chore(syncthing): attempt to inject sops-encrypted secrets into syncthing's config folder

apps/syncthing/overlay/media/cert.sops.pem

@@ -0,0 +1,20 @@
+{
+	"data": "ENC[AES256_GCM,data:uVfizKnFIFJStCPtdNEJBe4apghX/DbJim4kM75KtuL/TQJ/WJ8Cas5o2Q1cwMggkpuSLCyo6BUwWQoYjSvTonVkFU26O8n2m1Y62Lukg7fOY2ZYvzj79c+YlWPDGstdh1CtGMPdgmZfmC/YlJDyXxx/it4jiCvK2ADF4s+HECfwgOyN5YMwrliPgj3J3maVQAMjnDcs540k1uh3l8bWA+keLE9bqSIEZSQ/e/RkaZ02JDYssFEhCTWBY9RYzaQ5DvXvN8UjdeCz5EtfSeZICxitvkYPjEfLZ9CNAhVnnGTM8/6p1xWNiEnnSwrNqpJ+zK3cixkQNlTgcDA8tcOtTzqU8POtj5itOrJV0mCwpyArK2DfungDR4P0nVlBBuqPxiWjufpDxUfg+IPFhxFKHHGZaOvDZfiXwT/mZFwp31wUbdaKLQkqWAHcAyUN/pabjWzOhSdCWEFh/VlPX4a1CW/yl8YYPEqGz4gzJ9SUM29cUH4GoyLksC/bFf5J92sZ50dj5QD12duuVqYmJGLqTphSjsnRv7AO4EdpFSvO69WoxzkcGzx92dK5mw4RcuW5SCEfu4XaZWCVLCBpnp9Rl3R6BPUdckh5nbDp6L99++swgReZ4z4wWgeUZ60yTgcO+wH5FBGIWBTNlA8Z+C/d3ZGboU4zGqIr6X3ohDu/jKjgA0+2OBcEXPm/zHp2QfqQmUk48AlDUnxcX7wGEB4l48ErBNjhyreNWkmuoZtLwdQUeQc+vstnLOdx3sbMEUVEvyvZVzTfLMhJvkCfFjZyIF7fynNtvMn8wnUSumPkGQ5FqVh1uNnX,iv:zsUQSb6qkBpr5TLYy0FCV4X6b4exTYxmlp+q5wCZoCw=,tag:EIPkQItZvaLUkm9HoQdILw==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1y26vr5qt6th3wu92rnsgkqcpxxah3pqkqa4khcjjycm3kg40aqyqjgfzx9",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByYnVhODBJV091cXFTbk13\nWUhWREgvMTlGSUtxRUptazA3OUlONjZMV0g0CmhwTFJiZk1zZjA2a2RncHNmdmZX\nckRyNVpPWVJsTlp5ZDlaWWhHcG5TQzgKLS0tIC9EUEFJOFlBWVBVc285RzdYVXlq\nc0RBRW5SNy9wL2s2Q0Fpa21JREVwVlkKIHnlUKipzptrJUyzQumGiSRVm+hsEuq8\n+o7772jG0rwsLt0xQ3cKaQP2Rfeiul3QQXde7bEuT8T/iN6fBZPYkg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-05-25T13:09:08Z",
+		"mac": "ENC[AES256_GCM,data:c84fztj6EhtZtm9IdIy3qEq0EFjl4Id5IG1B8kaZChnScTNFLTKb8Hlbc6GMVFM11FfOjscfe6/oa1eZAk6bM4V0LNFi5ysXIbByPcUy5ZaA1agUtSKOlQOD0lIaONhzaAVuQWD7W7m7vz1nYVoUEBNvFplkoZqVgllenJiq4Jo=,iv:CeOKU8Vfls5Bc//n/uTKNJlz6ZwtNskPVj7Da3otw0U=,tag:wkh25T/s1p+oRRuAlYQdZw==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}

apps/syncthing/overlay/media/config.json

@@ -0,0 +1,11 @@
+{
+  "appName": "syncthing",
+  "userGivenName": "syncthing",
+  "destNamespace": "media",
+  "destServer": "https://kubernetes.default.svc",
+  "srcPath": "apps/syncthing/overlays/media",
+  "srcRepoURL": "ssh://git@gitea-ssh.gitops.svc.cluster.local:2222/davad/argo.git",
+  "srcTargetRevision": "",
+  "labels": null,
+  "annotations": null
+}

apps/syncthing/overlay/media/deployment-patch.yaml

@@ -0,0 +1,24 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: syncthing
+spec:
+  template:
+    containers:
+      - name: syncthing
+        volumeMounts:
+          - name: sync-keys
+            mountPath: /var/syncthing/config/cert.pem
+            subPath: cert.pem
+            readOnly: true
+          - name: sync-keys
+            mountPath: /var/syncthing/config/key.pem
+            readOnly: true
+            subPath: key.pem
+    volumes:
+      - name: sync-keys
+        secret:
+          secretName: sync-secret
+          items:
+            - key: cert.pem
+            - key: key.pem

apps/syncthing/overlay/media/key.sops.pem

@@ -0,0 +1,20 @@
+{
+	"data": "ENC[AES256_GCM,data:UeRToJkSGyQUd7AS/5B1ksjtwzwhSrEGNySX/qfqoByWOiTFy+slinkbDRj1Xb/xcqM92/nq3CF1m5K2Kyg+XiixFSh/RTTe9NV8julJqNQ6sMtlGmp+cFh8BwESTqdwqusjS0OztNdInvdzpm2+vfRY5lccwRrqSElobTZ2mr9zewJmIb6BBWyKf4NoTu5vvxGLsTe+caaX4RDjFnsDA7jD3kHKNkk7O8wMVhpf0dYF0xDQUp/BHVRpGQlOidNzCpisDs/Ww1JuXoR2/comp70qTR13mD2EIv3pITyRTVUKzYY7nI3LqDNxr7pUi78Q5gJRayW/TGSejJnMlnCQBvy7axRS94TpmDMBD3OhY5d//sU8l1qJp9bAPZ+cQy52,iv:isJiH3XpfLXflLjwbpeW1/T9OK7JAVEZgKwhNW1oeFU=,tag:j1ozcySXkqPGB1+kCmpNQw==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1y26vr5qt6th3wu92rnsgkqcpxxah3pqkqa4khcjjycm3kg40aqyqjgfzx9",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpaFdsNW1CYzZQR29SSldV\nSEdudDVHS01vOGRicHhGUjFQb3pwNlBzUUhrCk52YW83VmpLYlBuc2xqWCtadXc0\nK0NJR1JiYUZhak1mSXp2T3dmcXVDTzAKLS0tIFR0dFJZdjMvdWF1QVZTU3pZNG9L\nUXcvSUZUTGZyeVJEVlFoTnVtMXZJL0UKC6Ddfsg6346q2ozfx0v4VbtE099q2SgE\nteD2nQXqGIuVTdifmUWPb4kwRBeb8Zk1w7F5ELME3UQOGVPvGiJB/Q==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-05-25T13:09:11Z",
+		"mac": "ENC[AES256_GCM,data:GGcmvaZ/h5OMfeNY7EzMGYCFPYnxtce/5yqGvdf6pGwCDGLIBBXSQzYRKCOz4knCFTho1ka9EQAj24EM/z3qz7cGDTbU96WoxZaEaknAY6EaI9SjNxhFJNf1KFgmf6eOimDTLNfieG81jL10i/fAyXV+qgd1s/okDDs2C/pGyRA=,iv:kdfbAtaFeA/pQWwVkJRm3uVNoD/BFz08kFBiekM5lQo=,tag:C+4DNsbG8G0Vm9TbBIti3w==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}

apps/syncthing/overlay/media/kustomization.yaml

@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ../../base
+
+generators:
+  - secrets.yaml
+
+patches:
+  - path: deployment-patch.yaml

apps/syncthing/overlay/media/secrets.yaml

@@ -0,0 +1,15 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+  name: ksops-generator
+  annotations:
+    config.kubernetes.io/function: |
+      exec:
+        path: ksops
+secretFrom:
+  - metadata:
+      name: sync-secret
+    type: Opaque
+    binaryFiles:
+      - cert.pem=./cert.sops.pem
+      - key.pem=./key.sops.pem