Auto-update README with current k8s applications

Generated by CI/CD workflow on 2026-06-16 01:24:46

This PR updates the README.md file with the current list of applications found in the k8s/ directory structure.

README.md

@@ -53,6 +53,7 @@ ArgoCD homelab project
 | **k8s-secrets** | [![k8s-secrets](https://ag.hexor.cy/api/badge?name=k8s-secrets&revision=true)](https://ag.hexor.cy/applications/argocd/k8s-secrets) |
 | **khm** | [![khm](https://ag.hexor.cy/api/badge?name=khm&revision=true)](https://ag.hexor.cy/applications/argocd/khm) |
 | **lidarr** | [![lidarr](https://ag.hexor.cy/api/badge?name=lidarr&revision=true)](https://ag.hexor.cy/applications/argocd/lidarr) |
+| **llamacpp** | [![llamacpp](https://ag.hexor.cy/api/badge?name=llamacpp&revision=true)](https://ag.hexor.cy/applications/argocd/llamacpp) |
 | **matrix** | [![matrix](https://ag.hexor.cy/api/badge?name=matrix&revision=true)](https://ag.hexor.cy/applications/argocd/matrix) |
 | **mtproxy** | [![mtproxy](https://ag.hexor.cy/api/badge?name=mtproxy&revision=true)](https://ag.hexor.cy/applications/argocd/mtproxy) |
 | **n8n** | [![n8n](https://ag.hexor.cy/api/badge?name=n8n&revision=true)](https://ag.hexor.cy/applications/argocd/n8n) |

k8s/apps/llamacpp/configmap.yaml

@@ -6,7 +6,7 @@ data:
   LLAMA_CACHE: /models
   LLAMA_ARG_HOST: 0.0.0.0
   LLAMA_ARG_PORT: "8080"
-  LLAMA_ARG_HF_REPO: unsloth/Qwen3.6-35B-A3B-MTP-GGUF:UD-Q6_K
+  LLAMA_ARG_HF_REPO: "unsloth/Qwen3.6-35B-A3B-MTP-GGUF:UD-Q6_K"
   LLAMA_ARG_CTX_SIZE: "32768"
   LLAMA_ARG_FLASH_ATTN: auto
   LLAMA_ARG_FIT: "on"

k8s/apps/llamacpp/deployment.yaml

@@ -18,6 +18,7 @@ spec:
       labels:
         app: llamacpp
     spec:
+      dnsPolicy: Default
       nodeSelector:
         kubernetes.io/hostname: ai.tail2fe2d.ts.net
       tolerations:

k8s/apps/matrix/external-secrets.yaml

@@ -53,8 +53,8 @@ spec:
           upstream_oauth2:
             providers:
               - id: 001KKV4EKY7KG98W2M9T806K6A
-                human_name: Authentik
-                issuer: https://idm.hexor.cy/application/o/matrix/
+                human_name: SSO Login
+                issuer: https://auth.hexor.cy/auth/realms/hexor
                 client_id: "{{ .oauth_client_id }}"
                 client_secret: "{{ .oauth_client_secret }}"
                 token_endpoint_auth_method: client_secret_post
@@ -93,3 +93,4 @@ spec:
         metadataPolicy: None
         key: ca76867f-49f3-4a30-9ef3-b05af35ee49a
         property: fields[1].value
+                    on_conflict: replace

k8s/apps/paperless/external-secrets.yaml

@@ -18,8 +18,8 @@ spec:
             "openid_connect": {
               "APPS": [
                 {
-                  "provider_id": "authentik",
-                  "name": "Authentik",
+                  "provider_id": "keycloak",
+                  "name": "Keycloak",
                   "client_id": "{{ .oauth_id }}",
                   "secret": "{{ .oauth_secret }}",
                   "settings": {

k8s/apps/pasarguard/daemonset.yaml

@@ -46,7 +46,7 @@ spec:
               mountPath: /scripts
       containers:
         - name: pasarguard-node
-          image: pasarguard/node:v0.5.0
+          image: pasarguard/node:v0.5.2
           imagePullPolicy: Always
           command:
             - /bin/sh

k8s/apps/pasarguard/deployment.yaml

@@ -34,7 +34,7 @@ spec:
               mountPath: /templates/subscription
       containers:
         - name: pasarguard-web
-          image: pasarguard/panel:v4.0.2
+          image: pasarguard/panel:v5.0.1
           imagePullPolicy: Always
           envFrom:
             - secretRef:

k8s/core/kube-system-custom/kustomization.yaml

@@ -6,6 +6,7 @@ resources:
   - nfs-storage.yaml
   - coredns-internal-resolve.yaml
   - https-middleware.yaml
+  - node-external-ip-labeler.yaml
 
 helmCharts:
   - name: csi-driver-nfs
@@ -15,4 +16,3 @@ helmCharts:
     namespace: kube-system
     #valuesFile: values.yaml
     includeCRDs: true
-

