chore(deps): update miniflux/miniflux docker tag to v2.2.17

docker/forgejo-runner/docker-compose.yml

@@ -1,6 +1,6 @@
 ---
 x-runner-common: &runner-common
-  image: code.forgejo.org/forgejo/runner:11.3.1
+  image: code.forgejo.org/forgejo/runner:12.6.4
   links:
     - docker-in-docker
   depends_on:

docker/ganymede/docker-compose.yml

@@ -0,0 +1,48 @@
+---
+services:
+  ganymede:
+    container_name: ganymede
+    image: ghcr.io/zibbp/ganymede:4.11.5
+    restart: unless-stopped
+    environment:
+      DEBUG: ${GANYMEDE_DEBUG:-false}
+      TZ: ${GANYMEDE_TZ:-Europe/Madrid}
+      VIDEOS_DIR: ${GANYMEDE_VIDEOS_DIR:-/data/videos}
+      TEMP_DIR: ${GANYMEDE_TEMP_DIR:-/data/temp}
+      LOGS_DIR: ${GANYMEDE_LOGS_DIR:-/data/logs}
+      CONFIG_DIR: ${GANYMEDE_CONFIG_DIR:-/data/config}
+      DB_HOST: ${GANYMEDE_DB_HOST:-192.168.1.3}
+      DB_PORT: ${GANYMEDE_DB_PORT:-5432}
+      DB_USER: ${GANYMEDE_DB_USER:-ganymede}
+      DB_PASS: ${GANYMEDE_DB_PASS}
+      DB_NAME: ${GANYMEDE_DB_NAME:-ganymede}
+      DB_SSL: ${GANYMEDE_DB_SSL:-disable}
+      TWITCH_CLIENT_ID: ${GANYMEDE_TWITCH_CLIENT_ID}
+      TWITCH_CLIENT_SECRET: ${GANYMEDE_TWITCH_CLIENT_SECRET}
+      MAX_CHAT_DOWNLOAD_EXECUTIONS: ${GANYMEDE_MAX_CHAT_DOWNLOAD_EXECUTIONS:-3}
+      MAX_CHAT_RENDER_EXECUTIONS: ${GANYMEDE_MAX_CHAT_RENDER_EXECUTIONS:-2}
+      MAX_VIDEO_DOWNLOAD_EXECUTIONS: ${GANYMEDE_MAX_VIDEO_DOWNLOAD_EXECUTIONS:-2}
+      MAX_VIDEO_CONVERT_EXECUTIONS: ${GANYMEDE_MAX_VIDEO_CONVERT_EXECUTIONS:-3}
+      MAX_VIDEO_SPRITE_THUMBNAIL_EXECUTIONS: ${GANYMEDE_MAX_VIDEO_SPRITE_THUMBNAIL_EXECUTIONS:-2}
+      OAUTH_ENABLED: ${GANYMEDE_OAUTH_ENABLED:-true}
+      OAUTH_PROVIDER_URL: ${GANYMEDE_OAUTH_PROVIDER_URL:-https://auth.fukurokuju.dev/application/o/ganymede/}
+      OAUTH_CLIENT_ID: ${GANYMEDE_OAUTH_CLIENT_ID}
+      OAUTH_CLIENT_SECRET: ${GANYMEDE_OAUTH_CLIENT_SECRET}
+      OAUTH_REDIRECT_URL: ${GANYMEDE_OAUTH_REDIRECT_URL:-https://vods.roboces.dev/api/v1/auth/oauth/callback}
+      SHOW_SSO_LOGIN_BUTTON: ${GANYMEDE_SHOW_SSO_LOGIN_BUTTON:-true}
+      FORCE_SSO_AUTH: ${GANYMEDE_FORCE_SSO_AUTH:-true}
+      REQUIRE_LOGIN: ${GANYMEDE_REQUIRE_LOGIN:-true}
+    volumes:
+      - ${GANYMEDE_VIDEOS:-/mnt/vods/ganymede/videos}:/data/videos
+      - ${GANYMEDE_TEMP:-/mnt/vods/ganymede/temp}:/data/temp
+      - ${GANYMEDE_CACHE:-/mnt/vods/ganymede/cache}:/data/.cache
+      - ${GANYMEDE_LOGS:-/mnt/vods/ganymede/logs}:/data/logs
+      - ${GANYMEDE_CONFIG:-/mnt/vods/ganymede/config}:/data/config
+    ports:
+      - "4800:4000"
+    healthcheck:
+      test: curl --fail http://localhost:4000/health || exit 1
+      interval: 60s
+      retries: 5
+      start_period: 60s
+      timeout: 10s

docker/ganymede/sample.env

@@ -0,0 +1,27 @@
+GANYMEDE_DEBUG=false
+GANYMEDE_TZ=Europe/Madrid
+GANYMEDE_VIDEOS_DIR=/data/videos
+GANYMEDE_TEMP_DIR=/data/temp
+GANYMEDE_LOGS_DIR=/data/logs
+GANYMEDE_CONFIG_DIR=/data/config
+GANYMEDE_DB_HOST=192.168.1.3
+GANYMEDE_DB_PORT=5432
+GANYMEDE_DB_USER=ganymede
+GANYMEDE_DB_PASS=
+GANYMEDE_DB_NAME=ganymede
+GANYMEDE_DB_SSL=disable
+GANYMEDE_TWITCH_CLIENT_ID=
+GANYMEDE_TWITCH_CLIENT_SECRET=
+GANYMEDE_MAX_CHAT_DOWNLOAD_EXECUTIONS=3
+GANYMEDE_MAX_CHAT_RENDER_EXECUTIONS=2
+GANYMEDE_MAX_VIDEO_DOWNLOAD_EXECUTIONS=2
+GANYMEDE_MAX_VIDEO_CONVERT_EXECUTIONS=3
+GANYMEDE_MAX_VIDEO_SPRITE_THUMBNAIL_EXECUTIONS=2
+GANYMEDE_OAUTH_ENABLED=true
+GANYMEDE_OAUTH_PROVIDER_URL=https://auth.fukurokuju.dev/application/o/ganymede/
+GANYMEDE_OAUTH_CLIENT_ID=
+GANYMEDE_OAUTH_CLIENT_SECRET=
+GANYMEDE_OAUTH_REDIRECT_URL=https://vods.roboces.dev/api/v1/auth/oauth/callback
+GANYMEDE_SHOW_SSO_LOGIN_BUTTON=true
+GANYMEDE_FORCE_SSO_AUTH=false
+GANYMEDE_REQUIRE_LOGIN=false

