feat(age): add sops age to new cluster

.sops.yaml

@@ -1,12 +1,12 @@
 ---
 creation_rules:
-  - path_regex: kubernetes/.*\.sops\.ya?ml
+  - path_regex: kubernetes/main/.*\.sops\.ya?ml
     encrypted_regex: "^(data|stringData)$"
     key_groups:
       - age:
-          - "age1nkvss2a8xvmjauvr5mxzm233hyh2mk2fg4s6pt0t0kcn03dv34wqtgymg8"
-          - "age1wxwqdrmkwkzsxajp58g0cgeextgf4wq287fv82pptv9yghkfgcqql66zhj"
-  - path_regex: ansible/.*\.sops\.ya?ml
-    key_groups:
-      - age:
-          - "age17ary36xtm566uptguuhsj7xmuqzyz06ce54tcf6p3mge2thphqfs3gln40"
+        - 'age17ary36xtm566uptguuhsj7xmuqzyz06ce54tcf6p3mge2thphqfs3gln40'
+  - path_regex: kubernetes/(raspberry|turing)/.*\.sops\.ya?ml
+    encrypted_regex: "^(data|stringData)$"
+    age: >-
+      age1nkvss2a8xvmjauvr5mxzm233hyh2mk2fg4s6pt0t0kcn03dv34wqtgymg8,
+      age1wxwqdrmkwkzsxajp58g0cgeextgf4wq287fv82pptv9yghkfgcqql66zhj

kubernetes/raspberry/flux-system/cluster-secrets.sops.yaml

@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: cluster-secrets
+    namespace: flux-system
+stringData:
+    SECRET_DOMAIN: ENC[AES256_GCM,data:yxxmAaiQIgNNKuTP,iv:ijCjY0DZPDt2u/gjMxQ91V+a3okd/7J5rmSNqaABawM=,tag:1cEBaYTiQMxF6sJd1dSpWw==,type:str]
+    SECRET_ACME_EMAIL: ENC[AES256_GCM,data:NROOEvv2p/BqnKG5OVYv,iv:tLsrO8xW4rTEdaHm9bE60w1+pVtlQkmh3nfkOa6TK4Y=,tag:cY3VDLexaCOqwBZ+7hbM6g==,type:str]
+    SECRET_CLOUDFLARE_TUNNEL_ID: ENC[AES256_GCM,data:n91Brd4fEXGq0JhoHOBOOj6EAoRkVqk4w1VoqM/JUHOO8hgN,iv:ssaWwZdr9efj5TBQ6XB8TVbpSABlXqDQMC0sp8k1eAk=,tag:hJMlfE/ZJ6opKUbx6I6SIQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1nkvss2a8xvmjauvr5mxzm233hyh2mk2fg4s6pt0t0kcn03dv34wqtgymg8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5UjVQcC9QMTFOV0pxSWRy
+            YzZPYVZvZGtwMUtXT2dGSW1MUUxXMnZyNHdJCmgxc3M1Z25ldmc0V3F2cG9DSHp5
+            ajkwblhIeVNHd01VMzZQeDhVRFdsL0EKLS0tIGsyTjFSQXBvdmJrODNGRjk2cXli
+            R0RacFZvLzBnUkhvUzJCMTZUd3M1bDQKmHqDRkTzwNVwwSqBdHJoDAZ0256fLMuF
+            Xnhyp3qLpz1RP6MylZnQwTmsZBVvQFi6gac7Yu7jEGEyJJQ384IqEQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1wxwqdrmkwkzsxajp58g0cgeextgf4wq287fv82pptv9yghkfgcqql66zhj
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2Uk1TZTV1N3l4SW5oYUZr
+            ckwrY0Y0M05JK2piSDV5R1dIb1BBamJqbHgwCmlrSVY4V3kwSTI0RVlSQWNwR2Mv
+            UjFKQUpneVZ6cDN5eURleG5Oa0N2WHcKLS0tIG5rNExDdHNYR3BoeDh6M2VOWEJU
+            Tys4alpFdlVHZVBqeEIxaHgyTXJrSlEKayFLG7MILTO8Dapjn90S0pvFYDmSvlPQ
+            hVPLuWEwNNNVSfuRLPkQi3spegTCeyos3k+e0OQmdU1h1+W8CON/6A==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-10-24T11:18:41Z"
+    mac: ENC[AES256_GCM,data:qh3OXT9opRkUqhy3xn2AVFSFz/B62VBOfppkr5mYxanOgFjz5RIqQlbBoSZTMq/0Dg1tc0oxxfv1seScatbROObdRSvDFbrDq82z8mKHVFxGm70bwEp1ZsZy2JUEyA6df3XPUuEivzcSvudivK1diBz89P0EpSvPpeb73LjHiaI=,iv:6wtwADYNqgZ98wb3Mu/PMeUQdFMmtUQIU7sZB07anPM=,tag:qaB403+Uk5IAsBigO4IJHA==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.9.1

