chore(deps): update helm release renovate to 46.142.*

.forgejo/workflows/ci.yaml

@@ -11,7 +11,7 @@ jobs:
       - uses: https://code.forgejo.org/actions/setup-python@v6
         with:
           python-version: '3.10'
-      - uses: opentofu/setup-opentofu@v1
+      - uses: opentofu/setup-opentofu@v2
         with:
           tofu_version: 1.7.0
       - uses: pre-commit/action@v3.0.1

.forgejo/workflows/deploy-tofu.yaml

@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - uses: https://code.forgejo.org/actions/checkout@v6
-      - uses: opentofu/setup-opentofu@v1
+      - uses: opentofu/setup-opentofu@v2
         with:
           tofu_version: 1.8.1
       - name: Deploy
@@ -41,7 +41,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - uses: https://code.forgejo.org/actions/checkout@v6
-      - uses: opentofu/setup-opentofu@v1
+      - uses: opentofu/setup-opentofu@v2
         with:
           tofu_version: 1.7.0
       - name: Deploy

.pre-commit-config.yaml

@@ -1,7 +1,7 @@
 ---
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v5.0.0
+    rev: v6.0.0
     hooks:
       - id: trailing-whitespace
       - id: end-of-file-fixer
@@ -15,18 +15,18 @@ repos:
       - id: trailing-whitespace
 
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.92.1
+    rev: v1.105.0
     hooks:
       - id: terraform_fmt
 
   - repo: https://github.com/adrienverge/yamllint.git
-    rev: v1.35.1
+    rev: v1.38.0
     hooks:
       - id: yamllint
         args: [--format, parsable, --strict]
 
   - repo: https://github.com/shellcheck-py/shellcheck-py
-    rev: v0.10.0.1
+    rev: v0.11.0.1
     hooks:
       - id: shellcheck
         files: \.sh

docker/forgejo-runner/docker-compose.yml

@@ -1,41 +0,0 @@
----
-x-runner-common: &runner-common
-  image: code.forgejo.org/forgejo/runner:12.6.4
-  links:
-    - docker-in-docker
-  depends_on:
-    docker-in-docker:
-      condition: service_started
-  user: 1001:1001
-  restart: unless-stopped
-  command: '/bin/sh -c "sleep 5; forgejo-runner daemon"'
-  environment:
-    DOCKER_HOST: tcp://docker-in-docker:2375
-
-networks:
-  forgejo:
-    external: false
-
-services:
-  docker-in-docker:
-    image: docker:dind
-    container_name: 'docker_dind'
-    privileged: true
-    command: ['dockerd', '-H', 'tcp://0.0.0.0:2375', '--tls=false']
-    restart: 'unless-stopped'
-
-  runner:
-    <<: *runner-common
-    container_name: 'runner'
-    volumes:
-      - ${FORGEJO_RUNNER_DATA:-/mnt/nas1/shared/forgejo-runner/data}:/data
-      - /etc/timezone:/etc/timezone:ro
-      - /etc/localtime:/etc/localtime:ro
-
-  runner-2:
-    <<: *runner-common
-    container_name: 'runner2'
-    volumes:
-      - ${FORGEJO_RUNNER_DATA:-/mnt/nas1/shared/forgejo-runner/data2}:/data
-      - /etc/timezone:/etc/timezone:ro
-      - /etc/localtime:/etc/localtime:ro

docker/ganymede/docker-compose.yml

@@ -2,7 +2,7 @@
 services:
   ganymede:
     container_name: ganymede
-    image: ghcr.io/zibbp/ganymede:4.14.0
+    image: ghcr.io/zibbp/ganymede:4.16.0
     restart: unless-stopped
     environment:
       DEBUG: ${GANYMEDE_DEBUG:-false}

docker/minecraft/docker-compose.yml

@@ -1,39 +0,0 @@
----
-services:
-  mc:
-    image: itzg/minecraft-server:java23-graalvm
-    restart: unless-stopped
-    tty: true
-    stdin_open: true
-    ports:
-      - "25565:25565"
-    environment:
-      EULA: "TRUE"
-      MEMORY: ${MEMORY:-"6G"}
-      TZ: "Europe/Madrid"
-      VERSION: 1.21.1
-      ENABLE_ROLLING_LOGS: true
-      USE_AIKAR_FLAGS: true
-      MOTD: "Huesoperrers Minecraft Episodio 3: La venganza de los huesos"
-      MAX_PLAYERS: 10
-      MAX_WORLD_SIZE: 10000
-      SEED: huesoperrers3
-      MODE: survival
-      ONLINE_MODE: false
-      ALLOW_FLIGHT: true
-      SERVER_NAME: Huesoperrers and co.
-      PLAYER_IDLE_TIMEOUT: 15
-      STOP_SERVER_ANNOUNCE_DELAY: 30
-      OPS: ${OPS:-robosap1ens,commandkatt,Malva25}
-      SYNCHRONIZE: true
-      MERGE: true
-      ENFORCE_WHITELIST: true
-      ENABLE_RCON: false
-      MAX_TICK_TIME: -1
-      USER_API_PROVIDER: ${USER_API_PROVIDER:-playerdb}
-      DIFFICULTY: ${DIFFICULTY:-normal}
-      ENABLE_AUTOPAUSE: true
-      DEBUG_AUTOPAUSE: false
-      TYPE: NEOFORGE
-    volumes:
-      - ${MC_DATA_DIR:-/mnt/zeruel/nas1/shared/mc3}:/data

docker/nextcloud/Dockerfile

@@ -1,61 +0,0 @@
-FROM nextcloud:32.0.3-apache
-
-
-RUN set -ex; \
-    \
-    apt-get update; \
-    apt-get install -y --no-install-recommends \
-        ffmpeg \
-        ghostscript \
-        libmagickcore-7.q16-10-extra \
-        procps \
-        smbclient \
-        supervisor \
-        libreoffice \
-    ; \
-    rm -rf /var/lib/apt/lists/*
-
-RUN set -ex; \
-    \
-    savedAptMark="$(apt-mark showmanual)"; \
-    \
-    apt-get update; \
-    apt-get install -y --no-install-recommends \
-        libbz2-dev \
-        #libc-client-dev \
-        libkrb5-dev \
-        libsmbclient-dev \
-    ; \
-    \
-    #docker-php-ext-configure imap --with-kerberos --with-imap-ssl; \
-    docker-php-ext-install \
-        bz2 \
-    #    imap \
-    ; \
-    pecl install smbclient; \
-    docker-php-ext-enable smbclient; \
-    \
-# reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies
-    apt-mark auto '.*' > /dev/null; \
-    apt-mark manual $savedAptMark; \
-    ldd "$(php -r 'echo ini_get("extension_dir");')"/*.so \
-        | awk '/=>/ { so = $(NF-1); if (index(so, "/usr/local/") == 1) { next }; gsub("^/(usr/)?", "", so); print so }' \
-        | sort -u \
-        | xargs -r dpkg-query --search \
-        | cut -d: -f1 \
-        | sort -u \
-        | xargs -rt apt-mark manual; \
-    \
-    apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
-    rm -rf /var/lib/apt/lists/*
-
-RUN mkdir -p \
-    /var/log/supervisord \
-    /var/run/supervisord \
-;
-
-COPY supervisord.conf /
-
-ENV NEXTCLOUD_UPDATE=1
-
-CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]

docker/nextcloud/docker-compose.yml

@@ -1,40 +0,0 @@
----
-services:
-  imaginary:
-    image: nextcloud/aio-imaginary:latest
-    cap_add:
-      - SYS_NICE
-    volumes:
-      - type: tmpfs
-        target: /tmp:exec
-    environment:
-      - TZ=Europe/Madrid
-    restart: unless-stopped
-    networks:
-      - nextcloud
-
-  nextcloud:
-    image: git.roboces.dev/catalin/fukuops:nextcloud-32.0.3
-    volumes:
-      - /mnt/nas1/legacy-storage/cloud/cloud/data:/var/www/html/data
-      - /mnt/nas1/legacy-storage/cloud/cloud/config:/var/www/html/config
-      - /mnt/nas1/legacy-storage/cloud/cloud/custom_apps:/var/www/html/custom_apps
-      - /mnt/nas1/legacy-storage/cloud/cloud/apps:/var/www/html/apps
-      - type: tmpfs
-        target: /tmp:exec
-      - supervisorlog:/var/log/supervisor:z
-      - supervisorpid:/var/run/supervisord/:z
-    environment:
-      PHP_MEMORY_LIMIT: ${PHP_MEMORY_LIMIT:-2048M}
-      NEXTCLOUD_INIT_HTACCESS: ${NEXTCLOUD_INIT_HTACCESS:-1}
-    restart: unless-stopped
-    ports:
-      - '8080:80'
-    networks:
-      - nextcloud
-
-networks:
-  nextcloud: {}
-volumes:
-  supervisorlog: {}
-  supervisorpid: {}

docker/nextcloud/supervisord.conf

@@ -1,22 +0,0 @@
-[supervisord]
-nodaemon=true
-logfile=/var/log/supervisord/supervisord.log
-pidfile=/var/run/supervisord/supervisord.pid
-childlogdir=/var/log/supervisord/
-logfile_maxbytes=50MB                           ; maximum size of logfile before rotation
-logfile_backups=10                              ; number of backed up logfiles
-loglevel=error
-
-[program:apache2]
-stdout_logfile=/dev/stdout
-stdout_logfile_maxbytes=0
-stderr_logfile=/dev/stderr
-stderr_logfile_maxbytes=0
-command=apache2-foreground
-
-[program:cron]
-stdout_logfile=/dev/stdout
-stdout_logfile_maxbytes=0
-stderr_logfile=/dev/stderr
-stderr_logfile_maxbytes=0
-command=/cron.sh

