Auto-update README with current k8s applications

Generated by CI/CD workflow on 2026-05-04 17:22:21

This PR updates the README.md file with the current list of applications found in the k8s/ directory structure.

README.md

@@ -16,9 +16,13 @@ ArgoCD homelab project
 | **authentik** | [![authentik](https://ag.hexor.cy/api/badge?name=authentik&revision=true)](https://ag.hexor.cy/applications/argocd/authentik) |
 | **cert-manager** | [![cert-manager](https://ag.hexor.cy/api/badge?name=cert-manager&revision=true)](https://ag.hexor.cy/applications/argocd/cert-manager) |
 | **external-secrets** | [![external-secrets](https://ag.hexor.cy/api/badge?name=external-secrets&revision=true)](https://ag.hexor.cy/applications/argocd/external-secrets) |
+| **gpu** | [![gpu](https://ag.hexor.cy/api/badge?name=gpu&revision=true)](https://ag.hexor.cy/applications/argocd/gpu) |
+| **kanidm** | [![kanidm](https://ag.hexor.cy/api/badge?name=kanidm&revision=true)](https://ag.hexor.cy/applications/argocd/kanidm) |
+| **keycloak** | [![keycloak](https://ag.hexor.cy/api/badge?name=keycloak&revision=true)](https://ag.hexor.cy/applications/argocd/keycloak) |
 | **kube-system-custom** | [![kube-system-custom](https://ag.hexor.cy/api/badge?name=kube-system-custom&revision=true)](https://ag.hexor.cy/applications/argocd/kube-system-custom) |
 | **kubernetes-dashboard** | [![kubernetes-dashboard](https://ag.hexor.cy/api/badge?name=kubernetes-dashboard&revision=true)](https://ag.hexor.cy/applications/argocd/kubernetes-dashboard) |
 | **longhorn** | [![longhorn](https://ag.hexor.cy/api/badge?name=longhorn&revision=true)](https://ag.hexor.cy/applications/argocd/longhorn) |
+| **oauth2-proxy** | [![oauth2-proxy](https://ag.hexor.cy/api/badge?name=oauth2-proxy&revision=true)](https://ag.hexor.cy/applications/argocd/oauth2-proxy) |
 | **postgresql** | [![postgresql](https://ag.hexor.cy/api/badge?name=postgresql&revision=true)](https://ag.hexor.cy/applications/argocd/postgresql) |
 | **prom-stack** | [![prom-stack](https://ag.hexor.cy/api/badge?name=prom-stack&revision=true)](https://ag.hexor.cy/applications/argocd/prom-stack) |
 | **system-upgrade** | [![system-upgrade](https://ag.hexor.cy/api/badge?name=system-upgrade&revision=true)](https://ag.hexor.cy/applications/argocd/system-upgrade) |
@@ -37,6 +41,9 @@ ArgoCD homelab project
 
 | Application | Status |
 | :--- | :---: |
+| **comfyui** | [![comfyui](https://ag.hexor.cy/api/badge?name=comfyui&revision=true)](https://ag.hexor.cy/applications/argocd/comfyui) |
+| **furumi-dev** | [![furumi-dev](https://ag.hexor.cy/api/badge?name=furumi-dev&revision=true)](https://ag.hexor.cy/applications/argocd/furumi-dev) |
+| **furumi-server** | [![furumi-server](https://ag.hexor.cy/api/badge?name=furumi-server&revision=true)](https://ag.hexor.cy/applications/argocd/furumi-server) |
 | **gitea** | [![gitea](https://ag.hexor.cy/api/badge?name=gitea&revision=true)](https://ag.hexor.cy/applications/argocd/gitea) |
 | **greece-notifier** | [![greece-notifier](https://ag.hexor.cy/api/badge?name=greece-notifier&revision=true)](https://ag.hexor.cy/applications/argocd/greece-notifier) |
 | **hexound** | [![hexound](https://ag.hexor.cy/api/badge?name=hexound&revision=true)](https://ag.hexor.cy/applications/argocd/hexound) |
@@ -45,6 +52,9 @@ ArgoCD homelab project
 | **jellyfin** | [![jellyfin](https://ag.hexor.cy/api/badge?name=jellyfin&revision=true)](https://ag.hexor.cy/applications/argocd/jellyfin) |
 | **k8s-secrets** | [![k8s-secrets](https://ag.hexor.cy/api/badge?name=k8s-secrets&revision=true)](https://ag.hexor.cy/applications/argocd/k8s-secrets) |
 | **khm** | [![khm](https://ag.hexor.cy/api/badge?name=khm&revision=true)](https://ag.hexor.cy/applications/argocd/khm) |
+| **lidarr** | [![lidarr](https://ag.hexor.cy/api/badge?name=lidarr&revision=true)](https://ag.hexor.cy/applications/argocd/lidarr) |
+| **matrix** | [![matrix](https://ag.hexor.cy/api/badge?name=matrix&revision=true)](https://ag.hexor.cy/applications/argocd/matrix) |
+| **mtproxy** | [![mtproxy](https://ag.hexor.cy/api/badge?name=mtproxy&revision=true)](https://ag.hexor.cy/applications/argocd/mtproxy) |
 | **n8n** | [![n8n](https://ag.hexor.cy/api/badge?name=n8n&revision=true)](https://ag.hexor.cy/applications/argocd/n8n) |
 | **ollama** | [![ollama](https://ag.hexor.cy/api/badge?name=ollama&revision=true)](https://ag.hexor.cy/applications/argocd/ollama) |
 | **paperless** | [![paperless](https://ag.hexor.cy/api/badge?name=paperless&revision=true)](https://ag.hexor.cy/applications/argocd/paperless) |
@@ -55,9 +65,12 @@ ArgoCD homelab project
 | **sonarr-stack** | [![sonarr-stack](https://ag.hexor.cy/api/badge?name=sonarr-stack&revision=true)](https://ag.hexor.cy/applications/argocd/sonarr-stack) |
 | **stirling-pdf** | [![stirling-pdf](https://ag.hexor.cy/api/badge?name=stirling-pdf&revision=true)](https://ag.hexor.cy/applications/argocd/stirling-pdf) |
 | **syncthing** | [![syncthing](https://ag.hexor.cy/api/badge?name=syncthing&revision=true)](https://ag.hexor.cy/applications/argocd/syncthing) |
+| **teamspeak** | [![teamspeak](https://ag.hexor.cy/api/badge?name=teamspeak&revision=true)](https://ag.hexor.cy/applications/argocd/teamspeak) |
 | **tg-bots** | [![tg-bots](https://ag.hexor.cy/api/badge?name=tg-bots&revision=true)](https://ag.hexor.cy/applications/argocd/tg-bots) |
 | **vaultwarden** | [![vaultwarden](https://ag.hexor.cy/api/badge?name=vaultwarden&revision=true)](https://ag.hexor.cy/applications/argocd/vaultwarden) |
 | **vpn** | [![vpn](https://ag.hexor.cy/api/badge?name=vpn&revision=true)](https://ag.hexor.cy/applications/argocd/vpn) |
+| **web-petting** | [![web-petting](https://ag.hexor.cy/api/badge?name=web-petting&revision=true)](https://ag.hexor.cy/applications/argocd/web-petting) |
+| **wedding** | [![wedding](https://ag.hexor.cy/api/badge?name=wedding&revision=true)](https://ag.hexor.cy/applications/argocd/wedding) |
 | **xandikos** | [![xandikos](https://ag.hexor.cy/api/badge?name=xandikos&revision=true)](https://ag.hexor.cy/applications/argocd/xandikos) |
 
