diff --git a/kube/1-clusters/Biohazard/2-config/kustomization.yaml b/kube/1-clusters/Biohazard/2-config/kustomization.yaml
index d9635523..d7841b77 100644
--- a/kube/1-clusters/Biohazard/2-config/kustomization.yaml
+++ b/kube/1-clusters/Biohazard/2-config/kustomization.yaml
@@ -4,8 +4,9 @@ kind: Kustomization
 resources:
   - 1-flux-install.yaml
   - 2-flux-repo.yaml
-  - 3-secrets.yaml
-  - 4-vars.yaml
+  # - 3-secrets.yaml
+  # - 4-vars.yaml
+  - ../../../clusters/biohazard/flux/
   - 5-deploy.yaml
   - ceph-rgw-ext-users.yaml
   - ../../../3-deploy/1-core/05-ingress/cloudflare/
diff --git a/kube/clusters/biohazard/config/kustomization.yaml b/kube/clusters/biohazard/config/kustomization.yaml
index 036a81c4..4815ff81 100644
--- a/kube/clusters/biohazard/config/kustomization.yaml
+++ b/kube/clusters/biohazard/config/kustomization.yaml
@@ -12,4 +12,6 @@ secretGenerator:
     envs:
       - ./secrets.sops.env
 generatorOptions:
-  disableNameSuffixHash: true
+  disableNameSuffixHash: false
+configurations:
+  - ./kustomizeconfig.yaml
diff --git a/kube/clusters/biohazard/config/kustomizeconfig.yaml b/kube/clusters/biohazard/config/kustomizeconfig.yaml
new file mode 100644
index 00000000..280a7ec4
--- /dev/null
+++ b/kube/clusters/biohazard/config/kustomizeconfig.yaml
@@ -0,0 +1,12 @@
+---
+nameReference:
+- kind: ConfigMap
+  version: v1
+  fieldSpecs:
+  - path: spec/postBuild/substituteFrom/name
+    kind: Kustomization
+- kind: Secret
+  version: v1
+  fieldSpecs:
+  - path: spec/postBuild/substituteFrom/name
+    kind: Kustomization
diff --git a/kube/clusters/biohazard/config/vars.sops.env b/kube/clusters/biohazard/config/vars.sops.env
index 5c593b4d..57bda90a 100644
--- a/kube/clusters/biohazard/config/vars.sops.env
+++ b/kube/clusters/biohazard/config/vars.sops.env
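Review bot: The two entries turned into comments (`# - 3-secrets.yaml`, `# - 4-vars.yaml`) are dead configuration, and if this commit does not also delete those files they remain on disk as unreferenced copies of cluster secrets and vars that nothing reconciles and nobody will remember to rotate — remove the lines and the files rather than commenting them out. Because `../config/`, reached through the new `../../../clusters/biohazard/flux/` entry, now emits hash-suffixed Secret/ConfigMap names, a `substituteFrom` reference only follows the suffix when it is rendered inside this same kustomize build; `5-deploy.yaml` is in the build, but any Flux Kustomization reconciled from a separate path would still name the unsuffixed object. Before merging, a `kustomize build kube/1-clusters/Biohazard/2-config | grep -A1 substituteFrom` that shows the suffixed names would confirm the rewrite actually landed.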
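Review bot: Flipping `disableNameSuffixHash` to `false` means every edit to `secrets.sops.env` produces a Secret under a new name, and the previous revision — still holding the old credential values — stays in the namespace unless the Flux Kustomization applying this tree has `prune: true`, which is not visible here; confirm that, or rotation never actually removes the old value from the cluster and stale Secrets accumulate. A one-line comment above the changed line would spare the next reader the same question: `# hash suffix rolls consumers when the env changes; relies on Flux prune to GC old revisions`.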
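Review bot: Both `fieldSpecs` entries in `kustomizeconfig.yaml` match on `kind: Kustomization` with no `group`, so the rule also applies to the `kustomize.config.k8s.io` Kustomization kind; that is harmless today because that kind has no `spec.postBuild`, but pinning it is cheap and removes the ambiguity — add `group: kustomize.toolkit.fluxcd.io` beneath each `kind: Kustomization`. Note the config only rewrites `spec/postBuild/substituteFrom/name`; `spec/decryption/secretRef/name` is not covered, which is fine as long as the decryption Secret keeps a fixed, non-generated name, as `secrets-age.sops.yaml` in this commit does.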
@@ -88,6 +88,8 @@ APP_UID_NTFY=ENC[AES256_GCM,data:R7IcBw==,iv:B7eH37KXKOg9Ne1I1bL+aJZZoY6Jm8Rdz4v APP_DNS_HEADSCALE=ENC[AES256_GCM,data:jrDDMcrtJiypHgUu,iv:hJzK20p5fs6zzkOBucY18/TsaeXR6WvyXJTch9yoGTI=,tag:fmLoy9oeWovG9X6hXcUFRw==,type:str] APP_IP_HEADSCALE=ENC[AES256_GCM,data:aNR6DaOYhrBwjow=,iv:ebNhlLaP5YmE16q+GBe9bDyTQSiWVSSjXdlL56Ub3yA=,tag:YPx1qrTSa+UHKr1qpzxnTQ==,type:str] APP_UID_HEADSCALE=ENC[AES256_GCM,data:6e/cSbU=,iv:Smgl5XdNjsTKLKy1sq058GHu6q6I+l/m3F03YGV1z4Q=,tag:A4mfg7ldwAtvtO78GQSXPA==,type:str] +APP_DNS_ZIPLINE=ENC[AES256_GCM,data:2UR2igsE8xgV,iv:jR1B3UlR47dEEHDDAC9AXX2OTg7EmlOL7kHQsteLNaw=,tag:Vp4Cc53uG7JsJ2ex6/67IQ==,type:str] +APP_UID_ZIPLINE=ENC[AES256_GCM,data:xA3YFZI=,iv:ch21o7iJ0StUOcIx0G8qSkineWdsmDKtqAyxHkqnGos=,tag:lb3HNddZpvYoPARVvAu0Gg==,type:str] CONFIG_MINECRAFT_OPS=ENC[AES256_GCM,data:al3glJDrtuqtTM2z4W7n+tPNf6XVfK64Jdb9s5RAE5NUwxyK,iv:kYqlsOabsa2iBZKgqjOpFYJo0DMFuoo3ZWCqb/Xzi5c=,tag:nIqPXvBvxdi8crMj1CYsEw==,type:str] CONFIG_MINECRAFT_ICON=ENC[AES256_GCM,data:nNzsyRclLnPZ+8Td/WJg2u8V/QKf/xowrghmTaKRNb9a5BMOxtzmiyAt6Us8OoY=,iv:b7fHZQdOjc4oCCLtLhopNg6G7IS2u9NUdBLCN6CjSKc=,tag:+cPgP1oK/9+EK2tB9Y45zw==,type:str] CONFIG_MINECRAFT_NAME=ENC[AES256_GCM,data:1qSqJGmGON9BhJKRJA==,iv:Sdwq0LLLdBQlr3m+0Ey2IE9FcRtVKOtXsswLMMp9A5A=,tag:WpaTzqSO3+N+vnJkGI+pCQ==,type:str] 
@@ -101,12 +103,12 @@ CONFIG_SANDSTORM_INIT_SCENARIO=ENC[AES256_GCM,data:199SWIbX0ecKR9r5VjxL/aZROg==, CONFIG_ZEROTIER_ENDPOINT=ENC[AES256_GCM,data:tOyIlrzdn8sck7um7OSicq5T0XWAmymaRLn2ENL1EyPGVdXZhi/IDRTNxmBzCVkUdju0D79EKB29qTw=,iv:FjiBFYt68V1J+/AOEptVDQ6IoXxGevvN9NCB54Rs9ws=,tag:bWkb2QIS32ltJKCrHWL0gw==,type:str] CONFIG_AUTHENTIK_REMOTE_HOST=ENC[AES256_GCM,data:Iv7k3CoKsLrQf0PRIfhGMCAjOU3AdweS+LFWMeEQoWc=,iv:TsRwWDUrI3zAgBgFRkZAYUNlZV0Q/gOlGjKFrheM0nE=,tag:38OGfWYEm/h/+FH7IsIH3Q==,type:str] CONFIG_HEADSCALE_IPV4=ENC[AES256_GCM,data:EZ7GMHA6u1wWPS5g6Pg=,iv:W1hcseQ4Q6CisTXnDLI7hWTy18fIVKtZ46tudCyhfa4=,tag:2WnnNjuZhwUPG07OKTQt2g==,type:str] -sops_mac=ENC[AES256_GCM,data:3HHUAhRZeOvhDwhO+61mW+P3Na999SO8gsmGBuBGbifnko+QW0crQSoQmleX7AL/FK7cNZOoZFklZK8WYQMK7/2/pcclRQCzWhF7g2nIVvNcLOCvOzO6ZRalv7SB5KM9qIGPJL1eQ/byx82IZIXdcpAndfxQc79NlQYxwdWJLPM=,iv:2GaKTN5hCS426H8AaHzxVStujvYXDz4pQZseYhKhiQA=,tag:MkarwG1MJTV0mPYL27jCqw==,type:str] -sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFSXFvLzFQaFJ0OVJKUFV5\nTWh2OUltUlpJWFlVVytFYU9VajBHSnQ4SGdjCnRVbEVXdDVyUHJrR05Ba0xvUm1l\nTkt2YmNUZy90ZFA2b3QrODFKZ01EVG8KLS0tIEw2dkd1cnFCbnI5eWxKL2o1aDVB\nN0hveXZ2dWdxQ2k2L0pGR0ROMStVTmsK4dV/hNyDjsYnVUiFQ7kqdmcVHfYyVckz\nh/rwLjcZgsup72WDVP3v6Eul8B3LKFrSb8CDFA54tyQmSdFDCQC+Zg==\n-----END AGE ENCRYPTED FILE-----\n -sops_lastmodified=2023-06-01T18:01:05Z -sops_pgp__list_0__map_created_at=2023-06-01T18:01:04Z -sops_unencrypted_suffix=_unencrypted -sops_age__list_0__map_recipient=age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhF4DAAAAAAAAAAASAQdAbA35718t0WVKrjQFYUPviCb0lVuh8NpfSdJCHjHcWWww\n8ak4q4VL69tZLSjQHx+VsMmKooknxWz6pw0lGxyDYlZMQ81bodInjaZGFZSz8Uuh\n0l4BhDCNDBBALTrnTliz6/DAHvmavI4UxMHost5alFio9JPkTDNmXZyvcy1/R6aw\n/uhQXLUBRvm0TSOhBZb7d0SLkLfe02Um40w1TibpKXsZz1GOMbPRNBMHHra0QIuQ\n=0jA+\n-----END PGP MESSAGE-----\n 
-sops_pgp__list_0__map_fp=31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 +sops_age__list_0__map_recipient=age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj +sops_lastmodified=2023-06-03T02:20:13Z +sops_pgp__list_0__map_created_at=2023-06-01T18:01:04Z sops_version=3.7.3 +sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFSXFvLzFQaFJ0OVJKUFV5\nTWh2OUltUlpJWFlVVytFYU9VajBHSnQ4SGdjCnRVbEVXdDVyUHJrR05Ba0xvUm1l\nTkt2YmNUZy90ZFA2b3QrODFKZ01EVG8KLS0tIEw2dkd1cnFCbnI5eWxKL2o1aDVB\nN0hveXZ2dWdxQ2k2L0pGR0ROMStVTmsK4dV/hNyDjsYnVUiFQ7kqdmcVHfYyVckz\nh/rwLjcZgsup72WDVP3v6Eul8B3LKFrSb8CDFA54tyQmSdFDCQC+Zg==\n-----END AGE ENCRYPTED FILE-----\n +sops_mac=ENC[AES256_GCM,data:bpld2gCyFxQogDqJUNDhATAhN8NIHLnMg+bGihu/7UM31nEhnuXs5+4rgsSsePCIMC5i5j2oFcQNlO7QqflbRjP84UmaKSjssFU3LEYUhhV7VU8qakK8PPG57h0oVdNNUIzQhQvtBa7TL4M2an4dh76/EHDhTCYlIV/xX2ktSTw=,iv:LVlMgboJppY4wSTMC731uM+XxZrVFas7SLMnbnzcBvo=,tag:ov4qykh8zHZve2fTUOZ2lQ==,type:str] +sops_unencrypted_suffix=_unencrypted +sops_pgp__list_0__map_fp=31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 diff --git a/kube/clusters/biohazard/flux/kustomization.yaml b/kube/clusters/biohazard/flux/kustomization.yaml new file mode 100644 index 00000000..92d55d15 --- /dev/null +++ b/kube/clusters/biohazard/flux/kustomization.yaml 
@@ -0,0 +1,26 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../config/
+  - secrets-age.sops.yaml
+  - secrets-ssh.sops.yaml
+  # - flux-install.yaml
+  # - flux-repo.yaml
+  # - ceph-rgw-ext-users.yaml
+  # - ../../../3-deploy/1-core/05-ingress/cloudflare/
+  # - ../../../3-deploy/1-core/05-ingress/external-proxy-x/
+  # - ../../../3-deploy/1-core/06-monitoring/1-deps/
+  # - ../../../3-deploy/1-core/06-monitoring/node-exporter/
+  # - ../../../3-deploy/1-core/db/pg/
+  # - ../../../3-deploy/2-apps/default/
+  # - ../../../3-deploy/2-apps/flux-system/
+  # - ../../../3-deploy/2-apps/authentik/
+  # - ../../../3-deploy/2-apps/kanidm/
+  # - ../../../3-deploy/2-apps/syncthing/
+  # - ../../../3-deploy/2-apps/excalidraw/
+  # - ../../../3-deploy/2-apps/velociraptor/
+  # - ../../../3-deploy/2-apps/gotosocial/
+  # - ../../../3-deploy/2-apps/ntfy/
+  # - ../../../3-deploy/2-apps/satisfactory/
+  # - ../../../3-deploy/2-apps/headscale/
diff --git a/kube/clusters/biohazard/flux/secrets-age.sops.yaml b/kube/clusters/biohazard/flux/secrets-age.sops.yaml
new file mode 100644
index 00000000..725ac85d
--- /dev/null
+++ b/kube/clusters/biohazard/flux/secrets-age.sops.yaml
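Review bot: `secrets-age.sops.yaml` is listed as an ordinary resource here, yet it is encrypted to the same age recipient (`age1u57…`) whose private key it presumably carries, so Flux cannot decrypt this resource until that key is already present in `flux-system`; the bootstrap has to happen out-of-band and nothing in this file says so. A header comment would stop the next operator from wondering why the first reconcile fails: `# secrets-age.sops.yaml holds the cluster's own SOPS age key; apply it once out-of-band (sops -d ... | kubectl apply) before Flux can decrypt anything in this tree`. The nineteen commented-out resource lines are dead configuration — if they are staged for a later migration, say so in a comment; otherwise drop them, since a stray uncomment would start reconciling whole app trees from this build.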
@@ -0,0 +1,38 @@ +apiVersion: v1 +kind: Secret +metadata: + name: biohazard-secrets-decrypt-sops-age + namespace: flux-system +data: + age.agekey: ENC[AES256_GCM,data:HcCh7EHyUGdps1OlgJrN/xI9YKTr/l2NLQtor6OmHmgolRJMx9CAhnY1scSaP4qT6nlXLGqlpj+uQCuJ7OaOuYIDzl60/mFD3gLuWYZQcjcWwVZlScLmKQ4liuQp6fb8DyOHXa1ka//3acRJSZ9afpM80mIWyYXvIZ0IjrlMOgvxF640p51bRiGl3DZZPXwNd3WbOCuPENF6GwlkO9I8lcE1wN97dHo4LVwZ63d8qcqpT6f7u5AGNP60SuTDtChXPGW5ecPaiRjOH0bZUo3RpSMUKU8AlzVUHuhRq8SwFwapmG5r4AVtI6fndxSmr/wfiJYrJSy6ruRlOBiH,iv:wRQhJ4hbsLYR5VjmOX9YawozfY5vYvCuH3hVni3tmBs=,tag:bXNQDAq430WpiR8F0t51aA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6c2s0WUxZTUFVdlVLbHhZ + VnRTR3gvZkRVT0M0S1FQTDBScVhLTUZjYkZrCldSWHlhemRaSDB5TUUzVHJzTVU2 + TzhoemJzU3NWYTR4dTVTRzhaSzJ6UGsKLS0tIDBRNk1oT3JRQnh4aUFuVFpzbmd1 + ajNqNHRtRUROVkRKVVZ4ZDVlVE1mdG8KMq5dnfyVliHwP33oh8Zp28nNp/3JD22E + 2soIMUki5f6KaFwenIGqadcyWBpD6FL9cezN4219gEyPj48xdOUhjA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-06-01T21:23:06Z" + mac: ENC[AES256_GCM,data:2QBVLkp4k92C8AEFqxF796GkqwSLfZdqM9+2x60uVMAvEXKjP89ROIsThZybibfBe0yEGZs6Z0pXpyPX099823l5wgbmPnAlYx+oQ621+uLpKuIkJ1OtxjzlKreZOtDBURDhIFM+evQNCvgKZvuAb+bE42PfkaWOjTCKhd6H80I=,iv:kLQTzbYh7xX8/OgzlZA9qgRccZDmjGQrTGpNCuElOrs=,tag:e7XKHQL7Jm+cF/IkepXoJA==,type:str] + pgp: + - created_at: "2023-06-01T21:22:55Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hF4DAAAAAAAAAAASAQdAlbR90R8aSTOAm2xXopzcX8FsUBn+xDE9e/iuQnTrJnww + HrvOnCgOiXFlL+RT1UBpeXAqJqLCVY1i3RT+ixoXrFphoeqfPeeyiI9OJyDLtykj + 0l4BTdlio7BZRm/82NHfY4sMyJ0P4OJWwg+ItlhgxnuDgd4QdPbbmASzNBjJd2Bm + 8HpP2yq+6NtAQ2C5l997LaPNC5l0O3xmZsR8zftRn4MgOHeYDHT3IY7xmF95AUh/ + =ENhw + -----END PGP MESSAGE----- + fp: 31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 + encrypted_regex: ^(data|stringData)$ + version: 3.7.3 
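Review bot: `biohazard-secrets-decrypt-sops-age` is the decryption root for every other `*.sops.*` file in this tree, and the file is readable by two decryptors — the age recipient and the PGP key `31E70E5B…`; whoever holds that PGP private key can recover the cluster's age key, so it is effectively a second cluster root and deserves the same handling (hardware-backed storage, a rotation plan), or removal from this file if it is only a convenience. Minor style: the Secret omits `type: Opaque` and the file has no leading `---`, unlike the kustomization files in the same commit. A comment above `data:` noting which key this is and where it is backed up would help: `# private age key matching the age recipient below; backup lives outside this repo`, with the location filled in.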
diff --git a/kube/clusters/biohazard/flux/secrets-ssh.sops.yaml b/kube/clusters/biohazard/flux/secrets-ssh.sops.yaml
new file mode 100644
index 00000000..6fa33df7
--- /dev/null
+++ b/kube/clusters/biohazard/flux/secrets-ssh.sops.yaml
@@ -0,0 +1,40 @@ +apiVersion: v1 +kind: Secret +metadata: + name: biohazard-flux-github-ssh-key + namespace: flux-system +data: + identity: ENC[AES256_GCM,data:8J9nsNM9nvxNadzkrs7rIS3quaD4+yqgNBYwaE3xMotIlYLQpctdhrBqM7vbd8R9Z++2jUAVRwgTK+j35OtCWClxcJMVAOq/c8ZLgwj6LDeWvJyaHVLiOuFa6Lw4w5hE56+0gbc+XiuqRfHospjX42ABoK3KlhLyM51cWgQlLG5C0v1euro0/yLCoDZO27PB9NGDIQkSWO+bBVfJPodCFA==,iv:robp1VBiiwLUVN2PQHrOK4Fola/Szo4fvrq3U+usyCA=,tag:reuTnlDKmscgKcSB5HWUvw==,type:str] + identity.pub: ENC[AES256_GCM,data:6zX6aJk3LmBDv4PFNVbCuHIIsg3iRi4f5POcfzCa0rrkLVh7V+7vJrr4rAp6vpd0b3hfzpo446qHIKNDtFMc7YcmZwtxZ74t+5oS9KqKbbPYJAZeciZrK1BcIkcNBULsJ8fSNoR8sWDZmnqV,iv:sl1Knv8Nsu+biY4+FnCiglLrleRO7potThsIcURFVWY=,tag:+syqveX9qKNaKnnADCVNTA==,type:str] + known_hosts: ENC[AES256_GCM,data:KNPpLQdSfrLU04WTAgsiQAIlpbYRUG7Aqnrqgc/A1HOoGO4vakBtwDjyJFbzc3wUGAGgakdKi9Abg54bypaUaFPe9sziXb2PqSOUtBaayf4rzmZsE9GQ9AGa2yA0nvkEo8bjoY4iFJv8nFGC+tPZy14moMRG0ggepHsZmBAjr65ZaSQ3exxGZWGa9vHjvQ9ZgG1gRFlV5U3sLXnhS8fVouFy1Rl1jB91m+Ss7oBFEU2qX9U+8o8d/hE6vtoE54kJdbRqPazt/kqAt7t6STCUemdxL9tMLySfK4uRk1E5FXHAUnFe,iv:SrMFr8cIxBe1eQqZYeSU1FXV8MtixJsGT31HqaqPuSo=,tag:hQp37ZwXWtNE//PzRXyBDQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5bGRFejJrK040Tm8yNGR4 + dDExL0k2Yi9EVlNmY1hHTzd0bG9qeEtUbDI4CmdsR1JMUC9oYzdBYldOYkVPaXV1 + bzgrWVV2UWhNUWN2eTBzZG5rR3pHMzQKLS0tIHJkd1NmOG1Ic2p6WWF0eC8vQzIy + Z2R4WkRqSFhlSjBsck5YMndoWGxRSk0KVTc4km7pba0LW9KCnSd19876ii6e+xQw + UYBj5hv2gFF1agwpXaxwBB6JCkvzgteotgaR0m5RT0lAQnBvQKgwxQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-06-01T21:23:17Z" + mac: 
ENC[AES256_GCM,data:0eCu9y+cLvvRFTTQqyqbBj0rfXp7ExZYyMomEbVT475uTMMvZ4ec3rdDDkXeRenX9YgcVOqydt9wdkhNXaaK4YyMs0sPovy7x2URIN6Y6vb+bryBGgbv6wHulSlhGFin72ZohdSBziYjcS5gi2NlwXbL0ir1IvwlCntV2/Uu+gY=,iv:Dl4lS0CxmBgpI8PcxPOD+gX8IY1qZcLqfvscvlPGpm4=,tag:22luTxapli4mrnC37+u7UQ==,type:str] + pgp: + - created_at: "2023-06-01T21:23:13Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hF4DAAAAAAAAAAASAQdASu2rIOU/pY0E9bxsX+sTmBgYc+ti8RtlSWsLC+l+pRww + GyrhnCB6c+eye/mWOpRVTXIoJXbwx+WRc/C5/VS8+w1AihdYWykP+HHVCyT3rJ1Q + 0lwBYq5m5KnwCZ2stDyivpDiLpNh20UXZo9gYtkV0IkYDiHVKLeGj+yVCfvnJEm1 + UzRv/XGeLdHMKNOeAniJKfD10crSQHwMWmEHq1kTSVHHQHBwDJgtBD0BHXdEvQ== + =A7F8 + -----END PGP MESSAGE----- + fp: 31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 + encrypted_regex: ^(data|stringData)$ + version: 3.7.3
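Review bot: `identity` is the private key Flux uses to pull this repository, and nothing in the Secret shows whether it is registered on GitHub as a read-only deploy key; a write-capable key in `flux-system` would let anyone able to read Secrets there push to the repo that defines the cluster, so confirm it is read-only unless image automation genuinely needs write access. `known_hosts` is encrypted alongside it, which is fine, but make sure it carries GitHub's current host keys — GitHub rotated its RSA host key in March 2023, shortly before this file's `lastmodified` — since a stale entry fails the clone while an over-broad one defeats host pinning. A short comment above `data:` naming the GitHub deploy-key title and its permission level would make the next audit straightforward.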