From 679344d45e325db347284ce1c292de06aeeb692d Mon Sep 17 00:00:00 2001
From: Alex Lebens
Date: Fri, 19 Dec 2025 22:55:55 -0600
Subject: [PATCH] add ntfy to script

---
 clusters/cl01tl/helm/vault/Chart.lock | 7 +--
 clusters/cl01tl/helm/vault/Chart.yaml | 4 --
 .../helm/vault/templates/config-map.yaml | 33 +++++++++++--
 .../helm/vault/templates/external-secret.yaml | 37 ++++++++++++++
 clusters/cl01tl/helm/vault/values.yaml | 49 ++++++-------------
 5 files changed, 84 insertions(+), 46 deletions(-)

diff --git a/clusters/cl01tl/helm/vault/Chart.lock b/clusters/cl01tl/helm/vault/Chart.lock
index 226109aee..ce339e224 100644
--- a/clusters/cl01tl/helm/vault/Chart.lock
+++ b/clusters/cl01tl/helm/vault/Chart.lock
@@ -8,8 +8,5 @@ dependencies:
 - name: app-template
 repository: https://bjw-s-labs.github.io/helm-charts/
 version: 4.5.0
-- name: app-template
- repository: https://bjw-s-labs.github.io/helm-charts/
- version: 4.5.0
-digest: sha256:e8e25bec9d45503f18ed4bdcafe02465d53481d18705a54e069da67d0e33a403
-generated: "2025-12-19T22:15:41.082106-06:00"
+digest: sha256:01077322d1f106f1bb2834f2bc74f548084910af901a71e2892e05d3fb0d8c68
+generated: "2025-12-19T22:52:58.599824-06:00"
diff --git a/clusters/cl01tl/helm/vault/Chart.yaml b/clusters/cl01tl/helm/vault/Chart.yaml
index bb9791e94..7ac122a8a 100644
--- a/clusters/cl01tl/helm/vault/Chart.yaml
+++ b/clusters/cl01tl/helm/vault/Chart.yaml
@@ -29,9 +29,5 @@ dependencies:
 alias: unseal
 repository: https://bjw-s-labs.github.io/helm-charts/
 version: 4.5.0
- - name: app-template
- alias: temp
- repository: https://bjw-s-labs.github.io/helm-charts/
- version: 4.5.0
 icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/vault.png
 appVersion: 1.21.1
diff --git a/clusters/cl01tl/helm/vault/templates/config-map.yaml b/clusters/cl01tl/helm/vault/templates/config-map.yaml
index e7ac66795..513ac4547 100644
--- a/clusters/cl01tl/helm/vault/templates/config-map.yaml
+++ b/clusters/cl01tl/helm/vault/templates/config-map.yaml
@@ -65,8 +65,35 @@ data:
 backup.sh: |
 echo " ";
 echo ">> Running S3 backup for Vault snapshot";
- if s3cmd sync --no-check-certificate -v /opt/backup "${BUCKET}/cl01tl/cl01tl-vault-snapshots/"; then
- echo ">> Sync succeeded"
+ OUTPUT=$(s3cmd sync --no-check-certificate -v /opt/backup "${BUCKET}/cl01tl/cl01tl-vault-snapshots/" 2>&1)
+ STATUS=$?
+
+ echo " ";
+ if [ $STATUS -ne 0 ]; then
+ if echo "$OUTPUT" | grep -q "403 Forbidden"; then
+ MESSAGE="403 Authentication Error: Your keys are wrong or you don't have permission"
+ elif echo "$OUTPUT" | grep -q "404 Not Found"; then
+ MESSAGE="404 Error: The bucket or folder does not exist"
+ elif echo "$OUTPUT" | grep -q "Connection refused"; then
+ MESSAGE="Network Error: Cannot reach the S3 endpoint"
+ else
+ MESSAGE="Unknown Error: $OUTPUT"
+ echo ">> Unknown Error, output:"
+ echo " "
+ echo "$OUTPUT"
+ echo " "
+ fi
+
+ echo ">> Message: $MESSAGE"
+
+ echo ">> Sending to NTFY ..."
+ curl \
+ -H "Authorization: Bearer ${NTFY_TOKEN}" \
+ -H "X-Priority: 5" \
+ -H "X-Tags: warning" \
+ -H "X-Title: Vault Backup Failed for ${TARGET}" \
+ -d "$MESSAGE" \
+ ${NTFY_ENDPOINT}/${NTFY_TOPIC}
 else
- echo ">> ERROR: Sync failed"
+ echo ">> S3 Sync succeeded"
 fi
diff --git a/clusters/cl01tl/helm/vault/templates/external-secret.yaml b/clusters/cl01tl/helm/vault/templates/external-secret.yaml
index 5d1453b53..79fc891f4 100644
--- a/clusters/cl01tl/helm/vault/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/vault/templates/external-secret.yaml
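Review bot: The new error-handling path is unreachable when the script is invoked with `-ec`, as the values.yaml hunks suggest: under `set -e` a failing `s3cmd` inside `OUTPUT=$(...)` exits the shell before `STATUS=$?` is assigned, so the ntfy notification never fires on the very failure it was written for. Capture the status in the same statement instead: `STATUS=0` on the line before, then `OUTPUT=$(s3cmd sync --no-check-certificate -v /opt/backup "${BUCKET}/cl01tl/cl01tl-vault-snapshots/" 2>&1) || STATUS=$?`. In the curl call, quote the URL as `"${NTFY_ENDPOINT}/${NTFY_TOPIC}"` and add `-fsS` so a rejected or unreachable ntfy endpoint shows up in the job log instead of being ignored; the `Unknown Error` branch also forwards the full verbose s3cmd output, including the bucket URL, to the notification channel, so consider trimming it to the last few lines. After a failed sync the script still falls through and exits 0, so the Job is reported as successful; ending the failure branch with `exit "$STATUS"` lets the Job status reflect it. The backup.sh block scalar begins before this hunk.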
@@ -117,6 +117,43 @@ spec:
 metadataPolicy: None
 property: BUCKET
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: vault-backup-ntfy-secret
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: vault-backup-ntfy-secret
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ data:
+ - secretKey: NTFY_TOKEN
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /ntfy/user/cl01tl
+ metadataPolicy: None
+ property: token
+ - secretKey: NTFY_ENDPOINT
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /ntfy/user/cl01tl
+ metadataPolicy: None
+ property: endpoint
+ - secretKey: NTFY_TOPIC
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/vault/snapshot
+ metadataPolicy: None
+ property: NTFY_TOPIC
+
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
diff --git a/clusters/cl01tl/helm/vault/values.yaml b/clusters/cl01tl/helm/vault/values.yaml
index 7900a11f4..53eaec6ff 100644
--- a/clusters/cl01tl/helm/vault/values.yaml
+++ b/clusters/cl01tl/helm/vault/values.yaml
@@ -198,12 +198,17 @@ snapshot:
 args:
 - -ec
 - /scripts/backup.sh
+ envFrom:
+ - secretRef:
+ name: vault-backup-ntfy-secret
 env:
 - name: BUCKET
 valueFrom:
 secretKeyRef:
 name: vault-s3cmd-local-config
 key: BUCKET
+ - name: TARGET
+ value: Local
 s3-backup-remote:
 image:
 repository: d3fk/s3cmd
@@ -214,12 +219,17 @@ snapshot:
 args:
 - -ec
 - /scripts/backup.sh
+ envFrom:
+ - secretRef:
+ name: vault-backup-ntfy-secret
 env:
 - name: BUCKET
 valueFrom:
 secretKeyRef:
 name: vault-s3cmd-remote-config
 key: BUCKET
+ - name: TARGET
+ value: Remote
 s3-backup-external:
 image:
 repository: d3fk/s3cmd
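Review bot: The contract between this ExternalSecret and its consumers is implicit: no `spec.target` is set, so the generated Secret takes the ExternalSecret's own name, which values.yaml references through `envFrom` as `vault-backup-ntfy-secret`, and the three `secretKey` names must match the variables backup.sh reads (`NTFY_TOKEN`, `NTFY_ENDPOINT`, `NTFY_TOPIC`). A short comment above `data:` would make that coupling visible, e.g. `# secretKey names are consumed as env vars by backup.sh via envFrom in values.yaml; keep them in sync`. The bearer token is injected into every backup container's environment, so it is readable by anyone who can exec into those pods or read Secrets in the namespace; if the ntfy user's ACL allows it, a write-only grant on this one topic limits what a leak from the backup pod could do. The mixed property naming (`token`/`endpoint` lower-case, `NTFY_TOPIC` upper-case) reflects two different store paths and is presumably intentional, but worth confirming.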
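Review bot: `envFrom` with a `secretRef` makes `vault-backup-ntfy-secret` a hard startup dependency of the backup container: if External Secrets has not yet (or cannot) materialize it, the pod stays in CreateContainerConfigError and the snapshot upload itself never runs, even though the secret only serves the failure notification. Adding `optional: true` under the `secretRef` keeps the backup running when the notification secret is missing; backup.sh's curl then fails visibly in the job log instead. The same block is repeated verbatim for s3-backup-remote (the -214 hunk) and s3-backup-external (the -230 hunk), and this note applies to all three.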
@@ -230,12 +240,17 @@ snapshot:
 args:
 - -ec
 - /scripts/backup.sh
+ envFrom:
+ - secretRef:
+ name: vault-backup-ntfy-secret
 env:
 - name: BUCKET
 valueFrom:
 secretKeyRef:
 name: vault-s3cmd-external-config
 key: BUCKET
+ - name: TARGET
+ value: External
 persistence:
 snapshot-script:
 enabled: true
@@ -370,37 +385,3 @@ unseal:
 requests:
 cpu: 10m
 memory: 24Mi
-temp:
- controllers:
- main:
- type: deployment
- replicas: 1
- strategy: Recreate
- containers:
- main:
- image:
- repository: ubuntu
- tag: resolute-20251208
- pullPolicy: IfNotPresent
- command:
- - "sleep"
- - "infinity"
- resources:
- requests:
- cpu: 10m
- memory: 32Mi
- persistence:
- backup:
- existingClaim: vault-storage-backup
- advancedMounts:
- main:
- main:
- - path: /opt/backup
- readOnly: false
- backup-old:
- existingClaim: vault-nfs-storage-backup
- advancedMounts:
- main:
- main:
- - path: /opt/backup-old
- readOnly: false