Auto-update README with current k8s applications

Generated by CI/CD workflow on 2026-05-05 18:06:25

This PR updates the README.md file with the current list of applications found in the k8s/ directory structure.

.gitea/workflows/authentik-apps.yaml

@@ -13,7 +13,6 @@ permissions:
 jobs:
   terraform:
     name: 'Terraform'
-    if: false
     runs-on: ubuntu-latest
     environment: production
 

README.md

@@ -13,10 +13,13 @@ ArgoCD homelab project
 | Application | Status |
 | :--- | :---: |
 | **argocd** | [![argocd](https://ag.hexor.cy/api/badge?name=argocd&revision=true)](https://ag.hexor.cy/applications/argocd/argocd) |
+| **auth-proxy** | [![auth-proxy](https://ag.hexor.cy/api/badge?name=auth-proxy&revision=true)](https://ag.hexor.cy/applications/argocd/auth-proxy) |
 | **authentik** | [![authentik](https://ag.hexor.cy/api/badge?name=authentik&revision=true)](https://ag.hexor.cy/applications/argocd/authentik) |
 | **cert-manager** | [![cert-manager](https://ag.hexor.cy/api/badge?name=cert-manager&revision=true)](https://ag.hexor.cy/applications/argocd/cert-manager) |
 | **external-secrets** | [![external-secrets](https://ag.hexor.cy/api/badge?name=external-secrets&revision=true)](https://ag.hexor.cy/applications/argocd/external-secrets) |
 | **gpu** | [![gpu](https://ag.hexor.cy/api/badge?name=gpu&revision=true)](https://ag.hexor.cy/applications/argocd/gpu) |
+| **kanidm** | [![kanidm](https://ag.hexor.cy/api/badge?name=kanidm&revision=true)](https://ag.hexor.cy/applications/argocd/kanidm) |
+| **keycloak** | [![keycloak](https://ag.hexor.cy/api/badge?name=keycloak&revision=true)](https://ag.hexor.cy/applications/argocd/keycloak) |
 | **kube-system-custom** | [![kube-system-custom](https://ag.hexor.cy/api/badge?name=kube-system-custom&revision=true)](https://ag.hexor.cy/applications/argocd/kube-system-custom) |
 | **kubernetes-dashboard** | [![kubernetes-dashboard](https://ag.hexor.cy/api/badge?name=kubernetes-dashboard&revision=true)](https://ag.hexor.cy/applications/argocd/kubernetes-dashboard) |
 | **longhorn** | [![longhorn](https://ag.hexor.cy/api/badge?name=longhorn&revision=true)](https://ag.hexor.cy/applications/argocd/longhorn) |
@@ -62,9 +65,12 @@ ArgoCD homelab project
 | **sonarr-stack** | [![sonarr-stack](https://ag.hexor.cy/api/badge?name=sonarr-stack&revision=true)](https://ag.hexor.cy/applications/argocd/sonarr-stack) |
 | **stirling-pdf** | [![stirling-pdf](https://ag.hexor.cy/api/badge?name=stirling-pdf&revision=true)](https://ag.hexor.cy/applications/argocd/stirling-pdf) |
 | **syncthing** | [![syncthing](https://ag.hexor.cy/api/badge?name=syncthing&revision=true)](https://ag.hexor.cy/applications/argocd/syncthing) |
+| **teamspeak** | [![teamspeak](https://ag.hexor.cy/api/badge?name=teamspeak&revision=true)](https://ag.hexor.cy/applications/argocd/teamspeak) |
 | **tg-bots** | [![tg-bots](https://ag.hexor.cy/api/badge?name=tg-bots&revision=true)](https://ag.hexor.cy/applications/argocd/tg-bots) |
 | **vaultwarden** | [![vaultwarden](https://ag.hexor.cy/api/badge?name=vaultwarden&revision=true)](https://ag.hexor.cy/applications/argocd/vaultwarden) |
 | **vpn** | [![vpn](https://ag.hexor.cy/api/badge?name=vpn&revision=true)](https://ag.hexor.cy/applications/argocd/vpn) |
+| **web-petting** | [![web-petting](https://ag.hexor.cy/api/badge?name=web-petting&revision=true)](https://ag.hexor.cy/applications/argocd/web-petting) |
+| **wedding** | [![wedding](https://ag.hexor.cy/api/badge?name=wedding&revision=true)](https://ag.hexor.cy/applications/argocd/wedding) |
 | **xandikos** | [![xandikos](https://ag.hexor.cy/api/badge?name=xandikos&revision=true)](https://ag.hexor.cy/applications/argocd/xandikos) |
 
