden/server:1.32.3-alpine + image: vaultwarden/server:1.32.4-alpine restart: unless-stopped environment: DATABASE_URL: ${DATABASE_URL}
diff --git a/k8s/argo-apps/elastic.yaml b/k8s/argo-apps/elastic.yaml
index 6eb6dcb..c69baf0 100644
--- a/k8s/argo-apps/elastic.yaml
+++ b/k8s/argo-apps/elastic.yaml
@@ -12,7 +12,7 @@ spec:
 sources: - chart: elasticsearch repoURL: registry-1.docker.io/bitnamicharts - targetRevision: 21.3.22 + targetRevision: 21.3.24 helm: valuesObject: service:
diff --git a/k8s/argo-apps/factorio.yaml b/k8s/argo-apps/factorio.yaml
index cd69c5f..cd2d97d 100644
--- a/k8s/argo-apps/factorio.yaml
+++ b/k8s/argo-apps/factorio.yaml
@@ -12,7 +12,7 @@ spec:
 sources: - chart: factorio-server-charts repoURL: https://sqljames.github.io/factorio-server-charts/ - targetRevision: 2.2.* + targetRevision: 2.5.* helm: valuesObject: rcon:
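Review bot: Mounting supervisord's runtime directory from a named volume (`- supervisorpid:/var/run/supervisord/:z`) persists its pid file, and any socket placed alongside it, across container restarts, and a stale pid or socket left behind by an unclean stop is a common reason for supervisord to refuse to start; runtime state like this fits the tmpfs pattern already used for `/tmp:exec` better, `- type: tmpfs` / `target: /var/run/supervisord`, which also makes the `supervisorpid: {}` entry in the trailing `volumes:` hunk unnecessary. The trailing slash on `/var/run/supervisord/` is inconsistent with the sibling `/var/log/supervisor` target. `:z` is an SELinux relabel option aimed at bind mounts, so on a named volume it is most likely redundant and only suggests a host path is involved. The enclosing `nextcloud:` service definition starts before this hunk.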
diff --git a/k8s/argo-apps/forgejo.yaml b/k8s/argo-apps/forgejo.yaml
index 9565b31..6179c7c 100644
--- a/k8s/argo-apps/forgejo.yaml
+++ b/k8s/argo-apps/forgejo.yaml
@@ -12,7 +12,7 @@ spec:
 sources: - chart: forgejo repoURL: code.forgejo.org/forgejo-helm - targetRevision: 10.0.2 + targetRevision: 10.1.0 helm: valuesObject: replicaCount: 2
diff --git a/k8s/argo-apps/renovate.yaml b/k8s/argo-apps/renovate.yaml
index 5aa26eb..841ef4f 100644
--- a/k8s/argo-apps/renovate.yaml
+++ b/k8s/argo-apps/renovate.yaml
@@ -13,7 +13,7 @@ spec:
 sources: - chart: renovate repoURL: https://docs.renovatebot.com/helm-charts - targetRevision: 39.8.* + targetRevision: 39.10.* helm: valuesObject: renovate:
diff --git a/k8s/services/miniflux/deployment.yaml b/k8s/services/miniflux/deployment.yaml
index c2e8186..31752ee 100644
--- a/k8s/services/miniflux/deployment.yaml
+++ b/k8s/services/miniflux/deployment.yaml
@@ -28,7 +28,7 @@ spec:
 spec: containers: - name: miniflux - image: miniflux/miniflux:2.2.2 + image: miniflux/miniflux:2.2.3 imagePullPolicy: Always securityContext: allowPrivilegeEscalation: false
diff --git a/tofu/authentik/main.tf b/tofu/authentik/main.tf
index 246f494..358a36f 100644
--- a/tofu/authentik/main.tf
+++ b/tofu/authentik/main.tf
@@ -33,21 +33,6 @@ resource "authentik_group" "vpn" {
 } -module "firezone" { - source = "../modules/authentik-oidc" - app_name = "Firezone" - app_slug = "firezone" - client_id = var.firezone_client_id - client_secret = var.firezone_client_secret - app_access_group_id = authentik_group.admins.id - redirect_uris = ["https://fz.fukurokuju.dev/auth/oidc/authentik/callback/"] - app_icon = "https://www.firezone.dev/icon.svg" - app_description = "VPN" - app_publisher = "Firezone" - app_url = "https://fz.fukurokuju.dev" - sub_mode = "hashed_user_id" -} - module "gitea" { source = "../modules/authentik-oidc" app_name = "Gitea"
@@ -159,5 +144,6 @@ module "netbird" {
 extra_property_mappings = [ "goauthentik.io/providers/oauth2/scope-authentik_api" ] - app_icon = "https://vpn.fukurokuju.dev/apple-icon.png" + app_icon = "https://vpn.fukurokuju.dev/apple-icon.png" + access_token_validity = "days=10" }
diff --git a/tofu/modules/authentik-oidc/main.tf b/tofu/modules/authentik-oidc/main.tf
index 8fa7348..1560dcc 100644
--- a/tofu/modules/authentik-oidc/main.tf
+++ b/tofu/modules/authentik-oidc/main.tf
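Review bot: `access_token_validity = "days=10"` raises this provider's access-token lifetime from the module default of `minutes=10` (visible in the vars.tf hunk below) to ten days, and the same provider carries the `goauthentik.io/providers/oauth2/scope-authentik_api` mapping a few lines up, so a leaked access token would presumably be usable against the authentik API for that whole window. If NetBird needs long-lived access tokens for its integration, a comment above the line citing that requirement would stop the next reader from trimming it; otherwise the `refresh_token_validity` the module gains in this commit is the mechanism for long sessions while keeping access tokens short. The `module "netbird"` block starts before this hunk.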
@@ -26,20 +26,25 @@ data "authentik_property_mapping_provider_scope" "default-scopes" {
 ], var.extra_property_mappings) } +data "authentik_flow" "default-provider-invalidation-flow" { + slug = "default-provider-invalidation-flow " +} resource "authentik_provider_oauth2" "provider_oidc" { - name = var.app_name - client_id = var.client_id - client_secret = var.client_secret - client_type = var.client_type - authorization_flow = data.authentik_flow.default-authorization-flow.id - authentication_flow = data.authentik_flow.default-authentication-flow.id - redirect_uris = var.redirect_uris - property_mappings = data.authentik_property_mapping_provider_scope.default-scopes.ids - sub_mode = var.sub_mode - signing_key = var.oidc_signing_key - access_code_validity = var.access_code_validity - access_token_validity = var.access_token_validity + name = var.app_name + client_id = var.client_id + client_secret = var.client_secret + client_type = var.client_type + authorization_flow = data.authentik_flow.default-authorization-flow.id + authentication_flow = data.authentik_flow.default-authentication-flow.id + redirect_uris = var.redirect_uris + property_mappings = data.authentik_property_mapping_provider_scope.default-scopes.ids + sub_mode = var.sub_mode + signing_key = var.oidc_signing_key + access_code_validity = var.access_code_validity + access_token_validity = var.access_token_validity + refresh_token_validity = var.refresh_token_validity + invalidation_flow = data.authentik_flow.default-provider-invalidation-flow.id }
diff --git a/tofu/modules/authentik-oidc/vars.tf b/tofu/modules/authentik-oidc/vars.tf
index 56796af..ee9583e 100644
--- a/tofu/modules/authentik-oidc/vars.tf
+++ b/tofu/modules/authentik-oidc/vars.tf
@@ -90,6 +90,11 @@ variable "access_token_validity" {
 default = "minutes=10" } +variable "refresh_token_validity" { + type = string + default = "days=30" +} + variable "extra_property_mappings" { type = list(string) default = []
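Review bot: The new data source's slug carries a trailing space, `slug = "default-provider-invalidation-flow "`, so the lookup will not match a flow whose slug is `default-provider-invalidation-flow` and the plan should fail at that data source (or, at best, depend on the server ignoring whitespace); the identical typo is in the `authentik-proxy` module hunk below. Drop the space in both places: `slug = "default-provider-invalidation-flow"`. Wiring `invalidation_flow` into both providers presumably also needs a provider release that exposes that attribute, so pinning that minimum in the modules' `required_providers` would make the upgrade explicit. The new `data` block is not separated from the following `resource` by the blank line the neighbouring blocks keep, which `terraform fmt` will not fix on its own.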
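Review bot: `variable "refresh_token_validity"` states neither what it controls nor the accepted format; a `description = "Lifetime of refresh tokens issued by the OIDC provider, in the same form as access_token_validity (e.g. \"days=30\")"` would let callers set it without reading main.tf. The sibling `access_token_validity` shown in the context above has the same gap, though that predates this commit.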
diff --git a/tofu/modules/authentik-proxy/main.tf b/tofu/modules/authentik-proxy/main.tf
index 6e3951c..8583eda 100644
--- a/tofu/modules/authentik-proxy/main.tf
+++ b/tofu/modules/authentik-proxy/main.tf
@@ -16,6 +16,9 @@ data "authentik_flow" "default-authentication-flow" {
 slug = "default-authentication-flow" } +data "authentik_flow" "default-provider-invalidation-flow" { + slug = "default-provider-invalidation-flow " +} resource "authentik_provider_proxy" "provider_proxy" { authorization_flow = data.authentik_flow.default-authorization-flow.id
@@ -24,6 +27,7 @@ resource "authentik_provider_proxy" "provider_proxy" {
 internal_host = var.internal_host name = var.app_name internal_host_ssl_validation = var.internal_host_ssl_validation + invalidation_flow = data.authentik_flow.default-provider-invalidation-flow.id }