Update k8s/core/authentik/values.yaml

Disable hexound
Update k8s/apps/hexound/kustomization.yaml
2025-10-22 15:49:23 +00:00 · 2025-10-22 15:31:09 +00:00 · 2025-10-22 15:30:09 +00:00 · 2025-10-22 15:29:34 +00:00 · 2025-10-22 15:19:13 +03:00 · 2025-10-22 15:08:13 +03:00
45 changed files with 2685 additions and 154 deletions
--- a/.gitea/scripts/README.md
+++ b/.gitea/scripts/README.md
@@ -0,0 +1,91 @@
+# Wiki Generators for Homelab
+
+Automated Wiki page generation scripts for documenting homelab infrastructure.
+
+## 1. Authentik Applications Wiki Generator
+
+Generates a Wiki page with all applications managed by Authentik from Terraform configuration.
+
+### Files:
+- `generate-apps-wiki.py` - Generates Applications.md from Terraform output
+- `process-terraform-output.py` - Processes Terraform JSON output
+
+### Workflow: 
+- **Trigger**: Push to `main` branch with Terraform changes
+- **Workflow**: `.gitea/workflows/authentik-apps.yaml` 
+- **Output**: Applications Wiki page
+
+## 2. Kubernetes Services Wiki Generator
+
+Analyzes k8s/ directory and generates comprehensive documentation for all Kubernetes services.
+
+### Files:
+- `generate-k8s-wiki.py` - Main script for analyzing k8s services
+
+### Features:
+- **Service Types**: Detects Helm Charts, Kustomize, and YAML manifests
+- **ArgoCD Integration**: Shows auto-sync status and project info
+- **Service Discovery**: Lists all services, ingresses, and external secrets
+- **Categorization**: Groups by apps, core, games categories
+- **Detailed Analysis**: Shows deployments, containers, files
+
+### Workflow:
+- **Trigger**: Changes in `k8s/` directory
+- **Workflow**: `.gitea/workflows/k8s-wiki.yaml`
+- **Output**: Kubernetes-Services Wiki page
+
+## GitHub Secrets Configuration
+
+Required secrets in repository settings:
+
+```
+GT_URL=https://gt.hexor.cy
+GT_WIKI_TOKEN=your_gitea_access_token
+GT_OWNER=your_username  
+GT_REPO=homelab
+```
+
+## Generated Wiki Pages Structure
+
+### Applications Page
+- Table with icons (32x32), external/internal URLs
+- Statistics by type (Proxy vs OAuth2)
+- Grouping by categories (Core, Tools, Media, etc.)
+
+### Kubernetes Services Page  
+- Overview table with service types and status
+- Detailed sections by category
+- ArgoCD integration status
+- Service discovery information
+
+## Local Testing
+
+### Authentik Apps:
+```bash
+cd terraform/authentik
+terraform output -json > terraform-output.json
+python3 ../../.gitea/scripts/process-terraform-output.py terraform-output.json processed-output.json
+python3 ../../.gitea/scripts/generate-apps-wiki.py processed-output.json
+```
+
+### K8s Services:
+```bash
+pip install pyyaml
+python3 .gitea/scripts/generate-k8s-wiki.py k8s/ Kubernetes-Services.md
+```
+
+## Troubleshooting
+
+### Common Issues:
+
+1. **Terraform output parsing errors**
+   - Check for [command] prefix in output
+   - Verify JSON structure with debug mode
+
+2. **Wiki upload failures**
+   - Verify Gitea token permissions
+   - Check network connectivity to Gitea instance
+
+3. **YAML parsing errors in k8s analysis**
+   - Ensure valid YAML syntax in k8s files
+   - Check PyYAML installation
--- a/.gitea/scripts/generate-apps-wiki.py
+++ b/.gitea/scripts/generate-apps-wiki.py
@@ -0,0 +1,226 @@
+#!/usr/bin/env python3
+"""
+Script for generating Wiki page with applications list from Terraform outputs
+"""
+
+import json
+import sys
+import os
+from datetime import datetime
+
+def generate_markdown_table(apps_data):
+    """Generates Markdown table for applications"""
+    
+    # Combine all applications
+    all_apps = []
+    
+    if 'proxy_apps' in apps_data:
+        for key, app in apps_data['proxy_apps'].items():
+            all_apps.append({
+                'key': key,
+                'name': app['name'],
+                'type': app['type'], 
+                'url': app['url'],
+                'internal_url': app.get('internal_url', '-'),
+                'group': app['group'],
+                'description': app['description'],
+                'icon': app['icon'],
+                'slug': app['slug']
+            })
+    
+    if 'oauth_apps' in apps_data:
+        for key, app in apps_data['oauth_apps'].items():
+            all_apps.append({
+                'key': key,
+                'name': app['name'],
+                'type': app['type'],
+                'url': app['url'],
+                'internal_url': '-',  # OAuth apps don't have internal URLs
+                'group': app['group'], 
+                'description': app['description'],
+                'icon': app['icon'],
+                'slug': app['slug']
+            })
+    
+    # Sort by groups, then by name
+    all_apps.sort(key=lambda x: (x['group'], x['name']))
+    
+    # Generate Markdown
+    markdown = []
+    markdown.append("# Authentik Applications")
+    markdown.append("")
+    markdown.append(f"*Automatically generated: {datetime.now().strftime('%Y-%m-%d %H:%M:%S UTC')}*")
+    markdown.append("")
+    markdown.append("## All Applications")
+    markdown.append("")
+    
+    # Table
+    markdown.append("| Icon | Name | Type | External URL | Internal URL | Group | Description |")
+    markdown.append("|:----:|------|------|--------------|--------------|-------|-------------|")
+    
+    for app in all_apps:
+        # Icon with size constraint
+        if app['icon']:
+            icon = f'<img src="{app["icon"]}" width="32" height="32" alt="{app["name"]}">'
+        else:
+            icon = "📱"
+        
+        # External URL link
+        external_link = f"[🔗 {app['url'].replace('https://', '').replace('http://', '')}]({app['url']})" if app.get('url') else "-"
+        
+        # Internal URL (only for proxy apps)
+        internal_url = app.get('internal_url', '-')
+        if internal_url != '-':
+            # Show full internal URL without shortening
+            internal_url = f"`{internal_url}`"
+        
+        description = app['description'] if app['description'] else "-"
+        
+        markdown.append(f"| {icon} | **{app['name']}** | {app['type']} | {external_link} | {internal_url} | {app['group']} | {description} |")
+    
+    markdown.append("")
+    
+    # Statistics
+    proxy_count = len(apps_data.get('proxy_apps', {}))
+    oauth_count = len(apps_data.get('oauth_apps', {}))
+    total_count = proxy_count + oauth_count
+    
+    markdown.append("## Statistics")
+    markdown.append("")
+    markdown.append(f"- **Total applications**: {total_count}")
+    markdown.append(f"- **Proxy applications**: {proxy_count}")
+    markdown.append(f"- **OAuth2/OpenID applications**: {oauth_count}")
+    markdown.append("")
+    
+    # Grouping by types
+    groups = {}
+    for app in all_apps:
+        group = app['group']
+        if group not in groups:
+            groups[group] = {'proxy': 0, 'oauth': 0}
+        if app['type'] == 'Proxy':
+            groups[group]['proxy'] += 1
+        else:
+            groups[group]['oauth'] += 1
+    
+    markdown.append("## Applications by Groups")
+    markdown.append("")
+    for group, counts in sorted(groups.items()):
+        total = counts['proxy'] + counts['oauth']
+        markdown.append(f"- **{group}**: {total} applications (Proxy: {counts['proxy']}, OAuth: {counts['oauth']})")
+    
+    markdown.append("")
+    markdown.append("---")
+    markdown.append("*This page is automatically generated via Terraform CI/CD*")
+    
+    return "\n".join(markdown)
+
+def parse_terraform_output(output_data):
+    """Parse Terraform output JSON structure"""
+    # Check if this is a full terraform output (with value, type, sensitive fields)
+    if isinstance(output_data, dict) and 'applications_for_wiki' in output_data:
+        # This is full terraform output format
+        app_output = output_data.get('applications_for_wiki', {})
+        if isinstance(app_output, dict) and 'value' in app_output:
+            return app_output['value']
+        else:
+            return app_output
+    else:
+        # This is already the value extracted
+        return output_data
+
+def main():
+    if len(sys.argv) < 2:
+        print("Usage: python3 generate-apps-wiki.py <terraform-output-json> [--debug]")
+        sys.exit(1)
+    
+    output_file = sys.argv[1]
+    debug = "--debug" in sys.argv
+    
+    try:
+        # Check if file exists and has content
+        if not os.path.exists(output_file):
+            print(f"ERROR: File {output_file} not found")
+            sys.exit(1)
+            
+        file_size = os.path.getsize(output_file)
+        if file_size == 0:
+            print(f"ERROR: File {output_file} is empty")
+            sys.exit(1)
+        
+        print(f"📄 Reading Terraform output file: {output_file} ({file_size} bytes)")
+        
+        # Read file content
+        with open(output_file, 'r') as f:
+            content = f.read()
+            
+        if debug:
+            print(f"🔍 File content preview: {content[:200]}...")
+        
+        # Clean content - remove command line if present
+        if content.startswith('[command]'):
+            print("⚠️  Detected command prefix, removing...")
+            lines = content.split('\n', 1)
+            if len(lines) > 1:
+                content = lines[1]
+                if debug:
+                    print(f"🔍 Cleaned content preview: {content[:200]}...")
+            else:
+                print("ERROR: File contains only command line, no JSON data")
+                sys.exit(1)
+        
+        # Parse JSON
+        try:
+            terraform_output = json.loads(content)
+        except json.JSONDecodeError as e:
+            print(f"ERROR: Invalid JSON in {output_file}: {e}")
+            print(f"Content starts with: {repr(content[:100])}")
+            # Try to find where JSON starts
+            json_start = content.find('{')
+            if json_start > 0:
+                print(f"Found JSON starting at position {json_start}, retrying...")
+                content = content[json_start:]
+                try:
+                    terraform_output = json.loads(content)
+                except json.JSONDecodeError as e2:
+                    print(f"ERROR: Still invalid JSON: {e2}")
+                    sys.exit(1)
+            else:
+                sys.exit(1)
+        
+        # Extract application data using helper function
+        apps_data = parse_terraform_output(terraform_output)
+        
+        if not apps_data:
+            print("ERROR: No applications data found in Terraform output")
+            if debug:
+                print(f"Full output structure: {json.dumps(terraform_output, indent=2)[:500]}...")
+            sys.exit(1)
+        
+        # Check if we have correct structure
+        if 'proxy_apps' not in apps_data and 'oauth_apps' not in apps_data:
+            print("ERROR: Expected 'proxy_apps' or 'oauth_apps' in output")
+            print(f"Available keys: {list(apps_data.keys())}")
+            if debug and apps_data:
+                print(f"Data structure: {json.dumps(apps_data, indent=2)[:500]}...")
+            sys.exit(1)
+        
+        print(f"📊 Found {len(apps_data.get('proxy_apps', {}))} proxy apps, {len(apps_data.get('oauth_apps', {}))} oauth apps")
+        
+        # Generate Markdown
+        markdown_content = generate_markdown_table(apps_data)
+        
+        # Write result
+        wiki_file = "Applications.md"
+        with open(wiki_file, 'w', encoding='utf-8') as f:
+            f.write(markdown_content)
+        
+        print(f"✅ Wiki page generated: {wiki_file}")
+        print(f"📊 Total applications: {len(apps_data.get('proxy_apps', {})) + len(apps_data.get('oauth_apps', {}))}")
+        
+    except Exception as e:
+        print(f"ERROR: {e}")
+        sys.exit(1)
+
+if __name__ == "__main__":
+    main()
--- a/.gitea/scripts/generate-k8s-wiki.py
+++ b/.gitea/scripts/generate-k8s-wiki.py
@@ -0,0 +1,298 @@
+#!/usr/bin/env python3
+"""
+Script for generating Wiki page with Kubernetes services from k8s/ directory
+"""
+
+import os
+import yaml
+import json
+import sys
+from datetime import datetime
+from collections import defaultdict
+
+class K8sService:
+    def __init__(self, name, category, path):
+        self.name = name
+        self.category = category
+        self.path = path
+        self.namespace = None
+        self.deployment_type = "Unknown"
+        self.helm_charts = []
+        self.services = []
+        self.ingresses = []
+        self.external_secrets = []
+        self.deployments = []
+        self.pvcs = []
+        self.argo_app = None
+        self.files = []
+    
+    def __repr__(self):
+        return f"K8sService({self.name}, {self.deployment_type})"
+
+def parse_yaml_file(filepath):
+    """Parse YAML file and return content"""
+    try:
+        with open(filepath, 'r') as f:
+            # Load all documents in the file
+            docs = list(yaml.safe_load_all(f))
+            return docs if len(docs) > 1 else docs[0] if docs else None
+    except Exception as e:
+        print(f"  ⚠️  Error parsing {filepath}: {e}")
+        return None
+
+def analyze_service_directory(service_path, service_name, category):
+    """Analyze a service directory and extract information"""
+    service = K8sService(service_name, category, service_path)
+    
+    # List all files
+    for file in os.listdir(service_path):
+        if file.endswith('.yaml') or file.endswith('.yml'):
+            service.files.append(file)
+            filepath = os.path.join(service_path, file)
+            
+            # Parse YAML content
+            content = parse_yaml_file(filepath)
+            if not content:
+                continue
+            
+            # Handle multiple documents in one file
+            documents = content if isinstance(content, list) else [content]
+            
+            for doc in documents:
+                if not isinstance(doc, dict) or 'kind' not in doc:
+                    continue
+                
+                kind = doc['kind']
+                metadata = doc.get('metadata', {})
+                
+                # ArgoCD Application
+                if kind == 'Application' and doc.get('apiVersion', '').startswith('argoproj.io'):
+                    service.argo_app = {
+                        'name': metadata.get('name', ''),
+                        'namespace': doc.get('spec', {}).get('destination', {}).get('namespace', ''),
+                        'project': doc.get('spec', {}).get('project', ''),
+                        'auto_sync': doc.get('spec', {}).get('syncPolicy', {}).get('automated') is not None
+                    }
+                    service.namespace = service.argo_app['namespace']
+                
+                # Kustomization
+                elif kind == 'Kustomization':
+                    if 'helmCharts' in doc:
+                        service.deployment_type = "Helm Chart"
+                        for chart in doc.get('helmCharts', []):
+                            service.helm_charts.append({
+                                'name': chart.get('name', ''),
+                                'repo': chart.get('repo', ''),
+                                'version': chart.get('version', ''),
+                                'namespace': chart.get('namespace', service.namespace)
+                            })
+                    else:
+                        service.deployment_type = "Kustomize"
+                
+                # Deployment
+                elif kind == 'Deployment':
+                    service.deployments.append({
+                        'name': metadata.get('name', ''),
+                        'namespace': metadata.get('namespace', service.namespace),
+                        'replicas': doc.get('spec', {}).get('replicas', 1),
+                        'containers': [c.get('name', '') for c in doc.get('spec', {}).get('template', {}).get('spec', {}).get('containers', [])]
+                    })
+                    if service.deployment_type == "Unknown":
+                        service.deployment_type = "YAML Manifests"
+                
+                # Service
+                elif kind == 'Service':
+                    svc_spec = doc.get('spec', {})
+                    service.services.append({
+                        'name': metadata.get('name', ''),
+                        'type': svc_spec.get('type', 'ClusterIP'),
+                        'ports': svc_spec.get('ports', [])
+                    })
+                
+                # Ingress
+                elif kind == 'Ingress':
+                    rules = doc.get('spec', {}).get('rules', [])
+                    hosts = []
+                    for rule in rules:
+                        if 'host' in rule:
+                            hosts.append(rule['host'])
+                    service.ingresses.append({
+                        'name': metadata.get('name', ''),
+                        'hosts': hosts
+                    })
+                
+                # ExternalSecret
+                elif kind == 'ExternalSecret':
+                    service.external_secrets.append({
+                        'name': metadata.get('name', ''),
+                        'store': doc.get('spec', {}).get('secretStoreRef', {}).get('name', '')
+                    })
+                
+                # PersistentVolumeClaim
+                elif kind == 'PersistentVolumeClaim':
+                    service.pvcs.append({
+                        'name': metadata.get('name', ''),
+                        'size': doc.get('spec', {}).get('resources', {}).get('requests', {}).get('storage', '')
+                    })
+    
+    # If no specific deployment type found but has YAML files
+    if service.deployment_type == "Unknown" and service.files:
+        service.deployment_type = "YAML Manifests"
+    
+    return service
+
+def generate_markdown_table(services):
+    """Generate markdown table for services"""
+    markdown = []
+    markdown.append("# Kubernetes Services")
+    markdown.append("")
+    markdown.append(f"*Automatically generated: {datetime.now().strftime('%Y-%m-%d %H:%M:%S UTC')}*")
+    markdown.append("")
+    
+    # Group by category
+    categories = defaultdict(list)
+    for service in services:
+        categories[service.category].append(service)
+    
+    # Statistics
+    markdown.append("## Statistics")
