Auto-update README with current k8s applications

Generated by CI/CD workflow on 2026-03-13 10:42:20

This PR updates the README.md file with the current list of applications found in the k8s/ directory structure.

README.md

@@ -49,7 +49,6 @@ ArgoCD homelab project
 | **k8s-secrets** | [![k8s-secrets](https://ag.hexor.cy/api/badge?name=k8s-secrets&revision=true)](https://ag.hexor.cy/applications/argocd/k8s-secrets) |
 | **khm** | [![khm](https://ag.hexor.cy/api/badge?name=khm&revision=true)](https://ag.hexor.cy/applications/argocd/khm) |
 | **lidarr** | [![lidarr](https://ag.hexor.cy/api/badge?name=lidarr&revision=true)](https://ag.hexor.cy/applications/argocd/lidarr) |
-| **matrix** | [![matrix](https://ag.hexor.cy/api/badge?name=matrix&revision=true)](https://ag.hexor.cy/applications/argocd/matrix) |
 | **mtproxy** | [![mtproxy](https://ag.hexor.cy/api/badge?name=mtproxy&revision=true)](https://ag.hexor.cy/applications/argocd/mtproxy) |
 | **n8n** | [![n8n](https://ag.hexor.cy/api/badge?name=n8n&revision=true)](https://ag.hexor.cy/applications/argocd/n8n) |
 | **ollama** | [![ollama](https://ag.hexor.cy/api/badge?name=ollama&revision=true)](https://ag.hexor.cy/applications/argocd/ollama) |

k8s/apps/furumi-server/deployment.yaml

@@ -18,43 +18,13 @@ spec:
         kubernetes.io/hostname: master.tail2fe2d.ts.net
       containers:
         - name: furumi-server
-          image: ultradesu/furumi-server:trunk
+          image: ultradesu/furumi-server:latest
           imagePullPolicy: Always
           env:
             - name: FURUMI_TOKEN
-              valueFrom:
-                secretKeyRef:
-                  name: furumi-ng-creds
-                  key: TOKEN
-            - name: FURUMI_OIDC_CLIENT_ID
-              valueFrom:
-                secretKeyRef:
-                  name: furumi-ng-creds
-                  key: OIDC_CLIENT_ID
-            - name: FURUMI_OIDC_CLIENT_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: furumi-ng-creds
-                  key: OIDC_CLIENT_SECRET
-            - name: FURUMI_OIDC_ISSUER_URL
-              valueFrom:
-                secretKeyRef:
-                  name: furumi-ng-creds
-                  key: OIDC_ISSUER_URL
-            - name: FURUMI_OIDC_REDIRECT_URL
-              valueFrom:
-                secretKeyRef:
-                  name: furumi-ng-creds
-                  key: OIDC_REDIRECT_URL
-            - name: FURUMI_OIDC_SESSION_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: furumi-ng-creds
-                  key: OIDC_SESSION_SECRET
+              value: "f38387266e75effe891b7953eb9c06b4"
             - name: FURUMI_ROOT
               value: "/media"
-            - name: RUST_LOG
-              value: "info"
           ports:
             - name: grpc
               containerPort: 50051
@@ -62,9 +32,6 @@ spec:
             - name: metrics
               containerPort: 9090
               protocol: TCP
-            - name: web-ui
-              containerPort: 8080
-              protocol: TCP
           volumeMounts:
             - name: music
               mountPath: /media

k8s/apps/furumi-server/external-secrets.yaml

@@ -1,65 +0,0 @@
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: furumi-ng-creds
-spec:
-  target:
-    name: furumi-ng-creds
-    deletionPolicy: Delete
-    template:
-      type: Opaque
-      data:
-        TOKEN: |-
-          {{ .token }}
-        OIDC_CLIENT_ID: |-
-          {{ .client_id }}
-        OIDC_CLIENT_SECRET: |-
-          {{ .client_secret }}
-        OIDC_ISSUER_URL: https://idm.hexor.cy/application/o/furumi-ng-web/
-        OIDC_REDIRECT_URL: https://music.hexor.cy/auth/callback
-        OIDC_SESSION_SECRET: |-
-          {{ .session_secret }}
-        PG_STRING: |-
-          postgres://furumi:{{ .pg_pass }}@psql.psql.svc:5432/furumi
-  data:
-    - secretKey: token
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        key: b8b8c3a2-c3fe-42d3-9402-0ae305e1455f
-        property: fields[0].value
-    - secretKey: client_id
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        key: b8b8c3a2-c3fe-42d3-9402-0ae305e1455f
-        property: fields[1].value
-    - secretKey: client_secret
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        key: b8b8c3a2-c3fe-42d3-9402-0ae305e1455f
-        property: fields[2].value
-    - secretKey: session_secret
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        key: b8b8c3a2-c3fe-42d3-9402-0ae305e1455f
-        property: fields[3].value
-    - secretKey: pg_pass
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        key: 2a9deb39-ef22-433e-a1be-df1555625e22
-        property: fields[16].value

k8s/apps/furumi-server/ingress.yaml

@@ -1,59 +0,0 @@
----
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: admin-strip
-spec:
-  stripPrefix:
-    prefixes:
-      - /admin
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: furumi-tls-ingress
-  annotations:
-    ingressClassName: traefik
-    cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
-    acme.cert-manager.io/http01-edit-in-place: "true"
-spec:
-  rules:
-    - host: music.hexor.cy
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: furumi-web-player
-                port:
-                  number: 8080
-  tls:
-    - secretName: furumi-tls
-      hosts:
-        - '*.hexor.cy'
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: furumi-admin-ingress
-  annotations:
-    ingressClassName: traefik
-    traefik.ingress.kubernetes.io/router.middlewares: furumi-server-admin-strip@kubernetescrd,kube-system-https-redirect@kubernetescrd
-spec:
-  rules:
-    - host: music.hexor.cy
-      http:
-        paths:
-          - path: /admin
-            pathType: Prefix
-            backend:
-              service:
-                name: furumi-metadata-agent
-                port:
-                  number: 8090
-  tls:
-    - secretName: furumi-tls
-      hosts:
-        - '*.hexor.cy'

k8s/apps/furumi-server/kustomization.yaml

@@ -6,7 +6,3 @@ resources:
   - deployment.yaml
   - service.yaml
   - servicemonitor.yaml
-  - external-secrets.yaml
-  - ingress.yaml
-  - web-player.yaml
-  - metadata-agent.yaml

k8s/apps/furumi-server/metadata-agent.yaml

@@ -1,59 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: furumi-metadata-agent
-  labels:
-    app: furumi-metadata-agent
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: furumi-metadata-agent
-  template:
-    metadata:
-      labels:
-        app: furumi-metadata-agent
-    spec:
-      nodeSelector:
-        kubernetes.io/hostname: master.tail2fe2d.ts.net
-      containers:
-        - name: furumi-metadata-agent
-          image: ultradesu/furumi-metadata-agent:trunk
-          imagePullPolicy: Always
-          env:
-            - name: FURUMI_AGENT_DATABASE_URL
-              valueFrom:
-                secretKeyRef:
-                  name: furumi-ng-creds
-                  key: PG_STRING
-            - name: FURUMI_AGENT_INBOX_DIR
-              value: "/inbox"
-            - name: FURUMI_AGENT_STORAGE_DIR
-              value: "/media"
-            - name: FURUMI_AGENT_OLLAMA_URL
-              value: "http://ollama.ollama.svc:11434"
-            - name: FURUMI_AGENT_OLLAMA_MODEL
-              value: "qwen3:14b"
-            - name: FURUMI_AGENT_POLL_INTERVAL_SECS
-              value: "10"
-            - name: RUST_LOG
-              value: "info"
-          ports:
-            - name: admin-ui
-              containerPort: 8090
-              protocol: TCP
-          volumeMounts:
-            - name: library
-              mountPath: /media
-            - name: inbox
-              mountPath: /inbox
-      volumes:
-        - name: library
-          hostPath:
-            path: /k8s/furumi/library
-            type: DirectoryOrCreate
-        - name: inbox
-          hostPath:
-            path: /k8s/furumi/inbox
-            type: DirectoryOrCreate
-

k8s/apps/furumi-server/service.yaml

@@ -28,35 +28,3 @@ spec:
       protocol: TCP
       port: 9090
       targetPort: 9090
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: furumi-metadata-agent
-  labels:
-    app: furumi-metadata-agent
-spec:
-  type: ClusterIP
-  selector:
-    app: furumi-metadata-agent
-  ports:
-    - name: admin-ui
-      protocol: TCP
-      port: 8090
-      targetPort: 8090
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: furumi-web-player
-  labels:
-    app: furumi-web-player
-spec:
-  type: ClusterIP
-  selector:
-    app: furumi-web-player
-  ports:
-    - name: web-ui
-      protocol: TCP
-      port: 8080
-      targetPort: 8080

k8s/apps/furumi-server/web-player.yaml

@@ -1,70 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: furumi-web-player
-  labels:
-    app: furumi-web-player
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: furumi-web-player
-  template:
-    metadata:
-      labels:
-        app: furumi-web-player
-    spec:
-      nodeSelector:
-        kubernetes.io/hostname: master.tail2fe2d.ts.net
-      containers:
-        - name: furumi-web-player
-          image: ultradesu/furumi-web-player:trunk
-          imagePullPolicy: Always
-          env:
-            - name: FURUMI_PLAYER_OIDC_CLIENT_ID
-              valueFrom:
-                secretKeyRef:
-                  name: furumi-ng-creds
-                  key: OIDC_CLIENT_ID
-            - name: FURUMI_PLAYER_OIDC_CLIENT_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: furumi-ng-creds
-                  key: OIDC_CLIENT_SECRET
-            - name: FURUMI_PLAYER_OIDC_ISSUER_URL
-              valueFrom:
-                secretKeyRef:
-                  name: furumi-ng-creds
-                  key: OIDC_ISSUER_URL
-            - name: FURUMI_PLAYER_OIDC_REDIRECT_URL
-              valueFrom:
-                secretKeyRef:
-                  name: furumi-ng-creds
-                  key: OIDC_REDIRECT_URL
-            - name: FURUMI_PLAYER_OIDC_SESSION_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: furumi-ng-creds
-                  key: OIDC_SESSION_SECRET
-            - name: FURUMI_PLAYER_DATABASE_URL
-              valueFrom:
-                secretKeyRef:
-                  name: furumi-ng-creds
-                  key: PG_STRING
-            - name: FURUMI_PLAYER_STORAGE_DIR
-              value: "/media"
-            - name: RUST_LOG
-              value: "info"
-          ports:
-            - name: web-ui
-              containerPort: 8080
-              protocol: TCP
-          volumeMounts:
-            - name: music
-              mountPath: /media
-      volumes:
-        - name: music
-          hostPath:
-            path: /k8s/furumi/library
-            type: DirectoryOrCreate
-

k8s/apps/gitea/deployment.yaml

@@ -77,11 +77,8 @@ spec:
       labels:
         app: gitea-runner
     spec:
-      tolerations:
-        - key: workload
-          operator: Equal
-          value: desktop
-          effect: NoSchedule
+      #nodeSelector:
+      #  kubernetes.io/hostname: home.homenet
       volumes:
         - name: docker-sock
           hostPath:
@@ -93,28 +90,21 @@ spec:
       affinity:
         nodeAffinity:
           preferredDuringSchedulingIgnoredDuringExecution:
-          - weight: 100
-            preference:
-              matchExpressions:
-              - key: kubernetes.io/hostname
-                operator: In
-                values:
-                - uk-desktop.tail2fe2d.ts.net
-          - weight: 50
+          - weight: 1
             preference:
               matchExpressions:
               - key: kubernetes.io/hostname
                 operator: In
                 values:
                 - home.homenet
-          - weight: 30
+          - weight: 2
             preference:
               matchExpressions:
               - key: kubernetes.io/hostname
                 operator: In
                 values:
                 - master.tail2fe2d.ts.net
-          - weight: 10
+          - weight: 3
             preference:
               matchExpressions:
               - key: kubernetes.io/hostname
@@ -123,6 +113,18 @@ spec:
                 - it.tail2fe2d.ts.net
                 - ch.tail2fe2d.ts.net
                 - us.tail2fe2d.ts.net
+
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: kubernetes.io/hostname
+                operator: In
+                values:
+                - home.homenet
+                - it.tail2fe2d.ts.net
+                - ch.tail2fe2d.ts.net
+                - us.tail2fe2d.ts.net
+                - master.tail2fe2d.ts.net
       containers:
         - name: gitea-runner
           image: gitea/act_runner:nightly
@@ -130,11 +132,11 @@ spec:
             requests:
               cpu: "100m"
               memory: "256Mi"
-              ephemeral-storage: "1Gi"
+              ephemeral-storage: "1Gi"   # reserve ephemeral storage
             limits:
               cpu: "3000m"
               memory: "4Gi"
-              ephemeral-storage: "28Gi"
+              ephemeral-storage: "28Gi"   # hard cap for /data usage
           volumeMounts:
             - name: docker-sock
               mountPath: /var/run/docker.sock

k8s/apps/matrix/app.yaml

@@ -1,20 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: matrix
-  namespace: argocd
-spec:
-  project: apps
-  destination:
-    namespace: matrix
-    server: https://kubernetes.default.svc
-  source:
-    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
-    targetRevision: HEAD
-    path: k8s/apps/matrix
-  syncPolicy:
-    automated:
-      selfHeal: true
-      prune: true
-    syncOptions:
-      - CreateNamespace=true

k8s/apps/matrix/external-secrets.yaml

@@ -1,95 +0,0 @@
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: matrix-postgres-creds
-spec:
-  target:
-    name: matrix-postgres-creds
-    deletionPolicy: Delete
-    template:
-      type: Opaque
-      data:
-        synapse_db_password: |-
-          {{ .synapse_db_password }}
-        mas_db_password: |-
-          {{ .mas_db_password }}
-  data:
-    - secretKey: synapse_db_password
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        metadataPolicy: None
-        key: 2a9deb39-ef22-433e-a1be-df1555625e22
-        property: fields[14].value
-    - secretKey: mas_db_password
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        metadataPolicy: None
-        key: 2a9deb39-ef22-433e-a1be-df1555625e22
-        property: fields[15].value
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: matrix-oidc-config
-spec:
-  target:
-    name: matrix-oidc-config
-    deletionPolicy: Delete
-    template:
-      type: Opaque
-      data:
-        mas-oidc.yaml: |
-          upstream_oauth2:
-            providers:
-              - id: 001KKV4EKY7KG98W2M9T806K6A
-                human_name: Authentik
-                issuer: https://idm.hexor.cy/application/o/matrix/
-                client_id: "{{ .oauth_client_id }}"
-                client_secret: "{{ .oauth_client_secret }}"
-                token_endpoint_auth_method: client_secret_post
-                scope: "openid profile email"
-                claims_imports:
-                  localpart:
-                    action: suggest
-                    template: "{{ `{{ user.preferred_username | split(\"@\") | first }}` }}"
-                  displayname:
-                    action: suggest
-                    template: "{{ `{{ user.name }}` }}"
-                  email:
-                    action: suggest
-                    template: "{{ `{{ user.email }}` }}"
-                    set_email_verification: always
-  data:
-    - secretKey: oauth_client_id
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        metadataPolicy: None
-        key: ca76867f-49f3-4a30-9ef3-b05af35ee49a
-        property: fields[0].value
-    - secretKey: oauth_client_secret
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        metadataPolicy: None
-        key: ca76867f-49f3-4a30-9ef3-b05af35ee49a
-        property: fields[1].value

k8s/apps/matrix/kustomization.yaml

@@ -1,15 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - app.yaml
-  - external-secrets.yaml
-
-helmCharts:
-  - name: matrix-stack
-    repo: oci://ghcr.io/element-hq/ess-helm
-    version: 26.2.3
-    releaseName: matrix-stack
-    namespace: matrix
-    valuesFile: matrix-stack-values.yaml
-    includeCRDs: true

k8s/apps/matrix/matrix-stack-values.yaml

@@ -1,112 +0,0 @@
-## Matrix server name - appears in @user:matrix.hexor.cy
-serverName: matrix.hexor.cy
-
-## Use letsencrypt cluster issuer for all ingresses
-certManager:
-  clusterIssuer: letsencrypt
-
-## Global ingress settings
-ingress:
-  className: traefik
-  annotations:
-    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
-
-## Disable built-in PostgreSQL - using external database
-postgres:
-  enabled: false
-
-## Disable components we don't need yet
-hookshot:
-  enabled: false
-
-## MatrixRTC - voice/video calls via LiveKit SFU
-matrixRTC:
-  enabled: true
-  ingress:
-    host: livekit.matrix.hexor.cy
-  sfu:
-    enabled: true
-    manualIP: "138.201.61.182"
-    nodeSelector:
-      kubernetes.io/hostname: master.tail2fe2d.ts.net
-    exposedServices:
-      rtcTcp:
-        enabled: true
-        port: 30881
-      rtcMuxedUdp:
-        enabled: true
-        port: 30882
-      turnTLS:
-        enabled: true
-        port: 31443
-        domain: turn.matrix.hexor.cy
-        tlsTerminationOnPod: true
-
-## Synapse homeserver
-synapse:
-  enabled: true
-  ingress:
-    host: synapse.matrix.hexor.cy
-  postgres:
-    host: psql.psql.svc
-    port: 5432
-    user: synapse
-    database: synapse
-    sslMode: prefer
-    password:
-      secret: matrix-postgres-creds
-      secretKey: synapse_db_password
-  media:
-    storage:
-      size: 20Gi
-    maxUploadSize: 100M
-  # nodeSelector:
-  #   kubernetes.io/hostname: nas.homenet
-
-## Matrix Authentication Service
-matrixAuthenticationService:
-  enabled: true
-  ingress:
-    host: auth.matrix.hexor.cy
-  postgres:
-    host: psql.psql.svc
-    port: 5432
-    user: mas
-    database: mas
-    sslMode: prefer
-    password:
-      secret: matrix-postgres-creds
-      secretKey: mas_db_password
-  ## Admin policy
-  additional:
-    0-admin-policy:
-      config: |
-        policy:
-          data:
-            admin_users:
-              - username: ultradesu
-    1-oidc:
-      configSecret: matrix-oidc-config
-      configSecretKey: mas-oidc.yaml
-  # nodeSelector:
-  #   kubernetes.io/hostname: nas.homenet
-
-## Element Web client
-elementWeb:
-  enabled: true
-  ingress:
-    host: chat.matrix.hexor.cy
-  # nodeSelector:
-  #   kubernetes.io/hostname: nas.homenet
-
-## Element Admin panel
-elementAdmin:
-  enabled: true
-  ingress:
-    host: admin.matrix.hexor.cy
-  # nodeSelector:
-  #   kubernetes.io/hostname: nas.homenet
-
-## Well-known delegation on the base domain (host is derived from serverName)
-wellKnownDelegation:
-  enabled: true

k8s/apps/ollama/kustomization.yaml

@@ -4,7 +4,6 @@ kind: Kustomization
 resources:
   - external-secrets.yaml
   - local-pv.yaml
-  - open-terminal.yaml
   
 helmCharts:
   - name: ollama
@@ -16,7 +15,7 @@ helmCharts:
     includeCRDs: true
   - name: open-webui
     repo: https://helm.openwebui.com/
-    version: 12.10.0
+    version: 12.8.1
     releaseName: openweb-ui
     namespace: ollama
     valuesFile: openweb-ui-values.yaml

k8s/apps/ollama/open-terminal.yaml

@@ -1,53 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: open-terminal
-  labels:
-    app: open-terminal
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: open-terminal
-  template:
-    metadata:
-      labels:
-        app: open-terminal
-    spec:
-      nodeSelector:
-        kubernetes.io/hostname: uk-desktop.tail2fe2d.ts.net
-      tolerations:
-        - key: workload
-          operator: Equal
-          value: desktop
-          effect: NoSchedule
-      containers:
-        - name: open-terminal
-          image: ghcr.io/open-webui/open-terminal:latest
-          ports:
-            - containerPort: 8000
-          env:
-            - name: OPEN_TERMINAL_API_KEY
-              value: "LOCAL_ACCESS_TOKEN"
-          resources:
-            requests:
-              cpu: 100m
-              memory: 256Mi
-            limits:
-              cpu: "2"
-              memory: 2Gi
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: open-terminal
-  labels:
-    app: open-terminal
-spec:
-  selector:
-    app: open-terminal
-  ports:
-    - port: 8000
-      targetPort: 8000
-      protocol: TCP

k8s/core/argocd/app.yaml

@@ -18,5 +18,4 @@ spec:
       prune: true
     syncOptions:
       - CreateNamespace=true
-      - ServerSideApply=true
 

k8s/core/argocd/external-secrets.yaml

@@ -23,9 +23,6 @@ spec:
           name: vaultwarden-login
           kind: ClusterSecretStore
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        metadataPolicy: None
         key: 1062e5b4-5380-49f1-97c3-340f26f3487e
         property: fields[0].value
     - secretKey: client_secret
@@ -34,9 +31,6 @@ spec:
           name: vaultwarden-login
           kind: ClusterSecretStore
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        metadataPolicy: None
         key: 1062e5b4-5380-49f1-97c3-340f26f3487e
         property: fields[1].value
 

k8s/core/authentik/external-secrets.yaml

@@ -34,9 +34,6 @@ spec:
           name: vaultwarden-login
           kind: ClusterSecretStore
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        metadataPolicy: None
         key: 279c2c1f-c147-4b6b-a511-36c3cd764f9d
         property: login.password
     - secretKey: username
@@ -45,9 +42,6 @@ spec:
           name: vaultwarden-login
           kind: ClusterSecretStore
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        metadataPolicy: None
         key: 279c2c1f-c147-4b6b-a511-36c3cd764f9d
         property: login.username
     - secretKey: secret_key
@@ -56,9 +50,6 @@ spec:
           name: vaultwarden-login
           kind: ClusterSecretStore
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        metadataPolicy: None
         key: 279c2c1f-c147-4b6b-a511-36c3cd764f9d
         property: fields[0].value
 

k8s/core/authentik/values.yaml

@@ -54,6 +54,19 @@ server:
         traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
       hosts:
         - idm.hexor.cy
+        - nas.hexor.cy       # TrueNAS Limassol
+        - nc.hexor.cy        # NaxtCloud
+        - of.hexor.cy        # Outfleet-v2
+        - k8s.hexor.cy       # k8s dashboard
+        - qbt.hexor.cy       # qBittorent for Jellyfin
+        - prom.hexor.cy      # Prometheus
+        - khm.hexor.cy       # Known Hosts keys Manager
+        - backup.hexor.cy    # Kopia Backup UI
+        - fm.hexor.cy        # Filemanager
+        - minecraft.hexor.cy # Minecraft UI and server
+        - pass.hexor.cy      # k8s-secret for openai
+        - ps.hexor.cy        # pasarguard UI
+#       - rw.hexor.cy        # RemnaWave UI
       tls:
         - secretName: idm-tls
           hosts:

k8s/core/cert-manager/issuer.yaml

@@ -37,5 +37,4 @@ spec:
           dnsZones:
             - "ps.hexor.cy"
             - "of.hexor.cy"
-            - "matrix.hexor.cy"
 

k8s/core/cert-manager/kustomization.yaml

@@ -10,7 +10,7 @@ resources:
 helmCharts:
   - name: cert-manager
     repo: https://charts.jetstack.io
-    version: 1.20.0
+    version: 1.19.1
     releaseName: cert-manager
     namespace: cert-manager
     valuesFile: values.yaml

k8s/core/postgresql/external-secrets.yaml

@@ -127,12 +127,6 @@ spec:
           {{ .mmdl }}
         USER_n8n: |-
           {{ .n8n }}
-        USER_synapse: |-
-          {{ .synapse }}
-        USER_mas: |-
-          {{ .mas }}
-        USER_furumi: |-
-          {{ .furumi }}
   data:
     - secretKey: authentik
       sourceRef:
@@ -277,37 +271,4 @@ spec:
         metadataPolicy: None
         key: 2a9deb39-ef22-433e-a1be-df1555625e22
         property: fields[13].value
-    - secretKey: synapse
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        metadataPolicy: None
-        key: 2a9deb39-ef22-433e-a1be-df1555625e22
-        property: fields[14].value
-    - secretKey: mas
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        metadataPolicy: None
-        key: 2a9deb39-ef22-433e-a1be-df1555625e22
-        property: fields[15].value
-    - secretKey: furumi
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        metadataPolicy: None
-        key: 2a9deb39-ef22-433e-a1be-df1555625e22
-        property: fields[16].value
 

k8s/core/prom-stack/dashboards/furumi-server.json

@@ -449,7 +449,7 @@
             "type": "prometheus",
             "uid": "${datasource}"
           },
-          "expr": "sum(process_resident_memory_bytes) / 1024 / 1024",
+          "expr": "process_resident_memory_bytes / 1024 / 1024",
           "legendFormat": "Resident Memory",
           "refId": "A"
         },
@@ -458,7 +458,7 @@
             "type": "prometheus",
             "uid": "${datasource}"
           },
-          "expr": "sum(process_virtual_memory_bytes) / 1024 / 1024",
+          "expr": "process_virtual_memory_bytes / 1024 / 1024",
           "legendFormat": "Virtual Memory",
           "refId": "B"
         }

k8s/core/prom-stack/kustomization.yaml

@@ -11,7 +11,7 @@ resources:
 helmCharts:
   - name: kube-prometheus-stack
     repo: https://prometheus-community.github.io/helm-charts
-    version: 82.10.3
+    version: 79.7.1
     releaseName: prometheus
     namespace: prometheus
     valuesFile: prom-values.yaml

k8s/core/system-upgrade/plan.yaml

@@ -16,7 +16,7 @@ spec:
   serviceAccountName: system-upgrade
   upgrade:
     image: rancher/k3s-upgrade
-  version: v1.35.2+k3s1
+  version: v1.34.3+k3s1
 ---
 # Agent plan
 apiVersion: upgrade.cattle.io/v1
@@ -39,4 +39,5 @@ spec:
   serviceAccountName: system-upgrade
   upgrade:
     image: rancher/k3s-upgrade
-  version: v1.35.2+k3s1
+  version: v1.34.3+k3s1
+

terraform/authentik/.claude/settings.local.json

@@ -0,0 +1,23 @@
+{
+  "permissions": {
+    "allow": [
+      "WebSearch",
+      "WebFetch(domain:registry.terraform.io)",
+      "Bash(C:UsersabAppDataLocalMicrosoftWinGetPackagesHashicorp.Terraform_Microsoft.Winget.Source_8wekyb3d8bbweterraform.exe apply -auto-approve)",
+      "Bash(\"C:\\Users\\ab\\AppData\\Local\\Microsoft\\WinGet\\Packages\\Hashicorp.Terraform_Microsoft.Winget.Source_8wekyb3d8bbwe\\terraform.exe\" apply -auto-approve)",
+      "Bash(\"C:\\Users\\ab\\AppData\\Local\\Microsoft\\WinGet\\Packages\\Hashicorp.Terraform_Microsoft.Winget.Source_8wekyb3d8bbwe\\terraform.exe\" apply -auto-approve -lock=false)",
+      "Bash(\"C:\\Users\\ab\\AppData\\Local\\Microsoft\\WinGet\\Packages\\Hashicorp.Terraform_Microsoft.Winget.Source_8wekyb3d8bbwe\\terraform.exe\" plan -lock=false)",
+      "Bash(\"C:\\Users\\ab\\AppData\\Local\\Microsoft\\WinGet\\Packages\\Hashicorp.Terraform_Microsoft.Winget.Source_8wekyb3d8bbwe\\terraform.exe\" apply -replace=\"authentik_outpost.outposts[\"\"kubernetes-outpost\"\"]\" -auto-approve -lock=false)",
+      "Bash(terraform plan:*)",
+      "Bash(terraform state:*)",
+      "Bash(TF_VAR_authentik_token=ZDTbu4OKl0UcmdYKG5XgkRThZO7vWX2xz0w5vP2d8sudIr44ccwKOby6iRUa terraform plan:*)",
+      "Bash(TF_VAR_authentik_token=ZDTbu4OKl0UcmdYKG5XgkRThZO7vWX2xz0w5vP2d8sudIr44ccwKOby6iRUa terraform force-unlock:*)",
+      "Bash(git:*)",
+      "Bash(TF_VAR_authentik_token=ZDTbu4OKl0UcmdYKG5XgkRThZO7vWX2xz0w5vP2d8sudIr44ccwKOby6iRUa terraform state:*)",
+      "Bash(terraform version:*)",
+      "Bash(curl:*)"
+    ],
+    "deny": [],
+    "ask": []
+  }
+}

terraform/authentik/oauth2-apps.auto.tfvars

@@ -188,45 +188,5 @@ oauth_applications = {
     create_group               = true
     signing_key                = "1b1b5bec-034a-4d96-871a-133f11322360"
   }
-  "matrix" = {
-    name             = "Matrix Chat"
-    slug             = "matrix"
-    group            = "Tools"
-    meta_description = "Matrix Chat"
-    meta_icon        = "https://img.icons8.com/ios/100/40C057/matrix-logo.png"
-    redirect_uris = [
-      "https://auth.matrix.hexor.cy/upstream/callback/001KKV4EKY7KG98W2M9T806K6A",
-    ]
-    meta_launch_url            = "https://chat.matrix.hexor.cy"
-    client_type                = "confidential"
-    include_claims_in_id_token = true
-    access_code_validity       = "minutes=1"
-    access_token_validity      = "minutes=5"
-    refresh_token_validity     = "days=30"
-    scope_mappings             = ["openid", "profile", "email"]
-    access_groups              = []
-    create_group               = false
-    signing_key                = "1b1b5bec-034a-4d96-871a-133f11322360"
-  }
-  "furumi-ng-web" = {
-    name             = "Furumi Web Player"
-    slug             = "furumi-ng-web"
-    group            = "Tools"
-    meta_description = "Furumi Web Player"
-    meta_icon        = "https://img.icons8.com/pulsar-color/48/music.png"
-    redirect_uris = [
-      "https://music.hexor.cy/auth/callback",
-    ]
-    meta_launch_url            = "https://music.hexor.cy"
-    client_type                = "confidential"
-    include_claims_in_id_token = true
-    access_code_validity       = "minutes=1"
-    access_token_validity      = "minutes=5"
-    refresh_token_validity     = "days=30"
-    scope_mappings             = ["openid", "profile", "email"]
-    access_groups              = []
-    create_group               = true
-    signing_key                = "1b1b5bec-034a-4d96-871a-133f11322360"
-  }
 }