Auto-update README with current k8s applications

Generated by CI/CD workflow on 2026-03-17 14:50:32 This PR updates the README.md file with the current list of applications found in the k8s/ directory structure.
2026-03-17 14:50:32 +00:00
30 changed files with 108 additions and 1375 deletions
--- a/README.md
+++ b/README.md
@@ -39,7 +39,6 @@ ArgoCD homelab project
 | Application | Status |
 | :--- | :---: |
 | **comfyui** | [![comfyui](https://ag.hexor.cy/api/badge?name=comfyui&revision=true)](https://ag.hexor.cy/applications/argocd/comfyui) |
 | **furumi-dev** | [![furumi-dev](https://ag.hexor.cy/api/badge?name=furumi-dev&revision=true)](https://ag.hexor.cy/applications/argocd/furumi-dev) |
 | **furumi-server** | [![furumi-server](https://ag.hexor.cy/api/badge?name=furumi-server&revision=true)](https://ag.hexor.cy/applications/argocd/furumi-server) |
 | **gitea** | [![gitea](https://ag.hexor.cy/api/badge?name=gitea&revision=true)](https://ag.hexor.cy/applications/argocd/gitea) |
 | **greece-notifier** | [![greece-notifier](https://ag.hexor.cy/api/badge?name=greece-notifier&revision=true)](https://ag.hexor.cy/applications/argocd/greece-notifier) |
--- a/k8s/apps/furumi-dev/app.yaml
+++ b/k8s/apps/furumi-dev/app.yaml
@@ -1,20 +0,0 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: furumi-dev
  namespace: argocd
 spec:
  project: apps
  destination:
    namespace: furumi-dev
    server: https://kubernetes.default.svc
  source:
    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
    targetRevision: HEAD
    path: k8s/apps/furumi-dev
  syncPolicy:
    automated:
      selfHeal: true
      prune: true
    syncOptions:
      - CreateNamespace=true
--- a/k8s/apps/furumi-dev/external-secrets.yaml
+++ b/k8s/apps/furumi-dev/external-secrets.yaml
@@ -1,65 +0,0 @@
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: furumi-ng-creds
 spec:
  target:
    name: furumi-ng-creds
    deletionPolicy: Delete
    template:
      type: Opaque
      data:
        OIDC_CLIENT_ID: |-
          {{ .client_id }}
        OIDC_CLIENT_SECRET: |-
          {{ .client_secret }}
        OIDC_ISSUER_URL: https://idm.hexor.cy/application/o/furumi-dev/
        OIDC_REDIRECT_URL: https://music-dev.hexor.cy/auth/callback
        OIDC_SESSION_SECRET: |-
          {{ .session_secret }}
        PG_STRING: |-
          postgres://furumi_dev:{{ .pg_pass }}@psql.psql.svc:5432/furumi_dev
        PLAYER_API_KEY: |-
          {{ .player_api_key }}
  data:
    - secretKey: client_id
      sourceRef:
        storeRef:
          name: vaultwarden-login
          kind: ClusterSecretStore
      remoteRef:
        key: 960735e6-2cc9-4b68-9bd3-e6786e5a0cd6
        property: fields[0].value
    - secretKey: client_secret
      sourceRef:
        storeRef:
          name: vaultwarden-login
          kind: ClusterSecretStore
      remoteRef:
        key: 960735e6-2cc9-4b68-9bd3-e6786e5a0cd6
        property: fields[1].value
    - secretKey: session_secret
      sourceRef:
        storeRef:
          name: vaultwarden-login
          kind: ClusterSecretStore
      remoteRef:
        key: 960735e6-2cc9-4b68-9bd3-e6786e5a0cd6
        property: fields[2].value
    - secretKey: player_api_key
      sourceRef:
        storeRef:
          name: vaultwarden-login
          kind: ClusterSecretStore
      remoteRef:
        key: 960735e6-2cc9-4b68-9bd3-e6786e5a0cd6
        property: fields[3].value
    - secretKey: pg_pass
      sourceRef:
        storeRef:
          name: vaultwarden-login
          kind: ClusterSecretStore
      remoteRef:
        key: 2a9deb39-ef22-433e-a1be-df1555625e22
        property: fields[17].value
--- a/k8s/apps/furumi-dev/ingress.yaml
+++ b/k8s/apps/furumi-dev/ingress.yaml
@@ -1,59 +0,0 @@
 ---
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: admin-strip
 spec:
  stripPrefix:
    prefixes:
      - /admin
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: furumi-tls-ingress
  annotations:
    ingressClassName: traefik
    cert-manager.io/cluster-issuer: letsencrypt
    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
    acme.cert-manager.io/http01-edit-in-place: "true"
 spec:
  rules:
    - host: music-dev.hexor.cy
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: furumi-dev-web-player
                port:
                  number: 8080
  tls:
    - secretName: furumi-tls
      hosts:
        - '*.hexor.cy'
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: furumi-dev-admin-ingress
  annotations:
    ingressClassName: traefik
    traefik.ingress.kubernetes.io/router.middlewares: furumi-server-admin-strip@kubernetescrd,kube-system-https-redirect@kubernetescrd
 spec:
  rules:
    - host: music-dev.hexor.cy
      http:
        paths:
          - path: /admin
            pathType: Prefix
            backend:
              service:
                name: furumi-dev-metadata-agent
                port:
                  number: 8090
  tls:
    - secretName: furumi-tls
      hosts:
        - '*.hexor.cy'
--- a/k8s/apps/furumi-dev/kustomization.yaml
+++ b/k8s/apps/furumi-dev/kustomization.yaml
@@ -1,10 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - app.yaml
  - service.yaml
  - external-secrets.yaml
  - ingress.yaml
  - web-player.yaml
  - metadata-agent.yaml
--- a/k8s/apps/furumi-dev/metadata-agent.yaml
+++ b/k8s/apps/furumi-dev/metadata-agent.yaml
@@ -1,59 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: furumi-dev-metadata-agent
  labels:
    app: furumi-dev-metadata-agent
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: furumi-dev-metadata-agent
  template:
    metadata:
      labels:
        app: furumi-dev-metadata-agent
    spec:
      nodeSelector:
        kubernetes.io/hostname: master.tail2fe2d.ts.net
      containers:
        - name: furumi-dev-metadata-agent
          image: ultradesu/furumi-metadata-agent:dev
          imagePullPolicy: Always
          env:
            - name: FURUMI_AGENT_DATABASE_URL
              valueFrom:
                secretKeyRef:
                  name: furumi-ng-creds
                  key: PG_STRING
            - name: FURUMI_AGENT_INBOX_DIR
              value: "/inbox"
            - name: FURUMI_AGENT_STORAGE_DIR
              value: "/media"
            - name: FURUMI_AGENT_OLLAMA_URL
              value: "http://ollama.ollama.svc:11434"
