Auto-update README with current k8s applications

Generated by CI/CD workflow on 2025-12-23 01:34:07 This PR updates the README.md file with the current list of applications found in the k8s/ directory structure.
2025-12-23 01:34:07 +00:00
36 changed files with 54 additions and 927 deletions
--- a/.gitea/workflows/k8s-wiki.yaml
+++ b/.gitea/workflows/k8s-wiki.yaml
@@ -22,13 +22,12 @@ jobs:

    - name: Install Python dependencies
      run: |
-        python3 -m venv .venv
-        .venv/bin/pip install pyyaml
+        pip install pyyaml

    - name: Generate K8s Services Wiki
      run: |
        echo "📋 Starting K8s wiki generation..."
-        .venv/bin/python .gitea/scripts/generate-k8s-wiki.py k8s/ Kubernetes-Services.md
+        python3 .gitea/scripts/generate-k8s-wiki.py k8s/ Kubernetes-Services.md
        
        if [ -f "Kubernetes-Services.md" ]; then
          echo "✅ Wiki content generated successfully"
--- a/k8s/apps/gitea/deployment.yaml
+++ b/k8s/apps/gitea/deployment.yaml
@@ -77,8 +77,8 @@ spec:
      labels:
        app: gitea-runner
    spec:
-      #nodeSelector:
-      #  kubernetes.io/hostname: home.homenet
+      nodeSelector:
+        kubernetes.io/hostname: home.homenet
      volumes:
        - name: docker-sock
          hostPath:
@@ -90,30 +90,27 @@ spec:
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
-          - weight: 1
-            preference:
-              matchExpressions:
-              - key: kubernetes.io/hostname
-                operator: In
-                values:
-                - home.homenet
-          - weight: 2
-            preference:
-              matchExpressions:
-              - key: kubernetes.io/hostname
-                operator: In
-                values:
-                - master.tail2fe2d.ts.net
          - weight: 3
            preference:
              matchExpressions:
              - key: kubernetes.io/hostname
                operator: In
                values:
-                - it.tail2fe2d.ts.net
-                - ch.tail2fe2d.ts.net
-                - us.tail2fe2d.ts.net
-
+                - home.homenet
+          - weight: 1
+            preference:
+              matchExpressions:
+              - key: kubernetes.io/hostname
+                operator: In
+                values:
+                - master.tail2fe2d.ts.net
+          - weight: 2
+            preference:
+              matchExpressions:
+              - key: kubernetes.io/hostname
+                operator: In
+                values:
+                - nas.homenet
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
@@ -121,9 +118,7 @@ spec:
                operator: In
                values:
                - home.homenet
-                - it.tail2fe2d.ts.net
-                - ch.tail2fe2d.ts.net
-                - us.tail2fe2d.ts.net
+                - nas.homenet
                - master.tail2fe2d.ts.net
      containers:
        - name: gitea-runner
--- a/k8s/apps/k8s-secrets/deployment.yaml
+++ b/k8s/apps/k8s-secrets/deployment.yaml
@@ -19,7 +19,7 @@ spec:
        kubernetes.io/os: linux
      containers:
      - name: secret-reader
-        image: ultradesu/k8s-secrets:0.2.1
+        image: ultradesu/k8s-secrets:0.1.1
        imagePullPolicy: Always
        args:
          - "--secrets"
@@ -28,7 +28,6 @@ spec:
          - "k8s-secret"
          - "--port"
          - "3000"
-          - "--webhook"
        ports:
        - containerPort: 3000
          name: http
--- a/k8s/apps/pasarguard/daemonset-ingress.yaml
+++ b/k8s/apps/pasarguard/daemonset-ingress.yaml
@@ -192,10 +192,10 @@ spec:
          resources:
            requests:
              memory: "128Mi"
-              cpu: "300m"
+              cpu: "100m"
            limits:
              memory: "512Mi"
-              cpu: "1000m"
+              cpu: "750m"
          volumeMounts:
            - name: shared-data
              mountPath: /shared
--- a/k8s/apps/pasarguard/daemonset.yaml
+++ b/k8s/apps/pasarguard/daemonset.yaml
@@ -113,7 +113,7 @@ spec:
              mountPath: /scripts
      containers:
        - name: pasarguard-node
-          image: 'pasarguard/node:v0.1.4'
+          image: 'pasarguard/node:v0.1.3'
          imagePullPolicy: Always
          command:
            - /bin/sh
@@ -162,10 +162,10 @@ spec:
          resources:
            requests:
              memory: "128Mi"
-              cpu: "500m"
+              cpu: "100m"
            limits:
              memory: "512Mi"
-              cpu: "1200m"
+              cpu: "750m"
          volumeMounts:
            - name: shared-data
              mountPath: /shared
@@ -205,7 +205,7 @@ spec:
              cpu: "50m"
            limits:
              memory: "128Mi"
-              cpu: "500m"
+              cpu: "150m"
          volumeMounts:
            - name: shared-data
              mountPath: /shared
--- a/k8s/apps/tg-bots/desubot.yaml
+++ b/k8s/apps/tg-bots/desubot.yaml
@@ -1,3 +1,4 @@
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -22,7 +23,7 @@ spec:
        kubernetes.io/hostname: home.homenet
      containers:
        - name: desubot
-          image: "ultradesu/desubot:latest"
+          image: 'ultradesu/desubot:latest'
          imagePullPolicy: Always
          envFrom:
            - secretRef:
@@ -31,11 +32,11 @@ spec:
            - name: RUST_LOG
              value: "info"
          volumeMounts:
-            - mountPath: /storage
-              name: storage
+          - mountPath: /storage
+            name: storage
      volumes:
        - name: storage
-          persistentVolumeClaim:
-            claimName: desubot-storage
-            readOnly: false
-
+          nfs:
+            server: nas.homenet
+            path: /mnt/storage/Storage/k8s/desubot/
+            readOnly: false
--- a/k8s/apps/tg-bots/kustomization.yaml
+++ b/k8s/apps/tg-bots/kustomization.yaml
@@ -8,14 +8,3 @@ resources:
  - external-secrets.yaml
  - desubot.yaml
  - restart-job.yaml
-  - storage.yaml
-
-helmCharts:
-  - name: csi-driver-nfs
-    repo: https://raw.githubusercontent.com/kubernetes-csi/csi-driver-nfs/master/charts
-    version: 4.12.0
-    releaseName: csi-driver-nfs
-    namespace: kube-system
-    #valuesFile: values.yaml
-    includeCRDs: true
-
--- a/k8s/apps/tg-bots/storage.yaml
+++ b/k8s/apps/tg-bots/storage.yaml
@@ -1,28 +0,0 @@
---
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: desubot-pv
-spec:
-  capacity:
-    storage: 200Gi
-  accessModes:
-    - ReadWriteMany
-  persistentVolumeReclaimPolicy: Retain
-  storageClassName: nfs-storage
-  nfs:
-    path: /mnt/storage/Storage/k8s/desubot
-    server: nas.homenet
---
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: desubot-storage
-spec:
-  accessModes:
-    - ReadWriteMany
-  storageClassName: nfs-storage
-  resources:
-    requests:
-      storage: 200Gi
-  volumeName: desubot-pv
--- a/k8s/apps/xandikos/external-secrets.yaml
+++ b/k8s/apps/xandikos/external-secrets.yaml
@@ -1,31 +0,0 @@
---
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: mmdl-secrets
-spec:
-  target:
-    name: mmdl-secrets
-    deletionPolicy: Delete
-    template:
-      type: Opaque
-      data:
-        DB_DIALECT: 'postgres'
-        DB_HOST: psql.psql.svc
-        DB_USER: mmdl
-        DB_NAME: mmdl
-        DB_PORT: "5432"
-        DB_PASS: |-
-          {{ .pg_pass }}
-        AES_PASSWORD: |-
-          {{ .pg_pass }}
-
-  data:
-    - secretKey: pg_pass
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        key: 2a9deb39-ef22-433e-a1be-df1555625e22
-        property: fields[12].value
--- a/k8s/apps/xandikos/kustomization.yaml
+++ b/k8s/apps/xandikos/kustomization.yaml
@@ -7,5 +7,5 @@ resources:
  - mmdl-deployment.yaml
  - mmdl-service.yaml
  - ingress.yaml
-  - external-secrets.yaml
+

