feat(kopia): deploy Kopia server + UI with parallel VolSync backups

gitops/core/apps/genmachine/storage/kopia.yaml

@@ -0,0 +1,64 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: kopia
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/manifest-generate-paths: .;../common
+spec:
+  goTemplate: true
+  generators:
+    - git:
+        repoURL: 'https://github.com/ixxeL-DevOps/fullstack.git'
+        revision: main
+        directories:
+          - path: 'gitops/manifests/kopia/*'
+            exclude: false
+          - path: 'gitops/manifests/kopia/common'
+            exclude: true
+          - path: 'gitops/manifests/kopia/beelink'
+            exclude: true
+          - path: 'gitops/manifests/kopia/k0s'
+            exclude: true
+  template:
+    metadata:
+      name: 'kopia-{{ .path.basenameNormalized }}'
+      annotations:
+        argocd.argoproj.io/manifest-generate-paths: .;../common
+    spec:
+      project: infra-storage
+      destination:
+        name: '{{ .path.basenameNormalized }}'
+        namespace: kopia
+      sources:
+        - path: 'gitops/manifests/kopia/{{ .path.basenameNormalized }}'
+          repoURL: https://github.com/ixxeL-DevOps/fullstack.git
+          targetRevision: main
+          helm:
+            releaseName: kopia
+            valueFiles:
+              - $values/gitops/manifests/kopia/common/common-values.yaml
+              - $values/gitops/manifests/kopia/{{ .path.basenameNormalized }}/{{ .path.basenameNormalized }}-values.yaml
+            ignoreMissingValueFiles: true
+        - repoURL: https://github.com/ixxeL-DevOps/fullstack.git
+          targetRevision: main
+          ref: values
+      syncPolicy:
+        automated:
+          prune: true
+          selfHeal: true
+        syncOptions:
+          - Validate=true
+          - PruneLast=true
+          - RespectIgnoreDifferences=true
+          - Replace=false
+          - ApplyOutOfSyncOnly=true
+          - CreateNamespace=true
+          - ServerSideApply=true
+        retry:
+          limit: 6
+          backoff:
+            duration: 10s
+            factor: 2
+            maxDuration: 3m

gitops/manifests/adguard/genmachine/templates/volsync-backup.yaml

@@ -1,6 +1,72 @@
 ---
 apiVersion: volsync.backube/v1alpha1
 kind: ReplicationSource
+metadata:
+  name: backup-kopia-adguard
+spec:
+  sourcePVC: pvc-adguard-data
+  trigger:
+    schedule: "0 4 * * 3" # On wednesday every week at 04:00 AM
+  kopia:
+    repository: kopia-config
+    pruneIntervalDays: 7
+    retain:
+      hourly: 1
+      daily: 1
+      weekly: 4
+      monthly: 4
+      yearly: 1
+      within: 24h
+    copyMethod: Direct
+    storageClassName: nfs-csi-delete
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: kopia-config
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: admin
+    kind: ClusterSecretStore
+  target:
+    name: kopia-config
+    creationPolicy: Owner
+    deletionPolicy: Retain
+    template:
+      engineVersion: v2
+      data:
+        KOPIA_PASSWORD: '{{ "{{" }}.kopia_password{{ "}}" }}'
+        AWS_ACCESS_KEY_ID: '{{ "{{" }}.minio_user{{ "}}" }}'
+        AWS_SECRET_ACCESS_KEY: '{{ "{{" }}.minio_password{{ "}}" }}'
+        KOPIA_S3_BUCKET: "kopia"
+        KOPIA_S3_ENDPOINT: "minio-api.talos-genmachine.fredcorp.com"
+        KOPIA_OBJECT_PREFIX: "volsync/adguard/genmachine/"
+  data:
+    - secretKey: kopia_password
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
+        key: kopia/repo/minio-backup
+        property: password
+    - secretKey: minio_user
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
+        key: minio/creds/admin
+        property: user
+    - secretKey: minio_password
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
+        key: minio/creds/admin
+        property: password
+---
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
 metadata:
   name: backup-adguard
 spec:

gitops/manifests/authentik/genmachine/app/templates/volsync-backup.yaml

@@ -1,6 +1,72 @@
 ---
 apiVersion: volsync.backube/v1alpha1
 kind: ReplicationSource
+metadata:
+  name: backup-kopia-authentik-pgsql
+spec:
+  sourcePVC: pvc-authentik-pgsql-data
+  trigger:
+    schedule: "0 4 * * 1,4" # On monday and thursday every week at 04:00 AM
+  kopia:
+    repository: kopia-config
+    pruneIntervalDays: 7
+    retain:
+      hourly: 2
+      daily: 2
+      weekly: 4
+      monthly: 4
+      yearly: 1
+      within: 24h
+    copyMethod: Direct
+    storageClassName: nfs-csi-delete
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: kopia-config
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: admin
+    kind: ClusterSecretStore
+  target:
+    name: kopia-config
+    creationPolicy: Owner
+    deletionPolicy: Retain
+    template:
+      engineVersion: v2
+      data:
+        KOPIA_PASSWORD: '{{ "{{" }}.kopia_password{{ "}}" }}'
+        AWS_ACCESS_KEY_ID: '{{ "{{" }}.minio_user{{ "}}" }}'
+        AWS_SECRET_ACCESS_KEY: '{{ "{{" }}.minio_password{{ "}}" }}'
+        KOPIA_S3_BUCKET: "kopia"
+        KOPIA_S3_ENDPOINT: "minio-api.talos-genmachine.fredcorp.com"
+        KOPIA_OBJECT_PREFIX: "volsync/authentik/genmachine/"
+  data:
+    - secretKey: kopia_password
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
+        key: kopia/repo/minio-backup
+        property: password
+    - secretKey: minio_user
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
+        key: minio/creds/admin
+        property: user
+    - secretKey: minio_password
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
+        key: minio/creds/admin
+        property: password
+---
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
 metadata:
   name: backup-authentik-pgsql
 spec:

gitops/manifests/cilium/genmachine/genmachine-values.yaml

@@ -47,6 +47,8 @@ cilium:
 
   routingMode: native
   autoDirectNodeRoutes: true
+  # Doit correspondre au podSubnets du cluster Talos (cluster.network.podSubnets).
+  # Indique à Cilium le CIDR des pods pour éviter le SNAT du trafic inter-pod en mode native routing.
   ipv4NativeRoutingCIDR: "10.244.0.0/16"
 
   enableIPv4BIGTCP: true

gitops/manifests/homarr/genmachine/templates/backup-pvc.yaml

@@ -1,6 +1,69 @@
 ---
 apiVersion: volsync.backube/v1alpha1
 kind: ReplicationSource
+metadata:
+  name: rs-kopia-homarr-db
+spec:
+  sourcePVC: homarr-database
+  trigger:
+    schedule: "0 3 * * *"
+  kopia:
+    repository: kopia-config
+    pruneIntervalDays: 7
+    retain:
+      daily: 7
+      weekly: 3
+      monthly: 2
+    copyMethod: Direct
+    storageClassName: nfs-csi-delete
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: kopia-config
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: admin
+    kind: ClusterSecretStore
+  target:
+    name: kopia-config
+    creationPolicy: Owner
+    deletionPolicy: Retain
+    template:
+      engineVersion: v2
+      data:
+        KOPIA_PASSWORD: '{{ "{{" }}.kopia_password{{ "}}" }}'
+        AWS_ACCESS_KEY_ID: '{{ "{{" }}.minio_user{{ "}}" }}'
+        AWS_SECRET_ACCESS_KEY: '{{ "{{" }}.minio_password{{ "}}" }}'
+        KOPIA_S3_BUCKET: "kopia"
+        KOPIA_S3_ENDPOINT: "minio-api.talos-genmachine.fredcorp.com"
+        KOPIA_OBJECT_PREFIX: "homarr/genmachine-pvc/"
+  data:
+    - secretKey: kopia_password
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
+        key: kopia/repo/minio-backup
+        property: password
+    - secretKey: minio_user
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
+        key: minio/creds/admin
+        property: user
+    - secretKey: minio_password
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
+        key: minio/creds/admin
+        property: password
+---
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
 metadata:
   name: rs-homarr-db
 spec:

gitops/manifests/kopia/common/common-values.yaml

@@ -0,0 +1 @@
+---

gitops/manifests/kopia/genmachine/Chart.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: v2
+name: kopia
+version: 1.0.0
+dependencies:
+  - name: app-template
+    version: 4.6.2
+    repository: https://bjw-s-labs.github.io/helm-charts