more apps

app-of-apps/authentik.yaml

@@ -0,0 +1,16 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: authentik
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: authentik
+    server: https://kubernetes.default.svc
+  project: default
+  source:
+    path: authentik
+    repoURL: http://gitea.gitea.svc.k8s.undercloud.local:3000/Undercloud/k8s-apps.git
+    targetRevision: HEAD

app-of-apps/checkmk.yaml

@@ -0,0 +1,16 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: ckeckmk
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: ckeckmk
+    server: https://kubernetes.default.svc
+  project: default
+  source:
+    path: ckeckmk
+    repoURL: http://gitea.gitea.svc.k8s.undercloud.local:3000/Undercloud/k8s-apps.git
+    targetRevision: HEAD

app-of-apps/openbao.yaml

@@ -0,0 +1,16 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: openbao
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: openbao
+    server: https://kubernetes.default.svc
+  project: default
+  source:
+    path: openbao
+    repoURL: http://gitea.gitea.svc.k8s.undercloud.local:3000/Undercloud/k8s-apps.git
+    targetRevision: HEAD

app-of-apps/uptime-kuma.yaml

@@ -0,0 +1,16 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: uptime-kuma
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: uptime-kuma
+    server: https://kubernetes.default.svc
+  project: default
+  source:
+    path: uptime-kuma
+    repoURL: http://gitea.gitea.svc.k8s.undercloud.local:3000/Undercloud/k8s-apps.git
+    targetRevision: HEAD

authentik/README.md

@@ -0,0 +1,39 @@
+# 🔐 authentik
+
+## Description
+authentik is a **modern identity provider (IdP) and access management platform** that enables Single Sign-On (SSO), user management, and fine-grained access control for applications.  
+It supports OAuth2, OpenID Connect (OIDC), and SAML, and can integrate with existing directories like LDAP.
+
+authentik can also act as a **forward authentication gateway**, allowing protection of applications even if they do not natively support authentication.
+
+## Why authentik (instead of Keycloak)
+authentik was chosen over Keycloak for the following reasons:
+
+- **Better suited for homelab / Kubernetes environments**
+- **Simpler and more intuitive configuration model** (flow-based authentication)
+- **Easier integration with ingress / reverse proxies** (forward auth)
+- Built-in **policy engine** and flexible access rules
+- Lighter operational overhead compared to Keycloak
+- More convenient for protecting apps that **do not support OIDC/SAML**
+
+Keycloak is a powerful enterprise IAM solution, but it introduces more complexity (realms, clients, roles) and is less flexible for reverse-proxy-based access control.
+
+## Website
+https://goauthentik.io
+
+## Kubernetes Notes
+- Requires **persistent storage** (database + media)
+- Typically deployed with:
+  - PostgreSQL (external or bundled)
+  - Redis (for caching / background tasks)
+- Multiple components:
+  - server (API + web UI)
+  - worker (background jobs)
+- Works best with **Ingress + forward auth integration**
+- Configure **outposts** for proxy-based authentication
+- Integrates with LDAP as a **user backend (optional)**
+- Use **OIDC for most applications** instead of LDAP
+- Enable **MFA (2FA)** for improved security
+- Important to configure:
+  - external URL correctly
+  - trusted proxies (when behind ingress)

checkmk/README.md

@@ -0,0 +1,18 @@
+# 📊 Checkmk
+
+## Description
+Checkmk is a **comprehensive infrastructure monitoring system** focused on servers, network devices, and hardware.  
+It provides agent-based monitoring, SNMP support, alerting, and detailed system insights.
+
+## Website
+https://checkmk.com
+
+## Kubernetes Notes
+- Runs as a **stateful monolithic application**
+- Requires **persistent volume** (`/omd/sites`)
+- Not horizontally scalable → use **1 replica only**
+- Prefer running **outside Kubernetes** (VM or dedicated host)
+- If deployed in K8s:
+  - Disable aggressive restarts (slow startup)
+  - Use **NodePort/Ingress** for web UI
+- Best suited for **external infrastructure monitoring**, not cluster internals

homer/configmaps.yaml

@@ -194,6 +194,12 @@ data:
             tag: "polly"
             keywords: "doodle polly termine appointments"
             url: "https://polly.apps.undercloud.dev"
+          - name: "Authentik"
+            logo: "assets/logos/doodle.png"
+            subtitle: "SSO"
+            tag: "authentik"
+            keywords: "auth sso authentik"
+            url: "https://auth.apps.undercloud.dev"
       
