feat: add SOPS encrypted secrets and enable Flux decryption

- Add .sops.yaml config with age public key
- Encrypt authelia-users, authelia-secrets, vaultwarden-admin
- Enable SOPS decryption in Flux Kustomization (gotk-sync.yaml)
- Secrets are now safe to store in git (encrypted with age)

.sops.yaml

@@ -0,0 +1,4 @@
+creation_rules:
+- path_regex: .*\.enc\.yaml$
+  encrypted_regex: ^(data|stringData)$
+  age: age1aq4d879wuczrqj48nnw7ktsddrxfr8y8xaf0j0aqteswmsxnfs7sfs9phj

clusters/lab/flux-system/gotk-sync.yaml

@@ -25,3 +25,7 @@ spec:
   sourceRef:
     kind: GitRepository
     name: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age

clusters/lab/secrets/authelia-secrets.enc.yaml

@@ -0,0 +1,30 @@
+apiVersion: v1
+data:
+    JWT_SECRET: ENC[AES256_GCM,data:gf6LutyW8lciwY/fUrDG38jLflMN2kjhK5vierKwDIhYtgforRpOJyVKZTLfX9s3KzciWGhwfjVDiFm90PnvuDXO/6r8ohGf6w+1cT0Qxwd1hHNZ4HKQ5Q==,iv:1F3sIewYGaNZIHWQQ1i37YuPBGbCiBTenFWqwVV08cE=,tag:QV68W/bTemJgr3IbE5TXkA==,type:str]
+    SESSION_SECRET: ENC[AES256_GCM,data:xReVn/YIR1iHXaEjzMJhPEdD5Z7Sru0IOHS2wOigm5dbTxJQSxiW10WJ6PW457CxMXw0fkNorTcR6catEia2+SfNktyn2uBXnXXp66t3MbkBZ2RQSyzMgA==,iv:vW2sVq/sNlCZpplzn46zeSqyHcNAb5UbODjDwEfUn5c=,tag:FSLHZMxXOU9W6yPVReDy8A==,type:str]
+    STORAGE_ENCRYPTION_KEY: ENC[AES256_GCM,data:jZ3u73n+dwdMSMLuvrH3EK4iADQVdJvv0Mfc7L8uKZelahj9dtvQ7dTVMiIi/ghDKch/f9sN+2kiK34/QyrIl74LefKug/2ox0NlbJZwehIdJu1QgJKUkg==,iv:dH/Hd2kkrMvDNvAMaax8OpsqLhmBAl9XwN/sEsZVXPA=,tag:5/1y6J3Ho/0vtIv+SAkxyg==,type:str]
+kind: Secret
+metadata:
+    name: authelia-secrets
+    namespace: flux-system
+type: Opaque
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1aq4d879wuczrqj48nnw7ktsddrxfr8y8xaf0j0aqteswmsxnfs7sfs9phj
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYcGlXanZFWHBJcmt5dEJ6
+            TjVEcmg4eHFFY0JxTE1WZUNzRk9JNkMvL0g4ClkvQ25SWmlCVXhSQSt1UnlyTEtF
+            UEVPeFBuNlZHdmwvdm9NS1BpK1hobWcKLS0tIEVBNnlBeVNRSlRCaG1tSG16QVls
+            RnRuM0RLY0FxTjVyTFIraG9rMGhiS2sKaIsyMoEYTegx6t/ZbtIFwHll7R3kRQEK
+            MrAw0v/axBy3yBBcYXfkkwAs4Bv4fi4fb7LXvdoo77HyKuyZosyLig==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-02-19T23:20:44Z"
+    mac: ENC[AES256_GCM,data:6rcdfoewR56ZdcicTv0C54iR75l8px7WjdbVNdD/Smj9kFyzQpeINyumF7z/ZyqkzKHClLHD0XKwTyeEaTPpHA1niaPvnAEg5ZPDIyTyz+qfS+1HCQIvPaW8Bzqzl874iL8+SqtyWhlLKOe3v5gQYYPP6HND9AcYQGS/nLT6taY=,iv:aZ2KUdKEQ0EQviJWttqhq5qdtjbd2XCDgl7zlWqY/Ng=,tag:fG+BgrRBBtjWRaEP7nLf1Q==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.9.4

