Auto-update README with current k8s applications

Generated by CI/CD workflow on 2026-05-05 14:22:01

This PR updates the README.md file with the current list of applications found in the k8s/ directory structure.

README.md

@@ -13,10 +13,13 @@ ArgoCD homelab project
 | Application | Status |
 | :--- | :---: |
 | **argocd** | [![argocd](https://ag.hexor.cy/api/badge?name=argocd&revision=true)](https://ag.hexor.cy/applications/argocd/argocd) |
+| **auth-proxy** | [![auth-proxy](https://ag.hexor.cy/api/badge?name=auth-proxy&revision=true)](https://ag.hexor.cy/applications/argocd/auth-proxy) |
 | **authentik** | [![authentik](https://ag.hexor.cy/api/badge?name=authentik&revision=true)](https://ag.hexor.cy/applications/argocd/authentik) |
 | **cert-manager** | [![cert-manager](https://ag.hexor.cy/api/badge?name=cert-manager&revision=true)](https://ag.hexor.cy/applications/argocd/cert-manager) |
 | **external-secrets** | [![external-secrets](https://ag.hexor.cy/api/badge?name=external-secrets&revision=true)](https://ag.hexor.cy/applications/argocd/external-secrets) |
 | **gpu** | [![gpu](https://ag.hexor.cy/api/badge?name=gpu&revision=true)](https://ag.hexor.cy/applications/argocd/gpu) |
+| **kanidm** | [![kanidm](https://ag.hexor.cy/api/badge?name=kanidm&revision=true)](https://ag.hexor.cy/applications/argocd/kanidm) |
+| **keycloak** | [![keycloak](https://ag.hexor.cy/api/badge?name=keycloak&revision=true)](https://ag.hexor.cy/applications/argocd/keycloak) |
 | **kube-system-custom** | [![kube-system-custom](https://ag.hexor.cy/api/badge?name=kube-system-custom&revision=true)](https://ag.hexor.cy/applications/argocd/kube-system-custom) |
 | **kubernetes-dashboard** | [![kubernetes-dashboard](https://ag.hexor.cy/api/badge?name=kubernetes-dashboard&revision=true)](https://ag.hexor.cy/applications/argocd/kubernetes-dashboard) |
 | **longhorn** | [![longhorn](https://ag.hexor.cy/api/badge?name=longhorn&revision=true)](https://ag.hexor.cy/applications/argocd/longhorn) |
@@ -62,9 +65,12 @@ ArgoCD homelab project
 | **sonarr-stack** | [![sonarr-stack](https://ag.hexor.cy/api/badge?name=sonarr-stack&revision=true)](https://ag.hexor.cy/applications/argocd/sonarr-stack) |
 | **stirling-pdf** | [![stirling-pdf](https://ag.hexor.cy/api/badge?name=stirling-pdf&revision=true)](https://ag.hexor.cy/applications/argocd/stirling-pdf) |
 | **syncthing** | [![syncthing](https://ag.hexor.cy/api/badge?name=syncthing&revision=true)](https://ag.hexor.cy/applications/argocd/syncthing) |
+| **teamspeak** | [![teamspeak](https://ag.hexor.cy/api/badge?name=teamspeak&revision=true)](https://ag.hexor.cy/applications/argocd/teamspeak) |
 | **tg-bots** | [![tg-bots](https://ag.hexor.cy/api/badge?name=tg-bots&revision=true)](https://ag.hexor.cy/applications/argocd/tg-bots) |
 | **vaultwarden** | [![vaultwarden](https://ag.hexor.cy/api/badge?name=vaultwarden&revision=true)](https://ag.hexor.cy/applications/argocd/vaultwarden) |
 | **vpn** | [![vpn](https://ag.hexor.cy/api/badge?name=vpn&revision=true)](https://ag.hexor.cy/applications/argocd/vpn) |
+| **web-petting** | [![web-petting](https://ag.hexor.cy/api/badge?name=web-petting&revision=true)](https://ag.hexor.cy/applications/argocd/web-petting) |
+| **wedding** | [![wedding](https://ag.hexor.cy/api/badge?name=wedding&revision=true)](https://ag.hexor.cy/applications/argocd/wedding) |
 | **xandikos** | [![xandikos](https://ag.hexor.cy/api/badge?name=xandikos&revision=true)](https://ag.hexor.cy/applications/argocd/xandikos) |
 
