diff --git a/modules/kubernetes/actualbudget/factory/main.tf b/modules/kubernetes/actualbudget/factory/main.tf index 2ce68ea3..99c33c62 100644 --- a/modules/kubernetes/actualbudget/factory/main.tf +++ b/modules/kubernetes/actualbudget/factory/main.tf @@ -25,7 +25,8 @@ resource "kubernetes_deployment" "actualbudget" { template { metadata { annotations = { - "diun.enable" = "true" + "diun.enable" = "true" + "diun.include_tags" = "^${var.tag}$" } labels = { app = "actualbudget-${var.name}" diff --git a/modules/kubernetes/audiobookshelf/main.tf b/modules/kubernetes/audiobookshelf/main.tf index 4cbf0417..54f9eeac 100644 --- a/modules/kubernetes/audiobookshelf/main.tf +++ b/modules/kubernetes/audiobookshelf/main.tf @@ -38,9 +38,6 @@ resource "kubernetes_deployment" "audiobookshelf" { } template { metadata { - annotations = { - "diun.enable" = "true" - } labels = { app = "audiobookshelf" } diff --git a/modules/kubernetes/authentik/values.yaml b/modules/kubernetes/authentik/values.yaml index 14ca606d..95147651 100644 --- a/modules/kubernetes/authentik/values.yaml +++ b/modules/kubernetes/authentik/values.yaml @@ -16,3 +16,8 @@ server: enabled: false # hosts: # - authentik.viktorbarzin.me + podAnnotations: + diun.enable: true + diun.include_tags: "^202[0-9].[0-9]+.*$" # no need to annotate the worker as it uses the same image +global: + addPrometheusAnnotations: true diff --git a/modules/kubernetes/calibre/main.tf b/modules/kubernetes/calibre/main.tf index 998b1df7..2beb5bfc 100644 --- a/modules/kubernetes/calibre/main.tf +++ b/modules/kubernetes/calibre/main.tf @@ -45,7 +45,8 @@ resource "kubernetes_deployment" "calibre" { template { metadata { annotations = { - "diun.enable" = "true" + "diun.enable" = "true" + "diun.include_tags" = "^\\d+(?:\\.\\d+)?(?:\\.\\d+)?$" } labels = { app = "calibre" diff --git a/modules/kubernetes/cyberchef/main.tf b/modules/kubernetes/cyberchef/main.tf index c1997937..4403011f 100644 --- a/modules/kubernetes/cyberchef/main.tf +++ b/modules/kubernetes/cyberchef/main.tf @@ -34,16 +34,13 @@ resource "kubernetes_deployment" "cyberchef" { } template { metadata { - annotations = { - "diun.enable" = "true" - } labels = { app = "cyberchef" } } spec { container { - image = "mpepping/cyberchef" + image = "mpepping/cyberchef:latest" name = "cyberchef" port { diff --git a/modules/kubernetes/dashy/main.tf b/modules/kubernetes/dashy/main.tf index 26389fe0..4fc282ad 100644 --- a/modules/kubernetes/dashy/main.tf +++ b/modules/kubernetes/dashy/main.tf @@ -52,7 +52,7 @@ resource "kubernetes_deployment" "dashy" { template { metadata { annotations = { - "diun.enable" = "true" + # "diun.enable" = "true" } labels = { app = "dashy" diff --git a/modules/kubernetes/dbaas/main.tf b/modules/kubernetes/dbaas/main.tf index 6697039a..047827ad 100644 --- a/modules/kubernetes/dbaas/main.tf +++ b/modules/kubernetes/dbaas/main.tf @@ -114,10 +114,14 @@ resource "kubernetes_deployment" "mysql" { labels = { app = "mysql" } + annotations = { + "diun.enable" = "true" + "diun.include_tags" = "^\\d+(?:\\.\\d+)?(?:\\.\\d+)?$" + } } spec { container { - image = "mysql" + image = "mysql:9.1.0" name = "mysql" env { name = "MYSQL_ROOT_PASSWORD" @@ -720,11 +724,16 @@ resource "kubernetes_deployment" "postgres" { labels = { app = "postgresql" } + annotations = { + "diun.enable" = "true" + "diun.include_tags" = "^\\d+(?:\\.\\d+)?