Auto-update README with current k8s applications

Generated by CI/CD workflow on 2026-03-18 11:31:34 This PR updates the README.md file with the current list of applications found in the k8s/ directory structure.
Update k8s/core/authentik/values.yaml
2026-03-18 11:31:34 +00:00 · 2026-03-18 11:30:53 +00:00 · 2026-03-18 11:26:42 +00:00 · 2026-03-18 03:51:32 +00:00 · 2026-03-18 03:27:14 +00:00 · 2026-03-18 03:24:31 +00:00
81 changed files with 87313 additions and 432 deletions
--- a/.gitea/workflows/authentik-apps.yaml
+++ b/.gitea/workflows/authentik-apps.yaml
@@ -25,7 +25,7 @@ jobs:
      uses: actions/checkout@v3

    - name: Setup Terraform
-      uses: hashicorp/setup-terraform@v2
+      uses: hashicorp/setup-terraform@v4.0.0
      with:
        cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}

@@ -45,7 +45,7 @@ jobs:
    - name: Terraform Apply
      env:
        TF_VAR_authentik_token: ${{ secrets.AUTHENTIK_TOKEN }}
-      run: terraform apply -var-file proxy-apps.tfvars -var-file oauth2-apps.tfvars -var-file terraform.tfvars -var-file groups.tfvars -input=false -auto-approve -parallelism=100
+      run: terraform apply -input=false -auto-approve -parallelism=100
      working-directory: ./terraform/authentik

    - name: Generate Wiki Content  
--- a/.gitignore
+++ b/.gitignore
@@ -13,6 +13,7 @@ crash.*.log
 *.tfvars
 *.tfvars.json
 !*terraform.tfvars
+!*.auto.tfvars

 # claude ai
 .claude/
--- a/README.md
+++ b/README.md
@@ -16,6 +16,7 @@ ArgoCD homelab project
 | **authentik** | [![authentik](https://ag.hexor.cy/api/badge?name=authentik&revision=true)](https://ag.hexor.cy/applications/argocd/authentik) |
 | **cert-manager** | [![cert-manager](https://ag.hexor.cy/api/badge?name=cert-manager&revision=true)](https://ag.hexor.cy/applications/argocd/cert-manager) |
 | **external-secrets** | [![external-secrets](https://ag.hexor.cy/api/badge?name=external-secrets&revision=true)](https://ag.hexor.cy/applications/argocd/external-secrets) |
+| **gpu** | [![gpu](https://ag.hexor.cy/api/badge?name=gpu&revision=true)](https://ag.hexor.cy/applications/argocd/gpu) |
 | **kube-system-custom** | [![kube-system-custom](https://ag.hexor.cy/api/badge?name=kube-system-custom&revision=true)](https://ag.hexor.cy/applications/argocd/kube-system-custom) |
 | **kubernetes-dashboard** | [![kubernetes-dashboard](https://ag.hexor.cy/api/badge?name=kubernetes-dashboard&revision=true)](https://ag.hexor.cy/applications/argocd/kubernetes-dashboard) |
 | **longhorn** | [![longhorn](https://ag.hexor.cy/api/badge?name=longhorn&revision=true)](https://ag.hexor.cy/applications/argocd/longhorn) |
@@ -37,6 +38,8 @@ ArgoCD homelab project

