oleksandr/homelab
1
0
Fork 0
Code Pull Requests Activity

feat(k8s/cryptpad): add cryptpad stack

Browse Source
This commit is contained in:
Oleksandr Berezovskyi
2026-03-13 14:32:32 +02:00
parent 3af951d6ff
commit a7bb66a183
16 changed files with 738 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

78
kubernetes/app/cryptpad/TODO.md Normal file
View File

@@ -0,0 +1,78 @@
# CryptPad Deployment TODO
## 1. Generate OIDC secret and update both configs
```bash
# Generate a random secret
openssl rand -base64 32
# Hash it for Authelia
docker run --rm authelia/authelia:latest authelia crypto hash generate pbkdf2 --variant sha512 --password 'YOUR_SECRET'
```
- [+] Decrypt Authelia configmap: `cd kubernetes && sops -d -i infrastructure/controllers/authelia/configmap.sops.yaml`
- [+] Replace `REPLACE_WITH_PBKDF2_HASH` with the generated hash
- [+] Re-encrypt: `sops -e -i infrastructure/controllers/authelia/configmap.sops.yaml`
- [+] Decrypt CryptPad secret: `sops -d -i app/cryptpad/secret.sops.yaml`
- [+] Replace `REPLACE_WITH_CRYPTPAD_OIDC_SECRET` with the plaintext secret
- [+] Re-encrypt: `sops -e -i app/cryptpad/secret.sops.yaml`
## 2. Fill in and encrypt backup secret
```bash
cd kubernetes && sops -d -i app/cryptpad/secret-backup.sops.yaml
```
- [+] Replace `REPLACE_REST_PASSWORD` with the password for the `cryptpad` htpasswd user on rest-server
- [+] Replace `REPLACE_WITH_STRONG_PASSWORD` x2 with restic repo passwords for NAS and B2
- [+] Replace `REPLACE_WITH_B2_KEY_ID` with Backblaze B2 application key ID
- [+] Replace `REPLACE_WITH_B2_APPLICATION_KEY` with Backblaze B2 application key
- [+] Re-encrypt: `sops -e -i app/cryptpad/secret-backup.sops.yaml`
## 3. Create NFS directories on Synology
SSH into Synology and run:
```bash
mkdir -p /volume3/k8s-storage/cryptpad-data
mkdir -p /volume3/k8s-storage/cryptpad-config
```
- [+] Directories created
## 4. Set up restic repos and htpasswd user
```bash
# Generate htpasswd entry and append to /volume1/docker/rest-server/config/htpasswd on Synology
docker run --rm httpd:2-alpine htpasswd -nbB cryptpad 'YOUR_REST_PASSWORD'
# Init Synology repos
restic -r "rest:http://cryptpad:PASSWORD@synology.storage.lviv:8888/cryptpad-data/" init
restic -r "rest:http://cryptpad:PASSWORD@synology.storage.lviv:8888/cryptpad-config/" init
# Init B2 repos
B2_ACCOUNT_ID=... B2_ACCOUNT_KEY=... restic -r "b2:berezovskyi-backup-homelab-cryptpad:/data/" init
B2_ACCOUNT_ID=... B2_ACCOUNT_KEY=... restic -r "b2:berezovskyi-backup-homelab-cryptpad:/config/" init
```
- [+] cryptpad htpasswd user added to rest-server
- [+] Synology repos initialised
- [+] B2 repos initialised
## 5. Commit, push and verify deployment
- [ ] Commit and push all changes
- [ ] Pod comes up healthy (first start is slow: OnlyOffice download + SSO plugin clone):
```bash
kubectl get pods -n cryptpad -w
kubectl logs -n cryptpad -l app=cryptpad --tail=50 -f
```
- [ ] Both domains resolve with valid TLS:
- https://cryptpad.berezovskyi.dev
- https://sandbox.cryptpad.berezovskyi.dev
- [ ] OIDC login works: "Register with Authelia" button appears and completes successfully
- [ ] Run a backup job manually to verify repos:
```bash
kubectl create job -n cryptpad --from=cronjob/cryptpad-data-backup test-backup-data
kubectl logs -n cryptpad -l job-name=test-backup-data -f
```

63
kubernetes/app/cryptpad/configmap.yaml Normal file
View File

@@ -0,0 +1,63 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: cryptpad-config
namespace: cryptpad
data:
application_config.js: |
(() => {
const factory = (AppConfig) => {
AppConfig.registeredOnlyTypes = AppConfig.availablePadTypes;
AppConfig.disableAnonymousPadCreation = true;
AppConfig.disableAnonymousStore = true;
return AppConfig;
};
if (typeof(module) !== 'undefined' && module.exports) {
module.exports = factory(
require('../www/common/application_config_internal.js')
);
} else if ((typeof(define) !== 'undefined' && define !== null) && (define.amd !== null)) {
define(['/common/application_config_internal.js'], factory);
}
})();
config.js: |
module.exports = {
httpUnsafeOrigin: 'https://${CRYPTPAD_HOST}',
httpSafeOrigin: 'https://${CRYPTPAD_SANDBOX_HOST}',
httpAddress: '0.0.0.0',
//httpPort: 3000,
//httpSafePort: 3001,
// websocketPort: 3003,
// maxWorkers: 4,
//otpSessionExpiration: 7*24, // hours
//enforceMFA: false,
//logIP: false,
adminKeys: [
],
//inactiveTime: 90, // days
//archiveRetentionTime: 15,
//accountRetentionTime: 365,
//disableIntegratedEviction: true,
//maxUploadSize: 20 * 1024 * 1024,
//premiumUploadSize: 100 * 1024 * 1024,
filePath: './datastore/',
archivePath: './data/archive',
pinPath: './data/pins',
taskPath: './data/tasks',
blockPath: './block',
blobPath: './blob',
blobStagingPath: './data/blobstage',
decreePath: './data/decrees',
logPath: './data/logs',
logToStdout: true,
logLevel: 'verbose',
logFeedback: false,
verbose: true,
installMethod: 'docker',
};

