Auto-update README with current k8s applications

Generated by CI/CD workflow on 2026-05-04 14:27:24 This PR updates the README.md file with the current list of applications found in the k8s/ directory structure.
2026-05-04 14:27:24 +00:00
34 changed files with 104 additions and 1103 deletions
@@ -13,13 +13,10 @@ ArgoCD homelab project
 | Application | Status |
 | :--- | :---: |
 | **argocd** | [![argocd](https://ag.hexor.cy/api/badge?name=argocd&revision=true)](https://ag.hexor.cy/applications/argocd/argocd) |
 | **auth-proxy** | [![auth-proxy](https://ag.hexor.cy/api/badge?name=auth-proxy&revision=true)](https://ag.hexor.cy/applications/argocd/auth-proxy) |
 | **authentik** | [![authentik](https://ag.hexor.cy/api/badge?name=authentik&revision=true)](https://ag.hexor.cy/applications/argocd/authentik) |
 | **cert-manager** | [![cert-manager](https://ag.hexor.cy/api/badge?name=cert-manager&revision=true)](https://ag.hexor.cy/applications/argocd/cert-manager) |
 | **external-secrets** | [![external-secrets](https://ag.hexor.cy/api/badge?name=external-secrets&revision=true)](https://ag.hexor.cy/applications/argocd/external-secrets) |
 | **gpu** | [![gpu](https://ag.hexor.cy/api/badge?name=gpu&revision=true)](https://ag.hexor.cy/applications/argocd/gpu) |
 | **kanidm** | [![kanidm](https://ag.hexor.cy/api/badge?name=kanidm&revision=true)](https://ag.hexor.cy/applications/argocd/kanidm) |
 | **keycloak** | [![keycloak](https://ag.hexor.cy/api/badge?name=keycloak&revision=true)](https://ag.hexor.cy/applications/argocd/keycloak) |
 | **kube-system-custom** | [![kube-system-custom](https://ag.hexor.cy/api/badge?name=kube-system-custom&revision=true)](https://ag.hexor.cy/applications/argocd/kube-system-custom) |
 | **kubernetes-dashboard** | [![kubernetes-dashboard](https://ag.hexor.cy/api/badge?name=kubernetes-dashboard&revision=true)](https://ag.hexor.cy/applications/argocd/kubernetes-dashboard) |
 | **longhorn** | [![longhorn](https://ag.hexor.cy/api/badge?name=longhorn&revision=true)](https://ag.hexor.cy/applications/argocd/longhorn) |
@@ -70,7 +70,7 @@ kind: Deployment
 metadata:
  name: gitea-runner
 spec:
-  replicas: 2
+  replicas: 1
  selector:
    matchLabels:
      app: gitea-runner
@@ -79,19 +79,11 @@ spec:
      labels:
        app: gitea-runner
    spec:
      dnsConfig:
        options:
          - name: ndots
            value: "2"
      tolerations:
        - key: workload
          operator: Equal
          value: desktop
          effect: NoSchedule
        - key: workload
          operator: Equal
          value: ai
          effect: NoSchedule
      volumes:
        - name: docker-sock
          hostPath:
@@ -101,12 +93,6 @@ spec:
          emptyDir:
            sizeLimit: 30Gi
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchLabels:
                  app: gitea-runner
              topologyKey: kubernetes.io/hostname
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 100
@@ -116,7 +102,6 @@ spec:
                operator: In
                values:
                - uk-desktop.tail2fe2d.ts.net
                - ai.tail2fe2d.ts.net
          - weight: 50
            preference:
              matchExpressions:
@@ -124,7 +109,22 @@ spec:
                operator: In
                values:
                - home.homenet
          - weight: 30
            preference:
              matchExpressions:
              - key: kubernetes.io/hostname
                operator: In
                values:
                - master.tail2fe2d.ts.net
          - weight: 10
            preference:
              matchExpressions:
              - key: kubernetes.io/hostname
                operator: In
                values:
                - it.tail2fe2d.ts.net
                - ch.tail2fe2d.ts.net
                - us.tail2fe2d.ts.net
      containers:
        - name: gitea-runner
          image: gitea/act_runner:nightly
@@ -144,18 +144,13 @@ spec:
              mountPath: /data
          env:
            - name: GITEA_INSTANCE_URL
              #value: "http://gitea.gitea.svc.cluster.local"
              value: "https://gt.hexor.cy"
            - name: GITEA_RUNNER_REGISTRATION_TOKEN
              valueFrom:
                secretKeyRef:
                  name: gitea-runner-act-runner-secrets
                  key: token