docker/oxicloud/docker-compose.yml

@@ -1,22 +0,0 @@
----
-services:
-  oxicloud:
-    image: git.roboces.dev/catalin/fukuops:oxicloud-0.5.2
-    restart: always
-    ports:
-      - "8086:8086"
-    environment:
-      OXICLOUD_DB_CONNECTION_STRING: ${OXICLOUD_DB_CONNECTION_STRING:-postgres://postgres:postgres@postgres/oxicloud}
-      OXICLOUD_OIDC_ENABLED: ${OXICLOUD_OIDC_ENABLED:-true}
-      OXICLOUD_OIDC_ISSUER_URL: ${OXICLOUD_OIDC_ISSUER_URL:-https://auth.fukurokuju.dev/application/o/ganymede/}
-      OXICLOUD_OIDC_CLIENT_ID: ${OXICLOUD_OIDC_CLIENT_ID}
-      OXICLOUD_OIDC_CLIENT_SECRET: ${OXICLOUD_OIDC_CLIENT_SECRET}
-      OXICLOUD_OIDC_REDIRECT_URI: ${OXICLOUD_OIDC_REDIRECT_URI:-https://cloud.roboces.dev/api/auth/oidc/callback}
-      OXICLOUD_OIDC_FRONTEND_URL: ${OXICLOUD_OIDC_FRONTEND_URL:-https://cloud.roboces.dev}
-      OXICLOUD_OIDC_ADMIN_GROUPS: ${OXICLOUD_OIDC_ADMIN_GROUPS:-""}
-      OXICLOUD_OIDC_SCOPES: ${OXICLOUD_OIDC_SCOPES:-offline_access openid profile email}
-      OXICLOUD_OIDC_PROVIDER_NAME: ${OXICLOUD_OIDC_PROVIDER_NAME:-Authentik}
-      OXICLOUD_OIDC_AUTO_PROVISION: ${OXICLOUD_OIDC_AUTO_PROVISION:-true}
-      RUST_LOG: debug
-    volumes:
-      - ${OXICLOUD_DATA_VOLUME:-/mnt/zeruel/nas1/shared/storage/data}:/app/storage

docker/oxicloud/sample.env

@@ -1,10 +0,0 @@
-OXICLOUD_DB_CONNECTION_STRING=
-OXICLOUD_OIDC_ENABLED=
-OXICLOUD_OIDC_ISSUER_URL=
-OXICLOUD_OIDC_CLIENT_ID=
-OXICLOUD_OIDC_CLIENT_SECRET=
-OXICLOUD_OIDC_REDIRECT_URI=
-OXICLOUD_OIDC_FRONTEND_URL=
-OXICLOUD_OIDC_ADMIN_GROUPS=""
-OXICLOUD_OIDC_PROVIDER_NAME=
-OXICLOUD_OIDC_SCOPES=offline_access openid profile email

docker/paperless/docker-compose.yml

@@ -14,7 +14,7 @@ services:
 
   webserver:
 
-    image: ghcr.io/paperless-ngx/paperless-ngx:2.20.10
+    image: ghcr.io/paperless-ngx/paperless-ngx:2.20.15
     restart: unless-stopped
     ports:
       - 8002:8000

docker/rustical/docker-compose.yml

@@ -1,7 +1,7 @@
 ---
 services:
   rustical:
-    image: ghcr.io/lennart-k/rustical:0.12.10
+    image: ghcr.io/lennart-k/rustical:0.12.12
     restart: unless-stopped
     ports:
       - '4000:4000'

docker/tailscale/docker-compose.yml

@@ -1,7 +1,7 @@
 ---
 services:
   tailscale:
-    image: tailscale/tailscale:v1.94.2
+    image: tailscale/tailscale:v1.96.5
     hostname: tailscale
     environment:
       TS_AUTHKEY: ${TS_AUTHKEY}

docker/tandoor/docker-compose.yml

@@ -1,21 +0,0 @@
----
-services:
-  web_recipes:
-    restart: always
-    image: vabene1111/recipes:2.5.3
-    volumes:
-      - ${TANDOOR_STATICFILES:-/mnt/nas1/shared/tandoor/staticfiles}:/opt/recipes/staticfiles
-      - ${TANDOOR_MEDIAFILES:-/mnt/nas1/shared/tandoor/mediafiles}:/opt/recipes/mediafiles
-    environment:
-      SECRET_KEY: ${TANDOOR_SECRET_KEY}
-      TZ: ${TANDOOR_TZ:-Europe/Madrid}
-      ALLOWED_HOSTS: ${TANDOOR_ALLOWED_HOSTS:-recipes.roboces.dev}
-      SOCIAL_PROVIDERS: ${TANDOOR_SOCIAL_PROVIDERS:-allauth.socialaccount.providers.openid_connect}
-      SOCIALACCOUNT_PROVIDERS: ${TANDOOR_SOCIALACCOUNT_PROVIDERS}
-      POSTGRES_HOST: ${TANDOOR_POSTGRES_HOST:-192.168.1.3}
-      POSTGRES_DB: ${TANDOOR_POSTGRES_DB:-tandoor}
-      POSTGRES_PORT: ${TANDOOR_POSTGRES_PORT:-5432}
-      POSTGRES_USER: ${TANDOOR_POSTGRES_USER}
-      POSTGRES_PASSWORD: ${TANDOOR_POSTGRES_PASSWORD}
-    ports:
-      - "8081:80"

docker/tandoor/sample.env

@@ -1,11 +0,0 @@
-TANDOOR_STATICFILES=
-TANDOOR_MEDIAFILES=
-TANDOOR_SECRET_KEY=
-TANDOOR_TZ=Europe/Madrid
-TANDOOR_ALLOWED_HOSTS=
-TANDOOR_SOCIALACCOUNT_PROVIDERS=
-TANDOOR_POSTGRES_HOST=
-TANDOOR_POSTGRES_DB=
-TANDOOR_POSTGRES_PORT=
-TANDOOR_POSTGRES_USER=
-TANDOOR_POSTGRES_PASSWORD=

docker/vaultwarden/docker-compose.yml

@@ -1,7 +1,7 @@
 ---
 services:
   vaultwarden:
-    image: vaultwarden/server:1.35.4-alpine
+    image: vaultwarden/server:1.36.0-alpine
     restart: unless-stopped
     environment:
       DATABASE_URL: ${DATABASE_URL}

k8s/argo-apps/elastic.yaml

@@ -1,46 +0,0 @@
----
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: elastic
-  namespace: argocd
-spec:
-  destination:
-    name: ''
-    namespace: apps-fuku
-    server: https://kubernetes.default.svc
-  sources:
-    - chart: elasticsearch
-      repoURL: registry-1.docker.io/bitnamicharts
-      targetRevision: 22.1.6
-      helm:
-        valuesObject:
-          service:
-            type: LoadBalancer
-          master:
-            persistence:
-              enabled: true
-              storageClass: truenas-nfs-csi
-              accessModes:
-                - ReadWriteMany
-              size: 50Gi
-          ingress:
-            enabled: true
-            hostname: elastic.fuku
-            tls: true
-            selfSigned: true
-            ingressClassName: traefik
-          data:
-            persistence:
-              enabled: true
-              storageClass: truenas-nfs-csi
-              accessModes:
-                - ReadWriteMany
-              size: 50Gi
-            autoscaling:
-              enabled: true
-              maxReplicas: 3
-              minReplicas: 1
-  project: fuku
-  syncPolicy:
-    automated: {}

k8s/argo-apps/forgejo.yaml

@@ -14,10 +14,10 @@ spec:
   sources:
     - chart: forgejo
       repoURL: code.forgejo.org/forgejo-helm
-      targetRevision: 16.2.0
+      targetRevision: 17.0.1
       helm:
         valuesObject:
-          replicaCount: 2
+          replicaCount: 1
           service:
             http:
               type: LoadBalancer
@@ -49,15 +49,8 @@ spec:
               serviceMonitor:
                 enabled: true
             config:
-              indexer:
-                ISSUE_INDEXER_CONN_STR: http://elastic-elasticsearch.apps-fuku.svc.cluster.local:9200
-                ISSUE_INDEXER_ENABLED: true
-                ISSUE_INDEXER_TYPE: elasticsearch
-                REPO_INDEXER_ENABLED: false
-                REPO_INDEXER_TYPE: elasticsearch
               actions:
-                ENABLED: true
+                ENABLED: false
-                DEFAULT_ACTIONS_URL: https://github.com
               picture:
                 DISABLE_GRAVATAR: false
                 ENABLE_FEDERATED_AVATAR: true
@@ -106,9 +99,6 @@ spec:
             enabled: false
           redis-cluster:
             enabled: false
-    - path: k8s/services/forgejo
-      repoURL: https://git.roboces.dev/catalin/fukuops.git
-      targetRevision: main
   project: roboces
   syncPolicy:
     automated: {}

k8s/argo-apps/meili.yaml

@@ -18,13 +18,13 @@ spec:
       targetRevision: main
     - chart: meilisearch
       repoURL: https://meilisearch.github.io/meilisearch-kubernetes
-      targetRevision: 0.27.*
+      targetRevision: 0.32.*
       helm:
         valuesObject:
           environment:
             MEILI_ENV: production
           auth:
-            existingMasterKeySecret: meilisearch-master-key
+            existingMasterKeySecret: meili
           service:
             type: NodePort
             port: 7700

k8s/argo-apps/oxicloud.yaml

@@ -0,0 +1,54 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: oxicloud
+  namespace: argocd
+spec:
+  destination:
+    name: ''
+    namespace: apps-roboces
+    server: https://kubernetes.default.svc
+  sources:
+    - path: k8s/charts/oxicloud
+      repoURL: https://git.roboces.dev/catalin/fukuops.git
+      targetRevision: main
+      helm:
+        valuesObject:
+          image:
+            repository: diocrafts/oxicloud
+            pullPolicy: Always
+            tag: "0.5.6"
+          persistence:
+            enabled: true
+            storageClass: "truenas-nfs-csi"
+            accessMode: ReadWriteMany
+            size: 50Gi
+          service:
+            type: LoadBalancer
+          config:
+            server:
+              port: 8086
+              host: "0.0.0.0"
+              baseUrl: "https://cloud.roboces.dev"
+            features:
+              enableAuth: "true"
+              enableSharing: "true"
+            mimalloc:
+              purgeDelay: "0"
+              allowLargeOsPages: "0"
+          secrets:
+            existingSecret: oxicloud
+          wopi:
+            enabled: false
+          ingress:
+            className: "traefik"
+            hosts:
+              - host: cloud.roboces.dev
+                paths:
+                  - path: /
+                    pathType: ImplementationSpecific
+            tls: []
+  project: roboces
+  syncPolicy:
+    automated: {}

