Auto-update README with current k8s applications

Generated by CI/CD workflow on 2026-03-13 10:48:41 This PR updates the README.md file with the current list of applications found in the k8s/ directory structure.
2026-03-13 10:48:41 +00:00
87 changed files with 152 additions and 3070 deletions
@@ -17,12 +17,9 @@ ArgoCD homelab project
 | **cert-manager** | [![cert-manager](https://ag.hexor.cy/api/badge?name=cert-manager&revision=true)](https://ag.hexor.cy/applications/argocd/cert-manager) |
 | **external-secrets** | [![external-secrets](https://ag.hexor.cy/api/badge?name=external-secrets&revision=true)](https://ag.hexor.cy/applications/argocd/external-secrets) |
 | **gpu** | [![gpu](https://ag.hexor.cy/api/badge?name=gpu&revision=true)](https://ag.hexor.cy/applications/argocd/gpu) |
-| **kanidm** | [![kanidm](https://ag.hexor.cy/api/badge?name=kanidm&revision=true)](https://ag.hexor.cy/applications/argocd/kanidm) |
-| **keycloak** | [![keycloak](https://ag.hexor.cy/api/badge?name=keycloak&revision=true)](https://ag.hexor.cy/applications/argocd/keycloak) |
 | **kube-system-custom** | [![kube-system-custom](https://ag.hexor.cy/api/badge?name=kube-system-custom&revision=true)](https://ag.hexor.cy/applications/argocd/kube-system-custom) |
 | **kubernetes-dashboard** | [![kubernetes-dashboard](https://ag.hexor.cy/api/badge?name=kubernetes-dashboard&revision=true)](https://ag.hexor.cy/applications/argocd/kubernetes-dashboard) |
 | **longhorn** | [![longhorn](https://ag.hexor.cy/api/badge?name=longhorn&revision=true)](https://ag.hexor.cy/applications/argocd/longhorn) |
-| **oauth2-proxy** | [![oauth2-proxy](https://ag.hexor.cy/api/badge?name=oauth2-proxy&revision=true)](https://ag.hexor.cy/applications/argocd/oauth2-proxy) |
 | **postgresql** | [![postgresql](https://ag.hexor.cy/api/badge?name=postgresql&revision=true)](https://ag.hexor.cy/applications/argocd/postgresql) |
 | **prom-stack** | [![prom-stack](https://ag.hexor.cy/api/badge?name=prom-stack&revision=true)](https://ag.hexor.cy/applications/argocd/prom-stack) |
 | **system-upgrade** | [![system-upgrade](https://ag.hexor.cy/api/badge?name=system-upgrade&revision=true)](https://ag.hexor.cy/applications/argocd/system-upgrade) |
@@ -42,7 +39,6 @@ ArgoCD homelab project
 | Application | Status |
 | :--- | :---: |
 | **comfyui** | [![comfyui](https://ag.hexor.cy/api/badge?name=comfyui&revision=true)](https://ag.hexor.cy/applications/argocd/comfyui) |
-| **furumi-dev** | [![furumi-dev](https://ag.hexor.cy/api/badge?name=furumi-dev&revision=true)](https://ag.hexor.cy/applications/argocd/furumi-dev) |
 | **furumi-server** | [![furumi-server](https://ag.hexor.cy/api/badge?name=furumi-server&revision=true)](https://ag.hexor.cy/applications/argocd/furumi-server) |
 | **gitea** | [![gitea](https://ag.hexor.cy/api/badge?name=gitea&revision=true)](https://ag.hexor.cy/applications/argocd/gitea) |
 | **greece-notifier** | [![greece-notifier](https://ag.hexor.cy/api/badge?name=greece-notifier&revision=true)](https://ag.hexor.cy/applications/argocd/greece-notifier) |
@@ -53,7 +49,6 @@ ArgoCD homelab project
 | **k8s-secrets** | [![k8s-secrets](https://ag.hexor.cy/api/badge?name=k8s-secrets&revision=true)](https://ag.hexor.cy/applications/argocd/k8s-secrets) |
 | **khm** | [![khm](https://ag.hexor.cy/api/badge?name=khm&revision=true)](https://ag.hexor.cy/applications/argocd/khm) |
 | **lidarr** | [![lidarr](https://ag.hexor.cy/api/badge?name=lidarr&revision=true)](https://ag.hexor.cy/applications/argocd/lidarr) |
-| **matrix** | [![matrix](https://ag.hexor.cy/api/badge?name=matrix&revision=true)](https://ag.hexor.cy/applications/argocd/matrix) |
 | **mtproxy** | [![mtproxy](https://ag.hexor.cy/api/badge?name=mtproxy&revision=true)](https://ag.hexor.cy/applications/argocd/mtproxy) |
 | **n8n** | [![n8n](https://ag.hexor.cy/api/badge?name=n8n&revision=true)](https://ag.hexor.cy/applications/argocd/n8n) |
 | **ollama** | [![ollama](https://ag.hexor.cy/api/badge?name=ollama&revision=true)](https://ag.hexor.cy/applications/argocd/ollama) |
@@ -65,12 +60,9 @@ ArgoCD homelab project
 | **sonarr-stack** | [![sonarr-stack](https://ag.hexor.cy/api/badge?name=sonarr-stack&revision=true)](https://ag.hexor.cy/applications/argocd/sonarr-stack) |
 | **stirling-pdf** | [![stirling-pdf](https://ag.hexor.cy/api/badge?name=stirling-pdf&revision=true)](https://ag.hexor.cy/applications/argocd/stirling-pdf) |
 | **syncthing** | [![syncthing](https://ag.hexor.cy/api/badge?name=syncthing&revision=true)](https://ag.hexor.cy/applications/argocd/syncthing) |
-| **teamspeak** | [![teamspeak](https://ag.hexor.cy/api/badge?name=teamspeak&revision=true)](https://ag.hexor.cy/applications/argocd/teamspeak) |
 | **tg-bots** | [![tg-bots](https://ag.hexor.cy/api/badge?name=tg-bots&revision=true)](https://ag.hexor.cy/applications/argocd/tg-bots) |
 | **vaultwarden** | [![vaultwarden](https://ag.hexor.cy/api/badge?name=vaultwarden&revision=true)](https://ag.hexor.cy/applications/argocd/vaultwarden) |
 | **vpn** | [![vpn](https://ag.hexor.cy/api/badge?name=vpn&revision=true)](https://ag.hexor.cy/applications/argocd/vpn) |
-| **web-petting** | [![web-petting](https://ag.hexor.cy/api/badge?name=web-petting&revision=true)](https://ag.hexor.cy/applications/argocd/web-petting) |
-| **wedding** | [![wedding](https://ag.hexor.cy/api/badge?name=wedding&revision=true)](https://ag.hexor.cy/applications/argocd/wedding) |
 | **xandikos** | [![xandikos](https://ag.hexor.cy/api/badge?name=xandikos&revision=true)](https://ag.hexor.cy/applications/argocd/xandikos) |

 </td>
@@ -1,20 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: furumi-dev
-  namespace: argocd
-spec:
-  project: apps
-  destination:
-    namespace: furumi-dev
-    server: https://kubernetes.default.svc
-  source:
-    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
-    targetRevision: HEAD
-    path: k8s/apps/furumi-dev
-  syncPolicy:
-    automated:
-      selfHeal: true
-      prune: true
-    syncOptions:
-      - CreateNamespace=true
@@ -1,55 +0,0 @@
---
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: furumi-ng-creds
-spec:
-  target:
-    name: furumi-ng-creds
-    deletionPolicy: Delete
-    template:
-      type: Opaque
-      data:
-        OIDC_CLIENT_ID: |-
-          {{ .client_id }}
-        OIDC_CLIENT_SECRET: |-
-          {{ .client_secret }}
-        OIDC_ISSUER_URL: https://idm.hexor.cy/application/o/furumi-dev/
-        OIDC_REDIRECT_URL: https://music-dev.hexor.cy/auth/callback
-        OIDC_SESSION_SECRET: |-
-          {{ .session_secret }}
-        PG_STRING: |-
-          postgres://furumi_dev:{{ .pg_pass }}@psql.psql.svc:5432/furumi_dev
-  data:
-    - secretKey: client_id
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        key: 960735e6-2cc9-4b68-9bd3-e6786e5a0cd6
-        property: fields[0].value
-    - secretKey: client_secret
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        key: 960735e6-2cc9-4b68-9bd3-e6786e5a0cd6
-        property: fields[1].value
-    - secretKey: session_secret
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        key: 960735e6-2cc9-4b68-9bd3-e6786e5a0cd6
-        property: fields[2].value
-    - secretKey: pg_pass
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        key: 2a9deb39-ef22-433e-a1be-df1555625e22
-        property: fields[17].value
@@ -1,66 +0,0 @@
---
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: admin-strip
-spec:
-  stripPrefix:
-    prefixes:
-      - /admin
---
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: furumi-tls-ingress
-  annotations:
-    ingressClassName: traefik
-    cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
-    acme.cert-manager.io/http01-edit-in-place: "true"
-spec:
-  rules:
-    - host: music-dev.hexor.cy
-      http:
-        paths:
-          - path: /api
-            pathType: Prefix
-            backend:
-              service:
-                name: furumi-dev-web-player
-                port:
-                  number: 8080
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: furumi-dev-node-player
-                port:
-                  number: 3001
-  tls:
-    - secretName: furumi-tls
-      hosts:
-        - '*.hexor.cy'
---
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: furumi-dev-admin-ingress
-  annotations:
-    ingressClassName: traefik
-    traefik.ingress.kubernetes.io/router.middlewares: furumi-server-admin-strip@kubernetescrd,kube-system-https-redirect@kubernetescrd
-spec:
-  rules:
-    - host: music-dev.hexor.cy
-      http:
-        paths:
-          - path: /admin
-            pathType: Prefix
-            backend:
-              service:
-                name: furumi-dev-metadata-agent
-                port:
-                  number: 8090
-  tls:
-    - secretName: furumi-tls
-      hosts:
-        - '*.hexor.cy'
@@ -1,11 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - app.yaml
-  - service.yaml
-  - external-secrets.yaml
-  - ingress.yaml
-  - web-player.yaml
-  - node-player.yaml
-  - metadata-agent.yaml
@@ -1,59 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: furumi-dev-metadata-agent
-  labels:
-    app: furumi-dev-metadata-agent
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: furumi-dev-metadata-agent
-  template:
-    metadata:
-      labels:
-        app: furumi-dev-metadata-agent
-    spec:
-      nodeSelector:
-        kubernetes.io/hostname: master.tail2fe2d.ts.net
-      containers:
-        - name: furumi-dev-metadata-agent
-          image: ultradesu/furumi-metadata-agent:dev
-          imagePullPolicy: Always
-          env:
-            - name: FURUMI_AGENT_DATABASE_URL
-              valueFrom:
-                secretKeyRef:
-                  name: furumi-ng-creds
-                  key: PG_STRING
-            - name: FURUMI_AGENT_INBOX_DIR
-              value: "/inbox"
-            - name: FURUMI_AGENT_STORAGE_DIR
-              value: "/media"
-            - name: FURUMI_AGENT_OLLAMA_URL
-              value: "http://100.120.76.49:1234"
-            - name: FURUMI_AGENT_OLLAMA_MODEL
-              value: "qwen2.5-32b-instruct"
-            - name: FURUMI_AGENT_POLL_INTERVAL_SECS
-              value: "10"
-            - name: RUST_LOG
-              value: "info"
-          ports:
-            - name: admin-ui
-              containerPort: 8090
-              protocol: TCP
-          volumeMounts:
-            - name: library
-              mountPath: /media
-            - name: inbox
-              mountPath: /inbox
-      volumes:
-        - name: library
-          hostPath:
-            path: /k8s/furumi-dev/library
-            type: DirectoryOrCreate
-        - name: inbox
-          hostPath:
-            path: /k8s/furumi-dev/inbox
-            type: DirectoryOrCreate
-
@@ -1,53 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: furumi-dev-node-player
-  labels:
-    app: furumi-dev-node-player
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: furumi-dev-node-player
-  template:
-    metadata:
-      labels:
-        app: furumi-dev-node-player
-    spec:
-      nodeSelector:
-        kubernetes.io/hostname: master.tail2fe2d.ts.net
-      containers:
-        - name: furumi-dev-node-player
-          image: ultradesu/furumi-node-player:dev
-          imagePullPolicy: Always
-          env:
-            - name: PORT
-              value: "3001"
-            - name: BASE_URL
-              value: "https://music-dev.hexor.cy"
-            - name: FRONTEND_ORIGIN
-              value: "https://music-dev.hexor.cy"
-            - name: SESSION_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: furumi-ng-creds
-                  key: OIDC_SESSION_SECRET
-            - name: OIDC_ISSUER_BASE_URL
-              valueFrom:
-                secretKeyRef:
-                  name: furumi-ng-creds
-                  key: OIDC_ISSUER_URL
-            - name: OIDC_CLIENT_ID
-              valueFrom:
-                secretKeyRef:
-                  name: furumi-ng-creds
-                  key: OIDC_CLIENT_ID
-            - name: OIDC_CLIENT_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: furumi-ng-creds
-                  key: OIDC_CLIENT_SECRET
-          ports:
-            - name: http
-              containerPort: 3001
-              protocol: TCP
@@ -1,48 +0,0 @@
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: furumi-dev-metadata-agent
-  labels:
-    app: furumi-dev-metadata-agent
-spec:
-  type: ClusterIP
-  selector:
-    app: furumi-dev-metadata-agent
-  ports:
-    - name: admin-ui
-      protocol: TCP
-      port: 8090
