## Summary

- New how-to guide at `docs/how-to/restore-1password-backup.md` with step-by-step procedure for extracting and decrypting a 1Password `.1pux` export from borgmatic backup
- **End-to-end verified**: extracted from today's borg archive, decrypted age key with openssl, decrypted .1pux with age → valid 31MB zip with vault data
- Cross-links added from: disaster-recovery, 1password, borgmatic, backups policy, and how-to index
- Updated disaster-recovery.md from TBD stub to include a procedures table

## Deployment and Testing

- [x] Verified full extraction + decryption flow against live borgmatic archive
- [x] `docs-check-links` passes — all wiki-links valid
- [ ] Review guide for clarity and completeness

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/141
| title | tags |
|---|---|
| 1Password | |
# 1Password

Root credential store for all BlumeOps secrets, synced to Kubernetes via External Secrets Operator.

## Architecture

```
1Password Cloud
       |
       v
1Password Connect (namespace: 1password)
       |
       v
External Secrets Operator (namespace: external-secrets)
       |
       v
Native Kubernetes Secrets
```

## Vault

The `blumeops` vault contains all infrastructure credentials.

## Kubernetes Integration

ClusterSecretStore: `onepassword-blumeops`

Services reference 1Password items via ExternalSecret manifests.
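
A minimal ExternalSecret that pulls one field through the `onepassword-blumeops` ClusterSecretStore, added here as an illustration and not taken from the BlumeOps repository. The namespace, resource names, item title, and field label are hypothetical.

```yaml
# Added example, not a manifest from the BlumeOps repository.
# Hypothetical values: namespace, resource names, item title, field label.
apiVersion: external-secrets.io/v1beta1   # newer ESO releases serve external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: example-app-db
  namespace: example-app
spec:
  refreshInterval: 1h              # how often ESO re-reads the item via 1Password Connect
  secretStoreRef:
    kind: ClusterSecretStore       # cluster-scoped store named on this page
    name: onepassword-blumeops
  target:
    name: example-app-db           # native Kubernetes Secret that ESO creates
    creationPolicy: Owner          # Secret is garbage-collected with the ExternalSecret
  data:
    - secretKey: password          # key inside the resulting Kubernetes Secret
      remoteRef:
        key: example-app-db        # 1Password item title (hypothetical)
        property: password         # field label within that item (hypothetical)
```

Because the store is cluster-scoped, any namespace that can create ExternalSecrets can request any item the Connect token can read, unless the ClusterSecretStore's `conditions` or an admission policy restricts which namespaces may use it.
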
## Disaster Recovery Backup

The `mise run op-backup` task encrypts a `.1pux` vault export and transfers it to indri for inclusion in borgmatic backups. See restore-1password-backup for the full recovery procedure.

## Related

- argocd - Uses secrets for git access
- postgresql - Database credentials
- restore-1password-backup - Recovery from backup
- borgmatic - Backup system