Remove obsolete secret templates

- Delete 13 .yaml.tpl files replaced by ExternalSecrets
- Update immich/README.md with direct CNPG secret copy instructions
- Update miniflux/README.md with context flag and ESO note

Only 1password-connect/secret-credentials.yaml.tpl remains (bootstrap).

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

argocd/manifests/argocd/repo-forge-secret.yaml.tpl

@@ -1,31 +0,0 @@
-# ArgoCD credential template for forge SSH access
-# This is a repo-creds (credential template) that matches ALL repos under eblume/
-#
-# IMPORTANT: Use ?ssh-format=openssh to get OpenSSH format (required by ArgoCD)
-#
-# The SSH key must be added to the Forgejo user's SSH keys (not as a deploy key)
-# so it has access to all repos owned by that user.
-#
-# Create the secret with:
-#
-#   PRIV_KEY=$(op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/csjncynh6htjvnh2l2da65y32q/private key?ssh-format=openssh")$'\n' && \
-#   kubectl create secret generic repo-creds-forge -n argocd \
-#     --from-literal=type=git \
-#     --from-literal=url='ssh://forgejo@forge.ops.eblu.me:2222/eblume/' \
-#     --from-literal=insecure=true \
-#     --from-literal=sshPrivateKey="$PRIV_KEY" && \
-#   kubectl label secret repo-creds-forge -n argocd argocd.argoproj.io/secret-type=repo-creds
-#
-apiVersion: v1
-kind: Secret
-metadata:
-  name: repo-creds-forge
-  namespace: argocd
-  labels:
-    argocd.argoproj.io/secret-type: repo-creds
-stringData:
-  type: git
-  url: ssh://forgejo@forge.ops.eblu.me:2222/eblume/
-  insecure: "true"
-  sshPrivateKey: |
-    # Key from 1Password: op://vg6xf6vvfmoh5hqjjhlhbeoaie/csjncynh6htjvnh2l2da65y32q/private key

argocd/manifests/databases/secret-borgmatic.yaml.tpl

@@ -1,13 +0,0 @@
-# Template for borgmatic backup user password
-# Apply with: op inject -i secret-borgmatic.yaml.tpl | kubectl apply -f -
-#
-# Uses the same borgmatic password from 1Password as the brew PostgreSQL setup
-apiVersion: v1
-kind: Secret
-metadata:
-  name: blumeops-pg-borgmatic
-  namespace: databases
-type: kubernetes.io/basic-auth
-stringData:
-  username: borgmatic
-  password: {{ op://vg6xf6vvfmoh5hqjjhlhbeoaie/mw2bv5we7woicjza7hc6s44yvy/db-password }}

argocd/manifests/databases/secret-eblume.yaml.tpl

@@ -1,13 +0,0 @@
-# Template for eblume superuser password
-# Apply with: op inject -i secret-eblume.yaml.tpl | kubectl apply -f -
-#
-# Uses the same 1Password item as the brew PostgreSQL setup on indri
-apiVersion: v1
-kind: Secret
-metadata:
-  name: blumeops-pg-eblume
-  namespace: databases
-type: kubernetes.io/basic-auth
-stringData:
-  username: eblume
-  password: {{ op://vg6xf6vvfmoh5hqjjhlhbeoaie/guxu3j7ajhjyey6xxl2ovsl2ui/password }}

argocd/manifests/databases/secret-teslamate.yaml.tpl

@@ -1,11 +0,0 @@
-# Template for TeslaMate database user password
-# Apply with: op inject -i argocd/manifests/databases/secret-teslamate.yaml.tpl | kubectl apply -f -
-apiVersion: v1
-kind: Secret
-metadata:
-  name: blumeops-pg-teslamate
-  namespace: databases
-type: kubernetes.io/basic-auth
-stringData:
-  username: teslamate
-  password: {{ op://blumeops/TeslaMate/db_password }}

argocd/manifests/devpi/secret-root.yaml.tpl

@@ -1,12 +0,0 @@
-# Template for devpi root password secret
-# Create the secret before deploying:
-#   kubectl create namespace devpi
-#   op inject -i argocd/manifests/devpi/secret-root.yaml.tpl | kubectl apply -f -
-apiVersion: v1
-kind: Secret
-metadata:
-  name: devpi-root
-  namespace: devpi
-type: Opaque
-stringData:
-  password: "{{ op://vg6xf6vvfmoh5hqjjhlhbeoaie/kyhzfifryqnuk7jeyibmmjvxxm/root password }}"

argocd/manifests/forgejo-runner/secret.yaml.tpl

@@ -1,17 +0,0 @@
-# Forgejo Runner Environment Secret
-# This template is processed by `op inject` to resolve 1Password references.
-#
-# Usage:
-#   op inject -i secret.yaml.tpl | kubectl --context=minikube-indri apply -f -
-#
-apiVersion: v1
-kind: Secret
-metadata:
-  name: forgejo-runner-env
-  namespace: forgejo-runner
-type: Opaque
-stringData:
-  FORGEJO_URL: "https://forge.ops.eblu.me"
-  RUNNER_NAME: "k8s-runner"
-  RUNNER_LABELS: "k8s:docker://registry.ops.eblu.me/blumeops/forgejo-runner:v2.1.7"
-  RUNNER_TOKEN: "{{ op://vg6xf6vvfmoh5hqjjhlhbeoaie/w3663ffnvkewbftncqxtcpeavy/runner_reg }}"

argocd/manifests/grafana-config/secret-admin.yaml.tpl

@@ -1,16 +0,0 @@
-# Grafana admin password secret
-#
-# Apply with: op inject -i secret-admin.yaml.tpl | kubectl apply -f -
-#
-# 1Password item: blumeops vault (vg6xf6vvfmoh5hqjjhlhbeoaie)
-# Item ID: oxkcr3xtxnewy7noep2izvyr6y
-# Field: password
-apiVersion: v1
-kind: Secret
-metadata:
-  name: grafana-admin
-  namespace: monitoring
-type: Opaque
-stringData:
-  admin-user: admin
-  admin-password: {{ op://vg6xf6vvfmoh5hqjjhlhbeoaie/oxkcr3xtxnewy7noep2izvyr6y/password }}

argocd/manifests/grafana-config/secret-teslamate-datasource.yaml.tpl

@@ -1,13 +0,0 @@
-# TeslaMate PostgreSQL datasource password for Grafana
-# Apply with: op inject -i argocd/manifests/grafana-config/secret-teslamate-datasource.yaml.tpl | kubectl apply -f -
-#
-# This secret is mounted as environment variables in Grafana
-# The password is referenced in values.yaml datasource config as $TESLAMATE_DB_PASSWORD
-apiVersion: v1
-kind: Secret
-metadata:
-  name: grafana-teslamate-datasource
-  namespace: monitoring
-type: Opaque
-stringData:
-  TESLAMATE_DB_PASSWORD: {{ op://blumeops/TeslaMate/db_password }}

argocd/manifests/immich/README.md

@@ -19,17 +19,20 @@ Self-hosted photo and video management solution with AI-powered search and face
 
 ## Secret Setup
 
+The `immich-db` secret contains the database password, which is auto-generated by CloudNativePG
+in the `immich-pg-app` secret. To create or regenerate the secret:
+
 ```bash
-# Create namespace
-kubectl create namespace immich
+# Create namespace if needed
+kubectl --context=minikube-indri create namespace immich
 
-# Get the auto-generated immich password from CloudNativePG
-kubectl -n databases get secret immich-pg-app -o jsonpath='{.data.password}' | base64 -d
-
-# Store that password in 1Password under blumeops/immich-pg, then:
-op inject -i argocd/manifests/immich/secret-db.yaml.tpl | kubectl apply -f -
+# Copy password from CNPG secret to immich namespace
+kubectl --context=minikube-indri create secret generic immich-db -n immich \
+  --from-literal=password="$(kubectl --context=minikube-indri -n databases get secret immich-pg-app -o jsonpath='{.data.password}' | base64 -d)"
 ```
 
+Note: This secret is not managed by ExternalSecrets since the source of truth is the CNPG-generated secret.
+
 ## Access
 
 - **URL**: https://photos.ops.eblu.me (after Caddy is updated)

argocd/manifests/immich/secret-db.yaml.tpl

@@ -1,12 +0,0 @@
-# Immich database password secret
-# Apply with: op inject -i argocd/manifests/immich/secret-db.yaml.tpl | kubectl apply -f -
-apiVersion: v1
-kind: Secret
-metadata:
-  name: immich-db
-  namespace: immich
-type: Opaque
-stringData:
-  # Password is auto-generated by CloudNativePG and stored in immich-pg-app secret
-  # Retrieve with: kubectl -n databases get secret immich-pg-app -o jsonpath='{.data.password}' | base64 -d
-  password: "{{ op://blumeops/immich-pg/password }}"

argocd/manifests/miniflux/README.md

@@ -16,8 +16,11 @@ RSS/Atom feed reader deployed via ArgoCD.
 kubectl create namespace miniflux
 
 # The miniflux user password is auto-generated by CNPG in blumeops-pg-app secret
-kubectl create secret generic miniflux-db -n miniflux \
-  --from-literal=url="$(kubectl -n databases get secret blumeops-pg-app -o jsonpath='{.data.uri}' | base64 -d)"
+kubectl --context=minikube-indri create secret generic miniflux-db -n miniflux \
+  --from-literal=url="$(kubectl --context=minikube-indri -n databases get secret blumeops-pg-app -o jsonpath='{.data.uri}' | base64 -d)"
+
+# Note: This secret is not managed by ExternalSecrets since the source of truth
+# is the CNPG-generated secret.
 ```
 
 2. Apply the ArgoCD application:

argocd/manifests/miniflux/secret-db.yaml.tpl

@@ -1,13 +0,0 @@
-# Miniflux database connection secret
-#
-# The miniflux user password is auto-generated by CloudNativePG and stored in
-# blumeops-pg-app secret in the databases namespace. To create this secret:
-#
-# 1. Get the URI from CNPG secret:
-#    kubectl -n databases get secret blumeops-pg-app -o jsonpath='{.data.uri}' | base64 -d
-#
-# 2. Create the secret (one-liner):
-#    kubectl create secret generic miniflux-db -n miniflux \
-#      --from-literal=url="$(kubectl -n databases get secret blumeops-pg-app -o jsonpath='{.data.uri}' | base64 -d)"
-#
-# Note: Uses internal k8s DNS hostname (blumeops-pg-rw.databases) not Tailscale

argocd/manifests/tailscale-operator/secret.yaml.tpl

@@ -1,14 +0,0 @@
-# Tailscale Operator OAuth Secret
-# This template is processed by `op inject` to resolve 1Password references.
-#
-# Usage:
-#   op inject -i secret.yaml.tpl | kubectl apply -f -
-#
-apiVersion: v1
-kind: Secret
-metadata:
-  name: operator-oauth
-  namespace: tailscale
-stringData:
-  client_id: "{{ op://vg6xf6vvfmoh5hqjjhlhbeoaie/2it22lavwgbxdskoaxanej354q/client-id }}"
-  client_secret: "{{ op://vg6xf6vvfmoh5hqjjhlhbeoaie/2it22lavwgbxdskoaxanej354q/client-secret }}"

argocd/manifests/teslamate/secret-db.yaml.tpl

@@ -1,11 +0,0 @@
-# TeslaMate database password secret
-#
-# Apply with: op inject -i argocd/manifests/teslamate/secret-db.yaml.tpl | kubectl apply -f -
-apiVersion: v1
-kind: Secret
-metadata:
-  name: teslamate-db
-  namespace: teslamate
-type: Opaque
-stringData:
-  password: {{ op://blumeops/TeslaMate/db_password }}

argocd/manifests/teslamate/secret-encryption-key.yaml.tpl

@@ -1,12 +0,0 @@
-# TeslaMate encryption key secret
-# This key encrypts Tesla API tokens at rest in the database
-#
-# Apply with: op inject -i argocd/manifests/teslamate/secret-encryption-key.yaml.tpl | kubectl apply -f -
-apiVersion: v1
-kind: Secret
-metadata:
-  name: teslamate-encryption
-  namespace: teslamate
-type: Opaque
-stringData:
-  key: {{ op://blumeops/TeslaMate/api_enc_key }}