-bullseye$" + } } spec { container { image = "postgres:16.4-bullseye" - name = "postgresql" + # image = "postgres:17.2-bullseye" # needs pg_upgrade to data dir + name = "postgresql" env { name = "POSTGRES_PASSWORD" value = var.postgresql_root_password diff --git a/modules/kubernetes/diun/main.tf b/modules/kubernetes/diun/main.tf index 04b690b4..7b7ef9d3 100644 --- a/modules/kubernetes/diun/main.tf +++ b/modules/kubernetes/diun/main.tf @@ -102,16 +102,38 @@ resource "kubernetes_deployment" "diun" { name = "DIUN_PROVIDERS_KUBERNETES" value = "true" } + # env { + # name = "DIUN_DEFAULTS_EXCLUDETAGS" + # value = "^.*nightly.*$" + # } + # env { + # name = "DIUN_DEFAULTS_INCLUDETAGS" + # value = "^\\d+\\.\\d+\\.\\d+$" + # } + env { + name = "DIUN_DEFAULTS_WATCHREPO" + value = "true" + # value = "false" + } + env { + name = "DIUN_DEFAULTS_MAXTAGS" + value = "3" + } + env { + name = "DIUN_DEFAULTS_SORTTAGS" + value = "reverse" + } + # DIUN_PROVIDERS_KUBERNETES_WATCHBYDEFAULT = "true" ?? // ntfy settings # env { // disabled as if this fails, no other notifications are sent # name = "DIUN_NOTIF_NTFY_ENDPOINT" # value = "https://ntfy.viktorbarzin.me" # } - env { - name = "DIUN_NOTIF_NTFY_TOPIC" - value = "diun-updates" - } + # env { + # name = "DIUN_NOTIF_NTFY_TOPIC" + # value = "diun-updates" + # } # env { # name = "DIUN_NOTIF_NTFY_TOKEN" # value = var.diun_nfty_token @@ -121,17 +143,29 @@ resource "kubernetes_deployment" "diun" { value = var.diun_slack_url } env { - name = "LOG_LEVEL" - value = "info" - } - env { - name = "DIUN_WATCH_FIRSTCHECKNOTIF" - value = "true" + name = "LOG_LEVEL" + # value = "info" + value = "debug" } # env { + # name = "DIUN_WATCH_FIRSTCHECKNOTIF" + # value = "true" # send notfication on start; subsequent checks check for newer versions and is what you need + # } + # env { # name = "DIUN_NOTIF_NTFY_TIMEOUT" # value = "10s" # } + volume_mount { + name = "data" + mount_path = "/data" + } + } + volume { + name = "data" + nfs { + path = "/mnt/main/diun" + server = "10.0.10.15" + } } } } diff --git a/modules/kubernetes/excalidraw/main.tf b/modules/kubernetes/excalidraw/main.tf index e80dc8c5..c48f2373 100644 --- a/modules/kubernetes/excalidraw/main.tf +++ b/modules/kubernetes/excalidraw/main.tf @@ -36,6 +36,10 @@ resource "kubernetes_deployment" "excalidraw" { labels = { app = "excalidraw" } + annotations = { + "diun.enable" = "true" + "diun.include_tags" = "^latest$" + } } spec { container { diff --git a/modules/kubernetes/headscale/config.yaml b/modules/kubernetes/headscale/config.yaml deleted file mode 100644 index 9f15d229..00000000 --- a/modules/kubernetes/headscale/config.yaml +++ /dev/null @@ -1,330 +0,0 @@ ---- -# headscale will look for a configuration file named `config.yaml` (or `config.json`) in the following order: -# -# - `/etc/headscale` -# - `~/.headscale` -# - current working directory - -# The url clients will connect to. -# Typically this will be a domain like: -# -# https://myheadscale.example.com:443 -# -server_url: http://10.0.10.104:8080 - -# Address to listen to / bind to on the server -# -# For production: -listen_addr: 0.0.0.0:8080 -# listen_addr: 127.0.0.1:8080 - -# Address to listen to /metrics, you may want -# to keep this endpoint private to your internal -# network -# -# metrics_listen_addr: 127.0.0.1:9090 -metrics_listen_addr: 0.0.0.0:9090 - -# Address to listen for gRPC. -# gRPC is used for controlling a headscale server -# remotely with the CLI -# Note: Remote access _only_ works if you have -# valid certificates. -# -# For