feat: add new cluster, create common directory

.taskfiles/Flux/Taskfile.yaml

@@ -3,17 +3,17 @@
 version: "3"
 
 vars:
-  CLUSTER_SECRET_SOPS_FILE: "{{.CLUSTER_DIR}}/bootstrap/flux/sops-key.sops.yaml"
+  CLUSTER_SECRET_SOPS_FILE: "{{.CLUSTERS_DIR}}/common/bootstrap/flux/sops-key.sops.yaml"
-  GITHUB_DEPLOY_KEY_FILE: "{{.CLUSTER_DIR}}/bootstrap/flux/forgejo-deploy-key.sops.yaml"
+  GITHUB_DEPLOY_KEY_FILE: "{{.CLUSTERS_DIR}}/common/bootstrap/flux/forgejo-deploy-key.sops.yaml"
 
 tasks:
   bootstrap:
     desc: Bootstrap Flux into a Kubernetes cluster
     cmds:
-      - kubectl apply --server-side --kustomize {{.CLUSTER_DIR}}/bootstrap/flux
+      - kubectl apply --server-side --kustomize {{.CLUSTERS_DIR}}/common/bootstrap/flux
       - sops --decrypt {{.CLUSTER_SECRET_SOPS_FILE}} | kubectl apply --server-side --filename -
       - sops --decrypt {{.GITHUB_DEPLOY_KEY_FILE}} | kubectl apply --server-side --filename -
-      - kubectl apply --server-side --kustomize {{.CLUSTER_DIR}}/flux/config
+      - kubectl apply --server-side --kustomize {{.CLUSTERS_DIR}}/{{.CLUSTER}}/flux/config
     preconditions:
       - { msg: "Missing cluster sops key", sh: "gpg -K 687802D4DFD8AA82EA55666CF7DADAC782D7663D" }
 

Taskfile.yaml

@@ -3,7 +3,7 @@
 version: "3"
 
 vars:
-  CLUSTER_DIR: "{{.ROOT_DIR}}/cluster"
+  CLUSTERS_DIR: "{{.ROOT_DIR}}/kubernetes"
 
 includes:
   flux: .taskfiles/Flux/Taskfile.yaml

kubernetes/common/apps/openebs/kustomization.yaml

@@ -4,5 +4,4 @@ resources:
 - ./namespace.yaml
 - ./helm-repository.yaml
 - ./helm-release.yaml
-- ./mainpool-sc.yaml
 - ./monitoring-helm-release.yaml

kubernetes/main/core/kustomization.yaml

@@ -4,8 +4,13 @@ resources:
 - ./kube-system
 - ./helm-repositories.yaml
 - ./cert-manager
-- ./networking
+- ../../common/apps/metallb
-- ./storage
+- ../../common/apps/traefik
+# storage
+- ./longhorn
+- ./openebs
+
 - ./kube-replicator
-- ./nfd/ks.yaml
+
-- ./intel-gpu/ks.yaml
+- ../../common/apps/nfd/ks.yaml
+- ../../common/apps/intel-gpu/ks.yaml

kubernetes/main/core/openebs/kustomization.yaml

@@ -1,6 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- ./longhorn
+- ../../../common/apps/openebs
-- ./openebs
+- ./mainpool-sc.yaml
-#- ./local-path-provisioner