-      targetPort: 8090
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: furumi-dev-web-player
-  labels:
-    app: furumi-dev-web-player
-spec:
-  type: ClusterIP
-  selector:
-    app: furumi-dev-web-player
-  ports:
-    - name: http
-      protocol: TCP
-      port: 8080
-      targetPort: 8080
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: furumi-dev-node-player
-  labels:
-    app: furumi-dev-node-player
-spec:
-  type: ClusterIP
-  selector:
-    app: furumi-dev-node-player
-  ports:
-    - name: http
-      protocol: TCP
-      port: 3001
-      targetPort: 3001
@@ -1,69 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: furumi-dev-web-player
-  labels:
-    app: furumi-dev-web-player
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: furumi-dev-web-player
-  template:
-    metadata:
-      labels:
-        app: furumi-dev-web-player
-    spec:
-      nodeSelector:
-        kubernetes.io/hostname: master.tail2fe2d.ts.net
-      containers:
-        - name: furumi-dev-web-player
-          image: ultradesu/furumi-web-player:dev
-          imagePullPolicy: Always
-          env:
-            - name: FURUMI_PLAYER_OIDC_CLIENT_ID
-              valueFrom:
-                secretKeyRef:
-                  name: furumi-ng-creds
-                  key: OIDC_CLIENT_ID
-            - name: FURUMI_PLAYER_OIDC_CLIENT_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: furumi-ng-creds
-                  key: OIDC_CLIENT_SECRET
-            - name: FURUMI_PLAYER_OIDC_ISSUER_URL
-              valueFrom:
-                secretKeyRef:
-                  name: furumi-ng-creds
-                  key: OIDC_ISSUER_URL
-            - name: FURUMI_PLAYER_OIDC_REDIRECT_URL
-              valueFrom:
-                secretKeyRef:
-                  name: furumi-ng-creds
-                  key: OIDC_REDIRECT_URL
-            - name: FURUMI_PLAYER_OIDC_SESSION_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: furumi-ng-creds
-                  key: OIDC_SESSION_SECRET
-            - name: FURUMI_PLAYER_DATABASE_URL
-              valueFrom:
-                secretKeyRef:
-                  name: furumi-ng-creds
-                  key: PG_STRING
-            - name: FURUMI_PLAYER_STORAGE_DIR
-              value: "/media"
-            - name: RUST_LOG
-              value: "info"
-          ports:
-            - name: http
-              containerPort: 8080
-              protocol: TCP
-          volumeMounts:
-            - name: music
-              mountPath: /media
-      volumes:
-        - name: music
-          hostPath:
-            path: /k8s/furumi-dev/library
-            type: DirectoryOrCreate
@@ -18,43 +18,13 @@ spec:
        kubernetes.io/hostname: master.tail2fe2d.ts.net
      containers:
        - name: furumi-server
-          image: ultradesu/furumi-server:trunk
+          image: ultradesu/furumi-server:latest
          imagePullPolicy: Always
          env:
            - name: FURUMI_TOKEN
-              valueFrom:
-                secretKeyRef:
-                  name: furumi-ng-creds
-                  key: TOKEN
-            - name: FURUMI_OIDC_CLIENT_ID
-              valueFrom:
-                secretKeyRef:
-                  name: furumi-ng-creds
-                  key: OIDC_CLIENT_ID
-            - name: FURUMI_OIDC_CLIENT_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: furumi-ng-creds
-                  key: OIDC_CLIENT_SECRET
-            - name: FURUMI_OIDC_ISSUER_URL
-              valueFrom:
-                secretKeyRef:
-                  name: furumi-ng-creds
-                  key: OIDC_ISSUER_URL
-            - name: FURUMI_OIDC_REDIRECT_URL
-              valueFrom:
-                secretKeyRef:
-                  name: furumi-ng-creds
-                  key: OIDC_REDIRECT_URL
-            - name: FURUMI_OIDC_SESSION_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: furumi-ng-creds
-                  key: OIDC_SESSION_SECRET
+              value: "f38387266e75effe891b7953eb9c06b4"
            - name: FURUMI_ROOT
              value: "/media"
-            - name: RUST_LOG
-              value: "info"
          ports:
            - name: grpc
              containerPort: 50051
@@ -62,9 +32,6 @@ spec:
            - name: metrics
              containerPort: 9090
              protocol: TCP
-            - name: web-ui
-              containerPort: 8080
-              protocol: TCP
          volumeMounts:
            - name: music
              mountPath: /media
@@ -1,65 +0,0 @@
---
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: furumi-ng-creds
-spec:
-  target:
-    name: furumi-ng-creds
-    deletionPolicy: Delete
-    template:
-      type: Opaque
-      data:
-        TOKEN: |-
-          {{ .token }}
-        OIDC_CLIENT_ID: |-
-          {{ .client_id }}
-        OIDC_CLIENT_SECRET: |-
-          {{ .client_secret }}
-        OIDC_ISSUER_URL: https://idm.hexor.cy/application/o/furumi-ng-web/
-        OIDC_REDIRECT_URL: https://music.hexor.cy/auth/callback
-        OIDC_SESSION_SECRET: |-
-          {{ .session_secret }}
-        PG_STRING: |-
-          postgres://furumi:{{ .pg_pass }}@psql.psql.svc:5432/furumi
-  data:
-    - secretKey: token
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        key: b8b8c3a2-c3fe-42d3-9402-0ae305e1455f
-        property: fields[0].value
-    - secretKey: client_id
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        key: b8b8c3a2-c3fe-42d3-9402-0ae305e1455f
-        property: fields[1].value
-    - secretKey: client_secret
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        key: b8b8c3a2-c3fe-42d3-9402-0ae305e1455f
-        property: fields[2].value
-    - secretKey: session_secret
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        key: b8b8c3a2-c3fe-42d3-9402-0ae305e1455f
-        property: fields[3].value
-    - secretKey: pg_pass
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        key: 2a9deb39-ef22-433e-a1be-df1555625e22
-        property: fields[16].value
@@ -1,59 +0,0 @@
---
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: admin-strip
-spec:
-  stripPrefix:
-    prefixes:
-      - /admin
---
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: furumi-tls-ingress
-  annotations:
-    ingressClassName: traefik
-    cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
-    acme.cert-manager.io/http01-edit-in-place: "true"
-spec:
-  rules:
-    - host: music.hexor.cy
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: furumi-web-player
-                port:
-                  number: 8080
-  tls:
-    - secretName: furumi-tls
-      hosts:
-        - '*.hexor.cy'
---
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: furumi-admin-ingress
-  annotations:
-    ingressClassName: traefik
-    traefik.ingress.kubernetes.io/router.middlewares: furumi-server-admin-strip@kubernetescrd,kube-system-https-redirect@kubernetescrd
-spec:
-  rules:
-    - host: music.hexor.cy
-      http:
-        paths:
-          - path: /admin
-            pathType: Prefix
-            backend:
-              service:
-                name: furumi-metadata-agent
-                port:
-                  number: 8090
-  tls:
-    - secretName: furumi-tls
-      hosts:
-        - '*.hexor.cy'
@@ -6,7 +6,3 @@ resources:
  - deployment.yaml
  - service.yaml
  - servicemonitor.yaml
-  - external-secrets.yaml
-  - ingress.yaml
-  - web-player.yaml
-  - metadata-agent.yaml
@@ -1,59 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: furumi-metadata-agent
-  labels:
-    app: furumi-metadata-agent
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: furumi-metadata-agent
-  template:
-    metadata:
-      labels:
-        app: furumi-metadata-agent
-    spec:
-      nodeSelector:
-        kubernetes.io/hostname: master.tail2fe2d.ts.net
-      containers:
-        - name: furumi-metadata-agent
-          image: ultradesu/furumi-metadata-agent:trunk
-          imagePullPolicy: Always
-          env:
-            - name: FURUMI_AGENT_DATABASE_URL
-              valueFrom:
-                secretKeyRef:
-                  name: furumi-ng-creds
-                  key: PG_STRING
-            - name: FURUMI_AGENT_INBOX_DIR
-              value: "/inbox"
-            - name: FURUMI_AGENT_STORAGE_DIR
-              value: "/media"
-            - name: FURUMI_AGENT_OLLAMA_URL
-              value: "http://100.120.76.49:1234"
-            - name: FURUMI_AGENT_OLLAMA_MODEL
-              value: "google/gemma-4-26b-a4b"
-            - name: FURUMI_AGENT_POLL_INTERVAL_SECS
-              value: "10"
-            - name: RUST_LOG
-              value: "info"
-          ports:
-            - name: admin-ui
-              containerPort: 8090
-              protocol: TCP
-          volumeMounts:
-            - name: library
-              mountPath: /media
-            - name: inbox
-              mountPath: /inbox
-      volumes:
-        - name: library
-          hostPath:
-            path: /k8s/furumi/library
-            type: DirectoryOrCreate
-        - name: inbox
-          hostPath:
-            path: /k8s/furumi/inbox
-            type: DirectoryOrCreate
-
@@ -28,35 +28,3 @@ spec:
      protocol: TCP
      port: 9090
      targetPort: 9090
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: furumi-metadata-agent
-  labels:
-    app: furumi-metadata-agent
-spec:
-  type: ClusterIP
-  selector:
-    app: furumi-metadata-agent
-  ports:
-    - name: admin-ui
-      protocol: TCP
-      port: 8090
-      targetPort: 8090
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: furumi-web-player
-  labels:
-    app: furumi-web-player
-spec:
-  type: ClusterIP
-  selector:
-    app: furumi-web-player
-  ports:
-    - name: web-ui
-      protocol: TCP
-      port: 8080
-      targetPort: 8080
@@ -1,70 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: furumi-web-player
-  labels:
-    app: furumi-web-player
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: furumi-web-player
-  template:
-    metadata:
-      labels:
-        app: furumi-web-player
-    spec:
-      nodeSelector:
-        kubernetes.io/hostname: master.tail2fe2d.ts.net
-      containers:
-        - name: furumi-web-player
-          image: ultradesu/furumi-web-player:trunk
-          imagePullPolicy: Always
-          env:
-            - name: FURUMI_PLAYER_OIDC_CLIENT_ID
-              valueFrom:
-                secretKeyRef:
-                  name: furumi-ng-creds
-                  key: OIDC_CLIENT_ID
-            - name: FURUMI_PLAYER_OIDC_CLIENT_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: furumi-ng-creds
-                  key: OIDC_CLIENT_SECRET
-            - name: FURUMI_PLAYER_OIDC_ISSUER_URL
-              valueFrom:
-                secretKeyRef:
-                  name: furumi-ng-creds
-                  key: OIDC_ISSUER_URL
-            - name: FURUMI_PLAYER_OIDC_REDIRECT_URL
-              valueFrom:
-                secretKeyRef:
-                  name: furumi-ng-creds
-                  key: OIDC_REDIRECT_URL
-            - name: FURUMI_PLAYER_OIDC_SESSION_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: furumi-ng-creds
-                  key: OIDC_SESSION_SECRET
-            - name: FURUMI_PLAYER_DATABASE_URL
-              valueFrom:
-                secretKeyRef:
-                  name: furumi-ng-creds
-                  key: PG_STRING
-            - name: FURUMI_PLAYER_STORAGE_DIR
-              value: "/media"
-            - name: RUST_LOG
-              value: "info"
-          ports:
-            - name: web-ui
-              containerPort: 8080
-              protocol: TCP
-          volumeMounts:
-            - name: music
-              mountPath: /media
-      volumes:
-        - name: music
-          hostPath:
-            path: /k8s/furumi/library
-            type: DirectoryOrCreate
-
@@ -48,8 +48,6 @@ spec:
              value: "true"
            - name: GITEA__service__CAPTCHA_TYPE
              value: "hcaptcha"
-            - name: GITEA__webhook__ALLOWED_HOST_LIST
-              value: "*"
          envFrom:
          - secretRef:
              name: gitea-recapcha-creds
@@ -79,11 +77,8 @@ spec:
      labels:
        app: gitea-runner
    spec:
-      tolerations:
-        - key: workload
-          operator: Equal
-          value: desktop
-          effect: NoSchedule
+      #nodeSelector:
+      #  kubernetes.io/hostname: home.homenet
      volumes:
        - name: docker-sock
          hostPath:
@@ -95,28 +90,21 @@ spec:
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
-          - weight: 100
-            preference:
-              matchExpressions:
-              - key: kubernetes.io/hostname
-                operator: In
-                values:
-                - uk-desktop.tail2fe2d.ts.net
-          - weight: 50
+          - weight: 1
            preference:
              matchExpressions:
              - key: kubernetes.io/hostname
                operator: In
                values:
                - home.homenet
-          - weight: 30
+          - weight: 2
            preference:
              matchExpressions:
              - key: kubernetes.io/hostname
                operator: In
                values:
                - master.tail2fe2d.ts.net
-          - weight: 10
+          - weight: 3
            preference:
              matchExpressions:
              - key: kubernetes.io/hostname
@@ -125,18 +113,30 @@ spec:
                - it.tail2fe2d.ts.net
                - ch.tail2fe2d.ts.net
                - us.tail2fe2d.ts.net
+
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: kubernetes.io/hostname
+                operator: In
+                values:
+                - home.homenet
+                - it.tail2fe2d.ts.net
+                - ch.tail2fe2d.ts.net
+                - us.tail2fe2d.ts.net
+                - master.tail2fe2d.ts.net
      containers:
        - name: gitea-runner
          image: gitea/act_runner:nightly
          resources:
-            #requests:
-            #  cpu: "100m"
-            #  memory: "256Mi"
-            #  ephemeral-storage: "1Gi"
-            #limits:
-            #  cpu: "3000m"
-            #  memory: "4Gi"
-            #  ephemeral-storage: "28Gi"
+            requests:
+              cpu: "100m"
+              memory: "256Mi"
+              ephemeral-storage: "1Gi"   # reserve ephemeral storage
+            limits:
+              cpu: "3000m"
+              memory: "4Gi"
+              ephemeral-storage: "28Gi"   # hard cap for /data usage
          volumeMounts:
            - name: docker-sock
              mountPath: /var/run/docker.sock
@@ -1,20 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: matrix
-  namespace: argocd
-spec:
-  project: apps
-  destination:
-    namespace: matrix
-    server: https://kubernetes.default.svc
-  source:
-    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
-    targetRevision: HEAD
-    path: k8s/apps/matrix
-  syncPolicy:
-    automated:
-      selfHeal: true
-      prune: true
-    syncOptions:
-      - CreateNamespace=true
@@ -1,95 +0,0 @@
---
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: matrix-postgres-creds
-spec:
-  target:
-    name: matrix-postgres-creds
-    deletionPolicy: Delete
-    template:
-      type: Opaque
-      data:
-        synapse_db_password: |-
-          {{ .synapse_db_password }}
-        mas_db_password: |-
-          {{ .mas_db_password }}
-  data:
-    - secretKey: synapse_db_password
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        metadataPolicy: None
-        key: 2a9deb39-ef22-433e-a1be-df1555625e22
-        property: fields[14].value
-    - secretKey: mas_db_password
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        metadataPolicy: None
-        key: 2a9deb39-ef22-433e-a1be-df1555625e22
-        property: fields[15].value
---
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: matrix-oidc-config
-spec:
-  target:
-    name: matrix-oidc-config
-    deletionPolicy: Delete
-    template:
-      type: Opaque
-      data:
-        mas-oidc.yaml: |
-          upstream_oauth2:
-            providers:
-              - id: 001KKV4EKY7KG98W2M9T806K6A
-                human_name: Authentik
-                issuer: https://idm.hexor.cy/application/o/matrix/
-                client_id: "{{ .oauth_client_id }}"
-                client_secret: "{{ .oauth_client_secret }}"
-                token_endpoint_auth_method: client_secret_post
-                scope: "openid profile email"
-                claims_imports:
-                  localpart:
-                    action: suggest
-                    template: "{{ `{{ user.preferred_username | split(\"@\") | first }}` }}"
-                  displayname:
-                    action: suggest
-                    template: "{{ `{{ user.name }}` }}"
-                  email:
-                    action: suggest
-                    template: "{{ `{{ user.email }}` }}"
-                    set_email_verification: always
-  data:
-    - secretKey: oauth_client_id
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        metadataPolicy: None
-        key: ca76867f-49f3-4a30-9ef3-b05af35ee49a
-        property: fields[0].value
-    - secretKey: oauth_client_secret
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        metadataPolicy: None
-        key: ca76867f-49f3-4a30-9ef3-b05af35ee49a
-        property: fields[1].value
@@ -1,15 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - app.yaml
-  - external-secrets.yaml
-
-helmCharts:
-  - name: matrix-stack
-    repo: oci://ghcr.io/element-hq/ess-helm
-    version: 26.2.3
-    releaseName: matrix-stack
-    namespace: matrix
-    valuesFile: matrix-stack-values.yaml
-    includeCRDs: true
@@ -1,120 +0,0 @@
-## Matrix server name - appears in @user:matrix.hexor.cy
-serverName: matrix.hexor.cy
-
-## Use letsencrypt cluster issuer for all ingresses
-certManager:
-  clusterIssuer: letsencrypt
-
-## Global ingress settings
-ingress:
-  className: traefik
-  annotations:
-    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
-
-## Disable built-in PostgreSQL - using external database
-postgres:
-  enabled: false
-
-## Disable components we don't need yet
-hookshot:
-  enabled: false
-
-## MatrixRTC - voice/video calls via LiveKit SFU
-matrixRTC:
-  enabled: true
-  ingress:
-    host: livekit.matrix.hexor.cy
-  sfu:
-    enabled: true
-    manualIP: "78.24.180.234"
-    nodeSelector:
-      kubernetes.io/hostname: spb.tail2fe2d.ts.net
-    exposedServices:
-      rtcTcp:
-        enabled: true
-        port: 30881
-      rtcMuxedUdp:
-        enabled: true
-        port: 30882
-      turnTLS:
-        enabled: true
-        port: 31443
-        domain: turn.matrix.hexor.cy
-        tlsTerminationOnPod: true
-
-## Synapse homeserver
-synapse:
-  enabled: true
-  additional:
-    0-search-config:
-      config: |
-        user_directory:
-          enabled: true
-          search_all_users: true
-          prefer_local_users: true
-        enable_room_list_search: true
-  ingress:
-    host: synapse.matrix.hexor.cy
-  postgres:
-    host: psql.psql.svc
-    port: 5432
-    user: synapse
-    database: synapse
-    sslMode: prefer
-    password:
-      secret: matrix-postgres-creds
-      secretKey: synapse_db_password
-  nodeSelector:
-    kubernetes.io/hostname: master.tail2fe2d.ts.net
-  media:
-    storage:
-      size: 20Gi
-    maxUploadSize: 100M
-
-## Matrix Authentication Service
-matrixAuthenticationService:
-  enabled: true
-  ingress:
-    host: auth.matrix.hexor.cy
-  postgres:
-    host: psql.psql.svc
-    port: 5432
-    user: mas
-    database: mas
-    sslMode: prefer
-    password:
-      secret: matrix-postgres-creds
-      secretKey: mas_db_password
-  ## Admin policy
-  additional:
-    0-admin-policy:
-      config: |
-        policy:
-          data:
-            admin_users:
-              - username: ultradesu
-    1-oidc:
-      configSecret: matrix-oidc-config
-      configSecretKey: mas-oidc.yaml
-  nodeSelector:
-    kubernetes.io/hostname: master.tail2fe2d.ts.net
-
-## Element Web client
-elementWeb:
-  enabled: true
-  ingress:
-    host: chat.matrix.hexor.cy
-  nodeSelector:
-    kubernetes.io/hostname: master.tail2fe2d.ts.net
-
-## Element Admin panel
-elementAdmin:
-  enabled: true
-  ingress:
-    host: admin.matrix.hexor.cy
-  nodeSelector:
-    kubernetes.io/hostname: master.tail2fe2d.ts.net
-
-## Well-known delegation on the base domain (host is derived from serverName)
-wellKnownDelegation:
-  enabled: true
@@ -5,12 +5,7 @@ resources:
  - ./app.yaml
  - ./rbac.yaml
  - ./daemonset.yaml
-  - ./telemt-daemonset.yaml
  - ./external-secrets.yaml
-  - ./telemt-external-secrets.yaml
-  - ./telemt-service.yaml
-  - ./telemt-servicemonitor.yaml
  - ./service.yaml
  - ./secret-reader.yaml
-  - ./secret-reader-ingress.yaml
 # - ./storage.yaml
@@ -1,33 +0,0 @@
---
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: secret-reader
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`secret-reader.hexor.cy`)
-      kind: Rule
-      middlewares:
-        - name: keycloak-auth
-          namespace: oauth2-proxy
-      services:
-        - name: secret-reader
-          port: 80
-  tls:
-    secretName: secret-reader-tls
---
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: secret-reader-tls
-spec:
-  secretName: secret-reader-tls
-  issuerRef:
-    name: letsencrypt
-    kind: ClusterIssuer
-  dnsNames:
-    - secret-reader.hexor.cy
@@ -23,7 +23,7 @@ spec:
        imagePullPolicy: Always
        args:
          - "--secrets"
-          - "mtproxy-links,telemt-links"
+          - "mtproxy-links"
          - "--namespace"
          - "mtproxy"
          - "--port"
@@ -1,115 +0,0 @@
---
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
-  name: telemt
-  labels:
-    app: telemt
-spec:
-  selector:
-    matchLabels:
-      app: telemt
-  updateStrategy:
-    type: RollingUpdate
-  template:
-    metadata:
-      labels:
-        app: telemt
-    spec:
-      affinity:
-        nodeAffinity:
-          requiredDuringSchedulingIgnoredDuringExecution:
-            nodeSelectorTerms:
-              - matchExpressions:
-                  - key: mtproxy
-                    operator: Exists
-      serviceAccountName: mtproxy
-      hostNetwork: true
-      dnsPolicy: ClusterFirstWithHostNet
-      initContainers:
-        - name: register-proxy
-          image: bitnami/kubectl:latest
-          env:
-            - name: NODE_NAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: spec.nodeName
-            - name: SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: tgproxy-secret
-                  key: SECRET
-            - name: TELEMT_PORT
-              valueFrom:
-                secretKeyRef:
-                  name: telemt-secret
-                  key: PORT
-          command:
-            - /bin/bash
-            - -c
-            - |
-              set -e
-              NAMESPACE=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)
-              SERVER=$(kubectl get node "${NODE_NAME}" -o jsonpath='{.metadata.labels.mtproxy}')
-              if [ -z "${SERVER}" ]; then
-                echo "ERROR: node ${NODE_NAME} has no mtproxy label"
-                exit 1
-              fi
-              # Build ee-prefixed secret: ee + secret + hex(tls_domain)
-              # "ya.ru" = 79612e7275
-              EE_SECRET="ee${SECRET}79612e7275"
-              LINK="tg://proxy?server=${SERVER}&port=${TELEMT_PORT}&secret=${EE_SECRET}"
-              echo "Registering telemt: ${SERVER} -> ${LINK}"
-              if kubectl get secret telemt-links -n "${NAMESPACE}" &>/dev/null; then
-                kubectl patch secret telemt-links -n "${NAMESPACE}" \
-                  --type merge -p "{\"stringData\":{\"${SERVER}\":\"${LINK}\"}}"
-              else
-                kubectl create secret generic telemt-links -n "${NAMESPACE}" \
-                  --from-literal="${SERVER}=${LINK}"
-              fi
-              echo "Done"
-      containers:
-        - name: telemt
-          image: ghcr.io/telemt/telemt:latest
-          imagePullPolicy: Always
-          ports:
-            - name: proxy
-              containerPort: 30444
-              protocol: TCP
-            - name: api
-              containerPort: 9091
-              protocol: TCP
-          workingDir: /run/telemt
-          env:
-            - name: RUST_LOG
-              value: info
-          volumeMounts:
-            - name: workdir
-              mountPath: /run/telemt
-            - name: config
-              mountPath: /run/telemt/config.toml
-              subPath: config.toml
-              readOnly: true
-            - name: etcdir
-              mountPath: /etc/telemt
-          securityContext:
-            readOnlyRootFilesystem: true
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-                - ALL
-      volumes:
-        - name: config
-          secret:
-            secretName: telemt-secret
-            items:
-              - key: config.toml
-                path: config.toml
-        - name: workdir
