diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml index 2004d35..a371b35 100644 --- a/.github/FUNDING.yml +++ b/.github/FUNDING.yml @@ -1,3 +1,4 @@ +--- # These are supported funding model platforms patreon: christianlempa diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml new file mode 100644 index 0000000..50aadc6 --- /dev/null +++ b/.github/workflows/lint.yaml @@ -0,0 +1,19 @@ +--- +name: Lint + +on: # yamllint disable-line rule:truthy + pull_request: + branches: + - main + +permissions: + contents: read + +jobs: + lint: + name: Linters + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + - run: yamllint --strict -- $(git ls-files '*.yaml' '*.yml') diff --git a/.yamllint b/.yamllint new file mode 100644 index 0000000..0f25798 --- /dev/null +++ b/.yamllint @@ -0,0 +1,7 @@ +--- +extends: default + +rules: + line-length: + max: 160 + level: warning diff --git a/README.md b/README.md index ab889cb..9816ae9 100644 --- a/README.md +++ b/README.md @@ -20,7 +20,6 @@ If you’d like to contribute to this project, reach out to me on social media o - [Dotfiles](https://github.com/christianlempa/dotfiles) - My personal configuration files on macOS - [Cheat-Sheets](https://github.com/christianlempa/cheat-sheets) - Command Reference for various tools and technologies -- [Homelab](https://github.com/christianlempa/homelab) - This is my entire Homelab documentation, and configurations for infrastructure, applications, networking, and more. ## Support me diff --git a/github-actions/kubectl/kubernetes-deploy.yml b/actions/github/kubectl/kubernetes-deploy.yml similarity index 88% rename from github-actions/kubectl/kubernetes-deploy.yml rename to actions/github/kubectl/kubernetes-deploy.yml index 9851873..28cb002 100644 --- a/github-actions/kubectl/kubernetes-deploy.yml +++ b/actions/github/kubectl/kubernetes-deploy.yml 
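Review bot: `uses: actions/checkout@v4` in the new lint job is a mutable tag; pinning it to the full commit SHA (with the version kept in a trailing comment) is what keeps a retagged or compromised release from changing what runs on every pull request, even with `contents: read`. The `run:` step also relies on yamllint already being present on the runner image, which the workflow neither declares nor pins; an explicit install step such as `- run: pip install yamllint` before it makes the job self-describing. Finally `$(git ls-files '*.yaml' '*.yml')` is unquoted and word-splits on whitespace in paths; `git ls-files -z '*.yaml' '*.yml' | xargs -0 yamllint --strict --` avoids that.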
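Review bot: `level: warning` on the `line-length` rule in `.yamllint` has no practical effect, because the lint workflow added in this same commit runs `yamllint --strict`, which exits non-zero on warnings as well as errors, so any line over 160 characters will fail the pull-request check. Either drop `--strict` from the workflow, or make the rule's severity honest (`level: error`, or `line-length: disable` if long compose lines are intended). A short comment in the file, e.g. `# note: --strict in .github/workflows/lint.yaml turns warnings into failures`, would document the coupling either way.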
@@ -1,6 +1,7 @@ +--- name: Kubernetes Deploy -on: +on: # yamllint disable-line rule:truthy push: branches: - main diff --git a/github-actions/scp-action/copy-config-files.yml b/actions/github/scp-action/copy-config-files.yml similarity index 92% rename from github-actions/scp-action/copy-config-files.yml rename to actions/github/scp-action/copy-config-files.yml index 4f16db3..0c3b731 100644 --- a/github-actions/scp-action/copy-config-files.yml +++ b/actions/github/scp-action/copy-config-files.yml @@ -1,6 +1,7 @@ +--- name: copy config files to remote machine -on: +on: # yamllint disable-line rule:truthy push: branches: - main diff --git a/github-actions/ssh-action/restart-docker.yml b/actions/github/ssh-action/restart-docker.yml similarity index 94% rename from github-actions/ssh-action/restart-docker.yml rename to actions/github/ssh-action/restart-docker.yml index 9930840..b6735f7 100644 --- a/github-actions/ssh-action/restart-docker.yml +++ b/actions/github/ssh-action/restart-docker.yml @@ -1,6 +1,7 @@ +--- name: Update Docker Compose File -on: +on: # yamllint disable-line rule:truthy push: branches: - main diff --git a/ansible/configuration/fail2ban/config-f2b-protect-sshd.yaml b/ansible/configuration/fail2ban/config-f2b-protect-sshd.yaml deleted file mode 100644 index 7f83962..0000000 --- a/ansible/configuration/fail2ban/config-f2b-protect-sshd.yaml +++ /dev/null @@ -1,25 +0,0 @@ ---- -- name: Install fail2ban and configure sshd - hosts: "{{ my_hosts | d([]) }}" - become: true - - tasks: - - name: Install fail2ban - ansible.builtin.apt: - name: - - fail2ban - update_cache: true - - - name: Copy fail2ban config file - ansible.builtin.copy: - src: configfiles/debian-sshd-default.conf - dest: /etc/fail2ban/jail.d/debian-sshd-default.conf - mode: '0644' - owner: root - group: root - - - name: Restart fail2ban - ansible.builtin.systemd_service: - state: restarted - daemon_reload: true - name: fail2ban 
diff --git a/ansible/configuration/fail2ban/configfiles/debian-sshd-default.conf b/ansible/configuration/fail2ban/configfiles/debian-sshd-default.conf
deleted file mode 100644
index df10058..0000000
--- a/ansible/configuration/fail2ban/configfiles/debian-sshd-default.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-[sshd]
-enabled = true
-bantime = 3600
diff --git a/ansible/notification/notify-discord.yaml b/ansible/discord/notify-discord.yaml
similarity index 100%
rename from ansible/notification/notify-discord.yaml
rename to ansible/discord/notify-discord.yaml
diff --git a/ansible/docker/docker-certs-enable.yaml b/ansible/docker/docker-certs-enable.yaml
new file mode 100644
index 0000000..ff0f3d3
--- /dev/null
+++ b/ansible/docker/docker-certs-enable.yaml
@@ -0,0 +1,52 @@
+---
+- name: "Docker Certs enable"
+ hosts: "{{ my_hosts | d([]) }}"
+ become: true
+ vars:
+ certs_path: "/root/docker-certs"
+
+ tasks:
+ - name: Check if docker certs are existing
+ ansible.builtin.stat:
+ path: "{{ certs_path }}"
+ register: certs_dir
+
+ - name: Fail if docker certs are not existing
+ ansible.builtin.fail:
+ msg: "Docker certificates are not existing in /root/docker-certs."
+ when: not certs_dir.stat.exists
+
+ - name: Get machine's primary internal ip address from eth0 interface
+ ansible.builtin.setup:
+ register: ip_address
+
+ - name: Set machine's primary internal ip address
+ ansible.builtin.set_fact:
+ ip_address: "{{ ip_address.ansible_facts.ansible_default_ipv4.address }}"
+
+ - name: Check if ip_address is a valid ip address
+ ansible.builtin.assert:
+ that:
+ - ip_address is match("^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$")
+ fail_msg: "ip_address is not a valid ip address."
+ success_msg: "ip_address is a valid ip address."
+
+ - name: Change docker daemon to use certs
+ ansible.builtin.lineinfile:
+ path: /lib/systemd/system/docker.service
+ line: >
+ ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
+ -H tcp://{{ ip_address }}:2376 --tlsverify --tlscacert={{ certs_path }}/ca.pem
+ --tlscert={{ certs_path }}/server-cert.pem --tlskey={{ certs_path }}/server-key.pem
+ regexp: '^ExecStart='
+ state: present
+
+ - name: Reload systemd daemon
+ ansible.builtin.systemd:
+ daemon_reload: true
+
+ - name: Restart docker daemon
+ ansible.builtin.systemd:
+ name: docker
+ state: restarted
+ enabled: true
diff --git a/ansible/docker/docker-certs.yaml b/ansible/docker/docker-certs.yaml
new file mode 100644
index 0000000..f7b8f71
--- /dev/null
+++ b/ansible/docker/docker-certs.yaml
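Review bot: The `Change docker daemon to use certs` task rewrites `ExecStart=` inside `/lib/systemd/system/docker.service`, a file owned by the docker-ce package, so the next package upgrade restores the vendor unit and the TLS listener on 2376 silently disappears until the playbook is run again. A drop-in under `/etc/systemd/system/docker.service.d/` survives upgrades and works with the daemon-reload task already present; the fence below shows that form. Two smaller points in the same hunk: the fail message hardcodes the path even though `certs_path` is a variable, `msg: "Docker certificates are not existing in {{ certs_path }}."`, and `line: >` keeps a trailing newline that `>-` would strip (whether lineinfile trims it itself I have not verified).
```yaml
- name: Create systemd drop-in directory for docker
  ansible.builtin.file:
    path: /etc/systemd/system/docker.service.d
    state: directory
    mode: '0755'

- name: Configure docker daemon TLS listener via systemd drop-in
  ansible.builtin.copy:
    dest: /etc/systemd/system/docker.service.d/tls.conf
    mode: '0644'
    content: |
      [Service]
      ExecStart=
      ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock -H tcp://{{ ip_address }}:2376 --tlsverify --tlscacert={{ certs_path }}/ca.pem --tlscert={{ certs_path }}/server-cert.pem --tlskey={{ certs_path }}/server-key.pem
# … unchanged: Reload systemd daemon and Restart docker daemon tasks …
```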
@@ -0,0 +1,158 @@
+---
+- name: "Docker Certs"
+ hosts: "{{ my_hosts | d([]) }}"
+ become: true
+ vars:
+ certs_path: "/root/docker-certs"
+ cert_validity_days: 3650
+ cn_domain: "your-domain.tld"
+
+ tasks:
+ - name: Check if docker certs are existing
+ ansible.builtin.stat:
+ path: "{{ certs_path }}"
+ register: certs_dir
+
+ - name: Create docker certs directory (if needed)
+ ansible.builtin.file:
+ path: "{{ certs_path }}"
+ state: directory
+ mode: '0700'
+ when: not certs_dir.stat.exists
+
+ - name: Check if docker certs directory is empty
+ ansible.builtin.command: ls -A "{{ certs_path }}"
+ register: certs_list
+ when: certs_dir.stat.exists
+ changed_when: false
+ ignore_errors: true
+
+ - name: Fail if docker certs already exist
+ ansible.builtin.fail:
+ msg: "Docker certificates already exist in /root/docker-certs."
+ when: certs_list.stdout | default('') != ''
+
+ - name: Get machine's primary internal ip address from eth0 interface
+ ansible.builtin.setup:
+ register: ip_address
+
+ - name: Set machine's primary internal ip address
+ ansible.builtin.set_fact:
+ ip_address: "{{ ip_address.ansible_facts.ansible_default_ipv4.address }}"
+
+ - name: Check if ip_address is a valid ip address
+ ansible.builtin.assert:
+ that:
+ - ip_address is match("^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$")
+ fail_msg: "ip_address is not a valid ip address."
+ success_msg: "ip_address is a valid ip address."
+
+ - name: Generate CA private key
+ ansible.builtin.command:
+ cmd: >
+ openssl genrsa -out "{{ certs_path }}/ca-key.pem" 4096
+ args:
+ creates: "{{ certs_path }}/ca-key.pem"
+
+ - name: Generate CA certificate
+ ansible.builtin.command:
+ cmd: >
+ openssl req -sha256 -new -x509
+ -subj "/CN={{ cn_domain }}"
+ -days "{{ cert_validity_days }}"
+ -key "{{ certs_path }}/ca-key.pem"
+ -out "{{ certs_path }}/ca.pem"
+ args:
+ creates: "{{ certs_path }}/ca.pem"
+
+ - name: Generate server private key
+ ansible.builtin.command:
+ cmd: >
+ openssl genrsa -out "{{ certs_path }}/server-key.pem" 4096
+ creates: "{{ certs_path }}/server-key.pem"
+
+ - name: Generate server certificate signing request
+ ansible.builtin.command:
+ cmd: >
+ openssl req -sha256 -new
+ -subj "/CN={{ inventory_hostname }}"
+ -key "{{ certs_path }}/server-key.pem"
+ -out "{{ certs_path }}/server.csr"
+ creates: "{{ certs_path }}/server.csr"
+
+ - name: Generate server certificate extension file
+ ansible.builtin.shell: |
+ echo "subjectAltName = DNS:{{ inventory_hostname }},IP:{{ ip_address }},IP:127.0.0.1" >> "{{ certs_path }}/extfile.cnf"
+ echo "extendedKeyUsage = serverAuth" >> "{{ certs_path }}/extfile.cnf"
+ args:
+ creates: "{{ certs_path }}/extfile.cnf"
+
+ - name: Generate server certificate
+ ansible.builtin.command:
+ cmd: >
+ openssl x509 -req -days "{{ cert_validity_days }}" -sha256
+ -in "{{ certs_path }}/server.csr"
+ -CA "{{ certs_path }}/ca.pem"
+ -CAkey "{{ certs_path }}/ca-key.pem"
+ -CAcreateserial -out "{{ certs_path }}/server-cert.pem"
+ -extfile "{{ certs_path }}/extfile.cnf"
+ creates: "{{ certs_path }}/server-cert.pem"
+
+ - name: Generate client private key
+ ansible.builtin.command:
+ cmd: >
+ openssl genrsa -out "{{ certs_path }}/key.pem" 4096
+ creates: "{{ certs_path }}/key.pem"
+
+ - name: Generate client certificate signing request
+ ansible.builtin.command:
+ cmd: >
+ openssl req -sha256 -new
+ -subj "/CN=client"
+ -key "{{ certs_path }}/key.pem"
+ -out "{{ certs_path }}/client.csr"
+ creates: "{{ certs_path }}/client.csr"
+
+ - name: Generate client certificate extension file
+ ansible.builtin.shell: |
+ echo "extendedKeyUsage = clientAuth" >> "{{ certs_path }}/client-extfile.cnf"
+ args:
+ creates: "{{ certs_path }}/client-extfile.cnf"
+
+ - name: Generate client certificate
+ ansible.builtin.command:
+ cmd: >
+ openssl x509 -req -days "{{ cert_validity_days }}"
+ -sha256 -in "{{ certs_path }}/client.csr"
+ -CA "{{ certs_path }}/ca.pem"
+ -CAkey "{{ certs_path }}/ca-key.pem"
+ -CAcreateserial -out "{{ certs_path }}/cert.pem"
+ -extfile "{{ certs_path }}/client-extfile.cnf"
+ creates: "{{ certs_path }}/cert.pem"
+
+ - name: Remove client certificate signing request
+ ansible.builtin.file:
+ path: "{{ certs_path }}/server.csr"
+ state: absent
+
+ - name: Remove client certificate signing request
+ ansible.builtin.file:
+ path: "{{ certs_path }}/client.csr"
+ state: absent
+
+ - name: Remove server certificate extension file
+ ansible.builtin.file:
+ path: "{{ certs_path }}/extfile.cnf"
+ state: absent
+
+ - name: Remove client certificate extension file
+ ansible.builtin.file:
+ path: "{{ certs_path }}/client-extfile.cnf"
+ state: absent
+
+ - name: Set permissions for docker certs
+ ansible.builtin.file:
+ path: "{{ certs_path }}"
+ mode: '0700'
+ recurse: true
+ follow: true
diff --git a/ansible/installation/inst-docker-ubuntu.yaml b/ansible/docker/inst-docker-ubuntu.yaml
similarity index 92%
rename from ansible/installation/inst-docker-ubuntu.yaml
rename to ansible/docker/inst-docker-ubuntu.yaml
index d2b4f42..4db252e 100644
--- a/ansible/installation/inst-docker-ubuntu.yaml
+++ b/ansible/docker/inst-docker-ubuntu.yaml
@@ -30,9 +30,6 @@ ansible.builtin.apt: name: - docker-ce - - docker-ce-cli - - containerd.io - docker-buildx-plugin - - docker-scan-plugin - docker-compose-plugin update_cache: true
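Review bot: The CA private key `ca-key.pem` is generated and left in `certs_path` on the Docker host, next to the server key and the client `cert.pem`/`key.pem`, so root on that host can mint further client certificates that `--tlsverify` will accept, and the client credential that belongs on the operator's machine never leaves the server. After `Generate client certificate`, fetching the CA key and client pair to the controller and removing at least the CA key from the host closes that gap (fence below; the `{{ playbook_dir }}/fetched/...` destination is only a placeholder choice). Two smaller points in the same hunk: the first `Remove client certificate signing request` task actually removes `server.csr` and should be named `Remove server certificate signing request`, and `mode: '0700'` with `recurse: true` marks every .pem file executable — `0600` is enough for the files, or apply the mode to the directory only. `-CAcreateserial` also leaves a `ca.srl` behind that the cleanup tasks do not remove.
```yaml
# … unchanged: Generate client certificate …

- name: Fetch CA key and client credentials to the controller
  ansible.builtin.fetch:
    src: "{{ certs_path }}/{{ item }}"
    dest: "{{ playbook_dir }}/fetched/{{ inventory_hostname }}/"
    flat: true
  loop:
    - ca-key.pem
    - cert.pem
    - key.pem

- name: Remove CA private key from the host
  ansible.builtin.file:
    path: "{{ certs_path }}/ca-key.pem"
    state: absent

# … unchanged: CSR and extension-file cleanup, permissions …
```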
diff --git a/ansible/maintenance/maint-docker-clean.yaml b/ansible/docker/maint-docker-clean.yaml similarity index 100% rename from ansible/maintenance/maint-docker-clean.yaml rename to ansible/docker/maint-docker-clean.yaml diff --git a/ansible/installation/inst-core.yaml b/ansible/installation/inst-core.yaml deleted file mode 100644 index 24ca7da..0000000 --- a/ansible/installation/inst-core.yaml +++ /dev/null @@ -1,12 +0,0 @@ ---- -- name: Install core packages - hosts: "{{ my_hosts | d([]) }}" - become: true - - tasks: - - name: Install core packages - ansible.builtin.apt: - name: - - prometheus-node-exporter - - nfs-common - update_cache: true diff --git a/ansible/installation/inst-microk8s.yaml b/ansible/installation/inst-microk8s.yaml deleted file mode 100644 index c7c63c7..0000000 --- a/ansible/installation/inst-microk8s.yaml +++ /dev/null @@ -1,16 +0,0 @@ ---- -- name: Install microk8s - hosts: "{{ my_hosts | d([]) }}" - become: true - - tasks: - - name: Install microk8s - community.general.snap: - classic: true - name: microk8s - - - name: Add user to group microk8s - ansible.builtin.user: - name: "{{ lookup('env', 'USER') }}" - groups: microk8s - append: true diff --git a/ansible/installation/inst-k8s/README.md b/ansible/kubernetes/README.md similarity index 100% rename from ansible/installation/inst-k8s/README.md rename to ansible/kubernetes/README.md diff --git a/ansible/installation/inst-k8s/ansible.cfg b/ansible/kubernetes/ansible.cfg similarity index 100% rename from ansible/installation/inst-k8s/ansible.cfg rename to ansible/kubernetes/ansible.cfg diff --git a/ansible/installation/inst-k8s/inst-k8s.yaml b/ansible/kubernetes/inst-k8s.yaml similarity index 100% rename from ansible/installation/inst-k8s/inst-k8s.yaml rename to ansible/kubernetes/inst-k8s.yaml 
diff --git a/ansible/installation/inst-k8s/k8s_worker_node_connection.j2 b/ansible/kubernetes/k8s_worker_node_connection.j2 similarity index 100% rename from ansible/installation/inst-k8s/k8s_worker_node_connection.j2 rename to ansible/kubernetes/k8s_worker_node_connection.j2 diff --git a/ansible/maintenance/maint-diskspace.yaml b/ansible/maintenance/maint-diskspace.yaml deleted file mode 100644 index 5164855..0000000 --- a/ansible/maintenance/maint-diskspace.yaml +++ /dev/null @@ -1,25 +0,0 @@ ---- -- name: Check disk space - hosts: "{{ my_hosts | d([]) }}" - - tasks: - - name: Check disk space available - ansible.builtin.shell: - cmd: | - set -euo pipefail - df -Ph / | awk 'NR==2 {print $5}' - executable: /bin/bash - changed_when: false - check_mode: false - register: disk_usage - - # - name: Send discord message when disk space is over 80% - # uri: - # url: "your-webhook" - # method: POST - # body_format: json - # body: '{"content": "Disk space on {{ inventory_hostname }} is above 80%!"}' - # headers: - # Content-Type: application/json - # status_code: 204 - # when: disk_usage.stdout[:-1]|int > 80 diff --git a/ansible/deployment/portainer/deploy-portainer.yaml b/ansible/portainer/deploy-portainer.yaml similarity index 100% rename from ansible/deployment/portainer/deploy-portainer.yaml rename to ansible/portainer/deploy-portainer.yaml diff --git a/ansible/deployment/traefik/deploy-traefik.yaml b/ansible/traefik/deploy-traefik.yaml similarity index 100% rename from ansible/deployment/traefik/deploy-traefik.yaml rename to ansible/traefik/deploy-traefik.yaml diff --git a/ansible/configuration/ssh/config-add-sshkey.yaml b/ansible/ubuntu/config-add-sshkey.yaml similarity index 100% rename from ansible/configuration/ssh/config-add-sshkey.yaml rename to ansible/ubuntu/config-add-sshkey.yaml 
diff --git a/ansible/installation/inst-qemu-agent.yaml b/ansible/ubuntu/inst-qemu-agent.yaml similarity index 100% rename from ansible/installation/inst-qemu-agent.yaml rename to ansible/ubuntu/inst-qemu-agent.yaml diff --git a/ansible/installation/inst-vm-core.yaml b/ansible/ubuntu/inst-vm-core.yaml similarity index 100% rename from ansible/installation/inst-vm-core.yaml rename to ansible/ubuntu/inst-vm-core.yaml diff --git a/ansible/installation/inst-zsh.yaml b/ansible/ubuntu/inst-zsh.yaml similarity index 100% rename from ansible/installation/inst-zsh.yaml rename to ansible/ubuntu/inst-zsh.yaml diff --git a/ansible/ubuntu/maint-diskspace.yaml b/ansible/ubuntu/maint-diskspace.yaml new file mode 100644 index 0000000..19eaaee --- /dev/null +++ b/ansible/ubuntu/maint-diskspace.yaml @@ -0,0 +1,25 @@ +--- +- name: Check disk space + hosts: "{{ my_hosts | d([]) }}" + + tasks: + - name: Check disk space available + ansible.builtin.shell: + cmd: | + set -euo pipefail + df -Ph / | awk 'NR==2 {print $5}' + executable: /bin/bash + changed_when: false + check_mode: false + register: disk_usage + +# - name: Send discord message when disk space is over 80% +# uri: +# url: "your-webhook" +# method: POST +# body_format: json +# body: '{"content": "Disk space on {{ inventory_hostname }} is above 80%!"}' +# headers: +# Content-Type: application/json +# status_code: 204 +# when: disk_usage.stdout[:-1]|int > 80 diff --git a/ansible/maintenance/maint-reboot-required.yaml b/ansible/ubuntu/maint-reboot-required.yaml similarity index 100% rename from ansible/maintenance/maint-reboot-required.yaml rename to ansible/ubuntu/maint-reboot-required.yaml diff --git a/ansible/maintenance/maint-reboot.yaml b/ansible/ubuntu/maint-reboot.yaml similarity index 100% rename from ansible/maintenance/maint-reboot.yaml rename to ansible/ubuntu/maint-reboot.yaml diff --git a/ansible/ubuntu/upd-apt.yaml b/ansible/ubuntu/upd-apt.yaml new file mode 100644 index 0000000..b6b4017 --- /dev/null 
+++ b/ansible/ubuntu/upd-apt.yaml @@ -0,0 +1,14 @@ +--- +- name: Update and upgrade apt packages + hosts: all + + tasks: + - name: Update packages with apt + when: ansible_pkg_mgr == 'apt' + ansible.builtin.apt: + update_cache: true + + - name: Upgrade packages with apt + when: ansible_pkg_mgr == 'apt' + ansible.builtin.apt: + upgrade: dist diff --git a/ansible/update/upd-apt-dist.yaml b/ansible/update/upd-apt-dist.yaml deleted file mode 100644 index ed97d53..0000000 --- a/ansible/update/upd-apt-dist.yaml +++ /dev/null @@ -1 +0,0 @@ ---- diff --git a/ansible/update/upd-apt.yaml b/ansible/update/upd-apt.yaml deleted file mode 100644 index b2b552e..0000000 --- a/ansible/update/upd-apt.yaml +++ /dev/null @@ -1,27 +0,0 @@ ---- -- name: Update and upgrade apt packages - hosts: all - - tasks: - - name: Update packages with apt - when: ansible_pkg_mgr == 'apt' - ansible.builtin.apt: - update_cache: true - - - name: Update packages with yum - when: ansible_pkg_mgr == 'yum' - ansible.builtin.yum: - name: '*' - state: latest # noqa: package-latest - - - name: Upgrade packages with apt - when: ansible_pkg_mgr == 'apt' - ansible.builtin.apt: - upgrade: dist - - - name: Upgrade packages with yum - when: ansible_pkg_mgr == 'yum' - ansible.builtin.yum: - name: '*' - state: latest # noqa: package-latest - exclude: kernel* diff --git a/ansible/installation/inst-wireguard.yaml b/ansible/wireguard/inst-wireguard.yaml similarity index 100% rename from ansible/installation/inst-wireguard.yaml rename to ansible/wireguard/inst-wireguard.yaml diff --git a/docker-compose/ansiblesemaphore/compose.yaml b/docker-compose/ansiblesemaphore/compose.yaml index fe9be57..5a6b762 100644 --- a/docker-compose/ansiblesemaphore/compose.yaml +++ b/docker-compose/ansiblesemaphore/compose.yaml @@ -4,7 +4,7 @@ volumes: driver: local services: mysql: - image: docker.io/library/mysql:8.3 + image: docker.io/library/mysql:8.4 hostname: mysql volumes: - semaphore-mysql:/var/lib/mysql 
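Review bot: `hosts: all` with no `become: true` means both `ansible.builtin.apt` tasks run as the connecting user, and `update_cache: true` and `upgrade: dist` need root, so this play fails unless privilege escalation is supplied by the inventory or ansible.cfg. The other playbooks in this commit set `become: true` and target `"{{ my_hosts | d([]) }}"`; using the same pair here would make the play consistent and keep a bare `ansible-playbook upd-apt.yaml` from dist-upgrading every host at once. With the yum tasks dropped, the remaining `when: ansible_pkg_mgr == 'apt'` guards now only make non-apt hosts skip silently, which is fine but worth a one-line comment.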
@@ -16,7 +16,7 @@ services: restart: unless-stopped semaphore: container_name: ansiblesemaphore - image: docker.io/semaphoreui/semaphore:v2.10.42 + image: docker.io/semaphoreui/semaphore:v2.11.2 user: "${UID}:${GID}" ports: - 3000:3000 diff --git a/docker-compose/authentik/compose.yaml b/docker-compose/authentik/compose.yaml index c834b2a..3c0ed38 100644 --- a/docker-compose/authentik/compose.yaml +++ b/docker-compose/authentik/compose.yaml @@ -1,7 +1,7 @@ --- services: postgres: - image: docker.io/library/postgres:16.5 + image: docker.io/library/postgres:16.6 container_name: authentik-db environment: - POSTGRES_USER=${POSTGRES_USER:-authentik} @@ -18,7 +18,7 @@ services: - postgres_data:/var/lib/postgresql/data restart: unless-stopped redis: - image: docker.io/library/redis:7.4.1 + image: docker.io/library/redis:7.4.2 container_name: authentik-redis command: --save 60 1 --loglevel warning healthcheck: @@ -31,7 +31,7 @@ services: - redis_data:/data restart: unless-stopped server: - image: ghcr.io/goauthentik/server:2024.10.4 + image: ghcr.io/goauthentik/server:2024.12.2 container_name: authentik-server command: server environment: @@ -65,7 +65,7 @@ services: - redis restart: unless-stopped worker: - image: ghcr.io/goauthentik/server:2024.10.4 + image: ghcr.io/goauthentik/server:2024.12.2 container_name: authentik-worker command: worker environment: diff --git a/docker-compose/clamav/compose.yaml b/docker-compose/clamav/compose.yaml new file mode 100644 index 0000000..f1d7c42 --- /dev/null +++ b/docker-compose/clamav/compose.yaml 
@@ -0,0 +1,20 @@
+---
+services:
+ clamav:
+ image: docker.io/clamav/clamav:1.4.1
+ container_name: clamav
+ volumes:
+ - ./config/clamd.conf:/etc/clamav/clamd.conf:ro
+ - ./config/freshclam.conf:/etc/clamav/freshclam.conf:ro
+ - clamav-data:/var/lib/clamav
+ # --> (Optional) Add a directory to scan
+ # - ./scandir:/scandir:rw
+ # <--
+ # -- Change logging driver here... (required for Wazuh integration)
+ logging:
+ driver: syslog
+ options:
+ tag: "clamd"
+ restart: unless-stopped
+volumes:
+ clamav-data:
diff --git a/docker-compose/clamav/config/clamd.conf b/docker-compose/clamav/config/clamd.conf
new file mode 100644
index 0000000..fe339da
--- /dev/null
+++ b/docker-compose/clamav/config/clamd.conf
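Review bot: The optional scan-directory mount `# - ./scandir:/scandir:rw` gives clamd write access to a host directory it only needs to read; unless on-access remediation is intended, `# - ./scandir:/scandir:ro` is sufficient and keeps a compromised scanner container from altering the files under scan. The two config mounts are already `:ro`, so the example would be consistent with them.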
@@ -0,0 +1,81 @@
+# -- Change Log settings here...
+LogSyslog yes
+LogTime yes
+# --> (Optional) Enable logging to file, can work together with LogSyslog
+# LogFile /var/log/clamav/clamd.log
+# LogRotate no
+# <--
+
+# -- Change process settings here...
+PidFile /tmp/clamd.pid
+LocalSocket /run/clamav/clamd.sock
+
+# -- Change TCP port settings here...
+TCPSocket 3310
+
+# -- Change user settings here...
+User clamav
+
+# -- Change detection settings here...
+# DetectPUA no
+# HeuristicAlerts yes
+# HeuristicScanPrecedence no
+
+# -- Change Heuristic Alerts here...
+# AlertBrokenExecutables no
+# AlertBrokenMedia no
+# AlertEncrypted no
+# AlertEncryptedArchive no
+# AlertEncryptedDoc no
+# AlertOLE2Macros no
+# AlertPhishingSSLMismatch no
+# AlertPhishingCloak no
+# AlertPartitionIntersection no
+
+# -- Change Executable files settings here...
+# ScanPE yes
+# DisableCertCheck no
+# ScanELF yes
+
+# -- Change Documents settings here...
+# ScanOLE2 yes
+# ScanPDF yes
+# ScanSWF yes
+# ScanXMLDOCS yes
+# ScanHWP3 yes
+# ScanOneNote yes
+
+# -- Change other file types settings here...
+# ScanImage yes
+# ScanImageFuzzyHash yes
+
+# -- Change Mail files settings here...
+# ScanMail yes
+# ScanPartialMessages no
+# PhishingSignatures yes
+# PhishingScanURLs yes
+
+# -- Change Data Loss Prevention (DLP) settings here...
+# StructuredDataDetection no
+# StructuredMinCreditCardCount 3
+# StructuredCCOnly no
+# StructuredMinSSNCount 3
+# StructuredSSNFormatNormal yes
+# StructuredSSNFormatStripped no
+
+# -- Change HTML settings here...
+# ScanHTML yes
+
+# -- Change Archives settings here...
+# ScanArchive yes
+
+# -- Change On-access Scan settings here...
+# OnAccessMaxFileSize 5M
+# OnAccessMaxThreads 5
+# --> (Optional) Set include paths, exclude paths, mount paths, etc...
+#OnAccessIncludePath /home
+#OnAccessExcludePath /home/user
+#OnAccessExtraScanning no
+#OnAccessMountPath /
+#OnAccessMountPath /home/user
+# <--
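Review bot: `TCPSocket 3310` is enabled without a `TCPAddr`, so clamd listens on every interface in the container's network namespace (the clamd.conf man page documents all-interfaces as the default when TCPAddr is unset; confirm for 1.4). The compose file publishes no ports, so today the unauthenticated scan socket is reachable only from containers on the same network, but nothing in this file says so; a comment such as `# TCPSocket is unauthenticated: keep this port unpublished in compose, or set TCPAddr 127.0.0.1` next to it would keep a later `ports:` edit from exposing it. With `LocalSocket` also set, two listeners are active; if clients only use one, the other can be dropped.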
diff --git a/docker-compose/clamav/config/freshclam.conf b/docker-compose/clamav/config/freshclam.conf new file mode 100644 index 0000000..7b8ce2a --- /dev/null +++ b/docker-compose/clamav/config/freshclam.conf @@ -0,0 +1,21 @@ +# -- Change Log settings here... +LogSyslog no +LogTime yes +# --> (Optional) Enable logging to file, can work together with LogSyslog +# UpdateLogFile /var/log/clamav/freshclam.log +# LogRotate no +# <-- + +# -- Change process settings here... +PidFile /tmp/freshclam.pid + +# -- Change database settings here... +DatabaseOwner clamav +DatabaseMirror database.clamav.net + +# -- Change update and notification settings here... +ScriptedUpdates yes +NotifyClamd /etc/clamav/clamd.conf + +# -- Change custom sources for databases here... +#DatabaseCustomURL http://myserver.example.com/mysigs.ndb diff --git a/docker-compose/dockge/compose.yaml b/docker-compose/dockge/compose.yaml index 83f7961..cc546fa 100644 --- a/docker-compose/dockge/compose.yaml +++ b/docker-compose/dockge/compose.yaml @@ -2,7 +2,7 @@ services: dockge: container_name: dockge - image: louislam/dockge:1.4.2 + image: docker.io/louislam/dockge:1.4.2 volumes: - /var/run/docker.sock:/var/run/docker.sock - dockge-data:/app/data diff --git a/docker-compose/duplicati/compose.yaml b/docker-compose/duplicati/compose.yaml index 1d8dddd..9f158fc 100644 --- a/docker-compose/duplicati/compose.yaml +++ b/docker-compose/duplicati/compose.yaml @@ -1,7 +1,7 @@ --- services: duplicati: - image: lscr.io/linuxserver/duplicati:2.0.8 + image: lscr.io/linuxserver/duplicati:2.1.0 container_name: duplicati environment: - PUID=1000 diff --git a/docker-compose/factory/runner-pool/compose.yaml b/docker-compose/factory/runner-pool/compose.yaml index 563d0c8..d460bca 100644 --- a/docker-compose/factory/runner-pool/compose.yaml +++ b/docker-compose/factory/runner-pool/compose.yaml 
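Review bot: `LogSyslog no` in freshclam.conf, while clamd.conf in this commit sets `LogSyslog yes` for the Wazuh integration, means failed signature updates never reach the syslog pipeline, and a stale signature database is the most common way a clamd deployment silently degrades. `LogSyslog yes` here (or at least enabling the commented `UpdateLogFile`) makes update failures visible in the same place as detections. A comment noting the update interval in use (`Checks` is left at its default) would also help operators tune it.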
@@ -2,7 +2,7 @@ services: refactr-runner: container_name: factory-runnerpool-prod-1 - image: docker.io/refactr/runner-pool:v0.152.4 + image: docker.io/refactr/runner-pool:v0.152.6 user: root volumes: - /run/docker.sock:/run/docker.sock diff --git a/docker-compose/gitea/.env.example b/docker-compose/gitea/.env.example new file mode 100644 index 0000000..2a6bc0e --- /dev/null +++ b/docker-compose/gitea/.env.example @@ -0,0 +1,8 @@ +# Environment Variable Example File +# --- +# Add internal database credentials here... +# POSTGRES_HOST = "your-database-host" +# POSTGRES_PORT = "your-database-port" +POSTGRES_DB = "your-database-name" +POSTGRES_USER = "your-database-user" +POSTGRES_PASSWORD = "your-database-password" diff --git a/docker-compose/gitea/compose.yaml b/docker-compose/gitea/compose.yaml new file mode 100644 index 0000000..c8e02b9 --- /dev/null +++ b/docker-compose/gitea/compose.yaml 
@@ -0,0 +1,90 @@
+---
+services:
+ server:
+ image: gitea/gitea:1.23.1
+ container_name: gitea-server
+ environment:
+ - USER_UID=1000
+ - USER_GID=1000
+ # -- Change your database settings here...
+ # --> PostgreSQL
+ - GITEA__database__DB_TYPE=postgres
+ - GITEA__database__HOST=${POSTGRES_HOST:-db}:${POSTGRES_PORT:-5432}
+ - GITEA__database__NAME=${POSTGRES_DB:?POSTGRES_DB not set}
+ - GITEA__database__USER=${POSTGRES_USER:?POSTGRES_USER not set}
+ - GITEA__database__PASSWD=${POSTGRES_PASSWORD:?POSTGRES_PASSWORD not set}
+ # <--
+ # --> OR MySQL
+ # - GITEA__database__DB_TYPE=mysql
+ # - GITEA__database__HOST=db:3306
+ # - GITEA__database__NAME=${MYSQL_DATABASE:?MYSQL_DATABASE not set}
+ # - GITEA__database__USER=${MYSQL_USER:?MYSQL_USER not set}
+ # - GITEA__database__PASSWD=${MYSQL_PASSWORD:?MYSQL_PASSWORD not set}
+ # <--
+ # -- (Optional) Change your server settings here...
+ - GITEA__server__SSH_PORT=2221 # <-- (Optional) Replace with your desired SSH port
+ - GITEA__server__ROOT_URL=http://your-fqdn # <-- Replace with your FQDN
+ # --> (Optional) When using traefik...
+ # networks:
+ # - frontend
+ # <--
+ # --> (Optional) When using an internal database...
+ # - backend
+ # <--
+ volumes:
+ - gitea-data:/data
+ - /etc/timezone:/etc/timezone:ro
+ - /etc/localtime:/etc/localtime:ro
+ ports:
+ # --> (Optional) Remove when using traefik...
+ - "3000:3000"
+ # <--
+ - "2221:22" # <-- (Optional) Replace with your desired SSH port
+ # --> (Optional) When using internal database...
+ # depends_on:
+ # - db
+ # <--
+ # --> (Optional) When using traefik...
+ # labels:
+ # - traefik.enable=true
+ # - traefik.http.services.gitea.loadbalancer.server.port=3000
+ # - traefik.http.services.gitea.loadbalancer.server.scheme=http
+ # - traefik.http.routers.gitea-https.entrypoints=websecure
+ # - traefik.http.routers.gitea-https.rule=Host(`your-fqdn`) # <-- Replace with your FQDN
+ # - traefik.http.routers.gitea-https.tls=true
+ # - traefik.http.routers.gitea-https.tls.certresolver=your-certresolver # <-- Replace with your certresolver
+ # <--
+ restart: unless-stopped
+
+# --> When using internal database
+# db:
+# image: postgres:14
+# container_name: gitea-db
+# environment:
+# - POSTGRES_USER=${POSTGRES_USER:?POSTGRES_USER not set}
+# - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:?POSTGRES_PASSWORD not set}
+# - POSTGRES_DB=${POSTGRES_DB:?POSTGRES_DB not set}
+# networks:
+# - backend
+# volumes:
+# - gitea-db:/var/lib/postgresql/data
+# restart: unless-stopped
+# <--
+
+volumes:
+ gitea-data:
+ driver: local
+# --> When using internal database
+# gitea-db:
+# driver: local
+# <--
+
+# --> (Optional) When using traefik...
+# networks:
+# frontend:
+# external: true
+# <--
+# --> (Optional) When using an internal database...
+# backend:
+# external: true
+# <--
diff --git a/docker-compose/gitlab/compose.yaml b/docker-compose/gitlab/compose.yaml
new file mode 100644
index 0000000..ebe2128
--- /dev/null
+++ b/docker-compose/gitlab/compose.yaml
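Review bot: `image: gitea/gitea:1.23.1` is not registry-qualified, although this same commit changes dockge to `docker.io/louislam/dockge:1.4.2`, apparently for that reason; `image: docker.io/gitea/gitea:1.23.1` keeps the pull unambiguous on hosts whose daemon has a different default registry, and the gitlab compose file (`gitlab/gitlab-ce:17.7.1-ce.0`) and the commented `postgres:14` here have the same gap. Separately, the commented traefik labels terminate TLS on `websecure`, but `GITEA__server__ROOT_URL=http://your-fqdn` stays plain http, so Gitea behind that proxy would generate http links and clone URLs; the example should read `https://your-fqdn` for the traefik path, or the comment should say to change the scheme. The SSH port 2221 also appears in both `GITEA__server__SSH_PORT` and `ports:` with no note that they must agree.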
@@ -0,0 +1,52 @@
+---
+services:
+ gitlab:
+ image: gitlab/gitlab-ce:17.7.1-ce.0
+ container_name: gitlab
+ shm_size: '256m'
+ environment: {}
+ # --> (Optional) When using traefik...
+ # networks:
+ # - frontend
+ # <--
+ volumes:
+ - ./config:/etc/gitlab
+ - ./logs:/var/log/gitlab
+ - gitlab-data:/var/opt/gitlab
+ ports:
+ # --> (Optional) Remove when using traefik...
+ - "80:80"
+ - "443:443"
+ # <--
+ - '2424:22'
+ # --> (Optional) When using traefik...
+ # labels:
+ # - traefik.enable=true
+ # - traefik.http.services.gitlab.loadbalancer.server.port=80
+ # - traefik.http.services.gitlab.loadbalancer.server.scheme=http
+ # - traefik.http.routers.gitlab.service=gitlab
+ # - traefik.http.routers.gitlab.rule=Host(`your-gitlab-fqdn`)
+ # - traefik.http.routers.gitlab.entrypoints=websecure
+ # - traefik.http.routers.gitlab.tls=true
+ # - traefik.http.routers.gitlab.tls.certresolver=cloudflare
+ # <--
+ # --> (Optional) Enable Container Registry settings here...
+ # - traefik.http.services.registry.loadbalancer.server.port=5678
+ # - traefik.http.services.registry.loadbalancer.server.scheme=http
+ # - traefik.http.routers.registry.service=registry
+ # - traefik.http.routers.registry.rule=Host(`your-registry-fqdn`)
+ # - traefik.http.routers.registry.entrypoints=websecure
+ # - traefik.http.routers.registry.tls=true
+ # - traefik.http.routers.registry.tls.certresolver=cloudflare
+ # <--
+ restart: unless-stopped
+
+volumes:
+ gitlab-data:
+ driver: local
+
+# --> (Optional) When using traefik...
+# networks:
+# frontend:
+# external: true
+# <--
diff --git a/docker-compose/gitlab/config/gitlab.rb b/docker-compose/gitlab/config/gitlab.rb
new file mode 100644
index 0000000..a838539
--- /dev/null
+++ b/docker-compose/gitlab/config/gitlab.rb
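Review bot: `- ./config:/etc/gitlab` bind-mounts a directory that sits inside the repository checkout (this commit adds `gitlab.rb` under `docker-compose/gitlab/config/`), and GitLab writes its generated secrets into `/etc/gitlab` on first start (`gitlab-secrets.json`, SSH host keys); together with the real OIDC client secret and SMTP password that the gitlab.rb template asks operators to fill in, that material is one `git add` away from being committed. A `.gitignore` entry for `docker-compose/gitlab/config/*` with an exception for `gitlab.rb` (and the same treatment for `./logs`), or a named volume for `/etc/gitlab`, keeps the checkout free of secrets. Quoting is also mixed in `ports:`: `"80:80"` and `"443:443"` use double quotes while `'2424:22'` uses single quotes; pick one style.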
@@ -0,0 +1,58 @@
+# -- Change GitLab settings here...
+external_url 'https://your-gitlab-fqdn' # <-- Replace with your GitLab FQDN
+
+# -- (Optional) Change GitLab Shell settings here...
+gitlab_rails['gitlab_shell_ssh_port'] = 2424
+
+# -- Change internal web service settings here...
+letsencrypt['enable'] = false
+nginx['listen_port'] = 80
+nginx['listen_https'] = false
+
+# --> (Optional) Enable Container Registry settings here...
+# registry_external_url 'https://your-registry-fqdn' # <-- Replace with your registry FQDN
+# gitlab_rails['registry_enabled'] = true
+# registry_nginx['listen_https'] = false
+# registry_nginx['listen_port'] = 5678 # <-- Replace with your registry port
+# <--
+
+# --> (Optional) Add Authentik settings here...
+# gitlab_rails['omniauth_auto_link_user'] = ['openid_connect']
+# gitlab_rails['omniauth_providers'] = [
+# {
+# name: "openid_connect", # !-- Do not change this parameter
+# label: "Authentik", # <-- (Optional) Change name for login button, defaults to "Openid Connect"
+# icon: "https://avatars.githubusercontent.com/u/82976448?s=200&v=4",
+# args: {
+# name: "openid_connect",
+# scope: ["openid","profile","email"],
+# response_type: "code",
+# issuer: "https://your-authentik-fqdn/application/o/your-gitlab-slug/", # <-- Replace with your Authentik FQDN and GitLab slug
+# discovery: true,
+# client_auth_method: "query",
+# uid_field: "email",
+# send_scope_to_token_endpoint: "false",
+# pkce: true,
+# client_options: {
+# identifier: "your-authentik-provider-client-id", # <-- Replace with your Authentik provider client ID
+# secret: "your-authentik-provider-client-secret", # <-- Replace with your Authentik provider client secret
+# redirect_uri: "https://your-authentik-fqdn/users/auth/openid_connect/callback" # <-- Replace with your Authentik FQDN
+# }
+# }
+# }
+# ]
+# <--
+
+# --> (Optional) Change SMTP settings here...
+# gitlab_rails['smtp_enable'] = true +# gitlab_rails['smtp_address'] = "your-smtp-server-addr" # <-- Replace with your SMTP server address +# gitlab_rails['smtp_port'] = 465 +# gitlab_rails['smtp_user_name'] = "your-smtp-username" # <-- Replace with your SMTP username +# gitlab_rails['smtp_password'] = "your-smtp-password" # <-- Replace with your SMTP password +# gitlab_rails['smtp_domain'] = "your-smtp-domain" # <-- Replace with your SMTP domain +# gitlab_rails['smtp_authentication'] = "login" +# gitlab_rails['smtp_ssl'] = true +# gitlab_rails['smtp_force_ssl'] = true +# gitlab_rails['gitlab_email_from'] = 'your-email-from-addr' # <-- Replace with your email from address +# gitlab_rails['gitlab_email_reply_to'] = 'your-email-replyto-addr' # <-- Replace with your email reply-to address +# <-- diff --git a/docker-compose/grafana/compose.yaml b/docker-compose/grafana/compose.yaml index 8b4a1e9..f805307 100644 --- a/docker-compose/grafana/compose.yaml +++ b/docker-compose/grafana/compose.yaml @@ -4,7 +4,7 @@ volumes: driver: local services: grafana: - image: docker.io/grafana/grafana-oss:11.3.1 + image: docker.io/grafana/grafana-oss:11.4.0 container_name: grafana ports: - "3000:3000" diff --git a/docker-compose/homeassistant/compose.yaml b/docker-compose/homeassistant/compose.yaml index 1204ba4..fa776cf 100644 --- a/docker-compose/homeassistant/compose.yaml +++ b/docker-compose/homeassistant/compose.yaml @@ -2,7 +2,7 @@ services: homeassistant: container_name: homeassistant - image: ghcr.io/home-assistant/home-assistant:2024.11.2 + image: ghcr.io/home-assistant/home-assistant:2025.1.2 volumes: - ./config:/config - /etc/localtime:/etc/localtime:ro diff --git a/docker-compose/homepage/compose.yaml b/docker-compose/homepage/compose.yaml index 6f27d65..2702740 100644 --- a/docker-compose/homepage/compose.yaml +++ b/docker-compose/homepage/compose.yaml 
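Review bot: `redirect_uri` in the Authentik block points at the Authentik host, but `/users/auth/openid_connect/callback` is a route served by GitLab, so the placeholder and its hint should read `redirect_uri: "https://your-gitlab-fqdn/users/auth/openid_connect/callback" # <-- Replace with your GitLab FQDN`; as written, the registered redirect URI will not match and the login flow cannot complete. `omniauth_auto_link_user` together with `uid_field: "email"` links an IdP identity to an existing GitLab account purely by e-mail address, which is only safe when the IdP guarantees verified e-mails, so a one-line comment stating that precondition belongs above it. `letsencrypt['enable'] = false` plus `nginx['listen_https'] = false` assume a TLS-terminating proxy in front, yet the default compose file publishes 80/443 directly; a comment tying these lines to the Traefik option would prevent a plain-HTTP GitLab that advertises https links. The SMTP password and OIDC client secret are placed inline in a file that is bind-mounted from the repository; gitlab.rb is evaluated as Ruby, so values such as `ENV['SMTP_PASSWORD']` fed through the compose `environment:` block keep them out of the tree.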
@@ -1,7 +1,7 @@ --- services: homepage: - image: ghcr.io/gethomepage/homepage:v0.9.12 + image: ghcr.io/gethomepage/homepage:v0.10.9 container_name: homepage environment: - LOG_LEVEL=info @@ -17,17 +17,17 @@ services: - ./images:/app/images # for custom background images - ./icons:/app/icons # for custom icons restart: unless-stopped - # (Optional) For secure docker socket integration - # dockerproxy: - # image: ghcr.io/tecnativa/docker-socket-proxy:0.3.0 - # container_name: homepage-demo-1-dockerproxy - # environment: - # - CONTAINERS=1 # Allow access to viewing containers - # - SERVICES=1 # Allow access to viewing services (necessary when using Docker Swarm) - # - TASKS=1 # Allow access to viewing tasks (necessary when using Docker Swarm) - # - POST=0 # Disallow any POST operations (effectively read-only) - # ports: - # - 127.0.0.1:2375:2375 - # volumes: - # - /run/docker.sock:/run/docker.sock:ro # Mounted as read-only - # restart: unless-stopped +# (Optional) For secure docker socket integration +# dockerproxy: +# image: ghcr.io/tecnativa/docker-socket-proxy:0.3.0 +# container_name: homepage-demo-1-dockerproxy +# environment: +# - CONTAINERS=1 # Allow access to viewing containers +# - SERVICES=1 # Allow access to viewing services (necessary when using Docker Swarm) +# - TASKS=1 # Allow access to viewing tasks (necessary when using Docker Swarm) +# - POST=0 # Disallow any POST operations (effectively read-only) +# ports: +# - 127.0.0.1:2375:2375 +# volumes: +# - /run/docker.sock:/run/docker.sock:ro # Mounted as read-only +# restart: unless-stopped diff --git a/docker-compose/homer/assets/example.config.yml b/docker-compose/homer/assets/example.config.yml index e59e138..3aa1f41 100644 --- a/docker-compose/homer/assets/example.config.yml +++ b/docker-compose/homer/assets/example.config.yml @@ -8,7 +8,7 @@ logo: "logo.png" # icon: "fas fa-skull-crossbones" # Optional icon header: true -footer: '

Created with with bulma, vuejs & font awesome // Fork me on

' # set false if you want to hide it. +footer: false # Optional theme customization theme: default @@ -40,8 +40,8 @@ colors: # Optional message message: - #url: https://b4bz.io - style: "is-dark" # See https://bulma.io/documentation/components/message/#colors for styling options. + # url: https://b4bz.io + style: "is-dark" # See https://bulma.io/documentation/components/message/#colors for styling options. title: "Demo !" icon: "fa fa-grin" content: "This is a dummy homepage demo.
Find more information on github.com/bastienwirtz/homer" @@ -52,7 +52,7 @@ links: - name: "Contribute" icon: "fab fa-github" url: "https://github.com/bastienwirtz/homer" - target: "_blank" # optional html a tag target attribute + target: "_blank" # optional html a tag target attribute - name: "Wiki" icon: "fas fa-book" url: "https://www.wikipedia.org/" @@ -74,7 +74,7 @@ services: subtitle: "Bookmark example" tag: "app" url: "https://www.reddit.com/r/selfhosted/" - target: "_blank" # optional html a tag target attribute + target: "_blank" # optional html a tag target attribute - name: "Another one" logo: "assets/tools/sample2.png" subtitle: "Another application" diff --git a/docker-compose/homer/compose.yaml b/docker-compose/homer/compose.yaml index 0c7c742..659c888 100644 --- a/docker-compose/homer/compose.yaml +++ b/docker-compose/homer/compose.yaml @@ -1,7 +1,7 @@ --- services: homer: - image: docker.io/b4bz/homer:v24.11.4 + image: docker.io/b4bz/homer:v24.12.1 container_name: homer ports: - "8080:8080" diff --git a/docker-compose/influxdb/compose.yaml b/docker-compose/influxdb/compose.yaml index 60eca8c..5cc437c 100644 --- a/docker-compose/influxdb/compose.yaml +++ b/docker-compose/influxdb/compose.yaml @@ -8,7 +8,7 @@ volumes: services: influxdb: container_name: influxdb - image: docker.io/library/influxdb:2.7.10-alpine + image: docker.io/library/influxdb:2.7.11-alpine # (Optional) remove this section when using traefik ports: - '8086:8086' diff --git a/docker-compose/mariadb/compose.yaml b/docker-compose/mariadb/compose.yaml index b0ca923..8131e38 100644 --- a/docker-compose/mariadb/compose.yaml +++ b/docker-compose/mariadb/compose.yaml @@ -7,8 +7,7 @@ volumes: mariadb-data: services: mariadb: - # (Recommended) replace "latest" with specific version - image: docker.io/library/mariadb:11.5.2 + image: docker.io/library/mariadb:11.6.2 # (Optional) remove this section when you don't want to expose ports: - 3306:3306 
diff --git a/docker-compose/nextcloud/compose.yaml b/docker-compose/nextcloud/compose.yaml index 422d8b3..f0743a3 100644 --- a/docker-compose/nextcloud/compose.yaml +++ b/docker-compose/nextcloud/compose.yaml @@ -4,7 +4,7 @@ volumes: nextcloud-db: services: nextcloud-app: - image: docker.io/library/nextcloud:30.0.2-apache + image: docker.io/library/nextcloud:30.0.4-apache container_name: nextcloud-app ports: - 80:80 diff --git a/docker-compose/nginxproxymanager/compose.yaml b/docker-compose/nginxproxymanager/compose.yaml index 031acad..ddff9c5 100644 --- a/docker-compose/nginxproxymanager/compose.yaml +++ b/docker-compose/nginxproxymanager/compose.yaml @@ -5,7 +5,7 @@ volumes: nginxproxymanager-db: services: nginxproxymanager: - image: docker.io/jc21/nginx-proxy-manager:2.12.1 + image: docker.io/jc21/nginx-proxy-manager:2.12.2 ports: - 80:80 - 81:81 diff --git a/docker-compose/nvidiasmi/compose.yaml b/docker-compose/nvidiasmi/compose.yaml index 1fbe86c..ee51711 100644 --- a/docker-compose/nvidiasmi/compose.yaml +++ b/docker-compose/nvidiasmi/compose.yaml @@ -1,7 +1,7 @@ --- services: nvidia_smi_exporter: - image: docker.io/utkuozdemir/nvidia_gpu_exporter:1.2.1 + image: docker.io/utkuozdemir/nvidia_gpu_exporter:1.3.0 container_name: nvidia_smi_exporter runtime: nvidia environment: diff --git a/docker-compose/passbolt/compose.yaml b/docker-compose/passbolt/compose.yaml index 81ec8a8..4177151 100644 --- a/docker-compose/passbolt/compose.yaml +++ b/docker-compose/passbolt/compose.yaml @@ -17,7 +17,7 @@ services: restart: unless-stopped passbolt: container_name: passbolt-app - image: docker.io/passbolt/passbolt:4.9.1-1-ce + image: docker.io/passbolt/passbolt:4.10.1-1-ce depends_on: - passbolt-db environment: diff --git a/docker-compose/postgres/compose.yaml b/docker-compose/postgres/compose.yaml index e1c133f..385760a 100644 --- a/docker-compose/postgres/compose.yaml +++ b/docker-compose/postgres/compose.yaml 
@@ -1,7 +1,7 @@ --- services: postgres: - image: docker.io/library/postgres:17.1 + image: docker.io/library/postgres:17.2 container_name: postgres environment: - POSTGRES_INITDB_ARGS=${POSTGRES_INITDB_ARGS---data-checksums} diff --git a/docker-compose/prometheus/compose.yaml b/docker-compose/prometheus/compose.yaml index 954eace..3a6da92 100644 --- a/docker-compose/prometheus/compose.yaml +++ b/docker-compose/prometheus/compose.yaml @@ -4,7 +4,7 @@ volumes: driver: local services: prometheus: - image: docker.io/prom/prometheus:v2.55.1 + image: docker.io/prom/prometheus:v3.0.0 container_name: prometheus ports: - 9090:9090 diff --git a/docker-compose/prometheus/config/prometheus.yaml b/docker-compose/prometheus/config/prometheus.yaml index 8f41942..69e5117 100755 --- a/docker-compose/prometheus/config/prometheus.yaml +++ b/docker-compose/prometheus/config/prometheus.yaml @@ -1,5 +1,6 @@ +--- global: - scrape_interval: 15s # By default, scrape targets every 15 seconds. + scrape_interval: 15s # By default, scrape targets every 15 seconds. # Attach these labels to any time series or alerts when communicating with # external systems (federation, remote storage, Alertmanager). @@ -16,12 +17,12 @@ scrape_configs: static_configs: - targets: ['localhost:9090'] - # Example job for node_exporter - # - job_name: 'node_exporter' - # static_configs: - # - targets: ['node_exporter:9100'] +# Example job for node_exporter +# - job_name: 'node_exporter' +# static_configs: +# - targets: ['node_exporter:9100'] - # Example job for cadvisor - # - job_name: 'cadvisor' - # static_configs: - # - targets: ['cadvisor:8080'] +# Example job for cadvisor +# - job_name: 'cadvisor' +# static_configs: +# - targets: ['cadvisor:8080'] diff --git a/docker-compose/swag/compose.yaml b/docker-compose/swag/compose.yaml index 31aee80..a46a4e6 100644 --- a/docker-compose/swag/compose.yaml +++ b/docker-compose/swag/compose.yaml 
@@ -15,7 +15,7 @@ services: - /opt/webserver_swag/config/mariadb:/config restart: unless-stopped swag: - image: docker.io/linuxserver/swag:3.0.1 + image: docker.io/linuxserver/swag:3.1.0 container_name: swag cap_add: - NET_ADMIN diff --git a/docker-compose/teleport/compose.yaml b/docker-compose/teleport/compose.yaml index 2c5e24f..39010d1 100644 --- a/docker-compose/teleport/compose.yaml +++ b/docker-compose/teleport/compose.yaml 
@@ -18,17 +18,17 @@ services: - ./data:/var/lib/teleport # -- (Optional) Traefik example configuration # labels: - # - "traefik.enable=true" - # - "traefik.http.services.teleport.loadbalancer.server.port=3080" - # - "traefik.http.services.teleport.loadbalancer.server.scheme=https" - # - "traefik.http.routers.teleport-http.entrypoints=web" - # - "traefik.http.routers.teleport-http.rule=HostRegexp(`^(?i)(?:[[:alnum:]]+(?:-+[[:alnum:]]+)*\\.)?your-server-url(?::\\d+)?$`)" - # - "traefik.http.routers.teleport-https.entrypoints=websecure" - # - "traefik.http.routers.teleport-https.rule=HostRegexp(`^(?i)(?:[[:alnum:]]+(?:-+[[:alnum:]]+)*\\.)?your-server-url(?::\\d+)?$`)" - # - "traefik.http.routers.teleport-https.tls=true" - # - "traefik.http.routers.teleport-https.tls.certresolver=your-certresolver" - # - "traefik.http.routers.teleport-https.tls.domains[0].main=your-server-url" - # - "traefik.http.routers.teleport-https.tls.domains[0].sans=*.your-server-url" + # - "traefik.enable=true" + # - "traefik.http.services.teleport.loadbalancer.server.port=3080" + # - "traefik.http.services.teleport.loadbalancer.server.scheme=https" + # - "traefik.http.routers.teleport-http.entrypoints=web" + # - "traefik.http.routers.teleport-http.rule=HostRegexp(`^(?i)(?:[[:alnum:]]+(?:-+[[:alnum:]]+)*\\.)?your-server-url(?::\\d+)?$`)" + # - "traefik.http.routers.teleport-https.entrypoints=websecure" + # - "traefik.http.routers.teleport-https.rule=HostRegexp(`^(?i)(?:[[:alnum:]]+(?:-+[[:alnum:]]+)*\\.)?your-server-url(?::\\d+)?$`)" + # - "traefik.http.routers.teleport-https.tls=true" + # - "traefik.http.routers.teleport-https.tls.certresolver=your-certresolver" + # - "traefik.http.routers.teleport-https.tls.domains[0].main=your-server-url" + # - "traefik.http.routers.teleport-https.tls.domains[0].sans=*.your-server-url" # networks: # - your-traefik-network restart: unless-stopped 
diff --git a/docker-compose/teleport/config/teleport.yaml b/docker-compose/teleport/config/teleport.yaml index d4ae4e0..0b0cde6 100644 --- a/docker-compose/teleport/config/teleport.yaml +++ b/docker-compose/teleport/config/teleport.yaml @@ -1,3 +1,4 @@ +--- version: v2 teleport: nodename: your-server-name @@ -9,7 +10,7 @@ teleport: output: text auth_service: - enabled: "yes" + enabled: true listen_addr: 0.0.0.0:3025 proxy_listener_mode: multiplex cluster_name: your-server-url @@ -26,10 +27,10 @@ auth_service: # api_token_path: /etc/teleport/openai_key ssh_service: - enabled: "no" + enabled: false proxy_service: - enabled: "yes" + enabled: true web_listen_addr: 0.0.0.0:3080 # -- (Optional) when using reverse proxy # public_addr: ['your-server-url:443'] @@ -37,7 +38,7 @@ proxy_service: acme: {} # --(Optional) ACME # acme: - # enabled: "yes" + # enabled: true # email: your-email-address # -- (Optional) Teleport Assist # assist: @@ -45,9 +46,9 @@ proxy_service: # api_token_path: /etc/teleport/openai_key app_service: - enabled: no + enabled: false # -- (Optional) App Service - # enabled: yes + # enabled: true # apps: # - name: "yourapp" # uri: "http://your-app-url" diff --git a/docker-compose/traefik/compose.yaml b/docker-compose/traefik/compose.yaml index 0765be3..281289a 100644 --- a/docker-compose/traefik/compose.yaml +++ b/docker-compose/traefik/compose.yaml @@ -1,7 +1,7 @@ --- services: traefik: - image: docker.io/library/traefik:v3.2.1 + image: docker.io/library/traefik:v3.3.1 container_name: traefik ports: - 80:80 
@@ -15,10 +15,10 @@ services: - ./data/certs/:/var/traefik/certs/:rw - ./config/conf.d/:/etc/traefik/conf.d/:ro environment: - - CF_DNS_API_TOKEN=your-cloudflare-api-token # <-- Change this to your Cloudflare API Token + - CF_DNS_API_TOKEN=your-cloudflare-api-token # <-- Change this to your Cloudflare API Token networks: - frontend restart: unless-stopped networks: frontend: - external: true # <-- (Optional) Change this to false if you want to create a new network + external: true # <-- (Optional) Change this to false if you want to create a new network diff --git a/docker-compose/traefik/config/conf.d/externalservice.yaml.example b/docker-compose/traefik/config/conf.d/externalservice.yaml similarity index 99% rename from docker-compose/traefik/config/conf.d/externalservice.yaml.example rename to docker-compose/traefik/config/conf.d/externalservice.yaml index a138191..33ba61c 100644 --- a/docker-compose/traefik/config/conf.d/externalservice.yaml.example +++ b/docker-compose/traefik/config/conf.d/externalservice.yaml @@ -1,3 +1,4 @@ +--- http: # -- Change Router Configuration here... routers: diff --git a/docker-compose/traefik/config/conf.d/middleware-authentik.yaml b/docker-compose/traefik/config/conf.d/middleware-authentik.yaml new file mode 100644 index 0000000..6a1c451 --- /dev/null +++ b/docker-compose/traefik/config/conf.d/middleware-authentik.yaml @@ -0,0 +1,20 @@ +# --> (Optional) Securely expose apps using the Traefik proxy outpost... +# http: +# middlewares: +# authentik-middleware: +# forwardAuth: +# address: http://your-authentik-outpost-fqdn:9000/outpost.goauthentik.io/auth/traefik +# trustForwardHeader: true +# authResponseHeaders: +# - X-authentik-username +# - X-authentik-groups +# - X-authentik-email +# - X-authentik-name +# - X-authentik-uid +# - X-authentik-jwt +# - X-authentik-meta-jwks +# - X-authentik-meta-outpost +# - X-authentik-meta-provider +# - X-authentik-meta-app +# - X-authentik-meta-version +# <-- 
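Review bot: Renaming `externalservice.yaml.example` to `externalservice.yaml` moves the file into the `conf.d/` directory that is mounted into Traefik's configuration tree, so whatever router and service placeholders it holds become live dynamic configuration rather than a template. Only the added `---` line is visible here; unless the rest of the file was also filled with real values, keep the `.example` suffix or move it out of `conf.d/`, and note in the file header that anything placed there is loaded.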
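Review bot: `address: http://your-authentik-outpost-fqdn:9000/...` sends the forward-auth subrequest to the outpost over plain HTTP, and with `trustForwardHeader: true` that subrequest carries the client's cookies and `Authorization` header; this is acceptable only when the outpost sits on the same private Docker network, so a hint such as `# use https:// unless the outpost is reachable only over the internal network` next to `address:` would stop the template being copied into a setup where the outpost is remote. Every other new config file in this change starts with `---` (see `tls.yaml`); this file and `middleware-passbolt.yaml` do not, which a yamllint `document-start` check may report even for a comment-only file.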
diff --git a/docker-compose/traefik/config/conf.d/middleware-passbolt.yaml b/docker-compose/traefik/config/conf.d/middleware-passbolt.yaml new file mode 100644 index 0000000..012fae1 --- /dev/null +++ b/docker-compose/traefik/config/conf.d/middleware-passbolt.yaml @@ -0,0 +1,22 @@ +# --> (Optional) When using Passbolt with Traefik... +# http: +# middlewares: +# passbolt-middleware: +# headers: +# FrameDeny: true +# AccessControlAllowMethods: 'GET,OPTIONS,PUT' +# AccessControlAllowOriginList: +# - origin-list-or-null +# AccessControlMaxAge: 100 +# AddVaryHeader: true +# BrowserXssFilter: true +# ContentTypeNosniff: true +# ForceSTSHeader: true +# STSIncludeSubdomains: true +# STSPreload: true +# ContentSecurityPolicy: default-src 'self' 'unsafe-inline' +# CustomFrameOptionsValue: SAMEORIGIN +# ReferrerPolicy: same-origin +# PermissionsPolicy: vibrate 'self' +# STSSeconds: 315360000 +# <-- diff --git a/docker-compose/traefik/config/conf.d/tls.yaml b/docker-compose/traefik/config/conf.d/tls.yaml new file mode 100644 index 0000000..3bf9464 --- /dev/null +++ b/docker-compose/traefik/config/conf.d/tls.yaml @@ -0,0 +1,18 @@ +--- +# -- Change TLS Configuration here... +tls: + options: + default: + minVersion: VersionTLS12 + sniStrict: true + curvePreferences: + - CurveP256 + - CurveP384 + - CurveP521 + cipherSuites: + - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 + - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 + - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 diff --git a/docker-compose/traefik/config/traefik.yaml b/docker-compose/traefik/config/traefik.yaml index 850b1be..f9446a1 100644 --- a/docker-compose/traefik/config/traefik.yaml +++ b/docker-compose/traefik/config/traefik.yaml @@ -1,3 +1,4 @@ +--- global: checkNewVersion: false sendAnonymousUsage: false 
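Review bot: `PermissionsPolicy: vibrate 'self'` is Feature-Policy syntax; the Permissions-Policy header uses `feature=(allowlist)` form, e.g. `PermissionsPolicy: "geolocation=(), camera=(), microphone=()"`, and `vibrate` is not a recognised feature, so browsers will most likely ignore the header as written. `AccessControlAllowOriginList: - origin-list-or-null` suggests `null` is an acceptable value, but a `null` origin is what sandboxed iframes and opaque-origin requests send, so allowing it amounts to allowing anyone; make the placeholder a concrete origin such as `- https://your-passbolt-fqdn`. `ContentSecurityPolicy: default-src 'self' 'unsafe-inline'` weakens the policy considerably; if Passbolt requires `'unsafe-inline'`, say so in a comment so it is not cargo-culted into other middlewares.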
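Review bot: `curvePreferences` lists only the NIST curves and omits `X25519`, which most current clients offer first; unless there is a reason to restrict to NIST curves, add `- X25519` at the top of the list. A comment that `cipherSuites` governs TLS 1.2 only (TLS 1.3 suites are not configurable here) would save the next reader from wondering why no 1.3 entries are present.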
@@ -40,7 +41,7 @@ certificatesResolvers: storage: /var/traefik/certs/cloudflare-acme.json caServer: "https://acme-v02.api.letsencrypt.org/directory" dnsChallenge: - provider: cloudflare # <-- (Optional) Change this to your DNS provider + provider: cloudflare # <-- (Optional) Change this to your DNS provider resolvers: - "1.1.1.1:53" - "8.8.8.8:53" @@ -53,6 +54,9 @@ certificatesResolvers: providers: docker: exposedByDefault: false # <-- (Optional) Change this to true if you want to expose all services + # Specify discovery network - This ensures correct name resolving and possible issues with containers, that are in multiple networks. + # E.g. Database container in a separate network and a container in the frontend and database network. + network: frontend file: directory: /etc/traefik watch: true diff --git a/docker-compose/twingate/connector/compose.yaml b/docker-compose/twingate/connector/compose.yaml index 55433d8..765d55a 100644 --- a/docker-compose/twingate/connector/compose.yaml +++ b/docker-compose/twingate/connector/compose.yaml @@ -7,7 +7,7 @@ services: twingate_connector: container_name: twingate_connector - image: docker.io/twingate/connector:1.72.0 + image: docker.io/twingate/connector:1.73.0 environment: - TWINGATE_NETWORK=your-twingate-network - TWINGATE_ACCESS_TOKEN=${TWINGATE_ACCESS_TOKEN} diff --git a/docker-compose/uptimekuma/compose.yaml b/docker-compose/uptimekuma/compose.yaml index 71817be..be71fac 100644 --- a/docker-compose/uptimekuma/compose.yaml +++ b/docker-compose/uptimekuma/compose.yaml @@ -4,7 +4,7 @@ volumes: driver: local services: uptimekuma: - image: docker.io/louislam/uptime-kuma:1.23.15 + image: docker.io/louislam/uptime-kuma:1.23.16 container_name: uptimekuma ports: - 3001:3001 diff --git a/docker-compose/wazuh/.env.example b/docker-compose/wazuh/.env.example new file mode 100644 index 0000000..6c4025e --- /dev/null +++ b/docker-compose/wazuh/.env.example 
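Review bot: The comment above the new `network: frontend` line says the setting "ensures correct name resolving and possible issues with containers", which reads as if it causes the issues. Suggest `# Network Traefik uses to reach containers; needed when a container is attached to several networks (e.g. frontend plus a database network), otherwise Traefik may pick an IP it cannot route to.` and drop the second line.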
@@ -0,0 +1,6 @@
+INDEXER_USERNAME = "admin"
+INDEXER_PASSWORD = "your-admin-password"
+DASHBOARD_USERNAME = "kibanaserver"
+DASHBOARD_PASSWORD = "your-kibanaserver-password"
+API_USERNAME = "wazuh-wui"
+API_PASSWORD = "your-wazuh-wui-password"
diff --git a/docker-compose/wazuh/compose.yaml b/docker-compose/wazuh/compose.yaml
new file mode 100644
index 0000000..6971d24
--- /dev/null
+++ b/docker-compose/wazuh/compose.yaml
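Review bot: `INDEXER_USERNAME = "admin"` and the other five lines use spaces around `=` and quoted values, which is not the canonical `VAR=VAL` dotenv form; Compose's parser may tolerate it, but `docker run --env-file`, systemd `EnvironmentFile` and a plain shell `source` keep the quotes or the spaces as part of the value. Write `INDEXER_USERNAME=admin` and so on. A one-line header noting that the real `.env` must not be committed would also be worth adding.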
@@ -0,0 +1,174 @@
+---
+services:
+ wazuh.manager:
+ image: docker.io/wazuh/wazuh-manager:4.10.0
+ container_name: wazuh-prod-1-manager
+ hostname: wazuh.manager
+ ulimits:
+ memlock:
+ soft: -1
+ hard: -1
+ nofile:
+ soft: 655360
+ hard: 655360
+ ports:
+ - "1514:1514"
+ - "1515:1515"
+ - "514:514/udp"
+ - "55000:55000"
+ environment:
+ - INDEXER_URL=https://wazuh.indexer:9200
+ - INDEXER_USERNAME=${INDEXER_USERNAME:?error}
+ - INDEXER_PASSWORD=${INDEXER_PASSWORD:?error}
+ - FILEBEAT_SSL_VERIFICATION_MODE=full
+ - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
+ - SSL_CERTIFICATE=/etc/ssl/filebeat.pem
+ - SSL_KEY=/etc/ssl/filebeat.key
+ - API_USERNAME=${API_USERNAME:?error}
+ - API_PASSWORD=${API_PASSWORD:?error}
+ volumes:
+ - wazuh_api_configuration:/var/ossec/api/configuration
+ - wazuh_etc:/var/ossec/etc
+ - wazuh_logs:/var/ossec/logs
+ - wazuh_queue:/var/ossec/queue
+ - wazuh_var_multigroups:/var/ossec/var/multigroups
+ - wazuh_integrations:/var/ossec/integrations
+ - wazuh_active_response:/var/ossec/active-response/bin
+ - wazuh_agentless:/var/ossec/agentless
+ - wazuh_wodles:/var/ossec/wodles
+ - filebeat_etc:/etc/filebeat
+ - filebeat_var:/var/lib/filebeat
+ - ./config/wazuh_indexer_ssl_certs/root-ca-manager.pem:/etc/ssl/root-ca.pem
+ - ./config/wazuh_indexer_ssl_certs/wazuh.manager.pem:/etc/ssl/filebeat.pem
+ - ./config/wazuh_indexer_ssl_certs/wazuh.manager-key.pem:/etc/ssl/filebeat.key
+ - ./config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf
+ # --> (Optional) For custom rules
+ # - ./config/rules/local_rules.xml:/var/ossec/etc/rules/local_rules.xml:ro
+ # <--
+ # --> (Optional) When using traefik
+ # networks:
+ # - frontend
+ # <--
+ # --> (Optional) When using a separate backend network
+ # - backend
+ # <--
+ restart: unless-stopped
+
+ wazuh.indexer:
+ image: docker.io/wazuh/wazuh-indexer:4.10.0
+ container_name: wazuh-prod-1-indexer
+ hostname: wazuh.indexer
+ ports:
+ - "9200:9200"
+ environment:
+ - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
+ ulimits:
+ memlock:
+ soft: -1
+ hard: -1
+ nofile:
+ soft: 65536
+ hard: 65536
+ volumes:
+ - wazuh-indexer-data:/var/lib/wazuh-indexer
+ - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem
+ - ./config/wazuh_indexer_ssl_certs/wazuh.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh.indexer.key
+ - ./config/wazuh_indexer_ssl_certs/wazuh.indexer.pem:/usr/share/wazuh-indexer/certs/wazuh.indexer.pem
+ - ./config/wazuh_indexer_ssl_certs/admin.pem:/usr/share/wazuh-indexer/certs/admin.pem
+ - ./config/wazuh_indexer_ssl_certs/admin-key.pem:/usr/share/wazuh-indexer/certs/admin-key.pem
+ - ./config/wazuh_indexer/wazuh.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml
+ - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml
+ # --> (Optional) When using traefik
+ # networks:
+ # - frontend
+ # <--
+ # --> (Optional) When using a separate backend network
+ # - backend
+ # <--
+ restart: unless-stopped
+
+ wazuh.dashboard:
+ image: docker.io/wazuh/wazuh-dashboard:4.10.0
+ container_name: wazuh-prod-1-dashboard
+ hostname: wazuh.dashboard
+ # --> (Optional) Remove the port mapping when using traefik
+ ports:
+ - 4443:5601
+ # <--
+ environment:
+ - INDEXER_USERNAME=${INDEXER_USERNAME:?error}
+ - INDEXER_PASSWORD=${INDEXER_PASSWORD:?error}
+ - WAZUH_API_URL=https://wazuh.manager
+ - DASHBOARD_USERNAME=${DASHBOARD_USERNAME:?error}
+ - DASHBOARD_PASSWORD=${DASHBOARD_PASSWORD:?error}
+ - API_USERNAME=${API_USERNAME:?error}
+ - API_PASSWORD=${API_PASSWORD:?error}
+ volumes:
+ - ./config/wazuh_indexer_ssl_certs/wazuh.dashboard.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem
+ - ./config/wazuh_indexer_ssl_certs/wazuh.dashboard-key.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem
+ - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-dashboard/certs/root-ca.pem
+ - ./config/wazuh_dashboard/opensearch_dashboards.yml:/usr/share/wazuh-dashboard/config/opensearch_dashboards.yml
+ - ./config/wazuh_dashboard/wazuh.yml:/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
+ - wazuh-dashboard-config:/usr/share/wazuh-dashboard/data/wazuh/config
+ - wazuh-dashboard-custom:/usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom
+ # --> (Optional) When using traefik
+ # labels:
+ # - traefik.enable=true
+ # - traefik.http.routers.wazuh-prod-1-https.entrypoints=websecure
+ # - traefik.http.routers.wazuh-prod-1-https.rule=Host(`wazuh-prod-1.srv-prod-1.home.clcreative.de`)
+ # - traefik.http.routers.wazuh-prod-1-https.tls=true
+ # - traefik.http.routers.wazuh-prod-1-https.tls.certresolver=cloudflare
+ # - traefik.http.services.wazuh-prod-1-service.loadbalancer.server.port=5601
+ # - traefik.http.services.wazuh-prod-1-service.loadbalancer.server.scheme=https
+ # networks:
+ # - frontend
+ # <--
+ # --> (Optional) When using a separate backend network
+ # - backend
+ # <--
+ depends_on:
+ - wazuh.indexer
+ restart: unless-stopped
+
+# --> (Optional) When you need to use an SMTP relay for email notifications, and authentication is required
+# postfix:
+# image: docker.io/mwader/postfix-relay:1.1.39
+# environment:
+# - POSTFIX_myhostname=postfix
+# volumes:
+# - ./config/postfix-relay/main.cf:/etc/postfix/main.cf:ro
+# - ./config/postfix-relay/sasl_passwd:/etc/postfix/sasl_passwd:rw # <-- (Optional) Remove when using inline credentials
+# - postfix_data:/etc/postfix
+# networks:
+# - backend
+# restart: unless-stopped
+# <--
+
+volumes:
+ wazuh_api_configuration:
+ wazuh_etc:
+ wazuh_logs:
+ wazuh_queue:
+ wazuh_var_multigroups:
+ wazuh_integrations:
+ wazuh_active_response:
+ wazuh_agentless:
+ wazuh_wodles:
+ filebeat_etc:
+ filebeat_var:
+ wazuh-indexer-data:
+ wazuh-dashboard-config:
+ wazuh-dashboard-custom:
+ # --> (Optional) When you need to use an SMTP relay for email notifications, and authentication is required
+ # postfix_data:
+ # <--
+
+# --> (Optional) When using traefik
+# networks:
+# frontend:
+# external: true
+# <--
+# --> (Optional) When using a separate backend network
+# backend:
+# external: true
+# <--
diff --git a/docker-compose/wazuh/config/postfix-relay/main.cf b/docker-compose/wazuh/config/postfix-relay/main.cf
new file mode 100644
index 0000000..c3cede7
--- /dev/null
+++ b/docker-compose/wazuh/config/postfix-relay/main.cf
@@ -0,0 +1,15 @@
+relayhost = [your-smtp-server-addr]:587 ; Replace [your-smtp-server-addr] with your SMTP server address
+smtp_sasl_auth_enable = yes
+smtp_sasl_security_options = noanonymous
+smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
+smtp_use_tls = yes
+smtpd_relay_restrictions = permit_mynetworks
+mydestination = localhost
+myhostname = postfix
+mynetworks = 127.0.0.0/8, 172.0.0.0/8, 192.168.0.0/16, 10.0.0.0/8, [::1]/128
+smtp_tls_security_level = may
+smtpd_tls_security_level = none
+smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd # <-- (Optional) Remove when using inline credentials
+# --> (Optional) When using inline credentials, uncomment the following line and replace the placeholders with your SMTP server address and credentials
+# smtp_sasl_password_maps = inline:{ [your-smtp-server-addr]:587=username:password } # <-- Replace [your-smtp-server-addr] with your SMTP server address, and username:password with your SMTP server credentials
+# <--
diff --git a/docker-compose/wazuh/config/postfix-relay/sasl_passwd b/docker-compose/wazuh/config/postfix-relay/sasl_passwd
new file mode 100644
index 0000000..81d7682
--- /dev/null
+++ b/docker-compose/wazuh/config/postfix-relay/sasl_passwd
@@ -0,0 +1 @@
+[your-smtp-server-addr]:587 username:password ; Replace [your-smtp-server-addr] with your SMTP server address, and username:password with your SMTP server credentials
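Review bot: The commented Traefik rule on the dashboard service uses a real internal hostname, `Host(\`wazuh-prod-1.srv-prod-1.home.clcreative.de\`)`, where every other file in this change uses a `your-...-fqdn` placeholder; change it to `Host(\`your-wazuh-fqdn\`)` so the template does not carry the author's DNS layout. `"9200:9200"` publishes the indexer on every host interface although only the manager and the dashboard, both on the compose network, talk to it; drop the mapping or use `"127.0.0.1:9200:9200"`, and consider the same for the manager's `"55000:55000"` API port. `- 4443:5601` is the one unquoted port mapping in the file. The indexer also mounts `./config/wazuh_indexer/wazuh.indexer.yml` and `internal_users.yml`, which I do not see added in this part of the diff; if they are not part of the change, Docker will create empty directories at those paths and the indexer will not start cleanly.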
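Review bot: Postfix `main.cf` has no trailing-comment syntax, so `; Replace […]` on `relayhost` and `# <-- (Optional) …` on `smtp_sasl_password_maps` become part of the parameter values: the relay host is then `[your-smtp-server-addr]:587 ; Replace …` and the map list gains bogus entries, and the same applies to the single line in `sasl_passwd`, whose password value would end in ` ; Replace …` (postmap only honours `#` at the start of a line). Move every hint onto its own `#` line in both files. `mynetworks` lists `172.0.0.0/8`, most of which is public address space, and with `smtpd_relay_restrictions = permit_mynetworks` that list is the entire relay policy, so use the private range `172.16.0.0/12`. `smtp_tls_security_level = may` allows the SASL credentials to be sent over a cleartext session when STARTTLS fails or is stripped; `encrypt` is the appropriate level for an authenticated relay and makes the obsolete `smtp_use_tls` redundant. Whether the image runs `postmap` to build `sasl_passwd.db` from the mounted `sasl_passwd` is not visible here and deserves a comment either way.

```conf
# Replace [your-smtp-server-addr] with your SMTP server address.
# (Postfix does not support trailing comments; keep notes on their own lines.)
relayhost = [your-smtp-server-addr]:587
# … unchanged: smtp_sasl_auth_enable, smtp_sasl_security_options, smtp_tls_CAfile, smtp_use_tls, smtpd_relay_restrictions, mydestination, myhostname …
# Only private ranges; 172.0.0.0/8 is mostly public address space.
mynetworks = 127.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 10.0.0.0/8, [::1]/128
# Require TLS before SASL credentials are sent to the relay.
smtp_tls_security_level = encrypt
# … unchanged: smtpd_tls_security_level …
# (Optional) Remove when using inline credentials
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
```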
diff --git a/docker-compose/wazuh/config/rules/local_rules.xml b/docker-compose/wazuh/config/rules/local_rules.xml new file mode 100644 index 0000000..0fe6725 --- /dev/null +++ b/docker-compose/wazuh/config/rules/local_rules.xml @@ -0,0 +1,12 @@ + + + diff --git a/docker-compose/wazuh/config/wazuh_cluster/wazuh_manager.conf b/docker-compose/wazuh/config/wazuh_cluster/wazuh_manager.conf new file mode 100644 index 0000000..bd1d556 --- /dev/null +++ b/docker-compose/wazuh/config/wazuh_cluster/wazuh_manager.conf 
@@ -0,0 +1,308 @@ + + + yes + yes + no + no + no + postfix + your-from-email + your-to-email + 12 + alerts.log + 10m + 0 + + + + 3 + 12 + + + + + plain + + + + secure + 1514 + tcp + 131072 + + + + + no + yes + yes + yes + yes + yes + yes + yes + + + 43200 + + etc/rootcheck/rootkit_files.txt + etc/rootcheck/rootkit_trojans.txt + + yes + + + + yes + 1800 + 1d + yes + + wodles/java + wodles/ciscat + + + + + yes + yes + /var/log/osquery/osqueryd.results.log + /etc/osquery/osquery.conf + yes + + + + + no + 1h + yes + yes + yes + yes + yes + yes + yes + + + + 10 + + + + + yes + yes + 12h + yes + + + + yes + yes + 60m + + + + yes + + https://wazuh.indexer:9200 + + + + /etc/ssl/root-ca.pem + + /etc/ssl/filebeat.pem + /etc/ssl/filebeat.key + + + + + + no + + + 43200 + + yes + + + yes + + + no + + + /etc,/usr/bin,/usr/sbin + /bin,/sbin,/boot + + + /etc/mtab + /etc/hosts.deny + /etc/mail/statistics + /etc/random-seed + /etc/random.seed + /etc/adjtime + /etc/httpd/logs + /etc/utmpx + /etc/wtmpx + /etc/cups/certs + /etc/dumpdates + /etc/svc/volatile + + + .log$|.swp$ + + + /etc/ssl/private.key + + yes + yes + yes + yes + + + 10 + + + 100 + + + + yes + 5m + 1h + 10 + + + + + + 127.0.0.1 + ^localhost.localdomain$ + + + + disable-account + disable-account + yes + + + + restart-wazuh + restart-wazuh + + + + firewall-drop + firewall-drop + yes + + + + host-deny + host-deny + yes + + + + route-null + route-null + yes + + + + win_route-null + route-null.exe + yes + + + + netsh + netsh.exe + yes + + + + + + + command + df -P + 360 + + + + full_command + netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d + netstat listening ports + 360 + + + + full_command + last -n 20 + 360 + + + + + ruleset/decoders + ruleset/rules + 0215-policy_rules.xml + etc/lists/audit-keys + etc/lists/amazon/aws-eventnames + 
etc/lists/security-eventchannel + + + etc/decoders + etc/rules + + + + yes + 1 + 64 + 15m + + + + + no + 1515 + no + yes + no + HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH + + no + etc/sslmanager.cert + etc/sslmanager.key + no + + + + wazuh + node01 + master + aa093264ef885029653eea20dfcf51ae + 1516 + 0.0.0.0 + + wazuh.manager + + no + yes + + + + + + + syslog + /var/ossec/logs/active-responses.log + + + diff --git a/docker-compose/wazuh/config/wazuh_dashboard/opensearch_dashboards.yml b/docker-compose/wazuh/config/wazuh_dashboard/opensearch_dashboards.yml new file mode 100644 index 0000000..fce78dc --- /dev/null +++ b/docker-compose/wazuh/config/wazuh_dashboard/opensearch_dashboards.yml @@ -0,0 +1,17 @@ +--- +server.host: 0.0.0.0 +server.port: 5601 +opensearch.hosts: https://wazuh.indexer:9200 +opensearch.ssl.verificationMode: certificate +opensearch.requestHeadersWhitelist: + - "securitytenant" + - "Authorization" +opensearch_security.multitenancy.enabled: false +opensearch_security.readonly_mode.roles: + - "kibana_read_only" +server.ssl.enabled: true +server.ssl.key: "/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem" +server.ssl.certificate: "/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem" +opensearch.ssl.certificateAuthorities: + - "/usr/share/wazuh-dashboard/certs/root-ca.pem" +uiSettings.overrides.defaultRoute: /app/wz-home diff --git a/docker-compose/wazuh/config/wazuh_dashboard/wazuh.yml b/docker-compose/wazuh/config/wazuh_dashboard/wazuh.yml new file mode 100644 index 0000000..1528933 --- /dev/null +++ b/docker-compose/wazuh/config/wazuh_dashboard/wazuh.yml @@ -0,0 +1,11 @@ +--- +hosts: + - 1513629884013: + url: "https://wazuh.manager" + port: 55000 + username: wazuh-wui + password: "your-wazuh-wui-password" + run_as: false + +enrollment.dns: "your-enrollment-dns-server" +alerts.sample.prefix: "wazuh-alerts-" 
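Review bot: The cluster stanza near the end of the hunk carries a literal 32-character hex key (`aa093264ef885029653eea20dfcf51ae`) while every other credential in this commit is a `your-...` placeholder; a template should ship `your-cluster-key` (or document generating one, e.g. `openssl rand -hex 16`) so deployments cannot end up sharing a key that is public in this repository. The XML element names do not survive in this view, so I cannot confirm the surrounding settings; if the cluster block is disabled here, as the trailing `no`/`yes` pair suggests, the key is dormant but still a copy-paste hazard for anyone who later enables it.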
diff --git a/docker-compose/wazuh/config/wazuh_indexer/internal_users.yml b/docker-compose/wazuh/config/wazuh_indexer/internal_users.yml
new file mode 100644
index 0000000..e62e890
--- /dev/null
+++ b/docker-compose/wazuh/config/wazuh_indexer/internal_users.yml
@@ -0,0 +1,56 @@
+---
+# This is the internal user database
+# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
+
+_meta:
+ type: "internalusers"
+ config_version: 2
+
+# Define your internal users here
+
+## Demo users
+
+admin:
+ hash: "$2y$12$y85PV5Ob2lqeR30Rcm/F9..8JMgLT5ALZGMtzTo7c.p1vPpR394ki"
+ reserved: true
+ backend_roles:
+ - admin
+ description: "Demo admin user"
+
+kibanaserver:
+ hash: "$2y$12$b9G5KNitghhTt1V5asLQd.nDOjd7O8h.30vkZVfroWT/HFq0y51TO"
+ reserved: true
+ description: "Demo kibanaserver user"
+
+kibanaro:
+ hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC"
+ reserved: false
+ backend_roles:
+ - kibanauser
+ - readall
+ attributes:
+ attribute1: "value1"
+ attribute2: "value2"
+ attribute3: "value3"
+ description: "Demo kibanaro user"
+
+logstash:
+ hash: "$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2"
+ reserved: false
+ backend_roles:
+ - logstash
+ description: "Demo logstash user"
+
+readall:
+ hash: "$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2"
+ reserved: false
+ backend_roles:
+ - readall
+ description: "Demo readall user"
+
+snapshotrestore:
+ hash: "$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W"
+ reserved: false
+ backend_roles:
+ - snapshotrestore
+ description: "Demo snapshotrestore user"
diff --git a/docker-compose/wazuh/config/wazuh_indexer/wazuh.indexer.yml b/docker-compose/wazuh/config/wazuh_indexer/wazuh.indexer.yml
new file mode 100644
index 0000000..77e5d07
--- /dev/null
+++ b/docker-compose/wazuh/config/wazuh_indexer/wazuh.indexer.yml
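Review bot: All six accounts ship with fixed bcrypt hashes and are labelled `Demo ... user`, so every deployment that keeps this file unchanged runs with identical credentials — and the companion `wazuh.indexer.yml` hunk sets `plugins.security.allow_default_init_securityindex: true`, which presumably loads this file into the security index on first start; if these are the upstream demo hashes, the matching passwords are publicly documented. Replace each hash with a placeholder such as `hash: "your-bcrypt-hash"` and extend the header comment to say it must be regenerated with `plugin/tools/hash.sh` before first boot. `admin` and `kibanaserver` are `reserved: true`, which as far as I know makes them non-editable through the security API, so the value in this file is the one that stays live. The unused demo accounts (`kibanaro`, `logstash`, `readall`, `snapshotrestore`) can be dropped from a Wazuh template altogether.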
@@ -0,0 +1,43 @@
+---
+network.host: "0.0.0.0"
+node.name: "wazuh.indexer"
+path.data: /var/lib/wazuh-indexer
+path.logs: /var/log/wazuh-indexer
+discovery.type: single-node
+http.port: 9200-9299
+transport.tcp.port: 9300-9399
+compatibility.override_main_response_version: true
+plugins.security.ssl.http.pemcert_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.pem
+plugins.security.ssl.http.pemkey_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.key
+plugins.security.ssl.http.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/root-ca.pem
+plugins.security.ssl.transport.pemcert_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.pem
+plugins.security.ssl.transport.pemkey_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.key
+plugins.security.ssl.transport.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/root-ca.pem
+plugins.security.ssl.http.enabled: true
+plugins.security.ssl.transport.enforce_hostname_verification: false
+plugins.security.ssl.transport.resolve_hostname: false
+plugins.security.authcz.admin_dn:
+ - "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
+plugins.security.check_snapshot_restore_write_privileges: true
+plugins.security.enable_snapshot_restore_privilege: true
+plugins.security.nodes_dn:
+ - "CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
+plugins.security.restapi.roles_enabled:
+ - "all_access"
+ - "security_rest_api_access"
+plugins.security.system_indices.enabled: true
+plugins.security.system_indices.indices:
+ - ".opendistro-alerting-config"
+ - ".opendistro-alerting-alert*"
+ - ".opendistro-anomaly-results*"
+ - ".opendistro-anomaly-detector*"
+ - ".opendistro-anomaly-checkpoints"
+ - ".opendistro-anomaly-detection-state"
+ - ".opendistro-reports-*"
+ - ".opendistro-notifications-*"
+ - ".opendistro-notebooks"
+ - ".opensearch-observability"
+ - ".opendistro-asynchronous-search-response*"
+ - ".replication-metadata-store"
+plugins.security.allow_default_init_securityindex: true
+cluster.routing.allocation.disk.threshold_enabled: false
diff --git a/docker-compose/wazuh/generate-certs.yaml b/docker-compose/wazuh/generate-certs.yaml
new file mode 100644
index 0000000..7f9ecfe
--- /dev/null
+++ b/docker-compose/wazuh/generate-certs.yaml
@@ -0,0 +1,8 @@
+---
+services:
+ generator:
+ image: wazuh/wazuh-certs-generator:0.0.2
+ hostname: wazuh-certs-generator
+ volumes:
+ - ./config/wazuh_indexer_ssl_certs/:/certificates/
+ - ./config/certs.yml:/config/certs.yml
diff --git a/helm/traefik/values.yaml b/helm/traefik/values.yaml
deleted file mode 100644
index ab55c03..0000000
--- a/helm/traefik/values.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-image:
- repository: traefik
- version: v3.2.1
- pullPolicy: IfNotPresent
-
-# --> (Optional) Change log settings here...
-# logs:
-# general:
-# level: ERROR
-# access:
-# enabled: false
-# <--
-
-# --> (Optional) Redirect HTTP to HTTPs by default
-# ports:
-# web:
-# redirectTo:
-# port: websecure
-# <--
diff --git a/kestra/ansible/ansible-playbook-git.yaml b/kestra/ansible/ansible-playbook-git.yaml
new file mode 100644
index 0000000..e786323
--- /dev/null
+++ b/kestra/ansible/ansible-playbook-git.yaml
@@ -0,0 +1,36 @@ +--- +# Kestra ansible-playbook Template +# --- +# +# Run an ansible playbook cloned from a Git Repository +# +id: ansible_playbook_git +namespace: your_namespace # <-- Replace with your namespace... +tasks: + - id: ansible_job + type: io.kestra.plugin.core.flow.WorkingDirectory + inputFiles: + id_rsa: "{{ secret('RSA_SSH_KEY') }}" # <-- (Required) Replace with your secret key... + # id_ed25519: "{{ secret('ED25519_SSH_KEY') }}" # <-- (Optional) Replace with your secret key, when using ED25519... + tasks: + - id: git_clone + type: io.kestra.plugin.git.Clone + url: your-git-repository-url # <-- Replace with your Git repository URL... + directory: ansible + branch: main # <-- (Optional) Replace with your Git branch... + # --> (Optional) If Git repository is private, add your Git token... + # username: xcad + # password: "{{ secret('GITOKEN') }}" + # <-- + - id: ansible_playbook + type: io.kestra.plugin.ansible.cli.AnsibleCLI + taskRunner: + type: io.kestra.plugin.scripts.runner.docker.Docker + image: docker.io/cytopia/ansible:latest-tools + user: "1000" # <-- (Required) Replace with your user id... + env: + "ANSIBLE_HOST_KEY_CHECKING": "false" + "ANSIBLE_REMOTE_USER": "your-remote-user" # <-- (Required) Replace with your remote user... + commands: + - ansible-playbook -i ansible/inventory --key-file id_rsa ansible/your-playbook.yaml + # - ansible-playbook -i ansible/inventory --key-file id_ed25519 ansible/your-playbook.yaml # <-- (Optional) when using ED25519... diff --git a/kestra/ansible/ansible-playbook-inline.yaml b/kestra/ansible/ansible-playbook-inline.yaml new file mode 100644 index 0000000..38f2628 --- /dev/null +++ b/kestra/ansible/ansible-playbook-inline.yaml 
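Review bot: `"ANSIBLE_HOST_KEY_CHECKING": "false"` turns off SSH host key verification for every run, so the flow will authenticate to whatever answers at the inventory address; the same setting appears in the `ansible-playbook-inline.yaml` hunk. Since the task already stages `id_rsa` through `inputFiles`, a `known_hosts` file can be staged the same way and referenced with `"ANSIBLE_SSH_COMMON_ARGS": "-o UserKnownHostsFile=known_hosts"` (path relative to the working directory), leaving checking on. The runner image `docker.io/cytopia/ansible:latest-tools` is a floating tag, so pin a version for reproducible runs, and the commented placeholder `username: xcad` should follow the `your-...` convention used by the rest of the file.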
@@ -0,0 +1,38 @@ +--- +# Kestra ansible-playbook Template +# --- +# +# Run an ansible playbook defined inline the kestra flow. +# +id: ansible_playbook_inline +namespace: your_namespace # <-- Replace with your namespace... +tasks: + - id: ansible_job + type: io.kestra.plugin.core.flow.WorkingDirectory + inputFiles: + inventory.ini: | # <-- Replace with your inventory file content... + srv-demo-1.home.clcreative.de + myplaybook.yaml: | # <-- Replace with your playbook file content... + --- + - hosts: srv-demo-1.home.clcreative.de + tasks: + - name: upgrade apt packages + become: true + ansible.builtin.apt: + upgrade: true + update_cache: true + id_rsa: "{{ secret('RSA_SSH_KEY') }}" # <-- (Required) Replace with your secret key... + # id_ed25519: "{{ secret('ED25519_SSH_KEY') }}" # <-- (Optional) Replace with your secret key, when using ED25519... + tasks: + - id: ansible_playbook + type: io.kestra.plugin.ansible.cli.AnsibleCLI + taskRunner: + type: io.kestra.plugin.scripts.runner.docker.Docker + image: docker.io/cytopia/ansible:latest-tools + user: "1000" # <-- (Required) Replace with your user id... + env: + "ANSIBLE_HOST_KEY_CHECKING": "false" + "ANSIBLE_REMOTE_USER": "your-remote-user" # <-- (Required) Replace with your remote user... + commands: + - ansible-playbook -i inventory.ini --key-file id_rsa myplaybook.yaml + # - ansible-playbook -i inventory.ini --key-file id_ed25519 myplaybook.yaml # <-- (Optional) when using ED25519... diff --git a/kestra/ansible/playbook-inline.yaml b/kestra/ansible/playbook-inline.yaml deleted file mode 100644 index 082c253..0000000 --- a/kestra/ansible/playbook-inline.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ ---- -# Kestra ansible-playbook Template -# --- -# -# Run an ansible playbook defined inline the kestra flow. -# -id: ansible_job -namespace: # your-namespace - -tasks: - - id: ansible - type: io.kestra.plugin.core.flow.WorkingDirectory - tasks: - - id: local_files - type: io.kestra.core.tasks.storages.LocalFiles - inputs: - inventory.ini: | - srv-demo-1.home.clcreative.de - # --> replace with your playbook - myplaybook.yaml: | - --- - - hosts: srv-demo-1.home.clcreative.de - tasks: - - name: upgrade apt packages - become: true - ansible.builtin.apt: - upgrade: true - update_cache: true - # <-- - id_rsa: "{{ secret('SSH_KEY') }}" - - id: ansible_task - type: io.kestra.plugin.ansible.cli.AnsibleCLI - docker: - image: docker.io/cytopia/ansible:latest-tools - user: "1000" # required to set ssh key permissions - env: - "ANSIBLE_HOST_KEY_CHECKING": "false" - # --> (optional) when using a different remote user - # "ANSIBLE_REMOTE_USER": "your-remote-user" - # <-- - commands: - - ansible-playbook -i inventory.ini --key-file id_rsa myplaybook.yaml diff --git a/kestra/ansible/playbook-password.yaml b/kestra/ansible/playbook-password.yaml deleted file mode 100644 index e86dad8..0000000 --- a/kestra/ansible/playbook-password.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ ---- -# Kestra ansible-playbook Template -# --- -# -# Run an ansible playbook which has been uploaded to the server. -# -id: ansible_job -namespace: # your-namespace - -tasks: - - id: ansible - type: io.kestra.plugin.core.flow.WorkingDirectory - tasks: - - id: ansible_task - namespaceFiles: - enabled: true - # --> upload your files to the kestra data directory for the namespace in - # //_files/ - include: - - inventory.ini - - myplaybook.yaml - # <-- - type: io.kestra.plugin.ansible.cli.AnsibleCLI - docker: - image: docker.io/cytopia/ansible:latest-tools - env: - "ANSIBLE_HOST_KEY_CHECKING": "false" - # --> (optional) when using a different remote user - # "ANSIBLE_REMOTE_USER": "your-remote-user" - # <-- - commands: - - apk add sshpass # only required if use ssh passwords. - - ansible-playbook -i inventory.ini myplaybook.yaml diff --git a/kestra/ansible/playbook-ssh-key.yaml b/kestra/ansible/playbook-ssh-key.yaml deleted file mode 100644 index 86e17fa..0000000 --- a/kestra/ansible/playbook-ssh-key.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ ---- -# Kestra ansible-playbook Template -# --- -# -# Run an ansible playbook which has been uploaded to the server, using -# ssh key authentication. -# -id: ansible_job -namespace: # your-namespace - -tasks: - - id: ansible - type: io.kestra.plugin.core.flow.WorkingDirectory - tasks: - - id: load_ssh_key - type: io.kestra.core.tasks.storages.LocalFiles - inputs: - id_rsa: "{{ secret('SSH_KEY') }}" - - id: ansible_task - namespaceFiles: - enabled: true - # --> upload your files to the kestra data directory for the namespace in - # //_files/ - include: - - inventory.ini - - myplaybook.yaml - # <-- - type: io.kestra.plugin.ansible.cli.AnsibleCLI - docker: - image: docker.io/cytopia/ansible:latest-tools - user: "1000" # required to set ssh key permissions - env: - "ANSIBLE_HOST_KEY_CHECKING": "false" - # --> (optional) when using a different remote user - # "ANSIBLE_REMOTE_USER": "your-remote-user" - # <-- - commands: - - ansible-playbook -i inventory.ini --key-file id_rsa myplaybook.yaml diff --git a/kestra/docker/docker-build-git.yaml b/kestra/docker/docker-build-git.yaml new file mode 100644 index 0000000..68fa04c --- /dev/null +++ b/kestra/docker/docker-build-git.yaml 
@@ -0,0 +1,31 @@ +--- +# Kestra Docker Git Build Template +# --- +# +# Build a Docker image from a Git repository. +# +id: docker_build_git +namespace: your_namespace # <- Replace with your namespace... +tasks: + - id: docker_job + type: io.kestra.plugin.core.flow.WorkingDirectory + tasks: + - id: git_clone + type: io.kestra.plugin.git.Clone + url: your-git-repository-url # <-- Replace with your Git repository URL... + directory: docker + branch: main # <-- (Optional) Replace with your Git branch... + # --> (Optional) If Git repository is private, add your Git token... + # username: xcad + # password: "{{ secret('GITOKEN') }}" + # <-- + - id: docker_build + type: io.kestra.plugin.docker.Build + dockerfile: "docker/src/Dockerfile" # <- Replace with your Dockerfile path... + tags: + - your-username/your-repository:your-tag # <- Replace with your Docker image tag... + push: true + credentials: + registry: https://index.docker.io/v1/ + username: "{{ secret('YOUR_USERNAME') }}" # <- Replace with your Docker Hub username... + password: "{{ secret('YOUR_PASSWORD') }}" # <- Replace with your Docker Hub password... diff --git a/kestra/docker/docker-build-inline.yaml b/kestra/docker/docker-build-inline.yaml new file mode 100644 index 0000000..d6546be --- /dev/null +++ b/kestra/docker/docker-build-inline.yaml 
@@ -0,0 +1,33 @@ +--- +# Kestra Docker File Build Template +# --- +# +# Build a Docker image from a File. +# +id: docker_build_inline +namespace: your_namespace # <- Replace with your namespace... +tasks: + - id: docker_job + type: io.kestra.plugin.core.flow.WorkingDirectory + inputFiles: + Dockerfile: | # <- Replace with your Dockerfile content... + FROM alpine:latest + WORKDIR /app + COPY . /app + RUN apk add --update python3 + CMD [ "python", "main.py"] + main.py: | # <- Replace with your Python script content... + if __name__ == "__main__": + print("Hello from Docker!") + exit(0) + tasks: + - id: docker_build + type: io.kestra.plugin.docker.Build + dockerfile: "src/Dockerfile" # <- Replace with your Dockerfile path... + tags: + - your-username/your-repository:your-tag # <- Replace with your Docker image tag... + push: true + credentials: + registry: https://index.docker.io/v1/ + username: "{{ secret('YOUR_USERNAME') }}" # <- Replace with your Docker Hub username... + password: "{{ secret('YOUR_PASSWORD') }}" # <- Replace with your Docker Hub password... diff --git a/kestra/docker/file-build.yaml b/kestra/docker/file-build.yaml deleted file mode 100644 index bf689af..0000000 --- a/kestra/docker/file-build.yaml +++ /dev/null 
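Review bot: `inputFiles` writes `Dockerfile` and `main.py` at the root of the working directory, but the build task points at `dockerfile: "src/Dockerfile"`, so unless the Build task resolves that property differently from a plain relative path the build will not find the file; either use `dockerfile: "Dockerfile"` or key the input as `src/Dockerfile`. The same mismatch existed in the deleted `file-build.yaml`, so it is carried over rather than introduced, but the new `# <- Replace with your Dockerfile path...` comment makes it read as intentional.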
@@ -1,39 +0,0 @@ ---- -# Kestra Docker File Build Template -# --- -# -# Build a Docker image from a File. -# - -id: docker-file-build -namespace: # your-namespace - -tasks: - - - id: file - type: io.kestra.core.tasks.flows.WorkingDirectory - tasks: - - id: createFiles - type: io.kestra.core.tasks.storages.LocalFiles - inputs: - Dockerfile: | - FROM alpine:latest - WORKDIR /app - COPY . /app - RUN apk add --update python3 - CMD [ "python", "main.py"] - main.py: | - if __name__ == "__main__": - print("Hello from Docker!") - exit(0) - - - id: build - type: io.kestra.plugin.docker.Build - dockerfile: "src/Dockerfile" - tags: - - your-username/your-repository:your-tag - push: true - credentials: - registry: https://index.docker.io/v1/ - username: "{{ secret('YOUR_USERNAME') }}" - password: "{{ secret('YOUR_PASSWORD') }}" diff --git a/kestra/docker/git-build.yaml b/kestra/docker/git-build.yaml deleted file mode 100644 index 2046b70..0000000 --- a/kestra/docker/git-build.yaml +++ /dev/null @@ -1,30 +0,0 @@ ---- -# Kestra Docker Git Build Template -# --- -# -# Build a Docker image from a Git repository. -# - -id: docker-git-build -namespace: # your-namespace - -tasks: - - - id: git - type: io.kestra.core.tasks.flows.WorkingDirectory - tasks: - - id: clone - type: io.kestra.plugin.git.Clone - url: https://your-git-repo-url - branch: your-branch - - - id: build - type: io.kestra.plugin.docker.Build - dockerfile: "src/Dockerfile" - tags: - - your-username/your-repository:your-tag - push: true - credentials: - registry: https://index.docker.io/v1/ - username: "{{ secret('YOUR_USERNAME') }}" - password: "{{ secret('YOUR_PASSWORD') }}" diff --git a/kestra/inputs.yaml b/kestra/inputs.yaml index 432e692..2d60e59 100644 --- a/kestra/inputs.yaml +++ b/kestra/inputs.yaml 
@@ -5,61 +5,61 @@ # Inputs is a list of dynamic values passed to the flow at runtime. # -id: inputs -namespace: # your-namespace +id: inputs # <- Replace with your task id... +namespace: your-namespace # <- Replace with your namespace... inputs: - - id: string + - id: string # <- Replace with your input name... type: STRING - - id: optional + - id: optional # <- Replace with your input name... type: STRING required: false - - id: int + - id: int # <- Replace with your input name... type: INT - - id: bool + - id: bool # <- Replace with your input name... type: BOOLEAN - - id: float + - id: float # <- Replace with your input name... type: FLOAT - - id: instant + - id: instant # <- Replace with your input name... type: DATETIME - - id: date + - id: date # <- Replace with your input name... type: DATE - - id: time + - id: time # <- Replace with your input name... type: TIME - - id: duration + - id: duration # <- Replace with your input name... type: DURATION - - id: file + - id: file # <- Replace with your input name... type: FILE - - id: optionalFile + - id: optionalFile # <- Replace with your input name... type: FILE - - id: instantDefaults + - id: instantDefaults # <- Replace with your input name... type: DATETIME - defaults: "2013-08-09T14:19:00Z" + defaults: "2013-08-09T14:19:00Z" # <- Replace with your default value... - - id: json + - id: json # <- Replace with your input name... type: JSON - - id: uri + - id: uri # <- Replace with your input name... type: URI - - id: secret + - id: secret # <- Replace with your input name... type: SECRET - - id: nested.string + - id: nested.string # <- Replace with your input name... type: STRING tasks: - id: using_inputs - type: io.kestra.core.tasks.log.Log + type: io.kestra.plugin.core.log.Log message: "{{ inputs.string }}" 
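Review bot: `id: inputs # <- Replace with your task id...` labels the flow identifier as a task id; the top-level `id` is the flow id, so the comment should read `# <- Replace with your flow id...` — the same wording appears in the `variables.yaml` and `webhook.yaml` hunks. The placeholder `your-namespace` here (and in those two files) differs from the `your_namespace` used by the new kestra templates, and the marker is `# <-` here versus `# <--` elsewhere; settling on one form keeps a search-and-replace setup predictable.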
diff --git a/kestra/python/command.yaml b/kestra/python/python_command.yaml similarity index 69% rename from kestra/python/command.yaml rename to kestra/python/python_command.yaml index 50c7b56..b2f4e57 100644 --- a/kestra/python/command.yaml +++ b/kestra/python/python_command.yaml @@ -7,14 +7,13 @@ # usage: # make sure the Kestra instance can access the /app/scripts/your-python-script.py file # if you're running Kestra in Docker, use a volume to mount the file/directory. - -id: python-command -namespace: # your-namespace - +# +id: python_command +namespace: your_namespace # <-- Replace with your namespace... tasks: - - - id: python_command + - id: python_job type: io.kestra.plugin.scripts.python.Commands commands: - python /app/scripts/your-python-script.py - runner: PROCESS # or DOCKER (might be deprecated in the future) use TaskRunner instead + taskRunner: + type: io.kestra.plugin.core.runner.Process diff --git a/kestra/python/script.yaml b/kestra/python/python_script.yaml similarity index 68% rename from kestra/python/script.yaml rename to kestra/python/python_script.yaml index e69b1c7..15226fb 100644 --- a/kestra/python/script.yaml +++ b/kestra/python/python_script.yaml @@ -4,15 +4,13 @@ # # This template is a simple Python script that can be used to make a request to a website and log the status code. # - -id: python-script -namespace: # your-namespace - +id: python_script +namespace: your_namespace # <-- Replace with your namespace... tasks: - - - id: python_script + - id: python_job type: io.kestra.plugin.scripts.python.Script - runner: DOCKER # (might be deprecated in the future) use TaskRunner instead + taskRunner: + type: io.kestra.plugin.core.runner.Process script: | from kestra import Kestra import requests 
@@ -21,9 +19,6 @@ tasks: print(response.status_code) Kestra.outputs({'status': response.status_code, 'text': response.text}) - beforeCommands: - - pip install requests kestra - - id: log - type: io.kestra.core.tasks.log.Log + type: io.kestra.plugin.core.log.Log message: "StatusCode: {{outputs.pythonscript.vars.status}}" diff --git a/kestra/variables.yaml b/kestra/variables.yaml index 10f3ef7..51123bb 100644 --- a/kestra/variables.yaml +++ b/kestra/variables.yaml @@ -2,16 +2,16 @@ # Kestra Variable Template # --- # -# +# Variables is a list of static values passed to the flow at runtime. # -id: variables -namespace: # your-namespace +id: variables # <- Replace with your task id... +namespace: your-namespace # <- Replace with your namespace... variables: - variable-name: "variable-value" + variable-name: "variable-value" # <- Replace with your variable name and value... tasks: - id: using_variables - type: io.kestra.core.tasks.log.Log + type: io.kestra.plugin.core.log.Log message: "{{ vars.variable-name }}" diff --git a/kestra/webhook.yaml b/kestra/webhook.yaml index c37506e..a7eb03b 100644 --- a/kestra/webhook.yaml +++ b/kestra/webhook.yaml @@ -6,14 +6,15 @@ # # usage: # curl http://your-kestra-instance/api/v1/executions/webhook/your-namespace/your-task-id/your-secret-key +# -id: webhook -namespace: # your-namespace +id: webhook # <- Replace with your task id... +namespace: your-namespace # <- Replace with your namespace... tasks: -# - your-tasks +# -- Add your tasks here... triggers: - id: webhook - type: io.kestra.core.models.triggers.types.Webhook - key: # your-secret-key, keep this secret! + type: io.kestra.plugin.core.trigger.Webhook + key: your-secret-key # <- Replace with your secret key... diff --git a/kubernetes/cert-manager/clusterissuer.yaml b/kubernetes/cert-manager/clusterissuer.yaml index f1b25af..e830541 100644 --- a/kubernetes/cert-manager/clusterissuer.yaml +++ b/kubernetes/cert-manager/clusterissuer.yaml 
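Review bot: The `log` task's message still reads `{{outputs.pythonscript.vars.status}}`, but the script task is renamed to `python_job` in the previous hunk (it was `python_script` before, so the reference never matched), so the expression resolves to no task; it should be `message: "StatusCode: {{ outputs.python_job.vars.status }}"`. Dropping `beforeCommands: - pip install requests kestra` while switching to `io.kestra.plugin.core.runner.Process` means `import requests` and `from kestra import Kestra` now depend on those packages being preinstalled in the Kestra host's Python, which the header comment does not mention; either keep `beforeCommands` or document the prerequisite. The enclosing `script:` block starts in the previous hunk.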
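Review bot: `key: your-secret-key # <- Replace with your secret key...` now sits as a plain value in a flow file that is likely committed, and the previous comment `keep this secret!` was dropped; that key is the only thing gating the `curl .../webhook/your-namespace/your-task-id/your-secret-key` call shown in the header. If the trigger accepts expressions, reference the secret store instead, `key: "{{ secret('WEBHOOK_KEY') }}"`; otherwise restore the warning in the comment so the placeholder is not replaced with a committed literal.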
@@ -14,4 +14,4 @@ spec: cloudflare: apiTokenSecretRef: name: cloudflare-api-token-secret - key: api-token + key: api-token diff --git a/kubernetes/cert-manager/certificate.yaml.example b/kubernetes/cert-manager/examples/certificate.yaml similarity index 100% rename from kubernetes/cert-manager/certificate.yaml.example rename to kubernetes/cert-manager/examples/certificate.yaml diff --git a/helm/cert-manager/values.yaml b/kubernetes/cert-manager/helm-values.yaml similarity index 98% rename from helm/cert-manager/values.yaml rename to kubernetes/cert-manager/helm-values.yaml index 9476682..71a0484 100644 --- a/helm/cert-manager/values.yaml +++ b/kubernetes/cert-manager/helm-values.yaml @@ -11,7 +11,7 @@ cainjector: repository: quay.io/jetstack/cert-manager-cainjector tag: v1.16.2 -crds: +crds: enabled: true extraArgs: diff --git a/helm/longhorn/values.yaml b/kubernetes/longhorn/helm-values.yaml similarity index 98% rename from helm/longhorn/values.yaml rename to kubernetes/longhorn/helm-values.yaml index 934f16c..51fc0d1 100644 --- a/helm/longhorn/values.yaml +++ b/kubernetes/longhorn/helm-values.yaml @@ -21,7 +21,7 @@ image: tag: "v1.7.2" supportBundleKit: repository: "longhornio/support-bundle-kit" - tag: "v0.0.45" + tag: "v0.0.47" csi: attacher: repository: "longhornio/csi-attacher" diff --git a/kubernetes/longhorn/ingressroute.yaml b/kubernetes/longhorn/ingressroute.yaml index e530a02..c8916bb 100644 --- a/kubernetes/longhorn/ingressroute.yaml +++ b/kubernetes/longhorn/ingressroute.yaml @@ -14,4 +14,4 @@ spec: - name: longhorn-frontend port: 80 tls: - secretName: longhorn-certificate-secret + secretName: longhorn-certificate-secret diff --git a/helm/portainer/values.yaml b/kubernetes/portainer/helm-values.yaml similarity index 97% rename from helm/portainer/values.yaml rename to kubernetes/portainer/helm-values.yaml index 2d97c88..e0df31b 100644 --- a/helm/portainer/values.yaml +++ b/kubernetes/portainer/helm-values.yaml 
@@ -1,7 +1,7 @@ --- image: repository: portainer/portainer-ce - tag: 2.24.0 + tag: 2.25.0 pullPolicy: IfNotPresent service: diff --git a/kubernetes/traefik/certificate.yaml b/kubernetes/traefik/certificate.yaml new file mode 100644 index 0000000..3169aec --- /dev/null +++ b/kubernetes/traefik/certificate.yaml @@ -0,0 +1,14 @@ +# --> (Optional) Securely expose the Traefik dashboard... +# apiVersion: cert-manager.io/v1 +# kind: Certificate +# metadata: +# name: traefik-web-ui-cert +# namespace: traefik +# spec: +# secretName: traefik-web-ui-tls +# dnsNames: +# - your-traefik-dashboard-fqdn +# issuerRef: +# name: cloudflare-clusterissuer # <-- Replace with your issuer name +# kind: ClusterIssuer +# <-- diff --git a/kubernetes/traefik/examples/ingressroute.yaml b/kubernetes/traefik/examples/ingressroute.yaml new file mode 100644 index 0000000..a8e80ac --- /dev/null +++ b/kubernetes/traefik/examples/ingressroute.yaml @@ -0,0 +1,20 @@ +--- +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: your-ingressroute # <-- Replace with your IngressRoute name + namespace: your-namespace # <-- Replace with your namespace +spec: + entryPoints: + - web + - websecure + routes: + - match: Host(`your-fqdn`) # <-- Replace with your FQDN + kind: Rule + services: + - name: your-service # <-- Replace with your service name + port: 80 +# --> (Optional) Add certificate secret +# tls: +# secretName: your-certificate-secret +# <-- diff --git a/kubernetes/traefik/examples/ingressroutetcp.yaml b/kubernetes/traefik/examples/ingressroutetcp.yaml new file mode 100644 index 0000000..2b0f1ae --- /dev/null +++ b/kubernetes/traefik/examples/ingressroutetcp.yaml 
@@ -0,0 +1,20 @@ +--- +apiVersion: traefik.io/v1alpha1 +kind: IngressRouteTCP +metadata: + name: your-ingressroutetcp # <-- Replace with your IngressRouteTCP name + namespace: your-namespace # <-- Replace with your namespace +spec: + entryPoints: + - web + - websecure + routes: + - match: HostSNI(`your-sni`) # <-- Replace with your SNI + priority: 10 # <-- (Optional) change rule priority + services: + - name: your-service # <-- Replace with your service name + port: 80 +# --> (Optional) Enable TLS Passthrough +# tls: +# passthrough: true +# <-- diff --git a/kubernetes/traefik/helm-values.yaml b/kubernetes/traefik/helm-values.yaml new file mode 100644 index 0000000..c94243b --- /dev/null +++ b/kubernetes/traefik/helm-values.yaml @@ -0,0 +1,33 @@ +--- +image: + repository: traefik + tag: v3.2.3 + pullPolicy: IfNotPresent + +# --> Change redirect HTTP to HTTPs by default here... +ports: + web: + redirectTo: + port: websecure +# <-- + +# --> (Optional) Securely expose the Traefik dashboard... +# ingressRoute: +# dashboard: +# enabled: true +# entryPoints: +# - websecure +# matchRule: Host(`your-traefik-dashboard-fqdn`) # <-- Replace with your FQDN +# middlewares: +# - name: traefik-web-ui-middleware # <-- Replace with your authentication middleware +# tls: +# secretName: traefik-web-ui-tls # <-- Replace with your TLS secret name +# <-- + +# --> (Optional) Change log settings here... +# logs: +# general: +# level: ERROR +# access: +# enabled: false +# <-- diff --git a/kubernetes/traefik/ingressroute.yaml.example b/kubernetes/traefik/ingressroute.yaml.example deleted file mode 100644 index 36f0da4..0000000 --- a/kubernetes/traefik/ingressroute.yaml.example +++ /dev/null 
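Review bot: The TCP route lists both `web` and `websecure` as entry points with `match: HostSNI(your-sni)` while the `tls` block is commented out; as far as I know Traefik can only evaluate a HostSNI value other than `*` on a TLS (terminated or passthrough) router, so on the plain `web` entry point this rule cannot match and Traefik rejects the router. Drop `- web` from `entryPoints` and note in the comment that the `tls:` block is required for a non-wildcard HostSNI, e.g. `# tls (or passthrough) is required for HostSNI other than *`. The same layout was in the deleted `ingressroutetcp.yaml.example`, so this is carried over rather than new.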
@@ -1,19 +0,0 @@ -apiVersion: traefik.io/v1alpha1 -kind: IngressRoute -metadata: - name: your-ingressroute # <-- Replace with your IngressRoute name - namespace: your-namespace # <-- Replace with your namespace -spec: - entryPoints: - - web - - websecure - routes: - - match: Host(`your-fqdn`) # <-- Replace with your FQDN - kind: Rule - services: - - name: your-service # <-- Replace with your service name - port: 80 - # --> (Optional) Add certificate secret - # tls: - # secretName: your-certificate-secret - # <-- diff --git a/kubernetes/traefik/ingressroutetcp.yaml.example b/kubernetes/traefik/ingressroutetcp.yaml.example deleted file mode 100644 index 55178e4..0000000 --- a/kubernetes/traefik/ingressroutetcp.yaml.example +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: traefik.io/v1alpha1 -kind: IngressRouteTCP -metadata: - name: your-ingressroutetcp # <-- Replace with your IngressRouteTCP name - namespace: your-namespace # <-- Replace with your namespace -spec: - entryPoints: - - web - - websecure - routes: - - match: HostSNI(`your-sni`) # <-- Replace with your SNI - priority: 10 # <-- (Optional) change rule priority - services: - - name: your-service # <-- Replace with your service name - port: 80 - # --> (Optional) Enable TLS Passthrough - # tls: - # passthrough: true - # <-- diff --git a/kubernetes/traefik/middleware.yaml b/kubernetes/traefik/middleware.yaml new file mode 100644 index 0000000..fad3409 --- /dev/null +++ b/kubernetes/traefik/middleware.yaml 
@@ -0,0 +1,23 @@
+# --> (Optional) Securely expose the Traefik dashboard...
+# apiVersion: traefik.io/v1alpha1
+# kind: Middleware
+# metadata:
+#   name: traefik-web-ui-middleware
+#   namespace: traefik
+# spec:
+#   forwardAuth:
+#     address: "http://your-authentik-outpost-fqdn:9000/outpost.goauthentik.io/auth/traefik"
+#     trustForwardHeader: true
+#     authResponseHeaders:
+#       - X-authentik-username
+#       - X-authentik-groups
+#       - X-authentik-email
+#       - X-authentik-name
+#       - X-authentik-uid
+#       - X-authentik-jwt
+#       - X-authentik-meta-jwks
+#       - X-authentik-meta-outpost
+#       - X-authentik-meta-provider
+#       - X-authentik-meta-app
+#       - X-authentik-meta-version
+# <--
diff --git a/renovate.json b/renovate.json
index 1b1347e..12bb977 100644
--- a/renovate.json
+++ b/renovate.json
@@ -1,7 +1,7 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
-    "config:base",
+    "config:recommended",
     ":dependencyDashboard",
     ":enableVulnerabilityAlertsWithLabel('security')",
     ":preserveSemverRanges",
@@ -12,7 +12,9 @@
     "renovate"
   ],
   "kubernetes": {
-    "fileMatch": ["(^|/)kubernetes/.+\/[^\/]+\\.ya?ml$"]
+    "fileMatch": [
+      "(^|/)kubernetes/.+/[^/]+\\.ya?ml$"
+    ]
   },
   "packageRules": [
     {
@@ -30,7 +32,7 @@
     {
       "description": "Update MariaDB or MySQL on a patch level only, bumps to major and minor versions might break compatibilty with an application",
       "enabled": false,
-      "managers": [
+      "matchManagers": [
         "docker-compose",
         "dockerfile"
       ],
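Review bot: `forwardAuth.address` is a plain `http://` URL, so every authentication round-trip, including the identity headers listed in `authResponseHeaders` such as `X-authentik-jwt`, crosses the network unencrypted; that is only reasonable for an in-cluster Service name, yet the placeholder `your-authentik-outpost-fqdn` reads like an external host. A line such as `# Use the outpost's in-cluster Service DNS name (or https://); the auth exchange carries user identity headers` above `address` would make the assumption explicit. `trustForwardHeader: true` copies the client's `X-Forwarded-*` headers into the auth request, which matches what authentik documents, but it presumes the Traefik entry points accept those headers only from known proxies (`forwardedHeaders.trustedIPs`), and the Helm values added in this same commit do not configure that, so a short comment naming that dependency would help whoever un-comments this file.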
@@ -38,28 +40,28 @@
         "major",
         "minor"
       ],
-      "packagePatterns": [
-        "^([^/]+\\/)*(mariadb|mysql)(:.+)?$"
+      "matchPackageNames": [
+        "/^([^/]+\\/)*(mariadb|mysql)(:.+)?$/"
       ]
     },
     {
       "description": "Update PostgreSQL on a minor version or patch level only, bumps to major versions might break compatibilty with an application",
       "enabled": false,
-      "managers": [
+      "matchManagers": [
         "docker-compose",
         "dockerfile"
       ],
       "matchUpdateTypes": [
         "major"
       ],
-      "packagePatterns": [
-        "^([^/]+\\/)*postgres(:.+)?$"
+      "matchPackageNames": [
+        "/^([^/]+\\/)*postgres(:.+)?$/"
       ]
     },
     {
       "description": "Update MariaDB or PostgreSQL to the most recent release if they are standalone and not part of an application stack",
       "enabled": true,
-      "managers": [
+      "matchManagers": [
         "docker-compose",
         "dockerfile"
       ],
@@ -72,49 +74,51 @@
         "minor",
         "patch"
       ],
-      "packagePatterns": [
-        "^([^/]+\\/)*(mariadb|postgres)(:.+)?$"
+      "matchPackageNames": [
+        "/^([^/]+\\/)*(mariadb|postgres)(:.+)?$/"
       ]
     },
     {
       "description": "Over time Heimdall changed its versioning schema several times, ensure we only consider the current style",
-      "managers": [
+      "matchManagers": [
         "docker-compose",
         "dockerfile"
       ],
-      "packagePatterns": [
-        "^([^/]+\\/)*heimdall(:.+)?$"
-      ],
-      "versioning": "regex:^(?\\d{1,2})\\.(?\\d+)(\\.(?\\d+))?$"
+      "versioning": "regex:^(?\\d{1,2})\\.(?\\d+)(\\.(?\\d+))?$",
+      "matchPackageNames": [
+        "/^([^/]+\\/)*heimdall(:.+)?$/"
+      ]
     },
     {
       "description": "Track stable releases of Nginx only",
-      "managers": [
+      "matchManagers": [
         "docker-compose",
         "dockerfile"
       ],
-      "packagePatterns": [
-        "^([^/]+\\/)*nginx(:.+)?$"
-      ],
-      "versioning": "regex:^(?\\d+)\\.(?\\d*[02468])(\\.(?\\d+))?(?:-(?.*))?$"
+      "versioning": "regex:^(?\\d+)\\.(?\\d*[02468])(\\.(?\\d+))?(?:-(?.*))?$",
+      "matchPackageNames": [
+        "/^([^/]+\\/)*nginx(:.+)?$/"
+      ]
     },
     {
       "description": "Ignore erroneous version tags of Semaphore",
-      "managers": [
+      "matchManagers": [
         "docker-compose",
         "dockerfile"
       ],
-      "packagePatterns": [
-        "^([^/]+\\/)*semaphore(:.+)?$"
-      ],
-      "allowedVersions": "!/^v?2\\.19\\.10$/"
+      "allowedVersions": "!/^v?2\\.19\\.10$/",
+      "matchPackageNames": [
+        "/^([^/]+\\/)*semaphore(:.+)?$/"
+      ]
     }
   ],
   "customManagers": [
     {
       "customType": "regex",
       "description": "Update Longhorn images in Helm",
-      "fileMatch": ["(^|/)helm/longhorn/.+\\.yaml$"],
+      "fileMatch": [
+        "(^|/)helm/longhorn/.+\\.yaml$"
+      ],
       "matchStrings": [
         "engine:\\s*repository:\\s*\"?(?[^\"]+)\"?\\s*tag:\\s*\"?(?[^\"]+)\"?",
         "manager:\\s*repository:\\s*\"?(?[^\"]+)\"?\\s*tag:\\s*\"?(?[^\"]+)\"?",
diff --git a/terraform/kubectl/provider.tf b/terraform/kubectl/provider.tf
index 50fa003..346a326 100644
--- a/terraform/kubectl/provider.tf
+++ b/terraform/kubectl/provider.tf
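Review bot: The `versioning` values on the Heimdall and Nginx rules and the Longhorn `matchStrings` show anonymous groups such as `(?\\d{1,2})` and `(?[^\"]+)`; Renovate's `regex:` versioning and regex custom managers require named groups (`(?<major>…)`, `(?<currentValue>…)`), so if the committed file really contains these strings none of those rules match anything. Since the removed lines show the same form, this is more likely angle brackets stripped by the page rendering than a change in the commit, but it is worth one look at the raw file. The `packageRules` array these objects belong to begins outside the hunk.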
@@ -9,7 +9,7 @@ terraform {
   required_providers {
     kubectl = {
       source = "gavinbunney/kubectl"
-      version = "1.14.0"
+      version = "1.18.0"
     }
   }
 }
diff --git a/terraform/kubernetes/provider.tf b/terraform/kubernetes/provider.tf
index d7f5cfd..c64be59 100644
--- a/terraform/kubernetes/provider.tf
+++ b/terraform/kubernetes/provider.tf
@@ -9,7 +9,7 @@ terraform {
   required_providers {
     kubernetes = {
       source = "hashicorp/kubernetes"
-      version = "2.33.0"
+      version = "2.35.1"
     }
   }
 }
diff --git a/terraform/templates/kubernetes-automation-example/provider.tf b/terraform/templates/kubernetes-automation-example/provider.tf
index 921a220..b716fad 100644
--- a/terraform/templates/kubernetes-automation-example/provider.tf
+++ b/terraform/templates/kubernetes-automation-example/provider.tf
@@ -9,15 +9,15 @@ terraform {
     }
     helm = {
       source = "hashicorp/helm"
-      version = "2.16.1"
+      version = "2.17.0"
     }
     kubernetes = {
       source = "hashicorp/kubernetes"
-      version = "2.33.0"
+      version = "2.35.1"
     }
     kubectl = {
       source = "gavinbunney/kubectl"
-      version = "1.14.0"
+      version = "1.18.0"
     }
     cloudflare = {
       source = "cloudflare/cloudflare"