docker/netbird/docker-compose.yml

@@ -1,112 +0,0 @@
----
-services:
-  dashboard:
-    image: netbirdio/dashboard:v2.20.2
-    restart: unless-stopped
-    ports:
-      - 8005:80
-    environment:
-      NETBIRD_MGMT_API_ENDPOINT: ${NETBIRD_MGMT_API_ENDPOINT:-https://vpn.fukurokuju.dev}
-      NETBIRD_MGMT_GRPC_API_ENDPOINT: ${NETBIRD_MGMT_GRPC_API_ENDPOINT:-https://vpn.fukurokuju.dev}
-      AUTH_AUDIENCE: ${NETBIRD_AUTH_AUDIENCE:-64e44b85ebdec2a3cf87c0c9916e2dbb0570f6d87b03ca8d149c3551565c3057ce1e559d16b5399cb7df60646e4e2bc6515842a198efb09d1620ea9ac1d8ace2}  # yamllint disable rule:line-length
-      AUTH_CLIENT_ID: ${NETBIRD_AUTH_CLIENT_ID:-64e44b85ebdec2a3cf87c0c9916e2dbb0570f6d87b03ca8d149c3551565c3057ce1e559d16b5399cb7df60646e4e2bc6515842a198efb09d1620ea9ac1d8ace2}  # yamllint disable rule:line-length
-      AUTH_AUTHORITY: ${NETBIRD_AUTH_AUTHORITY:-https://auth.fukurokuju.dev/application/o/netbird/}
-      USE_AUTH0: false
-      AUTH_SUPPORTED_SCOPES: ${NETBIRD_AUTH_SUPPORTED_SCOPES:-api offline_access openid email profile}
-      AUTH_REDIRECT_URI:
-      AUTH_SILENT_REDIRECT_URI:
-      NETBIRD_TOKEN_SOURCE: accessToken
-      NGINX_SSL_PORT: 443
-    logging:
-      driver: "json-file"
-      options:
-        max-size: "500m"
-        max-file: "2"
-  signal:
-    image: netbirdio/signal:0.59.11
-    restart: unless-stopped
-    volumes:
-      - netbird-signal:/var/lib/netbird
-    ports:
-      - "10000:80"
-    logging:
-      driver: "json-file"
-      options:
-        max-size: "500m"
-        max-file: "2"
-  relay:
-    image: netbirdio/relay:0.59.11
-    restart: unless-stopped
-    environment:
-      NB_LOG_LEVEL: ${NB_LOG_LEVEL:-info}
-      NB_LISTEN_ADDRESS: ${NB_LISTEN_ADDRESS:-:33080}
-      NB_EXPOSED_ADDRESS: ${NB_EXPOSED_ADDRESS:-vpn.fukurokuju.dev:33080}
-      NB_AUTH_SECRET: ${NB_AUTH_SECRET}
-    ports:
-      - "33080:33080"
-    logging:
-      driver: "json-file"
-      options:
-        max-size: "500m"
-        max-file: "2"
-  management:
-    image: netbirdio/management:0.59.10
-    restart: unless-stopped
-    depends_on:
-      - dashboard
-    volumes:
-      - ${NETBIRD_MANAGEMENT_VOLUME:-/mnt/nas1/shared/netbird/management}/data:/var/lib/netbird
-      - ${NETBIRD_MANAGEMENT_VOLUME:-/mnt/nas1/shared/netbird/management}/management.json:/etc/netbird/management.json:z
-    ports:
-      - "33073:443"
-    command: [
-      "--port", "443",
-      "--log-file", "console",
-      "--log-level", "info",
-      "--disable-anonymous-metrics=false",
-      "--single-account-mode-domain=vpn.fukurokuju.dev",
-      "--dns-domain=netbird.fuku",
-    ]
-    logging:
-      driver: "json-file"
-      options:
-        max-size: "500m"
-        max-file: "2"
-    environment:
-      - NETBIRD_STORE_ENGINE_POSTGRES_DSN=
-
-  coturn:
-    image: coturn/coturn:4.7
-    restart: unless-stopped
-    domainname: vpn.fukurokuju.dev
-    volumes:
-      - ${NETBIRD_COTURN_VOLUME:-/mnt/nas1/shared/netbird/coturn}/turnserver.conf:/etc/turnserver.conf:ro
-    network_mode: host
-    command:
-      - -c /etc/turnserver.conf
-    logging:
-      driver: "json-file"
-      options:
-        max-size: "500m"
-        max-file: "2"
-
-  peer-1:
-    image: netbirdio/netbird:0.59.11
-    restart: unless-stopped
-    volumes:
-      - ${NETBIRD_PEER_VOLUME:-/mnt/nas1/shared/netbird/peer-1}/data:/etc/netbird
-    environment:
-      NB_MANAGEMENT_URL: https://vpn.fukurokuju.dev:443
-      NB_SETUP_KEY: ${NB_SETUP_KEY}
-    cap_add:
-      - NET_ADMIN
-    depends_on:
-      - management
-      - dashboard
-      - relay
-      - signal
-      - coturn
-
-volumes:
-  netbird-mgmt:
-  netbird-signal:

docker/netbird/sample.env

@@ -1,2 +0,0 @@
-NB_AUTH_SECRET=
-NB_SETUP_KEY=

docker/paperless/docker-compose.yml

@@ -14,7 +14,7 @@ services:
 
   webserver:
 
-    image: ghcr.io/paperless-ngx/paperless-ngx:2.20.0
+    image: ghcr.io/paperless-ngx/paperless-ngx:2.20.6
     restart: unless-stopped
     ports:
       - 8002:8000

docker/rustical/docker-compose.yml

@@ -1,7 +1,7 @@
 ---
 services:
   rustical:
-    image: ghcr.io/lennart-k/rustical:0.10.5
+    image: ghcr.io/lennart-k/rustical:0.12.4
     ports:
       - '4000:4000'
     volumes:

docker/tailscale/docker-compose.yml

@@ -0,0 +1,18 @@
+---
+services:
+  tailscale:
+    image: tailscale/tailscale:v1.92.5
+    hostname: tailscale
+    environment:
+      TS_AUTHKEY: ${TS_AUTHKEY}
+      TS_HOSTNAME: ${TS_HOSTNAME:-docker-exit-node}
+      TS_EXTRA_ARGS: ${TS_EXTRA_ARGS:---advertise-exit-node}
+      TS_ROUTES: ${TS_ROUTES:-192.168.1.0/24}
+      TS_STATE_DIR: /var/lib/tailscale
+    volumes:
+      - ${TS_VOLUME:-/mnt/nas1/shared/tailscale}:/var/lib/tailscale
+    devices:
+      - /dev/net/tun:/dev/net/tun
+    cap_add:
+      - net_admin
+    restart: unless-stopped

