Basically this is what this website is sitting on.
.forgejo/workflows (fix): Helm not found error 2026-06-28 14:11:50 +02:00
adrs (adr): One postgresql instance vs several #22 2026-06-15 12:17:43 +02:00
apps (fix): Include secrets in penpot #24 2026-06-24 21:56:54 +02:00
charts (fix): Broken secret handling in wikijs #11 2026-06-29 15:23:25 +02:00
.gitignore (fix): Sops encryption not working 2026-02-24 12:27:10 +01:00
.sops.yaml (chore): Phase out the secrets 2026-02-26 14:47:18 +01:00
README.md (feat): Add README.md #2 2026-06-26 11:02:04 +02:00
renovate.json (feat): Add Renovate #28 2026-06-26 10:49:38 +02:00

GitOps source of truth for my own self-hosted Kubernetes cluster, deployed and reconciled by ArgoCD.

How it works

  • apps/ — one ArgoCD Application manifest per workload. Most point at a local chart (path: charts/<name>, targetRevision: HEAD); a few (e.g. ingress-nginx) reference an upstream chart directly.
  • charts/ — thin local Helm charts, one per app. Each wraps a single upstream chart as a dependencies: entry in its Chart.yaml, pinned to a specific version, with cluster-specific config in values.yaml.
  • secrets.yaml files alongside values.yaml hold credentials, encrypted with SOPS using an age key (see .sops.yaml). ArgoCD decrypts them in-cluster via argocd-helm-secrets.
  • adrs/ — architecture decision records for non-obvious infra calls.

Setting up from scratch

  1. Bootstrap ArgoCD itself, including the SOPS-aware repo-server image — see charts/argocd/Chart.yaml (a Rancher HelmChart resource if using k3s, otherwise install argo-cd via the equivalent values).

  2. Generate an age key and give it to ArgoCD, so it can decrypt secrets.yaml files:

    age-keygen -o age.key
    kubectl -n argocd create secret generic sops-age --from-file=age.key
    

    Mount it into argocd-repo-server (volume + SOPS_AGE_KEY_FILE env var — already wired up if you used the argocd chart above).

  3. Add the public half of that key to .sops.yaml so future secrets are encrypted for it.

  4. Apply the Application manifests:

    kubectl apply -f apps/ -R
    

    ArgoCD takes over from here — each Application syncs its chart automatically.

Adding a new app

  1. Create charts/<name>/ with a Chart.yaml (upstream chart as a dependency) and values.yaml.
  2. Encrypt any secrets into charts/<name>/secrets.yaml with sops -e.
  3. Add an Application manifest under apps/.
  4. Commit — ArgoCD does the rest.
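
A guard for the layout described above, suited to a CI job on a clean checkout: it reports any charts/<name>/secrets.yaml that is not SOPS-encrypted and any file that contains an age private key. This is an added example, not part of the repository; check_secrets, make_sample and the chart names app-a and app-b are hypothetical.

```shell
#!/bin/sh
# Added example, not from the repository. Assumptions: a SOPS-encrypted YAML file
# has a top-level "sops:" block and ENC[AES256_GCM,...] values, and an age
# private key starts with AGE-SECRET-KEY-1 followed by uppercase Bech32 text.

# check_secrets ROOT: audit a clean checkout at ROOT. Prints one line per
# finding and returns 1 if there was any, 0 otherwise.
check_secrets() (
    cd "$1" || exit 2
    bad=0
    for f in charts/*/secrets.yaml; do
        [ -f "$f" ] || continue
        if ! grep -q '^sops:' "$f" || ! grep -q 'ENC\[AES256_GCM,' "$f"; then
            echo "PLAINTEXT $f"
            bad=1
        fi
    done
    # The age private key must stay out of the repo. The pattern is written so
    # that it does not match this script's own source.
    leaks=$(find . -type f ! -path './.git/*' \
        -exec grep -l 'AGE-SECRET-KEY-1[A-Z0-9]' {} + || true)
    if [ -n "$leaks" ]; then
        echo "$leaks" | sed 's|^\./|PRIVATE-KEY |'
        bad=1
    fi
    exit "$bad"
)

# make_sample: build a constructed repo tree (every value is fake) and print
# its path. app-a and app-b are hypothetical chart names.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/charts/app-a" "$d/charts/app-b"
    printf '%s\n' 'db:' \
        '  password: ENC[AES256_GCM,data:Zm9v,iv:YmFy,tag:YmF6,type:str]' \
        'sops:' '  version: 0.0.0' > "$d/charts/app-a/secrets.yaml"
    printf '%s\n' 'db:' '  password: not-encrypted' > "$d/charts/app-b/secrets.yaml"
    printf 'AGE-SECRET-KEY-%s\n' 1CONSTRUCTEDNOTAREALKEY > "$d/age.key"
    echo "$d"
}
```

Because it walks the working tree, a local run also reports an age.key that sits in the checkout even when that file is untracked.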