--wip-- [skipci]

brettinternet · Sep 21, 2024 · 9326e92 · 9326e92
1 parent 2198c1e
commit 9326e92
Show file tree

Hide file tree

Showing 5 changed files with 66 additions and 52 deletions.
diff --git a/kubernetes/main/apps/database/pgadmin/app/secret.sops.yaml b/kubernetes/main/apps/database/pgadmin/app/secret.sops.yaml
@@ -3,28 +3,28 @@ kind: Secret
 apiVersion: v1
 type: Opaque
 metadata:
-    name: pgadmin-secret
+  name: pgadmin-secret
 stringData:
-    PGADMIN_DEFAULT_EMAIL: ENC[AES256_GCM,data:cIHqcvRQnM/xSq+AdDpaTI/z7mEZ3A==,iv:R2/ZSS5Vl8I02y/xOFlADDUCq6dTyjUoEW3adZVzo8Y=,tag:IvZzFiwRzR5mmnrd+f3qMw==,type:str]
-    PGADMIN_DEFAULT_PASSWORD: ENC[AES256_GCM,data:xHttGGv9r9oOTJqlZaar4tuHMz5qbw1czc/Fced/kYU=,iv:tH3ZEnNMVA+F59TGd2ve0YDaCXx5AuDc0pqVyy84yIk=,tag:1GQ59uCGbP6KbHCFIg8bdg==,type:str]
-    config_local.py: ENC[AES256_GCM,data:m+I6G3gx9ISErrdCs+KiuVgPwEaBoEbKbDdT+H4cAUv4pN9loMrP4xLicraBNcIBWKYA/P3ja9Mvt0xRI0y4tFRQJMHdPj7FtzwDOQJ8BcReuAKHM1Glb/h7CJ4/HmcquHPzAU19kk1hkkkGtOaf6R1CmX2dLjVSH0ZNFYE1i2UQu2WwrPgxJl0aQMx+Ds/qufB4/vmttRfmWR6DGLoo0rIfhNqJb+daHBPndvjcrAZ2xcWX4zhlVcuLFeeXfjJODPM8aS03JS6jURftCv5PcCBoWUQUPQksmFc03uQjpHga8NeIQOdGw6/EfL9di/zYhjkkKyzCNKgktu87B2jEdQINIvFtcaxXbwPNPzYRLHIapD2BkHpDdv4gap8YnarXOlK+1ty9dSh0Xl+EqgvVAmliZj0sg1rQUqtHCgdfaLmC87xd/7l4ENc4EVtiBlS+5LYtQnzUtXgmvF/DNwkAqCfL1l2/jLBsPBhQwDZrfrGk2qX1CfA2rfvTZVG6m6dgMJ8wIvKpS9LTSPtLLKCg7GCUxFsNsY7BM955QOf0Z1B3PD21NZ9yfbXe8DAJnc4q9AIJD6U4opyw03c/n5CsT8YSjDdAowZesTOQdt+Ei0yyqf9IKfYVmsFk/YR6uq4weHwYLIoYzMHMr163de7uofTQ8PP6/qIUQCZcEutq8J1lPwyBlifE2c0XOjBFVvct0Rb6nde/lU55KaAyl3HiIklmkAD9a6bxu8uUquoZ0eP8hvPohRN/gqMb/XNGFNs4HGzrs4ssYhGxdll1mGPRgEFhxrlARXDLOa9m1h51fnW8XDsPnoDjVeCl56zUNc+Kbyk68UaFO2qDeZ7WYymVNsJWnedwJu+wF7Xs8FCXubKCqWO5Qa6rInf3OlZISXKUMsCNbzMyNkbu4nryVoZQCvuv+lCO5Mwr75AuvzTuo/f8rraw0dVzRdB2B2P6l9vT4Hsvyi+1xZs32fVNYf4d3kk6d5jfJOaheukQqeADQRWSduN0W6CXDqJdipzdSr/SwkdDIeDfXuh2wCpNXKg4kzez/Ma2JBEGYSyaOncMyBbJ17lOa2GRs17KaACOqMwRx6rxnWPgvLWOlCKjO714o3A=,iv:CUPlb2PS9n0d5pBSqDRd0Z0XbBOb/+sCGtYTt4VGU8Y=,tag:1gDkI5dddFeX0RKdJ96BLw==,type:str]