--- a/k8s/apps/xandikos/mmdl-deployment.yaml
+++ b/k8s/apps/xandikos/mmdl-deployment.yaml
@@ -26,9 +26,6 @@ spec:
        - name: mmdl
          image: intriin/mmdl:latest
          imagePullPolicy: Always
-          envFrom:
-            - secretRef:
-                name: mmdl-secrets
          env:
            - name: NEXTAUTH_URL
              value: "https://cal.hexor.cy"
--- a/k8s/core/argocd/appprojects.yaml
+++ b/k8s/core/argocd/appprojects.yaml
@@ -47,20 +47,3 @@ spec:
    server: https://kubernetes.default.svc
  sourceRepos:
  - ssh://git@gt.hexor.cy:30022/ab/homelab.git
-
---
-apiVersion: argoproj.io/v1alpha1
-kind: AppProject
-metadata:
-  name: desktop
-  namespace: argocd
-spec:
-  clusterResourceWhitelist:
-  - group: '*'
-    kind: '*'
-  description: Hexor Home Lab Desktop Apps
-  destinations:
-  - namespace: '*'
-    server: https://kubernetes.default.svc
-  sourceRepos:
-  - ssh://git@gt.hexor.cy:30022/ab/homelab.git
--- a/k8s/core/argocd/values.yaml
+++ b/k8s/core/argocd/values.yaml
@@ -2,7 +2,7 @@

