bitwarden: bump to 1.35.3, helm chart 2.0.44

mastodon: bump to v4.5.6, helm chart 6.6.6

cert-manager: bump to 1.19.3, helm chart 1.19.3

inventory/ghp/sample/group_vars/all/versions.yaml

@@ -12,7 +12,7 @@ ceph_csi_rbd_version: 3.8.0
 ceph_csi_cephfs_version: 3.8.0
 
 # Cert-manager
-cert_manager_version: 1.19.2
+cert_manager_version: 1.19.3
 
 # External-DNS
 external_dns_version: 9.1.0
@@ -39,12 +39,12 @@ minio_version: 5.0.13
 adguard_version: 2.3.35
 
 # Bitwarden (aka Vaultwarden)
-bitwarden_version: 2.0.42
+bitwarden_version: 2.0.44
 
 # Gitea
 gitea_ingress_nginx_version: 4.14.1
 gitea_dns_version: 9.1.0
-gitea_version: 12.4.0
+gitea_version: 12.5.0
 
 # Gitea Act Runner
 gitea_act_runner_version: 0.1.14
@@ -53,25 +53,25 @@ gitea_act_runner_version: 0.1.14
 harbor_version: 1.12.4
 
 # Mastodon
-mastodon_version: 6.5.4
+mastodon_version: 6.6.6
 
 # Nextcloud
-nextcloud_version: 5.0.2
+nextcloud_version: 8.7.0
 
 # Email
 dovecot_version: 0.1.8
 postfix_version: 0.1.7
-roundcube_version: 0.4.7
-rspamd_version: 0.6.0
+roundcube_version: 0.4.8
+rspamd_version: 0.6.1
 
 # Pypi server
 pypiserver_version: 2.5.0
 
 # WikiJS
-wikijs_version: 2.4.1
+wikijs_version: 2.4.3
 
 # PeerTube
-peertube_version: 0.5.0
+peertube_version: 0.5.2
 
 # Playmaker android APK repository
 playmaker_version: 0.1.3

roles/external-ingress-nginx/defaults/main.yaml

@@ -6,6 +6,7 @@ external_ingress_nginx_default_values:
       use-proxy-protocol: true
       use-forward-headers: true
       compute-full-forward-for: true
+      annotations-risk-level: Critical
     publishService:
       enabled: true
     scope:
@@ -17,3 +18,4 @@ external_ingress_nginx_default_values:
     ingressClassResource:
       name: "{{ external_ingress_class }}"
       controllerValue: "k8s.io/{{ external_ingress_class }}"
+    allowSnippetAnnotations: true

roles/gitea/defaults/main.yaml

@@ -122,6 +122,8 @@ gitea_publish_ingress_nginx_values:
 gitea_ingress_nginx_chart_ref: "ingress-nginx/ingress-nginx"
 gitea_ingress_nginx_default_values:
   controller:
+    config:
+      annotations-risk-level: Critical
     containerPort:
       ssh: 22
       http: 80
@@ -148,6 +150,7 @@ gitea_ingress_nginx_default_values:
     ingressClassResource:
       name: "{{ gitea_ingress_class }}"
       controllerValue: "k8s.io/{{ gitea_ingress_class }}"
+    allowSnippetAnnotations: true
   tcp: 
     22: "{{ gitea_namespace | default(namespace) }}/{{ namespace }}-gitea-ssh:22"
 

roles/internal-ingress-nginx/defaults/main.yaml

@@ -1,6 +1,8 @@
 internal_ingress_nginx_chart_ref: "ingress-nginx/ingress-nginx"
 internal_ingress_nginx_default_values:
   controller:
+    config:
+      annotations-risk-level: Critical
     publishService:
       enabled: true
     scope:
@@ -11,3 +13,4 @@ internal_ingress_nginx_default_values:
     ingressClassResource:
       name: "{{ internal_ingress_class }}"
       controllerValue: "k8s.io/{{ internal_ingress_class }}"
+    allowSnippetAnnotations: true

roles/knot/tasks/main.yaml

@@ -18,7 +18,7 @@
         - "vars"
   tags: knot_vars
 
-- name: Include knot install for {{ ansible_distribution }}
+- name: Include knot install for {{ ansible_facts['distribution'] }}
   include_tasks: "{{ ansible_facts['os_family'] }}.yaml"
 