docker/tailscale/sample.env

@@ -0,0 +1,5 @@
+TS_AUTHKEY=
+TS_HOSTNAME=docker-exit-node
+TS_EXTRA_ARGS=--advertise-exit-node
+TS_ROUTES=192.168.1.0/24
+TS_VOLUME=/mnt/nas1/shared/tailscale

docker/tandoor/docker-compose.yml

@@ -0,0 +1,21 @@
+---
+services:
+  web_recipes:
+    restart: always
+    image: vabene1111/recipes:2.4.2
+    volumes:
+      - ${TANDOOR_STATICFILES:-/mnt/nas1/shared/tandoor/staticfiles}:/opt/recipes/staticfiles
+      - ${TANDOOR_MEDIAFILES:-/mnt/nas1/shared/tandoor/mediafiles}:/opt/recipes/mediafiles
+    environment:
+      SECRET_KEY: ${TANDOOR_SECRET_KEY}
+      TZ: ${TANDOOR_TZ:-Europe/Madrid}
+      ALLOWED_HOSTS: ${TANDOOR_ALLOWED_HOSTS:-recipes.roboces.dev}
+      SOCIAL_PROVIDERS: ${TANDOOR_SOCIAL_PROVIDERS:-allauth.socialaccount.providers.openid_connect}
+      SOCIALACCOUNT_PROVIDERS: ${TANDOOR_SOCIALACCOUNT_PROVIDERS}
+      POSTGRES_HOST: ${TANDOOR_POSTGRES_HOST:-192.168.1.3}
+      POSTGRES_DB: ${TANDOOR_POSTGRES_DB:-tandoor}
+      POSTGRES_PORT: ${TANDOOR_POSTGRES_PORT:-5432}
+      POSTGRES_USER: ${TANDOOR_POSTGRES_USER}
+      POSTGRES_PASSWORD: ${TANDOOR_POSTGRES_PASSWORD}
+    ports:
+      - "8081:80"

docker/tandoor/sample.env

@@ -0,0 +1,11 @@
+TANDOOR_STATICFILES=
+TANDOOR_MEDIAFILES=
+TANDOOR_SECRET_KEY=
+TANDOOR_TZ=Europe/Madrid
+TANDOOR_ALLOWED_HOSTS=
+TANDOOR_SOCIALACCOUNT_PROVIDERS=
+TANDOOR_POSTGRES_HOST=
+TANDOOR_POSTGRES_DB=
+TANDOOR_POSTGRES_PORT=
+TANDOOR_POSTGRES_USER=
+TANDOOR_POSTGRES_PASSWORD=

docker/vaultwarden/docker-compose.yml

@@ -1,7 +1,7 @@
 ---
 services:
   vaultwarden:
-    image: vaultwarden/server:1.34.3-alpine
+    image: vaultwarden/server:1.35.3-alpine
     restart: unless-stopped
     environment:
       DATABASE_URL: ${DATABASE_URL}

k8s/argo-apps/authentik.yaml

@@ -12,7 +12,7 @@ spec:
   sources:
     - chart: authentik
       repoURL: https://charts.goauthentik.io/
-      targetRevision: 2025.10.*
+      targetRevision: 2025.12.*
       helm:
         valuesObject:
           authentik:

k8s/argo-apps/dcsi.yaml

@@ -2,29 +2,39 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-    name: democratic-csi
-    namespace: argocd
+  name: democratic-csi
+  namespace: argocd
 spec:
-    destination:
-        name: ''
-        namespace: democratic-csi
-        server: https://kubernetes.default.svc
-    sources:
-        - chart: democratic-csi
-          repoURL: https://democratic-csi.github.io/charts/
-          targetRevision: 0.15.*
-          helm:
-              releaseName: zfs-nfs
-              valuesObject:
-                  csiDriver:
-                      name: org.dcsi.nfs
-                  driver:
-                      existingConfigSecret: secrets-dcsi
-                      config:
-                          driver: freenas-api-nfs
-        - repoURL: https://git.roboces.dev/catalin/fukuops.git
-          path: k8s/services/dcsi
-          targetRevision: main
-    project: management
-    syncPolicy:
-        automated: {}
+  destination:
+    name: ''
+    namespace: democratic-csi
+    server: https://kubernetes.default.svc
+  sources:
+    - chart: democratic-csi
+      repoURL: https://democratic-csi.github.io/charts/
+      targetRevision: 0.15.*
+      helm:
+        releaseName: zfs-nfs
+        valuesObject:
+          node:
+            driver:
+              image:
+                tag: next
+          controller:
+            driver:
+              image:
+                tag: next
+          csiDriver:
+            name: org.dcsi.nfs
+          driver:
+            image:
+              tag: next
+            existingConfigSecret: secrets-dcsi
+            config:
+              driver: freenas-api-nfs
+    - repoURL: https://git.roboces.dev/catalin/fukuops.git
+      path: k8s/services/dcsi
+      targetRevision: main
+  project: management
+  syncPolicy:
+    automated: {}

k8s/argo-apps/factorio.yaml

@@ -1,45 +0,0 @@
----
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-    name: factorio
-    namespace: argocd
-spec:
-    destination:
-        name: ''
-        namespace: apps-fuku
-        server: https://kubernetes.default.svc
-    sources:
-        - chart: factorio-server-charts
-          repoURL: https://sqljames.github.io/factorio-server-charts/
-          targetRevision: 2.5.*
-          helm:
-              valuesObject:
-                  rcon:
-                      passwordSecret: secrets-factorio
-                  nodeSelector:
-                      kubernetes.io/hostname: agent1
-                  image:
-                      tag: latest
-                  factorioServer:
-                      save_name: fukurokuju-space
-                  admin_list:
-                      - Phireh
-                  account:
-                      accountSecret: secrets-factorio
-                  server_settings:
-                      name: factorio-fukurokuju
-                      visibility:
-                          public: false
-                      require_user_verification: false
-                  persistence:
-                      storageClassName: truenas-nfs-csi
-                  serverPassword:
-                      passwordSecret: secrets-factorio
-
-        - repoURL: https://git.roboces.dev/catalin/fukuops.git
-          path: k8s/services/factorio
-          targetRevision: main
-    project: fuku
-    syncPolicy:
-        automated: {}

k8s/argo-apps/forgejo.yaml

@@ -14,7 +14,7 @@ spec:
   sources:
     - chart: forgejo
       repoURL: code.forgejo.org/forgejo-helm
-      targetRevision: 15.0.3
+      targetRevision: 16.0.2
       helm:
         valuesObject:
           replicaCount: 2

