From a21aa6d5735934b39f214bc389acd8549413aa0f Mon Sep 17 00:00:00 2001
From: ansible
Date: Tue, 10 Mar 2026 21:06:16 +0800
Subject: [PATCH] Update k8s manifests
---
 k8s/apps/vaultwarden/helmrelease.yaml | 13 ++++++++
 .../observability/kube-prometheus-stack.yaml | 7 ++++-
 .../sops/grafana-smtp-secret.yaml | 30 ++++++++++++++++++
 k8s/infrastructure/sops/kustomization.yaml | 3 ++
 k8s/infrastructure/sops/smtp-secret.yaml | 31 +++++++++++++++++++
 .../sops/vaultwarden-smtp-secret.yaml | 31 +++++++++++++++++++
 6 files changed, 114 insertions(+), 1 deletion(-)
 create mode 100644 k8s/infrastructure/sops/grafana-smtp-secret.yaml
 create mode 100644 k8s/infrastructure/sops/smtp-secret.yaml
 create mode 100644 k8s/infrastructure/sops/vaultwarden-smtp-secret.yaml
diff --git a/k8s/apps/vaultwarden/helmrelease.yaml b/k8s/apps/vaultwarden/helmrelease.yaml
index 7bd181c..4193b43 100644
--- a/k8s/apps/vaultwarden/helmrelease.yaml
+++ b/k8s/apps/vaultwarden/helmrelease.yaml
@@ -29,6 +29,19 @@ spec:
 signupsMatchEmail: true
 onlySSO: true
 enforceSSO: true
+ smtp:
+ existingSecret: vaultwarden-smtp-secret
+ host:
+ existingSecretKey: SMTP_HOST
+ port:
+ existingSecretKey: SMTP_PORT
+ from:
+ existingSecretKey: SMTP_FROM
+ username:
+ existingSecretKey: SMTP_USERNAME
+ password:
+ existingSecretKey: SMTP_PASSWORD
+ security: starttls
 ingress:
 enabled: true
 class: traefik
diff --git a/k8s/infrastructure/observability/kube-prometheus-stack.yaml b/k8s/infrastructure/observability/kube-prometheus-stack.yaml
index 4f11a70..1fed41e 100644
--- a/k8s/infrastructure/observability/kube-prometheus-stack.yaml
+++ b/k8s/infrastructure/observability/kube-prometheus-stack.yaml
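Review bot: `host`, `port` and `from` under `smtp:` are written as maps holding `existingSecretKey`, the same shape as `username` and `password`; the chart is not visible in this patch, so confirm it really resolves a secret key for those three fields, because a chart that expects plain strings there would render the map literally and Vaultwarden would come up with an unusable SMTP host. Host, port and sender address are not credentials, so setting them in plain text here (for example `port: 587`, a constructed value) would also let a reviewer check that the port matches `security: starttls`, which cannot be verified while the port sits in the encrypted secret. The enclosing `spec:` block starts and ends outside the hunk.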
@@ -44,10 +44,15 @@ spec:
 existingSecret: grafana-admin-secret
 userKey: admin-user
 passwordKey: admin-password
- envFromSecret: grafana-oidc-secret
+ envFromSecrets:
+ - grafana-oidc-secret
+ - grafana-smtp-secret
 grafana.ini:
 server:
 root_url: https://grafana.n0ball.tw
+ smtp:
+ enabled: true
+ from_name: Grafana Homelab
 auth:
 disable_login_form: true
 auth.generic_oauth:
diff --git a/k8s/infrastructure/sops/grafana-smtp-secret.yaml b/k8s/infrastructure/sops/grafana-smtp-secret.yaml
new file mode 100644
index 0000000..35af9b7
--- /dev/null
+++ b/k8s/infrastructure/sops/grafana-smtp-secret.yaml
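Review bot: The `envFromSecrets` items are bare strings, but, assuming this block is the Grafana chart's values (the parent key is outside the hunk), that chart expects a list of objects and reads `.name` from each entry, so the release would likely fail to template and neither the OIDC nor the SMTP secret would reach the pod. Write the items as `- name: grafana-oidc-secret` and `- name: grafana-smtp-secret`. The new `smtp:` section also leaves `startTLS_policy` unset, which Grafana treats as opportunistic STARTTLS; unless the relay in `GF_SMTP_HOST` uses implicit TLS, adding `startTLS_policy: MandatoryStartTLS` keeps the SMTP password off a connection that was never upgraded and matches the `security: starttls` chosen for Vaultwarden in this commit.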
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: grafana-smtp-secret
+ namespace: observability
+stringData:
+ GF_SMTP_HOST: ENC[AES256_GCM,data:pcMCTkBAVIOtYt4g+QwCWSwrlGov,iv:RsEI/u7pu36otzp4iylxX9kMIvvdTuZLgoLcDNeYIHk=,tag:jV8scVfJqzOiEYft8Pmy9g==,type:str]
+ GF_SMTP_USER: ENC[AES256_GCM,data:HO198RSQeA==,iv:lO4AF255RWANTBeruxnBZjjkZHrag+jK7s61Z+twq5U=,tag:u+Ng9BEwcyCInSm3FxQQfg==,type:str]
+ GF_SMTP_PASSWORD: ENC[AES256_GCM,data:KPvsEbNfH9wq6OylI+wYNw==,iv:JGe+bCmuirDK+FFitF4PSDZeZyjxXMZL3ATTXoHdVco=,tag:RedLh8ZbJcPT63vX15nxaw==,type:str]
+ GF_SMTP_FROM_ADDRESS: ENC[AES256_GCM,data:t0RUd5S1bA5fUz+zMEoyhdo=,iv:/u9Lm7NKx9Ud1uPmTaDax0I3xAK79QVwrge9nZTz2s4=,tag:fGi0ZvgBg33QvtaZ0jebaQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1y5rw08wm2s2hemapzf43c0l4xass7fhc55qh3n4cxtuxzrj8q3cqtydy7m
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5NWVBanN0dWtRdWRuWkc3
+ Y1pjV2x4aHhtUS90Syt2UDd3WVFYZnBmTzNJCkZrRU96a2RINk9hNE9QOERJcjJn
+ b0x2RWlhWVJkY3lBQ1JVYlRXeUZjd28KLS0tIEN3d1lEemZBZFlKSHQ4MTI0V1Jx
+ LzBEMVU2Y28zeG02aXZVcVZUZVdhL28KdvVWj8RUoUh/FbJ4RvEaleObickamT/4
+ gLPSSWlsTm5c8j6NJ57gqA5Wx3RP6dmWiuR4qcSC21Qmn5av2ZyEuQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2026-03-10T13:00:16Z"
+ mac: ENC[AES256_GCM,data:CpxAK7sEYaQBygYi+UMfXw6U3U2dsBg6ttJZzyqljSF5fvBKGa59zRZ9KCUfOc0dhCtDLb8ZgJMyCJB7n03knMnd8AiaByWWUhkwewHe5x6OJQbX6FcwrdW+4fyYeUCThPTgOpVmdPQNuuObtTUMLLMmKD2ImckGUbiwfrkWzYc=,iv:GIojxu2imK2dAc5PZnw+KsYW0SLrwtBP2H6cDBJuAVQ=,tag:JtqmpJQussm6gzVvBi1JTA==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.9.4
diff --git a/k8s/infrastructure/sops/kustomization.yaml b/k8s/infrastructure/sops/kustomization.yaml
index bb91e2f..9e3b4b7 100644
--- a/k8s/infrastructure/sops/kustomization.yaml
+++ b/k8s/infrastructure/sops/kustomization.yaml
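Review bot: This secret, `smtp-secret` and `vaultwarden-smtp-secret` each carry their own copy of an SMTP host, user and password, presumably for one mail account (the values are encrypted, so this is inferred from the parallel key sets). Three copies mean a rotation has to re-encrypt three files, and a single relay credential ends up readable from the `observability`, `keycloak` and `vaultwarden` namespaces. Issuing one SMTP credential per application, where the mail provider allows it, would let a credential exposed in one namespace be revoked without touching the other two. The commit message could also record which account these secrets belong to, since the files themselves cannot say.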
@@ -8,3 +8,6 @@ resources:
 - vaultwarden-db-secret.yaml
 - grafana-oidc-secret.yaml
 - vaultwarden-oidc-secret.yaml
+ - smtp-secret.yaml
+ - grafana-smtp-secret.yaml
+ - vaultwarden-smtp-secret.yaml
diff --git a/k8s/infrastructure/sops/smtp-secret.yaml b/k8s/infrastructure/sops/smtp-secret.yaml
new file mode 100644
index 0000000..070f0bb
--- /dev/null
+++ b/k8s/infrastructure/sops/smtp-secret.yaml
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: smtp-secret
+ namespace: keycloak
+stringData:
+ SMTP_HOST: ENC[AES256_GCM,data:UEwWSAWIz/naRLEiM9g8qQ==,iv:ZBSnYkYNVBFT1XoRKukyQpFMxcAG3mr3xvWo1jAD28c=,tag:KS8NKuzKTQYRwCNwDEVW9g==,type:str]
+ SMTP_PORT: ENC[AES256_GCM,data:o7gHuw==,iv:PdaGtPUTjMEpS4i/+07LueYqQnaCJrZ7TyYoRElDVp4=,tag:t4kgYepghKKG+oAXDCEecg==,type:str]
+ SMTP_USER: ENC[AES256_GCM,data:SnOdJ57L9g==,iv:cjjVQFPf7n1EBvHv25Z78RVxCZ9a2vzjUT5DCMQXfdY=,tag:u3734VYdskZhYMxOFEbkLw==,type:str]
+ SMTP_PASSWORD: ENC[AES256_GCM,data:VrGs3IT7qd50jglhbKJYiQ==,iv:gDqzuFnEkInQE4m9oJJtL68mQDVht+7S7FaOovX8zAY=,tag:1j2cVjkTcZ31zMBVPYxDaw==,type:str]
+ SMTP_FROM: ENC[AES256_GCM,data:d05nyEkSj4HzsHdxeEg4nAA=,iv:D/Ss9fWSEj404seTYLFdojRO3wHcJXk6A4d2ppDsoks=,tag:7ofdjjrV/yF9L2+GVFIjPQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1y5rw08wm2s2hemapzf43c0l4xass7fhc55qh3n4cxtuxzrj8q3cqtydy7m
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwcXBXNVR5bjRTMjAxYVAw
+ S0FuemUyb3BzN0laekNnQmEySGxvV3puKzA0CjV5Qm0zOVIxVkt2UWw4WkZWRXpI
+ dFJHYXlkZUdNQVJwOVVBa2NnTmxyOHMKLS0tIGdzRXFrUDN4TUx1ODZyTjNyVkRl
+ elBLRFZOcVZYclZHTEJDUjhOanJuL0EKrB2275gBAab0QfBmz1Pb0Om28LDP1KrX
+ tWD6cz9+Km+b51jkLYB1s2BkEozuuucK4mlNOMrg0jLstB83gZfhdA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2026-03-10T12:46:22Z"
+ mac: ENC[AES256_GCM,data:C+OfrN7tVE7NEytMSGSvO+QxgXb6yd0jPTEkN4zOMuRHkwlTCRCiYnDUMad7IM6nil/Mn4XWwefGTLjgDnkFApM186qbzpwKkJV9DHGu98ArgpND8PyLPpBGy1jDw6cP7hJH489cgWwtga6PgKACrcgGNsGPMC/Zf10tax71xqM=,iv:7v+R/xssKGJ/declxVYGzhWFKk09p9f5ZytS/Nae4pw=,tag:IZl8CWnkmecuOP7B6l6xNA==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.9.4
diff --git a/k8s/infrastructure/sops/vaultwarden-smtp-secret.yaml b/k8s/infrastructure/sops/vaultwarden-smtp-secret.yaml
new file mode 100644
index 0000000..d19e8a9
--- /dev/null
+++ b/k8s/infrastructure/sops/vaultwarden-smtp-secret.yaml
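Review bot: Nothing in this patch references `smtp-secret`, and it spells the user key `SMTP_USER` where the Vaultwarden secret uses `SMTP_USERNAME`, so whichever Keycloak manifest is meant to consume it (not part of this commit) has to match that spelling exactly. The generic name also departs from the app-prefixed names of the other resources visible in the kustomization hunk. Using `name: keycloak-smtp-secret`, with the file renamed to match, would make the owner obvious and avoid a mail credential sitting in the `keycloak` namespace under a name that does not say who uses it.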
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: vaultwarden-smtp-secret
+ namespace: vaultwarden
+stringData:
+ SMTP_HOST: ENC[AES256_GCM,data:3W0K1w+12QaeXQ3ZKmfWcA==,iv:FAuCjO8nJhcXbYFAR+9/InvYrKbip8NBwyC50obAxcM=,tag:C+3ne2+NNgPrVtjPIgM8+Q==,type:str]
+ SMTP_PORT: ENC[AES256_GCM,data:hL5OSg==,iv:1u2LYguWXOzJdIaGkDVT/SERB6Gy+elplmOeUuyFs8k=,tag:gHm4EFw1yBCOidZuBgvThQ==,type:str]
+ SMTP_USERNAME: ENC[AES256_GCM,data:ic0HgEgWpg==,iv:tbpfzmRzS1jNxEHTfK/t0s9JwUfRDHo+5AiMAUCQYQk=,tag:msollEvqME+TvWaDWccIbg==,type:str]
+ SMTP_PASSWORD: ENC[AES256_GCM,data:RqU2+cTBZVDupZ4d8FP1vw==,iv:YqaXzXeTcs+N13tfALJVUjrmVrd1SfSowpsuUSkTtJo=,tag:zFhVrGqLNimXOcDHgrCb3w==,type:str]
+ SMTP_FROM: ENC[AES256_GCM,data:xwcIFe/m1zg5EouSnmF2,iv:2CBFKRM7y47gOqZOC/yXv0GDu0kG2HH0VNMW2wvcbkk=,tag:jmzYXHt88yGn+jbUmYV1eA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1y5rw08wm2s2hemapzf43c0l4xass7fhc55qh3n4cxtuxzrj8q3cqtydy7m
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMR0hDZXgycW9rME5mWE5U
+ NlF6L2Rra2ZyWnpITktVVFFUWEpNQ0oxYkQ0ClFpalpMWFJhdVV0RktsdDdHbTRJ
+ NGxvak9tc1lMRGNiZ0dUdUpXK1Z0TmcKLS0tIGhaL1RzRE9mNGRrZ3VRaEZwY0Va
+ OG16dzRrNDRtaHZ2T0NHazhNc3ZHc3MKvj+MZS6FDRcLSxVjvMBMVf79EF4+IpEF
+ t7ABQyuPeRhpcvR0F/xD0LiIwmP9fOrXupJwWoYI9yi/U6gd+dBEQQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2026-03-10T13:00:16Z"
+ mac: ENC[AES256_GCM,data:rtvXMau47oy1q4iKL7oRRqfVN8rjAHPXpB41gxlGmCJYWvrWixwhWVUw2a9CTH+boL18KuQvWrtTAKjAmcoSiBAX28YeL/aivu1BHcniV8PRuP3aQ5iEMDv75F1h9xW3ggD3mkyV3wKGJluc/IVsrxaIokmYGxXN/AnS6bg8G18=,iv:evLmbX6w3tWpAnx/FRw8NgzLo+ZzfUGaRHtc2oq0vhc=,tag:jDGBTgHreN1krG9dJvkzdA==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.9.4