 - name: Configure knot

roles/local-ingress-nginx/defaults/main.yaml

@@ -1,6 +1,8 @@
 local_ingress_nginx_chart_ref: "ingress-nginx/ingress-nginx"
 local_ingress_nginx_default_values:
   controller:
+    config:
+      annotations-risk-level: Critical
     publishService:
       enabled: true
     scope:
@@ -11,3 +13,4 @@ local_ingress_nginx_default_values:
     ingressClassResource:
       name: "{{ local_ingress_class }}"
       controllerValue: "k8s.io/{{ local_ingress_class }}"
+    allowSnippetAnnotations: true

roles/nextcloud/defaults/main.yaml

@@ -16,8 +16,8 @@ nextcloud_default_values:
       nginx.ingress.kubernetes.io/server-snippet: |-
         server_tokens off;
         proxy_hide_header X-Powered-By;
-  
-        rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
+        rewrite ^/.well-known/webfinger /index.php/.well-known/webfinger last;
+        rewrite ^/.well-known/nodeinfo /index.php/.well-known/nodeinfo last;
         rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
         rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json;
         location = /.well-known/carddav {
@@ -48,9 +48,7 @@ nextcloud_default_values:
     host: "{{ nextcloud_short_name }}.{{ domain }}"
     username: admin
     password: "{{ nextcloud_admin_pass | default(nextcloud_admin_password) }}"
-    update: 0
-    datadir: /var/www/html/data
-    tableprefix:
+    trustedDomains: ["{{ nextcloud_short_name }}.{{ domain }}"]
     mail:
       enabled: true
       fromAddress: nextcloud
@@ -112,23 +110,14 @@ nextcloud_default_values:
     database: nextcloud
     user: "{{ nextcloud_db_username }}"
     password: "{{ nextcloud_db_password }}"
-
   ## Cronjob to execute Nextcloud background tasks
   ## ref: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/background_jobs_configuration.html#cron-jobs
   ##
   cronjob:
     enabled: true
-    schedule: "*/5 * * * *"
-    annotations: {}
-    # Set curl's insecure option if you use e.g. self-signed certificates
-    curlInsecure: false
-    failedJobsHistoryLimit: 1
-    successfulJobsHistoryLimit: 1
-  service:
-    type: ClusterIP
-    port: 8080
-    loadBalancerIP: nil
-
+  ## Enable persistence using Persistent Volume Claims
+  ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
+  ##
   persistence:
     # Nextcloud Data (/var/www/html)
     enabled: true

roles/peertube/defaults/main.yaml

@@ -5,9 +5,6 @@ peertube_use_external_db: true
 peertube_short_name: "peertube"
 peertube_default_values:
   replicaCount: 1
-  imagePullSecrets: []
-  nameOverride: ""
-  fullnameOverride: ""
   configAsCode:
     enabled: true
     config:
@@ -21,33 +18,6 @@ peertube_default_values:
         port: 443
       secrets:
         peertube: '{{ peertube_secret }}'
-      rates_limit:
-        api:
-          # 50 attempts in 10 seconds
-          window: 10 seconds
-          max: 50
-        login:
-          # 15 attempts in 5 min
-          window: 5 minutes
-          max: 15
-        signup:
-          # 2 attempts in 5 min (only succeeded attempts are taken into account)
-          window: 5 minutes
-          max: 2
-        ask_send_email:
-          # 3 attempts in 5 min
-          window: 5 minutes
-          max: 3
-      # Proxies to trust to get real client IP
-      # If you run PeerTube just behind a local proxy (nginx), keep 'loopback'
-      # If you run PeerTube behind a remote proxy, add the proxy IP address (or subnet)
-      trust_proxy:
-        - 'loopback'
-        - 'linklocal'
-        - 'uniquelocal'
-        - '10.0.0.0/8'
-        - '172.16.0.0/12'
-        - '192.168.0.0/16'
       # Your database name will be database.name OR "peertube"+database.suffix
       database:
         hostname: '{{ namespace }}-postgres.{{ postgres_db_namespace | default(namespace) }}.svc.cluster.local'
@@ -89,11 +59,6 @@ peertube_default_values:
       # Instance settings
       instance:
         name: 'GHP PeerTube'
-        default_client_route: '/videos/recently-added'
-      federation:
-        videos:
-          federate_unlisted: false
-          cleanup_remote_interactions: true
 
   env:
     - name: PT_INITIAL_ROOT_PASSWORD
@@ -125,4 +90,3 @@ peertube_default_values:
     enabled: true
   postgresql:
     enabled: false
-