From 86fda959d205c80f9fd503f26e7feaa3f1bdf0c4 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?M=C3=A1rcio=20Fernandes?= Date: Sat, 6 Jun 2026 04:06:16 +0000 Subject: [PATCH] fluxcd: add act runners --- .gitignore | 1 + services/casa-vlan-cicd-runners/.sops.yaml | 11 ++++++++ services/casa-vlan-cicd-runners/README.md | 16 ++++++++++++ .../deploy/{ => app}/configmap.yaml | 0 .../deploy/{ => app}/deployment.yaml | 0 .../deploy/app/kustomization.yaml | 7 +++++ .../deploy/app/secret.yaml | 26 +++++++++++++++++++ .../deploy/kustomization.yaml | 14 ---------- .../flux/.env.d/.gitignore | 2 ++ .../casa-vlan-cicd-runners/flux/app-sync.yaml | 16 ++++++++++++ .../flux/kustomization.yaml | 11 ++++++++ .../ops-scripts/apply-app.sh | 4 --- .../ops-scripts/apply-flux.sh | 4 +++ .../ops-scripts/apply-infra.sh | 4 --- services/node-red/.gitignore | 1 - services/node-red/README.md | 1 - services/node-red/deploy/app/.gitignore | 1 - 17 files changed, 94 insertions(+), 25 deletions(-) create mode 100644 services/casa-vlan-cicd-runners/.sops.yaml create mode 100644 services/casa-vlan-cicd-runners/README.md rename services/casa-vlan-cicd-runners/deploy/{ => app}/configmap.yaml (100%) rename services/casa-vlan-cicd-runners/deploy/{ => app}/deployment.yaml (100%) create mode 100644 services/casa-vlan-cicd-runners/deploy/app/kustomization.yaml create mode 100644 services/casa-vlan-cicd-runners/deploy/app/secret.yaml delete mode 100644 services/casa-vlan-cicd-runners/deploy/kustomization.yaml create mode 100644 services/casa-vlan-cicd-runners/flux/.env.d/.gitignore create mode 100644 services/casa-vlan-cicd-runners/flux/app-sync.yaml create mode 100644 services/casa-vlan-cicd-runners/flux/kustomization.yaml delete mode 100755 services/casa-vlan-cicd-runners/ops-scripts/apply-app.sh create mode 100755 services/casa-vlan-cicd-runners/ops-scripts/apply-flux.sh delete mode 100755 services/casa-vlan-cicd-runners/ops-scripts/apply-infra.sh delete mode 100644 services/node-red/.gitignore delete mode 100644 services/node-red/deploy/app/.gitignore 
diff --git a/.gitignore b/.gitignore
index 0b433ec..00dd014 100644
--- a/.gitignore
+++ b/.gitignore
@@ -13,3 +13,4 @@ ansible/inventory.yml
 .env.d/*
 .tmp/**
 storage-limbosolutions-com/deploy/helm/values.private.yaml
+**.dec.**
diff --git a/services/casa-vlan-cicd-runners/.sops.yaml b/services/casa-vlan-cicd-runners/.sops.yaml
new file mode 100644
index 0000000..9fa527f
--- /dev/null
+++ b/services/casa-vlan-cicd-runners/.sops.yaml
@@ -0,0 +1,11 @@
+creation_rules:
+ # encrypt all values from file
+ - path_regex: \.private\.dec\.yaml$
+ encrypted_regex: '^(.*)$'
+ age:
+ - age1f9e4pvp5y8gzuk8mz2s5xm85dd7znxhk56tcpuxqwn78qfjwja0qekwlju
+ # encrypt secrets files
+ - path_regex: .*.yaml
+ encrypted_regex: ^(data|stringData)$
+ age:
+ - age1f9e4pvp5y8gzuk8mz2s5xm85dd7znxhk56tcpuxqwn78qfjwja0qekwlju
\ No newline at end of file
diff --git a/services/casa-vlan-cicd-runners/README.md b/services/casa-vlan-cicd-runners/README.md
new file mode 100644
index 0000000..1efd16a
--- /dev/null
+++ b/services/casa-vlan-cicd-runners/README.md
@@ -0,0 +1,16 @@
+# act-runners
+
+
+## Setup
+
+Using flux for reconciliation.
+
+``` bash
+./ops-scripts/apply-flux.sh
+```
+
+**Encrypt secrets:**
+
+``` bash
+sops -e deploy/app/secret.dec.yaml > deploy/app/secret.yaml
+```
diff --git a/services/casa-vlan-cicd-runners/deploy/configmap.yaml b/services/casa-vlan-cicd-runners/deploy/app/configmap.yaml
similarity index 100%
rename from services/casa-vlan-cicd-runners/deploy/configmap.yaml
rename to services/casa-vlan-cicd-runners/deploy/app/configmap.yaml
diff --git a/services/casa-vlan-cicd-runners/deploy/deployment.yaml b/services/casa-vlan-cicd-runners/deploy/app/deployment.yaml
similarity index 100%
rename from services/casa-vlan-cicd-runners/deploy/deployment.yaml
rename to services/casa-vlan-cicd-runners/deploy/app/deployment.yaml
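Review bot: The second creation rule in `.sops.yaml` uses `path_regex: .*.yaml`, which is unanchored and leaves the dots unescaped, so it matches any path that merely contains `yaml` after one character rather than only YAML manifests; `path_regex: \.yaml$` states the intent. That rule encrypts only `data`/`stringData`, so a plaintext file that falls through to it with secrets under other keys would, as far as I can tell, be written out with those values in clear and no error. The README's `secret.dec.yaml` does not match the first rule's `\.private\.dec\.yaml$` and is therefore handled by this catch-all, which is worth a comment on the rule: `# Kubernetes Secret manifests only: everything outside data/stringData stays in clear`.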
diff --git a/services/casa-vlan-cicd-runners/deploy/app/kustomization.yaml b/services/casa-vlan-cicd-runners/deploy/app/kustomization.yaml
new file mode 100644
index 0000000..6750f82
--- /dev/null
+++ b/services/casa-vlan-cicd-runners/deploy/app/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: casa-vlan-cicd
+resources:
+ - configmap.yaml
+ - deployment.yaml
+ - secret.yaml
diff --git a/services/casa-vlan-cicd-runners/deploy/app/secret.yaml b/services/casa-vlan-cicd-runners/deploy/app/secret.yaml
new file mode 100644
index 0000000..fe28d1e
--- /dev/null
+++ b/services/casa-vlan-cicd-runners/deploy/app/secret.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: act-runner
+type: Opaque
+data:
+ GITEA_INSTANCE_URL: ENC[AES256_GCM,data:DFI/mFprPbTjBNbpASIzfxkQYOxEDVAanWWNqWTEIHzNuR5SD/bv8w==,iv:kAYTWAna344hy4oZ+MH/fiPoE4bZCt92niVg6S/PgsM=,tag:g5T6R2wEzjIiy2762N/H7A==,type:str]
+ GITEA_MYLIMBO_RUNNER_NAME: ENC[AES256_GCM,data:gW/DOukYZHrFzbc78Roi70kk9p7vUcHyl1w/bAB7q7M=,iv:Ip3aTsh73bM9GoNaSScvFaYmoiUz2iuGuVu2K5yHyrI=,tag:32w120l0xRU38NghfRx02A==,type:str]
+ GITEA_MYLIMBO_RUNNER_REGISTRATION_TOKEN: ENC[AES256_GCM,data:JJyMTbnjEoufj6c4KT3ssGm2c91eh7mY+fuYt4YY8bBfozhGlytoHgGEm5u1u3Dq1TNCx+lhIBI=,iv:T/IvhkBMFtU/1Mgtn3sHMsgGIk/7GVA7m/QSSSHkDgo=,tag:r3ON2jjlkA2j0AQfGwFg3A==,type:str]
+ GITEA_MF_RUNNER_NAME: ENC[AES256_GCM,data:QRjb2g6hTGHGjjC8T8s9rvP+y55qqRCFjeUz2Cb/fps=,iv:RRB6Gw1y2bRucIoae7oyz796u8KXnLylqwmxDSzsjc0=,tag:Y03ndziszoo1LepOibfEdQ==,type:str]
+ GITEA_MF_RUNNER_REGISTRATION_TOKEN: ENC[AES256_GCM,data:zXJjCwzEn9647VPiZqMaPKuwDxVf95g+df4dOnOj1Fj4TrND94SfsEjB5AaTbJquO7GDB6n9Ziw=,iv:JzCr0tbalWcwnP4AzF6UXIeIJMm5GFE9iPcjwGlc4+k=,tag:VBuSw0gRIhpyDU1DK505dA==,type:str]
+sops:
+ age:
+ - enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyK0RDL2pQTFoyN0cxd1ZM
+ TGZ0UitKbGh4QW1qQTQ2aDJ1a04yR0NzQ0RNCld1K3ovbmxCejhJTGlPZ01YZWtK
+ YXhvQjFBdFBQcUM5RDk1NERNYTd2dFkKLS0tIG5TVVpDY1M5OE4vdUYwNXYyUVVB
+ dS9CRDQzbGhKSzRBR2lKSEhIVVBKeFUKN4MK71sU1Tm4rxKq7xq1Qux23KaEAIzO
+ Aw6TMCE7li6PDhojderS8Ctp8fLEoE5PuaVOjeejGZtsjZcY4jcT1A==
+ -----END AGE ENCRYPTED FILE-----
+ recipient: age1f9e4pvp5y8gzuk8mz2s5xm85dd7znxhk56tcpuxqwn78qfjwja0qekwlju
+ encrypted_regex: ^(data|stringData)$
+ lastmodified: "2026-06-06T04:03:55Z"
+ mac: ENC[AES256_GCM,data:w5aSmw0vxMC7cnnwUl0MUFAoYZdxEWS5jO20lgwzR8co837gVXZbEzig8D8e0Q5ACRum0DEwKCymUVufPt34bgNV/QilW6mP3hh10oIo9NSktLH7u6VgCI4hdHaUsYbHNhkA9Tl8LK7FajjzrCv0Ha908HZ49grbPg1CTVAioF4=,iv:3+6shBcadgY32xmiDKsAqPGmHBYL7GIODR30BZ3qHNk=,tag:6YmQtL77ynfjv8/zgBBFBA==,type:str]
+ version: 3.13.1
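Review bot: The Secret is named `act-runner`, while the `secretGenerator` removed from `deploy/kustomization.yaml` in this commit produced `casa-vlan-cicd-runners`, and `deployment.yaml` is moved with 100% similarity, so whatever secret name it references is unchanged. If the deployment reads its environment from `casa-vlan-cicd-runners`, the runner pods will not start once Flux applies this path; either keep `name: casa-vlan-cicd-runners` here or update the reference in the same commit. Separately, the values sit under `data:`, which the API server expects to be base64 once decrypted; if the plaintext file holds raw strings, `stringData:` is the matching field. The plaintext is not visible here, so that second point is only to confirm.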
diff --git a/services/casa-vlan-cicd-runners/deploy/kustomization.yaml b/services/casa-vlan-cicd-runners/deploy/kustomization.yaml
deleted file mode 100644
index 443fe3f..0000000
--- a/services/casa-vlan-cicd-runners/deploy/kustomization.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - configmap.yaml
- - deployment.yaml
-
-generatorOptions:
- disableNameSuffixHash: true
-
-secretGenerator:
- - name: casa-vlan-cicd-runners
- envs:
- - .env.d/.env
-
diff --git a/services/casa-vlan-cicd-runners/flux/.env.d/.gitignore b/services/casa-vlan-cicd-runners/flux/.env.d/.gitignore
new file mode 100644
index 0000000..d29675e
--- /dev/null
+++ b/services/casa-vlan-cicd-runners/flux/.env.d/.gitignore
@@ -0,0 +1,2 @@
+**
+!.gitignore
\ No newline at end of file
diff --git a/services/casa-vlan-cicd-runners/flux/app-sync.yaml b/services/casa-vlan-cicd-runners/flux/app-sync.yaml
new file mode 100644
index 0000000..c138dcd
--- /dev/null
+++ b/services/casa-vlan-cicd-runners/flux/app-sync.yaml
@@ -0,0 +1,16 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: act-runners
+spec:
+ interval: 1m
+ sourceRef:
+ kind: GitRepository
+ name: casa
+ namespace: casa-limbosolutions-com
+ path: services/casa-vlan-cicd-runners/deploy/app
+ prune: true
+ decryption:
+ provider: sops
+ secretRef:
+ name: flux-sops-age
diff --git a/services/casa-vlan-cicd-runners/flux/kustomization.yaml b/services/casa-vlan-cicd-runners/flux/kustomization.yaml
new file mode 100644
index 0000000..aecb932
--- /dev/null
+++ b/services/casa-vlan-cicd-runners/flux/kustomization.yaml
@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: casa-vlan-cicd
+resources:
+ - app-sync.yaml
+secretGenerator:
+ - name: flux-sops-age
+ files:
+ - "age.agekey=./.env.d/age.agekey"
+generatorOptions:
+ disableNameSuffixHash: true
\ No newline at end of file
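Review bot: The Flux `Kustomization` in `app-sync.yaml` sets no `spec.serviceAccountName`, so unless the controller was started with a default service account, reconciliation of `services/casa-vlan-cicd-runners/deploy/app` runs with the kustomize-controller's own permissions, which in a default install are cluster-wide. Since `deploy/app/kustomization.yaml` pins everything to `casa-vlan-cicd`, I would add `serviceAccountName: <namespace-scoped-sa>` (placeholder, bound to a Role in that namespace) and `targetNamespace: casa-vlan-cicd` under `spec:`, so a change to that path cannot create objects elsewhere. The `sourceRef` also points into `casa-limbosolutions-com`; that cross-namespace reference is rejected when the controllers run with `--no-cross-namespace-refs=true`, which deserves a short comment next to `namespace:`.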
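Review bot: In `flux/kustomization.yaml` the `secretGenerator` places the age private key in `flux-sops-age` inside `casa-vlan-cicd`, the same namespace the act runners are deployed to, so anything in that namespace that can read Secrets can decrypt every file encrypted to this recipient. The runner deployment is not part of this diff, so please confirm its service account has no `get`/`list` on secrets and that CI jobs cannot mount namespace secrets. A comment above `files:` would also help, for example `# age.agekey is git-ignored (flux/.env.d/.gitignore); provision it out of band before running apply-flux.sh`, since the kustomize build fails when the file is absent.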
diff --git a/services/casa-vlan-cicd-runners/ops-scripts/apply-app.sh b/services/casa-vlan-cicd-runners/ops-scripts/apply-app.sh deleted file mode 100755 index 1f871be..0000000 --- a/services/casa-vlan-cicd-runners/ops-scripts/apply-app.sh +++ /dev/null @@ -1,4 +0,0 @@ -#!/bin/bash -set -e -NAMESPACE=casa-vlan-cicd -kubectl kustomize ./services/casa-vlan-cicd-runners/deploy | kubectl --namespace ${NAMESPACE} apply -f - \ No newline at end of file diff --git a/services/casa-vlan-cicd-runners/ops-scripts/apply-flux.sh b/services/casa-vlan-cicd-runners/ops-scripts/apply-flux.sh new file mode 100755 index 0000000..a7cb73a --- /dev/null +++ b/services/casa-vlan-cicd-runners/ops-scripts/apply-flux.sh @@ -0,0 +1,4 @@ +#!/bin/bash +set -e +NAMESPACE=casa-vlan-cicd +kubectl kustomize ./services/casa-vlan-cicd-runners/deploy/flux | kubectl --namespace ${NAMESPACE} apply -f - \ No newline at end of file diff --git a/services/casa-vlan-cicd-runners/ops-scripts/apply-infra.sh b/services/casa-vlan-cicd-runners/ops-scripts/apply-infra.sh deleted file mode 100755 index c9618b0..0000000 --- a/services/casa-vlan-cicd-runners/ops-scripts/apply-infra.sh +++ /dev/null @@ -1,4 +0,0 @@ -#!/bin/bash -set -e -NAMESPACE=casa-vlan-cicd -kubectl create namespace ${NAMESPACE} || true diff --git a/services/node-red/.gitignore b/services/node-red/.gitignore deleted file mode 100644 index c5d7d92..0000000 --- a/services/node-red/.gitignore +++ /dev/null @@ -1 +0,0 @@ -**.dec.** \ No newline at end of file diff --git a/services/node-red/README.md b/services/node-red/README.md index 8764a72..3f831fd 100644 --- a/services/node-red/README.md +++ b/services/node-red/README.md @@ -1,6 +1,5 @@ # node-red - ``` bash #npm install bcryptjs node -e "console.log(require('bcryptjs').hashSync(process.argv[1], 8));" YOUR-PASSWORD diff --git a/services/node-red/deploy/app/.gitignore b/services/node-red/deploy/app/.gitignore deleted file mode 100644 index 3aaad90..0000000 
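Review bot: `apply-flux.sh` builds `./services/casa-vlan-cicd-runners/deploy/flux`, but this commit creates the Flux manifests under `services/casa-vlan-cicd-runners/flux/`, so `kubectl kustomize` will fail on a missing directory; the line should read `kubectl kustomize ./services/casa-vlan-cicd-runners/flux | kubectl --namespace "${NAMESPACE}" apply -f -`. The path is also relative to the repository root while the new README invokes `./ops-scripts/apply-flux.sh` as if from the service directory, so resolving it from the script location with `"$(dirname "$0")/../flux"` would make both work. With `apply-infra.sh` deleted nothing in this directory creates the `casa-vlan-cicd` namespace any more, and `set -e` alone does not stop on a failing `kubectl kustomize` on the left side of the pipe; `set -o pipefail` would.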
--- a/services/node-red/deploy/app/.gitignore +++ /dev/null @@ -1 +0,0 @@ -node-red-settings.js \ No newline at end of file