From c3560f7a6f2d995d7c1a60f989acb5ca7f9990aa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?c=C4=83t=C4=83lin?= Date: Fri, 9 Jan 2026 11:24:37 +0100 Subject: [PATCH 01/43] chore(deps): update dcsi's images to v1.9.5 --- k8s/argo-apps/dcsi.yaml | 60 ++++++++++++++++++++++++----------------- 1 file changed, 35 insertions(+), 25 deletions(-) diff --git a/k8s/argo-apps/dcsi.yaml b/k8s/argo-apps/dcsi.yaml index 13a5a3c..563de65 100644 --- a/k8s/argo-apps/dcsi.yaml +++ b/k8s/argo-apps/dcsi.yaml @@ -2,29 +2,39 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: democratic-csi - namespace: argocd + name: democratic-csi + namespace: argocd spec: - destination: - name: '' - namespace: democratic-csi - server: https://kubernetes.default.svc - sources: - - chart: democratic-csi - repoURL: https://democratic-csi.github.io/charts/ - targetRevision: 0.15.* - helm: - releaseName: zfs-nfs - valuesObject: - csiDriver: - name: org.dcsi.nfs - driver: - existingConfigSecret: secrets-dcsi - config: - driver: freenas-api-nfs - - repoURL: https://git.roboces.dev/catalin/fukuops.git - path: k8s/services/dcsi - targetRevision: main - project: management - syncPolicy: - automated: {} + destination: + name: '' + namespace: democratic-csi + server: https://kubernetes.default.svc + sources: + - chart: democratic-csi + repoURL: https://democratic-csi.github.io/charts/ + targetRevision: 0.15.* + helm: + releaseName: zfs-nfs + valuesObject: + node: + driver: + image: + tag: 1.9.5 + controller: + driver: + image: + tag: 1.9.5 + csiDriver: + name: org.dcsi.nfs + driver: + image: + tag: 1.9.5 + existingConfigSecret: secrets-dcsi + config: + driver: freenas-api-nfs + - repoURL: https://git.roboces.dev/catalin/fukuops.git + path: k8s/services/dcsi + targetRevision: main + project: management + syncPolicy: + automated: {} From 2354f5971bdb53fd63797bfce1d006b708ed4a6d Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Tue, 6 Jan 2026 02:25:01 +0000 Subject: [PATCH 02/43] chore(deps): update ghcr.io/paperless-ngx/paperless-ngx docker tag to v2.20.3 --- docker/paperless/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/paperless/docker-compose.yml b/docker/paperless/docker-compose.yml index 58acc07..e1f79a8 100644 --- a/docker/paperless/docker-compose.yml +++ b/docker/paperless/docker-compose.yml @@ -14,7 +14,7 @@ services: webserver: - image: ghcr.io/paperless-ngx/paperless-ngx:2.20.0 + image: ghcr.io/paperless-ngx/paperless-ngx:2.20.3 restart: unless-stopped ports: - 8002:8000 From a856c4b230d24f75af36e7793a02061dde1658a9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?c=C4=83t=C4=83lin?= Date: Fri, 9 Jan 2026 12:50:53 +0100 Subject: [PATCH 03/43] feat: add authentik-ldap module --- k8s/argo-apps/dcsi.yaml | 6 +-- tofu/authentik/.terraform.lock.hcl | 47 ++++++----------- tofu/authentik/main.tf | 17 +++--- tofu/authentik/sample.env | 2 - .../authentik-ldap/.terraform.lock.hcl | 24 +++++++++ tofu/modules/authentik-ldap/main.tf | 45 ++++++++++++++++ tofu/modules/authentik-ldap/vars.tf | 52 +++++++++++++++++++ tofu/modules/authentik-oidc/main.tf | 2 +- tofu/modules/authentik-proxy/main.tf | 2 +- 9 files changed, 151 insertions(+), 46 deletions(-) create mode 100644 tofu/modules/authentik-ldap/.terraform.lock.hcl create mode 100644 tofu/modules/authentik-ldap/main.tf create mode 100644 tofu/modules/authentik-ldap/vars.tf diff --git a/k8s/argo-apps/dcsi.yaml b/k8s/argo-apps/dcsi.yaml index 563de65..9c9e48d 100644 --- a/k8s/argo-apps/dcsi.yaml +++ b/k8s/argo-apps/dcsi.yaml @@ -19,16 +19,16 @@ spec: node: driver: image: - tag: 1.9.5 + tag: next controller: driver: image: - tag: 1.9.5 + tag: next csiDriver: name: org.dcsi.nfs driver: image: - tag: 1.9.5 + tag: next existingConfigSecret: secrets-dcsi config: driver: freenas-api-nfs diff --git a/tofu/authentik/.terraform.lock.hcl b/tofu/authentik/.terraform.lock.hcl index ce22035..de2d5a9 100644 --- a/tofu/authentik/.terraform.lock.hcl +++ b/tofu/authentik/.terraform.lock.hcl @@ -2,36 +2,23 @@ # Manual edits may be lost in future updates. provider "registry.opentofu.org/goauthentik/authentik" { - version = "2025.10.0" - constraints = "2025.10.0" + version = "2025.10.1" + constraints = "2025.10.1" hashes = [ - "h1:8nN6b5dEGbJJ5ajovedkO//QP4NrWU5GfrenIHAEyz0=", - "h1:EZlTiEEZ0a6AvlLuTKAIyhBI4m4poYUX4QW0wyHfIaw=", - "h1:ElpISil/0po3r4pb9KK7/pBCSLxL18a6IDHDSMFdmS0=", - "h1:F7+3L6JmVEG+PMizB9SuifxbznkZD3462LQpFMOW0M0=", - "h1:L1sFZI0qKeBpUUCMgQkuRge196DsrHaTUJKJWKm0V2w=", - "h1:OQgVyUOOLTGyosEpVHzE37h+91nHN5n9lKHt6nAOZyU=", - "h1:Ph1j1Flr4kXMZKCRlP4Hn0asAz1Yfpk+hf5t6aeF4mc=", - "h1:RjitcUcx/3QKUgs74q3ypbf7KQpg8BoNELW6sE4ONqk=", - "h1:Vw7hY7KdCtQ3hf00uCekrzdDgBJ2EnPXUAnj3ybLXPQ=", - "h1:fDQcyzUJqHb4qXOyze/Te0Fd3dVMdBcLQ+e2xOtsqbM=", - "h1:jKOzsHSorUnub0L+Lq+tPPhHmeKoaiPS8orF9zZf/i0=", - "h1:kXF4EEV9uzXzshloPfJQQzPbs0YVgjUu5aD+Fj040U0=", - "h1:pvMaS6PASVHMJxArSG1pAzS5Micb1fMcLz7MF7bO138=", - "h1:s3wkHrHE8Q/Dj+PIkvuPviLTUcK6h7aoAArrBKNJ8PE=", - "zh:0103a533f474db36223d8dbf2abc80f8d76a162b2e3042a2203f0d426f2c8e16", - "zh:03302f83cd5784435ef22864a936b88293284bfdc091ff2fd0cc18a40e97bb55", - "zh:0730ca92f8bc778dba52425d05c5dceb9ae57660797f88132c06a0bf8a4f4f55", - "zh:63ace720564b3549d482f0bc68b1f4596a1682faeef5fe4d40163abccda90ceb", - "zh:8c4acdc358b1f5b1c13192af81bba552c6ad98debd341d836f4adf1fb85610a8", - "zh:8f101bae1ab303b5e1b91ceb62d11386091a24c2bbd99bca4662bc88f127a8c4", - "zh:a683c5338f16d20a1432fbc093c35db388ec7ef9f657d7478e3a04fc72722ad7", - "zh:a99fcbaf234cb161c8d7018f62946178810c7645436229d05913ff432094734d", - "zh:aa7fc7a3e05e96522507a86ec50b53473ff3e917f56fb2fc7418070fe29f1abc", - "zh:bc3b9f7cce5f5fd4116700411c5f3d14c48a9b56115268094882d949b811e53a", - "zh:cba03e3c31ee1e83fcc25511a34ca5f7132e0bbb41f3edc7c7dc113edd5938db", - "zh:d1f168e7a87a3f74d9932b88daa367242d1e9a2ed1b7b9eaf44fcfcfc190305f", - "zh:eb5af50c8e13980da4830c5f23fa7d911ae07740b37cf9d6c5895da95374e940", - "zh:f9db4dbb47b257123bb70b770714552d873f9c8e2e8017c1de227757c8dfb074", + "h1:X0bV1LqI7nu4np+xiGP8yLVfyl6rh/XNXz7QQ7Hsr6g=", + "zh:02ac2478c8901043a0455b8b6b8185e9814786bd802a9aa6d4126d4f56d4735d", + "zh:24d680732a9ea72a86c1e7bf4aa13ab9cc0c60ee4bd4cae8af43670eff88edd9", + "zh:4f415f177671eeea2234eb835479bbb710e811e60864cec6a00ee0e03a412fa3", + "zh:55498caa20504dd52a1870823e15dec6c78948eac2e6ec98e6ec122b5407630b", + "zh:570f9ca7f909bda94b97feab7898ef392e01ae6178d8a9d36aac984d8a433ec1", + "zh:92ac78b97e2d5310ed82233980f941ebecf69ae1f9d03f3e719d8687aa6f4cc7", + "zh:95f852a4e7d22daac86901ebc6b327d5987832b707ad3fd3aeff6c36dd088717", + "zh:98c8659f468a58a9d224b2fca9d5909d39bcabf9e2593e9b4a574dbffb6e2dca", + "zh:a7d1428ec803ae794ebb05d772fa44020827a6b762a5b2da11869fc618ea59cd", + "zh:b1ef054b09fed4282c625a38a4aa6d1276c58e541f4cffcc716aa7d2b773f30a", + "zh:b95e3edeb0da3ee0c0392afa18957cf7d41b2f71ed08a50f4bf38010aaf77d30", + "zh:c3ce9f57889e6bb33f34ee4cc4463a77652b811351bbb25e6fc5ba9dc0c61e14", + "zh:f6d2fe811ad5c242ced99a6b51b2d7f60f060d4bc6837fe1026c2abb7cb6f9a4", + "zh:f78b8e20e7d9f53e1622051c706369a7c6d0f1e37c16df67a214697cd5d0a4fb", ] } diff --git a/tofu/authentik/main.tf b/tofu/authentik/main.tf index 5b58c64..7b27b0c 100644 --- a/tofu/authentik/main.tf +++ b/tofu/authentik/main.tf @@ -8,7 +8,7 @@ terraform { required_providers { authentik = { source = "goauthentik/authentik" - version = "2025.10.0" + version = "2025.10.1" } } } @@ -240,12 +240,11 @@ module "rustical" { app_access_group_id = "" } -module "mediamanager" { - source = "../modules/authentik-oidc" - app_name = "mediamanager" - app_slug = "mediamanager" - client_id = var.mediamanager_client_id - client_secret = var.mediamanager_client_secret - redirect_uris = [{ matching_mode = "strict", url = "https://mediamanager.roboces.dev/api/v1/auth/oauth/callback" }] - app_access_group_id = authentik_group.mediamanager.id +module "jellyfin" { + source = "../modules/authentik-ldap" + app_name = "Jellyfin" + app_slug = "jellyfin" + base_dn = "DC=ldap,DC=fukurokuju,DC=dev" + name = "jellyfin" + app_access_group_id = authentik_group.arrs.id } diff --git a/tofu/authentik/sample.env b/tofu/authentik/sample.env index f7ff6ea..a784c41 100644 --- a/tofu/authentik/sample.env +++ b/tofu/authentik/sample.env @@ -13,5 +13,3 @@ TF_VAR_sftpgo_client_secret= TF_VAR_netbird_client_id= TF_VAR_rustical_client_id= TF_VAR_rustical_client_secret= -TF_VAR_mediamanager_client_id= -TF_VAR_mediamanager_client_secret= diff --git a/tofu/modules/authentik-ldap/.terraform.lock.hcl b/tofu/modules/authentik-ldap/.terraform.lock.hcl new file mode 100644 index 0000000..de2d5a9 --- /dev/null +++ b/tofu/modules/authentik-ldap/.terraform.lock.hcl @@ -0,0 +1,24 @@ +# This file is maintained automatically by "tofu init". +# Manual edits may be lost in future updates. + +provider "registry.opentofu.org/goauthentik/authentik" { + version = "2025.10.1" + constraints = "2025.10.1" + hashes = [ + "h1:X0bV1LqI7nu4np+xiGP8yLVfyl6rh/XNXz7QQ7Hsr6g=", + "zh:02ac2478c8901043a0455b8b6b8185e9814786bd802a9aa6d4126d4f56d4735d", + "zh:24d680732a9ea72a86c1e7bf4aa13ab9cc0c60ee4bd4cae8af43670eff88edd9", + "zh:4f415f177671eeea2234eb835479bbb710e811e60864cec6a00ee0e03a412fa3", + "zh:55498caa20504dd52a1870823e15dec6c78948eac2e6ec98e6ec122b5407630b", + "zh:570f9ca7f909bda94b97feab7898ef392e01ae6178d8a9d36aac984d8a433ec1", + "zh:92ac78b97e2d5310ed82233980f941ebecf69ae1f9d03f3e719d8687aa6f4cc7", + "zh:95f852a4e7d22daac86901ebc6b327d5987832b707ad3fd3aeff6c36dd088717", + "zh:98c8659f468a58a9d224b2fca9d5909d39bcabf9e2593e9b4a574dbffb6e2dca", + "zh:a7d1428ec803ae794ebb05d772fa44020827a6b762a5b2da11869fc618ea59cd", + "zh:b1ef054b09fed4282c625a38a4aa6d1276c58e541f4cffcc716aa7d2b773f30a", + "zh:b95e3edeb0da3ee0c0392afa18957cf7d41b2f71ed08a50f4bf38010aaf77d30", + "zh:c3ce9f57889e6bb33f34ee4cc4463a77652b811351bbb25e6fc5ba9dc0c61e14", + "zh:f6d2fe811ad5c242ced99a6b51b2d7f60f060d4bc6837fe1026c2abb7cb6f9a4", + "zh:f78b8e20e7d9f53e1622051c706369a7c6d0f1e37c16df67a214697cd5d0a4fb", + ] +} diff --git a/tofu/modules/authentik-ldap/main.tf b/tofu/modules/authentik-ldap/main.tf new file mode 100644 index 0000000..19cf5a6 --- /dev/null +++ b/tofu/modules/authentik-ldap/main.tf @@ -0,0 +1,45 @@ +terraform { + required_version = ">= 1.6" + required_providers { + authentik = { + source = "goauthentik/authentik" + version = "2025.10.1" + } + } +} + + +data "authentik_flow" "default-authentication-flow" { + slug = "default-authentication-flow" +} + +data "authentik_flow" "default-invalidation-flow" { + slug = "default-invalidation-flow" +} + + +resource "authentik_provider_ldap" "provider_ldap" { + base_dn = var.base_dn + bind_flow = data.authentik_flow.default-authentication-flow.id + name = var.name + unbind_flow = data.authentik_flow.default-invalidation-flow.id +} + + +resource "authentik_application" "app" { + name = var.app_name + slug = var.app_slug + protocol_provider = authentik_provider_ldap.provider_ldap.id + open_in_new_tab = var.open_in_new_tab + meta_icon = var.app_icon + meta_description = var.app_description + meta_publisher = var.app_publisher + meta_launch_url = var.app_url +} + +resource "authentik_policy_binding" "app_access" { + target = authentik_application.app.uuid + group = var.app_access_group_id + order = 0 + count = var.app_access_group_id != "" ? 