Auto-update README with current k8s applications

Generated by CI/CD workflow on 2026-06-04 16:39:52

This PR updates the README.md file with the current list of applications found in the k8s/ directory structure.

README.md

@@ -13,15 +13,19 @@ ArgoCD homelab project
 | Application | Status |
 | :--- | :---: |
 | **argocd** | [![argocd](https://ag.hexor.cy/api/badge?name=argocd&revision=true)](https://ag.hexor.cy/applications/argocd/argocd) |
+| **auth-proxy** | [![auth-proxy](https://ag.hexor.cy/api/badge?name=auth-proxy&revision=true)](https://ag.hexor.cy/applications/argocd/auth-proxy) |
 | **authentik** | [![authentik](https://ag.hexor.cy/api/badge?name=authentik&revision=true)](https://ag.hexor.cy/applications/argocd/authentik) |
 | **cert-manager** | [![cert-manager](https://ag.hexor.cy/api/badge?name=cert-manager&revision=true)](https://ag.hexor.cy/applications/argocd/cert-manager) |
 | **external-secrets** | [![external-secrets](https://ag.hexor.cy/api/badge?name=external-secrets&revision=true)](https://ag.hexor.cy/applications/argocd/external-secrets) |
 | **gpu** | [![gpu](https://ag.hexor.cy/api/badge?name=gpu&revision=true)](https://ag.hexor.cy/applications/argocd/gpu) |
+| **kanidm** | [![kanidm](https://ag.hexor.cy/api/badge?name=kanidm&revision=true)](https://ag.hexor.cy/applications/argocd/kanidm) |
+| **keycloak** | [![keycloak](https://ag.hexor.cy/api/badge?name=keycloak&revision=true)](https://ag.hexor.cy/applications/argocd/keycloak) |
 | **kube-system-custom** | [![kube-system-custom](https://ag.hexor.cy/api/badge?name=kube-system-custom&revision=true)](https://ag.hexor.cy/applications/argocd/kube-system-custom) |
 | **kubernetes-dashboard** | [![kubernetes-dashboard](https://ag.hexor.cy/api/badge?name=kubernetes-dashboard&revision=true)](https://ag.hexor.cy/applications/argocd/kubernetes-dashboard) |
 | **longhorn** | [![longhorn](https://ag.hexor.cy/api/badge?name=longhorn&revision=true)](https://ag.hexor.cy/applications/argocd/longhorn) |
 | **postgresql** | [![postgresql](https://ag.hexor.cy/api/badge?name=postgresql&revision=true)](https://ag.hexor.cy/applications/argocd/postgresql) |
 | **prom-stack** | [![prom-stack](https://ag.hexor.cy/api/badge?name=prom-stack&revision=true)](https://ag.hexor.cy/applications/argocd/prom-stack) |
+| **reloader** | [![reloader](https://ag.hexor.cy/api/badge?name=reloader&revision=true)](https://ag.hexor.cy/applications/argocd/reloader) |
 | **system-upgrade** | [![system-upgrade](https://ag.hexor.cy/api/badge?name=system-upgrade&revision=true)](https://ag.hexor.cy/applications/argocd/system-upgrade) |
 