-          emptyDir:
-            medium: Memory
-            sizeLimit: 1Mi
-        - name: etcdir
-          emptyDir:
-            medium: Memory
-            sizeLimit: 1Mi
@@ -1,59 +0,0 @@
---
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: telemt-secret
-spec:
-  target:
-    name: telemt-secret
-    deletionPolicy: Delete
-    template:
-      type: Opaque
-      data:
-        SECRET: |-
-          {{ .secret }}
-        PORT: "30444"
-        config.toml: |
-          [general]
-          use_middle_proxy = true
-          log_level = "normal"
-
-          [general.modes]
-          classic = false
-          secure = false
-          tls = true
-
-          [general.links]
-          show = "*"
-          public_port = 30444
-
-          [server]
-          port = 30444
-          metrics_port = 9090
-          metrics_whitelist = ["0.0.0.0/0"]
-
-          [server.api]
-          enabled = true
-          listen = "0.0.0.0:9091"
-          whitelist = ["0.0.0.0/0"]
-
-          [[server.listeners]]
-          ip = "0.0.0.0"
-
-          [censorship]
-          tls_domain = "ya.ru"
-          mask = true
-          tls_emulation = true
-          tls_front_dir = "tlsfront"
-
-          [access.users]
-          user = "{{ .secret }}"
-  data:
-    - secretKey: secret
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        key: 58a37daf-72d8-430d-86bd-6152aa8f888d
-        property: fields[0].value
@@ -1,17 +0,0 @@
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: telemt-metrics
-  labels:
-    app: telemt
-spec:
-  type: ClusterIP
-  clusterIP: None
-  selector:
-    app: telemt
-  ports:
-    - port: 9090
-      targetPort: 9090
-      protocol: TCP
-      name: metrics
@@ -1,24 +0,0 @@
---
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
-  name: telemt-metrics
-  labels:
-    app: telemt
-    release: prometheus
-spec:
-  selector:
-    matchLabels:
-      app: telemt
-  endpoints:
-    - port: metrics
-      path: /metrics
-      interval: 30s
-      scrapeTimeout: 10s
-      honorLabels: true
-      relabelings:
-        - sourceLabels: [__meta_kubernetes_pod_node_name]
-          targetLabel: node
-  namespaceSelector:
-    matchNames:
-      - mtproxy
@@ -4,7 +4,6 @@ kind: Kustomization
 resources:
  - external-secrets.yaml
  - local-pv.yaml
-  - open-terminal.yaml
  
 helmCharts:
  - name: ollama
@@ -16,7 +15,7 @@ helmCharts:
    includeCRDs: true
  - name: open-webui
    repo: https://helm.openwebui.com/
-    version: 12.10.0
+    version: 12.8.1
    releaseName: openweb-ui
    namespace: ollama
    valuesFile: openweb-ui-values.yaml
@@ -1,53 +0,0 @@
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: open-terminal
-  labels:
-    app: open-terminal
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: open-terminal
-  template:
-    metadata:
-      labels:
-        app: open-terminal
-    spec:
-      nodeSelector:
-        kubernetes.io/hostname: uk-desktop.tail2fe2d.ts.net
-      tolerations:
-        - key: workload
-          operator: Equal
-          value: desktop
-          effect: NoSchedule
-      containers:
-        - name: open-terminal
-          image: ghcr.io/open-webui/open-terminal:latest
-          ports:
-            - containerPort: 8000
-          env:
-            - name: OPEN_TERMINAL_API_KEY
-              value: "LOCAL_ACCESS_TOKEN"
-          resources:
-            requests:
-              cpu: 100m
-              memory: 256Mi
-            limits:
-              cpu: "2"
-              memory: 2Gi
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: open-terminal
-  labels:
-    app: open-terminal
-spec:
-  selector:
-    app: open-terminal
-  ports:
-    - port: 8000
-      targetPort: 8000
-      protocol: TCP
@@ -1,5 +1,71 @@
 ---
-image: &image 'pasarguard/node:v0.4.0'
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: pasarguard-node
+  labels:
+    app: pasarguard-node
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: pasarguard-node-configmap
+  labels:
+    app: pasarguard-node
+rules:
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["get", "list", "create", "update", "patch"]
+  - apiGroups: ["cert-manager.io"]
+    resources: ["certificates"]
+    verbs: ["get", "list", "create", "update", "patch", "delete"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list"]
+  - apiGroups: [""]
+    resources: ["services", "endpoints"]
+    verbs: ["get", "list", "create", "update", "patch", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: pasarguard-node-configmap
+  labels:
+    app: pasarguard-node
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: pasarguard-node-configmap
+subjects:
+  - kind: ServiceAccount
+    name: pasarguard-node
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: pasarguard-node-reader
+  labels:
+    app: pasarguard-node
+rules:
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: pasarguard-node-reader
+  labels:
+    app: pasarguard-node
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: pasarguard-node-reader
+subjects:
+  - kind: ServiceAccount
+    name: pasarguard-node
+    namespace: pasarguard
+---
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
@@ -47,7 +113,7 @@ spec:
              mountPath: /scripts
      containers:
        - name: pasarguard-node
-          image: *image
+          image: 'pasarguard/node:v0.2.1'
          imagePullPolicy: Always
          command:
            - /bin/sh
@@ -153,71 +219,3 @@ spec:
          configMap:
            name: pasarguard-scripts
            defaultMode: 0755
-
---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: pasarguard-node
-  labels:
-    app: pasarguard-node
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: pasarguard-node-configmap
-  labels:
-    app: pasarguard-node
-rules:
-  - apiGroups: [""]
-    resources: ["configmaps"]
-    verbs: ["get", "list", "create", "update", "patch"]
-  - apiGroups: ["cert-manager.io"]
-    resources: ["certificates"]
-    verbs: ["get", "list", "create", "update", "patch", "delete"]
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["get", "list"]
-  - apiGroups: [""]
-    resources: ["services", "endpoints"]
-    verbs: ["get", "list", "create", "update", "patch", "delete"]
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: pasarguard-node-configmap
-  labels:
-    app: pasarguard-node
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: pasarguard-node-configmap
-subjects:
-  - kind: ServiceAccount
-    name: pasarguard-node
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: pasarguard-node-reader
-  labels:
-    app: pasarguard-node
-rules:
-  - apiGroups: [""]
-    resources: ["nodes"]
-    verbs: ["get", "list"]
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: pasarguard-node-reader
-  labels:
-    app: pasarguard-node
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: pasarguard-node-reader
-subjects:
-  - kind: ServiceAccount
-    name: pasarguard-node
-    namespace: pasarguard
@@ -1,5 +1,4 @@
 ---
-image: &image 'pasarguard/panel:v3.1.0'
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -35,7 +34,7 @@ spec:
              mountPath: /templates/subscription
      containers:
        - name: pasarguard-web
-          image: *image
+          image: 'pasarguard/panel:latest'
          imagePullPolicy: Always
          envFrom:
            - secretRef:
@@ -76,9 +75,6 @@ apiVersion: v1
 kind: Service
 metadata:
  name: pasarguard
-  annotations:
-    traefik.ingress.kubernetes.io/service.serversscheme: https
-    traefik.ingress.kubernetes.io/service.serverstransport: pasarguard-pasarguard-transport@kubernetescrd
 spec:
  selector:
    app: pasarguard
@@ -1,31 +0,0 @@
---
-apiVersion: traefik.io/v1alpha1
-kind: ServersTransport
-metadata:
-  name: pasarguard-transport
-spec:
-  insecureSkipVerify: true
---
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: pasarguard-ingress
-  annotations:
-    traefik.ingress.kubernetes.io/router.entrypoints: websecure
-spec:
-  ingressClassName: traefik
-  rules:
-    - host: ps.hexor.cy
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: pasarguard
-                port:
-                  number: 80
-  tls:
-    - secretName: pasarguard-tls
-      hosts:
-        - ps.hexor.cy
@@ -9,4 +9,3 @@ resources:
  - ./certificate.yaml
  - ./configmap-scripts.yaml
  - ./servicemonitor.yaml
-  - ./ingress.yaml
@@ -1,20 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: teamspeak
-  namespace: argocd
-spec:
-  project: apps
-  destination:
-    namespace: teamspeak
-    server: https://kubernetes.default.svc
-  source:
-    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
-    targetRevision: HEAD
-    path: k8s/apps/teamspeak
-  syncPolicy:
-    automated:
-      selfHeal: true
-      prune: true
-    syncOptions:
-      - CreateNamespace=true
@@ -1,49 +0,0 @@
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: teamspeak
-  labels:
-    app: teamspeak
-spec:
-  selector:
-    matchLabels:
-      app: teamspeak
-  replicas: 1
-  strategy:
-    type: Recreate
-  template:
-    metadata:
-      labels:
-        app: teamspeak
-    spec:
-      volumes:
-        - name: data
-          persistentVolumeClaim:
-            claimName: teamspeak-data
-      containers:
-        - name: teamspeak
-          image: 'teamspeak:latest'
-          env:
-            - name: TS3SERVER_LICENSE
-              value: "accept"
-          resources:
-            requests:
-              memory: "256Mi"
-              cpu: "100m"
-            limits:
-              memory: "512Mi"
-              cpu: "1000m"
-          ports:
-            - name: voice
-              containerPort: 9987
-              protocol: UDP
-            - name: filetransfer
-              containerPort: 30033
-              protocol: TCP
-            - name: serverquery
-              containerPort: 10011
-              protocol: TCP
-          volumeMounts:
-            - name: data
-              mountPath: /var/ts3server
@@ -1,8 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - app.yaml
-  - storage.yaml
-  - deployment.yaml
-  - service.yaml
@@ -1,22 +0,0 @@
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: teamspeak
-spec:
-  type: LoadBalancer
-  selector:
-    app: teamspeak
-  ports:
-    - name: voice
-      protocol: UDP
-      port: 9987
-      targetPort: 9987
-    - name: filetransfer
-      protocol: TCP
-      port: 30033
-      targetPort: 30033
-    - name: serverquery
-      protocol: TCP
-      port: 10011
-      targetPort: 10011
@@ -1,12 +0,0 @@
---
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: teamspeak-data
-spec:
-  accessModes:
-    - ReadWriteOnce
-  storageClassName: longhorn
-  resources:
-    requests:
-      storage: 5Gi
@@ -1,21 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: web-petting
-  namespace: argocd
-spec:
-  project: apps
-  destination:
-    namespace: web-petting
-    server: https://kubernetes.default.svc
-  source:
-    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
-    targetRevision: HEAD
-    path: k8s/apps/web-petting
-  syncPolicy:
-    automated:
-      selfHeal: true
-      prune: true
-    syncOptions:
-      - CreateNamespace=true
-
@@ -1,49 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: web-petting
-  labels:
-    app: web-petting
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: web-petting
-  template:
-    metadata:
-      labels:
-        app: web-petting
-    spec:
-      nodeSelector:
-        kubernetes.io/os: linux
-      volumes:
-        - name: data
-          persistentVolumeClaim:
-            claimName: web-petting-data
-      containers:
-      - name: web-petting
-        image: ultradesu/web-petting:0.1.0
-        imagePullPolicy: Always
-        args:
-#         - "tail"
-#         - "-F"
-#         - "/1"
-          - "web-petting"
-          - "-l"
-          - "0.0.0.0:3000"
-        ports:
-        - containerPort: 3000
-          name: http
-        volumeMounts:
-          - name: data
-            mountPath: /data
-        env:
-        - name: RUST_LOG
-          value: "info"
-        resources:
-          requests:
-            memory: "64Mi"
-            cpu: "50m"
-          limits:
-            memory: "128Mi"
-            cpu: "150m"
@@ -1,27 +0,0 @@
---
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: web-petting-tls-ingress
-  annotations:
-    ingressClassName: traefik
-    cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
-    acme.cert-manager.io/http01-edit-in-place: "true"
-spec:
-  rules:
-    - host: pet.hexor.cy
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: web-petting
-                port:
-                  number: 80
-  tls:
-    - secretName: web-petting-tls
-      hosts:
-        - pet.hexor.cy
-
@@ -1,10 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - app.yaml
-  - deployment.yaml
-  - service.yaml
-  - ingress.yaml
-  - storage.yaml
-
@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: web-petting
-  labels:
-    app: web-petting
-spec:
-  type: ClusterIP
-  selector:
-    app: web-petting
-  ports:
-  - port: 80
-    targetPort: 3000
-    protocol: TCP
-    name: http
@@ -1,12 +0,0 @@
---
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: web-petting-data
-spec:
-  accessModes:
-    - ReadWriteOnce
-  storageClassName: longhorn
-  resources:
-    requests:
-      storage: 10Gi
@@ -1,20 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: wedding
-  namespace: argocd
-spec:
-  project: apps
-  destination:
-    namespace: wedding
-    server: https://kubernetes.default.svc
-  source:
-    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
-    targetRevision: HEAD
-    path: k8s/apps/wedding
-  syncPolicy:
-    automated:
-      selfHeal: true
-      prune: true
-    syncOptions:
-      - CreateNamespace=true
@@ -1,69 +0,0 @@
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: wedding
-  labels:
-    app: wedding
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: wedding
-  template:
-    metadata:
-      labels:
-        app: wedding
-    spec:
-      nodeSelector:
-        kubernetes.io/hostname: spb.tail2fe2d.ts.net
-      initContainers:
-        - name: git-clone
-          image: alpine/git:latest
-          command:
-            - sh
-            - -c
-            - git clone --depth 1 https://gt.hexor.cy/ab/wedding.git /src
-          volumeMounts:
-            - name: source
-              mountPath: /src
-        - name: zola-build
-          image: ghcr.io/getzola/zola:v0.22.1
-          command:
-            - /bin/zola
-          args:
-            - --root
-            - /src
-            - build
-            - --base-url
-            - https://wedding.hexor.cy/
-            - --output-dir
-            - /public/html
-          volumeMounts:
-            - name: source
-              mountPath: /src
-            - name: public
-              mountPath: /public
-      containers:
-        - name: nginx
-          image: nginx:alpine
-          ports:
-            - containerPort: 80
-              protocol: TCP
-          volumeMounts:
-            - name: public
-              mountPath: /usr/share/nginx/html
-              subPath: html
-              readOnly: true
-          resources:
-            requests:
-              memory: 32Mi
-              cpu: 10m
-            limits:
-              memory: 64Mi
-              cpu: 100m
-      volumes:
-        - name: source
-          emptyDir: {}
-        - name: public
-          emptyDir: {}
@@ -1,26 +0,0 @@
---
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: wedding-tls-ingress
-  annotations:
-    ingressClassName: traefik
-    cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
-    acme.cert-manager.io/http01-edit-in-place: "true"
-spec:
-  rules:
-    - host: wedding.hexor.cy
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: wedding
-                port:
-                  number: 80
-  tls:
-    - secretName: wedding-tls
-      hosts:
-        - wedding.hexor.cy
@@ -1,10 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - app.yaml
-  - rbac.yaml
-  - deployment.yaml
-  - service.yaml
-  - ingress.yaml
-  - webhook.yaml
@@ -1,42 +0,0 @@
---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: wedding-deployer
-  namespace: wedding
-
---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: wedding-deployer-token
-  namespace: wedding
-  annotations:
-    kubernetes.io/service-account.name: wedding-deployer
-type: kubernetes.io/service-account-token
-
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: wedding-restart
-  namespace: wedding
-rules:
-  - apiGroups: ["apps"]
-    resources: ["deployments"]
-    verbs: ["get", "patch"]
-
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: wedding-deployer-restart
-  namespace: wedding
-subjects:
-  - kind: ServiceAccount
-    name: wedding-deployer
-    namespace: wedding
-roleRef:
-  kind: Role
-  name: wedding-restart
-  apiGroup: rbac.authorization.k8s.io
@@ -1,12 +0,0 @@
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: wedding
-spec:
-  selector:
-    app: wedding
-  ports:
-    - port: 80
-      targetPort: 80
-      protocol: TCP
@@ -1,71 +0,0 @@
---
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: webhook-script
-data:
-  serve.sh: |
-    #!/bin/sh
-    echo "Webhook server listening on :8080"
-    while true; do
-      echo -e "HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok" \
-        | nc -l -p 8080 > /dev/null
-      echo "Received webhook, restarting deployment..."
-      kubectl rollout restart deployment/wedding
-    done
-
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: wedding-webhook
-  labels:
-    app: wedding-webhook
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: wedding-webhook
-  template:
-    metadata:
-      labels:
-        app: wedding-webhook
-    spec:
-      nodeSelector:
-        kubernetes.io/hostname: spb.tail2fe2d.ts.net
-      serviceAccountName: wedding-deployer
-      containers:
-        - name: webhook
-          image: alpine/k8s:1.32.3
-          command: ["sh", "/scripts/serve.sh"]
-          ports:
-            - containerPort: 8080
-              protocol: TCP
-          volumeMounts:
-            - name: script
-              mountPath: /scripts
-              readOnly: true
-          resources:
-            requests:
-              memory: 16Mi
-              cpu: 5m
-            limits:
-              memory: 32Mi
-              cpu: 50m
-      volumes:
-        - name: script
-          configMap:
-            name: webhook-script
-
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: wedding-webhook
-spec:
-  selector:
-    app: wedding-webhook
-  ports:
-    - port: 8080
-      targetPort: 8080
-      protocol: TCP
@@ -34,9 +34,6 @@ spec:
          name: vaultwarden-login
          kind: ClusterSecretStore
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        metadataPolicy: None
        key: 279c2c1f-c147-4b6b-a511-36c3cd764f9d
        property: login.password
    - secretKey: username
@@ -45,9 +42,6 @@ spec:
          name: vaultwarden-login
          kind: ClusterSecretStore
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        metadataPolicy: None
        key: 279c2c1f-c147-4b6b-a511-36c3cd764f9d
        property: login.username
    - secretKey: secret_key
@@ -56,9 +50,6 @@ spec:
          name: vaultwarden-login
          kind: ClusterSecretStore
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        metadataPolicy: None
        key: 279c2c1f-c147-4b6b-a511-36c3cd764f9d
        property: fields[0].value

@@ -5,13 +5,12 @@ resources:
  - app.yaml
  - external-secrets.yaml
  - https-middleware.yaml
-  - outpost-selector-fix.yaml
 # - worker-restart.yaml

 helmCharts:
  - name: authentik
    repo: https://charts.goauthentik.io
-    version: 2026.2.2
+    version: 2026.2.1
    releaseName: authentik
    namespace: authentik
    valuesFile: values.yaml
@@ -1,81 +0,0 @@
-## Workaround for authentik bug: embedded outpost controller creates
-## a Service with selectors that don't match the pod labels it sets.
-## Remove this after upgrading to a version with the fix.
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: outpost-selector-fix
-  namespace: authentik
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: outpost-selector-fix
-  namespace: authentik
-rules:
-  - apiGroups: [""]
-    resources: ["services"]
-    verbs: ["get", "patch"]
-  - apiGroups: [""]
-    resources: ["endpoints"]
-    verbs: ["get"]
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: outpost-selector-fix
-  namespace: authentik
-subjects:
-  - kind: ServiceAccount
-    name: outpost-selector-fix
-    namespace: authentik
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: outpost-selector-fix
---
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-  name: outpost-selector-fix
-  namespace: authentik
-spec:
-  schedule: "* * * * *"
-  successfulJobsHistoryLimit: 1
-  failedJobsHistoryLimit: 3
-  concurrencyPolicy: Replace
-  jobTemplate:
-    spec:
-      ttlSecondsAfterFinished: 300
-      template:
-        spec:
-          serviceAccountName: outpost-selector-fix
-          restartPolicy: OnFailure
-          containers:
-            - name: fix
-              image: bitnami/kubectl:latest
-              command:
-                - /bin/sh
-                - -c
-                - |
-                  SVC="ak-outpost-authentik-embedded-outpost"
-                  # check if endpoints are populated
-                  ADDRS=$(kubectl get endpoints "$SVC" -n authentik -o jsonpath='{.subsets[*].addresses[*].ip}' 2>/dev/null)
-                  if [ -n "$ADDRS" ]; then
-                    echo "Endpoints OK ($ADDRS), nothing to fix"
-                    exit 0
-                  fi
-                  echo "No endpoints for $SVC, patching selector..."
-                  kubectl patch svc "$SVC" -n authentik --type=json -p '[
-                    {"op":"remove","path":"/spec/selector/app.kubernetes.io~1component"},
-                    {"op":"replace","path":"/spec/selector/app.kubernetes.io~1name","value":"authentik-outpost-proxy"}
-                  ]'
-                  echo "Patched. Verifying..."
-                  sleep 2
-                  ADDRS=$(kubectl get endpoints "$SVC" -n authentik -o jsonpath='{.subsets[*].addresses[*].ip}' 2>/dev/null)
-                  if [ -n "$ADDRS" ]; then
-                    echo "Fix confirmed, endpoints: $ADDRS"
-                  else
-                    echo "WARNING: still no endpoints after patch"
-                    exit 1
-                  fi
@@ -1,6 +1,6 @@
 global:
  image:
-    tag: "2026.2.2"
+    tag: "2026.2.1"

 authentik:
    error_reporting:
@@ -54,6 +54,19 @@ server:
        traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
      hosts:
        - idm.hexor.cy
+        - nas.hexor.cy       # TrueNAS Limassol
+        - nc.hexor.cy        # NaxtCloud
+        - of.hexor.cy        # Outfleet-v2
+        - k8s.hexor.cy       # k8s dashboard
+        - qbt.hexor.cy       # qBittorent for Jellyfin
+        - prom.hexor.cy      # Prometheus
+        - khm.hexor.cy       # Known Hosts keys Manager
+        - backup.hexor.cy    # Kopia Backup UI
+        - fm.hexor.cy        # Filemanager
+        - minecraft.hexor.cy # Minecraft UI and server
+        - pass.hexor.cy      # k8s-secret for openai
+        - ps.hexor.cy        # pasarguard UI
+#       - rw.hexor.cy        # RemnaWave UI
      tls:
        - secretName: idm-tls
          hosts:
@@ -18,9 +18,11 @@ spec:
              key: apiKey
        selector:
          dnsZones:
+            - "*.hexor.cy"
            - "*.hexor.ru"
            - "*.btwiusearch.net"
            - "hexor.ru"
+            - "hexor.cy"
            - "btwiusearch.net"
      - dns01:
          route53:
@@ -33,6 +35,6 @@ spec:
              key: secretKey
        selector:
          dnsZones:
-            - "*.hexor.cy"
-            - "hexor.cy"
+            - "ps.hexor.cy"
+            - "of.hexor.cy"

@@ -10,7 +10,7 @@ resources:
 helmCharts:
  - name: cert-manager
    repo: https://charts.jetstack.io
-    version: 1.20.0
+    version: 1.19.1
    releaseName: cert-manager
    namespace: cert-manager
    valuesFile: values.yaml
@@ -1,21 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: kanidm
-  namespace: argocd
-spec:
-  project: core
-  destination:
-    namespace: kanidm
-    server: https://kubernetes.default.svc
-  source:
-    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
-    targetRevision: HEAD
-    path: k8s/core/kanidm
-  syncPolicy:
-    automated:
-      selfHeal: true
-      prune: true
-    syncOptions:
-      - CreateNamespace=true
-      - ServerSideApply=true
@@ -1,12 +0,0 @@
---
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: kanidm-tls
-spec:
-  secretName: kanidm-tls
-  issuerRef:
-    name: letsencrypt
-    kind: ClusterIssuer
-  dnsNames:
-    - auth.hexor.cy
@@ -1,19 +0,0 @@
---
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: kanidm-config
-data:
-  server.toml: |
-    bindaddress = "[::]:443"
