[ci skip] Refactor knowledge: CLAUDE.md 881→190 lines, extract reference data

CLAUDE.md changes:
- Extract service catalog + Cloudflare domains → .claude/reference/service-catalog.md
- Extract Proxmox VMs, hardware, network → .claude/reference/proxmox-inventory.md
- Extract GitHub/Drone API patterns → .claude/reference/github-drone-api.md
- Extract Authentik state snapshot → .claude/reference/authentik-state.md
- Remove Init Container pattern (duplicates setup-project skill)
- Remove Poison Fountain service notes (duplicates Anti-AI section)
- Consolidate Authentik section (link to skills + reference)
- Remove resource limit tables (kept tier definitions inline)

Skill merges (37→32):
- helm-release-force-rerender + helm-stuck-release-recovery → helm-release-troubleshooting
- containerd-multi-registry-pull-through-cache + k8s-docker-registry-cache-bypass → k8s-container-image-caching
- (traefik merges in previous commits)

.claude/reference/authentik-state.md

@@ -0,0 +1,50 @@
+# Authentik Current State
+
+> Snapshot of applications, groups, users, and flows. Use `authentik` skill for management tasks.
+
+## Applications (9)
+| Application | Provider Type | Auth Flow |
+|-------------|--------------|-----------|
+| Cloudflare Access | OAuth2/OIDC | explicit consent |
+| Domain wide catch all | Proxy (forward auth) | implicit consent |
+| Grafana | OAuth2/OIDC | implicit consent |
+| Headscale | OAuth2/OIDC | explicit consent |
+| Immich | OAuth2/OIDC | explicit consent |
+| Kubernetes | OAuth2/OIDC (public) | implicit consent |
+| linkwarden | OAuth2/OIDC | explicit consent |
+| Matrix | OAuth2/OIDC | implicit consent |
+| wrongmove | OAuth2/OIDC | implicit consent |
+
+## Groups (9)
+| Group | Parent | Superuser | Purpose |
+|-------|--------|-----------|---------|
+| Allow Login Users | — | No | Parent group for login-permitted users |
+| authentik Admins | — | Yes | Full admin access |
+| authentik Read-only | — | No | Read-only access (has role) |
+| Headscale Users | Allow Login Users | No | VPN access |
+| Home Server Admins | Allow Login Users | No | Server admin access |
+| Wrongmove Users | Allow Login Users | No | Real-estate app access |
+| kubernetes-admins | — | No | K8s cluster-admin RBAC |
+| kubernetes-power-users | — | No | K8s power-user RBAC |
+| kubernetes-namespace-owners | — | No | K8s namespace-owner RBAC |
+
+## Users (7 real)
+| Username | Name | Type | Groups |
+|----------|------|------|--------|
+| akadmin | authentik Default Admin | internal | authentik Admins, Home Server Admins, Headscale Users |
+| vbarzin@gmail.com | Viktor Barzin | internal | authentik Admins, Home Server Admins, Wrongmove Users, Headscale Users |
+| emil.barzin@gmail.com | Emil Barzin | internal | Home Server Admins, Headscale Users |
+| ancaelena98@gmail.com | Anca Milea | external | Wrongmove Users, Headscale Users |
+| vabbit81@gmail.com | GHEORGHE Milea | external | Headscale Users |
+| valentinakolevabarzina@gmail.com | Валентина Колева-Барзина | internal | Headscale Users |
+| anca.r.cristian10@gmail.com | — | internal | Wrongmove Users |
+| kadir.tugan@gmail.com | Kadir | internal | Wrongmove Users |
+
+## Login Sources
+- **Google** (OAuth) — user matching by identifier
+- **GitHub** (OAuth) — user matching by email_link
+- **Facebook** (OAuth) — user matching by email_link
+
+## Authorization Flows
+- **Explicit consent** (`default-provider-authorization-explicit-consent`): Shows consent screen
+- **Implicit consent** (`default-provider-authorization-implicit-consent`): Auto-redirects

.claude/reference/github-drone-api.md

@@ -0,0 +1,50 @@
+# GitHub & Drone CI API Reference
+
+> Token locations and common API patterns.
+
+## GitHub API
+- **Username**: `ViktorBarzin`
+- **Token**: `grep github_pat terraform.tfvars | cut -d'"' -f2` (git-crypt encrypted)
+- **Scopes**: Full access (repo, admin:public_key, admin:repo_hook, delete_repo, admin:org, workflow, write:packages)
+- **`gh` CLI**: Blocked by sandbox — use `curl` instead
+
+```bash
+GITHUB_TOKEN=$(grep github_pat terraform.tfvars | cut -d'"' -f2)
+
+# List repos
+curl -s -H "Authorization: token $GITHUB_TOKEN" "https://api.github.com/users/ViktorBarzin/repos?per_page=100"
+
+# Create repo
+curl -s -X POST -H "Authorization: token $GITHUB_TOKEN" "https://api.github.com/user/repos" \
+  -d '{"name":"repo-name","private":true}'
+
+# Add deploy key
+curl -s -X POST -H "Authorization: token $GITHUB_TOKEN" "https://api.github.com/repos/ViktorBarzin/<repo>/keys" \
+  -d '{"title":"key-name","key":"ssh-ed25519 ...","read_only":false}'
+
+# Create webhook
+curl -s -X POST -H "Authorization: token $GITHUB_TOKEN" "https://api.github.com/repos/ViktorBarzin/<repo>/hooks" \
+  -d '{"config":{"url":"https://drone.viktorbarzin.me/hook","content_type":"json","secret":"..."},"events":["push","pull_request"]}'
+```
+
+## Drone CI API
+- **Server**: `https://drone.viktorbarzin.me`
+- **Token**: `grep drone_api_token terraform.tfvars | cut -d'"' -f2`
+
+```bash
+DRONE_TOKEN=$(grep drone_api_token terraform.tfvars | cut -d'"' -f2)
+
+# Activate repo
+curl -s -X POST -H "Authorization: Bearer $DRONE_TOKEN" "https://drone.viktorbarzin.me/api/repos/ViktorBarzin/<repo>"
+
+# Trigger build
+curl -s -X POST -H "Authorization: Bearer $DRONE_TOKEN" "https://drone.viktorbarzin.me/api/repos/ViktorBarzin/<repo>/builds"
+
+# Add secret
+curl -s -X POST -H "Authorization: Bearer $DRONE_TOKEN" "https://drone.viktorbarzin.me/api/repos/ViktorBarzin/<repo>/secrets" \
+  -d '{"name":"secret_name","data":"secret_value"}'
+```
+
+## Capabilities
+- **GitHub**: Create/delete repos, push code, manage SSH/deploy keys, manage webhooks, manage org settings, manage packages
+- **Drone CI**: Activate repos, trigger/monitor builds, manage secrets, configure pipelines

.claude/reference/proxmox-inventory.md

@@ -0,0 +1,52 @@
+# Proxmox Inventory & Infrastructure
+
+> Static reference for VMs, hardware, and network topology.
+
+## Proxmox Host Hardware
+- **CPU**: Intel Xeon E5-2699 v4 @ 2.20GHz (22 cores / 44 threads, single socket)
+- **RAM**: 142 GB (Dell R730 server)
+- **GPU**: NVIDIA Tesla T4 (PCIe passthrough to k8s-node1)
+- **Disks**: 1.1TB + 931GB + 10.7TB (local storage)
+- **Proxmox access**: `ssh root@192.168.1.127`
+
+## Network Topology
+```
+10.0.10.0/24 - Management: Wizard (10.0.10.10), TrueNAS NFS (10.0.10.15)
+10.0.20.0/24 - Kubernetes: pfSense GW (10.0.20.1), Registry (10.0.20.10),
+               k8s-master (10.0.20.100), DNS (10.0.20.101), MetalLB (10.0.20.102-200)
+192.168.1.0/24 - Physical: Proxmox (192.168.1.127)
+```
+
+## Network Bridges
+- **vmbr0**: Physical bridge on `eno1`, IP `192.168.1.127/24` — physical/home network
+- **vmbr1**: Internal-only bridge, VLAN-aware — VLAN 10 (management) and VLAN 20 (kubernetes)
+
+## VM Inventory
+
+| VMID | Name | Status | CPUs | RAM | Network | Disk | Notes |
+|------|------|--------|------|-----|---------|------|-------|
+| 101 | pfsense | running | 8 | 16GB | vmbr0, vmbr1:vlan10, vmbr1:vlan20 | 32G | Gateway/firewall |
+| 102 | devvm | running | 16 | 8GB | vmbr1:vlan10 | 100G | Development VM |
+| 103 | home-assistant | running | 8 | 16GB | vmbr0 | 32G | HA, net0(vlan10) disabled |
+| 105 | pbs | stopped | 16 | 8GB | vmbr1:vlan10 | 32G | Proxmox Backup (unused) |
+| 200 | k8s-master | running | 8 | 16GB | vmbr1:vlan20 | 64G | Control plane (10.0.20.100) |
+| 201 | k8s-node1 | running | 16 | 24GB | vmbr1:vlan20 | 128G | GPU node, Tesla T4 |
+| 202 | k8s-node2 | running | 8 | 16GB | vmbr1:vlan20 | 64G | Worker |
+| 203 | k8s-node3 | running | 8 | 16GB | vmbr1:vlan20 | 64G | Worker |
+| 204 | k8s-node4 | running | 8 | 16GB | vmbr1:vlan20 | 64G | Worker |
+| 220 | docker-registry | running | 4 | 4GB | vmbr1:vlan20 | 64G | MAC DE:AD:BE:EF:22:22 (10.0.20.10) |
+| 300 | Windows10 | running | 16 | 8GB | vmbr0 | 100G | Windows VM |
+| 9000 | truenas | running | 16 | 16GB | vmbr1:vlan10 | 32G+7x256G+1T | NFS (10.0.10.15) |
+
+## VM Templates
+| VMID | Name | Purpose |
+|------|------|---------|
+| 1000 | ubuntu-2404-cloudinit-non-k8s-template | Base for non-K8s VMs |
+| 1001 | docker-registry-template | Docker registry VM |
+| 2000 | ubuntu-2404-cloudinit-k8s-template | Base for K8s nodes |
+
+## GPU Node (k8s-node1)
+- **VMID**: 201, **PCIe**: `0000:06:00.0` (NVIDIA Tesla T4)
+- **Taint**: `nvidia.com/gpu=true:NoSchedule`, **Label**: `gpu=true`
+- GPU workloads need: `node_selector = { "gpu": "true" }` + nvidia toleration
+- Taint applied via `null_resource.gpu_node_taint` in `modules/kubernetes/nvidia/main.tf`

.claude/reference/service-catalog.md

@@ -0,0 +1,132 @@
+# Service Catalog
+
+> Auto-maintained reference. See `.claude/CLAUDE.md` for operational guidance.
+
+## Critical - Network & Auth (Tier: core)
+| Service | Description | Stack |
+|---------|-------------|-------|
+| wireguard | VPN server | platform |
+| technitium | DNS server (10.0.20.101) | platform |
+| headscale | Tailscale control server | platform |
+| traefik | Ingress controller (Helm) | platform |
+| xray | Proxy/tunnel | platform |
+| authentik | Identity provider (SSO) | platform |
+| cloudflared | Cloudflare tunnel | platform |
+| authelia | Auth middleware | platform |
+| monitoring | Prometheus/Grafana/Loki stack | platform |
+
+## Storage & Security (Tier: cluster)
+| Service | Description | Stack |
+|---------|-------------|-------|
+| vaultwarden | Bitwarden-compatible password manager | platform |
+| redis | Shared Redis at `redis.redis.svc.cluster.local` | platform |
+| immich | Photo management (GPU) | immich |
+| nvidia | GPU device plugin | platform |
+| metrics-server | K8s metrics | platform |
+| uptime-kuma | Status monitoring | platform |
+| crowdsec | Security/WAF | platform |
+| kyverno | Policy engine | platform |
+
+## Admin
+| Service | Description | Stack |
+|---------|-------------|-------|
+| k8s-dashboard | Kubernetes dashboard | platform |
+| reverse-proxy | Generic reverse proxy | platform |
+
+## Active Use
+| Service | Description | Stack |
+|---------|-------------|-------|
+| mailserver | Email (docker-mailserver) | mailserver |
+| shadowsocks | Proxy | shadowsocks |
+| webhook_handler | Webhook processing | webhook_handler |
+| tuya-bridge | Smart home bridge | tuya-bridge |
+| dawarich | Location history | dawarich |
+| owntracks | Location tracking | owntracks |
+| nextcloud | File sync/share | nextcloud |
+| calibre | E-book management | calibre |
+| onlyoffice | Document editing | onlyoffice |
+| f1-stream | F1 streaming | f1-stream |
+| rybbit | Analytics | rybbit |
+| isponsorblocktv | SponsorBlock for TV | isponsorblocktv |
+| actualbudget | Budgeting (factory pattern) | actualbudget |
+
+## Optional
+| Service | Description | Stack |
+|---------|-------------|-------|
+| blog | Personal blog | blog |
+| descheduler | Pod descheduler | descheduler |
+| drone | CI/CD | drone |
+| hackmd | Collaborative markdown | hackmd |
+| kms | Key management | kms |
+| privatebin | Encrypted pastebin | privatebin |
+| vault | HashiCorp Vault | vault |
+| reloader | ConfigMap/Secret reloader | reloader |
+| city-guesser | Game | city-guesser |
+| echo | Echo server | echo |
+| url | URL shortener | url |
+| excalidraw | Whiteboard | excalidraw |
+| travel_blog | Travel blog | travel_blog |
+| dashy | Dashboard | dashy |
+| send | Firefox Send | send |
+| ytdlp | YouTube downloader | ytdlp |
+| wealthfolio | Finance tracking | wealthfolio |
+| audiobookshelf | Audiobook server | audiobookshelf |
+| paperless-ngx | Document management | paperless-ngx |
+| jsoncrack | JSON visualizer | jsoncrack |
+| servarr | Media automation (Sonarr/Radarr/etc) | servarr |
+| ntfy | Push notifications | ntfy |
+| cyberchef | Data transformation | cyberchef |
+| diun | Docker image update notifier | diun |
+| meshcentral | Remote management | meshcentral |
+| homepage | Dashboard/startpage | homepage |
+| matrix | Matrix chat server | matrix |
+| linkwarden | Bookmark manager | linkwarden |
+| changedetection | Web change detection | changedetection |
+| tandoor | Recipe manager | tandoor |
+| n8n | Workflow automation | n8n |
+| real-estate-crawler | Property crawler | real-estate-crawler |
+| tor-proxy | Tor proxy | tor-proxy |
+| forgejo | Git forge | forgejo |
+| freshrss | RSS reader | freshrss |
+| navidrome | Music streaming | navidrome |
+| networking-toolbox | Network tools | networking-toolbox |
+| stirling-pdf | PDF tools | stirling-pdf |
+| speedtest | Speed testing | speedtest |
+| freedify | Music streaming (factory pattern) | freedify |
+| netbox | Network documentation | netbox |
+| infra-maintenance | Maintenance jobs | infra-maintenance |
+| ollama | LLM server (GPU) | ollama |
+| frigate | NVR/camera (GPU) | frigate |
+| ebook2audiobook | E-book to audio (GPU) | ebook2audiobook |
+| affine | Visual canvas/whiteboard (PostgreSQL + Redis) | affine |
+| health | Apple Health data dashboard (PostgreSQL) | health |
+| whisper | Wyoming Faster Whisper STT (CPU on GPU node) | whisper |
+| grampsweb | Genealogy web app (Gramps Web) | grampsweb |
+| openclaw | AI agent gateway (OpenClaw) | openclaw |
+| poison-fountain | Anti-AI scraping (tarpit + poison) | poison-fountain |
+
+## Cloudflare Domains
+
+### Proxied (CDN + WAF enabled)
+```
+blog, hackmd, privatebin, url, echo, f1tv, excalidraw, send,
+audiobookshelf, jsoncrack, ntfy, cyberchef, homepage, linkwarden,
+changedetection, tandoor, n8n, stirling-pdf, dashy, city-guesser,
+travel, netbox
+```
+
+### Non-Proxied (Direct DNS)
+```
+mail, wg, headscale, immich, calibre, vaultwarden, drone,
+mailserver-antispam, mailserver-admin, webhook, uptime,
+owntracks, dawarich, tuya, meshcentral, nextcloud, actualbudget,
+onlyoffice, forgejo, freshrss, navidrome, ollama, openwebui,
+isponsorblocktv, speedtest, freedify, rybbit, paperless,
+servarr, prowlarr, bazarr, radarr, sonarr, flaresolverr,
+jellyfin, jellyseerr, tdarr, affine, health, family, openclaw
+```
+
+### Special Subdomains
+- `*.viktor.actualbudget` - Actualbudget factory instances
+- `*.freedify` - Freedify factory instances
+- `mailserver.*` - Mail server components (antispam, admin)