From 673756b1ed79f52e0449b82cf638136ffe711350 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?M=C3=A1rcio=20Fernandes?=
Date: Tue, 2 Jun 2026 22:40:42 +0000
Subject: [PATCH] flux: add backup sync

---
 .sops.yaml | 7 ++++++-
 README.md | 1 +
 deploy/app/kustomization.yaml | 4 ++--
 deploy/backups/.gitignore | 1 +
 deploy/backups/kustomization.yaml | 14 ++------------
 deploy/backups/secrets.yaml | 30 ++++++++++++++++++++++++++++++
 deploy/flux/backups-sync.yaml | 16 ++++++++++++++++
 deploy/flux/gitea-sync.yaml | 6 +++++-
 8 files changed, 63 insertions(+), 16 deletions(-)
 create mode 100644 deploy/backups/.gitignore
 create mode 100644 deploy/backups/secrets.yaml
 create mode 100644 deploy/flux/backups-sync.yaml

diff --git a/.sops.yaml b/.sops.yaml
index f07f7a5..86d5522 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,6 +1,11 @@
 creation_rules:
- # encrypt all values
+ # encrypt all values from file
 - path_regex: \.private\.dec\.yaml$
 encrypted_regex: '^(.*)$'
 age:
+ - age1gk946fp37xtm3fv500407zdd5h89a5lvxysrufhau3f73xcq8ewqcu8l5g
+ # encrypt secrets files
+ - path_regex: .*.yaml
+ encrypted_regex: ^(data|stringData)$
+ age:
 - age1gk946fp37xtm3fv500407zdd5h89a5lvxysrufhau3f73xcq8ewqcu8l5g
\ No newline at end of file
diff --git a/README.md b/README.md
index 1c5d849..d91d3e9 100644
--- a/README.md
+++ b/README.md
@@ -43,6 +43,7 @@ kubectl create secret generic flux-sops-age \
 ``` bash
 sops -e deploy/app/helm-values.private.dec.yaml > deploy/app/helm-values.private.yaml
+sops -e deploy/backups/secrets.dec.yaml > deploy/backups/secrets.yaml
 ```
 ### Continuous Deploy
diff --git a/deploy/app/kustomization.yaml b/deploy/app/kustomization.yaml
index f7518c5..d90108f 100644
--- a/deploy/app/kustomization.yaml
+++ b/deploy/app/kustomization.yaml
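Review bot: The new creation rule's `path_regex: .*.yaml` is an unescaped, unanchored pattern: the `.` before `yaml` matches any character and there is no `$`, so the rule matches any path that merely contains `yaml` rather than files ending in `.yaml`. Escaping and anchoring it, `- path_regex: \.yaml$`, keeps the intent (the README's `secrets.dec.yaml` still matches), and if only decrypted working copies are meant to fall under this rule, `\.dec\.yaml$` mirrors the `\.private\.dec\.yaml$` convention of the rule above. Quoting the value as `encrypted_regex: '^(data|stringData)$'` would match the style of the first rule. Since sops applies the first matching rule, the `.private.dec.yaml` rule must stay above this one, which the hunk already does.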
@@ -5,9 +5,9 @@ resources:
 - gitea-helm-repo.yaml
 secretGenerator:
- - name: gitea-helm-values
+ - name: gitea-helm-install-values
 files:
 - values.yaml=helm-values.yaml
 - values.private.yaml=helm-values.private.yaml
 generatorOptions:
- disableNameSuffixHash: true
\ No newline at end of file
+ disableNameSuffixHash: true
diff --git a/deploy/backups/.gitignore b/deploy/backups/.gitignore
new file mode 100644
index 0000000..6e1fd1b
--- /dev/null
+++ b/deploy/backups/.gitignore
@@ -0,0 +1 @@
+**.dec.*
\ No newline at end of file
diff --git a/deploy/backups/kustomization.yaml b/deploy/backups/kustomization.yaml
index 9746b4a..25b6cdd 100644
--- a/deploy/backups/kustomization.yaml
+++ b/deploy/backups/kustomization.yaml
@@ -1,17 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+ - secrets.yaml
 - cronjobs/backup-borg-offsite.yaml
 - cronjobs/backup-pbs.yaml
-
-secretGenerator:
-- name: gitea-backup
- namespace: git-limbosolutions-com
- envs:
- - .env.d/secrets
- files:
- - BORG_KEY=.env.d/borg_key
- - SSH_ID_RSA=.env.d/id_rsa
-
-generatorOptions:
- disableNameSuffixHash: true
\ No newline at end of file
+namespace: git-limbosolutions-com
diff --git a/deploy/backups/secrets.yaml b/deploy/backups/secrets.yaml
new file mode 100644
index 0000000..48a629c
--- /dev/null
+++ b/deploy/backups/secrets.yaml
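Review bot: `**.dec.*` is equivalent to `*.dec.*` in gitignore syntax, because a `**` that is not bounded by slashes is treated as an ordinary `*`; writing `*.dec.*` says what is meant. The rule only covers `deploy/backups`, so the plaintext `deploy/app/helm-values.private.dec.yaml` that the README also produces is protected only if the root `.gitignore`, which is outside this diff, already ignores it; a single root-level `*.dec.*` rule would cover both locations. This is worth confirming before the decrypted files are first created, since a plaintext secret that lands in history is hard to remove afterwards.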
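Review bot: The Secret this kustomization now pulls in is named `backup-secrets` (in `deploy/backups/secrets.yaml`), while the generator it removes produced `gitea-backup`; `cronjobs/backup-borg-offsite.yaml` and `cronjobs/backup-pbs.yaml` are not in this diff, so if they still reference `gitea-backup` through `envFrom` or `secretKeyRef` they will stop starting once the old Secret is pruned. Either keep `name: gitea-backup` in `secrets.yaml` or update the CronJob references in the same commit. The Secret manifest also declares `namespace: vault-limbosolutions-com`, which the `namespace: git-limbosolutions-com` added here overrides at build time; stating the intended namespace in the manifest itself avoids depending on that override.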
@@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Secret +metadata: + name: backup-secrets + namespace: vault-limbosolutions-com +type: Opaque +stringData: + PBS_REPOSITORY: ENC[AES256_GCM,data:iQEcqc53uvtfyQtgEHFsXZ5PTTIoUT90+61/7HbF5AAz8V1u17rP0vPAld+XyQ==,iv:7WsMOWfahr0XX7rEnoxf0kQ+s0mjQCdg0lb/U7LL/Bc=,tag:hj0wDcjSBvEh08o6BiNPmw==,type:str] + PBS_PASSWORD: ENC[AES256_GCM,data:79GsmmVidvgxnjvC/Sjf8vna,iv:Ft5gwmrK4tM09eFp2Bqw0fhYA9GWgDZwXxp0E8i8kL0=,tag:USxzan0pJOjMFOYLZT2rYA==,type:str] + PBS_FINGERPRINT: ENC[AES256_GCM,data:CqrmVjqIMyZqmH4YLHndFnuX01sT3e7j/uB6itW17QR7V70a7T6BPriXyWrrRGF2lDOXvq3Zgfat0/d4NuwiezGwPSkew5rxmIji9Zv6X6MW5f75g1/kJs2zDqg68Q4=,iv:+TAdM5E4MxLXyYQ9drNXvrhs4EWqZxRB6Jm5+hNaS8E=,tag:TTtIjn8jvJbbFBWCw9AeSA==,type:str] + BORG_REPO: ENC[AES256_GCM,data:in1oGO6G3uLKXjysoCKRliafsEYEDhayWoU9tAQh3Iiufe6dj9uWo0cgPtcyHKlEuhaaVBDUUFX90Dp2blzfo5EKC6RyRw==,iv:zRS2lz4DtX+y3b2zNtQJnCqFvv6vXYEVNU9b4/xprzE=,tag:yj0pzwOas9UeyRQVha08+w==,type:str] + BORG_PASSPHRASE: ENC[AES256_GCM,data:F3Vu10RXAgkVEbJf0dw=,iv:L4E5MCmmv1nqrnPP+O6t98zYvXcxB4w3MMJJXBKoJeo=,tag:89LbuIX6fxFaJ0LL6SNu+g==,type:str] + OFFSITE_TARGET_FOLDER: ENC[AES256_GCM,data:GWFXrD6G2TLQPE9bUpHdPNqBbW/hAJIDpf9II9AE4YDJfzX6WNKu5UycZ9ppesLy,iv:5W/vPfAEIYLpSgQRDppa0q73I72oZitk6xzY30OuPlY=,tag:Pi9IXgJsfcFuY8NMyfpWhw==,type:str] + BORG_KEY: ENC[AES256_GCM,data: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,iv:c+mPnAWIUs3tVX49IUX4iUz6wxtNRK4s/65RCsLiMS4=,tag:OuiOgB6kfjA7Vt8nBt7IQw==,type:str] + SSH_ID_RSA: 
ENC[AES256_GCM,data:Z79+TzR5yRmPxfPwb8TeuSbihtqV3nlGBTDkxGfFBATCO0bxVCXCdNWCvlf4kTHidaHW1p75spO1Rr3w9IN4F7N3Rv9Pnjy/gc25upcJ7pZhgXhCHgRh1MbkAiG7NiIiyJPeWNn40dm8Ss3QGBqIop6mCDiGNGHS/n7vHRdTG8VyeTJUd/uQdNGKNUv0dvzp/5ZpgujeY7xyx6HyZQEC1/9C+WFW2IqK1cClwGn0MK5pGPKdUTvFOmL0m6D50i9k7yungHr/pIWc7DORY/LvRjr14wRh8Y5zpOc9Wwb8CVXcuGguToRH1ypkccSqR+PhaAQ5SE5HPhO6Qlz1vkky/SVTTlr9u/511a0NHFvt89g96YiQW3Gv+nCUMR5Qzt7RORXPwGgGLbM2c9yfLOCQx5wTG7tx6REcgEIYhlsILa7CtOQo5CnyUCIFZtXqrzLTTy1oUnFauD7nZPtGXEjb48JqbNYAiAJO4E+c6Z1k0rc/XgyT1WPD7J1WDRaM19p+tvzeiiV81hx8I9iQDmxi,iv:wVVVpPTt6etX7Z8eWCECR/zgmKxixVV/Z02qqaEP8hU=,tag:KqWTmFM570ezTudFnOiBPw==,type:str] +sops: + age: + - enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0c09FbHdaK2xLby85dXJW + aXcyL0VWU1VOMTdLdE5wVHJLdjd0SFFZWkRnCkorRXVWQUZmTlBDSEI2MFJUUFVx + TDZvSzczVEdNbFBPRWhUS09iVEZQTGMKLS0tIGFDQkJKaG1CaFd3djNPcnR3Z0py + Uy9WekF1ZjlRRFl2bXBSc05jMFNucjQKhh8dCmVq51obNvreAcZ9pQUW5fil8GkA + 1sW4QT+zSqcuzs72dQlmMu8oKv22qd2/yxK7JlSL4KhurBMNaFlZbA== + -----END AGE ENCRYPTED FILE----- + recipient: age1d62ex36xre08g87tyl9l2zlewsvsrf0t6le2ulsce4fnj7q893dqlykky6 + encrypted_regex: ^(data|stringData)$ + lastmodified: "2026-06-02T22:33:01Z" + mac: ENC[AES256_GCM,data:qGRz6P6DubsBU4kthRPK15CvLg8sHEEYZ/euCyzaYklS9fXgkErduxj+wMZ1PHlvnWJLfBZjKZ6Z4Hdj5MZY9quG1ArIodvH8vvphK0SjPW0K4mDuPRNDWNpbEaG2Q75jnalCcqQ3ZOOC+99KWVpHvCMmKsCtQmEc+w2EAPQ3xM=,iv:hDwrzXSQt01ZO7+Ik/gnjZzXisGbiVsPxltnyKVQooE=,tag:2sQl1gPahssG4MHtHUMooA==,type:str] + version: 3.13.1 diff --git a/deploy/flux/backups-sync.yaml b/deploy/flux/backups-sync.yaml new file mode 100644 index 0000000..37d1c88 --- /dev/null +++ b/deploy/flux/backups-sync.yaml 
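Review bot: The sops metadata of this file lists a single recipient, `age1d62ex36xre08g87tyl9l2zlewsvsrf0t6le2ulsce4fnj7q893dqlykky6`, while `.sops.yaml` in the same commit only knows `age1gk946fp37xtm3fv500407zdd5h89a5lvxysrufhau3f73xcq8ewqcu8l5g`; the two keys differ. Flux can only decrypt this Secret if the private key stored in `flux-sops-age` belongs to the `age1d62…` recipient, and if that Secret instead holds the key matching `.sops.yaml`, the backups Kustomization will fail at decryption (the reverse presumably applies to `helm-values.private.yaml`, whose recipients are outside this diff). Adding the intended recipient to `.sops.yaml` and re-encrypting, e.g. `sops updatekeys deploy/backups/secrets.yaml`, or listing both recipients in both places, keeps the two consistent. `metadata.namespace: vault-limbosolutions-com` also differs from the `git-limbosolutions-com` namespace every other backup resource in this commit uses, which reads like a copy-paste from another project.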
@@ -0,0 +1,16 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: vaultwarden-app
+ namespace: vault-limbosolutions-com
+spec:
+ interval: 1m
+ sourceRef:
+ kind: GitRepository
+ name: git-limbosolutions-com
+ path: deploy/backups
+ prune: true
+ decryption:
+ provider: sops
+ secretRef:
+ name: flux-sops-age
\ No newline at end of file
diff --git a/deploy/flux/gitea-sync.yaml b/deploy/flux/gitea-sync.yaml
index 6a03e9a..698518f 100644
--- a/deploy/flux/gitea-sync.yaml
+++ b/deploy/flux/gitea-sync.yaml
@@ -1,7 +1,7 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
- name: gitea-sync
+ name: gitea
 namespace: git-limbosolutions-com
 spec:
 interval: 1m
@@ -10,3 +10,7 @@ spec:
 name: git-limbosolutions-com
 path: deploy/app
 prune: true
+ decryption:
+ provider: sops
+ secretRef:
+ name: flux-sops-age
\ No newline at end of file
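Review bot: This Flux Kustomization is named `vaultwarden-app` and placed in `namespace: vault-limbosolutions-com`, yet it syncs `deploy/backups`, whose resources are forced into `git-limbosolutions-com`, and it references the GitRepository `git-limbosolutions-com` without a `sourceRef.namespace`; Flux resolves a bare `sourceRef` in the Kustomization's own namespace, and `gitea-sync.yaml` below suggests that GitRepository lives in `git-limbosolutions-com`, so this object would likely report its source as not found. The same applies to `decryption.secretRef`: `flux-sops-age` must exist in the Kustomization's namespace, so as written a second copy of the age key would be needed in `vault-limbosolutions-com`. Changing the metadata to `name: backups` and `namespace: git-limbosolutions-com` aligns it with the gitea Kustomization and removes both cross-namespace lookups. The file also lacks a trailing newline.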
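Review bot: Renaming the Flux Kustomization from `gitea-sync` to `gitea` is not an in-place edit for Flux: if this file is itself applied by a parent Kustomization with pruning enabled, the old object is deleted and its finalizer, because it has `prune: true`, garbage-collects everything it applied, including the Gitea HelmRelease, before the new `gitea` object re-applies them. That means an outage for the service and, depending on how the chart manages its storage, a risk to data, so either keep the old name or plan the rename as a maintenance step. How this file is applied is outside the diff, so confirm it before merging.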