From 5e55c0e277d6791866dcca14855ae36e19ffac3e Mon Sep 17 00:00:00 2001
From: Davide Piu
Date: Fri, 20 Feb 2026 00:17:40 +0000
Subject: [PATCH] encrypt crowdsec bouncer key with SOPS + variable substitution
---
 clusters/lab/flux-system/gotk-sync.yaml | 4 +++
 .../lab/infrastructure/traefik-crowdsec.yaml | 2 +-
 .../lab/secrets/crowdsec-bouncer-key.enc.yaml | 28 +++++++++++++++++++
 3 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 clusters/lab/secrets/crowdsec-bouncer-key.enc.yaml
diff --git a/clusters/lab/flux-system/gotk-sync.yaml b/clusters/lab/flux-system/gotk-sync.yaml
index a18bfa0..3e5a801 100644
--- a/clusters/lab/flux-system/gotk-sync.yaml
+++ b/clusters/lab/flux-system/gotk-sync.yaml
@@ -29,3 +29,7 @@ spec:
 provider: sops
 secretRef:
 name: sops-age
+ postBuild:
+ substituteFrom:
+ - kind: Secret
+ name: crowdsec-bouncer-key
diff --git a/clusters/lab/infrastructure/traefik-crowdsec.yaml b/clusters/lab/infrastructure/traefik-crowdsec.yaml
index 5b8533f..683a63d 100644
--- a/clusters/lab/infrastructure/traefik-crowdsec.yaml
+++ b/clusters/lab/infrastructure/traefik-crowdsec.yaml
@@ -25,5 +25,5 @@ spec:
 updateIntervalSeconds: 15
 defaultDecisionSeconds: 60
 crowdsecLapiHost: crowdsec-crowdsec-service.crowdsec.svc.cluster.local:8080
- crowdsecLapiKey: mDDWNQz36B/PPTbsN/QlqSmylJjW+poyWWu3Ws8GVoM
+ crowdsecLapiKey: ${CROWDSEC_BOUNCER_KEY}
 crowdsecLapiScheme: http
diff --git a/clusters/lab/secrets/crowdsec-bouncer-key.enc.yaml b/clusters/lab/secrets/crowdsec-bouncer-key.enc.yaml
new file mode 100644
index 0000000..410c31c
--- /dev/null
+++ b/clusters/lab/secrets/crowdsec-bouncer-key.enc.yaml
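Review bot: The `substituteFrom` reference added at the end of this hunk is not marked optional, so the flux-system Kustomization cannot build until Secret `crowdsec-bouncer-key` already exists in the cluster; if this same Kustomization is what applies `clusters/lab/secrets/crowdsec-bouncer-key.enc.yaml`, the first reconcile after this commit fails before the Secret is ever decrypted and created. Either create the Secret out-of-band once at bootstrap, or add `optional: true` to the reference so a missing Secret does not block the build — in the latter case the `${CROWDSEC_BOUNCER_KEY}` placeholder in traefik-crowdsec.yaml would be applied unresolved or empty until the Secret appears, so the bouncer is not usable until a second reconcile. A comment above `postBuild:` recording which path was chosen, e.g. `# bootstrap: Secret crowdsec-bouncer-key must exist before the first reconcile (decrypted from clusters/lab/secrets/)`, would spare the next person a failed reconcile. The Kustomization spec starts before this hunk.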
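Review bot: The removed `crowdsecLapiKey` line carried the bouncer API key in plaintext, and swapping it for `${CROWDSEC_BOUNCER_KEY}` does not take the old value out of git history, so the key should be rotated on the CrowdSec side and the encrypted Secret should carry the new value; the historical line stays readable to anyone with repository access. After Flux substitution the plaintext key is still present in the applied object in the cluster, readable by anyone who can get that resource — not a regression, but worth recording above `crowdsecLapiKey:` with `# substituted by Flux postBuild from Secret crowdsec-bouncer-key; the applied object contains the plaintext key`. If the bouncer plugin version in use offers a file-based key option, mounting the Secret would keep the key out of the resource entirely. The enclosing spec starts before this hunk.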
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: crowdsec-bouncer-key
+ namespace: flux-system
+type: Opaque
+stringData:
+ CROWDSEC_BOUNCER_KEY: ENC[AES256_GCM,data:ktUTw1k0+24RNUh1bu7HudK/5kDO0x5loeIPk4XZkpXxyTXUln0GfXhaEQ==,iv:MzwobssTi6WHZ6g+JLP4ZXv/yuuSF8i4NkyTz0f0v9w=,tag:L7eIt3721IxmO+O+SnTYvg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1aq4d879wuczrqj48nnw7ktsddrxfr8y8xaf0j0aqteswmsxnfs7sfs9phj
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4RVhCNmZGTXB1VXd2S1px
+ bjZZeXJBRlBtVDkyZTJRelU0WTJFVXAyM1N3ClZFZm41TzBNNjNuSFU2RTRxMXZ1
+ ajRENE1Jc2xxKzRCWndzV0N4MlhUYVEKLS0tIGRtSUpGL25STU9pZ3FRN29YZjk1
+ c3JjdXZXSVEwN210WGwvS2pJVURtanMKht5jSKUJ9BRpcv4/Nn54mD3iKuKSITMc
+ 3wefbIXg/klWNamO41NVq03tOPwyQb+sKLQMJ573nuX2ZWea961jPw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2026-02-20T00:17:03Z"
+ mac: ENC[AES256_GCM,data:2wfPq7k2UMqjRT7jjfnAY00FjbCKRd0j50v5hYy5Ql5AV16eaC5IJhj2/khBAzSyoPkbcwCO2Smdps2BdCxg+rCpeJtyWCRuuY+X38IFMm0HH9+H2cSe+IO4rWR17vdCeoqLR0M1eQzdgtrTcVLgKc1IR7XE+3w82LwgGjXZweQ=,iv:eB2orixC9Jrbx8QDvZdUyk67WErfFTN5hv0FIkiis0k=,tag:Aiyk1LBVfCqXq6nGCvs1fQ==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.9.4
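Review bot: The `sops.age` block lists a single recipient, so the age identity held in Secret `sops-age` is the only way to decrypt this file; if that identity is lost, `crowdsec-bouncer-key.enc.yaml` has to be regenerated rather than recovered. Adding an offline recovery recipient in the repository's `.sops.yaml` creation rule and re-encrypting with `sops updatekeys` is cheap now and painful after the fact. `encrypted_regex: ^(data|stringData)$` is the right scope here: only the value under `stringData` is encrypted while `metadata.name` and `metadata.namespace` stay readable, which is what the Flux `substituteFrom` reference needs to locate the Secret.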