Auto-update README with current k8s applications

Generated by CI/CD workflow on 2026-05-05 17:37:47

This PR updates the README.md file with the current list of applications found in the k8s/ directory structure.

README.md

@@ -13,10 +13,13 @@ ArgoCD homelab project
 | Application | Status |
 | :--- | :---: |
 | **argocd** | [![argocd](https://ag.hexor.cy/api/badge?name=argocd&revision=true)](https://ag.hexor.cy/applications/argocd/argocd) |
+| **auth-proxy** | [![auth-proxy](https://ag.hexor.cy/api/badge?name=auth-proxy&revision=true)](https://ag.hexor.cy/applications/argocd/auth-proxy) |
 | **authentik** | [![authentik](https://ag.hexor.cy/api/badge?name=authentik&revision=true)](https://ag.hexor.cy/applications/argocd/authentik) |
 | **cert-manager** | [![cert-manager](https://ag.hexor.cy/api/badge?name=cert-manager&revision=true)](https://ag.hexor.cy/applications/argocd/cert-manager) |
 | **external-secrets** | [![external-secrets](https://ag.hexor.cy/api/badge?name=external-secrets&revision=true)](https://ag.hexor.cy/applications/argocd/external-secrets) |
 | **gpu** | [![gpu](https://ag.hexor.cy/api/badge?name=gpu&revision=true)](https://ag.hexor.cy/applications/argocd/gpu) |
+| **kanidm** | [![kanidm](https://ag.hexor.cy/api/badge?name=kanidm&revision=true)](https://ag.hexor.cy/applications/argocd/kanidm) |
+| **keycloak** | [![keycloak](https://ag.hexor.cy/api/badge?name=keycloak&revision=true)](https://ag.hexor.cy/applications/argocd/keycloak) |
 | **kube-system-custom** | [![kube-system-custom](https://ag.hexor.cy/api/badge?name=kube-system-custom&revision=true)](https://ag.hexor.cy/applications/argocd/kube-system-custom) |
 | **kubernetes-dashboard** | [![kubernetes-dashboard](https://ag.hexor.cy/api/badge?name=kubernetes-dashboard&revision=true)](https://ag.hexor.cy/applications/argocd/kubernetes-dashboard) |
 | **longhorn** | [![longhorn](https://ag.hexor.cy/api/badge?name=longhorn&revision=true)](https://ag.hexor.cy/applications/argocd/longhorn) |

k8s/apps/gitea/deployment.yaml

@@ -70,7 +70,7 @@ kind: Deployment
 metadata:
   name: gitea-runner
 spec:
-  replicas: 1
+  replicas: 2
   selector:
     matchLabels:
       app: gitea-runner
@@ -79,11 +79,19 @@ spec:
       labels:
         app: gitea-runner
     spec:
+      dnsConfig:
+        options:
+          - name: ndots
+            value: "2"
       tolerations:
         - key: workload
           operator: Equal
           value: desktop
           effect: NoSchedule
+        - key: workload
+          operator: Equal
+          value: ai
+          effect: NoSchedule
       volumes:
         - name: docker-sock
           hostPath:
@@ -93,6 +101,12 @@ spec:
           emptyDir:
             sizeLimit: 30Gi
       affinity:
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            - labelSelector:
+                matchLabels:
+                  app: gitea-runner
+              topologyKey: kubernetes.io/hostname
         nodeAffinity:
           preferredDuringSchedulingIgnoredDuringExecution:
           - weight: 100
@@ -102,6 +116,7 @@ spec:
                 operator: In
                 values:
                 - uk-desktop.tail2fe2d.ts.net
+                - ai.tail2fe2d.ts.net
           - weight: 50
             preference:
               matchExpressions:
@@ -109,22 +124,7 @@ spec:
                 operator: In
                 values:
                 - home.homenet
-          - weight: 30
-            preference:
-              matchExpressions:
-              - key: kubernetes.io/hostname
-                operator: In
-                values:
-                - master.tail2fe2d.ts.net
-          - weight: 10
-            preference:
-              matchExpressions:
-              - key: kubernetes.io/hostname
-                operator: In
-                values:
                 - it.tail2fe2d.ts.net
-                - ch.tail2fe2d.ts.net
-                - us.tail2fe2d.ts.net
       containers:
         - name: gitea-runner
           image: gitea/act_runner:nightly
@@ -144,13 +144,18 @@ spec:
               mountPath: /data
           env:
             - name: GITEA_INSTANCE_URL
+              #value: "http://gitea.gitea.svc.cluster.local"
               value: "https://gt.hexor.cy"
             - name: GITEA_RUNNER_REGISTRATION_TOKEN
               valueFrom:
                 secretKeyRef:
                   name: gitea-runner-act-runner-secrets
                   key: token
+            - name: NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
             - name: GITEA_RUNNER_NAME
-              value: "k8s-runner"
+              value: "$(NODE_NAME)"
             - name: GITEA_RUNNER_LABELS
               value: "ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest,ubuntu-22.04:docker://ghcr.io/catthehacker/ubuntu:act-22.04,ubuntu-20.04:docker://ghcr.io/catthehacker/ubuntu:act-20.04"