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: GITEA_RUNNER_NAME
-              value: "$(NODE_NAME)"
+              value: "k8s-runner"
            - name: GITEA_RUNNER_LABELS
              value: "ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest,ubuntu-22.04:docker://ghcr.io/catthehacker/ubuntu:act-22.04,ubuntu-20.04:docker://ghcr.io/catthehacker/ubuntu:act-20.04"
@@ -1,46 +0,0 @@
 ---
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: auth-proxy
 spec:
  forwardAuth:
    address: http://auth-proxy.auth-proxy.svc:80/auth
    trustForwardHeader: true
    authResponseHeaders:
      - X-Auth-Request-User
      - X-Auth-Request-Email
      - X-Auth-Request-Groups
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: secret-reader
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`pass.hexor.cy`)
      kind: Rule
      middlewares:
        - name: auth-proxy
      services:
        - name: secret-reader
          port: 80
  tls:
    secretName: secret-reader-tls
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: secret-reader-tls
 spec:
  secretName: secret-reader-tls
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer
  dnsNames:
    - pass.hexor.cy
@@ -12,5 +12,4 @@ resources:
  - ./telemt-servicemonitor.yaml
  - ./service.yaml
  - ./secret-reader.yaml
  - ./secret-reader-ingress.yaml
 # - ./storage.yaml
@@ -1,45 +0,0 @@
 ---
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: auth-proxy
 spec:
  forwardAuth:
    address: http://auth-proxy.auth-proxy.svc:80/auth
    trustForwardHeader: true
    authResponseHeaders:
      - X-Auth-Request-User
      - X-Auth-Request-Email
      - X-Auth-Request-Groups
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: secret-reader
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`secret-reader.hexor.cy`)
      kind: Rule
      middlewares:
        - name: auth-proxy
      services:
        - name: secret-reader
          port: 80
  tls:
    secretName: secret-reader-tls
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: secret-reader-tls
 spec:
  secretName: secret-reader-tls
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer
  dnsNames:
    - secret-reader.hexor.cy
@@ -1,5 +1,71 @@
 ---
-image: &image 'pasarguard/node:v0.4.0'
+apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: pasarguard-node
  labels:
    app: pasarguard-node
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: pasarguard-node-configmap
  labels:
    app: pasarguard-node
 rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "create", "update", "patch"]
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates"]
    verbs: ["get", "list", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list"]
  - apiGroups: [""]
    resources: ["services", "endpoints"]
    verbs: ["get", "list", "create", "update", "patch", "delete"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: pasarguard-node-configmap
  labels:
    app: pasarguard-node
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pasarguard-node-configmap
 subjects:
  - kind: ServiceAccount
    name: pasarguard-node
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: pasarguard-node-reader
  labels:
    app: pasarguard-node
 rules:
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: pasarguard-node-reader
  labels:
    app: pasarguard-node
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: pasarguard-node-reader
 subjects:
  - kind: ServiceAccount
    name: pasarguard-node
    namespace: pasarguard
 ---
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
@@ -47,7 +113,7 @@ spec:
              mountPath: /scripts
      containers:
        - name: pasarguard-node
-          image: *image
+          image: 'pasarguard/node:v0.3.0'
          imagePullPolicy: Always
          command:
            - /bin/sh
@@ -153,71 +219,3 @@ spec:
          configMap:
            name: pasarguard-scripts
            defaultMode: 0755
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: pasarguard-node
  labels:
    app: pasarguard-node
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: pasarguard-node-configmap
  labels:
    app: pasarguard-node
 rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "create", "update", "patch"]
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates"]