 ### Games
@@ -39,8 +43,7 @@ ArgoCD homelab project
 | Application | Status |
 | :--- | :---: |
 | **comfyui** | [![comfyui](https://ag.hexor.cy/api/badge?name=comfyui&revision=true)](https://ag.hexor.cy/applications/argocd/comfyui) |
-| **furumi-dev** | [![furumi-dev](https://ag.hexor.cy/api/badge?name=furumi-dev&revision=true)](https://ag.hexor.cy/applications/argocd/furumi-dev) |
-| **furumi-server** | [![furumi-server](https://ag.hexor.cy/api/badge?name=furumi-server&revision=true)](https://ag.hexor.cy/applications/argocd/furumi-server) |
+| **furumi** | [![furumi](https://ag.hexor.cy/api/badge?name=furumi&revision=true)](https://ag.hexor.cy/applications/argocd/furumi) |
 | **gitea** | [![gitea](https://ag.hexor.cy/api/badge?name=gitea&revision=true)](https://ag.hexor.cy/applications/argocd/gitea) |
 | **greece-notifier** | [![greece-notifier](https://ag.hexor.cy/api/badge?name=greece-notifier&revision=true)](https://ag.hexor.cy/applications/argocd/greece-notifier) |
 | **hexound** | [![hexound](https://ag.hexor.cy/api/badge?name=hexound&revision=true)](https://ag.hexor.cy/applications/argocd/hexound) |
@@ -50,6 +53,7 @@ ArgoCD homelab project
 | **k8s-secrets** | [![k8s-secrets](https://ag.hexor.cy/api/badge?name=k8s-secrets&revision=true)](https://ag.hexor.cy/applications/argocd/k8s-secrets) |
 | **khm** | [![khm](https://ag.hexor.cy/api/badge?name=khm&revision=true)](https://ag.hexor.cy/applications/argocd/khm) |
 | **lidarr** | [![lidarr](https://ag.hexor.cy/api/badge?name=lidarr&revision=true)](https://ag.hexor.cy/applications/argocd/lidarr) |
+| **llamacpp** | [![llamacpp](https://ag.hexor.cy/api/badge?name=llamacpp&revision=true)](https://ag.hexor.cy/applications/argocd/llamacpp) |
 | **matrix** | [![matrix](https://ag.hexor.cy/api/badge?name=matrix&revision=true)](https://ag.hexor.cy/applications/argocd/matrix) |
 | **mtproxy** | [![mtproxy](https://ag.hexor.cy/api/badge?name=mtproxy&revision=true)](https://ag.hexor.cy/applications/argocd/mtproxy) |
 | **n8n** | [![n8n](https://ag.hexor.cy/api/badge?name=n8n&revision=true)](https://ag.hexor.cy/applications/argocd/n8n) |
@@ -62,9 +66,12 @@ ArgoCD homelab project
 | **sonarr-stack** | [![sonarr-stack](https://ag.hexor.cy/api/badge?name=sonarr-stack&revision=true)](https://ag.hexor.cy/applications/argocd/sonarr-stack) |
 | **stirling-pdf** | [![stirling-pdf](https://ag.hexor.cy/api/badge?name=stirling-pdf&revision=true)](https://ag.hexor.cy/applications/argocd/stirling-pdf) |
 | **syncthing** | [![syncthing](https://ag.hexor.cy/api/badge?name=syncthing&revision=true)](https://ag.hexor.cy/applications/argocd/syncthing) |
+| **teamspeak** | [![teamspeak](https://ag.hexor.cy/api/badge?name=teamspeak&revision=true)](https://ag.hexor.cy/applications/argocd/teamspeak) |
 | **tg-bots** | [![tg-bots](https://ag.hexor.cy/api/badge?name=tg-bots&revision=true)](https://ag.hexor.cy/applications/argocd/tg-bots) |
 | **vaultwarden** | [![vaultwarden](https://ag.hexor.cy/api/badge?name=vaultwarden&revision=true)](https://ag.hexor.cy/applications/argocd/vaultwarden) |
 | **vpn** | [![vpn](https://ag.hexor.cy/api/badge?name=vpn&revision=true)](https://ag.hexor.cy/applications/argocd/vpn) |
+| **web-petting** | [![web-petting](https://ag.hexor.cy/api/badge?name=web-petting&revision=true)](https://ag.hexor.cy/applications/argocd/web-petting) |
+| **wedding** | [![wedding](https://ag.hexor.cy/api/badge?name=wedding&revision=true)](https://ag.hexor.cy/applications/argocd/wedding) |
 | **xandikos** | [![xandikos](https://ag.hexor.cy/api/badge?name=xandikos&revision=true)](https://ag.hexor.cy/applications/argocd/xandikos) |
 
