Auto-update README with current k8s applications

Generated by CI/CD workflow on 2026-05-05 17:37:47

This PR updates the README.md file with the current list of applications found in the k8s/ directory structure.

README.md

@@ -13,10 +13,13 @@ ArgoCD homelab project
 | Application | Status |
 | :--- | :---: |
 | **argocd** | [![argocd](https://ag.hexor.cy/api/badge?name=argocd&revision=true)](https://ag.hexor.cy/applications/argocd/argocd) |
+| **auth-proxy** | [![auth-proxy](https://ag.hexor.cy/api/badge?name=auth-proxy&revision=true)](https://ag.hexor.cy/applications/argocd/auth-proxy) |
 | **authentik** | [![authentik](https://ag.hexor.cy/api/badge?name=authentik&revision=true)](https://ag.hexor.cy/applications/argocd/authentik) |
 | **cert-manager** | [![cert-manager](https://ag.hexor.cy/api/badge?name=cert-manager&revision=true)](https://ag.hexor.cy/applications/argocd/cert-manager) |
 | **external-secrets** | [![external-secrets](https://ag.hexor.cy/api/badge?name=external-secrets&revision=true)](https://ag.hexor.cy/applications/argocd/external-secrets) |
 | **gpu** | [![gpu](https://ag.hexor.cy/api/badge?name=gpu&revision=true)](https://ag.hexor.cy/applications/argocd/gpu) |
+| **kanidm** | [![kanidm](https://ag.hexor.cy/api/badge?name=kanidm&revision=true)](https://ag.hexor.cy/applications/argocd/kanidm) |
+| **keycloak** | [![keycloak](https://ag.hexor.cy/api/badge?name=keycloak&revision=true)](https://ag.hexor.cy/applications/argocd/keycloak) |
 | **kube-system-custom** | [![kube-system-custom](https://ag.hexor.cy/api/badge?name=kube-system-custom&revision=true)](https://ag.hexor.cy/applications/argocd/kube-system-custom) |
 | **kubernetes-dashboard** | [![kubernetes-dashboard](https://ag.hexor.cy/api/badge?name=kubernetes-dashboard&revision=true)](https://ag.hexor.cy/applications/argocd/kubernetes-dashboard) |
 | **longhorn** | [![longhorn](https://ag.hexor.cy/api/badge?name=longhorn&revision=true)](https://ag.hexor.cy/applications/argocd/longhorn) |
@@ -62,9 +65,12 @@ ArgoCD homelab project
 | **sonarr-stack** | [![sonarr-stack](https://ag.hexor.cy/api/badge?name=sonarr-stack&revision=true)](https://ag.hexor.cy/applications/argocd/sonarr-stack) |
 | **stirling-pdf** | [![stirling-pdf](https://ag.hexor.cy/api/badge?name=stirling-pdf&revision=true)](https://ag.hexor.cy/applications/argocd/stirling-pdf) |
 | **syncthing** | [![syncthing](https://ag.hexor.cy/api/badge?name=syncthing&revision=true)](https://ag.hexor.cy/applications/argocd/syncthing) |
+| **teamspeak** | [![teamspeak](https://ag.hexor.cy/api/badge?name=teamspeak&revision=true)](https://ag.hexor.cy/applications/argocd/teamspeak) |
 | **tg-bots** | [![tg-bots](https://ag.hexor.cy/api/badge?name=tg-bots&revision=true)](https://ag.hexor.cy/applications/argocd/tg-bots) |
 | **vaultwarden** | [![vaultwarden](https://ag.hexor.cy/api/badge?name=vaultwarden&revision=true)](https://ag.hexor.cy/applications/argocd/vaultwarden) |
 | **vpn** | [![vpn](https://ag.hexor.cy/api/badge?name=vpn&revision=true)](https://ag.hexor.cy/applications/argocd/vpn) |
+| **web-petting** | [![web-petting](https://ag.hexor.cy/api/badge?name=web-petting&revision=true)](https://ag.hexor.cy/applications/argocd/web-petting) |
+| **wedding** | [![wedding](https://ag.hexor.cy/api/badge?name=wedding&revision=true)](https://ag.hexor.cy/applications/argocd/wedding) |
 | **xandikos** | [![xandikos](https://ag.hexor.cy/api/badge?name=xandikos&revision=true)](https://ag.hexor.cy/applications/argocd/xandikos) |
 
 </td>

k8s/apps/gitea/deployment.yaml

@@ -70,7 +70,7 @@ kind: Deployment
 metadata:
   name: gitea-runner
 spec:
-  replicas: 1
+  replicas: 2
   selector:
     matchLabels:
       app: gitea-runner
@@ -79,11 +79,19 @@ spec:
       labels:
         app: gitea-runner
     spec:
+      dnsConfig:
+        options:
+          - name: ndots
+            value: "2"
       tolerations:
         - key: workload
           operator: Equal
           value: desktop
           effect: NoSchedule
+        - key: workload
+          operator: Equal
+          value: ai
+          effect: NoSchedule
       volumes:
         - name: docker-sock
           hostPath:
@@ -93,6 +101,12 @@ spec:
           emptyDir:
             sizeLimit: 30Gi
       affinity:
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            - labelSelector:
+                matchLabels:
+                  app: gitea-runner
+              topologyKey: kubernetes.io/hostname
         nodeAffinity:
           preferredDuringSchedulingIgnoredDuringExecution:
           - weight: 100
@@ -102,6 +116,7 @@ spec:
                 operator: In
                 values:
                 - uk-desktop.tail2fe2d.ts.net
+                - ai.tail2fe2d.ts.net
           - weight: 50
             preference:
               matchExpressions:
@@ -109,22 +124,7 @@ spec:
                 operator: In
                 values:
                 - home.homenet
-          - weight: 30
-            preference:
-              matchExpressions:
-              - key: kubernetes.io/hostname
-                operator: In
-                values:
-                - master.tail2fe2d.ts.net
-          - weight: 10
-            preference:
-              matchExpressions:
-              - key: kubernetes.io/hostname
-                operator: In
-                values:
                 - it.tail2fe2d.ts.net
-                - ch.tail2fe2d.ts.net
-                - us.tail2fe2d.ts.net
       containers:
         - name: gitea-runner
           image: gitea/act_runner:nightly
@@ -144,13 +144,18 @@ spec:
               mountPath: /data
           env:
             - name: GITEA_INSTANCE_URL
+              #value: "http://gitea.gitea.svc.cluster.local"
               value: "https://gt.hexor.cy"
             - name: GITEA_RUNNER_REGISTRATION_TOKEN
               valueFrom:
                 secretKeyRef:
                   name: gitea-runner-act-runner-secrets
                   key: token
+            - name: NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
             - name: GITEA_RUNNER_NAME
-              value: "k8s-runner"
+              value: "$(NODE_NAME)"
             - name: GITEA_RUNNER_LABELS
               value: "ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest,ubuntu-22.04:docker://ghcr.io/catthehacker/ubuntu:act-22.04,ubuntu-20.04:docker://ghcr.io/catthehacker/ubuntu:act-20.04"

k8s/apps/k8s-secrets/ingress.yaml

@@ -0,0 +1,46 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: auth-proxy
+spec:
+  forwardAuth:
+    address: http://auth-proxy.auth-proxy.svc:80/auth
+    trustForwardHeader: true
+    authResponseHeaders:
+      - X-Auth-Request-User
+      - X-Auth-Request-Email
+      - X-Auth-Request-Groups
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: secret-reader
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`pass.hexor.cy`)
+      kind: Rule
+      middlewares:
+        - name: auth-proxy
+      services:
+        - name: secret-reader
+          port: 80
+  tls:
+    secretName: secret-reader-tls
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: secret-reader-tls
+spec:
+  secretName: secret-reader-tls
+  issuerRef:
+    name: letsencrypt
+    kind: ClusterIssuer
+  dnsNames:
+    - pass.hexor.cy
+

k8s/apps/mtproxy/secret-reader-ingress.yaml

@@ -2,10 +2,10 @@
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
-  name: keycloak-auth
+  name: auth-proxy
 spec:
   forwardAuth:
-    address: http://oauth2-proxy.oauth2-proxy.svc:80
+    address: http://auth-proxy.auth-proxy.svc:80/auth
     trustForwardHeader: true
     authResponseHeaders:
       - X-Auth-Request-User
@@ -25,7 +25,7 @@ spec:
     - match: Host(`secret-reader.hexor.cy`)
       kind: Rule
       middlewares:
-        - name: keycloak-auth
+        - name: auth-proxy
       services:
         - name: secret-reader
           port: 80

k8s/core/argocd/values.yaml

@@ -25,7 +25,7 @@ configs:
     timeout.reconciliation: 60s
     oidc.config: |
       name: Authentik
-      issuer: https://idm.hexor.cy/application/o/argocd/
+      issuer: https://auth.hexor.cy/auth/realms/hexor
       clientID: $oidc-creds:id
       clientSecret: $oidc-creds:secret
       requestedScopes: ["openid", "profile", "email", "groups", "offline_access"]
@@ -35,20 +35,19 @@ configs:
     create: true
     policy.default: ""
     policy.csv: |
-      # Bound OIDC Group and internal role
-      g, Game Servers Managers, GameServersManagersRole
-      # Role permissions
-      p, GameServersManagersRole, applications, get, games/*, allow
-      p, GameServersManagersRole, applications, update, games/*, allow
-      p, GameServersManagersRole, applications, sync, games/*, allow
-      p, GameServersManagersRole, applications, override, games/*, allow
-      p, GameServersManagersRole, applications, action/*, games/*, allow
-      p, GameServersManagersRole, exec, create, games/*, allow
-      p, GameServersManagersRole, logs, get, games/*, allow
-      p, GameServersManagersRole, applications, delete, games/*, deny
-
-      # Admin policy
-      g, ArgoCD Admins, role:admin
+        g, game-servers-managers, GameServersManagersRole
+        # Role permissions
+        p, GameServersManagersRole, applications, get, games/*, allow
+        p, GameServersManagersRole, applications, update, games/*, allow
+        p, GameServersManagersRole, applications, sync, games/*, allow
+        p, GameServersManagersRole, applications, override, games/*, allow
+        p, GameServersManagersRole, applications, action/*, games/*, allow
+        p, GameServersManagersRole, exec, create, games/*, allow
+        p, GameServersManagersRole, logs, get, games/*, allow
+        p, GameServersManagersRole, applications, delete, games/*, deny
+    
+        # Admin policy
+        g, argocd-admins, role:admin
 
   secret:
     createSecret: true

k8s/core/auth-proxy/app.yaml

@@ -1,17 +1,17 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: oauth2-proxy
+  name: auth-proxy
   namespace: argocd
 spec:
   project: core
   destination:
-    namespace: oauth2-proxy
+    namespace: auth-proxy
     server: https://kubernetes.default.svc
   source:
     repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
     targetRevision: HEAD
-    path: k8s/core/oauth2-proxy
+    path: k8s/core/auth-proxy
   syncPolicy:
     automated:
       selfHeal: true

k8s/core/auth-proxy/deployment.yaml

@@ -0,0 +1,79 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: auth-proxy
+  labels:
+    app: auth-proxy
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: auth-proxy
+  template:
+    metadata:
+      labels:
+        app: auth-proxy
+    spec:
+      containers:
+        - name: auth-proxy
+          image: ultradesu/rsauth2-proxy:latest
+          ports:
+            - containerPort: 8080
+              name: http
+              protocol: TCP
+          envFrom:
+            - secretRef:
+                name: auth-proxy-creds
+          env:
+            - name: AUTH_PROXY_OIDC_ISSUER
+              value: "https://auth.hexor.cy/auth/realms/hexor"
+            - name: AUTH_PROXY_COOKIE_DOMAIN
+              value: ".hexor.cy"
+            - name: AUTH_PROXY_CALLBACK_URL
+              value: "https://oauth.hexor.cy/callback"
+            - name: AUTH_PROXY_ROUTES_FILE
+              value: "/config/routes.yaml"
+            - name: AUTH_PROXY_LOG_LEVEL
+              value: "debug"
+          volumeMounts:
+            - name: routes
+              mountPath: /config
+              readOnly: true
+          resources:
+            requests:
+              cpu: 50m
+              memory: 32Mi
+            limits:
+              cpu: 200m
+              memory: 64Mi
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: 8080
+            initialDelaySeconds: 3
+            periodSeconds: 10
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: 8080
+            initialDelaySeconds: 5
+            periodSeconds: 30
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 1000
+            runAsGroup: 1000
+            capabilities:
+              drop:
+                - ALL
+      volumes:
+        - name: routes
+          configMap:
+            name: auth-proxy-routes
+      nodeSelector:
+        kubernetes.io/hostname: master.tail2fe2d.ts.net
+      tolerations:
+        - key: node-role.kubernetes.io/master
+          effect: NoSchedule

k8s/core/auth-proxy/external-secrets.yaml

@@ -2,18 +2,18 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: oauth2-proxy-creds
+  name: auth-proxy-creds
 spec:
   target:
-    name: oauth2-proxy-creds
+    name: auth-proxy-creds
     deletionPolicy: Delete
     template:
       type: Opaque
       data:
-        client-id: oauth2-proxy
-        client-secret: |-
+        AUTH_PROXY_CLIENT_ID: rsauth2-proxy
+        AUTH_PROXY_CLIENT_SECRET: |-
           {{ .client_secret }}
-        cookie-secret: |-
+        AUTH_PROXY_COOKIE_SECRET: |-
           {{ .cookie_secret }}
   data:
     - secretKey: client_secret

k8s/core/auth-proxy/ingress.yaml

@@ -0,0 +1,28 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: auth-proxy
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`oauth.hexor.cy`)
+      kind: Rule
+      services:
+        - name: auth-proxy
+          port: 80
+  tls:
+    secretName: auth-proxy-tls
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: auth-proxy-tls
+spec:
+  secretName: auth-proxy-tls
+  issuerRef:
+    name: letsencrypt
+    kind: ClusterIssuer
+  dnsNames:
+    - oauth.hexor.cy

k8s/core/auth-proxy/kustomization.yaml

@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - app.yaml
+  - external-secrets.yaml
+  - deployment.yaml
+  - service.yaml
+  - ingress.yaml
+# routes.yaml ConfigMap is managed by Terraform (kubernetes_config_map)

k8s/core/auth-proxy/service.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: auth-proxy
+  labels:
+    app: auth-proxy
+spec:
+  ports:
+    - name: http
+      port: 80
+      targetPort: 8080
+      protocol: TCP
+  selector:
+    app: auth-proxy

k8s/core/oauth2-proxy/kustomization.yaml

@@ -1,14 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - app.yaml
-  - external-secrets.yaml
-
-helmCharts:
-  - name: oauth2-proxy
-    repo: https://oauth2-proxy.github.io/manifests
-    version: 10.4.3
-    releaseName: oauth2-proxy
-    namespace: oauth2-proxy
-    valuesFile: values.yaml

k8s/core/oauth2-proxy/middleware.yaml

@@ -1,3 +0,0 @@
-# Middleware is deployed per-namespace alongside each IngressRoute
-# because Traefik does not allow cross-namespace middleware references.
-# See k8s/apps/mtproxy/secret-reader-ingress.yaml for example.

k8s/core/oauth2-proxy/values.yaml

@@ -1,51 +0,0 @@
-replicaCount: 1
-
-config:
-  existingSecret: oauth2-proxy-creds
-  configFile: |-
-    provider = "keycloak-oidc"
-    provider_display_name = "Keycloak"
-    oidc_issuer_url = "https://auth.hexor.cy/auth/realms/hexor"
-    redirect_url = "https://oauth.hexor.cy/oauth2/callback"
-    email_domains = ["*"]
-    cookie_domains = [".hexor.cy"]
-    whitelist_domains = [".hexor.cy"]
-    cookie_secure = true
-    cookie_samesite = "lax"
-    upstreams = ["static://200"]
-    reverse_proxy = true
-    set_xauthrequest = true
-    set_authorization_header = true
-    pass_access_token = true
-    pass_authorization_header = true
-    skip_provider_button = true
-    code_challenge_method = "S256"
-    scope = "openid profile email"
-
-ingress:
-  enabled: true
-  className: traefik
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
-  hosts:
-    - oauth.hexor.cy
-  tls:
-    - secretName: oauth2-proxy-tls
-      hosts:
-        - oauth.hexor.cy
-
-resources:
-  requests:
-    cpu: 50m
-    memory: 64Mi
-  limits:
-    cpu: 200m
-    memory: 128Mi
-
-nodeSelector:
-  kubernetes.io/hostname: master.tail2fe2d.ts.net
-
-tolerations:
-  - key: node-role.kubernetes.io/master
-    effect: NoSchedule

terraform/keycloak/.terraform.lock.hcl

@@ -0,0 +1,47 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/kubernetes" {
+  version     = "3.1.0"
+  constraints = ">= 2.0.0"
+  hashes = [
+    "h1:G9QqKNpcztBRqrywtlNylFJSpGzDfRFtO8hcWLdkvRY=",
+    "zh:0215c5c60be62028c09a2f22458e89cda3ef5830a632299f1d401eb3538874b0",
+    "zh:09ebb9f442431e278a310a9423f32caf467cb4b3cad3fe59573ca71fa7b14e20",
+    "zh:0c4e5912f83bb35846ae0a9ae54fc320706ee61894cd21cc6b4181b1c5a2fa5c",
+    "zh:1678c982853ad461e65ccb5e79d585e13ed109dd47dab2a66d3a7a304faeef65",
+    "zh:1c050a5c15e330457a9c18caacf61a923c59d663e13f2962e4b32f04fef523a0",
+    "zh:2c55bcec83be58ec132c7cb0a1ac644758b800d794fdc636d53a0eada0358a3a",
+    "zh:a062bb0aa316c08d8460c66a5d68da71da40de5d3bc3b31abcf3a1a9a19650f1",
+    "zh:a26fdea0afaa9b247c73c0b42843ca51ba7db0ac2571f9d3d50dcabd20ca1b98",
+    "zh:c872c9385a78d502bf5823d61cd3bb0f9a0585030e025eb12585c83451beeaa1",
+    "zh:f180879af931182beee4c8c0d9dab62b81d86f17ddcbe3786ef4c7cec9163a4e",
+    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "zh:f70f5789264069e0eef06f9b5d5fde955ef7206f7d446d1ce51a4c37a3f3e02f",
+  ]
+}
+
+provider "registry.terraform.io/keycloak/keycloak" {
+  version     = "5.7.0"
+  constraints = ">= 5.0.0"
+  hashes = [
+    "h1:3DuKdVeOxwULh7l6bvJKWZvsgSZo92rtnrdvyp+X2Lc=",
+    "zh:19be4505b17e4818db121a82917cb6723019cf379cfb82b720eaa2886f15bede",
+    "zh:2bd1565ed22db6a9fb50d60626e22c277f3b034a71f65e6c0011e42f56cad2bb",
+    "zh:34a9e2dfb06331dc6146491c4a0721001195c6a769cdc2d4546edb2acf2b39bd",
+    "zh:3f86bf9eac6d73eeaa926471826b6888da77950f68e6a3a95dc2d9201a4a88fa",
+    "zh:4b9053fde2c8dee6469c8b273bf5491a27228a1df28e30b86714118f0f876baf",
+    "zh:522aa6bcecc6b8d517415237f4ec079488ef7de0e980a634bf6a8b481c13effc",
+    "zh:52f85208815ca65b8d3cd5465b28005ba63f854122bc61fbf04925c986d48e78",
+    "zh:636555042a6051d2e1113e5f945edb9f432e2d09b81cf6e50a59a534819d98dd",
+    "zh:73a1fecfb3d9666bf87c2eb7d001281b8cfcd7132573b8c3d4febc2db55f0a2f",
+    "zh:76fa26d055ceeb0869a50e4b63871f4b07f55045af6b46b83686016531e9fb22",
+    "zh:8df147e619d7ac3d3f9840ba0d1895d34bde179e818863e2e7b52e2c05c12f58",
+    "zh:9c830253990e13ec284d0d312fea562938e4a8fc664dacb3af5f1eb16dcae1ae",
+    "zh:abd0bd630b362cd6f77fbb33625bc6f515782eb58cb096b4ce69dea252254aef",
+    "zh:d1474a67ffc3288b2d0c99f6e8edc937ac8ef54afed0306e3c6f033aa836a5f6",
+    "zh:ed19408f15667bfb572120858bdde929a20ce2d1f29468973905980c03299767",
+    "zh:ef8bc311f7d1ad821b65ba43af92e2ce835e739d391098b13e01a61747b5c648",
+    "zh:f57319d9a7ac387d5070c909fd0084ccfc296f1f3193efde995ae24aa1729a39",
+  ]
+}

terraform/keycloak/main.tf

@@ -0,0 +1,172 @@
+# =============================================================================
+# Realm
+# =============================================================================
+
+resource "keycloak_realm" "hexor" {
+  realm   = "hexor"
+  enabled = true
+
+  display_name = "Hexor"
+
+  login_theme   = "keycloak"
+  account_theme = "keycloak.v3"
+
+  registration_allowed     = false
+  reset_password_allowed   = true
+  remember_me              = true
+  verify_email             = false
+  login_with_email_allowed = true
+  duplicate_emails_allowed = false
+
+  ssl_required = "external"
+}
+
+# =============================================================================
+# Google Identity Provider
+# =============================================================================
+
+resource "keycloak_oidc_google_identity_provider" "google" {
+  realm         = keycloak_realm.hexor.id
+  client_id     = var.google_client_id
+  client_secret = var.google_client_secret
+
+  trust_email = true
+  sync_mode   = "IMPORT"
+}
+
+# =============================================================================
+# Standalone groups
+# =============================================================================
+
+resource "keycloak_group" "standalone" {
+  for_each = toset(var.groups)
+
+  realm_id = keycloak_realm.hexor.id
+  name     = each.value
+}
+
+resource "keycloak_default_groups" "default" {
+  realm_id  = keycloak_realm.hexor.id
+  group_ids = [for g in keycloak_group.standalone : g.id if g.name == "users"]
+}
+
+# =============================================================================
+# rsauth2-proxy client (production)
+# =============================================================================
+
+resource "keycloak_openid_client" "rsauth2_proxy" {
+  realm_id  = keycloak_realm.hexor.id
+  client_id = "rsauth2-proxy"
+
+  name                         = "rsauth2-proxy"
+  enabled                      = true
+  access_type                  = "CONFIDENTIAL"
+  standard_flow_enabled        = true
+  direct_access_grants_enabled = false
+
+  valid_redirect_uris = [
+    "https://oauth.hexor.cy/callback",
+  ]
+
+  web_origins = [
+    "https://oauth.hexor.cy",
+  ]
+}
+
+resource "keycloak_openid_group_membership_protocol_mapper" "rsauth2_proxy_groups" {
+  realm_id   = keycloak_realm.hexor.id
+  client_id  = keycloak_openid_client.rsauth2_proxy.id
+  name       = "groups"
+  claim_name = "groups"
+  full_path  = false
+}
+
+resource "keycloak_openid_client_default_scopes" "rsauth2_proxy" {
+  realm_id  = keycloak_realm.hexor.id
+  client_id = keycloak_openid_client.rsauth2_proxy.id
+
+  default_scopes = [
+    "openid",
+    "profile",
+    "email",
+  ]
+}
+
+# =============================================================================
+# rsauth2-proxy client (localhost testing)
+# =============================================================================
+
+resource "keycloak_openid_client" "rsauth2_proxy_dev" {
+  realm_id  = keycloak_realm.hexor.id
+  client_id = "rsauth2-proxy-dev"
+
+  name                         = "rsauth2-proxy (dev)"
+  enabled                      = true
+  access_type                  = "CONFIDENTIAL"
+  standard_flow_enabled        = true
+  direct_access_grants_enabled = false
+
+  valid_redirect_uris = [
+    "http://localhost:8080/callback",
+  ]
+
+  web_origins = [
+    "http://localhost:8080",
+  ]
+}
+
+resource "keycloak_openid_group_membership_protocol_mapper" "rsauth2_proxy_dev_groups" {
+  realm_id   = keycloak_realm.hexor.id
+  client_id  = keycloak_openid_client.rsauth2_proxy_dev.id
+  name       = "groups"
+  claim_name = "groups"
+  full_path  = false
+}
+
+resource "keycloak_openid_client_default_scopes" "rsauth2_proxy_dev" {
+  realm_id  = keycloak_realm.hexor.id
+  client_id = keycloak_openid_client.rsauth2_proxy_dev.id
+
+  default_scopes = [
+    "openid",
+    "profile",
+    "email",
+  ]
+}
+
+# =============================================================================
+# Proxy applications — auto-created groups + routes ConfigMap
+# =============================================================================
+
+resource "keycloak_group" "app" {
+  for_each = var.proxy_applications
+
+  realm_id = keycloak_realm.hexor.id
+  name     = "app-${each.key}"
+}
+
+locals {
+  app_allowed_groups = {
+    for k, v in var.proxy_applications : k => concat(
+      ["app-${k}"],
+      v.allowed_groups
+    )
+  }
+}
+
+resource "kubernetes_config_map" "auth_proxy_routes" {
+  metadata {
+    name      = "auth-proxy-routes"
+    namespace = "auth-proxy"
+  }
+
+  data = {
+    "routes.yaml" = yamlencode({
+      routes = {
+        for k, v in var.proxy_applications : v.domain => {
+          allowed_groups = local.app_allowed_groups[k]
+        }
+      }
+    })
+  }
+}

