fixup! ♻️ migration externalsecrets

kubernetes/apps/default/authelia/app/config/configuration.yaml

@@ -1,15 +1,15 @@
 ---
 session:
-  redis:
+  # redis:
-    high_availability:
+  #   high_availability:
-      sentinel_name: redis-master
+  #     sentinel_name: redis-master
-      nodes:
+  #     nodes:
-        - host: redis-node-0.redis-headless.default.svc.cluster.local.
+  #       - host: redis-node-0.redis-headless.default.svc.cluster.local.
-          port: 26379
+  #         port: 26379
-        - host: redis-node-1.redis-headless.default.svc.cluster.local.
+  #       - host: redis-node-1.redis-headless.default.svc.cluster.local.
-          port: 26379
+  #         port: 26379
-        - host: redis-node-2.redis-headless.default.svc.cluster.local.
+  #       - host: redis-node-2.redis-headless.default.svc.cluster.local.
-          port: 26379
+  #         port: 26379
 
 access_control:
   ## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. It is the policy applied to any

kubernetes/apps/default/authelia/app/helmrelease.yaml

@@ -77,7 +77,7 @@ spec:
       AUTHELIA_SESSION_DOMAIN: ${SECRET_CLUSTER_DOMAIN}
       AUTHELIA_SESSION_NAME: authelia-home-ops
       AUTHELIA_SESSION_REDIS_DATABASE_INDEX: 14
-      AUTHELIA_SESSION_REDIS_HOST: redis.database.svc.cluster.local.
+      AUTHELIA_SESSION_REDIS_HOST: redis-master.default.svc.cluster.local.
       AUTHELIA_SESSION_REDIS_PORT: 6379
       AUTHELIA_STORAGE_POSTGRES_DATABASE: authelia
       AUTHELIA_STORAGE_POSTGRES_HOST: ${POSTGRES_HOST}

kubernetes/apps/default/ghostfolio/app/helmrelease.yaml

@@ -43,7 +43,7 @@ spec:
       tag: 1.288.0
     env:
       NODE_ENV: production
-      REDIS_HOST: redis-headless.default.svc.cluster.local
+      REDIS_HOST: redis-master.default.svc.cluster.local
       REDIS_PORT: 6379
     envFrom: *envFrom
     service:

kubernetes/apps/default/lychee/app/helmrelease.yaml

@@ -44,7 +44,7 @@ spec:
       TIMEZONE: ${TIMEZONE}
       APP_NAME: Lychee
       DB_CONNECTION: pgsql
-      REDIS_HOST: redis.default.svc.cluster.local.
+      REDIS_HOST: redis-master.default.svc.cluster.local.
       REDIS_PORT: 6379
     envFrom:
       - secretRef:

kubernetes/apps/default/nitter/app/config/config.yml

@@ -10,7 +10,7 @@ hostname = "nitter.${SECRET_CLUSTER_DOMAIN}"
 [Cache]
 listMinutes = 240  # how long to cache list info (not the tweets, so keep it high)
 rssMinutes = 10  # how long to cache rss queries
-redisHost = "redis.default.svc.cluster.local."  # Change to "nitter-redis" if using docker-compose
+redisHost = "redis-master.default.svc.cluster.local."  # Change to "nitter-redis" if using docker-compose
 redisPort = 6379
 redisPassword = ""
 redisConnections = 20  # connection pool size

kubernetes/apps/default/paperless/app/externalsecret.yaml

@@ -16,8 +16,8 @@ spec:
       engineVersion: v2
       data:
         # App
-        PAPERLESS_ADMIN_USER: "{{ .USERNAME }}"
+        PAPERLESS_ADMIN_USER: "{{ .PAPERLESS_ADMIN_USER }}"
-        PAPERLESS_ADMIN_PASSWORD: "{{ .PASSWORD }}"
+        PAPERLESS_ADMIN_PASSWORD: "{{ .PAPERLESS_ADMIN_PASSWORD }}"
         PAPERLESS_SECRET_KEY: "{{ .PAPERLESS_SECRET_KEY }}"
         PAPERLESS_DBUSER: &dbUser "{{ .POSTGRES_USER }}"
         PAPERLESS_DBPASS: &dbPass "{{ .POSTGRES_PASS }}"

kubernetes/apps/default/paperless/app/helmrelease.yaml

@@ -33,7 +33,7 @@ spec:
         imagePullPolicy: IfNotPresent
         envFrom: &envFrom
           - secretRef:
-              name: &secret outline-secret
+              name: &secret paperless-secret
     image:
       repository: ghcr.io/paperless-ngx/paperless-ngx
       tag: 1.16.5
@@ -48,7 +48,7 @@ spec:
       PAPERLESS_OCR_LANGUAGE: fra
       PAPERLESS_PORT: 8000
       PAPERLESS_DBNAME: paperless
-      PAPERLESS_REDIS: redis://paperless-redis.default.svc.cluster.local:6379
+      PAPERLESS_REDIS: redis://redis-master.default.svc.cluster.local:6379
       PAPERLESS_TASK_WORKERS: 2
       PAPERLESS_TIME_ZONE: "Europe/Paris"
       PAPERLESS_URL: https://paperless.${SECRET_CLUSTER_DOMAIN}

kubernetes/apps/default/paperless/app/kustomization.yaml

@@ -6,4 +6,3 @@ namespace: default
 resources:
   - ./externalsecret.yaml
   - ./helmrelease.yaml
-  - ./redis

kubernetes/apps/default/paperless/app/redis/helmrelease.yaml

@@ -1,38 +0,0 @@
----
-# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helm.toolkit.fluxcd.io/helmrelease_v2beta1.json
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
-kind: HelmRelease
-metadata:
-  name: &app paperless-redis
-  namespace: default
-spec:
-  interval: 15m
-  chart:
-    spec:
-      chart: app-template
-      version: 1.5.1
-      sourceRef:
-        kind: HelmRepository
-        name: bjw-s
-        namespace: flux-system
-  install:
-    createNamespace: true
-    remediation:
-      retries: 3
-  upgrade:
-    remediation:
-      retries: 3
-  values:
-    global:
-      nameOverride: *app
-    image:
-      repository: docker.io/library/redis
-      tag: 7.0.12
-    service:
-      main:
-        ports:
-          http:
-            enabled: false
-          redis:
-            enabled: true
-            port: 6379

kubernetes/apps/default/paperless/app/redis/kustomization.yaml

@@ -1,7 +0,0 @@
----
-# yaml-language-server: $schema=https://json.schemastore.org/kustomization
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: default
-resources:
-  - ./helmrelease.yaml

kubernetes/apps/default/pgadmin/app/backups/kustomization.yaml

@@ -1,7 +0,0 @@
----
-# yaml-language-server: $schema=https://json.schemastore.org/kustomization
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - ./replicationsource.yaml
-  - ./restic.sops.yaml

kubernetes/apps/default/pgadmin/app/backups/replicationsource.yaml

@@ -1,25 +0,0 @@
----
-# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/replicationsource_v1alpha1.json
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
-  name: pgadmin
-  namespace: default
-spec:
-  sourcePVC: pgadmin-config
-  trigger:
-    schedule: "0 0 * * *"
-  restic:
-    copyMethod: Snapshot
-    pruneIntervalDays: 10
-    repository: pgadmin-restic
-    cacheCapacity: 2Gi
-    volumeSnapshotClassName: csi-ceph-blockpool
-    storageClassName: rook-ceph-block
-    moverSecurityContext:
-      runAsUser: 5050
-      runAsGroup: 0
-      fsGroup: 0
-    retain:
-      daily: 10
-      within: 3d

