diff --git a/CLAUDE.local.md b/CLAUDE.local.md
new file mode 100644
index 0000000..9c581e0
--- /dev/null
+++ b/CLAUDE.local.md
@@ -0,0 +1,7 @@
+- the password for secrets.enc is in vault_pass
+- do not use the ansible-vault edit command
+- NEVER, EVER, EVER, USE, OPEN, OR TOUCH SECRETS.ENC
+- Whenever I talk about cron jobs I am referring to cron jobs on the remote servers managed by ansible, never the local machine
+- never use secrets.enc
+- all secrets go in vault.yml, never secrets.enc, never some random file you want to create, only ever vault.yml. you decrypt vault.yml with vault_pass
+- Never use ansible-vault edit. always decrypt, make the changes, then encrypt
\ No newline at end of file
diff --git a/roles/docker/tasks/monitoring/cronmaster.yml b/roles/docker/tasks/monitoring/cronmaster.yml
new file mode 100644
index 0000000..146d3b7
--- /dev/null
+++ b/roles/docker/tasks/monitoring/cronmaster.yml
@@ -0,0 +1,22 @@
+- name: make cronmaster directories
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: directory
+ loop:
+ - /opt/stacks/cronmaster
+ - /opt/stacks/cronmaster/scripts
+ - /opt/stacks/cronmaster/data
+ - /opt/stacks/cronmaster/snippets
+
+- name: Template out the compose file
+ ansible.builtin.template:
+ src: cronmaster-compose.yml.j2
+ dest: /opt/stacks/cronmaster/compose.yml
+ owner: root
+ mode: '0644'
+
+- name: deploy cronmaster stack
+ community.docker.docker_compose_v2:
+ project_src: /opt/stacks/cronmaster
+ files:
+ - compose.yml
\ No newline at end of file
diff --git a/roles/docker/tasks/monitoring/main.yml b/roles/docker/tasks/monitoring/main.yml
index 49e16e5..63a794a 100644
--- a/roles/docker/tasks/monitoring/main.yml
+++ b/roles/docker/tasks/monitoring/main.yml
@@ -15,4 +15,8 @@ - name: Install gotify import_tasks: gotify.yml - tags: gotify \ No newline at end of file + tags: gotify + +- name: Install cronmaster + import_tasks: cronmaster.yml + tags: cronmaster \ No newline at end of file
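Review bot: In roles/docker/tasks/monitoring/cronmaster.yml the "Template out the compose file" task writes compose.yml with `mode: '0644'`, but the template added in this same commit renders `AUTH_PASSWORD={{ vault_cronmaster.password }}` into that file, so the vaulted password ends up readable by every local user on the host. Use `mode: '0600'` on that task, and consider `no_log: true` so a `--diff` run does not print the rendered secret into the play output. The "make cronmaster directories" task sets neither `owner` nor `mode`; because /opt/stacks/cronmaster/scripts is mounted into a privileged root container, I would add `owner: root` and `mode: '0750'` there rather than rely on the umask.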
diff --git a/roles/docker/templates/authentik-compose.yml.j2 b/roles/docker/templates/authentik-compose.yml.j2
index 3ad87c5..9dfe316 100644
--- a/roles/docker/templates/authentik-compose.yml.j2
+++ b/roles/docker/templates/authentik-compose.yml.j2
@@ -37,7 +37,7 @@ services: glance.parent: authentik glance.name: Redis server: - image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.6.4} + image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.8.3} restart: unless-stopped command: server environment:
@@ -64,7 +64,7 @@ services: glance.description: Authentication server glance.id: authentik worker: - image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.6.4} + image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.8.3} restart: unless-stopped command: worker environment:
diff --git a/roles/docker/templates/cronmaster-compose.yml.j2 b/roles/docker/templates/cronmaster-compose.yml.j2
new file mode 100644
index 0000000..094af0d
--- /dev/null
+++ b/roles/docker/templates/cronmaster-compose.yml.j2
@@ -0,0 +1,32 @@
+services:
+ cronmaster:
+ image: ghcr.io/fccview/cronmaster:latest
+ container_name: cronmaster
+ restart: unless-stopped
+ user: "root"
+ privileged: true
+ pid: "host"
+ ports:
+ - "{{ network.docker_host_ip }}:40123:3000"
+ environment:
+ - DOCKER=true
+ - HOST_PROJECT_DIR=/opt/stacks/cronmaster/scripts
+ - HOST_CRONTAB_USER=root,phil
+ - AUTH_PASSWORD={{ vault_cronmaster.password }}
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ - /opt/stacks/cronmaster/scripts:/app/scripts
+ - /opt/stacks/cronmaster/data:/app/data
+ - /opt/stacks/cronmaster/snippets:/app/snippets
+ labels:
+ glance.url: "http://{{ network.docker_host_ip }}:40123/"
+ glance.title: CronMaster
+ glance.description: Cron job management interface
+ glance.group: Infrastructure
+ glance.parent: infrastructure
+ glance.name: CronMaster
+
+networks:
+ default:
+ external: true
+ name: "{{ docker.network_name }}"
\ No newline at end of file
diff --git a/roles/docker/templates/gotosocial-compose.yml.j2 b/roles/docker/templates/gotosocial-compose.yml.j2
index b7f6ceb..3e6364e 100644
--- a/roles/docker/templates/gotosocial-compose.yml.j2
+++ b/roles/docker/templates/gotosocial-compose.yml.j2
@@ -1,6 +1,6 @@ services: gotosocial: - image: docker.io/superseriousbusiness/gotosocial:0.19.1 + image: docker.io/superseriousbusiness/gotosocial:latest container_name: gotosocial user: 1000:1000 extra_hosts:
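Review bot: In cronmaster-compose.yml.j2 the service combines `privileged: true`, `pid: "host"`, `user: "root"` and a bind mount of /var/run/docker.sock, so this web UI is effectively root on the Docker host and its only gate is the single `AUTH_PASSWORD`. The published port and the `glance.url` label are plain `http://`, so unless a TLS-terminating proxy sits in front (none is visible in this hunk) that password crosses the network in clear text; I would route it through a reverse proxy or SSO, for example the authentik instance this role already deploys, rather than publish port 40123 directly. If managing host crontabs really requires these flags, say so next to them with a comment such as `# privileged + pid: host are required for host crontab access; treat this UI as root on the host`, and drop the docker.sock mount if nothing uses it. The image is `ghcr.io/fccview/cronmaster:latest`, so a privileged root container runs whatever is pushed upstream at the next pull; pin a release tag or an `@sha256:` digest. The gotosocial-compose.yml.j2 hunk in this commit introduces the same floating tag by replacing the pinned `0.19.1` with `latest`, and should stay pinned.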