From 9d01bc51772813db8096d8cfd695f19f4e93dad7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?c=C4=83t=C4=83lin?=
Date: Tue, 10 Mar 2026 18:14:16 +0100
Subject: [PATCH] feat: add k8s/vaultwarden-secrets-manager
---
 .../vaultwarden-secrets-manager.yaml | 64 +++++++++++++++++++
 k8s/services/argo/project-fuku.yaml | 1 +
 k8s/services/valheim/sealedsecrets.yaml | 16 -----
 .../sealedsecrets.yaml | 17 +++++
 4 files changed, 82 insertions(+), 16 deletions(-)
 create mode 100644 k8s/argo-apps/vaultwarden-secrets-manager.yaml
 delete mode 100644 k8s/services/valheim/sealedsecrets.yaml
 create mode 100644 k8s/services/vaultwarden-kubernetes-secrets/sealedsecrets.yaml
diff --git a/k8s/argo-apps/vaultwarden-secrets-manager.yaml b/k8s/argo-apps/vaultwarden-secrets-manager.yaml
new file mode 100644
index 0000000..e2fc9d9
--- /dev/null
+++ b/k8s/argo-apps/vaultwarden-secrets-manager.yaml
@@ -0,0 +1,64 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: vaultwarden-secrets-manager
+ namespace: argocd
+spec:
+ destination:
+ name: ''
+ namespace: apps-fuku
+ server: https://kubernetes.default.svc
+ sources:
+ - chart: vaultwarden-kubernetes-secrets
+ repoURL: ghcr.io/antoniolago/charts
+ targetRevision: 1.2.8
+ helm:
+ valuesObject:
+ api:
+ enabled: true
+ service:
+ type: LoadBalancer
+ persistence:
+ storageClass: truenas-nfs-csi
+ dashboard:
+ enabled: true
+ service:
+ type: LoadBalancer
+ ingress:
+ enabled: true
+ className: traefik
+ hosts:
+ - host: vault-secrets.fuku
+ paths:
+ - path: /
+ pathType: Prefix
+ backend: dashboard
+ port: 80
+ - path: /api
+ pathType: Prefix
+ backend: api
+ port: 8080
+ env:
+ config:
+ VAULTWARDEN__SERVERURL: "https://vault.roboces.dev"
+ secrets:
+ BW_CLIENTID:
+ secretName: "vaultwarden-kubernetes-secrets"
+ secretKey: "BW_CLIENTID"
+ BW_CLIENTSECRET:
+ secretName: "vaultwarden-kubernetes-secrets"
+ secretKey: "BW_CLIENTSECRET"
+ VAULTWARDEN__MASTERPASSWORD:
+ secretName: "vaultwarden-kubernetes-secrets"
+ secretKey: "VAULTWARDEN__MASTERPASSWORD"
+ - path: k8s/services/vaultwarden-kubernetes-secrets
+ repoURL: https://git.roboces.dev/catalin/fukuops.git
+ targetRevision: main
+ project: fuku
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/k8s/services/argo/project-fuku.yaml b/k8s/services/argo/project-fuku.yaml
index ead0d89..6f03737 100644
--- a/k8s/services/argo/project-fuku.yaml
+++ b/k8s/services/argo/project-fuku.yaml
@@ -33,3 +33,4 @@ spec:
 - https://vmware-tanzu.github.io/helm-charts/
 - https://helm.runix.net
 - https://rcourtman.github.io/Pulse
+ - ghcr.io/antoniolago/charts
diff --git a/k8s/services/valheim/sealedsecrets.yaml b/k8s/services/valheim/sealedsecrets.yaml
deleted file mode 100644
index ad59cb1..0000000
--- a/k8s/services/valheim/sealedsecrets.yaml
+++ /dev/null
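Review bot: In `k8s/argo-apps/vaultwarden-secrets-manager.yaml`, both `api.service.type` and `dashboard.service.type` are set to `LoadBalancer` even though the same values enable a Traefik ingress that already routes `/` and `/api` to those backends. That gives the API and dashboard of a component holding the Vaultwarden master password a second, direct listener on the load-balancer address, outside whatever TLS or access control is applied at the ingress. Unless direct access is required, set both to `type: ClusterIP` and reach them only through the ingress. The ingress block shown also has no TLS section or auth middleware, so it is worth confirming (it may be configured elsewhere) that `vault-secrets.fuku` is not served unauthenticated over plain HTTP.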
@@ -1,16 +0,0 @@
-# yamllint disable rule:line-length
----
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
- creationTimestamp: null
- name: valheim-secrets
- namespace: apps-fuku
-spec:
- encryptedData:
- server-password: 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
- template:
- metadata:
- creationTimestamp: null
- name: valheim-secrets
- namespace: apps-fuku
diff --git a/k8s/services/vaultwarden-kubernetes-secrets/sealedsecrets.yaml b/k8s/services/vaultwarden-kubernetes-secrets/sealedsecrets.yaml
new file mode 100644
index 0000000..a8f2585
--- /dev/null
+++ b/k8s/services/vaultwarden-kubernetes-secrets/sealedsecrets.yaml
@@ -0,0 +1,17 @@
+# yamllint disable rule:line-length
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ name: vaultwarden-kubernetes-secrets
+ namespace: apps-fuku
+spec:
+ encryptedData:
+ BW_CLIENTID: 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
+ BW_CLIENTSECRET: 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
+ VAULTWARDEN__MASTERPASSWORD: 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
+ template:
+ metadata:
+ name: vaultwarden-kubernetes-secrets
+ namespace: apps-fuku
+ type: Opaque
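Review bot: `k8s/services/vaultwarden-kubernetes-secrets/sealedsecrets.yaml` unseals `VAULTWARDEN__MASTERPASSWORD` together with the API client credentials into `apps-fuku`, the same namespace the removed `valheim-secrets` lived in, so anything able to read Secrets in that shared namespace presumably gets enough to unlock the whole vault account. The file does not say which account these credentials belong to; a header comment such as `# Credentials of a dedicated Vaultwarden sync account limited to the items meant for this cluster, not a personal login` would record the expectation. If they do belong to a personal account, consider moving to a dedicated one, and check that RBAC on Secrets in `apps-fuku` is limited to the workloads that need it.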