diff --git a/kubernetes/apps/default/authelia/app/config/configuration.yaml b/kubernetes/apps/default/authelia/app/config/configuration.yaml index 3eddf4460..18301f0e0 100644 --- a/kubernetes/apps/default/authelia/app/config/configuration.yaml +++ b/kubernetes/apps/default/authelia/app/config/configuration.yaml @@ -1,15 +1,15 @@ --- session: - redis: - high_availability: - sentinel_name: redis-master - nodes: - - host: redis-node-0.redis-headless.default.svc.cluster.local. - port: 26379 - - host: redis-node-1.redis-headless.default.svc.cluster.local. - port: 26379 - - host: redis-node-2.redis-headless.default.svc.cluster.local. - port: 26379 + # redis: + # high_availability: + # sentinel_name: redis-master + # nodes: + # - host: redis-node-0.redis-headless.default.svc.cluster.local. + # port: 26379 + # - host: redis-node-1.redis-headless.default.svc.cluster.local. + # port: 26379 + # - host: redis-node-2.redis-headless.default.svc.cluster.local. + # port: 26379 access_control: ## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. It is the policy applied to any diff --git a/kubernetes/apps/default/authelia/app/helmrelease.yaml b/kubernetes/apps/default/authelia/app/helmrelease.yaml index 83cb28681..8f19008b3 100644 --- a/kubernetes/apps/default/authelia/app/helmrelease.yaml +++ b/kubernetes/apps/default/authelia/app/helmrelease.yaml @@ -77,7 +77,7 @@ spec: AUTHELIA_SESSION_DOMAIN: ${SECRET_CLUSTER_DOMAIN} AUTHELIA_SESSION_NAME: authelia-home-ops AUTHELIA_SESSION_REDIS_DATABASE_INDEX: 14 - AUTHELIA_SESSION_REDIS_HOST: redis.database.svc.cluster.local. + AUTHELIA_SESSION_REDIS_HOST: redis-master.default.svc.cluster.local. AUTHELIA_SESSION_REDIS_PORT: 6379 AUTHELIA_STORAGE_POSTGRES_DATABASE: authelia AUTHELIA_STORAGE_POSTGRES_HOST: ${POSTGRES_HOST} diff --git a/kubernetes/apps/default/ghostfolio/app/helmrelease.yaml b/kubernetes/apps/default/ghostfolio/app/helmrelease.yaml index 022b333f4..0df98a2e5 100644 
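Review bot: With every child of `session:` commented out in authelia/app/config/configuration.yaml, the key appears to be left with no value (it parses as null), and the sentinel block stays behind as dead configuration. If the move to the single `redis-master` host set in helmrelease.yaml is permanent, delete the block and the empty `session:` key rather than commenting them out. If it is temporary, say so in one line, for example `# sentinel disabled: session Redis is set through AUTHELIA_SESSION_REDIS_* in helmrelease.yaml`. The file continues past this hunk.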
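Review bot: `AUTHELIA_SESSION_REDIS_HOST` now points the session store at `redis-master.default.svc.cluster.local.`, the same instance this commit gives to ghostfolio, lychee, nitter and paperless, and nothing visible authenticates those clients (nitter's context line shows `redisPassword = ""`, and the paperless URL carries no credentials). Redis database indexes such as `AUTHELIA_SESSION_REDIS_DATABASE_INDEX: 14` are not an access boundary, so any of those workloads, if compromised, could presumably read or alter Authelia session data. Consider enabling a password or per-application ACL users on the shared instance and supplying Authelia's credential from its secret, or keeping a dedicated Redis for Authelia. Whether a password is already injected through a secret outside this hunk cannot be seen from here.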
--- a/kubernetes/apps/default/ghostfolio/app/helmrelease.yaml +++ b/kubernetes/apps/default/ghostfolio/app/helmrelease.yaml @@ -43,7 +43,7 @@ spec: tag: 1.288.0 env: NODE_ENV: production - REDIS_HOST: redis-headless.default.svc.cluster.local + REDIS_HOST: redis-master.default.svc.cluster.local REDIS_PORT: 6379 envFrom: *envFrom service: diff --git a/kubernetes/apps/default/lychee/app/helmrelease.yaml b/kubernetes/apps/default/lychee/app/helmrelease.yaml index 7f3dcd0b3..e4120f397 100644 --- a/kubernetes/apps/default/lychee/app/helmrelease.yaml +++ b/kubernetes/apps/default/lychee/app/helmrelease.yaml @@ -44,7 +44,7 @@ spec: TIMEZONE: ${TIMEZONE} APP_NAME: Lychee DB_CONNECTION: pgsql - REDIS_HOST: redis.default.svc.cluster.local. + REDIS_HOST: redis-master.default.svc.cluster.local. REDIS_PORT: 6379 envFrom: - secretRef: diff --git a/kubernetes/apps/default/nitter/app/config/config.yml b/kubernetes/apps/default/nitter/app/config/config.yml index 271cacee7..4f1978701 100644 --- a/kubernetes/apps/default/nitter/app/config/config.yml +++ b/kubernetes/apps/default/nitter/app/config/config.yml @@ -10,7 +10,7 @@ hostname = "nitter.${SECRET_CLUSTER_DOMAIN}" [Cache] listMinutes = 240 # how long to cache list info (not the tweets, so keep it high) rssMinutes = 10 # how long to cache rss queries -redisHost = "redis.default.svc.cluster.local." # Change to "nitter-redis" if using docker-compose +redisHost = "redis-master.default.svc.cluster.local." # Change to "nitter-redis" if using docker-compose redisPort = 6379 redisPassword = "" redisConnections = 20 # connection pool size diff --git a/kubernetes/apps/default/paperless/app/externalsecret.yaml b/kubernetes/apps/default/paperless/app/externalsecret.yaml index eb65d6259..209ef6d80 100644 --- a/kubernetes/apps/default/paperless/app/externalsecret.yaml +++ b/kubernetes/apps/default/paperless/app/externalsecret.yaml 
@@ -16,8 +16,8 @@ spec: engineVersion: v2 data: # App - PAPERLESS_ADMIN_USER: "{{ .USERNAME }}" - PAPERLESS_ADMIN_PASSWORD: "{{ .PASSWORD }}" + PAPERLESS_ADMIN_USER: "{{ .PAPERLESS_ADMIN_USER }}" + PAPERLESS_ADMIN_PASSWORD: "{{ .PAPERLESS_ADMIN_PASSWORD }}" PAPERLESS_SECRET_KEY: "{{ .PAPERLESS_SECRET_KEY }}" PAPERLESS_DBUSER: &dbUser "{{ .POSTGRES_USER }}" PAPERLESS_DBPASS: &dbPass "{{ .POSTGRES_PASS }}" diff --git a/kubernetes/apps/default/paperless/app/helmrelease.yaml b/kubernetes/apps/default/paperless/app/helmrelease.yaml index ebc2f415e..49a3498ae 100644 --- a/kubernetes/apps/default/paperless/app/helmrelease.yaml +++ b/kubernetes/apps/default/paperless/app/helmrelease.yaml @@ -33,7 +33,7 @@ spec: imagePullPolicy: IfNotPresent envFrom: &envFrom - secretRef: - name: &secret outline-secret + name: &secret paperless-secret image: repository: ghcr.io/paperless-ngx/paperless-ngx tag: 1.16.5 @@ -48,7 +48,7 @@ spec: PAPERLESS_OCR_LANGUAGE: fra PAPERLESS_PORT: 8000 PAPERLESS_DBNAME: paperless - PAPERLESS_REDIS: redis://paperless-redis.default.svc.cluster.local:6379 + PAPERLESS_REDIS: redis://redis-master.default.svc.cluster.local:6379 PAPERLESS_TASK_WORKERS: 2 PAPERLESS_TIME_ZONE: "Europe/Paris" PAPERLESS_URL: https://paperless.${SECRET_CLUSTER_DOMAIN} diff --git a/kubernetes/apps/default/paperless/app/kustomization.yaml b/kubernetes/apps/default/paperless/app/kustomization.yaml index d54e57b8d..85e530b33 100644 --- a/kubernetes/apps/default/paperless/app/kustomization.yaml +++ b/kubernetes/apps/default/paperless/app/kustomization.yaml @@ -6,4 +6,3 @@ namespace: default resources: - ./externalsecret.yaml - ./helmrelease.yaml - - ./redis diff --git a/kubernetes/apps/default/paperless/app/redis/helmrelease.yaml b/kubernetes/apps/default/paperless/app/redis/helmrelease.yaml deleted file mode 100644 index 7802a3d47..000000000 --- a/kubernetes/apps/default/paperless/app/redis/helmrelease.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ ---- -# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helm.toolkit.fluxcd.io/helmrelease_v2beta1.json -apiVersion: helm.toolkit.fluxcd.io/v2beta1 -kind: HelmRelease -metadata: - name: &app paperless-redis - namespace: default -spec: - interval: 15m - chart: - spec: - chart: app-template - version: 1.5.1 - sourceRef: - kind: HelmRepository - name: bjw-s - namespace: flux-system - install: - createNamespace: true - remediation: - retries: 3 - upgrade: - remediation: - retries: 3 - values: - global: - nameOverride: *app - image: - repository: docker.io/library/redis - tag: 7.0.12 - service: - main: - ports: - http: - enabled: false - redis: - enabled: true - port: 6379 diff --git a/kubernetes/apps/default/paperless/app/redis/kustomization.yaml b/kubernetes/apps/default/paperless/app/redis/kustomization.yaml deleted file mode 100644 index 5b48b4e26..000000000 --- a/kubernetes/apps/default/paperless/app/redis/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -namespace: default -resources: - - ./helmrelease.yaml diff --git a/kubernetes/apps/default/pgadmin/app/backups/kustomization.yaml b/kubernetes/apps/default/pgadmin/app/backups/kustomization.yaml deleted file mode 100644 index 57bca902d..000000000 --- a/kubernetes/apps/default/pgadmin/app/backups/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./replicationsource.yaml - - ./restic.sops.yaml diff --git a/kubernetes/apps/default/pgadmin/app/backups/replicationsource.yaml b/kubernetes/apps/default/pgadmin/app/backups/replicationsource.yaml deleted file mode 100644 index fcc3ce3db..000000000 --- a/kubernetes/apps/default/pgadmin/app/backups/replicationsource.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ ---- -# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/replicationsource_v1alpha1.json -apiVersion: volsync.backube/v1alpha1 -kind: ReplicationSource -metadata: - name: pgadmin - namespace: default -spec: - sourcePVC: pgadmin-config - trigger: - schedule: "0 0 * * *" - restic: - copyMethod: Snapshot - pruneIntervalDays: 10 - repository: pgadmin-restic - cacheCapacity: 2Gi - volumeSnapshotClassName: csi-ceph-blockpool - storageClassName: rook-ceph-block - moverSecurityContext: - runAsUser: 5050 - runAsGroup: 0 - fsGroup: 0 - retain: - daily: 10 - within: 3d diff --git a/kubernetes/apps/default/pgadmin/app/backups/restic.sops.yaml b/kubernetes/apps/default/pgadmin/app/backups/restic.sops.yaml deleted file mode 100644 index d5301efe7..000000000 --- a/kubernetes/apps/default/pgadmin/app/backups/restic.sops.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: pgadmin-restic -type: Opaque -stringData: - #ENC[AES256_GCM,data:WTM0Lkqp+sxjbUgkNzAVZQnC5g==,iv:4y8R8GpLy2Ogh3Lt3v6ibVbJF7jy8K1BOGi+ONt7S5c=,tag:wRhEBfRNHp0PBvIjM60iSA==,type:comment] - RESTIC_REPOSITORY: ENC[AES256_GCM,data:qryOEQuCawQ2v33QSxpTdhcuHoGh2ruI1wvMYn/En8K3FcoZaKMv7v6oXCgNPgbWgJDTYJfYfK5v,iv:8Eh981HkHI1igvBSd5M6GFjRVYfbqU8lHnabyTOF67Y=,tag:Nqs2IAcPtperhP+t5u+cJw==,type:str] - #ENC[AES256_GCM,data:cRvGVeuDnEbJs01G+Und5ls1EgaC9Q2vj61IE/2R,iv:qSjv4bGEX9QWABhXgnCJsoj0p1kjgYaQwQX0Oyu9RHk=,tag:x8i1WXbAvdpC+Iv8pn/drw==,type:comment] - RESTIC_PASSWORD: ENC[AES256_GCM,data:6VI/lJQFZg6hu5r0SqNAKQAQGYY=,iv:UYRMnkHB4jsXcV1tyLDTAqh6dxsd18hYWsDoSpjJarA=,tag:d6hgK6LSgu7vZbLfquKcyA==,type:str] - #ENC[AES256_GCM,data:YIIHR5DwXv3YE9fFvNSAfrm47ZsshZMcY31LbaJ4gwXo0yOOHe6qDEc=,iv:axSMsvrIOkJFlErvw9fcAwLNSEWDh6mUU6dWZu6icIo=,tag:MDNlk43vcI9S4o6tMiWVmw==,type:comment] - #ENC[AES256_GCM,data:8Wspw6gPIPBsumfRS/5dlZrAQQqBJEDMgcpip4a3HCfHq8SeVDv4Gl0j3hyZqUsP5af8nN69Y/9bas7z1hnIERkrb8DqYg==,iv:WqCz9vBfg1JxUEpd97J37YztSW3HkcOHa6nIJI4VK8I=,tag:+LxnOzGidF39ojPKSOrVsg==,type:comment] - AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:I9vuuPEGS6A135zwKUNXvSIAjwk=,iv:dByy2WuuhO6OluWXYRwkdMutK33yKwOcWkR9hvY5bsg=,tag:xHU7Hbx+sxuZ9CRymA55JQ==,type:str] - AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kRdbENGS1F32JzkvktYkbfhMGBSrUpFSfyCdIpJwLOc+/2TyHAMrxA==,iv:Q+UKNT9aRo+A0KWu/FiST/4bOQKTOBJKHhpP8JXD3ao=,tag:7VE8lx2QAdNutcUj5kMNNA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RE9wTDZVRlExcnVKYjVZ - THNtblNXbGlSUitoS0FYV2k3dlg3aWZEMWxjCmZETUFGSnR0c3JZU2FHNnFneHdB - TEdlYjJTcjNsSDQ0dmgvNWlnNWo4TWMKLS0tIGR2Q25heThUUGliY0ZicDNra1FN - dGppaVJiME1FQnkzdVJOeTZMcjhYWE0KBrGQAYun1Zs3oyHWQ8iGvmF4hheP3md4 - 
3/Lc9CqEC+V1lT9On8ivEBethjt528vCyVMM5pLMRBEO6CMjlNhJ+g== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-12-28T16:07:48Z" - mac: ENC[AES256_GCM,data:IgxbLSa14K4zKdl/+xNxkubLynB2+BcAdwU9GeLby5F/hwEHlfychYYJoP+tx7tXC0xSA+m1HvA7H3LKY4pY8rpdkBBFbBrP/10rxhs3etoXkNhn+KmkMgECbiIhk8z1CWj+8H60vQJZfIogDr850Fk5cff3oOELObEHwKF1gfU=,iv:kaZ1uNoiDWrgq7IBnBhMzo8vRDTmVkMYn1CaipE7Gb0=,tag:QZzim5SMJPxonXw7X3sATQ==,type:str] - pgp: [] - encrypted_regex: ^(data|stringData)$ - version: 3.7.3 diff --git a/kubernetes/apps/default/pgadmin/app/externalsecret.yaml b/kubernetes/apps/default/pgadmin/app/externalsecret.yaml new file mode 100644 index 000000000..f0886a3e9 --- /dev/null +++ b/kubernetes/apps/default/pgadmin/app/externalsecret.yaml @@ -0,0 +1,25 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: pgadmin + namespace: default +spec: + secretStoreRef: + kind: ClusterSecretStore + name: onepassword-connect + target: + name: pgadmin-secret + creationPolicy: Owner + template: + engineVersion: v2 + data: + # App + PGADMIN_DEFAULT_EMAIL: pgadmin@xpander.eml.cc + PGADMIN_DEFAULT_PASSWORD: X9VCaWrsCr9PoF + dataFrom: + - extract: + key: cloudnative-pg + - extract: + key: pgadmin diff --git a/kubernetes/apps/default/pgadmin/app/helmrelease.yaml b/kubernetes/apps/default/pgadmin/app/helmrelease.yaml index f0f58228f..6f74580ba 100644 --- a/kubernetes/apps/default/pgadmin/app/helmrelease.yaml +++ b/kubernetes/apps/default/pgadmin/app/helmrelease.yaml @@ -34,7 +34,7 @@ spec: PGADMIN_CONFIG_ENHANCED_COOKIE_PROTECTION: "False" envFrom: - secretRef: - name: *app + name: pgadmin-secret initContainers: volume-permissions: image: dpage/pgadmin4:7.4 diff --git a/kubernetes/apps/default/pgadmin/app/kustomization.yaml b/kubernetes/apps/default/pgadmin/app/kustomization.yaml index 0753c22a3..f082c6d3b 100644 
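Review bot: `PGADMIN_DEFAULT_PASSWORD` and `PGADMIN_DEFAULT_EMAIL` are written as literals under `template.data` in pgadmin/app/externalsecret.yaml, so the admin credential that the deleted secret.sops.yaml kept encrypted is now in cleartext in the repository and its history. Reference the store instead, for example `PGADMIN_DEFAULT_PASSWORD: "{{ .PGADMIN_DEFAULT_PASSWORD }}"` (assuming the `pgadmin` item has a field of that name), the way the paperless ExternalSecret in this commit does, and rotate the password, since the committed value should be treated as exposed. The `dataFrom` entries also extract the whole `cloudnative-pg` and `pgadmin` items although the template uses neither; drop `cloudnative-pg` unless a field from it is actually needed.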
--- a/kubernetes/apps/default/pgadmin/app/kustomization.yaml +++ b/kubernetes/apps/default/pgadmin/app/kustomization.yaml @@ -4,7 +4,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namespace: default resources: - - ./backups + - ./externalsecret.yaml - ./helmrelease.yaml - - ./secret.sops.yaml + - ./volsync.yaml - ./volume.yaml diff --git a/kubernetes/apps/default/pgadmin/app/secret.sops.yaml b/kubernetes/apps/default/pgadmin/app/secret.sops.yaml deleted file mode 100644 index 864f6b9c1..000000000 --- a/kubernetes/apps/default/pgadmin/app/secret.sops.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -# yamllint disable -apiVersion: v1 -kind: Secret -metadata: - name: pgadmin - namespace: default -type: Opaque -stringData: - PGADMIN_DEFAULT_EMAIL: ENC[AES256_GCM,data:Wd9Qcm7AmuvGHWyfe277NnCDaRiKQw==,iv:rP1B90nsQs5s0OAGvTAW9X99fprpTMa9Y1COgtrcPOI=,tag:odhJmt+W6yoXfEhYPj0Rcw==,type:str] - PGADMIN_DEFAULT_PASSWORD: ENC[AES256_GCM,data:SWUqh0QUjYWjCruuZPQ=,iv:F1rwMkkHu2lgFDlUK5ZPtvY4KWh9kF8S5B0VnsiBUoE=,tag:Haa3c8UsJpQDsYG9hWWj/Q==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJaU16anJNV2pBZmxPR3h2 - bWREUnpjcTFvd05ZQ2E4VVBDdm1FL2k4WEYwCkdQSStTNWtpdjNkUW51WS9MekdC - VkpTUUFjSjY2a1JMOUtqOVh5M0JRR2sKLS0tIDRmcWpJSEVvaUp4U1lsaTZYZGNw - OGVKWU0zNUZJSFh4aFJxQWFsYm1VeFkKaDeI/hl7z0Qh8t5W39Kxu9ert1dt4xo+ - LX+MjpVqxiZNcfwROD4bkWeQSN+VsxoGOOyj4L15BlggNnlg+L7Hww== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-09-17T07:32:43Z" - mac: ENC[AES256_GCM,data:iWV6sSItfSAGEjpEytnA/33bkseU+rguCuF3OG7ZAnECFgfLOkTqu4prATJwSKnowom+BcjjqbFMNuS3dQ5l+IIrOVkftpjJEXT0L2/5iry7NBePgqraqOvxSMJ9roxk+yHI1GOWo0UEKehYhLxoCe3g32YqTB4ASflKWJU5bzU=,iv:apZ2IbkwLG4Pppu1tvlXAWmsCZLKwbgRh/QBru4kUBI=,tag:hR5dIbKT3IZcQSCOToWFsw==,type:str] - pgp: [] - encrypted_regex: ^(data|stringData)$ - version: 3.7.3 diff --git a/kubernetes/apps/default/pgadmin/app/volsync.yaml b/kubernetes/apps/default/pgadmin/app/volsync.yaml new file mode 100644 index 000000000..1ea1eb54e --- /dev/null +++ b/kubernetes/apps/default/pgadmin/app/volsync.yaml 
@@ -0,0 +1,49 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: pgadmin-restic + namespace: default +spec: + secretStoreRef: + kind: ClusterSecretStore + name: onepassword-connect + target: + name: pgadmin-restic-secret + creationPolicy: Owner + template: + engineVersion: v2 + data: + RESTIC_REPOSITORY: '{{ .REPOSITORY_TEMPLATE }}/pgadmin' + RESTIC_PASSWORD: '{{ .RESTIC_PASSWORD }}' + AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}' + AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}' + dataFrom: + - extract: + key: volsync-restic-template +--- +# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/volsync.backube/replicationsource_v1alpha1.json +apiVersion: volsync.backube/v1alpha1 +kind: ReplicationSource +metadata: + name: pgadmin + namespace: default +spec: + sourcePVC: pgadmin-config + trigger: + schedule: "0 7 * * *" + restic: + copyMethod: Snapshot + pruneIntervalDays: 7 + repository: pgadmin-restic-secret + cacheCapacity: 10Gi + volumeSnapshotClassName: csi-ceph-blockpool + storageClassName: rook-ceph-block + moverSecurityContext: + runAsUser: 568 + runAsGroup: 568 + fsGroup: 568 + retain: + daily: 7 + within: 3d diff --git a/kubernetes/apps/default/pgadmin/ks.yaml b/kubernetes/apps/default/pgadmin/ks.yaml index 0ec05d11c..5804f3832 100644 --- a/kubernetes/apps/default/pgadmin/ks.yaml +++ b/kubernetes/apps/default/pgadmin/ks.yaml @@ -15,6 +15,7 @@ spec: name: home-ops-kubernetes dependsOn: - name: cluster-apps-rook-ceph-cluster + - name: cluster-apps-external-secrets-stores - name: cluster-apps-volsync-app healthChecks: - apiVersion: helm.toolkit.fluxcd.io/v2beta1 diff --git a/kubernetes/apps/default/prowlarr/app/backups/kustomization.yaml b/kubernetes/apps/default/prowlarr/app/backups/kustomization.yaml deleted file mode 100644 index 57bca902d..000000000 
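Review bot: `moverSecurityContext` in pgadmin/app/volsync.yaml is set to `runAsUser: 568`, `runAsGroup: 568`, `fsGroup: 568`, while the ReplicationSource this file replaces ran the mover as `runAsUser: 5050` with group `0`. If the files on `pgadmin-config` are still owned by 5050, as the old values suggest, the restic mover may be unable to read them and the backup can fail or come out incomplete. Unless ownership of the volume was changed elsewhere, keep the previous identity (`runAsUser: 5050`, `runAsGroup: 0`, `fsGroup: 0`); the 568 values look copied from the prowlarr and pyload files.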
--- a/kubernetes/apps/default/prowlarr/app/backups/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./replicationsource.yaml - - ./restic.sops.yaml diff --git a/kubernetes/apps/default/prowlarr/app/backups/replicationsource.yaml b/kubernetes/apps/default/prowlarr/app/backups/replicationsource.yaml deleted file mode 100644 index d66d0840e..000000000 --- a/kubernetes/apps/default/prowlarr/app/backups/replicationsource.yaml +++ /dev/null @@ -1,25 +0,0 @@ ---- -# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/replicationsource_v1alpha1.json -apiVersion: volsync.backube/v1alpha1 -kind: ReplicationSource -metadata: - name: prowlarr - namespace: default -spec: - sourcePVC: prowlarr-config - trigger: - schedule: "0 0 * * *" - restic: - copyMethod: Snapshot - pruneIntervalDays: 10 - repository: prowlarr-restic - cacheCapacity: 2Gi - volumeSnapshotClassName: csi-ceph-blockpool - storageClassName: rook-ceph-block - moverSecurityContext: - runAsUser: 568 - runAsGroup: 568 - fsGroup: 568 - retain: - daily: 10 - within: 3d diff --git a/kubernetes/apps/default/prowlarr/app/backups/restic.sops.yaml b/kubernetes/apps/default/prowlarr/app/backups/restic.sops.yaml deleted file mode 100644 index 379c3d6dd..000000000 --- a/kubernetes/apps/default/prowlarr/app/backups/restic.sops.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: prowlarr-restic - namespace: default -type: Opaque -stringData: - #ENC[AES256_GCM,data:WTM0Lkqp+sxjbUgkNzAVZQnC5g==,iv:4y8R8GpLy2Ogh3Lt3v6ibVbJF7jy8K1BOGi+ONt7S5c=,tag:wRhEBfRNHp0PBvIjM60iSA==,type:comment] - RESTIC_REPOSITORY: ENC[AES256_GCM,data:zMuiIhvBSTPAzRgFb+vkJH9oKcqDWhm/HDmyOZw90u9Jyk/x1ECBUjYZV92L1n45FFgad+Ar5itA3A==,iv:8xMm1z4MOeShBffaX3D4/DmTkiQVUXhfJ2vtmGrN47s=,tag:1VaRnhpsc6lRVf7seUcTxQ==,type:str] - #ENC[AES256_GCM,data:cRvGVeuDnEbJs01G+Und5ls1EgaC9Q2vj61IE/2R,iv:qSjv4bGEX9QWABhXgnCJsoj0p1kjgYaQwQX0Oyu9RHk=,tag:x8i1WXbAvdpC+Iv8pn/drw==,type:comment] - RESTIC_PASSWORD: ENC[AES256_GCM,data:6VI/lJQFZg6hu5r0SqNAKQAQGYY=,iv:UYRMnkHB4jsXcV1tyLDTAqh6dxsd18hYWsDoSpjJarA=,tag:d6hgK6LSgu7vZbLfquKcyA==,type:str] - #ENC[AES256_GCM,data:YIIHR5DwXv3YE9fFvNSAfrm47ZsshZMcY31LbaJ4gwXo0yOOHe6qDEc=,iv:axSMsvrIOkJFlErvw9fcAwLNSEWDh6mUU6dWZu6icIo=,tag:MDNlk43vcI9S4o6tMiWVmw==,type:comment] - #ENC[AES256_GCM,data:8Wspw6gPIPBsumfRS/5dlZrAQQqBJEDMgcpip4a3HCfHq8SeVDv4Gl0j3hyZqUsP5af8nN69Y/9bas7z1hnIERkrb8DqYg==,iv:WqCz9vBfg1JxUEpd97J37YztSW3HkcOHa6nIJI4VK8I=,tag:+LxnOzGidF39ojPKSOrVsg==,type:comment] - AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:I9vuuPEGS6A135zwKUNXvSIAjwk=,iv:dByy2WuuhO6OluWXYRwkdMutK33yKwOcWkR9hvY5bsg=,tag:xHU7Hbx+sxuZ9CRymA55JQ==,type:str] - AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kRdbENGS1F32JzkvktYkbfhMGBSrUpFSfyCdIpJwLOc+/2TyHAMrxA==,iv:Q+UKNT9aRo+A0KWu/FiST/4bOQKTOBJKHhpP8JXD3ao=,tag:7VE8lx2QAdNutcUj5kMNNA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RE9wTDZVRlExcnVKYjVZ - THNtblNXbGlSUitoS0FYV2k3dlg3aWZEMWxjCmZETUFGSnR0c3JZU2FHNnFneHdB - TEdlYjJTcjNsSDQ0dmgvNWlnNWo4TWMKLS0tIGR2Q25heThUUGliY0ZicDNra1FN - dGppaVJiME1FQnkzdVJOeTZMcjhYWE0KBrGQAYun1Zs3oyHWQ8iGvmF4hheP3md4 - 
3/Lc9CqEC+V1lT9On8ivEBethjt528vCyVMM5pLMRBEO6CMjlNhJ+g== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-12-28T15:43:42Z" - mac: ENC[AES256_GCM,data:RJagSpJ1MfpGmDgIjMyAwinS76tekbRu1OO8AXVWjAnVkV5qYuxaXZv1q2tIkPmx6whTqaywsewEwUQuatuh6cfP0u2Owtf5iSd6kPEnRSNsHt/1Eyy/mZWrFO5F9N644u4ZGKqt3/uYofrMPlWdGb5iDSS5gCu6Pkp/PiQGpdY=,iv:d7n+V0Cc5RngOo1s8bpbHzm++2iMfWqvXma+z2DjarY=,tag:0oVwIAaapVTMn8TFlNXCvQ==,type:str] - pgp: [] - encrypted_regex: ^(data|stringData)$ - version: 3.7.3 diff --git a/kubernetes/apps/default/prowlarr/app/externalsecret.yaml b/kubernetes/apps/default/prowlarr/app/externalsecret.yaml new file mode 100644 index 000000000..287175a96 --- /dev/null +++ b/kubernetes/apps/default/prowlarr/app/externalsecret.yaml @@ -0,0 +1,18 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: prowlarr + namespace: default +spec: + secretStoreRef: + kind: ClusterSecretStore + name: onepassword-connect + target: + name: prowlarr-secret + creationPolicy: Owner + dataFrom: + - extract: + # PROWLARR__API_KEY + key: prowlarr diff --git a/kubernetes/apps/default/prowlarr/app/helmrelease.yaml b/kubernetes/apps/default/prowlarr/app/helmrelease.yaml index 689a9d646..a20956532 100644 --- a/kubernetes/apps/default/prowlarr/app/helmrelease.yaml +++ b/kubernetes/apps/default/prowlarr/app/helmrelease.yaml @@ -6,7 +6,7 @@ metadata: name: &app prowlarr namespace: default spec: - interval: 15m + interval: 30m chart: spec: chart: app-template @@ -15,7 +15,7 @@ spec: kind: HelmRepository name: bjw-s namespace: flux-system - maxHistory: 3 + maxHistory: 2 install: createNamespace: true remediation: @@ -37,7 +37,7 @@ spec: PROWLARR__LOG_LEVEL: info envFrom: - secretRef: - name: *app + name: prowlarr-secret service: main: ports: 
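Review bot: The prowlarr ExternalSecret has no `template` or `data` list, so `dataFrom.extract` copies every field of the `prowlarr` item into `prowlarr-secret`, and `envFrom` in helmrelease.yaml then exposes all of them to the container. The comment names only `PROWLARR__API_KEY`; if that is the only value needed, select it explicitly with a `data` entry whose `remoteRef` has `key: prowlarr` and `property: PROWLARR__API_KEY`. That way fields added to the item later do not reach the pod unnoticed.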
diff --git a/kubernetes/apps/default/prowlarr/app/kustomization.yaml b/kubernetes/apps/default/prowlarr/app/kustomization.yaml index 0753c22a3..f082c6d3b 100644 --- a/kubernetes/apps/default/prowlarr/app/kustomization.yaml +++ b/kubernetes/apps/default/prowlarr/app/kustomization.yaml @@ -4,7 +4,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namespace: default resources: - - ./backups + - ./externalsecret.yaml - ./helmrelease.yaml - - ./secret.sops.yaml + - ./volsync.yaml - ./volume.yaml diff --git a/kubernetes/apps/default/prowlarr/app/secret.sops.yaml b/kubernetes/apps/default/prowlarr/app/secret.sops.yaml deleted file mode 100644 index 1de455f53..000000000 --- a/kubernetes/apps/default/prowlarr/app/secret.sops.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ -# yamllint disable -apiVersion: v1 -kind: Secret -metadata: - name: prowlarr - namespace: default -type: Opaque -stringData: - PROWLARR__API_KEY: ENC[AES256_GCM,data:6/3B+g9AJAUGfsMW1AUVtqaoVf5h3QYfzT3sxSw2eNU=,iv:/Zy/DImNcALRqNpC+A1/9SzXMOQBUfMIS6AfpITluqQ=,tag:nDfX44CMACwX1DNHoGzSIQ==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJaU16anJNV2pBZmxPR3h2 - bWREUnpjcTFvd05ZQ2E4VVBDdm1FL2k4WEYwCkdQSStTNWtpdjNkUW51WS9MekdC - VkpTUUFjSjY2a1JMOUtqOVh5M0JRR2sKLS0tIDRmcWpJSEVvaUp4U1lsaTZYZGNw - OGVKWU0zNUZJSFh4aFJxQWFsYm1VeFkKaDeI/hl7z0Qh8t5W39Kxu9ert1dt4xo+ - LX+MjpVqxiZNcfwROD4bkWeQSN+VsxoGOOyj4L15BlggNnlg+L7Hww== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-12-28T15:42:44Z" - mac: ENC[AES256_GCM,data:hr3DFNBsVq0evyvpIDz9NXOqX48pLhTI+dCbJ9mIGoEeTxdNtJk1RsSrZIF6+wEZcYfryKY5Pdx8RMXyoGklCfrd5gIFmmwip+Z2IqvuXb0OsvvShtfgBzmefS+gUJmuIT0PSs6SjFxJsGUrFAd4R+KGlg4L++sW3TcZ18UEQR4=,iv:zTzHCXD+5JxQzovryzBueqgiNef/yf+Eb6pB9I7cH5I=,tag:iXneOonTSlJsDjycK6z68A==,type:str] - pgp: [] - encrypted_regex: ^(data|stringData)$ - version: 3.7.3 diff --git a/kubernetes/apps/default/prowlarr/app/volsync.yaml b/kubernetes/apps/default/prowlarr/app/volsync.yaml new file mode 100644 index 000000000..c63fa88c7 --- /dev/null +++ b/kubernetes/apps/default/prowlarr/app/volsync.yaml 
@@ -0,0 +1,49 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: prowlarr-restic + namespace: default +spec: + secretStoreRef: + kind: ClusterSecretStore + name: onepassword-connect + target: + name: prowlarr-restic-secret + creationPolicy: Owner + template: + engineVersion: v2 + data: + RESTIC_REPOSITORY: '{{ .REPOSITORY_TEMPLATE }}/prowlarr' + RESTIC_PASSWORD: '{{ .RESTIC_PASSWORD }}' + AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}' + AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}' + dataFrom: + - extract: + key: volsync-restic-template +--- +# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/volsync.backube/replicationsource_v1alpha1.json +apiVersion: volsync.backube/v1alpha1 +kind: ReplicationSource +metadata: + name: prowlarr + namespace: default +spec: + sourcePVC: prowlarr-config + trigger: + schedule: "0 7 * * *" + restic: + copyMethod: Snapshot + pruneIntervalDays: 7 + repository: prowlarr-restic-secret + cacheCapacity: 2Gi + volumeSnapshotClassName: csi-ceph-blockpool + storageClassName: rook-ceph-block + moverSecurityContext: + runAsUser: 568 + runAsGroup: 568 + fsGroup: 568 + retain: + daily: 7 + within: 3d diff --git a/kubernetes/apps/default/prowlarr/ks.yaml b/kubernetes/apps/default/prowlarr/ks.yaml index dd2943330..1af898130 100644 --- a/kubernetes/apps/default/prowlarr/ks.yaml +++ b/kubernetes/apps/default/prowlarr/ks.yaml @@ -9,6 +9,7 @@ metadata: substitution.flux.home.arpa/enabled: "true" spec: dependsOn: + - name: cluster-apps-external-secrets-stores - name: cluster-apps-rook-ceph-cluster - name: cluster-apps-volsync-app path: ./kubernetes/apps/default/prowlarr/app diff --git a/kubernetes/apps/default/pyload/app/backups/kustomization.yaml b/kubernetes/apps/default/pyload/app/backups/kustomization.yaml deleted file mode 100644 index 57bca902d..000000000 
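Review bot: `RESTIC_PASSWORD`, `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` in prowlarr/app/volsync.yaml come from the single `volsync-restic-template` item, and the pgadmin and pyload volsync.yaml files in this commit use the same item, so every application's repository shares one encryption password and one set of bucket credentials. Anyone who can read one `*-restic-secret` in the namespace can therefore presumably read, decrypt or delete the backups of the others. If that is accepted for this cluster, a short comment above `dataFrom` stating that the credentials are shared on purpose would help; otherwise scope the bucket key per application prefix.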
--- a/kubernetes/apps/default/pyload/app/backups/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./replicationsource.yaml - - ./restic.sops.yaml diff --git a/kubernetes/apps/default/pyload/app/backups/replicationsource.yaml b/kubernetes/apps/default/pyload/app/backups/replicationsource.yaml deleted file mode 100644 index 7e367691c..000000000 --- a/kubernetes/apps/default/pyload/app/backups/replicationsource.yaml +++ /dev/null @@ -1,25 +0,0 @@ ---- -# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/replicationsource_v1alpha1.json -apiVersion: volsync.backube/v1alpha1 -kind: ReplicationSource -metadata: - name: pyload - namespace: default -spec: - sourcePVC: pyload-config - trigger: - schedule: "0 0 * * *" - restic: - copyMethod: Snapshot - pruneIntervalDays: 10 - repository: pyload-restic - cacheCapacity: 2Gi - volumeSnapshotClassName: csi-ceph-blockpool - storageClassName: rook-ceph-block - moverSecurityContext: - runAsUser: 568 - runAsGroup: 568 - fsGroup: 568 - retain: - daily: 10 - within: 3d diff --git a/kubernetes/apps/default/pyload/app/backups/restic.sops.yaml b/kubernetes/apps/default/pyload/app/backups/restic.sops.yaml deleted file mode 100644 index a7d9c5209..000000000 --- a/kubernetes/apps/default/pyload/app/backups/restic.sops.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: pyload-restic - namespace: default -type: Opaque -stringData: - #ENC[AES256_GCM,data:WTM0Lkqp+sxjbUgkNzAVZQnC5g==,iv:4y8R8GpLy2Ogh3Lt3v6ibVbJF7jy8K1BOGi+ONt7S5c=,tag:wRhEBfRNHp0PBvIjM60iSA==,type:comment] - RESTIC_REPOSITORY: ENC[AES256_GCM,data:66YmP6yktbN5r4eToOnNylKG0vCriq3u7Q1q93xAPb7sp19x4CptSVGXY5DjY1/i1t9ozHC1LCE=,iv:4D7U693SKgtTpwOxgzEKmureeP+0AQUKdpycFApe4xo=,tag:ZJq5MZjqeMxA3yqftRFLlg==,type:str] - #ENC[AES256_GCM,data:cRvGVeuDnEbJs01G+Und5ls1EgaC9Q2vj61IE/2R,iv:qSjv4bGEX9QWABhXgnCJsoj0p1kjgYaQwQX0Oyu9RHk=,tag:x8i1WXbAvdpC+Iv8pn/drw==,type:comment] - RESTIC_PASSWORD: ENC[AES256_GCM,data:6VI/lJQFZg6hu5r0SqNAKQAQGYY=,iv:UYRMnkHB4jsXcV1tyLDTAqh6dxsd18hYWsDoSpjJarA=,tag:d6hgK6LSgu7vZbLfquKcyA==,type:str] - #ENC[AES256_GCM,data:YIIHR5DwXv3YE9fFvNSAfrm47ZsshZMcY31LbaJ4gwXo0yOOHe6qDEc=,iv:axSMsvrIOkJFlErvw9fcAwLNSEWDh6mUU6dWZu6icIo=,tag:MDNlk43vcI9S4o6tMiWVmw==,type:comment] - #ENC[AES256_GCM,data:8Wspw6gPIPBsumfRS/5dlZrAQQqBJEDMgcpip4a3HCfHq8SeVDv4Gl0j3hyZqUsP5af8nN69Y/9bas7z1hnIERkrb8DqYg==,iv:WqCz9vBfg1JxUEpd97J37YztSW3HkcOHa6nIJI4VK8I=,tag:+LxnOzGidF39ojPKSOrVsg==,type:comment] - AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:I9vuuPEGS6A135zwKUNXvSIAjwk=,iv:dByy2WuuhO6OluWXYRwkdMutK33yKwOcWkR9hvY5bsg=,tag:xHU7Hbx+sxuZ9CRymA55JQ==,type:str] - AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kRdbENGS1F32JzkvktYkbfhMGBSrUpFSfyCdIpJwLOc+/2TyHAMrxA==,iv:Q+UKNT9aRo+A0KWu/FiST/4bOQKTOBJKHhpP8JXD3ao=,tag:7VE8lx2QAdNutcUj5kMNNA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RE9wTDZVRlExcnVKYjVZ - THNtblNXbGlSUitoS0FYV2k3dlg3aWZEMWxjCmZETUFGSnR0c3JZU2FHNnFneHdB - TEdlYjJTcjNsSDQ0dmgvNWlnNWo4TWMKLS0tIGR2Q25heThUUGliY0ZicDNra1FN - dGppaVJiME1FQnkzdVJOeTZMcjhYWE0KBrGQAYun1Zs3oyHWQ8iGvmF4hheP3md4 - 
3/Lc9CqEC+V1lT9On8ivEBethjt528vCyVMM5pLMRBEO6CMjlNhJ+g== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-12-28T08:24:18Z" - mac: ENC[AES256_GCM,data:GbJlDb+SkHtJoVFrb/reEfI8GdRIpYSJxK5P3qZ2OAAdSqMs6P94czKPrdGVBZnOZZaZX3OUJlumbiZV4zZlnSztd04ayDEUU5pCP2r8ODMNa/fpTOnZr8a++GVgYsk84JR3R1XEWHnfCqspZENC+spSVvbIO1zu/FlLm4bj/Og=,iv:8CVcYPkssvedzgAtO/6vNspyPjBfvMnGO3n7fNhsayo=,tag:BkCiGbMys+Jfny7SC39mlg==,type:str] - pgp: [] - encrypted_regex: ^(data|stringData)$ - version: 3.7.3 diff --git a/kubernetes/apps/default/pyload/app/helmrelease.yaml b/kubernetes/apps/default/pyload/app/helmrelease.yaml index e4129eb98..aa879c398 100644 --- a/kubernetes/apps/default/pyload/app/helmrelease.yaml +++ b/kubernetes/apps/default/pyload/app/helmrelease.yaml @@ -6,7 +6,7 @@ metadata: name: &app pyload namespace: default spec: - interval: 15m + interval: 30m chart: spec: chart: app-template @@ -15,7 +15,7 @@ spec: kind: HelmRepository name: bjw-s namespace: flux-system - maxHistory: 3 + maxHistory: 2 install: createNamespace: true remediation: diff --git a/kubernetes/apps/default/pyload/app/kustomization.yaml b/kubernetes/apps/default/pyload/app/kustomization.yaml index b71b75551..39fd93644 100644 --- a/kubernetes/apps/default/pyload/app/kustomization.yaml +++ b/kubernetes/apps/default/pyload/app/kustomization.yaml @@ -4,6 +4,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namespace: default resources: - - ./backups - ./helmrelease.yaml + - ./volsync.yaml - ./volume.yaml diff --git a/kubernetes/apps/default/pyload/app/volsync.yaml b/kubernetes/apps/default/pyload/app/volsync.yaml new file mode 100644 index 000000000..1a65d1d74 --- /dev/null +++ b/kubernetes/apps/default/pyload/app/volsync.yaml 
@@ -0,0 +1,49 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: pyload-restic + namespace: default +spec: + secretStoreRef: + kind: ClusterSecretStore + name: onepassword-connect + target: + name: pyload-restic-secret + creationPolicy: Owner + template: + engineVersion: v2 + data: + RESTIC_REPOSITORY: '{{ .REPOSITORY_TEMPLATE }}/pyload' + RESTIC_PASSWORD: '{{ .RESTIC_PASSWORD }}' + AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}' + AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}' + dataFrom: + - extract: + key: volsync-restic-template +--- +# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/volsync.backube/replicationsource_v1alpha1.json +apiVersion: volsync.backube/v1alpha1 +kind: ReplicationSource +metadata: + name: pyload + namespace: default +spec: + sourcePVC: pyload-config + trigger: + schedule: "0 7 * * *" + restic: + copyMethod: Snapshot + pruneIntervalDays: 7 + repository: pyload-restic-secret + cacheCapacity: 2Gi + volumeSnapshotClassName: csi-ceph-blockpool + storageClassName: rook-ceph-block + moverSecurityContext: + runAsUser: 568 + runAsGroup: 568 + fsGroup: 568 + retain: + daily: 7 + within: 3d diff --git a/kubernetes/apps/default/pyload/ks.yaml b/kubernetes/apps/default/pyload/ks.yaml index c0ba634db..d7a47840e 100644 --- a/kubernetes/apps/default/pyload/ks.yaml +++ b/kubernetes/apps/default/pyload/ks.yaml @@ -9,6 +9,7 @@ metadata: substitution.flux.home.arpa/enabled: "true" spec: dependsOn: + - name: cluster-apps-external-secrets-stores - name: cluster-apps-rook-ceph-cluster - name: cluster-apps-volsync-app path: ./kubernetes/apps/default/pyload/app diff --git a/kubernetes/apps/default/qbittorrent/app/backups/kustomization.yaml b/kubernetes/apps/default/qbittorrent/app/backups/kustomization.yaml deleted file mode 100644 index 57bca902d..000000000 
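Review bot: The `pyload-restic` ExternalSecret takes `RESTIC_PASSWORD`, `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` from the shared `volsync-restic-template` item and varies only the repository suffix (`/pyload`). The qbittorrent and wallabag volsync.yaml files added in this commit do the same. Unless the access key is scoped per prefix on the storage side, which cannot be seen from here, each app's mover secret can read or delete the other apps' backup repositories. Per-app access keys or restic passwords would contain that. Failing that, a comment above `dataFrom` should record the scoping, for example `# shared template item: access key limited to <scope>`.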
--- a/kubernetes/apps/default/qbittorrent/app/backups/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./replicationsource.yaml - - ./restic.sops.yaml diff --git a/kubernetes/apps/default/qbittorrent/app/backups/replicationsource.yaml b/kubernetes/apps/default/qbittorrent/app/backups/replicationsource.yaml deleted file mode 100644 index b2f8b28a4..000000000 --- a/kubernetes/apps/default/qbittorrent/app/backups/replicationsource.yaml +++ /dev/null @@ -1,25 +0,0 @@ ---- -# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/replicationsource_v1alpha1.json -apiVersion: volsync.backube/v1alpha1 -kind: ReplicationSource -metadata: - name: qbittorrent - namespace: default -spec: - sourcePVC: qbittorrent-config - trigger: - schedule: "0 0 * * *" - restic: - copyMethod: Snapshot - pruneIntervalDays: 10 - repository: qbittorrent-restic - cacheCapacity: 2Gi - volumeSnapshotClassName: csi-ceph-blockpool - storageClassName: rook-ceph-block - moverSecurityContext: - runAsUser: 568 - runAsGroup: 568 - fsGroup: 568 - retain: - daily: 10 - within: 3d diff --git a/kubernetes/apps/default/qbittorrent/app/backups/restic.sops.yaml b/kubernetes/apps/default/qbittorrent/app/backups/restic.sops.yaml deleted file mode 100644 index a8751c2b4..000000000 --- a/kubernetes/apps/default/qbittorrent/app/backups/restic.sops.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: qbittorrent-restic - namespace: default -type: Opaque -stringData: - #ENC[AES256_GCM,data:WTM0Lkqp+sxjbUgkNzAVZQnC5g==,iv:4y8R8GpLy2Ogh3Lt3v6ibVbJF7jy8K1BOGi+ONt7S5c=,tag:wRhEBfRNHp0PBvIjM60iSA==,type:comment] - RESTIC_REPOSITORY: ENC[AES256_GCM,data:IjRX4eF0Dy6uP3ocLiw+LV9bdgI6L3n8T4PTdrb+74CoNRRa8IxiWuCqDje6tgPGPwbTbtalanwnWlQFfg==,iv:9V0Z70klLCtYzbiQbHqzXxxxGOLvkax4iJ2b4+xfb5A=,tag:iGwhiZQiI0EB7QQm/rvPVg==,type:str] - #ENC[AES256_GCM,data:cRvGVeuDnEbJs01G+Und5ls1EgaC9Q2vj61IE/2R,iv:qSjv4bGEX9QWABhXgnCJsoj0p1kjgYaQwQX0Oyu9RHk=,tag:x8i1WXbAvdpC+Iv8pn/drw==,type:comment] - RESTIC_PASSWORD: ENC[AES256_GCM,data:6VI/lJQFZg6hu5r0SqNAKQAQGYY=,iv:UYRMnkHB4jsXcV1tyLDTAqh6dxsd18hYWsDoSpjJarA=,tag:d6hgK6LSgu7vZbLfquKcyA==,type:str] - #ENC[AES256_GCM,data:YIIHR5DwXv3YE9fFvNSAfrm47ZsshZMcY31LbaJ4gwXo0yOOHe6qDEc=,iv:axSMsvrIOkJFlErvw9fcAwLNSEWDh6mUU6dWZu6icIo=,tag:MDNlk43vcI9S4o6tMiWVmw==,type:comment] - #ENC[AES256_GCM,data:8Wspw6gPIPBsumfRS/5dlZrAQQqBJEDMgcpip4a3HCfHq8SeVDv4Gl0j3hyZqUsP5af8nN69Y/9bas7z1hnIERkrb8DqYg==,iv:WqCz9vBfg1JxUEpd97J37YztSW3HkcOHa6nIJI4VK8I=,tag:+LxnOzGidF39ojPKSOrVsg==,type:comment] - AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:I9vuuPEGS6A135zwKUNXvSIAjwk=,iv:dByy2WuuhO6OluWXYRwkdMutK33yKwOcWkR9hvY5bsg=,tag:xHU7Hbx+sxuZ9CRymA55JQ==,type:str] - AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kRdbENGS1F32JzkvktYkbfhMGBSrUpFSfyCdIpJwLOc+/2TyHAMrxA==,iv:Q+UKNT9aRo+A0KWu/FiST/4bOQKTOBJKHhpP8JXD3ao=,tag:7VE8lx2QAdNutcUj5kMNNA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RE9wTDZVRlExcnVKYjVZ - THNtblNXbGlSUitoS0FYV2k3dlg3aWZEMWxjCmZETUFGSnR0c3JZU2FHNnFneHdB - TEdlYjJTcjNsSDQ0dmgvNWlnNWo4TWMKLS0tIGR2Q25heThUUGliY0ZicDNra1FN - dGppaVJiME1FQnkzdVJOeTZMcjhYWE0KBrGQAYun1Zs3oyHWQ8iGvmF4hheP3md4 - 
3/Lc9CqEC+V1lT9On8ivEBethjt528vCyVMM5pLMRBEO6CMjlNhJ+g== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-12-28T08:19:27Z" - mac: ENC[AES256_GCM,data:pMKVC4IP3YD6kxtLzWNh6sBDCNzDgpHSsF9Ol8G0k5cRgNptV6htHOccOtZ5/gEWbGC9P8413zVDU6dMO27ejQbrf1NdpcaW2PjYAo3qfNGSyV31EKVC72odbSNBhcNzNUm7A6pGy7WwA7H0zhvBjEw1xwT1O9WuC+YX+CqJeTg=,iv:1htxNecL/xznVUhaH3ABkqwuxRMfiRJ9RhwTFb+1Ggk=,tag:3g2C2dfmb4Jx5Sunmrdhwg==,type:str] - pgp: [] - encrypted_regex: ^(data|stringData)$ - version: 3.7.3 diff --git a/kubernetes/apps/default/qbittorrent/app/helmrelease.yaml b/kubernetes/apps/default/qbittorrent/app/helmrelease.yaml index 5611bc9e2..29acde53a 100644 --- a/kubernetes/apps/default/qbittorrent/app/helmrelease.yaml +++ b/kubernetes/apps/default/qbittorrent/app/helmrelease.yaml @@ -6,7 +6,7 @@ metadata: name: &app qbittorrent namespace: default spec: - interval: 15m + interval: 30m chart: spec: chart: app-template @@ -15,7 +15,7 @@ spec: kind: HelmRepository name: bjw-s namespace: flux-system - maxHistory: 3 + maxHistory: 2 install: createNamespace: true remediation: diff --git a/kubernetes/apps/default/qbittorrent/app/kustomization.yaml b/kubernetes/apps/default/qbittorrent/app/kustomization.yaml index 5f39f317b..3bf0e97a0 100644 --- a/kubernetes/apps/default/qbittorrent/app/kustomization.yaml +++ b/kubernetes/apps/default/qbittorrent/app/kustomization.yaml @@ -4,7 +4,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namespace: default resources: - - ./backups - ./helmrelease.yaml - ./jobs + - ./volsync.yaml - ./volume.yaml diff --git a/kubernetes/apps/default/qbittorrent/app/volsync.yaml b/kubernetes/apps/default/qbittorrent/app/volsync.yaml new file mode 100644 index 000000000..615f90bc3 --- /dev/null +++ b/kubernetes/apps/default/qbittorrent/app/volsync.yaml 
@@ -0,0 +1,49 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: qbittorrent-restic + namespace: default +spec: + secretStoreRef: + kind: ClusterSecretStore + name: onepassword-connect + target: + name: qbittorrent-restic-secret + creationPolicy: Owner + template: + engineVersion: v2 + data: + RESTIC_REPOSITORY: '{{ .REPOSITORY_TEMPLATE }}/qbittorrent' + RESTIC_PASSWORD: '{{ .RESTIC_PASSWORD }}' + AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}' + AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}' + dataFrom: + - extract: + key: volsync-restic-template +--- +# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/volsync.backube/replicationsource_v1alpha1.json +apiVersion: volsync.backube/v1alpha1 +kind: ReplicationSource +metadata: + name: qbittorrent + namespace: default +spec: + sourcePVC: qbittorrent-config + trigger: + schedule: "0 7 * * *" + restic: + copyMethod: Snapshot + pruneIntervalDays: 7 + repository: qbittorrent-restic-secret + cacheCapacity: 2Gi + volumeSnapshotClassName: csi-ceph-blockpool + storageClassName: rook-ceph-block + moverSecurityContext: + runAsUser: 568 + runAsGroup: 568 + fsGroup: 568 + retain: + daily: 7 + within: 3d diff --git a/kubernetes/apps/default/redis/app/helmrelease.yaml b/kubernetes/apps/default/redis/app/helmrelease.yaml index 0ae3c4536..65f828e5e 100644 --- a/kubernetes/apps/default/redis/app/helmrelease.yaml +++ b/kubernetes/apps/default/redis/app/helmrelease.yaml 
@@ -27,20 +27,18 @@ spec: uninstall: keepHistory: false values: - global: - # imageRegistry: public.ecr.aws - storageClass: rook-ceph-block auth: enabled: false sentinel: false - # existingSecret: *app - sentinel: - enabled: true - masterSet: redis-master - getMasterTimeout: 10 - startupProbe: - failureThreshold: 2 + master: + persistence: + enabled: false + replica: + persistence: + enabled: false + architecture: standalone metrics: enabled: true serviceMonitor: enabled: true + interval: 1m diff --git a/kubernetes/apps/default/wallabag/app/backups/kustomization.yaml b/kubernetes/apps/default/wallabag/app/backups/kustomization.yaml deleted file mode 100644 index 57bca902d..000000000 --- a/kubernetes/apps/default/wallabag/app/backups/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./replicationsource.yaml - - ./restic.sops.yaml diff --git a/kubernetes/apps/default/wallabag/app/backups/replicationsource.yaml b/kubernetes/apps/default/wallabag/app/backups/replicationsource.yaml deleted file mode 100644 index ac29b54ed..000000000 --- a/kubernetes/apps/default/wallabag/app/backups/replicationsource.yaml +++ /dev/null @@ -1,21 +0,0 @@ ---- -# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/replicationsource_v1alpha1.json -apiVersion: volsync.backube/v1alpha1 -kind: ReplicationSource -metadata: - name: wallabag - namespace: default -spec: - sourcePVC: wallabag-images - trigger: - schedule: "0 0 * * *" - restic: - copyMethod: Snapshot - pruneIntervalDays: 10 - repository: wallabag-restic - cacheCapacity: 2Gi - volumeSnapshotClassName: csi-ceph-blockpool - storageClassName: rook-ceph-block - retain: - daily: 10 - within: 3d 
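Review bot: `auth.enabled: false` is kept while this hunk turns the release into a single `architecture: standalone` instance, and other hunks in the commit point more clients at it (wallabag's `SYMFONY__ENV__REDIS_HOST` becomes `redis-master.default.svc.cluster.local.`). Any pod that can reach port 6379 can then read, overwrite or flush every app's keys. I would set `auth.enabled: true` with an `existingSecret` (the removed `# existingSecret: *app` line suggests this was planned), or restrict ingress to the known client pods with a NetworkPolicy. With `master.persistence.enabled: false`, all cached state is also lost on every restart, which is worth a one-line comment if intended. The HelmRelease starts outside the hunk.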
diff --git a/kubernetes/apps/default/wallabag/app/backups/restic.sops.yaml b/kubernetes/apps/default/wallabag/app/backups/restic.sops.yaml deleted file mode 100644 index df33dfe2f..000000000 --- a/kubernetes/apps/default/wallabag/app/backups/restic.sops.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: wallabag-restic - namespace: default -type: Opaque -stringData: - #ENC[AES256_GCM,data:WTM0Lkqp+sxjbUgkNzAVZQnC5g==,iv:4y8R8GpLy2Ogh3Lt3v6ibVbJF7jy8K1BOGi+ONt7S5c=,tag:wRhEBfRNHp0PBvIjM60iSA==,type:comment] - RESTIC_REPOSITORY: ENC[AES256_GCM,data:DmxzZkxk68HJTj0BQviWqKcwkR/QI/6clRDeyXzhs/y25kKiVUAjEOoo7pjx12lGPJLkHEehs6szag==,iv:qC2aHOajpp3bm/XDUFlt8VCx1lWWNjHoBn61y+IFVQM=,tag:BiSD1EyP/BPIXZYXkJ9+kQ==,type:str] - #ENC[AES256_GCM,data:cRvGVeuDnEbJs01G+Und5ls1EgaC9Q2vj61IE/2R,iv:qSjv4bGEX9QWABhXgnCJsoj0p1kjgYaQwQX0Oyu9RHk=,tag:x8i1WXbAvdpC+Iv8pn/drw==,type:comment] - RESTIC_PASSWORD: ENC[AES256_GCM,data:6VI/lJQFZg6hu5r0SqNAKQAQGYY=,iv:UYRMnkHB4jsXcV1tyLDTAqh6dxsd18hYWsDoSpjJarA=,tag:d6hgK6LSgu7vZbLfquKcyA==,type:str] - #ENC[AES256_GCM,data:YIIHR5DwXv3YE9fFvNSAfrm47ZsshZMcY31LbaJ4gwXo0yOOHe6qDEc=,iv:axSMsvrIOkJFlErvw9fcAwLNSEWDh6mUU6dWZu6icIo=,tag:MDNlk43vcI9S4o6tMiWVmw==,type:comment] - #ENC[AES256_GCM,data:8Wspw6gPIPBsumfRS/5dlZrAQQqBJEDMgcpip4a3HCfHq8SeVDv4Gl0j3hyZqUsP5af8nN69Y/9bas7z1hnIERkrb8DqYg==,iv:WqCz9vBfg1JxUEpd97J37YztSW3HkcOHa6nIJI4VK8I=,tag:+LxnOzGidF39ojPKSOrVsg==,type:comment] - AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:I9vuuPEGS6A135zwKUNXvSIAjwk=,iv:dByy2WuuhO6OluWXYRwkdMutK33yKwOcWkR9hvY5bsg=,tag:xHU7Hbx+sxuZ9CRymA55JQ==,type:str] - AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kRdbENGS1F32JzkvktYkbfhMGBSrUpFSfyCdIpJwLOc+/2TyHAMrxA==,iv:Q+UKNT9aRo+A0KWu/FiST/4bOQKTOBJKHhpP8JXD3ao=,tag:7VE8lx2QAdNutcUj5kMNNA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RE9wTDZVRlExcnVKYjVZ - THNtblNXbGlSUitoS0FYV2k3dlg3aWZEMWxjCmZETUFGSnR0c3JZU2FHNnFneHdB - TEdlYjJTcjNsSDQ0dmgvNWlnNWo4TWMKLS0tIGR2Q25heThUUGliY0ZicDNra1FN - dGppaVJiME1FQnkzdVJOeTZMcjhYWE0KBrGQAYun1Zs3oyHWQ8iGvmF4hheP3md4 - 
3/Lc9CqEC+V1lT9On8ivEBethjt528vCyVMM5pLMRBEO6CMjlNhJ+g== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-12-28T06:25:57Z" - mac: ENC[AES256_GCM,data:wDJZL3xNohPiuk/rwKYvRTv2CJSg5M467+Yu7Ce8qAHQakvmYd7gTuyBXQn7EMTQLhuGgISc+S0RZOVbIimNKj/Th7OPsAeBoQr/OwawpiN+UNZ/0gDn+VdsKE2ZaRY6QXpqZF1D4ZCc8DLCExbifY2T9lgQzryVoky3WRsLpl0=,iv:2mQMILQiKRIL6EPYFAH7a8RZ96+EnZL45gqjbSB40Eg=,tag:TiLoMFbodTD+8m24xwKwvA==,type:str] - pgp: [] - encrypted_regex: ^(data|stringData)$ - version: 3.7.3 diff --git a/kubernetes/apps/default/wallabag/app/externalsecret.yaml b/kubernetes/apps/default/wallabag/app/externalsecret.yaml new file mode 100644 index 000000000..87eccdfb8 --- /dev/null +++ b/kubernetes/apps/default/wallabag/app/externalsecret.yaml @@ -0,0 +1,34 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: wallabag + namespace: default +spec: + secretStoreRef: + kind: ClusterSecretStore + name: onepassword-connect + target: + name: wallabag-secret + creationPolicy: Owner + template: + engineVersion: v2 + data: + # App + SYMFONY__ENV__DATABASE_USER: &dbUser "{{ .POSTGRES_USER }}" + SYMFONY__ENV__DATABASE_PASSWORD: &dbPass "{{ .POSTGRES_PASS }}" + SYMFONY__ENV__DATABASE_HOST: &dbHost postgres-rw.default.svc.cluster.local + SYMFONY__ENV__DATABASE_PORT: "5432" + SYMFONY__ENV__DATABASE_NAME: &dbName wallabag + # Postgres Init + INIT_POSTGRES_DBNAME: *dbName + INIT_POSTGRES_HOST: *dbHost + INIT_POSTGRES_USER: *dbUser + INIT_POSTGRES_PASS: *dbPass + INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" + dataFrom: + - extract: + key: cloudnative-pg + - extract: + key: wallabag diff --git a/kubernetes/apps/default/wallabag/app/helmrelease.yaml b/kubernetes/apps/default/wallabag/app/helmrelease.yaml index 1ca7da92a..cef880eca 100644 --- a/kubernetes/apps/default/wallabag/app/helmrelease.yaml 
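Review bot: `INIT_POSTGRES_SUPER_PASS` is templated into the same target, `wallabag-secret`, as the application's own database settings. The helmrelease.yaml change in this commit loads that secret with `envFrom` into both the `01-init-db` init container and the main wallabag container. The Postgres superuser password therefore sits in the environment of the long-running web application, although only the init step needs it. I would move the `INIT_POSTGRES_*` keys into a second ExternalSecret with its own target, referenced only from the init container, leaving `wallabag-secret` with the `SYMFONY__ENV__*` keys. Whether the superuser credential in the `cloudnative-pg` item also covers other databases cannot be seen from here.

```yaml
# … unchanged: ExternalSecret "wallabag", minus the "# Postgres Init" keys …
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: wallabag-init  # constructed name
  namespace: default
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: wallabag-init-secret  # constructed name; reference only from 01-init-db
    creationPolicy: Owner
    template:
      engineVersion: v2
      data:
        INIT_POSTGRES_DBNAME: wallabag
        INIT_POSTGRES_HOST: postgres-rw.default.svc.cluster.local
        INIT_POSTGRES_USER: "{{ .POSTGRES_USER }}"
        INIT_POSTGRES_PASS: "{{ .POSTGRES_PASS }}"
        INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
  dataFrom:
    - extract:
        key: cloudnative-pg
    - extract:
        key: wallabag
```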
+++ b/kubernetes/apps/default/wallabag/app/helmrelease.yaml @@ -6,7 +6,7 @@ metadata: name: &app wallabag namespace: default spec: - interval: 15m + interval: 30m chart: spec: chart: app-template @@ -15,7 +15,7 @@ spec: kind: HelmRepository name: bjw-s namespace: flux-system - maxHistory: 3 + maxHistory: 2 install: createNamespace: true remediation: @@ -28,14 +28,29 @@ spec: keepHistory: false values: controller: - replicas: 1 - strategy: Recreate + annotations: + reloader.stakater.com/auto: "true" + initContainers: + 01-init-db: + image: ghcr.io/onedr0p/postgres-init:14.8 + imagePullPolicy: IfNotPresent + envFrom: &envFrom + - secretRef: + name: wallabag-secret image: repository: wallabag/wallabag tag: 2.5.4 - envFrom: + envFrom: &envFrom - secretRef: - name: *app + name: wallabag-secret + env: + SYMFONY__ENV__DATABASE_DRIVER: pdo_pgsql + SYMFONY__ENV__REDIS_HOST: redis-master.default.svc.cluster.local. + SYMFONY__ENV__DOMAIN_NAME: https://wallabag.${SECRET_CLUSTER_DOMAIN} + SYMFONY__ENV__SERVER_NAME: Wallabag + SYMFONY__ENV__FOSUSER_REGISTRATION: "false" + SYMFONY__ENV__FOSUSER_CONFIRMATION: "false" + POPULATE_DATABASE: "false" enableServiceLinks: false service: main: @@ -63,8 +78,6 @@ spec: images: enabled: true existingClaim: wallabag-images - podAnnotations: - secret.reloader.stakater.com/reload: *app resources: requests: cpu: 100m diff --git a/kubernetes/apps/default/wallabag/app/kustomization.yaml b/kubernetes/apps/default/wallabag/app/kustomization.yaml index a8f3e2fe2..f082c6d3b 100644 --- a/kubernetes/apps/default/wallabag/app/kustomization.yaml +++ b/kubernetes/apps/default/wallabag/app/kustomization.yaml @@ -4,10 +4,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namespace: default resources: - - ./backups + - ./externalsecret.yaml - ./helmrelease.yaml - - ./secret.sops.yaml + - ./volsync.yaml - ./volume.yaml -patchesStrategicMerge: - - ./patches/env.yaml - - ./patches/postgres.yaml 
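Review bot: The anchor `&envFrom` is defined twice in the `values` hunk, once under the `01-init-db` init container and again on the main container's `envFrom`. A redefined YAML anchor silently shadows the earlier one, and no alias to either is visible in the hunk. The second occurrence should be the alias, `envFrom: *envFrom`, or both anchors should be dropped if the two containers are meant to diverge. As written, both containers receive all of `wallabag-secret`, so any key added to that secret for the init step is also exposed to the web application. The `values` block continues outside the hunk.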
diff --git a/kubernetes/apps/default/wallabag/app/patches/env.yaml b/kubernetes/apps/default/wallabag/app/patches/env.yaml deleted file mode 100644 index ed9dde24d..000000000 --- a/kubernetes/apps/default/wallabag/app/patches/env.yaml +++ /dev/null @@ -1,20 +0,0 @@ ---- -# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helm.toolkit.fluxcd.io/helmrelease_v2beta1.json -apiVersion: helm.toolkit.fluxcd.io/v2beta1 -kind: HelmRelease -metadata: - name: wallabag - namespace: default -spec: - values: - env: - SYMFONY__ENV__DATABASE_DRIVER: pdo_pgsql - SYMFONY__ENV__DATABASE_HOST: ${POSTGRES_HOST} - SYMFONY__ENV__DATABASE_PORT: ${POSTGRES_PORT} - SYMFONY__ENV__DATABASE_NAME: wallabag - SYMFONY__ENV__REDIS_HOST: redis.default.svc.cluster.local. - SYMFONY__ENV__DOMAIN_NAME: https://wallabag.${SECRET_CLUSTER_DOMAIN} - SYMFONY__ENV__SERVER_NAME: Wallabag - SYMFONY__ENV__FOSUSER_REGISTRATION: "false" - SYMFONY__ENV__FOSUSER_CONFIRMATION: "false" - POPULATE_DATABASE: "false" diff --git a/kubernetes/apps/default/wallabag/app/patches/postgres.yaml b/kubernetes/apps/default/wallabag/app/patches/postgres.yaml deleted file mode 100644 index f3d3d6e0d..000000000 --- a/kubernetes/apps/default/wallabag/app/patches/postgres.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ ---- -# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helm.toolkit.fluxcd.io/helmrelease_v2beta1.json -apiVersion: helm.toolkit.fluxcd.io/v2beta1 -kind: HelmRelease -metadata: - name: wallabag - namespace: default -spec: - values: - initContainers: - init-db: - image: ghcr.io/onedr0p/postgres-initdb:14.8 - env: - - name: POSTGRES_HOST - value: ${POSTGRES_HOST} - - name: POSTGRES_DB - value: wallabag - - name: POSTGRES_SUPER_PASS - valueFrom: - secretKeyRef: - name: postgres-superuser - key: password - - name: POSTGRES_USER - valueFrom: - secretKeyRef: - name: wallabag - key: SYMFONY__ENV__DATABASE_USER - - name: POSTGRES_PASS - valueFrom: - secretKeyRef: - name: wallabag - key: SYMFONY__ENV__DATABASE_PASSWORD diff --git a/kubernetes/apps/default/wallabag/app/secret.sops.yaml b/kubernetes/apps/default/wallabag/app/secret.sops.yaml deleted file mode 100644 index 2825eaf27..000000000 --- a/kubernetes/apps/default/wallabag/app/secret.sops.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -# yamllint disable -apiVersion: v1 -kind: Secret -metadata: - name: wallabag - namespace: default -type: Opaque -stringData: - SYMFONY__ENV__DATABASE_USER: ENC[AES256_GCM,data:h8pfT3ZnClc=,iv:2zW23/OmEWJJIf1NFJKqnVBenNsB+NA4qchYNLzuiJ4=,tag:JCl+8+z2tCByWzEomYsiCQ==,type:str] - SYMFONY__ENV__DATABASE_PASSWORD: ENC[AES256_GCM,data:1fIzVV2zPYBs/NUimG8=,iv:4LiY6LJtmV7UHlvw+GQn0HmISm3WL11y382gkPl+aCQ=,tag:CCL/dmqz2JolNe7H8ybDVg==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4TWU5YTlFY3FPQWhnZ2I2 - akxnZ2xIRVNFZTdOWmg0dFhxTUNoZEFIM1cwCit5WnduNlQ1MkF2aytCVldMeVlC - Yk5QNWRQRllOT3ZTL3VGcjJNK1VqeUkKLS0tIFMyWHNFd29nc2tMektxclJkK0pT - Ny9OQ0l4ZXMrdW40NmRsbzgvZ0w5V3cKqTGvN5zk2TPgtxoVfwI7Wsz4N+lC9+Kq - DCXTgTU/QXm9dvo4ErPPzeWFqdk4JchExhvSJV2JfM32O+3z+EGhNg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-09-16T09:15:34Z" - mac: ENC[AES256_GCM,data:RQzfap7GaeaS0dnZs0wdzPsNT4T1Wsz0ovSO1d766U/w9FlfU2nLfmVCHjKdmhCDq99gxazA5mKzaE1sUPtRrtO1td80G4KTe7jm8DDOLMQOQXgo+QN+W6hJ398uCfkrobtaQFE3YCa9sGyON5Rq2jubQ3+WyvZv/gV1oIvCVAU=,iv:o/wxk2bB97j9wcKqM3/T4kCYWrrKSGlIqgFhvTo9H9E=,tag:0VKKqxudYaNBDjGUm9O/ww==,type:str] - pgp: [] - encrypted_regex: ^(data|stringData)$ - version: 3.7.3 diff --git a/kubernetes/apps/default/wallabag/app/volsync.yaml b/kubernetes/apps/default/wallabag/app/volsync.yaml new file mode 100644 index 000000000..77cb9a7bd --- /dev/null +++ b/kubernetes/apps/default/wallabag/app/volsync.yaml 
@@ -0,0 +1,45 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: wallabag-restic + namespace: default +spec: + secretStoreRef: + kind: ClusterSecretStore + name: onepassword-connect + target: + name: wallabag-restic-secret + creationPolicy: Owner + template: + engineVersion: v2 + data: + RESTIC_REPOSITORY: '{{ .REPOSITORY_TEMPLATE }}/wallabag' + RESTIC_PASSWORD: '{{ .RESTIC_PASSWORD }}' + AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}' + AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}' + dataFrom: + - extract: + key: volsync-restic-template +--- +# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/volsync.backube/replicationsource_v1alpha1.json +apiVersion: volsync.backube/v1alpha1 +kind: ReplicationSource +metadata: + name: wallabag + namespace: default +spec: + sourcePVC: wallabag-images + trigger: + schedule: "0 7 * * *" + restic: + copyMethod: Snapshot + pruneIntervalDays: 7 + repository: wallabag-restic-secret + cacheCapacity: 10Gi + volumeSnapshotClassName: csi-ceph-blockpool + storageClassName: rook-ceph-block + retain: + daily: 7 + within: 3d diff --git a/kubernetes/apps/default/wallabag/ks.yaml b/kubernetes/apps/default/wallabag/ks.yaml index 5284a5e0e..3aa615e59 100644 --- a/kubernetes/apps/default/wallabag/ks.yaml +++ b/kubernetes/apps/default/wallabag/ks.yaml @@ -15,6 +15,7 @@ spec: name: home-ops-kubernetes dependsOn: - name: cluster-apps-cloudnative-pg-cluster + - name: cluster-apps-external-secrets-stores - name: cluster-apps-rook-ceph-cluster - name: cluster-apps-volsync-app healthChecks:
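Review bot: The `restic` block of the wallabag ReplicationSource has no `moverSecurityContext`, while the pyload and qbittorrent ReplicationSources added in this commit set `runAsUser`, `runAsGroup` and `fsGroup` to 568. Without it the mover pod runs with whatever identity the cluster defaults give it, which is not pinned in the manifest and may not match the owner of the files on `wallabag-images`. If the omission is deliberate, record it with a comment such as `# moverSecurityContext omitted on purpose: <reason>`. Otherwise add the same three-key block the sibling files use, with the UID and GID that own the volume's files.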