Auto-update README with current k8s applications

Generated by CI/CD workflow on 2026-05-04 15:58:39

This PR updates the README.md file with the current list of applications found in the k8s/ directory structure.

README.md

@@ -17,6 +17,7 @@ ArgoCD homelab project
 | **cert-manager** | [![cert-manager](https://ag.hexor.cy/api/badge?name=cert-manager&revision=true)](https://ag.hexor.cy/applications/argocd/cert-manager) |
 | **external-secrets** | [![external-secrets](https://ag.hexor.cy/api/badge?name=external-secrets&revision=true)](https://ag.hexor.cy/applications/argocd/external-secrets) |
 | **gpu** | [![gpu](https://ag.hexor.cy/api/badge?name=gpu&revision=true)](https://ag.hexor.cy/applications/argocd/gpu) |
+| **kanidm** | [![kanidm](https://ag.hexor.cy/api/badge?name=kanidm&revision=true)](https://ag.hexor.cy/applications/argocd/kanidm) |
 | **kube-system-custom** | [![kube-system-custom](https://ag.hexor.cy/api/badge?name=kube-system-custom&revision=true)](https://ag.hexor.cy/applications/argocd/kube-system-custom) |
 | **kubernetes-dashboard** | [![kubernetes-dashboard](https://ag.hexor.cy/api/badge?name=kubernetes-dashboard&revision=true)](https://ag.hexor.cy/applications/argocd/kubernetes-dashboard) |
 | **longhorn** | [![longhorn](https://ag.hexor.cy/api/badge?name=longhorn&revision=true)](https://ag.hexor.cy/applications/argocd/longhorn) |
@@ -62,9 +63,12 @@ ArgoCD homelab project
 | **sonarr-stack** | [![sonarr-stack](https://ag.hexor.cy/api/badge?name=sonarr-stack&revision=true)](https://ag.hexor.cy/applications/argocd/sonarr-stack) |
 | **stirling-pdf** | [![stirling-pdf](https://ag.hexor.cy/api/badge?name=stirling-pdf&revision=true)](https://ag.hexor.cy/applications/argocd/stirling-pdf) |
 | **syncthing** | [![syncthing](https://ag.hexor.cy/api/badge?name=syncthing&revision=true)](https://ag.hexor.cy/applications/argocd/syncthing) |
+| **teamspeak** | [![teamspeak](https://ag.hexor.cy/api/badge?name=teamspeak&revision=true)](https://ag.hexor.cy/applications/argocd/teamspeak) |
 | **tg-bots** | [![tg-bots](https://ag.hexor.cy/api/badge?name=tg-bots&revision=true)](https://ag.hexor.cy/applications/argocd/tg-bots) |
 | **vaultwarden** | [![vaultwarden](https://ag.hexor.cy/api/badge?name=vaultwarden&revision=true)](https://ag.hexor.cy/applications/argocd/vaultwarden) |
 | **vpn** | [![vpn](https://ag.hexor.cy/api/badge?name=vpn&revision=true)](https://ag.hexor.cy/applications/argocd/vpn) |
+| **web-petting** | [![web-petting](https://ag.hexor.cy/api/badge?name=web-petting&revision=true)](https://ag.hexor.cy/applications/argocd/web-petting) |
+| **wedding** | [![wedding](https://ag.hexor.cy/api/badge?name=wedding&revision=true)](https://ag.hexor.cy/applications/argocd/wedding) |
 | **xandikos** | [![xandikos](https://ag.hexor.cy/api/badge?name=xandikos&revision=true)](https://ag.hexor.cy/applications/argocd/xandikos) |
 
 </td>

k8s/apps/mtproxy/kustomization.yaml

@@ -12,5 +12,4 @@ resources:
   - ./telemt-servicemonitor.yaml
   - ./service.yaml
   - ./secret-reader.yaml
-  - ./secret-reader-ingress.yaml
 # - ./storage.yaml

k8s/apps/mtproxy/secret-reader-ingress.yaml

@@ -1,45 +0,0 @@
----
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: keycloak-auth
-spec:
-  forwardAuth:
-    address: http://oauth2-proxy.oauth2-proxy.svc:80
-    trustForwardHeader: true
-    authResponseHeaders:
-      - X-Auth-Request-User
-      - X-Auth-Request-Email
-      - X-Auth-Request-Groups
----
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: secret-reader
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`secret-reader.hexor.cy`)
-      kind: Rule
-      middlewares:
-        - name: keycloak-auth
-      services:
-        - name: secret-reader
-          port: 80
-  tls:
-    secretName: secret-reader-tls
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: secret-reader-tls
-spec:
-  secretName: secret-reader-tls
-  issuerRef:
-    name: letsencrypt
-    kind: ClusterIssuer
-  dnsNames:
-    - secret-reader.hexor.cy