kubernetes/main/core/storage/local-path-provisioner/helm.yaml

@@ -1,82 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: GitRepository
-metadata:
-  name: local-path-provisioner
-  namespace: flux-system
-spec:
-  interval: 1m
-  url: https://github.com/rancher/local-path-provisioner.git
-  ref:
-    tag: v0.0.29
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: local-path-provisioner
-  namespace: kube-system
-spec:
-  interval: 15m
-  chart:
-    spec:
-      chart: ./deploy/chart/local-path-provisioner
-      sourceRef:
-        kind: GitRepository
-        name: local-path-provisioner
-        namespace: flux-system
-  maxHistory: 3
-  install:
-    createNamespace: true
-    remediation:
-      retries: 3
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
-  uninstall:
-    keepHistory: false
-  values:
-    helperImage:
-      repository: public.ecr.aws/docker/library/busybox
-      tag: latest
-    storageClass:
-      defaultClass: false
-    nodePathMap:
-      - node: DEFAULT_PATH_FOR_NON_LISTED_NODES
-        paths: ["/var/lib/rancher/k3s/storage"]
-    # Note: Do not enable Flux variable substitution on this HelmRelease
-    configmap:
-      setup: |-
-        #!/bin/sh
-        while getopts "m:s:p:" opt
-        do
-            case $opt in
-                p)
-                absolutePath=$OPTARG
-                ;;
-                s)
-                sizeInBytes=$OPTARG
-                ;;
-                m)
-                volMode=$OPTARG
-                ;;
-            esac
-        done
-        mkdir -m 0777 -p ${absolutePath}
-        chmod 701 ${absolutePath}/..
-      teardown: |-
-        #!/bin/sh
-        while getopts "m:s:p:" opt
-        do
-            case $opt in
-                p)
-                absolutePath=$OPTARG
-                ;;
-                s)
-                sizeInBytes=$OPTARG
-                ;;
-                m)
-                volMode=$OPTARG
-                ;;
-            esac
-        done
-        rm -rf ${absolutePath}

kubernetes/main/secrets/kustomization.yaml

@@ -2,5 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ./cluster-secrets.sops.yaml
-- ./orca-registry-puller.sops.yaml
 - ./cluster-settings.yaml

