fixup! ♻️ migration externalsecrets

2025-09-17 18:24:14 +02:00 · 2023-07-13 18:33:28 +02:00
parent 4021dac4df
commit eacff455da
125 changed files with 1061 additions and 1474 deletions
--- a/kubernetes/apps/default/firefly-iii/app/externalsecret.yaml
+++ b/kubernetes/apps/default/firefly-iii/app/externalsecret.yaml
@@ -18,7 +18,7 @@ spec:
        # App
        APP_KEY: "{{ .FIREFLY_APP_KEY }}"
        DB_USERNAME: &dbUser "{{ .POSTGRES_USERNAME }}"
-        DB_PASSWORD: &dbPass "{{ .POSTGRES_PASSWORD }}"
+        DB_PASSWORD: &dbPass "{{ .POSTGRES_USER }}"
        FIREFLY_III_ACCESS_TOKEN: "{{ .FIREFLY_ACCESS_TOKEN }}"
        # Postgres Init
        INIT_POSTGRES_DBNAME: firefly-iii
--- a/kubernetes/apps/default/pgadmin/app/helmrelease.yaml
+++ b/kubernetes/apps/default/pgadmin/app/helmrelease.yaml
@@ -27,6 +27,9 @@ spec:
  uninstall:
    keepHistory: false
  values:
    controller:
      annotations:
        reloader.stakater.com/auto: "true"
    image:
      repository: dpage/pgadmin4
      tag: "7.4"
--- a/kubernetes/apps/default/prowlarr/app/helmrelease.yaml
+++ b/kubernetes/apps/default/prowlarr/app/helmrelease.yaml
@@ -27,6 +27,9 @@ spec:
  uninstall:
    keepHistory: false
  values:
    controller:
      annotations:
        reloader.stakater.com/auto: "true"
    image:
      repository: ghcr.io/onedr0p/prowlarr-nightly
      tag: 1.7.2.3700@sha256:4c74dbd28e86519c683cfd8f2b87d5e8f72cc5c5c8f9d4112185f769c612c4a6
--- a/kubernetes/apps/default/radarr/app/backups/replicationsource.yaml
+++ b/kubernetes/apps/default/radarr/app/backups/replicationsource.yaml
@@ -1,25 +0,0 @@
 ---
 # yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/replicationsource_v1alpha1.json
 apiVersion: volsync.backube/v1alpha1
 kind: ReplicationSource
 metadata:
  name: radarr
  namespace: default
 spec:
  sourcePVC: radarr-config
  trigger:
    schedule: "0 0 * * *"
  restic:
    copyMethod: Snapshot
    pruneIntervalDays: 10
    repository: radarr-restic
    cacheCapacity: 2Gi
    volumeSnapshotClassName: csi-ceph-blockpool
    storageClassName: rook-ceph-block
    moverSecurityContext:
      runAsUser: 568
      runAsGroup: 568
      fsGroup: 568
    retain:
      daily: 10
      within: 3d
--- a/kubernetes/apps/default/radarr/app/backups/restic.sops.yaml
+++ b/kubernetes/apps/default/radarr/app/backups/restic.sops.yaml
@@ -1,35 +0,0 @@
 apiVersion: v1
 kind: Secret
 metadata:
    name: radarr-restic
    namespace: default
 type: Opaque
 stringData:
    #ENC[AES256_GCM,data:WTM0Lkqp+sxjbUgkNzAVZQnC5g==,iv:4y8R8GpLy2Ogh3Lt3v6ibVbJF7jy8K1BOGi+ONt7S5c=,tag:wRhEBfRNHp0PBvIjM60iSA==,type:comment]
    RESTIC_REPOSITORY: ENC[AES256_GCM,data:Mwfqvvc/7p7ih8sPZY1uFswPCwDPB3Uw8u0IStIxsje5YS6pZpCH+POaxpMNifr8OIQBEP0xq7k=,iv:ibk8gAjTqDB3F0WAAEfqg+vHSOfg8OgFxR1IlF/gzXc=,tag:+a0WDJxsIWarDR81vWRvSQ==,type:str]
    #ENC[AES256_GCM,data:cRvGVeuDnEbJs01G+Und5ls1EgaC9Q2vj61IE/2R,iv:qSjv4bGEX9QWABhXgnCJsoj0p1kjgYaQwQX0Oyu9RHk=,tag:x8i1WXbAvdpC+Iv8pn/drw==,type:comment]
    RESTIC_PASSWORD: ENC[AES256_GCM,data:6VI/lJQFZg6hu5r0SqNAKQAQGYY=,iv:UYRMnkHB4jsXcV1tyLDTAqh6dxsd18hYWsDoSpjJarA=,tag:d6hgK6LSgu7vZbLfquKcyA==,type:str]
    #ENC[AES256_GCM,data:YIIHR5DwXv3YE9fFvNSAfrm47ZsshZMcY31LbaJ4gwXo0yOOHe6qDEc=,iv:axSMsvrIOkJFlErvw9fcAwLNSEWDh6mUU6dWZu6icIo=,tag:MDNlk43vcI9S4o6tMiWVmw==,type:comment]
    #ENC[AES256_GCM,data:8Wspw6gPIPBsumfRS/5dlZrAQQqBJEDMgcpip4a3HCfHq8SeVDv4Gl0j3hyZqUsP5af8nN69Y/9bas7z1hnIERkrb8DqYg==,iv:WqCz9vBfg1JxUEpd97J37YztSW3HkcOHa6nIJI4VK8I=,tag:+LxnOzGidF39ojPKSOrVsg==,type:comment]
    AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:I9vuuPEGS6A135zwKUNXvSIAjwk=,iv:dByy2WuuhO6OluWXYRwkdMutK33yKwOcWkR9hvY5bsg=,tag:xHU7Hbx+sxuZ9CRymA55JQ==,type:str]
    AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kRdbENGS1F32JzkvktYkbfhMGBSrUpFSfyCdIpJwLOc+/2TyHAMrxA==,iv:Q+UKNT9aRo+A0KWu/FiST/4bOQKTOBJKHhpP8JXD3ao=,tag:7VE8lx2QAdNutcUj5kMNNA==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RE9wTDZVRlExcnVKYjVZ
            THNtblNXbGlSUitoS0FYV2k3dlg3aWZEMWxjCmZETUFGSnR0c3JZU2FHNnFneHdB
            TEdlYjJTcjNsSDQ0dmgvNWlnNWo4TWMKLS0tIGR2Q25heThUUGliY0ZicDNra1FN
            dGppaVJiME1FQnkzdVJOeTZMcjhYWE0KBrGQAYun1Zs3oyHWQ8iGvmF4hheP3md4
            3/Lc9CqEC+V1lT9On8ivEBethjt528vCyVMM5pLMRBEO6CMjlNhJ+g==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2022-12-28T15:40:20Z"
    mac: ENC[AES256_GCM,data:J9bpaDGW5zzW0OrW78rbXUNwRpGh0QviME4Lg1uQuVjosOepWxopG+QNyI0BHddIF7NnDfuSZy6LnclMEFl2vcpZXZTi6kSJEYPPbcLzAQG0FbkK4nSnW2JlL5cy83P81plYzqggXoqvgZWpRikg7iI2KJy6dXDKV5ZtVEy0myA=,iv:cmtmvn96UQvbJbrtVx+GGVEDFGB4QpndTMyYikwQ1BI=,tag:zvhhBHOLjYZy6Z6S/dR9QQ==,type:str]
    pgp: []
    encrypted_regex: ^(data|stringData)$
    version: 3.7.3
--- a/kubernetes/apps/default/radarr/app/externalsecret.yaml
+++ b/kubernetes/apps/default/radarr/app/externalsecret.yaml
@@ -0,0 +1,39 @@
 ---
 # yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: radarr
  namespace: default
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: radarr-secret
    creationPolicy: Owner
    template:
      data:
        # App
        RADARR__API_KEY: "{{ .RADARR__API_KEY }}"
        # RADARR__POSTGRES_HOST: &dbHost postgres-rw.default.svc.cluster.local
        # RADARR__POSTGRES_PORT: "5432"
        # RADARR__POSTGRES_USER: &dbUser "{{ .RADARR__POSTGRES_USER }}"
        # RADARR__POSTGRES_PASSWORD: &dbPass "{{ .RADARR__POSTGRES_PASSWORD }}"
        # RADARR__POSTGRES_MAIN_DB: radarr_main
        # RADARR__POSTGRES_LOG_DB: radarr_log
        PUSHOVER_API_TOKEN: "{{ .PUSHOVER_API_TOKEN }}"
        PUSHOVER_USER_KEY: "{{ .PUSHOVER_USER_KEY }}"
        # Postgres Init
        INIT_POSTGRES_DBNAME: radarr_main radarr_log
        INIT_POSTGRES_HOST: postgres-rw.default.svc.cluster.local
        INIT_POSTGRES_USER: "{{ .RADARR__POSTGRES_USER }}"
        INIT_POSTGRES_PASS: "{{ .RADARR__POSTGRES_PASSWORD }}"
        INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
  dataFrom:
    - extract:
        key: cloudnative-pg
    - extract:
        key: pushover
    - extract:
        key: radarr
--- a/kubernetes/apps/default/radarr/app/helmrelease.yaml
+++ b/kubernetes/apps/default/radarr/app/helmrelease.yaml
@@ -6,7 +6,7 @@ metadata:
  name: &app radarr
  namespace: default
 spec:
-  interval: 15m
+  interval: 30m
  chart:
    spec:
      chart: app-template
@@ -15,7 +15,7 @@ spec:
        kind: HelmRepository
        name: bjw-s
        namespace: flux-system
-  maxHistory: 3
+  maxHistory: 2
  install:
    createNamespace: true
    remediation:
@@ -27,6 +27,17 @@ spec:
  uninstall:
    keepHistory: false
  values:
    initContainers:
      01-init-db:
        image: ghcr.io/onedr0p/postgres-init:14.8
        imagePullPolicy: IfNotPresent
        envFrom: &envFrom
          - secretRef:
              name: &secret radarr-secret
    controller:
      annotations:
        configmap.reloader.stakater.com/reload: radarr-pushover
        reloader.stakater.com/auto: "true"
    image:
      repository: ghcr.io/onedr0p/radarr-develop
      tag: 4.7.0.7588@sha256:2cd821b4ecf67a69ae16e49cc3321e867c274efdd42096d1fef3bd92dfcf2f46
@@ -40,7 +51,7 @@ spec:
      RADARR__LOG_LEVEL: info
    envFrom:
      - secretRef:
-          name: *app
+          name: radarr-secret
    service:
      main:
        ports:
@@ -97,9 +108,6 @@ spec:
        mountPath: /scripts/pushover-notify.sh
        defaultMode: 0775
        readOnly: true
    podAnnotations:
      configmap.reloader.stakater.com/reload: radarr-pushover
      secret.reloader.stakater.com/reload: *app
    resources:
      requests:
        cpu: 500m
--- a/kubernetes/apps/default/radarr/app/kustomization.yaml
+++ b/kubernetes/apps/default/radarr/app/kustomization.yaml
@@ -4,9 +4,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: default
 resources:
-  - ./backups
+  - ./externalsecret.yaml
  - ./helmrelease.yaml
-  - ./secret.sops.yaml
+  - ./volsync.yaml
  - ./volume.yaml
 configMapGenerator:
  - name: radarr-pushover
--- a/kubernetes/apps/default/radarr/app/scripts/pushover-notify.sh
+++ b/kubernetes/apps/default/radarr/app/scripts/pushover-notify.sh
@@ -4,7 +4,7 @@ PUSHOVER_DEBUG="${PUSHOVER_DEBUG:-"true"}"
 # kubectl port-forward service/radarr -n default 7878:7878
 # export PUSHOVER_STARR_INSTANCE_NAME=Radarr;
 # export PUSHOVER_APP_URL="";
-# export PUSHOVER_TOKEN="";
+# export PUSHOVER_API_TOKEN="";
 # export PUSHOVER_USER_KEY="";
 # export radarr_eventtype=Download;
 # ./notify.sh
@@ -26,7 +26,7 @@ PUSHOVER_STARR_INSTANCE_NAME="$(xmlstarlet sel -t -v "//InstanceName" -nl ${CONF
 # Required
 PUSHOVER_APP_URL="${PUSHOVER_APP_URL:-}" && [[ -z "${PUSHOVER_APP_URL}" ]] && ERRORS+=("PUSHOVER_APP_URL not defined")
 PUSHOVER_USER_KEY="${PUSHOVER_USER_KEY:-}" && [[ -z "${PUSHOVER_USER_KEY}" ]] && ERRORS+=("PUSHOVER_USER_KEY not defined")
-PUSHOVER_TOKEN="${PUSHOVER_TOKEN:-}" && [[ -z "${PUSHOVER_TOKEN}" ]] && ERRORS+=("PUSHOVER_TOKEN not defined")
+PUSHOVER_API_TOKEN="${PUSHOVER_API_TOKEN:-}" && [[ -z "${PUSHOVER_API_TOKEN}" ]] && ERRORS+=("PUSHOVER_API_TOKEN not defined")
 # Optional
 PUSHOVER_DEVICE="${PUSHOVER_DEVICE:-}"
 PUSHOVER_PRIORITY="${PUSHOVER_PRIORITY:-"-2"}"
@@ -76,7 +76,7 @@ if [[ "${radarr_eventtype:-}" == "Download" ]]; then
 fi
 notification=$(jq -n \
-    --arg token "${PUSHOVER_TOKEN}" \
+    --arg token "${PUSHOVER_API_TOKEN}" \
    --arg user "${PUSHOVER_USER_KEY}" \
    --arg title "${PUSHOVER_TITLE}" \
    --arg message "${PUSHOVER_MESSAGE:-"Unable to obtain plot summary"}" \
--- a/kubernetes/apps/default/radarr/app/secret.sops.yaml
+++ b/kubernetes/apps/default/radarr/app/secret.sops.yaml
@@ -1,31 +0,0 @@
 # yamllint disable
 apiVersion: v1
 kind: Secret
 metadata:
    name: radarr
    namespace: default
 type: Opaque
 stringData:
    PUSHOVER_TOKEN: ENC[AES256_GCM,data:StcjXKnJz7NbKuMtzWd/FXE1pqY0TSLO8o8AioYe,iv:Cw6dA2Fr3le6d70+TSGmBCjEX6mHFk21ck9IQqKx71o=,tag:4ANhz87eqkbvSNy5Yp6Edw==,type:str]
    PUSHOVER_USER_KEY: ENC[AES256_GCM,data:3UbR7hAnBAAjw/tdB8TSMZw3inuJJhJx9AiIN4tZ,iv:GuB8Kf/pAOp32SiVhpSLFisIeoEg1VxdYm2Raw2stRM=,tag:A8nDFwYPcZ7fOPG/UPYYzQ==,type:str]
    RADARR__API_KEY: ENC[AES256_GCM,data:G9ik2e/t2hwFFDvt3LJRdvo8v1T86RvXwTgjWyCW9Lc=,iv:oTPUMOXB8ZvHBChMhmm9CmpSOSQNEnvkrwGa0rTwXUI=,tag:wFJkxS/pNuExTn2UywghYA==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJaU16anJNV2pBZmxPR3h2
            bWREUnpjcTFvd05ZQ2E4VVBDdm1FL2k4WEYwCkdQSStTNWtpdjNkUW51WS9MekdC
            VkpTUUFjSjY2a1JMOUtqOVh5M0JRR2sKLS0tIDRmcWpJSEVvaUp4U1lsaTZYZGNw
            OGVKWU0zNUZJSFh4aFJxQWFsYm1VeFkKaDeI/hl7z0Qh8t5W39Kxu9ert1dt4xo+
            LX+MjpVqxiZNcfwROD4bkWeQSN+VsxoGOOyj4L15BlggNnlg+L7Hww==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2022-12-28T15:40:44Z"
    mac: ENC[AES256_GCM,data:P3hPFflDuXXnshmEDOIZ+yfmcdJsckZshmacp3MP+cQM2Vvb8j6u+w4CQU+Mlpdd04O+x+XWXKC4BvNGXLryvFsjrezP8hrVIQuHX4kTNMOzHNFhzdMab2LpWYOCzT8WfPvLY+RTqf8hj8/ppouJh/R+tzBvQZfvGGRkAqGfj0M=,iv:4GmbEkfLOp2yzvOLlBKRdMZl7mKURBCIovuj5ZKIvbE=,tag:chGlnHNB+kCM/hcyNDeg7Q==,type:str]
    pgp: []
    encrypted_regex: ^(data|stringData)$
    version: 3.7.3
--- a/kubernetes/apps/default/radarr/app/volsync.yaml
+++ b/kubernetes/apps/default/radarr/app/volsync.yaml
@@ -0,0 +1,49 @@
 ---
 # yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: radarr-restic
  namespace: default
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: radarr-restic-secret
    creationPolicy: Owner
    template:
      engineVersion: v2
      data:
        RESTIC_REPOSITORY: '{{ .REPOSITORY_TEMPLATE }}/radarr'
        RESTIC_PASSWORD: '{{ .RESTIC_PASSWORD }}'
        AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}'
        AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}'
  dataFrom:
    - extract:
        key: volsync-restic-template
 ---
 # yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/volsync.backube/replicationsource_v1alpha1.json
 apiVersion: volsync.backube/v1alpha1
 kind: ReplicationSource
 metadata:
  name: radarr
  namespace: default
 spec:
  sourcePVC: radarr-config
  trigger:
    schedule: "0 7 * * *"
  restic:
    copyMethod: Snapshot
    pruneIntervalDays: 7
    repository: radarr-restic-secret
    cacheCapacity: 2Gi
    volumeSnapshotClassName: csi-ceph-blockpool
    storageClassName: rook-ceph-block
    moverSecurityContext:
      runAsUser: 568
      runAsGroup: 568
      fsGroup: 568
    retain:
      daily: 7
      within: 3d
--- a/kubernetes/apps/default/radarr/ks.yaml
+++ b/kubernetes/apps/default/radarr/ks.yaml
@@ -9,6 +9,8 @@ metadata:
    substitution.flux.home.arpa/enabled: "true"
 spec:
  dependsOn:
    - name: cluster-apps-cloudnative-pg-cluster
    - name: cluster-apps-external-secrets-stores
    - name: cluster-apps-rook-ceph-cluster
    - name: cluster-apps-volsync-app
  path: ./kubernetes/apps/default/radarr/app
--- a/kubernetes/apps/default/readarr/app/backups/kustomization.yaml
+++ b/kubernetes/apps/default/readarr/app/backups/kustomization.yaml
@@ -1,7 +0,0 @@
 ---
 # yaml-language-server: $schema=https://json.schemastore.org/kustomization
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - ./replicationsource.yaml
  - ./restic.sops.yaml
--- a/kubernetes/apps/default/readarr/app/backups/replicationsource.yaml
+++ b/kubernetes/apps/default/readarr/app/backups/replicationsource.yaml
@@ -1,25 +0,0 @@
 ---
 # yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/replicationsource_v1alpha1.json
 apiVersion: volsync.backube/v1alpha1
 kind: ReplicationSource
 metadata:
  name: readarr
  namespace: default
 spec:
  sourcePVC: readarr-config