            - name: FURUMI_AGENT_OLLAMA_MODEL
              value: "qwen3:14b"
            - name: FURUMI_AGENT_POLL_INTERVAL_SECS
              value: "10"
            - name: RUST_LOG
              value: "info"
          ports:
            - name: admin-ui
              containerPort: 8090
              protocol: TCP
          volumeMounts:
            - name: library
              mountPath: /media
            - name: inbox
              mountPath: /inbox
      volumes:
        - name: library
          hostPath:
            path: /k8s/furumi-dev/library
            type: DirectoryOrCreate
        - name: inbox
          hostPath:
            path: /k8s/furumi-dev/inbox
            type: DirectoryOrCreate
--- a/k8s/apps/furumi-dev/service.yaml
+++ b/k8s/apps/furumi-dev/service.yaml
@@ -1,32 +0,0 @@
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: furumi-dev-metadata-agent
  labels:
    app: furumi-dev-metadata-agent
 spec:
  type: ClusterIP
  selector:
    app: furumi-dev-metadata-agent
  ports:
    - name: admin-ui
      protocol: TCP
      port: 8090
      targetPort: 8090
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: furumi-dev-web-player
  labels:
    app: furumi-dev-web-player
 spec:
  type: ClusterIP
  selector:
    app: furumi-dev-web-player
  ports:
    - name: web-ui
      protocol: TCP
      port: 8080
      targetPort: 8080
--- a/k8s/apps/furumi-dev/web-player.yaml
+++ b/k8s/apps/furumi-dev/web-player.yaml
@@ -1,75 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: furumi-dev-web-player
  labels:
    app: furumi-dev-web-player
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: furumi-dev-web-player
  template:
    metadata:
      labels:
        app: furumi-dev-web-player
    spec:
      nodeSelector:
        kubernetes.io/hostname: master.tail2fe2d.ts.net
      containers:
        - name: furumi-dev-web-player
          image: ultradesu/furumi-web-player:dev
          imagePullPolicy: Always
          env:
            - name: FURUMI_PLAYER_OIDC_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: furumi-ng-creds
                  key: OIDC_CLIENT_ID
            - name: FURUMI_PLAYER_OIDC_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: furumi-ng-creds
                  key: OIDC_CLIENT_SECRET
            - name: FURUMI_PLAYER_OIDC_ISSUER_URL
              valueFrom:
                secretKeyRef:
                  name: furumi-ng-creds
                  key: OIDC_ISSUER_URL
            - name: FURUMI_PLAYER_OIDC_REDIRECT_URL
              valueFrom:
                secretKeyRef:
                  name: furumi-ng-creds
                  key: OIDC_REDIRECT_URL
            - name: FURUMI_PLAYER_OIDC_SESSION_SECRET
              valueFrom:
                secretKeyRef:
                  name: furumi-ng-creds
                  key: OIDC_SESSION_SECRET
            - name: FURUMI_PLAYER_DATABASE_URL
              valueFrom:
                secretKeyRef:
                  name: furumi-ng-creds
                  key: PG_STRING
            - name: FURUMI_PLAYER_API_KEY
              valueFrom:
                secretKeyRef:
                  name: furumi-ng-creds
                  key: PLAYER_API_KEY
            - name: FURUMI_PLAYER_STORAGE_DIR
              value: "/media"
            - name: RUST_LOG
              value: "info"
          ports:
            - name: web-ui
              containerPort: 8080
              protocol: TCP
          volumeMounts:
            - name: music
              mountPath: /media
      volumes:
        - name: music
          hostPath:
            path: /k8s/furumi-dev/library
            type: DirectoryOrCreate
--- a/k8s/apps/furumi-server/deployment.yaml
+++ b/k8s/apps/furumi-server/deployment.yaml
@@ -18,7 +18,7 @@ spec:
        kubernetes.io/hostname: master.tail2fe2d.ts.net
      containers:
        - name: furumi-server
-          image: ultradesu/furumi-server:trunk
+          image: ultradesu/furumi-server:latest
          imagePullPolicy: Always
          env:
            - name: FURUMI_TOKEN
@@ -46,15 +46,10 @@ spec:
                secretKeyRef:
                  name: furumi-ng-creds
                  key: OIDC_REDIRECT_URL
            - name: FURUMI_OIDC_SESSION_SECRET
              valueFrom:
                secretKeyRef:
                  name: furumi-ng-creds
                  key: OIDC_SESSION_SECRET
            - name: FURUMI_ROOT
              value: "/media"
            - name: RUST_LOG
-              value: "info"
+              value: "debug"
          ports:
            - name: grpc
              containerPort: 50051
--- a/k8s/apps/furumi-server/external-secrets.yaml
+++ b/k8s/apps/furumi-server/external-secrets.yaml
@@ -18,10 +18,6 @@ spec:
          {{ .client_secret }}
        OIDC_ISSUER_URL: https://idm.hexor.cy/application/o/furumi-ng-web/
        OIDC_REDIRECT_URL: https://music.hexor.cy/auth/callback
        OIDC_SESSION_SECRET: |-
          {{ .session_secret }}
        PG_STRING: |-
          postgres://furumi:{{ .pg_pass }}@psql.psql.svc:5432/furumi
  data:
    - secretKey: token
      sourceRef:
@@ -47,19 +43,3 @@ spec:
      remoteRef:
        key: b8b8c3a2-c3fe-42d3-9402-0ae305e1455f
        property: fields[2].value
    - secretKey: session_secret
      sourceRef:
        storeRef:
          name: vaultwarden-login
          kind: ClusterSecretStore
      remoteRef:
        key: b8b8c3a2-c3fe-42d3-9402-0ae305e1455f
        property: fields[3].value
    - secretKey: pg_pass
      sourceRef:
        storeRef:
          name: vaultwarden-login
          kind: ClusterSecretStore
      remoteRef:
        key: 2a9deb39-ef22-433e-a1be-df1555625e22
        property: fields[16].value
--- a/k8s/apps/furumi-server/ingress.yaml
+++ b/k8s/apps/furumi-server/ingress.yaml
@@ -1,13 +1,4 @@
 ---
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: admin-strip
 spec:
  stripPrefix:
    prefixes:
      - /admin
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
@@ -26,34 +17,12 @@ spec:
            pathType: Prefix
            backend:
              service:
-                name: furumi-web-player
+                name: furumi-server-web
                port:
                  number: 8080
  tls:
    - secretName: furumi-tls
      hosts:
        - '*.hexor.cy'
---
+