kubernetes/main/secrets/orca-registry-puller.sops.yaml

@@ -1,62 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-    name: orca-puller
-    namespace: default
-    annotations:
-        replicator.v1.mittwald.de/replication-allowed: "true"
-        replicator.v1.mittwald.de/replication-allowed-namespaces: '*'
-data:
-    .dockerconfigjson: ENC[AES256_GCM,data:g58h5rYAEZu2W3CYnYHgajsp7wvnFdhyRCt1qWPHbVDC+nwD1TVqTGDga1b2/RTR5tdobqZ9FdP41/1dzZeNBe2lfXOsWhQYd87EhpchFYRgsb9u7ZL32sxERhAxSg+0/AaoIYSHbuBLgRwxqnHOojS7Hcg956L+6Kgh/uiaOGsUrKRjlMAI0aN4agx+n/nU,iv:ichMs+o/3ld90VVq/UatXpAtpD6qjrEIdt0ZRwyh0Gg=,tag:lxvZy9U6sGsndz3sAy3DTQ==,type:str]
-type: kubernetes.io/dockerconfigjson
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age: []
-    lastmodified: "2023-07-22T02:12:00Z"
-    mac: ENC[AES256_GCM,data:yFHVGwFdi2n4Ju6SqqxXDxqxZaHKROIsQZtF+AtJY52f0XJif9jP2fi05dnxULnQ+wWOq4FPwVXc/9GiCiYMItecEApS0+6C7sWxKCWzYYAiFyxSajECzNtr4/XN5yoZBJCgsgFAf42jy9Nr5xLHOAVomnNfmDheS/Pe+Uq9v9E=,iv:oFKca0hHR7ERNgJqDp3pOxzQDBlTCF9Fx1yIl3HCj2o=,tag:107vU6pOFE6Na4BO5C5tiA==,type:str]
-    pgp:
-        - created_at: "2023-07-22T02:12:00Z"
-          enc: |
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMAzKleRwoSoixAQ//QEVgmHtcIVC1afYtQMgD3Kwb+n0nZid3d/enKN64D+fJ
-            bw0xXX9tjO4sy3To49k0EDETLW5paxcNApFYL+zajxNfa+EAZfdYxQqKWraQcxvL
-            /p8bNDyzYDrecWcIdcq4RqrVEA4Ga0K6MmPM0t5l+J/PgguDJWmAxEzlmTb/CdqI
-            MpUmO0RoLHb6m0vfAkEI0LT5E/37pTdqjAq4eMT9n7zxeHr3NmJBIetahENxTKDk
-            Ymw7DhBCLZBPvHyxw/kU7hS/yhJMxmLw9mjHuzWkYVYmZQDB/TwqWsL4cVLFNAVu
-            LqZBHtl2HmaeGefhDij4SfxCj3qTi1e3z1T5wch97XmFanabNizb2oezHYou4h5k
-            AVqWuxUd13am9YhmRMQ32TPPxyAWpV4W87C/XnIrMrfePH2xy54S2ISyL5lQ1I3K
-            5/a4ZMU8hBdCw7FxX6OSAXUd5cCfelJEaRopvwgXF5ZfQjARjQ7iGCedqBQbOsZM
-            vsf5WQvYxp8uivj7gKxhn+KkqJoM225OQKlSwCQ2bj20WsZ3SrjBuK41iO88urej
-            SJLAqG42e+nUjHXn/ql794kCHHG59uRES1wWLvgQ6Siu8TxJK6B+fjOrHBMOeSiD
-            oMKyqWIvziXN5KczkIpOWFCJzHb+AGTUn/a/jCLAqAxAqkWHwwbLdMiUv1053vHS
-            XgHkdbFnWqSekHCdLXu6q1lJhY+VAyzI55Ex2HvdxzBxWQKZAD4c1fFN/88j/Fb4
-            6/IVZvSU45coCyUR3O+py0s6XvBjrJL6W4haNXMl6nVcTxHgby1JTX5vickv400=
-            =cqEc
-            -----END PGP MESSAGE-----
-          fp: 2CC2B3631D5C3393901335DB68F95C5D753EE1E5
-        - created_at: "2023-07-22T02:12:00Z"
-          enc: |
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMAy5t8IMoPu4VAQ//RAyoi7oTNza3klhojjvUXum9iH3pOl1eqNu3qdJc9L4A
-            rGeo7Q9NTgywAaHQA4N0WPjJfFNkKSFLBxbtRpzlVCNrfontoGoFr5fGFWDh2Kfe
-            LydY3Zz9yUfcQYuGm8onVM6B6ImYUtM9ZPix808jxfiuz7rvqNmxqTdCa9o5oMHK
-            TqQ5u26MBR9cFf+W7bxKdDsqm4vEhxxWpEf5wgX+iZboA4O/J8LCVwrp6pb2pJ1q
-            nMA5ElKk/WZbsB6C20DYNXJRsdHjC1Huye6NDt1Em2XY9qcfWkQskVtohlYCdDCp
-            TciHgOF32rmN7h1i4j5Ae58AaSQmNRpKZFc192z8+dHdiSlzQEno6XXV11pezz/i
-            0ALvy2Q+r7xFA8xXyrOf7xOU/j9T8XCEAeidtQoZzEcINtg93tKItakzqacxRa2C
-            4Yj3Wic3LGSX13dZ5cpQNT6P3F6UMVAlVEEu1lHdsAjShbmuFWSFNXVo473O3Nwu
-            1imHmfb1xnqbiWS0tKdUX9jMQg+xYPrsAXQESq/9PmPJxl4tsGPzzCu+rMKf9pmF
-            XqGBASdcf9WaB4Hojm6+4UKb7pPDKAC2vLnOV9ilGv/0z+DwxU0x9swPkAYBm9M9
-            KkcaEh8petqyU2J8f91ESU3OafMo2h5OsJvzB2Zte2XIZIZV0h0y8mo6LKOJ1hzS
-            XgFiMVicO02DFcMkSJXA7ZVnV+1qfJl5vPW6Sa0vDikz/k8jYoRSv2skwZcpFIYf
-            Kr6LbZskq2QVBDS50HdpbOfyF+N8/mYuSfjKkuVH8oOq0KrZ38eJROiygPgpUYk=
-            =i9P2
-            -----END PGP MESSAGE-----
-          fp: 687802D4DFD8AA82EA55666CF7DADAC782D7663D
-    encrypted_regex: ^(data|stringData)$
-    version: 3.7.3

kubernetes/thin/apps/helm-repositories.yaml

@@ -0,0 +1,17 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: bitnami-charts
+  namespace: flux-system
+spec:
+  interval: 1m
+  url: https://charts.bitnami.com/bitnami
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: bjws-charts
+  namespace: flux-system
+spec:
+  interval: 1m
+  url: https://bjw-s.github.io/helm-charts

kubernetes/thin/apps/kustomization.yaml

@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./helm-repositories.yaml
+- ../../common/apps/metallb
+- ../../common/apps/traefik
+# storage
+#- ./longhorn
+#- ../../common/apps/openebs
+
+#- ./kube-replicator
+
+- ../../common/apps/nfd/ks.yaml
+- ../../common/apps/intel-gpu/ks.yaml

kubernetes/thin/flux/config/cluster.yaml

@@ -0,0 +1,62 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/gitrepository_v1.json
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+  name: home-cluster
+  namespace: flux-system
+spec:
+  interval: 1m0s
+  ref:
+    branch: feat/thin-cluster
+  secretRef:
+    name: forgejo-deploy-key
+  url: ssh://git@git.seanomik.net/seanomik/k3s-cluster
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: cluster-secrets
+  namespace: flux-system
+spec:
+  timeout: 5m
+  interval: 10m
+  path: ./kubernetes/thin/secrets
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-cluster
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: apps
+  namespace: flux-system
+spec:
+  timeout: 5m
+  interval: 10m
+  dependsOn:
+    - name: cluster-secrets
+    - name: core
+  path: ./kubernetes/thin/apps
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-cluster
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg
+  postBuild:
+    substitute: {}
+    substituteFrom:
+      - kind: ConfigMap
+        name: cluster-settings
+      - kind: Secret
+        name: cluster-secrets

kubernetes/thin/flux/config/kustomization.yaml

@@ -1,5 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- ./traefik
+  - ./cluster.yaml
-- ./metallb

kubernetes/thin/secrets/cluster-secrets.sops.yaml

@@ -0,0 +1,79 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: cluster-secrets
+    namespace: flux-system
+type: Opaque
+stringData:
+    SECRET_MY_EMAIL: ENC[AES256_GCM,data:rNyzxxuVq/1dII5m8OKexQsH,iv:+i/h+iXhBNM7qxDyK7/3pQqp8l7hXDHhnZOwyuwcC3k=,tag:RM3svsBJXpFafRzoLp2NOg==,type:str]
+    SECRET_LETSENCRYPT_EMAIL: ENC[AES256_GCM,data:uUinHshJ3aUNzJDRQNVNWwNJ,iv:s8kggffO33/E04aUdZvxmgNhoPVKh+HnjX+k0o0DTNc=,tag:qreqEiN28i26OpsagQP5hQ==,type:str]
+    SECRET_DOMAIN: ENC[AES256_GCM,data:3zCSigeMzhC4H2SDVjqV6Q==,iv:OtUj2mDzmv9afBf4NcDSwZgGdKLJY3WG8qqSbI/NNog=,tag:buWUYjBMtfAVQADN2EREvQ==,type:str]
+    SECRET_NEW_DOMAIN: ENC[AES256_GCM,data:BDuzEYN7KOlqDUbJyFwHWCQ=,iv:DHrkALxuuEiZhjdLeFArgaORR8ZlsUuW2BT/joEFQGo=,tag:u1zVa2SA4xpgjNcO9iXtiw==,type:str]
+    SECRET_AUTHENTIK_SECRET_KEY: ENC[AES256_GCM,data:A2S9VBNLw2m6IEEGunHo8T/4v0tp0RvByYc6FIJdx1Q=,iv:Mu+TbsN2Ci2/7LvKhb8XWm6SPJe5ZxS8Z8YWjLwdT1c=,tag:uoatWIMDRLT4XaP0f0kpiQ==,type:str]
+    SECRET_DATABASE_PGSQL_USER_PASS: ENC[AES256_GCM,data:A++t+kACJthb9w6yml5KJo9Eqc/wp/BFadLzwOQhkhc=,iv:7mA6zCaC360dyJkC5wybh3PnGWjr12q0R/aGKi2D5Rc=,tag:h3BVuMH8VvnSc8LEM85wlQ==,type:str]
+    SECRET_DATABASE_PGSQL_ADMIN_PASS: ENC[AES256_GCM,data:UyFKnNw20KiJZj/Y5Jba6uFhDU/N+Dijl1mJlCcBgJk=,iv:Il50aBOHREDCDYeXmZks9DVBkq1+z1ZLo2KfibbiWmk=,tag:y/DBhdWLToD30tqVGD3uRg==,type:str]
+    SECRET_DATABASE_REDIS_PASS: ENC[AES256_GCM,data:ePEMWYYpXF5lv4+RAScXxArlKXq8U21XUYsSWBf8TG0=,iv:Lr9qq1fVuyzleC3oU7izKP/YHoSrtXADl9efz3iWgEw=,tag:73XjcnTWr1wPYFEROznz+A==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2024-09-07T01:46:20Z"
+    mac: ENC[AES256_GCM,data:vdG/QHWHQge+m6YCBqtAfRsXdWvMLiZQ6DOnaxgaUNpslPvQuHml1kWBsSKrmNmB79jxqB2M6HwEY7ljOMf6ZlTeMs7mW6i0oj368IS6gQGfOHSJ4d34shyXujO9JHEnmL7O0tnOs1bp4ZHxdd/t4Wmq/ii+W/Kbta3/VLtOj/A=,iv:aB8Y4Y0t4ncViBAvH2WAAGgzbrzUSvL3/RRY+VVUKlk=,tag:0BSFABPxUxgRG1fDrDHXug==,type:str]
+    pgp:
+        - created_at: "2024-09-07T01:46:20Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAyqlIeyoxYovAQ//XsBS23tIBniGlJAVG7gBJRclDr4ecXUH3LTkVPSaQ4r6
+            gLPL19dZaYcs4hkvOOgm0u7tXXPMFHuIWvLLPKwAbZMOGcvhqgSWmVDIFRKOtAKt
+            mdNeVEWARwf2/3JsVSyh8pyxbdtC1dlY6BB8Cxd95n70ZQdrAbGewAK6sVWWAiRr
+            uSLiYO/HUdyoP38q77dwG4p8up1qchND92Ie04zowWbiquMq+V/2pgJ3dd51Z5Gn
+            oD1oNZZZeZaBJ+G3mea5QSzduE7x8R56YyGyBcDOn6gmMxJF8adDBsQfdH2bQCWQ
+            I2QstgQwXAvvwqexow8x/wEAkUXksB/dZKWOu3QhlFq7vLJ9RXGTaKCg0FCcu8/U
+            h7x4njNLA2/aidAVL4ufRohiONss2fjcDhpiJ7uyBM/horq2SmABzwoCtmRS/4du
+            oE/Ygfh+OPa6+SuQmwB+BH255HPsDNeikC/F3XJ/LXKO6460L7yQAdYnKAR3EqVL
+            KcfrVNIaFAIxLQ7SQ3DaU2ddc18pzPbBDnLwwFoO+mM2u6wwaKZkyjAK/1NlNs/O
+            WGXjPzBvpjWTQmSL4PhwGmtaolNpE9j3zpLHUs3TcKUKXyzV1f5p2pxXBBo/IYZy
+            rVkKm2zPR0rgkVjJMWiZ+uazGy3mVbsDj3y/5c+CRYTuNoHk/AuWz3x8KSEz/JCF
+            AgwDXjg0p2IN1X8BEADFHtP/WpUDejsej2gXlWYJkT6N9IiZqfMKbejk3yAQr9+L
+            9J1c5UkDT6MeQpIFs04cZMAVmQRg+Q5D9ipgp8t4PMBNCT6xuQYIvfkdoESQG4Rt
+            6FpQHkeKkooXWJJzCppexkKzXeHjfMFm7KPd0jea46uwh+Qx2MbDaoiGK+YCzb82
+            mWCpgPfguOdbLaGI2aSYiWTrmMnNZv4cthv4Z/u1ph6NB2X/SbG3ot5O569epLpq
+            Al9bVUb2ZCEfrRUmqC9eWTr3p+GFRF77u7PVBwOjYItI4Paz+M7EKUmUqvMoj4EF
+            X+I9Oaac2t9nlIMLKNtq14LkncvdW+xuy83M2dN708ceo0+HxUeHCFyqbogKG8l9
+            vQa9OFGleLyeoWlVlBqKco2cQe4xI8UkJryxsBC+36OaeqrCFAhbYpCn5QL/Ij/4
+            8ZPg1RCh9oeFvfripRpQ9G6UNtmvloK8LA/73uHnkztAYx2AFMaI6zQr75F7S8IH
+            tSGNEUA3MHOU7pIrCp9KnGjjfsChD6J9d0EoOOQfP1nDxVkXrL1afiuFtieJOiru
+            pyr1LJonGBdBxDDSrfPj6tc1moqIjgiZiDBcImEPv076Wro9EZdTi53CNj9rtEln
+            hUpFDcNMdwccumMslDl8qNdAKJgFGEORtRqFs+n7nywjAnxqd7gVGKDO4RrjsdRm
+            AQkCEFhM1Krfrf1RAJz/fnEeg21yvhg47SCgBiNGizLXgyCgK1kGuxB+SpJVMkAg
+            rdBo5t2UfXkVyJQ00K77you1N17NtPnyKr8xfItd7JRmDpJn40f9MFR2AOyVFC5B
+            lVleELeG
+            =bKFu
+            -----END PGP MESSAGE-----
+          fp: BD1AAF9D8170F4BEE437365FF6F0933799CFEBCD
+        - created_at: "2024-09-07T01:46:20Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAy5t8IMoPu4VARAAo2y6IQJlsEAswykjpfDzvQw3TCyTiZWe6duhmnDoXKjK
+            8A66oDpQcfl0ubjIj6/FJICLr2PGPb1bgKUEz+vBsp1bv+txUtLwUXJTqFKnCS1H
+            CRKfEmDSNaAtNEtpOGnCeMffB0ghLvs42mlTUUi7u240FJ6MgD7AvV4UlM5IYOLx
+            +yZyjzYzgNibyh7rOun2E/df2VhDX0Ns6n9ZPZ3TFSdqsXGJ4bqn8+0MhJYeOMNc
+            ap3dMMhUuUoH5krvocNymJ6WH8x4LwUJrlQsTdr0edA6BhNYC35a2JcAkOGblaCP
+            er845gN/iCRhl6i/XFYcz7mhMheYmiVf5TEuMvFsdjBl0yNi65wJz5EX3U01Y63+
+            G+UeWCLt9+qDnAG3CN45Hgp46xIXocBvUhqdrg4Srtd+h/12Xlg8vV0jcdezWNm5
+            pqWVeLDGjDFZNLvG/p+dWF+EDN/Zv9V3Axb1ChYeRCbue0POqr7X6OS5lWZmuUwa
+            oaiE2vYFkUCcdZtQANDDluh36Bk2pHAOELcttPa4OO4F0mCopAtg6uDp07WQUUwR
+            TkELlxQvOQYtTJZkTiiOe7ogr3jXWuz6hp80WN/ZVdh6UtO9cNem3d5+hECUA0LY
+            NuEPYAAyZxfpvRRIrkV768AS+USqA6VDjistIFc/qTG0L3WeDyP6h0plAJr9OKvU
+            ZgEJAhCQhjQZwIG7xvkuK2EzSePmMMUl+DEbq1GzgCuzh3Y+X/3pryvEjh+002pe
+            55FSHnIZn+nD8Z1jAcRI+6mEZWfNYUXecF98+JBGIe73J/xjNUSWJZpSiYLIMnR6
+            6SKCYH9ORA==
+            =jqMe
+            -----END PGP MESSAGE-----
+          fp: 687802D4DFD8AA82EA55666CF7DADAC782D7663D
+    encrypted_regex: ^(data|stringData)$
+    version: 3.9.0

kubernetes/thin/secrets/cluster-settings.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cluster-settings
+  namespace: flux-system
+data:
+  # MetalLB
+  METALLB_LB_RANGE: 192.168.1.60-192.168.1.70
+  SERVER_TIMEZONE: America/New_York

kubernetes/thin/secrets/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./cluster-secrets.sops.yaml
+- ./cluster-settings.yaml