Merge branch 'tmp/secrets-5' of https://gitea.alexlebens.net/alexlebens/infrastructure into tmp/secrets-5

.gitea/workflows/lint-test-helm.yaml

@@ -169,10 +169,9 @@ jobs:
 
           echo ">> Running linting on changed charts ..."
 
-          lint_chart() {
-            local DIR="$1"
-            local CHART_PATH="clusters/${CLUSTER}/helm/${DIR}"
-            local CHART_NAME=$(basename "${CHART_PATH}")
+          for DIR in ${CHANGED_CHARTS}; do
+            CHART_PATH="clusters/${CLUSTER}/helm/${DIR}"
+            CHART_NAME=$(basename "${CHART_PATH}")
 
             if [ -f "${CHART_PATH}/Chart.yaml" ]; then
               echo ""
@@ -183,8 +182,15 @@ jobs:
               echo ">> Linting helm chart ${CHART_NAME} ..."
 
               if ! helm lint "${CHART_PATH}" --namespace "default"; then
-                echo "${DIR}" > ".failed_chart_${CHART_NAME}"
-                return 1
+                EXIT_CODE=1
+
+                if [ -z "${FAILED_CHARTS}" ]; then
+                  FAILED_CHARTS="${DIR}"
+
+                else
+                  FAILED_CHARTS="${FAILED_CHARTS}, ${DIR}"
+
+                fi
               fi
 
             else
@@ -192,20 +198,8 @@ jobs:
               echo ">> Directory ${CHART_PATH} does not contain a Chart.yaml. Skipping ..."
 
             fi
-          }
 
-          export -f lint_chart
-          export CLUSTER
-
-          for DIR in ${CHANGED_CHARTS}; do
-            echo "${DIR}"
-          done | xargs -P 4 -I {} bash -c 'OUT=$(lint_chart "$@" 2>&1); printf "%s\n" "$OUT"' _ {}
-
-          if ls .failed_chart_* 1> /dev/null 2>&1; then
-            EXIT_CODE=1
-            FAILED_CHARTS=$(cat .failed_chart_* | paste -sd ',' - | sed 's/,/, /g')
-            rm -f .failed_chart_*
-          fi
+          done
 
           echo ""
           echo "----"
@@ -335,9 +329,8 @@ jobs:
           EXIT_CODE=0
           FAILED_CHARTS=""
 
-          validate_chart() {
-            local DIR="$1"
-            local CHART_PATH="clusters/${CLUSTER}/helm/${DIR}"
+          for DIR in ${CHANGED_CHARTS}; do
+            CHART_PATH="clusters/${CLUSTER}/helm/${DIR}"
             echo ""
             echo ">> Validating: ${DIR}"
 
@@ -350,23 +343,18 @@ jobs:
                 -strict \
                 -summary; then
 
-              echo "${DIR}" > ".failed_chart_${DIR}"
-              return 1
+              EXIT_CODE=1
+
+              if [ -z "${FAILED_CHARTS}" ]; then
+                FAILED_CHARTS="${DIR}"
+
+              else
+                FAILED_CHARTS="${FAILED_CHARTS}, ${DIR}"
+
+              fi
             fi
-          }
 
-          export -f validate_chart
-          export CLUSTER SCHEMA_LOCATIONS
-
-          for DIR in ${CHANGED_CHARTS}; do
-            echo "${DIR}"
-          done | xargs -P 4 -I {} bash -c 'OUT=$(validate_chart "$@" 2>&1); printf "%s\n" "$OUT"' _ {}
-
-          if ls .failed_chart_* 1> /dev/null 2>&1; then
-            EXIT_CODE=1
-            FAILED_CHARTS=$(cat .failed_chart_* | paste -sd ',' - | sed 's/,/, /g')
-            rm -f .failed_chart_*
-          fi
+          done
 
           echo ""
           echo "----"

clusters/cl01tl/helm/excalidraw/Chart.yaml

@@ -19,4 +19,4 @@ dependencies:
     version: 4.6.2
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/excalidraw.png
 # renovate: datasource=github-releases depName=excalidraw/excalidraw
-appVersion: v0.18.1
+appVersion: v0.18.0

clusters/cl01tl/helm/external-dns/templates/external-secret.yaml

@@ -13,5 +13,5 @@ spec:
   data:
     - secretKey: api-key
       remoteRef:
-        key: /unifi/users/cl01tl
+        key: /unifi/auth/cl01tl
         property: api-key