 | Application | Status |
 | :--- | :---: |
+| **comfyui** | [![comfyui](https://ag.hexor.cy/api/badge?name=comfyui&revision=true)](https://ag.hexor.cy/applications/argocd/comfyui) |
+| **furumi-server** | [![furumi-server](https://ag.hexor.cy/api/badge?name=furumi-server&revision=true)](https://ag.hexor.cy/applications/argocd/furumi-server) |
 | **gitea** | [![gitea](https://ag.hexor.cy/api/badge?name=gitea&revision=true)](https://ag.hexor.cy/applications/argocd/gitea) |
 | **greece-notifier** | [![greece-notifier](https://ag.hexor.cy/api/badge?name=greece-notifier&revision=true)](https://ag.hexor.cy/applications/argocd/greece-notifier) |
 | **hexound** | [![hexound](https://ag.hexor.cy/api/badge?name=hexound&revision=true)](https://ag.hexor.cy/applications/argocd/hexound) |
@@ -45,6 +48,9 @@ ArgoCD homelab project
 | **jellyfin** | [![jellyfin](https://ag.hexor.cy/api/badge?name=jellyfin&revision=true)](https://ag.hexor.cy/applications/argocd/jellyfin) |
 | **k8s-secrets** | [![k8s-secrets](https://ag.hexor.cy/api/badge?name=k8s-secrets&revision=true)](https://ag.hexor.cy/applications/argocd/k8s-secrets) |
 | **khm** | [![khm](https://ag.hexor.cy/api/badge?name=khm&revision=true)](https://ag.hexor.cy/applications/argocd/khm) |
+| **lidarr** | [![lidarr](https://ag.hexor.cy/api/badge?name=lidarr&revision=true)](https://ag.hexor.cy/applications/argocd/lidarr) |
+| **matrix** | [![matrix](https://ag.hexor.cy/api/badge?name=matrix&revision=true)](https://ag.hexor.cy/applications/argocd/matrix) |
+| **mtproxy** | [![mtproxy](https://ag.hexor.cy/api/badge?name=mtproxy&revision=true)](https://ag.hexor.cy/applications/argocd/mtproxy) |
 | **n8n** | [![n8n](https://ag.hexor.cy/api/badge?name=n8n&revision=true)](https://ag.hexor.cy/applications/argocd/n8n) |
 | **ollama** | [![ollama](https://ag.hexor.cy/api/badge?name=ollama&revision=true)](https://ag.hexor.cy/applications/argocd/ollama) |
 | **paperless** | [![paperless](https://ag.hexor.cy/api/badge?name=paperless&revision=true)](https://ag.hexor.cy/applications/argocd/paperless) |
--- a/k8s/apps/comfyui/app.yaml
+++ b/k8s/apps/comfyui/app.yaml
@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: comfyui
+  namespace: argocd
+spec:
+  project: apps
+  destination:
+    namespace: comfyui
+    server: https://kubernetes.default.svc
+  source:
+    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
+    targetRevision: HEAD
+    path: k8s/apps/comfyui
+  syncPolicy:
+    automated:
+      selfHeal: true
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
--- a/k8s/apps/comfyui/deployment.yaml
+++ b/k8s/apps/comfyui/deployment.yaml
@@ -0,0 +1,57 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: comfyui
+  namespace: comfyui
+  labels:
+    app: comfyui
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: comfyui
+  template:
+    metadata:
+      labels:
+        app: comfyui
+    spec:
+      runtimeClassName: nvidia
+      tolerations:
+        - key: workload
+          operator: Equal
+          value: desktop
+          effect: NoSchedule
+      nodeSelector:
+        kubernetes.io/hostname: uk-desktop.tail2fe2d.ts.net
+      # Fix permissions mismatch usually happening when mapping host paths
+      securityContext:
+        runAsUser: 0
+      initContainers:
+        - name: create-data-dir
+          image: busybox
+          command: ["sh", "-c", "mkdir -p /host.data && chown -R 1000:1000 /host.data"]
+          volumeMounts:
+            - name: data
+              mountPath: /host.data
+      containers:
+        - name: comfyui
+          image: runpod/comfyui:latest-5090
+          imagePullPolicy: IfNotPresent
+          env:
+            - name: COMFYUI_PORT
+              value: "8188"
+          ports:
+            - containerPort: 8188
+              name: http
+              protocol: TCP
+          resources:
+            limits:
+              nvidia.com/gpu: 1
+          volumeMounts:
+            - name: data
+              # For ai-dock images, /workspace is the persistent user directory
+              mountPath: /workspace
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: comfyui-data-pvc
--- a/k8s/apps/comfyui/kustomization.yaml
+++ b/k8s/apps/comfyui/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - namespace.yaml
+  - local-pv.yaml
+  - pvc.yaml
+  - deployment.yaml
+  - service.yaml
--- a/k8s/apps/comfyui/local-pv.yaml
+++ b/k8s/apps/comfyui/local-pv.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: comfyui-data-pv
+spec:
+  capacity:
+    storage: 200Gi
+  volumeMode: Filesystem
+  accessModes:
+  - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: local-path
+  local:
+    path: /data/comfyui
+  nodeAffinity:
+    required:
+      nodeSelectorTerms:
+      - matchExpressions:
+        - key: kubernetes.io/hostname
+          operator: In
+          values:
+          - uk-desktop.tail2fe2d.ts.net
--- a/k8s/apps/comfyui/namespace.yaml
+++ b/k8s/apps/comfyui/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: comfyui
--- a/k8s/apps/comfyui/pvc.yaml
+++ b/k8s/apps/comfyui/pvc.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: comfyui-data-pvc
+  namespace: comfyui
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: local-path
+  resources:
+    requests:
+      storage: 200Gi
--- a/k8s/apps/comfyui/service.yaml
+++ b/k8s/apps/comfyui/service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: comfyui
+  namespace: comfyui
+  labels:
+    app: comfyui
+spec:
+  ports:
+    - name: http
+      port: 8188
+      targetPort: 8188
+      protocol: TCP
+  selector:
+    app: comfyui
--- a/k8s/apps/furumi-server/app.yaml
+++ b/k8s/apps/furumi-server/app.yaml
@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: furumi-server
+  namespace: argocd
+spec:
+  project: apps
+  destination:
+    namespace: furumi-server
+    server: https://kubernetes.default.svc
+  source:
+    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
+    targetRevision: HEAD
+    path: k8s/apps/furumi-server
+  syncPolicy:
+    automated:
+      selfHeal: true
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
--- a/k8s/apps/furumi-server/deployment.yaml
+++ b/k8s/apps/furumi-server/deployment.yaml
@@ -0,0 +1,75 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: furumi-server
+  labels:
+    app: furumi-server
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: furumi-server
+  template:
+    metadata:
+      labels:
+        app: furumi-server
+    spec:
+      nodeSelector:
+        kubernetes.io/hostname: master.tail2fe2d.ts.net
+      containers:
+        - name: furumi-server
+          image: ultradesu/furumi-server:trunk
+          imagePullPolicy: Always
+          env:
+            - name: FURUMI_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: furumi-ng-creds
+                  key: TOKEN
+            - name: FURUMI_OIDC_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: furumi-ng-creds
+                  key: OIDC_CLIENT_ID
+            - name: FURUMI_OIDC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: furumi-ng-creds
+                  key: OIDC_CLIENT_SECRET
+            - name: FURUMI_OIDC_ISSUER_URL
+              valueFrom:
+                secretKeyRef:
+                  name: furumi-ng-creds
+                  key: OIDC_ISSUER_URL
+            - name: FURUMI_OIDC_REDIRECT_URL
+              valueFrom:
+                secretKeyRef:
+                  name: furumi-ng-creds
+                  key: OIDC_REDIRECT_URL
+            - name: FURUMI_OIDC_SESSION_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: furumi-ng-creds
+                  key: OIDC_SESSION_SECRET
+            - name: FURUMI_ROOT
+              value: "/media"
+            - name: RUST_LOG
+              value: "info"
+          ports:
+            - name: grpc
+              containerPort: 50051
+              protocol: TCP
+            - name: metrics
+              containerPort: 9090
+              protocol: TCP
+            - name: web-ui
+              containerPort: 8080
+              protocol: TCP
+          volumeMounts:
+            - name: music
+              mountPath: /media
+      volumes:
+        - name: music
+          hostPath:
+            path: /k8s/media/downloads/Lidarr_Music
+            type: DirectoryOrCreate
--- a/k8s/apps/furumi-server/external-secrets.yaml
+++ b/k8s/apps/furumi-server/external-secrets.yaml
@@ -0,0 +1,65 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: furumi-ng-creds
+spec:
+  target:
+    name: furumi-ng-creds
+    deletionPolicy: Delete
+    template:
+      type: Opaque
+      data:
+        TOKEN: |-
+          {{ .token }}
+        OIDC_CLIENT_ID: |-
+          {{ .client_id }}
+        OIDC_CLIENT_SECRET: |-
+          {{ .client_secret }}
+        OIDC_ISSUER_URL: https://idm.hexor.cy/application/o/furumi-ng-web/
+        OIDC_REDIRECT_URL: https://music.hexor.cy/auth/callback
+        OIDC_SESSION_SECRET: |-
+          {{ .session_secret }}
+        PG_STRING: |-
+          postgres://furumi:{{ .pg_pass }}@psql.psql.svc:5432/furumi
+  data:
+    - secretKey: token
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: b8b8c3a2-c3fe-42d3-9402-0ae305e1455f
+        property: fields[0].value
+    - secretKey: client_id
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: b8b8c3a2-c3fe-42d3-9402-0ae305e1455f
+        property: fields[1].value
+    - secretKey: client_secret
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: b8b8c3a2-c3fe-42d3-9402-0ae305e1455f
+        property: fields[2].value
+    - secretKey: session_secret
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: b8b8c3a2-c3fe-42d3-9402-0ae305e1455f
+        property: fields[3].value
+    - secretKey: pg_pass
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: 2a9deb39-ef22-433e-a1be-df1555625e22
+        property: fields[16].value
--- a/k8s/apps/furumi-server/ingress.yaml
+++ b/k8s/apps/furumi-server/ingress.yaml
@@ -0,0 +1,59 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: admin-strip
+spec:
+  stripPrefix:
+    prefixes:
+      - /admin
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: furumi-tls-ingress
+  annotations:
+    ingressClassName: traefik
+    cert-manager.io/cluster-issuer: letsencrypt
+    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
+    acme.cert-manager.io/http01-edit-in-place: "true"
+spec:
+  rules:
+    - host: music.hexor.cy
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: furumi-web-player
+                port:
+                  number: 8080
+  tls:
+    - secretName: furumi-tls
+      hosts:
+        - '*.hexor.cy'
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: furumi-admin-ingress
+  annotations:
+    ingressClassName: traefik
+    traefik.ingress.kubernetes.io/router.middlewares: furumi-server-admin-strip@kubernetescrd,kube-system-https-redirect@kubernetescrd
+spec:
+  rules:
+    - host: music.hexor.cy
+      http:
+        paths:
+          - path: /admin
+            pathType: Prefix
+            backend:
+              service:
+                name: furumi-metadata-agent
+                port:
+                  number: 8090
+  tls:
+    - secretName: furumi-tls
+      hosts:
+        - '*.hexor.cy'
--- a/k8s/apps/furumi-server/kustomization.yaml
+++ b/k8s/apps/furumi-server/kustomization.yaml
@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - app.yaml
+  - deployment.yaml
+  - service.yaml
+  - servicemonitor.yaml
+  - external-secrets.yaml
+  - ingress.yaml
+  - web-player.yaml
+  - metadata-agent.yaml
--- a/k8s/apps/furumi-server/metadata-agent.yaml
+++ b/k8s/apps/furumi-server/metadata-agent.yaml
@@ -0,0 +1,59 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: furumi-metadata-agent
+  labels:
+    app: furumi-metadata-agent
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: furumi-metadata-agent
+  template:
+    metadata:
+      labels:
+        app: furumi-metadata-agent
+    spec:
+      nodeSelector:
+        kubernetes.io/hostname: master.tail2fe2d.ts.net
+      containers:
+        - name: furumi-metadata-agent
+          image: ultradesu/furumi-metadata-agent:trunk
+          imagePullPolicy: Always
+          env:
+            - name: FURUMI_AGENT_DATABASE_URL
+              valueFrom:
+                secretKeyRef:
+                  name: furumi-ng-creds
+                  key: PG_STRING
+            - name: FURUMI_AGENT_INBOX_DIR
+              value: "/inbox"
+            - name: FURUMI_AGENT_STORAGE_DIR
+              value: "/media"
+            - name: FURUMI_AGENT_OLLAMA_URL
+              value: "http://ollama.ollama.svc:11434"
+            - name: FURUMI_AGENT_OLLAMA_MODEL
+              value: "qwen3:14b"
+            - name: FURUMI_AGENT_POLL_INTERVAL_SECS
+              value: "10"
+            - name: RUST_LOG
+              value: "info"
+          ports:
+            - name: admin-ui
+              containerPort: 8090
+              protocol: TCP
+          volumeMounts:
+            - name: library
+              mountPath: /media
+            - name: inbox
+              mountPath: /inbox
+      volumes:
+        - name: library
+          hostPath:
+            path: /k8s/furumi/library
+            type: DirectoryOrCreate
+        - name: inbox
+          hostPath:
+            path: /k8s/furumi/inbox
+            type: DirectoryOrCreate
+
--- a/k8s/apps/furumi-server/service.yaml
+++ b/k8s/apps/furumi-server/service.yaml
@@ -0,0 +1,62 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: furumi-server-grpc
+spec:
+  type: LoadBalancer
+  selector:
+    app: furumi-server
+  ports:
+    - name: grpc
+      protocol: TCP
+      port: 50051
+      targetPort: 50051
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: furumi-server-metrics
+  labels:
+    app: furumi-server
+spec:
+  type: ClusterIP
+  selector:
+    app: furumi-server
+  ports:
+    - name: metrics
+      protocol: TCP
+      port: 9090
+      targetPort: 9090
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: furumi-metadata-agent
+  labels:
+    app: furumi-metadata-agent
+spec:
+  type: ClusterIP
+  selector:
+    app: furumi-metadata-agent
+  ports:
+    - name: admin-ui
+      protocol: TCP
+      port: 8090
+      targetPort: 8090
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: furumi-web-player
+  labels:
+    app: furumi-web-player
+spec:
+  type: ClusterIP
+  selector:
+    app: furumi-web-player
+  ports:
+    - name: web-ui
+      protocol: TCP
+      port: 8080
+      targetPort: 8080
--- a/k8s/apps/furumi-server/servicemonitor.yaml
+++ b/k8s/apps/furumi-server/servicemonitor.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: furumi-server-metrics
+  labels:
+    app: furumi-server
+    release: prometheus
+spec:
+  selector:
+    matchLabels:
+      app: furumi-server
+  endpoints:
+    - port: metrics
+      path: /metrics
+      interval: 30s
+      scrapeTimeout: 10s
+      honorLabels: true
+  namespaceSelector:
+    matchNames:
+      - furumi-server
--- a/k8s/apps/furumi-server/web-player.yaml
+++ b/k8s/apps/furumi-server/web-player.yaml
@@ -0,0 +1,70 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: furumi-web-player
+  labels:
+    app: furumi-web-player
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: furumi-web-player
+  template:
+    metadata:
+      labels:
+        app: furumi-web-player
+    spec:
+      nodeSelector:
+        kubernetes.io/hostname: master.tail2fe2d.ts.net
+      containers:
+        - name: furumi-web-player
+          image: ultradesu/furumi-web-player:trunk
+          imagePullPolicy: Always
+          env:
+            - name: FURUMI_PLAYER_OIDC_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: furumi-ng-creds
+                  key: OIDC_CLIENT_ID
+            - name: FURUMI_PLAYER_OIDC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: furumi-ng-creds
+                  key: OIDC_CLIENT_SECRET
+            - name: FURUMI_PLAYER_OIDC_ISSUER_URL
+              valueFrom:
+                secretKeyRef:
+                  name: furumi-ng-creds
+                  key: OIDC_ISSUER_URL
+            - name: FURUMI_PLAYER_OIDC_REDIRECT_URL
+              valueFrom:
+                secretKeyRef:
+                  name: furumi-ng-creds
+                  key: OIDC_REDIRECT_URL
+            - name: FURUMI_PLAYER_OIDC_SESSION_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: furumi-ng-creds
+                  key: OIDC_SESSION_SECRET
+            - name: FURUMI_PLAYER_DATABASE_URL
+              valueFrom:
+                secretKeyRef:
+                  name: furumi-ng-creds
+                  key: PG_STRING
+            - name: FURUMI_PLAYER_STORAGE_DIR
+              value: "/media"
+            - name: RUST_LOG
+              value: "info"
+          ports:
+            - name: web-ui
+              containerPort: 8080
+              protocol: TCP
+          volumeMounts:
+            - name: music
+              mountPath: /media
+      volumes:
+        - name: music
+          hostPath:
+            path: /k8s/furumi/library
+            type: DirectoryOrCreate
+
--- a/k8s/apps/gitea/deployment.yaml
+++ b/k8s/apps/gitea/deployment.yaml
@@ -77,8 +77,11 @@ spec:
      labels:
        app: gitea-runner
    spec:
-      #nodeSelector:
-      #  kubernetes.io/hostname: home.homenet
+      tolerations:
+        - key: workload
+          operator: Equal
+          value: desktop
+          effect: NoSchedule
      volumes:
        - name: docker-sock
          hostPath:
@@ -90,21 +93,28 @@ spec:
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
-          - weight: 1
+          - weight: 100
+            preference:
+              matchExpressions:
+              - key: kubernetes.io/hostname
+                operator: In
+                values:
+                - uk-desktop.tail2fe2d.ts.net
+          - weight: 50
            preference:
              matchExpressions:
              - key: kubernetes.io/hostname
                operator: In
                values:
                - home.homenet
-          - weight: 2
+          - weight: 30
            preference:
              matchExpressions:
              - key: kubernetes.io/hostname
                operator: In
                values:
                - master.tail2fe2d.ts.net
-          - weight: 3
+          - weight: 10
            preference:
              matchExpressions:
              - key: kubernetes.io/hostname
@@ -113,18 +123,6 @@ spec:
                - it.tail2fe2d.ts.net
                - ch.tail2fe2d.ts.net
                - us.tail2fe2d.ts.net
-
-          requiredDuringSchedulingIgnoredDuringExecution:
-            nodeSelectorTerms:
-            - matchExpressions:
-              - key: kubernetes.io/hostname
-                operator: In
-                values:
-                - home.homenet
-                - it.tail2fe2d.ts.net
-                - ch.tail2fe2d.ts.net
-                - us.tail2fe2d.ts.net
-                - master.tail2fe2d.ts.net
      containers:
        - name: gitea-runner
          image: gitea/act_runner:nightly
@@ -132,11 +130,11 @@ spec:
            requests:
              cpu: "100m"
              memory: "256Mi"
-              ephemeral-storage: "1Gi"   # reserve ephemeral storage
+              ephemeral-storage: "1Gi"
            limits:
              cpu: "3000m"
              memory: "4Gi"
-              ephemeral-storage: "28Gi"   # hard cap for /data usage
+              ephemeral-storage: "28Gi"
          volumeMounts:
            - name: docker-sock
              mountPath: /var/run/docker.sock
--- a/k8s/apps/lidarr/app.yaml
+++ b/k8s/apps/lidarr/app.yaml
@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: lidarr
+  namespace: argocd
+spec:
+  project: apps
+  destination:
+    namespace: lidarr
+    server: https://kubernetes.default.svc
+  source:
+    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
+    targetRevision: HEAD
+    path: k8s/apps/lidarr
+  syncPolicy:
+    automated:
+      selfHeal: true
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
--- a/k8s/apps/lidarr/kustomization.yaml
+++ b/k8s/apps/lidarr/kustomization.yaml
@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - app.yaml
+
+helmCharts:
+  - name: lidarr
+    repo: https://k8s-home-lab.github.io/helm-charts/
+    version: 15.3.0
+    releaseName: lidarr
+    namespace: lidarr
+    valuesFile: lidarr-values.yaml
+    includeCRDs: true
--- a/k8s/apps/lidarr/lidarr-values.yaml
+++ b/k8s/apps/lidarr/lidarr-values.yaml
@@ -0,0 +1,27 @@
+env:
+  TZ: Asia/Nicosia
+
+resources:
+  requests:
+    memory: "512Mi"
+    cpu: "200m"
+  limits:
+    memory: "2Gi"
+    cpu: "1500m"
+
+nodeSelector:
+  kubernetes.io/hostname: master.tail2fe2d.ts.net
+
+persistence:
+  config:
+    enabled: true
+    type: hostPath
+    hostPath: /k8s/lidarr
+    mountPath: /config
+
+  downloads:
+    enabled: true
+    type: hostPath
+    hostPath: /k8s/media/downloads
+    mountPath: /downloads
+    accessMode: ReadWriteOnce
--- a/k8s/apps/matrix/app.yaml
+++ b/k8s/apps/matrix/app.yaml
@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: matrix
+  namespace: argocd
+spec:
+  project: apps
+  destination:
+    namespace: matrix
+    server: https://kubernetes.default.svc
+  source:
+    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
+    targetRevision: HEAD
+    path: k8s/apps/matrix
+  syncPolicy:
+    automated:
+      selfHeal: true
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
--- a/k8s/apps/matrix/external-secrets.yaml
+++ b/k8s/apps/matrix/external-secrets.yaml
@@ -0,0 +1,95 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: matrix-postgres-creds
+spec:
+  target:
+    name: matrix-postgres-creds
+    deletionPolicy: Delete
+    template:
+      type: Opaque
+      data:
+        synapse_db_password: |-
+          {{ .synapse_db_password }}
+        mas_db_password: |-
+          {{ .mas_db_password }}
+  data:
+    - secretKey: synapse_db_password
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
+        key: 2a9deb39-ef22-433e-a1be-df1555625e22
+        property: fields[14].value
+    - secretKey: mas_db_password
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
+        key: 2a9deb39-ef22-433e-a1be-df1555625e22
+        property: fields[15].value
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: matrix-oidc-config
+spec:
+  target:
+    name: matrix-oidc-config
+    deletionPolicy: Delete
+    template:
+      type: Opaque
+      data:
+        mas-oidc.yaml: |
+          upstream_oauth2:
+            providers:
+              - id: 001KKV4EKY7KG98W2M9T806K6A
+                human_name: Authentik
+                issuer: https://idm.hexor.cy/application/o/matrix/
+                client_id: "{{ .oauth_client_id }}"
+                client_secret: "{{ .oauth_client_secret }}"
+                token_endpoint_auth_method: client_secret_post
+                scope: "openid profile email"
+                claims_imports:
+                  localpart:
+                    action: suggest
+                    template: "{{ `{{ user.preferred_username | split(\"@\") | first }}` }}"
+                  displayname:
+                    action: suggest
+                    template: "{{ `{{ user.name }}` }}"
+                  email:
+                    action: suggest
+                    template: "{{ `{{ user.email }}` }}"
+                    set_email_verification: always
+  data:
+    - secretKey: oauth_client_id
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
+        key: ca76867f-49f3-4a30-9ef3-b05af35ee49a
+        property: fields[0].value
+    - secretKey: oauth_client_secret
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
+        key: ca76867f-49f3-4a30-9ef3-b05af35ee49a
+        property: fields[1].value
--- a/k8s/apps/matrix/kustomization.yaml
+++ b/k8s/apps/matrix/kustomization.yaml
@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - app.yaml
+  - external-secrets.yaml
+
+helmCharts:
+  - name: matrix-stack
+    repo: oci://ghcr.io/element-hq/ess-helm
+    version: 26.2.3
+    releaseName: matrix-stack
+    namespace: matrix
+    valuesFile: matrix-stack-values.yaml
+    includeCRDs: true
--- a/k8s/apps/matrix/matrix-stack-values.yaml
+++ b/k8s/apps/matrix/matrix-stack-values.yaml
@@ -0,0 +1,112 @@
+## Matrix server name - appears in @user:matrix.hexor.cy
+serverName: matrix.hexor.cy
+
+## Use letsencrypt cluster issuer for all ingresses
+certManager:
+  clusterIssuer: letsencrypt
+
+## Global ingress settings
+ingress:
+  className: traefik
+  annotations:
+    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
+
+## Disable built-in PostgreSQL - using external database
+postgres:
+  enabled: false
+
+## Disable components we don't need yet
+hookshot:
+  enabled: false
+
+## MatrixRTC - voice/video calls via LiveKit SFU
+matrixRTC:
+  enabled: true
+  ingress:
+    host: livekit.matrix.hexor.cy
+  sfu:
+    enabled: true
+    manualIP: "138.201.61.182"
+    nodeSelector:
+      kubernetes.io/hostname: master.tail2fe2d.ts.net
+    exposedServices:
+      rtcTcp:
+        enabled: true
+        port: 30881
+      rtcMuxedUdp:
+        enabled: true
+        port: 30882
+      turnTLS:
+        enabled: true
+        port: 31443
+        domain: turn.matrix.hexor.cy
+        tlsTerminationOnPod: true
+
+## Synapse homeserver
+synapse:
+  enabled: true
+  ingress:
+    host: synapse.matrix.hexor.cy
+  postgres:
+    host: psql.psql.svc
+    port: 5432
+    user: synapse
+    database: synapse
+    sslMode: prefer
+    password:
+      secret: matrix-postgres-creds
+      secretKey: synapse_db_password
+  media:
+    storage:
+      size: 20Gi
+    maxUploadSize: 100M
+  # nodeSelector:
+  #   kubernetes.io/hostname: nas.homenet
+
+## Matrix Authentication Service
+matrixAuthenticationService:
+  enabled: true
+  ingress:
+    host: auth.matrix.hexor.cy
+  postgres:
+    host: psql.psql.svc
+    port: 5432
+    user: mas
+    database: mas
+    sslMode: prefer
+    password:
+      secret: matrix-postgres-creds
+      secretKey: mas_db_password
+  ## Admin policy
+  additional:
+    0-admin-policy:
+      config: |
+        policy:
+          data:
+            admin_users:
+              - username: ultradesu
+    1-oidc:
+      configSecret: matrix-oidc-config
+      configSecretKey: mas-oidc.yaml
+  # nodeSelector:
+  #   kubernetes.io/hostname: nas.homenet
+
+## Element Web client
+elementWeb:
+  enabled: true
+  ingress:
+    host: chat.matrix.hexor.cy
+  # nodeSelector:
+  #   kubernetes.io/hostname: nas.homenet
+
+## Element Admin panel
+elementAdmin:
+  enabled: true
+  ingress:
+    host: admin.matrix.hexor.cy
+  # nodeSelector:
+  #   kubernetes.io/hostname: nas.homenet
+
+## Well-known delegation on the base domain (host is derived from serverName)
+wellKnownDelegation:
+  enabled: true
--- a/k8s/apps/mtproxy/Dockerfile
+++ b/k8s/apps/mtproxy/Dockerfile
@@ -0,0 +1,53 @@
+FROM --platform=$BUILDPLATFORM debian:bookworm-slim AS builder
+
+ARG TARGETARCH
+
+RUN apt-get update && apt-get install -y \
+    git curl make gcc libssl-dev zlib1g-dev \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN if [ "$(dpkg --print-architecture)" != "$TARGETARCH" ]; then \
+      dpkg --add-architecture $TARGETARCH && \
+      apt-get update && \
+      case "$TARGETARCH" in \
+        arm64) apt-get install -y gcc-aarch64-linux-gnu libssl-dev:arm64 zlib1g-dev:arm64 ;; \
+        amd64) apt-get install -y gcc-x86-64-linux-gnu libssl-dev:amd64 zlib1g-dev:amd64 ;; \
+      esac && \
+      rm -rf /var/lib/apt/lists/*; \
+    fi
+
+RUN git clone https://github.com/TelegramMessenger/MTProxy.git /src
+WORKDIR /src
+
+RUN NATIVE=$(dpkg --print-architecture) && \
+    if [ "$NATIVE" != "$TARGETARCH" ]; then \
+      case "$TARGETARCH" in \
+        arm64) export CC=aarch64-linux-gnu-gcc ;; \
+        amd64) export CC=x86_64-linux-gnu-gcc ;; \
+      esac; \
+    fi && \
+    make -j$(nproc)
+
+FROM debian:bookworm-slim
+
+ENV PROXY_PORT=30443
+ENV STATS_PORT=8888
+ENV WORKERS=1
+ENV RUN_USER=nobody
+
+RUN apt-get update && apt-get install -y \
+    curl libssl3 zlib1g xxd \
+    && rm -rf /var/lib/apt/lists/*
+
+COPY --from=builder /src/objs/bin/mtproto-proxy /usr/local/bin/mtproto-proxy
+
+RUN curl -s https://core.telegram.org/getProxySecret -o /etc/mtproxy/proxy-secret --create-dirs && \
+    curl -s https://core.telegram.org/getProxyConfig -o /etc/mtproxy/proxy-multi.conf
+
+ENTRYPOINT mtproto-proxy \
+    -u ${RUN_USER} \
+    -p ${STATS_PORT} \
+    -H ${PROXY_PORT} \
+    -M ${WORKERS} \
+    --aes-pwd /etc/mtproxy/proxy-secret \
+    /etc/mtproxy/proxy-multi.conf
--- a/k8s/apps/mtproxy/daemonset.yaml
+++ b/k8s/apps/mtproxy/daemonset.yaml
@@ -0,0 +1,117 @@
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: mtproxy
+  labels:
+    app: mtproxy
+spec:
+  selector:
+    matchLabels:
+      app: mtproxy
+  updateStrategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app: mtproxy
+    spec:
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: mtproxy
+                    operator: Exists
+      serviceAccountName: mtproxy
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+      initContainers:
+        - name: register-proxy
+          image: bitnami/kubectl:latest
+          env:
+            - name: NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            - name: SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: tgproxy-secret
+                  key: SECRET
+            - name: PORT
+              valueFrom:
+                secretKeyRef:
+                  name: tgproxy-secret
+                  key: PORT
+          volumeMounts:
+            - name: data
+              mountPath: /data
+          command:
+            - /bin/bash
+            - -c
+            - |
+              set -e
+              curl -s https://core.telegram.org/getProxySecret -o /data/proxy-secret
+              curl -s https://core.telegram.org/getProxyConfig -o /data/proxy-multi.conf
+              NAMESPACE=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)
+              SERVER=$(kubectl get node "${NODE_NAME}" -o jsonpath='{.metadata.labels.mtproxy}')
+              if [ -z "${SERVER}" ]; then
+                echo "ERROR: node ${NODE_NAME} has no mtproxy label"
+                exit 1
+              fi
+              LINK="tg://proxy?server=${SERVER}&port=${PORT}&secret=${SECRET}"
+              echo "Registering: ${SERVER} -> ${LINK}"
+              if kubectl get secret mtproxy-links -n "${NAMESPACE}" &>/dev/null; then
+                kubectl patch secret mtproxy-links -n "${NAMESPACE}" \
+                  --type merge -p "{\"stringData\":{\"${SERVER}\":\"${LINK}\"}}"
+              else
+                kubectl create secret generic mtproxy-links -n "${NAMESPACE}" \
+                  --from-literal="${SERVER}=${LINK}"
+              fi
+              echo "Done"
+      containers:
+        - name: mtproxy
+          image: telegrammessenger/proxy:latest
+          # image: ultradesu/mtproxy:v0.02
+          imagePullPolicy: Always
+          ports:
+            - name: proxy
+              containerPort: 30443
+              protocol: TCP
+          command:
+            - /bin/sh
+            - -c
+            - >-
+              mtproto-proxy
+              -u nobody
+              -p 8888
+              -H $(PORT)
+              -M 1
+              -S $(SECRET)
+              --aes-pwd /data/proxy-secret
+              /data/proxy-multi.conf
+          env:
+            - name: SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: tgproxy-secret
+                  key: SECRET
+            - name: PORT
+              valueFrom:
+                secretKeyRef:
+                  name: tgproxy-secret
+                  key: PORT
+          volumeMounts:
+            - name: data
+              mountPath: /data
+         #resources:
+         #  requests:
+         #    memory: "128Mi"
+         #    cpu: "100m"
+         #  limits:
+         #    memory: "256Mi"
+         #    cpu: "500m"
+      volumes:
+        - name: data
+          emptyDir: {}
--- a/k8s/apps/mtproxy/deployment.yaml
+++ b/k8s/apps/mtproxy/deployment.yaml
@@ -1,49 +0,0 @@
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: mtproxy
-  labels:
-    app: mtproxy
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: mtproxy
-  template:
-    metadata:
-      labels:
-        app: mtproxy
-    spec:
-      affinity:
-        nodeAffinity:
-          requiredDuringSchedulingIgnoredDuringExecution:
-            nodeSelectorTerms:
-              - matchExpressions:
-                  - key: xray-node-address
-                    operator: Exists
-      containers:
-        - name: mtproxy
-          image: telegrammessenger/proxy:latest
-          imagePullPolicy: Always
-          ports:
-            - name: proxy
-              containerPort: 443
-              protocol: TCP
-          env:
-            - name: SECRET
-              value: "00baadf00d15abad1deaa51sbaadcafe"
-          volumeMounts:
-            - name: data
-              mountPath: /data
-          resources:
-            requests:
-              memory: "128Mi"
-              cpu: "100m"
-            limits:
-              memory: "256Mi"
-              cpu: "500m"
-      volumes:
-        - name: data
-          persistentVolumeClaim:
-            claimName: mtproxy-data
--- a/k8s/apps/mtproxy/external-secrets.yaml
+++ b/k8s/apps/mtproxy/external-secrets.yaml
@@ -0,0 +1,25 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: tgproxy-secret
+spec:
+  target:
+    name: tgproxy-secret
+    deletionPolicy: Delete
+    template:
+      type: Opaque
+      data:
+        SECRET: |-
+          {{ .secret }}
+        PORT: "30443"
+  data:
+    - secretKey: secret
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: 58a37daf-72d8-430d-86bd-6152aa8f888d
+        property: fields[0].value
+
--- a/k8s/apps/mtproxy/kustomization.yaml
+++ b/k8s/apps/mtproxy/kustomization.yaml
@@ -3,6 +3,9 @@ kind: Kustomization

