2026-04-24 01:47:20 +00:00
14 changed files with 53 additions and 31 deletions
--- a/clusters/cl01tl/manifests/grimmory/Deployment-grimmory.yaml
+++ b/clusters/cl01tl/manifests/grimmory/Deployment-grimmory.yaml
@@ -52,7 +52,7 @@ spec:
              valueFrom:
                secretKeyRef:
                  key: password
-                  name: grimmory-database-config
+                  name: grimmory-database-secret
            - name: GRIMMORY_PORT
              value: "6060"
            - name: SWAGGER_ENABLED
--- a/clusters/cl01tl/manifests/grimmory/ExternalSecret-grimmory-database-secret.yaml
+++ b/clusters/cl01tl/manifests/grimmory/ExternalSecret-grimmory-database-secret.yaml
@@ -1,10 +1,10 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: grimmory-database-config
+  name: grimmory-database-secret
  namespace: grimmory
  labels:
-    app.kubernetes.io/name: grimmory-database-config
+    app.kubernetes.io/name: grimmory-database-secret
    app.kubernetes.io/instance: grimmory
    app.kubernetes.io/part-of: grimmory
 spec:
--- a/clusters/cl01tl/manifests/grimmory/ExternalSecret-grimmory-mariadb-cluster-backup-secret-external.yaml
+++ b/clusters/cl01tl/manifests/grimmory/ExternalSecret-grimmory-mariadb-cluster-backup-secret-external.yaml
@@ -15,8 +15,8 @@ spec:
    - secretKey: access
      remoteRef:
        key: /digital-ocean/home-infra/mariadb-backups
-        property: access
+        property: AWS_ACCESS_KEY_ID
    - secretKey: secret
      remoteRef:
        key: /digital-ocean/home-infra/mariadb-backups
-        property: secret
+        property: AWS_SECRET_ACCESS_KEY
--- a/clusters/cl01tl/manifests/grimmory/MariaDB-grimmory-mariadb-cluster.yaml
+++ b/clusters/cl01tl/manifests/grimmory/MariaDB-grimmory-mariadb-cluster.yaml
@@ -31,6 +31,6 @@ spec:
  rootPasswordSecretKeyRef:
    generate: false
    key: password
-    name: grimmory-database-config
+    name: grimmory-database-secret
  storage:
    size: 5Gi
--- a/clusters/cl01tl/manifests/matrix-synapse/Deployment-matrix-hookshot.yaml
+++ b/clusters/cl01tl/manifests/matrix-synapse/Deployment-matrix-hookshot.yaml
@@ -27,7 +27,7 @@ spec:
        app.kubernetes.io/name: matrix-hookshot
    spec:
      enableServiceLinks: false
-      serviceAccountName: default
+      serviceAccountName: matrix-synapse
      automountServiceAccountToken: true
      hostIPC: false
      hostNetwork: false
--- a/clusters/cl01tl/manifests/openbao/Deployment-openbao-unseal-unseal-1.yaml
+++ b/clusters/cl01tl/manifests/openbao/Deployment-openbao-unseal-unseal-1.yaml
@@ -37,6 +37,8 @@ spec:
        - envFrom:
            - secretRef:
                name: openbao-unseal-config-1
+            - secretRef:
+                name: openbao-ntfy-unseal-config
          image: ghcr.io/lrstanley/vault-unseal:1.0.0@sha256:9b936fadc8dea2a473972806bffc218a4dd2fbc3b373566138a60e058cc544aa
          name: main
          resources:
--- a/clusters/cl01tl/manifests/openbao/Deployment-openbao-unseal-unseal-2.yaml
+++ b/clusters/cl01tl/manifests/openbao/Deployment-openbao-unseal-unseal-2.yaml
@@ -37,6 +37,8 @@ spec:
        - envFrom:
            - secretRef:
                name: openbao-unseal-config-2
+            - secretRef:
+                name: openbao-ntfy-unseal-config
          image: ghcr.io/lrstanley/vault-unseal:1.0.0@sha256:9b936fadc8dea2a473972806bffc218a4dd2fbc3b373566138a60e058cc544aa
          name: main
          resources:
--- a/clusters/cl01tl/manifests/openbao/Deployment-openbao-unseal-unseal-3.yaml
+++ b/clusters/cl01tl/manifests/openbao/Deployment-openbao-unseal-unseal-3.yaml
@@ -37,6 +37,8 @@ spec:
        - envFrom:
            - secretRef:
                name: openbao-unseal-config-3
+            - secretRef:
+                name: openbao-ntfy-unseal-config
          image: ghcr.io/lrstanley/vault-unseal:1.0.0@sha256:9b936fadc8dea2a473972806bffc218a4dd2fbc3b373566138a60e058cc544aa
          name: main
          resources:
--- a/clusters/cl01tl/manifests/openbao/ExternalSecret-openbao-ntfy-unseal-config.yaml
+++ b/clusters/cl01tl/manifests/openbao/ExternalSecret-openbao-ntfy-unseal-config.yaml
@@ -0,0 +1,28 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: openbao-ntfy-unseal-config
+  namespace: openbao
+  labels:
+    app.kubernetes.io/name: openbao-ntfy-unseal-config
+    app.kubernetes.io/instance: openbao
+    app.kubernetes.io/part-of: openbao
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: openbao
+  target:
+    template:
+      mergePolicy: Merge
+      engineVersion: v2
+      data:
+        NOTIFY_QUEUE_URLS: "{{ .endpoint }}/{{ .topic }}/?priority=4&tags=vault,unseal&title=Vault+Unsealed"
+  data:
+    - secretKey: endpoint
+      remoteRef:
+        key: /cl01tl/ntfy/users/cl01tl
+        property: internal-endpoint-credential
+    - secretKey: topic
+      remoteRef:
+        key: /cl01tl/ntfy/topics
+        property: openbao
--- a/clusters/cl01tl/manifests/openbao/ExternalSecret-openbao-unseal-config-1.yaml
+++ b/clusters/cl01tl/manifests/openbao/ExternalSecret-openbao-unseal-config-1.yaml
@@ -15,16 +15,12 @@ spec:
    - secretKey: ENVIRONMENT
      remoteRef:
        key: /cl01tl/openbao/unseal
-        property: ENVIRONMENT
+        property: environment
    - secretKey: NODES
      remoteRef:
        key: /cl01tl/openbao/unseal
-        property: NODES
+        property: nodes
    - secretKey: TOKENS
      remoteRef:
        key: /cl01tl/openbao/unseal
-        property: TOKENS_1
-    - secretKey: NOTIFY_QUEUE_URLS
-      remoteRef:
-        key: /cl01tl/openbao/unseal
-        property: NOTIFY_QUEUE_URLS
+        property: tokens-1
--- a/clusters/cl01tl/manifests/openbao/ExternalSecret-openbao-unseal-config-2.yaml
+++ b/clusters/cl01tl/manifests/openbao/ExternalSecret-openbao-unseal-config-2.yaml
@@ -15,16 +15,12 @@ spec:
    - secretKey: ENVIRONMENT
      remoteRef:
        key: /cl01tl/openbao/unseal
-        property: ENVIRONMENT
+        property: environment
    - secretKey: NODES
      remoteRef:
        key: /cl01tl/openbao/unseal
-        property: NODES
+        property: nodes
    - secretKey: TOKENS
      remoteRef:
        key: /cl01tl/openbao/unseal
-        property: TOKENS_2
-    - secretKey: NOTIFY_QUEUE_URLS
-      remoteRef:
-        key: /cl01tl/openbao/unseal
-        property: NOTIFY_QUEUE_URLS
+        property: tokens-2
--- a/clusters/cl01tl/manifests/openbao/ExternalSecret-openbao-unseal-config-3.yaml
+++ b/clusters/cl01tl/manifests/openbao/ExternalSecret-openbao-unseal-config-3.yaml
@@ -15,16 +15,12 @@ spec:
    - secretKey: ENVIRONMENT
      remoteRef:
        key: /cl01tl/openbao/unseal
-        property: ENVIRONMENT
+        property: environment
    - secretKey: NODES
      remoteRef:
        key: /cl01tl/openbao/unseal
-        property: NODES
+        property: nodes
    - secretKey: TOKENS
      remoteRef:
        key: /cl01tl/openbao/unseal
-        property: TOKENS_3
-    - secretKey: NOTIFY_QUEUE_URLS
-      remoteRef:
-        key: /cl01tl/openbao/unseal
-        property: NOTIFY_QUEUE_URLS
+        property: tokens-3
--- a/clusters/cl01tl/manifests/vault/ExternalSecret-vault-backup-external-config.yaml
+++ b/clusters/cl01tl/manifests/vault/ExternalSecret-vault-backup-external-config.yaml
@@ -14,5 +14,5 @@ spec:
  data:
    - secretKey: BUCKET
      remoteRef:
-        key: /digital-ocean/home-infra/vault-backup
+        key: /digital-ocean/home-infra/vault-backups
        property: BUCKET_PATH
--- a/clusters/cl01tl/manifests/vault/ExternalSecret-vault-ntfy-config.yaml
+++ b/clusters/cl01tl/manifests/vault/ExternalSecret-vault-ntfy-config.yaml
@@ -18,8 +18,8 @@ spec:
        property: token
    - secretKey: NTFY_ENDPOINT
      remoteRef:
-        key: /cl01tl/ntfy/users/cl01tl
-        property: endpoint
+        key: /cl01tl/ntfy/config
+        property: internal-endpoint
    - secretKey: NTFY_TOPIC
      remoteRef:
        key: /cl01tl/ntfy/topics