+    markdown.append("")
+    markdown.append(f"- **Total Services**: {len(services)}")
+    markdown.append(f"- **Categories**: {len(categories)}")
+    helm_count = sum(1 for s in services if s.deployment_type == "Helm Chart")
+    kustomize_count = sum(1 for s in services if s.deployment_type == "Kustomize")
+    yaml_count = sum(1 for s in services if s.deployment_type == "YAML Manifests")
+    markdown.append(f"- **Helm Charts**: {helm_count}")
+    markdown.append(f"- **Kustomize**: {kustomize_count}")
+    markdown.append(f"- **YAML Manifests**: {yaml_count}")
+    markdown.append("")
+    
+    # Main table
+    markdown.append("## All Services")
+    markdown.append("")
+    markdown.append("| Service | Category | Type | Namespace | Ingresses | Services | Secrets | Auto-Sync |")
+    markdown.append("|---------|----------|------|-----------|-----------|----------|---------|-----------|")
+    
+    for category in sorted(categories.keys()):
+        for service in sorted(categories[category], key=lambda x: x.name):
+            # Service name with link to directory
+            name_link = f"[{service.name}](k8s/{service.category}/{service.name}/)"
+            
+            # Deployment type with emoji
+            type_emoji = {
+                "Helm Chart": "🎩",
+                "Kustomize": "🔧",
+                "YAML Manifests": "📄",
+                "Unknown": "❓"
+            }
+            type_str = f"{type_emoji.get(service.deployment_type, '')} {service.deployment_type}"
+            
+            # Ingresses
+            ingresses = []
+            for ing in service.ingresses:
+                for host in ing['hosts']:
+                    ingresses.append(f"[{host}](https://{host})")
+            ingress_str = "<br>".join(ingresses) if ingresses else "-"
+            
+            # Services
+            svc_list = []
+            for svc in service.services:
+                ports = [f"{p.get('port', '?')}" for p in svc['ports']]
+                svc_list.append(f"`{svc['name']}:{','.join(ports)}`")
+            svc_str = "<br>".join(svc_list) if svc_list else "-"
+            
+            # External Secrets
+            secrets_str = f"{len(service.external_secrets)} secrets" if service.external_secrets else "-"
+            
+            # Auto-sync
+            auto_sync = "✅" if service.argo_app and service.argo_app.get('auto_sync') else "❌"
+            
+            markdown.append(f"| **{name_link}** | {category} | {type_str} | {service.namespace or '-'} | {ingress_str} | {svc_str} | {secrets_str} | {auto_sync} |")
+    
+    markdown.append("")
+    
+    # Detailed sections by category
+    for category in sorted(categories.keys()):
+        markdown.append(f"## {category.title()} Services")
+        markdown.append("")
+        
+        for service in sorted(categories[category], key=lambda x: x.name):
+            markdown.append(f"### {service.name}")
+            markdown.append("")
+            
+            # Basic info
+            markdown.append(f"- **Type**: {service.deployment_type}")
+            markdown.append(f"- **Namespace**: {service.namespace or 'Not specified'}")
+            markdown.append(f"- **Path**: `{service.path}`")
+            
+            # Helm charts
+            if service.helm_charts:
+                markdown.append("- **Helm Charts**:")
+                for chart in service.helm_charts:
+                    markdown.append(f"  - {chart['name']} v{chart['version']} from {chart['repo']}")
+            
+            # Deployments
+            if service.deployments:
+                markdown.append("- **Deployments**:")
+                for dep in service.deployments:
+                    containers = ', '.join(dep['containers'])
+                    markdown.append(f"  - {dep['name']} ({dep['replicas']} replicas) - Containers: {containers}")
+            
+            # Files
+            if service.files:
+                markdown.append(f"- **Files**: {', '.join(sorted(service.files))}")
+            
+            markdown.append("")
+    
+    markdown.append("---")
+    markdown.append("*This page is automatically generated from k8s/ directory via CI/CD*")
+    
+    return "\n".join(markdown)
+
+def main():
+    if len(sys.argv) < 2:
+        print("Usage: generate-k8s-wiki.py <k8s-directory> [output-file]")
+        sys.exit(1)
+    
+    k8s_dir = sys.argv[1]
+    output_file = sys.argv[2] if len(sys.argv) > 2 else "Kubernetes-Services.md"
+    
+    if not os.path.exists(k8s_dir):
+        print(f"❌ Directory {k8s_dir} not found")
+        sys.exit(1)
+    
+    print(f"📂 Scanning {k8s_dir}...")
+    
+    services = []
+    
+    # Scan each category directory
+    for category in ['apps', 'core', 'games']:
+        category_path = os.path.join(k8s_dir, category)
+        if not os.path.exists(category_path):
+            print(f"  ⚠️  Category {category} not found")
+            continue
+        
+        print(f"📁 Processing {category}/...")
+        
+        # Scan each service in category
+        for service_name in os.listdir(category_path):
+            service_path = os.path.join(category_path, service_name)
+            if os.path.isdir(service_path):
+                print(f"  🔍 Analyzing {service_name}...")
+                service = analyze_service_directory(service_path, service_name, category)
+                services.append(service)
+    
+    print(f"\n✅ Found {len(services)} services")
+    
+    # Generate markdown
+    markdown = generate_markdown_table(services)
+    
+    # Write output
+    with open(output_file, 'w', encoding='utf-8') as f:
+        f.write(markdown)
+    
+    print(f"📄 Wiki page generated: {output_file}")
+    print(f"📊 Total services: {len(services)}")
+
+if __name__ == "__main__":
+    main()
--- a/.gitea/scripts/process-terraform-output.py
+++ b/.gitea/scripts/process-terraform-output.py
@@ -0,0 +1,105 @@
+#!/usr/bin/env python3
+"""
+Process Terraform output to extract applications_for_wiki data
+Handles various output formats and cleans up invalid JSON
+"""
+
+import json
+import sys
+import os
+
+def clean_command_prefix(content):
+    """Remove [command] prefix if present"""
+    if content.startswith('[command]'):
+        lines = content.split('\n', 1)
+        if len(lines) > 1:
+            return lines[1]
+    return content
+
+def extract_valid_json(content):
+    """Extract valid JSON from content that might have extra data"""
+    # Find first { and last matching }
+    start = content.find('{')
+    if start < 0:
+        return None
+    
+    count = 0
+    end = start
+    for i in range(start, len(content)):
+        if content[i] == '{':
+            count += 1
+        elif content[i] == '}':
+            count -= 1
+            if count == 0:
+                end = i + 1
+                break
+    
+    if end > start and count == 0:
+        return content[start:end]
+    return None
+
+def extract_value(data):
+    """Extract value from Terraform output format"""
+    if isinstance(data, dict) and 'value' in data:
+        return data['value']
+    return data
+
+def main():
+    if len(sys.argv) != 3:
+        print("Usage: process-terraform-output.py <input-file> <output-file>")
+        sys.exit(1)
+    
+    input_file = sys.argv[1]
+    output_file = sys.argv[2]
+    
+    try:
+        # Read input file
+        with open(input_file, 'r') as f:
+            content = f.read()
+        
+        # Clean command prefix if present
+        content = clean_command_prefix(content)
+        
+        # Try to parse JSON directly
+        try:
+            data = json.loads(content)
+            print("✅ Valid JSON parsed successfully")
+        except json.JSONDecodeError as e:
+            print(f"⚠️  Initial JSON parse failed: {e}")
+            print("🔍 Attempting to extract valid JSON portion...")
+            
+            # Try to extract valid JSON
+            valid_json = extract_valid_json(content)
+            if valid_json:
+                try:
+                    data = json.loads(valid_json)
+                    print("✅ Extracted valid JSON successfully")
+                except json.JSONDecodeError as e2:
+                    print(f"❌ Failed to parse extracted JSON: {e2}")
+                    sys.exit(1)
+            else:
+                print("❌ Could not extract valid JSON from content")
+                sys.exit(1)
+        
+        # Extract value if it's wrapped in Terraform output format
+        result = extract_value(data)
+        
+        # Write output
+        with open(output_file, 'w') as f:
+            json.dump(result, f, indent=2)
+        
+        print(f"✅ Processed output written to {output_file}")
+        
+        # Show preview
+        preview = json.dumps(result, indent=2)[:200]
+        print(f"📄 Preview: {preview}...")
+        
+    except FileNotFoundError:
+        print(f"❌ Input file {input_file} not found")
+        sys.exit(1)
+    except Exception as e:
+        print(f"❌ Error: {e}")
+        sys.exit(1)
+
+if __name__ == "__main__":
+    main()
--- a/.gitea/workflows/authentik-apps.yaml
+++ b/.gitea/workflows/authentik-apps.yaml
@@ -0,0 +1,139 @@
+name: 'Terraform'
+
+on:
+  push:
+    branches: [ "main" ]
+    paths:
+      - 'terraform/authentik/**'
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  terraform:
+    name: 'Terraform'
+    runs-on: ubuntu-latest
+    environment: production
+
+    defaults:
+      run:
+        shell: bash
+
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v3
+
+    - name: Setup Terraform
+      uses: hashicorp/setup-terraform@v2
+      with:
+        cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
+
+    - name: Terraform Init
+      run: terraform init
+      working-directory: ./terraform/authentik
+
+    - name: Terraform Format
+      run: terraform fmt -check
+      continue-on-error: true
+      working-directory: ./terraform/authentik
+
+    - name: Terraform Apply
+      run: terraform apply -var-file proxy-apps.tfvars -var-file oauth2-apps.tfvars -var-file terraform.tfvars -var-file groups.tfvars -input=false -auto-approve -parallelism=100
+      working-directory: ./terraform/authentik
+
+    - name: Generate Wiki Content  
+      if: success()
+      continue-on-error: true
+      run: |
+        echo "📋 Starting Wiki generation..."
+        cd ./terraform/authentik
+        
+        # Get terraform output
+        echo "🔍 Generating Terraform output..."
+        terraform output -json applications_for_wiki > terraform-raw-output.json 2>&1
+        
+        # Process output to extract clean JSON
+        echo "📤 Processing Terraform output..."
+        python3 ../../.gitea/scripts/process-terraform-output.py terraform-raw-output.json terraform-output.json
+        
+        # Run wiki generation
+        echo "📊 Running wiki generation script..."
+        if python3 ../../.gitea/scripts/generate-apps-wiki.py terraform-output.json; then
+          echo "✅ Wiki content generated successfully"
+        else
+          echo "⚠️ Wiki generation failed, retrying with debug..."
+          python3 ../../.gitea/scripts/generate-apps-wiki.py terraform-output.json --debug || echo "⚠️ Wiki generation failed"
+        fi
+        
+        # Check results
+        if [ -f "Applications.md" ]; then
+          echo "✅ Wiki file created: $(wc -l < Applications.md) lines"
+        else
+          echo "⚠️ Wiki content not generated"
+          exit 0
+        fi
+      working-directory: ./
+
+    - name: Upload Wiki to Gitea
+      if: success()  
+      continue-on-error: true
+      run: |
+        cd ./terraform/authentik
+        
+        # Set variables
+        GITEA_URL="${{ secrets.GT_URL }}"
+        GITEA_TOKEN="${{ secrets.GT_WIKI_TOKEN }}"
+        GITEA_OWNER="${{ secrets.GT_OWNER }}"
+        GITEA_REPO="${{ secrets.GT_REPO }}"
+        
+        # Debug variables (without exposing token)
+        echo "🔍 Checking variables..."
+        echo "GITEA_URL: ${GITEA_URL:-NOT SET}"
+        echo "GITEA_OWNER: ${GITEA_OWNER:-NOT SET}"
+        echo "GITEA_REPO: ${GITEA_REPO:-NOT SET}"
+        echo "GITEA_TOKEN: $(if [ -n "$GITEA_TOKEN" ]; then echo "SET"; else echo "NOT SET"; fi)"
+        
+        # Check if file exists
+        if [ ! -f "Applications.md" ]; then
+          echo "⚠️ Applications.md not found, skipping wiki update"
+          exit 0
+        fi
+        
+        echo "📤 Uploading to Gitea Wiki..."
+        
+        # Encode content to base64
+        CONTENT=$(base64 -w 0 Applications.md)
+        
+        # Check if wiki page exists
+        WIKI_PAGE_EXISTS=$(curl -s -o /dev/null -w "%{http_code}" \
+          -H "Authorization: token $GITEA_TOKEN" \
+          "$GITEA_URL/api/v1/repos/$GITEA_OWNER/$GITEA_REPO/wiki/page/Applications" || echo "000")
+        
+        if [ "$WIKI_PAGE_EXISTS" = "200" ]; then
+          echo "📝 Updating existing wiki page..."
+          curl -X PATCH \
+            -H "Authorization: token $GITEA_TOKEN" \
+            -H "Content-Type: application/json" \
+            -d "{
+              \"title\": \"Applications\",
+              \"content_base64\": \"$CONTENT\",
+              \"message\": \"Update applications list from CI/CD [$(date)]\"
+            }" \
+            "$GITEA_URL/api/v1/repos/$GITEA_OWNER/$GITEA_REPO/wiki/page/Applications" || echo "⚠️ Wiki update failed"
+        else
+          echo "📄 Creating new wiki page..."
+          curl -X POST \
+            -H "Authorization: token $GITEA_TOKEN" \
+            -H "Content-Type: application/json" \
+            -d "{
+              \"title\": \"Applications\", 
+              \"content_base64\": \"$CONTENT\",
+              \"message\": \"Create applications list from CI/CD [$(date)]\"
+            }" \
+            "$GITEA_URL/api/v1/repos/$GITEA_OWNER/$GITEA_REPO/wiki/new" || echo "⚠️ Wiki creation failed"
+        fi
+        
+        echo "✅ Wiki update process completed"
+      working-directory: ./
+
--- a/.gitea/workflows/k8s-wiki.yaml
+++ b/.gitea/workflows/k8s-wiki.yaml
@@ -0,0 +1,111 @@
+name: 'Update Kubernetes Services Wiki'
+
+on:
+  push:
+    branches: [ "main" ]
+#   paths:
+#     - 'k8s/**'
+#     - '.gitea/scripts/generate-k8s-wiki.py'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  update-k8s-wiki:
+    name: 'Generate and Update K8s Wiki'
+    runs-on: ubuntu-latest
+    
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v3
+
+    - name: Install Python dependencies
+      run: |
+        pip install pyyaml
+
+    - name: Generate K8s Services Wiki
+      run: |
+        echo "📋 Starting K8s wiki generation..."
+        python3 .gitea/scripts/generate-k8s-wiki.py k8s/ Kubernetes-Services.md
+        
+        if [ -f "Kubernetes-Services.md" ]; then
+          echo "✅ Wiki content generated successfully"
+          echo "📄 File size: $(wc -c < Kubernetes-Services.md) bytes"
+          echo "📄 Lines: $(wc -l < Kubernetes-Services.md)"
+        else
+          echo "❌ Wiki content not generated"
+          exit 1
+        fi
+
+    - name: Upload Wiki to Gitea
+      continue-on-error: true
+      run: |
+        # Set variables
+        GITEA_URL="${{ secrets.GT_URL }}"
+        GITEA_TOKEN="${{ secrets.GT_WIKI_TOKEN }}"
+        GITEA_OWNER="${{ secrets.GT_OWNER }}"
+        GITEA_REPO="${{ secrets.GT_REPO }}"
+        
+        # Debug variables (without exposing token)
+        echo "🔍 Checking variables..."
+        echo "GITEA_URL: ${GITEA_URL:-NOT SET}"
+        echo "GITEA_OWNER: ${GITEA_OWNER:-NOT SET}"
+        echo "GITEA_REPO: ${GITEA_REPO:-NOT SET}"
+        echo "GITEA_TOKEN: $(if [ -n "$GITEA_TOKEN" ]; then echo "SET"; else echo "NOT SET"; fi)"
+        
+        if [ ! -f "Kubernetes-Services.md" ]; then
+          echo "❌ Kubernetes-Services.md not found"
+          exit 1
+        fi
+        
+        echo "📤 Uploading to Gitea Wiki..."
+        
+        # Encode content to base64
+        CONTENT=$(base64 -w 0 Kubernetes-Services.md)
+        
+        # Check if wiki page exists
+        WIKI_PAGE_EXISTS=$(curl -s -o /dev/null -w "%{http_code}" \
+          -H "Authorization: token $GITEA_TOKEN" \
+          "$GITEA_URL/api/v1/repos/$GITEA_OWNER/$GITEA_REPO/wiki/page/Kubernetes-Services" || echo "000")
+        
+        if [ "$WIKI_PAGE_EXISTS" = "200" ]; then
+          echo "📝 Updating existing wiki page..."
+          curl -X PATCH \
+            -H "Authorization: token $GITEA_TOKEN" \
+            -H "Content-Type: application/json" \
+            -d "{
+              \"title\": \"Kubernetes-Services\",
+              \"content_base64\": \"$CONTENT\",
+              \"message\": \"Update K8s services list from CI/CD [$(date)]\"
+            }" \
+            "$GITEA_URL/api/v1/repos/$GITEA_OWNER/$GITEA_REPO/wiki/page/Kubernetes-Services" || echo "⚠️ Wiki update failed"
+        else
+          echo "📄 Creating new wiki page..."
+          curl -X POST \
+            -H "Authorization: token $GITEA_TOKEN" \
+            -H "Content-Type: application/json" \
+            -d "{
+              \"title\": \"Kubernetes-Services\", 
+              \"content_base64\": \"$CONTENT\",
+              \"message\": \"Create K8s services list from CI/CD [$(date)]\"
+            }" \
+            "$GITEA_URL/api/v1/repos/$GITEA_OWNER/$GITEA_REPO/wiki/new" || echo "⚠️ Wiki creation failed"
+        fi
+        
+        echo "✅ Wiki update process completed"
+        echo "🔗 Wiki URL: $GITEA_URL/$GITEA_OWNER/$GITEA_REPO/wiki/Kubernetes-Services"
+
+    - name: Summary
+      if: always()
+      run: |
+        echo "## 📊 K8s Wiki Update Summary" >> $GITHUB_STEP_SUMMARY
+        if [ -f "Kubernetes-Services.md" ]; then
+          echo "- ✅ K8s services analyzed" >> $GITHUB_STEP_SUMMARY
+          echo "- ✅ Wiki page generated" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "**Services found:** $(grep -c '^|' Kubernetes-Services.md || echo 0)" >> $GITHUB_STEP_SUMMARY
+        else
+          echo "- ❌ Wiki generation failed" >> $GITHUB_STEP_SUMMARY
+        fi
+        echo "**Generated at:** $(date)" >> $GITHUB_STEP_SUMMARY
--- a/.gitea/workflows/lint.yaml
+++ b/.gitea/workflows/lint.yaml
@@ -2,6 +2,8 @@ name: Check with kubeconform
 on:
  push:
    branches: [ main ]
+    paths:
+      - 'k8s/**'
 jobs:
  lint:
    runs-on: ubuntu-latest
@@ -98,4 +100,4 @@ jobs:
            