       - name: "Communication"
         icon: "fas fa-cloud"
@@ -244,6 +250,7 @@ data:
             tag: "netbox"
             keywords: "ip address"
             url: "https://netbox.apps.undercloud.dev"
+          
       - name: "Kubernetes"
         icon: "fas fa-cloud"
         items:
@@ -271,6 +278,12 @@ data:
             tag: "harbor"
             keywords: "harbor docker repository"
             url: "https://docker-repo.apps.undercloud.dev"
+          - name: "openbao"
+            logo: "assets/logos/netbox.png"
+            subtitle: "secret management"
+            tag: "openbao"
+            keywords: "secrets openbao"
+            url: "https://openbao.apps.undercloud.dev"
           
       - name: "Communication Backend"
         icon: "fas fa-cloud"
@@ -504,6 +517,18 @@ data:
           #  tag: "kibana"
           #  keywords: "kibana logging monitoring"
           #  url: "https://kibana.apps.undercloud.dev"
+          - name: "checkmk"
+            logo: "assets/logos/netbox.png"
+            subtitle: "IP Address Management"
+            tag: "checkmk"
+            keywords: "checkmk monitoring"
+            url: "https://checkmk.apps.undercloud.dev"
+          - name: "uptime-kuma"
+            logo: "assets/logos/netbox.png"
+            subtitle: "monitoring"
+            tag: "uptime-kuma"
+            keywords: "monitoring uptime kuma"
+            url: "https://uptime-kuma.apps.undercloud.dev"
       - name: "Test"
         icon: "fas fa-cloud"
         items:
@@ -530,25 +555,25 @@ data:
         items:
           - name: "Ceph"
             logo: "assets/logos/cockpit.png"
-            subtitle: "Ceph-hyper1"
-            tag: "hypervisor"
-            keywords: "hyper1 proxmox ceph"
-            url: "https://hyper1-ceph.apps.undercloud.dev"
-            #target: "_blank" # optional html a tag target attribute
-          - name: "Ceph"
-            logo: "assets/logos/cockpit.png"
-            subtitle: "Ceph-hyper2"
-            tag: "hypervisor"
-            keywords: "hyper2 proxmox ceph"
-            url: "https://hyper2-ceph.apps.undercloud.dev"
-            #target: "_blank" # optional html a tag target attribute
-          - name: "Ceph"
-            logo: "assets/logos/cockpit.png"
-            subtitle: "Ceph-hyper3"
-            tag: "hypervisor"
-            keywords: "hyper3 proxmox ceph"
-            url: "https://hyper3-ceph.apps.undercloud.dev"
+            subtitle: "Ceph-Dashboard"
+            tag: "ceph"
+            keywords: "storage proxmox ceph"
+            url: "https://ceph-dashboard.apps.undercloud.dev"
             #target: "_blank" # optional html a tag target attribute
+          #- name: "Ceph"
+          #  logo: "assets/logos/cockpit.png"
+          #  subtitle: "Ceph-hyper2"
+          #  tag: "hypervisor"
+          #  keywords: "hyper2 proxmox ceph"
+          #  url: "https://hyper2-ceph.apps.undercloud.dev"
+          #  #target: "_blank" # optional html a tag target attribute
+          #- name: "Ceph"
+          #  logo: "assets/logos/cockpit.png"
+          #  subtitle: "Ceph-hyper3"
+          #  tag: "hypervisor"
+          #  keywords: "hyper3 proxmox ceph"
+          #  url: "https://hyper3-ceph.apps.undercloud.dev"
+          #  #target: "_blank" # optional html a tag target attribute
       - name: "External Links"
         icon: "fas fa-cloud"
         items:

ingress-external-devices/ceph.yaml

@@ -0,0 +1,62 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: ceph-dashboard
+  namespace: ingress-external
+spec:
+  ports:
+    - name: https
+      port: 8443
+      targetPort: 8443
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: ceph-dashboard
+  namespace: ingress-external
+subsets:
+  - addresses:
+      - ip: fd00:0:0:2::61
+      - ip: fd00:0:0:2::62
+      - ip: fd00:0:0:2::63
+      # optional IPv4 too, but usually one family is enough:
+      # - ip: 10.0.2.61
+      # - ip: 10.0.2.62
+      # - ip: 10.0.2.63
+    ports:
+      - port: 8443
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: ceph-dashboard
+  namespace: ingress-external
+  annotations:
+    kubernetes.io/ingress.class: nginx
+    cert-manager.io/cluster-issuer: letsencrypt
+
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+
+    nginx.ingress.kubernetes.io/proxy-ssl-verify: "false"
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
+    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
+
+    nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout http_500 http_502 http_503 http_504"
+    nginx.ingress.kubernetes.io/proxy-next-upstream-tries: "3"
+spec:
+  tls:
+    - hosts:
+        - ceph-dashboard.apps.undercloud.dev
+      secretName: ceph-dashboard-tls
+  rules:
+    - host: ceph-dashboard.apps.undercloud.dev
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: ceph-dashboard
+                port:
+                  number: 8443

kaniko/README.md

@@ -1,2 +1,19 @@
-# Kaniko
-## Kaniko can be used to automate docker image creation
+# 🏗️ Kaniko
+
+## Description
+Kaniko is a **container image builder designed to run inside containers and Kubernetes**.  
+It allows building Docker images **without requiring a Docker daemon**, making it ideal for secure, cloud-native environments.
+
+Kaniko executes Dockerfile instructions in userspace and pushes the resulting image directly to a container registry.
+
+## Website
+https://github.com/GoogleContainerTools/kaniko
+
+## Kubernetes Notes
+- Does **not require privileged containers** (unlike Docker-in-Docker)
+- Typically runs as:
+  - Kubernetes Job
+  - CI/CD pipeline step (e.g. ArgoCD, GitLab CI)
+- Requires access to:
+  - build context (Git repo, PVC, or object storage)
+  - container registry (push credentials)

netbox/README.md

@@ -1,2 +1,56 @@
-# Netbox
-## Ip Address Management
+# 📦 NetBox
+
+## Description
+NetBox is a **network source of truth and IP address management (IPAM/DCIM) platform**.  
+It is used to model and document networks, including IP address space, VLANs, devices, racks, and connections.
+
+NetBox provides a clean web UI and API to manage infrastructure data and is often used as the **central inventory system** for network and infrastructure automation.
+
+## Website
+https://netbox.dev
+
+## Kubernetes Notes
+- Requires **persistent storage** for:
+  - database (PostgreSQL)
+  - media files (uploads, reports, scripts)
+- Requires:
+  - PostgreSQL database
+  - Redis (cache + background jobs)
+- Multiple components:
+  - web (Django app)
+  - worker (background jobs / rq)
+- Needs proper **initialization (migrations + superuser)**
+- Can be exposed via **Ingress with TLS**
+- Environment variables are critical for configuration
+- Use **readiness/liveness probes carefully** (startup can take time)
+- Not horizontally scalable without careful tuning
+
+---
+
+## 🔌 Custom Container with Plugins
+
+The official NetBox image does not include additional plugins by default.  
+To support required functionality, we **build a custom container image** with the desired plugins pre-installed.
+
+### Why
+- Ensure **reproducible deployments**
+- Avoid installing plugins at runtime
+- Keep NetBox instances **immutable and version-controlled**
+- Simplify upgrades and rollbacks
+
+### How it works
+We extend the official NetBox image and install plugins during build time.
+
+Example:
+
+```Dockerfile
+FROM ghcr.io/netbox-community/netbox:latest
+
+USER root
+
+# Install plugins
+RUN pip install \
+    netbox-topology-views \
+    netbox-plugin-dns
+
+USER netbox

openbao/README.md

@@ -0,0 +1,16 @@
+# 🔐 OpenBao
+
+## Description
+OpenBao is a **centralized secrets management system** designed to securely store, manage, and distribute sensitive data such as passwords, API keys, and certificates.  
+It provides dynamic secrets, encryption-as-a-service, and fine-grained access control.
+
+## Website
+https://openbao.org
+
+## Kubernetes Notes
+- Requires **persistent storage** (data loss = secrets loss)
+- Use **Kubernetes auth method** for pod access (service account tokens)
+- Seal/unseal mechanism must be handled (auto-unseal recommended for production)
+- Avoid storing root tokens in manifests → use external secret bootstrap
+- Typically deployed via **Helm chart**
+- Network policies recommended (restrict access to API)

uptime-kuma/README.md

@@ -0,0 +1,16 @@
+# ⏱️ Uptime Kuma
+
+## Description
+Uptime Kuma is a **self-hosted monitoring tool** for tracking service availability via HTTP, TCP, ping, and more.  
+It provides a clean UI, alerting, and optional public status pages.
+
+## Website
+https://uptimekuma.org
+
+## Kubernetes Notes
+- Lightweight and easy to containerize
+- Requires **persistent storage** for history and configuration
+- Single instance recommended (no clustering)
+- Works well behind **Ingress with TLS**
+- Can monitor both **internal cluster services and external endpoints**
+- Complements Prometheus/Grafana rather than replacing them