diff --git a/kubernetes/apps/default/firefly-iii/app/externalsecret.yaml b/kubernetes/apps/default/firefly-iii/app/externalsecret.yaml
index 91d1f877e..c26448475 100644
--- a/kubernetes/apps/default/firefly-iii/app/externalsecret.yaml
+++ b/kubernetes/apps/default/firefly-iii/app/externalsecret.yaml
@@ -18,7 +18,7 @@ spec:
 # App
 APP_KEY: "{{ .FIREFLY_APP_KEY }}"
 DB_USERNAME: &dbUser "{{ .POSTGRES_USERNAME }}"
- DB_PASSWORD: &dbPass "{{ .POSTGRES_PASSWORD }}"
+ DB_PASSWORD: &dbPass "{{ .POSTGRES_USER }}"
 FIREFLY_III_ACCESS_TOKEN: "{{ .FIREFLY_ACCESS_TOKEN }}"
 # Postgres Init
 INIT_POSTGRES_DBNAME: firefly-iii
diff --git a/kubernetes/apps/default/pgadmin/app/helmrelease.yaml b/kubernetes/apps/default/pgadmin/app/helmrelease.yaml
index 6f74580ba..336776995 100644
--- a/kubernetes/apps/default/pgadmin/app/helmrelease.yaml
+++ b/kubernetes/apps/default/pgadmin/app/helmrelease.yaml
@@ -27,6 +27,9 @@ spec:
 uninstall:
 keepHistory: false
 values:
+ controller:
+ annotations:
+ reloader.stakater.com/auto: "true"
 image:
 repository: dpage/pgadmin4
 tag: "7.4"
diff --git a/kubernetes/apps/default/prowlarr/app/helmrelease.yaml b/kubernetes/apps/default/prowlarr/app/helmrelease.yaml
index a20956532..99d0866e9 100644
--- a/kubernetes/apps/default/prowlarr/app/helmrelease.yaml
+++ b/kubernetes/apps/default/prowlarr/app/helmrelease.yaml
@@ -27,6 +27,9 @@ spec:
 uninstall:
 keepHistory: false
 values:
+ controller:
+ annotations:
+ reloader.stakater.com/auto: "true"
 image:
 repository: ghcr.io/onedr0p/prowlarr-nightly
 tag: 1.7.2.3700@sha256:4c74dbd28e86519c683cfd8f2b87d5e8f72cc5c5c8f9d4112185f769c612c4a6
diff --git a/kubernetes/apps/default/radarr/app/backups/replicationsource.yaml b/kubernetes/apps/default/radarr/app/backups/replicationsource.yaml
deleted file mode 100644
index 0d4dfa6cd..000000000
--- a/kubernetes/apps/default/radarr/app/backups/replicationsource.yaml
+++ /dev/null
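Review bot: The new `DB_PASSWORD` line templates `{{ .POSTGRES_USER }}` into the password field, so the rendered Secret will carry the database user name where Firefly expects the password, while `DB_USERNAME` on the line above still reads `.POSTGRES_USERNAME`. Unless the backing 1Password item was reworked outside this diff, this reads like an accidental edit and the line should stay `DB_PASSWORD: &dbPass "{{ .POSTGRES_PASSWORD }}"`. The `&dbPass` anchor is presumably aliased further down the template, outside this hunk, so the wrong value would also propagate to whatever reads `*dbPass`.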
@@ -1,25 +0,0 @@
----
-# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/replicationsource_v1alpha1.json
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
- name: radarr
- namespace: default
-spec:
- sourcePVC: radarr-config
- trigger:
- schedule: "0 0 * * *"
- restic:
- copyMethod: Snapshot
- pruneIntervalDays: 10
- repository: radarr-restic
- cacheCapacity: 2Gi
- volumeSnapshotClassName: csi-ceph-blockpool
- storageClassName: rook-ceph-block
- moverSecurityContext:
- runAsUser: 568
- runAsGroup: 568
- fsGroup: 568
- retain:
- daily: 10
- within: 3d
diff --git a/kubernetes/apps/default/radarr/app/backups/restic.sops.yaml b/kubernetes/apps/default/radarr/app/backups/restic.sops.yaml
deleted file mode 100644
index c7f5891f6..000000000
--- a/kubernetes/apps/default/radarr/app/backups/restic.sops.yaml
+++ /dev/null
@@ -1,35 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: radarr-restic - namespace: default -type: Opaque -stringData: - #ENC[AES256_GCM,data:WTM0Lkqp+sxjbUgkNzAVZQnC5g==,iv:4y8R8GpLy2Ogh3Lt3v6ibVbJF7jy8K1BOGi+ONt7S5c=,tag:wRhEBfRNHp0PBvIjM60iSA==,type:comment] - RESTIC_REPOSITORY: ENC[AES256_GCM,data:Mwfqvvc/7p7ih8sPZY1uFswPCwDPB3Uw8u0IStIxsje5YS6pZpCH+POaxpMNifr8OIQBEP0xq7k=,iv:ibk8gAjTqDB3F0WAAEfqg+vHSOfg8OgFxR1IlF/gzXc=,tag:+a0WDJxsIWarDR81vWRvSQ==,type:str] - #ENC[AES256_GCM,data:cRvGVeuDnEbJs01G+Und5ls1EgaC9Q2vj61IE/2R,iv:qSjv4bGEX9QWABhXgnCJsoj0p1kjgYaQwQX0Oyu9RHk=,tag:x8i1WXbAvdpC+Iv8pn/drw==,type:comment] - RESTIC_PASSWORD: ENC[AES256_GCM,data:6VI/lJQFZg6hu5r0SqNAKQAQGYY=,iv:UYRMnkHB4jsXcV1tyLDTAqh6dxsd18hYWsDoSpjJarA=,tag:d6hgK6LSgu7vZbLfquKcyA==,type:str] - #ENC[AES256_GCM,data:YIIHR5DwXv3YE9fFvNSAfrm47ZsshZMcY31LbaJ4gwXo0yOOHe6qDEc=,iv:axSMsvrIOkJFlErvw9fcAwLNSEWDh6mUU6dWZu6icIo=,tag:MDNlk43vcI9S4o6tMiWVmw==,type:comment] - #ENC[AES256_GCM,data:8Wspw6gPIPBsumfRS/5dlZrAQQqBJEDMgcpip4a3HCfHq8SeVDv4Gl0j3hyZqUsP5af8nN69Y/9bas7z1hnIERkrb8DqYg==,iv:WqCz9vBfg1JxUEpd97J37YztSW3HkcOHa6nIJI4VK8I=,tag:+LxnOzGidF39ojPKSOrVsg==,type:comment] - AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:I9vuuPEGS6A135zwKUNXvSIAjwk=,iv:dByy2WuuhO6OluWXYRwkdMutK33yKwOcWkR9hvY5bsg=,tag:xHU7Hbx+sxuZ9CRymA55JQ==,type:str] - AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kRdbENGS1F32JzkvktYkbfhMGBSrUpFSfyCdIpJwLOc+/2TyHAMrxA==,iv:Q+UKNT9aRo+A0KWu/FiST/4bOQKTOBJKHhpP8JXD3ao=,tag:7VE8lx2QAdNutcUj5kMNNA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RE9wTDZVRlExcnVKYjVZ - THNtblNXbGlSUitoS0FYV2k3dlg3aWZEMWxjCmZETUFGSnR0c3JZU2FHNnFneHdB - TEdlYjJTcjNsSDQ0dmgvNWlnNWo4TWMKLS0tIGR2Q25heThUUGliY0ZicDNra1FN - dGppaVJiME1FQnkzdVJOeTZMcjhYWE0KBrGQAYun1Zs3oyHWQ8iGvmF4hheP3md4 - 
3/Lc9CqEC+V1lT9On8ivEBethjt528vCyVMM5pLMRBEO6CMjlNhJ+g== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-12-28T15:40:20Z" - mac: ENC[AES256_GCM,data:J9bpaDGW5zzW0OrW78rbXUNwRpGh0QviME4Lg1uQuVjosOepWxopG+QNyI0BHddIF7NnDfuSZy6LnclMEFl2vcpZXZTi6kSJEYPPbcLzAQG0FbkK4nSnW2JlL5cy83P81plYzqggXoqvgZWpRikg7iI2KJy6dXDKV5ZtVEy0myA=,iv:cmtmvn96UQvbJbrtVx+GGVEDFGB4QpndTMyYikwQ1BI=,tag:zvhhBHOLjYZy6Z6S/dR9QQ==,type:str] - pgp: [] - encrypted_regex: ^(data|stringData)$ - version: 3.7.3 diff --git a/kubernetes/apps/default/radarr/app/externalsecret.yaml b/kubernetes/apps/default/radarr/app/externalsecret.yaml new file mode 100644 index 000000000..7644b6e92 --- /dev/null +++ b/kubernetes/apps/default/radarr/app/externalsecret.yaml 
@@ -0,0 +1,39 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: radarr
+ namespace: default
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword-connect
+ target:
+ name: radarr-secret
+ creationPolicy: Owner
+ template:
+ data:
+ # App
+ RADARR__API_KEY: "{{ .RADARR__API_KEY }}"
+ # RADARR__POSTGRES_HOST: &dbHost postgres-rw.default.svc.cluster.local
+ # RADARR__POSTGRES_PORT: "5432"
+ # RADARR__POSTGRES_USER: &dbUser "{{ .RADARR__POSTGRES_USER }}"
+ # RADARR__POSTGRES_PASSWORD: &dbPass "{{ .RADARR__POSTGRES_PASSWORD }}"
+ # RADARR__POSTGRES_MAIN_DB: radarr_main
+ # RADARR__POSTGRES_LOG_DB: radarr_log
+ PUSHOVER_API_TOKEN: "{{ .PUSHOVER_API_TOKEN }}"
+ PUSHOVER_USER_KEY: "{{ .PUSHOVER_USER_KEY }}"
+ # Postgres Init
+ INIT_POSTGRES_DBNAME: radarr_main radarr_log
+ INIT_POSTGRES_HOST: postgres-rw.default.svc.cluster.local
+ INIT_POSTGRES_USER: "{{ .RADARR__POSTGRES_USER }}"
+ INIT_POSTGRES_PASS: "{{ .RADARR__POSTGRES_PASSWORD }}"
+ INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
+ dataFrom:
+ - extract:
+ key: cloudnative-pg
+ - extract:
+ key: pushover
+ - extract:
+ key: radarr
diff --git a/kubernetes/apps/default/radarr/app/helmrelease.yaml b/kubernetes/apps/default/radarr/app/helmrelease.yaml
index 45aff1867..b0c42af69 100644
--- a/kubernetes/apps/default/radarr/app/helmrelease.yaml
+++ b/kubernetes/apps/default/radarr/app/helmrelease.yaml
@@ -6,7 +6,7 @@ metadata:
 name: &app radarr
 namespace: default
 spec:
- interval: 15m
+ interval: 30m
 chart:
 spec:
 chart: app-template
@@ -15,7 +15,7 @@ spec:
 kind: HelmRepository
 name: bjw-s
 namespace: flux-system
- maxHistory: 3
+ maxHistory: 2
 install:
 createNamespace: true
 remediation:
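Review bot: `INIT_POSTGRES_SUPER_PASS` is written into the same `radarr-secret` as the app's API key and Pushover credentials, and the radarr helmrelease hunk later in this diff wires `radarr-secret` via `envFrom` into the main container (the recyclarr helmrelease imports it as well), so the Postgres superuser password ends up in the environment of long-running application processes rather than only the one-shot `01-init-db` init container. Splitting the `INIT_POSTGRES_*` keys into their own ExternalSecret (a separate target such as `radarr-initdb-secret`, name illustrative) and referencing that only from the init container keeps the superuser credential out of the app containers. The `RADARR__POSTGRES_*` keys are still commented out, so the init container will create `radarr_main` and `radarr_log` while radarr itself is not yet configured to use them; if that staging is intentional, a one-line comment above `# Postgres Init` saying so would save the next reader the question.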
@@ -27,6 +27,17 @@ spec:
 uninstall:
 keepHistory: false
 values:
+ initContainers:
+ 01-init-db:
+ image: ghcr.io/onedr0p/postgres-init:14.8
+ imagePullPolicy: IfNotPresent
+ envFrom: &envFrom
+ - secretRef:
+ name: &secret radarr-secret
+ controller:
+ annotations:
+ configmap.reloader.stakater.com/reload: radarr-pushover
+ reloader.stakater.com/auto: "true"
 image:
 repository: ghcr.io/onedr0p/radarr-develop
 tag: 4.7.0.7588@sha256:2cd821b4ecf67a69ae16e49cc3321e867c274efdd42096d1fef3bd92dfcf2f46
@@ -40,7 +51,7 @@ spec:
 RADARR__LOG_LEVEL: info
 envFrom:
 - secretRef:
- name: *app
+ name: radarr-secret
 service:
 main:
 ports:
@@ -97,9 +108,6 @@ spec:
 mountPath: /scripts/pushover-notify.sh
 defaultMode: 0775
 readOnly: true
- podAnnotations:
- configmap.reloader.stakater.com/reload: radarr-pushover
- secret.reloader.stakater.com/reload: *app
 resources:
 requests:
 cpu: 500m
diff --git a/kubernetes/apps/default/radarr/app/kustomization.yaml b/kubernetes/apps/default/radarr/app/kustomization.yaml
index 96413136e..d7f44406a 100644
--- a/kubernetes/apps/default/radarr/app/kustomization.yaml
+++ b/kubernetes/apps/default/radarr/app/kustomization.yaml
@@ -4,9 +4,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: default
 resources:
- - ./backups
+ - ./externalsecret.yaml
 - ./helmrelease.yaml
- - ./secret.sops.yaml
+ - ./volsync.yaml
 - ./volume.yaml
 configMapGenerator:
 - name: radarr-pushover
diff --git a/kubernetes/apps/default/radarr/app/scripts/pushover-notify.sh b/kubernetes/apps/default/radarr/app/scripts/pushover-notify.sh
index ab7b770b8..88853a390 100755
--- a/kubernetes/apps/default/radarr/app/scripts/pushover-notify.sh
+++ b/kubernetes/apps/default/radarr/app/scripts/pushover-notify.sh
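Review bot: The `&envFrom` and `&secret` anchors introduced on the init container's `envFrom` are never aliased: the main container's `envFrom` hunk below writes `name: radarr-secret` literally rather than `*secret` (or reusing `*envFrom`), so the anchors are dead weight and the two references can silently drift apart. Either drop the anchors or have the main container read `envFrom: *envFrom` so one definition governs both. Separately, `ghcr.io/onedr0p/postgres-init:14.8` is pinned only by a mutable tag while the main image two lines below is pinned by `@sha256:` digest; pinning the init image the same way keeps the supply-chain posture consistent across the pod's containers, which matters more for a container that runs with the database superuser password.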
@@ -4,7 +4,7 @@ PUSHOVER_DEBUG="${PUSHOVER_DEBUG:-"true"}"
 # kubectl port-forward service/radarr -n default 7878:7878
 # export PUSHOVER_STARR_INSTANCE_NAME=Radarr;
 # export PUSHOVER_APP_URL="";
-# export PUSHOVER_TOKEN="";
+# export PUSHOVER_API_TOKEN="";
 # export PUSHOVER_USER_KEY="";
 # export radarr_eventtype=Download;
 # ./notify.sh
@@ -26,7 +26,7 @@ PUSHOVER_STARR_INSTANCE_NAME="$(xmlstarlet sel -t -v "//InstanceName" -nl ${CONF
 # Required
 PUSHOVER_APP_URL="${PUSHOVER_APP_URL:-}" && [[ -z "${PUSHOVER_APP_URL}" ]] && ERRORS+=("PUSHOVER_APP_URL not defined")
 PUSHOVER_USER_KEY="${PUSHOVER_USER_KEY:-}" && [[ -z "${PUSHOVER_USER_KEY}" ]] && ERRORS+=("PUSHOVER_USER_KEY not defined")
-PUSHOVER_TOKEN="${PUSHOVER_TOKEN:-}" && [[ -z "${PUSHOVER_TOKEN}" ]] && ERRORS+=("PUSHOVER_TOKEN not defined")
+PUSHOVER_API_TOKEN="${PUSHOVER_API_TOKEN:-}" && [[ -z "${PUSHOVER_API_TOKEN}" ]] && ERRORS+=("PUSHOVER_API_TOKEN not defined")
 # Optional
 PUSHOVER_DEVICE="${PUSHOVER_DEVICE:-}"
 PUSHOVER_PRIORITY="${PUSHOVER_PRIORITY:-"-2"}"
@@ -76,7 +76,7 @@ if [[ "${radarr_eventtype:-}" == "Download" ]]; then
 fi
 notification=$(jq -n \
- --arg token "${PUSHOVER_TOKEN}" \
+ --arg token "${PUSHOVER_API_TOKEN}" \
 --arg user "${PUSHOVER_USER_KEY}" \
 --arg title "${PUSHOVER_TITLE}" \
 --arg message "${PUSHOVER_MESSAGE:-"Unable to obtain plot summary"}" \
diff --git a/kubernetes/apps/default/radarr/app/secret.sops.yaml b/kubernetes/apps/default/radarr/app/secret.sops.yaml
deleted file mode 100644
index bb75ea54a..000000000
--- a/kubernetes/apps/default/radarr/app/secret.sops.yaml
+++ /dev/null
@@ -1,31 +0,0 @@ -# yamllint disable -apiVersion: v1 -kind: Secret -metadata: - name: radarr - namespace: default -type: Opaque -stringData: - PUSHOVER_TOKEN: ENC[AES256_GCM,data:StcjXKnJz7NbKuMtzWd/FXE1pqY0TSLO8o8AioYe,iv:Cw6dA2Fr3le6d70+TSGmBCjEX6mHFk21ck9IQqKx71o=,tag:4ANhz87eqkbvSNy5Yp6Edw==,type:str] - PUSHOVER_USER_KEY: ENC[AES256_GCM,data:3UbR7hAnBAAjw/tdB8TSMZw3inuJJhJx9AiIN4tZ,iv:GuB8Kf/pAOp32SiVhpSLFisIeoEg1VxdYm2Raw2stRM=,tag:A8nDFwYPcZ7fOPG/UPYYzQ==,type:str] - RADARR__API_KEY: ENC[AES256_GCM,data:G9ik2e/t2hwFFDvt3LJRdvo8v1T86RvXwTgjWyCW9Lc=,iv:oTPUMOXB8ZvHBChMhmm9CmpSOSQNEnvkrwGa0rTwXUI=,tag:wFJkxS/pNuExTn2UywghYA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJaU16anJNV2pBZmxPR3h2 - bWREUnpjcTFvd05ZQ2E4VVBDdm1FL2k4WEYwCkdQSStTNWtpdjNkUW51WS9MekdC - VkpTUUFjSjY2a1JMOUtqOVh5M0JRR2sKLS0tIDRmcWpJSEVvaUp4U1lsaTZYZGNw - OGVKWU0zNUZJSFh4aFJxQWFsYm1VeFkKaDeI/hl7z0Qh8t5W39Kxu9ert1dt4xo+ - LX+MjpVqxiZNcfwROD4bkWeQSN+VsxoGOOyj4L15BlggNnlg+L7Hww== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-12-28T15:40:44Z" - mac: ENC[AES256_GCM,data:P3hPFflDuXXnshmEDOIZ+yfmcdJsckZshmacp3MP+cQM2Vvb8j6u+w4CQU+Mlpdd04O+x+XWXKC4BvNGXLryvFsjrezP8hrVIQuHX4kTNMOzHNFhzdMab2LpWYOCzT8WfPvLY+RTqf8hj8/ppouJh/R+tzBvQZfvGGRkAqGfj0M=,iv:4GmbEkfLOp2yzvOLlBKRdMZl7mKURBCIovuj5ZKIvbE=,tag:chGlnHNB+kCM/hcyNDeg7Q==,type:str] - pgp: [] - encrypted_regex: ^(data|stringData)$ - version: 3.7.3 diff --git a/kubernetes/apps/default/radarr/app/volsync.yaml b/kubernetes/apps/default/radarr/app/volsync.yaml new file mode 100644 index 000000000..84840870f --- /dev/null +++ b/kubernetes/apps/default/radarr/app/volsync.yaml 
@@ -0,0 +1,49 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: radarr-restic
+ namespace: default
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword-connect
+ target:
+ name: radarr-restic-secret
+ creationPolicy: Owner
+ template:
+ engineVersion: v2
+ data:
+ RESTIC_REPOSITORY: '{{ .REPOSITORY_TEMPLATE }}/radarr'
+ RESTIC_PASSWORD: '{{ .RESTIC_PASSWORD }}'
+ AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}'
+ AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}'
+ dataFrom:
+ - extract:
+ key: volsync-restic-template
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/volsync.backube/replicationsource_v1alpha1.json
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+ name: radarr
+ namespace: default
+spec:
+ sourcePVC: radarr-config
+ trigger:
+ schedule: "0 7 * * *"
+ restic:
+ copyMethod: Snapshot
+ pruneIntervalDays: 7
+ repository: radarr-restic-secret
+ cacheCapacity: 2Gi
+ volumeSnapshotClassName: csi-ceph-blockpool
+ storageClassName: rook-ceph-block
+ moverSecurityContext:
+ runAsUser: 568
+ runAsGroup: 568
+ fsGroup: 568
+ retain:
+ daily: 7
+ within: 3d
diff --git a/kubernetes/apps/default/radarr/ks.yaml b/kubernetes/apps/default/radarr/ks.yaml
index 51870f827..34b66c1f4 100644
--- a/kubernetes/apps/default/radarr/ks.yaml
+++ b/kubernetes/apps/default/radarr/ks.yaml
@@ -9,6 +9,8 @@ metadata:
 substitution.flux.home.arpa/enabled: "true"
 spec:
 dependsOn:
+ - name: cluster-apps-cloudnative-pg-cluster
+ - name: cluster-apps-external-secrets-stores
 - name: cluster-apps-rook-ceph-cluster
 - name: cluster-apps-volsync-app
 path: ./kubernetes/apps/default/radarr/app
diff --git a/kubernetes/apps/default/readarr/app/backups/kustomization.yaml b/kubernetes/apps/default/readarr/app/backups/kustomization.yaml
deleted file mode 100644
index 57bca902d..000000000
--- a/kubernetes/apps/default/readarr/app/backups/kustomization.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-# yaml-language-server: $schema=https://json.schemastore.org/kustomization
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - ./replicationsource.yaml
- - ./restic.sops.yaml
diff --git a/kubernetes/apps/default/readarr/app/backups/replicationsource.yaml b/kubernetes/apps/default/readarr/app/backups/replicationsource.yaml
deleted file mode 100644
index 0cfbf8892..000000000
--- a/kubernetes/apps/default/readarr/app/backups/replicationsource.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
----
-# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/replicationsource_v1alpha1.json
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
- name: readarr
- namespace: default
-spec:
- sourcePVC: readarr-config
- trigger:
- schedule: "0 0 * * *"
- restic:
- copyMethod: Snapshot
- pruneIntervalDays: 10
- repository: readarr-restic
- cacheCapacity: 2Gi
- volumeSnapshotClassName: csi-ceph-blockpool
- storageClassName: rook-ceph-block
- moverSecurityContext:
- runAsUser: 568
- runAsGroup: 568
- fsGroup: 568
- retain:
- daily: 10
- within: 3d
diff --git a/kubernetes/apps/default/readarr/app/backups/restic.sops.yaml b/kubernetes/apps/default/readarr/app/backups/restic.sops.yaml
deleted file mode 100644
index 3e8c67c8e..000000000
--- a/kubernetes/apps/default/readarr/app/backups/restic.sops.yaml
+++ /dev/null
@@ -1,35 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: readarr-restic - namespace: default -type: Opaque -stringData: - #ENC[AES256_GCM,data:WTM0Lkqp+sxjbUgkNzAVZQnC5g==,iv:4y8R8GpLy2Ogh3Lt3v6ibVbJF7jy8K1BOGi+ONt7S5c=,tag:wRhEBfRNHp0PBvIjM60iSA==,type:comment] - RESTIC_REPOSITORY: ENC[AES256_GCM,data:9NP9PR2gAtRF6m2Nla934qz/p7uETdIM8Ifx4WWwd/SLqKaR/vklmwF3N4pd1hAsVLjbg3KQzcKp,iv:yTSY9TmEYn7niuDqAYr0uGflq9K5CgQTss1k+wnUNB0=,tag:jj+vrqoKE7DldNycnQ/eag==,type:str] - #ENC[AES256_GCM,data:cRvGVeuDnEbJs01G+Und5ls1EgaC9Q2vj61IE/2R,iv:qSjv4bGEX9QWABhXgnCJsoj0p1kjgYaQwQX0Oyu9RHk=,tag:x8i1WXbAvdpC+Iv8pn/drw==,type:comment] - RESTIC_PASSWORD: ENC[AES256_GCM,data:6VI/lJQFZg6hu5r0SqNAKQAQGYY=,iv:UYRMnkHB4jsXcV1tyLDTAqh6dxsd18hYWsDoSpjJarA=,tag:d6hgK6LSgu7vZbLfquKcyA==,type:str] - #ENC[AES256_GCM,data:YIIHR5DwXv3YE9fFvNSAfrm47ZsshZMcY31LbaJ4gwXo0yOOHe6qDEc=,iv:axSMsvrIOkJFlErvw9fcAwLNSEWDh6mUU6dWZu6icIo=,tag:MDNlk43vcI9S4o6tMiWVmw==,type:comment] - #ENC[AES256_GCM,data:8Wspw6gPIPBsumfRS/5dlZrAQQqBJEDMgcpip4a3HCfHq8SeVDv4Gl0j3hyZqUsP5af8nN69Y/9bas7z1hnIERkrb8DqYg==,iv:WqCz9vBfg1JxUEpd97J37YztSW3HkcOHa6nIJI4VK8I=,tag:+LxnOzGidF39ojPKSOrVsg==,type:comment] - AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:I9vuuPEGS6A135zwKUNXvSIAjwk=,iv:dByy2WuuhO6OluWXYRwkdMutK33yKwOcWkR9hvY5bsg=,tag:xHU7Hbx+sxuZ9CRymA55JQ==,type:str] - AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kRdbENGS1F32JzkvktYkbfhMGBSrUpFSfyCdIpJwLOc+/2TyHAMrxA==,iv:Q+UKNT9aRo+A0KWu/FiST/4bOQKTOBJKHhpP8JXD3ao=,tag:7VE8lx2QAdNutcUj5kMNNA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RE9wTDZVRlExcnVKYjVZ - THNtblNXbGlSUitoS0FYV2k3dlg3aWZEMWxjCmZETUFGSnR0c3JZU2FHNnFneHdB - TEdlYjJTcjNsSDQ0dmgvNWlnNWo4TWMKLS0tIGR2Q25heThUUGliY0ZicDNra1FN - dGppaVJiME1FQnkzdVJOeTZMcjhYWE0KBrGQAYun1Zs3oyHWQ8iGvmF4hheP3md4 - 
3/Lc9CqEC+V1lT9On8ivEBethjt528vCyVMM5pLMRBEO6CMjlNhJ+g== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-12-28T15:44:52Z" - mac: ENC[AES256_GCM,data:Jxa7Xz8ZPnAbBhU3gr92KMfnqDi4BSaywtykVFQ+S9FHsl0Qsk796SHz0pxfvO95o894a0/sTwFTyzulrs+aIojbZn771PX1LbluJeC7zqjXEqbyKclK7luHIo+B2CqvVP4H3WvSgFD+pOFUQzOfo0Mk6pSvWTra+A0fzveNPrM=,iv:4uObp+QoXWSR+Q+bsmwiDzJG+8G6+8bCKnE9lA2UKpE=,tag:1UR7FJOBxRsXsbn3R5ktBA==,type:str] - pgp: [] - encrypted_regex: ^(data|stringData)$ - version: 3.7.3 diff --git a/kubernetes/apps/default/readarr/app/externalsecret.yaml b/kubernetes/apps/default/readarr/app/externalsecret.yaml new file mode 100644 index 000000000..3e159c8ca --- /dev/null +++ b/kubernetes/apps/default/readarr/app/externalsecret.yaml @@ -0,0 +1,25 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: readarr + namespace: default +spec: + secretStoreRef: + kind: ClusterSecretStore + name: onepassword-connect + target: + name: readarr-secret + creationPolicy: Owner + template: + data: + # App + READARR__API_KEY: "{{ .READARR__API_KEY }}" + PUSHOVER_API_TOKEN: "{{ .PUSHOVER_API_TOKEN }}" + PUSHOVER_USER_KEY: "{{ .PUSHOVER_USER_KEY }}" + dataFrom: + - extract: + key: pushover + - extract: + key: readarr diff --git a/kubernetes/apps/default/readarr/app/helmrelease.yaml b/kubernetes/apps/default/readarr/app/helmrelease.yaml index fcd400bf7..7cc1bc200 100644 --- a/kubernetes/apps/default/readarr/app/helmrelease.yaml +++ b/kubernetes/apps/default/readarr/app/helmrelease.yaml @@ -6,7 +6,7 @@ metadata: name: &app readarr namespace: default spec: - interval: 15m + interval: 30m chart: spec: chart: app-template @@ -15,7 +15,7 @@ spec: kind: HelmRepository name: bjw-s namespace: flux-system - maxHistory: 3 + maxHistory: 2 install: createNamespace: true remediation: 
@@ -27,6 +27,9 @@ spec:
 uninstall:
 keepHistory: false
 values:
+ controller:
+ annotations:
+ reloader.stakater.com/auto: "true"
 image:
 repository: ghcr.io/onedr0p/readarr-nightly
 tag: 0.2.3.1948@sha256:c042ba9164015fd00ea1eacf93ea5ba1c39b0a101666dc52150d4dc1517e4198
@@ -37,7 +40,7 @@ spec:
 READARR__LOG_LEVEL: info
 envFrom:
 - secretRef:
- name: *app
+ name: readarr-secret
 service:
 main:
 ports:
diff --git a/kubernetes/apps/default/readarr/app/kustomization.yaml b/kubernetes/apps/default/readarr/app/kustomization.yaml
index 0753c22a3..f082c6d3b 100644
--- a/kubernetes/apps/default/readarr/app/kustomization.yaml
+++ b/kubernetes/apps/default/readarr/app/kustomization.yaml
@@ -4,7 +4,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: default
 resources:
- - ./backups
+ - ./externalsecret.yaml
 - ./helmrelease.yaml
- - ./secret.sops.yaml
+ - ./volsync.yaml
 - ./volume.yaml
diff --git a/kubernetes/apps/default/readarr/app/secret.sops.yaml b/kubernetes/apps/default/readarr/app/secret.sops.yaml
deleted file mode 100644
index 7294da6b4..000000000
--- a/kubernetes/apps/default/readarr/app/secret.sops.yaml
+++ /dev/null
@@ -1,29 +0,0 @@ -# yamllint disable -apiVersion: v1 -kind: Secret -metadata: - name: readarr - namespace: default -type: Opaque -stringData: - READARR__API_KEY: ENC[AES256_GCM,data:x/TOFsYuY8sOvAyJPqkZbmOJuhtxeIQKau6PiO+p18Q=,iv:GHnX9rSOWjOVNZpUWxDzt95JrzK9sj+tcPv38SPY7UU=,tag:APu6Ux2bdZV6HXG0IUTq2A==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJaU16anJNV2pBZmxPR3h2 - bWREUnpjcTFvd05ZQ2E4VVBDdm1FL2k4WEYwCkdQSStTNWtpdjNkUW51WS9MekdC - VkpTUUFjSjY2a1JMOUtqOVh5M0JRR2sKLS0tIDRmcWpJSEVvaUp4U1lsaTZYZGNw - OGVKWU0zNUZJSFh4aFJxQWFsYm1VeFkKaDeI/hl7z0Qh8t5W39Kxu9ert1dt4xo+ - LX+MjpVqxiZNcfwROD4bkWeQSN+VsxoGOOyj4L15BlggNnlg+L7Hww== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-12-28T15:45:04Z" - mac: ENC[AES256_GCM,data:KFi15cAw/4EkyfTd9fydTbhMXlhOyxPGYvy08dWk6PRXhG7VgV7UC/VnLIzuNkWFKT593fmwg9RBwrcR/v1oS0Zq4IB0vHLHqd4QhwSYTm+ChxeOOWoxkTY5DRMU0g6KGQGktDVm54E3jY9S1/NQJkVRJkpBAsTvFLfIWOOnjM4=,iv:NhJWTB7T+MkuDCicu9GAxS97T2Ql0kRVMkTy781OE/k=,tag:GZo4b5gku+lDuinvVGjhtQ==,type:str] - pgp: [] - encrypted_regex: ^(data|stringData)$ - version: 3.7.3 diff --git a/kubernetes/apps/default/readarr/app/volsync.yaml b/kubernetes/apps/default/readarr/app/volsync.yaml new file mode 100644 index 000000000..03dea1ad1 --- /dev/null +++ b/kubernetes/apps/default/readarr/app/volsync.yaml 
@@ -0,0 +1,49 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: readarr-restic
+ namespace: default
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword-connect
+ target:
+ name: readarr-restic-secret
+ creationPolicy: Owner
+ template:
+ engineVersion: v2
+ data:
+ RESTIC_REPOSITORY: '{{ .REPOSITORY_TEMPLATE }}/readarr'
+ RESTIC_PASSWORD: '{{ .RESTIC_PASSWORD }}'
+ AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}'
+ AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}'
+ dataFrom:
+ - extract:
+ key: volsync-restic-template
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/volsync.backube/replicationsource_v1alpha1.json
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+ name: readarr
+ namespace: default
+spec:
+ sourcePVC: readarr-config
+ trigger:
+ schedule: "0 7 * * *"
+ restic:
+ copyMethod: Snapshot
+ pruneIntervalDays: 7
+ repository: readarr-restic-secret
+ cacheCapacity: 2Gi
+ volumeSnapshotClassName: csi-ceph-blockpool
+ storageClassName: rook-ceph-block
+ moverSecurityContext:
+ runAsUser: 568
+ runAsGroup: 568
+ fsGroup: 568
+ retain:
+ daily: 7
+ within: 3d
diff --git a/kubernetes/apps/default/readarr/ks.yaml b/kubernetes/apps/default/readarr/ks.yaml
index ae1bc053c..1d6be8550 100644
--- a/kubernetes/apps/default/readarr/ks.yaml
+++ b/kubernetes/apps/default/readarr/ks.yaml
@@ -9,6 +9,7 @@ metadata:
 substitution.flux.home.arpa/enabled: "true"
 spec:
 dependsOn:
+ - name: cluster-apps-external-secrets-stores
 - name: cluster-apps-rook-ceph-cluster
 - name: cluster-apps-volsync-app
 path: ./kubernetes/apps/default/readarr/app
diff --git a/kubernetes/apps/default/recyclarr/app/helmrelease.yaml b/kubernetes/apps/default/recyclarr/app/helmrelease.yaml
index f202a6742..4c7c9052f 100644
--- a/kubernetes/apps/default/recyclarr/app/helmrelease.yaml
+++ b/kubernetes/apps/default/recyclarr/app/helmrelease.yaml
@@ -6,7 +6,7 @@ metadata:
 name: recyclarr
 namespace: default
 spec:
- interval: 15m
+ interval: 30m
 chart:
 spec:
 chart: app-template
@@ -15,7 +15,7 @@ spec:
 kind: HelmRepository
 name: bjw-s
 namespace: flux-system
- maxHistory: 3
+ maxHistory: 2
 install:
 createNamespace: true
 remediation:
@@ -40,9 +40,9 @@ spec:
 args: ["sync"]
 envFrom:
 - secretRef:
- name: radarr
+ name: radarr-secret
 - secretRef:
- name: sonarr
+ name: sonarr-secret
 service:
 main:
 enabled: false
diff --git a/kubernetes/apps/default/redis/app/helmrelease.yaml b/kubernetes/apps/default/redis/app/helmrelease.yaml
index 65f828e5e..a2756631a 100644
--- a/kubernetes/apps/default/redis/app/helmrelease.yaml
+++ b/kubernetes/apps/default/redis/app/helmrelease.yaml
@@ -6,7 +6,7 @@ metadata:
 name: &app redis
 namespace: default
 spec:
- interval: 15m
+ interval: 30m
 chart:
 spec:
 chart: redis
@@ -15,7 +15,7 @@ spec:
 kind: HelmRepository
 name: bitnami
 namespace: flux-system
- maxHistory: 3
+ maxHistory: 2
 install:
 createNamespace: true
 remediation:
diff --git a/kubernetes/apps/default/redis/app/kustomization.yaml b/kubernetes/apps/default/redis/app/kustomization.yaml
index 22859439e..5b48b4e26 100644
--- a/kubernetes/apps/default/redis/app/kustomization.yaml
+++ b/kubernetes/apps/default/redis/app/kustomization.yaml
@@ -4,5 +4,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: default
 resources:
- - ./secret.sops.yaml
 - ./helmrelease.yaml
diff --git a/kubernetes/apps/default/redis/app/secret.sops.yaml b/kubernetes/apps/default/redis/app/secret.sops.yaml
deleted file mode 100644
index f6c0a35b9..000000000
--- a/kubernetes/apps/default/redis/app/secret.sops.yaml
+++ /dev/null
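Review bot: The `envFrom` here imports every key of `radarr-secret` and `sonarr-secret` into recyclarr, and per the radarr ExternalSecret added in this commit that now includes the Pushover keys and the `INIT_POSTGRES_*` credentials, none of which the `sync` job uses. Selecting only the API key each instance needs with `env:` entries using `valueFrom.secretKeyRef` (the radarr key recyclarr's config references, from `radarr-secret`, and likewise from `sonarr-secret`) keeps recyclarr's credential exposure to what it actually requires. The contents of `sonarr-secret` are not in this diff, so the same probably applies there but is unverified.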
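Review bot: The `redis` Secret (key `redis-password`) is dropped from the kustomization and deleted below, but unlike the other apps in this commit no replacement ExternalSecret for redis appears anywhere in the diff, and the redis helmrelease hunks above only touch `interval` and `maxHistory`. If the bitnami chart values still point `auth.existingSecret` at `redis`, the release loses its password source on the next reconcile; confirm either that a redis ExternalSecret exists outside this diff or that the values were moved to another credential source.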
@@ -1,29 +0,0 @@ -# yamllint disable -apiVersion: v1 -kind: Secret -metadata: - name: redis - namespace: default -type: Opaque -stringData: - redis-password: ENC[AES256_GCM,data:jDOKfnXB3U1z/aV86U5euK27edk=,iv:9a946UDG5b8CdjVFqcIG5Hfyz/L62gxN4SEhj3Uzo8Q=,tag:/2ZfSSzXnjEcqXhEV/aHFg==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBVWZVaFFvMVJRRWR1eUU3 - QzI5cjNscE83czk0TG9Ra1JvVmExa0hWbWt3Ck1YY1htcXhDamwxY1pVcE0wS2U3 - WWNQbTJFK1dFdEhkMk8vbG9pQlJzN1kKLS0tIDBUTUZhMUF2VVJhbFNpQ1FTNWZC - ZUZsSDdUYXFVb3JROEFnaC8yRU1zZ0UK1klzjeo3oaS6n1Apy0nY746ax2Uxxddg - Mn61QDtkPf8FLNBC3tFTe3pWzhWseD/89WaW3f3GScJxy34SFUZxLQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-09-12T21:08:53Z" - mac: ENC[AES256_GCM,data:vTtJo+nCb8eK9f4jUJHbq2zUXb8kZf5P91qPsfOfBV1wgMbM3YtlkKQFYsg/eAac/JBoRvUGhzsyFc/MEX3mCGVsU8BQ5cPuM54EVGAkrOAHzm3dXVqf1FDVwfeSXuMZ4iHsfKSyTPLcoZfJq5WQ9p/hIA3PSVsVQrmElS4S8/E=,iv:AxOjOctewK7bUrrSH+kfravg7UKBawUD1q/QBdpPDVw=,tag:j5/wMeAh+FdG/RDOpBt4jw==,type:str] - pgp: [] - encrypted_regex: ^(data|stringData)$ - version: 3.7.3 diff --git a/kubernetes/apps/default/resilio-sync/claude/backups/kustomization.yaml b/kubernetes/apps/default/resilio-sync/claude/backups/kustomization.yaml deleted file mode 100644 index 57bca902d..000000000 --- a/kubernetes/apps/default/resilio-sync/claude/backups/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./replicationsource.yaml - - ./restic.sops.yaml diff --git a/kubernetes/apps/default/resilio-sync/claude/backups/replicationsource.yaml b/kubernetes/apps/default/resilio-sync/claude/backups/replicationsource.yaml deleted file mode 100644 index f2ff6a9cf..000000000 
--- a/kubernetes/apps/default/resilio-sync/claude/backups/replicationsource.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
----
-# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/replicationsource_v1alpha1.json
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
- name: resilio-claude
- namespace: default
-spec:
- sourcePVC: resilio-claude-config
- trigger:
- schedule: "0 0 * * *"
- restic:
- copyMethod: Snapshot
- pruneIntervalDays: 10
- repository: resilio-claude-restic
- cacheCapacity: 2Gi
- volumeSnapshotClassName: csi-ceph-blockpool
- storageClassName: rook-ceph-block
- moverSecurityContext:
- runAsUser: 568
- runAsGroup: 568
- fsGroup: 568
- retain:
- daily: 10
- within: 3d
diff --git a/kubernetes/apps/default/resilio-sync/claude/backups/restic.sops.yaml b/kubernetes/apps/default/resilio-sync/claude/backups/restic.sops.yaml
deleted file mode 100644
index f80e13592..000000000
--- a/kubernetes/apps/default/resilio-sync/claude/backups/restic.sops.yaml
+++ /dev/null
@@ -1,35 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: resilio-claude-restic - namespace: default -type: Opaque -stringData: - #ENC[AES256_GCM,data:WTM0Lkqp+sxjbUgkNzAVZQnC5g==,iv:4y8R8GpLy2Ogh3Lt3v6ibVbJF7jy8K1BOGi+ONt7S5c=,tag:wRhEBfRNHp0PBvIjM60iSA==,type:comment] - RESTIC_REPOSITORY: ENC[AES256_GCM,data:tle03NzNTqaJ5cJAdT1sjg52Ntx0u9EN9bINzjeUN/CbFKQe4AWiYgZ8GknlmTyMZOvNlCtRG33Qms+11cEn2Q==,iv:pvyfxAfK/7LUYU+jRQAhXy0huhgTA1YWSvz5UXukDk8=,tag:/owfcCbcyJP33pv4KXT7uA==,type:str] - #ENC[AES256_GCM,data:cRvGVeuDnEbJs01G+Und5ls1EgaC9Q2vj61IE/2R,iv:qSjv4bGEX9QWABhXgnCJsoj0p1kjgYaQwQX0Oyu9RHk=,tag:x8i1WXbAvdpC+Iv8pn/drw==,type:comment] - RESTIC_PASSWORD: ENC[AES256_GCM,data:6VI/lJQFZg6hu5r0SqNAKQAQGYY=,iv:UYRMnkHB4jsXcV1tyLDTAqh6dxsd18hYWsDoSpjJarA=,tag:d6hgK6LSgu7vZbLfquKcyA==,type:str] - #ENC[AES256_GCM,data:YIIHR5DwXv3YE9fFvNSAfrm47ZsshZMcY31LbaJ4gwXo0yOOHe6qDEc=,iv:axSMsvrIOkJFlErvw9fcAwLNSEWDh6mUU6dWZu6icIo=,tag:MDNlk43vcI9S4o6tMiWVmw==,type:comment] - #ENC[AES256_GCM,data:8Wspw6gPIPBsumfRS/5dlZrAQQqBJEDMgcpip4a3HCfHq8SeVDv4Gl0j3hyZqUsP5af8nN69Y/9bas7z1hnIERkrb8DqYg==,iv:WqCz9vBfg1JxUEpd97J37YztSW3HkcOHa6nIJI4VK8I=,tag:+LxnOzGidF39ojPKSOrVsg==,type:comment] - AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:I9vuuPEGS6A135zwKUNXvSIAjwk=,iv:dByy2WuuhO6OluWXYRwkdMutK33yKwOcWkR9hvY5bsg=,tag:xHU7Hbx+sxuZ9CRymA55JQ==,type:str] - AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kRdbENGS1F32JzkvktYkbfhMGBSrUpFSfyCdIpJwLOc+/2TyHAMrxA==,iv:Q+UKNT9aRo+A0KWu/FiST/4bOQKTOBJKHhpP8JXD3ao=,tag:7VE8lx2QAdNutcUj5kMNNA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RE9wTDZVRlExcnVKYjVZ - THNtblNXbGlSUitoS0FYV2k3dlg3aWZEMWxjCmZETUFGSnR0c3JZU2FHNnFneHdB - TEdlYjJTcjNsSDQ0dmgvNWlnNWo4TWMKLS0tIGR2Q25heThUUGliY0ZicDNra1FN - dGppaVJiME1FQnkzdVJOeTZMcjhYWE0KBrGQAYun1Zs3oyHWQ8iGvmF4hheP3md4 - 
3/Lc9CqEC+V1lT9On8ivEBethjt528vCyVMM5pLMRBEO6CMjlNhJ+g== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-12-28T06:43:50Z" - mac: ENC[AES256_GCM,data:Zo2GQtU7ZqaviBO13/EWHSBgU11KTTCNaudRt7H1TO6VSl8xhtJNb+H+4WZSrf5TY4vtsbYqi46l2DybdtyWKd5z1gk/g7AKw2CPK7Nb8ARsH8F9VTcPr/5AMvHHM7kR0xL2jQsAh7iM+edGBFRaNcNQRxLFArfpgRgUslYMJB4=,iv:JddLCxRb7LYYZzIe/l8dHLNa0tp+LNi9/OtFEbi7Z4c=,tag:AmJlpTk775FaRzxyrKR/9A==,type:str] - pgp: [] - encrypted_regex: ^(data|stringData)$ - version: 3.7.3 diff --git a/kubernetes/apps/default/resilio-sync/claude/helmrelease.yaml b/kubernetes/apps/default/resilio-sync/claude/helmrelease.yaml index 88457f071..f85404be2 100644 --- a/kubernetes/apps/default/resilio-sync/claude/helmrelease.yaml +++ b/kubernetes/apps/default/resilio-sync/claude/helmrelease.yaml @@ -6,7 +6,7 @@ metadata: name: &app resilio-claude namespace: default spec: - interval: 15m + interval: 30m chart: spec: chart: app-template @@ -15,7 +15,7 @@ spec: kind: HelmRepository name: bjw-s namespace: flux-system - maxHistory: 3 + maxHistory: 2 install: createNamespace: true remediation: @@ -27,6 +27,9 @@ spec: uninstall: keepHistory: false values: + controller: + annotations: + reloader.stakater.com/auto: "true" image: repository: ghcr.io/auricom/resilio-sync tag: 2.7.3.1381-1@sha256:4f9dab7d50a4046b503686b766da6adbb627ff62f63587617cd46a468c810b11 @@ -62,7 +65,7 @@ spec: enabled: true type: configMap configMap: - name: resilio-claude-sync-conf + name: resilio-claude-configmap mountPath: /config/sync.conf subPath: sync.conf backups: diff --git a/kubernetes/apps/default/resilio-sync/claude/kustomization.yaml b/kubernetes/apps/default/resilio-sync/claude/kustomization.yaml index 060c5c2e2..c6cfa7f7c 100644 --- a/kubernetes/apps/default/resilio-sync/claude/kustomization.yaml +++ b/kubernetes/apps/default/resilio-sync/claude/kustomization.yaml 
@@ -4,11 +4,11 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namespace: default resources: - - backups - ./helmrelease.yaml + - ./volsync.yaml - ./volume.yaml configMapGenerator: - - name: resilio-claude-sync-conf + - name: resilio-claude-configmap files: - ./config/sync.conf generatorOptions: diff --git a/kubernetes/apps/default/resilio-sync/claude/volsync.yaml b/kubernetes/apps/default/resilio-sync/claude/volsync.yaml new file mode 100644 index 000000000..23e52366f --- /dev/null +++ b/kubernetes/apps/default/resilio-sync/claude/volsync.yaml @@ -0,0 +1,49 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: resilio-claude-restic + namespace: default +spec: + secretStoreRef: + kind: ClusterSecretStore + name: onepassword-connect + target: + name: resilio-claude-restic-secret + creationPolicy: Owner + template: + engineVersion: v2 + data: + RESTIC_REPOSITORY: '{{ .REPOSITORY_TEMPLATE }}/resilio-claude' + RESTIC_PASSWORD: '{{ .RESTIC_PASSWORD }}' + AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}' + AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}' + dataFrom: + - extract: + key: volsync-restic-template +--- +# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/volsync.backube/replicationsource_v1alpha1.json +apiVersion: volsync.backube/v1alpha1 +kind: ReplicationSource +metadata: + name: resilio-claude + namespace: default +spec: + sourcePVC: resilio-claude-config + trigger: + schedule: "0 7 * * *" + restic: + copyMethod: Snapshot + pruneIntervalDays: 7 + repository: resilio-claude-restic-secret + cacheCapacity: 2Gi + volumeSnapshotClassName: csi-ceph-blockpool + storageClassName: rook-ceph-block + moverSecurityContext: + runAsUser: 568 + runAsGroup: 568 + fsGroup: 568 + retain: + daily: 7 + within: 3d 
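Review bot: `RESTIC_PASSWORD`, `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` in this ExternalSecret are templated from the shared `volsync-restic-template` item, and the helene and sabnzbd ExternalSecrets in this same diff do the same, so one key pair and one repository password unlock every backup repository, and if those keys have write/delete rights on the bucket a compromised mover pod for any app can destroy the other apps' backups as well. The deleted sops secrets already shared the same values (their encrypted `RESTIC_PASSWORD` blobs are byte-identical), so this is carried over rather than introduced, but the move to 1Password is the natural moment to fix it: take the password from the app's own item, e.g. `RESTIC_PASSWORD: '{{ .RESILIO_CLAUDE_RESTIC_PASSWORD }}'`, and give the movers an append-only or object-locked credential if the backend supports one. Also note that sabnzbd, semaphore and smtp-relay gain a `cluster-apps-external-secrets-stores` dependency in their `ks.yaml` elsewhere in this diff while no resilio-sync `ks.yaml` change is visible; if that Kustomization lacks the dependency, the ReplicationSource can be reconciled before `resilio-claude-restic-secret` exists and the first scheduled run fails on a missing secret.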
diff --git a/kubernetes/apps/default/resilio-sync/helene/backups/kustomization.yaml b/kubernetes/apps/default/resilio-sync/helene/backups/kustomization.yaml deleted file mode 100644 index 57bca902d..000000000 --- a/kubernetes/apps/default/resilio-sync/helene/backups/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./replicationsource.yaml - - ./restic.sops.yaml diff --git a/kubernetes/apps/default/resilio-sync/helene/backups/replicationsource.yaml b/kubernetes/apps/default/resilio-sync/helene/backups/replicationsource.yaml deleted file mode 100644 index d27ff6f8b..000000000 --- a/kubernetes/apps/default/resilio-sync/helene/backups/replicationsource.yaml +++ /dev/null @@ -1,25 +0,0 @@ ---- -# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/replicationsource_v1alpha1.json -apiVersion: volsync.backube/v1alpha1 -kind: ReplicationSource -metadata: - name: resilio-helene - namespace: default -spec: - sourcePVC: resilio-helene-config - trigger: - schedule: "0 0 * * *" - restic: - copyMethod: Snapshot - pruneIntervalDays: 10 - repository: resilio-helene-restic - cacheCapacity: 2Gi - volumeSnapshotClassName: csi-ceph-blockpool - storageClassName: rook-ceph-block - moverSecurityContext: - runAsUser: 568 - runAsGroup: 568 - fsGroup: 568 - retain: - daily: 10 - within: 3d diff --git a/kubernetes/apps/default/resilio-sync/helene/backups/restic.sops.yaml b/kubernetes/apps/default/resilio-sync/helene/backups/restic.sops.yaml deleted file mode 100644 index b2d85639f..000000000 --- a/kubernetes/apps/default/resilio-sync/helene/backups/restic.sops.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: resilio-helene-restic - namespace: default -type: Opaque -stringData: - #ENC[AES256_GCM,data:WTM0Lkqp+sxjbUgkNzAVZQnC5g==,iv:4y8R8GpLy2Ogh3Lt3v6ibVbJF7jy8K1BOGi+ONt7S5c=,tag:wRhEBfRNHp0PBvIjM60iSA==,type:comment] - RESTIC_REPOSITORY: ENC[AES256_GCM,data:gGcefoNg68nJNdN4bBgvPlN8LtIp57igeI0w+51XbxvE61oudJm4H5ePqqIom+c4YA+r2MPyRtDcU3zZZZkJGQ==,iv:ujh8jWNTLBpN2YhtjjCPFkq4I3JVBQRdQsTiKeLTuMI=,tag:Bor468jY1eb2k1P4EJRsVg==,type:str] - #ENC[AES256_GCM,data:cRvGVeuDnEbJs01G+Und5ls1EgaC9Q2vj61IE/2R,iv:qSjv4bGEX9QWABhXgnCJsoj0p1kjgYaQwQX0Oyu9RHk=,tag:x8i1WXbAvdpC+Iv8pn/drw==,type:comment] - RESTIC_PASSWORD: ENC[AES256_GCM,data:6VI/lJQFZg6hu5r0SqNAKQAQGYY=,iv:UYRMnkHB4jsXcV1tyLDTAqh6dxsd18hYWsDoSpjJarA=,tag:d6hgK6LSgu7vZbLfquKcyA==,type:str] - #ENC[AES256_GCM,data:YIIHR5DwXv3YE9fFvNSAfrm47ZsshZMcY31LbaJ4gwXo0yOOHe6qDEc=,iv:axSMsvrIOkJFlErvw9fcAwLNSEWDh6mUU6dWZu6icIo=,tag:MDNlk43vcI9S4o6tMiWVmw==,type:comment] - #ENC[AES256_GCM,data:8Wspw6gPIPBsumfRS/5dlZrAQQqBJEDMgcpip4a3HCfHq8SeVDv4Gl0j3hyZqUsP5af8nN69Y/9bas7z1hnIERkrb8DqYg==,iv:WqCz9vBfg1JxUEpd97J37YztSW3HkcOHa6nIJI4VK8I=,tag:+LxnOzGidF39ojPKSOrVsg==,type:comment] - AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:I9vuuPEGS6A135zwKUNXvSIAjwk=,iv:dByy2WuuhO6OluWXYRwkdMutK33yKwOcWkR9hvY5bsg=,tag:xHU7Hbx+sxuZ9CRymA55JQ==,type:str] - AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kRdbENGS1F32JzkvktYkbfhMGBSrUpFSfyCdIpJwLOc+/2TyHAMrxA==,iv:Q+UKNT9aRo+A0KWu/FiST/4bOQKTOBJKHhpP8JXD3ao=,tag:7VE8lx2QAdNutcUj5kMNNA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RE9wTDZVRlExcnVKYjVZ - THNtblNXbGlSUitoS0FYV2k3dlg3aWZEMWxjCmZETUFGSnR0c3JZU2FHNnFneHdB - TEdlYjJTcjNsSDQ0dmgvNWlnNWo4TWMKLS0tIGR2Q25heThUUGliY0ZicDNra1FN - dGppaVJiME1FQnkzdVJOeTZMcjhYWE0KBrGQAYun1Zs3oyHWQ8iGvmF4hheP3md4 - 
3/Lc9CqEC+V1lT9On8ivEBethjt528vCyVMM5pLMRBEO6CMjlNhJ+g== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-12-28T06:38:55Z" - mac: ENC[AES256_GCM,data:q9w22A6MR1+1SYCuwEcXlNqf02paU/dLuU0VbL3RJ5zTu5Se4Z+aiA6bTFffhBjusdDQFtfOU4YfFO/OGEyYyA68vjugG8n8OrF7BsSBB9ZjX2C+jwxH+vDHTf+X1FxjhipzX+PuNlTKfHLHe5vvLlKAPeftHy2wpzFb31zU69s=,iv:fBKgliHL7/dEEXL/E/snkX0J3e79gZ3KVtoH/MCkZ6c=,tag:bnd3E1CB8rtOCyZMFnQR5g==,type:str] - pgp: [] - encrypted_regex: ^(data|stringData)$ - version: 3.7.3 diff --git a/kubernetes/apps/default/resilio-sync/helene/helmrelease.yaml b/kubernetes/apps/default/resilio-sync/helene/helmrelease.yaml index 6820c35d3..a83598242 100644 --- a/kubernetes/apps/default/resilio-sync/helene/helmrelease.yaml +++ b/kubernetes/apps/default/resilio-sync/helene/helmrelease.yaml @@ -6,7 +6,7 @@ metadata: name: &app resilio-helene namespace: default spec: - interval: 15m + interval: 30m chart: spec: chart: app-template @@ -15,7 +15,7 @@ spec: kind: HelmRepository name: bjw-s namespace: flux-system - maxHistory: 3 + maxHistory: 2 install: createNamespace: true remediation: @@ -27,6 +27,9 @@ spec: uninstall: keepHistory: false values: + controller: + annotations: + reloader.stakater.com/auto: "true" image: repository: ghcr.io/auricom/resilio-sync tag: 2.7.3.1381-1@sha256:4f9dab7d50a4046b503686b766da6adbb627ff62f63587617cd46a468c810b11 @@ -62,7 +65,7 @@ spec: enabled: true type: configMap configMap: - name: resilio-helene-sync-conf + name: resilio-helene-configmap mountPath: /config/sync.conf subPath: sync.conf backups: diff --git a/kubernetes/apps/default/resilio-sync/helene/kustomization.yaml b/kubernetes/apps/default/resilio-sync/helene/kustomization.yaml index d83ab4fd2..f21c0423a 100644 --- a/kubernetes/apps/default/resilio-sync/helene/kustomization.yaml +++ b/kubernetes/apps/default/resilio-sync/helene/kustomization.yaml 
@@ -4,11 +4,11 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namespace: default resources: - - backups - ./helmrelease.yaml + - ./volsync.yaml - ./volume.yaml configMapGenerator: - - name: resilio-helene-sync-conf + - name: resilio-helene-configmap files: - ./config/sync.conf generatorOptions: diff --git a/kubernetes/apps/default/resilio-sync/helene/volsync.yaml b/kubernetes/apps/default/resilio-sync/helene/volsync.yaml new file mode 100644 index 000000000..114197e46 --- /dev/null +++ b/kubernetes/apps/default/resilio-sync/helene/volsync.yaml @@ -0,0 +1,49 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: resilio-helene-restic + namespace: default +spec: + secretStoreRef: + kind: ClusterSecretStore + name: onepassword-connect + target: + name: resilio-helene-restic-secret + creationPolicy: Owner + template: + engineVersion: v2 + data: + RESTIC_REPOSITORY: '{{ .REPOSITORY_TEMPLATE }}/resilio-helene' + RESTIC_PASSWORD: '{{ .RESTIC_PASSWORD }}' + AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}' + AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}' + dataFrom: + - extract: + key: volsync-restic-template +--- +# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/volsync.backube/replicationsource_v1alpha1.json +apiVersion: volsync.backube/v1alpha1 +kind: ReplicationSource +metadata: + name: resilio-helene + namespace: default +spec: + sourcePVC: resilio-helene-config + trigger: + schedule: "0 7 * * *" + restic: + copyMethod: Snapshot + pruneIntervalDays: 7 + repository: resilio-helene-restic-secret + cacheCapacity: 2Gi + volumeSnapshotClassName: csi-ceph-blockpool + storageClassName: rook-ceph-block + moverSecurityContext: + runAsUser: 568 + runAsGroup: 568 + fsGroup: 568 + retain: + daily: 7 + within: 3d 
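Review bot: The mover pod holds live S3 credentials and the repository password, yet `moverSecurityContext` only sets the uid/gid triple; adding `runAsNonRoot: true` and `seccompProfile: {type: RuntimeDefault}` under it (VolSync treats `moverSecurityContext` as a pod-level securityContext, so both fields apply) makes the kubelet refuse to start the mover as uid 0 should the image or a later edit change the user, and keeps the pod admissible under a `restricted` Pod Security Standard if the namespace ever adopts one. `runAsUser: 568` already implies non-root, but `runAsNonRoot` turns that convention into an enforced check.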
diff --git a/kubernetes/apps/default/sabnzbd/app/backups/kustomization.yaml b/kubernetes/apps/default/sabnzbd/app/backups/kustomization.yaml deleted file mode 100644 index 57bca902d..000000000 --- a/kubernetes/apps/default/sabnzbd/app/backups/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./replicationsource.yaml - - ./restic.sops.yaml diff --git a/kubernetes/apps/default/sabnzbd/app/backups/replicationsource.yaml b/kubernetes/apps/default/sabnzbd/app/backups/replicationsource.yaml deleted file mode 100644 index 95d8323ab..000000000 --- a/kubernetes/apps/default/sabnzbd/app/backups/replicationsource.yaml +++ /dev/null @@ -1,25 +0,0 @@ ---- -# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/replicationsource_v1alpha1.json -apiVersion: volsync.backube/v1alpha1 -kind: ReplicationSource -metadata: - name: sabnzbd - namespace: default -spec: - sourcePVC: sabnzbd-config - trigger: - schedule: "0 0 * * *" - restic: - copyMethod: Snapshot - pruneIntervalDays: 10 - repository: sabnzbd-restic - cacheCapacity: 2Gi - volumeSnapshotClassName: csi-ceph-blockpool - storageClassName: rook-ceph-block - moverSecurityContext: - runAsUser: 568 - runAsGroup: 568 - fsGroup: 568 - retain: - daily: 10 - within: 3d diff --git a/kubernetes/apps/default/sabnzbd/app/backups/restic.sops.yaml b/kubernetes/apps/default/sabnzbd/app/backups/restic.sops.yaml deleted file mode 100644 index 94b5f4151..000000000 --- a/kubernetes/apps/default/sabnzbd/app/backups/restic.sops.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: sabnzbd-restic - namespace: default -type: Opaque -stringData: - #ENC[AES256_GCM,data:WTM0Lkqp+sxjbUgkNzAVZQnC5g==,iv:4y8R8GpLy2Ogh3Lt3v6ibVbJF7jy8K1BOGi+ONt7S5c=,tag:wRhEBfRNHp0PBvIjM60iSA==,type:comment] - RESTIC_REPOSITORY: ENC[AES256_GCM,data:1MHDHUB4FpcpVcG2S76kldKBBRyDkt5RojedKnueMfqVB54XZgtQ+eUjjoLAlxedC0YdIb52q7li,iv:BSebPLGLm1DQV5ehrHq9rG2eUtqWdqGshX5/aBJDgz8=,tag:pZLHq8OuMXnj9phtLeLMuw==,type:str] - #ENC[AES256_GCM,data:cRvGVeuDnEbJs01G+Und5ls1EgaC9Q2vj61IE/2R,iv:qSjv4bGEX9QWABhXgnCJsoj0p1kjgYaQwQX0Oyu9RHk=,tag:x8i1WXbAvdpC+Iv8pn/drw==,type:comment] - RESTIC_PASSWORD: ENC[AES256_GCM,data:6VI/lJQFZg6hu5r0SqNAKQAQGYY=,iv:UYRMnkHB4jsXcV1tyLDTAqh6dxsd18hYWsDoSpjJarA=,tag:d6hgK6LSgu7vZbLfquKcyA==,type:str] - #ENC[AES256_GCM,data:YIIHR5DwXv3YE9fFvNSAfrm47ZsshZMcY31LbaJ4gwXo0yOOHe6qDEc=,iv:axSMsvrIOkJFlErvw9fcAwLNSEWDh6mUU6dWZu6icIo=,tag:MDNlk43vcI9S4o6tMiWVmw==,type:comment] - #ENC[AES256_GCM,data:8Wspw6gPIPBsumfRS/5dlZrAQQqBJEDMgcpip4a3HCfHq8SeVDv4Gl0j3hyZqUsP5af8nN69Y/9bas7z1hnIERkrb8DqYg==,iv:WqCz9vBfg1JxUEpd97J37YztSW3HkcOHa6nIJI4VK8I=,tag:+LxnOzGidF39ojPKSOrVsg==,type:comment] - AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:I9vuuPEGS6A135zwKUNXvSIAjwk=,iv:dByy2WuuhO6OluWXYRwkdMutK33yKwOcWkR9hvY5bsg=,tag:xHU7Hbx+sxuZ9CRymA55JQ==,type:str] - AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kRdbENGS1F32JzkvktYkbfhMGBSrUpFSfyCdIpJwLOc+/2TyHAMrxA==,iv:Q+UKNT9aRo+A0KWu/FiST/4bOQKTOBJKHhpP8JXD3ao=,tag:7VE8lx2QAdNutcUj5kMNNA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RE9wTDZVRlExcnVKYjVZ - THNtblNXbGlSUitoS0FYV2k3dlg3aWZEMWxjCmZETUFGSnR0c3JZU2FHNnFneHdB - TEdlYjJTcjNsSDQ0dmgvNWlnNWo4TWMKLS0tIGR2Q25heThUUGliY0ZicDNra1FN - dGppaVJiME1FQnkzdVJOeTZMcjhYWE0KBrGQAYun1Zs3oyHWQ8iGvmF4hheP3md4 - 
3/Lc9CqEC+V1lT9On8ivEBethjt528vCyVMM5pLMRBEO6CMjlNhJ+g== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-12-28T08:26:24Z" - mac: ENC[AES256_GCM,data:oilRwF4uQM17O8OIGqduE1UBuQ9xFZE0KGNGJ0gvlEuDxhsA72mIfhXc2sDnPlab+Z8EZY7w0OjCgKI9jUOXW/1W19PhhvF2UbbqK+FR7dTNo0ZtZ+tlu9+dfAylyQwLcWCvc6wbatx5igi4v9R8E4d8/ul7A/jrGPEAsDqNflg=,iv:UI/MdEx2O3JC8nd9nmiCbkJeEhe2TefRB7jpvQCAJc4=,tag:Nmbw7j/cvhKnGFP+XORGEA==,type:str] - pgp: [] - encrypted_regex: ^(data|stringData)$ - version: 3.7.3 diff --git a/kubernetes/apps/default/sabnzbd/app/externalsecret.yaml b/kubernetes/apps/default/sabnzbd/app/externalsecret.yaml new file mode 100644 index 000000000..4c0f9bba4 --- /dev/null +++ b/kubernetes/apps/default/sabnzbd/app/externalsecret.yaml @@ -0,0 +1,18 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: sabnzbd + namespace: default +spec: + secretStoreRef: + kind: ClusterSecretStore + name: onepassword-connect + target: + name: sabnzbd-secret + creationPolicy: Owner + dataFrom: + - extract: + # SABNZBD__API_KEY, SABNZBD__NZB_KEY + key: sabnzbd diff --git a/kubernetes/apps/default/sabnzbd/app/helmrelease.yaml b/kubernetes/apps/default/sabnzbd/app/helmrelease.yaml index 06a13832a..4bdf25d8e 100644 --- a/kubernetes/apps/default/sabnzbd/app/helmrelease.yaml +++ b/kubernetes/apps/default/sabnzbd/app/helmrelease.yaml @@ -6,7 +6,7 @@ metadata: name: &app sabnzbd namespace: default spec: - interval: 15m + interval: 30m chart: spec: chart: app-template @@ -15,7 +15,7 @@ spec: kind: HelmRepository name: bjw-s namespace: flux-system - maxHistory: 3 + maxHistory: 2 install: createNamespace: true remediation: 
@@ -27,6 +27,9 @@ spec: uninstall: keepHistory: false values: + controller: + annotations: + reloader.stakater.com/auto: "true" image: repository: ghcr.io/onedr0p/sabnzbd tag: 4.0.3@sha256:aff676e3c234f7a4493c75813e296c347c02b6e5374acd1858f8244ea44f2b4a @@ -42,7 +45,7 @@ spec: sabnzbd.${SECRET_CLUSTER_DOMAIN} envFrom: - secretRef: - name: *app + name: sabnzbd-secret service: main: ports: diff --git a/kubernetes/apps/default/sabnzbd/app/kustomization.yaml b/kubernetes/apps/default/sabnzbd/app/kustomization.yaml index 0753c22a3..f082c6d3b 100644 --- a/kubernetes/apps/default/sabnzbd/app/kustomization.yaml +++ b/kubernetes/apps/default/sabnzbd/app/kustomization.yaml @@ -4,7 +4,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namespace: default resources: - - ./backups + - ./externalsecret.yaml - ./helmrelease.yaml - - ./secret.sops.yaml + - ./volsync.yaml - ./volume.yaml diff --git a/kubernetes/apps/default/sabnzbd/app/secret.sops.yaml b/kubernetes/apps/default/sabnzbd/app/secret.sops.yaml deleted file mode 100644 index 9f87ed011..000000000 --- a/kubernetes/apps/default/sabnzbd/app/secret.sops.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -# yamllint disable -apiVersion: v1 -kind: Secret -metadata: - name: sabnzbd - namespace: default -type: Opaque -stringData: - SABNZBD__API_KEY: ENC[AES256_GCM,data:6VgnjcgBVwvaKqWPNisOfct6smrVostiIR/yuoYqjco=,iv:WW1b7LJgG4CWEEm7ETwwXlfu3fG345YAvqi1dlsS8cg=,tag:nZSAbcWxwyXjKnwyVYt/Ug==,type:str] - SABNZBD__NZB_KEY: ENC[AES256_GCM,data:RoNUH0En29584v+m85gqlwIrLJ3aP5al0161FTnXGko=,iv:3u/uzWLe1f84WquDjrxXXdArcL1BeF6cNplImjP1yoE=,tag:xoPmImdecg/2twtVRzJh/g==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoN0VJaHVYcXNDZDlZUGRn - YUViZDU0TCtmbzkycUpiZUVDbkluSzdSM2hVClpMRDdKREJBZEpEYUIxUGlIem9Q - Z08rVUVLUFhWNGdncElCR2hFVFNJUEUKLS0tIDZzcDVyb0lMTzRrNStBRU1KN2wy - OU81anNCMk13bXNXRVM3ZWcxTjd6SUkKd5FvLfeXe4p7j5eryl9ZuVh6oT920yiy - hsaI1Cwm2WH55lR++P1jtIyTo+lOL5M+IZUeyC7LXBpMp2UBNbllcw== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-12-28T08:25:52Z" - mac: ENC[AES256_GCM,data:xCWHBq+s8wEUYhPYxE8XlJXJNeGf9w3MaNI7qrDucupXYxl3gnIiixjArRSk3oc2NuqUiNJF5pFlECHaj24/qvLQNftkWlulT3CxFHZ90/L+mK33h7dtOHmjNkqUtCmQgjylpPyT0MLWuYGC7WpcdCyficKk6OUc3F9BXbovbnM=,iv:Gii2DWFNLyy8yBCXwQqaUb9ewVtbkHDEhOz7p379YLA=,tag:HnfsqBeBu6B70eM+GDYXZg==,type:str] - pgp: [] - encrypted_regex: ^(data|stringData)$ - version: 3.7.3 diff --git a/kubernetes/apps/default/sabnzbd/app/volsync.yaml b/kubernetes/apps/default/sabnzbd/app/volsync.yaml new file mode 100644 index 000000000..47a96ae52 --- /dev/null +++ b/kubernetes/apps/default/sabnzbd/app/volsync.yaml 
@@ -0,0 +1,49 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: sabnzbd-restic + namespace: default +spec: + secretStoreRef: + kind: ClusterSecretStore + name: onepassword-connect + target: + name: sabnzbd-restic-secret + creationPolicy: Owner + template: + engineVersion: v2 + data: + RESTIC_REPOSITORY: '{{ .REPOSITORY_TEMPLATE }}/sabnzbd' + RESTIC_PASSWORD: '{{ .RESTIC_PASSWORD }}' + AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}' + AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}' + dataFrom: + - extract: + key: volsync-restic-template +--- +# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/volsync.backube/replicationsource_v1alpha1.json +apiVersion: volsync.backube/v1alpha1 +kind: ReplicationSource +metadata: + name: sabnzbd + namespace: default +spec: + sourcePVC: sabnzbd-config + trigger: + schedule: "0 7 * * *" + restic: + copyMethod: Snapshot + pruneIntervalDays: 7 + repository: sabnzbd-restic-secret + cacheCapacity: 2Gi + volumeSnapshotClassName: csi-ceph-blockpool + storageClassName: rook-ceph-block + moverSecurityContext: + runAsUser: 568 + runAsGroup: 568 + fsGroup: 568 + retain: + daily: 7 + within: 3d diff --git a/kubernetes/apps/default/sabnzbd/ks.yaml b/kubernetes/apps/default/sabnzbd/ks.yaml index 99765bf71..370fb16a0 100644 --- a/kubernetes/apps/default/sabnzbd/ks.yaml +++ b/kubernetes/apps/default/sabnzbd/ks.yaml @@ -9,6 +9,7 @@ metadata: substitution.flux.home.arpa/enabled: "true" spec: dependsOn: + - name: cluster-apps-external-secrets-stores - name: cluster-apps-rook-ceph-cluster - name: cluster-apps-volsync-app path: ./kubernetes/apps/default/sabnzbd/app diff --git a/kubernetes/apps/default/semaphore/app/externalsecret.yaml b/kubernetes/apps/default/semaphore/app/externalsecret.yaml new file mode 100644 index 000000000..96ba5f95f --- /dev/null 
+++ b/kubernetes/apps/default/semaphore/app/externalsecret.yaml @@ -0,0 +1,37 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: semaphore + namespace: default +spec: + secretStoreRef: + kind: ClusterSecretStore + name: onepassword-connect + target: + name: semaphore-secret + creationPolicy: Owner + template: + data: + # Ansible Semaphore + SEMAPHORE_DB_USER: &dbUser "{{ .POSTGRES_USER }}" + SEMAPHORE_DB_PASS: &dbPass "{{ .POSTGRES_PASS }}" + SEMAPHORE_DB_HOST: &dbHost postgres-rw.default.svc.cluster.local + SEMAPHORE_DB_PORT: "5432" + SEMAPHORE_DB: &dbName semaphore + SEMAPHORE_ADMIN_PASSWORD: "{{ .SEMAPHORE_ADMIN_PASSWORD }}" + SEMAPHORE_ADMIN_NAME: "{{ .SEMAPHORE_ADMIN_NAME }}" + SEMAPHORE_ADMIN: "{{ .SEMAPHORE_ADMIN }}" + SEMAPHORE_ACCESS_KEY_ENCRYPTION: "{{ .SEMAPHORE_ACCESS_KEY_ENCRYPTION }}" + # Postgres Init + INIT_POSTGRES_DBNAME: *dbName + INIT_POSTGRES_HOST: *dbHost + INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" + INIT_POSTGRES_USER: *dbUser + INIT_POSTGRES_PASS: *dbPass + dataFrom: + - extract: + key: cloudnative-pg + - extract: + key: semaphore diff --git a/kubernetes/apps/default/semaphore/app/helmrelease.yaml b/kubernetes/apps/default/semaphore/app/helmrelease.yaml index 37d94b15d..32f619397 100644 --- a/kubernetes/apps/default/semaphore/app/helmrelease.yaml +++ b/kubernetes/apps/default/semaphore/app/helmrelease.yaml @@ -6,7 +6,7 @@ metadata: name: semaphore namespace: default spec: - interval: 15m + interval: 30m chart: spec: chart: app-template @@ -15,7 +15,7 @@ spec: kind: HelmRepository name: bjw-s namespace: flux-system - maxHistory: 3 + maxHistory: 2 install: createNamespace: true remediation: 
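Review bot: The template reads the app's database identity as `.POSTGRES_USER` / `.POSTGRES_PASS`, while the sharry ExternalSecret added in this same diff reads `.POSTGRES_USERNAME` / `.POSTGRES_PASSWORD`; both merge the shared `cloudnative-pg` item with an app-specific item through two `dataFrom` extracts, and as far as I recall ESO lets later extract entries override earlier ones, so whichever item happens to define a colliding key last silently decides what lands in `INIT_POSTGRES_USER` and `INIT_POSTGRES_PASS`, and a key present in neither renders as an empty or placeholder credential rather than failing reconciliation. Settle on one naming convention across apps and pull the shared superuser password through an explicit `data` entry with a `remoteRef` (or a `dataFrom` `rewrite` prefix) so an app-item key can never shadow it. This ExternalSecret also omits `engineVersion: v2`, which the sharry and volsync ExternalSecrets set; add it for consistency unless the installed ESO version is known to default to v2.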
@@ -28,11 +28,12 @@ spec: keepHistory: false values: initContainers: - init-db: - image: ghcr.io/onedr0p/postgres-initdb:14.8 - envFrom: + 01-init-db: + image: ghcr.io/onedr0p/postgres-init:14.8 + imagePullPolicy: IfNotPresent + envFrom: &envFrom - secretRef: - name: semaphore-secret + name: &secret semaphore-secret controller: annotations: reloader.stakater.com/auto: "true" @@ -40,12 +41,11 @@ spec: repository: docker.io/semaphoreui/semaphore tag: v2.8.91 env: + SEMAPHORE_DB_DIALECT: postgres SEMAPHORE_LDAP_ACTIVATED: "no" SEMAPHORE_PLAYBOOK_PATH: /tmp/semaphore/ SEMAPHORE_ADMIN_EMAIL: "${SECRET_CLUSTER_DOMAIN_EMAIL}" - envFrom: - - secretRef: - name: semaphore-secret + envFrom: *envFrom service: main: ports: diff --git a/kubernetes/apps/default/semaphore/app/kustomization.yaml b/kubernetes/apps/default/semaphore/app/kustomization.yaml index 174d4b6e6..85e530b33 100644 --- a/kubernetes/apps/default/semaphore/app/kustomization.yaml +++ b/kubernetes/apps/default/semaphore/app/kustomization.yaml @@ -4,5 +4,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namespace: default resources: + - ./externalsecret.yaml - ./helmrelease.yaml - - ./secret.sops.yaml diff --git a/kubernetes/apps/default/semaphore/app/secret.sops.yaml b/kubernetes/apps/default/semaphore/app/secret.sops.yaml deleted file mode 100644 index fc8287c07..000000000 --- a/kubernetes/apps/default/semaphore/app/secret.sops.yaml +++ /dev/null 
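Review bot: The `&envFrom` anchor defined on `01-init-db` is reused as `envFrom: *envFrom` on the main container in the second hunk, so `INIT_POSTGRES_SUPER_PASS` from `semaphore-secret` ends up in the Semaphore process environment, readable via `/proc/<pid>/environ` by anything that runs inside that container; Semaphore's purpose is to execute playbooks on behalf of users, so a Postgres superuser credential there is a short path from any task or RCE to the whole database cluster. Split the secret so the init container receives only the `INIT_POSTGRES_*` keys and the app only the `SEMAPHORE_*` keys, for example a second ExternalSecret targeting `semaphore-initdb-secret` and two explicit `envFrom` lists instead of the shared anchor. The old sops layout had the same exposure, so this is pre-existing, but the anchor now hard-wires it.
```yaml
initContainers:
  01-init-db:
    image: ghcr.io/onedr0p/postgres-init:14.8
    imagePullPolicy: IfNotPresent
    envFrom:
      - secretRef:
          name: semaphore-initdb-secret
# … unchanged: controller / image / env …
envFrom:
  - secretRef:
      name: semaphore-secret
```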
@@ -1,45 +0,0 @@ -# yamllint disable -apiVersion: v1 -kind: Secret -metadata: - name: semaphore-secret - namespace: default -type: Opaque -stringData: - #ENC[AES256_GCM,data:sgvfTo/EWQFqeQ2xZ/iLCPov,iv:SF3b5MYuNOSlK+o4hLGHOk9e1vSpN7kSQUSrhTIA2tc=,tag:dpKEfawky8MPqniHVZ52Sw==,type:comment] - SEMAPHORE_DB_DIALECT: ENC[AES256_GCM,data:nyDaS8zCV4o=,iv:YCQiaTeAxm4bGCeNx6kJI8u/hOlQ36C97Fuef5FenNs=,tag:75QZEHB0cF92NaPjbd44KA==,type:str] - SEMAPHORE_DB_USER: ENC[AES256_GCM,data:FOFePOCsxamf,iv:556TKMhCRhHWEyPwLvFPFMwmo9RKiz1pW9OJJUsSwgk=,tag:6rPAfthdf73N1X83S+UynQ==,type:str] - SEMAPHORE_DB_PASS: ENC[AES256_GCM,data:Nl66upZmTE4xykvseIqtsS2w5G4=,iv:QkW7oGqDyY9G5yi1yMAhw3y48RmPGWqoKNL9tlUm5MU=,tag:Wu5fPPywslQOC8dGBea0bw==,type:str] - SEMAPHORE_DB_HOST: ENC[AES256_GCM,data:SlxTav3/SdtmeLD+NdB6oo8rb58FMYeM3odW4gey2OWGIwmzvw==,iv:Udz0Nu9zIk/h+8vur9wfC92iK5RjSpAoyV1Z4pb/5sY=,tag:zJPys79V5yz04nvj0VlcKg==,type:str] - SEMAPHORE_DB_PORT: ENC[AES256_GCM,data:qvnfig==,iv:jBXljtUMN7IM1JZHBa35FpwVdiKdOXKDJYJGeH1wTQU=,tag:PbwIlXX2CMRWxUnmKoDsSQ==,type:str] - SEMAPHORE_DB: ENC[AES256_GCM,data:v1dS1uIC8tGz,iv:nUz0Q88R/CnDmKuc//YqaAq3Mkbi+6miWkf9W0xmMbE=,tag:YopXWX3B70HHxq1Gc8NqUQ==,type:str] - SEMAPHORE_ADMIN_PASSWORD: ENC[AES256_GCM,data:yLiUSF9VyLN5YNfvAafUaV0KyaA=,iv:4BV3mxZMso0u2c/5jCAaEHbqijZiaLvATM6kJmcCvKY=,tag:tmHatfh3jHUX4MAzcUM7XQ==,type:str] - SEMAPHORE_ADMIN_NAME: ENC[AES256_GCM,data:zXt5NHSg,iv:NN/j6bFE03XbljhzQiTTkRRHqx/YU0nWHpGzjTKdC5Y=,tag:dteln0PGY4+b4hzaa7/mWw==,type:str] - SEMAPHORE_ADMIN: ENC[AES256_GCM,data:FMxAjLY=,iv:Oj9N3OBgAHBO+FAaqbMy70/F8hloUHWx8lXpUuaY6m0=,tag:xCw/C2s15dMSbD5z8wPhVA==,type:str] - SEMAPHORE_ACCESS_KEY_ENCRYPTION: ENC[AES256_GCM,data:ct9BMd7uE0DcD2kHsNkqD5vnfpAwLKLHImJu1ih56CHmhV03d3OrYDjHQ1g=,iv:MFCc4EvM40Q+1+xK5zTYXhFGkfEvkLmZuIbkOZI/0U4=,tag:sOkZUUNlikdeUp6Ax+Og4w==,type:str] - #ENC[AES256_GCM,data:G9yw2//y27PlVIHYhgA=,iv:qJ+cx+HixCnkGSARdo5fFYDJQT3jHearN00HeO0EwMk=,tag:yPer6XrUnfpKwrdsBlSkRA==,type:comment] - POSTGRES_DB: 
ENC[AES256_GCM,data:tsx2YRZtnx9u,iv:8zVFcdkLjSmbFgHXafyTBeXNmzTvvo9b5WPNRbtLHAM=,tag:yXOIDOp8Hm0dQuKfs5k1ig==,type:str] - POSTGRES_HOST: ENC[AES256_GCM,data:J7athqTJ9IEmr754JHpXxX7OepWTfuwxRCVUhy9cs/C+60nFNw==,iv:7q7sjl2SlIeDxRMtmf6ojU7hQ7wfH4dS/lheSz8TstI=,tag:SC/84LbwWT+ZxBflXvaHpw==,type:str] - POSTGRES_SUPER_PASS: ENC[AES256_GCM,data:vihjmp4ehKUnXu4G3fxz/g==,iv:JGU0/W49NuacVNK5FE4Y8xviVT9nKhcJxuoZYj1UYDA=,tag:XIb324L6UHD/eu5omlRLEw==,type:str] - POSTGRES_PASS: ENC[AES256_GCM,data:qgKq9wFrS11Ts3brLGV7xJfbkE0=,iv:Jy3leaCr7MljBCpKzVDiyroBQw37W1/GIw9itA/Pb7o=,tag:0JnelzWhN2oXCsMRlRW2Cw==,type:str] - POSTGRES_USER: ENC[AES256_GCM,data:oNBXe1ln8LlO,iv:tgGEQyNy8aS2Gjm8yZR0rVzWN1FEcCKanjUKGAlbrkg=,tag:jeA4HSoK3kSFqvJTFyWGMw==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJaU16anJNV2pBZmxPR3h2 - bWREUnpjcTFvd05ZQ2E4VVBDdm1FL2k4WEYwCkdQSStTNWtpdjNkUW51WS9MekdC - VkpTUUFjSjY2a1JMOUtqOVh5M0JRR2sKLS0tIDRmcWpJSEVvaUp4U1lsaTZYZGNw - OGVKWU0zNUZJSFh4aFJxQWFsYm1VeFkKaDeI/hl7z0Qh8t5W39Kxu9ert1dt4xo+ - LX+MjpVqxiZNcfwROD4bkWeQSN+VsxoGOOyj4L15BlggNnlg+L7Hww== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-01-20T21:37:28Z" - mac: ENC[AES256_GCM,data:dagIu0cei3FxxV9iiLhHWimUpO///hZ2e/GaZ99go9XgVuMuJ5Nu3xLrgV/49qs4gQDsqA6XEoTeOpWK+6geO2k/dFxYQZixj3SH3CpWyrGl6lc+yFDLuCHLklh0OpKG9x7R9BlUkWt1M27Tmr1mdV6NZXqOZazJp4bT/ucETIE=,iv:LVi/RYrruDCk0C9LcyxSW1kO3zRKKJh1LLl5FYq325w=,tag:ng6MhZofV1t2XSghYC8u/Q==,type:str] - pgp: [] - encrypted_regex: ^(data|stringData)$ - version: 3.7.3 diff --git a/kubernetes/apps/default/semaphore/ks.yaml b/kubernetes/apps/default/semaphore/ks.yaml index 081145b2c..e24604968 100644 --- a/kubernetes/apps/default/semaphore/ks.yaml +++ b/kubernetes/apps/default/semaphore/ks.yaml 
@@ -9,6 +9,7 @@ metadata: substitution.flux.home.arpa/enabled: "true" spec: dependsOn: + - name: cluster-apps-external-secrets-stores - name: cluster-apps-cloudnative-pg-app path: ./kubernetes/apps/default/semaphore/app prune: true diff --git a/kubernetes/apps/default/sharry/app/externalsecret.yaml b/kubernetes/apps/default/sharry/app/externalsecret.yaml new file mode 100644 index 000000000..bc25ba2c5 --- /dev/null +++ b/kubernetes/apps/default/sharry/app/externalsecret.yaml @@ -0,0 +1,28 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: sharry + namespace: default +spec: + secretStoreRef: + kind: ClusterSecretStore + name: onepassword-connect + target: + name: sharry-secret + creationPolicy: Owner + template: + engineVersion: v2 + data: + # Postgres Init + INIT_POSTGRES_DBNAME: sharry + INIT_POSTGRES_HOST: postgres-rw.default.svc.cluster.local + INIT_POSTGRES_USER: "{{ .POSTGRES_USERNAME }}" + INIT_POSTGRES_PASS: "{{ .POSTGRES_PASSWORD }}" + INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" + dataFrom: + - extract: + key: cloudnative-pg + - extract: + key: sharry diff --git a/kubernetes/apps/default/sharry/app/helmrelease.yaml b/kubernetes/apps/default/sharry/app/helmrelease.yaml index 86b74f867..7a698577f 100644 --- a/kubernetes/apps/default/sharry/app/helmrelease.yaml +++ b/kubernetes/apps/default/sharry/app/helmrelease.yaml @@ -6,7 +6,7 @@ metadata: name: &app sharry namespace: default spec: - interval: 15m + interval: 30m chart: spec: chart: app-template @@ -15,7 +15,7 @@ spec: kind: HelmRepository name: bjw-s namespace: flux-system - maxHistory: 3 + maxHistory: 2 install: createNamespace: true remediation: 
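Review bot: This ExternalSecret carries only the `INIT_POSTGRES_*` bootstrap values; the credentials Sharry itself connects with are not in it and presumably sit in `./config/sharry.conf`, which the kustomization renders as a plain ConfigMap and which this diff does not touch, so the user/password the init container now creates from `.POSTGRES_USERNAME` / `.POSTGRES_PASSWORD` has to be kept in step with that file by hand, and if the password is literally in `sharry.conf` it is committed in cleartext. Consider templating the database section of that file from this ExternalSecret (a templated file key in the secret mounted in place of the ConfigMap, or an environment override if the app supports one) so there is a single source for that credential. The deleted `patches/postgres.yaml` used `${SECRET_SHARRY_DB_USERNAME}` / `${SECRET_SHARRY_DB_PASSWORD}` substitutions for the same value, which suggests the config file was substituted the same way; verify the app still authenticates after this migration.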
@@ -27,9 +27,16 @@ spec: uninstall: keepHistory: false values: + initContainers: + 01-init-db: + image: ghcr.io/onedr0p/postgres-init:14.8 + imagePullPolicy: IfNotPresent + envFrom: &envFrom + - secretRef: + name: &secret sharry-secret controller: - replicas: 1 - strategy: Recreate + annotations: + reloader.stakater.com/auto: "true" image: repository: eikek0/sharry tag: v1.12.1 @@ -56,9 +63,6 @@ spec: tls: - hosts: - *host - podAnnotations: - configMap.reloader.stakater.com/reload: *app - secret.reloader.stakater.com/reload: *app resources: requests: cpu: 50m @@ -69,6 +73,6 @@ spec: config: enabled: true type: configMap - name: sharry + name: sharry-configmap mountPath: /opt/sharry.conf subPath: sharry.conf diff --git a/kubernetes/apps/default/sharry/app/kustomization.yaml b/kubernetes/apps/default/sharry/app/kustomization.yaml index f0a7bdda9..45fa40280 100644 --- a/kubernetes/apps/default/sharry/app/kustomization.yaml +++ b/kubernetes/apps/default/sharry/app/kustomization.yaml @@ -4,11 +4,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namespace: default resources: + - ./externalsecret.yaml - ./helmrelease.yaml -patchesStrategicMerge: - - ./patches/postgres.yaml configMapGenerator: - - name: sharry + - name: sharry-configmap files: - ./config/sharry.conf generatorOptions: diff --git a/kubernetes/apps/default/sharry/app/patches/postgres.yaml b/kubernetes/apps/default/sharry/app/patches/postgres.yaml deleted file mode 100644 index a45c74dc0..000000000 --- a/kubernetes/apps/default/sharry/app/patches/postgres.yaml +++ /dev/null 
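Review bot: `01-init-db` runs `ghcr.io/onedr0p/postgres-init:14.8` pinned by mutable tag only, whereas the application images elsewhere in this diff (sabnzbd, prowlarr, resilio-sync) are pinned `tag@sha256:…`; this is the container handed `INIT_POSTGRES_SUPER_PASS`, so it is the one most worth pinning by digest, e.g. `image: ghcr.io/onedr0p/postgres-init:14.8@sha256:<digest>`. The semaphore init container in this diff has the same tag-only pin. Separately, the `&envFrom` anchor is defined here but not consumed inside this hunk; if it is aliased on the main container (as the semaphore HelmRelease does) the superuser password is exposed to the Sharry process too, which is worth checking since the rest of the `values` block lies outside the hunk.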
@@ -1,26 +0,0 @@ ---- -# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helm.toolkit.fluxcd.io/helmrelease_v2beta1.json -apiVersion: helm.toolkit.fluxcd.io/v2beta1 -kind: HelmRelease -metadata: - name: sharry - namespace: default -spec: - values: - initContainers: - init-db: - image: ghcr.io/onedr0p/postgres-initdb:14.8 - env: - - name: POSTGRES_HOST - value: ${POSTGRES_HOST} - - name: POSTGRES_DB - value: sharry - - name: POSTGRES_SUPER_PASS - valueFrom: - secretKeyRef: - name: postgres-superuser - key: password - - name: POSTGRES_USER - value: ${SECRET_SHARRY_DB_USERNAME} - - name: POSTGRES_PASS - value: ${SECRET_SHARRY_DB_PASSWORD} diff --git a/kubernetes/apps/default/smtp-relay/app/externalsecret.yaml b/kubernetes/apps/default/smtp-relay/app/externalsecret.yaml new file mode 100644 index 000000000..4f170682b --- /dev/null +++ b/kubernetes/apps/default/smtp-relay/app/externalsecret.yaml @@ -0,0 +1,18 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: smtp-relay + namespace: default +spec: + secretStoreRef: + kind: ClusterSecretStore + name: onepassword-connect + target: + name: smtp-relay-secret + creationPolicy: Owner + dataFrom: + - extract: + # SMTP_DOMAIN, SMTP_EMAIL_SMTP_USERNAME, SMTP_PASSWORD + key: smtp-relay diff --git a/kubernetes/apps/default/smtp-relay/app/helmrelease.yaml b/kubernetes/apps/default/smtp-relay/app/helmrelease.yaml index 9fa67faef..8dac3caba 100644 --- a/kubernetes/apps/default/smtp-relay/app/helmrelease.yaml +++ b/kubernetes/apps/default/smtp-relay/app/helmrelease.yaml @@ -6,7 +6,7 @@ metadata: name: &app smtp-relay namespace: default spec: - interval: 15m + interval: 30m chart: spec: chart: app-template @@ -15,7 +15,7 @@ spec: kind: HelmRepository name: bjw-s namespace: flux-system - maxHistory: 3 + maxHistory: 2 install: createNamespace: true remediation: 
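Review bot: The comment `# SMTP_DOMAIN, SMTP_EMAIL_SMTP_USERNAME, SMTP_PASSWORD` is the only documentation of what this `dataFrom.extract` produces, and `SMTP_EMAIL_SMTP_USERNAME` reads like a typo or a renamed field; the deleted sops secret carried only `SMTP_PASSWORD`, so the domain and username are new to the Secret and their exact names now depend entirely on the 1Password item. With no `template`, every field in that item lands in `smtp-relay-secret` under its 1Password name, so a rename there silently changes an environment variable. Either confirm the comment matches both the item and the chart's expected variable names, or make the contract explicit with `template.data` entries such as `SMTP_USERNAME: '{{ .SMTP_USERNAME }}'` so it is visible in git.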
@@ -28,7 +28,6 @@ spec: keepHistory: false values: controller: - replicas: 1 strategy: RollingUpdate annotations: reloader.stakater.com/auto: "true" diff --git a/kubernetes/apps/default/smtp-relay/app/kustomization.yaml b/kubernetes/apps/default/smtp-relay/app/kustomization.yaml index 28e70f62e..44d727753 100644 --- a/kubernetes/apps/default/smtp-relay/app/kustomization.yaml +++ b/kubernetes/apps/default/smtp-relay/app/kustomization.yaml @@ -4,8 +4,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namespace: default resources: + - ./externalsecret.yaml - ./helmrelease.yaml - - ./secret.sops.yaml configMapGenerator: - name: smtp-relay-configmap files: diff --git a/kubernetes/apps/default/smtp-relay/app/secret.sops.yaml b/kubernetes/apps/default/smtp-relay/app/secret.sops.yaml deleted file mode 100644 index 9cdb8f0eb..000000000 --- a/kubernetes/apps/default/smtp-relay/app/secret.sops.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ -# yamllint disable -kind: Secret -apiVersion: v1 -type: Opaque -metadata: - name: smtp-relay-secret - namespace: default -stringData: - SMTP_PASSWORD: ENC[AES256_GCM,data:Yf/FCPWceNJadwSaTvNXug==,iv:eErTrc6gWkClzoMmLgkz6xgaUA/W7cZoxhgGeCuHPyk=,tag:HYWJN3imrt/Umv4NREuQpg==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkSGowVER2SFNrYTVxOUc4 - S1lDV295S2tnTlE1TkFuWnFYdXZoZ2ZlYkVrCmdRaXpGNTZTbDBjbkxPTkhaSkU1 - ZTZEakZwV1prTXpGalc2L0MrQ3BlVlEKLS0tIDdIdTdKTzBybHc5NjJaU0Z4dFg1 - U003SkswTXRYaUdWYzVRL2oxb2RGdEEKQojCy0af9JFKnKSYQhT2C1sXIBjfKjEz - b7/1MAC99t37PRSsyh+ALf6DctqxysHKpG6Ku/RAchPqd2MwtIjWlQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-12-01T22:33:34Z" - mac: ENC[AES256_GCM,data:guldqBejtXp67NO2A/B0kPCLlJmpE7OAp04IRnv8iaMyvo/TxBkgvC8PQ/oQesxf2KNlJ671ewlIU9IdDres8qAC6ytV+iWVZGusOQfXKZKO5EWygckXokvs7jIfxWI7TdztLCMXlzaVDyH4fnrg2x4luxc3PNrctDfzu/vEP3s=,iv:Z9XHDirjaOs5UU5hWakGWDAvzvadIbJvBp4QbXCiw24=,tag:9WLfHq0SIQRvJqUmNWrSXA==,type:str] - pgp: [] - encrypted_regex: ^(data|stringData)$ - version: 3.7.3 diff --git a/kubernetes/apps/default/smtp-relay/ks.yaml b/kubernetes/apps/default/smtp-relay/ks.yaml index 1649b6b2d..fe0f73ff0 100644 --- a/kubernetes/apps/default/smtp-relay/ks.yaml +++ b/kubernetes/apps/default/smtp-relay/ks.yaml @@ -10,6 +10,8 @@ metadata: spec: path: ./kubernetes/apps/default/smtp-relay/app prune: true + dependsOn: + - name: cluster-apps-external-secrets-stores sourceRef: kind: GitRepository name: home-ops-kubernetes diff --git a/kubernetes/apps/default/sonarr/app/backups/kustomization.yaml b/kubernetes/apps/default/sonarr/app/backups/kustomization.yaml deleted file mode 100644 index 57bca902d..000000000 --- a/kubernetes/apps/default/sonarr/app/backups/kustomization.yaml +++ /dev/null 
@@ -1,7 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./replicationsource.yaml - - ./restic.sops.yaml diff --git a/kubernetes/apps/default/sonarr/app/backups/replicationsource.yaml b/kubernetes/apps/default/sonarr/app/backups/replicationsource.yaml deleted file mode 100644 index 798ab8063..000000000 --- a/kubernetes/apps/default/sonarr/app/backups/replicationsource.yaml +++ /dev/null @@ -1,25 +0,0 @@ ---- -# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/replicationsource_v1alpha1.json -apiVersion: volsync.backube/v1alpha1 -kind: ReplicationSource -metadata: - name: sonarr - namespace: default -spec: - sourcePVC: sonarr-config - trigger: - schedule: "0 0 * * *" - restic: - copyMethod: Snapshot - pruneIntervalDays: 10 - repository: sonarr-restic - cacheCapacity: 2Gi - volumeSnapshotClassName: csi-ceph-blockpool - storageClassName: rook-ceph-block - moverSecurityContext: - runAsUser: 568 - runAsGroup: 568 - fsGroup: 568 - retain: - daily: 10 - within: 3d diff --git a/kubernetes/apps/default/sonarr/app/backups/restic.sops.yaml b/kubernetes/apps/default/sonarr/app/backups/restic.sops.yaml deleted file mode 100644 index 769032af2..000000000 --- a/kubernetes/apps/default/sonarr/app/backups/restic.sops.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: sonarr-restic - namespace: default -type: Opaque -stringData: - #ENC[AES256_GCM,data:WTM0Lkqp+sxjbUgkNzAVZQnC5g==,iv:4y8R8GpLy2Ogh3Lt3v6ibVbJF7jy8K1BOGi+ONt7S5c=,tag:wRhEBfRNHp0PBvIjM60iSA==,type:comment] - RESTIC_REPOSITORY: ENC[AES256_GCM,data:E7B+rjyyZrHxiLBh/xnUl1b88ERSnGxUGHzZH+087fbXJOlbySnFuKRv+jPHMCoa//0r8RsC5mM=,iv:evk0OG92emADqogInteT7NSOsd+aGXEF8xMVLIVB63M=,tag:9YuM5VMkLpAA316dkjr5HA==,type:str] - #ENC[AES256_GCM,data:cRvGVeuDnEbJs01G+Und5ls1EgaC9Q2vj61IE/2R,iv:qSjv4bGEX9QWABhXgnCJsoj0p1kjgYaQwQX0Oyu9RHk=,tag:x8i1WXbAvdpC+Iv8pn/drw==,type:comment] - RESTIC_PASSWORD: ENC[AES256_GCM,data:6VI/lJQFZg6hu5r0SqNAKQAQGYY=,iv:UYRMnkHB4jsXcV1tyLDTAqh6dxsd18hYWsDoSpjJarA=,tag:d6hgK6LSgu7vZbLfquKcyA==,type:str] - #ENC[AES256_GCM,data:YIIHR5DwXv3YE9fFvNSAfrm47ZsshZMcY31LbaJ4gwXo0yOOHe6qDEc=,iv:axSMsvrIOkJFlErvw9fcAwLNSEWDh6mUU6dWZu6icIo=,tag:MDNlk43vcI9S4o6tMiWVmw==,type:comment] - #ENC[AES256_GCM,data:8Wspw6gPIPBsumfRS/5dlZrAQQqBJEDMgcpip4a3HCfHq8SeVDv4Gl0j3hyZqUsP5af8nN69Y/9bas7z1hnIERkrb8DqYg==,iv:WqCz9vBfg1JxUEpd97J37YztSW3HkcOHa6nIJI4VK8I=,tag:+LxnOzGidF39ojPKSOrVsg==,type:comment] - AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:I9vuuPEGS6A135zwKUNXvSIAjwk=,iv:dByy2WuuhO6OluWXYRwkdMutK33yKwOcWkR9hvY5bsg=,tag:xHU7Hbx+sxuZ9CRymA55JQ==,type:str] - AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kRdbENGS1F32JzkvktYkbfhMGBSrUpFSfyCdIpJwLOc+/2TyHAMrxA==,iv:Q+UKNT9aRo+A0KWu/FiST/4bOQKTOBJKHhpP8JXD3ao=,tag:7VE8lx2QAdNutcUj5kMNNA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RE9wTDZVRlExcnVKYjVZ - THNtblNXbGlSUitoS0FYV2k3dlg3aWZEMWxjCmZETUFGSnR0c3JZU2FHNnFneHdB - TEdlYjJTcjNsSDQ0dmgvNWlnNWo4TWMKLS0tIGR2Q25heThUUGliY0ZicDNra1FN - dGppaVJiME1FQnkzdVJOeTZMcjhYWE0KBrGQAYun1Zs3oyHWQ8iGvmF4hheP3md4 - 
3/Lc9CqEC+V1lT9On8ivEBethjt528vCyVMM5pLMRBEO6CMjlNhJ+g== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-12-28T15:35:19Z" - mac: ENC[AES256_GCM,data:VRBAxTHYtA4MWbi5qylhkRP2OlCAu8lOodgxVHlPicLY/AFxa70NhZcVMAD1iewVpr98ul0BQb/VdtRxlRdq4LjecdNK6o/FJUcvMVRjOBmMMyvqGnGmlif7MLMRt6H+FAknTC6nCJ1uSGu6KihvAA1f7jIeCOxzApGYqIsHp5M=,iv:yCrKaT5zu9ROQH5c8etRrYSlKRIKVeiNngbsOiX2a1g=,tag:4AINfTcGTA07MvMq7g4WXw==,type:str] - pgp: [] - encrypted_regex: ^(data|stringData)$ - version: 3.7.3 diff --git a/kubernetes/apps/default/sonarr/app/externalsecret.yaml b/kubernetes/apps/default/sonarr/app/externalsecret.yaml new file mode 100644 index 000000000..a06c63282 --- /dev/null +++ b/kubernetes/apps/default/sonarr/app/externalsecret.yaml @@ -0,0 +1,25 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: sonarr + namespace: default +spec: + secretStoreRef: + kind: ClusterSecretStore + name: onepassword-connect + target: + name: sonarr-secret + creationPolicy: Owner + template: + data: + # App + SONARR__API_KEY: "{{ .SONARR__API_KEY }}" + PUSHOVER_API_TOKEN: "{{ .PUSHOVER_API_TOKEN }}" + PUSHOVER_USER_KEY: "{{ .PUSHOVER_USER_KEY }}" + dataFrom: + - extract: + key: pushover + - extract: + key: sonarr diff --git a/kubernetes/apps/default/sonarr/app/helmrelease.yaml b/kubernetes/apps/default/sonarr/app/helmrelease.yaml index c56d9e2d5..2e992510e 100644 --- a/kubernetes/apps/default/sonarr/app/helmrelease.yaml +++ b/kubernetes/apps/default/sonarr/app/helmrelease.yaml @@ -6,7 +6,7 @@ metadata: name: &app sonarr namespace: default spec: - interval: 15m + interval: 30m chart: spec: chart: app-template @@ -15,7 +15,7 @@ spec: kind: HelmRepository name: bjw-s namespace: flux-system - maxHistory: 3 + maxHistory: 2 install: createNamespace: true remediation: 
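Review bot: The sonarr ExternalSecret template renames the Pushover token key: the deleted `secret.sops.yaml` exposed it as `PUSHOVER_TOKEN`, the new `sonarr-secret` exposes `PUSHOVER_API_TOKEN`, and the helmrelease keeps mounting `/scripts/pushover-notify.sh` from the `sonarr-pushover` configmap, which is not part of this diff. If that script still reads `$PUSHOVER_TOKEN` the notification call will run with an empty token; either update the script in the same commit or keep a compatibility key, e.g. `PUSHOVER_TOKEN: "{{ .PUSHOVER_API_TOKEN }}"`, next to the new one. Note also that with two `dataFrom.extract` entries (`pushover`, then `sonarr`) a field present in both items is taken from the later entry, so the order is load-bearing and deserves a short comment.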
@@ -27,6 +27,10 @@ spec: uninstall: keepHistory: false values: + controller: + annotations: + reloader.stakater.com/auto: "true" + configmap.reloader.stakater.com/reload: sonarr-pushover image: repository: ghcr.io/onedr0p/sonarr-develop tag: 4.0.0.559@sha256:62cc0157d673e68691c83c27a13011d416f28734134431bf27cf9b557cb7c2c5 @@ -40,7 +44,7 @@ spec: SONARR__LOG_LEVEL: info envFrom: - secretRef: - name: *app + name: sonarr-secret service: main: ports: @@ -97,9 +101,6 @@ spec: mountPath: /scripts/pushover-notify.sh defaultMode: 0775 readOnly: true - podAnnotations: - configmap.reloader.stakater.com/reload: sonarr-pushover - secret.reloader.stakater.com/reload: *app resources: requests: cpu: 500m diff --git a/kubernetes/apps/default/sonarr/app/kustomization.yaml b/kubernetes/apps/default/sonarr/app/kustomization.yaml index 96837f453..83fe3d7fb 100644 --- a/kubernetes/apps/default/sonarr/app/kustomization.yaml +++ b/kubernetes/apps/default/sonarr/app/kustomization.yaml @@ -4,9 +4,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namespace: default resources: - - ./backups + - ./externalsecret.yaml - ./helmrelease.yaml - - ./secret.sops.yaml + - ./volsync.yaml - ./volume.yaml configMapGenerator: - name: sonarr-pushover diff --git a/kubernetes/apps/default/sonarr/app/secret.sops.yaml b/kubernetes/apps/default/sonarr/app/secret.sops.yaml deleted file mode 100644 index b160d3d12..000000000 --- a/kubernetes/apps/default/sonarr/app/secret.sops.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -# yamllint disable -apiVersion: v1 -kind: Secret -metadata: - name: sonarr - namespace: default -type: Opaque -stringData: - PUSHOVER_TOKEN: ENC[AES256_GCM,data:VbPcH4St6p1+rdYkXgXnmWJw9wH1eeFe0KM0TxH9,iv:WLxuFr8DscUhYrgglmAPctrrY2QsItfwQ5ZnKD2P7xE=,tag:tfLhrhos9ZFKhuMdCnHDEA==,type:str] - PUSHOVER_USER_KEY: ENC[AES256_GCM,data:3UbR7hAnBAAjw/tdB8TSMZw3inuJJhJx9AiIN4tZ,iv:GuB8Kf/pAOp32SiVhpSLFisIeoEg1VxdYm2Raw2stRM=,tag:A8nDFwYPcZ7fOPG/UPYYzQ==,type:str] - SONARR__API_KEY: ENC[AES256_GCM,data:2byvnqPCT5MWJBnSmQrzXDnmfCvokUrr2PIR27iC+Y8=,iv:ejJtd3eXWlw0MyA6eXWVPChyVNgHK+FVpSYg2guOvZ8=,tag:QR0/X0cbJXFvzXhItglnCQ==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJaU16anJNV2pBZmxPR3h2 - bWREUnpjcTFvd05ZQ2E4VVBDdm1FL2k4WEYwCkdQSStTNWtpdjNkUW51WS9MekdC - VkpTUUFjSjY2a1JMOUtqOVh5M0JRR2sKLS0tIDRmcWpJSEVvaUp4U1lsaTZYZGNw - OGVKWU0zNUZJSFh4aFJxQWFsYm1VeFkKaDeI/hl7z0Qh8t5W39Kxu9ert1dt4xo+ - LX+MjpVqxiZNcfwROD4bkWeQSN+VsxoGOOyj4L15BlggNnlg+L7Hww== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-12-28T15:35:43Z" - mac: ENC[AES256_GCM,data:W28v1mhf0LE/Wx/wz5YebMTvEAUY1/g8/aZmJKJNzioyT909NTlixyyMScZ9cUj/tKchkiv9DG9zKHNWiZSWHV8eEIsrzth4ENR0Puj0ZXzAFQAblzQh50DPMIVURt6FXcIh9Uw05fXcJwu2AN/lkWplsG7sDMo7n5y95ZomVHM=,iv:WSvs/o2Jep7DnoHBz2O/5t6aGjfYTNwRclGyf4npbOs=,tag:2OqXhjFhAnnxAK16o8TuOQ==,type:str] - pgp: [] - encrypted_regex: ^(data|stringData)$ - version: 3.7.3 diff --git a/kubernetes/apps/default/sonarr/app/volsync.yaml b/kubernetes/apps/default/sonarr/app/volsync.yaml new file mode 100644 index 000000000..bd3877670 --- /dev/null +++ b/kubernetes/apps/default/sonarr/app/volsync.yaml 
@@ -0,0 +1,49 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: sonarr-restic + namespace: default +spec: + secretStoreRef: + kind: ClusterSecretStore + name: onepassword-connect + target: + name: sonarr-restic-secret + creationPolicy: Owner + template: + engineVersion: v2 + data: + RESTIC_REPOSITORY: '{{ .REPOSITORY_TEMPLATE }}/sonarr' + RESTIC_PASSWORD: '{{ .RESTIC_PASSWORD }}' + AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}' + AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}' + dataFrom: + - extract: + key: volsync-restic-template +--- +# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/volsync.backube/replicationsource_v1alpha1.json +apiVersion: volsync.backube/v1alpha1 +kind: ReplicationSource +metadata: + name: sonarr + namespace: default +spec: + sourcePVC: sonarr-config + trigger: + schedule: "0 7 * * *" + restic: + copyMethod: Snapshot + pruneIntervalDays: 7 + repository: sonarr-restic-secret + cacheCapacity: 2Gi + volumeSnapshotClassName: csi-ceph-blockpool + storageClassName: rook-ceph-block + moverSecurityContext: + runAsUser: 568 + runAsGroup: 568 + fsGroup: 568 + retain: + daily: 7 + within: 3d diff --git a/kubernetes/apps/default/sonarr/ks.yaml b/kubernetes/apps/default/sonarr/ks.yaml index 7ae7cd1fd..7209de16b 100644 --- a/kubernetes/apps/default/sonarr/ks.yaml +++ b/kubernetes/apps/default/sonarr/ks.yaml @@ -9,6 +9,7 @@ metadata: substitution.flux.home.arpa/enabled: "true" spec: dependsOn: + - name: cluster-apps-external-secrets-stores - name: cluster-apps-rook-ceph-cluster - name: cluster-apps-volsync-app path: ./kubernetes/apps/default/sonarr/app diff --git a/kubernetes/apps/default/tandoor/app/backups/kustomization.yaml b/kubernetes/apps/default/tandoor/app/backups/kustomization.yaml deleted file mode 100644 index 57bca902d..000000000 
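Review bot: The new sonarr ReplicationSource shortens backup retention and the prune window — `daily: 7` / `pruneIntervalDays: 7` where the deleted `backups/replicationsource.yaml` had `daily: 10` / `pruneIntervalDays: 10` — and moves the schedule from `0 0 * * *` to `0 7 * * *`, but nothing in the file records that this is intentional. Because the retention window is what bounds recovery after data corruption or a destructive change, add a comment above `retain:` such as `# 7 daily snapshots plus everything within 3d (reduced from 10 daily when moved to ExternalSecret-backed repos)`. The tandoor `volsync.yaml` hunk makes the identical change and needs the same comment.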
--- a/kubernetes/apps/default/tandoor/app/backups/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./replicationsource.yaml - - ./restic.sops.yaml diff --git a/kubernetes/apps/default/tandoor/app/backups/replicationsource.yaml b/kubernetes/apps/default/tandoor/app/backups/replicationsource.yaml deleted file mode 100644 index 55adc4d35..000000000 --- a/kubernetes/apps/default/tandoor/app/backups/replicationsource.yaml +++ /dev/null @@ -1,25 +0,0 @@ ---- -# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/replicationsource_v1alpha1.json -apiVersion: volsync.backube/v1alpha1 -kind: ReplicationSource -metadata: - name: tandoor - namespace: default -spec: - sourcePVC: tandoor-files - trigger: - schedule: "0 0 * * *" - restic: - copyMethod: Snapshot - pruneIntervalDays: 10 - repository: tandoor-restic - cacheCapacity: 2Gi - volumeSnapshotClassName: csi-ceph-blockpool - storageClassName: rook-ceph-block - moverSecurityContext: - runAsUser: 568 - runAsGroup: 568 - fsGroup: 568 - retain: - daily: 10 - within: 3d diff --git a/kubernetes/apps/default/tandoor/app/backups/restic.sops.yaml b/kubernetes/apps/default/tandoor/app/backups/restic.sops.yaml deleted file mode 100644 index 5366b15e0..000000000 --- a/kubernetes/apps/default/tandoor/app/backups/restic.sops.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: tandoor-restic - namespace: default -type: Opaque -stringData: - #ENC[AES256_GCM,data:WTM0Lkqp+sxjbUgkNzAVZQnC5g==,iv:4y8R8GpLy2Ogh3Lt3v6ibVbJF7jy8K1BOGi+ONt7S5c=,tag:wRhEBfRNHp0PBvIjM60iSA==,type:comment] - RESTIC_REPOSITORY: ENC[AES256_GCM,data:doNM45RgucJso4t85IZREhHclpvKXYy+GFomdGSokK7kjl7Jn25CJuG/u5t7GnjC0M2uYo8nhyMQ,iv:eNummV+QSSAkFFaZC0WPAMV/G+j70b0X6pN1MgUYx7s=,tag:gR260etgdx6Lwt9GXpDWew==,type:str] - #ENC[AES256_GCM,data:cRvGVeuDnEbJs01G+Und5ls1EgaC9Q2vj61IE/2R,iv:qSjv4bGEX9QWABhXgnCJsoj0p1kjgYaQwQX0Oyu9RHk=,tag:x8i1WXbAvdpC+Iv8pn/drw==,type:comment] - RESTIC_PASSWORD: ENC[AES256_GCM,data:6VI/lJQFZg6hu5r0SqNAKQAQGYY=,iv:UYRMnkHB4jsXcV1tyLDTAqh6dxsd18hYWsDoSpjJarA=,tag:d6hgK6LSgu7vZbLfquKcyA==,type:str] - #ENC[AES256_GCM,data:YIIHR5DwXv3YE9fFvNSAfrm47ZsshZMcY31LbaJ4gwXo0yOOHe6qDEc=,iv:axSMsvrIOkJFlErvw9fcAwLNSEWDh6mUU6dWZu6icIo=,tag:MDNlk43vcI9S4o6tMiWVmw==,type:comment] - #ENC[AES256_GCM,data:8Wspw6gPIPBsumfRS/5dlZrAQQqBJEDMgcpip4a3HCfHq8SeVDv4Gl0j3hyZqUsP5af8nN69Y/9bas7z1hnIERkrb8DqYg==,iv:WqCz9vBfg1JxUEpd97J37YztSW3HkcOHa6nIJI4VK8I=,tag:+LxnOzGidF39ojPKSOrVsg==,type:comment] - AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:I9vuuPEGS6A135zwKUNXvSIAjwk=,iv:dByy2WuuhO6OluWXYRwkdMutK33yKwOcWkR9hvY5bsg=,tag:xHU7Hbx+sxuZ9CRymA55JQ==,type:str] - AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kRdbENGS1F32JzkvktYkbfhMGBSrUpFSfyCdIpJwLOc+/2TyHAMrxA==,iv:Q+UKNT9aRo+A0KWu/FiST/4bOQKTOBJKHhpP8JXD3ao=,tag:7VE8lx2QAdNutcUj5kMNNA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RE9wTDZVRlExcnVKYjVZ - THNtblNXbGlSUitoS0FYV2k3dlg3aWZEMWxjCmZETUFGSnR0c3JZU2FHNnFneHdB - TEdlYjJTcjNsSDQ0dmgvNWlnNWo4TWMKLS0tIGR2Q25heThUUGliY0ZicDNra1FN - dGppaVJiME1FQnkzdVJOeTZMcjhYWE0KBrGQAYun1Zs3oyHWQ8iGvmF4hheP3md4 - 
3/Lc9CqEC+V1lT9On8ivEBethjt528vCyVMM5pLMRBEO6CMjlNhJ+g== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-12-28T06:24:08Z" - mac: ENC[AES256_GCM,data:udFHC/EM7a4g1pOvhU8HJRiSSSnBDvzva3rrZdmjidfcjrt90dStpNL+AHCLXjqj0DsPJHP8bvyXsrrOQg+WXi47OnugUu0YnqaoS6n5nklCfhcqWU5PM5eG+zmuDkfnXT9EbwAyKXvnmzhIr4Rr2+LxsZNJpVqY6AfNM4IFRtc=,iv:lqVOyMN1c/9pxU/CRuEjcPd6890uNq3xgqwF8RKkFEo=,tag:YMrnTGCruKCbTq0r24SEyw==,type:str] - pgp: [] - encrypted_regex: ^(data|stringData)$ - version: 3.7.3 diff --git a/kubernetes/apps/default/tandoor/app/externalsecret.yaml b/kubernetes/apps/default/tandoor/app/externalsecret.yaml new file mode 100644 index 000000000..7308e5a12 --- /dev/null +++ b/kubernetes/apps/default/tandoor/app/externalsecret.yaml @@ -0,0 +1,34 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: tandoor + namespace: default +spec: + secretStoreRef: + kind: ClusterSecretStore + name: onepassword-connect + target: + name: tandoor-secret + creationPolicy: Owner + template: + data: + # App + SECRET_KEY: "{{ .TANDOOR_SECRET_KEY }}" + POSTGRES_HOST: &dbHost postgres-rw.default.svc.cluster.local + POSTGRES_PORT: "5432" + POSTGRES_DB: &dbName tandoor + POSTGRES_USER: &dbUser "{{ .TANDOOR_POSTGRES_USER }}" + POSTGRES_PASSWORD: &dbPass "{{ .TANDOOR_POSTGRES_PASS }}" + # Postgres Init + INIT_POSTGRES_DBNAME: *dbName + INIT_POSTGRES_HOST: *dbHost + INIT_POSTGRES_USER: *dbUser + INIT_POSTGRES_PASS: *dbPass + INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" + dataFrom: + - extract: + key: cloudnative-pg + - extract: + key: tandoor diff --git a/kubernetes/apps/default/tandoor/app/helmrelease.yaml b/kubernetes/apps/default/tandoor/app/helmrelease.yaml index ccfa7d2a7..73de69d53 100644 --- a/kubernetes/apps/default/tandoor/app/helmrelease.yaml +++ b/kubernetes/apps/default/tandoor/app/helmrelease.yaml 
@@ -6,7 +6,7 @@ metadata: name: &app tandoor namespace: default spec: - interval: 15m + interval: 30m chart: spec: chart: app-template @@ -15,7 +15,7 @@ spec: kind: HelmRepository name: bjw-s namespace: flux-system - maxHistory: 3 + maxHistory: 2 install: createNamespace: true remediation: @@ -33,9 +33,19 @@ spec: image: repository: vabene1111/recipes tag: 1.5.4 - envFrom: + envFrom: &envFrom - secretRef: name: tandoor-secret + env: + DEBUG: "0" + ALLOWED_HOSTS: "*" + DB_ENGINE: django.db.backends.postgresql_psycopg2 + GUNICORN_MEDIA: "0" + TIMEZONE: ${TIMEZONE} + TANDOOR_PORT: 8888 + FRACTION_PREF_DEFAULT: "0" + COMMENT_PREF_DEFAULT: "1" + SHOPPING_MIN_AUTOSYNC_INTERVAL: "5" command: - /opt/recipes/venv/bin/gunicorn - -b @@ -88,7 +98,7 @@ spec: type: "custom" volumeSpec: configMap: - name: *app + name: tandoor-configmap django-js-reverse: enabled: true type: emptyDir @@ -106,9 +116,6 @@ spec: runAsGroup: 568 fsGroup: 568 fsGroupChangePolicy: "OnRootMismatch" - podAnnotations: - configMap.reloader.stakater.com/reload: *app - secret.reloader.stakater.com/reload: *app resources: requests: cpu: 100m @@ -116,7 +123,11 @@ spec: limits: memory: 512Mi initContainers: - init-migrate: + 01-init-db: + image: ghcr.io/onedr0p/postgres-init:14.8 + imagePullPolicy: IfNotPresent + envFrom: *envFrom + 02-init-migrate: image: vabene1111/recipes:1.5.4 env: - name: DB_ENGINE @@ -145,9 +156,8 @@ spec: mountPath: /opt/recipes/cookbook/static/django_js_reverse - name: static mountPath: /opt/recipes/staticfiles - additionalContainers: + sidecars: nginx: - name: nginx image: nginxinc/nginx-unprivileged:1.25.1-alpine imagePullPolicy: IfNotPresent ports: diff --git a/kubernetes/apps/default/tandoor/app/kustomization.yaml b/kubernetes/apps/default/tandoor/app/kustomization.yaml index c3d118f86..a097fd3fd 100644 --- a/kubernetes/apps/default/tandoor/app/kustomization.yaml +++ b/kubernetes/apps/default/tandoor/app/kustomization.yaml 
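Review bot: The hunk at `-33,9 +33,19` turns the main container's `envFrom` into the `&envFrom` anchor that the hunk at `-116,7 +123,11` reuses for `01-init-db`, and the new tandoor ExternalSecret puts `INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"` into that same `tandoor-secret` — so the Postgres superuser password is now in the environment of the long-running recipes container and the nginx sidecar's pod, not just the one-shot init container. The deleted `patches/postgres.yaml` scoped it correctly: only the init container received `POSTGRES_SUPER_PASS` via a `secretKeyRef` on `postgres-superuser`. Keep the `INIT_POSTGRES_*` keys in a separate secret that only the init container references, and leave the app container with the `POSTGRES_*` keys it actually needs; the sharry hunk in this diff uses the same `&envFrom` pattern and should be checked the same way. The enclosing `values:` map starts before and ends after both hunks.
```yaml
      # … unchanged: main container image, envFrom (no longer needs the &envFrom anchor), env …
      initContainers:
        01-init-db:
          image: ghcr.io/onedr0p/postgres-init:14.8
          imagePullPolicy: IfNotPresent
          envFrom:
            - secretRef:
                name: tandoor-init-secret  # constructed name: second ExternalSecret holding only INIT_POSTGRES_*
        # … unchanged: 02-init-migrate …
```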
@@ -4,15 +4,12 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namespace: default resources: - - ./backups + - ./externalsecret.yaml - ./helmrelease.yaml - - ./secret.sops.yaml + - ./volsync.yaml - ./volume.yaml -patchesStrategicMerge: - - ./patches/env.yaml - - ./patches/postgres.yaml configMapGenerator: - - name: tandoor + - name: tandoor-configmap files: - ./config/nginx-config generatorOptions: diff --git a/kubernetes/apps/default/tandoor/app/patches/env.yaml b/kubernetes/apps/default/tandoor/app/patches/env.yaml deleted file mode 100644 index bee84a513..000000000 --- a/kubernetes/apps/default/tandoor/app/patches/env.yaml +++ /dev/null @@ -1,22 +0,0 @@ ---- -# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helm.toolkit.fluxcd.io/helmrelease_v2beta1.json -apiVersion: helm.toolkit.fluxcd.io/v2beta1 -kind: HelmRelease -metadata: - name: tandoor - namespace: default -spec: - values: - env: - DEBUG: "0" - ALLOWED_HOSTS: "*" - DB_ENGINE: django.db.backends.postgresql_psycopg2 - POSTGRES_HOST: ${POSTGRES_HOST} - POSTGRES_PORT: ${POSTGRES_PORT} - POSTGRES_DB: tandoor - GUNICORN_MEDIA: "0" - TIMEZONE: ${TIMEZONE} - TANDOOR_PORT: 8888 - FRACTION_PREF_DEFAULT: "0" - COMMENT_PREF_DEFAULT: "1" - SHOPPING_MIN_AUTOSYNC_INTERVAL: "5" diff --git a/kubernetes/apps/default/tandoor/app/patches/postgres.yaml b/kubernetes/apps/default/tandoor/app/patches/postgres.yaml deleted file mode 100644 index 261066f26..000000000 --- a/kubernetes/apps/default/tandoor/app/patches/postgres.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ ---- -# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helm.toolkit.fluxcd.io/helmrelease_v2beta1.json -apiVersion: helm.toolkit.fluxcd.io/v2beta1 -kind: HelmRelease -metadata: - name: tandoor - namespace: default -spec: - values: - initContainers: - init-db: - image: ghcr.io/onedr0p/postgres-initdb:14.8 - env: - - name: POSTGRES_HOST - value: ${POSTGRES_HOST} - - name: POSTGRES_DB - value: tandoor - - name: POSTGRES_SUPER_PASS - valueFrom: - secretKeyRef: - name: postgres-superuser - key: password - - name: POSTGRES_USER - valueFrom: - secretKeyRef: - name: tandoor-secret - key: POSTGRES_USER - - name: POSTGRES_PASS - valueFrom: - secretKeyRef: - name: tandoor-secret - key: POSTGRES_PASSWORD diff --git a/kubernetes/apps/default/tandoor/app/secret.sops.yaml b/kubernetes/apps/default/tandoor/app/secret.sops.yaml deleted file mode 100644 index 997c0db64..000000000 --- a/kubernetes/apps/default/tandoor/app/secret.sops.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -# yamllint disable -apiVersion: v1 -kind: Secret -metadata: - name: tandoor-secret - namespace: default -type: Opaque -stringData: - SECRET_KEY: ENC[AES256_GCM,data:Q6F1yVx9o5l+NGOYDe+m6DH/v1MxJQCSKT89IVwjqYI=,iv:KAkiYOyzD+i4ybTb19cIUaZlLq9/Hkda9c9ksf+FQrg=,tag:5nEYJe8JnrwScW2a8+dekw==,type:str] - POSTGRES_USER: ENC[AES256_GCM,data:FYYcjxl00w==,iv:Qhyu+2pCDrLynJVKb88olLiG1S9mmSVJgdsWuBu2iPQ=,tag:XngsCKqqnv/eZUN715cY5A==,type:str] - POSTGRES_PASSWORD: ENC[AES256_GCM,data:7nRBJj4SN//W6kcD4RwDOw==,iv:uTlW+I/H72vTlUIH7m9AVqRKSA+XMAQoJLGcu5cFFFM=,tag:tkeMqZVP8NHgyH4aOWSlFw==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3TlpyT0RXNHdBVHBKVkJo - dGhPZDgvTHlOVHJ5d3JDeEZhd2NmQUxVdURrCkZKTWVPK2Y0L3NWVDJCbHRUYVQ2 - MGVuRXdSMHZzSFFpOHFNa2laNEF5T1EKLS0tIGcvVDBRWTJPeVJzVTg2ZzNRdTFJ - VjJ5ZzIyNE9OMGVVcFBiOWRjazFGYkUK8wW2HI/BuiFMAyOV/BABZkE+L6qLVAuE - LM+b1l2q79np70ostH7Jmox9KP4QsMLYxDhjse/ygS5e8oQRbb1oTg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-04-11T21:32:22Z" - mac: ENC[AES256_GCM,data:y+O9Ry6ybIm1hmfZspcyiJPzjGDa89e2Qa+oMj+qsye6T6Y3k0JRn/POGkrxHCsw05exKMa3+8ldQQgHewdiiv1TOJ3Xwap377AtYlId+hBfwyfPG1VtnBNu4pHDe919f6q7DNRJbaQscmZgFuZYRMyIeI+rBNT7slGuvAWwAjc=,iv:4DFc9cJ9BaDwv/E3ZVBFwf82879ePff6BoOryRBn0Oo=,tag:n870pnOy32XnELnZzyukvQ==,type:str] - pgp: [] - encrypted_regex: ^(data|stringData)$ - version: 3.7.3 diff --git a/kubernetes/apps/default/tandoor/app/volsync.yaml b/kubernetes/apps/default/tandoor/app/volsync.yaml new file mode 100644 index 000000000..9cbec054b --- /dev/null +++ b/kubernetes/apps/default/tandoor/app/volsync.yaml 
@@ -0,0 +1,49 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: tandoor-restic + namespace: default +spec: + secretStoreRef: + kind: ClusterSecretStore + name: onepassword-connect + target: + name: tandoor-restic-secret + creationPolicy: Owner + template: + engineVersion: v2 + data: + RESTIC_REPOSITORY: '{{ .REPOSITORY_TEMPLATE }}/tandoor' + RESTIC_PASSWORD: '{{ .RESTIC_PASSWORD }}' + AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}' + AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}' + dataFrom: + - extract: + key: volsync-restic-template +--- +# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/volsync.backube/replicationsource_v1alpha1.json +apiVersion: volsync.backube/v1alpha1 +kind: ReplicationSource +metadata: + name: tandoor + namespace: default +spec: + sourcePVC: tandoor-files + trigger: + schedule: "0 7 * * *" + restic: + copyMethod: Snapshot + pruneIntervalDays: 7 + repository: tandoor-restic-secret + cacheCapacity: 2Gi + volumeSnapshotClassName: csi-ceph-blockpool + storageClassName: rook-ceph-block + moverSecurityContext: + runAsUser: 568 + runAsGroup: 568 + fsGroup: 568 + retain: + daily: 7 + within: 3d diff --git a/kubernetes/apps/default/tandoor/ks.yaml b/kubernetes/apps/default/tandoor/ks.yaml index 7a9638dca..5dd3625be 100644 --- a/kubernetes/apps/default/tandoor/ks.yaml +++ b/kubernetes/apps/default/tandoor/ks.yaml @@ -15,6 +15,7 @@ spec: name: home-ops-kubernetes dependsOn: - name: cluster-apps-cloudnative-pg-cluster + - name: cluster-apps-external-secrets-stores - name: cluster-apps-rook-ceph-cluster - name: cluster-apps-volsync-app healthChecks: diff --git a/kubernetes/apps/default/theme-park/app/helmrelease.yaml b/kubernetes/apps/default/theme-park/app/helmrelease.yaml index 1fd95f0bf..3ddf0f579 100644 --- a/kubernetes/apps/default/theme-park/app/helmrelease.yaml 
+++ b/kubernetes/apps/default/theme-park/app/helmrelease.yaml @@ -6,7 +6,7 @@ metadata: name: &app theme-park namespace: default spec: - interval: 15m + interval: 30m chart: spec: chart: app-template @@ -15,7 +15,7 @@ spec: kind: HelmRepository name: bjw-s namespace: flux-system - maxHistory: 3 + maxHistory: 2 install: createNamespace: true remediation: diff --git a/kubernetes/apps/default/truenas/backup/helmrelease.yaml b/kubernetes/apps/default/truenas/app/backup/helmrelease.yaml similarity index 82% rename from kubernetes/apps/default/truenas/backup/helmrelease.yaml rename to kubernetes/apps/default/truenas/app/backup/helmrelease.yaml index c830cdf72..118765900 100644 --- a/kubernetes/apps/default/truenas/backup/helmrelease.yaml +++ b/kubernetes/apps/default/truenas/app/backup/helmrelease.yaml @@ -6,7 +6,7 @@ metadata: name: truenas-backup namespace: default spec: - interval: 15m + interval: 30m chart: spec: chart: app-template @@ -15,7 +15,7 @@ spec: kind: HelmRepository name: bjw-s namespace: flux-system - maxHistory: 3 + maxHistory: 2 install: createNamespace: true remediation: @@ -39,11 +39,9 @@ spec: command: ["/bin/bash", "/app/truenas-backup.sh"] env: HOSTNAME: truenas - SECRET_DOMAIN: ${SECRET_DOMAIN} - SECRET_CLUSTER_DOMAIN: ${SECRET_CLUSTER_DOMAIN} envFrom: - secretRef: - name: truenas-backup-secret + name: truenas-secret service: main: enabled: false @@ -59,8 +57,8 @@ spec: ssh: enabled: true type: secret - name: truenas-backup-secret - subPath: SSH_KEY + name: truenas-secret + subPath: TRUENAS_SSH_KEY mountPath: /opt/id_rsa defaultMode: 0775 readOnly: true @@ -72,13 +70,9 @@ spec: env: - name: HOSTNAME value: truenas-remote - - name: SECRET_DOMAIN - value: ${SECRET_DOMAIN} - - name: SECRET_CLUSTER_DOMAIN - value: ${SECRET_CLUSTER_DOMAIN} envFrom: - secretRef: - name: truenas-backup-secret + name: truenas-secret volumeMounts: - name: config readOnly: true 
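Review bot: The truenas-backup helmrelease hunks at `-39,11 +39,9` and `-72,13 +70,9` remove `SECRET_CLUSTER_DOMAIN` from the main container and the `truenas-remote` sidecar env, but the new `truenas-secret` ExternalSecret that replaces them only templates `SECRET_DOMAIN` and `SECRET_PUBLIC_DOMAIN`, so that variable is no longer set anywhere visible in this diff. The part of `truenas-backup.sh` shown here reads only `$SECRET_DOMAIN`; if the rest of the script still references `$SECRET_CLUSTER_DOMAIN` it will expand to empty, which under `%q` quoting silently becomes `''` on the remote command line. Either add `SECRET_CLUSTER_DOMAIN: "{{ .SECRET_CLUSTER_DOMAIN }}"` to the truenas ExternalSecret or confirm the script no longer needs it and say so in the commit message.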
@@ -87,4 +81,4 @@ spec: - name: ssh readOnly: true mountPath: /opt/id_rsa - subPath: SSH_KEY + subPath: TRUENAS_SSH_KEY diff --git a/kubernetes/apps/default/truenas/backup/kustomization.yaml b/kubernetes/apps/default/truenas/app/backup/kustomization.yaml similarity index 94% rename from kubernetes/apps/default/truenas/backup/kustomization.yaml rename to kubernetes/apps/default/truenas/app/backup/kustomization.yaml index 5544a84aa..bdafafc5b 100644 --- a/kubernetes/apps/default/truenas/backup/kustomization.yaml +++ b/kubernetes/apps/default/truenas/app/backup/kustomization.yaml @@ -5,7 +5,6 @@ kind: Kustomization namespace: default resources: - ./helmrelease.yaml - - ./secret.sops.yaml configMapGenerator: - name: truenas-backup-configmap files: diff --git a/kubernetes/apps/default/truenas/backup/truenas-backup.sh b/kubernetes/apps/default/truenas/app/backup/truenas-backup.sh similarity index 90% rename from kubernetes/apps/default/truenas/backup/truenas-backup.sh rename to kubernetes/apps/default/truenas/app/backup/truenas-backup.sh index 4e256ac48..5dbdcca85 100755 --- a/kubernetes/apps/default/truenas/backup/truenas-backup.sh +++ b/kubernetes/apps/default/truenas/app/backup/truenas-backup.sh @@ -7,8 +7,8 @@ mkdir -p ~/.ssh cp /opt/id_rsa ~/.ssh/id_rsa chmod 600 ~/.ssh/id_rsa -printf -v aws_access_key_id_str %q "$AWS_ACCESS_KEY_ID" -printf -v aws_secret_access_key_str %q "$AWS_SECRET_ACCESS_KEY" +printf -v aws_access_key_id_str %q "$TRUENAS_AWS_ACCESS_KEY_ID" +printf -v aws_secret_access_key_str %q "$TRUENAS_AWS_SECRET_ACCESS_KEY" printf -v secret_domain_str %q "$SECRET_DOMAIN" diff --git a/kubernetes/apps/default/truenas/certs-deploy/helmrelease.yaml b/kubernetes/apps/default/truenas/app/certs-deploy/helmrelease.yaml similarity index 87% rename from kubernetes/apps/default/truenas/certs-deploy/helmrelease.yaml rename to kubernetes/apps/default/truenas/app/certs-deploy/helmrelease.yaml index 65ed3d859..777f68b35 100644 
--- a/kubernetes/apps/default/truenas/certs-deploy/helmrelease.yaml +++ b/kubernetes/apps/default/truenas/app/certs-deploy/helmrelease.yaml @@ -6,7 +6,7 @@ metadata: name: truenas-certs-deploy namespace: default spec: - interval: 15m + interval: 30m chart: spec: chart: app-template @@ -15,7 +15,7 @@ spec: kind: HelmRepository name: bjw-s namespace: flux-system - maxHistory: 3 + maxHistory: 2 install: createNamespace: true remediation: @@ -40,11 +40,10 @@ spec: env: HOSTNAME: truenas TRUENAS_HOME: /mnt/storage/home/homelab - SECRET_DOMAIN: ${SECRET_DOMAIN} CERTS_DEPLOY_S3_ENABLED: "True" envFrom: - secretRef: - name: truenas-certs-deploy-secret + name: truenas-secret service: main: enabled: false @@ -68,14 +67,13 @@ spec: ssh: enabled: true type: secret - name: truenas-certs-deploy-secret - subPath: SSH_KEY + name: truenas-secret + subPath: TRUENAS_SSH_KEY mountPath: /opt/id_rsa defaultMode: 0775 readOnly: true - additionalContainers: + sidecars: truenas-remote-certs-deploy: - name: truenas-remote-certs-deploy image: ghcr.io/auricom/kubectl:1.27.3@sha256:402cbd1a404bdae3db854252054e4160b5746067e6f462d4a48236c46f6ad28a command: ["/bin/bash", "/app/truenas-certs-deploy.sh"] env: @@ -83,13 +81,11 @@ spec: value: truenas-remote - name: TRUENAS_HOME value: /mnt/vol1/home/homelab - - name: SECRET_DOMAIN - value: ${SECRET_DOMAIN} - name: CERTS_DEPLOY_S3_ENABLED value: "False" envFrom: - secretRef: - name: truenas-certs-deploy-secret + name: truenas-secret volumeMounts: - name: config readOnly: true @@ -102,4 +98,4 @@ spec: - name: ssh readOnly: true mountPath: /opt/id_rsa - subPath: SSH_KEY + subPath: TRUENAS_SSH_KEY diff --git a/kubernetes/apps/default/truenas/certs-deploy/kustomization.yaml b/kubernetes/apps/default/truenas/app/certs-deploy/kustomization.yaml similarity index 95% rename from kubernetes/apps/default/truenas/certs-deploy/kustomization.yaml rename to kubernetes/apps/default/truenas/app/certs-deploy/kustomization.yaml index a47ef4c73..2027d5367 100644 
--- a/kubernetes/apps/default/truenas/certs-deploy/kustomization.yaml +++ b/kubernetes/apps/default/truenas/app/certs-deploy/kustomization.yaml @@ -5,7 +5,6 @@ kind: Kustomization namespace: default resources: - ./helmrelease.yaml - - ./secret.sops.yaml configMapGenerator: - name: truenas-certs-deploy-configmap files: diff --git a/kubernetes/apps/default/truenas/certs-deploy/truenas-certs-deploy.py b/kubernetes/apps/default/truenas/app/certs-deploy/truenas-certs-deploy.py similarity index 100% rename from kubernetes/apps/default/truenas/certs-deploy/truenas-certs-deploy.py rename to kubernetes/apps/default/truenas/app/certs-deploy/truenas-certs-deploy.py diff --git a/kubernetes/apps/default/truenas/certs-deploy/truenas-certs-deploy.sh b/kubernetes/apps/default/truenas/app/certs-deploy/truenas-certs-deploy.sh similarity index 92% rename from kubernetes/apps/default/truenas/certs-deploy/truenas-certs-deploy.sh rename to kubernetes/apps/default/truenas/app/certs-deploy/truenas-certs-deploy.sh index 4654d6427..667c65508 100644 --- a/kubernetes/apps/default/truenas/certs-deploy/truenas-certs-deploy.sh +++ b/kubernetes/apps/default/truenas/app/certs-deploy/truenas-certs-deploy.sh 
@@ -13,18 +13,18 @@ elif [ "${HOSTNAME}" == "truenas-remote" ]; then printf -v truenas_api_key %q "$TRUENAS_REMOTE_API_KEY" fi printf -v cert_deploy_s3_enabled_str %q "$CERTS_DEPLOY_S3_ENABLED" -printf -v pushover_api_key_str %q "$PUSHOVER_API_KEY" +printf -v pushover_api_token_str %q "$PUSHOVER_API_TOKEN" printf -v pushover_user_key_str %q "$PUSHOVER_USER_KEY" printf -v secret_domain_str %q "$SECRET_DOMAIN" scp -o StrictHostKeyChecking=no /app/truenas-certs-deploy.py homelab@${HOSTNAME}.${SECRET_DOMAIN}:${TRUENAS_HOME}/scripts/certificates_deploy.py -ssh -o StrictHostKeyChecking=no homelab@${HOSTNAME}.${SECRET_DOMAIN} "/bin/bash -s $truenas_api_key $cert_deploy_s3_enabled_str $pushover_api_key_str $pushover_user_key_str $secret_domain_str" << 'EOF' +ssh -o StrictHostKeyChecking=no homelab@${HOSTNAME}.${SECRET_DOMAIN} "/bin/bash -s $truenas_api_key $cert_deploy_s3_enabled_str $pushover_api_token_str $pushover_user_key_str $secret_domain_str" << 'EOF' set -o nounset set -o errexit -PUSHOVER_API_KEY=$3 +PUSHOVER_API_TOKEN=$3 PUSHOVER_USER_KEY=$4 SECRET_DOMAIN=$5 @@ -48,7 +48,7 @@ if [[ "$result" == "${CERTS_DEPLOY_PRIVATE_KEY_PATH}" ]]; then echo "ERROR - Certificate is older than 69 days" echo "ERROR - Verify than it has been renewed by ACME client on opnsense and that the upload automation has been executed" curl -s \ - --form-string "token=${PUSHOVER_API_KEY}" \ + --form-string "token=${PUSHOVER_API_TOKEN}" \ --form-string "user=${PUSHOVER_USER_KEY}" \ --form-string "message=Certificate on $TARGET is older than 69 days. Verify than it has been renewed by ACME client on opnsense and that the upload automation has been executed" \ https://api.pushover.net/1/messages.json diff --git a/kubernetes/apps/default/truenas/app/externalsecret.yaml b/kubernetes/apps/default/truenas/app/externalsecret.yaml new file mode 100644 index 000000000..c7da46ea0 --- /dev/null +++ b/kubernetes/apps/default/truenas/app/externalsecret.yaml 
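Review bot: The rewritten `ssh` line still hands `$truenas_api_key`, `$pushover_api_token_str` and the other secret values to the remote `/bin/bash -s` as positional arguments, so they are visible to any local account on the TrueNAS host through the process list for the life of the session; renaming the variable to `PUSHOVER_API_TOKEN` does not change that. The script body already travels over stdin (`<< 'EOF'`), so the values can travel the same way: emit them as assignments ahead of the heredoc and drop the `PUSHOVER_API_TOKEN=$3` / `PUSHOVER_USER_KEY=$4` / `SECRET_DOMAIN=$5` lines (the `$1`/`$2` assignments are outside this hunk and need the same treatment). The same line, and the `scp` above it, keep `-o StrictHostKeyChecking=no`, which means an impersonated `${HOSTNAME}.${SECRET_DOMAIN}` receives these secrets without complaint; shipping a known_hosts entry and using `StrictHostKeyChecking=yes` (or at least `accept-new`) closes that. The values are already `%q`-quoted, so they are safe to place on the right-hand side of an assignment.
```shell
# … unchanged: printf -v … %q quoting of the secret values …
{
  printf 'TRUENAS_API_KEY_VAR_PLACEHOLDER=%s\n' "$truenas_api_key"      # use the name the $1 assignment outside this hunk expects
  printf 'S3_ENABLED_VAR_PLACEHOLDER=%s\n' "$cert_deploy_s3_enabled_str"  # likewise for $2
  printf 'PUSHOVER_API_TOKEN=%s\n' "$pushover_api_token_str"
  printf 'PUSHOVER_USER_KEY=%s\n' "$pushover_user_key_str"
  printf 'SECRET_DOMAIN=%s\n' "$secret_domain_str"
  cat <<'EOF'
set -o nounset
set -o errexit
# … unchanged: remainder of the remote script, minus the positional $1..$5 assignments …
EOF
} | ssh -o StrictHostKeyChecking=yes "homelab@${HOSTNAME}.${SECRET_DOMAIN}" /bin/bash -s
```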
@@ -0,0 +1,36 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: truenas + namespace: default +spec: + secretStoreRef: + kind: ClusterSecretStore + name: onepassword-connect + target: + name: truenas-secret + creationPolicy: Owner + template: + data: + # App + PUSHOVER_API_TOKEN: "{{ .TRUENAS_PUSHOVER_API_TOKEN }}" + PUSHOVER_USER_KEY: "{{ .PUSHOVER_USER_KEY }}" + TRUENAS_AWS_ACCESS_KEY_ID: "{{ .TRUENAS_AWS_ACCESS_KEY_ID }}" + TRUENAS_AWS_SECRET_ACCESS_KEY: "{{ .TRUENAS_AWS_SECRET_ACCESS_KEY }}" + TRUENAS_SSH_KEY: "{{ .TRUENAS_SSH_KEY }}" + TRUENAS_API_KEY: "{{ .TRUENAS_API_KEY }}" + TRUENAS_REMOTE_API_KEY: "{{ .TRUENAS_REMOTE_API_KEY }}" + SECRET_DOMAIN: "{{ .SECRET_DOMAIN }}" + SECRET_PUBLIC_DOMAIN: "{{ .SECRET_PUBLIC_DOMAIN }}" + SOPS_AGE_KEY: "{{ .SOPS_AGE_KEY }}" + dataFrom: + - extract: + key: generic + - extract: + key: pushover + - extract: + key: sops + - extract: + key: truenas diff --git a/kubernetes/apps/default/radarr/app/backups/kustomization.yaml b/kubernetes/apps/default/truenas/app/kustomization.yaml similarity index 61% rename from kubernetes/apps/default/radarr/app/backups/kustomization.yaml rename to kubernetes/apps/default/truenas/app/kustomization.yaml index 57bca902d..57b45fa2c 100644 --- a/kubernetes/apps/default/radarr/app/backups/kustomization.yaml +++ b/kubernetes/apps/default/truenas/app/kustomization.yaml @@ -2,6 +2,9 @@ # yaml-language-server: $schema=https://json.schemastore.org/kustomization apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization +namespace: default resources: - - ./replicationsource.yaml - - ./restic.sops.yaml + - ./backup + - ./certs-deploy + - ./externalsecret.yaml + - ./minio-rclone 
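Review bot: This ExternalSecret omits `engineVersion: v2` under `spec.target.template`, while the other ExternalSecrets introduced by this commit (`unifi/app/volsync.yaml`, `vikunja/app/externalsecret.yaml`, `vikunja/app/volsync.yaml`) set it explicitly. If the installed controller's default engine is not v2, the `{{ .KEY }}` templates in these files are rendered by different engines for no reason; add `engineVersion: v2` directly after `template:` so all four behave the same. Worth stating in a comment above `data:` as well is that this one Secret deliberately concentrates the `sops`, `pushover`, `truenas` and `generic` items, so that anyone granting `get` on `truenas-secret` or mounting it wholesale knows they are handing out the age key and the AWS pair together.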
diff --git a/kubernetes/apps/default/truenas/minio-rclone/helmrelease.yaml b/kubernetes/apps/default/truenas/app/minio-rclone/helmrelease.yaml similarity index 93% rename from kubernetes/apps/default/truenas/minio-rclone/helmrelease.yaml rename to kubernetes/apps/default/truenas/app/minio-rclone/helmrelease.yaml index 49c117734..1962c922c 100644 --- a/kubernetes/apps/default/truenas/minio-rclone/helmrelease.yaml +++ b/kubernetes/apps/default/truenas/app/minio-rclone/helmrelease.yaml @@ -6,7 +6,7 @@ metadata: name: truenas-minio-rclone namespace: default spec: - interval: 15m + interval: 30m chart: spec: chart: app-template @@ -15,7 +15,7 @@ spec: kind: HelmRepository name: bjw-s namespace: flux-system - maxHistory: 3 + maxHistory: 2 install: createNamespace: true remediation: @@ -52,7 +52,7 @@ spec: age: enabled: true type: secret - name: truenas-minio-rclone-secret - subPath: AGE_KEY + name: truenas-secret + subPath: SOPS_AGE_KEY mountPath: /app/age_key readOnly: true diff --git a/kubernetes/apps/default/truenas/minio-rclone/kustomization.yaml b/kubernetes/apps/default/truenas/app/minio-rclone/kustomization.yaml similarity index 94% rename from kubernetes/apps/default/truenas/minio-rclone/kustomization.yaml rename to kubernetes/apps/default/truenas/app/minio-rclone/kustomization.yaml index e4e1bb02a..38dbe79d9 100644 --- a/kubernetes/apps/default/truenas/minio-rclone/kustomization.yaml +++ b/kubernetes/apps/default/truenas/app/minio-rclone/kustomization.yaml @@ -5,7 +5,6 @@ kind: Kustomization namespace: default resources: - ./helmrelease.yaml - - ./secret.sops.yaml configMapGenerator: - name: truenas-minio-rclone-configmap files: diff --git a/kubernetes/apps/default/truenas/minio-rclone/minio-rclone.sh b/kubernetes/apps/default/truenas/app/minio-rclone/minio-rclone.sh similarity index 100% rename from kubernetes/apps/default/truenas/minio-rclone/minio-rclone.sh rename to kubernetes/apps/default/truenas/app/minio-rclone/minio-rclone.sh 
diff --git a/kubernetes/apps/default/truenas/backup/secret.sops.yaml b/kubernetes/apps/default/truenas/backup/secret.sops.yaml deleted file mode 100644 index 0125b6fb9..000000000 --- a/kubernetes/apps/default/truenas/backup/secret.sops.yaml +++ /dev/null @@ -1,30 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: truenas-backup-secret - namespace: default -type: Opaque -stringData: - AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:4Waq8U9rY/IsdzKInsJQGoXD1Q4=,iv:N05MKTKyY4LatzfPZS6Vke1dyZmYs0tOhU/O51K8mwQ=,tag:bQHdjgc5Xqg//PBOVuUccg==,type:str] - AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:JN6f87JOBaZVC5ue4aArSDrQ/NVe73vZZgmbXYeGAVcl4urzUbO4qA==,iv:i0RP/gidkJG7pccRVIT6FUd3IHm7Z5y2hnjSBqVwHLA=,tag:L688v2TfeIMnX7BNmA5kmA==,type:str] - SSH_KEY: ENC[AES256_GCM,data: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,iv:NkbvqlEf99WrgjBKF1vyl0kWxbsUcPzJmfTiiAsMUfI=,tag:3Okc7Dkh9bATeff8i2LQjw==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmMEhOUTJMcUYvNFozRDNr - WnhJTEYzVWN4V1VXemhtWWU1SmMvUmljNFFNCk91aHhXRVBDSzhhcjIzalQ5SEpN - cTJIOGVVYWNYRGdtMm5nZUZ5Q0EzTE0KLS0tIFRMYnNGakdrSktjT2ZoNk1sN21C - YlhlTVhRdDFJUVZiMTdtVXlveWNDWE0KG7MKLp5tUCm7KpuhpmsvAWDrreBuHSEp - zyH6hY1i7jgjh020qZI32zNDHeTIJhi+mHur/jvBJhEGLMz6JYUPrg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-01-02T20:30:20Z" - mac: ENC[AES256_GCM,data:O3rYI2l6/VbuxOD+uigagizpMzY6SIMXlu8sT2nWIDDp/7q1OLd8xilAKtTD85jYGbqFk5bluhyMiFdjq4sA9RZAPXoYY/l9RqMSBeR/gptUPAqK5qkYL9XX1AXbWuxziXIAtJYvyQuyTYeWPMsMNkmHNb1APxDWc0quUTfphjA=,iv:Tdvt08Qm6yD22YM9p0pQ/Gxfc4RAM9m9J0mBShAJ0X4=,tag:FgQxh1qBlVsfDRDCnmyyPA==,type:str] - pgp: [] - encrypted_regex: ^(data|stringData)$ - version: 3.7.3 
diff --git a/kubernetes/apps/default/truenas/certs-deploy/secret.sops.yaml b/kubernetes/apps/default/truenas/certs-deploy/secret.sops.yaml deleted file mode 100644 index f479ca0d8..000000000 --- a/kubernetes/apps/default/truenas/certs-deploy/secret.sops.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: truenas-certs-deploy-secret - namespace: default -type: Opaque -stringData: - TRUENAS_API_KEY: ENC[AES256_GCM,data:0B0eF5hqqwDuv61BFxirXqxrIEtABYCRnHv97XiiyIEEKM2+DH/L0VknFczxEZIbdhERip30is4irI8mUhJOT9S2,iv:JlHKJhRd/UPJh354GyUftnrFBHLZLhIRGSfYbxKriCs=,tag:njMr8GG+YCjKpZvK3pFWsQ==,type:str] - TRUENAS_REMOTE_API_KEY: ENC[AES256_GCM,data:hHsW9mHIVj9JQqJb/xdTwC0I9ro7OqVT5owjVS00VDplhl81f3zjSN7B+HL3YOVYg2VrjoJ/1Gukk7F413CXcqI7,iv:b2SAPCAmbcvfam9Kt6ess5musA7jawiQPVwxMKwJpmE=,tag:ILIgoNmSFXPGs6zRHi/u7Q==,type:str] - PUSHOVER_API_KEY: ENC[AES256_GCM,data:cyk9BKRm/sSP9/y58+P1T6KMog+FqD/088NFgJ9E,iv:4d9NorzBh+XpvV0oAk6eC+d5adcDkoqwpg/iX1tI6J0=,tag:PAWmAMz6p6wXjTtMSBeJwQ==,type:str] - PUSHOVER_USER_KEY: ENC[AES256_GCM,data:TDSEIhc63jIoquDRBAeU987nfDHIhrmie41m5iA/,iv:3pHGEh9tJgeBr0B6DIT0sKtfedEZSXkAsFd+7oaIb2U=,tag:6SMb0MQzXfQNNlGsVbr3AA==,type:str] - SSH_KEY: ENC[AES256_GCM,data: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,iv:vF3GSh82JgjFVTTkTJrxu142JQGIF1/1r9b1yfcDXGE=,tag:rf0/VoDl2vKwL9gwepX4rg==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmMEhOUTJMcUYvNFozRDNr - WnhJTEYzVWN4V1VXemhtWWU1SmMvUmljNFFNCk91aHhXRVBDSzhhcjIzalQ5SEpN - cTJIOGVVYWNYRGdtMm5nZUZ5Q0EzTE0KLS0tIFRMYnNGakdrSktjT2ZoNk1sN21C - YlhlTVhRdDFJUVZiMTdtVXlveWNDWE0KG7MKLp5tUCm7KpuhpmsvAWDrreBuHSEp - zyH6hY1i7jgjh020qZI32zNDHeTIJhi+mHur/jvBJhEGLMz6JYUPrg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-03-17T00:23:02Z" - mac: ENC[AES256_GCM,data:pIJwVCQaP73DElbqqxbA9jadVekYkvcHxnlanOtUdjHiNAYRwjXpJTssPEJC3TL+r4zBWZUlstDG4R9kgaY1Kz/dnhO7MuH/1FN6ShTWsDwgVJfJTtn8hfYiq9H7mHNwvscK7PbirQQYPCXMFFMDfK2CfKBIYkKmlzOMQvVRvlc=,iv:yexA2IKrIGFg8phkJhLkd211MDxBidfVdGL+PVzkAJ0=,tag:XnQdY6Md8PcWgyubtX3Ekw==,type:str] - pgp: [] - encrypted_regex: 
^(data|stringData)$ - version: 3.7.3 diff --git a/kubernetes/apps/default/truenas/ks.yaml b/kubernetes/apps/default/truenas/ks.yaml index 76cddb415..a76327f9f 100644 --- a/kubernetes/apps/default/truenas/ks.yaml +++ b/kubernetes/apps/default/truenas/ks.yaml @@ -3,12 +3,12 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: cluster-apps-truenas-backup + name: cluster-apps-truenas namespace: flux-system labels: substitution.flux.home.arpa/enabled: "true" spec: - path: ./kubernetes/apps/default/truenas/backup + path: ./kubernetes/apps/default/truenas prune: true sourceRef: kind: GitRepository @@ -18,48 +18,10 @@ spec: kind: HelmRelease name: truenas-backup namespace: default - interval: 30m - retryInterval: 1m - timeout: 3m ---- -# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/kustomization_v1beta2.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: cluster-apps-truenas-certs-deploy - namespace: flux-system - labels: - substitution.flux.home.arpa/enabled: "true" -spec: - path: ./kubernetes/apps/default/truenas/certs-deploy - prune: true - sourceRef: - kind: GitRepository - name: home-ops-kubernetes - healthChecks: - apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease name: truenas-certs-deploy namespace: default - interval: 30m - retryInterval: 1m - timeout: 3m ---- -# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/kustomization_v1beta2.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: cluster-apps-truenas-minio-rclone - namespace: flux-system - labels: - substitution.flux.home.arpa/enabled: "true" -spec: - path: ./kubernetes/apps/default/truenas/minio-rclone - prune: true - sourceRef: - kind: GitRepository - name: home-ops-kubernetes - healthChecks: - apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease name: truenas-minio-rclone 
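Review bot: `path: ./kubernetes/apps/default/truenas` in the first hunk points one level above the kustomization this commit creates: the renamed `kubernetes/apps/default/truenas/app/kustomization.yaml` is the file that lists `./backup`, `./certs-deploy`, `./externalsecret.yaml` and `./minio-rclone`, and the directory named here holds this `ks.yaml` itself. Unless a `kustomization.yaml` exists at `truenas/` outside this diff, kustomize-controller will auto-generate one for that directory, which picks up this Flux Kustomization as a resource of itself and only reaches the `app/` tree indirectly, if at all. The other apps touched here (unifi, vikunja) keep their resources under `<app>/app/`, so the line should read `path: ./kubernetes/apps/default/truenas/app`.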
diff --git a/kubernetes/apps/default/truenas/minio-rclone/secret.sops.yaml b/kubernetes/apps/default/truenas/minio-rclone/secret.sops.yaml deleted file mode 100644 index 56c0ffeba..000000000 --- a/kubernetes/apps/default/truenas/minio-rclone/secret.sops.yaml +++ /dev/null @@ -1,28 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: truenas-minio-rclone-secret - namespace: default -type: Opaque -stringData: - AGE_KEY: ENC[AES256_GCM,data:4xNBIadPDtcizBd02RW/JN1KiOIwkED4NtXAvuI6hxaOOzpfWh8hC2jrn8MLej0e+yXEcODe0KCUsx4p+GQEARSqOvrFWJ96XgoC1batFUmzGk8/WGdbaGt+zXxwsAPpJeEIYElPqy/XLgu+k1xdc/vvN78+RPnRXEWoxbSXonxuy9DJg1VQVaP2V9lKnHcIlYtQaz2xtdTBhOVAyaVKJxo11ievv96ZFY7eyX2YmaBtOfmU9pNH9InYqU+L,iv:ahXvBl2CgjOxB6MmcjMXBryf+MwahtII/NTxYIFa3DQ=,tag:+AriTfQEhOrfJCRnfes/Cw==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmMEhOUTJMcUYvNFozRDNr - WnhJTEYzVWN4V1VXemhtWWU1SmMvUmljNFFNCk91aHhXRVBDSzhhcjIzalQ5SEpN - cTJIOGVVYWNYRGdtMm5nZUZ5Q0EzTE0KLS0tIFRMYnNGakdrSktjT2ZoNk1sN21C - YlhlTVhRdDFJUVZiMTdtVXlveWNDWE0KG7MKLp5tUCm7KpuhpmsvAWDrreBuHSEp - zyH6hY1i7jgjh020qZI32zNDHeTIJhi+mHur/jvBJhEGLMz6JYUPrg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-01-02T22:33:41Z" - mac: ENC[AES256_GCM,data:DLH8O96zF76gLpyPBoN4vJz3iFfLTlJVovM5URp1LtaN3JxlMGoldhsbeCTWK2O90TTkzAh6BB+2nWa4yEx+VL1pOD8XSYDz5qZS3EpQ5Gf4yr9qSziSg/uLuw39T2OxQkWw5FVCK1mzbF+Pw7IUIasUQFDmM2xBiuYH4M2OYyI=,iv:481eBWmOpRB74G1y4ntMqHS2+DKC0+OOtOEO8eKspfA=,tag:/Be7ik2B+Ya9k9cQH3iVZw==,type:str] - pgp: [] - encrypted_regex: ^(data|stringData)$ - version: 3.7.3 diff --git a/kubernetes/apps/default/unifi/app/backups/kustomization.yaml b/kubernetes/apps/default/unifi/app/backups/kustomization.yaml deleted file mode 100644 index 57bca902d..000000000 
--- a/kubernetes/apps/default/unifi/app/backups/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./replicationsource.yaml - - ./restic.sops.yaml diff --git a/kubernetes/apps/default/unifi/app/backups/replicationsource.yaml b/kubernetes/apps/default/unifi/app/backups/replicationsource.yaml deleted file mode 100644 index 4ab79945a..000000000 --- a/kubernetes/apps/default/unifi/app/backups/replicationsource.yaml +++ /dev/null @@ -1,25 +0,0 @@ ---- -# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/replicationsource_v1alpha1.json -apiVersion: volsync.backube/v1alpha1 -kind: ReplicationSource -metadata: - name: unifi - namespace: default -spec: - sourcePVC: unifi-config - trigger: - schedule: "0 0 * * *" - restic: - copyMethod: Snapshot - pruneIntervalDays: 10 - repository: unifi-restic - cacheCapacity: 2Gi - volumeSnapshotClassName: csi-ceph-blockpool - storageClassName: rook-ceph-block - moverSecurityContext: - runAsUser: 999 - runAsGroup: 999 - fsGroup: 999 - retain: - daily: 10 - within: 3d diff --git a/kubernetes/apps/default/unifi/app/backups/restic.sops.yaml b/kubernetes/apps/default/unifi/app/backups/restic.sops.yaml deleted file mode 100644 index 546151ccb..000000000 --- a/kubernetes/apps/default/unifi/app/backups/restic.sops.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: unifi-restic -type: Opaque -stringData: - #ENC[AES256_GCM,data:WTM0Lkqp+sxjbUgkNzAVZQnC5g==,iv:4y8R8GpLy2Ogh3Lt3v6ibVbJF7jy8K1BOGi+ONt7S5c=,tag:wRhEBfRNHp0PBvIjM60iSA==,type:comment] - RESTIC_REPOSITORY: ENC[AES256_GCM,data:FthTBOx4mCQ2gDeoZXFhQfqTc8mEVxP80iRGMR7sa3ZLHACzZN1fJKjWEvmDZZrPdVm7jATT7g==,iv:LF73PZaA+S8FPtnSrkG+8iuN+3q+PxR2GL2VmwXaeNg=,tag:yhNZUDL6vT3ZfJpXtuyblA==,type:str] - #ENC[AES256_GCM,data:cRvGVeuDnEbJs01G+Und5ls1EgaC9Q2vj61IE/2R,iv:qSjv4bGEX9QWABhXgnCJsoj0p1kjgYaQwQX0Oyu9RHk=,tag:x8i1WXbAvdpC+Iv8pn/drw==,type:comment] - RESTIC_PASSWORD: ENC[AES256_GCM,data:6VI/lJQFZg6hu5r0SqNAKQAQGYY=,iv:UYRMnkHB4jsXcV1tyLDTAqh6dxsd18hYWsDoSpjJarA=,tag:d6hgK6LSgu7vZbLfquKcyA==,type:str] - #ENC[AES256_GCM,data:YIIHR5DwXv3YE9fFvNSAfrm47ZsshZMcY31LbaJ4gwXo0yOOHe6qDEc=,iv:axSMsvrIOkJFlErvw9fcAwLNSEWDh6mUU6dWZu6icIo=,tag:MDNlk43vcI9S4o6tMiWVmw==,type:comment] - #ENC[AES256_GCM,data:8Wspw6gPIPBsumfRS/5dlZrAQQqBJEDMgcpip4a3HCfHq8SeVDv4Gl0j3hyZqUsP5af8nN69Y/9bas7z1hnIERkrb8DqYg==,iv:WqCz9vBfg1JxUEpd97J37YztSW3HkcOHa6nIJI4VK8I=,tag:+LxnOzGidF39ojPKSOrVsg==,type:comment] - AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:I9vuuPEGS6A135zwKUNXvSIAjwk=,iv:dByy2WuuhO6OluWXYRwkdMutK33yKwOcWkR9hvY5bsg=,tag:xHU7Hbx+sxuZ9CRymA55JQ==,type:str] - AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kRdbENGS1F32JzkvktYkbfhMGBSrUpFSfyCdIpJwLOc+/2TyHAMrxA==,iv:Q+UKNT9aRo+A0KWu/FiST/4bOQKTOBJKHhpP8JXD3ao=,tag:7VE8lx2QAdNutcUj5kMNNA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RE9wTDZVRlExcnVKYjVZ - THNtblNXbGlSUitoS0FYV2k3dlg3aWZEMWxjCmZETUFGSnR0c3JZU2FHNnFneHdB - TEdlYjJTcjNsSDQ0dmgvNWlnNWo4TWMKLS0tIGR2Q25heThUUGliY0ZicDNra1FN - dGppaVJiME1FQnkzdVJOeTZMcjhYWE0KBrGQAYun1Zs3oyHWQ8iGvmF4hheP3md4 - 
3/Lc9CqEC+V1lT9On8ivEBethjt528vCyVMM5pLMRBEO6CMjlNhJ+g== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-12-28T04:29:55Z" - mac: ENC[AES256_GCM,data:XlsRVx6bf/r7G1os9tRykc2uwYRcmR+6+noK9ZyaSfJGFDs4NNTQRtk+aXZpPWo7L6BBYeeUk6gV/UjspwoLkKVAO9xOarux5hxN5PbZkS1sRAMTK6oyOZTNyxkhJwQwSj6w1n339yNpJHZcu6FpN1Lw5lGvbvI338RLW1bJ/zY=,iv:SJ1/Ovbp4c3w1B6Utpjk7Yoal3Z4EY6R9HHlV9KpzxQ=,tag:rMMzNLDdnC60mRLV76d/Yg==,type:str] - pgp: [] - encrypted_regex: ^(data|stringData)$ - version: 3.7.3 diff --git a/kubernetes/apps/default/unifi/app/helmrelease.yaml b/kubernetes/apps/default/unifi/app/helmrelease.yaml index 280fe589b..35c5bc6f9 100644 --- a/kubernetes/apps/default/unifi/app/helmrelease.yaml +++ b/kubernetes/apps/default/unifi/app/helmrelease.yaml @@ -6,7 +6,7 @@ metadata: name: &app unifi namespace: default spec: - interval: 15m + interval: 30m chart: spec: chart: app-template @@ -15,7 +15,7 @@ spec: kind: HelmRepository name: bjw-s namespace: flux-system - maxHistory: 3 + maxHistory: 2 install: createNamespace: true remediation: diff --git a/kubernetes/apps/default/unifi/app/kustomization.yaml b/kubernetes/apps/default/unifi/app/kustomization.yaml index b71b75551..39fd93644 100644 --- a/kubernetes/apps/default/unifi/app/kustomization.yaml +++ b/kubernetes/apps/default/unifi/app/kustomization.yaml @@ -4,6 +4,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namespace: default resources: - - ./backups - ./helmrelease.yaml + - ./volsync.yaml - ./volume.yaml diff --git a/kubernetes/apps/default/unifi/app/volsync.yaml b/kubernetes/apps/default/unifi/app/volsync.yaml new file mode 100644 index 000000000..74fe12259 --- /dev/null +++ b/kubernetes/apps/default/unifi/app/volsync.yaml 
@@ -0,0 +1,49 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: unifi-restic + namespace: default +spec: + secretStoreRef: + kind: ClusterSecretStore + name: onepassword-connect + target: + name: unifi-restic-secret + creationPolicy: Owner + template: + engineVersion: v2 + data: + RESTIC_REPOSITORY: '{{ .REPOSITORY_TEMPLATE }}/unifi' + RESTIC_PASSWORD: '{{ .RESTIC_PASSWORD }}' + AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}' + AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}' + dataFrom: + - extract: + key: volsync-restic-template +--- +# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/volsync.backube/replicationsource_v1alpha1.json +apiVersion: volsync.backube/v1alpha1 +kind: ReplicationSource +metadata: + name: unifi + namespace: default +spec: + sourcePVC: unifi-config + trigger: + schedule: "0 7 * * *" + restic: + copyMethod: Snapshot + pruneIntervalDays: 7 + repository: unifi-restic-secret + cacheCapacity: 2Gi + volumeSnapshotClassName: csi-ceph-blockpool + storageClassName: rook-ceph-block + moverSecurityContext: + runAsUser: 999 + runAsGroup: 999 + fsGroup: 999 + retain: + daily: 7 + within: 3d diff --git a/kubernetes/apps/default/vikunja/app/backups/kustomization.yaml b/kubernetes/apps/default/vikunja/app/backups/kustomization.yaml deleted file mode 100644 index 57bca902d..000000000 --- a/kubernetes/apps/default/vikunja/app/backups/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./replicationsource.yaml - - ./restic.sops.yaml 
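Review bot: `RESTIC_PASSWORD`, `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` are all taken from the single `volsync-restic-template` item, and `vikunja/app/volsync.yaml` in this commit does the same, so every application's restic repository under `{{ .REPOSITORY_TEMPLATE }}/…` appears to share one password and one object-store key pair; whoever obtains `unifi-restic-secret` can read or delete the backups of every other app as well. A per-app `RESTIC_PASSWORD` field (e.g. extracting it from the app's own item, as `vikunja/app/externalsecret.yaml` does for its database credentials) and, where the store supports it, a per-prefix access key would confine that to one repository. On the ReplicationSource side, `retain: daily: 7` with `within: 3d` and `pruneIntervalDays: 7` means any corruption or deletion that goes unnoticed for a week is unrecoverable; adding `weekly:`/`monthly:` entries under `retain` is cheap insurance. A one-line comment above `dataFrom:` noting that the item is shared by all volsync consumers would make the trade-off visible to the next reader.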
diff --git a/kubernetes/apps/default/vikunja/app/backups/replicationsource.yaml b/kubernetes/apps/default/vikunja/app/backups/replicationsource.yaml deleted file mode 100644 index 5f6d1ff08..000000000 --- a/kubernetes/apps/default/vikunja/app/backups/replicationsource.yaml +++ /dev/null @@ -1,25 +0,0 @@ ---- -# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/replicationsource_v1alpha1.json -apiVersion: volsync.backube/v1alpha1 -kind: ReplicationSource -metadata: - name: vikunja - namespace: default -spec: - sourcePVC: vikunja-files - trigger: - schedule: "0 0 * * *" - restic: - copyMethod: Snapshot - pruneIntervalDays: 10 - repository: vikunja-restic - cacheCapacity: 2Gi - volumeSnapshotClassName: csi-ceph-blockpool - storageClassName: rook-ceph-block - moverSecurityContext: - runAsUser: 1000 - runAsGroup: 1000 - fsGroup: 1000 - retain: - daily: 10 - within: 3d diff --git a/kubernetes/apps/default/vikunja/app/backups/restic.sops.yaml b/kubernetes/apps/default/vikunja/app/backups/restic.sops.yaml deleted file mode 100644 index 8386cf998..000000000 --- a/kubernetes/apps/default/vikunja/app/backups/restic.sops.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: vikunja-restic - namespace: default -type: Opaque -stringData: - #ENC[AES256_GCM,data:WTM0Lkqp+sxjbUgkNzAVZQnC5g==,iv:4y8R8GpLy2Ogh3Lt3v6ibVbJF7jy8K1BOGi+ONt7S5c=,tag:wRhEBfRNHp0PBvIjM60iSA==,type:comment] - RESTIC_REPOSITORY: ENC[AES256_GCM,data:DRnr4ptC0pZnm1K+Vov2pOS89+PXdZA3xtQVGedWFYJJxKAWnJlF2I4VWvegxNGxDRzDFrPAWOZp,iv:FoHVMYFLdC00BjbSUeoac1CoQA06Jm/fV+NEeWpAx8Y=,tag:AmOc73QKyRAgMPGYpVdMgg==,type:str] - #ENC[AES256_GCM,data:cRvGVeuDnEbJs01G+Und5ls1EgaC9Q2vj61IE/2R,iv:qSjv4bGEX9QWABhXgnCJsoj0p1kjgYaQwQX0Oyu9RHk=,tag:x8i1WXbAvdpC+Iv8pn/drw==,type:comment] - RESTIC_PASSWORD: ENC[AES256_GCM,data:6VI/lJQFZg6hu5r0SqNAKQAQGYY=,iv:UYRMnkHB4jsXcV1tyLDTAqh6dxsd18hYWsDoSpjJarA=,tag:d6hgK6LSgu7vZbLfquKcyA==,type:str] - #ENC[AES256_GCM,data:YIIHR5DwXv3YE9fFvNSAfrm47ZsshZMcY31LbaJ4gwXo0yOOHe6qDEc=,iv:axSMsvrIOkJFlErvw9fcAwLNSEWDh6mUU6dWZu6icIo=,tag:MDNlk43vcI9S4o6tMiWVmw==,type:comment] - #ENC[AES256_GCM,data:8Wspw6gPIPBsumfRS/5dlZrAQQqBJEDMgcpip4a3HCfHq8SeVDv4Gl0j3hyZqUsP5af8nN69Y/9bas7z1hnIERkrb8DqYg==,iv:WqCz9vBfg1JxUEpd97J37YztSW3HkcOHa6nIJI4VK8I=,tag:+LxnOzGidF39ojPKSOrVsg==,type:comment] - AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:I9vuuPEGS6A135zwKUNXvSIAjwk=,iv:dByy2WuuhO6OluWXYRwkdMutK33yKwOcWkR9hvY5bsg=,tag:xHU7Hbx+sxuZ9CRymA55JQ==,type:str] - AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kRdbENGS1F32JzkvktYkbfhMGBSrUpFSfyCdIpJwLOc+/2TyHAMrxA==,iv:Q+UKNT9aRo+A0KWu/FiST/4bOQKTOBJKHhpP8JXD3ao=,tag:7VE8lx2QAdNutcUj5kMNNA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RE9wTDZVRlExcnVKYjVZ - THNtblNXbGlSUitoS0FYV2k3dlg3aWZEMWxjCmZETUFGSnR0c3JZU2FHNnFneHdB - TEdlYjJTcjNsSDQ0dmgvNWlnNWo4TWMKLS0tIGR2Q25heThUUGliY0ZicDNra1FN - dGppaVJiME1FQnkzdVJOeTZMcjhYWE0KBrGQAYun1Zs3oyHWQ8iGvmF4hheP3md4 - 
3/Lc9CqEC+V1lT9On8ivEBethjt528vCyVMM5pLMRBEO6CMjlNhJ+g== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-12-28T06:25:36Z" - mac: ENC[AES256_GCM,data:aI42cmAJAJd+NhktFhGTZ7uheN3HOWsJhzXKXZasdj4X0T/+COCO/+vjLcY1JH3rlkRi1GQm/PD+b/qncg1wczrn5YGiJJqyS+UmnGKaElBqFuI+/A78eN9BSX958yHuyHRHNUyXOEC0NCyjb5nOSdQi2nDaZX0biMQwXAxHLQQ=,iv:HQnXpSChZXVRhwbitJw1RIJBQdIi64+hfYG8LYiMfPs=,tag:P6kJp+32HXimosiVBuJVEw==,type:str] - pgp: [] - encrypted_regex: ^(data|stringData)$ - version: 3.7.3 diff --git a/kubernetes/apps/default/vikunja/app/externalsecret.yaml b/kubernetes/apps/default/vikunja/app/externalsecret.yaml new file mode 100644 index 000000000..5af69d19a --- /dev/null +++ b/kubernetes/apps/default/vikunja/app/externalsecret.yaml @@ -0,0 +1,35 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: vikunja + namespace: default +spec: + secretStoreRef: + kind: ClusterSecretStore + name: onepassword-connect + target: + name: vikunja-secret + creationPolicy: Owner + template: + engineVersion: v2 + data: + # App + VIKUNJA_DATABASE_HOST: &dbHost postgres-rw.default.svc.cluster.local. + VIKUNJA_DATABASE_DATABASE: &dbName vikunja + VIKUNJA_DATABASE_USER: &dbUser "{{ .VIKUNJA_POSTGRES_USER }}" + VIKUNJA_DATABASE_PASSWORD: &dbPass "{{ .VIKUNJA_POSTGRES_PASS }}" + VIKUNJA_DATABASE_TYPE: postgres + VIKUNJA_SERVICE_JWTSECRET: "{{ .VIKUNJA_SERVICE_JWTSECRET }}" + # Postgres Init + INIT_POSTGRES_DBNAME: *dbName + INIT_POSTGRES_HOST: *dbHost + INIT_POSTGRES_USER: *dbUser + INIT_POSTGRES_PASS: *dbPass + INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" + dataFrom: + - extract: + key: cloudnative-pg + - extract: + key: vikunja diff --git a/kubernetes/apps/default/vikunja/app/helmrelease.yaml b/kubernetes/apps/default/vikunja/app/helmrelease.yaml index fac244ba3..6daf44fc2 100644 
--- a/kubernetes/apps/default/vikunja/app/helmrelease.yaml +++ b/kubernetes/apps/default/vikunja/app/helmrelease.yaml @@ -6,7 +6,7 @@ metadata: name: &app vikunja namespace: default spec: - interval: 15m + interval: 30m chart: spec: chart: app-template @@ -15,7 +15,7 @@ spec: kind: HelmRepository name: bjw-s namespace: flux-system - maxHistory: 3 + maxHistory: 2 install: createNamespace: true remediation: @@ -27,15 +27,27 @@ spec: uninstall: keepHistory: false values: + initContainers: + 01-init-db: + image: ghcr.io/onedr0p/postgres-init:14.8 + imagePullPolicy: IfNotPresent + envFrom: &envFrom + - secretRef: + name: &secret vikunja-secret controller: - replicas: 1 + annotations: + reloader.stakater.com/auto: "true" strategy: Recreate image: repository: caddy tag: 2.6.4-alpine envFrom: - secretRef: - name: *app + name: vikunja-secret + env: + VIKUNJA_MAILER_HOST: smtp-relay.default.svc.cluster.local. + VIKUNJA_MAILER_PORT: "2525" + VIKUNJA_MAILER_FROMEMAIL: Vikunja service: main: ports: @@ -68,7 +80,7 @@ spec: type: "custom" volumeSpec: configMap: - name: *app + name: vikunja-configmap vikunja-config: enabled: "true" mountPath: /etc/vikunja/config.yml @@ -76,10 +88,7 @@ spec: type: "custom" volumeSpec: configMap: - name: *app - podAnnotations: - configMap.reloader.stakater.com/reload: *app - secret.reloader.stakater.com/reload: *app + name: vikunja-configmap resources: requests: cpu: 5m 
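Review bot: The controller container's `envFrom` now references `vikunja-secret` wholesale, and the `api` sidecar in the following hunk (`@@ -91,28 +100,7 @@`) does the same via `envFrom: *envFrom`; since `vikunja/app/externalsecret.yaml` in this commit writes `INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"` into that Secret, the Postgres superuser password becomes an environment variable of the Caddy and Vikunja containers, whereas only the `01-init-db` init container needs it (the previous `secretKeyRef` entries the sidecar hunk removes were scoped to just `VIKUNJA_*`). Split the init credentials into their own Secret (or a second ExternalSecret with only the `INIT_POSTGRES_*` keys) and reference it solely from `initContainers`, or replace the two app-container `envFrom` blocks with `env` entries using `valueFrom.secretKeyRef` for the `VIKUNJA_*` keys. Minor: `name: &secret vikunja-secret` defines an anchor that nothing in the visible hunks dereferences, and the controller's `envFrom` repeats the literal name two lines later; either use `name: *secret` there or drop the anchor.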
@@ -91,28 +100,7 @@ spec: name: api image: vikunja/api:0.21.0 imagePullPolicy: IfNotPresent - env: - - name: VIKUNJA_SERVICE_JWTSECRET - valueFrom: - secretKeyRef: - name: vikunja - key: VIKUNJA_SERVICE_JWTSECRET - - name: VIKUNJA_DATABASE_TYPE - value: postgres - - name: VIKUNJA_DATABASE_HOST - value: ${POSTGRES_HOST} - - name: VIKUNJA_DATABASE_DATABASE - value: vikunja - - name: VIKUNJA_DATABASE_USER - valueFrom: - secretKeyRef: - name: vikunja - key: VIKUNJA_DATABASE_USER - - name: VIKUNJA_DATABASE_PASSWORD - valueFrom: - secretKeyRef: - name: vikunja - key: VIKUNJA_DATABASE_PASSWORD + envFrom: *envFrom volumeMounts: - name: vikunja-config mountPath: /etc/vikunja/config.yml diff --git a/kubernetes/apps/default/vikunja/app/kustomization.yaml b/kubernetes/apps/default/vikunja/app/kustomization.yaml index 984e6a496..28456d43f 100644 --- a/kubernetes/apps/default/vikunja/app/kustomization.yaml +++ b/kubernetes/apps/default/vikunja/app/kustomization.yaml @@ -4,14 +4,12 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namespace: default resources: - - ./backups + - ./externalsecret.yaml - ./helmrelease.yaml - - ./secret.sops.yaml + - ./volsync.yaml - ./volume.yaml -patchesStrategicMerge: - - ./patches/postgres.yaml configMapGenerator: - - name: vikunja + - name: vikunja-configmap files: - ./config/Caddyfile generatorOptions: diff --git a/kubernetes/apps/default/vikunja/app/patches/postgres.yaml b/kubernetes/apps/default/vikunja/app/patches/postgres.yaml deleted file mode 100644 index 2f2d75f32..000000000 --- a/kubernetes/apps/default/vikunja/app/patches/postgres.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ ---- -# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helm.toolkit.fluxcd.io/helmrelease_v2beta1.json -apiVersion: helm.toolkit.fluxcd.io/v2beta1 -kind: HelmRelease -metadata: - name: vikunja - namespace: default -spec: - values: - initContainers: - init-db: - image: ghcr.io/onedr0p/postgres-initdb:14.8 - env: - - name: POSTGRES_HOST - value: ${POSTGRES_HOST} - - name: POSTGRES_DB - value: vikunja - - name: POSTGRES_SUPER_PASS - valueFrom: - secretKeyRef: - name: postgres-superuser - key: password - - name: POSTGRES_USER - valueFrom: - secretKeyRef: - name: vikunja - key: VIKUNJA_DATABASE_USER - - name: POSTGRES_PASS - valueFrom: - secretKeyRef: - name: vikunja - key: VIKUNJA_DATABASE_PASSWORD diff --git a/kubernetes/apps/default/vikunja/app/secret.sops.yaml b/kubernetes/apps/default/vikunja/app/secret.sops.yaml deleted file mode 100644 index cdc338b59..000000000 --- a/kubernetes/apps/default/vikunja/app/secret.sops.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -# yamllint disable -apiVersion: v1 -kind: Secret -metadata: - name: vikunja - namespace: default -type: Opaque -stringData: - VIKUNJA_SERVICE_JWTSECRET: ENC[AES256_GCM,data:4J8HtMOUKxNTEksSXYKrAAQ2KNFvdluzTvzY05/8T7k=,iv:h/666tO3f5hplYEaVJsh4BGjPlO/sFopb3+ryI3dzsQ=,tag:8dJLb9f2QgH9S/8qwF2ryg==,type:str] - VIKUNJA_DATABASE_USER: ENC[AES256_GCM,data:IzqNYqs+HQ==,iv:bfIcOoN/DhtqAcTYtSRBXnnPF+0zM4YY+kKYGesEUJo=,tag:4C1FeAoG6QOc2AqKRKxaSw==,type:str] - VIKUNJA_DATABASE_PASSWORD: ENC[AES256_GCM,data:7EylHKZA0JLmu+9ooB8oVw==,iv:AaXKHrU9yBPE1hci/cfOtnkxq5XHVeoJbRLzJ/SjLxE=,tag:x9stCWILtUYHjxBKNrhXEg==,type:str] - VIKUNJA_MAILER_HOST: ENC[AES256_GCM,data:oRfkMDOjxFl1f/EOlAkkHgEFTufyYjcvv6RwFSMRyLGKt/wr8A==,iv:U3Jafk0PMBnjzEfvyZ9x5oUUfulCee7j6FTgg+bNGiA=,tag:b0EYelcD1+mZJgF6MGQbiA==,type:str] - VIKUNJA_MAILER_PORT: ENC[AES256_GCM,data:hR5uWg==,iv:r7C2+WKphiadrgSC5yPlSEzB848im2sycU/3JW/B8PQ=,tag:W1wZ+onDoOtQc/Ew40JFkg==,type:str] - VIKUNJA_MAILER_FROMEMAIL: ENC[AES256_GCM,data:UpQWnJN0aLcBYAi238SGkWg1TrjOqUXA3JtBSalZVfuroA==,iv:VVUjuNiIc82KlH2pd0qMlOIZEoRi3DHcRqP1yGTk/IU=,tag:PVqBIYoD9Tz1hg74coLeHA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4TWU5YTlFY3FPQWhnZ2I2 - akxnZ2xIRVNFZTdOWmg0dFhxTUNoZEFIM1cwCit5WnduNlQ1MkF2aytCVldMeVlC - Yk5QNWRQRllOT3ZTL3VGcjJNK1VqeUkKLS0tIFMyWHNFd29nc2tMektxclJkK0pT - Ny9OQ0l4ZXMrdW40NmRsbzgvZ0w5V3cKqTGvN5zk2TPgtxoVfwI7Wsz4N+lC9+Kq - DCXTgTU/QXm9dvo4ErPPzeWFqdk4JchExhvSJV2JfM32O+3z+EGhNg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-09-16T20:42:23Z" - mac: 
ENC[AES256_GCM,data:0fH3fnxti4QLymzxc0gN5SWXbzpKUl0Mq2OG/fs5jx3YB9YW2ZNR6D7eO7A0dtF8G61YZT/fL4+MJtcQW8Gl/snVAFdEU2GLs6Jr5orCFvoHzaIzkl68/eehrWC6CFHpfljlBqNn5lA85GU8t4zrIbZiO207rDdPYsTZIXu3G8E=,iv:bOzx4OVPkoTbvABLsRF11VshmYIyTImhgRbPEiCF6lM=,tag:3I2VNKnAeqwK5yqdYiK0hQ==,type:str]
- pgp: []
- encrypted_regex: ^(data|stringData)$
- version: 3.7.3
diff --git a/kubernetes/apps/default/vikunja/app/volsync.yaml b/kubernetes/apps/default/vikunja/app/volsync.yaml
new file mode 100644
index 000000000..b67152a63
--- /dev/null
+++ b/kubernetes/apps/default/vikunja/app/volsync.yaml
@@ -0,0 +1,49 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: vikunja-restic
+ namespace: default
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword-connect
+ target:
+ name: vikunja-restic-secret
+ creationPolicy: Owner
+ template:
+ engineVersion: v2
+ data:
+ RESTIC_REPOSITORY: '{{ .REPOSITORY_TEMPLATE }}/vikunja'
+ RESTIC_PASSWORD: '{{ .RESTIC_PASSWORD }}'
+ AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}'
+ AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}'
+ dataFrom:
+ - extract:
+ key: volsync-restic-template
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/volsync.backube/replicationsource_v1alpha1.json
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+ name: vikunja
+ namespace: default
+spec:
+ sourcePVC: vikunja-files
+ trigger:
+ schedule: "0 7 * * *"
+ restic:
+ copyMethod: Snapshot
+ pruneIntervalDays: 7
+ repository: vikunja-restic-secret
+ cacheCapacity: 20Gi
+ volumeSnapshotClassName: csi-ceph-blockpool
+ storageClassName: rook-ceph-block
+ moverSecurityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
+ retain:
+ daily: 7
+ within: 3d
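Review bot: `RESTIC_PASSWORD`, `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` are all rendered from the single `volsync-restic-template` item, and the zigbee2mqtt and zwave-js-ui ExternalSecrets on L86 and L90 do the same, so each app's `*-restic-secret` holds the password and S3 key pair that unlock every repository under `REPOSITORY_TEMPLATE`. The removed SOPS secrets for zigbee2mqtt and zwave-js-ui already carry identical `RESTIC_PASSWORD` ciphertext, so this is not a regression, but a per-app password key in the 1Password item (name of your choosing, referenced as `'{{ .<APP_RESTIC_PASSWORD> }}'` with the placeholder filled in) would keep one leaked app secret from decrypting the other apps' backups. `cacheCapacity: 20Gi` here versus `10Gi` in the other two files also deserves a short comment if it is deliberate.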
diff --git a/kubernetes/apps/default/vikunja/ks.yaml b/kubernetes/apps/default/vikunja/ks.yaml
index d374a1ff7..9b98eed49 100644
--- a/kubernetes/apps/default/vikunja/ks.yaml
+++ b/kubernetes/apps/default/vikunja/ks.yaml
@@ -15,6 +15,7 @@ spec:
 name: home-ops-kubernetes
 dependsOn:
 - name: cluster-apps-cloudnative-pg-cluster
+ - name: cluster-apps-external-secrets-stores
 - name: cluster-apps-rook-ceph-cluster
 - name: cluster-apps-volsync-app
 healthChecks:
diff --git a/kubernetes/apps/default/zigbee2mqtt/app/backups/kustomization.yaml b/kubernetes/apps/default/zigbee2mqtt/app/backups/kustomization.yaml
deleted file mode 100644
index 57bca902d..000000000
--- a/kubernetes/apps/default/zigbee2mqtt/app/backups/kustomization.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-# yaml-language-server: $schema=https://json.schemastore.org/kustomization
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - ./replicationsource.yaml
- - ./restic.sops.yaml
diff --git a/kubernetes/apps/default/zigbee2mqtt/app/backups/replicationsource.yaml b/kubernetes/apps/default/zigbee2mqtt/app/backups/replicationsource.yaml
deleted file mode 100644
index 10b7ef87c..000000000
--- a/kubernetes/apps/default/zigbee2mqtt/app/backups/replicationsource.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/replicationsource_v1alpha1.json
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
- name: zigbee2mqtt
- namespace: default
-spec:
- sourcePVC: zigbee2mqtt-config
- trigger:
- schedule: "0 0 * * *"
- restic:
- copyMethod: Snapshot
- pruneIntervalDays: 10
- repository: zigbee2mqtt-restic
- cacheCapacity: 2Gi
- volumeSnapshotClassName: csi-ceph-blockpool
- storageClassName: rook-ceph-block
- retain:
- daily: 10
- within: 3d
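Review bot: The new `cluster-apps-external-secrets-stores` dependency is added for vikunja only, while zigbee2mqtt and zwave-js-ui also gain an ExternalSecret against the `onepassword-connect` ClusterSecretStore in this commit (L86, L90) and no change to their ks.yaml files is visible in this diff. If those Flux Kustomizations do not already list the stores dependency, their ReplicationSources can be applied before the `*-restic-secret` exists, and the first scheduled backup would fail until the secret reconciles. Worth confirming the other two ks.yaml files or adding the same `- name: cluster-apps-external-secrets-stores` entry there.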
diff --git a/kubernetes/apps/default/zigbee2mqtt/app/backups/restic.sops.yaml b/kubernetes/apps/default/zigbee2mqtt/app/backups/restic.sops.yaml
deleted file mode 100644
index dc24f53c3..000000000
--- a/kubernetes/apps/default/zigbee2mqtt/app/backups/restic.sops.yaml
+++ /dev/null
@@ -1,35 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: zigbee2mqtt-restic - namespace: default -type: Opaque -stringData: - #ENC[AES256_GCM,data:WTM0Lkqp+sxjbUgkNzAVZQnC5g==,iv:4y8R8GpLy2Ogh3Lt3v6ibVbJF7jy8K1BOGi+ONt7S5c=,tag:wRhEBfRNHp0PBvIjM60iSA==,type:comment] - RESTIC_REPOSITORY: ENC[AES256_GCM,data:L1Pxmxv7nkAOhkfxBqaFUyjN06zDQ7Ch9zwWd6zGz1Rqy4Lz3K9vyzsteB2TAULio106cMb23UlhhybviQ==,iv:tpkWyt79gi2M1s//rClBfScw6OAOf+5gqUHVhTuB1oA=,tag:+r5keMgEuAGGJYqOnUDmMg==,type:str] - #ENC[AES256_GCM,data:cRvGVeuDnEbJs01G+Und5ls1EgaC9Q2vj61IE/2R,iv:qSjv4bGEX9QWABhXgnCJsoj0p1kjgYaQwQX0Oyu9RHk=,tag:x8i1WXbAvdpC+Iv8pn/drw==,type:comment] - RESTIC_PASSWORD: ENC[AES256_GCM,data:6VI/lJQFZg6hu5r0SqNAKQAQGYY=,iv:UYRMnkHB4jsXcV1tyLDTAqh6dxsd18hYWsDoSpjJarA=,tag:d6hgK6LSgu7vZbLfquKcyA==,type:str] - #ENC[AES256_GCM,data:YIIHR5DwXv3YE9fFvNSAfrm47ZsshZMcY31LbaJ4gwXo0yOOHe6qDEc=,iv:axSMsvrIOkJFlErvw9fcAwLNSEWDh6mUU6dWZu6icIo=,tag:MDNlk43vcI9S4o6tMiWVmw==,type:comment] - #ENC[AES256_GCM,data:8Wspw6gPIPBsumfRS/5dlZrAQQqBJEDMgcpip4a3HCfHq8SeVDv4Gl0j3hyZqUsP5af8nN69Y/9bas7z1hnIERkrb8DqYg==,iv:WqCz9vBfg1JxUEpd97J37YztSW3HkcOHa6nIJI4VK8I=,tag:+LxnOzGidF39ojPKSOrVsg==,type:comment] - AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:I9vuuPEGS6A135zwKUNXvSIAjwk=,iv:dByy2WuuhO6OluWXYRwkdMutK33yKwOcWkR9hvY5bsg=,tag:xHU7Hbx+sxuZ9CRymA55JQ==,type:str] - AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kRdbENGS1F32JzkvktYkbfhMGBSrUpFSfyCdIpJwLOc+/2TyHAMrxA==,iv:Q+UKNT9aRo+A0KWu/FiST/4bOQKTOBJKHhpP8JXD3ao=,tag:7VE8lx2QAdNutcUj5kMNNA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RE9wTDZVRlExcnVKYjVZ - THNtblNXbGlSUitoS0FYV2k3dlg3aWZEMWxjCmZETUFGSnR0c3JZU2FHNnFneHdB - TEdlYjJTcjNsSDQ0dmgvNWlnNWo4TWMKLS0tIGR2Q25heThUUGliY0ZicDNra1FN - dGppaVJiME1FQnkzdVJOeTZMcjhYWE0KBrGQAYun1Zs3oyHWQ8iGvmF4hheP3md4 - 
3/Lc9CqEC+V1lT9On8ivEBethjt528vCyVMM5pLMRBEO6CMjlNhJ+g== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-12-28T07:03:26Z" - mac: ENC[AES256_GCM,data:Ibdqa/ZFeJ1MCJIVUWkeAscsVyTVma29RYgs9Ry/UNVhogkxZxSuouvpjASfygVo6nkhUsjM1zbgwPKP6yY1kvpTtj0rCErJirS1FkhlgoCDkfeh7O+5bsInbo0UnmSVitIuyxH1FuQAyqwhnf/SAOoq9uy/K8vzwInisLsgIuU=,iv:U/PQXaFAURKE5BuvToFnP5Js+HXXm7R53/eBUgxX0Ek=,tag:kQESc+NVRepUUoF2m80NCA==,type:str] - pgp: [] - encrypted_regex: ^(data|stringData)$ - version: 3.7.3 diff --git a/kubernetes/apps/default/zigbee2mqtt/app/helmrelease.yaml b/kubernetes/apps/default/zigbee2mqtt/app/helmrelease.yaml index 532a0699f..b90a4f569 100644 --- a/kubernetes/apps/default/zigbee2mqtt/app/helmrelease.yaml +++ b/kubernetes/apps/default/zigbee2mqtt/app/helmrelease.yaml 
@@ -31,6 +31,47 @@ spec:
 image:
 repository: koenkk/zigbee2mqtt
 tag: 1.32.1
+ env:
+ TZ: "${TIMEZONE}"
+ ZIGBEE2MQTT_DATA: /data
+ ZIGBEE2MQTT_CONFIG_ADVANCED_HOMEASSISTANT_DISCOVERY_TOPIC: homeassistant
+ ZIGBEE2MQTT_CONFIG_ADVANCED_HOMEASSISTANT_LEGACY_ENTITY_ATTRIBUTES: "true"
+ ZIGBEE2MQTT_CONFIG_ADVANCED_HOMEASSISTANT_LEGACY_TRIGGERS: "true"
+ ZIGBEE2MQTT_CONFIG_ADVANCED_HOMEASSISTANT_STATUS_TOPIC: homeassistant/status
+ ZIGBEE2MQTT_CONFIG_ADVANCED_LAST_SEEN: ISO_8601
+ ZIGBEE2MQTT_CONFIG_ADVANCED_LEGACY_API: "false"
+ ZIGBEE2MQTT_CONFIG_ADVANCED_LEGACY_AVAILABILITY_PAYLOAD: "false"
+ ZIGBEE2MQTT_CONFIG_ADVANCED_LOG_LEVEL: warn
+ ZIGBEE2MQTT_CONFIG_ADVANCED_LOG_OUTPUT: '["console"]'
+ ZIGBEE2MQTT_CONFIG_ADVANCED_NETWORK_KEY: "[204, 61, 75, 23, 44, 230, 24, 203, 53, 5, 248, 32, 50, 84, 44, 159]"
+ ZIGBEE2MQTT_CONFIG_AVAILABILITY_ACTIVE_TIMEOUT: 60
+ ZIGBEE2MQTT_CONFIG_AVAILABILITY_PASSIVE_TIMEOUT: 2000
+ ZIGBEE2MQTT_CONFIG_DEVICE_OPTIONS_LEGACY: "false"
+ ZIGBEE2MQTT_CONFIG_DEVICE_OPTIONS_RETAIN: "true"
+ ZIGBEE2MQTT_CONFIG_EXPERIMENTAL_NEW_API: "true"
+ ZIGBEE2MQTT_CONFIG_FRONTEND_PORT: 8080
+ ZIGBEE2MQTT_CONFIG_FRONTEND_URL: "https://zigbee.${SECRET_CLUSTER_DOMAIN}"
+ ZIGBEE2MQTT_CONFIG_HOMEASSISTANT: "true"
+ ZIGBEE2MQTT_CONFIG_MQTT_INCLUDE_DEVICE_INFORMATION: "true"
+ ZIGBEE2MQTT_CONFIG_MQTT_KEEPALIVE: 60
+ ZIGBEE2MQTT_CONFIG_MQTT_REJECT_UNAUTHORIZED: "true"
+ ZIGBEE2MQTT_CONFIG_MQTT_SERVER: "mqtt://emqx.default.svc.cluster.local."
+ ZIGBEE2MQTT_CONFIG_MQTT_VERSION: 5
+ ZIGBEE2MQTT_CONFIG_MQTT_USER:
+ valueFrom:
+ secretKeyRef:
+ name: emqx-config
+ key: user_1_username
+ ZIGBEE2MQTT_CONFIG_MQTT_PASSWORD:
+ valueFrom:
+ secretKeyRef:
+ name: emqx-config
+ key: user_1_password
+ ZIGBEE2MQTT_CONFIG_PERMIT_JOIN: "false"
+ ZIGBEE2MQTT_CONFIG_SERIAL_PORT: /dev/serial/by-id/usb-1a86_USB_Serial-if00-port0
+
+ # ZIGBEE2MQTT_CONFIG_DEVICES: devices.yaml
+ # ZIGBEE2MQTT_CONFIG_GROUPS: groups.yaml
 service:
 main:
 ports:
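Review bot: `ZIGBEE2MQTT_CONFIG_ADVANCED_NETWORK_KEY` is a plaintext Zigbee network key committed to the repository; it was already in the removed `patches/env.yaml` (L85), so the exposure is not new, but this hunk is the point to move it behind `valueFrom.secretKeyRef` the way `ZIGBEE2MQTT_CONFIG_MQTT_USER` and `ZIGBEE2MQTT_CONFIG_MQTT_PASSWORD` are, now that this app has ExternalSecrets available. A key that has lived in git history should be treated as disclosed and rotated, which for Zigbee means re-pairing devices, so plan the rotation rather than treating it as a quick edit. The `env:` block is inside a values tree that continues outside the hunk.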
diff --git a/kubernetes/apps/default/zigbee2mqtt/app/kustomization.yaml b/kubernetes/apps/default/zigbee2mqtt/app/kustomization.yaml
index 66abd88cb..5c65a9b80 100644
--- a/kubernetes/apps/default/zigbee2mqtt/app/kustomization.yaml
+++ b/kubernetes/apps/default/zigbee2mqtt/app/kustomization.yaml
@@ -4,10 +4,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: default
 resources:
- - ./backups
 - ./helmrelease.yaml
 - ./prometheusrule.yaml
+ - ./volsync.yaml
 - ./volume.yaml
 patchesStrategicMerge:
- - ./patches/env.yaml
 - ./patches/exporter.yaml
diff --git a/kubernetes/apps/default/zigbee2mqtt/app/patches/env.yaml b/kubernetes/apps/default/zigbee2mqtt/app/patches/env.yaml
deleted file mode 100644
index c7dd22a29..000000000
--- a/kubernetes/apps/default/zigbee2mqtt/app/patches/env.yaml
+++ /dev/null
@@ -1,50 +0,0 @@
----
-# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helm.toolkit.fluxcd.io/helmrelease_v2beta1.json
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
-kind: HelmRelease
-metadata:
- name: zigbee2mqtt
- namespace: default
-spec:
- values:
- env:
- TZ: "${TIMEZONE}"
- ZIGBEE2MQTT_DATA: /data
- ZIGBEE2MQTT_CONFIG_ADVANCED_HOMEASSISTANT_DISCOVERY_TOPIC: homeassistant
- ZIGBEE2MQTT_CONFIG_ADVANCED_HOMEASSISTANT_LEGACY_ENTITY_ATTRIBUTES: "true"
- ZIGBEE2MQTT_CONFIG_ADVANCED_HOMEASSISTANT_LEGACY_TRIGGERS: "true"
- ZIGBEE2MQTT_CONFIG_ADVANCED_HOMEASSISTANT_STATUS_TOPIC: homeassistant/status
- ZIGBEE2MQTT_CONFIG_ADVANCED_LAST_SEEN: ISO_8601
- ZIGBEE2MQTT_CONFIG_ADVANCED_LEGACY_API: "false"
- ZIGBEE2MQTT_CONFIG_ADVANCED_LEGACY_AVAILABILITY_PAYLOAD: "false"
- ZIGBEE2MQTT_CONFIG_ADVANCED_LOG_LEVEL: warn
- ZIGBEE2MQTT_CONFIG_ADVANCED_LOG_OUTPUT: '["console"]'
- ZIGBEE2MQTT_CONFIG_ADVANCED_NETWORK_KEY: "[204, 61, 75, 23, 44, 230, 24, 203, 53, 5, 248, 32, 50, 84, 44, 159]"
- ZIGBEE2MQTT_CONFIG_AVAILABILITY_ACTIVE_TIMEOUT: 60
- ZIGBEE2MQTT_CONFIG_AVAILABILITY_PASSIVE_TIMEOUT: 2000
- ZIGBEE2MQTT_CONFIG_DEVICE_OPTIONS_LEGACY: "false"
- ZIGBEE2MQTT_CONFIG_DEVICE_OPTIONS_RETAIN: "true"
- ZIGBEE2MQTT_CONFIG_EXPERIMENTAL_NEW_API: "true"
- ZIGBEE2MQTT_CONFIG_FRONTEND_PORT: 8080
- ZIGBEE2MQTT_CONFIG_FRONTEND_URL: "https://zigbee.${SECRET_CLUSTER_DOMAIN}"
- ZIGBEE2MQTT_CONFIG_HOMEASSISTANT: "true"
- ZIGBEE2MQTT_CONFIG_MQTT_INCLUDE_DEVICE_INFORMATION: "true"
- ZIGBEE2MQTT_CONFIG_MQTT_KEEPALIVE: 60
- ZIGBEE2MQTT_CONFIG_MQTT_REJECT_UNAUTHORIZED: "true"
- ZIGBEE2MQTT_CONFIG_MQTT_SERVER: "mqtt://emqx.default.svc.cluster.local."
- ZIGBEE2MQTT_CONFIG_MQTT_VERSION: 5
- ZIGBEE2MQTT_CONFIG_MQTT_USER:
- valueFrom:
- secretKeyRef:
- name: emqx-config
- key: user_1_username
- ZIGBEE2MQTT_CONFIG_MQTT_PASSWORD:
- valueFrom:
- secretKeyRef:
- name: emqx-config
- key: user_1_password
- ZIGBEE2MQTT_CONFIG_PERMIT_JOIN: "false"
- ZIGBEE2MQTT_CONFIG_SERIAL_PORT: /dev/serial/by-id/usb-1a86_USB_Serial-if00-port0
-
- # ZIGBEE2MQTT_CONFIG_DEVICES: devices.yaml
- # ZIGBEE2MQTT_CONFIG_GROUPS: groups.yaml
diff --git a/kubernetes/apps/default/zigbee2mqtt/app/volsync.yaml b/kubernetes/apps/default/zigbee2mqtt/app/volsync.yaml
new file mode 100644
index 000000000..db74044ec
--- /dev/null
+++ b/kubernetes/apps/default/zigbee2mqtt/app/volsync.yaml
@@ -0,0 +1,45 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: zigbee2mqtt-restic
+ namespace: default
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword-connect
+ target:
+ name: zigbee2mqtt-restic-secret
+ creationPolicy: Owner
+ template:
+ engineVersion: v2
+ data:
+ RESTIC_REPOSITORY: '{{ .REPOSITORY_TEMPLATE }}/zigbee2mqtt'
+ RESTIC_PASSWORD: '{{ .RESTIC_PASSWORD }}'
+ AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}'
+ AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}'
+ dataFrom:
+ - extract:
+ key: volsync-restic-template
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/volsync.backube/replicationsource_v1alpha1.json
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+ name: zigbee2mqtt
+ namespace: default
+spec:
+ sourcePVC: zigbee2mqtt-images
+ trigger:
+ schedule: "0 7 * * *"
+ restic:
+ copyMethod: Snapshot
+ pruneIntervalDays: 7
+ repository: zigbee2mqtt-restic-secret
+ cacheCapacity: 10Gi
+ volumeSnapshotClassName: csi-ceph-blockpool
+ storageClassName: rook-ceph-block
+ retain:
+ daily: 7
+ within: 3d
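Review bot: `sourcePVC: zigbee2mqtt-images` replaces the `zigbee2mqtt-config` that the removed ReplicationSource (L79) backed up, and the zwave-js-ui file on L90 makes the same switch from `zwavejs2mqtt-config` to `zwavejs2mqtt-images`; if the `*-config` PVCs still exist and hold the coordinator database and configuration, they stop being backed up with this commit. If the PVC was renamed in volume.yaml (not in this diff), a comment on the field such as `# PVC renamed from zigbee2mqtt-config; repository path unchanged` would keep the next reader from reading it as a dropped backup. Snapshots of the new PVC will land in the `/zigbee2mqtt` repository path, which, if the old encrypted RESTIC_REPOSITORY pointed to the same place, mixes two PVCs' histories in one repository and makes restore snapshot selection a manual step.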
diff --git a/kubernetes/apps/default/zwave-js-ui/app/backups/kustomization.yaml b/kubernetes/apps/default/zwave-js-ui/app/backups/kustomization.yaml
deleted file mode 100644
index 57bca902d..000000000
--- a/kubernetes/apps/default/zwave-js-ui/app/backups/kustomization.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-# yaml-language-server: $schema=https://json.schemastore.org/kustomization
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - ./replicationsource.yaml
- - ./restic.sops.yaml
diff --git a/kubernetes/apps/default/zwave-js-ui/app/backups/replicationsource.yaml b/kubernetes/apps/default/zwave-js-ui/app/backups/replicationsource.yaml
deleted file mode 100644
index d351d7c1a..000000000
--- a/kubernetes/apps/default/zwave-js-ui/app/backups/replicationsource.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/replicationsource_v1alpha1.json
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
- name: zwave-js-ui
- namespace: default
-spec:
- sourcePVC: zwavejs2mqtt-config
- trigger:
- schedule: "0 0 * * *"
- restic:
- copyMethod: Snapshot
- pruneIntervalDays: 10
- repository: zwave-js-ui-restic
- cacheCapacity: 2Gi
- volumeSnapshotClassName: csi-ceph-blockpool
- storageClassName: rook-ceph-block
- retain:
- daily: 10
- within: 3d
diff --git a/kubernetes/apps/default/zwave-js-ui/app/backups/restic.sops.yaml b/kubernetes/apps/default/zwave-js-ui/app/backups/restic.sops.yaml
deleted file mode 100644
index 51e24d09b..000000000
--- a/kubernetes/apps/default/zwave-js-ui/app/backups/restic.sops.yaml
+++ /dev/null
@@ -1,35 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: zwave-js-ui-restic - namespace: default -type: Opaque -stringData: - #ENC[AES256_GCM,data:WTM0Lkqp+sxjbUgkNzAVZQnC5g==,iv:4y8R8GpLy2Ogh3Lt3v6ibVbJF7jy8K1BOGi+ONt7S5c=,tag:wRhEBfRNHp0PBvIjM60iSA==,type:comment] - RESTIC_REPOSITORY: ENC[AES256_GCM,data:ELPM2Nznsjcgg5OttvaL05NZ6t1hgPWeCsH0aHBKJdGdFoSMPozODIs/U5bOLy/1otuZafN+e3iST3oK+Q==,iv:+Rcx/CS0JakDUgqck2uUd9mjUNwvsoWK1hrr7l3X9Pc=,tag:b5FymjZch032ztFmghABNw==,type:str] - #ENC[AES256_GCM,data:cRvGVeuDnEbJs01G+Und5ls1EgaC9Q2vj61IE/2R,iv:qSjv4bGEX9QWABhXgnCJsoj0p1kjgYaQwQX0Oyu9RHk=,tag:x8i1WXbAvdpC+Iv8pn/drw==,type:comment] - RESTIC_PASSWORD: ENC[AES256_GCM,data:6VI/lJQFZg6hu5r0SqNAKQAQGYY=,iv:UYRMnkHB4jsXcV1tyLDTAqh6dxsd18hYWsDoSpjJarA=,tag:d6hgK6LSgu7vZbLfquKcyA==,type:str] - #ENC[AES256_GCM,data:YIIHR5DwXv3YE9fFvNSAfrm47ZsshZMcY31LbaJ4gwXo0yOOHe6qDEc=,iv:axSMsvrIOkJFlErvw9fcAwLNSEWDh6mUU6dWZu6icIo=,tag:MDNlk43vcI9S4o6tMiWVmw==,type:comment] - #ENC[AES256_GCM,data:8Wspw6gPIPBsumfRS/5dlZrAQQqBJEDMgcpip4a3HCfHq8SeVDv4Gl0j3hyZqUsP5af8nN69Y/9bas7z1hnIERkrb8DqYg==,iv:WqCz9vBfg1JxUEpd97J37YztSW3HkcOHa6nIJI4VK8I=,tag:+LxnOzGidF39ojPKSOrVsg==,type:comment] - AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:I9vuuPEGS6A135zwKUNXvSIAjwk=,iv:dByy2WuuhO6OluWXYRwkdMutK33yKwOcWkR9hvY5bsg=,tag:xHU7Hbx+sxuZ9CRymA55JQ==,type:str] - AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kRdbENGS1F32JzkvktYkbfhMGBSrUpFSfyCdIpJwLOc+/2TyHAMrxA==,iv:Q+UKNT9aRo+A0KWu/FiST/4bOQKTOBJKHhpP8JXD3ao=,tag:7VE8lx2QAdNutcUj5kMNNA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RE9wTDZVRlExcnVKYjVZ - THNtblNXbGlSUitoS0FYV2k3dlg3aWZEMWxjCmZETUFGSnR0c3JZU2FHNnFneHdB - TEdlYjJTcjNsSDQ0dmgvNWlnNWo4TWMKLS0tIGR2Q25heThUUGliY0ZicDNra1FN - dGppaVJiME1FQnkzdVJOeTZMcjhYWE0KBrGQAYun1Zs3oyHWQ8iGvmF4hheP3md4 - 
3/Lc9CqEC+V1lT9On8ivEBethjt528vCyVMM5pLMRBEO6CMjlNhJ+g== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-12-28T07:07:32Z" - mac: ENC[AES256_GCM,data:2KNyrzuE7T3pEL4ODA7EL2SvtobXNMMw490zlX4/HvzPTwSMAlq1Vl4wT2mOCs0F03O9D5zBrfH5oVPZzRhWWrKju36LZ+wTl1q5m1QNK/R7d1DsjwAR4T4x9PkRIGRwxlcRgaok+4+MiOITpF39UBQeIxursfSlzE0zMpZ+FQ8=,iv:msLmdNkotwAXv8trhNdFeCKL9FrpHb+nPVb6NZnFM1Q=,tag:tPlJA7StXoZkivMM3jF8fg==,type:str] - pgp: [] - encrypted_regex: ^(data|stringData)$ - version: 3.7.3 diff --git a/kubernetes/apps/default/zwave-js-ui/app/kustomization.yaml b/kubernetes/apps/default/zwave-js-ui/app/kustomization.yaml index b71b75551..39fd93644 100644 --- a/kubernetes/apps/default/zwave-js-ui/app/kustomization.yaml +++ b/kubernetes/apps/default/zwave-js-ui/app/kustomization.yaml @@ -4,6 +4,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namespace: default resources: - - ./backups - ./helmrelease.yaml + - ./volsync.yaml - ./volume.yaml diff --git a/kubernetes/apps/default/zwave-js-ui/app/volsync.yaml b/kubernetes/apps/default/zwave-js-ui/app/volsync.yaml new file mode 100644 index 000000000..3fdb4053f --- /dev/null +++ b/kubernetes/apps/default/zwave-js-ui/app/volsync.yaml 
@@ -0,0 +1,45 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: zwavejs2mqtt-restic
+ namespace: default
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword-connect
+ target:
+ name: zwavejs2mqtt-restic-secret
+ creationPolicy: Owner
+ template:
+ engineVersion: v2
+ data:
+ RESTIC_REPOSITORY: '{{ .REPOSITORY_TEMPLATE }}/zwavejs2mqtt'
+ RESTIC_PASSWORD: '{{ .RESTIC_PASSWORD }}'
+ AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}'
+ AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}'
+ dataFrom:
+ - extract:
+ key: volsync-restic-template
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/volsync.backube/replicationsource_v1alpha1.json
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+ name: zwavejs2mqtt
+ namespace: default
+spec:
+ sourcePVC: zwavejs2mqtt-images
+ trigger:
+ schedule: "0 7 * * *"
+ restic:
+ copyMethod: Snapshot
+ pruneIntervalDays: 7
+ repository: zwavejs2mqtt-restic-secret
+ cacheCapacity: 10Gi
+ volumeSnapshotClassName: csi-ceph-blockpool
+ storageClassName: rook-ceph-block
+ retain:
+ daily: 7
+ within: 3d
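Review bot: The ExternalSecret, ReplicationSource and restic path are all named `zwavejs2mqtt*` although the app directory and the removed resources (L87) use `zwave-js-ui`; the `zwavejs2mqtt-images` PVC suggests the old product name is kept deliberately for the volume, but a comment above `metadata`, such as `# names follow the zwavejs2mqtt PVC rather than the app directory`, would make that explicit instead of reading as a typo. All three new ReplicationSources in this commit (L78, L86, here) also fire at `schedule: "0 7 * * *"`; staggering them by a few minutes keeps the snapshot and restic movers from contending for the same storage window.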