Phase 2 of documentation restructuring. Creates docs/reference/ with:

Services (16):
- alloy, argocd, borgmatic, 1password, forgejo, grafana
- jellyfin, kiwix, loki, miniflux, navidrome, postgresql
- prometheus, teslamate, transmission, zot

Infrastructure (3):
- hosts - Device inventory
- tailscale - ACLs, groups, tags
- routing - DNS domains and port mappings

Kubernetes (2):
- cluster - Minikube specs
- apps - ArgoCD application registry

Storage (2):
- sifaka - Synology NAS configuration
- backups - Backup policy

All cards use wiki-links for cross-referencing and include YAML frontmatter with title and tags for Quartz.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
1.3 KiB
---
title: 1Password
tags:
---

# 1Password
Root credential store for all BlumeOps secrets, synced to Kubernetes via External Secrets Operator.
## Architecture

```
1Password Cloud
      |
      v
1Password Connect (namespace: 1password)
      |
      v
External Secrets Operator (namespace: external-secrets)
      |
      v
Native Kubernetes Secrets
```
## Vault
The blumeops vault contains all infrastructure credentials.
## Kubernetes Integration

ClusterSecretStore: `onepassword-blumeops`

Services reference 1Password items via ExternalSecret manifests. Example: `argocd/manifests/devpi/external-secret.yaml`
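As an added illustration (not a manifest from the BlumeOps repository), the two objects below show how the chain above is wired: the ClusterSecretStore named on this page points ESO at the Connect server, and an ExternalSecret maps fields of one 1Password item into a native Secret. The Connect host address, the token Secret name, the `devpi` item title and the target namespace are assumptions.

```yaml
# Illustrative example added to this card; names marked ASSUMED are
# placeholders, not values taken from the BlumeOps repository.
---
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: onepassword-blumeops          # store name used on this page
spec:
  provider:
    onepassword:
      # ASSUMED: in-cluster address of the Connect server in namespace 1password
      connectHost: http://onepassword-connect.1password.svc.cluster.local:8080
      vaults:
        blumeops: 1                   # vault name -> lookup priority
      auth:
        secretRef:
          connectTokenSecretRef:
            name: onepassword-token   # ASSUMED: bootstrap Secret holding the Connect token
            key: token
            namespace: external-secrets
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: devpi-credentials             # ASSUMED: shaped like argocd/manifests/devpi/external-secret.yaml
  namespace: devpi                    # ASSUMED
spec:
  refreshInterval: 1h                 # how often ESO re-reads the item from Connect
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-blumeops
  target:
    name: devpi-credentials           # native Secret that pods mount or reference via env
    creationPolicy: Owner             # ESO owns the Secret; deleting the ExternalSecret removes it
  data:
    - secretKey: username             # key inside the Kubernetes Secret
      remoteRef:
        key: devpi                    # ASSUMED: 1Password item title in vault blumeops
        property: username            # field label on that item
    - secretKey: password
      remoteRef:
        key: devpi
        property: password
```

The synced Secret is an ordinary Kubernetes Secret, so anyone with `get` on Secrets in the target namespace can read the values; the 1Password vault protects the source, not the copy.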
## CLI Usage

```bash
# Get a secret field
op --vault blumeops item get <item-id> --fields <field> --reveal

# Inject into a template
op inject -i secret.yaml.tpl | kubectl apply -f -
```
## Bootstrap (Disaster Recovery)

- Create Connect server:
  ```bash
  op connect server create blumeops --vaults blumeops
  ```
- Create token:
  ```bash
  op connect token create blumeops --server <id> --vault blumeops
  ```
- Store credentials in 1Password item "1Password Connect"
- Apply bootstrap secret to k8s
- Sync apps: 1password-connect, external-secrets-crds, external-secrets, external-secrets-config
## Related
- argocd - Uses secrets for git access
- postgresql - Database credentials