Auto-update README with current k8s applications

Generated by CI/CD workflow on 2026-05-05 18:13:54

This PR updates the README.md file with the current list of applications found in the k8s/ directory structure.

.gitea/workflows/authentik-apps.yaml

@@ -13,7 +13,6 @@ permissions:
 jobs:
   terraform:
     name: 'Terraform'
-    if: false
     runs-on: ubuntu-latest
     environment: production
 

README.md

@@ -13,10 +13,13 @@ ArgoCD homelab project
 | Application | Status |
 | :--- | :---: |
 | **argocd** | [![argocd](https://ag.hexor.cy/api/badge?name=argocd&revision=true)](https://ag.hexor.cy/applications/argocd/argocd) |
+| **auth-proxy** | [![auth-proxy](https://ag.hexor.cy/api/badge?name=auth-proxy&revision=true)](https://ag.hexor.cy/applications/argocd/auth-proxy) |
 | **authentik** | [![authentik](https://ag.hexor.cy/api/badge?name=authentik&revision=true)](https://ag.hexor.cy/applications/argocd/authentik) |
 | **cert-manager** | [![cert-manager](https://ag.hexor.cy/api/badge?name=cert-manager&revision=true)](https://ag.hexor.cy/applications/argocd/cert-manager) |
 | **external-secrets** | [![external-secrets](https://ag.hexor.cy/api/badge?name=external-secrets&revision=true)](https://ag.hexor.cy/applications/argocd/external-secrets) |
 | **gpu** | [![gpu](https://ag.hexor.cy/api/badge?name=gpu&revision=true)](https://ag.hexor.cy/applications/argocd/gpu) |
+| **kanidm** | [![kanidm](https://ag.hexor.cy/api/badge?name=kanidm&revision=true)](https://ag.hexor.cy/applications/argocd/kanidm) |
+| **keycloak** | [![keycloak](https://ag.hexor.cy/api/badge?name=keycloak&revision=true)](https://ag.hexor.cy/applications/argocd/keycloak) |
 | **kube-system-custom** | [![kube-system-custom](https://ag.hexor.cy/api/badge?name=kube-system-custom&revision=true)](https://ag.hexor.cy/applications/argocd/kube-system-custom) |
 | **kubernetes-dashboard** | [![kubernetes-dashboard](https://ag.hexor.cy/api/badge?name=kubernetes-dashboard&revision=true)](https://ag.hexor.cy/applications/argocd/kubernetes-dashboard) |
 | **longhorn** | [![longhorn](https://ag.hexor.cy/api/badge?name=longhorn&revision=true)](https://ag.hexor.cy/applications/argocd/longhorn) |
@@ -62,9 +65,12 @@ ArgoCD homelab project
 | **sonarr-stack** | [![sonarr-stack](https://ag.hexor.cy/api/badge?name=sonarr-stack&revision=true)](https://ag.hexor.cy/applications/argocd/sonarr-stack) |
 | **stirling-pdf** | [![stirling-pdf](https://ag.hexor.cy/api/badge?name=stirling-pdf&revision=true)](https://ag.hexor.cy/applications/argocd/stirling-pdf) |
 | **syncthing** | [![syncthing](https://ag.hexor.cy/api/badge?name=syncthing&revision=true)](https://ag.hexor.cy/applications/argocd/syncthing) |
+| **teamspeak** | [![teamspeak](https://ag.hexor.cy/api/badge?name=teamspeak&revision=true)](https://ag.hexor.cy/applications/argocd/teamspeak) |
 | **tg-bots** | [![tg-bots](https://ag.hexor.cy/api/badge?name=tg-bots&revision=true)](https://ag.hexor.cy/applications/argocd/tg-bots) |
 | **vaultwarden** | [![vaultwarden](https://ag.hexor.cy/api/badge?name=vaultwarden&revision=true)](https://ag.hexor.cy/applications/argocd/vaultwarden) |
 | **vpn** | [![vpn](https://ag.hexor.cy/api/badge?name=vpn&revision=true)](https://ag.hexor.cy/applications/argocd/vpn) |
+| **web-petting** | [![web-petting](https://ag.hexor.cy/api/badge?name=web-petting&revision=true)](https://ag.hexor.cy/applications/argocd/web-petting) |
+| **wedding** | [![wedding](https://ag.hexor.cy/api/badge?name=wedding&revision=true)](https://ag.hexor.cy/applications/argocd/wedding) |
 | **xandikos** | [![xandikos](https://ag.hexor.cy/api/badge?name=xandikos&revision=true)](https://ag.hexor.cy/applications/argocd/xandikos) |
 
 </td>

k8s/apps/web-petting/deployment.yaml

@@ -22,7 +22,7 @@ spec:
             claimName: web-petting-data
       containers:
       - name: web-petting
-        image: ultradesu/web-petting:v0.1.6
+        image: ultradesu/web-petting:0.1.0
         imagePullPolicy: Always
         args:
 #         - "tail"

k8s/apps/web-petting/ingress.yaml

@@ -20,21 +20,8 @@ spec:
                 name: web-petting
                 port:
                   number: 80
-    - host: xn--l1acako8eb.xn--p1ai
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: web-petting
-                port:
-                  number: 80
   tls:
     - secretName: web-petting-tls
       hosts:
         - pet.hexor.cy
-    - secretName: web-petting-murnyanya-tls
-      hosts:
-        - xn--l1acako8eb.xn--p1ai
 

k8s/core/argocd/values.yaml

@@ -23,22 +23,14 @@ configs:
     admin.enabled: false
     statusbadge.enabled: true
     timeout.reconciliation: 60s
-    dex.config: |
-      connectors:
-      - type: oidc
-        id: keycloak
-        name: Keycloak
-        config:
-          issuer: https://auth.hexor.cy/auth/realms/hexor
-          clientID: $oidc-creds:id
-          clientSecret: $oidc-creds:secret
-          insecureEnableGroups: true
-          scopes:
-            - openid
-            - profile
-            - email
-            - offline_access
-          getUserInfo: true
+    oidc.config: |
+      name: Keycloak
+      issuer: https://auth.hexor.cy/auth/realms/hexor
+      clientID: $oidc-creds:id
+      clientSecret: $oidc-creds:secret
+      requestedScopes: ["openid", "profile", "email", "offline_access"]
+      requestedIDTokenClaims: {"groups": {"essential": true}}
+      refreshTokenThreshold: 2m
   rbac:
     create: true
     policy.default: ""
@@ -72,7 +64,7 @@ dex:
   replicas: 1
   nodeSelector:
     <<: *nodeSelector
-  enabled: true
+  enabled: false
 
 # Standard Redis disabled because Redis HA is enabled
 redis:

k8s/core/cert-manager/issuer.yaml

@@ -35,6 +35,4 @@ spec:
           dnsZones:
             - "*.hexor.cy"
             - "hexor.cy"
-            - "*.xn--l1acako8eb.xn--p1ai"
-            - "xn--l1acako8eb.xn--p1ai"
 

k8s/core/prom-stack/prom-values.yaml

@@ -109,26 +109,17 @@ grafana:
   grafana.ini:
     auth:
       signout_redirect_url: https://auth.hexor.cy/auth/realms/hexor/protocol/openid-connect/logout?post_logout_redirect_uri=https%3A%2F%2Fgf.hexor.cy%2Flogin&client_id=Grafana
-      oauth_allow_insecure_email_lookup: true
     auth.generic_oauth:
       name: Keycloak
       enabled: true
       scopes: "openid profile email"
-      allow_sign_up: true
       auth_url: https://auth.hexor.cy/auth/realms/hexor/protocol/openid-connect/auth
       token_url: https://auth.hexor.cy/auth/realms/hexor/protocol/openid-connect/token
       api_url: https://auth.hexor.cy/auth/realms/hexor/protocol/openid-connect/userinfo
-      email_attribute_path: email
-      login_attribute_path: preferred_username
-      name_attribute_path: name
+      #         #contains(groups, 'Grafana Editors') && 'Editor' ||
       role_attribute_path: >-
-        contains(groups[*], 'hexor-admin') && 'Admin' ||
-        contains(groups[*], 'hexor-guest') && 'Viewer' ||
-        'Viewer'
-      role_attribute_strict: false
-    log:
-      level: debug
-      filters: "oauth.generic_oauth:debug"
+        contains(groups, 'hexor-admin') && 'Admin' ||
+        contains(groups, 'hexor-guest') && 'Viewer'
     database:
       type: postgres
       host: psql.psql.svc:5432

terraform/authentik/proxy-apps.auto.tfvars

@@ -43,6 +43,23 @@ proxy_applications = {
     access_groups                = ["admins"]
   }
 
+  "kubernetes-secrets" = {
+    name                         = "kubernetes-secrets"
+    slug                         = "k8s-secret"
+    group                        = "Core"
+    external_host                = "https://pass.hexor.cy"
+    internal_host                = "http://secret-reader.k8s-secret.svc:80"
+    internal_host_ssl_validation = false
+    meta_description             = ""
+    skip_path_regex              = <<-EOT
+/webhook
+EOT
+    meta_icon                    = "https://img.icons8.com/ios-filled/50/password.png"
+    mode                         = "proxy"
+    outpost                      = "kubernetes-outpost"
+    create_group                 = true
+    access_groups                = ["admins"]
+  }
   "mtproxy-links" = {
     name                         = "mtproxy-links"
     slug                         = "mtproxy-links"

terraform/keycloak/main.tf

@@ -167,7 +167,9 @@ resource "keycloak_openid_client_optional_scopes" "oauth2_app" {
 }
 
 resource "keycloak_group" "oauth2_app" {
-  for_each = var.oauth2_applications
+  for_each = {
+    for k, v in var.oauth2_applications : k => v if length(v.allowed_groups) > 0
+  }
 
   realm_id = keycloak_realm.hexor.id
   name     = "app-${each.key}"