  trigger:
    schedule: "0 0 * * *"
  restic:
    copyMethod: Snapshot
    pruneIntervalDays: 10
    repository: readarr-restic
    cacheCapacity: 2Gi
    volumeSnapshotClassName: csi-ceph-blockpool
    storageClassName: rook-ceph-block
    moverSecurityContext:
      runAsUser: 568
      runAsGroup: 568
      fsGroup: 568
    retain:
      daily: 10
      within: 3d
--- a/kubernetes/apps/default/readarr/app/backups/restic.sops.yaml
+++ b/kubernetes/apps/default/readarr/app/backups/restic.sops.yaml
@@ -1,35 +0,0 @@
 apiVersion: v1
 kind: Secret
 metadata:
    name: readarr-restic
    namespace: default
 type: Opaque
 stringData:
    #ENC[AES256_GCM,data:WTM0Lkqp+sxjbUgkNzAVZQnC5g==,iv:4y8R8GpLy2Ogh3Lt3v6ibVbJF7jy8K1BOGi+ONt7S5c=,tag:wRhEBfRNHp0PBvIjM60iSA==,type:comment]
    RESTIC_REPOSITORY: ENC[AES256_GCM,data:9NP9PR2gAtRF6m2Nla934qz/p7uETdIM8Ifx4WWwd/SLqKaR/vklmwF3N4pd1hAsVLjbg3KQzcKp,iv:yTSY9TmEYn7niuDqAYr0uGflq9K5CgQTss1k+wnUNB0=,tag:jj+vrqoKE7DldNycnQ/eag==,type:str]
    #ENC[AES256_GCM,data:cRvGVeuDnEbJs01G+Und5ls1EgaC9Q2vj61IE/2R,iv:qSjv4bGEX9QWABhXgnCJsoj0p1kjgYaQwQX0Oyu9RHk=,tag:x8i1WXbAvdpC+Iv8pn/drw==,type:comment]
    RESTIC_PASSWORD: ENC[AES256_GCM,data:6VI/lJQFZg6hu5r0SqNAKQAQGYY=,iv:UYRMnkHB4jsXcV1tyLDTAqh6dxsd18hYWsDoSpjJarA=,tag:d6hgK6LSgu7vZbLfquKcyA==,type:str]
    #ENC[AES256_GCM,data:YIIHR5DwXv3YE9fFvNSAfrm47ZsshZMcY31LbaJ4gwXo0yOOHe6qDEc=,iv:axSMsvrIOkJFlErvw9fcAwLNSEWDh6mUU6dWZu6icIo=,tag:MDNlk43vcI9S4o6tMiWVmw==,type:comment]
    #ENC[AES256_GCM,data:8Wspw6gPIPBsumfRS/5dlZrAQQqBJEDMgcpip4a3HCfHq8SeVDv4Gl0j3hyZqUsP5af8nN69Y/9bas7z1hnIERkrb8DqYg==,iv:WqCz9vBfg1JxUEpd97J37YztSW3HkcOHa6nIJI4VK8I=,tag:+LxnOzGidF39ojPKSOrVsg==,type:comment]
    AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:I9vuuPEGS6A135zwKUNXvSIAjwk=,iv:dByy2WuuhO6OluWXYRwkdMutK33yKwOcWkR9hvY5bsg=,tag:xHU7Hbx+sxuZ9CRymA55JQ==,type:str]
    AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kRdbENGS1F32JzkvktYkbfhMGBSrUpFSfyCdIpJwLOc+/2TyHAMrxA==,iv:Q+UKNT9aRo+A0KWu/FiST/4bOQKTOBJKHhpP8JXD3ao=,tag:7VE8lx2QAdNutcUj5kMNNA==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RE9wTDZVRlExcnVKYjVZ
            THNtblNXbGlSUitoS0FYV2k3dlg3aWZEMWxjCmZETUFGSnR0c3JZU2FHNnFneHdB
            TEdlYjJTcjNsSDQ0dmgvNWlnNWo4TWMKLS0tIGR2Q25heThUUGliY0ZicDNra1FN
            dGppaVJiME1FQnkzdVJOeTZMcjhYWE0KBrGQAYun1Zs3oyHWQ8iGvmF4hheP3md4
            3/Lc9CqEC+V1lT9On8ivEBethjt528vCyVMM5pLMRBEO6CMjlNhJ+g==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2022-12-28T15:44:52Z"
    mac: ENC[AES256_GCM,data:Jxa7Xz8ZPnAbBhU3gr92KMfnqDi4BSaywtykVFQ+S9FHsl0Qsk796SHz0pxfvO95o894a0/sTwFTyzulrs+aIojbZn771PX1LbluJeC7zqjXEqbyKclK7luHIo+B2CqvVP4H3WvSgFD+pOFUQzOfo0Mk6pSvWTra+A0fzveNPrM=,iv:4uObp+QoXWSR+Q+bsmwiDzJG+8G6+8bCKnE9lA2UKpE=,tag:1UR7FJOBxRsXsbn3R5ktBA==,type:str]
    pgp: []
    encrypted_regex: ^(data|stringData)$
    version: 3.7.3
--- a/kubernetes/apps/default/readarr/app/externalsecret.yaml
+++ b/kubernetes/apps/default/readarr/app/externalsecret.yaml
@@ -0,0 +1,25 @@
 ---
 # yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: readarr
  namespace: default
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: readarr-secret
    creationPolicy: Owner
    template:
      data:
        # App
        READARR__API_KEY: "{{ .READARR__API_KEY }}"
        PUSHOVER_API_TOKEN: "{{ .PUSHOVER_API_TOKEN }}"
        PUSHOVER_USER_KEY: "{{ .PUSHOVER_USER_KEY }}"
  dataFrom:
    - extract:
        key: pushover
    - extract:
        key: readarr
--- a/kubernetes/apps/default/readarr/app/helmrelease.yaml
+++ b/kubernetes/apps/default/readarr/app/helmrelease.yaml
@@ -6,7 +6,7 @@ metadata:
  name: &app readarr
  namespace: default
 spec:
-  interval: 15m
+  interval: 30m
  chart:
    spec:
      chart: app-template
@@ -15,7 +15,7 @@ spec:
        kind: HelmRepository
        name: bjw-s
        namespace: flux-system
-  maxHistory: 3
+  maxHistory: 2
  install:
    createNamespace: true
    remediation:
@@ -27,6 +27,9 @@ spec:
  uninstall:
    keepHistory: false
  values:
    controller:
      annotations:
        reloader.stakater.com/auto: "true"
    image:
      repository: ghcr.io/onedr0p/readarr-nightly
      tag: 0.2.3.1948@sha256:c042ba9164015fd00ea1eacf93ea5ba1c39b0a101666dc52150d4dc1517e4198
@@ -37,7 +40,7 @@ spec:
      READARR__LOG_LEVEL: info
    envFrom:
      - secretRef:
-          name: *app
+          name: readarr-secret
    service:
      main:
        ports:
--- a/kubernetes/apps/default/readarr/app/kustomization.yaml
+++ b/kubernetes/apps/default/readarr/app/kustomization.yaml
@@ -4,7 +4,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: default
 resources:
-  - ./backups
+  - ./externalsecret.yaml
  - ./helmrelease.yaml
-  - ./secret.sops.yaml
+  - ./volsync.yaml
  - ./volume.yaml
--- a/kubernetes/apps/default/readarr/app/secret.sops.yaml
+++ b/kubernetes/apps/default/readarr/app/secret.sops.yaml
@@ -1,29 +0,0 @@
 # yamllint disable
 apiVersion: v1
 kind: Secret
 metadata:
    name: readarr
    namespace: default
 type: Opaque
 stringData:
    READARR__API_KEY: ENC[AES256_GCM,data:x/TOFsYuY8sOvAyJPqkZbmOJuhtxeIQKau6PiO+p18Q=,iv:GHnX9rSOWjOVNZpUWxDzt95JrzK9sj+tcPv38SPY7UU=,tag:APu6Ux2bdZV6HXG0IUTq2A==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJaU16anJNV2pBZmxPR3h2
            bWREUnpjcTFvd05ZQ2E4VVBDdm1FL2k4WEYwCkdQSStTNWtpdjNkUW51WS9MekdC
            VkpTUUFjSjY2a1JMOUtqOVh5M0JRR2sKLS0tIDRmcWpJSEVvaUp4U1lsaTZYZGNw
            OGVKWU0zNUZJSFh4aFJxQWFsYm1VeFkKaDeI/hl7z0Qh8t5W39Kxu9ert1dt4xo+
            LX+MjpVqxiZNcfwROD4bkWeQSN+VsxoGOOyj4L15BlggNnlg+L7Hww==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2022-12-28T15:45:04Z"
    mac: ENC[AES256_GCM,data:KFi15cAw/4EkyfTd9fydTbhMXlhOyxPGYvy08dWk6PRXhG7VgV7UC/VnLIzuNkWFKT593fmwg9RBwrcR/v1oS0Zq4IB0vHLHqd4QhwSYTm+ChxeOOWoxkTY5DRMU0g6KGQGktDVm54E3jY9S1/NQJkVRJkpBAsTvFLfIWOOnjM4=,iv:NhJWTB7T+MkuDCicu9GAxS97T2Ql0kRVMkTy781OE/k=,tag:GZo4b5gku+lDuinvVGjhtQ==,type:str]
    pgp: []
    encrypted_regex: ^(data|stringData)$
    version: 3.7.3
--- a/kubernetes/apps/default/readarr/app/volsync.yaml
+++ b/kubernetes/apps/default/readarr/app/volsync.yaml
@@ -0,0 +1,49 @@
 ---
 # yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: readarr-restic
  namespace: default
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: readarr-restic-secret
    creationPolicy: Owner
    template:
      engineVersion: v2
      data:
        RESTIC_REPOSITORY: '{{ .REPOSITORY_TEMPLATE }}/readarr'
        RESTIC_PASSWORD: '{{ .RESTIC_PASSWORD }}'
        AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}'
        AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}'
  dataFrom:
    - extract:
        key: volsync-restic-template
 ---
 # yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/volsync.backube/replicationsource_v1alpha1.json
 apiVersion: volsync.backube/v1alpha1
 kind: ReplicationSource
 metadata:
  name: readarr
  namespace: default
 spec:
  sourcePVC: readarr-config
  trigger:
    schedule: "0 7 * * *"
  restic:
    copyMethod: Snapshot
    pruneIntervalDays: 7
    repository: readarr-restic-secret
    cacheCapacity: 2Gi
    volumeSnapshotClassName: csi-ceph-blockpool
    storageClassName: rook-ceph-block
    moverSecurityContext:
      runAsUser: 568
      runAsGroup: 568
      fsGroup: 568
    retain:
      daily: 7
      within: 3d
--- a/kubernetes/apps/default/readarr/ks.yaml
+++ b/kubernetes/apps/default/readarr/ks.yaml
@@ -9,6 +9,7 @@ metadata:
    substitution.flux.home.arpa/enabled: "true"
 spec:
  dependsOn:
    - name: cluster-apps-external-secrets-stores
    - name: cluster-apps-rook-ceph-cluster
    - name: cluster-apps-volsync-app
  path: ./kubernetes/apps/default/readarr/app
--- a/kubernetes/apps/default/recyclarr/app/helmrelease.yaml
+++ b/kubernetes/apps/default/recyclarr/app/helmrelease.yaml
@@ -6,7 +6,7 @@ metadata:
  name: recyclarr
  namespace: default
 spec:
-  interval: 15m
+  interval: 30m
  chart:
    spec:
      chart: app-template
@@ -15,7 +15,7 @@ spec:
        kind: HelmRepository
        name: bjw-s
        namespace: flux-system
-  maxHistory: 3
+  maxHistory: 2
  install:
    createNamespace: true
    remediation:
@@ -40,9 +40,9 @@ spec:
    args: ["sync"]
    envFrom:
      - secretRef:
-          name: radarr
+          name: radarr-secret
      - secretRef:
-          name: sonarr
+          name: sonarr-secret
    service:
      main:
        enabled: false
--- a/kubernetes/apps/default/redis/app/helmrelease.yaml
+++ b/kubernetes/apps/default/redis/app/helmrelease.yaml
@@ -6,7 +6,7 @@ metadata:
  name: &app redis
  namespace: default
 spec:
-  interval: 15m
+  interval: 30m
  chart:
    spec:
      chart: redis
@@ -15,7 +15,7 @@ spec:
        kind: HelmRepository
        name: bitnami
        namespace: flux-system
-  maxHistory: 3
+  maxHistory: 2
  install:
    createNamespace: true
    remediation:
--- a/kubernetes/apps/default/redis/app/kustomization.yaml
+++ b/kubernetes/apps/default/redis/app/kustomization.yaml
@@ -4,5 +4,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: default
 resources:
  - ./secret.sops.yaml
  - ./helmrelease.yaml
--- a/kubernetes/apps/default/redis/app/secret.sops.yaml
+++ b/kubernetes/apps/default/redis/app/secret.sops.yaml
@@ -1,29 +0,0 @@
 # yamllint disable
 apiVersion: v1
 kind: Secret
 metadata:
    name: redis
    namespace: default
 type: Opaque
 stringData:
    redis-password: ENC[AES256_GCM,data:jDOKfnXB3U1z/aV86U5euK27edk=,iv:9a946UDG5b8CdjVFqcIG5Hfyz/L62gxN4SEhj3Uzo8Q=,tag:/2ZfSSzXnjEcqXhEV/aHFg==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBVWZVaFFvMVJRRWR1eUU3
            QzI5cjNscE83czk0TG9Ra1JvVmExa0hWbWt3Ck1YY1htcXhDamwxY1pVcE0wS2U3
            WWNQbTJFK1dFdEhkMk8vbG9pQlJzN1kKLS0tIDBUTUZhMUF2VVJhbFNpQ1FTNWZC
            ZUZsSDdUYXFVb3JROEFnaC8yRU1zZ0UK1klzjeo3oaS6n1Apy0nY746ax2Uxxddg
            Mn61QDtkPf8FLNBC3tFTe3pWzhWseD/89WaW3f3GScJxy34SFUZxLQ==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2022-09-12T21:08:53Z"
    mac: ENC[AES256_GCM,data:vTtJo+nCb8eK9f4jUJHbq2zUXb8kZf5P91qPsfOfBV1wgMbM3YtlkKQFYsg/eAac/JBoRvUGhzsyFc/MEX3mCGVsU8BQ5cPuM54EVGAkrOAHzm3dXVqf1FDVwfeSXuMZ4iHsfKSyTPLcoZfJq5WQ9p/hIA3PSVsVQrmElS4S8/E=,iv:AxOjOctewK7bUrrSH+kfravg7UKBawUD1q/QBdpPDVw=,tag:j5/wMeAh+FdG/RDOpBt4jw==,type:str]
    pgp: []
    encrypted_regex: ^(data|stringData)$
    version: 3.7.3
--- a/kubernetes/apps/default/resilio-sync/claude/backups/kustomization.yaml
+++ b/kubernetes/apps/default/resilio-sync/claude/backups/kustomization.yaml
@@ -1,7 +0,0 @@
 ---
 # yaml-language-server: $schema=https://json.schemastore.org/kustomization
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - ./replicationsource.yaml
  - ./restic.sops.yaml
--- a/kubernetes/apps/default/resilio-sync/claude/backups/replicationsource.yaml
+++ b/kubernetes/apps/default/resilio-sync/claude/backups/replicationsource.yaml
@@ -1,25 +0,0 @@
 ---
 # yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/replicationsource_v1alpha1.json
 apiVersion: volsync.backube/v1alpha1
 kind: ReplicationSource
 metadata:
  name: resilio-claude
  namespace: default
 spec:
  sourcePVC: resilio-claude-config
  trigger:
    schedule: "0 0 * * *"
  restic:
    copyMethod: Snapshot
    pruneIntervalDays: 10
    repository: resilio-claude-restic
    cacheCapacity: 2Gi
    volumeSnapshotClassName: csi-ceph-blockpool
    storageClassName: rook-ceph-block
    moverSecurityContext:
      runAsUser: 568
      runAsGroup: 568
      fsGroup: 568
    retain:
      daily: 10
      within: 3d
--- a/kubernetes/apps/default/resilio-sync/claude/backups/restic.sops.yaml
+++ b/kubernetes/apps/default/resilio-sync/claude/backups/restic.sops.yaml
@@ -1,35 +0,0 @@
 apiVersion: v1
 kind: Secret
 metadata:
    name: resilio-claude-restic
    namespace: default
 type: Opaque
 stringData:
    #ENC[AES256_GCM,data:WTM0Lkqp+sxjbUgkNzAVZQnC5g==,iv:4y8R8GpLy2Ogh3Lt3v6ibVbJF7jy8K1BOGi+ONt7S5c=,tag:wRhEBfRNHp0PBvIjM60iSA==,type:comment]
    RESTIC_REPOSITORY: ENC[AES256_GCM,data:tle03NzNTqaJ5cJAdT1sjg52Ntx0u9EN9bINzjeUN/CbFKQe4AWiYgZ8GknlmTyMZOvNlCtRG33Qms+11cEn2Q==,iv:pvyfxAfK/7LUYU+jRQAhXy0huhgTA1YWSvz5UXukDk8=,tag:/owfcCbcyJP33pv4KXT7uA==,type:str]
    #ENC[AES256_GCM,data:cRvGVeuDnEbJs01G+Und5ls1EgaC9Q2vj61IE/2R,iv:qSjv4bGEX9QWABhXgnCJsoj0p1kjgYaQwQX0Oyu9RHk=,tag:x8i1WXbAvdpC+Iv8pn/drw==,type:comment]
    RESTIC_PASSWORD: ENC[AES256_GCM,data:6VI/lJQFZg6hu5r0SqNAKQAQGYY=,iv:UYRMnkHB4jsXcV1tyLDTAqh6dxsd18hYWsDoSpjJarA=,tag:d6hgK6LSgu7vZbLfquKcyA==,type:str]
    #ENC[AES256_GCM,data:YIIHR5DwXv3YE9fFvNSAfrm47ZsshZMcY31LbaJ4gwXo0yOOHe6qDEc=,iv:axSMsvrIOkJFlErvw9fcAwLNSEWDh6mUU6dWZu6icIo=,tag:MDNlk43vcI9S4o6tMiWVmw==,type:comment]
    #ENC[AES256_GCM,data:8Wspw6gPIPBsumfRS/5dlZrAQQqBJEDMgcpip4a3HCfHq8SeVDv4Gl0j3hyZqUsP5af8nN69Y/9bas7z1hnIERkrb8DqYg==,iv:WqCz9vBfg1JxUEpd97J37YztSW3HkcOHa6nIJI4VK8I=,tag:+LxnOzGidF39ojPKSOrVsg==,type:comment]
    AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:I9vuuPEGS6A135zwKUNXvSIAjwk=,iv:dByy2WuuhO6OluWXYRwkdMutK33yKwOcWkR9hvY5bsg=,tag:xHU7Hbx+sxuZ9CRymA55JQ==,type:str]
    AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kRdbENGS1F32JzkvktYkbfhMGBSrUpFSfyCdIpJwLOc+/2TyHAMrxA==,iv:Q+UKNT9aRo+A0KWu/FiST/4bOQKTOBJKHhpP8JXD3ao=,tag:7VE8lx2QAdNutcUj5kMNNA==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RE9wTDZVRlExcnVKYjVZ
            THNtblNXbGlSUitoS0FYV2k3dlg3aWZEMWxjCmZETUFGSnR0c3JZU2FHNnFneHdB
            TEdlYjJTcjNsSDQ0dmgvNWlnNWo4TWMKLS0tIGR2Q25heThUUGliY0ZicDNra1FN
            dGppaVJiME1FQnkzdVJOeTZMcjhYWE0KBrGQAYun1Zs3oyHWQ8iGvmF4hheP3md4