clusters/cl01tl/helm/foldergram/values.yaml

@@ -70,7 +70,7 @@ foldergram:
       forceRename: foldergram-data
       storageClass: synology-iscsi-delete
       accessMode: ReadWriteOnce
-      size: 500Gi
+      size: 250Gi
       advancedMounts:
         main:
           main:

clusters/cl01tl/helm/gitea/values.yaml

@@ -213,7 +213,7 @@ gitea-actions:
       registry: docker.io
       repository: docker
       # renovate: datasource=docker depName=docker
-      tag: 29.4.1-dind@sha256:c77e5d7912f9b137cc67051fdc2991d8f5ae22c55ddf532bb836dcb693a04940
+      tag: 29.4.0-dind@sha256:f80c26212befc1c1988b529495532c6b9180d9b1dab1611f4a1efbe9da8ec821
       extraVolumeMounts:
         - name: docker-vol
           mountPath: /var/lib/docker

clusters/cl01tl/helm/grimmory/templates/external-secret.yaml

@@ -1,10 +1,10 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: grimmory-database-secret
+  name: grimmory-database-config
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: grimmory-database-secret
+    app.kubernetes.io/name: grimmory-database-config
     {{- include "custom.labels" . | nindent 4 }}
 spec:
   secretStoreRef:
@@ -33,11 +33,11 @@ spec:
     - secretKey: access
       remoteRef:
         key: /digital-ocean/home-infra/mariadb-backups
-        property: AWS_ACCESS_KEY_ID
+        property: access
     - secretKey: secret
       remoteRef:
         key: /digital-ocean/home-infra/mariadb-backups
-        property: AWS_SECRET_ACCESS_KEY
+        property: secret
 
 ---
 apiVersion: external-secrets.io/v1

clusters/cl01tl/helm/grimmory/values.yaml

@@ -27,7 +27,7 @@ grimmory:
             - name: DATABASE_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: grimmory-database-secret
+                  name: grimmory-database-config
                   key: password
             - name: GRIMMORY_PORT
               value: 6060
@@ -98,7 +98,7 @@ mariadb-cluster:
   mariadb:
     rootPasswordSecretKeyRef:
       generate: false
-      name: grimmory-database-secret
+      name: grimmory-database-config
       key: password
     storage:
       size: 5Gi

clusters/cl01tl/helm/jellystat/templates/external-secret.yaml

@@ -21,5 +21,5 @@ spec:
         property: user
     - secretKey: password
       remoteRef:
-        key: /cl01tl/jellystat/config
+        key: /cl01tl/jellystat/cconfig
         property: password

clusters/cl01tl/helm/kube-prometheus-stack/templates/external-secret.yaml

@@ -13,7 +13,7 @@ spec:
   data:
     - secretKey: ntfy_password
       remoteRef:
-        key: /cl01tl/ntfy/users/cl01tl
+        key: / cl01tl/ntfy/users/cl01tl
         property: password
 
 ---

clusters/cl01tl/helm/libation/Chart.yaml

@@ -26,4 +26,4 @@ dependencies:
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/libation.png
 # renovate: datasource=github-releases depName=rmcrackan/Libation
-appVersion: 13.3.5
+appVersion: 13.3.4

clusters/cl01tl/helm/libation/values.yaml

@@ -12,7 +12,7 @@ libation:
         main:
           image:
             repository: rmcrackan/libation
-            tag: 13.3.5@sha256:fcfeaa406a3567e3de89d85bf761d17868029c6e8a127922672770cb812b9be8
+            tag: 13.3.4@sha256:eb0357e8a880ed0049dffd2a99a9d2eda322ed33b3b9e16f4fb93eb15275f396
           env:
             - name: SLEEP_TIME
               value: "-1"