kubernetes/raspberry/flux-system/github-deploy-key.sops.yaml

@@ -0,0 +1,37 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: github-deploy-key
+    namespace: flux-system
+stringData:
+    identity: ENC[AES256_GCM,data:IdcylpYFLEx6gzJYOXUX2PdUrhb75KqaTkUyKkZVwwHPdBDphMXatuVkL6LLyJKXgRGN5BwAn/v+3tNVCQpTBlX+2TJMTbPfnrICQ6IuXFCnADvlGBWxqm7PgrwT9RFzwDVEjhDMx8HvSFCDnASpfP3CqPzT5QjLaMhBA2e1/dQay0TscN2TVXzbHLV8qIoayM6vtQhshNmwY9TJEW1Vb51Jg9HbPSE5xov2brBFDQYZCSERW9ov2FI/jisTHaxTvsE9Ckf/12obE01m6CGMTv+vtMhHk26tk4fd2FTbTWC4PPQ4jQ25KararNe6STlbWV5AzeTDWXtF3b8SgY053wQmJjCMW8Kc8w8A2SqBQBYNs0ZiR+CsKIpDLhUNdijOvmLwVpf/bO3QHo39vX0JnGLQNH+sP/raVpXfMNGKusETYYe7PukP/W9Lbk8O9a5tls8ev8GaZMBp1ZGYxAnexeDd9DR3Pa6/jctCW2a4IXBJqOSaznpsdha67JmI9inw1T5ziSylOXwVKn6CacCO1/gQhgycVmZfgjGV,iv:iNb3RiKwQNtmZaTydA9Hwle42OMkHA8/17Qn6R1B4ik=,tag:mQBxGU+FHxcLzoyyuz/dIw==,type:str]
+    known_hosts: ENC[AES256_GCM,data:Gg9sIatOPh97GqutZ9B078KsHWgsdgOighWUeEFOCaHOnOTkh+iLd9iluiysoWqRCaMBZ2o3C/dYbm+ffMi4VxsKohEpzMGaktf2pQ8wJOABc6Wd3xMfziRPgkgiv+WC8FwN74HvpzXGdnpWLWnlCmEQxvYbHRijmaLzkHddE/Rn81+cqtOrWq75gAVTH10rhad/I+3pTM4hsndhdEXErT4DUYz5kcXJRQF0CC4VhQueDAmDlseyTQRo8zmAWXoXlfd3NbdmYhv1S1Jw1eIXLyicR+6IoJ9QJ6gaUtaJjdKKzqZXHIIKzCoWrXi7RP9QN75dM1jE6eJ42DAIUpV9JrRScQTiQ897L1+wuZ3AlyfAlSZ4L6BroDLxpM91z1ZpmTbUFR9x4Qshpc7SS50z0gwdeEWIh+b5eNPqmcJ+Ho8n83TsLKWMNcfQcgskC9hCnmCAtT7Zd4jUXFsonIEFtQi9u8lJDCoG8nhltJOZwL4F4I9qlj4Ue46EY7dLs7uP9ZaKifHqgYuT/6Sop0TppsgUn+7vbMlyfW8eXmZ+l8Law6EbJSD8A/kImaNdLG0ae6VpJuNmax398JnoU46GlAcd7OMgVJhKMoPeiFH1qNVWvoanmSWXYAN0dA6YLr6+v3BbnTVProYNMmwTD8NrNloU5VG5UoAVgvApX+733QauWvAnP26/tINvemdlLo36aIhHWnXbMOrb9pGvWLX9kOC03L3jMdPAu5YUp0+lED1Pwax9cD/WjuMpGxhUkrDESaOzQOOwYkyLcxbzViCU1t2rnrqF/ugOTwz5dogBGRZJw3ICVJV7lDGfRjSithmJfLvUW4a72AT5hOvwYMEDSr6wZf0iO9VM+R9yK7G1EIUx6mo/ThZYBSw+bx2xeuMfYsLl5jDTVSb7Nm2sFeH4BeJWT4U9Z5NTWRUYvVQfn1VAZtj2JBx0+OP0wPxJnDJQ1/fE2ss5b/kF0fSzmXZ0Xp/jqXRCsOPFU/pugZyftXdXsjJLDMryH91uwWkLyl2plM5elKVFqZ4klhhuSHbVwJA+8xtfhKQiVGKRqCs90DjF6PkUxVZDayvyJ59eV54jLg1rh8bMgxBZ18Wo,iv:m5OkxMR9uYjcavgJ3u81nqr2t42hdevS6Avrvm1i8Ao=,tag:jhqYJLmFUMffbxHYm/7ZtA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1nkvss2a8xvmjauvr5mxzm233hyh2mk2fg4s6pt0t0kcn03dv34wqtgymg8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhU0dGdUE5b2l3ZXlQUC9N
+            NGhlYzV1a0tzZXM3aEYrdU9hQzZCRVFHMnpBCmhUU2tSWVdWWHlDdmp6NjU2elRK
+            SXBQdkV2a25RajJXU2pDWkRPTlJ3QW8KLS0tIEJEYm52MWhSZlRjSjhUdHc3cWpG
+            Uzkyd1RuY1hNUGMrRUV1MDYrQXhLQ3cKPo4fcEdmsuXf9bU0c0JscC7zssRMneYw
+            e7C1XtQwaf5TKJr1bywU1a/M/WFmBTOXE5jBR4RYsjoc+AdX7PdFAw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1wxwqdrmkwkzsxajp58g0cgeextgf4wq287fv82pptv9yghkfgcqql66zhj
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6eWRXeVRjM0k1dnpYenZi
+            ZFg5aERUc2RrMUhZUjY1ZVlQeHhzWmtGYmtvCmMxM2Ixa1lIZnZ4NlE3QUNvRmZs
+            T3V0cUFKcmJxUXhZbjVIMnF3UVR6bEkKLS0tIHdjdGZwejlLNmxSQ3ppdVp3QndP
+            QmQ0cWtzUHZSVE5xak91R20rSkFmclkKPZMf4QhC2yRHcjZ+RLCNILWuqe1x3kzG
+            u5pUravwkV9SiHSayVZbdJlzRYMLv05L3+eEjto9eEOJtKm611Xu0Q==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-10-24T10:58:47Z"
+    mac: ENC[AES256_GCM,data:yAB00zb6rFGnatc+/K6Y/vy8ukNVgiK7Z7LFIKamOf97QtrhRdljnPCdtx1kAm1z6/Jxs1HQR6yha8ehJCxqeGo6iGCmhaAPPVgH/TxvAyIz7PIjnx0LRcva2wDXQ5+orHxklDsjXS1SM9L+8oG/vlS9Ls/+SS8OOPs0mmzYjck=,iv:OKqPrQz1KaPZMKGPAgzZpgBBeM7W1gsJbC00kZAePaM=,tag:SDQfn1sIdGjBXUXxhANlmg==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.9.1