-apiVersion: networking.k8s.io/v1
+
 kind: Ingress
 metadata:
  name: furumi-admin-ingress
  annotations:
    ingressClassName: traefik
    traefik.ingress.kubernetes.io/router.middlewares: furumi-server-admin-strip@kubernetescrd,kube-system-https-redirect@kubernetescrd
 spec:
  rules:
    - host: music.hexor.cy
      http:
        paths:
          - path: /admin
            pathType: Prefix
            backend:
              service:
                name: furumi-metadata-agent
                port:
                  number: 8090
  tls:
    - secretName: furumi-tls
      hosts:
        - '*.hexor.cy'
--- a/k8s/apps/furumi-server/kustomization.yaml
+++ b/k8s/apps/furumi-server/kustomization.yaml
@@ -8,5 +8,3 @@ resources:
  - servicemonitor.yaml
  - external-secrets.yaml
  - ingress.yaml
  - web-player.yaml
  - metadata-agent.yaml
--- a/k8s/apps/furumi-server/metadata-agent.yaml
+++ b/k8s/apps/furumi-server/metadata-agent.yaml
@@ -1,59 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: furumi-metadata-agent
  labels:
    app: furumi-metadata-agent
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: furumi-metadata-agent
  template:
    metadata:
      labels:
        app: furumi-metadata-agent
    spec:
      nodeSelector:
        kubernetes.io/hostname: master.tail2fe2d.ts.net
      containers:
        - name: furumi-metadata-agent
          image: ultradesu/furumi-metadata-agent:trunk
          imagePullPolicy: Always
          env:
            - name: FURUMI_AGENT_DATABASE_URL
              valueFrom:
                secretKeyRef:
                  name: furumi-ng-creds
                  key: PG_STRING
            - name: FURUMI_AGENT_INBOX_DIR
              value: "/inbox"
            - name: FURUMI_AGENT_STORAGE_DIR
              value: "/media"
            - name: FURUMI_AGENT_OLLAMA_URL
              value: "http://ollama.ollama.svc:11434"
            - name: FURUMI_AGENT_OLLAMA_MODEL
              value: "qwen3.5:9b"
            - name: FURUMI_AGENT_POLL_INTERVAL_SECS
              value: "10"
            - name: RUST_LOG
              value: "info"
          ports:
            - name: admin-ui
              containerPort: 8090
              protocol: TCP
          volumeMounts:
            - name: library
              mountPath: /media
            - name: inbox
              mountPath: /inbox
      volumes:
        - name: library
          hostPath:
            path: /k8s/furumi/library
            type: DirectoryOrCreate
        - name: inbox
          hostPath:
            path: /k8s/furumi/inbox
            type: DirectoryOrCreate
--- a/k8s/apps/furumi-server/service.yaml
+++ b/k8s/apps/furumi-server/service.yaml
@@ -32,29 +32,13 @@ spec:
 apiVersion: v1
 kind: Service
 metadata:
-  name: furumi-metadata-agent
+  name: furumi-server-web
  labels:
-    app: furumi-metadata-agent
+    app: furumi-server
 spec:
  type: ClusterIP
  selector:
-    app: furumi-metadata-agent
+    app: furumi-server
  ports:
    - name: admin-ui
      protocol: TCP
      port: 8090
      targetPort: 8090
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: furumi-web-player
  labels:
    app: furumi-web-player
 spec:
  type: ClusterIP
  selector:
    app: furumi-web-player
  ports:
    - name: web-ui
      protocol: TCP
--- a/k8s/apps/furumi-server/web-player.yaml
+++ b/k8s/apps/furumi-server/web-player.yaml
@@ -1,70 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: furumi-web-player
  labels:
    app: furumi-web-player
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: furumi-web-player
  template:
    metadata:
      labels:
        app: furumi-web-player
    spec:
      nodeSelector:
        kubernetes.io/hostname: master.tail2fe2d.ts.net
      containers:
        - name: furumi-web-player
          image: ultradesu/furumi-web-player:trunk
          imagePullPolicy: Always
          env:
            - name: FURUMI_PLAYER_OIDC_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: furumi-ng-creds
                  key: OIDC_CLIENT_ID
            - name: FURUMI_PLAYER_OIDC_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: furumi-ng-creds
                  key: OIDC_CLIENT_SECRET
            - name: FURUMI_PLAYER_OIDC_ISSUER_URL
              valueFrom:
                secretKeyRef:
                  name: furumi-ng-creds
                  key: OIDC_ISSUER_URL
            - name: FURUMI_PLAYER_OIDC_REDIRECT_URL
              valueFrom:
                secretKeyRef:
                  name: furumi-ng-creds
                  key: OIDC_REDIRECT_URL
            - name: FURUMI_PLAYER_OIDC_SESSION_SECRET
              valueFrom:
                secretKeyRef:
                  name: furumi-ng-creds
                  key: OIDC_SESSION_SECRET
            - name: FURUMI_PLAYER_DATABASE_URL
              valueFrom:
                secretKeyRef:
                  name: furumi-ng-creds
                  key: PG_STRING
            - name: FURUMI_PLAYER_STORAGE_DIR
              value: "/media"
            - name: RUST_LOG
              value: "info"
          ports:
            - name: web-ui
              containerPort: 8080
              protocol: TCP
          volumeMounts:
            - name: music
              mountPath: /media
      volumes:
        - name: music
          hostPath:
            path: /k8s/furumi/library
            type: DirectoryOrCreate
--- a/k8s/apps/gitea/deployment.yaml
+++ b/k8s/apps/gitea/deployment.yaml
@@ -77,6 +77,101 @@ spec:
      labels:
        app: gitea-runner
    spec:
      #nodeSelector:
      #  kubernetes.io/hostname: home.homenet
      volumes:
        - name: docker-sock
          hostPath:
            path: /var/run/docker.sock
            type: Socket
        - name: runner-data
          emptyDir:
            sizeLimit: 30Gi
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 1
            preference:
              matchExpressions:
              - key: kubernetes.io/hostname
                operator: In
                values:
                - home.homenet
          - weight: 2
            preference:
              matchExpressions:
              - key: kubernetes.io/hostname
                operator: In
                values:
                - master.tail2fe2d.ts.net
          - weight: 3
            preference:
              matchExpressions:
              - key: kubernetes.io/hostname
                operator: In
                values:
                - it.tail2fe2d.ts.net
                - ch.tail2fe2d.ts.net
                - us.tail2fe2d.ts.net
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: kubernetes.io/hostname
                operator: In
                values:
                - home.homenet
                - it.tail2fe2d.ts.net
                - ch.tail2fe2d.ts.net
                - us.tail2fe2d.ts.net
                - master.tail2fe2d.ts.net
      containers:
        - name: gitea-runner
          image: gitea/act_runner:nightly
          resources:
            requests:
              cpu: "100m"
              memory: "256Mi"
              ephemeral-storage: "1Gi"   # reserve ephemeral storage
            limits:
              cpu: "3000m"
              memory: "4Gi"
              ephemeral-storage: "28Gi"   # hard cap for /data usage
          volumeMounts:
            - name: docker-sock
              mountPath: /var/run/docker.sock
            - name: runner-data
              mountPath: /data
          env:
            - name: GITEA_INSTANCE_URL
              value: "https://gt.hexor.cy"
            - name: GITEA_RUNNER_REGISTRATION_TOKEN
              valueFrom:
                secretKeyRef:
                  name: gitea-runner-act-runner-secrets
                  key: token
            - name: GITEA_RUNNER_NAME
              value: "k8s-runner"
            - name: GITEA_RUNNER_LABELS
              value: "ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest,ubuntu-22.04:docker://ghcr.io/catthehacker/ubuntu:act-22.04,ubuntu-20.04:docker://ghcr.io/catthehacker/ubuntu:act-20.04"
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: gitea-runner-desktop
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: gitea-runner-desktop
  template:
    metadata:
      labels:
        app: gitea-runner-desktop
    spec:
      nodeSelector:
        kubernetes.io/hostname: uk-desktop.tail2fe2d.ts.net
      tolerations:
        - key: workload
          operator: Equal
@@ -90,39 +185,6 @@ spec:
        - name: runner-data
          emptyDir:
            sizeLimit: 30Gi
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 100
            preference:
              matchExpressions:
              - key: kubernetes.io/hostname
                operator: In
                values:
                - uk-desktop.tail2fe2d.ts.net
          - weight: 50
            preference:
              matchExpressions:
              - key: kubernetes.io/hostname
                operator: In
                values:
                - home.homenet
          - weight: 30
            preference:
              matchExpressions:
              - key: kubernetes.io/hostname
                operator: In
                values:
                - master.tail2fe2d.ts.net
          - weight: 10
            preference:
              matchExpressions:
              - key: kubernetes.io/hostname
                operator: In
                values:
                - it.tail2fe2d.ts.net
                - ch.tail2fe2d.ts.net
                - us.tail2fe2d.ts.net
      containers:
        - name: gitea-runner
          image: gitea/act_runner:nightly
@@ -149,6 +211,6 @@ spec:
                  name: gitea-runner-act-runner-secrets
                  key: token
            - name: GITEA_RUNNER_NAME
-              value: "k8s-runner"
+              value: "k8s-runner-desktop"
            - name: GITEA_RUNNER_LABELS
              value: "ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest,ubuntu-22.04:docker://ghcr.io/catthehacker/ubuntu:act-22.04,ubuntu-20.04:docker://ghcr.io/catthehacker/ubuntu:act-20.04"
--- a/k8s/apps/mtproxy/kustomization.yaml
+++ b/k8s/apps/mtproxy/kustomization.yaml
@@ -5,11 +5,7 @@ resources:
  - ./app.yaml
  - ./rbac.yaml
  - ./daemonset.yaml
  - ./telemt-daemonset.yaml
  - ./external-secrets.yaml
  - ./telemt-external-secrets.yaml
  - ./telemt-service.yaml
  - ./telemt-servicemonitor.yaml
  - ./service.yaml
  - ./secret-reader.yaml
 # - ./storage.yaml
--- a/k8s/apps/mtproxy/secret-reader.yaml
+++ b/k8s/apps/mtproxy/secret-reader.yaml
@@ -23,7 +23,7 @@ spec:
        imagePullPolicy: Always
        args:
          - "--secrets"
-          - "mtproxy-links,telemt-links"
+          - "mtproxy-links"
          - "--namespace"
          - "mtproxy"
          - "--port"
--- a/k8s/apps/mtproxy/telemt-daemonset.yaml
+++ b/k8s/apps/mtproxy/telemt-daemonset.yaml
@@ -1,115 +0,0 @@
 ---
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
  name: telemt
  labels:
    app: telemt
 spec:
  selector:
    matchLabels:
      app: telemt
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: telemt
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: mtproxy
                    operator: Exists
      serviceAccountName: mtproxy
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      initContainers:
        - name: register-proxy
          image: bitnami/kubectl:latest
          env:
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: SECRET
              valueFrom:
                secretKeyRef:
                  name: tgproxy-secret
                  key: SECRET
            - name: TELEMT_PORT
              valueFrom:
                secretKeyRef:
                  name: telemt-secret
                  key: PORT
          command:
            - /bin/bash
            - -c
            - |
              set -e
              NAMESPACE=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)
              SERVER=$(kubectl get node "${NODE_NAME}" -o jsonpath='{.metadata.labels.mtproxy}')
              if [ -z "${SERVER}" ]; then
                echo "ERROR: node ${NODE_NAME} has no mtproxy label"
                exit 1
              fi
              # Build ee-prefixed secret: ee + secret + hex(tls_domain)
              # "ya.ru" = 79612e7275
              EE_SECRET="ee${SECRET}79612e7275"
              LINK="tg://proxy?server=${SERVER}&port=${TELEMT_PORT}&secret=${EE_SECRET}"
              echo "Registering telemt: ${SERVER} -> ${LINK}"
              if kubectl get secret telemt-links -n "${NAMESPACE}" &>/dev/null; then
                kubectl patch secret telemt-links -n "${NAMESPACE}" \