123
kubernetes/app/cryptpad/cronjob-backup.yaml Normal file
View File

@@ -0,0 +1,123 @@
# Backs up user data (blob, datastore, data, block directories)
apiVersion: batch/v1
kind: CronJob
metadata:
name: cryptpad-data-backup
namespace: cryptpad
labels:
app: cryptpad-backup
spec:
schedule: "0 2 * * *"
concurrencyPolicy: Forbid
successfulJobsHistoryLimit: 3
failedJobsHistoryLimit: 3
jobTemplate:
spec:
template:
metadata:
labels:
app: cryptpad-backup
spec:
restartPolicy: OnFailure
containers:
- name: resticprofile
image: creativeprojects/resticprofile:0.32.0
command:
- sh
- -c
- |
resticprofile -c /secrets/profiles.yaml -n cryptpad-data backup
resticprofile -c /secrets/profiles.yaml -n cryptpad-data copy
env:
- name: B2_ACCOUNT_ID
valueFrom:
secretKeyRef:
name: cryptpad-backup-config
key: B2_ACCOUNT_ID
- name: B2_ACCOUNT_KEY
valueFrom:
secretKeyRef:
name: cryptpad-backup-config
key: B2_ACCOUNT_KEY
volumeMounts:
- name: secrets
mountPath: /secrets
readOnly: true
- name: data
mountPath: /backup-data
readOnly: true
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
memory: 1Gi
volumes:
- name: secrets
secret:
secretName: cryptpad-backup-config
- name: data
persistentVolumeClaim:
claimName: cryptpad-data
---
# Backs up config and customization directories
apiVersion: batch/v1
kind: CronJob
metadata:
name: cryptpad-config-backup
namespace: cryptpad
labels:
app: cryptpad-backup
spec:
schedule: "0 3 * * *"
concurrencyPolicy: Forbid
successfulJobsHistoryLimit: 3
failedJobsHistoryLimit: 3
jobTemplate:
spec:
template:
metadata:
labels:
app: cryptpad-backup
spec:
restartPolicy: OnFailure
containers:
- name: resticprofile
image: creativeprojects/resticprofile:0.32.0
command:
- sh
- -c
- |
resticprofile -c /secrets/profiles.yaml -n cryptpad-config backup
resticprofile -c /secrets/profiles.yaml -n cryptpad-config copy
env:
- name: B2_ACCOUNT_ID
valueFrom:
secretKeyRef:
name: cryptpad-backup-config
key: B2_ACCOUNT_ID
- name: B2_ACCOUNT_KEY
valueFrom:
secretKeyRef:
name: cryptpad-backup-config
key: B2_ACCOUNT_KEY
volumeMounts:
- name: secrets
mountPath: /secrets
readOnly: true
- name: config
mountPath: /backup-config
readOnly: true
resources:
requests:
cpu: 50m
memory: 128Mi
limits:
memory: 512Mi
volumes:
- name: secrets
secret:
secretName: cryptpad-backup-config
- name: config
persistentVolumeClaim:
claimName: cryptpad-config

175
kubernetes/app/cryptpad/deployment.yaml Normal file
View File

@@ -0,0 +1,175 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: cryptpad
namespace: cryptpad
labels:
app: cryptpad
spec:
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app: cryptpad
template:
metadata:
labels:
app: cryptpad
spec:
securityContext:
runAsUser: 4001
runAsGroup: 4001
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
initContainers:
# # Create required subdirectories on NFS volumes before subPath mounts are used
# - name: init-dirs
# image: busybox:1.36
# securityContext:
# runAsUser: 0
# runAsNonRoot: false
# command:
# - sh
# - -c
# - |
# mkdir -p /data/blob /data/datastore /data/data /data/block /data/onlyoffice
# mkdir -p /config/customize
# chown -R 4001:4001 /data /config
# volumeMounts:
# - name: data
# mountPath: /data
# - name: config
# mountPath: /config
# Clone the official CryptPad SSO plugin into an emptyDir shared with the main container
- name: install-sso-plugin
image: alpine/git:v2.47.2
securityContext:
runAsUser: 0
runAsNonRoot: false
command:
- sh
- -c
- |
git clone --depth=1 https://github.com/cryptpad/sso /plugin
chown -R 4001:4001 /plugin
volumeMounts:
- name: sso-plugin
mountPath: /plugin
containers:
- name: cryptpad
image: cryptpad/cryptpad:version-2026.2.0
ports:
- containerPort: 3000
name: http
protocol: TCP
- containerPort: 3003
name: api
protocol: TCP
env:
- name: CPAD_CONF
value: "/cryptpad/config/config.js"
- name: CPAD_MAIN_DOMAIN
value: "https://${CRYPTPAD_HOST}"
- name: CPAD_SANDBOX_DOMAIN
value: "https://${CRYPTPAD_SANDBOX_HOST}"
# Trust the Traefik pod CIDR so CryptPad sees real client IPs.
# Adjust if your pod CIDR is different.
- name: CPAD_TRUSTED_PROXY
value: "10.0.0.0/8"
- name: CPAD_REALIP_HEADER
value: "X-Forwarded-For"
- name: CPAD_REALIP_RECURSIVE
value: "on"
# Downloads and installs OnlyOffice frontend on first start (persisted via data PVC).
# First startup will be slower while OnlyOffice assets are fetched.
- name: CPAD_INSTALL_ONLYOFFICE
value: "yes"
volumeMounts:
# User data — split into subdirs on a single NFS PVC
- name: data
mountPath: /cryptpad/blob
subPath: blob
- name: data
mountPath: /cryptpad/datastore
subPath: datastore
- name: data
mountPath: /cryptpad/data
subPath: data
- name: data
mountPath: /cryptpad/block
subPath: block
# Customization (branding, themes) — persisted on NFS
- name: config
mountPath: /cryptpad/customize
subPath: customize
# OnlyOffice dist — local-path (not NFS): rdfind uses hard links which
# require a real filesystem, and scanning NFS for dedup is very slow
- name: onlyoffice
mountPath: /cryptpad/www/common/onlyoffice/dist
# SSO plugin — freshly cloned by init container on each pod start
- name: sso-plugin
mountPath: /cryptpad/lib/plugins/sso
# sso.js mounted directly from the secret — overlays the NFS config dir
# at this specific file path, no init container needed
- name: sso-secret
mountPath: /cryptpad/config/sso.js
subPath: sso.js
readOnly: true
- name: application-config
mountPath: /cryptpad/customize/application_config.js
subPath: application_config.js
readOnly: true
- name: application-config
mountPath: /cryptpad/config/config.js
subPath: config.js
readOnly: true
# npm run build runs on every start and can take several minutes.
# startupProbe absorbs that time; liveness/readiness take over once up.
startupProbe:
httpGet:
port: 3000
path: /
failureThreshold: 120
periodSeconds: 60
livenessProbe:
httpGet:
port: 3000
path: /
periodSeconds: 30
readinessProbe:
httpGet:
port: 3000
path: /
periodSeconds: 10
resources:
requests:
cpu: 100m
memory: 512Mi
limits:
memory: 2Gi
volumes:
- name: data
persistentVolumeClaim:
claimName: cryptpad-data
- name: config
persistentVolumeClaim:
claimName: cryptpad-config
- name: sso-plugin
emptyDir: {}
- name: onlyoffice
persistentVolumeClaim:
claimName: cryptpad-onlyoffice
- name: sso-secret
secret:
secretName: cryptpad-credentials
items:
- key: sso.js
path: sso.js
- name: application-config
configMap:
name: cryptpad-config