 global:
  domain: ag.hexor.cy
-  nodeSelector: &nodeSelector
+  nodeSelector:
    kubernetes.io/hostname: master.tail2fe2d.ts.net
  logging:
    format: text
@@ -55,15 +55,15 @@ configs:

 controller:
  replicas: 1
-  nodeSelector: 
-    <<: *nodeSelector
+  nodeSelector:
+    kubernetes.io/hostname: master.tail2fe2d.ts.net
  # Add resources (requests/limits), PDB etc. if needed

 # Dex OIDC provider
 dex:
  replicas: 1
  nodeSelector:
-    <<: *nodeSelector
+    kubernetes.io/hostname: master.tail2fe2d.ts.net
  enabled: false

 # Standard Redis disabled because Redis HA is enabled
@@ -86,7 +86,7 @@ redis-ha:
 server:
  replicas: 1
  nodeSelector:
-    <<: *nodeSelector
+    kubernetes.io/hostname: master.tail2fe2d.ts.net
  ingress:
    enabled: false

@@ -99,11 +99,8 @@ server:
 # Repository Server
 repoServer:
  replicas: 1
-  livenessProbe:
-    timeoutSeconds: 10
-    periodSeconds: 60
  nodeSelector:
-    <<: *nodeSelector
+    kubernetes.io/hostname: master.tail2fe2d.ts.net
  # Add resources (requests/limits), PDB etc. if needed

 # ApplicationSet Controller
@@ -111,7 +108,7 @@ applicationSet:
  enabled: true # Enabled by default
  replicas: 1
  nodeSelector:
-    <<: *nodeSelector
+    kubernetes.io/hostname: master.tail2fe2d.ts.net
  # Add resources (requests/limits), PDB etc. if needed

 # Notifications Controller
@@ -119,5 +116,5 @@ notifications:
  enabled: true # Enabled by default
  replicas: 1
  nodeSelector:
-    <<: *nodeSelector
+    kubernetes.io/hostname: master.tail2fe2d.ts.net
  # Add notifiers, triggers, templates configurations if needed
--- a/k8s/core/external-secrets/bitwarden-store.yaml
+++ b/k8s/core/external-secrets/bitwarden-store.yaml
@@ -42,10 +42,10 @@ spec:
          resources:
            requests:
              memory: "128Mi"
-              cpu: "300m"
+              cpu: "100m"
            limits:
              memory: "512Mi"
-              cpu: "800m"
+              cpu: "500m"
          env:
            - name: BW_HOST
              valueFrom:
--- a/k8s/core/kube-system-custom/kustomization.yaml
+++ b/k8s/core/kube-system-custom/kustomization.yaml
@@ -3,6 +3,5 @@ kind: Kustomization

 resources:
  - app.yaml
-  - nfs-storage.yaml
  - coredns-internal-resolve.yaml

--- a/k8s/core/kube-system-custom/nfs-storage.yaml
+++ b/k8s/core/kube-system-custom/nfs-storage.yaml
@@ -1,13 +0,0 @@
---
-apiVersion: storage.k8s.io/v1
-kind: StorageClass
-metadata:
-  name: nfs-csi
-provisioner: nfs.csi.k8s.io
-parameters:
-  server: 10.0.5.2
-  share: /mnt/storage/Storage/PVC
-reclaimPolicy: Retain
-volumeBindingMode: Immediate
-mountOptions:
-  - vers=4.1
--- a/k8s/core/postgresql/external-secrets.yaml
+++ b/k8s/core/postgresql/external-secrets.yaml
@@ -123,8 +123,6 @@ spec:
          {{ .remnawave }}
        USER_umami: |-
          {{ .umami }}
-        USER_mmdl: |-
-          {{ .mmdl }}
  data:
    - secretKey: authentik
      sourceRef:
@@ -247,14 +245,3 @@ spec:
        metadataPolicy: None
        key: 2a9deb39-ef22-433e-a1be-df1555625e22
        property: fields[11].value
-    - secretKey: mmdl
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        metadataPolicy: None
-        key: 2a9deb39-ef22-433e-a1be-df1555625e22
-        property: fields[12].value
--- a/k8s/core/prom-stack/app.yaml
+++ b/k8s/core/prom-stack/app.yaml
@@ -13,6 +13,9 @@ spec:
    targetRevision: HEAD
    path: k8s/core/prom-stack
  syncPolicy:
+    automated:
+      selfHeal: true
+      prune: true
    syncOptions:
      - CreateNamespace=true
      - ServerSideApply=true
--- a/k8s/core/prom-stack/external-secrets.yaml
+++ b/k8s/core/prom-stack/external-secrets.yaml
@@ -79,83 +79,3 @@ spec:
        key: 2a9deb39-ef22-433e-a1be-df1555625e22
        property: fields[2].value