                  --type merge -p "{\"stringData\":{\"${SERVER}\":\"${LINK}\"}}"
              else
                kubectl create secret generic telemt-links -n "${NAMESPACE}" \
                  --from-literal="${SERVER}=${LINK}"
              fi
              echo "Done"
      containers:
        - name: telemt
          image: ghcr.io/telemt/telemt:latest
          imagePullPolicy: Always
          ports:
            - name: proxy
              containerPort: 30444
              protocol: TCP
            - name: api
              containerPort: 9091
              protocol: TCP
          workingDir: /run/telemt
          env:
            - name: RUST_LOG
              value: info
          volumeMounts:
            - name: workdir
              mountPath: /run/telemt
            - name: config
              mountPath: /run/telemt/config.toml
              subPath: config.toml
              readOnly: true
            - name: etcdir
              mountPath: /etc/telemt
          securityContext:
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
      volumes:
        - name: config
          secret:
            secretName: telemt-secret
            items:
              - key: config.toml
                path: config.toml
        - name: workdir
          emptyDir:
            medium: Memory
            sizeLimit: 1Mi
        - name: etcdir
          emptyDir:
            medium: Memory
            sizeLimit: 1Mi
--- a/k8s/apps/mtproxy/telemt-external-secrets.yaml
+++ b/k8s/apps/mtproxy/telemt-external-secrets.yaml
@@ -1,59 +0,0 @@
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: telemt-secret
 spec:
  target:
    name: telemt-secret
    deletionPolicy: Delete
    template:
      type: Opaque
      data:
        SECRET: |-
          {{ .secret }}
        PORT: "30444"
        config.toml: |
          [general]
          use_middle_proxy = true
          log_level = "normal"
          [general.modes]
          classic = false
          secure = false
          tls = true
          [general.links]
          show = "*"
          public_port = 30444
          [server]
          port = 30444
          metrics_port = 9090
          metrics_whitelist = ["0.0.0.0/0"]
          [server.api]
          enabled = true
          listen = "0.0.0.0:9091"
          whitelist = ["0.0.0.0/0"]
          [[server.listeners]]
          ip = "0.0.0.0"
          [censorship]
          tls_domain = "ya.ru"
          mask = true
          tls_emulation = true
          tls_front_dir = "tlsfront"
          [access.users]
          user = "{{ .secret }}"
  data:
    - secretKey: secret
      sourceRef:
        storeRef:
          name: vaultwarden-login
          kind: ClusterSecretStore
      remoteRef:
        key: 58a37daf-72d8-430d-86bd-6152aa8f888d
        property: fields[0].value
--- a/k8s/apps/mtproxy/telemt-service.yaml
+++ b/k8s/apps/mtproxy/telemt-service.yaml
@@ -1,17 +0,0 @@
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: telemt-metrics
  labels:
    app: telemt
 spec:
  type: ClusterIP
  clusterIP: None
  selector:
    app: telemt
  ports:
    - port: 9090
      targetPort: 9090
      protocol: TCP
      name: metrics
--- a/k8s/apps/mtproxy/telemt-servicemonitor.yaml
+++ b/k8s/apps/mtproxy/telemt-servicemonitor.yaml
@@ -1,24 +0,0 @@
 ---
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: telemt-metrics
  labels:
    app: telemt
    release: prometheus
 spec:
  selector:
    matchLabels:
      app: telemt
  endpoints:
    - port: metrics
      path: /metrics
      interval: 30s
      scrapeTimeout: 10s
      honorLabels: true
      relabelings:
        - sourceLabels: [__meta_kubernetes_pod_node_name]
          targetLabel: node
  namespaceSelector:
    matchNames:
      - mtproxy
--- a/k8s/core/authentik/kustomization.yaml
+++ b/k8s/core/authentik/kustomization.yaml
@@ -5,7 +5,6 @@ resources:
  - app.yaml
  - external-secrets.yaml
  - https-middleware.yaml
  - outpost-selector-fix.yaml
 # - worker-restart.yaml
 helmCharts:
--- a/k8s/core/authentik/outpost-selector-fix.yaml
+++ b/k8s/core/authentik/outpost-selector-fix.yaml
@@ -1,81 +0,0 @@
 ## Workaround for authentik bug: embedded outpost controller creates
 ## a Service with selectors that don't match the pod labels it sets.
 ## Remove this after upgrading to a version with the fix.
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: outpost-selector-fix
  namespace: authentik
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: outpost-selector-fix
  namespace: authentik
 rules:
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get", "patch"]
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["get"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: outpost-selector-fix
  namespace: authentik
 subjects:
  - kind: ServiceAccount
    name: outpost-selector-fix
    namespace: authentik
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: outpost-selector-fix
 ---
 apiVersion: batch/v1
 kind: CronJob
 metadata:
  name: outpost-selector-fix
  namespace: authentik
 spec:
  schedule: "* * * * *"
  successfulJobsHistoryLimit: 1
  failedJobsHistoryLimit: 3
  concurrencyPolicy: Replace
  jobTemplate:
    spec:
      ttlSecondsAfterFinished: 300
      template:
        spec:
          serviceAccountName: outpost-selector-fix
          restartPolicy: OnFailure
          containers:
            - name: fix
              image: bitnami/kubectl:latest
              command:
                - /bin/sh
                - -c
                - |
                  SVC="ak-outpost-authentik-embedded-outpost"
                  # check if endpoints are populated
                  ADDRS=$(kubectl get endpoints "$SVC" -n authentik -o jsonpath='{.subsets[*].addresses[*].ip}' 2>/dev/null)
                  if [ -n "$ADDRS" ]; then
                    echo "Endpoints OK ($ADDRS), nothing to fix"
                    exit 0
                  fi
                  echo "No endpoints for $SVC, patching selector..."
                  kubectl patch svc "$SVC" -n authentik --type=json -p '[
                    {"op":"remove","path":"/spec/selector/app.kubernetes.io~1component"},
                    {"op":"replace","path":"/spec/selector/app.kubernetes.io~1name","value":"authentik-outpost-proxy"}
                  ]'
                  echo "Patched. Verifying..."