            Invalid files:
            ${{ env.INVALID_FILES }}
-            <a href="https://gt.hexor.cy/${{ github.repository }}/actions/runs/${{ github.run_number }}">🔗 Check details</a>
+            <a href="https://gt.hexor.cy/${{ github.repository }}/actions/runs/${{ github.run_number }}">🔗 Check details</a>
--- a/.gitignore
+++ b/.gitignore
@@ -10,13 +10,6 @@
 crash.log
 crash.*.log

-# Exclude all .tfvars files, which are likely to contain sensitive data, such as
-# password, private keys, and other secrets. These should not be part of version 
-# control as they are data points which are potentially sensitive and subject 
-# to change depending on the environment.
-*.tfvars
-*.tfvars.json
-
 # Ignore override files as they are usually used to override resources locally and so
 # are not checked in
 override.tf
--- a/k8s/apps/hexound/ingress.yaml
+++ b/k8s/apps/hexound/ingress.yaml
@@ -0,0 +1,37 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: hexound-tls-ingress
+  annotations:
+    ingressClassName: traefik
+    cert-manager.io/cluster-issuer: letsencrypt
+    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
+    acme.cert-manager.io/http01-edit-in-place: "true"
+spec:
+  rules:
+    - host: hexound.hexor.cy
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: hexound
+                port:
+                  number: 80
+    - host: hexound.hexor.ru
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: hexound
+                port:
+                  number: 80
+  tls:
+    - secretName: hexound-tls
+      hosts:
+        - hexound.hexor.cy
+        - hexound.hexor.ru
--- a/k8s/apps/hexound/kustomization.yaml
+++ b/k8s/apps/hexound/kustomization.yaml
@@ -5,4 +5,5 @@ resources:
  - app.yaml
  - deployment.yaml
  - service.yaml
+  - ingress.yaml

--- a/k8s/apps/paperless/external-secrets.yaml
+++ b/k8s/apps/paperless/external-secrets.yaml
@@ -2,7 +2,7 @@
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
-  name: postgres-creds
+  name: postgres-and-oauth-creds
 spec:
  target:
    name: postgres-creds
--- a/k8s/apps/paperless/paperless-values.yaml
+++ b/k8s/apps/paperless/paperless-values.yaml
@@ -1,5 +1,5 @@
 image:
-  tag: 2.18.2
+  tag: 2.18.4
 resources:
  requests:
    memory: "1Gi"
--- a/k8s/apps/syncthing/kustomization.yaml
+++ b/k8s/apps/syncthing/kustomization.yaml
@@ -4,6 +4,8 @@ kind: Kustomization

 resources:
  - app.yaml
+  - nginx-router.yaml
+  - traefik-simple.yaml

 helmCharts:
  - name: syncthing
@@ -28,4 +30,4 @@ helmCharts:
    releaseName: syncthing-nas
    namespace: syncthing
    valuesFile: syncthing-nas.yaml
-    includeCRDs: true
+    includeCRDs: true
--- a/k8s/apps/syncthing/nginx-router.yaml
+++ b/k8s/apps/syncthing/nginx-router.yaml
@@ -0,0 +1,276 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nginx-config
+  namespace: syncthing
+data:
+  default.conf: |
+    map $http_upgrade $connection_upgrade {
+        default upgrade;
+        '' close;
+    }
+
+    server {
+        listen 80;
+        server_name _;
+
+        # Landing page
+        location = / {
+            root /usr/share/nginx/html;
+            try_files /index.html =404;
+        }
+
+        # NAS instance
+        location /nas {
+            rewrite ^/nas$ /nas/ permanent;
+        }
+
+        # NAS API endpoints
+        location ~ ^/nas/(rest|meta)/ {
+            rewrite ^/nas/(.*) /$1 break;
+            proxy_pass http://syncthing-nas:8384;
+            
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            
+            # Handle websockets
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection $connection_upgrade;
+            proxy_read_timeout 86400;
+        }
+
+        location /nas/ {
+            proxy_pass http://syncthing-nas:8384/;
+            
+            # Important: tell syncthing that we're using /nas as base path
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            
+            # Handle websockets
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection $connection_upgrade;
+            proxy_read_timeout 86400;
+            
+            # Sub filter to fix asset paths
+            sub_filter 'href="/' 'href="/nas/';
+            sub_filter 'src="/' 'src="/nas/';
+            sub_filter 'url(/' 'url(/nas/';
+            sub_filter '"/meta' '"/nas/meta';
+            sub_filter '"/rest' '"/nas/rest';
+            sub_filter '"/vendor' '"/nas/vendor';
+            sub_filter '"/theme-assets' '"/nas/theme-assets';
+            sub_filter '"/syncthing' '"/nas/syncthing';
+            sub_filter_once off;
+            sub_filter_types text/html text/css application/javascript;
+        }
+
+
+        # Master instance
+        location /master {
+            rewrite ^/master$ /master/ permanent;
+        }
+
+        # Master API endpoints
+        location ~ ^/master/(rest|meta)/ {
+            rewrite ^/master/(.*) /$1 break;
+            proxy_pass http://syncthing-master:8384;
+            
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            
+            # Handle websockets
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection $connection_upgrade;
+            proxy_read_timeout 86400;
+        }
+        
+        location /master/ {
+            proxy_pass http://syncthing-master:8384/;
+            
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+            
+            sub_filter 'href="/' 'href="/master/';
+            sub_filter 'src="/' 'src="/master/';
+            sub_filter 'url(/' 'url(/master/';
+            sub_filter '"/meta' '"/master/meta';
+            sub_filter '"/rest' '"/master/rest';
+            sub_filter '"/vendor' '"/master/vendor';
+            sub_filter '"/theme-assets' '"/master/theme-assets';
+            sub_filter '"/syncthing' '"/master/syncthing';
+            sub_filter_once off;
+            sub_filter_types text/html text/css application/javascript;
+        }
+
+
+        # Iris instance  
+        location /iris {
+            rewrite ^/iris$ /iris/ permanent;
+        }
+
+        # Iris API endpoints
+        location ~ ^/iris/(rest|meta)/ {
+            rewrite ^/iris/(.*) /$1 break;
+            proxy_pass http://syncthing-khv:8384;
+            
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            
+            # Handle websockets
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection $connection_upgrade;
+            proxy_read_timeout 86400;
+        }
+        
+        location /iris/ {
+            proxy_pass http://syncthing-khv:8384/;
+            
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+            
+            sub_filter 'href="/' 'href="/iris/';
+            sub_filter 'src="/' 'src="/iris/';
+            sub_filter 'url(/' 'url(/iris/';
+            sub_filter '"/meta' '"/iris/meta';
+            sub_filter '"/rest' '"/iris/rest';
+            sub_filter '"/vendor' '"/iris/vendor';
+            sub_filter '"/theme-assets' '"/iris/theme-assets';
+            sub_filter '"/syncthing' '"/iris/syncthing';
+            sub_filter_once off;
+            sub_filter_types text/html text/css application/javascript;
+        }
+
+    }
+
+  index.html: |
+    <!DOCTYPE html>
+    <html>
+    <head>
+        <title>Syncthing Instances</title>
+        <style>
+            body {
+                font-family: Arial, sans-serif;
+                display: flex;
+                justify-content: center;
+                align-items: center;
+                height: 100vh;
+                margin: 0;
+                background-color: #f0f0f0;
+            }
+            .container {
+                text-align: center;
+                background: white;
+                padding: 40px;
+                border-radius: 10px;
+                box-shadow: 0 2px 10px rgba(0,0,0,0.1);
+            }
+            h1 {
+                color: #333;
+                margin-bottom: 30px;
+            }
+            .links {
+                display: flex;
+                flex-direction: column;
+                gap: 15px;
+            }
+            a {
+                display: inline-block;
+                padding: 15px 30px;
+                background-color: #0078e7;
+                color: white;
+                text-decoration: none;
+                border-radius: 5px;
+                transition: background-color 0.3s;
+            }
+            a:hover {
+                background-color: #0056b3;
+            }
+        </style>
+    </head>
+    <body>
+        <div class="container">
+            <h1>Syncthing Instances</h1>
+            <div class="links">
+                <a href="/nas/">NAS Instance</a>
+                <a href="/master/">Master Instance</a>
+                <a href="/iris/">Iris Instance</a>
+            </div>
+        </div>
+    </body>
+    </html>
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: syncthing-router
+  namespace: syncthing
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: syncthing-router
+  template:
+    metadata:
+      labels:
+        app: syncthing-router
+    spec:
+      containers:
+      - name: nginx
+        image: nginx:alpine
+        ports:
+        - containerPort: 80
+        volumeMounts:
+        - name: config
+          mountPath: /etc/nginx/conf.d
+        - name: html
+          mountPath: /usr/share/nginx/html
+      volumes:
+      - name: config
+        configMap:
+          name: nginx-config
+          items:
+          - key: default.conf
+            path: default.conf
+      - name: html
+        configMap:
+          name: nginx-config
+          items:
+          - key: index.html
+            path: index.html
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: syncthing-router
+  namespace: syncthing
+spec:
+  selector:
+    app: syncthing-router
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 80
--- a/k8s/apps/syncthing/traefik-simple.yaml
+++ b/k8s/apps/syncthing/traefik-simple.yaml
@@ -0,0 +1,36 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: syncthing-ingressroute
+  namespace: syncthing
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`ss.hexor.cy`)
+      kind: Rule
+      services:
+        - name: syncthing-router
+          port: 80
+      middlewares:
+        - name: authentik-forward-auth
+          namespace: syncthing
+  tls:
+    secretName: syncthing-tls
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: authentik-forward-auth
+  namespace: syncthing
+spec:
+  forwardAuth:
+    address: http://authentik-server.authentik.svc.cluster.local/outpost.goauthentik.io/auth/traefik
+    trustForwardHeader: true
+    authResponseHeaders:
+      - X-authentik-username
+      - X-authentik-groups
+      - X-authentik-email
+      - X-authentik-name
+      - X-authentik-uid
--- a/k8s/apps/vpn/config.yaml
+++ b/k8s/apps/vpn/config.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: outfleet-rs-config
+data:
+  config.toml: |-
+    [database]
+    url = "postgres://outfleet_rs:FMj#bA0XW14Pd2@psql.psql.svc:5432/outfleet_rs"
+
+    [web]
+    host = "0.0.0.0"
+    port = 8080
+    base_url = "https://vpn.hexor.cy"
+
+    [telegram]
+    enabled = false
+    admin_chat_ids = []
+    allowed_users = []
+
+    [xray]
+    config_path = "./templates"
+
+    [log]
+    level = "debug"
+
--- a/k8s/apps/vpn/deployment.yaml
+++ b/k8s/apps/vpn/deployment.yaml
@@ -0,0 +1,66 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: outfleet-rs
+  labels:
+    app: outfleet-rs
+  annotations:
+    reloader.stakater.com/auto: "true"
+spec:
+  selector:
+    matchLabels:
+      app: outfleet-rs
+  replicas: 1
+  strategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app: outfleet-rs
+    spec:
+      hostname: outfleet-rs
+      nodeSelector:
+        kubernetes.io/hostname: master.tail2fe2d.ts.net
+      containers:
+        - name: outfleet-rs
+          image: 'ultradesu/outfleet:rs-0.2'
+          imagePullPolicy: Always
+          command: ["/bin/sh"]
+          args:
+            - "-c"
+            - |
+              set -x
+              /app/xray-admin --host 0.0.0.0 --port 8080
+          ports:
+            - name: http
+              containerPort: 8080
+              protocol: TCP
+          env:
+            - name: RUST_LOG
+              value: "info"
+          volumeMounts:
+            - name: outfleet-config
+              mountPath: /app/config.toml    # <-- target path inside container
+              subPath: config.toml           # <-- use the specific key as a file
+              readOnly: true
+      volumes:
+        - name: outfleet-config
+          configMap:
+            name: outfleet-rs-config
+            items:
+              - key: config.toml
+                path: config.toml
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: outfleet-rs
+spec:
+  selector:
+    app: outfleet-rs
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 8080
--- a/k8s/apps/vpn/kustomization.yaml
+++ b/k8s/apps/vpn/kustomization.yaml
@@ -6,4 +6,7 @@ resources:
  - ./external-secrets.yaml
  - ./outfleet.yaml
  - ./shadowsocks.yaml
+  - ./deployment.yaml
+  - ./config.yaml
+  - ./xray.yaml

