Auto-update README with current k8s applications

Generated by CI/CD workflow on 2026-05-04 16:08:54

This PR updates the README.md file with the current list of applications found in the k8s/ directory structure.

README.md

@@ -17,6 +17,7 @@ ArgoCD homelab project
 | **cert-manager** | [![cert-manager](https://ag.hexor.cy/api/badge?name=cert-manager&revision=true)](https://ag.hexor.cy/applications/argocd/cert-manager) |
 | **external-secrets** | [![external-secrets](https://ag.hexor.cy/api/badge?name=external-secrets&revision=true)](https://ag.hexor.cy/applications/argocd/external-secrets) |
 | **gpu** | [![gpu](https://ag.hexor.cy/api/badge?name=gpu&revision=true)](https://ag.hexor.cy/applications/argocd/gpu) |
+| **kanidm** | [![kanidm](https://ag.hexor.cy/api/badge?name=kanidm&revision=true)](https://ag.hexor.cy/applications/argocd/kanidm) |
 | **kube-system-custom** | [![kube-system-custom](https://ag.hexor.cy/api/badge?name=kube-system-custom&revision=true)](https://ag.hexor.cy/applications/argocd/kube-system-custom) |
 | **kubernetes-dashboard** | [![kubernetes-dashboard](https://ag.hexor.cy/api/badge?name=kubernetes-dashboard&revision=true)](https://ag.hexor.cy/applications/argocd/kubernetes-dashboard) |
 | **longhorn** | [![longhorn](https://ag.hexor.cy/api/badge?name=longhorn&revision=true)](https://ag.hexor.cy/applications/argocd/longhorn) |
@@ -62,9 +63,12 @@ ArgoCD homelab project
 | **sonarr-stack** | [![sonarr-stack](https://ag.hexor.cy/api/badge?name=sonarr-stack&revision=true)](https://ag.hexor.cy/applications/argocd/sonarr-stack) |
 | **stirling-pdf** | [![stirling-pdf](https://ag.hexor.cy/api/badge?name=stirling-pdf&revision=true)](https://ag.hexor.cy/applications/argocd/stirling-pdf) |
 | **syncthing** | [![syncthing](https://ag.hexor.cy/api/badge?name=syncthing&revision=true)](https://ag.hexor.cy/applications/argocd/syncthing) |
+| **teamspeak** | [![teamspeak](https://ag.hexor.cy/api/badge?name=teamspeak&revision=true)](https://ag.hexor.cy/applications/argocd/teamspeak) |
 | **tg-bots** | [![tg-bots](https://ag.hexor.cy/api/badge?name=tg-bots&revision=true)](https://ag.hexor.cy/applications/argocd/tg-bots) |
 | **vaultwarden** | [![vaultwarden](https://ag.hexor.cy/api/badge?name=vaultwarden&revision=true)](https://ag.hexor.cy/applications/argocd/vaultwarden) |
 | **vpn** | [![vpn](https://ag.hexor.cy/api/badge?name=vpn&revision=true)](https://ag.hexor.cy/applications/argocd/vpn) |
+| **web-petting** | [![web-petting](https://ag.hexor.cy/api/badge?name=web-petting&revision=true)](https://ag.hexor.cy/applications/argocd/web-petting) |
+| **wedding** | [![wedding](https://ag.hexor.cy/api/badge?name=wedding&revision=true)](https://ag.hexor.cy/applications/argocd/wedding) |
 | **xandikos** | [![xandikos](https://ag.hexor.cy/api/badge?name=xandikos&revision=true)](https://ag.hexor.cy/applications/argocd/xandikos) |
 
 </td>

k8s/apps/matrix/matrix-stack-values.yaml

@@ -26,9 +26,9 @@ matrixRTC:
     host: livekit.matrix.hexor.cy
   sfu:
     enabled: true
-    manualIP: "138.201.61.182"
+    manualIP: "78.24.180.234"
     nodeSelector:
-      kubernetes.io/hostname: master.tail2fe2d.ts.net
+      kubernetes.io/hostname: spb.tail2fe2d.ts.net
     exposedServices:
       rtcTcp:
         enabled: true
@@ -45,6 +45,14 @@ matrixRTC:
 ## Synapse homeserver
 synapse:
   enabled: true
+  additional:
+    0-search-config:
+      config: |
+        user_directory:
+          enabled: true
+          search_all_users: true
+          prefer_local_users: true
+        enable_room_list_search: true
   ingress:
     host: synapse.matrix.hexor.cy
   postgres:
@@ -56,12 +64,12 @@ synapse:
     password:
       secret: matrix-postgres-creds
       secretKey: synapse_db_password
+  nodeSelector:
+    kubernetes.io/hostname: master.tail2fe2d.ts.net
   media:
     storage:
       size: 20Gi
     maxUploadSize: 100M
-    nodeSelector:
-      kubernetes.io/hostname: master.tail2fe2d.ts.net
 