clusters/cl01tl/helm/matrix-synapse/templates/secret-provider-class.yaml

@@ -16,102 +16,22 @@ spec:
         fileName: config.yaml
         secretPath: secret/data/cl01tl/matrix-synapse/config
         secretKey: config.yaml
-
----
-apiVersion: secrets-store.csi.x-k8s.io/v1
-kind: SecretProviderClass
-metadata:
-  name: matrix-synapse-oidc-config
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: matrix-synapse-oidc-config
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  provider: openbao
-  parameters:
-    baoAddress: "http://openbao-internal.openbao:8200"
-    roleName: matrix-synapse
-    objects: |
       - objectName: oidc.yaml
         fileName: oidc.yaml
         secretPath: secret/data/cl01tl/matrix-synapse/config
         secretKey: oidc.yaml
-
----
-apiVersion: secrets-store.csi.x-k8s.io/v1
-kind: SecretProviderClass
-metadata:
-  name: matrix-synapse-hookshot-config
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: matrix-synapse-hookshot-config
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  provider: openbao
-  parameters:
-    baoAddress: "http://openbao-internal.openbao:8200"
-    roleName: matrix-synapse
-    objects: |
       - objectName: hookshot-registration.yaml
         fileName: hookshot-registration.yaml
         secretPath: secret/data/cl01tl/matrix-synapse/hookshot
         secretKey: hookshot-registration.yaml
-
----
-apiVersion: secrets-store.csi.x-k8s.io/v1
-kind: SecretProviderClass
-metadata:
-  name: matrix-synapse-mautrix-discord-config
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: matrix-synapse-mautrix-discord-config
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  provider: openbao
-  parameters:
-    baoAddress: "http://openbao-internal.openbao:8200"
-    roleName: matrix-synapse
-    objects: |
       - objectName: mautrix-discord-registration.yaml
         fileName: mautrix-discord-registration.yaml
         secretPath: secret/data/cl01tl/matrix-synapse/mautrix-discord
         secretKey: mautrix-discord-registration.yaml
-
----
-apiVersion: secrets-store.csi.x-k8s.io/v1
-kind: SecretProviderClass
-metadata:
-  name: matrix-synapse-mautrix-whatsapp-config
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: matrix-synapse-mautrix-whatsapp-config
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  provider: openbao
-  parameters:
-    baoAddress: "http://openbao-internal.openbao:8200"
-    roleName: matrix-synapse
-    objects: |
       - objectName: mautrix-whatsapp-registration.yaml
         fileName: mautrix-whatsapp-registration.yaml
         secretPath: secret/data/cl01tl/matrix-synapse/mautrix-whatsapp
         secretKey: mautrix-whatsapp-registration.yaml
-
----
-apiVersion: secrets-store.csi.x-k8s.io/v1
-kind: SecretProviderClass
-metadata:
-  name: matrix-synapse-double-puppet-config
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: matrix-synapse-double-puppet-config
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  provider: openbao
-  parameters:
-    baoAddress: "http://openbao-internal.openbao:8200"
-    roleName: matrix-synapse
-    objects: |
       - objectName: double-puppet-registration.yaml
         fileName: double-puppet-registration.yaml
         secretPath: secret/data/cl01tl/matrix-synapse/double-puppet

clusters/cl01tl/helm/matrix-synapse/values.yaml

@@ -43,67 +43,11 @@ matrix-synapse:
           readOnly: true
           volumeAttributes:
             secretProviderClass: matrix-synapse-config
-      - name: oidc-config
-        csi:
-          driver: secrets-store.csi.k8s.io
-          readOnly: true
-          volumeAttributes:
-            secretProviderClass: matrix-synapse-oidc-config
-      - name: hookshot-config
-        csi:
-          driver: secrets-store.csi.k8s.io
-          readOnly: true
-          volumeAttributes:
-            secretProviderClass: matrix-synapse-hookshot-config
-      - name: mautrix-discord-config
-        csi:
-          driver: secrets-store.csi.k8s.io
-          readOnly: true
-          volumeAttributes:
-            secretProviderClass: matrix-synapse-mautrix-discord-config
-      - name: mautrix-whatsapp-config
-        csi:
-          driver: secrets-store.csi.k8s.io
-          readOnly: true
-          volumeAttributes:
-            secretProviderClass: matrix-synapse-mautrix-whatsapp-config
-      - name: double-puppet-config
-        csi:
-          driver: secrets-store.csi.k8s.io
-          readOnly: true
-          volumeAttributes:
-            secretProviderClass: matrix-synapse-double-puppet-config
     extraVolumeMounts:
       - name: config
-        mountPath: /synapse/config/conf.d/config.yaml
+        mountPath: /synapse/config/conf.d
         mountPropagation: None
         readOnly: true
-        subPath: config.yaml
-      - name: oidc-config
-        mountPath: /synapse/config/conf.d/oidc.yaml
-        mountPropagation: None
-        readOnly: true
-        subPath: oidc.yaml
-      - name: hookshot-config
-        mountPath: /synapse/config/conf.d/hookshot-registration.yaml
-        mountPropagation: None
-        readOnly: true
-        subPath: hookshot-registration.yaml
-      - name: mautrix-discord-config
-        mountPath: /synapse/config/conf.d/mautrix-discord-registration.yaml
-        mountPropagation: None
-        readOnly: true
-        subPath: mautrix-discord-registration.yaml
-      - name: mautrix-whatsapp-config
-        mountPath: /synapse/config/conf.d/mautrix-whatsapp-registration.yaml
-        mountPropagation: None
-        readOnly: true
-        subPath: mautrix-whatsapp-registration.yaml
-      - name: double-puppet-config
-        mountPath: /synapse/config/conf.d/double-puppet-registration.yaml
-        mountPropagation: None
-        readOnly: true
-        subPath: double-puppet-registration.yaml
     resources:
       requests:
         cpu: 10m
@@ -174,8 +118,6 @@ matrix-hookshot:
       type: deployment
       replicas: 1
       strategy: Recreate
-      serviceAccount:
-        name: matrix-synapse
       containers:
         main:
           image:

clusters/cl01tl/helm/ollama/values.yaml

@@ -127,7 +127,7 @@ ollama:
             - name: WEBUI_SECRET_KEY
               valueFrom:
                 secretKeyRef:
-                  name: open-webui-key
+                  name: ollama-key
                   key: key
             - name: DATABASE_URL
               valueFrom:

clusters/cl01tl/helm/openbao/Chart.yaml

@@ -19,7 +19,7 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: openbao
-    version: 0.27.2
+    version: 0.27.1
     repository: https://openbao.github.io/openbao-helm
   - name: app-template
     alias: unseal

clusters/cl01tl/helm/openbao/templates/external-secret.yaml

@@ -9,7 +9,7 @@ metadata:
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: openbao
+    name: vault
   data:
     - secretKey: AWS_ACCESS_KEY_ID
       remoteRef:
@@ -40,20 +40,24 @@ metadata:
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: openbao
+    name: vault
   data:
     - secretKey: ENVIRONMENT
       remoteRef:
         key: /cl01tl/openbao/unseal
-        property: environment
+        property: ENVIRONMENT
     - secretKey: NODES
       remoteRef:
         key: /cl01tl/openbao/unseal
-        property: nodes
+        property: NODES
     - secretKey: TOKENS
       remoteRef:
         key: /cl01tl/openbao/unseal
-        property: tokens-1
+        property: TOKENS_1
+    - secretKey: NOTIFY_QUEUE_URLS
+      remoteRef:
+        key: /cl01tl/openbao/unseal
+        property: NOTIFY_QUEUE_URLS
 
 ---
 apiVersion: external-secrets.io/v1
@@ -67,20 +71,24 @@ metadata:
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: openbao
+    name: vault
   data:
     - secretKey: ENVIRONMENT
       remoteRef:
         key: /cl01tl/openbao/unseal
-        property: environment
+        property: ENVIRONMENT
     - secretKey: NODES
       remoteRef:
         key: /cl01tl/openbao/unseal
-        property: nodes
+        property: NODES
     - secretKey: TOKENS
       remoteRef:
         key: /cl01tl/openbao/unseal
-        property: tokens-2
+        property: TOKENS_2
+    - secretKey: NOTIFY_QUEUE_URLS
+      remoteRef:
+        key: /cl01tl/openbao/unseal
+        property: NOTIFY_QUEUE_URLS
 
 ---
 apiVersion: external-secrets.io/v1
@@ -94,46 +102,61 @@ metadata:
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: openbao
+    name: vault
   data:
     - secretKey: ENVIRONMENT
       remoteRef:
         key: /cl01tl/openbao/unseal
-        property: environment
+        property: ENVIRONMENT
     - secretKey: NODES
       remoteRef:
         key: /cl01tl/openbao/unseal
-        property: nodes
+        property: NODES
     - secretKey: TOKENS
       remoteRef:
         key: /cl01tl/openbao/unseal
-        property: tokens-3
+        property: TOKENS_3
+    - secretKey: NOTIFY_QUEUE_URLS
+      remoteRef:
+        key: /cl01tl/openbao/unseal
+        property: NOTIFY_QUEUE_URLS
 
