feat: bookstack export job

.github/lint/.yamllint.yaml

@@ -4,6 +4,7 @@ ignore: |
   .vscode/
   *.sops.*
   ansible/roles/xanmanning.k3s/
+  cluster/base-custom/secrets
   gotk-components.yaml
 extends: default
 rules:

cluster/apps/data/bookstack/export-job.yaml

@@ -0,0 +1,66 @@
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: bookstack-books-export
+  namespace: data
+spec:
+  schedule: "@daily"
+  jobTemplate:
+    spec:
+      template:
+        metadata:
+          name: bookstack-books-export
+        spec:
+          serviceAccountName: jobs
+          imagePullSecrets:
+            - name: regcred
+          containers:
+            - name: gitea-repositories-backup
+              image: registry.${SECRET_CLUSTER_DOMAIN}/homelab/home-cluster-jobs:1.1.0
+              imagePullPolicy: IfNotPresent
+              command:
+                - "bin/sh"
+                - "-ec"
+                - |
+                  #!/bin/bash
+
+                  set -o nounset
+                  set -o errexit
+
+                  mkdir -p ~/.ssh
+                  cp /opt/id_rsa ~/.ssh/id_rsa
+                  chmod 600 ~/.ssh/id_rsa
+
+                  ssh -o StrictHostKeyChecking=no homelab@${LOCAL_LAN_TRUENAS} << 'EOF'
+
+                    set -x
+
+                    WORK_DIR="/mnt/storage/backups/bookstack"
+
+                    SHELVES=$(curl --silent --location --request GET "https://bookstack.${SECRET_CLUSTER_DOMAIN}/api/shelves" --header "Authorization: Token ${SECRET_BOOKSTACK_TOKEN_ID}:${SECRET_BOOKSTACK_TOKEN_SECRET}" | jq --raw-output .data[].id)
+
+                    for shelf in $SHELVES
+                    do
+                        shelf_slug=$(curl --silent --location --request GET "https://bookstack.${SECRET_CLUSTER_DOMAIN}/api/shelves/$shelf" --header "Authorization: Token ${SECRET_BOOKSTACK_TOKEN_ID}:${SECRET_BOOKSTACK_TOKEN_SECRET}" | jq --raw-output .slug)
+                        mkdir -p $WORK_DIR/$shelf_slug
+                        BOOKS=$(curl --silent --location --request GET "https://bookstack.${SECRET_CLUSTER_DOMAIN}/api/shelves/$shelf" --header "Authorization: Token ${SECRET_BOOKSTACK_TOKEN_ID}:${SECRET_BOOKSTACK_TOKEN_SECRET}" | jq --raw-output .books[].id)
+                        for book in $BOOKS
+                        do
+                            book_slug=$(curl --silent --location --request GET "https://bookstack.${SECRET_CLUSTER_DOMAIN}/api/books/$book" --header "Authorization: Token ${SECRET_BOOKSTACK_TOKEN_ID}:${SECRET_BOOKSTACK_TOKEN_SECRET}" | jq --raw-output .slug)
+                            echo "INFO: export book $book_slug..."
+                            curl --silent --location --request GET "https://bookstack.${SECRET_CLUSTER_DOMAIN}/api/books/$book/export/html" --header "Authorization: Token ${SECRET_BOOKSTACK_TOKEN_ID}:${SECRET_BOOKSTACK_TOKEN_SECRET}" --output $WORK_DIR/$shelf_slug/$book_slug.html
+                        done
+                    done
+                  EOF
+
+                  curl -m 10 --retry 5 http://healthchecks.monitoring.svc.cluster.local:8000/ping/d671a835-0731-448a-b20b-284500e5753a
+              volumeMounts:
+                - name: secret
+                  mountPath: /opt/id_rsa
+                  subPath: deployment-rsa-priv-key
+          volumes:
+            - name: secret
+              secret:
+                secretName: drone-pipelines
+          restartPolicy: Never

cluster/apps/data/bookstack/kustomization.yaml

@@ -1,5 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+  - export-job.yaml
   - helm-release.yaml
   - volumes.yaml

cluster/apps/secret-reflector/secret-reflector.yaml

@@ -22,7 +22,7 @@ spec:
                   set -o errexit
 
                   # space delimited secrets to copy
-                  secrets="${SECRET_CLUSTER_CERTIFICATE_DEFAULT} regcred"
+                  secrets="${SECRET_CLUSTER_CERTIFICATE_DEFAULT} regcred drone-pipelines"
                   # source namespace to reflect secret from
                   namespace_source="networking"
                   # space delimited namespace where to reflect the secrets to

cluster/base-custom/secrets/cluster-secrets.yaml

@@ -25,6 +25,8 @@ stringData:
     SECRET_AUTHENTIK_SMTP_PASSWORD: ENC[AES256_GCM,data:3GG9ga/EuoQYdk0wl0wUcQ==,iv:X9cr9jpQObF9RkAPSf0M/CBve9YvWXrVdeu6RoIrtEo=,tag:AF+vgtirdBJ2AYzMi/fEqA==,type:str]
     SECRET_BOOKSTACK_DB_PASSWORD: ENC[AES256_GCM,data:i9Ky7+e2UHfh14EP9wus8Q==,iv:6grPFBXTg+Oj/jShYgpM84k65r6bKvXFg5b9St3PeTE=,tag:kEab7xSmieYtdeg0zAEyXg==,type:str]
     SECRET_BOOKSTACK_DB_ROOT_PASSWORD: ENC[AES256_GCM,data:4/o956Da0ckVLdxUqs1WWA==,iv:G8DddhYyMZKuGJyWnj+eOaNRiJm7oGetiIZlQgtRFEo=,tag:WX9+DDnA2UPm9nPRLYibXw==,type:str]
+    SECRET_BOOKSTACK_TOKEN_ID: ENC[AES256_GCM,data:d+OuZJN/NvKja9bUhLESl52MeuaC875DhuWDF2gCC+M=,iv:x/E2lfWnDxKWC317laRfSiqlXZ2saiqgoGV6P+sOchE=,tag:a+ZRy1Dm5TM4oQ5SklhGYA==,type:str]
+    SECRET_BOOKSTACK_TOKEN_SECRET: ENC[AES256_GCM,data:dInN0nIxi9t4zZyKe5TDLrxB2Q4CBvBmD5t2F6NB2ak=,iv:8DyybtQzxxPJrpUrZ6FRK41X7VeMFZ5PxhoYCvzSOSE=,tag:4N7ZLRwhacoNi9B/IlvIyQ==,type:str]
     SECRET_BOTKUBE_DISCORD_BOTID: ENC[AES256_GCM,data:bK1J9v+/Dajd9qrvz3lH49GY,iv:Hq6cY96Te1frwXVf3HC3qgOiaCZW2hHCqjVvvslUGFg=,tag:Dq0cUemHKfcdpx9hLkUekQ==,type:str]
     SECRET_BOTKUBE_DISCORD_TOKEN: ENC[AES256_GCM,data:pDPm3TYITWApPZRMcSH6ijtPQQuHSd/PNT2Wy23tUp7uzluhHS5hvlujTkjk7oRb95kE6Gi2D8yDmNg=,iv:HQyMQiaRsjNIfPUTjLRVL/zchSdXFmevxaeruwGx3tk=,tag:l+po8014SaZd61DxE1T43A==,type:str]
     SECRET_CLUSTER_CERTIFICATE_DEFAULT: ENC[AES256_GCM,data:NlCiFO/3sseKI3fVzQ4ajeMOrg==,iv:seSVdR5wkR8sf/PKSy7T3P5oCkbJI4sMNC8XWSJUnh0=,tag:jSjCQVDNPQ7c8Dlg8yozPg==,type:str]
@@ -94,8 +96,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2021-08-11T14:46:04Z"
-    mac: ENC[AES256_GCM,data:IE6CWaM241i7TsDxHHFYzYscwOLKfOYb3P6vDl+3Q5P89TRh9Fjx7ibPj2fsaSAJ7HegBbB1F9k75bO5uuW5OKPv7UWb1SkHR2+ArvmHaNObaN5fbr4kMBcCaC7XzlfFbnKz+MJfP0xfn6nbBk2hjX6F/jhMA/WNWaYLphJmNxA=,iv:KW/y96vqvgXJm9iP6E6NY25kRv8OUlCEwZy+iwAxQVw=,tag:Agy6b0qs7YSrJXss0D2aMA==,type:str]
+    lastmodified: "2021-08-17T14:23:32Z"
+    mac: ENC[AES256_GCM,data:QkzSO6LiygY54LB50XD8Po1I6q5aPK84X1+C23sSPOCeBXnxFkYlJ/XkV1oGnzGvwel68ew9h7rO7VcaRDUz7z9EgGxmkD1vGEguisH75qQ5yhCMxiiOyaOufoCD2AEx0rNE3eiz086J+tGUAh6bRrIViOYr7Pf0vPvc0BYHt+I=,iv:mWsmogq2L1i/Ni/7/zWYBxUSmzGZZOScmh7SpUQYQTM=,tag:NZ9U0lF125Gz9reqtEGLmQ==,type:str]
     pgp:
         - created_at: "2021-07-17T21:14:34Z"
           enc: |

cluster/base-custom/secrets/drone-pipelines.yaml

@@ -2,7 +2,7 @@ kind: Secret
 apiVersion: v1
 metadata:
     name: drone-pipelines
-    namespace: development
+    namespace: networking
 stringData:
     registry-username: ENC[AES256_GCM,data:0feiw+FkNQ==,iv:qlqyZnDaxDWSotJudzuVBnGRv4Nm5BkzcYvtzdXGG/c=,tag:6LpLEQWy9Bl6NrpgqslXVQ==,type:str]
     registry-password: ENC[AES256_GCM,data:bXkbSETYKwDpoulIcEE=,iv:kbDngo9bEnY2wuyy42rXb+zUvgFLY3LEpHTmk2sXDog=,tag:Q2rIX1k5tNLLx7sTEOMPXQ==,type:str]
@@ -16,8 +16,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2021-07-17T21:15:46Z"
-    mac: ENC[AES256_GCM,data:gi+0ATruo1hPLHGXHXNYrKtfHWp55KxAQyK/A2//c3zZ8s7XamBW76dWbPp7PnjlAMtmSbpfwOX1c2+vxIGuhwj6V18q0Kuezzg2WJdbm3wU0Gb4b5O2d71g1s/Pnpyxy/UjFN8U2DjYS1ueZbJIsO54VTA4U9ZQRZ7DWLyy7u0=,iv:LPzjZb8bo24n1CowNSkQY2o4VmQqA8vTwhWVhb2usew=,tag:/Hh6rVVZnMhMZq9wuIiv2Q==,type:str]
+    lastmodified: "2021-08-17T15:11:07Z"
+    mac: ENC[AES256_GCM,data:hjSULr6lAuXyU9VOWWcJI1tRzi+jgMiiupKeKPcb0sA3nD5TnqSezNNe2bAzxQeqm8QKcVc94ZiSRR8FYAtaMx4VI1/+qJiB2Pj08G69g6ZQCteTd1sZpQ180Vo7tVf2QD8OoHEbPfupVf4Yd6+K1p+jGpkjG4Fr0Pw8j0JgRFk=,iv:DckGGVxlMJu/KQsj937EoCXLA4Kk2GniRf+W2O4L5J8=,tag:edlCI7W7NOa1EzHriIQc5A==,type:str]
     pgp:
         - created_at: "2021-07-17T21:15:45Z"
           enc: |