Auto-update README with current k8s applications

Generated by CI/CD workflow on 2026-04-06 11:02:27 This PR updates the README.md file with the current list of applications found in the k8s/ directory structure.
2026-04-06 11:02:27 +00:00
127 changed files with 86334 additions and 5132 deletions
@@ -1,10 +1,10 @@
-name: 'Keycloak Terraform'
+name: 'Terraform'

 on:
  push:
    branches: [ "main" ]
    paths:
-      - 'terraform/keycloak/**'
+      - 'terraform/authentik/**'
  pull_request:

 permissions:
@@ -29,25 +29,119 @@ jobs:
      with:
        cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}

-    - name: Setup kubeconfig
-      run: |
-        mkdir -p ~/.kube
-        echo "${{ secrets.KUBECONFIG }}" > ~/.kube/config
-        chmod 600 ~/.kube/config
-
    - name: Terraform Init
+      env:
+        TF_VAR_authentik_token: ${{ secrets.AUTHENTIK_TOKEN }}
      run: terraform init
-      working-directory: ./terraform/keycloak
+      working-directory: ./terraform/authentik

    - name: Terraform Format
+      env:
+        TF_VAR_authentik_token: ${{ secrets.AUTHENTIK_TOKEN }}
      run: terraform fmt -check
      continue-on-error: true
-      working-directory: ./terraform/keycloak
+      working-directory: ./terraform/authentik

    - name: Terraform Apply
      env:
-        TF_VAR_keycloak_client_secret: ${{ secrets.KEYCLOAK_CLIENT_SECRET }}
-        TF_VAR_google_client_id: ${{ secrets.GOOGLE_CLIENT_ID }}
-        TF_VAR_google_client_secret: ${{ secrets.GOOGLE_CLIENT_SECRET }}
+        TF_VAR_authentik_token: ${{ secrets.AUTHENTIK_TOKEN }}
      run: terraform apply -input=false -auto-approve -parallelism=100
-      working-directory: ./terraform/keycloak
+      working-directory: ./terraform/authentik
+
+    - name: Generate Wiki Content  
+      if: success()
+      continue-on-error: true
+      env:
+        TF_VAR_authentik_token: ${{ secrets.AUTHENTIK_TOKEN }}
+      run: |
+        echo "📋 Starting Wiki generation..."
+        cd ./terraform/authentik
+        
+        # Get terraform output
+        echo "🔍 Generating Terraform output..."
+        terraform output -json applications_for_wiki > terraform-raw-output.json 2>&1
+        
+        # Process output to extract clean JSON
+        echo "📤 Processing Terraform output..."
+        python3 ../../.gitea/scripts/process-terraform-output.py terraform-raw-output.json terraform-output.json
+        
+        # Run wiki generation
+        echo "📊 Running wiki generation script..."
+        if python3 ../../.gitea/scripts/generate-apps-wiki.py terraform-output.json; then
+          echo "✅ Wiki content generated successfully"
+        else
+          echo "⚠️ Wiki generation failed, retrying with debug..."
+          python3 ../../.gitea/scripts/generate-apps-wiki.py terraform-output.json --debug || echo "⚠️ Wiki generation failed"
+        fi
+        
+        # Check results
+        if [ -f "Applications.md" ]; then
+          echo "✅ Wiki file created: $(wc -l < Applications.md) lines"
+        else
+          echo "⚠️ Wiki content not generated"
+          exit 0
+        fi
+      working-directory: ./
+
+    - name: Upload Wiki to Gitea
+      if: success()  
+      continue-on-error: true
+      run: |
+        cd ./terraform/authentik
+        
+        # Set variables
+        GITEA_URL="${{ secrets.GT_URL }}"
+        GITEA_TOKEN="${{ secrets.GT_WIKI_TOKEN }}"
+        GITEA_OWNER="${{ secrets.GT_OWNER }}"
+        GITEA_REPO="${{ secrets.GT_REPO }}"
+        
+        # Debug variables (without exposing token)
+        echo "🔍 Checking variables..."
+        echo "GITEA_URL: ${GITEA_URL:-NOT SET}"
+        echo "GITEA_OWNER: ${GITEA_OWNER:-NOT SET}"
+        echo "GITEA_REPO: ${GITEA_REPO:-NOT SET}"
+        echo "GITEA_TOKEN: $(if [ -n "$GITEA_TOKEN" ]; then echo "SET"; else echo "NOT SET"; fi)"
+        
+        # Check if file exists
+        if [ ! -f "Applications.md" ]; then
+          echo "⚠️ Applications.md not found, skipping wiki update"
+          exit 0
+        fi
+        
+        echo "📤 Uploading to Gitea Wiki..."
+        
+        # Encode content to base64
+        CONTENT=$(base64 -w 0 Applications.md)
+        
+        # Check if wiki page exists
+        WIKI_PAGE_EXISTS=$(curl -s -o /dev/null -w "%{http_code}" \
+          -H "Authorization: token $GITEA_TOKEN" \
+          "$GITEA_URL/api/v1/repos/$GITEA_OWNER/$GITEA_REPO/wiki/page/Applications" || echo "000")
+        
+        if [ "$WIKI_PAGE_EXISTS" = "200" ]; then
+          echo "📝 Updating existing wiki page..."
+          curl -X PATCH \
+            -H "Authorization: token $GITEA_TOKEN" \
+            -H "Content-Type: application/json" \
+            -d "{
+              \"title\": \"Applications\",
+              \"content_base64\": \"$CONTENT\",
+              \"message\": \"Update applications list from CI/CD [$(date)]\"
+            }" \
+            "$GITEA_URL/api/v1/repos/$GITEA_OWNER/$GITEA_REPO/wiki/page/Applications" || echo "⚠️ Wiki update failed"
+        else
+          echo "📄 Creating new wiki page..."
+          curl -X POST \
+            -H "Authorization: token $GITEA_TOKEN" \
+            -H "Content-Type: application/json" \
+            -d "{
+              \"title\": \"Applications\", 
+              \"content_base64\": \"$CONTENT\",
+              \"message\": \"Create applications list from CI/CD [$(date)]\"
+            }" \
+            "$GITEA_URL/api/v1/repos/$GITEA_OWNER/$GITEA_REPO/wiki/new" || echo "⚠️ Wiki creation failed"
+        fi
+        
+        echo "✅ Wiki update process completed"
+      working-directory: ./
+
@@ -13,19 +13,15 @@ ArgoCD homelab project
 | Application | Status |
 | :--- | :---: |
 | **argocd** | [![argocd](https://ag.hexor.cy/api/badge?name=argocd&revision=true)](https://ag.hexor.cy/applications/argocd/argocd) |
-| **auth-proxy** | [![auth-proxy](https://ag.hexor.cy/api/badge?name=auth-proxy&revision=true)](https://ag.hexor.cy/applications/argocd/auth-proxy) |
 | **authentik** | [![authentik](https://ag.hexor.cy/api/badge?name=authentik&revision=true)](https://ag.hexor.cy/applications/argocd/authentik) |
 | **cert-manager** | [![cert-manager](https://ag.hexor.cy/api/badge?name=cert-manager&revision=true)](https://ag.hexor.cy/applications/argocd/cert-manager) |
 | **external-secrets** | [![external-secrets](https://ag.hexor.cy/api/badge?name=external-secrets&revision=true)](https://ag.hexor.cy/applications/argocd/external-secrets) |
 | **gpu** | [![gpu](https://ag.hexor.cy/api/badge?name=gpu&revision=true)](https://ag.hexor.cy/applications/argocd/gpu) |
-| **kanidm** | [![kanidm](https://ag.hexor.cy/api/badge?name=kanidm&revision=true)](https://ag.hexor.cy/applications/argocd/kanidm) |
-| **keycloak** | [![keycloak](https://ag.hexor.cy/api/badge?name=keycloak&revision=true)](https://ag.hexor.cy/applications/argocd/keycloak) |
 | **kube-system-custom** | [![kube-system-custom](https://ag.hexor.cy/api/badge?name=kube-system-custom&revision=true)](https://ag.hexor.cy/applications/argocd/kube-system-custom) |
 | **kubernetes-dashboard** | [![kubernetes-dashboard](https://ag.hexor.cy/api/badge?name=kubernetes-dashboard&revision=true)](https://ag.hexor.cy/applications/argocd/kubernetes-dashboard) |
 | **longhorn** | [![longhorn](https://ag.hexor.cy/api/badge?name=longhorn&revision=true)](https://ag.hexor.cy/applications/argocd/longhorn) |
 | **postgresql** | [![postgresql](https://ag.hexor.cy/api/badge?name=postgresql&revision=true)](https://ag.hexor.cy/applications/argocd/postgresql) |
 | **prom-stack** | [![prom-stack](https://ag.hexor.cy/api/badge?name=prom-stack&revision=true)](https://ag.hexor.cy/applications/argocd/prom-stack) |
-| **reloader** | [![reloader](https://ag.hexor.cy/api/badge?name=reloader&revision=true)](https://ag.hexor.cy/applications/argocd/reloader) |
 | **system-upgrade** | [![system-upgrade](https://ag.hexor.cy/api/badge?name=system-upgrade&revision=true)](https://ag.hexor.cy/applications/argocd/system-upgrade) |

 ### Games
@@ -42,9 +38,9 @@ ArgoCD homelab project

 | Application | Status |
 | :--- | :---: |
-| **amnezia** | [![amnezia](https://ag.hexor.cy/api/badge?name=amnezia&revision=true)](https://ag.hexor.cy/applications/argocd/amnezia) |
 | **comfyui** | [![comfyui](https://ag.hexor.cy/api/badge?name=comfyui&revision=true)](https://ag.hexor.cy/applications/argocd/comfyui) |
-| **furumi** | [![furumi](https://ag.hexor.cy/api/badge?name=furumi&revision=true)](https://ag.hexor.cy/applications/argocd/furumi) |
+| **furumi-dev** | [![furumi-dev](https://ag.hexor.cy/api/badge?name=furumi-dev&revision=true)](https://ag.hexor.cy/applications/argocd/furumi-dev) |
+| **furumi-server** | [![furumi-server](https://ag.hexor.cy/api/badge?name=furumi-server&revision=true)](https://ag.hexor.cy/applications/argocd/furumi-server) |
 | **gitea** | [![gitea](https://ag.hexor.cy/api/badge?name=gitea&revision=true)](https://ag.hexor.cy/applications/argocd/gitea) |
 | **greece-notifier** | [![greece-notifier](https://ag.hexor.cy/api/badge?name=greece-notifier&revision=true)](https://ag.hexor.cy/applications/argocd/greece-notifier) |
 | **hexound** | [![hexound](https://ag.hexor.cy/api/badge?name=hexound&revision=true)](https://ag.hexor.cy/applications/argocd/hexound) |
@@ -54,7 +50,6 @@ ArgoCD homelab project
 | **k8s-secrets** | [![k8s-secrets](https://ag.hexor.cy/api/badge?name=k8s-secrets&revision=true)](https://ag.hexor.cy/applications/argocd/k8s-secrets) |
 | **khm** | [![khm](https://ag.hexor.cy/api/badge?name=khm&revision=true)](https://ag.hexor.cy/applications/argocd/khm) |
 | **lidarr** | [![lidarr](https://ag.hexor.cy/api/badge?name=lidarr&revision=true)](https://ag.hexor.cy/applications/argocd/lidarr) |
-| **llamacpp** | [![llamacpp](https://ag.hexor.cy/api/badge?name=llamacpp&revision=true)](https://ag.hexor.cy/applications/argocd/llamacpp) |
 | **matrix** | [![matrix](https://ag.hexor.cy/api/badge?name=matrix&revision=true)](https://ag.hexor.cy/applications/argocd/matrix) |
 | **mtproxy** | [![mtproxy](https://ag.hexor.cy/api/badge?name=mtproxy&revision=true)](https://ag.hexor.cy/applications/argocd/mtproxy) |
 | **n8n** | [![n8n](https://ag.hexor.cy/api/badge?name=n8n&revision=true)](https://ag.hexor.cy/applications/argocd/n8n) |
@@ -67,12 +62,9 @@ ArgoCD homelab project
 | **sonarr-stack** | [![sonarr-stack](https://ag.hexor.cy/api/badge?name=sonarr-stack&revision=true)](https://ag.hexor.cy/applications/argocd/sonarr-stack) |
 | **stirling-pdf** | [![stirling-pdf](https://ag.hexor.cy/api/badge?name=stirling-pdf&revision=true)](https://ag.hexor.cy/applications/argocd/stirling-pdf) |
 | **syncthing** | [![syncthing](https://ag.hexor.cy/api/badge?name=syncthing&revision=true)](https://ag.hexor.cy/applications/argocd/syncthing) |
-| **teamspeak** | [![teamspeak](https://ag.hexor.cy/api/badge?name=teamspeak&revision=true)](https://ag.hexor.cy/applications/argocd/teamspeak) |
 | **tg-bots** | [![tg-bots](https://ag.hexor.cy/api/badge?name=tg-bots&revision=true)](https://ag.hexor.cy/applications/argocd/tg-bots) |
 | **vaultwarden** | [![vaultwarden](https://ag.hexor.cy/api/badge?name=vaultwarden&revision=true)](https://ag.hexor.cy/applications/argocd/vaultwarden) |
 | **vpn** | [![vpn](https://ag.hexor.cy/api/badge?name=vpn&revision=true)](https://ag.hexor.cy/applications/argocd/vpn) |
-| **web-petting** | [![web-petting](https://ag.hexor.cy/api/badge?name=web-petting&revision=true)](https://ag.hexor.cy/applications/argocd/web-petting) |
-| **wedding** | [![wedding](https://ag.hexor.cy/api/badge?name=wedding&revision=true)](https://ag.hexor.cy/applications/argocd/wedding) |
 | **xandikos** | [![xandikos](https://ag.hexor.cy/api/badge?name=xandikos&revision=true)](https://ag.hexor.cy/applications/argocd/xandikos) |

 </td>
@@ -1,151 +0,0 @@
---
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: amneziawg-scripts
-data:
-  firewall-up.sh: |
-    #!/usr/bin/env bash
-    set -euo pipefail
-
-    PORT="${1:-5847}"
-    VPN_CIDR="${2:-10.8.1.0/24}"
-
-    external_interface() {
-      ip route get 1.1.1.1 | awk '{for (i=1;i<=NF;i++) if ($i=="dev") {print $(i+1); exit}}'
-    }
-
-    ensure_insert_rule() {
-      local table_args=()
-      if [ "${1:-}" = "-t" ]; then
-        table_args=("$1" "$2")
-        shift 2
-      fi
-
-      local chain="$1"
-      shift
-
-      if ! iptables "${table_args[@]}" -C "${chain}" "$@" >/dev/null 2>&1; then
-        iptables "${table_args[@]}" -I "${chain}" 1 "$@"
-      fi
-    }
-
-    ensure_append_rule() {
-      local table_args=()
-      if [ "${1:-}" = "-t" ]; then
-        table_args=("$1" "$2")
-        shift 2
-      fi
-
-      local chain="$1"
-      shift
-
-      if ! iptables "${table_args[@]}" -C "${chain}" "$@" >/dev/null 2>&1; then
-        iptables "${table_args[@]}" -A "${chain}" "$@"
-      fi
-    }
-
-    EXT_IF="$(external_interface || true)"
-    if [ -z "${EXT_IF}" ]; then
-      EXT_IF="$(ip route show default | awk '{print $5; exit}')"
-    fi
-    if [ -z "${EXT_IF}" ]; then
-      echo "Unable to detect external interface"
-      exit 1
-    fi
-
-    sysctl -w net.ipv4.ip_forward=1
-
-    ensure_insert_rule INPUT -i "${EXT_IF}" -p udp --dport "${PORT}" -m comment --comment amneziawg-allow-external -j ACCEPT
-    ensure_insert_rule INPUT -i tailscale0 -p udp --dport "${PORT}" -m comment --comment amneziawg-block-tailscale -j DROP
-    ensure_append_rule INPUT -i awg0 -m comment --comment amneziawg-awg-input -j ACCEPT
-    ensure_append_rule FORWARD -i awg0 -m comment --comment amneziawg-forward-in -j ACCEPT
-    ensure_append_rule FORWARD -o awg0 -m comment --comment amneziawg-forward-out -j ACCEPT
-    ensure_append_rule -t nat POSTROUTING -s "${VPN_CIDR}" -o "${EXT_IF}" -m comment --comment amneziawg-masquerade -j MASQUERADE
-
-  firewall-down.sh: |
-    #!/usr/bin/env bash
-    set -euo pipefail
-
-    PORT="${1:-5847}"
-    VPN_CIDR="${2:-10.8.1.0/24}"
-
-    external_interface() {
-      ip route get 1.1.1.1 | awk '{for (i=1;i<=NF;i++) if ($i=="dev") {print $(i+1); exit}}'
-    }
-
-    delete_rule() {
-      local table_args=()
-      if [ "${1:-}" = "-t" ]; then
-        table_args=("$1" "$2")
-        shift 2
-      fi
-
-      local chain="$1"
-      shift
-
-      while iptables "${table_args[@]}" -D "${chain}" "$@" >/dev/null 2>&1; do
-        true
-      done
-    }
-
-    EXT_IF="$(external_interface || true)"
-    if [ -z "${EXT_IF}" ]; then
-      EXT_IF="$(ip route show default | awk '{print $5; exit}')"
-    fi
-
-    if [ -n "${EXT_IF}" ]; then
-      delete_rule INPUT -i "${EXT_IF}" -p udp --dport "${PORT}" -m comment --comment amneziawg-allow-external -j ACCEPT
-      delete_rule -t nat POSTROUTING -s "${VPN_CIDR}" -o "${EXT_IF}" -m comment --comment amneziawg-masquerade -j MASQUERADE
-    fi
-
-    delete_rule INPUT -i tailscale0 -p udp --dport "${PORT}" -m comment --comment amneziawg-block-tailscale -j DROP
-    delete_rule INPUT -i awg0 -m comment --comment amneziawg-awg-input -j ACCEPT
-    delete_rule FORWARD -i awg0 -m comment --comment amneziawg-forward-in -j ACCEPT
-    delete_rule FORWARD -o awg0 -m comment --comment amneziawg-forward-out -j ACCEPT
-
-  run.sh: |
-    #!/usr/bin/env bash
-    set -euo pipefail
-
-    SERVER_CONFIG="/etc/amnezia/server/awg0.conf"
-    CLIENTS_DIR="/etc/amnezia/clients"
-    RUNTIME_CONFIG="/run/amnezia/awg0.conf"
-
-    cleanup() {
-      if awg show awg0 >/dev/null 2>&1; then
-        awg-quick down "${RUNTIME_CONFIG}" || ip link delete awg0 || true
-      fi
-    }
-
-    render_config() {
-      mkdir -p "$(dirname "${RUNTIME_CONFIG}")"
-      cp "${SERVER_CONFIG}" "${RUNTIME_CONFIG}"
-      chmod 0600 "${RUNTIME_CONFIG}"
-
-      local clients_found=0
-      for client_config in "${CLIENTS_DIR}"/*; do
-        [ -f "${client_config}" ] || continue
-        [ -s "${client_config}" ] || continue
-        printf '\n' >> "${RUNTIME_CONFIG}"
-        cat "${client_config}" >> "${RUNTIME_CONFIG}"
-        clients_found=1
-      done
-
-      if [ "${clients_found}" = "0" ]; then
-        echo "No client peer configs found in ${CLIENTS_DIR}; starting without peers"
-      fi
-    }
-
-    trap cleanup EXIT
-    trap 'exit 0' TERM INT
-
-    render_config
-    cleanup
-    awg-quick up "${RUNTIME_CONFIG}"
-    awg show awg0 || true
-
-    while true; do
-      sleep 3600 &
-      wait "$!"
-    done
@@ -1,148 +0,0 @@
---
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
-  name: amneziawg
-  labels:
-    app: amneziawg
-  annotations:
-    reloader.stakater.com/auto: "true"
-    secret.reloader.stakater.com/reload: "amneziawg-server,amneziawg-clients"
-spec:
-  selector:
-    matchLabels:
-      app: amneziawg
-  updateStrategy:
-    type: RollingUpdate
-  template:
-    metadata:
-      labels:
-        app: amneziawg
-    spec:
-      serviceAccountName: amneziawg
-      hostNetwork: true
-      dnsPolicy: ClusterFirstWithHostNet
-      nodeSelector:
-        amnezia-vpn: "true"
-      tolerations:
-        - operator: Exists
-      initContainers:
-        - name: register-endpoint
-          image: bitnami/kubectl:latest
-          imagePullPolicy: IfNotPresent
-          env:
-            - name: NODE_NAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: spec.nodeName
-            - name: PORT
-              value: "5847"
-          command:
-            - /bin/bash
-            - -lc
-            - |
-              set -euo pipefail
-
-              NAMESPACE="$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)"
-              ENDPOINT="$(kubectl get node "${NODE_NAME}" -o jsonpath="{.metadata.labels['external-ipv4']}")"
-
-              if [ -z "${ENDPOINT}" ]; then
-                ENDPOINT="$(kubectl get node "${NODE_NAME}" -o jsonpath='{range .status.addresses[?(@.type=="ExternalIP")]}{.address}{end}')"
-              fi
-
-              if [ -z "${ENDPOINT}" ]; then
-                echo "ERROR: node ${NODE_NAME} has no external-ipv4 label and no ExternalIP"
-                exit 1
-              fi
-
-              VALUE="${ENDPOINT}:${PORT}"
-              echo "Registering AmneziaWG endpoint: ${NODE_NAME} -> ${VALUE}"
-
-              if kubectl get secret amneziawg-endpoints -n "${NAMESPACE}" >/dev/null 2>&1; then
-                kubectl patch secret amneziawg-endpoints -n "${NAMESPACE}" \
-                  --type merge -p "{\"stringData\":{\"${NODE_NAME}\":\"${VALUE}\"}}"
-              else
-                kubectl create secret generic amneziawg-endpoints -n "${NAMESPACE}" \
-                  --from-literal="${NODE_NAME}=${VALUE}"
-              fi
-      containers:
-        - name: amneziawg
-          image: amneziavpn/amneziawg-go:latest
-          imagePullPolicy: IfNotPresent
-          securityContext:
-            privileged: true
-            capabilities:
-              add:
-                - NET_ADMIN
-                - SYS_MODULE
-          command:
-            - /bin/bash
-            - /scripts/run.sh
-          ports:
-            - name: awg
-              containerPort: 5847
-              protocol: UDP
-          readinessProbe:
-            exec:
-              command:
-                - /bin/bash
-                - -lc
-                - awg show awg0 >/dev/null 2>&1
-            initialDelaySeconds: 5
-            periodSeconds: 10
-            timeoutSeconds: 3
-            failureThreshold: 3
-          livenessProbe:
-            exec:
-              command:
-                - /bin/bash
-                - -lc
-                - awg show awg0 >/dev/null 2>&1
-            initialDelaySeconds: 30
-            periodSeconds: 30
-            timeoutSeconds: 5
-            failureThreshold: 3
-          resources:
-            requests:
-              memory: "64Mi"
-              cpu: "50m"
-            limits:
-              memory: "256Mi"
-              cpu: "500m"
-          volumeMounts:
-            - name: server-config
-              mountPath: /etc/amnezia/server
-              readOnly: true
-            - name: client-config
-              mountPath: /etc/amnezia/clients
-              readOnly: true
-            - name: scripts
-              mountPath: /scripts
-              readOnly: true
-            - name: runtime-config
-              mountPath: /run/amnezia
-            - name: dev-net-tun
-              mountPath: /dev/net/tun
-      volumes:
-        - name: server-config
-          secret:
-            secretName: amneziawg-server
-            defaultMode: 0600
-            items:
-              - key: awg0.conf
-                path: awg0.conf
-        - name: client-config
-          secret:
-            secretName: amneziawg-clients
-            optional: true
-            defaultMode: 0600
-        - name: scripts
-          configMap:
-            name: amneziawg-scripts
-            defaultMode: 0755
-        - name: runtime-config
-          emptyDir: {}
-        - name: dev-net-tun
-          hostPath:
-            path: /dev/net/tun
-            type: CharDevice
@@ -1,50 +0,0 @@
---
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: amneziawg-server
-spec:
-  target:
-    name: amneziawg-server
-    deletionPolicy: Delete
-    template:
-      type: Opaque
-      data:
-        server-public-key: |-
-          {{ .server_public_key }}
-        awg0.conf: |-
-          [Interface]
-          PrivateKey = {{ .server_private_key }}
-          Address = 10.8.1.1/24
-          ListenPort = 5847
-          MTU = 1376
-          Jc = 4
-          Jmin = 64
-          Jmax = 128
-          S1 = 15
-          S2 = 18
-          S3 = 20
-          S4 = 23
-          H1 = 1020325451
-          H2 = 3288052141
-          H3 = 1766607858
-          H4 = 2528465083
-          PostUp = /scripts/firewall-up.sh 5847 10.8.1.0/24
-          PostDown = /scripts/firewall-down.sh 5847 10.8.1.0/24
-  data:
-    - secretKey: server_private_key
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        key: 3092dc7c-41dd-461a-9f7a-377727f47e93
-        property: fields[0].value
-    - secretKey: server_public_key
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        key: 3092dc7c-41dd-461a-9f7a-377727f47e93
-        property: fields[1].value
@@ -1,10 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - app.yaml
-  - namespace.yaml
-  - external-secrets.yaml
-  - configmap-scripts.yaml
-  - rbac.yaml
-  - daemonset.yaml
@@ -1,8 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: amnezia
-  labels:
-    pod-security.kubernetes.io/enforce: privileged
-    pod-security.kubernetes.io/audit: privileged
-    pod-security.kubernetes.io/warn: privileged
@@ -1,58 +0,0 @@
---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: amneziawg
-  labels:
-    app: amneziawg
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: amneziawg-node-reader
-  labels:
-    app: amneziawg
-rules:
-  - apiGroups: [""]
-    resources: ["nodes"]
-    verbs: ["get", "list"]
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: amneziawg-node-reader
-  labels:
-    app: amneziawg
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: amneziawg-node-reader
-subjects:
-  - kind: ServiceAccount
-    name: amneziawg
-    namespace: amnezia
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: amneziawg-endpoint-manager
-  labels:
-    app: amneziawg
-rules:
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["get", "create", "patch"]
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: amneziawg-endpoint-manager
-  labels:
-    app: amneziawg
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: amneziawg-endpoint-manager
-subjects:
-  - kind: ServiceAccount
-    name: amneziawg
@@ -1,17 +1,17 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: amnezia
+  name: furumi-dev
  namespace: argocd
 spec:
  project: apps
  destination:
-    namespace: amnezia
+    namespace: furumi-dev
    server: https://kubernetes.default.svc
  source:
    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
    targetRevision: HEAD
-    path: k8s/apps/amnezia
+    path: k8s/apps/furumi-dev
  syncPolicy:
    automated:
      selfHeal: true
@@ -0,0 +1,65 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: furumi-ng-creds
+spec:
+  target:
+    name: furumi-ng-creds
+    deletionPolicy: Delete
+    template:
+      type: Opaque
+      data:
+        OIDC_CLIENT_ID: |-
+          {{ .client_id }}
+        OIDC_CLIENT_SECRET: |-
+          {{ .client_secret }}
+        OIDC_ISSUER_URL: https://idm.hexor.cy/application/o/furumi-dev/
+        OIDC_REDIRECT_URL: https://music-dev.hexor.cy/auth/callback
+        OIDC_SESSION_SECRET: |-
+          {{ .session_secret }}
+        PG_STRING: |-
+          postgres://furumi_dev:{{ .pg_pass }}@psql.psql.svc:5432/furumi_dev
+        PLAYER_API_KEY: |-
+          {{ .player_api_key }}
+  data:
+    - secretKey: client_id
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: 960735e6-2cc9-4b68-9bd3-e6786e5a0cd6
+        property: fields[0].value
+    - secretKey: client_secret
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: 960735e6-2cc9-4b68-9bd3-e6786e5a0cd6
+        property: fields[1].value
+    - secretKey: session_secret
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: 960735e6-2cc9-4b68-9bd3-e6786e5a0cd6
+        property: fields[2].value
+    - secretKey: player_api_key
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: 960735e6-2cc9-4b68-9bd3-e6786e5a0cd6
+        property: fields[3].value
+    - secretKey: pg_pass
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: 2a9deb39-ef22-433e-a1be-df1555625e22
+        property: fields[17].value
@@ -0,0 +1,59 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: admin-strip
+spec:
+  stripPrefix:
+    prefixes:
+      - /admin
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: furumi-tls-ingress
+  annotations:
+    ingressClassName: traefik
+    cert-manager.io/cluster-issuer: letsencrypt
+    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
+    acme.cert-manager.io/http01-edit-in-place: "true"
+spec:
+  rules:
+    - host: music-dev.hexor.cy
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: furumi-dev-web-player
+                port:
+                  number: 8080
+  tls:
+    - secretName: furumi-tls
+      hosts:
+        - '*.hexor.cy'
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: furumi-dev-admin-ingress
+  annotations:
+    ingressClassName: traefik
+    traefik.ingress.kubernetes.io/router.middlewares: furumi-server-admin-strip@kubernetescrd,kube-system-https-redirect@kubernetescrd
+spec:
+  rules:
+    - host: music-dev.hexor.cy
+      http:
+        paths:
+          - path: /admin
+            pathType: Prefix
+            backend:
+              service:
+                name: furumi-dev-metadata-agent
+                port:
+                  number: 8090
+  tls:
+    - secretName: furumi-tls
+      hosts:
+        - '*.hexor.cy'
@@ -3,8 +3,8 @@ kind: Kustomization

 resources:
  - app.yaml
-  - deployment.yaml
  - service.yaml
+  - external-secrets.yaml
  - ingress.yaml
-  - storage.yaml
-
+  - web-player.yaml
+  - metadata-agent.yaml
@@ -0,0 +1,59 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: furumi-dev-metadata-agent
+  labels:
+    app: furumi-dev-metadata-agent
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: furumi-dev-metadata-agent
+  template:
+    metadata:
+      labels:
+        app: furumi-dev-metadata-agent
+    spec:
+      nodeSelector:
+        kubernetes.io/hostname: master.tail2fe2d.ts.net
+      containers:
+        - name: furumi-dev-metadata-agent
+          image: ultradesu/furumi-metadata-agent:dev
+          imagePullPolicy: Always
+          env:
+            - name: FURUMI_AGENT_DATABASE_URL
+              valueFrom:
+                secretKeyRef:
+                  name: furumi-ng-creds
+                  key: PG_STRING
+            - name: FURUMI_AGENT_INBOX_DIR
+              value: "/inbox"
+            - name: FURUMI_AGENT_STORAGE_DIR
+              value: "/media"
+            - name: FURUMI_AGENT_OLLAMA_URL
+              value: "http://ollama.ollama.svc:11434"
+            - name: FURUMI_AGENT_OLLAMA_MODEL
+              value: "qwen3:14b"
+            - name: FURUMI_AGENT_POLL_INTERVAL_SECS
+              value: "10"
+            - name: RUST_LOG
+              value: "info"
+          ports:
+            - name: admin-ui
+              containerPort: 8090
+              protocol: TCP
+          volumeMounts:
+            - name: library
+              mountPath: /media
+            - name: inbox
+              mountPath: /inbox
+      volumes:
+        - name: library
+          hostPath:
+            path: /k8s/furumi-dev/library
+            type: DirectoryOrCreate
+        - name: inbox
+          hostPath:
+            path: /k8s/furumi-dev/inbox
+            type: DirectoryOrCreate
+
@@ -0,0 +1,32 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: furumi-dev-metadata-agent
+  labels:
+    app: furumi-dev-metadata-agent
+spec:
+  type: ClusterIP
+  selector:
+    app: furumi-dev-metadata-agent
+  ports:
+    - name: admin-ui
+      protocol: TCP
+      port: 8090
+      targetPort: 8090
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: furumi-dev-web-player
+  labels:
+    app: furumi-dev-web-player
+spec:
+  type: ClusterIP
+  selector:
+    app: furumi-dev-web-player
+  ports:
+    - name: web-ui
+      protocol: TCP
+      port: 8080
+      targetPort: 8080
@@ -0,0 +1,75 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: furumi-dev-web-player
+  labels:
+    app: furumi-dev-web-player
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: furumi-dev-web-player
+  template:
+    metadata:
+      labels:
+        app: furumi-dev-web-player
+    spec:
+      nodeSelector:
+        kubernetes.io/hostname: master.tail2fe2d.ts.net
+      containers:
+        - name: furumi-dev-web-player
+          image: ultradesu/furumi-web-player:dev
+          imagePullPolicy: Always
+          env:
+            - name: FURUMI_PLAYER_OIDC_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: furumi-ng-creds
+                  key: OIDC_CLIENT_ID
+            - name: FURUMI_PLAYER_OIDC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: furumi-ng-creds
+                  key: OIDC_CLIENT_SECRET
+            - name: FURUMI_PLAYER_OIDC_ISSUER_URL
+              valueFrom:
+                secretKeyRef:
+                  name: furumi-ng-creds
+                  key: OIDC_ISSUER_URL
+            - name: FURUMI_PLAYER_OIDC_REDIRECT_URL
+              valueFrom:
+                secretKeyRef:
+                  name: furumi-ng-creds
+                  key: OIDC_REDIRECT_URL
+            - name: FURUMI_PLAYER_OIDC_SESSION_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: furumi-ng-creds
+                  key: OIDC_SESSION_SECRET
+            - name: FURUMI_PLAYER_DATABASE_URL
+              valueFrom:
+                secretKeyRef:
+                  name: furumi-ng-creds
+                  key: PG_STRING
+            - name: FURUMI_PLAYER_API_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: furumi-ng-creds
+                  key: PLAYER_API_KEY
+            - name: FURUMI_PLAYER_STORAGE_DIR
+              value: "/media"
+            - name: RUST_LOG
+              value: "info"
+          ports:
+            - name: web-ui
+              containerPort: 8080
+              protocol: TCP
+          volumeMounts:
+            - name: music
+              mountPath: /media
+      volumes:
+        - name: music
+          hostPath:
+            path: /k8s/furumi-dev/library
+            type: DirectoryOrCreate
+
@@ -1,17 +1,17 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: furumi
+  name: furumi-server
  namespace: argocd
 spec:
  project: apps
  destination:
-    namespace: furumi
+    namespace: furumi-server
    server: https://kubernetes.default.svc
  source:
    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
    targetRevision: HEAD
-    path: k8s/apps/furumi
+    path: k8s/apps/furumi-server
  syncPolicy:
    automated:
      selfHeal: true
@@ -0,0 +1,75 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: furumi-server
+  labels:
+    app: furumi-server
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: furumi-server
+  template:
+    metadata:
+      labels:
+        app: furumi-server
+    spec:
+      nodeSelector:
+        kubernetes.io/hostname: master.tail2fe2d.ts.net
+      containers:
+        - name: furumi-server
+          image: ultradesu/furumi-server:trunk
+          imagePullPolicy: Always
+          env:
+            - name: FURUMI_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: furumi-ng-creds
+                  key: TOKEN
+            - name: FURUMI_OIDC_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: furumi-ng-creds
+                  key: OIDC_CLIENT_ID
+            - name: FURUMI_OIDC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: furumi-ng-creds
+                  key: OIDC_CLIENT_SECRET
+            - name: FURUMI_OIDC_ISSUER_URL
+              valueFrom:
+                secretKeyRef:
+                  name: furumi-ng-creds
+                  key: OIDC_ISSUER_URL
+            - name: FURUMI_OIDC_REDIRECT_URL
+              valueFrom:
+                secretKeyRef:
+                  name: furumi-ng-creds
+                  key: OIDC_REDIRECT_URL
+            - name: FURUMI_OIDC_SESSION_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: furumi-ng-creds
+                  key: OIDC_SESSION_SECRET
+            - name: FURUMI_ROOT
+              value: "/media"
+            - name: RUST_LOG
+              value: "info"
+          ports:
+            - name: grpc
+              containerPort: 50051
+              protocol: TCP
+            - name: metrics
+              containerPort: 9090
+              protocol: TCP
+            - name: web-ui
+              containerPort: 8080
+              protocol: TCP
+          volumeMounts:
+            - name: music
+              mountPath: /media
+      volumes:
+        - name: music
+          hostPath:
+            path: /k8s/media/downloads/Lidarr_Music
+            type: DirectoryOrCreate
@@ -0,0 +1,65 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: furumi-ng-creds
+spec:
+  target:
+    name: furumi-ng-creds
+    deletionPolicy: Delete
+    template:
+      type: Opaque
+      data:
+        TOKEN: |-
+          {{ .token }}
+        OIDC_CLIENT_ID: |-
+          {{ .client_id }}
+        OIDC_CLIENT_SECRET: |-
+          {{ .client_secret }}
+        OIDC_ISSUER_URL: https://idm.hexor.cy/application/o/furumi-ng-web/
+        OIDC_REDIRECT_URL: https://music.hexor.cy/auth/callback
+        OIDC_SESSION_SECRET: |-
+          {{ .session_secret }}
+        PG_STRING: |-
+          postgres://furumi:{{ .pg_pass }}@psql.psql.svc:5432/furumi
+  data:
+    - secretKey: token
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: b8b8c3a2-c3fe-42d3-9402-0ae305e1455f
+        property: fields[0].value
+    - secretKey: client_id
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: b8b8c3a2-c3fe-42d3-9402-0ae305e1455f
+        property: fields[1].value
+    - secretKey: client_secret
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: b8b8c3a2-c3fe-42d3-9402-0ae305e1455f
+        property: fields[2].value
+    - secretKey: session_secret
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: b8b8c3a2-c3fe-42d3-9402-0ae305e1455f
+        property: fields[3].value
+    - secretKey: pg_pass
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: 2a9deb39-ef22-433e-a1be-df1555625e22
+        property: fields[16].value
@@ -0,0 +1,59 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: admin-strip
+spec:
+  stripPrefix:
+    prefixes:
+      - /admin
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: furumi-tls-ingress
+  annotations:
+    ingressClassName: traefik
+    cert-manager.io/cluster-issuer: letsencrypt
+    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
+    acme.cert-manager.io/http01-edit-in-place: "true"
+spec:
+  rules:
+    - host: music.hexor.cy
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: furumi-web-player
+                port:
+                  number: 8080
+  tls:
+    - secretName: furumi-tls
+      hosts:
+        - '*.hexor.cy'
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: furumi-admin-ingress
+  annotations:
+    ingressClassName: traefik
+    traefik.ingress.kubernetes.io/router.middlewares: furumi-server-admin-strip@kubernetescrd,kube-system-https-redirect@kubernetescrd
+spec:
+  rules:
+    - host: music.hexor.cy
+      http:
+        paths:
+          - path: /admin
+            pathType: Prefix
+            backend:
+              service:
+                name: furumi-metadata-agent
+                port:
+                  number: 8090
+  tls:
+    - secretName: furumi-tls
+      hosts:
+        - '*.hexor.cy'
@@ -3,8 +3,10 @@ kind: Kustomization