 </td>

k8s/apps/furumi-dev/external-secrets.yaml

@@ -20,8 +20,6 @@ spec:
           {{ .session_secret }}
         PG_STRING: |-
           postgres://furumi_dev:{{ .pg_pass }}@psql.psql.svc:5432/furumi_dev
-        PLAYER_API_KEY: |-
-          {{ .player_api_key }}
   data:
     - secretKey: client_id
       sourceRef:
@@ -47,14 +45,6 @@ spec:
       remoteRef:
         key: 960735e6-2cc9-4b68-9bd3-e6786e5a0cd6
         property: fields[2].value
-    - secretKey: player_api_key
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        key: 960735e6-2cc9-4b68-9bd3-e6786e5a0cd6
-        property: fields[3].value
     - secretKey: pg_pass
       sourceRef:
         storeRef:

k8s/apps/furumi-dev/ingress.yaml

@@ -22,13 +22,20 @@ spec:
     - host: music-dev.hexor.cy
       http:
         paths:
-          - path: /
+          - path: /api
             pathType: Prefix
             backend:
               service:
                 name: furumi-dev-web-player
                 port:
                   number: 8080
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: furumi-dev-node-player
+                port:
+                  number: 3001
   tls:
     - secretName: furumi-tls
       hosts:

k8s/apps/furumi-dev/kustomization.yaml

@@ -7,4 +7,5 @@ resources:
   - external-secrets.yaml
   - ingress.yaml
   - web-player.yaml
+  - node-player.yaml
   - metadata-agent.yaml

k8s/apps/furumi-dev/metadata-agent.yaml

@@ -31,9 +31,9 @@ spec:
             - name: FURUMI_AGENT_STORAGE_DIR
               value: "/media"
             - name: FURUMI_AGENT_OLLAMA_URL
-              value: "http://ollama.ollama.svc:11434"
+              value: "http://100.120.76.49:1234"
             - name: FURUMI_AGENT_OLLAMA_MODEL
-              value: "qwen3:14b"
+              value: "qwen2.5-32b-instruct"
             - name: FURUMI_AGENT_POLL_INTERVAL_SECS
               value: "10"
             - name: RUST_LOG

k8s/apps/furumi-dev/node-player.yaml

@@ -0,0 +1,53 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: furumi-dev-node-player
+  labels:
+    app: furumi-dev-node-player
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: furumi-dev-node-player
+  template:
+    metadata:
+      labels:
+        app: furumi-dev-node-player
+    spec:
+      nodeSelector:
+        kubernetes.io/hostname: master.tail2fe2d.ts.net
+      containers:
+        - name: furumi-dev-node-player
+          image: ultradesu/furumi-node-player:dev
+          imagePullPolicy: Always
+          env:
+            - name: PORT
+              value: "3001"
+            - name: BASE_URL
+              value: "https://music-dev.hexor.cy"
+            - name: FRONTEND_ORIGIN
+              value: "https://music-dev.hexor.cy"
+            - name: SESSION_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: furumi-ng-creds
+                  key: OIDC_SESSION_SECRET
+            - name: OIDC_ISSUER_BASE_URL
+              valueFrom:
+                secretKeyRef:
+                  name: furumi-ng-creds
+                  key: OIDC_ISSUER_URL
+            - name: OIDC_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: furumi-ng-creds
+                  key: OIDC_CLIENT_ID
+            - name: OIDC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: furumi-ng-creds
+                  key: OIDC_CLIENT_SECRET
+          ports:
+            - name: http
+              containerPort: 3001
+              protocol: TCP

k8s/apps/furumi-dev/service.yaml

@@ -26,7 +26,23 @@ spec:
   selector:
     app: furumi-dev-web-player
   ports:
-    - name: web-ui
+    - name: http
       protocol: TCP
       port: 8080
       targetPort: 8080
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: furumi-dev-node-player
+  labels:
+    app: furumi-dev-node-player
+spec:
+  type: ClusterIP
+  selector:
+    app: furumi-dev-node-player
+  ports:
+    - name: http
+      protocol: TCP
+      port: 3001
+      targetPort: 3001

k8s/apps/furumi-dev/web-player.yaml

@@ -51,17 +51,12 @@ spec:
                 secretKeyRef:
                   name: furumi-ng-creds
                   key: PG_STRING
-            - name: FURUMI_PLAYER_API_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: furumi-ng-creds
-                  key: PLAYER_API_KEY
             - name: FURUMI_PLAYER_STORAGE_DIR
               value: "/media"
             - name: RUST_LOG
               value: "info"
           ports:
-            - name: web-ui
+            - name: http
               containerPort: 8080
               protocol: TCP
           volumeMounts:
@@ -72,4 +67,3 @@ spec:
           hostPath:
             path: /k8s/furumi-dev/library
             type: DirectoryOrCreate
-

k8s/apps/furumi-server/metadata-agent.yaml

@@ -31,9 +31,9 @@ spec:
             - name: FURUMI_AGENT_STORAGE_DIR
               value: "/media"
             - name: FURUMI_AGENT_OLLAMA_URL
-              value: "http://ollama.ollama.svc:11434"
+              value: "http://100.120.76.49:1234"
             - name: FURUMI_AGENT_OLLAMA_MODEL
-              value: "qwen3.5:9b"
+              value: "google/gemma-4-26b-a4b"
             - name: FURUMI_AGENT_POLL_INTERVAL_SECS
               value: "10"
             - name: RUST_LOG

k8s/apps/gitea/deployment.yaml

@@ -48,6 +48,8 @@ spec:
               value: "true"
             - name: GITEA__service__CAPTCHA_TYPE
               value: "hcaptcha"
+            - name: GITEA__webhook__ALLOWED_HOST_LIST
+              value: "*"
           envFrom:
           - secretRef:
               name: gitea-recapcha-creds
@@ -127,14 +129,14 @@ spec:
         - name: gitea-runner
           image: gitea/act_runner:nightly
           resources:
-            requests:
-              cpu: "100m"
-              memory: "256Mi"
-              ephemeral-storage: "1Gi"
-            limits:
-              cpu: "3000m"
-              memory: "4Gi"
-              ephemeral-storage: "28Gi"
+            #requests:
+            #  cpu: "100m"
+            #  memory: "256Mi"
+            #  ephemeral-storage: "1Gi"
+            #limits:
+            #  cpu: "3000m"
+            #  memory: "4Gi"
+            #  ephemeral-storage: "28Gi"
           volumeMounts:
             - name: docker-sock
               mountPath: /var/run/docker.sock

k8s/apps/matrix/matrix-stack-values.yaml

@@ -26,9 +26,9 @@ matrixRTC:
     host: livekit.matrix.hexor.cy
   sfu:
     enabled: true
-    manualIP: "138.201.61.182"
+    manualIP: "78.24.180.234"
     nodeSelector:
-      kubernetes.io/hostname: master.tail2fe2d.ts.net
+      kubernetes.io/hostname: spb.tail2fe2d.ts.net
     exposedServices:
       rtcTcp:
         enabled: true
@@ -45,6 +45,14 @@ matrixRTC:
 ## Synapse homeserver
 synapse:
   enabled: true
+  additional:
+    0-search-config:
+      config: |
+        user_directory:
+          enabled: true
+          search_all_users: true
+          prefer_local_users: true
+        enable_room_list_search: true
   ingress:
     host: synapse.matrix.hexor.cy
   postgres:
@@ -56,12 +64,12 @@ synapse:
     password:
       secret: matrix-postgres-creds
       secretKey: synapse_db_password
+  nodeSelector:
+    kubernetes.io/hostname: master.tail2fe2d.ts.net
   media:
     storage:
       size: 20Gi
     maxUploadSize: 100M
-  # nodeSelector:
-  #   kubernetes.io/hostname: nas.homenet
 
 ## Matrix Authentication Service
 matrixAuthenticationService:
@@ -88,24 +96,24 @@ matrixAuthenticationService:
     1-oidc:
       configSecret: matrix-oidc-config
       configSecretKey: mas-oidc.yaml
-  # nodeSelector:
-  #   kubernetes.io/hostname: nas.homenet
+  nodeSelector:
+    kubernetes.io/hostname: master.tail2fe2d.ts.net
 
 ## Element Web client
 elementWeb:
   enabled: true
   ingress:
     host: chat.matrix.hexor.cy
-  # nodeSelector:
-  #   kubernetes.io/hostname: nas.homenet
+  nodeSelector:
+    kubernetes.io/hostname: master.tail2fe2d.ts.net
 
 ## Element Admin panel
 elementAdmin:
   enabled: true
   ingress:
     host: admin.matrix.hexor.cy
-  # nodeSelector:
-  #   kubernetes.io/hostname: nas.homenet
+  nodeSelector:
+    kubernetes.io/hostname: master.tail2fe2d.ts.net
 