k8s/core/kanidm/ingress.yaml

@@ -1,20 +1,25 @@
 ---
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
+apiVersion: networking.k8s.io/v1
+kind: Ingress
 metadata:
   name: kanidm
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt
+    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
+    traefik.ingress.kubernetes.io/service.serversscheme: https
 spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`auth.hexor.cy`)
-      kind: Rule
-      services:
-        - name: kanidm
-          port: 443
-          scheme: https
-          serversTransport: kanidm-transport
   tls:
+    - hosts:
+        - auth.hexor.cy
       secretName: kanidm-ingress-tls
+  rules:
+    - host: auth.hexor.cy
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: kanidm
+                port:
+                  number: 443

k8s/core/kanidm/kustomization.yaml

@@ -8,4 +8,3 @@ resources:
   - statefulset.yaml
   - service.yaml
   - ingress.yaml
-  - servers-transport.yaml

k8s/core/kanidm/servers-transport.yaml

@@ -1,7 +0,0 @@
----
-apiVersion: traefik.io/v1alpha1
-kind: ServersTransport
-metadata:
-  name: kanidm-transport
-spec:
-  insecureSkipVerify: true

k8s/core/kanidm/statefulset.yaml

@@ -16,10 +16,6 @@ spec:
       labels:
         app: kanidm
     spec:
-      securityContext:
-        runAsUser: 1000
-        runAsGroup: 1000
-        fsGroup: 1000
       containers:
         - name: kanidm
           image: kanidm/server:1.9.3

k8s/core/keycloak/app.yaml

@@ -1,21 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: keycloak
-  namespace: argocd
-spec:
-  project: core
-  destination:
-    namespace: keycloak
-    server: https://kubernetes.default.svc
-  source:
-    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
-    targetRevision: HEAD
-    path: k8s/core/keycloak
-  syncPolicy:
-    automated:
-      selfHeal: true
-      prune: true
-    syncOptions:
-      - CreateNamespace=true
-      - ServerSideApply=true

k8s/core/keycloak/external-secrets.yaml

@@ -1,41 +0,0 @@
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: keycloak-creds
-spec:
-  target:
-    name: keycloak-creds
-    deletionPolicy: Delete
-    template:
-      type: Opaque
-      data:
-        KC_DB_USERNAME: keycloak
-        KC_DB_PASSWORD: |-
-          {{ .db_password }}
-        KC_BOOTSTRAP_ADMIN_USERNAME: admin
-        KC_BOOTSTRAP_ADMIN_PASSWORD: |-
-          {{ .admin_password }}
-  data:
-    - secretKey: db_password
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        metadataPolicy: None
-        key: 2a9deb39-ef22-433e-a1be-df1555625e22
-        property: fields[18].value
-    - secretKey: admin_password
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        metadataPolicy: None
-        key: 9422b636-a91d-40e4-bf98-925b2a3f831d
-        property: login.password

k8s/core/keycloak/kustomization.yaml

@@ -1,14 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - app.yaml
-  - external-secrets.yaml
-
-helmCharts:
-  - name: keycloakx
-    repo: https://codecentric.github.io/helm-charts
-    version: 7.1.11
-    releaseName: keycloak
-    namespace: keycloak
-    valuesFile: values.yaml

k8s/core/keycloak/values.yaml

@@ -1,67 +0,0 @@
-replicas: 1
-
-image:
-  repository: quay.io/keycloak/keycloak
-  tag: "26.5.6"
-
-command:
-  - "/opt/keycloak/bin/kc.sh"
-  - "start"
-  - "--http-port=8080"
-  - "--hostname-strict=false"
-  - "--proxy-headers=xforwarded"
-
-extraEnvFrom: |
-  - secretRef:
-      name: keycloak-creds
-
-extraEnv: |
-  - name: KC_HOSTNAME
-    value: auth.hexor.cy
-  - name: JAVA_OPTS_APPEND
-    value: "-Djgroups.dns.query=keycloak-headless.keycloak.svc"
-
-dbchecker:
-  enabled: true
-
-database:
-  vendor: postgres
-  hostname: psql.psql.svc
-  port: 5432
-  database: keycloak
-  existingSecret: keycloak-creds
-  existingSecretKey: KC_DB_PASSWORD
-
-service:
-  type: ClusterIP
-
-ingress:
-  enabled: true
-  ingressClassName: traefik
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
-  rules:
-    - host: auth.hexor.cy
-      paths:
-        - path: /
-          pathType: Prefix
-  tls:
-    - secretName: keycloak-tls
-      hosts:
-        - auth.hexor.cy
-
-resources:
-  requests:
-    cpu: 200m
-    memory: 512Mi
-  limits:
-    cpu: "1"
-    memory: 1Gi
-
-nodeSelector:
-  kubernetes.io/hostname: master.tail2fe2d.ts.net
-
-tolerations:
-  - key: node-role.kubernetes.io/master
-    effect: NoSchedule

