wip

.forgejo/workflows/ci.yaml

@@ -1,40 +0,0 @@
----
-name: checks
-on:  # yamllint disable-line rule:truthy
-  - 'push'
-
-jobs:
-  pre-commit:
-    runs-on: ubuntu-22.04
-    steps:
-      - uses: https://code.forgejo.org/actions/checkout@v6
-      - uses: https://code.forgejo.org/actions/setup-python@v6
-        with:
-          python-version: '3.10'
-      - uses: opentofu/setup-opentofu@v2
-        with:
-          tofu_version: 1.7.0
-      - uses: pre-commit/action@v3.0.1
-
-  k8s:
-    runs-on: ubuntu-22.04
-    steps:
-      - uses: https://code.forgejo.org/actions/checkout@v6
-      - name: Set up Kubeconform
-        uses: bmuschko/setup-kubeconform@v1
-
-      - name: Validate manifests
-        run: make lint--kubeconform
-
-
-  tflint:
-    runs-on: ubuntu-22.04
-    steps:
-      - uses: https://code.forgejo.org/actions/checkout@v6
-      - uses: terraform-linters/setup-tflint@v6
-        name: Setup TFLint
-        with:
-          tflint_version: v0.50.3
-
-      - name: Run TFLint
-        run: make lint--tflint

.forgejo/workflows/deploy-tofu.yaml

@@ -1,55 +0,0 @@
----
-name: OpenTofu deployments
-
-on:  # yamllint disable-line rule:truthy
-  push:
-    branches:
-      - 'main'
-
-jobs:
-  authentik:
-    runs-on: ubuntu-22.04
-    steps:
-      - uses: https://code.forgejo.org/actions/checkout@v6
-      - uses: opentofu/setup-opentofu@v2
-        with:
-          tofu_version: 1.8.1
-      - name: Deploy
-        env:
-          AUTHENTIK_URL: ${{ secrets.AUTHENTIK_URL }}
-          AUTHENTIK_TOKEN: ${{ secrets.AUTHENTIK_TOKEN }}
-          TF_VAR_firezone_client_id: ${{ secrets.TF_VAR_firezone_client_id }}
-          TF_VAR_firezone_client_secret: ${{ secrets.TF_VAR_firezone_client_secret }}
-          TF_VAR_gitea_client_id: ${{ secrets.TF_VAR_gitea_client_id }}
-          TF_VAR_gitea_client_secret: ${{ secrets.TF_VAR_gitea_client_secret }}
-          TF_VAR_miniflux_client_id: ${{ secrets.TF_VAR_miniflux_client_id }}
-          TF_VAR_miniflux_client_secret: ${{ secrets.TF_VAR_miniflux_client_secret }}
-          TF_VAR_portainer_client_id: ${{ secrets.TF_VAR_portainer_client_id }}
-          TF_VAR_portainer_client_secret: ${{ secrets.TF_VAR_portainer_client_secret }}
-          TF_VAR_paperless_client_id: ${{ secrets.TF_VAR_paperless_client_id }}
-          TF_VAR_paperless_client_secret: ${{ secrets.TF_VAR_paperless_secret }}
-          TF_VAR_netbird_client_id: ${{ secrets.TF_VAR_netbird_client_id }}
-          TF_VAR_netbird_client_secret: ${{ secrets.TF_VAR_netbird_client_secret }}
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-        run: |
-          cd tofu/authentik
-          tofu init
-          tofu apply -auto-approve
-
-  adguard:
-    runs-on: ubuntu-22.04
-    steps:
-      - uses: https://code.forgejo.org/actions/checkout@v6
-      - uses: opentofu/setup-opentofu@v2
-        with:
-          tofu_version: 1.7.0
-      - name: Deploy
-        env:
-          ADGUARD_PASSWORD: ${{ secrets.ADGUARD_PASSWORD }}
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-        run: |
-          cd tofu/adguard
-          tofu init
-          tofu apply -auto-approve

.woodpecker/fmt.yaml

@@ -0,0 +1,36 @@
+---
+when:
+  - event: push
+    branch: feat/woodpecker-ci
+
+steps:
+  - name: build-image
+    image: woodpeckerci/plugin-kaniko
+    settings:
+      registry: git.roboces.dev
+      repo: catalin/fukuops
+      tags: ci-fmt
+      target: fmt
+      username:
+        from_secret: FORGEJO_REGISTRY_USERNAME
+      password:
+        from_secret: FORGEJO_REGISTRY_PASSWORD
+
+  - name: pre-commit
+    image: git.roboces.dev/catalin/fukuops:ci-fmt
+    depends_on: [build-image]
+    commands:
+      - echo $PATH
+      - make fmt--pre-commit
+
+  - name: kubeconform
+    image: git.roboces.dev/catalin/fukuops:ci-fmt
+    depends_on: [build-image]
+    commands:
+      - make fmt--kubeconform
+
+  - name: tflint
+    image: git.roboces.dev/catalin/fukuops:ci-fmt
+    depends_on: [build-image]
+    commands:
+      - make fmt--tflint

Dockerfile

@@ -0,0 +1,16 @@
+FROM alpine:3.21 AS tofu
+
+RUN apk add --no-cache opentofu
+
+CMD ["/bin/sh"]
+
+FROM tofu AS fmt
+
+RUN apk add --no-cache \
+    pre-commit \
+    make \
+    kubeconform --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing/
+
+COPY --from=ghcr.io/terraform-linters/tflint:v0.61.0 /usr/local/bin/tflint /usr/bin/tflint
+
+CMD ["/bin/sh"]

Makefile

@@ -1,13 +1,15 @@
-lint--pre-commit:
+fmt--pre-commit:
 	pre-commit run --all-files --color always
 
-lint--kubeconform:
+fmt--kubeconform:
-	kubeconform -strict -ignore-missing-schemas k8s/
+	kubeconform -strict -ignore-missing-schemas k8s/argo-apps
+	kubeconform -strict -ignore-missing-schemas k8s/services
 
-lint--tflint:
+
+fmt--tflint:
 	tflint --recursive
 
-lint:
+fmt:
-	make lint--pre-commit
+	make fmt--pre-commit
-	make lint--kubeconform
+	make fmt--kubeconform
-	make lint--tflint
+	make fmt--tflint

README.md

@@ -1,4 +1,3 @@
 # fukuops
 
-[![Last build status](https://git.roboces.dev/catalin/fukuops/badges/workflows/ci.yaml/badge.svg)](https://git.roboces.dev/catalin/fukuops/actions)
+[![status-badge](https://ci.roboces.dev/api/badges/1/status.svg)](https://ci.roboces.dev/repos/1)
-[![Tofu deployments](https://git.roboces.dev/catalin/fukuops/badges/workflows/deploy-tofu.yaml/badge.svg)](https://git.roboces.dev/catalin/fukuops/actions)

docker/ganymede/docker-compose.yml

@@ -2,7 +2,7 @@
 services:
   ganymede:
     container_name: ganymede
-    image: ghcr.io/zibbp/ganymede:4.16.0
+    image: ghcr.io/zibbp/ganymede:4.14.1
     restart: unless-stopped
     environment:
       DEBUG: ${GANYMEDE_DEBUG:-false}

docker/paperless/docker-compose.yml

@@ -14,7 +14,7 @@ services:
 
   webserver:
 