1 : 0 # only add it if the group's name exists +} diff --git a/tofu/modules/authentik-ldap/vars.tf b/tofu/modules/authentik-ldap/vars.tf new file mode 100644 index 0000000..3d44d35 --- /dev/null +++ b/tofu/modules/authentik-ldap/vars.tf @@ -0,0 +1,52 @@ +variable "app_name" { + description = "App name" + type = string +} + +variable "app_slug" { + description = "App slug, a human-readable URL identifier, e.g.: Google -> google" + type = string +} + + +variable "app_access_group_id" { + description = "ID of a group which will have access to the app" + type = string +} + + +variable "open_in_new_tab" { + type = bool + description = "Open apps in a new tab" + default = true +} + +variable "app_icon" { + type = string + default = "" +} + +variable "app_description" { + type = string + default = "" +} + +variable "app_publisher" { + type = string + default = "" +} +variable "app_url" { + type = string + default = "" +} + + +variable "base_dn" { + type = string + description = "Base DN" +} + +variable "name" { + type = string + description = "Name" +} diff --git a/tofu/modules/authentik-oidc/main.tf b/tofu/modules/authentik-oidc/main.tf index beb4b02..d78086a 100644 --- a/tofu/modules/authentik-oidc/main.tf +++ b/tofu/modules/authentik-oidc/main.tf @@ -3,7 +3,7 @@ terraform { required_providers { authentik = { source = "goauthentik/authentik" - version = "2025.10.0" + version = "2025.10.1" } } } diff --git a/tofu/modules/authentik-proxy/main.tf b/tofu/modules/authentik-proxy/main.tf index 0d9c6f0..49179aa 100644 --- a/tofu/modules/authentik-proxy/main.tf +++ b/tofu/modules/authentik-proxy/main.tf @@ -3,7 +3,7 @@ terraform { required_providers { authentik = { source = "goauthentik/authentik" - version = "2025.10.0" + version = "2025.10.1" } } } From b0a23c7c056c41090350c45eb895ce8c82477469 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sun, 11 Jan 2026 05:54:36 +0000 Subject: [PATCH 04/43] chore(deps): update ghcr.io/lennart-k/rustical docker tag to v0.11.11 --- docker/rustical/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/rustical/docker-compose.yml b/docker/rustical/docker-compose.yml index 662a7df..8bd23bf 100644 --- a/docker/rustical/docker-compose.yml +++ b/docker/rustical/docker-compose.yml @@ -1,7 +1,7 @@ --- services: rustical: - image: ghcr.io/lennart-k/rustical:0.10.5 + image: ghcr.io/lennart-k/rustical:0.11.11 ports: - '4000:4000' volumes: From b0daf0c1bec41d9fb17f542d34152f0b7aa91aac Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sat, 10 Jan 2026 02:03:10 +0000 Subject: [PATCH 05/43] chore(deps): update code.forgejo.org/forgejo-helm/forgejo docker tag to v15.0.4 --- k8s/argo-apps/forgejo.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/k8s/argo-apps/forgejo.yaml b/k8s/argo-apps/forgejo.yaml index 277a779..4edfbf5 100644 --- a/k8s/argo-apps/forgejo.yaml +++ b/k8s/argo-apps/forgejo.yaml @@ -14,7 +14,7 @@ spec: sources: - chart: forgejo repoURL: code.forgejo.org/forgejo-helm - targetRevision: 15.0.3 + targetRevision: 15.0.4 helm: valuesObject: replicaCount: 2 From 951fc71b18494d6db756a77e37e1bae63ca16a62 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Mon, 12 Jan 2026 02:08:49 +0000 Subject: [PATCH 06/43] chore(deps): update helm release sealed-secrets to 2.18.* --- k8s/argo-apps/sealed-secrets.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/k8s/argo-apps/sealed-secrets.yaml b/k8s/argo-apps/sealed-secrets.yaml index d60c2ec..c180041 100644 --- a/k8s/argo-apps/sealed-secrets.yaml +++ b/k8s/argo-apps/sealed-secrets.yaml @@ -12,7 +12,7 @@ spec: source: chart: sealed-secrets repoURL: https://bitnami-labs.github.io/sealed-secrets - targetRevision: 2.17.* + targetRevision: 2.18.* helm: releaseName: sealed-secrets valuesObject: From b99cb2c04054a6c7cf5d1afa5263210e3cca9552 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Wed, 14 Jan 2026 03:22:02 +0000 Subject: [PATCH 07/43] chore(deps): update helm release renovate to 45.74.* --- k8s/argo-apps/renovate.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/k8s/argo-apps/renovate.yaml b/k8s/argo-apps/renovate.yaml index 83c3d3a..73787dd 100644 --- a/k8s/argo-apps/renovate.yaml +++ b/k8s/argo-apps/renovate.yaml @@ -13,7 +13,7 @@ spec: sources: - chart: renovate repoURL: https://docs.renovatebot.com/helm-charts - targetRevision: 45.21.* + targetRevision: 45.74.* helm: valuesObject: renovate: From 806dc64134e07291213b783da153b10724c00c2a Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sat, 17 Jan 2026 03:00:29 +0000 Subject: [PATCH 08/43] chore(deps): update ghcr.io/lennart-k/rustical docker tag to v0.11.17 --- docker/rustical/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/rustical/docker-compose.yml b/docker/rustical/docker-compose.yml index 8bd23bf..d5361b7 100644 --- a/docker/rustical/docker-compose.yml +++ b/docker/rustical/docker-compose.yml @@ -1,7 +1,7 @@ --- services: rustical: - image: ghcr.io/lennart-k/rustical:0.11.11 + image: ghcr.io/lennart-k/rustical:0.11.17 ports: - '4000:4000' volumes: From 2c176d77003efe7ac2a47ba52101077de538da57 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sat, 17 Jan 2026 03:00:50 +0000 Subject: [PATCH 09/43] chore(deps): update ghcr.io/paperless-ngx/paperless-ngx docker tag to v2.20.4 --- docker/paperless/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/paperless/docker-compose.yml b/docker/paperless/docker-compose.yml index e1f79a8..06bb407 100644 --- a/docker/paperless/docker-compose.yml +++ b/docker/paperless/docker-compose.yml @@ -14,7 +14,7 @@ services: webserver: - image: ghcr.io/paperless-ngx/paperless-ngx:2.20.3 + image: ghcr.io/paperless-ngx/paperless-ngx:2.20.4 restart: unless-stopped ports: - 8002:8000 From 8281d9a0509f66550807b8dc3a537a3e2526f884 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Tue, 20 Jan 2026 03:28:17 +0000 Subject: [PATCH 10/43] chore(deps): update ghcr.io/lennart-k/rustical docker tag to v0.12.0 --- docker/rustical/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/rustical/docker-compose.yml b/docker/rustical/docker-compose.yml index d5361b7..ccaff81 100644 --- a/docker/rustical/docker-compose.yml +++ b/docker/rustical/docker-compose.yml @@ -1,7 +1,7 @@ --- services: rustical: - image: ghcr.io/lennart-k/rustical:0.11.17 + image: ghcr.io/lennart-k/rustical:0.12.0 ports: - '4000:4000' volumes: From 8341c04580b9a022f7b8de43791f757e7a371fdd Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sun, 18 Jan 2026 03:16:28 +0000 Subject: [PATCH 11/43] chore(deps): update code.forgejo.org/forgejo-helm/forgejo docker tag to v15.1.0 --- k8s/argo-apps/forgejo.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/k8s/argo-apps/forgejo.yaml b/k8s/argo-apps/forgejo.yaml index 4edfbf5..1f49a0c 100644 --- a/k8s/argo-apps/forgejo.yaml +++ b/k8s/argo-apps/forgejo.yaml @@ -14,7 +14,7 @@ spec: sources: - chart: forgejo repoURL: code.forgejo.org/forgejo-helm - targetRevision: 15.0.4 + targetRevision: 15.1.0 helm: valuesObject: replicaCount: 2 From fd2870513788877a5f6d4b8b57c1a9f1cf5b9d36 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Tue, 20 Jan 2026 03:27:40 +0000 Subject: [PATCH 12/43] chore(deps): update ghcr.io/paperless-ngx/paperless-ngx docker tag to v2.20.5 --- docker/paperless/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/paperless/docker-compose.yml b/docker/paperless/docker-compose.yml index 06bb407..7e14770 100644 --- a/docker/paperless/docker-compose.yml +++ b/docker/paperless/docker-compose.yml @@ -14,7 +14,7 @@ services: webserver: - image: ghcr.io/paperless-ngx/paperless-ngx:2.20.4 + image: ghcr.io/paperless-ngx/paperless-ngx:2.20.5 restart: unless-stopped ports: - 8002:8000 From 63db0bc4c37d661dc36b0abd450338fb0cbef791 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Wed, 21 Jan 2026 03:22:01 +0000 Subject: [PATCH 13/43] chore(deps): update ghcr.io/lennart-k/rustical docker tag to v0.12.1 --- docker/rustical/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/rustical/docker-compose.yml b/docker/rustical/docker-compose.yml index ccaff81..1b2688e 100644 --- a/docker/rustical/docker-compose.yml +++ b/docker/rustical/docker-compose.yml @@ -1,7 +1,7 @@ --- services: rustical: - image: ghcr.io/lennart-k/rustical:0.12.0 + image: ghcr.io/lennart-k/rustical:0.12.1 ports: - '4000:4000' volumes: From 7f92604fb04477f7cf52035ca9c9cb31fd8ec2e8 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sun, 18 Jan 2026 03:16:41 +0000 Subject: [PATCH 14/43] chore(deps): update helm release kubetail to v0.17.0 --- k8s/argo-apps/kubetail.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/k8s/argo-apps/kubetail.yaml b/k8s/argo-apps/kubetail.yaml index 453b3b8..b7d79e3 100644 --- a/k8s/argo-apps/kubetail.yaml +++ b/k8s/argo-apps/kubetail.yaml @@ -12,7 +12,7 @@ spec: sources: - chart: kubetail repoURL: https://kubetail-org.github.io/helm-charts/ - targetRevision: 0.16.3 + targetRevision: 0.17.0 helm: valuesObject: kubetail: From 6356c4954832bad834c27befc4ae8c5aa7bdeab7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?c=C4=83t=C4=83lin?= Date: Mon, 26 Jan 2026 10:13:27 +0100 Subject: [PATCH 15/43] chore(deps): update authentik to 2025.12 --- k8s/argo-apps/authentik.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/k8s/argo-apps/authentik.yaml b/k8s/argo-apps/authentik.yaml index 045afd6..b046a8b 100644 --- a/k8s/argo-apps/authentik.yaml +++ b/k8s/argo-apps/authentik.yaml @@ -12,7 +12,7 @@ spec: sources: - chart: authentik repoURL: https://charts.goauthentik.io/ - targetRevision: 2025.10.* + targetRevision: 2025.12.* helm: valuesObject: authentik: From 0764181b9048fa49d064a8b32265db86081aed54 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?c=C4=83t=C4=83lin?