k8s/core/kube-system-custom/node-external-ip-labeler.yaml

@@ -0,0 +1,173 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: node-external-ip-labeler
+  namespace: kube-system
+  labels:
+    app: node-external-ip-labeler
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: node-external-ip-labeler
+  labels:
+    app: node-external-ip-labeler
+rules:
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get", "list", "patch", "update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: node-external-ip-labeler
+  labels:
+    app: node-external-ip-labeler
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: node-external-ip-labeler
+subjects:
+  - kind: ServiceAccount
+    name: node-external-ip-labeler
+    namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: node-external-ip-labeler
+  namespace: kube-system
+  labels:
+    app: node-external-ip-labeler
+rules:
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: node-external-ip-labeler
+  namespace: kube-system
+  labels:
+    app: node-external-ip-labeler
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: node-external-ip-labeler
+subjects:
+  - kind: ServiceAccount
+    name: node-external-ip-labeler
+    namespace: kube-system
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: node-external-ip-labeler
+  namespace: kube-system
+  labels:
+    app: node-external-ip-labeler
+spec:
+  schedule: "17 3 * * *"
+  concurrencyPolicy: Forbid
+  successfulJobsHistoryLimit: 3
+  failedJobsHistoryLimit: 3
+  jobTemplate:
+    spec:
+      backoffLimit: 1
+      template:
+        metadata:
+          labels:
+            app: node-external-ip-labeler
+        spec:
+          serviceAccountName: node-external-ip-labeler
+          restartPolicy: Never
+          tolerations:
+            - operator: Exists
+          containers:
+            - name: fanout
+              image: bitnami/kubectl:latest
+              imagePullPolicy: IfNotPresent
+              command:
+                - /bin/bash
+                - -lc
+              args:
+                - |
+                  set -euo pipefail
+
+                  clean_name() {
+                    echo "$1" \
+                      | tr '[:upper:]' '[:lower:]' \
+                      | tr -c 'a-z0-9-' '-' \
+                      | sed 's/^-*//;s/-*$//' \
+                      | cut -c1-45
+                  }
+
+                  for NODE_NAME in $(kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}'); do
+                    NODE_CLEAN="$(clean_name "${NODE_NAME}")"
+                    JOB_NAME="node-external-ip-${NODE_CLEAN}"
+
+                    kubectl delete job "${JOB_NAME}" -n kube-system --ignore-not-found=true --wait=true --timeout=60s
+
+                    cat <<EOF | kubectl apply -f -
+                  apiVersion: batch/v1
+                  kind: Job
+                  metadata:
+                    name: ${JOB_NAME}
+                    namespace: kube-system
+                    labels:
+                      app: node-external-ip-labeler
+                      target-node: "${NODE_CLEAN}"
+                  spec:
+                    ttlSecondsAfterFinished: 86400
+                    backoffLimit: 2
+                    template:
+                      metadata:
+                        labels:
+                          app: node-external-ip-labeler
+                          target-node: "${NODE_CLEAN}"
+                      spec:
+                        serviceAccountName: node-external-ip-labeler
+                        nodeName: "${NODE_NAME}"
+                        hostNetwork: true
+                        dnsPolicy: ClusterFirstWithHostNet
+                        restartPolicy: Never
+                        tolerations:
+                          - operator: Exists
+                        containers:
+                          - name: label-node
+                            image: bitnami/kubectl:latest
+                            imagePullPolicy: IfNotPresent
+                            env:
+                              - name: NODE_NAME
+                                value: "${NODE_NAME}"
+                            command:
+                              - /bin/bash
+                              - -lc
+                            args:
+                              - |
+                                set -euo pipefail
+
+                                json_ip() {
+                                  sed -n 's/.*"ip"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
+                                }
+
+                                IPV4="\$(curl -fsS --connect-timeout 10 --max-time 30 'https://api.ipify.org?format=json' | json_ip)"
+                                IP64="\$(curl -fsS --connect-timeout 10 --max-time 30 'https://api64.ipify.org?format=json' | json_ip || true)"
+
+                                if [ -z "\${IPV4}" ]; then
+                                  echo "Unable to detect external IPv4 for node ${NODE_NAME}"
+                                  exit 1
+                                fi
+
+                                kubectl label node "${NODE_NAME}" external-ipv4="\${IPV4}" --overwrite
+                                kubectl annotate node "${NODE_NAME}" homelab.hexor.cy/external-ipv4="\${IPV4}" --overwrite
+
+                                if echo "\${IP64}" | grep -q ':'; then
+                                  kubectl annotate node "${NODE_NAME}" homelab.hexor.cy/external-ipv6="\${IP64}" --overwrite
+                                elif [ -n "\${IP64}" ]; then
+                                  kubectl annotate node "${NODE_NAME}" homelab.hexor.cy/external-ipv4-api64="\${IP64}" --overwrite
+                                fi
+                  EOF
+                  done

k8s/core/postgresql/kustomization.yaml

@@ -13,7 +13,7 @@ resources:
 helmCharts:
   - name: pgadmin4
     repo: https://helm.runix.net
-    version: 1.50.0
+    version: 1.64.0
     releaseName: pgmanager
     namespace: psql
     valuesFile: pgadmin4-values.yaml

k8s/games/counter-strike-16/deployments.yaml

@@ -36,7 +36,7 @@ spec:
     spec:
       nodeSelector:
         #kubernetes.io/hostname: home.homenet
-        kubernetes.io/hostname: master.tail2fe2d.ts.net
+        kubernetes.io/hostname: music.tail2fe2d.ts.net
       terminationGracePeriodSeconds: 10
       containers:
         - name: prom-a2s-exporter

terraform/keycloak/terraform.tfvars

@@ -46,18 +46,49 @@ oauth2_applications = {
     post_logout_redirect_uris = ["https://ai.hexor.cy/*"]
   }
   FuruMusic = {
-    redirect_uris             = ["https://music.hexor.cy/auth/oidc/callback"]
+    redirect_uris             = ["https://music.hexor.cy/auth/oidc/callback", "https://music.hexor.cy/auth/mobile/oidc/callback"]
     web_origins               = ["https://music.hexor.cy"]
     post_logout_redirect_uris = ["https://music.hexor.cy/*"]
   }
   FuruMusic-dev = {
-    redirect_uris             = ["https://music-dev.hexor.cy/auth/oidc/callback", "http://127.0.0.1:3000/auth/oidc/callback", "http://10.0.5.103:3000/auth/oidc/callback"]
-    web_origins               = ["https://music-dev.hexor.cy", "http://127.0.0.1:3000", "http://10.0.5.103:3000"]
-    post_logout_redirect_uris = ["https://music-dev.hexor.cy/*", "http://127.0.0.1:3000/*", "http://10.0.5.103:3000/*"]
+    redirect_uris             = ["http://127.0.0.1:3000/auth/oidc/callback", "http://10.0.5.104:3000/auth/oidc/callback", "http://10.0.5.104:3000/auth/mobile/oidc/callback"]
+    web_origins               = ["http://127.0.0.1:3000", "http://10.0.5.104:3000"]
+    post_logout_redirect_uris = ["http://127.0.0.1:3000/*", "http://10.0.5.104:3000/*"]
   }
   Web-Petting = {
     redirect_uris             = ["https://pet.hexor.cy/admin/oidc/callback", "https://xn--l1acako8eb.xn--p1ai/admin/oidc/callback", "https://мурняня.рф/admin/oidc/callback"]
     web_origins               = ["https://pet.hexor.cy", "https://xn--l1acako8eb.xn--p1ai", "https://мурняня.рф", ]
     post_logout_redirect_uris = ["https://pet.hexor.cy/*", "https://xn--l1acako8eb.xn--p1ai/*", "https://мурняня.рф/*"]
   }
+  Paperless-ngx = {
+    redirect_uris             = ["https://docs.hexor.cy/accounts/oidc/authentik/login/callback/"]
+    web_origins               = ["https://docs.hexor.cy"]
+    post_logout_redirect_uris = ["https://docs.hexor.cy/*"]
+  }
+  Immich = {
+    redirect_uris             = [
+      "https://photos.hexor.cy/auth/login",
+      "https://photos.hexor.cy/user-settings",
+      "app.immich:///oauth-callback",
+      "http://photos.homenet:30283/auth/login",
+      "http://photos.homenet:30283/user-settings"
+    ]
+    web_origins               = ["https://photos.hexor.cy", "http://photos.homenet:30283"]
+    post_logout_redirect_uris = ["https://photos.hexor.cy/*", "http://photos.homenet:30283/*"]
+  }
+  HomeAssistant-LMS = {
+    redirect_uris             = ["http://ha-lms:8123/auth/oidc/callback", "http://ha-lms.homenet:8123/auth/oidc/callback"]
+    web_origins               = ["http://ha-lms:8123", "http://ha-lms.homenet:8123"]
+    post_logout_redirect_uris = ["http://ha-lms:8123/*", "http://ha-lms.homenet:8123/*"]
+  }
+  HomeAssistant-LND = {
+    redirect_uris             = ["http://ha-london:8123/auth/oidc/callback", "http://ha-london.tail2fe2d.ts.net:8123/auth/oidc/callback"]
+    web_origins               = ["http://ha-london:8123", "http://ha-london.tail2fe2d.ts.net:8123"]
+    post_logout_redirect_uris = ["http://ha-london:8123/*", "http://ha-london.tail2fe2d.ts.net:8123/*"]
+  }
+  Matrix-Chat = {
+    redirect_uris             = ["https://auth.matrix.hexor.cy/upstream/callback/001KKV4EKY7KG98W2M9T806K6A"]
+    web_origins               = ["https://auth.matrix.hexor.cy"]
+    post_logout_redirect_uris = ["https://auth.matrix.hexor.cy/*"]
+  }
 }