feat: add SOPS encrypted secrets and enable Flux decryption

- Add .sops.yaml config with age public key - Encrypt authelia-users, authelia-secrets, vaultwarden-admin - Enable SOPS decryption in Flux Kustomization (gotk-sync.yaml) - Secrets are now safe to store in git (encrypted with age)
2026-02-19 23:20:58 +00:00
parent 914890b339
commit 51bcdebca8
5 changed files with 103 additions and 0 deletions
--- a/clusters/lab/secrets/authelia-users.enc.yaml
+++ b/clusters/lab/secrets/authelia-users.enc.yaml
@@ -0,0 +1,37 @@
+apiVersion: v1
+data:
+    users_database.yml: ENC[AES256_GCM,data:gS+TAE7aIpygr0A4z9TPBsXpACqxBw6uBbmv91UBn2+tsX5xINnCyNo56Cy0gHC66u1zZIqiOalLBwnwDOphc1SnEXX+RuYjzNLhpre0+i4F5GCCfz9I+pdjsPlojfYUpYw4jRX7haR09XCEtJBXwFUiJ3MXYkqSshSkFNIn+Ax6G5R34Q8h8lSuvrGf/f4yXtmBKI/6bS1wf241xemBXlFqIU0Ddt2nv8Milpz863Bn7h6j9pE8d4nnb9qJmrVXPS4TUrcmYO8zu0IvGZPq7xS01nl7573b1ZqU+SFqUFiFoWwjJzZUcqfbhoORQm7px1pGy2WPJIbkUtIgoSpggxOzVU6V4UVQ3sfpg68Q9bv9q+PJvTa7HTyawJuYumZMY9oBJIFo4fN7WzZvstlDURN8Uaw=,iv:F7Bl2WU0FDLYHQ2iMyRKnkUPFMy9yx9PcBhEpPgqO8I=,tag:w5WBC1EktgpuNVjt7oe9NA==,type:str]
+kind: Secret
+metadata:
+    annotations:
+        apiVersion: v1
+        kind: Secret
+        metadata:
+            annotations: {}
+            name: authelia-users
+            namespace: authelia
+        stringData:
+            users_database.yml: ENC[AES256_GCM,data:JQD2vou4gwHEWuRtavX+H6EnCc7U4lzZImHGAG3PclGi81pIrZ0RdLV86s3WPGVt6XAtyPpdma0EBc0j53me1IIBxfyx74GXQPObTPcEuP+GIlaJzFBaZTzJbPeNCzPdfE8qNEslF9ot3ir6EI6fYLCZgPYHGiNCxRJUVDThVtwh1TBglGxviKzfW6CpEzx8ZykamN2pyvyHZN+pV3+5LCALNK9OlS1Fqt0gAyXEX+dTgXLPl3QYc4LSSDgfkTsifvbXlZ/b+zSiRP+vxhWnqnXm+T1FNb5DCHoHaM9GuDDJf5AsJQ==,iv:cOtPHG1JyiQuFjd7Hb4G3Fu/ltbKND/gJZ5PmUIzarQ=,tag:SaW3gwB8wwfsZcGGTfeHKA==,type:str]
+    name: authelia-users
+    namespace: authelia
+type: Opaque
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1aq4d879wuczrqj48nnw7ktsddrxfr8y8xaf0j0aqteswmsxnfs7sfs9phj
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzVkkrWktMemtGdlo5cnl4
+            WURBcFZ6a1dUM3ZkVCs2bGhNb3gxVHBDWEU0Cml1K0FRTCtsaHRJNmMveHd0dEc4
+            MlRqYlo0aUFzRlF3OVRKV1loSmo0TTgKLS0tICtpZUdrbDJwY3c1WDhwaDlVdW5r
+            V1pXY1o4WmpkeWJxd3d1amVwTTBJN28K3y/ygmRFtrRd6I0ETVWoVAbBDJSGiITU
+            ADecKPFymgJ5Mf/HnH7FJFfnz3n54RQ2KIIe2S2JqsBT3XoQJVo/Bw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-02-19T23:20:44Z"
+    mac: ENC[AES256_GCM,data:JutOjo3m2IMxAKFXKJu5FScH3cZV7Yk0ehQdW6pYI08bfSFoixtbzotkufeFmwWxFFFGdBo2XOhVF8hPrcAJHECGFRJzTpN/mV5t6cTXnjg/ow1mmFf2hOhXUFz4WRfa+qO5l6X+gSnSm+ZEzIhK0odQV1rZxiw7/Ug0ohAndBY=,iv:vm5VwqXi5rbE8GybdNwAuwKe3CTJuAe0j5sZ+/joSJs=,tag:1ECDZ9/H+pnIVnnaBp0w3Q==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.9.4