-    image: ghcr.io/paperless-ngx/paperless-ngx:2.20.15
+    image: ghcr.io/paperless-ngx/paperless-ngx:2.20.13
     restart: unless-stopped
     ports:
       - 8002:8000

docker/rustical/docker-compose.yml

@@ -1,7 +1,7 @@
 ---
 services:
   rustical:
-    image: ghcr.io/lennart-k/rustical:0.12.12
+    image: ghcr.io/lennart-k/rustical:0.12.10
     restart: unless-stopped
     ports:
       - '4000:4000'

docker/tailscale/docker-compose.yml

@@ -1,7 +1,7 @@
 ---
 services:
   tailscale:
-    image: tailscale/tailscale:v1.96.5
+    image: tailscale/tailscale:v1.94.2
     hostname: tailscale
     environment:
       TS_AUTHKEY: ${TS_AUTHKEY}

docker/vaultwarden/docker-compose.yml

@@ -1,7 +1,7 @@
 ---
 services:
   vaultwarden:
-    image: vaultwarden/server:1.36.0-alpine
+    image: vaultwarden/server:1.35.4-alpine
     restart: unless-stopped
     environment:
       DATABASE_URL: ${DATABASE_URL}

k8s/argo-apps/elastic.yaml

@@ -0,0 +1,46 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: elastic
+  namespace: argocd
+spec:
+  destination:
+    name: ''
+    namespace: apps-fuku
+    server: https://kubernetes.default.svc
+  sources:
+    - chart: elasticsearch
+      repoURL: registry-1.docker.io/bitnamicharts
+      targetRevision: 22.1.6
+      helm:
+        valuesObject:
+          service:
+            type: LoadBalancer
+          master:
+            persistence:
+              enabled: true
+              storageClass: truenas-nfs-csi
+              accessModes:
+                - ReadWriteMany
+              size: 50Gi
+          ingress:
+            enabled: true
+            hostname: elastic.fuku
+            tls: true
+            selfSigned: true
+            ingressClassName: traefik
+          data:
+            persistence:
+              enabled: true
+              storageClass: truenas-nfs-csi
+              accessModes:
+                - ReadWriteMany
+              size: 50Gi
+            autoscaling:
+              enabled: true
+              maxReplicas: 3
+              minReplicas: 1
+  project: fuku
+  syncPolicy:
+    automated: {}

k8s/argo-apps/forgejo.yaml

@@ -14,10 +14,10 @@ spec:
   sources:
     - chart: forgejo
       repoURL: code.forgejo.org/forgejo-helm
-      targetRevision: 17.0.1
+      targetRevision: 16.2.1
       helm:
         valuesObject:
-          replicaCount: 1
+          replicaCount: 2
           service:
             http:
               type: LoadBalancer
@@ -49,8 +49,15 @@ spec:
               serviceMonitor:
                 enabled: true
             config:
+              indexer:
+                ISSUE_INDEXER_CONN_STR: http://elastic-elasticsearch.apps-fuku.svc.cluster.local:9200
+                ISSUE_INDEXER_ENABLED: true
+                ISSUE_INDEXER_TYPE: elasticsearch
+                REPO_INDEXER_ENABLED: false
+                REPO_INDEXER_TYPE: elasticsearch
               actions:
-                ENABLED: false
+                ENABLED: true
+                DEFAULT_ACTIONS_URL: https://github.com
               picture:
                 DISABLE_GRAVATAR: false
                 ENABLE_FEDERATED_AVATAR: true
@@ -99,6 +106,9 @@ spec:
             enabled: false
           redis-cluster:
             enabled: false
+    - path: k8s/services/forgejo
+      repoURL: https://git.roboces.dev/catalin/fukuops.git
+      targetRevision: main
   project: roboces
   syncPolicy:
     automated: {}

k8s/argo-apps/meili.yaml

@@ -18,13 +18,13 @@ spec:
       targetRevision: main
     - chart: meilisearch
       repoURL: https://meilisearch.github.io/meilisearch-kubernetes
-      targetRevision: 0.32.*
+      targetRevision: 0.30.*
       helm:
         valuesObject:
           environment:
             MEILI_ENV: production
           auth:
-            existingMasterKeySecret: meili
+            existingMasterKeySecret: meilisearch-master-key
           service:
             type: NodePort
             port: 7700

k8s/argo-apps/oxicloud.yaml

@@ -16,9 +16,9 @@ spec:
       helm:
         valuesObject:
           image:
-            repository: diocrafts/oxicloud
+            repository: git.roboces.dev/catalin/fukuops
             pullPolicy: Always
-            tag: "0.5.6"
+            tag: "oxicloud-0.5.3"
           persistence:
             enabled: true
             storageClass: "truenas-nfs-csi"

k8s/argo-apps/renovate.yaml

@@ -13,7 +13,7 @@ spec:
   sources:
     - chart: renovate
       repoURL: https://docs.renovatebot.com/helm-charts
-      targetRevision: 46.142.*
+      targetRevision: 46.98.*
       helm:
         valuesObject:
           renovate:

k8s/argo-apps/vault-sm.yaml

@@ -12,7 +12,7 @@ spec:
   sources:
     - chart: vaultwarden-kubernetes-secrets
       repoURL: ghcr.io/antoniolago/charts
-      targetRevision: 1.4.01
+      targetRevision: 1.3.0
       helm:
         valuesObject:
           api:

k8s/argo-apps/woodpecker.yaml

@@ -22,6 +22,9 @@ spec:
               storageClass: truenas-nfs-csi
               accessModes:
                 - ReadWriteMany
+            env:
+              WOODPECKER_MAX_WORKFLOWS: '4'
+
           server:
             env:
               WOODPECKER_ADMIN: 'woodpecker,admin,catalin'
@@ -38,6 +41,13 @@ spec:
                   secretKeyRef:
                     name: woodpecker
                     key: WOODPECKER_FORGEJO_SECRET
+              WOODPECKER_DATABASE_DRIVER: postgres
+              WOODPECKER_PLUGINS_PRIVILEGED: woodpeckerci/plugin-docker-buildx
+              WOODPECKER_DATABASE_DATASOURCE:
+                valueFrom:
+                  secretKeyRef:
+                    name: woodpecker
+                    key: WOODPECKER_DATABASE_DATASOURCE
             persistentVolume:
               storageClass: truenas-nfs-csi
               accessModes:

k8s/playground/nfstest/pod.yaml

@@ -1,19 +0,0 @@
----
-kind: Pod
-apiVersion: v1
-metadata:
-  name: pod-using-nfs
-  namespace: apps-fuku
-spec:
-  containers:
-    - name: app
-      image: alpine
-      volumeMounts:
-        - name: data
-          mountPath: /var/nfs
-      command: ["/bin/sh"]
-      args: ["-c", "sleep 500000"]
-  volumes:
-    - name: data
-      persistentVolumeClaim:
-        claimName: myapp-nfs

k8s/playground/nfstest/pvc.yaml

@@ -1,14 +0,0 @@
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: myapp-nfs
-  namespace: apps-fuku
-spec:
-  accessModes:
-    - ReadWriteMany
-  storageClassName: ""
-  volumeName: nas1
-  resources:
-    requests:
-      storage: 5Gi

k8s/playground/nfstest/pvwithnfs.yaml

@@ -1,15 +0,0 @@
----
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: nas1
-  namespace: apps-fuku
-spec:
-  capacity:
-    storage: 5Gi
-  accessModes:
-    - ReadWriteMany
-  persistentVolumeReclaimPolicy: Retain
-  nfs:
-    server: zeruel.fuku
-    path: /mnt/pool1/nas1

k8s/services/argo/project-fuku.yaml

@@ -25,6 +25,7 @@ spec:
         - https://charts.crystalnet.org
         - https://portainer.github.io/k8s/
         - https://docs.renovatebot.com/helm-charts
+        - registry-1.docker.io/bitnamicharts
         - https://meilisearch.github.io/meilisearch-kubernetes
         - https://kubetail-org.github.io/helm-charts/
         - https://groundhog2k.github.io/helm-charts/
@@ -33,4 +34,3 @@ spec:
         - https://helm.runix.net
         - https://rcourtman.github.io/Pulse
         - ghcr.io/antoniolago/charts
-        - https://helm.elastic.co

k8s/services/meili/sealedsecrets.yaml

@@ -0,0 +1,16 @@
+# yamllint disable rule:line-length
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: meilisearch-master-key
+  namespace: apps-fuku
+spec:
+  encryptedData:
+    MEILI_MASTER_KEY: AgBcQDv79lsUJF09YTd+zsuC9Ufhgs74mk5sxIrgaAQW/5yBupPgIsZw+g33qDqejuG+hfdhvkTOFHYetNuEDjnPWEpySjMLiB6N/HXMSuPimbOSjhHP3d7jgnWnIluUPs3RsvxDzaHCygVsS2a5ul7+qJGbiQTlmcV/rMVkqiw95mxwswkZhWi1Da1QYPgjRkazbCV0JAVhYYoo7VBnxceyGOS7Um5BsdyDMmXCn0qegU2FDlXTcBBur48hlyRqie/DxyZi3Yx/yiOnVH7g7H41H6hLJpKhQTMQbnohAqUC2UZZJlwrc8b/3kisFw/pxBP7S47hn9iseQcw18mXs6SzlXbhWm+CyNsKEvuXJAMVlaCrOCqs8Kf8ZlraCJYYq8mx+zoA7yAHnRdC4uByR5SGwnXJgq4WJD3wx90NuVbTcJfpQ+bNMPpRS8W+66S9j+rBVk6YcqCqL62JPSf0I9ZKCrNJrtbx5WyxbcVAgZdd2oxxXq6fG4I/wvqn/LN7nAqDwaCjU0395R+vM89o24h8pMTNOUhY1Dqxh0rKQOnTACc12kmhwQucdtjwkFzM7PJxW8d8GGdvgPoIxe27sguUMvn6IFo8h0JmGrbAyDEeR113s/gwQm9ozM9KJXXyImfiRJCcDSlny0rTNWZaGonXuSezFuhcSazepd0v85ofHgIflQQjMfLUNz1b9+ci4SbnpoJwzlrY2d6SyJSIA7Bz223j9UcRgDvRvIz3
+  template:
+    metadata:
+      creationTimestamp: null
+      name: meilisearch-master-key
+      namespace: apps-fuku

scripts/create-nginx-certs.sh

@@ -0,0 +1,103 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+usage() {
+  cat <<'EOF'
+Usage:
+  create-nginx-certs.sh --domain <domain> [--output <name>]
+
+Options:
+  -d, --domain   Domain name to use for the certificate Common Name and SAN
+  -o, --output   Output file base name (defaults to the domain name)
+  -h, --help     Show this help message
+
+Examples:
+  ./create-nginx-certs.sh --domain mydomain.local
+  ./create-nginx-certs.sh --domain mydomain.local --output foo
+EOF
+}
+
+DOMAIN=""
+OUTPUT_BASE=""
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    -d|--domain)
+      if [[ $# -lt 2 ]]; then
+        echo "Error: --domain requires a value" >&2
+        usage >&2
+        exit 1
+      fi
+      DOMAIN="$2"
+      shift 2
+      ;;
+    -o|--output)
+      if [[ $# -lt 2 ]]; then
+        echo "Error: --output requires a value" >&2
+        usage >&2
+        exit 1
+      fi
+      OUTPUT_BASE="$2"
+      shift 2
+      ;;
+    -h|--help)
+      usage
+      exit 0
+      ;;
+    *)
+      echo "Error: unknown argument: $1" >&2
+      usage >&2
+      exit 1
+      ;;
+  esac
+done
+
+if [[ -z "$DOMAIN" ]]; then
+  echo "Error: --domain is required" >&2
+  usage >&2
+  exit 1
+fi
+
+if [[ -z "$OUTPUT_BASE" ]]; then
+  OUTPUT_BASE="$DOMAIN"
+fi
+
+CERT_FILE="${OUTPUT_BASE}.pem"
+KEY_FILE="${OUTPUT_BASE}.key.pem"
+TMP_CONFIG="$(mktemp)"
+
+cleanup() {
+  rm -f "$TMP_CONFIG"
+}
+trap cleanup EXIT
+
+cat > "$TMP_CONFIG" <<EOF
+[req]
+default_bits = 2048
+prompt = no
+default_md = sha256
+distinguished_name = dn
+req_extensions = req_ext
+
+[dn]
+CN = ${DOMAIN}
+
+[req_ext]
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = ${DOMAIN}
+EOF
+
+openssl req -x509 \
+  -nodes \
+  -days 3650 \
+  -newkey rsa:2048 \
+  -keyout "$KEY_FILE" \
+  -out "$CERT_FILE" \
+  -config "$TMP_CONFIG" \
+  -extensions req_ext
+
+echo "Created certificate: $CERT_FILE"
+echo "Created private key:  $KEY_FILE"