 ## Well-known delegation on the base domain (host is derived from serverName)
 wellKnownDelegation:

k8s/apps/mtproxy/kustomization.yaml

@@ -12,4 +12,5 @@ resources:
   - ./telemt-servicemonitor.yaml
   - ./service.yaml
   - ./secret-reader.yaml
+  - ./secret-reader-ingress.yaml
 # - ./storage.yaml

k8s/apps/mtproxy/secret-reader-ingress.yaml

@@ -0,0 +1,45 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: keycloak-auth
+spec:
+  forwardAuth:
+    address: http://oauth2-proxy.oauth2-proxy.svc:80/oauth2/auth
+    trustForwardHeader: true
+    authResponseHeaders:
+      - X-Auth-Request-User
+      - X-Auth-Request-Email
+      - X-Auth-Request-Groups
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: secret-reader
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`secret-reader.hexor.cy`)
+      kind: Rule
+      middlewares:
+        - name: keycloak-auth
+      services:
+        - name: secret-reader
+          port: 80
+  tls:
+    secretName: secret-reader-tls
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: secret-reader-tls
+spec:
+  secretName: secret-reader-tls
+  issuerRef:
+    name: letsencrypt
+    kind: ClusterIssuer
+  dnsNames:
+    - secret-reader.hexor.cy

k8s/apps/mtproxy/telemt-daemonset.yaml

@@ -55,8 +55,9 @@ spec:
                 echo "ERROR: node ${NODE_NAME} has no mtproxy label"
                 exit 1
               fi
-              # Build ee-prefixed secret for secure mode
-              EE_SECRET="ee${SECRET}"
+              # Build ee-prefixed secret: ee + secret + hex(tls_domain)
+              # "ya.ru" = 79612e7275
+              EE_SECRET="ee${SECRET}79612e7275"
               LINK="tg://proxy?server=${SERVER}&port=${TELEMT_PORT}&secret=${EE_SECRET}"
               echo "Registering telemt: ${SERVER} -> ${LINK}"
               if kubectl get secret telemt-links -n "${NAMESPACE}" &>/dev/null; then

k8s/apps/mtproxy/telemt-external-secrets.yaml

@@ -30,6 +30,7 @@ spec:
           [server]
           port = 30444
           metrics_port = 9090
+          metrics_whitelist = ["0.0.0.0/0"]
 
           [server.api]
           enabled = true

k8s/apps/mtproxy/telemt-servicemonitor.yaml

@@ -16,6 +16,9 @@ spec:
       interval: 30s
       scrapeTimeout: 10s
       honorLabels: true
+      relabelings:
+        - sourceLabels: [__meta_kubernetes_pod_node_name]
+          targetLabel: node
   namespaceSelector:
     matchNames:
       - mtproxy

k8s/apps/pasarguard/daemonset.yaml

@@ -1,71 +1,5 @@
 ---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: pasarguard-node
-  labels:
-    app: pasarguard-node
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: pasarguard-node-configmap
-  labels:
-    app: pasarguard-node
-rules:
-  - apiGroups: [""]
-    resources: ["configmaps"]
-    verbs: ["get", "list", "create", "update", "patch"]
-  - apiGroups: ["cert-manager.io"]
-    resources: ["certificates"]
-    verbs: ["get", "list", "create", "update", "patch", "delete"]
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["get", "list"]
-  - apiGroups: [""]
-    resources: ["services", "endpoints"]
-    verbs: ["get", "list", "create", "update", "patch", "delete"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: pasarguard-node-configmap
-  labels:
-    app: pasarguard-node
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: pasarguard-node-configmap
-subjects:
-  - kind: ServiceAccount
-    name: pasarguard-node
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: pasarguard-node-reader
-  labels:
-    app: pasarguard-node
-rules:
-  - apiGroups: [""]
-    resources: ["nodes"]
-    verbs: ["get", "list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: pasarguard-node-reader
-  labels:
-    app: pasarguard-node
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: pasarguard-node-reader
-subjects:
-  - kind: ServiceAccount
-    name: pasarguard-node
-    namespace: pasarguard
----
+image: &image 'pasarguard/node:v0.4.0'
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
@@ -113,7 +47,7 @@ spec:
               mountPath: /scripts
       containers:
         - name: pasarguard-node
-          image: 'pasarguard/node:v0.2.1'
+          image: *image
           imagePullPolicy: Always
           command:
             - /bin/sh
@@ -219,3 +153,71 @@ spec:
           configMap:
             name: pasarguard-scripts
             defaultMode: 0755
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: pasarguard-node
+  labels:
+    app: pasarguard-node
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: pasarguard-node-configmap
+  labels:
+    app: pasarguard-node
+rules:
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["get", "list", "create", "update", "patch"]
+  - apiGroups: ["cert-manager.io"]
+    resources: ["certificates"]
+    verbs: ["get", "list", "create", "update", "patch", "delete"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list"]
+  - apiGroups: [""]
+    resources: ["services", "endpoints"]
+    verbs: ["get", "list", "create", "update", "patch", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: pasarguard-node-configmap
+  labels:
+    app: pasarguard-node
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: pasarguard-node-configmap
+subjects:
+  - kind: ServiceAccount
+    name: pasarguard-node
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: pasarguard-node-reader
+  labels:
+    app: pasarguard-node
+rules:
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: pasarguard-node-reader
+  labels:
+    app: pasarguard-node
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: pasarguard-node-reader
+subjects:
+  - kind: ServiceAccount
+    name: pasarguard-node
+    namespace: pasarguard

k8s/apps/pasarguard/deployment.yaml

@@ -1,4 +1,5 @@
 ---
+image: &image 'pasarguard/panel:v3.1.0'
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -34,7 +35,7 @@ spec:
               mountPath: /templates/subscription
       containers:
         - name: pasarguard-web
-          image: 'pasarguard/panel:latest'
+          image: *image
           imagePullPolicy: Always
           envFrom:
             - secretRef:
@@ -75,6 +76,9 @@ apiVersion: v1
 kind: Service
 metadata:
   name: pasarguard
+  annotations:
+    traefik.ingress.kubernetes.io/service.serversscheme: https
+    traefik.ingress.kubernetes.io/service.serverstransport: pasarguard-pasarguard-transport@kubernetescrd
 spec:
   selector:
     app: pasarguard

k8s/apps/pasarguard/ingress.yaml

@@ -0,0 +1,31 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: ServersTransport
+metadata:
+  name: pasarguard-transport
+spec:
+  insecureSkipVerify: true
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: pasarguard-ingress
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+spec:
+  ingressClassName: traefik
+  rules:
+    - host: ps.hexor.cy
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: pasarguard
+                port:
+                  number: 80
+  tls:
+    - secretName: pasarguard-tls
+      hosts:
+        - ps.hexor.cy

k8s/apps/pasarguard/kustomization.yaml

@@ -9,3 +9,4 @@ resources:
   - ./certificate.yaml
   - ./configmap-scripts.yaml
   - ./servicemonitor.yaml
+  - ./ingress.yaml

k8s/apps/teamspeak/app.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: teamspeak
+  namespace: argocd
+spec:
+  project: apps
+  destination:
+    namespace: teamspeak
+    server: https://kubernetes.default.svc
+  source:
+    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
+    targetRevision: HEAD
+    path: k8s/apps/teamspeak
+  syncPolicy:
+    automated:
+      selfHeal: true
+      prune: true
+    syncOptions:
+      - CreateNamespace=true

k8s/apps/teamspeak/deployment.yaml

@@ -0,0 +1,49 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: teamspeak
+  labels:
+    app: teamspeak
+spec:
+  selector:
+    matchLabels:
+      app: teamspeak
+  replicas: 1
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: teamspeak
+    spec:
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: teamspeak-data
+      containers:
+        - name: teamspeak
+          image: 'teamspeak:latest'
+          env:
+            - name: TS3SERVER_LICENSE
+              value: "accept"
+          resources:
+            requests:
+              memory: "256Mi"
+              cpu: "100m"
+            limits:
+              memory: "512Mi"
+              cpu: "1000m"
+          ports:
+            - name: voice
+              containerPort: 9987
+              protocol: UDP
+            - name: filetransfer
+              containerPort: 30033
+              protocol: TCP
+            - name: serverquery
+              containerPort: 10011
+              protocol: TCP
+          volumeMounts:
+            - name: data
+              mountPath: /var/ts3server