 resources:
  - app.yaml
+  - deployment.yaml
  - service.yaml
+  - servicemonitor.yaml
  - external-secrets.yaml
  - ingress.yaml
-  - deployment.yaml
-  - servicemonitor.yaml
+  - web-player.yaml
+  - metadata-agent.yaml
@@ -0,0 +1,59 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: furumi-metadata-agent
+  labels:
+    app: furumi-metadata-agent
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: furumi-metadata-agent
+  template:
+    metadata:
+      labels:
+        app: furumi-metadata-agent
+    spec:
+      nodeSelector:
+        kubernetes.io/hostname: master.tail2fe2d.ts.net
+      containers:
+        - name: furumi-metadata-agent
+          image: ultradesu/furumi-metadata-agent:trunk
+          imagePullPolicy: Always
+          env:
+            - name: FURUMI_AGENT_DATABASE_URL
+              valueFrom:
+                secretKeyRef:
+                  name: furumi-ng-creds
+                  key: PG_STRING
+            - name: FURUMI_AGENT_INBOX_DIR
+              value: "/inbox"
+            - name: FURUMI_AGENT_STORAGE_DIR
+              value: "/media"
+            - name: FURUMI_AGENT_OLLAMA_URL
+              value: "http://ollama.ollama.svc:11434"
+            - name: FURUMI_AGENT_OLLAMA_MODEL
+              value: "qwen3.5:9b"
+            - name: FURUMI_AGENT_POLL_INTERVAL_SECS
+              value: "10"
+            - name: RUST_LOG
+              value: "info"
+          ports:
+            - name: admin-ui
+              containerPort: 8090
+              protocol: TCP
+          volumeMounts:
+            - name: library
+              mountPath: /media
+            - name: inbox
+              mountPath: /inbox
+      volumes:
+        - name: library
+          hostPath:
+            path: /k8s/furumi/library
+            type: DirectoryOrCreate
+        - name: inbox
+          hostPath:
+            path: /k8s/furumi/inbox
+            type: DirectoryOrCreate
+
@@ -0,0 +1,62 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: furumi-server-grpc
+spec:
+  type: LoadBalancer
+  selector:
+    app: furumi-server
+  ports:
+    - name: grpc
+      protocol: TCP
+      port: 50051
+      targetPort: 50051
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: furumi-server-metrics
+  labels:
+    app: furumi-server
+spec:
+  type: ClusterIP
+  selector:
+    app: furumi-server
+  ports:
+    - name: metrics
+      protocol: TCP
+      port: 9090
+      targetPort: 9090
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: furumi-metadata-agent
+  labels:
+    app: furumi-metadata-agent
+spec:
+  type: ClusterIP
+  selector:
+    app: furumi-metadata-agent
+  ports:
+    - name: admin-ui
+      protocol: TCP
+      port: 8090
+      targetPort: 8090
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: furumi-web-player
+  labels:
+    app: furumi-web-player
+spec:
+  type: ClusterIP
+  selector:
+    app: furumi-web-player
+  ports:
+    - name: web-ui
+      protocol: TCP
+      port: 8080
+      targetPort: 8080
@@ -2,20 +2,20 @@
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
-  name: furumi-player-metrics
+  name: furumi-server-metrics
  labels:
-    app: furumi-player
+    app: furumi-server
    release: prometheus
 spec:
  selector:
    matchLabels:
-      app: furumi-player
+      app: furumi-server
  endpoints:
-    - port: http
+    - port: metrics
      path: /metrics
      interval: 30s
      scrapeTimeout: 10s
      honorLabels: true
  namespaceSelector:
    matchNames:
-      - furumi
+      - furumi-server
@@ -0,0 +1,70 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: furumi-web-player
+  labels:
+    app: furumi-web-player
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: furumi-web-player
+  template:
+    metadata:
+      labels:
+        app: furumi-web-player
+    spec:
+      nodeSelector:
+        kubernetes.io/hostname: master.tail2fe2d.ts.net
+      containers:
+        - name: furumi-web-player
+          image: ultradesu/furumi-web-player:trunk
+          imagePullPolicy: Always
+          env:
+            - name: FURUMI_PLAYER_OIDC_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: furumi-ng-creds
+                  key: OIDC_CLIENT_ID
+            - name: FURUMI_PLAYER_OIDC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: furumi-ng-creds
+                  key: OIDC_CLIENT_SECRET
+            - name: FURUMI_PLAYER_OIDC_ISSUER_URL
+              valueFrom:
+                secretKeyRef:
+                  name: furumi-ng-creds
+                  key: OIDC_ISSUER_URL
+            - name: FURUMI_PLAYER_OIDC_REDIRECT_URL
+              valueFrom:
+                secretKeyRef:
+                  name: furumi-ng-creds
+                  key: OIDC_REDIRECT_URL
+            - name: FURUMI_PLAYER_OIDC_SESSION_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: furumi-ng-creds
+                  key: OIDC_SESSION_SECRET
+            - name: FURUMI_PLAYER_DATABASE_URL
+              valueFrom:
+                secretKeyRef:
+                  name: furumi-ng-creds
+                  key: PG_STRING
+            - name: FURUMI_PLAYER_STORAGE_DIR
+              value: "/media"
+            - name: RUST_LOG
+              value: "info"
+          ports:
+            - name: web-ui
+              containerPort: 8080
+              protocol: TCP
+          volumeMounts:
+            - name: music
+              mountPath: /media
+      volumes:
+        - name: music
+          hostPath:
+            path: /k8s/furumi/library
+            type: DirectoryOrCreate
+
@@ -1,46 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: furumi-player
-  labels:
-    app: furumi-player
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: furumi-player
-  template:
-    metadata:
-      labels:
-        app: furumi-player
-    spec:
-      nodeSelector:
-        kubernetes.io/hostname: music.tail2fe2d.ts.net
-      containers:
-        - name: furumi-player
-          image: ultradesu/furumusic:latest
-          imagePullPolicy: Always
-          env:
-            - name: FURU_DATABASE_URL
-              valueFrom:
-                secretKeyRef:
-                  name: furumi-creds
-                  key: PG_STRING
-          ports:
-          - containerPort: 8000
-            name: http
-          volumeMounts:
-            - name: library
-              mountPath: /media
-            - name: inbox
-              mountPath: /inbox
-      volumes:
-        - name: library
-          hostPath:
-            path: /data/furumi/library
-            type: DirectoryOrCreate
-        - name: inbox
-          hostPath:
-            path: /data/furumi/inbox
-            type: DirectoryOrCreate
-
@@ -1,55 +0,0 @@
---
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: furumi-ng-creds
-spec:
-  target:
-    name: furumi-creds
-    deletionPolicy: Delete
-    template:
-      type: Opaque
-      data:
-       #OIDC_CLIENT_ID: |-
-       #  {{ .client_id }}
-       #OIDC_CLIENT_SECRET: |-
-       #  {{ .client_secret }}
-       #OIDC_ISSUER_URL: https://idm.hexor.cy/application/o/furumi/
-       #OIDC_REDIRECT_URL: https://music.hexor.cy/auth/callback
-       #OIDC_SESSION_SECRET: |-
-       #  {{ .session_secret }}
-        PG_STRING: |-
-          postgresql://furumi_dev:{{ .pg_pass }}@psql.psql.svc/furumi_dev
-  data:
-  # - secretKey: client_id
-  #   sourceRef:
-  #     storeRef:
-  #       name: vaultwarden-login
-  #       kind: ClusterSecretStore
-  #   remoteRef:
-  #     key: 960735e6-2cc9-4b68-9bd3-e6786e5a0cd6
-  #     property: fields[0].value
-  # - secretKey: client_secret
-  #   sourceRef:
-  #     storeRef:
-  #       name: vaultwarden-login
-  #       kind: ClusterSecretStore
-  #   remoteRef:
-  #     key: 960735e6-2cc9-4b68-9bd3-e6786e5a0cd6
-  #     property: fields[1].value
-  # - secretKey: session_secret
-  #   sourceRef:
-  #     storeRef:
-  #       name: vaultwarden-login
-  #       kind: ClusterSecretStore
-  #   remoteRef:
-  #     key: 960735e6-2cc9-4b68-9bd3-e6786e5a0cd6
-  #     property: fields[2].value
-    - secretKey: pg_pass
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        key: 2a9deb39-ef22-433e-a1be-df1555625e22
-        property: fields[17].value
@@ -1,27 +0,0 @@
---
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: furumi-tls-ingress
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
-    acme.cert-manager.io/http01-edit-in-place: "true"
-spec:
-  ingressClassName: traefik
-  rules:
-    - host: music.hexor.cy
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: furumi-player
-                port:
-                  number: 8000
-  tls:
-    - secretName: furumi-tls
-      hosts:
-        - music.hexor.cy
-
@@ -1,16 +0,0 @@
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: furumi-player
-  labels:
-    app: furumi-player
-spec:
-  type: ClusterIP
-  selector:
-    app: furumi-player
-  ports:
-    - name: http
-      protocol: TCP
-      port: 8000
-      targetPort: 8000
@@ -48,8 +48,6 @@ spec:
              value: "true"
            - name: GITEA__service__CAPTCHA_TYPE
              value: "hcaptcha"
-            - name: GITEA__webhook__ALLOWED_HOST_LIST
-              value: "*"
          envFrom:
          - secretRef:
              name: gitea-recapcha-creds
@@ -79,19 +77,11 @@ spec:
      labels:
        app: gitea-runner
    spec:
-      dnsConfig:
-        options:
-          - name: ndots
-            value: "2"
      tolerations:
        - key: workload
          operator: Equal
          value: desktop
          effect: NoSchedule
-        - key: workload
-          operator: Equal
-          value: ai
-          effect: NoSchedule
      volumes:
        - name: docker-sock
          hostPath:
@@ -101,12 +91,6 @@ spec:
          emptyDir:
            sizeLimit: 30Gi
      affinity:
-        podAntiAffinity:
-          requiredDuringSchedulingIgnoredDuringExecution:
-            - labelSelector:
-                matchLabels:
-                  app: gitea-runner
-              topologyKey: kubernetes.io/hostname
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 100
@@ -115,8 +99,7 @@ spec:
              - key: kubernetes.io/hostname
                operator: In
                values:
-                #- uk-desktop.tail2fe2d.ts.net
-                - ai.tail2fe2d.ts.net
+                - uk-desktop.tail2fe2d.ts.net
          - weight: 50
            preference:
              matchExpressions:
@@ -124,19 +107,34 @@ spec:
                operator: In
                values:
                - home.homenet
+          - weight: 30
+            preference:
+              matchExpressions:
+              - key: kubernetes.io/hostname
+                operator: In
+                values:
+                - master.tail2fe2d.ts.net
+          - weight: 10
+            preference:
+              matchExpressions:
+              - key: kubernetes.io/hostname
+                operator: In
+                values:
                - it.tail2fe2d.ts.net
+                - ch.tail2fe2d.ts.net
+                - us.tail2fe2d.ts.net
      containers:
        - name: gitea-runner
          image: gitea/act_runner:nightly
          resources:
-            #requests:
-            #  cpu: "100m"
-            #  memory: "256Mi"
-            #  ephemeral-storage: "1Gi"
-            #limits:
-            #  cpu: "3000m"
-            #  memory: "4Gi"
-            #  ephemeral-storage: "28Gi"
+            requests:
+              cpu: "100m"
+              memory: "256Mi"
+              ephemeral-storage: "1Gi"
+            limits:
+              cpu: "3000m"
+              memory: "4Gi"
+              ephemeral-storage: "28Gi"
          volumeMounts:
            - name: docker-sock
              mountPath: /var/run/docker.sock
@@ -144,18 +142,13 @@ spec:
              mountPath: /data
          env:
            - name: GITEA_INSTANCE_URL
-              #value: "http://gitea.gitea.svc.cluster.local"
              value: "https://gt.hexor.cy"
            - name: GITEA_RUNNER_REGISTRATION_TOKEN
              valueFrom:
                secretKeyRef:
                  name: gitea-runner-act-runner-secrets
                  key: token
-            - name: NODE_NAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: spec.nodeName
            - name: GITEA_RUNNER_NAME
-              value: "$(NODE_NAME)"
+              value: "k8s-runner"
            - name: GITEA_RUNNER_LABELS
              value: "ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest,ubuntu-22.04:docker://ghcr.io/catthehacker/ubuntu:act-22.04,ubuntu-20.04:docker://ghcr.io/catthehacker/ubuntu:act-20.04"
@@ -4,11 +4,11 @@ kind: Ingress
 metadata:
  name: gitea-tls-ingress
  annotations:
+    ingressClassName: traefik
    cert-manager.io/cluster-issuer: letsencrypt
    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
    acme.cert-manager.io/http01-edit-in-place: "true"
 spec:
-  ingressClassName: traefik
  rules:
    - host: gt.hexor.cy
      http:
@@ -1,46 +0,0 @@
---
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: auth-proxy
-spec:
-  forwardAuth:
-    address: http://auth-proxy.auth-proxy.svc:80/auth
-    trustForwardHeader: true
-    authResponseHeaders:
-      - X-Auth-Request-User
-      - X-Auth-Request-Email
-      - X-Auth-Request-Groups
---
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: secret-reader
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`pass.hexor.cy`)
-      kind: Rule
-      middlewares:
-        - name: auth-proxy
-      services:
-        - name: secret-reader
-          port: 80
-  tls:
-    secretName: secret-reader-tls
---
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: secret-reader-tls
-spec:
-  secretName: secret-reader-tls
-  issuerRef:
-    name: letsencrypt
-    kind: ClusterIssuer
-  dnsNames:
-    - pass.hexor.cy
-
@@ -1,20 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: llamacpp
-  namespace: argocd
-spec:
-  project: apps
-  destination:
-    namespace: llamacpp
-    server: https://kubernetes.default.svc
-  source:
-    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
-    targetRevision: HEAD
-    path: k8s/apps/llamacpp
-  syncPolicy:
-    automated:
-      selfHeal: true
-      prune: true
-    syncOptions:
-      - CreateNamespace=true
@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: llamacpp-config
-data:
-  LLAMA_CACHE: /models
-  LLAMA_ARG_HOST: 0.0.0.0
-  LLAMA_ARG_PORT: "8080"
-  LLAMA_ARG_HF_REPO: "unsloth/Qwen3.6-35B-A3B-MTP-GGUF:UD-Q6_K"
-  LLAMA_ARG_CTX_SIZE: "32768"
-  LLAMA_ARG_FLASH_ATTN: auto
-  LLAMA_ARG_FIT: "on"
@@ -1,71 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: llamacpp
-  annotations:
-    reloader.stakater.com/auto: "true"
-  labels:
-    app: llamacpp
-spec:
-  replicas: 1
-  strategy:
-    type: Recreate
-  selector:
-    matchLabels:
-      app: llamacpp
-  template:
-    metadata:
-      labels:
-        app: llamacpp
-    spec:
-      dnsPolicy: Default
-      nodeSelector:
-        kubernetes.io/hostname: ai.tail2fe2d.ts.net
-      tolerations:
-        - key: workload
-          operator: Equal
-          value: ai
-          effect: NoSchedule
-      containers:
-        - name: llamacpp
-          image: ghcr.io/ggml-org/llama.cpp:server-rocm-b9501 
-          imagePullPolicy: IfNotPresent
-          envFrom:
-            - configMapRef:
-                name: llamacpp-config
-          env:
-            - name: HF_TOKEN
-              valueFrom:
-                secretKeyRef:
-                  name: llamacpp-hf-token
-                  key: token
-                  optional: true
-          ports:
-            - name: http
-              containerPort: 8080
-              protocol: TCP
-          resources:
-            limits:
-              amd.com/gpu: 1
-          startupProbe:
-            httpGet:
-              path: /health
-              port: http
-            failureThreshold: 180
-            periodSeconds: 10
-            timeoutSeconds: 5
-          readinessProbe:
-            httpGet:
-              path: /health
-              port: http
-            failureThreshold: 3
-            periodSeconds: 10
-            timeoutSeconds: 5
-          volumeMounts:
-            - name: models
-              mountPath: /models
-      volumes:
-        - name: models
-          hostPath:
-            path: /k8s/llamacpp/models
-            type: DirectoryOrCreate
@@ -1,8 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - app.yaml
-  - configmap.yaml
-  - deployment.yaml
-  - service.yaml
@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: llamacpp
-  labels:
-    app: llamacpp
-spec:
-  type: ClusterIP
-  selector:
-    app: llamacpp
-  ports:
-    - name: http
-      port: 8080
-      targetPort: http
-      protocol: TCP
@@ -53,8 +53,8 @@ spec:
          upstream_oauth2:
            providers:
              - id: 001KKV4EKY7KG98W2M9T806K6A
-                human_name: SSO Login
-                issuer: https://auth.hexor.cy/auth/realms/hexor
+                human_name: Authentik
+                issuer: https://idm.hexor.cy/application/o/matrix/
                client_id: "{{ .oauth_client_id }}"
                client_secret: "{{ .oauth_client_secret }}"
                token_endpoint_auth_method: client_secret_post
@@ -93,4 +93,3 @@ spec:
        metadataPolicy: None
        key: ca76867f-49f3-4a30-9ef3-b05af35ee49a
        property: fields[1].value
-                    on_conflict: replace
@@ -26,9 +26,9 @@ matrixRTC:
    host: livekit.matrix.hexor.cy
  sfu:
    enabled: true
-    manualIP: "78.24.180.234"
+    manualIP: "138.201.61.182"
    nodeSelector:
-      kubernetes.io/hostname: spb.tail2fe2d.ts.net
+      kubernetes.io/hostname: master.tail2fe2d.ts.net
    exposedServices:
      rtcTcp:
        enabled: true
@@ -45,14 +45,6 @@ matrixRTC:
 ## Synapse homeserver
 synapse:
  enabled: true
-  additional:
-    0-search-config:
-      config: |
-        user_directory:
-          enabled: true
-          search_all_users: true
-          prefer_local_users: true
-        enable_room_list_search: true
  ingress:
    host: synapse.matrix.hexor.cy
  postgres:
@@ -64,12 +56,12 @@ synapse:
    password:
      secret: matrix-postgres-creds
      secretKey: synapse_db_password
-  nodeSelector:
-    kubernetes.io/hostname: master.tail2fe2d.ts.net
  media:
    storage:
      size: 20Gi
    maxUploadSize: 100M
+  # nodeSelector:
+  #   kubernetes.io/hostname: nas.homenet

 ## Matrix Authentication Service
 matrixAuthenticationService:
@@ -96,24 +88,24 @@ matrixAuthenticationService:
    1-oidc:
      configSecret: matrix-oidc-config
      configSecretKey: mas-oidc.yaml
-  nodeSelector:
-    kubernetes.io/hostname: master.tail2fe2d.ts.net
+  # nodeSelector:
+  #   kubernetes.io/hostname: nas.homenet

 ## Element Web client
 elementWeb:
  enabled: true
  ingress:
    host: chat.matrix.hexor.cy
-  nodeSelector:
-    kubernetes.io/hostname: master.tail2fe2d.ts.net
+  # nodeSelector:
+  #   kubernetes.io/hostname: nas.homenet

 ## Element Admin panel
 elementAdmin:
  enabled: true
  ingress:
    host: admin.matrix.hexor.cy
-  nodeSelector:
-    kubernetes.io/hostname: master.tail2fe2d.ts.net
+  # nodeSelector:
+  #   kubernetes.io/hostname: nas.homenet

 ## Well-known delegation on the base domain (host is derived from serverName)
 wellKnownDelegation:
@@ -8,9 +8,6 @@ resources:
  - ./telemt-daemonset.yaml
  - ./external-secrets.yaml
  - ./telemt-external-secrets.yaml
-  - ./telemt-service.yaml
-  - ./telemt-servicemonitor.yaml
  - ./service.yaml
  - ./secret-reader.yaml
-  - ./secret-reader-ingress.yaml
 # - ./storage.yaml
@@ -1,45 +0,0 @@
---
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: auth-proxy
-spec:
-  forwardAuth:
-    address: http://auth-proxy.auth-proxy.svc:80/auth
-    trustForwardHeader: true
-    authResponseHeaders:
-      - X-Auth-Request-User
-      - X-Auth-Request-Email
-      - X-Auth-Request-Groups
---
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: secret-reader
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`proxy.hexor.cy`)
-      kind: Rule
-      middlewares:
-        - name: auth-proxy
-      services:
-        - name: secret-reader
-          port: 80
-  tls:
-    secretName: proxy-tls
---
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: proxy-tls
-spec:
-  secretName: proxy-tls
-  issuerRef:
-    name: letsencrypt
-    kind: ClusterIssuer
-  dnsNames:
-    - proxy.hexor.cy
@@ -55,10 +55,10 @@ spec:
                echo "ERROR: node ${NODE_NAME} has no mtproxy label"
                exit 1
              fi
-              # Build ee-prefixed secret: ee + secret + hex(tls_domain)
+              # Build dd-prefixed secret for TLS mode: dd + secret + hex(tls_domain)
              # "ya.ru" = 79612e7275
-              EE_SECRET="ee${SECRET}79612e7275"
-              LINK="tg://proxy?server=${SERVER}&port=${TELEMT_PORT}&secret=${EE_SECRET}"
+              DD_SECRET="dd${SECRET}79612e7275"
+              LINK="tg://proxy?server=${SERVER}&port=${TELEMT_PORT}&secret=${DD_SECRET}"
              echo "Registering telemt: ${SERVER} -> ${LINK}"
              if kubectl get secret telemt-links -n "${NAMESPACE}" &>/dev/null; then
                kubectl patch secret telemt-links -n "${NAMESPACE}" \
@@ -29,8 +29,6 @@ spec:

          [server]
          port = 30444
-          metrics_port = 9090
-          metrics_whitelist = ["0.0.0.0/0"]

          [server.api]
          enabled = true
@@ -1,17 +0,0 @@
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: telemt-metrics
-  labels:
-    app: telemt
-spec:
-  type: ClusterIP
-  clusterIP: None
-  selector:
-    app: telemt
-  ports:
-    - port: 9090
-      targetPort: 9090
-      protocol: TCP
-      name: metrics
@@ -1,24 +0,0 @@
---
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
-  name: telemt-metrics
-  labels:
-    app: telemt
-    release: prometheus
-spec:
-  selector:
-    matchLabels:
-      app: telemt
-  endpoints:
-    - port: metrics
-      path: /metrics
-      interval: 30s
-      scrapeTimeout: 10s
-      honorLabels: true
-      relabelings:
-        - sourceLabels: [__meta_kubernetes_pod_node_name]
-          targetLabel: node
-  namespaceSelector:
-    matchNames:
-      - mtproxy
@@ -9,18 +9,18 @@ resources:
 helmCharts:
  - name: ollama
    repo: https://otwld.github.io/ollama-helm/
-    version: 1.58.0
+    version: 1.49.0
    releaseName: ollama
    namespace: ollama
    valuesFile: ollama-values.yaml
    includeCRDs: true
  - name: open-webui
    repo: https://helm.openwebui.com/
-    version: 14.8.0
+    version: 12.10.0
    releaseName: openweb-ui
    namespace: ollama
    valuesFile: openweb-ui-values.yaml
    includeCRDs: true

 patches:
-  - path: patch-runtimeclass.yaml
+  - path: patch-runtimeclass.yaml
@@ -2,8 +2,8 @@ clusterDomain: cluster.local

 extraEnvVars:
  GLOBAL_LOG_LEVEL: debug
-  OAUTH_PROVIDER_NAME: keycloak
-  OPENID_PROVIDER_URL: https://auth.hexor.cy/auth/realms/hexor/.well-known/openid-configuration
+  OAUTH_PROVIDER_NAME: authentik
+  OPENID_PROVIDER_URL: https://idm.hexor.cy/application/o/openwebui/.well-known/openid-configuration
  OPENID_REDIRECT_URI: https://ai.hexor.cy/oauth/oidc/callback
  WEBUI_URL: https://ai.hexor.cy
  # Allows auto-creation of new users using OAuth. Must be paired with ENABLE_LOGIN_FORM=false.
@@ -31,7 +31,7 @@ ollama:
        - qwen3-vl:8b
        
 pipelines:
-  enabled: false
+  enabled: true
  nodeSelector:
    kubernetes.io/hostname: master.tail2fe2d.ts.net
  
@@ -57,4 +57,4 @@ ingress:
      traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
    host: "ai.hexor.cy"
    tls: true
-    existingSecret: ollama-tls
+    existingSecret: ollama-tls
@@ -18,8 +18,8 @@ spec:
            "openid_connect": {
              "APPS": [
                {
-                  "provider_id": "keycloak",
-                  "name": "Keycloak",
+                  "provider_id": "authentik",
+                  "name": "Authentik",
                  "client_id": "{{ .oauth_id }}",
                  "secret": "{{ .oauth_secret }}",
                  "settings": {
@@ -236,52 +236,29 @@ data:

    cd /app
    
-    write_xray_api_port() {
-      API_PORT="$1"
-      case "$API_PORT" in
-        ""|*[!0-9]*)
-          return
-          ;;
-      esac
-
-      CURRENT_PORT=""
-      if [ -f /shared/xray-api-port ]; then
-        CURRENT_PORT=$(cat /shared/xray-api-port)
-      fi
-
-      if [ "$API_PORT" != "$CURRENT_PORT" ]; then
-        echo "Found xray API port: $API_PORT"
-        echo -n "$API_PORT" > /shared/xray-api-port
-      fi
-    }
-
-    LOG_PIPE="/tmp/pasarguard-main.log"
-    rm -f "$LOG_PIPE"
-    mkfifo "$LOG_PIPE"
-
-    # Capture main logs so the Xray API listener is not confused with Xray's metrics listener.
-    {
-      while IFS= read -r line; do
-        echo "$line"
-        case "$line" in
-          *"transport/internet/tcp: listening TCP on 127.0.0.1:"*)
-            API_PORT=$(echo "$line" | sed -n 's/.*listening TCP on 127\.0\.0\.1:\([0-9][0-9]*\).*/\1/p')
-            write_xray_api_port "$API_PORT"
-            ;;
-        esac
-      done
-    } < "$LOG_PIPE" &
-    LOG_READER_PID=$!
-
    # Start main process in background
-    ./main > "$LOG_PIPE" 2>&1 &
+    ./main &
    MAIN_PID=$!
-
+    
+    # Start continuous port monitoring in background
+    {
+      sleep 10  # Wait for xray to start initially
+      LAST_PORT=""
+      
+      while true; do
+        API_PORT=$(netstat -tlpn | grep xray | grep 127.0.0.1 | awk '{print $4}' | cut -d: -f2 | head -1)
+        if [ -n "$API_PORT" ] && [ "$API_PORT" != "$LAST_PORT" ]; then
+          echo "Found xray API port: $API_PORT"
+          echo -n "$API_PORT" > /shared/xray-api-port
+          LAST_PORT="$API_PORT"
+        fi
+        sleep 5  # Check every 5 seconds
+      done
+    } &
+    PORT_MONITOR_PID=$!
+    
    # Wait for main process to finish
    wait $MAIN_PID
-    MAIN_STATUS=$?
-
-    # Clean up log reader
-    wait $LOG_READER_PID 2>/dev/null
-    rm -f "$LOG_PIPE"
-    exit $MAIN_STATUS
+    
+    # Clean up port monitor
+    kill $PORT_MONITOR_PID 2>/dev/null
@@ -1,4 +1,71 @@
 ---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: pasarguard-node
+  labels:
+    app: pasarguard-node
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: pasarguard-node-configmap
+  labels:
+    app: pasarguard-node
+rules:
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["get", "list", "create", "update", "patch"]
+  - apiGroups: ["cert-manager.io"]
+    resources: ["certificates"]
+    verbs: ["get", "list", "create", "update", "patch", "delete"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list"]
+  - apiGroups: [""]
+    resources: ["services", "endpoints"]
+    verbs: ["get", "list", "create", "update", "patch", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: pasarguard-node-configmap
+  labels:
+    app: pasarguard-node
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: pasarguard-node-configmap
+subjects:
+  - kind: ServiceAccount
+    name: pasarguard-node
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: pasarguard-node-reader
+  labels:
+    app: pasarguard-node
+rules:
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: pasarguard-node-reader
+  labels:
+    app: pasarguard-node
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: pasarguard-node-reader
+subjects:
+  - kind: ServiceAccount
+    name: pasarguard-node
+    namespace: pasarguard
+---
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
@@ -46,7 +113,7 @@ spec:
              mountPath: /scripts
      containers:
        - name: pasarguard-node
-          image: pasarguard/node:v0.5.2
+          image: 'pasarguard/node:v0.2.1'
          imagePullPolicy: Always
          command:
            - /bin/sh
@@ -116,20 +183,14 @@ spec:
            - name: metrics
              containerPort: 9550
              protocol: TCP
-          startupProbe:
+          livenessProbe:
            httpGet:
              path: /scrape
              port: metrics
-            periodSeconds: 10
-            timeoutSeconds: 5
-            failureThreshold: 36
-          livenessProbe:
-            tcpSocket:
-              port: metrics
            initialDelaySeconds: 60
            periodSeconds: 30
            timeoutSeconds: 10
-            failureThreshold: 6
+            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /scrape
@@ -158,71 +219,3 @@ spec:
          configMap:
            name: pasarguard-scripts
            defaultMode: 0755
-
---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: pasarguard-node
-  labels:
-    app: pasarguard-node
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: pasarguard-node-configmap
-  labels:
-    app: pasarguard-node
-rules:
-  - apiGroups: [""]
-    resources: ["configmaps"]
-    verbs: ["get", "list", "create", "update", "patch"]
-  - apiGroups: ["cert-manager.io"]
-    resources: ["certificates"]
-    verbs: ["get", "list", "create", "update", "patch", "delete"]
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["get", "list"]
-  - apiGroups: [""]
-    resources: ["services", "endpoints"]
-    verbs: ["get", "list", "create", "update", "patch", "delete"]
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: pasarguard-node-configmap
-  labels:
-    app: pasarguard-node
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: pasarguard-node-configmap
-subjects:
-  - kind: ServiceAccount
-    name: pasarguard-node
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: pasarguard-node-reader
-  labels:
-    app: pasarguard-node
-rules:
-  - apiGroups: [""]
-    resources: ["nodes"]
-    verbs: ["get", "list"]
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: pasarguard-node-reader
-  labels:
-    app: pasarguard-node
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: pasarguard-node-reader
-subjects:
-  - kind: ServiceAccount
-    name: pasarguard-node
-    namespace: pasarguard
@@ -34,7 +34,7 @@ spec:
              mountPath: /templates/subscription
      containers:
        - name: pasarguard-web
-          image: pasarguard/panel:v5.0.1
+          image: 'pasarguard/panel:latest'
          imagePullPolicy: Always
          envFrom:
            - secretRef:
@@ -1,26 +0,0 @@
---
-apiVersion: traefik.io/v1alpha1
-kind: ServersTransport
-metadata:
-  name: pasarguard-transport
-spec:
-  serverName: ps.hexor.cy
-  insecureSkipVerify: true
---
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: pasarguard
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`ps.hexor.cy`)
-      kind: Rule
-      services:
-        - name: pasarguard
-          port: 80
-          scheme: https
-          serversTransport: pasarguard-transport
-  tls:
-    secretName: pasarguard-tls
@@ -9,4 +9,3 @@ resources:
  - ./certificate.yaml
  - ./configmap-scripts.yaml
  - ./servicemonitor.yaml
-  - ./ingress.yaml
@@ -1,20 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: teamspeak
-  namespace: argocd
-spec:
-  project: apps
-  destination:
-    namespace: teamspeak
-    server: https://kubernetes.default.svc
-  source:
-    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
-    targetRevision: HEAD
-    path: k8s/apps/teamspeak
-  syncPolicy:
-    automated:
-      selfHeal: true
-      prune: true
-    syncOptions:
-      - CreateNamespace=true
@@ -1,49 +0,0 @@
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: teamspeak
-  labels:
-    app: teamspeak
-spec:
-  selector:
-    matchLabels:
-      app: teamspeak
-  replicas: 1
-  strategy:
-    type: Recreate
-  template:
-    metadata:
-      labels:
-        app: teamspeak
-    spec:
-      volumes:
-        - name: data
-          persistentVolumeClaim:
-            claimName: teamspeak-data
-      containers:
-        - name: teamspeak
-          image: 'teamspeak:latest'
-          env:
-            - name: TS3SERVER_LICENSE
-              value: "accept"
-          resources:
-            requests:
-              memory: "256Mi"
-              cpu: "100m"
-            limits:
-              memory: "512Mi"
-              cpu: "1000m"
-          ports:
-            - name: voice
-              containerPort: 9987
-              protocol: UDP
-            - name: filetransfer
-              containerPort: 30033
-              protocol: TCP
-            - name: serverquery
-              containerPort: 10011
-              protocol: TCP
-          volumeMounts:
-            - name: data
-              mountPath: /var/ts3server
@@ -1,8 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - app.yaml
-  - storage.yaml
-  - deployment.yaml
-  - service.yaml
@@ -1,22 +0,0 @@
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: teamspeak
-spec:
-  type: LoadBalancer
-  selector:
-    app: teamspeak
-  ports:
-    - name: voice
-      protocol: UDP
-      port: 9987
-      targetPort: 9987
-    - name: filetransfer
-      protocol: TCP
-      port: 30033
-      targetPort: 30033
-    - name: serverquery
-      protocol: TCP
-      port: 10011
-      targetPort: 10011
@@ -1,12 +0,0 @@
---
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: teamspeak-data
-spec:
-  accessModes:
-    - ReadWriteOnce
-  storageClassName: longhorn
-  resources:
-    requests:
-      storage: 5Gi
@@ -1,21 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: web-petting
-  namespace: argocd
-spec:
-  project: apps
-  destination:
-    namespace: web-petting
-    server: https://kubernetes.default.svc
-  source:
-    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
-    targetRevision: HEAD
-    path: k8s/apps/web-petting
-  syncPolicy:
-    automated:
-      selfHeal: true
-      prune: true
-    syncOptions:
-      - CreateNamespace=true
-
@@ -1,52 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: web-petting
-  labels:
-    app: web-petting
-spec:
-  replicas: 1
-  strategy:
-    type: Recreate
-  selector:
-    matchLabels:
-      app: web-petting
-  template:
-    metadata:
-      labels:
-        app: web-petting
-    spec:
-      nodeSelector:
-        kubernetes.io/os: linux
-        kubernetes.io/hostname: master.tail2fe2d.ts.net
-      volumes:
-        - name: data
-          persistentVolumeClaim:
-            claimName: web-petting-data
-      containers:
-      - name: web-petting
-        image: ultradesu/web-petting:latest
-        imagePullPolicy: Always
-        args:
-#         - "tail"
-#         - "-F"
-#         - "/1"
-          - "web-petting"
-          - "-l"
-          - "0.0.0.0:3000"
-        ports:
-        - containerPort: 3000
-          name: http
-        volumeMounts:
-          - name: data
-            mountPath: /data
-        env:
-        - name: RUST_LOG
-          value: "info"
-        - name: WEB_PETTING_DEBUG
-          value: "false"
-        resources:
-          requests:
-            memory: "256Mi"
-          limits:
-            memory: "1Gi"
@@ -1,40 +0,0 @@
---
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: web-petting-tls-ingress
-  annotations:
-    ingressClassName: traefik
-    cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
-    acme.cert-manager.io/http01-edit-in-place: "true"
-spec:
-  rules:
-    - host: pet.hexor.cy
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: web-petting
-                port:
-                  number: 80
-    - host: xn--l1acako8eb.xn--p1ai
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: web-petting
-                port:
-                  number: 80
-  tls:
-    - secretName: web-petting-tls
-      hosts:
-        - pet.hexor.cy
-    - secretName: web-petting-murnyanya-tls
-      hosts:
-        - xn--l1acako8eb.xn--p1ai
-
@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: web-petting
-  labels:
-    app: web-petting
-spec:
-  type: ClusterIP
-  selector:
-    app: web-petting
-  ports:
-  - port: 80
-    targetPort: 3000
-    protocol: TCP
-    name: http
@@ -1,12 +0,0 @@
---
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: web-petting-data
-spec:
-  accessModes:
-    - ReadWriteOnce
-  storageClassName: longhorn
-  resources:
-    requests:
-      storage: 10Gi
@@ -1,20 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: wedding
-  namespace: argocd
-spec:
-  project: apps
-  destination:
-    namespace: wedding
-    server: https://kubernetes.default.svc
-  source:
-    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
-    targetRevision: HEAD
-    path: k8s/apps/wedding
-  syncPolicy:
-    automated:
-      selfHeal: true
-      prune: true
-    syncOptions:
-      - CreateNamespace=true
@@ -1,69 +0,0 @@
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: wedding
-  labels:
-    app: wedding
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: wedding
-  template:
-    metadata:
-      labels:
-        app: wedding
-    spec:
-      nodeSelector:
-        kubernetes.io/hostname: spb.tail2fe2d.ts.net
-      initContainers:
-        - name: git-clone
-          image: alpine/git:latest
-          command:
-            - sh
-            - -c
-            - git clone --depth 1 https://gt.hexor.cy/ab/wedding.git /src
-          volumeMounts:
-            - name: source
-              mountPath: /src
-        - name: zola-build
-          image: ghcr.io/getzola/zola:v0.22.1
-          command:
-            - /bin/zola
-          args:
-            - --root
-            - /src
-            - build
-            - --base-url
-            - https://wedding.hexor.cy/
-            - --output-dir
-            - /public/html
-          volumeMounts:
-            - name: source
-              mountPath: /src
-            - name: public
-              mountPath: /public
-      containers:
-        - name: nginx
-          image: nginx:alpine
-          ports:
-            - containerPort: 80
-              protocol: TCP
-          volumeMounts:
-            - name: public
-              mountPath: /usr/share/nginx/html
-              subPath: html
-              readOnly: true
-          resources:
-            requests:
-              memory: 32Mi
-              cpu: 10m
-            limits:
-              memory: 64Mi
-              cpu: 100m
-      volumes:
-        - name: source
-          emptyDir: {}
-        - name: public
-          emptyDir: {}
@@ -1,26 +0,0 @@
---
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: wedding-tls-ingress
-  annotations:
-    ingressClassName: traefik
-    cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
-    acme.cert-manager.io/http01-edit-in-place: "true"
-spec:
-  rules:
-    - host: wedding.hexor.cy
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: wedding
-                port:
-                  number: 80
-  tls:
-    - secretName: wedding-tls
-      hosts:
-        - wedding.hexor.cy
@@ -1,10 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - app.yaml
-  - rbac.yaml
-  - deployment.yaml
-  - service.yaml
-  - ingress.yaml
-  - webhook.yaml
@@ -1,42 +0,0 @@
---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: wedding-deployer
-  namespace: wedding
-
---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: wedding-deployer-token
-  namespace: wedding
-  annotations:
-    kubernetes.io/service-account.name: wedding-deployer
-type: kubernetes.io/service-account-token
-
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: wedding-restart
-  namespace: wedding
-rules:
-  - apiGroups: ["apps"]
-    resources: ["deployments"]
-    verbs: ["get", "patch"]
-
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: wedding-deployer-restart
-  namespace: wedding
-subjects:
-  - kind: ServiceAccount
-    name: wedding-deployer
-    namespace: wedding
-roleRef:
-  kind: Role
-  name: wedding-restart
-  apiGroup: rbac.authorization.k8s.io
@@ -1,12 +0,0 @@
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: wedding
-spec:
-  selector:
-    app: wedding
-  ports:
-    - port: 80
-      targetPort: 80
-      protocol: TCP
@@ -1,71 +0,0 @@
---
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: webhook-script
-data:
-  serve.sh: |
-    #!/bin/sh
-    echo "Webhook server listening on :8080"
-    while true; do
-      echo -e "HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok" \
-        | nc -l -p 8080 > /dev/null
-      echo "Received webhook, restarting deployment..."
-      kubectl rollout restart deployment/wedding
-    done
-
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: wedding-webhook
-  labels:
-    app: wedding-webhook
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: wedding-webhook
-  template:
-    metadata:
-      labels:
-        app: wedding-webhook
-    spec:
-      nodeSelector:
-        kubernetes.io/hostname: spb.tail2fe2d.ts.net
-      serviceAccountName: wedding-deployer
-      containers:
-        - name: webhook
-          image: alpine/k8s:1.32.3
-          command: ["sh", "/scripts/serve.sh"]
-          ports:
-            - containerPort: 8080
-              protocol: TCP
-          volumeMounts:
-            - name: script
-              mountPath: /scripts
-              readOnly: true
-          resources:
-            requests:
-              memory: 16Mi
-              cpu: 5m
-            limits:
-              memory: 32Mi
-              cpu: 50m
-      volumes:
-        - name: script
-          configMap:
-            name: webhook-script
-
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: wedding-webhook
-spec:
-  selector:
-    app: wedding-webhook
-  ports:
-    - port: 8080
-      targetPort: 8080
-      protocol: TCP
@@ -23,39 +23,32 @@ configs:
    admin.enabled: false
    statusbadge.enabled: true
    timeout.reconciliation: 60s
-    dex.config: |
-      connectors:
-      - type: oidc
-        id: keycloak
-        name: Keycloak
-        config:
-          issuer: https://auth.hexor.cy/auth/realms/hexor
-          clientID: $oidc-creds:id
-          clientSecret: $oidc-creds:secret
-          insecureEnableGroups: true
-          scopes:
-            - openid
-            - profile
-            - email
-            - offline_access
-          getUserInfo: true
+    oidc.config: |
+      name: Authentik
+      issuer: https://idm.hexor.cy/application/o/argocd/
+      clientID: $oidc-creds:id
+      clientSecret: $oidc-creds:secret
+      requestedScopes: ["openid", "profile", "email", "groups", "offline_access"]
+      requestedIDTokenClaims: {"groups": {"essential": true}}
+      refreshTokenThreshold: 2m
  rbac:
    create: true
    policy.default: ""
    policy.csv: |
-        g, game-servers-managers, GameServersManagersRole
-        # Role permissions
-        p, GameServersManagersRole, applications, get, games/*, allow
-        p, GameServersManagersRole, applications, update, games/*, allow
-        p, GameServersManagersRole, applications, sync, games/*, allow
-        p, GameServersManagersRole, applications, override, games/*, allow
-        p, GameServersManagersRole, applications, action/*, games/*, allow
-        p, GameServersManagersRole, exec, create, games/*, allow
-        p, GameServersManagersRole, logs, get, games/*, allow
-        p, GameServersManagersRole, applications, delete, games/*, deny
-    
-        # Admin policy
-        g, argocd-admins, role:admin
+      # Bound OIDC Group and internal role
+      g, Game Servers Managers, GameServersManagersRole
+      # Role permissions
+      p, GameServersManagersRole, applications, get, games/*, allow
+      p, GameServersManagersRole, applications, update, games/*, allow
+      p, GameServersManagersRole, applications, sync, games/*, allow
+      p, GameServersManagersRole, applications, override, games/*, allow
+      p, GameServersManagersRole, applications, action/*, games/*, allow
+      p, GameServersManagersRole, exec, create, games/*, allow
+      p, GameServersManagersRole, logs, get, games/*, allow
+      p, GameServersManagersRole, applications, delete, games/*, deny
+
+      # Admin policy
+      g, ArgoCD Admins, role:admin

  secret:
    createSecret: true
@@ -72,7 +65,7 @@ dex:
  replicas: 1
  nodeSelector:
    <<: *nodeSelector
-  enabled: true
+  enabled: false

 # Standard Redis disabled because Redis HA is enabled
 redis:
@@ -1,21 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: auth-proxy
-  namespace: argocd
-spec:
-  project: core
-  destination:
-    namespace: auth-proxy
-    server: https://kubernetes.default.svc
-  source:
-    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
-    targetRevision: HEAD
-    path: k8s/core/auth-proxy
-  syncPolicy:
-    automated:
-      selfHeal: true
-      prune: true
-    syncOptions:
-      - CreateNamespace=true
-      - ServerSideApply=true
@@ -1,79 +0,0 @@
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: auth-proxy
-  labels:
-    app: auth-proxy
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: auth-proxy
-  template:
-    metadata:
-      labels:
-        app: auth-proxy
-    spec:
-      containers:
-        - name: auth-proxy
-          image: ultradesu/rsauth2-proxy:latest
-          ports:
-            - containerPort: 8080
-              name: http
-              protocol: TCP
-          envFrom:
-            - secretRef:
-                name: auth-proxy-creds
-          env:
-            - name: AUTH_PROXY_OIDC_ISSUER
-              value: "https://auth.hexor.cy/auth/realms/hexor"
-            - name: AUTH_PROXY_COOKIE_DOMAIN
-              value: ".hexor.cy"
-            - name: AUTH_PROXY_CALLBACK_URL
-              value: "https://oauth.hexor.cy/callback"
-            - name: AUTH_PROXY_ROUTES_FILE
-              value: "/config/routes.yaml"
-            - name: AUTH_PROXY_LOG_LEVEL
-              value: "debug"
-          volumeMounts:
-            - name: routes
-              mountPath: /config
-              readOnly: true
-          resources:
-            requests:
-              cpu: 50m
-              memory: 32Mi
-            limits:
-              cpu: 200m
-              memory: 64Mi
-          readinessProbe:
-            httpGet:
-              path: /health
-              port: 8080
-            initialDelaySeconds: 3
-            periodSeconds: 10
-          livenessProbe:
-            httpGet:
-              path: /health
-              port: 8080
-            initialDelaySeconds: 5
-            periodSeconds: 30
-          securityContext:
-            allowPrivilegeEscalation: false
-            readOnlyRootFilesystem: true
-            runAsNonRoot: true
-            runAsUser: 1000
-            runAsGroup: 1000
-            capabilities:
-              drop:
-                - ALL
-      volumes:
-        - name: routes
-          configMap:
-            name: auth-proxy-routes
-      nodeSelector:
-        kubernetes.io/hostname: master.tail2fe2d.ts.net
-      tolerations:
-        - key: node-role.kubernetes.io/master
-          effect: NoSchedule
@@ -1,40 +0,0 @@
---
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: auth-proxy-creds
-spec:
-  target:
-    name: auth-proxy-creds
-    deletionPolicy: Delete
-    template:
-      type: Opaque
-      data:
-        AUTH_PROXY_CLIENT_ID: rsauth2-proxy
-        AUTH_PROXY_CLIENT_SECRET: |-
-          {{ .client_secret }}
-        AUTH_PROXY_COOKIE_SECRET: |-
-          {{ .cookie_secret }}
-  data:
-    - secretKey: client_secret
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        metadataPolicy: None
-        key: e62e8c4d-d538-43b2-a682-9cdf2a5a1165
-        property: login.password
-    - secretKey: cookie_secret
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        metadataPolicy: None
-        key: e62e8c4d-d538-43b2-a682-9cdf2a5a1165
-        property: fields[0].value
@@ -1,28 +0,0 @@
---
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: auth-proxy
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`oauth.hexor.cy`)
-      kind: Rule
-      services:
-        - name: auth-proxy
-          port: 80
-  tls:
-    secretName: auth-proxy-tls
---
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: auth-proxy-tls
-spec:
-  secretName: auth-proxy-tls
-  issuerRef:
-    name: letsencrypt
-    kind: ClusterIssuer
-  dnsNames:
-    - oauth.hexor.cy
@@ -1,11 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - app.yaml
-  - external-secrets.yaml
-  - deployment.yaml
-  - service.yaml
-  - ingress.yaml
-  - servicemonitor.yaml
-# routes.yaml ConfigMap is managed by Terraform (kubernetes_config_map)
@@ -1,15 +0,0 @@
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: auth-proxy
-  labels:
-    app: auth-proxy
-spec:
-  ports:
-    - name: http
-      port: 80
-      targetPort: 8080
-      protocol: TCP
-  selector:
-    app: auth-proxy
@@ -1,21 +0,0 @@
---
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
-  name: auth-proxy-metrics
-  labels:
-    app: auth-proxy
-    release: prometheus
-spec:
-  selector:
-    matchLabels:
-      app: auth-proxy
-  endpoints:
-    - port: http
-      path: /metrics
-      interval: 30s
-      scrapeTimeout: 10s
-      honorLabels: true
-  namespaceSelector:
-    matchNames:
-      - auth-proxy
@@ -4,13 +4,14 @@ kind: Kustomization
 resources:
  - app.yaml
  - external-secrets.yaml
+  - https-middleware.yaml
  - outpost-selector-fix.yaml
 # - worker-restart.yaml

 helmCharts:
  - name: authentik
    repo: https://charts.goauthentik.io
-    version: 2026.2.2
+    version: 2026.2.1
    releaseName: authentik
    namespace: authentik
    valuesFile: values.yaml
@@ -1,6 +1,6 @@
 global:
  image:
-    tag: "2026.2.2"
+    tag: "2026.2.1"

 authentik:
    error_reporting:
@@ -18,9 +18,11 @@ spec:
              key: apiKey
        selector:
          dnsZones:
+            - "*.hexor.cy"
            - "*.hexor.ru"
            - "*.btwiusearch.net"
            - "hexor.ru"
+            - "hexor.cy"
            - "btwiusearch.net"
      - dns01:
          route53:
@@ -33,8 +35,7 @@ spec:
              key: secretKey
        selector:
          dnsZones:
-            - "*.hexor.cy"
-            - "hexor.cy"
-            - "*.xn--l1acako8eb.xn--p1ai"
-            - "xn--l1acako8eb.xn--p1ai"
+            - "ps.hexor.cy"
+            - "of.hexor.cy"
+            - "matrix.hexor.cy"

@@ -1,31 +0,0 @@
-nfd:
-  enabled: false
-
-labeller:
-  enabled: false
-
-dp:
-  image:
-    repository: docker.io/rocm/k8s-device-plugin
-    tag: "1.31.0.9"
-  updateStrategy:
-    type: RollingUpdate
-    rollingUpdate:
-      maxUnavailable: 1
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - ALL
-
-tolerations:
-  - key: workload
-    operator: Equal
-    value: ai
-    effect: NoSchedule
-
-node_selector_enabled: true
-node_selector:
-  kubernetes.io/arch: amd64
-  kubernetes.io/hostname: ai.tail2fe2d.ts.net
@@ -13,24 +13,3 @@ helmCharts:
    namespace: gpu-system
    valuesFile: values.yaml
    includeCRDs: true
-  - name: amd-gpu
-    repo: https://rocm.github.io/k8s-device-plugin/
-    version: 0.21.0
-    releaseName: amd-gpu-device-plugin
-    namespace: gpu-system
-    valuesFile: amd-gpu-values.yaml
-    includeCRDs: true
-
-patches:
-  - target:
-      group: apps
-      version: v1
-      kind: DaemonSet
-      name: amd-gpu-device-plugin-daemonset
-      namespace: gpu-system
-    patch: |-
-      - op: replace
-        path: /spec/template/spec/nodeSelector
-        value:
-          kubernetes.io/arch: amd64
-          kubernetes.io/hostname: ai.tail2fe2d.ts.net
@@ -1,21 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: kanidm
-  namespace: argocd
-spec:
-  project: core
-  destination:
-    namespace: kanidm
-    server: https://kubernetes.default.svc
-  source:
-    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
-    targetRevision: HEAD
-    path: k8s/core/kanidm
-  syncPolicy:
-    automated:
-      selfHeal: true
-      prune: true
-    syncOptions:
-      - CreateNamespace=true
-      - ServerSideApply=true
@@ -1,12 +0,0 @@
---
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: kanidm-tls
-spec:
-  secretName: kanidm-tls
-  issuerRef:
-    name: letsencrypt
-    kind: ClusterIssuer
-  dnsNames:
-    - auth.hexor.cy
@@ -1,19 +0,0 @@
---
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: kanidm-config
-data:
-  server.toml: |
-    bindaddress = "[::]:443"
-    db_path = "/data/kanidm.db"
-    tls_chain = "/certs/tls.crt"
-    tls_key = "/certs/tls.key"
-    domain = "auth.hexor.cy"
-    origin = "https://auth.hexor.cy"
-    log_level = "info"
-
-    [online_backup]
-    path = "/data/backups/"
-    schedule = "00 22 * * *"
-    versions = 7
@@ -1,20 +0,0 @@
---
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: kanidm
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`auth.hexor.cy`)
-      kind: Rule
-      services:
-        - name: kanidm
-          port: 443
-          scheme: https
-          serversTransport: kanidm-transport
-  tls:
-    secretName: kanidm-ingress-tls
@@ -1,11 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - app.yaml
-  - configmap.yaml
-  - certificate.yaml
-  - statefulset.yaml
-  - service.yaml
-  - ingress.yaml
-  - servers-transport.yaml
@@ -1,7 +0,0 @@
---
-apiVersion: traefik.io/v1alpha1
-kind: ServersTransport
-metadata:
-  name: kanidm-transport
-spec:
-  insecureSkipVerify: true
@@ -1,15 +0,0 @@
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: kanidm
-  labels:
-    app: kanidm
-spec:
-  ports:
-    - name: https
-      port: 443
-      targetPort: 443
-      protocol: TCP
-  selector:
-    app: kanidm
@@ -1,86 +0,0 @@
---
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: kanidm
-  labels:
-    app: kanidm
-spec:
-  serviceName: kanidm
-  replicas: 1
-  selector:
-    matchLabels:
-      app: kanidm
-  template:
-    metadata:
-      labels:
-        app: kanidm
-    spec:
-      securityContext:
-        runAsUser: 1000
-        runAsGroup: 1000
-        fsGroup: 1000
-      containers:
-        - name: kanidm
-          image: kanidm/server:1.9.3
-          ports:
-            - containerPort: 443
-              name: https
-              protocol: TCP
-          volumeMounts:
-            - name: kanidm-data
-              mountPath: /data
-            - name: kanidm-config
-              mountPath: /data/server.toml
-              subPath: server.toml
-              readOnly: true
-            - name: kanidm-tls
-              mountPath: /certs
-              readOnly: true
-          resources:
-            requests:
-              memory: "128Mi"
-              cpu: "100m"
-            limits:
-              memory: "512Mi"
-              cpu: "500m"
-          readinessProbe:
-            httpGet:
-              path: /status
-              port: 443
-              scheme: HTTPS
-            initialDelaySeconds: 5
-            periodSeconds: 10
-          livenessProbe:
-            httpGet:
-              path: /status
-              port: 443
-              scheme: HTTPS
-            initialDelaySeconds: 15
-            periodSeconds: 30
-          securityContext:
-            allowPrivilegeEscalation: false
-            readOnlyRootFilesystem: false
-            runAsUser: 1000
-            runAsGroup: 1000
-      volumes:
-        - name: kanidm-config
-          configMap:
-            name: kanidm-config
-        - name: kanidm-tls
-          secret:
-            secretName: kanidm-tls
-      nodeSelector:
-        kubernetes.io/hostname: master.tail2fe2d.ts.net
-      tolerations:
-        - key: node-role.kubernetes.io/master
-          effect: NoSchedule
-  volumeClaimTemplates:
-    - metadata:
-        name: kanidm-data
-      spec:
-        accessModes: ["ReadWriteOnce"]
-        storageClassName: longhorn
-        resources:
-          requests:
-            storage: 1Gi
@@ -1,21 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: keycloak
-  namespace: argocd
-spec:
-  project: core
-  destination:
-    namespace: keycloak
-    server: https://kubernetes.default.svc
-  source:
-    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
-    targetRevision: HEAD
-    path: k8s/core/keycloak
-  syncPolicy:
-    automated:
-      selfHeal: true
-      prune: true
-    syncOptions:
-      - CreateNamespace=true
-      - ServerSideApply=true
@@ -1,41 +0,0 @@
---
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: keycloak-creds
-spec:
-  target:
-    name: keycloak-creds
-    deletionPolicy: Delete
-    template:
-      type: Opaque
-      data:
-        KC_DB_USERNAME: keycloak
-        KC_DB_PASSWORD: |-
-          {{ .db_password }}
-        KC_BOOTSTRAP_ADMIN_USERNAME: admin
-        KC_BOOTSTRAP_ADMIN_PASSWORD: |-
-          {{ .admin_password }}
-  data:
-    - secretKey: db_password
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        metadataPolicy: None
-        key: 2a9deb39-ef22-433e-a1be-df1555625e22
-        property: fields[18].value
-    - secretKey: admin_password
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        metadataPolicy: None
-        key: 9422b636-a91d-40e4-bf98-925b2a3f831d
-        property: login.password
@@ -1,366 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: keycloak-hacker-theme
-  namespace: keycloak
-data:
-  theme.properties: |
-    parent=keycloak.v2
-    import=common/keycloak
-
-    styles=css/hacker.css
-
-  hacker.css: |
-    /* ============================================================
-       HEXOR — Hacker Terminal Theme for Keycloak
-       ============================================================ */
-
-    @import url('https://fonts.googleapis.com/css2?family=Fira+Code:wght@400;600&display=swap');
-
-    :root {
-      --hk-bg: #0a0a0a;
-      --hk-panel: #0d0d0d;
-      --hk-border: #00ff4180;
-      --hk-green: #00ff41;
-      --hk-green-dim: #00cc33;
-      --hk-green-glow: rgba(0, 255, 65, 0.15);
-      --hk-green-glow-strong: rgba(0, 255, 65, 0.35);
-      --hk-cyan: #00e5ff;
-      --hk-red: #ff3333;
-      --hk-text: #b0ffb0;
-      --hk-text-dim: #5a8a5a;
-      --hk-input-bg: #050505;
-      --hk-font: 'Fira Code', 'Cascadia Code', 'JetBrains Mono', monospace;
-    }
-
-    /* -- Force dark always --------------------------------------------------- */
-    html.login-pf,
-    html.login-pf.pf-v5-theme-dark {
-      color-scheme: dark;
-    }
-
-    /* -- Background: scanlines + CRT ---------------------------------------- */
-    body#keycloak-bg {
-      font-family: var(--hk-font) !important;
-      background: var(--hk-bg) !important;
-      color: var(--hk-text) !important;
-      min-height: 100vh;
-      position: relative;
-    }
-
-    body#keycloak-bg::before {
-      content: '';
-      position: fixed;
-      inset: 0;
-      background: repeating-linear-gradient(
-        0deg,
-        transparent,
-        transparent 2px,
-        rgba(0, 255, 65, 0.03) 2px,
-        rgba(0, 255, 65, 0.03) 4px
-      );
-      pointer-events: none;
-      z-index: 9999;
-    }
-
-    /* -- Login container ----------------------------------------------------- */
-    .pf-v5-c-login {
-      background: transparent !important;
-    }
-
-    .pf-v5-c-login__container {
-      max-width: 480px !important;
-    }
-
-    /* -- Header / Brand ------------------------------------------------------ */
-    #kc-header-wrapper {
-      font-family: var(--hk-font) !important;
-      color: var(--hk-green) !important;
-      text-shadow: 0 0 10px var(--hk-green), 0 0 30px var(--hk-green-glow);
-      font-size: 1.5rem !important;
-      letter-spacing: 0.15em;
-      text-transform: uppercase;
-    }
-
-    #kc-header-wrapper .kc-logo-text span::before {
-      content: '> ';
-      opacity: 0.6;
-    }
-
-    /* -- Main card ----------------------------------------------------------- */
-    .pf-v5-c-login__main {
-      background: var(--hk-panel) !important;
-      border: 1px solid var(--hk-border) !important;
-      border-radius: 0 !important;
-      box-shadow:
-        0 0 15px var(--hk-green-glow),
-        inset 0 0 30px rgba(0, 0, 0, 0.5) !important;
-    }
-
-    /* -- Title --------------------------------------------------------------- */
-    h1#kc-page-title,
-    .pf-v5-c-title {
-      font-family: var(--hk-font) !important;
-      color: var(--hk-green) !important;
-      text-shadow: 0 0 8px var(--hk-green-glow);
-      font-weight: 600 !important;
-      font-size: 1.25rem !important;
-      letter-spacing: 0.05em;
-    }
-
-    /* -- Labels -------------------------------------------------------------- */
-    .pf-v5-c-form__label-text {
-      font-family: var(--hk-font) !important;
-      color: var(--hk-green-dim) !important;
-      font-size: 0.85rem !important;
-      text-transform: uppercase;
-      letter-spacing: 0.08em;
-    }
-
-    /* -- Input fields -------------------------------------------------------- */
-    .pf-v5-c-form-control {
-      background-color: var(--hk-input-bg) !important;
-      border: 1px solid var(--hk-border) !important;
-      border-radius: 0 !important;
-      color: var(--hk-green) !important;
-      font-family: var(--hk-font) !important;
-      font-size: 0.9rem !important;
-      caret-color: var(--hk-green);
-      transition: border-color 0.2s, box-shadow 0.2s;
-    }
-
-    .pf-v5-c-form-control:focus-within,
-    .pf-v5-c-form-control:focus {
-      border-color: var(--hk-green) !important;
-      box-shadow: 0 0 8px var(--hk-green-glow), inset 0 0 4px var(--hk-green-glow) !important;
-      outline: none !important;
-    }
-
-    .pf-v5-c-form-control input {
-      color: var(--hk-green) !important;
-      font-family: var(--hk-font) !important;
-    }
-
-    .pf-v5-c-form-control input::placeholder {
-      color: var(--hk-text-dim) !important;
-    }
-
-    /* -- Primary button (Sign In) -------------------------------------------- */
-    .pf-v5-c-button.pf-m-primary {
-      background: transparent !important;
-      border: 1px solid var(--hk-green) !important;
-      border-radius: 0 !important;
-      color: var(--hk-green) !important;
-      font-family: var(--hk-font) !important;
-      font-weight: 600 !important;
-      text-transform: uppercase;
-      letter-spacing: 0.12em;
-      font-size: 0.9rem !important;
-      transition: all 0.2s;
-      position: relative;
-      overflow: hidden;
-    }
-
-    .pf-v5-c-button.pf-m-primary:hover {
-      background: var(--hk-green-glow) !important;
-      box-shadow: 0 0 15px var(--hk-green-glow-strong), inset 0 0 15px var(--hk-green-glow) !important;
-      color: #fff !important;
-      text-shadow: 0 0 5px var(--hk-green);
-    }
-
-    /* -- Secondary button (Try Another Way, Passkey) ------------------------- */
-    .pf-v5-c-button.pf-m-secondary {
-      background: transparent !important;
-      border: 1px solid var(--hk-cyan) !important;
-      border-radius: 0 !important;
-      color: var(--hk-cyan) !important;
-      font-family: var(--hk-font) !important;
-      text-transform: uppercase;
-      letter-spacing: 0.1em;
-      font-size: 0.85rem !important;
-      transition: all 0.2s;
-    }
-
-    .pf-v5-c-button.pf-m-secondary:hover {
-      background: rgba(0, 229, 255, 0.1) !important;
-      box-shadow: 0 0 12px rgba(0, 229, 255, 0.3) !important;
-      color: #fff !important;
-    }
-
-    /* -- Passkey authenticate button ----------------------------------------- */
-    #authenticateWebAuthnButton {
-      background: transparent !important;
-      border: 1px solid var(--hk-cyan) !important;
-      border-radius: 0 !important;
-      color: var(--hk-cyan) !important;
-      font-family: var(--hk-font) !important;
-      text-transform: uppercase;
-      letter-spacing: 0.1em;
-      font-size: 0.85rem !important;
-      padding: 0.75rem 1rem;
-      display: block;
-      width: 100%;
-      text-align: center;
-      text-decoration: none;
-      transition: all 0.2s;
-      margin-top: 1rem;
-    }
-
-    #authenticateWebAuthnButton::before {
-      content: '\f084  ';
-      font-family: 'Font Awesome 6 Free', 'FontAwesome';
-      font-weight: 900;
-    }
-
-    #authenticateWebAuthnButton:hover {
-      background: rgba(0, 229, 255, 0.1) !important;
-      box-shadow: 0 0 15px rgba(0, 229, 255, 0.3), inset 0 0 10px rgba(0, 229, 255, 0.1) !important;
-      color: #fff !important;
-      text-shadow: 0 0 5px var(--hk-cyan);
-    }
-
-    /* -- Show password button ------------------------------------------------ */
-    .pf-v5-c-button.pf-m-control {
-      background: var(--hk-input-bg) !important;
-      border: 1px solid var(--hk-border) !important;
-      border-left: none !important;
-      border-radius: 0 !important;
-      color: var(--hk-text-dim) !important;
-    }
-
-    .pf-v5-c-button.pf-m-control:hover {
-      color: var(--hk-green) !important;
-    }
-
-    /* -- Social providers (Google, etc) -------------------------------------- */
-    .pf-v5-c-login__main-footer {
-      border-top: 1px solid var(--hk-border) !important;
-    }
-
-    .kc-social-section .pf-v5-c-button.pf-m-secondary {
-      border-color: var(--hk-text-dim) !important;
-      color: var(--hk-text) !important;
-    }
-
-    .kc-social-section .pf-v5-c-button.pf-m-secondary:hover {
-      border-color: var(--hk-green) !important;
-      color: var(--hk-green) !important;
-      box-shadow: 0 0 10px var(--hk-green-glow) !important;
-    }
-
-    /* -- Try another way link ------------------------------------------------ */
-    #try-another-way {
-      color: var(--hk-cyan) !important;
-      text-decoration: none !important;
-      font-family: var(--hk-font) !important;
-    }
-
-    #try-another-way:hover {
-      text-shadow: 0 0 8px rgba(0, 229, 255, 0.5);
-    }
-
-    /* -- Links --------------------------------------------------------------- */
-    a {
-      color: var(--hk-cyan) !important;
-      text-decoration: none;
-      transition: text-shadow 0.2s;
-    }
-
-    a:hover {
-      text-shadow: 0 0 6px rgba(0, 229, 255, 0.4);
-    }
-
-    /* -- Alerts / messages --------------------------------------------------- */
-    .pf-v5-c-alert {
-      background: rgba(0, 255, 65, 0.05) !important;
-      border: 1px solid var(--hk-border) !important;
-      border-radius: 0 !important;
-      font-family: var(--hk-font) !important;
-    }
-
-    .pf-v5-c-alert.pf-m-danger {
-      border-color: var(--hk-red) !important;
-      background: rgba(255, 51, 51, 0.05) !important;
-    }
-
-    .pf-v5-c-alert__title {
-      color: var(--hk-text) !important;
-      font-family: var(--hk-font) !important;
-    }
-
-    /* -- Checkbox (Remember me) ---------------------------------------------- */
-    .pf-v5-c-check__label {
-      color: var(--hk-text-dim) !important;
-      font-family: var(--hk-font) !important;
-      font-size: 0.8rem !important;
-    }
-
-    /* -- Helper text (Forgot password, etc.) --------------------------------- */
-    .pf-v5-c-helper-text .pf-v5-c-button.pf-m-link {
-      color: var(--hk-cyan) !important;
-      font-family: var(--hk-font) !important;
-      font-size: 0.8rem !important;
-    }
-
-    /* -- Select auth list (Try another way options) -------------------------- */
-    .select-auth-container {
-      background: var(--hk-panel) !important;
-      font-family: var(--hk-font) !important;
-    }
-
-    .pf-v5-c-data-list__item {
-      border-color: var(--hk-border) !important;
-      background: transparent !important;
-    }
-
-    .pf-v5-c-data-list__item:hover {
-      background: var(--hk-green-glow) !important;
-    }
-
-    .select-auth-box-headline {
-      color: var(--hk-green) !important;
-    }
-
-    .select-auth-box-desc {
-      color: var(--hk-text-dim) !important;
-    }
-
-    /* -- Footer -------------------------------------------------------------- */
-    .pf-v5-c-login__main-footer-band {
-      background: transparent !important;
-      border-top: 1px solid var(--hk-border) !important;
-    }
-
-    /* -- Language selector --------------------------------------------------- */
-    select#login-select-toggle {
-      background: var(--hk-input-bg) !important;
-      color: var(--hk-green) !important;
-      border-color: var(--hk-border) !important;
-      font-family: var(--hk-font) !important;
-    }
-
-    /* -- Blinking cursor animation for header -------------------------------- */
-    @keyframes blink {
-      0%, 100% { opacity: 1; }
-      50% { opacity: 0; }
-    }
-
-    #kc-header-wrapper::after {
-      content: '_';
-      animation: blink 1s step-end infinite;
-      color: var(--hk-green);
-    }
-
-    /* -- Subtle CRT flicker ------------------------------------------------- */
-    @keyframes flicker {
-      0% { opacity: 0.97; }
-      5% { opacity: 0.95; }
-      10% { opacity: 0.98; }
-      15% { opacity: 0.96; }
-      20% { opacity: 0.99; }
-      100% { opacity: 0.98; }
-    }
-
-    .pf-v5-c-login__main {
-      animation: flicker 4s infinite;
-    }
@@ -1,15 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - app.yaml
-  - external-secrets.yaml
-  - hacker-theme-configmap.yaml
-
-helmCharts:
-  - name: keycloakx
-    repo: https://codecentric.github.io/helm-charts
-    version: 7.1.11
-    releaseName: keycloak
-    namespace: keycloak
-    valuesFile: values.yaml
@@ -1,353 +0,0 @@
-/* ============================================================
-   HEXOR — Hacker Terminal Theme for Keycloak
-   ============================================================ */
-
-@import url('https://fonts.googleapis.com/css2?family=Fira+Code:wght@400;600&display=swap');
-
-:root {
-  --hk-bg: #0a0a0a;
-  --hk-panel: #0d0d0d;
-  --hk-border: #00ff4180;
-  --hk-green: #00ff41;
-  --hk-green-dim: #00cc33;
-  --hk-green-glow: rgba(0, 255, 65, 0.15);
-  --hk-green-glow-strong: rgba(0, 255, 65, 0.35);
-  --hk-cyan: #00e5ff;
-  --hk-red: #ff3333;
-  --hk-text: #b0ffb0;
-  --hk-text-dim: #5a8a5a;
-  --hk-input-bg: #050505;
-  --hk-font: 'Fira Code', 'Cascadia Code', 'JetBrains Mono', monospace;
-}
-
-/* -- Force dark always --------------------------------------------------- */
-html.login-pf,
-html.login-pf.pf-v5-theme-dark {
-  color-scheme: dark;
-}
-
-/* -- Background: scanlines + CRT ---------------------------------------- */
-body#keycloak-bg {
-  font-family: var(--hk-font) !important;
-  background: var(--hk-bg) !important;
-  color: var(--hk-text) !important;
-  min-height: 100vh;
-  position: relative;
-}
-
-body#keycloak-bg::before {
-  content: '';
-  position: fixed;
-  inset: 0;
-  background: repeating-linear-gradient(
-    0deg,
-    transparent,
-    transparent 2px,
-    rgba(0, 255, 65, 0.03) 2px,
-    rgba(0, 255, 65, 0.03) 4px
-  );
-  pointer-events: none;
-  z-index: 9999;
-}
-
-/* -- Login container ----------------------------------------------------- */
-.pf-v5-c-login {
-  background: transparent !important;
-}
-
-.pf-v5-c-login__container {
-  max-width: 480px !important;
-}
-
-/* -- Header / Brand ------------------------------------------------------ */
-#kc-header-wrapper {
-  font-family: var(--hk-font) !important;
-  color: var(--hk-green) !important;
-  text-shadow: 0 0 10px var(--hk-green), 0 0 30px var(--hk-green-glow);
-  font-size: 1.5rem !important;
-  letter-spacing: 0.15em;
-  text-transform: uppercase;
-}
-
-#kc-header-wrapper .kc-logo-text span::before {
-  content: '> ';
-  opacity: 0.6;
-}
-
-/* -- Main card ----------------------------------------------------------- */
-.pf-v5-c-login__main {
-  background: var(--hk-panel) !important;
-  border: 1px solid var(--hk-border) !important;
-  border-radius: 0 !important;
-  box-shadow:
-    0 0 15px var(--hk-green-glow),
-    inset 0 0 30px rgba(0, 0, 0, 0.5) !important;
-}
-
-/* -- Title --------------------------------------------------------------- */
-h1#kc-page-title,
-.pf-v5-c-title {
-  font-family: var(--hk-font) !important;
-  color: var(--hk-green) !important;
-  text-shadow: 0 0 8px var(--hk-green-glow);
-  font-weight: 600 !important;
-  font-size: 1.25rem !important;
-  letter-spacing: 0.05em;
-}
-
-/* -- Labels -------------------------------------------------------------- */
-.pf-v5-c-form__label-text {
-  font-family: var(--hk-font) !important;
-  color: var(--hk-green-dim) !important;
-  font-size: 0.85rem !important;
-  text-transform: uppercase;
-  letter-spacing: 0.08em;
-}
-
-/* -- Input fields -------------------------------------------------------- */
-.pf-v5-c-form-control {
-  background-color: var(--hk-input-bg) !important;
-  border: 1px solid var(--hk-border) !important;
-  border-radius: 0 !important;
-  color: var(--hk-green) !important;
-  font-family: var(--hk-font) !important;
-  font-size: 0.9rem !important;
-  caret-color: var(--hk-green);
-  transition: border-color 0.2s, box-shadow 0.2s;
-}
-
-.pf-v5-c-form-control:focus-within,
-.pf-v5-c-form-control:focus {
-  border-color: var(--hk-green) !important;
-  box-shadow: 0 0 8px var(--hk-green-glow), inset 0 0 4px var(--hk-green-glow) !important;
-  outline: none !important;
-}
-
-.pf-v5-c-form-control input {
-  color: var(--hk-green) !important;
-  font-family: var(--hk-font) !important;
-}
-
-.pf-v5-c-form-control input::placeholder {
-  color: var(--hk-text-dim) !important;
-}
-
-/* -- Primary button (Sign In) -------------------------------------------- */
-.pf-v5-c-button.pf-m-primary {
-  background: transparent !important;
-  border: 1px solid var(--hk-green) !important;
-  border-radius: 0 !important;
-  color: var(--hk-green) !important;
-  font-family: var(--hk-font) !important;
-  font-weight: 600 !important;
-  text-transform: uppercase;
-  letter-spacing: 0.12em;
-  font-size: 0.9rem !important;
-  transition: all 0.2s;
-  position: relative;
-  overflow: hidden;
-}
-
-.pf-v5-c-button.pf-m-primary:hover {
-  background: var(--hk-green-glow) !important;
-  box-shadow: 0 0 15px var(--hk-green-glow-strong), inset 0 0 15px var(--hk-green-glow) !important;
-  color: #fff !important;
-  text-shadow: 0 0 5px var(--hk-green);
-}
-
-/* -- Secondary button (Try Another Way, Passkey) ------------------------- */
-.pf-v5-c-button.pf-m-secondary {
-  background: transparent !important;
-  border: 1px solid var(--hk-cyan) !important;
-  border-radius: 0 !important;
-  color: var(--hk-cyan) !important;
-  font-family: var(--hk-font) !important;
-  text-transform: uppercase;
-  letter-spacing: 0.1em;
-  font-size: 0.85rem !important;
-  transition: all 0.2s;
-}
-
-.pf-v5-c-button.pf-m-secondary:hover {
-  background: rgba(0, 229, 255, 0.1) !important;
-  box-shadow: 0 0 12px rgba(0, 229, 255, 0.3) !important;
-  color: #fff !important;
-}
-
-/* -- Passkey authenticate button ----------------------------------------- */
-#authenticateWebAuthnButton {
-  background: transparent !important;
-  border: 1px solid var(--hk-cyan) !important;
-  border-radius: 0 !important;
-  color: var(--hk-cyan) !important;
-  font-family: var(--hk-font) !important;
-  text-transform: uppercase;
-  letter-spacing: 0.1em;
-  font-size: 0.85rem !important;
-  padding: 0.75rem 1rem;
-  display: block;
-  width: 100%;
-  text-align: center;
-  text-decoration: none;
-  transition: all 0.2s;
-  margin-top: 1rem;
-}
-
-#authenticateWebAuthnButton::before {
-  content: '\f084  ';
-  font-family: 'Font Awesome 6 Free', 'FontAwesome';
-  font-weight: 900;
-}
-
-#authenticateWebAuthnButton:hover {
-  background: rgba(0, 229, 255, 0.1) !important;
-  box-shadow: 0 0 15px rgba(0, 229, 255, 0.3), inset 0 0 10px rgba(0, 229, 255, 0.1) !important;
-  color: #fff !important;
-  text-shadow: 0 0 5px var(--hk-cyan);
-}
-
-/* -- Show password button ------------------------------------------------ */
-.pf-v5-c-button.pf-m-control {
-  background: var(--hk-input-bg) !important;
-  border: 1px solid var(--hk-border) !important;
-  border-left: none !important;
-  border-radius: 0 !important;
-  color: var(--hk-text-dim) !important;
-}
-
-.pf-v5-c-button.pf-m-control:hover {
-  color: var(--hk-green) !important;
-}
-
-/* -- Social providers (Google, etc) -------------------------------------- */
-.pf-v5-c-login__main-footer {
-  border-top: 1px solid var(--hk-border) !important;
-}
-
-.kc-social-section .pf-v5-c-button.pf-m-secondary {
-  border-color: var(--hk-text-dim) !important;
-  color: var(--hk-text) !important;
-}
-
-.kc-social-section .pf-v5-c-button.pf-m-secondary:hover {
-  border-color: var(--hk-green) !important;
-  color: var(--hk-green) !important;
-  box-shadow: 0 0 10px var(--hk-green-glow) !important;
-}
-
-/* -- Try another way link ------------------------------------------------ */
-#try-another-way {
-  color: var(--hk-cyan) !important;
-  text-decoration: none !important;
-  font-family: var(--hk-font) !important;
-}
-
-#try-another-way:hover {
-  text-shadow: 0 0 8px rgba(0, 229, 255, 0.5);
-}
-
-/* -- Links --------------------------------------------------------------- */
-a {
-  color: var(--hk-cyan) !important;
-  text-decoration: none;
-  transition: text-shadow 0.2s;
-}
-
-a:hover {
-  text-shadow: 0 0 6px rgba(0, 229, 255, 0.4);
-}
-
-/* -- Alerts / messages --------------------------------------------------- */
-.pf-v5-c-alert {
-  background: rgba(0, 255, 65, 0.05) !important;
-  border: 1px solid var(--hk-border) !important;
-  border-radius: 0 !important;
-  font-family: var(--hk-font) !important;
-}
-
-.pf-v5-c-alert.pf-m-danger {
-  border-color: var(--hk-red) !important;
-  background: rgba(255, 51, 51, 0.05) !important;
-}
-
-.pf-v5-c-alert__title {
-  color: var(--hk-text) !important;
-  font-family: var(--hk-font) !important;
-}
-
-/* -- Checkbox (Remember me) ---------------------------------------------- */
-.pf-v5-c-check__label {
-  color: var(--hk-text-dim) !important;
-  font-family: var(--hk-font) !important;
-  font-size: 0.8rem !important;
-}
-
-/* -- Helper text (Forgot password, etc.) --------------------------------- */
-.pf-v5-c-helper-text .pf-v5-c-button.pf-m-link {
-  color: var(--hk-cyan) !important;
-  font-family: var(--hk-font) !important;
-  font-size: 0.8rem !important;
-}
-
-/* -- Select auth list (Try another way options) -------------------------- */
-.select-auth-container {
-  background: var(--hk-panel) !important;
-  font-family: var(--hk-font) !important;
-}
-
-.pf-v5-c-data-list__item {
-  border-color: var(--hk-border) !important;
-  background: transparent !important;
-}
-
-.pf-v5-c-data-list__item:hover {
-  background: var(--hk-green-glow) !important;
-}
-
-.select-auth-box-headline {
-  color: var(--hk-green) !important;
-}
-
-.select-auth-box-desc {
-  color: var(--hk-text-dim) !important;
-}
-
-/* -- Footer -------------------------------------------------------------- */
-.pf-v5-c-login__main-footer-band {
-  background: transparent !important;
-  border-top: 1px solid var(--hk-border) !important;
-}
-
-/* -- Language selector --------------------------------------------------- */
-select#login-select-toggle {
-  background: var(--hk-input-bg) !important;
-  color: var(--hk-green) !important;
-  border-color: var(--hk-border) !important;
-  font-family: var(--hk-font) !important;
-}
-
-/* -- Blinking cursor animation for header -------------------------------- */
-@keyframes blink {
-  0%, 100% { opacity: 1; }
-  50% { opacity: 0; }
-}
-
-#kc-header-wrapper::after {
-  content: '_';
-  animation: blink 1s step-end infinite;
-  color: var(--hk-green);
-}
-
-/* -- Subtle CRT flicker ------------------------------------------------- */
-@keyframes flicker {
-  0% { opacity: 0.97; }
-  5% { opacity: 0.95; }
-  10% { opacity: 0.98; }
-  15% { opacity: 0.96; }
-  20% { opacity: 0.99; }
-  100% { opacity: 0.98; }
-}
-
-.pf-v5-c-login__main {
-  animation: flicker 4s infinite;
-}
@@ -1,4 +0,0 @@
-parent=keycloak.v2
-import=common/keycloak
-
-styles=css/hacker.css
@@ -1,80 +0,0 @@
-replicas: 1
-
-image:
-  repository: quay.io/keycloak/keycloak
-  tag: "26.5.6"
-
-command:
-  - "/opt/keycloak/bin/kc.sh"
-  - "start"
-  - "--http-port=8080"
-  - "--hostname-strict=false"
-  - "--proxy-headers=xforwarded"
-
-extraEnvFrom: |
-  - secretRef:
-      name: keycloak-creds
-
-extraEnv: |
-  - name: KC_HOSTNAME
-    value: auth.hexor.cy
-  - name: JAVA_OPTS_APPEND
-    value: "-Djgroups.dns.query=keycloak-headless.keycloak.svc"
-
-extraVolumes: |
-  - name: hacker-theme
-    configMap:
-      name: keycloak-hacker-theme
-
-extraVolumeMounts: |
-  - name: hacker-theme
-    mountPath: /opt/keycloak/themes/hacker/login/theme.properties
-    subPath: theme.properties
-  - name: hacker-theme
-    mountPath: /opt/keycloak/themes/hacker/login/css/hacker.css
-    subPath: hacker.css
-
-dbchecker:
-  enabled: true
-
-database:
-  vendor: postgres
-  hostname: psql.psql.svc
-  port: 5432
-  database: keycloak
-  existingSecret: keycloak-creds
-  existingSecretKey: KC_DB_PASSWORD
-
-service:
-  type: ClusterIP
-
-ingress:
-  enabled: true
-  ingressClassName: traefik
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
-  rules:
-    - host: auth.hexor.cy
-      paths:
-        - path: /
-          pathType: Prefix
-  tls:
-    - secretName: keycloak-tls
-      hosts:
-        - auth.hexor.cy
-
-resources:
-  requests:
-    cpu: 200m
-    memory: 512Mi
-  limits:
-    cpu: "1"
-    memory: 1Gi
-
-nodeSelector:
-  kubernetes.io/hostname: master.tail2fe2d.ts.net
-
-tolerations:
-  - key: node-role.kubernetes.io/master
-    effect: NoSchedule
@@ -1,10 +0,0 @@
---
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: https-redirect
-  namespace: kube-system
-spec:
-  redirectScheme:
-    scheme: https
-    permanent: true
@@ -5,8 +5,6 @@ resources:
  - app.yaml
  - nfs-storage.yaml
  - coredns-internal-resolve.yaml
-  - https-middleware.yaml
-  - node-external-ip-labeler.yaml

 helmCharts:
  - name: csi-driver-nfs
@@ -16,3 +14,4 @@ helmCharts:
    namespace: kube-system
    #valuesFile: values.yaml
    includeCRDs: true
+
@@ -1,173 +0,0 @@
---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: node-external-ip-labeler
-  namespace: kube-system
-  labels:
-    app: node-external-ip-labeler
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: node-external-ip-labeler
-  labels:
-    app: node-external-ip-labeler
-rules:
-  - apiGroups: [""]
-    resources: ["nodes"]
-    verbs: ["get", "list", "patch", "update"]
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: node-external-ip-labeler
-  labels:
-    app: node-external-ip-labeler
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: node-external-ip-labeler
-subjects:
-  - kind: ServiceAccount
-    name: node-external-ip-labeler
-    namespace: kube-system
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: node-external-ip-labeler
-  namespace: kube-system
-  labels:
-    app: node-external-ip-labeler
-rules:
-  - apiGroups: ["batch"]
-    resources: ["jobs"]
-    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: node-external-ip-labeler
-  namespace: kube-system
-  labels:
-    app: node-external-ip-labeler
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: node-external-ip-labeler
-subjects:
-  - kind: ServiceAccount
-    name: node-external-ip-labeler
-    namespace: kube-system
---
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-  name: node-external-ip-labeler
-  namespace: kube-system
-  labels:
-    app: node-external-ip-labeler
-spec:
-  schedule: "17 3 * * *"
-  concurrencyPolicy: Forbid
-  successfulJobsHistoryLimit: 3
-  failedJobsHistoryLimit: 3
-  jobTemplate:
-    spec:
-      backoffLimit: 1
-      template:
-        metadata:
-          labels:
-            app: node-external-ip-labeler
-        spec:
-          serviceAccountName: node-external-ip-labeler
-          restartPolicy: Never
-          tolerations:
-            - operator: Exists
-          containers:
-            - name: fanout
-              image: bitnami/kubectl:latest
-              imagePullPolicy: IfNotPresent
-              command:
-                - /bin/bash
-                - -lc
-              args:
-                - |
-                  set -euo pipefail
-
-                  clean_name() {
-                    echo "$1" \
-                      | tr '[:upper:]' '[:lower:]' \
-                      | tr -c 'a-z0-9-' '-' \
-                      | sed 's/^-*//;s/-*$//' \
-                      | cut -c1-45
-                  }
-
-                  for NODE_NAME in $(kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}'); do
-                    NODE_CLEAN="$(clean_name "${NODE_NAME}")"
-                    JOB_NAME="node-external-ip-${NODE_CLEAN}"
-
-                    kubectl delete job "${JOB_NAME}" -n kube-system --ignore-not-found=true --wait=true --timeout=60s
-
-                    cat <<EOF | kubectl apply -f -
-                  apiVersion: batch/v1
-                  kind: Job
-                  metadata:
-                    name: ${JOB_NAME}
-                    namespace: kube-system
-                    labels:
-                      app: node-external-ip-labeler
-                      target-node: "${NODE_CLEAN}"
-                  spec:
-                    ttlSecondsAfterFinished: 86400
-                    backoffLimit: 2
-                    template:
-                      metadata:
-                        labels:
-                          app: node-external-ip-labeler
-                          target-node: "${NODE_CLEAN}"
-                      spec:
-                        serviceAccountName: node-external-ip-labeler
-                        nodeName: "${NODE_NAME}"
-                        hostNetwork: true
-                        dnsPolicy: ClusterFirstWithHostNet
-                        restartPolicy: Never
-                        tolerations:
-                          - operator: Exists
-                        containers:
-                          - name: label-node
-                            image: bitnami/kubectl:latest
-                            imagePullPolicy: IfNotPresent
-                            env:
-                              - name: NODE_NAME
-                                value: "${NODE_NAME}"
-                            command:
-                              - /bin/bash
-                              - -lc
-                            args:
-                              - |
-                                set -euo pipefail
-
-                                json_ip() {
-                                  sed -n 's/.*"ip"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
-                                }
-
-                                IPV4="\$(curl -fsS --connect-timeout 10 --max-time 30 'https://api.ipify.org?format=json' | json_ip)"
-                                IP64="\$(curl -fsS --connect-timeout 10 --max-time 30 'https://api64.ipify.org?format=json' | json_ip || true)"
-
-                                if [ -z "\${IPV4}" ]; then
-                                  echo "Unable to detect external IPv4 for node ${NODE_NAME}"
-                                  exit 1
-                                fi
-
-                                kubectl label node "${NODE_NAME}" external-ipv4="\${IPV4}" --overwrite
-                                kubectl annotate node "${NODE_NAME}" homelab.hexor.cy/external-ipv4="\${IPV4}" --overwrite
-
-                                if echo "\${IP64}" | grep -q ':'; then
-                                  kubectl annotate node "${NODE_NAME}" homelab.hexor.cy/external-ipv6="\${IP64}" --overwrite
-                                elif [ -n "\${IP64}" ]; then
-                                  kubectl annotate node "${NODE_NAME}" homelab.hexor.cy/external-ipv4-api64="\${IP64}" --overwrite
-                                fi
-                  EOF
-                  done
--- a/Show More
+++ b/Show More