Auto-update README with current k8s applications

Generated by CI/CD workflow on 2026-03-16 10:11:56

This PR updates the README.md file with the current list of applications found in the k8s/ directory structure.

README.md

@@ -49,6 +49,7 @@ ArgoCD homelab project
 | **k8s-secrets** | [![k8s-secrets](https://ag.hexor.cy/api/badge?name=k8s-secrets&revision=true)](https://ag.hexor.cy/applications/argocd/k8s-secrets) |
 | **khm** | [![khm](https://ag.hexor.cy/api/badge?name=khm&revision=true)](https://ag.hexor.cy/applications/argocd/khm) |
 | **lidarr** | [![lidarr](https://ag.hexor.cy/api/badge?name=lidarr&revision=true)](https://ag.hexor.cy/applications/argocd/lidarr) |
+| **matrix** | [![matrix](https://ag.hexor.cy/api/badge?name=matrix&revision=true)](https://ag.hexor.cy/applications/argocd/matrix) |
 | **mtproxy** | [![mtproxy](https://ag.hexor.cy/api/badge?name=mtproxy&revision=true)](https://ag.hexor.cy/applications/argocd/mtproxy) |
 | **n8n** | [![n8n](https://ag.hexor.cy/api/badge?name=n8n&revision=true)](https://ag.hexor.cy/applications/argocd/n8n) |
 | **ollama** | [![ollama](https://ag.hexor.cy/api/badge?name=ollama&revision=true)](https://ag.hexor.cy/applications/argocd/ollama) |

k8s/apps/matrix/app.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: matrix
+  namespace: argocd
+spec:
+  project: apps
+  destination:
+    namespace: matrix
+    server: https://kubernetes.default.svc
+  source:
+    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
+    targetRevision: HEAD
+    path: k8s/apps/matrix
+  syncPolicy:
+    automated:
+      selfHeal: true
+      prune: true
+    syncOptions:
+      - CreateNamespace=true

k8s/apps/matrix/external-secrets.yaml

@@ -0,0 +1,82 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: matrix-postgres-creds
+spec:
+  target:
+    name: matrix-postgres-creds
+    deletionPolicy: Delete
+    template:
+      type: Opaque
+      data:
+        synapse_db_password: |-
+          {{ .synapse_db_password }}
+        mas_db_password: |-
+          {{ .mas_db_password }}
+  data:
+    - secretKey: synapse_db_password
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: CHANGE_ME
+        property: CHANGE_ME
+    - secretKey: mas_db_password
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: CHANGE_ME
+        property: CHANGE_ME
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: matrix-oidc-config
+spec:
+  target:
+    name: matrix-oidc-config
+    deletionPolicy: Delete
+    template:
+      type: Opaque
+      data:
+        mas-oidc.yaml: |
+          upstream_oauth2:
+            providers:
+              - id: authentik
+                human_name: Authentik
+                issuer: https://idm.hexor.cy/application/o/matrix/
+                client_id: {{ .oauth_client_id }}
+                client_secret: {{ .oauth_client_secret }}
+                scope: "openid profile email"
+                claims_imports:
+                  localpart:
+                    action: require
+                    template: "{{ `{{ user.preferred_username }}` }}"
+                  displayname:
+                    action: suggest
+                    template: "{{ `{{ user.name }}` }}"
+                  email:
+                    action: suggest
+                    template: "{{ `{{ user.email }}` }}"
+                    set_email_verification: always
+  data:
+    - secretKey: oauth_client_id
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: CHANGE_ME
+        property: CHANGE_ME
+    - secretKey: oauth_client_secret
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: CHANGE_ME
+        property: CHANGE_ME

k8s/apps/matrix/kustomization.yaml

@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - app.yaml
+  - external-secrets.yaml
+
+helmCharts:
+  - name: matrix-stack
+    repo: oci://ghcr.io/element-hq/ess-helm
+    version: 26.2.3
+    releaseName: matrix-stack
+    namespace: matrix
+    valuesFile: matrix-stack-values.yaml
+    includeCRDs: true