--- a/k8s/apps/vpn/xray.yaml
+++ b/k8s/apps/vpn/xray.yaml
@@ -0,0 +1,209 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: xray-config-template
+data:
+  config.json.template: |
+    {
+      "log": {
+        "loglevel": "warning"
+      },
+      "api": {
+        "tag": "api",
+        "listen": "TAILSCALE_IP:10086",
+        "services": [
+          "HandlerService",
+          "StatsService",
+          "LoggerService",
+          "RoutingService",
+          "ReflectionService"
+        ]
+      },
+      "stats": {},
+      "policy": {
+        "system": {
+          "statsInboundDownlink": true,
+          "statsInboundUplink": true,
+          "statsOutboundDownlink": true,
+          "statsOutboundUplink": true
+        }
+      },
+      "inbounds": [],
+      "outbounds": [
+        {
+          "tag": "direct",
+          "protocol": "freedom",
+          "settings": {}
+        }
+      ],
+      "routing": {
+        "rules": []
+      }
+    }
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: xray-init-script
+data:
+  init.sh: |
+    #!/bin/sh
+    set -e
+    
+    echo "Starting Xray configuration setup..."
+    
+    # Find xray binary location
+    XRAY_BIN=""
+    for path in /usr/bin/xray /usr/local/bin/xray /bin/xray /opt/xray/xray; do
+        if [ -x "$path" ]; then
+            XRAY_BIN="$path"
+            echo "Found Xray binary at: $XRAY_BIN"
+            break
+        fi
+    done
+    
+    if [ -z "$XRAY_BIN" ]; then
+        echo "Error: Xray binary not found"
+        echo "Available files in common locations:"
+        ls -la /usr/bin/xray* 2>/dev/null || echo "No xray in /usr/bin/"
+        ls -la /usr/local/bin/xray* 2>/dev/null || echo "No xray in /usr/local/bin/"
+        ls -la /bin/xray* 2>/dev/null || echo "No xray in /bin/"
+        exit 1
+    fi
+    
+    # Get Tailscale IP address
+    TAILSCALE_IP=""
+    
+    # Try different ways to get Tailscale IP
+    if command -v ip >/dev/null 2>&1; then
+        TAILSCALE_IP=$(ip addr show tailscale0 2>/dev/null | grep 'inet ' | awk '{print $2}' | cut -d'/' -f1 | head -n1)
+    fi
+    
+    # Fallback: try to find any interface with 100.x.x.x IP (typical Tailscale range)
+    if [ -z "$TAILSCALE_IP" ]; then
+        TAILSCALE_IP=$(ip route get 8.8.8.8 2>/dev/null | grep -o 'src [0-9\.]*' | grep '100\.' | awk '{print $2}' | head -n1)
+    fi
+    
+    # Another fallback: check all interfaces for 100.x.x.x
+    if [ -z "$TAILSCALE_IP" ]; then
+        TAILSCALE_IP=$(ip addr show 2>/dev/null | grep -o 'inet 100\.[0-9\.]*' | awk '{print $2}' | head -n1)
+    fi
+    
+    # Final fallback: use localhost if no Tailscale IP found
+    if [ -z "$TAILSCALE_IP" ]; then
+        echo "Warning: Could not find Tailscale IP, using 127.0.0.1"
+        TAILSCALE_IP="127.0.0.1"
+    else
+        echo "Found Tailscale IP: $TAILSCALE_IP"
+    fi
+    
+    # Create config directory
+    mkdir -p /usr/local/etc/xray
+    
+    # Replace TAILSCALE_IP placeholder in config template
+    sed "s/TAILSCALE_IP/$TAILSCALE_IP/g" /config-template/config.json.template > /usr/local/etc/xray/config.json
+    
+    echo "Generated Xray config:"
+    cat /usr/local/etc/xray/config.json
+    
+    # Increase file descriptor limits
+    ulimit -n 65536 2>/dev/null || echo "Warning: Could not increase file descriptor limit"
+    
+    echo "Starting Xray with binary: $XRAY_BIN"
+    exec "$XRAY_BIN" run -c /usr/local/etc/xray/config.json
+
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: xray-daemon
+  labels:
+    app: xray
+spec:
+  selector:
+    matchLabels:
+      app: xray
+  template:
+    metadata:
+      labels:
+        app: xray
+    spec:
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+      nodeSelector:
+        xray: "true"
+      tolerations:
+      - operator: Exists
+        effect: NoSchedule
+      containers:
+      - name: xray
+        image: teddysun/xray:latest
+        command: ["/bin/sh"]
+        args: ["/scripts/init.sh"]
+        securityContext:
+          privileged: true
+          capabilities:
+            add:
+            - NET_ADMIN
+            - NET_RAW
+        volumeMounts:
+        - name: config-template
+          mountPath: /config-template
+          readOnly: true
+        - name: init-script
+          mountPath: /scripts
+          readOnly: true
+        - name: xray-config
+          mountPath: /usr/local/etc/xray
+        ports:
+        - containerPort: 10086
+          protocol: TCP
+          name: api
+        livenessProbe:
+          tcpSocket:
+            port: 10086
+          initialDelaySeconds: 30
+          periodSeconds: 10
+        readinessProbe:
+          tcpSocket:
+            port: 10086
+          initialDelaySeconds: 5
+          periodSeconds: 5
+        resources:
+          limits:
+            memory: "512Mi"
+            cpu: "500m"
+          requests:
+            memory: "256Mi"
+            cpu: "250m"
+      volumes:
+      - name: config-template
+        configMap:
+          name: xray-config-template
+          defaultMode: 0644
+      - name: init-script
+        configMap:
+          name: xray-init-script
+          defaultMode: 0755
+      - name: xray-config
+        emptyDir: {}
+      restartPolicy: Always
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: xray-api-service
+  labels:
+    app: xray
+spec:
+  type: ClusterIP
+  ports:
+  - port: 10086
+    targetPort: 10086
+    protocol: TCP
+    name: api
+  selector:
+    app: xray
--- a/k8s/core/authentik/values.yaml
+++ b/k8s/core/authentik/values.yaml
@@ -15,8 +15,14 @@ worker:
  envFrom:
    - secretRef:
        name: authentik-creds
-  #nodeSelector:
-  #  kubernetes.io/hostname: home.homenet
+  volumes:
+    - name: dshm
+      emptyDir:
+        medium: Memory
+        sizeLimit: 512Mi
+  volumeMounts:
+    - name: dshm
+      mountPath: /dev/shm
 server:
  envFrom:
    - secretRef:
@@ -32,14 +38,12 @@ server:
        - nas.hexor.cy       # TrueNAS Limassol
        - nc.hexor.cy        # NaxtCloud
        - of.hexor.cy        # Outfleet-v2
-        - master.hexor.cy    # k8s dashboard
+        - k8s.hexor.cy    # k8s dashboard
        - qbt.hexor.cy       # qBittorent for Jellyfin
        - prom.hexor.cy      # Prometheus
-        - ss.hexor.cy        # Syncthing UI
        - khm.hexor.cy       # Known Hosts keys Manager
        - backup.hexor.cy    # Kopia Backup UI
        - fm.hexor.cy        # Filemanager
-        - hexound.hexor.cy   # Hexound
        - minecraft.hexor.cy # Minecraft UI and server
        - pass.hexor.cy      # k8s-secret for openai
      tls:
--- a/k8s/core/postgresql/external-secrets.yaml
+++ b/k8s/core/postgresql/external-secrets.yaml
@@ -115,6 +115,8 @@ spec:
          {{ .khm }}
        USER_kanjai: |-
          {{ .kanjai }}
+        USER_outfleet_rs: |-
+          {{ .outfleet_rs }}
  data:
    - secretKey: authentik
      sourceRef:
@@ -193,3 +195,14 @@ spec:
        metadataPolicy: None
        key: 2a9deb39-ef22-433e-a1be-df1555625e22
        property: fields[7].value
+    - secretKey: outfleet_rs
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
+        key: 2a9deb39-ef22-433e-a1be-df1555625e22
+        property: fields[8].value
--- a/k8s/core/postgresql/kustomization.yaml
+++ b/k8s/core/postgresql/kustomization.yaml
@@ -13,7 +13,7 @@ resources:
 helmCharts:
  - name: pgadmin4
    repo: https://helm.runix.net
-    version: 1.37.0
+    version: 1.50.0
    releaseName: pgmanager
    namespace: psql
    valuesFile: pgadmin4-values.yaml
--- a/k8s/core/postgresql/pgadmin4-values.yaml
+++ b/k8s/core/postgresql/pgadmin4-values.yaml
@@ -1,5 +1,5 @@
 image:
-  tag: "9.3"
+  tag: "9.8"
  pullPolicy: Always
 env:
  email: "postgres@hexor.cy"
--- a/k8s/core/prometheus/grafana-values.yaml
+++ b/k8s/core/prometheus/grafana-values.yaml
@@ -10,7 +10,7 @@ admin:
 grafana.ini:
  auth:
    signout_redirect_url: https://idm.hexor.cy/application/o/grafana/end-session/
-    oauth_auto_login: true
+    # oauth_auto_login: true
  auth.generic_oauth:
    name: authentik
    enabled: true
--- a/k8s/core/system-upgrade/plan.yaml
+++ b/k8s/core/system-upgrade/plan.yaml
@@ -16,7 +16,7 @@ spec:
  serviceAccountName: system-upgrade
  upgrade:
    image: rancher/k3s-upgrade
-  version: v1.33.4+k3s1
+  version: v1.34.1+k3s1
 ---
 # Agent plan
 apiVersion: upgrade.cattle.io/v1
@@ -39,5 +39,5 @@ spec:
  serviceAccountName: system-upgrade
  upgrade:
    image: rancher/k3s-upgrade
-  version: v1.33.4+k3s1
+  version: v1.34.1+k3s1

--- a/terraform/authentik/.claude/settings.local.json
+++ b/terraform/authentik/.claude/settings.local.json
@@ -7,7 +7,8 @@
      "Bash(\"C:\\Users\\ab\\AppData\\Local\\Microsoft\\WinGet\\Packages\\Hashicorp.Terraform_Microsoft.Winget.Source_8wekyb3d8bbwe\\terraform.exe\" apply -auto-approve)",
      "Bash(\"C:\\Users\\ab\\AppData\\Local\\Microsoft\\WinGet\\Packages\\Hashicorp.Terraform_Microsoft.Winget.Source_8wekyb3d8bbwe\\terraform.exe\" apply -auto-approve -lock=false)",
      "Bash(\"C:\\Users\\ab\\AppData\\Local\\Microsoft\\WinGet\\Packages\\Hashicorp.Terraform_Microsoft.Winget.Source_8wekyb3d8bbwe\\terraform.exe\" plan -lock=false)",
-      "Bash(\"C:\\Users\\ab\\AppData\\Local\\Microsoft\\WinGet\\Packages\\Hashicorp.Terraform_Microsoft.Winget.Source_8wekyb3d8bbwe\\terraform.exe\" apply -replace=\"authentik_outpost.outposts[\"\"kubernetes-outpost\"\"]\" -auto-approve -lock=false)"
+      "Bash(\"C:\\Users\\ab\\AppData\\Local\\Microsoft\\WinGet\\Packages\\Hashicorp.Terraform_Microsoft.Winget.Source_8wekyb3d8bbwe\\terraform.exe\" apply -replace=\"authentik_outpost.outposts[\"\"kubernetes-outpost\"\"]\" -auto-approve -lock=false)",
+      "Bash(terraform plan:*)"
    ],
    "deny": [],
    "ask": []
--- a/terraform/authentik/.terraform.lock.hcl
+++ b/terraform/authentik/.terraform.lock.hcl
@@ -3,9 +3,9 @@

 provider "registry.terraform.io/goauthentik/authentik" {
  version     = "2025.8.1"
-  constraints = ">= 2023.10.0"
+  constraints = ">= 2023.10.0, 2025.8.1"
  hashes = [
-    "h1:L3Fh0LyQ066laexCAeqLd+AVuSPDemwCmYgq1Bges6c=",
+    "h1:R3h8ADB0Kkv/aoY0AaHkBiX2/P4+GnW8sSgkN30kJfQ=",
    "zh:0c3f1083fd48f20ed06959401ff1459fbb5d454d81c8175b5b6d321b308c0be3",
    "zh:21c6d93f8d26e688da38a660d121b5624e3597c426c671289f31a17a9771abbf",
    "zh:301b5763ffc4c5fe47aa7e851ce0b19f71bab4fae5c81003ad81b38775e85f78",
@@ -27,7 +27,7 @@ provider "registry.terraform.io/hashicorp/random" {
  version     = "3.7.2"
  constraints = ">= 3.5.0"
  hashes = [
-    "h1:0hcNr59VEJbhZYwuDE/ysmyTS0evkfcLarlni+zATPM=",
+    "h1:356j/3XnXEKr9nyicLUufzoF4Yr6hRy481KIxRVpK0c=",
    "zh:14829603a32e4bc4d05062f059e545a91e27ff033756b48afbae6b3c835f508f",
    "zh:1527fb07d9fea400d70e9e6eb4a2b918d5060d604749b6f1c361518e7da546dc",
    "zh:1e86bcd7ebec85ba336b423ba1db046aeaa3c0e5f921039b3f1a6fc2f978feab",
--- a/terraform/authentik/groups.tfvars
+++ b/terraform/authentik/groups.tfvars
@@ -0,0 +1,10 @@
+groups = {
+  "admins" = {
+    name         = "Administrators"
+    is_superuser = true
+    attributes = {
+      notes = "Managed by Terraform"
+    }
+  }
+}
+
--- a/terraform/authentik/main.tf
+++ b/terraform/authentik/main.tf
@@ -11,21 +11,69 @@ data "authentik_flow" "default_invalidation_flow" {
  slug = var.default_invalidation_flow
 }

-resource "authentik_group" "groups" {
-  for_each = var.groups
+# Root groups (without parent)
+resource "authentik_group" "root_groups" {
+  for_each = {
+    for k, v in var.groups : k => v
+    if v.parent == null
+  }

  name         = each.value.name
  is_superuser = each.value.is_superuser
-  parent       = each.value.parent
  attributes   = jsonencode(each.value.attributes)
 }

+# Child groups (with parent)
+resource "authentik_group" "child_groups" {
+  for_each = {
+    for k, v in var.groups : k => v
+    if v.parent != null
+  }
+
+  name         = each.value.name
+  is_superuser = each.value.is_superuser
+  parent       = authentik_group.root_groups[each.value.parent].id
+  attributes   = jsonencode(each.value.attributes)
+
+  depends_on = [authentik_group.root_groups]
+}
+
+# Auto-created groups for proxy applications
+resource "authentik_group" "proxy_app_groups" {
+  for_each = {
+    for k, v in var.proxy_applications : k => v
+    if v.create_group == true
+  }
+
+  name         = "TF-${each.value.name} Users"
+  is_superuser = false
+  attributes = jsonencode({
+    notes    = "Auto-created for ${each.value.name} application"
+    app_slug = each.value.slug
+  })
+}
+
+# Auto-created groups for OAuth applications
+resource "authentik_group" "oauth_app_groups" {
+  for_each = {
+    for k, v in var.oauth_applications : k => v
+    if v.create_group == true
+  }
+
+  name         = "TF-${each.value.name} Users"
+  is_superuser = false
+  attributes = jsonencode({
+    notes    = "Auto-created for ${each.value.name} application"
+    app_slug = each.value.slug
+  })
+}
+
 resource "authentik_certificate_key_pair" "certificates" {
  for_each = var.certificates

  name             = each.value.name
  certificate_data = each.value.certificate_data
-  key_data        = each.value.key_data
+  key_data         = each.value.key_data
 }


@@ -52,9 +100,9 @@ resource "authentik_property_mapping_provider_scope" "oidc_mappings" {
    if v.oidc_scope != null
  }

-  name        = each.value.name
-  scope_name  = each.value.oidc_scope
-  expression  = each.value.expression
+  name       = each.value.name
+  scope_name = each.value.oidc_scope
+  expression = each.value.expression
 }

 resource "authentik_property_mapping_provider_saml" "saml_mappings" {
@@ -70,55 +118,135 @@ resource "authentik_property_mapping_provider_saml" "saml_mappings" {

 module "oauth_applications" {
  source = "./modules/oauth-provider"
-  
+
  for_each = var.oauth_applications

  name                       = each.value.name
-  app_name                  = each.value.name
-  app_slug                  = each.value.slug
-  app_group                 = each.value.group
-  client_id                 = each.value.client_id
-  authorization_flow        = try(authentik_flow.flows[each.value.authorization_flow].id, data.authentik_flow.default_authorization_flow.id)
-  invalidation_flow         = data.authentik_flow.default_invalidation_flow.id
-  redirect_uris             = each.value.redirect_uris
-  client_type               = each.value.client_type
+  app_name                   = each.value.name
+  app_slug                   = each.value.slug
+  app_group                  = each.value.group
+  client_id                  = each.value.client_id
+  authorization_flow         = try(authentik_flow.flows[each.value.authorization_flow].id, data.authentik_flow.default_authorization_flow.id)
+  invalidation_flow          = data.authentik_flow.default_invalidation_flow.id
+  redirect_uris              = each.value.redirect_uris
+  client_type                = each.value.client_type
  include_claims_in_id_token = each.value.include_claims_in_id_token
-  access_code_validity      = each.value.access_code_validity
-  access_token_validity     = each.value.access_token_validity
-  refresh_token_validity    = each.value.refresh_token_validity
-  property_mappings         = each.value.property_mappings
-  signing_key              = each.value.signing_key
-  policy_engine_mode       = each.value.policy_engine_mode
-  meta_description         = each.value.meta_description
-  meta_launch_url          = each.value.meta_launch_url
-  meta_icon                = each.value.meta_icon
+  access_code_validity       = each.value.access_code_validity
+  access_token_validity      = each.value.access_token_validity
+  refresh_token_validity     = each.value.refresh_token_validity
+  property_mappings          = each.value.property_mappings
+  signing_key                = each.value.signing_key
+  policy_engine_mode         = each.value.policy_engine_mode
+  meta_description           = each.value.meta_description
+  meta_launch_url            = each.value.meta_launch_url
+  meta_icon                  = each.value.meta_icon
+  scope_mappings             = each.value.scope_mappings
+
+  # Access control - only pass explicitly defined groups
+  access_groups = [
+    for group_key in each.value.access_groups :
+    try(
+      authentik_group.root_groups[group_key].id,
+      authentik_group.child_groups[group_key].id
+    )
+  ]
 }

 module "proxy_applications" {
  source = "./modules/proxy-provider"
-  
+
  for_each = var.proxy_applications

-  name                         = each.value.name
-  app_name                    = each.value.name
-  app_slug                    = each.value.slug
-  app_group                   = each.value.group
-  external_host               = each.value.external_host
-  internal_host               = each.value.internal_host
-  internal_host_ssl_validation = each.value.internal_host_ssl_validation
-  authorization_flow          = try(authentik_flow.flows[each.value.authorization_flow].id, data.authentik_flow.default_authorization_flow.id)
-  invalidation_flow           = data.authentik_flow.default_invalidation_flow.id
-  mode                        = each.value.mode
-  intercept_header_auth       = each.value.intercept_header_auth
-  basic_auth_enabled          = each.value.basic_auth_enabled
-  basic_auth_user_attribute   = each.value.basic_auth_username_attribute
+  name                          = each.value.name
+  app_name                      = each.value.name
+  app_slug                      = each.value.slug
+  app_group                     = each.value.group
+  external_host                 = each.value.external_host
+  internal_host                 = each.value.internal_host
+  internal_host_ssl_validation  = each.value.internal_host_ssl_validation
+  authorization_flow            = try(authentik_flow.flows[each.value.authorization_flow].id, data.authentik_flow.default_authorization_flow.id)
+  invalidation_flow             = data.authentik_flow.default_invalidation_flow.id
+  mode                          = each.value.mode
+  intercept_header_auth         = each.value.intercept_header_auth
+  basic_auth_enabled            = each.value.basic_auth_enabled
+  basic_auth_user_attribute     = each.value.basic_auth_username_attribute
  basic_auth_password_attribute = each.value.basic_auth_password_attribute
-  cookie_domain              = each.value.cookie_domain
-  skip_path_regex           = each.value.skip_path_regex
-  policy_engine_mode        = each.value.policy_engine_mode
-  meta_description          = each.value.meta_description
-  meta_launch_url           = each.value.meta_launch_url
-  meta_icon                 = each.value.meta_icon
+  cookie_domain                 = each.value.cookie_domain
+  skip_path_regex               = each.value.skip_path_regex
+  policy_engine_mode            = each.value.policy_engine_mode
+  meta_description              = each.value.meta_description
+  meta_launch_url               = each.value.meta_launch_url
+  meta_icon                     = each.value.meta_icon
+
+  # Access control - only pass explicitly defined groups
+  access_groups = [
+    for group_key in each.value.access_groups :
+    try(
+      authentik_group.root_groups[group_key].id,
+      authentik_group.child_groups[group_key].id
+    )
+  ]
+}
+
+# Binding auto-created groups to their applications
+resource "authentik_policy_binding" "auto_group_bindings" {
+  for_each = {
+    for k, v in var.proxy_applications : k => v
+    if v.create_group == true
+  }
+
+  target = module.proxy_applications[each.key].application_uuid
+  group  = authentik_group.proxy_app_groups[each.key].id
+  order  = 100
+
+  depends_on = [
+    module.proxy_applications,
+    authentik_group.proxy_app_groups
+  ]
+}
+
+# Binding auto-created groups to their OAuth applications
+resource "authentik_policy_binding" "oauth_auto_group_bindings" {
+  for_each = {
+    for k, v in var.oauth_applications : k => v
+    if v.create_group == true
+  }
+
+  target = module.oauth_applications[each.key].application_uuid
+  group  = authentik_group.oauth_app_groups[each.key].id
+  order  = 100
+
+  depends_on = [
+    module.oauth_applications,
+    authentik_group.oauth_app_groups
+  ]
+}
+
+module "saml_applications" {
+  source = "./modules/saml-provider"
+
+  for_each = var.saml_applications
+
+  name                            = each.value.name
+  app_name                        = each.value.name
+  app_slug                        = each.value.slug
+  app_group                       = each.value.group
+  authorization_flow              = try(authentik_flow.flows[each.value.authorization_flow].id, data.authentik_flow.default_authorization_flow.id)
+  invalidation_flow               = data.authentik_flow.default_invalidation_flow.id
+  acs_url                         = each.value.acs_url
+  issuer                          = each.value.issuer
+  audience                        = each.value.audience
+  sp_binding                      = each.value.sp_binding
+  signing_key                     = each.value.signing_key
+  property_mappings               = [for pm in each.value.property_mappings : authentik_property_mapping_provider_saml.saml_mappings[pm].id]
+  name_id_mapping                 = each.value.name_id_mapping != null ? authentik_property_mapping_provider_saml.saml_mappings[each.value.name_id_mapping].id : null
+  assertion_valid_not_before      = each.value.assertion_valid_not_before
+  assertion_valid_not_on_or_after = each.value.assertion_valid_not_on_or_after
+  session_valid_not_on_or_after   = each.value.session_valid_not_on_or_after
+  policy_engine_mode              = each.value.policy_engine_mode
+  meta_description                = each.value.meta_description
+  meta_launch_url                 = each.value.meta_launch_url
+  meta_icon                       = each.value.meta_icon
 }

 locals {
@@ -126,18 +254,18 @@ locals {
    for app_key, app in var.oauth_applications : app_key => app.outpost
    if app.outpost != null
  }
-  
+
  proxy_outpost_assignments = {
    for app_key, app in var.proxy_applications : app_key => app.outpost
    if app.outpost != null
  }
-  
+
  outpost_providers = {
    for outpost_key, outpost in var.outposts : outpost_key => concat(
-      [for app_key, app_outpost in local.oauth_outpost_assignments : 
-        module.oauth_applications[app_key].provider_id if app_outpost == outpost_key],
-      [for app_key, app_outpost in local.proxy_outpost_assignments : 
-        module.proxy_applications[app_key].provider_id if app_outpost == outpost_key]
+      [for app_key, app_outpost in local.oauth_outpost_assignments :
+      module.oauth_applications[app_key].provider_id if app_outpost == outpost_key],
+      [for app_key, app_outpost in local.proxy_outpost_assignments :
+      module.proxy_applications[app_key].provider_id if app_outpost == outpost_key]
    )
  }
 }
@@ -153,27 +281,27 @@ resource "authentik_outpost" "outposts" {
  protocol_providers = local.outpost_providers[each.key]
  service_connection = data.authentik_service_connection_kubernetes.local_k8s.id
  config = jsonencode({
-    log_level                       = "info"
-    docker_labels                   = null
-    authentik_host                  = var.authentik_url
-    docker_network                  = null
-    container_image                 = null
-    docker_map_ports                = true
-    refresh_interval                = "minutes=5"
-    kubernetes_replicas             = 1
-    kubernetes_namespace            = "authentik"
-    authentik_host_browser          = ""
-    object_naming_template          = "ak-outpost-%(name)s"
-    authentik_host_insecure         = false
-    kubernetes_json_patches         = null
-    kubernetes_service_type         = "ClusterIP"
-    kubernetes_image_pull_secrets   = []
-    kubernetes_ingress_class_name   = null
-    kubernetes_disabled_components  = []
-    kubernetes_ingress_annotations  = {}
-    kubernetes_ingress_secret_name  = "authentik-outpost-tls"
+    log_level                      = "info"
+    docker_labels                  = null
+    authentik_host                 = var.authentik_url
+    docker_network                 = null
+    container_image                = null
+    docker_map_ports               = true
+    refresh_interval               = "minutes=5"
+    kubernetes_replicas            = 1
+    kubernetes_namespace           = "authentik"
+    authentik_host_browser         = ""
+    object_naming_template         = "ak-outpost-%(name)s"
+    authentik_host_insecure        = false
+    kubernetes_json_patches        = null
+    kubernetes_service_type        = "ClusterIP"
+    kubernetes_image_pull_secrets  = []
+    kubernetes_ingress_class_name  = null
+    kubernetes_disabled_components = []
+    kubernetes_ingress_annotations = {}
+    kubernetes_ingress_secret_name = "authentik-outpost-tls"
  })
-  
+
  depends_on = [
    module.oauth_applications,
    module.proxy_applications
--- a/terraform/authentik/modules/oauth-provider/main.tf
+++ b/terraform/authentik/modules/oauth-provider/main.tf
@@ -11,6 +11,30 @@ terraform {
  }
 }

+# Get all available scope mappings
+data "authentik_property_mapping_provider_scope" "all_scopes" {
+  managed_list = [
+    "goauthentik.io/providers/oauth2/scope-email",
+    "goauthentik.io/providers/oauth2/scope-openid", 
+    "goauthentik.io/providers/oauth2/scope-profile"
+  ]
+}
+
+# Filter scope mappings based on requested scopes
+locals {
+  scope_name_mapping = {
+    "openid"  = "goauthentik.io/providers/oauth2/scope-openid"
+    "profile" = "goauthentik.io/providers/oauth2/scope-profile"
+    "email"   = "goauthentik.io/providers/oauth2/scope-email"
+  }
+  
+  selected_scope_ids = [
+    for scope in var.scope_mappings : 
+      data.authentik_property_mapping_provider_scope.all_scopes.ids[index(data.authentik_property_mapping_provider_scope.all_scopes.managed_list, local.scope_name_mapping[scope])]
+    if contains(keys(local.scope_name_mapping), scope)
+  ]
+}
+
 resource "random_password" "client_secret" {
  count   = var.client_secret == null ? 1 : 0
  length  = 40
@@ -25,8 +49,19 @@ resource "authentik_provider_oauth2" "provider" {
  authorization_flow         = var.authorization_flow
  invalidation_flow          = var.invalidation_flow
  include_claims_in_id_token = var.include_claims_in_id_token
+  access_code_validity       = var.access_code_validity
+  access_token_validity      = var.access_token_validity
+  refresh_token_validity     = var.refresh_token_validity
+  signing_key                = var.signing_key
  
