flux: add backup sync

2026-06-02 22:40:42 +00:00
parent a34f1100c5
commit 673756b1ed
8 changed files with 63 additions and 16 deletions
@@ -1,6 +1,11 @@
 creation_rules:
-  # encrypt all values
+  # encrypt all values from file
  - path_regex: \.private\.dec\.yaml$
    encrypted_regex: '^(.*)$'
    age:
+      - age1gk946fp37xtm3fv500407zdd5h89a5lvxysrufhau3f73xcq8ewqcu8l5g
+  # encrypt secrets files
+  - path_regex: .*.yaml
+    encrypted_regex: ^(data|stringData)$
+    age: 
      - age1gk946fp37xtm3fv500407zdd5h89a5lvxysrufhau3f73xcq8ewqcu8l5g
@@ -43,6 +43,7 @@ kubectl create secret generic flux-sops-age \

 ``` bash
 sops -e deploy/app/helm-values.private.dec.yaml > deploy/app/helm-values.private.yaml
+sops -e deploy/backups/secrets.dec.yaml > deploy/backups/secrets.yaml
 ```

 ### Continuous Deploy
@@ -5,9 +5,9 @@ resources:
 - gitea-helm-repo.yaml 

 secretGenerator:
-  - name: gitea-helm-values
+  - name: gitea-helm-install-values
    files:
      - values.yaml=helm-values.yaml
      - values.private.yaml=helm-values.private.yaml
 generatorOptions:
-  disableNameSuffixHash: true
+  disableNameSuffixHash: true
@@ -0,0 +1 @@
+**.dec.*
@@ -1,17 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+  - secrets.yaml
  - cronjobs/backup-borg-offsite.yaml
  - cronjobs/backup-pbs.yaml
-
-secretGenerator:
- name: gitea-backup
-  namespace: git-limbosolutions-com
-  envs:
-    - .env.d/secrets
-  files:
-    - BORG_KEY=.env.d/borg_key
-    - SSH_ID_RSA=.env.d/id_rsa
-    
-generatorOptions:
-  disableNameSuffixHash: true
+namespace: git-limbosolutions-com
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: backup-secrets
+    namespace: vault-limbosolutions-com
+type: Opaque
+stringData:
+    PBS_REPOSITORY: ENC[AES256_GCM,data:iQEcqc53uvtfyQtgEHFsXZ5PTTIoUT90+61/7HbF5AAz8V1u17rP0vPAld+XyQ==,iv:7WsMOWfahr0XX7rEnoxf0kQ+s0mjQCdg0lb/U7LL/Bc=,tag:hj0wDcjSBvEh08o6BiNPmw==,type:str]
+    PBS_PASSWORD: ENC[AES256_GCM,data:79GsmmVidvgxnjvC/Sjf8vna,iv:Ft5gwmrK4tM09eFp2Bqw0fhYA9GWgDZwXxp0E8i8kL0=,tag:USxzan0pJOjMFOYLZT2rYA==,type:str]
+    PBS_FINGERPRINT: ENC[AES256_GCM,data:CqrmVjqIMyZqmH4YLHndFnuX01sT3e7j/uB6itW17QR7V70a7T6BPriXyWrrRGF2lDOXvq3Zgfat0/d4NuwiezGwPSkew5rxmIji9Zv6X6MW5f75g1/kJs2zDqg68Q4=,iv:+TAdM5E4MxLXyYQ9drNXvrhs4EWqZxRB6Jm5+hNaS8E=,tag:TTtIjn8jvJbbFBWCw9AeSA==,type:str]
+    BORG_REPO: ENC[AES256_GCM,data:in1oGO6G3uLKXjysoCKRliafsEYEDhayWoU9tAQh3Iiufe6dj9uWo0cgPtcyHKlEuhaaVBDUUFX90Dp2blzfo5EKC6RyRw==,iv:zRS2lz4DtX+y3b2zNtQJnCqFvv6vXYEVNU9b4/xprzE=,tag:yj0pzwOas9UeyRQVha08+w==,type:str]
+    BORG_PASSPHRASE: ENC[AES256_GCM,data:F3Vu10RXAgkVEbJf0dw=,iv:L4E5MCmmv1nqrnPP+O6t98zYvXcxB4w3MMJJXBKoJeo=,tag:89LbuIX6fxFaJ0LL6SNu+g==,type:str]
+    OFFSITE_TARGET_FOLDER: ENC[AES256_GCM,data:GWFXrD6G2TLQPE9bUpHdPNqBbW/hAJIDpf9II9AE4YDJfzX6WNKu5UycZ9ppesLy,iv:5W/vPfAEIYLpSgQRDppa0q73I72oZitk6xzY30OuPlY=,tag:Pi9IXgJsfcFuY8NMyfpWhw==,type:str]
+    BORG_KEY: ENC[AES256_GCM,data:uOeNg+gg5C3pQqx/1PygSGBc5RxZ4mun+hTFLv5MUBQnLPl/8amv21dJO3jmG2eXcietLxLVtAt/Pzt7pM5jaDMMiBCOj+pXz+4dim3KIUmQWBtPjuTZXBcTrT/CnNVvEQAjAvQ+H9o8laqjEeTMuHK2/eSF/TZhYG9VwpBNUg46WViyt8iebokvwJ3C09hmoAZPcNVNuIAH8MNBjcdC+VVatFL89cr3C6ZUliH/xMmH5eiw9nVgrkaQ0cDbjUcGOrnPfh1/ugbQGRQWxk9KxYhmbOOvGIoOAO2QIjmD/zQOH/QVA+4giGgnsxWrZsxmKAHmaXsTO205C5/UBaHsVgLy1RLxNDPgrVrAiA6/ru/0m0th7jgUE0YDlGs7a6GlBXIMgntaNTRH5q6dQKk+5r9/BAtE5pSJJsRJIID1NO8ocL1DgaFzJAA1Pq61t335fUtGekUrzY683bAFLVe3DZQJhn7P7JBAu6fAppAWjXDTT/b5gf8dvzbZCP0QNP7NcC+aO7K7U1PxLms7RkGAYTSb3nFMkqpDUU1tRpwphNggIanb2kMNfAZ6H9R5s2KZAZ2UWiM8JHJjrDiXFC7lmyDA4KcaW8CHNkYbYUJj9VOipT+X91WoHC81BlfvuVmOthkJVR+WeKIZas+La7a3ZRekuRtlhFdI4bBgm8y7Mn//KxIyOVPNF95LUnqBm2k47xC7DweCCuuo9qXcNFwJmuswWgIJRyEhLw==,iv:c+mPnAWIUs3tVX49IUX4iUz6wxtNRK4s/65RCsLiMS4=,tag:OuiOgB6kfjA7Vt8nBt7IQw==,type:str]
+    SSH_ID_RSA: ENC[AES256_GCM,data:Z79+TzR5yRmPxfPwb8TeuSbihtqV3nlGBTDkxGfFBATCO0bxVCXCdNWCvlf4kTHidaHW1p75spO1Rr3w9IN4F7N3Rv9Pnjy/gc25upcJ7pZhgXhCHgRh1MbkAiG7NiIiyJPeWNn40dm8Ss3QGBqIop6mCDiGNGHS/n7vHRdTG8VyeTJUd/uQdNGKNUv0dvzp/5ZpgujeY7xyx6HyZQEC1/9C+WFW2IqK1cClwGn0MK5pGPKdUTvFOmL0m6D50i9k7yungHr/pIWc7DORY/LvRjr14wRh8Y5zpOc9Wwb8CVXcuGguToRH1ypkccSqR+PhaAQ5SE5HPhO6Qlz1vkky/SVTTlr9u/511a0NHFvt89g96YiQW3Gv+nCUMR5Qzt7RORXPwGgGLbM2c9yfLOCQx5wTG7tx6REcgEIYhlsILa7CtOQo5CnyUCIFZtXqrzLTTy1oUnFauD7nZPtGXEjb48JqbNYAiAJO4E+c6Z1k0rc/XgyT1WPD7J1WDRaM19p+tvzeiiV81hx8I9iQDmxi,iv:wVVVpPTt6etX7Z8eWCECR/zgmKxixVV/Z02qqaEP8hU=,tag:KqWTmFM570ezTudFnOiBPw==,type:str]
+sops:
+    age:
+        - enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0c09FbHdaK2xLby85dXJW
+            aXcyL0VWU1VOMTdLdE5wVHJLdjd0SFFZWkRnCkorRXVWQUZmTlBDSEI2MFJUUFVx
+            TDZvSzczVEdNbFBPRWhUS09iVEZQTGMKLS0tIGFDQkJKaG1CaFd3djNPcnR3Z0py
+            Uy9WekF1ZjlRRFl2bXBSc05jMFNucjQKhh8dCmVq51obNvreAcZ9pQUW5fil8GkA
+            1sW4QT+zSqcuzs72dQlmMu8oKv22qd2/yxK7JlSL4KhurBMNaFlZbA==
+            -----END AGE ENCRYPTED FILE-----
+          recipient: age1d62ex36xre08g87tyl9l2zlewsvsrf0t6le2ulsce4fnj7q893dqlykky6
+    encrypted_regex: ^(data|stringData)$
+    lastmodified: "2026-06-02T22:33:01Z"
+    mac: ENC[AES256_GCM,data:qGRz6P6DubsBU4kthRPK15CvLg8sHEEYZ/euCyzaYklS9fXgkErduxj+wMZ1PHlvnWJLfBZjKZ6Z4Hdj5MZY9quG1ArIodvH8vvphK0SjPW0K4mDuPRNDWNpbEaG2Q75jnalCcqQ3ZOOC+99KWVpHvCMmKsCtQmEc+w2EAPQ3xM=,iv:hDwrzXSQt01ZO7+Ik/gnjZzXisGbiVsPxltnyKVQooE=,tag:2sQl1gPahssG4MHtHUMooA==,type:str]
+    version: 3.13.1
@@ -0,0 +1,16 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: vaultwarden-app
+  namespace: vault-limbosolutions-com
+spec:
+  interval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: git-limbosolutions-com
+  path: deploy/backups
+  prune: true
+  decryption:
+    provider: sops
+    secretRef:
+      name: flux-sops-age  
@@ -1,7 +1,7 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
-  name: gitea-sync
+  name: gitea
  namespace: git-limbosolutions-com
 spec:
  interval: 1m
@@ -10,3 +10,7 @@ spec:
    name: git-limbosolutions-com
  path: deploy/app
  prune: true
+  decryption:
+    provider: sops
+    secretRef:
+      name: flux-sops-age