modified: deploy/act-runners/mf/app/kustomization.yaml

modified:   deploy/act-runners/myLimbo/app/kustomization.yaml

.gitea/workflows/app-continous-deploy.yaml

@@ -1,88 +0,0 @@
-on:
-  schedule:
-    - cron: '0 9 * * 0' # every sunday 9 am
-  push:
-    branches:
-      - main
-  pull_request:
-      branches:
-      - main
-jobs:
-  continuous-deploy:
-    runs-on: ["deploy", "kubectl"]
-    env:
-      GITHUB_TEMP: ${{ runner.temp }} # fix missing GITHUB_TEMP on gitea
-    steps:
-
-      - name: Checkout code
-        uses: actions/checkout@v3
-
-      - name: limbo public actions
-        env: 
-          WORKSPACE: "${{ gitea.workspace }}"
-        run: |
-          curl -fsSL https://git.limbosolutions.com/kb/gitea/raw/branch/main/cloud-scripts/setup-limbo-actions.sh | bash 2>&1
-
-
-      # limbo custom actions required https://git.limbosolutions.com/kb/gitea/raw/branch/main
-      - name: Configure kubectl config
-        uses: ./.gitea/limbo_actions/kubectl-setup
-        with:
-          kube_server: ${{ secrets.HOSTING_KUBE_SERVER }}
-          kube_ca_base64: ${{ secrets.HOSTING_KUBE_CA_BASE64 }}
-          kube_token: ${{ secrets.HOSTING_KUBE_TOKEN }}
-
-      - name: Deploy
-        shell: bash
-        env:
-          # cron jobs env
-          CRONJOBS_BACKUPS_SECRETS_PBS_REPOSITORY: ${{ secrets.CRONJOBS_BACKUPS_SECRETS_PBS_REPOSITORY }}
-          CRONJOBS_BACKUPS_SECRETS_PBS_PASSWORD: ${{ secrets.CRONJOBS_BACKUPS_SECRETS_PBS_PASSWORD }}
-          CRONJOBS_BACKUPS_SECRETS_PBS_FINGERPRINT: ${{ secrets.CRONJOBS_BACKUPS_SECRETS_PBS_FINGERPRINT }}
-          CRONJOBS_BACKUPS_SECRETS_BORG_REPO: ${{ secrets.CRONJOBS_BACKUPS_SECRETS_BORG_REPO }}
-          CRONJOBS_BACKUPS_SECRETS_BORG_PASSPHRASE: ${{ secrets.CRONJOBS_BACKUPS_SECRETS_BORG_PASSPHRASE }}
-          CRONJOBS_BACKUPS_SECRETS_OFFSITE_TARGET_FOLDER: ${{ secrets.CRONJOBS_BACKUPS_SECRETS_OFFSITE_TARGET_FOLDER }}
-          CRONJOBS_BACKUPS_SECRETS_ID_RSA: ${{ secrets.CRONJOBS_BACKUPS_SECRETS_ID_RSA }}
-          CRONJOBS_BACKUPS_SECRETS_BORG_KEY: ${{ secrets.CRONJOBS_BACKUPS_SECRETS_BORG_KEY }}
-
-          # helm chart values
-          APP_HELM_VALUE_VALKEY_GLOBAL_PASSWORD: ${{ secrets.APP_HELM_VALUE_VALKEY_GLOBAL_PASSWORD }}
-          APP_HELM_VALUE_POSTGRESQL_AUTH_POSTGRESPASSWORD: ${{ secrets.APP_HELM_VALUE_POSTGRESQL_AUTH_POSTGRESPASSWORD }}
-          APP_HELM_VALUE_POSTGRESQL_AUTH_PASSWORD: ${{ secrets.APP_HELM_VALUE_POSTGRESQL_AUTH_PASSWORD }}
-          APP_HELM_VALUE_POSTGRESQL_AUTH_DATABASE: ${{ secrets.APP_HELM_VALUE_POSTGRESQL_AUTH_DATABASE }}
-          APP_HELM_VALUE_POSTGRESQL_AUTH_USERNAME: ${{ secrets.APP_HELM_VALUE_POSTGRESQL_AUTH_USERNAME }}
-          APP_HELM_VALUE_GITEA_ADMIN_USERNAME: ${{ secrets.APP_HELM_VALUE_GITEA_ADMIN_USERNAME }}
-          APP_HELM_VALUE_GITEA_ADMIN_PASSWORD: ${{ secrets.APP_HELM_VALUE_GITEA_ADMIN_PASSWORD }}
-          APP_HELM_VALUE_GITEA_ADMIN_EMAIL: ${{ secrets.APP_HELM_VALUE_GITEA_ADMIN_EMAIL }}
-          APP_HELM_VALUE_GITEA_CONFIG_OAUTH2_JWT_SECRET: ${{ secrets.APP_HELM_VALUE_GITEA_CONFIG_OAUTH2_JWT_SECRET }}
-          APP_HELM_VALUE_GITEA_CONFIG_SERVER_LFS_JWT_SECRET: ${{ secrets.APP_HELM_VALUE_GITEA_CONFIG_SERVER_LFS_JWT_SECRET }}
-          APP_HELM_VALUE_GITEA_CONFIG_SECURITY_SECRET_KEY: ${{ secrets.APP_HELM_VALUE_GITEA_CONFIG_SECURITY_SECRET_KEY }}
-          APP_HELM_VALUE_GITEA_CONFIG_SECURITY_REVERSE_PROXY_TRUSTED_PROXIES: ${{ secrets.APP_HELM_VALUE_GITEA_CONFIG_SECURITY_REVERSE_PROXY_TRUSTED_PROXIES }}
-          APP_HELM_VALUE_GITEA_CONFIG_SECURITY_INTERNAL_TOKEN: ${{ secrets.APP_HELM_VALUE_GITEA_CONFIG_SECURITY_INTERNAL_TOKEN }}
-          APP_HELM_VALUE_GITEA_CONFIG_SECURITY_PASSWORD_HASH_ALGO: ${{ secrets.APP_HELM_VALUE_GITEA_CONFIG_SECURITY_PASSWORD_HASH_ALGO }}
-          APP_HELM_VALUE_GITEA_CONFIG_SERVICE_OAUTH2_JWT_SECRET: ${{ secrets.APP_HELM_VALUE_GITEA_CONFIG_SERVICE_OAUTH2_JWT_SECRET }}
-
-        run: |
-          set -euo pipefail
-
-          # ensure cleanup always runs
-          trap 'rm -f \
-                    deploy/backups/.env.d/*' EXIT
-
-          # setup secrets files
-          echo "PBS_REPOSITORY=${CRONJOBS_BACKUPS_SECRETS_PBS_REPOSITORY}" >> deploy/backups/.env.d/secrets
-          echo "PBS_PASSWORD=${CRONJOBS_BACKUPS_SECRETS_PBS_PASSWORD}" >> deploy/backups/.env.d/secrets
-          echo "PBS_FINGERPRINT=${CRONJOBS_BACKUPS_SECRETS_PBS_FINGERPRINT}" >> deploy/backups/.env.d/secrets
-          echo "BORG_REPO=${CRONJOBS_BACKUPS_SECRETS_BORG_REPO}" >> deploy/backups/.env.d/secrets
-          echo "BORG_PASSPHRASE=${CRONJOBS_BACKUPS_SECRETS_BORG_PASSPHRASE}" >> deploy/backups/.env.d/secrets
-          echo "OFFSITE_TARGET_FOLDER=${CRONJOBS_BACKUPS_SECRETS_OFFSITE_TARGET_FOLDER}" >> deploy/backups/.env.d/secrets
-          echo "${CRONJOBS_BACKUPS_SECRETS_ID_RSA}" >> deploy/backups/.env.d/id_rsa
-          echo "${CRONJOBS_BACKUPS_SECRETS_BORG_KEY}" >> deploy/backups/.env.d/borg_key
-          
-          # enforce secrets files security
-          chmod 600 deploy/backups/.env.d/secrets
-          chmod 600 deploy/backups/.env.d/id_rsa
-          chmod 600 deploy/backups/.env.d/borg_key
-
-          # invoke deploy script
-          ops-scripts/apply-app.sh

.gitignore

@@ -1,5 +1,5 @@
 tmp
 **.env
-**.private.**
+**.dec.**
 **.local.**
 .kube/**

.sops.yaml

@@ -0,0 +1,11 @@
+creation_rules:
+  # encrypt all values from file
+  - path_regex: \.private\.dec\.yaml$
+    encrypted_regex: '^(.*)$'
+    age:
+      - age1gk946fp37xtm3fv500407zdd5h89a5lvxysrufhau3f73xcq8ewqcu8l5g
+  # encrypt secrets files
+  - path_regex: .*.yaml
+    encrypted_regex: ^(data|stringData)$
+    age: 
+      - age1gk946fp37xtm3fv500407zdd5h89a5lvxysrufhau3f73xcq8ewqcu8l5g

README.md

@@ -6,9 +6,6 @@ Using [gitea](https://git.limbosolutions.com/kb/gitea) as git server.
 
 - [SSO](#sso)
 - [Deploy](#deploy)
-  - [Continuous Deploy](#continuous-deploy)
-  - [App](#app)
-  - [Infra](#infra)
 - [Backups](#backups)
 
 ## SSO
@@ -22,35 +19,57 @@ References:
 - <https://gitea.com/gitea/helm-gitea>
 - <https://dl.gitea.com/charts/>
 
-### Continuous Deploy
+Migration to flux.
 
-Executes [App Deploy](#app) using [Gitea workflow](./.gitea/workflows/app-continous-deploy.yaml).
+For fluxcd setup execute.
-
-### App
-
-**Environment files:**
-
-- ./deploy/backups/cronjobs/.env.d/secrets [Example](./deploy/backups/.env.d/secrets.example)
-- ./deploy/backups/cronjobs/.env.d/borg_key [Example](./deploy/backups/.env.d/borg_key.example)
-- ./deploy/backups/cronjobs/.env.d/id_rsa [Example](./deploy/backups/.env.d/id_rsa.example)
-- ./deploy/app/.env [Example](./deploy/app/.env.example)
-
-Deploy App
 
 ```bash
-./ops-scripts/apply-app.sh
+ops-scripts/apply-flux.sh
 ```
 
-- [backups-kustomization](/deploy/app/kustomization.yaml)
+**sops / age:**
 
-### Infra
+``` bash
+age-keygen -o deploy/flux/.env.d/age.agekey
+cat deploy/flux/.env.d/age.agekey | \
+kubectl create secret generic flux-sops-age \
+--namespace=git-limbosolutions-com \
+--from-file=age.agekey=/dev/stdin
+
+cat deploy/flux/.env.d/age.agekey | \
+kubectl create secret generic flux-sops-age \
+--namespace=kb-cicd \
+--from-file=age.agekey=/dev/stdin
+
+cat deploy/flux/.env.d/age.agekey | \
+kubectl create secret generic flux-sops-age \
+--namespace=limbosolutions-com-cicd \
+--from-file=age.agekey=/dev/stdin
+
+cat deploy/flux/.env.d/age.agekey | \
+kubectl create secret generic flux-sops-age \
+--namespace=mf-cicd \
+--from-file=age.agekey=/dev/stdin
+
+
+cat deploy/flux/.env.d/age.agekey | \
+kubectl create secret generic flux-sops-age \
+--namespace=mylimbo-com-cicd \
+--from-file=age.agekey=/dev/stdin
 
-```bash
-./ops-scripts/apply-infra.sh
 ```
 
-- [kustomization](/deploy/infra/kustomization.yaml)
+**Encrypt secrets:**
-  
+
+``` bash
+sops -e deploy/app/helm-values.private.dec.yaml > deploy/app/helm-values.private.yaml
+sops -e deploy/backups/secrets.dec.yaml > deploy/backups/secrets.yaml
+sops -e deploy/act-runners/kb/app/secrets.dec.yaml > deploy/act-runners/kb/app/secrets.yaml
+sops -e deploy/act-runners/limbosolutions-com/app/secrets.dec.yaml > deploy/act-runners/limbosolutions-com/app/secrets.yaml
+sops -e deploy/act-runners/mf/app/secrets.dec.yaml > deploy/act-runners/mf/app/secrets.yaml
+sops -e deploy/act-runners/myLimbo/app/secrets.dec.yaml > deploy/act-runners/myLimbo/app/secrets.yaml
+```
+
 ## Backups
 
 for more information [check readme](./docs/backups.md).

deploy/act-runners/kb/README.md

@@ -1,13 +0,0 @@
-# kb - act-runner
-
-**Deploy app:**
-
-```bash
-./ops-scripts/apply-app.sh
-```
-
-**Deploy Infra:**
-
-```bash
-./ops-scripts/apply-infra.sh
-```

deploy/act-runners/kb/app/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kb-cicd 
+resources:
+  - configmap.yaml
+  - deployment.yaml
+  - secrets.yaml

deploy/act-runners/kb/app/secrets.yaml

@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: act-runner
+type: Opaque
+data:
+    GITEA_INSTANCE_URL: ENC[AES256_GCM,data:hu+3h7SrBqcg6/vJGlhfPKr0Ba/3sPLMAcB41UNTNNnq4h4Zlmy1pw==,iv:lVuWe2qSB6IovHQS0x+0Em28WhWCqvYrXRLgoZ8mc7s=,tag:YDycHwytzyQAdNL7ohQN7g==,type:str]
+    GITEA_RUNNER_NAME: ENC[AES256_GCM,data:YFBl0zauAt4c0pbGCmE6nw==,iv:AdNNfliMcV2cigwllAZDLf1FOELDLiZ1QQ6Sfxieos4=,tag:h943Vkz/pE3psHuAjmqowg==,type:str]
+    GITEA_RUNNER_REGISTRATION_TOKEN: ENC[AES256_GCM,data:aYl9ACO+XTJyak6Zbij+iynn6Vjyk+c1jTca8nRqU1GcsBgTA1BtkOJB4xlEZSFZJD+xxh3bS6g=,iv:FV7a7KolBwfwyNpDC+FFU0COfVHvze2U/eVhXffjh9E=,tag:af5xpYsycoNFo4OhZrw8Jg==,type:str]
+sops:
+    age:
+        - enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUT1Q0emFPZnE5YlRhdTRD
+            VU8rTVJOaXd5emZURk5wajFiWksrNXNLRzJVCkdEQjE1WXFkY21VWTMzL0w1TzFX
+            N09tRWtjQitnblU1ZFE1TE5iQzFocFkKLS0tIGU1Ukh3Wk5aVk5ZbWh4RVdIc2p1
+            clJSQ09mUU5LdnR4VTFBUDY2OGpUblkKfwkVzWWmQ3GUbMLzeIs7ai/qJn0gHPpa
+            CEXd9dMotRJ12cWawN4MdagRE1UL50GPy24rsGMXfqrNGsWnJP7y0Q==
+            -----END AGE ENCRYPTED FILE-----
+          recipient: age1gk946fp37xtm3fv500407zdd5h89a5lvxysrufhau3f73xcq8ewqcu8l5g
+    encrypted_regex: ^(data|stringData)$
+    lastmodified: "2026-06-04T22:22:42Z"
+    mac: ENC[AES256_GCM,data:BTJ6wKJotmvNMwP1SAqwwx3BPUkVoOmXCdvI0HTwQUWsS5y0X5fQLwW6wz46g7GgVMwuoH2SEEkIl27UViYNUM7ObYFgN3y1isBjE1Xhcp1rC7BqRqYPtQ5HHMTF1dAo1+eHBYUE9vvaud87FOvePAYiaez3dK/helvqlb7A41I=,iv:j2HOYSIlXdn3TQc936PYcmIA/6SIyVtNZVchtjCxrQU=,tag:eD9d5OIpI9V3mpo7DtsOzg==,type:str]
+    version: 3.13.1

deploy/act-runners/kb/deploy/app/.env.d/.gitignore

@@ -1,2 +0,0 @@
-**
-!.gitignore

deploy/act-runners/kb/deploy/app/kustomization.yaml

@@ -1,14 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - configmap.yaml
-  - deployment.yaml
-
-generatorOptions:
-  disableNameSuffixHash: true
-
-secretGenerator:
-  - name: act-runner
-    envs: 
-      - .env.d/.env
-

deploy/act-runners/kb/ops-scripts/apply-app.sh

@@ -1,4 +0,0 @@
-#!/bin/bash
-set -e
-NAMESPACE=kb-cicd
-kubectl kustomize deploy/app | kubectl --namespace ${NAMESPACE} apply -f -

deploy/act-runners/kb/ops-scripts/apply-infra.sh

@@ -1,4 +0,0 @@
-#!/bin/bash
-set -e
-NAMESPACE=kb-cicd
-kubectl create namespace ${NAMESPACE} || true

deploy/act-runners/limbosolutions-com/README.md

@@ -1,13 +0,0 @@
-# limbosolutions.com - act-runner
-
-**Deploy app:**
-
-```bash
-./ops-scripts/apply-app.sh
-```
-
-**Deploy Infra:**
-
-```bash
-./ops-scripts/apply-infra.sh
-```

deploy/act-runners/limbosolutions-com/app/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: limbosolutions-com
+resources:
+  - configmap.yaml
+  - deployment.yaml
+  - secrets.yaml
+

deploy/act-runners/limbosolutions-com/app/secrets.yaml

@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: act-runner
+type: Opaque
+data:
+    GITEA_INSTANCE_URL: ENC[AES256_GCM,data:OPQWugTT+aXgNo2yy6LZ/QTs4U1CKkK/o4tR+gMNpQTLaLIPLquCDw==,iv:ZfBVdS2GKTy7DwjV7t8Fho2p1pDinfsEdwKtJ1z2o9k=,tag:x131kXwsOeE0ywOUsDE9fQ==,type:str]
+    GITEA_RUNNER_NAME: ENC[AES256_GCM,data:f+3pB+TpYt8iyhhb49xva50VywtWlO0ST/v4OxPMEnxdugyz4BOVcg==,iv:ifniki5AG6VkKR3MFYOCF8G8yYrNrlq2oTgDzIDMD4E=,tag:cVOM6myolTbwczVBgrx1Qw==,type:str]
+    GITEA_RUNNER_REGISTRATION_TOKEN: ENC[AES256_GCM,data:2yM7JegoIMFohpJlAj7KYMiwkYpVq4HgWcIjVbfpS07TwJa0cnuZ8kYb950An6vSKb8h27DuKjA=,iv:7mLiZYQ/HX/p8NU4mWB2P3nEUpxcsLOvP/3AcyFrhtU=,tag:UU+GSiTwtODbJNVUEmcR+A==,type:str]
+sops:
+    age:
+        - enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4anZFOG5VK2FnUGxEVkh0
+            eGJ5QWNyanVGbEJicDJXY0tsTU1PdXdoTGxFCktnOW9jVHFQVjVRc0lLT0JTbUFN
+            R3hiR0ZtUnAxc0NYeGUvNWF3SUt0cTgKLS0tIG11Qk93aDhOdGxBME1URERGazdz
+            aFRzZGVKVjdjcUE5U0FoV1c3ZVE2QTAKC9RWFz1b31kBGLe9GJHHT+96xE3QPLRH
+            PKHnlIaEfygSN1yss2LIgA6Ns05ge/hp4v/z3f1og+euKJdj10rd3w==
+            -----END AGE ENCRYPTED FILE-----
+          recipient: age1gk946fp37xtm3fv500407zdd5h89a5lvxysrufhau3f73xcq8ewqcu8l5g
+    encrypted_regex: ^(data|stringData)$
+    lastmodified: "2026-06-04T22:22:42Z"
+    mac: ENC[AES256_GCM,data:+bkTNhQqZvPOxiwgrDISexjvVbssqyxH6MV2grywZlZPxNXnCLnLSlFUx7J0L9DNefMQsOp6HvH0cz3cA6+I41g2SgjXWSxxQoIAvDbHH4e12bDAOchx4ZBIljTlmzIyWEgkH6DPPvha4PH8qMXjQPCJWE8rpUohj40QqjFgUCQ=,iv:st9SsBDbmZ2FVzPPDoLouJe1zn4zOW1d0tzS0fhc+3k=,tag:n3KH71UxmmjvwjWXU9aCKA==,type:str]
+    version: 3.13.1

deploy/act-runners/limbosolutions-com/deploy/app/.env.d/.gitignore

@@ -1,2 +0,0 @@
-**
-!.gitignore

deploy/act-runners/limbosolutions-com/deploy/app/kustomization.yaml

@@ -1,14 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - configmap.yaml
-  - deployment.yaml
-
-generatorOptions:
-  disableNameSuffixHash: true
-
-secretGenerator:
-  - name: act-runner
-    envs: 
-      - .env.d/.env
-

deploy/act-runners/limbosolutions-com/ops-scripts/apply-app.sh

@@ -1,4 +0,0 @@
-#!/bin/bash
-set -e
-NAMESPACE=limbosolutions-com-cicd
-kubectl kustomize deploy/app | kubectl --namespace ${NAMESPACE} apply -f - 

deploy/act-runners/limbosolutions-com/ops-scripts/apply-infra.sh

@@ -1,4 +0,0 @@
-#!/bin/bash
-set -e
-NAMESPACE=limbosolutions-com-cicd
-kubectl create namespace ${NAMESPACE} || true

deploy/act-runners/mf/README.md

@@ -1,13 +0,0 @@
-# mylimbo - act-runner
-
-**Deploy app:**
-
-```bash
-./ops-scripts/apply-app.sh
-```
-
-**Deploy Infra:**
-
-```bash
-./ops-scripts/apply-infra.sh
-```

deploy/act-runners/mf/app/kustomization.yaml

@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: mf-cicd
+resources:
+  - configmap.yaml
+  - deployment.yaml
+  - secrets.yaml
+
+

deploy/act-runners/mf/app/secrets.yaml

@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: act-runner
+type: Opaque
+data:
+    GITEA_INSTANCE_URL: ENC[AES256_GCM,data:Obz1y5FaUsux2DjItdnJMG+rfF3vuO9o4wmpeOU2xxs70ijWUIoEyg==,iv:TLqspEhTvo8lGSGirZMeN0ikKyKmvsuJZ3s2ePL/Hv4=,tag:ju8t2qk2Dgz63Cgte0Wmxw==,type:str]
+    GITEA_RUNNER_NAME: ENC[AES256_GCM,data:u9/zD8aDRx8OSXLZfRP8ww==,iv:tnO1oZGS1dCRGonL3KLaubUr1JtbJvaD7wjBcpCpL2Y=,tag:HtPlkQgSHKVE7Zndo+U2mA==,type:str]
+    GITEA_RUNNER_REGISTRATION_TOKEN: ENC[AES256_GCM,data:9qfwY9IjXnOOFb8SsIJ0HCBv4KlTt1QNy20v59hZt+fPI688mrGpAhzbZfdZwRbAI74H/Gm5Hfk=,iv:q38chmaHIo4nSsDUhpBeFpszTdtwFEFOFIjPTdfNX5A=,tag:tCndZLIBo6RQXQN4V6tbCQ==,type:str]
+sops:
+    age:
+        - enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVTk1JVDBJQURtd0VIMlc4
+            WjR4UUp6cHExWC9CVE55UzJLT1ZNU3lFY0JBCnkvK0xvSHRuWi9mUHVMMU5LN3dQ
+            Ujh3cU9pMkNKenRza1FyZjlWaW41T1EKLS0tIGx0WFlQSmtCc3VmWGhhdWNteC9S
+            YTR3S3FpN0pjM29aNTA3NG9TYVE5VW8KguSIXnaxjzcAcvsJAnsz6VdpM6QJoWos
+            5EO8pwi1KF6q/RNv9Qg8XWpenBNJJt4BUms6Lej6xcgntxIVc8Fx5A==
+            -----END AGE ENCRYPTED FILE-----
+          recipient: age1gk946fp37xtm3fv500407zdd5h89a5lvxysrufhau3f73xcq8ewqcu8l5g
+    encrypted_regex: ^(data|stringData)$
+    lastmodified: "2026-06-04T22:26:34Z"
+    mac: ENC[AES256_GCM,data:12FZB5VqHBDoFpatMhF9wHnseW5LAHRLDDxGQGkBqRbVEq1mWKzERAwBh7emeQvUNnIIAUU9OKjrVhboDPn3t2Te9/z70CIJ/UDoPql0DTxezN6ulL4EYfrhtQvs+4m3JTcAFaF5JWL8ogh46vIL9hxaibuSdi856MnR6Zpiw2Y=,iv:KbLpaU3es78wjEqgpwn1cqqIGQdRy+PDByoJhELlO0I=,tag:62rZQkGKWkgkxAglLqyjaw==,type:str]
+    version: 3.13.1

deploy/act-runners/mf/deploy/app/.env.d/.gitignore

@@ -1,2 +0,0 @@
-**
-!.gitignore

deploy/act-runners/mf/deploy/app/kustomization.yaml

@@ -1,14 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - configmap.yaml
-  - deployment.yaml
-
-generatorOptions:
-  disableNameSuffixHash: true
-
-secretGenerator:
-  - name: act-runner
-    envs: 
-      - .env.d/.env
-

deploy/act-runners/mf/ops-scripts/apply-app.sh

@@ -1,4 +0,0 @@
-#!/bin/bash
-set -e
-NAMESPACE=mf-cicd
-kubectl kustomize deploy/app | kubectl --namespace ${NAMESPACE} apply -f - 

deploy/act-runners/mf/ops-scripts/apply-infra.sh

@@ -1,4 +0,0 @@
-#!/bin/bash
-set -e
-NAMESPACE=mf-cicd
-kubectl create namespace ${NAMESPACE} || true

deploy/act-runners/myLimbo/README.md

@@ -1,13 +0,0 @@
-# mylimbo - act-runner
-
-**Deploy app:**
-
-```bash
-./ops-scripts/apply-app.sh
-```
-
-**Deploy Infra:**
-
-```bash
-./ops-scripts/apply-infra.sh
-```

deploy/act-runners/myLimbo/app/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: mylimbo-com-cicd
+resources:
+  - configmap.yaml
+  - deployment.yaml
+  - secrets.yaml
+

deploy/act-runners/myLimbo/app/secrets.yaml

@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: act-runner
+type: Opaque
+data:
+    GITEA_INSTANCE_URL: ENC[AES256_GCM,data:BATws1oD1oaQehXZGiAWasKVWYlGUOB2xxdRe2+OdJds5LUdzXx4SA==,iv:6ox8QZJDhUdR8IVyOyk+nPa9c/lhlAYOb/pY/l+wOy0=,tag:nJVE3shYschhfhfFkwHQpQ==,type:str]
+    GITEA_RUNNER_NAME: ENC[AES256_GCM,data:P7yDwNE/bSl34HfEqSwQNmIf9OLP4ayD,iv:kDcRIaeULPF5XckCqK6qlKpZBWw2cSyGHKaKQiGlzhk=,tag:kzynWwCu4brmVRoSCemtOA==,type:str]
+    GITEA_RUNNER_REGISTRATION_TOKEN: ENC[AES256_GCM,data:P4yLgfdOTRscbU0QBaeGU4iZjHTazAAOtPzjAtinP196CFeJ177T58qU419WNSYZeutZB96Gzgw=,iv:YIbPzLSFMT+RlDkCuIfv2AkAk5v31cfmF/KRMBAV6kE=,tag:1htUmlUDedLXecT24wSIDQ==,type:str]
+sops:
+    age:
+        - enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4cEEyZmk3dnhPN2JxUytr
+            WUtCMDlrK2pmb2xJSG8yaEVSZ3FsQkFaUWpJCk5iRjZtdFUvL1ZDdXlkUG5QWVNF
+            NXFxSkQrQjJIQ3g5dmdGNXRzUEIrNUEKLS0tIEpzdlJuR1dQV2NMc1JvdmJOUlpm
+            TVpYQlY0dDNTaTE5KzNzMUdQbXFnNnMK3uirf3+95s/D5bztGWphGOGJBl7BGGHh
+            y4kwM4DzlZioy9sLT8DpEQJi9eazkwRCJfAw89HQML2waTzc3j8kDg==
+            -----END AGE ENCRYPTED FILE-----
+          recipient: age1gk946fp37xtm3fv500407zdd5h89a5lvxysrufhau3f73xcq8ewqcu8l5g
+    encrypted_regex: ^(data|stringData)$
+    lastmodified: "2026-06-04T22:31:22Z"
+    mac: ENC[AES256_GCM,data:jJQJe1C0ebtg6n2nEQHaMgC31rGOfPRDtEeBwUaE3r7JxBqPZA9zLi91wMtO2ULTiTVzEVq4uKUo21JIozkdKFcBvO7sQUPgCcxJ9p67/2zyM499I03yq9EnruvV30qVcLm7Ts+mXOt3Hnbb4hj7MR5nYAszf2ZmHNNRNLSHGwg=,iv:yjgKkJT+HQReEks7aVn2Q9besmzvTwbiDtECriCRxwU=,tag:6hyb/r21vtUI03CfrcXo4Q==,type:str]
+    version: 3.13.1

deploy/act-runners/myLimbo/deploy/app/.env.d/.gitignore

@@ -1,2 +0,0 @@
-**
-!.gitignore

deploy/act-runners/myLimbo/deploy/app/kustomization.yaml

@@ -1,14 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - configmap.yaml
-  - deployment.yaml
-
-generatorOptions:
-  disableNameSuffixHash: true
-
-secretGenerator:
-  - name: act-runner
-    envs: 
-      - .env.d/.env
-

deploy/act-runners/myLimbo/ops-scripts/apply-app.sh

@@ -1,4 +0,0 @@
-#!/bin/bash
-set -e
-NAMESPACE=mylimbo-com-cicd
-kubectl kustomize deploy/app | kubectl --namespace ${NAMESPACE} apply -f - 

deploy/act-runners/myLimbo/ops-scripts/apply-infra.sh

@@ -1,4 +0,0 @@
-#!/bin/bash
-set -e
-NAMESPACE=mylimbo-com-cicd
-kubectl create namespace ${NAMESPACE} || true

deploy/app/.env.d/.env.example

@@ -1,15 +0,0 @@
-APP_HELM_VALUE_VALKEY_GLOBAL_PASSWORD="????"
-APP_HELM_VALUE_POSTGRESQL_AUTH_POSTGRESPASSWORD="????"
-APP_HELM_VALUE_POSTGRESQL_AUTH_PASSWORD="????"
-APP_HELM_VALUE_POSTGRESQL_AUTH_DATABASE="????"
-APP_HELM_VALUE_POSTGRESQL_AUTH_USERNAME="????"
-APP_HELM_VALUE_GITEA_ADMIN_USERNAME="????"
-APP_HELM_VALUE_GITEA_ADMIN_PASSWORD="????"
-APP_HELM_VALUE_GITEA_ADMIN_EMAIL="????"
-APP_HELM_VALUE_GITEA_CONFIG_OAUTH2_JWT_SECRET="????"
-APP_HELM_VALUE_GITEA_CONFIG_SERVER_LFS_JWT_SECRET="????"
-APP_HELM_VALUE_GITEA_CONFIG_SECURITY_SECRET_KEY="????"
-APP_HELM_VALUE_GITEA_CONFIG_SECURITY_REVERSE_PROXY_TRUSTED_PROXIES="????"
-APP_HELM_VALUE_GITEA_CONFIG_SECURITY_INTERNAL_TOKEN="????"
-APP_HELM_VALUE_GITEA_CONFIG_SECURITY_PASSWORD_HASH_ALGO="????"
-APP_HELM_VALUE_GITEA_CONFIG_SERVICE_OAUTH2_JWT_SECRET="????"

deploy/app/.gitignore

@@ -0,0 +1 @@
+**.dec.*

deploy/app/gitea-helm-release.yaml

@@ -0,0 +1,25 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: gitea
+  namespace: git-limbosolutions-com
+spec:
+
+  releaseName: gitea
+  interval: 24h
+  chart:
+    spec:
+      chart: gitea
+      version: '12.x.x'
+      sourceRef:
+        kind: HelmRepository
+        name: gitea
+        namespace: git-limbosolutions-com
+      interval: 24h
+  valuesFrom:
+    - kind: Secret
+      name: gitea-helm-install-values
+      valuesKey: values.yaml
+    - kind: Secret
+      name: gitea-helm-install-values
+      valuesKey: values.private.yaml

deploy/app/gitea-helm-repo.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: gitea
+  namespace: git-limbosolutions-com
+spec:
+  interval: 24m
+  url: https://dl.gitea.com/charts

deploy/app/helm-values.private.yaml

@@ -0,0 +1,45 @@
+valkey:
+    global:
+        valkey:
+            password: ENC[AES256_GCM,data:pSdaIZ6fWZs=,iv:MDjfyBPaatrkuhwtKjcjFiAf7LNPvkWfHkhAyPOAUjw=,tag:lqU3LAXxQt8rbF6X5wMd+g==,type:str]
+postgresql:
+    global:
+        postgresql:
+            auth:
+                postgresPassword: ENC[AES256_GCM,data:Zxg6KKLL/v+168g=,iv:TZfnUG2q5P6w8lCEFHwfkhkgEaxkV6ncbQt62JTodDk=,tag:R2+Z+gAFcl6KnoefttQw9w==,type:str]
+                password: ENC[AES256_GCM,data:C87emEwF5NdWPyE/Dg==,iv:wFDlccwVRH10eAfoqnXbhQF51fZDUAjPIsbQcWI73BQ=,tag:BAyhnlvoBdyN4dDijXVAQw==,type:str]
+                database: ENC[AES256_GCM,data:HveuoAw=,iv:OKisTxR4A82jAOvuaj+YeNCPh7tkPSnKXzI3GVYJl/A=,tag:nv78Ek+ev2Oi08Q3te+lew==,type:str]
+                username: ENC[AES256_GCM,data:naDgowoC1lEKZGo=,iv:zQxu1xsF/uCdpX+ynGQChl0VoSTjeNICwp36Jn2CVyg=,tag:HspzndRsO47fuB0tsNQRMQ==,type:str]
+gitea:
+    admin:
+        username: ENC[AES256_GCM,data:38iBf1ML/xE=,iv:L2rr19z7cCi7BUnk2rmo+Nx2AbItgXWRtcha5oBZ+ks=,tag:PIyiW/LpUNmqH4sQe7g28g==,type:str]
+        password: ENC[AES256_GCM,data:+MRVFRaEZ2R66sEhu+OK6sUt3TbUfQ==,iv:m7tdbehrZ2BkgubzH07HzE2hTIE4SbF5AwyzqXf11Qk=,tag:6vx96txumL1mXp+Ag70zXg==,type:str]
+        email: ENC[AES256_GCM,data:wvmi5gG2PTuHXUMvaCdk,iv:ugw8hLlljyoICHoQUKkjlF9ct7IYv1XM4f4e7L90Hns=,tag:XCMKeRZufSBa1LAl9+adHQ==,type:str]
+    config:
+        oauth2:
+            JWT_SECRET: ENC[AES256_GCM,data:o7GoJVCrtmn0uySHS5hStNS9k030b4tirLLrPF1FJ2N4hfTdWVdNQwu48w==,iv:EgmOz3/yach8LuCcg0Ru7VdtBKULATq3RjnXJQ0Fb2c=,tag:2NGICbfnigfLBUsGvWygMA==,type:str]
+        server:
+            LFS_JWT_SECRET: ENC[AES256_GCM,data:gPilnhnWtFm/RfSFyCO0oo+HE2MeyanhpXvzhA/RaY+CrEukuFjb0WWUIA==,iv:8kjT2KZuPJXQAqrOljBPdk7EghbTAgYHXTmxi3E+hf0=,tag:4x+eblz47MVGUG3mYRXiTw==,type:str]
+        security:
+            SECRET_KEY: ENC[AES256_GCM,data:Y9c4p54t4ZQQnPwPm8DO4mkGkYS+VG2Oc2ctBwHyiUsBgITON3qhItonCFyJknktP2qXwtuwymTTR+RkACmOHjW8F6336sOzlcj5xV2seOHk8iFaNFfs2CXI8DfY65BePwCmCfrYGXqmPsSoh+fEoMCzoZncoQ==,iv:SBCTWDf4FTM4A3FGXsc9HH+5UbvCKqwngb32nGTzT0I=,tag:zDSORRYbaiwhNMjW8G1XZw==,type:str]
+            REVERSE_PROXY_TRUSTED_PROXIES: ENC[AES256_GCM,data:fw==,iv:6kDt7mGQUJztVdu5yr8V1jy1RRwtqOc2StuCXgvFGwk=,tag:v8Lxpcx7zpn/DgOJ5p/l+w==,type:str]
+            INTERNAL_TOKEN: ENC[AES256_GCM,data:u7iTEUff/9RTORiQ8PjoPJAsBeXO5r4vIbB06UnOtvXjQY6/TT5NGjiGg5R5iZO8B6VXoBZ37ah4r7gQfIV+ajl+esLWWZR1LiQIAwdu2/Pb08fjQUNdBQ+WF6oafmPPwM7tAYMBdaOv,iv:zN6m59qtjztxAv/LOj329S7itEEr+U1AywN9g8l1B/8=,tag:IHVeZHFuxqzwivpJRJbCOA==,type:str]
+            PASSWORD_HASH_ALGO: ENC[AES256_GCM,data:96oPJI9e,iv:solaA+iHhJPidx1FDY7HuMwyBX1ANrPPo3LEE4fvtzY=,tag:/VXnq/ZV77C6rb9baIuc4Q==,type:str]
+        service:
+            oauth2:
+                JWT_SECRET: ENC[AES256_GCM,data:PPhdi1kIURr4wY07qVDUbtP/UWu30aFB9oyt4V8m7aHEmnBtuPPrb6Efwg==,iv:j4K77dfdswCzUmj0q2umCOPFEJBpHdqrt4X7xXntc4Y=,tag:hm+N0VwiOlUWBQuVv1Oytw==,type:str]
+sops:
+    age:
+        - enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKZnloRmM0NHUvdGZPSWl0
+            aHFXS25iWlNzczIxUzJTUGJPaldYZUUrZEN3CkxuUmFoWVlQNlpiRWJaSmJrcnNU
+            TUNXT3h5VGcxRVhOTUo5VFhHS3grR1kKLS0tIGxTeVg0eFRRbEFqelpFQjUzYzlx
+            QTR6aVRFUUxkSHIvWHlrSUgxRFRxdlUKX7kxcJX22vlOpsTzEGbiXbpDU4Z1AodC
+            QeI3xVWjGdHxRV57IqJpHDRScFA59hv35onF0aWiS72t7jOAWu33DA==
+            -----END AGE ENCRYPTED FILE-----
+          recipient: age1gk946fp37xtm3fv500407zdd5h89a5lvxysrufhau3f73xcq8ewqcu8l5g
+    encrypted_regex: ^(.*)$
+    lastmodified: "2026-06-03T00:47:06Z"
+    mac: ENC[AES256_GCM,data:sR4Q3MDUFJUN7RaUFPI0FURX53abD9B/Det8jxQwuWpbEWojiTku7nDSKslj4gqMwmZiicOqV+tjlEpgnq8MPPh3VVFpjNUCqX7qQwXZC3eK6L17uI3aWDNDODgiqC6fBSsZ50AQAkn+FZKpOdmWUlLUAeN3ap28l+Y3C8DJC9Q=,iv:r/7weuw69KsIvCZX9HVLJ61kekJvBMGfPyh6CgU67eY=,tag:xDXnI6CLH+8YtrZs/A1Skw==,type:str]
+    version: 3.13.1

deploy/app/helm-values.yaml

@@ -17,7 +17,7 @@ image:
   #
   # This ensures the container includes OpenSSH and can expose the SSH port.
   repository: gitea/gitea
-  pullPolicy: Always
+  pullPolicy: IfNotPresent
 valkey-cluster:
   enabled: false
 
@@ -165,6 +165,12 @@ gitea:
     password: "???"
     email: "???"
   config:
+    log:
+      LEVEL: Warn
+    packages:
+      ENABLED: false
+    registry:
+      ENABLED: false
     oauth2:
       JWT_SECRET: "???"
     actions:

deploy/app/kustomization.yaml

@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: git-limbosolutions-com
+resources:
+ - gitea-helm-repo.yaml 
+ - gitea-helm-release.yaml 
+secretGenerator:
+  - name: gitea-helm-install-values
+    files:
+      - values.yaml=helm-values.yaml
+      - values.private.yaml=helm-values.private.yaml
+generatorOptions:
+  disableNameSuffixHash: true

deploy/backups/.env.d/.gitignore

@@ -1,3 +0,0 @@
-**
-!.gitignore
-!*.example

deploy/backups/.env.d/borg_key.example

@@ -1 +0,0 @@
-BORG_KEY an valid borg key

deploy/backups/.env.d/id_rsa.example

@@ -1,3 +0,0 @@
------BEGIN OPENSSH PRIVATE KEY-----
-AND VALID PRIVATE SSH KEY WITH ACCESS TO SSH SERVER  
------END OPENSSH PRIVATE KEY-----

deploy/backups/.env.d/secrets.example

@@ -1,7 +0,0 @@
-PBS_REPOSITORY=xxx@pbs@server_address:collection
-PBS_PASSWORD=pbs access password
-PBS_FINGERPRINT=00:00:00:00:00 # pbs server fingerprint
-BORG_REPO="ssh://user@server/path" # required by offsite backup
-BORG_PASSPHRASE="borg passphrase" # required by offsite backup
-OFFSITE_TARGET_FOLDER="test:target_path" # follow rclone naming convention
-

deploy/backups/.gitignore

@@ -0,0 +1 @@
+**.dec.*

deploy/backups/kustomization.yaml

@@ -1,17 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+  - secrets.yaml
   - cronjobs/backup-borg-offsite.yaml
   - cronjobs/backup-pbs.yaml
-
+namespace: git-limbosolutions-com
-secretGenerator:
-- name: gitea-backup
-  namespace: git-limbosolutions-com
-  envs:
-    - .env.d/secrets
-  files:
-    - BORG_KEY=.env.d/borg_key
-    - SSH_ID_RSA=.env.d/id_rsa
-    
-generatorOptions:
-  disableNameSuffixHash: true

deploy/backups/secrets.yaml

@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: backup-secrets
+    namespace: vault-limbosolutions-com
+type: Opaque
+data:
+    PBS_REPOSITORY: ENC[AES256_GCM,data:J6SvjhGs2KBMik/7EgqJQ+p37pWdPU0sdOzctaMLZ1aVCEyJtPSDoalcjeJ66kX29dhnw2mMVs/SYbw5PuzAHg==,iv:Xk0WgNv74GBExnhO9mAezcORnooMs3G2AFw6RjRP8cE=,tag:ZaFptBCAPvwsAERzk/ztyQ==,type:str]
+    PBS_PASSWORD: ENC[AES256_GCM,data:5J5gg8auOc5pK35GkshH8+iXUj0cp5Zy,iv:+3kN7vKzYY8KBxuIQxSTpiqmLT8lP+tIs9lgO02c3QQ=,tag:+mODrIU0Bj/Ucieqkh8ivA==,type:str]
+    PBS_FINGERPRINT: ENC[AES256_GCM,data:lTU1CGwbTD5J/wQf88MXvyOBF5BQI4lIzQnUk+qCxzPyrWLKB9Ynzt+yewIeyAT4ccBCal8Rtjmx/VwI4+95Y9PzGIJ0JpoQbF05U2gw4CPoVSQg6ay17TSVwFxEmMiD3BMMMXzf6Rd8NZ092SBNiS8EBL4EXTxZjpSze5TWfe0=,iv:8ugBr8q5hORU2ueuBC2QI3ucurYOvm8fj4rJL9gOZ+A=,tag:kn/oKsy/t3RJ0SXHIlvz1A==,type:str]
+    BORG_REPO: ENC[AES256_GCM,data:1P2iejfP3cwShT4tzu+XLfWSsCeFdMALWyWkHKMGjUUwZv9e+NxAj8FAFpzXlaMLk5P4iRTLs9hb+RCXw5iETy2q6BlPtZhjxKEQ33Ri6IqVqZX2cZbnJnLRNLr3LVr5,iv:meP/cg9TDFf89NxW1o6s5o/hHgrnPeOG0KXcwa7leLw=,tag:nPXlA34hQ0ltTdcHeqpekg==,type:str]
+    BORG_PASSPHRASE: ENC[AES256_GCM,data:vWqEVX9bjmN2+YptTdA5u+VXtTA=,iv:0bxjLMSYXXejwlmU9DFOjvtsGLTWLDGO0UYrSS56f/w=,tag:lCi/QWPYzopoBmK467EDyA==,type:str]
+    OFFSITE_TARGET_FOLDER: ENC[AES256_GCM,data:Pw5Pu/JW8Y2zWhToutZPBXBu7MxgPOgqoTUisGMM9x11/qh0fBjMtZ2SexsPyfKihM/ueRGmvbynibaZk5paLg==,iv:D5TdetBMGl/cjqGWcImY79iV3gk8bj2qE6rEO4Z4KLM=,tag:aLID2pLmD7mO64+yxOZzAQ==,type:str]