    verbs: ["get", "list", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list"]
  - apiGroups: [""]
    resources: ["services", "endpoints"]
    verbs: ["get", "list", "create", "update", "patch", "delete"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: pasarguard-node-configmap
  labels:
    app: pasarguard-node
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pasarguard-node-configmap
 subjects:
  - kind: ServiceAccount
    name: pasarguard-node
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: pasarguard-node-reader
  labels:
    app: pasarguard-node
 rules:
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: pasarguard-node-reader
  labels:
    app: pasarguard-node
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: pasarguard-node-reader
 subjects:
  - kind: ServiceAccount
    name: pasarguard-node
    namespace: pasarguard
@@ -1,5 +1,4 @@
 ---
 image: &image 'pasarguard/panel:v3.1.0'
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -35,7 +34,7 @@ spec:
              mountPath: /templates/subscription
      containers:
        - name: pasarguard-web
-          image: *image
+          image: 'pasarguard/panel:v3.1.0'
          imagePullPolicy: Always
          envFrom:
            - secretRef:
@@ -24,30 +24,31 @@ configs:
    statusbadge.enabled: true
    timeout.reconciliation: 60s
    oidc.config: |
-      name: Keycloak
+      name: Authentik
-      issuer: https://auth.hexor.cy/auth/realms/hexor
+      issuer: https://idm.hexor.cy/application/o/argocd/
      clientID: $oidc-creds:id
      clientSecret: $oidc-creds:secret
-      requestedScopes: ["openid", "profile", "email", "offline_access"]
+      requestedScopes: ["openid", "profile", "email", "groups", "offline_access"]
      requestedIDTokenClaims: {"groups": {"essential": true}}
      refreshTokenThreshold: 2m
  rbac:
    create: true
    policy.default: ""
    policy.csv: |
-        g, game-servers-managers, GameServersManagersRole
+      # Bound OIDC Group and internal role
-        # Role permissions
+      g, Game Servers Managers, GameServersManagersRole
-        p, GameServersManagersRole, applications, get, games/*, allow
+      # Role permissions
-        p, GameServersManagersRole, applications, update, games/*, allow
+      p, GameServersManagersRole, applications, get, games/*, allow
-        p, GameServersManagersRole, applications, sync, games/*, allow
+      p, GameServersManagersRole, applications, update, games/*, allow
-        p, GameServersManagersRole, applications, override, games/*, allow
+      p, GameServersManagersRole, applications, sync, games/*, allow
-        p, GameServersManagersRole, applications, action/*, games/*, allow
+      p, GameServersManagersRole, applications, override, games/*, allow
-        p, GameServersManagersRole, exec, create, games/*, allow
+      p, GameServersManagersRole, applications, action/*, games/*, allow
-        p, GameServersManagersRole, logs, get, games/*, allow
+      p, GameServersManagersRole, exec, create, games/*, allow
-        p, GameServersManagersRole, applications, delete, games/*, deny
+      p, GameServersManagersRole, logs, get, games/*, allow
-    
+      p, GameServersManagersRole, applications, delete, games/*, deny
-        # Admin policy
+
-        g, argocd-admins, role:admin
+      # Admin policy
      g, ArgoCD Admins, role:admin
  secret:
    createSecret: true
@@ -1,21 +0,0 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: auth-proxy
  namespace: argocd
 spec:
  project: core
  destination:
    namespace: auth-proxy
    server: https://kubernetes.default.svc
  source:
    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
    targetRevision: HEAD
    path: k8s/core/auth-proxy
  syncPolicy:
    automated:
      selfHeal: true
      prune: true
    syncOptions:
      - CreateNamespace=true
      - ServerSideApply=true
@@ -1,79 +0,0 @@
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: auth-proxy
  labels:
    app: auth-proxy
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: auth-proxy
  template:
    metadata:
      labels:
        app: auth-proxy
    spec:
      containers:
        - name: auth-proxy
          image: ultradesu/rsauth2-proxy:latest
          ports:
            - containerPort: 8080
              name: http
              protocol: TCP