 </td>

k8s/apps/web-petting/deployment.yaml

@@ -6,8 +6,6 @@ metadata:
     app: web-petting
 spec:
   replicas: 1
-  strategy:
-    type: Recreate
   selector:
     matchLabels:
       app: web-petting
@@ -24,7 +22,7 @@ spec:
             claimName: web-petting-data
       containers:
       - name: web-petting
-        image: ultradesu/web-petting:latest
+        image: ultradesu/web-petting:0.1.0
         imagePullPolicy: Always
         args:
 #         - "tail"

k8s/apps/web-petting/ingress.yaml

@@ -20,21 +20,8 @@ spec:
                 name: web-petting
                 port:
                   number: 80
-    - host: xn--l1acako8eb.xn--p1ai
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: web-petting
-                port:
-                  number: 80
   tls:
     - secretName: web-petting-tls
       hosts:
         - pet.hexor.cy
-    - secretName: web-petting-murnyanya-tls
-      hosts:
-        - xn--l1acako8eb.xn--p1ai
 

k8s/core/argocd/values.yaml

@@ -23,22 +23,14 @@ configs:
     admin.enabled: false
     statusbadge.enabled: true
     timeout.reconciliation: 60s
-    dex.config: |
+    oidc.config: |
-      connectors:
-      - type: oidc
-        id: keycloak
       name: Keycloak
-        config:
       issuer: https://auth.hexor.cy/auth/realms/hexor
       clientID: $oidc-creds:id
       clientSecret: $oidc-creds:secret
-          insecureEnableGroups: true
+      requestedScopes: ["openid", "profile", "email", "offline_access"]
-          scopes:
+      requestedIDTokenClaims: {"groups": {"essential": true}}
-            - openid
+      refreshTokenThreshold: 2m
-            - profile
-            - email
-            - offline_access
-          getUserInfo: true
   rbac:
     create: true
     policy.default: ""
@@ -72,7 +64,7 @@ dex:
   replicas: 1
   nodeSelector:
     <<: *nodeSelector
-  enabled: true
+  enabled: false
 
 # Standard Redis disabled because Redis HA is enabled
 redis:

k8s/core/cert-manager/issuer.yaml

@@ -35,6 +35,4 @@ spec:
           dnsZones:
             - "*.hexor.cy"
             - "hexor.cy"
-            - "*.xn--l1acako8eb.xn--p1ai"
-            - "xn--l1acako8eb.xn--p1ai"
 

k8s/core/prom-stack/prom-values.yaml

@@ -1,4 +1,5 @@
 
+
 alertmanager:
   config:
     global:
@@ -108,27 +109,18 @@ grafana:
 
   grafana.ini:
     auth:
-      signout_redirect_url: https://auth.hexor.cy/auth/realms/hexor/protocol/openid-connect/logout?post_logout_redirect_uri=https%3A%2F%2Fgf.hexor.cy%2Flogin&client_id=Grafana
+      signout_redirect_url: https://idm.hexor.cy/application/o/grafana/end-session/
-      oauth_allow_insecure_email_lookup: true
     auth.generic_oauth:
-      name: Keycloak
+      name: authentik
       enabled: true
       scopes: "openid profile email"
-      allow_sign_up: true
+      auth_url: https://idm.hexor.cy/application/o/authorize/
-      auth_url: https://auth.hexor.cy/auth/realms/hexor/protocol/openid-connect/auth
+      token_url: https://idm.hexor.cy/application/o/token/
-      token_url: https://auth.hexor.cy/auth/realms/hexor/protocol/openid-connect/token
+      api_url: https://idm.hexor.cy/application/o/userinfo/
-      api_url: https://auth.hexor.cy/auth/realms/hexor/protocol/openid-connect/userinfo
-      email_attribute_path: email
-      login_attribute_path: preferred_username
-      name_attribute_path: name
       role_attribute_path: >-
-        contains(groups[*], 'hexor-admin') && 'Admin' ||
+        contains(groups, 'Grafana Admin') && 'Admin' ||
-        contains(groups[*], 'hexor-guest') && 'Viewer' ||
+        contains(groups, 'Grafana Editors') && 'Editor' ||
-        'Viewer'
+        contains(groups, 'Grafana Viewer') && 'Viewer'
-      role_attribute_strict: false
-    log:
-      level: debug
-      filters: "oauth.generic_oauth:debug"
     database:
       type: postgres
       host: psql.psql.svc:5432

terraform/authentik/proxy-apps.auto.tfvars

@@ -43,6 +43,23 @@ proxy_applications = {
     access_groups                = ["admins"]
   }
 
+  "kubernetes-secrets" = {
+    name                         = "kubernetes-secrets"
+    slug                         = "k8s-secret"
+    group                        = "Core"
+    external_host                = "https://pass.hexor.cy"
+    internal_host                = "http://secret-reader.k8s-secret.svc:80"
+    internal_host_ssl_validation = false
+    meta_description             = ""
+    skip_path_regex              = <<-EOT
+/webhook
+EOT
+    meta_icon                    = "https://img.icons8.com/ios-filled/50/password.png"
+    mode                         = "proxy"
+    outpost                      = "kubernetes-outpost"
+    create_group                 = true
+    access_groups                = ["admins"]
+  }
   "mtproxy-links" = {
     name                         = "mtproxy-links"
     slug                         = "mtproxy-links"

terraform/keycloak/main.tf

@@ -167,7 +167,9 @@ resource "keycloak_openid_client_optional_scopes" "oauth2_app" {
 }
 
 resource "keycloak_group" "oauth2_app" {
-  for_each = var.oauth2_applications
+  for_each = {
+    for k, v in var.oauth2_applications : k => v if length(v.allowed_groups) > 0
+  }
 
   realm_id = keycloak_realm.hexor.id
   name     = "app-${each.key}"