Update sops and config

2025-01-26 14:29:03 +00:00
parent b0ba3483b3
commit 5ba5131dd6
5 changed files with 21 additions and 54 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -5,4 +5,4 @@ creation_rules:
    # kairos
    age: >-
      age1ntfcrf5fz43da6k9h4um06u8mejjsqg005jm6rwmt9wff949s58qqwx8tv,
-      age1uet38mkyg2uacft9tzdfuql6y5vf9d97h4dvfq2fm5gew7rz4usqm3a7tf
+      age1zm48vge8cpu8jwpxqc0tpgrwjqee0amhpmrla0dl8vzh08efu4fqwwcqax
--- a/apps/gluetun/secret.yaml
+++ b/apps/gluetun/secret.yaml
@@ -19,20 +19,20 @@ sops:
        - recipient: age1ntfcrf5fz43da6k9h4um06u8mejjsqg005jm6rwmt9wff949s58qqwx8tv
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYeHdxWFFlOFZ2d0VwQnJR
-            dVB6Qk9WSm1ERXlsSFFRazRWVlpIRC8xU1RnCjMyVGpRMUZ4clBwazVLY0FZRDlV
-            OE8xQnVwQnVSSkkxcWt5RUFCUmtubFUKLS0tIHdxS242Yjg3SGoybU1jV0VxNzY3
-            c1ZHNk1RSTdNMUt4SjBqa2NZNmtLVzQKVXmBSA2HTwWLYU4/LAw4FLTacCS4IJKN
-            SWexKEcxg4bBuMP+GZauhZY5RSK+7IDdshJkXll3TP0iM6ztt6gvXA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkc2Z0Qm0yUDczYVN1b2Y3
+            TTFJSSt3Ry9tOUpmM3o1ajdPZThVYXBpZFhzCjRKQ1R0OU1qMHdEV1NXTlE1VzR2
+            VTNKaytmR0ZpbCtiRnRkVFhxTm4yckUKLS0tIEtXcXV3V21FSW04azNyNzZwRGls
+            Y3JsOFZMWVVlN0Y4SURDZ0k2L3VPaDQKvKWVSM8XXEt+rhboqm/p/tSO2Gf7SAUw
+            T2dUdoIeB/Lpx0+4bD9yRXydsCNcp5RxyQ/8bqc5VRgVta1Jl+g9AA==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1uet38mkyg2uacft9tzdfuql6y5vf9d97h4dvfq2fm5gew7rz4usqm3a7tf
+        - recipient: age1zm48vge8cpu8jwpxqc0tpgrwjqee0amhpmrla0dl8vzh08efu4fqwwcqax
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByYzh1MzhidDJhVkx3R3dJ
-            LzJ3R1VGN1hsbjBkMmo0TGY5REFSQ0s4Vng0CmhGL3FsTm01eUttSUpORkdZT1c4
-            TitCNzNYcGxtdkM5SUFLcW5QQ0NxOGcKLS0tIG8zVWlMZEZRVHdtSExaUUFxdHdy
-            MjJseVM2R2FWM1ZKZjY4azNpaUZva3MKa6NxII3XcJVIhUyzn9aPWs2cLT/YBUR2
-            OjCmnosYznV+DxjKeTuXgMK+spvz7WbBzUkcCPTgB9I/NPnuDpDrJA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHb2FSa1d2L0JGbDlyRlp1
+            ejZUU082emppOTRlaU1nSVZmVHBOSWV5SHhnCmlpZFV1cnRsME4wdVhvSjJZT0J5
+            QWJCTVgxSnowSXFBV3RrR3RtaUhuZmcKLS0tIDFuaXl3NjZBNUhNSEN6Z2hZN2xq
+            ZDV4bU5VaU9EczhubVlLUTFhQWREaXMKNqUwgOhAu++if1cdGyMRZaGjfjoSxa8L
+            ZBcKsKlb0btyoCNuZkLQizkmNVe+HnKSfXGq5hce6ADr62+fEVaNlA==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-01-24T20:18:44Z"
    mac: ENC[AES256_GCM,data:cqLdb0hR4KUyxZpkXoezREg5+pLxiD080+AIMKDe4uT8MxNRdBfj7d+e9reCbi4Ev9Z1Os3Ds2B/IaS5xIbiS5xm9b1FhIoOogJkIKY3YbkU2ifnvtrddQua9S3X0/JD/fJ6Dp4OFsS6cIWccahdR9plbMTXW5Ex/MZdiId6oUU=,iv:CDpY2i6QMyvvenGlxvdYYtf4p5RVd/ALndxlDnk/7cQ=,tag:IF7DmCc0tMsLTaIub+c2hQ==,type:str]
--- a/apps/sonarr/deployment.yaml
+++ b/apps/sonarr/deployment.yaml
@@ -24,6 +24,7 @@ spec:
          name: gluetun
          imagePullPolicy: Always
          securityContext:
+            privileged: true
            capabilities:
              add: ["NET_ADMIN"]
          ports:
--- a/kairos-config.yaml
+++ b/kairos-config.yaml
@@ -2,11 +2,10 @@

 install:
  poweroff: true
-  image: "docker:gitea.home.joemonk.co.uk/joe/kairos-custom:3"
+  image: quay.io/kairos/debian:bookworm-standard-amd64-generic-v3.3.0-k3sv1.32.0-k3s1

 reset:
  reboot: true
-
  reset-persistent: true
  reset-oem: true

@@ -33,36 +32,3 @@ stages:
    dns:
      nameservers:
      - 192.168.1.1
-  - name: "Set samba config"
-    files:
-    - path: /etc/samba/smb.conf
-      permissions: 0644
-      owner: 0
-      group: 0
-      content: |
-        [global]
-          workgroup = WORKGROUP
-          server role = standalone server
-          map to guest = bad user
-
-        ####### Share Definitions #######
-        [data]
-          comment = Kairos File Server Share
-          path = /usr/local
-          browseable = yes
-          writeable = yes
-          read only = no
-          guest ok = yes
-          force user = root
-          force group = root
-          public = yes
-
-          create mask = 777
-          force create mode = 777
-          security mask = 777
-          force security mode = 777
-
-          directory mask = 0777
-          force directory mode = 0777
-          directory security mask = 0777
-          force directory security mode = 0777
--- a/readme.md
+++ b/readme.md
@@ -12,6 +12,8 @@
  The main things we're looking for are the latest debian, standard, amd64, then the versions of kairos (v3.1.1) and k3s (1.30.2).
 - Burn to usb
 - Boot from usb, live install and go to the config webui
+  - If doing the firebat and it doesn't boot into bios or the drive, in grub press `c` then type `fwsetup` to reboot into bios
+  - Rufus struggles with the image, Ventoy worked perfectly using the live image launch
 - Add the public keys to the config (from ~/.ssh - `ssh-keygen -t ed25519 -C "joemonk@hotmail.co.uk"`)
 - Update the image at https://gitea.home.joemonk.co.uk/joe/kairos-custom to the latest kairos image and build it
 - Update the image in the kairos-config to reflect that build
@@ -59,13 +61,11 @@ kubectl create secret generic sops-age \
 --from-file=age.agekey=/dev/stdin
 ```

-Update the encryption with `sops updatekeys`, then delete age.agekey.
+Delete age.agekey after sending it to the cluster.  
+Then update the encryption with `sops updatekeys -y apps/gluetun/secret.yaml`.

-TODO - This doesn't appear to work as expected, need to do:
-  - `sops updatekeys -y apps/gluetun/secret.yaml`
-
-This should work but is untested (in fish)  
-`for file in $(grep -lr "sops:"); sops updatekeys -y $file; end`
+In fish you can updatekeys in every secret   
+`for file in $(grep --include="*.yaml" -lr "sops:"); sops updatekeys -y $file; end`

 ### Using sops