diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 087465a78a9cadd435c2e391c0f79be03657b2a8..4b853f9a914728918afd305425bdede423a182a1 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,7 +1,9 @@
 default:
   before_script:
     - set -ex
-    - env
+    # env -0 | sort -z | tr '\0' '\n': Sort env output alphabetically, keeping multiline variables intact
+    # egrep: Remove sensitive information from the output of env
+    - env -0 | sort -z | tr '\0' '\n' | egrep -ve '^(DOCKER_AUTH_CONFIG|GOOGLE_APPLICATION_CREDENTIALS)=.*'
   interruptible: true
   tags:
     - 1cpu-4gb # build on smaller machine
@@ -13,7 +15,7 @@ variables:
 
 .deploy:
   image:
-    name: 'hashicorp/terraform:1.6.1'
+    name: 'europe-north1-docker.pkg.dev/holi-shared/docker-hub-remote/hashicorp/terraform:1.6.6'
     # default entrypoint is terraform command, but we want to run shell scripts
     entrypoint: ["/bin/sh", "-c"]
   variables:
@@ -25,16 +27,15 @@ variables:
       - $API_DOMAIN_PATH
     name: "${CI_JOB_NAME}_${CI_JOB_ID}"
     #when: on_failure
-    expire_in: 1 month
+    expire_in: 1 week
   script:
-    - export GOOGLE_APPLICATION_CREDENTIALS=${GOOGLE_CLOUD_SERVICE_ACCOUNT}
     - terraform/environments/scripts/create-or-update-env.sh $ENVIRONMENT_ID $CI_COMMIT_SHA
-    - echo "$(terraform/environments/scripts/get-api-domain.sh)" > $API_DOMAIN_PATH
+    - echo "$(terraform/environments/scripts/get-output.sh api_domain)" > $API_DOMAIN_PATH
   resource_group: $ENVIRONMENT_ID # never execute terraform in parallel on the same environment
   interruptible: false
 
 .e2e:
-  image: 'archlinux:latest'
+  image: 'europe-north1-docker.pkg.dev/holi-shared/docker-hub-remote/archlinux:latest'
   script:
     - API_DOMAIN=`cat $API_DOMAIN_PATH`
     - echo "e2e tests against $CI_ENVIRONMENT_SLUG environment go here and against $API_DOMAIN"
@@ -47,7 +48,7 @@ variables:
 ## common steps
 
 cache_lint_test:
-  image: 'denoland/deno:alpine-1.37.2'
+  image: 'europe-north1-docker.pkg.dev/holi-shared/docker-hub-remote/denoland/deno:alpine-1.45.2'
   stage: 'test'
   script:
     - deno cache --lock=deno.lock app/deps.ts app/dev_deps.ts
@@ -71,14 +72,12 @@ include:
 
 build_docker:
   needs: ['cache_lint_test']
-  image: docker:20.10
+  image: 'europe-north1-docker.pkg.dev/holi-shared/docker-hub-remote/docker:27'
   services:
-    - docker:20.10-dind
+    - 'docker:27-dind'
   variables:
     # this could be fetched via terraform output ("gcr_location" in infra project), but then we would need an extra job for terraform
     GCR_IMAGE: europe-north1-docker.pkg.dev/holi-shared/docker/holi-notifications-api
-  before_script:
-    - cat $GOOGLE_CLOUD_SERVICE_ACCOUNT | docker login -u _json_key --password-stdin https://europe-north1-docker.pkg.dev
   script:
     - docker pull $GCR_IMAGE || true # Allows us to use --cache-from, we need to tag with latest in the next command for this to work
     - docker build --cache-from $GCR_IMAGE -t $GCR_IMAGE:latest -t $GCR_IMAGE:$CI_COMMIT_SHA -t $GCR_IMAGE:$CI_COMMIT_REF_SLUG .
@@ -111,7 +110,7 @@ review_e2e:
 review_destroy:
   needs: ['review_deploy']
   image:
-    name: 'hashicorp/terraform:1.6.1'
+    name: 'europe-north1-docker.pkg.dev/holi-shared/docker-hub-remote/hashicorp/terraform:1.6.6'
     # default entrypoint is terraform command, but we want to run shell scripts
     entrypoint: ["/bin/sh", "-c"]
   variables:
@@ -123,7 +122,6 @@ review_destroy:
     action: stop
   dependencies: [] # explicitly disable artifact usage
   script:
-    - export GOOGLE_APPLICATION_CREDENTIALS=${GOOGLE_CLOUD_SERVICE_ACCOUNT}
     # branch may have been deleted, so we clone and checkout main
     - git clone $CI_REPOSITORY_URL main-clone
     - cd main-clone
diff --git a/Dockerfile b/Dockerfile
index 45fa37b6e49b5dc1693ec5f5c32c338a0e8fbc94..6351d9e292734360b0361dfb746c25df09c048be 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM denoland/deno:alpine-1.39.1
+FROM europe-north1-docker.pkg.dev/holi-shared/docker-hub-remote/denoland/deno:alpine-1.45.2
 
 # The port that your application listens to.
 EXPOSE 8005
diff --git a/terraform/common/init.tf b/terraform/common/init.tf
index af3a6f20ce802fc3719661db088590c0b2a8e377..d05853b22a327c9d33188aabff52d9b75e686693 100644
--- a/terraform/common/init.tf
+++ b/terraform/common/init.tf
@@ -15,9 +15,9 @@ data "terraform_remote_state" "holi_infra_state" {
 
 # provider google including beta features
 provider "google" {
-  region = "europe-north1"
+  region = local.default_region
 }
 
 provider "google-beta" {
-  region = "europe-north1"
+  region = local.default_region
 }
diff --git a/terraform/common/vars.tf b/terraform/common/vars.tf
new file mode 100644
index 0000000000000000000000000000000000000000..1c12ce4019d313359dfe5c31ca6df20b8d0cd440
--- /dev/null
+++ b/terraform/common/vars.tf
@@ -0,0 +1,3 @@
+locals {
+  default_region = data.terraform_remote_state.holi_infra_state.outputs.default_region
+}
diff --git a/terraform/environments/deployment.tf b/terraform/environments/deployment.tf
index 473611cdf4b4dd737a35bf80314a91ef1eb24f2d..766e63a635467225b0b2c0b63c411cbc4636e869 100644
--- a/terraform/environments/deployment.tf
+++ b/terraform/environments/deployment.tf
@@ -32,7 +32,7 @@ variable "image_tag" {
 resource "google_cloud_run_service" "notifications_api" {
   project  = data.terraform_remote_state.holi_infra_state.outputs.shared_project_id
   name     = random_id.main.hex
-  location = "europe-north1" # finland, low CO2 emissions
+  location = local.default_region # finland, low CO2 emissions
   # https://github.com/hashicorp/terraform-provider-google/issues/5898
   autogenerate_revision_name = true
 
diff --git a/terraform/environments/init.tf b/terraform/environments/init.tf
index 8c7a2d3d132f1e727bbae715ace0484e132bd27c..93cb73e17a641b6c1cc083b1738175be07ce81a8 100644
--- a/terraform/environments/init.tf
+++ b/terraform/environments/init.tf
@@ -23,9 +23,9 @@ data "terraform_remote_state" "holi_notifications_api_common_state" {
 
 # provider google including beta features
 provider "google" {
-  region = "europe-north1"
+  region = local.default_region
 }
 
 provider "google-beta" {
-  region = "europe-north1"
+  region = local.default_region
 }
diff --git a/terraform/environments/scripts/get-api-domain.sh b/terraform/environments/scripts/get-api-domain.sh
deleted file mode 100755
index 63451fcec2e41baf24a5d48a5abfbdf076891c69..0000000000000000000000000000000000000000
--- a/terraform/environments/scripts/get-api-domain.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/usr/bin/env sh
-
-# exit when any command fails
-set -ex
-
-cd terraform/environments > /dev/null
-
-terraform output -raw api_domain
diff --git a/terraform/environments/scripts/get-output.sh b/terraform/environments/scripts/get-output.sh
new file mode 100755
index 0000000000000000000000000000000000000000..2e1d9b65003d2dd4e752e54bd1cf2234384af85a
--- /dev/null
+++ b/terraform/environments/scripts/get-output.sh
@@ -0,0 +1,10 @@
+#!/usr/bin/env sh
+
+# exit when any command fails
+set -ex
+
+: "${1?"Usage: $0 OUTPUT_NAME"}"
+
+cd "$(dirname "$0")"/.. > /dev/null
+
+terraform output -raw "$1"
diff --git a/terraform/environments/vars.tf b/terraform/environments/vars.tf
index 452df688826aeb69e03e8358f9b89620f9e6e4d2..ee27e81fe448b9a1a64d80bdfb8433f52e1a7090 100644
--- a/terraform/environments/vars.tf
+++ b/terraform/environments/vars.tf
@@ -5,4 +5,6 @@ locals {
 
   # the dns name can be at most 64 chars in total
   dns_name = "${trimsuffix(substr(local.environment, 0, 34), ".-")}.${data.terraform_remote_state.holi_notifications_api_common_state.outputs.dns_notifications_api_domain}"
+
+  default_region = data.terraform_remote_state.holi_infra_state.outputs.default_region
 }