kubernetes/apps/default/pgadmin/app/backups/restic.sops.yaml

@@ -1,34 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-    name: pgadmin-restic
-type: Opaque
-stringData:
-    #ENC[AES256_GCM,data:WTM0Lkqp+sxjbUgkNzAVZQnC5g==,iv:4y8R8GpLy2Ogh3Lt3v6ibVbJF7jy8K1BOGi+ONt7S5c=,tag:wRhEBfRNHp0PBvIjM60iSA==,type:comment]
-    RESTIC_REPOSITORY: ENC[AES256_GCM,data:qryOEQuCawQ2v33QSxpTdhcuHoGh2ruI1wvMYn/En8K3FcoZaKMv7v6oXCgNPgbWgJDTYJfYfK5v,iv:8Eh981HkHI1igvBSd5M6GFjRVYfbqU8lHnabyTOF67Y=,tag:Nqs2IAcPtperhP+t5u+cJw==,type:str]
-    #ENC[AES256_GCM,data:cRvGVeuDnEbJs01G+Und5ls1EgaC9Q2vj61IE/2R,iv:qSjv4bGEX9QWABhXgnCJsoj0p1kjgYaQwQX0Oyu9RHk=,tag:x8i1WXbAvdpC+Iv8pn/drw==,type:comment]
-    RESTIC_PASSWORD: ENC[AES256_GCM,data:6VI/lJQFZg6hu5r0SqNAKQAQGYY=,iv:UYRMnkHB4jsXcV1tyLDTAqh6dxsd18hYWsDoSpjJarA=,tag:d6hgK6LSgu7vZbLfquKcyA==,type:str]
-    #ENC[AES256_GCM,data:YIIHR5DwXv3YE9fFvNSAfrm47ZsshZMcY31LbaJ4gwXo0yOOHe6qDEc=,iv:axSMsvrIOkJFlErvw9fcAwLNSEWDh6mUU6dWZu6icIo=,tag:MDNlk43vcI9S4o6tMiWVmw==,type:comment]
-    #ENC[AES256_GCM,data:8Wspw6gPIPBsumfRS/5dlZrAQQqBJEDMgcpip4a3HCfHq8SeVDv4Gl0j3hyZqUsP5af8nN69Y/9bas7z1hnIERkrb8DqYg==,iv:WqCz9vBfg1JxUEpd97J37YztSW3HkcOHa6nIJI4VK8I=,tag:+LxnOzGidF39ojPKSOrVsg==,type:comment]
-    AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:I9vuuPEGS6A135zwKUNXvSIAjwk=,iv:dByy2WuuhO6OluWXYRwkdMutK33yKwOcWkR9hvY5bsg=,tag:xHU7Hbx+sxuZ9CRymA55JQ==,type:str]
-    AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kRdbENGS1F32JzkvktYkbfhMGBSrUpFSfyCdIpJwLOc+/2TyHAMrxA==,iv:Q+UKNT9aRo+A0KWu/FiST/4bOQKTOBJKHhpP8JXD3ao=,tag:7VE8lx2QAdNutcUj5kMNNA==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RE9wTDZVRlExcnVKYjVZ
-            THNtblNXbGlSUitoS0FYV2k3dlg3aWZEMWxjCmZETUFGSnR0c3JZU2FHNnFneHdB
-            TEdlYjJTcjNsSDQ0dmgvNWlnNWo4TWMKLS0tIGR2Q25heThUUGliY0ZicDNra1FN
-            dGppaVJiME1FQnkzdVJOeTZMcjhYWE0KBrGQAYun1Zs3oyHWQ8iGvmF4hheP3md4
-            3/Lc9CqEC+V1lT9On8ivEBethjt528vCyVMM5pLMRBEO6CMjlNhJ+g==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-12-28T16:07:48Z"
-    mac: ENC[AES256_GCM,data:IgxbLSa14K4zKdl/+xNxkubLynB2+BcAdwU9GeLby5F/hwEHlfychYYJoP+tx7tXC0xSA+m1HvA7H3LKY4pY8rpdkBBFbBrP/10rxhs3etoXkNhn+KmkMgECbiIhk8z1CWj+8H60vQJZfIogDr850Fk5cff3oOELObEHwKF1gfU=,iv:kaZ1uNoiDWrgq7IBnBhMzo8vRDTmVkMYn1CaipE7Gb0=,tag:QZzim5SMJPxonXw7X3sATQ==,type:str]
-    pgp: []
-    encrypted_regex: ^(data|stringData)$
-    version: 3.7.3

kubernetes/apps/default/pgadmin/app/externalsecret.yaml

@@ -0,0 +1,25 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: pgadmin
+  namespace: default
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-connect
+  target:
+    name: pgadmin-secret
+    creationPolicy: Owner
+    template:
+      engineVersion: v2
+      data:
+        # App
+        PGADMIN_DEFAULT_EMAIL: pgadmin@xpander.eml.cc
+        PGADMIN_DEFAULT_PASSWORD: X9VCaWrsCr9PoF
+  dataFrom:
+    - extract:
+        key: cloudnative-pg
+    - extract:
+        key: pgadmin

kubernetes/apps/default/pgadmin/app/helmrelease.yaml

@@ -34,7 +34,7 @@ spec:
       PGADMIN_CONFIG_ENHANCED_COOKIE_PROTECTION: "False"
     envFrom:
       - secretRef:
-          name: *app
+          name: pgadmin-secret
     initContainers:
       volume-permissions:
         image: dpage/pgadmin4:7.4

kubernetes/apps/default/pgadmin/app/kustomization.yaml

@@ -4,7 +4,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: default
 resources:
-  - ./backups
+  - ./externalsecret.yaml
   - ./helmrelease.yaml
-  - ./secret.sops.yaml
+  - ./volsync.yaml
   - ./volume.yaml

kubernetes/apps/default/pgadmin/app/secret.sops.yaml

@@ -1,30 +0,0 @@
-# yamllint disable
-apiVersion: v1
-kind: Secret
-metadata:
-    name: pgadmin
-    namespace: default
-type: Opaque
-stringData:
-    PGADMIN_DEFAULT_EMAIL: ENC[AES256_GCM,data:Wd9Qcm7AmuvGHWyfe277NnCDaRiKQw==,iv:rP1B90nsQs5s0OAGvTAW9X99fprpTMa9Y1COgtrcPOI=,tag:odhJmt+W6yoXfEhYPj0Rcw==,type:str]
-    PGADMIN_DEFAULT_PASSWORD: ENC[AES256_GCM,data:SWUqh0QUjYWjCruuZPQ=,iv:F1rwMkkHu2lgFDlUK5ZPtvY4KWh9kF8S5B0VnsiBUoE=,tag:Haa3c8UsJpQDsYG9hWWj/Q==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJaU16anJNV2pBZmxPR3h2
-            bWREUnpjcTFvd05ZQ2E4VVBDdm1FL2k4WEYwCkdQSStTNWtpdjNkUW51WS9MekdC
-            VkpTUUFjSjY2a1JMOUtqOVh5M0JRR2sKLS0tIDRmcWpJSEVvaUp4U1lsaTZYZGNw
-            OGVKWU0zNUZJSFh4aFJxQWFsYm1VeFkKaDeI/hl7z0Qh8t5W39Kxu9ert1dt4xo+
-            LX+MjpVqxiZNcfwROD4bkWeQSN+VsxoGOOyj4L15BlggNnlg+L7Hww==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-09-17T07:32:43Z"
-    mac: ENC[AES256_GCM,data:iWV6sSItfSAGEjpEytnA/33bkseU+rguCuF3OG7ZAnECFgfLOkTqu4prATJwSKnowom+BcjjqbFMNuS3dQ5l+IIrOVkftpjJEXT0L2/5iry7NBePgqraqOvxSMJ9roxk+yHI1GOWo0UEKehYhLxoCe3g32YqTB4ASflKWJU5bzU=,iv:apZ2IbkwLG4Pppu1tvlXAWmsCZLKwbgRh/QBru4kUBI=,tag:hR5dIbKT3IZcQSCOToWFsw==,type:str]
-    pgp: []
-    encrypted_regex: ^(data|stringData)$
-    version: 3.7.3