24
kubernetes/app/cryptpad/ingress-main.yaml Normal file
View File

@@ -0,0 +1,24 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: cryptpad
namespace: cryptpad
annotations:
cert-manager.io/cluster-issuer: letsencrypt
# No Traefik auth middleware — authentication is handled natively via the OIDC SSO plugin
spec:
tls:
- hosts:
- ${CRYPTPAD_HOST}
secretName: cryptpad-tls
rules:
- host: ${CRYPTPAD_HOST}
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: cryptpad
port:
number: 3000

26
kubernetes/app/cryptpad/ingress-sandbox.yaml Normal file
View File

@@ -0,0 +1,26 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: cryptpad-sandbox
namespace: cryptpad
annotations:
cert-manager.io/cluster-issuer: letsencrypt
# The sandbox domain is required by CryptPad for CSP isolation of embedded content.
# It must be a different origin from the main domain but points to the same backend.
# No auth middleware — this domain serves sandboxed iframes with restrictive CSP headers.
spec:
tls:
- hosts:
- ${CRYPTPAD_SANDBOX_HOST}
secretName: cryptpad-sandbox-tls
rules:
- host: ${CRYPTPAD_SANDBOX_HOST}
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: cryptpad
port:
number: 3000

4
kubernetes/app/cryptpad/namespace.yaml Normal file
View File

@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: cryptpad

56
kubernetes/app/cryptpad/networkpolicy.yaml Normal file
View File

@@ -0,0 +1,56 @@
# Default deny all ingress
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-ingress
namespace: cryptpad
spec:
podSelector: {}
policyTypes:
- Ingress
---
# Allow Traefik to reach the CryptPad pod (both HTTP and API/WebSocket ports)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-ingress-controller
namespace: cryptpad
spec:
podSelector:
matchLabels:
app: cryptpad
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: traefik
ports:
- port: 3000
- port: 3003
---
# Allow backup pods egress to Synology (restic rest-server), B2, and DNS
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-backup-egress
namespace: cryptpad
spec:
podSelector:
matchLabels:
app: cryptpad-backup
policyTypes:
- Egress
egress:
- ports:
- port: 53
protocol: UDP
- port: 53
protocol: TCP
- ports:
- port: 8000
protocol: TCP
- ports:
- port: 443
protocol: TCP

32
kubernetes/app/cryptpad/pv-config.yaml Normal file
View File

@@ -0,0 +1,32 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: cryptpad-config-nfs
spec:
capacity:
storage: 10Gi
accessModes:
- ReadWriteOnce
storageClassName: ""
persistentVolumeReclaimPolicy: Retain
mountOptions:
- hard
- timeo=30
- retrans=3
nfs:
server: synology.storage.lviv
path: ${CRYPTPAD_CONFIG_NFS_PATH}
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: cryptpad-config
namespace: cryptpad
spec:
accessModes:
- ReadWriteOnce
storageClassName: ""
volumeName: cryptpad-config-nfs
resources:
requests:
storage: 10Gi

32
kubernetes/app/cryptpad/pv-data.yaml Normal file
View File

@@ -0,0 +1,32 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: cryptpad-data-nfs
spec:
capacity:
storage: 100Gi
accessModes:
- ReadWriteOnce
storageClassName: ""
persistentVolumeReclaimPolicy: Retain
mountOptions:
- hard
- timeo=30
- retrans=3
nfs:
server: synology.storage.lviv
path: ${CRYPTPAD_DATA_NFS_PATH}
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: cryptpad-data
namespace: cryptpad
spec:
accessModes:
- ReadWriteOnce
storageClassName: ""
volumeName: cryptpad-data-nfs
resources:
requests:
storage: 100Gi

12
kubernetes/app/cryptpad/pvc-onlyoffice.yaml Normal file
View File

@@ -0,0 +1,12 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: cryptpad-onlyoffice
namespace: cryptpad
spec:
accessModes:
- ReadWriteOnce
storageClassName: local-path
resources:
requests:
storage: 5Gi

26
kubernetes/app/cryptpad/secret-backup.sops.yaml Normal file
View File

@@ -0,0 +1,26 @@
apiVersion: v1
kind: Secret
metadata:
name: cryptpad-backup-config
namespace: cryptpad
stringData:
profiles.yaml: ENC[AES256_GCM,data:8t3Vx7GUX059eX6nxypFx/VacLL+hMy+muF3cybpSMNt5cQXONoUrFQnjW1VkWRgk/n/fqVa80HmT3g1JCeUBwNVDsM9DfH0VCiJxoMYrpDmYObkt82RUMnojhG6afPVPEduvaccOAjyslGnZAMAuQT+DIO/C8wayYDQJcIXJZeHorRJR/4P358EWw7h/p6ylNXGWPiI7IsIn0zsaePD3mshoA4ix+pUbBztTSk3Ij7iiGqltYIZkq8QYkOy4oiAmFTLxIlZfEfrMXrkOaHuvkGd1uftX3VfzJAaLmbGP5sEdkAPawYmGWLnU+ObFSL31zkbTCKhNtEwzQbDmw5RC4srVMj6UttDDs7LBzGZh/HUuXoKb+DIBlYV9siGwZH3bLrg7XoXVi2BimKPAQELlAtOfvOe7NZ8cBE34cCvd3MiZqN37uZYdx2sRHFPJp6PyWbglG2TIqj/J1lPKdZOMG7NpEvc2WXi8ltWjtNmDNjoLsaUh5+e3TqLIYkdd4BxwN0sEJFU/apyyGcS5/2TED0ZgBPINvdCVApTagNwIWjmi11VH2r5hxkb2OnZkwRjsyujmSexaFdS7jjBDXZNg6x1Q4vgBb70iCfTPqAGQyFkTpf3+AKopuPgto9LLztmmC7e4Q08D1ncDGatGRrgIXDhhhhFnbTKdle53gQKLWi8THxIF1/nlvu07zn+HYP5sWG38No2kpMJwCXeUoqXwHhcgVRlAyPka6ip+zWOyg/qdcJU4k4sCW4+DkrdwUHOCiT/0wYRMdeoDRJDLVS/5OESl3HboIQSTxDhgUid0iGH3zr35zwa3DR4mMXYPkh+Nodsp0oh5aG0lIDGrz+6lOVznYUTate1CVm3HN2zQPRyuTPMxILsEVC44qQ3KyR55VgZhwER2418wg68VFQA1uT8HTPEVZFPRgxdK4amIHr7cnC2B67/X0oeHJNbDEc0EAkEx8v08HklJQELNMNInRySW1UnBQOIWo3rl0PsZgyecWnK9vdwPjfEyzr8DVlfm7rGMNTWc7iIPwYom9jLHh4IgOU5TEVatwkd+zMS8ZeHPeFEdL/bf0YbdBqir8+X9ERSkG41OQGYL5Rhx3XM6oExfA4hGGqAEXfGTCAqIljkyKzo7280sIdkDvEBq+FMnCJ+APCSoPqNQUqZpEmWG/XP+Q+bgo5Pb32vlxL8dwcVmuiuu0cndW7gzA6YgfCRfTmGTNjW43J/h5ODBa8Vhu2WNiRMwCzH72ExOvwgKEBeP1LPHVcMLT0f/CMItcpzkuGwzlitZMAm2nmCdSB71hdtsKD6x5hIzhsDCAzZz6VCUF+NAgjOyks3urlDiBhyMnzetXnDgtLB1kL8qwIHOvWQoF5S50KrCbHTNJUhBWBJzRom7oZJOdyHwo7MmSMvRWTY5xA09umSia6/qyDlGeCHDYx/C8i3/WGUGsVKB2EzsfY=,iv:z79twnVkLyonYaOgz2f4ZW7noMlDxZgDRqYySBj+Mlk=,tag:2W0mtSBGiqgWPKDyZrKYRg==,type:str]
restic-password-nas: ENC[AES256_GCM,data:0g81dj/gNwnBPkbVXR1o5mZ4axAhnL7YwSNcnE2fI1DWly4cO3kNyxta5OdgTAGZwNeiT+qaOFi6HXHn9fSHlQ==,iv:OZEza2gkiygZ1KzvD3MJZ/JXIrfbcZenKcOJfMlEjvM=,tag:rnJ8sFQgzD6g3pEHRQLg3A==,type:str]
restic-password-b2: ENC[AES256_GCM,data:sazn2f09uZsFU1/MY30iPj0gx9pSFvcy/JgHsXTLMFbq5OimAfHsiYR1nMf2mQ8GwqMtQTF4t0lkfDnmy/8Qyg==,iv:HOI8oohNCCtP/heNBCQ5HEKfRVdMalv3MU/puRkOQ4A=,tag:aLKeUbwED2TjeAfkydj+MQ==,type:str]
B2_ACCOUNT_ID: ENC[AES256_GCM,data:Jh4gWGGt5wVaVAMG5oWFXW7W0Taq9Qiyhw==,iv:XZtsiYUtFtSDhgLpG3uNIGLHWqGmCM3zHq2RUu6tdXM=,tag:KQfrBmkAYadVvhtgAzDNzw==,type:str]
B2_ACCOUNT_KEY: ENC[AES256_GCM,data:XI+P//Ti512rQfDgmV00Bq3Wxly6//ESBKsDItXdug==,iv:/xAPGSJIathFIwyWUQoBW2DwYBpHnJCElnRMe16Pf9s=,tag:xSh2kFbQnw+bpAbbQ3rHWQ==,type:str]
sops:
age:
- recipient: age1zffnskvuezntkk703a0pyxsd5m8vx2hm33dr47wdfy8mn4fdw4sqgw0jgc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlVGM3NlRSenp4d05sTEdY
c0JkdW5Xd2RQU3I4SlVTczVRWnVaRUY5RHdnClM1QVlGR3lRWGZCVXR0RjR1Kzlh
ck4vLzNpeThIdmV4citIaFlVWnpFWXMKLS0tIHV2aWtSVTRxMzUrbldwQVRLRHE5
ajAzS2pINWIvQTc0T0FhMit6ZHNVRlkKW6hYD2mjAtZRyC8/fbSWiij1/clTB4br
sAmsCMBIDQf+r12TuzzpLiMnNOIU349GcYxuA24GWaEanordqCLz3A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-03-13T12:31:48Z"
mac: ENC[AES256_GCM,data:O+jD7jCBoQYNrRr+j/yn4YkGLaggHee8YVmvE5I5QXOB5pfPg09yQbuYj2IhKPBbVXl24ejlNDEAG3/qDaWgg1IlB+dKeTyrqxWq+mQ7vM9bgNRhf4ozS1lL3NR23V6JhilrosxTlFYCajerxdUbCh0vBXqsdJ0cIV8yggtQ7eY=,iv:gJkOvEFY4L/7qE3zMYnnon8XcGUegmcWKvKQ+/rxBVo=,tag:xQ1Qo7SgOs3N8451xX7Yxg==,type:str]
encrypted_regex: ^(data|stringData|email)$
version: 3.12.1

