diff --git a/.github/workflows/build-toolkit-docker-image.yaml b/.github/workflows/build-toolkit-docker-image.yaml index 3a48f903..7e53c73b 100644 --- a/.github/workflows/build-toolkit-docker-image.yaml +++ b/.github/workflows/build-toolkit-docker-image.yaml @@ -19,20 +19,20 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # v2 - name: Log in to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push Docker image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6 with: context: toolkit/ push: true @@ -41,7 +41,7 @@ jobs: ghcr.io/${{ github.repository }}:toolkit-${{ github.sha }} - name: Build and push Docker image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6 with: context: immich/ push: true diff --git a/backup/Dockerfile b/backup/Dockerfile index 7eb7026f..46900eb5 100644 --- a/backup/Dockerfile +++ b/backup/Dockerfile @@ -1,4 +1,4 @@ -FROM debian:trixie-slim +FROM debian:trixie-slim@sha256:77ba0164de17b88dd0bf6cdc8f65569e6e5fa6cd256562998b62553134a00ef0 RUN apt-get update && \ apt-get install -y wget ca-certificates tar just restic ansible unzip && \ diff --git a/docker/caddy/docker-compose.yaml b/docker/caddy/docker-compose.yaml index 37aa6fbd..f1453d8e 100644 --- a/docker/caddy/docker-compose.yaml +++ b/docker/caddy/docker-compose.yaml 
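Review bot: The trailing comments on the pinned `uses:` lines in `build-toolkit-docker-image.yaml` name only a major tag (`# v4`, `# v2`, `# v3`, `# v6`), so a reader cannot tell which release each commit SHA corresponds to or check it against the upstream changelog. Recording the exact release, e.g. `uses: actions/checkout@<sha> # vX.Y.Z` (placeholder version), keeps the pin auditable and lets update tooling rewrite the SHA and comment together. Before merging, confirm that each SHA is a commit in the action's own repository history and belongs to the release the comment claims. The pin also freezes `docker/setup-buildx-action` on its v2 line while the neighbouring docker actions are on v3 and v6. The second hunk (`@@ -41,7`) repeats the `build-push-action` pin, and the same comment applies there.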
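Review bot: In `backup/Dockerfile` the digest on `FROM debian:trixie-slim@sha256:…` fixes only the base layer; the `apt-get update && apt-get install -y …` that follows still resolves package versions at build time, so the build is not reproducible. The digest also stops the base from picking up Debian security rebuilds until it is bumped, so the pin needs a scheduled digest update; whether one is configured is not visible in this diff. A comment above the `FROM`, such as `# base pinned by digest; bump via dependency automation, packages below are not pinned`, would record both facts. The same applies to `immich/Dockerfile` and `toolkit/Dockerfile`; the `RUN` instructions continue outside the hunks.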
@@ -1,6 +1,6 @@ services: caddy: - image: ghcr.io/caddybuilds/caddy-cloudflare:latest + image: ghcr.io/caddybuilds/caddy-cloudflare:latest@sha256:4a3d4afed443f026040cad84b48ef2eef6cc6eb5a80a3ecab66a03df469a46f8 container_name: caddy restart: unless-stopped ports: diff --git a/docker/immich/docker-compose.yaml b/docker/immich/docker-compose.yaml index 41f9e8db..86d79b44 100644 --- a/docker/immich/docker-compose.yaml +++ b/docker/immich/docker-compose.yaml @@ -14,7 +14,7 @@ services: UMASK_SET: "002" healthcheck: disable: false - image: ghcr.io/immich-app/immich-machine-learning:v1.138.0 + image: ghcr.io/immich-app/immich-machine-learning:v1.138.0@sha256:25fca00128f10444303c93829516927bd14804ccbe9b7450eb41c64c722c5ac4 platform: linux/amd64 privileged: false restart: unless-stopped @@ -30,7 +30,7 @@ services: nocopy: false database: - image: ghcr.io/immich-app/postgres:14-vectorchord0.3.0-pgvectors0.2.0 + image: ghcr.io/immich-app/postgres:14-vectorchord0.3.0-pgvectors0.2.0@sha256:c570d9e1c2494f65d2a0a379a7f6df66e8441964254a30aa62cc58e8ebf1dee0 environment: NVIDIA_VISIBLE_DEVICES: void POSTGRES_DB: ${POSTGRES_DB} @@ -52,7 +52,7 @@ services: type: bind pgvecto: - image: tensorchord/pgvecto-rs:pg15-v0.2.0 + image: tensorchord/pgvecto-rs:pg15-v0.2.0@sha256:104a26ad4d0446c54a46d3a694c6193ef018c5ad4f9d9faf7765ab09cb9ffe06 cap_drop: - ALL environment: @@ -161,7 +161,7 @@ services: UMASK_SET: "002" healthcheck: disable: false - image: ghcr.io/immich-app/immich-server:v1.138.0 + image: ghcr.io/immich-app/immich-server:v1.138.0@sha256:12cee930e2cc211a95acae12ad780c0b2eecaea0479a06e255c73a4deb0b3efb #platform: linux/amd64 #ports: # - mode: ingress @@ -227,7 +227,7 @@ services: - "traefik.http.services.immich-dashboard.loadbalancer.server.port=30041" traefik: - image: traefik:v3.5.0 + image: traefik:v3.5.0@sha256:4e7175cfe19be83c6b928cae49dde2f2788fb307189a4dc9550b67acf30c11a5 container_name: traefik restart: unless-stopped #read_only: true 
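Review bot: The `latest` tag kept in `ghcr.io/caddybuilds/caddy-cloudflare:latest@sha256:…` in `docker/caddy/docker-compose.yaml` no longer selects anything, because a reference carrying both a tag and a digest is pulled by digest and the tag is only a label. The line reads as "tracks latest" while being frozen to whatever `latest` pointed at when the digest was recorded, with no indication of which release that is. Replacing `latest` with the release tag the digest belongs to, or adding a comment such as `# was latest on <date>; digest is authoritative`, would keep the pin reviewable. The same pattern appears on the kestra, portainer, linkding, mafl (k8s), opengist, papra, subscription-manager, medusa and aws-cli references. For kestra, the neighbouring `pull_policy: always` no longer brings in new images once the digest is fixed.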
diff --git a/docker/kestra/docker-compose.yml b/docker/kestra/docker-compose.yml index c689ab81..414c3b16 100644 --- a/docker/kestra/docker-compose.yml +++ b/docker/kestra/docker-compose.yml @@ -8,7 +8,7 @@ volumes: services: postgres: - image: postgres + image: postgres@sha256:5773fe724c49c42a7a9ca70202e11e1dff21fb7235b335a73f39297d200b73a2 volumes: - postgres-data:/var/lib/postgresql/data environment: @@ -22,7 +22,7 @@ services: retries: 10 kestra: - image: kestra/kestra:latest + image: kestra/kestra:latest@sha256:72b4be36ddad30a840fe96b8d604fd3445f87c157fa7eccf679532c079f8972f pull_policy: always # Note that this setup with a root user is intended for development purpose. # Our base image runs without root, but the Docker Compose implementation needs root to access the Docker socket diff --git a/docker/mafl/docker-compose.yaml b/docker/mafl/docker-compose.yaml index ffb516f4..8f128f14 100644 --- a/docker/mafl/docker-compose.yaml +++ b/docker/mafl/docker-compose.yaml @@ -1,6 +1,6 @@ services: mafl: - image: hywax/mafl + image: hywax/mafl@sha256:2c89020be334b341da41a6b95830b1b52b1b9f43c9f16d09c0ab4e9dad3ea4ad container_name: mafl restart: unless-stopped volumes: diff --git a/docker/minio/docker-compose.yaml b/docker/minio/docker-compose.yaml index 9240a4eb..e8b3b1e1 100644 --- a/docker/minio/docker-compose.yaml +++ b/docker/minio/docker-compose.yaml @@ -1,6 +1,6 @@ services: minio: - image: quay.io/minio/minio:RELEASE.2025-03-12T18-04-18Z + image: quay.io/minio/minio:RELEASE.2025-03-12T18-04-18Z@sha256:46b3009bf7041eefbd90bd0d2b38c6ddc24d20a35d609551a1802c558c1c958f command: server /data --console-address ":9002" restart: unless-stopped ports: diff --git a/docker/pocket-id/docker-compose.yaml b/docker/pocket-id/docker-compose.yaml index ebe9b86c..e3a119b2 100644 --- a/docker/pocket-id/docker-compose.yaml +++ b/docker/pocket-id/docker-compose.yaml 
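Review bot: `image: postgres@sha256:…` in `docker/kestra/docker-compose.yml` pins a digest with no tag, so nothing in the file says which PostgreSQL major version runs against the `postgres-data` volume. A later digest bump could cross a major version and leave the server unable to start on the existing data directory, and a reviewer of that bump would have no tag to compare. Writing the major alongside the digest, `image: postgres:<major>@sha256:<digest>` (placeholders), makes the intent explicit and constrains automated updates. The untagged pins on `hywax/mafl`, `ghcr.io/pocket-id/pocket-id`, `curlimages/curl` and the `teardown` container's `alpine` have the same gap; in `export-and-backup-cronjob.yaml` this leaves two different Alpine digests (`alpine:3.21@…` and `alpine@…`) in one CronJob.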
@@ -1,6 +1,6 @@ services: pocket-id: - image: ghcr.io/pocket-id/pocket-id + image: ghcr.io/pocket-id/pocket-id@sha256:84d20a801692b9635f481522df2672a7aae522726c30953dae52e17fc2696b27 container_name: pocket-id restart: unless-stopped environment: diff --git a/docker/portainer/docker-compose.yaml b/docker/portainer/docker-compose.yaml index e9257781..01415c1a 100644 --- a/docker/portainer/docker-compose.yaml +++ b/docker/portainer/docker-compose.yaml @@ -1,6 +1,6 @@ services: portainer: - image: portainer/portainer-ce:latest + image: portainer/portainer-ce:latest@sha256:4786931dc7c588ff1c242696fe1eb3f7f9c5dafb136b6c713aff7745dd5bd407 container_name: portainer restart: unless-stopped ports: diff --git a/docker/semaphore/docker-compose.yaml b/docker/semaphore/docker-compose.yaml index 670820b9..bcc2e7da 100644 --- a/docker/semaphore/docker-compose.yaml +++ b/docker/semaphore/docker-compose.yaml @@ -1,6 +1,6 @@ services: semaphore: - image: semaphoreui/semaphore:v2.13.1 + image: semaphoreui/semaphore:v2.13.1@sha256:db69c024e924bd2ac158b1e5e3534d1d7b60dc22ea232b050ec7eee28af34471 container_name: semaphore environment: TZ: Europe/Berlin diff --git a/docker/upsnap/docker-compose.yaml b/docker/upsnap/docker-compose.yaml index 2696c247..7169d372 100644 --- a/docker/upsnap/docker-compose.yaml +++ b/docker/upsnap/docker-compose.yaml @@ -1,7 +1,7 @@ services: upsnap: container_name: upsnap - image: ghcr.io/seriousm4x/upsnap:5 + image: ghcr.io/seriousm4x/upsnap:5@sha256:36532b5b14ede1fff71fe4d4203454f701ea0fa932ddf8132acdc4fbbfb580d1 network_mode: host restart: unless-stopped volumes: diff --git a/immich/Dockerfile b/immich/Dockerfile index b55112cd..2acc8060 100644 --- a/immich/Dockerfile +++ b/immich/Dockerfile @@ -1,4 +1,4 @@ -FROM debian:trixie-slim +FROM debian:trixie-slim@sha256:77ba0164de17b88dd0bf6cdc8f65569e6e5fa6cd256562998b62553134a00ef0 RUN apt-get update && \ apt-get install -y \ 
diff --git a/k8s/linkding/base/deployment.yaml b/k8s/linkding/base/deployment.yaml index 70f1798d..c59b86e0 100644 --- a/k8s/linkding/base/deployment.yaml +++ b/k8s/linkding/base/deployment.yaml @@ -17,7 +17,7 @@ spec: spec: containers: - name: linkding - image: sissbruecker/linkding:latest + image: sissbruecker/linkding:latest@sha256:61b2eb9eed8e5772a473fb7f1f8923e046cb8cbbeb50e88150afd5ff287d4060 imagePullPolicy: IfNotPresent ports: - containerPort: 9090 diff --git a/k8s/lldap/base/deployment.yaml b/k8s/lldap/base/deployment.yaml index 16694f9f..39ecaca7 100644 --- a/k8s/lldap/base/deployment.yaml +++ b/k8s/lldap/base/deployment.yaml @@ -17,7 +17,7 @@ spec: spec: containers: - name: lldap - image: lldap/lldap:stable-alpine + image: lldap/lldap:stable-alpine@sha256:9e605a66c02514bfcffd1b67cafb1e98d50992216bb2871d7ae44622047dd09d imagePullPolicy: IfNotPresent ports: - name: http diff --git a/k8s/lldap/overlays/production/kustomization.yaml b/k8s/lldap/overlays/production/kustomization.yaml index a69bdb72..3264f4da 100644 --- a/k8s/lldap/overlays/production/kustomization.yaml +++ b/k8s/lldap/overlays/production/kustomization.yaml @@ -12,4 +12,4 @@ namespace: lldap images: - name: lldap/lldap:latest - newTag: stable + newTag: stable@sha256:9e605a66c02514bfcffd1b67cafb1e98d50992216bb2871d7ae44622047dd09d diff --git a/k8s/mafl/base/deployment.yaml b/k8s/mafl/base/deployment.yaml index c8fc12e8..7f027b0b 100644 --- a/k8s/mafl/base/deployment.yaml +++ b/k8s/mafl/base/deployment.yaml @@ -22,7 +22,7 @@ spec: spec: containers: - name: mafl - image: hywax/mafl:latest + image: hywax/mafl:latest@sha256:2c89020be334b341da41a6b95830b1b52b1b9f43c9f16d09c0ab4e9dad3ea4ad imagePullPolicy: IfNotPresent ports: - containerPort: 3000 diff --git a/k8s/opengist/base/deployment.yaml b/k8s/opengist/base/deployment.yaml index de00a47d..7d819ee9 100644 --- a/k8s/opengist/base/deployment.yaml +++ b/k8s/opengist/base/deployment.yaml 
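Review bot: `newTag: stable@sha256:…` in `k8s/lldap/overlays/production/kustomization.yaml` packs the digest into the tag field, although a kustomize `images` entry has a separate `digest` field; the rendered reference then depends on the string being concatenated verbatim. Splitting it into `newTag: stable` and `digest: sha256:9e605a66c02514bfcffd1b67cafb1e98d50992216bb2871d7ae44622047dd09d` is clearer, but tag and digest may combine differently across kustomize versions, so render the overlay with `kustomize build` and check the resulting `image:` either way. Two more things to confirm in the same entry: `name: lldap/lldap:latest` includes a tag and may not match the base image, which is now `lldap/lldap:stable-alpine@sha256:…`; and the overlay records the same digest for `stable` that the base records for `stable-alpine`. `k8s/papra/overlays/production/kustomization.yaml` uses the same `newTag: latest@sha256:…` form.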
@@ -18,7 +18,7 @@ spec: dnsPolicy: ClusterFirst containers: - name: opengist - image: ghcr.io/thomiceli/opengist:latest + image: ghcr.io/thomiceli/opengist:latest@sha256:86e7eb1f9fb2aa7b5d620fe452406de331c6e4d1c47b4d23d46b4b01e1ebf69d imagePullPolicy: IfNotPresent env: - name: TZ diff --git a/k8s/papra/base/deployment.yaml b/k8s/papra/base/deployment.yaml index eb77edab..375148ff 100644 --- a/k8s/papra/base/deployment.yaml +++ b/k8s/papra/base/deployment.yaml @@ -18,7 +18,7 @@ spec: dnsPolicy: ClusterFirst containers: - name: papra - image: ghcr.io/papra-hq/papra:latest + image: ghcr.io/papra-hq/papra:latest@sha256:9b3ddb66c63caf9d2616a2cb47689d39af4efd4ed19bffdf1943a8a262719c35 imagePullPolicy: IfNotPresent env: - name: TZ diff --git a/k8s/papra/overlays/production/kustomization.yaml b/k8s/papra/overlays/production/kustomization.yaml index 4411c170..6cfcefa7 100644 --- a/k8s/papra/overlays/production/kustomization.yaml +++ b/k8s/papra/overlays/production/kustomization.yaml @@ -10,4 +10,4 @@ resources: # https://github.com/thomiceli/opengist/releases images: - name: ghcr.io/papra-hq/papra - newTag: latest + newTag: latest@sha256:9b3ddb66c63caf9d2616a2cb47689d39af4efd4ed19bffdf1943a8a262719c35 diff --git a/k8s/subscription-manager/base/deployment.yaml b/k8s/subscription-manager/base/deployment.yaml index 081e9b2a..2fa7629f 100644 --- a/k8s/subscription-manager/base/deployment.yaml +++ b/k8s/subscription-manager/base/deployment.yaml @@ -22,7 +22,7 @@ spec: spec: containers: - name: subscription-manager - image: dh1011/subscription-manager:latest + image: dh1011/subscription-manager:latest@sha256:3517b960983162504b304d0c70d849a7093744ce76e4c0a144e8164fdd0b5087 imagePullPolicy: IfNotPresent ports: - containerPort: 3000 diff --git a/k8s/vault/export-and-backup/all-in-one/cronjob-all-in-one.yaml b/k8s/vault/export-and-backup/all-in-one/cronjob-all-in-one.yaml index 7df3dfbe..78455b9b 100644 --- a/k8s/vault/export-and-backup/all-in-one/cronjob-all-in-one.yaml 
+++ b/k8s/vault/export-and-backup/all-in-one/cronjob-all-in-one.yaml @@ -17,7 +17,7 @@ spec: restartPolicy: Never containers: - name: backup-vault-export - image: ghcr.io/tryrocket-cloud/home-ops:toolkit + image: ghcr.io/tryrocket-cloud/home-ops:toolkit@sha256:6ebf6602fa4ecb82be238f8dba70b2ea0c95843bdac9ab55c083debc89e29be2 imagePullPolicy: Always env: - name: RESTIC_CACHE_DIR diff --git a/k8s/vault/export-and-backup/base/cronjob.yaml b/k8s/vault/export-and-backup/base/cronjob.yaml index 293275d4..f18a220b 100644 --- a/k8s/vault/export-and-backup/base/cronjob.yaml +++ b/k8s/vault/export-and-backup/base/cronjob.yaml @@ -15,7 +15,7 @@ spec: restartPolicy: Never initContainers: - name: export-hashicorp-vault - image: ghcr.io/jonasvinther/medusa:latest + image: ghcr.io/jonasvinther/medusa:latest@sha256:bc4696d3328bed5a0712318d643766e36c87d2ae836d14170d010df6abf0447d imagePullPolicy: IfNotPresent command: ["./medusa", "export", "$(VAULT_PATH)", "-o", "/export/vault-export.json"] env: diff --git a/k8s/vault/export-and-backup/overlays/ionos.com/cronjob-patch.yaml b/k8s/vault/export-and-backup/overlays/ionos.com/cronjob-patch.yaml index 9291037c..412419eb 100644 --- a/k8s/vault/export-and-backup/overlays/ionos.com/cronjob-patch.yaml +++ b/k8s/vault/export-and-backup/overlays/ionos.com/cronjob-patch.yaml @@ -11,7 +11,7 @@ spec: spec: containers: - name: ionos-com-objectstorage-eu-central-3-s3-kopia-backup - image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup + image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup@sha256:884d07598aeff3a91ea8f29e8f393c63ac04dedf6e4845582fa94cbb434bcb4c imagePullPolicy: Always env: - name: EXPORT_JSON 
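Review bot: `ghcr.io/tryrocket-cloud/home-ops:toolkit@sha256:…` in `cronjob-all-in-one.yaml` pins what appears to be one of this repository's own images, which the workflow changed in this commit rebuilds and pushes; once the `toolkit` tag moves to a newer build, the pinned digest becomes an untagged package version. If untagged versions are ever pruned from the registry (retention settings are not visible here), `imagePullPolicy: Always` turns that into an image-pull failure and the Vault backup CronJob stops producing backups. Keep pinned digests out of any cleanup, or reference the per-commit `toolkit-<commit sha>` tag plus digest as `export-and-backup-cronjob-3.yaml` already does, and make sure a failed backup job raises an alert. The same applies to every `tryrocket-cloud:backup@sha256:…` and `home-ops:toolkit@sha256:…` reference in the Vault and Vaultwarden CronJobs.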
@@ -60,7 +60,7 @@ spec: mountPath: /export readOnly: true - name: ionos-com-objectstorage-eu-central-3-s3-restic-backup - image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup + image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup@sha256:884d07598aeff3a91ea8f29e8f393c63ac04dedf6e4845582fa94cbb434bcb4c imagePullPolicy: Always env: - name: EXPORT_JSON diff --git a/k8s/vault/export-and-backup/overlays/truenas.tryrocket.cloud/cronjob-patch.yaml b/k8s/vault/export-and-backup/overlays/truenas.tryrocket.cloud/cronjob-patch.yaml index 16f8e598..22c8bf20 100644 --- a/k8s/vault/export-and-backup/overlays/truenas.tryrocket.cloud/cronjob-patch.yaml +++ b/k8s/vault/export-and-backup/overlays/truenas.tryrocket.cloud/cronjob-patch.yaml @@ -11,7 +11,7 @@ spec: spec: containers: - name: truenas-tryrocket-cloud-objectstorage-backup - image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup + image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup@sha256:884d07598aeff3a91ea8f29e8f393c63ac04dedf6e4845582fa94cbb434bcb4c imagePullPolicy: Always env: - name: VAULT_EXPORT_JSON diff --git a/k8s/vault/export-and-backup/vault-export-and-backup-cronjob.yaml b/k8s/vault/export-and-backup/vault-export-and-backup-cronjob.yaml index d48fff07..e65f9008 100644 --- a/k8s/vault/export-and-backup/vault-export-and-backup-cronjob.yaml +++ b/k8s/vault/export-and-backup/vault-export-and-backup-cronjob.yaml @@ -17,7 +17,7 @@ spec: restartPolicy: Never initContainers: - name: export-hashicorp-vault - image: ghcr.io/jonasvinther/medusa:latest + image: ghcr.io/jonasvinther/medusa:latest@sha256:bc4696d3328bed5a0712318d643766e36c87d2ae836d14170d010df6abf0447d imagePullPolicy: IfNotPresent command: ["./medusa", "export", "$(VAULT_PATH)", "-o", "/export/vault-export.json"] env: 
@@ -36,7 +36,7 @@ spec: containers: - name: ionos-com-objectstorage-eu-central-3-s3-kopia-backup - image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup + image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup@sha256:884d07598aeff3a91ea8f29e8f393c63ac04dedf6e4845582fa94cbb434bcb4c imagePullPolicy: Always env: - name: EXPORT_JSON @@ -85,7 +85,7 @@ spec: # - name: backup-cache-volume # mountPath: /cache - name: ionos-com-objectstorage-eu-central-3-s3-restic-backup - image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup + image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup@sha256:884d07598aeff3a91ea8f29e8f393c63ac04dedf6e4845582fa94cbb434bcb4c imagePullPolicy: Always env: - name: EXPORT_JSON diff --git a/k8s/vaultwarden/export-and-backup-2/export-and-backup-cronjob-3.yaml b/k8s/vaultwarden/export-and-backup-2/export-and-backup-cronjob-3.yaml index 00ec2347..6dbb2873 100644 --- a/k8s/vaultwarden/export-and-backup-2/export-and-backup-cronjob-3.yaml +++ b/k8s/vaultwarden/export-and-backup-2/export-and-backup-cronjob-3.yaml @@ -42,7 +42,7 @@ spec: initContainers: - name: vaultwarden-export - image: ghcr.io/tryrocket-cloud/home-ops:toolkit-38dfa08a823162b91b8b4b579a025a471c475a33 + image: ghcr.io/tryrocket-cloud/home-ops:toolkit-38dfa08a823162b91b8b4b579a025a471c475a33@sha256:0bfead9e4ae9f6b86fc8b14f89cc8a396909dbc9a08acc7246cd60892a3ced84 imagePullPolicy: IfNotPresent env: - name: TZ @@ -134,7 +134,7 @@ spec: echo "All jobs finished!" - name: restic-s3-policy - image: ghcr.io/tryrocket-cloud/home-ops:toolkit-ac3e21cade59942ed7c1ef4a8dc595b3a71d815a + image: ghcr.io/tryrocket-cloud/home-ops:toolkit-ac3e21cade59942ed7c1ef4a8dc595b3a71d815a@sha256:2a9ba7ee98f0af4a7fbad3ef11e8acb388024c2e95936c825fae014b9c8da164 imagePullPolicy: IfNotPresent env: - name: TZ 
@@ -177,7 +177,7 @@ spec: containers: - name: restic-ionos-backup - image: ghcr.io/tryrocket-cloud/home-ops:toolkit-ac3e21cade59942ed7c1ef4a8dc595b3a71d815a + image: ghcr.io/tryrocket-cloud/home-ops:toolkit-ac3e21cade59942ed7c1ef4a8dc595b3a71d815a@sha256:2a9ba7ee98f0af4a7fbad3ef11e8acb388024c2e95936c825fae014b9c8da164 imagePullPolicy: IfNotPresent env: - name: TZ @@ -236,7 +236,7 @@ spec: run_restic_backup - name: kopia-ionos-backup - image: ghcr.io/tryrocket-cloud/home-ops:toolkit-ac3e21cade59942ed7c1ef4a8dc595b3a71d815a + image: ghcr.io/tryrocket-cloud/home-ops:toolkit-ac3e21cade59942ed7c1ef4a8dc595b3a71d815a@sha256:2a9ba7ee98f0af4a7fbad3ef11e8acb388024c2e95936c825fae014b9c8da164 imagePullPolicy: IfNotPresent env: - name: TZ @@ -302,7 +302,7 @@ spec: run_kopia_backup - name: deny-all-s3-policy - image: ghcr.io/tryrocket-cloud/home-ops:toolkit-ac3e21cade59942ed7c1ef4a8dc595b3a71d815a + image: ghcr.io/tryrocket-cloud/home-ops:toolkit-ac3e21cade59942ed7c1ef4a8dc595b3a71d815a@sha256:2a9ba7ee98f0af4a7fbad3ef11e8acb388024c2e95936c825fae014b9c8da164 volumeMounts: - name: signals mountPath: /signals diff --git a/k8s/vaultwarden/export-and-backup-2/export-and-backup-cronjob.yaml b/k8s/vaultwarden/export-and-backup-2/export-and-backup-cronjob.yaml index 2fbd1769..df7e2212 100644 --- a/k8s/vaultwarden/export-and-backup-2/export-and-backup-cronjob.yaml +++ b/k8s/vaultwarden/export-and-backup-2/export-and-backup-cronjob.yaml @@ -49,7 +49,7 @@ spec: initContainers: - name: healthcheck-start - image: curlimages/curl + image: curlimages/curl@sha256:d94d07ba9e7d6de898b6d96c1a072f6f8266c687af78a74f380087a0addf5d17 envFrom: - secretRef: name: healthchecksio @@ -60,7 +60,7 @@ spec: curl -fsS -m 10 --retry 5 https://hc-ping.com/$HC_UUID/start - name: get-vaultwarden-version - image: alpine:3.21 + image: alpine:3.21@sha256:5405e8f36ce1878720f71217d664aa3dea32e5e5df11acbf07fc78ef5661465b env: - name: VAULTWARDEN_HOST value: vaultwarden.tryrocket.cloud 
@@ -88,7 +88,7 @@ spec: mountPath: /export - name: export-2967ac9f-f0e5-4881-8be5-9d08371a167a - image: debian:bookworm-slim + image: debian:bookworm-slim@sha256:56ff6d36d4eb3db13a741b342ec466f121480b5edded42e4b7ee850ce7a418ee env: - name: VAULTWARDEN_HOST value: vaultwarden.tryrocket.cloud @@ -139,7 +139,7 @@ spec: mountPath: /export - name: encrypt-with-age - image: alpine:3.21 + image: alpine:3.21@sha256:5405e8f36ce1878720f71217d664aa3dea32e5e5df11acbf07fc78ef5661465b env: - name: VAULTWARDEN_USER_ID value: 2967ac9f-f0e5-4881-8be5-9d08371a167a @@ -178,7 +178,7 @@ spec: mountPath: /export - name: configure-s3-access-allowance - image: public.ecr.aws/aws-cli/aws-cli:latest + image: public.ecr.aws/aws-cli/aws-cli:latest@sha256:e53de7e9d96e346ba46f0b7c6ed6c6f32a477dbf36b2b784045a482fa5f52075 command: ["/bin/sh","-c"] args: - | @@ -208,7 +208,7 @@ spec: readOnly: true - name: restic - image: restic/restic:0.18.0 + image: restic/restic:0.18.0@sha256:4cf4a61ef9786f4de53e9de8c8f5c040f33830eb0a10bf3d614410ee2fcb6120 envFrom: - secretRef: name: restic @@ -244,7 +244,7 @@ spec: mountPath: /export - name: configure-s3-access-block - image: public.ecr.aws/aws-cli/aws-cli:latest + image: public.ecr.aws/aws-cli/aws-cli:latest@sha256:e53de7e9d96e346ba46f0b7c6ed6c6f32a477dbf36b2b784045a482fa5f52075 command: ["/bin/sh","-c"] args: - | @@ -273,7 +273,7 @@ spec: readOnly: true - name: healthcheck-ping - image: curlimages/curl + image: curlimages/curl@sha256:d94d07ba9e7d6de898b6d96c1a072f6f8266c687af78a74f380087a0addf5d17 envFrom: - secretRef: name: healthchecksio @@ -285,5 +285,5 @@ spec: containers: - name: teardown - image: alpine + image: alpine@sha256:865b95f46d98cf867a156fe4a135ad3fe50d2056aa3f25ed31662dff6da4eb62 command: ["sh","-c","echo backup done!"] \ No newline at end of file diff --git a/k8s/vaultwarden/export-and-backup/all-in-one-cronjob.yaml b/k8s/vaultwarden/export-and-backup/all-in-one-cronjob.yaml index e01eed4c..e8d1f545 100644 
--- a/k8s/vaultwarden/export-and-backup/all-in-one-cronjob.yaml +++ b/k8s/vaultwarden/export-and-backup/all-in-one-cronjob.yaml @@ -17,7 +17,7 @@ spec: restartPolicy: Never containers: - name: test-restic-backup - image: ghcr.io/tryrocket-cloud/home-ops:toolkit + image: ghcr.io/tryrocket-cloud/home-ops:toolkit@sha256:6ebf6602fa4ecb82be238f8dba70b2ea0c95843bdac9ab55c083debc89e29be2 imagePullPolicy: Always env: - name: RESTIC_CACHE_DIR diff --git a/k8s/vaultwarden/export-and-backup/backup-config/cronjob.yaml b/k8s/vaultwarden/export-and-backup/backup-config/cronjob.yaml index fa66a540..30d0f79f 100644 --- a/k8s/vaultwarden/export-and-backup/backup-config/cronjob.yaml +++ b/k8s/vaultwarden/export-and-backup/backup-config/cronjob.yaml @@ -15,7 +15,7 @@ spec: restartPolicy: Never initContainers: - name: get-vaultwarden-version - image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup + image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup@sha256:884d07598aeff3a91ea8f29e8f393c63ac04dedf6e4845582fa94cbb434bcb4c command: ["/bin/sh", "-c"] args: - | @@ -46,7 +46,7 @@ spec: - name: vaultwarden-export-volume mountPath: /export - name: export-vaultwarden-user-vault - image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup + image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup@sha256:884d07598aeff3a91ea8f29e8f393c63ac04dedf6e4845582fa94cbb434bcb4c imagePullPolicy: Always env: - name: NODE_NO_WARNINGS diff --git a/k8s/vaultwarden/export-and-backup/backup-config/ionos.com/cronjob-patch.yaml b/k8s/vaultwarden/export-and-backup/backup-config/ionos.com/cronjob-patch.yaml index 16d2e8ba..62562954 100644 --- a/k8s/vaultwarden/export-and-backup/backup-config/ionos.com/cronjob-patch.yaml +++ b/k8s/vaultwarden/export-and-backup/backup-config/ionos.com/cronjob-patch.yaml 
@@ -11,7 +11,7 @@ spec: spec: containers: - name: ionos-com-objectstorage-eu-central-3-s3-kopia-backup - image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup + image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup@sha256:884d07598aeff3a91ea8f29e8f393c63ac04dedf6e4845582fa94cbb434bcb4c imagePullPolicy: Always env: - name: VAULTWARDEN_EXPORT_JSON diff --git a/k8s/vaultwarden/export-and-backup/backup-config/overlays/truenas.tryrocket.cloud/cronjob-patch.yaml b/k8s/vaultwarden/export-and-backup/backup-config/overlays/truenas.tryrocket.cloud/cronjob-patch.yaml index 47d5597e..a72ba867 100644 --- a/k8s/vaultwarden/export-and-backup/backup-config/overlays/truenas.tryrocket.cloud/cronjob-patch.yaml +++ b/k8s/vaultwarden/export-and-backup/backup-config/overlays/truenas.tryrocket.cloud/cronjob-patch.yaml @@ -11,7 +11,7 @@ spec: spec: containers: - name: truenas-tryrocket-cloud-objectstorage-backup - image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup + image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup@sha256:884d07598aeff3a91ea8f29e8f393c63ac04dedf6e4845582fa94cbb434bcb4c imagePullPolicy: Always env: - name: VAULTWARDEN_EXPORT_JSON diff --git a/toolkit/Dockerfile b/toolkit/Dockerfile index 6886ea0b..e509385f 100644 --- a/toolkit/Dockerfile +++ b/toolkit/Dockerfile @@ -1,4 +1,4 @@ -FROM debian:bookworm-slim +FROM debian:bookworm-slim@sha256:56ff6d36d4eb3db13a741b342ec466f121480b5edded42e4b7ee850ce7a418ee ENV DEBIAN_FRONTEND=noninteractive