 ## Matrix Authentication Service
 matrixAuthenticationService:
@@ -88,8 +96,8 @@ matrixAuthenticationService:
     1-oidc:
       configSecret: matrix-oidc-config
       configSecretKey: mas-oidc.yaml
-    nodeSelector:
-      kubernetes.io/hostname: master.tail2fe2d.ts.net
+  nodeSelector:
+    kubernetes.io/hostname: master.tail2fe2d.ts.net
 
 ## Element Web client
 elementWeb:

k8s/apps/pasarguard/daemonset.yaml

@@ -1,71 +1,5 @@
 ---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: pasarguard-node
-  labels:
-    app: pasarguard-node
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: pasarguard-node-configmap
-  labels:
-    app: pasarguard-node
-rules:
-  - apiGroups: [""]
-    resources: ["configmaps"]
-    verbs: ["get", "list", "create", "update", "patch"]
-  - apiGroups: ["cert-manager.io"]
-    resources: ["certificates"]
-    verbs: ["get", "list", "create", "update", "patch", "delete"]
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["get", "list"]
-  - apiGroups: [""]
-    resources: ["services", "endpoints"]
-    verbs: ["get", "list", "create", "update", "patch", "delete"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: pasarguard-node-configmap
-  labels:
-    app: pasarguard-node
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: pasarguard-node-configmap
-subjects:
-  - kind: ServiceAccount
-    name: pasarguard-node
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: pasarguard-node-reader
-  labels:
-    app: pasarguard-node
-rules:
-  - apiGroups: [""]
-    resources: ["nodes"]
-    verbs: ["get", "list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: pasarguard-node-reader
-  labels:
-    app: pasarguard-node
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: pasarguard-node-reader
-subjects:
-  - kind: ServiceAccount
-    name: pasarguard-node
-    namespace: pasarguard
----
+image: &image 'pasarguard/node:v0.4.0'
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
@@ -113,7 +47,7 @@ spec:
               mountPath: /scripts
       containers:
         - name: pasarguard-node
-          image: 'pasarguard/node:v0.3.0'
+          image: *image
           imagePullPolicy: Always
           command:
             - /bin/sh
@@ -219,3 +153,71 @@ spec:
           configMap:
             name: pasarguard-scripts
             defaultMode: 0755
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: pasarguard-node
+  labels:
+    app: pasarguard-node
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: pasarguard-node-configmap
+  labels:
+    app: pasarguard-node
+rules:
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["get", "list", "create", "update", "patch"]
+  - apiGroups: ["cert-manager.io"]
+    resources: ["certificates"]
+    verbs: ["get", "list", "create", "update", "patch", "delete"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list"]
+  - apiGroups: [""]
+    resources: ["services", "endpoints"]
+    verbs: ["get", "list", "create", "update", "patch", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: pasarguard-node-configmap
+  labels:
+    app: pasarguard-node
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: pasarguard-node-configmap
+subjects:
+  - kind: ServiceAccount
+    name: pasarguard-node
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: pasarguard-node-reader
+  labels:
+    app: pasarguard-node
+rules:
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: pasarguard-node-reader
+  labels:
+    app: pasarguard-node
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: pasarguard-node-reader
+subjects:
+  - kind: ServiceAccount
+    name: pasarguard-node
+    namespace: pasarguard

k8s/apps/pasarguard/deployment.yaml

@@ -1,4 +1,5 @@
 ---
+image: &image 'pasarguard/panel:v3.1.0'
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -34,7 +35,7 @@ spec:
               mountPath: /templates/subscription
       containers:
         - name: pasarguard-web
-          image: 'pasarguard/panel:v3.0.1'
+          image: *image
           imagePullPolicy: Always
           envFrom:
             - secretRef:

k8s/apps/web-petting/deployment.yaml

@@ -25,6 +25,9 @@ spec:
         image: ultradesu/web-petting:0.1.0
         imagePullPolicy: Always
         args:
+#         - "tail"
+#         - "-F"
+#         - "/1"
           - "web-petting"
           - "-l"
           - "0.0.0.0:3000"
@@ -44,11 +47,3 @@ spec:
           limits:
             memory: "128Mi"
             cpu: "150m"
-        securityContext:
-          runAsNonRoot: true
-          runAsUser: 1000
-          allowPrivilegeEscalation: false
-          readOnlyRootFilesystem: true
-          capabilities:
-            drop:
-            - ALL