          envFrom:
            - secretRef:
                name: auth-proxy-creds
          env:
            - name: AUTH_PROXY_OIDC_ISSUER
              value: "https://auth.hexor.cy/auth/realms/hexor"
            - name: AUTH_PROXY_COOKIE_DOMAIN
              value: ".hexor.cy"
            - name: AUTH_PROXY_CALLBACK_URL
              value: "https://oauth.hexor.cy/callback"
            - name: AUTH_PROXY_ROUTES_FILE
              value: "/config/routes.yaml"
            - name: AUTH_PROXY_LOG_LEVEL
              value: "debug"
          volumeMounts:
            - name: routes
              mountPath: /config
              readOnly: true
          resources:
            requests:
              cpu: 50m
              memory: 32Mi
            limits:
              cpu: 200m
              memory: 64Mi
          readinessProbe:
            httpGet:
              path: /health
              port: 8080
            initialDelaySeconds: 3
            periodSeconds: 10
          livenessProbe:
            httpGet:
              path: /health
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 30
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 1000
            runAsGroup: 1000
            capabilities:
              drop:
                - ALL
      volumes:
        - name: routes
          configMap:
            name: auth-proxy-routes
      nodeSelector:
        kubernetes.io/hostname: master.tail2fe2d.ts.net
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
@@ -1,40 +0,0 @@
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: auth-proxy-creds
 spec:
  target:
    name: auth-proxy-creds
    deletionPolicy: Delete
    template:
      type: Opaque
      data:
        AUTH_PROXY_CLIENT_ID: rsauth2-proxy
        AUTH_PROXY_CLIENT_SECRET: |-
          {{ .client_secret }}
        AUTH_PROXY_COOKIE_SECRET: |-
          {{ .cookie_secret }}
  data:
    - secretKey: client_secret
      sourceRef:
        storeRef:
          name: vaultwarden-login
          kind: ClusterSecretStore
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        metadataPolicy: None
        key: e62e8c4d-d538-43b2-a682-9cdf2a5a1165
        property: login.password
    - secretKey: cookie_secret
      sourceRef:
        storeRef:
          name: vaultwarden-login
          kind: ClusterSecretStore
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        metadataPolicy: None
        key: e62e8c4d-d538-43b2-a682-9cdf2a5a1165
        property: fields[0].value
@@ -1,28 +0,0 @@
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: auth-proxy
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`oauth.hexor.cy`)
      kind: Rule
      services:
        - name: auth-proxy
          port: 80
  tls:
    secretName: auth-proxy-tls
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: auth-proxy-tls
 spec:
  secretName: auth-proxy-tls
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer
  dnsNames:
    - oauth.hexor.cy
@@ -1,11 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - app.yaml
  - external-secrets.yaml
  - deployment.yaml
  - service.yaml
  - ingress.yaml
  - servicemonitor.yaml
 # routes.yaml ConfigMap is managed by Terraform (kubernetes_config_map)
@@ -1,15 +0,0 @@
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: auth-proxy
  labels:
    app: auth-proxy
 spec:
  ports:
    - name: http
      port: 80
      targetPort: 8080
      protocol: TCP
  selector:
    app: auth-proxy
@@ -1,21 +0,0 @@
 ---
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: auth-proxy-metrics
  labels:
    app: auth-proxy
    release: prometheus
 spec:
  selector:
    matchLabels:
      app: auth-proxy
  endpoints:
    - port: http
      path: /metrics
      interval: 30s
      scrapeTimeout: 10s
      honorLabels: true
  namespaceSelector:
    matchNames:
      - auth-proxy
@@ -1,21 +0,0 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: kanidm
  namespace: argocd
 spec:
  project: core
  destination:
    namespace: kanidm
    server: https://kubernetes.default.svc
  source:
    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
    targetRevision: HEAD
    path: k8s/core/kanidm
  syncPolicy:
    automated:
      selfHeal: true
      prune: true
    syncOptions:
      - CreateNamespace=true
      - ServerSideApply=true
@@ -1,12 +0,0 @@