 </td>

k8s/apps/llamacpp/app.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: llamacpp
+  namespace: argocd
+spec:
+  project: apps
+  destination:
+    namespace: llamacpp
+    server: https://kubernetes.default.svc
+  source:
+    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
+    targetRevision: HEAD
+    path: k8s/apps/llamacpp
+  syncPolicy:
+    automated:
+      selfHeal: true
+      prune: true
+    syncOptions:
+      - CreateNamespace=true

k8s/apps/llamacpp/configmap.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: llamacpp-config
+data:
+  LLAMA_CACHE: /models
+  LLAMA_ARG_HOST: 0.0.0.0
+  LLAMA_ARG_PORT: "8080"
+  LLAMA_ARG_HF_REPO: "unsloth/Qwen3.6-35B-A3B-MTP-GGUF:UD-Q6_K"
+  LLAMA_ARG_CTX_SIZE: "32768"
+  LLAMA_ARG_FLASH_ATTN: auto
+  LLAMA_ARG_FIT: "on"

k8s/apps/llamacpp/deployment.yaml

@@ -0,0 +1,70 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: llamacpp
+  annotations:
+    reloader.stakater.com/auto: "true"
+  labels:
+    app: llamacpp
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: llamacpp
+  template:
+    metadata:
+      labels:
+        app: llamacpp
+    spec:
+      nodeSelector:
+        kubernetes.io/hostname: ai.tail2fe2d.ts.net
+      tolerations:
+        - key: workload
+          operator: Equal
+          value: ai
+          effect: NoSchedule
+      containers:
+        - name: llamacpp
+          image: ghcr.io/ggml-org/llama.cpp:server-rocm-b9501 
+          imagePullPolicy: IfNotPresent
+          envFrom:
+            - configMapRef:
+                name: llamacpp-config
+          env:
+            - name: HF_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: llamacpp-hf-token
+                  key: token
+                  optional: true
+          ports:
+            - name: http
+              containerPort: 8080
+              protocol: TCP
+          resources:
+            limits:
+              amd.com/gpu: 1
+          startupProbe:
+            httpGet:
+              path: /health
+              port: http
+            failureThreshold: 180
+            periodSeconds: 10
+            timeoutSeconds: 5
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: http
+            failureThreshold: 3
+            periodSeconds: 10
+            timeoutSeconds: 5
+          volumeMounts:
+            - name: models
+              mountPath: /models
+      volumes:
+        - name: models
+          hostPath:
+            path: /k8s/llamacpp/models
+            type: DirectoryOrCreate

k8s/apps/llamacpp/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - app.yaml
+  - configmap.yaml
+  - deployment.yaml
+  - service.yaml

k8s/apps/llamacpp/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: llamacpp
+  labels:
+    app: llamacpp
+spec:
+  type: ClusterIP
+  selector:
+    app: llamacpp
+  ports:
+    - name: http
+      port: 8080
+      targetPort: http
+      protocol: TCP

k8s/apps/mtproxy/secret-reader-ingress.yaml

@@ -22,7 +22,7 @@ spec:
   entryPoints:
     - websecure
   routes:
-    - match: Host(`secret-reader.hexor.cy`)
+    - match: Host(`proxy.hexor.cy`)
       kind: Rule
       middlewares:
         - name: auth-proxy
@@ -30,16 +30,16 @@ spec:
         - name: secret-reader
           port: 80
   tls:
-    secretName: secret-reader-tls
+    secretName: proxy-tls
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: secret-reader-tls
+  name: proxy-tls
 spec:
-  secretName: secret-reader-tls
+  secretName: proxy-tls
   issuerRef:
     name: letsencrypt
     kind: ClusterIssuer
   dnsNames:
-    - secret-reader.hexor.cy
+    - proxy.hexor.cy

k8s/apps/ollama/kustomization.yaml

@@ -9,18 +9,18 @@ resources:
 helmCharts:
   - name: ollama
     repo: https://otwld.github.io/ollama-helm/
-    version: 1.49.0
+    version: 1.58.0
     releaseName: ollama
     namespace: ollama
     valuesFile: ollama-values.yaml
     includeCRDs: true
   - name: open-webui
     repo: https://helm.openwebui.com/
-    version: 12.10.0
+    version: 14.8.0
     releaseName: openweb-ui
     namespace: ollama
     valuesFile: openweb-ui-values.yaml
     includeCRDs: true
 