            3/Lc9CqEC+V1lT9On8ivEBethjt528vCyVMM5pLMRBEO6CMjlNhJ+g==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2022-12-28T06:43:50Z"
    mac: ENC[AES256_GCM,data:Zo2GQtU7ZqaviBO13/EWHSBgU11KTTCNaudRt7H1TO6VSl8xhtJNb+H+4WZSrf5TY4vtsbYqi46l2DybdtyWKd5z1gk/g7AKw2CPK7Nb8ARsH8F9VTcPr/5AMvHHM7kR0xL2jQsAh7iM+edGBFRaNcNQRxLFArfpgRgUslYMJB4=,iv:JddLCxRb7LYYZzIe/l8dHLNa0tp+LNi9/OtFEbi7Z4c=,tag:AmJlpTk775FaRzxyrKR/9A==,type:str]
    pgp: []
    encrypted_regex: ^(data|stringData)$
    version: 3.7.3
--- a/kubernetes/apps/default/resilio-sync/claude/helmrelease.yaml
+++ b/kubernetes/apps/default/resilio-sync/claude/helmrelease.yaml
@@ -6,7 +6,7 @@ metadata:
  name: &app resilio-claude
  namespace: default
 spec:
-  interval: 15m
+  interval: 30m
  chart:
    spec:
      chart: app-template
@@ -15,7 +15,7 @@ spec:
        kind: HelmRepository
        name: bjw-s
        namespace: flux-system
-  maxHistory: 3
+  maxHistory: 2
  install:
    createNamespace: true
    remediation:
@@ -27,6 +27,9 @@ spec:
  uninstall:
    keepHistory: false
  values:
    controller:
      annotations:
        reloader.stakater.com/auto: "true"
    image:
      repository: ghcr.io/auricom/resilio-sync
      tag: 2.7.3.1381-1@sha256:4f9dab7d50a4046b503686b766da6adbb627ff62f63587617cd46a468c810b11
@@ -62,7 +65,7 @@ spec:
        enabled: true
        type: configMap
        configMap:
-        name: resilio-claude-sync-conf
+        name: resilio-claude-configmap
        mountPath: /config/sync.conf
        subPath: sync.conf
      backups:
--- a/kubernetes/apps/default/resilio-sync/claude/kustomization.yaml
+++ b/kubernetes/apps/default/resilio-sync/claude/kustomization.yaml
@@ -4,11 +4,11 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: default
 resources:
  - backups
  - ./helmrelease.yaml
  - ./volsync.yaml
  - ./volume.yaml
 configMapGenerator:
-  - name: resilio-claude-sync-conf
+  - name: resilio-claude-configmap
    files:
      - ./config/sync.conf
 generatorOptions:
--- a/kubernetes/apps/default/resilio-sync/claude/volsync.yaml
+++ b/kubernetes/apps/default/resilio-sync/claude/volsync.yaml
@@ -0,0 +1,49 @@
 ---
 # yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: resilio-claude-restic
  namespace: default
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: resilio-claude-restic-secret
    creationPolicy: Owner
    template:
      engineVersion: v2
      data:
        RESTIC_REPOSITORY: '{{ .REPOSITORY_TEMPLATE }}/resilio-claude'
        RESTIC_PASSWORD: '{{ .RESTIC_PASSWORD }}'
        AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}'
        AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}'
  dataFrom:
    - extract:
        key: volsync-restic-template
 ---
 # yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/volsync.backube/replicationsource_v1alpha1.json
 apiVersion: volsync.backube/v1alpha1
 kind: ReplicationSource
 metadata:
  name: resilio-claude
  namespace: default
 spec:
  sourcePVC: resilio-claude-config
  trigger:
    schedule: "0 7 * * *"
  restic:
    copyMethod: Snapshot
    pruneIntervalDays: 7
    repository: resilio-claude-restic-secret
    cacheCapacity: 2Gi
    volumeSnapshotClassName: csi-ceph-blockpool
    storageClassName: rook-ceph-block
    moverSecurityContext:
      runAsUser: 568
      runAsGroup: 568
      fsGroup: 568
    retain:
      daily: 7
      within: 3d
--- a/kubernetes/apps/default/resilio-sync/helene/backups/kustomization.yaml
+++ b/kubernetes/apps/default/resilio-sync/helene/backups/kustomization.yaml
@@ -1,7 +0,0 @@
 ---
 # yaml-language-server: $schema=https://json.schemastore.org/kustomization
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - ./replicationsource.yaml
  - ./restic.sops.yaml
--- a/kubernetes/apps/default/resilio-sync/helene/backups/replicationsource.yaml
+++ b/kubernetes/apps/default/resilio-sync/helene/backups/replicationsource.yaml
@@ -1,25 +0,0 @@
 ---
 # yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/replicationsource_v1alpha1.json
 apiVersion: volsync.backube/v1alpha1
 kind: ReplicationSource
 metadata:
  name: resilio-helene
  namespace: default
 spec:
  sourcePVC: resilio-helene-config
  trigger:
    schedule: "0 0 * * *"
  restic:
    copyMethod: Snapshot
    pruneIntervalDays: 10
    repository: resilio-helene-restic
    cacheCapacity: 2Gi
    volumeSnapshotClassName: csi-ceph-blockpool
    storageClassName: rook-ceph-block
    moverSecurityContext:
      runAsUser: 568
      runAsGroup: 568
      fsGroup: 568
    retain:
      daily: 10
      within: 3d
--- a/kubernetes/apps/default/resilio-sync/helene/backups/restic.sops.yaml
+++ b/kubernetes/apps/default/resilio-sync/helene/backups/restic.sops.yaml
@@ -1,35 +0,0 @@
 apiVersion: v1
 kind: Secret
 metadata:
    name: resilio-helene-restic
    namespace: default
 type: Opaque
 stringData:
    #ENC[AES256_GCM,data:WTM0Lkqp+sxjbUgkNzAVZQnC5g==,iv:4y8R8GpLy2Ogh3Lt3v6ibVbJF7jy8K1BOGi+ONt7S5c=,tag:wRhEBfRNHp0PBvIjM60iSA==,type:comment]
    RESTIC_REPOSITORY: ENC[AES256_GCM,data:gGcefoNg68nJNdN4bBgvPlN8LtIp57igeI0w+51XbxvE61oudJm4H5ePqqIom+c4YA+r2MPyRtDcU3zZZZkJGQ==,iv:ujh8jWNTLBpN2YhtjjCPFkq4I3JVBQRdQsTiKeLTuMI=,tag:Bor468jY1eb2k1P4EJRsVg==,type:str]
    #ENC[AES256_GCM,data:cRvGVeuDnEbJs01G+Und5ls1EgaC9Q2vj61IE/2R,iv:qSjv4bGEX9QWABhXgnCJsoj0p1kjgYaQwQX0Oyu9RHk=,tag:x8i1WXbAvdpC+Iv8pn/drw==,type:comment]
    RESTIC_PASSWORD: ENC[AES256_GCM,data:6VI/lJQFZg6hu5r0SqNAKQAQGYY=,iv:UYRMnkHB4jsXcV1tyLDTAqh6dxsd18hYWsDoSpjJarA=,tag:d6hgK6LSgu7vZbLfquKcyA==,type:str]
    #ENC[AES256_GCM,data:YIIHR5DwXv3YE9fFvNSAfrm47ZsshZMcY31LbaJ4gwXo0yOOHe6qDEc=,iv:axSMsvrIOkJFlErvw9fcAwLNSEWDh6mUU6dWZu6icIo=,tag:MDNlk43vcI9S4o6tMiWVmw==,type:comment]
    #ENC[AES256_GCM,data:8Wspw6gPIPBsumfRS/5dlZrAQQqBJEDMgcpip4a3HCfHq8SeVDv4Gl0j3hyZqUsP5af8nN69Y/9bas7z1hnIERkrb8DqYg==,iv:WqCz9vBfg1JxUEpd97J37YztSW3HkcOHa6nIJI4VK8I=,tag:+LxnOzGidF39ojPKSOrVsg==,type:comment]
    AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:I9vuuPEGS6A135zwKUNXvSIAjwk=,iv:dByy2WuuhO6OluWXYRwkdMutK33yKwOcWkR9hvY5bsg=,tag:xHU7Hbx+sxuZ9CRymA55JQ==,type:str]
    AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kRdbENGS1F32JzkvktYkbfhMGBSrUpFSfyCdIpJwLOc+/2TyHAMrxA==,iv:Q+UKNT9aRo+A0KWu/FiST/4bOQKTOBJKHhpP8JXD3ao=,tag:7VE8lx2QAdNutcUj5kMNNA==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RE9wTDZVRlExcnVKYjVZ
            THNtblNXbGlSUitoS0FYV2k3dlg3aWZEMWxjCmZETUFGSnR0c3JZU2FHNnFneHdB
            TEdlYjJTcjNsSDQ0dmgvNWlnNWo4TWMKLS0tIGR2Q25heThUUGliY0ZicDNra1FN
            dGppaVJiME1FQnkzdVJOeTZMcjhYWE0KBrGQAYun1Zs3oyHWQ8iGvmF4hheP3md4
            3/Lc9CqEC+V1lT9On8ivEBethjt528vCyVMM5pLMRBEO6CMjlNhJ+g==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2022-12-28T06:38:55Z"
    mac: ENC[AES256_GCM,data:q9w22A6MR1+1SYCuwEcXlNqf02paU/dLuU0VbL3RJ5zTu5Se4Z+aiA6bTFffhBjusdDQFtfOU4YfFO/OGEyYyA68vjugG8n8OrF7BsSBB9ZjX2C+jwxH+vDHTf+X1FxjhipzX+PuNlTKfHLHe5vvLlKAPeftHy2wpzFb31zU69s=,iv:fBKgliHL7/dEEXL/E/snkX0J3e79gZ3KVtoH/MCkZ6c=,tag:bnd3E1CB8rtOCyZMFnQR5g==,type:str]
    pgp: []
    encrypted_regex: ^(data|stringData)$
    version: 3.7.3
--- a/kubernetes/apps/default/resilio-sync/helene/helmrelease.yaml
+++ b/kubernetes/apps/default/resilio-sync/helene/helmrelease.yaml
@@ -6,7 +6,7 @@ metadata:
  name: &app resilio-helene
  namespace: default
 spec:
-  interval: 15m
+  interval: 30m
  chart:
    spec:
      chart: app-template
@@ -15,7 +15,7 @@ spec:
        kind: HelmRepository
        name: bjw-s
        namespace: flux-system
-  maxHistory: 3
+  maxHistory: 2
  install:
    createNamespace: true
    remediation:
@@ -27,6 +27,9 @@ spec:
  uninstall:
    keepHistory: false
  values:
    controller:
      annotations:
        reloader.stakater.com/auto: "true"
    image:
      repository: ghcr.io/auricom/resilio-sync
      tag: 2.7.3.1381-1@sha256:4f9dab7d50a4046b503686b766da6adbb627ff62f63587617cd46a468c810b11
@@ -62,7 +65,7 @@ spec:
        enabled: true
        type: configMap
        configMap:
-        name: resilio-helene-sync-conf
+        name: resilio-helene-configmap
        mountPath: /config/sync.conf
        subPath: sync.conf
      backups:
--- a/kubernetes/apps/default/resilio-sync/helene/kustomization.yaml
+++ b/kubernetes/apps/default/resilio-sync/helene/kustomization.yaml
@@ -4,11 +4,11 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: default
 resources:
  - backups
  - ./helmrelease.yaml
  - ./volsync.yaml
  - ./volume.yaml
 configMapGenerator:
-  - name: resilio-helene-sync-conf
+  - name: resilio-helene-configmap
    files:
      - ./config/sync.conf
 generatorOptions:
--- a/kubernetes/apps/default/resilio-sync/helene/volsync.yaml
+++ b/kubernetes/apps/default/resilio-sync/helene/volsync.yaml
@@ -0,0 +1,49 @@
 ---
 # yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: resilio-helene-restic
  namespace: default
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: resilio-helene-restic-secret
    creationPolicy: Owner
    template:
      engineVersion: v2
      data:
        RESTIC_REPOSITORY: '{{ .REPOSITORY_TEMPLATE }}/resilio-helene'
        RESTIC_PASSWORD: '{{ .RESTIC_PASSWORD }}'
        AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}'
        AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}'
  dataFrom:
    - extract:
        key: volsync-restic-template
 ---
 # yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/volsync.backube/replicationsource_v1alpha1.json
 apiVersion: volsync.backube/v1alpha1
 kind: ReplicationSource
 metadata:
  name: resilio-helene
  namespace: default
 spec:
  sourcePVC: resilio-helene-config
  trigger:
    schedule: "0 7 * * *"
  restic:
    copyMethod: Snapshot
    pruneIntervalDays: 7
    repository: resilio-helene-restic-secret
    cacheCapacity: 2Gi
    volumeSnapshotClassName: csi-ceph-blockpool
    storageClassName: rook-ceph-block
    moverSecurityContext:
      runAsUser: 568
      runAsGroup: 568
      fsGroup: 568
    retain:
      daily: 7
      within: 3d
--- a/kubernetes/apps/default/sabnzbd/app/backups/kustomization.yaml
+++ b/kubernetes/apps/default/sabnzbd/app/backups/kustomization.yaml
@@ -1,7 +0,0 @@
 ---
 # yaml-language-server: $schema=https://json.schemastore.org/kustomization
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - ./replicationsource.yaml
  - ./restic.sops.yaml
--- a/kubernetes/apps/default/sabnzbd/app/backups/replicationsource.yaml
+++ b/kubernetes/apps/default/sabnzbd/app/backups/replicationsource.yaml
@@ -1,25 +0,0 @@
 ---
 # yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/replicationsource_v1alpha1.json
 apiVersion: volsync.backube/v1alpha1
 kind: ReplicationSource
 metadata:
  name: sabnzbd
  namespace: default
 spec:
  sourcePVC: sabnzbd-config
  trigger:
    schedule: "0 0 * * *"
  restic:
    copyMethod: Snapshot
    pruneIntervalDays: 10
    repository: sabnzbd-restic
    cacheCapacity: 2Gi
    volumeSnapshotClassName: csi-ceph-blockpool
    storageClassName: rook-ceph-block
    moverSecurityContext:
      runAsUser: 568
      runAsGroup: 568
      fsGroup: 568
    retain:
      daily: 10
      within: 3d
--- a/kubernetes/apps/default/sabnzbd/app/backups/restic.sops.yaml
+++ b/kubernetes/apps/default/sabnzbd/app/backups/restic.sops.yaml
@@ -1,35 +0,0 @@
 apiVersion: v1
 kind: Secret
 metadata:
    name: sabnzbd-restic
    namespace: default
 type: Opaque
 stringData:
    #ENC[AES256_GCM,data:WTM0Lkqp+sxjbUgkNzAVZQnC5g==,iv:4y8R8GpLy2Ogh3Lt3v6ibVbJF7jy8K1BOGi+ONt7S5c=,tag:wRhEBfRNHp0PBvIjM60iSA==,type:comment]
    RESTIC_REPOSITORY: ENC[AES256_GCM,data:1MHDHUB4FpcpVcG2S76kldKBBRyDkt5RojedKnueMfqVB54XZgtQ+eUjjoLAlxedC0YdIb52q7li,iv:BSebPLGLm1DQV5ehrHq9rG2eUtqWdqGshX5/aBJDgz8=,tag:pZLHq8OuMXnj9phtLeLMuw==,type:str]
    #ENC[AES256_GCM,data:cRvGVeuDnEbJs01G+Und5ls1EgaC9Q2vj61IE/2R,iv:qSjv4bGEX9QWABhXgnCJsoj0p1kjgYaQwQX0Oyu9RHk=,tag:x8i1WXbAvdpC+Iv8pn/drw==,type:comment]
    RESTIC_PASSWORD: ENC[AES256_GCM,data:6VI/lJQFZg6hu5r0SqNAKQAQGYY=,iv:UYRMnkHB4jsXcV1tyLDTAqh6dxsd18hYWsDoSpjJarA=,tag:d6hgK6LSgu7vZbLfquKcyA==,type:str]
    #ENC[AES256_GCM,data:YIIHR5DwXv3YE9fFvNSAfrm47ZsshZMcY31LbaJ4gwXo0yOOHe6qDEc=,iv:axSMsvrIOkJFlErvw9fcAwLNSEWDh6mUU6dWZu6icIo=,tag:MDNlk43vcI9S4o6tMiWVmw==,type:comment]
    #ENC[AES256_GCM,data:8Wspw6gPIPBsumfRS/5dlZrAQQqBJEDMgcpip4a3HCfHq8SeVDv4Gl0j3hyZqUsP5af8nN69Y/9bas7z1hnIERkrb8DqYg==,iv:WqCz9vBfg1JxUEpd97J37YztSW3HkcOHa6nIJI4VK8I=,tag:+LxnOzGidF39ojPKSOrVsg==,type:comment]
    AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:I9vuuPEGS6A135zwKUNXvSIAjwk=,iv:dByy2WuuhO6OluWXYRwkdMutK33yKwOcWkR9hvY5bsg=,tag:xHU7Hbx+sxuZ9CRymA55JQ==,type:str]
    AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kRdbENGS1F32JzkvktYkbfhMGBSrUpFSfyCdIpJwLOc+/2TyHAMrxA==,iv:Q+UKNT9aRo+A0KWu/FiST/4bOQKTOBJKHhpP8JXD3ao=,tag:7VE8lx2QAdNutcUj5kMNNA==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RE9wTDZVRlExcnVKYjVZ
            THNtblNXbGlSUitoS0FYV2k3dlg3aWZEMWxjCmZETUFGSnR0c3JZU2FHNnFneHdB
            TEdlYjJTcjNsSDQ0dmgvNWlnNWo4TWMKLS0tIGR2Q25heThUUGliY0ZicDNra1FN
            dGppaVJiME1FQnkzdVJOeTZMcjhYWE0KBrGQAYun1Zs3oyHWQ8iGvmF4hheP3md4
            3/Lc9CqEC+V1lT9On8ivEBethjt528vCyVMM5pLMRBEO6CMjlNhJ+g==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2022-12-28T08:26:24Z"
    mac: ENC[AES256_GCM,data:oilRwF4uQM17O8OIGqduE1UBuQ9xFZE0KGNGJ0gvlEuDxhsA72mIfhXc2sDnPlab+Z8EZY7w0OjCgKI9jUOXW/1W19PhhvF2UbbqK+FR7dTNo0ZtZ+tlu9+dfAylyQwLcWCvc6wbatx5igi4v9R8E4d8/ul7A/jrGPEAsDqNflg=,iv:UI/MdEx2O3JC8nd9nmiCbkJeEhe2TefRB7jpvQCAJc4=,tag:Nmbw7j/cvhKnGFP+XORGEA==,type:str]
    pgp: []
    encrypted_regex: ^(data|stringData)$
    version: 3.7.3
--- a/kubernetes/apps/default/sabnzbd/app/externalsecret.yaml
+++ b/kubernetes/apps/default/sabnzbd/app/externalsecret.yaml
@@ -0,0 +1,18 @@
 ---
 # yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: sabnzbd
  namespace: default
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: sabnzbd-secret
    creationPolicy: Owner
  dataFrom:
    - extract:
        # SABNZBD__API_KEY, SABNZBD__NZB_KEY
        key: sabnzbd
--- a/kubernetes/apps/default/sabnzbd/app/helmrelease.yaml
+++ b/kubernetes/apps/default/sabnzbd/app/helmrelease.yaml
@@ -6,7 +6,7 @@ metadata:
  name: &app sabnzbd
  namespace: default
 spec:
-  interval: 15m
+  interval: 30m
  chart:
    spec:
      chart: app-template
@@ -15,7 +15,7 @@ spec:
        kind: HelmRepository
        name: bjw-s
        namespace: flux-system
-  maxHistory: 3
+  maxHistory: 2
  install:
    createNamespace: true
    remediation:
@@ -27,6 +27,9 @@ spec:
  uninstall:
    keepHistory: false
  values:
    controller:
      annotations:
        reloader.stakater.com/auto: "true"
    image:
      repository: ghcr.io/onedr0p/sabnzbd
      tag: 4.0.3@sha256:aff676e3c234f7a4493c75813e296c347c02b6e5374acd1858f8244ea44f2b4a
@@ -42,7 +45,7 @@ spec:
        sabnzbd.${SECRET_CLUSTER_DOMAIN}
    envFrom:
      - secretRef:
-          name: *app
+          name: sabnzbd-secret
    service:
      main:
        ports:
--- a/kubernetes/apps/default/sabnzbd/app/kustomization.yaml
+++ b/kubernetes/apps/default/sabnzbd/app/kustomization.yaml
@@ -4,7 +4,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: default
 resources:
-  - ./backups
+  - ./externalsecret.yaml
  - ./helmrelease.yaml
-  - ./secret.sops.yaml
+  - ./volsync.yaml
  - ./volume.yaml
--- a/kubernetes/apps/default/sabnzbd/app/secret.sops.yaml
+++ b/kubernetes/apps/default/sabnzbd/app/secret.sops.yaml
@@ -1,30 +0,0 @@
 # yamllint disable
 apiVersion: v1
 kind: Secret
 metadata:
    name: sabnzbd
    namespace: default
 type: Opaque
 stringData:
    SABNZBD__API_KEY: ENC[AES256_GCM,data:6VgnjcgBVwvaKqWPNisOfct6smrVostiIR/yuoYqjco=,iv:WW1b7LJgG4CWEEm7ETwwXlfu3fG345YAvqi1dlsS8cg=,tag:nZSAbcWxwyXjKnwyVYt/Ug==,type:str]
    SABNZBD__NZB_KEY: ENC[AES256_GCM,data:RoNUH0En29584v+m85gqlwIrLJ3aP5al0161FTnXGko=,iv:3u/uzWLe1f84WquDjrxXXdArcL1BeF6cNplImjP1yoE=,tag:xoPmImdecg/2twtVRzJh/g==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoN0VJaHVYcXNDZDlZUGRn
            YUViZDU0TCtmbzkycUpiZUVDbkluSzdSM2hVClpMRDdKREJBZEpEYUIxUGlIem9Q
            Z08rVUVLUFhWNGdncElCR2hFVFNJUEUKLS0tIDZzcDVyb0lMTzRrNStBRU1KN2wy
            OU81anNCMk13bXNXRVM3ZWcxTjd6SUkKd5FvLfeXe4p7j5eryl9ZuVh6oT920yiy
            hsaI1Cwm2WH55lR++P1jtIyTo+lOL5M+IZUeyC7LXBpMp2UBNbllcw==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2022-12-28T08:25:52Z"
    mac: ENC[AES256_GCM,data:xCWHBq+s8wEUYhPYxE8XlJXJNeGf9w3MaNI7qrDucupXYxl3gnIiixjArRSk3oc2NuqUiNJF5pFlECHaj24/qvLQNftkWlulT3CxFHZ90/L+mK33h7dtOHmjNkqUtCmQgjylpPyT0MLWuYGC7WpcdCyficKk6OUc3F9BXbovbnM=,iv:Gii2DWFNLyy8yBCXwQqaUb9ewVtbkHDEhOz7p379YLA=,tag:HnfsqBeBu6B70eM+GDYXZg==,type:str]
    pgp: []
    encrypted_regex: ^(data|stringData)$
    version: 3.7.3
--- a/kubernetes/apps/default/sabnzbd/app/volsync.yaml
+++ b/kubernetes/apps/default/sabnzbd/app/volsync.yaml
@@ -0,0 +1,49 @@
 ---
 # yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: sabnzbd-restic
  namespace: default
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: sabnzbd-restic-secret
    creationPolicy: Owner
    template:
      engineVersion: v2
      data:
        RESTIC_REPOSITORY: '{{ .REPOSITORY_TEMPLATE }}/sabnzbd'
        RESTIC_PASSWORD: '{{ .RESTIC_PASSWORD }}'
        AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}'
        AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}'
  dataFrom:
    - extract:
        key: volsync-restic-template
 ---
 # yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/volsync.backube/replicationsource_v1alpha1.json
 apiVersion: volsync.backube/v1alpha1
 kind: ReplicationSource
 metadata:
  name: sabnzbd
  namespace: default
 spec:
  sourcePVC: sabnzbd-config
  trigger:
    schedule: "0 7 * * *"
  restic:
    copyMethod: Snapshot
    pruneIntervalDays: 7
    repository: sabnzbd-restic-secret
    cacheCapacity: 2Gi
    volumeSnapshotClassName: csi-ceph-blockpool
    storageClassName: rook-ceph-block
    moverSecurityContext:
      runAsUser: 568
      runAsGroup: 568
      fsGroup: 568
    retain:
      daily: 7
      within: 3d
--- a/kubernetes/apps/default/sabnzbd/ks.yaml
+++ b/kubernetes/apps/default/sabnzbd/ks.yaml
@@ -9,6 +9,7 @@ metadata:
    substitution.flux.home.arpa/enabled: "true"
 spec:
  dependsOn:
    - name: cluster-apps-external-secrets-stores
    - name: cluster-apps-rook-ceph-cluster
    - name: cluster-apps-volsync-app
  path: ./kubernetes/apps/default/sabnzbd/app
--- a/kubernetes/apps/default/semaphore/app/externalsecret.yaml
+++ b/kubernetes/apps/default/semaphore/app/externalsecret.yaml
@@ -0,0 +1,37 @@
 ---
 # yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: semaphore
  namespace: default
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: semaphore-secret
    creationPolicy: Owner
    template:
      data:
        # Ansible Semaphore
        SEMAPHORE_DB_USER: &dbUser "{{ .POSTGRES_USER }}"
        SEMAPHORE_DB_PASS: &dbPass "{{ .POSTGRES_PASS }}"
        SEMAPHORE_DB_HOST: &dbHost postgres-rw.default.svc.cluster.local
        SEMAPHORE_DB_PORT: "5432"
        SEMAPHORE_DB: &dbName semaphore
        SEMAPHORE_ADMIN_PASSWORD: "{{ .SEMAPHORE_ADMIN_PASSWORD }}"
        SEMAPHORE_ADMIN_NAME: "{{ .SEMAPHORE_ADMIN_NAME }}"
        SEMAPHORE_ADMIN: "{{ .SEMAPHORE_ADMIN }}"
        SEMAPHORE_ACCESS_KEY_ENCRYPTION: "{{ .SEMAPHORE_ACCESS_KEY_ENCRYPTION }}"
        # Postgres Init
        INIT_POSTGRES_DBNAME: *dbName
        INIT_POSTGRES_HOST: *dbHost
        INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
        INIT_POSTGRES_USER: *dbUser
        INIT_POSTGRES_PASS: *dbPass
  dataFrom:
    - extract:
        key: cloudnative-pg
    - extract:
        key: semaphore
--- a/kubernetes/apps/default/semaphore/app/helmrelease.yaml
+++ b/kubernetes/apps/default/semaphore/app/helmrelease.yaml
@@ -6,7 +6,7 @@ metadata:
  name: semaphore
  namespace: default
 spec:
-  interval: 15m
+  interval: 30m
  chart:
    spec:
      chart: app-template
@@ -15,7 +15,7 @@ spec:
        kind: HelmRepository
        name: bjw-s
        namespace: flux-system
-  maxHistory: 3
+  maxHistory: 2
  install:
    createNamespace: true
    remediation:
@@ -28,11 +28,12 @@ spec:
    keepHistory: false
  values:
    initContainers:
-      init-db:
+      01-init-db:
-        image: ghcr.io/onedr0p/postgres-initdb:14.8
+        image: ghcr.io/onedr0p/postgres-init:14.8
-        envFrom:
+        imagePullPolicy: IfNotPresent
        envFrom: &envFrom
          - secretRef:
-              name: semaphore-secret
+              name: &secret semaphore-secret
    controller:
      annotations:
        reloader.stakater.com/auto: "true"
@@ -40,12 +41,11 @@ spec:
      repository: docker.io/semaphoreui/semaphore
      tag: v2.8.91
    env:
      SEMAPHORE_DB_DIALECT: postgres
      SEMAPHORE_LDAP_ACTIVATED: "no"
      SEMAPHORE_PLAYBOOK_PATH: /tmp/semaphore/
      SEMAPHORE_ADMIN_EMAIL: "${SECRET_CLUSTER_DOMAIN_EMAIL}"
-    envFrom:
+    envFrom: *envFrom
      - secretRef:
          name: semaphore-secret
    service:
      main:
        ports:
--- a/kubernetes/apps/default/semaphore/app/kustomization.yaml
+++ b/kubernetes/apps/default/semaphore/app/kustomization.yaml
@@ -4,5 +4,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: default
 resources:
  - ./externalsecret.yaml
  - ./helmrelease.yaml
  - ./secret.sops.yaml
--- a/kubernetes/apps/default/semaphore/app/secret.sops.yaml
+++ b/kubernetes/apps/default/semaphore/app/secret.sops.yaml
@@ -1,45 +0,0 @@
 # yamllint disable
 apiVersion: v1
 kind: Secret
 metadata:
    name: semaphore-secret
    namespace: default
 type: Opaque
 stringData:
    #ENC[AES256_GCM,data:sgvfTo/EWQFqeQ2xZ/iLCPov,iv:SF3b5MYuNOSlK+o4hLGHOk9e1vSpN7kSQUSrhTIA2tc=,tag:dpKEfawky8MPqniHVZ52Sw==,type:comment]
    SEMAPHORE_DB_DIALECT: ENC[AES256_GCM,data:nyDaS8zCV4o=,iv:YCQiaTeAxm4bGCeNx6kJI8u/hOlQ36C97Fuef5FenNs=,tag:75QZEHB0cF92NaPjbd44KA==,type:str]
    SEMAPHORE_DB_USER: ENC[AES256_GCM,data:FOFePOCsxamf,iv:556TKMhCRhHWEyPwLvFPFMwmo9RKiz1pW9OJJUsSwgk=,tag:6rPAfthdf73N1X83S+UynQ==,type:str]
    SEMAPHORE_DB_PASS: ENC[AES256_GCM,data:Nl66upZmTE4xykvseIqtsS2w5G4=,iv:QkW7oGqDyY9G5yi1yMAhw3y48RmPGWqoKNL9tlUm5MU=,tag:Wu5fPPywslQOC8dGBea0bw==,type:str]
    SEMAPHORE_DB_HOST: ENC[AES256_GCM,data:SlxTav3/SdtmeLD+NdB6oo8rb58FMYeM3odW4gey2OWGIwmzvw==,iv:Udz0Nu9zIk/h+8vur9wfC92iK5RjSpAoyV1Z4pb/5sY=,tag:zJPys79V5yz04nvj0VlcKg==,type:str]
    SEMAPHORE_DB_PORT: ENC[AES256_GCM,data:qvnfig==,iv:jBXljtUMN7IM1JZHBa35FpwVdiKdOXKDJYJGeH1wTQU=,tag:PbwIlXX2CMRWxUnmKoDsSQ==,type:str]
    SEMAPHORE_DB: ENC[AES256_GCM,data:v1dS1uIC8tGz,iv:nUz0Q88R/CnDmKuc//YqaAq3Mkbi+6miWkf9W0xmMbE=,tag:YopXWX3B70HHxq1Gc8NqUQ==,type:str]
    SEMAPHORE_ADMIN_PASSWORD: ENC[AES256_GCM,data:yLiUSF9VyLN5YNfvAafUaV0KyaA=,iv:4BV3mxZMso0u2c/5jCAaEHbqijZiaLvATM6kJmcCvKY=,tag:tmHatfh3jHUX4MAzcUM7XQ==,type:str]
    SEMAPHORE_ADMIN_NAME: ENC[AES256_GCM,data:zXt5NHSg,iv:NN/j6bFE03XbljhzQiTTkRRHqx/YU0nWHpGzjTKdC5Y=,tag:dteln0PGY4+b4hzaa7/mWw==,type:str]
    SEMAPHORE_ADMIN: ENC[AES256_GCM,data:FMxAjLY=,iv:Oj9N3OBgAHBO+FAaqbMy70/F8hloUHWx8lXpUuaY6m0=,tag:xCw/C2s15dMSbD5z8wPhVA==,type:str]
    SEMAPHORE_ACCESS_KEY_ENCRYPTION: ENC[AES256_GCM,data:ct9BMd7uE0DcD2kHsNkqD5vnfpAwLKLHImJu1ih56CHmhV03d3OrYDjHQ1g=,iv:MFCc4EvM40Q+1+xK5zTYXhFGkfEvkLmZuIbkOZI/0U4=,tag:sOkZUUNlikdeUp6Ax+Og4w==,type:str]
    #ENC[AES256_GCM,data:G9yw2//y27PlVIHYhgA=,iv:qJ+cx+HixCnkGSARdo5fFYDJQT3jHearN00HeO0EwMk=,tag:yPer6XrUnfpKwrdsBlSkRA==,type:comment]
    POSTGRES_DB: ENC[AES256_GCM,data:tsx2YRZtnx9u,iv:8zVFcdkLjSmbFgHXafyTBeXNmzTvvo9b5WPNRbtLHAM=,tag:yXOIDOp8Hm0dQuKfs5k1ig==,type:str]
    POSTGRES_HOST: ENC[AES256_GCM,data:J7athqTJ9IEmr754JHpXxX7OepWTfuwxRCVUhy9cs/C+60nFNw==,iv:7q7sjl2SlIeDxRMtmf6ojU7hQ7wfH4dS/lheSz8TstI=,tag:SC/84LbwWT+ZxBflXvaHpw==,type:str]
    POSTGRES_SUPER_PASS: ENC[AES256_GCM,data:vihjmp4ehKUnXu4G3fxz/g==,iv:JGU0/W49NuacVNK5FE4Y8xviVT9nKhcJxuoZYj1UYDA=,tag:XIb324L6UHD/eu5omlRLEw==,type:str]
    POSTGRES_PASS: ENC[AES256_GCM,data:qgKq9wFrS11Ts3brLGV7xJfbkE0=,iv:Jy3leaCr7MljBCpKzVDiyroBQw37W1/GIw9itA/Pb7o=,tag:0JnelzWhN2oXCsMRlRW2Cw==,type:str]
    POSTGRES_USER: ENC[AES256_GCM,data:oNBXe1ln8LlO,iv:tgGEQyNy8aS2Gjm8yZR0rVzWN1FEcCKanjUKGAlbrkg=,tag:jeA4HSoK3kSFqvJTFyWGMw==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJaU16anJNV2pBZmxPR3h2
            bWREUnpjcTFvd05ZQ2E4VVBDdm1FL2k4WEYwCkdQSStTNWtpdjNkUW51WS9MekdC
            VkpTUUFjSjY2a1JMOUtqOVh5M0JRR2sKLS0tIDRmcWpJSEVvaUp4U1lsaTZYZGNw
            OGVKWU0zNUZJSFh4aFJxQWFsYm1VeFkKaDeI/hl7z0Qh8t5W39Kxu9ert1dt4xo+
            LX+MjpVqxiZNcfwROD4bkWeQSN+VsxoGOOyj4L15BlggNnlg+L7Hww==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2023-01-20T21:37:28Z"
    mac: ENC[AES256_GCM,data:dagIu0cei3FxxV9iiLhHWimUpO///hZ2e/GaZ99go9XgVuMuJ5Nu3xLrgV/49qs4gQDsqA6XEoTeOpWK+6geO2k/dFxYQZixj3SH3CpWyrGl6lc+yFDLuCHLklh0OpKG9x7R9BlUkWt1M27Tmr1mdV6NZXqOZazJp4bT/ucETIE=,iv:LVi/RYrruDCk0C9LcyxSW1kO3zRKKJh1LLl5FYq325w=,tag:ng6MhZofV1t2XSghYC8u/Q==,type:str]
    pgp: []
    encrypted_regex: ^(data|stringData)$
    version: 3.7.3
--- a/kubernetes/apps/default/semaphore/ks.yaml
+++ b/kubernetes/apps/default/semaphore/ks.yaml
@@ -9,6 +9,7 @@ metadata:
    substitution.flux.home.arpa/enabled: "true"
 spec:
  dependsOn:
    - name: cluster-apps-external-secrets-stores
    - name: cluster-apps-cloudnative-pg-app
  path: ./kubernetes/apps/default/semaphore/app
  prune: true
--- a/kubernetes/apps/default/sharry/app/externalsecret.yaml
+++ b/kubernetes/apps/default/sharry/app/externalsecret.yaml
@@ -0,0 +1,28 @@
 ---
 # yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: sharry
  namespace: default
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: sharry-secret
    creationPolicy: Owner
    template:
      engineVersion: v2
      data:
        # Postgres Init
        INIT_POSTGRES_DBNAME: sharry
        INIT_POSTGRES_HOST: postgres-rw.default.svc.cluster.local
        INIT_POSTGRES_USER: "{{ .POSTGRES_USERNAME }}"
        INIT_POSTGRES_PASS: "{{ .POSTGRES_PASSWORD }}"
        INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
  dataFrom:
    - extract:
        key: cloudnative-pg
    - extract:
        key: sharry
--- a/kubernetes/apps/default/sharry/app/helmrelease.yaml
+++ b/kubernetes/apps/default/sharry/app/helmrelease.yaml
@@ -6,7 +6,7 @@ metadata:
  name: &app sharry
  namespace: default
 spec:
-  interval: 15m
+  interval: 30m
  chart:
    spec:
      chart: app-template
@@ -15,7 +15,7 @@ spec:
        kind: HelmRepository
        name: bjw-s
        namespace: flux-system
-  maxHistory: 3
+  maxHistory: 2
  install:
    createNamespace: true
    remediation:
@@ -27,9 +27,16 @@ spec:
  uninstall:
    keepHistory: false
  values:
    initContainers:
      01-init-db:
        image: ghcr.io/onedr0p/postgres-init:14.8
        imagePullPolicy: IfNotPresent
        envFrom: &envFrom
          - secretRef:
              name: &secret sharry-secret
    controller:
-      replicas: 1
+      annotations:
-      strategy: Recreate
+        reloader.stakater.com/auto: "true"
    image:
      repository: eikek0/sharry
      tag: v1.12.1
@@ -56,9 +63,6 @@ spec:
        tls:
          - hosts:
              - *host
    podAnnotations:
      configMap.reloader.stakater.com/reload: *app
      secret.reloader.stakater.com/reload: *app
    resources:
      requests:
        cpu: 50m
@@ -69,6 +73,6 @@ spec:
      config:
        enabled: true
        type: configMap
-        name: sharry
+        name: sharry-configmap
        mountPath: /opt/sharry.conf
        subPath: sharry.conf
--- a/kubernetes/apps/default/sharry/app/kustomization.yaml
+++ b/kubernetes/apps/default/sharry/app/kustomization.yaml
@@ -4,11 +4,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: default
 resources:
  - ./externalsecret.yaml
  - ./helmrelease.yaml
 patchesStrategicMerge:
  - ./patches/postgres.yaml
 configMapGenerator:
-  - name: sharry
+  - name: sharry-configmap
    files:
      - ./config/sharry.conf
 generatorOptions:
--- a/kubernetes/apps/default/sharry/app/patches/postgres.yaml
+++ b/kubernetes/apps/default/sharry/app/patches/postgres.yaml
@@ -1,26 +0,0 @@
 ---
 # yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helm.toolkit.fluxcd.io/helmrelease_v2beta1.json
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  name: sharry
  namespace: default
 spec:
  values:
    initContainers:
      init-db:
        image: ghcr.io/onedr0p/postgres-initdb:14.8
        env:
          - name: POSTGRES_HOST
            value: ${POSTGRES_HOST}
          - name: POSTGRES_DB
            value: sharry
          - name: POSTGRES_SUPER_PASS
            valueFrom:
              secretKeyRef:
                name: postgres-superuser
                key: password
          - name: POSTGRES_USER
            value: ${SECRET_SHARRY_DB_USERNAME}
          - name: POSTGRES_PASS
            value: ${SECRET_SHARRY_DB_PASSWORD}
--- a/kubernetes/apps/default/smtp-relay/app/externalsecret.yaml
+++ b/kubernetes/apps/default/smtp-relay/app/externalsecret.yaml
@@ -0,0 +1,18 @@
 ---
 # yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: smtp-relay
  namespace: default
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: smtp-relay-secret
    creationPolicy: Owner
  dataFrom:
    - extract:
        # SMTP_DOMAIN, SMTP_EMAIL_SMTP_USERNAME, SMTP_PASSWORD
        key: smtp-relay
--- a/kubernetes/apps/default/smtp-relay/app/helmrelease.yaml
+++ b/kubernetes/apps/default/smtp-relay/app/helmrelease.yaml
@@ -6,7 +6,7 @@ metadata:
  name: &app smtp-relay
  namespace: default
 spec:
-  interval: 15m
+  interval: 30m
  chart:
    spec:
      chart: app-template
@@ -15,7 +15,7 @@ spec:
        kind: HelmRepository
        name: bjw-s
        namespace: flux-system
-  maxHistory: 3
+  maxHistory: 2
  install:
    createNamespace: true
    remediation:
@@ -28,7 +28,6 @@ spec:
    keepHistory: false
  values:
    controller:
      replicas: 1
      strategy: RollingUpdate
      annotations:
        reloader.stakater.com/auto: "true"
--- a/kubernetes/apps/default/smtp-relay/app/kustomization.yaml
+++ b/kubernetes/apps/default/smtp-relay/app/kustomization.yaml
@@ -4,8 +4,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: default
 resources:
  - ./externalsecret.yaml
  - ./helmrelease.yaml
  - ./secret.sops.yaml
 configMapGenerator:
  - name: smtp-relay-configmap
    files:
--- a/kubernetes/apps/default/smtp-relay/app/secret.sops.yaml
+++ b/kubernetes/apps/default/smtp-relay/app/secret.sops.yaml
@@ -1,29 +0,0 @@
 # yamllint disable
 kind: Secret
 apiVersion: v1
 type: Opaque
 metadata:
    name: smtp-relay-secret
    namespace: default
 stringData:
    SMTP_PASSWORD: ENC[AES256_GCM,data:Yf/FCPWceNJadwSaTvNXug==,iv:eErTrc6gWkClzoMmLgkz6xgaUA/W7cZoxhgGeCuHPyk=,tag:HYWJN3imrt/Umv4NREuQpg==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkSGowVER2SFNrYTVxOUc4
            S1lDV295S2tnTlE1TkFuWnFYdXZoZ2ZlYkVrCmdRaXpGNTZTbDBjbkxPTkhaSkU1
            ZTZEakZwV1prTXpGalc2L0MrQ3BlVlEKLS0tIDdIdTdKTzBybHc5NjJaU0Z4dFg1
            U003SkswTXRYaUdWYzVRL2oxb2RGdEEKQojCy0af9JFKnKSYQhT2C1sXIBjfKjEz
            b7/1MAC99t37PRSsyh+ALf6DctqxysHKpG6Ku/RAchPqd2MwtIjWlQ==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2022-12-01T22:33:34Z"
    mac: ENC[AES256_GCM,data:guldqBejtXp67NO2A/B0kPCLlJmpE7OAp04IRnv8iaMyvo/TxBkgvC8PQ/oQesxf2KNlJ671ewlIU9IdDres8qAC6ytV+iWVZGusOQfXKZKO5EWygckXokvs7jIfxWI7TdztLCMXlzaVDyH4fnrg2x4luxc3PNrctDfzu/vEP3s=,iv:Z9XHDirjaOs5UU5hWakGWDAvzvadIbJvBp4QbXCiw24=,tag:9WLfHq0SIQRvJqUmNWrSXA==,type:str]
    pgp: []
    encrypted_regex: ^(data|stringData)$
    version: 3.7.3
--- a/kubernetes/apps/default/smtp-relay/ks.yaml
+++ b/kubernetes/apps/default/smtp-relay/ks.yaml
@@ -10,6 +10,8 @@ metadata:
 spec:
  path: ./kubernetes/apps/default/smtp-relay/app
  prune: true
  dependsOn:
    - name: cluster-apps-external-secrets-stores
  sourceRef:
    kind: GitRepository
    name: home-ops-kubernetes
--- a/kubernetes/apps/default/sonarr/app/backups/kustomization.yaml
+++ b/kubernetes/apps/default/sonarr/app/backups/kustomization.yaml
@@ -1,7 +0,0 @@
 ---
 # yaml-language-server: $schema=https://json.schemastore.org/kustomization
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - ./replicationsource.yaml
  - ./restic.sops.yaml
--- a/kubernetes/apps/default/sonarr/app/backups/replicationsource.yaml
+++ b/kubernetes/apps/default/sonarr/app/backups/replicationsource.yaml
@@ -1,25 +0,0 @@
 ---
 # yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/replicationsource_v1alpha1.json
 apiVersion: volsync.backube/v1alpha1
 kind: ReplicationSource
 metadata:
  name: sonarr
  namespace: default
 spec:
  sourcePVC: sonarr-config
  trigger:
    schedule: "0 0 * * *"
  restic:
    copyMethod: Snapshot
    pruneIntervalDays: 10
    repository: sonarr-restic
    cacheCapacity: 2Gi
    volumeSnapshotClassName: csi-ceph-blockpool
    storageClassName: rook-ceph-block
    moverSecurityContext:
      runAsUser: 568
      runAsGroup: 568
      fsGroup: 568
    retain:
      daily: 10
      within: 3d
--- a/kubernetes/apps/default/sonarr/app/backups/restic.sops.yaml
+++ b/kubernetes/apps/default/sonarr/app/backups/restic.sops.yaml
@@ -1,35 +0,0 @@
 apiVersion: v1
 kind: Secret
 metadata:
    name: sonarr-restic
    namespace: default
 type: Opaque
 stringData:
    #ENC[AES256_GCM,data:WTM0Lkqp+sxjbUgkNzAVZQnC5g==,iv:4y8R8GpLy2Ogh3Lt3v6ibVbJF7jy8K1BOGi+ONt7S5c=,tag:wRhEBfRNHp0PBvIjM60iSA==,type:comment]
    RESTIC_REPOSITORY: ENC[AES256_GCM,data:E7B+rjyyZrHxiLBh/xnUl1b88ERSnGxUGHzZH+087fbXJOlbySnFuKRv+jPHMCoa//0r8RsC5mM=,iv:evk0OG92emADqogInteT7NSOsd+aGXEF8xMVLIVB63M=,tag:9YuM5VMkLpAA316dkjr5HA==,type:str]
    #ENC[AES256_GCM,data:cRvGVeuDnEbJs01G+Und5ls1EgaC9Q2vj61IE/2R,iv:qSjv4bGEX9QWABhXgnCJsoj0p1kjgYaQwQX0Oyu9RHk=,tag:x8i1WXbAvdpC+Iv8pn/drw==,type:comment]
    RESTIC_PASSWORD: ENC[AES256_GCM,data:6VI/lJQFZg6hu5r0SqNAKQAQGYY=,iv:UYRMnkHB4jsXcV1tyLDTAqh6dxsd18hYWsDoSpjJarA=,tag:d6hgK6LSgu7vZbLfquKcyA==,type:str]
    #ENC[AES256_GCM,data:YIIHR5DwXv3YE9fFvNSAfrm47ZsshZMcY31LbaJ4gwXo0yOOHe6qDEc=,iv:axSMsvrIOkJFlErvw9fcAwLNSEWDh6mUU6dWZu6icIo=,tag:MDNlk43vcI9S4o6tMiWVmw==,type:comment]
    #ENC[AES256_GCM,data:8Wspw6gPIPBsumfRS/5dlZrAQQqBJEDMgcpip4a3HCfHq8SeVDv4Gl0j3hyZqUsP5af8nN69Y/9bas7z1hnIERkrb8DqYg==,iv:WqCz9vBfg1JxUEpd97J37YztSW3HkcOHa6nIJI4VK8I=,tag:+LxnOzGidF39ojPKSOrVsg==,type:comment]
    AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:I9vuuPEGS6A135zwKUNXvSIAjwk=,iv:dByy2WuuhO6OluWXYRwkdMutK33yKwOcWkR9hvY5bsg=,tag:xHU7Hbx+sxuZ9CRymA55JQ==,type:str]
    AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kRdbENGS1F32JzkvktYkbfhMGBSrUpFSfyCdIpJwLOc+/2TyHAMrxA==,iv:Q+UKNT9aRo+A0KWu/FiST/4bOQKTOBJKHhpP8JXD3ao=,tag:7VE8lx2QAdNutcUj5kMNNA==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RE9wTDZVRlExcnVKYjVZ
            THNtblNXbGlSUitoS0FYV2k3dlg3aWZEMWxjCmZETUFGSnR0c3JZU2FHNnFneHdB
            TEdlYjJTcjNsSDQ0dmgvNWlnNWo4TWMKLS0tIGR2Q25heThUUGliY0ZicDNra1FN
            dGppaVJiME1FQnkzdVJOeTZMcjhYWE0KBrGQAYun1Zs3oyHWQ8iGvmF4hheP3md4
            3/Lc9CqEC+V1lT9On8ivEBethjt528vCyVMM5pLMRBEO6CMjlNhJ+g==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2022-12-28T15:35:19Z"
    mac: ENC[AES256_GCM,data:VRBAxTHYtA4MWbi5qylhkRP2OlCAu8lOodgxVHlPicLY/AFxa70NhZcVMAD1iewVpr98ul0BQb/VdtRxlRdq4LjecdNK6o/FJUcvMVRjOBmMMyvqGnGmlif7MLMRt6H+FAknTC6nCJ1uSGu6KihvAA1f7jIeCOxzApGYqIsHp5M=,iv:yCrKaT5zu9ROQH5c8etRrYSlKRIKVeiNngbsOiX2a1g=,tag:4AINfTcGTA07MvMq7g4WXw==,type:str]
    pgp: []
    encrypted_regex: ^(data|stringData)$
    version: 3.7.3
--- a/kubernetes/apps/default/sonarr/app/externalsecret.yaml
+++ b/kubernetes/apps/default/sonarr/app/externalsecret.yaml
@@ -0,0 +1,25 @@
 ---
 # yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: sonarr
  namespace: default
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: sonarr-secret
    creationPolicy: Owner
    template:
      data:
        # App
        SONARR__API_KEY: "{{ .SONARR__API_KEY }}"
        PUSHOVER_API_TOKEN: "{{ .PUSHOVER_API_TOKEN }}"
        PUSHOVER_USER_KEY: "{{ .PUSHOVER_USER_KEY }}"
  dataFrom:
    - extract:
        key: pushover
    - extract:
        key: sonarr
--- a/kubernetes/apps/default/sonarr/app/helmrelease.yaml
+++ b/kubernetes/apps/default/sonarr/app/helmrelease.yaml
@@ -6,7 +6,7 @@ metadata:
  name: &app sonarr
  namespace: default
 spec:
-  interval: 15m
+  interval: 30m
  chart:
    spec:
      chart: app-template
@@ -15,7 +15,7 @@ spec:
        kind: HelmRepository
        name: bjw-s
        namespace: flux-system
-  maxHistory: 3
+  maxHistory: 2
  install:
    createNamespace: true
    remediation:
@@ -27,6 +27,10 @@ spec:
  uninstall:
    keepHistory: false
  values:
    controller:
      annotations:
        reloader.stakater.com/auto: "true"
        configmap.reloader.stakater.com/reload: sonarr-pushover
    image:
      repository: ghcr.io/onedr0p/sonarr-develop
      tag: 4.0.0.559@sha256:62cc0157d673e68691c83c27a13011d416f28734134431bf27cf9b557cb7c2c5
@@ -40,7 +44,7 @@ spec:
      SONARR__LOG_LEVEL: info
    envFrom:
      - secretRef:
-          name: *app
+          name: sonarr-secret
    service:
      main:
        ports:
@@ -97,9 +101,6 @@ spec:
        mountPath: /scripts/pushover-notify.sh
        defaultMode: 0775
        readOnly: true
    podAnnotations:
      configmap.reloader.stakater.com/reload: sonarr-pushover
      secret.reloader.stakater.com/reload: *app
    resources:
      requests:
        cpu: 500m
--- a/kubernetes/apps/default/sonarr/app/kustomization.yaml
+++ b/kubernetes/apps/default/sonarr/app/kustomization.yaml
@@ -4,9 +4,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: default
 resources:
-  - ./backups
+  - ./externalsecret.yaml
  - ./helmrelease.yaml
-  - ./secret.sops.yaml
+  - ./volsync.yaml
  - ./volume.yaml
 configMapGenerator:
  - name: sonarr-pushover
--- a/kubernetes/apps/default/sonarr/app/secret.sops.yaml
+++ b/kubernetes/apps/default/sonarr/app/secret.sops.yaml
@@ -1,31 +0,0 @@
 # yamllint disable
 apiVersion: v1
 kind: Secret
 metadata:
    name: sonarr
    namespace: default
 type: Opaque
 stringData:
    PUSHOVER_TOKEN: ENC[AES256_GCM,data:VbPcH4St6p1+rdYkXgXnmWJw9wH1eeFe0KM0TxH9,iv:WLxuFr8DscUhYrgglmAPctrrY2QsItfwQ5ZnKD2P7xE=,tag:tfLhrhos9ZFKhuMdCnHDEA==,type:str]
    PUSHOVER_USER_KEY: ENC[AES256_GCM,data:3UbR7hAnBAAjw/tdB8TSMZw3inuJJhJx9AiIN4tZ,iv:GuB8Kf/pAOp32SiVhpSLFisIeoEg1VxdYm2Raw2stRM=,tag:A8nDFwYPcZ7fOPG/UPYYzQ==,type:str]
    SONARR__API_KEY: ENC[AES256_GCM,data:2byvnqPCT5MWJBnSmQrzXDnmfCvokUrr2PIR27iC+Y8=,iv:ejJtd3eXWlw0MyA6eXWVPChyVNgHK+FVpSYg2guOvZ8=,tag:QR0/X0cbJXFvzXhItglnCQ==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJaU16anJNV2pBZmxPR3h2
            bWREUnpjcTFvd05ZQ2E4VVBDdm1FL2k4WEYwCkdQSStTNWtpdjNkUW51WS9MekdC
            VkpTUUFjSjY2a1JMOUtqOVh5M0JRR2sKLS0tIDRmcWpJSEVvaUp4U1lsaTZYZGNw
            OGVKWU0zNUZJSFh4aFJxQWFsYm1VeFkKaDeI/hl7z0Qh8t5W39Kxu9ert1dt4xo+
            LX+MjpVqxiZNcfwROD4bkWeQSN+VsxoGOOyj4L15BlggNnlg+L7Hww==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2022-12-28T15:35:43Z"
    mac: ENC[AES256_GCM,data:W28v1mhf0LE/Wx/wz5YebMTvEAUY1/g8/aZmJKJNzioyT909NTlixyyMScZ9cUj/tKchkiv9DG9zKHNWiZSWHV8eEIsrzth4ENR0Puj0ZXzAFQAblzQh50DPMIVURt6FXcIh9Uw05fXcJwu2AN/lkWplsG7sDMo7n5y95ZomVHM=,iv:WSvs/o2Jep7DnoHBz2O/5t6aGjfYTNwRclGyf4npbOs=,tag:2OqXhjFhAnnxAK16o8TuOQ==,type:str]
    pgp: []
    encrypted_regex: ^(data|stringData)$
    version: 3.7.3
--- a/kubernetes/apps/default/sonarr/app/volsync.yaml
+++ b/kubernetes/apps/default/sonarr/app/volsync.yaml
@@ -0,0 +1,49 @@
 ---
 # yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: sonarr-restic
  namespace: default
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: sonarr-restic-secret
    creationPolicy: Owner
    template:
      engineVersion: v2
      data:
        RESTIC_REPOSITORY: '{{ .REPOSITORY_TEMPLATE }}/sonarr'
        RESTIC_PASSWORD: '{{ .RESTIC_PASSWORD }}'
        AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}'
        AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}'
  dataFrom:
    - extract:
        key: volsync-restic-template
 ---
 # yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/volsync.backube/replicationsource_v1alpha1.json
 apiVersion: volsync.backube/v1alpha1
 kind: ReplicationSource
 metadata:
  name: sonarr
  namespace: default
 spec:
  sourcePVC: sonarr-config
  trigger:
    schedule: "0 7 * * *"
  restic:
    copyMethod: Snapshot
    pruneIntervalDays: 7
    repository: sonarr-restic-secret
    cacheCapacity: 2Gi
    volumeSnapshotClassName: csi-ceph-blockpool
    storageClassName: rook-ceph-block
    moverSecurityContext:
      runAsUser: 568
      runAsGroup: 568
      fsGroup: 568
    retain:
      daily: 7
      within: 3d
--- a/kubernetes/apps/default/sonarr/ks.yaml
+++ b/kubernetes/apps/default/sonarr/ks.yaml
@@ -9,6 +9,7 @@ metadata:
    substitution.flux.home.arpa/enabled: "true"
 spec:
  dependsOn:
    - name: cluster-apps-external-secrets-stores
    - name: cluster-apps-rook-ceph-cluster
    - name: cluster-apps-volsync-app
  path: ./kubernetes/apps/default/sonarr/app
--- a/kubernetes/apps/default/tandoor/app/backups/kustomization.yaml
+++ b/kubernetes/apps/default/tandoor/app/backups/kustomization.yaml
@@ -1,7 +0,0 @@
 ---
 # yaml-language-server: $schema=https://json.schemastore.org/kustomization
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - ./replicationsource.yaml
  - ./restic.sops.yaml
--- a/kubernetes/apps/default/tandoor/app/backups/replicationsource.yaml
+++ b/kubernetes/apps/default/tandoor/app/backups/replicationsource.yaml
@@ -1,25 +0,0 @@
 ---
 # yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/replicationsource_v1alpha1.json
 apiVersion: volsync.backube/v1alpha1
 kind: ReplicationSource
 metadata:
  name: tandoor
  namespace: default
 spec:
  sourcePVC: tandoor-files
  trigger:
    schedule: "0 0 * * *"
  restic:
    copyMethod: Snapshot
    pruneIntervalDays: 10
    repository: tandoor-restic
    cacheCapacity: 2Gi
    volumeSnapshotClassName: csi-ceph-blockpool
    storageClassName: rook-ceph-block
    moverSecurityContext:
      runAsUser: 568
      runAsGroup: 568
      fsGroup: 568
    retain:
      daily: 10
      within: 3d
--- a/kubernetes/apps/default/tandoor/app/backups/restic.sops.yaml
+++ b/kubernetes/apps/default/tandoor/app/backups/restic.sops.yaml
@@ -1,35 +0,0 @@
 apiVersion: v1
 kind: Secret
 metadata:
    name: tandoor-restic
    namespace: default
 type: Opaque
 stringData:
    #ENC[AES256_GCM,data:WTM0Lkqp+sxjbUgkNzAVZQnC5g==,iv:4y8R8GpLy2Ogh3Lt3v6ibVbJF7jy8K1BOGi+ONt7S5c=,tag:wRhEBfRNHp0PBvIjM60iSA==,type:comment]
    RESTIC_REPOSITORY: ENC[AES256_GCM,data:doNM45RgucJso4t85IZREhHclpvKXYy+GFomdGSokK7kjl7Jn25CJuG/u5t7GnjC0M2uYo8nhyMQ,iv:eNummV+QSSAkFFaZC0WPAMV/G+j70b0X6pN1MgUYx7s=,tag:gR260etgdx6Lwt9GXpDWew==,type:str]
    #ENC[AES256_GCM,data:cRvGVeuDnEbJs01G+Und5ls1EgaC9Q2vj61IE/2R,iv:qSjv4bGEX9QWABhXgnCJsoj0p1kjgYaQwQX0Oyu9RHk=,tag:x8i1WXbAvdpC+Iv8pn/drw==,type:comment]
    RESTIC_PASSWORD: ENC[AES256_GCM,data:6VI/lJQFZg6hu5r0SqNAKQAQGYY=,iv:UYRMnkHB4jsXcV1tyLDTAqh6dxsd18hYWsDoSpjJarA=,tag:d6hgK6LSgu7vZbLfquKcyA==,type:str]
    #ENC[AES256_GCM,data:YIIHR5DwXv3YE9fFvNSAfrm47ZsshZMcY31LbaJ4gwXo0yOOHe6qDEc=,iv:axSMsvrIOkJFlErvw9fcAwLNSEWDh6mUU6dWZu6icIo=,tag:MDNlk43vcI9S4o6tMiWVmw==,type:comment]
    #ENC[AES256_GCM,data:8Wspw6gPIPBsumfRS/5dlZrAQQqBJEDMgcpip4a3HCfHq8SeVDv4Gl0j3hyZqUsP5af8nN69Y/9bas7z1hnIERkrb8DqYg==,iv:WqCz9vBfg1JxUEpd97J37YztSW3HkcOHa6nIJI4VK8I=,tag:+LxnOzGidF39ojPKSOrVsg==,type:comment]
    AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:I9vuuPEGS6A135zwKUNXvSIAjwk=,iv:dByy2WuuhO6OluWXYRwkdMutK33yKwOcWkR9hvY5bsg=,tag:xHU7Hbx+sxuZ9CRymA55JQ==,type:str]
    AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kRdbENGS1F32JzkvktYkbfhMGBSrUpFSfyCdIpJwLOc+/2TyHAMrxA==,iv:Q+UKNT9aRo+A0KWu/FiST/4bOQKTOBJKHhpP8JXD3ao=,tag:7VE8lx2QAdNutcUj5kMNNA==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RE9wTDZVRlExcnVKYjVZ
            THNtblNXbGlSUitoS0FYV2k3dlg3aWZEMWxjCmZETUFGSnR0c3JZU2FHNnFneHdB
            TEdlYjJTcjNsSDQ0dmgvNWlnNWo4TWMKLS0tIGR2Q25heThUUGliY0ZicDNra1FN
            dGppaVJiME1FQnkzdVJOeTZMcjhYWE0KBrGQAYun1Zs3oyHWQ8iGvmF4hheP3md4
            3/Lc9CqEC+V1lT9On8ivEBethjt528vCyVMM5pLMRBEO6CMjlNhJ+g==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2022-12-28T06:24:08Z"
    mac: ENC[AES256_GCM,data:udFHC/EM7a4g1pOvhU8HJRiSSSnBDvzva3rrZdmjidfcjrt90dStpNL+AHCLXjqj0DsPJHP8bvyXsrrOQg+WXi47OnugUu0YnqaoS6n5nklCfhcqWU5PM5eG+zmuDkfnXT9EbwAyKXvnmzhIr4Rr2+LxsZNJpVqY6AfNM4IFRtc=,iv:lqVOyMN1c/9pxU/CRuEjcPd6890uNq3xgqwF8RKkFEo=,tag:YMrnTGCruKCbTq0r24SEyw==,type:str]
    pgp: []
    encrypted_regex: ^(data|stringData)$
    version: 3.7.3
--- a/kubernetes/apps/default/tandoor/app/externalsecret.yaml
+++ b/kubernetes/apps/default/tandoor/app/externalsecret.yaml
@@ -0,0 +1,34 @@
 ---
 # yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: tandoor
  namespace: default
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: tandoor-secret
    creationPolicy: Owner
    template:
      data:
        # App
        SECRET_KEY: "{{ .TANDOOR_SECRET_KEY }}"
        POSTGRES_HOST: &dbHost postgres-rw.default.svc.cluster.local
        POSTGRES_PORT: "5432"
        POSTGRES_DB: &dbName tandoor
        POSTGRES_USER: &dbUser "{{ .TANDOOR_POSTGRES_USER }}"
        POSTGRES_PASSWORD:  &dbPass "{{ .TANDOOR_POSTGRES_PASS }}"
        # Postgres Init
        INIT_POSTGRES_DBNAME: *dbName
        INIT_POSTGRES_HOST: *dbHost
        INIT_POSTGRES_USER: *dbUser
        INIT_POSTGRES_PASS: *dbPass
        INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
  dataFrom:
    - extract:
        key: cloudnative-pg
    - extract:
        key: tandoor
--- a/kubernetes/apps/default/tandoor/app/helmrelease.yaml
+++ b/kubernetes/apps/default/tandoor/app/helmrelease.yaml
@@ -6,7 +6,7 @@ metadata:
  name: &app tandoor
  namespace: default
 spec:
-  interval: 15m
+  interval: 30m
  chart:
    spec:
      chart: app-template
@@ -15,7 +15,7 @@ spec:
        kind: HelmRepository
        name: bjw-s
        namespace: flux-system
-  maxHistory: 3
+  maxHistory: 2
  install:
    createNamespace: true
    remediation:
@@ -33,9 +33,19 @@ spec:
    image:
      repository: vabene1111/recipes
      tag: 1.5.4
-    envFrom:
+    envFrom: &envFrom
      - secretRef:
          name: tandoor-secret
    env:
      DEBUG: "0"
      ALLOWED_HOSTS: "*"
      DB_ENGINE: django.db.backends.postgresql_psycopg2
      GUNICORN_MEDIA: "0"
      TIMEZONE: ${TIMEZONE}
      TANDOOR_PORT: 8888
      FRACTION_PREF_DEFAULT: "0"
      COMMENT_PREF_DEFAULT: "1"
      SHOPPING_MIN_AUTOSYNC_INTERVAL: "5"
    command:
      - /opt/recipes/venv/bin/gunicorn
      - -b
@@ -88,7 +98,7 @@ spec:
        type: "custom"
        volumeSpec:
          configMap:
-            name: *app
+            name: tandoor-configmap
      django-js-reverse:
        enabled: true
        type: emptyDir
@@ -106,9 +116,6 @@ spec:
      runAsGroup: 568
      fsGroup: 568
      fsGroupChangePolicy: "OnRootMismatch"
    podAnnotations:
      configMap.reloader.stakater.com/reload: *app
      secret.reloader.stakater.com/reload: *app
    resources:
      requests:
        cpu: 100m
@@ -116,7 +123,11 @@ spec:
      limits:
        memory: 512Mi
    initContainers:
-      init-migrate:
+      01-init-db:
        image: ghcr.io/onedr0p/postgres-init:14.8
        imagePullPolicy: IfNotPresent
        envFrom: *envFrom
      02-init-migrate:
        image: vabene1111/recipes:1.5.4
        env:
          - name: DB_ENGINE
@@ -145,9 +156,8 @@ spec:
            mountPath: /opt/recipes/cookbook/static/django_js_reverse
          - name: static
            mountPath: /opt/recipes/staticfiles
-    additionalContainers:
+    sidecars:
      nginx:
        name: nginx
        image: nginxinc/nginx-unprivileged:1.25.1-alpine
        imagePullPolicy: IfNotPresent
        ports:
--- a/kubernetes/apps/default/tandoor/app/kustomization.yaml
+++ b/kubernetes/apps/default/tandoor/app/kustomization.yaml
@@ -4,15 +4,12 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: default
 resources:
-  - ./backups
+  - ./externalsecret.yaml
  - ./helmrelease.yaml
-  - ./secret.sops.yaml
+  - ./volsync.yaml
  - ./volume.yaml
 patchesStrategicMerge:
  - ./patches/env.yaml
  - ./patches/postgres.yaml
 configMapGenerator:
-  - name: tandoor
+  - name: tandoor-configmap
    files:
      - ./config/nginx-config
 generatorOptions:
--- a/kubernetes/apps/default/tandoor/app/patches/env.yaml
+++ b/kubernetes/apps/default/tandoor/app/patches/env.yaml
@@ -1,22 +0,0 @@
 ---
 # yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helm.toolkit.fluxcd.io/helmrelease_v2beta1.json
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  name: tandoor
  namespace: default
 spec:
  values:
    env:
      DEBUG: "0"
      ALLOWED_HOSTS: "*"
      DB_ENGINE: django.db.backends.postgresql_psycopg2
      POSTGRES_HOST: ${POSTGRES_HOST}
      POSTGRES_PORT: ${POSTGRES_PORT}
      POSTGRES_DB: tandoor
      GUNICORN_MEDIA: "0"
      TIMEZONE: ${TIMEZONE}
      TANDOOR_PORT: 8888
      FRACTION_PREF_DEFAULT: "0"
      COMMENT_PREF_DEFAULT: "1"
      SHOPPING_MIN_AUTOSYNC_INTERVAL: "5"
--- a/kubernetes/apps/default/tandoor/app/patches/postgres.yaml
+++ b/kubernetes/apps/default/tandoor/app/patches/postgres.yaml
@@ -1,32 +0,0 @@
 ---
 # yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helm.toolkit.fluxcd.io/helmrelease_v2beta1.json
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  name: tandoor
  namespace: default
 spec:
  values:
    initContainers:
      init-db:
        image: ghcr.io/onedr0p/postgres-initdb:14.8
        env:
          - name: POSTGRES_HOST
            value: ${POSTGRES_HOST}
          - name: POSTGRES_DB
            value: tandoor
          - name: POSTGRES_SUPER_PASS
            valueFrom:
              secretKeyRef:
                name: postgres-superuser
                key: password
          - name: POSTGRES_USER
            valueFrom:
              secretKeyRef:
                name: tandoor-secret
                key: POSTGRES_USER
          - name: POSTGRES_PASS
            valueFrom:
              secretKeyRef:
                name: tandoor-secret
                key: POSTGRES_PASSWORD
--- a/kubernetes/apps/default/tandoor/app/secret.sops.yaml
+++ b/kubernetes/apps/default/tandoor/app/secret.sops.yaml
@@ -1,31 +0,0 @@
 # yamllint disable
 apiVersion: v1
 kind: Secret
 metadata:
    name: tandoor-secret
    namespace: default
 type: Opaque
 stringData:
    SECRET_KEY: ENC[AES256_GCM,data:Q6F1yVx9o5l+NGOYDe+m6DH/v1MxJQCSKT89IVwjqYI=,iv:KAkiYOyzD+i4ybTb19cIUaZlLq9/Hkda9c9ksf+FQrg=,tag:5nEYJe8JnrwScW2a8+dekw==,type:str]
    POSTGRES_USER: ENC[AES256_GCM,data:FYYcjxl00w==,iv:Qhyu+2pCDrLynJVKb88olLiG1S9mmSVJgdsWuBu2iPQ=,tag:XngsCKqqnv/eZUN715cY5A==,type:str]
    POSTGRES_PASSWORD: ENC[AES256_GCM,data:7nRBJj4SN//W6kcD4RwDOw==,iv:uTlW+I/H72vTlUIH7m9AVqRKSA+XMAQoJLGcu5cFFFM=,tag:tkeMqZVP8NHgyH4aOWSlFw==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3TlpyT0RXNHdBVHBKVkJo
            dGhPZDgvTHlOVHJ5d3JDeEZhd2NmQUxVdURrCkZKTWVPK2Y0L3NWVDJCbHRUYVQ2
            MGVuRXdSMHZzSFFpOHFNa2laNEF5T1EKLS0tIGcvVDBRWTJPeVJzVTg2ZzNRdTFJ
            VjJ5ZzIyNE9OMGVVcFBiOWRjazFGYkUK8wW2HI/BuiFMAyOV/BABZkE+L6qLVAuE
            LM+b1l2q79np70ostH7Jmox9KP4QsMLYxDhjse/ygS5e8oQRbb1oTg==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2023-04-11T21:32:22Z"
    mac: ENC[AES256_GCM,data:y+O9Ry6ybIm1hmfZspcyiJPzjGDa89e2Qa+oMj+qsye6T6Y3k0JRn/POGkrxHCsw05exKMa3+8ldQQgHewdiiv1TOJ3Xwap377AtYlId+hBfwyfPG1VtnBNu4pHDe919f6q7DNRJbaQscmZgFuZYRMyIeI+rBNT7slGuvAWwAjc=,iv:4DFc9cJ9BaDwv/E3ZVBFwf82879ePff6BoOryRBn0Oo=,tag:n870pnOy32XnELnZzyukvQ==,type:str]
    pgp: []
    encrypted_regex: ^(data|stringData)$
    version: 3.7.3
--- a/kubernetes/apps/default/tandoor/app/volsync.yaml
+++ b/kubernetes/apps/default/tandoor/app/volsync.yaml
@@ -0,0 +1,49 @@
 ---
 # yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: tandoor-restic
  namespace: default
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: tandoor-restic-secret
    creationPolicy: Owner
    template:
      engineVersion: v2
      data:
        RESTIC_REPOSITORY: '{{ .REPOSITORY_TEMPLATE }}/tandoor'
        RESTIC_PASSWORD: '{{ .RESTIC_PASSWORD }}'
        AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}'
        AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}'
  dataFrom:
    - extract:
        key: volsync-restic-template
 ---
 # yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/volsync.backube/replicationsource_v1alpha1.json
 apiVersion: volsync.backube/v1alpha1
 kind: ReplicationSource
 metadata:
  name: tandoor
  namespace: default
 spec:
  sourcePVC: tandoor-files
  trigger:
    schedule: "0 7 * * *"
  restic:
    copyMethod: Snapshot
    pruneIntervalDays: 7
    repository: tandoor-restic-secret
    cacheCapacity: 2Gi
    volumeSnapshotClassName: csi-ceph-blockpool
    storageClassName: rook-ceph-block
    moverSecurityContext:
      runAsUser: 568
      runAsGroup: 568
      fsGroup: 568
    retain:
      daily: 7
      within: 3d
--- a/kubernetes/apps/default/tandoor/ks.yaml
+++ b/kubernetes/apps/default/tandoor/ks.yaml
@@ -15,6 +15,7 @@ spec:
    name: home-ops-kubernetes
  dependsOn:
    - name: cluster-apps-cloudnative-pg-cluster
    - name: cluster-apps-external-secrets-stores
    - name: cluster-apps-rook-ceph-cluster
    - name: cluster-apps-volsync-app
  healthChecks:
--- a/kubernetes/apps/default/theme-park/app/helmrelease.yaml
+++ b/kubernetes/apps/default/theme-park/app/helmrelease.yaml
@@ -6,7 +6,7 @@ metadata:
  name: &app theme-park
  namespace: default
 spec:
-  interval: 15m
+  interval: 30m
  chart:
    spec:
      chart: app-template
@@ -15,7 +15,7 @@ spec:
        kind: HelmRepository
        name: bjw-s
        namespace: flux-system
-  maxHistory: 3
+  maxHistory: 2
  install:
    createNamespace: true
    remediation:
--- a/kubernetes/apps/default/truenas/app/backup/helmrelease.yaml
+++ b/kubernetes/apps/default/truenas/app/backup/helmrelease.yaml
@@ -6,7 +6,7 @@ metadata:
  name: truenas-backup
  namespace: default
 spec:
-  interval: 15m
+  interval: 30m
  chart:
    spec:
      chart: app-template
@@ -15,7 +15,7 @@ spec:
        kind: HelmRepository
        name: bjw-s
        namespace: flux-system
-  maxHistory: 3
+  maxHistory: 2
  install:
    createNamespace: true
    remediation:
@@ -39,11 +39,9 @@ spec:
    command: ["/bin/bash", "/app/truenas-backup.sh"]
    env:
      HOSTNAME: truenas
      SECRET_DOMAIN: ${SECRET_DOMAIN}
      SECRET_CLUSTER_DOMAIN: ${SECRET_CLUSTER_DOMAIN}
    envFrom:
      - secretRef:
-          name: truenas-backup-secret
+          name: truenas-secret
    service:
      main:
        enabled: false
@@ -59,8 +57,8 @@ spec:
      ssh:
        enabled: true
        type: secret
-        name: truenas-backup-secret
+        name: truenas-secret
-        subPath: SSH_KEY
+        subPath: TRUENAS_SSH_KEY
        mountPath: /opt/id_rsa
        defaultMode: 0775
        readOnly: true
@@ -72,13 +70,9 @@ spec:
        env:
          - name: HOSTNAME
            value: truenas-remote
          - name: SECRET_DOMAIN
            value: ${SECRET_DOMAIN}
          - name: SECRET_CLUSTER_DOMAIN
            value: ${SECRET_CLUSTER_DOMAIN}
        envFrom:
          - secretRef:
-              name: truenas-backup-secret
+              name: truenas-secret
        volumeMounts:
          - name: config
            readOnly: true
@@ -87,4 +81,4 @@ spec:
          - name: ssh
            readOnly: true
            mountPath: /opt/id_rsa
-            subPath: SSH_KEY
+            subPath: TRUENAS_SSH_KEY
--- a/kubernetes/apps/default/truenas/app/backup/kustomization.yaml
+++ b/kubernetes/apps/default/truenas/app/backup/kustomization.yaml
@@ -5,7 +5,6 @@ kind: Kustomization
 namespace: default
 resources:
  - ./helmrelease.yaml
  - ./secret.sops.yaml
 configMapGenerator:
  - name: truenas-backup-configmap
    files:
--- a/kubernetes/apps/default/truenas/app/backup/truenas-backup.sh
+++ b/kubernetes/apps/default/truenas/app/backup/truenas-backup.sh
@@ -7,8 +7,8 @@ mkdir -p ~/.ssh
 cp /opt/id_rsa ~/.ssh/id_rsa
 chmod 600 ~/.ssh/id_rsa
-printf -v aws_access_key_id_str %q "$AWS_ACCESS_KEY_ID"
+printf -v aws_access_key_id_str %q "$TRUENAS_AWS_ACCESS_KEY_ID"
-printf -v aws_secret_access_key_str %q "$AWS_SECRET_ACCESS_KEY"
+printf -v aws_secret_access_key_str %q "$TRUENAS_AWS_SECRET_ACCESS_KEY"
 printf -v secret_domain_str %q "$SECRET_DOMAIN"
--- a/kubernetes/apps/default/truenas/app/certs-deploy/helmrelease.yaml
+++ b/kubernetes/apps/default/truenas/app/certs-deploy/helmrelease.yaml
@@ -6,7 +6,7 @@ metadata:
  name: truenas-certs-deploy
  namespace: default
 spec:
-  interval: 15m
+  interval: 30m
  chart:
    spec:
      chart: app-template
@@ -15,7 +15,7 @@ spec:
        kind: HelmRepository
        name: bjw-s
        namespace: flux-system
-  maxHistory: 3
+  maxHistory: 2
  install:
    createNamespace: true
    remediation:
@@ -40,11 +40,10 @@ spec:
    env:
      HOSTNAME: truenas
      TRUENAS_HOME: /mnt/storage/home/homelab
      SECRET_DOMAIN: ${SECRET_DOMAIN}
      CERTS_DEPLOY_S3_ENABLED: "True"
    envFrom:
      - secretRef:
-          name: truenas-certs-deploy-secret
+          name: truenas-secret
    service:
      main:
        enabled: false
@@ -68,14 +67,13 @@ spec:
      ssh:
        enabled: true
        type: secret
-        name: truenas-certs-deploy-secret
+        name: truenas-secret
-        subPath: SSH_KEY
+        subPath: TRUENAS_SSH_KEY
        mountPath: /opt/id_rsa
        defaultMode: 0775
        readOnly: true
-    additionalContainers:
+    sidecars:
      truenas-remote-certs-deploy:
        name: truenas-remote-certs-deploy
        image: ghcr.io/auricom/kubectl:1.27.3@sha256:402cbd1a404bdae3db854252054e4160b5746067e6f462d4a48236c46f6ad28a
        command: ["/bin/bash", "/app/truenas-certs-deploy.sh"]
        env:
@@ -83,13 +81,11 @@ spec:
            value: truenas-remote
          - name: TRUENAS_HOME
            value: /mnt/vol1/home/homelab
          - name: SECRET_DOMAIN
            value: ${SECRET_DOMAIN}
          - name: CERTS_DEPLOY_S3_ENABLED
            value: "False"
        envFrom:
          - secretRef:
-              name: truenas-certs-deploy-secret
+              name: truenas-secret
        volumeMounts:
          - name: config
            readOnly: true
@@ -102,4 +98,4 @@ spec:
          - name: ssh
            readOnly: true
            mountPath: /opt/id_rsa
-            subPath: SSH_KEY
+            subPath: TRUENAS_SSH_KEY
--- a/kubernetes/apps/default/truenas/app/certs-deploy/kustomization.yaml
+++ b/kubernetes/apps/default/truenas/app/certs-deploy/kustomization.yaml
@@ -5,7 +5,6 @@ kind: Kustomization
 namespace: default
 resources:
  - ./helmrelease.yaml
  - ./secret.sops.yaml
 configMapGenerator:
  - name: truenas-certs-deploy-configmap
    files:
--- a/kubernetes/apps/default/truenas/app/certs-deploy/truenas-certs-deploy.py
+++ b/kubernetes/apps/default/truenas/app/certs-deploy/truenas-certs-deploy.py
--- a/kubernetes/apps/default/truenas/app/certs-deploy/truenas-certs-deploy.sh
+++ b/kubernetes/apps/default/truenas/app/certs-deploy/truenas-certs-deploy.sh
@@ -13,18 +13,18 @@ elif [ "${HOSTNAME}" == "truenas-remote" ]; then
    printf -v truenas_api_key %q "$TRUENAS_REMOTE_API_KEY"
 fi
 printf -v cert_deploy_s3_enabled_str %q "$CERTS_DEPLOY_S3_ENABLED"
-printf -v pushover_api_key_str %q "$PUSHOVER_API_KEY"
+printf -v pushover_api_token_str %q "$PUSHOVER_API_TOKEN"
 printf -v pushover_user_key_str %q "$PUSHOVER_USER_KEY"
 printf -v secret_domain_str %q "$SECRET_DOMAIN"
 scp -o StrictHostKeyChecking=no /app/truenas-certs-deploy.py homelab@${HOSTNAME}.${SECRET_DOMAIN}:${TRUENAS_HOME}/scripts/certificates_deploy.py
-ssh -o StrictHostKeyChecking=no homelab@${HOSTNAME}.${SECRET_DOMAIN} "/bin/bash -s $truenas_api_key $cert_deploy_s3_enabled_str $pushover_api_key_str $pushover_user_key_str $secret_domain_str" << 'EOF'
+ssh -o StrictHostKeyChecking=no homelab@${HOSTNAME}.${SECRET_DOMAIN} "/bin/bash -s $truenas_api_key $cert_deploy_s3_enabled_str $pushover_api_token_str $pushover_user_key_str $secret_domain_str" << 'EOF'
 set -o nounset
 set -o errexit
-PUSHOVER_API_KEY=$3
+PUSHOVER_API_TOKEN=$3
 PUSHOVER_USER_KEY=$4
 SECRET_DOMAIN=$5
@@ -48,7 +48,7 @@ if [[ "$result" == "${CERTS_DEPLOY_PRIVATE_KEY_PATH}" ]]; then
    echo "ERROR - Certificate is older than 69 days"
    echo "ERROR - Verify than it has been renewed by ACME client on opnsense and that the upload automation has been executed"
    curl -s \
-        --form-string "token=${PUSHOVER_API_KEY}" \
+        --form-string "token=${PUSHOVER_API_TOKEN}" \
        --form-string "user=${PUSHOVER_USER_KEY}" \
        --form-string "message=Certificate on $TARGET is older than 69 days. Verify than it has been renewed by ACME client on opnsense and that the upload automation has been executed" \
        https://api.pushover.net/1/messages.json
--- a/kubernetes/apps/default/truenas/app/externalsecret.yaml
+++ b/kubernetes/apps/default/truenas/app/externalsecret.yaml
@@ -0,0 +1,36 @@
 ---
 # yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: truenas
  namespace: default
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: truenas-secret
    creationPolicy: Owner
    template:
      data:
        # App
        PUSHOVER_API_TOKEN: "{{ .TRUENAS_PUSHOVER_API_TOKEN }}"
        PUSHOVER_USER_KEY: "{{ .PUSHOVER_USER_KEY }}"
        TRUENAS_AWS_ACCESS_KEY_ID: "{{ .TRUENAS_AWS_ACCESS_KEY_ID }}"
        TRUENAS_AWS_SECRET_ACCESS_KEY: "{{ .TRUENAS_AWS_SECRET_ACCESS_KEY }}"
        TRUENAS_SSH_KEY: "{{ .TRUENAS_SSH_KEY }}"
        TRUENAS_API_KEY: "{{ .TRUENAS_API_KEY }}"
        TRUENAS_REMOTE_API_KEY: "{{ .TRUENAS_REMOTE_API_KEY }}"
        SECRET_DOMAIN: "{{ .SECRET_DOMAIN }}"
        SECRET_PUBLIC_DOMAIN: "{{ .SECRET_PUBLIC_DOMAIN }}"
        SOPS_AGE_KEY: "{{ .SOPS_AGE_KEY }}"
  dataFrom:
    - extract:
        key: generic
    - extract:
        key: pushover
    - extract:
        key: sops
    - extract:
        key: truenas
--- a/kubernetes/apps/default/radarr/app/backups/kustomization.yaml
+++ b/kubernetes/apps/default/radarr/app/backups/kustomization.yaml
@@ -2,6 +2,9 @@
 # yaml-language-server: $schema=https://json.schemastore.org/kustomization
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: default
 resources:
-  - ./replicationsource.yaml
+  - ./backup
-  - ./restic.sops.yaml
+  - ./certs-deploy
  - ./externalsecret.yaml
  - ./minio-rclone
--- a/kubernetes/apps/default/truenas/app/minio-rclone/helmrelease.yaml
+++ b/kubernetes/apps/default/truenas/app/minio-rclone/helmrelease.yaml
@@ -6,7 +6,7 @@ metadata:
  name: truenas-minio-rclone
  namespace: default
 spec:
-  interval: 15m
+  interval: 30m
  chart:
    spec:
      chart: app-template
@@ -15,7 +15,7 @@ spec:
        kind: HelmRepository
        name: bjw-s
        namespace: flux-system
-  maxHistory: 3
+  maxHistory: 2
  install:
    createNamespace: true
    remediation:
@@ -52,7 +52,7 @@ spec:
      age:
        enabled: true
        type: secret
-        name: truenas-minio-rclone-secret
+        name: truenas-secret
-        subPath: AGE_KEY
+        subPath: SOPS_AGE_KEY
        mountPath: /app/age_key
        readOnly: true
--- a/kubernetes/apps/default/truenas/app/minio-rclone/kustomization.yaml
+++ b/kubernetes/apps/default/truenas/app/minio-rclone/kustomization.yaml
@@ -5,7 +5,6 @@ kind: Kustomization
 namespace: default
 resources:
  - ./helmrelease.yaml
  - ./secret.sops.yaml
 configMapGenerator:
  - name: truenas-minio-rclone-configmap
    files:
--- a/kubernetes/apps/default/truenas/app/minio-rclone/minio-rclone.sh
+++ b/kubernetes/apps/default/truenas/app/minio-rclone/minio-rclone.sh
--- a/kubernetes/apps/default/truenas/backup/secret.sops.yaml
+++ b/kubernetes/apps/default/truenas/backup/secret.sops.yaml
@@ -1,30 +0,0 @@
 apiVersion: v1
 kind: Secret
 metadata:
    name: truenas-backup-secret
    namespace: default
 type: Opaque
 stringData:
    AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:4Waq8U9rY/IsdzKInsJQGoXD1Q4=,iv:N05MKTKyY4LatzfPZS6Vke1dyZmYs0tOhU/O51K8mwQ=,tag:bQHdjgc5Xqg//PBOVuUccg==,type:str]
    AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:JN6f87JOBaZVC5ue4aArSDrQ/NVe73vZZgmbXYeGAVcl4urzUbO4qA==,iv:i0RP/gidkJG7pccRVIT6FUd3IHm7Z5y2hnjSBqVwHLA=,tag:L688v2TfeIMnX7BNmA5kmA==,type:str]
    SSH_KEY: ENC[AES256_GCM,data:bGIefWSzJHPFL98GrIjMz1ojanyrwf2qOVkfFHscBO3GAgjdBlkXk7JKWc5ykpPdMGbNd7G6XIjxw4fx2nj87RqiavRPRKwJu3VouzzBee75aGDqKrWRmZUhwOwliv/RS8Ipma8qTMDBNTfpHcAFHOW7kYYAe1gCYlWKum8KDjJ3G4YW0eApjSczyWsQ5ApzbiqAbOswCRvwa4dBzFw8rWVjUVpbqCA9iiql8x4agApY/tO2lrSsnnpv5URcoOD+qiXDOb+bkMDg/CKxyLCvcoQF1MtodjOazTgo1yFefGqD5Y4q3KFS70wLKkU6NK1WbfWz/s0hGt2M6RnUvxWKXmeX4AeSN/716/Kju9kZ07ddGq5A2okrMxqVOiVlOc/lMJICe3pANdfLE1/TNLQwSf5L5R18ulJ3Wj/wiB8FkFvqHeA28Hqtb+L2kiDa8nGbxr6qeOrOr8EuRdwogCKy56cU4w8Tjo6UVwfxyWFD+MuXlzYjxg90O5CRV44KfTV+tya2JyCIDY0K9/vmLYEDFtIWpIYLLEwBj6ZvomZbIFMJYK0BYo+G5E6xEi4IZzb00DIy6p/UUkDs1dLhMTdPigKMXrt0chX30Txw245rCQ5V/tzNBAvpsmglIsOyn7KihE+HUGJBTGfLgBDXkgplvz3wckq+axGWRDv8Z5/HN76xkucVE1ikTN5qRKY/xqi99fdmAXc6EhGbfQX4WvSyJFvtI1QUFy1Acdl55tQG9QsrFJ7Xd3ruhIkYNx6+IqvgvOZMOWRt5rvQ0b8VBZCMquNxETTRXNEg1ltCbgQ+mXKlX34gFBJWBzsfVdfosOSh9RKEBgrqSZ+wdH2pkjV4Ka8KO+NcDhap2VmDQWcA34LkX1825c53HjQScSfkgLR2Lty9cEwIqA78eI6gwx2Zw+TmFc6Jj1vktiNOudrzlwQphhh8ggNl9MagJbi8maiRIyb4xGsIIJdcp6kfHV/FBoYrb1SrDzmLSG/c01rrEr1/oL35EFncF+hn8MdBOXNcJSxdKVdLoF3/rjL/Lgz/U1gxgbCJekc5UwjlEsDmM1Mlwd0dXWJ94+djOXWRLyu/FhlJrMtA5YdCecm/x9d3wLS61zkYH5HU8HTKhkZgreRvcGEmT2SEgesA4MVLkY4cFeGaYNgSX2oneacl9eHyv0CBfXE/nTxDFZA/tzSSVs94TDe6o3tBcmANB9C4AcmBp+lVYfUdZf9ynRK6E4NAsJklpIWVLYxyWDNy83X/yctGQEXBVVwLK2Eq7Y/jbXKlWR9vBf4ZHaCDUO+eEtCWz/JoQrxv2zu0g42HSrwn9yD6WAM1CMOhGhR+5X6VfYZ6mIInOHB8cO2UXkRkzJRqkvK4FhEOswtVHlCWRUCEtxqYFCjuYiSun+EvdzCeP84MHjI64lPB1QhS0KXR+A9MgQiWFbvGTCasORvrlRRs+J30W1UI5UbhyNh07LIdH68EQmdq8TGCr6n7v9mEOIAbrrLLv6Wi/pJB5irsVQxO2p63xtj+lb33wYj+/2HLhq2z/1ElXbFbqkibWSz+Hp2ZYswlcthmSyCa7YSwacVVFYGoUyepvom9PcizeDcD+QEx68rXnlKo+ilWNFpJUybRVtoEkpKLAyJ7VA8SUmhVhAPCEz5IMvXPsCd5KkA0u2XGOc/McBjcOMGgCH8NvRAer3HBHjLq3aex41J4hQAAmmZUMAnomDj2V9kZsxzD5FnsH7+f026GUtVaN393dcS1zxCN8PI57dEVIBkUn+HcgbJ8rq+8A5kPBKAO+CX8HHDZ0zRoero7PT7nXxKhPWQ7VxNm/FYdhGP+N4FbbQkBwmK2nUT2MWwW/nFgHX95rCO+qA6uq9uW0zhW7ML4NHbIXXFcxHfa28A/CUSValk60cFsjf/TYk2n5aETVby9sLnYkvPDOJle52JVvtWrpnvpka0sh1/Ve3L92upX19pXv/0925F+4EdrCe1OPScAibMhNt90EiNAuyaWkAtycmdvlazfEUEcrkYA/KqQx+KXXyQcYDxvd7rbRScTv4GorlKLOc90kOd6eRgC+GW0g//XZCkHEdHL2WbY8mDuMSC+5O6ig8pqxwzT3efIlaS0asJ27Hnz0w9pzrktAJyz523SaLIujJKsQX7o8yQ89LDYeqtTZCGA1jOQybQGsGhGuOQOCkEzwRVeqpY/MbNwkAL2TOcbxpEDaVSMPw64ECTLYITJGd2/2WAUkdEjAegURamjvuYDliXQwuyOF4LriM+A0AdJm/BgbTR0sS8f6TKAqiDmEEWrG885V07i+TvxKT4K60bjqX/FzO10u+3LaV8tAvGbNR0VP/euxnt+mmNIQ2qEYdMiLGQP4Dc8wPb2vegMPDmSSTFIJ64zwe2MiWX55O/5IRNxPLEoi4m9FS7ArZgzELEX2N6ufrVScgLD+moYDEQfGO6XXUqNsCpiqf2IGzwiZDicjrp43Spwu4CyKdeZnlf89F+SY4jkYb9l0K7OwvVvYGpuPBQsI+O3t/Xt79l6VaaYwVaf5pOwxFPjmwmoYqdvl4CDv5XVnyIz+sz9ySvMtdrKN0Jv/TJ2Qh2MQaZqVDPIOnHuz8c+uIhn2qjPpKejnJ8RQv/421ZRfu/3K3INRBq7qI3vTA/3JyqxTWQ2MpwAZJzjw4qzeLfALqXv+WIrN/tbZJHw1luOPEW/E31Ipypri2ITRKJruyEbfASK/VmrTOYcV/dSgpyaxmGdWwQ6zQeEHgypPHIU1W/5WPg8QAPNF0uu7cy5TQHFVtdTwCeDQ4BPdMB5faCcaKoDxZ4dIEU7srGKi5hi0TyUw/5HSmry3H+e6VEXHhTw7TRrSImfwASuol1lavkZcEnGv4Moj7mIZ+/PqBwJvH+eP9d2Q0f+z2lWQ/kCl9R1IOsP4H8f51j2TUc302U/8Px/TrywCAn4L8qspyHJiC9xQvkRevqI/MjeA1em0a9bUrtO4z1FsJeWiSShDK0pQuXBmw3iGzHsye3iKsxDtT/4FGKc2BfhnzYd+58MEpZih1MaOLmaC6+s8HbwaH7awHnK4/wKx57IZsDQ4vl9jShZ2WqeDdFFGOuAE8tUmyficHPJZ9u/RcJXwm1AK3p7fX8Ekf133de7qWSsNMHPgQnGCG1NlPTccdpVX6qUB+EyZCS11NYuJk8834hOH2yT7UMzRKMquCtWor1fAH/q6RDTntMkuUH+M5R55EVdKuWBqhlx0Umd2B2p7n6izvi91X7OeRvwl3C1EBoKaDynf3hJTjKQ3ZrU4teOePAIrPy/Xk1qzIo48ELIDz7ZEz/ffIPalTc/wNSW+/h0Pogftm6YvCoVPWCyvwA4o6twJ9YKjXm8A5fizGwOfGua25gkZvn8HpVL1ZJyA7LJWKR4IUOi6989Q5/zJR15/X8piMGkItq0MKc7gcdiuqkjJilegn7c5uYmcRyRIFgEx37Ty6KMX2ljEGdOfbIi4xLETtjZ2DTr,iv:NkbvqlEf99WrgjBKF1vyl0kWxbsUcPzJmfTiiAsMUfI=,tag:3Okc7Dkh9bATeff8i2LQjw==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmMEhOUTJMcUYvNFozRDNr
            WnhJTEYzVWN4V1VXemhtWWU1SmMvUmljNFFNCk91aHhXRVBDSzhhcjIzalQ5SEpN
            cTJIOGVVYWNYRGdtMm5nZUZ5Q0EzTE0KLS0tIFRMYnNGakdrSktjT2ZoNk1sN21C
            YlhlTVhRdDFJUVZiMTdtVXlveWNDWE0KG7MKLp5tUCm7KpuhpmsvAWDrreBuHSEp
            zyH6hY1i7jgjh020qZI32zNDHeTIJhi+mHur/jvBJhEGLMz6JYUPrg==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2023-01-02T20:30:20Z"
    mac: ENC[AES256_GCM,data:O3rYI2l6/VbuxOD+uigagizpMzY6SIMXlu8sT2nWIDDp/7q1OLd8xilAKtTD85jYGbqFk5bluhyMiFdjq4sA9RZAPXoYY/l9RqMSBeR/gptUPAqK5qkYL9XX1AXbWuxziXIAtJYvyQuyTYeWPMsMNkmHNb1APxDWc0quUTfphjA=,iv:Tdvt08Qm6yD22YM9p0pQ/Gxfc4RAM9m9J0mBShAJ0X4=,tag:FgQxh1qBlVsfDRDCnmyyPA==,type:str]
    pgp: []
    encrypted_regex: ^(data|stringData)$
    version: 3.7.3
--- a/kubernetes/apps/default/truenas/certs-deploy/secret.sops.yaml
+++ b/kubernetes/apps/default/truenas/certs-deploy/secret.sops.yaml
@@ -1,32 +0,0 @@
 apiVersion: v1
 kind: Secret
 metadata:
    name: truenas-certs-deploy-secret
    namespace: default
 type: Opaque
 stringData:
    TRUENAS_API_KEY: ENC[AES256_GCM,data:0B0eF5hqqwDuv61BFxirXqxrIEtABYCRnHv97XiiyIEEKM2+DH/L0VknFczxEZIbdhERip30is4irI8mUhJOT9S2,iv:JlHKJhRd/UPJh354GyUftnrFBHLZLhIRGSfYbxKriCs=,tag:njMr8GG+YCjKpZvK3pFWsQ==,type:str]
    TRUENAS_REMOTE_API_KEY: ENC[AES256_GCM,data:hHsW9mHIVj9JQqJb/xdTwC0I9ro7OqVT5owjVS00VDplhl81f3zjSN7B+HL3YOVYg2VrjoJ/1Gukk7F413CXcqI7,iv:b2SAPCAmbcvfam9Kt6ess5musA7jawiQPVwxMKwJpmE=,tag:ILIgoNmSFXPGs6zRHi/u7Q==,type:str]
    PUSHOVER_API_KEY: ENC[AES256_GCM,data:cyk9BKRm/sSP9/y58+P1T6KMog+FqD/088NFgJ9E,iv:4d9NorzBh+XpvV0oAk6eC+d5adcDkoqwpg/iX1tI6J0=,tag:PAWmAMz6p6wXjTtMSBeJwQ==,type:str]
    PUSHOVER_USER_KEY: ENC[AES256_GCM,data:TDSEIhc63jIoquDRBAeU987nfDHIhrmie41m5iA/,iv:3pHGEh9tJgeBr0B6DIT0sKtfedEZSXkAsFd+7oaIb2U=,tag:6SMb0MQzXfQNNlGsVbr3AA==,type:str]
    SSH_KEY: ENC[AES256_GCM,data:/u/tzgpNhYeTfO3Y1V5DsXXWHcnpGCpmSQmcHmhtiQHeuWJJyCy9cObf6Hm8BQjmYPSnUwCGMC1GQM8rjHBiWDXVMK5IXiQlpd5gFxxH8LK8DjfMy8hiNLEe40dkYB044mfGJbyfBEK3AaGURVHlgfzGQiXMWbqSL9BGGr3hhvfuWyrpFxJSDC8CmJ0Swu9Fw8J6LliTwMG1LQAJUNd8ZJkV5qFpbHG0LDlYYI2ebjQspS8tsQuwsE4ewPrVeD2YDY81klcFnshHLD1fR7HHCNtEpMUfV9lstDVqm12JAFWGN0wFoxDR5C+JBZLgEtFwjq2hE6OZ858D5h+jwCYEVmrW3hWVK7aTYjoSmPxDaiZ5Ro7YcXSilMuSSi3IacS3iWQP6VXFfKDZTD4C527ZlJRgMQFKAvGb6FcJj2NhpcmMM9fDLsSF4VFsEYBkkp/GM+TZHqeIp+kOFvNcDwZwgqwgfu8VCB0ogwpvyTr8rpdoS8phH6P8hFO5Nzxx3HEV3cHIbiXFOrDFO2xzM1YdaAJs2sOvVm5+uTl/XJqg6kXLCzoe1LZAoK4MIVFCk2U2rItGN05wLPUTMopJuEUvHxrCg79AQToIZCD2v9Xl7HucyXR386yuL9VrS341Euc8bPELDwPNgJLxnsGRDp8xUN1CsvZWxcVxpw4k+jdXHZKd110WMKcfUMaYcKPxupdu/qDqvR6DhpywpBxPhgJL1/f8V7T09t2KCdUa81rwTsPVuK9B1H3Q/YYc8h99nBUZaYrIQk+WQtbgKYvzz204I7lev+lliPkie7H6umDWw3NADoOQqvF84kxAfO4jUbvTIeLeFSik6p0RNN3CdTnK5hNEdtpbk4+KuHSw6WBB9aTFcm3JkHGZsEuYVXWNoEgbIEjL17JLXm2FV0kNJil+vbQ5qcan5H7aKm1vcHgXylDGmKPU2QzSpXSSSwTMxOeAKGrPVIusT+gpqw22+YHa/kS2trz0XrPt/rXY4SDAXcjSNSzS5WcnvVX5v7DioGHo8/emYY9XEjML2iig1mxxyaP71GuWvzmITPWQHM3iJvXPywwgki1UiZqN+3WsZUi2zFrGJP/VXuL+8lCKvwZmRg0ACK+TeAenZsSSr3AdiKKbpriGHeqjjnSUvMmx6DUNIYdrxc9gNXBQ4tnNMN+pYBDj2jeiSIx2pb2derhOMGKyBCn3vfFylp2ljp7xJ39+N8fTlB7oTDQRCXmW/CR6bHd41/DeP9Hli8D0iYq0toM2oxby/eXPr/+I7wOZU23CKi/kQssxdn5XnlAGV0j7moF3ys3q7qFWesRQw1iYsS+dIvSr714u1NJXvE0nU6v5Vv64s22g+AC1FrWlsOdSo3CDLc1KctIuuFclyxI4mIekQk3iOKl/4a6XK/suOhmyzWHEKlq3LhbHZEA/maMOsKU//tX0uA+asOBLQJPtixwuQ9ZE0vpr4uL0LRJjpnYk09ktuE2YerQu6pGkMBt7uQnpWSzAlO2+3jPducXUdft9MXYM2jaK+PoUuCLUNegeqcpzF3KnGT9zDfbR15abg9nrY1Gv4cHlNN94JFxD2Z9qYBnNHBmG+Pdkq5xYDOcSmC3AV1IF+OAY+IYbb2BAUVy2JvqJal2mvGnlgOSVxtaA51VOkov8Bd0XwMUC/QDaj+CxMS/uDIDUsg6qbuw4dg+HjDVYhlnc6YElwET6LBoLkS5SIX+8W8XoVDAoTapOlrSXDo/elRW/WY4TJ4MEdW0xasjDuCxNDCpdmzbGsNUbpXQqDSz3sJvEggri0Q5ShGBJ57XCNEbXO/ZjlzBE1eN1bVjKkAbNrdj89NHpwFJiUUwiqhJmMFt1lbCdA9ihpKsuUyF7jBwnOdVnSLqvcL+U2WG6xWfJHTyoMpRFlaJJfchc3Nv3upOajk1rPFCdEK0vztAYinN8ldieKOz1bSJL8/RomSyjWJ3CeyyQYAODZn8KNf8E8YqapENbHA4Mj687NvaMxXl+sRxp+uprbZ/KDY609vEuub/46q0S5yddd3VAUrXX1x+leeRusGqXR0I9iwyaYSXpZO7fyUm1762o71fQHYgXcvco2NmDCH8AeFO0/Dc6bm8n//2g5XUg0ej+o1YZQaQ+plDjM9pHX33/BOvXDOJ7MoQMGIHadv9tS+USaLKNI45Z4tklIKGzkNh5q6JCrIGnja76ncaLGGOJpxG2tuQh7CATdSCWtDOJTLYDa84kWLH1lkXJeLkYGdTrKDpjNZnUQkggVyKisK9cSlnsUNsW+xwl2fKvuoNjm0wrBXN4MkUdLbbGBFt5CbZbyzz3f4et8twQ77TT6KJ5hORj/D3FFfM8LCDS/WQYQ9mHEZjWhtIfIRphSt192I/6hHuhHb7nl+ZO/SKoqfKN7Z32OUIR/gc6tcD+CYC02EpNgqZw9Lacq+zIAvY2m5KUbjaX/ddjI6OE7WyrBSArjtr/o1Vrto8xBZ5eHbbauFTFHN/QuadfU/VHDLUM2KQoWw1luYMTQBpyhK/ZCnOcU6hhJfWyMBY7lHBZBc44iu1ntyc+BPXL5kg9RoA832vNJAqt+1TGllnT1l6rd29+evfW7LIVLwQKVfCcR7DNX9NJYF8LDz2TCL7633udmoJC4bDCIW4mt1D5ITItat3AHSLruYyFPrUx4GwWGL4SKZTQxqpVxvj8mQC77h8WbkfH2csU6hFr7yCjVMpg7RSax942GHUPZzJnHmjgbgyNnats/ZgKjWxlVi/D7bUDxcYGOAHwjodyidGZbCiQckxkwF8brcfLM4VcgYfZ4Xe2tcMFLQML4id8WTgpnCv+jnSmOxn0IJog4SQ1qxPScKCAQL78SKCCeG67GTmcMbBPXhKTf7AQTpCIAUPSeAiR5rvNv5TZjIXzWYu6SP0Cw8+NxkENaS5RZsXtjVJTGnL3UJjVEQw9BC5qjXta2n8R8X1ELDB6qwjdDy3U5hbrdwEyjV8h5TJRe3xcYcMrKicmLfG6bhdcx1SpiCiI9M3hpc32S2Dn8FCoYFlP4tsuzT4b2VcaOZAlkLahchNbTTIMlehzJnGkXX1HwCh+c+fSD/apiONh49VPbVOAvV/rsSjn15AemL25MrP76evzIZwfrYdsZkGyq+sT2UyO8sGhu9U08bJkdC+1saQzSam75AWvV2dS7/HLefsMoezSLurhkr1jGjVsxaRXM9UCWxRYP2a4HHT6fHXdUGP9dHyEv8E/B5RpvD/HzNr8udxHdq7SgXhoEHMqWOKPtNVkXlqttlAWbcoWDnJaOBH1/50+DZYuZ9bmF+X5qk/TM2jyhQIyekLSw1quOdnfx5OM8K9ZmgUEqyJ2LibXW9yZWoth/Pjq7sFIkC8YSneWiFRk7uOFZjcfnoItHrjghW5tK7diluj97+O3p2FqtV9pqB2UhyPAeIRSmWFxhPj5dornJVIQL/Zr2Jv911HICP2G7wQnsKv54Fnp4t+9ZjhJzkTh4IFK,iv:vF3GSh82JgjFVTTkTJrxu142JQGIF1/1r9b1yfcDXGE=,tag:rf0/VoDl2vKwL9gwepX4rg==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmMEhOUTJMcUYvNFozRDNr
            WnhJTEYzVWN4V1VXemhtWWU1SmMvUmljNFFNCk91aHhXRVBDSzhhcjIzalQ5SEpN
            cTJIOGVVYWNYRGdtMm5nZUZ5Q0EzTE0KLS0tIFRMYnNGakdrSktjT2ZoNk1sN21C
            YlhlTVhRdDFJUVZiMTdtVXlveWNDWE0KG7MKLp5tUCm7KpuhpmsvAWDrreBuHSEp
            zyH6hY1i7jgjh020qZI32zNDHeTIJhi+mHur/jvBJhEGLMz6JYUPrg==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2023-03-17T00:23:02Z"
    mac: ENC[AES256_GCM,data:pIJwVCQaP73DElbqqxbA9jadVekYkvcHxnlanOtUdjHiNAYRwjXpJTssPEJC3TL+r4zBWZUlstDG4R9kgaY1Kz/dnhO7MuH/1FN6ShTWsDwgVJfJTtn8hfYiq9H7mHNwvscK7PbirQQYPCXMFFMDfK2CfKBIYkKmlzOMQvVRvlc=,iv:yexA2IKrIGFg8phkJhLkd211MDxBidfVdGL+PVzkAJ0=,tag:XnQdY6Md8PcWgyubtX3Ekw==,type:str]
    pgp: []
    encrypted_regex: ^(data|stringData)$
    version: 3.7.3
--- a/kubernetes/apps/default/truenas/ks.yaml
+++ b/kubernetes/apps/default/truenas/ks.yaml
@@ -3,12 +3,12 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
-  name: cluster-apps-truenas-backup
+  name: cluster-apps-truenas
  namespace: flux-system
  labels:
    substitution.flux.home.arpa/enabled: "true"
 spec:
-  path: ./kubernetes/apps/default/truenas/backup
+  path: ./kubernetes/apps/default/truenas
  prune: true
  sourceRef:
    kind: GitRepository
@@ -18,48 +18,10 @@ spec:
      kind: HelmRelease
      name: truenas-backup
      namespace: default
  interval: 30m
  retryInterval: 1m
  timeout: 3m
 ---
 # yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/kustomization_v1beta2.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: cluster-apps-truenas-certs-deploy
  namespace: flux-system
  labels:
    substitution.flux.home.arpa/enabled: "true"
 spec:
  path: ./kubernetes/apps/default/truenas/certs-deploy
  prune: true
  sourceRef:
    kind: GitRepository
    name: home-ops-kubernetes
  healthChecks:
    - apiVersion: helm.toolkit.fluxcd.io/v2beta1
      kind: HelmRelease
      name: truenas-certs-deploy
      namespace: default
  interval: 30m
  retryInterval: 1m
  timeout: 3m
 ---
 # yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/kustomization_v1beta2.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: cluster-apps-truenas-minio-rclone
  namespace: flux-system
  labels:
    substitution.flux.home.arpa/enabled: "true"
 spec:
  path: ./kubernetes/apps/default/truenas/minio-rclone
  prune: true
  sourceRef:
    kind: GitRepository
    name: home-ops-kubernetes
  healthChecks:
    - apiVersion: helm.toolkit.fluxcd.io/v2beta1
      kind: HelmRelease
      name: truenas-minio-rclone
--- a/kubernetes/apps/default/truenas/minio-rclone/secret.sops.yaml
+++ b/kubernetes/apps/default/truenas/minio-rclone/secret.sops.yaml
@@ -1,28 +0,0 @@
 apiVersion: v1
 kind: Secret
 metadata:
    name: truenas-minio-rclone-secret
    namespace: default
 type: Opaque
 stringData:
    AGE_KEY: ENC[AES256_GCM,data:4xNBIadPDtcizBd02RW/JN1KiOIwkED4NtXAvuI6hxaOOzpfWh8hC2jrn8MLej0e+yXEcODe0KCUsx4p+GQEARSqOvrFWJ96XgoC1batFUmzGk8/WGdbaGt+zXxwsAPpJeEIYElPqy/XLgu+k1xdc/vvN78+RPnRXEWoxbSXonxuy9DJg1VQVaP2V9lKnHcIlYtQaz2xtdTBhOVAyaVKJxo11ievv96ZFY7eyX2YmaBtOfmU9pNH9InYqU+L,iv:ahXvBl2CgjOxB6MmcjMXBryf+MwahtII/NTxYIFa3DQ=,tag:+AriTfQEhOrfJCRnfes/Cw==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmMEhOUTJMcUYvNFozRDNr
            WnhJTEYzVWN4V1VXemhtWWU1SmMvUmljNFFNCk91aHhXRVBDSzhhcjIzalQ5SEpN
            cTJIOGVVYWNYRGdtMm5nZUZ5Q0EzTE0KLS0tIFRMYnNGakdrSktjT2ZoNk1sN21C
            YlhlTVhRdDFJUVZiMTdtVXlveWNDWE0KG7MKLp5tUCm7KpuhpmsvAWDrreBuHSEp
            zyH6hY1i7jgjh020qZI32zNDHeTIJhi+mHur/jvBJhEGLMz6JYUPrg==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2023-01-02T22:33:41Z"
    mac: ENC[AES256_GCM,data:DLH8O96zF76gLpyPBoN4vJz3iFfLTlJVovM5URp1LtaN3JxlMGoldhsbeCTWK2O90TTkzAh6BB+2nWa4yEx+VL1pOD8XSYDz5qZS3EpQ5Gf4yr9qSziSg/uLuw39T2OxQkWw5FVCK1mzbF+Pw7IUIasUQFDmM2xBiuYH4M2OYyI=,iv:481eBWmOpRB74G1y4ntMqHS2+DKC0+OOtOEO8eKspfA=,tag:/Be7ik2B+Ya9k9cQH3iVZw==,type:str]
    pgp: []
    encrypted_regex: ^(data|stringData)$
    version: 3.7.3
--- a/kubernetes/apps/default/unifi/app/backups/kustomization.yaml
+++ b/kubernetes/apps/default/unifi/app/backups/kustomization.yaml
@@ -1,7 +0,0 @@
 ---
 # yaml-language-server: $schema=https://json.schemastore.org/kustomization
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - ./replicationsource.yaml
  - ./restic.sops.yaml
--- a/kubernetes/apps/default/unifi/app/backups/replicationsource.yaml
+++ b/kubernetes/apps/default/unifi/app/backups/replicationsource.yaml
@@ -1,25 +0,0 @@
 ---
 # yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/replicationsource_v1alpha1.json
 apiVersion: volsync.backube/v1alpha1
 kind: ReplicationSource
 metadata:
  name: unifi
  namespace: default
 spec:
  sourcePVC: unifi-config
  trigger:
    schedule: "0 0 * * *"
  restic:
    copyMethod: Snapshot
    pruneIntervalDays: 10
    repository: unifi-restic
    cacheCapacity: 2Gi
    volumeSnapshotClassName: csi-ceph-blockpool
    storageClassName: rook-ceph-block
    moverSecurityContext:
      runAsUser: 999
      runAsGroup: 999
      fsGroup: 999
    retain:
      daily: 10
      within: 3d
--- a/kubernetes/apps/default/unifi/app/backups/restic.sops.yaml
+++ b/kubernetes/apps/default/unifi/app/backups/restic.sops.yaml
@@ -1,34 +0,0 @@
 apiVersion: v1
 kind: Secret
 metadata:
    name: unifi-restic
 type: Opaque
 stringData:
    #ENC[AES256_GCM,data:WTM0Lkqp+sxjbUgkNzAVZQnC5g==,iv:4y8R8GpLy2Ogh3Lt3v6ibVbJF7jy8K1BOGi+ONt7S5c=,tag:wRhEBfRNHp0PBvIjM60iSA==,type:comment]
    RESTIC_REPOSITORY: ENC[AES256_GCM,data:FthTBOx4mCQ2gDeoZXFhQfqTc8mEVxP80iRGMR7sa3ZLHACzZN1fJKjWEvmDZZrPdVm7jATT7g==,iv:LF73PZaA+S8FPtnSrkG+8iuN+3q+PxR2GL2VmwXaeNg=,tag:yhNZUDL6vT3ZfJpXtuyblA==,type:str]
    #ENC[AES256_GCM,data:cRvGVeuDnEbJs01G+Und5ls1EgaC9Q2vj61IE/2R,iv:qSjv4bGEX9QWABhXgnCJsoj0p1kjgYaQwQX0Oyu9RHk=,tag:x8i1WXbAvdpC+Iv8pn/drw==,type:comment]
    RESTIC_PASSWORD: ENC[AES256_GCM,data:6VI/lJQFZg6hu5r0SqNAKQAQGYY=,iv:UYRMnkHB4jsXcV1tyLDTAqh6dxsd18hYWsDoSpjJarA=,tag:d6hgK6LSgu7vZbLfquKcyA==,type:str]
    #ENC[AES256_GCM,data:YIIHR5DwXv3YE9fFvNSAfrm47ZsshZMcY31LbaJ4gwXo0yOOHe6qDEc=,iv:axSMsvrIOkJFlErvw9fcAwLNSEWDh6mUU6dWZu6icIo=,tag:MDNlk43vcI9S4o6tMiWVmw==,type:comment]
    #ENC[AES256_GCM,data:8Wspw6gPIPBsumfRS/5dlZrAQQqBJEDMgcpip4a3HCfHq8SeVDv4Gl0j3hyZqUsP5af8nN69Y/9bas7z1hnIERkrb8DqYg==,iv:WqCz9vBfg1JxUEpd97J37YztSW3HkcOHa6nIJI4VK8I=,tag:+LxnOzGidF39ojPKSOrVsg==,type:comment]
    AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:I9vuuPEGS6A135zwKUNXvSIAjwk=,iv:dByy2WuuhO6OluWXYRwkdMutK33yKwOcWkR9hvY5bsg=,tag:xHU7Hbx+sxuZ9CRymA55JQ==,type:str]
    AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kRdbENGS1F32JzkvktYkbfhMGBSrUpFSfyCdIpJwLOc+/2TyHAMrxA==,iv:Q+UKNT9aRo+A0KWu/FiST/4bOQKTOBJKHhpP8JXD3ao=,tag:7VE8lx2QAdNutcUj5kMNNA==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RE9wTDZVRlExcnVKYjVZ
            THNtblNXbGlSUitoS0FYV2k3dlg3aWZEMWxjCmZETUFGSnR0c3JZU2FHNnFneHdB
            TEdlYjJTcjNsSDQ0dmgvNWlnNWo4TWMKLS0tIGR2Q25heThUUGliY0ZicDNra1FN
            dGppaVJiME1FQnkzdVJOeTZMcjhYWE0KBrGQAYun1Zs3oyHWQ8iGvmF4hheP3md4
            3/Lc9CqEC+V1lT9On8ivEBethjt528vCyVMM5pLMRBEO6CMjlNhJ+g==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2022-12-28T04:29:55Z"
    mac: ENC[AES256_GCM,data:XlsRVx6bf/r7G1os9tRykc2uwYRcmR+6+noK9ZyaSfJGFDs4NNTQRtk+aXZpPWo7L6BBYeeUk6gV/UjspwoLkKVAO9xOarux5hxN5PbZkS1sRAMTK6oyOZTNyxkhJwQwSj6w1n339yNpJHZcu6FpN1Lw5lGvbvI338RLW1bJ/zY=,iv:SJ1/Ovbp4c3w1B6Utpjk7Yoal3Z4EY6R9HHlV9KpzxQ=,tag:rMMzNLDdnC60mRLV76d/Yg==,type:str]
    pgp: []
    encrypted_regex: ^(data|stringData)$
    version: 3.7.3
--- a/Show More
+++ b/Show More