-    db_path = "/data/kanidm.db"
-    tls_chain = "/certs/tls.crt"
-    tls_key = "/certs/tls.key"
-    domain = "auth.hexor.cy"
-    origin = "https://auth.hexor.cy"
-    log_level = "info"
-
-    [online_backup]
-    path = "/data/backups/"
-    schedule = "00 22 * * *"
-    versions = 7
@@ -1,20 +0,0 @@
---
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: kanidm
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`auth.hexor.cy`)
-      kind: Rule
-      services:
-        - name: kanidm
-          port: 443
-          scheme: https
-          serversTransport: kanidm-transport
-  tls:
-    secretName: kanidm-ingress-tls
@@ -1,11 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - app.yaml
-  - configmap.yaml
-  - certificate.yaml
-  - statefulset.yaml
-  - service.yaml
-  - ingress.yaml
-  - servers-transport.yaml
@@ -1,7 +0,0 @@
---
-apiVersion: traefik.io/v1alpha1
-kind: ServersTransport
-metadata:
-  name: kanidm-transport
-spec:
-  insecureSkipVerify: true
@@ -1,15 +0,0 @@
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: kanidm
-  labels:
-    app: kanidm
-spec:
-  ports:
-    - name: https
-      port: 443
-      targetPort: 443
-      protocol: TCP
-  selector:
-    app: kanidm
@@ -1,86 +0,0 @@
---
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: kanidm
-  labels:
-    app: kanidm
-spec:
-  serviceName: kanidm
-  replicas: 1
-  selector:
-    matchLabels:
-      app: kanidm
-  template:
-    metadata:
-      labels:
-        app: kanidm
-    spec:
-      securityContext:
-        runAsUser: 1000
-        runAsGroup: 1000
-        fsGroup: 1000
-      containers:
-        - name: kanidm
-          image: kanidm/server:1.9.3
-          ports:
-            - containerPort: 443
-              name: https
-              protocol: TCP
-          volumeMounts:
-            - name: kanidm-data
-              mountPath: /data
-            - name: kanidm-config
-              mountPath: /data/server.toml
-              subPath: server.toml
-              readOnly: true
-            - name: kanidm-tls
-              mountPath: /certs
-              readOnly: true
-          resources:
-            requests:
-              memory: "128Mi"
-              cpu: "100m"
-            limits:
-              memory: "512Mi"
-              cpu: "500m"
-          readinessProbe:
-            httpGet:
-              path: /status
-              port: 443
-              scheme: HTTPS
-            initialDelaySeconds: 5
-            periodSeconds: 10
-          livenessProbe:
-            httpGet:
-              path: /status
-              port: 443
-              scheme: HTTPS
-            initialDelaySeconds: 15
-            periodSeconds: 30
-          securityContext:
-            allowPrivilegeEscalation: false
-            readOnlyRootFilesystem: false
-            runAsUser: 1000
-            runAsGroup: 1000
-      volumes:
-        - name: kanidm-config
-          configMap:
-            name: kanidm-config
-        - name: kanidm-tls
-          secret:
-            secretName: kanidm-tls
-      nodeSelector:
-        kubernetes.io/hostname: master.tail2fe2d.ts.net
-      tolerations:
-        - key: node-role.kubernetes.io/master
-          effect: NoSchedule
-  volumeClaimTemplates:
-    - metadata:
-        name: kanidm-data
-      spec:
-        accessModes: ["ReadWriteOnce"]
-        storageClassName: longhorn
-        resources:
-          requests:
-            storage: 1Gi
@@ -1,21 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: keycloak
-  namespace: argocd
-spec:
-  project: core
-  destination:
-    namespace: keycloak
-    server: https://kubernetes.default.svc
-  source:
-    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
-    targetRevision: HEAD
-    path: k8s/core/keycloak
-  syncPolicy:
-    automated:
-      selfHeal: true
-      prune: true
-    syncOptions:
-      - CreateNamespace=true
-      - ServerSideApply=true
@@ -1,41 +0,0 @@
---
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: keycloak-creds
-spec:
-  target:
-    name: keycloak-creds
-    deletionPolicy: Delete
-    template:
-      type: Opaque
-      data:
-        KC_DB_USERNAME: keycloak
-        KC_DB_PASSWORD: |-
-          {{ .db_password }}
-        KC_BOOTSTRAP_ADMIN_USERNAME: admin
-        KC_BOOTSTRAP_ADMIN_PASSWORD: |-
-          {{ .admin_password }}
-  data:
-    - secretKey: db_password
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        metadataPolicy: None
-        key: 2a9deb39-ef22-433e-a1be-df1555625e22
-        property: fields[18].value
-    - secretKey: admin_password
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        metadataPolicy: None
-        key: 9422b636-a91d-40e4-bf98-925b2a3f831d
-        property: login.password
@@ -1,14 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - app.yaml
-  - external-secrets.yaml
-
-helmCharts:
-  - name: keycloakx
-    repo: https://codecentric.github.io/helm-charts
-    version: 7.1.11
-    releaseName: keycloak
-    namespace: keycloak
-    valuesFile: values.yaml
@@ -1,67 +0,0 @@
-replicas: 1
-
-image:
-  repository: quay.io/keycloak/keycloak
-  tag: "26.5.6"
-
-command:
-  - "/opt/keycloak/bin/kc.sh"
-  - "start"
-  - "--http-port=8080"
-  - "--hostname-strict=false"
-  - "--proxy-headers=xforwarded"
-
-extraEnvFrom: |
-  - secretRef:
-      name: keycloak-creds
-
-extraEnv: |
-  - name: KC_HOSTNAME
-    value: auth.hexor.cy
-  - name: JAVA_OPTS_APPEND
-    value: "-Djgroups.dns.query=keycloak-headless.keycloak.svc"
-
-dbchecker:
-  enabled: true
-
-database:
-  vendor: postgres
-  hostname: psql.psql.svc
-  port: 5432
-  database: keycloak
-  existingSecret: keycloak-creds
-  existingSecretKey: KC_DB_PASSWORD
-
-service:
-  type: ClusterIP
-
-ingress:
-  enabled: true
-  ingressClassName: traefik
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
-  rules:
-    - host: auth.hexor.cy
-      paths:
-        - path: /
-          pathType: Prefix
-  tls:
-    - secretName: keycloak-tls
-      hosts:
-        - auth.hexor.cy
-
-resources:
-  requests:
-    cpu: 200m
-    memory: 512Mi
-  limits:
-    cpu: "1"
-    memory: 1Gi
-
-nodeSelector:
-  kubernetes.io/hostname: master.tail2fe2d.ts.net
-
-tolerations:
-  - key: node-role.kubernetes.io/master
-    effect: NoSchedule
@@ -1,21 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: oauth2-proxy
-  namespace: argocd
-spec:
-  project: core
-  destination:
-    namespace: oauth2-proxy
-    server: https://kubernetes.default.svc
-  source:
-    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
-    targetRevision: HEAD
-    path: k8s/core/oauth2-proxy
-  syncPolicy:
-    automated:
-      selfHeal: true
-      prune: true
-    syncOptions:
-      - CreateNamespace=true
-      - ServerSideApply=true
@@ -1,40 +0,0 @@
---
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: oauth2-proxy-creds
-spec:
-  target:
-    name: oauth2-proxy-creds
-    deletionPolicy: Delete
-    template:
-      type: Opaque
-      data:
-        client-id: oauth2-proxy
-        client-secret: |-
-          {{ .client_secret }}
-        cookie-secret: |-
-          {{ .cookie_secret }}
-  data:
-    - secretKey: client_secret
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        metadataPolicy: None
-        key: e62e8c4d-d538-43b2-a682-9cdf2a5a1165
-        property: login.password
-    - secretKey: cookie_secret
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        metadataPolicy: None
-        key: e62e8c4d-d538-43b2-a682-9cdf2a5a1165
-        property: fields[0].value
@@ -1,15 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - app.yaml
-  - external-secrets.yaml
-  - middleware.yaml
-
-helmCharts:
-  - name: oauth2-proxy
-    repo: https://oauth2-proxy.github.io/manifests
-    version: 10.4.3
-    releaseName: oauth2-proxy
-    namespace: oauth2-proxy
-    valuesFile: values.yaml
@@ -1,14 +0,0 @@
---
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: keycloak-auth
-spec:
-  forwardAuth:
-    address: http://oauth2-proxy.oauth2-proxy.svc:80/oauth2/auth
-    trustForwardHeader: true
-    authResponseHeaders:
-      - X-Auth-Request-User
-      - X-Auth-Request-Email
-      - X-Auth-Request-Groups
-      - Authorization
@@ -1,51 +0,0 @@
-replicaCount: 1
-
-config:
-  existingSecret: oauth2-proxy-creds
-  configFile: |-
-    provider = "keycloak-oidc"
-    provider_display_name = "Keycloak"
-    oidc_issuer_url = "https://auth.hexor.cy/auth/realms/hexor"
-    redirect_url = "https://oauth.hexor.cy/oauth2/callback"
-    email_domains = ["*"]
-    cookie_domains = [".hexor.cy"]
-    whitelist_domains = [".hexor.cy"]
-    cookie_secure = true
-    cookie_samesite = "lax"
-    upstreams = ["static://200"]
-    reverse_proxy = true
-    set_xauthrequest = true
-    set_authorization_header = true
-    pass_access_token = true
-    pass_authorization_header = true
-    skip_provider_button = true
-    code_challenge_method = "S256"
-    scope = "openid profile email"
-
-ingress:
-  enabled: true
-  className: traefik
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
-  hosts:
-    - oauth.hexor.cy
-  tls:
-    - secretName: oauth2-proxy-tls
-      hosts:
-        - oauth.hexor.cy
-
-resources:
-  requests:
-    cpu: 50m
-    memory: 64Mi
-  limits:
-    cpu: 200m
-    memory: 128Mi
-
-nodeSelector:
-  kubernetes.io/hostname: master.tail2fe2d.ts.net
-
-tolerations:
-  - key: node-role.kubernetes.io/master
-    effect: NoSchedule
@@ -127,16 +127,6 @@ spec:
          {{ .mmdl }}
        USER_n8n: |-
          {{ .n8n }}
-        USER_synapse: |-
-          {{ .synapse }}
-        USER_mas: |-
-          {{ .mas }}
-        USER_furumi: |-
-          {{ .furumi }}
-        USER_furumi_dev: |-
-          {{ .furumi_dev }}
-        USER_keycloak: |-
-          {{ .keycloak }}
  data:
    - secretKey: authentik
      sourceRef:
@@ -281,58 +271,4 @@ spec:
        metadataPolicy: None
        key: 2a9deb39-ef22-433e-a1be-df1555625e22
        property: fields[13].value
-    - secretKey: synapse
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        metadataPolicy: None
-        key: 2a9deb39-ef22-433e-a1be-df1555625e22
-        property: fields[14].value
-    - secretKey: mas
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        metadataPolicy: None
-        key: 2a9deb39-ef22-433e-a1be-df1555625e22
-        property: fields[15].value
-    - secretKey: furumi
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        metadataPolicy: None
-        key: 2a9deb39-ef22-433e-a1be-df1555625e22
-        property: fields[16].value
-    - secretKey: furumi_dev
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        metadataPolicy: None
-        key: 2a9deb39-ef22-433e-a1be-df1555625e22
-        property: fields[17].value
-    - secretKey: keycloak
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        metadataPolicy: None
-        key: 2a9deb39-ef22-433e-a1be-df1555625e22
-        property: fields[18].value
+
@@ -449,7 +449,7 @@
            "type": "prometheus",
            "uid": "${datasource}"
          },
-          "expr": "sum(process_resident_memory_bytes) / 1024 / 1024",
+          "expr": "process_resident_memory_bytes / 1024 / 1024",
          "legendFormat": "Resident Memory",
          "refId": "A"
        },
@@ -458,7 +458,7 @@
            "type": "prometheus",
            "uid": "${datasource}"
          },
-          "expr": "sum(process_virtual_memory_bytes) / 1024 / 1024",
+          "expr": "process_virtual_memory_bytes / 1024 / 1024",
          "legendFormat": "Virtual Memory",
          "refId": "B"
        }
@@ -7,12 +7,11 @@ resources:
  - grafana-alerting-configmap.yaml
  - alertmanager-config.yaml
  - furumi-dashboard-cm.yaml
-  - telemt-dashboard-cm.yaml

 helmCharts:
  - name: kube-prometheus-stack
    repo: https://prometheus-community.github.io/helm-charts
-    version: 82.10.3
+    version: 79.7.1
    releaseName: prometheus
    namespace: prometheus
    valuesFile: prom-values.yaml
@@ -20,12 +20,8 @@ loki:
    filesystem:
      chunks_directory: /var/loki/chunks
      rules_directory: /var/loki/rules
-  compactor:
-    retention_enabled: true
-    delete_request_store: filesystem
  limits_config:
    reject_old_samples: false
-    retention_period: 1440h
    ingestion_rate_mb: 16
    ingestion_burst_size_mb: 32
    max_query_parallelism: 32
@@ -78,7 +78,7 @@ prometheus:
          - targets: ['prom-a2s-exporter.counter-strike.svc:9841']
            labels: {instance: master}

-    retention: "380d"
+    retention: "99999d"
    retentionSize: "0"
    nodeSelector:
      kubernetes.io/hostname: master.tail2fe2d.ts.net
@@ -1,409 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: telemt-dashboard
-  labels:
-    grafana_dashboard: "1"
-data:
-  telemt.json: |-
-    {
-      "annotations": { "list": [] },
-      "editable": true,
-      "fiscalYearStartMonth": 0,
-      "graphTooltip": 1,
-      "id": null,
-      "links": [],
-      "liveNow": false,
-      "panels": [
-        {
-          "title": "Nodes Overview",
-          "type": "table",
-          "gridPos": { "h": 8, "w": 24, "x": 0, "y": 0 },
-          "id": 1,
-          "fieldConfig": {
-            "defaults": {
-              "custom": {
-                "align": "auto",
-                "cellOptions": { "type": "auto" },
-                "inspect": false
-              },
-              "thresholds": {
-                "mode": "absolute",
-                "steps": [
-                  { "color": "green", "value": null }
-                ]
-              }
-            },
-            "overrides": [
-              {
-                "matcher": { "id": "byName", "options": "Uptime" },
-                "properties": [
-                  { "id": "unit", "value": "dtdurations" },
-                  { "id": "custom.width", "value": 140 }
-                ]
-              },
-              {
-                "matcher": { "id": "byName", "options": "Bad Conn" },
-                "properties": [
-                  { "id": "thresholds", "value": { "mode": "absolute", "steps": [{ "color": "green", "value": null }, { "color": "yellow", "value": 10 }, { "color": "red", "value": 100 }] } },
-                  { "id": "custom.cellOptions", "value": { "type": "color-background", "mode": "basic" } }
-                ]
-              },
-              {
-                "matcher": { "id": "byName", "options": "Writers" },
-                "properties": [
-                  { "id": "thresholds", "value": { "mode": "absolute", "steps": [{ "color": "red", "value": null }, { "color": "green", "value": 1 }] } },
-                  { "id": "custom.cellOptions", "value": { "type": "color-background", "mode": "basic" } }
-                ]
-              }
-            ]
-          },
-          "options": {
-            "showHeader": true,
-            "sortBy": [{ "displayName": "Node", "desc": false }],
-            "frameIndex": 0,
-            "footer": { "show": false }
-          },
-          "transformations": [
-            {
-              "id": "joinByField",
-              "options": { "byField": "node", "mode": "outer" }
-            },
-            {
-              "id": "filterFieldsByName",
-              "options": {
-                "include": { "pattern": "^(node|Value.*)$" }
-              }
-            },
-            {
-              "id": "organize",
-              "options": {
-                "renameByName": {
-                  "node": "Node",
-                  "Value #uptime": "Uptime",
-                  "Value #writers": "Writers",
-                  "Value #buffers": "Buffers In Use",
-                  "Value #connections": "Connections",
-                  "Value #bad": "Bad Conn",
-                  "Value #hs_timeout": "HS Timeouts"
-                }
-              }
-            }
-          ],
-          "targets": [
-            {
-              "expr": "telemt_uptime_seconds{node=~\"$node\"}",
-              "legendFormat": "",
-              "refId": "uptime",
-              "format": "table",
-              "instant": true
-            },
-            {
-              "expr": "telemt_me_writers_active_current{node=~\"$node\"}",
-              "legendFormat": "",
-              "refId": "writers",
-              "format": "table",
-              "instant": true
-            },
-            {
-              "expr": "telemt_buffer_pool_buffers_total{node=~\"$node\", kind=\"in_use\"}",
-              "legendFormat": "",
-              "refId": "buffers",
-              "format": "table",
-              "instant": true
-            },
-            {
-              "expr": "telemt_connections_total{node=~\"$node\"}",
-              "legendFormat": "",
-              "refId": "connections",
-              "format": "table",
-              "instant": true
-            },
-            {
-              "expr": "telemt_connections_bad_total{node=~\"$node\"}",
-              "legendFormat": "",
-              "refId": "bad",
-              "format": "table",
-              "instant": true
-            },
-            {
-              "expr": "telemt_handshake_timeouts_total{node=~\"$node\"}",
-              "legendFormat": "",
-              "refId": "hs_timeout",
-              "format": "table",
-              "instant": true
-            }
-          ],
-          "datasource": { "type": "prometheus", "uid": "${datasource}" }
-        },
-        {
-          "title": "Connections Rate",
-          "type": "timeseries",
-          "gridPos": { "h": 8, "w": 12, "x": 0, "y": 8 },
-          "id": 10,
-          "fieldConfig": {
-            "defaults": {
-              "custom": { "drawStyle": "line", "lineInterpolation": "smooth", "fillOpacity": 15, "pointSize": 5, "showPoints": "auto" },
-              "unit": "cps",
-              "thresholds": { "mode": "absolute", "steps": [{ "color": "green", "value": null }] }
-            },
-            "overrides": []
-          },
-          "options": {
-            "tooltip": { "mode": "multi", "sort": "desc" },
-            "legend": { "displayMode": "list", "placement": "bottom" }
-          },
-          "targets": [
-            { "expr": "rate(telemt_connections_total{node=~\"$node\"}[5m])", "legendFormat": "{{node}} accepted", "refId": "A" },
-            { "expr": "rate(telemt_connections_bad_total{node=~\"$node\"}[5m])", "legendFormat": "{{node}} bad", "refId": "B" },
-            { "expr": "rate(telemt_handshake_timeouts_total{node=~\"$node\"}[5m])", "legendFormat": "{{node}} hs timeout", "refId": "C" }
-          ],
-          "datasource": { "type": "prometheus", "uid": "${datasource}" }
-        },
-        {
-          "title": "Upstream Connect",
-          "type": "timeseries",
-          "gridPos": { "h": 8, "w": 12, "x": 12, "y": 8 },
-          "id": 11,
-          "fieldConfig": {
-            "defaults": {
-              "custom": { "drawStyle": "line", "lineInterpolation": "smooth", "fillOpacity": 15, "pointSize": 5, "showPoints": "auto" },
-              "unit": "cps",
-              "thresholds": { "mode": "absolute", "steps": [{ "color": "green", "value": null }] }
-            },
-            "overrides": []
-          },
-          "options": {
-            "tooltip": { "mode": "multi", "sort": "desc" },
-            "legend": { "displayMode": "list", "placement": "bottom" }
-          },
-          "targets": [
-            { "expr": "rate(telemt_upstream_connect_success_total{node=~\"$node\"}[5m])", "legendFormat": "{{node}} success", "refId": "A" },
-            { "expr": "rate(telemt_upstream_connect_fail_total{node=~\"$node\"}[5m])", "legendFormat": "{{node}} fail", "refId": "B" }
-          ],
-          "datasource": { "type": "prometheus", "uid": "${datasource}" }
-        },
-        {
-          "title": "Upstream Connect Duration (success)",
-          "type": "timeseries",
-          "gridPos": { "h": 8, "w": 12, "x": 0, "y": 16 },
-          "id": 12,
-          "fieldConfig": {
-            "defaults": {
-              "custom": { "drawStyle": "bars", "fillOpacity": 50, "stacking": { "mode": "normal" } },
-              "unit": "short",
-              "thresholds": { "mode": "absolute", "steps": [{ "color": "green", "value": null }] }
-            },
-            "overrides": []
-          },
-          "options": {
-            "tooltip": { "mode": "multi", "sort": "desc" },
-            "legend": { "displayMode": "list", "placement": "bottom" }
-          },
-          "targets": [
-            { "expr": "increase(telemt_upstream_connect_duration_success_total{node=~\"$node\"}[5m])", "legendFormat": "{{node}} {{bucket}}", "refId": "A" }
-          ],
-          "datasource": { "type": "prometheus", "uid": "${datasource}" }
-        },
-        {
-          "title": "ME Writers & Pool",
-          "type": "timeseries",
-          "gridPos": { "h": 8, "w": 12, "x": 12, "y": 16 },
-          "id": 13,
-          "fieldConfig": {
-            "defaults": {
-              "custom": { "drawStyle": "line", "lineInterpolation": "smooth", "fillOpacity": 15, "pointSize": 5, "showPoints": "auto" },
-              "thresholds": { "mode": "absolute", "steps": [{ "color": "green", "value": null }] }
-            },
-            "overrides": []
-          },
-          "options": {
-            "tooltip": { "mode": "multi", "sort": "desc" },
-            "legend": { "displayMode": "list", "placement": "bottom" }
-          },
-          "targets": [
-            { "expr": "telemt_me_writers_active_current{node=~\"$node\"}", "legendFormat": "{{node}} active", "refId": "A" },
-            { "expr": "telemt_me_writers_warm_current{node=~\"$node\"}", "legendFormat": "{{node}} warm", "refId": "B" },
-            { "expr": "telemt_pool_drain_active{node=~\"$node\"}", "legendFormat": "{{node}} draining", "refId": "C" }
-          ],
-          "datasource": { "type": "prometheus", "uid": "${datasource}" }
-        },
-        {
-          "title": "Per-User Active Connections",
-          "type": "timeseries",
-          "gridPos": { "h": 8, "w": 12, "x": 0, "y": 24 },
-          "id": 20,
-          "fieldConfig": {
-            "defaults": {
-              "custom": { "drawStyle": "line", "lineInterpolation": "smooth", "fillOpacity": 15, "pointSize": 5, "showPoints": "auto" },
-              "thresholds": { "mode": "absolute", "steps": [{ "color": "green", "value": null }] }
-            },
-            "overrides": []
-          },
-          "options": {
-            "tooltip": { "mode": "multi", "sort": "desc" },
-            "legend": { "displayMode": "list", "placement": "bottom" }
-          },
-          "targets": [
-            { "expr": "telemt_user_connections_current{node=~\"$node\"}", "legendFormat": "{{node}} {{user}}", "refId": "A" }
-          ],
-          "datasource": { "type": "prometheus", "uid": "${datasource}" }
-        },
-        {
-          "title": "Per-User Traffic",
-          "type": "timeseries",
-          "gridPos": { "h": 8, "w": 12, "x": 12, "y": 24 },
-          "id": 21,
-          "fieldConfig": {
-            "defaults": {
-              "custom": { "drawStyle": "line", "lineInterpolation": "smooth", "fillOpacity": 15, "pointSize": 5, "showPoints": "auto" },
-              "unit": "Bps",
-              "thresholds": { "mode": "absolute", "steps": [{ "color": "green", "value": null }] }
-            },
-            "overrides": []
-          },
-          "options": {
-            "tooltip": { "mode": "multi", "sort": "desc" },
-            "legend": { "displayMode": "list", "placement": "bottom" }
-          },
-          "targets": [
-            { "expr": "rate(telemt_user_octets_from_client{node=~\"$node\"}[5m])", "legendFormat": "{{node}} {{user}} rx", "refId": "A" },
-            { "expr": "rate(telemt_user_octets_to_client{node=~\"$node\"}[5m])", "legendFormat": "{{node}} {{user}} tx", "refId": "B" }
-          ],
-          "datasource": { "type": "prometheus", "uid": "${datasource}" }
-        },
-        {
-          "title": "DC->Client Payload",
-          "type": "timeseries",
-          "gridPos": { "h": 8, "w": 12, "x": 0, "y": 32 },
-          "id": 30,
-          "fieldConfig": {
-            "defaults": {
-              "custom": { "drawStyle": "line", "lineInterpolation": "smooth", "fillOpacity": 15, "pointSize": 5, "showPoints": "auto" },
-              "unit": "Bps",
-              "thresholds": { "mode": "absolute", "steps": [{ "color": "green", "value": null }] }
-            },
-            "overrides": []
-          },
-          "options": {
-            "tooltip": { "mode": "multi", "sort": "desc" },
-            "legend": { "displayMode": "list", "placement": "bottom" }
-          },
-          "targets": [
-            { "expr": "rate(telemt_me_d2c_payload_bytes_total{node=~\"$node\"}[5m])", "legendFormat": "{{node}} payload", "refId": "A" }
-          ],
-          "datasource": { "type": "prometheus", "uid": "${datasource}" }
-        },
-        {
-          "title": "ME Errors & Anomalies",
-          "type": "timeseries",
-          "gridPos": { "h": 8, "w": 12, "x": 12, "y": 32 },