k8s/argo-apps/kubetail.yaml

@@ -12,7 +12,7 @@ spec:
   sources:
     - chart: kubetail
       repoURL: https://kubetail-org.github.io/helm-charts/
-      targetRevision: 0.16.3
+      targetRevision: 0.17.0
       helm:
         valuesObject:
           kubetail:

k8s/argo-apps/pulse.yaml

@@ -0,0 +1,43 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: pulse
+  namespace: argocd
+spec:
+  destination:
+    name: ''
+    namespace: apps-fuku
+    server: https://kubernetes.default.svc
+  project: fuku
+  syncPolicy:
+    automated: {}
+  sources:
+    - repoURL: https://rcourtman.github.io/Pulse
+      chart: pulse
+      targetRevision: 5.1.*
+      helm:
+        valuesObject:
+          persistence:
+            enabled: true
+            size: 10Gi
+            storageClass: truenas-nfs-csi
+            accessModes:
+              - ReadWriteMany
+          service:
+            type: LoadBalancer
+          ingress:
+            enabled: true
+            hosts:
+              - host: pulse.fukurokuju.dev
+                paths:
+                  - path: /
+                    pathType: Prefix
+            tls: []
+          monitoring:
+            serviceMonitor:
+              enabled: true
+
+    - path: k8s/services/pulse
+      repoURL: https://git.roboces.dev/catalin/fukuops.git
+      targetRevision: main

k8s/argo-apps/renovate.yaml

@@ -13,7 +13,7 @@ spec:
   sources:
     - chart: renovate
       repoURL: https://docs.renovatebot.com/helm-charts
-      targetRevision: 45.21.*
+      targetRevision: 46.6.*
       helm:
         valuesObject:
           renovate:

k8s/argo-apps/sealed-secrets.yaml

@@ -12,7 +12,7 @@ spec:
     source:
         chart: sealed-secrets
         repoURL: https://bitnami-labs.github.io/sealed-secrets
-        targetRevision: 2.17.*
+        targetRevision: 2.18.*
         helm:
             releaseName: sealed-secrets
             valuesObject:

k8s/services/argo/project-fuku.yaml

@@ -31,3 +31,5 @@ spec:
         - https://groundhog2k.github.io/helm-charts/
         - registry-1.docker.io/cloudpirates
         - https://vmware-tanzu.github.io/helm-charts/
+        - https://helm.runix.net
+        - https://rcourtman.github.io/Pulse

k8s/services/miniflux/deployment.yaml

@@ -28,7 +28,7 @@ spec:
     spec:
       containers:
         - name: miniflux
-          image: miniflux/miniflux:2.2.13
+          image: miniflux/miniflux:2.2.17
           imagePullPolicy: Always
           securityContext:
             allowPrivilegeEscalation: false

k8s/services/pulse/ds.yaml

@@ -0,0 +1,105 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: pulse-agent
+  namespace: apps-fuku
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: pulse-agent-read
+rules:
+  - apiGroups: [""]
+    resources: ["nodes", "pods"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["apps"]
+    resources: ["deployments"]
+    verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: pulse-agent-read
+subjects:
+  - kind: ServiceAccount
+    name: pulse-agent
+    namespace: apps-fuku
+roleRef:
+  kind: ClusterRole
+  name: pulse-agent-read
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: pulse-agent
+  namespace: apps-fuku
+spec:
+  selector:
+    matchLabels:
+      app: pulse-agent
+  template:
+    metadata:
+      labels:
+        app: pulse-agent
+    spec:
+      serviceAccountName: pulse-agent
+      containers:
+        - name: pulse-agent
+          image: rcourtman/pulse:5.1.8
+          command: ["/opt/pulse/bin/pulse-agent-linux-amd64"]
+          args:
+            - --enable-kubernetes
+          env:
+            - name: PULSE_URL
+              value: "https://pulse.fukurokuju.dev"
+            - name: PULSE_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: pulse-agent-secrets
+                  key: PULSE_TOKEN
+            - name: PULSE_AGENT_ID
+              value: "k8s-cluster"
+            - name: PULSE_ENABLE_HOST
+              value: "true"
+            - name: HOST_PROC
+              value: "/host/proc"
+            - name: HOST_SYS
+              value: "/host/sys"
+            - name: HOST_ETC
+              value: "/host/etc"
+            - name: PULSE_KUBE_INCLUDE_ALL_PODS
+              value: "true"
+            - name: PULSE_KUBE_INCLUDE_ALL_DEPLOYMENTS
+              value: "true"
+          securityContext:
+            privileged: true
+          resources:
+            requests:
+              cpu: 50m
+              memory: 128Mi
+            limits:
+              memory: 512Mi
+          volumeMounts:
+            - name: host-proc
+              mountPath: /host/proc
+              readOnly: true
+            - name: host-sys
+              mountPath: /host/sys
+              readOnly: true
+            - name: host-root
+              mountPath: /host/root
+              readOnly: true
+      volumes:
+        - name: host-proc
+          hostPath:
+            path: /proc
+        - name: host-sys
+          hostPath:
+            path: /sys
+        - name: host-root
+          hostPath:
+            path: /
+      tolerations:
+        - operator: Exists

k8s/services/pulse/sealedsecrets.yaml

@@ -0,0 +1,17 @@
+# yamllint disable rule:line-length
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: pulse-agent-secrets
+  namespace: apps-fuku
+spec:
+  encryptedData:
+    PULSE_TOKEN: AgBBxrJ80IpJ0RvYKQuN6p3G8vIdSL9nESO9OTAR0NiMjSGZNbNEELKE/a1f2ixQUSsNc/k31c+7GlAi+8PmNC4c7rmRJTe+z3uO/BNNLYeTi7DsEk9/oJZTWn7iOcLogiZJQKxbGozCp/S8zrWisH67N2ZHmzz5UEJAzq57+fBEyAk22/WR0QMfW3oOYHGZFNR5AdAxrdfyRwTvSEOz4R2YlrQKRtOFVIPG/aEaAn42AGYfrq2cLVEiCygjE+8nZQ62TMmQqMiwiCjk5do9uRhhiRimuD78FrNnFU5dSwe/11ji5sSrEPjszPB8O0TBbsCssxfz48cKRm/6IdI9B5pKHYob68Ed8u5UgpRU/ZhUWJLyXuZF/Tgw+WcIsVkQXb3eqQTARBeZueugnA23lnzxh5gjR17wjPw7ePYaLiUWTYikOK5HvgpJyiuB0ev2cjGSqYeeAAn5ewCGM/NODXUAlFdC+N9S7ft1+chJrHoaXgHy8J9LWm/maKW99+yT08a68RvGGoZtFPZNlFjzurNF6EY9SLUFf0RLzShkyq6uuOzLm8gENyDIQ+Ru7wWEwyEcUz4ceAR5I78k0gCIDR1o4Ti22asdbRjMptZdOTbep+PWmu2K1oUvxXtXwgKkn8pvTkJpcdejqehnYPWfRAI3Guxi7LQDf++yShKS1NdXMdjhtFoNLa03xHM/G94sF3/mnJwivNhur1V7iC1yCY5NlruPr4KCd5AgOnKqoreRRvRbCVlFO1mtP6XV4sjqEIhmZyXWFJ76bwAC+hxSlFzL
+  template:
+    metadata:
+      creationTimestamp: null
+      name: pulse-agent-secrets
+      namespace: apps-fuku
+    type: Opaque

tofu/adguard/main.tf

@@ -85,8 +85,12 @@ resource "adguard_rewrite" "master2" {
   answer = "192.168.1.32"
 }
 
