From e644b3e4339a55dd4c04565c5c7d7b9f246eb985 Mon Sep 17 00:00:00 2001
From: Patryk Hegenberg
Date: Sun, 25 May 2025 12:39:32 +0200
Subject: [PATCH] ci: add hetzner dns api token secret (encrypted with sops)

---
 .sops.yaml | 4 +
 .../hetzner-dns-api-token-secret.yaml | 35 ++++++++
 notes/sops-and-hetzner-secret.md | 84 +++++++++++++++++++
 3 files changed, 123 insertions(+)
 create mode 100644 .sops.yaml
 create mode 100644 infrastructure/cert-manager/hetzner-dns-api-token-secret.yaml
 create mode 100644 notes/sops-and-hetzner-secret.md

diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..a306b2c
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,4 @@
+creation_rules:
+ - encrypted_regex: '^(data|stringData)$'
+ path_regex: \.yaml$
+ pgp: F20CF3DE0B4ACDFCAF07A9D76399FB237185E764
diff --git a/infrastructure/cert-manager/hetzner-dns-api-token-secret.yaml b/infrastructure/cert-manager/hetzner-dns-api-token-secret.yaml
new file mode 100644
index 0000000..e8732d5
--- /dev/null
+++ b/infrastructure/cert-manager/hetzner-dns-api-token-secret.yaml
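Review bot: The creation rule's `pgp:` line names a single recipient, so every file encrypted under it — starting with the Hetzner token in this commit — becomes unrecoverable if that one private key (the key whose secret half the notes export into the `sops-gpg` cluster Secret) is lost, corrupted or rotated, because no second key can decrypt and re-encrypt the data. Add an offline backup recipient now, before more files are encrypted, e.g. `pgp: >-` / `  F20CF3DE0B4ACDFCAF07A9D76399FB237185E764,` / `  <BACKUP-KEY-FINGERPRINT>`, and run `sops updatekeys` on the existing secret file so both keys can open it. It is also worth a one-line comment above the rule stating that `path_regex: \.yaml$` matches every manifest in the repo and only `data`/`stringData` are encrypted, so reviewers know that any other key in a Secret (labels, annotations) stays in plaintext in git.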
@@ -0,0 +1,35 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: hetzner-dns-api-token
+ namespace: cert-manager
+type: Opaque
+stringData:
+ token: ENC[AES256_GCM,data:/q+htxkBlasprvVO3GjL8EAmNGLBZcqd4k96c/eVU3Y=,iv:pOJc+J8Q0rnPprkp372CcQDQ0RO0ENKLPqmnf3KzXQk=,tag:Rw6S+CzTJ3VlOckOLZ4naA==,type:str]
+sops:
+ lastmodified: "2025-05-25T10:35:11Z"
+ mac: ENC[AES256_GCM,data:tHl5WGev15r18SbtIeyx0Xs3VgrG1OejsyxCC29CC1XabQn5Xx3E2VKsMUfpKyzQY0OIICttqRGlWRqVBCZEDZqNrohzS3gbyK9lXAbLGTsYbUTHWsjdDPzMpfa+bxmNfbrBkNjG60gMNvXygCywVi7JM2YSJVOomq1KUAhn69Y=,iv:LJqNhjtcU4f5gNUElvUrZpmwH5IwkDABC45HxOIYXDU=,tag:q/Yox5t//+yLPq7GQeUMFQ==,type:str]
+ pgp:
+ - created_at: "2025-05-25T10:35:11Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMAxd/Yh1BfDklAQ/+K+G06VtrtojKTRADKvXKKF+KI2ishkmOLnQNblMhRy10
+ cJeyfXrQ6HLaqVAh+3/2IUNb85Y/udfFHH6GuCrnib4QwJU1+u/rh1h11BDTKJMO
+ y5mkGZuu1mEp30sSSbEYlk4FMoklqsA2SPIb1ofYi5M+Iz1eMWeJyUy6mMvrClYw
+ y2EQ+9+39o4sO/KTg6RI6uF/BDgL/qo9PBg4IGXS6KQYiQdzOKslxZRXdKren5ll
+ /AA0BWj4pciytuWI3Rp2dfd4Odk+hf/fnk8vyki0snDlR0GP4hKifxseoOHnHVor
+ Rxp4bb3uUwpZ0yi3yn8/IwC797ZwcefyNTDm7UACmmUvJBYEdul5YdhFXVAtENst
+ fYIGuI2Ypkky4klu1QRkrzSwqztuIZ5O5o16rn3McPycXh9ftxELnPE0rQz+4ee3
+ bcy9FK8b9fsgc3YgqqfDYuXyoyA90pDRl+x+Ejng089pA2I1yes1pT+vMaxfFpvj
+ mulzhlTdc63xNWzqQQ9Zdk7z239pgvrtVI6bQDSDlLT8qcLAhqBf6lCcAL6tqUJy
+ wpbiTA4GfB6h26vFOvvvLNhMKn7XeAZUt2PiaZR2Nxdh8slcvVbgBiMcziEugZ2G
+ Mzq0fzD1EbJsdceTx4hgVop8q40KiFZCFnx1gRrlH8sUrF92NPa14skaAtHsHozU
+ aAEJAhCW+hNEIFREgHv2QeN/lV7qhjyDiBKWUXKbzILUutR0r5hMfmHAnyen5Ck7
+ ROGVrA4EpO9SOr8CxPp0DngmdhpwoWTSE4THENNKV/ggNTzFz6mjulUcEJMcMX5q
+ M3eLeR38qWQa
+ =ajdb
+ -----END PGP MESSAGE-----
+ fp: F20CF3DE0B4ACDFCAF07A9D76399FB237185E764
+ encrypted_regex: ^(data|stringData)$
+ version: 3.10.2
diff --git a/notes/sops-and-hetzner-secret.md b/notes/sops-and-hetzner-secret.md
new file mode 100644
index 0000000..75618e6
--- /dev/null
+++ b/notes/sops-and-hetzner-secret.md
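Review bot: Only `stringData.token` is ciphertext in this file; `metadata.name`, `namespace` and `type` stay in plaintext, and as I read sops' default behaviour the `sops.mac` line still covers those plaintext values, so a later hand edit of them (e.g. moving the Secret to another namespace) makes decryption fail instead of applying silently — worth a comment at the top, `# Edit only through `sops <this file>`; every value, encrypted or not, is covered by the MAC below`. Nothing in this commit shows the consumer of the Secret or the Flux Kustomization that decrypts it, so confirm that the Hetzner DNS-01 issuer/webhook reads the key `token` from a Secret named `hetzner-dns-api-token` in `cert-manager`, and that the Kustomization covering `infrastructure/` has `decryption.provider: sops` with `secretRef.name: sops-gpg`; without the latter the manifest either fails to apply or lands with the literal `ENC[...]` string as the API token. The token is a long-lived credential that can rewrite DNS for the zone, so document next to this file how it is rotated (issue a new token, `sops infrastructure/cert-manager/hetzner-dns-api-token-secret.yaml`, commit, revoke the old one) rather than only in the one-off setup notes.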
@@ -0,0 +1,84 @@
+# SOPS für FluxCD einrichten
+
+## SOPS & GPG installieren
+```bash
+sudo dnf install gnupg
+```
+### Download the binary
+```bash
+curl -LO https://github.com/getsops/sops/releases/download/v3.10.2/sops-v3.10.2.linux.amd64
+```
+
+### Move the binary in to your PATH
+```bash
+mv sops-v3.10.2.linux.amd64 /usr/local/bin/sops
+```
+
+### Make the binary executable
+```bash
+chmod +x /usr/local/bin/sops
+```
+
+## GPG Key generieren
+```bash
+export KEY_NAME="k3s.homelab"
+export KEY_COMMENT="flux secrets"
+gpg --batch --full-generate-key <
+```
+
+## GPG Key als Kubernetes Secret speichern
+```bash
+gpg --export-secret-keys --armor "${KEY_FP}" | \
+kubectl create secret generic sops-gpg \
+ --namespace=flux-system \
+ --from-file=sops.asc=/dev/stdin
+```
+## .sops.yaml im Repo anlegen
+```bash
+cat < .sops.yaml
+creation_rules:
+ - encrypted_regex: '^(data|stringData)$'
+ path_regex: \.yaml$
+ pgp:
+EOF
+```
+
+## Hetzner DNS API Token in Secret-Datei eintragen
+```bash
+cat < infrastructure/cert-manager/hetzner-dns-api-token-secret.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+ name: hetzner-dns-api-token
+ namespace: cert-manager
+type: Opaque
+stringData:
+ token: ""
+EOF
+```
+## Mit SOPS verschlüsseln
+```bash
+sops -e -i infrastructure/cert-manager/hetzner-dns-api-token-secret.yaml
+```
+
+## Ins Git-Repo legen und pushen
+```bash
+git add infrastructure/cert-manager/hetzner-dns-api-token-secret.yaml
+git commit -m "Add Hetzner DNS API token secret (encrypted with SOPS)"
+git push origin main
+```