kubernetes/raspberry/flux-system/gotk-sync.yaml

@@ -1,18 +1,19 @@
-# This manifest was generated by flux. DO NOT EDIT.
 ---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/refs/heads/main/gitrepository-source-v1.json
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: GitRepository
 metadata:
   name: flux-system
   namespace: flux-system
 spec:
-  interval: 1m0s
+  interval: 5m0s
   ref:
     branch: main
   secretRef:
-    name: flux-system
-  url: ssh://[email protected]/willianpaixao/homelab.git
+    name: github-deploy-key
+  url: ssh://[email protected]:22/willianpaixao/homelab.git
 ---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
@@ -25,3 +26,30 @@ spec:
   sourceRef:
     kind: GitRepository
     name: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
+  postBuild:
+    substituteFrom:
+      - kind: Secret
+        name: cluster-secrets
+  patches:
+    - patch: |-
+        apiVersion: kustomize.toolkit.fluxcd.io/v1
+        kind: Kustomization
+        metadata:
+          name: not-used
+        spec:
+          decryption:
+            provider: sops
+            secretRef:
+              name: sops-age
+          postBuild:
+            substituteFrom:
+              - kind: Secret
+                name: cluster-secrets
+      target:
+        group: kustomize.toolkit.fluxcd.io
+        kind: Kustomization
+        labelSelector: substitution.flux.home.arpa/disabled notin (true)