---
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: alertmanager-telegram
-spec:
-  target:
-    name: alertmanager-telegram-secret
-    deletionPolicy: Delete
-    template:
-      type: Opaque
-      data:
-        TELEGRAM_BOT_TOKEN: |-
-          {{ .bot_token }}
-        TELEGRAM_CHAT_ID: |-
-          {{ .chat_id }}
-  data:
-    - secretKey: bot_token
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        metadataPolicy: None
-        key: eca0fb0b-3939-40a8-890a-6294863e5a65
-        property: fields[0].value
-    - secretKey: chat_id
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        metadataPolicy: None
-        key: eca0fb0b-3939-40a8-890a-6294863e5a65
-        property: fields[1].value
-
---
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: grafana-telegram
-spec:
-  target:
-    name: grafana-telegram
-    deletionPolicy: Delete
-    template:
-      type: Opaque
-      data:
-        bot-token: |-
-          {{ .bot_token }}
-        chat-id: |-
-          {{ .chat_id }}
-  data:
-    - secretKey: bot_token
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        metadataPolicy: None
-        key: eca0fb0b-3939-40a8-890a-6294863e5a65
-        property: fields[0].value
-    - secretKey: chat_id
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        metadataPolicy: None
-        key: eca0fb0b-3939-40a8-890a-6294863e5a65
-        property: fields[1].value
-
--- a/k8s/core/prom-stack/grafana-alerting-configmap.yaml
+++ b/k8s/core/prom-stack/grafana-alerting-configmap.yaml
@@ -1,152 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: grafana-alerting
-  namespace: prometheus
-data:
-  rules.yaml: |
-    apiVersion: 1
-    groups:
-      - orgId: 1
-        name: pasarguard_alerts
-        folder: Kubernetes
-        interval: 1m
-        rules:
-          - uid: pasarguard_cpu_throttling
-            title: VPN CPU Throttle
-            condition: B
-            data:
-              - refId: A
-                relativeTimeRange:
-                  from: 600
-                  to: 0
-                datasourceUid: P76F38748CEC837F0
-                model:
-                  expr: 'rate(container_cpu_cfs_throttled_periods_total{container="pasarguard-node"}[5m])'
-                  refId: A
-                  intervalMs: 1000
-                  maxDataPoints: 43200
-              - refId: B
-                relativeTimeRange:
-                  from: 600
-                  to: 0
-                datasourceUid: __expr__
-                model:
-                  conditions:
-                    - evaluator:
-                        params:
-                          - 0.1
-                        type: gt
-                      operator:
-                        type: and
-                      query:
-                        params: []
-                  datasource:
-                    type: __expr__
-                    uid: __expr__
-                  expression: A
-                  reducer: last
-                  refId: B
-                  type: reduce
-            noDataState: NoData
-            execErrState: Alerting
-            for: 5m
-            annotations:
-              pod: '{{ $labels.pod }}'
-              node: '{{ $labels.node }}'
-              namespace: '{{ $labels.namespace }}'
-              throttle_rate: '{{ printf "%.2f" $values.A }}'
-              summary: 'VPN node throttling CPU'
-            labels:
-              severity: warning
-      
-      - orgId: 1
-        name: kubernetes_alerts
-        folder: Kubernetes
-        interval: 30s
-        rules:
-          - uid: node_not_ready
-            title: Kubernetes Node Not Ready
-            condition: B
-            data:
-              - refId: A
-                relativeTimeRange:
-                  from: 300
-                  to: 0
-                datasourceUid: P76F38748CEC837F0
-                model:
-                  expr: 'kube_node_status_condition{condition="Ready",status="true"} == 0'
-                  refId: A
-                  intervalMs: 1000
-                  maxDataPoints: 43200
-              - refId: B
-                relativeTimeRange:
-                  from: 300
-                  to: 0
-                datasourceUid: __expr__
-                model:
-                  conditions:
-                    - evaluator:
-                        params:
-                          - 0
-                        type: gt
-                      operator:
-                        type: and
-                      query:
-                        params: []
-                  datasource:
-                    type: __expr__
-                    uid: __expr__
-                  expression: A
-                  reducer: last
-                  refId: B
-                  type: reduce
-            noDataState: Alerting
-            execErrState: Alerting
-            for: 0s
-            annotations:
-              node: '{{ $labels.node }}'
-              condition: '{{ $labels.condition }}'
-              summary: 'Kubernetes node is not ready'
-            labels:
-              severity: critical
-  
-  contactpoints.yaml: |
-    apiVersion: 1
-    contactPoints:
-      - orgId: 1
-        name: telegram
-        receivers:
-          - uid: telegram_default
-            type: telegram
-            disableResolveMessage: false
-            settings:
-              bottoken: $TELEGRAM_BOT_TOKEN
-              chatid: "124317807"
-              message: |
-                {{ if eq .Status "firing" }}🔥 FIRING{{ else }}✅ RESOLVED{{ end }}
-                
-                {{ range .Alerts }}
-                📊 <b>{{ .Labels.alertname }}</b>
-                {{ .Annotations.summary }}
-                
-                {{ if .Annotations.node }}🖥 <b>Node:</b> <code>{{ .Annotations.node }}</code>{{ end }}
-                {{ if .Annotations.pod }}📦 <b>Pod:</b> <code>{{ .Annotations.pod }}</code>{{ end }}
-                {{ if .Annotations.namespace }}📁 <b>Namespace:</b> <code>{{ .Annotations.namespace }}</code>{{ end }}
-                {{ if .Annotations.throttle_rate }}⚠️ <b>Throttling rate:</b> {{ .Annotations.throttle_rate }}{{ end }}
-                
-                🔗 <a href="{{ .GeneratorURL }}">View in Grafana</a>
-                {{ end }}
-              parse_mode: HTML
-  
-  policies.yaml: |
-    apiVersion: 1
-    policies:
-      - orgId: 1
-        receiver: telegram
-        group_by:
-          - grafana_folder
-          - alertname
-        group_wait: 10s
-        group_interval: 5m
-        repeat_interval: 4h
--- a/k8s/core/prom-stack/grafana-values.yaml
+++ b/k8s/core/prom-stack/grafana-values.yaml
@@ -38,10 +38,6 @@ datasources:
        url: http://prometheus-kube-prometheus-prometheus.prometheus.svc:9090
        access: proxy
        isDefault: true
-      - name: Loki
-        type: loki
-        url: http://loki-gateway.prometheus.svc:80
-        access: proxy