k8s/argo-apps/portainer.yaml

@@ -15,7 +15,7 @@ spec:
   sources:
     - repoURL: https://portainer.github.io/k8s/
       chart: portainer
-      targetRevision: 239.0.*
+      targetRevision: 239.1.*
       helm:
         valuesObject:
           service:

k8s/argo-apps/renovate.yaml

@@ -13,7 +13,7 @@ spec:
   sources:
     - chart: renovate
       repoURL: https://docs.renovatebot.com/helm-charts
-      targetRevision: 46.58.*
+      targetRevision: 46.142.*
       helm:
         valuesObject:
           renovate:

k8s/argo-apps/vault-sm.yaml

@@ -2,7 +2,7 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: vaultwarden-secrets-manager
+  name: vault-sm
   namespace: argocd
 spec:
   destination:
@@ -12,7 +12,7 @@ spec:
   sources:
     - chart: vaultwarden-kubernetes-secrets
       repoURL: ghcr.io/antoniolago/charts
-      targetRevision: 1.2.8
+      targetRevision: 1.4.01
       helm:
         valuesObject:
           api:

k8s/argo-apps/woodpecker.yaml

@@ -0,0 +1,57 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: woodpecker
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: Force=true,Replace=true
+spec:
+  destination:
+    name: ''
+    namespace: apps-roboces
+    server: https://kubernetes.default.svc
+  sources:
+    - chart: woodpecker
+      repoURL: ghcr.io/woodpecker-ci/helm
+      targetRevision: 3.5.1
+      helm:
+        valuesObject:
+          agent:
+            persistence:
+              storageClass: truenas-nfs-csi
+              accessModes:
+                - ReadWriteMany
+          server:
+            env:
+              WOODPECKER_ADMIN: 'woodpecker,admin,catalin'
+              WOODPECKER_HOST: 'https://ci.roboces.dev'
+              WOODPECKER_FORGEJO: "true"
+              WOODPECKER_FORGEJO_URL: "https://git.roboces.dev"
+              WOODPECKER_FORGEJO_CLIENT:
+                valueFrom:
+                  secretKeyRef:
+                    name: woodpecker
+                    key: WOODPECKER_FORGEJO_CLIENT
+              WOODPECKER_FORGEJO_SECRET:
+                valueFrom:
+                  secretKeyRef:
+                    name: woodpecker
+                    key: WOODPECKER_FORGEJO_SECRET
+            persistentVolume:
+              storageClass: truenas-nfs-csi
+              accessModes:
+                - ReadWriteMany
+            service:
+              type: LoadBalancer
+            ingress:
+              enabled: true
+              ingressClassName: traefik
+              hosts:
+                - host: ci.roboces.dev
+                  paths:
+                    - path: /
+              tls: []
+  project: roboces
+  syncPolicy:
+    automated: {}

k8s/charts/miniflux/Chart.yaml

@@ -3,4 +3,4 @@ name: miniflux
 description: A Helm chart for Miniflux RSS reader
 type: application
 version: 0.1.0
-appVersion: "2.2.17"
+appVersion: "2.2.18"

k8s/charts/oxicloud/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

k8s/charts/oxicloud/Chart.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: v2
+name: oxicloud
+description: |
+  Ultra-fast, secure & lightweight self-hosted cloud storage — your files, photos, calendars & contacts, all in one place. Built in Rust.
+type: application
+version: 0.1.0
+appVersion: "0.5.2"

k8s/charts/oxicloud/templates/_helpers.tpl

@@ -0,0 +1,32 @@
+{{/* Expand the name of the chart. */}}
+{{- define "oxicloud.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/* Create a default fully qualified app name. */}}
+{{- define "oxicloud.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/* Common labels */}}
+{{- define "oxicloud.labels" -}}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{ include "oxicloud.selectorLabels" . }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/* Selector labels */}}
+{{- define "oxicloud.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "oxicloud.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}

k8s/charts/oxicloud/templates/configmap.yaml

@@ -0,0 +1,22 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "oxicloud.fullname" . }}-config
+data:
+  OXICLOUD_SERVER_PORT: {{ .Values.config.server.port | quote }}
+  OXICLOUD_SERVER_HOST: {{ .Values.config.server.host | quote }}
+  {{- if .Values.config.server.baseUrl }}
+  OXICLOUD_BASE_URL: {{ .Values.config.server.baseUrl | quote }}
+  {{- end }}
+  OXICLOUD_ENABLE_AUTH: {{ .Values.config.features.enableAuth | quote }}
+  OXICLOUD_ENABLE_FILE_SHARING: {{ .Values.config.features.enableSharing | quote }}
+  MIMALLOC_PURGE_DELAY: {{ .Values.config.mimalloc.purgeDelay | quote }}
+  MIMALLOC_ALLOW_LARGE_OS_PAGES: {{ .Values.config.mimalloc.allowLargeOsPages | quote }}
+
+  {{- if .Values.wopi.enabled }}
+  OXICLOUD_WOPI_ENABLED: "true"
+  OXICLOUD_WOPI_DISCOVERY_URL: "{{ .Values.config.server.baseUrl }}/hosting/discovery"
+  {{- else }}
+  OXICLOUD_WOPI_ENABLED: "false"
+  {{- end }}

k8s/charts/oxicloud/templates/ingress.yaml

@@ -0,0 +1,64 @@
+---
+{{- if .Values.ingress.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ include "oxicloud.fullname" . }}
+  labels:
+    {{- include "oxicloud.labels" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if .Values.ingress.className }}
+  ingressClassName: {{ .Values.ingress.className }}
+  {{- end }}
+  {{- if .Values.ingress.tls }}
+  tls:
+    {{- range .Values.ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  rules:
+    - host: {{ (index .Values.ingress.hosts 0).host | quote }}
+      http:
+        paths:
+          {{- if .Values.wopi.enabled }}
+          # Route Collabora traffic to the WOPI pod
+          - path: /browser
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ include "oxicloud.fullname" $ }}-wopi
+                port:
+                  number: {{ .Values.wopi.collabora.service.port }}
+          - path: /hosting
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ include "oxicloud.fullname" $ }}-wopi
+                port:
+                  number: {{ .Values.wopi.collabora.service.port }}
+          - path: /cool
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ include "oxicloud.fullname" $ }}-wopi
+                port:
+                  number: {{ .Values.wopi.collabora.service.port }}
+          {{- end }}
+
+          # Default Catch-All: Route everything else to OxiCloud
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ include "oxicloud.fullname" $ }}
+                port:
+                  number: {{ $.Values.service.port }}
+{{- end }}

k8s/charts/oxicloud/templates/secret.yaml

@@ -0,0 +1,19 @@
+---
+{{- if not .Values.secrets.existingSecret }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "oxicloud.fullname" . }}-secret
+  labels:
+    {{- include "oxicloud.labels" . | nindent 4 }}
+type: Opaque
+data:
+  {{- if .Values.secrets.jwtSecret }}
+  OXICLOUD_JWT_SECRET: {{ .Values.secrets.jwtSecret | b64enc | quote }}
+  {{- end }}
+  DB_PASSWORD: {{ .Values.database.password | b64enc | quote }}
+  {{- if .Values.wopi.enabled }}
+  WOPI_ADMIN_USERNAME: {{ .Values.wopi.collabora.admin.username | b64enc | quote }}
+  WOPI_ADMIN_PASSWORD: {{ .Values.wopi.collabora.admin.password | b64enc | quote }}
+  {{- end }}
+{{- end }}

k8s/charts/oxicloud/templates/service.yaml

@@ -0,0 +1,32 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "oxicloud.fullname" . }}
+  labels:
+    {{- include "oxicloud.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "oxicloud.selectorLabels" . | nindent 4 }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "oxicloud.fullname" . }}-headless
+  labels:
+    {{- include "oxicloud.labels" . | nindent 4 }}
+spec:
+  clusterIP: None
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "oxicloud.selectorLabels" . | nindent 4 }}

k8s/charts/oxicloud/templates/statefulset.yaml

@@ -0,0 +1,53 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: {{ include "oxicloud.fullname" . }}
+  labels:
+    {{- include "oxicloud.labels" . | nindent 4 }}
+spec:
+  serviceName: {{ include "oxicloud.fullname" . }}-headless
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "oxicloud.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "oxicloud.selectorLabels" . | nindent 8 }}
+    spec:
+      containers:
+        - name: oxicloud
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: 8086
+              protocol: TCP
+          envFrom:
+            - configMapRef:
+                name: {{ include "oxicloud.fullname" . }}-config
+            - secretRef:
+                name: {{ if .Values.secrets.existingSecret }}{{ .Values.secrets.existingSecret }}{{ else }}{{ include "oxicloud.fullname" . }}-secret{{ end }}
+          volumeMounts:
+            - name: storage-data
+              mountPath: /app/storage
+      {{- if not .Values.persistence.enabled }}
+      volumes:
+        - name: storage-data
+          emptyDir: {}
+      {{- end }}
+
+  {{- if .Values.persistence.enabled }}
+  volumeClaimTemplates:
+    - metadata:
+        name: storage-data
+      spec:
+        accessModes:
+          - {{ .Values.persistence.accessMode }}
+        {{- if .Values.persistence.storageClass }}
+        storageClassName: {{ .Values.persistence.storageClass }}
+        {{- end }}
+        resources:
+          requests:
+            storage: {{ .Values.persistence.size }}
+  {{- end }}

k8s/charts/oxicloud/templates/wopi-deployment.yaml

@@ -0,0 +1,58 @@
+---
+{{- if .Values.wopi.enabled -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "oxicloud.fullname" . }}-wopi
+  labels:
+    {{- include "oxicloud.labels" . | nindent 4 }}
+    app.kubernetes.io/component: wopi
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      {{- include "oxicloud.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/component: wopi
+  template:
+    metadata:
+      labels:
+        {{- include "oxicloud.selectorLabels" . | nindent 8 }}
+        app.kubernetes.io/component: wopi
+    spec:
+      containers:
+        - name: collabora
+          image: "{{ .Values.wopi.collabora.image.repository }}:{{ .Values.wopi.collabora.image.tag }}"
+          imagePullPolicy: {{ .Values.wopi.collabora.image.pullPolicy }}
+          # Required for Collabora to build chroot jails
+          securityContext:
+            capabilities:
+              add:
+                - MKNOD
+          ports:
+            - name: wopi
+              containerPort: 9980
+              protocol: TCP
+          env:
+            - name: aliasgroup1
+              value: "http://{{ .Values.wopi.collabora.domain }}"
+            - name: server_name
+              value: {{ .Values.wopi.collabora.domain | quote }}
+            - name: extra_params
+              value: {{ .Values.wopi.collabora.extraParams | quote }}
+            - name: username
+              valueFrom:
+                secretKeyRef:
+                  name: {{ if .Values.secrets.existingSecret }}{{ .Values.secrets.existingSecret }}{{ else }}{{ include "oxicloud.fullname" . }}-secret{{ end }}
+                  key: WOPI_ADMIN_USERNAME
+            - name: password
+              valueFrom:
+                secretKeyRef:
+                  name: {{ if .Values.secrets.existingSecret }}{{ .Values.secrets.existingSecret }}{{ else }}{{ include "oxicloud.fullname" . }}-secret{{ end }}
+                  key: WOPI_ADMIN_PASSWORD
+          readinessProbe:
+            httpGet:
+              path: /hosting/discovery
+              port: wopi
+            initialDelaySeconds: 10
+            periodSeconds: 10
+{{- end }}

k8s/charts/oxicloud/templates/wopi-service.yaml

@@ -0,0 +1,20 @@
+---
+{{- if .Values.wopi.enabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "oxicloud.fullname" . }}-wopi
+  labels:
+    {{- include "oxicloud.labels" . | nindent 4 }}
+    app.kubernetes.io/component: wopi
+spec:
+  type: ClusterIP
+  ports:
+    - port: {{ .Values.wopi.collabora.service.port }}
+      targetPort: wopi
+      protocol: TCP
+      name: wopi
+  selector:
+    {{- include "oxicloud.selectorLabels" . | nindent 4 }}
+    app.kubernetes.io/component: wopi
+{{- end }}

k8s/charts/oxicloud/values.yaml

@@ -0,0 +1,67 @@
+---
+replicaCount: 1
+
+image:
+  repository: oxicloud
+  pullPolicy: IfNotPresent
+  tag: "latest"
+
+database:
+  host: "postgres.example.com"
+  port: 5432
+  username: "postgres"
+  password: "change_me_in_production"
+  name: "oxicloud"
+
+config:
+  server:
+    port: 8086
+    host: "0.0.0.0"
+    baseUrl: "https://cloud.example.com"
+  features:
+    enableAuth: "true"
+    enableSharing: "true"
+  mimalloc:
+    purgeDelay: "0"
+    allowLargeOsPages: "0"
+
+persistence:
+  enabled: true
+  storageClass: ""
+  accessMode: ReadWriteOnce
+  size: 50Gi
+
+wopi:
+  enabled: true
+  collabora:
+    url: "cloud.example.com"
+    image:
+      repository: collabora/code
+      tag: latest
+      pullPolicy: IfNotPresent
+    service:
+      port: 9980
+    admin:
+      username: admin
+      password: "wopi_admin_password"
+    extraParams: "--o:ssl.enable=false --o:ssl.termination=false --o:net.frame_ancestors=http://* https://*"
+
+secrets:
+  existingSecret: ""
+  jwtSecret: ""
+  oidcClientSecret: ""
+
+service:
+  type: ClusterIP
+  port: 8086
+
+ingress:
+  enabled: true
+  className: "traefik"
+  annotations: {}
+  hosts:
+    - host: cloud.example.com
+      paths:
+        - path: /
+          pathType: ImplementationSpecific
+  tls: []

k8s/services/argo/project-fuku.yaml

@@ -25,7 +25,6 @@ spec:
         - https://charts.crystalnet.org
         - https://portainer.github.io/k8s/
         - https://docs.renovatebot.com/helm-charts
-        - registry-1.docker.io/bitnamicharts
         - https://meilisearch.github.io/meilisearch-kubernetes
         - https://kubetail-org.github.io/helm-charts/
         - https://groundhog2k.github.io/helm-charts/
@@ -34,3 +33,4 @@ spec:
         - https://helm.runix.net
         - https://rcourtman.github.io/Pulse
         - ghcr.io/antoniolago/charts
+        - https://helm.elastic.co

k8s/services/argo/project-roboces.yaml

@@ -8,8 +8,11 @@ spec:
   destinations:
     - namespace: apps-roboces
       server: https://kubernetes.default.svc
+    - namespace: woodpecker
+      server: https://kubernetes.default.svc
   sourceRepos:
     - https://git.roboces.dev/catalin/fukuops.git
     - code.forgejo.org/forgejo-helm
     - https://git.roboces.dev/catalin/huesoporro.git
     - https://gitlab.com/api/v4/projects/64552889/packages/helm/release
+    - ghcr.io/woodpecker-ci/helm

k8s/services/factorio/sealedsecrets.yaml

@@ -1,18 +0,0 @@
----
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-    creationTimestamp:
-    name: secrets-factorio
-    namespace: apps-fuku
-spec:
-    encryptedData:
-        game_password: AgCmUZilQTlqof5so2DyvjbCh3J8OAkz4lSQv++z+9XUz4/+KjwgEjP5SI9nf2WVfIHt7WiJN8oaPlYnm2XIdbBUrvKlTEuMAy2XeI8DE2+wKHXdbmLg7t3oZR/8kw3py9W3o4dlXp5XY2G4S3cG8TX0fkN58ni61mYv+zSvc6stcT/iveJqO5E+hXPcDSexzxQ/8DybS4D5g8W3N2OMhRoU0wwhYfXAuxN90BzFKgD6X/9Xy1c7pPQQkEidpA6l1uP5qIG/vChmIpqsOmQWbibGQn53el5ulPvaybx1wRu33eJJcSPRS+XthZv9dtwduFlboMT6QPWcVL5gSQ0ceCBidQIHGLRLxcHYPZz83miCeVYFY1xFegrwPBsXYEdfar5mufxgSQGtSHGzwEV0Ry+tcmjz9JqWpQBQVg10Bs0GYwvy/XGHi1BLCouAXXL//eVbGp1s9cl4uyN9Ymzt5zNrf/SvUweFsaCYrC6xVFA2CCsLbsyu/YbmKkO+cd1IwAle4luGmJHnZgrXKMwQFYoMTGsgEGYt87Itz7eOSmHEm/ZJwZ3oL6n0LGgHpJu1gb4Op0ZA9p44DKeg2fy5Go9rWeMOP0RIw8/SApE6QmT0Bw8QccddnTHhwuCLet2PoiUodKhFffTfGN6PGPeIcyQJpiEDxUI7nquWSNGTcMJDsR3LbzU6A8MpDQrrg5Az6YzyZOo7NLEMbitKLrqt9lfH5g7g  # yamllint disable rule:line-length
-        password: AgCTY4hn/wTGipH9oX7SgS44PE6wEe34AB2Pz9IeB5KcISZVGgWAUMtcffexV31jcNwz5TrztNam22Ys7qYbsZZVNOWm27/KZP3U04Jrq1cIPhY+xE1xF3vMqCd54r+kaeMO4hlDhBlE7Hs6BHdURTpPz8ocqihT2bft+Q8p2Myf3vPHXcDwoUyQj/AFYJdJJhyVfD5NDdacFhOmPTB/tUE4AW1Rz9oND6sy0x7NaP44vswVbhREpMA9wkltJRugRKUwXdfC6kOrfKa1R88aNOwkqc22F1U1PhcqUSAMYQxOA+zz3xMjrP8o70V1/FBKxnTBYVIpdHuwl2RpvC/TewJYVEu1xzp3texfgkTn6XXMp9InxfA6y1wpSVpMPYK5zPRCnmuyPTdSd+DrD6C6y2rstrHvvHxnLPtqo5REVjkfTGkEilmQ1+SllPMPk/6hKivahdmORixoI2MtOz4k4d+7rdPrrsRscMHAheyJTNdKC3wGoKFqbm+0zFV3GFaxM65K0USlYhPwyKG3FlHGj0t8HmXOr+M2cQKd4vqIrq8betRp08YPGMOT0Ea1KIvoP3z4yiJg2Z64d8d0Brof/h4fFd4kKgfMYm/CvkNh5zjFzEYi+K/6G/G99RBxwl7kK3eMB6CiuOnLITCw/Ok/LiRcdnIcAe7yobHG6FWHas4KPL5t4dPTxo12catoWtuJG7L20AIl3171+gO3jS0e4zAvZ+7S  # yamllint disable rule:line-length
-        token: AgByS4w6xSn0/FzWkgNazh7hyZjKTTmg9WtQ3oyKQUVF6FYg+qvPYYLuNu7rTwQOa4LGw3Cvf/yYT0+WU93BjfNCSVMfes1lE2dQzukK4+zEeDhZ4MSpBOBgYYwHJkrFyHpvVSAQkaPi40T0M8iJmFv+Oq1s8zRWmx84LMllaJuRGH/t9jMfmR3rF6JBcSmEmkmB7N8cD+ytPPtZKXGJXaWE0qvuNKNveqirLRt7E+B7z7yvhroaEHahHEseOQnJ6dKY83KzH1riHBTUNOVcI62hSkiYEbbZXAzxznxMKDs04w/BpOksTeg3OWD/RzwuRdX5M2zb3wrrqbF9r9yoLUbWBMS2bdUbUyLiqvfzKUWKAd8eZsS4+P8N5fbPrLgXmB+xRz5xiCQ+r/ZL4Nj9pfuSZMDKytIglldB6BT5gtnodiaCgAPrtLz2OMtBvvojpWOaaBbYWxbrnMhCG2YYU7Kd4UFXEttL/MVs7YkZow12AIngKqzz7vXo3K2iwRYoi2CjOwv3NeXSWk9LdTrTxs00iO8RT55wbAcg9HiNkYZFtrI+6sygvnHhDmNhYG0z7yHCpx13KIjoFEtVEcx2F9bbMftxBmZoOFaGtBhFSgH323CLGoFecdhv41cH9F5HHzpc13Pc5dShm6ZPgWrWG88w0Q4WIT6hiXlriSnd9xw0At4kl7wRBqusZgwDVTBCFbtKS6Gg9msBZnZzADI/aeljY3QXGg2YT/2Ra2c3quY=  # yamllint disable rule:line-length
-    template:  # yamllint disable rule:line-length
-        metadata:
-            creationTimestamp:
-            name: secrets-factorio
-            namespace: apps-fuku
-        type: Opaque