 resources:
  - ./app.yaml
-  - ./deployment.yaml
+  - ./rbac.yaml
+  - ./daemonset.yaml
+  - ./external-secrets.yaml
  - ./service.yaml
-  - ./storage.yaml
+  - ./secret-reader.yaml
+# - ./storage.yaml
--- a/k8s/apps/mtproxy/rbac.yaml
+++ b/k8s/apps/mtproxy/rbac.yaml
@@ -0,0 +1,58 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: mtproxy
+  labels:
+    app: mtproxy
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: mtproxy-node-reader
+  labels:
+    app: mtproxy
+rules:
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: mtproxy-node-reader
+  labels:
+    app: mtproxy
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: mtproxy-node-reader
+subjects:
+  - kind: ServiceAccount
+    name: mtproxy
+    namespace: mtproxy
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: mtproxy-secret-manager
+  labels:
+    app: mtproxy
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "create", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: mtproxy-secret-manager
+  labels:
+    app: mtproxy
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: mtproxy-secret-manager
+subjects:
+  - kind: ServiceAccount
+    name: mtproxy
--- a/k8s/apps/mtproxy/secret-reader.yaml
+++ b/k8s/apps/mtproxy/secret-reader.yaml
@@ -0,0 +1,63 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: secret-reader
+  labels:
+    app: secret-reader
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: secret-reader
+  template:
+    metadata:
+      labels:
+        app: secret-reader
+    spec:
+      serviceAccountName: mtproxy
+      nodeSelector:
+        kubernetes.io/os: linux
+      containers:
+      - name: secret-reader
+        image: ultradesu/k8s-secrets:0.2.1
+        imagePullPolicy: Always
+        args:
+          - "--secrets"
+          - "mtproxy-links"
+          - "--namespace"
+          - "mtproxy"
+          - "--port"
+          - "3000"
+        ports:
+        - containerPort: 3000
+          name: http
+        env:
+        - name: RUST_LOG
+          value: "info"
+        resources:
+          requests:
+            memory: "64Mi"
+            cpu: "50m"
+          limits:
+            memory: "128Mi"
+            cpu: "150m"
+        livenessProbe:
+          httpGet:
+            path: /health
+            port: http
+          initialDelaySeconds: 10
+          periodSeconds: 10
+        readinessProbe:
+          httpGet:
+            path: /health
+            port: http
+          initialDelaySeconds: 5
+          periodSeconds: 5
+        securityContext:
+          runAsNonRoot: true
+          runAsUser: 1000
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          capabilities:
+            drop:
+            - ALL
--- a/k8s/apps/mtproxy/service.yaml
+++ b/k8s/apps/mtproxy/service.yaml
@@ -2,13 +2,15 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: mtproxy
+  name: secret-reader
+  labels:
+    app: secret-reader
 spec:
-  type: LoadBalancer
+  type: ClusterIP
  selector:
-    app: mtproxy
+    app: secret-reader
  ports:
-    - name: proxy
-      port: 30443
-      targetPort: 443
-      protocol: TCP
+  - port: 80
+    targetPort: 3000
+    protocol: TCP
+    name: http
--- a/k8s/apps/n8n/deployment-main.yaml
+++ b/k8s/apps/n8n/deployment-main.yaml
@@ -50,10 +50,12 @@ spec:
          runAsNonRoot: true
      containers:
      - name: n8n
-        image: docker.n8n.io/n8nio/n8n:latest
+        image: n8nio/n8n:latest
        ports:
        - containerPort: 5678
          name: http
+        - containerPort: 5679
+          name: task-broker
        env:
        - name: PATH
          value: "/opt/tools:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
@@ -73,14 +75,24 @@ spec:
          value: "true"
        - name: N8N_RUNNERS_MODE
          value: "external"
+        - name: N8N_RUNNERS_BROKER_LISTEN_ADDRESS
+          value: "0.0.0.0"
+        - name: N8N_LISTEN_ADDRESS
+          value: "0.0.0.0"
+        - name: N8N_RUNNERS_BROKER_PORT
+          value: "5679"
        - name: EXECUTIONS_MODE
          value: "queue"
        - name: QUEUE_BULL_REDIS_HOST
          value: "n8n-redis"
+        - name: QUEUE_BULL_REDIS_PORT
+          value: "6379"
        - name: NODE_ENV
          value: "production"
        - name: WEBHOOK_URL
          value: "https://n8n.hexor.cy/"
+        - name: N8N_PROXY_HOPS
+          value: "1"
        - name: GENERIC_TIMEZONE
          value: "Europe/Moscow"
        - name: TZ
@@ -122,23 +134,23 @@ spec:
            memory: 512Mi
          limits:
            cpu: 4000m
-            memory: 2048Gi
+            memory: 2048Mi
        livenessProbe:
          httpGet:
            path: /healthz
            port: http
-          initialDelaySeconds: 120
+          initialDelaySeconds: 240
          periodSeconds: 30
-          timeoutSeconds: 10
-          failureThreshold: 6
+          timeoutSeconds: 20
+          failureThreshold: 10
        readinessProbe:
          httpGet:
            path: /healthz/readiness
            port: http
-          initialDelaySeconds: 60
+          initialDelaySeconds: 120
          periodSeconds: 10
          timeoutSeconds: 5
-          failureThreshold: 10
+          failureThreshold: 15
      volumes:
      - name: n8n-data
        persistentVolumeClaim:
--- a/k8s/apps/n8n/deployment-runner.yaml
+++ b/k8s/apps/n8n/deployment-runner.yaml
@@ -0,0 +1,87 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: n8n-runner
+  labels:
+    app: n8n
+    component: runner
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: n8n
+      component: runner
+  template:
+    metadata:
+      labels:
+        app: n8n
+        component: runner
+    spec:
+      serviceAccountName: n8n
+      containers:
+      - name: n8n-runner
+        image: n8nio/runners:latest
+        ports:
+        - containerPort: 5680
+          name: health
+        env:
+        - name: PATH
+          value: "/opt/tools:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+        - name: HOME
+          value: "/home/node"
+        - name: N8N_RUNNERS_TASK_BROKER_URI
+          value: "http://n8n:5679"
+        - name: N8N_RUNNERS_LAUNCHER_LOG_LEVEL
+          value: "info"
+        - name: N8N_RUNNERS_MAX_CONCURRENCY
+          value: "10"
+        - name: GENERIC_TIMEZONE
+          value: "Europe/Moscow"
+        - name: TZ
+          value: "Europe/Moscow"
+        - name: N8N_RUNNERS_AUTH_TOKEN
+          valueFrom:
+            secretKeyRef:
+              name: credentials
+              key: runnertoken
+        volumeMounts:
+        - name: n8n-data
+          mountPath: /home/node/.n8n
+        - name: tools
+          mountPath: /opt/tools
+        resources:
+          requests:
+            cpu: 500m
+            memory: 512Mi
+          limits:
+            cpu: 2000m
+            memory: 2048Mi
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 5680
+          initialDelaySeconds: 30
+          periodSeconds: 30
+          timeoutSeconds: 5
+          failureThreshold: 3
+        readinessProbe:
+          httpGet:
+            path: /healthz
+            port: 5680
+          initialDelaySeconds: 15
+          periodSeconds: 10
+          timeoutSeconds: 5
+          failureThreshold: 3
+      volumes:
+      - name: n8n-data
+        persistentVolumeClaim:
+          claimName: n8n-data
+      - name: tools
+        persistentVolumeClaim:
+          claimName: n8n-tools
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+        runAsNonRoot: true
+        fsGroup: 1000
--- a/k8s/apps/n8n/deployment-worker.yaml
+++ b/k8s/apps/n8n/deployment-worker.yaml
@@ -21,29 +21,21 @@ spec:
      serviceAccountName: n8n
      containers:
      - name: n8n-worker
-        image: docker.n8n.io/n8nio/n8n:latest
-        command: ["n8n", "worker"]
+        image: n8nio/n8n:latest
+        command:
+        - n8n
+        - worker
        env:
-        - name: PATH
-          value: "/opt/tools:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
        - name: HOME
          value: "/home/node"
-        - name: NODES_EXCLUDE
-          value: "[]"
        - name: N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS
          value: "true"
-        - name: N8N_RUNNERS_ENABLED
-          value: "true"
-        - name: N8N_RUNNERS_MODE
-          value: "external"
-        - name: N8N_PORT
-          value: "80"
        - name: EXECUTIONS_MODE
          value: "queue"
        - name: QUEUE_BULL_REDIS_HOST
          value: "n8n-redis"
-        - name: N8N_RUNNERS_TASK_BROKER_URI
-          value: "http://n8n:80"
+        - name: QUEUE_BULL_REDIS_PORT
+          value: "6379"
        - name: NODE_ENV
          value: "production"
        - name: GENERIC_TIMEZONE
@@ -71,40 +63,20 @@ spec:
            secretKeyRef:
              name: credentials
              key: encryptionkey
-        - name: N8N_RUNNERS_AUTH_TOKEN
-          valueFrom:
-            secretKeyRef:
-              name: credentials
-              key: runnertoken
        volumeMounts:
        - name: n8n-data
          mountPath: /home/node/.n8n
-        - name: tools
-          mountPath: /opt/tools
        resources:
          requests:
-            cpu: 2000m
+            cpu: 500m
            memory: 512Mi
          limits:
-            cpu: 4000m
-            memory: 2048Gi
-        livenessProbe:
-          exec:
-            command:
-            - /bin/sh
-            - -c
-            - "ps aux | grep '[n]8n worker' || exit 1"
-          initialDelaySeconds: 30
-          periodSeconds: 30
-          timeoutSeconds: 5
-          failureThreshold: 3
+            cpu: 2000m
+            memory: 2048Mi
      volumes:
      - name: n8n-data
        persistentVolumeClaim:
          claimName: n8n-data
-      - name: tools
-        persistentVolumeClaim:
-          claimName: n8n-tools
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
--- a/k8s/apps/n8n/kustomization.yaml
+++ b/k8s/apps/n8n/kustomization.yaml
@@ -7,8 +7,11 @@ resources:
  - rbac.yaml
  - redis-deployment.yaml
  - redis-service.yaml
+  - paddleocr-deployment.yaml
+  - paddleocr-service.yaml
  - deployment-main.yaml
  - deployment-worker.yaml
+  - deployment-runner.yaml
  - service.yaml
  - ingress.yaml