                  sleep 2
                  ADDRS=$(kubectl get endpoints "$SVC" -n authentik -o jsonpath='{.subsets[*].addresses[*].ip}' 2>/dev/null)
                  if [ -n "$ADDRS" ]; then
                    echo "Fix confirmed, endpoints: $ADDRS"
                  else
                    echo "WARNING: still no endpoints after patch"
                    exit 1
                  fi
--- a/k8s/core/postgresql/external-secrets.yaml
+++ b/k8s/core/postgresql/external-secrets.yaml
@@ -131,10 +131,6 @@ spec:
          {{ .synapse }}
        USER_mas: |-
          {{ .mas }}
        USER_furumi: |-
          {{ .furumi }}
        USER_furumi_dev: |-
          {{ .furumi_dev }}
  data:
    - secretKey: authentik
      sourceRef:
@@ -301,26 +297,4 @@ spec:
        metadataPolicy: None
        key: 2a9deb39-ef22-433e-a1be-df1555625e22
        property: fields[15].value
    - secretKey: furumi
      sourceRef:
        storeRef:
          name: vaultwarden-login
          kind: ClusterSecretStore
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        metadataPolicy: None
        key: 2a9deb39-ef22-433e-a1be-df1555625e22
        property: fields[16].value
    - secretKey: furumi_dev
      sourceRef:
        storeRef:
          name: vaultwarden-login
          kind: ClusterSecretStore
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        metadataPolicy: None
        key: 2a9deb39-ef22-433e-a1be-df1555625e22
        property: fields[17].value
--- a/k8s/core/prom-stack/kustomization.yaml
+++ b/k8s/core/prom-stack/kustomization.yaml
@@ -7,7 +7,6 @@ resources:
  - grafana-alerting-configmap.yaml
  - alertmanager-config.yaml
  - furumi-dashboard-cm.yaml
  - telemt-dashboard-cm.yaml
 helmCharts:
  - name: kube-prometheus-stack
--- a/k8s/core/prom-stack/telemt-dashboard-cm.yaml
+++ b/k8s/core/prom-stack/telemt-dashboard-cm.yaml
@@ -1,409 +0,0 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: telemt-dashboard
  labels:
    grafana_dashboard: "1"
 data:
  telemt.json: |-
    {
      "annotations": { "list": [] },
      "editable": true,
      "fiscalYearStartMonth": 0,
      "graphTooltip": 1,
      "id": null,
      "links": [],
      "liveNow": false,
      "panels": [
        {
          "title": "Nodes Overview",
          "type": "table",
          "gridPos": { "h": 8, "w": 24, "x": 0, "y": 0 },
          "id": 1,
          "fieldConfig": {
            "defaults": {
              "custom": {
                "align": "auto",
                "cellOptions": { "type": "auto" },
                "inspect": false
              },
              "thresholds": {
                "mode": "absolute",
                "steps": [
                  { "color": "green", "value": null }
                ]
              }
            },
            "overrides": [
              {
                "matcher": { "id": "byName", "options": "Uptime" },
                "properties": [
                  { "id": "unit", "value": "dtdurations" },
                  { "id": "custom.width", "value": 140 }
                ]
              },
              {
                "matcher": { "id": "byName", "options": "Bad Conn" },
                "properties": [
                  { "id": "thresholds", "value": { "mode": "absolute", "steps": [{ "color": "green", "value": null }, { "color": "yellow", "value": 10 }, { "color": "red", "value": 100 }] } },
                  { "id": "custom.cellOptions", "value": { "type": "color-background", "mode": "basic" } }
                ]
              },
              {
                "matcher": { "id": "byName", "options": "Writers" },
                "properties": [
                  { "id": "thresholds", "value": { "mode": "absolute", "steps": [{ "color": "red", "value": null }, { "color": "green", "value": 1 }] } },
                  { "id": "custom.cellOptions", "value": { "type": "color-background", "mode": "basic" } }
                ]
              }
            ]
          },
          "options": {
            "showHeader": true,
            "sortBy": [{ "displayName": "Node", "desc": false }],
            "frameIndex": 0,
            "footer": { "show": false }
          },
          "transformations": [
            {
              "id": "joinByField",
              "options": { "byField": "node", "mode": "outer" }
            },
            {
              "id": "filterFieldsByName",
              "options": {
                "include": { "pattern": "^(node|Value.*)$" }
              }
            },
            {
              "id": "organize",
              "options": {
                "renameByName": {
                  "node": "Node",
                  "Value #uptime": "Uptime",
                  "Value #writers": "Writers",
                  "Value #buffers": "Buffers In Use",
                  "Value #connections": "Connections",
                  "Value #bad": "Bad Conn",
                  "Value #hs_timeout": "HS Timeouts"
                }
              }
            }
          ],
          "targets": [
            {
              "expr": "telemt_uptime_seconds{node=~\"$node\"}",
              "legendFormat": "",
              "refId": "uptime",
              "format": "table",
              "instant": true
            },
            {
              "expr": "telemt_me_writers_active_current{node=~\"$node\"}",
              "legendFormat": "",
              "refId": "writers",
              "format": "table",
              "instant": true
            },
            {
              "expr": "telemt_buffer_pool_buffers_total{node=~\"$node\", kind=\"in_use\"}",
              "legendFormat": "",
              "refId": "buffers",
              "format": "table",
              "instant": true
            },
            {
              "expr": "telemt_connections_total{node=~\"$node\"}",
              "legendFormat": "",
              "refId": "connections",
              "format": "table",
              "instant": true
            },
            {
              "expr": "telemt_connections_bad_total{node=~\"$node\"}",
              "legendFormat": "",
              "refId": "bad",
              "format": "table",
              "instant": true
            },
            {
              "expr": "telemt_handshake_timeouts_total{node=~\"$node\"}",
              "legendFormat": "",
              "refId": "hs_timeout",
              "format": "table",
              "instant": true
            }
          ],
          "datasource": { "type": "prometheus", "uid": "${datasource}" }
        },
        {
          "title": "Connections Rate",
          "type": "timeseries",
          "gridPos": { "h": 8, "w": 12, "x": 0, "y": 8 },
          "id": 10,
          "fieldConfig": {
            "defaults": {
              "custom": { "drawStyle": "line", "lineInterpolation": "smooth", "fillOpacity": 15, "pointSize": 5, "showPoints": "auto" },
              "unit": "cps",
              "thresholds": { "mode": "absolute", "steps": [{ "color": "green", "value": null }] }
            },
            "overrides": []
          },
          "options": {
            "tooltip": { "mode": "multi", "sort": "desc" },
            "legend": { "displayMode": "list", "placement": "bottom" }
          },
          "targets": [
            { "expr": "rate(telemt_connections_total{node=~\"$node\"}[5m])", "legendFormat": "{{node}} accepted", "refId": "A" },
            { "expr": "rate(telemt_connections_bad_total{node=~\"$node\"}[5m])", "legendFormat": "{{node}} bad", "refId": "B" },