-  property_mappings         = var.property_mappings
+  allowed_redirect_uris = [
+    for uri in var.redirect_uris : {
+      matching_mode = "strict"
+      url           = uri
+    }
+  ]
+  
+  property_mappings         = length(var.property_mappings) > 0 ? var.property_mappings : local.selected_scope_ids
 }

 resource "random_id" "client_id" {
@@ -56,4 +91,13 @@ resource "authentik_policy_binding" "app_access" {
  timeout    = lookup(each.value, "timeout", 30)
  negate     = lookup(each.value, "negate", false)
  failure_result = lookup(each.value, "failure_result", true)
+}
+
+# Binding groups to the application
+resource "authentik_policy_binding" "group_bindings" {
+  for_each = { for idx, group_id in var.access_groups : idx => group_id }
+
+  target = authentik_application.app.uuid
+  group  = each.value
+  order  = 10 + each.key
 }
--- a/terraform/authentik/modules/oauth-provider/outputs.tf
+++ b/terraform/authentik/modules/oauth-provider/outputs.tf
@@ -10,7 +10,7 @@ output "application_id" {

 output "application_uuid" {
  description = "UUID of the application"
-  value       = authentik_application.app.id
+  value       = authentik_application.app.uuid
 }

 output "client_id" {
--- a/terraform/authentik/modules/oauth-provider/variables.tf
+++ b/terraform/authentik/modules/oauth-provider/variables.tf
@@ -135,4 +135,16 @@ variable "access_policies" {
    failure_result = optional(bool, true)
  }))
  default = {}
+}
+
+variable "access_groups" {
+  description = "List of group IDs that have access to the application"
+  type        = list(string)
+  default     = []
+}
+
+variable "scope_mappings" {
+  description = "List of scope mappings for the OAuth provider"
+  type        = list(string)
+  default     = ["openid", "profile", "email"]
 }
--- a/terraform/authentik/modules/proxy-provider/main.tf
+++ b/terraform/authentik/modules/proxy-provider/main.tf
@@ -46,4 +46,13 @@ resource "authentik_policy_binding" "app_access" {
  timeout        = lookup(each.value, "timeout", 30)
  negate         = lookup(each.value, "negate", false)
  failure_result = lookup(each.value, "failure_result", true)
+}
+
+# Binding groups to the application
+resource "authentik_policy_binding" "group_bindings" {
+  for_each = { for idx, group_id in var.access_groups : idx => group_id }
+
+  target = authentik_application.app.uuid
+  group  = each.value
+  order  = 10 + each.key
 }
--- a/terraform/authentik/modules/proxy-provider/outputs.tf
+++ b/terraform/authentik/modules/proxy-provider/outputs.tf
@@ -10,7 +10,7 @@ output "application_id" {

 output "application_uuid" {
  description = "UUID of the application"
-  value       = authentik_application.app.id
+  value       = authentik_application.app.uuid
 }

 output "application_slug" {
--- a/terraform/authentik/modules/proxy-provider/variables.tf
+++ b/terraform/authentik/modules/proxy-provider/variables.tf
@@ -142,4 +142,10 @@ variable "access_policies" {
    failure_result = optional(bool, true)
  }))
  default = {}
+}
+
+variable "access_groups" {
+  description = "List of group IDs that have access to the application"
+  type        = list(string)
+  default     = []
 }
--- a/terraform/authentik/modules/saml-provider/main.tf
+++ b/terraform/authentik/modules/saml-provider/main.tf
@@ -0,0 +1,53 @@
+terraform {
+  required_providers {
+    authentik = {
+      source  = "goauthentik/authentik"
+      version = ">= 2023.10.0"
+    }
+  }
+}
+
+data "authentik_certificate_key_pair" "default" {
+  name = "authentik Self-signed Certificate"
+}
+
+resource "authentik_provider_saml" "provider" {
+  name               = var.name
+  authorization_flow = var.authorization_flow
+  invalidation_flow  = var.invalidation_flow
+  acs_url            = var.acs_url
+  issuer             = var.issuer
+  audience           = var.audience
+  sp_binding         = var.sp_binding
+  signing_kp         = var.signing_key != null ? var.signing_key : data.authentik_certificate_key_pair.default.id
+  property_mappings  = var.property_mappings
+  name_id_mapping    = var.name_id_mapping
+  
+  assertion_valid_not_before = var.assertion_valid_not_before
+  assertion_valid_not_on_or_after = var.assertion_valid_not_on_or_after
+  session_valid_not_on_or_after = var.session_valid_not_on_or_after
+}
+
+resource "authentik_application" "app" {
+  name                = var.app_name
+  slug                = var.app_slug
+  protocol_provider   = authentik_provider_saml.provider.id
+  group              = var.app_group
+  policy_engine_mode = var.policy_engine_mode
+  meta_description   = var.meta_description
+  meta_launch_url    = var.meta_launch_url
+  meta_icon          = var.meta_icon
+}
+
+resource "authentik_policy_binding" "app_access" {
+  for_each = var.access_policies
+
+  target = authentik_application.app.id
+  policy = each.value.policy_id
+  order  = each.value.order
+  
+  enabled    = lookup(each.value, "enabled", true)
+  timeout    = lookup(each.value, "timeout", 30)
+  negate     = lookup(each.value, "negate", false)
+  failure_result = lookup(each.value, "failure_result", true)
+}
--- a/terraform/authentik/modules/saml-provider/outputs.tf
+++ b/terraform/authentik/modules/saml-provider/outputs.tf
@@ -0,0 +1,24 @@
+output "provider_id" {
+  description = "ID of the SAML provider"
+  value       = authentik_provider_saml.provider.id
+}
+
+output "application_id" {
+  description = "ID of the application"
+  value       = authentik_application.app.id
+}
+
+output "provider_name" {
+  description = "Name of the SAML provider"
+  value       = authentik_provider_saml.provider.name
+}
+
+output "acs_url" {
+  description = "Assertion Consumer Service URL"
+  value       = authentik_provider_saml.provider.acs_url
+}
+
+output "issuer" {
+  description = "SAML Issuer"
+  value       = authentik_provider_saml.provider.issuer
+}
--- a/terraform/authentik/modules/saml-provider/variables.tf
+++ b/terraform/authentik/modules/saml-provider/variables.tf
@@ -0,0 +1,124 @@
+variable "name" {
+  description = "Name of the SAML provider"
+  type        = string
+}
+
+variable "app_name" {
+  description = "Name of the application"
+  type        = string
+}
+
+variable "app_slug" {
+  description = "Slug of the application"
+  type        = string
+}
+
+variable "app_group" {
+  description = "Group of the application"
+  type        = string
+  default     = ""
+}
+
+variable "authorization_flow" {
+  description = "Authorization flow ID"
+  type        = string
+}
+
+variable "invalidation_flow" {
+  description = "Invalidation flow ID"
+  type        = string
+}
+
+variable "acs_url" {
+  description = "Assertion Consumer Service URL"
+  type        = string
+}
+
+variable "issuer" {
+  description = "SAML Issuer"
+  type        = string
+}
+
+variable "audience" {
+  description = "SAML Audience"
+  type        = string
+}
+
+variable "sp_binding" {
+  description = "Service Provider binding (post or redirect)"
+  type        = string
+  default     = "post"
+}
+
+variable "signing_key" {
+  description = "Certificate key pair ID for signing"
+  type        = string
+  default     = null
+}
+
+variable "property_mappings" {
+  description = "List of property mapping IDs"
+  type        = list(string)
+  default     = []
+}
+
+variable "name_id_mapping" {
+  description = "Property mapping ID for NameID"
+  type        = string
+  default     = null
+}
+
+variable "assertion_valid_not_before" {
+  description = "Assertion valid not before"
+  type        = string
+  default     = "minutes=-5"
+}
+
+variable "assertion_valid_not_on_or_after" {
+  description = "Assertion valid not on or after"
+  type        = string
+  default     = "minutes=5"
+}
+
+variable "session_valid_not_on_or_after" {
+  description = "Session valid not on or after"
+  type        = string
+  default     = "minutes=86400"
+}
+
+variable "policy_engine_mode" {
+  description = "Policy engine mode"
+  type        = string
+  default     = "all"
+}
+
+variable "meta_description" {
+  description = "Application description"
+  type        = string
+  default     = ""
+}
+
+variable "meta_launch_url" {
+  description = "Application launch URL"
+  type        = string
+  default     = ""
+}
+
+variable "meta_icon" {
+  description = "Application icon URL"
+  type        = string
+  default     = ""
+}
+
+variable "access_policies" {
+  description = "Access policies for the application"
+  type = map(object({
+    policy_id      = string
+    order          = number
+    enabled        = optional(bool, true)
+    timeout        = optional(number, 30)
+    negate         = optional(bool, false)
+    failure_result = optional(bool, true)
+  }))
+  default = {}
+}
--- a/terraform/authentik/oauth2-apps.tfvars
+++ b/terraform/authentik/oauth2-apps.tfvars
@@ -0,0 +1,171 @@
+oauth_applications = {
+  "paperless" = {
+    name                       = "Paperless-NGX"
+    slug                       = "paperless"
+    group                      = "Tools"
+    meta_description           = "Document management system"
+    meta_icon                  = "https://img.icons8.com/fluency/48/documents.png"
+    redirect_uris              = ["https://docs.hexor.cy/accounts/oidc/authentik/login/callback/"]
+    client_type                = "confidential"
+    include_claims_in_id_token = true
+    access_code_validity       = "minutes=1"
+    access_token_validity      = "minutes=5"
+    refresh_token_validity     = "days=30"
+    scope_mappings             = ["openid", "profile", "email"]
+    create_group               = true
+    access_groups              = ["admins"]
+  }
+
+  "gitea" = {
+    name                       = "Gitea"
+    slug                       = "gitea"
+    group                      = "Tools"
+    meta_description           = "Git repository hosting"
+    meta_icon                  = "https://img.icons8.com/?size=100&id=20906&format=png&color=000000"
+    redirect_uris              = ["https://gt.hexor.cy/user/oauth2/Authentik/callback"]
+    client_type                = "confidential"
+    include_claims_in_id_token = true
+    access_code_validity       = "minutes=1"
+    access_token_validity      = "minutes=10"
+    refresh_token_validity     = "days=30"
+    scope_mappings             = ["openid", "profile", "email"]
+    access_groups              = ["admins"]
+  }
+
+  "jellyfin" = {
+    name             = "Jellyfin"
+    slug             = "jellyfin"
+    group            = "Media and Storage"
+    meta_description = "Media streaming server"
+    meta_icon        = "https://img.icons8.com/plasticine/100/jellyfin.png"
+    redirect_uris = [
+      "https://jf.hexor.cy/sso/OID/r/authentik",
+      "https://jf.hexor.cy/sso/OID/redirect/authentik"
+    ]
+    client_type                = "confidential"
+    include_claims_in_id_token = true
+    access_code_validity       = "minutes=1"
+    access_token_validity      = "minutes=10"
+    refresh_token_validity     = "days=30"
+    scope_mappings             = ["openid", "profile", "email"]
+    access_groups              = ["admins"]
+  }
+
+  "argocd" = {
+    name                       = "ArgoCD"
+    slug                       = "argocd"
+    group                      = "Core"
+    meta_description           = "GitOps deployment tool"
+    meta_icon                  = "https://img.icons8.com/color-glass/48/octopus.png"
+    redirect_uris              = ["https://ag.hexor.cy/auth/callback"]
+    client_type                = "confidential"
+    include_claims_in_id_token = true
+    access_code_validity       = "minutes=1"
+    access_token_validity      = "minutes=5"
+    refresh_token_validity     = "days=30"
+    scope_mappings             = ["openid", "profile", "email"]
+    signing_key                = "1b1b5bec-034a-4d96-871a-133f11322360"
+    access_groups              = ["admins"]
+  }
+
+  "grafana" = {
+    name                       = "Grafana"
+    slug                       = "grafana"
+    group                      = "Core"
+    meta_description           = "Monitoring and observability"
+    meta_icon                  = "https://img.icons8.com/fluency/48/grafana.png"
+    redirect_uris              = ["https://gf.hexor.cy/login/generic_oauth"]
+    client_type                = "confidential"
+    include_claims_in_id_token = true
+    access_code_validity       = "minutes=1"
+    access_token_validity      = "minutes=5"
+    refresh_token_validity     = "days=30"
+    scope_mappings             = ["openid", "profile", "email"]
+    access_groups              = ["admins"]
+  }
+
+  "immich" = {
+    name             = "Immich"
+    slug             = "immich"
+    group            = "Media and Storage"
+    meta_description = "Photo and video management"
+    meta_icon        = "https://img.icons8.com/fluency/48/photos.png"
+    redirect_uris = [
+      "https://photos.hexor.cy/auth/login",
+      "https://photos.hexor.cy/user-settings",
+      "app.immich:///oauth-callback",
+      "http://photos.homenet:30283/auth/login",
+      "http://photos.homenet:30283/user-settings"
+    ]
+    client_type                = "confidential"
+    include_claims_in_id_token = true
+    access_code_validity       = "minutes=1"
+    access_token_validity      = "minutes=5"
+    refresh_token_validity     = "days=30"
+    scope_mappings             = ["openid", "profile", "email"]
+    signing_key                = "1b1b5bec-034a-4d96-871a-133f11322360"
+    access_groups              = ["admins"]
+    create_group               = true
+  }
+
+  "pgadmin" = {
+    name                       = "Postgres WEB Admin"
+    slug                       = "pgadmin"
+    group                      = "Core"
+    meta_description           = "PostgreSQL WEB administration"
+    meta_icon                  = "https://img.icons8.com/?size=100&id=JRnxU7ZWP4mi&format=png&color=000000"
+    redirect_uris              = ["https://pg.hexor.cy/oauth2/authorize"]
+    client_type                = "confidential"
+    include_claims_in_id_token = true
+    access_code_validity       = "minutes=1"
+    access_token_validity      = "minutes=5"
+    refresh_token_validity     = "days=30"
+    scope_mappings             = ["openid", "profile", "email"]
+    access_groups              = ["admins"]
+    signing_key                = "1b1b5bec-034a-4d96-871a-133f11322360"
+  }
+
+  "home-assistant-lms" = {
+    name                       = "Home Assistant LMS"
+    slug                       = "home-assistant-lms"
+    group                      = "Internal"
+    meta_description           = "Home Assistant Limassol"
+    meta_icon                  = "https://img.icons8.com/stickers/100/smart-home-automation.png"
+    redirect_uris              = [
+      "http://ha-lms:8123/auth/oidc/callback",
+      "http://ha-lms.homenet:8123/auth/oidc/callback",
+      ]
+    meta_launch_url            = "http://ha-lms:8123/auth/oidc/welcome"
+    client_type                = "confidential"
+    include_claims_in_id_token = true
+    access_code_validity       = "minutes=1"
+    access_token_validity      = "minutes=5"
+    refresh_token_validity     = "days=30"
+    scope_mappings             = ["openid", "profile", "email"]
+    access_groups              = ["admins"]
+    create_group               = true
+    signing_key                = "1b1b5bec-034a-4d96-871a-133f11322360"
+  }
+  "home-assistant-london" = {
+    name                       = "Home Assistant London"
+    slug                       = "home-assistant-london"
+    group                      = "Internal"
+    meta_description           = "Home Assistant London"
+    meta_icon                  = "https://img.icons8.com/stickers/100/smart-home-automation.png"
+    redirect_uris              = [
+      "http://ha-london:8123/auth/oidc/callback",
+      "http://ha-london.tail2fe2d.ts.net:8123/auth/oidc/callback",
+      ]
+    meta_launch_url            = "http://ha-london:8123/auth/oidc/welcome"
+    client_type                = "confidential"
+    include_claims_in_id_token = true
+    access_code_validity       = "minutes=1"
+    access_token_validity      = "minutes=5"
+    refresh_token_validity     = "days=30"
+    scope_mappings             = ["openid", "profile", "email"]
+    access_groups              = ["admins"]
+    create_group               = true
+    signing_key                = "1b1b5bec-034a-4d96-871a-133f11322360"
+  }
+}
+
--- a/terraform/authentik/outputs.tf
+++ b/terraform/authentik/outputs.tf
@@ -4,9 +4,9 @@ output "oauth_applications" {
    for k, v in module.oauth_applications : k => {
      application_id   = v.application_id
      application_uuid = v.application_uuid
-      client_id       = v.client_id
-      client_secret   = v.client_secret
-      slug            = v.application_slug
+      client_id        = v.client_id
+      client_secret    = v.client_secret
+      slug             = v.application_slug
    }
  }
  sensitive = true
@@ -18,9 +18,9 @@ output "proxy_applications" {
    for k, v in module.proxy_applications : k => {
      application_id   = v.application_id
      application_uuid = v.application_uuid
-      external_host   = v.external_host
-      internal_host   = v.internal_host
-      slug            = v.application_slug
+      external_host    = v.external_host
+      internal_host    = v.internal_host
+      slug             = v.application_slug
    }
  }
 }
@@ -38,12 +38,36 @@ output "outposts" {