--- a/k8s/apps/n8n/paddleocr-deployment.yaml
+++ b/k8s/apps/n8n/paddleocr-deployment.yaml
@@ -0,0 +1,43 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: paddleocr
+  labels:
+    app: paddleocr
+    component: n8n
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: paddleocr
+      component: n8n
+  template:
+    metadata:
+      labels:
+        app: paddleocr
+        component: n8n
+    spec:
+      containers:
+      - name: paddleocr
+        image: c403/paddleocr
+        ports:
+        - containerPort: 5000
+          name: http
+        resources:
+          requests:
+            cpu: 200m
+            memory: 512Mi
+          limits:
+            cpu: 1000m
+            memory: 2Gi
+        livenessProbe:
+          tcpSocket:
+            port: 5000
+          initialDelaySeconds: 60
+          periodSeconds: 30
+        readinessProbe:
+          tcpSocket:
+            port: 5000
+          initialDelaySeconds: 30
+          periodSeconds: 10
--- a/k8s/apps/n8n/paddleocr-service.yaml
+++ b/k8s/apps/n8n/paddleocr-service.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: paddleocr
+  labels:
+    app: paddleocr
+    component: n8n
+spec:
+  selector:
+    app: paddleocr
+    component: n8n
+  ports:
+  - name: http
+    port: 80
+    targetPort: 5000
+    protocol: TCP
+  type: ClusterIP
--- a/k8s/apps/n8n/service.yaml
+++ b/k8s/apps/n8n/service.yaml
@@ -14,4 +14,8 @@ spec:
    port: 80
    targetPort: 5678
    protocol: TCP
+  - name: task-broker
+    port: 5679
+    targetPort: 5679
+    protocol: TCP
  type: ClusterIP
--- a/k8s/apps/ollama/kustomization.yaml
+++ b/k8s/apps/ollama/kustomization.yaml
@@ -3,19 +3,24 @@ kind: Kustomization

 resources:
  - external-secrets.yaml
+  - local-pv.yaml
+  - open-terminal.yaml
  
 helmCharts:
  - name: ollama
    repo: https://otwld.github.io/ollama-helm/
-    version: 0.4.0
+    version: 1.49.0
    releaseName: ollama
    namespace: ollama
    valuesFile: ollama-values.yaml
    includeCRDs: true
  - name: open-webui
    repo: https://helm.openwebui.com/
-    version: 8.14.0
+    version: 12.10.0
    releaseName: openweb-ui
    namespace: ollama
    valuesFile: openweb-ui-values.yaml
-    includeCRDs: true
+    includeCRDs: true
+
+patches:
+  - path: patch-runtimeclass.yaml
--- a/k8s/apps/ollama/local-pv.yaml
+++ b/k8s/apps/ollama/local-pv.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: ollama-local-pv
+spec:
+  capacity:
+    storage: 100Gi
+  volumeMode: Filesystem
+  accessModes:
+  - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: local-path
+  local:
+    path: /var/lib/ollama
+  nodeAffinity:
+    required:
+      nodeSelectorTerms:
+      - matchExpressions:
+        - key: kubernetes.io/hostname
+          operator: In
+          values:
+          - uk-desktop.tail2fe2d.ts.net
--- a/k8s/apps/ollama/ollama-values.yaml
+++ b/k8s/apps/ollama/ollama-values.yaml
@@ -3,6 +3,20 @@ image:
  pullPolicy: Always
  tag: "latest"
 nodeSelector:
-  kubernetes.io/hostname: master.tail2fe2d.ts.net
+  kubernetes.io/hostname: uk-desktop.tail2fe2d.ts.net
+tolerations:
+  - key: workload
+    operator: Equal
+    value: desktop
+    effect: NoSchedule
 ingress:
    enabled: false
+ollama:
+  gpu:
+    enabled: true
+    type: 'nvidia'
+    number: 1
+persistentVolume:
+  enabled: true
+  size: 100Gi
+  storageClass: "local-path"
--- a/k8s/apps/ollama/open-terminal.yaml
+++ b/k8s/apps/ollama/open-terminal.yaml
@@ -0,0 +1,53 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: open-terminal
+  labels:
+    app: open-terminal
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: open-terminal
+  template:
+    metadata:
+      labels:
+        app: open-terminal
+    spec:
+      nodeSelector:
+        kubernetes.io/hostname: uk-desktop.tail2fe2d.ts.net
+      tolerations:
+        - key: workload
+          operator: Equal
+          value: desktop
+          effect: NoSchedule
+      containers:
+        - name: open-terminal
+          image: ghcr.io/open-webui/open-terminal:latest
+          ports:
+            - containerPort: 8000
+          env:
+            - name: OPEN_TERMINAL_API_KEY
+              value: "LOCAL_ACCESS_TOKEN"
+          resources:
+            requests:
+              cpu: 100m
+              memory: 256Mi
+            limits:
+              cpu: "2"
+              memory: 2Gi
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: open-terminal
+  labels:
+    app: open-terminal
+spec:
+  selector:
+    app: open-terminal
+  ports:
+    - port: 8000
+      targetPort: 8000
+      protocol: TCP
--- a/k8s/apps/ollama/openweb-ui-values.yaml
+++ b/k8s/apps/ollama/openweb-ui-values.yaml
@@ -1,4 +1,4 @@
-clusterDomain: ai.hexor.cy
+clusterDomain: cluster.local

 extraEnvVars:
  GLOBAL_LOG_LEVEL: debug
@@ -32,12 +32,22 @@ ollama:
        
 pipelines:
  enabled: true
+  nodeSelector:
+    kubernetes.io/hostname: master.tail2fe2d.ts.net
  
 tika:
  enabled: true
+  nodeSelector:
+    kubernetes.io/hostname: master.tail2fe2d.ts.net
  
 websocket:
  enabled: true
+  nodeSelector:
+    kubernetes.io/hostname: master.tail2fe2d.ts.net
+  redis:
+    master:
+      nodeSelector:
+        kubernetes.io/hostname: master.tail2fe2d.ts.net

 ingress:
    enabled: true
@@ -46,7 +56,5 @@ ingress:
      cert-manager.io/cluster-issuer: letsencrypt
      traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
    host: "ai.hexor.cy"
-    tls:
-      - hosts:
-          - '*.hexor.cy'
-        secretName: ollama-tls
+    tls: true
+    existingSecret: ollama-tls
--- a/k8s/apps/ollama/patch-runtimeclass.yaml
+++ b/k8s/apps/ollama/patch-runtimeclass.yaml
@@ -0,0 +1,9 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ollama
+  namespace: ollama
+spec:
+  template:
+    spec:
+      runtimeClassName: nvidia
--- a/k8s/apps/paperless/paperless-values.yaml
+++ b/k8s/apps/paperless/paperless-values.yaml
@@ -1,5 +1,5 @@
 image:
-  tag: 2.20.3
+  tag: latest
 resources:
  requests:
    memory: "1Gi"
@@ -9,7 +9,7 @@ resources:
    cpu: "3000m"
 initContainers:
  install-tesseract-langs:
-    image: ghcr.io/paperless-ngx/paperless-ngx:2.18.2
+    image: ghcr.io/paperless-ngx/paperless-ngx:latest
    resources:
      requests:
        memory: "256Mi"
--- a/k8s/core/argocd/app.yaml
+++ b/k8s/core/argocd/app.yaml
@@ -18,4 +18,5 @@ spec:
      prune: true
    syncOptions:
      - CreateNamespace=true
+      - ServerSideApply=true

--- a/k8s/core/argocd/external-secrets.yaml
+++ b/k8s/core/argocd/external-secrets.yaml
@@ -23,6 +23,9 @@ spec:
          name: vaultwarden-login
          kind: ClusterSecretStore
      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
        key: 1062e5b4-5380-49f1-97c3-340f26f3487e
        property: fields[0].value
    - secretKey: client_secret
@@ -31,6 +34,9 @@ spec:
          name: vaultwarden-login
          kind: ClusterSecretStore
      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
        key: 1062e5b4-5380-49f1-97c3-340f26f3487e
        property: fields[1].value

--- a/k8s/core/argocd/kustomization.yaml
+++ b/k8s/core/argocd/kustomization.yaml
@@ -10,7 +10,7 @@ resources:
 helmCharts:
  - name: argo-cd
    repo: https://argoproj.github.io/argo-helm
-    version: 9.1.4
+    version: 9.4.10
    releaseName: argocd
    namespace: argocd
    valuesFile: values.yaml
--- a/k8s/core/argocd/values.yaml
+++ b/k8s/core/argocd/values.yaml
@@ -28,8 +28,9 @@ configs:
      issuer: https://idm.hexor.cy/application/o/argocd/
      clientID: $oidc-creds:id
      clientSecret: $oidc-creds:secret
-      requestedScopes: ["openid", "profile", "email", "groups"]
+      requestedScopes: ["openid", "profile", "email", "groups", "offline_access"]
      requestedIDTokenClaims: {"groups": {"essential": true}}
+      refreshTokenThreshold: 2m
  rbac:
    create: true
    policy.default: ""
--- a/k8s/core/authentik/app.yaml
+++ b/k8s/core/authentik/app.yaml
@@ -18,4 +18,4 @@ spec:
      prune: true
    syncOptions:
      - CreateNamespace=true
-
+      - ServerSideApply=true
--- a/k8s/core/authentik/external-secrets.yaml
+++ b/k8s/core/authentik/external-secrets.yaml
@@ -19,6 +19,14 @@ spec:
          {{ .password }}
        AUTHENTIK_SECRET_KEY: |-
          {{ .secret_key }}
+        POSTGRES_PASSWORD: |-
+          {{ .password }}
+        POSTGRES_USER: |-
+          {{ .username }}
+        username: |-
+          {{ .password }}
+        password: |-
+          {{ .username }}
  data:
    - secretKey: password
      sourceRef:
@@ -26,6 +34,9 @@ spec:
          name: vaultwarden-login
          kind: ClusterSecretStore
      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
        key: 279c2c1f-c147-4b6b-a511-36c3cd764f9d
        property: login.password
    - secretKey: username
@@ -34,6 +45,9 @@ spec:
          name: vaultwarden-login
          kind: ClusterSecretStore
      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
        key: 279c2c1f-c147-4b6b-a511-36c3cd764f9d
        property: login.username
    - secretKey: secret_key
@@ -42,6 +56,9 @@ spec:
          name: vaultwarden-login
          kind: ClusterSecretStore
      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
        key: 279c2c1f-c147-4b6b-a511-36c3cd764f9d
        property: fields[0].value

--- a/k8s/core/authentik/kustomization.yaml
+++ b/k8s/core/authentik/kustomization.yaml
@@ -5,12 +5,12 @@ resources:
  - app.yaml
  - external-secrets.yaml
  - https-middleware.yaml
-  - worker-restart.yaml
+# - worker-restart.yaml

 helmCharts:
  - name: authentik
    repo: https://charts.goauthentik.io
-    version: 2025.10.1
+    version: 2026.2.1
    releaseName: authentik
    namespace: authentik
    valuesFile: values.yaml
--- a/k8s/core/authentik/values.yaml
+++ b/k8s/core/authentik/values.yaml
@@ -1,8 +1,6 @@
 global:
  image:
-    tag: "2025.10.1"
-  nodeSelector:
-    kubernetes.io/hostname: master.tail2fe2d.ts.net
+    tag: "2026.2.1"

 authentik:
    error_reporting:
@@ -15,14 +13,35 @@ worker:
  envFrom:
    - secretRef:
        name: authentik-creds
-  volumes:
-    - name: dshm
-      emptyDir:
-        medium: Memory
-        sizeLimit: 512Mi
-  volumeMounts:
-    - name: dshm
-      mountPath: /dev/shm
+# volumes:
+#   - name: dshm
+#     emptyDir:
+#       medium: Memory
+#       sizeLimit: 512Mi
+# volumeMounts:
+#   - name: dshm
+#     mountPath: /dev/shm
+# livenessProbe:
+#   exec:
+#     command: ["/bin/sh", "-c", "kill -0 1"]
+#   initialDelaySeconds: 5
+#   periodSeconds: 10
+#   failureThreshold: 3
+#   timeoutSeconds: 3
+# readinessProbe:
+#   exec:
+#     command: ["/bin/sh", "-c", "kill -0 1"]
+#   initialDelaySeconds: 5
+#   periodSeconds: 10
+#   failureThreshold: 3
+#   timeoutSeconds: 3
+# startupProbe:
+#   exec:
+#     command: ["/bin/sh", "-c", "kill -0 1"]
+#   initialDelaySeconds: 30
+#   periodSeconds: 10
+#   failureThreshold: 60
+#   timeoutSeconds: 3
 server:
  envFrom:
    - secretRef:
@@ -35,23 +54,11 @@ server:
        traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
      hosts:
        - idm.hexor.cy
-        - nas.hexor.cy       # TrueNAS Limassol
-        - nc.hexor.cy        # NaxtCloud
-        - of.hexor.cy        # Outfleet-v2
-        - k8s.hexor.cy       # k8s dashboard
-        - qbt.hexor.cy       # qBittorent for Jellyfin
-        - prom.hexor.cy      # Prometheus
-        - khm.hexor.cy       # Known Hosts keys Manager
-        - backup.hexor.cy    # Kopia Backup UI
-        - fm.hexor.cy        # Filemanager
-        - minecraft.hexor.cy # Minecraft UI and server
-        - pass.hexor.cy      # k8s-secret for openai
-        - ps.hexor.cy        # pasarguard UI
-#       - rw.hexor.cy        # RemnaWave UI
+        - ollama.hexor.cy
      tls:
        - secretName: idm-tls
          hosts:
            - '*.hexor.cy'
 redis:
-    enabled: true
+    enabled: false

--- a/k8s/core/cert-manager/issuer.yaml
+++ b/k8s/core/cert-manager/issuer.yaml
@@ -37,4 +37,5 @@ spec:
          dnsZones:
            - "ps.hexor.cy"
            - "of.hexor.cy"
+            - "matrix.hexor.cy"

--- a/k8s/core/cert-manager/kustomization.yaml
+++ b/k8s/core/cert-manager/kustomization.yaml
@@ -10,7 +10,7 @@ resources:
 helmCharts:
  - name: cert-manager
    repo: https://charts.jetstack.io
-    version: 1.19.1
+    version: 1.20.0
    releaseName: cert-manager
    namespace: cert-manager
    valuesFile: values.yaml
--- a/k8s/core/gpu/app.yaml
+++ b/k8s/core/gpu/app.yaml
@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: gpu-system
+  namespace: argocd
+spec:
+  project: core
+  destination:
+    namespace: gpu-system
+    server: https://kubernetes.default.svc
+  source:
+    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
+    targetRevision: HEAD
+    path: k8s/core/gpu
+  syncPolicy:
+    automated:
+      selfHeal: true
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
--- a/k8s/core/gpu/kustomization.yaml
+++ b/k8s/core/gpu/kustomization.yaml
@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - app.yaml
+  - runtime-class.yaml
+
+helmCharts:
+  - name: nvidia-device-plugin
+    repo: https://nvidia.github.io/k8s-device-plugin
+    version: 0.17.0
+    releaseName: nvidia-device-plugin
+    namespace: gpu-system
+    valuesFile: values.yaml
+    includeCRDs: true
--- a/k8s/core/gpu/runtime-class.yaml
+++ b/k8s/core/gpu/runtime-class.yaml
@@ -0,0 +1,5 @@
+apiVersion: node.k8s.io/v1
+kind: RuntimeClass
+metadata:
+  name: nvidia
+handler: nvidia
--- a/k8s/core/gpu/values.yaml
+++ b/k8s/core/gpu/values.yaml
@@ -0,0 +1,23 @@
+nodeSelector:
+  kubernetes.io/hostname: uk-desktop.tail2fe2d.ts.net
+
+tolerations:
+  - key: workload
+    operator: Equal
+    value: desktop
+    effect: NoSchedule
+
+runtimeClassName: nvidia
+
+setAsDefault: false
+
+config:
+  default: any
+  map:
+    any: |-
+      version: v1
+      sharing:
+        timeSlicing:
+          resources:
+          - name: nvidia.com/gpu
+            replicas: 4
--- a/k8s/core/postgresql/external-secrets.yaml
+++ b/k8s/core/postgresql/external-secrets.yaml
@@ -127,6 +127,12 @@ spec:
          {{ .mmdl }}
        USER_n8n: |-
          {{ .n8n }}
+        USER_synapse: |-
+          {{ .synapse }}
+        USER_mas: |-
+          {{ .mas }}
+        USER_furumi: |-
+          {{ .furumi }}
  data:
    - secretKey: authentik
      sourceRef:
@@ -271,4 +277,37 @@ spec:
        metadataPolicy: None
        key: 2a9deb39-ef22-433e-a1be-df1555625e22
        property: fields[13].value
+    - secretKey: synapse
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
+        key: 2a9deb39-ef22-433e-a1be-df1555625e22
+        property: fields[14].value
+    - secretKey: mas
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
+        key: 2a9deb39-ef22-433e-a1be-df1555625e22
+        property: fields[15].value
+    - secretKey: furumi
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
+        key: 2a9deb39-ef22-433e-a1be-df1555625e22
+        property: fields[16].value