+  PGADMIN_DEFAULT_EMAIL: ENC[AES256_GCM,data:mDnkHu09PVNumYsG919F6ahM38P9Tcoi23HUm+ErxA==,iv:GKwLabXoa6rr+ON+CUTEF3y5lUQXnMcekTkQRQO27k0=,tag:zSSpV2plDrLXOhLQKYaN9g==,type:str]
+  PGADMIN_DEFAULT_PASSWORD: ENC[AES256_GCM,data:XNKytIwjIOW/etQvvvwoy9dGY50yXRfLbpa9fv+MCxE=,iv:ejHmuE7durqTGzTBTxWtRi5zkZYzfIwvvU9MeOeNX9s=,tag:zq/3xmJ6FlDIUDnsSzPvAg==,type:str]
+  config_local.py: ENC[AES256_GCM,data:DVsvzD4rY3Ddy4bCtJ2fAaHhVLEpJcRoWv+pdudYhOCFCuVFPYqDnJWBsSg9Np9bY+JBGYm5M0JNlb8rmf4JY0l57IdsDEd62bt8BQni/K9r5akBCtG1va0CNIZqYvlcVVzyJgkt1eFmOSEZq5tkQwISQ+UCZ3Sw5YQWfFjjGV9sOHP2BX1YxtVu+imiKbzBGY6IZo3uDmQNreruoII12iqA1HdMx1qgJx6JA/6ojvK/0+J56N64xWvaWFen62WuJ6/vatBifb+gX5Y2WtCgK3PY9+h4kKPSUDXwoc2LABhVhvT8kF/75yYKAMWjuNG5CS2EZGF91HtyHj3bezcMlVOPeBsr0xYpkQzo1RMWFuIYo10cqy304oGHqGCoebHGHJoTjSf8FseV7PpbfzLgRrXzCHaA4pkcN6gri9Zw5waKyF0HySgrF6UPN1Bs9im6jL/37YxCsB7XwtP4NU7tbp6bMH8Wh0n3pvnyz/NZ1Uo0+SyDKlRm32u2oBj/oEsSsrLtYKJZs0H7yRl5q7S9KjQK+k3g6VNwk0MySk3iyPmuZgt1XvXEZ4ndxKUDx/ZbDyeMqb06X1NQFqSM62TauR9rQ2bUshz9gaf6o7t/0OM7nLuNfDz2XJgRXpzKexl9d4ZP4K/2iSoN3Uo3KjFOZ52R+x3McdKuj32WsflOCm1a+cz8q/LOQwa1bm7j3EpeE6zVAeJteRg+apWcZaubnLd1mEDo9YwbfYTNH1/b6aUzzYwBQSxFo4kYp5MXLE9Bwa47vS1Taz15jtiR9dQOnq5ItGwW2Md4i8/7031ITo1MFzGnibhxHqT3fblVylWDm02Ujvhy7h8+Hz54zqhRvgeZj5Z46reJ1MjxYGWJJz8fDuHj7x7e4fqgQp1AUBgKekw6OKDb7Gg1Zyr0PkHbGrsaoxVSdGaIInKlM5xYHvdfTu0KS6Hnxfy0zi/4vrROpSly5TVfMg5okGHapBnfbbeVE8XGSYAE36dPEI1xfCiY7QDSeS/db7rZ0dclZf+JPTNSOszQMSu0GNqfyCIP5usbeRSkGSEIpGghzTH4FbQIltNQgSOu5hktsR9BacQruHs0Yc7r5xO/bJJTxDeAy6w=,iv:ItRTz5HZ6y8Shh0LkZ1NQH7pJjtR8PE0sUCjJznPYEs=,tag:p3mH5DDdHciQ1D8ngUkMfw==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age148wprsnqjq8jughvywnzmvs8gffhrkendpr7g60q8u4rdsj4jvuqk7ltrs
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3czcza25WVHdQSjVsNDhF
-            QWRtN2N2WU05cEpnZ045Mjh5bDlHbUM5NjFrClQ2WlVtbkVzOGRTRytvT3JzODVF
-            SnBCNTJnRkZzRlBzcElDMUI5UDJQZE0KLS0tIHNxdWoxMFZTRWNpQ2RNM01JdjY0
-            UXNFM0J2REw0ZzJhRC9QakxUWnZCUnMKpEjTWQ3kUT2oI5qmHaAsxcPyJiXsZMbJ
-            1oRDKCDg7dHUpwg64Ryazzaj8y93R78eHdhuCXesAq/Ehm9Dd0FaiQ==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-06-13T19:33:59Z"
-    mac: ENC[AES256_GCM,data:cdretLXTb5hU5bl4TxsLg0Ow482ednZzN7oZvsD5GZzhEtneE31r3qu8GnqJ6t/3zotrHbgWmu0UYk/YYuMNS/nQWejsCGMDWZmPHHyI+a2TqpVib/dufXk8BKYv+Mropgp2rwHRPyH1E7Drz7KwHGYgiQWIZOkC99zrGggKXhM=,iv:BFEThJNL8s5rNVPwTYVOBLRkJ8qV8JD5lhFQwXyOOMA=,tag:IKjdWG9idy3ADm678lYtgQ==,type:str]
-    pgp: []
-    encrypted_regex: ^(data|stringData)$
-    version: 3.8.1
+  kms: []
+  gcp_kms: []
+  azure_kv: []
+  hc_vault: []
+  age:
+    - recipient: age148wprsnqjq8jughvywnzmvs8gffhrkendpr7g60q8u4rdsj4jvuqk7ltrs
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlMnczNjF6eXF6UjJGY2Vx
+        Q0hFWFRoSG1oQnI4a3lLWkE1ZVBQc2ErbUJZCjByR3dHcStWMi9ta3NxNkRNUVhz
+        Q3hHbk00R2NmcmhPN29NYkxjblFPakUKLS0tIGZUczhoVHhmK0tUWlAvMXNVUFBJ
+        SUZlcVB5eVVOV01VNk5XSW1WY1hYeDQKbvVi8l0vQDcXBOU57l4D5hl1dyKW6Auz
+        KMkzore6ab3RRvnhl/plBumKuBgUGLYBWbvCB9W5Am0/0wEgPnmtbg==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2024-09-21T05:41:18Z"
+  mac: ENC[AES256_GCM,data:xrrtp+k1bg8FVl8Ghk50FcSkOIhqvctwolckgIZR2wqyjrlBJCT5Y+PK7jj7bwl+biHKsPwKLCFZQYTG3zWX/nRE3ltYt8JDKMiaBFS70CmEP8WZskH2bJyTyOLZLq2iVceZdyIoMSo3jk1SfLvEmwkWF9E8ejtWBQ5kXJRu93E=,iv:51Q7L+OALG+f+ZLU8S5SDbL6bcD32TTQdfK+VtCeOiY=,tag:InsrYZbIy8vmJdu7nWz5ew==,type:str]
+  pgp: []
+  encrypted_regex: ^(data|stringData)$
+  version: 3.9.0
diff --git a/kubernetes/main/apps/default/kopia/app/helmrelease.yaml b/kubernetes/main/apps/default/kopia/app/helmrelease.yaml
@@ -1,3 +1,4 @@
+# First, create the repository from the CLI or desktop GUI.
 ---
 # yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
 apiVersion: helm.toolkit.fluxcd.io/v2

diff --git a/kubernetes/main/apps/home/kustomization.yaml b/kubernetes/main/apps/home/kustomization.yaml
@@ -7,4 +7,4 @@ resources:
   - ./esphome/ks.yaml
   # - ./frigate/ks.yaml
   # - ./home-assistant/ks.yaml
-  - ./mosquitto/ks.yaml
+  # - ./mosquitto/ks.yaml
diff --git a/kubernetes/main/apps/home/mosquitto/app/helmrelease.yaml b/kubernetes/main/apps/home/mosquitto/app/helmrelease.yaml
@@ -25,11 +25,23 @@ spec:
     controllers:
       mosquitto:
         strategy: RollingUpdate
+        annotations:
+          reloader.stakater.com/auto: "true"
+        initContainers:
+          init-config:
+            image:
+              repository: &image docker.io/library/eclipse-mosquitto
+              tag: &tag 2.0.18@sha256:d12c8f80dfc65b768bb9acecc7ef182b976f71fb681640b66358e5e0cf94e9e9
+            command: ["/bin/sh", "-c"]
+            args: ["chmod 0700 /mosquitto/config/passwd /mosquitto/data/mosquitto.db"]
+            securityContext:
+              allowPrivilegeEscalation: false
+              readOnlyRootFilesystem: false
         containers:
           app:
             image:
-              repository: docker.io/library/eclipse-mosquitto
-              tag: 2.0.18@sha256:d12c8f80dfc65b768bb9acecc7ef182b976f71fb681640b66358e5e0cf94e9e9
+              repository: *image
+              tag: *tag
             probes:
               liveness:
                 enabled: true
@@ -48,8 +60,9 @@ spec:
     defaultPodOptions:
       securityContext:
         runAsNonRoot: true
-        runAsUser: 65534
-        runAsGroup: 65534
+        runAsUser: 568
+        runAsGroup: 568
+        fsGroup: 568
         seccompProfile: { type: RuntimeDefault }
     service:
       app:

diff --git a/kubernetes/main/templates/volsync/remote/secret.sops.yaml b/kubernetes/main/templates/volsync/remote/secret.sops.yaml
@@ -3,29 +3,29 @@ kind: Secret
 apiVersion: v1
 type: Opaque
 metadata:
-    name: ${APP}-volsync-b2-secret
+  name: ${APP}-volsync-b2-secret
 stringData:
-    RESTIC_REPOSITORY: ENC[AES256_GCM,data:xL5jpj3u6W1A7SdgL4Fc6E/0rerK0jYXXYcg,iv:sbazTpfx3l3FAMTDU8xzGdeevktGDrZhmBRRHn6XGoI=,tag:gemwbKlVRRzegNjoBGb69g==,type:str]
-    RESTIC_PASSWORD: ENC[AES256_GCM,data:on52lrt45BWsBlA7N/TOH7BjL4j6YRwoIeYJx35m3B0=,iv:T3AeN9ALj++nu2mhhtf3DeuWjKeRqhRLTtuqoYwkaqI=,tag:w/PI3I+18fOQhC9rihKZSg==,type:str]
-    AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:Yp5Ts0MOmVdJanhyJBUYjJFdKFy44NuhiQ==,iv:i0gOch4/JT+hBlEeHYllSFbPxvCKZILULIKEBKDBGbI=,tag:+oSzSxXupMnCAnTtLyZNzA==,type:str]
-    AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:QiHNYqDHL4sMlep2nnzEnxLGbyZjd72nLUcGr5gZRw==,iv:AjTaqBWfVouFByS+mQcj82zwAF80OPAM9arsX6M6/44=,tag:xDBFTtMnlSaXLzXYeQBeyQ==,type:str]
+  RESTIC_REPOSITORY: ENC[AES256_GCM,data:teGcTIlMn5JhEAJm5TiDZMnIL9jitMjysmya,iv:mFBA8IZmcPib3cYcqI8vAOvJYhzK5xOkIobO1Y2cTQQ=,tag:kKv5t/HpsQJizvF2xVXAkg==,type:str]
+  RESTIC_PASSWORD: ENC[AES256_GCM,data:XDRKILjo0JTZHiY59LFkJEisE675umTvhCjPm4jLEdY=,iv:AUKzigwJ8XQdC0VZN4vO2UHr5OfmzJmc7uwcuU7IZBs=,tag:nU2yBiG+seIIXxMNdH56CQ==,type:str]
+  B2_ACCOUNT_ID: ENC[AES256_GCM,data:TdeTgmRl/X/qbaD8GTGr6M0GRoHAfMyuDA==,iv:22jEDBxqFGmU2TGorWkugM411jiEtyfujRZ9O7Q/xR0=,tag:s1YNlZGXAMNvrQS3YbfGlA==,type:str]
+  B2_ACCOUNT_KEY: ENC[AES256_GCM,data:/gvfJG47Pq5b2cnVBePZ4r5J1inVlR4GbqZuAABX9A==,iv:t6bg5sy9uXm3884T877SYT+uz5HL2gh/C7w1kGJT6H0=,tag:OrUhnOyPpC6kl2zdG8/Elg==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age148wprsnqjq8jughvywnzmvs8gffhrkendpr7g60q8u4rdsj4jvuqk7ltrs
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUSnVaV2w2K3JyVWZOVGt6
-            MEpLSDdudVAydDB0NmdnR2JqMmlMbXJKc3lFCll4d2c0akRlTlhaMFE5YkgrQkt3
-            RmhUL2RlNkllUHk4amVuLzhqWUx4eGsKLS0tIEdyTlNZTXg0VGR4VWUyUHd2TEF2
-            dnpzdndnQTU5MFBrZHNpQTRFQWdjN1UK5FkTVg1B2qmBqF5l6osNqGz2AoJchd8Q
-            xbwTkDc9UHQI+qpLwffJntl0DTBH7KH7qa90neY1d4hvPiLdzLi6Cw==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-06-13T22:14:28Z"
-    mac: ENC[AES256_GCM,data:GazREuQ8wFL8FMU7+tC4Xw5YDFlxTrzwfcE14J83lYkyEnfDJFcsBOGFvJvikeuThgWE+8vigFUKCP7kWxYBr9mJXnLThdHE91HPN1p61N3qiRmyMsd6pqKk2T+qfLSu1PgEAW3agq+Xsm//UpVOta2s2uYY0rvjwytwPGCXKRk=,iv:YD27KIgEMJ8gBLB2Nvt0Kk/xD580mxlCp9q+cNRMmFg=,tag:YOGhvvAPcHWfzT26wkiIJw==,type:str]
-    pgp: []
-    encrypted_regex: ^(data|stringData)$
-    version: 3.8.1
+  kms: []
+  gcp_kms: []
+  azure_kv: []
+  hc_vault: []
+  age:
+    - recipient: age148wprsnqjq8jughvywnzmvs8gffhrkendpr7g60q8u4rdsj4jvuqk7ltrs
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmaTE2eURiRG9KOEtHZ3Y5
+        U1gvczRMVCtwTm11MVV2ZjMzeGhqcm9BRmdJCnFTeDA1b1dQdWVGWjVVWUtyVmlL
+        eFVyRWhtcXU4eGhQWmpUNjZrZjBlNUkKLS0tIFF1aWk2QVE2clROQmxqS2FKdzcw
+        SjZWYzZBTStiTHMyc3pId2M4WVFqTEEKXyrSU2sW1Nqi9SbTQ/0Jf/bL7hO9NfsJ
+        UMcKgzrzbhyOXWDjycrmiFSJXG2UrkLYzhnnlNEQocDYHD7eX6Wr6Q==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2024-09-21T06:18:56Z"
+  mac: ENC[AES256_GCM,data:9bD+yOzTYy29OBrYL3d/ENbIWzQzgb70xxlGFybGICJ+aex0NUihpoaWTRdiJJTMn+5iqlJ8h7sTGKfhnxxgtsfJ0iAi0zQcUhpcxAmYi9wFEgGa7xCPcREHZ/orvTNsUvxKu+e7FCJWrSt83SDJGK5GTkDYajYjfZevs802798=,iv:/h7YdcBjhsJVKWTscJ49hrTrBGZmWavhCmCUUu+JEw0=,tag:i+GpH+Y+dk7uSzJkUvXIuw==,type:str]
+  pgp: []
+  encrypted_regex: ^(data|stringData)$
+  version: 3.9.0