k8s/apps/matrix/matrix-stack-values.yaml

@@ -0,0 +1,85 @@
+## Matrix server name - appears in @user:matrix.hexor.cy
+serverName: matrix.hexor.cy
+
+## Use letsencrypt cluster issuer for all ingresses
+certManager:
+  clusterIssuer: letsencrypt
+
+## Global ingress settings
+ingress:
+  className: traefik
+  annotations:
+    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
+
+## Disable built-in PostgreSQL - using external database
+postgres:
+  enabled: false
+
+## Disable components we don't need yet
+matrixRTC:
+  enabled: false
+hookshot:
+  enabled: false
+haproxy:
+  enabled: false
+
+## Synapse homeserver
+synapse:
+  enabled: true
+  postgres:
+    host: psql.psql.svc
+    port: 5432
+    user: synapse
+    database: synapse
+    sslMode: prefer
+    password:
+      secret: matrix-postgres-creds
+      secretKey: synapse_db_password
+  media:
+    storage:
+      size: 20Gi
+    maxUploadSize: 100M
+  # nodeSelector:
+  #   kubernetes.io/hostname: nas.homenet
+
+## Matrix Authentication Service
+matrixAuthenticationService:
+  enabled: true
+  postgres:
+    host: psql.psql.svc
+    port: 5432
+    user: mas
+    database: mas
+    sslMode: prefer
+    password:
+      secret: matrix-postgres-creds
+      secretKey: mas_db_password
+  ## Authentik OIDC upstream provider
+  additional:
+    0-oidc:
+      configSecret: matrix-oidc-config
+      configSecretKey: mas-oidc.yaml
+  # nodeSelector:
+  #   kubernetes.io/hostname: nas.homenet
+
+## Element Web client
+elementWeb:
+  enabled: true
+  ingress:
+    host: chat.hexor.cy
+  # nodeSelector:
+  #   kubernetes.io/hostname: nas.homenet
+
+## Element Admin panel
+elementAdmin:
+  enabled: true
+  ingress:
+    host: matrix-admin.hexor.cy
+  # nodeSelector:
+  #   kubernetes.io/hostname: nas.homenet
+
+## Well-known delegation on the base domain
+wellKnownDelegation:
+  enabled: true
+  ingress:
+    host: matrix.hexor.cy

k8s/core/cert-manager/kustomization.yaml

@@ -10,7 +10,7 @@ resources:
 helmCharts:
   - name: cert-manager
     repo: https://charts.jetstack.io
-    version: 1.19.1
+    version: 1.20.0
     releaseName: cert-manager
     namespace: cert-manager
     valuesFile: values.yaml

k8s/core/postgresql/external-secrets.yaml

@@ -127,6 +127,10 @@ spec:
           {{ .mmdl }}
         USER_n8n: |-
           {{ .n8n }}
+        USER_synapse: |-
+          {{ .synapse }}
+        USER_mas: |-
+          {{ .mas }}
   data:
     - secretKey: authentik
       sourceRef:
@@ -271,4 +275,26 @@ spec:
         metadataPolicy: None
         key: 2a9deb39-ef22-433e-a1be-df1555625e22
         property: fields[13].value
+    - secretKey: synapse
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
+        key: 2a9deb39-ef22-433e-a1be-df1555625e22
+        property: fields[14].value
+    - secretKey: mas
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
+        key: 2a9deb39-ef22-433e-a1be-df1555625e22
+        property: fields[15].value
 

terraform/authentik/.claude/settings.local.json

@@ -1,23 +0,0 @@
-{
-  "permissions": {
-    "allow": [
-      "WebSearch",
-      "WebFetch(domain:registry.terraform.io)",
-      "Bash(C:UsersabAppDataLocalMicrosoftWinGetPackagesHashicorp.Terraform_Microsoft.Winget.Source_8wekyb3d8bbweterraform.exe apply -auto-approve)",
-      "Bash(\"C:\\Users\\ab\\AppData\\Local\\Microsoft\\WinGet\\Packages\\Hashicorp.Terraform_Microsoft.Winget.Source_8wekyb3d8bbwe\\terraform.exe\" apply -auto-approve)",
-      "Bash(\"C:\\Users\\ab\\AppData\\Local\\Microsoft\\WinGet\\Packages\\Hashicorp.Terraform_Microsoft.Winget.Source_8wekyb3d8bbwe\\terraform.exe\" apply -auto-approve -lock=false)",
-      "Bash(\"C:\\Users\\ab\\AppData\\Local\\Microsoft\\WinGet\\Packages\\Hashicorp.Terraform_Microsoft.Winget.Source_8wekyb3d8bbwe\\terraform.exe\" plan -lock=false)",
-      "Bash(\"C:\\Users\\ab\\AppData\\Local\\Microsoft\\WinGet\\Packages\\Hashicorp.Terraform_Microsoft.Winget.Source_8wekyb3d8bbwe\\terraform.exe\" apply -replace=\"authentik_outpost.outposts[\"\"kubernetes-outpost\"\"]\" -auto-approve -lock=false)",
-      "Bash(terraform plan:*)",
-      "Bash(terraform state:*)",
-      "Bash(TF_VAR_authentik_token=ZDTbu4OKl0UcmdYKG5XgkRThZO7vWX2xz0w5vP2d8sudIr44ccwKOby6iRUa terraform plan:*)",
-      "Bash(TF_VAR_authentik_token=ZDTbu4OKl0UcmdYKG5XgkRThZO7vWX2xz0w5vP2d8sudIr44ccwKOby6iRUa terraform force-unlock:*)",
-      "Bash(git:*)",
-      "Bash(TF_VAR_authentik_token=ZDTbu4OKl0UcmdYKG5XgkRThZO7vWX2xz0w5vP2d8sudIr44ccwKOby6iRUa terraform state:*)",
-      "Bash(terraform version:*)",
-      "Bash(curl:*)"
-    ],
-    "deny": [],
-    "ask": []
-  }
-}