terraform/keycloak/outputs.tf

@@ -0,0 +1,37 @@
+output "realm_id" {
+  value = keycloak_realm.hexor.id
+}
+
+output "google_idp_alias" {
+  value = keycloak_oidc_google_identity_provider.google.alias
+}
+
+output "rsauth2_proxy_client_id" {
+  value = keycloak_openid_client.rsauth2_proxy.client_id
+}
+
+output "rsauth2_proxy_client_secret" {
+  value     = keycloak_openid_client.rsauth2_proxy.client_secret
+  sensitive = true
+}
+
+output "rsauth2_proxy_dev_client_id" {
+  value = keycloak_openid_client.rsauth2_proxy_dev.client_id
+}
+
+output "rsauth2_proxy_dev_client_secret" {
+  value     = keycloak_openid_client.rsauth2_proxy_dev.client_secret
+  sensitive = true
+}
+
+output "standalone_groups" {
+  value = [for g in keycloak_group.standalone : g.name]
+}
+
+output "app_groups" {
+  value = { for k, g in keycloak_group.app : k => g.name }
+}
+
+output "app_allowed_groups" {
+  value = local.app_allowed_groups
+}

terraform/keycloak/providers.tf

@@ -0,0 +1,23 @@
+terraform {
+  required_providers {
+    keycloak = {
+      source  = "keycloak/keycloak"
+      version = ">= 5.0.0"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = ">= 2.0.0"
+    }
+  }
+}
+
+provider "keycloak" {
+  url           = var.keycloak_url
+  base_path     = "/auth"
+  client_id     = var.keycloak_client_id
+  client_secret = var.keycloak_client_secret
+}
+
+provider "kubernetes" {
+  config_path = var.kubeconfig_path
+}

terraform/keycloak/state.tf

@@ -0,0 +1,8 @@
+terraform {
+  cloud {
+    organization = "ultradesu"
+    workspaces {
+      name = "Keycloak"
+    }
+  }
+}

terraform/keycloak/variables.tf

@@ -0,0 +1,49 @@
+variable "keycloak_url" {
+  description = "Keycloak URL (set via TF_VAR_keycloak_url)"
+  type        = string
+  default     = "https://auth.hexor.cy"
+}
+
+variable "keycloak_client_id" {
+  description = "Keycloak Terraform client ID (set via TF_VAR_keycloak_client_id)"
+  type        = string
+  default     = "terraform"
+}
+
+variable "keycloak_client_secret" {
+  description = "Keycloak Terraform client secret (set via TF_VAR_keycloak_client_secret)"
+  type        = string
+  sensitive   = true
+}
+
+variable "kubeconfig_path" {
+  description = "Path to kubeconfig (set via TF_VAR_kubeconfig_path or KUBE_CONFIG_PATH)"
+  type        = string
+  default     = "~/.kube/config"
+}
+
+variable "google_client_id" {
+  description = "Google OAuth client ID (set via TF_VAR_google_client_id)"
+  type        = string
+}
+
+variable "google_client_secret" {
+  description = "Google OAuth client secret (set via TF_VAR_google_client_secret)"
+  type        = string
+  sensitive   = true
+}
+
+variable "groups" {
+  description = "Standalone Keycloak groups"
+  type        = list(string)
+  default     = []
+}
+
+variable "proxy_applications" {
+  description = "Proxy applications protected by rsauth2-proxy"
+  type = map(object({
+    domain         = string
+    allowed_groups = optional(list(string), [])
+  }))
+  default = {}
+}