k8s/apps/teamspeak/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - app.yaml
+  - storage.yaml
+  - deployment.yaml
+  - service.yaml

k8s/apps/teamspeak/service.yaml

@@ -0,0 +1,22 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: teamspeak
+spec:
+  type: LoadBalancer
+  selector:
+    app: teamspeak
+  ports:
+    - name: voice
+      protocol: UDP
+      port: 9987
+      targetPort: 9987
+    - name: filetransfer
+      protocol: TCP
+      port: 30033
+      targetPort: 30033
+    - name: serverquery
+      protocol: TCP
+      port: 10011
+      targetPort: 10011

k8s/apps/teamspeak/storage.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: teamspeak-data
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: longhorn
+  resources:
+    requests:
+      storage: 5Gi

k8s/apps/web-petting/app.yaml

@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: web-petting
+  namespace: argocd
+spec:
+  project: apps
+  destination:
+    namespace: web-petting
+    server: https://kubernetes.default.svc
+  source:
+    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
+    targetRevision: HEAD
+    path: k8s/apps/web-petting
+  syncPolicy:
+    automated:
+      selfHeal: true
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
+

k8s/apps/web-petting/deployment.yaml

@@ -0,0 +1,49 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: web-petting
+  labels:
+    app: web-petting
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: web-petting
+  template:
+    metadata:
+      labels:
+        app: web-petting
+    spec:
+      nodeSelector:
+        kubernetes.io/os: linux
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: web-petting-data
+      containers:
+      - name: web-petting
+        image: ultradesu/web-petting:0.1.0
+        imagePullPolicy: Always
+        args:
+#         - "tail"
+#         - "-F"
+#         - "/1"
+          - "web-petting"
+          - "-l"
+          - "0.0.0.0:3000"
+        ports:
+        - containerPort: 3000
+          name: http
+        volumeMounts:
+          - name: data
+            mountPath: /data
+        env:
+        - name: RUST_LOG
+          value: "info"
+        resources:
+          requests:
+            memory: "64Mi"
+            cpu: "50m"
+          limits:
+            memory: "128Mi"
+            cpu: "150m"

k8s/apps/web-petting/ingress.yaml

@@ -0,0 +1,27 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: web-petting-tls-ingress
+  annotations:
+    ingressClassName: traefik
+    cert-manager.io/cluster-issuer: letsencrypt
+    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
+    acme.cert-manager.io/http01-edit-in-place: "true"
+spec:
+  rules:
+    - host: pet.hexor.cy
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: web-petting
+                port:
+                  number: 80
+  tls:
+    - secretName: web-petting-tls
+      hosts:
+        - pet.hexor.cy
+

k8s/apps/web-petting/kustomization.yaml

@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - app.yaml
+  - deployment.yaml
+  - service.yaml
+  - ingress.yaml
+  - storage.yaml
+

k8s/apps/web-petting/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: web-petting
+  labels:
+    app: web-petting
+spec:
+  type: ClusterIP
+  selector:
+    app: web-petting
+  ports:
+  - port: 80
+    targetPort: 3000
+    protocol: TCP
+    name: http

k8s/apps/web-petting/storage.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: web-petting-data
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: longhorn
+  resources:
+    requests:
+      storage: 10Gi

k8s/apps/wedding/app.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: wedding
+  namespace: argocd
+spec:
+  project: apps
+  destination:
+    namespace: wedding
+    server: https://kubernetes.default.svc
+  source:
+    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
+    targetRevision: HEAD
+    path: k8s/apps/wedding
+  syncPolicy:
+    automated:
+      selfHeal: true
+      prune: true
+    syncOptions:
+      - CreateNamespace=true

k8s/apps/wedding/deployment.yaml

@@ -0,0 +1,69 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: wedding
+  labels:
+    app: wedding
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: wedding
+  template:
+    metadata:
+      labels:
+        app: wedding
+    spec:
+      nodeSelector:
+        kubernetes.io/hostname: spb.tail2fe2d.ts.net
+      initContainers:
+        - name: git-clone
+          image: alpine/git:latest
+          command:
+            - sh
+            - -c
+            - git clone --depth 1 https://gt.hexor.cy/ab/wedding.git /src
+          volumeMounts:
+            - name: source
+              mountPath: /src
+        - name: zola-build
+          image: ghcr.io/getzola/zola:v0.22.1
+          command:
+            - /bin/zola
+          args:
+            - --root
+            - /src
+            - build
+            - --base-url
+            - https://wedding.hexor.cy/
+            - --output-dir
+            - /public/html
+          volumeMounts:
+            - name: source
+              mountPath: /src
+            - name: public
+              mountPath: /public
+      containers:
+        - name: nginx
+          image: nginx:alpine
+          ports:
+            - containerPort: 80
+              protocol: TCP
+          volumeMounts:
+            - name: public
+              mountPath: /usr/share/nginx/html
+              subPath: html
+              readOnly: true
+          resources:
+            requests:
+              memory: 32Mi
+              cpu: 10m
+            limits:
+              memory: 64Mi
+              cpu: 100m
+      volumes:
+        - name: source
+          emptyDir: {}
+        - name: public
+          emptyDir: {}

k8s/apps/wedding/ingress.yaml

@@ -0,0 +1,26 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: wedding-tls-ingress
+  annotations:
+    ingressClassName: traefik
+    cert-manager.io/cluster-issuer: letsencrypt
+    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
+    acme.cert-manager.io/http01-edit-in-place: "true"
+spec:
+  rules:
+    - host: wedding.hexor.cy
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: wedding
+                port:
+                  number: 80
+  tls:
+    - secretName: wedding-tls
+      hosts:
+        - wedding.hexor.cy

k8s/apps/wedding/kustomization.yaml

@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - app.yaml
+  - rbac.yaml
+  - deployment.yaml
+  - service.yaml
+  - ingress.yaml
+  - webhook.yaml

k8s/apps/wedding/rbac.yaml

@@ -0,0 +1,42 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: wedding-deployer
+  namespace: wedding
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: wedding-deployer-token
+  namespace: wedding
+  annotations:
+    kubernetes.io/service-account.name: wedding-deployer
+type: kubernetes.io/service-account-token
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: wedding-restart
+  namespace: wedding
+rules:
+  - apiGroups: ["apps"]
+    resources: ["deployments"]
+    verbs: ["get", "patch"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: wedding-deployer-restart
+  namespace: wedding
+subjects:
+  - kind: ServiceAccount
+    name: wedding-deployer
+    namespace: wedding
+roleRef:
+  kind: Role
+  name: wedding-restart
+  apiGroup: rbac.authorization.k8s.io

k8s/apps/wedding/service.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: wedding
+spec:
+  selector:
+    app: wedding
+  ports:
+    - port: 80
+      targetPort: 80
+      protocol: TCP

k8s/apps/wedding/webhook.yaml

@@ -0,0 +1,71 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: webhook-script
+data:
+  serve.sh: |
+    #!/bin/sh
+    echo "Webhook server listening on :8080"
+    while true; do
+      echo -e "HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok" \
+        | nc -l -p 8080 > /dev/null
+      echo "Received webhook, restarting deployment..."
+      kubectl rollout restart deployment/wedding
+    done
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: wedding-webhook
+  labels:
+    app: wedding-webhook
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: wedding-webhook
+  template:
+    metadata:
+      labels:
+        app: wedding-webhook
+    spec:
+      nodeSelector:
+        kubernetes.io/hostname: spb.tail2fe2d.ts.net
+      serviceAccountName: wedding-deployer
+      containers:
+        - name: webhook
+          image: alpine/k8s:1.32.3
+          command: ["sh", "/scripts/serve.sh"]
+          ports:
+            - containerPort: 8080
+              protocol: TCP
+          volumeMounts:
+            - name: script
+              mountPath: /scripts
+              readOnly: true
+          resources:
+            requests:
+              memory: 16Mi
+              cpu: 5m
+            limits:
+              memory: 32Mi
+              cpu: 50m
+      volumes:
+        - name: script
+          configMap:
+            name: webhook-script
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: wedding-webhook
+spec:
+  selector:
+    app: wedding-webhook
+  ports:
+    - port: 8080
+      targetPort: 8080
+      protocol: TCP

