Auto-update README with current k8s applications

Generated by CI/CD workflow on 2026-05-04 17:13:29

This PR updates the README.md file with the current list of applications found in the k8s/ directory structure.

README.md

@@ -13,7 +13,6 @@ ArgoCD homelab project
 | Application | Status |
 | :--- | :---: |
 | **argocd** | [![argocd](https://ag.hexor.cy/api/badge?name=argocd&revision=true)](https://ag.hexor.cy/applications/argocd/argocd) |
-| **auth-proxy** | [![auth-proxy](https://ag.hexor.cy/api/badge?name=auth-proxy&revision=true)](https://ag.hexor.cy/applications/argocd/auth-proxy) |
 | **authentik** | [![authentik](https://ag.hexor.cy/api/badge?name=authentik&revision=true)](https://ag.hexor.cy/applications/argocd/authentik) |
 | **cert-manager** | [![cert-manager](https://ag.hexor.cy/api/badge?name=cert-manager&revision=true)](https://ag.hexor.cy/applications/argocd/cert-manager) |
 | **external-secrets** | [![external-secrets](https://ag.hexor.cy/api/badge?name=external-secrets&revision=true)](https://ag.hexor.cy/applications/argocd/external-secrets) |
@@ -23,6 +22,7 @@ ArgoCD homelab project
 | **kube-system-custom** | [![kube-system-custom](https://ag.hexor.cy/api/badge?name=kube-system-custom&revision=true)](https://ag.hexor.cy/applications/argocd/kube-system-custom) |
 | **kubernetes-dashboard** | [![kubernetes-dashboard](https://ag.hexor.cy/api/badge?name=kubernetes-dashboard&revision=true)](https://ag.hexor.cy/applications/argocd/kubernetes-dashboard) |
 | **longhorn** | [![longhorn](https://ag.hexor.cy/api/badge?name=longhorn&revision=true)](https://ag.hexor.cy/applications/argocd/longhorn) |
+| **oauth2-proxy** | [![oauth2-proxy](https://ag.hexor.cy/api/badge?name=oauth2-proxy&revision=true)](https://ag.hexor.cy/applications/argocd/oauth2-proxy) |
 | **postgresql** | [![postgresql](https://ag.hexor.cy/api/badge?name=postgresql&revision=true)](https://ag.hexor.cy/applications/argocd/postgresql) |
 | **prom-stack** | [![prom-stack](https://ag.hexor.cy/api/badge?name=prom-stack&revision=true)](https://ag.hexor.cy/applications/argocd/prom-stack) |
 | **system-upgrade** | [![system-upgrade](https://ag.hexor.cy/api/badge?name=system-upgrade&revision=true)](https://ag.hexor.cy/applications/argocd/system-upgrade) |

k8s/apps/gitea/deployment.yaml

@@ -70,7 +70,7 @@ kind: Deployment
 metadata:
   name: gitea-runner
 spec:
-  replicas: 2
+  replicas: 1
   selector:
     matchLabels:
       app: gitea-runner
@@ -79,19 +79,11 @@ spec:
       labels:
         app: gitea-runner
     spec:
-      dnsConfig:
-        options:
-          - name: ndots
-            value: "2"
       tolerations:
         - key: workload
           operator: Equal
           value: desktop
           effect: NoSchedule
-        - key: workload
-          operator: Equal
-          value: ai
-          effect: NoSchedule
       volumes:
         - name: docker-sock
           hostPath:
@@ -101,12 +93,6 @@ spec:
           emptyDir:
             sizeLimit: 30Gi
       affinity:
-        podAntiAffinity:
-          requiredDuringSchedulingIgnoredDuringExecution:
-            - labelSelector:
-                matchLabels:
-                  app: gitea-runner
-              topologyKey: kubernetes.io/hostname
         nodeAffinity:
           preferredDuringSchedulingIgnoredDuringExecution:
           - weight: 100
@@ -116,7 +102,6 @@ spec:
                 operator: In
                 values:
                 - uk-desktop.tail2fe2d.ts.net
-                - ai.tail2fe2d.ts.net
           - weight: 50
             preference:
               matchExpressions:
@@ -124,7 +109,22 @@ spec:
                 operator: In
                 values:
                 - home.homenet
+          - weight: 30
+            preference:
+              matchExpressions:
+              - key: kubernetes.io/hostname
+                operator: In
+                values:
+                - master.tail2fe2d.ts.net
+          - weight: 10
+            preference:
+              matchExpressions:
+              - key: kubernetes.io/hostname
+                operator: In
+                values:
                 - it.tail2fe2d.ts.net
+                - ch.tail2fe2d.ts.net
+                - us.tail2fe2d.ts.net
       containers:
         - name: gitea-runner
           image: gitea/act_runner:nightly
@@ -144,18 +144,13 @@ spec:
               mountPath: /data
           env:
             - name: GITEA_INSTANCE_URL
-              #value: "http://gitea.gitea.svc.cluster.local"
               value: "https://gt.hexor.cy"
             - name: GITEA_RUNNER_REGISTRATION_TOKEN
               valueFrom:
                 secretKeyRef:
                   name: gitea-runner-act-runner-secrets
                   key: token
-            - name: NODE_NAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: spec.nodeName
             - name: GITEA_RUNNER_NAME
-              value: "$(NODE_NAME)"
+              value: "k8s-runner"
             - name: GITEA_RUNNER_LABELS
               value: "ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest,ubuntu-22.04:docker://ghcr.io/catthehacker/ubuntu:act-22.04,ubuntu-20.04:docker://ghcr.io/catthehacker/ubuntu:act-20.04"

k8s/apps/k8s-secrets/ingress.yaml

@@ -1,46 +0,0 @@
----
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: auth-proxy
-spec:
-  forwardAuth:
-    address: http://auth-proxy.auth-proxy.svc:80/auth
-    trustForwardHeader: true
-    authResponseHeaders:
-      - X-Auth-Request-User
-      - X-Auth-Request-Email
-      - X-Auth-Request-Groups
----
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: secret-reader
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`pass.hexor.cy`)
-      kind: Rule
-      middlewares:
-        - name: auth-proxy
-      services:
-        - name: secret-reader
-          port: 80
-  tls:
-    secretName: secret-reader-tls
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: secret-reader-tls
-spec:
-  secretName: secret-reader-tls
-  issuerRef:
-    name: letsencrypt
-    kind: ClusterIssuer
-  dnsNames:
-    - pass.hexor.cy
-

k8s/apps/mtproxy/secret-reader-ingress.yaml

@@ -1,18 +1,5 @@
 ---
 apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: auth-proxy
-spec:
-  forwardAuth:
-    address: http://auth-proxy.auth-proxy.svc:80/auth
-    trustForwardHeader: true
-    authResponseHeaders:
-      - X-Auth-Request-User
-      - X-Auth-Request-Email
-      - X-Auth-Request-Groups
----
-apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
   name: secret-reader
@@ -25,7 +12,8 @@ spec:
     - match: Host(`secret-reader.hexor.cy`)
       kind: Rule
       middlewares:
-        - name: auth-proxy
+        - name: keycloak-auth
+          namespace: oauth2-proxy
       services:
         - name: secret-reader
           port: 80

k8s/core/argocd/values.yaml

@@ -25,7 +25,7 @@ configs:
     timeout.reconciliation: 60s
     oidc.config: |
       name: Authentik
-      issuer: https://auth.hexor.cy/auth/realms/hexor
+      issuer: https://idm.hexor.cy/application/o/argocd/
       clientID: $oidc-creds:id
       clientSecret: $oidc-creds:secret
       requestedScopes: ["openid", "profile", "email", "groups", "offline_access"]
@@ -35,19 +35,20 @@ configs:
     create: true
     policy.default: ""
     policy.csv: |
-        g, game-servers-managers, GameServersManagersRole
-        # Role permissions
-        p, GameServersManagersRole, applications, get, games/*, allow
-        p, GameServersManagersRole, applications, update, games/*, allow
-        p, GameServersManagersRole, applications, sync, games/*, allow
-        p, GameServersManagersRole, applications, override, games/*, allow
-        p, GameServersManagersRole, applications, action/*, games/*, allow
-        p, GameServersManagersRole, exec, create, games/*, allow
-        p, GameServersManagersRole, logs, get, games/*, allow
-        p, GameServersManagersRole, applications, delete, games/*, deny
-    
-        # Admin policy
-        g, argocd-admins, role:admin
+      # Bound OIDC Group and internal role
+      g, Game Servers Managers, GameServersManagersRole
+      # Role permissions
+      p, GameServersManagersRole, applications, get, games/*, allow
+      p, GameServersManagersRole, applications, update, games/*, allow
+      p, GameServersManagersRole, applications, sync, games/*, allow
+      p, GameServersManagersRole, applications, override, games/*, allow
+      p, GameServersManagersRole, applications, action/*, games/*, allow
+      p, GameServersManagersRole, exec, create, games/*, allow
+      p, GameServersManagersRole, logs, get, games/*, allow
+      p, GameServersManagersRole, applications, delete, games/*, deny
+
+      # Admin policy
+      g, ArgoCD Admins, role:admin
 
   secret:
     createSecret: true

k8s/core/auth-proxy/deployment.yaml

@@ -1,79 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: auth-proxy
-  labels:
-    app: auth-proxy
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: auth-proxy
-  template:
-    metadata:
-      labels:
-        app: auth-proxy
-    spec:
-      containers:
-        - name: auth-proxy
-          image: ultradesu/rsauth2-proxy:latest
-          ports:
-            - containerPort: 8080
-              name: http
-              protocol: TCP
-          envFrom:
-            - secretRef:
-                name: auth-proxy-creds
-          env:
-            - name: AUTH_PROXY_OIDC_ISSUER
-              value: "https://auth.hexor.cy/auth/realms/hexor"
-            - name: AUTH_PROXY_COOKIE_DOMAIN
-              value: ".hexor.cy"
-            - name: AUTH_PROXY_CALLBACK_URL
-              value: "https://oauth.hexor.cy/callback"
-            - name: AUTH_PROXY_ROUTES_FILE
-              value: "/config/routes.yaml"
-            - name: AUTH_PROXY_LOG_LEVEL
-              value: "debug"
-          volumeMounts:
-            - name: routes
-              mountPath: /config
-              readOnly: true
-          resources:
-            requests:
-              cpu: 50m
-              memory: 32Mi
-            limits:
-              cpu: 200m
-              memory: 64Mi
-          readinessProbe:
-            httpGet:
-              path: /health
-              port: 8080
-            initialDelaySeconds: 3
-            periodSeconds: 10
-          livenessProbe:
-            httpGet:
-              path: /health
-              port: 8080
-            initialDelaySeconds: 5
-            periodSeconds: 30
-          securityContext:
-            allowPrivilegeEscalation: false
-            readOnlyRootFilesystem: true
-            runAsNonRoot: true
-            runAsUser: 1000
-            runAsGroup: 1000
-            capabilities:
-              drop:
-                - ALL
-      volumes:
-        - name: routes
-          configMap:
-            name: auth-proxy-routes
-      nodeSelector:
-        kubernetes.io/hostname: master.tail2fe2d.ts.net
-      tolerations:
-        - key: node-role.kubernetes.io/master
-          effect: NoSchedule

k8s/core/auth-proxy/ingress.yaml

@@ -1,28 +0,0 @@
----
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: auth-proxy
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`oauth.hexor.cy`)
-      kind: Rule
-      services:
-        - name: auth-proxy
-          port: 80
-  tls:
-    secretName: auth-proxy-tls
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: auth-proxy-tls
-spec:
-  secretName: auth-proxy-tls
-  issuerRef:
-    name: letsencrypt
-    kind: ClusterIssuer
-  dnsNames:
-    - oauth.hexor.cy

k8s/core/auth-proxy/kustomization.yaml

@@ -1,10 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - app.yaml
-  - external-secrets.yaml
-  - deployment.yaml
-  - service.yaml
-  - ingress.yaml
-# routes.yaml ConfigMap is managed by Terraform (kubernetes_config_map)

k8s/core/auth-proxy/service.yaml

@@ -1,15 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: auth-proxy
-  labels:
-    app: auth-proxy
-spec:
-  ports:
-    - name: http
-      port: 80
-      targetPort: 8080
-      protocol: TCP
-  selector:
-    app: auth-proxy

k8s/core/oauth2-proxy/app.yaml

@@ -1,17 +1,17 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: auth-proxy
+  name: oauth2-proxy
   namespace: argocd
 spec:
   project: core
   destination:
-    namespace: auth-proxy
+    namespace: oauth2-proxy
     server: https://kubernetes.default.svc
   source:
     repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
     targetRevision: HEAD
-    path: k8s/core/auth-proxy
+    path: k8s/core/oauth2-proxy
   syncPolicy:
     automated:
       selfHeal: true

k8s/core/oauth2-proxy/external-secrets.yaml

@@ -2,18 +2,18 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: auth-proxy-creds
+  name: oauth2-proxy-creds
 spec:
   target:
-    name: auth-proxy-creds
+    name: oauth2-proxy-creds
     deletionPolicy: Delete
     template:
       type: Opaque
       data:
-        AUTH_PROXY_CLIENT_ID: rsauth2-proxy
-        AUTH_PROXY_CLIENT_SECRET: |-
+        client_id: oauth2-proxy
+        client_secret: |-
           {{ .client_secret }}
-        AUTH_PROXY_COOKIE_SECRET: |-
+        cookie_secret: |-
           {{ .cookie_secret }}
   data:
     - secretKey: client_secret

k8s/core/oauth2-proxy/kustomization.yaml

@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - app.yaml
+  - external-secrets.yaml
+  - middleware.yaml
+
+helmCharts:
+  - name: oauth2-proxy
+    repo: https://oauth2-proxy.github.io/manifests
+    version: 10.4.3
+    releaseName: oauth2-proxy
+    namespace: oauth2-proxy
+    valuesFile: values.yaml

k8s/core/oauth2-proxy/middleware.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: keycloak-auth
+spec:
+  forwardAuth:
+    address: http://oauth2-proxy.oauth2-proxy.svc:80/oauth2/auth
+    trustForwardHeader: true
+    authResponseHeaders:
+      - X-Auth-Request-User
+      - X-Auth-Request-Email
+      - X-Auth-Request-Groups
+      - Authorization

k8s/core/oauth2-proxy/values.yaml

@@ -0,0 +1,67 @@
+replicaCount: 1
+
+config:
+  configFile: |-
+    provider = "keycloak-oidc"
+    provider_display_name = "Keycloak"
+    oidc_issuer_url = "https://auth.hexor.cy/auth/realms/hexor"
+    redirect_url = "https://oauth.hexor.cy/oauth2/callback"
+    email_domains = ["*"]
+    cookie_domains = [".hexor.cy"]
+    whitelist_domains = [".hexor.cy"]
+    cookie_secure = true
+    cookie_samesite = "lax"
+    upstreams = ["static://200"]
+    reverse_proxy = true
+    set_xauthrequest = true
+    set_authorization_header = true
+    pass_access_token = true
+    pass_authorization_header = true
+    skip_provider_button = true
+    code_challenge_method = "S256"
+    scope = "openid profile email"
+
+extraEnv:
+  - name: OAUTH2_PROXY_CLIENT_ID
+    valueFrom:
+      secretKeyRef:
+        name: oauth2-proxy-creds
+        key: client_id
+  - name: OAUTH2_PROXY_CLIENT_SECRET
+    valueFrom:
+      secretKeyRef:
+        name: oauth2-proxy-creds
+        key: client_secret
+  - name: OAUTH2_PROXY_COOKIE_SECRET
+    valueFrom:
+      secretKeyRef:
+        name: oauth2-proxy-creds
+        key: cookie_secret
+
+ingress:
+  enabled: true
+  className: traefik
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
+  hosts:
+    - oauth.hexor.cy
+  tls:
+    - secretName: oauth2-proxy-tls
+      hosts:
+        - oauth.hexor.cy
+
+resources:
+  requests:
+    cpu: 50m
+    memory: 64Mi
+  limits:
+    cpu: 200m
+    memory: 128Mi
+
+nodeSelector:
+  kubernetes.io/hostname: master.tail2fe2d.ts.net
+
+tolerations:
+  - key: node-role.kubernetes.io/master
+    effect: NoSchedule

terraform/keycloak/.terraform.lock.hcl

@@ -1,47 +0,0 @@
-# This file is maintained automatically by "terraform init".
-# Manual edits may be lost in future updates.
-
-provider "registry.terraform.io/hashicorp/kubernetes" {
-  version     = "3.1.0"
-  constraints = ">= 2.0.0"
-  hashes = [
-    "h1:G9QqKNpcztBRqrywtlNylFJSpGzDfRFtO8hcWLdkvRY=",
-    "zh:0215c5c60be62028c09a2f22458e89cda3ef5830a632299f1d401eb3538874b0",
-    "zh:09ebb9f442431e278a310a9423f32caf467cb4b3cad3fe59573ca71fa7b14e20",
-    "zh:0c4e5912f83bb35846ae0a9ae54fc320706ee61894cd21cc6b4181b1c5a2fa5c",
-    "zh:1678c982853ad461e65ccb5e79d585e13ed109dd47dab2a66d3a7a304faeef65",
-    "zh:1c050a5c15e330457a9c18caacf61a923c59d663e13f2962e4b32f04fef523a0",
-    "zh:2c55bcec83be58ec132c7cb0a1ac644758b800d794fdc636d53a0eada0358a3a",
-    "zh:a062bb0aa316c08d8460c66a5d68da71da40de5d3bc3b31abcf3a1a9a19650f1",
-    "zh:a26fdea0afaa9b247c73c0b42843ca51ba7db0ac2571f9d3d50dcabd20ca1b98",
-    "zh:c872c9385a78d502bf5823d61cd3bb0f9a0585030e025eb12585c83451beeaa1",
-    "zh:f180879af931182beee4c8c0d9dab62b81d86f17ddcbe3786ef4c7cec9163a4e",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
-    "zh:f70f5789264069e0eef06f9b5d5fde955ef7206f7d446d1ce51a4c37a3f3e02f",
-  ]
-}
-
-provider "registry.terraform.io/keycloak/keycloak" {
-  version     = "5.7.0"
-  constraints = ">= 5.0.0"
-  hashes = [
-    "h1:3DuKdVeOxwULh7l6bvJKWZvsgSZo92rtnrdvyp+X2Lc=",
-    "zh:19be4505b17e4818db121a82917cb6723019cf379cfb82b720eaa2886f15bede",
-    "zh:2bd1565ed22db6a9fb50d60626e22c277f3b034a71f65e6c0011e42f56cad2bb",
-    "zh:34a9e2dfb06331dc6146491c4a0721001195c6a769cdc2d4546edb2acf2b39bd",
-    "zh:3f86bf9eac6d73eeaa926471826b6888da77950f68e6a3a95dc2d9201a4a88fa",
-    "zh:4b9053fde2c8dee6469c8b273bf5491a27228a1df28e30b86714118f0f876baf",
-    "zh:522aa6bcecc6b8d517415237f4ec079488ef7de0e980a634bf6a8b481c13effc",
-    "zh:52f85208815ca65b8d3cd5465b28005ba63f854122bc61fbf04925c986d48e78",
-    "zh:636555042a6051d2e1113e5f945edb9f432e2d09b81cf6e50a59a534819d98dd",
-    "zh:73a1fecfb3d9666bf87c2eb7d001281b8cfcd7132573b8c3d4febc2db55f0a2f",
-    "zh:76fa26d055ceeb0869a50e4b63871f4b07f55045af6b46b83686016531e9fb22",
-    "zh:8df147e619d7ac3d3f9840ba0d1895d34bde179e818863e2e7b52e2c05c12f58",
-    "zh:9c830253990e13ec284d0d312fea562938e4a8fc664dacb3af5f1eb16dcae1ae",
-    "zh:abd0bd630b362cd6f77fbb33625bc6f515782eb58cb096b4ce69dea252254aef",
-    "zh:d1474a67ffc3288b2d0c99f6e8edc937ac8ef54afed0306e3c6f033aa836a5f6",
-    "zh:ed19408f15667bfb572120858bdde929a20ce2d1f29468973905980c03299767",
-    "zh:ef8bc311f7d1ad821b65ba43af92e2ce835e739d391098b13e01a61747b5c648",
-    "zh:f57319d9a7ac387d5070c909fd0084ccfc296f1f3193efde995ae24aa1729a39",
-  ]
-}

terraform/keycloak/main.tf

@@ -1,172 +0,0 @@
-# =============================================================================
-# Realm
-# =============================================================================
-
-resource "keycloak_realm" "hexor" {
-  realm   = "hexor"
-  enabled = true
-
-  display_name = "Hexor"
-
-  login_theme   = "keycloak"
-  account_theme = "keycloak.v3"
-
-  registration_allowed     = false
-  reset_password_allowed   = true
-  remember_me              = true
-  verify_email             = false
-  login_with_email_allowed = true
-  duplicate_emails_allowed = false
-
-  ssl_required = "external"
-}
-
-# =============================================================================
-# Google Identity Provider
-# =============================================================================
-
-resource "keycloak_oidc_google_identity_provider" "google" {
-  realm         = keycloak_realm.hexor.id
-  client_id     = var.google_client_id
-  client_secret = var.google_client_secret
-
-  trust_email = true
-  sync_mode   = "IMPORT"
-}
-
-# =============================================================================
-# Standalone groups
-# =============================================================================
-
-resource "keycloak_group" "standalone" {
-  for_each = toset(var.groups)
-
-  realm_id = keycloak_realm.hexor.id
-  name     = each.value
-}
-
-resource "keycloak_default_groups" "default" {
-  realm_id  = keycloak_realm.hexor.id
-  group_ids = [for g in keycloak_group.standalone : g.id if g.name == "users"]
-}
-
-# =============================================================================
-# rsauth2-proxy client (production)
-# =============================================================================
-
-resource "keycloak_openid_client" "rsauth2_proxy" {
-  realm_id  = keycloak_realm.hexor.id
-  client_id = "rsauth2-proxy"
-
-  name                         = "rsauth2-proxy"
-  enabled                      = true
-  access_type                  = "CONFIDENTIAL"
-  standard_flow_enabled        = true
-  direct_access_grants_enabled = false
-
-  valid_redirect_uris = [
-    "https://oauth.hexor.cy/callback",
-  ]
-
-  web_origins = [
-    "https://oauth.hexor.cy",
-  ]
-}
-
-resource "keycloak_openid_group_membership_protocol_mapper" "rsauth2_proxy_groups" {
-  realm_id   = keycloak_realm.hexor.id
-  client_id  = keycloak_openid_client.rsauth2_proxy.id
-  name       = "groups"
-  claim_name = "groups"
-  full_path  = false
-}
-
-resource "keycloak_openid_client_default_scopes" "rsauth2_proxy" {
-  realm_id  = keycloak_realm.hexor.id
-  client_id = keycloak_openid_client.rsauth2_proxy.id
-
-  default_scopes = [
-    "openid",
-    "profile",
-    "email",
-  ]
-}
-
-# =============================================================================
-# rsauth2-proxy client (localhost testing)
-# =============================================================================
-
-resource "keycloak_openid_client" "rsauth2_proxy_dev" {
-  realm_id  = keycloak_realm.hexor.id
-  client_id = "rsauth2-proxy-dev"
-
-  name                         = "rsauth2-proxy (dev)"
-  enabled                      = true
-  access_type                  = "CONFIDENTIAL"
-  standard_flow_enabled        = true
-  direct_access_grants_enabled = false
-
-  valid_redirect_uris = [
-    "http://localhost:8080/callback",
-  ]
-
-  web_origins = [
-    "http://localhost:8080",
-  ]
-}
-
-resource "keycloak_openid_group_membership_protocol_mapper" "rsauth2_proxy_dev_groups" {
-  realm_id   = keycloak_realm.hexor.id
-  client_id  = keycloak_openid_client.rsauth2_proxy_dev.id
-  name       = "groups"
-  claim_name = "groups"
-  full_path  = false
-}
-
-resource "keycloak_openid_client_default_scopes" "rsauth2_proxy_dev" {
-  realm_id  = keycloak_realm.hexor.id
-  client_id = keycloak_openid_client.rsauth2_proxy_dev.id
-
-  default_scopes = [
-    "openid",
-    "profile",
-    "email",
-  ]
-}
-
-# =============================================================================
-# Proxy applications — auto-created groups + routes ConfigMap
-# =============================================================================
-
-resource "keycloak_group" "app" {
-  for_each = var.proxy_applications
-
-  realm_id = keycloak_realm.hexor.id
-  name     = "app-${each.key}"
-}
-
-locals {
-  app_allowed_groups = {
-    for k, v in var.proxy_applications : k => concat(
-      ["app-${k}"],
-      v.allowed_groups
-    )
-  }
-}
-
-resource "kubernetes_config_map" "auth_proxy_routes" {
-  metadata {
-    name      = "auth-proxy-routes"
-    namespace = "auth-proxy"
-  }
-
-  data = {
-    "routes.yaml" = yamlencode({
-      routes = {
-        for k, v in var.proxy_applications : v.domain => {
-          allowed_groups = local.app_allowed_groups[k]
-        }
-      }
-    })
-  }
-}

terraform/keycloak/outputs.tf

@@ -1,37 +0,0 @@
-output "realm_id" {
-  value = keycloak_realm.hexor.id
-}
-
-output "google_idp_alias" {
-  value = keycloak_oidc_google_identity_provider.google.alias
-}
-
-output "rsauth2_proxy_client_id" {
-  value = keycloak_openid_client.rsauth2_proxy.client_id
-}
-
-output "rsauth2_proxy_client_secret" {
-  value     = keycloak_openid_client.rsauth2_proxy.client_secret
-  sensitive = true
-}
-
-output "rsauth2_proxy_dev_client_id" {
-  value = keycloak_openid_client.rsauth2_proxy_dev.client_id
-}
-
-output "rsauth2_proxy_dev_client_secret" {
-  value     = keycloak_openid_client.rsauth2_proxy_dev.client_secret
-  sensitive = true
-}
-
-output "standalone_groups" {
-  value = [for g in keycloak_group.standalone : g.name]
-}
-
-output "app_groups" {
-  value = { for k, g in keycloak_group.app : k => g.name }
-}
-
-output "app_allowed_groups" {
-  value = local.app_allowed_groups
-}

terraform/keycloak/providers.tf

@@ -1,23 +0,0 @@
-terraform {
-  required_providers {
-    keycloak = {
-      source  = "keycloak/keycloak"
-      version = ">= 5.0.0"
-    }
-    kubernetes = {
-      source  = "hashicorp/kubernetes"
-      version = ">= 2.0.0"
-    }
-  }
-}
-
-provider "keycloak" {
-  url           = var.keycloak_url
-  base_path     = "/auth"
-  client_id     = var.keycloak_client_id
-  client_secret = var.keycloak_client_secret
-}
-
-provider "kubernetes" {
-  config_path = var.kubeconfig_path
-}

terraform/keycloak/state.tf

@@ -1,8 +0,0 @@
-terraform {
-  cloud {
-    organization = "ultradesu"
-    workspaces {
-      name = "Keycloak"
-    }
-  }
-}

terraform/keycloak/variables.tf

@@ -1,49 +0,0 @@
-variable "keycloak_url" {
-  description = "Keycloak URL (set via TF_VAR_keycloak_url)"
-  type        = string
-  default     = "https://auth.hexor.cy"
-}
-
-variable "keycloak_client_id" {
-  description = "Keycloak Terraform client ID (set via TF_VAR_keycloak_client_id)"
-  type        = string
-  default     = "terraform"
-}
-
-variable "keycloak_client_secret" {
-  description = "Keycloak Terraform client secret (set via TF_VAR_keycloak_client_secret)"
-  type        = string
-  sensitive   = true
-}
-
-variable "kubeconfig_path" {
-  description = "Path to kubeconfig (set via TF_VAR_kubeconfig_path or KUBE_CONFIG_PATH)"
-  type        = string
-  default     = "~/.kube/config"
-}
-
-variable "google_client_id" {
-  description = "Google OAuth client ID (set via TF_VAR_google_client_id)"
-  type        = string
-}
-
-variable "google_client_secret" {
-  description = "Google OAuth client secret (set via TF_VAR_google_client_secret)"
-  type        = string
-  sensitive   = true
-}
-
-variable "groups" {
-  description = "Standalone Keycloak groups"
-  type        = list(string)
-  default     = []
-}
-
-variable "proxy_applications" {
-  description = "Proxy applications protected by rsauth2-proxy"
-  type = map(object({
-    domain         = string
-    allowed_groups = optional(list(string), [])
-  }))
-  default = {}
-}