From dae2483f9fcb22975b8efbfb7bbd0aea55ed8241 Mon Sep 17 00:00:00 2001 From: ixxeL2097 Date: Sun, 26 Apr 2026 23:17:01 +0200 Subject: [PATCH 1/3] feat(cilium/genmachine): switch to native routing, enable WireGuard and IPv4 BIG TCP - Switch routing-mode from VXLAN tunnel to native routing autoDirectNodeRoutes installs per-node pod CIDR routes automatically ipv4NativeRoutingCIDR scoped to 10.244.0.0/16 (genmachine pod CIDR) - Enable WireGuard pod-to-pod encryption (nodeEncryption disabled) - Enable IPv4 BIG TCP now compatible with native routing (vs tunnel) Co-Authored-By: Claude Sonnet 4.6 --- .../cilium/genmachine/genmachine-values.yaml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/gitops/manifests/cilium/genmachine/genmachine-values.yaml b/gitops/manifests/cilium/genmachine/genmachine-values.yaml index 04450b80c..e0a100d6d 100644 --- a/gitops/manifests/cilium/genmachine/genmachine-values.yaml +++ b/gitops/manifests/cilium/genmachine/genmachine-values.yaml @@ -45,6 +45,17 @@ cilium: envoy: enabled: false + routingMode: native + autoDirectNodeRoutes: true + ipv4NativeRoutingCIDR: "10.244.0.0/16" + + enableIPv4BIGTCP: true + + encryption: + enabled: true + type: wireguard + nodeEncryption: false + # Egress test egressGateway: enabled: true From 15c03e121c6aca213b3f06908d937a09ad40954d Mon Sep 17 00:00:00 2001 
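Review bot: `autoDirectNodeRoutes: true` in the new cilium block only installs pod-CIDR routes between nodes that share an L2 segment, and nothing in the hunk documents that constraint or the `nodeEncryption: false` trade-off. With `type: wireguard` and node encryption off, traffic from hostNetwork pods and node-originated traffic (kubelet, probes) stays in the clear on the now natively routed segment, which is a deliberate choice per the commit message but should be stated next to the key. Suggest `# requires all nodes on one L2 segment (no inter-subnet routes are installed)` above `autoDirectNodeRoutes` and `# pod-to-pod only; hostNetwork and node-originated traffic is not encrypted` above `nodeEncryption: false`. The enclosing `cilium:` map starts before the hunk.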
From: ixxeL2097 Date: Mon, 27 Apr 2026 22:11:18 +0200 Subject: [PATCH 2/3] feat(kopia): deploy Kopia server + UI and add parallel VolSync Kopia backups MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Add kopia and restic buckets to MinIO genmachine values - Create custom Helm chart for Kopia server (kopia/kopia image) with: - Init container to connect/create S3 repository on startup - Kopia server with UI exposed via Traefik ingress at kopia.talos-genmachine.fredcorp.com - NFS-backed PVC for cache (192.168.1.250:/volatile/kopia) - ExternalSecret pulling from Vault (kopia/repo/minio-backup, kopia/server, minio/creds/admin) - Custom CA (fredcorp-ca-chain) for MinIO TLS verification - Add ArgoCD ApplicationSet for kopia in infra-storage project - Add parallel Kopia ReplicationSource (VolSync) alongside existing restic sources for: wireguard, vault, adguard, homarr, authentik - Add comment on ipv4NativeRoutingCIDR in Cilium values Vault secrets to provision before deploy: kopia/repo/minio-backup → password kopia/server → password Co-Authored-By: Claude Sonnet 4.6 --- .../core/apps/genmachine/storage/kopia.yaml | 64 ++++++++++ .../genmachine/templates/volsync-backup.yaml | 66 ++++++++++ .../app/templates/volsync-backup.yaml | 66 ++++++++++ .../cilium/genmachine/genmachine-values.yaml | 2 + .../genmachine/templates/backup-pvc.yaml | 63 ++++++++++ .../manifests/kopia/common/common-values.yaml | 1 + gitops/manifests/kopia/genmachine/Chart.yaml | 4 + .../kopia/genmachine/genmachine-values.yaml | 28 +++++ .../genmachine/templates/deployment.yaml | 117 ++++++++++++++++++ .../genmachine/templates/extsecrets.yaml | 55 ++++++++ .../kopia/genmachine/templates/ingress.yaml | 24 ++++ .../kopia/genmachine/templates/pv.yaml | 24 ++++ .../kopia/genmachine/templates/pvc.yaml | 13 ++ .../kopia/genmachine/templates/service.yaml | 14 +++ .../minio/genmachine/genmachine-values.yaml | 10 ++ .../genmachine/templates/volsync-backup.yaml | 66 
++++++++++ .../genmachine/templates/volsync-backup.yaml | 66 ++++++++++ 17 files changed, 683 insertions(+) create mode 100644 gitops/core/apps/genmachine/storage/kopia.yaml create mode 100644 gitops/manifests/kopia/common/common-values.yaml create mode 100644 gitops/manifests/kopia/genmachine/Chart.yaml create mode 100644 gitops/manifests/kopia/genmachine/genmachine-values.yaml create mode 100644 gitops/manifests/kopia/genmachine/templates/deployment.yaml create mode 100644 gitops/manifests/kopia/genmachine/templates/extsecrets.yaml create mode 100644 gitops/manifests/kopia/genmachine/templates/ingress.yaml create mode 100644 gitops/manifests/kopia/genmachine/templates/pv.yaml create mode 100644 gitops/manifests/kopia/genmachine/templates/pvc.yaml create mode 100644 gitops/manifests/kopia/genmachine/templates/service.yaml diff --git a/gitops/core/apps/genmachine/storage/kopia.yaml b/gitops/core/apps/genmachine/storage/kopia.yaml new file mode 100644 index 000000000..b36b42317 --- /dev/null +++ b/gitops/core/apps/genmachine/storage/kopia.yaml 
@@ -0,0 +1,64 @@ +--- +apiVersion: argoproj.io/v1alpha1 +kind: ApplicationSet +metadata: + name: kopia + namespace: argocd + annotations: + argocd.argoproj.io/manifest-generate-paths: .;../common +spec: + goTemplate: true + generators: + - git: + repoURL: 'https://github.com/ixxeL-DevOps/fullstack.git' + revision: main + directories: + - path: 'gitops/manifests/kopia/*' + exclude: false + - path: 'gitops/manifests/kopia/common' + exclude: true + - path: 'gitops/manifests/kopia/beelink' + exclude: true + - path: 'gitops/manifests/kopia/k0s' + exclude: true + template: + metadata: + name: 'kopia-{{ .path.basenameNormalized }}' + annotations: + argocd.argoproj.io/manifest-generate-paths: .;../common + spec: + project: infra-storage + destination: + name: '{{ .path.basenameNormalized }}' + namespace: kopia + sources: + - path: 'gitops/manifests/kopia/{{ .path.basenameNormalized }}' + repoURL: https://github.com/ixxeL-DevOps/fullstack.git + targetRevision: main + helm: + releaseName: kopia + valueFiles: + - $values/gitops/manifests/kopia/common/common-values.yaml + - $values/gitops/manifests/kopia/{{ .path.basenameNormalized }}/{{ .path.basenameNormalized }}-values.yaml + ignoreMissingValueFiles: true + - repoURL: https://github.com/ixxeL-DevOps/fullstack.git + targetRevision: main + ref: values + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - Validate=true + - PruneLast=true + - RespectIgnoreDifferences=true + - Replace=false + - ApplyOutOfSyncOnly=true + - CreateNamespace=true + - ServerSideApply=true + retry: + limit: 6 + backoff: + duration: 10s + factor: 2 + maxDuration: 3m diff --git a/gitops/manifests/adguard/genmachine/templates/volsync-backup.yaml b/gitops/manifests/adguard/genmachine/templates/volsync-backup.yaml index 32df0430f..6df781d9e 100644 --- a/gitops/manifests/adguard/genmachine/templates/volsync-backup.yaml +++ b/gitops/manifests/adguard/genmachine/templates/volsync-backup.yaml 
@@ -1,6 +1,72 @@ --- apiVersion: volsync.backube/v1alpha1 kind: ReplicationSource +metadata: + name: backup-kopia-adguard +spec: + sourcePVC: pvc-adguard-data + trigger: + schedule: "0 4 * * 3" # On wednesday every week at 04:00 AM + kopia: + repository: kopia-config + pruneIntervalDays: 7 + retain: + hourly: 1 + daily: 1 + weekly: 4 + monthly: 4 + yearly: 1 + within: 24h + copyMethod: Direct + storageClassName: nfs-csi-delete +--- +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: kopia-config +spec: + refreshInterval: 1h + secretStoreRef: + name: admin + kind: ClusterSecretStore + target: + name: kopia-config + creationPolicy: Owner + deletionPolicy: Retain + template: + engineVersion: v2 + data: + KOPIA_PASSWORD: '{{ "{{" }}.kopia_password{{ "}}" }}' + AWS_ACCESS_KEY_ID: '{{ "{{" }}.minio_user{{ "}}" }}' + AWS_SECRET_ACCESS_KEY: '{{ "{{" }}.minio_password{{ "}}" }}' + KOPIA_S3_BUCKET: "kopia" + KOPIA_S3_ENDPOINT: "minio-api.talos-genmachine.fredcorp.com" + KOPIA_OBJECT_PREFIX: "volsync/adguard/genmachine/" + data: + - secretKey: kopia_password + remoteRef: + conversionStrategy: Default + decodingStrategy: None + metadataPolicy: None + key: kopia/repo/minio-backup + property: password + - secretKey: minio_user + remoteRef: + conversionStrategy: Default + decodingStrategy: None + metadataPolicy: None + key: minio/creds/admin + property: user + - secretKey: minio_password + remoteRef: + conversionStrategy: Default + decodingStrategy: None + metadataPolicy: None + key: minio/creds/admin + property: password +--- +apiVersion: volsync.backube/v1alpha1 +kind: ReplicationSource metadata: name: backup-adguard spec: diff --git a/gitops/manifests/authentik/genmachine/app/templates/volsync-backup.yaml b/gitops/manifests/authentik/genmachine/app/templates/volsync-backup.yaml index 3f4f50db2..0d11691a3 100644 --- a/gitops/manifests/authentik/genmachine/app/templates/volsync-backup.yaml 
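Review bot: The new `kopia-config` ExternalSecret copies the MinIO admin credentials (`minio/creds/admin`, `user` and `password`) into the adguard namespace as `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY`, so any principal able to read Secrets there obtains full MinIO admin rather than access to one backup prefix. The same pattern is repeated in the authentik, homarr, vault and wireguard volsync-backup hunks and in the kopia chart's `extsecrets.yaml`. A MinIO user whose policy is scoped to the `kopia` bucket, stored in Vault under a path of your choosing (placeholder: `key: minio/creds/<backup-user>` in each `remoteRef`), would limit the blast radius of a leaked backup secret to that bucket. The existing restic ExternalSecrets may already use the admin user the same way; if so, moving both movers to the scoped user is one change. The `backup-adguard` ReplicationSource at the end of the hunk continues outside it.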
+++ b/gitops/manifests/authentik/genmachine/app/templates/volsync-backup.yaml @@ -1,6 +1,72 @@ --- apiVersion: volsync.backube/v1alpha1 kind: ReplicationSource +metadata: + name: backup-kopia-authentik-pgsql +spec: + sourcePVC: pvc-authentik-pgsql-data + trigger: + schedule: "0 4 * * 1,4" # On monday and thursday every week at 04:00 AM + kopia: + repository: kopia-config + pruneIntervalDays: 7 + retain: + hourly: 2 + daily: 2 + weekly: 4 + monthly: 4 + yearly: 1 + within: 24h + copyMethod: Direct + storageClassName: nfs-csi-delete +--- +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: kopia-config +spec: + refreshInterval: 1h + secretStoreRef: + name: admin + kind: ClusterSecretStore + target: + name: kopia-config + creationPolicy: Owner + deletionPolicy: Retain + template: + engineVersion: v2 + data: + KOPIA_PASSWORD: '{{ "{{" }}.kopia_password{{ "}}" }}' + AWS_ACCESS_KEY_ID: '{{ "{{" }}.minio_user{{ "}}" }}' + AWS_SECRET_ACCESS_KEY: '{{ "{{" }}.minio_password{{ "}}" }}' + KOPIA_S3_BUCKET: "kopia" + KOPIA_S3_ENDPOINT: "minio-api.talos-genmachine.fredcorp.com" + KOPIA_OBJECT_PREFIX: "volsync/authentik/genmachine/" + data: + - secretKey: kopia_password + remoteRef: + conversionStrategy: Default + decodingStrategy: None + metadataPolicy: None + key: kopia/repo/minio-backup + property: password + - secretKey: minio_user + remoteRef: + conversionStrategy: Default + decodingStrategy: None + metadataPolicy: None + key: minio/creds/admin + property: user + - secretKey: minio_password + remoteRef: + conversionStrategy: Default + decodingStrategy: None + metadataPolicy: None + key: minio/creds/admin + property: password +--- +apiVersion: volsync.backube/v1alpha1 +kind: ReplicationSource metadata: name: backup-authentik-pgsql spec: diff --git a/gitops/manifests/cilium/genmachine/genmachine-values.yaml b/gitops/manifests/cilium/genmachine/genmachine-values.yaml index e0a100d6d..377e19ecb 100644 
--- a/gitops/manifests/cilium/genmachine/genmachine-values.yaml +++ b/gitops/manifests/cilium/genmachine/genmachine-values.yaml @@ -47,6 +47,8 @@ cilium: routingMode: native autoDirectNodeRoutes: true + # Doit correspondre au podSubnets du cluster Talos (cluster.network.podSubnets). + # Indique à Cilium le CIDR des pods pour éviter le SNAT du trafic inter-pod en mode native routing. ipv4NativeRoutingCIDR: "10.244.0.0/16" enableIPv4BIGTCP: true diff --git a/gitops/manifests/homarr/genmachine/templates/backup-pvc.yaml b/gitops/manifests/homarr/genmachine/templates/backup-pvc.yaml index 22bc16ddc..78998bedd 100644 --- a/gitops/manifests/homarr/genmachine/templates/backup-pvc.yaml +++ b/gitops/manifests/homarr/genmachine/templates/backup-pvc.yaml 
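Review bot: The two comment lines added above `ipv4NativeRoutingCIDR` are in French while the file's other comment (`# Egress test`) is in English; keep one language so the values file reads consistently. Suggested wording: `# Must match the Talos cluster pod subnet (cluster.network.podSubnets).` and `# Tells Cilium the pod CIDR so inter-pod traffic is not SNATed in native-routing mode.` The `cilium:` map containing these keys starts before the hunk.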
@@ -1,6 +1,69 @@ --- apiVersion: volsync.backube/v1alpha1 kind: ReplicationSource +metadata: + name: rs-kopia-homarr-db +spec: + sourcePVC: homarr-database + trigger: + schedule: "0 3 * * *" + kopia: + repository: kopia-config + pruneIntervalDays: 7 + retain: + daily: 7 + weekly: 3 + monthly: 2 + copyMethod: Direct + storageClassName: nfs-csi-delete +--- +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: kopia-config +spec: + refreshInterval: 1h + secretStoreRef: + name: admin + kind: ClusterSecretStore + target: + name: kopia-config + creationPolicy: Owner + deletionPolicy: Retain + template: + engineVersion: v2 + data: + KOPIA_PASSWORD: '{{ "{{" }}.kopia_password{{ "}}" }}' + AWS_ACCESS_KEY_ID: '{{ "{{" }}.minio_user{{ "}}" }}' + AWS_SECRET_ACCESS_KEY: '{{ "{{" }}.minio_password{{ "}}" }}' + KOPIA_S3_BUCKET: "kopia" + KOPIA_S3_ENDPOINT: "minio-api.talos-genmachine.fredcorp.com" + KOPIA_OBJECT_PREFIX: "homarr/genmachine-pvc/" + data: + - secretKey: kopia_password + remoteRef: + conversionStrategy: Default + decodingStrategy: None + metadataPolicy: None + key: kopia/repo/minio-backup + property: password + - secretKey: minio_user + remoteRef: + conversionStrategy: Default + decodingStrategy: None + metadataPolicy: None + key: minio/creds/admin + property: user + - secretKey: minio_password + remoteRef: + conversionStrategy: Default + decodingStrategy: None + metadataPolicy: None + key: minio/creds/admin + property: password +--- +apiVersion: volsync.backube/v1alpha1 +kind: ReplicationSource metadata: name: rs-homarr-db spec: diff --git a/gitops/manifests/kopia/common/common-values.yaml b/gitops/manifests/kopia/common/common-values.yaml new file mode 100644 index 000000000..ed97d539c --- /dev/null +++ b/gitops/manifests/kopia/common/common-values.yaml @@ -0,0 +1 @@ +--- diff --git a/gitops/manifests/kopia/genmachine/Chart.yaml b/gitops/manifests/kopia/genmachine/Chart.yaml new file mode 100644 index 000000000..0e8461e9a --- /dev/null 
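Review bot: `KOPIA_OBJECT_PREFIX: "homarr/genmachine-pvc/"` in the new `kopia-config` secret breaks the `volsync/<app>/genmachine/` prefix convention used by the adguard, authentik, vault and wireguard sources in this commit, so homarr snapshots land under a different top-level path in the `kopia` bucket. This may mirror an existing restic prefix for homarr, but if not, `KOPIA_OBJECT_PREFIX: "volsync/homarr/genmachine/"` keeps all VolSync repositories under one tree. The `rs-kopia-homarr-db` retention block also omits the `within`, `hourly` and `yearly` keys the other four sources set; worth confirming the shorter policy is intended rather than copied from the restic source. The existing `rs-homarr-db` source continues past the end of the hunk.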
+++ b/gitops/manifests/kopia/genmachine/Chart.yaml @@ -0,0 +1,4 @@ +--- +apiVersion: v2 +name: kopia +version: 1.0.0 diff --git a/gitops/manifests/kopia/genmachine/genmachine-values.yaml b/gitops/manifests/kopia/genmachine/genmachine-values.yaml new file mode 100644 index 000000000..594900a93 --- /dev/null +++ b/gitops/manifests/kopia/genmachine/genmachine-values.yaml @@ -0,0 +1,28 @@ +--- +image: + repository: kopia/kopia + tag: "0.18.2" + pullPolicy: IfNotPresent + +config: + bucket: kopia + endpoint: minio-api.talos-genmachine.fredcorp.com + serverUsername: admin + +ingress: + className: traefik + host: kopia.talos-genmachine.fredcorp.com + annotations: + cert-manager.io/cluster-issuer: fredcorp-ca + cert-manager.io/common-name: kopia.talos-genmachine.fredcorp.com + traefik.ingress.kubernetes.io/router.entrypoints: websecure + tls: + secretName: kopia-tls-cert + +persistence: + storageClassName: nfs-csi-retain + size: 5Gi + nfs: + server: 192.168.1.250 + share: /volatile + subdir: kopia diff --git a/gitops/manifests/kopia/genmachine/templates/deployment.yaml b/gitops/manifests/kopia/genmachine/templates/deployment.yaml new file mode 100644 index 000000000..623cc9b9a --- /dev/null +++ b/gitops/manifests/kopia/genmachine/templates/deployment.yaml 
@@ -0,0 +1,117 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: kopia + labels: + app: kopia +spec: + replicas: 1 + selector: + matchLabels: + app: kopia + strategy: + type: Recreate + template: + metadata: + labels: + app: kopia + spec: + initContainers: + # Connect to existing S3 repository or create it if first run + - name: kopia-init + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + envFrom: + - secretRef: + name: kopia-creds + env: + - name: KOPIA_CONFIG_PATH + value: /app/config/repository.config + - name: KOPIA_CACHE_DIRECTORY + value: /app/cache + - name: SSL_CERT_FILE + value: /certs/fredcorp-ca-chain.pem + command: ["/bin/sh", "-c"] + args: + - | + kopia repository connect s3 \ + --bucket={{ .Values.config.bucket }} \ + --endpoint={{ .Values.config.endpoint }} \ + --no-check-for-updates \ + --password="${KOPIA_PASSWORD}" \ + 2>/dev/null \ + || \ + kopia repository create s3 \ + --bucket={{ .Values.config.bucket }} \ + --endpoint={{ .Values.config.endpoint }} \ + --no-check-for-updates \ + --password="${KOPIA_PASSWORD}" + volumeMounts: + - name: config + mountPath: /app/config + - name: cache + mountPath: /app/cache + - name: ca-cert + mountPath: /certs + readOnly: true + containers: + - name: kopia + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + envFrom: + - secretRef: + name: kopia-creds + env: + - name: KOPIA_CONFIG_PATH + value: /app/config/repository.config + - name: KOPIA_CACHE_DIRECTORY + value: /app/cache + - name: SSL_CERT_FILE + value: /certs/fredcorp-ca-chain.pem + command: ["/bin/sh", "-c"] + args: + - | + kopia server start \ + --address=0.0.0.0:51515 \ + --server-username={{ .Values.config.serverUsername }} \ + --server-password="${KOPIA_SERVER_PASSWORD}" \ + --no-legacy-api \ + --no-check-for-updates \ + --log-level=info + ports: + - name: http + containerPort: 51515 + protocol: TCP + 
livenessProbe: + httpGet: + path: /api/v1/repo/status + port: http + initialDelaySeconds: 30 + periodSeconds: 30 + readinessProbe: + httpGet: + path: /api/v1/repo/status + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + volumeMounts: + - name: config + mountPath: /app/config + - name: cache + mountPath: /app/cache + - name: ca-cert + mountPath: /certs + readOnly: true + volumes: + - name: config + emptyDir: {} + - name: cache + persistentVolumeClaim: + claimName: pvc-kopia + - name: ca-cert + secret: + secretName: fredcorp-ca-chain + items: + - key: fredcorp-ca-chain.pem + path: fredcorp-ca-chain.pem diff --git a/gitops/manifests/kopia/genmachine/templates/extsecrets.yaml b/gitops/manifests/kopia/genmachine/templates/extsecrets.yaml new file mode 100644 index 000000000..c8cbb1261 --- /dev/null +++ b/gitops/manifests/kopia/genmachine/templates/extsecrets.yaml 
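Review bot: The init and main containers pass secrets on the command line (`--password="${KOPIA_PASSWORD}"` and `--server-password="${KOPIA_SERVER_PASSWORD}"` inside the `args` block scalars), which makes them readable from `/proc/<pid>/cmdline` by anything that can exec into the pod or list processes on the node. Kopia reads `KOPIA_PASSWORD` from the environment and that variable is already injected via `envFrom: secretRef: kopia-creds`, so both `--password=` lines can simply be removed; `--server-password` appears to have a matching `KOPIA_SERVER_PASSWORD` envar, so verify against the 0.18.2 CLI help and drop it too. The same `--password="${KOPIA_PASSWORD}"` argv pattern reappears in the `init-repo` container of the patch 3 `genmachine-values.yaml` hunk. The pod also sets no `securityContext` (no `runAsNonRoot`, `readOnlyRootFilesystem` or `capabilities.drop: [ALL]`) and no `resources`, so it runs with the image's default user and full capabilities.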
@@ -0,0 +1,55 @@ +--- +# kopia-creds: repository encryption password + S3 credentials + server UI password +# Vault paths to provision: +# kopia/repo/minio-backup → password (repository encryption key) +# kopia/server → password (Kopia server UI admin password) +# minio/creds/admin → user, password (shared with restic) +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: kopia-creds +spec: + refreshInterval: 1h + secretStoreRef: + name: admin + kind: ClusterSecretStore + target: + name: kopia-creds + creationPolicy: Owner + deletionPolicy: Retain + template: + engineVersion: v2 + data: + KOPIA_PASSWORD: '{{ "{{" }}.kopia_password{{ "}}" }}' + AWS_ACCESS_KEY_ID: '{{ "{{" }}.minio_user{{ "}}" }}' + AWS_SECRET_ACCESS_KEY: '{{ "{{" }}.minio_password{{ "}}" }}' + KOPIA_SERVER_PASSWORD: '{{ "{{" }}.server_password{{ "}}" }}' + data: + - secretKey: kopia_password + remoteRef: + conversionStrategy: Default + decodingStrategy: None + metadataPolicy: None + key: kopia/repo/minio-backup + property: password + - secretKey: minio_user + remoteRef: + conversionStrategy: Default + decodingStrategy: None + metadataPolicy: None + key: minio/creds/admin + property: user + - secretKey: minio_password + remoteRef: + conversionStrategy: Default + decodingStrategy: None + metadataPolicy: None + key: minio/creds/admin + property: password + - secretKey: server_password + remoteRef: + conversionStrategy: Default + decodingStrategy: None + metadataPolicy: None + key: kopia/server + property: password diff --git a/gitops/manifests/kopia/genmachine/templates/ingress.yaml b/gitops/manifests/kopia/genmachine/templates/ingress.yaml new file mode 100644 index 000000000..83f30338d --- /dev/null +++ b/gitops/manifests/kopia/genmachine/templates/ingress.yaml 
@@ -0,0 +1,24 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: kopia + annotations: + {{- toYaml .Values.ingress.annotations | nindent 4 }} +spec: + ingressClassName: {{ .Values.ingress.className }} + rules: + - host: {{ .Values.ingress.host }} + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: kopia + port: + name: http + tls: + - hosts: + - {{ .Values.ingress.host }} + secretName: {{ .Values.ingress.tls.secretName }} diff --git a/gitops/manifests/kopia/genmachine/templates/pv.yaml b/gitops/manifests/kopia/genmachine/templates/pv.yaml new file mode 100644 index 000000000..e80c59cb6 --- /dev/null +++ b/gitops/manifests/kopia/genmachine/templates/pv.yaml @@ -0,0 +1,24 @@ +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: kopia +spec: + capacity: + storage: {{ .Values.persistence.size }} + accessModes: + - ReadWriteOnce + csi: + driver: nfs.csi.k8s.io + volumeAttributes: + csi.storage.k8s.io/pv/name: kopia + csi.storage.k8s.io/pvc/name: pvc-kopia + server: {{ .Values.persistence.nfs.server }} + share: {{ .Values.persistence.nfs.share }} + subdir: {{ .Values.persistence.nfs.subdir }} + volumeHandle: {{ .Values.persistence.nfs.server }}#{{ trimPrefix "/" .Values.persistence.nfs.share }}#{{ .Values.persistence.nfs.subdir }}## + persistentVolumeReclaimPolicy: Retain + storageClassName: {{ .Values.persistence.storageClassName }} + mountOptions: + - nfsvers=4.1 + - nolock diff --git a/gitops/manifests/kopia/genmachine/templates/pvc.yaml b/gitops/manifests/kopia/genmachine/templates/pvc.yaml new file mode 100644 index 000000000..5d33ba367 --- /dev/null +++ b/gitops/manifests/kopia/genmachine/templates/pvc.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: pvc-kopia +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ .Values.persistence.size }} + storageClassName: {{ .Values.persistence.storageClassName }} + volumeName: kopia 
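Review bot: The Ingress publishes the Kopia UI and the whole `/api/v1` surface on `kopia.talos-genmachine.fredcorp.com` guarded only by the single server password from `kopia-creds`, with no rate limiting or second authentication layer in front of it. Because the server is connected to the repository that holds every VolSync backup, one leaked password gives read access to all of them, so a Traefik middleware in the `annotations` block (a LAN IP allow-list, or forward-auth against the cluster's authentik) is worth adding; the middleware name depends on what the cluster defines, so as a placeholder: `traefik.ingress.kubernetes.io/router.middlewares: <namespace>-<middleware>@kubernetescrd`. Patch 3 moves this Ingress into the app-template `ingress.app` values with the same annotations, so the addition belongs there as well.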
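Review bot: The PersistentVolume `kopia` has no `claimRef`, so binding relies only on the PVC side's `volumeName: kopia`; any other PVC in any namespace that sets `volumeName: kopia` with a compatible class and size can bind it first and take over the NFS export. Pin the volume to its intended claim under `spec:` with `claimRef:` / `  namespace: kopia` / `  name: pvc-kopia` (the namespace comes from the ApplicationSet's `destination.namespace`). The `csi.storage.k8s.io/pvc/name` volumeAttribute is passed to the driver for its own bookkeeping and does not enforce binding.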
diff --git a/gitops/manifests/kopia/genmachine/templates/service.yaml b/gitops/manifests/kopia/genmachine/templates/service.yaml new file mode 100644 index 000000000..165820eb8 --- /dev/null +++ b/gitops/manifests/kopia/genmachine/templates/service.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: kopia +spec: + selector: + app: kopia + ports: + - name: http + port: 51515 + targetPort: http + protocol: TCP + type: ClusterIP diff --git a/gitops/manifests/minio/genmachine/genmachine-values.yaml b/gitops/manifests/minio/genmachine/genmachine-values.yaml index fda08cc69..2b6974996 100644 --- a/gitops/manifests/minio/genmachine/genmachine-values.yaml +++ b/gitops/manifests/minio/genmachine/genmachine-values.yaml @@ -71,6 +71,16 @@ minio: # set objectlocking for # bucket [true|false] NOTE: versioning is enabled by default if you use locking objectlocking: false + - name: kopia + policy: none + purge: false + versioning: false + objectlocking: false + - name: restic + policy: none + purge: false + versioning: false + objectlocking: false metrics: serviceMonitor: diff --git a/gitops/manifests/vault/genmachine/templates/volsync-backup.yaml b/gitops/manifests/vault/genmachine/templates/volsync-backup.yaml index 72fd9b2d1..ae0b470fe 100644 --- a/gitops/manifests/vault/genmachine/templates/volsync-backup.yaml +++ b/gitops/manifests/vault/genmachine/templates/volsync-backup.yaml 
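Review bot: The new `kopia` and `restic` buckets are created with `versioning: false` and `objectlocking: false`, so a leaked backup credential (in this commit, the MinIO admin credentials distributed to every backup namespace) can overwrite or delete all backup history in one pass. For buckets whose only purpose is holding backups, `versioning: true` lets deleted or overwritten objects be recovered, and `objectlocking: true` (which the file's own comment notes implies versioning) adds a retention floor; either needs a lifecycle rule so Kopia/restic pruning does not leave unbounded old versions. `policy: none` is right for these buckets, so the change is limited to the `versioning`/`objectlocking` lines of the two new entries. The enclosing `buckets` list starts before the hunk.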
@@ -1,6 +1,72 @@ --- apiVersion: volsync.backube/v1alpha1 kind: ReplicationSource +metadata: + name: backup-kopia-vault +spec: + sourcePVC: data-vault-0 + trigger: + schedule: "0 1 * * 3" # On wednesday every week at 01:00 AM + kopia: + repository: kopia-config + pruneIntervalDays: 7 + retain: + hourly: 2 + daily: 2 + weekly: 4 + monthly: 4 + yearly: 1 + within: 24h + copyMethod: Direct + storageClassName: nfs-csi-delete +--- +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: kopia-config +spec: + refreshInterval: 1h + secretStoreRef: + name: admin + kind: ClusterSecretStore + target: + name: kopia-config + creationPolicy: Owner + deletionPolicy: Retain + template: + engineVersion: v2 + data: + KOPIA_PASSWORD: '{{ "{{" }}.kopia_password{{ "}}" }}' + AWS_ACCESS_KEY_ID: '{{ "{{" }}.minio_user{{ "}}" }}' + AWS_SECRET_ACCESS_KEY: '{{ "{{" }}.minio_password{{ "}}" }}' + KOPIA_S3_BUCKET: "kopia" + KOPIA_S3_ENDPOINT: "minio-api.talos-genmachine.fredcorp.com" + KOPIA_OBJECT_PREFIX: "volsync/vault/genmachine/" + data: + - secretKey: kopia_password + remoteRef: + conversionStrategy: Default + decodingStrategy: None + metadataPolicy: None + key: kopia/repo/minio-backup + property: password + - secretKey: minio_user + remoteRef: + conversionStrategy: Default + decodingStrategy: None + metadataPolicy: None + key: minio/creds/admin + property: user + - secretKey: minio_password + remoteRef: + conversionStrategy: Default + decodingStrategy: None + metadataPolicy: None + key: minio/creds/admin + property: password +--- +apiVersion: volsync.backube/v1alpha1 +kind: ReplicationSource metadata: name: backup-vault spec: diff --git a/gitops/manifests/wireguard/genmachine/templates/volsync-backup.yaml b/gitops/manifests/wireguard/genmachine/templates/volsync-backup.yaml index 2b989a788..b13f4bacb 100644 --- a/gitops/manifests/wireguard/genmachine/templates/volsync-backup.yaml +++ b/gitops/manifests/wireguard/genmachine/templates/volsync-backup.yaml 
@@ -1,6 +1,72 @@ --- apiVersion: volsync.backube/v1alpha1 kind: ReplicationSource +metadata: + name: backup-kopia-wireguard +spec: + sourcePVC: wireguard-wg-portal + trigger: + schedule: "0 1 * * 3" # On wednesday every week at 01:00 AM + kopia: + repository: kopia-config + pruneIntervalDays: 7 + retain: + hourly: 2 + daily: 2 + weekly: 4 + monthly: 4 + yearly: 1 + within: 24h + copyMethod: Direct + storageClassName: nfs-csi-delete +--- +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: kopia-config +spec: + refreshInterval: 1h + secretStoreRef: + name: admin + kind: ClusterSecretStore + target: + name: kopia-config + creationPolicy: Owner + deletionPolicy: Retain + template: + engineVersion: v2 + data: + KOPIA_PASSWORD: '{{ "{{" }}.kopia_password{{ "}}" }}' + AWS_ACCESS_KEY_ID: '{{ "{{" }}.minio_user{{ "}}" }}' + AWS_SECRET_ACCESS_KEY: '{{ "{{" }}.minio_password{{ "}}" }}' + KOPIA_S3_BUCKET: "kopia" + KOPIA_S3_ENDPOINT: "minio-api.talos-genmachine.fredcorp.com" + KOPIA_OBJECT_PREFIX: "volsync/wireguard/genmachine/" + data: + - secretKey: kopia_password + remoteRef: + conversionStrategy: Default + decodingStrategy: None + metadataPolicy: None + key: kopia/repo/minio-backup + property: password + - secretKey: minio_user + remoteRef: + conversionStrategy: Default + decodingStrategy: None + metadataPolicy: None + key: minio/creds/admin + property: user + - secretKey: minio_password + remoteRef: + conversionStrategy: Default + decodingStrategy: None + metadataPolicy: None + key: minio/creds/admin + property: password +--- +apiVersion: volsync.backube/v1alpha1 +kind: ReplicationSource metadata: name: backup-wireguard spec: From 47f7e8c02b53fcb1838824831a23acb1e738c527 Mon Sep 17 00:00:00 2001 
From: ixxeL2097 Date: Mon, 27 Apr 2026 22:54:22 +0200 Subject: [PATCH 3/3] refactor(kopia): switch to bjw-s/app-template chart + thespad/kopia-server image Replace custom Deployment/Service/Ingress templates with the bjw-s app-template Helm chart (v4.6.2) which is the standard pattern in K8s homelabs. Switch image from kopia/kopia to ghcr.io/thespad/kopia-server which is purpose-built for server mode and exposes the correct env vars (KOPIA_UI_USERNAME/KOPIA_UI_PASSWORD). Update ExternalSecret to produce KOPIA_UI_USERNAME/KOPIA_UI_PASSWORD instead of the generic KOPIA_SERVER_PASSWORD used by the raw kopia image. Co-Authored-By: Claude Sonnet 4.6 --- gitops/manifests/kopia/genmachine/Chart.yaml | 4 + .../kopia/genmachine/genmachine-values.yaml | 126 ++++++++++++++---- .../genmachine/templates/deployment.yaml | 117 ---------------- .../genmachine/templates/extsecrets.yaml | 3 +- .../kopia/genmachine/templates/ingress.yaml | 24 ---- .../kopia/genmachine/templates/service.yaml | 14 -- 6 files changed, 108 insertions(+), 180 deletions(-) delete mode 100644 gitops/manifests/kopia/genmachine/templates/deployment.yaml delete mode 100644 gitops/manifests/kopia/genmachine/templates/ingress.yaml delete mode 100644 gitops/manifests/kopia/genmachine/templates/service.yaml diff --git a/gitops/manifests/kopia/genmachine/Chart.yaml b/gitops/manifests/kopia/genmachine/Chart.yaml index 0e8461e9a..71491fd43 100644 --- a/gitops/manifests/kopia/genmachine/Chart.yaml +++ b/gitops/manifests/kopia/genmachine/Chart.yaml @@ -2,3 +2,7 @@ apiVersion: v2 name: kopia version: 1.0.0 +dependencies: + - name: app-template + version: 4.6.2 + repository: https://bjw-s-labs.github.io/helm-charts diff --git a/gitops/manifests/kopia/genmachine/genmachine-values.yaml b/gitops/manifests/kopia/genmachine/genmachine-values.yaml index 594900a93..96267eac6 100644 --- a/gitops/manifests/kopia/genmachine/genmachine-values.yaml +++ b/gitops/manifests/kopia/genmachine/genmachine-values.yaml 
@@ -1,28 +1,106 @@ --- -image: - repository: kopia/kopia - tag: "0.18.2" - pullPolicy: IfNotPresent +app-template: + controllers: + kopia: + strategy: Recreate + initContainers: + # Connect to existing S3 repository or create it on first run + init-repo: + image: + repository: ghcr.io/thespad/kopia-server + tag: "0.22.3-spad59" + envFrom: + - secretRef: + name: kopia-creds + env: + KOPIA_CONFIG_PATH: /config/repository.config + KOPIA_CACHE_DIRECTORY: /cache + SSL_CERT_FILE: /certs/fredcorp-ca-chain.pem + command: ["/bin/sh", "-c"] + args: + - | + kopia repository connect s3 \ + --bucket=kopia \ + --endpoint=minio-api.talos-genmachine.fredcorp.com \ + --no-check-for-updates \ + --password="${KOPIA_PASSWORD}" 2>/dev/null \ + || \ + kopia repository create s3 \ + --bucket=kopia \ + --endpoint=minio-api.talos-genmachine.fredcorp.com \ + --no-check-for-updates \ + --password="${KOPIA_PASSWORD}" -config: - bucket: kopia - endpoint: minio-api.talos-genmachine.fredcorp.com - serverUsername: admin + containers: + app: + image: + repository: ghcr.io/thespad/kopia-server + tag: "0.22.3-spad59" + envFrom: + - secretRef: + name: kopia-creds + env: + KOPIA_CONFIG_PATH: /config/repository.config + KOPIA_CACHE_DIRECTORY: /cache + SSL_CERT_FILE: /certs/fredcorp-ca-chain.pem + probes: + liveness: + enabled: true + custom: true + spec: + httpGet: + path: /api/v1/repo/status + port: 51515 + initialDelaySeconds: 30 + periodSeconds: 30 + readiness: + enabled: true + custom: true + spec: + httpGet: + path: /api/v1/repo/status + port: 51515 + initialDelaySeconds: 10 + periodSeconds: 10 -ingress: - className: traefik - host: kopia.talos-genmachine.fredcorp.com - annotations: - cert-manager.io/cluster-issuer: fredcorp-ca - cert-manager.io/common-name: kopia.talos-genmachine.fredcorp.com - traefik.ingress.kubernetes.io/router.entrypoints: websecure - tls: - secretName: kopia-tls-cert + service: + app: + controller: kopia + ports: + http: + port: 51515 -persistence: - storageClassName: 
nfs-csi-retain - size: 5Gi - nfs: - server: 192.168.1.250 - share: /volatile - subdir: kopia + ingress: + app: + className: traefik + annotations: + cert-manager.io/cluster-issuer: fredcorp-ca + cert-manager.io/common-name: kopia.talos-genmachine.fredcorp.com + traefik.ingress.kubernetes.io/router.entrypoints: websecure + hosts: + - host: kopia.talos-genmachine.fredcorp.com + paths: + - path: / + service: + identifier: app + port: http + tls: + - secretName: kopia-tls-cert + hosts: + - kopia.talos-genmachine.fredcorp.com + + persistence: + config: + type: emptyDir + globalMounts: + - path: /config + cache: + existingClaim: pvc-kopia + globalMounts: + - path: /cache + ca-cert: + type: secret + name: fredcorp-ca-chain + globalMounts: + - path: /certs + readOnly: true diff --git a/gitops/manifests/kopia/genmachine/templates/deployment.yaml b/gitops/manifests/kopia/genmachine/templates/deployment.yaml deleted file mode 100644 index 623cc9b9a..000000000 --- a/gitops/manifests/kopia/genmachine/templates/deployment.yaml +++ /dev/null 
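Review bot: The new `app-template` values define no pod or container `securityContext`, so both `init-repo` and `app` run with whatever user and capabilities `ghcr.io/thespad/kopia-server` defaults to; the chart exposes `defaultPodOptions.securityContext` (pod level) and a per-container `securityContext`, and since `/config`, `/cache` and `/certs` are already separate mounts the root filesystem can be read-only too — if the image is an s6/`PUID`-style image that needs root at start, drop `runAsNonRoot` and keep the capability drop and seccomp profile. The custom liveness/readiness probes GET `/api/v1/repo/status` with no credentials; if the image enforces `KOPIA_UI_USERNAME`/`KOPIA_UI_PASSWORD` on the API that returns 401, which a `httpGet` probe counts as failure, so confirm against a running pod or use a `tcpSocket` probe on 51515. `KOPIA_CONFIG_PATH: /config/repository.config` is presumably also what the image's own entrypoint expects; verify, since a mismatch would start the server without the repository the init container connected. The hunk replaces the whole previous values file, so nothing of it lies outside the hunk.

```yaml
app-template:
  defaultPodOptions:
    securityContext:
      runAsNonRoot: true
      runAsUser: 1000       # constructed example; use the uid the image actually runs as
      fsGroup: 1000         # constructed example; must be able to write the NFS cache export
      seccompProfile:
        type: RuntimeDefault
  # … unchanged: controllers.kopia (add securityContext with capabilities.drop: [ALL] and readOnlyRootFilesystem: true to init-repo and app) …
  # … unchanged: service, ingress, persistence …
```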
@@ -1,117 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: kopia - labels: - app: kopia -spec: - replicas: 1 - selector: - matchLabels: - app: kopia - strategy: - type: Recreate - template: - metadata: - labels: - app: kopia - spec: - initContainers: - # Connect to existing S3 repository or create it if first run - - name: kopia-init - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - envFrom: - - secretRef: - name: kopia-creds - env: - - name: KOPIA_CONFIG_PATH - value: /app/config/repository.config - - name: KOPIA_CACHE_DIRECTORY - value: /app/cache - - name: SSL_CERT_FILE - value: /certs/fredcorp-ca-chain.pem - command: ["/bin/sh", "-c"] - args: - - | - kopia repository connect s3 \ - --bucket={{ .Values.config.bucket }} \ - --endpoint={{ .Values.config.endpoint }} \ - --no-check-for-updates \ - --password="${KOPIA_PASSWORD}" \ - 2>/dev/null \ - || \ - kopia repository create s3 \ - --bucket={{ .Values.config.bucket }} \ - --endpoint={{ .Values.config.endpoint }} \ - --no-check-for-updates \ - --password="${KOPIA_PASSWORD}" - volumeMounts: - - name: config - mountPath: /app/config - - name: cache - mountPath: /app/cache - - name: ca-cert - mountPath: /certs - readOnly: true - containers: - - name: kopia - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - envFrom: - - secretRef: - name: kopia-creds - env: - - name: KOPIA_CONFIG_PATH - value: /app/config/repository.config - - name: KOPIA_CACHE_DIRECTORY - value: /app/cache - - name: SSL_CERT_FILE - value: /certs/fredcorp-ca-chain.pem - command: ["/bin/sh", "-c"] - args: - - | - kopia server start \ - --address=0.0.0.0:51515 \ - --server-username={{ .Values.config.serverUsername }} \ - --server-password="${KOPIA_SERVER_PASSWORD}" \ - --no-legacy-api \ - --no-check-for-updates \ - --log-level=info - ports: - - name: http - containerPort: 51515 - protocol: TCP - 
livenessProbe: - httpGet: - path: /api/v1/repo/status - port: http - initialDelaySeconds: 30 - periodSeconds: 30 - readinessProbe: - httpGet: - path: /api/v1/repo/status - port: http - initialDelaySeconds: 10 - periodSeconds: 10 - volumeMounts: - - name: config - mountPath: /app/config - - name: cache - mountPath: /app/cache - - name: ca-cert - mountPath: /certs - readOnly: true - volumes: - - name: config - emptyDir: {} - - name: cache - persistentVolumeClaim: - claimName: pvc-kopia - - name: ca-cert - secret: - secretName: fredcorp-ca-chain - items: - - key: fredcorp-ca-chain.pem - path: fredcorp-ca-chain.pem diff --git a/gitops/manifests/kopia/genmachine/templates/extsecrets.yaml b/gitops/manifests/kopia/genmachine/templates/extsecrets.yaml index c8cbb1261..a6f0f2bcb 100644 --- a/gitops/manifests/kopia/genmachine/templates/extsecrets.yaml +++ b/gitops/manifests/kopia/genmachine/templates/extsecrets.yaml @@ -23,7 +23,8 @@ spec: KOPIA_PASSWORD: '{{ "{{" }}.kopia_password{{ "}}" }}' AWS_ACCESS_KEY_ID: '{{ "{{" }}.minio_user{{ "}}" }}' AWS_SECRET_ACCESS_KEY: '{{ "{{" }}.minio_password{{ "}}" }}' - KOPIA_SERVER_PASSWORD: '{{ "{{" }}.server_password{{ "}}" }}' + KOPIA_UI_USERNAME: "admin" + KOPIA_UI_PASSWORD: '{{ "{{" }}.server_password{{ "}}" }}' data: - secretKey: kopia_password remoteRef: diff --git a/gitops/manifests/kopia/genmachine/templates/ingress.yaml b/gitops/manifests/kopia/genmachine/templates/ingress.yaml deleted file mode 100644 index 83f30338d..000000000 --- a/gitops/manifests/kopia/genmachine/templates/ingress.yaml +++ /dev/null 
@@ -1,24 +0,0 @@ ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: kopia - annotations: - {{- toYaml .Values.ingress.annotations | nindent 4 }} -spec: - ingressClassName: {{ .Values.ingress.className }} - rules: - - host: {{ .Values.ingress.host }} - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: kopia - port: - name: http - tls: - - hosts: - - {{ .Values.ingress.host }} - secretName: {{ .Values.ingress.tls.secretName }} diff --git a/gitops/manifests/kopia/genmachine/templates/service.yaml b/gitops/manifests/kopia/genmachine/templates/service.yaml deleted file mode 100644 index 165820eb8..000000000 --- a/gitops/manifests/kopia/genmachine/templates/service.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -apiVersion: v1 -kind: Service -metadata: - name: kopia -spec: - selector: - app: kopia - ports: - - name: http - port: 51515 - targetPort: http - protocol: TCP - type: ClusterIP