k8s/core/authentik/kustomization.yaml

@@ -11,7 +11,7 @@ resources:
 helmCharts:
   - name: authentik
     repo: https://charts.goauthentik.io
-    version: 2026.2.1
+    version: 2026.2.2
     releaseName: authentik
     namespace: authentik
     valuesFile: values.yaml

k8s/core/authentik/values.yaml

@@ -1,6 +1,6 @@
 global:
   image:
-    tag: "2026.2.1"
+    tag: "2026.2.2"
 
 authentik:
     error_reporting:

k8s/core/cert-manager/issuer.yaml

@@ -18,11 +18,9 @@ spec:
               key: apiKey
         selector:
           dnsZones:
-            - "*.hexor.cy"
             - "*.hexor.ru"
             - "*.btwiusearch.net"
             - "hexor.ru"
-            - "hexor.cy"
             - "btwiusearch.net"
       - dns01:
           route53:
@@ -35,7 +33,6 @@ spec:
               key: secretKey
         selector:
           dnsZones:
-            - "ps.hexor.cy"
-            - "of.hexor.cy"
-            - "matrix.hexor.cy"
+            - "*.hexor.cy"
+            - "hexor.cy"
 

k8s/core/kanidm/app.yaml

@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: kanidm
+  namespace: argocd
+spec:
+  project: core
+  destination:
+    namespace: kanidm
+    server: https://kubernetes.default.svc
+  source:
+    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
+    targetRevision: HEAD
+    path: k8s/core/kanidm
+  syncPolicy:
+    automated:
+      selfHeal: true
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true

k8s/core/kanidm/certificate.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: kanidm-tls
+spec:
+  secretName: kanidm-tls
+  issuerRef:
+    name: letsencrypt
+    kind: ClusterIssuer
+  dnsNames:
+    - auth.hexor.cy

k8s/core/kanidm/configmap.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: kanidm-config
+data:
+  server.toml: |
+    bindaddress = "[::]:443"
+    db_path = "/data/kanidm.db"
+    tls_chain = "/certs/tls.crt"
+    tls_key = "/certs/tls.key"
+    domain = "auth.hexor.cy"
+    origin = "https://auth.hexor.cy"
+    log_level = "info"
+
+    [online_backup]
+    path = "/data/backups/"
+    schedule = "00 22 * * *"
+    versions = 7

k8s/core/kanidm/ingress.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: kanidm
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`auth.hexor.cy`)
+      kind: Rule
+      services:
+        - name: kanidm
+          port: 443
+          scheme: https
+          serversTransport: kanidm-transport
+  tls:
+    secretName: kanidm-ingress-tls

k8s/core/kanidm/kustomization.yaml

@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - app.yaml
+  - configmap.yaml
+  - certificate.yaml
+  - statefulset.yaml
+  - service.yaml
+  - ingress.yaml
+  - servers-transport.yaml

k8s/core/kanidm/servers-transport.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: ServersTransport
+metadata:
+  name: kanidm-transport
+spec:
+  insecureSkipVerify: true

k8s/core/kanidm/service.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: kanidm
+  labels:
+    app: kanidm
+spec:
+  ports:
+    - name: https
+      port: 443
+      targetPort: 443
+      protocol: TCP
+  selector:
+    app: kanidm

k8s/core/kanidm/statefulset.yaml

@@ -0,0 +1,86 @@
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: kanidm
+  labels:
+    app: kanidm
+spec:
+  serviceName: kanidm
+  replicas: 1
+  selector:
+    matchLabels:
+      app: kanidm
+  template:
+    metadata:
+      labels:
+        app: kanidm
+    spec:
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+      containers:
+        - name: kanidm
+          image: kanidm/server:1.9.3
+          ports:
+            - containerPort: 443
+              name: https
+              protocol: TCP
+          volumeMounts:
+            - name: kanidm-data
+              mountPath: /data
+            - name: kanidm-config
+              mountPath: /data/server.toml
+              subPath: server.toml
+              readOnly: true
+            - name: kanidm-tls
+              mountPath: /certs
+              readOnly: true
+          resources:
+            requests:
+              memory: "128Mi"
+              cpu: "100m"
+            limits:
+              memory: "512Mi"
+              cpu: "500m"
+          readinessProbe:
+            httpGet:
+              path: /status
+              port: 443
+              scheme: HTTPS
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          livenessProbe:
+            httpGet:
+              path: /status
+              port: 443
+              scheme: HTTPS
+            initialDelaySeconds: 15
+            periodSeconds: 30
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: false
+            runAsUser: 1000
+            runAsGroup: 1000
+      volumes:
+        - name: kanidm-config
+          configMap:
+            name: kanidm-config
+        - name: kanidm-tls
+          secret:
+            secretName: kanidm-tls
+      nodeSelector:
+        kubernetes.io/hostname: master.tail2fe2d.ts.net
+      tolerations:
+        - key: node-role.kubernetes.io/master
+          effect: NoSchedule
+  volumeClaimTemplates:
+    - metadata:
+        name: kanidm-data
+      spec:
+        accessModes: ["ReadWriteOnce"]
+        storageClassName: longhorn
+        resources:
+          requests:
+            storage: 1Gi

k8s/core/keycloak/app.yaml

@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: keycloak
+  namespace: argocd
+spec:
+  project: core
+  destination:
+    namespace: keycloak
+    server: https://kubernetes.default.svc
+  source:
+    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
+    targetRevision: HEAD
+    path: k8s/core/keycloak
+  syncPolicy:
+    automated:
+      selfHeal: true
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true

k8s/core/keycloak/external-secrets.yaml

@@ -0,0 +1,41 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: keycloak-creds
+spec:
+  target:
+    name: keycloak-creds
+    deletionPolicy: Delete
+    template:
+      type: Opaque
+      data:
+        KC_DB_USERNAME: keycloak
+        KC_DB_PASSWORD: |-
+          {{ .db_password }}
+        KC_BOOTSTRAP_ADMIN_USERNAME: admin
+        KC_BOOTSTRAP_ADMIN_PASSWORD: |-
+          {{ .admin_password }}
+  data:
+    - secretKey: db_password
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
+        key: 2a9deb39-ef22-433e-a1be-df1555625e22
+        property: fields[18].value
+    - secretKey: admin_password
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
+        key: 9422b636-a91d-40e4-bf98-925b2a3f831d
+        property: login.password

k8s/core/keycloak/kustomization.yaml

@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - app.yaml
+  - external-secrets.yaml
+
+helmCharts:
+  - name: keycloakx
+    repo: https://codecentric.github.io/helm-charts
+    version: 7.1.11
+    releaseName: keycloak
+    namespace: keycloak
+    valuesFile: values.yaml

k8s/core/keycloak/values.yaml

@@ -0,0 +1,67 @@
+replicas: 1
+
+image:
+  repository: quay.io/keycloak/keycloak
+  tag: "26.5.6"
+
+command:
+  - "/opt/keycloak/bin/kc.sh"
+  - "start"
+  - "--http-port=8080"
+  - "--hostname-strict=false"
+  - "--proxy-headers=xforwarded"
+
+extraEnvFrom: |
+  - secretRef:
+      name: keycloak-creds
+
+extraEnv: |
+  - name: KC_HOSTNAME
+    value: auth.hexor.cy
+  - name: JAVA_OPTS_APPEND
+    value: "-Djgroups.dns.query=keycloak-headless.keycloak.svc"
+
+dbchecker:
+  enabled: true
+
+database:
+  vendor: postgres
+  hostname: psql.psql.svc
+  port: 5432
+  database: keycloak
+  existingSecret: keycloak-creds
+  existingSecretKey: KC_DB_PASSWORD
+
+service:
+  type: ClusterIP
+
+ingress:
+  enabled: true
+  ingressClassName: traefik
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
+  rules:
+    - host: auth.hexor.cy
+      paths:
+        - path: /
+          pathType: Prefix
+  tls:
+    - secretName: keycloak-tls
+      hosts:
+        - auth.hexor.cy
+
+resources:
+  requests:
+    cpu: 200m
+    memory: 512Mi
+  limits:
+    cpu: "1"
+    memory: 1Gi
+
+nodeSelector:
+  kubernetes.io/hostname: master.tail2fe2d.ts.net
+
+tolerations:
+  - key: node-role.kubernetes.io/master
+    effect: NoSchedule

k8s/core/oauth2-proxy/app.yaml

@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: oauth2-proxy
+  namespace: argocd
+spec:
+  project: core
+  destination:
+    namespace: oauth2-proxy
+    server: https://kubernetes.default.svc
+  source:
+    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
+    targetRevision: HEAD
+    path: k8s/core/oauth2-proxy
+  syncPolicy:
+    automated:
+      selfHeal: true
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true

k8s/core/oauth2-proxy/external-secrets.yaml

@@ -0,0 +1,40 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: oauth2-proxy-creds
+spec:
+  target:
+    name: oauth2-proxy-creds
+    deletionPolicy: Delete
+    template:
+      type: Opaque
+      data:
+        client-id: oauth2-proxy
+        client-secret: |-
+          {{ .client_secret }}
+        cookie-secret: |-
+          {{ .cookie_secret }}
+  data:
+    - secretKey: client_secret
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
+        key: e62e8c4d-d538-43b2-a682-9cdf2a5a1165
+        property: login.password
+    - secretKey: cookie_secret
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
+        key: e62e8c4d-d538-43b2-a682-9cdf2a5a1165
+        property: fields[0].value

k8s/core/oauth2-proxy/kustomization.yaml

@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - app.yaml
+  - external-secrets.yaml
+
+helmCharts:
+  - name: oauth2-proxy
+    repo: https://oauth2-proxy.github.io/manifests
+    version: 10.4.3
+    releaseName: oauth2-proxy
+    namespace: oauth2-proxy
+    valuesFile: values.yaml

k8s/core/oauth2-proxy/middleware.yaml

@@ -0,0 +1,3 @@
+# Middleware is deployed per-namespace alongside each IngressRoute
+# because Traefik does not allow cross-namespace middleware references.
+# See k8s/apps/mtproxy/secret-reader-ingress.yaml for example.

k8s/core/oauth2-proxy/values.yaml

@@ -0,0 +1,51 @@
+replicaCount: 1
+
+config:
+  existingSecret: oauth2-proxy-creds
+  configFile: |-
+    provider = "keycloak-oidc"
+    provider_display_name = "Keycloak"
+    oidc_issuer_url = "https://auth.hexor.cy/auth/realms/hexor"
+    redirect_url = "https://oauth.hexor.cy/oauth2/callback"
+    email_domains = ["*"]
+    cookie_domains = [".hexor.cy"]
+    whitelist_domains = [".hexor.cy"]
+    cookie_secure = true
+    cookie_samesite = "lax"
+    upstreams = ["static://200"]
+    reverse_proxy = true
+    set_xauthrequest = true
+    set_authorization_header = true
+    pass_access_token = true
+    pass_authorization_header = true
+    skip_provider_button = true
+    code_challenge_method = "S256"
+    scope = "openid profile email"
+
+ingress:
+  enabled: true
+  className: traefik
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
+  hosts:
+    - oauth.hexor.cy
+  tls:
+    - secretName: oauth2-proxy-tls
+      hosts:
+        - oauth.hexor.cy
+
+resources:
+  requests:
+    cpu: 50m
+    memory: 64Mi
+  limits:
+    cpu: 200m
+    memory: 128Mi
+
+nodeSelector:
+  kubernetes.io/hostname: master.tail2fe2d.ts.net
+
+tolerations:
+  - key: node-role.kubernetes.io/master
+    effect: NoSchedule

k8s/core/postgresql/external-secrets.yaml

@@ -135,6 +135,8 @@ spec:
           {{ .furumi }}
         USER_furumi_dev: |-
           {{ .furumi_dev }}
+        USER_keycloak: |-
+          {{ .keycloak }}
   data:
     - secretKey: authentik
       sourceRef:
@@ -323,4 +325,14 @@ spec:
         metadataPolicy: None
         key: 2a9deb39-ef22-433e-a1be-df1555625e22
         property: fields[17].value
-
+    - secretKey: keycloak
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
+        key: 2a9deb39-ef22-433e-a1be-df1555625e22
+        property: fields[18].value

k8s/core/prom-stack/kustomization.yaml

@@ -7,6 +7,7 @@ resources:
   - grafana-alerting-configmap.yaml
   - alertmanager-config.yaml
   - furumi-dashboard-cm.yaml
+  - telemt-dashboard-cm.yaml
 
 helmCharts:
   - name: kube-prometheus-stack

k8s/core/prom-stack/loki-values.yaml

@@ -20,8 +20,12 @@ loki:
     filesystem:
       chunks_directory: /var/loki/chunks
       rules_directory: /var/loki/rules
+  compactor:
+    retention_enabled: true
+    delete_request_store: filesystem
   limits_config:
     reject_old_samples: false
+    retention_period: 1440h
     ingestion_rate_mb: 16
     ingestion_burst_size_mb: 32
     max_query_parallelism: 32

k8s/core/prom-stack/prom-values.yaml

@@ -78,7 +78,7 @@ prometheus:
           - targets: ['prom-a2s-exporter.counter-strike.svc:9841']
             labels: {instance: master}
 
-    retention: "99999d"
+    retention: "380d"
     retentionSize: "0"
     nodeSelector:
       kubernetes.io/hostname: master.tail2fe2d.ts.net

k8s/core/prom-stack/telemt-dashboard-cm.yaml

@@ -0,0 +1,409 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: telemt-dashboard
+  labels:
+    grafana_dashboard: "1"
+data:
+  telemt.json: |-
+    {
+      "annotations": { "list": [] },
+      "editable": true,
+      "fiscalYearStartMonth": 0,
+      "graphTooltip": 1,
+      "id": null,
+      "links": [],
+      "liveNow": false,
+      "panels": [
+        {
+          "title": "Nodes Overview",
+          "type": "table",
+          "gridPos": { "h": 8, "w": 24, "x": 0, "y": 0 },
+          "id": 1,
+          "fieldConfig": {
+            "defaults": {
+              "custom": {
+                "align": "auto",
+                "cellOptions": { "type": "auto" },
+                "inspect": false
+              },
+              "thresholds": {
+                "mode": "absolute",
+                "steps": [
+                  { "color": "green", "value": null }
+                ]
+              }
+            },
+            "overrides": [
+              {
+                "matcher": { "id": "byName", "options": "Uptime" },
+                "properties": [
+                  { "id": "unit", "value": "dtdurations" },
+                  { "id": "custom.width", "value": 140 }
+                ]
+              },
+              {
+                "matcher": { "id": "byName", "options": "Bad Conn" },
+                "properties": [
+                  { "id": "thresholds", "value": { "mode": "absolute", "steps": [{ "color": "green", "value": null }, { "color": "yellow", "value": 10 }, { "color": "red", "value": 100 }] } },
+                  { "id": "custom.cellOptions", "value": { "type": "color-background", "mode": "basic" } }
+                ]
+              },
+              {
+                "matcher": { "id": "byName", "options": "Writers" },
+                "properties": [
+                  { "id": "thresholds", "value": { "mode": "absolute", "steps": [{ "color": "red", "value": null }, { "color": "green", "value": 1 }] } },
+                  { "id": "custom.cellOptions", "value": { "type": "color-background", "mode": "basic" } }
+                ]
+              }
+            ]
+          },
+          "options": {
+            "showHeader": true,
+            "sortBy": [{ "displayName": "Node", "desc": false }],
+            "frameIndex": 0,
+            "footer": { "show": false }
+          },
+          "transformations": [
+            {
+              "id": "joinByField",
+              "options": { "byField": "node", "mode": "outer" }
+            },
+            {
+              "id": "filterFieldsByName",
+              "options": {
+                "include": { "pattern": "^(node|Value.*)$" }
+              }
+            },
+            {
+              "id": "organize",
+              "options": {
+                "renameByName": {
+                  "node": "Node",
+                  "Value #uptime": "Uptime",
+                  "Value #writers": "Writers",
+                  "Value #buffers": "Buffers In Use",
+                  "Value #connections": "Connections",
+                  "Value #bad": "Bad Conn",
+                  "Value #hs_timeout": "HS Timeouts"
+                }
+              }
+            }
+          ],
+          "targets": [
+            {
+              "expr": "telemt_uptime_seconds{node=~\"$node\"}",
+              "legendFormat": "",
+              "refId": "uptime",
+              "format": "table",
+              "instant": true
+            },
+            {
+              "expr": "telemt_me_writers_active_current{node=~\"$node\"}",
+              "legendFormat": "",
+              "refId": "writers",
+              "format": "table",
+              "instant": true
+            },
+            {
+              "expr": "telemt_buffer_pool_buffers_total{node=~\"$node\", kind=\"in_use\"}",
+              "legendFormat": "",
+              "refId": "buffers",
+              "format": "table",
+              "instant": true
+            },
+            {
+              "expr": "telemt_connections_total{node=~\"$node\"}",
+              "legendFormat": "",
+              "refId": "connections",
+              "format": "table",
+              "instant": true
+            },
+            {
+              "expr": "telemt_connections_bad_total{node=~\"$node\"}",
+              "legendFormat": "",
+              "refId": "bad",
+              "format": "table",
+              "instant": true
+            },
+            {
+              "expr": "telemt_handshake_timeouts_total{node=~\"$node\"}",
+              "legendFormat": "",
+              "refId": "hs_timeout",
+              "format": "table",
+              "instant": true
+            }
+          ],
+          "datasource": { "type": "prometheus", "uid": "${datasource}" }
+        },
+        {
+          "title": "Connections Rate",
+          "type": "timeseries",
+          "gridPos": { "h": 8, "w": 12, "x": 0, "y": 8 },
+          "id": 10,
+          "fieldConfig": {
+            "defaults": {
+              "custom": { "drawStyle": "line", "lineInterpolation": "smooth", "fillOpacity": 15, "pointSize": 5, "showPoints": "auto" },
+              "unit": "cps",
+              "thresholds": { "mode": "absolute", "steps": [{ "color": "green", "value": null }] }
+            },
+            "overrides": []
+          },
+          "options": {
+            "tooltip": { "mode": "multi", "sort": "desc" },
+            "legend": { "displayMode": "list", "placement": "bottom" }
+          },
+          "targets": [
+            { "expr": "rate(telemt_connections_total{node=~\"$node\"}[5m])", "legendFormat": "{{node}} accepted", "refId": "A" },
+            { "expr": "rate(telemt_connections_bad_total{node=~\"$node\"}[5m])", "legendFormat": "{{node}} bad", "refId": "B" },
+            { "expr": "rate(telemt_handshake_timeouts_total{node=~\"$node\"}[5m])", "legendFormat": "{{node}} hs timeout", "refId": "C" }
+          ],
+          "datasource": { "type": "prometheus", "uid": "${datasource}" }
+        },
+        {
+          "title": "Upstream Connect",
+          "type": "timeseries",
+          "gridPos": { "h": 8, "w": 12, "x": 12, "y": 8 },
+          "id": 11,
+          "fieldConfig": {
+            "defaults": {
+              "custom": { "drawStyle": "line", "lineInterpolation": "smooth", "fillOpacity": 15, "pointSize": 5, "showPoints": "auto" },
+              "unit": "cps",
+              "thresholds": { "mode": "absolute", "steps": [{ "color": "green", "value": null }] }
+            },
+            "overrides": []
+          },
+          "options": {
+            "tooltip": { "mode": "multi", "sort": "desc" },
+            "legend": { "displayMode": "list", "placement": "bottom" }
+          },
+          "targets": [
+            { "expr": "rate(telemt_upstream_connect_success_total{node=~\"$node\"}[5m])", "legendFormat": "{{node}} success", "refId": "A" },
+            { "expr": "rate(telemt_upstream_connect_fail_total{node=~\"$node\"}[5m])", "legendFormat": "{{node}} fail", "refId": "B" }
+          ],
+          "datasource": { "type": "prometheus", "uid": "${datasource}" }
+        },
+        {
+          "title": "Upstream Connect Duration (success)",
+          "type": "timeseries",
+          "gridPos": { "h": 8, "w": 12, "x": 0, "y": 16 },
+          "id": 12,
+          "fieldConfig": {
+            "defaults": {
+              "custom": { "drawStyle": "bars", "fillOpacity": 50, "stacking": { "mode": "normal" } },
+              "unit": "short",
+              "thresholds": { "mode": "absolute", "steps": [{ "color": "green", "value": null }] }
+            },
+            "overrides": []
+          },
+          "options": {
+            "tooltip": { "mode": "multi", "sort": "desc" },
+            "legend": { "displayMode": "list", "placement": "bottom" }
+          },
+          "targets": [
+            { "expr": "increase(telemt_upstream_connect_duration_success_total{node=~\"$node\"}[5m])", "legendFormat": "{{node}} {{bucket}}", "refId": "A" }
+          ],
+          "datasource": { "type": "prometheus", "uid": "${datasource}" }
+        },
+        {
+          "title": "ME Writers & Pool",
+          "type": "timeseries",
+          "gridPos": { "h": 8, "w": 12, "x": 12, "y": 16 },
+          "id": 13,
+          "fieldConfig": {
+            "defaults": {
+              "custom": { "drawStyle": "line", "lineInterpolation": "smooth", "fillOpacity": 15, "pointSize": 5, "showPoints": "auto" },
+              "thresholds": { "mode": "absolute", "steps": [{ "color": "green", "value": null }] }
+            },
+            "overrides": []
+          },
+          "options": {
+            "tooltip": { "mode": "multi", "sort": "desc" },
+            "legend": { "displayMode": "list", "placement": "bottom" }
+          },
+          "targets": [
+            { "expr": "telemt_me_writers_active_current{node=~\"$node\"}", "legendFormat": "{{node}} active", "refId": "A" },
+            { "expr": "telemt_me_writers_warm_current{node=~\"$node\"}", "legendFormat": "{{node}} warm", "refId": "B" },
+            { "expr": "telemt_pool_drain_active{node=~\"$node\"}", "legendFormat": "{{node}} draining", "refId": "C" }
+          ],
+          "datasource": { "type": "prometheus", "uid": "${datasource}" }
+        },
+        {
+          "title": "Per-User Active Connections",
+          "type": "timeseries",
+          "gridPos": { "h": 8, "w": 12, "x": 0, "y": 24 },
+          "id": 20,
+          "fieldConfig": {
+            "defaults": {
+              "custom": { "drawStyle": "line", "lineInterpolation": "smooth", "fillOpacity": 15, "pointSize": 5, "showPoints": "auto" },
+              "thresholds": { "mode": "absolute", "steps": [{ "color": "green", "value": null }] }
+            },
+            "overrides": []
+          },
+          "options": {
+            "tooltip": { "mode": "multi", "sort": "desc" },
+            "legend": { "displayMode": "list", "placement": "bottom" }
+          },
+          "targets": [
+            { "expr": "telemt_user_connections_current{node=~\"$node\"}", "legendFormat": "{{node}} {{user}}", "refId": "A" }
+          ],
+          "datasource": { "type": "prometheus", "uid": "${datasource}" }
+        },
+        {
+          "title": "Per-User Traffic",
+          "type": "timeseries",
+          "gridPos": { "h": 8, "w": 12, "x": 12, "y": 24 },
+          "id": 21,
+          "fieldConfig": {
+            "defaults": {
+              "custom": { "drawStyle": "line", "lineInterpolation": "smooth", "fillOpacity": 15, "pointSize": 5, "showPoints": "auto" },
+              "unit": "Bps",
+              "thresholds": { "mode": "absolute", "steps": [{ "color": "green", "value": null }] }
+            },
+            "overrides": []
+          },
+          "options": {
+            "tooltip": { "mode": "multi", "sort": "desc" },
+            "legend": { "displayMode": "list", "placement": "bottom" }
+          },
+          "targets": [
+            { "expr": "rate(telemt_user_octets_from_client{node=~\"$node\"}[5m])", "legendFormat": "{{node}} {{user}} rx", "refId": "A" },
+            { "expr": "rate(telemt_user_octets_to_client{node=~\"$node\"}[5m])", "legendFormat": "{{node}} {{user}} tx", "refId": "B" }
+          ],
+          "datasource": { "type": "prometheus", "uid": "${datasource}" }
+        },
+        {
+          "title": "DC->Client Payload",
+          "type": "timeseries",
+          "gridPos": { "h": 8, "w": 12, "x": 0, "y": 32 },
+          "id": 30,
+          "fieldConfig": {
+            "defaults": {
+              "custom": { "drawStyle": "line", "lineInterpolation": "smooth", "fillOpacity": 15, "pointSize": 5, "showPoints": "auto" },
+              "unit": "Bps",
+              "thresholds": { "mode": "absolute", "steps": [{ "color": "green", "value": null }] }
+            },
+            "overrides": []
+          },
+          "options": {
+            "tooltip": { "mode": "multi", "sort": "desc" },
+            "legend": { "displayMode": "list", "placement": "bottom" }
+          },
+          "targets": [
+            { "expr": "rate(telemt_me_d2c_payload_bytes_total{node=~\"$node\"}[5m])", "legendFormat": "{{node}} payload", "refId": "A" }
+          ],
+          "datasource": { "type": "prometheus", "uid": "${datasource}" }
+        },
+        {
+          "title": "ME Errors & Anomalies",
+          "type": "timeseries",
+          "gridPos": { "h": 8, "w": 12, "x": 12, "y": 32 },
+          "id": 31,
+          "fieldConfig": {
+            "defaults": {
+              "custom": { "drawStyle": "line", "lineInterpolation": "smooth", "fillOpacity": 15, "pointSize": 5, "showPoints": "auto" },
+              "unit": "cps",
+              "thresholds": { "mode": "absolute", "steps": [{ "color": "green", "value": null }] }
+            },
+            "overrides": []
+          },
+          "options": {
+            "tooltip": { "mode": "multi", "sort": "desc" },
+            "legend": { "displayMode": "list", "placement": "bottom" }
+          },
+          "targets": [
+            { "expr": "rate(telemt_me_reconnect_attempts_total{node=~\"$node\"}[5m])", "legendFormat": "{{node}} reconnect", "refId": "A" },
+            { "expr": "rate(telemt_me_handshake_reject_total{node=~\"$node\"}[5m])", "legendFormat": "{{node}} hs reject", "refId": "B" },
+            { "expr": "rate(telemt_me_crc_mismatch_total{node=~\"$node\"}[5m])", "legendFormat": "{{node}} crc mismatch", "refId": "C" },
+            { "expr": "rate(telemt_desync_total{node=~\"$node\"}[5m])", "legendFormat": "{{node}} desync", "refId": "D" }
+          ],
+          "datasource": { "type": "prometheus", "uid": "${datasource}" }
+        },
+        {
+          "title": "Per-User Unique IPs",
+          "type": "timeseries",
+          "gridPos": { "h": 8, "w": 12, "x": 0, "y": 40 },
+          "id": 40,
+          "fieldConfig": {
+            "defaults": {
+              "custom": { "drawStyle": "line", "lineInterpolation": "smooth", "fillOpacity": 15, "pointSize": 5, "showPoints": "auto" },
+              "thresholds": { "mode": "absolute", "steps": [{ "color": "green", "value": null }] }
+            },
+            "overrides": []
+          },
+          "options": {
+            "tooltip": { "mode": "multi", "sort": "desc" },
+            "legend": { "displayMode": "list", "placement": "bottom" }
+          },
+          "targets": [
+            { "expr": "telemt_user_unique_ips_current{node=~\"$node\"}", "legendFormat": "{{node}} {{user}} active", "refId": "A" },
+            { "expr": "telemt_user_unique_ips_recent_window{node=~\"$node\"}", "legendFormat": "{{node}} {{user}} recent", "refId": "B" }
+          ],
+          "datasource": { "type": "prometheus", "uid": "${datasource}" }
+        },
+        {
+          "title": "Conntrack",
+          "type": "timeseries",
+          "gridPos": { "h": 8, "w": 12, "x": 12, "y": 40 },
+          "id": 41,
+          "fieldConfig": {
+            "defaults": {
+              "custom": { "drawStyle": "line", "lineInterpolation": "smooth", "fillOpacity": 15, "pointSize": 5, "showPoints": "auto" },
+              "unit": "cps",
+              "thresholds": { "mode": "absolute", "steps": [{ "color": "green", "value": null }] }
+            },
+            "overrides": []
+          },
+          "options": {
+            "tooltip": { "mode": "multi", "sort": "desc" },
+            "legend": { "displayMode": "list", "placement": "bottom" }
+          },
+          "targets": [
+            { "expr": "rate(telemt_conntrack_delete_total{node=~\"$node\", result=\"attempt\"}[5m])", "legendFormat": "{{node}} delete attempt", "refId": "A" },
+            { "expr": "rate(telemt_conntrack_delete_total{node=~\"$node\", result=\"error\"}[5m])", "legendFormat": "{{node}} delete error", "refId": "B" },
+            { "expr": "telemt_conntrack_event_queue_depth{node=~\"$node\"}", "legendFormat": "{{node}} queue depth", "refId": "C" }
+          ],
+          "datasource": { "type": "prometheus", "uid": "${datasource}" }
+        }
+      ],
+      "refresh": "30s",
+      "schemaVersion": 39,
+      "tags": ["telemt", "mtproxy", "telegram"],
+      "templating": {
+        "list": [
+          {
+            "current": {},
+            "hide": 0,
+            "includeAll": false,
+            "label": "Datasource",
+            "multi": false,
+            "name": "datasource",
+            "options": [],
+            "query": "prometheus",
+            "refresh": 1,
+            "regex": "",
+            "skipUrlSync": false,
+            "type": "datasource"
+          },
+          {
+            "current": {},
+            "datasource": { "type": "prometheus", "uid": "${datasource}" },
+            "definition": "label_values(telemt_uptime_seconds, node)",
+            "hide": 0,
+            "includeAll": true,
+            "label": "Node",
+            "multi": true,
+            "name": "node",
+            "query": "label_values(telemt_uptime_seconds, node)",
+            "refresh": 2,
+            "regex": "",
+            "skipUrlSync": false,
+            "sort": 1,
+            "type": "query"
+          }
+        ]
+      },
+      "time": { "from": "now-6h", "to": "now" },
+      "title": "Telemt MTProxy",
+      "uid": "telemt-mtproxy"
+    }

k8s/core/system-upgrade/plan.yaml

@@ -7,6 +7,8 @@ metadata:
 spec:
   concurrency: 1
   cordon: true
+  tolerations:
+  - operator: Exists
   nodeSelector:
     matchExpressions:
     - key: node-role.kubernetes.io/control-plane
@@ -16,7 +18,7 @@ spec:
   serviceAccountName: system-upgrade
   upgrade:
     image: rancher/k3s-upgrade
-  version: v1.35.2+k3s1
+  version: v1.35.4+k3s1
 ---
 # Agent plan
 apiVersion: upgrade.cattle.io/v1
@@ -27,6 +29,8 @@ metadata:
 spec:
   concurrency: 1
   cordon: true
+  tolerations:
+  - operator: Exists
   nodeSelector:
     matchExpressions:
     - key: node-role.kubernetes.io/control-plane
@@ -39,4 +43,4 @@ spec:
   serviceAccountName: system-upgrade
   upgrade:
     image: rancher/k3s-upgrade
-  version: v1.35.2+k3s1
+  version: v1.35.4+k3s1

k8s/games/minecraft/deployments.yaml

@@ -35,7 +35,7 @@ spec:
       terminationGracePeriodSeconds: 10
       containers:
         - name: minecraft
-          image: 'openjdk:8-jdk-alpine'
+          image: 'eclipse-temurin:8-jdk-ubi10-minimal'
           command: ["java"]
           args:
             - -Xms4G