+    BORG_KEY: ENC[AES256_GCM,data:tFhHyObMFP3Pc+Ow45qVxieRVENo2bRy38/6yJl8/Gwl2sgyy15EF/QXcCEmzLHuSsVonEVTUlzgdAlGd4cevfShk0ttx+4UqqCIsj36IsEkLc/0m+9wm0D9V7+k2ymuuQ2IrSknoDzW9o25Y78DOefh9rO61Exf3oSD8aU7SbUvvaRs5Cuq/dOLDJdvSZ8UzWyAWDiOHHpoasjfoNFBOM5S1pC6MHszmFzCh7k9ZacqcagW7cHHwFCTImt/QobxGqnz94Jh9sR8ZsQ36cjsFkseDhKwJqn2sW3iYFAnrNRMkr31Awk3DADxACuqRURVxI7tOq2GTIocHtElEN+IPXnYAUmbE2GcZq3uweMIdwthMk+s4dPQonYIPgWiPOnS52nOjL2Akn89RuiRTL+vadL+0kZqI80r+DdMH6H3wX5ttf2fKrOgMdfA3p1XVR6fh0OhVyDUgeXmt3IoxZ/rOQCm9nzFI4FzqswmmLwbGtyzh27PvKeWPQzx0dNZ/5qWkps3n/Hs8O5Il4NsVMHEz2rM3l+kn6+iY/lP3K4GAc1pASqtn9pij2uAJdz4mtRUHOMdNO10890F00lRYlE3AP8uFwie1ZqkTwg8gtNrzd9yGwM/TKZ9B4XnBQ3aSE18WcscA/0bcaXWVy37BLK2YG/nWP0hnWOa6bmvOsnret0MarHF5JbJMbgLG059+JTSaWTCcrqhaSuA1F6y+M/h2Sx5wV/VZsMALt7vrfdkIfTi9lGKY5MiFsXr8rJXkn885IaGIFqHSxojb7A/HBCnQvOWE8yFzUGoNfb5hC2VKMMz8E7G22cuT4t4gWttENlvtMtPpKeSoPY3GiEvhO2xqRcQOXft6JwvrnCQFLORGvAkxBhCNS3gxkYvSs4dwVSjAT8YmVJZunJ1aiVZC3+2l1IgkR3zUE296NRvbX9taf1GlC1JPjDvHPYnpFTLvX2vsGFdvEuhb4d5Wnr6SB9tCQ==,iv:WiT+WCx3c4MXUjizPkNfgt/rHLKApgauG11+4c6umTs=,tag:bC2fI4PAQeECLCGCewc21Q==,type:str]
+    SSH_ID_RSA: ENC[AES256_GCM,data:8xY0kCnJvimE2RXkGQ5RUAijrDyoFTEAQp6u48nXreWsYs2zDZrCpSBuMQ2QxUX5WjSiAeakBOoUbMVUaCnRNzRRVAPEuuCjiEI4VF9JhinoWrIQp3YW877q5/1HVn28xZ3PkH0Y9eRJQcndmufKmEpw2aJNSnZWdImwvjKp037c1cxNYvJoCj2DUWreQ0a1Iq5d3J9RmdE3/dZ7gdlmI5Jtsk+WPfg4GKriLVuq52FlUZgT3U7MqZL/AASwNORI15W2pRJBi6MxQigsWpzO7+8RNKPaRNUlZA1JTR0GcSuf9nto4MkAM7PT66ndSRY8quJBpLb0ggbzqApEc+uX3qi9fSY2k6EG55rL2j80dUZTlz5yytbw6d/vt+d14vup8+fJdg19GX/AZIdfxNo4/UxwF1A8lZHO901F66iUso5iogGcGCIkS6p3QvbXL4s4Tzt8wWB/XRItHRpSbGSiPfSH3IJHDBBOlcB/DSnRN/2BYV8shJXvMlpqvZMs8vit3epn4f3eziejXypi8WUoLumcIi5PMyKF1fs+yCYvARoisBku6x1SgTnpajBvxftVKIlOXayflsF9bR/C/TqQcRrjeimEgKOPji9D+Xxm/J5TGcJylv/R2GfVEPEYJZVvKNYdJJB9NP6q94+PQeNS3YHIvCUqmeC4lCYWbbWU+a2i4TzjFRmS5FMt3exSzIVHDDL06g==,iv:6/e5MXOylULPq1YqzywKv4zN4+98SjY7EHYY6K3M9cM=,tag:QUX+Iyyn/1jU+5udESYbMg==,type:str]
+sops:
+    age:
+        - enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOUTJKaFJmaFBjaUxvd3Nm
+            MHZ1MWlpSVVlRmJHL0VOc0VYRHpaOFRteWljCmlHN05OcXJDbXI2eVoxSU05ZklG
+            K1puZld3VFk4cUtMcDZ5R1FlMm84M1kKLS0tIGlrWGZxQXJORmhGNTZyU2lkM1B5
+            VC9zMzRTKzUzRmFjR2pCYzhqZThOeHMK7pRWZdI2gxl5qffvWnZsiS9N2reZd3JS
+            ikGT8Z+TBuSWg6avbHdPqv/6okMKxFiJzgRVjOWGcexeY/y4HgPoKg==
+            -----END AGE ENCRYPTED FILE-----
+          recipient: age1gk946fp37xtm3fv500407zdd5h89a5lvxysrufhau3f73xcq8ewqcu8l5g
+    encrypted_regex: ^(data|stringData)$
+    lastmodified: "2026-06-02T22:45:11Z"
+    mac: ENC[AES256_GCM,data:JEVswbWD7GunyzB8NmJItzgKOrAa8yNWEQvhG8jLZSco8J+pZhufQyAERLVEhfd+mhVXWPejfVb7OpDWqQZcTcHebGtMXWPpm01iLkXbScuqmTwrtvxGvG71HowpGfHeTK42ANT1Q2JvsmqHbxbMoWhUZNUvY5kwIWMLzin41lA=,iv:P8I3M4wAD6NWq7zfMlAl+fd+OkY6MzFOGmksBJUqx5w=,tag:FEBcv0oKfb57FH6juDT+lA==,type:str]
+    version: 3.13.1

deploy/flux/.env.d/.gitignore

@@ -0,0 +1,3 @@
+**
+!.sops.pub.asc
+!.gitignore

deploy/flux/act-runner-kb-sync.yaml

@@ -0,0 +1,17 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: act-runner-kb-sync
+  namespace: kb-cicd
+spec:
+  interval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: git-limbosolutions-com
+    namespace: git-limbosolutions-com
+  path: deploy/act-runners/kb/app
+  prune: true
+  decryption:
+    provider: sops
+    secretRef:
+      name: flux-sops-age

deploy/flux/act-runner-limbosolutions-com-sync.yaml

@@ -0,0 +1,17 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: act-runner-sync
+  namespace: limbosolutions-com-cicd
+spec:
+  interval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: git-limbosolutions-com
+    namespace: git-limbosolutions-com
+  path: deploy/act-runners/limbosolutions-com/app
+  prune: true
+  decryption:
+    provider: sops
+    secretRef:
+      name: flux-sops-age

deploy/flux/act-runner-mf-sync.yaml

@@ -0,0 +1,17 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: act-runner-sync
+  namespace: mf-cicd
+spec:
+  interval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: git-limbosolutions-com
+    namespace: git-limbosolutions-com
+  path: deploy/act-runners/mf/app
+  prune: true
+  decryption:
+    provider: sops
+    secretRef:
+      name: flux-sops-age

deploy/flux/act-runner-myLimbo-sync.yaml

@@ -0,0 +1,17 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: act-runner-sync
+  namespace: mylimbo-com-cicd
+spec:
+  interval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: git-limbosolutions-com
+    namespace: git-limbosolutions-com
+  path: deploy/act-runners/myLimbo/app
+  prune: true
+  decryption:
+    provider: sops
+    secretRef:
+      name: flux-sops-age

deploy/flux/backups-sync.yaml

@@ -0,0 +1,16 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: backups
+  namespace: git-limbosolutions-com
+spec:
+  interval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: git-limbosolutions-com
+  path: deploy/backups
+  prune: true
+  decryption:
+    provider: sops
+    secretRef:
+      name: flux-sops-age  

deploy/flux/git-repo.yaml

@@ -0,0 +1,12 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+  name: git-limbosolutions-com
+  namespace: git-limbosolutions-com
+spec:
+  interval: 1m0s
+  url: ssh://git@git.limbosolutions.com:2222/limbosolutions.com/git.limbosolutions.com.git
+  ref:
+    branch: main
+  secretRef:
+    name: flux-repo-ssh-credentials

deploy/flux/gitea-sync.yaml

@@ -0,0 +1,16 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: gitea
+  namespace: git-limbosolutions-com
+spec:
+  interval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: git-limbosolutions-com
+  path: deploy/app
+  prune: true
+  decryption:
+    provider: sops
+    secretRef:
+      name: flux-sops-age

deploy/flux/infra-sync.yaml

@@ -0,0 +1,12 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: infra
+  namespace: git-limbosolutions-com
+spec:
+  interval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: git-limbosolutions-com
+  path: deploy/infra
+  prune: true

deploy/flux/kustomization.yaml

@@ -0,0 +1,21 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - git-repo.yaml
+ - infra-sync.yaml
+ - gitea-sync.yaml
+ - backups-sync.yaml
+ - act-runner-kb-sync.yaml
+ - act-runner-limbosolutions-com-sync.yaml
+ - act-runner-mf-sync.yaml
+ - act-runner-myLimbo-sync.yaml
+secretGenerator:
+  - name: flux-repo-ssh-credentials
+    namespace: git-limbosolutions-com
+    files:
+      - "identity=./.env.d/flux-repo-ssh-key"
+      - "known_hosts=./.env.d/flux-repo-ssh-known_hosts"
+      - "pubkey=./.env.d/flux-repo-ssh-key.pub"
+      
+generatorOptions:
+  disableNameSuffixHash: true

deploy/infra/cd-serviceaccount.yaml

@@ -1,53 +0,0 @@
-
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: continuous-deploy
-  namespace: git-limbosolutions-com
-
----
-
-apiVersion: v1
-kind: Secret
-metadata:
-  name: continuous-deploy
-  annotations:
-    kubernetes.io/service-account.name: continuous-deploy
-type: kubernetes.io/service-account-token
-
----
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  namespace: git-limbosolutions-com
-  name: continuous-deploy
-rules:
-- apiGroups: [""]
-  resources: ["pods", "services", "secrets", "configmaps", "persistentvolumeclaims"]
-  verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
-
-- apiGroups: ["apps"]
-  resources: ["deployments", "statefulsets"]
-  verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
-
-- apiGroups: ["batch"]
-  resources: ["cronjobs", "jobs"]
-  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
-
----
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: continuous-deploy
-  namespace:  git-limbosolutions-com
-subjects:
-- kind: ServiceAccount
-  name: continuous-deploy
-  namespace: git-limbosolutions-com
-roleRef:
-  kind: Role
-  name: continuous-deploy
-  apiGroup: rbac.authorization.k8s.io
-

deploy/infra/kustomization.yaml

@@ -1,15 +1,11 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
+namespace: git-limbosolutions-com
 resources:
-  - namespace.yaml
-  - cd-serviceaccount.yaml
   - network-policies.yaml
   - certificate.yaml
   - ingress-web.yaml
   - ingress-web-public.yaml
   - ingress-ssh.yaml
   - ingress-ssh-public.yaml
-generatorOptions:
-  disableNameSuffixHash: true
-
 

ops-scripts/apply-app.sh

@@ -1,40 +0,0 @@
-#/bin/bash
-
-# load environment variables from file
-
-if [ -f "deploy/app/.env.d/.env" ]; then
-  # Export all variables from the file
-  echo "export variables from file deploy/app/.env.d/.env" 
-  set -a
-  . deploy/app/.env.d/.env
-  set +a
-fi
-
-if [ -n "${APP_HELM_VALUE_GITEA_ADMIN_USERNAME:-}" ]; then
-
-    echo "Executing helm deploy."
-
-    helm repo add gitea-charts https://dl.gitea.com/charts/ --force-update
-
-    helm upgrade --install gitea gitea-charts/gitea --version 12.5.3 \
-    --values deploy/app/helm-values.yaml \
-    --set valkey.global.valkey.password=${APP_HELM_VALUE_VALKEY_GLOBAL_PASSWORD} \
-    --set postgresql.global.postgresql.auth.postgresPassword=${APP_HELM_VALUE_POSTGRESQL_AUTH_POSTGRESPASSWORD} \
-    --set postgresql.global.postgresql.auth.password=${APP_HELM_VALUE_POSTGRESQL_AUTH_PASSWORD} \
-    --set postgresql.global.postgresql.auth.database=${APP_HELM_VALUE_POSTGRESQL_AUTH_DATABASE} \
-    --set postgresql.global.postgresql.auth.username=${APP_HELM_VALUE_POSTGRESQL_AUTH_USERNAME} \
-    --set gitea.admin.username=${APP_HELM_VALUE_GITEA_ADMIN_USERNAME} \
-    --set gitea.admin.password=${APP_HELM_VALUE_GITEA_ADMIN_PASSWORD} \
-    --set gitea.admin.email=${APP_HELM_VALUE_GITEA_ADMIN_EMAIL} \
-    --set gitea.config.oauth2.JWT_SECRET=${APP_HELM_VALUE_GITEA_CONFIG_OAUTH2_JWT_SECRET} \
-    --set gitea.config.server.LFS_JWT_SECRET=${APP_HELM_VALUE_GITEA_CONFIG_SERVER_LFS_JWT_SECRET} \
-    --set gitea.config.security.SECRET_KEY=${APP_HELM_VALUE_GITEA_CONFIG_SECURITY_SECRET_KEY} \
-    --set gitea.config.security.REVERSE_PROXY_TRUSTED_PROXIES=${APP_HELM_VALUE_GITEA_CONFIG_SECURITY_REVERSE_PROXY_TRUSTED_PROXIES} \
-    --set gitea.config.security.INTERNAL_TOKEN=${APP_HELM_VALUE_GITEA_CONFIG_SECURITY_INTERNAL_TOKEN} \
-    --set gitea.config.security.PASSWORD_HASH_ALGO=${APP_HELM_VALUE_GITEA_CONFIG_SECURITY_PASSWORD_HASH_ALGO} \
-    --set gitea.config.service.oauth2.JWT_SECRET=${APP_HELM_VALUE_GITEA_CONFIG_SERVICE_OAUTH2_JWT_SECRET} \
-    --namespace=git-limbosolutions-com
-
-    echo "executing deploy of backups jobs."
-    kubectl kustomize deploy/backups | kubectl -n git-limbosolutions-com apply -f -
-fi

ops-scripts/apply-flux.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+set -e
+echo "Executing infra deploy."
+
+kubectl kustomize deploy/flux | kubectl apply -f -
+
+
+

ops-scripts/apply-infra.sh

@@ -1,7 +0,0 @@
-#!/bin/bash
-set -e
-echo "Executing infra deploy."
-
-kubectl kustomize deploy/infra | kubectl -n git-limbosolutions-com apply -f -
-
-