diff --git a/docker/paperless/docker-compose.yml b/docker/paperless/docker-compose.yml
index 58acc07..4bb523e 100644
--- a/docker/paperless/docker-compose.yml
+++ b/docker/paperless/docker-compose.yml
@@ -14,7 +14,7 @@ services:
 
   webserver:
 
-    image: ghcr.io/paperless-ngx/paperless-ngx:2.20.0
+    image: ghcr.io/paperless-ngx/paperless-ngx:2.19.5
     restart: unless-stopped
     ports:
       - 8002:8000
diff --git a/docker/rustical/docker-compose.yml b/docker/rustical/docker-compose.yml
deleted file mode 100644
index 662a7df..0000000
--- a/docker/rustical/docker-compose.yml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-services:
-  rustical:
-    image: ghcr.io/lennart-k/rustical:0.10.5
-    ports:
-      - '4000:4000'
-    volumes:
-      - "${RUSTICAL_DATA_VOLUME:-/mnt/nas1/shared/rustical/:/var/lib/rustical/}"
-    environment:
-      RUSTICAL_OIDC__NAME: ${RUSTICAL_OIDC_NAME:-Authentik}
-      RUSTICAL_OIDC__ISSUER: ${RUSTICAL_OIDC_ISSUER:-https://auth.fukurokuju.dev/application/o/rustical/}
-      RUSTICAL_OIDC__CLIENT_ID: ${RUSTICAL_OIDC_CLIENT_ID}
-      RUSTICAL_OIDC__CLIENT_SECRET: ${RUSTICAL_OIDC_CLIENT_SECRET}
-      RUSTICAL_OIDC__CLAIM_USERID: ${RUSTICAL_OIDC_CLAIM_USERID:-preferred_username}
-      RUSTICAL_OIDC__SCOPES: '["openid", "profile", "groups"]'
-      RUSTICAL_OIDC__ALLOW_SIGN_UP: "true"
-      RUSTICAL_FRONTEND__ALLOW_PASSWORD_LOGIN: ${RUSTICAL_FRONTED_ALLOW_PASSWORD_LOGIN:-false}
diff --git a/k8s/argo-apps/forgejo.yaml b/k8s/argo-apps/forgejo.yaml
index 277a779..fdae5da 100644
--- a/k8s/argo-apps/forgejo.yaml
+++ b/k8s/argo-apps/forgejo.yaml
@@ -14,7 +14,7 @@ spec:
   sources:
     - chart: forgejo
       repoURL: code.forgejo.org/forgejo-helm
-      targetRevision: 15.0.3
+      targetRevision: 15.0.2
       helm:
         valuesObject:
           replicaCount: 2
diff --git a/k8s/argo-apps/kubetail.yaml b/k8s/argo-apps/kubetail.yaml
index 453b3b8..0c6b50f 100644
--- a/k8s/argo-apps/kubetail.yaml
+++ b/k8s/argo-apps/kubetail.yaml
@@ -12,7 +12,7 @@ spec:
   sources:
     - chart: kubetail
       repoURL: https://kubetail-org.github.io/helm-charts/
-      targetRevision: 0.16.3
+      targetRevision: 0.16.1
       helm:
         valuesObject:
           kubetail:
diff --git a/k8s/argo-apps/psql.yaml b/k8s/argo-apps/psql.yaml
index 627a13c..9ec41d0 100644
--- a/k8s/argo-apps/psql.yaml
+++ b/k8s/argo-apps/psql.yaml
@@ -10,7 +10,7 @@ spec:
     server: 'https://kubernetes.default.svc'
   sources:
     - chart: postgres
-      targetRevision: 1.6.1
+      targetRevision: 1.6.0
       repoURL: https://groundhog2k.github.io/helm-charts/
       helm:
         valuesObject:
diff --git a/k8s/argo-apps/renovate.yaml b/k8s/argo-apps/renovate.yaml
index 83c3d3a..940a12a 100644
--- a/k8s/argo-apps/renovate.yaml
+++ b/k8s/argo-apps/renovate.yaml
@@ -13,7 +13,7 @@ spec:
   sources:
     - chart: renovate
       repoURL: https://docs.renovatebot.com/helm-charts
-      targetRevision: 45.21.*
+      targetRevision: 45.1.*
       helm:
         valuesObject:
           renovate:
diff --git a/tofu/authentik/main.tf b/tofu/authentik/main.tf
index c062e8f..5c0ffef 100644
--- a/tofu/authentik/main.tf
+++ b/tofu/authentik/main.tf
@@ -42,7 +42,6 @@ resource "authentik_group" "ftp" {
   is_superuser = false
 }
 
-
 module "gitea" {
   source              = "../modules/authentik-oidc"
   app_name            = "Gitea"
@@ -200,6 +199,7 @@ module "netbird" {
   app_name            = "netbird"
   app_slug            = "netbird"
   client_id           = var.netbird_client_id
+  client_secret       = var.netbird_client_secret
   client_type         = "public"
   app_access_group_id = authentik_group.vpn.id
   redirect_uris = [
@@ -223,15 +223,4 @@ module "netbird" {
   ]
   app_icon              = "https://vpn.fukurokuju.dev/apple-icon.png"
   access_token_validity = "days=10"
-  client_secret         = ""
-}
-
-module "rustical" {
-  source              = "../modules/authentik-oidc"
-  app_name            = "rustical"
-  app_slug            = "rustical"
-  client_id           = var.rustical_client_id
-  client_secret       = var.rustical_client_secret
-  redirect_uris       = [{ matching_mode = "strict", url = "https://cal.roboces.dev/frontend/login/oidc/callback" }]
-  app_access_group_id = ""
 }
diff --git a/tofu/authentik/vars.tf b/tofu/authentik/vars.tf
index 3dca992..50cba45 100644
--- a/tofu/authentik/vars.tf
+++ b/tofu/authentik/vars.tf
@@ -44,6 +44,10 @@ variable "netbird_client_id" {
   type        = string
 }
 
+variable "netbird_client_secret" {
+  description = "Netbird client secret"
+  type        = string
+}
 
 variable "sftpgo_client_id" {
   description = "SFTPGo client ID"
@@ -54,13 +58,3 @@ variable "sftpgo_client_secret" {
   description = "SFTPGo client secret"
   type        = string
 }
-
-variable "rustical_client_id" {
-  description = "Radicale client ID"
-  type        = string
-}
-
-variable "rustical_client_secret" {
-  description = "Radicale client secret"
-  type        = string
-}