production: -grpc_listen_addr: 0.0.0.0:50443 -# grpc_listen_addr: 127.0.0.1:50443 - -# Allow the gRPC admin interface to run in INSECURE -# mode. This is not recommended as the traffic will -# be unencrypted. Only enable if you know what you -# are doing. -grpc_allow_insecure: false - -# Private key used to encrypt the traffic between headscale -# and Tailscale clients. -# The private key file will be autogenerated if it's missing. -# -# private_key_path: /var/lib/headscale/private.key -private_key_path: /etc/headscale/private.key - -# The Noise section includes specific configuration for the -# TS2021 Noise protocol -noise: - # The Noise private key is used to encrypt the - # traffic between headscale and Tailscale clients when - # using the new Noise-based protocol. It must be different - # from the legacy private key. - # private_key_path: /var/lib/headscale/noise_private.key - private_key_path: /etc/headscale/noise_private.key - -# List of IP prefixes to allocate tailaddresses from. -# Each prefix consists of either an IPv4 or IPv6 address, -# and the associated prefix length, delimited by a slash. -# It must be within IP ranges supported by the Tailscale -# client - i.e., subnets of 100.64.0.0/10 and fd7a:115c:a1e0::/48. -# See below: -# IPv6: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#LL81C52-L81C71 -# IPv4: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#L33 -# Any other range is NOT supported, and it will cause unexpected issues. -ip_prefixes: - - fd7a:115c:a1e0::/48 - - 100.64.0.0/10 - -# DERP is a relay system that Tailscale uses when a direct -# connection cannot be established. -# https://tailscale.com/blog/how-tailscale-works/#encrypted-tcp-relays-derp -# -# headscale needs a list of DERP servers that can be presented -# to the clients. -derp: - server: - # If enabled, runs the embedded DERP server and merges it into the rest of the DERP config - # The Headscale server_url defined above MUST be using https, DERP requires TLS to be in place - enabled: false - - # Region ID to use for the embedded DERP server. - # The local DERP prevails if the region ID collides with other region ID coming from - # the regular DERP config. - region_id: 999 - - # Region code and name are displayed in the Tailscale UI to identify a DERP region - region_code: "headscale" - region_name: "Headscale Embedded DERP" - - # Listens over UDP at the configured address for STUN connections - to help with NAT traversal. - # When the embedded DERP server is enabled stun_listen_addr MUST be defined. - # - # For more details on how this works, check this great article: https://tailscale.com/blog/how-tailscale-works/ - stun_listen_addr: "0.0.0.0:3478" - - # List of externally available DERP maps encoded in JSON - urls: - - https://controlplane.tailscale.com/derpmap/default - - # Locally available DERP map files encoded in YAML - # - # This option is mostly interesting for people hosting - # their own DERP servers: - # https://tailscale.com/kb/1118/custom-derp-servers/ - # - # paths: - # - /etc/headscale/derp-example.yaml - paths: [] - - # If enabled, a worker will be set up to periodically - # refresh the given sources and update the derpmap - # will be set up. - auto_update_enabled: true - - # How often should we check for DERP updates? - update_frequency: 24h - -# Disables the automatic check for headscale updates on startup -disable_check_updates: false - -# Time before an inactive ephemeral node is deleted? -ephemeral_node_inactivity_timeout: 30m - -# Period to check for node updates within the tailnet. A value too low will severely affect -# CPU consumption of Headscale. A value too high (over 60s) will cause problems -# for the nodes, as they won't get updates or keep alive messages frequently enough. -# In case of doubts, do not touch the default 10s. -node_update_check_interval: 10s - -# SQLite config -db_type: sqlite3 - -# For production: -db_path: /etc/headscale/db.sqlite - -# # Postgres config -# If using a Unix socket to connect to Postgres, set the socket path in the 'host' field and leave 'port' blank. -# db_type: postgres -# db_host: localhost -# db_port: 5432 -# db_name: headscale -# db_user: foo -# db_pass: bar - -# If other 'sslmode' is required instead of 'require(true)' and 'disabled(false)', set the 'sslmode' you need -# in the 'db_ssl' field. Refers to https://www.postgresql.org/docs/current/libpq-ssl.html Table 34.1. -# db_ssl: false - -### TLS configuration -# -## Let's encrypt / ACME -# -# headscale supports automatically requesting and setting up -# TLS for a domain with Let's Encrypt. -# -# URL to ACME directory -acme_url: https://acme-v02.api.letsencrypt.org/directory - -# Email to register with ACME provider -acme_email: "" - -# Domain name to request a TLS certificate for: -tls_letsencrypt_hostname: "" - -# Path to store certificates and metadata needed by -# letsencrypt -# For production: -tls_letsencrypt_cache_dir: /var/lib/headscale/cache - -# Type of ACME challenge to use, currently supported types: -# HTTP-01 or TLS-ALPN-01 -# See [docs/tls.md](docs/tls.md) for more information -tls_letsencrypt_challenge_type: HTTP-01 -# When HTTP-01 challenge is chosen, letsencrypt must set up a -# verification endpoint, and it will be listening on: -# :http = port 80 -tls_letsencrypt_listen: ":http" - -## Use already defined certificates: -tls_cert_path: "" -tls_key_path: "" - -log: - # Output formatting for logs: text or json - format: text - level: info - -# Path to a file containg ACL policies. -# ACLs can be defined as YAML or HUJSON. -# https://tailscale.com/kb/1018/acls/ -acl_policy_path: "" - -## DNS -# -# headscale supports Tailscale's DNS configuration and MagicDNS. -# Please have a look to their KB to better understand the concepts: -# -# - https://tailscale.com/kb/1054/dns/ -# - https://tailscale.com/kb/1081/magicdns/ -# - https://tailscale.com/blog/2021-09-private-dns-with-magicdns/ -# -dns_config: - # Whether to prefer using Headscale provided DNS or use local. - override_local_dns: true - - # List of DNS servers to expose to clients. - nameservers: - - "10.0.20.101" - - "1.1.1.1" - - # NextDNS (see https://tailscale.com/kb/1218/nextdns/). - # "abc123" is example NextDNS ID, replace with yours. - # - # With metadata sharing: - # nameservers: - # - https://dns.nextdns.io/abc123 - # - # Without metadata sharing: - # nameservers: - # - 2a07:a8c0::ab:c123 - # - 2a07:a8c1::ab:c123 - - # Split DNS (see https://tailscale.com/kb/1054/dns/), - # list of search domains and the DNS to query for each one. - # - # restricted_nameservers: - # foo.bar.com: - # - 1.1.1.1 - # darp.headscale.net: - # - 1.1.1.1 - # - 8.8.8.8 - - # Search domains to inject. - domains: ["viktorbarzin.lan"] - - # Extra DNS records - # so far only A-records are supported (on the tailscale side) - # See https://github.com/juanfont/headscale/blob/main/docs/dns-records.md#Limitations - # extra_records: - # - name: "grafana.myvpn.example.com" - # type: "A" - # value: "100.64.0.3" - # - # # you can also put it in one line - # - { name: "prometheus.myvpn.example.com", type: "A", value: "100.64.0.3" } - - # Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/). - # Only works if there is at least a nameserver defined. - magic_dns: true - - # Defines the base domain to create the hostnames for MagicDNS. - # `base_domain` must be a FQDNs, without the trailing dot. - # The FQDN of the hosts will be - # `hostname.user.base_domain` (e.g., _myhost.myuser.example.com_). - base_domain: viktorbarzin.lan - -# Unix socket used for the CLI to connect without authentication -# Note: for production you will want to set this to something like: -unix_socket: /var/run/headscale/headscale.sock -unix_socket_permission: "0770" -# -# headscale supports experimental OpenID connect support, -# it is still being tested and might have some bugs, please -# help us test it. -# OpenID Connect -# oidc: -# only_start_if_oidc_is_available: true -# issuer: "https://your-oidc.issuer.com/path" -# client_id: "your-oidc-client-id" -# client_secret: "your-oidc-client-secret" -# # Alternatively, set `client_secret_path` to read the secret from the file. -# # It resolves environment variables, making integration to systemd's -# # `LoadCredential` straightforward: -# client_secret_path: "${CREDENTIALS_DIRECTORY}/oidc_client_secret" -# # client_secret and client_secret_path are mutually exclusive. -# -# # The amount of time from a node is authenticated with OpenID until it -# # expires and needs to reauthenticate. -# # Setting the value to "0" will mean no expiry. -# expiry: 180d -# -# # Use the expiry from the token received from OpenID when the user logged -# # in, this will typically lead to frequent need to reauthenticate and should -# # only been enabled if you know what you are doing. -# # Note: enabling this will cause `oidc.expiry` to be ignored. -# use_expiry_from_token: false -# -# # Customize the scopes used in the OIDC flow, defaults to "openid", "profile" and "email" and add custom query -# # parameters to the Authorize Endpoint request. Scopes default to "openid", "profile" and "email". -# -# scope: ["openid", "profile", "email", "custom"] -# extra_params: -# domain_hint: example.com -# -# # List allowed principal domains and/or users. If an authenticated user's domain is not in this list, the -# # authentication request will be rejected. -# -# allowed_domains: -# - example.com -# # Note: Groups from keycloak have a leading '/' -# allowed_groups: -# - /headscale -# allowed_users: -# - alice@example.com -# -# # If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed. -# # This will transform `first-name.last-name@example.com` to the user `first-name.last-name` -# # If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following -# user: `first-name.last-name.example.com` -# -# strip_email_domain: true - -# Logtail configuration -# Logtail is Tailscales logging and auditing infrastructure, it allows the control panel -# to instruct tailscale nodes to log their activity to a remote server. -logtail: - # Enable logtail for this headscales clients. - # As there is currently no support for overriding the log server in headscale, this is - # disabled by default. Enabling this will make your clients send logs to Tailscale Inc. - enabled: false - -# Enabling this option makes devices prefer a random port for WireGuard traffic over the -# default static port 41641. This option is intended as a workaround for some buggy -# firewall devices. See https://tailscale.com/kb/1181/firewalls/ for more information. -randomize_client_port: false diff --git a/modules/kubernetes/headscale/main.tf b/modules/kubernetes/headscale/main.tf index 365ba44d..53d54ad1 100644 --- a/modules/kubernetes/headscale/main.tf +++ b/modules/kubernetes/headscale/main.tf @@ -44,10 +44,14 @@ resource "kubernetes_deployment" "headscale" { labels = { app = "headscale" } + annotations = { + "diun.enable" = "true" + "diun.include_tags" = "^\\d+(?:\\.\\d+)?(?:\\.\\d+)?$" + } } spec { container { - image = "headscale/headscale:0.22" + image = "headscale/headscale:0.23.0" name = "headscale" command = ["headscale", "serve"] port { diff --git a/modules/kubernetes/linkwarden/main.tf b/modules/kubernetes/linkwarden/main.tf index 97722a6d..8bda9174 100644 --- a/modules/kubernetes/linkwarden/main.tf +++ b/modules/kubernetes/linkwarden/main.tf @@ -44,6 +44,10 @@ resource "kubernetes_deployment" "linkwarden" { labels = { app = "linkwarden" } + annotations = { + "diun.enable" = "true" + "diun.include_tags" = "latest" + } } spec { container { diff --git a/modules/kubernetes/mailserver/main.tf b/modules/kubernetes/mailserver/main.tf index 17952db6..ea8e4420 100644 --- a/modules/kubernetes/mailserver/main.tf +++ b/modules/kubernetes/mailserver/main.tf @@ -149,7 +149,7 @@ resource "kubernetes_deployment" "mailserver" { template { metadata { annotations = { - "diun.enable" = "true" + # "diun.enable" = "true" } labels = { "app" = "mailserver" diff --git a/modules/kubernetes/meshcentral/main.tf b/modules/kubernetes/meshcentral/main.tf index b0be8eda..afe77ea7 100644 --- a/modules/kubernetes/meshcentral/main.tf +++ b/modules/kubernetes/meshcentral/main.tf @@ -42,6 +42,10 @@ resource "kubernetes_deployment" "meshcentral" { labels = { app = "meshcentral" } + annotations = { + "diun.enable" = "true" + "diun.include_tags" = "^\\d+(?:\\.\\d+)?(?:\\.\\d+)?$,latest" + } } spec { diff --git a/modules/kubernetes/nextcloud/chart_values.yaml b/modules/kubernetes/nextcloud/chart_values.yaml index f225cdc1..a2f02b8f 100644 --- a/modules/kubernetes/nextcloud/chart_values.yaml +++ b/modules/kubernetes/nextcloud/chart_values.yaml @@ -45,3 +45,7 @@ startupProbe: timeoutSeconds: 5 failureThreshold: 30 successThreshold: 1 + +podAnnotations: + diun.enable: "true" + diun.include_tags: "^[0-9]+(?:.[0-9]+)?(?:.[0-9]+)?.*" diff --git a/modules/kubernetes/nginx-ingress/main.tf b/modules/kubernetes/nginx-ingress/main.tf index 39637329..57be5bf7 100644 --- a/modules/kubernetes/nginx-ingress/main.tf +++ b/modules/kubernetes/nginx-ingress/main.tf @@ -455,6 +455,10 @@ resource "kubernetes_deployment" "ingress_nginx_controller" { "app.kubernetes.io/version" = "1.8.2" "app" = "ingress-nginx" } + annotations = { + "diun.enable" = "true" + "diun.include_tags" = "^v\\d+(?:\\.\\d+)?(?:\\.\\d+)?.*$" + } } spec { volume { @@ -539,7 +543,8 @@ resource "kubernetes_deployment" "ingress_nginx_controller" { container { name = "controller" image = "registry.k8s.io/ingress-nginx/controller:v1.10.1@sha256:e24f39d3eed6bcc239a56f20098878845f62baa34b9f2be2fd2c38ce9fb0f29e" - args = ["/nginx-ingress-controller", "--election-id=ingress-nginx-leader", "--controller-class=k8s.io/ingress-nginx", "--ingress-class=nginx", "--configmap=$(POD_NAMESPACE)/ingress-nginx-controller", "--validating-webhook=:8443", "--validating-webhook-certificate=/usr/local/certificates/cert", "--validating-webhook-key=/usr/local/certificates/key", "--udp-services-configmap", "ingress-nginx/udp-services"] + # image = "registry.k8s.io/ingress-nginx/controller:v1.12.0" # reverse-proxy sites break for some reason with this version + args = ["/nginx-ingress-controller", "--election-id=ingress-nginx-leader", "--controller-class=k8s.io/ingress-nginx", "--ingress-class=nginx", "--configmap=$(POD_NAMESPACE)/ingress-nginx-controller", "--validating-webhook=:8443", "--validating-webhook-certificate=/usr/local/certificates/cert", "--validating-webhook-key=/usr/local/certificates/key", "--udp-services-configmap", "ingress-nginx/udp-services"] volume_mount { name = "crowdsec" mount_path = "/etc/nginx/lua/plugins/crowdsec" diff --git a/modules/kubernetes/paperless-ngx/main.tf b/modules/kubernetes/paperless-ngx/main.tf index 866a335a..9259460c 100644 --- a/modules/kubernetes/paperless-ngx/main.tf +++ b/modules/kubernetes/paperless-ngx/main.tf @@ -46,10 +46,14 @@ resource "kubernetes_deployment" "paperless-ngx" { labels = { app = "paperless-ngx" } + annotations = { + "diun.enable" = "true" + "diun.include_tags" = "^\\d+(?:\\.\\d+)?(?:\\.\\d+)?$" + } } spec { container { - image = "paperlessngx/paperless-ngx:2.9" + image = "paperlessngx/paperless-ngx:2.13.5" name = "paperless-ngx" env { name = "PAPERLESS_REDIS" diff --git a/modules/kubernetes/technitium/main.tf b/modules/kubernetes/technitium/main.tf index 98b75ba3..82a4ab17 100644 --- a/modules/kubernetes/technitium/main.tf +++ b/modules/kubernetes/technitium/main.tf @@ -39,7 +39,9 @@ resource "kubernetes_deployment" "technitium" { template { metadata { annotations = { - "diun.enable" = "true" + "diun.enable" = "true" + # "diun.include_tags" = "^\\d+(?:\\.\\d+)?(?:\\.\\d+)?$" + "diun.include_tags" = "latest" } labels = { app = "technitium" diff --git a/modules/kubernetes/uptime-kuma/main.tf b/modules/kubernetes/uptime-kuma/main.tf index 4fecfacf..703d17ac 100644 --- a/modules/kubernetes/uptime-kuma/main.tf +++ b/modules/kubernetes/uptime-kuma/main.tf @@ -39,7 +39,8 @@ resource "kubernetes_deployment" "uptime-kuma" { template { metadata { annotations = { - "diun.enable" = "true" + "diun.enable" = "true" + "diun.include_tags" = "latest" } labels = { app = "uptime-kuma" diff --git a/modules/kubernetes/vaultwarden/main.tf b/modules/kubernetes/vaultwarden/main.tf index 21868c7a..570b241e 100644 --- a/modules/kubernetes/vaultwarden/main.tf +++ b/modules/kubernetes/vaultwarden/main.tf @@ -37,15 +37,16 @@ resource "kubernetes_deployment" "vaultwarden" { template { metadata { annotations = { - "diun.enable" = "true" + "diun.enable" = "true" + "diun.include_tags" = "^\\d+(?:\\.\\d+)?(?:\\.\\d+)?$" } labels = { - app = "vaultwarden" + "app" = "vaultwarden" } } spec { container { - image = "vaultwarden/server:1.32.0" + image = "vaultwarden/server:1.32.7" name = "vaultwarden" env { name = "DOMAIN" @@ -57,7 +58,7 @@ resource "kubernetes_deployment" "vaultwarden" { # } env { name = "SMTP_HOST" - value = "smtp.viktorbarzin.me" + value = "mail.viktorbarzin.me" } env { name = "SMTP_FROM" diff --git a/terraform.tfstate b/terraform.tfstate index d3b7d35a..6fce4445 100644 Binary files a/terraform.tfstate and b/terraform.tfstate differ diff --git a/terraform.tfvars b/terraform.tfvars index 07a08587..f05a44f0 100644 Binary files a/terraform.tfvars and b/terraform.tfvars differ