Auto-update README with current k8s applications

Generated by CI/CD workflow on 2026-03-14 13:17:11 This PR updates the README.md file with the current list of applications found in the k8s/ directory structure.
2026-03-14 13:17:11 +00:00
9 changed files with 24 additions and 268 deletions
--- a/README.md
+++ b/README.md
@@ -49,7 +49,6 @@ ArgoCD homelab project
 | **k8s-secrets** | [![k8s-secrets](https://ag.hexor.cy/api/badge?name=k8s-secrets&revision=true)](https://ag.hexor.cy/applications/argocd/k8s-secrets) |
 | **khm** | [![khm](https://ag.hexor.cy/api/badge?name=khm&revision=true)](https://ag.hexor.cy/applications/argocd/khm) |
 | **lidarr** | [![lidarr](https://ag.hexor.cy/api/badge?name=lidarr&revision=true)](https://ag.hexor.cy/applications/argocd/lidarr) |
 | **matrix** | [![matrix](https://ag.hexor.cy/api/badge?name=matrix&revision=true)](https://ag.hexor.cy/applications/argocd/matrix) |
 | **mtproxy** | [![mtproxy](https://ag.hexor.cy/api/badge?name=mtproxy&revision=true)](https://ag.hexor.cy/applications/argocd/mtproxy) |
 | **n8n** | [![n8n](https://ag.hexor.cy/api/badge?name=n8n&revision=true)](https://ag.hexor.cy/applications/argocd/n8n) |
 | **ollama** | [![ollama](https://ag.hexor.cy/api/badge?name=ollama&revision=true)](https://ag.hexor.cy/applications/argocd/ollama) |
--- a/k8s/apps/matrix/app.yaml
+++ b/k8s/apps/matrix/app.yaml
@@ -1,20 +0,0 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: matrix
  namespace: argocd
 spec:
  project: apps
  destination:
    namespace: matrix
    server: https://kubernetes.default.svc
  source:
    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
    targetRevision: HEAD
    path: k8s/apps/matrix
  syncPolicy:
    automated:
      selfHeal: true
      prune: true
    syncOptions:
      - CreateNamespace=true
--- a/k8s/apps/matrix/external-secrets.yaml
+++ b/k8s/apps/matrix/external-secrets.yaml
@@ -1,95 +0,0 @@
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: matrix-postgres-creds
 spec:
  target:
    name: matrix-postgres-creds
    deletionPolicy: Delete
    template:
      type: Opaque
      data:
        synapse_db_password: |-
          {{ .synapse_db_password }}
        mas_db_password: |-
          {{ .mas_db_password }}
  data:
    - secretKey: synapse_db_password
      sourceRef:
        storeRef:
          name: vaultwarden-login
          kind: ClusterSecretStore
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        metadataPolicy: None
        key: 2a9deb39-ef22-433e-a1be-df1555625e22
        property: fields[14].value
    - secretKey: mas_db_password
      sourceRef:
        storeRef:
          name: vaultwarden-login
          kind: ClusterSecretStore
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        metadataPolicy: None
        key: 2a9deb39-ef22-433e-a1be-df1555625e22
        property: fields[15].value
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: matrix-oidc-config
 spec:
  target:
    name: matrix-oidc-config
    deletionPolicy: Delete
    template:
      type: Opaque
      data:
        mas-oidc.yaml: |
          upstream_oauth2:
            providers:
              - id: 001KKV4EKY7KG98W2M9T806K6A
                human_name: Authentik
                issuer: https://idm.hexor.cy/application/o/matrix/
                client_id: "{{ .oauth_client_id }}"
                client_secret: "{{ .oauth_client_secret }}"
                token_endpoint_auth_method: client_secret_post
                scope: "openid profile email"
                claims_imports:
                  localpart:
                    action: require
                    template: "{{ `{{ user.preferred_username }}` }}"
                  displayname:
                    action: suggest
                    template: "{{ `{{ user.name }}` }}"
                  email:
                    action: suggest
                    template: "{{ `{{ user.email }}` }}"
                    set_email_verification: always
  data:
    - secretKey: oauth_client_id
      sourceRef:
        storeRef:
          name: vaultwarden-login
          kind: ClusterSecretStore
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        metadataPolicy: None
        key: ca76867f-49f3-4a30-9ef3-b05af35ee49a
        property: fields[0].value
    - secretKey: oauth_client_secret
      sourceRef:
        storeRef:
          name: vaultwarden-login
          kind: ClusterSecretStore
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        metadataPolicy: None
        key: ca76867f-49f3-4a30-9ef3-b05af35ee49a
        property: fields[1].value
--- a/k8s/apps/matrix/kustomization.yaml
+++ b/k8s/apps/matrix/kustomization.yaml
@@ -1,15 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - app.yaml
  - external-secrets.yaml
 helmCharts:
  - name: matrix-stack
    repo: oci://ghcr.io/element-hq/ess-helm
    version: 26.2.3
    releaseName: matrix-stack
    namespace: matrix
    valuesFile: matrix-stack-values.yaml
    includeCRDs: true
--- a/k8s/apps/matrix/matrix-stack-values.yaml
+++ b/k8s/apps/matrix/matrix-stack-values.yaml
@@ -1,90 +0,0 @@
 ## Matrix server name - appears in @user:matrix.hexor.cy
 serverName: matrix.hexor.cy
 ## Use letsencrypt cluster issuer for all ingresses
 certManager:
  clusterIssuer: letsencrypt
 ## Global ingress settings
 ingress:
  className: traefik
  annotations:
    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
 ## Disable built-in PostgreSQL - using external database
 postgres:
  enabled: false
 ## Disable components we don't need yet
 matrixRTC:
  enabled: false
 hookshot:
  enabled: false
 ## Synapse homeserver
 synapse:
  enabled: true
  ingress:
    host: matrix.hexor.cy
  postgres:
    host: psql.psql.svc
    port: 5432
    user: synapse
    database: synapse
    sslMode: prefer
    password:
      secret: matrix-postgres-creds
      secretKey: synapse_db_password
  additional:
    0-unsafe-locale:
      config: |
        database:
          allow_unsafe_locale: true
  media:
    storage:
      size: 20Gi
    maxUploadSize: 100M
  # nodeSelector:
  #   kubernetes.io/hostname: nas.homenet
 ## Matrix Authentication Service
 matrixAuthenticationService:
  enabled: true
  ingress:
    host: auth.matrix.hexor.cy
  postgres:
    host: psql.psql.svc
    port: 5432
    user: mas
    database: mas
    sslMode: prefer
    password:
      secret: matrix-postgres-creds
      secretKey: mas_db_password
  ## Authentik OIDC upstream provider
  additional:
    0-oidc:
      configSecret: matrix-oidc-config
      configSecretKey: mas-oidc.yaml
  # nodeSelector:
  #   kubernetes.io/hostname: nas.homenet
 ## Element Web client
 elementWeb:
  enabled: true
  ingress:
    host: chat.hexor.cy
  # nodeSelector:
  #   kubernetes.io/hostname: nas.homenet
 ## Element Admin panel
 elementAdmin:
  enabled: true
  ingress:
    host: matrix-admin.hexor.cy
  # nodeSelector:
  #   kubernetes.io/hostname: nas.homenet
 ## Well-known delegation on the base domain (host is derived from serverName)
 wellKnownDelegation:
  enabled: true
--- a/k8s/core/cert-manager/kustomization.yaml
+++ b/k8s/core/cert-manager/kustomization.yaml
@@ -10,7 +10,7 @@ resources:
 helmCharts:
  - name: cert-manager
    repo: https://charts.jetstack.io
-    version: 1.20.0
+    version: 1.19.1
    releaseName: cert-manager
    namespace: cert-manager
    valuesFile: values.yaml
--- a/k8s/core/postgresql/external-secrets.yaml
+++ b/k8s/core/postgresql/external-secrets.yaml
@@ -127,10 +127,6 @@ spec:
          {{ .mmdl }}
        USER_n8n: |-
          {{ .n8n }}
        USER_synapse: |-
          {{ .synapse }}
        USER_mas: |-
          {{ .mas }}
  data:
    - secretKey: authentik
      sourceRef:
@@ -275,26 +271,4 @@ spec:
        metadataPolicy: None
        key: 2a9deb39-ef22-433e-a1be-df1555625e22
        property: fields[13].value
    - secretKey: synapse
      sourceRef:
        storeRef:
          name: vaultwarden-login
          kind: ClusterSecretStore
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        metadataPolicy: None
        key: 2a9deb39-ef22-433e-a1be-df1555625e22
        property: fields[14].value
    - secretKey: mas
      sourceRef:
        storeRef:
          name: vaultwarden-login
          kind: ClusterSecretStore
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        metadataPolicy: None
        key: 2a9deb39-ef22-433e-a1be-df1555625e22
        property: fields[15].value
--- a/terraform/authentik/.claude/settings.local.json
+++ b/terraform/authentik/.claude/settings.local.json
@@ -0,0 +1,23 @@
 {
  "permissions": {
    "allow": [
      "WebSearch",
      "WebFetch(domain:registry.terraform.io)",
      "Bash(C:UsersabAppDataLocalMicrosoftWinGetPackagesHashicorp.Terraform_Microsoft.Winget.Source_8wekyb3d8bbweterraform.exe apply -auto-approve)",
      "Bash(\"C:\\Users\\ab\\AppData\\Local\\Microsoft\\WinGet\\Packages\\Hashicorp.Terraform_Microsoft.Winget.Source_8wekyb3d8bbwe\\terraform.exe\" apply -auto-approve)",
      "Bash(\"C:\\Users\\ab\\AppData\\Local\\Microsoft\\WinGet\\Packages\\Hashicorp.Terraform_Microsoft.Winget.Source_8wekyb3d8bbwe\\terraform.exe\" apply -auto-approve -lock=false)",
      "Bash(\"C:\\Users\\ab\\AppData\\Local\\Microsoft\\WinGet\\Packages\\Hashicorp.Terraform_Microsoft.Winget.Source_8wekyb3d8bbwe\\terraform.exe\" plan -lock=false)",
      "Bash(\"C:\\Users\\ab\\AppData\\Local\\Microsoft\\WinGet\\Packages\\Hashicorp.Terraform_Microsoft.Winget.Source_8wekyb3d8bbwe\\terraform.exe\" apply -replace=\"authentik_outpost.outposts[\"\"kubernetes-outpost\"\"]\" -auto-approve -lock=false)",
      "Bash(terraform plan:*)",
      "Bash(terraform state:*)",
      "Bash(TF_VAR_authentik_token=ZDTbu4OKl0UcmdYKG5XgkRThZO7vWX2xz0w5vP2d8sudIr44ccwKOby6iRUa terraform plan:*)",
      "Bash(TF_VAR_authentik_token=ZDTbu4OKl0UcmdYKG5XgkRThZO7vWX2xz0w5vP2d8sudIr44ccwKOby6iRUa terraform force-unlock:*)",
      "Bash(git:*)",
      "Bash(TF_VAR_authentik_token=ZDTbu4OKl0UcmdYKG5XgkRThZO7vWX2xz0w5vP2d8sudIr44ccwKOby6iRUa terraform state:*)",
      "Bash(terraform version:*)",
      "Bash(curl:*)"
    ],
    "deny": [],
    "ask": []
  }
 }
--- a/terraform/authentik/oauth2-apps.auto.tfvars
+++ b/terraform/authentik/oauth2-apps.auto.tfvars
@@ -188,25 +188,5 @@ oauth_applications = {
    create_group               = true
    signing_key                = "1b1b5bec-034a-4d96-871a-133f11322360"
  }
  "matrix" = {
    name             = "Matrix Chat"
    slug             = "matrix"
    group            = "Tools"
    meta_description = "Matrix Chat"
    meta_icon        = "https://img.icons8.com/ios/100/40C057/matrix-logo.png"
    redirect_uris = [
      "https://matrix.hexor.cy/_matrix/client/unstable/org.matrix.msc2965/auth/upstream/callback",
    ]
    meta_launch_url            = "https://matrix.hexor.cy"
    client_type                = "confidential"
    include_claims_in_id_token = true
    access_code_validity       = "minutes=1"
    access_token_validity      = "minutes=5"
    refresh_token_validity     = "days=30"
    scope_mappings             = ["openid", "profile", "email"]
    access_groups              = []
    create_group               = true
    signing_key                = "1b1b5bec-034a-4d96-871a-133f11322360"
  }
 }