k8s/apps/k8s-secrets/ingress.yaml

@@ -0,0 +1,46 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: auth-proxy
+spec:
+  forwardAuth:
+    address: http://auth-proxy.auth-proxy.svc:80/auth
+    trustForwardHeader: true
+    authResponseHeaders:
+      - X-Auth-Request-User
+      - X-Auth-Request-Email
+      - X-Auth-Request-Groups
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: secret-reader
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`pass.hexor.cy`)
+      kind: Rule
+      middlewares:
+        - name: auth-proxy
+      services:
+        - name: secret-reader
+          port: 80
+  tls:
+    secretName: secret-reader-tls
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: secret-reader-tls
+spec:
+  secretName: secret-reader-tls
+  issuerRef:
+    name: letsencrypt
+    kind: ClusterIssuer
+  dnsNames:
+    - pass.hexor.cy
+

k8s/apps/mtproxy/kustomization.yaml

@@ -12,4 +12,5 @@ resources:
   - ./telemt-servicemonitor.yaml
   - ./service.yaml
   - ./secret-reader.yaml
+  - ./secret-reader-ingress.yaml
 # - ./storage.yaml

k8s/apps/mtproxy/secret-reader-ingress.yaml

@@ -0,0 +1,45 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: auth-proxy
+spec:
+  forwardAuth:
+    address: http://auth-proxy.auth-proxy.svc:80/auth
+    trustForwardHeader: true
+    authResponseHeaders:
+      - X-Auth-Request-User
+      - X-Auth-Request-Email
+      - X-Auth-Request-Groups
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: secret-reader
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`secret-reader.hexor.cy`)
+      kind: Rule
+      middlewares:
+        - name: auth-proxy
+      services:
+        - name: secret-reader
+          port: 80
+  tls:
+    secretName: secret-reader-tls
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: secret-reader-tls
+spec:
+  secretName: secret-reader-tls
+  issuerRef:
+    name: letsencrypt
+    kind: ClusterIssuer
+  dnsNames:
+    - secret-reader.hexor.cy

k8s/core/argocd/values.yaml

@@ -25,7 +25,7 @@ configs:
     timeout.reconciliation: 60s
     oidc.config: |
       name: Authentik
-      issuer: https://idm.hexor.cy/application/o/argocd/
+      issuer: https://auth.hexor.cy/auth/realms/hexor
       clientID: $oidc-creds:id
       clientSecret: $oidc-creds:secret
       requestedScopes: ["openid", "profile", "email", "groups", "offline_access"]
@@ -35,20 +35,19 @@ configs:
     create: true
     policy.default: ""
     policy.csv: |
-      # Bound OIDC Group and internal role
-      g, Game Servers Managers, GameServersManagersRole
-      # Role permissions
-      p, GameServersManagersRole, applications, get, games/*, allow
-      p, GameServersManagersRole, applications, update, games/*, allow
-      p, GameServersManagersRole, applications, sync, games/*, allow
-      p, GameServersManagersRole, applications, override, games/*, allow
-      p, GameServersManagersRole, applications, action/*, games/*, allow
-      p, GameServersManagersRole, exec, create, games/*, allow
-      p, GameServersManagersRole, logs, get, games/*, allow
-      p, GameServersManagersRole, applications, delete, games/*, deny
-
-      # Admin policy
-      g, ArgoCD Admins, role:admin
+        g, game-servers-managers, GameServersManagersRole
+        # Role permissions
+        p, GameServersManagersRole, applications, get, games/*, allow
+        p, GameServersManagersRole, applications, update, games/*, allow
+        p, GameServersManagersRole, applications, sync, games/*, allow
+        p, GameServersManagersRole, applications, override, games/*, allow
+        p, GameServersManagersRole, applications, action/*, games/*, allow
+        p, GameServersManagersRole, exec, create, games/*, allow
+        p, GameServersManagersRole, logs, get, games/*, allow
+        p, GameServersManagersRole, applications, delete, games/*, deny
+    
+        # Admin policy
+        g, argocd-admins, role:admin
 