k8s/services/meili/sealedsecrets.yaml

@@ -1,16 +0,0 @@
-# yamllint disable rule:line-length
----
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  creationTimestamp: null
-  name: meilisearch-master-key
-  namespace: apps-fuku
-spec:
-  encryptedData:
-    MEILI_MASTER_KEY: AgBcQDv79lsUJF09YTd+zsuC9Ufhgs74mk5sxIrgaAQW/5yBupPgIsZw+g33qDqejuG+hfdhvkTOFHYetNuEDjnPWEpySjMLiB6N/HXMSuPimbOSjhHP3d7jgnWnIluUPs3RsvxDzaHCygVsS2a5ul7+qJGbiQTlmcV/rMVkqiw95mxwswkZhWi1Da1QYPgjRkazbCV0JAVhYYoo7VBnxceyGOS7Um5BsdyDMmXCn0qegU2FDlXTcBBur48hlyRqie/DxyZi3Yx/yiOnVH7g7H41H6hLJpKhQTMQbnohAqUC2UZZJlwrc8b/3kisFw/pxBP7S47hn9iseQcw18mXs6SzlXbhWm+CyNsKEvuXJAMVlaCrOCqs8Kf8ZlraCJYYq8mx+zoA7yAHnRdC4uByR5SGwnXJgq4WJD3wx90NuVbTcJfpQ+bNMPpRS8W+66S9j+rBVk6YcqCqL62JPSf0I9ZKCrNJrtbx5WyxbcVAgZdd2oxxXq6fG4I/wvqn/LN7nAqDwaCjU0395R+vM89o24h8pMTNOUhY1Dqxh0rKQOnTACc12kmhwQucdtjwkFzM7PJxW8d8GGdvgPoIxe27sguUMvn6IFo8h0JmGrbAyDEeR113s/gwQm9ozM9KJXXyImfiRJCcDSlny0rTNWZaGonXuSezFuhcSazepd0v85ofHgIflQQjMfLUNz1b9+ci4SbnpoJwzlrY2d6SyJSIA7Bz223j9UcRgDvRvIz3
-  template:
-    metadata:
-      creationTimestamp: null
-      name: meilisearch-master-key
-      namespace: apps-fuku

scripts/k3scale.sh

@@ -0,0 +1,162 @@
+#!/usr/bin/env bash
+
+
+usage() {
+    cat <<EOF
+Usage: $(basename "$0") REPLICAS [RESOURCE...] [OPTIONS]
+
+Scale up or down one or several deployments/statefulsets.
+
+Arguments:
+  REPLICAS        Number of replicas to scale to
+  RESOURCE        Resource to scale in "namespace/name" format, or just "name"
+                  (uses current context namespace). Can be specified multiple times.
+
+Commands:
+  --all           Scale all deployments and statefulsets in the namespace
+  --all-namespaces
+                  Scale all deployments and statefulsets across all namespaces
+
+Options:
+  -h, --help      Show this help message
+  -n, --namespace NAMESPACE
+                  Namespace to use (default: current context namespace)
+  --dry-run       Print what would be scaled without making changes
+  -v              Pass -v to kubectl (minimal output)
+  -vv             Pass -vv to kubectl (more output)
+  -vvv            Pass -vvv to kubectl (debug output)
+
+Examples:
+  $(basename "$0") 1 mynamespace/mydeployment
+  $(basename "$0") 1 mynamespace/mydeployment mydeployment2
+  $(basename "$0") 1 --all
+  $(basename "$0") 1 --all --namespace mynamespace
+  $(basename "$0") 0 --all-namespaces --dry-run
+EOF
+}
+
+KUBECTL_V=""
+NAMESPACE=""
+DRY_RUN=false
+REPLICAS=""
+RESOURCES=()
+ALL=false
+ALL_NAMESPACES=false
+
+while [[ $# -gt 0 ]]; do
+    case "$1" in
+        -h|--help)
+            usage
+            exit 0
+            ;;
+        -n|--namespace)
+            NAMESPACE="$2"
+            shift 2
+            ;;
+        --dry-run)
+            DRY_RUN=true
+            shift
+            ;;
+        -v|-vv|-vvv)
+            KUBECTL_V="$1"
+            shift
+            ;;
+        --all)
+            ALL=true
+            shift
+            ;;
+        --all-namespaces)
+            ALL_NAMESPACES=true
+            shift
+            ;;
+        -*)
+            echo "Error: Unknown option: $1" >&2
+            usage >&2
+            exit 1
+            ;;
+        *)
+            if [[ -z "$REPLICAS" ]]; then
+                REPLICAS="$1"
+            else
+                RESOURCES+=("$1")
+            fi
+            shift
+            ;;
+    esac
+done
+
+if [[ -z "$REPLICAS" ]]; then
+    echo "Error: REPLICAS is required" >&2
+    usage >&2
+    exit 1
+fi
+
+if [[ "$ALL" == false && "$ALL_NAMESPACES" == false && ${#RESOURCES[@]} -eq 0 ]]; then
+    echo "Error: Must specify --all, --all-namespaces, or at least one RESOURCE" >&2
+    usage >&2
+    exit 1
+fi
+
+NAMESPACE_ARG=()
+if [[ -n "$NAMESPACE" ]]; then
+    NAMESPACE_ARG=("-n" "$NAMESPACE")
+fi
+
+DRY_RUN_ARG=()
+if [[ "$DRY_RUN" == true ]]; then
+    DRY_RUN_ARG=("--dry-run=client")
+fi
+
+KUBECTL_BASE=(kubectl)
+if [[ -n "$KUBECTL_V" ]]; then
+    KUBECTL_BASE+=( "$KUBECTL_V" )
+fi
+KUBECTL_BASE+=( "${NAMESPACE_ARG[@]}" )
+KUBECTL_BASE+=( "${DRY_RUN_ARG[@]}" )
+
+scale_resource() {
+    local resource="$1"
+    local ns name
+
+    if [[ "$resource" == */* ]]; then
+        ns="${resource%%/*}"
+        name="${resource#*/}"
+    else
+        ns="${NAMESPACE:-$(kubectl "${NAMESPACE_ARG[@]}" config view --minify --output jsonpath='{.contexts[0].context.namespace}' 2>/dev/null || echo "default")}"
+        name="$resource"
+    fi
+
+    for kind in deployment statefulset; do
+        if "${KUBECTL_BASE[@]}" get "$kind" "$name" -n "$ns" &>/dev/null; then
+            echo "Scaling $kind/$ns/$name to $REPLICAS replicas${DRY_RUN:+ (dry-run)}"
+            "${KUBECTL_BASE[@]}" scale "$kind" "$name" -n "$ns" --replicas="$REPLICAS"
+            return 0
+        fi
+    done
+
+    echo "Error: Resource '$resource' not found as deployment or statefulset" >&2
+    return 1
+}
+
+get_resources() {
+    local ns_flag=()
+    if [[ "$ALL_NAMESPACES" == true ]]; then
+        ns_flag=("--all-namespaces")
+    elif [[ -n "$NAMESPACE" ]]; then
+        ns_flag=("-n" "$NAMESPACE")
+    fi
+
+    "${KUBECTL_BASE[@]}" get "${ns_flag[@]}" deployment,statefulset -o jsonpath='{range .items[*]}{.metadata.namespace}/{.kind}/{.metadata.name}{"\n"}{end}' 2>/dev/null | while IFS=/ read -r ns kind name; do
+        echo "$ns/$name"
+    done
+}
+
+if [[ "$ALL" == true || "$ALL_NAMESPACES" == true ]]; then
+    while IFS= read -r resource; do
+        [[ -n "$resource" ]] && scale_resource "$resource"
+    done < <(get_resources)
+else
+    for resource in "${RESOURCES[@]}"; do
+        scale_resource "$resource"
+    done
+fi

scripts/update-argo.sh

@@ -0,0 +1,129 @@
+#!/usr/bin/env bash
+
+check_kubectl() {
+    if ! command -v kubectl &>/dev/null; then
+        echo "Error: kubectl is not installed or not in PATH" >&2
+        exit 1
+    fi
+    log_info "kubectl found at $(command -v kubectl)"
+}
+
+VERBOSE=0
+
+log_debug() { [[ $VERBOSE -ge 3 ]] && echo "[DEBUG] $*" || true; }
+log_verbose() { [[ $VERBOSE -ge 2 ]] && echo "[VERBOSE] $*" || true; }
+log_info() { [[ $VERBOSE -ge 1 ]] && echo "[INFO] $*" || true; }
+log_error() { echo "[ERROR] $*" >&2; }
+
+usage() {
+    cat <<EOF
+Usage: $(basename "$0") [OPTIONS] [VERSION]
+
+Upgrade ArgoCD to a new version. Requires an existing ArgoCD installation.
+
+Examples:
+  $(basename "$0")                # queries the current argo version and tries to update to the immediate newest version
+  $(basename "$0") v4.3.0        # incrementally update to target version
+
+Options:
+  -h, --help      Show this help message
+  --dry-run       Show what would be done without making changes
+  -v              Verbose output (info level)
+  -vv             More verbose output (info + verbose level)
+  -vvv            Debug output (all log levels)
+EOF
+}
+
+DRY_RUN=false
+
+while [[ $# -gt 0 ]]; do
+    case "$1" in
+        -h|--help)
+            usage
+            exit 0
+            ;;
+        --dry-run)
+            DRY_RUN=true
+            shift
+            ;;
+        -v|-vv|-vvv)
+            case "$1" in
+                -v)   VERBOSE=1 ;;
+                -vv)  VERBOSE=2 ;;
+                -vvv) VERBOSE=3 ;;
+            esac
+            shift
+            ;;
+        -*)
+            echo "Error: Unknown option: $1" >&2
+            usage >&2
+            exit 1
+            ;;
+        *)
+            TARGET_VERSION="$1"
+            shift
+            ;;
+    esac
+done
+
+log_debug "Script started with target version: ${TARGET_VERSION:-auto}"
+
+check_kubectl
+
+log_info "Checking current kubectl context"
+CURRENT_CONTEXT=$(kubectl config current-context 2>/dev/null)
+log_verbose "Current context: $CURRENT_CONTEXT"
+
+log_info "Checking for ArgoCD installation"
+if ! kubectl get ns argocd &>/dev/null; then
+    log_error "ArgoCD namespace not found. This script only upgrades existing installations."
+    exit 1
+fi
+log_verbose "ArgoCD namespace found"
+
+log_info "Checking current ArgoCD version"
+CURRENT_VERSION=$(kubectl get deployment argocd-server -n argocd -o jsonpath='{.spec.template.spec.containers[0].image}' 2>/dev/null)
+if [[ -n "$CURRENT_VERSION" ]]; then
+    CURRENT_VERSION=$(echo "$CURRENT_VERSION" | sed 's/.*argocd:v\?//' | tr -d ' \n')
+    if [[ -n "$CURRENT_VERSION" ]]; then
+        CURRENT_VERSION="${CURRENT_VERSION#v}"
+        log_verbose "Current ArgoCD version: $CURRENT_VERSION"
+    else
+        log_error "Could not extract ArgoCD version from image: $CURRENT_VERSION"
+        exit 1
+    fi
+fi
+
+if [[ -z "$TARGET_VERSION" ]]; then
+    log_info "No target version specified, querying for latest version"
+    log_verbose "Fetching latest release from GitHub"
+    LATEST_VERSION=$(curl -s https://api.github.com/repos/argoproj/argo-cd/releases/latest | grep -oP '"tag_name":\s*"\K[^"]+' | sed 's/^v//')
+    if [[ -n "$LATEST_VERSION" ]]; then
+        log_verbose "Latest version available: $LATEST_VERSION"
+        TARGET_VERSION="$LATEST_VERSION"
+    else
+        echo "Error: Could not fetch latest version" >&2
+        exit 1
+    fi
+fi
+
+log_info "Target version: $TARGET_VERSION"
+
+log_debug "Determining update path from $CURRENT_VERSION to $TARGET_VERSION"
+
+log_info "Applying ArgoCD manifests"
+log_verbose "Downloading manifest from https://raw.githubusercontent.com/argoproj/argo-cd/v${TARGET_VERSION}/manifests/install.yaml"
+curl -sLO "https://raw.githubusercontent.com/argoproj/argo-cd/v${TARGET_VERSION}/manifests/install.yaml"
+
+log_debug "Applying manifest with kubectl"
+if [[ "$DRY_RUN" == true ]]; then
+    log_verbose "Dry-run mode: would apply manifest"
+    kubectl apply -n argocd -f install.yaml --dry-run=client
+else
+    kubectl apply -n argocd -f install.yaml
+fi
+
+log_verbose "Cleaning up downloaded manifest"
+rm -f install.yaml
+
+log_info "Update to ArgoCD $TARGET_VERSION initiated"

tofu/adguard/.terraform.lock.hcl

@@ -2,37 +2,35 @@
 # Manual edits may be lost in future updates.
 
 provider "registry.opentofu.org/gmichels/adguard" {
-  version     = "1.6.2"
+  version     = "1.7.0"
-  constraints = "1.6.2"
+  constraints = "1.7.0"
   hashes = [
-    "h1:4rfmv0e8MoRPw+CTZBxTlPZbOSvPnIIt8kwVIIRIqbc=",
+    "h1:1vvJ6KcLUR8U2BHNtj7tMsgEsGXzTKMIFsHfcZYEVyc=",
-    "h1:FUOYxkRfDHxiAlTKpvfZpNpRdCkq7Gs9JcZjLWo+guM=",
+    "h1:5BDrsrU/Sdain/+KkhbNzxVL81rh69wG4iKOIBf9qys=",
-    "h1:FewdC+pt/Z8XC1M5M49D74MYnMzVjwVoAcnonmbxhwA=",
+    "h1:70gWtux/jVZQgsDjr8+j0aRHKkGZqRWCmzoX9ddC7f4=",
-    "h1:RAXQ/T7oF42hDSuXH7hH85uj8QmHRS+ArP5pO4ILslc=",
+    "h1:Qdqipgukxph9vqXiEKVzFSgXfEmGiGw1JrrQvwJOtco=",
-    "h1:a5SEI5KSX0cENGjd+IrxMj4l0Cr5GWvTP8Ng3cJaLTg=",
+    "h1:QveIrziFNxu+Go7pl7qjH5tqPOb8pgzfTdunVgsJ3vg=",
-    "h1:gNdYW6qM5jJTA2M9BHzVtuCTSmY2Fi/r08A/duZR8Yg=",
+    "h1:UrJdOlCLAWC7/I2Co02RtOKT3tSGb8TwOgJ7s0sOtCo=",
-    "h1:gnBusJUhlOSxn2JG5V0N3aHWAcTtMLcSjRSMKm8+6S4=",
+    "h1:W6nZfQzWb3Ds1JRytBqzsZoNBa6x4OOe9J87f1nyCRA=",
-    "h1:hwB3SSfBITtOIggACNkdTnA8hG2AzYaFgG3WJny3290=",
+    "h1:c3RK8fSEr2yfPySC0WemOC/CR3608Ra4vFwGhvdrswg=",
-    "h1:iGjswHan6q6vYBTxR+WFBCUwCN7jmg7mAvFnv4P3/m8=",
+    "h1:jizPinVWDQUN6rKwiBgRm7PcgUJe4AWlCWghgH0v7xI=",
-    "h1:mBxI5srrplxBHZLuXfEVZzwph3mCl9SQv0e9nR2GhQ4=",
+    "h1:lb9gv3IiUZDA4P/kpuvOqZmidWMIbpG+sUecM1QclNo=",
-    "h1:o3CYF1B/kMBktAn1cWJuqW84VqZkM5K3A1BPw6v5fnA=",
+    "h1:sRIMccvZq71/CxTknprnRozCChEZSq4Nmt+M+DOjTq8=",
-    "h1:sX4l50R6dzuHdQJFBfGDY6lZc4bCGKjxkKRtoKmx/1g=",
+    "h1:uOdtIfvNVEHheucpt51bSCYtX2W1LKELlOkBTbjBm6o=",
-    "h1:shVeqrDxxOvnsD//ryu7IoxwPsGb+6FeLmum3szd/mU=",
+    "h1:woGvhSgZDFj5+yH5uHonXSIn6AaeZekb3t9oXMZB/DQ=",
-    "h1:wY3pI9C3lEZ9nZRIqky5cqfwLm+u7Wi/9HBVCo4o9/M=",
+    "zh:0b83aa1ade1a6f7c9b1af0488dad43bf00e733d1517463d4bee51c17612546da",
-    "zh:0337224a2b6418ba38cedf7f2cef9b154f51db4791b03d6b5745cb26f60614d2",
+    "zh:15d784c16545efaf6c368b642995bb0d0ef61b6961e67b072430d445ef6c02fc",
-    "zh:09addda402962c46cd236ae1703ba9632f377897e8d321678cf0e4428a5071f7",
+    "zh:1c4da4d20c98795fee1ac0cd9ffd880a68f06992d6fe849342c4b19f79c8aff9",
-    "zh:1f7b511933d6ca8fbdcd5bb50bba910e88b73fee57ae2922e01f18470350929e",
+    "zh:41afcdcc5236fa40a0b7ec614cb830ef03d45f8f1b8988d24d80ec999ef34b9b",
-    "zh:2bd2a45c4cddd19b2a55d6d658184df25f002e0b7a929da48b5086922ae846d6",
+    "zh:4c8e832a5a842420b5163eb5eb2bd7d460ece524efc618bdba64e4f4a2d403b5",
-    "zh:30ed44fd468132273029302fc16de4e76a1f10b816862e2e5dfca545e5b67f70",
+    "zh:58e19d2f9e4bd9f2a13b631c3213157ea80ef3aa7b3b8edcd8fb341f9c06c5e5",
-    "zh:3f73e37f6410509f7811db77b53f6e332c24344ad800a1d56bcf6af2a706d998",
+    "zh:7380ca4d053255f787ded10c26b19ebd23d3563ddbb36d0be66bb2cef293d27d",
-    "zh:5215dbeb6edbe0e7fae238580bb649745824d3744cc0d3b407244383ddeefd96",
+    "zh:7b21589bb31084bb68b2deb96bd4130b8b13c1c71614704d13d4cbdfc583f3c7",
-    "zh:543a6b4d814607884791306ae661a1d3475af90785712fb6c94e2b616f75afba",
+    "zh:82aee49172286676cdccbc97b809b84acf3edeb164ae77cafa837118ee3769a6",
-    "zh:8402d7a2d501ff0c9fe2216bf80f6bc133f0277cc3f184d3d37f4628b778f18b",
+    "zh:95431a266520cce112474616c27c80f0017625ef7d80aaf69118360222d7974b",
-    "zh:894ac1fce4fd92c66684d64d41356d5d02ebcf3a68e4ae1150314732f9ac384f",
+    "zh:a6dc4b60beafc471d049b856df4bf793838b1e8b2079efe4a12ebf6fbd482098",
-    "zh:ad547c8c8413de6886cf563129b117a0aab79b9841e7486e58a639c74eeacc12",
+    "zh:d9c5c35be3ae54a52fb444b61e442445e74df6a4ab5bc4884b0f5d55eacc4ced",
-    "zh:b9d69a6f99256cbd741ddc881f8665eec6e51ee1a4b99918ae8e9bdcf73cf31d",
+    "zh:f6bd2db5d9a178c9b5b020e505affc245a0ceaa8e662f37ad9743d65e1153322",
-    "zh:d254d2dae145dbe5435be32b821198d9d5dca81fb67e06499eb8a8bd78a34ba5",
-    "zh:df327c22ba4437fa5e879ae70ce8330363a4e6f320711e7bd2ac249db3a3a551",
     "zh:f809ab383cca0a5f83072981c64208cbd7fa67e986a86ee02dd2c82333221e32",
   ]
 }

tofu/adguard/main.tf

@@ -9,7 +9,7 @@ terraform {
   required_providers {
     adguard = {
       source  = "gmichels/adguard"
-      version = "1.6.2"
+      version = "1.7.0"
     }
   }
 }

tofu/authentik/.terraform.lock.hcl

@@ -2,36 +2,34 @@
 # Manual edits may be lost in future updates.
 