k8s/core/kanidm/app.yaml

@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: kanidm
+  namespace: argocd
+spec:
+  project: core
+  destination:
+    namespace: kanidm
+    server: https://kubernetes.default.svc
+  source:
+    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
+    targetRevision: HEAD
+    path: k8s/core/kanidm
+  syncPolicy:
+    automated:
+      selfHeal: true
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true

k8s/core/kanidm/certificate.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: kanidm-tls
+spec:
+  secretName: kanidm-tls
+  issuerRef:
+    name: letsencrypt
+    kind: ClusterIssuer
+  dnsNames:
+    - auth.hexor.cy

k8s/core/kanidm/configmap.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: kanidm-config
+data:
+  server.toml: |
+    bindaddress = "[::]:443"
+    db_path = "/data/kanidm.db"
+    tls_chain = "/certs/tls.crt"
+    tls_key = "/certs/tls.key"
+    domain = "auth.hexor.cy"
+    origin = "https://auth.hexor.cy"
+    log_level = "info"
+
+    [online_backup]
+    path = "/data/backups/"
+    schedule = "00 22 * * *"
+    versions = 7

k8s/core/kanidm/ingress.yaml

@@ -0,0 +1,26 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: kanidm
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
+    traefik.ingress.kubernetes.io/service.serversscheme: https
+    traefik.ingress.kubernetes.io/service.serverstransport: kanidm-kanidm-transport@kubernetescrd
+spec:
+  tls:
+    - hosts:
+        - auth.hexor.cy
+      secretName: kanidm-ingress-tls
+  rules:
+    - host: auth.hexor.cy
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: kanidm
+                port:
+                  number: 443

k8s/core/kanidm/kustomization.yaml

@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - app.yaml
+  - configmap.yaml
+  - certificate.yaml
+  - statefulset.yaml
+  - service.yaml
+  - ingress.yaml
+  - servers-transport.yaml

k8s/core/kanidm/servers-transport.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: ServersTransport
+metadata:
+  name: kanidm-transport
+spec:
+  insecureSkipVerify: true

k8s/core/kanidm/service.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: kanidm
+  labels:
+    app: kanidm
+spec:
+  ports:
+    - name: https
+      port: 443
+      targetPort: 443
+      protocol: TCP
+  selector:
+    app: kanidm

k8s/core/kanidm/statefulset.yaml

@@ -0,0 +1,86 @@
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: kanidm
+  labels:
+    app: kanidm
+spec:
+  serviceName: kanidm
+  replicas: 1
+  selector:
+    matchLabels:
+      app: kanidm
+  template:
+    metadata:
+      labels:
+        app: kanidm
+    spec:
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+      containers:
+        - name: kanidm
+          image: kanidm/server:1.9.3
+          ports:
+            - containerPort: 443
+              name: https
+              protocol: TCP
+          volumeMounts:
+            - name: kanidm-data
+              mountPath: /data
+            - name: kanidm-config
+              mountPath: /data/server.toml
+              subPath: server.toml
+              readOnly: true
+            - name: kanidm-tls
+              mountPath: /certs
+              readOnly: true
+          resources:
+            requests:
+              memory: "128Mi"
+              cpu: "100m"
+            limits:
+              memory: "512Mi"
+              cpu: "500m"
+          readinessProbe:
+            httpGet:
+              path: /status
+              port: 443
+              scheme: HTTPS
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          livenessProbe:
+            httpGet:
+              path: /status
+              port: 443
+              scheme: HTTPS
+            initialDelaySeconds: 15
+            periodSeconds: 30
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: false
+            runAsUser: 1000
+            runAsGroup: 1000
+      volumes:
+        - name: kanidm-config
+          configMap:
+            name: kanidm-config
+        - name: kanidm-tls
+          secret:
+            secretName: kanidm-tls
+      nodeSelector:
+        kubernetes.io/hostname: master.tail2fe2d.ts.net
+      tolerations:
+        - key: node-role.kubernetes.io/master
+          effect: NoSchedule
+  volumeClaimTemplates:
+    - metadata:
+        name: kanidm-data
+      spec:
+        accessModes: ["ReadWriteOnce"]
+        storageClassName: longhorn
+        resources:
+          requests:
+            storage: 1Gi