 </td>

k8s/apps/k8s-secrets/ingress.yaml

@@ -1,46 +0,0 @@
----
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: auth-proxy
-spec:
-  forwardAuth:
-    address: http://auth-proxy.auth-proxy.svc:80/auth
-    trustForwardHeader: true
-    authResponseHeaders:
-      - X-Auth-Request-User
-      - X-Auth-Request-Email
-      - X-Auth-Request-Groups
----
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: secret-reader
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`pass.hexor.cy`)
-      kind: Rule
-      middlewares:
-        - name: auth-proxy
-      services:
-        - name: secret-reader
-          port: 80
-  tls:
-    secretName: secret-reader-tls
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: secret-reader-tls
-spec:
-  secretName: secret-reader-tls
-  issuerRef:
-    name: letsencrypt
-    kind: ClusterIssuer
-  dnsNames:
-    - pass.hexor.cy
-

k8s/core/argocd/values.yaml

@@ -24,30 +24,31 @@ configs:
     statusbadge.enabled: true
     timeout.reconciliation: 60s
     oidc.config: |
-      name: Keycloak
+      name: Authentik
-      issuer: https://auth.hexor.cy/auth/realms/hexor
+      issuer: https://idm.hexor.cy/application/o/argocd/
       clientID: $oidc-creds:id
       clientSecret: $oidc-creds:secret
-      requestedScopes: ["openid", "profile", "email", "offline_access"]
+      requestedScopes: ["openid", "profile", "email", "groups", "offline_access"]
       requestedIDTokenClaims: {"groups": {"essential": true}}
       refreshTokenThreshold: 2m
   rbac:
     create: true
     policy.default: ""
     policy.csv: |
-        g, game-servers-managers, GameServersManagersRole
+      # Bound OIDC Group and internal role
-        # Role permissions
+      g, Game Servers Managers, GameServersManagersRole
-        p, GameServersManagersRole, applications, get, games/*, allow
+      # Role permissions
-        p, GameServersManagersRole, applications, update, games/*, allow
+      p, GameServersManagersRole, applications, get, games/*, allow
-        p, GameServersManagersRole, applications, sync, games/*, allow
+      p, GameServersManagersRole, applications, update, games/*, allow
-        p, GameServersManagersRole, applications, override, games/*, allow
+      p, GameServersManagersRole, applications, sync, games/*, allow
-        p, GameServersManagersRole, applications, action/*, games/*, allow
+      p, GameServersManagersRole, applications, override, games/*, allow
-        p, GameServersManagersRole, exec, create, games/*, allow
+      p, GameServersManagersRole, applications, action/*, games/*, allow
-        p, GameServersManagersRole, logs, get, games/*, allow
+      p, GameServersManagersRole, exec, create, games/*, allow
-        p, GameServersManagersRole, applications, delete, games/*, deny
+      p, GameServersManagersRole, logs, get, games/*, allow
-    
+      p, GameServersManagersRole, applications, delete, games/*, deny
-        # Admin policy
+
-        g, argocd-admins, role:admin
+      # Admin policy
+      g, ArgoCD Admins, role:admin
 
   secret:
     createSecret: true

k8s/core/auth-proxy/deployment.yaml

@@ -17,7 +17,7 @@ spec:
     spec:
       containers:
         - name: auth-proxy
-          image: ultradesu/rsauth2-proxy:latest
+          image: ultradesu/rsauth2-proxy:0.1.0
           ports:
             - containerPort: 8080
               name: http
@@ -35,7 +35,7 @@ spec:
             - name: AUTH_PROXY_ROUTES_FILE
               value: "/config/routes.yaml"
             - name: AUTH_PROXY_LOG_LEVEL
-              value: "debug"
+              value: "info"
           volumeMounts:
             - name: routes
               mountPath: /config

k8s/core/auth-proxy/kustomization.yaml

@@ -7,5 +7,4 @@ resources:
   - deployment.yaml
   - service.yaml
   - ingress.yaml
-  - servicemonitor.yaml
 # routes.yaml ConfigMap is managed by Terraform (kubernetes_config_map)

k8s/core/auth-proxy/servicemonitor.yaml

@@ -1,21 +0,0 @@
----
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
-  name: auth-proxy-metrics
-  labels:
-    app: auth-proxy
-    release: prometheus
-spec:
-  selector:
-    matchLabels:
-      app: auth-proxy
-  endpoints:
-    - port: http
-      path: /metrics
-      interval: 30s
-      scrapeTimeout: 10s
-      honorLabels: true
-  namespaceSelector:
-    matchNames:
-      - auth-proxy