Auto-update README with current k8s applications

Generated by CI/CD workflow on 2026-05-05 13:57:20

This PR updates the README.md file with the current list of applications found in the k8s/ directory structure.

README.md

@@ -13,10 +13,13 @@ ArgoCD homelab project
 | Application | Status |
 | :--- | :---: |
 | **argocd** | [![argocd](https://ag.hexor.cy/api/badge?name=argocd&revision=true)](https://ag.hexor.cy/applications/argocd/argocd) |
+| **auth-proxy** | [![auth-proxy](https://ag.hexor.cy/api/badge?name=auth-proxy&revision=true)](https://ag.hexor.cy/applications/argocd/auth-proxy) |
 | **authentik** | [![authentik](https://ag.hexor.cy/api/badge?name=authentik&revision=true)](https://ag.hexor.cy/applications/argocd/authentik) |
 | **cert-manager** | [![cert-manager](https://ag.hexor.cy/api/badge?name=cert-manager&revision=true)](https://ag.hexor.cy/applications/argocd/cert-manager) |
 | **external-secrets** | [![external-secrets](https://ag.hexor.cy/api/badge?name=external-secrets&revision=true)](https://ag.hexor.cy/applications/argocd/external-secrets) |
 | **gpu** | [![gpu](https://ag.hexor.cy/api/badge?name=gpu&revision=true)](https://ag.hexor.cy/applications/argocd/gpu) |
+| **kanidm** | [![kanidm](https://ag.hexor.cy/api/badge?name=kanidm&revision=true)](https://ag.hexor.cy/applications/argocd/kanidm) |
+| **keycloak** | [![keycloak](https://ag.hexor.cy/api/badge?name=keycloak&revision=true)](https://ag.hexor.cy/applications/argocd/keycloak) |
 | **kube-system-custom** | [![kube-system-custom](https://ag.hexor.cy/api/badge?name=kube-system-custom&revision=true)](https://ag.hexor.cy/applications/argocd/kube-system-custom) |
 | **kubernetes-dashboard** | [![kubernetes-dashboard](https://ag.hexor.cy/api/badge?name=kubernetes-dashboard&revision=true)](https://ag.hexor.cy/applications/argocd/kubernetes-dashboard) |
 | **longhorn** | [![longhorn](https://ag.hexor.cy/api/badge?name=longhorn&revision=true)](https://ag.hexor.cy/applications/argocd/longhorn) |
@@ -62,9 +65,12 @@ ArgoCD homelab project
 | **sonarr-stack** | [![sonarr-stack](https://ag.hexor.cy/api/badge?name=sonarr-stack&revision=true)](https://ag.hexor.cy/applications/argocd/sonarr-stack) |
 | **stirling-pdf** | [![stirling-pdf](https://ag.hexor.cy/api/badge?name=stirling-pdf&revision=true)](https://ag.hexor.cy/applications/argocd/stirling-pdf) |
 | **syncthing** | [![syncthing](https://ag.hexor.cy/api/badge?name=syncthing&revision=true)](https://ag.hexor.cy/applications/argocd/syncthing) |
+| **teamspeak** | [![teamspeak](https://ag.hexor.cy/api/badge?name=teamspeak&revision=true)](https://ag.hexor.cy/applications/argocd/teamspeak) |
 | **tg-bots** | [![tg-bots](https://ag.hexor.cy/api/badge?name=tg-bots&revision=true)](https://ag.hexor.cy/applications/argocd/tg-bots) |
 | **vaultwarden** | [![vaultwarden](https://ag.hexor.cy/api/badge?name=vaultwarden&revision=true)](https://ag.hexor.cy/applications/argocd/vaultwarden) |
 | **vpn** | [![vpn](https://ag.hexor.cy/api/badge?name=vpn&revision=true)](https://ag.hexor.cy/applications/argocd/vpn) |
+| **web-petting** | [![web-petting](https://ag.hexor.cy/api/badge?name=web-petting&revision=true)](https://ag.hexor.cy/applications/argocd/web-petting) |
+| **wedding** | [![wedding](https://ag.hexor.cy/api/badge?name=wedding&revision=true)](https://ag.hexor.cy/applications/argocd/wedding) |
 | **xandikos** | [![xandikos](https://ag.hexor.cy/api/badge?name=xandikos&revision=true)](https://ag.hexor.cy/applications/argocd/xandikos) |
 
 </td>

k8s/apps/gitea/deployment.yaml

@@ -88,6 +88,10 @@ spec:
           operator: Equal
           value: desktop
           effect: NoSchedule
+        - key: workload
+          operator: Equal
+          value: ai
+          effect: NoSchedule
       volumes:
         - name: docker-sock
           hostPath:

k8s/apps/mtproxy/secret-reader-ingress.yaml

@@ -2,10 +2,10 @@
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
-  name: keycloak-auth
+  name: auth-proxy
 spec:
   forwardAuth:
-    address: http://oauth2-proxy.oauth2-proxy.svc:80
+    address: http://auth-proxy.auth-proxy.svc:80/auth
     trustForwardHeader: true
     authResponseHeaders:
       - X-Auth-Request-User
@@ -25,7 +25,7 @@ spec:
     - match: Host(`secret-reader.hexor.cy`)
       kind: Rule
       middlewares:
-        - name: keycloak-auth
+        - name: auth-proxy
       services:
         - name: secret-reader
           port: 80

k8s/core/auth-proxy/app.yaml

@@ -1,17 +1,17 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: oauth2-proxy
+  name: auth-proxy
   namespace: argocd
 spec:
   project: core
   destination:
-    namespace: oauth2-proxy
+    namespace: auth-proxy
     server: https://kubernetes.default.svc
   source:
     repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
     targetRevision: HEAD
-    path: k8s/core/oauth2-proxy
+    path: k8s/core/auth-proxy
   syncPolicy:
     automated:
       selfHeal: true

k8s/core/auth-proxy/deployment.yaml

@@ -0,0 +1,79 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: auth-proxy
+  labels:
+    app: auth-proxy
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: auth-proxy
+  template:
+    metadata:
+      labels:
+        app: auth-proxy
+    spec:
+      containers:
+        - name: auth-proxy
+          image: ultradesu/rsauth2-proxy:0.1.0
+          ports:
+            - containerPort: 8080
+              name: http
+              protocol: TCP
+          envFrom:
+            - secretRef:
+                name: auth-proxy-creds
+          env:
+            - name: AUTH_PROXY_OIDC_ISSUER
+              value: "https://auth.hexor.cy/auth/realms/hexor"
+            - name: AUTH_PROXY_COOKIE_DOMAIN
+              value: ".hexor.cy"
+            - name: AUTH_PROXY_CALLBACK_URL
+              value: "https://oauth.hexor.cy/callback"
+            - name: AUTH_PROXY_ROUTES_FILE
+              value: "/config/routes.yaml"
+            - name: AUTH_PROXY_LOG_LEVEL
+              value: "info"
+          volumeMounts:
+            - name: routes
+              mountPath: /config
+              readOnly: true
+          resources:
+            requests:
+              cpu: 50m
+              memory: 32Mi
+            limits:
+              cpu: 200m
+              memory: 64Mi
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: 8080
+            initialDelaySeconds: 3
+            periodSeconds: 10
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: 8080
+            initialDelaySeconds: 5
+            periodSeconds: 30
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 1000
+            runAsGroup: 1000
+            capabilities:
+              drop:
+                - ALL
+      volumes:
+        - name: routes
+          configMap:
+            name: auth-proxy-routes
+      nodeSelector:
+        kubernetes.io/hostname: master.tail2fe2d.ts.net
+      tolerations:
+        - key: node-role.kubernetes.io/master
+          effect: NoSchedule

k8s/core/auth-proxy/external-secrets.yaml

@@ -2,18 +2,18 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: oauth2-proxy-creds
+  name: auth-proxy-creds
 spec:
   target:
-    name: oauth2-proxy-creds
+    name: auth-proxy-creds
     deletionPolicy: Delete
     template:
       type: Opaque
       data:
-        client-id: oauth2-proxy
-        client-secret: |-
+        AUTH_PROXY_CLIENT_ID: rsauth2-proxy
+        AUTH_PROXY_CLIENT_SECRET: |-
           {{ .client_secret }}
-        cookie-secret: |-
+        AUTH_PROXY_COOKIE_SECRET: |-
           {{ .cookie_secret }}
   data:
     - secretKey: client_secret

k8s/core/auth-proxy/ingress.yaml

@@ -0,0 +1,28 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: auth-proxy
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`oauth.hexor.cy`)
+      kind: Rule
+      services:
+        - name: auth-proxy
+          port: 80
+  tls:
+    secretName: auth-proxy-tls
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: auth-proxy-tls
+spec:
+  secretName: auth-proxy-tls
+  issuerRef:
+    name: letsencrypt
+    kind: ClusterIssuer
+  dnsNames:
+    - oauth.hexor.cy

k8s/core/auth-proxy/kustomization.yaml

@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - app.yaml
+  - external-secrets.yaml
+  - routes.yaml
+  - deployment.yaml
+  - service.yaml
+  - ingress.yaml

k8s/core/auth-proxy/routes.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: auth-proxy-routes
+data:
+  routes.yaml: |
+    routes:
+      secret-reader.hexor.cy:
+        allowed_groups: []

k8s/core/auth-proxy/service.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: auth-proxy
+  labels:
+    app: auth-proxy
+spec:
+  ports:
+    - name: http
+      port: 80
+      targetPort: 8080
+      protocol: TCP
+  selector:
+    app: auth-proxy

k8s/core/oauth2-proxy/kustomization.yaml

@@ -1,14 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - app.yaml
-  - external-secrets.yaml
-
-helmCharts:
-  - name: oauth2-proxy
-    repo: https://oauth2-proxy.github.io/manifests
-    version: 10.4.3
-    releaseName: oauth2-proxy
-    namespace: oauth2-proxy
-    valuesFile: values.yaml

k8s/core/oauth2-proxy/middleware.yaml

@@ -1,3 +0,0 @@
-# Middleware is deployed per-namespace alongside each IngressRoute
-# because Traefik does not allow cross-namespace middleware references.
-# See k8s/apps/mtproxy/secret-reader-ingress.yaml for example.

k8s/core/oauth2-proxy/values.yaml

@@ -1,51 +0,0 @@
-replicaCount: 1
-
-config:
-  existingSecret: oauth2-proxy-creds
-  configFile: |-
-    provider = "keycloak-oidc"
-    provider_display_name = "Keycloak"
-    oidc_issuer_url = "https://auth.hexor.cy/auth/realms/hexor"
-    redirect_url = "https://oauth.hexor.cy/oauth2/callback"
-    email_domains = ["*"]
-    cookie_domains = [".hexor.cy"]
-    whitelist_domains = [".hexor.cy"]
-    cookie_secure = true
-    cookie_samesite = "lax"
-    upstreams = ["static://200"]
-    reverse_proxy = true
-    set_xauthrequest = true
-    set_authorization_header = true
-    pass_access_token = true
-    pass_authorization_header = true
-    skip_provider_button = true
-    code_challenge_method = "S256"
-    scope = "openid profile email"
-
-ingress:
-  enabled: true
-  className: traefik
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
-  hosts:
-    - oauth.hexor.cy
-  tls:
-    - secretName: oauth2-proxy-tls
-      hosts:
-        - oauth.hexor.cy
-
-resources:
-  requests:
-    cpu: 50m
-    memory: 64Mi
-  limits:
-    cpu: 200m
-    memory: 128Mi
-
-nodeSelector:
-  kubernetes.io/hostname: master.tail2fe2d.ts.net
-
-tolerations:
-  - key: node-role.kubernetes.io/master
-    effect: NoSchedule

terraform/keycloak/.terraform.lock.hcl

@@ -0,0 +1,27 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/keycloak/keycloak" {
+  version     = "5.7.0"
+  constraints = ">= 5.0.0"
+  hashes = [
+    "h1:3DuKdVeOxwULh7l6bvJKWZvsgSZo92rtnrdvyp+X2Lc=",
+    "zh:19be4505b17e4818db121a82917cb6723019cf379cfb82b720eaa2886f15bede",
+    "zh:2bd1565ed22db6a9fb50d60626e22c277f3b034a71f65e6c0011e42f56cad2bb",
+    "zh:34a9e2dfb06331dc6146491c4a0721001195c6a769cdc2d4546edb2acf2b39bd",
+    "zh:3f86bf9eac6d73eeaa926471826b6888da77950f68e6a3a95dc2d9201a4a88fa",
+    "zh:4b9053fde2c8dee6469c8b273bf5491a27228a1df28e30b86714118f0f876baf",
+    "zh:522aa6bcecc6b8d517415237f4ec079488ef7de0e980a634bf6a8b481c13effc",
+    "zh:52f85208815ca65b8d3cd5465b28005ba63f854122bc61fbf04925c986d48e78",
+    "zh:636555042a6051d2e1113e5f945edb9f432e2d09b81cf6e50a59a534819d98dd",
+    "zh:73a1fecfb3d9666bf87c2eb7d001281b8cfcd7132573b8c3d4febc2db55f0a2f",
+    "zh:76fa26d055ceeb0869a50e4b63871f4b07f55045af6b46b83686016531e9fb22",
+    "zh:8df147e619d7ac3d3f9840ba0d1895d34bde179e818863e2e7b52e2c05c12f58",
+    "zh:9c830253990e13ec284d0d312fea562938e4a8fc664dacb3af5f1eb16dcae1ae",
+    "zh:abd0bd630b362cd6f77fbb33625bc6f515782eb58cb096b4ce69dea252254aef",
+    "zh:d1474a67ffc3288b2d0c99f6e8edc937ac8ef54afed0306e3c6f033aa836a5f6",
+    "zh:ed19408f15667bfb572120858bdde929a20ce2d1f29468973905980c03299767",
+    "zh:ef8bc311f7d1ad821b65ba43af92e2ce835e739d391098b13e01a61747b5c648",
+    "zh:f57319d9a7ac387d5070c909fd0084ccfc296f1f3193efde995ae24aa1729a39",
+  ]
+}

terraform/keycloak/main.tf

@@ -0,0 +1,133 @@
+# =============================================================================
+# Realm
+# =============================================================================
+
+resource "keycloak_realm" "hexor" {
+  realm   = "hexor"
+  enabled = true
+
+  display_name = "Hexor"
+
+  login_theme   = "keycloak"
+  account_theme = "keycloak.v3"
+
+  registration_allowed     = false
+  reset_password_allowed   = true
+  remember_me              = true
+  verify_email             = false
+  login_with_email_allowed = true
+  duplicate_emails_allowed = false
+
+  ssl_required = "external"
+}
+
+# =============================================================================
+# Google Identity Provider
+# =============================================================================
+
+resource "keycloak_oidc_google_identity_provider" "google" {
+  realm         = keycloak_realm.hexor.id
+  client_id     = var.google_client_id
+  client_secret = var.google_client_secret
+
+  trust_email = true
+  sync_mode   = "IMPORT"
+}
+
+# =============================================================================
+# Default groups
+# =============================================================================
+
+resource "keycloak_group" "users" {
+  realm_id = keycloak_realm.hexor.id
+  name     = "users"
+}
+
+resource "keycloak_default_groups" "default" {
+  realm_id  = keycloak_realm.hexor.id
+  group_ids = [keycloak_group.users.id]
+}
+
+# =============================================================================
+# rsauth2-proxy client (production)
+# =============================================================================
+
+resource "keycloak_openid_client" "rsauth2_proxy" {
+  realm_id  = keycloak_realm.hexor.id
+  client_id = "rsauth2-proxy"
+
+  name                         = "rsauth2-proxy"
+  enabled                      = true
+  access_type                  = "CONFIDENTIAL"
+  standard_flow_enabled        = true
+  direct_access_grants_enabled = false
+
+  valid_redirect_uris = [
+    "https://oauth.hexor.cy/callback",
+  ]
+
+  web_origins = [
+    "https://oauth.hexor.cy",
+  ]
+}
+
+resource "keycloak_openid_group_membership_protocol_mapper" "rsauth2_proxy_groups" {
+  realm_id   = keycloak_realm.hexor.id
+  client_id  = keycloak_openid_client.rsauth2_proxy.id
+  name       = "groups"
+  claim_name = "groups"
+  full_path  = false
+}
+
+resource "keycloak_openid_client_default_scopes" "rsauth2_proxy" {
+  realm_id  = keycloak_realm.hexor.id
+  client_id = keycloak_openid_client.rsauth2_proxy.id
+
+  default_scopes = [
+    "openid",
+    "profile",
+    "email",
+  ]
+}
+
+# =============================================================================
+# rsauth2-proxy client (localhost testing)
+# =============================================================================
+
+resource "keycloak_openid_client" "rsauth2_proxy_dev" {
+  realm_id  = keycloak_realm.hexor.id
+  client_id = "rsauth2-proxy-dev"
+
+  name                         = "rsauth2-proxy (dev)"
+  enabled                      = true
+  access_type                  = "CONFIDENTIAL"
+  standard_flow_enabled        = true
+  direct_access_grants_enabled = false
+
+  valid_redirect_uris = [
+    "http://localhost:8080/callback",
+  ]
+
+  web_origins = [
+    "http://localhost:8080",
+  ]
+}
+
+resource "keycloak_openid_group_membership_protocol_mapper" "rsauth2_proxy_dev_groups" {
+  realm_id   = keycloak_realm.hexor.id
+  client_id  = keycloak_openid_client.rsauth2_proxy_dev.id
+  name       = "groups"
+  claim_name = "groups"
+  full_path  = false
+}
+
+resource "keycloak_openid_client_default_scopes" "rsauth2_proxy_dev" {
+  realm_id  = keycloak_realm.hexor.id
+  client_id = keycloak_openid_client.rsauth2_proxy_dev.id
+
+  default_scopes = [
+    "openid",
+    "profile",
+    "email",
+  ]
+}

terraform/keycloak/outputs.tf

@@ -0,0 +1,25 @@
+output "realm_id" {
+  value = keycloak_realm.hexor.id
+}
+
+output "google_idp_alias" {
+  value = keycloak_oidc_google_identity_provider.google.alias
+}
+
+output "rsauth2_proxy_client_id" {
+  value = keycloak_openid_client.rsauth2_proxy.client_id
+}
+
+output "rsauth2_proxy_client_secret" {
+  value     = keycloak_openid_client.rsauth2_proxy.client_secret
+  sensitive = true
+}
+
+output "rsauth2_proxy_dev_client_id" {
+  value = keycloak_openid_client.rsauth2_proxy_dev.client_id
+}
+
+output "rsauth2_proxy_dev_client_secret" {
+  value     = keycloak_openid_client.rsauth2_proxy_dev.client_secret
+  sensitive = true
+}

terraform/keycloak/providers.tf

@@ -0,0 +1,15 @@
+terraform {
+  required_providers {
+    keycloak = {
+      source  = "keycloak/keycloak"
+      version = ">= 5.0.0"
+    }
+  }
+}
+
+provider "keycloak" {
+  url           = var.keycloak_url
+  base_path     = "/auth"
+  client_id     = var.keycloak_client_id
+  client_secret = var.keycloak_client_secret
+}

terraform/keycloak/state.tf

@@ -0,0 +1,8 @@
+terraform {
+  cloud {
+    organization = "ultradesu"
+    workspaces {
+      name = "Keycloak"
+    }
+  }
+}

terraform/keycloak/variables.tf

@@ -0,0 +1,28 @@
+variable "keycloak_url" {
+  description = "Keycloak URL (set via TF_VAR_keycloak_url)"
+  type        = string
+  default     = "https://auth.hexor.cy"
+}
+
+variable "keycloak_client_id" {
+  description = "Keycloak Terraform client ID (set via TF_VAR_keycloak_client_id)"
+  type        = string
+  default     = "terraform"
+}
+
+variable "keycloak_client_secret" {
+  description = "Keycloak Terraform client secret (set via TF_VAR_keycloak_client_secret)"
+  type        = string
+  sensitive   = true
+}
+
+variable "google_client_id" {
+  description = "Google OAuth client ID (set via TF_VAR_google_client_id)"
+  type        = string
+}
+
+variable "google_client_secret" {
+  description = "Google OAuth client secret (set via TF_VAR_google_client_secret)"
+  type        = string
+  sensitive   = true
+}