 ingress:
  enabled: true
@@ -56,30 +52,3 @@ ingress:
      hosts:
        - '*.hexor.cy'

-extraConfigmapMounts:
-  - name: grafana-alerting-rules
-    mountPath: /etc/grafana/provisioning/alerting/rules.yaml
-    configMap: grafana-alerting
-    subPath: rules.yaml
-    readOnly: true
-  - name: grafana-alerting-contactpoints
-    mountPath: /etc/grafana/provisioning/alerting/contactpoints.yaml
-    configMap: grafana-alerting
-    subPath: contactpoints.yaml
-    readOnly: true
-  - name: grafana-alerting-policies
-    mountPath: /etc/grafana/provisioning/alerting/policies.yaml
-    configMap: grafana-alerting
-    subPath: policies.yaml
-    readOnly: true
-
-envValueFrom:
-  TELEGRAM_BOT_TOKEN:
-    secretKeyRef:
-      name: grafana-telegram
-      key: bot-token
-  TELEGRAM_CHAT_ID:
-    secretKeyRef:
-      name: grafana-telegram
-      key: chat-id
-
--- a/k8s/core/prom-stack/kustomization.yaml
+++ b/k8s/core/prom-stack/kustomization.yaml
@@ -2,9 +2,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization

 resources:
+  - app.yaml
  - persistentVolume.yaml
  - external-secrets.yaml
-  - grafana-alerting-configmap.yaml

 helmCharts:
  - name: kube-prometheus-stack
@@ -23,18 +23,3 @@ helmCharts:
    valuesFile: grafana-values.yaml
    includeCRDs: true

-  - name: loki
-    repo: https://grafana.github.io/helm-charts
-    version: 6.29.0
-    releaseName: loki
-    namespace: prometheus
-    valuesFile: loki-values.yaml
-    includeCRDs: true
-
-  - name: promtail
-    repo: https://grafana.github.io/helm-charts
-    version: 6.16.6
-    releaseName: promtail
-    namespace: prometheus
-    valuesFile: promtail-values.yaml
-
--- a/k8s/core/prom-stack/loki-values.yaml
+++ b/k8s/core/prom-stack/loki-values.yaml
@@ -1,75 +0,0 @@
-# Loki SingleBinary mode - optimal for homelab
-deploymentMode: SingleBinary
-
-loki:
-  auth_enabled: false
-  commonConfig:
-    replication_factor: 1
-    path_prefix: /var/loki
-  schemaConfig:
-    configs:
-      - from: 2024-01-01
-        store: tsdb
-        object_store: filesystem
-        schema: v13
-        index:
-          prefix: index_
-          period: 24h
-  storage:
-    type: filesystem
-    filesystem:
-      chunks_directory: /var/loki/chunks
-      rules_directory: /var/loki/rules
-  limits_config:
-    reject_old_samples: false
-    ingestion_rate_mb: 16
-    ingestion_burst_size_mb: 32
-    max_query_parallelism: 32
-    volume_enabled: true
-
-singleBinary:
-  replicas: 1
-  nodeSelector:
-    kubernetes.io/hostname: master.tail2fe2d.ts.net
-  persistence:
-    enabled: true
-    size: 50Gi
-    storageClass: ""
-
-# Disable distributed mode components
-read:
-  replicas: 0
-write:
-  replicas: 0
-backend:
-  replicas: 0
-
-# Disable memcached (not needed for SingleBinary)
-chunksCache:
-  enabled: false
-resultsCache:
-  enabled: false
-
-# Gateway for Loki access
-gateway:
-  enabled: true
-  replicas: 1
-  service:
-    type: ClusterIP
-
-# Disable tests and canary
-test:
-  enabled: false
-lokiCanary:
-  enabled: false
-
-# Monitoring
-monitoring:
-  dashboards:
-    enabled: false
-  rules:
-    enabled: false
-  serviceMonitor:
-    enabled: false
-  selfMonitoring:
-    enabled: false
--- a/k8s/core/prom-stack/prom-values.yaml
+++ b/k8s/core/prom-stack/prom-values.yaml
@@ -1,35 +1,5 @@
 grafana:
  enabled: false
-
-alertmanager:
-  config:
-    global:
-      telegram_api_url: "https://api.telegram.org"
-    route:
-      group_by: ['alertname', 'cluster', 'service']
-      group_wait: 10s
-      group_interval: 10s
-      repeat_interval: 12h
-      receiver: 'telegram'
-    receivers:
-      - name: 'telegram'
-        telegram_configs:
-          - bot_token: '${TELEGRAM_BOT_TOKEN}'
-            chat_id: ${TELEGRAM_CHAT_ID}
-            parse_mode: 'HTML'
-            message: |
-              {{ range .Alerts }}
-              <b>{{ .Labels.alertname }}</b>
-              {{ if .Labels.severity }}<b>Severity:</b> {{ .Labels.severity }}{{ end }}
-              <b>Status:</b> {{ .Status }}
-              {{ if .Annotations.summary }}<b>Summary:</b> {{ .Annotations.summary }}{{ end }}
-              {{ if .Annotations.description }}<b>Description:</b> {{ .Annotations.description }}{{ end }}
-              {{ end }}
-
-  alertmanagerSpec:
-    secrets:
-      - alertmanager-telegram-secret
-
 prometheus:
  prometheusSpec:
    enableRemoteWriteReceiver: true
--- a/k8s/core/prom-stack/promtail-values.yaml
+++ b/k8s/core/prom-stack/promtail-values.yaml
@@ -1,37 +0,0 @@
-# Promtail - log collection agent for all cluster pods
-config:
-  clients:
-    - url: http://loki-gateway.prometheus.svc:80/loki/api/v1/push
-
-# DaemonSet - runs on every node
-daemonset:
-  enabled: true
-
-# Tolerations for master/control-plane nodes
-tolerations:
-  - key: node-role.kubernetes.io/master
-    operator: Exists
-    effect: NoSchedule
-  - key: node-role.kubernetes.io/control-plane
-    operator: Exists
-    effect: NoSchedule
-
-# Init container to increase inotify limits
-initContainer:
-  - name: init-inotify
-    image: docker.io/busybox:1.36
-    imagePullPolicy: IfNotPresent
-    command:
-      - sh
-      - -c
-      - sysctl -w fs.inotify.max_user_instances=512
-    securityContext:
-      privileged: true
-
-resources:
-  requests:
-    cpu: 50m
-    memory: 64Mi
-  limits:
-    cpu: 200m
-    memory: 128Mi
--- a/k8s/core/system-upgrade/plan.yaml
+++ b/k8s/core/system-upgrade/plan.yaml
@@ -16,7 +16,7 @@ spec:
  serviceAccountName: system-upgrade
  upgrade:
    image: rancher/k3s-upgrade
-  version: v1.34.3+k3s1
+  version: v1.34.2+k3s1
 ---
 # Agent plan
 apiVersion: upgrade.cattle.io/v1
@@ -39,5 +39,5 @@ spec:
  serviceAccountName: system-upgrade
  upgrade:
    image: rancher/k3s-upgrade
-  version: v1.34.3+k3s1
+  version: v1.34.2+k3s1

--- a/k8s/desktop/jellyfin/app.yaml
+++ b/k8s/desktop/jellyfin/app.yaml
@@ -1,21 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: jellyfin-uk
-  namespace: argocd
-spec:
-  project: apps
-  destination:
-    namespace: jellyfin-uk
-    server: https://kubernetes.default.svc
-  source:
-    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
-    targetRevision: HEAD
-    path: k8s/desktop/jellyfin
-  syncPolicy:
-    automated:
-      selfHeal: true
-      prune: true
-    syncOptions:
-      - CreateNamespace=true
-
--- a/k8s/desktop/jellyfin/kustomization.yaml
+++ b/k8s/desktop/jellyfin/kustomization.yaml
@@ -1,16 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - app.yaml
-  - qbittorent.yaml
-
-helmCharts:
-  - name: jellyfin
-    repo: https://utkuozdemir.org/helm-charts
-    version: 2.0.0
-    releaseName: jellyfin
-    namespace: jellyfin
-    valuesFile: values.yaml
-    includeCRDs: true
-
--- a/k8s/desktop/jellyfin/qbittorent.yaml
+++ b/k8s/desktop/jellyfin/qbittorent.yaml
@@ -1,123 +0,0 @@
---
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: vpn-creds
-spec:
-  target:
-    name: vpn-creds
-    deletionPolicy: Delete
-    template:
-      type: Opaque
-      data:
-        ss_link: |-
-          {{ .ss_link }}
-  data:
-    - secretKey: ss_link
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        key: cfee6f62-fb06-4a4c-b6d8-92da4908c65a
-        property: fields[0].value
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: qbittorrent
-  labels:
-    app: qbittorrent
-  annotations:
-    reloader.stakater.com/auto: "true"
-spec:
-  selector:
-    matchLabels:
-      app: qbittorrent
-  replicas: 1
-  strategy:
-    type: RollingUpdate
-    rollingUpdate:
-      maxSurge: 1
-      maxUnavailable: 0
-  template:
-    metadata:
-      labels:
-        app: qbittorrent
-    spec:
-      nodeSelector:
-        kubernetes.io/hostname: uk-desktop.tail2fe2d.ts.net
-      tolerations:
-        - key: workload
-          operator: Equal
-          value: desktop
-          effect: NoSchedule
-      volumes:
-        - name: config
-          hostPath:
-            path: /k8s/qbt-config
-            type: DirectoryOrCreate
-        - name: media
-          hostPath:
-            path: /k8s/media/downloads
-            type: DirectoryOrCreate
-      containers:
-        - name: qbittorrent
-          image: 'linuxserver/qbittorrent:latest'
-          ports:
-            - name: http
-              containerPort: 8080
-              protocol: TCP
-          volumeMounts:
-            - name: config
-              mountPath: /config
-            - name: media
-              mountPath: /downloads
-        - name: shadowsocks-proxy
-          image: teddysun/shadowsocks-rust:latest
-          env:
-            - name: SS_LINK
-              valueFrom:
-                secretKeyRef:
-                  name: vpn-creds
-                  key: ss_link
-          command: ["/bin/bash", "-c", "rm /etc/shadowsocks-rust/config.json && sslocal --server-url $SS_LINK --local-addr 127.0.0.1:8081 -U --protocol http"]
-          resources:
-            requests:
-              memory: "64Mi"
-              cpu: "300m"
-            limits:
-              memory: "128Mi"
-              cpu: "300m"
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: qbittorrent
-spec:
-  selector:
-    app: qbittorrent
-  ports:
-    - protocol: TCP
-      port: 80
-      targetPort: 8080
-
---
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: jf-local-ingress
-  annotations:
-    ingressClassName: traefik
-spec:
-  rules:
-    - host: tr.uk
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: qbittorrent
-                port:
-                  number: 80
--- a/k8s/desktop/jellyfin/values.yaml
+++ b/k8s/desktop/jellyfin/values.yaml
@@ -1,41 +0,0 @@
-image:
-  tag: 10.11.4
-resources:
-  requests:
-    memory: "2Gi"
-    cpu: "1000m"
-  limits:
-    memory: "8Gi"
-    cpu: "6000m"
-nodeSelector:
-  kubernetes.io/hostname: uk-desktop.tail2fe2d.ts.net
-tolerations:
-  - key: workload
-    operator: Equal
-    value: desktop
-    effect: NoSchedule
-persistence:
-  config:
-    enabled: true
-    isPvc: false
-    customVolume:
-      hostPath:
-        path: /k8s/jellyfin
-        type: DirectoryOrCreate
-  data:
-    enabled: true
-    isPvc: false
-    customVolume:
-      hostPath:
-        path: /k8s/media/downloads
-        type: DirectoryOrCreate
-
-ingress:
-    enabled: true
-    className: traefik
-    hosts:
-      - host: jf.uk
-        paths:
-          - path: /
-            pathType: Prefix
-
--- a/k8s/desktop/khm/app.yaml
+++ b/k8s/desktop/khm/app.yaml