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: openbao-ntfy-unseal-config
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: openbao-ntfy-unseal-config
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: openbao
-  target:
-    template:
-      mergePolicy: Merge
-      engineVersion: v2
-      data:
-        NOTIFY_QUEUE_URLS: "{{ `{{ .endpoint }}` }}/{{ `{{ .topic }}` }}/?priority=4&tags=vault,unseal&title=Vault+Unsealed"
-  data:
-    - secretKey: endpoint
-      remoteRef:
-        key: /cl01tl/ntfy/users/cl01tl
-        property: internal-endpoint-credential
-    - secretKey: topic
-      remoteRef:
-        key: /cl01tl/ntfy/topics
-        property: openbao
+# ---
+# apiVersion: external-secrets.io/v1
+# kind: ExternalSecret
+# metadata:
+#   name: openbao-token
+#   namespace: {{ .Release.Namespace }}
+#   labels:
+#     app.kubernetes.io/name: openbao-token
+#     app.kubernetes.io/instance: {{ .Release.Name }}
+#     app.kubernetes.io/part-of: {{ .Release.Name }}
+# spec:
+#   secretStoreRef:
+#     kind: ClusterSecretStore
+#     name: openbao
+#   data:
+#     - secretKey: token
+#       remoteRef:
+#         key: /cl01tl/openbao/token
+#         property: token
+#     - secretKey: unseal_key_1
+#       remoteRef:
+#         key: /cl01tl/openbao/token
+#         property: unseal_key_1
+#     - secretKey: unseal_key_2
+#       remoteRef:
+#         key: /cl01tl/openbao/token
+#         property: unseal_key_2
+#     - secretKey: unseal_key_3
+#       remoteRef:
+#         key: /cl01tl/openbao/token
+#         property: unseal_key_3
+#     - secretKey: unseal_key_4
+#       remoteRef:
+#         key: /cl01tl/openbao/token
+#         property: unseal_key_4
+#     - secretKey: unseal_key_5
+#       remoteRef:
+#         key: /cl01tl/openbao/token
+#         property: unseal_key_5

clusters/cl01tl/helm/openbao/values.yaml

@@ -160,8 +160,6 @@ unseal:
           envFrom:
             - secretRef:
                 name: openbao-unseal-config-1
-            - secretRef:
-                name: openbao-ntfy-unseal-config
           resources:
             requests:
               cpu: 1m
@@ -178,8 +176,6 @@ unseal:
           envFrom:
             - secretRef:
                 name: openbao-unseal-config-2
-            - secretRef:
-                name: openbao-ntfy-unseal-config
           resources:
             requests:
               cpu: 1m
@@ -196,8 +192,6 @@ unseal:
           envFrom:
             - secretRef:
                 name: openbao-unseal-config-3
-            - secretRef:
-                name: openbao-ntfy-unseal-config
           resources:
             requests:
               cpu: 1m

clusters/cl01tl/helm/paperless-ngx/templates/external-secret.yaml

@@ -55,5 +55,5 @@ spec:
   data:
     - secretKey: PAPERLESS_SOCIALACCOUNT_PROVIDERS
       remoteRef:
-        key: /cl01tl/authentik/oidc/paperless-ngx
+        key: /authentik/oidc/paperless-ngx
         property: PAPERLESS_SOCIALACCOUNT_PROVIDERS

clusters/cl01tl/helm/qbittorrent/values.yaml

@@ -71,9 +71,9 @@ qbittorrent:
                   name: protonvpn-wireguard-conf
                   key: private-key
             - name: FIREWALL_OUTBOUND_SUBNETS
-              value: 192.168.1.0/24,10.0.0.0/8
+              value: 192.168.1.0/24,10.244.0.0/16
             - name: FIREWALL_INPUT_PORTS
-              value: 8080,9022
+              value: 5030,50300
             - name: VPN_PORT_FORWARDING
               value: 'on'
             - name: VPN_PORT_FORWARDING_UP_COMMAND

clusters/cl01tl/helm/rclone/templates/external-secret.yaml

@@ -44,7 +44,7 @@ metadata:
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: openbao
+    name: vault
   data:
     - secretKey: ACCESS_KEY_ID
       remoteRef:
@@ -79,7 +79,7 @@ metadata:
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: openbao
+    name: vault
   data:
     - secretKey: ACCESS_KEY_ID
       remoteRef:
@@ -114,7 +114,7 @@ metadata:
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: openbao
+    name: vault
   data:
     - secretKey: ACCESS_KEY_ID
       remoteRef:
@@ -149,7 +149,7 @@ metadata:
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: openbao
+    name: vault
   data:
     - secretKey: ACCESS_KEY_ID
       remoteRef:
@@ -184,7 +184,7 @@ metadata:
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: openbao
+    name: vault
   data:
     - secretKey: ACCESS_KEY_ID
       remoteRef:

clusters/cl01tl/helm/searxng/templates/external-secret.yaml

@@ -9,7 +9,7 @@ metadata:
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: openbao
+    name: vault
   data:
     - secretKey: metrics-password
       remoteRef:

clusters/cl01tl/helm/slskd/values.yaml

@@ -73,7 +73,7 @@ slskd:
                   name: protonvpn-wireguard-conf
                   key: private-key
             - name: FIREWALL_OUTBOUND_SUBNETS
-              value: 192.168.1.0/24,10.0.0.0/8
+              value: 192.168.1.0/24,10.244.0.0/16
             - name: FIREWALL_INPUT_PORTS
               value: 5030,50300
             - name: DNS_UPSTREAM_RESOLVER_TYPE

clusters/cl01tl/helm/tubearchivist/values.yaml

@@ -62,7 +62,7 @@ tubearchivist:
                   name: protonvpn-wireguard-conf
                   key: private-key
             - name: FIREWALL_OUTBOUND_SUBNETS
-              value: 192.168.1.0/24,10.0.0.0/8
+              value: 192.168.1.0/24,10.244.0.0/16
             - name: FIREWALL_INPUT_PORTS
               value: 80,8000,24000
             - name: DNS_UPSTREAM_RESOLVER_TYPE

clusters/cl01tl/helm/vault/Chart.yaml

@@ -31,4 +31,4 @@ dependencies:
     version: 4.6.2
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/hashicorp-vault.png
 # renovate: datasource=github-releases depName=hashicorp/vault
-appVersion: 2.0.0
+appVersion: 1.21.4

clusters/cl01tl/helm/vault/templates/external-secret.yaml

@@ -1,24 +1,5 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
-metadata:
-  name: vault-token
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: vault-token
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: openbao
-  data:
-    - secretKey: token
-      remoteRef:
-        key: /cl01tl/vault/token
-        property: root
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
 metadata:
   name: vault-snapshot-agent-role
   namespace: {{ .Release.Namespace }}
@@ -93,7 +74,7 @@ spec:
   data:
     - secretKey: BUCKET
       remoteRef:
-        key: /digital-ocean/home-infra/vault-backups
+        key: /digital-ocean/home-infra/vault-backup
         property: BUCKET_PATH
 
 ---
@@ -193,12 +174,12 @@ spec:
   data:
     - secretKey: NTFY_TOKEN
       remoteRef:
-        key: /cl01tl/ntfy/users/cl01tl
+        key: /ntfy/user/cl01tl
         property: token
     - secretKey: NTFY_ENDPOINT
       remoteRef:
-        key: /cl01tl/ntfy/config
-        property: internal-endpoint
+        key: /ntfy/user/cl01tl
+        property: endpoint
     - secretKey: NTFY_TOPIC
       remoteRef:
         key: /cl01tl/ntfy/topics

clusters/cl01tl/helm/vault/values.yaml

@@ -8,7 +8,7 @@ vault:
     enabled: true
     image:
       repository: hashicorp/vault
-      tag: 2.0.0@sha256:e40c741ed95bb271425e3e6ca6c222d620cf8682f6f7a1b1e7c9d49d0aba484b
+      tag: 1.21.4@sha256:4e33b126a59c0c333b76fb4e894722462659a6bec7c48c9ee8cea56fccfd2569
     updateStrategyType: RollingUpdate
     logLevel: debug
     logFormat: standard
@@ -111,7 +111,7 @@ snapshot:
         snapshot:
           image:
             repository: hashicorp/vault
-            tag: 2.0.0@sha256:e40c741ed95bb271425e3e6ca6c222d620cf8682f6f7a1b1e7c9d49d0aba484b
+            tag: 1.21.4@sha256:4e33b126a59c0c333b76fb4e894722462659a6bec7c48c9ee8cea56fccfd2569
           command:
             - /bin/ash
           args:

clusters/cl01tl/helm/yamtrack/templates/external-secret.yaml

@@ -14,7 +14,7 @@ spec:
     - secretKey: SECRET
       remoteRef:
         key: /cl01tl/yamtrack/config
-        property: secret
+        property: SECRET
 
 ---
 apiVersion: external-secrets.io/v1