 provider "registry.opentofu.org/goauthentik/authentik" {
-  version     = "2025.12.1"
+  version     = "2026.2.0"
-  constraints = "2025.12.1"
+  constraints = "2026.2.0"
   hashes = [
-    "h1:+R2MRgaXvmR1l+nYxYJqMSuvA4VBzfBoh2Er6TnDRPE=",
+    "h1:/y7//ItB3vYvtDzSgrd7eY4QHGQ7b2G/rF/rtXdvUiY=",
-    "h1:1y5I173i8qvxp8GQHBBI/bxkr6YOqY4IqOiJWIUSeeM=",
+    "h1:2MTCDpaUJ9AAckFf+lfhq5VNkl4/e1is7XIHfjFX20U=",
-    "h1:XHaltkhuTgyFCCZgpay2orOgc0TyZf0KqrFHNfUgY20=",
+    "h1:EECfgcbT6h+ppgQ3x06iQZSheZ4vJ6NVwXGYGzyuQQ4=",
-    "h1:XvFByv5e6fKSlayYaXpFD/JbTYZN1ybujVJJjny1Q18=",
+    "h1:Hg5gBZc/mPbMwH3r5AVbDycUFoeh1LlHtAvVKsnruTY=",
-    "h1:ZU9d05CLVYBbmdB0IGiG9MueY4/fVo4D6FeyQtbeujA=",
+    "h1:J9+XlKbvc8x99ZV779XH0swZhsJo+Zcrh7UCK5pKQKY=",
-    "h1:doHtDOiEIgIUWlUUc9jC7Uqdhj1hsy3etvdYmegcUZM=",
+    "h1:On3/Zzv3W72aGsJ4AhW/tnpi4hvq9cxwgf7tF6Tg+a4=",
-    "h1:hUgMx2B40ByfaMA4Al0h7xotp/pZxJJxZZa/HJb6NDc=",
+    "h1:imSeB1o2GiuyBKsK6prOkOT7dQVDK42TaxGWAb+wEvg=",
-    "h1:kG5J46qkCdUWJp/1p8CLifqc7Fy54IDZEjYhpmWcars=",
+    "h1:jpOkyfrzbb/LBCdW/0R2Ag+X9bRw6X1/2BRMoImfgQ8=",
-    "h1:lNx+bJr11tPJxpkL5aTdOkGwB41O2Kv8fvKuiMl/LLs=",
+    "h1:pT8YP3VDxKxhT1X+UXmjN78C+8NNb3fIANWNjR0xRX4=",
-    "h1:mSOL+FqSLNkWeXopegyK/MoCkMD/VmW9V3PHLaIePjU=",
+    "h1:pum2uBRNDUjPeP9aYszm+6GU+K7tZIpbbLrsN39l8iw=",
-    "h1:oCKzPBsyaD1ENda7qbREG3DYV3Opu09ub+msk3vRCkw=",
+    "h1:qYcmNSTHIU6XefHE11SmywKqgp84B6n2Fzwdj/8dRN8=",
-    "h1:p9AGeRqK50wTHEIp7z7O4MUP83cs+lt7wPajZ9m9TB8=",
+    "h1:zH1hHNBUvxXZBzxyQa6OPjDAlZyr3rA7LqwTVVZDW9s=",
-    "h1:tBoVWDOhByI7cg9TYAAw6LDdMmWLpa2LYwJzzcukdiA=",
+    "h1:zacZCsqLyCstv+qE+VhFvwCIGLQEdNBsMIM7r9umUSQ=",
-    "h1:zHQHXKmlGNYBaWLJ9SuXsJ7dbpsvhDJl5pJi+PFU+2w=",
+    "zh:00c44e8ee842e75de9cc4fd6193b10258d1dc840e5be4aaaf118ffc180dceee0",
-    "zh:0e856d3b13614bc32346a236a8e84ba55ecd17238c2008d4b3e71aa8cb49f515",
+    "zh:13057f08bce3b63613e1be3997dd454ff9568c569dd983987b1550280fbe3d01",
-    "zh:2dcc44cd499c18ebbc4f763eff97a7b725763c8ac8fbb5d69c935413ccdc4962",
+    "zh:410a1ff2ae4647cc0ab37894f81e4d474b588a0a7f005d05d55e8c3a40978dd2",
-    "zh:434100fc75ec7cd6b64cc9497e8273e79325fa8d285e9fd9d341c1a67421643b",
+    "zh:43830834d12b3c0eeabe397842f82ca3a6b58a5bc8dd837d55b821419b55ed61",
-    "zh:483484f66d2e8ce6fa4bfd91e824ceebf07d10acb5df5f366397c55227c4ae91",
+    "zh:56eaedd196ed7c4003cee0434b891b38242b4fde2031978d0ddcfdf6e16ee5ad",
-    "zh:596743a6f1c77a6f103b06ef8d932fe8f2376793b92478853dc84571d17c429f",
+    "zh:5b3c10bb63c3c215ed9e0918e5808b240e3f2ee8248d10cd4d824a4998a213c5",
-    "zh:5ed2d5eb7db13229baaf042c725d5c64b58ffdcc641370175e0a88900af94bf1",
+    "zh:99c14891bcb92a6b21ef4c0e60f6c0df23e3452808f3eefd67cde78d132c80d9",
-    "zh:8aecd4cf782c82bee01098f72fe4ffff83707516007b32a01c7fcb19a9260338",
+    "zh:9a32cdda9f939f8484e27d4200d004c44f016fe97579a111201083f4beea78e8",
-    "zh:928c05ecac309287ff7d73ed6e478350fe3003557658ae5dc2be817a4268dba7",
+    "zh:ae5086816144f68de9a0002e7696321169a71473f9d161793f4ae996388f56de",
-    "zh:9b9fd36dfb3e75da8b4478485272505ae9a3c67b10db173e1d2d76cfe2b637b8",
+    "zh:bd09409dd34608a4ef3ea80cfc5e397268e7872f2e84c1ccdc9b5698e36ddad5",
-    "zh:ab7cd8c61ab67a045854e32f0be1940a92746770dbf3c17bbe923e0259c4f897",
+    "zh:be7af8b9eb61b0eb5053f14360e5a68caeb32c115efe8e1b583f2e7c91352a2a",
-    "zh:bb1360ec19a4fc1095d0ef1b7b6c5c3c1a91daac7cd1957d43a4cdbb7356a2e3",
+    "zh:e11726812a1b2caf6b6784a3d074d1f50e3d406e9629c02096a001e5a5979331",
-    "zh:d2186f4063aa1a547b52a53745d472e43f5343bc1674f2bbb91421c61b0fab50",
+    "zh:e39183d10d8158ccab51208f4f727c7419b1b1e596f4feb23dc42aebb36d01e3",
-    "zh:d74bbb67a77951b18ffd7b2863954e70ac03450ad2023cc305c66a5ff25d8d18",
-    "zh:f5970569ea0a479bbfbf2d452f5962e1c9bd472b82756db822d0e951363daa25",
   ]
 }

tofu/authentik/main.tf

@@ -8,7 +8,7 @@ terraform {
   required_providers {
     authentik = {
       source  = "goauthentik/authentik"
-      version = "2025.12.1"
+      version = "2026.2.0"
     }
   }
 }
@@ -37,6 +37,11 @@ resource "authentik_group" "arrs" {
   is_superuser = false
 }
 
+resource "authentik_group" "cloud" {
+  name         = "cloud"
+  is_superuser = false
+}
+
 module "gitea" {
   source              = "../modules/authentik-oidc"
   app_name            = "Gitea"
@@ -187,17 +192,6 @@ module "jellyfin" {
   app_access_group_id = authentik_group.arrs.id
 }
 
-module "tandoor" {
-  source              = "../modules/authentik-oidc"
-  app_name            = "Tandoor"
-  app_slug            = "tandoor"
-  app_access_group_id = ""
-  app_url             = "https://recipes.roboces.dev"
-  redirect_uris       = [{ matching_mode = "strict", url = "https://recipes.roboces.dev/accounts/oidc/authentik/login/callback/" }]
-  app_icon            = "https://recipes.roboces.dev/static/assets/logo_color_192.c9b9177ff941.png"
-  client_id           = var.tandoor_client_id
-  client_secret       = var.tandoor_client_secret
-}
 
 module "ganymede" {
   source              = "../modules/authentik-oidc"
@@ -221,18 +215,6 @@ module "jellyseerr" {
   app_access_group_id = authentik_group.arrs.id
 }
 
-module "pulse" {
-  source              = "../modules/authentik-oidc"
-  app_name            = "Pulse"
-  app_slug            = "pulse"
-  app_url             = "https://pulse.fukurokuju.dev"
-  client_id           = var.pulse_client_id
-  client_secret       = var.pulse_client_secret
-  app_icon            = "https://pulse.fukurokuju.dev/logo.svg"
-  redirect_uris       = [{ matching_mode = "strict", url = "https://pulse.fukurokuju.dev/api/oidc/callback" }]
-  app_access_group_id = authentik_group.admins.id
-}
-
 module "cloud" {
   source        = "../modules/authentik-oidc"
   app_name      = "Cloud"
@@ -244,5 +226,5 @@ module "cloud" {
   redirect_uris = [{
     matching_mode = "strict", url = "https://cloud.roboces.dev/api/auth/oidc/callback"
   }]
-  app_access_group_id = ""
+  app_access_group_id = authentik_group.cloud.id
 }

tofu/authentik/sample.env

@@ -8,15 +8,9 @@ TF_VAR_portainer_client_id=
 TF_VAR_portainer_client_secret=
 TF_VAR_paperless_client_id=
 TF_VAR_paperless_client_secret=
-TF_VAR_sftpgo_client_id=
-TF_VAR_sftpgo_client_secret=
 TF_VAR_rustical_client_id=
 TF_VAR_rustical_client_secret=
-TF_VAR_tandoor_client_id=
-TF_VAR_tandoor_client_secret=
 TF_VAR_ganymede_client_id=
 TF_VAR_ganymede_client_secret=
-TF_VAR_pulse_client_id=
-TF_VAR_pulse_client_secret=
 TF_VAR_oxicloud_client_id=aef61f77326b813cf8d8ba71d1ac994b5642685ca37e4710ab0079e91d87702d55fd9775d473b05aff45603bf08e78dba26850af3a815f3c3ac171d163368aa0
 TF_VAR_oxicloud_client_secret=a4038df17c9fd06f86372aeaaae8f3fd1374d8978983af7b398d948ef15d1efe522a1faa2fc7652bc410c516d96cd2e4211dad4e05ba6297bdd8d9090460d5fc

tofu/authentik/vars.tf

@@ -39,15 +39,6 @@ variable "paperless_client_secret" {
   type        = string
 }
 
-variable "sftpgo_client_id" {
-  description = "SFTPGo client ID"
-  type        = string
-}
-
-variable "sftpgo_client_secret" {
-  description = "SFTPGo client secret"
-  type        = string
-}
 
 variable "rustical_client_id" {
   description = "Rustical client ID"
@@ -59,15 +50,6 @@ variable "rustical_client_secret" {
   type        = string
 }
 
-variable "tandoor_client_id" {
-  description = "Tandoor client ID"
-  type        = string
-}
-
-variable "tandoor_client_secret" {
-  description = "Tandoor client secret"
-  type        = string
-}
 
 variable "ganymede_client_id" {
   description = "Ganymede client ID"
@@ -79,16 +61,6 @@ variable "ganymede_client_secret" {
   type        = string
 }
 
-variable "pulse_client_id" {
-  description = "Pulse client ID"
-  type        = string
-}
-
-variable "pulse_client_secret" {
-  description = "Pulse client secret"
-  type        = string
-}
-
 variable "oxicloud_client_id" {
   description = "Oxicloud client ID"
   type        = string

tofu/modules/authentik-app/main.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     authentik = {
       source  = "goauthentik/authentik"
-      version = "2025.12.1"
+      version = "2026.2.0"
     }
   }
 }

tofu/modules/authentik-ldap/.terraform.lock.hcl

@@ -2,36 +2,34 @@
 # Manual edits may be lost in future updates.
 
 provider "registry.opentofu.org/goauthentik/authentik" {
-  version     = "2025.12.1"
+  version     = "2026.2.0"
-  constraints = "2025.12.1"
+  constraints = "2026.2.0"
   hashes = [
-    "h1:+R2MRgaXvmR1l+nYxYJqMSuvA4VBzfBoh2Er6TnDRPE=",
+    "h1:/y7//ItB3vYvtDzSgrd7eY4QHGQ7b2G/rF/rtXdvUiY=",
-    "h1:1y5I173i8qvxp8GQHBBI/bxkr6YOqY4IqOiJWIUSeeM=",
+    "h1:2MTCDpaUJ9AAckFf+lfhq5VNkl4/e1is7XIHfjFX20U=",
-    "h1:XHaltkhuTgyFCCZgpay2orOgc0TyZf0KqrFHNfUgY20=",
+    "h1:EECfgcbT6h+ppgQ3x06iQZSheZ4vJ6NVwXGYGzyuQQ4=",
-    "h1:XvFByv5e6fKSlayYaXpFD/JbTYZN1ybujVJJjny1Q18=",
+    "h1:Hg5gBZc/mPbMwH3r5AVbDycUFoeh1LlHtAvVKsnruTY=",
-    "h1:ZU9d05CLVYBbmdB0IGiG9MueY4/fVo4D6FeyQtbeujA=",
+    "h1:J9+XlKbvc8x99ZV779XH0swZhsJo+Zcrh7UCK5pKQKY=",
-    "h1:doHtDOiEIgIUWlUUc9jC7Uqdhj1hsy3etvdYmegcUZM=",
+    "h1:On3/Zzv3W72aGsJ4AhW/tnpi4hvq9cxwgf7tF6Tg+a4=",
-    "h1:hUgMx2B40ByfaMA4Al0h7xotp/pZxJJxZZa/HJb6NDc=",
+    "h1:imSeB1o2GiuyBKsK6prOkOT7dQVDK42TaxGWAb+wEvg=",
-    "h1:kG5J46qkCdUWJp/1p8CLifqc7Fy54IDZEjYhpmWcars=",
+    "h1:jpOkyfrzbb/LBCdW/0R2Ag+X9bRw6X1/2BRMoImfgQ8=",
-    "h1:lNx+bJr11tPJxpkL5aTdOkGwB41O2Kv8fvKuiMl/LLs=",
+    "h1:pT8YP3VDxKxhT1X+UXmjN78C+8NNb3fIANWNjR0xRX4=",
-    "h1:mSOL+FqSLNkWeXopegyK/MoCkMD/VmW9V3PHLaIePjU=",
+    "h1:pum2uBRNDUjPeP9aYszm+6GU+K7tZIpbbLrsN39l8iw=",
-    "h1:oCKzPBsyaD1ENda7qbREG3DYV3Opu09ub+msk3vRCkw=",
+    "h1:qYcmNSTHIU6XefHE11SmywKqgp84B6n2Fzwdj/8dRN8=",
-    "h1:p9AGeRqK50wTHEIp7z7O4MUP83cs+lt7wPajZ9m9TB8=",
+    "h1:zH1hHNBUvxXZBzxyQa6OPjDAlZyr3rA7LqwTVVZDW9s=",
-    "h1:tBoVWDOhByI7cg9TYAAw6LDdMmWLpa2LYwJzzcukdiA=",
+    "h1:zacZCsqLyCstv+qE+VhFvwCIGLQEdNBsMIM7r9umUSQ=",
-    "h1:zHQHXKmlGNYBaWLJ9SuXsJ7dbpsvhDJl5pJi+PFU+2w=",
+    "zh:00c44e8ee842e75de9cc4fd6193b10258d1dc840e5be4aaaf118ffc180dceee0",
-    "zh:0e856d3b13614bc32346a236a8e84ba55ecd17238c2008d4b3e71aa8cb49f515",
+    "zh:13057f08bce3b63613e1be3997dd454ff9568c569dd983987b1550280fbe3d01",
-    "zh:2dcc44cd499c18ebbc4f763eff97a7b725763c8ac8fbb5d69c935413ccdc4962",
+    "zh:410a1ff2ae4647cc0ab37894f81e4d474b588a0a7f005d05d55e8c3a40978dd2",
-    "zh:434100fc75ec7cd6b64cc9497e8273e79325fa8d285e9fd9d341c1a67421643b",
+    "zh:43830834d12b3c0eeabe397842f82ca3a6b58a5bc8dd837d55b821419b55ed61",
-    "zh:483484f66d2e8ce6fa4bfd91e824ceebf07d10acb5df5f366397c55227c4ae91",
+    "zh:56eaedd196ed7c4003cee0434b891b38242b4fde2031978d0ddcfdf6e16ee5ad",
-    "zh:596743a6f1c77a6f103b06ef8d932fe8f2376793b92478853dc84571d17c429f",
+    "zh:5b3c10bb63c3c215ed9e0918e5808b240e3f2ee8248d10cd4d824a4998a213c5",
-    "zh:5ed2d5eb7db13229baaf042c725d5c64b58ffdcc641370175e0a88900af94bf1",
+    "zh:99c14891bcb92a6b21ef4c0e60f6c0df23e3452808f3eefd67cde78d132c80d9",
-    "zh:8aecd4cf782c82bee01098f72fe4ffff83707516007b32a01c7fcb19a9260338",
+    "zh:9a32cdda9f939f8484e27d4200d004c44f016fe97579a111201083f4beea78e8",
-    "zh:928c05ecac309287ff7d73ed6e478350fe3003557658ae5dc2be817a4268dba7",
+    "zh:ae5086816144f68de9a0002e7696321169a71473f9d161793f4ae996388f56de",
-    "zh:9b9fd36dfb3e75da8b4478485272505ae9a3c67b10db173e1d2d76cfe2b637b8",
+    "zh:bd09409dd34608a4ef3ea80cfc5e397268e7872f2e84c1ccdc9b5698e36ddad5",
-    "zh:ab7cd8c61ab67a045854e32f0be1940a92746770dbf3c17bbe923e0259c4f897",
+    "zh:be7af8b9eb61b0eb5053f14360e5a68caeb32c115efe8e1b583f2e7c91352a2a",
-    "zh:bb1360ec19a4fc1095d0ef1b7b6c5c3c1a91daac7cd1957d43a4cdbb7356a2e3",
+    "zh:e11726812a1b2caf6b6784a3d074d1f50e3d406e9629c02096a001e5a5979331",
-    "zh:d2186f4063aa1a547b52a53745d472e43f5343bc1674f2bbb91421c61b0fab50",
+    "zh:e39183d10d8158ccab51208f4f727c7419b1b1e596f4feb23dc42aebb36d01e3",
-    "zh:d74bbb67a77951b18ffd7b2863954e70ac03450ad2023cc305c66a5ff25d8d18",
-    "zh:f5970569ea0a479bbfbf2d452f5962e1c9bd472b82756db822d0e951363daa25",
   ]
 }

tofu/modules/authentik-ldap/main.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     authentik = {
       source  = "goauthentik/authentik"
-      version = "2025.12.1"
+      version = "2026.2.0"
     }
   }
 }

tofu/modules/authentik-oidc/main.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     authentik = {
       source  = "goauthentik/authentik"
-      version = "2025.12.1"
+      version = "2026.2.0"
     }
   }
 }

tofu/modules/authentik-proxy/main.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     authentik = {
       source  = "goauthentik/authentik"
-      version = "2025.12.1"
+      version = "2026.2.0"
     }
   }
 }