-          "id": 31,
-          "fieldConfig": {
-            "defaults": {
-              "custom": { "drawStyle": "line", "lineInterpolation": "smooth", "fillOpacity": 15, "pointSize": 5, "showPoints": "auto" },
-              "unit": "cps",
-              "thresholds": { "mode": "absolute", "steps": [{ "color": "green", "value": null }] }
-            },
-            "overrides": []
-          },
-          "options": {
-            "tooltip": { "mode": "multi", "sort": "desc" },
-            "legend": { "displayMode": "list", "placement": "bottom" }
-          },
-          "targets": [
-            { "expr": "rate(telemt_me_reconnect_attempts_total{node=~\"$node\"}[5m])", "legendFormat": "{{node}} reconnect", "refId": "A" },
-            { "expr": "rate(telemt_me_handshake_reject_total{node=~\"$node\"}[5m])", "legendFormat": "{{node}} hs reject", "refId": "B" },
-            { "expr": "rate(telemt_me_crc_mismatch_total{node=~\"$node\"}[5m])", "legendFormat": "{{node}} crc mismatch", "refId": "C" },
-            { "expr": "rate(telemt_desync_total{node=~\"$node\"}[5m])", "legendFormat": "{{node}} desync", "refId": "D" }
-          ],
-          "datasource": { "type": "prometheus", "uid": "${datasource}" }
-        },
-        {
-          "title": "Per-User Unique IPs",
-          "type": "timeseries",
-          "gridPos": { "h": 8, "w": 12, "x": 0, "y": 40 },
-          "id": 40,
-          "fieldConfig": {
-            "defaults": {
-              "custom": { "drawStyle": "line", "lineInterpolation": "smooth", "fillOpacity": 15, "pointSize": 5, "showPoints": "auto" },
-              "thresholds": { "mode": "absolute", "steps": [{ "color": "green", "value": null }] }
-            },
-            "overrides": []
-          },
-          "options": {
-            "tooltip": { "mode": "multi", "sort": "desc" },
-            "legend": { "displayMode": "list", "placement": "bottom" }
-          },
-          "targets": [
-            { "expr": "telemt_user_unique_ips_current{node=~\"$node\"}", "legendFormat": "{{node}} {{user}} active", "refId": "A" },
-            { "expr": "telemt_user_unique_ips_recent_window{node=~\"$node\"}", "legendFormat": "{{node}} {{user}} recent", "refId": "B" }
-          ],
-          "datasource": { "type": "prometheus", "uid": "${datasource}" }
-        },
-        {
-          "title": "Conntrack",
-          "type": "timeseries",
-          "gridPos": { "h": 8, "w": 12, "x": 12, "y": 40 },
-          "id": 41,
-          "fieldConfig": {
-            "defaults": {
-              "custom": { "drawStyle": "line", "lineInterpolation": "smooth", "fillOpacity": 15, "pointSize": 5, "showPoints": "auto" },
-              "unit": "cps",
-              "thresholds": { "mode": "absolute", "steps": [{ "color": "green", "value": null }] }
-            },
-            "overrides": []
-          },
-          "options": {
-            "tooltip": { "mode": "multi", "sort": "desc" },
-            "legend": { "displayMode": "list", "placement": "bottom" }
-          },
-          "targets": [
-            { "expr": "rate(telemt_conntrack_delete_total{node=~\"$node\", result=\"attempt\"}[5m])", "legendFormat": "{{node}} delete attempt", "refId": "A" },
-            { "expr": "rate(telemt_conntrack_delete_total{node=~\"$node\", result=\"error\"}[5m])", "legendFormat": "{{node}} delete error", "refId": "B" },
-            { "expr": "telemt_conntrack_event_queue_depth{node=~\"$node\"}", "legendFormat": "{{node}} queue depth", "refId": "C" }
-          ],
-          "datasource": { "type": "prometheus", "uid": "${datasource}" }
-        }
-      ],
-      "refresh": "30s",
-      "schemaVersion": 39,
-      "tags": ["telemt", "mtproxy", "telegram"],
-      "templating": {
-        "list": [
-          {
-            "current": {},
-            "hide": 0,
-            "includeAll": false,
-            "label": "Datasource",
-            "multi": false,
-            "name": "datasource",
-            "options": [],
-            "query": "prometheus",
-            "refresh": 1,
-            "regex": "",
-            "skipUrlSync": false,
-            "type": "datasource"
-          },
-          {
-            "current": {},
-            "datasource": { "type": "prometheus", "uid": "${datasource}" },
-            "definition": "label_values(telemt_uptime_seconds, node)",
-            "hide": 0,
-            "includeAll": true,
-            "label": "Node",
-            "multi": true,
-            "name": "node",
-            "query": "label_values(telemt_uptime_seconds, node)",
-            "refresh": 2,
-            "regex": "",
-            "skipUrlSync": false,
-            "sort": 1,
-            "type": "query"
-          }
-        ]
-      },
-      "time": { "from": "now-6h", "to": "now" },
-      "title": "Telemt MTProxy",
-      "uid": "telemt-mtproxy"
-    }
@@ -7,8 +7,6 @@ metadata:
 spec:
  concurrency: 1
  cordon: true
-  tolerations:
-  - operator: Exists
  nodeSelector:
    matchExpressions:
    - key: node-role.kubernetes.io/control-plane
@@ -18,7 +16,7 @@ spec:
  serviceAccountName: system-upgrade
  upgrade:
    image: rancher/k3s-upgrade
-  version: v1.35.4+k3s1
+  version: v1.34.3+k3s1
 ---
 # Agent plan
 apiVersion: upgrade.cattle.io/v1
@@ -29,8 +27,6 @@ metadata:
 spec:
  concurrency: 1
  cordon: true
-  tolerations:
-  - operator: Exists
  nodeSelector:
    matchExpressions:
    - key: node-role.kubernetes.io/control-plane
@@ -43,4 +39,5 @@ spec:
  serviceAccountName: system-upgrade
  upgrade:
    image: rancher/k3s-upgrade
-  version: v1.35.4+k3s1
+  version: v1.34.3+k3s1
+
@@ -35,7 +35,7 @@ spec:
      terminationGracePeriodSeconds: 10
      containers:
        - name: minecraft
-          image: 'eclipse-temurin:8-jdk-ubi10-minimal'
+          image: 'openjdk:8-jdk-alpine'
          command: ["java"]
          args:
            - -Xms4G
@@ -0,0 +1,23 @@
+{
+  "permissions": {
+    "allow": [
+      "WebSearch",
+      "WebFetch(domain:registry.terraform.io)",
+      "Bash(C:UsersabAppDataLocalMicrosoftWinGetPackagesHashicorp.Terraform_Microsoft.Winget.Source_8wekyb3d8bbweterraform.exe apply -auto-approve)",
+      "Bash(\"C:\\Users\\ab\\AppData\\Local\\Microsoft\\WinGet\\Packages\\Hashicorp.Terraform_Microsoft.Winget.Source_8wekyb3d8bbwe\\terraform.exe\" apply -auto-approve)",
+      "Bash(\"C:\\Users\\ab\\AppData\\Local\\Microsoft\\WinGet\\Packages\\Hashicorp.Terraform_Microsoft.Winget.Source_8wekyb3d8bbwe\\terraform.exe\" apply -auto-approve -lock=false)",
+      "Bash(\"C:\\Users\\ab\\AppData\\Local\\Microsoft\\WinGet\\Packages\\Hashicorp.Terraform_Microsoft.Winget.Source_8wekyb3d8bbwe\\terraform.exe\" plan -lock=false)",
+      "Bash(\"C:\\Users\\ab\\AppData\\Local\\Microsoft\\WinGet\\Packages\\Hashicorp.Terraform_Microsoft.Winget.Source_8wekyb3d8bbwe\\terraform.exe\" apply -replace=\"authentik_outpost.outposts[\"\"kubernetes-outpost\"\"]\" -auto-approve -lock=false)",
+      "Bash(terraform plan:*)",
+      "Bash(terraform state:*)",
+      "Bash(TF_VAR_authentik_token=ZDTbu4OKl0UcmdYKG5XgkRThZO7vWX2xz0w5vP2d8sudIr44ccwKOby6iRUa terraform plan:*)",
+      "Bash(TF_VAR_authentik_token=ZDTbu4OKl0UcmdYKG5XgkRThZO7vWX2xz0w5vP2d8sudIr44ccwKOby6iRUa terraform force-unlock:*)",
+      "Bash(git:*)",
+      "Bash(TF_VAR_authentik_token=ZDTbu4OKl0UcmdYKG5XgkRThZO7vWX2xz0w5vP2d8sudIr44ccwKOby6iRUa terraform state:*)",
+      "Bash(terraform version:*)",
+      "Bash(curl:*)"
+    ],
+    "deny": [],
+    "ask": []
+  }
+}
@@ -292,60 +292,7 @@ resource "authentik_outpost" "outposts" {
    authentik_host_browser         = ""
    object_naming_template         = "ak-outpost-%(name)s"
    authentik_host_insecure        = false
-    kubernetes_json_patches = {
-      deployment = [
-        {
-          op   = "add"
-          path = "/spec/template/spec/containers/0/env/-"
-          value = {
-            name  = "AUTHENTIK_POSTGRESQL__HOST"
-            value = "psql.psql.svc"
-          }
-        },
-        {
-          op   = "add"
-          path = "/spec/template/spec/containers/0/env/-"
-          value = {
-            name  = "AUTHENTIK_POSTGRESQL__PORT"
-            value = "5432"
-          }
-        },
-        {
-          op   = "add"
-          path = "/spec/template/spec/containers/0/env/-"
-          value = {
-            name  = "AUTHENTIK_POSTGRESQL__NAME"
-            value = "authentik"
-          }
-        },
-        {
-          op   = "add"
-          path = "/spec/template/spec/containers/0/env/-"
-          value = {
-            name = "AUTHENTIK_POSTGRESQL__USER"
-            valueFrom = {
-              secretKeyRef = {
-                name = "authentik-creds"
-                key  = "AUTHENTIK_POSTGRESQL__USER"
-              }
-            }
-          }
-        },
-        {
-          op   = "add"
-          path = "/spec/template/spec/containers/0/env/-"
-          value = {
-            name = "AUTHENTIK_POSTGRESQL__PASSWORD"
-            valueFrom = {
-              secretKeyRef = {
-                name = "authentik-creds"
-                key  = "AUTHENTIK_POSTGRESQL__PASSWORD"
-              }
-            }
-          }
-        }
-      ]
-    }
+    kubernetes_json_patches        = null
    kubernetes_service_type        = "ClusterIP"
    kubernetes_image_pull_secrets  = []
    kubernetes_ingress_class_name  = null
@@ -188,45 +188,5 @@ oauth_applications = {
    create_group               = true
    signing_key                = "1b1b5bec-034a-4d96-871a-133f11322360"
  }
-  "matrix" = {
-    name             = "Matrix Chat"
-    slug             = "matrix"
-    group            = "Tools"
-    meta_description = "Matrix Chat"
-    meta_icon        = "https://img.icons8.com/ios/100/40C057/matrix-logo.png"
-    redirect_uris = [
-      "https://auth.matrix.hexor.cy/upstream/callback/001KKV4EKY7KG98W2M9T806K6A",
-    ]
-    meta_launch_url            = "https://chat.matrix.hexor.cy"
-    client_type                = "confidential"
-    include_claims_in_id_token = true
-    access_code_validity       = "minutes=1"
-    access_token_validity      = "minutes=5"
-    refresh_token_validity     = "days=30"
-    scope_mappings             = ["openid", "profile", "email"]
-    access_groups              = []
-    create_group               = false
-    signing_key                = "1b1b5bec-034a-4d96-871a-133f11322360"
-  }
-  "furumi-ng-web" = {
-    name             = "Furumi Web Player"
-    slug             = "furumi-ng-web"
-    group            = "Tools"
-    meta_description = "Furumi Web Player"
-    meta_icon        = "https://img.icons8.com/pulsar-color/48/music.png"
-    redirect_uris = [
-      "https://music.hexor.cy/auth/callback",
-    ]
-    meta_launch_url            = "https://music.hexor.cy"
-    client_type                = "confidential"
-    include_claims_in_id_token = true
-    access_code_validity       = "minutes=1"
-    access_token_validity      = "minutes=5"
-    refresh_token_validity     = "days=30"
-    scope_mappings             = ["openid", "profile", "email"]
-    access_groups              = []
-    create_group               = true
-    signing_key                = "1b1b5bec-034a-4d96-871a-133f11322360"
-  }
 }

@@ -151,7 +151,7 @@ EOT
    meta_icon                    = "https://img.icons8.com/liquid-glass/48/key.png"
    mode                         = "proxy"
    outpost                      = "kubernetes-outpost"
-    access_groups                = ["admins", "khm"]
+    access_groups                = ["admins", "khm"] # Используем существующие группы
    create_group                 = true
    access_groups                = ["admins"]
  }
@@ -191,20 +191,5 @@ EOT
    create_group                 = true
    access_groups                = ["admins"]
  }
-  "ollama-public" = {
-    name                         = "Ollama Public"
-    slug                         = "ollama-public"
-    group                        = "AI"
-    external_host                = "https://ollama.hexor.cy"
-    internal_host                = "http://ollama.ollama.svc:11434"
-    internal_host_ssl_validation = false
-    meta_description             = ""
-    meta_icon                    = "https://img.icons8.com/external-icongeek26-outline-icongeek26/64/external-llama-animal-head-icongeek26-outline-icongeek26.png"
-    mode                         = "proxy"
-    outpost                      = "kubernetes-outpost"
-    intercept_header_auth        = true
-    create_group                 = true
-    access_groups                = ["admins"]
-  }
 }