   secret:
     createSecret: true

k8s/core/auth-proxy/app.yaml

@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: auth-proxy
+  namespace: argocd
+spec:
+  project: core
+  destination:
+    namespace: auth-proxy
+    server: https://kubernetes.default.svc
+  source:
+    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
+    targetRevision: HEAD
+    path: k8s/core/auth-proxy
+  syncPolicy:
+    automated:
+      selfHeal: true
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true

k8s/core/auth-proxy/deployment.yaml

@@ -0,0 +1,79 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: auth-proxy
+  labels:
+    app: auth-proxy
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: auth-proxy
+  template:
+    metadata:
+      labels:
+        app: auth-proxy
+    spec:
+      containers:
+        - name: auth-proxy
+          image: ultradesu/rsauth2-proxy:latest
+          ports:
+            - containerPort: 8080
+              name: http
+              protocol: TCP
+          envFrom:
+            - secretRef:
+                name: auth-proxy-creds
+          env:
+            - name: AUTH_PROXY_OIDC_ISSUER
+              value: "https://auth.hexor.cy/auth/realms/hexor"
+            - name: AUTH_PROXY_COOKIE_DOMAIN
+              value: ".hexor.cy"
+            - name: AUTH_PROXY_CALLBACK_URL
+              value: "https://oauth.hexor.cy/callback"
+            - name: AUTH_PROXY_ROUTES_FILE
+              value: "/config/routes.yaml"
+            - name: AUTH_PROXY_LOG_LEVEL
+              value: "debug"
+          volumeMounts:
+            - name: routes
+              mountPath: /config
+              readOnly: true
+          resources:
+            requests:
+              cpu: 50m
+              memory: 32Mi
+            limits:
+              cpu: 200m
+              memory: 64Mi
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: 8080
+            initialDelaySeconds: 3
+            periodSeconds: 10
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: 8080
+            initialDelaySeconds: 5
+            periodSeconds: 30
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 1000
+            runAsGroup: 1000
+            capabilities:
+              drop:
+                - ALL
+      volumes:
+        - name: routes
+          configMap:
+            name: auth-proxy-routes
+      nodeSelector:
+        kubernetes.io/hostname: master.tail2fe2d.ts.net
+      tolerations:
+        - key: node-role.kubernetes.io/master
+          effect: NoSchedule

k8s/core/auth-proxy/external-secrets.yaml

@@ -0,0 +1,40 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: auth-proxy-creds
+spec:
+  target:
+    name: auth-proxy-creds
+    deletionPolicy: Delete
+    template:
+      type: Opaque
+      data:
+        AUTH_PROXY_CLIENT_ID: rsauth2-proxy
+        AUTH_PROXY_CLIENT_SECRET: |-
+          {{ .client_secret }}
+        AUTH_PROXY_COOKIE_SECRET: |-
+          {{ .cookie_secret }}
+  data:
+    - secretKey: client_secret
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
+        key: e62e8c4d-d538-43b2-a682-9cdf2a5a1165
+        property: login.password
+    - secretKey: cookie_secret
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
+        key: e62e8c4d-d538-43b2-a682-9cdf2a5a1165
+        property: fields[0].value

k8s/core/auth-proxy/ingress.yaml

@@ -0,0 +1,28 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: auth-proxy
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`oauth.hexor.cy`)
+      kind: Rule
+      services:
+        - name: auth-proxy
+          port: 80
+  tls:
+    secretName: auth-proxy-tls
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: auth-proxy-tls
+spec:
+  secretName: auth-proxy-tls
+  issuerRef:
+    name: letsencrypt
+    kind: ClusterIssuer
+  dnsNames:
+    - oauth.hexor.cy