--- a/k8s/core/prom-stack/dashboards/furumi-server.json
+++ b/k8s/core/prom-stack/dashboards/furumi-server.json
@@ -0,0 +1,647 @@
+{
+  "annotations": {
+    "list": [
+      {
+        "builtIn": 1,
+        "datasource": {
+          "type": "grafana",
+          "uid": "-- Grafana --"
+        },
+        "enable": true,
+        "hide": true,
+        "iconColor": "rgba(0, 211, 255, 1)",
+        "name": "Annotations & Alerts",
+        "type": "dashboard"
+      }
+    ]
+  },
+  "editable": true,
+  "fiscalYearStartMonth": 0,
+  "graphTooltip": 0,
+  "id": null,
+  "links": [],
+  "liveNow": false,
+  "panels": [
+    {
+      "gridPos": {
+        "h": 4,
+        "w": 6,
+        "x": 0,
+        "y": 0
+      },
+      "id": 1,
+      "options": {
+        "colorMode": "value",
+        "graphMode": "area",
+        "justifyMode": "auto",
+        "orientation": "auto",
+        "reduceOptions": {
+          "calc": "lastNotNull",
+          "fields": "",
+          "values": false
+        },
+        "textMode": "auto"
+      },
+      "pluginVersion": "10.0.0",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${datasource}"
+          },
+          "expr": "furumi_active_streams",
+          "refId": "A"
+        }
+      ],
+      "title": "Active Streams",
+      "type": "stat"
+    },
+    {
+      "gridPos": {
+        "h": 4,
+        "w": 6,
+        "x": 6,
+        "y": 0
+      },
+      "id": 2,
+      "options": {
+        "colorMode": "value",
+        "graphMode": "area",
+        "justifyMode": "auto",
+        "orientation": "auto",
+        "reduceOptions": {
+          "calc": "rate",
+          "fields": "",
+          "values": false
+        },
+        "textMode": "auto"
+      },
+      "pluginVersion": "10.0.0",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${datasource}"
+          },
+          "expr": "rate(furumi_bytes_read_total[$__rate_interval])",
+          "refId": "A"
+        }
+      ],
+      "title": "Bytes Read / Sec",
+      "type": "stat",
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
+          },
+          "custom": {
+            "axisBorderShow": false,
+            "axisCenteredZero": false,
+            "axisColorMode": "text",
+            "axisLabel": "",
+            "axisPlacement": "auto",
+            "barAlignment": 0,
+            "drawStyle": "line",
+            "fillOpacity": 0,
+            "gradientMode": "none",
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            },
+            "insertNulls": false,
+            "lineInterpolation": "linear",
+            "lineWidth": 1,
+            "pointSize": 5,
+            "scaleDistribution": {
+              "type": "linear"
+            },
+            "showPoints": "auto",
+            "spanNulls": false,
+            "stacking": {
+              "group": "A",
+              "mode": "none"
+            },
+            "thresholdsStyle": {
+              "mode": "off"
+            }
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              }
+            ]
+          },
+          "unit": "Bps"
+        },
+        "overrides": []
+      }
+    },
+    {
+      "gridPos": {
+        "h": 4,
+        "w": 6,
+        "x": 12,
+        "y": 0
+      },
+      "id": 3,
+      "options": {
+        "colorMode": "value",
+        "graphMode": "area",
+        "justifyMode": "auto",
+        "orientation": "auto",
+        "reduceOptions": {
+          "calc": "lastNotNull",
+          "fields": "",
+          "values": false
+        },
+        "textMode": "auto"
+      },
+      "pluginVersion": "10.0.0",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${datasource}"
+          },
+          "expr": "sum(increase(furumi_file_open_errors_total[$__rate_interval]))",
+          "refId": "A"
+        }
+      ],
+      "title": "File Open Errors (Rate)",
+      "type": "stat",
+       "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "thresholds"
+          },
+          "mappings": [],
+          "thresholds": {
+             "mode": "absolute",
+             "steps": [
+               { "color": "green", "value": null },
+               { "color": "red", "value": 1 }
+             ]
+           }
+        },
+        "overrides": []
+      }
+    },
+    {
+      "gridPos": {
+        "h": 4,
+        "w": 6,
+        "x": 18,
+        "y": 0
+      },
+      "id": 4,
+      "options": {
+        "colorMode": "value",
+        "graphMode": "area",
+        "justifyMode": "auto",
+        "orientation": "auto",
+        "reduceOptions": {
+          "calc": "lastNotNull",
+          "fields": "",
+          "values": false
+        },
+        "textMode": "auto"
+      },
+      "pluginVersion": "10.0.0",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${datasource}"
+          },
+          "expr": "sum(increase(furumi_auth_failures_total[$__rate_interval]))",
+          "refId": "A"
+        }
+      ],
+      "title": "Auth Failures (Rate)",
+      "type": "stat",
+       "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "thresholds"
+          },
+          "mappings": [],
+          "thresholds": {
+             "mode": "absolute",
+             "steps": [
+               { "color": "green", "value": null },
+               { "color": "red", "value": 1 }
+             ]
+           }
+        },
+        "overrides": []
+      }
+    },
+    {
+      "gridPos": {
+        "h": 8,
+        "w": 12,
+        "x": 0,
+        "y": 4
+      },
+      "id": 5,
+      "options": {
+        "legend": {
+          "calcs": [],
+          "displayMode": "list",
+          "placement": "bottom",
+          "showLegend": true
+        },
+        "tooltip": {
+          "mode": "single",
+          "sort": "none"
+        }
+      },
+      "pluginVersion": "10.0.0",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${datasource}"
+          },
+          "expr": "sum by (method, status) (rate(furumi_grpc_requests_total[$__rate_interval]))",
+          "legendFormat": "{{method}} - {{status}}",
+          "refId": "A"
+        }
+      ],
+      "title": "gRPC Request Rate by Method & Status",
+      "type": "timeseries",
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
+          },
+          "custom": {
+            "axisBorderShow": false,
+            "axisCenteredZero": false,
+            "axisColorMode": "text",
+            "axisLabel": "",
+            "axisPlacement": "auto",
+            "barAlignment": 0,
+            "drawStyle": "line",
+            "fillOpacity": 10,
+            "gradientMode": "none",
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            },
+            "insertNulls": false,
+            "lineInterpolation": "linear",
+            "lineWidth": 2,
+            "pointSize": 5,
+            "scaleDistribution": {
+              "type": "linear"
+            },
+            "showPoints": "auto",
+            "spanNulls": false,
+            "stacking": {
+              "group": "A",
+              "mode": "none"
+            },
+            "thresholdsStyle": {
+              "mode": "off"
+            }
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              }
+            ]
+          },
+          "unit": "reqps"
+        },
+        "overrides": []
+      }
+    },
+    {
+      "gridPos": {
+        "h": 8,
+        "w": 12,
+        "x": 12,
+        "y": 4
+      },
+      "id": 6,
+      "options": {
+        "legend": {
+          "calcs": [],
+          "displayMode": "list",
+          "placement": "bottom",
+          "showLegend": true
+        },
+        "tooltip": {
+          "mode": "single",
+          "sort": "none"
+        }
+      },
+      "pluginVersion": "10.0.0",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${datasource}"
+          },
+          "expr": "histogram_quantile(0.95, sum(rate(furumi_grpc_request_duration_seconds_bucket[$__rate_interval])) by (le, method))",
+          "legendFormat": "p95 {{method}}",
+          "refId": "A"
+        },
+         {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${datasource}"
+          },
+          "expr": "histogram_quantile(0.99, sum(rate(furumi_grpc_request_duration_seconds_bucket[$__rate_interval])) by (le, method))",
+          "legendFormat": "p99 {{method}}",
+          "refId": "B"
+        }
+      ],
+      "title": "gRPC Request Duration (p95, p99)",
+      "type": "timeseries",
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
+          },
+          "custom": {
+            "axisBorderShow": false,
+            "axisCenteredZero": false,
+            "axisColorMode": "text",
+            "axisLabel": "",
+            "axisPlacement": "auto",
+            "barAlignment": 0,
+            "drawStyle": "line",
+            "fillOpacity": 0,
+            "gradientMode": "none",
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            },
+            "insertNulls": false,
+            "lineInterpolation": "linear",
+            "lineWidth": 2,
+            "pointSize": 5,
+            "scaleDistribution": {
+              "type": "linear"
+            },
+            "showPoints": "auto",
+            "spanNulls": false,
+            "stacking": {
+              "group": "A",
+              "mode": "none"
+            },
+            "thresholdsStyle": {
+              "mode": "off"
+            }
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              }
+            ]
+          },
+          "unit": "s"
+        },
+        "overrides": []
+      }
+    },
+    {
+      "gridPos": {
+        "h": 8,
+        "w": 12,
+        "x": 0,
+        "y": 12
+      },
+      "id": 7,
+      "options": {
+        "legend": {
+          "calcs": [],
+          "displayMode": "list",
+          "placement": "bottom",
+          "showLegend": true
+        },
+        "tooltip": {
+          "mode": "single",
+          "sort": "none"
+        }
+      },
+      "pluginVersion": "10.0.0",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${datasource}"
+          },
+          "expr": "sum(process_resident_memory_bytes) / 1024 / 1024",
+          "legendFormat": "Resident Memory",
+          "refId": "A"
+        },
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${datasource}"
+          },
+          "expr": "sum(process_virtual_memory_bytes) / 1024 / 1024",
+          "legendFormat": "Virtual Memory",
+          "refId": "B"
+        }
+      ],
+      "title": "Process Memory Usage",
+      "type": "timeseries",
+       "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
+          },
+          "custom": {
+            "axisBorderShow": false,
+            "axisCenteredZero": false,
+            "axisColorMode": "text",
+            "axisLabel": "",
+            "axisPlacement": "auto",
+            "barAlignment": 0,
+            "drawStyle": "line",
+            "fillOpacity": 15,
+            "gradientMode": "none",
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            },
+            "insertNulls": false,
+            "lineInterpolation": "linear",
+            "lineWidth": 2,
+             "pointSize": 5,
+            "scaleDistribution": {
+              "type": "linear"
+            },
+            "showPoints": "auto",
+            "spanNulls": false,
+            "stacking": {
+              "group": "A",
+              "mode": "none"
+            },
+            "thresholdsStyle": {
+              "mode": "off"
+            }
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+               { "color": "green", "value": null }
+            ]
+          },
+          "unit": "megbytes"
+        },
+        "overrides": []
+      }
+    },
+    {
+      "gridPos": {
+        "h": 8,
+        "w": 12,
+        "x": 12,
+        "y": 12
+      },
+      "id": 8,
+      "options": {
+        "legend": {
+          "calcs": [],
+          "displayMode": "list",
+          "placement": "bottom",
+          "showLegend": true
+        },
+        "tooltip": {
+          "mode": "single",
+          "sort": "none"
+        }
+      },
+      "pluginVersion": "10.0.0",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${datasource}"
+          },
+          "expr": "process_open_fds",
+          "legendFormat": "Open FDs",
+          "refId": "A"
+        },
+        {
+           "datasource": {
+            "type": "prometheus",
+            "uid": "${datasource}"
+          },
+          "expr": "process_max_fds",
+          "legendFormat": "Max FDs",
+          "refId": "B"
+        }
+      ],
+      "title": "Process File Descriptors",
+      "type": "timeseries",
+       "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
+          },
+          "custom": {
+             "axisBorderShow": false,
+            "axisCenteredZero": false,
+            "axisColorMode": "text",
+            "axisLabel": "",
+            "axisPlacement": "auto",
+            "barAlignment": 0,
+            "drawStyle": "line",
+            "fillOpacity": 10,
+            "gradientMode": "none",
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            },
+            "insertNulls": false,
+            "lineInterpolation": "linear",
+            "lineWidth": 2,
+            "pointSize": 5,
+            "scaleDistribution": {
+               "type": "linear"
+            },
+            "showPoints": "auto",
+            "spanNulls": false,
+            "stacking": {
+              "group": "A",
+              "mode": "none"
+            },
+             "thresholdsStyle": {
+              "mode": "off"
+             }
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+               { "color": "green", "value": null }
+            ]
+          },
+          "unit": "short"
+        },
+        "overrides": []
+      }
+    }
+  ],
+  "refresh": "10s",
+  "schemaVersion": 38,
+  "style": "dark",
+  "tags": [
+    "furumi-server",
+    "grpc"
+  ],
+  "templating": {
+    "list": [
+      {
+        "current": {
+          "selected": false,
+          "text": "Prometheus",
+          "value": "Prometheus"
+        },
+        "hide": 0,
+        "includeAll": false,
+        "multi": false,
+        "name": "datasource",
+        "options": [],
+        "query": "prometheus",
+        "refresh": 1,
+        "regex": "",
+        "skipUrlSync": false,
+        "type": "datasource"
+      }
+    ]
+  },
+  "time": {
+    "from": "now-1h",
+    "to": "now"
+  },
+  "timepicker": {},
+  "timezone": "",
+  "title": "Furumi Server Metrics",
+  "uid": "furumi-metrics",
+  "version": 1
+}
--- a/k8s/core/prom-stack/furumi-dashboard-cm.yaml
+++ b/k8s/core/prom-stack/furumi-dashboard-cm.yaml
@@ -0,0 +1,669 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: furumi-server-dashboard
+  labels:
+    grafana_dashboard: "1"
+data:
+  furumi-server.json: |-
+    {
+      "annotations": {
+        "list": [
+          {
+            "builtIn": 1,
+            "datasource": {
+              "type": "grafana",
+              "uid": "-- Grafana --"
+            },
+            "enable": true,
+            "hide": true,
+            "iconColor": "rgba(0, 211, 255, 1)",
+            "name": "Annotations & Alerts",
+            "type": "dashboard"
+          }
+        ]
+      },
+      "editable": true,
+      "fiscalYearStartMonth": 0,
+      "graphTooltip": 0,
+      "id": null,
+      "links": [],
+      "liveNow": false,
+      "panels": [
+        {
+          "gridPos": {
+            "h": 4,
+            "w": 6,
+            "x": 0,
+            "y": 0
+          },
+          "id": 1,
+          "options": {
+            "colorMode": "value",
+            "graphMode": "area",
+            "justifyMode": "auto",
+            "orientation": "auto",
+            "reduceOptions": {
+              "calc": "lastNotNull",
+              "fields": "",
+              "values": false
+            },
+            "textMode": "auto"
+          },
+          "pluginVersion": "10.0.0",
+          "targets": [
+            {
+              "datasource": {
+                "type": "prometheus",
+                "uid": "${datasource}"
+              },
+              "expr": "sum(furumi_active_streams)",
+              "refId": "A"
+            }
+          ],
+          "title": "Active Streams",
+          "type": "stat"
+        },
+        {
+          "gridPos": {
+            "h": 4,
+            "w": 6,
+            "x": 6,
+            "y": 0
+          },
+          "id": 2,
+          "options": {
+            "colorMode": "value",
+            "graphMode": "area",
+            "justifyMode": "auto",
+            "orientation": "auto",
+            "reduceOptions": {
+              "calc": "rate",
+              "fields": "",
+              "values": false
+            },
+            "textMode": "auto"
+          },
+          "pluginVersion": "10.0.0",
+          "targets": [
+            {
+              "datasource": {
+                "type": "prometheus",
+                "uid": "${datasource}"
+              },
+              "expr": "sum(rate(furumi_bytes_read_total[$__rate_interval]))",
+              "refId": "A"
+            }
+          ],
+          "title": "Bytes Read / Sec",
+          "type": "stat",
+          "fieldConfig": {
+            "defaults": {
+              "color": {
+                "mode": "palette-classic"
+              },
+              "custom": {
+                "axisBorderShow": false,
+                "axisCenteredZero": false,
+                "axisColorMode": "text",
+                "axisLabel": "",
+                "axisPlacement": "auto",
+                "barAlignment": 0,
+                "drawStyle": "line",
+                "fillOpacity": 0,
+                "gradientMode": "none",
+                "hideFrom": {
+                  "legend": false,
+                  "tooltip": false,
+                  "viz": false
+                },
+                "insertNulls": false,
+                "lineInterpolation": "linear",
+                "lineWidth": 1,
+                "pointSize": 5,
+                "scaleDistribution": {
+                  "type": "linear"
+                },
+                "showPoints": "auto",
+                "spanNulls": false,
+                "stacking": {
+                  "group": "A",
+                  "mode": "none"
+                },
+                "thresholdsStyle": {
+                  "mode": "off"
+                }
+              },
+              "mappings": [],
+              "thresholds": {
+                "mode": "absolute",
+                "steps": [
+                  {
+                    "color": "green",
+                    "value": null
+                  }
+                ]
+              },
+              "unit": "Bps"
+            },
+            "overrides": []
+          }
+        },
+        {
+          "gridPos": {
+            "h": 4,
+            "w": 6,
+            "x": 12,
+            "y": 0
+          },
+          "id": 3,
+          "options": {
+            "colorMode": "value",
+            "graphMode": "area",
+            "justifyMode": "auto",
+            "orientation": "auto",
+            "reduceOptions": {
+              "calc": "lastNotNull",
+              "fields": "",
+              "values": false
+            },
+            "textMode": "auto"
+          },
+          "pluginVersion": "10.0.0",
+          "targets": [
+            {
+              "datasource": {
+                "type": "prometheus",
+                "uid": "${datasource}"
+              },
+              "expr": "sum(increase(furumi_file_open_errors_total[$__rate_interval]))",
+              "refId": "A"
+            }
+          ],
+          "title": "File Open Errors (Rate)",
+          "type": "stat",
+           "fieldConfig": {
+            "defaults": {
+              "color": {
+                "mode": "thresholds"
+              },
+              "mappings": [],
+              "thresholds": {
+                 "mode": "absolute",
+                 "steps": [
+                   { "color": "green", "value": null },
+                   { "color": "red", "value": 1 }
+                 ]
+               }
+            },
+            "overrides": []
+          }
+        },
+        {
+          "gridPos": {
+            "h": 4,
+            "w": 6,
+            "x": 18,
+            "y": 0
+          },
+          "id": 4,
+          "options": {
+            "colorMode": "value",
+            "graphMode": "area",
+            "justifyMode": "auto",
+            "orientation": "auto",
+            "reduceOptions": {
+              "calc": "lastNotNull",
+              "fields": "",
+              "values": false
+            },
+            "textMode": "auto"
+          },
+          "pluginVersion": "10.0.0",
+          "targets": [
+            {
+              "datasource": {
+                "type": "prometheus",
+                "uid": "${datasource}"
+              },
+              "expr": "sum(increase(furumi_auth_failures_total[$__rate_interval]))",
+              "refId": "A"
+            }
+          ],
+          "title": "Auth Failures (Rate)",
+          "type": "stat",
+           "fieldConfig": {
+            "defaults": {
+              "color": {
+                "mode": "thresholds"
+              },
+              "mappings": [],
+              "thresholds": {
+                 "mode": "absolute",
+                 "steps": [
+                   { "color": "green", "value": null },
+                   { "color": "red", "value": 1 }
+                 ]
+               }
+            },
+            "overrides": []
+          }
+        },
+        {
+          "gridPos": {
+            "h": 8,
+            "w": 12,
+            "x": 0,
+            "y": 4
+          },
+          "id": 5,
+          "options": {
+            "legend": {
+              "calcs": [],
+              "displayMode": "list",
+              "placement": "bottom",
+              "showLegend": true
+            },
+            "tooltip": {
+              "mode": "single",
+              "sort": "none"
+            }
+          },
+          "pluginVersion": "10.0.0",
+          "targets": [
+            {
+              "datasource": {
+                "type": "prometheus",
+                "uid": "${datasource}"
+              },
+              "expr": "sum by (method, status) (rate(furumi_grpc_requests_total[$__rate_interval]))",
+              "legendFormat": "{{method}} - {{status}}",
+              "refId": "A"
+            }
+          ],
+          "title": "gRPC Request Rate by Method & Status",
+          "type": "timeseries",
+          "fieldConfig": {
+            "defaults": {
+              "color": {
+                "mode": "palette-classic"
+              },
+              "custom": {
+                "axisBorderShow": false,
+                "axisCenteredZero": false,
+                "axisColorMode": "text",
+                "axisLabel": "",
+                "axisPlacement": "auto",
+                "barAlignment": 0,
+                "drawStyle": "line",
+                "fillOpacity": 10,
+                "gradientMode": "none",
+                "hideFrom": {
+                  "legend": false,
+                  "tooltip": false,
+                  "viz": false
+                },
+                "insertNulls": false,
+                "lineInterpolation": "linear",
+                "lineWidth": 2,
+                "pointSize": 5,
+                "scaleDistribution": {
+                  "type": "linear"
+                },
+                "showPoints": "auto",
+                "spanNulls": false,
+                "stacking": {
+                  "group": "A",
+                  "mode": "none"
+                },
+                "thresholdsStyle": {
+                  "mode": "off"
+                }
+              },
+              "mappings": [],
+              "thresholds": {
+                "mode": "absolute",
+                "steps": [
+                  {
+                    "color": "green",
+                    "value": null
+                  }
+                ]
+              },
+              "unit": "reqps"
+            },
+            "overrides": []
+          }
+        },
+        {
+          "gridPos": {
+            "h": 8,
+            "w": 12,
+            "x": 12,
+            "y": 4
+          },
+          "id": 6,
+          "options": {
+            "legend": {
+              "calcs": [],
+              "displayMode": "list",
+              "placement": "bottom",
+              "showLegend": true
+            },
+            "tooltip": {
+              "mode": "single",
+              "sort": "none"
+            }
+          },
+          "pluginVersion": "10.0.0",
+          "targets": [
+            {
+              "datasource": {
+                "type": "prometheus",
+                "uid": "${datasource}"
+              },
+              "expr": "histogram_quantile(0.95, sum(rate(furumi_grpc_request_duration_seconds_bucket[$__rate_interval])) by (le, method))",
+              "legendFormat": "p95 {{method}}",
+              "refId": "A"
+            },
+             {
+              "datasource": {
+                "type": "prometheus",
+                "uid": "${datasource}"
+              },
+              "expr": "histogram_quantile(0.99, sum(rate(furumi_grpc_request_duration_seconds_bucket[$__rate_interval])) by (le, method))",
+              "legendFormat": "p99 {{method}}",
+              "refId": "B"
+            }
+          ],
+          "title": "gRPC Request Duration (p95, p99)",
+          "type": "timeseries",
+          "fieldConfig": {
+            "defaults": {
+              "color": {
+                "mode": "palette-classic"
+              },
+              "custom": {
+                "axisBorderShow": false,
+                "axisCenteredZero": false,
+                "axisColorMode": "text",
+                "axisLabel": "",
+                "axisPlacement": "auto",
+                "barAlignment": 0,
+                "drawStyle": "line",
+                "fillOpacity": 0,
+                "gradientMode": "none",
+                "hideFrom": {
+                  "legend": false,
+                  "tooltip": false,
+                  "viz": false
+                },
+                "insertNulls": false,
+                "lineInterpolation": "linear",
+                "lineWidth": 2,
+                "pointSize": 5,
+                "scaleDistribution": {
+                  "type": "linear"
+                },
+                "showPoints": "auto",
+                "spanNulls": false,
+                "stacking": {
+                  "group": "A",
+                  "mode": "none"
+                },
+                "thresholdsStyle": {
+                  "mode": "off"
+                }
+              },
+              "mappings": [],
+              "thresholds": {
+                "mode": "absolute",
+                "steps": [
+                  {
+                    "color": "green",
+                    "value": null
+                  }
+                ]
+              },
+              "unit": "s"
+            },
+            "overrides": []
+          }
+        },
+        {
+          "collapsed": true,
+          "gridPos": {
+            "h": 1,
+            "w": 24,
+            "x": 0,
+            "y": 12
+          },
+          "id": 99,
+          "panels": [
+            {
+              "gridPos": {
+                "h": 8,
+                "w": 12,
+                "x": 0,
+                "y": 13
+              },
+              "id": 7,
+              "options": {
+                "legend": {
+                  "calcs": [],
+                  "displayMode": "list",
+                  "placement": "bottom",
+                  "showLegend": true
+                },
+                "tooltip": {
+                  "mode": "single",
+                  "sort": "none"
+                }
+              },
+              "pluginVersion": "10.0.0",
+              "targets": [
+                {
+                  "datasource": {
+                    "type": "prometheus",
+                    "uid": "${datasource}"
+                  },
+                  "expr": "process_resident_memory_bytes / 1024 / 1024",
+                  "legendFormat": "Resident Memory",
+                  "refId": "A"
+                },
+                {
+                  "datasource": {
+                    "type": "prometheus",
+                    "uid": "${datasource}"
+                  },
+                  "expr": "process_virtual_memory_bytes / 1024 / 1024",
+                  "legendFormat": "Virtual Memory",
+                  "refId": "B"
+                }
+              ],
+              "title": "Process Memory Usage",
+              "type": "timeseries",
+               "fieldConfig": {
+                "defaults": {
+                  "color": {
+                    "mode": "palette-classic"
+                  },
+                  "custom": {
+                    "axisBorderShow": false,
+                    "axisCenteredZero": false,
+                    "axisColorMode": "text",
+                    "axisLabel": "",
+                    "axisPlacement": "auto",
+                    "barAlignment": 0,
+                    "drawStyle": "line",
+                    "fillOpacity": 15,
+                    "gradientMode": "none",
+                    "hideFrom": {
+                      "legend": false,
+                      "tooltip": false,
+                      "viz": false
+                    },
+                    "insertNulls": false,
+                    "lineInterpolation": "linear",
+                    "lineWidth": 2,
+                     "pointSize": 5,
+                    "scaleDistribution": {
+                      "type": "linear"
+                    },
+                    "showPoints": "auto",
+                    "spanNulls": false,
+                    "stacking": {
+                      "group": "A",
+                      "mode": "none"
+                    },
+                    "thresholdsStyle": {
+                      "mode": "off"
+                    }
+                  },
+                  "mappings": [],
+                  "thresholds": {
+                    "mode": "absolute",
+                    "steps": [
+                       { "color": "green", "value": null }
+                    ]
+                  },
+                  "unit": "megbytes"
+                },
+                "overrides": []
+              }
+            },
+            {
+              "gridPos": {
+                "h": 8,
+                "w": 12,
+                "x": 12,
+                "y": 13
+              },
+              "id": 8,
+              "options": {
+                "legend": {
+                  "calcs": [],
+                  "displayMode": "list",
+                  "placement": "bottom",
+                  "showLegend": true
+                },
+                "tooltip": {
+                  "mode": "single",
+                  "sort": "none"
+                }
+              },
+              "pluginVersion": "10.0.0",
+              "targets": [
+                {
+                  "datasource": {
+                    "type": "prometheus",
+                    "uid": "${datasource}"
+                  },
+                  "expr": "process_open_fds",
+                  "legendFormat": "Open FDs",
+                  "refId": "A"
+                },
+                {
+                   "datasource": {
+                    "type": "prometheus",
+                    "uid": "${datasource}"
+                  },
+                  "expr": "process_max_fds",
+                  "legendFormat": "Max FDs",
+                  "refId": "B"
+                }
+              ],
+              "title": "Process File Descriptors",
+              "type": "timeseries",
+               "fieldConfig": {
+                "defaults": {
+                  "color": {
+                    "mode": "palette-classic"
+                  },
+                  "custom": {
+                     "axisBorderShow": false,
+                    "axisCenteredZero": false,
+                    "axisColorMode": "text",
+                    "axisLabel": "",
+                    "axisPlacement": "auto",
+                    "barAlignment": 0,
+                    "drawStyle": "line",
+                    "fillOpacity": 10,
+                    "gradientMode": "none",
+                    "hideFrom": {
+                      "legend": false,
+                      "tooltip": false,
+                      "viz": false
+                    },
+                    "insertNulls": false,
+                    "lineInterpolation": "linear",
+                    "lineWidth": 2,
+                    "pointSize": 5,
+                    "scaleDistribution": {
+                       "type": "linear"
+                    },
+                    "showPoints": "auto",
+                    "spanNulls": false,
+                    "stacking": {
+                      "group": "A",
+                      "mode": "none"
+                    },
+                     "thresholdsStyle": {
+                      "mode": "off"
+                     }
+                  },
+                  "mappings": [],
+                  "thresholds": {
+                    "mode": "absolute",
+                    "steps": [
+                       { "color": "green", "value": null }
+                    ]
+                  },
+                  "unit": "short"
+                },
+                "overrides": []
+              }
+            }
+          ],
+          "title": "Process Metrics (Memory, FDs)",
+          "type": "row"
+        }
+      ],
+      "refresh": "10s",
+      "schemaVersion": 38,
+      "style": "dark",
+      "tags": [
+        "furumi-server",
+        "grpc"
+      ],
+      "templating": {
+        "list": [
+          {
+            "current": {
+              "selected": false,
+              "text": "Prometheus",
+              "value": "Prometheus"
+            },
+            "hide": 0,
+            "includeAll": false,
+            "multi": false,
+            "name": "datasource",
+            "options": [],
+            "query": "prometheus",
+            "refresh": 1,
+            "regex": "",
+            "skipUrlSync": false,
+            "type": "datasource"
+          }
+        ]
+      },
+      "time": {
+        "from": "now-1h",
+        "to": "now"
+      },
+      "timepicker": {},
+      "timezone": "",
+      "title": "Furumi Server Metrics",
+      "uid": "furumi-metrics",
+      "version": 1
+    }
--- a/k8s/core/prom-stack/grafana-alerting-configmap.yaml
+++ b/k8s/core/prom-stack/grafana-alerting-configmap.yaml
@@ -20,7 +20,7 @@ data:
                relativeTimeRange:
                  from: 600
                  to: 0
-                datasourceUid: P76F38748CEC837F0
+                datasourceUid: prometheus
                model:
                  expr: 'rate(container_cpu_cfs_throttled_periods_total{container="pasarguard-node"}[5m])'
                  refId: A
@@ -73,7 +73,7 @@ data:
                relativeTimeRange:
                  from: 600
                  to: 0
-                datasourceUid: P76F38748CEC837F0
+                datasourceUid: prometheus
                model:
                  expr: 'kube_node_status_condition{condition="Ready",status="false"}'
                  refId: A
@@ -119,7 +119,7 @@ data:
                relativeTimeRange:
                  from: 300
                  to: 0
-                datasourceUid: P76F38748CEC837F0
+                datasourceUid: prometheus
                model:
                  expr: '(1 - (node_memory_MemAvailable_bytes / node_memory_MemTotal_bytes)) * 100'
                  refId: A
@@ -165,7 +165,7 @@ data:
                relativeTimeRange:
                  from: 300
                  to: 0
-                datasourceUid: P76F38748CEC837F0
+                datasourceUid: prometheus
                model:
                  expr: '100 - (avg by(instance) (rate(node_cpu_seconds_total{mode="idle"}[5m])) * 100)'
                  refId: A
@@ -211,7 +211,7 @@ data:
                relativeTimeRange:
                  from: 300
                  to: 0
-                datasourceUid: P76F38748CEC837F0
+                datasourceUid: prometheus
                model:
                  expr: '(1 - (node_filesystem_avail_bytes{fstype=~"ext[234]|xfs|zfs|btrfs"} / node_filesystem_size_bytes)) * 100'
                  refId: A
@@ -258,9 +258,9 @@ data:
                relativeTimeRange:
                  from: 300
                  to: 0
-                datasourceUid: P76F38748CEC837F0
+                datasourceUid: prometheus
                model:
-                  expr: 'node_load5 / on(instance) group_left count by(instance)(node_cpu_seconds_total{mode="idle"})'
+                  expr: 'node_load15 / on(instance) group_left count by(instance)(node_cpu_seconds_total{mode="idle"})'
                  refId: A
                  intervalMs: 1000
                  maxDataPoints: 43200
@@ -273,7 +273,7 @@ data:
                  conditions:
                    - evaluator:
                        params:
-                          - 0.8
+                          - 2
                        type: gt
                      operator:
                        type: and
@@ -283,16 +283,16 @@ data:
                    type: __expr__
                    uid: __expr__
                  expression: A
-                  reducer: max
+                  reducer: last
                  refId: B
                  type: reduce
            noDataState: NoData
            execErrState: Alerting
-            for: 5m
+            for: 15m
            annotations:
              node: '{{ $labels.instance }}'
              load_average: '{{ printf "%.2f" $values.A }}'
-              summary: 'Node load average is high relative to CPU count'
+              summary: 'Node load average is critically high relative to CPU count'
            labels:
              severity: warning

