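# Helm template: ExternalSecret resources (external-secrets.io/v1) for the
# vault release. Every object reads from the ClusterSecretStore named
# "openbao" and is created in the release namespace. No spec.target.name is
# set, so each resulting Secret takes the name of its ExternalSecret, and no
# refreshInterval is set, so the operator default applies.
#
# The namespace is passed through `quote` so that a namespace consisting only
# of digits still renders as a YAML string.
#
# NOTE(review): every Secret below lands in one namespace. Anything with
# get/list on Secrets there can read all of them; confirm RBAC is scoped to
# the workloads that need each one.
---
# Maps property "root" of /cl01tl/vault/token to the Secret key "token".
# NOTE(review): the property name suggests a root token. If so, this Secret
# carries whatever that token can do; confirm a narrower, policy-scoped token
# would not be enough for the consumer.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: vault-token
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app.kubernetes.io/name: vault-token
    {{- include "custom.labels" . | nindent 4 }}
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: openbao
  data:
    - secretKey: token
      remoteRef:
        key: /cl01tl/vault/token
        property: root
---
# AppRole credentials for the snapshot role. The role-id and the secret-id are
# both written to the same Secret, so reading it yields the complete login
# pair.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: vault-snapshot-agent-role
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app.kubernetes.io/name: vault-snapshot-agent-role
    {{- include "custom.labels" . | nindent 4 }}
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: openbao
  data:
    - secretKey: VAULT_APPROLE_ROLE_ID
      remoteRef:
        key: /cl01tl/vault/role/snapshot
        property: role-id
    - secretKey: VAULT_APPROLE_SECRET_ID
      remoteRef:
        key: /cl01tl/vault/role/snapshot
        property: secret-id
---
# Backup bucket path for the "local" target.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: vault-backup-local-config
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app.kubernetes.io/name: vault-backup-local-config
    {{- include "custom.labels" . | nindent 4 }}
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: openbao
  data:
    - secretKey: BUCKET
      remoteRef:
        key: /garage/home-infra/vault-backups
        property: BUCKET_PATH
---
# Backup bucket path for the "remote" target.
# NOTE(review): the remoteRef is identical to vault-backup-local-config (same
# key and property), so both Secrets hold the same value. Confirm this is
# intended and not a copy-paste slip; if the two targets resolve to one
# bucket, the backups are not independent copies.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: vault-backup-remote-config
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app.kubernetes.io/name: vault-backup-remote-config
    {{- include "custom.labels" . | nindent 4 }}
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: openbao
  data:
    - secretKey: BUCKET
      remoteRef:
        key: /garage/home-infra/vault-backups
        property: BUCKET_PATH
---
# Backup bucket path for the "external" target (read from the digital-ocean
# path).
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: vault-backup-external-config
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app.kubernetes.io/name: vault-backup-external-config
    {{- include "custom.labels" . | nindent 4 }}
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: openbao
  data:
    - secretKey: BUCKET
      remoteRef:
        key: /digital-ocean/home-infra/vault-backups
        property: BUCKET_PATH
---
# Unseal configuration, set 1 of 3. The three vault-unseal-config-N objects
# differ only in the TOKENS property (tokens-1, tokens-2, tokens-3).
# NOTE(review): TOKENS presumably holds unseal key material. All three sets
# come from the same store path and land in the same namespace, so one
# principal with Secret read access there gets every set; confirm that this
# matches the intended key split.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: vault-unseal-config-1
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app.kubernetes.io/name: vault-unseal-config-1
    {{- include "custom.labels" . | nindent 4 }}
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: openbao
  data:
    - secretKey: ENVIRONMENT
      remoteRef:
        key: /cl01tl/vault/unseal
        property: environment
    - secretKey: NODES
      remoteRef:
        key: /cl01tl/vault/unseal
        property: nodes
    - secretKey: TOKENS
      remoteRef:
        key: /cl01tl/vault/unseal
        property: tokens-1
---
# Unseal configuration, set 2 of 3 (TOKENS from property tokens-2).
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: vault-unseal-config-2
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app.kubernetes.io/name: vault-unseal-config-2
    {{- include "custom.labels" . | nindent 4 }}
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: openbao
  data:
    - secretKey: ENVIRONMENT
      remoteRef:
        key: /cl01tl/vault/unseal
        property: environment
    - secretKey: NODES
      remoteRef:
        key: /cl01tl/vault/unseal
        property: nodes
    - secretKey: TOKENS
      remoteRef:
        key: /cl01tl/vault/unseal
        property: tokens-2
---
# Unseal configuration, set 3 of 3 (TOKENS from property tokens-3).
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: vault-unseal-config-3
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app.kubernetes.io/name: vault-unseal-config-3
    {{- include "custom.labels" . | nindent 4 }}
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: openbao
  data:
    - secretKey: ENVIRONMENT
      remoteRef:
        key: /cl01tl/vault/unseal
        property: environment
    - secretKey: NODES
      remoteRef:
        key: /cl01tl/vault/unseal
        property: nodes
    - secretKey: TOKENS
      remoteRef:
        key: /cl01tl/vault/unseal
        property: tokens-3
---
# ntfy settings (token, internal endpoint, topic) exposed as three plain keys.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: vault-ntfy-config
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app.kubernetes.io/name: vault-ntfy-config
    {{- include "custom.labels" . | nindent 4 }}
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: openbao
  data:
    - secretKey: NTFY_TOKEN
      remoteRef:
        key: /cl01tl/ntfy/users/cl01tl
        property: token
    - secretKey: NTFY_ENDPOINT
      remoteRef:
        key: /cl01tl/ntfy/config
        property: internal-endpoint
    - secretKey: NTFY_TOPIC
      remoteRef:
        key: /cl01tl/ntfy/topics
        property: vault
---
# Builds NOTIFY_QUEUE_URLS from the fetched "endpoint" and "topic" values.
# The inner template actions are wrapped in backticks so Helm emits them
# literally and the External Secrets template engine (engineVersion v2)
# evaluates them when the Secret is synced.
# With mergePolicy Merge the fetched "endpoint" and "topic" keys are kept in
# the Secret next to the templated key.
# NOTE(review): "endpoint" is read from property internal-endpoint-credential,
# so the rendered URL presumably embeds a credential. Treat NOTIFY_QUEUE_URLS
# as secret: keep it out of logs, command lines and error messages of the
# consumer.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: vault-ntfy-unseal-config
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app.kubernetes.io/name: vault-ntfy-unseal-config
    {{- include "custom.labels" . | nindent 4 }}
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: openbao
  target:
    template:
      mergePolicy: Merge
      engineVersion: v2
      data:
        NOTIFY_QUEUE_URLS: "{{ `{{ .endpoint }}` }}/{{ `{{ .topic }}` }}/?priority=4&tags=vault,unseal&title=Vault+Unsealed"
  data:
    - secretKey: endpoint
      remoteRef:
        key: /cl01tl/ntfy/users/cl01tl
        property: internal-endpoint-credential
    - secretKey: topic
      remoteRef:
        key: /cl01tl/ntfy/topics
        property: vault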