25
kubernetes/app/cryptpad/secret.sops.yaml Normal file
View File

@@ -0,0 +1,25 @@
apiVersion: v1
kind: Secret
metadata:
name: cryptpad-credentials
namespace: cryptpad
stringData:
#ENC[AES256_GCM,data:s4VxDsDqwHw6ZhFNzA/mS+gdPwZlV5AcBDRUqfHTKSzjQPVg7unz7HkyfXtSBt36aH3P7fR9lUF1XtNvH9fF+6EfCa1dzIToSEw=,iv:TuYHrkjDFkA7fHhWzaHGrptyP5ClwiMArjoTf5LHXrQ=,tag:gvZxTmeeCEDTISgIpKxhhA==,type:comment]
#ENC[AES256_GCM,data:CXpQCo8r5GCE6lIpXpXlab0CEdMCuNC54Ynh4ahfE1fv2c49wNoiQNRQAjONbmhUoUIiUcCehNmuw/ZK5Fd3rvVUhXdUAKYo,iv:U6vrAHUz22QWSLxBYRFea+LXajuHIh8NlggB6DAoCjc=,tag:nnV8RMrNv+trUQgXpCvkJA==,type:comment]
#ENC[AES256_GCM,data:7TBFv3i2TzlyAcVhAdFE6T2F0E8pdAbYZorT6/brY8Ed+g6LvnwdVaYPcpJ7P6ETWXraqbhoktWICYklr35PAg==,iv:xsPinB1/gkzMHyzsrJ2gj8Fm0PWaIQbtBIB7fT1BTzI=,tag:O9dv+myneU7neE7JiRGuBQ==,type:comment]
sso.js: ENC[AES256_GCM,data:u1XHMXQKf6QtqqjzNx8LZIEZxKSWhVFZbgvKBqsGoKo7kve0nZynH/bYohVO3XDBtahBqDCgeAD/rj5OE2MlEhwF0OTfylpPmlDjD3tuwogMv2NSDwERzzGv2BvMY97kIRwbGP3OtHGEEGO32JmNKWInZH7BrazeX5gvNLKjHk8XtCN8jKxoJwGEYw7EM8s219iFyQISKjo9/yElv4JVlecIa1bcbzswRsgWqzjG3kBJ2HLRcnH4Nr8D8VCDEdO32GHS0Y9Z7b3eaaj0YQyWleyAfqlufktMcr+SFDSQy4sPnzFuydi7kPXRb6OVDZLaKMVA4422VEEsuAOcz5CUZIJAg5KhPz9lZsruRw3hZBTjhRE2G05TwsvJNwY005rVe2pHL/Q3OZRKNZIfXK34lOwnBQMnBPJvtogIT+hZUBBAyz82nuR8KuujsGLo4sJPC/Vuayg9CrwxbQRx7fit5sdu5djwvVleBKyayhbBaP23BZToB9znSNm5HCOpohpAg4OYXazRpLBGH6lHla1tZy7MpfnoltEOHjeBQoqpez3zBQ9zNichIuPVnIK0h1dqAjLlZc5n7d9L6AHDrzSRq40iOnuc4ZuATMXtmd1JynSrjCH4FYKtROV9V3JXUCK9GwnZ04D26rbwxCKKykHkABF4AFDvv4ZeJPvN+Ag6R8TuSG74qzRUjvBP1+2uR/y9IsN5dGviYKzGnVFvkD87RrF3nZQc40+C4CfAuP9xTLJPzZ0b1t6Qr3Q52LipSyOt/I04ULToOU4U7heEkpbZxJAWiAlgLskjy9TfL/OY1uyZT9ZanWAhRVBa0dk2h8I5p9a01XtR8X3sIqg41i1K3VqEcKGk7IQMf+WmiUdLef7qx6Gq3+Di067NJ7fKKNAN3IFGE/LBlBVaj1fQNOaCfjSJ/A==,iv:FSSJUe6ymLHIM5CQLVgemHX71Z7Bz609WsNkOs9QM1E=,tag:Wxdnfa6WXyXVxI3VjU6dMA==,type:str]
sops:
age:
- recipient: age1zffnskvuezntkk703a0pyxsd5m8vx2hm33dr47wdfy8mn4fdw4sqgw0jgc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5Vm8xRmZ0WDJRMmNPVUxq
T3VQSUVUYnVER0FFVW5FYWFHaUV3S2daWFJvCmxLdWpLVHpnMWNQaTlDZ0VOZ0JL
K044cmpRZm50SmZNNWZlWjBDS1hGS2cKLS0tIGRxMnZTTWRRMlg5eVBOb3pVYUlK
clRoWlp2SjQrOGFjQW92VnQ4amxUMXMKMjcBWo44X+Y2kmwpKZcBsBZZkWQJZEOf
VscZUj8VAZKF9IxOmbBaFc2EBi5xI7sYJSJ+gaLHHKLhcSNu59P+kQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-03-13T19:48:58Z"
mac: ENC[AES256_GCM,data:0mpN6sWiCHp3zVIKIdIEAnBEcczPb1YVfj4fae50JnJ4jF9ZZ6Wz4sQny00LKN59NFFHHM5bOa+ibqEXZ3pgtF0WQmmc5Sfn5w6n66L4mSJ0Pjx4akMJYjt5xMkRuLG996yZXg7pvSd3YrMgJEqf0hiexN+KJMLDqUwDIYpUHpc=,iv:BMIyWxc0k8SZTxS9/F3Vxfa4HY/WordDRQTfJmZZSI0=,tag:FpPT98LvKY2HgeBfZOw5TQ==,type:str]
encrypted_regex: ^(data|stringData|email)$
version: 3.12.1

17
kubernetes/app/cryptpad/service.yaml Normal file
View File

@@ -0,0 +1,17 @@
apiVersion: v1
kind: Service
metadata:
name: cryptpad
namespace: cryptpad
spec:
selector:
app: cryptpad
# Session affinity ensures WebSocket connections always reach the same pod
sessionAffinity: ClientIP
ports:
- port: 3000
targetPort: 3000
name: http
- port: 3003
targetPort: 3003
name: api

