diff --git a/.github/workflows/build-toolkit-docker-image.yaml b/.github/workflows/build-toolkit-docker-image.yaml index 3a48f903b..35db6a976 100644 --- a/.github/workflows/build-toolkit-docker-image.yaml +++ b/.github/workflows/build-toolkit-docker-image.yaml @@ -19,20 +19,20 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # v2 - name: Log in to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push Docker image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6 with: context: toolkit/ push: true @@ -41,7 +41,7 @@ jobs: ghcr.io/${{ github.repository }}:toolkit-${{ github.sha }} - name: Build and push Docker image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6 with: context: immich/ push: true diff --git a/backup/Dockerfile b/backup/Dockerfile index 7eb7026f3..9020040ed 100644 --- a/backup/Dockerfile +++ b/backup/Dockerfile @@ -1,4 +1,4 @@ -FROM debian:trixie-slim +FROM debian:trixie-slim@sha256:26f98ccd92fd0a44d6928ce8ff8f4921b4d2f535bfa07555ee5d18f61429cf0c RUN apt-get update && \ apt-get install -y wget ca-certificates tar just restic ansible unzip && \ diff --git a/docker/caddy/docker-compose.yaml b/docker/caddy/docker-compose.yaml index 37aa6fbd4..d10870fbb 100644 --- a/docker/caddy/docker-compose.yaml +++ b/docker/caddy/docker-compose.yaml 
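Review bot: The trailing comments on the pinned `uses:` lines in build-toolkit-docker-image.yaml record only the major tag (`# v4`, `# v2`, `# v3`, `# v6`), so nothing on the line says which release each SHA was taken from and a reviewer cannot confirm the mapping without looking each one up. Record the exact release in the comment, e.g. `uses: actions/checkout@<sha> # vX.Y.Z` (placeholder version). Also confirm that each SHA is reachable from a tag in the upstream repository, because a commit that exists only in a fork can still be referenced by SHA. The second `docker/build-push-action` pin in the `@@ -41,7` hunk needs the same treatment. The pins also stop the floating major tags from delivering fixes, and no updater configuration is visible in this diff.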
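Review bot: The digest on `FROM debian:trixie-slim@sha256:…` in backup/Dockerfile fixes the base layers, but the `RUN apt-get update && apt-get install -y …` that follows still resolves package versions at build time, so the pin alone does not make the image reproducible. It also freezes the base at the Debian security fixes present when the digest was resolved, until someone bumps it. No updater configuration is visible in this diff, so either add one or document the manual refresh with a comment such as `# digest resolved from debian:trixie-slim on <date>; refresh on a schedule`. The same applies to the `FROM` lines in immich/Dockerfile and toolkit/Dockerfile, and the `RUN` instruction continues outside the hunk.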
@@ -1,6 +1,6 @@ services: caddy: - image: ghcr.io/caddybuilds/caddy-cloudflare:latest + image: ghcr.io/caddybuilds/caddy-cloudflare:latest@sha256:b8e5319ef93a03754d302d203fb6632522d0f8d7da221519e9d520ee037d496b container_name: caddy restart: unless-stopped ports: diff --git a/docker/immich/docker-compose.yaml b/docker/immich/docker-compose.yaml index 41f9e8db0..86d79b441 100644 --- a/docker/immich/docker-compose.yaml +++ b/docker/immich/docker-compose.yaml @@ -14,7 +14,7 @@ services: UMASK_SET: "002" healthcheck: disable: false - image: ghcr.io/immich-app/immich-machine-learning:v1.138.0 + image: ghcr.io/immich-app/immich-machine-learning:v1.138.0@sha256:25fca00128f10444303c93829516927bd14804ccbe9b7450eb41c64c722c5ac4 platform: linux/amd64 privileged: false restart: unless-stopped @@ -30,7 +30,7 @@ services: nocopy: false database: - image: ghcr.io/immich-app/postgres:14-vectorchord0.3.0-pgvectors0.2.0 + image: ghcr.io/immich-app/postgres:14-vectorchord0.3.0-pgvectors0.2.0@sha256:c570d9e1c2494f65d2a0a379a7f6df66e8441964254a30aa62cc58e8ebf1dee0 environment: NVIDIA_VISIBLE_DEVICES: void POSTGRES_DB: ${POSTGRES_DB} @@ -52,7 +52,7 @@ services: type: bind pgvecto: - image: tensorchord/pgvecto-rs:pg15-v0.2.0 + image: tensorchord/pgvecto-rs:pg15-v0.2.0@sha256:104a26ad4d0446c54a46d3a694c6193ef018c5ad4f9d9faf7765ab09cb9ffe06 cap_drop: - ALL environment: @@ -161,7 +161,7 @@ services: UMASK_SET: "002" healthcheck: disable: false - image: ghcr.io/immich-app/immich-server:v1.138.0 + image: ghcr.io/immich-app/immich-server:v1.138.0@sha256:12cee930e2cc211a95acae12ad780c0b2eecaea0479a06e255c73a4deb0b3efb #platform: linux/amd64 #ports: # - mode: ingress @@ -227,7 +227,7 @@ services: - "traefik.http.services.immich-dashboard.loadbalancer.server.port=30041" traefik: - image: traefik:v3.5.0 + image: traefik:v3.5.0@sha256:4e7175cfe19be83c6b928cae49dde2f2788fb307189a4dc9550b67acf30c11a5 container_name: traefik restart: unless-stopped #read_only: true 
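Review bot: In docker/caddy/docker-compose.yaml the image is now `caddy-cloudflare:latest@sha256:…`, and once a digest is present the runtime pulls by digest, so `latest` is only a label and the line reads as floating while it is actually frozen. Replace `latest` with the release tag the digest corresponds to, `image: ghcr.io/caddybuilds/caddy-cloudflare:<release-tag>@sha256:<digest>`, so the deployed version is readable and an updater can propose real version bumps. The same `latest@sha256:` form appears in the kestra, portainer, linkding, k8s mafl, opengist, papra, subscription-manager, medusa and aws-cli hunks. In the kestra service the `pull_policy: always` next to it now re-pulls the same digest every time.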
diff --git a/docker/kestra/docker-compose.yml b/docker/kestra/docker-compose.yml index c689ab818..c2b47bbda 100644 --- a/docker/kestra/docker-compose.yml +++ b/docker/kestra/docker-compose.yml @@ -8,7 +8,7 @@ volumes: services: postgres: - image: postgres + image: postgres@sha256:a9abf4275f9e99bff8e6aed712b3b7dfec9cac1341bba01c1ffdfce9ff9fc34a volumes: - postgres-data:/var/lib/postgresql/data environment: @@ -22,7 +22,7 @@ services: retries: 10 kestra: - image: kestra/kestra:latest + image: kestra/kestra:latest@sha256:79207760598551feb2bb86479cfc89115feeabf65851d1a19b1d947ab2fd27f9 pull_policy: always # Note that this setup with a root user is intended for development purpose. # Our base image runs without root, but the Docker Compose implementation needs root to access the Docker socket diff --git a/docker/mafl/docker-compose.yaml b/docker/mafl/docker-compose.yaml index ffb516f40..8f128f145 100644 --- a/docker/mafl/docker-compose.yaml +++ b/docker/mafl/docker-compose.yaml @@ -1,6 +1,6 @@ services: mafl: - image: hywax/mafl + image: hywax/mafl@sha256:2c89020be334b341da41a6b95830b1b52b1b9f43c9f16d09c0ab4e9dad3ea4ad container_name: mafl restart: unless-stopped volumes: diff --git a/docker/minio/docker-compose.yaml b/docker/minio/docker-compose.yaml index 9240a4eba..e8b3b1e11 100644 --- a/docker/minio/docker-compose.yaml +++ b/docker/minio/docker-compose.yaml @@ -1,6 +1,6 @@ services: minio: - image: quay.io/minio/minio:RELEASE.2025-03-12T18-04-18Z + image: quay.io/minio/minio:RELEASE.2025-03-12T18-04-18Z@sha256:46b3009bf7041eefbd90bd0d2b38c6ddc24d20a35d609551a1802c558c1c958f command: server /data --console-address ":9002" restart: unless-stopped ports: diff --git a/docker/pocket-id/docker-compose.yaml b/docker/pocket-id/docker-compose.yaml index ebe9b86c7..1cf16fc36 100644 --- a/docker/pocket-id/docker-compose.yaml +++ b/docker/pocket-id/docker-compose.yaml 
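Review bot: `image: postgres@sha256:…` in docker/kestra/docker-compose.yml carries no tag at all, so the file does not record which PostgreSQL major version the digest is, and a later digest bump can cross a major version without the diff showing it. The service mounts `postgres-data:/var/lib/postgresql/data`, and a data directory written by one major version is not usable by the next without a migration. Pin the major beside the digest: `image: postgres:<major>@sha256:<digest>`. The same tagless form is used for `hywax/mafl` in docker/mafl, `ghcr.io/pocket-id/pocket-id`, `curlimages/curl` and the final `alpine` container in export-and-backup-cronjob.yaml.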
@@ -1,6 +1,6 @@ services: pocket-id: - image: ghcr.io/pocket-id/pocket-id + image: ghcr.io/pocket-id/pocket-id@sha256:3e790c5d4fd82ff276b1c2bc3242be9da13cff204a2b937768ea1eba1e892571 container_name: pocket-id restart: unless-stopped environment: diff --git a/docker/portainer/docker-compose.yaml b/docker/portainer/docker-compose.yaml index e92577810..7826bc648 100644 --- a/docker/portainer/docker-compose.yaml +++ b/docker/portainer/docker-compose.yaml @@ -1,6 +1,6 @@ services: portainer: - image: portainer/portainer-ce:latest + image: portainer/portainer-ce:latest@sha256:1ae8e65d50ca5498cb2c33e617495a1e3ef245b0d2392b4a44c70ae09b822891 container_name: portainer restart: unless-stopped ports: diff --git a/docker/semaphore/docker-compose.yaml b/docker/semaphore/docker-compose.yaml index 670820b9e..bcc2e7da6 100644 --- a/docker/semaphore/docker-compose.yaml +++ b/docker/semaphore/docker-compose.yaml @@ -1,6 +1,6 @@ services: semaphore: - image: semaphoreui/semaphore:v2.13.1 + image: semaphoreui/semaphore:v2.13.1@sha256:db69c024e924bd2ac158b1e5e3534d1d7b60dc22ea232b050ec7eee28af34471 container_name: semaphore environment: TZ: Europe/Berlin diff --git a/docker/upsnap/docker-compose.yaml b/docker/upsnap/docker-compose.yaml index 2696c2474..f4fbd5514 100644 --- a/docker/upsnap/docker-compose.yaml +++ b/docker/upsnap/docker-compose.yaml @@ -1,7 +1,7 @@ services: upsnap: container_name: upsnap - image: ghcr.io/seriousm4x/upsnap:5 + image: ghcr.io/seriousm4x/upsnap:5@sha256:fa3b1a6b31dd9767047d10968039b23f59a51921f01bb771337a41fe92823350 network_mode: host restart: unless-stopped volumes: diff --git a/immich/Dockerfile b/immich/Dockerfile index b55112cd1..d2af96bdf 100644 --- a/immich/Dockerfile +++ b/immich/Dockerfile @@ -1,4 +1,4 @@ -FROM debian:trixie-slim +FROM debian:trixie-slim@sha256:26f98ccd92fd0a44d6928ce8ff8f4921b4d2f535bfa07555ee5d18f61429cf0c RUN apt-get update && \ apt-get install -y \ 
diff --git a/k8s/linkding/base/deployment.yaml b/k8s/linkding/base/deployment.yaml index 70f1798d8..c59b86e0e 100644 --- a/k8s/linkding/base/deployment.yaml +++ b/k8s/linkding/base/deployment.yaml @@ -17,7 +17,7 @@ spec: spec: containers: - name: linkding - image: sissbruecker/linkding:latest + image: sissbruecker/linkding:latest@sha256:61b2eb9eed8e5772a473fb7f1f8923e046cb8cbbeb50e88150afd5ff287d4060 imagePullPolicy: IfNotPresent ports: - containerPort: 9090 diff --git a/k8s/lldap/base/deployment.yaml b/k8s/lldap/base/deployment.yaml index 16694f9fd..39ecaca79 100644 --- a/k8s/lldap/base/deployment.yaml +++ b/k8s/lldap/base/deployment.yaml @@ -17,7 +17,7 @@ spec: spec: containers: - name: lldap - image: lldap/lldap:stable-alpine + image: lldap/lldap:stable-alpine@sha256:9e605a66c02514bfcffd1b67cafb1e98d50992216bb2871d7ae44622047dd09d imagePullPolicy: IfNotPresent ports: - name: http diff --git a/k8s/lldap/overlays/production/kustomization.yaml b/k8s/lldap/overlays/production/kustomization.yaml index a69bdb728..3264f4da3 100644 --- a/k8s/lldap/overlays/production/kustomization.yaml +++ b/k8s/lldap/overlays/production/kustomization.yaml @@ -12,4 +12,4 @@ namespace: lldap images: - name: lldap/lldap:latest - newTag: stable + newTag: stable@sha256:9e605a66c02514bfcffd1b67cafb1e98d50992216bb2871d7ae44622047dd09d diff --git a/k8s/mafl/base/deployment.yaml b/k8s/mafl/base/deployment.yaml index c8fc12e8c..7f027b0b3 100644 --- a/k8s/mafl/base/deployment.yaml +++ b/k8s/mafl/base/deployment.yaml @@ -22,7 +22,7 @@ spec: spec: containers: - name: mafl - image: hywax/mafl:latest + image: hywax/mafl:latest@sha256:2c89020be334b341da41a6b95830b1b52b1b9f43c9f16d09c0ab4e9dad3ea4ad imagePullPolicy: IfNotPresent ports: - containerPort: 3000 diff --git a/k8s/opengist/base/deployment.yaml b/k8s/opengist/base/deployment.yaml index de00a47d6..b1a5bd74b 100644 --- a/k8s/opengist/base/deployment.yaml +++ b/k8s/opengist/base/deployment.yaml 
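Review bot: In k8s/lldap/overlays/production/kustomization.yaml the digest is appended to the tag (`newTag: stable@sha256:…`), which relies on kustomize concatenating the string; the `images` entry has a dedicated `digest` field, so `newTag: stable` plus `digest: sha256:<digest>` states the intent directly. The digest is the same one the base deployment labels `stable-alpine`, so the two labels can only both be right if upstream publishes one image under both tags; confirm which tag it was resolved from. The entry's `name: lldap/lldap:latest` includes a tag, which may keep it from matching the base image at all; that line is unchanged context and should be checked separately. The papra overlay uses the same `newTag: latest@sha256:…` form and repeats the digest already pinned in its base deployment, so each bump has to touch two files.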
@@ -18,7 +18,7 @@ spec: dnsPolicy: ClusterFirst containers: - name: opengist - image: ghcr.io/thomiceli/opengist:latest + image: ghcr.io/thomiceli/opengist:latest@sha256:85361da4c2f259df6e0675c54574c991ae2601922cb56c4d0419fd3e15ceb139 imagePullPolicy: IfNotPresent env: - name: TZ diff --git a/k8s/papra/base/deployment.yaml b/k8s/papra/base/deployment.yaml index eb77edabe..e5229fcb8 100644 --- a/k8s/papra/base/deployment.yaml +++ b/k8s/papra/base/deployment.yaml @@ -18,7 +18,7 @@ spec: dnsPolicy: ClusterFirst containers: - name: papra - image: ghcr.io/papra-hq/papra:latest + image: ghcr.io/papra-hq/papra:latest@sha256:e397d2a604306141b5f6fcdbcf0260677dcfe0dbc2c8e7ac4d2d336ce764ae5f imagePullPolicy: IfNotPresent env: - name: TZ diff --git a/k8s/papra/overlays/production/kustomization.yaml b/k8s/papra/overlays/production/kustomization.yaml index 4411c1701..ecb53334f 100644 --- a/k8s/papra/overlays/production/kustomization.yaml +++ b/k8s/papra/overlays/production/kustomization.yaml @@ -10,4 +10,4 @@ resources: # https://github.com/thomiceli/opengist/releases images: - name: ghcr.io/papra-hq/papra - newTag: latest + newTag: latest@sha256:e397d2a604306141b5f6fcdbcf0260677dcfe0dbc2c8e7ac4d2d336ce764ae5f diff --git a/k8s/subscription-manager/base/deployment.yaml b/k8s/subscription-manager/base/deployment.yaml index 081e9b2ac..aa8580246 100644 --- a/k8s/subscription-manager/base/deployment.yaml +++ b/k8s/subscription-manager/base/deployment.yaml @@ -22,7 +22,7 @@ spec: spec: containers: - name: subscription-manager - image: dh1011/subscription-manager:latest + image: dh1011/subscription-manager:latest@sha256:3e22a34de4e4f4cb2b35d53ba849b67981e34f06d3e33496ebf8ca2fdad6dd28 imagePullPolicy: IfNotPresent ports: - containerPort: 3000 diff --git a/k8s/vault/export-and-backup/all-in-one/cronjob-all-in-one.yaml b/k8s/vault/export-and-backup/all-in-one/cronjob-all-in-one.yaml index 7df3dfbeb..dbb6f6aae 100644 --- a/k8s/vault/export-and-backup/all-in-one/cronjob-all-in-one.yaml 
+++ b/k8s/vault/export-and-backup/all-in-one/cronjob-all-in-one.yaml @@ -17,7 +17,7 @@ spec: restartPolicy: Never containers: - name: backup-vault-export - image: ghcr.io/tryrocket-cloud/home-ops:toolkit + image: ghcr.io/tryrocket-cloud/home-ops:toolkit@sha256:5c784db805d578316286086852368aaf431d6922c5268bd5e8e9aa6d18a22108 imagePullPolicy: Always env: - name: RESTIC_CACHE_DIR diff --git a/k8s/vault/export-and-backup/base/cronjob.yaml b/k8s/vault/export-and-backup/base/cronjob.yaml index 293275d48..f18a220b6 100644 --- a/k8s/vault/export-and-backup/base/cronjob.yaml +++ b/k8s/vault/export-and-backup/base/cronjob.yaml @@ -15,7 +15,7 @@ spec: restartPolicy: Never initContainers: - name: export-hashicorp-vault - image: ghcr.io/jonasvinther/medusa:latest + image: ghcr.io/jonasvinther/medusa:latest@sha256:bc4696d3328bed5a0712318d643766e36c87d2ae836d14170d010df6abf0447d imagePullPolicy: IfNotPresent command: ["./medusa", "export", "$(VAULT_PATH)", "-o", "/export/vault-export.json"] env: diff --git a/k8s/vault/export-and-backup/overlays/ionos.com/cronjob-patch.yaml b/k8s/vault/export-and-backup/overlays/ionos.com/cronjob-patch.yaml index 9291037ce..356f7bbfe 100644 --- a/k8s/vault/export-and-backup/overlays/ionos.com/cronjob-patch.yaml +++ b/k8s/vault/export-and-backup/overlays/ionos.com/cronjob-patch.yaml @@ -11,7 +11,7 @@ spec: spec: containers: - name: ionos-com-objectstorage-eu-central-3-s3-kopia-backup - image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup + image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup@sha256:6dc2aa6410a133e9db663ab7e14f3e00a3853e1d574a4fee24ea34c8645cf041 imagePullPolicy: Always env: - name: EXPORT_JSON 
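Review bot: `ghcr.io/tryrocket-cloud/home-ops:toolkit@sha256:…` in cronjob-all-in-one.yaml pins a rolling tag of an image this repository builds itself, so a rebuild that moves `toolkit` no longer reaches the CronJob, and `imagePullPolicy: Always` only re-pulls the pinned digest. When the tag moves, the pinned digest becomes untagged in the registry; if untagged versions are ever pruned, the pull fails and the backup job does not start, which is easy to miss for a scheduled backup. The workflow in this diff already pushes a per-commit `toolkit-${{ github.sha }}` tag, so reference that together with its digest, `image: ghcr.io/tryrocket-cloud/home-ops:toolkit-<commit>@sha256:<digest>`, as export-and-backup-cronjob-3.yaml does. The `ghcr.io/tryrocket-cloud/tryrocket-cloud:backup@sha256:…` pins in the vault and vaultwarden cronjob hunks and the `home-ops:toolkit` pin in all-in-one-cronjob.yaml have the same issue.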
@@ -60,7 +60,7 @@ spec: mountPath: /export readOnly: true - name: ionos-com-objectstorage-eu-central-3-s3-restic-backup - image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup + image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup@sha256:6dc2aa6410a133e9db663ab7e14f3e00a3853e1d574a4fee24ea34c8645cf041 imagePullPolicy: Always env: - name: EXPORT_JSON diff --git a/k8s/vault/export-and-backup/overlays/truenas.tryrocket.cloud/cronjob-patch.yaml b/k8s/vault/export-and-backup/overlays/truenas.tryrocket.cloud/cronjob-patch.yaml index 16f8e5980..e356dcd4f 100644 --- a/k8s/vault/export-and-backup/overlays/truenas.tryrocket.cloud/cronjob-patch.yaml +++ b/k8s/vault/export-and-backup/overlays/truenas.tryrocket.cloud/cronjob-patch.yaml @@ -11,7 +11,7 @@ spec: spec: containers: - name: truenas-tryrocket-cloud-objectstorage-backup - image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup + image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup@sha256:6dc2aa6410a133e9db663ab7e14f3e00a3853e1d574a4fee24ea34c8645cf041 imagePullPolicy: Always env: - name: VAULT_EXPORT_JSON diff --git a/k8s/vault/export-and-backup/vault-export-and-backup-cronjob.yaml b/k8s/vault/export-and-backup/vault-export-and-backup-cronjob.yaml index d48fff071..72555ee08 100644 --- a/k8s/vault/export-and-backup/vault-export-and-backup-cronjob.yaml +++ b/k8s/vault/export-and-backup/vault-export-and-backup-cronjob.yaml @@ -17,7 +17,7 @@ spec: restartPolicy: Never initContainers: - name: export-hashicorp-vault - image: ghcr.io/jonasvinther/medusa:latest + image: ghcr.io/jonasvinther/medusa:latest@sha256:bc4696d3328bed5a0712318d643766e36c87d2ae836d14170d010df6abf0447d imagePullPolicy: IfNotPresent command: ["./medusa", "export", "$(VAULT_PATH)", "-o", "/export/vault-export.json"] env: 
@@ -36,7 +36,7 @@ spec: containers: - name: ionos-com-objectstorage-eu-central-3-s3-kopia-backup - image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup + image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup@sha256:6dc2aa6410a133e9db663ab7e14f3e00a3853e1d574a4fee24ea34c8645cf041 imagePullPolicy: Always env: - name: EXPORT_JSON @@ -85,7 +85,7 @@ spec: # - name: backup-cache-volume # mountPath: /cache - name: ionos-com-objectstorage-eu-central-3-s3-restic-backup - image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup + image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup@sha256:6dc2aa6410a133e9db663ab7e14f3e00a3853e1d574a4fee24ea34c8645cf041 imagePullPolicy: Always env: - name: EXPORT_JSON diff --git a/k8s/vaultwarden/export-and-backup-2/export-and-backup-cronjob-3.yaml b/k8s/vaultwarden/export-and-backup-2/export-and-backup-cronjob-3.yaml index 00ec23473..6dbb2873d 100644 --- a/k8s/vaultwarden/export-and-backup-2/export-and-backup-cronjob-3.yaml +++ b/k8s/vaultwarden/export-and-backup-2/export-and-backup-cronjob-3.yaml @@ -42,7 +42,7 @@ spec: initContainers: - name: vaultwarden-export - image: ghcr.io/tryrocket-cloud/home-ops:toolkit-38dfa08a823162b91b8b4b579a025a471c475a33 + image: ghcr.io/tryrocket-cloud/home-ops:toolkit-38dfa08a823162b91b8b4b579a025a471c475a33@sha256:0bfead9e4ae9f6b86fc8b14f89cc8a396909dbc9a08acc7246cd60892a3ced84 imagePullPolicy: IfNotPresent env: - name: TZ @@ -134,7 +134,7 @@ spec: echo "All jobs finished!" - name: restic-s3-policy - image: ghcr.io/tryrocket-cloud/home-ops:toolkit-ac3e21cade59942ed7c1ef4a8dc595b3a71d815a + image: ghcr.io/tryrocket-cloud/home-ops:toolkit-ac3e21cade59942ed7c1ef4a8dc595b3a71d815a@sha256:2a9ba7ee98f0af4a7fbad3ef11e8acb388024c2e95936c825fae014b9c8da164 imagePullPolicy: IfNotPresent env: - name: TZ 
@@ -177,7 +177,7 @@ spec: containers: - name: restic-ionos-backup - image: ghcr.io/tryrocket-cloud/home-ops:toolkit-ac3e21cade59942ed7c1ef4a8dc595b3a71d815a + image: ghcr.io/tryrocket-cloud/home-ops:toolkit-ac3e21cade59942ed7c1ef4a8dc595b3a71d815a@sha256:2a9ba7ee98f0af4a7fbad3ef11e8acb388024c2e95936c825fae014b9c8da164 imagePullPolicy: IfNotPresent env: - name: TZ @@ -236,7 +236,7 @@ spec: run_restic_backup - name: kopia-ionos-backup - image: ghcr.io/tryrocket-cloud/home-ops:toolkit-ac3e21cade59942ed7c1ef4a8dc595b3a71d815a + image: ghcr.io/tryrocket-cloud/home-ops:toolkit-ac3e21cade59942ed7c1ef4a8dc595b3a71d815a@sha256:2a9ba7ee98f0af4a7fbad3ef11e8acb388024c2e95936c825fae014b9c8da164 imagePullPolicy: IfNotPresent env: - name: TZ @@ -302,7 +302,7 @@ spec: run_kopia_backup - name: deny-all-s3-policy - image: ghcr.io/tryrocket-cloud/home-ops:toolkit-ac3e21cade59942ed7c1ef4a8dc595b3a71d815a + image: ghcr.io/tryrocket-cloud/home-ops:toolkit-ac3e21cade59942ed7c1ef4a8dc595b3a71d815a@sha256:2a9ba7ee98f0af4a7fbad3ef11e8acb388024c2e95936c825fae014b9c8da164 volumeMounts: - name: signals mountPath: /signals diff --git a/k8s/vaultwarden/export-and-backup-2/export-and-backup-cronjob.yaml b/k8s/vaultwarden/export-and-backup-2/export-and-backup-cronjob.yaml index 2fbd17692..fbdc200f0 100644 --- a/k8s/vaultwarden/export-and-backup-2/export-and-backup-cronjob.yaml +++ b/k8s/vaultwarden/export-and-backup-2/export-and-backup-cronjob.yaml @@ -49,7 +49,7 @@ spec: initContainers: - name: healthcheck-start - image: curlimages/curl + image: curlimages/curl@sha256:d94d07ba9e7d6de898b6d96c1a072f6f8266c687af78a74f380087a0addf5d17 envFrom: - secretRef: name: healthchecksio @@ -60,7 +60,7 @@ spec: curl -fsS -m 10 --retry 5 https://hc-ping.com/$HC_UUID/start - name: get-vaultwarden-version - image: alpine:3.21 + image: alpine:3.21@sha256:c3f8e73fdb79deaebaa2037150150191b9dcbfba68b4a46d70103204c53f4709 env: - name: VAULTWARDEN_HOST value: vaultwarden.tryrocket.cloud 
@@ -88,7 +88,7 @@ spec: mountPath: /export - name: export-2967ac9f-f0e5-4881-8be5-9d08371a167a - image: debian:bookworm-slim + image: debian:bookworm-slim@sha256:f06537653ac770703bc45b4b113475bd402f451e85223f0f2837acbf89ab020a env: - name: VAULTWARDEN_HOST value: vaultwarden.tryrocket.cloud @@ -139,7 +139,7 @@ spec: mountPath: /export - name: encrypt-with-age - image: alpine:3.21 + image: alpine:3.21@sha256:c3f8e73fdb79deaebaa2037150150191b9dcbfba68b4a46d70103204c53f4709 env: - name: VAULTWARDEN_USER_ID value: 2967ac9f-f0e5-4881-8be5-9d08371a167a @@ -178,7 +178,7 @@ spec: mountPath: /export - name: configure-s3-access-allowance - image: public.ecr.aws/aws-cli/aws-cli:latest + image: public.ecr.aws/aws-cli/aws-cli:latest@sha256:0a8bbdb160cbb09e357ba24533204e90a97e2e56beadf1730739644c2d5f1bdb command: ["/bin/sh","-c"] args: - | @@ -208,7 +208,7 @@ spec: readOnly: true - name: restic - image: restic/restic:0.18.0 + image: restic/restic:0.18.0@sha256:4cf4a61ef9786f4de53e9de8c8f5c040f33830eb0a10bf3d614410ee2fcb6120 envFrom: - secretRef: name: restic @@ -244,7 +244,7 @@ spec: mountPath: /export - name: configure-s3-access-block - image: public.ecr.aws/aws-cli/aws-cli:latest + image: public.ecr.aws/aws-cli/aws-cli:latest@sha256:0a8bbdb160cbb09e357ba24533204e90a97e2e56beadf1730739644c2d5f1bdb command: ["/bin/sh","-c"] args: - | @@ -273,7 +273,7 @@ spec: readOnly: true - name: healthcheck-ping - image: curlimages/curl + image: curlimages/curl@sha256:d94d07ba9e7d6de898b6d96c1a072f6f8266c687af78a74f380087a0addf5d17 envFrom: - secretRef: name: healthchecksio @@ -285,5 +285,5 @@ spec: containers: - name: teardown - image: alpine + image: alpine@sha256:25109184c71bdad752c8312a8623239686a9a2071e8825f20acb8f2198c3f659 command: ["sh","-c","echo backup done!"] \ No newline at end of file diff --git a/k8s/vaultwarden/export-and-backup/all-in-one-cronjob.yaml b/k8s/vaultwarden/export-and-backup/all-in-one-cronjob.yaml index e01eed4cc..eaa2561e0 100644 
--- a/k8s/vaultwarden/export-and-backup/all-in-one-cronjob.yaml +++ b/k8s/vaultwarden/export-and-backup/all-in-one-cronjob.yaml @@ -17,7 +17,7 @@ spec: restartPolicy: Never containers: - name: test-restic-backup - image: ghcr.io/tryrocket-cloud/home-ops:toolkit + image: ghcr.io/tryrocket-cloud/home-ops:toolkit@sha256:5c784db805d578316286086852368aaf431d6922c5268bd5e8e9aa6d18a22108 imagePullPolicy: Always env: - name: RESTIC_CACHE_DIR diff --git a/k8s/vaultwarden/export-and-backup/backup-config/cronjob.yaml b/k8s/vaultwarden/export-and-backup/backup-config/cronjob.yaml index fa66a5406..87164abff 100644 --- a/k8s/vaultwarden/export-and-backup/backup-config/cronjob.yaml +++ b/k8s/vaultwarden/export-and-backup/backup-config/cronjob.yaml @@ -15,7 +15,7 @@ spec: restartPolicy: Never initContainers: - name: get-vaultwarden-version - image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup + image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup@sha256:6dc2aa6410a133e9db663ab7e14f3e00a3853e1d574a4fee24ea34c8645cf041 command: ["/bin/sh", "-c"] args: - | @@ -46,7 +46,7 @@ spec: - name: vaultwarden-export-volume mountPath: /export - name: export-vaultwarden-user-vault - image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup + image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup@sha256:6dc2aa6410a133e9db663ab7e14f3e00a3853e1d574a4fee24ea34c8645cf041 imagePullPolicy: Always env: - name: NODE_NO_WARNINGS diff --git a/k8s/vaultwarden/export-and-backup/backup-config/ionos.com/cronjob-patch.yaml b/k8s/vaultwarden/export-and-backup/backup-config/ionos.com/cronjob-patch.yaml index 16d2e8ba8..f39754431 100644 --- a/k8s/vaultwarden/export-and-backup/backup-config/ionos.com/cronjob-patch.yaml +++ b/k8s/vaultwarden/export-and-backup/backup-config/ionos.com/cronjob-patch.yaml 
@@ -11,7 +11,7 @@ spec: spec: containers: - name: ionos-com-objectstorage-eu-central-3-s3-kopia-backup - image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup + image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup@sha256:6dc2aa6410a133e9db663ab7e14f3e00a3853e1d574a4fee24ea34c8645cf041 imagePullPolicy: Always env: - name: VAULTWARDEN_EXPORT_JSON diff --git a/k8s/vaultwarden/export-and-backup/backup-config/overlays/truenas.tryrocket.cloud/cronjob-patch.yaml b/k8s/vaultwarden/export-and-backup/backup-config/overlays/truenas.tryrocket.cloud/cronjob-patch.yaml index 47d5597e9..e3ef10339 100644 --- a/k8s/vaultwarden/export-and-backup/backup-config/overlays/truenas.tryrocket.cloud/cronjob-patch.yaml +++ b/k8s/vaultwarden/export-and-backup/backup-config/overlays/truenas.tryrocket.cloud/cronjob-patch.yaml @@ -11,7 +11,7 @@ spec: spec: containers: - name: truenas-tryrocket-cloud-objectstorage-backup - image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup + image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup@sha256:6dc2aa6410a133e9db663ab7e14f3e00a3853e1d574a4fee24ea34c8645cf041 imagePullPolicy: Always env: - name: VAULTWARDEN_EXPORT_JSON diff --git a/toolkit/Dockerfile b/toolkit/Dockerfile index 6886ea0bc..8af4134bf 100644 --- a/toolkit/Dockerfile +++ b/toolkit/Dockerfile @@ -1,4 +1,4 @@ -FROM debian:bookworm-slim +FROM debian:bookworm-slim@sha256:f06537653ac770703bc45b4b113475bd402f451e85223f0f2837acbf89ab020a ENV DEBIAN_FRONTEND=noninteractive