            { "expr": "rate(telemt_handshake_timeouts_total{node=~\"$node\"}[5m])", "legendFormat": "{{node}} hs timeout", "refId": "C" }
          ],
          "datasource": { "type": "prometheus", "uid": "${datasource}" }
        },
        {
          "title": "Upstream Connect",
          "type": "timeseries",
          "gridPos": { "h": 8, "w": 12, "x": 12, "y": 8 },
          "id": 11,
          "fieldConfig": {
            "defaults": {
              "custom": { "drawStyle": "line", "lineInterpolation": "smooth", "fillOpacity": 15, "pointSize": 5, "showPoints": "auto" },
              "unit": "cps",
              "thresholds": { "mode": "absolute", "steps": [{ "color": "green", "value": null }] }
            },
            "overrides": []
          },
          "options": {
            "tooltip": { "mode": "multi", "sort": "desc" },
            "legend": { "displayMode": "list", "placement": "bottom" }
          },
          "targets": [
            { "expr": "rate(telemt_upstream_connect_success_total{node=~\"$node\"}[5m])", "legendFormat": "{{node}} success", "refId": "A" },
            { "expr": "rate(telemt_upstream_connect_fail_total{node=~\"$node\"}[5m])", "legendFormat": "{{node}} fail", "refId": "B" }
          ],
          "datasource": { "type": "prometheus", "uid": "${datasource}" }
        },
        {
          "title": "Upstream Connect Duration (success)",
          "type": "timeseries",
          "gridPos": { "h": 8, "w": 12, "x": 0, "y": 16 },
          "id": 12,
          "fieldConfig": {
            "defaults": {
              "custom": { "drawStyle": "bars", "fillOpacity": 50, "stacking": { "mode": "normal" } },
              "unit": "short",
              "thresholds": { "mode": "absolute", "steps": [{ "color": "green", "value": null }] }
            },
            "overrides": []
          },
          "options": {
            "tooltip": { "mode": "multi", "sort": "desc" },
            "legend": { "displayMode": "list", "placement": "bottom" }
          },
          "targets": [
            { "expr": "increase(telemt_upstream_connect_duration_success_total{node=~\"$node\"}[5m])", "legendFormat": "{{node}} {{bucket}}", "refId": "A" }
          ],
          "datasource": { "type": "prometheus", "uid": "${datasource}" }
        },
        {
          "title": "ME Writers & Pool",
          "type": "timeseries",
          "gridPos": { "h": 8, "w": 12, "x": 12, "y": 16 },
          "id": 13,
          "fieldConfig": {
            "defaults": {
              "custom": { "drawStyle": "line", "lineInterpolation": "smooth", "fillOpacity": 15, "pointSize": 5, "showPoints": "auto" },
              "thresholds": { "mode": "absolute", "steps": [{ "color": "green", "value": null }] }
            },
            "overrides": []
          },
          "options": {
            "tooltip": { "mode": "multi", "sort": "desc" },
            "legend": { "displayMode": "list", "placement": "bottom" }
          },
          "targets": [
            { "expr": "telemt_me_writers_active_current{node=~\"$node\"}", "legendFormat": "{{node}} active", "refId": "A" },
            { "expr": "telemt_me_writers_warm_current{node=~\"$node\"}", "legendFormat": "{{node}} warm", "refId": "B" },
            { "expr": "telemt_pool_drain_active{node=~\"$node\"}", "legendFormat": "{{node}} draining", "refId": "C" }
          ],
          "datasource": { "type": "prometheus", "uid": "${datasource}" }
        },
        {
          "title": "Per-User Active Connections",
          "type": "timeseries",
          "gridPos": { "h": 8, "w": 12, "x": 0, "y": 24 },
          "id": 20,
          "fieldConfig": {
            "defaults": {
              "custom": { "drawStyle": "line", "lineInterpolation": "smooth", "fillOpacity": 15, "pointSize": 5, "showPoints": "auto" },
              "thresholds": { "mode": "absolute", "steps": [{ "color": "green", "value": null }] }
            },
            "overrides": []
          },
          "options": {
            "tooltip": { "mode": "multi", "sort": "desc" },
            "legend": { "displayMode": "list", "placement": "bottom" }
          },
          "targets": [
            { "expr": "telemt_user_connections_current{node=~\"$node\"}", "legendFormat": "{{node}} {{user}}", "refId": "A" }
          ],
          "datasource": { "type": "prometheus", "uid": "${datasource}" }
        },
        {
          "title": "Per-User Traffic",
          "type": "timeseries",
          "gridPos": { "h": 8, "w": 12, "x": 12, "y": 24 },
          "id": 21,
          "fieldConfig": {
            "defaults": {
              "custom": { "drawStyle": "line", "lineInterpolation": "smooth", "fillOpacity": 15, "pointSize": 5, "showPoints": "auto" },
              "unit": "Bps",
              "thresholds": { "mode": "absolute", "steps": [{ "color": "green", "value": null }] }
            },
            "overrides": []
          },
          "options": {
            "tooltip": { "mode": "multi", "sort": "desc" },
            "legend": { "displayMode": "list", "placement": "bottom" }
          },
          "targets": [
            { "expr": "rate(telemt_user_octets_from_client{node=~\"$node\"}[5m])", "legendFormat": "{{node}} {{user}} rx", "refId": "A" },
            { "expr": "rate(telemt_user_octets_to_client{node=~\"$node\"}[5m])", "legendFormat": "{{node}} {{user}} tx", "refId": "B" }
          ],
          "datasource": { "type": "prometheus", "uid": "${datasource}" }
        },
        {
          "title": "DC->Client Payload",
          "type": "timeseries",
          "gridPos": { "h": 8, "w": 12, "x": 0, "y": 32 },
          "id": 30,
          "fieldConfig": {
            "defaults": {
              "custom": { "drawStyle": "line", "lineInterpolation": "smooth", "fillOpacity": 15, "pointSize": 5, "showPoints": "auto" },
              "unit": "Bps",
              "thresholds": { "mode": "absolute", "steps": [{ "color": "green", "value": null }] }
            },
            "overrides": []
          },
          "options": {
            "tooltip": { "mode": "multi", "sort": "desc" },
            "legend": { "displayMode": "list", "placement": "bottom" }
          },
          "targets": [
            { "expr": "rate(telemt_me_d2c_payload_bytes_total{node=~\"$node\"}[5m])", "legendFormat": "{{node}} payload", "refId": "A" }
          ],
          "datasource": { "type": "prometheus", "uid": "${datasource}" }
        },
        {
          "title": "ME Errors & Anomalies",
          "type": "timeseries",
          "gridPos": { "h": 8, "w": 12, "x": 12, "y": 32 },
          "id": 31,
          "fieldConfig": {
            "defaults": {
              "custom": { "drawStyle": "line", "lineInterpolation": "smooth", "fillOpacity": 15, "pointSize": 5, "showPoints": "auto" },
              "unit": "cps",
              "thresholds": { "mode": "absolute", "steps": [{ "color": "green", "value": null }] }
            },
            "overrides": []
          },
          "options": {
            "tooltip": { "mode": "multi", "sort": "desc" },
            "legend": { "displayMode": "list", "placement": "bottom" }
          },
          "targets": [
            { "expr": "rate(telemt_me_reconnect_attempts_total{node=~\"$node\"}[5m])", "legendFormat": "{{node}} reconnect", "refId": "A" },
            { "expr": "rate(telemt_me_handshake_reject_total{node=~\"$node\"}[5m])", "legendFormat": "{{node}} hs reject", "refId": "B" },
            { "expr": "rate(telemt_me_crc_mismatch_total{node=~\"$node\"}[5m])", "legendFormat": "{{node}} crc mismatch", "refId": "C" },