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: kanidm-tls
 spec:
  secretName: kanidm-tls
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer
  dnsNames:
    - auth.hexor.cy
@@ -1,19 +0,0 @@
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: kanidm-config
 data:
  server.toml: |
    bindaddress = "[::]:443"
    db_path = "/data/kanidm.db"
    tls_chain = "/certs/tls.crt"
    tls_key = "/certs/tls.key"
    domain = "auth.hexor.cy"
    origin = "https://auth.hexor.cy"
    log_level = "info"
    [online_backup]
    path = "/data/backups/"
    schedule = "00 22 * * *"
    versions = 7
@@ -1,20 +0,0 @@
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: kanidm
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`auth.hexor.cy`)
      kind: Rule
      services:
        - name: kanidm
          port: 443
          scheme: https
          serversTransport: kanidm-transport
  tls:
    secretName: kanidm-ingress-tls
@@ -1,11 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - app.yaml
  - configmap.yaml
  - certificate.yaml
  - statefulset.yaml
  - service.yaml
  - ingress.yaml
  - servers-transport.yaml
@@ -1,7 +0,0 @@
 ---
 apiVersion: traefik.io/v1alpha1
 kind: ServersTransport
 metadata:
  name: kanidm-transport
 spec:
  insecureSkipVerify: true
@@ -1,15 +0,0 @@
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: kanidm
  labels:
    app: kanidm
 spec:
  ports:
    - name: https
      port: 443
      targetPort: 443
      protocol: TCP
  selector:
    app: kanidm
@@ -1,86 +0,0 @@
 ---
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
  name: kanidm
  labels:
    app: kanidm
 spec:
  serviceName: kanidm
  replicas: 1
  selector:
    matchLabels:
      app: kanidm
  template:
    metadata:
      labels:
        app: kanidm
    spec:
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
      containers:
        - name: kanidm
          image: kanidm/server:1.9.3
          ports:
            - containerPort: 443
              name: https
              protocol: TCP
          volumeMounts:
            - name: kanidm-data
              mountPath: /data
            - name: kanidm-config
              mountPath: /data/server.toml
              subPath: server.toml
              readOnly: true
            - name: kanidm-tls
              mountPath: /certs
              readOnly: true
          resources:
            requests:
              memory: "128Mi"
              cpu: "100m"
            limits:
              memory: "512Mi"
              cpu: "500m"
          readinessProbe:
            httpGet:
              path: /status
              port: 443
              scheme: HTTPS
            initialDelaySeconds: 5
            periodSeconds: 10
          livenessProbe:
            httpGet:
              path: /status
              port: 443
              scheme: HTTPS
            initialDelaySeconds: 15
            periodSeconds: 30
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: false
            runAsUser: 1000
            runAsGroup: 1000
      volumes:
        - name: kanidm-config
          configMap:
            name: kanidm-config
        - name: kanidm-tls
          secret:
            secretName: kanidm-tls
      nodeSelector:
        kubernetes.io/hostname: master.tail2fe2d.ts.net
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
  volumeClaimTemplates:
    - metadata:
        name: kanidm-data
      spec:
        accessModes: ["ReadWriteOnce"]
        storageClassName: longhorn
        resources:
          requests:
            storage: 1Gi
@@ -1,21 +0,0 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: keycloak
  namespace: argocd
 spec:
  project: core
  destination:
    namespace: keycloak
    server: https://kubernetes.default.svc
  source:
    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
    targetRevision: HEAD
    path: k8s/core/keycloak
  syncPolicy:
    automated:
      selfHeal: true
      prune: true
    syncOptions:
      - CreateNamespace=true
      - ServerSideApply=true
@@ -1,41 +0,0 @@
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: keycloak-creds
 spec:
  target:
    name: keycloak-creds
    deletionPolicy: Delete
    template:
      type: Opaque
      data:
        KC_DB_USERNAME: keycloak
        KC_DB_PASSWORD: |-
          {{ .db_password }}
        KC_BOOTSTRAP_ADMIN_USERNAME: admin
        KC_BOOTSTRAP_ADMIN_PASSWORD: |-
          {{ .admin_password }}
  data:
    - secretKey: db_password
      sourceRef:
        storeRef:
          name: vaultwarden-login
          kind: ClusterSecretStore
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        metadataPolicy: None
        key: 2a9deb39-ef22-433e-a1be-df1555625e22
        property: fields[18].value
    - secretKey: admin_password
      sourceRef:
        storeRef:
          name: vaultwarden-login
          kind: ClusterSecretStore
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        metadataPolicy: None
        key: 9422b636-a91d-40e4-bf98-925b2a3f831d
        property: login.password
@@ -1,14 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - app.yaml
  - external-secrets.yaml
 helmCharts:
  - name: keycloakx
    repo: https://codecentric.github.io/helm-charts
    version: 7.1.11
    releaseName: keycloak
    namespace: keycloak
    valuesFile: values.yaml
@@ -1,67 +0,0 @@
 replicas: 1
 image:
  repository: quay.io/keycloak/keycloak
  tag: "26.5.6"
 command:
  - "/opt/keycloak/bin/kc.sh"
  - "start"
  - "--http-port=8080"
  - "--hostname-strict=false"
  - "--proxy-headers=xforwarded"
 extraEnvFrom: |
  - secretRef:
      name: keycloak-creds
 extraEnv: |
  - name: KC_HOSTNAME
    value: auth.hexor.cy
  - name: JAVA_OPTS_APPEND
    value: "-Djgroups.dns.query=keycloak-headless.keycloak.svc"
 dbchecker:
  enabled: true
 database:
  vendor: postgres
  hostname: psql.psql.svc
  port: 5432
  database: keycloak
  existingSecret: keycloak-creds
  existingSecretKey: KC_DB_PASSWORD
 service:
  type: ClusterIP
 ingress:
  enabled: true
  ingressClassName: traefik
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
  rules:
    - host: auth.hexor.cy
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: keycloak-tls
      hosts:
        - auth.hexor.cy
 resources:
  requests:
    cpu: 200m
    memory: 512Mi
  limits:
    cpu: "1"
    memory: 1Gi
 nodeSelector:
  kubernetes.io/hostname: master.tail2fe2d.ts.net
 tolerations:
  - key: node-role.kubernetes.io/master
    effect: NoSchedule
@@ -135,8 +135,6 @@ spec:
          {{ .furumi }}
        USER_furumi_dev: |-
          {{ .furumi_dev }}
        USER_keycloak: |-
          {{ .keycloak }}
  data:
    - secretKey: authentik
      sourceRef:
@@ -325,14 +323,4 @@ spec:
        metadataPolicy: None
        key: 2a9deb39-ef22-433e-a1be-df1555625e22
        property: fields[17].value
-    - secretKey: keycloak
+
      sourceRef:
        storeRef:
          name: vaultwarden-login
          kind: ClusterSecretStore
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        metadataPolicy: None
        key: 2a9deb39-ef22-433e-a1be-df1555625e22
        property: fields[18].value
@@ -1,47 +0,0 @@
 # This file is maintained automatically by "terraform init".
 # Manual edits may be lost in future updates.
 provider "registry.terraform.io/hashicorp/kubernetes" {
  version     = "3.1.0"
  constraints = ">= 2.0.0"
  hashes = [
    "h1:G9QqKNpcztBRqrywtlNylFJSpGzDfRFtO8hcWLdkvRY=",
    "zh:0215c5c60be62028c09a2f22458e89cda3ef5830a632299f1d401eb3538874b0",
    "zh:09ebb9f442431e278a310a9423f32caf467cb4b3cad3fe59573ca71fa7b14e20",
    "zh:0c4e5912f83bb35846ae0a9ae54fc320706ee61894cd21cc6b4181b1c5a2fa5c",
    "zh:1678c982853ad461e65ccb5e79d585e13ed109dd47dab2a66d3a7a304faeef65",
    "zh:1c050a5c15e330457a9c18caacf61a923c59d663e13f2962e4b32f04fef523a0",
    "zh:2c55bcec83be58ec132c7cb0a1ac644758b800d794fdc636d53a0eada0358a3a",
    "zh:a062bb0aa316c08d8460c66a5d68da71da40de5d3bc3b31abcf3a1a9a19650f1",
    "zh:a26fdea0afaa9b247c73c0b42843ca51ba7db0ac2571f9d3d50dcabd20ca1b98",
    "zh:c872c9385a78d502bf5823d61cd3bb0f9a0585030e025eb12585c83451beeaa1",
    "zh:f180879af931182beee4c8c0d9dab62b81d86f17ddcbe3786ef4c7cec9163a4e",
    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
    "zh:f70f5789264069e0eef06f9b5d5fde955ef7206f7d446d1ce51a4c37a3f3e02f",
  ]
 }
 provider "registry.terraform.io/keycloak/keycloak" {
  version     = "5.7.0"
  constraints = ">= 5.0.0"
  hashes = [
    "h1:3DuKdVeOxwULh7l6bvJKWZvsgSZo92rtnrdvyp+X2Lc=",
    "zh:19be4505b17e4818db121a82917cb6723019cf379cfb82b720eaa2886f15bede",
    "zh:2bd1565ed22db6a9fb50d60626e22c277f3b034a71f65e6c0011e42f56cad2bb",
    "zh:34a9e2dfb06331dc6146491c4a0721001195c6a769cdc2d4546edb2acf2b39bd",
    "zh:3f86bf9eac6d73eeaa926471826b6888da77950f68e6a3a95dc2d9201a4a88fa",
    "zh:4b9053fde2c8dee6469c8b273bf5491a27228a1df28e30b86714118f0f876baf",
    "zh:522aa6bcecc6b8d517415237f4ec079488ef7de0e980a634bf6a8b481c13effc",
    "zh:52f85208815ca65b8d3cd5465b28005ba63f854122bc61fbf04925c986d48e78",
    "zh:636555042a6051d2e1113e5f945edb9f432e2d09b81cf6e50a59a534819d98dd",
    "zh:73a1fecfb3d9666bf87c2eb7d001281b8cfcd7132573b8c3d4febc2db55f0a2f",
    "zh:76fa26d055ceeb0869a50e4b63871f4b07f55045af6b46b83686016531e9fb22",
    "zh:8df147e619d7ac3d3f9840ba0d1895d34bde179e818863e2e7b52e2c05c12f58",
    "zh:9c830253990e13ec284d0d312fea562938e4a8fc664dacb3af5f1eb16dcae1ae",
    "zh:abd0bd630b362cd6f77fbb33625bc6f515782eb58cb096b4ce69dea252254aef",
    "zh:d1474a67ffc3288b2d0c99f6e8edc937ac8ef54afed0306e3c6f033aa836a5f6",
    "zh:ed19408f15667bfb572120858bdde929a20ce2d1f29468973905980c03299767",
    "zh:ef8bc311f7d1ad821b65ba43af92e2ce835e739d391098b13e01a61747b5c648",
    "zh:f57319d9a7ac387d5070c909fd0084ccfc296f1f3193efde995ae24aa1729a39",
  ]
 }
@@ -1,172 +0,0 @@
 # =============================================================================
 # Realm
 # =============================================================================
 resource "keycloak_realm" "hexor" {
  realm   = "hexor"
  enabled = true
  display_name = "Hexor"
  login_theme   = "keycloak"
  account_theme = "keycloak.v3"
  registration_allowed     = false
  reset_password_allowed   = true
  remember_me              = true
  verify_email             = false
  login_with_email_allowed = true
  duplicate_emails_allowed = false
  ssl_required = "external"
 }
 # =============================================================================
 # Google Identity Provider
 # =============================================================================
 resource "keycloak_oidc_google_identity_provider" "google" {
  realm         = keycloak_realm.hexor.id
  client_id     = var.google_client_id
  client_secret = var.google_client_secret
  trust_email = true
  sync_mode   = "IMPORT"
 }
 # =============================================================================
 # Standalone groups
 # =============================================================================
 resource "keycloak_group" "standalone" {
  for_each = toset(var.groups)
  realm_id = keycloak_realm.hexor.id
  name     = each.value
 }
 resource "keycloak_default_groups" "default" {
  realm_id  = keycloak_realm.hexor.id
  group_ids = [for g in keycloak_group.standalone : g.id if g.name == "users"]
 }
 # =============================================================================
 # rsauth2-proxy client (production)
 # =============================================================================
 resource "keycloak_openid_client" "rsauth2_proxy" {
  realm_id  = keycloak_realm.hexor.id
  client_id = "rsauth2-proxy"
  name                         = "rsauth2-proxy"
  enabled                      = true
  access_type                  = "CONFIDENTIAL"
  standard_flow_enabled        = true
  direct_access_grants_enabled = false
  valid_redirect_uris = [
    "https://oauth.hexor.cy/callback",
  ]
  web_origins = [
    "https://oauth.hexor.cy",
  ]
 }
 resource "keycloak_openid_group_membership_protocol_mapper" "rsauth2_proxy_groups" {
  realm_id   = keycloak_realm.hexor.id
  client_id  = keycloak_openid_client.rsauth2_proxy.id
  name       = "groups"
  claim_name = "groups"
  full_path  = false
 }
 resource "keycloak_openid_client_default_scopes" "rsauth2_proxy" {
  realm_id  = keycloak_realm.hexor.id
  client_id = keycloak_openid_client.rsauth2_proxy.id
  default_scopes = [
    "openid",
    "profile",
    "email",
  ]
 }
 # =============================================================================
 # rsauth2-proxy client (localhost testing)
 # =============================================================================
 resource "keycloak_openid_client" "rsauth2_proxy_dev" {
  realm_id  = keycloak_realm.hexor.id
  client_id = "rsauth2-proxy-dev"
  name                         = "rsauth2-proxy (dev)"
  enabled                      = true
  access_type                  = "CONFIDENTIAL"
  standard_flow_enabled        = true
  direct_access_grants_enabled = false
  valid_redirect_uris = [
    "http://localhost:8080/callback",
  ]
  web_origins = [
    "http://localhost:8080",
  ]
 }
 resource "keycloak_openid_group_membership_protocol_mapper" "rsauth2_proxy_dev_groups" {
  realm_id   = keycloak_realm.hexor.id
  client_id  = keycloak_openid_client.rsauth2_proxy_dev.id
  name       = "groups"
  claim_name = "groups"
  full_path  = false
 }
 resource "keycloak_openid_client_default_scopes" "rsauth2_proxy_dev" {
  realm_id  = keycloak_realm.hexor.id
  client_id = keycloak_openid_client.rsauth2_proxy_dev.id
  default_scopes = [
    "openid",
    "profile",
    "email",
  ]
 }
 # =============================================================================
 # Proxy applications — auto-created groups + routes ConfigMap
 # =============================================================================
 resource "keycloak_group" "app" {
  for_each = var.proxy_applications
  realm_id = keycloak_realm.hexor.id
  name     = "app-${each.key}"
 }
 locals {
  app_allowed_groups = {
    for k, v in var.proxy_applications : k => concat(
      ["app-${k}"],
      v.allowed_groups
    )
  }
 }
 resource "kubernetes_config_map" "auth_proxy_routes" {
  metadata {
    name      = "auth-proxy-routes"
    namespace = "auth-proxy"
  }
  data = {
    "routes.yaml" = yamlencode({
      routes = {
        for k, v in var.proxy_applications : v.domain => {
          allowed_groups = local.app_allowed_groups[k]
        }
      }
    })
  }
 }
@@ -1,37 +0,0 @@
 output "realm_id" {
  value = keycloak_realm.hexor.id
 }
 output "google_idp_alias" {
  value = keycloak_oidc_google_identity_provider.google.alias
 }
 output "rsauth2_proxy_client_id" {
  value = keycloak_openid_client.rsauth2_proxy.client_id
 }
 output "rsauth2_proxy_client_secret" {
  value     = keycloak_openid_client.rsauth2_proxy.client_secret
  sensitive = true
 }
 output "rsauth2_proxy_dev_client_id" {
  value = keycloak_openid_client.rsauth2_proxy_dev.client_id
 }
 output "rsauth2_proxy_dev_client_secret" {
  value     = keycloak_openid_client.rsauth2_proxy_dev.client_secret
  sensitive = true
 }
 output "standalone_groups" {
  value = [for g in keycloak_group.standalone : g.name]
 }
 output "app_groups" {
  value = { for k, g in keycloak_group.app : k => g.name }
 }
 output "app_allowed_groups" {
  value = local.app_allowed_groups
 }
@@ -1,23 +0,0 @@
 terraform {
  required_providers {
    keycloak = {
      source  = "keycloak/keycloak"
      version = ">= 5.0.0"
    }
    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = ">= 2.0.0"
    }
  }
 }
 provider "keycloak" {
  url           = var.keycloak_url
  base_path     = "/auth"
  client_id     = var.keycloak_client_id
  client_secret = var.keycloak_client_secret
 }
 provider "kubernetes" {
  config_path = var.kubeconfig_path
 }
@@ -1,8 +0,0 @@
 terraform {
  cloud {
    organization = "ultradesu"
    workspaces {
      name = "Keycloak"
    }
  }
 }
@@ -1,49 +0,0 @@
 variable "keycloak_url" {
  description = "Keycloak URL (set via TF_VAR_keycloak_url)"
  type        = string
  default     = "https://auth.hexor.cy"
 }
 variable "keycloak_client_id" {
  description = "Keycloak Terraform client ID (set via TF_VAR_keycloak_client_id)"
  type        = string
  default     = "terraform"
 }
 variable "keycloak_client_secret" {
  description = "Keycloak Terraform client secret (set via TF_VAR_keycloak_client_secret)"
  type        = string
  sensitive   = true
 }
 variable "kubeconfig_path" {
  description = "Path to kubeconfig (set via TF_VAR_kubeconfig_path or KUBE_CONFIG_PATH)"
  type        = string
  default     = "~/.kube/config"
 }
 variable "google_client_id" {
  description = "Google OAuth client ID (set via TF_VAR_google_client_id)"
  type        = string
 }
 variable "google_client_secret" {
  description = "Google OAuth client secret (set via TF_VAR_google_client_secret)"
  type        = string
  sensitive   = true
 }
 variable "groups" {
  description = "Standalone Keycloak groups"
  type        = list(string)
  default     = []
 }
 variable "proxy_applications" {
  description = "Proxy applications protected by rsauth2-proxy"
  type = map(object({
    domain         = string
    allowed_groups = optional(list(string), [])
  }))
  default = {}
 }