k8s/core/auth-proxy/kustomization.yaml

@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - app.yaml
+  - external-secrets.yaml
+  - deployment.yaml
+  - service.yaml
+  - ingress.yaml
+# routes.yaml ConfigMap is managed by Terraform (kubernetes_config_map)

k8s/core/auth-proxy/service.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: auth-proxy
+  labels:
+    app: auth-proxy
+spec:
+  ports:
+    - name: http
+      port: 80
+      targetPort: 8080
+      protocol: TCP
+  selector:
+    app: auth-proxy

k8s/core/kanidm/app.yaml

@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: kanidm
+  namespace: argocd
+spec:
+  project: core
+  destination:
+    namespace: kanidm
+    server: https://kubernetes.default.svc
+  source:
+    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
+    targetRevision: HEAD
+    path: k8s/core/kanidm
+  syncPolicy:
+    automated:
+      selfHeal: true
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true

k8s/core/kanidm/certificate.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: kanidm-tls
+spec:
+  secretName: kanidm-tls
+  issuerRef:
+    name: letsencrypt
+    kind: ClusterIssuer
+  dnsNames:
+    - auth.hexor.cy

k8s/core/kanidm/configmap.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: kanidm-config
+data:
+  server.toml: |
+    bindaddress = "[::]:443"
+    db_path = "/data/kanidm.db"
+    tls_chain = "/certs/tls.crt"
+    tls_key = "/certs/tls.key"
+    domain = "auth.hexor.cy"
+    origin = "https://auth.hexor.cy"
+    log_level = "info"
+
+    [online_backup]
+    path = "/data/backups/"
+    schedule = "00 22 * * *"
+    versions = 7

k8s/core/kanidm/ingress.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: kanidm
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`auth.hexor.cy`)
+      kind: Rule
+      services:
+        - name: kanidm
+          port: 443
+          scheme: https
+          serversTransport: kanidm-transport
+  tls:
+    secretName: kanidm-ingress-tls

k8s/core/kanidm/kustomization.yaml

@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - app.yaml
+  - configmap.yaml
+  - certificate.yaml
+  - statefulset.yaml
+  - service.yaml
+  - ingress.yaml
+  - servers-transport.yaml

k8s/core/kanidm/servers-transport.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: ServersTransport
+metadata:
+  name: kanidm-transport
+spec:
+  insecureSkipVerify: true

k8s/core/kanidm/service.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: kanidm
+  labels:
+    app: kanidm
+spec:
+  ports:
+    - name: https
+      port: 443
+      targetPort: 443
+      protocol: TCP
+  selector:
+    app: kanidm

k8s/core/kanidm/statefulset.yaml

@@ -0,0 +1,86 @@
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: kanidm
+  labels:
+    app: kanidm
+spec:
+  serviceName: kanidm
+  replicas: 1
+  selector:
+    matchLabels:
+      app: kanidm
+  template:
+    metadata:
+      labels:
+        app: kanidm
+    spec:
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+      containers:
+        - name: kanidm
+          image: kanidm/server:1.9.3
+          ports:
+            - containerPort: 443
+              name: https
+              protocol: TCP
+          volumeMounts:
+            - name: kanidm-data
+              mountPath: /data
+            - name: kanidm-config
+              mountPath: /data/server.toml
+              subPath: server.toml
+              readOnly: true
+            - name: kanidm-tls
+              mountPath: /certs
+              readOnly: true
+          resources:
+            requests:
+              memory: "128Mi"
+              cpu: "100m"
+            limits:
+              memory: "512Mi"
+              cpu: "500m"
+          readinessProbe:
+            httpGet:
+              path: /status
+              port: 443
+              scheme: HTTPS
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          livenessProbe:
+            httpGet:
+              path: /status
+              port: 443
+              scheme: HTTPS
+            initialDelaySeconds: 15
+            periodSeconds: 30
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: false
+            runAsUser: 1000
+            runAsGroup: 1000
+      volumes:
+        - name: kanidm-config
+          configMap:
+            name: kanidm-config
+        - name: kanidm-tls
+          secret:
+            secretName: kanidm-tls
+      nodeSelector:
+        kubernetes.io/hostname: master.tail2fe2d.ts.net
+      tolerations:
+        - key: node-role.kubernetes.io/master
+          effect: NoSchedule
+  volumeClaimTemplates:
+    - metadata:
+        name: kanidm-data
+      spec:
+        accessModes: ["ReadWriteOnce"]
+        storageClassName: longhorn
+        resources:
+          requests:
+            storage: 1Gi

k8s/core/keycloak/app.yaml

@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: keycloak
+  namespace: argocd
+spec:
+  project: core
+  destination:
+    namespace: keycloak
+    server: https://kubernetes.default.svc
+  source:
+    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
+    targetRevision: HEAD
+    path: k8s/core/keycloak
+  syncPolicy:
+    automated:
+      selfHeal: true
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true

k8s/core/keycloak/external-secrets.yaml

@@ -0,0 +1,41 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: keycloak-creds
+spec:
+  target:
+    name: keycloak-creds
+    deletionPolicy: Delete
+    template:
+      type: Opaque
+      data:
+        KC_DB_USERNAME: keycloak
+        KC_DB_PASSWORD: |-
+          {{ .db_password }}
+        KC_BOOTSTRAP_ADMIN_USERNAME: admin
+        KC_BOOTSTRAP_ADMIN_PASSWORD: |-
+          {{ .admin_password }}
+  data:
+    - secretKey: db_password
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
+        key: 2a9deb39-ef22-433e-a1be-df1555625e22
+        property: fields[18].value
+    - secretKey: admin_password
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
+        key: 9422b636-a91d-40e4-bf98-925b2a3f831d
+        property: login.password

k8s/core/keycloak/kustomization.yaml

@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - app.yaml
+  - external-secrets.yaml
+
+helmCharts:
+  - name: keycloakx
+    repo: https://codecentric.github.io/helm-charts
+    version: 7.1.11
+    releaseName: keycloak
+    namespace: keycloak
+    valuesFile: values.yaml

k8s/core/keycloak/values.yaml

@@ -0,0 +1,67 @@
+replicas: 1
+
+image:
+  repository: quay.io/keycloak/keycloak
+  tag: "26.5.6"
+
+command:
+  - "/opt/keycloak/bin/kc.sh"
+  - "start"
+  - "--http-port=8080"
+  - "--hostname-strict=false"
+  - "--proxy-headers=xforwarded"
+
+extraEnvFrom: |
+  - secretRef:
+      name: keycloak-creds
+
+extraEnv: |
+  - name: KC_HOSTNAME
+    value: auth.hexor.cy
+  - name: JAVA_OPTS_APPEND
+    value: "-Djgroups.dns.query=keycloak-headless.keycloak.svc"
+
+dbchecker:
+  enabled: true
+
+database:
+  vendor: postgres
+  hostname: psql.psql.svc
+  port: 5432
+  database: keycloak
+  existingSecret: keycloak-creds
+  existingSecretKey: KC_DB_PASSWORD
+
+service:
+  type: ClusterIP
+
+ingress:
+  enabled: true
+  ingressClassName: traefik
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
+  rules:
+    - host: auth.hexor.cy
+      paths:
+        - path: /
+          pathType: Prefix
+  tls:
+    - secretName: keycloak-tls
+      hosts:
+        - auth.hexor.cy
+
+resources:
+  requests:
+    cpu: 200m
+    memory: 512Mi
+  limits:
+    cpu: "1"
+    memory: 1Gi
+
+nodeSelector:
+  kubernetes.io/hostname: master.tail2fe2d.ts.net
+
+tolerations:
+  - key: node-role.kubernetes.io/master
+    effect: NoSchedule

k8s/core/postgresql/external-secrets.yaml

@@ -135,6 +135,8 @@ spec:
           {{ .furumi }}
         USER_furumi_dev: |-
           {{ .furumi_dev }}
+        USER_keycloak: |-
+          {{ .keycloak }}
   data:
     - secretKey: authentik
       sourceRef:
@@ -323,4 +325,14 @@ spec:
         metadataPolicy: None
         key: 2a9deb39-ef22-433e-a1be-df1555625e22
         property: fields[17].value
-
+    - secretKey: keycloak
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
+        key: 2a9deb39-ef22-433e-a1be-df1555625e22
+        property: fields[18].value