68
kubernetes/config/cluster-vars.sops.yaml
View File

@@ -4,43 +4,47 @@ metadata:
name: cluster-vars name: cluster-vars
namespace: flux-system namespace: flux-system
stringData: stringData:
LUBELOGGER_HOST: ENC[AES256_GCM,data:mo4RhFZ9ToCqhLptPjTmQ/ZSLpVI9520zrc=,iv:kfzOXDSTQmSL9OIuGvwRn/iImcW6UMCtGfwt06+iQoo=,tag:xT2heEQ7xZFCrDTgQiEm2Q==,type:str] LUBELOGGER_HOST: ENC[AES256_GCM,data:QuBDk9WJ7LTcdHb/bp88hikNcCtLO92eqNk=,iv:pqqc9NsnnTzhhQ5t83stJByNTROavNnmKSPthjBXexE=,tag:8lHy65UkfmSa7xmddyqYxw==,type:str]
LUBELOGGER_DATA_NFS_PATH: ENC[AES256_GCM,data:qHdWlXxFEpiJ8JQUcL4K7oqTM5bO29KUNXUG1LI9M1pSYyuP,iv:eRtUjUXe2k1m/hMaj4vUISAHxLKllH9hvz6kJJbRKfA=,tag:0rQ53dRA3qOxViB3IpWvfg==,type:str] LUBELOGGER_DATA_NFS_PATH: ENC[AES256_GCM,data:+WDbvq7eH39G93J/+x6K8c6wokU7qoyp7LH7h/RXdtbhKnla,iv:Hya9YrPOKEm/aJS0kxSWoJS9r+HTFQJUlyZs+HZJpzA=,tag:0e3JGlhbP4TPyOlXBTz+tA==,type:str]
AUTHELIA_DOMAIN: ENC[AES256_GCM,data:j3Ly+ice3WnD8Bsp4HYY,iv:hTxKhvXwg/fMWTPuj/fXQIbM0Hg8pS9nIP0dY8e3rRg=,tag:sCh+1/nEj0FcJE+NQvbr6w==,type:str] AUTHELIA_DOMAIN: ENC[AES256_GCM,data:caSiQvcSS1LewjHfgCYs,iv:FPQKCaOR4uHUHhLfREHe6On1eei52G22IzpmM1NgEsI=,tag:ykET9qINerjhNeS7bnJe/A==,type:str]
QBITTORRENT_HOST: ENC[AES256_GCM,data:TMTdrznfaA46SiExvQx1ZzgkANLw6MA8MGLX,iv:1AxA9vEwLh8bthKEptzzbKfRAZDB1yvQ0a+HBLxKUmI=,tag:xVITE1MfFmV76TwQ9/rRuQ==,type:str] QBITTORRENT_HOST: ENC[AES256_GCM,data:qN8gP/np3cjQoFVvIJdvo+1ebl1SskhO5DBK,iv:hY7i616K8palrLggUTzlL6BpSSZEBWh4WsGN1TRUpzA=,tag:iYsAKc1SBfcYqWEMMZm1gA==,type:str]
SONARR_HOST: ENC[AES256_GCM,data:Q9OEDs7He/H1HayAOXSLrU7wvs8gQg==,iv:1dHreVGSc3zNPoWJjnvhgbUX8JxcEIF/JFL7PMIxlrs=,tag:/xDdrIMTsPmxZ39BY1Pb6w==,type:str] SONARR_HOST: ENC[AES256_GCM,data:YxisUk/Uy/Lf7cowWCqZsn8KJ/UpKw==,iv:UstF8GaxjmQm2Q5Rp1U9U0QI2Df7SN1DSPs7JOXRVBI=,tag:1jE3fWvbkr/L5PvYI0SxBg==,type:str]
RADARR_HOST: ENC[AES256_GCM,data:Iv3321zxPNtqtH6cz7hb0R74wMsYCw==,iv:88LqT+jf5qAF02kD0+ovNOLWak5YYNyWrWZksdjZ2HI=,tag:zoMJlpWJVh6l7oJH3I99HQ==,type:str] RADARR_HOST: ENC[AES256_GCM,data:dUL+yqEePzXTbTlz4F6YLVkDsQIEig==,iv:VzCh2ogRGNIJC40CTi2dOhZdi9WxxWgzN+e8IDdPAEo=,tag:bJLtWZJlTxeN6m7zVAmtLA==,type:str]
MEDIA_NFS_PATH: ENC[AES256_GCM,data:ygNqir+aeTWDGuDSJzY=,iv:hB/EaXaYWHCFWAfrF4KRIOjsxjAWrv/PK9M5zfl4P98=,tag:/zxr9KeoQMkjrC5P5+gFMA==,type:str] MEDIA_NFS_PATH: ENC[AES256_GCM,data:drjxaZ7uaFiovkY7Mo0=,iv:rfqIjqMumFI7oePn+lA8CfG4vAhfxL32Uv2ZttTH038=,tag:LIver6FC7he5d5Bsi4PfXA==,type:str]
IMMICH_HOST: ENC[AES256_GCM,data:o4v0yur2+mIIpUNrX3M8dzTh6p8pLw==,iv:3TVgj/krd83qHJybk/UiXKW+K2XAMxGK+KdOGmmAhbY=,tag:z+cPhTEIPLn/UKQTD5kp3w==,type:str] IMMICH_HOST: ENC[AES256_GCM,data:1LGD3YrmOO3/sIhR0149Q/suEHrLWA==,iv:mCz716bly6VtfKZBK+jLCr3oURAiqoXeECnsCw9mnPk=,tag:esKqHiz1pd9eUIk3jQYm7Q==,type:str]
IMMICH_UPLOAD_NFS_PATH: ENC[AES256_GCM,data:ZV0eoVdFpmZcd1K80Y+l,iv:Nm40FXFxTJdpk9K+1n/qw5Hv//hOtQ1gqlPnenn/d4A=,tag:S1Oe3ekG+2HWfUXT4L07BQ==,type:str] IMMICH_UPLOAD_NFS_PATH: ENC[AES256_GCM,data:AvHp67fslvEzhk3IdxwN,iv:TQbwhfCma2+zeH+HMWGCI8GiX1uFCM4bc0XBr7K0ids=,tag:dXZFHpXFcZ04EvFkN2iIXg==,type:str]
JELLYFIN_HOST: ENC[AES256_GCM,data:kl6DVa63VWSkJBvLAyPgdMdQWY3KQMME,iv:fZRHSmZDdzb4Q4QrQ7aWNKtoQDk6h5oiM4fNWeoVwQM=,tag:hNV90VtbFfg+pr2KpsIPbw==,type:str] JELLYFIN_HOST: ENC[AES256_GCM,data:VwDP7lAl4De7261TkxjhwrGDhjbPWnsw,iv:iiGkrhmrCaP0uJGIS86lHHpTvK9/LEbPDmUynbvb5Zc=,tag:dsaHhji6yqhoI+MHWbbSww==,type:str]
JELLYFIN_INTERNAL_HOST: ENC[AES256_GCM,data:RkkZKpdZNsDxmCCGFt5qYEwV7hL/,iv:2yjtHRXRnCxGTyOqjaVWVFH6XZKHLYfN0E0Pzz0vsmA=,tag:eS2K/bKXmby+GpzhVpkh8w==,type:str] JELLYFIN_INTERNAL_HOST: ENC[AES256_GCM,data:GIPmFvSbmIPS2FRhBvjsmpljh+N+,iv:PZyyKY1HfxDGwDGBCVbRBgrR1t7viB7pOiv8C/XUGB4=,tag:LyPdXi47GgehLyT5AmieAQ==,type:str]
ARCHMIRROR_HOST: ENC[AES256_GCM,data:CGLUdXiplaG1w71pxtqMC1Yq43lM+0Y=,iv:tCVzEs+h/w4YzLdf691npWDNVCPSyky8H++sj7tsRe4=,tag:EkH5dVeZk67yFpnV2CrBEA==,type:str] ARCHMIRROR_HOST: ENC[AES256_GCM,data:NearvWUsTMh6siTUOlBGZNn103eimkU=,iv:96e/phG8pIIsNZSrRQvh1FacbuUlWQ7kgsT8BEvCdo4=,tag:9WZQWF+gwzzMYSr/a9pssg==,type:str]
ARCHMIRROR_NFS_PATH: ENC[AES256_GCM,data:oGDI8Nl3Zf3iuMA3sNN2jqniaA==,iv:CgjUobkblU7cWI+nTV3JU7kwtOlCEDk+PDhCSBdE0mc=,tag:wFezeyn4cRrzIXDaAg7mEA==,type:str] ARCHMIRROR_NFS_PATH: ENC[AES256_GCM,data:nrvDtUp/GPrwPESIG6JSiwNQ2A==,iv:8qouFgmfzrwl6FisfZM0S8Jn8640vJqQloR5IQ7GXA0=,tag:xBecYxsHS8hMs5MY7V7KKQ==,type:str]
ARCHMIRROR_MIRROR_URL: ENC[AES256_GCM,data:DoI5nr/RSdtY4zaIfmlprAr+n2ExKA8qUKRXqhT7lOPyUZtU2ItSzY8mTIbS,iv:biT2NysvqRbpwds4MbWHIBbUmIoJ/9hUHxWOeR9AHHw=,tag:4J2yS+n4NN+hmYtSyrxVNw==,type:str] ARCHMIRROR_MIRROR_URL: ENC[AES256_GCM,data:3Oi1H75txcHQIY/hhRD7gM/B3O9qTDLtBqVtI6oLbp6tQ6Yv+JIgaOccbD7L,iv:orVYaNKGbHVx5y57jrQIgJZOJFAfrnOwDdNSjNSNHjg=,tag:QeJTLHLFSZI/f1BfvZbPiw==,type:str]
PODSYNC_HOST: ENC[AES256_GCM,data:9JjkiVULuU4TLG7vbWoORZQsxvnAv2g=,iv:RVP7P0wlomAxbJ+856ITaQZfFOP78RJYE9HIDDqs1Gk=,tag:pJ5s8ouur7E0fYOeNkkspg==,type:str] PODSYNC_HOST: ENC[AES256_GCM,data:tA5u8V+eu1IwxJHsLYb8KxgL2MECKBU=,iv:TTyZNPXVyfL61kY6fylrGzFVL9EfmiGsvInUuowarII=,tag:FQJSmNQ2zKFrxc4/eORZag==,type:str]
PODSYNC_NFS_PATH: ENC[AES256_GCM,data:eZTdkzRq6RyBls2p+c83Zs14eVFs,iv:MnZrhxJ9i9XzPgvTfmLvrq0GwATxEffXfcIX+hJ+F44=,tag:G8LEfhfNqz+JKO+m6d2JbQ==,type:str] PODSYNC_NFS_PATH: ENC[AES256_GCM,data:mKlv16ySwzdT9YENiok9i/xwBeBQ,iv:c6uSkGazodRjhH9WdRYHgI6YfolDrCpAlkKA2oVNj3k=,tag:ForwAcRFxP2UqViwufQcfQ==,type:str]
PIHOLE_HOST: ENC[AES256_GCM,data:Uaumycd9RVBTbG8IJtqwxz08RTZHGQ==,iv:4htbd/WBr4gY31NaocdiRUctfAEoDu5DtBgnZarxNxo=,tag:viq01wkMfYucjfh87No5Hw==,type:str] PIHOLE_HOST: ENC[AES256_GCM,data:mG/8qHvZ4J7Dsgji/RPLOsjPNx6mow==,iv:CQpWtnZ5XWlQ169RpfE/kaCxJ6eB5NgfL1CgBRHU8ow=,tag:gIwe34Hv4felrvn00nqQKg==,type:str]
PAPERLESS_HOST: ENC[AES256_GCM,data:tAAI/R+sg9XfLLQBXbxf+xrz1l4lIHhXpQ==,iv:VYmnOxYXftZ3GDum26bghoxxCsULpR5AOHnrGanA5YI=,tag:drVRB7ktOvmh+D87bWI66g==,type:str] PAPERLESS_HOST: ENC[AES256_GCM,data:NeaFxM3W1r15ZStzm9J2XCpFS3Ah4JhQ/Q==,iv:cqN1pjY99b8O++vCgjawfZxzPWG273bOjahWJEmqCP8=,tag:938T5rWu5jhuLyJuAPG/lA==,type:str]
PAPERLESS_MEDIA_NFS_PATH: ENC[AES256_GCM,data:y/lRctau9ThQ5fPFdOM/HBd8,iv:qN5fIcna24uv0jHq4MNzNMDk411vgkUBk89fl2wQqig=,tag:eEMI1DVmO6ZtWUBmd8Cnug==,type:str] PAPERLESS_MEDIA_NFS_PATH: ENC[AES256_GCM,data:CYa9GzWOKfAjarJHXtvENsNC,iv:cTha+yGPGP4B1mj57dypaNiOvJnXAVhm9er9CQWaTGo=,tag:49OytTJW2+e/+jgrB+J4Kw==,type:str]
PAPERLESS_CONSUME_NFS_PATH: ENC[AES256_GCM,data:bdU1NbD1gD40+xbZREdow0B40PhA1vQ=,iv:EP9z698LVr8AaOc68vEHFJ0DwsSAAWvfK+PGYN/eT24=,tag:JC9VwM5u9LKAnE6xibPJOg==,type:str] PAPERLESS_CONSUME_NFS_PATH: ENC[AES256_GCM,data:VhWw5YmwjtwiEoCr5EzCBWWrN2uKgm4=,iv:W6fGL45hRRcU1rHiUU0IgbXEM1TGSSePeMrVCEWgG88=,tag:ELcOHsMItD6/9DqSpz6N+A==,type:str]
PAPERLESS_DATA_NFS_PATH: ENC[AES256_GCM,data:uCwUZzQS6vnnZ3rKXl5UaZsRfuYSotia7pFxZTPPA+XSUzs=,iv:vSyZmSCYz2VoK8UyBFaaB4nynkm/v+9AYTaoBHk+jzg=,tag:gSAEGvxbbdeoCbTZL0VlMg==,type:str] PAPERLESS_DATA_NFS_PATH: ENC[AES256_GCM,data:A6sZGcSFPmnPelq8bDL7mtfdDC9UM+7SSTbgKlZdxaa1gdQ=,iv:a737cuKoiUzO3YY6npDdf8ZEnO/9kYNqsx4mvv+scPA=,tag:Lia6JthxOZUxrvq9d1nvXw==,type:str]
HOMEPAGE_HOST: ENC[AES256_GCM,data:noHdJM8h94an/Z6w5SHman+WslE=,iv:4fSqGovcPeva4lCRj7f6SYk5G7nxNYYG1Y3PaRZngbM=,tag:aM79SYGMpe81KxoXBSfHVQ==,type:str] HOMEPAGE_HOST: ENC[AES256_GCM,data:4XI+Sq5sznKiNxA5YCd6UE40JH4=,iv:eUAW0IqfBYf+bAZQ7KBRWsyrIECIt+yUcWWIKfmxOAg=,tag:Pxsx3y9fyv/AA98ISl0fzw==,type:str]