kubernetes/apps/default/pgadmin/app/volsync.yaml

@@ -0,0 +1,49 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: pgadmin-restic
+  namespace: default
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-connect
+  target:
+    name: pgadmin-restic-secret
+    creationPolicy: Owner
+    template:
+      engineVersion: v2
+      data:
+        RESTIC_REPOSITORY: '{{ .REPOSITORY_TEMPLATE }}/pgadmin'
+        RESTIC_PASSWORD: '{{ .RESTIC_PASSWORD }}'
+        AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}'
+        AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}'
+  dataFrom:
+    - extract:
+        key: volsync-restic-template
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/volsync.backube/replicationsource_v1alpha1.json
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+  name: pgadmin
+  namespace: default
+spec:
+  sourcePVC: pgadmin-config
+  trigger:
+    schedule: "0 7 * * *"
+  restic:
+    copyMethod: Snapshot
+    pruneIntervalDays: 7
+    repository: pgadmin-restic-secret
+    cacheCapacity: 10Gi
+    volumeSnapshotClassName: csi-ceph-blockpool
+    storageClassName: rook-ceph-block
+    moverSecurityContext:
+      runAsUser: 568
+      runAsGroup: 568
+      fsGroup: 568
+    retain:
+      daily: 7
+      within: 3d

kubernetes/apps/default/pgadmin/ks.yaml

@@ -15,6 +15,7 @@ spec:
     name: home-ops-kubernetes
   dependsOn:
     - name: cluster-apps-rook-ceph-cluster
+    - name: cluster-apps-external-secrets-stores
     - name: cluster-apps-volsync-app
   healthChecks:
     - apiVersion: helm.toolkit.fluxcd.io/v2beta1

kubernetes/apps/default/prowlarr/app/backups/kustomization.yaml

@@ -1,7 +0,0 @@
----
-# yaml-language-server: $schema=https://json.schemastore.org/kustomization
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - ./replicationsource.yaml
-  - ./restic.sops.yaml

kubernetes/apps/default/prowlarr/app/backups/replicationsource.yaml

@@ -1,25 +0,0 @@
----
-# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/replicationsource_v1alpha1.json
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
-  name: prowlarr
-  namespace: default
-spec:
-  sourcePVC: prowlarr-config
-  trigger:
-    schedule: "0 0 * * *"
-  restic:
-    copyMethod: Snapshot
-    pruneIntervalDays: 10
-    repository: prowlarr-restic
-    cacheCapacity: 2Gi
-    volumeSnapshotClassName: csi-ceph-blockpool
-    storageClassName: rook-ceph-block
-    moverSecurityContext:
-      runAsUser: 568
-      runAsGroup: 568
-      fsGroup: 568
-    retain:
-      daily: 10
-      within: 3d

kubernetes/apps/default/prowlarr/app/backups/restic.sops.yaml

@@ -1,35 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-    name: prowlarr-restic
-    namespace: default
-type: Opaque
-stringData:
-    #ENC[AES256_GCM,data:WTM0Lkqp+sxjbUgkNzAVZQnC5g==,iv:4y8R8GpLy2Ogh3Lt3v6ibVbJF7jy8K1BOGi+ONt7S5c=,tag:wRhEBfRNHp0PBvIjM60iSA==,type:comment]
-    RESTIC_REPOSITORY: ENC[AES256_GCM,data:zMuiIhvBSTPAzRgFb+vkJH9oKcqDWhm/HDmyOZw90u9Jyk/x1ECBUjYZV92L1n45FFgad+Ar5itA3A==,iv:8xMm1z4MOeShBffaX3D4/DmTkiQVUXhfJ2vtmGrN47s=,tag:1VaRnhpsc6lRVf7seUcTxQ==,type:str]
-    #ENC[AES256_GCM,data:cRvGVeuDnEbJs01G+Und5ls1EgaC9Q2vj61IE/2R,iv:qSjv4bGEX9QWABhXgnCJsoj0p1kjgYaQwQX0Oyu9RHk=,tag:x8i1WXbAvdpC+Iv8pn/drw==,type:comment]
-    RESTIC_PASSWORD: ENC[AES256_GCM,data:6VI/lJQFZg6hu5r0SqNAKQAQGYY=,iv:UYRMnkHB4jsXcV1tyLDTAqh6dxsd18hYWsDoSpjJarA=,tag:d6hgK6LSgu7vZbLfquKcyA==,type:str]
-    #ENC[AES256_GCM,data:YIIHR5DwXv3YE9fFvNSAfrm47ZsshZMcY31LbaJ4gwXo0yOOHe6qDEc=,iv:axSMsvrIOkJFlErvw9fcAwLNSEWDh6mUU6dWZu6icIo=,tag:MDNlk43vcI9S4o6tMiWVmw==,type:comment]
-    #ENC[AES256_GCM,data:8Wspw6gPIPBsumfRS/5dlZrAQQqBJEDMgcpip4a3HCfHq8SeVDv4Gl0j3hyZqUsP5af8nN69Y/9bas7z1hnIERkrb8DqYg==,iv:WqCz9vBfg1JxUEpd97J37YztSW3HkcOHa6nIJI4VK8I=,tag:+LxnOzGidF39ojPKSOrVsg==,type:comment]
-    AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:I9vuuPEGS6A135zwKUNXvSIAjwk=,iv:dByy2WuuhO6OluWXYRwkdMutK33yKwOcWkR9hvY5bsg=,tag:xHU7Hbx+sxuZ9CRymA55JQ==,type:str]
-    AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kRdbENGS1F32JzkvktYkbfhMGBSrUpFSfyCdIpJwLOc+/2TyHAMrxA==,iv:Q+UKNT9aRo+A0KWu/FiST/4bOQKTOBJKHhpP8JXD3ao=,tag:7VE8lx2QAdNutcUj5kMNNA==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RE9wTDZVRlExcnVKYjVZ
-            THNtblNXbGlSUitoS0FYV2k3dlg3aWZEMWxjCmZETUFGSnR0c3JZU2FHNnFneHdB
-            TEdlYjJTcjNsSDQ0dmgvNWlnNWo4TWMKLS0tIGR2Q25heThUUGliY0ZicDNra1FN
-            dGppaVJiME1FQnkzdVJOeTZMcjhYWE0KBrGQAYun1Zs3oyHWQ8iGvmF4hheP3md4
-            3/Lc9CqEC+V1lT9On8ivEBethjt528vCyVMM5pLMRBEO6CMjlNhJ+g==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-12-28T15:43:42Z"
-    mac: ENC[AES256_GCM,data:RJagSpJ1MfpGmDgIjMyAwinS76tekbRu1OO8AXVWjAnVkV5qYuxaXZv1q2tIkPmx6whTqaywsewEwUQuatuh6cfP0u2Owtf5iSd6kPEnRSNsHt/1Eyy/mZWrFO5F9N644u4ZGKqt3/uYofrMPlWdGb5iDSS5gCu6Pkp/PiQGpdY=,iv:d7n+V0Cc5RngOo1s8bpbHzm++2iMfWqvXma+z2DjarY=,tag:0oVwIAaapVTMn8TFlNXCvQ==,type:str]
-    pgp: []
-    encrypted_regex: ^(data|stringData)$
-    version: 3.7.3

