commit ef51fa9649b495c78bbd69b8b445a41f65b31579 Author: Martyn Ranyard Date: Sun Jun 29 07:54:14 2025 +0000 ingress, ssl, auth, nc (no persist) Signed-off-by: Martyn Ranyard
diff --git a/apps/cert-manager.yaml b/apps/cert-manager.yaml
new file mode 100644
index 0000000..1de82dd
--- /dev/null
+++ b/apps/cert-manager.yaml
@@ -0,0 +1,33 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: nextcloud
+ namespace: argocd
+spec:
+ destination:
+ namespace: nextcloud
+ server: https://kubernetes.default.svc
+ project: default
+ source:
+ chart: nextcloud
+ helm:
+ parameters:
+ - name: nextcloud.host
+ value: nc.martyn.berlin
+ - name: ingress.enabled
+ value: "true"
+ values: |-
+ ingress:
+ tls:
+ - hosts:
+ - nc.martyn.berlin
+ secretName: nc-tls
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt
+ className: nginx
+ repoURL: https://nextcloud.github.io/helm/
+ targetRevision: 6.6.10
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
diff --git a/apps/cluster-ingress.yaml b/apps/cluster-ingress.yaml
new file mode 100644
index 0000000..e24c0c8
--- /dev/null
+++ b/apps/cluster-ingress.yaml
@@ -0,0 +1,32 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: cluster-ingress
+ namespace: argocd
+operation:
+ initiatedBy:
+ automated: true
+ retry:
+ limit: 5
+ sync:
+ prune: true
+ revision: 4.12.3
+spec:
+ destination:
+ namespace: cluster-ingress
+ server: https://kubernetes.default.svc
+ project: default
+ source:
+ chart: ingress-nginx
+ helm:
+ parameters:
+ - name: controller.hostNetwork
+ value: "true"
+ - name: controller.service.type
+ value: "ClusterIP"
+ repoURL: https://kubernetes.github.io/ingress-nginx
+ targetRevision: 4.12.3
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
diff --git a/apps/dex.yaml b/apps/dex.yaml
new file mode 100644
index 0000000..f74f4c1
--- /dev/null
+++ b/apps/dex.yaml
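Review bot: apps/cert-manager.yaml does not define a cert-manager Application: it is byte-identical to apps/nextcloud.yaml later in this commit (both carry blob id 1de82dd and `name: nextcloud`), so the same Argo CD Application is declared twice while the real cert-manager Application lives in apps/letsencrypt.yaml. If an app-of-apps syncs this directory, two manifests for `nextcloud` in namespace `argocd` collide, and the file name misleads anyone looking for where cert-manager is installed. Either drop apps/cert-manager.yaml or move the contents of apps/letsencrypt.yaml into it so that file names match `metadata.name`.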
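Review bot: `controller.hostNetwork: "true"` puts the ingress controller in the node's network namespace, so it listens on ports 80/443 of every node interface and the pod is rejected by the Pod Security `baseline` profile, yet the reason for this choice (presumably no LoadBalancer on this cluster) is not recorded. Add a comment beside that parameter, e.g. `# hostNetwork: no LoadBalancer available; controller binds 80/443 on the node itself, so the cluster-ingress namespace must admit privileged pods`. The top-level `operation:` block with a hard-coded `revision: 4.12.3` is a one-shot sync request rather than desired state, duplicates `targetRevision`, and is unnecessary once `syncPolicy.automated` is set, so it is better left out of the committed manifest.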
@@ -0,0 +1,72 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: dex
+ namespace: argocd
+spec:
+ destination:
+ namespace: auth
+ server: https://kubernetes.default.svc
+ project: default
+ source:
+ chart: dex
+ helm:
+ values: |
+ # Configures the ingress for Dex
+ ingress:
+ enabled: true
+ className: nginx
+ hosts:
+ - host: "auth.martyn.berlin"
+ paths:
+ - path: /dex
+ pathType: Prefix
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt
+ tls:
+ - hosts:
+ - "auth.martyn.berlin"
+ secretName: dex-cert
+
+ # Configures the Dex instance
+ config:
+ issuer: https://auth.martyn.berlin/dex
+ storage:
+ type: kubernetes
+ config:
+ inCluster: true
+ web:
+ http: 0.0.0.0:8080
+ oauth2:
+ responseTypes: ["code", "token", "id_token"]
+
+ # Configures the Client configuration
+ staticClients:
+ - id: f7f67ba843f06f244857b01d96cbe7bc
+ secret: 2774dc53beb0570e5ea7bc342d2a8f4e47d2d16986ad542d4ce776505043238f
+ name: "Oauth2 Proxy Static Client"
+ redirectURIs:
+ - https://auth.martyn.berlin/oauth2/callback
+ - id: 8e01cf63a42c451a2254ea8c2f1dd7d2
+ secret: 451d158110098dc7029d5588cc5c452a9295d30cdc12132d431d4e0850cd6ade
+ name: "NextClouD"
+ redirectURIs:
+ - https://nc.martyn.berlin/apps/user_oidc/code
+
+ staticPasswords:
+ - email: "martyn@ranyard.info"
+ # bcrypt hash of the string "password": $(echo password | htpasswd -BinC 10 admin | cut -d: -f2)
+ hash: "$2y$10$RYKealLEcxXNnXdtLXw.eOTJPSgegzQd0SRYxSE/y7Iivt1ECeVgy"
+ username: "martyn"
+ userID: "fdcb225b-0a6f-4bec-b7c9-3d87dbf64ab8"
+
+ enablePasswordDB: true
+ # Allow password grants with local users
+ oauth2:
+ passwordConnector: local
+ repoURL: https://charts.dexidp.io
+ targetRevision: 0.23.0
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
diff --git a/apps/letsencrypt.yaml b/apps/letsencrypt.yaml
new file mode 100644
index 0000000..2ba5812
--- /dev/null
+++ b/apps/letsencrypt.yaml
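Review bot: The `staticPasswords` entry commits a bcrypt hash that its own comment identifies as the hash of the literal string "password", and both `staticClients[].secret` values are committed in clear text (the first is repeated verbatim in apps/oauth2proxy.yaml), so the identity provider gating Nextcloud and oauth2-proxy is protected by a known password and by secrets that remain in Git history after any rotation. Replace the hash with one of a strong password (the `htpasswd -BinC 10` recipe in the comment is fine for that) and move the client secrets out of the chart values; Dex's `staticClients[].secretEnv` reads a client secret from an environment variable that the pod can receive from a Kubernetes Secret. `oauth2.responseTypes: ["code", "token", "id_token"]` enables the implicit grant, which neither oauth2-proxy nor the Nextcloud `user_oidc` redirect below appears to need, so `responseTypes: ["code"]` is the safer setting unless another client relies on it. Indentation cannot be recovered from this collapsed hunk, but if the second `oauth2:` (with `passwordConnector: local`) sits at the same level under `config:` as the first, it is a duplicate key and most YAML parsers keep only the last one, silently dropping `responseTypes`.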
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: cert-manager
+ namespace: argocd
+spec:
+ destination:
+ namespace: cert-manager
+ server: https://kubernetes.default.svc
+ project: default
+ source:
+ chart: cert-manager
+ repoURL: https://charts.jetstack.io
+ targetRevision: v1.17.1
+ helm:
+ parameters:
+ - name: installCRDs
+ value: "true"
+ syncPolicy:
+ automated:
+ selfHeal: true
diff --git a/apps/nextcloud.yaml b/apps/nextcloud.yaml
new file mode 100644
index 0000000..1de82dd
--- /dev/null
+++ b/apps/nextcloud.yaml
@@ -0,0 +1,33 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: nextcloud
+ namespace: argocd
+spec:
+ destination:
+ namespace: nextcloud
+ server: https://kubernetes.default.svc
+ project: default
+ source:
+ chart: nextcloud
+ helm:
+ parameters:
+ - name: nextcloud.host
+ value: nc.martyn.berlin
+ - name: ingress.enabled
+ value: "true"
+ values: |-
+ ingress:
+ tls:
+ - hosts:
+ - nc.martyn.berlin
+ secretName: nc-tls
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt
+ className: nginx
+ repoURL: https://nextcloud.github.io/helm/
+ targetRevision: 6.6.10
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
diff --git a/apps/oauth2proxy.yaml b/apps/oauth2proxy.yaml
new file mode 100644
index 0000000..473b689
--- /dev/null
+++ b/apps/oauth2proxy.yaml
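Review bot: The Nextcloud admin account is left at the chart's defaults: only `nextcloud.host` and the ingress are set, so unless another values source overrides `nextcloud.username`/`nextcloud.password`, the instance published at `https://nc.martyn.berlin` comes up with the chart's documented default admin credentials behind a valid certificate. Point the chart at a pre-created Kubernetes Secret instead (the chart's `nextcloud.existingSecret` values exist for this) so that no password is committed or defaulted. The commit title says "(no persist)" and the hunk sets no persistence values; a comment such as `# persistence intentionally disabled: all data is lost on pod restart` in the values block would stop a reader from treating this Application as production-ready.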
@@ -0,0 +1,45 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: oauth2proxy
+ namespace: argocd
+spec:
+ destination:
+ namespace: auth
+ server: https://kubernetes.default.svc
+ project: default
+ source:
+ chart: oauth2-proxy
+ helm:
+ parameters:
+ - name: config.clientID
+ value: f7f67ba843f06f244857b01d96cbe7bc
+ - name: config.clientSecret
+ value: 2774dc53beb0570e5ea7bc342d2a8f4e47d2d16986ad542d4ce776505043238f
+ - name: config.cookieSecret
+ value: iRNHJrMvm3Lv3UUe3j0ZBWTic3y5XuZQ-mdLVAdmNV4=
+ values: |-
+ ingress:
+ enabled: true
+ className: nginx
+ path: /oauth2
+ pathType: Prefix
+ hosts:
+ - auth.martyn.berlin
+ tls:
+ - hosts:
+ - auth.martyn.berlin
+ secretName: dex-cert
+ extraArgs:
+ - --provider=oidc
+ - --oidc-issuer-url=https://auth.martyn.berlin/dex
+ - "--scope=openid profile email"
+ - "--email-domain=*"
+ - "--upstream=static://200"
+ - "--http-address=0.0.0.0:4180"
+ repoURL: https://oauth2-proxy.github.io/manifests
+ targetRevision: 7.12.18
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
diff --git a/manifests/clusterissuer.yaml b/manifests/clusterissuer.yaml
new file mode 100644
index 0000000..41ff137
--- /dev/null
+++ b/manifests/clusterissuer.yaml
@@ -0,0 +1,15 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt
+spec:
+ acme:
+ email: m@rtyn.berlin
+ preferredChain: ""
+ privateKeySecretRef:
+ name: cluster-issuer-account-key
+ server: https://acme-v02.api.letsencrypt.org/directory
+ solvers:
+ - http01:
+ ingress:
+ class: nginx
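Review bot: `config.cookieSecret` — the key that signs and encrypts every session cookie oauth2-proxy issues — is passed as a plain Helm parameter alongside `config.clientSecret`, so both are committed in clear text and survive in Git history after any rotation, and the client secret must be changed in lock-step with apps/dex.yaml. The chart's `config.existingSecret` reads these values from a pre-created Kubernetes Secret; use that (or a secrets operator) and keep only the non-sensitive `config.clientID` in this file. `--email-domain=*` admits every identity Dex issues, which is acceptable while Dex has a single static user but becomes an open door the moment a federated connector is added, so a comment such as `# "*" is acceptable only while Dex has one static user; restrict before adding connectors` belongs next to it.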
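Review bot: `preferredChain: ""` in the ClusterIssuer is a no-op (an empty value expresses no chain preference) but reads as if a chain were being pinned; either drop the line or name the intended chain. The http01 solver selects its Ingress with the `class: nginx` form, which cert-manager realises through the deprecated `kubernetes.io/ingress.class` annotation; cert-manager `v1.17.1` (pinned in apps/letsencrypt.yaml) also accepts `ingressClassName: nginx`, which sets `spec.ingressClassName` on the solver Ingresses and matches the `className: nginx` used by the application Ingresses in this commit.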