terraform/keycloak/.terraform.lock.hcl

@@ -0,0 +1,47 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/kubernetes" {
+  version     = "3.1.0"
+  constraints = ">= 2.0.0"
+  hashes = [
+    "h1:G9QqKNpcztBRqrywtlNylFJSpGzDfRFtO8hcWLdkvRY=",
+    "zh:0215c5c60be62028c09a2f22458e89cda3ef5830a632299f1d401eb3538874b0",
+    "zh:09ebb9f442431e278a310a9423f32caf467cb4b3cad3fe59573ca71fa7b14e20",
+    "zh:0c4e5912f83bb35846ae0a9ae54fc320706ee61894cd21cc6b4181b1c5a2fa5c",
+    "zh:1678c982853ad461e65ccb5e79d585e13ed109dd47dab2a66d3a7a304faeef65",
+    "zh:1c050a5c15e330457a9c18caacf61a923c59d663e13f2962e4b32f04fef523a0",
+    "zh:2c55bcec83be58ec132c7cb0a1ac644758b800d794fdc636d53a0eada0358a3a",
+    "zh:a062bb0aa316c08d8460c66a5d68da71da40de5d3bc3b31abcf3a1a9a19650f1",
+    "zh:a26fdea0afaa9b247c73c0b42843ca51ba7db0ac2571f9d3d50dcabd20ca1b98",
+    "zh:c872c9385a78d502bf5823d61cd3bb0f9a0585030e025eb12585c83451beeaa1",
+    "zh:f180879af931182beee4c8c0d9dab62b81d86f17ddcbe3786ef4c7cec9163a4e",
+    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "zh:f70f5789264069e0eef06f9b5d5fde955ef7206f7d446d1ce51a4c37a3f3e02f",
+  ]
+}
+
+provider "registry.terraform.io/keycloak/keycloak" {
+  version     = "5.7.0"
+  constraints = ">= 5.0.0"
+  hashes = [
+    "h1:3DuKdVeOxwULh7l6bvJKWZvsgSZo92rtnrdvyp+X2Lc=",
+    "zh:19be4505b17e4818db121a82917cb6723019cf379cfb82b720eaa2886f15bede",
+    "zh:2bd1565ed22db6a9fb50d60626e22c277f3b034a71f65e6c0011e42f56cad2bb",
+    "zh:34a9e2dfb06331dc6146491c4a0721001195c6a769cdc2d4546edb2acf2b39bd",
+    "zh:3f86bf9eac6d73eeaa926471826b6888da77950f68e6a3a95dc2d9201a4a88fa",
+    "zh:4b9053fde2c8dee6469c8b273bf5491a27228a1df28e30b86714118f0f876baf",
+    "zh:522aa6bcecc6b8d517415237f4ec079488ef7de0e980a634bf6a8b481c13effc",
+    "zh:52f85208815ca65b8d3cd5465b28005ba63f854122bc61fbf04925c986d48e78",
+    "zh:636555042a6051d2e1113e5f945edb9f432e2d09b81cf6e50a59a534819d98dd",
+    "zh:73a1fecfb3d9666bf87c2eb7d001281b8cfcd7132573b8c3d4febc2db55f0a2f",
+    "zh:76fa26d055ceeb0869a50e4b63871f4b07f55045af6b46b83686016531e9fb22",
+    "zh:8df147e619d7ac3d3f9840ba0d1895d34bde179e818863e2e7b52e2c05c12f58",
+    "zh:9c830253990e13ec284d0d312fea562938e4a8fc664dacb3af5f1eb16dcae1ae",
+    "zh:abd0bd630b362cd6f77fbb33625bc6f515782eb58cb096b4ce69dea252254aef",
+    "zh:d1474a67ffc3288b2d0c99f6e8edc937ac8ef54afed0306e3c6f033aa836a5f6",
+    "zh:ed19408f15667bfb572120858bdde929a20ce2d1f29468973905980c03299767",
+    "zh:ef8bc311f7d1ad821b65ba43af92e2ce835e739d391098b13e01a61747b5c648",
+    "zh:f57319d9a7ac387d5070c909fd0084ccfc296f1f3193efde995ae24aa1729a39",
+  ]
+}