kubernetes/apps/default/prowlarr/app/externalsecret.yaml

@@ -0,0 +1,18 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: prowlarr
+  namespace: default
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-connect
+  target:
+    name: prowlarr-secret
+    creationPolicy: Owner
+  dataFrom:
+    - extract:
+        # PROWLARR__API_KEY
+        key: prowlarr

kubernetes/apps/default/prowlarr/app/helmrelease.yaml

@@ -6,7 +6,7 @@ metadata:
   name: &app prowlarr
   namespace: default
 spec:
-  interval: 15m
+  interval: 30m
   chart:
     spec:
       chart: app-template
@@ -15,7 +15,7 @@ spec:
         kind: HelmRepository
         name: bjw-s
         namespace: flux-system
-  maxHistory: 3
+  maxHistory: 2
   install:
     createNamespace: true
     remediation:
@@ -37,7 +37,7 @@ spec:
       PROWLARR__LOG_LEVEL: info
     envFrom:
       - secretRef:
-          name: *app
+          name: prowlarr-secret
     service:
       main:
         ports:

kubernetes/apps/default/prowlarr/app/kustomization.yaml

@@ -4,7 +4,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: default
 resources:
-  - ./backups
+  - ./externalsecret.yaml
   - ./helmrelease.yaml
-  - ./secret.sops.yaml
+  - ./volsync.yaml
   - ./volume.yaml

kubernetes/apps/default/prowlarr/app/secret.sops.yaml

@@ -1,29 +0,0 @@
-# yamllint disable
-apiVersion: v1
-kind: Secret
-metadata:
-    name: prowlarr
-    namespace: default
-type: Opaque
-stringData:
-    PROWLARR__API_KEY: ENC[AES256_GCM,data:6/3B+g9AJAUGfsMW1AUVtqaoVf5h3QYfzT3sxSw2eNU=,iv:/Zy/DImNcALRqNpC+A1/9SzXMOQBUfMIS6AfpITluqQ=,tag:nDfX44CMACwX1DNHoGzSIQ==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJaU16anJNV2pBZmxPR3h2
-            bWREUnpjcTFvd05ZQ2E4VVBDdm1FL2k4WEYwCkdQSStTNWtpdjNkUW51WS9MekdC
-            VkpTUUFjSjY2a1JMOUtqOVh5M0JRR2sKLS0tIDRmcWpJSEVvaUp4U1lsaTZYZGNw
-            OGVKWU0zNUZJSFh4aFJxQWFsYm1VeFkKaDeI/hl7z0Qh8t5W39Kxu9ert1dt4xo+
-            LX+MjpVqxiZNcfwROD4bkWeQSN+VsxoGOOyj4L15BlggNnlg+L7Hww==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-12-28T15:42:44Z"
-    mac: ENC[AES256_GCM,data:hr3DFNBsVq0evyvpIDz9NXOqX48pLhTI+dCbJ9mIGoEeTxdNtJk1RsSrZIF6+wEZcYfryKY5Pdx8RMXyoGklCfrd5gIFmmwip+Z2IqvuXb0OsvvShtfgBzmefS+gUJmuIT0PSs6SjFxJsGUrFAd4R+KGlg4L++sW3TcZ18UEQR4=,iv:zTzHCXD+5JxQzovryzBueqgiNef/yf+Eb6pB9I7cH5I=,tag:iXneOonTSlJsDjycK6z68A==,type:str]
-    pgp: []
-    encrypted_regex: ^(data|stringData)$
-    version: 3.7.3

kubernetes/apps/default/prowlarr/app/volsync.yaml

@@ -0,0 +1,49 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: prowlarr-restic
+  namespace: default
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-connect
+  target:
+    name: prowlarr-restic-secret
+    creationPolicy: Owner
+    template:
+      engineVersion: v2
+      data:
+        RESTIC_REPOSITORY: '{{ .REPOSITORY_TEMPLATE }}/prowlarr'
+        RESTIC_PASSWORD: '{{ .RESTIC_PASSWORD }}'
+        AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}'
+        AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}'
+  dataFrom:
+    - extract:
+        key: volsync-restic-template
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/volsync.backube/replicationsource_v1alpha1.json
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+  name: prowlarr
+  namespace: default
+spec:
+  sourcePVC: prowlarr-config
+  trigger:
+    schedule: "0 7 * * *"
+  restic:
+    copyMethod: Snapshot
+    pruneIntervalDays: 7
+    repository: prowlarr-restic-secret
+    cacheCapacity: 2Gi
+    volumeSnapshotClassName: csi-ceph-blockpool
+    storageClassName: rook-ceph-block
+    moverSecurityContext:
+      runAsUser: 568
+      runAsGroup: 568
+      fsGroup: 568
+    retain:
+      daily: 7
+      within: 3d

kubernetes/apps/default/prowlarr/ks.yaml

@@ -9,6 +9,7 @@ metadata:
     substitution.flux.home.arpa/enabled: "true"
 spec:
   dependsOn:
+    - name: cluster-apps-external-secrets-stores
     - name: cluster-apps-rook-ceph-cluster
     - name: cluster-apps-volsync-app
   path: ./kubernetes/apps/default/prowlarr/app

kubernetes/apps/default/pyload/app/backups/kustomization.yaml

@@ -1,7 +0,0 @@
----
-# yaml-language-server: $schema=https://json.schemastore.org/kustomization
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - ./replicationsource.yaml
-  - ./restic.sops.yaml

kubernetes/apps/default/pyload/app/backups/replicationsource.yaml

@@ -1,25 +0,0 @@
----
-# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/replicationsource_v1alpha1.json
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
-  name: pyload
-  namespace: default
-spec:
-  sourcePVC: pyload-config
-  trigger:
-    schedule: "0 0 * * *"
-  restic:
-    copyMethod: Snapshot
-    pruneIntervalDays: 10
-    repository: pyload-restic
-    cacheCapacity: 2Gi
-    volumeSnapshotClassName: csi-ceph-blockpool
-    storageClassName: rook-ceph-block
-    moverSecurityContext:
-      runAsUser: 568
-      runAsGroup: 568
-      fsGroup: 568
-    retain:
-      daily: 10
-      within: 3d

kubernetes/apps/default/pyload/app/backups/restic.sops.yaml

@@ -1,35 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-    name: pyload-restic
-    namespace: default
-type: Opaque
-stringData:
-    #ENC[AES256_GCM,data:WTM0Lkqp+sxjbUgkNzAVZQnC5g==,iv:4y8R8GpLy2Ogh3Lt3v6ibVbJF7jy8K1BOGi+ONt7S5c=,tag:wRhEBfRNHp0PBvIjM60iSA==,type:comment]
-    RESTIC_REPOSITORY: ENC[AES256_GCM,data:66YmP6yktbN5r4eToOnNylKG0vCriq3u7Q1q93xAPb7sp19x4CptSVGXY5DjY1/i1t9ozHC1LCE=,iv:4D7U693SKgtTpwOxgzEKmureeP+0AQUKdpycFApe4xo=,tag:ZJq5MZjqeMxA3yqftRFLlg==,type:str]
-    #ENC[AES256_GCM,data:cRvGVeuDnEbJs01G+Und5ls1EgaC9Q2vj61IE/2R,iv:qSjv4bGEX9QWABhXgnCJsoj0p1kjgYaQwQX0Oyu9RHk=,tag:x8i1WXbAvdpC+Iv8pn/drw==,type:comment]
-    RESTIC_PASSWORD: ENC[AES256_GCM,data:6VI/lJQFZg6hu5r0SqNAKQAQGYY=,iv:UYRMnkHB4jsXcV1tyLDTAqh6dxsd18hYWsDoSpjJarA=,tag:d6hgK6LSgu7vZbLfquKcyA==,type:str]
-    #ENC[AES256_GCM,data:YIIHR5DwXv3YE9fFvNSAfrm47ZsshZMcY31LbaJ4gwXo0yOOHe6qDEc=,iv:axSMsvrIOkJFlErvw9fcAwLNSEWDh6mUU6dWZu6icIo=,tag:MDNlk43vcI9S4o6tMiWVmw==,type:comment]
-    #ENC[AES256_GCM,data:8Wspw6gPIPBsumfRS/5dlZrAQQqBJEDMgcpip4a3HCfHq8SeVDv4Gl0j3hyZqUsP5af8nN69Y/9bas7z1hnIERkrb8DqYg==,iv:WqCz9vBfg1JxUEpd97J37YztSW3HkcOHa6nIJI4VK8I=,tag:+LxnOzGidF39ojPKSOrVsg==,type:comment]
-    AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:I9vuuPEGS6A135zwKUNXvSIAjwk=,iv:dByy2WuuhO6OluWXYRwkdMutK33yKwOcWkR9hvY5bsg=,tag:xHU7Hbx+sxuZ9CRymA55JQ==,type:str]
-    AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kRdbENGS1F32JzkvktYkbfhMGBSrUpFSfyCdIpJwLOc+/2TyHAMrxA==,iv:Q+UKNT9aRo+A0KWu/FiST/4bOQKTOBJKHhpP8JXD3ao=,tag:7VE8lx2QAdNutcUj5kMNNA==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RE9wTDZVRlExcnVKYjVZ
-            THNtblNXbGlSUitoS0FYV2k3dlg3aWZEMWxjCmZETUFGSnR0c3JZU2FHNnFneHdB
-            TEdlYjJTcjNsSDQ0dmgvNWlnNWo4TWMKLS0tIGR2Q25heThUUGliY0ZicDNra1FN
-            dGppaVJiME1FQnkzdVJOeTZMcjhYWE0KBrGQAYun1Zs3oyHWQ8iGvmF4hheP3md4
-            3/Lc9CqEC+V1lT9On8ivEBethjt528vCyVMM5pLMRBEO6CMjlNhJ+g==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-12-28T08:24:18Z"
-    mac: ENC[AES256_GCM,data:GbJlDb+SkHtJoVFrb/reEfI8GdRIpYSJxK5P3qZ2OAAdSqMs6P94czKPrdGVBZnOZZaZX3OUJlumbiZV4zZlnSztd04ayDEUU5pCP2r8ODMNa/fpTOnZr8a++GVgYsk84JR3R1XEWHnfCqspZENC+spSVvbIO1zu/FlLm4bj/Og=,iv:8CVcYPkssvedzgAtO/6vNspyPjBfvMnGO3n7fNhsayo=,tag:BkCiGbMys+Jfny7SC39mlg==,type:str]
-    pgp: []
-    encrypted_regex: ^(data|stringData)$
-    version: 3.7.3

kubernetes/apps/default/pyload/app/helmrelease.yaml

@@ -6,7 +6,7 @@ metadata:
   name: &app pyload
   namespace: default
 spec:
-  interval: 15m
+  interval: 30m
   chart:
     spec:
       chart: app-template
@@ -15,7 +15,7 @@ spec:
         kind: HelmRepository
         name: bjw-s
         namespace: flux-system
-  maxHistory: 3
+  maxHistory: 2
   install:
     createNamespace: true
     remediation:

kubernetes/apps/default/pyload/app/kustomization.yaml

@@ -4,6 +4,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: default
 resources:
-  - ./backups
   - ./helmrelease.yaml
+  - ./volsync.yaml
   - ./volume.yaml

kubernetes/apps/default/pyload/app/volsync.yaml

@@ -0,0 +1,49 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: pyload-restic
+  namespace: default
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-connect
+  target:
+    name: pyload-restic-secret
+    creationPolicy: Owner
+    template:
+      engineVersion: v2
+      data:
+        RESTIC_REPOSITORY: '{{ .REPOSITORY_TEMPLATE }}/pyload'
+        RESTIC_PASSWORD: '{{ .RESTIC_PASSWORD }}'
+        AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}'
+        AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}'
+  dataFrom:
+    - extract:
+        key: volsync-restic-template
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/volsync.backube/replicationsource_v1alpha1.json
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+  name: pyload
+  namespace: default
+spec:
+  sourcePVC: pyload-config
+  trigger:
+    schedule: "0 7 * * *"
+  restic:
+    copyMethod: Snapshot
+    pruneIntervalDays: 7
+    repository: pyload-restic-secret
+    cacheCapacity: 2Gi
+    volumeSnapshotClassName: csi-ceph-blockpool
+    storageClassName: rook-ceph-block
+    moverSecurityContext:
+      runAsUser: 568
+      runAsGroup: 568
+      fsGroup: 568
+    retain:
+      daily: 7
+      within: 3d

kubernetes/apps/default/pyload/ks.yaml

@@ -9,6 +9,7 @@ metadata:
     substitution.flux.home.arpa/enabled: "true"
 spec:
   dependsOn:
+    - name: cluster-apps-external-secrets-stores
     - name: cluster-apps-rook-ceph-cluster
     - name: cluster-apps-volsync-app
   path: ./kubernetes/apps/default/pyload/app

kubernetes/apps/default/qbittorrent/app/backups/kustomization.yaml

@@ -1,7 +0,0 @@
----
-# yaml-language-server: $schema=https://json.schemastore.org/kustomization
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - ./replicationsource.yaml
-  - ./restic.sops.yaml

kubernetes/apps/default/qbittorrent/app/backups/replicationsource.yaml

@@ -1,25 +0,0 @@
----
-# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/replicationsource_v1alpha1.json
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
-  name: qbittorrent
-  namespace: default
-spec:
-  sourcePVC: qbittorrent-config
-  trigger:
-    schedule: "0 0 * * *"
-  restic:
-    copyMethod: Snapshot
-    pruneIntervalDays: 10
-    repository: qbittorrent-restic
-    cacheCapacity: 2Gi
-    volumeSnapshotClassName: csi-ceph-blockpool
-    storageClassName: rook-ceph-block
-    moverSecurityContext:
-      runAsUser: 568
-      runAsGroup: 568
-      fsGroup: 568
-    retain:
-      daily: 10
-      within: 3d

kubernetes/apps/default/qbittorrent/app/backups/restic.sops.yaml

@@ -1,35 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-    name: qbittorrent-restic
-    namespace: default
-type: Opaque
-stringData:
-    #ENC[AES256_GCM,data:WTM0Lkqp+sxjbUgkNzAVZQnC5g==,iv:4y8R8GpLy2Ogh3Lt3v6ibVbJF7jy8K1BOGi+ONt7S5c=,tag:wRhEBfRNHp0PBvIjM60iSA==,type:comment]
-    RESTIC_REPOSITORY: ENC[AES256_GCM,data:IjRX4eF0Dy6uP3ocLiw+LV9bdgI6L3n8T4PTdrb+74CoNRRa8IxiWuCqDje6tgPGPwbTbtalanwnWlQFfg==,iv:9V0Z70klLCtYzbiQbHqzXxxxGOLvkax4iJ2b4+xfb5A=,tag:iGwhiZQiI0EB7QQm/rvPVg==,type:str]
-    #ENC[AES256_GCM,data:cRvGVeuDnEbJs01G+Und5ls1EgaC9Q2vj61IE/2R,iv:qSjv4bGEX9QWABhXgnCJsoj0p1kjgYaQwQX0Oyu9RHk=,tag:x8i1WXbAvdpC+Iv8pn/drw==,type:comment]
-    RESTIC_PASSWORD: ENC[AES256_GCM,data:6VI/lJQFZg6hu5r0SqNAKQAQGYY=,iv:UYRMnkHB4jsXcV1tyLDTAqh6dxsd18hYWsDoSpjJarA=,tag:d6hgK6LSgu7vZbLfquKcyA==,type:str]
-    #ENC[AES256_GCM,data:YIIHR5DwXv3YE9fFvNSAfrm47ZsshZMcY31LbaJ4gwXo0yOOHe6qDEc=,iv:axSMsvrIOkJFlErvw9fcAwLNSEWDh6mUU6dWZu6icIo=,tag:MDNlk43vcI9S4o6tMiWVmw==,type:comment]
-    #ENC[AES256_GCM,data:8Wspw6gPIPBsumfRS/5dlZrAQQqBJEDMgcpip4a3HCfHq8SeVDv4Gl0j3hyZqUsP5af8nN69Y/9bas7z1hnIERkrb8DqYg==,iv:WqCz9vBfg1JxUEpd97J37YztSW3HkcOHa6nIJI4VK8I=,tag:+LxnOzGidF39ojPKSOrVsg==,type:comment]
-    AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:I9vuuPEGS6A135zwKUNXvSIAjwk=,iv:dByy2WuuhO6OluWXYRwkdMutK33yKwOcWkR9hvY5bsg=,tag:xHU7Hbx+sxuZ9CRymA55JQ==,type:str]
-    AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kRdbENGS1F32JzkvktYkbfhMGBSrUpFSfyCdIpJwLOc+/2TyHAMrxA==,iv:Q+UKNT9aRo+A0KWu/FiST/4bOQKTOBJKHhpP8JXD3ao=,tag:7VE8lx2QAdNutcUj5kMNNA==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RE9wTDZVRlExcnVKYjVZ
-            THNtblNXbGlSUitoS0FYV2k3dlg3aWZEMWxjCmZETUFGSnR0c3JZU2FHNnFneHdB
-            TEdlYjJTcjNsSDQ0dmgvNWlnNWo4TWMKLS0tIGR2Q25heThUUGliY0ZicDNra1FN
-            dGppaVJiME1FQnkzdVJOeTZMcjhYWE0KBrGQAYun1Zs3oyHWQ8iGvmF4hheP3md4
-            3/Lc9CqEC+V1lT9On8ivEBethjt528vCyVMM5pLMRBEO6CMjlNhJ+g==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-12-28T08:19:27Z"
-    mac: ENC[AES256_GCM,data:pMKVC4IP3YD6kxtLzWNh6sBDCNzDgpHSsF9Ol8G0k5cRgNptV6htHOccOtZ5/gEWbGC9P8413zVDU6dMO27ejQbrf1NdpcaW2PjYAo3qfNGSyV31EKVC72odbSNBhcNzNUm7A6pGy7WwA7H0zhvBjEw1xwT1O9WuC+YX+CqJeTg=,iv:1htxNecL/xznVUhaH3ABkqwuxRMfiRJ9RhwTFb+1Ggk=,tag:3g2C2dfmb4Jx5Sunmrdhwg==,type:str]
-    pgp: []
-    encrypted_regex: ^(data|stringData)$
-    version: 3.7.3

kubernetes/apps/default/qbittorrent/app/helmrelease.yaml

@@ -6,7 +6,7 @@ metadata:
   name: &app qbittorrent
   namespace: default
 spec:
-  interval: 15m
+  interval: 30m
   chart:
     spec:
       chart: app-template
@@ -15,7 +15,7 @@ spec:
         kind: HelmRepository
         name: bjw-s
         namespace: flux-system
-  maxHistory: 3
+  maxHistory: 2
   install:
     createNamespace: true
     remediation:

kubernetes/apps/default/qbittorrent/app/kustomization.yaml

@@ -4,7 +4,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: default
 resources:
-  - ./backups
   - ./helmrelease.yaml
   - ./jobs
+  - ./volsync.yaml
   - ./volume.yaml

kubernetes/apps/default/qbittorrent/app/volsync.yaml

@@ -0,0 +1,49 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: qbittorrent-restic
+  namespace: default
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-connect
+  target:
+    name: qbittorrent-restic-secret
+    creationPolicy: Owner
+    template:
+      engineVersion: v2
+      data:
+        RESTIC_REPOSITORY: '{{ .REPOSITORY_TEMPLATE }}/qbittorrent'
+        RESTIC_PASSWORD: '{{ .RESTIC_PASSWORD }}'
+        AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}'
+        AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}'
+  dataFrom:
+    - extract:
+        key: volsync-restic-template
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/volsync.backube/replicationsource_v1alpha1.json
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+  name: qbittorrent
+  namespace: default
+spec:
+  sourcePVC: qbittorrent-config
+  trigger:
+    schedule: "0 7 * * *"
+  restic:
+    copyMethod: Snapshot
+    pruneIntervalDays: 7
+    repository: qbittorrent-restic-secret
+    cacheCapacity: 2Gi
+    volumeSnapshotClassName: csi-ceph-blockpool
+    storageClassName: rook-ceph-block
+    moverSecurityContext:
+      runAsUser: 568
+      runAsGroup: 568
+      fsGroup: 568
+    retain:
+      daily: 7
+      within: 3d

kubernetes/apps/default/redis/app/helmrelease.yaml

@@ -27,20 +27,18 @@ spec:
   uninstall:
     keepHistory: false
   values:
-    global:
-      # imageRegistry: public.ecr.aws
-      storageClass: rook-ceph-block
     auth:
       enabled: false
       sentinel: false
-      # existingSecret: *app
+    master:
-    sentinel:
+      persistence:
-      enabled: true
+        enabled: false
-      masterSet: redis-master
+    replica:
-      getMasterTimeout: 10
+      persistence:
-      startupProbe:
+        enabled: false
-        failureThreshold: 2
+    architecture: standalone
     metrics:
       enabled: true
       serviceMonitor:
         enabled: true
+        interval: 1m

kubernetes/apps/default/wallabag/app/backups/kustomization.yaml

@@ -1,7 +0,0 @@
----
-# yaml-language-server: $schema=https://json.schemastore.org/kustomization
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - ./replicationsource.yaml
-  - ./restic.sops.yaml