kubernetes/raspberry/flux-system/kustomization.yaml

@@ -1,5 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- gotk-components.yaml
-- gotk-sync.yaml
+  - cluster-secrets.sops.yaml
+  - github-deploy-key.sops.yaml
+  - gotk-components.yaml
+  - gotk-sync.yaml
+  - sops-age.sops.yaml

kubernetes/raspberry/flux-system/sops-age.sops.yaml

@@ -0,0 +1,37 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: sops-age
+    namespace: flux-system
+type: Opaque
+data:
+    age.agekey: ENC[AES256_GCM,data:4dlQlnQh950mu7SAX+mobGt8OWqB5s+sffCxG3BxMMIpsPgwWBQMEAnh0+BHtBIHZdMGMOl8rnmls6tZul9lOp90gx8qy8KCQ9kW7Iy3pzeeA8pHOwW7RhJaUuM2XBBw8TWOQrvVWnl8kau/FqvkEwU6qH33ZrAyHmS5SRzsf9uKE5OTPDjszFC3TM46XMPxaF7Rx0Jig8VYIPyz1SW1skr8mNkXyWsrP8rxvlP1l/KSnG0kxkYekipZxIh27q1hmGeFiQTYjkOcgsFk4jOKrS+ZZgd9s3vLgz/V6BYi0AY+SgodAUr9TdVVk+1mCZhnLt18trmPj0cu/3RL,iv:gfDivrS+MJ9hyHxlgyt51b0FnTpLn9K/naBWfLr28cg=,tag:Bw74hYCpKL62AY8kD+uk3w==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1nkvss2a8xvmjauvr5mxzm233hyh2mk2fg4s6pt0t0kcn03dv34wqtgymg8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwNmd0WnZxT0lYb2NVb284
+            cG83ekkyQW15L1RHQWxUWkd0Und3ZUozK0ZrClBEMHB3RmthYTAySUhXeWxvWTJP
+            cXkyNkFhRGhKV3JvOUZkUXFhTS9GWlkKLS0tIEU2TDNhbzMxVHpHcjd2Z2RtZEtF
+            UmRaZnNtck9HTkErSWR1VDVnUGIyZTQKMRzaAzRE6QcJZVMdLDQnuwpq6QWsSd8X
+            tnR7L2ec47EkWmShCUudqfpLM+HzYkXmBCjVZTyKaHFIvN91LneMeQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1wxwqdrmkwkzsxajp58g0cgeextgf4wq287fv82pptv9yghkfgcqql66zhj
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAybXZPdFlrOTdqSFhNZ3h6
+            L1BtVnRVSXE0YjZZSURUQzBCMWFKRTNaa1ZVCklvcXFzT2dVVFlzSFpVblp2aU4r
+            V2w2Slhja1RVcm05VkszN01kL3JMSFEKLS0tIEh0ckpLcjNmVnRLVG9uZjhnWXpB
+            WWZwK29XS1krV1V0SzRscDMwOFNQZlUK3IqcARti2jKt57rXeCmJHIs4XBOPwHbW
+            L65yBrvQyGNJ4ICMTMLYvqnduIA7ZOWPiF1JWj0m05Iyg7euYEr2JA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-10-24T11:07:08Z"
+    mac: ENC[AES256_GCM,data:fKQ8G2NP9hJuo1s3ZNQo3bADHxqU5CfRWWPsAfCAUMrwMSl6X1NoQKOm3FnXqxD24hgJbhGMTiC5xfQwbxYa4lFQkWBVP9CTZQupsgvHpBQqrBhf1bv0jpjoGciGoPKL91gxtG2vOoa6DT7yW1Egz00fqIRslqy+TLVoIsWYn2M=,iv:ozZ/cKuMYAUVqa2Nsibl8yGZuMSNTyM+vbGYCi1b9j8=,tag:iAnBpsc3sYbuCfI/x2Ms3Q==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.9.1

kubernetes/turing/flux-system/gotk-sync.yaml

@@ -1,12 +1,12 @@
-# This manifest was generated by flux. DO NOT EDIT.
 ---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/refs/heads/main/gitrepository-source-v1.json
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: GitRepository
 metadata:
   name: flux-system
   namespace: flux-system
 spec:
-  interval: 1m0s
+  interval: 5m0s
   ref:
     branch: main
   secretRef: