Add Flux bootstrap and Gotify notifications

- Added SOPS-encrypted Gotify API token
- Created Gotify notification provider for Flux alerts
- Added bootstrap Kustomization for notifications
- Updated .sops.yaml to handle bootstrap directory
- Configured alerts for all GitRepository, Kustomization, and HelmRelease events

.sops.yaml

@@ -1,4 +1,9 @@
 creation_rules:
+  # Bootstrap secrets
+  - path_regex: bootstrap/.*\.yaml$
+    encrypted_regex: ^(data|stringData|password|token|apiKey|secret|key)$
+    age: age1c7ke5ajhtzua7lrvzsg2p7krnnqv5jhvafh4lsl2s022j46jggnss4rxry
+
   # Default rule for all encrypted files
   - path_regex: .*\.enc\.yaml$
     encrypted_regex: ^(data|stringData|password|token|apiKey|secret|key)$

bootstrap/gotify-secret.enc.yaml

@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: gotify-token
+    namespace: flux-system
+type: Opaque
+stringData:
+    token: ENC[AES256_GCM,data:q3e9fmen46+ucVkUHHXa,iv:cKA2irq9Sqq+bKdlPClSfDW0POsNZUuLpbM7VcKNg2M=,tag:zVyuACVWPDb+whd/aWFPLg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1c7ke5ajhtzua7lrvzsg2p7krnnqv5jhvafh4lsl2s022j46jggnss4rxry
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQWTBCM0ozK2hJcjJNWlM3
+            aS9zdkgyM29MYkYyTGpQamNYTnpFWWs0U0RJCmwzWFd5Zy9rTUZEQ2hwcXl0c2Nv
+            YmdvT1pqeUkxMjhpR2dqZjd4bEJNNjQKLS0tIEgwQ1Ura1d3VDU3ZzVINUIxait4
+            WFBsZkRpbmNNMTBjTGxlUjMyZmVTWHMKZSjo5xdp6y0A0PCIbMLNiQDc5x2B9wi/
+            t5hdkUYndg2pyPimP0LObNnjsMReMXPjrbp/ll/OxhFdP41ZRrjkfg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-11-16T07:33:40Z"
+    mac: ENC[AES256_GCM,data:Bfg2nICuC/Sh5jZYtbjaG95G22LuScyDOdKwp61fbiA02fUUB3KhCB8WQK8oODlYHKkF6D7C/nh2pj+uPpifzI58qrcwMA1f+0k0ht+bM0BL8I5J5VH5KgtVxBgE5WlOW7I9NP3Ppe3+1AWH1DrTCGSBWXsW1K6xD553wJihsJg=,iv:z+runjrD/bMJe1ywGmskq0paPKMBEyiwNL2fdVkwDyA=,tag:HV2+KI/YyqpfbeTTuxTRVg==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData|password|token|apiKey|secret|key)$
+    version: 3.9.2

bootstrap/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: flux-system
+
+resources:
+  - gotify-secret.enc.yaml
+  - notification-provider.yaml

bootstrap/notification-provider.yaml

@@ -0,0 +1,29 @@
+apiVersion: notification.toolkit.fluxcd.io/v1beta3
+kind: Provider
+metadata:
+  name: gotify
+  namespace: flux-system
+spec:
+  type: gotify
+  address: http://gotify.gotify.svc.cluster.local
+  secretRef:
+    name: gotify-token
+---
+apiVersion: notification.toolkit.fluxcd.io/v1beta3
+kind: Alert
+metadata:
+  name: homelab-alerts
+  namespace: flux-system
+spec:
+  providerRef:
+    name: gotify
+  eventSeverity: info
+  eventSources:
+    - kind: GitRepository
+      name: '*'
+    - kind: Kustomization
+      name: '*'
+    - kind: HelmRelease
+      name: '*'
+    - kind: HelmRepository
+      name: '*'

clusters/production/bootstrap.yaml

@@ -0,0 +1,18 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: bootstrap
+  namespace: flux-system
+spec:
+  interval: 10m
+  timeout: 5m
+  sourceRef:
+    kind: GitRepository
+    name: homelab
+  path: ./bootstrap
+  prune: true
+  wait: true
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age