-
 resource "adguard_rewrite" "k3m3" {
   domain = "k3m3.fuku"
   answer = "192.168.1.43"
 }
+
+resource "adguard_rewrite" "pulse" {
+  answer = "pulse.fukurokuju.dev"
+  domain = "192.168.1.12"
+}

tofu/authentik/.terraform.lock.hcl

@@ -2,36 +2,36 @@
 # Manual edits may be lost in future updates.
 
 provider "registry.opentofu.org/goauthentik/authentik" {
-  version     = "2025.10.0"
-  constraints = "2025.10.0"
+  version     = "2025.12.1"
+  constraints = "2025.12.1"
   hashes = [
-    "h1:8nN6b5dEGbJJ5ajovedkO//QP4NrWU5GfrenIHAEyz0=",
-    "h1:EZlTiEEZ0a6AvlLuTKAIyhBI4m4poYUX4QW0wyHfIaw=",
-    "h1:ElpISil/0po3r4pb9KK7/pBCSLxL18a6IDHDSMFdmS0=",
-    "h1:F7+3L6JmVEG+PMizB9SuifxbznkZD3462LQpFMOW0M0=",
-    "h1:L1sFZI0qKeBpUUCMgQkuRge196DsrHaTUJKJWKm0V2w=",
-    "h1:OQgVyUOOLTGyosEpVHzE37h+91nHN5n9lKHt6nAOZyU=",
-    "h1:Ph1j1Flr4kXMZKCRlP4Hn0asAz1Yfpk+hf5t6aeF4mc=",
-    "h1:RjitcUcx/3QKUgs74q3ypbf7KQpg8BoNELW6sE4ONqk=",
-    "h1:Vw7hY7KdCtQ3hf00uCekrzdDgBJ2EnPXUAnj3ybLXPQ=",
-    "h1:fDQcyzUJqHb4qXOyze/Te0Fd3dVMdBcLQ+e2xOtsqbM=",
-    "h1:jKOzsHSorUnub0L+Lq+tPPhHmeKoaiPS8orF9zZf/i0=",
-    "h1:kXF4EEV9uzXzshloPfJQQzPbs0YVgjUu5aD+Fj040U0=",
-    "h1:pvMaS6PASVHMJxArSG1pAzS5Micb1fMcLz7MF7bO138=",
-    "h1:s3wkHrHE8Q/Dj+PIkvuPviLTUcK6h7aoAArrBKNJ8PE=",
-    "zh:0103a533f474db36223d8dbf2abc80f8d76a162b2e3042a2203f0d426f2c8e16",
-    "zh:03302f83cd5784435ef22864a936b88293284bfdc091ff2fd0cc18a40e97bb55",
-    "zh:0730ca92f8bc778dba52425d05c5dceb9ae57660797f88132c06a0bf8a4f4f55",
-    "zh:63ace720564b3549d482f0bc68b1f4596a1682faeef5fe4d40163abccda90ceb",
-    "zh:8c4acdc358b1f5b1c13192af81bba552c6ad98debd341d836f4adf1fb85610a8",
-    "zh:8f101bae1ab303b5e1b91ceb62d11386091a24c2bbd99bca4662bc88f127a8c4",
-    "zh:a683c5338f16d20a1432fbc093c35db388ec7ef9f657d7478e3a04fc72722ad7",
-    "zh:a99fcbaf234cb161c8d7018f62946178810c7645436229d05913ff432094734d",
-    "zh:aa7fc7a3e05e96522507a86ec50b53473ff3e917f56fb2fc7418070fe29f1abc",
-    "zh:bc3b9f7cce5f5fd4116700411c5f3d14c48a9b56115268094882d949b811e53a",
-    "zh:cba03e3c31ee1e83fcc25511a34ca5f7132e0bbb41f3edc7c7dc113edd5938db",
-    "zh:d1f168e7a87a3f74d9932b88daa367242d1e9a2ed1b7b9eaf44fcfcfc190305f",
-    "zh:eb5af50c8e13980da4830c5f23fa7d911ae07740b37cf9d6c5895da95374e940",
-    "zh:f9db4dbb47b257123bb70b770714552d873f9c8e2e8017c1de227757c8dfb074",
+    "h1:+R2MRgaXvmR1l+nYxYJqMSuvA4VBzfBoh2Er6TnDRPE=",
+    "h1:1y5I173i8qvxp8GQHBBI/bxkr6YOqY4IqOiJWIUSeeM=",
+    "h1:XHaltkhuTgyFCCZgpay2orOgc0TyZf0KqrFHNfUgY20=",
+    "h1:XvFByv5e6fKSlayYaXpFD/JbTYZN1ybujVJJjny1Q18=",
+    "h1:ZU9d05CLVYBbmdB0IGiG9MueY4/fVo4D6FeyQtbeujA=",
+    "h1:doHtDOiEIgIUWlUUc9jC7Uqdhj1hsy3etvdYmegcUZM=",
+    "h1:hUgMx2B40ByfaMA4Al0h7xotp/pZxJJxZZa/HJb6NDc=",
+    "h1:kG5J46qkCdUWJp/1p8CLifqc7Fy54IDZEjYhpmWcars=",
+    "h1:lNx+bJr11tPJxpkL5aTdOkGwB41O2Kv8fvKuiMl/LLs=",
+    "h1:mSOL+FqSLNkWeXopegyK/MoCkMD/VmW9V3PHLaIePjU=",
+    "h1:oCKzPBsyaD1ENda7qbREG3DYV3Opu09ub+msk3vRCkw=",
+    "h1:p9AGeRqK50wTHEIp7z7O4MUP83cs+lt7wPajZ9m9TB8=",
+    "h1:tBoVWDOhByI7cg9TYAAw6LDdMmWLpa2LYwJzzcukdiA=",
+    "h1:zHQHXKmlGNYBaWLJ9SuXsJ7dbpsvhDJl5pJi+PFU+2w=",
+    "zh:0e856d3b13614bc32346a236a8e84ba55ecd17238c2008d4b3e71aa8cb49f515",
+    "zh:2dcc44cd499c18ebbc4f763eff97a7b725763c8ac8fbb5d69c935413ccdc4962",
+    "zh:434100fc75ec7cd6b64cc9497e8273e79325fa8d285e9fd9d341c1a67421643b",
+    "zh:483484f66d2e8ce6fa4bfd91e824ceebf07d10acb5df5f366397c55227c4ae91",
+    "zh:596743a6f1c77a6f103b06ef8d932fe8f2376793b92478853dc84571d17c429f",
+    "zh:5ed2d5eb7db13229baaf042c725d5c64b58ffdcc641370175e0a88900af94bf1",
+    "zh:8aecd4cf782c82bee01098f72fe4ffff83707516007b32a01c7fcb19a9260338",
+    "zh:928c05ecac309287ff7d73ed6e478350fe3003557658ae5dc2be817a4268dba7",
+    "zh:9b9fd36dfb3e75da8b4478485272505ae9a3c67b10db173e1d2d76cfe2b637b8",
+    "zh:ab7cd8c61ab67a045854e32f0be1940a92746770dbf3c17bbe923e0259c4f897",
+    "zh:bb1360ec19a4fc1095d0ef1b7b6c5c3c1a91daac7cd1957d43a4cdbb7356a2e3",
+    "zh:d2186f4063aa1a547b52a53745d472e43f5343bc1674f2bbb91421c61b0fab50",
+    "zh:d74bbb67a77951b18ffd7b2863954e70ac03450ad2023cc305c66a5ff25d8d18",
+    "zh:f5970569ea0a479bbfbf2d452f5962e1c9bd472b82756db822d0e951363daa25",
   ]
 }

tofu/authentik/main.tf

@@ -8,7 +8,7 @@ terraform {
   required_providers {
     authentik = {
       source  = "goauthentik/authentik"
-      version = "2025.10.0"
+      version = "2025.12.1"
     }
   }
 }
@@ -22,6 +22,11 @@ resource "authentik_group" "ci" {
   users = [data.authentik_user.catalin.id]
 }
 
+resource "authentik_group" "vods" {
+  name  = "vods"
+  users = [data.authentik_user.catalin.id]
+}
+
 resource "authentik_group" "admins" {
   name         = "authentik Admins"
   is_superuser = true
@@ -47,6 +52,7 @@ resource "authentik_group" "mediamanager" {
   is_superuser = false
 }
 
+
 module "gitea" {
   source              = "../modules/authentik-oidc"
   app_name            = "Gitea"
@@ -128,7 +134,7 @@ module "sonarr" {
   app_slug                     = "sonarr"
   app_access_group_id          = authentik_group.arrs.id
   app_url                      = "https://sonarr.fukurokuju.dev"
-  internal_host                = "http://192.168.1.3:38013/"
+  internal_host                = "http://192.168.1.3:30113/"
   internal_host_ssl_validation = false
   app_icon                     = "https://sonarr.tv/img/logo.png"
 }
@@ -139,7 +145,7 @@ module "radarr" {
   app_slug                     = "radarr"
   app_access_group_id          = authentik_group.arrs.id
   app_url                      = "https://radarr.fukurokuju.dev"
-  internal_host                = "http://192.168.1.3:38012/"
+  internal_host                = "http://192.168.1.3:30025/"
   internal_host_ssl_validation = false
   app_icon                     = "https://radarr.video/img/background/logo.png"
 }
@@ -150,7 +156,7 @@ module "lidarr" {
   app_slug                     = "lidarr"
   app_access_group_id          = authentik_group.arrs.id
   app_url                      = "https://lidarr.fukurokuju.dev"
-  internal_host                = "http://192.168.1.3:38010/"
+  internal_host                = "http://192.168.1.3:30071/"
   internal_host_ssl_validation = false
   app_icon                     = "https://lidarr.audio/img/background/logo.png"
 }
@@ -171,7 +177,7 @@ module "prowlarr" {
   app_slug                     = "prowlarr"
   app_access_group_id          = authentik_group.admins.id
   app_url                      = "https://prowlarr.fukurokuju.dev"
-  internal_host                = "http://192.168.1.3:38014"
+  internal_host                = "http://192.168.1.3:30050"
   internal_host_ssl_validation = false
 }
 
@@ -199,53 +205,70 @@ module "sftpgo" {
   sub_mode              = "user_username"
 }
 
-module "netbird" {
-  source              = "../modules/authentik-oidc"
-  app_name            = "netbird"
-  app_slug            = "netbird"
-  client_id           = var.netbird_client_id
-  client_type         = "public"
-  app_access_group_id = authentik_group.vpn.id
-  redirect_uris = [
-    {
-      matching_mode = "strict",
-      url           = "https://vpn.fukurokuju.dev",
-    },
-    {
-      matching_mode = "regex",
-      url           = "https://vpn.fukurokuju.dev.*",
-    },
-    {
-      matching_mode = "strict",
-      url           = "http://localhost:53000"
-    },
-
-  ]
-  sub_mode = "user_id"
-  extra_property_mappings = [
-    "goauthentik.io/providers/oauth2/scope-authentik_api"
-  ]
-  app_icon              = "https://vpn.fukurokuju.dev/apple-icon.png"
-  access_token_validity = "days=10"
-  client_secret         = ""
-}
-
 module "rustical" {
   source              = "../modules/authentik-oidc"
   app_name            = "rustical"
   app_slug            = "rustical"
+  app_url             = "https://cal.roboces.dev"
   client_id           = var.rustical_client_id
   client_secret       = var.rustical_client_secret
   redirect_uris       = [{ matching_mode = "strict", url = "https://cal.roboces.dev/frontend/login/oidc/callback" }]
   app_access_group_id = ""
 }
 
-module "mediamanager" {
-  source              = "../modules/authentik-oidc"
-  app_name            = "mediamanager"
-  app_slug            = "mediamanager"
-  client_id           = var.mediamanager_client_id
-  client_secret       = var.mediamanager_client_secret
-  redirect_uris       = [{ matching_mode = "strict", url = "https://mediamanager.roboces.dev/api/v1/auth/oauth/callback" }]
-  app_access_group_id = authentik_group.mediamanager.id
+module "jellyfin" {
+  source              = "../modules/authentik-ldap"
+  app_name            = "Jellyfin"
+  app_slug            = "jellyfin"
+  base_dn             = "DC=ldap,DC=fukurokuju,DC=dev"
+  name                = "jellyfin"
+  app_url             = "https://jelly.roboces.dev"
+  app_icon            = "https://jelly.roboces.dev/web/touchicon.f5bbb798cb2c65908633.png"
+  app_access_group_id = authentik_group.arrs.id
+}
+
+module "tandoor" {
+  source              = "../modules/authentik-oidc"
+  app_name            = "Tandoor"
+  app_slug            = "tandoor"
+  app_access_group_id = ""
+  app_url             = "https://recipes.roboces.dev"
+  redirect_uris       = [{ matching_mode = "strict", url = "https://recipes.roboces.dev/accounts/oidc/authentik/login/callback/" }]
+  app_icon            = "https://recipes.roboces.dev/static/assets/logo_color_192.c9b9177ff941.png"
+  client_id           = var.tandoor_client_id
+  client_secret       = var.tandoor_client_secret
+}
+
+module "ganymede" {
+  source              = "../modules/authentik-oidc"
+  app_name            = "Ganymede"
+  app_slug            = "ganymede"
+  redirect_uris       = [{ matching_mode = "strict", url = "https://vods.roboces.dev/api/v1/auth/oauth/callback" }]
+  client_id           = var.ganymede_client_id
+  client_secret       = var.ganymede_client_secret
+  app_url             = "https://vods.roboces.dev"
+  app_icon            = "https://vods.roboces.dev/favicon.ico"
+  app_access_group_id = authentik_group.vods.id
+}
+
+module "jellyseerr" {
+  source              = "../modules/authentik-app"
+  app_name            = "Solicitudes Jelly"
+  app_slug            = "jellyseer"
+  app_url             = "https://requests.roboces.dev"
+  app_icon            = "https://requests.roboces.dev/os_icon.svg"
+  app_description     = "Solicita series, animes y pelis para ser añadidas automáticamente a Jellyfin"
+  app_access_group_id = authentik_group.arrs.id
+}
+
+module "pulse" {
+  source              = "../modules/authentik-oidc"
+  app_name            = "Pulse"
+  app_slug            = "pulse"
+  app_url             = "https://pulse.fukurokuju.dev"
+  client_id           = var.pulse_client_id
+  client_secret       = var.pulse_client_secret
+  app_icon            = "https://pulse.fukurokuju.dev/logo.svg"
+  redirect_uris       = [{ matching_mode = "strict", url = "https://pulse.fukurokuju.dev/api/oidc/callback" }]
+  app_access_group_id = authentik_group.admins.id
 }

tofu/authentik/sample.env

@@ -10,8 +10,11 @@ TF_VAR_paperless_client_id=
 TF_VAR_paperless_client_secret=
 TF_VAR_sftpgo_client_id=
 TF_VAR_sftpgo_client_secret=
-TF_VAR_netbird_client_id=
 TF_VAR_rustical_client_id=
 TF_VAR_rustical_client_secret=
-TF_VAR_mediamanager_client_id=
-TF_VAR_mediamanager_client_secret=
+TF_VAR_tandoor_client_id=
+TF_VAR_tandoor_client_secret=
+TF_VAR_ganymede_client_id=
+TF_VAR_ganymede_client_secret=
+TF_VAR_pulse_client_id=
+TF_VAR_pulse_client_secret=

tofu/authentik/vars.tf

@@ -39,12 +39,6 @@ variable "paperless_client_secret" {
   type        = string
 }
 
-variable "netbird_client_id" {
-  description = "Netbird client ID"
-  type        = string
-}
-
-
 variable "sftpgo_client_id" {
   description = "SFTPGo client ID"
   type        = string
@@ -61,16 +55,36 @@ variable "rustical_client_id" {
 }
 
 variable "rustical_client_secret" {
-  description = "Rustical client secret"
+  description = "Tandoor client secret"
   type        = string
 }
 
-variable "mediamanager_client_id" {
-  description = "MediaManager client ID"
+variable "tandoor_client_id" {
+  description = "Tandoor client ID"
   type        = string
 }
 
-variable "mediamanager_client_secret" {
-  description = "MediaManager client secret"
+variable "tandoor_client_secret" {
+  description = "Tandoor client secret"
+  type        = string
+}
+
+variable "ganymede_client_id" {
+  description = "Ganymede client ID"
+  type        = string
+}
+
+variable "ganymede_client_secret" {
+  description = "Ganymede client secret"
+  type        = string
+}
+
+variable "pulse_client_id" {
+  description = "Pulse client ID"
+  type        = string
+}
+
+variable "pulse_client_secret" {
+  description = "Pulse client secret"
   type        = string
 }

tofu/modules/authentik-app/main.tf

@@ -0,0 +1,26 @@
+terraform {
+  required_version = ">= 1.6"
+  required_providers {
+    authentik = {
+      source  = "goauthentik/authentik"
+      version = "2025.12.1"
+    }
+  }
+}
+
+resource "authentik_application" "app" {
+  name             = var.app_name
+  slug             = var.app_slug
+  open_in_new_tab  = var.open_in_new_tab
+  meta_icon        = var.app_icon
+  meta_description = var.app_description
+  meta_publisher   = var.app_publisher
+  meta_launch_url  = var.app_url
+}
+
+resource "authentik_policy_binding" "app_access" {
+  target = authentik_application.app.uuid
+  group  = var.app_access_group_id
+  order  = 0
+  count  = var.app_access_group_id != "" ? 1 : 0 # only add it if the group's name exists
+}

tofu/modules/authentik-app/vars.tf

@@ -0,0 +1,62 @@
+variable "app_name" {
+  description = "App name"
+  type        = string
+}
+
+variable "app_slug" {
+  description = "App slug, a human-readable URL identifier, e.g.: Google -> google"
+  type        = string
+}
+
+
+variable "client_type" {
+  type    = string
+  default = "confidential"
+
+  validation {
+    condition     = contains(["confidential", "public"], var.client_type)
+    error_message = "client_type must be 'confidential' or 'public'"
+  }
+}
+
+variable "app_access_group_id" {
+  description = "ID of a group which will have access to the app"
+  type        = string
+}
+
+variable "sub_mode" {
+  type    = string
+  default = "user_username"
+
+  validation {
+    condition     = contains(["user_id", "user_username", "hashed_user_id"], var.sub_mode)
+    error_message = "sub_mode must be 'user_id', 'user_username' or 'hashed_user_id'"
+  }
+}
+
+
+variable "open_in_new_tab" {
+  type        = bool
+  description = "Open apps in a new tab"
+  default     = true
+}
+
+variable "app_icon" {
+  type    = string
+  default = ""
+}
+
+variable "app_description" {
+  type    = string
+  default = ""
+}
+
+variable "app_publisher" {
+  type    = string
+  default = ""
+}
+
+variable "app_url" {
+  type    = string
+  default = ""
+}