terraform/keycloak/main.tf

@@ -0,0 +1,172 @@
+# =============================================================================
+# Realm
+# =============================================================================
+
+resource "keycloak_realm" "hexor" {
+  realm   = "hexor"
+  enabled = true
+
+  display_name = "Hexor"
+
+  login_theme   = "keycloak"
+  account_theme = "keycloak.v3"
+
+  registration_allowed     = false
+  reset_password_allowed   = true
+  remember_me              = true
+  verify_email             = false
+  login_with_email_allowed = true
+  duplicate_emails_allowed = false
+
+  ssl_required = "external"
+}
+
+# =============================================================================
+# Google Identity Provider
+# =============================================================================
+
+resource "keycloak_oidc_google_identity_provider" "google" {
+  realm         = keycloak_realm.hexor.id
+  client_id     = var.google_client_id
+  client_secret = var.google_client_secret
+
+  trust_email = true
+  sync_mode   = "IMPORT"
+}
+
+# =============================================================================
+# Standalone groups
+# =============================================================================
+
+resource "keycloak_group" "standalone" {
+  for_each = toset(var.groups)
+
+  realm_id = keycloak_realm.hexor.id
+  name     = each.value
+}
+
+resource "keycloak_default_groups" "default" {
+  realm_id  = keycloak_realm.hexor.id
+  group_ids = [for g in keycloak_group.standalone : g.id if g.name == "users"]
+}
+
+# =============================================================================
+# rsauth2-proxy client (production)
+# =============================================================================
+
+resource "keycloak_openid_client" "rsauth2_proxy" {
+  realm_id  = keycloak_realm.hexor.id
+  client_id = "rsauth2-proxy"
+
+  name                         = "rsauth2-proxy"
+  enabled                      = true
+  access_type                  = "CONFIDENTIAL"
+  standard_flow_enabled        = true
+  direct_access_grants_enabled = false
+
+  valid_redirect_uris = [
+    "https://oauth.hexor.cy/callback",
+  ]
+
+  web_origins = [
+    "https://oauth.hexor.cy",
+  ]
+}
+
+resource "keycloak_openid_group_membership_protocol_mapper" "rsauth2_proxy_groups" {
+  realm_id   = keycloak_realm.hexor.id
+  client_id  = keycloak_openid_client.rsauth2_proxy.id
+  name       = "groups"
+  claim_name = "groups"
+  full_path  = false
+}
+
+resource "keycloak_openid_client_default_scopes" "rsauth2_proxy" {
+  realm_id  = keycloak_realm.hexor.id
+  client_id = keycloak_openid_client.rsauth2_proxy.id
+
+  default_scopes = [
+    "openid",
+    "profile",
+    "email",
+  ]
+}
+
+# =============================================================================
+# rsauth2-proxy client (localhost testing)
+# =============================================================================
+
+resource "keycloak_openid_client" "rsauth2_proxy_dev" {
+  realm_id  = keycloak_realm.hexor.id
+  client_id = "rsauth2-proxy-dev"
+
+  name                         = "rsauth2-proxy (dev)"
+  enabled                      = true
+  access_type                  = "CONFIDENTIAL"
+  standard_flow_enabled        = true
+  direct_access_grants_enabled = false
+
+  valid_redirect_uris = [
+    "http://localhost:8080/callback",
+  ]
+
+  web_origins = [
+    "http://localhost:8080",
+  ]
+}
+
+resource "keycloak_openid_group_membership_protocol_mapper" "rsauth2_proxy_dev_groups" {
+  realm_id   = keycloak_realm.hexor.id
+  client_id  = keycloak_openid_client.rsauth2_proxy_dev.id
+  name       = "groups"
+  claim_name = "groups"
+  full_path  = false
+}
+
+resource "keycloak_openid_client_default_scopes" "rsauth2_proxy_dev" {
+  realm_id  = keycloak_realm.hexor.id
+  client_id = keycloak_openid_client.rsauth2_proxy_dev.id
+
+  default_scopes = [
+    "openid",
+    "profile",
+    "email",
+  ]
+}
+
+# =============================================================================
+# Proxy applications — auto-created groups + routes ConfigMap
+# =============================================================================
+
+resource "keycloak_group" "app" {
+  for_each = var.proxy_applications
+
+  realm_id = keycloak_realm.hexor.id
+  name     = "app-${each.key}"
+}
+
+locals {
+  app_allowed_groups = {
+    for k, v in var.proxy_applications : k => concat(
+      ["app-${k}"],
+      v.allowed_groups
+    )
+  }
+}
+
+resource "kubernetes_config_map" "auth_proxy_routes" {
+  metadata {
+    name      = "auth-proxy-routes"
+    namespace = "auth-proxy"
+  }
+
+  data = {
+    "routes.yaml" = yamlencode({
+      routes = {
+        for k, v in var.proxy_applications : v.domain => {
+          allowed_groups = local.app_allowed_groups[k]
+        }
+      }
+    })
+  }
+}