clusters/lab/secrets/authelia-users.enc.yaml

@@ -0,0 +1,37 @@
+apiVersion: v1
+data:
+    users_database.yml: ENC[AES256_GCM,data:gS+TAE7aIpygr0A4z9TPBsXpACqxBw6uBbmv91UBn2+tsX5xINnCyNo56Cy0gHC66u1zZIqiOalLBwnwDOphc1SnEXX+RuYjzNLhpre0+i4F5GCCfz9I+pdjsPlojfYUpYw4jRX7haR09XCEtJBXwFUiJ3MXYkqSshSkFNIn+Ax6G5R34Q8h8lSuvrGf/f4yXtmBKI/6bS1wf241xemBXlFqIU0Ddt2nv8Milpz863Bn7h6j9pE8d4nnb9qJmrVXPS4TUrcmYO8zu0IvGZPq7xS01nl7573b1ZqU+SFqUFiFoWwjJzZUcqfbhoORQm7px1pGy2WPJIbkUtIgoSpggxOzVU6V4UVQ3sfpg68Q9bv9q+PJvTa7HTyawJuYumZMY9oBJIFo4fN7WzZvstlDURN8Uaw=,iv:F7Bl2WU0FDLYHQ2iMyRKnkUPFMy9yx9PcBhEpPgqO8I=,tag:w5WBC1EktgpuNVjt7oe9NA==,type:str]
+kind: Secret
+metadata:
+    annotations:
+        apiVersion: v1
+        kind: Secret
+        metadata:
+            annotations: {}
+            name: authelia-users
+            namespace: authelia
+        stringData:
+            users_database.yml: ENC[AES256_GCM,data:JQD2vou4gwHEWuRtavX+H6EnCc7U4lzZImHGAG3PclGi81pIrZ0RdLV86s3WPGVt6XAtyPpdma0EBc0j53me1IIBxfyx74GXQPObTPcEuP+GIlaJzFBaZTzJbPeNCzPdfE8qNEslF9ot3ir6EI6fYLCZgPYHGiNCxRJUVDThVtwh1TBglGxviKzfW6CpEzx8ZykamN2pyvyHZN+pV3+5LCALNK9OlS1Fqt0gAyXEX+dTgXLPl3QYc4LSSDgfkTsifvbXlZ/b+zSiRP+vxhWnqnXm+T1FNb5DCHoHaM9GuDDJf5AsJQ==,iv:cOtPHG1JyiQuFjd7Hb4G3Fu/ltbKND/gJZ5PmUIzarQ=,tag:SaW3gwB8wwfsZcGGTfeHKA==,type:str]
+    name: authelia-users
+    namespace: authelia
+type: Opaque
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1aq4d879wuczrqj48nnw7ktsddrxfr8y8xaf0j0aqteswmsxnfs7sfs9phj
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzVkkrWktMemtGdlo5cnl4
+            WURBcFZ6a1dUM3ZkVCs2bGhNb3gxVHBDWEU0Cml1K0FRTCtsaHRJNmMveHd0dEc4
+            MlRqYlo0aUFzRlF3OVRKV1loSmo0TTgKLS0tICtpZUdrbDJwY3c1WDhwaDlVdW5r
+            V1pXY1o4WmpkeWJxd3d1amVwTTBJN28K3y/ygmRFtrRd6I0ETVWoVAbBDJSGiITU
+            ADecKPFymgJ5Mf/HnH7FJFfnz3n54RQ2KIIe2S2JqsBT3XoQJVo/Bw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-02-19T23:20:44Z"
+    mac: ENC[AES256_GCM,data:JutOjo3m2IMxAKFXKJu5FScH3cZV7Yk0ehQdW6pYI08bfSFoixtbzotkufeFmwWxFFFGdBo2XOhVF8hPrcAJHECGFRJzTpN/mV5t6cTXnjg/ow1mmFf2hOhXUFz4WRfa+qO5l6X+gSnSm+ZEzIhK0odQV1rZxiw7/Ug0ohAndBY=,iv:vm5VwqXi5rbE8GybdNwAuwKe3CTJuAe0j5sZ+/joSJs=,tag:1ECDZ9/H+pnIVnnaBp0w3Q==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.9.4

clusters/lab/secrets/vaultwarden-admin.enc.yaml

@@ -0,0 +1,28 @@
+apiVersion: v1
+data:
+    ADMIN_TOKEN: ENC[AES256_GCM,data:L2A205PEjydsGcq5f3lZwGkPSYnoBjTruzMMgW1fk4kkxekLlNemmrtuYW4fyK5aXn1XAMmdXNkLaeIpVpekZn6kFXNnMPCRvhG1M3UeRakRl1XQDhjmZQ==,iv:LqZQ6twVcTuzCItFsWMUo4J/CxUv7zVmpqlI9yWf2kk=,tag:9rVdsUyYnPV5y1PaOPQ7TA==,type:str]
+kind: Secret
+metadata:
+    name: vaultwarden-admin
+    namespace: flux-system
+type: Opaque
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1aq4d879wuczrqj48nnw7ktsddrxfr8y8xaf0j0aqteswmsxnfs7sfs9phj
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0alEyc3l2MjdjYW5PbkFF
+            U2dGM2IwTkE3MThGZk1CMldxejJVYmxvRTJJCkpMdVVEcjNPajl4TXRpajZJdTN6
+            bXI0em9zenluN0ptbHNYS1RUQ25UYjgKLS0tIDhta0JnMFU2MGN0SWFKRGxHOTY2
+            UTBibmJHR0FKWTMyS2NsM1FmcUVTU1UKvt86R1oeurlBtuUpCC63wi8Wm2IDul21
+            +i3HaSlTkcugg9iCz42x5HHgOlU0LvDNKTkTQnnrUeSp0iX11tDWOw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-02-19T23:20:45Z"
+    mac: ENC[AES256_GCM,data:ipF3sijq2rbfsfKWzUQomsz1GGrini+jLc9BRg6+z/euN1Hx0VC2NMbokgqzIHBrJGsee7OqG8tu6CbyqEwLSy7SduAP4wa53Apby9tZ2G1GsNY3u7P4Ipj/SZInRnM6KaV2SV8FyywPR2vsQfJkVKjQaDNzO2qAo5/dyZ6+lHU=,iv:2g8pxr/YNA/t3r/nsFk9T8wMaFKp0sXC8V2F87swEqk=,tag:p+bTr1hDtxlwbbT/RuwRbw==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.9.4