From 5ba9c8ae7bbc4d2a62cc891c3b1921606f7cb0ec Mon Sep 17 00:00:00 2001 
From: JJGadgets Date: Tue, 21 May 2024 13:49:34 +0800 Subject: [PATCH] feat!: Flux localhost bootstrap from 1P, add Sinon cluster - installs Flux in hostNetwork mode binded to localhost to new clusters - rework Taskfiles for new bootstrap flow, including loading secrets direct from 1Password with no SOPS for secret zero - use 1Password for both talsecret and talenv for talhelper genconfig - remove SOPS secrets - add Sinon cluster, used as NAS - cleanup ExternalSecret and 1P Connect's Flux ks for smoother bootstrap - try out 1Password Connect as extraContainer in external-secrets deployment to avoid secrets going over network - general cleanup --- .../clusters/biohazard/flux/flux-install.yaml | 0 .gitignore | 6 + .rtx.toml => .mise.toml | 26 +- .taskfiles/1p/Taskfile.dist.yaml | 0 .taskfiles/bootstrap/Taskfile.dist.yaml | 72 ++++ .taskfiles/flux/Taskfile.dist.yaml | 15 +- .taskfiles/k8s/Taskfile.dist.yaml | 26 +- .taskfiles/pg/Taskfile.dist.yaml | 31 +- .taskfiles/talos/Taskfile.dist.yaml | 40 +- .taskfiles/volsync/Taskfile.dist.yaml | 200 ++++----- .vscode/settings.json | 2 +- Taskfile.dist.yaml | 9 +- kube/bootstrap/README.md | 5 + .../flux/flux-install-localhost.yaml | 24 +- kube/bootstrap/flux/kustomization.yaml | 5 - .../biohazard/flux/externalsecret.yaml | 48 +++ kube/clusters/biohazard/flux/flux-repo.yaml | 23 +- .../biohazard/flux/kustomization.yaml | 5 +- .../biohazard/flux/secrets-age.sops.yaml | 39 -- .../biohazard/flux/secrets-ssh.sops.yaml | 40 -- kube/clusters/biohazard/talos/talconfig.yaml | 27 +- .../biohazard/talos/talsecret.sops.yaml | 45 -- kube/clusters/biohazard/talos/talsecret.yaml | 23 ++ .../clusters/hercules/config/secrets.sops.env | 159 ------- kube/clusters/hercules/config/vars.sops.env | 183 --------- .../hercules/talos/install-from-rescue.sh | 14 + kube/clusters/nuclear/config/secrets.sops.env | 79 ---- kube/clusters/nuclear/config/vars.sops.env | 138 ------- .../nuclear/flux/secrets-age.sops.yaml | 38 -- 
.../nuclear/flux/secrets-ssh.sops.yaml | 40 -- .../nuclear/talos/talsecret.sops.yaml | 45 -- kube/clusters/sinon/README.md | 10 + .../sinon/config/externalsecret-secrets.yaml | 20 + .../sinon/config/externalsecret-vars.yaml | 23 ++ kube/clusters/sinon/config/kustomization.yaml | 20 + kube/clusters/sinon/flux/externalsecret.yaml | 48 +++ kube/clusters/sinon/flux/flux-repo.yaml | 387 ++++++++++++++++++ kube/clusters/sinon/flux/kustomization.yaml | 129 ++++++ kube/clusters/sinon/talos/talconfig.yaml | 203 +++++++++ kube/clusters/sinon/talos/talsecret.yaml | 23 ++ .../app/config/biohazard/helm-values.yaml | 14 +- .../cilium/app/config/sinon/helm-values.yaml | 110 +++++ .../app/config/sinon/kustomization.yaml | 16 + .../core/_networking/cilium/app/hr.yaml | 3 +- .../netpols/cluster-default-kube-dns.yaml | 33 +- .../cilium/netpols/labelled-allow-egress.yaml | 60 ++- .../externalsecret-1password-credentials.yaml | 29 ++ .../core/secrets/external-secrets/app/hr.yaml | 93 ++++- .../secrets/external-secrets/app/netpol.yaml | 59 +++ .../stores/1password/clustersecretstore.yaml | 5 +- .../1password/externalsecret-token.yaml | 23 ++ .../stores/1password/secrets.yaml | 9 - .../onepassword-connect/app/netpol.yaml | 22 +- .../core/secrets/onepassword-connect/ks.yaml | 3 +- kube/templates/test/app/es.yaml | 4 + kube/templates/test/app/hr.yaml | 152 +++---- 56 files changed, 1818 insertions(+), 1087 deletions(-) rename {kube => .archive/kube}/clusters/biohazard/flux/flux-install.yaml (100%) rename .rtx.toml => .mise.toml (55%) create mode 100644 .taskfiles/1p/Taskfile.dist.yaml create mode 100644 .taskfiles/bootstrap/Taskfile.dist.yaml create mode 100644 kube/bootstrap/README.md rename kube/{clusters/biohazard => bootstrap}/flux/flux-install-localhost.yaml (93%) delete mode 100644 kube/bootstrap/flux/kustomization.yaml create mode 100644 kube/clusters/biohazard/flux/externalsecret.yaml delete mode 100644 kube/clusters/biohazard/flux/secrets-age.sops.yaml delete mode 100644 
kube/clusters/biohazard/flux/secrets-ssh.sops.yaml delete mode 100755 kube/clusters/biohazard/talos/talsecret.sops.yaml create mode 100644 kube/clusters/biohazard/talos/talsecret.yaml delete mode 100644 kube/clusters/hercules/config/secrets.sops.env delete mode 100644 kube/clusters/hercules/config/vars.sops.env create mode 100644 kube/clusters/hercules/talos/install-from-rescue.sh delete mode 100644 kube/clusters/nuclear/config/secrets.sops.env delete mode 100644 kube/clusters/nuclear/config/vars.sops.env delete mode 100644 kube/clusters/nuclear/flux/secrets-age.sops.yaml delete mode 100644 kube/clusters/nuclear/flux/secrets-ssh.sops.yaml delete mode 100755 kube/clusters/nuclear/talos/talsecret.sops.yaml create mode 100644 kube/clusters/sinon/README.md create mode 100644 kube/clusters/sinon/config/externalsecret-secrets.yaml create mode 100644 kube/clusters/sinon/config/externalsecret-vars.yaml create mode 100644 kube/clusters/sinon/config/kustomization.yaml create mode 100644 kube/clusters/sinon/flux/externalsecret.yaml create mode 100644 kube/clusters/sinon/flux/flux-repo.yaml create mode 100644 kube/clusters/sinon/flux/kustomization.yaml create mode 100755 kube/clusters/sinon/talos/talconfig.yaml create mode 100644 kube/clusters/sinon/talos/talsecret.yaml create mode 100644 kube/deploy/core/_networking/cilium/app/config/sinon/helm-values.yaml create mode 100644 kube/deploy/core/_networking/cilium/app/config/sinon/kustomization.yaml create mode 100644 kube/deploy/core/secrets/external-secrets/app/externalsecret-1password-credentials.yaml create mode 100644 kube/deploy/core/secrets/external-secrets/app/netpol.yaml create mode 100644 kube/deploy/core/secrets/external-secrets/stores/1password/externalsecret-token.yaml delete mode 100644 kube/deploy/core/secrets/external-secrets/stores/1password/secrets.yaml 
diff --git a/kube/clusters/biohazard/flux/flux-install.yaml b/.archive/kube/clusters/biohazard/flux/flux-install.yaml similarity index 100% rename from kube/clusters/biohazard/flux/flux-install.yaml rename to .archive/kube/clusters/biohazard/flux/flux-install.yaml diff --git a/.gitignore b/.gitignore index d3bd8a533b..3a37d20489 100644 --- a/.gitignore +++ b/.gitignore @@ -16,5 +16,11 @@ clusterconfig/ .agekey Admins.txt GameUserSettings.ini +!ostree/*-jj.repo +ostree/*.repo *.sops.*.tmp *.code-workspace +*venv* +*venv*/** +.decrypted~* +.ignore~* diff --git a/.rtx.toml b/.mise.toml similarity index 55% rename from .rtx.toml rename to .mise.toml index 1975cf38f9..13ede524eb 100644 --- a/.rtx.toml +++ b/.mise.toml @@ -1,23 +1,25 @@ -[env] -KUBECTL_INTERACTIVE_DELETE = "true" -KUBECTL_COMMAND_HEADERS = "true" -#SSH_AUTH_SOCK = $(gpgconf --list-dirs agent-ssh-socket) - [tools] -# kubectl = [""] -# krew = [""] -# kubectx = [""] +kubectl = ["1.29.2"] +krew = ["0.4.4"] +kubectx = ["0.9.5"] +fzf = ["0.52.1"] # used by kubectx interactive mode kustomize = ["5.3.0"] -# kubecolor = [""] -flux2 = ["2.2.3"] -talosctl = ["1.5.4", "1.3.6"] +flux2 = "2.2.3" +talosctl = ["1.6.7", "1.5.4", "1.3.6"] talhelper = ["1.16.2"] cilium-cli= ["0.15.14"] 1password-cli = ["2.24.0"] restic = ["0.16.4"] k9s = ["0.32.4"] - +soft-serve = ["0.7.4"] #pulumi = ["3.95.0"] +python = ["3.11"] + +[env] +KUBECTL_INTERACTIVE_DELETE = "true" +KUBECTL_COMMAND_HEADERS = "true" +#SSH_AUTH_SOCK = $(gpgconf --list-dirs agent-ssh-socket) +_.python.venv = { path = ".venv", create = true } # create the venv if it doesn't exist [plugins] talhelper = "https://github.com/bjw-s/asdf-talhelper.git" diff --git a/.taskfiles/1p/Taskfile.dist.yaml b/.taskfiles/1p/Taskfile.dist.yaml new file mode 100644 index 0000000000..e69de29bb2 diff --git a/.taskfiles/bootstrap/Taskfile.dist.yaml b/.taskfiles/bootstrap/Taskfile.dist.yaml new file mode 100644 index 0000000000..9d087d5a5c --- /dev/null 
+++ b/.taskfiles/bootstrap/Taskfile.dist.yaml 
@@ -0,0 +1,72 @@ +--- +# Tasks related to multi-cluster or cluster-level management, e.g. bootstrap +version: "3" + +includes: + flux: + internal: true + taskfile: ../flux + +vars: + C: '{{.C | default "biohazard"}}' + # APPLY: '{{.APPLY | default "0"}}' + +tasks: + 1p-vars-env-yq: + vars: + C: &c '{{ or .C (fail "Missing C environment variable for cluster!") }}' + OUT: &out '{{ .OUT | default "yaml" }}' + cmds: + - op item get --vault {{.C}} ".{{.C}}-vars" --format=json | yq --input-format json --output-format {{ .OUT | default "yaml" }} '.fields | with(.[]; (.label | key) = "key") | (.[] | select(has("value") | not) | .value) |= "" | from_entries' + + 1p-vars-env-shell: + aliases: [1penv, openv] + vars: + C: *c + # OUT: *out + PRE_ARGS: '{{.PRE_ARGS}}' + POST_ARGS: '{{.POST_ARGS}}' + cmds: + - | + {{.PRE_ARGS}}op item get --vault {{.C}} ".{{.C}}-vars" --format=json | yq --input-format json '.fields | with(.[]; (.label | key) = "key") | (.[] | select(has("value") | not) | .value) |= "" | map(.key + "=" + (.value | @sh)) | .[]'{{.POST_ARGS}} {{.CLI_ARGS}} + + 1p-vars-env-run: + dir: '{{.USER_WORKING_DIR}}' + vars: + C: &c '{{ or .C (fail "Missing C environment variable for cluster!") }}' + # OUT: *out + cmds: + - export $(task --taskfile /{{.ROOT_DIR}}/Taskfile.dist.yaml 1p-vars-env-shell C={{.C}}); {{.CLI_ARGS}} + + k8s-1p-connect-load-credentials: + vars: + C: *c + cmds: + - kubectl get namespace external-secrets || kubectl create namespace external-secrets + - kubectl get namespace onepassword-connect || kubectl create namespace onepassword-connect + # - kubectl delete secret -n onepassword-connect onepassword-connect-secrets || true + - op read "op://{{.C}}/$(op item get --vault {{.C}} '{{.C}} Credentials File' --format=json | yq '.id')/1password-credentials.json" | kubectl create secret -n external-secrets generic onepassword-connect-secrets --from-file=1password-credentials.json=/dev/stdin + - op read "op://{{.C}}/$(op item get --vault {{.C}} '{{.C}} 
Credentials File' --format=json | yq '.id')/1password-credentials.json" | kubectl create secret -n onepassword-connect generic onepassword-connect-secrets --from-file=1password-credentials.json=/dev/stdin + # - kubectl rollout restart -n onepassword-connect deploy/onepassword-connect || true + + bootstrap: + aliases: [bs] + desc: Bootstrap Kubernetes to a GitOps managed stage after OS install. + vars: + C: *c + cmds: + - | + kubectx || kubectl config current-context; read -p "BOOTSTRAP + Press ENTER to confirm the Kubernetes context to bootstrap, or Control+C to exit. + > "; read -p "RECONFIRM: Press ENTER again to really confirm. + > " + - task: flux:install + - task: k8s-1p-connect-load-credentials + vars: + C: *c + - task: 1p-vars-env-shell + vars: + C: *c + POST_ARGS: " | kubectl create secret generic -n flux-system sinon-vars --from-env-file=/dev/stdin" + - kubectl create secret generic -n flux-system sinon-secrets # currently nothing hopefully maybe? + - op read "op://{{.C}}/Flux/agekey" | kubectl create secret generic -n flux-system agekey --from-file=age.agekey=/dev/stdin \ No newline at end of file diff --git a/.taskfiles/flux/Taskfile.dist.yaml b/.taskfiles/flux/Taskfile.dist.yaml index bf5f70e67f..b2875b900e 100644 --- a/.taskfiles/flux/Taskfile.dist.yaml +++ b/.taskfiles/flux/Taskfile.dist.yaml 
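Review bot: The `op read … | kubectl create secret … --from-file=…=/dev/stdin` pipelines in `k8s-1p-connect-load-credentials` and at the end of `bootstrap` run without `pipefail`, so when `op` fails (not signed in, item missing) the step reports kubectl's status. The cluster can then end up with an empty `onepassword-connect-secrets` or `agekey` secret after what looks like a successful bootstrap. Adding `set: [pipefail]` at the top of this Taskfile makes the step fail instead. Separately, `bootstrap` takes `C` but hard-codes `sinon-vars` and `sinon-secrets`; `{{.C}}-vars` and `{{.C}}-secrets` would keep the secret names in line with the cluster being bootstrapped.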
@@ -6,8 +6,21 @@ version: "3" tasks: install: + vars: + FLUXDIR: + sh: mktemp -d + # renovate: datasource=docker depName=ghcr.io/fluxcd/flux-manifests + FLUX_DEFAULT_VERSION: "v2.2.3" + FLUXVER: '{{ .FLUXVER | default .FLUX_DEFAULT_VERSION }}' + C: '{{ .C | default "biohazard" }}' cmds: - - kubectl apply --server-side --kustomize /{{.ROOT_DIR}}/kube/bootstrap/flux/ + #- defer: rm {{.FLUXDIR}}/*.yaml && rmdir {{.FLUXDIR}} + - flux pull artifact oci://ghcr.io/fluxcd/flux-manifests:{{.FLUXVER}} --output {{.FLUXDIR}} + - | + kubectx || kubectl config current-context; read -p "Press ENTER to confirm the Kubernetes context to install Flux to, or Control+C to exit. + > " + - flux build kustomization zzz-flux --path {{.FLUXDIR}} --kustomization-file /{{.ROOT_DIR}}/kube/bootstrap/flux/flux-install-localhost.yaml --dry-run | kubectl delete -f - + - flux build kustomization zzz-flux --path {{.FLUXDIR}} --kustomization-file /{{.ROOT_DIR}}/kube/bootstrap/flux/flux-install-localhost.yaml --dry-run | kubectl apply --server-side -f - get-all-watch: aliases: [ga, fga, getall] diff --git a/.taskfiles/k8s/Taskfile.dist.yaml b/.taskfiles/k8s/Taskfile.dist.yaml index 9d94248f53..bc301f71fa 100644 --- a/.taskfiles/k8s/Taskfile.dist.yaml +++ b/.taskfiles/k8s/Taskfile.dist.yaml @@ -25,12 +25,13 @@ tasks: NAME: &name-fail '{{ or .NAME (fail "Missing `NAME` environment variable!") }}' NS: *ns-fail cmds: - - until [[ $(kubectl -n {{.NS}} get pod {{.NAME}} -o jsonpath='{.items[*].status.phase}') == "Pending" ]]; do sleep 1; done + - | + until [[ $(kubectl -n {{.NS}} get pod {{.NAME}} -o jsonpath='{.items[*].status.phase}') == "Pending" ]]; do sleep 1; done wait-pod-running: aliases: [waitr] internal: true - desc: Wait for a job's pod to change its status to running + desc: "Wait for a job's pod to change its status to running" vars: NAME: *name-fail NS: *ns-fail 
@@ -44,7 +45,8 @@ tasks: NAME: *name-fail NS: *ns-fail cmds: - - until kubectl wait pod -n {{.NS}} {{.NAME}} --for-jsonpath='{.items[*].status.phase}'=Running --timeout=-; do sleep 1; done + - | + until kubectl wait pod -n {{.NS}} {{.NAME}} --for-jsonpath='{.items[*].status.phase}'=Running --timeout=-; do sleep 1; done wait-pod-ready: internal: true @@ -134,8 +136,8 @@ tasks: shortnames: desc: List all installed CRDs and their short names. cmds: - - |- - kubectl get crds -o jsonpath='{range .items[*]}{.spec.names.kind}: {.spec.names.shortNames}{"\n"}{end}' + - | + kubectl get crds -o jsonpath '{range .items[*]}{.spec.names.kind}: {.spec.names.shortNames}{"\n"}{end}' clear-old-pods: aliases: [cop] @@ -147,6 +149,20 @@ tasks: kubectl delete pod -A --field-selector=status.phase==Succeeded || true; done + delete-stuck-pvc: + aliases: [delpvc] + desc: Delete PVC which is stuck, e.g. if it's a local-path PVC and the node has been wiped and reset. + vars: + NS: '{{ or .NS (fail "Missing `NS` environment variable!") }}' + PVC: '{{ or .PVC (fail "Missing `PVC` environment variable!") }}' + cmds: + - | + kubectl delete pvc -n {{.NS}} {{.PVC}} --wait=false + - | + kubectl patch pvc -n {{.NS}} {{.PVC}} --type='json' -p '[{"op": "remove", "path": "/metadata/finalizers"}]' + - | + until kubectl wait --for=delete pvc -n {{.NS}} {{.PVC}} --timeout=3600s; do sleep 1; done + iperf2: desc: Start a iperf2 server on one node, and iperf2 client on another node, to benchmark network performance. dir: "/{{.ROOT_DIR}}/.taskfiles/k8s/template/iperf2" diff --git a/.taskfiles/pg/Taskfile.dist.yaml b/.taskfiles/pg/Taskfile.dist.yaml index 391c5d90ec..4d65391388 100644 --- a/.taskfiles/pg/Taskfile.dist.yaml +++ b/.taskfiles/pg/Taskfile.dist.yaml @@ -6,7 +6,7 @@ version: "3" # NS: '{{.NS | default "pg"}}' tasks: - rw: + cnpg-rw: desc: Get current CloudNativePG master (writable) instance to run command against. dir: "{{.USER_WORKING_DIR}}" vars: 
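Review bot: The `shortnames` command changes `-o jsonpath='{range …}'` to `-o jsonpath '{range …}'`. With a space instead of `=`, kubectl gets `jsonpath` with no template and sees the quoted template as a separate argument, so the task presumably fails. Keep the original form, `-o jsonpath='{range .items[*]}{.spec.names.kind}: {.spec.names.shortNames}{"\n"}{end}'`.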
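Review bot: `delete-stuck-pvc` strips every finalizer from the PVC with a JSON patch and asks for no confirmation, unlike `bootstrap` in this commit, which makes the operator confirm the kube context twice. Removing the finalizers lets the PVC be deleted even while a pod still mounts it, so a wrong `NS`/`PVC` or the wrong context can lose data. A `prompt:` on the task, or the same `kubectl config current-context; read -p …` guard, would fit here. The `remove` op is also expected to error when the PVC has no finalizers, which would abort the task before the wait step.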
@@ -22,6 +22,25 @@ tasks: cmds: - kubectl get clusters.postgresql.cnpg.io -n {{.NS}} {{.PG}} -o yaml | yq '.status.currentPrimary' | xargs -o -I% kubectl -n {{.NS}} {{.CLI_ARGS}} + crunchy-master: + desc: Get current Crunchy-PGO master (writable) instance to run command against. + dir: "{{.USER_WORKING_DIR}}" + vars: + APP: "{{.APP}}" + PG: &pg-default + sh: |- + [[ -n "{{.PG}}" ]] && ( echo -n "{{.PG}}" && exit 0 ) || ( [[ -n "{{.APP}}" ]] && echo -n "pg-{{.APP}}" || echo -n "pg-default" ) + NS: &ns-default + sh: |- + [[ -n "{{.NS}}" ]] && echo -n "{{.NS}}" || ( [[ -n "{{.APP}}" ]] && echo -n "{{.APP}}" || echo -n "pg" ) + MASTER: + sh: |- + kubectl get pod -n {{.NS}} -l postgres-operator.crunchydata.com/cluster={{.PG}},postgres-operator.crunchydata.com/role=master -o name + # PG: '{{ or .PG (fail "Missing `PG` environment variable!") }}' + # NS: &ns-default '{{.NS | default "pg"}}' + cmds: + - kubectl exec -it -n {{.NS}} {{.MASTER}} --container database -- {{.CLI_ARGS}} + adminer: desc: Use kubectl netshoot krew plugin to deploy adminer as sidecar to the current primary CNPG replica pod. dir: "{{.USER_WORKING_DIR}}" @@ -98,3 +117,13 @@ tasks: cmds: - kubectl exec -it --container database -n {{.NS}} {{.CRUNCHY_PRIMARY}} -- /bin/bash -c 'rm -rf {{.CP_DIR}}/dump.psql && pg_dump --dbname {{.DBNAME}} {{.ARGS}} --file {{.CP_DIR}}/dump.psql' - kubectl cp --container database {{.NS}}/{{.CRUNCHY_PRIMARY}}:{{.CP_DIR}}/dump.psql {{.DUMP}} + + crunchy-expire: + desc: Expire unused backups on dedicated pgBackRest repo host pod of a CrunchyData Postgres cluster. + dir: "{{.USER_WORKING_DIR}}" + vars: + APP: "{{.APP}}" + PG: *pg-default + NS: *ns-default + cmds: + - kubectl get pods -n {{.NS}} -l postgres-operator.crunchydata.com/pgbackrest-dedicated=,postgres-operator.crunchydata.com/cluster={{.PG}} -o name | xargs -oI% kubectl exec -it -n {{.NS}} % -c pgbackrest -- pgbackrest expire --stanza=db --repo=1 --repo1-retention-full=1 --repo1-retention-diff=1 
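Review bot: `crunchy-expire` passes `--repo1-retention-full=1 --repo1-retention-diff=1` on the command line, which takes precedence over the retention configured for the cluster and leaves a single full backup once it has run. The `desc` says only "Expire unused backups". Since this shrinks the recovery window in one unprompted command, state the effect in `desc` (for example `desc: Expire pgBackRest backups down to 1 full + 1 diff on repo1 (destructive)`) and add a `prompt:` to the task. The stanza `db` and repo `1` are hard-coded as well; a comment should say whether every cluster uses those names.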
diff --git a/.taskfiles/talos/Taskfile.dist.yaml b/.taskfiles/talos/Taskfile.dist.yaml index 64478b3fc1..df676339e4 100644 --- a/.taskfiles/talos/Taskfile.dist.yaml +++ b/.taskfiles/talos/Taskfile.dist.yaml @@ -8,6 +8,9 @@ includes: cluster: internal: true taskfile: ../cluster + # bootstrap: + # internal: true + # taskfile: ../bootstrap vars: C: '{{.C | default "biohazard"}}' 
@@ -18,12 +21,27 @@ tasks: dir: "/{{.ROOT_DIR}}/kube/clusters/{{.C}}/talos" vars: C: '{{ or .C (fail "Missing C environment variable for cluster!") }}' + # dotenv: + # - "/{{.ROOT_DIR}}/.taskfiles/talos/talhelper-secrets-1p.env" + env: + cluster_id: "op://{{.C}}/.{{.C}}-talos/Secrets/cluster_id" + cluster_secret: "op://{{.C}}/.{{.C}}-talos/Secrets/cluster_secret" + secrets_bootstraptoken: "op://{{.C}}/.{{.C}}-talos/Secrets/secrets_bootstraptoken" + secrets_secretboxencryptionsecret: "op://{{.C}}/.{{.C}}-talos/Secrets/secrets_secretboxencryptionsecret" + trustdinfo_token: "op://{{.C}}/.{{.C}}-talos/Secrets/trustdinfo_token" + certs_etcd_crt: "op://{{.C}}/.{{.C}}-talos/Secrets/certs_etcd_crt" + certs_etcd_key: "op://{{.C}}/.{{.C}}-talos/Secrets/certs_etcd_key" + certs_k8s_crt: "op://{{.C}}/.{{.C}}-talos/Secrets/certs_k8s_crt" + certs_k8s_key: "op://{{.C}}/.{{.C}}-talos/Secrets/certs_k8s_key" + certs_k8saggregator_crt: "op://{{.C}}/.{{.C}}-talos/Secrets/certs_k8saggregator_crt" + certs_k8saggregator_key: "op://{{.C}}/.{{.C}}-talos/Secrets/certs_k8saggregator_key" + certs_k8sserviceaccount_key: "op://{{.C}}/.{{.C}}-talos/Secrets/certs_k8sserviceaccount_key" + certs_os_crt: "op://{{.C}}/.{{.C}}-talos/Secrets/certs_os_crt" + certs_os_key: "op://{{.C}}/.{{.C}}-talos/Secrets/certs_os_key" cmds: - pwd - - sops --decrypt {{.ROOT_DIR}}/kube/clusters/{{.C}}/config/vars.sops.env | sops --config {{.ROOT_DIR}}/.sops-stdin.yaml --encrypt --output-type yaml --output ./talenv.sops.yaml /dev/stdin - - talhelper genconfig -e ./talenv.sops.yaml - - defer: rm -rf ./talenv.sops.yaml - + - op user get --me # check signin status, fail if not signed in + - op run -- task --taskfile /{{.ROOT_DIR}}/.taskfiles/bootstrap/Taskfile.dist.yaml 1p-vars-env-run C={{.C}} -- talhelper genconfig bootstrap: aliases: [bs] 
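Review bot: `genconfig` now hands talhelper its variables through `1p-vars-env-run`, and that task (in the bootstrap Taskfile of this commit) loads them with `export $(task … 1p-vars-env-shell C={{.C}})`, an unquoted command substitution. The shell does not re-parse the `@sh` quoting in the substituted text, so a value containing whitespace is split into separate words and any quote characters stay in the value. talhelper may then render a machine config from altered values without reporting an error. Emitting the assignments in a form the shell parses as code, or passing them to the consumer as an env file, avoids the splitting. A comment above `env:` such as `# 1Password secret references; only resolved inside 'op run'` would also tell readers that these strings are not the secrets themselves.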
@@ -42,13 +60,13 @@ tasks: - until talosctl kubeconfig --talosconfig /{{.ROOT_DIR}}/kube/clusters/{{.C}}/talos/clusterconfig/talosconfig --endpoints {{.IP}} --nodes {{.IP}} --context {{.C}} ; do sleep 1; done - | sed -i 's/current-context: admin@.*/current-context: admin@{{.C}}/g' ~/.kube/config || true - - task: cilium-bootstrap-apply - vars: - C: '{{.C | default "biohazard"}}' - - task: cluster:cluster-init-config - vars: - C: '{{.C | default "biohazard"}}' - APPLY: "1" + # - task: cilium-bootstrap-apply + # vars: + # C: '{{.C | default "biohazard"}}' + # - task: cluster:cluster-init-config + # vars: + # C: '{{.C | default "biohazard"}}' + # APPLY: "1" reboot: desc: Reboot nodes based on Kubernetes InternalIP. Assumes only 1 IP in InternalIP, and the IP known to Kubernetes is the same used by `talosctl`. diff --git a/.taskfiles/volsync/Taskfile.dist.yaml b/.taskfiles/volsync/Taskfile.dist.yaml index 3205947503..646ee40681 100644 --- a/.taskfiles/volsync/Taskfile.dist.yaml +++ b/.taskfiles/volsync/Taskfile.dist.yaml 
@@ -25,103 +25,103 @@ tasks: REPO: *restic-repo cmds: - env $(kubectl get secrets -n {{.NS}} {{.REPO}} -o yaml | yq '.data | to_entries | map(.key + "=" + (.value | @base64d | @sh)) | join("\n")') restic {{.CLI_ARGS}} - restore: - desc: Restore VolSync data into PVCs - dir: "/{{.ROOT_DIR}}/.taskfiles/volsync/template" - vars: &restore-vars - # APP: '{{ or .APP (fail "Missing `APP` environment variable!") }}' - NS: - sh: |- - [[ -n "{{.RSRC}}" ]] && echo "{{.RSRC}}" || [[ -n "{{.APP}}" ]] && echo "{{.APP}}" || ( echo "Missing NS or APP environment variable for Namespace!"; exit 1 ) - # RSRC: '{{ or .RSRC (fail "Missing `RSRC` environment variable!") }}' - RSRC: - sh: |- - [[ -n "{{.RSRC}}" ]] && echo "{{.RSRC}}" || [[ -n "{{.APP}}" ]] && echo "{{.APP}}-restic" || ( echo "Missing RSRC or APP environment variable for VolSync ReplicationSource!"; exit 1 ) - REPO: - sh: |- - [[ -n "{{.REPO}}" ]] && echo "{{.REPO}}" || kubectl get replicationsource -n {{.NS}} {{.RSRC}} -o jsonpath='{.spec.restic.repository}' - KS: - sh: |- - [[ -n "{{.KS}}" ]] && echo "{{.KS}}" || kubectl get replicationsource -n {{.NS}} {{.RSRC}} -o jsonpath='{.metadata.labels.kustomize\.toolkit\.fluxcd\.io/name}' - PVC: - sh: |- - [[ -n "{{.PVC}}" ]] && echo "{{.PVC}}" || kubectl get replicationsource -n {{.NS}} {{.RSRC}} -o jsonpath='{.spec.sourcePVC}' - SC: - sh: |- - [[ -n "{{.SC}}" ]] && echo "{{.SC}}" || kubectl get pvc -n {{.NS}} {{.PVC}} -o jsonpath='{.spec.storageClassName}' - APP: - sh: |- - [[ -n "{{.APP}}" ]] && echo "{{.APP}}" || kubectl get pvc -n {{.NS}} {{.PVC}} -o jsonpath="{.metadata.labels.app\.kubernetes\.io/name}" - CTRL: - sh: |- - ( [[ -n "{{.CTRL}}" && -n "{{.APP}}" ]] && echo "{{.CTRL}}/{{.APP}}" ) || ( [[ -z "{{.CTRL}}" ]] && kubectl get -n {{.NS}} deployments.apps/{{.APP}} 2>&1 2>/dev/null && echo "deployments.apps/{{.APP}}" || echo "statefulsets.apps/{{.APP}}" ) - RESTORE: - sh: |- - [[ -n "{{.PREV}}" ]] && echo "{{.PREV}}" || [[ -n "{{.ASOF}}" ]] && echo "{{.ASOF}}" || ( 
echo "Missing PREV or ASOF environment variable to select snapshot to restore!"; exit 1 ) - RSRCDEL: '{{ .RSRCDEL | default "true" }}' - RUID: - sh: |- - kubectl get replicationsource -n {{.NS}} {{.RSRC}} -o jsonpath='{.spec.restic.moverSecurityContext.runAsUser}' - RGID: - sh: |- - kubectl get replicationsource -n {{.NS}} {{.RSRC}} -o jsonpath='{.spec.restic.moverSecurityContext.runAsGroup}' - RFSG: - sh: |- - kubectl get replicationsource -n {{.NS}} {{.RSRC}} -o jsonpath='{.spec.restic.moverSecurityContext.fsGroup}' - RSRCYAML: - sh: |- - kubectl get replicationsource -n {{.NS}} {{.RSRC}} -o yaml | yq 'del(.metadata["uid", "resourceVersion", "creationTimestamp", "generation"],.status,.metadata.annotations."kubectl.kubernetes.io/last-applied-configuration")' | tee ./rsrc.tmp.yaml - STSDEL: '{{ .STSDEL | default "false" }}' # delete StatefulSet PVC before recreating - STSREC: '{{ .STSREC | default "false" }}' # scale up and down StatefulSet to create PVC - env: # pass Task vars as env vars, can't anchor vars to env as values will be duplicated - NS: '{{.NS}}' - RSRC: '{{.RSRC}}' - REPO: '{{.REPO}}' - KS: '{{.KS}}' - PVC: '{{.PVC}}' - SC: '{{.SC}}' - APP: '{{.APP}}' - CTRL: '{{.CTRL}}' - RESTORE: '{{.RESTORE}}' - TIMENOW: '{{.TIMENOW}}' - RUID: '{{.RUID}}' - RGID: '{{.RGID}}' - RFSG: '{{.RFSG}}' - STSDEL: '{{.STSDEL}}' - STSREC: '{{.STSREC}}' # StatefulSet recreate PVC by scaling up and down # TODO: currently assumes 1 replica and 1 VCT PVC - # RSRCYAML: '{{.RSRCYAML}}' - cmds: - # - echo ${RDESTYAML} - # - echo ${RSRCYAML} - - |- # if true, delete StatefulSet PVC - [[ "{{.STSDEL}}" == "true" ]] && kubectl delete pvc -n {{.NS}} {{.PVC}} - - |- # if not false, scale up and down StatefulSet to recreate PVC - [[ "{{.STSREC}}" != "false" ]] && kubectl patch -n {{.NS}} {{.CTRL}} --type merge -p '{"spec":{"template":{"spec":{"nodeSelector":{"recreate-sts-pvc.volsync.home.arpa":"$TIMENOW"}}}}}' && kubectl scale -n {{.NS}} {{.CTRL}} --replicas 1 && kubectl scale -n {{.NS}} 
{{.CTRL}} --replicas 0 && until kubectl wait --for=jsonpath='{.status.phase}'=Bound -n {{.NS}} pvc/{{.PVC}}; do sleep 1; done && kubectl patch -n {{.NS}} {{.CTRL}} --type=json -p='[{"op": "remove", "path": "/spec/template/spec/nodeSelector/recreate-sts-pvc.volsync.home.arpa"}]' - - echo "{{.RSRCYAML}}" - - echo ${RSRC} ${NS} ${REPO} ${KS} ${PVC} ${SC} ${APP} ${CTRL} ${RESTORE} - - |- - [[ "{{.RSRCDEL}}" != "false" ]] && echo "{{.RSRCYAML}}" | yq | kubectl delete -f - - # [[ "{{.RSRCDEL}}" != "false" ]] && kubectl delete -f ./rsrc.tmp.yaml - - task: k8s:scale-to-0 - vars: - <<: *restore-vars - REASON: 'volsync-restore-{{.RSRC}}-{{.PVC}}-{{.TIMENOW}}' - - cat ./wipe-pvc.tmpl.yaml | envsubst | kubectl apply -f - - - task: k8s:wait-finish - vars: - NAME: 'wipe-{{.PVC}}-{{.TIMENOW}}' - NS: '{{.NS}}' - - |- - cat ./ReplicationDestination.tmpl.yaml | envsubst | ( [[ -n "{{.PREV}}" ]] && yq '.spec.restic.previous = {{.PREV}}' || [[ -n "{{.ASOF}}" ]] && yq '.spec.restic.restoreAsOf = "{{.ASOF}}"' || exit 1 ) | kubectl apply -f - - - task: k8s:wait-finish - vars: - NAME: 'volsync-dst-{{.PVC}}-{{.TIMENOW}}' - NS: '{{.NS}}' - - cat ./ReplicationDestination.tmpl.yaml | envsubst | kubectl delete -f - - - task: k8s:scale-back-up - vars: - <<: *restore-vars - - defer: |- - [[ "{{.RSRCDEL}}" != "false" ]] && echo "{{.RSRCYAML}}" | yq | kubectl apply -f - - # [[ "{{.RSRCDEL}}" != "false" ]] && kubectl apply -f ./rsrc.tmp.yaml - - defer: rm ./rsrc.tmp.yaml \ No newline at end of file + #restore: + # desc: Restore VolSync data into PVCs + # dir: "/{{.ROOT_DIR}}/.taskfiles/volsync/template" + # vars: &restore-vars + # # APP: '{{ or .APP (fail "Missing `APP` environment variable!") }}' + # NS: + # sh: |- + # [[ -n "{{.RSRC}}" ]] && echo "{{.RSRC}}" || [[ -n "{{.APP}}" ]] && echo "{{.APP}}" || ( echo "Missing NS or APP environment variable for Namespace!"; exit 1 ) + # # RSRC: '{{ or .RSRC (fail "Missing `RSRC` environment variable!") }}' + # RSRC: + # sh: |- + # [[ -n "{{.RSRC}}" ]] && 
echo "{{.RSRC}}" || [[ -n "{{.APP}}" ]] && echo "{{.APP}}-restic" || ( echo "Missing RSRC or APP environment variable for VolSync ReplicationSource!"; exit 1 ) + # REPO: + # sh: |- + # [[ -n "{{.REPO}}" ]] && echo "{{.REPO}}" || kubectl get replicationsource -n {{.NS}} {{.RSRC}} -o jsonpath='{.spec.restic.repository}' + # KS: + # sh: |- + # [[ -n "{{.KS}}" ]] && echo "{{.KS}}" || kubectl get replicationsource -n {{.NS}} {{.RSRC}} -o jsonpath='{.metadata.labels.kustomize\.toolkit\.fluxcd\.io/name}' + # PVC: + # sh: |- + # [[ -n "{{.PVC}}" ]] && echo "{{.PVC}}" || kubectl get replicationsource -n {{.NS}} {{.RSRC}} -o jsonpath='{.spec.sourcePVC}' + # SC: + # sh: |- + # [[ -n "{{.SC}}" ]] && echo "{{.SC}}" || kubectl get pvc -n {{.NS}} {{.PVC}} -o jsonpath='{.spec.storageClassName}' + # APP: + # sh: |- + # [[ -n "{{.APP}}" ]] && echo "{{.APP}}" || kubectl get pvc -n {{.NS}} {{.PVC}} -o jsonpath="{.metadata.labels.app\.kubernetes\.io/name}" + # CTRL: + # sh: |- + # ( [[ -n "{{.CTRL}}" && -n "{{.APP}}" ]] && echo "{{.CTRL}}/{{.APP}}" ) || ( [[ -z "{{.CTRL}}" ]] && kubectl get -n {{.NS}} deployments.apps/{{.APP}} 2>&1 2>/dev/null && echo "deployments.apps/{{.APP}}" || echo "statefulsets.apps/{{.APP}}" ) + # RESTORE: + # sh: |- + # [[ -n "{{.PREV}}" ]] && echo "{{.PREV}}" || [[ -n "{{.ASOF}}" ]] && echo "{{.ASOF}}" || ( echo "Missing PREV or ASOF environment variable to select snapshot to restore!"; exit 1 ) + # RSRCDEL: '{{ .RSRCDEL | default "true" }}' + # RUID: + # sh: |- + # kubectl get replicationsource -n {{.NS}} {{.RSRC}} -o jsonpath='{.spec.restic.moverSecurityContext.runAsUser}' + # RGID: + # sh: |- + # kubectl get replicationsource -n {{.NS}} {{.RSRC}} -o jsonpath='{.spec.restic.moverSecurityContext.runAsGroup}' + # RFSG: + # sh: |- + # kubectl get replicationsource -n {{.NS}} {{.RSRC}} -o jsonpath='{.spec.restic.moverSecurityContext.fsGroup}' + # RSRCYAML: + # sh: |- + # kubectl get replicationsource -n {{.NS}} {{.RSRC}} -o yaml | yq 'del(.metadata["uid", 
"resourceVersion", "creationTimestamp", "generation"],.status,.metadata.annotations."kubectl.kubernetes.io/last-applied-configuration")' | tee ./rsrc.tmp.yaml + # STSDEL: '{{ .STSDEL | default "false" }}' # delete StatefulSet PVC before recreating + # STSREC: '{{ .STSREC | default "false" }}' # scale up and down StatefulSet to create PVC + # env: # pass Task vars as env vars, can't anchor vars to env as values will be duplicated + # NS: '{{.NS}}' + # RSRC: '{{.RSRC}}' + # REPO: '{{.REPO}}' + # KS: '{{.KS}}' + # PVC: '{{.PVC}}' + # SC: '{{.SC}}' + # APP: '{{.APP}}' + # CTRL: '{{.CTRL}}' + # RESTORE: '{{.RESTORE}}' + # TIMENOW: '{{.TIMENOW}}' + # RUID: '{{.RUID}}' + # RGID: '{{.RGID}}' + # RFSG: '{{.RFSG}}' + # STSDEL: '{{.STSDEL}}' + # STSREC: '{{.STSREC}}' # StatefulSet recreate PVC by scaling up and down # TODO: currently assumes 1 replica and 1 VCT PVC + # # RSRCYAML: '{{.RSRCYAML}}' + # cmds: + # # - echo ${RDESTYAML} + # # - echo ${RSRCYAML} + # - |- # if true, delete StatefulSet PVC + # [[ "{{.STSDEL}}" == "true" ]] && kubectl delete pvc -n {{.NS}} {{.PVC}} + # - |- # if not false, scale up and down StatefulSet to recreate PVC + # [[ "{{.STSREC}}" != "false" ]] && kubectl patch -n {{.NS}} {{.CTRL}} --type merge -p '{"spec":{"template":{"spec":{"nodeSelector":{"recreate-sts-pvc.volsync.home.arpa":"$TIMENOW"}}}}}' && kubectl scale -n {{.NS}} {{.CTRL}} --replicas 1 && kubectl scale -n {{.NS}} {{.CTRL}} --replicas 0 && until kubectl wait --for=jsonpath='{.status.phase}'=Bound -n {{.NS}} pvc/{{.PVC}}; do sleep 1; done && kubectl patch -n {{.NS}} {{.CTRL}} --type=json -p '[{"op": "remove", "path": "/spec/template/spec/nodeSelector/recreate-sts-pvc.volsync.home.arpa"}]' + # - echo "{{.RSRCYAML}}" + # - echo ${RSRC} ${NS} ${REPO} ${KS} ${PVC} ${SC} ${APP} ${CTRL} ${RESTORE} + # - |- + # [[ "{{.RSRCDEL}}" != "false" ]] && echo "{{.RSRCYAML}}" | yq | kubectl delete -f - + # # [[ "{{.RSRCDEL}}" != "false" ]] && kubectl delete -f ./rsrc.tmp.yaml + # - task: k8s:scale-to-0 
+ # vars: + # <<: *restore-vars + # REASON: 'volsync-restore-{{.RSRC}}-{{.PVC}}-{{.TIMENOW}}' + # - cat ./wipe-pvc.tmpl.yaml | envsubst | kubectl apply -f - + # - task: k8s:wait-finish + # vars: + # NAME: 'wipe-{{.PVC}}-{{.TIMENOW}}' + # NS: '{{.NS}}' + # - |- + # cat ./ReplicationDestination.tmpl.yaml | envsubst | ( [[ -n "{{.PREV}}" ]] && yq '.spec.restic.previous = {{.PREV}}' || [[ -n "{{.ASOF}}" ]] && yq '.spec.restic.restoreAsOf = "{{.ASOF}}"' || exit 1 ) | kubectl apply -f - + # - task: k8s:wait-finish + # vars: + # NAME: 'volsync-dst-{{.PVC}}-{{.TIMENOW}}' + # NS: '{{.NS}}' + # - cat ./ReplicationDestination.tmpl.yaml | envsubst | kubectl delete -f - + # - task: k8s:scale-back-up + # vars: + # <<: *restore-vars + # - defer: |- + # [[ "{{.RSRCDEL}}" != "false" ]] && echo "{{.RSRCYAML}}" | yq | kubectl apply -f - + # # [[ "{{.RSRCDEL}}" != "false" ]] && kubectl apply -f ./rsrc.tmp.yaml + # - defer: rm ./rsrc.tmp.yaml diff --git a/.vscode/settings.json b/.vscode/settings.json index b1a09e4248..ceb7e54ab9 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -43,7 +43,7 @@ "git.branchProtectionPrompt": "alwaysPrompt", "git.countBadge": "all", "git.enableCommitSigning": true, - "git.inputValidation": "warn", + "git.inputValidation": true, "git.mergeEditor": true, "git.terminalGitEditor": true, "git.terminalAuthentication": true, diff --git a/Taskfile.dist.yaml b/Taskfile.dist.yaml index bd83eec8d7..a94daafe12 100644 --- a/Taskfile.dist.yaml +++ b/Taskfile.dist.yaml @@ -2,9 +2,12 @@ version: "3" includes: - cluster: - aliases: [c] - taskfile: .taskfiles/cluster/Taskfile.dist.yaml + bootstrap: + aliases: [bs] + taskfile: .taskfiles/bootstrap/Taskfile.dist.yaml + # cluster: + # aliases: [c] + # taskfile: .taskfiles/cluster/Taskfile.dist.yaml flux: aliases: [f] taskfile: .taskfiles/flux/Taskfile.dist.yaml diff --git a/kube/bootstrap/README.md b/kube/bootstrap/README.md new file mode 100644 index 0000000000..51a81fc632 --- /dev/null 
+++ b/kube/bootstrap/README.md @@ -0,0 +1,5 @@ +# Bootstrap Kubernetes cluster + +1. Install Flux in hostNetwork mode binded to localhost +2. Load `${CLUSTER_NAME}-vars` (including 1Password and Hubble Vars) and 1Password Connect secrets (Connect credentials and ESO client token) from 1Password +3. Load root ks (flux-repo.yaml) which installs Cilium \ No newline at end of file diff --git a/kube/clusters/biohazard/flux/flux-install-localhost.yaml b/kube/bootstrap/flux/flux-install-localhost.yaml similarity index 93% rename from kube/clusters/biohazard/flux/flux-install-localhost.yaml rename to kube/bootstrap/flux/flux-install-localhost.yaml index c558012514..3228426d62 100644 --- a/kube/clusters/biohazard/flux/flux-install-localhost.yaml +++ b/kube/bootstrap/flux/flux-install-localhost.yaml @@ -9,7 +9,7 @@ spec: interval: 10m url: oci://ghcr.io/fluxcd/flux-manifests ref: - tag: v2.2.3 + tag: "${FLUXCD_VERSION:=v2.2.3}" --- apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization @@ -56,6 +56,16 @@ spec: path: /spec/template/spec/containers/0/readinessProbe - op: remove path: /spec/template/spec/containers/0/ports + - op: add + path: /spec/template/spec/containers/0/env/- + value: + name: KUBERNETES_SERVICE_HOST + value: "127.0.0.1" + - op: add + path: /spec/template/spec/containers/0/env/- + value: + name: KUBERNETES_SERVICE_PORT + value: "6443" - op: add path: /spec/template/spec/containers/0/env/- value: @@ -160,6 +170,13 @@ spec: target: kind: Deployment name: notification-controller + - patch: | + - op: add + path: /spec/template/spec/containers/0/args/- + value: --events-addr=http://127.0.0.1:9690/ + target: + kind: Deployment + name: "(kustomize-controller|helm-controller|source-controller)" # cgroups - patch: | - op: add 
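Review bot: The hunk at -56,6 pins `KUBERNETES_SERVICE_HOST` to `127.0.0.1` and `KUBERNETES_SERVICE_PORT` to `6443` without saying what must be listening there. This only works where the pod shares the host network with something serving the Kubernetes API on that port, and the hunk does not show whether the controllers are restricted to such nodes (the patch list starts outside the hunk). A comment above the two ops, for example `# hostNetwork bootstrap: reach the API server on the node's loopback so Flux can run before the CNI is installed`, together with the scheduling assumption, would document it. Because loopback in a hostNetwork pod is the node's loopback, any other process on the node can reach or occupy the port behind the plain-HTTP `--events-addr=http://127.0.0.1:9690/` added in the -160,6 hunk; that is worth recording as an accepted risk.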
@@ -191,9 +208,6 @@ spec: # Increase the number of reconciliations that can be performed in parallel and bump the resources limits # https://fluxcd.io/flux/cheatsheets/bootstrap/#increase-the-number-of-workers - patch: | - - op: add - path: /spec/template/spec/containers/0/args/- - value: --events-addr=http://127.0.0.1:9690/ - op: add path: /spec/template/spec/containers/0/args/- value: --concurrent=100 @@ -250,7 +264,7 @@ spec: - op: add path: /metadata/annotations value: - secret.reloader.stakater.com/reload: biohazard-vars,biohazard-secrets + secret.reloader.stakater.com/reload: biohazard-vars,biohazard-secrets,nuclear-vars,nuclear-secrets,herclues-vars,hercules-secrets,sinon-vars,sinon-secrets target: kind: Deployment name: kustomize-controller diff --git a/kube/bootstrap/flux/kustomization.yaml b/kube/bootstrap/flux/kustomization.yaml deleted file mode 100644 index 43223792a3..0000000000 --- a/kube/bootstrap/flux/kustomization.yaml +++ /dev/null @@ -1,5 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - github.com/fluxcd/flux2/manifests/install?ref=v2.2.3 diff --git a/kube/clusters/biohazard/flux/externalsecret.yaml b/kube/clusters/biohazard/flux/externalsecret.yaml new file mode 100644 index 0000000000..f8cc3a6805 --- /dev/null +++ b/kube/clusters/biohazard/flux/externalsecret.yaml 
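Review bot: The reload annotation in the `@@ -250,7 +264,7 @@` hunk spells one Secret `herclues-vars`, while every other entry follows the `<cluster>-vars` / `<cluster>-secrets` pattern and the cluster directory is `hercules`. Reloader compares these names literally, so a change to `hercules-vars` would presumably not restart kustomize-controller, and stale substitution values would stay in use until the next manual restart. The entry should read `hercules-vars`. Since this manifest is now shared from `kube/bootstrap/`, it may be cleaner to derive the list from the cluster name, e.g. `${CLUSTER_NAME}-vars,${CLUSTER_NAME}-secrets`, rather than enumerating every cluster in one annotation.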
@@ -0,0 +1,48 @@ +--- +# yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: &name agekey + namespace: flux-system +spec: + refreshInterval: 1m + secretStoreRef: + kind: ClusterSecretStore + name: 1p + dataFrom: + - extract: + key: "Flux" + target: + creationPolicy: Owner + deletionPolicy: Retain + name: *name + template: + type: Opaque + data: + age.agekey: '{{ .agekey }}' +--- +# yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: &name github-ssh + namespace: flux-system +spec: + refreshInterval: 1m + secretStoreRef: + kind: ClusterSecretStore + name: 1p + dataFrom: + - extract: + key: "Flux" + target: + creationPolicy: Owner + deletionPolicy: Retain + name: *name + template: + type: Opaque + data: + identity: '{{ .identity_b64 | b64dec }}' + identity.pub: '{{ .identity_pub_b64 | b64dec }}' + known_hosts: '{{ .known_hosts_b64 | b64dec }}' \ No newline at end of file diff --git a/kube/clusters/biohazard/flux/flux-repo.yaml b/kube/clusters/biohazard/flux/flux-repo.yaml index 60b60ca605..0a44b4e24f 100644 --- a/kube/clusters/biohazard/flux/flux-repo.yaml +++ b/kube/clusters/biohazard/flux/flux-repo.yaml @@ -10,7 +10,7 @@ spec: ref: branch: main secretRef: - name: biohazard-flux-github-ssh-key + name: github-ssh ignore: | # exclude all to whitelist /* @@ -39,8 +39,11 @@ spec: decryption: provider: sops secretRef: - name: biohazard-secrets-decrypt-sops-age + name: agekey postBuild: + substitute: + # renovate: datasource=docker depName=ghcr.io/fluxcd/flux-manifests + FLUXCD_VERSION: "v2.2.3" substituteFrom: - kind: Secret name: biohazard-vars 
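Review bot: Both ExternalSecrets pull the whole 1Password item with `dataFrom.extract` on key `"Flux"`, so the template context of `agekey` also receives the SSH private key fields and the context of `github-ssh` also receives the age key. Only the templated keys should end up in each Secret, but fetching per field keeps each object to what it needs, e.g. `data: [{secretKey: agekey, remoteRef: {key: Flux, property: agekey}}]`. `refreshInterval: 1m` is also a tight poll for long-lived key material; either lengthen it or add a comment saying why it needs to be that short. The file ends without a trailing newline.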
@@ -157,12 +160,12 @@ spec: metadata: name: not-used spec: - prune: true + prune: false target: group: kustomize.toolkit.fluxcd.io version: v1 kind: Kustomization - labelSelector: prune.flux.home.arpa/disabled notin (true) + labelSelector: prune.flux.home.arpa/disabled notin (true) # default - patch: |- apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization @@ -198,7 +201,7 @@ spec: group: kustomize.toolkit.fluxcd.io version: v1 kind: Kustomization - labelSelector: wait.flux.home.arpa/disabled notin (true) + labelSelector: wait.flux.home.arpa/disabled notin (true) # default - patch: |- apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization @@ -211,16 +214,6 @@ spec: version: v1 kind: Kustomization labelSelector: wait.flux.home.arpa/disabled=true - - patch: |- - - op: replace - path: /metadata/name - value: 1-core-storage-rook-ceph-cluster - target: - group: kustomize.toolkit.fluxcd.io - version: v1 - kind: Kustomization - name: 1-core-storage-rook-ceph-pve-cluster - # labelSelector: rook.flux.home.arpa/pve=patch - patch: |- apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization diff --git a/kube/clusters/biohazard/flux/kustomization.yaml b/kube/clusters/biohazard/flux/kustomization.yaml index e8c58a43e2..91dbab3a79 100644 --- a/kube/clusters/biohazard/flux/kustomization.yaml +++ b/kube/clusters/biohazard/flux/kustomization.yaml @@ -2,11 +2,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - secrets-age.sops.yaml - - secrets-ssh.sops.yaml + - flux-secrets.yaml - ../config/ #- flux-install.yaml - - flux-install-localhost.yaml + - ../../../bootstrap/flux/flux-install-localhost.yaml - flux-repo.yaml - ../../../repos/flux/ - ../../../deploy/core/_networking/cilium/ diff --git a/kube/clusters/biohazard/flux/secrets-age.sops.yaml b/kube/clusters/biohazard/flux/secrets-age.sops.yaml deleted file mode 100644 index 12ecd98701..0000000000 --- a/kube/clusters/biohazard/flux/secrets-age.sops.yaml +++ /dev/null 
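Review bot: Changing `prune: true` to `prune: false` in the patch selected by `prune.flux.home.arpa/disabled notin (true)` turns garbage collection off for every child Kustomization that has not opted out, which leaves the label without effect if the sibling patch for `disabled=true` (outside this hunk) also sets `false`. With pruning off, objects removed from Git, including RBAC bindings, Secrets and the ExternalSecrets this commit rearranges, stay in the cluster. If this is a temporary guard for the migration, say so next to the value, e.g. `prune: false # TEMP: off during 1Password bootstrap migration, restore to true`; otherwise keep `true`.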
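Review bot: In the `kustomization.yaml` hunk, `resources` now lists `flux-secrets.yaml`, but the file this patch adds in the same directory is `externalsecret.yaml`, and no `flux-secrets.yaml` under `kube/clusters/biohazard/flux/` appears in the visible part of the diffstat. If the file does not exist, the kustomize build fails on the missing resource and the root Kustomization stops reconciling, which also leaves the new `agekey` and `github-ssh` ExternalSecrets unapplied. The entry should probably be `- externalsecret.yaml`, unless `flux-secrets.yaml` is generated by a bootstrap task and deliberately kept out of Git, in which case a comment on that line should say so.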
@@ -1,39 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: biohazard-secrets-decrypt-sops-age - namespace: flux-system -stringData: - age.agekey: ENC[AES256_GCM,data:53pX9mIkHDC2Jwq7hn+csSbHT9bn7UuGqWCGoecLBQhzvDFLHmYC+ygxPdEG+FsoDr8ahZFpN7x3pGONBPiNo31deC6wyDN1r8g+cE7Ax46Vqc7IMgCHyHvbk1Cui3vwl0Qh7FOntCaTLu5/EJ116/jcv13+Ouup18JCbG6J0ZBJ4Ul7aIV3seiZDfGEmvl/VeFCetpqjOehHRuDX6yDoPWJFXqj019as3QSYEyqJ6GQZAuimw60s1VzSGO/,iv:DW1I9MHAz1uPSzm2z+QDIWw3TrBtqAFqY487rRNU3d0=,tag:uC0CQcNwMMC5kKd35c9kSg==,type:str] - SOPS_AGE_KEY: ENC[AES256_GCM,data:/2sY6njNC8eRVICfl4VcpnGCxm+Xjgoqb/AZ8exnb0WFNdPNpSD3xgrpF5ldnTEnVbB9J970E6tFkjvvBuueovXuj7RoLxQ/FhM=,iv:uRAHV9/Qfr4pHguHkm+PFbgknZAJskeuWpL5IDd+5Jk=,tag:TxEr187y3jU4nfM5RrAvfA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6c2s0WUxZTUFVdlVLbHhZ - VnRTR3gvZkRVT0M0S1FQTDBScVhLTUZjYkZrCldSWHlhemRaSDB5TUUzVHJzTVU2 - TzhoemJzU3NWYTR4dTVTRzhaSzJ6UGsKLS0tIDBRNk1oT3JRQnh4aUFuVFpzbmd1 - ajNqNHRtRUROVkRKVVZ4ZDVlVE1mdG8KMq5dnfyVliHwP33oh8Zp28nNp/3JD22E - 2soIMUki5f6KaFwenIGqadcyWBpD6FL9cezN4219gEyPj48xdOUhjA== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-02-02T05:05:28Z" - mac: ENC[AES256_GCM,data:wNURr/Ci7LV5Th4JcsEYMhPgCgPt/9fTjDbHSoNzh5SSF2TFlbxSO1fnEMaZTSdhZocXgDdkyI7AmVgAN/SEWHb0Dl+oZt9BuZmmFLwwjLJ4N4q9tkKLMS+dCfwbDkEB5j37Up7rnEKDPqcixMCI0yLasWQ9rSo/inDYKPkufeg=,iv:pBFx3pYuapQl+Twlax85Cgdkq0Crgj6E4/q8Y/SsbrE=,tag:8HGLdTtopyQck/mjyCKALw==,type:str] - pgp: - - created_at: "2023-06-01T21:22:55Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hF4DAAAAAAAAAAASAQdAlbR90R8aSTOAm2xXopzcX8FsUBn+xDE9e/iuQnTrJnww - HrvOnCgOiXFlL+RT1UBpeXAqJqLCVY1i3RT+ixoXrFphoeqfPeeyiI9OJyDLtykj - 0l4BTdlio7BZRm/82NHfY4sMyJ0P4OJWwg+ItlhgxnuDgd4QdPbbmASzNBjJd2Bm - 8HpP2yq+6NtAQ2C5l997LaPNC5l0O3xmZsR8zftRn4MgOHeYDHT3IY7xmF95AUh/ - =ENhw - -----END PGP 
MESSAGE----- - fp: 31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 - encrypted_regex: ^(data|stringData)$ - version: 3.8.1 diff --git a/kube/clusters/biohazard/flux/secrets-ssh.sops.yaml b/kube/clusters/biohazard/flux/secrets-ssh.sops.yaml deleted file mode 100644 index 6fa33df7aa..0000000000 --- a/kube/clusters/biohazard/flux/secrets-ssh.sops.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: biohazard-flux-github-ssh-key - namespace: flux-system -data: - identity: ENC[AES256_GCM,data:8J9nsNM9nvxNadzkrs7rIS3quaD4+yqgNBYwaE3xMotIlYLQpctdhrBqM7vbd8R9Z++2jUAVRwgTK+j35OtCWClxcJMVAOq/c8ZLgwj6LDeWvJyaHVLiOuFa6Lw4w5hE56+0gbc+XiuqRfHospjX42ABoK3KlhLyM51cWgQlLG5C0v1euro0/yLCoDZO27PB9NGDIQkSWO+bBVfJPodCFA==,iv:robp1VBiiwLUVN2PQHrOK4Fola/Szo4fvrq3U+usyCA=,tag:reuTnlDKmscgKcSB5HWUvw==,type:str] - identity.pub: ENC[AES256_GCM,data:6zX6aJk3LmBDv4PFNVbCuHIIsg3iRi4f5POcfzCa0rrkLVh7V+7vJrr4rAp6vpd0b3hfzpo446qHIKNDtFMc7YcmZwtxZ74t+5oS9KqKbbPYJAZeciZrK1BcIkcNBULsJ8fSNoR8sWDZmnqV,iv:sl1Knv8Nsu+biY4+FnCiglLrleRO7potThsIcURFVWY=,tag:+syqveX9qKNaKnnADCVNTA==,type:str] - known_hosts: ENC[AES256_GCM,data:KNPpLQdSfrLU04WTAgsiQAIlpbYRUG7Aqnrqgc/A1HOoGO4vakBtwDjyJFbzc3wUGAGgakdKi9Abg54bypaUaFPe9sziXb2PqSOUtBaayf4rzmZsE9GQ9AGa2yA0nvkEo8bjoY4iFJv8nFGC+tPZy14moMRG0ggepHsZmBAjr65ZaSQ3exxGZWGa9vHjvQ9ZgG1gRFlV5U3sLXnhS8fVouFy1Rl1jB91m+Ss7oBFEU2qX9U+8o8d/hE6vtoE54kJdbRqPazt/kqAt7t6STCUemdxL9tMLySfK4uRk1E5FXHAUnFe,iv:SrMFr8cIxBe1eQqZYeSU1FXV8MtixJsGT31HqaqPuSo=,tag:hQp37ZwXWtNE//PzRXyBDQ==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5bGRFejJrK040Tm8yNGR4 - dDExL0k2Yi9EVlNmY1hHTzd0bG9qeEtUbDI4CmdsR1JMUC9oYzdBYldOYkVPaXV1 - bzgrWVV2UWhNUWN2eTBzZG5rR3pHMzQKLS0tIHJkd1NmOG1Ic2p6WWF0eC8vQzIy - Z2R4WkRqSFhlSjBsck5YMndoWGxRSk0KVTc4km7pba0LW9KCnSd19876ii6e+xQw - UYBj5hv2gFF1agwpXaxwBB6JCkvzgteotgaR0m5RT0lAQnBvQKgwxQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-06-01T21:23:17Z" - mac: 
ENC[AES256_GCM,data:0eCu9y+cLvvRFTTQqyqbBj0rfXp7ExZYyMomEbVT475uTMMvZ4ec3rdDDkXeRenX9YgcVOqydt9wdkhNXaaK4YyMs0sPovy7x2URIN6Y6vb+bryBGgbv6wHulSlhGFin72ZohdSBziYjcS5gi2NlwXbL0ir1IvwlCntV2/Uu+gY=,iv:Dl4lS0CxmBgpI8PcxPOD+gX8IY1qZcLqfvscvlPGpm4=,tag:22luTxapli4mrnC37+u7UQ==,type:str] - pgp: - - created_at: "2023-06-01T21:23:13Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hF4DAAAAAAAAAAASAQdASu2rIOU/pY0E9bxsX+sTmBgYc+ti8RtlSWsLC+l+pRww - GyrhnCB6c+eye/mWOpRVTXIoJXbwx+WRc/C5/VS8+w1AihdYWykP+HHVCyT3rJ1Q - 0lwBYq5m5KnwCZ2stDyivpDiLpNh20UXZo9gYtkV0IkYDiHVKLeGj+yVCfvnJEm1 - UzRv/XGeLdHMKNOeAniJKfD10crSQHwMWmEHq1kTSVHHQHBwDJgtBD0BHXdEvQ== - =A7F8 - -----END PGP MESSAGE----- - fp: 31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 - encrypted_regex: ^(data|stringData)$ - version: 3.7.3 diff --git a/kube/clusters/biohazard/talos/talconfig.yaml b/kube/clusters/biohazard/talos/talconfig.yaml index ca96e4287a..95bc508846 100755 --- a/kube/clusters/biohazard/talos/talconfig.yaml +++ b/kube/clusters/biohazard/talos/talconfig.yaml @@ -1,7 +1,7 @@ --- clusterName: biohazard -talosVersion: v1.5.4 -kubernetesVersion: v1.28.2 +talosVersion: v1.6.4 +kubernetesVersion: v1.29.2 endpoint: "https://c.${DNS_CLUSTER}:6443" allowSchedulingOnMasters: true allowSchedulingOnControlPlanes: true @@ -155,8 +155,11 @@ patches: machine: udev: rules: - - |- - ATTR{queue/scheduler}="none" + # set all disks to `none` scheduler (optimal setting for Ceph and ZFS) + - SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ATTR{queue/scheduler}="none" + # allow GID 44 (video) to use Intel GPU + #- SUBSYSTEM=="drm", KERNEL=="renderD*", GROUP="44", MODE="0660" + - SUBSYSTEM=="drm", GROUP="44", MODE="0660" - &kubeletExtraArgs |- - op: add 
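Review bot: The active udev rule `SUBSYSTEM=="drm", GROUP="44", MODE="0660"` in the `@@ -155,8 +155,11 @@` hunk has no `KERNEL` match, so it changes group and mode on every DRM node, the `card*` devices as well as the render nodes, while the narrower `KERNEL=="renderD*"` variant is left commented out directly above it. If workloads running with GID 44 only need GPU compute or transcoding, the render-node rule grants less access. If the broad rule was needed, a comment naming the reason, e.g. `# renderD*-only rule was not enough for <workload>`, would keep the next reader from guessing.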
@@ -227,20 +230,6 @@ patches: extraConfig: maxPods: 200 - # Rook Ceph encrypted OSDs - # TODO: https://github.com/siderolabs/talos/issues/3129 - - |- - machine: - files: - - op: overwrite - path: /etc/lvm/lvm.conf - permissions: 0o644 - content: | - backup { - backup = 0 - archive = 0 - } - # patch containerd for spegel (discard) - |- machine: @@ -262,7 +251,7 @@ controlPlane: - op: add path: /cluster/apiServer/extraArgs value: - feature-gates: CronJobTimeZone=true,GracefulNodeShutdown=true,ServerSideApply=true + feature-gates: GracefulNodeShutdown=true,ServerSideApply=true - &apiServerResources |- cluster: diff --git a/kube/clusters/biohazard/talos/talsecret.sops.yaml b/kube/clusters/biohazard/talos/talsecret.sops.yaml deleted file mode 100755 index 4cfb8e3075..0000000000 --- a/kube/clusters/biohazard/talos/talsecret.sops.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -cluster: - id: ENC[AES256_GCM,data:AWW6l4Zq4o9cmu7ZgWuhtv1u5+Rh3JtSQa75SIEOll7Wsj0yXce1t7k12GE=,iv:HV/zbB2EJpf5mtq27o870P8FbIMHKPYuB2LK7KlGyag=,tag:Yt3oSvYPPknkqdyEZ6w0Mw==,type:str] - secret: ENC[AES256_GCM,data:csdjYHizHtfUss0KVwxhue8P4oyYJTuAvC799t3xgrj6seR9gENH0SYR53k=,iv:TSWgOe2jpHNqesdvWBDjsnlIby8GVBflSNBPgPe1vME=,tag:XlHgOJSMPZNFhnkTTmc/5A==,type:str] -secrets: - bootstraptoken: ENC[AES256_GCM,data:NIo5x7/wbYwxGabMFXqjR68lb0gHQ00=,iv:ARs+532azj8VHxeoDQLW5xWEJAKhHcpZHB49XzJyL/0=,tag:l+bN780+0SjGsgv/qi9NTQ==,type:str] - secretboxencryptionsecret: ENC[AES256_GCM,data:YtbU4u7OjiEe+OE+jDNgOazSKLX4d0Dy7vHD2rFHAkX00PsP94ubtyohBH8=,iv:0qQ9tAkp1mEaCWjtAoK3aSOMm1ULQJzFqSUxmA8REeo=,tag:1RdI/WpmQlswngsJCumnKQ==,type:str] -trustdinfo: - token: ENC[AES256_GCM,data:BSuaFOLFN0U/GQ/fiia6N8FtdPPNUZA=,iv:4eZuVSWkH1znkoAtlY0dDnQUhtiAUFIMi5TJYCI8Go4=,tag:L9kmiiVwO4z9piTgkwfoMQ==,type:str] -certs: - etcd: - crt: ENC[AES256_GCM,data:sQN2wc5+YtIa4y45Qz02+Ry0rR/H9hbFNsUxWo6Az0f3dfw9udRue7esgAtsafrYl6yObAkjbra2mj54wntDCimji8gZMjmGXVmotM9FAAu2XkG0S7A1kR7ovZvp/j+p29TAQJwm2srLAXjdCOfhNMr2kNbI7XBWow3LtxfiiP+G2yn4I0xDqZF7eNRqK+b6aaEI0XLixj/G6Ajsq89U6mXgT5PfdrsbKtd9TpR/iYuFeKPIY86e1ghk1LZle1SxFByRDUKujYfLMotoOCbGYcIQgdrc7Tf3ylQyW2C2Q6dkJrYifsi/fs+6dbIS7o5GWccG2FJIr9GF4JW8HMZ6NU1HUncoGWMzBNfTRtZLEbu4XVGSaLA9KotLPuevWFjy8g4/9rVvZwjHmSrmSG/dAeKm/3/MAi/sLRbo3chsJk9gDWAqXAhsyH2gadInXw/o66k6NDFD6VBI1gfgp14/ylqbnYW5OlULJ+xYufIymJLVcKcuQELG5Emcyc92pDq25poK3g2MgOQcZu6rVNxmHvfKJpOnW6blAcZUeATGlppEAS5Iv5NLHsa5lHWQK7eSTzXer/L/3RXt5Mx93JWcBKZrK94eARZLF0Dp0qinZpSlcRmPmjaqlbCvNgM8/zPD27vzKudCWQoAw2GEx72Hilh99dCw/3uyzgQA3trnL2op07QWQf4y0qVUvPDH6wGjMmfMeLHbXIvtC80BV0VWemEDobUK+0vSxOWz69APZRXDcivB0XeVvZ5bhsYtVq8S10qEnYV5kEjY8WuhWMH/Cn/Mt0LhO2WOIRjcKOUQ5jV3C3WlbHhIboLAnoaJlXnAMr4IQveiUFN2ieobHT9oK5XZKhruIHW3StzoP7QH1H8Ec+F9B4/WI6p6C7Pv4TjWl+7x0z6F+quAR5cQy3+udxY9H4cRSAJTmb3b3MUZRs0IlY1ennggas+Wex/qiX4PyN93I1FAAcYtNdFLGeQrJQXcwEQaWXk1ZjO8GXMexe80ga9+FfdO2S7bAoL6seM+0N3rjQ==,iv:n5+hhUBZ9d6wrCE
I6WorZmYS+ALX6FF8lbV9RJrWz78=,tag:TxgRSw4ZxmGNzFApiPvPgg==,type:str] - key: ENC[AES256_GCM,data:mgsZvF9lBLqAVEg6mutF+u2aY1JMqnclTAHFuSGu7m27XIoA8PcpkvXvCxKmPaBc6jMarQBZ2j0y1YN8KFqWQw4dKQmNkzRH8c9T33Na/zoD0Q71DXdmiYw4/boly8vAvfIIKUfTlMGA94IjkuAABK6xqTjDORNCvhl8PglwTL+Wz2CEBG6LG8jaq3/6JDHJON1tuT4w7CRKq9GyvDr7hm/zXsj7y8nH+79j89D3lxFs0CdBamZZNllt/s5PKzKLl9pu+RuvzkCorozKB+LYIvbLkbc9tT559H0yQwD6dFxFodcuYvLixvUlmHPd2+8m6LARMEqTNvFuPWCp9j+4EVMsdIekkPxh0sWbE5EoZR8n2Mqct7ft0anxROQEQXhJdQnnCQXbdAApFWj/QNCYIA==,iv:h+TPclqdI+ed9+9/puBu/kOI0qVS+mtAI43sHbJB4G0=,tag:w1WsXZLGaMszbNVhH60+PA==,type:str] - k8s: - crt: ENC[AES256_GCM,data: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,iv:RKmJsWoVKt/krl4wzHfAluqhSZ+0w+44NqPjWf1CmAw=,tag:UywGABmGbyz9DqXknYg01g==,type:str] - key: ENC[AES256_GCM,data:KxS1No/FIdEr8qr+DYmcIXDU2Hlo1WJOQbnPVblpVMui79752fn3CM7pMwCzVAX2jnTFsgPiKavTAG+wxZ7b148hrCHDaO1X+ISIo29cUbp2zOXrITSabaVvT30LlsmEjDG87apuSjl9VOo209OfIQDy6T73I7277WWNRZseeb0B9RXBHYYwsoJNPtnluDuJlyXjLbJgKIBChpQaydBAxJ8XcwAU36RoAWIr6+GPkEaOO7Md+JKrPG/VZpbwWIXZpLIPFshIEAB52DfgKbIKR2VwyZRe2qEBbH2SWqQLuLUETHj7USEXP3++Xm6uSdcWHqzjo8Cra1cTM59dQ0buIh8O+Ivin/NCcLIXO7+3CKHmxdCAWWUzXWUxx38NHnsw/fa1+csF/tkvK6kjoAzPHQ==,iv:B8lZKqLfl7cbUAyiW2+9RDWR+wZEUR/2bTgPEekpRp8=,tag:TMfZGCUqztTrO5cTGHhfsQ==,type:str] - k8saggregator: - crt: ENC[AES256_GCM,data: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,iv:sqwv+PsbLYDaiRVYPuTmkjIy+Vg4QSmrn/Bpb+byAaU=,tag:9BfVsNU2StmjMIg/HXDLPA==,type:str] - key: ENC[AES256_GCM,data:j7kUBNHQJgedBxJ32RFqfGfr4zdCZn1gU7cIv4sqaaQRHt5U6iQCIv1PY8pvy5+NyOJJC8rrCetoUpeFLohsQgWzCXmXNJglw81cT2cUy8wWwJLG2EdMFaf3NGBn7u4H7VWWooOu2fNlnrTSf8nxDURIWRJKhg1rX+MLIsOZAPUt1y3tuV7YItSsOLaiNdblA8MVloWZqFeFFS/EJ6TFNFO0msbIBQvHLuJaMlzCnpJMTNONHkMsixOIkJUsZQWCCggTnPuZHuE36r7O1dLYwjmRU+y//rj6TEJl6xeepu6UT58qGCbbI1qCFDJomQJWAEJjcSqRz8WMlQpkYBlUamuVKJSEx1CcEC0Lx6OL25R6Eb6Bm/rXmZ69JuSb1RFQi+p1dD2gtOEpWnl/DtJGgw==,iv:GW8smVoDuQU3yxUzkSidoLBB6b0V/0w7EciTdlRCB+Q=,tag:cO7QkC6mg+1dTYNRROnEvg==,type:str] - 
k8sserviceaccount: - key: ENC[AES256_GCM,data:4q6+DmYqytRp/spZKuxhBYl6LYrBsriZVo4807psBHZm/2OOcVnI58Palbpve9O+zSUl4fho2EqdP4rk+nQnbu+3P0u94QNxP9epzmhuLmdjskCKYn5P0993pXiruF8hiBTmMWbIYhR5crqPbKgjrjlBhgao1qr0i1BA3FxegDLPN+ehhQlcL9vNs5K6OqMdyh46nPNm+vTTemfcI6wdYuBYkrmMFy/g/3LyfJXvSwB6s8GGj230YZ5SAt3Kb0Gmn9O9IA+20bjdFc3lxuPtlDdlck+V4C9hjORnE8FDOFWPgtB+LdmO0c0Kp1j40x5CIY2aEQOx82hhvcQMBZ0oA2GkjKHrizgodSd0jchTbqDSe4qa8avrB5/mxM2fHDO74Q3XYZpcd0l+UZJo54bqfw==,iv:1Whh5UTUlbK7gctkpGQOs3IKxrcP1NOxtK75UQovpl0=,tag:P8PRlPQzzaCiL06BoRVHlQ==,type:str] - os: - crt: ENC[AES256_GCM,data:7/u5Q6Xjw8BnwAIh7JeZgWTvxHrLGBQxAjii5gr4B1JPIsGFagSXSxO7z/Ii9pL+YrWbVBDudG1UrAhmYfJbzMm28oi9V25AdkQ//vsTvG0Z+2kmLqdClFCN+Koc0DGidCD1f8+snOWHibwK82N5LK2m6D33yK7dXUkg4/XRAa+wGxR6GgHZPrleiesji4/hFbK4ZWbb+kHnYi8hBoqh2xkY4qSuEtfzZPHzO6PMsNDKtxA6xcH0I9k4ZoN69YYXxZkZGr3U+6agb/esuzTMprPLFmT3SBcgjJ97eogBqNQO2ME3DFmHchvqlX3EVV7OZONLHHwOf+E3U4spV06DnsNMxN7siraxyzEDkzy9VDHxEwM6A1gWDByofROoMStSuKXX2y/DdkWTK5YAadSaV6dFAiEk8zwR+cQGX5d51TCUTxg5VIubgQsNiJdhEGcLhFbDTAk9uUUkPatE9TRCDyljuVH4snFIyw2Sic0w/zcPs6+Ofn3yn4D75VtMnWsQTUtrdfYmrV0RmkeVr4yGpi/hM+mnz0SH90SResaQUClr3HQwkyR8KTyTi3vjVtaN63a4FDt1cPNY7kTTSjsq1ITjKqRwLTuHd7t0TGVYZcUvtWMqmXjZaZSNnCmU2TcOTkeS/Ge0qzR/Wg14sIwxD8HIqMoqnFiE80s94D0DZQ1cYeIF+fB3zT10bTUfOj77GSDCyop2eHRc8V/oAoe83aihx5vPW9n0EPoB+59UzjswploW5+mnS7AbDyNkZ5XLC/58RdlwgzXL3BzER75MwyDPocM3k1f7mSlcfY4hU7u9H35MiJGU/AcuaR20/r6It4Ycg69g+Go3CAgbr3U2u0VCzKzCCYoGTN8i2EcedyoLr6h5,iv:T+HYunjm/5OZ7r15u7/QwRsNOB/ZAOTJ18QBXoqgqdM=,tag:SSzv5IunkgiYpqCNuxtyTA==,type:str] - key: ENC[AES256_GCM,data:tQ92q4vh0XNWYMk2cL0gV6BZhcesRiPUmWIoPXRDKVHUsG8gaAxXDNRFApN/7q5BxYSllAy7/Du9RW6Ap0luFQpaRvrZF6jk5mwRedXBzpGtbAkDyrPQm9OBa/v34uZCw5zcqTB5wPiLYaJMmdUDXjd747V5wQBgBzbS5JpOIJXYRj7ZPbEyWdHHDeiwE02+teb25CNHfcRZSDLeSaeWfVoGS7qhIKMblDcf6dp0QMUKxA6e,iv:xnWvidkOS3y38cOSvn2AOU2Ndj5pJIQ3tHLkRkXc+is=,tag:FNZV033ea77ku2HBIIv3/Q==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: [] - lastmodified: 
"2023-01-27T22:22:26Z" - mac: ENC[AES256_GCM,data:ki34oHeKj6Pj5iLQttO6Mc4kHsPgowLBfo6L9xQ7HBGYFpzS3dQbVSk2veJAeI3g4C5ixak6RiCtnwokUsm8+Ay48lIFFnaiUNq5jyiyp1u3xkFCCTsWE9ZDorFKeX+XrgzttyIxxMCP6z+k2f9r6qB/9aLCpZtBfvQBZrz+lP0=,iv:lIhMBTAfykz6+BthhsTyPynIPkBw0jPNP1M2nyJrXAw=,tag:fVMpz2UGYP8LL7isCyrrWg==,type:str] - pgp: - - created_at: "2023-01-27T22:22:25Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hF4DAAAAAAAAAAASAQdAa6eYQ3sdOzCP/XGmuq+KANM5eVi57M4nnVmj2cDZ3iIw - PBdPbh6EYRDhpxzwmWPxEzq+mJAHJGmRs51N5qjeuXaI6pk/J6maZ1b2LI3E+YMX - 0l4B6beXkzBIG8QU3RDL4h2+zilMO8E4viChKB+gpT8sHybz7BRysf5iyuJi2PCG - a4yC+6dhWjWXBjoEehcXcTnINXyKQMKW7Termn0nrl+u5A4eL4BimagMMFWYFCqu - =JxEq - -----END PGP MESSAGE----- - fp: 31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 - unencrypted_suffix: _unencrypted - version: 3.7.3 diff --git a/kube/clusters/biohazard/talos/talsecret.yaml b/kube/clusters/biohazard/talos/talsecret.yaml new file mode 100644 index 0000000000..a39756e8e3 --- /dev/null +++ b/kube/clusters/biohazard/talos/talsecret.yaml @@ -0,0 +1,23 @@ +cluster: + id: '${cluster_id}' + secret: '${cluster_secret}' +secrets: + bootstraptoken: '${secrets_bootstraptoken}' + secretboxencryptionsecret: '${secrets_secretboxencryptionsecret}' +trustdinfo: + token: '${trustdinfo_token}' +certs: + etcd: + crt: '${certs_etcd_crt}' + key: '${certs_etcd_key}' + k8s: + crt: '${certs_k8s_crt}' + key: '${certs_k8s_key}' + k8saggregator: + crt: '${certs_k8saggregator_crt}' + key: '${certs_k8saggregator_key}' + k8sserviceaccount: + key: '${certs_k8sserviceaccount_key}' + os: + crt: '${certs_os_crt}' + key: '${certs_os_key}' diff --git a/kube/clusters/hercules/config/secrets.sops.env b/kube/clusters/hercules/config/secrets.sops.env deleted file mode 100644 index 895bdf7e98..0000000000 --- a/kube/clusters/hercules/config/secrets.sops.env +++ /dev/null 
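Review bot: The new `talsecret.yaml` is a template of `${...}` placeholders with no header saying what renders it or where the rendered output goes. Two things are worth documenting at the top: that the values are injected from 1Password at generation time (per the commit message), and that a rendered copy holds the cluster CA and service-account keys and must never be committed. Depending on the substitution tool, an unset variable may render as an empty string instead of failing, so the generating task should check that fields such as `certs_os_key` are non-empty before `talhelper genconfig` runs. Proposed header: `# Template only: values are injected from 1Password at genconfig time; never commit a rendered copy.`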
@@ -1,159 +0,0 @@ -SECRET_HERCULES_WG_PRIVKEY=ENC[AES256_GCM,data:I4GmeSZuUb71lQiOWV6O41EMx7o1cyM2DTpPlVFWLLNuupI3tPpN/6GJz78=,iv:UCx/LqV5AZ4aeH9fhJ1Y8M+jLG9N0LH5Mo9yRZypLQQ=,tag:+T57kfCHoc++mlBcc/iQbQ==,type:str] -SECRET_HERCULES_WG_ADDRESS_V4=ENC[AES256_GCM,data:zn9tISNc960X,iv:Fivudq9dF1nIXlGP5GJ19al+RWLb0GnGSjh0sxb+szk=,tag:JO/wV1bhGcOby9J4BfcdDg==,type:str] -SECRET_HERCULES_WG_ADDRESS_V6=ENC[AES256_GCM,data:7CSJVcUVLEIcnQ==,iv:6EDog1iukVOa9Cj+lcs/opf1d32q80yTV6ZrXmiVlOE=,tag:tkTzFs9xKM87/0OTUxFO8w==,type:str] -SECRET_HERCULES_WG_DNS=ENC[AES256_GCM,data:l53QHTYqtzo=,iv:OVCCp9BIc67E3efFm6cDMylkYOWjtFfdPHEofzOvLmA=,tag:qSnWfkEiaWYk411xckORcg==,type:str] -SECRET_HERCULES_WG_LISTEN=ENC[AES256_GCM,data:O8RHaSY=,iv:HmDAIeKGDK+Z8ECgYEbbvW3DYyLshBHWAlm8dSfXG0g=,tag:wR0gyrZEhVSEWW0VULtmOg==,type:str] -SECRET_HERCULES_WG_PEERKEY=ENC[AES256_GCM,data:cXNWTt2UI53tRhQ2ZIKbBJfE12FXxC2UwD9DI22u2z3dcF5LyPxDFh639fc=,iv:QfrCmJNjpdMdTWPZ0FX0YEvLQR4U9Aw3ijqJ16JTODo=,tag:M14n1dYcqlZQQ71q6djmcw==,type:str] -SECRET_HERCULES_WG_PEERPSK=ENC[AES256_GCM,data:qM4B0KDpLTtgbhIr+rCZoiWq+htU+hv294zkcPZItbQ3PQkCBxNKzbg57/w=,iv:IlAzdP6hX5ntM11XygZ2oCPY/TgCwtlUB5putzmID2w=,tag:C2ACjMSECzKvguRb0ni7pg==,type:str] -SECRET_HERCULES_WG_ALLOWEDIPS=ENC[AES256_GCM,data:TiUB3N5Se9y63DNx9OCGtOIsf6a+5kjQYXE7kmRP45VmfyquIfHeuze/T4QYf8W7t1kdzc+ONKHV6EyG+zNtwB+U1N+kGqcVeNVng7KuxRbC6hfnQexRGvdallk88gXKiKBXqjG6P1LkMqimUZG+JpscJJ8qIQPGSkW6UVWrkEdVd2c=,iv:wmkAGT2sIUS74h43c2A3z5s/l7sdIIs6/yFB9fmANQU=,tag:Hjz43iTBD1jaVz3o3QaKvA==,type:str] -SECRET_SANDSTORM_ADMIN_PASSWORD=ENC[AES256_GCM,data:eBh/GfUuZ3CwYbUMo2aP,iv:fH1xCn0YVffgmKaFAwyxnsBhw+DK2WJQ4BJkPvxdpYY=,tag:r64Jt+OlThR58oJRPTfVfg==,type:str] -SECRET_FLUX_WEBHOOK_GITHUB=ENC[AES256_GCM,data:rN1JGPiLKJGZaPky7M7Wy2aujMvYJeHVKOz6gmZnSvn0OGmP7kyMyg==,iv:Bs4nBXkzUmeXPqYx4bggZT/BmJMDrb3STeal3Y7JUrE=,tag:38CcnMHf5EThZyf8AA3gJg==,type:str] 
-CLOUDFLARE_EMAIL=ENC[AES256_GCM,data:JAlEqZHuEjlPoAY237I5lYDixh5Fcw==,iv:OcmCUMi9G4FF1lw8nRSk4iOE3cPB/VIvS9mAgnPGITA=,tag:ykLJwkqfp3zthaJuXJlQyw==,type:str] -CLOUDFLARE_API_KEY=ENC[AES256_GCM,data:hyTDXeqe2Mksl+qI8Go0j24bnUoroMPB4wsMiIY/dOAzHANoESJegQ==,iv:I4wRJoylTLs8IjUfz++eU9UheqPGDhLYok7h382sOPU=,tag:0P4is0yvhJzdRJnew94bkg==,type:str] -SECRET_CLOUDFLARE_TUNNEL_ID=ENC[AES256_GCM,data:j5mJIX0gXhdqXjNM1fcC4jFqA2pLIqf1hj4jNAldP8sjK2b8,iv:fIJI3+7P4YUtUIw9ea8TL7jGWSDKfii3QlBEkWH9kns=,tag:WdxKDP58VZuU5uzdQgXbmA==,type:str] -SECRET_CLOUDFLARE_TUNNEL_CREDS=ENC[AES256_GCM,data:yEqTrxiMKq6ntVhU4DssCj9hLYN5Nav++TlQt3o++avhxTNxumc0g28Gg9Ya1kQgZythoJc+Yi65wfDYnk7A3aJgfURvXgXKjv1aNON6mXVj+6MKyh8scPUUFcwwjd9h2n8/GsO2z8RS/BmwsLs9JTuPq8RvMuhiy5+qT/TU88ldIVieCAi8Wn6dDqpNThGtaazkbRBZweejm392IYSbVeU=,iv:l6WNAXBeWrgO4N9bmA7k3yqvNeEjH1BKjNgeEqLiw+o=,tag:eHekh9D6mvwzSdHBv0O16A==,type:str] -SECRET_MULLVAD_PRIVKEY=ENC[AES256_GCM,data:aFiXq2rjPQlw6qTinNchc606GsuaCLmpvVtpDQ98UhWskXq7Di6moF+5FGQ=,iv:wJWqLFESh3S63oT0qWwT435qTrS0WJP+4/vzAyc+EYI=,tag:siSakSYuSMaAWVP3XC8ToA==,type:str] -SECRET_MULLVAD_PUBKEY=ENC[AES256_GCM,data:RdPu0bgr1b4p/Bcp25KykPbfDmOJX698phqJz2Y+r9JG8sz9vrfbs09yDKM=,iv:zPGBBpt6mhhWXJb2WYMW9yDEruu/jpNxi3Bo24t+Sg0=,tag:Mv9cfJ20KJks4ZZQBXrOTw==,type:str] -SECRET_MULLVAD_IPV4=ENC[AES256_GCM,data:9aC8Q7ExhyFZp5udpA==,iv:D+rkAJZT05z9v0Gt4I/LmcLh0rQky1kOR7vRazfVKvA=,tag:pic5NTHOt9Td66pdctRggQ==,type:str] -SECRET_MULLVAD_IPV6=ENC[AES256_GCM,data:A+ZOR6urcp0HwRoODwgKqlZhyrGeXnvSlAD8,iv:talZ2jyaWyoltSZenMxKv0aqSQtRsyAQemtllFVuKdA=,tag:fPM2KM7Rybr/0d3oEgVBRw==,type:str] 
-SECRET_PG_DEFAULT_SUPER_PASS=ENC[AES256_GCM,data:MDxda4O8zX7woBdPMFKI3AdpGoiTEMXp2B/tm698zYGL3qB3hiogf9eIxXCwcvfPLgCSK9wUDuaLEXan/E6ujvlFzktYqyymexS6kaD7lgFMlBu/NzAUlso4zk5+BvBKB4cDPssHM/O2JwiT+Xd9lIuK9Fl2newjE78QwvdyfdxOoPE11dFqDcjR09bFCMDWPnDMV+CYiPnYqDT/ZzMyc6ZhuhXnm5KQRZnyopIerVUvlno5xbaWzP49BRavnfRpmvr1vPlRDtEEq1qUZWNC0Lg0pjr44GsTIeugwN2HUh9xz6OpehladlCgwJU1ltVqqnV8W61gLJ0kifkyTQYtFX2+lsnvvXWR44vG1w==,iv:WWYfNV+ZTZQlDuuQSqI+QsAsoWaA9ICGX1xvaKBZaZw=,tag:ehH4y3E1XXOEHAfvkldCbg==,type:str] -SECRET_PG_ENC_SUPER_PASS=ENC[AES256_GCM,data:0kXAEw572Yftd4h/XwaRPYQf9nukluWhrmxp9D2LnfiBsgxXwfwWsUEYNVRuIaOcTpb32inez3sj0RdPtwCNBNS8X1NE78xoMS9iMVv45gxcrD1z9nTvNH4M/nbmNOT5Gtj4mKVlqYEeaBk50iHmmTA4nCn+MPewGSasiWs6H07X5Gtsf/eE5ukgrL0lb/lKyt1bzbFZ8o9IrHA1ErQi0HY1V5pcAcoIFVCht9FK2zXgWZ9RDBk1lmR4LIWO5ciCXriPpare8CyP7x/to/VsxSSdZ9ftgshky8elWNRcRjrk9/w9eKhRjxpydPLlk76ogsBeeBz0z88Uzjr7882GwQ==,iv:dAIQR4NU7nQew5k8dfyJUn736/IyQpTIq582JIoQffU=,tag:0PY2Whfe+SC8Wp6Fepvpbw==,type:str] -SECRET_AUTHENTIK_SECRET_KEY=ENC[AES256_GCM,data:z8PyuXNulKsvt4tNgK7ihVgi25MrMC0xV9/PfyEG0Ga0a3wKyfuju+y7tWGDM6MxR18=,iv:JjNbyo3X4sup9PmnaBsQt5GdpH0R/IlaNc1KItMuIIY=,tag:MFIudyTHxW4gCPssz14IvA==,type:str] -SECRET_AUTHENTIK_PG_SUPER_PASS=ENC[AES256_GCM,data:nrf9OxjH9kLO8a5amBgBw/9uldQNM4k2bk8lBjcTgmLv2X8ZHvEf/OOx0wxlFd79w/k7rURDAvzKtnUiuyaB8Su9tqXu9nIeZJbFTQyxm/QzNlsb7OHXJDdqnv4oODdxLgAdpYgGMPRc3nWen2NODI5LSzM3lplWq5jLVHI+qqGlY2zHhpe3Rr4WUiHTtBjQTOuAE91vsayhjDAYOyi7gNsIK4nFCd/uaGNOav5RjCGICI5tC2FgEbti6je+a+rtiedLSx7mp5UuYkAVK+1cQwDnEhojm0H23rdeybi0STv4wnErp2nTYPRZdunKf7krTHoL8Pk/biAf8L/Sw3ATnypompLr0f9+cwIzlA==,iv:iLBFXhF6OnGh8f/GBD9nBfcD8ryQpMac5//KtvPh6us=,tag:kb/70IRB9urZm6QvPt9F+g==,type:str] -SECRET_AUTHENTIK_SMTP_HOST=ENC[AES256_GCM,data:xKMQWNOHeKpqID8IRRXDclG74k1D9zTmn7VA+21BzdnzJzwCRH3L,iv:/xtuLp3PFN/IVk4/v3+1qgNkkCkPDUzW6jXctNNE180=,tag:rmXafknKpeS4Mi4rq+1YoA==,type:str] 
-SECRET_AUTHENTIK_SMTP_FROM=ENC[AES256_GCM,data:D1UhPUWc7S8bh1qIwsgTDfRDzA==,iv:VQImJJL8FW+AG/y0gijqzP26eZ7lmPUIUjncjuciP/A=,tag:3qd5NSwy7jimLD/0MRcDQA==,type:str] -SECRET_AUTHENTIK_SMTP_USERNAME=ENC[AES256_GCM,data:1rEiJfdxMJzLsPkiD4oTd2vczzA=,iv:704boc2UO4b2yaUh+jEJAm9y+qa6yLfoorhgQgPLpuc=,tag:YLzsBgHuYhq6WurZoYE6gg==,type:str] -SECRET_AUTHENTIK_SMTP_PASSWORD=ENC[AES256_GCM,data:oT8AnkYa8Jq1emuP6dnDchKltNMNFPEI7L5QGw56TUCgxhC7NHaQdA==,iv:9hfYTWmwb0Oqddknk2kZFDHbatlKUg5AV4DOHI9TH+k=,tag:7fB/vCFBZzOBAzfUfhhs0g==,type:str] -SECRET_AUTHENTIK_REDIS_PASSWORD=ENC[AES256_GCM,data:3IQpYUHxjbkQOvP4zayJKrs23vbdo3zgNPU7BBUoKKlL4vS6w2scZJV74d1ltjU+l3GojsExyhXzGPUZm3ZNOzXH9vL/MPlDwhrSmRBK25fAN0I5eckCf8yF2tVoiOaYNVjZv13eFQyZTbrWa6kNX2H8sU5qrz+3hE+rFMKSEt2oGVyYY8SigU2HalWjaSYp1mNEJhrS70ndBdxMSjtMvQ==,iv:Wz06/Zl58RiowOEI/bSfXKN2/6r7t+mmPzWeagJD4FA=,tag:wjheK4Nq81D/sI3bS4YrvQ==,type:str] -SECRET_AUTHENTIK_REMOTE_TOKEN=ENC[AES256_GCM,data:GSPPuSgS+nvXBPOiu1jhK9jTiBE4t/AZgVutT+j8FgLx2TboCtXZh/09mEu6capG7TYwO7C0fUgyXzxD,iv:K5VX3471g3RA3t+KxnalAaane2Q+7RhMwVa1ICtFDQs=,tag:2benS6z/VBDqkwxoi3IIXw==,type:str] -SECRET_AUTHENTIK_OIDC_URL_AUTHZ=ENC[AES256_GCM,data:nQOUFH4EofqbavU2rqDY7ZBVP6HYFiPJwR1ewvuPlS0CZpwLmva/GIBqbKo0iNN8fEnIww==,iv:PLigYh0PaOx2a97NmrXqji6Y6gPiqoMs4DZ7ua95CR8=,tag:0VvJaP8EYPz2jlxjTI8GQQ==,type:str] -SECRET_AUTHENTIK_OIDC_URL_TOKEN=ENC[AES256_GCM,data:7siWNEfEXQSgDDzgDw1eZwXSmT7grd7k6lPa9aY7ENaEb+c4eXm+MtJujnLuCCAL,iv:K/L+WZIkawK2sYuQ5or3XpYy5R5rg2DqGBVPpK5QJCw=,tag:RgOlx+g3Jc1RIG5ZHMegQg==,type:str] -SECRET_AUTHENTIK_OIDC_URL_USERINFO=ENC[AES256_GCM,data:VF43D1lJ3mPAzQ0AvWicpLLnyQC61PwDhKYNGxLPG/nMlGAEvh7u6K7ylnnwZ1drLIad,iv:1nJaKrCGVxo/uAywjC8BDIiq0nYy62MP5D0jQoj66/I=,tag:J/1gN3YQ4ppvYa4A/iH2DQ==,type:str] -SECRET_AUTHENTIK_OIDC_URL_JWKS=ENC[AES256_GCM,data:anaZi933ydMnPMb1tWq6RMCN8HiwougI4Peu745aS6hPT4yUYZEL/Q2qGfw915UXusJmwmNTyw==,iv:6pEBTN6QCSZ9kqIuzt1Mbbi9cLF6uhGg1CHnkvxeLAA=,tag:bMPp64J8VNMSKeOzWSSaEA==,type:str] 
-SECRET_AUTHENTIK_LDAP_TOKEN=ENC[AES256_GCM,data:ZTQ1ATgld0DyK5uMadIx7fIfG2vPIFOIBdqZSHQwFu+fiVn0wDtgXOaDNCbXuSxVb/aJpsTS5izORm2j,iv:trud8O3g8XoT2AYT2MzGDInWo03MrNFmyRqDQXsLPUk=,tag:c8xai3HOrg5CZHht5HsONg==,type:str] -SECRET_ZEROTIER_UI_USERNAME=ENC[AES256_GCM,data:uX29YVrv+w==,iv:GytrIqAli2p6xB5EPmlzebvz+/YJxMvPs1AiFR2VMus=,tag:500ev3YTZ+uAexNBDXqg6A==,type:str] -SECRET_ZEROTIER_UI_PASSWORD=ENC[AES256_GCM,data:AjXB9OQHAy6AcF6L7ZY0De8sM5Z+nG60,iv:VgTmfPaSmlZMISnm+dIoyam6Ld6kZ5xXn4izHm+WHJQ=,tag:wkTsy9M4gzoEDgnH6eDHKw==,type:str] -SECRET_R2_ENDPOINT=ENC[AES256_GCM,data:Reb3vKjtSg9jWh96aZK7Gpq2EVzlqt3X21KqGSzSi45NBbC8HPSkwLLw4Gl0iLFK3rkeBn/i1mZtFxXUKnnqsbg=,iv:eSK3urext0SnUkND9DSUD0RMw912G+p+fKLn/DPxoAM=,tag:ZlsW7jXE8nA3BHvIp9iIBA==,type:str] -SECRET_VOLSYNC_B2_PASSWORD=ENC[AES256_GCM,data:t/+cR3xd3ypKtFc7z1321FmZIadMT3ly7yk+cLQQwJIgdLJIUrTqcm72rJMBPQaf9b9PeXDESvEuz3/LDfgrwvjcQfpf4B8sCa9XwHuiq4IrAAHC1s83gAIvy1pa4eQboy+simy1bsuOdr9Isv4NAR6IM4DPpJqe1zy33KTAq08Guzlxq2w2zoFmggozwqEdWVtKj8wSd2QMaLUNNS/Uc+BJV8tMHokSptOJCg==,iv:OaKMY8DBjrjM6qi/exsqf8qDHfQ6avMgfcJhTU+UZoc=,tag:idOjIyXAsR4fRhNgHu4d2w==,type:str] -SECRET_VOLSYNC_B2_REPO=ENC[AES256_GCM,data:UqWKBqzr15PMDAl8is+3Dw==,iv:pfLAtH2ai1rIG52ySxtz2UqIgaWmgkpUu1kdPUSbXEs=,tag:6cFZRBgSa4Vr5AqqtapnQw==,type:str] -SECRET_VOLSYNC_B2_ID=ENC[AES256_GCM,data:c3VHNtcfTvpsVG01NVmHjwNDO9UnytF40w==,iv:N6TyrbbtyXet8+lF2DHm8nm71/8B9ty2IRM6jqdEfP4=,tag:excwWeYPmQMIvusoibZnag==,type:str] -SECRET_VOLSYNC_B2_KEY=ENC[AES256_GCM,data:DOKhhQDH2kTrchx116574Ps8yEm2i1UdbSezRB9YiQ==,iv:jzu+AabEbrtu+uV6zT2WwEW7sHkBBp5djDBlzIVKe40=,tag:wBHdpMd5ObUvmY8TCVFbXA==,type:str] -SECRET_VOLSYNC_PASSWORD=ENC[AES256_GCM,data:luZbC66TEN90ZeovPH9ycVVzvYiBk3x249sBwV8yfiwkE7lHn0Lxo6MbXB2uC0BVgFZvQKJMIpqO05YL1hqJkpH1zToL9NsyDN7T96ZiE8/R6IlmtSIlyrudH30yi+VRHT/mXht/pm9LtmtLnlqpXkviu7Z6An9oRT+4LSLfCxd7h6IXM8dwFB92Z8HxvKSNFG2EU8UR6h0Dk3GXllIdmpHCaBrtL4z2y/G1eA==,iv:tI22YPx46u5ZZyxG/tgzu4EkZU2gyOTYjlVFofvHtJY=,tag:EzyDYuNE7xP/Wz8j+KGBiw==,type:str] 
-SECRET_VOLSYNC_R2_REPO=ENC[AES256_GCM,data:mbO4iS61FII8EXfMcRRu6kK69pnbdCLLARPWmlt4ta5F/lq20Byl/0ZVojbRPHLMmivgb6+z3dlxALjjJTvZrLGOGDCc8+BmNHxFjialAm3aNPr9ept0HlD8k71tSf8CY/s=,iv:NYDLCCzZ35mpUZBjh+zEc8M0c58RcNdWNfvLzL9F6dM=,tag:RHQcR8Lwkr129jXwN1vhnA==,type:str] -SECRET_VOLSYNC_R2_ID=ENC[AES256_GCM,data:MKOfV3t/LDQ0FUYXXcL3DzgMoCz9uGfJkkG3L+Zpmyk=,iv:591+OgMLhbU18DJmTgl494mLpEp2gWCpeWg84262N6M=,tag:cllraQY6pSZmAVIS42PbPA==,type:str] -SECRET_VOLSYNC_R2_KEY=ENC[AES256_GCM,data:880BQx/r+lp73c2vqDgs7JCyQs58D2qpgU2/U6ekrD0KEv9vWOm9Xg3Sttkow11ZTr7QBZv6vJatRUSqjWsJ2Q==,iv:M2zvGkT/wfZYS8jp7FIa1UwsSMHJTd4M3hmqykPpU1Y=,tag:SnPuOnmpr4X0kciaGbdVFA==,type:str] -SECRET_PG_ENC_WAL_R2_BUCKET=ENC[AES256_GCM,data:wFANknkPocCVwP+iXCRp36ZIelNCvb/62zU=,iv:IOOWAKCdTvVO/VyQDt+dAIiwZi6wkYfMaXggExNGcU4=,tag:8Qr8kU5zs1QDOkSIFprTyw==,type:str] -SECRET_PG_ENC_WAL_R2_CFAPI=ENC[AES256_GCM,data:PGk5EQaPOsTrR9hS9MtLg1kIPm6hV8DUTcwaJrMXCY8Y3SeHY+sPhQ==,iv:LaBb/xbQ4ekmxAmyF6XL+o6WxZURj32s0HUZm+86J/E=,tag:J4aA+csjfXUs6OuyvOaBhw==,type:str] -SECRET_PG_ENC_WAL_R2_ID=ENC[AES256_GCM,data:WzaNMtOIG7UAQ+kF0xBGFYPf3B98lIR/RsbN7xEUyF8=,iv:+Za/LjS1YBd1OMEMheyg9kD9yd+iM3ZnFq4IT//gmD4=,tag:AIpeixOdTJIauptfPIqxUQ==,type:str] -SECRET_PG_ENC_WAL_R2_KEY=ENC[AES256_GCM,data:GsiM6xFxMSrMQSq4dWwlvUjV6hAyL3smCa5bXW4fU8tGg44n6lxtauxSvw1QcCfrGdPpgTo+FndIZgEBOzUoOw==,iv:49UT1YvUEoCIsb71DMhwrMtwAZB6rR3e1hGwX3VVn1U=,tag:/XAFs/tv/YKSqlBfu9EE+w==,type:str] -SECRET_LITESTREAM_R2_ENDPOINT=ENC[AES256_GCM,data:CSuNeRnUeT2iLsexWEzKqS43tHntAUiKkY/YaKqt/kSLn/AXuJJojRwOpu9E8ORDv5+mRlKpZHMDor9zCjVYPGoz,iv:jWBQEOyGGT4trOXdANeLY6asfgpVrPAvqLmraOIhxao=,tag:wj7a4PpcjMVJgiBH3kIKUw==,type:str] -SECRET_LITESTREAM_R2_BUCKET=ENC[AES256_GCM,data:xTxuAmmfze5aJjYHuuvUrJW7tiLTtGjHh4TixCPNzlE=,iv:0Lsnayr1ZT103PSl/QAjdVYHUO1NrlJ49v7BEyv1ePE=,tag:ASeMFgeyE0/kNcZ3S+ZhEQ==,type:str] 
-SECRET_LITESTREAM_R2_ID=ENC[AES256_GCM,data:Q05+0+50OTfbsKKvd9VWaBTrDKM1GVlVDOr0VIzTV9o=,iv:e/ooKrR4qMiIN+/tuiduO9VpejAkHS2oVoKrF3B5oRw=,tag:rHgBV15JS8VkVbBlbVdPbw==,type:str] -SECRET_LITESTREAM_R2_KEY=ENC[AES256_GCM,data:AWoRP83JxNNd+3AnjyD0rblQRU4PqCGeSEiJSodY+M4oFxjL5De+jwoUAzKQqqEDYCbG9AQCleenEsKAvXYzYw==,iv:gmSAdTKoc8pJY2IAQ5tdRVdO/dh4TJKV/YnqLje2+wM=,tag:vzLHuPrfdjZN5MkAF4qUnA==,type:str] -SECRET_LITESTREAM_R2_AGE_SECRET=ENC[AES256_GCM,data:yeWLXkOQS4DEFJaL1Crwn4i2CS900YOLht27U4ufWdItsJClwHd6MGaTd7/26Fqw4ZthcpsDrM1xMCCLpRvKGRxHR6RgLSviuQw=,iv:tRsGyu+Pih7GZNW4P2D3fRfv+CAcr7iosh88bnNX0NU=,tag:qIwajTDGI7wBMwNarrIrgA==,type:str] -SECRET_LITESTREAM_R2_AGE_PUBKEY=ENC[AES256_GCM,data:iuhbkyUGkhTeYWpnTBYpmig3GcMf3TRT3Tc4vw8h7JnroBcBXNPuYrTDXwkquM9yhpEQxOSl6fA8WIhQsCw=,iv:CG+v8OHfU3bHdBt5rn06w/56PDvWmrd0iLHxoqzk+xM=,tag:8DM4yvPBPcRwE+0eAJnp3Q==,type:str] -SECRET_GRAFANA_OIDC_ID=ENC[AES256_GCM,data:SN3VRQ9yqkSyENOyphwilukguOb9j4yDFAEw+eKnYQRUEtKXZQ3WYQ==,iv:d0fAQZTYT21JWwPIxN+omovxxZxMcUptgsc24AnDHkE=,tag:acj6i/Adt7SvmZBbHPs2hQ==,type:str] -SECRET_GRAFANA_OIDC_SECRET=ENC[AES256_GCM,data:g1slCCYzItuKAarADs7FqoyvbjCm89Ms/eYOvNLSWOcI3K+IyiTQQJCRA+7XDybSGZdDSEdT7rvgSAxYFkDl1M7PhvAXhYmj9FGYQPeP6jUODWc3NT0Ch+p3gc38FvFdfBEPIvpXQnhehGc0TCiqCDmeS4QJUGV0j7BRT768CSQ=,iv:+M3ozpf+2G/w7coF8LbhgM4b9SfTVtuL+lzpzoyEa3Q=,tag:1yH5tSvJlSQWszBjZRPDxg==,type:str] -SECRET_GRAFANA_OIDC_URL_SIGNOUT=ENC[AES256_GCM,data:srqHdaeL7hqtTI9sbwu8dIw1uLG5CEJ69DhwmvG7jjnBwfwaZ32jWl36EDRXkyy/GImuP9zV0IFx2KW74JM=,iv:2VxPgqjtaKtdGEVZLLX1bl/SwSENF+bb+fwY65mwN/E=,tag:uJhcSuFKXTbuMdEh7ZiOZA==,type:str] -SECRET_GTS_OIDC_ISSUER=ENC[AES256_GCM,data:gxmtaBfHW0zVy1NhhFiotX28ubZ4yPm4sDHd7saFDoKvk89yiG7Jggr3ZnUk382BuL0+ABQh,iv:DXj+asZEemXXT2XrGZ5bFu8CAFNli8IIt5q7xC6YiaA=,tag:FXWUO3AmUZ4IYaiyD5sZZQ==,type:str] -SECRET_GTS_OIDC_CLIENT_ID=ENC[AES256_GCM,data:4z9tVTkc2OXIq/lDEXmHJZnN1SiMAl7NfOLJq9wLpdrwPSdbx61QxA==,iv:wyutHo0Gw/jL93kf4xyy/JNn+tyTuicWBLAIyz6+J8I=,tag:e4gfFhY66NVr/kjOolg5Dw==,type:str] 
-SECRET_GTS_OIDC_CLIENT_SECRET=ENC[AES256_GCM,data:Zzak+jXxJvupbm3pO81+elm2EV6hdt7o2T1lneN0+dIZqjchFF8ljPAtY28J7aLgCFUS1KclputyzMqA5f2gCxBleH2TfEFtRkrCI9fBjGkWGC2o9RsJ9mTJwrxu9kdezQJtBYC3sP1SlrThjKPZVC+TOV076J7rIn7qvQYE+5g=,iv:IiQA0Vt1xmQFoVlealmgizGXbB74xJCnkIoc1EwPHoI=,tag:XcXE69tVkCNQcM+m/Pr78Q==,type:str] -SECRET_GTS_PG_DBNAME=ENC[AES256_GCM,data:CwL2phhvCJ+idQ==,iv:GQA/ivqdbKqDIJGpEj1/BsP3/OvhBdD+eIubjn4viUc=,tag:HdB7cvVxwJ3YOSTwuppWmw==,type:str] -SECRET_GTS_PG_USER=ENC[AES256_GCM,data:v8RyelkxqTxq9iIVFSD3JzZVIWA=,iv:Y+f0qRmYU/YlGwxuLkriRjgFPIadfKICIhlJg7lHkak=,tag:kpSfBtzqaTDWmQDaS+II8g==,type:str] -SECRET_GTS_PG_PASS=ENC[AES256_GCM,data:q6lg5v4cvt6UbGscq2/BAW9cfkukfGXqyJAy9vZfAZ7e8e+n5HiQCrxjvBrr6Eo6coES36yczwJBbVwV8kT2VhiLtWUgzJx8+SOv7N3QytxuF+hD9lUsKYp2sWcKpYg8LHTZ0cJb/+/ofyoqoPuwSjo4m9DYVU6cZG9ObjCBdHna7Mj4Cy35tF+0o9zVFFdolPIbbhlaPMr/vIXLNuNB9USbAaFKG8PcgIaYMZB4UoICPcC6ZjgcNGf3+PB47sBFetq+ge5rtNQ=,iv:dTX3uCXZL+HgCzAfYWWkhhMLjW+Ctt7tiGl1y+SNjxg=,tag:B6WR6ph1Kyzgn3c21ie0qw==,type:str] -SECRET_HEADSCALE_PRIVKEY=ENC[AES256_GCM,data:RMffLZz0voMEhodl9aMoQaNUDamJSeBP8N1x6+KFtzAlkl3ygWLvtmKMgoPxf2HVKqnqaqK46owjbSLkbNXzAkkbUmzlry+h,iv:A105o2WRKX88ZOfGkXSJQ25wTdfo0oj5MJiT50cAuxM=,tag:NDXOXwhPgbXaJMPM0WeNOg==,type:str] -SECRET_HEADSCALE_NOISEKEY=ENC[AES256_GCM,data:Tpc+fhG7u6dHrqqRHDOZ4bCN85DCIF32AzqGfbi2sLGAjJkXpFuwVQzi+Km2kkJ2kHYejXTU6QDFGl0KAqcWQIuBpkViHCa/,iv:Uxx793urHXOvJRvm1nw1hCNecK84qSiYhcRJss4b93w=,tag:uxYGfRKb6OKagVvddNm/CA==,type:str] -SECRET_HEADSCALE_PG_DBNAME=ENC[AES256_GCM,data:UdQtadWqYJWf+HG9kGt6haJOpkZ2617SRcQeUm1GrAEVC6oT+YS8Dg==,iv:dPWSB+MTx8nrFJ2auDlwzP7CNE/LWMltD90olUPEjes=,tag:R7yWBizNi4wDCfOmyLypWQ==,type:str] -SECRET_HEADSCALE_PG_USER=ENC[AES256_GCM,data:quOGbj2KjLAbGTSXSJ3E8SDFjc6tpGSuRc8Lg1t8CdIZf+8RVwNZxWwZOV/bERhofJ+1sviOJRDeNswtbymNGA==,iv:RNtYkqFbp8pDnIuZcY6C1hqltx1ogiWNXhPNnaZmnX0=,tag:U5NZmp4sPJQe68RX5j5mMA==,type:str] 
-SECRET_HEADSCALE_PG_PASS=ENC[AES256_GCM,data:9k7/jiIq29R7Qzm36IvaROJPQaTJM26JJsQV0SCr3gqjnnZ5DLLiStQi3O7sNTAQNU6xFmqWsgyTIB1Ivys0mSI9MrEqk9mCeuL/vLpaaDtLAIv31QQ+QE3cNFLK8t5y1Sf3GLG2WDt/TzjGGY51Bqg4dYD/eMesfmpzShWbdMlMBH3+KbuvOODA1WrIbK1KsqHI/kUz3hqWgnDzY+QoNw==,iv:aW/xqTsQmsEeIBmfg2nVUvmLnQWVglzDjOZ/nSdi/mA=,tag:Uu6jFE8xolJcpAdltBzyoQ==,type:str] -SECRET_HEADSCALE_OIDC_URL=ENC[AES256_GCM,data:Y0SHVAfaaCrRjHGdU5HAp+y6z3J0qWU20D4TsIH6xlOX7SC2tQiF3YukbhB0cJJk2LpkOQeV4DKn,iv:Uh/Zxij7aqe4/tsy+7h6K5HcgzYCh31pqKWWR/Bx8g8=,tag:YkQYT4yc03xPzWCRq1uzpQ==,type:str] -SECRET_HEADSCALE_OIDC_ID=ENC[AES256_GCM,data:AeL8W43fbHiqElAAwCynaoJD8BwnSVH1EWlBO29ysf+vGhJ7CidDJQ==,iv:BrH92xlpI/ApKq8hg/0EylI6Fo76B5Eg6lWrWDfgei8=,tag:UXYlOY4T0Bh/q+ySRfW2ew==,type:str] -SECRET_HEADSCALE_OIDC_SECRET=ENC[AES256_GCM,data:dJjmjRWQ12JCtXsGDJICIRMqdsc5HfpH+6fh6WgpOZ8tyNdrSRP2ow1Jag7zEMIeMyi+vh2T/s9DnnRFBbFQDcmon3WuI5xIjEmDU4/IPIkhoE4FKBjgHib6ML4IxcIFnq0haur3FJS1/StvcVONyrkaHOjAEs7Tazl61BlFQN0=,iv:eo0hsCL9K0HhMRFWeaoUs56f5zexnKoECnWL16o9YJM=,tag:tYMAZGLNqZ8dXJrlgpJRdw==,type:str] -SECRET_ZIPLINE_CORE_SECRET=ENC[AES256_GCM,data:7SaUQTrItXAPYmDL7n2PS16wuCCtOMqkHEG1u4J2jt86lWAvRi5egx71a15iQGtWkaXialPRlD6ok8Nw8CJsYTNeSMp5DPgMWX3455maFwK1scRf5EhFwO3NimEBGki/nfNrW9WPNePW9IW4jPgAfYlQ9a4wMVVN/xfA3760rL/fir4zrV9dQiv1JYaDXd4HcoopSBBvB/9wMjqJPmCOQXru+4A342cYcEpuzg==,iv:tE2qKJ2q1ejQ2f4kyMdwlUTdLyWOIKz6OjukyZDFmu4=,tag:BO1zBDh4c1Z9bQMDAFcTag==,type:str] -SECRET_ZIPLINE_PG_DBNAME=ENC[AES256_GCM,data:1n/7RoIBs7aYFvj5j/gY1MY3cNb89/3HSNn8/rvVl1k8v03hBpt2nw==,iv:8hWz49X3Uh0E0NLNNdPEBJvUmIuBnfMS7urcYcjnHk0=,tag:pTMxq1umMkdAdHmrMyMTVQ==,type:str] -SECRET_ZIPLINE_PG_USER=ENC[AES256_GCM,data:0Gywyf7j50UpHf1m/tmxYnJFYHptB1WbTSI8JXmJgvuqpGjtW4X7mm1tuB13XmF1JaeIDBWwuQdy+6YcYC7IwA==,iv:owyh+uvQGR2OvsfuV7agXaVY3nnvoNyrMyYP68Elb6E=,tag:mFsupknAyRTYnk3eL/2Baw==,type:str] 
-SECRET_ZIPLINE_PG_PASS=ENC[AES256_GCM,data:mUvEAvWgzRR7580m0b6YYamZTMQbRbhdb0SSITbF7YrrejUXImqmUqhPiarVKwoFXCJNsxKXncJyPiYauQqtrqM/92MNqnqWYJlrswbOSIO5r+PnQYTaROGNPbQ5+aD+S6aMhOdoX/CdR/VQBr2Fj5+NC3C7hZCZDafIDnwmqQE=,iv:9Jd8vAemgxhQizAx+Cx6nFpBQIyErnJYrxLqmBhJ4zM=,tag:OsPY2dqQ9YBUvVGvZVIOTA==,type:str] -SECRET_KAHIRC_OPERNAME=ENC[AES256_GCM,data:yUITJwobTVD5,iv:w2VBgexxe5+M6+rXlRX3eJ+3SdvEwAogklZSMlhs0OE=,tag:Gvs0zbaBy0hjQmVGKrQrXQ==,type:str] -SECRET_KAHIRC_OPERMAIL=ENC[AES256_GCM,data:u+JZd9WKEid/fqs=,iv:uL9VW9b0VwismaM7JxJM22dbzV1UwShatfEaTw+nEjs=,tag:P2W2I7AAHwF6ZVwGF1Lwog==,type:str] -SECRET_KAHIRC_OPERHASH=ENC[AES256_GCM,data:T9pKsQ/CMPI26vErFrfeoeUOoyfPRsdCNKx13d2QVhcL3FAoJg7bdjHvhsVhNFpqLl2G2NacxtxRbgmr,iv:qBx3MXO5bl9ZNmFBqyg8OsBQ9xt5hO9oect4HzwxKss=,tag:Zrk+ajkU0UuyTfrWPlToyQ==,type:str] -SECRET_KAHIRC_PEER1_NAME=ENC[AES256_GCM,data:YP0YAS6B2LuGwmI6,iv:NgZIVBi039IwwyLxNW+DiRI1sCi+XKt2CaVpXxnQV80=,tag:VNOu503+/+J56Uq1P8aXnA==,type:str] -SECRET_KAHIRC_PEER1_ADDR=ENC[AES256_GCM,data:Jm7Q/qVGLOzzMrbbwwpuAgU=,iv:ROSFTW/aeRHZEidyDTT6LgYM8IGmK0OhMzKfUSQJJH8=,tag:SP3QFXaG/mMikNDiLZUBCg==,type:str] -SECRET_KAHIRC_PEER1_RECVPASS=ENC[AES256_GCM,data:q1hb/97UszbCNHyRPBZbsUrN7V1svVUIvjPc2pteLpPFIPP+kBetK035rWNGXd/A5iaz,iv:G6+O8wanY+H/eA1PDV3WPPFOow4pyHyRr1yZ7tF74/E=,tag:RwIkO3rm0FAg6wUpgTF/9g==,type:str] -SECRET_KAHIRC_PEER1_SENDPASS=ENC[AES256_GCM,data:3DtWmcPJ/KY75q0BnY1fuhb7Um0JrcWdxIw9SEs0Ku5oCKZdaujRyAYhUtBJjsUax28o,iv:I2NVjCij0zjOMdYVokMauGbWW1XGpd685f2w+Fhf1is=,tag:Pvk5Cdut6r7kLDL4yXTntA==,type:str] -SECRET_KAHIRC_PEER2_NAME=ENC[AES256_GCM,data:57/P4bu9j3AM2ecZDpvaSucFeo4=,iv:SnEWTnKerwYkkGIKCHQnHjqlVfZ1sHzyWOlojR3nbAk=,tag:Ri4jm3Z3vUHHjGVx35WzHg==,type:str] -SECRET_KAHIRC_PEER2_ADDR=ENC[AES256_GCM,data:13rHGEFtu+NncRMf/fEf3Spvr9A=,iv:qjpsXCSVPTV+AuiBu0WR1t/Jb+hIDfq7TxwAkZHE7ns=,tag:BnZ19MA4oeNIDJgnN0oNQw==,type:str] 
-SECRET_KAHIRC_PEER2_RECVPASS=ENC[AES256_GCM,data:Cm4BuPTrxlRIwU/rPPloQP7lbLX1+XQbR7Umk5U=,iv:NRkqrUMdsoWS35HVCczT/wf3jCB+Qra1vs4h6rXRgnE=,tag:tn+5nVs5xsHlbiCxK74Isw==,type:str] -SECRET_KAHIRC_PEER2_SENDPASS=ENC[AES256_GCM,data:277wybsXLrXRvML66d8pRSwACpFnG9W0ftKYw5s=,iv:RJA5qmbTgvcHiXz+pdSIjN+lg/r1Dya+ZrAwoBAJGXI=,tag:c95FChrqDmb54Z7252XRYg==,type:str] -SECRET_KAHIRC_CLOAKKEY=ENC[AES256_GCM,data:BrARTM0ZfC841D7xNg2ub0A0Dk0ogri4io+b/0PXcCUVCOKcXZDAaATbIb2HS4x3,iv:QfBkc2398qiVRWuxMIkkbK2NjhmoFJerq5AJCrjmtUo=,tag:gnfii8Ww8h8OE8GHs5howQ==,type:str] -SECRET_ATUIN_PG_DBNAME=ENC[AES256_GCM,data:ii5FQKwJUHslIjTvdg3sw5goEI4p6xIM3gljXu++ge4HTEbwq2tWPw==,iv:LXiWmPcNCV3KUR+zt8RlCXaFGKB7ExvDkcrB9M+11iY=,tag:JdhiCoRwmeTEov8dBb7S4A==,type:str] -SECRET_ATUIN_PG_USER=ENC[AES256_GCM,data:R7OxwP9GJIVH75nXVbjc/F4AiUGfFJGaHUU2cTCtzjygAZ5TwpX+mptKj4m/e0KaImAe4Hg5d3Tq5ZRZkkfCuQ==,iv:qyK8ww/o9KJ12wMm2fK9YuZ9WEFiXz0N7EJySJRzJrk=,tag:ZUduwQmPFPYJHZgFavWZYQ==,type:str] -SECRET_ATUIN_PG_PASS=ENC[AES256_GCM,data:yCcFbOqD89kRk0vQl3DzW2kZe6OhFjOY3vN4T3kfPXIFO75DHgvNlV0W8mOiBNdkRh/x5ufqkK+AnpvP53s2/9btkXJudKUsIrd8H4ITv77HCsguM06rtY0SIbNLkgUJNAvpR64nIKT1ok7uSbo8inGndb/F18V0bPuzFVbeyTGjYniLKuVO9sAL03Jqwl2TsaSkOuBYQ/yp5uEiC32LFbGULwjjHA==,iv:y6qE5Ss3A4MHL9L4IFAjN+axmh6XbwGsvYKJMkA3jzk=,tag:zNGuPAAIWDCw4WvBADzuYA==,type:str] -SECRET_MINIFLUX_ADMIN_USERNAME=ENC[AES256_GCM,data:Qofw3MQz,iv:LxYBCR1dIqh2xlgGcTv5Y7fnSYc2eVX0bdBUA6QfWYM=,tag:zpK/wQxI4e79tgbkp0O2bg==,type:str] -SECRET_MINIFLUX_ADMIN_PASSWORD=ENC[AES256_GCM,data:OBGQZM+Yk4cRLZqG1Tq7Zo5FAED/zT7Rvh4rWphXuBlrq8lIxe6GYV/kPF6o6bhj,iv:x2KAEH5rnaMjtH2nfd3cfXThm2fqnWAxsUcyt/XG5IE=,tag:ypNBgv7Pl16ly9er6veBEA==,type:str] -SECRET_MINIFLUX_OIDC_ID=ENC[AES256_GCM,data:1CqKNuEdymDEmPlsDSjPrOF53cHc611kfl6CcFG6Cn8u2LdkJrrYzA==,iv:uAW7dRRgvR335o6OsUSc+AZgXB5z8gZ5RSizVoLddvY=,tag:uGuFFD0ePxa9Wo1wR3tJ+A==,type:str] 
-SECRET_MINIFLUX_OIDC_SECRET=ENC[AES256_GCM,data:QVNDP4WNuH7VVvc9r+xZREGfNc5p/X8QXQP/Xg1Si3RgiaZgy9LLEzN/SwIm2eSJSpP2hlXlFGbr6mr1Q4/4gOwSped3Q2GIRcZtv4vjtq86B5xVjzT8qclay1xLX5nK702An2ttL1CjOEPN2PPExSYe6YzhCWwgRlAEOW6T0Fg=,iv:gXypds64tga0sOaF/Kf/jXHPlYqjUlCL/aHG4eC44H4=,tag:ALy9C5FEtT21WS5PNHI3SA==,type:str] -SECRET_MINIFLUX_PG_DBNAME=ENC[AES256_GCM,data:Gh38/ljUWkU=,iv:JPsEPf/aiDXFncN3ogLqV5FlUqWm7EQ5R4+fEf13yLA=,tag:tOzrhackOD9UdTwNBBBFvw==,type:str] -SECRET_MINIFLUX_PG_USER=ENC[AES256_GCM,data:qMBC7e5KW98=,iv:wu2+CK0pRy+uwQzDng/WM4asUAkXu2EMU6cjSDPcccY=,tag:29+QVjETJ4jwP3x0nwjERQ==,type:str] -SECRET_MINIFLUX_PG_PASS=ENC[AES256_GCM,data:rLuVT8S9hkQTE/T0Z6M06qgmzIt8ufC8drdofL1n19uefnLsU4WqgLZ/KYGrxQ==,iv:oLcrZilIuQf+QHCJYiQllummr4yRz6aflDhNb21GNUE=,tag:H4XCkfmJl8jQogvGDCVZOw==,type:str] -SECRET_OVENMEDIAENGINE_SIGNEDPOLICY_SECRETKEY=ENC[AES256_GCM,data:5RF5A82+VFFBExTrY2QRRjUBuEq3peY/MAXDh7K/U6U3z6tzqqa+Cw==,iv:qz9k3l+Xi/O/13FPRTzIwozAVdRdGhjrFxxeo/YjUdE=,tag:aLNBq5qlxpJptIhGqLMCxg==,type:str] -SECRET_OVENMEDIAENGINE_ACCESSTOKEN=ENC[AES256_GCM,data:5wq3Eh0MR/yZ09VIOCoiPO4bxRHkMU3S8AVlsR0BZVQpm/q/8WBjh+E7rxb2NlX+D2Lsdsy2VkGVKlD7DU2ysOe+h40HmxmW66A9dZAS/IoQfxfE3QXquVmHrRvdd7GEPi36sw51ZDstfWiL1YRA0TV6mfAi+Z/1UgD3bMlL7QI=,iv:rczJrTn9trKCWd1qdw1DyZDdLhjEE8nfNysYtkiXV1s=,tag:Gnd8kEAGLScgRW5ffWiOpQ==,type:str] -SECRET_FIREFLY_APP_KEY=ENC[AES256_GCM,data:3QESMqZ4oVXlczAALYAPBgPcP/PZKF8gyhK6efYU4Jk=,iv:xNd99n5fwWG/6Aa1ZCDRaRHOq5Cj3tjIHVS3KnGesPM=,tag:oWn0Bx2XYOaqYvGpqMMQJg==,type:str] -SECRET_FIREFLY_PG_SUPER_PASS=ENC[AES256_GCM,data:5xfK7H3pl1mLlhgehQu+zLrT5RB+2N5oD30zoTNpWzAzKWtsUghV42D6nT8lFAhdFK0IAE8aQFwE4jjgVLUsn3mdwNYHQehp3fHEUpRUBP9quq8YmL+alhSE,iv:qXDnjdj2PLw7BYL1OVFXYOLb4dlwK1K18mdkUyR2mn8=,tag:pxc4154huxbvBAlmloDfAA==,type:str] -SECRET_FIREFLY_PG_DBNAME=ENC[AES256_GCM,data:YWImvKEg5pW9SqqsOBon4tS5,iv:Wsjrc2wUIGSj3MEUGGU1t/tPWpL7IK6HHcOLr/9mJOA=,tag:Ewlw7yxh6J2zwfxyuhaGbw==,type:str] 
-SECRET_FIREFLY_PG_USER=ENC[AES256_GCM,data:Xeh6jDsPqPeHSOKxedY=,iv:sUATOnvR4kIkXiujbJ0nMxsttakjBKjivmcEVTONS6o=,tag:HmcFImGIO+phQXEDp2G1xA==,type:str] -SECRET_SEARXNG_SECRET_KEY=ENC[AES256_GCM,data:VtboiMo1EFkxVahzVyM5iUckLZO+bcH1qVWgd9BS54HjBoTemaNSMd07nLoZ5aRSyl3Rit8vzmiZcAXk6StS72WB0/cGsC8V7tlYBmFzK5BD7sfXXE1hHmqE,iv:RiibgPHtHCgDaDschpssXFMs8GvZOFvIUYuSR82g50w=,tag:Ha6D9i/keJ4bTmcMM7xRYQ==,type:str] -SECRET_SEARXNG_REDIS_PASSWORD=ENC[AES256_GCM,data:Xxgp+yS+9bYH27fyFAHcIuonX5+uPS6/E2sEhpY40HB3WEp0h/whZMrBD9frM8+X5QYdWjNyeiQ8MaymV1h2YmRXDT+nFzQDfA803uZfy/ZImgXFRUo/t6RY,iv:r1UFYNhW780OxCvjLToL8HcXoOaaU1bqM/vI3dfCkkg=,tag:vnqwGagTKaImF5raF5EP7A==,type:str] -SECRET_THELOUNGE_LDAP_SEARCH_USERNAME=ENC[AES256_GCM,data:XeKNbTJ75iZbrlsHpZ2WUS0HcgLuSR88J4KyEL8kG6W1kgQqNZFUHcpk2K2NxQsdFDwKouR/almnFz363xsuJE9LKmuWDItUtmElMIY9ruTXvu6C,iv:vUFmZmOnsGTV/iMZ9koNYtaulwA8P9D7TngGjULnBWg=,tag:0rxMVuA7+1BR3AMpwQ1wlQ==,type:str] -SECRET_THELOUNGE_LDAP_SEARCH_PASSWORD=ENC[AES256_GCM,data:r+R9nyvW/Hi/rnLliQEfHo0CKIUWhFJQky3N5E4CiZCON3/9nhu3hD13aYVnNvikd2Nv7+uxZ2RB3XHY,iv:b5Th8HMosoz/VtvHq316zNTuZu9T4FdZ5O9P46p4O4I=,tag:/rlmdtl27LwLpyYEC8aGDg==,type:str] -SECRET_ADMIN_SSH_PUBKEY_1=ENC[AES256_GCM,data:rQrOCrBq5Pxb+JHz+M13TaAciap84AGL1IaLK0oajfS1bovgWoq+3eRw2WBKK/zyCBzO1Rnt2JdWHN7o6UNFY8BxgQ6f+eAiZWHfLneTKPc+T74yfag0RAWt2kky+xd2RNC9KA+teXUctjEf4THk8/qpzw3zSjRwnvMLDfGIh2Ky,iv:uBYoaZu16pokpAWZGfXn854+3uTcfjKgwZILK1HxtoI=,tag:0xosFd0HKKMuVWjt0qDIpQ==,type:str] -SECRET_ADMIN_SSH_PUBKEY_2=ENC[AES256_GCM,data:ChKAm92Z5GPniUDmrFYMBZ7yOBsLGRWQj40wPuCsaPrdKkhjKPYe1c1Wvxl9phDade9rwKhb7+AAttboTtHMa+R+696aXG06E5BQXqRLxr/XDZQJQzRWvRerogIucCrddpJtW+cXF/8sjD1C7ge2ZU3objBHiwW5OMqKRuxVTTinci3Wi5UvK3tzXklV1d158WsTGh8=,iv:qqtgjHdE7rNKoJ5iTPI/TSH2DIf7Qrpb9fr0ReExzsk=,tag:hs87MOtk5ONbXq2vyZPmSA==,type:str] 
-SECRET_ADMIN_SSH_PUBKEY_3=ENC[AES256_GCM,data:WcHtsToeNjP0ZNms9xR0C6VOs0UZhBbVn+5FOGKYl9Wipg8CeT6c90B23jkYQwjCELw8GdSlP0/HXtDa4XgbsfvRMxW4Xc8L2o7/xUdx8oecGKJ1vX8Uo33kFvBytMUGSq7/ugKfW9DcnAGYWUIQO5kn+PjelqM8IUdAHbLaRhmpq/60LbF14gAPEhs9+vPa08EKlA==,iv:7dDhdOFP+jqOsXR+ArTSE4NrcAAsYArVCKOz+U3iFls=,tag:2dvTgG4R92kohj/ftNgBqw==,type:str] -SECRET_ADMIN_SSH_PUBKEY_4=ENC[AES256_GCM,data:LbOsXrAJ7bN9hKH2caLAh7n9uKM8dN+dZZwls1dXuyQ4ah+YPSdz+YZIalTcVNMlVTd/e2ulcQY2UiKjUX2YmcZQS5d0c4xQ8Ne4zleIfeFpmdfFarR1edz3+sLPU7aZuB/y5UXesgpTFbkdS9zuwIPxWgkN6GTmG8JBSShZsG9rlNeSFqcEwNl+Cuxw/5reQfxK+TAS,iv:NRcdE2EaZTwom2L/5osU7c1r8C41TYr7OHmr7G71LA8=,tag:h6irZpyK0SjP3bnA4tri8A==,type:str] -SECRET_SOFT_SERVE_PG_USER=ENC[AES256_GCM,data:AoWziImY3+61gbzDdSWl6CAfqx4=,iv:t8hovrN43fpG1B2dPTmh6X4mxC8Ss97DV2Ms/FBpXZ4=,tag:kfgRcN3272WK1zULMTalIg==,type:str] -SECRET_SOFT_SERVE_PG_PASS=ENC[AES256_GCM,data:GUzxtIwYyDiyUvdVUCrlw+lLJIhanUOGiI3SdLajRURseoZNNRjmp4gZ5YFXS1kLpt9hcigSDDaJbtaySdW0ZyD3gpRtDcHSKRyL6RjmW/lqTYrKmUizefxR,iv:OQ8nQgBgE6LKsB+xd6htB9dGqVmbjuOapT0Js+gQvew=,tag:KcBJBTC+L8/lXGxkj16d+w==,type:str] -SECRET_SOFT_SERVE_PG_DBNAME=ENC[AES256_GCM,data:Gl8L9+Vo34EvTAQ3FQ8fYVGZqEs=,iv:ZCC3qVRFSST4/G21kHOuubYQUWYn1fhKNvC/ihSy7zo=,tag:5RtzoHgQf0POt+hLvRAGgQ==,type:str] -SECRET_NEKO_XFCE_USER_PASSWORD=ENC[AES256_GCM,data:BylehHbX5P7nux34Cp4uQOwxJS1+OMG+lX+Td1JXsVq2F3x3uWvc2Yi91OZp3tDHFkalZ3/f7qK4TRJxbGnWq+UdetIXeJMQdha4t8DveSQpTG/EmXe890Fy,iv:C83AiZZxzu6DbCigikCoBbvrpwfHlc8LBptcHaJHIw0=,tag:nrldolyiIQOiTl6FpbjagQ==,type:str] -SECRET_NEKO_XFCE_ADMIN_PASSWORD=ENC[AES256_GCM,data:lOl3nfvDaX3aRWDAyjouZdpjhWaTtg9g5XD9JY8Qe2lrtjEGYwlrnkNlerOEVtcHP1LQA5EKWMXD6RLAYuiMM0i0SgRwHaXUH3nhC3X6Z/H8oKZHVQeqd+gn,iv:HmkRe916M/rGi8f0Ky+7rUcv9NPf0g5dsJE7875euvM=,tag:1kG9f1ipuU/svvdJB/tmlw==,type:str] 
-SECRET_EXTERNAL_SECRETS_AWS_SSM_ROLE=ENC[AES256_GCM,data:C69+Wu4Nij3W8AQFM2x3V7zIZe+Jr/FwYFL9040WPCJEalSJIR4BekTG2U/rCJ+pEXbJBl1A9JAnbvcTTA3SQL2iMKff,iv:hHkoDqVbs1MWYZdzlF0etAtj8aibd3PYXYVPdt9ZoWI=,tag:FPgFDDgyJ8FpJMRGj4UP4A==,type:str] -SECRET_EXTERNAL_SECRETS_AWS_SSM_REGION=ENC[AES256_GCM,data:szcCIFJc/RTn5DVjRcs=,iv:Lb/nmYOBagG7zX1+6SL43Mh4BJ8HI+8NELif17wTueQ=,tag:m2voqb3YQUBs9BzmcHmbkA==,type:str] -SECRET_EXTERNAL_SECRETS_AWS_SSM_ACCESS_KEY=ENC[AES256_GCM,data:4JPwnwPwialiKgeKsJDjfM+f4qk=,iv:xB4YrC6pkxhL4fUnD/L+Wb33L3Ie/sjdgOZUe5glB6E=,tag:B633Sjxx68dp0U6rTxfN6A==,type:str] -SECRET_EXTERNAL_SECRETS_AWS_SSM_SECRET_KEY=ENC[AES256_GCM,data:b3QXES0u2oGtFsFWVq3LEDoOC2RCvPCKyt6PJtzoWu2j7b/OaxWAPg==,iv:LmMoJw/W0FJrVjgiLiV6zwEOYF34769PSGYwb4YMfd4=,tag:gJzQodrnUDxo3kLvjWbuUg==,type:str] -SECRET_JOPLIN_PG_DBNAME=ENC[AES256_GCM,data:9lKuAG1l66cQo6SD0B2W+mL3z7k=,iv:H9cEtDD5n1/LjNJV9OBJSUmyWtbOHYr9/GDEVfvc7CA=,tag:XoB3LhbqiBizL47pFrnLPQ==,type:str] -SECRET_JOPLIN_PG_USER=ENC[AES256_GCM,data:8PIuGRLIvx4C9Azly1ou99JxB/k=,iv:gUxeLx8Gw1jaj5uhPcXqiJHR+5xNgAieIWmTGE7emHE=,tag:oV0ZSABFcRz2cvD/7tCH5Q==,type:str] -SECRET_JOPLIN_PG_PASS=ENC[AES256_GCM,data:sSAsGsjzjmV/QiHV+ZDrigmrZqbMSAfqcnu6ts7oz+sGiLrYAPfjkA/TU4LJLvVHi//fK6xPee7fvcPx2zUWgySukFNVH7mPyePNVtXjeh8Q/ZptIIO9qTvT,iv:hMhNie5ZQ9OAPU66EmdqvJd6S042DLmYe//A6aZ1jLc=,tag:uzyigFfF+/QaIQXKCjcizg==,type:str] -SECRET_JUICEFS_R2_BUCKET=ENC[AES256_GCM,data:fK6Z+B5WpXvCflza5zuk+24p5AY=,iv:Q5Ycmq3YcV6nnk5oVfndvuhkoIIRsuTfgj3txtd+j/I=,tag:E1mO3asMi5wpez2A7/kXow==,type:str] -SECRET_JUICEFS_R2_ACCESS=ENC[AES256_GCM,data:5T05tzBtcTq+aFRs15agAoGP0YNRwT0U5cIO05Qp2+o=,iv:CAc2Nvq7DSZD9b3yE68+jA7q83HcYkz5E3l/DT5bQjo=,tag:s2jn7WfRqk6IXoq5n/E1aA==,type:str] -SECRET_JUICEFS_R2_SECRET=ENC[AES256_GCM,data:61b8N8QpqZNGlP00ZCGMak2O60ABI6djS1z+vyBzhO3EZwtRVcv2d2kJmHiQIe57z4abjC9t/zyP90/uWU8zsQ==,iv:ch4mQPq1DYU4HjtNFkmcNyabTB/WQWNyfmjzGEcAveE=,tag:6XiZHDBzb9rS86RJlNo8Hw==,type:str] 
-SECRET_JUICEFS_R2_ENCRYPT_PASS=ENC[AES256_GCM,data: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,iv:Xc2ZRw42M905sf2qhisJxBfS4G/u0kr+h9NYhlGW+Xw=,tag:CeNovntTkEhw7JjwEC1UBw==,type:str] -SECRET_JUICEFS_R2_PG_SUPERUSER=ENC[AES256_GCM,data:E+pRAaZKW7Qed6y3LXmx7Gyw00e/hIS4q4RWy2snP7k4Aovqrr4XQ2cwvrmm248v,iv:zhrMx1ttlA6d3Y2YS5slAV7zcmWsKCTNy+5Mb6W5dIw=,tag:O7k7fJoyJLaEC0Cj/NGzmA==,type:str] -SECRET_JUICEFS_R2_PG_USER=ENC[AES256_GCM,data:ldpv+2rIjsU=,iv:5bgvIX4xMGH3iMrlUvYRRmv6iO6VDInvNaQG7p26s5A=,tag:5Wm+RE/KjOw3yNHi1PPpvg==,type:str] -SECRET_JUICEFS_R2_PG_PASS=ENC[AES256_GCM,data:sJ8hp3us709xAwWNyq8GL7QFPEnAZi2iZgN0IoBD+o6MKA+//PiQaz7gz+AOFZ1q,iv:7p1yHnXtA0UwFaUjdK2teatJSeRrSYxQ4DJTTS6nR7g=,tag:M8Jj67MUdIAB8AfiqO/Lgg==,type:str] -SECRET_PIPED_PG_DBNAME=ENC[AES256_GCM,data:uDj99nCYIvGRM3+ueROxIHJuWkg=,iv:j1IKPj6lrTAxXOm+GJ5ViX6kb2tHxIJVYoGZUvycZzc=,tag:OTYHIBjcJgvM3v3yUdC/dg==,type:str] -SECRET_PIPED_PG_USER=ENC[AES256_GCM,data:XIWxjutEWAe7Mja6j8vNO1jt5b4=,iv:oDUUBqdHBz2H1e0LtjZLxo8jOsxfc190O/S2c7dvrEw=,tag:RrVySm9LZE+VOBSXg88fGw==,type:str] -SECRET_PIPED_PG_PASS=ENC[AES256_GCM,data:6Kw+ShaMlYO+RqJo8ZGGPFBWiE7IgnUdmBFji0w8HKmUk/mQAXOa7a7UZMAt7Gx3TwQHm09SF5Ov2c2L7dVVWema8LRX+M8jRKjE/gg7z5H1df59uqqwquDGdKeqlgKeLip9Lw==,iv:nqw6PM8+AlgzddDlKbkQxDqtrPfyELUHgV6z4CXW/GI=,tag:9KirXajkTDCZ5bArwaE2Cw==,type:str] -SECRET_PSONO_SECRET_KEY=ENC[AES256_GCM,data:Xaq6Q+zuyeXhY5FZrgavIaQ3Lv2IW75UwGxP1tDfyaAhl2xeRMF0CdaXM1o2WPs7hs0ZPihzXEEF5VQ6pL5Xqg==,iv:nIMDAGyM/E46UWLHVzMWRXOa7tZhXkW0G7C2+cNeXYE=,tag:MKZg/7+DomAI6H3ju4Gryw==,type:str] -SECRET_PSONO_ACTIVATION_LINK_SECRET=ENC[AES256_GCM,data:t35y6KuVKjRJw3WssWfUU+0JWr3v/kc83h4+yigohDerpojv81FXix1REPJt6sMzw9Wtzb1VQogqFZzEGlwq/Q==,iv:LhcG7Ugmd+SL3B7DY5RUR9mC2DSSqj8CFOMm2h+bzSg=,tag:YJwy7wyXmdp4LmNkr2eX+A==,type:str] 
-SECRET_PSONO_DB_SECRET=ENC[AES256_GCM,data:YuPsGvGECZVQarIJ615Cpu2AkweS3qgpljCeeepAkR+uCdrK3qU+eqYfMcvQAFocpwvvqA4XdHwUitIX0GBOmQ==,iv:YkpGFPMIb97EylTDkfA8FtqNsw9Za3b51WluPTJetG0=,tag:oFwT/uhnHX7i3ktXz05FkQ==,type:str] -SECRET_PSONO_EMAIL_SECRET_SALT=ENC[AES256_GCM,data:tEB7wvteB1DfPQpmBJa+fkCs32uhwTAFV7VOrZE=,iv:+qDfp0UpGr1QBEevznaYImDAcUAMN9Nizq/jBPjZGdY=,tag:pK0yNywb9RNkeMoPn58l7Q==,type:str] -SECRET_PSONO_PRIVATE_KEY=ENC[AES256_GCM,data:MrG4TqMyE2dRII3Th0qfUoSWxouy71NDgNu0DD8YHzCvhzF4iPf5rEIBGholws/LrKHKUpAWvSy/0azC/HoXmw==,iv:ec/oOX2jZBs8psQX6oC3rXbT7nJUaaY5gM6If0X/DEE=,tag:ubnDjxrtPZJwZJs57TXbZw==,type:str] -SECRET_PSONO_PUBLIC_KEY=ENC[AES256_GCM,data:CYStu4uzisCU8EumA5oXgQFGo0+Dm/MPNpQFi6fkx0KqU7qBVWegfT4nlphaXDbLUo6A2VEUrI3WKXKL3le4QQ==,iv:gkbgTsxUBti83tydfdCZ7L9uy47/wHIjQr3KaPQZGx8=,tag:jw+6aAodYbSDAvK5bJLlRQ==,type:str] -SECRET_PSONO_YUBIKEY_CLIENT_ID=ENC[AES256_GCM,data:WgxXAxt7ig==,iv:L0FEmcG5rjTzJ+N8RD6C8B3TVLRvi2BBmBqIYdRS4M4=,tag:GWu1JKKM7X6c6cezzwJ8yQ==,type:str] -SECRET_PSONO_YUBIKEY_SECRET_KEY=ENC[AES256_GCM,data:9iHxEENidFomCJ6y9pfcGzn/df3nB4OEEJB3Gg==,iv:Znut4JgsCY3j1W77K4MMs+ebGQ6E8c9UpjGwOVX1hFQ=,tag:op7H93ZXndOLhMntOMD8OQ==,type:str] -SECRET_PSONO_DUO_INTEGRATION_KEY=ENC[AES256_GCM,data:1MIYfqJlTrtekV4CEs+0wE1WBcg=,iv:X8Z5qf4WbpxXhB2vdRnvSfZQra4Z3VmVwgbDxfHSbnw=,tag:LUAIx3wdqI2C40tkSx6ZPA==,type:str] -SECRET_PSONO_DUO_SECRET_KEY=ENC[AES256_GCM,data:/Xo9zlOM6Kd2q+EwgaRb1F+CvgxBCrF04cOSsK06iU9BSw0RlA/4fQ==,iv:6FfwEJdQV0oGzkgN7pzo0kL9Xt+GB6/cxhqDhMiN20w=,tag:+ynn1fc7OgO+z6yKul5sQg==,type:str] -SECRET_PSONO_DUO_API_HOSTNAME=ENC[AES256_GCM,data:+j8U94xLjiF7s0r2DUTn3A7W24vAllzqO8ymJA==,iv:Xi2gPNjAySzhzyCwAhSMmlUT04f+23N5dPAz+w/RJmI=,tag:ahTCp6CQGE4DpZMDI565wQ==,type:str] -SECRET_PSONO_OIDC_RP_CLIENT_ID=ENC[AES256_GCM,data:R/RdoGTp2MjbxQmCDImilhSd64p5qAaguUuU9xH8kWvepPpLU9jGqA==,iv:X9QOPawSoQR16PygjtvuFkNj24n0aRyXyefQdscZ8Zc=,tag:e+oeJygJFL3hPnGGWiG0vw==,type:str] 
-SECRET_PSONO_OIDC_RP_CLIENT_SECRET=ENC[AES256_GCM,data:V6xh/LSkUj39PLLX9h2nSjQpJKQJ9+2NuI8uWxWCfThiE0lr/Nu0/LSy0xpPhCVQM/1pXbxBtfBysq4SulT4RaAhw5WCT5pjvULVep/qUC7ydb+cemN85p+nKJCwlG6ot+Vku/tOgubs6iGRPq90GJIwiFIqzYRxgFkNOLAdvaE=,iv:DYlDLoQE6Cs2SIrw6boTK05beHCFfg/S5DPRtcjsmas=,tag:N0vcHoA0nVJgdQA8trRFtA==,type:str] -SECRET_PSONO_OIDC_OP_JWKS_ENDPOINT=ENC[AES256_GCM,data:PcOBs8LX0EFl6vZK+uT05+AwMFsmn78cUJuRyrLfIZ3Wu4p9z9blUGehCzJmmkyIjCFUdApxBEfG6s5wBi7NEbPV357IaADLvYDoGEo+,iv:8S9Rst1kk1c5+3i805UE4uZXOL3rVgiqm0QCBNUO188=,tag:gpq5qg8VztqJaCd1+nUn1g==,type:str] -SECRET_PSONO_PG_DBNAME=ENC[AES256_GCM,data:+Zcr9YXL43kkna5YcPx4u2Hs5YQ=,iv:yKYl7nXiPfmVuit/lFBSZ9uiWihsf3X+ugHFPlR/PgE=,tag:8F6KPXy4RzyHyWzy5yvQ3A==,type:str] -SECRET_PSONO_PG_USER=ENC[AES256_GCM,data:kFevvNDbJd+iLVrzVIlDisNZn74=,iv:/wojqQ19PRPh3D40R6btSf5rYk7XFKuEhlmgnS5a5OQ=,tag:Gdc03/4nQIezAa0VodPTlA==,type:str] -SECRET_PSONO_PG_PASS=ENC[AES256_GCM,data:kU7ezoxikIDEIifjNoC7c27B4b3ZXn+yPClTVJHPSqrW4zeaBs+xkxlTR5FMiURVW+Bq69FbF7CoMMyq0QynPfAGgjd6zn0OZZbw+Dl8w541RIgBn59nxLwGmtWZt5h0YX2fMg==,iv:xAaiyyXpMU/YmezWRwCrElWAnLJkzOmO1maYwtX21MU=,tag:lJbq/42e861q5YSRxfFAMQ==,type:str] -sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxalh5ckhGWGxFTmFqSDQv\ndXlPOUlyYVNkWHA5VGN2TERvaWtWMHlJdFRNCnQ1NlJldEgxb2E0VEdVSDVpbHp5\nZEpTMEQ5dWU0Q2ZWTFBOZFp5Ti95ejQKLS0tIDF0c3VlazRzVWtVQ1JXT3hyTWNN\nWXpUSUNydGY4V04xZ2dTSzlvWmNOTGsKQ3rimeB7zqB4dYMp1pR1AOltXk+GhGsb\ns0jDxr/SiPUaiYoVCY4fqu9geXNRDGlPh3T2Lhs9Siif4Vnc8qTQBw==\n-----END AGE ENCRYPTED FILE-----\n -sops_age__list_0__map_recipient=age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj -sops_lastmodified=2023-12-06T03:41:23Z -sops_mac=ENC[AES256_GCM,data:WYqodDfHHS1W2vZJrLg65vwCwLD7Q/GmoSg89mMfpZZiU1hcGDORszpoBv3wE0nePgIPpSMENUSktR8+Gb2PQFMhYA+VLnVVE8ykYALoU8KgVyvjWsOpPOnP3nK1j1CaPktcY046NcDDkWrWlxF2NGD2Kl1jTu5SO3B9J0jve3E=,iv:p5SoXxDaWuHr2lkTAcqKKFds4PobrYE8vS0KTClEBRs=,tag:sp2sQPzM+kjbNMxdqVJs5Q==,type:str] 
-sops_pgp__list_0__map_created_at=2023-06-01T18:01:07Z
-sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhF4DAAAAAAAAAAASAQdANDTQwVjZ/Ad3iqBe0LL2sGCrEvrl6W6VaMjFgJCUkzYw\nwASmi9Y/OqREXtEItA1rKZDTM38LuMfcU4vAeEV0SNWlW5CQquN8UpLwMATrBdXr\n0lwBcvIZFLbbnfqFAdJ1EzbRWvHuh+yn5DBMH+odm3ZLaJqiiV9EaWhfl2rdIOr4\nPJQf6Ev1hueWmc9H45a8nvwH8sOl9MH9hl3TW7o9JOOhGmZ4BBVaSJW6f0UiZw==\n=iSQg\n-----END PGP MESSAGE-----\n
-sops_pgp__list_0__map_fp=31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2
-sops_unencrypted_suffix=_unencrypted
-sops_version=3.8.1
diff --git a/kube/clusters/hercules/config/vars.sops.env b/kube/clusters/hercules/config/vars.sops.env
deleted file mode 100644
index b46c75d985..0000000000
--- a/kube/clusters/hercules/config/vars.sops.env
+++ /dev/null
@@ -1,183 +0,0 @@ -CLUSTER_NAME=ENC[AES256_GCM,data:G0syFTAucfg=,iv:ufdD1ipDt9lbqnxKCdXb7ZFfHHBEE/G7lr8hvgwxLvI=,tag:UStb+q9x29kEPLix8W4FZw==,type:str] -CLUSTER_NAME_UPPER=ENC[AES256_GCM,data:QoA2vUQTtdk=,iv:wAY60ekOE4eLQ5A9ajgNlNVa9lT7CEg4qAko6zobD0w=,tag:FUiHc14/vshT4vtFZYmC3Q==,type:str] -CONFIG_CILIUM_CLUSTER_ID=ENC[AES256_GCM,data:tWP3,iv:YwM+Q8g+xvQ7xg+lTrOMVrA9CPIiLoW3oP//C32cKEA=,tag:y60jraGvGA+lzOOLuxEYvw==,type:str] -CONFIG_TZ=ENC[AES256_GCM,data:yjenwiH185SgIz1gDHs=,iv:zWulurvktdU7e+866iNrafkjqAuqZSnJtx8kq7RhNTM=,tag:M5IkAMqEep8dIIbHGXetIg==,type:str] -ADMIN_EMAIL=ENC[AES256_GCM,data:wbMUdJNx+sDHW4CsPjXygR9o7NDSDw==,iv:r692Zq4sXcNuqfOfqTQOvO70XekdRcJLcvaZVrOW6Io=,tag:SoRRgPh7doIrAaI8a4iSRw==,type:str] -USERS_1_UID=ENC[AES256_GCM,data:DY9qIA==,iv:M0E4LpIkCL4gABzOEzLVBHjGfXpPtYXb1ssezvN4D9o=,tag:wopQ/2iWx7aoxnLaQrYgFg==,type:str] -USERS_1_ID=ENC[AES256_GCM,data:KC5Etz5c60gQ,iv:1kEHHkNqOxZVC+2InmSigQ+cnezXtZtSRTkzuaqYIAE=,tag:jMTC/BjiH8O+Tzfa//a3ig==,type:str] -USERS_1_NAME=ENC[AES256_GCM,data:sPOtMDyiXKKt,iv:Qx2Kbrtgh6qhD5kIe4P6mEZ6H4mGhFHs1exEeiiwJew=,tag:TcmlQ+lx/3soaPDQ0WYRTA==,type:str] -USERS_1_EMAIL=ENC[AES256_GCM,data:vAsIA/i3ZEmeAmVVp8kmS3s=,iv:WDafq/rY87HSyHcr44ruSEMwVMmlfpYDULf1/5ILHx4=,tag:6B/DARRtroZDxQculVmVUw==,type:str] -USERS_2_UID=ENC[AES256_GCM,data:IzHgGQ==,iv:CxwO+pvNIo2GAc96tB7b0ATWnuk/umXAuq7ZXY3LHok=,tag:a2qIk8fcMWFw7z6GXV0Zfg==,type:str] -USERS_2_ID=ENC[AES256_GCM,data:1ZwdfnI=,iv:FDymvXYpPR7pm0vIWwZZ506tRDbp9wTuCkzM6XSXbFs=,tag:q68gBOpUMihms7Rdzai1AA==,type:str] -USERS_2_NAME=ENC[AES256_GCM,data:pUEVSALW2LY=,iv:j6zAgL+Z35H1t5RAA6BK9xk99UuDP+BRHH7lYanYMU4=,tag:EXq0yos64O3rvpS00a18Fg==,type:str] -USERS_3_UID=ENC[AES256_GCM,data:o8/3bQ==,iv:YoXHve6RHidEJ6nJMqOEHGtK2FeH3wHBwYUMxDAfwK0=,tag:jFE66SO+b6xyetCrxd8Zwg==,type:str] -USERS_3_ID=ENC[AES256_GCM,data:uWqHb+s=,iv:j7M/X2+tyLD5qyoulaH9urRoy7zg74UMAzAr8i+TU24=,tag:w93RZByuEOfC39nC7I5wlw==,type:str] 
-USERS_3_NAME=ENC[AES256_GCM,data:BxSWnRnQwXfHqg==,iv:JmzuZmZZnuQnhI9SYt1TBmBLojmm/gI0ttaLUfXrXpw=,tag:59diPvcbD4Lexj4PVpO3Ig==,type:str] -ASN_CLUSTER=ENC[AES256_GCM,data:W/IlCgA=,iv:7G80F6Yv5pQfAw9a28G9/75wc1vNGOjF8d379/3FlJ4=,tag:aqaxFlW0rXrDeumsz9etxg==,type:str] -ASN_ROUTER=ENC[AES256_GCM,data:BOsXM8M=,iv:r3nQXW4EpXII2itTeDP1/6wJk4PDYUQH6kZCCcf7AuM=,tag:JWd9XL5hbAe6d3yxYlvFog==,type:str] -ASN_EC2_INGRESS=ENC[AES256_GCM,data:FSkZESA=,iv:ihDOVFJWor83O4T3cX3Y3XgSXiDikPWWdRjzLHLIXJs=,tag:xIgs8PNpfki25SVJ7SkPYQ==,type:str] -IP_HERCULES_PUBLIC_V4=ENC[AES256_GCM,data:5nuej15lQyaRAlwDGkM=,iv:M19ZcJT1L9i8+d7vj5p1pZMeBIJXsDhsUSZA1y1LdpY=,tag:hUUj5UN1F2pRzHfWxjfAtg==,type:str] -IP_ROUTER_LAN=ENC[AES256_GCM,data:q+9MIIuBLPA=,iv:pzWM3e0qgyRLgYtXv3aoKqX6ZOnpQURGBWaLZZRfQGc=,tag:xEiU2fV3Wt0YHd60hALsUQ==,type:str] -IP_ROUTER_LAN_CIDR=ENC[AES256_GCM,data:VBNZEYACQMQduOU=,iv:is1RkkLkgUYuNPypTFRm7krP9nb1rkrZ64pkQT+5LEM=,tag:opkUbEo8JR1Gp13pklKz7g==,type:str] -IP_ROUTER_VLAN_K8S=ENC[AES256_GCM,data:BF7rMLUGyiMb,iv:H+s1v1sl6ZNJEvF1QO5kIYE7jquhLrDXbPnpE2PywUY=,tag:Sux+8RhfEHfZDXT2z4S5Jw==,type:str] -IP_ROUTER_VLAN_K8S_CIDR=ENC[AES256_GCM,data:ofSpO4zPW15NjV5U,iv:NiFUvxTyLkN6pamnvvdDp4jrvIDyjUL29iytz6WtQ5o=,tag:J3EfAU0XGsyLM3LyJhqUXA==,type:str] -IP_ROUTER_VLAN_K8S_PREFIX=ENC[AES256_GCM,data:pVFBAx8dAsw=,iv:ndak+3+LKjeKH//APQxiOZQbxOXTIXxZJ3zvO1guUjs=,tag:PjH3+/k0+REN6K1wJJMg+Q==,type:str] -IP_ADMIN_CIDR=ENC[AES256_GCM,data:/gOvzGKzPJK5a03HT50=,iv:d4gc4tmDVstZAof5GFmT8Gw5U+nMULS9zhqDAJlKOd4=,tag:Msi9/nQ44llnAvZvfk1y9Q==,type:str] -IP_WG_USER_1_V4=ENC[AES256_GCM,data:6kwe/D0YVGEG7CMWhr8=,iv:B4Dk4AaljCym/cxatpO/5WMZ2E4KMiNH+tCLH+yVsf8=,tag:nqqze7vKrsWTBWG5/Ou/Ag==,type:str] -IP_WG_GUEST_V4=ENC[AES256_GCM,data:zNwOAgzou0T8cAduDBY=,iv:matZ/IhxDQ+CGO3IelqlszVfmAr12dgWXIH9YLGGDOs=,tag:/MJRFYmH69ldrHfdjSQSpA==,type:str] -#ENC[AES256_GCM,data:BxkEvMxTU/+yKrBE1dFKsdpCKg==,iv:dqAxo3Fm28bJjbbfqcdRNuFyhC/AKG7QtBUywtA3SrM=,tag:kBkWMhz5Yh3sQo+u2+TWiA==,type:comment] 
-IP_POD_CIDR_V4=ENC[AES256_GCM,data:Vh2gzEXJJ7vOdV+zgA==,iv:YommPRN8bLc3U1Duhk+WeyoV9ewfMAwPoGlpmUL0aXI=,tag:NGTxCTR85/leTCRKi1R7BA==,type:str] -IP_SVC_CIDR_V4=ENC[AES256_GCM,data:WAVcVXbIa3BRBLNrbg==,iv:Uf6BhDieazUgD7CUxzu4N9ToPODgSRaURTIzWhk0bvs=,tag:tqRX158GvDWIcEsBjgDpbQ==,type:str] -IP_LB_CIDR=ENC[AES256_GCM,data:q+vxXa0hFfo65IjPdg==,iv:TbK+R9rPqbWM39gKGS8Duy6pu6LsIiB75W/aVD4+Udc=,tag:NCphqMYEfobbAbVDHTU9Ow==,type:str] -IP_LB_DNS_CIDR=ENC[AES256_GCM,data:o75/iGFsYskn+ZSl/xg=,iv:2de8pHSi8vIvBLmTO1VsKZwN/IDsKJMLfxBonfecdPo=,tag:SeATXXsI1V57QQZPHTYlLw==,type:str] -IP_LB_DNS=ENC[AES256_GCM,data:DAYiEIkMy4dhZ1k=,iv:ZDPt/A8wBJzwXfl68hk5HCLUVbcTxZbF9wTYvtLmHjA=,tag:ipQc5ZNqHvZ854wGdB4Wqg==,type:str] -IP_HOME_DNS=ENC[AES256_GCM,data:DYHmmMvvUTM=,iv:LJUKgLaNSCiXirjF1sEBu7/iwuJ4rZtdQExjLId558o=,tag:WWLhj0WofzJHrtNIZkXJ3g==,type:str] -IP_EC2_PRIVATE=ENC[AES256_GCM,data:mpvik7PGTay9RIDT,iv:GZ7ais+/ALtZ6MrXEVmXvTchwttb+DJgvKAVp5D2ZlA=,tag:r3/sIsLZBkZLMkwtEgxyvQ==,type:str] -IP_EC2_NON_K8S=ENC[AES256_GCM,data:7jtsVqq+odY4/Ys=,iv:P90o7KO47NfR71mRU0Mbf3apZkX+DJx78hBBFgvd/r0=,tag:bWzo5EZ6ltHPsqueFHE2YA==,type:str] -IP_EC2_INGRESS=ENC[AES256_GCM,data:omO7wXHHdXAMtw==,iv:CjT+gLZ1qXlojRhO4aqASOPN4HF88zLRVmclV4F6uUM=,tag:x0IKg+E79HgKE43fzse7Dg==,type:str] -IP_OLD_DOCKER=ENC[AES256_GCM,data:P0UtR+GaYgiL,iv:4fUoNHCJNRPeKxdRTGIqTsCygXWzjNzLv+6j6M5HKTE=,tag:AvTs/+R6Z1gkZuSVwXLFBg==,type:str] -IP_TRUENAS=ENC[AES256_GCM,data:FmYxX0MfwAa5,iv:IQ2RDyFfWMB81+KWAdViSaI9wsG7ZeuWHqP8WHLxcjo=,tag:zKLAvj9Bv7LUxTzCgxzATw==,type:str] -IP_PVE_CEPH_CIDR=ENC[AES256_GCM,data:pZQiINu+zq+Eu817QSs=,iv:HNqO1t6CIYKYFu79ZIa7drta6nHrusbIAvDMZOqTjQ8=,tag:c7twZOYfyoWFtM7EsCQGYg==,type:str] -IP_PVE_CEPH_PREFIX=ENC[AES256_GCM,data:qTb2oGx0lYVYXg==,iv:LHvEoa8FOfyFgkbofpGL2Fxywh0IovaqDd4f/KuD5gA=,tag:toyC1fok90KGTSV/i+J3lA==,type:str] -IP_PVE_CEPH_1=ENC[AES256_GCM,data:4XniDxEiYapl8jE=,iv:tsUuu/zQRlpg3FP5D0xskegvri0Ff/gzIDhDEfMBSqI=,tag:ZyNRjxrcPFdwtVrOjzoQ0A==,type:str] 
-IP_PVE_CEPH_2=ENC[AES256_GCM,data:7grFGVPdQVfvWUw=,iv:wFUEr0oLNKh596/osnZFPEB2K2DrK9YJAQ1UGp6+Ro8=,tag:K0hI4bYhVWZ34OtDo20F4Q==,type:str] -IP_PVE_CEPH_3=ENC[AES256_GCM,data:gcpKOsqmtwse/y8=,iv:S6mFA3zgOjWia3H3yEiygaUNDz7mPaDjGhLOZuIb2kM=,tag:dwAzKWIxG+d6Cp1sMtBS2w==,type:str] -DNS_CLUSTER=ENC[AES256_GCM,data:HFI0tk0nn1o=,iv:VgNeJ+CQmXu2Z4bxnwbCB+3BjVkV9O+s/6+zWAbZjaQ=,tag:KsRBPu49UW1PQ8oHMGhlew==,type:str] -DNS_SHORT=ENC[AES256_GCM,data:EeZAaxyx,iv:LcdxoKzqL9G70jDilGoIAYsdeLu2JNHsVOeTOC8uk5A=,tag:jqCIJN3AYeD2OKk5fyp77A==,type:str] -DNS_SHORT_CF=ENC[AES256_GCM,data:kZ3ByoCW2yv2mp6yWZI=,iv:4NvOKhdE0oYIh0NxJBx0nUEf+OfLjBeDCJRdkZP5xvU=,tag:fODE8S43xC2XTm54xt+dFg==,type:str] -DNS_MAIN=ENC[AES256_GCM,data:v/CMPVrWz2KDOa4XNaU=,iv://GkKFQHnySPz4v2F70k8NDygfgzOOa7kymx53fKEGQ=,tag:kiJDOn7nWMBbX9xtSB1qmA==,type:str] -DNS_MAIN_CF=ENC[AES256_GCM,data:ZH6W503kd+Cz3pGD1TsJcMs1pKCieg==,iv:Vzb/Z0tD4uRtZMe88TOlzQo8txrHaUyoN/rPLjumlJo=,tag:4+0bETwn5qvs9nidp3F/ng==,type:str] -DNS_VPN=ENC[AES256_GCM,data:ex//+QFhseX5,iv:2VNtm+2DBDwD9cxfaulVHHODVZW7V98Hr19H5EFS70o=,tag:WOBz55Cnna8lUMEMLnW0gw==,type:str] -DNS_STREAM=ENC[AES256_GCM,data:IQKPb0HvNNCjH66+H56oybM4,iv:YcV2u1p3hLIcNGG/G3POubEjjVkKCE87+pxHBoYP15g=,tag:XZlkSYw+r6KK+SRuYt0jkQ==,type:str] -DNS_ME=ENC[AES256_GCM,data:mvkrtneuOQ==,iv:tXwnnd4pILQJZcu8S2U6iX4Tu34y7AVKdje98tBGzhc=,tag:VD0Ov9KL8j2RGBTGU0MFAg==,type:str] -DNS_HOME=ENC[AES256_GCM,data://qMySXhwLc=,iv:FZ3g2rmlpTxRDxZp2K551Ar+m5XMExobObaM6uf9prw=,tag:/cY6U53sjCbaVwlE7A9A1g==,type:str] -DNS_INTERNAL=ENC[AES256_GCM,data:IjMxQ4Ev7yk=,iv:nFKR0p8T1099khSAOWQBdfGU660n3vMSfhyET3mOdkY=,tag:G4nNPjJym7uT5E2A0y+l7Q==,type:str] -DNS_KAH=ENC[AES256_GCM,data:MUJI1U6bNmvzvAU=,iv:1eTSLdbbuMwx1YVo0STg8wL9lKy3OaR9KLMznw9LZFs=,tag:BYnkE2X/jKM5Fr/9/6GbfQ==,type:str] -DNS_NAS=ENC[AES256_GCM,data:tXgzzi0q8Q/4GSL8oPpw3JzgobLF+Zhl/A==,iv:Qr+PpJwgzvSjo4dUA5lnszfwIkdnyT/Y+O7WP8vppls=,tag:eeht1Fj20CJHIWA4o2YW/g==,type:str] 
-DNS_OLD_DOCKER=ENC[AES256_GCM,data:9nDHAHXCge/1+Ht8ufHWbqCoCC61,iv:8OsS2kwc+wM91JP2UGAOk9pIV1NMbJftivNRHpS7GMo=,tag:ahE6gj74E60iszNOGrqSzQ==,type:str] -PATH_NAS_MEDIA=ENC[AES256_GCM,data:ZpKa4xnMHKWOO9pDQ1b1NlHWQPfuybn81u4uQ409,iv:dB84+0jnUJDylWpOABTdylsT0gR10l2LNGE6trHZtNk=,tag:l/bt9asoFhEosRlpfLncgw==,type:str] -PATH_NAS_PERSIST_K8S=ENC[AES256_GCM,data:nS9umA3p29pVqWJoB5HpupInDSrg0N6GSvjEkM0l8uVaOcL2,iv:+3mMWya4stoQ3KHO1HmPUQ+Q4bq3y5farOhRJw5xPws=,tag:Jo9eSG8dfR1qn6mu6n7HDg==,type:str] -PATH_NAS_BACKUPS_K8S=ENC[AES256_GCM,data:XQiudCzciERVNC+EJ4pU/Y91Zp6MwEqleIjI57EUB/Ahb2hc,iv:EuOd7eXnKkpKBSZafcgnJxB6lZ7cKBIao/5IeabwBbs=,tag:BDHXnmljGz/7IjSuSo7IDg==,type:str] -UID_NAS_BACKUPS_K8S=ENC[AES256_GCM,data:e5JN5w==,iv:bXwb5LuwvZyFhjhbpbnabvNKX03VPB/9XY402CoBwx0=,tag:hDXYQzou/ZPpEbLYkQDl+A==,type:str] -APP_IP_NGINX=ENC[AES256_GCM,data:Mdm/bUsZTsv9iQ==,iv:LIbtBukgaQBVkx+bIrMlIGH4OnuuQTPFDYoXhfElALE=,tag:nwhE5BSEFGlojABTYzfJsw==,type:str] -APP_IP_K8S_GATEWAY=ENC[AES256_GCM,data:mNfGiLFSLx4dpAo=,iv:CYo6xNLE+bunmdTbvCGMI86VXi4t9r+FMqCp6arFeYg=,tag:u8tTxJquRYb13UyiQXVSKQ==,type:str] -APP_IP_HAPROXY_PROXY_X=ENC[AES256_GCM,data:yBoLaUWZ1Ul/05o=,iv:AkmKj+GrlAyhl1/6w7WScRlzk5Fw/sFwy1ROvjjZyHw=,tag:a2/hZAf2UjJvWaVhzs/Z5g==,type:str] -APP_UID_HAPROXY_PROXY_X=ENC[AES256_GCM,data:B3G6nA==,iv:e5UIYZa52kQ8GFBD30d4/U8WMito6albh4CMgYhHOpg=,tag:8TBer2t4zGGYIC3bmO5FLA==,type:str] -APP_DNS_FLUX_WEBHOOK=ENC[AES256_GCM,data:LeEVKkgJzTyJGRqr+LMQynh7+pPqSaxd,iv:f4FPxbRGwAa359vlbqr7MTPYItIgcjNo6RwFSKf5T6k=,tag:k6yyN1FRRLKNW0Prdyc25A==,type:str] -APP_DNS_CEPH=ENC[AES256_GCM,data:LRh6eTrCFET+iw8=,iv:Q2Ff7U4XOJ5jsGQRLvBm5NDx6SZQRdG5meD9f6mRhj8=,tag:E45XZUHW4MuckwGOf9Rzpw==,type:str] -APP_DNS_RADOSGW=ENC[AES256_GCM,data:f7vMFBNWRtQZ,iv:lAXYTkBTE4/PW/bm25c4ZzrIxlgQsOfpXJeyNYqtwr0=,tag:PDSUP4+4eHauhpORu+Z7Ig==,type:str] -APP_IP_RADOSGW=ENC[AES256_GCM,data:3ndMvS7qVTZxSg==,iv:n/5arRlOykLfrk8kGqPMaZegYI9FNHlkIPzmawdGsDc=,tag:+V6LDeK6U2sxJ5a+KNyxqw==,type:str] 
-APP_DNS_RGW_S3=ENC[AES256_GCM,data:X/DlP3vIFc07Sg==,iv:HlJ/AbTqCuOuszK8Lll8qsSNpuZOoty0lsnYCt1UF48=,tag:nFoxdgyYyZArPflmm2DwHQ==,type:str] -APP_DNS_INGRESS_WILDCARD=ENC[AES256_GCM,data:aPYf3BwPvNA=,iv:Kgey2Z4+1JFa9JOOzG98QmBBMIp4fTPm8VPLw5d9gLw=,tag:R8Hb5kcuLFlIP0m1Aopdpg==,type:str] -APP_DNS_HUBBLE=ENC[AES256_GCM,data:IcbmzSNwcLqbtg==,iv:qGuMNgCu39RMcdKjsGia8wCZ1Vpj8MVcDO2QQv4wONY=,tag:mqwjMLhKR4q0tjftCS25Lw==,type:str] -APP_IP_KANIDM=ENC[AES256_GCM,data:VGm8gzd5D5x3phU=,iv:yS1pT2TSGKsTeFB0ouYUyTYEGD88d3DebpwSJ6lJpSs=,tag:kpa8wKJm4gdyCWKJ1A4n1w==,type:str] -APP_UID_KANIDM=ENC[AES256_GCM,data:plVe/N8=,iv:sss67JiY8gaa0+UMs7rb1K+nDWP6BCKsnKuqj2txXSQ=,tag:exDjUeioDOBrkFQPF0tl+Q==,type:str] -APP_DNS_KANIDM=ENC[AES256_GCM,data:Zthi8C9YcOVG,iv:NY8E+/Ij1w4Uq68bCfA7Fev5keEsg1uY100BvGDzCaE=,tag:wRGFWFr5wgGybwIB5EM4/Q==,type:str] -APP_IP_ZEROTIER=ENC[AES256_GCM,data:y72VWQdUzAyElkA=,iv:GEvQVKj1fHridrBc/kZggsw/3SjEqJvQwabGRLkykFc=,tag:yYaK4ZeOuNk4H6u4FvA64g==,type:str] -APP_DNS_ZEROTIER=ENC[AES256_GCM,data:Aux4pBfNqEdjJ5o3,iv:whsIzd6AKjIjMFhQgsBl2c2GeLfTPzZ1qzlBsrJ89HY=,tag:+w050FLUcdzZyYerTpF9mQ==,type:str] -APP_UID_MINECRAFT=ENC[AES256_GCM,data:fTM1V0A=,iv:WYxSqDa/qUlixCiNort3+Mi6eM3pdFz3Vyz+5FG03Vo=,tag:b+7VX6rwGSynwwkXZL5YKQ==,type:str] -APP_DNS_MINECRAFT=ENC[AES256_GCM,data:im1MkquJeuTB,iv:Zs13ttFqPj8bL6fZVJ3Rm1cjN3L6LwgsTdL2VOI2nsA=,tag:Gx5TGBaiXz9vno+6VqmZVA==,type:str] -APP_IP_MINECRAFT=ENC[AES256_GCM,data:hwYSdbW2u7mcF2Q=,iv:q0HnEBpEjV2yd56kIlZ20EhMizuGQabSI4NxbTHuaTI=,tag:Qo76HJ/hwxnYHZh+hg/itQ==,type:str] -APP_DNS_WHOOGLE=ENC[AES256_GCM,data:/lG5yy8vuvCX,iv:CL/f2hDpDbnjfKkdSCNu9t5Rw8Bq45Lt0hgh9W/T1gM=,tag:ujw+GVCdAJIGiM9ZwJKyiA==,type:str] -APP_UID_WHOOGLE=ENC[AES256_GCM,data:Sgyrku0=,iv:FKgGBZ8hPBuBaItlvzf/1FnMV9PNMKZarf/lyo0qtv8=,tag:6dq4UZRjQuYzRKvv6FfG4A==,type:str] -APP_DNS_SEARXNG=ENC[AES256_GCM,data:Mb1/MoKfcUg=,iv:s8S+nlHwmsGesUAzckug+Tvvqovfyf7dc449l+DR7WI=,tag:DNnXLseCXBvcrOHWr1Dagw==,type:str] 
-APP_UID_SEARXNG=ENC[AES256_GCM,data:IpNOLUE=,iv:GcKM8sB6kcdVJfQM/C83oj+uvK+R7F317rcyURBQ2eU=,tag:4uF+BK47qeXOqalBYl/lYg==,type:str] -APP_DNS_GOKAPI=ENC[AES256_GCM,data:tYHe7WqM4ZHmxytgsm4o4dpt2zo/,iv:W+cjCJ0GWLvW6T11sXi7tNyn40G6u5RnJWu//VeelAg=,tag:/Y3tXxkzN3QLV7A6OT1/sw==,type:str] -APP_IP_SANDSTORM=ENC[AES256_GCM,data:Va65oCAjFqw8kGA=,iv:nvncnDjvfqxSQxCkXlMYLOP+5AOHiAXVWvjYRj0TS2w=,tag:i72IseTfwPl8Dn9Y4nf0eQ==,type:str] -APP_DNS_SANDSTORM=ENC[AES256_GCM,data:aPn+NI+iY6XYIg==,iv:2P9cV9V9uiUvRhshjeO42kdPXw6B4/gunohQlK1qKeU=,tag:usif8kRZX0z6cYnz33z/9g==,type:str] -APP_IP_SATISFACTORY=ENC[AES256_GCM,data:bH0ma0ugy1I1X9c=,iv:o0tEH8i+DJFvOL+Hvqv9RKjmQ59GCQjnkfAG1H6Nj5E=,tag:7cM9c8hwBcq9tZhplANb0w==,type:str] -APP_UID_SATISFACTORY=ENC[AES256_GCM,data:nuVL2gs=,iv:LsaAEsq6f2C2LDbT472gIJ9ikGKEz1yLgZA+E0xoMjo=,tag:xJpPI3LX5zSs+1lDZtwCzw==,type:str] -APP_IP_SYNCTHING_USER_1=ENC[AES256_GCM,data:5TFttY9RxF4ZXIpG,iv:Zxl3Tz6i0yeJH2jUCRPiYDoGKOvgmce8JFqCG/UQSbQ=,tag:5rnymxpGSukseJRQtMLQdg==,type:str] -APP_DNS_SYNCTHING_USER_1=ENC[AES256_GCM,data:CPLql1XphBbMmVQ=,iv:O4i2oh1iD4gRbZNu8WolBnIu+R7JmgG+Ern92hmA8X8=,tag:iUNh7FTVU6ULBno6blbw6g==,type:str] -APP_DNS_AUTH=ENC[AES256_GCM,data:sXFjbTpoaVJlfWOwsbgnNNLTGQ==,iv:FMrKU4bV2DvvO37Awjb+n23/kLJo36IpSPfCdQCvqtU=,tag:P4u0pgHGytRxVku3EWKDvQ==,type:str] -APP_DNS_AUTHENTIK=ENC[AES256_GCM,data:M9CPbMYyI8xbW3IIWcLIJnPqdA==,iv:Bk9o+S8qShQ2uqa4AUiZpTl8aFUGqygMeZRhRG1dWD4=,tag:+Clc/DEP6a6HyTaJfLkC9Q==,type:str] -APP_IP_AUTHENTIK=ENC[AES256_GCM,data:DGzwzD82RHVqZ8M=,iv:wyhgGqYYfxDLW/E/RpUjP46XIXON2pw+VwLYDpX2ubk=,tag:v4bwql52jgDCNw6rjBobpA==,type:str] -APP_DNS_AUTHENTIK_OUTPOST=ENC[AES256_GCM,data:CUBRYiO12Ai6VNc=,iv:jdbf2R6Z49YfLw2NDcJqk0+ltAdWMcx07pdxyRcYcL8=,tag:qpEZVfFbuCO6SPJfU3jB9w==,type:str] -APP_DNS_AUTHENTIK_LDAP=ENC[AES256_GCM,data:NC5lTKVutxW8gP7ilQzMFQXJhuIiouU9,iv:Ev0ibhCOzESTHhntsAyMDZxiGadhXCBRjwjlcOw1IBs=,tag:WhbZzT588uwLY+ooUVLWbQ==,type:str] 
-APP_IP_AUTHENTIK_LDAP=ENC[AES256_GCM,data:OcWjCRWLrFTY4Kg=,iv:CudN+4EuS6FY2/XxE/bTEWo7i5Rr6g1t9Wn8fkk8VBE=,tag:MlH4IP9+SBReyXsFHAJ+AA==,type:str] -APP_UID_AUTHENTIK_LDAP=ENC[AES256_GCM,data:pAfgYJQ=,iv:ld7B9UJIWc5EZ25X/JH3koOoJ00gtKSECA30eWVfYOE=,tag:jwUHD0lRlOUgPDOZNw3Rvw==,type:str] -APP_DNS_MATRIX_1=ENC[AES256_GCM,data:4vltr5J1tNy5VNDh9C5FKdgFAA==,iv:53YO9hfqLp8+FuILGaSnxhsRcODxNu4cV69tfymJPxE=,tag:Pf8Vti0yvAhkyH4bv9vQtw==,type:str] -APP_DNS_MATRIX_2=ENC[AES256_GCM,data:a/Kw6TPyjHzo80PXS3aiLMfYqC4e,iv:sD530ugJuIc+oBuDFObb60Lda/9O5vKEUawI1/J9hKI=,tag:J5nwJIZA34PbVvEwFrcv0A==,type:str] -APP_DNS_JELLYFIN=ENC[AES256_GCM,data:+wo0dUgtw3HWRQk=,iv:/iYgZ69uoao4Fvz3dsrMfig3Fts1KTtN7AdHu73TWL4=,tag:ixsS6XPDurrFz5i5nj+CQA==,type:str] -APP_DNS_KAVITA=ENC[AES256_GCM,data:rO/E3JpIQM7Q8Cc=,iv:njYtAgrN3G8Ztr0YlwPQWIs6Jc3nNOjSeQLicZwTqsE=,tag:9sgOxSHwmyikC/ztGXP4Nw==,type:str] -APP_DNS_EXCALIDRAW=ENC[AES256_GCM,data:j6Gv79Jrcz7ptFw=,iv:HbX/T3fi0Qb0PUTqLBlah/OnNFHMTt+q7FU880VHgEg=,tag:WRvd7XQuvuUK54sHf232yQ==,type:str] -APP_DNS_VELOCIRAPTOR=ENC[AES256_GCM,data:VNQaIlYb2gBYkw==,iv:9UHL8rgKqJkzm4VirsJ075+0QqdkdoXeMCA1uLl1v9I=,tag:LFHtNaXz8JB4XCUEhcECFQ==,type:str] -APP_DNS_NTFY=ENC[AES256_GCM,data:bLiGh7y14VifM/86/Q==,iv:6A82eZ4M+pOVCTzQlvy4LhESrpB4SqB7jQYLu3ud1JM=,tag:ODkIE7vEtFL/SfltJm9qVA==,type:str] -APP_DNS_NTFY_MX=ENC[AES256_GCM,data:ibcI8V/1XurEp7Rkqp0W,iv:/uEBwzo7nT3zx3UpHDsF2604RVht8yMqbtSoL2cx+fM=,tag:8xbOoIIXFrz882JPCWWWQw==,type:str] -APP_IP_NTFY_MX=ENC[AES256_GCM,data:9xCCoU+efWUrWcc=,iv:meMQ/VGno2geWqKnzY50yUuQYCSQfX2r1+rNOe/Mk88=,tag:4SHtDvzQY87fF0REFk+jfw==,type:str] -APP_UID_NTFY=ENC[AES256_GCM,data:R7IcBw==,iv:B7eH37KXKOg9Ne1I1bL+aJZZoY6Jm8Rdz4vtYxUn8WE=,tag:X5F/ony/M+qAeYntJTwLIg==,type:str] -APP_DNS_HEADSCALE=ENC[AES256_GCM,data:jrDDMcrtJiypHgUu,iv:hJzK20p5fs6zzkOBucY18/TsaeXR6WvyXJTch9yoGTI=,tag:fmLoy9oeWovG9X6hXcUFRw==,type:str] 
-APP_IP_HEADSCALE=ENC[AES256_GCM,data:aNR6DaOYhrBwjow=,iv:ebNhlLaP5YmE16q+GBe9bDyTQSiWVSSjXdlL56Ub3yA=,tag:YPx1qrTSa+UHKr1qpzxnTQ==,type:str] -APP_UID_HEADSCALE=ENC[AES256_GCM,data:6e/cSbU=,iv:Smgl5XdNjsTKLKy1sq058GHu6q6I+l/m3F03YGV1z4Q=,tag:A4mfg7ldwAtvtO78GQSXPA==,type:str] -APP_DNS_ZIPLINE=ENC[AES256_GCM,data:2UR2igsE8xgV,iv:jR1B3UlR47dEEHDDAC9AXX2OTg7EmlOL7kHQsteLNaw=,tag:Vp4Cc53uG7JsJ2ex6/67IQ==,type:str] -APP_UID_ZIPLINE=ENC[AES256_GCM,data:xA3YFZI=,iv:ch21o7iJ0StUOcIx0G8qSkineWdsmDKtqAyxHkqnGos=,tag:lb3HNddZpvYoPARVvAu0Gg==,type:str] -APP_DNS_KAHIRC=ENC[AES256_GCM,data:QVH8YasOwjCmCvN7zEXf,iv:ZHxV/7HHYWlCsxyRsPZl0I5oypCki4eHP0k1nuTDGK4=,tag:/i1wlfs2pUmeCR83ExUkVA==,type:str] -APP_IP_KAHIRC=ENC[AES256_GCM,data:Hd42pccz05+sAEA=,iv:EDz241GJi6I72ci0v0HLYJ9vHUEm21bcr0Yflkbu7Vs=,tag:4lYEE9DQGcqaRL7OZBkSmg==,type:str] -APP_IP_EXT_KAHIRC=ENC[AES256_GCM,data:mXsI2gcpCILfPg==,iv:Emy5L1vWHhZpaAABpsKEPQzDfWJEkF59LoUAc4pYZlc=,tag:DIb77Erul2CpqYltJFuoKA==,type:str] -APP_UID_KAHIRC=ENC[AES256_GCM,data:oYaz184=,iv:IXl3d6G64DstmHl51Tctjzt0+Z+EQPc/4X6FPlAENa8=,tag:8LjzPnO8mpUGV+uUq6JOaA==,type:str] -APP_DNS_THELOUNGE=ENC[AES256_GCM,data:fHz/b2sx+pfVyA==,iv:TJv4KJ/jHYdSEP3NTdtQY+ltJE8PtBa2fFJhMzho8G4=,tag:rPEPK8WuE/EmGQcO8I6Gkg==,type:str] -APP_UID_THELOUNGE=ENC[AES256_GCM,data:1tveWKc=,iv:hVzKI+xZykP6b2w/eodnrUotlFUWxcyKZkoPtiBNxGQ=,tag:4DqgBXQVmWcnjjMQkABaww==,type:str] -APP_DNS_ATUIN=ENC[AES256_GCM,data:Kgs4WlWUPIJYD+87,iv:uUeziXEoVAFqfUWE2o/onryjeTOjNThRSAA6Jp/oAZ8=,tag:lNoFMwrAS8AgKPI/uXVNJg==,type:str] -APP_UID_ATUIN=ENC[AES256_GCM,data:HYuHZ24=,iv:zHsrDTCdO0T4+RCAun8PRVyRiIlQHI4ijxIn+XS21x4=,tag:lFgExxN5ltzTzJtAvxy6rQ==,type:str] -APP_DNS_MINIFLUX=ENC[AES256_GCM,data:BbbqsaMScHlifA==,iv:fIj1yKEoPyqvQoyMz5tghISWAcNL1A/3U4i2qBdt22c=,tag:/AVqrNyeL+Dm+F79ZbxyFA==,type:str] -APP_UID_MINIFLUX=ENC[AES256_GCM,data:voTUTRE=,iv:uI1q5m+6yoQU+PtGVTrHU5uEgeC34Uow6g4gu8Agk3E=,tag:0/x8Il74NMp7gssnPNn61Q==,type:str] 
-APP_DNS_FIREFLY=ENC[AES256_GCM,data:Z63+ioekJKPZatek,iv:BOx+OthYjX6Gwn8XxHPUIS9dHcF9yAN70iIO7rwfrMA=,tag:Cm384NVsLFjTjtphYRfZUw==,type:str] -APP_UID_FIREFLY=ENC[AES256_GCM,data:jWRGD+8=,iv:dVYdD0RaflZjsMLD5+PZOlvOE1RvTKGTiGrc046aVw8=,tag:M9rY2p0BdfViDh3p48wbCg==,type:str] -APP_DNS_OVENMEDIAENGINE=ENC[AES256_GCM,data:dyvSaVilJkBbBF88NW6aIsuVx1iTZss=,iv:Gb7V+4xmtYou/r0Y7avvX/oxtuMUiQ34vNnvhV3K3d0=,tag:lCrVrZ8PQzeRL1XC3nncVg==,type:str] -APP_IP_OVENMEDIAENGINE=ENC[AES256_GCM,data:DkdaSMMW5NOTRHA=,iv:rbSo41gsGni4JvrMEnF2JyVKDvUc94EwJCwgpFAlNCo=,tag:C8gGscAF5TEq2krvXWkE7Q==,type:str] -APP_UID_OVENMEDIAENGINE=ENC[AES256_GCM,data:ikSvegw=,iv:uWQZ+ECxaauHa5e77lxvr0CH20Ya7+jui7gZqYCVciA=,tag:YTfpLstA7TvvxvkXwWWi7A==,type:str] -APP_DNS_OVENPLAYER=ENC[AES256_GCM,data:cO0mxSjLC85vRUbXESkbPqT+31yDOudb,iv:DzVFkRWX5lcO75zKefGl6s2TvybHRAXKL+315m1K80w=,tag:YMUcbyQrxuGSs2lVE9wZAQ==,type:str] -APP_UID_OVENPLAYER=ENC[AES256_GCM,data:LCBe0Eo=,iv:4xhgOx05qdnFvFH0iFdbaha3Kc4V5WCVh7dx0888N+8=,tag:uBJ2+g0PcgprLRjih2KAyw==,type:str] -APP_DNS_CYBERCHEF=ENC[AES256_GCM,data:Bp68OfLoJeZS1tE=,iv:bTt5owz7wx+Xr+/6NfuRZmcALg/cahdNmi6Ouuj63qI=,tag:T1YKPu3MjNCt+9yfhZQbaA==,type:str] -APP_UID_CYBERCHEF=ENC[AES256_GCM,data:Q4C7NNI=,iv:o9zaPN5gux5y2iTgkr6yCWgr5N/RXTYEbX6bOACj/Dg=,tag:ksUC7t6XPHpNy7usrG2NQA==,type:str] -APP_DNS_LIBREDDIT=ENC[AES256_GCM,data:hA/9NMienSmhMN8=,iv:s2niG6wsb2ERh4kCHU2xtEuvznqWcY+MA28/NGLfc80=,tag:caH/pzlP6oWlqN2faagzSg==,type:str] -APP_UID_LIBREDDIT=ENC[AES256_GCM,data:yZwEWLs=,iv:BcPS6Kzf+UMLMIu+LLWSdooVaIVgYKLV1uD/a5dMnbQ=,tag:M4lml+4ce0c2X7Wi/15SKQ==,type:str] -APP_DNS_SOFT_SERVE=ENC[AES256_GCM,data:sLfoJfeEI8hZpQ==,iv:IEgTevFxve1iMtjnuGgtm0BOv0JlHnfuHOzqSuqFI7A=,tag:5mhEYykgUX6ErJfsfYzrpA==,type:str] -APP_DNS_SOFT_SERVE_HTTPS=ENC[AES256_GCM,data:cqyOSwAqoCGkj6g=,iv:reGfB0BGgn2NeaTjGyZ/PwJZZJv02XLs4+8XcPUPNxQ=,tag:ZIspovR5scJcMesb3mXi0A==,type:str] 
-APP_IP_SOFT_SERVE=ENC[AES256_GCM,data:9k1IB1HRR9WHD6jS,iv:9Ybhz0UckiuFRRIeaqfqCmGqpAeyBfGXLNkDp6Pdq9k=,tag:8l7msewWHZFCVCQEMbCYRQ==,type:str] -APP_UID_SOFT_SERVE=ENC[AES256_GCM,data:KdcXyYI=,iv:+qDOkWcxNm4cONEo5Q1u67UwShVbtVADddh7GjxGYHg=,tag:BVEe66cpMMeEIKJkmic96A==,type:str] -APP_DNS_NEKO_XFCE=ENC[AES256_GCM,data:X2qh7/i6IQeDZgI=,iv:KYProjKkutUSvnUvl/Xw1MPcgAhTanWVFSDFmQBrVpo=,tag:w+6MQ0ppVt8ImVUC0stcqA==,type:str] -APP_IP_NEKO_XFCE=ENC[AES256_GCM,data:mQnENTlh4ex62MGX,iv:LvYbyD5Wqosm7zhtmez52Q1utstdkAPNndLMqzD0eH0=,tag:nvoeu/7MeYfg7u3DqWU//w==,type:str] -APP_UID_NEKO_XFCE=ENC[AES256_GCM,data:gdBYxw==,iv:2XW9QyctihMHU+Dhud/tWD5J09ORGtEUaeCdRp3tKR0=,tag:w0yeOuHRtQWzZ3z2Lc+9QQ==,type:str] -APP_DNS_NEKO_FIREFOX=ENC[AES256_GCM,data:Zn2tA94irbmaYrA4DsQ=,iv:749OXzSCKPp5216oGXd08lPYDmtksX5Ba11CLG4Btd4=,tag:C0nfP1oc4A4DzOlhPe9L/w==,type:str] -APP_IP_NEKO_FIREFOX=ENC[AES256_GCM,data:FW4kONbT5gS04bmD,iv:I56V9DTO5m+3XkBTpHi6obC/mBT/NbsnaXqQyfuC/30=,tag:ns46QyV9bRVN4SHpW5LzhA==,type:str] -APP_UID_NEKO_FIREFOX=ENC[AES256_GCM,data:YxS15sQ=,iv:wQCmX8j6DU3/E7qLfOC56AfMAI5BxEzUEJVsMA4YKng=,tag:6sLu+cpAK/KtEVQpBlh2LA==,type:str] -APP_DNS_NEKO_CHROME=ENC[AES256_GCM,data:ZOIEQ9VSiiHpc24fEw==,iv:dOhuBg+lW27ohz0ffYaMV5e9TZC+HYlufwtIfAgnsV0=,tag:nP4Xk5nQrb0LiWwSbLf9Nw==,type:str] -APP_IP_NEKO_CHROME=ENC[AES256_GCM,data:2HiM3lV/G2O3ScuQ,iv:oVv3s8nAbP9iVPK2W4pHng6bSHrpAHT3u5144UMJWRg=,tag:e+Cask6syEa44c88je2Q9g==,type:str] -APP_UID_NEKO_CHROME=ENC[AES256_GCM,data:mRgGf9g=,iv:6SREW1PI5WpaK3ov9M5vdtb4NYvi4Kv69T2mJck1JP8=,tag:T8JhM3gl94KyjBXyZAVEKg==,type:str] -APP_DNS_JOPLIN=ENC[AES256_GCM,data:wGMXxPB3hT/M3Hz3tA==,iv:JiaqehdxqlzVHsBdZRBi8K09gT8H0hj3+YhS4XUyi3E=,tag:TU7XsBQ74zSrGdy24r7etA==,type:str] -APP_UID_JOPLIN=ENC[AES256_GCM,data:glHlBL0=,iv:P+lUtKlCWrjx6Pox180RboM7lTpQCkeTclvrvgiloPg=,tag:vnDXJCsONB+NwW93wRefvw==,type:str] -APP_DNS_PIPED_FRONTEND=ENC[AES256_GCM,data:LvTLUdxsjaEQ,iv:Fg1l8DxfUuqFrTcJjsV8j81GjwzNb/5z9EHBBwhH7fM=,tag:F4myEWy1jssILcB8hUDZCA==,type:str] 
-APP_DNS_PIPED_BACKEND=ENC[AES256_GCM,data:6lZL2lNBzzxjEfGm,iv:lKdaVbS8Glbw2GoalGSMchAaH69PG53aMaMYh96vWKk=,tag:/1Uf+klIblaT2zZDztum1A==,type:str] -APP_DNS_PIPED_YTPROXY=ENC[AES256_GCM,data:ZENfx6QxT/f1ETdf7lZ9vfIGEfg=,iv:xHduYNR/ubq7mgo3NSPBqUDx99jbV0fL2Gw94aqvbCo=,tag:fkt6aAl6wrjR3QSwgMMflQ==,type:str] -APP_UID_PIPED=ENC[AES256_GCM,data:D0yen4k=,iv:Fl+HAcRCyVHKLj7MfRkEjN1H18nQBCTW+J9SN6Y4/30=,tag:AKHP2so3Dv2AZHpWXk9caA==,type:str] -APP_DNS_PSONO=ENC[AES256_GCM,data:EbJv9qNUARI=,iv:X6L+tBZPqktQrXJyIwbrJrzSEfhYO57hTmyglgRSbHo=,tag:J3SQdZ/7J1W9WVg4yoUxkA==,type:str] -APP_UID_PSONO=ENC[AES256_GCM,data:DKrojDA=,iv:Dvre4644JTo7vjYLSMAhft8mXOxe9TEzRnVfQkl4VIs=,tag:xwHbePe7E3Z6jhxm+8YZ/g==,type:str] -APP_DNS_AUDIOBOOKSHELF=ENC[AES256_GCM,data:Gosvdx/AQdYEOw==,iv:pPnNaXCnSG9ntwetQ5m/RmbwTRyFfJXYhQsVyKqEc4o=,tag:xaNUeQin3Lo663eIJZ2Lcg==,type:str] -APP_UID_AUDIOBOOKSHELF=ENC[AES256_GCM,data:DGQ+bQ==,iv:kFL64SX84gkPlq82VK97w1y+5LZf+mdcpHGRj4Ke+/o=,tag:yjL3bOmFstKPWTgdsoA/Ew==,type:str] -CONFIG_MINECRAFT_OPS=ENC[AES256_GCM,data:al3glJDrtuqtTM2z4W7n+tPNf6XVfK64Jdb9s5RAE5NUwxyK,iv:kYqlsOabsa2iBZKgqjOpFYJo0DMFuoo3ZWCqb/Xzi5c=,tag:nIqPXvBvxdi8crMj1CYsEw==,type:str] -CONFIG_MINECRAFT_ICON=ENC[AES256_GCM,data:nNzsyRclLnPZ+8Td/WJg2u8V/QKf/xowrghmTaKRNb9a5BMOxtzmiyAt6Us8OoY=,iv:b7fHZQdOjc4oCCLtLhopNg6G7IS2u9NUdBLCN6CjSKc=,tag:+cPgP1oK/9+EK2tB9Y45zw==,type:str] -CONFIG_MINECRAFT_NAME=ENC[AES256_GCM,data:1qSqJGmGON9BhJKRJA==,iv:Sdwq0LLLdBQlr3m+0Ey2IE9FcRtVKOtXsswLMMp9A5A=,tag:WpaTzqSO3+N+vnJkGI+pCQ==,type:str] -CONFIG_SANDSTORM_NAME=ENC[AES256_GCM,data:x7RyVOJ6R5QKc3uo1CgtecErXj5GlmxOJBfiMg==,iv:MuSWIJ2nBxLca3a6hjn44Og6uZBf/FpTQsPcnNZ+VH8=,tag:ejpMZLeYEEv9O0gkwVAEYg==,type:str] -CONFIG_SANDSTORM_MODS=ENC[AES256_GCM,data:f1pzS94FkuD5/25yejseZTIt07ICfoazeFE5Bf5iY5q0lEhG4C6Qn6mMHtZRo/8GpaHcm7iJko6EVB2IrfZ/NowaDdQqu5zki0JrwXl6Z4TshaN9JKoI,iv:hvDVOrD+NFw+l3xh84o3fRKD1qrCIiGRtMkS6Jq8Lf0=,tag:BfC2LVhlkEpm/brsjKNCOg==,type:str] 
-CONFIG_SANDSTORM_PORT=ENC[AES256_GCM,data:IhpWvis=,iv:N4di6I6i4ypMqgycH9RyK0kpF0bLGWknGH0lMxCEiA0=,tag:ZPkPGHhso2Upns3odJjUhg==,type:str] -CONFIG_SANDSTORM_QUERYPORT=ENC[AES256_GCM,data:H3gBIH8=,iv:EztmDP/le6lKN8rYJy7nHQeM+1TZntYlMFyPHETs4Gc=,tag:AUgi9vENhYaPUNfQ7IT10A==,type:str] -CONFIG_SANDSTORM_MUTATORS=ENC[AES256_GCM,data:LcYbfHuPODan47eOVUUiwNVvp+c6ULlYCZeWKom9adN1SHUfw1qwaqZwBxh5x86UGD9cvOPlzV9+4iAhVZZ8KtNPVuPWYmy+YOepYgJKOYPPnqDjHiL31qHvCOxj9vv3pFiRciEcLGOBmevSj6rLE04sedVSlGfFl/dROORFMg9g9MP+IckY2ghn7EOtM6zjgtB9EmASVbwLH7vVqpY=,iv:JByWLAO7WI72p4BOl7zwDH1ZGWL5BXmGs907hE2fEks=,tag:9lrxKDs6B5enZ/GeUfOn3A==,type:str] -CONFIG_SANDSTORM_INIT_MAP=ENC[AES256_GCM,data:nuXErWy14oau8Q==,iv:b6jxjPqj6IprhX+kAJZR+GOPWVMzjY2OpkDiSR2XBwU=,tag:2Qs6v/PrSN6tQTzmWTWR9Q==,type:str] -CONFIG_SANDSTORM_INIT_SCENARIO=ENC[AES256_GCM,data:199SWIbX0ecKR9r5VjxL/aZROg==,iv:GCgAH7zBalcQgELUyzzTVTATU5omyWYAplCXUQEMMhk=,tag:lHKjNig917ZvlH7UMLNltw==,type:str] -CONFIG_ZEROTIER_ENDPOINT=ENC[AES256_GCM,data:tOyIlrzdn8sck7um7OSicq5T0XWAmymaRLn2ENL1EyPGVdXZhi/IDRTNxmBzCVkUdju0D79EKB29qTw=,iv:FjiBFYt68V1J+/AOEptVDQ6IoXxGevvN9NCB54Rs9ws=,tag:bWkb2QIS32ltJKCrHWL0gw==,type:str] -CONFIG_AUTHENTIK_REMOTE_HOST=ENC[AES256_GCM,data:Iv7k3CoKsLrQf0PRIfhGMCAjOU3AdweS+LFWMeEQoWc=,iv:TsRwWDUrI3zAgBgFRkZAYUNlZV0Q/gOlGjKFrheM0nE=,tag:38OGfWYEm/h/+FH7IsIH3Q==,type:str] -CONFIG_HEADSCALE_IPV4=ENC[AES256_GCM,data:EZ7GMHA6u1wWPS5g6Pg=,iv:W1hcseQ4Q6CisTXnDLI7hWTy18fIVKtZ46tudCyhfa4=,tag:2WnnNjuZhwUPG07OKTQt2g==,type:str] -CONFIG_OVENMEDIAENGINE_NAME=ENC[AES256_GCM,data:58CuH8bcUHWXBZA=,iv:BN7x6aAJPbzIn25sNoycsHRE5pugkubLS2VrM77+g/E=,tag:6JAsRjU0L6wbZtns3rk6KQ==,type:str] -CONFIG_THELOUNGE_USERNAME=ENC[AES256_GCM,data:+C2aABtqq8YG,iv:4DYpguAvmaqPedRgrflDlKfX5jJEhyWXKuRS+UVgHLo=,tag:vfJko+R2D8ct7KZC2Vnujw==,type:str] -CONFIG_THELOUNGE_JOIN=ENC[AES256_GCM,data:ocuC,iv:9Cn9zp2+iIVrEXYxklEtkpftmJwTGsWnff2xIG9KNec=,tag:3UL9Gn+kHoXu+40CFkP7sg==,type:str] 
-CONFIG_PSONO_TITLE=ENC[AES256_GCM,data:ORXmkTqtuka3l5M0pdu1NKxdX3Pes3xdEMw=,iv:Mbw/KUQJcIdYdcWby6qeCY4Q31Vc+dUOjLLprHL5P9E=,tag:HavoGugubPrunCoOkL40Mw==,type:str] -sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFSXFvLzFQaFJ0OVJKUFV5\nTWh2OUltUlpJWFlVVytFYU9VajBHSnQ4SGdjCnRVbEVXdDVyUHJrR05Ba0xvUm1l\nTkt2YmNUZy90ZFA2b3QrODFKZ01EVG8KLS0tIEw2dkd1cnFCbnI5eWxKL2o1aDVB\nN0hveXZ2dWdxQ2k2L0pGR0ROMStVTmsK4dV/hNyDjsYnVUiFQ7kqdmcVHfYyVckz\nh/rwLjcZgsup72WDVP3v6Eul8B3LKFrSb8CDFA54tyQmSdFDCQC+Zg==\n-----END AGE ENCRYPTED FILE-----\n -sops_age__list_0__map_recipient=age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj -sops_lastmodified=2023-12-08T04:50:43Z -sops_mac=ENC[AES256_GCM,data:32rhGkZpoIAuV5mlkCM+AyMDyvCnf4WFxLpimzMakfgICKvYtRTK8migSOQg11EzqRrUDychmeg2y7ThHXSDykDoKDLc2yDKpUdrtNR/fDKmvwH6ehExJDki4xRflI1s8r1oGjbwAODeqpau23rcPrQYnC8JZDqGN2n674rDqGQ=,iv:EqBPRX8HxZoYhApo9vxDNhaGKqXGVXDrM7AZON8HnbE=,tag:DLoYMdm7/da+48XAe/3MSQ==,type:str] -sops_pgp__list_0__map_created_at=2023-06-01T18:01:04Z -sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhF4DAAAAAAAAAAASAQdAbA35718t0WVKrjQFYUPviCb0lVuh8NpfSdJCHjHcWWww\n8ak4q4VL69tZLSjQHx+VsMmKooknxWz6pw0lGxyDYlZMQ81bodInjaZGFZSz8Uuh\n0l4BhDCNDBBALTrnTliz6/DAHvmavI4UxMHost5alFio9JPkTDNmXZyvcy1/R6aw\n/uhQXLUBRvm0TSOhBZb7d0SLkLfe02Um40w1TibpKXsZz1GOMbPRNBMHHra0QIuQ\n=0jA+\n-----END PGP MESSAGE-----\n -sops_pgp__list_0__map_fp=31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 -sops_unencrypted_suffix=_unencrypted -sops_version=3.8.1 diff --git a/kube/clusters/hercules/talos/install-from-rescue.sh b/kube/clusters/hercules/talos/install-from-rescue.sh new file mode 100644 index 0000000000..a4e509ead8 --- /dev/null +++ b/kube/clusters/hercules/talos/install-from-rescue.sh 
@@ -0,0 +1,14 @@
+#!/bin/sh
+SSH_KNOWN_HOSTS=/dev/null ssh root@${IP} /bin/bash -c "\
+ curl -vLO 'https://github.com/siderolabs/talos/releases/download/v${TALOS_VERSION:=1.6.7}/metal-amd64.raw.xz';
+ fdisk -l ${DISK:=/dev/sdb};
+ sgdisk --zap-all ${DISK};
+ sgdisk --zap-all ${DISK};
+ wipefs --all --backup ${DISK};
+ wipefs --all --backup ${DISK};
+ fdisk -l ${DISK:=/dev/sdb};
+
+ xz -vv -d -c ./metal-amd64.raw.xz | dd of=${DISK} status=progress;
+ sync;
+ echo 3 > /proc/sys/vm/drop_caches;
+"
diff --git a/kube/clusters/nuclear/config/secrets.sops.env b/kube/clusters/nuclear/config/secrets.sops.env
deleted file mode 100644
index fcde7d2bae..0000000000
--- a/kube/clusters/nuclear/config/secrets.sops.env
+++ /dev/null
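Review bot: In the new `install-from-rescue.sh`, the remote steps wipe `${DISK}` even when the image download fails, and nothing verifies the image before `dd` writes it as root: every step is joined with `;`, `curl` runs without `-f`, and there is no digest check. ssh also joins its arguments into one string for the remote shell, so `bash -c` most likely receives only `curl` as its command while the remaining steps run in root's login shell; feeding the script on stdin with `bash -s` avoids that re-parsing. `SSH_KNOWN_HOSTS` is not a variable OpenSSH reads, so the assignment has no effect and host-key checking stays on, which is the safer behaviour; the assignment can simply be dropped. `IP` and the expected digest should be required up front, and the `/dev/sdb` default deserves a comment telling the operator to confirm the target disk, since `${IP}` and `${DISK}` are expanded locally before anything is sent. The fence shows the changed lines; `IMAGE_SHA256` is a placeholder name for a digest the operator supplies.

```shell
#!/bin/sh
set -eu
: "${IP:?set IP to the rescue host}"
: "${IMAGE_SHA256:?set to the published SHA-256 of metal-amd64.raw.xz}"
ssh "root@${IP}" /bin/bash -s <<EOF
set -euo pipefail
curl -fLO 'https://github.com/siderolabs/talos/releases/download/v${TALOS_VERSION:=1.6.7}/metal-amd64.raw.xz'
echo '${IMAGE_SHA256}  metal-amd64.raw.xz' | sha256sum -c -
# … unchanged: fdisk -l, sgdisk --zap-all and wipefs steps on the target disk …
xz -d -c ./metal-amd64.raw.xz | dd of=${DISK} status=progress
# … unchanged: sync and drop_caches …
EOF
```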
@@ -1,79 +0,0 @@ -SECRET_SANDSTORM_ADMIN_PASSWORD=ENC[AES256_GCM,data:eBh/GfUuZ3CwYbUMo2aP,iv:fH1xCn0YVffgmKaFAwyxnsBhw+DK2WJQ4BJkPvxdpYY=,tag:r64Jt+OlThR58oJRPTfVfg==,type:str] -SECRET_FLUX_WEBHOOK_GITHUB=ENC[AES256_GCM,data:rN1JGPiLKJGZaPky7M7Wy2aujMvYJeHVKOz6gmZnSvn0OGmP7kyMyg==,iv:Bs4nBXkzUmeXPqYx4bggZT/BmJMDrb3STeal3Y7JUrE=,tag:38CcnMHf5EThZyf8AA3gJg==,type:str] -CLOUDFLARE_EMAIL=ENC[AES256_GCM,data:JAlEqZHuEjlPoAY237I5lYDixh5Fcw==,iv:OcmCUMi9G4FF1lw8nRSk4iOE3cPB/VIvS9mAgnPGITA=,tag:ykLJwkqfp3zthaJuXJlQyw==,type:str] -CLOUDFLARE_API_KEY=ENC[AES256_GCM,data:hyTDXeqe2Mksl+qI8Go0j24bnUoroMPB4wsMiIY/dOAzHANoESJegQ==,iv:I4wRJoylTLs8IjUfz++eU9UheqPGDhLYok7h382sOPU=,tag:0P4is0yvhJzdRJnew94bkg==,type:str] -SECRET_CLOUDFLARE_TUNNEL_ID=ENC[AES256_GCM,data:j5mJIX0gXhdqXjNM1fcC4jFqA2pLIqf1hj4jNAldP8sjK2b8,iv:fIJI3+7P4YUtUIw9ea8TL7jGWSDKfii3QlBEkWH9kns=,tag:WdxKDP58VZuU5uzdQgXbmA==,type:str] -SECRET_CLOUDFLARE_TUNNEL_CREDS=ENC[AES256_GCM,data:yEqTrxiMKq6ntVhU4DssCj9hLYN5Nav++TlQt3o++avhxTNxumc0g28Gg9Ya1kQgZythoJc+Yi65wfDYnk7A3aJgfURvXgXKjv1aNON6mXVj+6MKyh8scPUUFcwwjd9h2n8/GsO2z8RS/BmwsLs9JTuPq8RvMuhiy5+qT/TU88ldIVieCAi8Wn6dDqpNThGtaazkbRBZweejm392IYSbVeU=,iv:l6WNAXBeWrgO4N9bmA7k3yqvNeEjH1BKjNgeEqLiw+o=,tag:eHekh9D6mvwzSdHBv0O16A==,type:str] -SECRET_MULLVAD_PRIVKEY=ENC[AES256_GCM,data:aFiXq2rjPQlw6qTinNchc606GsuaCLmpvVtpDQ98UhWskXq7Di6moF+5FGQ=,iv:wJWqLFESh3S63oT0qWwT435qTrS0WJP+4/vzAyc+EYI=,tag:siSakSYuSMaAWVP3XC8ToA==,type:str] -SECRET_MULLVAD_PUBKEY=ENC[AES256_GCM,data:RdPu0bgr1b4p/Bcp25KykPbfDmOJX698phqJz2Y+r9JG8sz9vrfbs09yDKM=,iv:zPGBBpt6mhhWXJb2WYMW9yDEruu/jpNxi3Bo24t+Sg0=,tag:Mv9cfJ20KJks4ZZQBXrOTw==,type:str] -SECRET_MULLVAD_IPV4=ENC[AES256_GCM,data:9aC8Q7ExhyFZp5udpA==,iv:D+rkAJZT05z9v0Gt4I/LmcLh0rQky1kOR7vRazfVKvA=,tag:pic5NTHOt9Td66pdctRggQ==,type:str] -SECRET_MULLVAD_IPV6=ENC[AES256_GCM,data:A+ZOR6urcp0HwRoODwgKqlZhyrGeXnvSlAD8,iv:talZ2jyaWyoltSZenMxKv0aqSQtRsyAQemtllFVuKdA=,tag:fPM2KM7Rybr/0d3oEgVBRw==,type:str] 
-SECRET_PG_DEFAULT_SUPER_PASS=ENC[AES256_GCM,data:MDxda4O8zX7woBdPMFKI3AdpGoiTEMXp2B/tm698zYGL3qB3hiogf9eIxXCwcvfPLgCSK9wUDuaLEXan/E6ujvlFzktYqyymexS6kaD7lgFMlBu/NzAUlso4zk5+BvBKB4cDPssHM/O2JwiT+Xd9lIuK9Fl2newjE78QwvdyfdxOoPE11dFqDcjR09bFCMDWPnDMV+CYiPnYqDT/ZzMyc6ZhuhXnm5KQRZnyopIerVUvlno5xbaWzP49BRavnfRpmvr1vPlRDtEEq1qUZWNC0Lg0pjr44GsTIeugwN2HUh9xz6OpehladlCgwJU1ltVqqnV8W61gLJ0kifkyTQYtFX2+lsnvvXWR44vG1w==,iv:WWYfNV+ZTZQlDuuQSqI+QsAsoWaA9ICGX1xvaKBZaZw=,tag:ehH4y3E1XXOEHAfvkldCbg==,type:str] -SECRET_AUTHENTIK_SECRET_KEY=ENC[AES256_GCM,data:z8PyuXNulKsvt4tNgK7ihVgi25MrMC0xV9/PfyEG0Ga0a3wKyfuju+y7tWGDM6MxR18=,iv:JjNbyo3X4sup9PmnaBsQt5GdpH0R/IlaNc1KItMuIIY=,tag:MFIudyTHxW4gCPssz14IvA==,type:str] -SECRET_AUTHENTIK_PG_SUPER_PASS=ENC[AES256_GCM,data:nrf9OxjH9kLO8a5amBgBw/9uldQNM4k2bk8lBjcTgmLv2X8ZHvEf/OOx0wxlFd79w/k7rURDAvzKtnUiuyaB8Su9tqXu9nIeZJbFTQyxm/QzNlsb7OHXJDdqnv4oODdxLgAdpYgGMPRc3nWen2NODI5LSzM3lplWq5jLVHI+qqGlY2zHhpe3Rr4WUiHTtBjQTOuAE91vsayhjDAYOyi7gNsIK4nFCd/uaGNOav5RjCGICI5tC2FgEbti6je+a+rtiedLSx7mp5UuYkAVK+1cQwDnEhojm0H23rdeybi0STv4wnErp2nTYPRZdunKf7krTHoL8Pk/biAf8L/Sw3ATnypompLr0f9+cwIzlA==,iv:iLBFXhF6OnGh8f/GBD9nBfcD8ryQpMac5//KtvPh6us=,tag:kb/70IRB9urZm6QvPt9F+g==,type:str] -SECRET_AUTHENTIK_SMTP_HOST=ENC[AES256_GCM,data:xKMQWNOHeKpqID8IRRXDclG74k1D9zTmn7VA+21BzdnzJzwCRH3L,iv:/xtuLp3PFN/IVk4/v3+1qgNkkCkPDUzW6jXctNNE180=,tag:rmXafknKpeS4Mi4rq+1YoA==,type:str] -SECRET_AUTHENTIK_SMTP_FROM=ENC[AES256_GCM,data:D1UhPUWc7S8bh1qIwsgTDfRDzA==,iv:VQImJJL8FW+AG/y0gijqzP26eZ7lmPUIUjncjuciP/A=,tag:3qd5NSwy7jimLD/0MRcDQA==,type:str] -SECRET_AUTHENTIK_SMTP_USERNAME=ENC[AES256_GCM,data:1rEiJfdxMJzLsPkiD4oTd2vczzA=,iv:704boc2UO4b2yaUh+jEJAm9y+qa6yLfoorhgQgPLpuc=,tag:YLzsBgHuYhq6WurZoYE6gg==,type:str] -SECRET_AUTHENTIK_SMTP_PASSWORD=ENC[AES256_GCM,data:oT8AnkYa8Jq1emuP6dnDchKltNMNFPEI7L5QGw56TUCgxhC7NHaQdA==,iv:9hfYTWmwb0Oqddknk2kZFDHbatlKUg5AV4DOHI9TH+k=,tag:7fB/vCFBZzOBAzfUfhhs0g==,type:str] 
-SECRET_AUTHENTIK_REDIS_PASSWORD=ENC[AES256_GCM,data:3IQpYUHxjbkQOvP4zayJKrs23vbdo3zgNPU7BBUoKKlL4vS6w2scZJV74d1ltjU+l3GojsExyhXzGPUZm3ZNOzXH9vL/MPlDwhrSmRBK25fAN0I5eckCf8yF2tVoiOaYNVjZv13eFQyZTbrWa6kNX2H8sU5qrz+3hE+rFMKSEt2oGVyYY8SigU2HalWjaSYp1mNEJhrS70ndBdxMSjtMvQ==,iv:Wz06/Zl58RiowOEI/bSfXKN2/6r7t+mmPzWeagJD4FA=,tag:wjheK4Nq81D/sI3bS4YrvQ==,type:str] -SECRET_AUTHENTIK_REMOTE_TOKEN=ENC[AES256_GCM,data:GSPPuSgS+nvXBPOiu1jhK9jTiBE4t/AZgVutT+j8FgLx2TboCtXZh/09mEu6capG7TYwO7C0fUgyXzxD,iv:K5VX3471g3RA3t+KxnalAaane2Q+7RhMwVa1ICtFDQs=,tag:2benS6z/VBDqkwxoi3IIXw==,type:str] -SECRET_AUTHENTIK_OIDC_URL_AUTHZ=ENC[AES256_GCM,data:nQOUFH4EofqbavU2rqDY7ZBVP6HYFiPJwR1ewvuPlS0CZpwLmva/GIBqbKo0iNN8fEnIww==,iv:PLigYh0PaOx2a97NmrXqji6Y6gPiqoMs4DZ7ua95CR8=,tag:0VvJaP8EYPz2jlxjTI8GQQ==,type:str] -SECRET_AUTHENTIK_OIDC_URL_TOKEN=ENC[AES256_GCM,data:7siWNEfEXQSgDDzgDw1eZwXSmT7grd7k6lPa9aY7ENaEb+c4eXm+MtJujnLuCCAL,iv:K/L+WZIkawK2sYuQ5or3XpYy5R5rg2DqGBVPpK5QJCw=,tag:RgOlx+g3Jc1RIG5ZHMegQg==,type:str] -SECRET_AUTHENTIK_OIDC_URL_USERINFO=ENC[AES256_GCM,data:VF43D1lJ3mPAzQ0AvWicpLLnyQC61PwDhKYNGxLPG/nMlGAEvh7u6K7ylnnwZ1drLIad,iv:1nJaKrCGVxo/uAywjC8BDIiq0nYy62MP5D0jQoj66/I=,tag:J/1gN3YQ4ppvYa4A/iH2DQ==,type:str] -SECRET_AUTHENTIK_OIDC_URL_JWKS=ENC[AES256_GCM,data:anaZi933ydMnPMb1tWq6RMCN8HiwougI4Peu745aS6hPT4yUYZEL/Q2qGfw915UXusJmwmNTyw==,iv:6pEBTN6QCSZ9kqIuzt1Mbbi9cLF6uhGg1CHnkvxeLAA=,tag:bMPp64J8VNMSKeOzWSSaEA==,type:str] -SECRET_ZEROTIER_UI_USERNAME=ENC[AES256_GCM,data:uX29YVrv+w==,iv:GytrIqAli2p6xB5EPmlzebvz+/YJxMvPs1AiFR2VMus=,tag:500ev3YTZ+uAexNBDXqg6A==,type:str] -SECRET_ZEROTIER_UI_PASSWORD=ENC[AES256_GCM,data:AjXB9OQHAy6AcF6L7ZY0De8sM5Z+nG60,iv:VgTmfPaSmlZMISnm+dIoyam6Ld6kZ5xXn4izHm+WHJQ=,tag:wkTsy9M4gzoEDgnH6eDHKw==,type:str] 
-SECRET_VOLSYNC_B2_PASSWORD=ENC[AES256_GCM,data:t/+cR3xd3ypKtFc7z1321FmZIadMT3ly7yk+cLQQwJIgdLJIUrTqcm72rJMBPQaf9b9PeXDESvEuz3/LDfgrwvjcQfpf4B8sCa9XwHuiq4IrAAHC1s83gAIvy1pa4eQboy+simy1bsuOdr9Isv4NAR6IM4DPpJqe1zy33KTAq08Guzlxq2w2zoFmggozwqEdWVtKj8wSd2QMaLUNNS/Uc+BJV8tMHokSptOJCg==,iv:OaKMY8DBjrjM6qi/exsqf8qDHfQ6avMgfcJhTU+UZoc=,tag:idOjIyXAsR4fRhNgHu4d2w==,type:str] -SECRET_VOLSYNC_B2_REPO=ENC[AES256_GCM,data:UqWKBqzr15PMDAl8is+3Dw==,iv:pfLAtH2ai1rIG52ySxtz2UqIgaWmgkpUu1kdPUSbXEs=,tag:6cFZRBgSa4Vr5AqqtapnQw==,type:str] -SECRET_VOLSYNC_B2_ID=ENC[AES256_GCM,data:c3VHNtcfTvpsVG01NVmHjwNDO9UnytF40w==,iv:N6TyrbbtyXet8+lF2DHm8nm71/8B9ty2IRM6jqdEfP4=,tag:excwWeYPmQMIvusoibZnag==,type:str] -SECRET_VOLSYNC_B2_KEY=ENC[AES256_GCM,data:DOKhhQDH2kTrchx116574Ps8yEm2i1UdbSezRB9YiQ==,iv:jzu+AabEbrtu+uV6zT2WwEW7sHkBBp5djDBlzIVKe40=,tag:wBHdpMd5ObUvmY8TCVFbXA==,type:str] -SECRET_VOLSYNC_PASSWORD=ENC[AES256_GCM,data:luZbC66TEN90ZeovPH9ycVVzvYiBk3x249sBwV8yfiwkE7lHn0Lxo6MbXB2uC0BVgFZvQKJMIpqO05YL1hqJkpH1zToL9NsyDN7T96ZiE8/R6IlmtSIlyrudH30yi+VRHT/mXht/pm9LtmtLnlqpXkviu7Z6An9oRT+4LSLfCxd7h6IXM8dwFB92Z8HxvKSNFG2EU8UR6h0Dk3GXllIdmpHCaBrtL4z2y/G1eA==,iv:tI22YPx46u5ZZyxG/tgzu4EkZU2gyOTYjlVFofvHtJY=,tag:EzyDYuNE7xP/Wz8j+KGBiw==,type:str] -SECRET_VOLSYNC_R2_REPO=ENC[AES256_GCM,data:mbO4iS61FII8EXfMcRRu6kK69pnbdCLLARPWmlt4ta5F/lq20Byl/0ZVojbRPHLMmivgb6+z3dlxALjjJTvZrLGOGDCc8+BmNHxFjialAm3aNPr9ept0HlD8k71tSf8CY/s=,iv:NYDLCCzZ35mpUZBjh+zEc8M0c58RcNdWNfvLzL9F6dM=,tag:RHQcR8Lwkr129jXwN1vhnA==,type:str] -SECRET_VOLSYNC_R2_ID=ENC[AES256_GCM,data:MKOfV3t/LDQ0FUYXXcL3DzgMoCz9uGfJkkG3L+Zpmyk=,iv:591+OgMLhbU18DJmTgl494mLpEp2gWCpeWg84262N6M=,tag:cllraQY6pSZmAVIS42PbPA==,type:str] -SECRET_VOLSYNC_R2_KEY=ENC[AES256_GCM,data:880BQx/r+lp73c2vqDgs7JCyQs58D2qpgU2/U6ekrD0KEv9vWOm9Xg3Sttkow11ZTr7QBZv6vJatRUSqjWsJ2Q==,iv:M2zvGkT/wfZYS8jp7FIa1UwsSMHJTd4M3hmqykPpU1Y=,tag:SnPuOnmpr4X0kciaGbdVFA==,type:str] 
-SECRET_GRAFANA_OIDC_ID=ENC[AES256_GCM,data:SN3VRQ9yqkSyENOyphwilukguOb9j4yDFAEw+eKnYQRUEtKXZQ3WYQ==,iv:d0fAQZTYT21JWwPIxN+omovxxZxMcUptgsc24AnDHkE=,tag:acj6i/Adt7SvmZBbHPs2hQ==,type:str] -SECRET_GRAFANA_OIDC_SECRET=ENC[AES256_GCM,data:g1slCCYzItuKAarADs7FqoyvbjCm89Ms/eYOvNLSWOcI3K+IyiTQQJCRA+7XDybSGZdDSEdT7rvgSAxYFkDl1M7PhvAXhYmj9FGYQPeP6jUODWc3NT0Ch+p3gc38FvFdfBEPIvpXQnhehGc0TCiqCDmeS4QJUGV0j7BRT768CSQ=,iv:+M3ozpf+2G/w7coF8LbhgM4b9SfTVtuL+lzpzoyEa3Q=,tag:1yH5tSvJlSQWszBjZRPDxg==,type:str] -SECRET_GRAFANA_OIDC_URL_SIGNOUT=ENC[AES256_GCM,data:srqHdaeL7hqtTI9sbwu8dIw1uLG5CEJ69DhwmvG7jjnBwfwaZ32jWl36EDRXkyy/GImuP9zV0IFx2KW74JM=,iv:2VxPgqjtaKtdGEVZLLX1bl/SwSENF+bb+fwY65mwN/E=,tag:uJhcSuFKXTbuMdEh7ZiOZA==,type:str] -SECRET_GTS_OIDC_ISSUER=ENC[AES256_GCM,data:gxmtaBfHW0zVy1NhhFiotX28ubZ4yPm4sDHd7saFDoKvk89yiG7Jggr3ZnUk382BuL0+ABQh,iv:DXj+asZEemXXT2XrGZ5bFu8CAFNli8IIt5q7xC6YiaA=,tag:FXWUO3AmUZ4IYaiyD5sZZQ==,type:str] -SECRET_GTS_OIDC_CLIENT_ID=ENC[AES256_GCM,data:4z9tVTkc2OXIq/lDEXmHJZnN1SiMAl7NfOLJq9wLpdrwPSdbx61QxA==,iv:wyutHo0Gw/jL93kf4xyy/JNn+tyTuicWBLAIyz6+J8I=,tag:e4gfFhY66NVr/kjOolg5Dw==,type:str] -SECRET_GTS_OIDC_CLIENT_SECRET=ENC[AES256_GCM,data:Zzak+jXxJvupbm3pO81+elm2EV6hdt7o2T1lneN0+dIZqjchFF8ljPAtY28J7aLgCFUS1KclputyzMqA5f2gCxBleH2TfEFtRkrCI9fBjGkWGC2o9RsJ9mTJwrxu9kdezQJtBYC3sP1SlrThjKPZVC+TOV076J7rIn7qvQYE+5g=,iv:IiQA0Vt1xmQFoVlealmgizGXbB74xJCnkIoc1EwPHoI=,tag:XcXE69tVkCNQcM+m/Pr78Q==,type:str] -SECRET_GTS_PG_DBNAME=ENC[AES256_GCM,data:CwL2phhvCJ+idQ==,iv:GQA/ivqdbKqDIJGpEj1/BsP3/OvhBdD+eIubjn4viUc=,tag:HdB7cvVxwJ3YOSTwuppWmw==,type:str] -SECRET_GTS_PG_USER=ENC[AES256_GCM,data:v8RyelkxqTxq9iIVFSD3JzZVIWA=,iv:Y+f0qRmYU/YlGwxuLkriRjgFPIadfKICIhlJg7lHkak=,tag:kpSfBtzqaTDWmQDaS+II8g==,type:str] 
-SECRET_GTS_PG_PASS=ENC[AES256_GCM,data:q6lg5v4cvt6UbGscq2/BAW9cfkukfGXqyJAy9vZfAZ7e8e+n5HiQCrxjvBrr6Eo6coES36yczwJBbVwV8kT2VhiLtWUgzJx8+SOv7N3QytxuF+hD9lUsKYp2sWcKpYg8LHTZ0cJb/+/ofyoqoPuwSjo4m9DYVU6cZG9ObjCBdHna7Mj4Cy35tF+0o9zVFFdolPIbbhlaPMr/vIXLNuNB9USbAaFKG8PcgIaYMZB4UoICPcC6ZjgcNGf3+PB47sBFetq+ge5rtNQ=,iv:dTX3uCXZL+HgCzAfYWWkhhMLjW+Ctt7tiGl1y+SNjxg=,tag:B6WR6ph1Kyzgn3c21ie0qw==,type:str] -SECRET_HEADSCALE_PRIVKEY=ENC[AES256_GCM,data:RMffLZz0voMEhodl9aMoQaNUDamJSeBP8N1x6+KFtzAlkl3ygWLvtmKMgoPxf2HVKqnqaqK46owjbSLkbNXzAkkbUmzlry+h,iv:A105o2WRKX88ZOfGkXSJQ25wTdfo0oj5MJiT50cAuxM=,tag:NDXOXwhPgbXaJMPM0WeNOg==,type:str] -SECRET_HEADSCALE_NOISEKEY=ENC[AES256_GCM,data:Tpc+fhG7u6dHrqqRHDOZ4bCN85DCIF32AzqGfbi2sLGAjJkXpFuwVQzi+Km2kkJ2kHYejXTU6QDFGl0KAqcWQIuBpkViHCa/,iv:Uxx793urHXOvJRvm1nw1hCNecK84qSiYhcRJss4b93w=,tag:uxYGfRKb6OKagVvddNm/CA==,type:str] -SECRET_HEADSCALE_PG_DBNAME=ENC[AES256_GCM,data:UdQtadWqYJWf+HG9kGt6haJOpkZ2617SRcQeUm1GrAEVC6oT+YS8Dg==,iv:dPWSB+MTx8nrFJ2auDlwzP7CNE/LWMltD90olUPEjes=,tag:R7yWBizNi4wDCfOmyLypWQ==,type:str] -SECRET_HEADSCALE_PG_USER=ENC[AES256_GCM,data:quOGbj2KjLAbGTSXSJ3E8SDFjc6tpGSuRc8Lg1t8CdIZf+8RVwNZxWwZOV/bERhofJ+1sviOJRDeNswtbymNGA==,iv:RNtYkqFbp8pDnIuZcY6C1hqltx1ogiWNXhPNnaZmnX0=,tag:U5NZmp4sPJQe68RX5j5mMA==,type:str] -SECRET_HEADSCALE_PG_PASS=ENC[AES256_GCM,data:9k7/jiIq29R7Qzm36IvaROJPQaTJM26JJsQV0SCr3gqjnnZ5DLLiStQi3O7sNTAQNU6xFmqWsgyTIB1Ivys0mSI9MrEqk9mCeuL/vLpaaDtLAIv31QQ+QE3cNFLK8t5y1Sf3GLG2WDt/TzjGGY51Bqg4dYD/eMesfmpzShWbdMlMBH3+KbuvOODA1WrIbK1KsqHI/kUz3hqWgnDzY+QoNw==,iv:aW/xqTsQmsEeIBmfg2nVUvmLnQWVglzDjOZ/nSdi/mA=,tag:Uu6jFE8xolJcpAdltBzyoQ==,type:str] -SECRET_HEADSCALE_OIDC_URL=ENC[AES256_GCM,data:Y0SHVAfaaCrRjHGdU5HAp+y6z3J0qWU20D4TsIH6xlOX7SC2tQiF3YukbhB0cJJk2LpkOQeV4DKn,iv:Uh/Zxij7aqe4/tsy+7h6K5HcgzYCh31pqKWWR/Bx8g8=,tag:YkQYT4yc03xPzWCRq1uzpQ==,type:str] 
-SECRET_HEADSCALE_OIDC_ID=ENC[AES256_GCM,data:AeL8W43fbHiqElAAwCynaoJD8BwnSVH1EWlBO29ysf+vGhJ7CidDJQ==,iv:BrH92xlpI/ApKq8hg/0EylI6Fo76B5Eg6lWrWDfgei8=,tag:UXYlOY4T0Bh/q+ySRfW2ew==,type:str] -SECRET_HEADSCALE_OIDC_SECRET=ENC[AES256_GCM,data:dJjmjRWQ12JCtXsGDJICIRMqdsc5HfpH+6fh6WgpOZ8tyNdrSRP2ow1Jag7zEMIeMyi+vh2T/s9DnnRFBbFQDcmon3WuI5xIjEmDU4/IPIkhoE4FKBjgHib6ML4IxcIFnq0haur3FJS1/StvcVONyrkaHOjAEs7Tazl61BlFQN0=,iv:eo0hsCL9K0HhMRFWeaoUs56f5zexnKoECnWL16o9YJM=,tag:tYMAZGLNqZ8dXJrlgpJRdw==,type:str] -SECRET_ZIPLINE_CORE_SECRET=ENC[AES256_GCM,data:7SaUQTrItXAPYmDL7n2PS16wuCCtOMqkHEG1u4J2jt86lWAvRi5egx71a15iQGtWkaXialPRlD6ok8Nw8CJsYTNeSMp5DPgMWX3455maFwK1scRf5EhFwO3NimEBGki/nfNrW9WPNePW9IW4jPgAfYlQ9a4wMVVN/xfA3760rL/fir4zrV9dQiv1JYaDXd4HcoopSBBvB/9wMjqJPmCOQXru+4A342cYcEpuzg==,iv:tE2qKJ2q1ejQ2f4kyMdwlUTdLyWOIKz6OjukyZDFmu4=,tag:BO1zBDh4c1Z9bQMDAFcTag==,type:str] -SECRET_ZIPLINE_PG_DBNAME=ENC[AES256_GCM,data:1n/7RoIBs7aYFvj5j/gY1MY3cNb89/3HSNn8/rvVl1k8v03hBpt2nw==,iv:8hWz49X3Uh0E0NLNNdPEBJvUmIuBnfMS7urcYcjnHk0=,tag:pTMxq1umMkdAdHmrMyMTVQ==,type:str] -SECRET_ZIPLINE_PG_USER=ENC[AES256_GCM,data:0Gywyf7j50UpHf1m/tmxYnJFYHptB1WbTSI8JXmJgvuqpGjtW4X7mm1tuB13XmF1JaeIDBWwuQdy+6YcYC7IwA==,iv:owyh+uvQGR2OvsfuV7agXaVY3nnvoNyrMyYP68Elb6E=,tag:mFsupknAyRTYnk3eL/2Baw==,type:str] -SECRET_ZIPLINE_PG_PASS=ENC[AES256_GCM,data:mUvEAvWgzRR7580m0b6YYamZTMQbRbhdb0SSITbF7YrrejUXImqmUqhPiarVKwoFXCJNsxKXncJyPiYauQqtrqM/92MNqnqWYJlrswbOSIO5r+PnQYTaROGNPbQ5+aD+S6aMhOdoX/CdR/VQBr2Fj5+NC3C7hZCZDafIDnwmqQE=,iv:9Jd8vAemgxhQizAx+Cx6nFpBQIyErnJYrxLqmBhJ4zM=,tag:OsPY2dqQ9YBUvVGvZVIOTA==,type:str] -SECRET_KAHIRC_HASH=ENC[AES256_GCM,data:W9COiS07lKcFu3rST32KymOX7snnuyBLvULnyi53xonBYWjWGzROJ3Du0KXusFjFwRTmlWujh8ejH4YQ,iv:ncZkulJuWOp3XxGt1r/3iMw0javiMb6RseCmaYUqZ/8=,tag:Xe43fidPrep+GjWtaVNQsw==,type:str] -SECRET_KAHIRC_ENO1DEV_IP=ENC[AES256_GCM,data:Dgny2/eaGODCKELQ,iv:/o+9sD7ua3ncilb4eO9vMbBAxq6GZSmoE8bKdW/QinM=,tag:wzGGhlnJQgF0/DCSSadGmg==,type:str] 
-SECRET_KAHIRC_ENO1DEV_RECVPASS=ENC[AES256_GCM,data:RfJaouvks2DBKZdo8Z0psDnp7uGe83uf2bGpi8sp5u4mDnZlbCp2yXjWo9F2a5SOU5aV,iv:jvn+gwN6z7j+2Kdaw7iWBJ8PyMkOqUzs+YwoTjDDkPI=,tag:RNlYvdEbNa1jx3eXqQgZ/g==,type:str] -SECRET_KAHIRC_ENO1DEV_SENDPASS=ENC[AES256_GCM,data:x2ibpAnes91GZ9PyMXlbVnigh39lpLI7m+DvN/IsNOeTSwiE76Br/0jRpxbi/TErA8FS,iv:Gpbl/qzHx5X9Y9pJYDab+dsWykRnQAbCjutlWnO9M/c=,tag:0FC8CRu+7yZ7LIW8PsCFYw==,type:str] -SECRET_ATUIN_PG_DBNAME=ENC[AES256_GCM,data:ii5FQKwJUHslIjTvdg3sw5goEI4p6xIM3gljXu++ge4HTEbwq2tWPw==,iv:LXiWmPcNCV3KUR+zt8RlCXaFGKB7ExvDkcrB9M+11iY=,tag:JdhiCoRwmeTEov8dBb7S4A==,type:str] -SECRET_ATUIN_PG_USER=ENC[AES256_GCM,data:R7OxwP9GJIVH75nXVbjc/F4AiUGfFJGaHUU2cTCtzjygAZ5TwpX+mptKj4m/e0KaImAe4Hg5d3Tq5ZRZkkfCuQ==,iv:qyK8ww/o9KJ12wMm2fK9YuZ9WEFiXz0N7EJySJRzJrk=,tag:ZUduwQmPFPYJHZgFavWZYQ==,type:str] -SECRET_ATUIN_PG_PASS=ENC[AES256_GCM,data:yCcFbOqD89kRk0vQl3DzW2kZe6OhFjOY3vN4T3kfPXIFO75DHgvNlV0W8mOiBNdkRh/x5ufqkK+AnpvP53s2/9btkXJudKUsIrd8H4ITv77HCsguM06rtY0SIbNLkgUJNAvpR64nIKT1ok7uSbo8inGndb/F18V0bPuzFVbeyTGjYniLKuVO9sAL03Jqwl2TsaSkOuBYQ/yp5uEiC32LFbGULwjjHA==,iv:y6qE5Ss3A4MHL9L4IFAjN+axmh6XbwGsvYKJMkA3jzk=,tag:zNGuPAAIWDCw4WvBADzuYA==,type:str] -SECRET_MINIFLUX_ADMIN_USERNAME=ENC[AES256_GCM,data:Qofw3MQz,iv:LxYBCR1dIqh2xlgGcTv5Y7fnSYc2eVX0bdBUA6QfWYM=,tag:zpK/wQxI4e79tgbkp0O2bg==,type:str] -SECRET_MINIFLUX_ADMIN_PASSWORD=ENC[AES256_GCM,data:OBGQZM+Yk4cRLZqG1Tq7Zo5FAED/zT7Rvh4rWphXuBlrq8lIxe6GYV/kPF6o6bhj,iv:x2KAEH5rnaMjtH2nfd3cfXThm2fqnWAxsUcyt/XG5IE=,tag:ypNBgv7Pl16ly9er6veBEA==,type:str] -SECRET_MINIFLUX_OIDC_ID=ENC[AES256_GCM,data:1CqKNuEdymDEmPlsDSjPrOF53cHc611kfl6CcFG6Cn8u2LdkJrrYzA==,iv:uAW7dRRgvR335o6OsUSc+AZgXB5z8gZ5RSizVoLddvY=,tag:uGuFFD0ePxa9Wo1wR3tJ+A==,type:str] 
-SECRET_MINIFLUX_OIDC_SECRET=ENC[AES256_GCM,data:QVNDP4WNuH7VVvc9r+xZREGfNc5p/X8QXQP/Xg1Si3RgiaZgy9LLEzN/SwIm2eSJSpP2hlXlFGbr6mr1Q4/4gOwSped3Q2GIRcZtv4vjtq86B5xVjzT8qclay1xLX5nK702An2ttL1CjOEPN2PPExSYe6YzhCWwgRlAEOW6T0Fg=,iv:gXypds64tga0sOaF/Kf/jXHPlYqjUlCL/aHG4eC44H4=,tag:ALy9C5FEtT21WS5PNHI3SA==,type:str] -SECRET_MINIFLUX_PG_DBNAME=ENC[AES256_GCM,data:Gh38/ljUWkU=,iv:JPsEPf/aiDXFncN3ogLqV5FlUqWm7EQ5R4+fEf13yLA=,tag:tOzrhackOD9UdTwNBBBFvw==,type:str] -SECRET_MINIFLUX_PG_USER=ENC[AES256_GCM,data:qMBC7e5KW98=,iv:wu2+CK0pRy+uwQzDng/WM4asUAkXu2EMU6cjSDPcccY=,tag:29+QVjETJ4jwP3x0nwjERQ==,type:str] -SECRET_MINIFLUX_PG_PASS=ENC[AES256_GCM,data:rLuVT8S9hkQTE/T0Z6M06qgmzIt8ufC8drdofL1n19uefnLsU4WqgLZ/KYGrxQ==,iv:oLcrZilIuQf+QHCJYiQllummr4yRz6aflDhNb21GNUE=,tag:H4XCkfmJl8jQogvGDCVZOw==,type:str] -SECRET_OVENMEDIAENGINE_SIGNEDPOLICY_SECRETKEY=ENC[AES256_GCM,data:5RF5A82+VFFBExTrY2QRRjUBuEq3peY/MAXDh7K/U6U3z6tzqqa+Cw==,iv:qz9k3l+Xi/O/13FPRTzIwozAVdRdGhjrFxxeo/YjUdE=,tag:aLNBq5qlxpJptIhGqLMCxg==,type:str] -SECRET_OVENMEDIAENGINE_ACCESSTOKEN=ENC[AES256_GCM,data:5wq3Eh0MR/yZ09VIOCoiPO4bxRHkMU3S8AVlsR0BZVQpm/q/8WBjh+E7rxb2NlX+D2Lsdsy2VkGVKlD7DU2ysOe+h40HmxmW66A9dZAS/IoQfxfE3QXquVmHrRvdd7GEPi36sw51ZDstfWiL1YRA0TV6mfAi+Z/1UgD3bMlL7QI=,iv:rczJrTn9trKCWd1qdw1DyZDdLhjEE8nfNysYtkiXV1s=,tag:Gnd8kEAGLScgRW5ffWiOpQ==,type:str] -sops_unencrypted_suffix=_unencrypted -sops_version=3.7.3 -sops_age__list_0__map_recipient=age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj -sops_lastmodified=2023-06-24T22:17:31Z -sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhF4DAAAAAAAAAAASAQdANDTQwVjZ/Ad3iqBe0LL2sGCrEvrl6W6VaMjFgJCUkzYw\nwASmi9Y/OqREXtEItA1rKZDTM38LuMfcU4vAeEV0SNWlW5CQquN8UpLwMATrBdXr\n0lwBcvIZFLbbnfqFAdJ1EzbRWvHuh+yn5DBMH+odm3ZLaJqiiV9EaWhfl2rdIOr4\nPJQf6Ev1hueWmc9H45a8nvwH8sOl9MH9hl3TW7o9JOOhGmZ4BBVaSJW6f0UiZw==\n=iSQg\n-----END PGP MESSAGE-----\n -sops_pgp__list_0__map_created_at=2023-06-01T18:01:07Z -sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxalh5ckhGWGxFTmFqSDQv\ndXlPOUlyYVNkWHA5VGN2TERvaWtWMHlJdFRNCnQ1NlJldEgxb2E0VEdVSDVpbHp5\nZEpTMEQ5dWU0Q2ZWTFBOZFp5Ti95ejQKLS0tIDF0c3VlazRzVWtVQ1JXT3hyTWNN\nWXpUSUNydGY4V04xZ2dTSzlvWmNOTGsKQ3rimeB7zqB4dYMp1pR1AOltXk+GhGsb\ns0jDxr/SiPUaiYoVCY4fqu9geXNRDGlPh3T2Lhs9Siif4Vnc8qTQBw==\n-----END AGE ENCRYPTED FILE-----\n -sops_mac=ENC[AES256_GCM,data:Q97o4w/Ge5ZNtrei4yuwqPhZcVGAVfyAgvaGSiUvb5Sav/u4+T2uxZSdbf5p+nlLgszVo5CmW7hw1dvn1edKTB/RqHCJk2U/Ue1cpWZ8M/3rj3IioR4GybHIxKpQiTNCmIBn00YJx8l+0new0ohxnaWfGxsXcYboHxPninSOkpI=,iv:GLzaZSJvMjEvLCWqKajP2x9qmE9mieiaSEOQngqB0Fc=,tag:iAtNDY7Zq9lpT0E/zZTZZw==,type:str] -sops_pgp__list_0__map_fp=31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 diff --git a/kube/clusters/nuclear/config/vars.sops.env b/kube/clusters/nuclear/config/vars.sops.env deleted file mode 100644 index 15a5c4bf8d..0000000000 --- a/kube/clusters/nuclear/config/vars.sops.env +++ /dev/null 
@@ -1,138 +0,0 @@ -CLUSTER_NAME=ENC[AES256_GCM,data:2+nGC/y5wQ==,iv:RqgHf52ZoDNHJf5AVGBTo8SsBT8gzJhsnvhz98sun9I=,tag:STAHjYtADDzurFEz1OaJbw==,type:str] -CONFIG_CILIUM_CLUSTER_ID=ENC[AES256_GCM,data:Cnzo,iv:QJdjKEzA9YddM/S9RumzzB8I+KRdoKlsmE7RlrmM06A=,tag:Tzr6v7jI4rzN/NbrNA3eHg==,type:str] -CONFIG_TZ=ENC[AES256_GCM,data:yjenwiH185SgIz1gDHs=,iv:zWulurvktdU7e+866iNrafkjqAuqZSnJtx8kq7RhNTM=,tag:M5IkAMqEep8dIIbHGXetIg==,type:str] -ADMIN_EMAIL=ENC[AES256_GCM,data:f60WOn10SewXRdlxiEHja4PixJpV0A==,iv:Sg8Cwsg5djIkozK4Fo5/YC8iTWSlPTdVPlz576mZdnw=,tag:GoPxq5UABX9OtS22LXfOTQ==,type:str] -USERS_1_UID=ENC[AES256_GCM,data:DY9qIA==,iv:M0E4LpIkCL4gABzOEzLVBHjGfXpPtYXb1ssezvN4D9o=,tag:wopQ/2iWx7aoxnLaQrYgFg==,type:str] -USERS_1_ID=ENC[AES256_GCM,data:KC5Etz5c60gQ,iv:1kEHHkNqOxZVC+2InmSigQ+cnezXtZtSRTkzuaqYIAE=,tag:jMTC/BjiH8O+Tzfa//a3ig==,type:str] -USERS_1_NAME=ENC[AES256_GCM,data:sPOtMDyiXKKt,iv:Qx2Kbrtgh6qhD5kIe4P6mEZ6H4mGhFHs1exEeiiwJew=,tag:TcmlQ+lx/3soaPDQ0WYRTA==,type:str] -USERS_1_EMAIL=ENC[AES256_GCM,data:vAsIA/i3ZEmeAmVVp8kmS3s=,iv:WDafq/rY87HSyHcr44ruSEMwVMmlfpYDULf1/5ILHx4=,tag:6B/DARRtroZDxQculVmVUw==,type:str] -USERS_2_UID=ENC[AES256_GCM,data:IzHgGQ==,iv:CxwO+pvNIo2GAc96tB7b0ATWnuk/umXAuq7ZXY3LHok=,tag:a2qIk8fcMWFw7z6GXV0Zfg==,type:str] -USERS_2_ID=ENC[AES256_GCM,data:1ZwdfnI=,iv:FDymvXYpPR7pm0vIWwZZ506tRDbp9wTuCkzM6XSXbFs=,tag:q68gBOpUMihms7Rdzai1AA==,type:str] -USERS_2_NAME=ENC[AES256_GCM,data:pUEVSALW2LY=,iv:j6zAgL+Z35H1t5RAA6BK9xk99UuDP+BRHH7lYanYMU4=,tag:EXq0yos64O3rvpS00a18Fg==,type:str] -USERS_3_UID=ENC[AES256_GCM,data:o8/3bQ==,iv:YoXHve6RHidEJ6nJMqOEHGtK2FeH3wHBwYUMxDAfwK0=,tag:jFE66SO+b6xyetCrxd8Zwg==,type:str] -USERS_3_ID=ENC[AES256_GCM,data:uWqHb+s=,iv:j7M/X2+tyLD5qyoulaH9urRoy7zg74UMAzAr8i+TU24=,tag:w93RZByuEOfC39nC7I5wlw==,type:str] -USERS_3_NAME=ENC[AES256_GCM,data:BxSWnRnQwXfHqg==,iv:JmzuZmZZnuQnhI9SYt1TBmBLojmm/gI0ttaLUfXrXpw=,tag:59diPvcbD4Lexj4PVpO3Ig==,type:str] 
-ASN_CLUSTER=ENC[AES256_GCM,data:wn1SX5w=,iv:MgRKQER5ywSoSzWCMMSY3WqKuT3KYY/1FVUzGrz3GZk=,tag:Nu+ZcEfA+6xH5n8UFYd3GQ==,type:str] -ASN_ROUTER=ENC[AES256_GCM,data:sgCa3Sk=,iv:/XWKgNMwZkznrYiVgCcDsWZp3GjQXd6gz+bcT7RI+Os=,tag:YU6F1U5YEXi2c4jfR5wkiQ==,type:str] -ASN_EC2_INGRESS=ENC[AES256_GCM,data:wLsuBoM=,iv:LEgE9JaYszsY62EGXWHF6IrqKH15JrIeJZl73ZDhKtY=,tag:nblIhZueKlV49Xh8JvPyXA==,type:str] -IP_ROUTER_LAN=ENC[AES256_GCM,data:q+9MIIuBLPA=,iv:pzWM3e0qgyRLgYtXv3aoKqX6ZOnpQURGBWaLZZRfQGc=,tag:xEiU2fV3Wt0YHd60hALsUQ==,type:str] -IP_ROUTER_LAN_CIDR=ENC[AES256_GCM,data:VBNZEYACQMQduOU=,iv:is1RkkLkgUYuNPypTFRm7krP9nb1rkrZ64pkQT+5LEM=,tag:opkUbEo8JR1Gp13pklKz7g==,type:str] -IP_VLAN_BLACKFISH=ENC[AES256_GCM,data:wiVRuonuaoqL,iv:lseWVabezSqniU8ncWoZpxtCmFrm9wJJoPi52WYA7co=,tag:4kIj2ruVmUM44OMu/EY6ww==,type:str] -IP_VLAN_HUMMING=ENC[AES256_GCM,data:2lL0ykXl15We,iv:PK4u09416w41bjrsEZVxAB4xA6jJDU01QbFkqqOxE3I=,tag:VRiy/gjaeY3SF69rwFHG3g==,type:str] -IP_ROUTER_VLAN_K8S=ENC[AES256_GCM,data:Z+H3tR1U+MmC,iv:Rl11kpvATZrjv45C9RLPJFoGweeM352c1o/qJkUMf6A=,tag:aJl9yEaZyGXY12JH6dPdQQ==,type:str] -IP_ROUTER_VLAN_K8S_CIDR=ENC[AES256_GCM,data:BtcBqN2Hxl/2oTDt,iv:1YL9YjMHc1qA5J2bEkdWM6AVJjiDmnlR3X4mtYd4aAM=,tag:0BhGSz34C/Ljh2xpaGRLaQ==,type:str] -IP_ROUTER_VLAN_K8S_PREFIX=ENC[AES256_GCM,data:cy9mQoDa9G0=,iv:9VksTTvKmyimYJkHFS2cGuUOYkT4gpf/CozFEuJ8Nfg=,tag:DttdwyYJyKA2dCDThxBikw==,type:str] -IP_K8S_BLACKFISH=ENC[AES256_GCM,data:0xrxPf7ZaGM2,iv:9lB7hHZ8PEOViL9VQTy9AWvVkghEvdYIPkFeAw/n0pc=,tag:Cf6nTauqLx92mehA9SOiSw==,type:str] -IP_K8S_HUMMING=ENC[AES256_GCM,data:YRFHEf22lp7q,iv:xi0YAQRiebOqADNsN5yNacZkBElA/LTq89LgvbdZn8s=,tag:hUE9x0WmzUpd58tZFC6trA==,type:str] -IP_WG_USER_1_V4=ENC[AES256_GCM,data:6kwe/D0YVGEG7CMWhr8=,iv:B4Dk4AaljCym/cxatpO/5WMZ2E4KMiNH+tCLH+yVsf8=,tag:nqqze7vKrsWTBWG5/Ou/Ag==,type:str] -IP_WG_GUEST_V4=ENC[AES256_GCM,data:zNwOAgzou0T8cAduDBY=,iv:matZ/IhxDQ+CGO3IelqlszVfmAr12dgWXIH9YLGGDOs=,tag:/MJRFYmH69ldrHfdjSQSpA==,type:str] 
-IP_CLUSTER_VIP=ENC[AES256_GCM,data:MNeXioeLb5V6,iv:q5y+X1OUn0NNubISgD3fftMjwX7D3JuiRkPAQaDOn40=,tag:l0BJ2o5O/leFLyWl5MMqqw==,type:str] -IP_POD_CIDR_V4=ENC[AES256_GCM,data:FmWuihOESnZkCKL4Nw==,iv:/gzFG6EXHQbxUXY8sUlBHgfrc6CznxWTEKkwpvNXnZ4=,tag:Fd+EHKVQL2NqWceu47pTpQ==,type:str] -IP_SVC_CIDR_V4=ENC[AES256_GCM,data:izGONZgkmYdt5//n0w==,iv:Xz0/5ZkNsT/weEjPqsGYmVq0CEyioJzXxLPlpyvwwH0=,tag:f1WG/GSvCcCDOMRkH/C80A==,type:str] -IP_LB_CIDR=ENC[AES256_GCM,data:IEDyGQUWrkG9LLUEG2s=,iv:9f143ZAPjlk/qrXj6a4fjQoAwTHGcinBCzPcbdhvkg4=,tag:pc+tuo8/7ftgmifnxgSdMw==,type:str] -IP_LB_DNS_CIDR=ENC[AES256_GCM,data:n++ZYPrjSQCEaNC6YVM=,iv:LnTTl2kaFgKK8HZLotkZBLqpCFEBH6GOAkTFihgXpHY=,tag:w4PLDrN/Ba/KAVEoOBn2wA==,type:str] -IP_LB_DNS=ENC[AES256_GCM,data:LX0wu1WB2Hj0Dyc=,iv:rxdCTNbgCvLmJ7MMz6O3E+BXcdKgT3atSM0pbYPOgQ4=,tag:oJmPV4avTj6qbyCRCxUC3Q==,type:str] -IP_HOME_DNS=ENC[AES256_GCM,data:DYHmmMvvUTM=,iv:LJUKgLaNSCiXirjF1sEBu7/iwuJ4rZtdQExjLId558o=,tag:WWLhj0WofzJHrtNIZkXJ3g==,type:str] -IP_EC2_PRIVATE=ENC[AES256_GCM,data:mpvik7PGTay9RIDT,iv:GZ7ais+/ALtZ6MrXEVmXvTchwttb+DJgvKAVp5D2ZlA=,tag:r3/sIsLZBkZLMkwtEgxyvQ==,type:str] -IP_EC2_NON_K8S=ENC[AES256_GCM,data:7jtsVqq+odY4/Ys=,iv:P90o7KO47NfR71mRU0Mbf3apZkX+DJx78hBBFgvd/r0=,tag:bWzo5EZ6ltHPsqueFHE2YA==,type:str] -IP_EC2_INGRESS=ENC[AES256_GCM,data:omO7wXHHdXAMtw==,iv:CjT+gLZ1qXlojRhO4aqASOPN4HF88zLRVmclV4F6uUM=,tag:x0IKg+E79HgKE43fzse7Dg==,type:str] -IP_OLD_DOCKER=ENC[AES256_GCM,data:P0UtR+GaYgiL,iv:4fUoNHCJNRPeKxdRTGIqTsCygXWzjNzLv+6j6M5HKTE=,tag:AvTs/+R6Z1gkZuSVwXLFBg==,type:str] -IP_TRUENAS=ENC[AES256_GCM,data:FmYxX0MfwAa5,iv:IQ2RDyFfWMB81+KWAdViSaI9wsG7ZeuWHqP8WHLxcjo=,tag:zKLAvj9Bv7LUxTzCgxzATw==,type:str] -IP_PVE_CEPH_CIDR=ENC[AES256_GCM,data:pZQiINu+zq+Eu817QSs=,iv:HNqO1t6CIYKYFu79ZIa7drta6nHrusbIAvDMZOqTjQ8=,tag:c7twZOYfyoWFtM7EsCQGYg==,type:str] -IP_PVE_CEPH_PREFIX=ENC[AES256_GCM,data:qTb2oGx0lYVYXg==,iv:LHvEoa8FOfyFgkbofpGL2Fxywh0IovaqDd4f/KuD5gA=,tag:toyC1fok90KGTSV/i+J3lA==,type:str] 
-IP_PVE_CEPH_1=ENC[AES256_GCM,data:4XniDxEiYapl8jE=,iv:tsUuu/zQRlpg3FP5D0xskegvri0Ff/gzIDhDEfMBSqI=,tag:ZyNRjxrcPFdwtVrOjzoQ0A==,type:str] -IP_PVE_CEPH_2=ENC[AES256_GCM,data:7grFGVPdQVfvWUw=,iv:wFUEr0oLNKh596/osnZFPEB2K2DrK9YJAQ1UGp6+Ro8=,tag:K0hI4bYhVWZ34OtDo20F4Q==,type:str] -IP_PVE_CEPH_3=ENC[AES256_GCM,data:gcpKOsqmtwse/y8=,iv:S6mFA3zgOjWia3H3yEiygaUNDz7mPaDjGhLOZuIb2kM=,tag:dwAzKWIxG+d6Cp1sMtBS2w==,type:str] -DNS_CLUSTER=ENC[AES256_GCM,data:KFyrQcmwWD5S,iv:PxKrqcnx/MH9/IlTb0px9JLs96JDTfDpuwQPXC6WD7A=,tag:fW6BT/BLseUFMZf5tO//dg==,type:str] -DNS_SHORT=ENC[AES256_GCM,data:HMYPDRpU0Q==,iv:bodQSYE0/p6DBqVJ/Q4hCNqAiX8mjLTkhor7lYRY7tk=,tag:uwdStgFJulK8J9Iyg//z3w==,type:str] -DNS_SHORT_CF=ENC[AES256_GCM,data:XbrHICmtyfVml4MAHr/5,iv:Jl07ZwJ5vOSOKIQev1Cqw4iAGAschkTTcIakTFXs414=,tag:5QazxRt0c5bO7fM01u3gTA==,type:str] -DNS_MAIN=ENC[AES256_GCM,data:3nalBetOs+F6lKxvFA==,iv:H80p4JKa+K8EViUMgyEcAJo+5uWA2c1Itl9X9DTu40k=,tag:8W49TomAfez0D+8rhH4BsQ==,type:str] -DNS_MAIN_CF=ENC[AES256_GCM,data:7s2brw+W5kop9l+WMZ5c8snQWzNw,iv:cjVBC+Tg8bD0O2967i2pOuLpovzWqQzsmz516ir+yZM=,tag:gxvE+Rmko1fMf8AXTyR8ew==,type:str] -DNS_VPN=ENC[AES256_GCM,data:ex//+QFhseX5,iv:2VNtm+2DBDwD9cxfaulVHHODVZW7V98Hr19H5EFS70o=,tag:WOBz55Cnna8lUMEMLnW0gw==,type:str] -DNS_STREAM=ENC[AES256_GCM,data:IQKPb0HvNNCjH66+H56oybM4,iv:YcV2u1p3hLIcNGG/G3POubEjjVkKCE87+pxHBoYP15g=,tag:XZlkSYw+r6KK+SRuYt0jkQ==,type:str] -DNS_NAS=ENC[AES256_GCM,data:he1iizywPpZlpksCWYBEJ1mR+uKm1wHB,iv:PilqCEoRnUIqix5sLhzo41N1+GBMDLjDv6oyGxoinlE=,tag:U6indYvXYAHAq2tcjCLrzw==,type:str] -DNS_OLD_DOCKER=ENC[AES256_GCM,data:fCwDMY6nyZ/hPsTOApGLP02m7to=,iv:JAdXT0jKfydpiElj1T/XuzSQhHbssaKsRg3tp3/lUL0=,tag:0LuY9zZVC+IH3ORFaPU0mg==,type:str] -PATH_NAS_MEDIA=ENC[AES256_GCM,data:ZpKa4xnMHKWOO9pDQ1b1NlHWQPfuybn81u4uQ409,iv:dB84+0jnUJDylWpOABTdylsT0gR10l2LNGE6trHZtNk=,tag:l/bt9asoFhEosRlpfLncgw==,type:str] 
-PATH_NAS_PERSIST_K8S=ENC[AES256_GCM,data:nS9umA3p29pVqWJoB5HpupInDSrg0N6GSvjEkM0l8uVaOcL2,iv:+3mMWya4stoQ3KHO1HmPUQ+Q4bq3y5farOhRJw5xPws=,tag:Jo9eSG8dfR1qn6mu6n7HDg==,type:str] -PATH_NAS_BACKUPS_K8S=ENC[AES256_GCM,data:XQiudCzciERVNC+EJ4pU/Y91Zp6MwEqleIjI57EUB/Ahb2hc,iv:EuOd7eXnKkpKBSZafcgnJxB6lZ7cKBIao/5IeabwBbs=,tag:BDHXnmljGz/7IjSuSo7IDg==,type:str] -UID_NAS_BACKUPS_K8S=ENC[AES256_GCM,data:e5JN5w==,iv:bXwb5LuwvZyFhjhbpbnabvNKX03VPB/9XY402CoBwx0=,tag:hDXYQzou/ZPpEbLYkQDl+A==,type:str] -APP_IP_NGINX=ENC[AES256_GCM,data:HQvYDG4MOg2d0Qw=,iv:0VPM8Xgs4O/HhISoocgwkJvauivMVxeHwTEP1EMYkXs=,tag:ozEvweJ+pk8OyrTpoD3QHg==,type:str] -APP_IP_K8S_GATEWAY=ENC[AES256_GCM,data:OwsOAO2jzTqrjULN,iv:EFsZhmlSDA8iHkyJgpE7BcFakxoQA9TIx4aBkwVyQGQ=,tag:VRzJr2wtaRLSWVl7wd1IDw==,type:str] -APP_IP_HAPROXY_PROXY_X=ENC[AES256_GCM,data:X4OtM9iKr9RKllTb,iv:tl5zMdaYKu9iZF23860bLHxyxwgFMl0Y7cCMD1mI8wY=,tag:tCkyCrYQjOYJHuUdlDnyZw==,type:str] -APP_UID_HAPROXY_PROXY_X=ENC[AES256_GCM,data:B3G6nA==,iv:e5UIYZa52kQ8GFBD30d4/U8WMito6albh4CMgYhHOpg=,tag:8TBer2t4zGGYIC3bmO5FLA==,type:str] -APP_DNS_FLUX_WEBHOOK=ENC[AES256_GCM,data:/vKJ0ACjgrnQdz93O0IXCy3q1Ttv8yFsJA==,iv:mbL57+d+xn9XuggscB9KiaP9t2mTZi57j+89Whhw7Ro=,tag:q37t5QXvLjTqZXhQWoT7gw==,type:str] -APP_DNS_CEPH=ENC[AES256_GCM,data:d3Rr47Rs6vLEAGOb,iv:oRwmj7gvc9nVHg7vvPNN/EdqXKwtm+BjeEvEZx5fUvQ=,tag:EjR15rnCAc+K/cwYgwgJAA==,type:str] -APP_DNS_RADOSGW=ENC[AES256_GCM,data:H5CKxKXf3imtuA==,iv:PKnd+pSP7eEHHUA5YLsHOEEBxApAakvJq3WzfVQGymY=,tag:2uZdzZ8ZDCkFdCQ/n9KSGQ==,type:str] -APP_IP_RADOSGW=ENC[AES256_GCM,data:OYs5/gWPQkPbYc8=,iv:HxElYcvv/+hQCfOa+TD04Vp/tM7jzlGApK3Z/kp/q0s=,tag:gWUtQiWgIIkfG9Yd4WC0fg==,type:str] -APP_DNS_RGW_S3=ENC[AES256_GCM,data:MD1ldDBMlPsyGNY=,iv:4lkGMXZSU6Ygsy5EkHFvg8dSDw49NfEJ0/1u48gXXmo=,tag:ICeMEHR6zPA3sbxUloXYoQ==,type:str] -APP_DNS_INGRESS_WILDCARD=ENC[AES256_GCM,data:zajTPuIFOlWK,iv:jOXVLrnknU5LOspzKTnEFX/+WLby8MTLXwmhZbM2CRM=,tag:AdXsZuwWoUoU6pew0LZ8Eg==,type:str] 
-APP_DNS_HUBBLE=ENC[AES256_GCM,data:oEZrrtl+k4vM4dk=,iv:+MKAnqYImiL1ddghSNoEtpcd3JqIYXuYNyEDRWYAs/Q=,tag:Ihqd0p8O45+2SpH0ikOfkg==,type:str] -APP_IP_KANIDM=ENC[AES256_GCM,data:h0xqulHufE9LQ/2s,iv:CMBwCwai2dqrEohngdXnLX+wn7Bu0RDH/Xl2cTxnnUk=,tag:W4Hu4UtGwvSo0AU0O0pKFg==,type:str] -APP_UID_KANIDM=ENC[AES256_GCM,data:plVe/N8=,iv:sss67JiY8gaa0+UMs7rb1K+nDWP6BCKsnKuqj2txXSQ=,tag:exDjUeioDOBrkFQPF0tl+Q==,type:str] -APP_DNS_KANIDM=ENC[AES256_GCM,data:gABLikMI3fy/dA==,iv:WBop0EmHO6uzHFmz11hLiFOnoUjD8/TbymqHMtch3yU=,tag:VgrGM6brK6ObzG8sRcFVOA==,type:str] -APP_IP_ZEROTIER=ENC[AES256_GCM,data:9Wb0nNZ8ZNbm4NJo,iv:Q/u2fjWs2bVmdsZ6ys2EjtbJuN+WoGQDs+bdlUOC/ZU=,tag:xxyfTCDvg+wUZ6v3FvZ+DQ==,type:str] -APP_DNS_ZEROTIER=ENC[AES256_GCM,data:Aux4pBfNqEdjJ5o3,iv:whsIzd6AKjIjMFhQgsBl2c2GeLfTPzZ1qzlBsrJ89HY=,tag:+w050FLUcdzZyYerTpF9mQ==,type:str] -APP_UID_MINECRAFT=ENC[AES256_GCM,data:fTM1V0A=,iv:WYxSqDa/qUlixCiNort3+Mi6eM3pdFz3Vyz+5FG03Vo=,tag:b+7VX6rwGSynwwkXZL5YKQ==,type:str] -APP_DNS_MINECRAFT=ENC[AES256_GCM,data:NiWcEavImLjEBw==,iv:YCjT1xGQ/2h1rjceAKNhkhRc23BUCamXmFwIYmFcrlY=,tag:Yb2lNm3Dj7ZAzWhMNbAiQw==,type:str] -APP_IP_MINECRAFT=ENC[AES256_GCM,data:be5OXt8nGoklZMjT,iv:Rs7deW97myaaGmxX9/w1H/yxaXYpjeoGl9FML/VkVJ8=,tag:W4ORO2ZgW3yVa/EWpsPV+Q==,type:str] -APP_DNS_WHOOGLE=ENC[AES256_GCM,data:1c/7u0M32hIi,iv:8IYUN0w1uUXrozyfe3NB0QHX3uMncumGd4AAjg4Mx50=,tag:Y3XAPEyrLo5xFLHed0LBOA==,type:str] -APP_DNS_GOKAPI=ENC[AES256_GCM,data:dLy9Bq8m5QS/C2eUgjQ50qNRb+k=,iv:BAfzricoyaBfcCa/miF+QmwhEV7/zdleLlorfHnvGUI=,tag:clz4ZIr4Govu8BETCyrSXA==,type:str] -APP_IP_SANDSTORM=ENC[AES256_GCM,data:2y8+59viax2xturn,iv:PdhUvhzsCnIwyHQw0Suwd/QYesAKhhWUhEZawN8g33k=,tag:0jtk1m/RFaQqwrX6qqj6Wg==,type:str] -APP_DNS_SANDSTORM=ENC[AES256_GCM,data:7mKMU5q6CrUUaps=,iv:ksv25j9ny1T7FmPNzA0Jdg9h9WUeug7xBzL0+XVJ38c=,tag:XJk9K69N+DEvBTrp5N3dyw==,type:str] -APP_IP_SATISFACTORY=ENC[AES256_GCM,data:bFGKtJRfYNMZxy1T,iv:9WgIcgT3XcNAYKKeilxSjSzdPnEl5NuJyUBL9dYg+Kw=,tag:Tg0xTtMGhhfoxfUDPaba8g==,type:str] 
-APP_UID_SATISFACTORY=ENC[AES256_GCM,data:nuVL2gs=,iv:LsaAEsq6f2C2LDbT472gIJ9ikGKEz1yLgZA+E0xoMjo=,tag:xJpPI3LX5zSs+1lDZtwCzw==,type:str] -APP_IP_SYNCTHING_USER_1=ENC[AES256_GCM,data:NmPMwJZ/aFbmeGVyQg==,iv:QO/gvUL1RqKbOhxcs1D8vjLA4urKVLPsFd9r3+I5aoI=,tag:vmqvtGzpOe2uXWwPDu9swQ==,type:str] -APP_DNS_SYNCTHING_USER_1=ENC[AES256_GCM,data:L0vhl2ywUXqhOvWV,iv:y1mZFV7yRfDVUoQqXkuuSaPPpYGrIvyQrHw/YSRIfSo=,tag:v2GQPh6qeEZjMP15DCjAYA==,type:str] -APP_DNS_AUTH=ENC[AES256_GCM,data:i2uwllGkGyWYwgRXb1kdkdxV,iv:4KVHvlnlvZCZ/tMR7Wzm9knhbCYIDHediCljMKCOfzM=,tag:vK0co4dCW2zwfHWN7n63JQ==,type:str] -APP_DNS_AUTHENTIK=ENC[AES256_GCM,data:XLcDJ5AKJ77t9Zpg/YZ0qyxi,iv:m35g0RFzXCgKURjEhkPSrpZZUxyVbUAWtTqybC7tJTE=,tag:1RPTVJ7eTnfByb7SyoyRmg==,type:str] -APP_IP_AUTHENTIK=ENC[AES256_GCM,data:8tt5JIxkSkFTm9Y1,iv:HsvNrxY3QqoqNezjWse47q6dtu9M3dLSUDpVqoAx4o4=,tag:b7ADjFPo73THiP+E36SOSw==,type:str] -APP_DNS_AUTHENTIK_OUTPOST=ENC[AES256_GCM,data:T4vik8pjUz3KVcQ6,iv:opuT/8CtWZWgxlJE642juQbgmX5basvnOYKhpYu5oIc=,tag:CRAFsSiK4d3wXuAeYqYh6A==,type:str] -APP_DNS_MATRIX_1=ENC[AES256_GCM,data:G38bR8gz4qS03ZSLMpYwDhPy,iv:jvN7gKtviH1yM6YMCjor8/64AMQbuqmGA2ReS8ZgGP4=,tag:9yJv7/kk9K6bDay9hsqb9Q==,type:str] -APP_DNS_MATRIX_2=ENC[AES256_GCM,data:fA9KkOI2GI/u+fgTyap6zvLF0aA=,iv:k6064HV5i0WgwzO4fDRyY4upGkgmixuGmepNkWhJI6M=,tag:cFVHtjyuqqa8GYqJ5G3l1g==,type:str] -APP_DNS_JELLYFIN=ENC[AES256_GCM,data:yYUC16YN708T8X+I,iv:Qyo+oBsIkZJwfHtVL42UgMuSQc4iAmGLmGaiD0hjMm8=,tag:Zb0YbuGgmCmTBc+1ZlAjUw==,type:str] -APP_DNS_KAVITA=ENC[AES256_GCM,data:9DH7DjuaNlN8mKj1,iv:kZyYhAQKlOsO3b/eBn6lxiK0pmevlW/BItymOy2GWfc=,tag:ybdTE4g0p9VmIj3jDnfSoQ==,type:str] -APP_DNS_EXCALIDRAW=ENC[AES256_GCM,data:3Q45Ff/gcG2m9S3/,iv:AErcbJntpieI418rE1x6Y6CC+yZRASNATp12D9Fgadk=,tag:xWYhOOTRwR+4/wGaETMNjg==,type:str] -APP_DNS_VELOCIRAPTOR=ENC[AES256_GCM,data:9954I0z60tQ87w4=,iv:MGP5wqaU725Hdht9DCaAIavG/rWRSZE3lrxOqfwHImY=,tag:qI/GLQ7E2jkrT8abKf7hKQ==,type:str] 
-APP_DNS_NTFY=ENC[AES256_GCM,data:57nxYGDcw27rVWikiyg=,iv:LYd2+OO31/UiJVMAOs7LJhNIWx+uE5Khlm0SxGCD6N8=,tag:q9ybEtincYbPOOIush1osQ==,type:str] -APP_DNS_NTFY_MX=ENC[AES256_GCM,data:0pufq8gDy9+OBnSBpX8L1Q==,iv:cKsnnGaROdqzHy4giz5Iukt3NwnzkSpRZ8ca4kx8b2Q=,tag:WeojlEs+LjlS/aeW2oY1IA==,type:str] -APP_IP_NTFY_MX=ENC[AES256_GCM,data:BmMAhTVG6EvAIof2,iv:g3BgVOp0GCQT7MuqZbCfh6H+49dzsvnO+vsLsqflO9U=,tag:ja5lWyPilvQENi6R5oZ0Lg==,type:str] -APP_UID_NTFY=ENC[AES256_GCM,data:R7IcBw==,iv:B7eH37KXKOg9Ne1I1bL+aJZZoY6Jm8Rdz4vtYxUn8WE=,tag:X5F/ony/M+qAeYntJTwLIg==,type:str] -APP_DNS_HEADSCALE=ENC[AES256_GCM,data:jrDDMcrtJiypHgUu,iv:hJzK20p5fs6zzkOBucY18/TsaeXR6WvyXJTch9yoGTI=,tag:fmLoy9oeWovG9X6hXcUFRw==,type:str] -APP_IP_HEADSCALE=ENC[AES256_GCM,data:13A651pz5u9u/cEW,iv:RA6G9W1t+y/UInoz0yk+UAqax61oxNy67Y613+IOcP0=,tag:+YMuE+Cm6fVx0qKLuWI1eA==,type:str] -APP_UID_HEADSCALE=ENC[AES256_GCM,data:6e/cSbU=,iv:Smgl5XdNjsTKLKy1sq058GHu6q6I+l/m3F03YGV1z4Q=,tag:A4mfg7ldwAtvtO78GQSXPA==,type:str] -APP_DNS_ZIPLINE=ENC[AES256_GCM,data:AI0ua5wY9oxJCQ==,iv:BAttItUiN+YhTZ0kyc4TiJwcB/xvLi23JMxxYMoB+nY=,tag:HAsKDT4iVDfYtRwray0o/A==,type:str] -APP_UID_ZIPLINE=ENC[AES256_GCM,data:xA3YFZI=,iv:ch21o7iJ0StUOcIx0G8qSkineWdsmDKtqAyxHkqnGos=,tag:lb3HNddZpvYoPARVvAu0Gg==,type:str] -APP_IP_KAHIRC=ENC[AES256_GCM,data:ptrY7Nqdf6IXlHrT,iv:4tOORgnKOMA9wG/EfB0libAzffHmyJmkUYpemVEurFQ=,tag:D69S/Hr2fSEbUN7NrpK0Cw==,type:str] -APP_UID_KAHIRC=ENC[AES256_GCM,data:oYaz184=,iv:IXl3d6G64DstmHl51Tctjzt0+Z+EQPc/4X6FPlAENa8=,tag:8LjzPnO8mpUGV+uUq6JOaA==,type:str] -APP_DNS_ATUIN=ENC[AES256_GCM,data:mVCOsSkSGq1CkGFC1w==,iv:jL4Cog5ax/lOC/HyYmOGAiIKPhRXbqKiu5q3r49JYlc=,tag:gQZcMjcVQM+jc7EyPilnCQ==,type:str] -APP_UID_ATUIN=ENC[AES256_GCM,data:HYuHZ24=,iv:zHsrDTCdO0T4+RCAun8PRVyRiIlQHI4ijxIn+XS21x4=,tag:lFgExxN5ltzTzJtAvxy6rQ==,type:str] -APP_DNS_MINIFLUX=ENC[AES256_GCM,data:fxxlpeiEjxYirco=,iv:1hdSCEzHQS1EDM8WOMhyl30bRbtJNT2cYiIjc/L07J8=,tag:vtgWoNazrFtY22gGFrDH2A==,type:str] 
-APP_UID_MINIFLUX=ENC[AES256_GCM,data:voTUTRE=,iv:uI1q5m+6yoQU+PtGVTrHU5uEgeC34Uow6g4gu8Agk3E=,tag:0/x8Il74NMp7gssnPNn61Q==,type:str] -APP_DNS_OVENMEDIAENGINE=ENC[AES256_GCM,data:dyvSaVilJkBbBF88NW6aIsuVx1iTZss=,iv:Gb7V+4xmtYou/r0Y7avvX/oxtuMUiQ34vNnvhV3K3d0=,tag:lCrVrZ8PQzeRL1XC3nncVg==,type:str] -APP_IP_OVENMEDIAENGINE=ENC[AES256_GCM,data:cT0Pz/RYvZHFmjd8,iv:mWOIzyX2dZwt4GmdLqpPZTS/2/79bgoRPdklYkJ14wA=,tag:uLD2XxdGM4BSL7FMNMvG5A==,type:str] -APP_UID_OVENMEDIAENGINE=ENC[AES256_GCM,data:ikSvegw=,iv:uWQZ+ECxaauHa5e77lxvr0CH20Ya7+jui7gZqYCVciA=,tag:YTfpLstA7TvvxvkXwWWi7A==,type:str] -APP_DNS_OVENPLAYER=ENC[AES256_GCM,data:cO0mxSjLC85vRUbXESkbPqT+31yDOudb,iv:DzVFkRWX5lcO75zKefGl6s2TvybHRAXKL+315m1K80w=,tag:YMUcbyQrxuGSs2lVE9wZAQ==,type:str] -APP_UID_OVENPLAYER=ENC[AES256_GCM,data:LCBe0Eo=,iv:4xhgOx05qdnFvFH0iFdbaha3Kc4V5WCVh7dx0888N+8=,tag:uBJ2+g0PcgprLRjih2KAyw==,type:str] -CONFIG_MINECRAFT_OPS=ENC[AES256_GCM,data:al3glJDrtuqtTM2z4W7n+tPNf6XVfK64Jdb9s5RAE5NUwxyK,iv:kYqlsOabsa2iBZKgqjOpFYJo0DMFuoo3ZWCqb/Xzi5c=,tag:nIqPXvBvxdi8crMj1CYsEw==,type:str] -CONFIG_MINECRAFT_ICON=ENC[AES256_GCM,data:nNzsyRclLnPZ+8Td/WJg2u8V/QKf/xowrghmTaKRNb9a5BMOxtzmiyAt6Us8OoY=,iv:b7fHZQdOjc4oCCLtLhopNg6G7IS2u9NUdBLCN6CjSKc=,tag:+cPgP1oK/9+EK2tB9Y45zw==,type:str] -CONFIG_MINECRAFT_NAME=ENC[AES256_GCM,data:1qSqJGmGON9BhJKRJA==,iv:Sdwq0LLLdBQlr3m+0Ey2IE9FcRtVKOtXsswLMMp9A5A=,tag:WpaTzqSO3+N+vnJkGI+pCQ==,type:str] -CONFIG_SANDSTORM_NAME=ENC[AES256_GCM,data:x7RyVOJ6R5QKc3uo1CgtecErXj5GlmxOJBfiMg==,iv:MuSWIJ2nBxLca3a6hjn44Og6uZBf/FpTQsPcnNZ+VH8=,tag:ejpMZLeYEEv9O0gkwVAEYg==,type:str] -CONFIG_SANDSTORM_MODS=ENC[AES256_GCM,data:f1pzS94FkuD5/25yejseZTIt07ICfoazeFE5Bf5iY5q0lEhG4C6Qn6mMHtZRo/8GpaHcm7iJko6EVB2IrfZ/NowaDdQqu5zki0JrwXl6Z4TshaN9JKoI,iv:hvDVOrD+NFw+l3xh84o3fRKD1qrCIiGRtMkS6Jq8Lf0=,tag:BfC2LVhlkEpm/brsjKNCOg==,type:str] -CONFIG_SANDSTORM_PORT=ENC[AES256_GCM,data:IhpWvis=,iv:N4di6I6i4ypMqgycH9RyK0kpF0bLGWknGH0lMxCEiA0=,tag:ZPkPGHhso2Upns3odJjUhg==,type:str] 
-CONFIG_SANDSTORM_QUERYPORT=ENC[AES256_GCM,data:H3gBIH8=,iv:EztmDP/le6lKN8rYJy7nHQeM+1TZntYlMFyPHETs4Gc=,tag:AUgi9vENhYaPUNfQ7IT10A==,type:str] -CONFIG_SANDSTORM_MUTATORS=ENC[AES256_GCM,data:LcYbfHuPODan47eOVUUiwNVvp+c6ULlYCZeWKom9adN1SHUfw1qwaqZwBxh5x86UGD9cvOPlzV9+4iAhVZZ8KtNPVuPWYmy+YOepYgJKOYPPnqDjHiL31qHvCOxj9vv3pFiRciEcLGOBmevSj6rLE04sedVSlGfFl/dROORFMg9g9MP+IckY2ghn7EOtM6zjgtB9EmASVbwLH7vVqpY=,iv:JByWLAO7WI72p4BOl7zwDH1ZGWL5BXmGs907hE2fEks=,tag:9lrxKDs6B5enZ/GeUfOn3A==,type:str] -CONFIG_SANDSTORM_INIT_MAP=ENC[AES256_GCM,data:nuXErWy14oau8Q==,iv:b6jxjPqj6IprhX+kAJZR+GOPWVMzjY2OpkDiSR2XBwU=,tag:2Qs6v/PrSN6tQTzmWTWR9Q==,type:str] -CONFIG_SANDSTORM_INIT_SCENARIO=ENC[AES256_GCM,data:199SWIbX0ecKR9r5VjxL/aZROg==,iv:GCgAH7zBalcQgELUyzzTVTATU5omyWYAplCXUQEMMhk=,tag:lHKjNig917ZvlH7UMLNltw==,type:str] -CONFIG_ZEROTIER_ENDPOINT=ENC[AES256_GCM,data:tOyIlrzdn8sck7um7OSicq5T0XWAmymaRLn2ENL1EyPGVdXZhi/IDRTNxmBzCVkUdju0D79EKB29qTw=,iv:FjiBFYt68V1J+/AOEptVDQ6IoXxGevvN9NCB54Rs9ws=,tag:bWkb2QIS32ltJKCrHWL0gw==,type:str] -CONFIG_AUTHENTIK_REMOTE_HOST=ENC[AES256_GCM,data:K0SOweZKXdAhlKQrZQ42UQ3Eg7u3KTF5nCemjkz2XA==,iv:65Qret7KcDIZRoLzRwoY6sXGNUGfrhsMugJ+jeO5O6Y=,tag:qkv/mksEiPuMtylKvIs/Yw==,type:str] -CONFIG_HEADSCALE_IPV4=ENC[AES256_GCM,data:EZ7GMHA6u1wWPS5g6Pg=,iv:W1hcseQ4Q6CisTXnDLI7hWTy18fIVKtZ46tudCyhfa4=,tag:2WnnNjuZhwUPG07OKTQt2g==,type:str] -CONFIG_OVENMEDIAENGINE_NAME=ENC[AES256_GCM,data:58CuH8bcUHWXBZA=,iv:BN7x6aAJPbzIn25sNoycsHRE5pugkubLS2VrM77+g/E=,tag:6JAsRjU0L6wbZtns3rk6KQ==,type:str] -sops_pgp__list_0__map_created_at=2023-06-01T18:01:04Z -sops_version=3.7.3 -sops_age__list_0__map_recipient=age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj -sops_lastmodified=2023-07-16T20:56:16Z 
-sops_mac=ENC[AES256_GCM,data:iaPDZrU1j2rUTaMygUdzQsUqPeCt5spfQXikdMCNXmZy9Qx5IyxbWIcZ5qrkxjXOErLW0eI3gLpYitTfKSyMO/6QZFvJElmnMnqY1oKlKFQqq9IHKaNAAhrQw1WnYuOf8X/dpg2p4qXWDCYljbA3kauhaGT8c7CXk5vRswotw88=,iv:jDBQtWjFT7VcfGkJ0otoOEp38n6MAr3rYbmkwz2XHhE=,tag:Ze59rLjzsSkwiz9Gq6aahg==,type:str] -sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhF4DAAAAAAAAAAASAQdAbA35718t0WVKrjQFYUPviCb0lVuh8NpfSdJCHjHcWWww\n8ak4q4VL69tZLSjQHx+VsMmKooknxWz6pw0lGxyDYlZMQ81bodInjaZGFZSz8Uuh\n0l4BhDCNDBBALTrnTliz6/DAHvmavI4UxMHost5alFio9JPkTDNmXZyvcy1/R6aw\n/uhQXLUBRvm0TSOhBZb7d0SLkLfe02Um40w1TibpKXsZz1GOMbPRNBMHHra0QIuQ\n=0jA+\n-----END PGP MESSAGE-----\n -sops_pgp__list_0__map_fp=31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 -sops_unencrypted_suffix=_unencrypted -sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFSXFvLzFQaFJ0OVJKUFV5\nTWh2OUltUlpJWFlVVytFYU9VajBHSnQ4SGdjCnRVbEVXdDVyUHJrR05Ba0xvUm1l\nTkt2YmNUZy90ZFA2b3QrODFKZ01EVG8KLS0tIEw2dkd1cnFCbnI5eWxKL2o1aDVB\nN0hveXZ2dWdxQ2k2L0pGR0ROMStVTmsK4dV/hNyDjsYnVUiFQ7kqdmcVHfYyVckz\nh/rwLjcZgsup72WDVP3v6Eul8B3LKFrSb8CDFA54tyQmSdFDCQC+Zg==\n-----END AGE ENCRYPTED FILE-----\n diff --git a/kube/clusters/nuclear/flux/secrets-age.sops.yaml b/kube/clusters/nuclear/flux/secrets-age.sops.yaml deleted file mode 100644 index e9fa36acb8..0000000000 --- a/kube/clusters/nuclear/flux/secrets-age.sops.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: nuclear-secrets-decrypt-sops-age - namespace: flux-system -data: - age.agekey: ENC[AES256_GCM,data:HcCh7EHyUGdps1OlgJrN/xI9YKTr/l2NLQtor6OmHmgolRJMx9CAhnY1scSaP4qT6nlXLGqlpj+uQCuJ7OaOuYIDzl60/mFD3gLuWYZQcjcWwVZlScLmKQ4liuQp6fb8DyOHXa1ka//3acRJSZ9afpM80mIWyYXvIZ0IjrlMOgvxF640p51bRiGl3DZZPXwNd3WbOCuPENF6GwlkO9I8lcE1wN97dHo4LVwZ63d8qcqpT6f7u5AGNP60SuTDtChXPGW5ecPaiRjOH0bZUo3RpSMUKU8AlzVUHuhRq8SwFwapmG5r4AVtI6fndxSmr/wfiJYrJSy6ruRlOBiH,iv:wRQhJ4hbsLYR5VjmOX9YawozfY5vYvCuH3hVni3tmBs=,tag:bXNQDAq430WpiR8F0t51aA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6c2s0WUxZTUFVdlVLbHhZ - VnRTR3gvZkRVT0M0S1FQTDBScVhLTUZjYkZrCldSWHlhemRaSDB5TUUzVHJzTVU2 - TzhoemJzU3NWYTR4dTVTRzhaSzJ6UGsKLS0tIDBRNk1oT3JRQnh4aUFuVFpzbmd1 - ajNqNHRtRUROVkRKVVZ4ZDVlVE1mdG8KMq5dnfyVliHwP33oh8Zp28nNp/3JD22E - 2soIMUki5f6KaFwenIGqadcyWBpD6FL9cezN4219gEyPj48xdOUhjA== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-06-27T07:30:39Z" - mac: ENC[AES256_GCM,data:3uxg1mq8sTaOSSREKS4j/ggD81APU9QmENCYx4uhL+3nMP4CFTc98R0d5SgoFGra5OsO8LTnqckecO5vGmsI34ixHUAv1eKaM3jVMfU33YKk3mjj4owztW9u7P0/TwCIrmW10FYiSRJ/SbkqLDtCC8+VdHtFe8Eti8H0DoOYg80=,iv:iqeSPrkn/aE4m/kcbqgjtTZPkejs64cx6XnVXzulDSY=,tag:JxTXuPA1Yr4FSNkqds1Dtw==,type:str] - pgp: - - created_at: "2023-06-01T21:22:55Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hF4DAAAAAAAAAAASAQdAlbR90R8aSTOAm2xXopzcX8FsUBn+xDE9e/iuQnTrJnww - HrvOnCgOiXFlL+RT1UBpeXAqJqLCVY1i3RT+ixoXrFphoeqfPeeyiI9OJyDLtykj - 0l4BTdlio7BZRm/82NHfY4sMyJ0P4OJWwg+ItlhgxnuDgd4QdPbbmASzNBjJd2Bm - 8HpP2yq+6NtAQ2C5l997LaPNC5l0O3xmZsR8zftRn4MgOHeYDHT3IY7xmF95AUh/ - =ENhw - -----END PGP MESSAGE----- - fp: 31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 - encrypted_regex: ^(data|stringData)$ - version: 3.7.3 
diff --git a/kube/clusters/nuclear/flux/secrets-ssh.sops.yaml b/kube/clusters/nuclear/flux/secrets-ssh.sops.yaml
deleted file mode 100644
index b554295280..0000000000
--- a/kube/clusters/nuclear/flux/secrets-ssh.sops.yaml
+++ /dev/null
@@ -1,40 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: nuclear-flux-github-ssh-key - namespace: flux-system -stringData: - identity: ENC[AES256_GCM,data:YfJg+yK0vYJyreYWm+F4+kK1/1TSBZtjnTgWwYQ/glOccFdf4vQFgqMwCnsuj3ED4U48gDhfMiIMVrzrMb7uIaGkSGD6STyuknAAY35D9olTT3cwm2A9Y1jRpSUPIpntAKya+WxMqphKiVx6D5dBn+2vvpIbZQc=,iv:lM9m3/UnJhxNVTgGRk0DNTNDzoDBFHcUqB8/ebZeHqU=,tag:hXuQOZ5WHOED/trjI6wJ8Q==,type:str] - identity.pub: ENC[AES256_GCM,data:wDqDYXlsyR1SuL1DG4gFpFccTLKXkzl2VWtigOYL9ty8N1cC3TgLmjxieEyZjxLUQxvMcajqb3wa+qFXA8NFRNykpOgBvzxYppzc1zIbpAal,iv:LHYq3cDbXSnope6S1mY4MfOrHYy9VlRFbXjpP7b1ir4=,tag:kIvd2NA05Exhj4Rz9Y7ovA==,type:str] - known_hosts: ENC[AES256_GCM,data:n+ko5l0lOW1kkZlpvZQhvFPTgnGB45TA9nqs7CXiWuZ+tfOvzfVWSvlVVyLTYPyIB6YRrYirea7NlQoAywsdOmcK9evAqWFkHL9bTbn3znz7ItQim5eQv4j5iK/uA4Eywi2LaJjLR1mz90K3ee/EEzI4NmLpUn6jlJZNBk4jClusm2BnWefRkeLDEbDGvBwuNqNR4hwO1KUKJbWT0UC3JiQPJ4pDKV/8wH1/,iv:F4+uXhGDeF4WBo9+nY4y7J41SZwXSsF0Nw3YQ+uKX6I=,tag:qf3rmF8l3qUJZ5r02BCAPg==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQU1crNjdQU05jZm0xbzRU - Tmx6eUgzUyt2QXRSQ2MvS2VwSnJja1c2THg0CkhhazlLQXFwT2FvSjJiODRmaGFz - a1hSQlJjWkllTERCOVlrcEFCZVVmejgKLS0tIC9wakcxcVVxczAvY05ZSmJnM3c0 - akVpeWJLMjlmZjlSR3B1Y2l6S3RBSWsKr9LWyvft1A3Rn6rH0+JkOEHrk0GoNQrF - yM03kxlegzpoCZrngFhcy96vcA7w5u6Hd1rjK22/Rr3NmuRkDUJL9A== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-06-27T07:30:15Z" - mac: ENC[AES256_GCM,data:RmJCqTSSRCawqIzb+4NXrHf+u5CtRJC50IT45DlBylgEIDV+YSOyk2f4JRxP3FAcimKuKQk4XuX9/LAJjQRco+eHHJS+kCU2SaoS0gvOZmyYuiY1365B5b2wI5o49qqHIxfSarMIg77ihm8WZjMKDxyDW1upymQFYeRl7dLFsXQ=,iv:HXvGWtCDwPsvMCNk/mSlItpTN6xne4rYnpAWZ36yeVc=,tag:zWqLG4k7d5o2/+aHmSNyUg==,type:str] - pgp: - - created_at: "2023-06-27T07:30:14Z" - enc: | - -----BEGIN PGP MESSAGE----- - - 
hF4DAAAAAAAAAAASAQdA/1WdSi1FrzsaBiH5H+KMHAQgbZXbAiJhhzzwBpRZWwYw - gBjR6oiN48j7CsOI/6rqFFphlQC/hGB9yxZI2+9ZD8j6Ve1n7qqfy3cs9CVgeXOo - 0l4B/rVsZkdAOLUFEovh8QKfTlQuqtV6+RGqeGWzXZ73/R0gtQnYvpL3sjbJ6V9x - iBbSvy6dKUmg24ignptSASETOWZ0FTyO57AXMB5OnYXPe6strB8CAXhjrvfCEduH - =gRfw - -----END PGP MESSAGE----- - fp: 31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 - encrypted_regex: ^(data|stringData)$ - version: 3.7.3 diff --git a/kube/clusters/nuclear/talos/talsecret.sops.yaml b/kube/clusters/nuclear/talos/talsecret.sops.yaml deleted file mode 100755 index 512cac599c..0000000000 --- a/kube/clusters/nuclear/talos/talsecret.sops.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -cluster: - id: ENC[AES256_GCM,data:Hjl0Uc8mEc4kYmsD499d2h/PmFty4ZOBXW8y0GWLCR+mNXwtrGG94ByQ2iE=,iv:N1qRC/a23Peb9jUlVzeTo6OYNGRju7hPcVr1ir67KvM=,tag:Nu0Qz7nafa5Lxl7NAhzI7A==,type:str] - secret: ENC[AES256_GCM,data:g+Ix7FZhih6aY5rDWUts2C18LIOCe4H55mn3VghkK8Z8vRu/ph483H/YiQ4=,iv:/HqH+PCgbkupKMLYislTktV3QmULuAqRBF+Bwf22lPk=,tag:ic8P0rNs08me3u3B1qSVAA==,type:str] -secrets: - bootstraptoken: ENC[AES256_GCM,data:4oqbwVMjJndhUCQbVmWPCq4DhNNpCYA=,iv:TqCN+ktXGV9xh/L8iyxhBiFlHeAoWpw9RSUkpN397dU=,tag:mA5wvaQtxsGs4mCEuowWkg==,type:str] - secretboxencryptionsecret: ENC[AES256_GCM,data:q3Rloe8r1L/SuChUy/tDL0512iHTPxkAaaj8ikp+SGP605gFLYi6cVsnGqc=,iv:pZ5aGcjDV6sqSPV5pRWn1Fg/UfklwRjVEfLIHHs2cPg=,tag:2RVONJm/fZc6Kz3NyZ0L8A==,type:str] -trustdinfo: - token: ENC[AES256_GCM,data:KPknDsGq9wpNYLnZ4TBDrOJGSpadrt0=,iv:DXLOKjyOu6M9jsCIlOm3qwRz08EV0BiVGpseAE7NfNo=,tag:AroVPobJw7ZmB4/CrJMgsw==,type:str] -certs: - etcd: - crt: ENC[AES256_GCM,data:rXTTHuHPiZpmMymakjHbdvGhNoT3uV6xEtpZR0uzaIQa5acCvw9uKrqYbvaAy4t/wnwCE4MaXHWx7s5tGGEzAOZrDaGkO/r7VMQ0K+oyuHtX4cYEeD2zMKxa6qD9r8H4JFKV3GkeJXU50B5R4N1Kk1tsvbkmAolta1R5WuEihSjUpVhgg5CpxV7agACEmSwYdbgcoPsbRAddjW+L4D/R75/u3CwN0ssPXr9jjNh2CXsI919F5Z76iXpgoy+S3kZCYJtSMbRpSOoPU8dZP76xxvSvVcfY73OdOfi+KE7jzkWUw8OBDp6dZMyKKNWu4KgeB+Tbwj1iCGpL2ZOOK1oMlft5lVuKdlRcEOAOokGvsTD8A0BOCtqiZSZ+qK2ojv47nffFB1uluQcIU4u0lvGix/tg2QMDHFtnqr5Z9SXAk+Pmv4ApMGuGLmC8yjuJdxeNLtlVZMhRvQr/eFSrnUZo1XazJmHIwFbYvmvEnI51LGspM8FrJzVwyjV3xnLRZX1GAa5kDwosra+uNZicgs5TApHhtvv0c1lLUMQ0xhifOZayyWqG0iqaZKYx/sxRrEQfX7jgdZjbgIwKtq0gkp6uHnMdMEv6jgsXJTFPTxRUxg86OqHU+Bxk0Q0JfsHgGS03HzktPiRZnjQgE3cJTIboXOm+a6SbhGjJ0eWmW4SB2wbgJruHbXZSGNkMzXESjbuzEohVTm8iyEbyNX4KrTrH8LTPlY8o5QnAe2WBy2v89tbLjIBGaxojNyLMYelaMrI28OgDVIakAV87En77vZP+R8YnAn7xJIfnhRpLxbajmpbY9eXGAWpQpOLoTLY4haCAX3a/GvmWDkdeZRN3rNxeNre4WuKI55RgGWLotimUWS101jVPZ81krM9Or2HeYDIi6xM+kngxzcQKjB/PyjsVO473NN2TopokzJ0JsMXgVi9gCsMdb5rf5J2ecPNUbSyiy4+MhVTwJVd+J3By4k3PxPcmHGSO6bgj6zDk2UsWDKLLFCH/0F1ijvL3Z7l8zVR2+Y1RFg==,iv:xCPZKGJzHoYey8Y
yDkKAysMMsbSNqkdVL1VQUz97KgU=,tag:aDhnIU5Z/wPoXTmtussOGw==,type:str] - key: ENC[AES256_GCM,data:ue0xhMdZzp0MFXW6GhflUDCiGIHxFQHtWq0TWF+uNQpwqCNM8OUj2IugvYk/yhgsQJTbpzHUmOy1un6tUx4wPVFU0xIzfIBnUSG918C/Rcs+FRxM8bHxfXuDnjMp/7XxhTY8lmNPskXmNcZtlznOLllxRKwM0u7JRR5Kp6f+PP8+Cc5Mg+DQat+GL1zx5T1KTrxXn+XShe0DKxKfiwWS5g8Ne/vg36b9cfUjHX+yZYZhCKscQewFJjM4qpF9XdyGQUhPCCnmklyJZhFVkW7BiJ2oSihKAmvwrYoAi9QOTN6NxSfnDI5gWcjT5/zPa0VQPOdpioRb518jfbnwawQkukaa8VnsfL2hs+iBJtKBPIXLHMSiInqpfo04TM/HlIZVhU9k/v8AGA/qatJgLIqN/w==,iv:yJA7cp3cQ7uoE/Pta5isj2ktCiwtriyvMv8BhQASRyo=,tag:v/KVj6Dppqe/ELpwvd8ToA==,type:str] - k8s: - crt: ENC[AES256_GCM,data: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,iv:qFnsfSmwNYU0vrvBeUXfn5my0tvuBrfuyHuVtElq8bA=,tag:a7ozpArpcbaLKR67pWe22A==,type:str] - key: ENC[AES256_GCM,data:HPU37fM1PCPmJRVvb6MpyGj01Bfnw+Env75MDZ0IyJuaMFhMtSAp2AsEXuyWSp0NbJmU/D1cj/V3KgVsIsC5FVFTr82lstLkzVP5sX5WpfjzdPL/jOhPAKwOEclZVkPHZdOb5TCVc89rE+3CzqRksuGfnlxGbLNkLDJ52paDjKgXVJZ1DYgtNvby6pNGPYJwDg1Sdd6qw2LUbUZRtNUS2RddUXM3mBbA6iIQsuRZtR8hkmZ/zjHLz36oAGZS4T1kMvybGkiO3Mw04um7GxuQ7v08fOqVTaSDi6higeJrzVkG/AjpVwyK9ZlyHqxj/ao9D8BP2oojJuOJzYL6g9o3z3m4Cqz8o6Y6NasqRR+tLmWAP8lrGh+kIfmTbfJJqQAeRJ1VuRycJA3r6lflT61Yfg==,iv:lDzMYK2cObsGVhWpBBB8HIXDdmmTRw3KExDXLdateiA=,tag:uwsCGa0cOAmNDfc1nsXvsQ==,type:str] - k8saggregator: - crt: 
ENC[AES256_GCM,data:dcJ5ZZ3uSs2zzuFrEnTyRQdjdaFsgEuX+67FSLXWkqS6+ldx4i352A17oWGcKf+c7AkF+GoJVhib9qTuHkm6FX2EO5V6nnmuuQhhBEfU/Go2x4nIeph1Gw4fPlzDV2DLooExUql1PEMxHAQCkXUzrcYMYSb3rJtu8ViNJS/tJWby/XQbl1Dqvk5KqeQ4rMqWZEu2RlpTXlmw0FcxDXQLSEGjlZEdh3FOhQPNE41/csPhydM4+bgGlRzzrbZbzsCMRGC5viaZDYhJo0ryOgLa878WX1MmYA9JOT8/LldtOlsfGotSqqLtttNXY4IDV0cbpG55w8hkAb8HwMDi/Z+aJOoGJOG0IT40EkYOdg4sphEU73QIHYLyDbjxuDYiQmlgzfx0o/iCMNVgMizXTTKNlJBDjPLd3KWfZ2NICawpd5ZufjNXpIyaNiFFDkD9Nv6AzmdkKWF6e1/+skILYYtSRIP6kIZt2nHppJfkUY84A8sjE47EkrMGRT7quRMHBVDFqggFEBM/+QSzCe4Dtw9x6cZZWnMoOZRJs6D1oI2XW1cEPifnMMAnRQf9nhBniaZ31mOAusmEdSnWcCBu7IIiHRQ6xHpRekR4SMhrTLjTg9+nDVzfctD1LG+wkCFLeKLYg1E6XnYOHZ2rqDC9xgbM41Nl8yZmMDhNps9gT3fvQRiWjI7wIs46xrtZy0o2VbiXxaOTSxQCjJv60ZU7A7nRgp+TN+2XAC1lMf7ZJrnKP986vpCV2UqymHAoDrvZsyqFlBlXjH8nKFN7LgRbOz5fJB7SjKa1GIrfQHexU382OUjLzxr1ctHGB7uPxWGxq1TkM7Q+3GwUz26la/kMZKkKcEJ2H6pgGjQddL2r0jffhUP4YdzQ9oJf89t6nYdj1Q3ahvIIuWG3qjQ4WqXGwRjB9NP7mJXjlmlP/+5qYiKJvbhOCkxcwBm0WzR2Asgh1LMU,iv://qdUCJlDeMsPpSwe++9TJ2A1TY7d8vesT0ELdYPi/U=,tag:aZZx39tiY8SLlNXE0wJ/Eg==,type:str] - key: ENC[AES256_GCM,data:lmvEWzEEYojXdWjEYZ2/gJsBBTLiploCe9uirtQifCXsFzOJEi08sqTGWgpw+0qf/igX/Hq3er/yMPclPAqAHdZeCzuBlgrMAZHazjIdApMMAgpCUdbKvavnemwF13rHweH5P6xOdiYUPpRw0Wyu8HlcnIF4qTPnndYDPT7PFLkQkjFFkbwMjZCTc4oXiah0iv5NiQgJ40e3A4s3V2jROd2armqV1jXGQKJjaP1/WWIq2tkX1SqFScRBA8DjyHzqCW77TTlvfuiOEg9HWl1RTs9V/18Ul17nt1PzSx4C85p8EegjaGjnLLVMIUmiUj35KLHx2lPfJ+zIArixlfnBNH4Qj5+seBA0TtAXMe2gJwmfASM8wLK8gjZiYVEf1BOFifXWGXQzJOYKcweO1q2pAg==,iv:0TVVYck5eQ6mG5Pynd/l8YQWgWkDvYPnRKJWazOQlVM=,tag:/YqoVVebXQY7/29Kq5n3jw==,type:str] - k8sserviceaccount: - key: 
ENC[AES256_GCM,data:zwrCupR/p4Oby7xuwt+2Q2HPJfL+8BchVpjFqFH9vqNEJzhLv5nyrrfGcobCZgYgqaEYqXkXNuapXICpnQ2Tnr9LlxolVrdmDg6FReOhI/Ld7AfyCKvgUyrANd57DevoZJzOrsVuxEgT2j+95ja4lg3FS5ddOdLkLXlV1ulyy+EynOsbXfumxHcwhWa0iuXTIJ9siZmwgdkV3d+FYfQsRcKwDWfehB2KwDxDvnfi0aKDo+7jjWCeTb4dDMdajzFgwX6DQhdGLqGCErX71KBYth8OEEOJ7QWZM4MsUvoM1XCHRWDsDn5jyxzP55J1Clc7Dx7J8gMU/J3qbSGKXEmOyqsspeJHC1bMsVASz9Zwp6/D2ibTAVARhLjb+M3+vXZKij3hVSETN0fVULpKTfy+1A==,iv:3S5G/gqIQxcfnypYGN/1t2gIyj9BW89Jr8lVDHgVPUQ=,tag:pDSFf0nEePYP6woyBDxFzQ==,type:str] - os: - crt: ENC[AES256_GCM,data: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,iv:XxUD55GCU1EsbZ1j3CxYRmt/U2NHQc/8rHyz5RuzyS4=,tag:auQ2Gs+nXCkZApsPluzgCg==,type:str] - key: ENC[AES256_GCM,data:Coe+VcliMgfSSXvhsd+3tiQNP2ChR48+y48h3Y1kCDEOjvR3ZPhmEnUxc4y29okGtULW4bcL2VS5on72aI/ETEGsWVRHFGmQtS5cB+7MZ0dh17U1rfA1MhxUFyAEoUDMZcqFMC/qcjRGWV4E31WXIyISLaB9fnTqahgrzWSbKnJluE8KTyD9S6HPndLNkSO7xwhE45q1TKwpMwIMTZAkZokqsfqjU8XCjjo6DXTynfackLO+,iv:OxmnwsclTEbuLIBaL2lgBUnVWjshF0TZodKD2dFHNTU=,tag:Kz5O3q1yvoqaGag/YRyT7Q==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: [] - lastmodified: "2023-06-27T07:11:41Z" - mac: ENC[AES256_GCM,data:J0VUt+mmtWyYIqMkU0i3EPGKI0iJrldYEa+uWFOrtrc10/5AlkIqF+u7mz2GRXBTPr5Z19q02CM0TIsInyK210n1qzqvRXxRi6dsv4u8wchxcVurj6lNTSBlgqfHufm81d+ug384GEXjJRoRC3Hn/6Uqgr4N9pyPaCjou+Xj8KM=,iv:jnmaDP9ZcKvyGm4yX5MH37jIGt9kIeUPDJ/3Ux6jfLI=,tag:zbHsF/JFTH7IooJ1WJm2rw==,type:str] - pgp: - - created_at: "2023-06-27T07:11:39Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hF4DAAAAAAAAAAASAQdAQqNa+xw+f+ShTmVKzg5qvRqnBt+jrFKMpUxL8AyaA3sw - rcGk629KpXzDqVhylNlE7a8YoVNe4za/TBBCV3oVHPoy+IhRk0OHEzK4mcU6Zh9h - 0lwBWRpXOTOMlp222+a5WH/awUgQ3mz69C1k8w2X07CLuQ85NycqF2zFh9KYoaLx - usE0TXudJ0WuQEk0Vunx59PTTsA4nfVL/PJm01nE+HHoDZOgwCdwxS8OhlRpyg== - =47CK - -----END PGP MESSAGE----- - fp: 31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 - unencrypted_suffix: _unencrypted - version: 3.7.3 
diff --git a/kube/clusters/sinon/README.md b/kube/clusters/sinon/README.md
new file mode 100644
index 0000000000..b8eff1ca04
--- /dev/null
+++ b/kube/clusters/sinon/README.md
@@ -0,0 +1,10 @@
+# Sinon NAS
+Single-node NAS, powered by Talos.
+
+## Hardware
++ i7-6700k
++ 32GB RAM
++ Mellanox ConnectX 2 10GbE
++ ASUS ROG MAXIMUS VIII HERO
++ 480GB Intel DC S3500 SATA SSD
++ 2x WD Red Plus 12TB
diff --git a/kube/clusters/sinon/config/externalsecret-secrets.yaml b/kube/clusters/sinon/config/externalsecret-secrets.yaml
new file mode 100644
index 0000000000..7334a1604f
--- /dev/null
+++ b/kube/clusters/sinon/config/externalsecret-secrets.yaml
@@ -0,0 +1,20 @@
+---
+# yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: &name sinon-secrets
+ namespace: flux-system
+spec:
+ refreshInterval: "1m"
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: 1p
+ target:
+ name: *name
+ creationPolicy: Owner
+ deletionPolicy: Retain
+ dataFrom:
+ - find:
+ name:
+ regexp: "^SECRET_*"
diff --git a/kube/clusters/sinon/config/externalsecret-vars.yaml b/kube/clusters/sinon/config/externalsecret-vars.yaml
new file mode 100644
index 0000000000..3d996fcf34
--- /dev/null
+++ b/kube/clusters/sinon/config/externalsecret-vars.yaml
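Review bot: The `regexp: "^SECRET_*"` on the last line of `externalsecret-secrets.yaml` reads like a glob; as a regular expression `_*` means zero or more underscores, so the pattern matches any name that merely starts with `SECRET`. Behind a `ClusterSecretStore`, that can copy more items into `sinon-secrets` than the `SECRET_` prefix suggests. `externalsecret-vars.yaml` in this same commit already uses the `_.*` form, so I would write `regexp: "^SECRET_.*"` here as well.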
@@ -0,0 +1,23 @@ +--- +# yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: &name sinon-vars + namespace: flux-system +spec: + refreshInterval: "1m" + secretStoreRef: + kind: ClusterSecretStore + name: 1p + target: + name: *name + creationPolicy: Owner + deletionPolicy: Retain + dataFrom: + - extract: + key: ".sinon-vars" + - find: + name: + #regexp: "^(CLUSTER|DNS|IP|UID|PATH|VM|OSPF|ASN|APP_DNS|APP_IP|APP_UID|CONFIG|USERS|ADMIN)_*" + regexp: "(^(?:CLUSTER|DNS|IP|UID|PATH|VM|OSPF|ASN|APP_DNS|APP_IP|APP_UID|CONFIG|USERS|ADMIN)_.*)" diff --git a/kube/clusters/sinon/config/kustomization.yaml b/kube/clusters/sinon/config/kustomization.yaml new file mode 100644 index 0000000000..7695436387 --- /dev/null +++ b/kube/clusters/sinon/config/kustomization.yaml @@ -0,0 +1,20 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./externalsecret-secrets.yaml + - ./externalsecret-vars.yaml +#secretGenerator: +# - name: biohazard-secrets +# namespace: flux-system +# envs: +# - ./secrets.sops.env +# - name: biohazard-vars +# namespace: flux-system +# envs: +# - ./vars.sops.env +generatorOptions: + disableNameSuffixHash: true + labels: + kustomize.toolkit.fluxcd.io/ssa: "merge" + kustomize.toolkit.fluxcd.io/prune: "disabled" diff --git a/kube/clusters/sinon/flux/externalsecret.yaml b/kube/clusters/sinon/flux/externalsecret.yaml new file mode 100644 index 0000000000..f8cc3a6805 --- /dev/null +++ b/kube/clusters/sinon/flux/externalsecret.yaml 
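Review bot: In config/kustomization.yaml the `generatorOptions` block has no effect, because it applies only to generators and `secretGenerator` is commented out. The `prune: "disabled"` and `ssa: "merge"` labels, presumably carried over from the SOPS-based layout, are therefore not applied to the Secrets that the two ExternalSecrets create. Those ExternalSecrets already set `deletionPolicy: Retain`, so if that is the intended protection, the `generatorOptions` block and the stale commented `biohazard-*` generator can be removed to avoid suggesting a safeguard that is not active.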
@@ -0,0 +1,48 @@ +--- +# yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: &name agekey + namespace: flux-system +spec: + refreshInterval: 1m + secretStoreRef: + kind: ClusterSecretStore + name: 1p + dataFrom: + - extract: + key: "Flux" + target: + creationPolicy: Owner + deletionPolicy: Retain + name: *name + template: + type: Opaque + data: + age.agekey: '{{ .agekey }}' +--- +# yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: &name github-ssh + namespace: flux-system +spec: + refreshInterval: 1m + secretStoreRef: + kind: ClusterSecretStore + name: 1p + dataFrom: + - extract: + key: "Flux" + target: + creationPolicy: Owner + deletionPolicy: Retain + name: *name + template: + type: Opaque + data: + identity: '{{ .identity_b64 | b64dec }}' + identity.pub: '{{ .identity_pub_b64 | b64dec }}' + known_hosts: '{{ .known_hosts_b64 | b64dec }}' \ No newline at end of file diff --git a/kube/clusters/sinon/flux/flux-repo.yaml b/kube/clusters/sinon/flux/flux-repo.yaml new file mode 100644 index 0000000000..0efc3df48d --- /dev/null +++ b/kube/clusters/sinon/flux/flux-repo.yaml 
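Review bot: Both ExternalSecrets in flux/externalsecret.yaml use `dataFrom.extract` on the whole `Flux` item, so the age key, the SSH private key and every other field of that item are fetched for each of them, and only the `template.data` block decides what reaches the Secret. Fetching the needed fields explicitly with `data` entries (`secretKey` plus `remoteRef.key` / `remoteRef.property`, as externalsecret-1password-credentials.yaml in this commit does) would keep the SSH identity out of the `agekey` sync and the age key out of the `github-ssh` sync. The file also ends without a trailing newline, and `refreshInterval: 1m` is unquoted here but quoted in the config ExternalSecrets.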
@@ -0,0 +1,387 @@ +--- +apiVersion: source.toolkit.fluxcd.io/v1 +kind: GitRepository +metadata: + name: flux-system + namespace: flux-system +spec: + interval: 10m0s + url: ssh://git@github.com/JJGadgets/Biohazard + ref: + branch: main + #secretRef: + # name: github-ssh + ignore: | + # exclude all to whitelist + /* + # include Kubernetes + !/kube +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: 0-sinon-config + # I wanna see it on the top lol + namespace: flux-system + labels: + kustomization.flux.home.arpa/name: "flux" + kustomization.flux.home.arpa/default: "false" + wait.flux.home.arpa/disabled: "true" + kustomization.flux.home.arpa/helmpatches: "false" +spec: + interval: 5m0s + path: ./kube/clusters/sinon/flux + prune: false + wait: false + sourceRef: + kind: GitRepository + name: flux-system + decryption: + provider: sops + secretRef: + name: agekey + postBuild: + substitute: + # renovate: datasource=docker depName=ghcr.io/fluxcd/flux-manifests + FLUXCD_VERSION: "v2.2.3" + substituteFrom: + - kind: Secret + name: sinon-vars + optional: false + - kind: Secret + name: sinon-secrets + optional: false + # - kind: ConfigMap + # name: sinon-versions + # optional: false + patches: + - patch: |- + apiVersion: kustomize.toolkit.fluxcd.io/v1 + kind: Kustomization + metadata: + name: not-used + spec: + interval: 5m0s + timeout: 10m0s + decryption: + provider: sops + secretRef: + name: agekey + target: + group: kustomize.toolkit.fluxcd.io + version: v1 + kind: Kustomization + - patch: |- + apiVersion: kustomize.toolkit.fluxcd.io/v1 + kind: Kustomization + metadata: + name: not-used + spec: + sourceRef: + kind: GitRepository + name: flux-system + target: + group: kustomize.toolkit.fluxcd.io + version: v1 + kind: Kustomization + labelSelector: kustomization.flux.home.arpa/default notin (false) + - patch: | + - op: add + path: /spec/dependsOn/- + value: + name: 0-sinon-config + target: + group: kustomize.toolkit.fluxcd.io + version: v1 
+ kind: Kustomization + labelSelector: kustomization.flux.home.arpa/default notin (false) + - patch: | + - op: add + path: /spec/dependsOn/- + value: + name: 1-core-1-networking-cilium-app + target: + group: kustomize.toolkit.fluxcd.io + version: v1 + kind: Kustomization + labelSelector: kustomization.flux.home.arpa/name notin (cilium, flux, kubevirt) + - patch: | + - op: add + path: /spec/dependsOn/- + value: + name: 1-core-kyverno-crds + target: + group: kustomize.toolkit.fluxcd.io + version: v1 + kind: Kustomization + labelSelector: kustomization.flux.home.arpa/default notin (false) + - patch: | + - op: add + path: /spec/dependsOn/- + value: + name: 1-core-monitoring-prom-crds + target: + group: kustomize.toolkit.fluxcd.io + version: v1 + kind: Kustomization + labelSelector: kustomization.flux.home.arpa/default notin (false) + - patch: | + - op: add + path: /spec/dependsOn/- + value: + name: zzz-flux-repos-helm + target: + group: kustomize.toolkit.fluxcd.io + version: v1 + kind: Kustomization + labelSelector: kustomization.flux.home.arpa/default notin (false) + - patch: |- + apiVersion: kustomize.toolkit.fluxcd.io/v1 + kind: Kustomization + metadata: + name: not-used + spec: + postBuild: + substituteFrom: + - kind: Secret + name: sinon-vars + optional: false + - kind: Secret + name: sinon-secrets + optional: false + target: + group: kustomize.toolkit.fluxcd.io + version: v1 + kind: Kustomization + labelSelector: substitution.flux.home.arpa/disabled notin (true) + - patch: |- + apiVersion: kustomize.toolkit.fluxcd.io/v1 + kind: Kustomization + metadata: + name: not-used + spec: + prune: true + target: + group: kustomize.toolkit.fluxcd.io + version: v1 + kind: Kustomization + labelSelector: prune.flux.home.arpa/disabled notin (true) + - patch: |- + apiVersion: kustomize.toolkit.fluxcd.io/v1 + kind: Kustomization + metadata: + name: not-used + spec: + prune: false + target: + group: kustomize.toolkit.fluxcd.io + version: v1 + kind: Kustomization + labelSelector: 
prune.flux.home.arpa/disabled=true + - patch: |- + apiVersion: kustomize.toolkit.fluxcd.io/v1 + kind: Kustomization + metadata: + name: not-used + spec: + prune: true + target: + group: kustomize.toolkit.fluxcd.io + version: v1 + kind: Kustomization + labelSelector: prune.flux.home.arpa/enabled=true + - patch: |- + apiVersion: kustomize.toolkit.fluxcd.io/v1 + kind: Kustomization + metadata: + name: not-used + spec: + wait: true + target: + group: kustomize.toolkit.fluxcd.io + version: v1 + kind: Kustomization + labelSelector: wait.flux.home.arpa/disabled notin (true) + - patch: |- + apiVersion: kustomize.toolkit.fluxcd.io/v1 + kind: Kustomization + metadata: + name: not-used + spec: + wait: false + target: + group: kustomize.toolkit.fluxcd.io + version: v1 + kind: Kustomization + labelSelector: wait.flux.home.arpa/disabled=true + - patch: |- + apiVersion: kustomize.toolkit.fluxcd.io/v1 + kind: Kustomization + metadata: + name: not-used + spec: + patches: + - patch: |- + apiVersion: helm.toolkit.fluxcd.io/v2beta1 + kind: HelmRelease + metadata: + name: not-used + spec: + interval: 5m + timeout: 15m + maxHistory: 10 + install: + crds: CreateReplace + createNamespace: true + remediation: + retries: 5 + upgrade: + crds: CreateReplace + cleanupOnFail: true + remediation: + retries: 5 + strategy: rollback + rollback: + recreate: true + cleanupOnFail: true + uninstall: + keepHistory: false + target: + group: helm.toolkit.fluxcd.io + version: v2beta1 + kind: HelmRelease + labelSelector: helm.flux.home.arpa/default notin (false) + - patch: |- + apiVersion: helm.toolkit.fluxcd.io/v2beta1 + kind: HelmRelease + metadata: + name: not-used + spec: + chart: + spec: + chart: app-template + version: 1.2.1 + sourceRef: + name: bjw-s + target: + group: helm.toolkit.fluxcd.io + version: v2beta1 + kind: HelmRelease + labelSelector: helm.flux.home.arpa/app-template=true + - patch: |- + apiVersion: helm.toolkit.fluxcd.io/v2beta1 + kind: HelmRelease + metadata: + name: not-used + spec: + 
values: + ingress: + main: + annotations: + nginx.ingress.kubernetes.io/auth-url: |- + http://authentik.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx + nginx.ingress.kubernetes.io/auth-response-headers: |- + Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid + nginx.ingress.kubernetes.io/auth-snippet: | + proxy_set_header X-Forwarded-Host $http_host; + target: + group: helm.toolkit.fluxcd.io + version: v2beta1 + kind: HelmRelease + labelSelector: nginx.ingress.home.arpa/type in (auth, auth-external, auth-external-only) + - patch: |- + apiVersion: helm.toolkit.fluxcd.io/v2beta1 + kind: HelmRelease + metadata: + name: not-used + spec: + values: + ingress: + main: + annotations: + nginx.ingress.kubernetes.io/satisfy: "any" + nginx.ingress.kubernetes.io/whitelist-source-range: | + 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.0/10 + target: + group: helm.toolkit.fluxcd.io + version: v2beta1 + kind: HelmRelease + labelSelector: nginx.ingress.home.arpa/type in (auth-external-only) + - patch: |- + apiVersion: helm.toolkit.fluxcd.io/v2beta2 + kind: HelmRelease + metadata: + name: not-used + spec: + interval: 5m + timeout: 15m + maxHistory: 10 + install: + crds: CreateReplace + createNamespace: true + remediation: + retries: 5 + upgrade: + crds: CreateReplace + cleanupOnFail: true + remediation: + retries: 5 + strategy: uninstall + rollback: + recreate: true + cleanupOnFail: true + uninstall: + keepHistory: false + driftDetection: + mode: warn # TODO: verify all running apps don't have drift, and enable + ignore: + - paths: ["/spec/replicas"] # helpful for scaling things down during debugging/troubleshooting without Helm interfering + target: + group: helm.toolkit.fluxcd.io + version: v2beta2 + kind: HelmRelease + labelSelector: helm.flux.home.arpa/default notin (false) + - patch: |- + apiVersion: helm.toolkit.fluxcd.io/v2beta2 + kind: HelmRelease + metadata: + name: not-used + spec: + values: + 
ingress: + main: + annotations: + nginx.ingress.kubernetes.io/auth-url: |- + http://authentik.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx + nginx.ingress.kubernetes.io/auth-response-headers: |- + Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid + nginx.ingress.kubernetes.io/auth-snippet: | + proxy_set_header X-Forwarded-Host $http_host; + target: + group: helm.toolkit.fluxcd.io + version: v2beta2 + kind: HelmRelease + labelSelector: nginx.ingress.home.arpa/type in (auth, auth-external, auth-external-only) + - patch: |- + apiVersion: helm.toolkit.fluxcd.io/v2beta2 + kind: HelmRelease + metadata: + name: not-used + spec: + values: + ingress: + main: + annotations: + nginx.ingress.kubernetes.io/satisfy: "any" + nginx.ingress.kubernetes.io/whitelist-source-range: | + 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.0/10 + target: + group: helm.toolkit.fluxcd.io + version: v2beta2 + kind: HelmRelease + labelSelector: nginx.ingress.home.arpa/type in (auth-external-only) + target: + group: kustomize.toolkit.fluxcd.io + version: v1 + kind: Kustomization + labelSelector: kustomization.flux.home.arpa/helmpatches notin (false) diff --git a/kube/clusters/sinon/flux/kustomization.yaml b/kube/clusters/sinon/flux/kustomization.yaml new file mode 100644 index 0000000000..77243940c4 --- /dev/null +++ b/kube/clusters/sinon/flux/kustomization.yaml 
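Review bot: The `GitRepository` uses an `ssh://` URL but its `secretRef` is commented out, so as written the `github-ssh` Secret built in flux/externalsecret.yaml (identity plus `known_hosts`) is never referenced; Flux's source-controller needs that Secret both to authenticate over SSH and to pin the host key. Unless the bootstrap task patches it in outside this hunk, restore `secretRef:` with `name: github-ssh`. Separately, the `auth-external-only` HelmRelease patches combine `satisfy: "any"` with a `whitelist-source-range` covering all RFC 1918 space and 100.64.0.0/10, which skips the authentik check for any request whose source address ingress-nginx sees inside those ranges. That is only sound if the controller sees real client addresses; requests arriving through an in-cluster proxy or tunnel with a pod address would probably pass unauthenticated, so a comment stating that assumption next to the annotation would help.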
@@ -0,0 +1,129 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - externalsecret.yaml + - ../config/ + #- flux-install.yaml + - ../../../bootstrap/flux/flux-install-localhost.yaml + - flux-repo.yaml + - ../../../repos/flux/ + - ../../../deploy/core/_networking/cilium/ + #- ../../../deploy/core/_networking/multus/ + #- ../../../deploy/core/_networking/tailscale/ + # - ../../../deploy/core/_networking/frr/ + #- ../../../deploy/core/_networking/bird/ + - ../../../deploy/core/spegel/ + - ../../../deploy/core/kyverno/_deps/ + #- ../../../deploy/core/kyverno/ + - ../../../deploy/core/monitoring/_deps/ + - ../../../deploy/core/secrets/onepassword-connect/ + - ../../../deploy/core/secrets/external-secrets/ + - ../../../deploy/core/secrets/reflector/ + - ../../../deploy/core/storage/fstrim/ + ##- ../../../deploy/core/storage/minio-nas/ + #- ../../../deploy/core/storage/_external-snapshotter/ + #- ../../../deploy/core/storage/_csi-addons/ + #- ../../../deploy/core/storage/rook-ceph/ + ##- ../../../deploy/core/storage/rook-ceph/cluster/ + #- ../../../deploy/core/storage/democratic-csi/_deps/ + #- ../../../deploy/core/storage/democratic-csi/local-hostpath/ + #- ../../../deploy/core/storage/democratic-csi/manual/ + ##- ../../../deploy/core/storage/csi-driver-nfs/ + #- ../../../deploy/core/storage/volsync/ + #- ../../../deploy/core/tls/cert-manager/ + #- ../../../deploy/core/dns/internal/_deps/ + #- ../../../deploy/core/dns/internal/k8s-gateway/ + #- ../../../deploy/core/dns/external-dns/ + #- ../../../deploy/core/ingress/_deps/ + #- ../../../deploy/core/ingress/secrets-sync/ + #- ../../../deploy/core/ingress/ingress-nginx/ + #- ../../../deploy/core/ingress/cloudflare/ + #- ../../../deploy/core/ingress/external-proxy-x/ + ##- ../../../deploy/core/db/pg/ + ##- ../../../deploy/core/db/pg/clusters/default/ + ##- ../../../deploy/core/db/pg/clusters/home/ + #- ../../../deploy/core/monitoring/metrics-server/ + #- 
../../../deploy/core/monitoring/kps/ + #- ../../../deploy/core/monitoring/victoria/ + #- ../../../deploy/core/monitoring/grafana/ + #- ../../../deploy/core/monitoring/alertmanager/ + #- ../../../deploy/core/monitoring/karma/ + #- ../../../deploy/core/monitoring/node-exporter/ + #- ../../../deploy/core/monitoring/smartctl-exporter/ + #- ../../../deploy/core/monitoring/intel-gpu-exporter/ + #- ../../../deploy/core/hardware/node-feature-discovery/ + #- ../../../deploy/core/hardware/intel-device-plugins/ + #- ../../../deploy/core/flux-system/ + - ../../../deploy/core/reloader/ + ##- ../../../deploy/core/system-upgrade-controller/ + ##- ../../../deploy/core/system-upgrade-controller/plans/talos/ + - ../../../deploy/apps/ # for the namespace + #- ../../../deploy/apps/tetragon/ + ## - ../../../deploy/apps/renovate/ + ## - ../../../deploy/apps/kubevirt/ + #- ../../../deploy/apps/default/ + ##- ../../../deploy/apps/whoogle/ + ##- ../../../deploy/apps/searxng/ + ##- ../../../deploy/apps/cyberchef/ + ##- ../../../deploy/apps/gokapi/ + ##- ../../../deploy/apps/minecraft/ + ##- ../../../deploy/apps/minecraft2/ + ##- ../../../deploy/apps/sandstorm/ + ##- ../../../deploy/apps/jellyfin/ + ##- ../../../deploy/apps/kavita/ + ##- ../../../deploy/apps/authentik/ + ##- ../../../deploy/apps/kanidm/ + ###- ../../../deploy/apps/syncthing/ # TODO: re-add once fixed up + ##- ../../../deploy/apps/excalidraw/ + ##- ../../../deploy/apps/velociraptor/ + ##- ../../../deploy/apps/gotosocial/ + ##- ../../../deploy/apps/ntfy/ + ##- ../../../deploy/apps/satisfactory/ + ### - ../../../deploy/apps/headscale/ + ##- ../../../deploy/apps/zipline/ + ##- ../../../deploy/apps/kah/ + ##- ../../../deploy/apps/thelounge/ + ##- ../../../deploy/apps/atuin/ + ##- ../../../deploy/apps/miniflux/ + ##- ../../../deploy/apps/elk/ + ##- ../../../deploy/apps/firefly/ + ##- ../../../deploy/apps/libreddit/ + ###- ../../../deploy/apps/livestream/ + ###- ../../../deploy/apps/livestream/oven + ##- 
../../../deploy/apps/soft-serve/ + ##- ../../../deploy/apps/neko/ + ##- ../../../deploy/apps/joplin/ + ##- ../../../deploy/apps/piped/ + ##- ../../../deploy/apps/phanpy/ + ###- ../../../deploy/apps/psono/ + ##- ../../../deploy/apps/audiobookshelf/ + ##- ../../../deploy/apps/paperless-ngx/ + ##- ../../../deploy/apps/grocy/ + ###- ../../../deploy/apps/nextcloud/ + ##- ../../../deploy/apps/nfs-web/ + ##- ../../../deploy/apps/readeck/ + ##- ../../../deploy/apps/k8s-schemas/ + ##- ../../../deploy/apps/restic-rest-nfs/ + ##- ../../../deploy/apps/home-assistant/ + ##- ../../../deploy/apps/go-discord-modtools/ + ##- ../../../deploy/apps/findmydeviceserver/ + ##- ../../../deploy/apps/redbot/ + ##- ../../../deploy/apps/code-server/ + ##- ../../../deploy/apps/media-edit/ + ##- ../../../deploy/apps/homebox/ + ##- ../../../deploy/apps/vikunja/ + ##- ../../../deploy/apps/reactive-resume/ + ##- ../../../deploy/apps/linkding/ + ##- ../../../deploy/apps/collabora/ + ##- ../../../deploy/apps/ocis/ + ##- ../../../deploy/apps/navidrome/ + ##- ../../../deploy/apps/goatcounter/ + ##- ../../../deploy/apps/ollama/ + ##- ../../../deploy/apps/davis/ + ##- ../../../deploy/apps/immich/ + ##- ../../../deploy/apps/kromgo/ + ##- ../../../deploy/vm/_kubevirt/ + ###- ../../../deploy/vm/_base/ + ##- ../../../deploy/vm/ad/ + ##- ../../../deploy/vm/jj/ diff --git a/kube/clusters/sinon/talos/talconfig.yaml b/kube/clusters/sinon/talos/talconfig.yaml new file mode 100755 index 0000000000..5209bec8ac --- /dev/null +++ b/kube/clusters/sinon/talos/talconfig.yaml 
@@ -0,0 +1,203 @@ +--- +clusterName: sinon +talosVersion: v1.6.4 +kubernetesVersion: v1.29.2 +endpoint: "https://sinon.${DNS_CLUSTER}:6443" +allowSchedulingOnMasters: true +allowSchedulingOnControlPlanes: true + +cniConfig: + name: none + #name: custom + #urls: + # - https://raw.githubusercontent.com/cloudnativelabs/kube-router/v2.1.1/daemonset/generic-kuberouter-all-features.yaml + +clusterPodNets: + - "${IP_POD_CIDR_V4}" + #- "${IP_POD_CIDR_V6}" +clusterSvcNets: + - "${IP_SVC_CIDR_V4}" + #- "${IP_SVC_CIDR_V6}" + +additionalApiServerCertSans: &san + - "127.0.0.1" # KubePrism +additionalMachineCertSans: *san + +nodes: + + - &m720q + hostname: "sinon.${DNS_CLUSTER}" # i7-6700k 4C8T, 32GB RAM, 480GB OS Intel DC S3500 SATA SSD + ipAddress: "${IP_SINON}" + controlPlane: true + installDiskSelector: + size: "<= 600GB" + type: "ssd" + nameservers: ["${IP_HOME_DNS}"] + disableSearchDomain: true + networkInterfaces: + - interface: lo + addresses: ["127.0.0.1/8", "127.0.0.31/8", "127.0.0.32/8", "127.0.0.33/8"] + - &m720q-net + mtu: 1500 + dhcp: false + deviceSelector: + driver: "e1000e" + vlans: + - &m720q-v58 + vlanId: 58 + mtu: 1500 + dhcp: false + addresses: ["${IP_SINON}/28", "${IP_SINON_V6}/64"] + routes: + - network: "${IP_ROUTER_VLAN_K8S_CIDR}" + metric: 1 + - network: "0.0.0.0/0" + gateway: "${IP_ROUTER_VLAN_K8S}" + #machineFiles: + # - &ts + # op: create + # path: /var/etc/tailscale/auth.env + # permissions: 0o600 + # content: | + # TS_KUBE_SECRET="" + # TS_STATE_DIR=/var/lib/tailscale + # TS_USERSPACE=false + # TS_ACCEPT_DNS=false + # - &tsNode + # op: append + # path: /var/etc/tailscale/auth.env + # permissions: 0o600 + # content: | + # TS_HOSTNAME=sinon + # TS_EXTRA_ARGS=--accept-routes=false --netfilter-mode=off --snat-subnet-routes=false --advertise-tags=tag:talos,tag:sinon + # TS_AUTHKEY=${SECRET_TAILSCALE_TALOS_AUTHKEY_SINON} + # TS_ROUTES=${IP_SINON}/32 + schematic: + customization: + systemExtensions: + officialExtensions: + - siderolabs/i915-ucode + - 
siderolabs/intel-ucode + - siderolabs/iscsi-tools + #- siderolabs/tailscale + +patches: + # set all disks to no scheduler + - |- + machine: + udev: + rules: + - |- + SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ATTR{queue/scheduler}="none" + + - &kubeletExtraArgs |- + - op: add + path: /machine/kubelet/extraArgs + value: + feature-gates: GracefulNodeShutdown=true,ServerSideApply=true + + - &machinePatch |- + machine: + install: + bootloader: true + network: + extraHostEntries: + - ip: "${IP_SINON}" + aliases: ["sinon.${DNS_CLUSTER}"] + - ip: "${IP_BIOHAZARD_VIP}" + aliases: ["c.${DNS_BIOHAZARD}"] + - ip: "${IP_ROUTER_VLAN_K8S}" + aliases: ["c.${DNS_BIOHAZARD}"] + - ip: "${IP_ROUTER_VLAN_K8S_PREFIX}1" + aliases: ["c.${DNS_BIOHAZARD}", "ange.${DNS_BIOHAZARD}", "biohazard.mesh.cilium.io"] + - ip: "${IP_ROUTER_VLAN_K8S_PREFIX}2" + aliases: ["c.${DNS_BIOHAZARD}", "charlotte.${DNS_BIOHAZARD}", "biohazard.mesh.cilium.io"] + - ip: "${IP_ROUTER_VLAN_K8S_PREFIX}3" + aliases: ["c.${DNS_BIOHAZARD}", "chise.${DNS_BIOHAZARD}", "biohazard.mesh.cilium.io"] + - ip: "${IP_HERCULES}" + aliases: ["hercules.mesh.cilium.io"] + time: + disabled: false + servers: ["${IP_ROUTER_LAN}"] + bootTimeout: 2m0s + + - &clusterPatch |- + cluster: + allowSchedulingOnMasters: true + allowSchedulingOnControlPlanes: true + discovery: + enabled: true + registries: + kubernetes: + disabled: false + service: + disabled: true + proxy: + disabled: true + + - &kubePrism |- + machine: + features: + kubePrism: + enabled: true + port: 7445 + + - &kubeletSubnet |- + machine: + kubelet: + nodeIP: + validSubnets: + - "${IP_ROUTER_VLAN_K8S_CIDR}" + + - &kubeletConfig |- + machine: + kubelet: + extraConfig: + maxPods: 200 + + # patch containerd for spegel (discard) + - |- + machine: + files: + - op: create + path: /etc/cri/conf.d/20-customization.part + permissions: 0o644 + content: | + [plugins."io.containerd.grpc.v1.cri"] + enable_unprivileged_ports = true + enable_unprivileged_icmp = true + 
[plugins."io.containerd.grpc.v1.cri".containerd] + discard_unpacked_layers = false + +controlPlane: + patches: + + - &apiServerExtraArgs |- + - op: add + path: /cluster/apiServer/extraArgs + value: + feature-gates: GracefulNodeShutdown=true,ServerSideApply=true + + - &apiServerResources |- + cluster: + apiServer: + resources: + requests: + cpu: 200m + memory: 2Gi + limits: + memory: 8Gi + + - &nodeCidrSize |- + - op: add + path: /cluster/controllerManager/extraArgs + value: + node-cidr-mask-size: 24 + + - &etcdSubnetMetrics |- + cluster: + etcd: + advertisedSubnets: + - "${IP_ROUTER_VLAN_K8S_CIDR}" + extraArgs: + listen-metrics-urls: "http://0.0.0.0:2381" diff --git a/kube/clusters/sinon/talos/talsecret.yaml b/kube/clusters/sinon/talos/talsecret.yaml new file mode 100644 index 0000000000..a39756e8e3 --- /dev/null +++ b/kube/clusters/sinon/talos/talsecret.yaml @@ -0,0 +1,23 @@ +cluster: + id: '${cluster_id}' + secret: '${cluster_secret}' +secrets: + bootstraptoken: '${secrets_bootstraptoken}' + secretboxencryptionsecret: '${secrets_secretboxencryptionsecret}' +trustdinfo: + token: '${trustdinfo_token}' +certs: + etcd: + crt: '${certs_etcd_crt}' + key: '${certs_etcd_key}' + k8s: + crt: '${certs_k8s_crt}' + key: '${certs_k8s_key}' + k8saggregator: + crt: '${certs_k8saggregator_crt}' + key: '${certs_k8saggregator_key}' + k8sserviceaccount: + key: '${certs_k8sserviceaccount_key}' + os: + crt: '${certs_os_crt}' + key: '${certs_os_key}' diff --git a/kube/deploy/core/_networking/cilium/app/config/biohazard/helm-values.yaml b/kube/deploy/core/_networking/cilium/app/config/biohazard/helm-values.yaml index 9e00c76795..83cb2c8599 100644 --- a/kube/deploy/core/_networking/cilium/app/config/biohazard/helm-values.yaml +++ b/kube/deploy/core/_networking/cilium/app/config/biohazard/helm-values.yaml 
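Review bot: In the `&etcdSubnetMetrics` control-plane patch of talconfig.yaml, `listen-metrics-urls: "http://0.0.0.0:2381"` serves etcd metrics and health over plain HTTP without client authentication on every interface of the node, not only on the `${IP_ROUTER_VLAN_K8S_CIDR}` subnet used for `advertisedSubnets`. Binding to the node address, for example `listen-metrics-urls: "http://${IP_SINON}:2381"`, or restricting the port with a host firewall rule would narrow that exposure on a NAS that other networks can reach. The `&m720q*` anchor names also look carried over from another cluster, while the hostname comment describes an i7-6700k.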
@@ -71,9 +71,9 @@ externalIPs: # leaseDuration: "120s" # leaseRenewDeadline: "60s" # leaseRetryPeriod: "1s" -#k8sClientRateLimit: # I set this high so I don't have to think about it later LOL -# qps: 50 -# burst: 100 +k8sClientRateLimit: # I set this high so I don't have to think about it later LOL + qps: 50 + burst: 100 ## NOTE: Cilium additional features and/or CRDs bpf: @@ -81,16 +81,16 @@ bpf: tproxy: true # L7 netpols stuff l7Proxy: true # enables L7 netpols dnsProxy: - #enableTransparentMode: false # TODO: verify if this reduces Cilium resource usage enableTransparentMode: true socketLB: - hostNamespaceOnly: true # KubeVirt + enabled: true # supposed to be default off, but it's enabled anyway, and looks fun lol + hostNamespaceOnly: true # KubeVirt compatibility bgpControlPlane: enabled: true ### `bgpControlPlane.enabled: true` is newer GoBGP implementation, while `bgp.enabled: true` and `bgp.announce` uses older MetalLB BGP implementation that is planned to be deprecated in Cilium v1.15. ### `bgp.announce` block is replaced by CiliumBGPPeeringPolicy CRD used by bgpControlPlane, for more fine grained control over announced addresses -localRedirectPolicy: true +localRedirectPolicy: false nodePort: enabled: true range: "9993,32767" @@ -100,7 +100,7 @@ bandwidthManager: enableIPv6BIGTCP: false # cannot enable if routingMode=tunnel ### `kubectl get` and `kubectl describe` will reflect CiliumNetworkPolicy (policy enforcement etc) with the below enabled ### endpointStatus no longer enabled since it can cause large apiserver resource usage and latency spikes, check Cilium docs on alternative -enableCnpStatusUpdates: true +enableCnpStatusUpdates: false endpointStatus: enabled: false # wellKnownIdentities: # for use in netpols, by having well-known endpoint labels # TODO: broken on 1.14? 
diff --git a/kube/deploy/core/_networking/cilium/app/config/sinon/helm-values.yaml b/kube/deploy/core/_networking/cilium/app/config/sinon/helm-values.yaml new file mode 100644 index 0000000000..bab737f778 --- /dev/null +++ b/kube/deploy/core/_networking/cilium/app/config/sinon/helm-values.yaml 
@@ -0,0 +1,110 @@ +--- +## NOTE: required for Talos +securityContext: + #privileged: true + capabilities: + ciliumAgent: [CHOWN,KILL,NET_ADMIN,NET_RAW,IPC_LOCK,SYS_ADMIN,SYS_RESOURCE,DAC_OVERRIDE,FOWNER,SETGID,SETUID] + cleanCiliumState: [NET_ADMIN,SYS_ADMIN,SYS_RESOURCE] +cgroup: + autoMount: + enabled: false + hostRoot: "/sys/fs/cgroup" + +## NOTE: Cluster identification, mainly for ClusterMesh +cluster: + name: "sinon" + id: "2" + +## NOTE: ClusterMesh, for connecting multiple clusters +# clustermesh: +# useAPIServer: true +# apiserver: +# replicas: 1 +# service: +# type: "NodePort" +# nodePort: 32371 +# # type: "LoadBalancer" +# # annotations: +# # "io.cilium/lb-ipam-ips": "${IP_CILIUM_CLUSTERMESH_BIOHAZARD}" +# config: +# enabled: true +# clusters: +# - name: "hercules" +# port: 32372 +# ips: ["${IP_HERCULES}"] + +## NOTE: Cilium's routing modes for inter-nodes pod traffic +routingMode: native +autoDirectNodeRoutes: true +ipv4NativeRoutingCIDR: "${IP_POD_CIDR_V4}" +loadBalancer: + algorithm: maglev + mode: dsr +### using Geneve tunnel for simpler routing and easier ClusterMesh across WireGuard +# routingMode: tunnel +# tunnelProtocol: geneve +# loadBalancer: +# algorithm: maglev +# mode: dsr +# dsrDispatch: geneve + # acceleration: best-effort + +## NOTE: Cilium's networking internals +ipam: + mode: kubernetes +kubeProxyReplacement: strict +### Talos 1.5 and above come with KubePrism which is an internal TCP load balancer for kube-apiserver. DO NOT COPY IF NOT ON TALOS OR A KUBEPRISM-SUPPORTED KUBERNETES DISTRIBUTION!!! 
+k8sServiceHost: "127.0.0.1" +k8sServicePort: "7445" +kubeProxyReplacementHealthzBindAddr: "0.0.0.0:10256" + +## NOTE: Cilium can automatically kill and respawn pods upon ConfigMap updates or other resource changes +rollOutCiliumPods: true +operator: + rollOutPods: true + +## NOTE: Cilium L2 LoadBalancer service IP announcements +externalIPs: + enabled: true +l2announcements: + enabled: true + leaseDuration: "120s" + leaseRenewDeadline: "60s" + leaseRetryPeriod: "1s" +k8sClientRateLimit: # I set this high so I don't have to think about it later LOL + qps: 50 + burst: 100 + +## NOTE: Cilium additional features and/or CRDs +bpf: + masquerade: false # not beneficial for homelab, and tends to conflict with other networking stuff + tproxy: true # L7 netpols stuff +l7Proxy: true # enables L7 netpols +dnsProxy: + enableTransparentMode: true +socketLB: + enabled: true # supposed to be default off, but it's enabled anyway, and looks fun lol + hostNamespaceOnly: true # KubeVirt compatibility + +bgpControlPlane: + enabled: true +localRedirectPolicy: false +nodePort: + enabled: true + range: "9993,32767" +bandwidthManager: + enabled: true + bbr: false # enable after Talos kernel updated to >= 5.18 +enableIPv6BIGTCP: false # cannot enable if routingMode=tunnel + +## NOTE: Hubble observability +hubble: + enabled: true + peerService: + clusterDomain: cluster.local + relay: + enabled: true + rollOutPods: true + ui: + enabled: true + rollOutPods: true diff --git a/kube/deploy/core/_networking/cilium/app/config/sinon/kustomization.yaml b/kube/deploy/core/_networking/cilium/app/config/sinon/kustomization.yaml new file mode 100644 index 0000000000..f826780b44 --- /dev/null +++ b/kube/deploy/core/_networking/cilium/app/config/sinon/kustomization.yaml 
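Review bot: `nodePort.range: "9993,32767"` in the sinon helm-values.yaml widens Cilium's NodePort range to cover ports the host itself uses, including 10256, which this same file binds through `kubeProxyReplacementHealthzBindAddr: "0.0.0.0:10256"`, and the kubelet's default 10250. Whether a Service can actually be allocated one of those ports depends on the apiserver's service-node-port-range, which is not part of this hunk, so this may be harmless. A comment explaining why the range starts at 9993 would settle it. `kubeProxyReplacement: strict` is also the older spelling of that value and is worth checking against the 1.15.3 chart pinned for bootstrap.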
@@ -0,0 +1,16 @@ +--- +# this Kustomization is only for bootstrapping with `kustomize build --enable-helm` +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +helmCharts: + - name: cilium + repo: https://helm.cilium.io/ + version: 1.15.3 + releaseName: cilium + namespace: kube-system + valuesFile: helm-values.yaml +commonAnnotations: + meta.helm.sh/release-name: cilium + meta.helm.sh/release-namespace: kube-system +commonLabels: + app.kubernetes.io/managed-by: Helm diff --git a/kube/deploy/core/_networking/cilium/app/hr.yaml b/kube/deploy/core/_networking/cilium/app/hr.yaml index 235b88d9b2..77f983a557 100644 --- a/kube/deploy/core/_networking/cilium/app/hr.yaml +++ b/kube/deploy/core/_networking/cilium/app/hr.yaml @@ -32,8 +32,7 @@ spec: ## NOTE: Cilium Agent API rate limit configuration ### upon reboot/untaint/uncordon, burst(s) of pod creations causes Cilium to 429 rate limit pods from getting their network configuration ### current config stolen from https://github.com/cilium/cilium/issues/24361#issuecomment-1564825275 - apiRateLimit: | - endpoint-create=auto-adjust:true,mean-over:15 + apiRateLimit: "endpoint-create=auto-adjust:true,estimated-processing-duration:1s,mean-over:15" ## NOTE: BGP for LoadBalancer services ### `bgpControlPlane.enabled: true` is newer GoBGP implementation, while `bgp.enabled: true` and `bgp.announce` uses older MetalLB BGP implementation that is planned to be deprecated in Cilium v1.15. ### `bgp.announce` block is replaced by CiliumBGPPeeringPolicy CRD used by bgpControlPlane, for more fine grained control over announced addresses diff --git a/kube/deploy/core/_networking/cilium/netpols/cluster-default-kube-dns.yaml b/kube/deploy/core/_networking/cilium/netpols/cluster-default-kube-dns.yaml index 7c10780828..79f7a91c85 100644 --- a/kube/deploy/core/_networking/cilium/netpols/cluster-default-kube-dns.yaml +++ b/kube/deploy/core/_networking/cilium/netpols/cluster-default-kube-dns.yaml 
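Review bot: The bootstrap Kustomization in config/sinon/kustomization.yaml pulls the `cilium` chart from `https://helm.cilium.io/` by version only, and per its own comment it is rendered with `kustomize build --enable-helm` before Flux or any admission policy exists, so the CNI manifests are trusted exactly as fetched. `version: 1.15.3` is also a second pin that can drift from the chart version in the HelmRelease, which is not visible in this hunk. A renovate annotation comment on the version line, like the one on `FLUXCD_VERSION` in flux-repo.yaml, and a line in the bootstrap README about reviewing the rendered output before applying it would cover both.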
@@ -20,19 +20,46 @@ spec: apiVersion: "cilium.io/v2" kind: CiliumClusterwideNetworkPolicy metadata: - name: "cluster-default-kube-dns-egress" + name: "cluster-default-kube-dns-egress-l7" spec: description: "Policy for egress allow to kube-dns from all Cilium managed endpoints in the cluster" - endpointSelector: {} + endpointSelector: + matchExpressions: + - {key: dns.home.arpa/l7, operator: NotIn, values: ["false"]} egress: - toEndpoints: - matchLabels: "k8s:io.kubernetes.pod.namespace": kube-system "k8s:k8s-app": kube-dns + - matchLabels: + io.kubernetes.pod.namespace: kube-system + k8s-app: kube-dns toPorts: - ports: - port: "53" protocol: "ANY" rules: dns: - - matchPattern: "*" \ No newline at end of file + - matchPattern: "*" +--- +apiVersion: "cilium.io/v2" +kind: CiliumClusterwideNetworkPolicy +metadata: + name: "cluster-default-kube-dns-egress" +spec: + description: "Policy for egress allow to kube-dns from all Cilium managed endpoints in the cluster" + endpointSelector: + matchExpressions: + - {key: dns.home.arpa/l7, operator: In, values: ["false"]} + egress: + - toEndpoints: + - matchLabels: + "k8s:io.kubernetes.pod.namespace": kube-system + "k8s:k8s-app": kube-dns + - matchLabels: + io.kubernetes.pod.namespace: kube-system + k8s-app: kube-dns + toPorts: + - ports: + - port: "53" + protocol: "ANY" diff --git a/kube/deploy/core/_networking/cilium/netpols/labelled-allow-egress.yaml b/kube/deploy/core/_networking/cilium/netpols/labelled-allow-egress.yaml index 302327470d..0c7d134a21 100644 --- a/kube/deploy/core/_networking/cilium/netpols/labelled-allow-egress.yaml +++ b/kube/deploy/core/_networking/cilium/netpols/labelled-allow-egress.yaml @@ -176,7 +176,7 @@ spec: matchLabels: egress.home.arpa/r2: allow egress: - - toFQDNs: + - toFQDNs: &dns - matchPattern: "*.r2.cloudflarestorage.com" toPorts: - ports: 
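Review bot: The new `cluster-default-kube-dns-egress` policy lets any endpoint labelled `dns.home.arpa/l7: "false"` reach kube-dns on port 53 with no `rules.dns` section, so, as far as Cilium's documented behaviour goes, those pods lose DNS proxy visibility unless another policy adds a DNS rule for them. The opt-out is keyed on a pod label that workload manifests control. Both policies keep the identical `description`, which hides the difference; the second could read `description: "L4-only egress allow to kube-dns for endpoints labelled dns.home.arpa/l7=false (no DNS proxy visibility)"`. The two `matchLabels` entries under `toEndpoints` differ only in the `k8s:` prefix and look redundant.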
@@ -184,6 +184,19 @@ spec: protocol: "TCP" - port: "443" protocol: "UDP" + - toEndpoints: + - matchLabels: + "k8s:io.kubernetes.pod.namespace": kube-system + "k8s:k8s-app": kube-dns + - matchLabels: + io.kubernetes.pod.namespace: kube-system + k8s-app: kube-dns + toPorts: + - ports: + - port: "53" + protocol: "ANY" + rules: + dns: *dns --- # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumclusterwidenetworkpolicy_v2.json apiVersion: cilium.io/v2 @@ -195,7 +208,7 @@ spec: matchLabels: egress.home.arpa/github: allow egress: - - toFQDNs: + - toFQDNs: &dns - matchPattern: "github.com" - matchPattern: "*.github.com" - matchPattern: "*.github.dev" @@ -208,6 +221,19 @@ spec: protocol: "TCP" - port: "443" protocol: "UDP" + - toEndpoints: + - matchLabels: + "k8s:io.kubernetes.pod.namespace": kube-system + "k8s:k8s-app": kube-dns + - matchLabels: + io.kubernetes.pod.namespace: kube-system + k8s-app: kube-dns + toPorts: + - ports: + - port: "53" + protocol: "ANY" + rules: + dns: *dns --- # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumclusterwidenetworkpolicy_v2.json apiVersion: cilium.io/v2 @@ -219,7 +245,7 @@ spec: matchLabels: egress.home.arpa/discord: allow egress: - - toFQDNs: + - toFQDNs: &dns - matchPattern: "discord.com" - matchPattern: "*.discord.com" - matchPattern: "discordapp.com" @@ -233,6 +259,19 @@ spec: protocol: "TCP" - port: "443" protocol: "UDP" + - toEndpoints: + - matchLabels: + "k8s:io.kubernetes.pod.namespace": kube-system + "k8s:k8s-app": kube-dns + - matchLabels: + io.kubernetes.pod.namespace: kube-system + k8s-app: kube-dns + toPorts: + - ports: + - port: "53" + protocol: "ANY" + rules: + dns: *dns --- # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumclusterwidenetworkpolicy_v2.json apiVersion: cilium.io/v2 
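Review bot: The `rules.dns: *dns` list added under the kube-dns rule does not narrow what these pods may resolve. Cilium allow rules are additive, and `cluster-default-kube-dns-egress-l7` in this same commit still permits `matchPattern: "*"` for every endpoint not labelled `dns.home.arpa/l7: "false"`. If the block exists so that opted-out pods still get these lookups proxied for `toFQDNs`, a comment above it would say so, e.g. `# DNS proxy visibility for toFQDNs when dns.home.arpa/l7 is "false"; not a restriction`. The same block is repeated in the hunks at -208, -233 and -252 of this file, and each policy document starts above its hunk.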
@@ -244,7 +283,7 @@ spec: matchLabels: egress.home.arpa/pypi: allow egress: - - toFQDNs: + - toFQDNs: &dns - matchPattern: "pypi.org" toPorts: - ports: @@ -252,6 +291,19 @@ spec: protocol: "TCP" - port: "443" protocol: "UDP" + - toEndpoints: + - matchLabels: + "k8s:io.kubernetes.pod.namespace": kube-system + "k8s:k8s-app": kube-dns + - matchLabels: + io.kubernetes.pod.namespace: kube-system + k8s-app: kube-dns + toPorts: + - ports: + - port: "53" + protocol: "ANY" + rules: + dns: *dns --- # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumclusterwidenetworkpolicy_v2.json apiVersion: cilium.io/v2 diff --git a/kube/deploy/core/secrets/external-secrets/app/externalsecret-1password-credentials.yaml b/kube/deploy/core/secrets/external-secrets/app/externalsecret-1password-credentials.yaml new file mode 100644 index 0000000000..f67b5aa177 --- /dev/null +++ b/kube/deploy/core/secrets/external-secrets/app/externalsecret-1password-credentials.yaml @@ -0,0 +1,29 @@ +--- +# yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: &name onepassword-connect-secrets + namespace: external-secrets +spec: + refreshInterval: 1m + secretStoreRef: + kind: ClusterSecretStore + name: 1p + data: + - secretKey: "credentials" + remoteRef: + key: "${CLUSTER_NAME:=biohazard} Credentials File" + property: "1password-credentials.json" + # dataFrom: + # - extract: + # key: "${CLUSTER_NAME:=biohazard} Credentials File" + target: + creationPolicy: Owner + deletionPolicy: Retain + name: *name + template: + type: Opaque + data: + 1password-credentials.json: '{{ .credentials }}' # Document type in 1Password saved directly from Connect Server web wizard + # 1password-credentials.json: '{{ .1password-credentials.json }}' 
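Review bot: This ExternalSecret and the one added in `stores/1password/externalsecret-token.yaml` both use `metadata.name: onepassword-connect-secrets` in namespace `external-secrets`, and both target a Secret of that name with `creationPolicy: Owner`. Two manifests with the same kind, name and namespace are one API object, so unless only one of them is listed in a kustomization (not visible here), whichever is applied last replaces the other's spec. The Secret then holds either `1password-credentials.json` or `token`, while the sidecar volume needs the first and the ClusterSecretStore's `connectTokenSecretRef` needs the second. Giving this one its own name and target, e.g. `name: &name onepassword-connect-credentials`, and pointing the `1p` volume's `secretName` in the HelmRelease at it would separate them.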
diff --git a/kube/deploy/core/secrets/external-secrets/app/hr.yaml b/kube/deploy/core/secrets/external-secrets/app/hr.yaml index a6f4994c6e..7a12c1177b 100644 --- a/kube/deploy/core/secrets/external-secrets/app/hr.yaml +++ b/kube/deploy/core/secrets/external-secrets/app/hr.yaml @@ -21,7 +21,7 @@ spec: egress.home.arpa/onepassword-connect: "allow" prom.home.arpa/kps: "allow" # scheduling - replicaCount: 2 + replicaCount: 1 # 1Password can't scale leaderElect: true topologySpreadConstraints: - maxSkew: 1 
@@ -48,3 +48,94 @@ spec: podLabels: # netpols ingress.home.arpa/apiserver: "allow" prom.home.arpa/kps: "allow" + # 1Password Connect + extraContainers: + - name: onepassword-connect-api + image: docker.io/1password/connect-api:1.7.2@sha256:0c5ae74396e3c18c3b65acb89cb76d31088968cf0c25deca3818c72b01586606 + imagePullPolicy: IfNotPresent + env: + - name: TZ + value: Asia/Singapore + - name: OP_BUS_PEERS + value: 127.0.0.1:60002 + - name: OP_BUS_PORT + value: "60001" + - name: OP_HTTP_PORT + value: "8443" + - name: OP_SESSION + value: /config/1password-credentials.json + - name: OP_LOG_LEVEL + value: info + - name: XDG_DATA_HOME + value: /data + volumeMounts: &1p-mnt + - name: 1p + mountPath: /config + readOnly: true + - name: 1p-tmp + mountPath: /data + securityContext: &1p-sc + runAsUser: 999 + runAsGroup: 999 + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: [ALL] + resources: + requests: + cpu: 10m + limits: + cpu: "3" + memory: 512Mi + - name: onepassword-connect-api + image: docker.io/1password/connect-api:1.7.2@sha256:0c5ae74396e3c18c3b65acb89cb76d31088968cf0c25deca3818c72b01586606 + imagePullPolicy: IfNotPresent + env: + - name: TZ + value: Asia/Singapore + - name: OP_BUS_PEERS + value: 127.0.0.1:60001 + - name: OP_BUS_PORT + value: "60002" + - name: OP_HTTP_PORT + value: "57832" + - name: OP_SESSION + value: /config/1password-credentials.json + - name: OP_LOG_LEVEL + value: info + - name: XDG_DATA_HOME + value: /data + volumeMounts: *1p-mnt + securityContext: *1p-sc + resources: + requests: + cpu: 10m + limits: + cpu: "3" + memory: 512Mi + extraVolumes: + - name: 1p + secret: + secretName: onepassword-connect-secrets + defaultMode: 0400 + - name: 1p-tmp + emptyDir: + medium: Memory + postRenderers: + - kustomize: + patches: + - target: + kind: Deployment + labelSelector: app.kubernetes.io/name=external-secrets + patch: |- + apiVersion: apps/v1 + kind: Deployment + metadata: + name: not-used + namespace: not-used + spec: + 
template: + spec: + hostAliases: + - ip: "${APP_IP_ONEPASSWORD_CONNECT}" + hostnames: ["${APP_DNS_ONEPASSWORD_CONNECT}"] diff --git a/kube/deploy/core/secrets/external-secrets/app/netpol.yaml b/kube/deploy/core/secrets/external-secrets/app/netpol.yaml new file mode 100644 index 0000000000..9ee278f509 --- /dev/null +++ b/kube/deploy/core/secrets/external-secrets/app/netpol.yaml @@ -0,0 +1,59 @@ +--- +# yaml-language-server: $schema=https://crds.jank.ing/cilium.io/ciliumnetworkpolicy_v2.json +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: &app external-secrets + namespace: *app +spec: + endpointSelector: {} + ingress: + - fromEntities: + - kube-apiserver + - host + - remote-node + egress: + - toEndpoints: + - matchLabels: + io.kubernetes.pod.namespace: *app + - toEndpoints: + - matchLabels: + io.kubernetes.pod.namespace: onepassword-connect + toPorts: + - ports: + - port: "8443" + protocol: "TCP" + - port: "8443" + protocol: "UDP" + - toEntities: + - kube-apiserver + - host + toPorts: + - ports: + - port: "6443" + protocol: "TCP" + - port: "6443" + protocol: "UDP" + # 1Password Connect + - toFQDNs: &dns + - matchPattern: "1password.com" + - matchPattern: "*.1password.com" + - matchPattern: "1passwordusercontent.com" + - matchPattern: "*.1passwordusercontent.com" + toPorts: + - ports: + - port: "443" + protocol: "ANY" + - toEndpoints: + - matchLabels: + "k8s:io.kubernetes.pod.namespace": kube-system + "k8s:k8s-app": kube-dns + - matchLabels: + io.kubernetes.pod.namespace: kube-system + k8s-app: kube-dns + toPorts: + - ports: + - port: "53" + protocol: "ANY" + rules: + dns: *dns \ No newline at end of file diff --git a/kube/deploy/core/secrets/external-secrets/stores/1password/clustersecretstore.yaml b/kube/deploy/core/secrets/external-secrets/stores/1password/clustersecretstore.yaml index ed20041959..42f7555f89 100644 --- a/kube/deploy/core/secrets/external-secrets/stores/1password/clustersecretstore.yaml 
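Review bot: Both entries under `extraContainers` are named `onepassword-connect-api` and run the `connect-api` image; container names must be unique within a pod, so the rendered Deployment would be rejected by the API server. The second entry's ports (`OP_BUS_PORT` 60002, `OP_HTTP_PORT` 57832) suggest it was meant to be the sync companion, so it presumably should be `name: onepassword-connect-sync` with the matching `1password/connect-sync` image, pinned by digest like the first. Separately, the `1p` secret volume uses `defaultMode: 0400` while the containers run as UID 999. Unless a pod-level `fsGroup` from the chart (not visible here) makes the file readable to that UID, the file named by `OP_SESSION` cannot be read.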
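Review bot: The `ingress` rule admits `host` and `remote-node` on every port for every pod in the namespace (`endpointSelector: {}`), which now includes the Connect API listeners added to the external-secrets pod in this commit. A `toPorts` list limited to the ports the webhook, probes and metrics actually use would keep the Connect ports (8443 and 57832 in the HelmRelease hunk) off the node-reachable surface. The egress rule to namespace `onepassword-connect` on 8443 looks like a leftover now that `connectHost` points at 127.0.0.1, so confirm whether it is still needed. The file also ends without a trailing newline.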
+++ b/kube/deploy/core/secrets/external-secrets/stores/1password/clustersecretstore.yaml @@ -8,7 +8,8 @@ spec: refreshInterval: 60 provider: onepassword: - connectHost: "https://${APP_DNS_ONEPASSWORD_CONNECT}" + #connectHost: "https://${APP_DNS_ONEPASSWORD_CONNECT}" + connectHost: "http://127.0.0.1:8443" vaults: "${CLUSTER_NAME}": 1 auth: @@ -16,4 +17,4 @@ spec: connectTokenSecretRef: name: "onepassword-connect-secrets" namespace: "external-secrets" - key: "token" \ No newline at end of file + key: "token" diff --git a/kube/deploy/core/secrets/external-secrets/stores/1password/externalsecret-token.yaml b/kube/deploy/core/secrets/external-secrets/stores/1password/externalsecret-token.yaml new file mode 100644 index 0000000000..ee8cd55223 --- /dev/null +++ b/kube/deploy/core/secrets/external-secrets/stores/1password/externalsecret-token.yaml @@ -0,0 +1,23 @@ +--- +# yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: &name onepassword-connect-secrets + namespace: external-secrets +spec: + refreshInterval: 1m + secretStoreRef: + kind: ClusterSecretStore + name: 1p + dataFrom: + - extract: + key: "${CLUSTER_NAME:=biohazard} Access Token: ${CLUSTER_NAME:=biohazard}" + target: + creationPolicy: Owner + deletionPolicy: Retain + name: *name + template: + type: Opaque + data: + token: '{{ .credential }}' # JSON Web Token type in 1Password saved directly from Connect Server web wizard diff --git a/kube/deploy/core/secrets/external-secrets/stores/1password/secrets.yaml b/kube/deploy/core/secrets/external-secrets/stores/1password/secrets.yaml deleted file mode 100644 index eba48e5728..0000000000 --- a/kube/deploy/core/secrets/external-secrets/stores/1password/secrets.yaml +++ /dev/null 
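Review bot: The new `connectHost: "http://127.0.0.1:8443"` only works when the external-secrets controller pod itself carries the Connect sidecar, and the commented-out old value left above it gives no reason for the switch. I would replace the dead line with a comment that records the dependency and why plain HTTP is acceptable here, e.g. `# Connect runs as a sidecar of the external-secrets controller; loopback HTTP stays inside the pod network namespace`. That also warns anyone who later moves Connect back to its own Deployment to restore `https://`. The `spec:` mapping starts above the hunk.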
@@ -1,9 +0,0 @@ ---- -apiVersion: v1 -kind: Secret -metadata: - name: "onepassword-connect-secrets" - namespace: "external-secrets" -type: Opaque -stringData: - token: "${SECRET_EXTERNAL_SECRETS_ONEPASSWORD_CONNECT_TOKEN}" diff --git a/kube/deploy/core/secrets/onepassword-connect/app/netpol.yaml b/kube/deploy/core/secrets/onepassword-connect/app/netpol.yaml index 558e04de1c..7b26fb8e64 100644 --- a/kube/deploy/core/secrets/onepassword-connect/app/netpol.yaml +++ b/kube/deploy/core/secrets/onepassword-connect/app/netpol.yaml @@ -19,12 +19,15 @@ spec: toPorts: - ports: - port: "8443" + protocol: "TCP" + - port: "8443" + protocol: "UDP" egress: # same namespace - toEndpoints: - matchLabels: io.kubernetes.pod.namespace: *app - - toFQDNs: + - toFQDNs: &dns - matchPattern: "1password.com" - matchPattern: "*.1password.com" - matchPattern: "1passwordusercontent.com" @@ -32,6 +35,20 @@ spec: toPorts: - ports: - port: "443" + protocol: "ANY" + - toEndpoints: + - matchLabels: + "k8s:io.kubernetes.pod.namespace": kube-system + "k8s:k8s-app": kube-dns + - matchLabels: + io.kubernetes.pod.namespace: kube-system + k8s-app: kube-dns + toPorts: + - ports: + - port: "53" + protocol: "ANY" + rules: + dns: *dns --- # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumclusterwidenetworkpolicy_v2.json apiVersion: cilium.io/v2 @@ -50,3 +67,6 @@ spec: toPorts: - ports: - port: "8443" + protocol: "TCP" + - port: "8443" + protocol: "UDP" diff --git a/kube/deploy/core/secrets/onepassword-connect/ks.yaml b/kube/deploy/core/secrets/onepassword-connect/ks.yaml index 7314697354..c1cde6e45c 100644 --- a/kube/deploy/core/secrets/onepassword-connect/ks.yaml +++ b/kube/deploy/core/secrets/onepassword-connect/ks.yaml @@ -11,4 +11,5 @@ spec: labels: *l path: ./kube/deploy/core/secrets/onepassword-connect/app targetNamespace: "onepassword-connect" - dependsOn: [] + dependsOn: + - name: 1-core-1-networking-cilium-loadbalanacer 
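Review bot: In the `ks.yaml` hunk the new `dependsOn` name `1-core-1-networking-cilium-loadbalanacer` is spelled `loadbalanacer`. Flux resolves `dependsOn` by exact Kustomization name and leaves this Kustomization unreconciled while the dependency is not found, which would hold back 1Password Connect and every secret that relies on it. If the target Kustomization (not visible in this hunk) is actually named with `loadbalancer`, the line should read `- name: 1-core-1-networking-cilium-loadbalancer`. If the misspelling is the real name, a short comment saying so would keep someone from correcting it later.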
diff --git a/kube/templates/test/app/es.yaml b/kube/templates/test/app/es.yaml index 31d86dab82..b8ddb44516 100644 --- a/kube/templates/test/app/es.yaml +++ b/kube/templates/test/app/es.yaml @@ -17,3 +17,7 @@ spec: creationPolicy: Owner deletionPolicy: Retain name: *name + # template: + # type: Opaque + # data: + # age.agekey: '{{ .agekey }}' \ No newline at end of file diff --git a/kube/templates/test/app/hr.yaml b/kube/templates/test/app/hr.yaml index 9d2b35f955..3db891b65d 100644 --- a/kube/templates/test/app/hr.yaml +++ b/kube/templates/test/app/hr.yaml 
@@ -9,48 +9,50 @@ spec: chart: spec: chart: app-template - version: "2.6.0" + version: 3.1.0 sourceRef: name: bjw-s kind: HelmRepository namespace: flux-system values: controllers: - main: + ${APPNAME}: # type: statefulset type: deployment replicas: 1 pod: labels: - ingress.home.arpa/nginx-internal: "allow" - db.home.arpa/pg: "pg-default" + ingress.home.arpa/nginx-internal: allow + db.home.arpa/pg: pg-default s3.home.arpa/store: "rgw-${CLUSTER_NAME}" - # egress.home.arpa/internet: "allow" + # authentik.home.arpa/https: allow + # prom.home.arpa/kps: allow + # egress.home.arpa/internet: allow containers: main: image: &img - repository: "ghcr.io/${APPNAME}/${APPNAME}" - tag: "v" - env: + repository: ghcr.io/${APPNAME}/${APPNAME} + tag: v + env: &env TZ: "${CONFIG_TZ}" _APPNAME_DATABASE_SOURCE: valueFrom: secretKeyRef: - name: "pg-default-pguser-${APPNAME}" - key: "pgbouncer-uri" + name: pg-default-pguser-${APPNAME} + key: pgbouncer-uri GTS_STORAGE_S3_ACCESS_KEY: valueFrom: secretKeyRef: - name: "${APPNAME}-data-s3" - key: "AWS_ACCESS_KEY_ID" + name: ${APPNAME}-data-s3 + key: AWS_ACCESS_KEY_ID GTS_STORAGE_S3_SECRET_KEY: valueFrom: secretKeyRef: - name: "${APPNAME}-media-s3" - key: "AWS_SECRET_ACCESS_KEY" - envFrom: + name: ${APPNAME}-media-s3 + key: AWS_SECRET_ACCESS_KEY + envFrom: &envFrom - secretRef: - name: "${APPNAME}-secrets" + name: ${APPNAME}-secrets securityContext: &sc readOnlyRootFilesystem: true allowPrivilegeEscalation: false @@ -63,6 +65,13 @@ spec: limits: cpu: "3000m" memory: "6Gi" + probes: + liveness: + enabled: true + readiness: + enabled: true + #startup: + # enabled: true # statefulset: # volumeClaimTemplates: # - name: data 
@@ -71,69 +80,66 @@ spec: # accessMode: ReadWriteOnce # advancedMounts: # main: # only container name here - # - path: "/data" + # - path: /data # 01-init-${APPNAME}-admin-password: - # - path: "/data" + # - path: /data # - name: backup # accessMode: ReadWriteOnce # size: 20Gi # storageClass: block # globalMounts: - # - path: "/backup" + # - path: /backup initContainers: 01-init-${APPNAME}-admin-password: + image: *img command: - /bin/sh - -c - "[ -s /data/${APPNAME}.db ] || /sbin/${APPNAME}d recover_account -c /data/server.toml admin" - image: *img - imagePullPolicy: IfNotPresent - # TODO: add example PVC initContainer mounts to persistence/volumeClaimTemplates + securityContext: *sc + #resources: 01-init-db: image: repository: "ghcr.io/onedr0p/postgres-init" tag: "15.5@sha256:70b4c228f2e86de39008a35211c76c1ac6de1dcdf0e908ac09ede6a11e2344e2" - imagePullPolicy: IfNotPresent envFrom: [secretRef: { name: "${APPNAME}-pg-superuser" }] + securityContext: *sc + #resources: service: - main: + ${APPNAME}: + controller: ${APPNAME} ports: http: port: 8080 - ssh: - enabled: true + protocol: HTTP + appProtocol: http + expose: primary: false - controller: main + controller: ${APPNAME} type: LoadBalancer - externalTrafficPolicy: Cluster annotations: coredns.io/hostname: "${APP_DNS_APPNAME}" "io.cilium/lb-ipam-ips": "${APP_IP_APPNAME}" ports: http: - enabled: true port: 443 targetPort: 8443 protocol: HTTPS ldap-tcp: - enabled: true port: 636 targetPort: 3636 protocol: TCP ldap-udp: - enabled: true port: 636 targetPort: 3636 protocol: UDP ingress: main: - enabled: true - primary: true - className: "nginx-internal" + className: nginx-internal annotations: external-dns.alpha.kubernetes.io/target: "${DNS_CF}" external-dns.alpha.kubernetes.io/cloudflare-proxied: "true" - nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + nginx.ingress.kubernetes.io/backend-protocol: HTTPS # https://github.com/kubernetes/ingress-nginx/issues/6728 nginx.ingress.kubernetes.io/server-snippet: | 
proxy_ssl_name ${APP_DNS_APPNAME}; @@ -147,17 +153,21 @@ spec: - path: / pathType: Prefix service: - name: main + identifier: ${APPNAME} port: http tls: - hosts: [*host] tailscale: - enabled: true - primary: true - className: "tailscale" + primary: false + className: tailscale hosts: - host: &host "${APPNAME}.${DNS_TS}" - paths: *paths + paths: &paths + - path: / + pathType: Prefix + service: + name: frontend + port: http tls: - hosts: [*host] # dnsConfig: @@ -166,52 +176,43 @@ spec: # value: "1" persistence: config: - enabled: true type: configMap - name: "${APPNAME}-config" + name: ${APPNAME}-config advancedMounts: main: main: - - subPath: "server.toml" - path: "/data/server.toml" - readOnly: true + - subPath: server.toml + path: /data/server.toml data: - enabled: true - existingClaim: "${APPNAME}-data" + existingClaim: ${APPNAME}-data globalMounts: - - subPath: "data" - path: "/data" + - subPath: data + path: /data nfs: - enabled: true type: nfs server: "${IP_TRUENAS}" path: "${PATH_NAS_PERSIST_K8S}" - advancedMounts: - main: - main: - - subPath: "${APPNAME}" - path: "/nfs" + globalMounts: + - subPath: ${APPNAME} + path: /nfs tmp: - enabled: true type: emptyDir medium: Memory globalMounts: - - subPath: "tmp" - path: "/tmp" - readOnly: false + - subPath: tmp + path: /tmp tls: - enabled: true type: secret - name: "${APPNAME}-tls" + name: ${APPNAME}-tls defaultMode: 0400 advancedMounts: main: main: - - subPath: "tls.crt" - path: "/tls/fullchain.pem" + - subPath: tls.crt + path: /tls/fullchain.pem readOnly: true - - subPath: "tls.key" - path: "/tls/privkey.pem" + - subPath: tls.key + path: /tls/privkey.pem readOnly: true configMaps: config: 
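Review bot: The new `paths: &paths` block under the `tailscale` ingress (hunk at -147) points at `service: name: frontend`, while the `main` ingress in the same hunk was switched to `identifier: ${APPNAME}`. No service called `frontend` is defined in the visible parts of this template, so a copy of the template would render a tailscale ingress with a backend that does not resolve. I would use the same reference as the main ingress, `identifier: ${APPNAME}`, in place of `name: frontend`. If the `main` ingress above the hunk still defines `&paths`, this second definition silently overrides it for later aliases, so a distinct anchor name or a plain `*paths` alias would be clearer.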
@@ -236,17 +237,20 @@ spec: defaultPodOptions: automountServiceAccountToken: false enableServiceLinks: false + hostAliases: + - ip: "${APP_IP_AUTHENTIK}" + hostnames: ["${APP_DNS_AUTHENTIK}"] securityContext: runAsNonRoot: true runAsUser: &uid ${APP_UID_APPNAME} runAsGroup: *uid fsGroup: *uid - fsGroupChangePolicy: "Always" + fsGroupChangePolicy: Always seccompProfile: { type: "RuntimeDefault" } topologySpreadConstraints: - maxSkew: 1 - topologyKey: "kubernetes.io/hostname" - whenUnsatisfiable: "DoNotSchedule" + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: DoNotSchedule labelSelector: matchLabels: app.kubernetes.io/name: *app @@ -255,5 +259,13 @@ spec: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - - key: "fuckoff.home.arpa/${APPNAME}" - operator: "DoesNotExist" + - key: fuckoff.home.arpa/${APPNAME} + operator: DoesNotExist + networkpolicies: + same-ns: + controller: ${APPNAME} + podSelector: {} + policyTypes: [Ingress, Egress] + rules: + ingress: [from: [{podSelector: {}}]] + egress: [to: [{podSelector: {}}]]