k8s/core/oauth2-proxy/app.yaml

@@ -1,21 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: oauth2-proxy
-  namespace: argocd
-spec:
-  project: core
-  destination:
-    namespace: oauth2-proxy
-    server: https://kubernetes.default.svc
-  source:
-    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
-    targetRevision: HEAD
-    path: k8s/core/oauth2-proxy
-  syncPolicy:
-    automated:
-      selfHeal: true
-      prune: true
-    syncOptions:
-      - CreateNamespace=true
-      - ServerSideApply=true

k8s/core/oauth2-proxy/external-secrets.yaml

@@ -1,40 +0,0 @@
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: oauth2-proxy-creds
-spec:
-  target:
-    name: oauth2-proxy-creds
-    deletionPolicy: Delete
-    template:
-      type: Opaque
-      data:
-        client-id: oauth2-proxy
-        client-secret: |-
-          {{ .client_secret }}
-        cookie-secret: |-
-          {{ .cookie_secret }}
-  data:
-    - secretKey: client_secret
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        metadataPolicy: None
-        key: e62e8c4d-d538-43b2-a682-9cdf2a5a1165
-        property: login.password
-    - secretKey: cookie_secret
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        metadataPolicy: None
-        key: e62e8c4d-d538-43b2-a682-9cdf2a5a1165
-        property: fields[0].value

k8s/core/oauth2-proxy/kustomization.yaml

@@ -1,14 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - app.yaml
-  - external-secrets.yaml
-
-helmCharts:
-  - name: oauth2-proxy
-    repo: https://oauth2-proxy.github.io/manifests
-    version: 10.4.3
-    releaseName: oauth2-proxy
-    namespace: oauth2-proxy
-    valuesFile: values.yaml

k8s/core/oauth2-proxy/middleware.yaml

@@ -1,3 +0,0 @@
-# Middleware is deployed per-namespace alongside each IngressRoute
-# because Traefik does not allow cross-namespace middleware references.
-# See k8s/apps/mtproxy/secret-reader-ingress.yaml for example.

k8s/core/oauth2-proxy/values.yaml

@@ -1,51 +0,0 @@
-replicaCount: 1
-
-config:
-  existingSecret: oauth2-proxy-creds
-  configFile: |-
-    provider = "keycloak-oidc"
-    provider_display_name = "Keycloak"
-    oidc_issuer_url = "https://auth.hexor.cy/auth/realms/hexor"
-    redirect_url = "https://oauth.hexor.cy/oauth2/callback"
-    email_domains = ["*"]
-    cookie_domains = [".hexor.cy"]
-    whitelist_domains = [".hexor.cy"]
-    cookie_secure = true
-    cookie_samesite = "lax"
-    upstreams = ["static://200"]
-    reverse_proxy = true
-    set_xauthrequest = true
-    set_authorization_header = true
-    pass_access_token = true
-    pass_authorization_header = true
-    skip_provider_button = true
-    code_challenge_method = "S256"
-    scope = "openid profile email"
-
-ingress:
-  enabled: true
-  className: traefik
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
-  hosts:
-    - oauth.hexor.cy
-  tls:
-    - secretName: oauth2-proxy-tls
-      hosts:
-        - oauth.hexor.cy
-
-resources:
-  requests:
-    cpu: 50m
-    memory: 64Mi
-  limits:
-    cpu: 200m
-    memory: 128Mi
-
-nodeSelector:
-  kubernetes.io/hostname: master.tail2fe2d.ts.net
-
-tolerations:
-  - key: node-role.kubernetes.io/master
-    effect: NoSchedule

k8s/core/postgresql/external-secrets.yaml

@@ -135,8 +135,6 @@ spec:
           {{ .furumi }}
         USER_furumi_dev: |-
           {{ .furumi_dev }}
-        USER_keycloak: |-
-          {{ .keycloak }}
   data:
     - secretKey: authentik
       sourceRef:
@@ -325,14 +323,4 @@ spec:
         metadataPolicy: None
         key: 2a9deb39-ef22-433e-a1be-df1555625e22
         property: fields[17].value
-    - secretKey: keycloak
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        metadataPolicy: None
-        key: 2a9deb39-ef22-433e-a1be-df1555625e22
-        property: fields[18].value
+