diff --git a/.sops.yaml b/.sops.yaml
index 201904d..e053c26 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,4 +1,9 @@
 creation_rules:
+  # Bootstrap secrets
+  - path_regex: bootstrap/.*\.yaml$
+    encrypted_regex: ^(data|stringData|password|token|apiKey|secret|key)$
+    age: age1c7ke5ajhtzua7lrvzsg2p7krnnqv5jhvafh4lsl2s022j46jggnss4rxry
+  # Default rule for all encrypted files
   - path_regex: .*\.enc\.yaml$
     encrypted_regex: ^(data|stringData|password|token|apiKey|secret|key)$
diff --git a/bootstrap/gotify-secret.enc.yaml b/bootstrap/gotify-secret.enc.yaml
new file mode 100644
index 0000000..24e75ed
--- /dev/null
+++ b/bootstrap/gotify-secret.enc.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gotify-token
+  namespace: flux-system
+type: Opaque
+stringData:
+  token: ENC[AES256_GCM,data:q3e9fmen46+ucVkUHHXa,iv:cKA2irq9Sqq+bKdlPClSfDW0POsNZUuLpbM7VcKNg2M=,tag:zVyuACVWPDb+whd/aWFPLg==,type:str]
+sops:
+  kms: []
+  gcp_kms: []
+  azure_kv: []
+  hc_vault: []
+  age:
+    - recipient: age1c7ke5ajhtzua7lrvzsg2p7krnnqv5jhvafh4lsl2s022j46jggnss4rxry
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQWTBCM0ozK2hJcjJNWlM3
+        aS9zdkgyM29MYkYyTGpQamNYTnpFWWs0U0RJCmwzWFd5Zy9rTUZEQ2hwcXl0c2Nv
+        YmdvT1pqeUkxMjhpR2dqZjd4bEJNNjQKLS0tIEgwQ1Ura1d3VDU3ZzVINUIxait4
+        WFBsZkRpbmNNMTBjTGxlUjMyZmVTWHMKZSjo5xdp6y0A0PCIbMLNiQDc5x2B9wi/
+        t5hdkUYndg2pyPimP0LObNnjsMReMXPjrbp/ll/OxhFdP41ZRrjkfg==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2025-11-16T07:33:40Z"
+  mac: ENC[AES256_GCM,data:Bfg2nICuC/Sh5jZYtbjaG95G22LuScyDOdKwp61fbiA02fUUB3KhCB8WQK8oODlYHKkF6D7C/nh2pj+uPpifzI58qrcwMA1f+0k0ht+bM0BL8I5J5VH5KgtVxBgE5WlOW7I9NP3Ppe3+1AWH1DrTCGSBWXsW1K6xD553wJihsJg=,iv:z+runjrD/bMJe1ywGmskq0paPKMBEyiwNL2fdVkwDyA=,tag:HV2+KI/YyqpfbeTTuxTRVg==,type:str]
+  pgp: []
+  encrypted_regex: ^(data|stringData|password|token|apiKey|secret|key)$
+  version: 3.9.2
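Review bot: The new rule `path_regex: bootstrap/.*\.yaml$` also matches the plaintext manifests added in the same commit (`bootstrap/kustomization.yaml`, `bootstrap/notification-provider.yaml`), and because sops applies the first creation rule that matches, it now takes precedence over the default `.*\.enc\.yaml$` rule for everything under `bootstrap/`. If the intent is only to pin the recipient for bootstrap secrets, narrowing it to `- path_regex: bootstrap/.*\.enc\.yaml$` keeps the `.enc.yaml` suffix as the single signal that a file is meant to be encrypted and avoids a plaintext manifest silently qualifying for encryption. The hunk header counts four old lines but only three context lines are visible here, so the remainder of the default rule (presumably its own `age:` recipient) is outside what I can see; if it names the same key, the bootstrap rule adds nothing except the wider match.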
diff --git a/bootstrap/kustomization.yaml b/bootstrap/kustomization.yaml
new file mode 100644
index 0000000..92701d2
--- /dev/null
+++ b/bootstrap/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: flux-system
+
+resources:
+  - gotify-secret.enc.yaml
+  - notification-provider.yaml
diff --git a/bootstrap/notification-provider.yaml b/bootstrap/notification-provider.yaml
new file mode 100644
index 0000000..5511ff4
--- /dev/null
+++ b/bootstrap/notification-provider.yaml
@@ -0,0 +1,29 @@
+apiVersion: notification.toolkit.fluxcd.io/v1beta3
+kind: Provider
+metadata:
+  name: gotify
+  namespace: flux-system
+spec:
+  type: gotify
+  address: http://gotify.gotify.svc.cluster.local
+  secretRef:
+    name: gotify-token
+---
+apiVersion: notification.toolkit.fluxcd.io/v1beta3
+kind: Alert
+metadata:
+  name: homelab-alerts
+  namespace: flux-system
+spec:
+  providerRef:
+    name: gotify
+  eventSeverity: info
+  eventSources:
+    - kind: GitRepository
+      name: '*'
+    - kind: Kustomization
+      name: '*'
+    - kind: HelmRelease
+      name: '*'
+    - kind: HelmRepository
+      name: '*'
diff --git a/clusters/production/bootstrap.yaml b/clusters/production/bootstrap.yaml
new file mode 100644
index 0000000..88a388e
--- /dev/null
+++ b/clusters/production/bootstrap.yaml
@@ -0,0 +1,18 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: bootstrap
+  namespace: flux-system
+spec:
+  interval: 10m
+  timeout: 5m
+  sourceRef:
+    kind: GitRepository
+    name: homelab
+  path: ./bootstrap
+  prune: true
+  wait: true
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
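Review bot: `spec.address` in the Provider is `http://gotify.gotify.svc.cluster.local`, so the token decrypted from `gotify-token` is sent in plaintext over the pod network on every alert delivery. If the gotify Service can serve TLS, switching to `https://` (with `certSecretRef` for a private CA) is the simple fix; if plain HTTP inside the cluster is an accepted trade-off, a comment such as `# plaintext in-cluster: token is visible to anything that can read pod traffic` above `address:` records that decision for the next reader. Separately, the Alert combines `eventSeverity: info` with `name: '*'` on four source kinds, which on a production cluster forwards every successful reconcile to gotify; `eventSeverity: error` for this catch-all Alert, with a narrower `info` Alert for the sources you actively watch, keeps the channel useful. Both documents are complete within the hunk.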
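Review bot: `spec.decryption.secretRef.name: sops-age` is referenced but nothing in this commit creates that Secret, so the first reconcile of `bootstrap` will fail at decryption until it exists in `flux-system`; a comment above `decryption:` such as `# sops-age holds the private age key and is created out of band before this Kustomization is applied` makes the out-of-band dependency visible to whoever rebuilds the cluster. That Secret is the only thing able to decrypt `bootstrap/gotify-secret.enc.yaml` (the file lists a single age recipient), so it deserves the same handling as any other long-lived key: kept out of plaintext namespace backups and rotated if the bootstrap key is ever suspected compromised. With `prune: true` and `wait: true`, removing an entry from `bootstrap/kustomization.yaml` also deletes the live `gotify-token` Secret, which is the expected GitOps behaviour but worth a one-line note on `prune:` since this Kustomization manages credentials rather than ordinary workloads.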