 patches:
-  - path: patch-runtimeclass.yaml
+  - path: patch-runtimeclass.yaml

k8s/apps/ollama/openweb-ui-values.yaml

@@ -2,8 +2,8 @@ clusterDomain: cluster.local
 
 extraEnvVars:
   GLOBAL_LOG_LEVEL: debug
-  OAUTH_PROVIDER_NAME: authentik
-  OPENID_PROVIDER_URL: https://idm.hexor.cy/application/o/openwebui/.well-known/openid-configuration
+  OAUTH_PROVIDER_NAME: keycloak
+  OPENID_PROVIDER_URL: https://auth.hexor.cy/auth/realms/hexor/.well-known/openid-configuration
   OPENID_REDIRECT_URI: https://ai.hexor.cy/oauth/oidc/callback
   WEBUI_URL: https://ai.hexor.cy
   # Allows auto-creation of new users using OAuth. Must be paired with ENABLE_LOGIN_FORM=false.
@@ -31,7 +31,7 @@ ollama:
         - qwen3-vl:8b
         
 pipelines:
-  enabled: true
+  enabled: false
   nodeSelector:
     kubernetes.io/hostname: master.tail2fe2d.ts.net
   
@@ -57,4 +57,4 @@ ingress:
       traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
     host: "ai.hexor.cy"
     tls: true
-    existingSecret: ollama-tls
+    existingSecret: ollama-tls

k8s/apps/pasarguard/configmap-scripts.yaml

@@ -236,29 +236,52 @@ data:
 
     cd /app
     
-    # Start main process in background
-    ./main &
-    MAIN_PID=$!
-    
-    # Start continuous port monitoring in background
+    write_xray_api_port() {
+      API_PORT="$1"
+      case "$API_PORT" in
+        ""|*[!0-9]*)
+          return
+          ;;
+      esac
+
+      CURRENT_PORT=""
+      if [ -f /shared/xray-api-port ]; then
+        CURRENT_PORT=$(cat /shared/xray-api-port)
+      fi
+
+      if [ "$API_PORT" != "$CURRENT_PORT" ]; then
+        echo "Found xray API port: $API_PORT"
+        echo -n "$API_PORT" > /shared/xray-api-port
+      fi
+    }
+
+    LOG_PIPE="/tmp/pasarguard-main.log"
+    rm -f "$LOG_PIPE"
+    mkfifo "$LOG_PIPE"
+
+    # Capture main logs so the Xray API listener is not confused with Xray's metrics listener.
     {
-      sleep 10  # Wait for xray to start initially
-      LAST_PORT=""
-      
-      while true; do
-        API_PORT=$(netstat -tlpn | grep xray | grep 127.0.0.1 | awk '{print $4}' | cut -d: -f2 | head -1)
-        if [ -n "$API_PORT" ] && [ "$API_PORT" != "$LAST_PORT" ]; then
-          echo "Found xray API port: $API_PORT"
-          echo -n "$API_PORT" > /shared/xray-api-port
-          LAST_PORT="$API_PORT"
-        fi
-        sleep 5  # Check every 5 seconds
+      while IFS= read -r line; do
+        echo "$line"
+        case "$line" in
+          *"transport/internet/tcp: listening TCP on 127.0.0.1:"*)
+            API_PORT=$(echo "$line" | sed -n 's/.*listening TCP on 127\.0\.0\.1:\([0-9][0-9]*\).*/\1/p')
+            write_xray_api_port "$API_PORT"
+            ;;
+        esac
       done
-    } &
-    PORT_MONITOR_PID=$!
-    
+    } < "$LOG_PIPE" &
+    LOG_READER_PID=$!
+
+    # Start main process in background
+    ./main > "$LOG_PIPE" 2>&1 &
+    MAIN_PID=$!
+
     # Wait for main process to finish
     wait $MAIN_PID
-    
-    # Clean up port monitor
-    kill $PORT_MONITOR_PID 2>/dev/null
+    MAIN_STATUS=$?
+
+    # Clean up log reader
+    wait $LOG_READER_PID 2>/dev/null
+    rm -f "$LOG_PIPE"
+    exit $MAIN_STATUS

k8s/apps/pasarguard/daemonset.yaml

@@ -116,14 +116,20 @@ spec:
             - name: metrics
               containerPort: 9550
               protocol: TCP
-          livenessProbe:
+          startupProbe:
             httpGet:
               path: /scrape
               port: metrics
+            periodSeconds: 10
+            timeoutSeconds: 5
+            failureThreshold: 36
+          livenessProbe:
+            tcpSocket:
+              port: metrics
             initialDelaySeconds: 60
             periodSeconds: 30
             timeoutSeconds: 10
-            failureThreshold: 3
+            failureThreshold: 6
           readinessProbe:
             httpGet:
               path: /scrape

k8s/core/gpu/amd-gpu-values.yaml

@@ -0,0 +1,31 @@
+nfd:
+  enabled: false
+
+labeller:
+  enabled: false
+
+dp:
+  image:
+    repository: docker.io/rocm/k8s-device-plugin
+    tag: "1.31.0.9"
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 1
+
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - ALL
+
+tolerations:
+  - key: workload
+    operator: Equal
+    value: ai
+    effect: NoSchedule
+
+node_selector_enabled: true
+node_selector:
+  kubernetes.io/arch: amd64
+  kubernetes.io/hostname: ai.tail2fe2d.ts.net

k8s/core/gpu/kustomization.yaml

@@ -13,3 +13,24 @@ helmCharts:
     namespace: gpu-system
     valuesFile: values.yaml
     includeCRDs: true
+  - name: amd-gpu
+    repo: https://rocm.github.io/k8s-device-plugin/
+    version: 0.21.0
+    releaseName: amd-gpu-device-plugin
+    namespace: gpu-system
+    valuesFile: amd-gpu-values.yaml
+    includeCRDs: true
+
+patches:
+  - target:
+      group: apps
+      version: v1
+      kind: DaemonSet
+      name: amd-gpu-device-plugin-daemonset
+      namespace: gpu-system
+    patch: |-
+      - op: replace
+        path: /spec/template/spec/nodeSelector
+        value:
+          kubernetes.io/arch: amd64
+          kubernetes.io/hostname: ai.tail2fe2d.ts.net

terraform/keycloak/terraform.tfvars

@@ -9,12 +9,12 @@ groups = [
 
 proxy_applications = {
   secret-reader = {
-    domain         = "secret-reader.hexor.cy"
-    allowed_groups = ["hexor-guest", "hexor-admin"]
+    domain         = "proxy.hexor.cy"
+    allowed_groups = ["hexor-admin", "app-pass"]
   }
   pass = {
     domain         = "pass.hexor.cy"
-    allowed_groups = ["hexor-guest", "hexor-admin"]
+    allowed_groups = ["hexor-admin", "app-pass"]
   }
 }
 
@@ -40,6 +40,11 @@ oauth2_applications = {
     web_origins               = ["https://gf.hexor.cy"]
     post_logout_redirect_uris = ["https://gf.hexor.cy/*"]
   }
+  openwebui = {
+    redirect_uris             = ["https://ai.hexor.cy/oauth/oidc/callback"]
+    web_origins               = ["https://ai.hexor.cy"]
+    post_logout_redirect_uris = ["https://ai.hexor.cy/*"]
+  }
   FuruMusic = {
     redirect_uris             = ["https://music.hexor.cy/auth/oidc/callback"]
     web_origins               = ["https://music.hexor.cy"]
@@ -56,4 +61,3 @@ oauth2_applications = {
     post_logout_redirect_uris = ["https://pet.hexor.cy/*", "https://xn--l1acako8eb.xn--p1ai/*", "https://мурняня.рф/*"]
   }
 }
-