From 48f6f5e1b5960a67afb44493703135c8221753ac Mon Sep 17 00:00:00 2001
From: Michael Thomson <michael@michaelthomson.dev>
Date: Wed, 17 Dec 2025 14:21:48 -0500
Subject: [PATCH] sops decryption on all kustomizations

---
 bootstrap/apps/kustomization-actual.yaml                | 4 ++++
 bootstrap/apps/kustomization-authentik.yaml             | 4 ++++
 bootstrap/apps/kustomization-baikal.yaml                | 4 ++++
 bootstrap/apps/kustomization-booklore.yaml              | 2 ++
 bootstrap/apps/kustomization-gitea.yaml                 | 4 ++++
 bootstrap/apps/kustomization-homeassistant.yaml         | 4 ++++
 bootstrap/apps/kustomization-immich.yaml                | 4 ++++
 bootstrap/apps/kustomization-karakeep.yaml              | 4 ++++
 bootstrap/apps/kustomization-kube-prometheus-stack.yaml | 4 ++++
 bootstrap/apps/kustomization-media.yaml                 | 4 ++++
 bootstrap/apps/kustomization-michaelthomson.yaml        | 4 ++++
 bootstrap/apps/kustomization-minecraft.yaml             | 4 ++++
 bootstrap/apps/kustomization-nextcloud.yaml             | 4 ++++
 bootstrap/apps/kustomization-ntfy.yaml                  | 4 ++++
 bootstrap/apps/kustomization-pihole.yaml                | 4 ++++
 bootstrap/apps/kustomization-stirling-pdf.yaml          | 4 ++++
 bootstrap/apps/kustomization-syncthing.yaml             | 4 ++++
 bootstrap/apps/kustomization-uptime-kuma.yaml           | 4 ++++
 bootstrap/apps/kustomization-vaultwarden.yaml           | 4 ++++
 bootstrap/apps/kustomization-wg-easy.yaml               | 4 ++++
 bootstrap/infrastructure/infra-configs.yaml             | 4 ++++
 bootstrap/infrastructure/infra-controllers.yaml         | 4 ++++
 bootstrap/infrastructure/infra-crds.yaml                | 4 ++++
 23 files changed, 90 insertions(+)

diff --git a/bootstrap/apps/kustomization-actual.yaml b/bootstrap/apps/kustomization-actual.yaml
index 805fdea..88917cb 100644
--- a/bootstrap/apps/kustomization-actual.yaml
+++ b/bootstrap/apps/kustomization-actual.yaml
@@ -11,5 +11,9 @@ spec:
   sourceRef:
     kind: GitRepository
     name: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
   dependsOn:
     - name: infra-configs
diff --git a/bootstrap/apps/kustomization-authentik.yaml b/bootstrap/apps/kustomization-authentik.yaml
index d1aeefb..7a78795 100644
--- a/bootstrap/apps/kustomization-authentik.yaml
+++ b/bootstrap/apps/kustomization-authentik.yaml
@@ -11,5 +11,9 @@ spec:
   sourceRef:
     kind: GitRepository
     name: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
   dependsOn:
     - name: infra-configs
diff --git a/bootstrap/apps/kustomization-baikal.yaml b/bootstrap/apps/kustomization-baikal.yaml
index c57fc54..bf71371 100644
--- a/bootstrap/apps/kustomization-baikal.yaml
+++ b/bootstrap/apps/kustomization-baikal.yaml
@@ -11,5 +11,9 @@ spec:
   sourceRef:
     kind: GitRepository
     name: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
   dependsOn:
     - name: infra-configs
diff --git a/bootstrap/apps/kustomization-booklore.yaml b/bootstrap/apps/kustomization-booklore.yaml
index 36bcea3..40a9f19 100644
--- a/bootstrap/apps/kustomization-booklore.yaml
+++ b/bootstrap/apps/kustomization-booklore.yaml
@@ -13,5 +13,7 @@ spec:
     name: flux-system
   decryption:
     provider: sops
+    secretRef:
+      name: sops-age
   dependsOn:
     - name: infra-configs
diff --git a/bootstrap/apps/kustomization-gitea.yaml b/bootstrap/apps/kustomization-gitea.yaml
index 4e922cd..1bbbbb8 100644
--- a/bootstrap/apps/kustomization-gitea.yaml
+++ b/bootstrap/apps/kustomization-gitea.yaml
@@ -11,5 +11,9 @@ spec:
   sourceRef:
     kind: GitRepository
     name: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