@@ -1,18 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: khm-client
-  namespace: argocd
-spec:
-  project: desktop
-  destination:
-    namespace: khm
-    server: https://kubernetes.default.svc
-  source:
-    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
-    targetRevision: HEAD
-    path: k8s/desktop/khm
-  syncPolicy:
-    automated:
-      selfHeal: true
-      prune: true
--- a/k8s/desktop/khm/external-secrets.yaml
+++ b/k8s/desktop/khm/external-secrets.yaml
@@ -1,33 +0,0 @@
---
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: khm-client-creds
-spec:
-  target:
-    name: khm-client-creds
-    deletionPolicy: Delete
-    template:
-      type: Opaque
-      data:
-        USERNAME: |-
-          {{ .username }}
-        PASSWORD: |-
-          {{ .password }}
-  data:
-    - secretKey: username
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        key: 19c06480-0814-4d1f-aa80-710105989188
-        property: login.username
-    - secretKey: password
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        key: 19c06480-0814-4d1f-aa80-710105989188
-        property: login.password
--- a/k8s/desktop/khm/khm-client-cronjob.yaml
+++ b/k8s/desktop/khm/khm-client-cronjob.yaml
@@ -1,69 +0,0 @@
---
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-  name: khm-client
-  labels:
-    app: khm-client
-spec:
-  schedule: "15 * * * *"
-  concurrencyPolicy: Forbid
-  successfulJobsHistoryLimit: 3
-  failedJobsHistoryLimit: 3
-  jobTemplate:
-    spec:
-      template:
-        metadata:
-          labels:
-            app: khm-client
-        spec:
-          restartPolicy: OnFailure
-          hostNetwork: true
-          nodeSelector:
-            node-role.kubernetes.io/desktop: ""
-          tolerations:
-            - key: workload
-              operator: Equal
-              value: desktop
-              effect: NoSchedule
-          containers:
-            - name: khm-client
-              image: 'ultradesu/khm:latest'
-              imagePullPolicy: Always
-              securityContext:
-                privileged: false
-              resources:
-                requests:
-                  memory: "64Mi"
-                  cpu: "50m"
-                limits:
-                  memory: "256Mi"
-                  cpu: "200m"
-              command:
-                - /bin/sh
-                - -c
-                - |
-                  /usr/local/bin/khm \
-                    --known-hosts /host-ssh/known_hosts \
-                    --host https://khm.hexor.cy \
-                    --flow=private \
-                    --basic-auth="${USERNAME}:${PASSWORD}" \
-                    --in-place
-              env:
-                - name: USERNAME
-                  valueFrom:
-                    secretKeyRef:
-                      name: khm-client-creds
-                      key: USERNAME
-                - name: PASSWORD
-                  valueFrom:
-                    secretKeyRef:
-                      name: khm-client-creds
-                      key: PASSWORD
-              volumeMounts:
-                - name: known-hosts
-                  mountPath: /host-ssh/known_hosts
-          volumes:
-            - name: known-hosts
-              hostPath:
-                path: /home/ab/.ssh/known_hosts
--- a/k8s/desktop/khm/kustomization.yaml
+++ b/k8s/desktop/khm/kustomization.yaml
@@ -1,6 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - external-secrets.yaml
-  - khm-client-cronjob.yaml
--- a/terraform/authentik/main.tf
+++ b/terraform/authentik/main.tf
@@ -1,3 +1,4 @@
+
 data "authentik_flow" "default_authorization_flow" {
  slug = var.default_authorization_flow
 }
@@ -298,7 +299,7 @@ resource "authentik_outpost" "outposts" {
    kubernetes_ingress_class_name  = null
    kubernetes_disabled_components = []
    kubernetes_ingress_annotations = {}
-    kubernetes_ingress_secret_name = "idm-tls"
+    kubernetes_ingress_secret_name = "authentik-outpost-tls"
  })

  depends_on = [
--- a/terraform/authentik/proxy-apps.tfvars
+++ b/terraform/authentik/proxy-apps.tfvars
@@ -51,9 +51,6 @@ proxy_applications = {
    internal_host                = "http://secret-reader.k8s-secret.svc:80"
    internal_host_ssl_validation = false
    meta_description             = ""
-    skip_path_regex              = <<-EOT
-/webhook
-EOT
    meta_icon                    = "https://img.icons8.com/ios-filled/50/password.png"
    mode                         = "proxy"
    outpost                      = "kubernetes-outpost"
@@ -199,7 +196,6 @@ EOT
    internal_host_ssl_validation = false
    meta_description             = ""
    skip_path_regex              = <<-EOT
-/
 /sub/
 /dashboard/
 /api/