♻️ homelab

2025-09-17 18:24:14 +02:00 · 2023-11-12 20:45:54 +01:00
parent 886760adb7
commit 4ab17e0913
28 changed files with 183 additions and 98 deletions
--- a/kubernetes/apps/default/homelab/opnsense/backup/helmrelease.yaml
+++ b/kubernetes/apps/default/homelab/opnsense/backup/helmrelease.yaml
@@ -0,0 +1,60 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta1.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: homelab-opnsense-backup
+  namespace: default
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: app-template
+      version: 2.2.0
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: flux-system
+  maxHistory: 2
+  install:
+    createNamespace: true
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      retries: 3
+  uninstall:
+    keepHistory: false
+  values:
+    controllers:
+      main:
+        type: cronjob
+        cronjob:
+          concurrencyPolicy: Forbid
+          schedule: "@daily"
+        containers:
+          main:
+            image:
+              repository: ghcr.io/auricom/kubectl
+              tag: 1.28.3@sha256:536e3a2a8222d56637208c207a5b77a7d656175a29b899383d5a1bb1d1e48438
+            command: ["/bin/bash", "/app/opnsense-backup.sh"]
+            env:
+              OPNSENSE_URL: "https://opnsense.${SECRET_DOMAIN}"
+              S3_URL: "https://truenas.${SECRET_DOMAIN}:51515"
+            envFrom:
+              - secretRef:
+                  name: homelab-opnsense-secret
+    service:
+      main:
+        enabled: false
+    persistence:
+      config:
+        enabled: true
+        type: configMap
+        name: homelab-opnsense-backup-configmap
+        defaultMode: 0775
+        globalMounts:
+          - path: /app/opnsense-backup.sh
+            subPath: opnsense-backup.sh
+            readOnly: true
--- a/kubernetes/apps/default/homelab/opnsense/backup/kustomization.yaml
+++ b/kubernetes/apps/default/homelab/opnsense/backup/kustomization.yaml
@@ -0,0 +1,15 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: default
+resources:
+  - ./helmrelease.yaml
+configMapGenerator:
+  - name: homelab-opnsense-backup-configmap
+    files:
+      - ./opnsense-backup.sh
+generatorOptions:
+  disableNameSuffixHash: true
+  annotations:
+    kustomize.toolkit.fluxcd.io/substitute: disabled
--- a/kubernetes/apps/default/homelab/opnsense/backup/opnsense-backup.sh
+++ b/kubernetes/apps/default/homelab/opnsense/backup/opnsense-backup.sh
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+
+set -o nounset
+set -o errexit
+
+config_filename="$(date "+%Y%m%d-%H%M%S").xml"
+
+http_host=${S3_URL#*//}
+http_host=${http_host%:*}
+http_request_date=$(date -R)
+http_filepath="opnsense/${config_filename}"
+http_signature=$(
+    printf "PUT\n\ntext/xml\n%s\n/%s" "${http_request_date}" "${http_filepath}" \
+        | openssl sha1 -hmac "${AWS_SECRET_ACCESS_KEY}" -binary \
+        | base64
+)
+
+echo "Download Opnsense config file ..."
+curl -fsSL \
+    --user "${OPNSENSE_KEY}:${OPNSENSE_SECRET}" \
+    --output "/tmp/${config_filename}" \
+    "${OPNSENSE_URL}/api/backup/backup/download"
+
+echo "Upload backup to s3 bucket ..."
+curl -fsSL \
+    -X PUT -T "/tmp/${config_filename}" \
+    -H "Host: ${http_host}" \
+    -H "Date: ${http_request_date}" \
+    -H "Content-Type: text/xml" \
+    -H "Authorization: AWS ${AWS_ACCESS_KEY_ID}:${http_signature}" \
+    "${S3_URL}/${http_filepath}"
--- a/kubernetes/apps/default/homelab/opnsense/backup/readme.md
+++ b/kubernetes/apps/default/homelab/opnsense/backup/readme.md
@@ -0,0 +1,71 @@
+# Opnsense
+
+## S3 Configuration
+
+1. Create `~/.mc/config.json`
+
+   ```json
+   {
+     "version": "10",
+     "aliases": {
+       "minio": {
+         "url": "https://s3.<domain>",
+         "accessKey": "<access-key>",
+         "secretKey": "<secret-key>",
+         "api": "S3v4",
+         "path": "auto"
+       }
+     }
+   }
+   ```
+
+2. Create the opnsense user and password
+
+   ```sh
+   mc admin user add minio opnsense <super-secret-password>
+   ```
+
+3. Create the opnsense bucket
+
+   ```sh
+   mc mb minio/opnsense
+   ```
+
+4. Create `opnsense-user-policy.json`
+
+   ```json
+   {
+     "Version": "2012-10-17",
+     "Statement": [
+       {
+         "Action": [
+           "s3:ListBucket",
+           "s3:PutObject",
+           "s3:GetObject",
+           "s3:DeleteObject"
+         ],
+         "Effect": "Allow",
+         "Resource": ["arn:aws:s3:::opnsense/*", "arn:aws:s3:::opnsense"],
+         "Sid": ""
+       }
+     ]
+   }
+   ```
+
+5. Apply the bucket policies
+
+    ```sh
+    mc admin policy add minio opnsense-private opnsense-user-policy.json
+    ```
+
+6. Associate private policy with the user
+
+    ```sh
+    mc admin policy set minio opnsense-private user=opnsense
+    ```
+
+7. Create a retention policy
+
+    ```sh
+    mc ilm add minio/opnsense --expire-days "90"
+    ```