= Date: Mon, 26 Jan 2026 17:38:03 +0100 Subject: [PATCH 16/43] feat: remove netbird --- docker/netbird/docker-compose.yml | 112 ---------------------------- docker/netbird/sample.env | 2 - k8s/services/argo/project-fuku.yaml | 1 + 3 files changed, 1 insertion(+), 114 deletions(-) delete mode 100644 docker/netbird/docker-compose.yml delete mode 100644 docker/netbird/sample.env diff --git a/docker/netbird/docker-compose.yml b/docker/netbird/docker-compose.yml deleted file mode 100644 index 76dc7af..0000000 --- a/docker/netbird/docker-compose.yml +++ /dev/null @@ -1,112 +0,0 @@ ---- -services: - dashboard: - image: netbirdio/dashboard:v2.20.2 - restart: unless-stopped - ports: - - 8005:80 - environment: - NETBIRD_MGMT_API_ENDPOINT: ${NETBIRD_MGMT_API_ENDPOINT:-https://vpn.fukurokuju.dev} - NETBIRD_MGMT_GRPC_API_ENDPOINT: ${NETBIRD_MGMT_GRPC_API_ENDPOINT:-https://vpn.fukurokuju.dev} - AUTH_AUDIENCE: ${NETBIRD_AUTH_AUDIENCE:-64e44b85ebdec2a3cf87c0c9916e2dbb0570f6d87b03ca8d149c3551565c3057ce1e559d16b5399cb7df60646e4e2bc6515842a198efb09d1620ea9ac1d8ace2} # yamllint disable rule:line-length - AUTH_CLIENT_ID: ${NETBIRD_AUTH_CLIENT_ID:-64e44b85ebdec2a3cf87c0c9916e2dbb0570f6d87b03ca8d149c3551565c3057ce1e559d16b5399cb7df60646e4e2bc6515842a198efb09d1620ea9ac1d8ace2} # yamllint disable rule:line-length - AUTH_AUTHORITY: ${NETBIRD_AUTH_AUTHORITY:-https://auth.fukurokuju.dev/application/o/netbird/} - USE_AUTH0: false - AUTH_SUPPORTED_SCOPES: ${NETBIRD_AUTH_SUPPORTED_SCOPES:-api offline_access openid email profile} - AUTH_REDIRECT_URI: - AUTH_SILENT_REDIRECT_URI: - NETBIRD_TOKEN_SOURCE: accessToken - NGINX_SSL_PORT: 443 - logging: - driver: "json-file" - options: - max-size: "500m" - max-file: "2" - signal: - image: netbirdio/signal:0.59.11 - restart: unless-stopped - volumes: - - netbird-signal:/var/lib/netbird - ports: - - "10000:80" - logging: - driver: "json-file" - options: - max-size: "500m" - max-file: "2" - relay: - image: netbirdio/relay:0.59.11 - restart: unless-stopped - environment: - NB_LOG_LEVEL: ${NB_LOG_LEVEL:-info} - NB_LISTEN_ADDRESS: ${NB_LISTEN_ADDRESS:-:33080} - NB_EXPOSED_ADDRESS: ${NB_EXPOSED_ADDRESS:-vpn.fukurokuju.dev:33080} - NB_AUTH_SECRET: ${NB_AUTH_SECRET} - ports: - - "33080:33080" - logging: - driver: "json-file" - options: - max-size: "500m" - max-file: "2" - management: - image: netbirdio/management:0.59.10 - restart: unless-stopped - depends_on: - - dashboard - volumes: - - ${NETBIRD_MANAGEMENT_VOLUME:-/mnt/nas1/shared/netbird/management}/data:/var/lib/netbird - - ${NETBIRD_MANAGEMENT_VOLUME:-/mnt/nas1/shared/netbird/management}/management.json:/etc/netbird/management.json:z - ports: - - "33073:443" - command: [ - "--port", "443", - "--log-file", "console", - "--log-level", "info", - "--disable-anonymous-metrics=false", - "--single-account-mode-domain=vpn.fukurokuju.dev", - "--dns-domain=netbird.fuku", - ] - logging: - driver: "json-file" - options: - max-size: "500m" - max-file: "2" - environment: - - NETBIRD_STORE_ENGINE_POSTGRES_DSN= - - coturn: - image: coturn/coturn:4.7 - restart: unless-stopped - domainname: vpn.fukurokuju.dev - volumes: - - ${NETBIRD_COTURN_VOLUME:-/mnt/nas1/shared/netbird/coturn}/turnserver.conf:/etc/turnserver.conf:ro - network_mode: host - command: - - -c /etc/turnserver.conf - logging: - driver: "json-file" - options: - max-size: "500m" - max-file: "2" - - peer-1: - image: netbirdio/netbird:0.59.11 - restart: unless-stopped - volumes: - - ${NETBIRD_PEER_VOLUME:-/mnt/nas1/shared/netbird/peer-1}/data:/etc/netbird - environment: - NB_MANAGEMENT_URL: https://vpn.fukurokuju.dev:443 - NB_SETUP_KEY: ${NB_SETUP_KEY} - cap_add: - - NET_ADMIN - depends_on: - - management - - dashboard - - relay - - signal - - coturn - -volumes: - netbird-mgmt: - netbird-signal: diff --git a/docker/netbird/sample.env b/docker/netbird/sample.env deleted file mode 100644 index 6a76871..0000000 --- a/docker/netbird/sample.env +++ /dev/null @@ -1,2 +0,0 @@ -NB_AUTH_SECRET= -NB_SETUP_KEY= diff --git a/k8s/services/argo/project-fuku.yaml b/k8s/services/argo/project-fuku.yaml index c4ab6ee..43e602a 100644 --- a/k8s/services/argo/project-fuku.yaml +++ b/k8s/services/argo/project-fuku.yaml @@ -31,3 +31,4 @@ spec: - https://groundhog2k.github.io/helm-charts/ - registry-1.docker.io/cloudpirates - https://vmware-tanzu.github.io/helm-charts/ + - https://helm.runix.net From d0b57297ea4e07badffeb1c48c09d3c15d458311 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?c=C4=83t=C4=83lin?= Date: Mon, 26 Jan 2026 19:37:42 +0100 Subject: [PATCH 17/43] feat: add tandoor --- docker/tandoor/docker-compose.yml | 21 ++++++++++++++++ docker/tandoor/sample.env | 11 +++++++++ tofu/authentik/main.tf | 40 ++++++++----------------------- tofu/authentik/sample.env | 3 ++- tofu/authentik/vars.tf | 16 ++++--------- 5 files changed, 49 insertions(+), 42 deletions(-) create mode 100644 docker/tandoor/docker-compose.yml create mode 100644 docker/tandoor/sample.env diff --git a/docker/tandoor/docker-compose.yml b/docker/tandoor/docker-compose.yml new file mode 100644 index 0000000..8133b76 --- /dev/null +++ b/docker/tandoor/docker-compose.yml @@ -0,0 +1,21 @@ +--- +services: + web_recipes: + restart: always + image: vabene1111/recipes:2.3.6 + volumes: + - ${TANDOOR_STATICFILES:-/mnt/nas1/shared/tandoor/staticfiles}:/opt/recipes/staticfiles + - ${TANDOOR_MEDIAFILES:-/mnt/nas1/shared/tandoor/mediafiles}:/opt/recipes/mediafiles + environment: + SECRET_KEY: ${TANDOOR_SECRET_KEY} + TZ: ${TANDOOR_TZ:-Europe/Madrid} + ALLOWED_HOSTS: ${TANDOOR_ALLOWED_HOSTS:-recipes.roboces.dev} + SOCIAL_PROVIDERS: ${TANDOOR_SOCIAL_PROVIDERS:-allauth.socialaccount.providers.openid_connect} + SOCIALACCOUNT_PROVIDERS: ${TANDOOR_SOCIALACCOUNT_PROVIDERS} + POSTGRES_HOST: ${TANDOOR_POSTGRES_HOST:-192.168.1.3} + POSTGRES_DB: ${TANDOOR_POSTGRES_DB:-tandoor} + POSTGRES_PORT: ${TANDOOR_POSTGRES_PORT:-5432} + POSTGRES_USER: ${TANDOOR_POSTGRES_USER} + POSTGRES_PASSWORD: ${TANDOOR_POSTGRES_PASSWORD} + ports: + - "8081:80" diff --git a/docker/tandoor/sample.env b/docker/tandoor/sample.env new file mode 100644 index 0000000..e5029ad --- /dev/null +++ b/docker/tandoor/sample.env @@ -0,0 +1,11 @@ +TANDOOR_STATICFILES= +TANDOOR_MEDIAFILES= +TANDOOR_SECRET_KEY= +TANDOOR_TZ=Europe/Madrid +TANDOOR_ALLOWED_HOSTS= +TANDOOR_SOCIALACCOUNT_PROVIDERS= +TANDOOR_POSTGRES_HOST= +TANDOOR_POSTGRES_DB= +TANDOOR_POSTGRES_PORT= +TANDOOR_POSTGRES_USER= +TANDOOR_POSTGRES_PASSWORD= diff --git a/tofu/authentik/main.tf b/tofu/authentik/main.tf index 7b27b0c..87ebc58 100644 --- a/tofu/authentik/main.tf +++ b/tofu/authentik/main.tf @@ -199,36 +199,6 @@ module "sftpgo" { sub_mode = "user_username" } -module "netbird" { - source = "../modules/authentik-oidc" - app_name = "netbird" - app_slug = "netbird" - client_id = var.netbird_client_id - client_type = "public" - app_access_group_id = authentik_group.vpn.id - redirect_uris = [ - { - matching_mode = "strict", - url = "https://vpn.fukurokuju.dev", - }, - { - matching_mode = "regex", - url = "https://vpn.fukurokuju.dev.*", - }, - { - matching_mode = "strict", - url = "http://localhost:53000" - }, - - ] - sub_mode = "user_id" - extra_property_mappings = [ - "goauthentik.io/providers/oauth2/scope-authentik_api" - ] - app_icon = "https://vpn.fukurokuju.dev/apple-icon.png" - access_token_validity = "days=10" - client_secret = "" -} module "rustical" { source = "../modules/authentik-oidc" @@ -248,3 +218,13 @@ module "jellyfin" { name = "jellyfin" app_access_group_id = authentik_group.arrs.id } + +module "tandoor" { + source = "../modules/authentik-oidc" + app_name = "Tandoor" + app_slug = "tandoor" + app_access_group_id = "" + redirect_uris = [{ matching_mode = "strict", url = "https://recipes.roboces.dev/accounts/oidc/authentik/login/callback/" }] + client_id = var.tandoor_client_id + client_secret = var.tandoor_client_secret +} diff --git a/tofu/authentik/sample.env b/tofu/authentik/sample.env index a784c41..3887146 100644 --- a/tofu/authentik/sample.env +++ b/tofu/authentik/sample.env @@ -10,6 +10,7 @@ TF_VAR_paperless_client_id= TF_VAR_paperless_client_secret= TF_VAR_sftpgo_client_id= TF_VAR_sftpgo_client_secret= -TF_VAR_netbird_client_id= TF_VAR_rustical_client_id= TF_VAR_rustical_client_secret= +TF_VAR_tandoor_client_id= +TF_VAR_tandoor_client_secret= diff --git a/tofu/authentik/vars.tf b/tofu/authentik/vars.tf index 4a1c5dd..30ec835 100644 --- a/tofu/authentik/vars.tf +++ b/tofu/authentik/vars.tf @@ -39,12 +39,6 @@ variable "paperless_client_secret" { type = string } -variable "netbird_client_id" { - description = "Netbird client ID" - type = string -} - - variable "sftpgo_client_id" { description = "SFTPGo client ID" type = string @@ -61,16 +55,16 @@ variable "rustical_client_id" { } variable "rustical_client_secret" { - description = "Rustical client secret" + description = "Tandoor client secret" type = string } -variable "mediamanager_client_id" { - description = "MediaManager client ID" +variable "tandoor_client_id" { + description = "Tandoor client ID" type = string } -variable "mediamanager_client_secret" { - description = "MediaManager client secret" +variable "tandoor_client_secret" { + description = "Tandoor client secret" type = string } From 0706f4e6377a1f75161339164f4f210e99048203 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Wed, 28 Jan 2026 03:33:44 +0000 Subject: [PATCH 18/43] chore(deps): update code.forgejo.org/forgejo-helm/forgejo docker tag to v16 --- k8s/argo-apps/forgejo.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/k8s/argo-apps/forgejo.yaml b/k8s/argo-apps/forgejo.yaml index 1f49a0c..44b2f4d 100644 --- a/k8s/argo-apps/forgejo.yaml +++ b/k8s/argo-apps/forgejo.yaml @@ -14,7 +14,7 @@ spec: sources: - chart: forgejo repoURL: code.forgejo.org/forgejo-helm - targetRevision: 15.1.0 + targetRevision: 16.0.1 helm: valuesObject: replicaCount: 2 From 1b1dc44b5b69a31290c9312a22133af9d63912e5 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Wed, 28 Jan 2026 03:33:28 +0000 Subject: [PATCH 19/43] chore(deps): update vaultwarden/server docker tag to v1.35.2 --- docker/vaultwarden/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/vaultwarden/docker-compose.yml b/docker/vaultwarden/docker-compose.yml index 4c2b3dc..bef3334 100644 --- a/docker/vaultwarden/docker-compose.yml +++ b/docker/vaultwarden/docker-compose.yml @@ -1,7 +1,7 @@ --- services: vaultwarden: - image: vaultwarden/server:1.34.3-alpine + image: vaultwarden/server:1.35.2-alpine restart: unless-stopped environment: DATABASE_URL: ${DATABASE_URL} From 79c399ad0c4764d254db5ef44ea6dc6eda487bec Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Tue, 27 Jan 2026 03:25:54 +0000 Subject: [PATCH 20/43] chore(deps): update ghcr.io/lennart-k/rustical docker tag to v0.12.3 --- docker/rustical/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/rustical/docker-compose.yml b/docker/rustical/docker-compose.yml index 1b2688e..2818a50 100644 --- a/docker/rustical/docker-compose.yml +++ b/docker/rustical/docker-compose.yml @@ -1,7 +1,7 @@ --- services: rustical: - image: ghcr.io/lennart-k/rustical:0.12.1 + image: ghcr.io/lennart-k/rustical:0.12.3 ports: - '4000:4000' volumes: From b61b882081ac24b2d22424d91004b83e4e34d83e Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Tue, 27 Jan 2026 03:27:44 +0000 Subject: [PATCH 21/43] chore(deps): update terraform authentik to v2025.12.0 --- tofu/authentik/.terraform.lock.hcl | 47 ++++++++++++------- tofu/authentik/main.tf | 2 +- .../authentik-ldap/.terraform.lock.hcl | 47 ++++++++++++------- tofu/modules/authentik-ldap/main.tf | 2 +- tofu/modules/authentik-oidc/main.tf | 2 +- tofu/modules/authentik-proxy/main.tf | 2 +- 6 files changed, 64 insertions(+), 38 deletions(-) diff --git a/tofu/authentik/.terraform.lock.hcl b/tofu/authentik/.terraform.lock.hcl index de2d5a9..61e958d 100644 --- a/tofu/authentik/.terraform.lock.hcl +++ b/tofu/authentik/.terraform.lock.hcl @@ -2,23 +2,36 @@ # Manual edits may be lost in future updates. provider "registry.opentofu.org/goauthentik/authentik" { - version = "2025.10.1" - constraints = "2025.10.1" + version = "2025.12.0" + constraints = "2025.12.0" hashes = [ - "h1:X0bV1LqI7nu4np+xiGP8yLVfyl6rh/XNXz7QQ7Hsr6g=", - "zh:02ac2478c8901043a0455b8b6b8185e9814786bd802a9aa6d4126d4f56d4735d", - "zh:24d680732a9ea72a86c1e7bf4aa13ab9cc0c60ee4bd4cae8af43670eff88edd9", - "zh:4f415f177671eeea2234eb835479bbb710e811e60864cec6a00ee0e03a412fa3", - "zh:55498caa20504dd52a1870823e15dec6c78948eac2e6ec98e6ec122b5407630b", - "zh:570f9ca7f909bda94b97feab7898ef392e01ae6178d8a9d36aac984d8a433ec1", - "zh:92ac78b97e2d5310ed82233980f941ebecf69ae1f9d03f3e719d8687aa6f4cc7", - "zh:95f852a4e7d22daac86901ebc6b327d5987832b707ad3fd3aeff6c36dd088717", - "zh:98c8659f468a58a9d224b2fca9d5909d39bcabf9e2593e9b4a574dbffb6e2dca", - "zh:a7d1428ec803ae794ebb05d772fa44020827a6b762a5b2da11869fc618ea59cd", - "zh:b1ef054b09fed4282c625a38a4aa6d1276c58e541f4cffcc716aa7d2b773f30a", - "zh:b95e3edeb0da3ee0c0392afa18957cf7d41b2f71ed08a50f4bf38010aaf77d30", - "zh:c3ce9f57889e6bb33f34ee4cc4463a77652b811351bbb25e6fc5ba9dc0c61e14", - "zh:f6d2fe811ad5c242ced99a6b51b2d7f60f060d4bc6837fe1026c2abb7cb6f9a4", - "zh:f78b8e20e7d9f53e1622051c706369a7c6d0f1e37c16df67a214697cd5d0a4fb", + "h1:1WOionGZogRGfcwgsBshgGDDMFWqioq62s/FmpTonI8=", + "h1:7EkbL1fO5vkX5IvlGhKIjWcEPIc7U3zS/x0+rMC+NKE=", + "h1:N65bk3gPCHEJE8c68LCjQ2NMwDKDJlt0+ofnmeNM4FI=", + "h1:S2NDeRAxbfKPGvBqM7WES5znedi0V2AWc5wxkczYDd8=", + "h1:ZmqC2orWU2UItPZJZfsSnBBX7Ds0OEk8EarBtWjuFsc=", + "h1:aofPDDDWm9c87uip8IwKlhGDePNNr6Sy0Q+m9NgOols=", + "h1:f3+jlDlxpgKdCbcB7ac4lVn5pdSMM1e2Qh0AB0RDNsA=", + "h1:jt+Gtla0Z7zN4gCltMg//aDfCoSIdCyFF4ept4Qwc6E=", + "h1:msEjekUeIUKY6lipADjuQpaU1HPrp0MU19R9LpZv5UM=", + "h1:t61WX+9iOOCLlZ8tt/vZP7X8M/Q7F5k6QUyduYtpVf8=", + "h1:tI7fyxvSatX28mp0woFsBbhrnzgeZTZAaitzKThlyAo=", + "h1:wzjwM6RA9Jth4iCN5J9dzxnfjO56ZFl1T5rAQhuU1og=", + "h1:xZZSwrSXnUCPmP9U3EY9fKPmBru58wZozovF2+i//oY=", + "h1:z/+UpU0PH5hae3WEqJO7Lreo0wYO77UuJrimJyV3Mcg=", + "zh:0ce23bd10c1782a3ae9321a572093df2c283df9003fc1cf33f6e63df18a81b7a", + "zh:0de1db5b3363603e6bd25c9c420e24e872bcfe8d43a7015b710a0292ffa7a649", + "zh:1d719e62eb5195a6461cdf2e175960093cdb77b190a7b15eb3fd0e1fc38409e1", + "zh:3adba178a720c90f296183479872a82719f5497b24e90224c044bcc9e29092b7", + "zh:54e5895e61a39b955be26977c273d9581beccf0e22ec58932708472cab40b03b", + "zh:59b8df5b3be8bf9e8a8dcc7b5edf96b0ca505f93fc0db022cc33513172dbc2c8", + "zh:6d86630e353b874ad43d09e3d3541ba4f824c578122a21c7895a452a0534ca05", + "zh:b6c7466446ce685971dee0c7b2dcb16917e3d23805a51d7a2091e475908c8d87", + "zh:ca306de78ea0f99f698548d51b094501e8299340ccc9c6549d1b62fc1fe29456", + "zh:cc6bd38417c0a6c0d7a1c8533007c113155d82d085ea705d955dadf62b2f9f66", + "zh:da657c9db5647620fca377fdc934db6a0f6d05d4cc0dd91a47404850805fd6da", + "zh:dc0b1effedb7a35d1756be915ff8b48d0f422b7a9da75e7f14a2d3efa2d4806f", + "zh:eef8d1715e9cfcb6cbe05dc071390ee91276d12f6fd870bac116af47518f6176", + "zh:f4c0cd2168f59d4fbf4b1fada95a9c973224bbf81975e948f741ad18ef665690", ] } diff --git a/tofu/authentik/main.tf b/tofu/authentik/main.tf index 87ebc58..7d43f4f 100644 --- a/tofu/authentik/main.tf +++ b/tofu/authentik/main.tf @@ -8,7 +8,7 @@ terraform { required_providers { authentik = { source = "goauthentik/authentik" - version = "2025.10.1" + version = "2025.12.0" } } } diff --git a/tofu/modules/authentik-ldap/.terraform.lock.hcl b/tofu/modules/authentik-ldap/.terraform.lock.hcl index de2d5a9..61e958d 100644 --- a/tofu/modules/authentik-ldap/.terraform.lock.hcl +++ b/tofu/modules/authentik-ldap/.terraform.lock.hcl @@ -2,23 +2,36 @@ # Manual edits may be lost in future updates. provider "registry.opentofu.org/goauthentik/authentik" { - version = "2025.10.1" - constraints = "2025.10.1" + version = "2025.12.0" + constraints = "2025.12.0" hashes = [ - "h1:X0bV1LqI7nu4np+xiGP8yLVfyl6rh/XNXz7QQ7Hsr6g=", - "zh:02ac2478c8901043a0455b8b6b8185e9814786bd802a9aa6d4126d4f56d4735d", - "zh:24d680732a9ea72a86c1e7bf4aa13ab9cc0c60ee4bd4cae8af43670eff88edd9", - "zh:4f415f177671eeea2234eb835479bbb710e811e60864cec6a00ee0e03a412fa3", - "zh:55498caa20504dd52a1870823e15dec6c78948eac2e6ec98e6ec122b5407630b", - "zh:570f9ca7f909bda94b97feab7898ef392e01ae6178d8a9d36aac984d8a433ec1", - "zh:92ac78b97e2d5310ed82233980f941ebecf69ae1f9d03f3e719d8687aa6f4cc7", - "zh:95f852a4e7d22daac86901ebc6b327d5987832b707ad3fd3aeff6c36dd088717", - "zh:98c8659f468a58a9d224b2fca9d5909d39bcabf9e2593e9b4a574dbffb6e2dca", - "zh:a7d1428ec803ae794ebb05d772fa44020827a6b762a5b2da11869fc618ea59cd", - "zh:b1ef054b09fed4282c625a38a4aa6d1276c58e541f4cffcc716aa7d2b773f30a", - "zh:b95e3edeb0da3ee0c0392afa18957cf7d41b2f71ed08a50f4bf38010aaf77d30", - "zh:c3ce9f57889e6bb33f34ee4cc4463a77652b811351bbb25e6fc5ba9dc0c61e14", - "zh:f6d2fe811ad5c242ced99a6b51b2d7f60f060d4bc6837fe1026c2abb7cb6f9a4", - "zh:f78b8e20e7d9f53e1622051c706369a7c6d0f1e37c16df67a214697cd5d0a4fb", + "h1:1WOionGZogRGfcwgsBshgGDDMFWqioq62s/FmpTonI8=", + "h1:7EkbL1fO5vkX5IvlGhKIjWcEPIc7U3zS/x0+rMC+NKE=", + "h1:N65bk3gPCHEJE8c68LCjQ2NMwDKDJlt0+ofnmeNM4FI=", + "h1:S2NDeRAxbfKPGvBqM7WES5znedi0V2AWc5wxkczYDd8=", + "h1:ZmqC2orWU2UItPZJZfsSnBBX7Ds0OEk8EarBtWjuFsc=", + "h1:aofPDDDWm9c87uip8IwKlhGDePNNr6Sy0Q+m9NgOols=", + "h1:f3+jlDlxpgKdCbcB7ac4lVn5pdSMM1e2Qh0AB0RDNsA=", + "h1:jt+Gtla0Z7zN4gCltMg//aDfCoSIdCyFF4ept4Qwc6E=", + "h1:msEjekUeIUKY6lipADjuQpaU1HPrp0MU19R9LpZv5UM=", + "h1:t61WX+9iOOCLlZ8tt/vZP7X8M/Q7F5k6QUyduYtpVf8=", + "h1:tI7fyxvSatX28mp0woFsBbhrnzgeZTZAaitzKThlyAo=", + "h1:wzjwM6RA9Jth4iCN5J9dzxnfjO56ZFl1T5rAQhuU1og=", + "h1:xZZSwrSXnUCPmP9U3EY9fKPmBru58wZozovF2+i//oY=", + "h1:z/+UpU0PH5hae3WEqJO7Lreo0wYO77UuJrimJyV3Mcg=", + "zh:0ce23bd10c1782a3ae9321a572093df2c283df9003fc1cf33f6e63df18a81b7a", + "zh:0de1db5b3363603e6bd25c9c420e24e872bcfe8d43a7015b710a0292ffa7a649", + "zh:1d719e62eb5195a6461cdf2e175960093cdb77b190a7b15eb3fd0e1fc38409e1", + "zh:3adba178a720c90f296183479872a82719f5497b24e90224c044bcc9e29092b7", + "zh:54e5895e61a39b955be26977c273d9581beccf0e22ec58932708472cab40b03b", + "zh:59b8df5b3be8bf9e8a8dcc7b5edf96b0ca505f93fc0db022cc33513172dbc2c8", + "zh:6d86630e353b874ad43d09e3d3541ba4f824c578122a21c7895a452a0534ca05", + "zh:b6c7466446ce685971dee0c7b2dcb16917e3d23805a51d7a2091e475908c8d87", + "zh:ca306de78ea0f99f698548d51b094501e8299340ccc9c6549d1b62fc1fe29456", + "zh:cc6bd38417c0a6c0d7a1c8533007c113155d82d085ea705d955dadf62b2f9f66", + "zh:da657c9db5647620fca377fdc934db6a0f6d05d4cc0dd91a47404850805fd6da", + "zh:dc0b1effedb7a35d1756be915ff8b48d0f422b7a9da75e7f14a2d3efa2d4806f", + "zh:eef8d1715e9cfcb6cbe05dc071390ee91276d12f6fd870bac116af47518f6176", + "zh:f4c0cd2168f59d4fbf4b1fada95a9c973224bbf81975e948f741ad18ef665690", ] } diff --git a/tofu/modules/authentik-ldap/main.tf b/tofu/modules/authentik-ldap/main.tf index 19cf5a6..86d1806 100644 --- a/tofu/modules/authentik-ldap/main.tf +++ b/tofu/modules/authentik-ldap/main.tf @@ -3,7 +3,7 @@ terraform { required_providers { authentik = { source = "goauthentik/authentik" - version = "2025.10.1" + version = "2025.12.0" } } } diff --git a/tofu/modules/authentik-oidc/main.tf b/tofu/modules/authentik-oidc/main.tf index d78086a..3ca69a3 100644 --- a/tofu/modules/authentik-oidc/main.tf +++ b/tofu/modules/authentik-oidc/main.tf @@ -3,7 +3,7 @@ terraform { required_providers { authentik = { source = "goauthentik/authentik" - version = "2025.10.1" + version = "2025.12.0" } } } diff --git a/tofu/modules/authentik-proxy/main.tf b/tofu/modules/authentik-proxy/main.tf index 49179aa..288bd61 100644 --- a/tofu/modules/authentik-proxy/main.tf +++ b/tofu/modules/authentik-proxy/main.tf @@ -3,7 +3,7 @@ terraform { required_providers { authentik = { source = "goauthentik/authentik" - version = "2025.10.1" + version = "2025.12.0" } } } From 1ce70d911f4d7d9a9eb46e179a0681934b91e272 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?c=C4=83t=C4=83lin?= Date: Wed, 28 Jan 2026 10:17:13 +0100 Subject: [PATCH 22/43] feat: add ganymede --- docker/ganymede/docker-compose.yml | 48 ++++++++++++++++++++++++++++++ docker/ganymede/sample.env | 27 +++++++++++++++++ tofu/authentik/main.tf | 23 ++++++++++++++ tofu/authentik/sample.env | 2 ++ tofu/authentik/vars.tf | 10 +++++++ 5 files changed, 110 insertions(+) create mode 100644 docker/ganymede/docker-compose.yml create mode 100644 docker/ganymede/sample.env diff --git a/docker/ganymede/docker-compose.yml b/docker/ganymede/docker-compose.yml new file mode 100644 index 0000000..7ba5213 --- /dev/null +++ b/docker/ganymede/docker-compose.yml @@ -0,0 +1,48 @@ +--- +services: + ganymede: + container_name: ganymede + image: ghcr.io/zibbp/ganymede:4.11.3 + restart: unless-stopped + environment: + DEBUG: ${GANYMEDE_DEBUG:-false} + TZ: ${GANYMEDE_TZ:-Europe/Madrid} + VIDEOS_DIR: ${GANYMEDE_VIDEOS_DIR:-/data/videos} + TEMP_DIR: ${GANYMEDE_TEMP_DIR:-/data/temp} + LOGS_DIR: ${GANYMEDE_LOGS_DIR:-/data/logs} + CONFIG_DIR: ${GANYMEDE_CONFIG_DIR:-/data/config} + DB_HOST: ${GANYMEDE_DB_HOST:-192.168.1.3} + DB_PORT: ${GANYMEDE_DB_PORT:-5432} + DB_USER: ${GANYMEDE_DB_USER:-ganymede} + DB_PASS: ${GANYMEDE_DB_PASS} + DB_NAME: ${GANYMEDE_DB_NAME:-ganymede} + DB_SSL: ${GANYMEDE_DB_SSL:-disable} + TWITCH_CLIENT_ID: ${GANYMEDE_TWITCH_CLIENT_ID} + TWITCH_CLIENT_SECRET: ${GANYMEDE_TWITCH_CLIENT_SECRET} + MAX_CHAT_DOWNLOAD_EXECUTIONS: ${GANYMEDE_MAX_CHAT_DOWNLOAD_EXECUTIONS:-3} + MAX_CHAT_RENDER_EXECUTIONS: ${GANYMEDE_MAX_CHAT_RENDER_EXECUTIONS:-2} + MAX_VIDEO_DOWNLOAD_EXECUTIONS: ${GANYMEDE_MAX_VIDEO_DOWNLOAD_EXECUTIONS:-2} + MAX_VIDEO_CONVERT_EXECUTIONS: ${GANYMEDE_MAX_VIDEO_CONVERT_EXECUTIONS:-3} + MAX_VIDEO_SPRITE_THUMBNAIL_EXECUTIONS: ${GANYMEDE_MAX_VIDEO_SPRITE_THUMBNAIL_EXECUTIONS:-2} + OAUTH_ENABLED: ${GANYMEDE_OAUTH_ENABLED:-true} + OAUTH_PROVIDER_URL: ${GANYMEDE_OAUTH_PROVIDER_URL:-https://auth.fukurokuju.dev/application/o/ganymede/} + OAUTH_CLIENT_ID: ${GANYMEDE_OAUTH_CLIENT_ID} + OAUTH_CLIENT_SECRET: ${GANYMEDE_OAUTH_CLIENT_SECRET} + OAUTH_REDIRECT_URL: ${GANYMEDE_OAUTH_REDIRECT_URL:-https://vods.roboces.dev/api/v1/auth/oauth/callback} + SHOW_SSO_LOGIN_BUTTON: ${GANYMEDE_SHOW_SSO_LOGIN_BUTTON:-true} + FORCE_SSO_AUTH: ${GANYMEDE_FORCE_SSO_AUTH:-true} + REQUIRE_LOGIN: ${GANYMEDE_REQUIRE_LOGIN:-true} + volumes: + - ${GANYMEDE_VIDEOS:-/mnt/vods/ganymede/videos}:/data/videos + - ${GANYMEDE_TEMP:-/mnt/vods/ganymede/temp}:/data/temp + - ${GANYMEDE_CACHE:-/mnt/vods/ganymede/cache}:/data/.cache + - ${GANYMEDE_LOGS:-/mnt/vods/ganymede/logs}:/data/logs + - ${GANYMEDE_CONFIG:-/mnt/vods/ganymede/config}:/data/config + ports: + - "4800:4000" + healthcheck: + test: curl --fail http://localhost:4000/health || exit 1 + interval: 60s + retries: 5 + start_period: 60s + timeout: 10s diff --git a/docker/ganymede/sample.env b/docker/ganymede/sample.env new file mode 100644 index 0000000..5b2205b --- /dev/null +++ b/docker/ganymede/sample.env @@ -0,0 +1,27 @@ +GANYMEDE_DEBUG=false +GANYMEDE_TZ=Europe/Madrid +GANYMEDE_VIDEOS_DIR=/data/videos +GANYMEDE_TEMP_DIR=/data/temp +GANYMEDE_LOGS_DIR=/data/logs +GANYMEDE_CONFIG_DIR=/data/config +GANYMEDE_DB_HOST=192.168.1.3 +GANYMEDE_DB_PORT=5432 +GANYMEDE_DB_USER=ganymede +GANYMEDE_DB_PASS= +GANYMEDE_DB_NAME=ganymede +GANYMEDE_DB_SSL=disable +GANYMEDE_TWITCH_CLIENT_ID= +GANYMEDE_TWITCH_CLIENT_SECRET= +GANYMEDE_MAX_CHAT_DOWNLOAD_EXECUTIONS=3 +GANYMEDE_MAX_CHAT_RENDER_EXECUTIONS=2 +GANYMEDE_MAX_VIDEO_DOWNLOAD_EXECUTIONS=2 +GANYMEDE_MAX_VIDEO_CONVERT_EXECUTIONS=3 +GANYMEDE_MAX_VIDEO_SPRITE_THUMBNAIL_EXECUTIONS=2 +GANYMEDE_OAUTH_ENABLED=true +GANYMEDE_OAUTH_PROVIDER_URL=https://auth.fukurokuju.dev/application/o/ganymede/ +GANYMEDE_OAUTH_CLIENT_ID= +GANYMEDE_OAUTH_CLIENT_SECRET= +GANYMEDE_OAUTH_REDIRECT_URL=https://vods.roboces.dev/api/v1/auth/oauth/callback +GANYMEDE_SHOW_SSO_LOGIN_BUTTON=true +GANYMEDE_FORCE_SSO_AUTH=false +GANYMEDE_REQUIRE_LOGIN=false diff --git a/tofu/authentik/main.tf b/tofu/authentik/main.tf index 7d43f4f..42c0582 100644 --- a/tofu/authentik/main.tf +++ b/tofu/authentik/main.tf @@ -22,6 +22,11 @@ resource "authentik_group" "ci" { users = [data.authentik_user.catalin.id] } +resource "authentik_group" "vods" { + name = "vods" + users = [data.authentik_user.catalin.id] +} + resource "authentik_group" "admins" { name = "authentik Admins" is_superuser = true @@ -204,6 +209,8 @@ module "rustical" { source = "../modules/authentik-oidc" app_name = "rustical" app_slug = "rustical" + app_url = "https://cal.roboces.dev" + app_icon = "https://cal.roboces.dev/favicon.ico" client_id = var.rustical_client_id client_secret = var.rustical_client_secret redirect_uris = [{ matching_mode = "strict", url = "https://cal.roboces.dev/frontend/login/oidc/callback" }] @@ -216,6 +223,8 @@ module "jellyfin" { app_slug = "jellyfin" base_dn = "DC=ldap,DC=fukurokuju,DC=dev" name = "jellyfin" + app_url = "https://jelly.roboces.dev" + app_icon = "https://jelly.roboces.dev/favicon.ico" app_access_group_id = authentik_group.arrs.id } @@ -224,7 +233,21 @@ module "tandoor" { app_name = "Tandoor" app_slug = "tandoor" app_access_group_id = "" + app_url = "https://recipes.roboces.dev" redirect_uris = [{ matching_mode = "strict", url = "https://recipes.roboces.dev/accounts/oidc/authentik/login/callback/" }] + app_icon = "https://recipes.roboces.dev/favicon.icon" client_id = var.tandoor_client_id client_secret = var.tandoor_client_secret } + +module "ganymede" { + source = "../modules/authentik-oidc" + app_name = "Ganymede" + app_slug = "ganymede" + redirect_uris = [{ matching_mode = "strict", url = "https://vods.roboces.dev/api/v1/auth/oauth/callback" }] + client_id = var.ganymede_client_id + client_secret = var.ganymede_client_secret + app_url = "https://vods.roboces.dev" + app_icon = "https://vods.roboces.dev/favicon.ico" + app_access_group_id = authentik_group.vods.id +} diff --git a/tofu/authentik/sample.env b/tofu/authentik/sample.env index 3887146..d7e4361 100644 --- a/tofu/authentik/sample.env +++ b/tofu/authentik/sample.env @@ -14,3 +14,5 @@ TF_VAR_rustical_client_id= TF_VAR_rustical_client_secret= TF_VAR_tandoor_client_id= TF_VAR_tandoor_client_secret= +TF_VAR_ganymede_client_id= +TF_VAR_ganymede_client_secret= diff --git a/tofu/authentik/vars.tf b/tofu/authentik/vars.tf index 30ec835..f85bfe7 100644 --- a/tofu/authentik/vars.tf +++ b/tofu/authentik/vars.tf @@ -68,3 +68,13 @@ variable "tandoor_client_secret" { description = "Tandoor client secret" type = string } + +variable "ganymede_client_id" { + description = "Ganymede client ID" + type = string +} + +variable "ganymede_client_secret" { + description = "Ganymede client secret" + type = string +} From 7a4f608d2e8df5a030bb2afd15e311b9f7a8eddc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?c=C4=83t=C4=83lin?= Date: Wed, 28 Jan 2026 11:07:42 +0100 Subject: [PATCH 23/43] feat: add jellyseerr --- tofu/authentik/main.tf | 25 ++++++++---- tofu/modules/authentik-app/main.tf | 26 +++++++++++++ tofu/modules/authentik-app/vars.tf | 62 ++++++++++++++++++++++++++++++ 3 files changed, 105 insertions(+), 8 deletions(-) create mode 100644 tofu/modules/authentik-app/main.tf create mode 100644 tofu/modules/authentik-app/vars.tf diff --git a/tofu/authentik/main.tf b/tofu/authentik/main.tf index 42c0582..7979f79 100644 --- a/tofu/authentik/main.tf +++ b/tofu/authentik/main.tf @@ -52,6 +52,7 @@ resource "authentik_group" "mediamanager" { is_superuser = false } + module "gitea" { source = "../modules/authentik-oidc" app_name = "Gitea" @@ -133,7 +134,7 @@ module "sonarr" { app_slug = "sonarr" app_access_group_id = authentik_group.arrs.id app_url = "https://sonarr.fukurokuju.dev" - internal_host = "http://192.168.1.3:38013/" + internal_host = "http://192.168.1.3:30113/" internal_host_ssl_validation = false app_icon = "https://sonarr.tv/img/logo.png" } @@ -144,7 +145,7 @@ module "radarr" { app_slug = "radarr" app_access_group_id = authentik_group.arrs.id app_url = "https://radarr.fukurokuju.dev" - internal_host = "http://192.168.1.3:38012/" + internal_host = "http://192.168.1.3:30025/" internal_host_ssl_validation = false app_icon = "https://radarr.video/img/background/logo.png" } @@ -155,7 +156,7 @@ module "lidarr" { app_slug = "lidarr" app_access_group_id = authentik_group.arrs.id app_url = "https://lidarr.fukurokuju.dev" - internal_host = "http://192.168.1.3:38010/" + internal_host = "http://192.168.1.3:30071/" internal_host_ssl_validation = false app_icon = "https://lidarr.audio/img/background/logo.png" } @@ -176,7 +177,7 @@ module "prowlarr" { app_slug = "prowlarr" app_access_group_id = authentik_group.admins.id app_url = "https://prowlarr.fukurokuju.dev" - internal_host = "http://192.168.1.3:38014" + internal_host = "http://192.168.1.3:30050" internal_host_ssl_validation = false } @@ -204,13 +205,11 @@ module "sftpgo" { sub_mode = "user_username" } - module "rustical" { source = "../modules/authentik-oidc" app_name = "rustical" app_slug = "rustical" app_url = "https://cal.roboces.dev" - app_icon = "https://cal.roboces.dev/favicon.ico" client_id = var.rustical_client_id client_secret = var.rustical_client_secret redirect_uris = [{ matching_mode = "strict", url = "https://cal.roboces.dev/frontend/login/oidc/callback" }] @@ -224,7 +223,7 @@ module "jellyfin" { base_dn = "DC=ldap,DC=fukurokuju,DC=dev" name = "jellyfin" app_url = "https://jelly.roboces.dev" - app_icon = "https://jelly.roboces.dev/favicon.ico" + app_icon = "https://jelly.roboces.dev/web/touchicon.f5bbb798cb2c65908633.png" app_access_group_id = authentik_group.arrs.id } @@ -235,7 +234,7 @@ module "tandoor" { app_access_group_id = "" app_url = "https://recipes.roboces.dev" redirect_uris = [{ matching_mode = "strict", url = "https://recipes.roboces.dev/accounts/oidc/authentik/login/callback/" }] - app_icon = "https://recipes.roboces.dev/favicon.icon" + app_icon = "https://recipes.roboces.dev/static/assets/logo_color_192.c9b9177ff941.png" client_id = var.tandoor_client_id client_secret = var.tandoor_client_secret } @@ -251,3 +250,13 @@ module "ganymede" { app_icon = "https://vods.roboces.dev/favicon.ico" app_access_group_id = authentik_group.vods.id } + +module "jellyseerr" { + source = "../modules/authentik-app" + app_name = "Solicitudes Jelly" + app_slug = "jellyseer" + app_url = "https://requests.roboces.dev" + app_icon = "https://requests.roboces.dev/os_icon.svg" + app_description = "Solicita series, animes y pelis para ser añadidas automáticamente a Jellyfin" + app_access_group_id = authentik_group.arrs.id +} diff --git a/tofu/modules/authentik-app/main.tf b/tofu/modules/authentik-app/main.tf new file mode 100644 index 0000000..778e119 --- /dev/null +++ b/tofu/modules/authentik-app/main.tf @@ -0,0 +1,26 @@ +terraform { + required_version = ">= 1.6" + required_providers { + authentik = { + source = "goauthentik/authentik" + version = "2025.12.0" + } + } +} + +resource "authentik_application" "app" { + name = var.app_name + slug = var.app_slug + open_in_new_tab = var.open_in_new_tab + meta_icon = var.app_icon + meta_description = var.app_description + meta_publisher = var.app_publisher + meta_launch_url = var.app_url +} + +resource "authentik_policy_binding" "app_access" { + target = authentik_application.app.uuid + group = var.app_access_group_id + order = 0 + count = var.app_access_group_id != "" ? 1 : 0 # only add it if the group's name exists +} diff --git a/tofu/modules/authentik-app/vars.tf b/tofu/modules/authentik-app/vars.tf new file mode 100644 index 0000000..445710f --- /dev/null +++ b/tofu/modules/authentik-app/vars.tf @@ -0,0 +1,62 @@ +variable "app_name" { + description = "App name" + type = string +} + +variable "app_slug" { + description = "App slug, a human-readable URL identifier, e.g.: Google -> google" + type = string +} + + +variable "client_type" { + type = string + default = "confidential" + + validation { + condition = contains(["confidential", "public"], var.client_type) + error_message = "client_type must be 'confidential' or 'public'" + } +} + +variable "app_access_group_id" { + description = "ID of a group which will have access to the app" + type = string +} + +variable "sub_mode" { + type = string + default = "user_username" + + validation { + condition = contains(["user_id", "user_username", "hashed_user_id"], var.sub_mode) + error_message = "sub_mode must be 'user_id', 'user_username' or 'hashed_user_id'" + } +} + + +variable "open_in_new_tab" { + type = bool + description = "Open apps in a new tab" + default = true +} + +variable "app_icon" { + type = string + default = "" +} + +variable "app_description" { + type = string + default = "" +} + +variable "app_publisher" { + type = string + default = "" +} + +variable "app_url" { + type = string + default = "" +} From aa05c20e2d5986661675c544cf4169a582aeb3b8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?c=C4=83t=C4=83lin?= Date: Wed, 28 Jan 2026 12:37:28 +0100 Subject: [PATCH 24/43] feat: add pulse --- k8s/argo-apps/factorio.yaml | 45 ----------- k8s/argo-apps/pulse.yaml | 43 +++++++++++ k8s/services/argo/project-fuku.yaml | 1 + k8s/services/pulse/ds.yaml | 105 ++++++++++++++++++++++++++ k8s/services/pulse/sealedsecrets.yaml | 17 +++++ tofu/adguard/main.tf | 6 +- tofu/authentik/main.tf | 12 +++ tofu/authentik/sample.env | 2 + tofu/authentik/vars.tf | 10 +++ 9 files changed, 195 insertions(+), 46 deletions(-) delete mode 100644 k8s/argo-apps/factorio.yaml create mode 100644 k8s/argo-apps/pulse.yaml create mode 100644 k8s/services/pulse/ds.yaml create mode 100644 k8s/services/pulse/sealedsecrets.yaml diff --git a/k8s/argo-apps/factorio.yaml b/k8s/argo-apps/factorio.yaml deleted file mode 100644 index cd2d97d..0000000 --- a/k8s/argo-apps/factorio.yaml +++ /dev/null @@ -1,45 +0,0 @@ ---- -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: factorio - namespace: argocd -spec: - destination: - name: '' - namespace: apps-fuku - server: https://kubernetes.default.svc - sources: - - chart: factorio-server-charts - repoURL: https://sqljames.github.io/factorio-server-charts/ - targetRevision: 2.5.* - helm: - valuesObject: - rcon: - passwordSecret: secrets-factorio - nodeSelector: - kubernetes.io/hostname: agent1 - image: - tag: latest - factorioServer: - save_name: fukurokuju-space - admin_list: - - Phireh - account: - accountSecret: secrets-factorio - server_settings: - name: factorio-fukurokuju - visibility: - public: false - require_user_verification: false - persistence: - storageClassName: truenas-nfs-csi - serverPassword: - passwordSecret: secrets-factorio - - - repoURL: https://git.roboces.dev/catalin/fukuops.git - path: k8s/services/factorio - targetRevision: main - project: fuku - syncPolicy: - automated: {} diff --git a/k8s/argo-apps/pulse.yaml b/k8s/argo-apps/pulse.yaml new file mode 100644 index 0000000..7873917 --- /dev/null +++ b/k8s/argo-apps/pulse.yaml @@ -0,0 +1,43 @@ +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: pulse + namespace: argocd +spec: + destination: + name: '' + namespace: apps-fuku + server: https://kubernetes.default.svc + project: fuku + syncPolicy: + automated: {} + sources: + - repoURL: https://rcourtman.github.io/Pulse + chart: pulse + targetRevision: v5.0.* + helm: + valuesObject: + persistence: + enabled: true + size: 10Gi + storageClass: truenas-nfs-csi + accessModes: + - ReadWriteMany + service: + type: LoadBalancer + ingress: + enabled: true + hosts: + - host: pulse.fukurokuju.dev + paths: + - path: / + pathType: Prefix + tls: [] + monitoring: + serviceMonitor: + enabled: true + + - path: k8s/services/pulse + repoURL: https://git.roboces.dev/catalin/fukuops.git + targetRevision: main diff --git a/k8s/services/argo/project-fuku.yaml b/k8s/services/argo/project-fuku.yaml index 43e602a..ead0d89 100644 --- a/k8s/services/argo/project-fuku.yaml +++ b/k8s/services/argo/project-fuku.yaml @@ -32,3 +32,4 @@ spec: - registry-1.docker.io/cloudpirates - https://vmware-tanzu.github.io/helm-charts/ - https://helm.runix.net + - https://rcourtman.github.io/Pulse diff --git a/k8s/services/pulse/ds.yaml b/k8s/services/pulse/ds.yaml new file mode 100644 index 0000000..26516fa --- /dev/null +++ b/k8s/services/pulse/ds.yaml @@ -0,0 +1,105 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: pulse-agent + namespace: apps-fuku +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: pulse-agent-read +rules: + - apiGroups: [""] + resources: ["nodes", "pods"] + verbs: ["get", "list", "watch"] + - apiGroups: ["apps"] + resources: ["deployments"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: pulse-agent-read +subjects: + - kind: ServiceAccount + name: pulse-agent + namespace: apps-fuku +roleRef: + kind: ClusterRole + name: pulse-agent-read + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: pulse-agent + namespace: apps-fuku +spec: + selector: + matchLabels: + app: pulse-agent + template: + metadata: + labels: + app: pulse-agent + spec: + serviceAccountName: pulse-agent + containers: + - name: pulse-agent + image: rcourtman/pulse:v5.0.17 + command: ["/opt/pulse/bin/pulse-agent-linux-amd64"] + args: + - --enable-kubernetes + env: + - name: PULSE_URL + value: "https://pulse.fukurokuju.dev" + - name: PULSE_TOKEN + valueFrom: + secretKeyRef: + name: pulse-agent-secrets + key: PULSE_TOKEN + - name: PULSE_AGENT_ID + value: "k8s-cluster" + - name: PULSE_ENABLE_HOST + value: "true" + - name: HOST_PROC + value: "/host/proc" + - name: HOST_SYS + value: "/host/sys" + - name: HOST_ETC + value: "/host/etc" + - name: PULSE_KUBE_INCLUDE_ALL_PODS + value: "true" + - name: PULSE_KUBE_INCLUDE_ALL_DEPLOYMENTS + value: "true" + securityContext: + privileged: true + resources: + requests: + cpu: 50m + memory: 128Mi + limits: + memory: 512Mi + volumeMounts: + - name: host-proc + mountPath: /host/proc + readOnly: true + - name: host-sys + mountPath: /host/sys + readOnly: true + - name: host-root + mountPath: /host/root + readOnly: true + volumes: + - name: host-proc + hostPath: + path: /proc + - name: host-sys + hostPath: + path: /sys + - name: host-root + hostPath: + path: / + tolerations: + - operator: Exists diff --git a/k8s/services/pulse/sealedsecrets.yaml b/k8s/services/pulse/sealedsecrets.yaml new file mode 100644 index 0000000..0cade5d --- /dev/null +++ b/k8s/services/pulse/sealedsecrets.yaml @@ -0,0 +1,17 @@ +# yamllint disable rule:line-length +--- +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + creationTimestamp: null + name: pulse-agent-secrets + namespace: apps-fuku +spec: + encryptedData: + PULSE_TOKEN: AgBBxrJ80IpJ0RvYKQuN6p3G8vIdSL9nESO9OTAR0NiMjSGZNbNEELKE/a1f2ixQUSsNc/k31c+7GlAi+8PmNC4c7rmRJTe+z3uO/BNNLYeTi7DsEk9/oJZTWn7iOcLogiZJQKxbGozCp/S8zrWisH67N2ZHmzz5UEJAzq57+fBEyAk22/WR0QMfW3oOYHGZFNR5AdAxrdfyRwTvSEOz4R2YlrQKRtOFVIPG/aEaAn42AGYfrq2cLVEiCygjE+8nZQ62TMmQqMiwiCjk5do9uRhhiRimuD78FrNnFU5dSwe/11ji5sSrEPjszPB8O0TBbsCssxfz48cKRm/6IdI9B5pKHYob68Ed8u5UgpRU/ZhUWJLyXuZF/Tgw+WcIsVkQXb3eqQTARBeZueugnA23lnzxh5gjR17wjPw7ePYaLiUWTYikOK5HvgpJyiuB0ev2cjGSqYeeAAn5ewCGM/NODXUAlFdC+N9S7ft1+chJrHoaXgHy8J9LWm/maKW99+yT08a68RvGGoZtFPZNlFjzurNF6EY9SLUFf0RLzShkyq6uuOzLm8gENyDIQ+Ru7wWEwyEcUz4ceAR5I78k0gCIDR1o4Ti22asdbRjMptZdOTbep+PWmu2K1oUvxXtXwgKkn8pvTkJpcdejqehnYPWfRAI3Guxi7LQDf++yShKS1NdXMdjhtFoNLa03xHM/G94sF3/mnJwivNhur1V7iC1yCY5NlruPr4KCd5AgOnKqoreRRvRbCVlFO1mtP6XV4sjqEIhmZyXWFJ76bwAC+hxSlFzL + template: + metadata: + creationTimestamp: null + name: pulse-agent-secrets + namespace: apps-fuku + type: Opaque diff --git a/tofu/adguard/main.tf b/tofu/adguard/main.tf index e419eee..894cfea 100644 --- a/tofu/adguard/main.tf +++ b/tofu/adguard/main.tf @@ -85,8 +85,12 @@ resource "adguard_rewrite" "master2" { answer = "192.168.1.32" } - resource "adguard_rewrite" "k3m3" { domain = "k3m3.fuku" answer = "192.168.1.43" } + +resource "adguard_rewrite" "pulse" { + answer = "pulse.fukurokuju.dev" + domain = "192.168.1.12" +} diff --git a/tofu/authentik/main.tf b/tofu/authentik/main.tf index 7979f79..6151382 100644 --- a/tofu/authentik/main.tf +++ b/tofu/authentik/main.tf @@ -260,3 +260,15 @@ module "jellyseerr" { app_description = "Solicita series, animes y pelis para ser añadidas automáticamente a Jellyfin" app_access_group_id = authentik_group.arrs.id } + +module "pulse" { + source = "../modules/authentik-oidc" + app_name = "Pulse" + app_slug = "pulse" + app_url = "https://pulse.fukurokuju.dev" + client_id = var.pulse_client_id + client_secret = var.pulse_client_secret + app_icon = "https://pulse.fukurokuju.dev/logo.svg" + redirect_uris = [{ matching_mode = "strict", url = "https://pulse.fukurokuju.dev/api/oidc/callback" }] + app_access_group_id = authentik_group.admins.id +} diff --git a/tofu/authentik/sample.env b/tofu/authentik/sample.env index d7e4361..31a7461 100644 --- a/tofu/authentik/sample.env +++ b/tofu/authentik/sample.env @@ -16,3 +16,5 @@ TF_VAR_tandoor_client_id= TF_VAR_tandoor_client_secret= TF_VAR_ganymede_client_id= TF_VAR_ganymede_client_secret= +TF_VAR_pulse_client_id= +TF_VAR_pulse_client_secret= diff --git a/tofu/authentik/vars.tf b/tofu/authentik/vars.tf index f85bfe7..f0e5dc2 100644 --- a/tofu/authentik/vars.tf +++ b/tofu/authentik/vars.tf @@ -78,3 +78,13 @@ variable "ganymede_client_secret" { description = "Ganymede client secret" type = string } + +variable "pulse_client_id" { + description = "Pulse client ID" + type = string +} + +variable "pulse_client_secret" { + description = "Pulse client secret" + type = string +} From 4b095e9fd378da24f11c8faff887f743acc62ed9 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Wed, 28 Jan 2026 03:32:45 +0000 Subject: [PATCH 25/43] chore(deps): update helm release renovate to 45.86.* --- k8s/argo-apps/renovate.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/k8s/argo-apps/renovate.yaml b/k8s/argo-apps/renovate.yaml index 73787dd..9616b6d 100644 --- a/k8s/argo-apps/renovate.yaml +++ b/k8s/argo-apps/renovate.yaml @@ -13,7 +13,7 @@ spec: sources: - chart: renovate repoURL: https://docs.renovatebot.com/helm-charts - targetRevision: 45.74.* + targetRevision: 45.86.* helm: valuesObject: renovate: From a0ff2179155ddc23f9c50ec5240116805884efdb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?c=C4=83t=C4=83lin?= Date: Wed, 28 Jan 2026 19:23:35 +0100 Subject: [PATCH 26/43] feat: add tailscale exit node --- docker/tailscale/docker-compose.yml | 18 ++++++++++++++++++ docker/tailscale/sample.env | 5 +++++ 2 files changed, 23 insertions(+) create mode 100644 docker/tailscale/docker-compose.yml create mode 100644 docker/tailscale/sample.env diff --git a/docker/tailscale/docker-compose.yml b/docker/tailscale/docker-compose.yml new file mode 100644 index 0000000..71384f1 --- /dev/null +++ b/docker/tailscale/docker-compose.yml @@ -0,0 +1,18 @@ +--- +services: + tailscale: + image: tailscale/tailscale:v1.92.4 + hostname: tailscale + environment: + TS_AUTHKEY: ${TS_AUTHKEY} + TS_HOSTNAME: ${TS_HOSTNAME:-docker-exit-node} + TS_EXTRA_ARGS: ${TS_EXTRA_ARGS:---advertise-exit-node} + TS_ROUTES: ${TS_ROUTES:-192.168.1.0/24} + TS_STATE_DIR: /var/lib/tailscale + volumes: + - ${TS_VOLUME:-/mnt/nas1/shared/tailscale}:/var/lib/tailscale + devices: + - /dev/net/tun:/dev/net/tun + cap_add: + - net_admin + restart: unless-stopped diff --git a/docker/tailscale/sample.env b/docker/tailscale/sample.env new file mode 100644 index 0000000..83646d5 --- /dev/null +++ b/docker/tailscale/sample.env @@ -0,0 +1,5 @@ +TS_AUTHKEY= +TS_HOSTNAME=docker-exit-node +TS_EXTRA_ARGS=--advertise-exit-node +TS_ROUTES=192.168.1.0/24 +TS_VOLUME=/mnt/nas1/shared/tailscale From 970bc7e125615d685bb56b0e91ef7ba2e2a51617 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Thu, 29 Jan 2026 03:22:25 +0000 Subject: [PATCH 27/43] chore(deps): update tailscale/tailscale docker tag to v1.92.5 --- docker/tailscale/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/tailscale/docker-compose.yml b/docker/tailscale/docker-compose.yml index 71384f1..f0d25e1 100644 --- a/docker/tailscale/docker-compose.yml +++ b/docker/tailscale/docker-compose.yml @@ -1,7 +1,7 @@ --- services: tailscale: - image: tailscale/tailscale:v1.92.4 + image: tailscale/tailscale:v1.92.5 hostname: tailscale environment: TS_AUTHKEY: ${TS_AUTHKEY} From f41e6349ef6f1cb4da43922c19559e522a07457b Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Thu, 29 Jan 2026 03:21:56 +0000 Subject: [PATCH 28/43] chore(deps): update ghcr.io/zibbp/ganymede docker tag to v4.11.4 --- docker/ganymede/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/ganymede/docker-compose.yml b/docker/ganymede/docker-compose.yml index 7ba5213..93b9928 100644 --- a/docker/ganymede/docker-compose.yml +++ b/docker/ganymede/docker-compose.yml @@ -2,7 +2,7 @@ services: ganymede: container_name: ganymede - image: ghcr.io/zibbp/ganymede:4.11.3 + image: ghcr.io/zibbp/ganymede:4.11.4 restart: unless-stopped environment: DEBUG: ${GANYMEDE_DEBUG:-false} From a390412f56f84b8dcf73eded5938a58449760d45 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Fri, 30 Jan 2026 03:31:39 +0000 Subject: [PATCH 29/43] chore(deps): update code.forgejo.org/forgejo-helm/forgejo docker tag to v16.0.2 --- k8s/argo-apps/forgejo.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/k8s/argo-apps/forgejo.yaml b/k8s/argo-apps/forgejo.yaml index 44b2f4d..1106bc3 100644 --- a/k8s/argo-apps/forgejo.yaml +++ b/k8s/argo-apps/forgejo.yaml @@ -14,7 +14,7 @@ spec: sources: - chart: forgejo repoURL: code.forgejo.org/forgejo-helm - targetRevision: 16.0.1 + targetRevision: 16.0.2 helm: valuesObject: replicaCount: 2 From 27136043831c3d8e1a4f803754a1a86c75e01d8c Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sun, 1 Feb 2026 03:20:32 +0000 Subject: [PATCH 30/43] chore(deps): update code.forgejo.org/forgejo/runner docker tag to v12 --- docker/forgejo-runner/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/forgejo-runner/docker-compose.yml b/docker/forgejo-runner/docker-compose.yml index e98dc66..c839404 100644 --- a/docker/forgejo-runner/docker-compose.yml +++ b/docker/forgejo-runner/docker-compose.yml @@ -1,6 +1,6 @@ --- x-runner-common: &runner-common - image: code.forgejo.org/forgejo/runner:11.3.1 + image: code.forgejo.org/forgejo/runner:12.6.3 links: - docker-in-docker depends_on: From 00d8d0adec936fc3da932bfda6675b4312b2a84d Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sun, 1 Feb 2026 03:18:42 +0000 Subject: [PATCH 31/43] chore(deps): update ghcr.io/lennart-k/rustical docker tag to v0.12.4 --- docker/rustical/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/rustical/docker-compose.yml b/docker/rustical/docker-compose.yml index 2818a50..2bca4ee 100644 --- a/docker/rustical/docker-compose.yml +++ b/docker/rustical/docker-compose.yml @@ -1,7 +1,7 @@ --- services: rustical: - image: ghcr.io/lennart-k/rustical:0.12.3 + image: ghcr.io/lennart-k/rustical:0.12.4 ports: - '4000:4000' volumes: From 9f00f56733db90a2d7cf2bd2713b64d084f5bf8c Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sun, 1 Feb 2026 03:18:58 +0000 Subject: [PATCH 32/43] chore(deps): update ghcr.io/paperless-ngx/paperless-ngx docker tag to v2.20.6 --- docker/paperless/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/paperless/docker-compose.yml b/docker/paperless/docker-compose.yml index 7e14770..99209c6 100644 --- a/docker/paperless/docker-compose.yml +++ b/docker/paperless/docker-compose.yml @@ -14,7 +14,7 @@ services: webserver: - image: ghcr.io/paperless-ngx/paperless-ngx:2.20.5 + image: ghcr.io/paperless-ngx/paperless-ngx:2.20.6 restart: unless-stopped ports: - 8002:8000 From c5a6d64a8bfc7ba67086b611f53e96e390b5e765 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Mon, 2 Feb 2026 09:55:07 +0000 Subject: [PATCH 33/43] chore(deps): update vabene1111/recipes docker tag to v2.4.2 --- docker/tandoor/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/tandoor/docker-compose.yml b/docker/tandoor/docker-compose.yml index 8133b76..5bf5d88 100644 --- a/docker/tandoor/docker-compose.yml +++ b/docker/tandoor/docker-compose.yml @@ -2,7 +2,7 @@ services: web_recipes: restart: always - image: vabene1111/recipes:2.3.6 + image: vabene1111/recipes:2.4.2 volumes: - ${TANDOOR_STATICFILES:-/mnt/nas1/shared/tandoor/staticfiles}:/opt/recipes/staticfiles - ${TANDOOR_MEDIAFILES:-/mnt/nas1/shared/tandoor/mediafiles}:/opt/recipes/mediafiles From c07ddb4c8605bc155ecd22b845a21f50a1beddbb Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Tue, 3 Feb 2026 10:04:46 +0000 Subject: [PATCH 34/43] chore(deps): update helm release renovate to v46 --- k8s/argo-apps/renovate.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/k8s/argo-apps/renovate.yaml b/k8s/argo-apps/renovate.yaml index 9616b6d..70b68ef 100644 --- a/k8s/argo-apps/renovate.yaml +++ b/k8s/argo-apps/renovate.yaml @@ -13,7 +13,7 @@ spec: sources: - chart: renovate repoURL: https://docs.renovatebot.com/helm-charts - targetRevision: 45.86.* + targetRevision: 46.2.* helm: valuesObject: renovate: From b144f9a03a118b60268f60e63b8648c0ab2c8925 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Mon, 2 Feb 2026 09:50:49 +0000 Subject: [PATCH 35/43] chore(deps): update ghcr.io/zibbp/ganymede docker tag to v4.11.5 --- docker/ganymede/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/ganymede/docker-compose.yml b/docker/ganymede/docker-compose.yml index 93b9928..1f24da0 100644 --- a/docker/ganymede/docker-compose.yml +++ b/docker/ganymede/docker-compose.yml @@ -2,7 +2,7 @@ services: ganymede: container_name: ganymede - image: ghcr.io/zibbp/ganymede:4.11.4 + image: ghcr.io/zibbp/ganymede:4.11.5 restart: unless-stopped environment: DEBUG: ${GANYMEDE_DEBUG:-false} From e6fa586fbe413cdb83dd674de2e18dca1e5b3d10 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Fri, 6 Feb 2026 16:36:26 +0000 Subject: [PATCH 36/43] chore(deps): update helm release pulse to 5.1.* --- k8s/argo-apps/pulse.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/k8s/argo-apps/pulse.yaml b/k8s/argo-apps/pulse.yaml index 7873917..aa2dd3f 100644 --- a/k8s/argo-apps/pulse.yaml +++ b/k8s/argo-apps/pulse.yaml @@ -15,7 +15,7 @@ spec: sources: - repoURL: https://rcourtman.github.io/Pulse chart: pulse - targetRevision: v5.0.* + targetRevision: 5.1.* helm: valuesObject: persistence: From 6a56ed25a4e4bd3e563621f7d1434b11f61da48f Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Tue, 10 Feb 2026 03:21:37 +0000 Subject: [PATCH 37/43] chore(deps): update rcourtman/pulse docker tag to v5.1.6 --- k8s/services/pulse/ds.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/k8s/services/pulse/ds.yaml b/k8s/services/pulse/ds.yaml index 26516fa..3419d52 100644 --- a/k8s/services/pulse/ds.yaml +++ b/k8s/services/pulse/ds.yaml @@ -47,7 +47,7 @@ spec: serviceAccountName: pulse-agent containers: - name: pulse-agent - image: rcourtman/pulse:v5.0.17 + image: rcourtman/pulse:5.1.6 command: ["/opt/pulse/bin/pulse-agent-linux-amd64"] args: - --enable-kubernetes From ab6338496dae272c63d5cb5cf436c159932d4681 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Tue, 10 Feb 2026 03:21:11 +0000 Subject: [PATCH 38/43] chore(deps): update helm release renovate to 46.6.* --- k8s/argo-apps/renovate.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/k8s/argo-apps/renovate.yaml b/k8s/argo-apps/renovate.yaml index 70b68ef..61305e6 100644 --- a/k8s/argo-apps/renovate.yaml +++ b/k8s/argo-apps/renovate.yaml @@ -13,7 +13,7 @@ spec: sources: - chart: renovate repoURL: https://docs.renovatebot.com/helm-charts - targetRevision: 46.2.* + targetRevision: 46.6.* helm: valuesObject: renovate: From 28c8df19678a34a2e4d02fff88adac17bb49008b Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Fri, 6 Feb 2026 16:33:31 +0000 Subject: [PATCH 39/43] chore(deps): update terraform authentik to v2025.12.1 --- tofu/authentik/.terraform.lock.hcl | 60 +++++++++---------- tofu/authentik/main.tf | 2 +- tofu/modules/authentik-app/main.tf | 2 +- .../authentik-ldap/.terraform.lock.hcl | 60 +++++++++---------- tofu/modules/authentik-ldap/main.tf | 2 +- tofu/modules/authentik-oidc/main.tf | 2 +- tofu/modules/authentik-proxy/main.tf | 2 +- 7 files changed, 65 insertions(+), 65 deletions(-) diff --git a/tofu/authentik/.terraform.lock.hcl b/tofu/authentik/.terraform.lock.hcl index 61e958d..fe7616b 100644 --- a/tofu/authentik/.terraform.lock.hcl +++ b/tofu/authentik/.terraform.lock.hcl @@ -2,36 +2,36 @@ # Manual edits may be lost in future updates. provider "registry.opentofu.org/goauthentik/authentik" { - version = "2025.12.0" - constraints = "2025.12.0" + version = "2025.12.1" + constraints = "2025.12.1" hashes = [ - "h1:1WOionGZogRGfcwgsBshgGDDMFWqioq62s/FmpTonI8=", - "h1:7EkbL1fO5vkX5IvlGhKIjWcEPIc7U3zS/x0+rMC+NKE=", - "h1:N65bk3gPCHEJE8c68LCjQ2NMwDKDJlt0+ofnmeNM4FI=", - "h1:S2NDeRAxbfKPGvBqM7WES5znedi0V2AWc5wxkczYDd8=", - "h1:ZmqC2orWU2UItPZJZfsSnBBX7Ds0OEk8EarBtWjuFsc=", - "h1:aofPDDDWm9c87uip8IwKlhGDePNNr6Sy0Q+m9NgOols=", - "h1:f3+jlDlxpgKdCbcB7ac4lVn5pdSMM1e2Qh0AB0RDNsA=", - "h1:jt+Gtla0Z7zN4gCltMg//aDfCoSIdCyFF4ept4Qwc6E=", - "h1:msEjekUeIUKY6lipADjuQpaU1HPrp0MU19R9LpZv5UM=", - "h1:t61WX+9iOOCLlZ8tt/vZP7X8M/Q7F5k6QUyduYtpVf8=", - "h1:tI7fyxvSatX28mp0woFsBbhrnzgeZTZAaitzKThlyAo=", - "h1:wzjwM6RA9Jth4iCN5J9dzxnfjO56ZFl1T5rAQhuU1og=", - "h1:xZZSwrSXnUCPmP9U3EY9fKPmBru58wZozovF2+i//oY=", - "h1:z/+UpU0PH5hae3WEqJO7Lreo0wYO77UuJrimJyV3Mcg=", - "zh:0ce23bd10c1782a3ae9321a572093df2c283df9003fc1cf33f6e63df18a81b7a", - "zh:0de1db5b3363603e6bd25c9c420e24e872bcfe8d43a7015b710a0292ffa7a649", - "zh:1d719e62eb5195a6461cdf2e175960093cdb77b190a7b15eb3fd0e1fc38409e1", - "zh:3adba178a720c90f296183479872a82719f5497b24e90224c044bcc9e29092b7", - "zh:54e5895e61a39b955be26977c273d9581beccf0e22ec58932708472cab40b03b", - "zh:59b8df5b3be8bf9e8a8dcc7b5edf96b0ca505f93fc0db022cc33513172dbc2c8", - "zh:6d86630e353b874ad43d09e3d3541ba4f824c578122a21c7895a452a0534ca05", - "zh:b6c7466446ce685971dee0c7b2dcb16917e3d23805a51d7a2091e475908c8d87", - "zh:ca306de78ea0f99f698548d51b094501e8299340ccc9c6549d1b62fc1fe29456", - "zh:cc6bd38417c0a6c0d7a1c8533007c113155d82d085ea705d955dadf62b2f9f66", - "zh:da657c9db5647620fca377fdc934db6a0f6d05d4cc0dd91a47404850805fd6da", - "zh:dc0b1effedb7a35d1756be915ff8b48d0f422b7a9da75e7f14a2d3efa2d4806f", - "zh:eef8d1715e9cfcb6cbe05dc071390ee91276d12f6fd870bac116af47518f6176", - "zh:f4c0cd2168f59d4fbf4b1fada95a9c973224bbf81975e948f741ad18ef665690", + "h1:+R2MRgaXvmR1l+nYxYJqMSuvA4VBzfBoh2Er6TnDRPE=", + "h1:1y5I173i8qvxp8GQHBBI/bxkr6YOqY4IqOiJWIUSeeM=", + "h1:XHaltkhuTgyFCCZgpay2orOgc0TyZf0KqrFHNfUgY20=", + "h1:XvFByv5e6fKSlayYaXpFD/JbTYZN1ybujVJJjny1Q18=", + "h1:ZU9d05CLVYBbmdB0IGiG9MueY4/fVo4D6FeyQtbeujA=", + "h1:doHtDOiEIgIUWlUUc9jC7Uqdhj1hsy3etvdYmegcUZM=", + "h1:hUgMx2B40ByfaMA4Al0h7xotp/pZxJJxZZa/HJb6NDc=", + "h1:kG5J46qkCdUWJp/1p8CLifqc7Fy54IDZEjYhpmWcars=", + "h1:lNx+bJr11tPJxpkL5aTdOkGwB41O2Kv8fvKuiMl/LLs=", + "h1:mSOL+FqSLNkWeXopegyK/MoCkMD/VmW9V3PHLaIePjU=", + "h1:oCKzPBsyaD1ENda7qbREG3DYV3Opu09ub+msk3vRCkw=", + "h1:p9AGeRqK50wTHEIp7z7O4MUP83cs+lt7wPajZ9m9TB8=", + "h1:tBoVWDOhByI7cg9TYAAw6LDdMmWLpa2LYwJzzcukdiA=", + "h1:zHQHXKmlGNYBaWLJ9SuXsJ7dbpsvhDJl5pJi+PFU+2w=", + "zh:0e856d3b13614bc32346a236a8e84ba55ecd17238c2008d4b3e71aa8cb49f515", + "zh:2dcc44cd499c18ebbc4f763eff97a7b725763c8ac8fbb5d69c935413ccdc4962", + "zh:434100fc75ec7cd6b64cc9497e8273e79325fa8d285e9fd9d341c1a67421643b", + "zh:483484f66d2e8ce6fa4bfd91e824ceebf07d10acb5df5f366397c55227c4ae91", + "zh:596743a6f1c77a6f103b06ef8d932fe8f2376793b92478853dc84571d17c429f", + "zh:5ed2d5eb7db13229baaf042c725d5c64b58ffdcc641370175e0a88900af94bf1", + "zh:8aecd4cf782c82bee01098f72fe4ffff83707516007b32a01c7fcb19a9260338", + "zh:928c05ecac309287ff7d73ed6e478350fe3003557658ae5dc2be817a4268dba7", + "zh:9b9fd36dfb3e75da8b4478485272505ae9a3c67b10db173e1d2d76cfe2b637b8", + "zh:ab7cd8c61ab67a045854e32f0be1940a92746770dbf3c17bbe923e0259c4f897", + "zh:bb1360ec19a4fc1095d0ef1b7b6c5c3c1a91daac7cd1957d43a4cdbb7356a2e3", + "zh:d2186f4063aa1a547b52a53745d472e43f5343bc1674f2bbb91421c61b0fab50", + "zh:d74bbb67a77951b18ffd7b2863954e70ac03450ad2023cc305c66a5ff25d8d18", + "zh:f5970569ea0a479bbfbf2d452f5962e1c9bd472b82756db822d0e951363daa25", ] } diff --git a/tofu/authentik/main.tf b/tofu/authentik/main.tf index 6151382..4ff4a0c 100644 --- a/tofu/authentik/main.tf +++ b/tofu/authentik/main.tf @@ -8,7 +8,7 @@ terraform { required_providers { authentik = { source = "goauthentik/authentik" - version = "2025.12.0" + version = "2025.12.1" } } } diff --git a/tofu/modules/authentik-app/main.tf b/tofu/modules/authentik-app/main.tf index 778e119..1b65990 100644 --- a/tofu/modules/authentik-app/main.tf +++ b/tofu/modules/authentik-app/main.tf @@ -3,7 +3,7 @@ terraform { required_providers { authentik = { source = "goauthentik/authentik" - version = "2025.12.0" + version = "2025.12.1" } } } diff --git a/tofu/modules/authentik-ldap/.terraform.lock.hcl b/tofu/modules/authentik-ldap/.terraform.lock.hcl index 61e958d..fe7616b 100644 --- a/tofu/modules/authentik-ldap/.terraform.lock.hcl +++ b/tofu/modules/authentik-ldap/.terraform.lock.hcl @@ -2,36 +2,36 @@ # Manual edits may be lost in future updates. provider "registry.opentofu.org/goauthentik/authentik" { - version = "2025.12.0" - constraints = "2025.12.0" + version = "2025.12.1" + constraints = "2025.12.1" hashes = [ - "h1:1WOionGZogRGfcwgsBshgGDDMFWqioq62s/FmpTonI8=", - "h1:7EkbL1fO5vkX5IvlGhKIjWcEPIc7U3zS/x0+rMC+NKE=", - "h1:N65bk3gPCHEJE8c68LCjQ2NMwDKDJlt0+ofnmeNM4FI=", - "h1:S2NDeRAxbfKPGvBqM7WES5znedi0V2AWc5wxkczYDd8=", - "h1:ZmqC2orWU2UItPZJZfsSnBBX7Ds0OEk8EarBtWjuFsc=", - "h1:aofPDDDWm9c87uip8IwKlhGDePNNr6Sy0Q+m9NgOols=", - "h1:f3+jlDlxpgKdCbcB7ac4lVn5pdSMM1e2Qh0AB0RDNsA=", - "h1:jt+Gtla0Z7zN4gCltMg//aDfCoSIdCyFF4ept4Qwc6E=", - "h1:msEjekUeIUKY6lipADjuQpaU1HPrp0MU19R9LpZv5UM=", - "h1:t61WX+9iOOCLlZ8tt/vZP7X8M/Q7F5k6QUyduYtpVf8=", - "h1:tI7fyxvSatX28mp0woFsBbhrnzgeZTZAaitzKThlyAo=", - "h1:wzjwM6RA9Jth4iCN5J9dzxnfjO56ZFl1T5rAQhuU1og=", - "h1:xZZSwrSXnUCPmP9U3EY9fKPmBru58wZozovF2+i//oY=", - "h1:z/+UpU0PH5hae3WEqJO7Lreo0wYO77UuJrimJyV3Mcg=", - "zh:0ce23bd10c1782a3ae9321a572093df2c283df9003fc1cf33f6e63df18a81b7a", - "zh:0de1db5b3363603e6bd25c9c420e24e872bcfe8d43a7015b710a0292ffa7a649", - "zh:1d719e62eb5195a6461cdf2e175960093cdb77b190a7b15eb3fd0e1fc38409e1", - "zh:3adba178a720c90f296183479872a82719f5497b24e90224c044bcc9e29092b7", - "zh:54e5895e61a39b955be26977c273d9581beccf0e22ec58932708472cab40b03b", - "zh:59b8df5b3be8bf9e8a8dcc7b5edf96b0ca505f93fc0db022cc33513172dbc2c8", - "zh:6d86630e353b874ad43d09e3d3541ba4f824c578122a21c7895a452a0534ca05", - "zh:b6c7466446ce685971dee0c7b2dcb16917e3d23805a51d7a2091e475908c8d87", - "zh:ca306de78ea0f99f698548d51b094501e8299340ccc9c6549d1b62fc1fe29456", - "zh:cc6bd38417c0a6c0d7a1c8533007c113155d82d085ea705d955dadf62b2f9f66", - "zh:da657c9db5647620fca377fdc934db6a0f6d05d4cc0dd91a47404850805fd6da", - "zh:dc0b1effedb7a35d1756be915ff8b48d0f422b7a9da75e7f14a2d3efa2d4806f", - "zh:eef8d1715e9cfcb6cbe05dc071390ee91276d12f6fd870bac116af47518f6176", - "zh:f4c0cd2168f59d4fbf4b1fada95a9c973224bbf81975e948f741ad18ef665690", + "h1:+R2MRgaXvmR1l+nYxYJqMSuvA4VBzfBoh2Er6TnDRPE=", + "h1:1y5I173i8qvxp8GQHBBI/bxkr6YOqY4IqOiJWIUSeeM=", + "h1:XHaltkhuTgyFCCZgpay2orOgc0TyZf0KqrFHNfUgY20=", + "h1:XvFByv5e6fKSlayYaXpFD/JbTYZN1ybujVJJjny1Q18=", + "h1:ZU9d05CLVYBbmdB0IGiG9MueY4/fVo4D6FeyQtbeujA=", + "h1:doHtDOiEIgIUWlUUc9jC7Uqdhj1hsy3etvdYmegcUZM=", + "h1:hUgMx2B40ByfaMA4Al0h7xotp/pZxJJxZZa/HJb6NDc=", + "h1:kG5J46qkCdUWJp/1p8CLifqc7Fy54IDZEjYhpmWcars=", + "h1:lNx+bJr11tPJxpkL5aTdOkGwB41O2Kv8fvKuiMl/LLs=", + "h1:mSOL+FqSLNkWeXopegyK/MoCkMD/VmW9V3PHLaIePjU=", + "h1:oCKzPBsyaD1ENda7qbREG3DYV3Opu09ub+msk3vRCkw=", + "h1:p9AGeRqK50wTHEIp7z7O4MUP83cs+lt7wPajZ9m9TB8=", + "h1:tBoVWDOhByI7cg9TYAAw6LDdMmWLpa2LYwJzzcukdiA=", + "h1:zHQHXKmlGNYBaWLJ9SuXsJ7dbpsvhDJl5pJi+PFU+2w=", + "zh:0e856d3b13614bc32346a236a8e84ba55ecd17238c2008d4b3e71aa8cb49f515", + "zh:2dcc44cd499c18ebbc4f763eff97a7b725763c8ac8fbb5d69c935413ccdc4962", + "zh:434100fc75ec7cd6b64cc9497e8273e79325fa8d285e9fd9d341c1a67421643b", + "zh:483484f66d2e8ce6fa4bfd91e824ceebf07d10acb5df5f366397c55227c4ae91", + "zh:596743a6f1c77a6f103b06ef8d932fe8f2376793b92478853dc84571d17c429f", + "zh:5ed2d5eb7db13229baaf042c725d5c64b58ffdcc641370175e0a88900af94bf1", + "zh:8aecd4cf782c82bee01098f72fe4ffff83707516007b32a01c7fcb19a9260338", + "zh:928c05ecac309287ff7d73ed6e478350fe3003557658ae5dc2be817a4268dba7", + "zh:9b9fd36dfb3e75da8b4478485272505ae9a3c67b10db173e1d2d76cfe2b637b8", + "zh:ab7cd8c61ab67a045854e32f0be1940a92746770dbf3c17bbe923e0259c4f897", + "zh:bb1360ec19a4fc1095d0ef1b7b6c5c3c1a91daac7cd1957d43a4cdbb7356a2e3", + "zh:d2186f4063aa1a547b52a53745d472e43f5343bc1674f2bbb91421c61b0fab50", + "zh:d74bbb67a77951b18ffd7b2863954e70ac03450ad2023cc305c66a5ff25d8d18", + "zh:f5970569ea0a479bbfbf2d452f5962e1c9bd472b82756db822d0e951363daa25", ] } diff --git a/tofu/modules/authentik-ldap/main.tf b/tofu/modules/authentik-ldap/main.tf index 86d1806..b0fc742 100644 --- a/tofu/modules/authentik-ldap/main.tf +++ b/tofu/modules/authentik-ldap/main.tf @@ -3,7 +3,7 @@ terraform { required_providers { authentik = { source = "goauthentik/authentik" - version = "2025.12.0" + version = "2025.12.1" } } } diff --git a/tofu/modules/authentik-oidc/main.tf b/tofu/modules/authentik-oidc/main.tf index 3ca69a3..aea24f7 100644 --- a/tofu/modules/authentik-oidc/main.tf +++ b/tofu/modules/authentik-oidc/main.tf @@ -3,7 +3,7 @@ terraform { required_providers { authentik = { source = "goauthentik/authentik" - version = "2025.12.0" + version = "2025.12.1" } } } diff --git a/tofu/modules/authentik-proxy/main.tf b/tofu/modules/authentik-proxy/main.tf index 288bd61..86e4baa 100644 --- a/tofu/modules/authentik-proxy/main.tf +++ b/tofu/modules/authentik-proxy/main.tf @@ -3,7 +3,7 @@ terraform { required_providers { authentik = { source = "goauthentik/authentik" - version = "2025.12.0" + version = "2025.12.1" } } } From cb6959808180facc1a0feb8263886158e0de2464 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Wed, 11 Feb 2026 03:03:46 +0000 Subject: [PATCH 40/43] chore(deps): update rcourtman/pulse docker tag to v5.1.8 --- k8s/services/pulse/ds.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/k8s/services/pulse/ds.yaml b/k8s/services/pulse/ds.yaml index 3419d52..2785813 100644 --- a/k8s/services/pulse/ds.yaml +++ b/k8s/services/pulse/ds.yaml @@ -47,7 +47,7 @@ spec: serviceAccountName: pulse-agent containers: - name: pulse-agent - image: rcourtman/pulse:5.1.6 + image: rcourtman/pulse:5.1.8 command: ["/opt/pulse/bin/pulse-agent-linux-amd64"] args: - --enable-kubernetes From 6ff4153f7d6a36f33beab6d3cd2433b2d3d69015 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Wed, 11 Feb 2026 03:03:03 +0000 Subject: [PATCH 41/43] chore(deps): update code.forgejo.org/forgejo/runner docker tag to v12.6.4 --- docker/forgejo-runner/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/forgejo-runner/docker-compose.yml b/docker/forgejo-runner/docker-compose.yml index c839404..903042c 100644 --- a/docker/forgejo-runner/docker-compose.yml +++ b/docker/forgejo-runner/docker-compose.yml @@ -1,6 +1,6 @@ --- x-runner-common: &runner-common - image: code.forgejo.org/forgejo/runner:12.6.3 + image: code.forgejo.org/forgejo/runner:12.6.4 links: - docker-in-docker depends_on: From c76d3db733f08314b9d7f7cc9931a0f29842cdbc Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Thu, 12 Feb 2026 03:06:50 +0000 Subject: [PATCH 42/43] chore(deps): update vaultwarden/server docker tag to v1.35.3 --- docker/vaultwarden/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/vaultwarden/docker-compose.yml b/docker/vaultwarden/docker-compose.yml index bef3334..dfd51a4 100644 --- a/docker/vaultwarden/docker-compose.yml +++ b/docker/vaultwarden/docker-compose.yml @@ -1,7 +1,7 @@ --- services: vaultwarden: - image: vaultwarden/server:1.35.2-alpine + image: vaultwarden/server:1.35.3-alpine restart: unless-stopped environment: DATABASE_URL: ${DATABASE_URL} From 89515b77446b95584991268d0f29d383f9fabc91 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sun, 15 Feb 2026 23:42:43 +0000 Subject: [PATCH 43/43] chore(deps): update miniflux/miniflux docker tag to v2.2.17 --- k8s/services/miniflux/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/k8s/services/miniflux/deployment.yaml b/k8s/services/miniflux/deployment.yaml index f6be938..a89d916 100644 --- a/k8s/services/miniflux/deployment.yaml +++ b/k8s/services/miniflux/deployment.yaml @@ -28,7 +28,7 @@ spec: spec: containers: - name: miniflux - image: miniflux/miniflux:2.2.13 + image: miniflux/miniflux:2.2.17 imagePullPolicy: Always securityContext: allowPrivilegeEscalation: false