            { "expr": "rate(telemt_desync_total{node=~\"$node\"}[5m])", "legendFormat": "{{node}} desync", "refId": "D" }
          ],
          "datasource": { "type": "prometheus", "uid": "${datasource}" }
        },
        {
          "title": "Per-User Unique IPs",
          "type": "timeseries",
          "gridPos": { "h": 8, "w": 12, "x": 0, "y": 40 },
          "id": 40,
          "fieldConfig": {
            "defaults": {
              "custom": { "drawStyle": "line", "lineInterpolation": "smooth", "fillOpacity": 15, "pointSize": 5, "showPoints": "auto" },
              "thresholds": { "mode": "absolute", "steps": [{ "color": "green", "value": null }] }
            },
            "overrides": []
          },
          "options": {
            "tooltip": { "mode": "multi", "sort": "desc" },
            "legend": { "displayMode": "list", "placement": "bottom" }
          },
          "targets": [
            { "expr": "telemt_user_unique_ips_current{node=~\"$node\"}", "legendFormat": "{{node}} {{user}} active", "refId": "A" },
            { "expr": "telemt_user_unique_ips_recent_window{node=~\"$node\"}", "legendFormat": "{{node}} {{user}} recent", "refId": "B" }
          ],
          "datasource": { "type": "prometheus", "uid": "${datasource}" }
        },
        {
          "title": "Conntrack",
          "type": "timeseries",
          "gridPos": { "h": 8, "w": 12, "x": 12, "y": 40 },
          "id": 41,
          "fieldConfig": {
            "defaults": {
              "custom": { "drawStyle": "line", "lineInterpolation": "smooth", "fillOpacity": 15, "pointSize": 5, "showPoints": "auto" },
              "unit": "cps",
              "thresholds": { "mode": "absolute", "steps": [{ "color": "green", "value": null }] }
            },
            "overrides": []
          },
          "options": {
            "tooltip": { "mode": "multi", "sort": "desc" },
            "legend": { "displayMode": "list", "placement": "bottom" }
          },
          "targets": [
            { "expr": "rate(telemt_conntrack_delete_total{node=~\"$node\", result=\"attempt\"}[5m])", "legendFormat": "{{node}} delete attempt", "refId": "A" },
            { "expr": "rate(telemt_conntrack_delete_total{node=~\"$node\", result=\"error\"}[5m])", "legendFormat": "{{node}} delete error", "refId": "B" },
            { "expr": "telemt_conntrack_event_queue_depth{node=~\"$node\"}", "legendFormat": "{{node}} queue depth", "refId": "C" }
          ],
          "datasource": { "type": "prometheus", "uid": "${datasource}" }
        }
      ],
      "refresh": "30s",
      "schemaVersion": 39,
      "tags": ["telemt", "mtproxy", "telegram"],
      "templating": {
        "list": [
          {
            "current": {},
            "hide": 0,
            "includeAll": false,
            "label": "Datasource",
            "multi": false,
            "name": "datasource",
            "options": [],
            "query": "prometheus",
            "refresh": 1,
            "regex": "",
            "skipUrlSync": false,
            "type": "datasource"
          },
          {
            "current": {},
            "datasource": { "type": "prometheus", "uid": "${datasource}" },
            "definition": "label_values(telemt_uptime_seconds, node)",
            "hide": 0,
            "includeAll": true,
            "label": "Node",
            "multi": true,
            "name": "node",
            "query": "label_values(telemt_uptime_seconds, node)",
            "refresh": 2,
            "regex": "",
            "skipUrlSync": false,
            "sort": 1,
            "type": "query"
          }
        ]
      },
      "time": { "from": "now-6h", "to": "now" },
      "title": "Telemt MTProxy",
      "uid": "telemt-mtproxy"
    }
--- a/terraform/authentik/main.tf
+++ b/terraform/authentik/main.tf
@@ -292,60 +292,7 @@ resource "authentik_outpost" "outposts" {
    authentik_host_browser         = ""
    object_naming_template         = "ak-outpost-%(name)s"
    authentik_host_insecure        = false
-    kubernetes_json_patches = {
+    kubernetes_json_patches        = null
      deployment = [
        {
          op   = "add"
          path = "/spec/template/spec/containers/0/env/-"
          value = {
            name  = "AUTHENTIK_POSTGRESQL__HOST"
            value = "psql.psql.svc"
          }
        },
        {
          op   = "add"
          path = "/spec/template/spec/containers/0/env/-"
          value = {
            name  = "AUTHENTIK_POSTGRESQL__PORT"
            value = "5432"
          }
        },
        {
          op   = "add"
          path = "/spec/template/spec/containers/0/env/-"
          value = {
            name  = "AUTHENTIK_POSTGRESQL__NAME"
            value = "authentik"
          }
        },
        {
          op   = "add"
          path = "/spec/template/spec/containers/0/env/-"
          value = {
            name = "AUTHENTIK_POSTGRESQL__USER"
            valueFrom = {
              secretKeyRef = {
                name = "authentik-creds"
                key  = "AUTHENTIK_POSTGRESQL__USER"
              }
            }
          }
        },
        {
          op   = "add"
          path = "/spec/template/spec/containers/0/env/-"
          value = {
            name = "AUTHENTIK_POSTGRESQL__PASSWORD"
            valueFrom = {
              secretKeyRef = {
                name = "authentik-creds"
                key  = "AUTHENTIK_POSTGRESQL__PASSWORD"
              }
            }
          }
        }
      ]
    }
    kubernetes_service_type        = "ClusterIP"
    kubernetes_image_pull_secrets  = []
    kubernetes_ingress_class_name  = null
--- a/terraform/authentik/oauth2-apps.auto.tfvars
+++ b/terraform/authentik/oauth2-apps.auto.tfvars
@@ -225,7 +225,7 @@ oauth_applications = {
    refresh_token_validity     = "days=30"
    scope_mappings             = ["openid", "profile", "email"]
    access_groups              = []
-    create_group               = true
+    create_group               = false
    signing_key                = "1b1b5bec-034a-4d96-871a-133f11322360"
  }
 }
--- a/terraform/authentik/proxy-apps.auto.tfvars
+++ b/terraform/authentik/proxy-apps.auto.tfvars
@@ -151,7 +151,7 @@ EOT
    meta_icon                    = "https://img.icons8.com/liquid-glass/48/key.png"
    mode                         = "proxy"
    outpost                      = "kubernetes-outpost"
-    access_groups                = ["admins", "khm"]
+    access_groups                = ["admins", "khm"] # Используем существующие группы
    create_group                 = true
    access_groups                = ["admins"]
  }
@@ -191,20 +191,5 @@ EOT
    create_group                 = true
    access_groups                = ["admins"]
  }
  "ollama-public" = {
    name                         = "Ollama Public"
    slug                         = "ollama-public"
    group                        = "AI"
    external_host                = "https://ollama.hexor.cy"
    internal_host                = "http://ollama.ollama.svc:11434"
    internal_host_ssl_validation = false
    meta_description             = ""
    meta_icon                    = "https://img.icons8.com/external-icongeek26-outline-icongeek26/64/external-llama-animal-head-icongeek26-outline-icongeek26.png"
    mode                         = "proxy"
    outpost                      = "kubernetes-outpost"
    intercept_header_auth        = true
    create_group                 = true
    access_groups                = ["admins"]
  }
 }