tofu/modules/authentik-ldap/.terraform.lock.hcl

@@ -0,0 +1,37 @@
+# This file is maintained automatically by "tofu init".
+# Manual edits may be lost in future updates.
+
+provider "registry.opentofu.org/goauthentik/authentik" {
+  version     = "2025.12.1"
+  constraints = "2025.12.1"
+  hashes = [
+    "h1:+R2MRgaXvmR1l+nYxYJqMSuvA4VBzfBoh2Er6TnDRPE=",
+    "h1:1y5I173i8qvxp8GQHBBI/bxkr6YOqY4IqOiJWIUSeeM=",
+    "h1:XHaltkhuTgyFCCZgpay2orOgc0TyZf0KqrFHNfUgY20=",
+    "h1:XvFByv5e6fKSlayYaXpFD/JbTYZN1ybujVJJjny1Q18=",
+    "h1:ZU9d05CLVYBbmdB0IGiG9MueY4/fVo4D6FeyQtbeujA=",
+    "h1:doHtDOiEIgIUWlUUc9jC7Uqdhj1hsy3etvdYmegcUZM=",
+    "h1:hUgMx2B40ByfaMA4Al0h7xotp/pZxJJxZZa/HJb6NDc=",
+    "h1:kG5J46qkCdUWJp/1p8CLifqc7Fy54IDZEjYhpmWcars=",
+    "h1:lNx+bJr11tPJxpkL5aTdOkGwB41O2Kv8fvKuiMl/LLs=",
+    "h1:mSOL+FqSLNkWeXopegyK/MoCkMD/VmW9V3PHLaIePjU=",
+    "h1:oCKzPBsyaD1ENda7qbREG3DYV3Opu09ub+msk3vRCkw=",
+    "h1:p9AGeRqK50wTHEIp7z7O4MUP83cs+lt7wPajZ9m9TB8=",
+    "h1:tBoVWDOhByI7cg9TYAAw6LDdMmWLpa2LYwJzzcukdiA=",
+    "h1:zHQHXKmlGNYBaWLJ9SuXsJ7dbpsvhDJl5pJi+PFU+2w=",
+    "zh:0e856d3b13614bc32346a236a8e84ba55ecd17238c2008d4b3e71aa8cb49f515",
+    "zh:2dcc44cd499c18ebbc4f763eff97a7b725763c8ac8fbb5d69c935413ccdc4962",
+    "zh:434100fc75ec7cd6b64cc9497e8273e79325fa8d285e9fd9d341c1a67421643b",
+    "zh:483484f66d2e8ce6fa4bfd91e824ceebf07d10acb5df5f366397c55227c4ae91",
+    "zh:596743a6f1c77a6f103b06ef8d932fe8f2376793b92478853dc84571d17c429f",
+    "zh:5ed2d5eb7db13229baaf042c725d5c64b58ffdcc641370175e0a88900af94bf1",
+    "zh:8aecd4cf782c82bee01098f72fe4ffff83707516007b32a01c7fcb19a9260338",
+    "zh:928c05ecac309287ff7d73ed6e478350fe3003557658ae5dc2be817a4268dba7",
+    "zh:9b9fd36dfb3e75da8b4478485272505ae9a3c67b10db173e1d2d76cfe2b637b8",
+    "zh:ab7cd8c61ab67a045854e32f0be1940a92746770dbf3c17bbe923e0259c4f897",
+    "zh:bb1360ec19a4fc1095d0ef1b7b6c5c3c1a91daac7cd1957d43a4cdbb7356a2e3",
+    "zh:d2186f4063aa1a547b52a53745d472e43f5343bc1674f2bbb91421c61b0fab50",
+    "zh:d74bbb67a77951b18ffd7b2863954e70ac03450ad2023cc305c66a5ff25d8d18",
+    "zh:f5970569ea0a479bbfbf2d452f5962e1c9bd472b82756db822d0e951363daa25",
+  ]
+}

tofu/modules/authentik-ldap/main.tf

@@ -0,0 +1,45 @@
+terraform {
+  required_version = ">= 1.6"
+  required_providers {
+    authentik = {
+      source  = "goauthentik/authentik"
+      version = "2025.12.1"
+    }
+  }
+}
+
+
+data "authentik_flow" "default-authentication-flow" {
+  slug = "default-authentication-flow"
+}
+
+data "authentik_flow" "default-invalidation-flow" {
+  slug = "default-invalidation-flow"
+}
+
+
+resource "authentik_provider_ldap" "provider_ldap" {
+  base_dn     = var.base_dn
+  bind_flow   = data.authentik_flow.default-authentication-flow.id
+  name        = var.name
+  unbind_flow = data.authentik_flow.default-invalidation-flow.id
+}
+
+
+resource "authentik_application" "app" {
+  name              = var.app_name
+  slug              = var.app_slug
+  protocol_provider = authentik_provider_ldap.provider_ldap.id
+  open_in_new_tab   = var.open_in_new_tab
+  meta_icon         = var.app_icon
+  meta_description  = var.app_description
+  meta_publisher    = var.app_publisher
+  meta_launch_url   = var.app_url
+}
+
+resource "authentik_policy_binding" "app_access" {
+  target = authentik_application.app.uuid
+  group  = var.app_access_group_id
+  order  = 0
+  count  = var.app_access_group_id != "" ? 1 : 0 # only add it if the group's name exists
+}

tofu/modules/authentik-ldap/vars.tf

@@ -0,0 +1,52 @@
+variable "app_name" {
+  description = "App name"
+  type        = string
+}
+
+variable "app_slug" {
+  description = "App slug, a human-readable URL identifier, e.g.: Google -> google"
+  type        = string
+}
+
+
+variable "app_access_group_id" {
+  description = "ID of a group which will have access to the app"
+  type        = string
+}
+
+
+variable "open_in_new_tab" {
+  type        = bool
+  description = "Open apps in a new tab"
+  default     = true
+}
+
+variable "app_icon" {
+  type    = string
+  default = ""
+}
+
+variable "app_description" {
+  type    = string
+  default = ""
+}
+
+variable "app_publisher" {
+  type    = string
+  default = ""
+}
+variable "app_url" {
+  type    = string
+  default = ""
+}
+
+
+variable "base_dn" {
+  type        = string
+  description = "Base DN"
+}
+
+variable "name" {
+  type        = string
+  description = "Name"
+}

tofu/modules/authentik-oidc/main.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     authentik = {
       source  = "goauthentik/authentik"
-      version = "2025.10.0"
+      version = "2025.12.1"
     }
   }
 }

tofu/modules/authentik-proxy/main.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     authentik = {
       source  = "goauthentik/authentik"
-      version = "2025.10.0"
+      version = "2025.12.1"
     }
   }
 }