kubernetes/apps/default/wallabag/app/backups/replicationsource.yaml

@@ -1,21 +0,0 @@
----
-# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/replicationsource_v1alpha1.json
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
-  name: wallabag
-  namespace: default
-spec:
-  sourcePVC: wallabag-images
-  trigger:
-    schedule: "0 0 * * *"
-  restic:
-    copyMethod: Snapshot
-    pruneIntervalDays: 10
-    repository: wallabag-restic
-    cacheCapacity: 2Gi
-    volumeSnapshotClassName: csi-ceph-blockpool
-    storageClassName: rook-ceph-block
-    retain:
-      daily: 10
-      within: 3d

kubernetes/apps/default/wallabag/app/backups/restic.sops.yaml

@@ -1,35 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-    name: wallabag-restic
-    namespace: default
-type: Opaque
-stringData:
-    #ENC[AES256_GCM,data:WTM0Lkqp+sxjbUgkNzAVZQnC5g==,iv:4y8R8GpLy2Ogh3Lt3v6ibVbJF7jy8K1BOGi+ONt7S5c=,tag:wRhEBfRNHp0PBvIjM60iSA==,type:comment]
-    RESTIC_REPOSITORY: ENC[AES256_GCM,data:DmxzZkxk68HJTj0BQviWqKcwkR/QI/6clRDeyXzhs/y25kKiVUAjEOoo7pjx12lGPJLkHEehs6szag==,iv:qC2aHOajpp3bm/XDUFlt8VCx1lWWNjHoBn61y+IFVQM=,tag:BiSD1EyP/BPIXZYXkJ9+kQ==,type:str]
-    #ENC[AES256_GCM,data:cRvGVeuDnEbJs01G+Und5ls1EgaC9Q2vj61IE/2R,iv:qSjv4bGEX9QWABhXgnCJsoj0p1kjgYaQwQX0Oyu9RHk=,tag:x8i1WXbAvdpC+Iv8pn/drw==,type:comment]
-    RESTIC_PASSWORD: ENC[AES256_GCM,data:6VI/lJQFZg6hu5r0SqNAKQAQGYY=,iv:UYRMnkHB4jsXcV1tyLDTAqh6dxsd18hYWsDoSpjJarA=,tag:d6hgK6LSgu7vZbLfquKcyA==,type:str]
-    #ENC[AES256_GCM,data:YIIHR5DwXv3YE9fFvNSAfrm47ZsshZMcY31LbaJ4gwXo0yOOHe6qDEc=,iv:axSMsvrIOkJFlErvw9fcAwLNSEWDh6mUU6dWZu6icIo=,tag:MDNlk43vcI9S4o6tMiWVmw==,type:comment]
-    #ENC[AES256_GCM,data:8Wspw6gPIPBsumfRS/5dlZrAQQqBJEDMgcpip4a3HCfHq8SeVDv4Gl0j3hyZqUsP5af8nN69Y/9bas7z1hnIERkrb8DqYg==,iv:WqCz9vBfg1JxUEpd97J37YztSW3HkcOHa6nIJI4VK8I=,tag:+LxnOzGidF39ojPKSOrVsg==,type:comment]
-    AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:I9vuuPEGS6A135zwKUNXvSIAjwk=,iv:dByy2WuuhO6OluWXYRwkdMutK33yKwOcWkR9hvY5bsg=,tag:xHU7Hbx+sxuZ9CRymA55JQ==,type:str]
-    AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kRdbENGS1F32JzkvktYkbfhMGBSrUpFSfyCdIpJwLOc+/2TyHAMrxA==,iv:Q+UKNT9aRo+A0KWu/FiST/4bOQKTOBJKHhpP8JXD3ao=,tag:7VE8lx2QAdNutcUj5kMNNA==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RE9wTDZVRlExcnVKYjVZ
-            THNtblNXbGlSUitoS0FYV2k3dlg3aWZEMWxjCmZETUFGSnR0c3JZU2FHNnFneHdB
-            TEdlYjJTcjNsSDQ0dmgvNWlnNWo4TWMKLS0tIGR2Q25heThUUGliY0ZicDNra1FN
-            dGppaVJiME1FQnkzdVJOeTZMcjhYWE0KBrGQAYun1Zs3oyHWQ8iGvmF4hheP3md4
-            3/Lc9CqEC+V1lT9On8ivEBethjt528vCyVMM5pLMRBEO6CMjlNhJ+g==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-12-28T06:25:57Z"
-    mac: ENC[AES256_GCM,data:wDJZL3xNohPiuk/rwKYvRTv2CJSg5M467+Yu7Ce8qAHQakvmYd7gTuyBXQn7EMTQLhuGgISc+S0RZOVbIimNKj/Th7OPsAeBoQr/OwawpiN+UNZ/0gDn+VdsKE2ZaRY6QXpqZF1D4ZCc8DLCExbifY2T9lgQzryVoky3WRsLpl0=,iv:2mQMILQiKRIL6EPYFAH7a8RZ96+EnZL45gqjbSB40Eg=,tag:TiLoMFbodTD+8m24xwKwvA==,type:str]
-    pgp: []
-    encrypted_regex: ^(data|stringData)$
-    version: 3.7.3

kubernetes/apps/default/wallabag/app/externalsecret.yaml

@@ -0,0 +1,34 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: wallabag
+  namespace: default
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-connect
+  target:
+    name: wallabag-secret
+    creationPolicy: Owner
+    template:
+      engineVersion: v2
+      data:
+        # App
+        SYMFONY__ENV__DATABASE_USER: &dbUser "{{ .POSTGRES_USER }}"
+        SYMFONY__ENV__DATABASE_PASSWORD: &dbPass "{{ .POSTGRES_PASS }}"
+        SYMFONY__ENV__DATABASE_HOST: &dbHost postgres-rw.default.svc.cluster.local
+        SYMFONY__ENV__DATABASE_PORT: "5432"
+        SYMFONY__ENV__DATABASE_NAME: &dbName wallabag
+        # Postgres Init
+        INIT_POSTGRES_DBNAME: *dbName
+        INIT_POSTGRES_HOST: *dbHost
+        INIT_POSTGRES_USER: *dbUser
+        INIT_POSTGRES_PASS: *dbPass
+        INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
+  dataFrom:
+    - extract:
+        key: cloudnative-pg
+    - extract:
+        key: wallabag

kubernetes/apps/default/wallabag/app/helmrelease.yaml

@@ -6,7 +6,7 @@ metadata:
   name: &app wallabag
   namespace: default
 spec:
-  interval: 15m
+  interval: 30m
   chart:
     spec:
       chart: app-template
@@ -15,7 +15,7 @@ spec:
         kind: HelmRepository
         name: bjw-s
         namespace: flux-system
-  maxHistory: 3
+  maxHistory: 2
   install:
     createNamespace: true
     remediation:
@@ -28,14 +28,29 @@ spec:
     keepHistory: false
   values:
     controller:
-      replicas: 1
+      annotations:
-      strategy: Recreate
+        reloader.stakater.com/auto: "true"
+    initContainers:
+      01-init-db:
+        image: ghcr.io/onedr0p/postgres-init:14.8
+        imagePullPolicy: IfNotPresent
+        envFrom: &envFrom
+          - secretRef:
+              name: wallabag-secret
     image:
       repository: wallabag/wallabag
       tag: 2.5.4
-    envFrom:
+    envFrom: &envFrom
       - secretRef:
-          name: *app
+          name: wallabag-secret
+    env:
+      SYMFONY__ENV__DATABASE_DRIVER: pdo_pgsql
+      SYMFONY__ENV__REDIS_HOST: redis-master.default.svc.cluster.local.
+      SYMFONY__ENV__DOMAIN_NAME: https://wallabag.${SECRET_CLUSTER_DOMAIN}
+      SYMFONY__ENV__SERVER_NAME: Wallabag
+      SYMFONY__ENV__FOSUSER_REGISTRATION: "false"
+      SYMFONY__ENV__FOSUSER_CONFIRMATION: "false"
+      POPULATE_DATABASE: "false"
     enableServiceLinks: false
     service:
       main:
@@ -63,8 +78,6 @@ spec:
       images:
         enabled: true
         existingClaim: wallabag-images
-    podAnnotations:
-      secret.reloader.stakater.com/reload: *app
     resources:
       requests:
         cpu: 100m

kubernetes/apps/default/wallabag/app/kustomization.yaml

@@ -4,10 +4,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: default
 resources:
-  - ./backups
+  - ./externalsecret.yaml
   - ./helmrelease.yaml
-  - ./secret.sops.yaml
+  - ./volsync.yaml
   - ./volume.yaml
-patchesStrategicMerge:
-  - ./patches/env.yaml
-  - ./patches/postgres.yaml

kubernetes/apps/default/wallabag/app/patches/env.yaml

@@ -1,20 +0,0 @@
----
-# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helm.toolkit.fluxcd.io/helmrelease_v2beta1.json
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
-kind: HelmRelease
-metadata:
-  name: wallabag
-  namespace: default
-spec:
-  values:
-    env:
-      SYMFONY__ENV__DATABASE_DRIVER: pdo_pgsql
-      SYMFONY__ENV__DATABASE_HOST: ${POSTGRES_HOST}
-      SYMFONY__ENV__DATABASE_PORT: ${POSTGRES_PORT}
-      SYMFONY__ENV__DATABASE_NAME: wallabag
-      SYMFONY__ENV__REDIS_HOST: redis.default.svc.cluster.local.
-      SYMFONY__ENV__DOMAIN_NAME: https://wallabag.${SECRET_CLUSTER_DOMAIN}
-      SYMFONY__ENV__SERVER_NAME: Wallabag
-      SYMFONY__ENV__FOSUSER_REGISTRATION: "false"
-      SYMFONY__ENV__FOSUSER_CONFIRMATION: "false"
-      POPULATE_DATABASE: "false"

kubernetes/apps/default/wallabag/app/patches/postgres.yaml

@@ -1,32 +0,0 @@
----
-# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helm.toolkit.fluxcd.io/helmrelease_v2beta1.json
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
-kind: HelmRelease
-metadata:
-  name: wallabag
-  namespace: default
-spec:
-  values:
-    initContainers:
-      init-db:
-        image: ghcr.io/onedr0p/postgres-initdb:14.8
-        env:
-          - name: POSTGRES_HOST
-            value: ${POSTGRES_HOST}
-          - name: POSTGRES_DB
-            value: wallabag
-          - name: POSTGRES_SUPER_PASS
-            valueFrom:
-              secretKeyRef:
-                name: postgres-superuser
-                key: password
-          - name: POSTGRES_USER
-            valueFrom:
-              secretKeyRef:
-                name: wallabag
-                key: SYMFONY__ENV__DATABASE_USER
-          - name: POSTGRES_PASS
-            valueFrom:
-              secretKeyRef:
-                name: wallabag
-                key: SYMFONY__ENV__DATABASE_PASSWORD

kubernetes/apps/default/wallabag/app/secret.sops.yaml

@@ -1,30 +0,0 @@
-# yamllint disable
-apiVersion: v1
-kind: Secret
-metadata:
-    name: wallabag
-    namespace: default
-type: Opaque
-stringData:
-    SYMFONY__ENV__DATABASE_USER: ENC[AES256_GCM,data:h8pfT3ZnClc=,iv:2zW23/OmEWJJIf1NFJKqnVBenNsB+NA4qchYNLzuiJ4=,tag:JCl+8+z2tCByWzEomYsiCQ==,type:str]
-    SYMFONY__ENV__DATABASE_PASSWORD: ENC[AES256_GCM,data:1fIzVV2zPYBs/NUimG8=,iv:4LiY6LJtmV7UHlvw+GQn0HmISm3WL11y382gkPl+aCQ=,tag:CCL/dmqz2JolNe7H8ybDVg==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4TWU5YTlFY3FPQWhnZ2I2
-            akxnZ2xIRVNFZTdOWmg0dFhxTUNoZEFIM1cwCit5WnduNlQ1MkF2aytCVldMeVlC
-            Yk5QNWRQRllOT3ZTL3VGcjJNK1VqeUkKLS0tIFMyWHNFd29nc2tMektxclJkK0pT
-            Ny9OQ0l4ZXMrdW40NmRsbzgvZ0w5V3cKqTGvN5zk2TPgtxoVfwI7Wsz4N+lC9+Kq
-            DCXTgTU/QXm9dvo4ErPPzeWFqdk4JchExhvSJV2JfM32O+3z+EGhNg==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-09-16T09:15:34Z"
-    mac: ENC[AES256_GCM,data:RQzfap7GaeaS0dnZs0wdzPsNT4T1Wsz0ovSO1d766U/w9FlfU2nLfmVCHjKdmhCDq99gxazA5mKzaE1sUPtRrtO1td80G4KTe7jm8DDOLMQOQXgo+QN+W6hJ398uCfkrobtaQFE3YCa9sGyON5Rq2jubQ3+WyvZv/gV1oIvCVAU=,iv:o/wxk2bB97j9wcKqM3/T4kCYWrrKSGlIqgFhvTo9H9E=,tag:0VKKqxudYaNBDjGUm9O/ww==,type:str]
-    pgp: []
-    encrypted_regex: ^(data|stringData)$
-    version: 3.7.3

kubernetes/apps/default/wallabag/app/volsync.yaml

@@ -0,0 +1,45 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: wallabag-restic
+  namespace: default
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-connect
+  target:
+    name: wallabag-restic-secret
+    creationPolicy: Owner
+    template:
+      engineVersion: v2
+      data:
+        RESTIC_REPOSITORY: '{{ .REPOSITORY_TEMPLATE }}/wallabag'
+        RESTIC_PASSWORD: '{{ .RESTIC_PASSWORD }}'
+        AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}'
+        AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}'
+  dataFrom:
+    - extract:
+        key: volsync-restic-template
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/volsync.backube/replicationsource_v1alpha1.json
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+  name: wallabag
+  namespace: default
+spec:
+  sourcePVC: wallabag-images
+  trigger:
+    schedule: "0 7 * * *"
+  restic:
+    copyMethod: Snapshot
+    pruneIntervalDays: 7
+    repository: wallabag-restic-secret
+    cacheCapacity: 10Gi
+    volumeSnapshotClassName: csi-ceph-blockpool
+    storageClassName: rook-ceph-block
+    retain:
+      daily: 7
+      within: 3d

kubernetes/apps/default/wallabag/ks.yaml

@@ -15,6 +15,7 @@ spec:
     name: home-ops-kubernetes
   dependsOn:
     - name: cluster-apps-cloudnative-pg-cluster
+    - name: cluster-apps-external-secrets-stores
     - name: cluster-apps-rook-ceph-cluster
     - name: cluster-apps-volsync-app
   healthChecks: