diff --git a/stacks/instagram-poster/modules/instagram-poster/main.tf b/stacks/instagram-poster/modules/instagram-poster/main.tf index c4879bab..3f2f235f 100644 --- a/stacks/instagram-poster/modules/instagram-poster/main.tf +++ b/stacks/instagram-poster/modules/instagram-poster/main.tf @@ -152,6 +152,15 @@ resource "kubernetes_deployment" "instagram_poster" { name = "registry-credentials" } + # PVC mounts as root by default; pod runs as uid/gid 10001 (poster). + # fs_group makes kubelet chown the volume to gid 10001 on mount. + security_context { + fs_group = 10001 + run_as_user = 10001 + run_as_group = 10001 + run_as_non_root = true + } + container { name = "instagram-poster" image = local.image diff --git a/stacks/instagram-poster/terragrunt.hcl b/stacks/instagram-poster/terragrunt.hcl index df54666f..b309c258 100644 --- a/stacks/instagram-poster/terragrunt.hcl +++ b/stacks/instagram-poster/terragrunt.hcl @@ -19,5 +19,5 @@ dependency "external-secrets" { inputs = { # Bump per deploy. Use 8-char git SHA — :latest causes stale pull-through cache. - image_tag = "23f8b4ed" + image_tag = "24935ab4" } diff --git a/stacks/postiz/modules/postiz/main.tf b/stacks/postiz/modules/postiz/main.tf index 6da6db89..a33b39cf 100644 --- a/stacks/postiz/modules/postiz/main.tf +++ b/stacks/postiz/modules/postiz/main.tf @@ -102,7 +102,7 @@ resource "helm_release" "postiz" { timeout = 600 repository = "oci://ghcr.io/gitroomhq/postiz-helmchart/charts" - chart = "postiz" + chart = "postiz-app" version = var.chart_version values = [yamlencode({ 
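Review bot: Container-level hardening is not visible next to the new pod-level `security_context` in `kubernetes_deployment.instagram_poster`. The block sets the uid/gid and `run_as_non_root`, but nothing in this hunk blocks privilege escalation, drops capabilities or selects a seccomp profile. The `container` block starts in this hunk and continues outside it, so it may already carry its own `security_context`. If it does not, add `seccomp_profile { type = "RuntimeDefault" }` to the pod-level block and, inside the container, a `security_context` with `allow_privilege_escalation = false` and `capabilities { drop = ["ALL"] }`. Separately, `fs_group` makes kubelet re-own the volume contents on each mount, and `fs_group_change_policy = "OnRootMismatch"` would limit that to the case where the volume root has the wrong ownership.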
@@ -184,8 +184,15 @@ resource "helm_release" "postiz" { # PG/Redis Services are ClusterIP and only routable from the postiz # namespace, so the credentials never leave the pod network. Promotion to # CNPG with Vault-rotated creds is the next step. + # Bitnami removed bitnami/postgresql + bitnami/redis from DockerHub + # (Broadcom acquisition, Aug 2025). Older tags moved to bitnamilegacy/*. postgresql = { enabled = true + image = { + registry = "docker.io" + repository = "bitnamilegacy/postgresql" + tag = "16.4.0-debian-12-r7" + } auth = { username = "postiz" database = "postiz" @@ -194,6 +201,11 @@ resource "helm_release" "postiz" { redis = { enabled = true + image = { + registry = "docker.io" + repository = "bitnamilegacy/redis" + tag = "7.4.0-debian-12-r2" + } } })]
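Review bot: The `bitnamilegacy/postgresql` override here and the `bitnamilegacy/redis` override in the following hunk point both data stores at a namespace that, per the comment this hunk adds, only holds the older tags. These images should therefore be assumed to receive no further security fixes. The comment should record that and name the exit, for example `# bitnamilegacy/* is frozen (no CVE fixes); temporary until the CNPG migration`. Both images are also referenced by tag only on a public registry. If the subcharts are the Bitnami ones, as the values layout suggests, adding `digest = "sha256:<digest of the image you verified>"` to each `image` block would pin the exact content that was reviewed.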