@@ -304,7 +304,7 @@ data:
                relativeTimeRange:
                  from: 300
                  to: 0
-                datasourceUid: P76F38748CEC837F0
+                datasourceUid: prometheus
                model:
                  expr: 'up{job="node-exporter"}'
                  refId: A
--- a/k8s/core/prom-stack/grafana-values.yaml
+++ b/k8s/core/prom-stack/grafana-values.yaml
@@ -1,85 +0,0 @@
-envFromSecret: grafana-admin
-nodeSelector:
-  kubernetes.io/hostname: master.tail2fe2d.ts.net
-
-admin:
-  existingSecret: grafana-admin
-  userKey: username
-  passwordKey: password
-
-grafana.ini:
-  auth:
-    signout_redirect_url: https://idm.hexor.cy/application/o/grafana/end-session/
-    # oauth_auto_login: true
-  auth.generic_oauth:
-    name: authentik
-    enabled: true
-    scopes: "openid profile email"
-    auth_url: https://idm.hexor.cy/application/o/authorize/
-    token_url: https://idm.hexor.cy/application/o/token/
-    api_url: https://idm.hexor.cy/application/o/userinfo/
-    role_attribute_path: >-
-      contains(groups, 'Grafana Admin') && 'Admin' ||
-      contains(groups, 'Grafana Editors') && 'Editor' ||
-      contains(groups, 'Grafana Viewer') && 'Viewer'
-  database:
-    type: postgres
-    host: psql.psql.svc:5432
-    name: grafana
-    user: grafana
-    ssl_mode: disable
-
-datasources:
-  datasources.yaml:
-    apiVersion: 1
-    datasources:
-      - name: Prometheus Local
-        type: prometheus
-        url: http://prometheus-kube-prometheus-prometheus.prometheus.svc:9090
-        access: proxy
-        isDefault: true
-      - name: Loki
-        type: loki
-        url: http://loki-gateway.prometheus.svc:80
-        access: proxy
-
-ingress:
-  enabled: true
-  ingressClassName: traefik
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
-  hosts:
-    - gf.hexor.cy
-  tls:
-    - secretName: grafana-tls
-      hosts:
-        - '*.hexor.cy'
-
-extraConfigmapMounts:
-  - name: grafana-alerting-rules
-    mountPath: /etc/grafana/provisioning/alerting/rules.yaml
-    configMap: grafana-alerting
-    subPath: rules.yaml
-    readOnly: true
-  - name: grafana-alerting-contactpoints
-    mountPath: /etc/grafana/provisioning/alerting/contactpoints.yaml
-    configMap: grafana-alerting
-    subPath: contactpoints.yaml
-    readOnly: true
-  - name: grafana-alerting-policies
-    mountPath: /etc/grafana/provisioning/alerting/policies.yaml
-    configMap: grafana-alerting
-    subPath: policies.yaml
-    readOnly: true
-
-envValueFrom:
-  TELEGRAM_BOT_TOKEN:
-    secretKeyRef:
-      name: grafana-telegram
-      key: bot-token
-  TELEGRAM_CHAT_ID:
-    secretKeyRef:
-      name: grafana-telegram
-      key: chat-id
-
--- a/k8s/core/prom-stack/kustomization.yaml
+++ b/k8s/core/prom-stack/kustomization.yaml
@@ -6,24 +6,17 @@ resources:
  - external-secrets.yaml
  - grafana-alerting-configmap.yaml
  - alertmanager-config.yaml
+  - furumi-dashboard-cm.yaml

 helmCharts:
  - name: kube-prometheus-stack
    repo: https://prometheus-community.github.io/helm-charts
-    version: 79.7.1
+    version: 82.10.3
    releaseName: prometheus
    namespace: prometheus
    valuesFile: prom-values.yaml
    includeCRDs: true

-  - name: grafana
-    repo: https://grafana.github.io/helm-charts
-    version: 10.2.0
-    releaseName: grafana
-    namespace: prometheus
-    valuesFile: grafana-values.yaml
-    includeCRDs: true
-
  - name: loki
    repo: https://grafana.github.io/helm-charts
    version: 6.29.0
--- a/k8s/core/prom-stack/out.yaml
+++ b/k8s/core/prom-stack/out.yaml
--- a/k8s/core/prom-stack/prom-values.yaml
+++ b/k8s/core/prom-stack/prom-values.yaml
@@ -1,5 +1,4 @@
-grafana:
-  enabled: false
+

 alertmanager:
  config:
@@ -92,3 +91,88 @@ prometheus:
            requests:
              storage: 400Gi

+grafana:
+  enabled: true
+  
+  serviceAccount:
+    create: true
+    name: "prom-grafana-sa"
+
+  envFromSecret: grafana-admin
+  nodeSelector:
+    kubernetes.io/hostname: master.tail2fe2d.ts.net
+
+  admin:
+    existingSecret: grafana-admin
+    userKey: username
+    passwordKey: password
+
+  grafana.ini:
+    auth:
+      signout_redirect_url: https://idm.hexor.cy/application/o/grafana/end-session/
+    auth.generic_oauth:
+      name: authentik
+      enabled: true
+      scopes: "openid profile email"
+      auth_url: https://idm.hexor.cy/application/o/authorize/
+      token_url: https://idm.hexor.cy/application/o/token/
+      api_url: https://idm.hexor.cy/application/o/userinfo/
+      role_attribute_path: >-
+        contains(groups, 'Grafana Admin') && 'Admin' ||
+        contains(groups, 'Grafana Editors') && 'Editor' ||
+        contains(groups, 'Grafana Viewer') && 'Viewer'
+    database:
+      type: postgres
+      host: psql.psql.svc:5432
+      name: grafana
+      user: grafana
+      ssl_mode: disable
+
+  # The Loki datasource config needs to be preserved, 
+  # but instead of "datasources.datasources.yaml", we define it like this for the prometheus-stack chart:
+  additionalDataSources:
+    - name: Loki
+      type: loki
+      url: http://loki-gateway.prometheus.svc:80
+      access: proxy
+      orgId: 1
+
+  ingress:
+    enabled: true
+    ingressClassName: traefik
+    annotations:
+      cert-manager.io/cluster-issuer: letsencrypt
+      traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
+    hosts:
+      - gf.hexor.cy
+    tls:
+      - secretName: grafana-tls
+        hosts:
+          - '*.hexor.cy'
+
+  extraConfigmapMounts:
+    - name: grafana-alerting-rules
+      mountPath: /etc/grafana/provisioning/alerting/rules.yaml
+      configMap: grafana-alerting
+      subPath: rules.yaml
+      readOnly: true
+    - name: grafana-alerting-contactpoints
+      mountPath: /etc/grafana/provisioning/alerting/contactpoints.yaml
+      configMap: grafana-alerting
+      subPath: contactpoints.yaml
+      readOnly: true
+    - name: grafana-alerting-policies
+      mountPath: /etc/grafana/provisioning/alerting/policies.yaml
+      configMap: grafana-alerting
+      subPath: policies.yaml
+      readOnly: true
+
+  envValueFrom:
+    TELEGRAM_BOT_TOKEN:
+      secretKeyRef:
+        name: grafana-telegram
+        key: bot-token
+    TELEGRAM_CHAT_ID:
+      secretKeyRef:
+        name: grafana-telegram
+        key: chat-id
--- a/k8s/core/system-upgrade/plan.yaml
+++ b/k8s/core/system-upgrade/plan.yaml
@@ -16,7 +16,7 @@ spec:
  serviceAccountName: system-upgrade
  upgrade:
    image: rancher/k3s-upgrade
-  version: v1.34.3+k3s1
+  version: v1.35.2+k3s1
 ---
 # Agent plan
 apiVersion: upgrade.cattle.io/v1
@@ -39,5 +39,4 @@ spec:
  serviceAccountName: system-upgrade
  upgrade:
    image: rancher/k3s-upgrade
-  version: v1.34.3+k3s1
-
+  version: v1.35.2+k3s1
--- a/terraform/authentik/.claude/settings.local.json
+++ b/terraform/authentik/.claude/settings.local.json
@@ -1,16 +0,0 @@
-{
-  "permissions": {
-    "allow": [
-      "WebSearch",
-      "WebFetch(domain:registry.terraform.io)",
-      "Bash(C:UsersabAppDataLocalMicrosoftWinGetPackagesHashicorp.Terraform_Microsoft.Winget.Source_8wekyb3d8bbweterraform.exe apply -auto-approve)",
-      "Bash(\"C:\\Users\\ab\\AppData\\Local\\Microsoft\\WinGet\\Packages\\Hashicorp.Terraform_Microsoft.Winget.Source_8wekyb3d8bbwe\\terraform.exe\" apply -auto-approve)",
-      "Bash(\"C:\\Users\\ab\\AppData\\Local\\Microsoft\\WinGet\\Packages\\Hashicorp.Terraform_Microsoft.Winget.Source_8wekyb3d8bbwe\\terraform.exe\" apply -auto-approve -lock=false)",
-      "Bash(\"C:\\Users\\ab\\AppData\\Local\\Microsoft\\WinGet\\Packages\\Hashicorp.Terraform_Microsoft.Winget.Source_8wekyb3d8bbwe\\terraform.exe\" plan -lock=false)",
-      "Bash(\"C:\\Users\\ab\\AppData\\Local\\Microsoft\\WinGet\\Packages\\Hashicorp.Terraform_Microsoft.Winget.Source_8wekyb3d8bbwe\\terraform.exe\" apply -replace=\"authentik_outpost.outposts[\"\"kubernetes-outpost\"\"]\" -auto-approve -lock=false)",
-      "Bash(terraform plan:*)"
-    ],
-    "deny": [],
-    "ask": []
-  }
-}
--- a/terraform/authentik/.terraform.lock.hcl
+++ b/terraform/authentik/.terraform.lock.hcl
@@ -2,43 +2,43 @@
 # Manual edits may be lost in future updates.

 provider "registry.terraform.io/goauthentik/authentik" {
-  version     = "2025.8.1"
-  constraints = ">= 2023.10.0, 2025.8.1"
+  version     = "2025.12.1"
+  constraints = ">= 2023.10.0, 2025.12.1"
  hashes = [
-    "h1:R3h8ADB0Kkv/aoY0AaHkBiX2/P4+GnW8sSgkN30kJfQ=",
-    "zh:0c3f1083fd48f20ed06959401ff1459fbb5d454d81c8175b5b6d321b308c0be3",
-    "zh:21c6d93f8d26e688da38a660d121b5624e3597c426c671289f31a17a9771abbf",
-    "zh:301b5763ffc4c5fe47aa7e851ce0b19f71bab4fae5c81003ad81b38775e85f78",
-    "zh:4f7ee6473f6a687340538ddac0ec4a0453664186b15fdb0bb2fb5fcd8fb3ad30",
-    "zh:7927f4f634c9e072d4aa6620d09e97dc83eeb1dbd0667102086779cd5fc495c1",
-    "zh:84e7c2a3f3de721a54abe4c971d9a163127f5e4af91d023260fea305ac74bcf4",
-    "zh:92af52aaac518c426164eb731d282f51a5825e64e6a02b0695952177a7af7d9c",
-    "zh:a6920a54d5df69342f4ea2d903676145b00e7375d2f2eecc0840858d83b3b4a8",
-    "zh:ac8a60801fc55fd05b3471778f908ed43072e046997c0082644c9602b84dafec",
-    "zh:b1cc29e2878aa94a3827fd5e1dd8cffb98397aa4093d6a4852c6e53157e9b35f",
-    "zh:c2d78f308c4d70a16ef4f6d1f4822a64f8f160d0a207f2121904cdd6f4942db4",
-    "zh:ca970e5776f408059a84b4e17f6ac257ec92afae956be74f3807c548e4567eaa",
-    "zh:eb2e3650ee0eec033207b6d72fcb938dc5846c6feb8a61ae30d61981ea411269",
-    "zh:fcb93e51c84ba592bc2b075d7342e475126e5029620959666999b5b1bd11cb98",
+    "h1:p9AGeRqK50wTHEIp7z7O4MUP83cs+lt7wPajZ9m9TB8=",
+    "zh:0e856d3b13614bc32346a236a8e84ba55ecd17238c2008d4b3e71aa8cb49f515",
+    "zh:2dcc44cd499c18ebbc4f763eff97a7b725763c8ac8fbb5d69c935413ccdc4962",
+    "zh:434100fc75ec7cd6b64cc9497e8273e79325fa8d285e9fd9d341c1a67421643b",
+    "zh:483484f66d2e8ce6fa4bfd91e824ceebf07d10acb5df5f366397c55227c4ae91",
+    "zh:596743a6f1c77a6f103b06ef8d932fe8f2376793b92478853dc84571d17c429f",
+    "zh:5ed2d5eb7db13229baaf042c725d5c64b58ffdcc641370175e0a88900af94bf1",
+    "zh:8aecd4cf782c82bee01098f72fe4ffff83707516007b32a01c7fcb19a9260338",
+    "zh:928c05ecac309287ff7d73ed6e478350fe3003557658ae5dc2be817a4268dba7",
+    "zh:9b9fd36dfb3e75da8b4478485272505ae9a3c67b10db173e1d2d76cfe2b637b8",
+    "zh:ab7cd8c61ab67a045854e32f0be1940a92746770dbf3c17bbe923e0259c4f897",
+    "zh:bb1360ec19a4fc1095d0ef1b7b6c5c3c1a91daac7cd1957d43a4cdbb7356a2e3",
+    "zh:d2186f4063aa1a547b52a53745d472e43f5343bc1674f2bbb91421c61b0fab50",
+    "zh:d74bbb67a77951b18ffd7b2863954e70ac03450ad2023cc305c66a5ff25d8d18",
+    "zh:f5970569ea0a479bbfbf2d452f5962e1c9bd472b82756db822d0e951363daa25",
  ]
 }

 provider "registry.terraform.io/hashicorp/random" {
-  version     = "3.7.2"
+  version     = "3.8.1"
  constraints = ">= 3.5.0"
  hashes = [
-    "h1:356j/3XnXEKr9nyicLUufzoF4Yr6hRy481KIxRVpK0c=",
-    "zh:14829603a32e4bc4d05062f059e545a91e27ff033756b48afbae6b3c835f508f",
-    "zh:1527fb07d9fea400d70e9e6eb4a2b918d5060d604749b6f1c361518e7da546dc",
-    "zh:1e86bcd7ebec85ba336b423ba1db046aeaa3c0e5f921039b3f1a6fc2f978feab",
-    "zh:24536dec8bde66753f4b4030b8f3ef43c196d69cccbea1c382d01b222478c7a3",
-    "zh:29f1786486759fad9b0ce4fdfbbfece9343ad47cd50119045075e05afe49d212",
-    "zh:4d701e978c2dd8604ba1ce962b047607701e65c078cb22e97171513e9e57491f",
+    "h1:u8AKlWVDTH5r9YLSeswoVEjiY72Rt4/ch7U+61ZDkiQ=",
+    "zh:08dd03b918c7b55713026037c5400c48af5b9f468f483463321bd18e17b907b4",
+    "zh:0eee654a5542dc1d41920bbf2419032d6f0d5625b03bd81339e5b33394a3e0ae",
+    "zh:229665ddf060aa0ed315597908483eee5b818a17d09b6417a0f52fd9405c4f57",
+    "zh:2469d2e48f28076254a2a3fc327f184914566d9e40c5780b8d96ebf7205f8bc0",
+    "zh:37d7eb334d9561f335e748280f5535a384a88675af9a9eac439d4cfd663bcb66",
+    "zh:741101426a2f2c52dee37122f0f4a2f2d6af6d852cb1db634480a86398fa3511",
    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
-    "zh:7b8434212eef0f8c83f5a90c6d76feaf850f6502b61b53c329e85b3b281cba34",
-    "zh:ac8a23c212258b7976e1621275e3af7099e7e4a3d4478cf8d5d2a27f3bc3e967",
-    "zh:b516ca74431f3df4c6cf90ddcdb4042c626e026317a33c53f0b445a3d93b720d",
-    "zh:dc76e4326aec2490c1600d6871a95e78f9050f9ce427c71707ea412a2f2f1a62",
-    "zh:eac7b63e86c749c7d48f527671c7aee5b4e26c10be6ad7232d6860167f99dbb0",
+    "zh:a902473f08ef8df62cfe6116bd6c157070a93f66622384300de235a533e9d4a9",
+    "zh:b85c511a23e57a2147355932b3b6dce2a11e856b941165793a0c3d7578d94d05",
+    "zh:c5172226d18eaac95b1daac80172287b69d4ce32750c82ad77fa0768be4ea4b8",
+    "zh:dab4434dba34aad569b0bc243c2d3f3ff86dd7740def373f2a49816bd2ff819b",
+    "zh:f49fd62aa8c5525a5c17abd51e27ca5e213881d58882fd42fec4a545b53c9699",
  ]
 }
--- a/terraform/authentik/README.md
+++ b/terraform/authentik/README.md
@@ -1,55 +1,81 @@
-# Authentik Terraform Module
+# Authentik Terraform Configuration