scripts/k3scale.sh

@@ -1,162 +0,0 @@
-#!/usr/bin/env bash
-
-
-usage() {
-    cat <<EOF
-Usage: $(basename "$0") REPLICAS [RESOURCE...] [OPTIONS]
-
-Scale up or down one or several deployments/statefulsets.
-
-Arguments:
-  REPLICAS        Number of replicas to scale to
-  RESOURCE        Resource to scale in "namespace/name" format, or just "name"
-                  (uses current context namespace). Can be specified multiple times.
-
-Commands:
-  --all           Scale all deployments and statefulsets in the namespace
-  --all-namespaces
-                  Scale all deployments and statefulsets across all namespaces
-
-Options:
-  -h, --help      Show this help message
-  -n, --namespace NAMESPACE
-                  Namespace to use (default: current context namespace)
-  --dry-run       Print what would be scaled without making changes
-  -v              Pass -v to kubectl (minimal output)
-  -vv             Pass -vv to kubectl (more output)
-  -vvv            Pass -vvv to kubectl (debug output)
-
-Examples:
-  $(basename "$0") 1 mynamespace/mydeployment
-  $(basename "$0") 1 mynamespace/mydeployment mydeployment2
-  $(basename "$0") 1 --all
-  $(basename "$0") 1 --all --namespace mynamespace
-  $(basename "$0") 0 --all-namespaces --dry-run
-EOF
-}
-
-KUBECTL_V=""
-NAMESPACE=""
-DRY_RUN=false
-REPLICAS=""
-RESOURCES=()
-ALL=false
-ALL_NAMESPACES=false
-
-while [[ $# -gt 0 ]]; do
-    case "$1" in
-        -h|--help)
-            usage
-            exit 0
-            ;;
-        -n|--namespace)
-            NAMESPACE="$2"
-            shift 2
-            ;;
-        --dry-run)
-            DRY_RUN=true
-            shift
-            ;;
-        -v|-vv|-vvv)
-            KUBECTL_V="$1"
-            shift
-            ;;
-        --all)
-            ALL=true
-            shift
-            ;;
-        --all-namespaces)
-            ALL_NAMESPACES=true
-            shift
-            ;;
-        -*)
-            echo "Error: Unknown option: $1" >&2
-            usage >&2
-            exit 1
-            ;;
-        *)
-            if [[ -z "$REPLICAS" ]]; then
-                REPLICAS="$1"
-            else
-                RESOURCES+=("$1")
-            fi
-            shift
-            ;;
-    esac
-done
-
-if [[ -z "$REPLICAS" ]]; then
-    echo "Error: REPLICAS is required" >&2
-    usage >&2
-    exit 1
-fi
-
-if [[ "$ALL" == false && "$ALL_NAMESPACES" == false && ${#RESOURCES[@]} -eq 0 ]]; then
-    echo "Error: Must specify --all, --all-namespaces, or at least one RESOURCE" >&2
-    usage >&2
-    exit 1
-fi
-
-NAMESPACE_ARG=()
-if [[ -n "$NAMESPACE" ]]; then
-    NAMESPACE_ARG=("-n" "$NAMESPACE")
-fi
-
-DRY_RUN_ARG=()
-if [[ "$DRY_RUN" == true ]]; then
-    DRY_RUN_ARG=("--dry-run=client")
-fi
-
-KUBECTL_BASE=(kubectl)
-if [[ -n "$KUBECTL_V" ]]; then
-    KUBECTL_BASE+=( "$KUBECTL_V" )
-fi
-KUBECTL_BASE+=( "${NAMESPACE_ARG[@]}" )
-KUBECTL_BASE+=( "${DRY_RUN_ARG[@]}" )
-
-scale_resource() {
-    local resource="$1"
-    local ns name
-
-    if [[ "$resource" == */* ]]; then
-        ns="${resource%%/*}"
-        name="${resource#*/}"
-    else
-        ns="${NAMESPACE:-$(kubectl "${NAMESPACE_ARG[@]}" config view --minify --output jsonpath='{.contexts[0].context.namespace}' 2>/dev/null || echo "default")}"
-        name="$resource"
-    fi
-
-    for kind in deployment statefulset; do
-        if "${KUBECTL_BASE[@]}" get "$kind" "$name" -n "$ns" &>/dev/null; then
-            echo "Scaling $kind/$ns/$name to $REPLICAS replicas${DRY_RUN:+ (dry-run)}"
-            "${KUBECTL_BASE[@]}" scale "$kind" "$name" -n "$ns" --replicas="$REPLICAS"
-            return 0
-        fi
-    done
-
-    echo "Error: Resource '$resource' not found as deployment or statefulset" >&2
-    return 1
-}
-
-get_resources() {
-    local ns_flag=()
-    if [[ "$ALL_NAMESPACES" == true ]]; then
-        ns_flag=("--all-namespaces")
-    elif [[ -n "$NAMESPACE" ]]; then
-        ns_flag=("-n" "$NAMESPACE")
-    fi
-
-    "${KUBECTL_BASE[@]}" get "${ns_flag[@]}" deployment,statefulset -o jsonpath='{range .items[*]}{.metadata.namespace}/{.kind}/{.metadata.name}{"\n"}{end}' 2>/dev/null | while IFS=/ read -r ns kind name; do
-        echo "$ns/$name"
-    done
-}
-
-if [[ "$ALL" == true || "$ALL_NAMESPACES" == true ]]; then
-    while IFS= read -r resource; do
-        [[ -n "$resource" ]] && scale_resource "$resource"
-    done < <(get_resources)
-else
-    for resource in "${RESOURCES[@]}"; do
-        scale_resource "$resource"
-    done
-fi

scripts/update-argo.sh

@@ -1,129 +0,0 @@
-#!/usr/bin/env bash
-
-check_kubectl() {
-    if ! command -v kubectl &>/dev/null; then
-        echo "Error: kubectl is not installed or not in PATH" >&2
-        exit 1
-    fi
-    log_info "kubectl found at $(command -v kubectl)"
-}
-
-VERBOSE=0
-
-log_debug() { [[ $VERBOSE -ge 3 ]] && echo "[DEBUG] $*" || true; }
-log_verbose() { [[ $VERBOSE -ge 2 ]] && echo "[VERBOSE] $*" || true; }
-log_info() { [[ $VERBOSE -ge 1 ]] && echo "[INFO] $*" || true; }
-log_error() { echo "[ERROR] $*" >&2; }
-
-usage() {
-    cat <<EOF
-Usage: $(basename "$0") [OPTIONS] [VERSION]
-
-Upgrade ArgoCD to a new version. Requires an existing ArgoCD installation.
-
-Examples:
-  $(basename "$0")                # queries the current argo version and tries to update to the immediate newest version
-  $(basename "$0") v4.3.0        # incrementally update to target version
-
-Options:
-  -h, --help      Show this help message
-  --dry-run       Show what would be done without making changes
-  -v              Verbose output (info level)
-  -vv             More verbose output (info + verbose level)
-  -vvv            Debug output (all log levels)
-EOF
-}
-
-DRY_RUN=false
-
-while [[ $# -gt 0 ]]; do
-    case "$1" in
-        -h|--help)
-            usage
-            exit 0
-            ;;
-        --dry-run)
-            DRY_RUN=true
-            shift
-            ;;
-        -v|-vv|-vvv)
-            case "$1" in
-                -v)   VERBOSE=1 ;;
-                -vv)  VERBOSE=2 ;;
-                -vvv) VERBOSE=3 ;;
-            esac
-            shift
-            ;;
-        -*)
-            echo "Error: Unknown option: $1" >&2
-            usage >&2
-            exit 1
-            ;;
-        *)
-            TARGET_VERSION="$1"
-            shift
-            ;;
-    esac
-done
-
-log_debug "Script started with target version: ${TARGET_VERSION:-auto}"
-
-check_kubectl
-
-log_info "Checking current kubectl context"
-CURRENT_CONTEXT=$(kubectl config current-context 2>/dev/null)
-log_verbose "Current context: $CURRENT_CONTEXT"
-
-log_info "Checking for ArgoCD installation"
-if ! kubectl get ns argocd &>/dev/null; then
-    log_error "ArgoCD namespace not found. This script only upgrades existing installations."
-    exit 1
-fi
-log_verbose "ArgoCD namespace found"
-
-log_info "Checking current ArgoCD version"
-CURRENT_VERSION=$(kubectl get deployment argocd-server -n argocd -o jsonpath='{.spec.template.spec.containers[0].image}' 2>/dev/null)
-if [[ -n "$CURRENT_VERSION" ]]; then
-    CURRENT_VERSION=$(echo "$CURRENT_VERSION" | sed 's/.*argocd:v\?//' | tr -d ' \n')
-    if [[ -n "$CURRENT_VERSION" ]]; then
-        CURRENT_VERSION="${CURRENT_VERSION#v}"
-        log_verbose "Current ArgoCD version: $CURRENT_VERSION"
-    else
-        log_error "Could not extract ArgoCD version from image: $CURRENT_VERSION"
-        exit 1
-    fi
-fi
-
-if [[ -z "$TARGET_VERSION" ]]; then
-    log_info "No target version specified, querying for latest version"
-    log_verbose "Fetching latest release from GitHub"
-    LATEST_VERSION=$(curl -s https://api.github.com/repos/argoproj/argo-cd/releases/latest | grep -oP '"tag_name":\s*"\K[^"]+' | sed 's/^v//')
-    if [[ -n "$LATEST_VERSION" ]]; then
-        log_verbose "Latest version available: $LATEST_VERSION"
-        TARGET_VERSION="$LATEST_VERSION"
-    else
-        echo "Error: Could not fetch latest version" >&2
-        exit 1
-    fi
-fi
-
-log_info "Target version: $TARGET_VERSION"
-
-log_debug "Determining update path from $CURRENT_VERSION to $TARGET_VERSION"
-
-log_info "Applying ArgoCD manifests"
-log_verbose "Downloading manifest from https://raw.githubusercontent.com/argoproj/argo-cd/v${TARGET_VERSION}/manifests/install.yaml"
-curl -sLO "https://raw.githubusercontent.com/argoproj/argo-cd/v${TARGET_VERSION}/manifests/install.yaml"
-
-log_debug "Applying manifest with kubectl"
-if [[ "$DRY_RUN" == true ]]; then
-    log_verbose "Dry-run mode: would apply manifest"
-    kubectl apply -n argocd -f install.yaml --dry-run=client
-else
-    kubectl apply -n argocd -f install.yaml
-fi
-
-log_verbose "Cleaning up downloaded manifest"
-rm -f install.yaml
-
-log_info "Update to ArgoCD $TARGET_VERSION initiated"

tofu/adguard/.terraform.lock.hcl

@@ -2,35 +2,37 @@
 # Manual edits may be lost in future updates.
 
 provider "registry.opentofu.org/gmichels/adguard" {
-  version     = "1.7.0"
+  version     = "1.6.2"
-  constraints = "1.7.0"
+  constraints = "1.6.2"
   hashes = [
-    "h1:1vvJ6KcLUR8U2BHNtj7tMsgEsGXzTKMIFsHfcZYEVyc=",
+    "h1:4rfmv0e8MoRPw+CTZBxTlPZbOSvPnIIt8kwVIIRIqbc=",
-    "h1:5BDrsrU/Sdain/+KkhbNzxVL81rh69wG4iKOIBf9qys=",
+    "h1:FUOYxkRfDHxiAlTKpvfZpNpRdCkq7Gs9JcZjLWo+guM=",
-    "h1:70gWtux/jVZQgsDjr8+j0aRHKkGZqRWCmzoX9ddC7f4=",
+    "h1:FewdC+pt/Z8XC1M5M49D74MYnMzVjwVoAcnonmbxhwA=",
-    "h1:Qdqipgukxph9vqXiEKVzFSgXfEmGiGw1JrrQvwJOtco=",
+    "h1:RAXQ/T7oF42hDSuXH7hH85uj8QmHRS+ArP5pO4ILslc=",
-    "h1:QveIrziFNxu+Go7pl7qjH5tqPOb8pgzfTdunVgsJ3vg=",
+    "h1:a5SEI5KSX0cENGjd+IrxMj4l0Cr5GWvTP8Ng3cJaLTg=",
-    "h1:UrJdOlCLAWC7/I2Co02RtOKT3tSGb8TwOgJ7s0sOtCo=",
+    "h1:gNdYW6qM5jJTA2M9BHzVtuCTSmY2Fi/r08A/duZR8Yg=",
-    "h1:W6nZfQzWb3Ds1JRytBqzsZoNBa6x4OOe9J87f1nyCRA=",
+    "h1:gnBusJUhlOSxn2JG5V0N3aHWAcTtMLcSjRSMKm8+6S4=",
-    "h1:c3RK8fSEr2yfPySC0WemOC/CR3608Ra4vFwGhvdrswg=",
+    "h1:hwB3SSfBITtOIggACNkdTnA8hG2AzYaFgG3WJny3290=",
-    "h1:jizPinVWDQUN6rKwiBgRm7PcgUJe4AWlCWghgH0v7xI=",
+    "h1:iGjswHan6q6vYBTxR+WFBCUwCN7jmg7mAvFnv4P3/m8=",
-    "h1:lb9gv3IiUZDA4P/kpuvOqZmidWMIbpG+sUecM1QclNo=",
+    "h1:mBxI5srrplxBHZLuXfEVZzwph3mCl9SQv0e9nR2GhQ4=",
-    "h1:sRIMccvZq71/CxTknprnRozCChEZSq4Nmt+M+DOjTq8=",
+    "h1:o3CYF1B/kMBktAn1cWJuqW84VqZkM5K3A1BPw6v5fnA=",
-    "h1:uOdtIfvNVEHheucpt51bSCYtX2W1LKELlOkBTbjBm6o=",
+    "h1:sX4l50R6dzuHdQJFBfGDY6lZc4bCGKjxkKRtoKmx/1g=",
-    "h1:woGvhSgZDFj5+yH5uHonXSIn6AaeZekb3t9oXMZB/DQ=",
+    "h1:shVeqrDxxOvnsD//ryu7IoxwPsGb+6FeLmum3szd/mU=",
-    "zh:0b83aa1ade1a6f7c9b1af0488dad43bf00e733d1517463d4bee51c17612546da",
+    "h1:wY3pI9C3lEZ9nZRIqky5cqfwLm+u7Wi/9HBVCo4o9/M=",
-    "zh:15d784c16545efaf6c368b642995bb0d0ef61b6961e67b072430d445ef6c02fc",
+    "zh:0337224a2b6418ba38cedf7f2cef9b154f51db4791b03d6b5745cb26f60614d2",
-    "zh:1c4da4d20c98795fee1ac0cd9ffd880a68f06992d6fe849342c4b19f79c8aff9",
+    "zh:09addda402962c46cd236ae1703ba9632f377897e8d321678cf0e4428a5071f7",
-    "zh:41afcdcc5236fa40a0b7ec614cb830ef03d45f8f1b8988d24d80ec999ef34b9b",
+    "zh:1f7b511933d6ca8fbdcd5bb50bba910e88b73fee57ae2922e01f18470350929e",
-    "zh:4c8e832a5a842420b5163eb5eb2bd7d460ece524efc618bdba64e4f4a2d403b5",
+    "zh:2bd2a45c4cddd19b2a55d6d658184df25f002e0b7a929da48b5086922ae846d6",
-    "zh:58e19d2f9e4bd9f2a13b631c3213157ea80ef3aa7b3b8edcd8fb341f9c06c5e5",
+    "zh:30ed44fd468132273029302fc16de4e76a1f10b816862e2e5dfca545e5b67f70",
-    "zh:7380ca4d053255f787ded10c26b19ebd23d3563ddbb36d0be66bb2cef293d27d",
+    "zh:3f73e37f6410509f7811db77b53f6e332c24344ad800a1d56bcf6af2a706d998",
-    "zh:7b21589bb31084bb68b2deb96bd4130b8b13c1c71614704d13d4cbdfc583f3c7",
+    "zh:5215dbeb6edbe0e7fae238580bb649745824d3744cc0d3b407244383ddeefd96",
-    "zh:82aee49172286676cdccbc97b809b84acf3edeb164ae77cafa837118ee3769a6",
+    "zh:543a6b4d814607884791306ae661a1d3475af90785712fb6c94e2b616f75afba",
-    "zh:95431a266520cce112474616c27c80f0017625ef7d80aaf69118360222d7974b",
+    "zh:8402d7a2d501ff0c9fe2216bf80f6bc133f0277cc3f184d3d37f4628b778f18b",
-    "zh:a6dc4b60beafc471d049b856df4bf793838b1e8b2079efe4a12ebf6fbd482098",
+    "zh:894ac1fce4fd92c66684d64d41356d5d02ebcf3a68e4ae1150314732f9ac384f",
-    "zh:d9c5c35be3ae54a52fb444b61e442445e74df6a4ab5bc4884b0f5d55eacc4ced",
+    "zh:ad547c8c8413de6886cf563129b117a0aab79b9841e7486e58a639c74eeacc12",
-    "zh:f6bd2db5d9a178c9b5b020e505affc245a0ceaa8e662f37ad9743d65e1153322",
+    "zh:b9d69a6f99256cbd741ddc881f8665eec6e51ee1a4b99918ae8e9bdcf73cf31d",
+    "zh:d254d2dae145dbe5435be32b821198d9d5dca81fb67e06499eb8a8bd78a34ba5",
+    "zh:df327c22ba4437fa5e879ae70ce8330363a4e6f320711e7bd2ac249db3a3a551",
     "zh:f809ab383cca0a5f83072981c64208cbd7fa67e986a86ee02dd2c82333221e32",
   ]
 }

tofu/adguard/main.tf

@@ -9,7 +9,7 @@ terraform {
   required_providers {
     adguard = {
       source  = "gmichels/adguard"
-      version = "1.7.0"
+      version = "1.6.2"
     }
   }
 }
@@ -23,18 +23,9 @@ provider "adguard" {
 
 resource "adguard_rewrite" "argo_1" {
   domain = "argo.fuku"
-  answer = "192.168.1.31"
+  answer = "192.168.1.12"
 }
 
-resource "adguard_rewrite" "argo_2" {
-  domain = "argo.fuku"
-  answer = "192.168.1.32"
-}
-
-resource "adguard_rewrite" "argo_3" {
-  domain = "argo.fuku"
-  answer = "192.168.1.33"
-}
 resource "adguard_rewrite" "feeds" {
   domain = "feeds.roboces.dev"
   answer = "192.168.1.12"

tofu/authentik/.terraform.lock.hcl

@@ -2,34 +2,36 @@
 # Manual edits may be lost in future updates.
 
 provider "registry.opentofu.org/goauthentik/authentik" {
-  version     = "2026.2.0"
+  version     = "2025.12.1"
-  constraints = "2026.2.0"
+  constraints = "2025.12.1"
   hashes = [
-    "h1:/y7//ItB3vYvtDzSgrd7eY4QHGQ7b2G/rF/rtXdvUiY=",
+    "h1:+R2MRgaXvmR1l+nYxYJqMSuvA4VBzfBoh2Er6TnDRPE=",
-    "h1:2MTCDpaUJ9AAckFf+lfhq5VNkl4/e1is7XIHfjFX20U=",
+    "h1:1y5I173i8qvxp8GQHBBI/bxkr6YOqY4IqOiJWIUSeeM=",
-    "h1:EECfgcbT6h+ppgQ3x06iQZSheZ4vJ6NVwXGYGzyuQQ4=",
+    "h1:XHaltkhuTgyFCCZgpay2orOgc0TyZf0KqrFHNfUgY20=",
-    "h1:Hg5gBZc/mPbMwH3r5AVbDycUFoeh1LlHtAvVKsnruTY=",
+    "h1:XvFByv5e6fKSlayYaXpFD/JbTYZN1ybujVJJjny1Q18=",
-    "h1:J9+XlKbvc8x99ZV779XH0swZhsJo+Zcrh7UCK5pKQKY=",
+    "h1:ZU9d05CLVYBbmdB0IGiG9MueY4/fVo4D6FeyQtbeujA=",
-    "h1:On3/Zzv3W72aGsJ4AhW/tnpi4hvq9cxwgf7tF6Tg+a4=",
+    "h1:doHtDOiEIgIUWlUUc9jC7Uqdhj1hsy3etvdYmegcUZM=",
-    "h1:imSeB1o2GiuyBKsK6prOkOT7dQVDK42TaxGWAb+wEvg=",
+    "h1:hUgMx2B40ByfaMA4Al0h7xotp/pZxJJxZZa/HJb6NDc=",
-    "h1:jpOkyfrzbb/LBCdW/0R2Ag+X9bRw6X1/2BRMoImfgQ8=",
+    "h1:kG5J46qkCdUWJp/1p8CLifqc7Fy54IDZEjYhpmWcars=",
-    "h1:pT8YP3VDxKxhT1X+UXmjN78C+8NNb3fIANWNjR0xRX4=",
+    "h1:lNx+bJr11tPJxpkL5aTdOkGwB41O2Kv8fvKuiMl/LLs=",
-    "h1:pum2uBRNDUjPeP9aYszm+6GU+K7tZIpbbLrsN39l8iw=",
+    "h1:mSOL+FqSLNkWeXopegyK/MoCkMD/VmW9V3PHLaIePjU=",
-    "h1:qYcmNSTHIU6XefHE11SmywKqgp84B6n2Fzwdj/8dRN8=",
+    "h1:oCKzPBsyaD1ENda7qbREG3DYV3Opu09ub+msk3vRCkw=",
-    "h1:zH1hHNBUvxXZBzxyQa6OPjDAlZyr3rA7LqwTVVZDW9s=",
+    "h1:p9AGeRqK50wTHEIp7z7O4MUP83cs+lt7wPajZ9m9TB8=",
-    "h1:zacZCsqLyCstv+qE+VhFvwCIGLQEdNBsMIM7r9umUSQ=",
+    "h1:tBoVWDOhByI7cg9TYAAw6LDdMmWLpa2LYwJzzcukdiA=",
-    "zh:00c44e8ee842e75de9cc4fd6193b10258d1dc840e5be4aaaf118ffc180dceee0",
+    "h1:zHQHXKmlGNYBaWLJ9SuXsJ7dbpsvhDJl5pJi+PFU+2w=",
-    "zh:13057f08bce3b63613e1be3997dd454ff9568c569dd983987b1550280fbe3d01",
+    "zh:0e856d3b13614bc32346a236a8e84ba55ecd17238c2008d4b3e71aa8cb49f515",
-    "zh:410a1ff2ae4647cc0ab37894f81e4d474b588a0a7f005d05d55e8c3a40978dd2",
+    "zh:2dcc44cd499c18ebbc4f763eff97a7b725763c8ac8fbb5d69c935413ccdc4962",
-    "zh:43830834d12b3c0eeabe397842f82ca3a6b58a5bc8dd837d55b821419b55ed61",
+    "zh:434100fc75ec7cd6b64cc9497e8273e79325fa8d285e9fd9d341c1a67421643b",
-    "zh:56eaedd196ed7c4003cee0434b891b38242b4fde2031978d0ddcfdf6e16ee5ad",
+    "zh:483484f66d2e8ce6fa4bfd91e824ceebf07d10acb5df5f366397c55227c4ae91",
-    "zh:5b3c10bb63c3c215ed9e0918e5808b240e3f2ee8248d10cd4d824a4998a213c5",
+    "zh:596743a6f1c77a6f103b06ef8d932fe8f2376793b92478853dc84571d17c429f",
-    "zh:99c14891bcb92a6b21ef4c0e60f6c0df23e3452808f3eefd67cde78d132c80d9",
+    "zh:5ed2d5eb7db13229baaf042c725d5c64b58ffdcc641370175e0a88900af94bf1",
-    "zh:9a32cdda9f939f8484e27d4200d004c44f016fe97579a111201083f4beea78e8",
+    "zh:8aecd4cf782c82bee01098f72fe4ffff83707516007b32a01c7fcb19a9260338",
-    "zh:ae5086816144f68de9a0002e7696321169a71473f9d161793f4ae996388f56de",
+    "zh:928c05ecac309287ff7d73ed6e478350fe3003557658ae5dc2be817a4268dba7",
-    "zh:bd09409dd34608a4ef3ea80cfc5e397268e7872f2e84c1ccdc9b5698e36ddad5",
+    "zh:9b9fd36dfb3e75da8b4478485272505ae9a3c67b10db173e1d2d76cfe2b637b8",
-    "zh:be7af8b9eb61b0eb5053f14360e5a68caeb32c115efe8e1b583f2e7c91352a2a",
+    "zh:ab7cd8c61ab67a045854e32f0be1940a92746770dbf3c17bbe923e0259c4f897",
-    "zh:e11726812a1b2caf6b6784a3d074d1f50e3d406e9629c02096a001e5a5979331",
+    "zh:bb1360ec19a4fc1095d0ef1b7b6c5c3c1a91daac7cd1957d43a4cdbb7356a2e3",
-    "zh:e39183d10d8158ccab51208f4f727c7419b1b1e596f4feb23dc42aebb36d01e3",
+    "zh:d2186f4063aa1a547b52a53745d472e43f5343bc1674f2bbb91421c61b0fab50",
+    "zh:d74bbb67a77951b18ffd7b2863954e70ac03450ad2023cc305c66a5ff25d8d18",
+    "zh:f5970569ea0a479bbfbf2d452f5962e1c9bd472b82756db822d0e951363daa25",
   ]
 }

tofu/authentik/main.tf

@@ -8,7 +8,7 @@ terraform {
   required_providers {
     authentik = {
       source  = "goauthentik/authentik"
-      version = "2026.2.0"
+      version = "2025.12.1"
     }
   }
 }

tofu/modules/authentik-app/main.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     authentik = {
       source  = "goauthentik/authentik"
-      version = "2026.2.0"
+      version = "2025.12.1"
     }
   }
 }

tofu/modules/authentik-app/vars.tf

@@ -8,33 +8,11 @@ variable "app_slug" {
   type        = string
 }
 
-
-variable "client_type" {
-  type    = string
-  default = "confidential"
-
-  validation {
-    condition     = contains(["confidential", "public"], var.client_type)
-    error_message = "client_type must be 'confidential' or 'public'"
-  }
-}
-
 variable "app_access_group_id" {
   description = "ID of a group which will have access to the app"
   type        = string
 }
 
-variable "sub_mode" {
-  type    = string
-  default = "user_username"
-
-  validation {
-    condition     = contains(["user_id", "user_username", "hashed_user_id"], var.sub_mode)
-    error_message = "sub_mode must be 'user_id', 'user_username' or 'hashed_user_id'"
-  }
-}
-
-
 variable "open_in_new_tab" {
   type        = bool
   description = "Open apps in a new tab"

tofu/modules/authentik-ldap/.terraform.lock.hcl

@@ -2,34 +2,36 @@
 # Manual edits may be lost in future updates.
 
 provider "registry.opentofu.org/goauthentik/authentik" {
-  version     = "2026.2.0"
+  version     = "2025.12.1"
-  constraints = "2026.2.0"
+  constraints = "2025.12.1"
   hashes = [
-    "h1:/y7//ItB3vYvtDzSgrd7eY4QHGQ7b2G/rF/rtXdvUiY=",
+    "h1:+R2MRgaXvmR1l+nYxYJqMSuvA4VBzfBoh2Er6TnDRPE=",
-    "h1:2MTCDpaUJ9AAckFf+lfhq5VNkl4/e1is7XIHfjFX20U=",
+    "h1:1y5I173i8qvxp8GQHBBI/bxkr6YOqY4IqOiJWIUSeeM=",
-    "h1:EECfgcbT6h+ppgQ3x06iQZSheZ4vJ6NVwXGYGzyuQQ4=",
+    "h1:XHaltkhuTgyFCCZgpay2orOgc0TyZf0KqrFHNfUgY20=",
-    "h1:Hg5gBZc/mPbMwH3r5AVbDycUFoeh1LlHtAvVKsnruTY=",
+    "h1:XvFByv5e6fKSlayYaXpFD/JbTYZN1ybujVJJjny1Q18=",
-    "h1:J9+XlKbvc8x99ZV779XH0swZhsJo+Zcrh7UCK5pKQKY=",
+    "h1:ZU9d05CLVYBbmdB0IGiG9MueY4/fVo4D6FeyQtbeujA=",
-    "h1:On3/Zzv3W72aGsJ4AhW/tnpi4hvq9cxwgf7tF6Tg+a4=",
+    "h1:doHtDOiEIgIUWlUUc9jC7Uqdhj1hsy3etvdYmegcUZM=",
-    "h1:imSeB1o2GiuyBKsK6prOkOT7dQVDK42TaxGWAb+wEvg=",
+    "h1:hUgMx2B40ByfaMA4Al0h7xotp/pZxJJxZZa/HJb6NDc=",
-    "h1:jpOkyfrzbb/LBCdW/0R2Ag+X9bRw6X1/2BRMoImfgQ8=",
+    "h1:kG5J46qkCdUWJp/1p8CLifqc7Fy54IDZEjYhpmWcars=",
-    "h1:pT8YP3VDxKxhT1X+UXmjN78C+8NNb3fIANWNjR0xRX4=",
+    "h1:lNx+bJr11tPJxpkL5aTdOkGwB41O2Kv8fvKuiMl/LLs=",
-    "h1:pum2uBRNDUjPeP9aYszm+6GU+K7tZIpbbLrsN39l8iw=",
+    "h1:mSOL+FqSLNkWeXopegyK/MoCkMD/VmW9V3PHLaIePjU=",
-    "h1:qYcmNSTHIU6XefHE11SmywKqgp84B6n2Fzwdj/8dRN8=",
+    "h1:oCKzPBsyaD1ENda7qbREG3DYV3Opu09ub+msk3vRCkw=",
-    "h1:zH1hHNBUvxXZBzxyQa6OPjDAlZyr3rA7LqwTVVZDW9s=",
+    "h1:p9AGeRqK50wTHEIp7z7O4MUP83cs+lt7wPajZ9m9TB8=",
-    "h1:zacZCsqLyCstv+qE+VhFvwCIGLQEdNBsMIM7r9umUSQ=",
+    "h1:tBoVWDOhByI7cg9TYAAw6LDdMmWLpa2LYwJzzcukdiA=",
-    "zh:00c44e8ee842e75de9cc4fd6193b10258d1dc840e5be4aaaf118ffc180dceee0",
+    "h1:zHQHXKmlGNYBaWLJ9SuXsJ7dbpsvhDJl5pJi+PFU+2w=",
-    "zh:13057f08bce3b63613e1be3997dd454ff9568c569dd983987b1550280fbe3d01",
+    "zh:0e856d3b13614bc32346a236a8e84ba55ecd17238c2008d4b3e71aa8cb49f515",
-    "zh:410a1ff2ae4647cc0ab37894f81e4d474b588a0a7f005d05d55e8c3a40978dd2",
+    "zh:2dcc44cd499c18ebbc4f763eff97a7b725763c8ac8fbb5d69c935413ccdc4962",
-    "zh:43830834d12b3c0eeabe397842f82ca3a6b58a5bc8dd837d55b821419b55ed61",
+    "zh:434100fc75ec7cd6b64cc9497e8273e79325fa8d285e9fd9d341c1a67421643b",
-    "zh:56eaedd196ed7c4003cee0434b891b38242b4fde2031978d0ddcfdf6e16ee5ad",
+    "zh:483484f66d2e8ce6fa4bfd91e824ceebf07d10acb5df5f366397c55227c4ae91",
-    "zh:5b3c10bb63c3c215ed9e0918e5808b240e3f2ee8248d10cd4d824a4998a213c5",
+    "zh:596743a6f1c77a6f103b06ef8d932fe8f2376793b92478853dc84571d17c429f",
-    "zh:99c14891bcb92a6b21ef4c0e60f6c0df23e3452808f3eefd67cde78d132c80d9",
+    "zh:5ed2d5eb7db13229baaf042c725d5c64b58ffdcc641370175e0a88900af94bf1",
-    "zh:9a32cdda9f939f8484e27d4200d004c44f016fe97579a111201083f4beea78e8",
+    "zh:8aecd4cf782c82bee01098f72fe4ffff83707516007b32a01c7fcb19a9260338",
-    "zh:ae5086816144f68de9a0002e7696321169a71473f9d161793f4ae996388f56de",
+    "zh:928c05ecac309287ff7d73ed6e478350fe3003557658ae5dc2be817a4268dba7",
-    "zh:bd09409dd34608a4ef3ea80cfc5e397268e7872f2e84c1ccdc9b5698e36ddad5",
+    "zh:9b9fd36dfb3e75da8b4478485272505ae9a3c67b10db173e1d2d76cfe2b637b8",
-    "zh:be7af8b9eb61b0eb5053f14360e5a68caeb32c115efe8e1b583f2e7c91352a2a",
+    "zh:ab7cd8c61ab67a045854e32f0be1940a92746770dbf3c17bbe923e0259c4f897",
-    "zh:e11726812a1b2caf6b6784a3d074d1f50e3d406e9629c02096a001e5a5979331",
+    "zh:bb1360ec19a4fc1095d0ef1b7b6c5c3c1a91daac7cd1957d43a4cdbb7356a2e3",
-    "zh:e39183d10d8158ccab51208f4f727c7419b1b1e596f4feb23dc42aebb36d01e3",
+    "zh:d2186f4063aa1a547b52a53745d472e43f5343bc1674f2bbb91421c61b0fab50",
+    "zh:d74bbb67a77951b18ffd7b2863954e70ac03450ad2023cc305c66a5ff25d8d18",
+    "zh:f5970569ea0a479bbfbf2d452f5962e1c9bd472b82756db822d0e951363daa25",
   ]
 }

tofu/modules/authentik-ldap/main.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     authentik = {
       source  = "goauthentik/authentik"
-      version = "2026.2.0"
+      version = "2025.12.1"
     }
   }
 }

tofu/modules/authentik-oidc/main.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     authentik = {
       source  = "goauthentik/authentik"
-      version = "2026.2.0"
+      version = "2025.12.1"
     }
   }
 }

tofu/modules/authentik-proxy/main.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     authentik = {
       source  = "goauthentik/authentik"
-      version = "2026.2.0"
+      version = "2025.12.1"
     }
   }
 }