diff --git a/gitops/core/apps/genmachine/storage/kopia.yaml b/gitops/core/apps/genmachine/storage/kopia.yaml
new file mode 100644
index 000000000..b36b42317
--- /dev/null
+++ b/gitops/core/apps/genmachine/storage/kopia.yaml
@@ -0,0 +1,64 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+ name: kopia
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/manifest-generate-paths: .;../common
+spec:
+ goTemplate: true
+ generators:
+ - git:
+ repoURL: 'https://github.com/ixxeL-DevOps/fullstack.git'
+ revision: main
+ directories:
+ - path: 'gitops/manifests/kopia/*'
+ exclude: false
+ - path: 'gitops/manifests/kopia/common'
+ exclude: true
+ - path: 'gitops/manifests/kopia/beelink'
+ exclude: true
+ - path: 'gitops/manifests/kopia/k0s'
+ exclude: true
+ template:
+ metadata:
+ name: 'kopia-{{ .path.basenameNormalized }}'
+ annotations:
+ argocd.argoproj.io/manifest-generate-paths: .;../common
+ spec:
+ project: infra-storage
+ destination:
+ name: '{{ .path.basenameNormalized }}'
+ namespace: kopia
+ sources:
+ - path: 'gitops/manifests/kopia/{{ .path.basenameNormalized }}'
+ repoURL: https://github.com/ixxeL-DevOps/fullstack.git
+ targetRevision: main
+ helm:
+ releaseName: kopia
+ valueFiles:
+ - $values/gitops/manifests/kopia/common/common-values.yaml
+ - $values/gitops/manifests/kopia/{{ .path.basenameNormalized }}/{{ .path.basenameNormalized }}-values.yaml
+ ignoreMissingValueFiles: true
+ - repoURL: https://github.com/ixxeL-DevOps/fullstack.git
+ targetRevision: main
+ ref: values
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - Validate=true
+ - PruneLast=true
+ - RespectIgnoreDifferences=true
+ - Replace=false
+ - ApplyOutOfSyncOnly=true
+ - CreateNamespace=true
+ - ServerSideApply=true
+ retry:
+ limit: 6
+ backoff:
+ duration: 10s
+ factor: 2
+ maxDuration: 3m
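Review bot: `ignoreMissingValueFiles: true` on the helm source means a missing or misnamed `<cluster>-values.yaml` is silently skipped and the release renders from `common-values.yaml` alone, which this commit adds as an empty document, so a typo in the per-cluster filename would deploy Kopia with no values at all and Argo would report a healthy sync. Keeping the flag is fine while the per-cluster file is optional, but the expectation should be written down next to the `valueFiles` list, e.g. `# common-values.yaml is currently empty: each cluster must supply <cluster>-values.yaml; ignoreMissingValueFiles hides a missing one`. The explicit `beelink` and `k0s` excludes are redundant with the fact that only `genmachine` exists under `gitops/manifests/kopia/` in this commit, which is presumably deliberate for future clusters and could use a one-line comment too.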
diff --git a/gitops/manifests/adguard/genmachine/templates/volsync-backup.yaml b/gitops/manifests/adguard/genmachine/templates/volsync-backup.yaml
index 32df0430f..6df781d9e 100644
--- a/gitops/manifests/adguard/genmachine/templates/volsync-backup.yaml
+++ b/gitops/manifests/adguard/genmachine/templates/volsync-backup.yaml
@@ -1,6 +1,72 @@
 ---
 apiVersion: volsync.backube/v1alpha1
 kind: ReplicationSource
+metadata:
+ name: backup-kopia-adguard
+spec:
+ sourcePVC: pvc-adguard-data
+ trigger:
+ schedule: "0 4 * * 3" # On wednesday every week at 04:00 AM
+ kopia:
+ repository: kopia-config
+ pruneIntervalDays: 7
+ retain:
+ hourly: 1
+ daily: 1
+ weekly: 4
+ monthly: 4
+ yearly: 1
+ within: 24h
+ copyMethod: Direct
+ storageClassName: nfs-csi-delete
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: kopia-config
+spec:
+ refreshInterval: 1h
+ secretStoreRef:
+ name: admin
+ kind: ClusterSecretStore
+ target:
+ name: kopia-config
+ creationPolicy: Owner
+ deletionPolicy: Retain
+ template:
+ engineVersion: v2
+ data:
+ KOPIA_PASSWORD: '{{ "{{" }}.kopia_password{{ "}}" }}'
+ AWS_ACCESS_KEY_ID: '{{ "{{" }}.minio_user{{ "}}" }}'
+ AWS_SECRET_ACCESS_KEY: '{{ "{{" }}.minio_password{{ "}}" }}'
+ KOPIA_S3_BUCKET: "kopia"
+ KOPIA_S3_ENDPOINT: "minio-api.talos-genmachine.fredcorp.com"
+ KOPIA_OBJECT_PREFIX: "volsync/adguard/genmachine/"
+ data:
+ - secretKey: kopia_password
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ metadataPolicy: None
+ key: kopia/repo/minio-backup
+ property: password
+ - secretKey: minio_user
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ metadataPolicy: None
+ key: minio/creds/admin
+ property: user
+ - secretKey: minio_password
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ metadataPolicy: None
+ key: minio/creds/admin
+ property: password
+---
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
 metadata:
 name: backup-adguard
 spec:
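Review bot: The `kopia-config` ExternalSecret gives the backup mover in the adguard namespace the MinIO `minio/creds/admin` user and password as `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY`; this commit copies the same admin credential into the authentik, homarr, vault and wireguard namespaces and into `kopia-creds` in the kopia namespace, so any one of those workloads, or any principal able to read Secrets in any of those namespaces, holds full MinIO admin rights rather than write access to one bucket. A dedicated MinIO user or service account whose policy is limited to the `kopia` (and `restic`) bucket would contain the blast radius, and the three `remoteRef.key: minio/creds/admin` entries would point at that Vault path instead. It would also help to state inline that `kopia/repo/minio-backup` is the repository encryption password, e.g. `# kopia_password is the repository encryption key: keep an out-of-band copy, the repo cannot be opened without it`. The same note applies to the authentik, homarr, vault and wireguard hunks and to templates/extsecrets.yaml.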
diff --git a/gitops/manifests/authentik/genmachine/app/templates/volsync-backup.yaml b/gitops/manifests/authentik/genmachine/app/templates/volsync-backup.yaml
index 3f4f50db2..0d11691a3 100644
--- a/gitops/manifests/authentik/genmachine/app/templates/volsync-backup.yaml
+++ b/gitops/manifests/authentik/genmachine/app/templates/volsync-backup.yaml
@@ -1,6 +1,72 @@
 ---
 apiVersion: volsync.backube/v1alpha1
 kind: ReplicationSource
+metadata:
+ name: backup-kopia-authentik-pgsql
+spec:
+ sourcePVC: pvc-authentik-pgsql-data
+ trigger:
+ schedule: "0 4 * * 1,4" # On monday and thursday every week at 04:00 AM
+ kopia:
+ repository: kopia-config
+ pruneIntervalDays: 7
+ retain:
+ hourly: 2
+ daily: 2
+ weekly: 4
+ monthly: 4
+ yearly: 1
+ within: 24h
+ copyMethod: Direct
+ storageClassName: nfs-csi-delete
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: kopia-config
+spec:
+ refreshInterval: 1h
+ secretStoreRef:
+ name: admin
+ kind: ClusterSecretStore
+ target:
+ name: kopia-config
+ creationPolicy: Owner
+ deletionPolicy: Retain
+ template:
+ engineVersion: v2
+ data:
+ KOPIA_PASSWORD: '{{ "{{" }}.kopia_password{{ "}}" }}'
+ AWS_ACCESS_KEY_ID: '{{ "{{" }}.minio_user{{ "}}" }}'
+ AWS_SECRET_ACCESS_KEY: '{{ "{{" }}.minio_password{{ "}}" }}'
+ KOPIA_S3_BUCKET: "kopia"
+ KOPIA_S3_ENDPOINT: "minio-api.talos-genmachine.fredcorp.com"
+ KOPIA_OBJECT_PREFIX: "volsync/authentik/genmachine/"
+ data:
+ - secretKey: kopia_password
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ metadataPolicy: None
+ key: kopia/repo/minio-backup
+ property: password
+ - secretKey: minio_user
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ metadataPolicy: None
+ key: minio/creds/admin
+ property: user
+ - secretKey: minio_password
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ metadataPolicy: None
+ key: minio/creds/admin
+ property: password
+---
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
 metadata:
 name: backup-authentik-pgsql
 spec:
diff --git a/gitops/manifests/cilium/genmachine/genmachine-values.yaml b/gitops/manifests/cilium/genmachine/genmachine-values.yaml
index e0a100d6d..377e19ecb 100644
--- a/gitops/manifests/cilium/genmachine/genmachine-values.yaml
+++ b/gitops/manifests/cilium/genmachine/genmachine-values.yaml
@@ -47,6 +47,8 @@ cilium:
 routingMode: native
 autoDirectNodeRoutes: true
+ # Doit correspondre au podSubnets du cluster Talos (cluster.network.podSubnets).
+ # Indique à Cilium le CIDR des pods pour éviter le SNAT du trafic inter-pod en mode native routing.
 ipv4NativeRoutingCIDR: "10.244.0.0/16"
 enableIPv4BIGTCP: true
diff --git a/gitops/manifests/homarr/genmachine/templates/backup-pvc.yaml b/gitops/manifests/homarr/genmachine/templates/backup-pvc.yaml
index 22bc16ddc..78998bedd 100644
--- a/gitops/manifests/homarr/genmachine/templates/backup-pvc.yaml
+++ b/gitops/manifests/homarr/genmachine/templates/backup-pvc.yaml
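Review bot: The two comment lines added above `ipv4NativeRoutingCIDR` are in French while every other comment this commit adds (the `init-repo` note in kopia's genmachine-values.yaml, the Vault-path header in extsecrets.yaml) is in English; mixing languages in one repository makes the files harder to grep and review. Suggested replacement: `# Must match the Talos cluster's pod CIDR (cluster.network.podSubnets).` and `# Tells Cilium the pod CIDR so inter-pod traffic is not SNATed in native routing mode.`. The enclosing `cilium:` mapping starts and ends outside the hunk.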
@@ -1,6 +1,69 @@
 ---
 apiVersion: volsync.backube/v1alpha1
 kind: ReplicationSource
+metadata:
+ name: rs-kopia-homarr-db
+spec:
+ sourcePVC: homarr-database
+ trigger:
+ schedule: "0 3 * * *"
+ kopia:
+ repository: kopia-config
+ pruneIntervalDays: 7
+ retain:
+ daily: 7
+ weekly: 3
+ monthly: 2
+ copyMethod: Direct
+ storageClassName: nfs-csi-delete
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: kopia-config
+spec:
+ refreshInterval: 1h
+ secretStoreRef:
+ name: admin
+ kind: ClusterSecretStore
+ target:
+ name: kopia-config
+ creationPolicy: Owner
+ deletionPolicy: Retain
+ template:
+ engineVersion: v2
+ data:
+ KOPIA_PASSWORD: '{{ "{{" }}.kopia_password{{ "}}" }}'
+ AWS_ACCESS_KEY_ID: '{{ "{{" }}.minio_user{{ "}}" }}'
+ AWS_SECRET_ACCESS_KEY: '{{ "{{" }}.minio_password{{ "}}" }}'
+ KOPIA_S3_BUCKET: "kopia"
+ KOPIA_S3_ENDPOINT: "minio-api.talos-genmachine.fredcorp.com"
+ KOPIA_OBJECT_PREFIX: "homarr/genmachine-pvc/"
+ data:
+ - secretKey: kopia_password
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ metadataPolicy: None
+ key: kopia/repo/minio-backup
+ property: password
+ - secretKey: minio_user
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ metadataPolicy: None
+ key: minio/creds/admin
+ property: user
+ - secretKey: minio_password
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ metadataPolicy: None
+ key: minio/creds/admin
+ property: password
+---
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
 metadata:
 name: rs-homarr-db
 spec:
diff --git a/gitops/manifests/kopia/common/common-values.yaml b/gitops/manifests/kopia/common/common-values.yaml
new file mode 100644
index 000000000..ed97d539c
--- /dev/null
+++ b/gitops/manifests/kopia/common/common-values.yaml
@@ -0,0 +1 @@
+---
diff --git a/gitops/manifests/kopia/genmachine/Chart.yaml b/gitops/manifests/kopia/genmachine/Chart.yaml
new file mode 100644
index 000000000..71491fd43
--- /dev/null
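Review bot: `KOPIA_OBJECT_PREFIX: "homarr/genmachine-pvc/"` breaks the `volsync/<app>/genmachine/` layout that the adguard, authentik, vault and wireguard ExternalSecrets in this commit all use, so homarr's snapshots land at the bucket root beside the `volsync/` tree and the prefix no longer names the cluster/app pair the way the others do; suggested: `KOPIA_OBJECT_PREFIX: "volsync/homarr/genmachine/"`. The homarr retention also differs from the other four sources (`daily: 7`, `weekly: 3`, `monthly: 2`, no `hourly`/`yearly`/`within`); if that is intentional a one-line comment on `retain:` saying why (e.g. a small SQLite database that changes daily) would stop the next reader from "fixing" it.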
+++ b/gitops/manifests/kopia/genmachine/Chart.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: v2
+name: kopia
+version: 1.0.0
+dependencies:
+ - name: app-template
+ version: 4.6.2
+ repository: https://bjw-s-labs.github.io/helm-charts
diff --git a/gitops/manifests/kopia/genmachine/genmachine-values.yaml b/gitops/manifests/kopia/genmachine/genmachine-values.yaml
new file mode 100644
index 000000000..96267eac6
--- /dev/null
+++ b/gitops/manifests/kopia/genmachine/genmachine-values.yaml
@@ -0,0 +1,106 @@
+---
+app-template:
+ controllers:
+ kopia:
+ strategy: Recreate
+ initContainers:
+ # Connect to existing S3 repository or create it on first run
+ init-repo:
+ image:
+ repository: ghcr.io/thespad/kopia-server
+ tag: "0.22.3-spad59"
+ envFrom:
+ - secretRef:
+ name: kopia-creds
+ env:
+ KOPIA_CONFIG_PATH: /config/repository.config
+ KOPIA_CACHE_DIRECTORY: /cache
+ SSL_CERT_FILE: /certs/fredcorp-ca-chain.pem
+ command: ["/bin/sh", "-c"]
+ args:
+ - |
+ kopia repository connect s3 \
+ --bucket=kopia \
+ --endpoint=minio-api.talos-genmachine.fredcorp.com \
+ --no-check-for-updates \
+ --password="${KOPIA_PASSWORD}" 2>/dev/null \
+ || \
+ kopia repository create s3 \
+ --bucket=kopia \
+ --endpoint=minio-api.talos-genmachine.fredcorp.com \
+ --no-check-for-updates \
+ --password="${KOPIA_PASSWORD}"
+
+ containers:
+ app:
+ image:
+ repository: ghcr.io/thespad/kopia-server
+ tag: "0.22.3-spad59"
+ envFrom:
+ - secretRef:
+ name: kopia-creds
+ env:
+ KOPIA_CONFIG_PATH: /config/repository.config
+ KOPIA_CACHE_DIRECTORY: /cache
+ SSL_CERT_FILE: /certs/fredcorp-ca-chain.pem
+ probes:
+ liveness:
+ enabled: true
+ custom: true
+ spec:
+ httpGet:
+ path: /api/v1/repo/status
+ port: 51515
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ readiness:
+ enabled: true
+ custom: true
+ spec:
+ httpGet:
+ path: /api/v1/repo/status
+ port: 51515
+ initialDelaySeconds: 10
+ periodSeconds: 10
+
+ service:
+ app:
+ controller: kopia
+ ports:
+ http:
+ port: 51515
+
+ ingress:
+ app:
+ className: traefik
+ annotations:
+ cert-manager.io/cluster-issuer: fredcorp-ca
+ cert-manager.io/common-name: kopia.talos-genmachine.fredcorp.com
+ traefik.ingress.kubernetes.io/router.entrypoints: websecure
+ hosts:
+ - host: kopia.talos-genmachine.fredcorp.com
+ paths:
+ - path: /
+ service:
+ identifier: app
+ port: http
+ tls:
+ - secretName: kopia-tls-cert
+ hosts:
+ - kopia.talos-genmachine.fredcorp.com
+
+ persistence:
+ config:
+ type: emptyDir
+ globalMounts:
+ - path: /config
+ cache:
+ existingClaim: pvc-kopia
+ globalMounts:
+ - path: /cache
+ ca-cert:
+ type: secret
+ name: fredcorp-ca-chain
+ globalMounts:
+ - path: /certs
+ readOnly: true
diff --git a/gitops/manifests/kopia/genmachine/templates/extsecrets.yaml b/gitops/manifests/kopia/genmachine/templates/extsecrets.yaml
new file mode 100644
index 000000000..a6f0f2bcb
--- /dev/null
+++ b/gitops/manifests/kopia/genmachine/templates/extsecrets.yaml
@@ -0,0 +1,56 @@
+---
+# kopia-creds: repository encryption password + S3 credentials + server UI password
+# Vault paths to provision:
+# kopia/repo/minio-backup → password (repository encryption key)
+# kopia/server → password (Kopia server UI admin password)
+# minio/creds/admin → user, password (shared with restic)
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: kopia-creds
+spec:
+ refreshInterval: 1h
+ secretStoreRef:
+ name: admin
+ kind: ClusterSecretStore
+ target:
+ name: kopia-creds
+ creationPolicy: Owner
+ deletionPolicy: Retain
+ template:
+ engineVersion: v2
+ data:
+ KOPIA_PASSWORD: '{{ "{{" }}.kopia_password{{ "}}" }}'
+ AWS_ACCESS_KEY_ID: '{{ "{{" }}.minio_user{{ "}}" }}'
+ AWS_SECRET_ACCESS_KEY: '{{ "{{" }}.minio_password{{ "}}" }}'
+ KOPIA_UI_USERNAME: "admin"
+ KOPIA_UI_PASSWORD: '{{ "{{" }}.server_password{{ "}}" }}'
+ data:
+ - secretKey: kopia_password
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ metadataPolicy: None
+ key: kopia/repo/minio-backup
+ property: password
+ - secretKey: minio_user
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ metadataPolicy: None
+ key: minio/creds/admin
+ property: user
+ - secretKey: minio_password
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ metadataPolicy: None
+ key: minio/creds/admin
+ property: password
+ - secretKey: server_password
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ metadataPolicy: None
+ key: kopia/server
+ property: password
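Review bot: Both `kopia repository connect` and `kopia repository create` in the `init-repo` args pass the repository password as `--password="${KOPIA_PASSWORD}"`, so the secret is expanded into the kopia process's argv, where anything that can list processes in the pod or on the node can read it; kopia reads `KOPIA_PASSWORD` from the environment, which `envFrom: kopia-creds` already injects, so both `--password=...` arguments can simply be removed. The `2>/dev/null` on the connect attempt also discards the only evidence of why connecting failed (wrong endpoint, untrusted CA, bad credential) before the script falls through to `create`; let stderr through so the init container log explains the fallback. Separately, the liveness and readiness probes GET `/api/v1/repo/status` without credentials while `kopia-creds` configures `KOPIA_UI_USERNAME`/`KOPIA_UI_PASSWORD`; if the server enforces that basic auth on the API the probe will see a 401 and the pod will never become ready, which is worth confirming against the image before relying on `custom: true` probes.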
diff --git a/gitops/manifests/kopia/genmachine/templates/pv.yaml b/gitops/manifests/kopia/genmachine/templates/pv.yaml
new file mode 100644
index 000000000..e80c59cb6
--- /dev/null
+++ b/gitops/manifests/kopia/genmachine/templates/pv.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: kopia
+spec:
+ capacity:
+ storage: {{ .Values.persistence.size }}
+ accessModes:
+ - ReadWriteOnce
+ csi:
+ driver: nfs.csi.k8s.io
+ volumeAttributes:
+ csi.storage.k8s.io/pv/name: kopia
+ csi.storage.k8s.io/pvc/name: pvc-kopia
+ server: {{ .Values.persistence.nfs.server }}
+ share: {{ .Values.persistence.nfs.share }}
+ subdir: {{ .Values.persistence.nfs.subdir }}
+ volumeHandle: {{ .Values.persistence.nfs.server }}#{{ trimPrefix "/" .Values.persistence.nfs.share }}#{{ .Values.persistence.nfs.subdir }}##
+ persistentVolumeReclaimPolicy: Retain
+ storageClassName: {{ .Values.persistence.storageClassName }}
+ mountOptions:
+ - nfsvers=4.1
+ - nolock
diff --git a/gitops/manifests/kopia/genmachine/templates/pvc.yaml b/gitops/manifests/kopia/genmachine/templates/pvc.yaml
new file mode 100644
index 000000000..5d33ba367
--- /dev/null
+++ b/gitops/manifests/kopia/genmachine/templates/pvc.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: pvc-kopia
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: {{ .Values.persistence.size }}
+ storageClassName: {{ .Values.persistence.storageClassName }}
+ volumeName: kopia
diff --git a/gitops/manifests/minio/genmachine/genmachine-values.yaml b/gitops/manifests/minio/genmachine/genmachine-values.yaml
index fda08cc69..2b6974996 100644
--- a/gitops/manifests/minio/genmachine/genmachine-values.yaml
+++ b/gitops/manifests/minio/genmachine/genmachine-values.yaml
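Review bot: `pv.yaml` (and `pvc.yaml` in the same way) renders `.Values.persistence.size`, `.Values.persistence.nfs.server`/`share`/`subdir` and `.Values.persistence.storageClassName`, but neither values file this commit adds defines a top-level `persistence` key: `common-values.yaml` is an empty document and `genmachine-values.yaml` contains only `app-template:`, and the new chart directory has no `values.yaml` in the diff, so unless those values come from somewhere not shown the template should fail to render with a nil-pointer error at `.Values.persistence.size` and the whole Application will stay OutOfSync. Add a `persistence:` block (size, storageClassName, nfs.server/share/subdir) to `genmachine-values.yaml` or ship defaults in a chart `values.yaml`. Also quote the templated scalars that are not numeric by contract, e.g. `server: "{{ .Values.persistence.nfs.server }}"` and `subdir: "{{ .Values.persistence.nfs.subdir }}"`, so an all-digit or empty value keeps its string type instead of becoming an int or null.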
@@ -71,6 +71,16 @@ minio:
 # set objectlocking for
 # bucket [true|false] NOTE: versioning is enabled by default if you use locking
 objectlocking: false
+ - name: kopia
+ policy: none
+ purge: false
+ versioning: false
+ objectlocking: false
+ - name: restic
+ policy: none
+ purge: false
+ versioning: false
+ objectlocking: false
 metrics:
 serviceMonitor:
diff --git a/gitops/manifests/vault/genmachine/templates/volsync-backup.yaml b/gitops/manifests/vault/genmachine/templates/volsync-backup.yaml
index 72fd9b2d1..ae0b470fe 100644
--- a/gitops/manifests/vault/genmachine/templates/volsync-backup.yaml
+++ b/gitops/manifests/vault/genmachine/templates/volsync-backup.yaml
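Review bot: The new `kopia` and `restic` buckets are created with `versioning: false` and `objectlocking: false`, so whoever holds the write credential (currently the MinIO admin user that this commit distributes to every backed-up namespace) can delete or overwrite the entire backup history with nothing to recover from, which defeats the purpose of a backup target if one of those workloads is ever compromised. `versioning: true` plus a lifecycle rule expiring noncurrent versions (kopia and restic maintenance legitimately rewrite and delete blobs, so versions will accumulate) gives a recovery window, and object locking with a retention period is the stronger option if the restore workflow tolerates it. If leaving both off is a deliberate storage trade-off, say so on each bucket, e.g. `# no versioning: backups are deletable by the write credential; accepted for now`. The enclosing `buckets:` list starts outside the hunk.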
@@ -1,6 +1,72 @@
 ---
 apiVersion: volsync.backube/v1alpha1
 kind: ReplicationSource
+metadata:
+ name: backup-kopia-vault
+spec:
+ sourcePVC: data-vault-0
+ trigger:
+ schedule: "0 1 * * 3" # On wednesday every week at 01:00 AM
+ kopia:
+ repository: kopia-config
+ pruneIntervalDays: 7
+ retain:
+ hourly: 2
+ daily: 2
+ weekly: 4
+ monthly: 4
+ yearly: 1
+ within: 24h
+ copyMethod: Direct
+ storageClassName: nfs-csi-delete
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: kopia-config
+spec:
+ refreshInterval: 1h
+ secretStoreRef:
+ name: admin
+ kind: ClusterSecretStore
+ target:
+ name: kopia-config
+ creationPolicy: Owner
+ deletionPolicy: Retain
+ template:
+ engineVersion: v2
+ data:
+ KOPIA_PASSWORD: '{{ "{{" }}.kopia_password{{ "}}" }}'
+ AWS_ACCESS_KEY_ID: '{{ "{{" }}.minio_user{{ "}}" }}'
+ AWS_SECRET_ACCESS_KEY: '{{ "{{" }}.minio_password{{ "}}" }}'
+ KOPIA_S3_BUCKET: "kopia"
+ KOPIA_S3_ENDPOINT: "minio-api.talos-genmachine.fredcorp.com"
+ KOPIA_OBJECT_PREFIX: "volsync/vault/genmachine/"
+ data:
+ - secretKey: kopia_password
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ metadataPolicy: None
+ key: kopia/repo/minio-backup
+ property: password
+ - secretKey: minio_user
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ metadataPolicy: None
+ key: minio/creds/admin
+ property: user
+ - secretKey: minio_password
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ metadataPolicy: None
+ key: minio/creds/admin
+ property: password
+---
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
 metadata:
 name: backup-vault
 spec:
diff --git a/gitops/manifests/wireguard/genmachine/templates/volsync-backup.yaml b/gitops/manifests/wireguard/genmachine/templates/volsync-backup.yaml
index 2b989a788..b13f4bacb 100644
--- a/gitops/manifests/wireguard/genmachine/templates/volsync-backup.yaml
+++ b/gitops/manifests/wireguard/genmachine/templates/volsync-backup.yaml
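Review bot: `backup-kopia-vault` copies `data-vault-0` with `copyMethod: Direct`, i.e. a file-level read of Vault's live Raft storage directory while the server is running, which is not guaranteed to be consistent and may not restore cleanly; if this mirrors what the existing `backup-vault` source already does, the new source inherits the same caveat. Vault's supported mechanism is `vault operator raft snapshot save`, whose output can then be backed up by the same mover, so at minimum the limitation should be stated on the source, e.g. `# Direct copy of a live Raft dir is best-effort only; prefer a 'vault operator raft snapshot' artifact for restores`. This note applies equally to the wireguard hunk insofar as it copies a live database PVC.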
@@ -1,6 +1,72 @@
 ---
 apiVersion: volsync.backube/v1alpha1
 kind: ReplicationSource
+metadata:
+ name: backup-kopia-wireguard
+spec:
+ sourcePVC: wireguard-wg-portal
+ trigger:
+ schedule: "0 1 * * 3" # On wednesday every week at 01:00 AM
+ kopia:
+ repository: kopia-config
+ pruneIntervalDays: 7
+ retain:
+ hourly: 2
+ daily: 2
+ weekly: 4
+ monthly: 4
+ yearly: 1
+ within: 24h
+ copyMethod: Direct
+ storageClassName: nfs-csi-delete
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: kopia-config
+spec:
+ refreshInterval: 1h
+ secretStoreRef:
+ name: admin
+ kind: ClusterSecretStore
+ target:
+ name: kopia-config
+ creationPolicy: Owner
+ deletionPolicy: Retain
+ template:
+ engineVersion: v2
+ data:
+ KOPIA_PASSWORD: '{{ "{{" }}.kopia_password{{ "}}" }}'
+ AWS_ACCESS_KEY_ID: '{{ "{{" }}.minio_user{{ "}}" }}'
+ AWS_SECRET_ACCESS_KEY: '{{ "{{" }}.minio_password{{ "}}" }}'
+ KOPIA_S3_BUCKET: "kopia"
+ KOPIA_S3_ENDPOINT: "minio-api.talos-genmachine.fredcorp.com"
+ KOPIA_OBJECT_PREFIX: "volsync/wireguard/genmachine/"
+ data:
+ - secretKey: kopia_password
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ metadataPolicy: None
+ key: kopia/repo/minio-backup
+ property: password
+ - secretKey: minio_user
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ metadataPolicy: None
+ key: minio/creds/admin
+ property: user
+ - secretKey: minio_password
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ metadataPolicy: None
+ key: minio/creds/admin
+ property: password
+---
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
 metadata:
 name: backup-wireguard
 spec: