diff --git a/docker-30/fuj-management/run.sh b/docker-30/fuj-management/run.sh
new file mode 100644
index 0000000..e666d51
--- /dev/null
+++ b/docker-30/fuj-management/run.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+docker rm -f fuj-management
+
+# gitea registry login with kacerr / token
+docker run -d --name fuj-management \
+ --restart=always \
+ -p 8081:5001 \
+ -v /srv/fuj-management/data:/app/data \
+ gitea.home.hrajfrisbee.cz/kacerr/fuj-management:latest
\ No newline at end of file
diff --git a/docker-30/kanidm/gitea-action-kubernetes-access.md b/docker-30/kanidm/gitea-action-kubernetes-access.md
new file mode 100644
index 0000000..c932aa7
--- /dev/null
+++ b/docker-30/kanidm/gitea-action-kubernetes-access.md
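Review bot: The image reference on the last added line is `:latest`, so every re-run of this script deploys whatever the registry currently holds, while `docker-30/kanidm/run.sh` in the same commit pins `1.9.1`; pin a version tag or digest here as well, e.g. `gitea.home.hrajfrisbee.cz/kacerr/fuj-management:<version-tag>` (placeholder). The script also has no `set -euo pipefail` after the shebang, so a failed `docker rm -f` or `docker run` does not stop it; add `set -euo pipefail` as the second line. The comment `# gitea registry login with kacerr / token` refers to a credential step that is not in the script; a comment stating where that login is done (presumably a `docker login` on the host beforehand) would make the prerequisite explicit.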
@@ -0,0 +1,84 @@ +## 1. Create Kanidm service account + OAuth2 client + +```bash +# Create a service account for CI +kanidm service-account create gitea_ci "Gitea CI Deploy" idm_admins --name idm_admin + +# Create a group and add the service account +kanidm group create k8s_deployers +kanidm group add-members k8s_deployers gitea_ci + +# Create the OAuth2 client (or reuse existing k8s one) +# If you already have a k8s OIDC client, just add scope maps: +kanidm system oauth2 update-scope-map k8s k8s_deployers openid groups + +# Generate an API token for the service account +kanidm service-account api-token generate --name idm_admin gitea_ci "gitea-ci-token" +# ⚠️ Save the output token — this is the subject_token for exchange +``` + +## 2. RBAC in Kubernetes + +```yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: gitea-ci-deploy +subjects: + - kind: User + name: "gitea_ci@idm.home.hrajfrisbee.cz" # matches preferred_username claim + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: ClusterRole + name: edit # scope down as needed + apiGroup: rbac.authorization.k8s.io + +``` + +## 3. 
Token exchange + kubeconfig setup (test in bash) + +```bash +vault-login # prepared alias + +#!/usr/bin/env bash +# set -euo pipefail + +KANIDM_URL="https://idm.home.hrajfrisbee.cz" +OAUTH2_CLIENT_ID="k8s" # your k8s OIDC client name in Kanidm +API_TOKEN=$(vault kv get -format=json -mount="secret" "k8s_home/gitea/gitea-ci-token" |jq -r .data.data.token) +K8S_API="https://192.168.0.31:6443" + +# Exchange the API token for an OIDC token via RFC 8693 +RESPONSE=$(curl -sf -X POST "${KANIDM_URL}/oauth2/token" \ + -d "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \ + -d "client_id=${OAUTH2_CLIENT_ID}" \ + -d "subject_token=${API_TOKEN}" \ + -d "subject_token_type=urn:ietf:params:oauth:token-type:access_token" \ + -d "audience=${OAUTH2_CLIENT_ID}" \ + -d "scope=openid groups") + +ID_TOKEN=$(echo "$RESPONSE" | jq -r '.id_token') + +# Inspect claims (sanity check) +echo "$ID_TOKEN" | cut -d. -f2 | base64 -d 2>/dev/null | jq . + +# Build kubeconfig +export KUBECONFIG=$(mktemp) +kubectl config set-cluster mycluster \ + --server="${K8S_API}" \ + --certificate-authority=/path/to/ca.crt + +kubectl config set-credentials gitea-ci \ + --token="${ID_TOKEN}" + +kubectl config set-context gitea-ci \ + --cluster=mycluster \ + --user=gitea-ci + +kubectl config use-context gitea-ci + +# Test +kubectl auth whoami +kubectl get ns + +``` \ No newline at end of file diff --git a/docker-30/kanidm/readme.md b/docker-30/kanidm/readme.md index 27c2930..aef3227 100644 --- a/docker-30/kanidm/readme.md +++ b/docker-30/kanidm/readme.md 
@@ -1,3 +1,27 @@ +## Upgrade + +```bash +docker exec -it kanidmd kanidmd domain upgrade-check +# make sure backup exists: /srv/docker/kanidm/data/kanidm/backups + +# change container image in: /srv/docker/kanidm/run.sh + +# kanidm data restore +docker stop kanidmd +docker run --rm -it \ + -v kanidmd:/data \ + -v kanidmd_backups:/backup \ + kanidm/server:latest \ + /sbin/kanidmd database restore -c /data/server.toml /backup/kanidm.backup.json +docker start kanidmd +``` + +## Recover passwords from kanidm instance + +```bash +docker exec -i -t kanidmd kanidmd recover-account idm_admin +``` + ## add user to k8s group based on: https://blog.kammel.dev/post/k8s_home_lab_2025_06/ @@ -115,4 +139,31 @@ docker run --rm -i -t -v --restart=always \ docker.io/kanidm/server:latest \ kanidmd cert-generate +``` + + +## Service account for gitea runner + +```bash +# create service account +#kanidm service-account create \ +# gitea_ci \ # account name +# "Gitea CI Deploy" \ # display name +# idm_admins \ # entry-managed-by (delegation group) +# --name idm_admin # authenticate as this user + +kanidm service-account create gitea_ci "Gitea CI Deploy" idm_admins --name idm_admin + +# Create a group and add the service account +kanidm group create k8s_deployers +kanidm group add-members k8s_deployers gitea_ci + +# Create the OAuth2 client (or reuse existing k8s one) +# If you already have a k8s OIDC client, just add scope maps: +kanidm system oauth2 update-scope-map k8s k8s_deployers openid groups + +# Generate an API token for the service account +kanidm service-account api-token generate --name idm_admin gitea_ci "gitea-ci-token" +# ⚠️ Save the output token — this is the subject_token for exchange + ``` \ No newline at end of file diff --git a/docker-30/kanidm/run.sh b/docker-30/kanidm/run.sh new file mode 100644 index 0000000..fa8bbba --- /dev/null +++ b/docker-30/kanidm/run.sh 
@@ -0,0 +1,9 @@
+docker rm -f kanidmd
+
+docker run -d --name=kanidmd --restart=always \
+ -p '8443:8443' \
+ -p '3636:3636' \
+ --volume /srv/docker/kanidm/data:/data \
+ docker.io/kanidm/server:1.9.1
+
+# previous version: 1.8.5
\ No newline at end of file
diff --git a/docker-30/maru-hleda-byt/run.sh b/docker-30/maru-hleda-byt/run.sh
index 38f2234..bfa60b3 100644
--- a/docker-30/maru-hleda-byt/run.sh
+++ b/docker-30/maru-hleda-byt/run.sh
@@ -4,6 +4,7 @@ docker rm -f maru-hleda-byt
 
 # gitea registry login with kacerr / token
 docker run -d --name maru-hleda-byt \
+ --restart=always \
 -p 8080:8080 \
 -v /srv/maru-hleda-byt/data:/app/data \
 gitea.home.hrajfrisbee.cz/littlemeat/maru-hleda-byt:0.01
\ No newline at end of file
diff --git a/docker-30/vault/gitea-access-into-vault.md b/docker-30/vault/gitea-access-into-vault.md
new file mode 100644
index 0000000..260872f
--- /dev/null
+++ b/docker-30/vault/gitea-access-into-vault.md
@@ -0,0 +1,10 @@
+## 1. Enable & configure JWT auth in Vault
+
+```bash
+vault auth enable jwt
+
+vault write auth/jwt/config \
+ bound_issuer="https://gitea.home.hrajfrisbee.cz" \
+ jwks_url="https://gitea.home.hrajfrisbee.cz/login/oauth/keys"
+
+```
\ No newline at end of file
diff --git a/docker-30/vault/terraform/main.tf b/docker-30/vault/terraform/main.tf
index f693e74..80353fe 100644
--- a/docker-30/vault/terraform/main.tf
+++ b/docker-30/vault/terraform/main.tf
@@ -4,6 +4,13 @@ resource "vault_mount" "kv" {
 description = "KV v2 secrets engine"
 }
 
+resource "vault_jwt_auth_backend" "gitea" {
+ path = "jwt"
+ type = "jwt"
+ bound_issuer = "https://gitea.home.hrajfrisbee.cz"
+ jwks_url = "https://gitea.home.hrajfrisbee.cz/login/oauth/keys"
+}
+
 resource "vault_policy" "eso_read" {
 name = "external-secrets-read"
 policy = <<-EOT
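Review bot: The new `docker-30/kanidm/run.sh` has no shebang and no `set -euo pipefail`, unlike `docker-30/fuj-management/run.sh` in the same commit, so it runs under whichever shell invokes it and continues after a failed `docker rm -f` or `docker run`; prepend `#!/bin/bash` and `set -euo pipefail`. The readme in this commit names this file as the place to change the image during an upgrade, and the trailing `# previous version: 1.8.5` comment is the only rollback record; a comment next to the image line noting that a backup must exist under `/srv/docker/kanidm/data/kanidm/backups` before bumping the tag keeps that precondition next to the command that depends on it.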
@@ -16,6 +23,37 @@ resource "vault_policy" "eso_read" {
 EOT
 }
 
+# for now i allow my gitea to read everything in /v1/secret/data/gitea
+resource "vault_policy" "gitea_ci_read" {
+ name = "gitea-ci-read"
+ policy = <<-EOT
+ path "${vault_mount.kv.path}/data/gitea/*" {
+ capabilities = ["read"]
+ }
+ path "${vault_mount.kv.path}/metadata/gitea/*" {
+ capabilities = ["read", "list"]
+ }
+ EOT
+}
+
+resource "vault_jwt_auth_backend_role" "gitea_ci" {
+ backend = vault_jwt_auth_backend.gitea.path
+ role_name = "gitea-ci"
+ role_type = "jwt"
+ token_policies = [vault_policy.gitea_ci_read.name]
+
+ user_claim = "sub"
+ bound_audiences = ["https://gitea.home.hrajfrisbee.cz"]
+
+ # allow any valid jwt token when commented out
+ # bound_claims = {
+ # repository = "myorg/repo1,myorg/repo3"
+ # }
+
+ token_ttl = 600
+ token_max_ttl = 1200
+}
+
 resource "vault_auth_backend" "approle" {
 type = "approle"
 }
@@ -46,4 +84,32 @@ output "role_id" {
 output "secret_id" {
 value = vault_approle_auth_backend_role_secret_id.eso.secret_id
 sensitive = true
+}
+
+resource "vault_approle_auth_backend_role" "gitea_ci" {
+ backend = vault_auth_backend.approle.path
+ role_name = "gitea-ci"
+ token_policies = [vault_policy.gitea_ci_read.name]
+ token_ttl = 600
+ token_max_ttl = 1200
+}
+
+data "vault_approle_auth_backend_role_id" "gitea_ci" {
+ backend = vault_auth_backend.approle.path
+ role_name = vault_approle_auth_backend_role.gitea_ci.role_name
+}
+
+resource "vault_approle_auth_backend_role_secret_id" "gitea_ci" {
+ backend = vault_auth_backend.approle.path
+ role_name = vault_approle_auth_backend_role.gitea_ci.role_name
+}
+
+output "gitea_ci_role_id" {
+ value = data.vault_approle_auth_backend_role_id.gitea_ci.role_id
+ sensitive = true
+}
+
+output "gitea_ci_secret_id" {
+ value = vault_approle_auth_backend_role_secret_id.gitea_ci.secret_id
+ sensitive = true
 }
\ No newline at end of file
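Review bot: `bound_claims` in the new `vault_jwt_auth_backend_role.gitea_ci` is commented out, and the comment above it states the consequence: any JWT that Gitea issues with `aud` `https://gitea.home.hrajfrisbee.cz` — a job in any repository on the instance — logs in as this role and receives `gitea-ci-read`, which reads everything under `secret/data/gitea/*`. Restrict the role to the repositories that actually need these secrets, e.g. `bound_claims = { repository = "<owner>/<repo>" }` (placeholder values), with `bound_claims_type = "glob"` if an owner-wide pattern is wanted. `user_claim = "sub"` and the 600/1200 second TTLs shape the resulting token but do not limit who can obtain it. Once real values are in, drop the `# allow any valid jwt token when commented out` block so the note does not outlive the decision.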
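Review bot: `output "gitea_ci_role_id"` and `output "gitea_ci_secret_id"` are marked `sensitive = true`, but that only redacts `terraform output`; the values are stored in plaintext in the state, and this same commit updates `docker-30/vault/terraform/terraform.tfstate` and `terraform.tfstate.backup` with the generated role_id and secret_id inside them. Treat those credentials as disclosed: regenerate the secret_id, move state to a remote backend or at least add `terraform.tfstate*` to `.gitignore`, and remove the files from history. The new `vault_approle_auth_backend_role.gitea_ci` also leaves `secret_id_num_uses` and `secret_id_ttl` unset (the state shows both at 0), so the AppRole secret is a long-lived, reusable credential that grants the same `gitea-ci-read` policy the JWT role in this file already provides through short-lived federated tokens; if the AppRole path is only a fallback, bound its `secret_id_ttl` / `secret_id_num_uses` or drop it.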
diff --git a/docker-30/vault/terraform/terraform.tfstate b/docker-30/vault/terraform/terraform.tfstate
index f82de51..1291e0d 100644
--- a/docker-30/vault/terraform/terraform.tfstate
+++ b/docker-30/vault/terraform/terraform.tfstate
@@ -1 +1 @@ -{"version":4,"terraform_version":"1.11.2","serial":2,"lineage":"88d0da45-267c-24b8-34e1-c9a1c58ab70f","outputs":{"role_id":{"value":"864e352d-2064-2bf9-2c73-dbd676a95368","type":"string","sensitive":true},"secret_id":{"value":"8dd0e675-f4dc-50ba-6665-3db5ae423702","type":"string","sensitive":true}},"resources":[{"mode":"data","type":"vault_approle_auth_backend_role_id","name":"eso","provider":"provider[\"registry.opentofu.org/hashicorp/vault\"]","instances":[{"schema_version":0,"attributes":{"backend":"approle","id":"auth/approle/role/external-secrets/role-id","namespace":null,"role_id":"864e352d-2064-2bf9-2c73-dbd676a95368","role_name":"external-secrets"},"sensitive_attributes":[]}]},{"mode":"managed","type":"vault_approle_auth_backend_role","name":"eso","provider":"provider[\"registry.opentofu.org/hashicorp/vault\"]","instances":[{"schema_version":0,"attributes":{"backend":"approle","bind_secret_id":true,"id":"auth/approle/role/external-secrets","namespace":null,"role_id":"864e352d-2064-2bf9-2c73-dbd676a95368","role_name":"external-secrets","secret_id_bound_cidrs":null,"secret_id_num_uses":0,"secret_id_ttl":0,"token_bound_cidrs":null,"token_explicit_max_ttl":0,"token_max_ttl":14400,"token_no_default_policy":false,"token_num_uses":0,"token_period":0,"token_policies":["external-secrets-read"],"token_ttl":3600,"token_type":"default"},"sensitive_attributes":[],"private":"bnVsbA==","dependencies":["vault_auth_backend.approle","vault_mount.kv","vault_policy.eso_read"]}]},{"mode":"managed","type":"vault_approle_auth_backend_role_secret_id","name":"eso","provider":"provider[\"registry.opentofu.org/hashicorp/vault\"]","instances":[{"schema_version":0,"attributes":{"accessor":"f20ef8a0-f21f-8c9b-fc38-887a005af763","backend":"approle","cidr_list":null,"id":"backend=approle::role=external-secrets::accessor=f20ef8a0-f21f-8c9b-fc38-887a005af763","metadata":"{}","namespace":null,"num_uses":0,"role_name":"external-secrets","secret_id":"8dd0e675-f4dc-50ba-6665-3db5ae4
23702","ttl":0,"with_wrapped_accessor":null,"wrapping_accessor":null,"wrapping_token":null,"wrapping_ttl":null},"sensitive_attributes":[[{"type":"get_attr","value":"secret_id"}],[{"type":"get_attr","value":"wrapping_token"}]],"private":"bnVsbA==","dependencies":["vault_approle_auth_backend_role.eso","vault_auth_backend.approle","vault_mount.kv","vault_policy.eso_read"]}]},{"mode":"managed","type":"vault_auth_backend","name":"approle","provider":"provider[\"registry.opentofu.org/hashicorp/vault\"]","instances":[{"schema_version":1,"attributes":{"accessor":"auth_approle_409190cb","description":"","disable_remount":false,"id":"approle","identity_token_key":null,"local":false,"namespace":null,"path":"approle","tune":[],"type":"approle"},"sensitive_attributes":[],"private":"eyJzY2hlbWFfdmVyc2lvbiI6IjEifQ=="}]},{"mode":"managed","type":"vault_mount","name":"kv","provider":"provider[\"registry.opentofu.org/hashicorp/vault\"]","instances":[{"schema_version":0,"attributes":{"accessor":"kv_d207dd40","allowed_managed_keys":null,"allowed_response_headers":null,"audit_non_hmac_request_keys":[],"audit_non_hmac_response_keys":[],"default_lease_ttl_seconds":0,"delegated_auth_accessors":null,"description":"KV v2 secrets engine","external_entropy_access":false,"id":"secret","identity_token_key":"","listing_visibility":"","local":false,"max_lease_ttl_seconds":0,"namespace":null,"options":null,"passthrough_request_headers":null,"path":"secret","plugin_version":null,"seal_wrap":false,"type":"kv-v2"},"sensitive_attributes":[],"private":"bnVsbA=="}]},{"mode":"managed","type":"vault_policy","name":"eso_read","provider":"provider[\"registry.opentofu.org/hashicorp/vault\"]","instances":[{"schema_version":0,"attributes":{"id":"external-secrets-read","name":"external-secrets-read","namespace":null,"policy":"path \"secret/data/*\" {\n capabilities = [\"read\"]\n}\npath \"secret/metadata/*\" {\n capabilities = [\"read\", 
\"list\"]\n}\n"},"sensitive_attributes":[],"private":"bnVsbA==","dependencies":["vault_mount.kv"]}]}],"check_results":null} +{"version":4,"terraform_version":"1.11.5","serial":6,"lineage":"88d0da45-267c-24b8-34e1-c9a1c58ab70f","outputs":{"gitea_ci_role_id":{"value":"02fc6463-af48-1d88-1f60-1569ec3d90e2","type":"string","sensitive":true},"gitea_ci_secret_id":{"value":"95c63c88-c2f6-c3bd-4ba7-cba79df5f011","type":"string","sensitive":true},"role_id":{"value":"864e352d-2064-2bf9-2c73-dbd676a95368","type":"string","sensitive":true},"secret_id":{"value":"8dd0e675-f4dc-50ba-6665-3db5ae423702","type":"string","sensitive":true}},"resources":[{"mode":"data","type":"vault_approle_auth_backend_role_id","name":"eso","provider":"provider[\"registry.opentofu.org/hashicorp/vault\"]","instances":[{"schema_version":0,"attributes":{"backend":"approle","id":"auth/approle/role/external-secrets/role-id","namespace":null,"role_id":"864e352d-2064-2bf9-2c73-dbd676a95368","role_name":"external-secrets"},"sensitive_attributes":[]}]},{"mode":"data","type":"vault_approle_auth_backend_role_id","name":"gitea_ci","provider":"provider[\"registry.opentofu.org/hashicorp/vault\"]","instances":[{"schema_version":0,"attributes":{"backend":"approle","id":"auth/approle/role/gitea-ci/role-id","namespace":null,"role_id":"02fc6463-af48-1d88-1f60-1569ec3d90e2","role_name":"gitea-ci"},"sensitive_attributes":[]}]},{"mode":"managed","type":"vault_approle_auth_backend_role","name":"eso","provider":"provider[\"registry.opentofu.org/hashicorp/vault\"]","instances":[{"schema_version":0,"attributes":{"backend":"approle","bind_secret_id":true,"id":"auth/approle/role/external-secrets","namespace":null,"role_id":"864e352d-2064-2bf9-2c73-dbd676a95368","role_name":"external-secrets","secret_id_bound_cidrs":[],"secret_id_num_uses":0,"secret_id_ttl":0,"token_bound_cidrs":[],"token_explicit_max_ttl":0,"token_max_ttl":14400,"token_no_default_policy":false,"token_num_uses":0,"token_period":0,"token_policies":["external-secret
s-read"],"token_ttl":3600,"token_type":"default"},"sensitive_attributes":[],"private":"bnVsbA==","dependencies":["vault_auth_backend.approle","vault_mount.kv","vault_policy.eso_read"]}]},{"mode":"managed","type":"vault_approle_auth_backend_role","name":"gitea_ci","provider":"provider[\"registry.opentofu.org/hashicorp/vault\"]","instances":[{"schema_version":0,"attributes":{"backend":"approle","bind_secret_id":true,"id":"auth/approle/role/gitea-ci","namespace":null,"role_id":"02fc6463-af48-1d88-1f60-1569ec3d90e2","role_name":"gitea-ci","secret_id_bound_cidrs":null,"secret_id_num_uses":0,"secret_id_ttl":0,"token_bound_cidrs":null,"token_explicit_max_ttl":0,"token_max_ttl":1200,"token_no_default_policy":false,"token_num_uses":0,"token_period":0,"token_policies":["gitea-ci-read"],"token_ttl":600,"token_type":"default"},"sensitive_attributes":[],"private":"bnVsbA==","dependencies":["vault_auth_backend.approle","vault_mount.kv","vault_policy.gitea_ci_read"]}]},{"mode":"managed","type":"vault_approle_auth_backend_role_secret_id","name":"eso","provider":"provider[\"registry.opentofu.org/hashicorp/vault\"]","instances":[{"schema_version":0,"attributes":{"accessor":"f20ef8a0-f21f-8c9b-fc38-887a005af763","backend":"approle","cidr_list":[],"id":"backend=approle::role=external-secrets::accessor=f20ef8a0-f21f-8c9b-fc38-887a005af763","metadata":"{}","namespace":null,"num_uses":0,"role_name":"external-secrets","secret_id":"8dd0e675-f4dc-50ba-6665-3db5ae423702","ttl":0,"with_wrapped_accessor":null,"wrapping_accessor":null,"wrapping_token":null,"wrapping_ttl":null},"sensitive_attributes":[[{"type":"get_attr","value":"secret_id"}],[{"type":"get_attr","value":"wrapping_token"}]],"private":"bnVsbA==","dependencies":["vault_approle_auth_backend_role.eso","vault_auth_backend.approle","vault_mount.kv","vault_policy.eso_read"]}]},{"mode":"managed","type":"vault_approle_auth_backend_role_secret_id","name":"gitea_ci","provider":"provider[\"registry.opentofu.org/hashicorp/vault\"]","instances"
:[{"schema_version":0,"attributes":{"accessor":"fc004726-1fc7-b6c4-c9e3-1dac77712ce6","backend":"approle","cidr_list":null,"id":"backend=approle::role=gitea-ci::accessor=fc004726-1fc7-b6c4-c9e3-1dac77712ce6","metadata":"{}","namespace":null,"num_uses":0,"role_name":"gitea-ci","secret_id":"95c63c88-c2f6-c3bd-4ba7-cba79df5f011","ttl":0,"with_wrapped_accessor":null,"wrapping_accessor":null,"wrapping_token":null,"wrapping_ttl":null},"sensitive_attributes":[[{"type":"get_attr","value":"secret_id"}],[{"type":"get_attr","value":"wrapping_token"}]],"private":"bnVsbA==","dependencies":["vault_approle_auth_backend_role.gitea_ci","vault_auth_backend.approle","vault_mount.kv","vault_policy.gitea_ci_read"]}]},{"mode":"managed","type":"vault_auth_backend","name":"approle","provider":"provider[\"registry.opentofu.org/hashicorp/vault\"]","instances":[{"schema_version":1,"attributes":{"accessor":"auth_approle_409190cb","description":"","disable_remount":false,"id":"approle","identity_token_key":null,"local":false,"namespace":null,"path":"approle","tune":[],"type":"approle"},"sensitive_attributes":[],"private":"eyJzY2hlbWFfdmVyc2lvbiI6IjEifQ=="}]},{"mode":"managed","type":"vault_jwt_auth_backend","name":"gitea","provider":"provider[\"registry.opentofu.org/hashicorp/vault\"]","instances":[{"schema_version":1,"attributes":{"accessor":"auth_jwt_d2814e6f","bound_issuer":"https://gitea.home.hrajfrisbee.cz","default_role":"","description":null,"disable_remount":null,"id":"jwt","jwks_ca_pem":"","jwks_url":"https://gitea.home.hrajfrisbee.cz/login/oauth/keys","jwt_supported_algs":[],"jwt_validation_pubkeys":[],"local":false,"namespace":null,"namespace_in_state":true,"oidc_client_id":"","oidc_client_secret":null,"oidc_discovery_ca_pem":"","oidc_discovery_url":"","oidc_response_mode":"","oidc_response_types":[],"path":"jwt","provider_config":{},"tune":[{"allowed_response_headers":[],"audit_non_hmac_request_keys":[],"audit_non_hmac_response_keys":[],"default_lease_ttl":"168h","listing_visibility
":"","max_lease_ttl":"768h","passthrough_request_headers":[],"token_type":"default-service"}],"type":"jwt"},"sensitive_attributes":[[{"type":"get_attr","value":"oidc_client_secret"}]],"private":"eyJzY2hlbWFfdmVyc2lvbiI6IjEifQ=="}]},{"mode":"managed","type":"vault_jwt_auth_backend_role","name":"gitea_ci","provider":"provider[\"registry.opentofu.org/hashicorp/vault\"]","instances":[{"schema_version":0,"attributes":{"allowed_redirect_uris":null,"backend":"jwt","bound_audiences":["https://gitea.home.hrajfrisbee.cz"],"bound_claims":{},"bound_claims_type":"string","bound_subject":"","claim_mappings":null,"clock_skew_leeway":0,"disable_bound_claims_parsing":false,"expiration_leeway":0,"groups_claim":"","id":"auth/jwt/role/gitea-ci","max_age":0,"namespace":null,"not_before_leeway":0,"oidc_scopes":[],"role_name":"gitea-ci","role_type":"jwt","token_bound_cidrs":[],"token_explicit_max_ttl":0,"token_max_ttl":1200,"token_no_default_policy":false,"token_num_uses":0,"token_period":0,"token_policies":["gitea-ci-read"],"token_ttl":600,"token_type":"default","user_claim":"sub","user_claim_json_pointer":false,"verbose_oidc_logging":false},"sensitive_attributes":[],"private":"bnVsbA==","dependencies":["vault_jwt_auth_backend.gitea","vault_mount.kv","vault_policy.gitea_ci_read"]}]},{"mode":"managed","type":"vault_mount","name":"kv","provider":"provider[\"registry.opentofu.org/hashicorp/vault\"]","instances":[{"schema_version":0,"attributes":{"accessor":"kv_d207dd40","allowed_managed_keys":[],"allowed_response_headers":[],"audit_non_hmac_request_keys":[],"audit_non_hmac_response_keys":[],"default_lease_ttl_seconds":0,"delegated_auth_accessors":null,"description":"KV v2 secrets 
engine","external_entropy_access":false,"id":"secret","identity_token_key":"","listing_visibility":"","local":false,"max_lease_ttl_seconds":0,"namespace":null,"options":{},"passthrough_request_headers":[],"path":"secret","plugin_version":null,"seal_wrap":false,"type":"kv-v2"},"sensitive_attributes":[],"private":"bnVsbA=="}]},{"mode":"managed","type":"vault_policy","name":"eso_read","provider":"provider[\"registry.opentofu.org/hashicorp/vault\"]","instances":[{"schema_version":0,"attributes":{"id":"external-secrets-read","name":"external-secrets-read","namespace":null,"policy":"path \"secret/data/*\" {\n capabilities = [\"read\"]\n}\npath \"secret/metadata/*\" {\n capabilities = [\"read\", \"list\"]\n}\n"},"sensitive_attributes":[],"private":"bnVsbA==","dependencies":["vault_mount.kv"]}]},{"mode":"managed","type":"vault_policy","name":"gitea_ci_read","provider":"provider[\"registry.opentofu.org/hashicorp/vault\"]","instances":[{"schema_version":0,"attributes":{"id":"gitea-ci-read","name":"gitea-ci-read","namespace":null,"policy":"path \"secret/data/gitea/*\" {\n capabilities = [\"read\"]\n}\npath \"secret/metadata/gitea/*\" {\n capabilities = [\"read\", \"list\"]\n}\n"},"sensitive_attributes":[],"private":"bnVsbA==","dependencies":["vault_mount.kv"]}]}],"check_results":null} diff --git a/docker-30/vault/terraform/terraform.tfstate.backup b/docker-30/vault/terraform/terraform.tfstate.backup index 3dd2334..aad4c97 100644 --- a/docker-30/vault/terraform/terraform.tfstate.backup +++ b/docker-30/vault/terraform/terraform.tfstate.backup 
@@ -1 +1 @@ -{"version":4,"terraform_version":"1.11.2","serial":1,"lineage":"88d0da45-267c-24b8-34e1-c9a1c58ab70f","outputs":{"role_id":{"value":"8833d0f8-d35d-d7ea-658b-c27837d121ab","type":"string","sensitive":true},"secret_id":{"value":"1791bfd9-5dc6-406a-3960-ba8fcad4a5a9","type":"string","sensitive":true}},"resources":[{"mode":"data","type":"vault_approle_auth_backend_role_id","name":"eso","provider":"provider[\"registry.opentofu.org/hashicorp/vault\"]","instances":[{"schema_version":0,"attributes":{"backend":"approle","id":"auth/approle/role/external-secrets/role-id","namespace":null,"role_id":"8833d0f8-d35d-d7ea-658b-c27837d121ab","role_name":"external-secrets"},"sensitive_attributes":[]}]},{"mode":"managed","type":"vault_approle_auth_backend_role","name":"eso","provider":"provider[\"registry.opentofu.org/hashicorp/vault\"]","instances":[{"schema_version":0,"attributes":{"backend":"approle","bind_secret_id":true,"id":"auth/approle/role/external-secrets","namespace":null,"role_id":"8833d0f8-d35d-d7ea-658b-c27837d121ab","role_name":"external-secrets","secret_id_bound_cidrs":null,"secret_id_num_uses":0,"secret_id_ttl":0,"token_bound_cidrs":null,"token_explicit_max_ttl":0,"token_max_ttl":14400,"token_no_default_policy":false,"token_num_uses":0,"token_period":0,"token_policies":["external-secrets-read"],"token_ttl":3600,"token_type":"default"},"sensitive_attributes":[],"private":"bnVsbA==","dependencies":["vault_auth_backend.approle","vault_mount.kv","vault_policy.eso_read"]}]},{"mode":"managed","type":"vault_approle_auth_backend_role_secret_id","name":"eso","provider":"provider[\"registry.opentofu.org/hashicorp/vault\"]","instances":[{"schema_version":0,"attributes":{"accessor":"bcc08746-6bea-8df2-02da-f6a697bceb59","backend":"approle","cidr_list":null,"id":"backend=approle::role=external-secrets::accessor=bcc08746-6bea-8df2-02da-f6a697bceb59","metadata":"{}","namespace":null,"num_uses":0,"role_name":"external-secrets","secret_id":"1791bfd9-5dc6-406a-3960-ba8fcad
4a5a9","ttl":0,"with_wrapped_accessor":null,"wrapping_accessor":null,"wrapping_token":null,"wrapping_ttl":null},"sensitive_attributes":[[{"type":"get_attr","value":"secret_id"}],[{"type":"get_attr","value":"wrapping_token"}]],"private":"bnVsbA==","dependencies":["vault_approle_auth_backend_role.eso","vault_auth_backend.approle","vault_mount.kv","vault_policy.eso_read"]}]},{"mode":"managed","type":"vault_auth_backend","name":"approle","provider":"provider[\"registry.opentofu.org/hashicorp/vault\"]","instances":[{"schema_version":1,"attributes":{"accessor":"auth_approle_c6cd7bc1","description":"","disable_remount":false,"id":"approle","identity_token_key":null,"local":false,"namespace":null,"path":"approle","tune":[],"type":"approle"},"sensitive_attributes":[],"private":"eyJzY2hlbWFfdmVyc2lvbiI6IjEifQ=="}]},{"mode":"managed","type":"vault_mount","name":"kv","provider":"provider[\"registry.opentofu.org/hashicorp/vault\"]","instances":[{"schema_version":0,"attributes":{"accessor":"kv_8285fbfc","allowed_managed_keys":null,"allowed_response_headers":null,"audit_non_hmac_request_keys":[],"audit_non_hmac_response_keys":[],"default_lease_ttl_seconds":0,"delegated_auth_accessors":null,"description":"KV v2 secrets engine","external_entropy_access":false,"id":"secret","identity_token_key":"","listing_visibility":"","local":false,"max_lease_ttl_seconds":0,"namespace":null,"options":null,"passthrough_request_headers":null,"path":"secret","plugin_version":null,"seal_wrap":false,"type":"kv-v2"},"sensitive_attributes":[],"private":"bnVsbA=="}]},{"mode":"managed","type":"vault_policy","name":"eso_read","provider":"provider[\"registry.opentofu.org/hashicorp/vault\"]","instances":[{"schema_version":0,"attributes":{"id":"external-secrets-read","name":"external-secrets-read","namespace":null,"policy":"path \"secret/data/*\" {\n capabilities = [\"read\"]\n}\npath \"secret/metadata/*\" {\n capabilities = [\"read\", 
\"list\"]\n}\n"},"sensitive_attributes":[],"private":"bnVsbA==","dependencies":["vault_mount.kv"]}]}],"check_results":null} +{"version":4,"terraform_version":"1.11.5","serial":5,"lineage":"88d0da45-267c-24b8-34e1-c9a1c58ab70f","outputs":{"role_id":{"value":"864e352d-2064-2bf9-2c73-dbd676a95368","type":"string","sensitive":true},"secret_id":{"value":"8dd0e675-f4dc-50ba-6665-3db5ae423702","type":"string","sensitive":true}},"resources":[{"mode":"data","type":"vault_approle_auth_backend_role_id","name":"eso","provider":"provider[\"registry.opentofu.org/hashicorp/vault\"]","instances":[{"schema_version":0,"attributes":{"backend":"approle","id":"auth/approle/role/external-secrets/role-id","namespace":null,"role_id":"864e352d-2064-2bf9-2c73-dbd676a95368","role_name":"external-secrets"},"sensitive_attributes":[]}]},{"mode":"managed","type":"vault_approle_auth_backend_role","name":"eso","provider":"provider[\"registry.opentofu.org/hashicorp/vault\"]","instances":[{"schema_version":0,"attributes":{"backend":"approle","bind_secret_id":true,"id":"auth/approle/role/external-secrets","namespace":null,"role_id":"864e352d-2064-2bf9-2c73-dbd676a95368","role_name":"external-secrets","secret_id_bound_cidrs":[],"secret_id_num_uses":0,"secret_id_ttl":0,"token_bound_cidrs":[],"token_explicit_max_ttl":0,"token_max_ttl":14400,"token_no_default_policy":false,"token_num_uses":0,"token_period":0,"token_policies":["external-secrets-read"],"token_ttl":3600,"token_type":"default"},"sensitive_attributes":[],"private":"bnVsbA==","dependencies":["vault_auth_backend.approle","vault_mount.kv","vault_policy.eso_read"]}]},{"mode":"managed","type":"vault_approle_auth_backend_role_secret_id","name":"eso","provider":"provider[\"registry.opentofu.org/hashicorp/vault\"]","instances":[{"schema_version":0,"attributes":{"accessor":"f20ef8a0-f21f-8c9b-fc38-887a005af763","backend":"approle","cidr_list":[],"id":"backend=approle::role=external-secrets::accessor=f20ef8a0-f21f-8c9b-fc38-887a005af763","metadata":"{}"
,"namespace":null,"num_uses":0,"role_name":"external-secrets","secret_id":"8dd0e675-f4dc-50ba-6665-3db5ae423702","ttl":0,"with_wrapped_accessor":null,"wrapping_accessor":null,"wrapping_token":null,"wrapping_ttl":null},"sensitive_attributes":[[{"type":"get_attr","value":"secret_id"}],[{"type":"get_attr","value":"wrapping_token"}]],"private":"bnVsbA==","dependencies":["vault_approle_auth_backend_role.eso","vault_auth_backend.approle","vault_mount.kv","vault_policy.eso_read"]}]},{"mode":"managed","type":"vault_auth_backend","name":"approle","provider":"provider[\"registry.opentofu.org/hashicorp/vault\"]","instances":[{"schema_version":1,"attributes":{"accessor":"auth_approle_409190cb","description":"","disable_remount":false,"id":"approle","identity_token_key":null,"local":false,"namespace":null,"path":"approle","tune":[],"type":"approle"},"sensitive_attributes":[],"private":"eyJzY2hlbWFfdmVyc2lvbiI6IjEifQ=="}]},{"mode":"managed","type":"vault_jwt_auth_backend","name":"gitea","provider":"provider[\"registry.opentofu.org/hashicorp/vault\"]","instances":[{"schema_version":1,"attributes":{"accessor":"auth_jwt_d2814e6f","bound_issuer":"https://gitea.home.hrajfrisbee.cz","default_role":"","description":null,"disable_remount":null,"id":"jwt","jwks_ca_pem":"","jwks_url":"https://gitea.home.hrajfrisbee.cz/login/oauth/keys","jwt_supported_algs":[],"jwt_validation_pubkeys":[],"local":false,"namespace":null,"namespace_in_state":true,"oidc_client_id":"","oidc_client_secret":null,"oidc_discovery_ca_pem":"","oidc_discovery_url":"","oidc_response_mode":"","oidc_response_types":[],"path":"jwt","provider_config":{},"tune":[{"allowed_response_headers":[],"audit_non_hmac_request_keys":[],"audit_non_hmac_response_keys":[],"default_lease_ttl":"168h","listing_visibility":"","max_lease_ttl":"768h","passthrough_request_headers":[],"token_type":"default-service"}],"type":"jwt"},"sensitive_attributes":[[{"type":"get_attr","value":"oidc_client_secret"}]],"private":"eyJzY2hlbWFfdmVyc2lvbiI6IjEifQ
=="}]},{"mode":"managed","type":"vault_jwt_auth_backend_role","name":"gitea_ci","provider":"provider[\"registry.opentofu.org/hashicorp/vault\"]","instances":[{"schema_version":0,"attributes":{"allowed_redirect_uris":null,"backend":"jwt","bound_audiences":["https://gitea.home.hrajfrisbee.cz"],"bound_claims":null,"bound_claims_type":"string","bound_subject":"","claim_mappings":null,"clock_skew_leeway":0,"disable_bound_claims_parsing":false,"expiration_leeway":0,"groups_claim":"","id":"auth/jwt/role/gitea-ci","max_age":0,"namespace":null,"not_before_leeway":0,"oidc_scopes":null,"role_name":"gitea-ci","role_type":"jwt","token_bound_cidrs":null,"token_explicit_max_ttl":0,"token_max_ttl":1200,"token_no_default_policy":false,"token_num_uses":0,"token_period":0,"token_policies":["gitea-ci-read"],"token_ttl":600,"token_type":"default","user_claim":"sub","user_claim_json_pointer":false,"verbose_oidc_logging":false},"sensitive_attributes":[],"private":"bnVsbA==","dependencies":["vault_jwt_auth_backend.gitea","vault_mount.kv","vault_policy.gitea_ci_read"]}]},{"mode":"managed","type":"vault_mount","name":"kv","provider":"provider[\"registry.opentofu.org/hashicorp/vault\"]","instances":[{"schema_version":0,"attributes":{"accessor":"kv_d207dd40","allowed_managed_keys":[],"allowed_response_headers":[],"audit_non_hmac_request_keys":[],"audit_non_hmac_response_keys":[],"default_lease_ttl_seconds":0,"delegated_auth_accessors":null,"description":"KV v2 secrets 
engine","external_entropy_access":false,"id":"secret","identity_token_key":"","listing_visibility":"","local":false,"max_lease_ttl_seconds":0,"namespace":null,"options":{},"passthrough_request_headers":[],"path":"secret","plugin_version":null,"seal_wrap":false,"type":"kv-v2"},"sensitive_attributes":[],"private":"bnVsbA=="}]},{"mode":"managed","type":"vault_policy","name":"eso_read","provider":"provider[\"registry.opentofu.org/hashicorp/vault\"]","instances":[{"schema_version":0,"attributes":{"id":"external-secrets-read","name":"external-secrets-read","namespace":null,"policy":"path \"secret/data/*\" {\n capabilities = [\"read\"]\n}\npath \"secret/metadata/*\" {\n capabilities = [\"read\", \"list\"]\n}\n"},"sensitive_attributes":[],"private":"bnVsbA==","dependencies":["vault_mount.kv"]}]},{"mode":"managed","type":"vault_policy","name":"gitea_ci_read","provider":"provider[\"registry.opentofu.org/hashicorp/vault\"]","instances":[{"schema_version":0,"attributes":{"id":"gitea-ci-read","name":"gitea-ci-read","namespace":null,"policy":"path \"secret/data/gitea/*\" {\n capabilities = [\"read\"]\n}\npath \"secret/metadata/gitea/*\" {\n capabilities = [\"read\", \"list\"]\n}\n"},"sensitive_attributes":[],"private":"bnVsbA==","dependencies":["vault_mount.kv"]}]}],"check_results":null}