diff --git a/.github/lint/.yamllint.yaml b/.github/lint/.yamllint.yaml
index dc20d1c5d..18dbe5635 100644
--- a/.github/lint/.yamllint.yaml
+++ b/.github/lint/.yamllint.yaml
@@ -4,6 +4,7 @@ ignore: |
 .vscode/
 *.sops.*
 ansible/roles/xanmanning.k3s/
+ cluster/base-custom/secrets
 gotk-components.yaml
 extends: default
 rules:
diff --git a/cluster/apps/data/bookstack/export-job.yaml b/cluster/apps/data/bookstack/export-job.yaml
new file mode 100644
index 000000000..00c1b1283
--- /dev/null
+++ b/cluster/apps/data/bookstack/export-job.yaml
@@ -0,0 +1,66 @@
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: bookstack-books-export
+ namespace: data
+spec:
+ schedule: "@daily"
+ jobTemplate:
+ spec:
+ template:
+ metadata:
+ name: bookstack-books-export
+ spec:
+ serviceAccountName: jobs
+ imagePullSecrets:
+ - name: regcred
+ containers:
+ - name: gitea-repositories-backup
+ image: registry.${SECRET_CLUSTER_DOMAIN}/homelab/home-cluster-jobs:1.1.0
+ imagePullPolicy: IfNotPresent
+ command:
+ - "bin/sh"
+ - "-ec"
+ - |
+ #!/bin/bash
+
+ set -o nounset
+ set -o errexit
+
+ mkdir -p ~/.ssh
+ cp /opt/id_rsa ~/.ssh/id_rsa
+ chmod 600 ~/.ssh/id_rsa
+
+ ssh -o StrictHostKeyChecking=no homelab@${LOCAL_LAN_TRUENAS} << 'EOF'
+
+ set -x
+
+ WORK_DIR="/mnt/storage/backups/bookstack"
+
+ SHELVES=$(curl --silent --location --request GET "https://bookstack.${SECRET_CLUSTER_DOMAIN}/api/shelves" --header "Authorization: Token ${SECRET_BOOKSTACK_TOKEN_ID}:${SECRET_BOOKSTACK_TOKEN_SECRET}" | jq --raw-output .data[].id)
+
+ for shelf in $SHELVES
+ do
+ shelf_slug=$(curl --silent --location --request GET "https://bookstack.${SECRET_CLUSTER_DOMAIN}/api/shelves/$shelf" --header "Authorization: Token ${SECRET_BOOKSTACK_TOKEN_ID}:${SECRET_BOOKSTACK_TOKEN_SECRET}" | jq --raw-output .slug)
+ mkdir -p $WORK_DIR/$shelf_slug
+ BOOKS=$(curl --silent --location --request GET "https://bookstack.${SECRET_CLUSTER_DOMAIN}/api/shelves/$shelf" --header "Authorization: Token ${SECRET_BOOKSTACK_TOKEN_ID}:${SECRET_BOOKSTACK_TOKEN_SECRET}" | jq --raw-output .books[].id)
+ for book in $BOOKS
+ do
+ book_slug=$(curl --silent --location --request GET "https://bookstack.${SECRET_CLUSTER_DOMAIN}/api/books/$book" --header "Authorization: Token ${SECRET_BOOKSTACK_TOKEN_ID}:${SECRET_BOOKSTACK_TOKEN_SECRET}" | jq --raw-output .slug)
+ echo "INFO: export book $book_slug..."
+ curl --silent --location --request GET "https://bookstack.${SECRET_CLUSTER_DOMAIN}/api/books/$book/export/html" --header "Authorization: Token ${SECRET_BOOKSTACK_TOKEN_ID}:${SECRET_BOOKSTACK_TOKEN_SECRET}" --output $WORK_DIR/$shelf_slug/$book_slug.html
+ done
+ done
+ EOF
+
+ curl -m 10 --retry 5 http://healthchecks.monitoring.svc.cluster.local:8000/ping/d671a835-0731-448a-b20b-284500e5753a
+ volumeMounts:
+ - name: secret
+ mountPath: /opt/id_rsa
+ subPath: deployment-rsa-priv-key
+ volumes:
+ - name: secret
+ secret:
+ secretName: drone-pipelines
+ restartPolicy: Never
diff --git a/cluster/apps/data/bookstack/kustomization.yaml b/cluster/apps/data/bookstack/kustomization.yaml
index a71d36f14..4979e1d3c 100644
--- a/cluster/apps/data/bookstack/kustomization.yaml
+++ b/cluster/apps/data/bookstack/kustomization.yaml
@@ -1,5 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+ - export-job.yaml
 - helm-release.yaml
 - volumes.yaml
diff --git a/cluster/apps/secret-reflector/secret-reflector.yaml b/cluster/apps/secret-reflector/secret-reflector.yaml
index 2030b575d..39cbc74f1 100644
--- a/cluster/apps/secret-reflector/secret-reflector.yaml
+++ b/cluster/apps/secret-reflector/secret-reflector.yaml
@@ -22,7 +22,7 @@ spec:
 set -o errexit
 # space delimited secrets to copy
- secrets="${SECRET_CLUSTER_CERTIFICATE_DEFAULT} regcred"
+ secrets="${SECRET_CLUSTER_CERTIFICATE_DEFAULT} regcred drone-pipelines"
 # source namespace to reflect secret from
 namespace_source="networking"
 # space delimited namespace where to reflect the secrets to
diff --git a/cluster/base-custom/secrets/cluster-secrets.yaml b/cluster/base-custom/secrets/cluster-secrets.yaml
index 6ff8200fe..89991995d 100644
--- a/cluster/base-custom/secrets/cluster-secrets.yaml
+++ b/cluster/base-custom/secrets/cluster-secrets.yaml
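Review bot: The `set -x` inside the heredoc in export-job.yaml traces every `curl` command, including its `Authorization: Token …` header, into the job output, so the BookStack API token lands in the pod logs; drop `set -x` or keep it off around the curl calls. The `${SECRET_BOOKSTACK_TOKEN_ID}` and `${SECRET_BOOKSTACK_TOKEN_SECRET}` references sit inside a quoted `'EOF'` heredoc, so they are presumably substituted before the manifest is applied, which would also leave the token in plaintext in the CronJob spec and on the remote curl command line. `-o StrictHostKeyChecking=no` turns off host-key verification for a session authenticated with the deployment key; mount a pinned `known_hosts` entry and point `-o UserKnownHostsFile=` at it instead. None of the `curl` calls use `--fail` and the remote script has no `set -e`, so an expired token would save error bodies as backups and still reach the healthchecks ping. `"bin/sh"` is a relative path and probably should be `"/bin/sh"`.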
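Review bot: Adding `drone-pipelines` to `secrets` in secret-reflector.yaml copies the whole Secret into every namespace in the reflector's target list, which is outside this hunk. On this page that Secret holds `registry-username`, `registry-password` and the key mounted as `deployment-rsa-priv-key`. The only new consumer visible here is the CronJob in `data`, which needs just the SSH key, so a dedicated Secret holding only that key (ideally a key restricted on the storage host) would keep the CI credentials out of the other namespaces. The companion change that moves `drone-pipelines` from `development` to `networking` also means `development` only keeps the secret if it is in that target list, which is worth confirming. The script body continues outside the hunk.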
@@ -25,6 +25,8 @@ stringData:
 SECRET_AUTHENTIK_SMTP_PASSWORD: ENC[AES256_GCM,data:3GG9ga/EuoQYdk0wl0wUcQ==,iv:X9cr9jpQObF9RkAPSf0M/CBve9YvWXrVdeu6RoIrtEo=,tag:AF+vgtirdBJ2AYzMi/fEqA==,type:str]
 SECRET_BOOKSTACK_DB_PASSWORD: ENC[AES256_GCM,data:i9Ky7+e2UHfh14EP9wus8Q==,iv:6grPFBXTg+Oj/jShYgpM84k65r6bKvXFg5b9St3PeTE=,tag:kEab7xSmieYtdeg0zAEyXg==,type:str]
 SECRET_BOOKSTACK_DB_ROOT_PASSWORD: ENC[AES256_GCM,data:4/o956Da0ckVLdxUqs1WWA==,iv:G8DddhYyMZKuGJyWnj+eOaNRiJm7oGetiIZlQgtRFEo=,tag:WX9+DDnA2UPm9nPRLYibXw==,type:str]
+ SECRET_BOOKSTACK_TOKEN_ID: ENC[AES256_GCM,data:d+OuZJN/NvKja9bUhLESl52MeuaC875DhuWDF2gCC+M=,iv:x/E2lfWnDxKWC317laRfSiqlXZ2saiqgoGV6P+sOchE=,tag:a+ZRy1Dm5TM4oQ5SklhGYA==,type:str]
+ SECRET_BOOKSTACK_TOKEN_SECRET: ENC[AES256_GCM,data:dInN0nIxi9t4zZyKe5TDLrxB2Q4CBvBmD5t2F6NB2ak=,iv:8DyybtQzxxPJrpUrZ6FRK41X7VeMFZ5PxhoYCvzSOSE=,tag:4N7ZLRwhacoNi9B/IlvIyQ==,type:str]
 SECRET_BOTKUBE_DISCORD_BOTID: ENC[AES256_GCM,data:bK1J9v+/Dajd9qrvz3lH49GY,iv:Hq6cY96Te1frwXVf3HC3qgOiaCZW2hHCqjVvvslUGFg=,tag:Dq0cUemHKfcdpx9hLkUekQ==,type:str]
 SECRET_BOTKUBE_DISCORD_TOKEN: ENC[AES256_GCM,data:pDPm3TYITWApPZRMcSH6ijtPQQuHSd/PNT2Wy23tUp7uzluhHS5hvlujTkjk7oRb95kE6Gi2D8yDmNg=,iv:HQyMQiaRsjNIfPUTjLRVL/zchSdXFmevxaeruwGx3tk=,tag:l+po8014SaZd61DxE1T43A==,type:str]
 SECRET_CLUSTER_CERTIFICATE_DEFAULT: ENC[AES256_GCM,data:NlCiFO/3sseKI3fVzQ4ajeMOrg==,iv:seSVdR5wkR8sf/PKSy7T3P5oCkbJI4sMNC8XWSJUnh0=,tag:jSjCQVDNPQ7c8Dlg8yozPg==,type:str]
@@ -94,8 +96,8 @@ sops:
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2021-08-11T14:46:04Z"
- mac: ENC[AES256_GCM,data:IE6CWaM241i7TsDxHHFYzYscwOLKfOYb3P6vDl+3Q5P89TRh9Fjx7ibPj2fsaSAJ7HegBbB1F9k75bO5uuW5OKPv7UWb1SkHR2+ArvmHaNObaN5fbr4kMBcCaC7XzlfFbnKz+MJfP0xfn6nbBk2hjX6F/jhMA/WNWaYLphJmNxA=,iv:KW/y96vqvgXJm9iP6E6NY25kRv8OUlCEwZy+iwAxQVw=,tag:Agy6b0qs7YSrJXss0D2aMA==,type:str]
+ lastmodified: "2021-08-17T14:23:32Z"
+ mac: ENC[AES256_GCM,data:QkzSO6LiygY54LB50XD8Po1I6q5aPK84X1+C23sSPOCeBXnxFkYlJ/XkV1oGnzGvwel68ew9h7rO7VcaRDUz7z9EgGxmkD1vGEguisH75qQ5yhCMxiiOyaOufoCD2AEx0rNE3eiz086J+tGUAh6bRrIViOYr7Pf0vPvc0BYHt+I=,iv:mWsmogq2L1i/Ni/7/zWYBxUSmzGZZOScmh7SpUQYQTM=,tag:NZ9U0lF125Gz9reqtEGLmQ==,type:str]
 pgp:
 - created_at: "2021-07-17T21:14:34Z"
 enc: |
diff --git a/cluster/base-custom/secrets/drone-pipelines.yaml b/cluster/base-custom/secrets/drone-pipelines.yaml
index 7c692d19b..c2f93547d 100644
--- a/cluster/base-custom/secrets/drone-pipelines.yaml
+++ b/cluster/base-custom/secrets/drone-pipelines.yaml
@@ -2,7 +2,7 @@ kind: Secret
 apiVersion: v1
 metadata:
 name: drone-pipelines
- namespace: development
+ namespace: networking
 stringData:
 registry-username: ENC[AES256_GCM,data:0feiw+FkNQ==,iv:qlqyZnDaxDWSotJudzuVBnGRv4Nm5BkzcYvtzdXGG/c=,tag:6LpLEQWy9Bl6NrpgqslXVQ==,type:str]
 registry-password: ENC[AES256_GCM,data:bXkbSETYKwDpoulIcEE=,iv:kbDngo9bEnY2wuyy42rXb+zUvgFLY3LEpHTmk2sXDog=,tag:Q2rIX1k5tNLLx7sTEOMPXQ==,type:str]
@@ -16,8 +16,8 @@ sops:
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2021-07-17T21:15:46Z"
- mac: ENC[AES256_GCM,data:gi+0ATruo1hPLHGXHXNYrKtfHWp55KxAQyK/A2//c3zZ8s7XamBW76dWbPp7PnjlAMtmSbpfwOX1c2+vxIGuhwj6V18q0Kuezzg2WJdbm3wU0Gb4b5O2d71g1s/Pnpyxy/UjFN8U2DjYS1ueZbJIsO54VTA4U9ZQRZ7DWLyy7u0=,iv:LPzjZb8bo24n1CowNSkQY2o4VmQqA8vTwhWVhb2usew=,tag:/Hh6rVVZnMhMZq9wuIiv2Q==,type:str]
+ lastmodified: "2021-08-17T15:11:07Z"
+ mac: ENC[AES256_GCM,data:hjSULr6lAuXyU9VOWWcJI1tRzi+jgMiiupKeKPcb0sA3nD5TnqSezNNe2bAzxQeqm8QKcVc94ZiSRR8FYAtaMx4VI1/+qJiB2Pj08G69g6ZQCteTd1sZpQ180Vo7tVf2QD8OoHEbPfupVf4Yd6+K1p+jGpkjG4Fr0Pw8j0JgRFk=,iv:DckGGVxlMJu/KQsj937EoCXLA4Kk2GniRf+W2O4L5J8=,tag:edlCI7W7NOa1EzHriIQc5A==,type:str]
 pgp:
 - created_at: "2021-07-17T21:15:45Z"
 enc: |