terraform/keycloak/outputs.tf

@@ -0,0 +1,37 @@
+output "realm_id" {
+  value = keycloak_realm.hexor.id
+}
+
+output "google_idp_alias" {
+  value = keycloak_oidc_google_identity_provider.google.alias
+}
+
+output "rsauth2_proxy_client_id" {
+  value = keycloak_openid_client.rsauth2_proxy.client_id
+}
+
+output "rsauth2_proxy_client_secret" {
+  value     = keycloak_openid_client.rsauth2_proxy.client_secret
+  sensitive = true
+}
+
+output "rsauth2_proxy_dev_client_id" {
+  value = keycloak_openid_client.rsauth2_proxy_dev.client_id
+}
+
+output "rsauth2_proxy_dev_client_secret" {
+  value     = keycloak_openid_client.rsauth2_proxy_dev.client_secret
+  sensitive = true
+}
+
+output "standalone_groups" {
+  value = [for g in keycloak_group.standalone : g.name]
+}
+
+output "app_groups" {
+  value = { for k, g in keycloak_group.app : k => g.name }
+}
+
+output "app_allowed_groups" {
+  value = local.app_allowed_groups
+}

terraform/keycloak/providers.tf

@@ -0,0 +1,23 @@
+terraform {
+  required_providers {
+    keycloak = {
+      source  = "keycloak/keycloak"
+      version = ">= 5.0.0"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = ">= 2.0.0"
+    }
+  }
+}
+
+provider "keycloak" {
+  url           = var.keycloak_url
+  base_path     = "/auth"
+  client_id     = var.keycloak_client_id
+  client_secret = var.keycloak_client_secret
+}
+
+provider "kubernetes" {
+  config_path = var.kubeconfig_path
+}

terraform/keycloak/state.tf

@@ -0,0 +1,8 @@
+terraform {
+  cloud {
+    organization = "ultradesu"
+    workspaces {
+      name = "Keycloak"
+    }
+  }
+}

terraform/keycloak/variables.tf

@@ -0,0 +1,49 @@
+variable "keycloak_url" {
+  description = "Keycloak URL (set via TF_VAR_keycloak_url)"
+  type        = string
+  default     = "https://auth.hexor.cy"
+}
+
+variable "keycloak_client_id" {
+  description = "Keycloak Terraform client ID (set via TF_VAR_keycloak_client_id)"
+  type        = string
+  default     = "terraform"
+}
+
+variable "keycloak_client_secret" {
+  description = "Keycloak Terraform client secret (set via TF_VAR_keycloak_client_secret)"
+  type        = string
+  sensitive   = true
+}
+
+variable "kubeconfig_path" {
+  description = "Path to kubeconfig (set via TF_VAR_kubeconfig_path or KUBE_CONFIG_PATH)"
+  type        = string
+  default     = "~/.kube/config"
+}
+
+variable "google_client_id" {
+  description = "Google OAuth client ID (set via TF_VAR_google_client_id)"
+  type        = string
+}
+
+variable "google_client_secret" {
+  description = "Google OAuth client secret (set via TF_VAR_google_client_secret)"
+  type        = string
+  sensitive   = true
+}
+
+variable "groups" {
+  description = "Standalone Keycloak groups"
+  type        = list(string)
+  default     = []
+}
+
+variable "proxy_applications" {
+  description = "Proxy applications protected by rsauth2-proxy"
+  type = map(object({
+    domain         = string
+    allowed_groups = optional(list(string), [])
+  }))
+  default = {}
+}