 output "groups" {
  description = "Groups details"
-  value = {
-    for k, v in authentik_group.groups : k => {
-      id   = v.id
-      name = v.name
+  value = merge(
+    {
+      for k, v in authentik_group.root_groups : k => {
+        id   = v.id
+        name = v.name
+      }
+    },
+    {
+      for k, v in authentik_group.child_groups : k => {
+        id   = v.id
+        name = v.name
+      }
+    },
+    {
+      for k, v in authentik_group.proxy_app_groups : k => {
+        id           = v.id
+        name         = v.name
+        auto_created = true
+        type         = "proxy"
+      }
+    },
+    {
+      for k, v in authentik_group.oauth_app_groups : k => {
+        id           = v.id
+        name         = v.name
+        auto_created = true
+        type         = "oauth"
+      }
    }
-  }
+  )
 }

 output "flows" {
@@ -61,10 +85,40 @@ output "certificates" {
  description = "Certificates details"
  value = {
    for k, v in authentik_certificate_key_pair.certificates : k => {
-      id               = v.id
-      name            = v.name
+      id                 = v.id
+      name               = v.name
      fingerprint_sha256 = v.fingerprint_sha256
      fingerprint_sha1   = v.fingerprint_sha1
    }
  }
+}
+
+# Output for applications table generation
+output "applications_for_wiki" {
+  description = "Applications data formatted for wiki table generation"
+  value = {
+    proxy_apps = {
+      for k, v in var.proxy_applications : k => {
+        name         = v.name
+        type         = "Proxy"
+        url          = v.external_host
+        internal_url = v.internal_host
+        group        = v.group
+        description  = v.meta_description
+        icon         = v.meta_icon
+        slug         = v.slug
+      }
+    }
+    oauth_apps = {
+      for k, v in var.oauth_applications : k => {
+        name        = v.name
+        type        = "OAuth2/OpenID"
+        url         = length(v.redirect_uris) > 0 ? "https://${split("/", replace(v.redirect_uris[0], "https://", ""))[0]}" : ""
+        group       = v.group
+        description = v.meta_description
+        icon        = v.meta_icon
+        slug        = v.slug
+      }
+    }
+  }
 }
--- a/terraform/authentik/providers.tf
+++ b/terraform/authentik/providers.tf
@@ -1,7 +1,7 @@
 terraform {
  required_providers {
    authentik = {
-      source = "goauthentik/authentik"
+      source  = "goauthentik/authentik"
      version = "2025.8.1"
    }
  }
--- a/terraform/authentik/proxy-apps.tfvars
+++ b/terraform/authentik/proxy-apps.tfvars
@@ -0,0 +1,191 @@
+proxy_applications = {
+  "k8s-dashboard" = {
+    name                         = "K8S dashboard"
+    slug                         = "k8s-dashboard-ns"
+    group                        = "Core"
+    external_host                = "https://k8s.hexor.cy"
+    internal_host                = "http://kubernetes-dashboard.kubernetes-dashboard.svc"
+    internal_host_ssl_validation = false
+    meta_description             = "K8S dashboard chart"
+    mode                         = "proxy"
+    outpost                      = "kubernetes-outpost"
+    meta_icon                    = "https://img.icons8.com/color/48/kubernetes.png"
+    create_group                 = true
+    access_groups                = ["admins"]
+  }
+  "filemanager" = {
+    name                         = "FM filemanager"
+    slug                         = "fm-filemanager"
+    group                        = "Core"
+    external_host                = "https://fm.hexor.cy"
+    internal_host                = "http://fb-filemanager-filebrowser.syncthing.svc"
+    internal_host_ssl_validation = false
+    meta_description             = "K8S dashboard chart"
+    mode                         = "proxy"
+    outpost                      = "kubernetes-outpost"
+    meta_icon                    = "https://img.icons8.com/external-anggara-flat-anggara-putra/32/external-folder-basic-user-interface-anggara-flat-anggara-putra.png"
+    create_group                 = true
+    access_groups                = ["admins"]
+  }
+
+  "prometheus" = {
+    name                         = "Prometheus"
+    slug                         = "prometheus"
+    group                        = "Core"
+    external_host                = "https://prom.hexor.cy"
+    internal_host                = "http://prometheus-kube-prometheus-prometheus.prometheus.svc:9090"
+    meta_description             = ""
+    meta_icon                    = "https://img.icons8.com/fluency/48/prometheus-app.png"
+    mode                         = "proxy"
+    outpost                      = "kubernetes-outpost"
+    internal_host_ssl_validation = false
+    create_group                 = true
+    access_groups                = ["admins"]
+  }
+
+  "kubernetes-secrets" = {
+    name                         = "kubernetes-secrets"
+    slug                         = "k8s-secret"
+    group                        = "Core"
+    external_host                = "https://pass.hexor.cy"
+    internal_host                = "http://secret-reader.k8s-secret.svc:80"
+    internal_host_ssl_validation = false
+    meta_description             = ""
+    meta_icon                    = "https://img.icons8.com/ios-filled/50/password.png"
+    mode                         = "proxy"
+    outpost                      = "kubernetes-outpost"
+    create_group                 = true
+    access_groups                = ["admins"]
+  }
+
+  # Tools applications
+  "vpn" = {
+    name                         = "VPN"
+    slug                         = "vpn"
+    group                        = "Tools"
+    external_host                = "https://of.hexor.cy"
+    internal_host                = "http://outfleet.vpn.svc"
+    internal_host_ssl_validation = false
+    meta_description             = ""
+    skip_path_regex              = <<-EOT
+/u/
+/stat/
+/ss/
+/xray/
+/dynamic/
+EOT
+    meta_icon                    = "https://img.icons8.com/?size=100&id=fqAD3lAB6zTe&format=png&color=000000"
+    mode                         = "proxy"
+    outpost                      = "kubernetes-outpost"
+    create_group                 = true
+    access_groups                = ["admins"]
+  }
+
+  "outfleet-rs" = {
+    name                         = "OutFleet"
+    slug                         = "outfleet-rs"
+    group                        = "Tools"
+    external_host                = "https://vpn.hexor.cy"
+    internal_host                = "http://outfleet-rs.vpn.svc"
+    internal_host_ssl_validation = false
+    meta_description             = ""
+    skip_path_regex              = <<-EOT
+/sub/
+EOT
+    meta_icon                    = "https://img.icons8.com/?size=100&id=fqAD3lAB6zTe&format=png&color=000000"
+    mode                         = "proxy"
+    outpost                      = "kubernetes-outpost"
+    create_group                 = true
+    access_groups                = ["admins"]
+  }
+  "qbittorrent" = {
+    name                         = "qBittorent"
+    slug                         = "qbittorent"
+    group                        = "Tools"
+    external_host                = "https://qbt.hexor.cy"
+    internal_host                = "http://qbittorrent.jellyfin.svc"
+    internal_host_ssl_validation = false
+    meta_description             = ""
+    meta_icon                    = "https://img.icons8.com/nolan/64/qbittorrent--v2.png"
+    mode                         = "proxy"
+    outpost                      = "kubernetes-outpost"
+    create_group                 = true
+    access_groups                = ["admins"]
+  }
+
+  # Media and Storage applications
+  "kopia" = {
+    name                         = "Kopia"
+    slug                         = "kopia"
+    group                        = "Media and Storage"
+    external_host                = "https://backup.hexor.cy"
+    internal_host                = "http://100.72.135.2:51515"
+    internal_host_ssl_validation = false
+    meta_description             = ""
+    meta_icon                    = "https://img.icons8.com/external-flaticons-lineal-color-flat-icons/64/external-backup-productivity-flaticons-lineal-color-flat-icons.png"
+    mode                         = "proxy"
+    outpost                      = "kubernetes-outpost"
+    create_group                 = true
+    access_groups                = ["admins"]
+  }
+
+  "syncthing-master" = {
+    name                         = "Syncthing-master"
+    slug                         = "syncthing-master"
+    group                        = "Media and Storage"
+    external_host                = "https://ss.hexor.cy"
+    internal_host                = "https://syncthing-master.syncthing.svc:8384"
+    internal_host_ssl_validation = false
+    meta_description             = ""
+    meta_icon                    = "https://img.icons8.com/?size=100&id=Id4NcEcXcYzF&format=png&color=000000"
+    mode                         = "proxy"
+    outpost                      = "kubernetes-outpost"
+    create_group                 = true
+    access_groups                = ["admins"]
+  }
+
+  "truenas" = {
+    name                         = "TrueNAS"
+    slug                         = "truenas-proxy"
+    group                        = "Media and Storage"
+    external_host                = "https://nas.hexor.cy"
+    internal_host                = "http://10.0.5.107:81"
+    internal_host_ssl_validation = false
+    meta_description             = ""
+    meta_icon                    = "https://img.icons8.com/dusk/64/nas.png"
+    mode                         = "proxy"
+    outpost                      = "kubernetes-outpost"
+    create_group                 = true
+    access_groups                = ["admins"]
+  }
+
+  "khm" = {
+    name                         = "KHM"
+    slug                         = "khm"
+    group                        = "Media and Storage"
+    external_host                = "https://khm.hexor.cy"
+    internal_host                = "http://khm.khm.svc:8080"
+    internal_host_ssl_validation = false
+    meta_description             = ""
+    meta_icon                    = "https://img.icons8.com/liquid-glass/48/key.png"
+    mode                         = "proxy"
+    outpost                      = "kubernetes-outpost"
+    access_groups                = ["admins", "khm"] # Используем существующие группы
+    create_group                 = true
+    access_groups                = ["admins"]
+  }
+
+  "minecraft" = {
+    name                         = "Minecraft"
+    slug                         = "minecraft"
+    group                        = "Media and Storage"
+    external_host                = "https://minecraft.hexor.cy"
+    internal_host                = "http://minecraft-dynmap.minecraft.svc"
+    internal_host_ssl_validation = false
+    meta_description             = ""
+    meta_icon                    = "https://img.icons8.com/color/48/minecraft-grass-cube.png"
+    mode                         = "proxy"
+    outpost                      = "kubernetes-outpost"
+  }
+}
+
--- a/terraform/authentik/state.tf
+++ b/terraform/authentik/state.tf
@@ -0,0 +1,8 @@
+terraform {
+  cloud {
+    organization = "ultradesu"
+    workspaces {
+      name = "Authentik"
+    }
+  }
+}
--- a/terraform/authentik/terraform.tfvars
+++ b/terraform/authentik/terraform.tfvars
@@ -0,0 +1,28 @@
+authentik_url = "https://idm.hexor.cy"
+
+
+flows = {
+}
+
+tags = {
+  environment = "production"
+  managed_by  = "terraform"
+  project     = "homelab"
+}
+
+
+
+outposts = {
+  "kubernetes-outpost" = {
+    name               = "authentik Embedded Outpost"
+    type               = "proxy"
+    service_connection = "k8s-cluster"
+    config = {
+      authentik_host          = "https://idm.hexor.cy"
+      authentik_host_insecure = false
+      log_level               = "info"
+      error_reporting         = true
+      #container_image        = null
+    }
+  }
+}
--- a/terraform/authentik/variables.tf
+++ b/terraform/authentik/variables.tf
@@ -1,24 +1,27 @@
 variable "oauth_applications" {
  description = "Map of OAuth2/OpenID applications"
  type = map(object({
-    name                = string
-    slug                = string
-    group               = optional(string, "")
-    policy_engine_mode  = optional(string, "all")
-    meta_description    = optional(string, "")
-    meta_launch_url     = optional(string, "")
-    meta_icon           = optional(string, "")
-    redirect_uris       = list(string)
-    client_type         = optional(string, "confidential")
-    client_id           = optional(string, null)
+    name                       = string
+    slug                       = string
+    group                      = optional(string, "")
+    policy_engine_mode         = optional(string, "all")
+    meta_description           = optional(string, "")
+    meta_launch_url            = optional(string, "")
+    meta_icon                  = optional(string, "")
+    redirect_uris              = list(string)
+    client_type                = optional(string, "confidential")
+    client_id                  = optional(string, null)
    include_claims_in_id_token = optional(bool, true)
-    access_code_validity = optional(string, "minutes=1")
-    access_token_validity = optional(string, "minutes=5")
-    refresh_token_validity = optional(string, "days=30")
-    property_mappings   = optional(list(string), [])
-    authorization_flow  = optional(string, null)
-    signing_key        = optional(string, null)
-    outpost            = optional(string, null)
+    access_code_validity       = optional(string, "minutes=1")
+    access_token_validity      = optional(string, "minutes=5")
+    refresh_token_validity     = optional(string, "days=30")
+    property_mappings          = optional(list(string), [])
+    authorization_flow         = optional(string, null)
+    signing_key                = optional(string, null)
+    outpost                    = optional(string, null)
+    create_group               = optional(bool, false)
+    access_groups              = optional(list(string), [])
+    scope_mappings             = optional(list(string), ["openid", "profile", "email"])
  }))
  default = {}
 }
@@ -26,25 +29,52 @@ variable "oauth_applications" {
 variable "proxy_applications" {
  description = "Map of Proxy applications"
  type = map(object({
-    name                = string
-    slug                = string
-    group               = optional(string, "")
-    policy_engine_mode  = optional(string, "all")
-    meta_description    = optional(string, "")
-    meta_launch_url     = optional(string, "")
-    meta_icon           = optional(string, "")
-    external_host       = string
-    internal_host       = optional(string, "")
-    internal_host_ssl_validation = optional(bool, true)
-    mode                = optional(string, "proxy")
-    intercept_header_auth = optional(bool, false)
-    basic_auth_enabled  = optional(bool, false)
+    name                          = string
+    slug                          = string
+    group                         = optional(string, "")
+    policy_engine_mode            = optional(string, "all")
+    meta_description              = optional(string, "")
+    meta_launch_url               = optional(string, "")
+    meta_icon                     = optional(string, "")
+    external_host                 = string
+    internal_host                 = optional(string, "")
+    internal_host_ssl_validation  = optional(bool, true)
+    mode                          = optional(string, "proxy")
+    intercept_header_auth         = optional(bool, false)
+    basic_auth_enabled            = optional(bool, false)
    basic_auth_username_attribute = optional(string, "")
    basic_auth_password_attribute = optional(string, "")
-    cookie_domain       = optional(string, "")
-    authorization_flow  = optional(string, null)
-    skip_path_regex    = optional(string, "")
-    outpost            = optional(string, null)
+    cookie_domain                 = optional(string, "")
+    authorization_flow            = optional(string, null)
+    skip_path_regex               = optional(string, "")
+    outpost                       = optional(string, null)
+    create_group                  = optional(bool, false)
+    access_groups                 = optional(list(string), [])
+  }))
+  default = {}
+}
+
+variable "saml_applications" {
+  description = "Map of SAML applications"
+  type = map(object({
+    name                            = string
+    slug                            = string
+    group                           = optional(string, "")
+    policy_engine_mode              = optional(string, "all")
+    meta_description                = optional(string, "")
+    meta_launch_url                 = optional(string, "")
+    meta_icon                       = optional(string, "")
+    acs_url                         = string
+    issuer                          = string
+    audience                        = string
+    sp_binding                      = optional(string, "post")
+    signing_key                     = optional(string, null)
+    property_mappings               = optional(list(string), [])
+    name_id_mapping                 = optional(string, null)
+    assertion_valid_not_before      = optional(string, "minutes=-5")
+    assertion_valid_not_on_or_after = optional(string, "minutes=5")
+    session_valid_not_on_or_after   = optional(string, "minutes=86400")
+    authorization_flow              = optional(string, null)
  }))
  default = {}
 }
@@ -76,10 +106,10 @@ variable "flows" {
 variable "groups" {
  description = "Map of user groups"
  type = map(object({
-    name        = string
+    name         = string
    is_superuser = optional(bool, false)
-    parent      = optional(string, null)
-    attributes  = optional(map(any), {})
+    parent       = optional(string, null)
+    attributes   = optional(map(any), {})
  }))
  default = {}
 }
@@ -87,8 +117,8 @@ variable "groups" {
 variable "certificates" {
  description = "Map of certificates for HTTPS"
  type = map(object({
-    name              = string
-    certificate_data  = string
+    name             = string
+    certificate_data = string
    key_data         = string
    managed          = optional(string, null)
  }))
@@ -114,7 +144,7 @@ variable "default_authorization_flow" {
 }

 variable "default_authentication_flow" {
-  description = "Default authentication flow slug"  
+  description = "Default authentication flow slug"
  type        = string
  default     = "default-authentication-flow"
 }
@@ -134,4 +164,5 @@ variable "tags" {
 variable "authentik_url" {
  description = "Authentik URL"
  type        = string
-}
+  default     = "https://idm.hexor.cy"
+}
Author	SHA1	Message	Date
ab	bed8f5b7c3	Update k8s/core/authentik/values.yaml All checks were successful Update Kubernetes Services Wiki / Generate and Update K8s Wiki (push) Successful in 11s Details Check with kubeconform / lint (push) Successful in 13s Details	2025-10-22 15:49:23 +00:00
ab	676a81852a	Disable hexound All checks were successful Terraform / Terraform (push) Successful in 45s Details Update Kubernetes Services Wiki / Generate and Update K8s Wiki (push) Successful in 12s Details	2025-10-22 15:31:09 +00:00
ab	73c09f80f7	Update k8s/apps/hexound/kustomization.yaml All checks were successful Update Kubernetes Services Wiki / Generate and Update K8s Wiki (push) Successful in 10s Details Check with kubeconform / lint (push) Successful in 12s Details	2025-10-22 15:30:09 +00:00
ab	104d67bfb3	Add k8s/apps/hexound/ingress.yaml All checks were successful Update Kubernetes Services Wiki / Generate and Update K8s Wiki (push) Successful in 12s Details Check with kubeconform / lint (push) Successful in 13s Details	2025-10-22 15:29:34 +00:00
AB from home.homenet	71e5101604	Deployed OF django back All checks were successful Update Kubernetes Services Wiki / Generate and Update K8s Wiki (push) Successful in 13s Details Check with kubeconform / lint (push) Successful in 14s Details	2025-10-22 15:19:13 +03:00
AB from home.homenet	5783db189a	Deployed outfleet-rs All checks were successful Update Kubernetes Services Wiki / Generate and Update K8s Wiki (push) Successful in 17s Details Check with kubeconform / lint (push) Successful in 18s Details	2025-10-22 15:08:13 +03:00
ab	5659e4455b	Update terraform/authentik/proxy-apps.tfvars All checks were successful Terraform / Terraform (push) Successful in 44s Details Update Kubernetes Services Wiki / Generate and Update K8s Wiki (push) Successful in 12s Details	2025-10-19 11:28:03 +00:00
AB from home.homenet	36e8c5c36b	Fix: Drop nginx magic All checks were successful Update Kubernetes Services Wiki / Generate and Update K8s Wiki (push) Successful in 11s Details Check with kubeconform / lint (push) Successful in 12s Details	2025-10-12 15:16:59 +03:00
AB from home.homenet	a6e0165027	Fix: Changed syncthing access and auth scheme All checks were successful Update Kubernetes Services Wiki / Generate and Update K8s Wiki (push) Successful in 11s Details Check with kubeconform / lint (push) Successful in 12s Details	2025-10-12 14:24:07 +03:00
AB from home.homenet	09526f4e91	Fix: Changed syncthing access and auth scheme All checks were successful Update Kubernetes Services Wiki / Generate and Update K8s Wiki (push) Successful in 12s Details Check with kubeconform / lint (push) Successful in 12s Details	2025-10-12 14:18:42 +03:00
AB from home.homenet	d1922019ab	Fix: Changed syncthing access and auth scheme All checks were successful Update Kubernetes Services Wiki / Generate and Update K8s Wiki (push) Successful in 11s Details Check with kubeconform / lint (push) Successful in 12s Details	2025-10-12 14:17:16 +03:00
AB from home.homenet	118a1c431a	Fix: Changed syncthing access and auth scheme All checks were successful Update Kubernetes Services Wiki / Generate and Update K8s Wiki (push) Successful in 11s Details Check with kubeconform / lint (push) Successful in 11s Details	2025-10-12 14:13:05 +03:00
AB from home.homenet	b9667ea5e7	Fix: Changed syncthing access and auth scheme All checks were successful Update Kubernetes Services Wiki / Generate and Update K8s Wiki (push) Successful in 11s Details Check with kubeconform / lint (push) Successful in 13s Details	2025-10-12 14:09:18 +03:00
AB from home.homenet	b1446c53cd	Fix: Changed syncthing access and auth scheme All checks were successful Update Kubernetes Services Wiki / Generate and Update K8s Wiki (push) Successful in 11s Details Check with kubeconform / lint (push) Successful in 12s Details	2025-10-12 13:44:39 +03:00
AB from home.homenet	56fa6a5e05	Fix: Changed syncthing access and auth scheme All checks were successful Update Kubernetes Services Wiki / Generate and Update K8s Wiki (push) Successful in 12s Details Check with kubeconform / lint (push) Successful in 13s Details	2025-10-12 13:36:39 +03:00
AB from home.homenet	aa19cd8e61	Fix: Changed syncthing access and auth scheme All checks were successful Update Kubernetes Services Wiki / Generate and Update K8s Wiki (push) Successful in 12s Details Check with kubeconform / lint (push) Successful in 13s Details	2025-10-12 13:29:10 +03:00
AB from home.homenet	00837fb238	Changed syncthing access and auth scheme All checks were successful Update Kubernetes Services Wiki / Generate and Update K8s Wiki (push) Successful in 11s Details Check with kubeconform / lint (push) Successful in 12s Details	2025-10-12 13:16:39 +03:00
ab	479a2a02ea	Update k8s/core/authentik/values.yaml All checks were successful Update Kubernetes Services Wiki / Generate and Update K8s Wiki (push) Successful in 11s Details Check with kubeconform / lint (push) Successful in 19s Details	2025-10-12 10:04:04 +00:00
AB from home.homenet	95e12df43d	Changed syncthing access and auth scheme Some checks failed Update Kubernetes Services Wiki / Generate and Update K8s Wiki (push) Successful in 40s Details Check with kubeconform / lint (push) Has been cancelled Details	2025-10-12 13:02:32 +03:00
ab	5a33337aa1	Update k8s/core/prometheus/grafana-values.yaml All checks were successful Update Kubernetes Services Wiki / Generate and Update K8s Wiki (push) Successful in 10s Details Check with kubeconform / lint (push) Successful in 23s Details	2025-10-06 13:07:16 +00:00
ab	ce9ba3661b	Update terraform/authentik/oauth2-apps.tfvars All checks were successful Terraform / Terraform (push) Successful in 38s Details Update Kubernetes Services Wiki / Generate and Update K8s Wiki (push) Successful in 11s Details	2025-10-06 12:43:58 +00:00
ab	8bcba25f7e	Update terraform/authentik/oauth2-apps.tfvars All checks were successful Terraform / Terraform (push) Successful in 35s Details Update Kubernetes Services Wiki / Generate and Update K8s Wiki (push) Successful in 9s Details	2025-10-06 11:26:42 +00:00
ab	be9f42afa7	Update terraform/authentik/oauth2-apps.tfvars All checks were successful Terraform / Terraform (push) Successful in 37s Details Update Kubernetes Services Wiki / Generate and Update K8s Wiki (push) Successful in 10s Details	2025-10-06 11:09:09 +00:00
ab	656ec121d2	Update k8s/core/postgresql/kustomization.yaml All checks were successful Update Kubernetes Services Wiki / Generate and Update K8s Wiki (push) Successful in 10s Details Check with kubeconform / lint (push) Successful in 12s Details	2025-10-04 03:26:37 +00:00
ab	240fc4127f	Update k8s/core/postgresql/pgadmin4-values.yaml All checks were successful Update Kubernetes Services Wiki / Generate and Update K8s Wiki (push) Successful in 12s Details Check with kubeconform / lint (push) Successful in 13s Details	2025-10-04 03:26:01 +00:00
ab	9b19d8ddd8	Update k8s/apps/paperless/paperless-values.yaml All checks were successful Update Kubernetes Services Wiki / Generate and Update K8s Wiki (push) Successful in 13s Details Check with kubeconform / lint (push) Successful in 13s Details	2025-10-04 03:22:38 +00:00
ab	0b8fe99ee1	Update k8s/core/system-upgrade/plan.yaml All checks were successful Update Kubernetes Services Wiki / Generate and Update K8s Wiki (push) Successful in 8s Details Check with kubeconform / lint (push) Successful in 11s Details	2025-10-04 02:53:55 +00:00
Ultradesu	cff6c28b72	extended shared memory for authentik worker All checks were successful Update Kubernetes Services Wiki / Generate and Update K8s Wiki (push) Successful in 20s Details Check with kubeconform / lint (push) Successful in 23s Details	2025-10-04 03:00:00 +01:00
ab	99a63eb840	Update terraform/authentik/proxy-apps.tfvars All checks were successful Update Kubernetes Services Wiki / Generate and Update K8s Wiki (push) Successful in 10s Details Terraform / Terraform (push) Successful in 39s Details	2025-09-20 16:55:22 +00:00
ab	4f3be5b14a	Update k8s/core/postgresql/external-secrets.yaml All checks were successful Update Kubernetes Services Wiki / Generate and Update K8s Wiki (push) Successful in 8s Details Check with kubeconform / lint (push) Successful in 9s Details	2025-09-17 14:36:58 +00:00
ab	9f5ec499dc	Update k8s/core/postgresql/external-secrets.yaml All checks were successful Update Kubernetes Services Wiki / Generate and Update K8s Wiki (push) Successful in 9s Details Check with kubeconform / lint (push) Successful in 12s Details	2025-09-17 14:35:02 +00:00
AB from home.homenet	7b169b8e6d	Added wiki generator All checks were successful Update Kubernetes Services Wiki / Generate and Update K8s Wiki (push) Successful in 9s Details	2025-09-16 16:35:11 +03:00
ab	a79003740a	Update .gitea/workflows/authentik-apps.yaml	2025-09-16 13:30:48 +00:00
AB from home.homenet	6276d543bc	Added wiki generator All checks were successful Terraform / Terraform (push) Successful in 34s Details	2025-09-16 16:26:18 +03:00
AB from home.homenet	18a9bfa22a	Added wiki generator All checks were successful Terraform / Terraform (push) Successful in 33s Details	2025-09-16 16:24:30 +03:00
AB from home.homenet	4b6090910c	Added wiki generator All checks were successful Terraform / Terraform (push) Successful in 34s Details	2025-09-16 16:21:24 +03:00
AB from home.homenet	cfa796cc94	Added wiki generator All checks were successful Terraform / Terraform (push) Successful in 38s Details	2025-09-16 16:17:30 +03:00
AB from home.homenet	3e4f5500d2	Added wiki generator All checks were successful Terraform / Terraform (push) Successful in 31s Details	2025-09-16 16:15:39 +03:00
AB from home.homenet	9dd761bc8e	Added wiki generator	2025-09-16 16:13:26 +03:00
AB from home.homenet	eb3b5183b0	Added wiki generator	2025-09-16 16:11:28 +03:00
AB from home.homenet	c9c75c791b	Added wiki generator All checks were successful Terraform / Terraform (push) Successful in 31s Details	2025-09-16 16:09:48 +03:00
AB from home.homenet	8b959fec49	Added wiki generator Some checks failed Terraform / Terraform (push) Has been cancelled Details Update Authentik Applications Wiki / Generate and Update Wiki (push) Failing after 20s Details	2025-09-16 16:04:18 +03:00
AB from home.homenet	1184ff9060	Added wiki generator Some checks failed Terraform / Terraform (push) Has been cancelled Details Update Authentik Applications Wiki / Generate and Update Wiki (push) Failing after 19s Details	2025-09-16 16:01:41 +03:00
AB from home.homenet	18c64ef812	Added wiki generator Some checks failed Terraform / Terraform (push) Has been cancelled Details Update Authentik Applications Wiki / Generate and Update Wiki (push) Failing after 21s Details	2025-09-16 15:59:44 +03:00
AB from home.homenet	993cf1985d	Added wiki generator Some checks failed Terraform / Terraform (push) Has been cancelled Details Update Authentik Applications Wiki / Generate and Update Wiki (push) Failing after 19s Details	2025-09-16 15:57:48 +03:00
AB from home.homenet	3daf7cf79a	Added wiki generator Some checks failed Terraform / Terraform (push) Successful in 29s Details Check with kubeconform / lint (push) Successful in 8s Details Update Authentik Applications Wiki / Generate and Update Wiki (push) Failing after 20s Details	2025-09-16 15:56:17 +03:00
AB from home.homenet	caa3354b33	Added wiki generator Some checks failed Terraform / Terraform (push) Has been cancelled Details Check with kubeconform / lint (push) Successful in 9s Details Update Authentik Applications Wiki / Generate and Update Wiki (push) Failing after 42s Details	2025-09-16 15:53:42 +03:00
AB from home.homenet	68ca195735	Added wiki generator All checks were successful Terraform / Terraform (push) Successful in 28s Details Check with kubeconform / lint (push) Successful in 9s Details	2025-09-16 15:52:35 +03:00
AB from home.homenet	93d7cb6bf1	Added Authentik TF code All checks were successful Terraform / Terraform (push) Successful in 28s Details Check with kubeconform / lint (push) Successful in 10s Details	2025-09-16 15:51:21 +03:00
ab	600a1dfb6e	Update .gitea/workflows/authentik-apps.yaml All checks were successful Check with kubeconform / lint (push) Successful in 10s Details Terraform / Terraform (push) Successful in 27s Details	2025-09-16 12:36:03 +00:00
AB from home.homenet	a8c089d9ec	Added Authentik TF code Some checks failed Terraform / Terraform (push) Has been cancelled Details Check with kubeconform / lint (push) Has been cancelled Details	2025-09-16 15:35:36 +03:00
ab	e516f95f77	Update .gitea/workflows/authentik-apps.yaml Some checks failed Terraform / Terraform (push) Failing after 20s Details Check with kubeconform / lint (push) Successful in 9s Details	2025-09-16 12:33:20 +00:00
ab	84dcdc343a	Update .gitea/workflows/authentik-apps.yaml Some checks failed Terraform / Terraform (push) Failing after 19s Details Check with kubeconform / lint (push) Successful in 9s Details	2025-09-16 12:31:54 +00:00
ab	094d80896a	Add .gitea/workflows/authentik-apps.yaml Some checks failed Check with kubeconform / lint (push) Successful in 10s Details Terraform / Terraform (push) Failing after 9s Details	2025-09-16 12:29:20 +00:00
AB from home.homenet	4ffc42af97	Added Authentik TF code All checks were successful Check with kubeconform / lint (push) Successful in 12s Details	2025-09-16 15:28:50 +03:00
ab	b1183896f9	Update k8s/core/argocd/values.yaml All checks were successful Check with kubeconform / lint (push) Successful in 12s Details	2025-09-16 11:57:50 +00:00
ab	6f17dc23f1	Update k8s/core/argocd/values.yaml All checks were successful Check with kubeconform / lint (push) Successful in 11s Details	2025-09-16 11:23:59 +00:00
ab	e353751031	Update k8s/apps/paperless/external-secrets.yaml All checks were successful Check with kubeconform / lint (push) Successful in 11s Details	2025-09-16 10:11:17 +00:00
ab	f3baf90672	Update k8s/core/authentik/values.yaml All checks were successful Check with kubeconform / lint (push) Successful in 12s Details	2025-09-15 22:23:52 +00:00
AB from home.homenet	d71935d063	fmt All checks were successful Check with kubeconform / lint (push) Successful in 1m11s Details	2025-09-16 00:28:54 +03:00