-Terraform module for managing Authentik applications with OAuth2/OpenID and Proxy providers, including automatic Outpost assignment.
+Root Terraform configuration for managing Authentik SSO — applications (OAuth2/OIDC, Proxy, SAML), groups, outposts, flows, certificates, and property mappings.
+
+State is stored in Terraform Cloud (organization `ultradesu`, workspace `Authentik`).
+
+## Structure
+
+```
+.
+├── main.tf                      # Resources: groups, outposts, policy bindings, module calls
+├── variables.tf                 # Input variable definitions
+├── outputs.tf                   # Outputs (app details, groups, flows, wiki data)
+├── providers.tf                 # Authentik provider (goauthentik/authentik 2025.12.1)
+├── state.tf                     # Terraform Cloud backend
+├── terraform.tfvars             # General settings: authentik_url, outposts, flows, tags
+├── oauth2-apps.auto.tfvars      # OAuth2/OIDC application definitions
+├── proxy-apps.auto.tfvars       # Proxy application definitions
+├── groups.auto.tfvars           # Group definitions
+└── modules/
+    ├── oauth-provider/          # OAuth2/OIDC provider + application
+    ├── proxy-provider/          # Proxy provider + application
+    └── saml-provider/           # SAML provider + application
+```

 ## Usage

+```bash
+# Set the API token
+export TF_VAR_authentik_token="..."
+
+terraform init
+terraform plan
+terraform apply
+```
+
+All `*.auto.tfvars` files are loaded automatically — no `-var-file` flags needed.
+
+## Adding applications
+
+OAuth2/OIDC — add to `oauth2-apps.auto.tfvars`:
+
 ```hcl
-module "authentik" {
-  source = "./authentik"
-
-  authentik_url   = "https://auth.example.com"
-  authentik_token = var.authentik_token
-
-  oauth_applications = {
-    "gitlab" = {
-      name         = "GitLab OAuth"
-      slug         = "gitlab"
-      redirect_uris = ["https://gitlab.example.com/users/auth/openid_connect/callback"]
-    }
-  }
-
-  proxy_applications = {
-    "portainer" = {
-      name          = "Portainer"
-      slug          = "portainer"
-      external_host = "https://portainer.example.com"
-      internal_host = "http://portainer:9000"
-      outpost       = "k8s-outpost"
-    }
-  }
-
-  outposts = {
-    "k8s-outpost" = {
-      name = "Kubernetes Outpost"
-      type = "proxy"
-      service_connection = "k8s-local"
-    }
+oauth_applications = {
+  "my-app" = {
+    name          = "My App"
+    slug          = "my-app"
+    group         = "Tools"
+    redirect_uris = ["https://my-app.example.com/callback"]
+    create_group  = true
+    access_groups = ["admins"]
  }
 }
 ```

-## Structure
+Proxy — add to `proxy-apps.auto.tfvars`:

- `main.tf` - Main configuration
- `variables.tf` - Input variables  
- `outputs.tf` - Output values
- `modules/oauth-provider/` - OAuth2/OIDC provider module
- `modules/proxy-provider/` - Proxy provider module
- `terraform.tfvars.example` - Configuration example
+```hcl
+proxy_applications = {
+  "my-proxy" = {
+    name          = "My Proxy"
+    slug          = "my-proxy"
+    group         = "Tools"
+    external_host = "https://my-proxy.example.com"
+    internal_host = "http://my-service.namespace.svc:80"
+    outpost       = "kubernetes-outpost"
+    create_group  = true
+    access_groups = ["admins"]
+  }
+}
+```
+
+## CI/CD
+
+Managed via Gitea Actions (`.gitea/workflows/authentik-apps.yaml`). Runs `terraform apply` on push to `main` when files in `terraform/authentik/` change. Also generates a wiki page with the applications list.

 ## Requirements

 - Terraform >= 1.0
- Authentik provider >= 2023.10.0
- Authentik API token with admin permissions
+- goauthentik/authentik provider 2025.12.1
+- Authentik API token with admin permissions
--- a/terraform/authentik/groups.auto.tfvars
+++ b/terraform/authentik/groups.auto.tfvars
--- a/terraform/authentik/main.tf
+++ b/terraform/authentik/main.tf
@@ -31,7 +31,7 @@ resource "authentik_group" "child_groups" {

  name         = each.value.name
  is_superuser = each.value.is_superuser
-  parent       = authentik_group.root_groups[each.value.parent].id
+  parents      = authentik_group.root_groups[each.value.parent].id
  attributes   = jsonencode(each.value.attributes)

  depends_on = [authentik_group.root_groups]
@@ -305,4 +305,4 @@ resource "authentik_outpost" "outposts" {
    module.oauth_applications,
    module.proxy_applications
  ]
-}
+}
--- a/terraform/authentik/oauth2-apps.auto.tfvars
+++ b/terraform/authentik/oauth2-apps.auto.tfvars
@@ -126,15 +126,15 @@ oauth_applications = {
  }

  "home-assistant-lms" = {
-    name                       = "Home Assistant LMS"
-    slug                       = "home-assistant-lms"
-    group                      = "Internal"
-    meta_description           = "Home Assistant Limassol"
-    meta_icon                  = "https://img.icons8.com/stickers/100/smart-home-automation.png"
-    redirect_uris              = [
+    name             = "Home Assistant LMS"
+    slug             = "home-assistant-lms"
+    group            = "Internal"
+    meta_description = "Home Assistant Limassol"
+    meta_icon        = "https://img.icons8.com/stickers/100/smart-home-automation.png"
+    redirect_uris = [
      "http://ha-lms:8123/auth/oidc/callback",
      "http://ha-lms.homenet:8123/auth/oidc/callback",
-      ]
+    ]
    meta_launch_url            = "http://ha-lms:8123/auth/oidc/welcome"
    client_type                = "confidential"
    include_claims_in_id_token = true
@@ -147,15 +147,15 @@ oauth_applications = {
    signing_key                = "1b1b5bec-034a-4d96-871a-133f11322360"
  }
  "home-assistant-london" = {
-    name                       = "Home Assistant London"
-    slug                       = "home-assistant-london"
-    group                      = "Internal"
-    meta_description           = "Home Assistant London"
-    meta_icon                  = "https://img.icons8.com/stickers/100/smart-home-automation.png"
-    redirect_uris              = [
+    name             = "Home Assistant London"
+    slug             = "home-assistant-london"
+    group            = "Internal"
+    meta_description = "Home Assistant London"
+    meta_icon        = "https://img.icons8.com/stickers/100/smart-home-automation.png"
+    redirect_uris = [
      "http://ha-london:8123/auth/oidc/callback",
      "http://ha-london.tail2fe2d.ts.net:8123/auth/oidc/callback",
-      ]
+    ]
    meta_launch_url            = "http://ha-london:8123/auth/oidc/welcome"
    client_type                = "confidential"
    include_claims_in_id_token = true
@@ -169,14 +169,14 @@ oauth_applications = {
  }

  "openwebui" = {
-    name                       = "OpenWeb UI"
-    slug                       = "openwebui"
-    group                      = "Tools"
-    meta_description           = "OpenWeb UI"
-    meta_icon                  = "https://ollama.com/public/ollama.png"
-    redirect_uris              = [
+    name             = "OpenWeb UI"
+    slug             = "openwebui"
+    group            = "Tools"
+    meta_description = "OpenWeb UI"
+    meta_icon        = "https://ollama.com/public/ollama.png"
+    redirect_uris = [
      "https://ai.hexor.cy/oauth/oidc/callback",
-      ]
+    ]
    meta_launch_url            = "https://ai.hexor.cy"
    client_type                = "confidential"
    include_claims_in_id_token = true
@@ -188,5 +188,45 @@ oauth_applications = {
    create_group               = true
    signing_key                = "1b1b5bec-034a-4d96-871a-133f11322360"
  }
+  "matrix" = {
+    name             = "Matrix Chat"
+    slug             = "matrix"
+    group            = "Tools"
+    meta_description = "Matrix Chat"
+    meta_icon        = "https://img.icons8.com/ios/100/40C057/matrix-logo.png"
+    redirect_uris = [
+      "https://auth.matrix.hexor.cy/upstream/callback/001KKV4EKY7KG98W2M9T806K6A",
+    ]
+    meta_launch_url            = "https://chat.matrix.hexor.cy"
+    client_type                = "confidential"
+    include_claims_in_id_token = true
+    access_code_validity       = "minutes=1"
+    access_token_validity      = "minutes=5"
+    refresh_token_validity     = "days=30"
+    scope_mappings             = ["openid", "profile", "email"]
+    access_groups              = []
+    create_group               = false
+    signing_key                = "1b1b5bec-034a-4d96-871a-133f11322360"
+  }
+  "furumi-ng-web" = {
+    name             = "Furumi Web Player"
+    slug             = "furumi-ng-web"
+    group            = "Tools"
+    meta_description = "Furumi Web Player"
+    meta_icon        = "https://img.icons8.com/pulsar-color/48/music.png"
+    redirect_uris = [
+      "https://music.hexor.cy/auth/callback",
+    ]
+    meta_launch_url            = "https://music.hexor.cy"
+    client_type                = "confidential"
+    include_claims_in_id_token = true
+    access_code_validity       = "minutes=1"
+    access_token_validity      = "minutes=5"
+    refresh_token_validity     = "days=30"
+    scope_mappings             = ["openid", "profile", "email"]
+    access_groups              = []
+    create_group               = true
+    signing_key                = "1b1b5bec-034a-4d96-871a-133f11322360"
+  }
 }

--- a/terraform/authentik/providers.tf
+++ b/terraform/authentik/providers.tf
@@ -2,7 +2,7 @@ terraform {
  required_providers {
    authentik = {
      source  = "goauthentik/authentik"
-      version = "2025.8.1"
+      version = "2025.12.1"
    }
  }
 }
@@ -10,4 +10,4 @@ terraform {
 provider "authentik" {
  url   = var.authentik_url
  token = var.authentik_token
-}
+}
--- a/terraform/authentik/proxy-apps.auto.tfvars
+++ b/terraform/authentik/proxy-apps.auto.tfvars
@@ -53,6 +53,23 @@ proxy_applications = {
    meta_description             = ""
    skip_path_regex              = <<-EOT
 /webhook
+EOT
+    meta_icon                    = "https://img.icons8.com/ios-filled/50/password.png"
+    mode                         = "proxy"
+    outpost                      = "kubernetes-outpost"
+    create_group                 = true
+    access_groups                = ["admins"]
+  }
+  "mtproxy-links" = {
+    name                         = "mtproxy-links"
+    slug                         = "mtproxy-links"
+    group                        = "Core"
+    external_host                = "https://proxy.hexor.cy"
+    internal_host                = "http://secret-reader.mtproxy.svc:80"
+    internal_host_ssl_validation = false
+    meta_description             = ""
+    skip_path_regex              = <<-EOT
+/webhook
 EOT
    meta_icon                    = "https://img.icons8.com/ios-filled/50/password.png"
    mode                         = "proxy"
@@ -62,45 +79,6 @@ EOT
  }

  # Tools applications
-  "vpn" = {
-    name                         = "VPN"
-    slug                         = "vpn"
-    group                        = "Tools"
-    external_host                = "https://of.hexor.cy"
-    internal_host                = "http://outfleet.vpn.svc"
-    internal_host_ssl_validation = false
-    meta_description             = ""
-    skip_path_regex              = <<-EOT
-/u/
-/stat/
-/ss/
-/xray/
-/dynamic/
-EOT
-    meta_icon                    = "https://img.icons8.com/?size=100&id=fqAD3lAB6zTe&format=png&color=000000"
-    mode                         = "proxy"
-    outpost                      = "kubernetes-outpost"
-    create_group                 = true
-    access_groups                = ["admins"]
-  }
-
-  "outfleet-rs" = {
-    name                         = "OutFleet"
-    slug                         = "outfleet-rs"
-    group                        = "Tools"
-    external_host                = "https://vpn.hexor.cy"
-    internal_host                = "http://outfleet-rs.vpn.svc"
-    internal_host_ssl_validation = false
-    meta_description             = ""
-    skip_path_regex              = <<-EOT
-/sub/
-EOT
-    meta_icon                    = "https://img.icons8.com/?size=100&id=fqAD3lAB6zTe&format=png&color=000000"
-    mode                         = "proxy"
-    outpost                      = "kubernetes-outpost"
-    create_group                 = true
-    access_groups                = ["admins"]
-  }
  "qbittorrent" = {
    name                         = "qBittorent"
    slug                         = "qbittorent"
@@ -173,7 +151,7 @@ EOT
    meta_icon                    = "https://img.icons8.com/liquid-glass/48/key.png"
    mode                         = "proxy"
    outpost                      = "kubernetes-outpost"
-    access_groups                = ["admins", "khm"] # Используем существующие группы
+    access_groups                = ["admins", "khm"]
    create_group                 = true
    access_groups                = ["admins"]
  }
@@ -213,5 +191,20 @@ EOT
    create_group                 = true
    access_groups                = ["admins"]
  }
+  "ollama-public" = {
+    name                         = "Ollama Public"
+    slug                         = "ollama-public"
+    group                        = "AI"
+    external_host                = "https://ollama.hexor.cy"
+    internal_host                = "http://ollama.ollama.svc:11434"
+    internal_host_ssl_validation = false
+    meta_description             = ""
+    meta_icon                    = "https://img.icons8.com/external-icongeek26-outline-icongeek26/64/external-llama-animal-head-icongeek26-outline-icongeek26.png"
+    mode                         = "proxy"
+    outpost                      = "kubernetes-outpost"
+    access_groups                = ["admins"]
+    create_group                 = true
+    access_groups                = ["admins"]
+  }
 }

--- a/terraform/authentik/variables.tf
+++ b/terraform/authentik/variables.tf
@@ -4,7 +4,7 @@ variable "oauth_applications" {
    name                       = string
    slug                       = string
    group                      = optional(string, "")
-    policy_engine_mode         = optional(string, "all")
+    policy_engine_mode         = optional(string, "any")
    meta_description           = optional(string, "")
    meta_launch_url            = optional(string, "")
    meta_icon                  = optional(string, "")
@@ -32,7 +32,7 @@ variable "proxy_applications" {
    name                          = string
    slug                          = string
    group                         = optional(string, "")
-    policy_engine_mode            = optional(string, "all")
+    policy_engine_mode            = optional(string, "any")
    meta_description              = optional(string, "")
    meta_launch_url               = optional(string, "")
    meta_icon                     = optional(string, "")
@@ -60,7 +60,7 @@ variable "saml_applications" {
    name                            = string
    slug                            = string
    group                           = optional(string, "")
-    policy_engine_mode              = optional(string, "all")
+    policy_engine_mode              = optional(string, "any")
    meta_description                = optional(string, "")
    meta_launch_url                 = optional(string, "")
    meta_icon                       = optional(string, "")
@@ -95,7 +95,7 @@ variable "flows" {
    title              = string
    slug               = string
    designation        = string
-    policy_engine_mode = optional(string, "all")
+    policy_engine_mode = optional(string, "any")
    compatibility_mode = optional(bool, false)
    layout             = optional(string, "stacked")
    denied_action      = optional(string, "message_continue")