   dependsOn:
     - name: infra-configs
diff --git a/bootstrap/apps/kustomization-homeassistant.yaml b/bootstrap/apps/kustomization-homeassistant.yaml
index b043ba2..c595e55 100644
--- a/bootstrap/apps/kustomization-homeassistant.yaml
+++ b/bootstrap/apps/kustomization-homeassistant.yaml
@@ -11,5 +11,9 @@ spec:
   sourceRef:
     kind: GitRepository
     name: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
   dependsOn:
     - name: infra-configs
diff --git a/bootstrap/apps/kustomization-immich.yaml b/bootstrap/apps/kustomization-immich.yaml
index 1a57a07..16edf92 100644
--- a/bootstrap/apps/kustomization-immich.yaml
+++ b/bootstrap/apps/kustomization-immich.yaml
@@ -11,5 +11,9 @@ spec:
   sourceRef:
     kind: GitRepository
     name: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
   dependsOn:
     - name: infra-configs
diff --git a/bootstrap/apps/kustomization-karakeep.yaml b/bootstrap/apps/kustomization-karakeep.yaml
index b32c97a..bf283ba 100644
--- a/bootstrap/apps/kustomization-karakeep.yaml
+++ b/bootstrap/apps/kustomization-karakeep.yaml
@@ -11,5 +11,9 @@ spec:
   sourceRef:
     kind: GitRepository
     name: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
   dependsOn:
     - name: infra-configs
diff --git a/bootstrap/apps/kustomization-kube-prometheus-stack.yaml b/bootstrap/apps/kustomization-kube-prometheus-stack.yaml
index a2577b9..fae15df 100644
--- a/bootstrap/apps/kustomization-kube-prometheus-stack.yaml
+++ b/bootstrap/apps/kustomization-kube-prometheus-stack.yaml
@@ -11,5 +11,9 @@ spec:
   sourceRef:
     kind: GitRepository
     name: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
   dependsOn:
     - name: infra-configs
diff --git a/bootstrap/apps/kustomization-media.yaml b/bootstrap/apps/kustomization-media.yaml
index 5cb2340..ba458c4 100644
--- a/bootstrap/apps/kustomization-media.yaml
+++ b/bootstrap/apps/kustomization-media.yaml
@@ -11,5 +11,9 @@ spec:
   sourceRef:
     kind: GitRepository
     name: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
   dependsOn:
     - name: infra-configs
diff --git a/bootstrap/apps/kustomization-michaelthomson.yaml b/bootstrap/apps/kustomization-michaelthomson.yaml
index 43ccbe7..912296f 100644
--- a/bootstrap/apps/kustomization-michaelthomson.yaml
+++ b/bootstrap/apps/kustomization-michaelthomson.yaml
@@ -11,5 +11,9 @@ spec:
   sourceRef:
     kind: GitRepository
     name: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
   dependsOn:
     - name: infra-configs
diff --git a/bootstrap/apps/kustomization-minecraft.yaml b/bootstrap/apps/kustomization-minecraft.yaml
index bf97b6f..c27a91f 100644
--- a/bootstrap/apps/kustomization-minecraft.yaml
+++ b/bootstrap/apps/kustomization-minecraft.yaml
@@ -11,5 +11,9 @@ spec:
   sourceRef:
     kind: GitRepository
     name: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
   dependsOn:
     - name: infra-configs
diff --git a/bootstrap/apps/kustomization-nextcloud.yaml b/bootstrap/apps/kustomization-nextcloud.yaml
index 42f6271..c0fd56d 100644
--- a/bootstrap/apps/kustomization-nextcloud.yaml
+++ b/bootstrap/apps/kustomization-nextcloud.yaml
@@ -11,5 +11,9 @@ spec:
   sourceRef:
     kind: GitRepository
     name: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
   dependsOn:
     - name: infra-configs
diff --git a/bootstrap/apps/kustomization-ntfy.yaml b/bootstrap/apps/kustomization-ntfy.yaml
index 92d7a90..e4cbe62 100644
--- a/bootstrap/apps/kustomization-ntfy.yaml
+++ b/bootstrap/apps/kustomization-ntfy.yaml
@@ -11,5 +11,9 @@ spec:
   sourceRef:
     kind: GitRepository
     name: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
   dependsOn:
     - name: infra-configs
diff --git a/bootstrap/apps/kustomization-pihole.yaml b/bootstrap/apps/kustomization-pihole.yaml
index 541b2ef..223751c 100644
--- a/bootstrap/apps/kustomization-pihole.yaml
+++ b/bootstrap/apps/kustomization-pihole.yaml
@@ -11,5 +11,9 @@ spec:
   sourceRef:
     kind: GitRepository
     name: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
   dependsOn:
     - name: infra-configs
diff --git a/bootstrap/apps/kustomization-stirling-pdf.yaml b/bootstrap/apps/kustomization-stirling-pdf.yaml
index e6c8b6c..5526b8d 100644
--- a/bootstrap/apps/kustomization-stirling-pdf.yaml
+++ b/bootstrap/apps/kustomization-stirling-pdf.yaml
@@ -11,5 +11,9 @@ spec:
   sourceRef:
     kind: GitRepository
     name: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
   dependsOn:
     - name: infra-configs
diff --git a/bootstrap/apps/kustomization-syncthing.yaml b/bootstrap/apps/kustomization-syncthing.yaml
index 784a0f0..2e05c5d 100644
--- a/bootstrap/apps/kustomization-syncthing.yaml
+++ b/bootstrap/apps/kustomization-syncthing.yaml
@@ -11,5 +11,9 @@ spec:
   sourceRef:
     kind: GitRepository
     name: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
   dependsOn:
     - name: infra-configs
diff --git a/bootstrap/apps/kustomization-uptime-kuma.yaml b/bootstrap/apps/kustomization-uptime-kuma.yaml
index e084ddf..87a6ec6 100644
--- a/bootstrap/apps/kustomization-uptime-kuma.yaml
+++ b/bootstrap/apps/kustomization-uptime-kuma.yaml
@@ -11,5 +11,9 @@ spec:
   sourceRef:
     kind: GitRepository
     name: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
   dependsOn:
     - name: infra-configs
diff --git a/bootstrap/apps/kustomization-vaultwarden.yaml b/bootstrap/apps/kustomization-vaultwarden.yaml
index 2a51677..d15a278 100644
--- a/bootstrap/apps/kustomization-vaultwarden.yaml
+++ b/bootstrap/apps/kustomization-vaultwarden.yaml
@@ -11,5 +11,9 @@ spec:
   sourceRef:
     kind: GitRepository
     name: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
   dependsOn:
     - name: infra-configs
diff --git a/bootstrap/apps/kustomization-wg-easy.yaml b/bootstrap/apps/kustomization-wg-easy.yaml
index 4c1c244..9c8d727 100644
--- a/bootstrap/apps/kustomization-wg-easy.yaml
+++ b/bootstrap/apps/kustomization-wg-easy.yaml
@@ -11,5 +11,9 @@ spec:
   sourceRef:
     kind: GitRepository
     name: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
   dependsOn:
     - name: infra-configs
diff --git a/bootstrap/infrastructure/infra-configs.yaml b/bootstrap/infrastructure/infra-configs.yaml
index b0fa657..16c8f91 100644
--- a/bootstrap/infrastructure/infra-configs.yaml
+++ b/bootstrap/infrastructure/infra-configs.yaml
@@ -4,6 +4,10 @@ metadata:
   name: infra-configs
   namespace: flux-system
 spec:
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
   dependsOn:
     - name: infra-controllers
   interval: 1h
diff --git a/bootstrap/infrastructure/infra-controllers.yaml b/bootstrap/infrastructure/infra-controllers.yaml
index 523bebd..ee85343 100644
--- a/bootstrap/infrastructure/infra-controllers.yaml
+++ b/bootstrap/infrastructure/infra-controllers.yaml
@@ -4,6 +4,10 @@ metadata:
   name: infra-controllers
   namespace: flux-system
 spec:
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
   dependsOn:
     - name: infra-crds
   interval: 10m
diff --git a/bootstrap/infrastructure/infra-crds.yaml b/bootstrap/infrastructure/infra-crds.yaml
index f7b3d6d..bd3ce88 100644
--- a/bootstrap/infrastructure/infra-crds.yaml
+++ b/bootstrap/infrastructure/infra-crds.yaml
@@ -4,6 +4,10 @@ metadata:
   name: infra-crds
   namespace: flux-system
 spec:
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
   dependsOn:
     - name: infra-namespaces
   interval: 1h