GROCY_HOST: ENC[AES256_GCM,data:ZiQ/OgOfqVuGSBgm4uTTlStWOmic,iv:JRA/BgFz3y8zxbYmCeZcJqU9ICMIzLEri1CHiSkdm60=,tag:0G7gFRUo++uUkSCtU+DxPQ==,type:str] GROCY_HOST: ENC[AES256_GCM,data:w6D1mfF+OLfvIqVYSQEwp78HYMGI,iv:h5S6aGLzIb19BvnXx4UZ5I10ieZRKYB74Ndrzr6CBNc=,tag:YDy3zjoWO/83B6OR60DBUg==,type:str]
GROCY_NFS_PATH: ENC[AES256_GCM,data:XaCaZ8QsqmmnUGJlfcqFitGr5j3b2UeJJbWAaLmwgn0Y,iv:manP8bjzo1rlfIh0pFeLGI16Sxc/v5uwKwcOvk5fAJg=,tag:ucQ+MYlfuYmRobBDk69U+w==,type:str] GROCY_NFS_PATH: ENC[AES256_GCM,data:A+cXeJJ4VYkSn1utXVFzk391bX3vpjedPZwnkuWvthpf,iv:+d9W861HZwwRWKZoxmGCxTPp3njjFC+jHDUTi+ummp8=,tag:U1zj0OJWFRtnMhWi4lJr7Q==,type:str]
BACKUP_LOCAL_HOST: ENC[AES256_GCM,data:ph1AVgk0R7hYC0lwLFk0fIIGqO/Y237DGaM=,iv:vt48bzCXVtBJeCvbEJLPqY3L7TuQelZaKC90LHMw8TY=,tag:xS9aUhuUC8EfE6p4elKemg==,type:str] CRYPTPAD_HOST: ENC[AES256_GCM,data:sbmFVAfakR6YsrjRxwNqDdK+dlW+B7EE,iv:vPXVGpCWaPUKJl6XsiVeFWhsFvl/fHamZrAegL3eddw=,tag:KcsSM6iZaja6OG6NtIPoBg==,type:str]
CRYPTPAD_SANDBOX_HOST: ENC[AES256_GCM,data:k0xDNM8Va173zT2z/tx03Qol/kp/Q8qTtDi/4MpNzC8=,iv:HVtPhrD6SAdk8tHb7DbLQ9XjsxIjSguFVukEmc21I0U=,tag:nHhy9qYMCUZThHmaBWKn6A==,type:str]
CRYPTPAD_DATA_NFS_PATH: ENC[AES256_GCM,data:XMxe5eTMz6i6IeoVvluq7VsitGlJr6nOtycLz1+ZKmusKg==,iv:UKVF/r+Xn4voxKoPgC4KIFrPXMStfA7AlQ8laYG3umw=,tag:Y6aBzCnpsfFYB98UeKOCcA==,type:str]
CRYPTPAD_CONFIG_NFS_PATH: ENC[AES256_GCM,data:TPnD5ASCOPa88yC/cIMEJGe7ANe1AQ2P8gWCNeflyTjFzdEC,iv:pUpCwXOH8phWRtXbZKieHtWRp+/SZfRltPUWe+9yM7Y=,tag:X0vgZ+zfKsb5a8lYzrEe5Q==,type:str]
BACKUP_LOCAL_HOST: ENC[AES256_GCM,data:Q6h+PiTmuoYNUgP1IhhGOGhSfmqay+y0Tp8=,iv:a+/TByPEf0XVQ9CVo+xMoEzVusayFFb2PlRohDBe4Qw=,tag:VYHLADu4lOL4S8390zi6KA==,type:str]
sops: sops:
age: age:
- recipient: age1zffnskvuezntkk703a0pyxsd5m8vx2hm33dr47wdfy8mn4fdw4sqgw0jgc - recipient: age1zffnskvuezntkk703a0pyxsd5m8vx2hm33dr47wdfy8mn4fdw4sqgw0jgc
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpUXpQVDcxWmhaMVVFKy9n YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsUjRiRlhtRjlnT0hQb0Fw
aXgyLzBrU1dUNC90VnFEbWhwNkVlUy8yaFdvCmFjeEVEeWF1UUlCV3dqT096d1Z5 Q3dkZlUvY0d2YnE2d3ZUa1krSGhmblFwaHpBCnVEZHVUNm9ncU5aQ1R6U0x6OHBR
YUV6bHZ2eUNvZXZRRXkvVVZ0VTVyalkKLS0tIGdUN0dDVnlDUnYwZCs0c3NNd3ht QVhVa0JSU3ZpQUJNOGRPUC9lRFA0dWsKLS0tIE1idWlGeTRSd3dNWk83SEI2Q3E2
WDZkSzBPSWdqV3VlVE1xSE5VQ0hObXcKaSynnP7cN8VI2vUtIaexGAY7eWdQ5M8B Ky8wRHhmMWE0dE5PNjJsSWxDU251bmMKXV0Vszr6BhiPekFiE48+Kw2FKOGyPr6B
YIF0ijHuzUGBzdgx0oyA9SX+3LiHPGuVt3nbQk/RAUzzc4GYxoX1JQ== /x2AbGBwgLHuAp+ge9kAZd6xMTum+KOa2Zt6Ms892/lPqhp7at2e7A==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2026-03-12T10:47:06Z" lastmodified: "2026-03-13T12:17:18Z"
mac: ENC[AES256_GCM,data:4Jeh3BpZ1eEWm5BZujXG2TBIAgVr2y6PgQvLXLhYpDvJohzL+lwbeiB0/CbW/jC5iKddivyJaA7FxgBoJK9DHMc1+r198nmiC5e38vQ+wIGgpPxBcF5CuBg1ogfudu6y5TowINYnsfUR4/6APOcan+xuHFTz4kzqmzuMtThbRSw=,iv:zwPaN6AQxklGCkkhCgvUWP4NdaO8APPou6PMxkPeyT0=,tag:YFueXynrxa4iRSGN2v1u2A==,type:str] mac: ENC[AES256_GCM,data:Q0QTTK476NLfk0zToVjVbXr8qiIE+PDRdsnCQRQJWqcJrbr8Gn8NghDVq8D4++FYamrudATTTxhbypaPh4Hm6PCeZaGgtnknPo+kwjIyhh6HMnqU3tyq4obBhC1W65HBQ6V57NyNnYrNIPMpG5afrZpsKMPeQuTxlnohcn9UHnE=,iv:43LluR5Lje9445jSlHC/ubIeNWpH6WmqP3pXerUxPxw=,tag:XuNHBpx4FY5YLgzAYVUZhQ==,type:str]
encrypted_regex: ^(data|stringData|email)$ encrypted_regex: ^(data|stringData|email)$
version: 3.12.1 version: 3.12.1

18
kubernetes/infrastructure/controllers/authelia/configmap.sops.yaml
View File

File diff suppressed because one or more lines are too long