From 527346566bb89335830a2ab78e20357a81becc46 Mon Sep 17 00:00:00 2001
From: j <repobase@j7b.net>
Date: Thu, 21 Aug 2025 22:27:43 +1000
Subject: [PATCH 1/2] Add annotations for hostname and wildcard ssl

---
 applications/40-authentik/authentik.yaml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/applications/40-authentik/authentik.yaml b/applications/40-authentik/authentik.yaml
index 4aa2b92..9603b06 100644
--- a/applications/40-authentik/authentik.yaml
+++ b/applications/40-authentik/authentik.yaml
@@ -25,11 +25,19 @@ spec:
         authentik:
           ingress:
             enabled: true
+            annotations:
+              external-dns.alpha.kubernetes.io/hostname: auth.hxme.net
+              nginx.ingress.kubernetes.io/server-snippet: |
+                add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
             hosts:
               - host: auth.hxme.net
                 paths:
                   - path: /
                     pathType: Prefix
+            tls:
+              - hosts:
+                  - auth.hxme.net
+                secretName: wildcard-hxme-net
   destination:
     server: https://kubernetes.default.svc
     namespace: home-server

From b18a87315742b41639ec7022941c15fec05e9c7d Mon Sep 17 00:00:00 2001
From: j <repobase@j7b.net>
Date: Thu, 21 Aug 2025 22:29:17 +1000
Subject: [PATCH 2/2] Add private

---
 applications/80-private/private.yaml | 23 +++++++++++++++++++++++
 deploy/server.yaml                   |  5 +++++
 2 files changed, 28 insertions(+)
 create mode 100644 applications/80-private/private.yaml

diff --git a/applications/80-private/private.yaml b/applications/80-private/private.yaml
new file mode 100644
index 0000000..3272adc
--- /dev/null
+++ b/applications/80-private/private.yaml
@@ -0,0 +1,23 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: home-server-private
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://repobase.net/j/home-server-private.git
+    path: .
+    targetRevision: HEAD
+    kustomize:
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: home-server-private
+  syncPolicy:
+    automated:
+      selfHeal: true
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
+
diff --git a/deploy/server.yaml b/deploy/server.yaml
index e311d6d..5c72609 100644
--- a/deploy/server.yaml
+++ b/deploy/server.yaml
@@ -49,6 +49,11 @@ spec:
             namespace: home-server
             wave: 8
 
+          - name: deploy-private
+            path: applications/80-private
+            namespace: home-server-private
+            wave: 9
+
   template:
     metadata:
       name: "{{.name}}"