Erich Blume
1b18748f51
Closes the gap where only miniflux and teslamate were backed up. Authentik (blumeops-pg) just needed a config entry. Immich (immich-pg) required a new borgmatic managed role, ExternalSecret, Tailscale service, and Caddy L4 proxy on port 5433. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
29 lines
719 B
YAML
29 lines
719 B
YAML
# ExternalSecret for borgmatic backup user password on immich-pg cluster
|
|
#
|
|
# Reuses the same 1Password item as blumeops-pg-borgmatic.
|
|
# 1Password item: "borgmatic" in blumeops vault
|
|
# Field: "db-password"
|
|
#
|
|
apiVersion: external-secrets.io/v1
|
|
kind: ExternalSecret
|
|
metadata:
|
|
name: immich-pg-borgmatic
|
|
namespace: databases
|
|
spec:
|
|
refreshInterval: 1h
|
|
secretStoreRef:
|
|
kind: ClusterSecretStore
|
|
name: onepassword-blumeops
|
|
target:
|
|
name: immich-pg-borgmatic
|
|
creationPolicy: Owner
|
|
template:
|
|
type: kubernetes.io/basic-auth
|
|
data:
|
|
username: borgmatic
|
|
password: "{{ .password }}"
|
|
data:
|
|
- secretKey: password
|
|
remoteRef:
|
|
key: borgmatic
|
|
property: db-password
|