From 8ff42e33b3c3d813a1b189e30876eb8d6119c3dd Mon Sep 17 00:00:00 2001 From: Alex Lebens Date: Sun, 26 Apr 2026 13:48:24 -0500 Subject: [PATCH 1/2] feat: move rclone to chart and namespace --- clusters/cl01tl/helm/karakeep/Chart.yaml | 5 ++ clusters/cl01tl/helm/karakeep/values.yaml | 21 +++++ .../rclone/templates/external-secret.yaml | 35 --------- clusters/cl01tl/helm/rclone/values.yaml | 78 ------------------- 4 files changed, 26 insertions(+), 113 deletions(-) diff --git a/clusters/cl01tl/helm/karakeep/Chart.yaml b/clusters/cl01tl/helm/karakeep/Chart.yaml index 95cdb5ff6..336f5cf00 100644 --- a/clusters/cl01tl/helm/karakeep/Chart.yaml +++ b/clusters/cl01tl/helm/karakeep/Chart.yaml @@ -15,6 +15,7 @@ sources: - https://github.com/meilisearch/meilisearch-kubernetes/tree/main/charts/meilisearch - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/cloudflared - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/volsync-target + - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/rclone-bucket maintainers: - name: alexlebens dependencies: @@ -32,6 +33,10 @@ dependencies: alias: volsync-target-data version: 1.0.0 repository: oci://harbor.alexlebens.net/helm-charts + - name: rclone-bucket + alias: rclone-karakeep-assets-remote + repository: oci://harbor.alexlebens.net/helm-charts + version: 0.2.0 icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/karakeep.png # renovate: datasource=github-releases depName=karakeep-app/karakeep appVersion: 0.31.0 diff --git a/clusters/cl01tl/helm/karakeep/values.yaml b/clusters/cl01tl/helm/karakeep/values.yaml index c8469b515..c7880677e 100644 --- a/clusters/cl01tl/helm/karakeep/values.yaml +++ b/clusters/cl01tl/helm/karakeep/values.yaml 
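Review bot: The `rclone-bucket` dependency added under `dependencies:` (alias `rclone-karakeep-assets-remote`) is pinned only by the tag `version: 0.2.0` on an OCI registry, and the diffstat lists no Chart.lock change, so nothing in this patch records the digest of the chart that was reviewed. The controller removed from rclone/values.yaml pinned the rclone image as `1.73.5@sha256:…`; that pin now depends on what chart 0.2.0 ships, which is not visible here. If the repository tracks Chart.lock, commit the regenerated file with this change, and confirm the chart still references the image by digest. The same applies to the `rclone-bucket` entries added to ntfy/Chart.yaml and rclone/Chart.yaml in patch 2/2.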
@@ -172,3 +172,24 @@ volsync-target-data: external: enabled: true schedule: 30 10 * * * +rclone-karakeep-assets-remote: + cronJob: + suspend: false + schedule: 10 0 * * * + rclone: + source: + bucketName: karakeep-assets + destination: + bucketName: karakeep-assets + secret: + externalSecret: + source: + credentials: + path: /garage/home-infra/karakeep-assets + config: + path: /garage/config + destination: + credentials: + path: /garage/home-infra/karakeep-assets + config: + path: /garage/config diff --git a/clusters/cl01tl/helm/rclone/templates/external-secret.yaml b/clusters/cl01tl/helm/rclone/templates/external-secret.yaml index 3c08a406d..80d6e4e75 100644 --- a/clusters/cl01tl/helm/rclone/templates/external-secret.yaml +++ b/clusters/cl01tl/helm/rclone/templates/external-secret.yaml @@ -1,40 +1,5 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret -metadata: - name: garage-karakeep-secret - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: garage-karakeep-secret - {{- include "custom.labels" . | nindent 4 }} -spec: - secretStoreRef: - kind: ClusterSecretStore - name: openbao - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - key: /garage/home-infra/karakeep-assets - property: ACCESS_KEY_ID - - secretKey: ACCESS_REGION - remoteRef: - key: /garage/home-infra/karakeep-assets - property: ACCESS_REGION - - secretKey: ACCESS_SECRET_KEY - remoteRef: - key: /garage/home-infra/karakeep-assets - property: ACCESS_SECRET_KEY - - secretKey: SRC_ENDPOINT - remoteRef: - key: /garage/config - property: ENDPOINT_LOCAL - - secretKey: DEST_ENDPOINT - remoteRef: - key: /garage/config - property: ENDPOINT_REMOTE - ---- -apiVersion: external-secrets.io/v1 -kind: ExternalSecret metadata: name: garage-talos-backups-secret namespace: {{ .Release.Namespace }} diff --git a/clusters/cl01tl/helm/rclone/values.yaml b/clusters/cl01tl/helm/rclone/values.yaml index afb2ff7f7..25ab51e21 100644 --- a/clusters/cl01tl/helm/rclone/values.yaml 
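Review bot: In the added `rclone-karakeep-assets-remote` block, `secret.externalSecret.source.credentials.path` and `secret.externalSecret.destination.credentials.path` are both `/garage/home-infra/karakeep-assets`, so the job holds one key for both ends even though the new schema lets them differ. If that key can write to the source bucket, a compromised CronJob pod reaches the live data as well as the copy; a source entry such as `path: <read-only-key-path>` (placeholder) would narrow that. The removed ExternalSecret had the same shape, so this is carried over, but the move presumably also renders the Secret into the karakeep namespace, where anything with secret read access there can see it. The `rclone-ntfy-attachments-remote` and `rclone-web-assets-remote` blocks in patch 2/2 repeat the pattern.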
+++ b/clusters/cl01tl/helm/rclone/values.yaml @@ -1,83 +1,5 @@ rclone: controllers: - karakeep-assets: - type: cronjob - cronjob: - suspend: false - timeZone: America/Chicago - schedule: 10 0 * * * - backoffLimit: 3 - parallelism: 1 - containers: - sync: - image: - repository: rclone/rclone - tag: 1.73.5@sha256:1619a625f845e169c34b952cf40c483c0392965b821c5155cde8cbfd35254a96 - args: - - sync - - src:karakeep-assets - - dest:karakeep-assets - - --s3-no-check-bucket - - --verbose - env: - - name: RCLONE_S3_PROVIDER - value: Other - - name: RCLONE_CONFIG_SRC_TYPE - value: s3 - - name: RCLONE_CONFIG_SRC_PROVIDER - value: Other - - name: RCLONE_CONFIG_SRC_ENV_AUTH - value: false - - name: RCLONE_CONFIG_SRC_ACCESS_KEY_ID - valueFrom: - secretKeyRef: - name: garage-karakeep-secret - key: ACCESS_KEY_ID - - name: RCLONE_CONFIG_SRC_SECRET_ACCESS_KEY - valueFrom: - secretKeyRef: - name: garage-karakeep-secret - key: ACCESS_SECRET_KEY - - name: RCLONE_CONFIG_SRC_REGION - valueFrom: - secretKeyRef: - name: garage-karakeep-secret - key: ACCESS_REGION - - name: RCLONE_CONFIG_SRC_ENDPOINT - valueFrom: - secretKeyRef: - name: garage-karakeep-secret - key: SRC_ENDPOINT - - name: RCLONE_CONFIG_SRC_S3_FORCE_PATH_STYLE - value: true - - name: RCLONE_CONFIG_DEST_TYPE - value: s3 - - name: RCLONE_CONFIG_DEST_PROVIDER - value: Other - - name: RCLONE_CONFIG_DEST_ENV_AUTH - value: false - - name: RCLONE_CONFIG_DEST_ACCESS_KEY_ID - valueFrom: - secretKeyRef: - name: garage-karakeep-secret - key: ACCESS_KEY_ID - - name: RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY - valueFrom: - secretKeyRef: - name: garage-karakeep-secret - key: ACCESS_SECRET_KEY - - name: RCLONE_CONFIG_DEST_REGION - valueFrom: - secretKeyRef: - name: garage-karakeep-secret - key: ACCESS_REGION - - name: RCLONE_CONFIG_DEST_ENDPOINT - valueFrom: - secretKeyRef: - name: garage-karakeep-secret - key: DEST_ENDPOINT - - name: RCLONE_CONFIG_SRC_DEST_FORCE_PATH_STYLE - value: true talos-backups: type: cronjob cronjob: 
From 9ed15984067e3ca10c25e5040069b1e4378163ae Mon Sep 17 00:00:00 2001 From: Alex Lebens Date: Sun, 26 Apr 2026 13:55:14 -0500 Subject: [PATCH 2/2] feat: move rclone to chart and namespace --- clusters/cl01tl/helm/ntfy/Chart.yaml | 4 + clusters/cl01tl/helm/ntfy/values.yaml | 21 +++ clusters/cl01tl/helm/rclone/Chart.yaml | 5 + .../rclone/templates/external-secret.yaml | 70 ------- clusters/cl01tl/helm/rclone/values.yaml | 178 +++--------------- 5 files changed, 52 insertions(+), 226 deletions(-) diff --git a/clusters/cl01tl/helm/ntfy/Chart.yaml b/clusters/cl01tl/helm/ntfy/Chart.yaml index 46a0f33b5..feb05a0ec 100644 --- a/clusters/cl01tl/helm/ntfy/Chart.yaml +++ b/clusters/cl01tl/helm/ntfy/Chart.yaml @@ -21,6 +21,10 @@ dependencies: alias: postgres-18-cluster version: 7.12.1 repository: oci://harbor.alexlebens.net/helm-charts + - name: rclone-bucket + alias: rclone-ntfy-attachments-remote + repository: oci://harbor.alexlebens.net/helm-charts + version: 0.2.0 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/ntfy.png # renovate: datasource=github-releases depName=binwiederhier/ntfy appVersion: 2.22.0 diff --git a/clusters/cl01tl/helm/ntfy/values.yaml b/clusters/cl01tl/helm/ntfy/values.yaml index 78fa9d701..728937585 100644 --- a/clusters/cl01tl/helm/ntfy/values.yaml +++ b/clusters/cl01tl/helm/ntfy/values.yaml @@ -124,3 +124,24 @@ postgres-18-cluster: immediate: true schedule: "0 15 14 * * *" backupName: garage-local +rclone-ntfy-attachments-remote: + cronJob: + suspend: false + schedule: 50 0 * * * + rclone: + source: + bucketName: ntfy-attachments + destination: + bucketName: ntfy-attachments + secret: + externalSecret: + source: + credentials: + path: /garage/home-infra/ntfy-attachments + config: + path: /garage/config + destination: + credentials: + path: /garage/home-infra/ntfy-attachments + config: + path: /garage/config diff --git a/clusters/cl01tl/helm/rclone/Chart.yaml b/clusters/cl01tl/helm/rclone/Chart.yaml index a91f2cd32..5db5a9ef3 100644 
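Review bot: The added `cronJob:` block under `rclone-ntfy-attachments-remote` sets only `suspend` and `schedule`, while the controller it replaces in rclone/values.yaml also set `timeZone: America/Chicago`, `backoffLimit: 3` and `parallelism: 1`. Unless rclone-bucket 0.2.0 defaults these (not visible in this patch), `50 0 * * *` is evaluated in the cluster's default zone and the sync window shifts relative to the other backup jobs. If the chart exposes such a value, set the zone explicitly, and quote the expression as `schedule: "50 0 * * *"` to match the quoted `schedule: "0 15 14 * * *"` a few lines above. The karakeep and web-assets blocks have the same gap.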
--- a/clusters/cl01tl/helm/rclone/Chart.yaml +++ b/clusters/cl01tl/helm/rclone/Chart.yaml @@ -11,6 +11,7 @@ sources: - https://github.com/rclone/rclone - https://hub.docker.com/r/rclone/rclone - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template + - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/rclone-bucket maintainers: - name: alexlebens dependencies: @@ -18,6 +19,10 @@ dependencies: alias: rclone repository: https://bjw-s-labs.github.io/helm-charts/ version: 4.6.2 + - name: rclone-bucket + alias: rclone-web-assets-remote + repository: oci://harbor.alexlebens.net/helm-charts + version: 0.2.0 icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/rclone.png # renovate: datasource=github-releases depName=rclone/rclone appVersion: v1.73.5 diff --git a/clusters/cl01tl/helm/rclone/templates/external-secret.yaml b/clusters/cl01tl/helm/rclone/templates/external-secret.yaml index 80d6e4e75..0b1920d07 100644 --- a/clusters/cl01tl/helm/rclone/templates/external-secret.yaml +++ b/clusters/cl01tl/helm/rclone/templates/external-secret.yaml 
@@ -32,41 +32,6 @@ spec: key: /garage/config property: ENDPOINT_REMOTE ---- -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: garage-web-assets-secret - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: garage-web-assets-secret - {{- include "custom.labels" . | nindent 4 }} -spec: - secretStoreRef: - kind: ClusterSecretStore - name: openbao - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - key: /garage/home-infra/web-assets - property: ACCESS_KEY_ID - - secretKey: ACCESS_REGION - remoteRef: - key: /garage/home-infra/web-assets - property: ACCESS_REGION - - secretKey: ACCESS_SECRET_KEY - remoteRef: - key: /garage/home-infra/web-assets - property: ACCESS_SECRET_KEY - - secretKey: SRC_ENDPOINT - remoteRef: - key: /garage/config - property: ENDPOINT_LOCAL - - secretKey: DEST_ENDPOINT - remoteRef: - key: /garage/config - property: ENDPOINT_REMOTE - --- apiVersion: external-secrets.io/v1 kind: ExternalSecret @@ -102,41 +67,6 @@ spec: key: /garage/config property: ENDPOINT_REMOTE ---- -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: garage-ntfy-attachments-secret - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: garage-ntfy-attachments-secret - {{- include "custom.labels" . | nindent 4 }} -spec: - secretStoreRef: - kind: ClusterSecretStore - name: openbao - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - key: /garage/home-infra/ntfy-attachments - property: ACCESS_KEY_ID - - secretKey: ACCESS_REGION - remoteRef: - key: /garage/home-infra/ntfy-attachments - property: ACCESS_REGION - - secretKey: ACCESS_SECRET_KEY - remoteRef: - key: /garage/home-infra/ntfy-attachments - property: ACCESS_SECRET_KEY - - secretKey: SRC_ENDPOINT - remoteRef: - key: /garage/config - property: ENDPOINT_LOCAL - - secretKey: DEST_ENDPOINT - remoteRef: - key: /garage/config - property: ENDPOINT_REMOTE - --- apiVersion: external-secrets.io/v1 kind: ExternalSecret 
diff --git a/clusters/cl01tl/helm/rclone/values.yaml b/clusters/cl01tl/helm/rclone/values.yaml index 25ab51e21..060285c90 100644 --- a/clusters/cl01tl/helm/rclone/values.yaml +++ b/clusters/cl01tl/helm/rclone/values.yaml 
@@ -119,84 +119,7 @@ rclone: key: DEST_ENDPOINT - name: RCLONE_CONFIG_SRC_S3_FORCE_PATH_STYLE value: true - web-assets: - type: cronjob - cronjob: - suspend: false - timeZone: America/Chicago - schedule: 30 0 * * * - backoffLimit: 3 - parallelism: 1 - containers: - sync: - image: - repository: rclone/rclone - tag: 1.73.5@sha256:1619a625f845e169c34b952cf40c483c0392965b821c5155cde8cbfd35254a96 - args: - - sync - - src:web-assets - - dest:web-assets - - --s3-no-check-bucket - - --verbose - env: - - name: RCLONE_S3_PROVIDER - value: Other - - name: RCLONE_CONFIG_SRC_TYPE - value: s3 - - name: RCLONE_CONFIG_SRC_PROVIDER - value: Other - - name: RCLONE_CONFIG_SRC_ENV_AUTH - value: false - - name: RCLONE_CONFIG_SRC_ACCESS_KEY_ID - valueFrom: - secretKeyRef: - name: garage-web-assets-secret - key: ACCESS_KEY_ID - - name: RCLONE_CONFIG_SRC_SECRET_ACCESS_KEY - valueFrom: - secretKeyRef: - name: garage-web-assets-secret - key: ACCESS_SECRET_KEY - - name: RCLONE_CONFIG_SRC_REGION - valueFrom: - secretKeyRef: - name: garage-web-assets-secret - key: ACCESS_REGION - - name: RCLONE_CONFIG_SRC_ENDPOINT - valueFrom: - secretKeyRef: - name: garage-web-assets-secret - key: SRC_ENDPOINT - - name: RCLONE_CONFIG_SRC_S3_FORCE_PATH_STYLE - value: true - - name: RCLONE_CONFIG_DEST_TYPE - value: s3 - - name: RCLONE_CONFIG_DEST_PROVIDER - value: Other - - name: RCLONE_CONFIG_DEST_ENV_AUTH - value: false - - name: RCLONE_CONFIG_DEST_ACCESS_KEY_ID - valueFrom: - secretKeyRef: - name: garage-web-assets-secret - key: ACCESS_KEY_ID - - name: RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY - valueFrom: - secretKeyRef: - name: garage-web-assets-secret - key: ACCESS_SECRET_KEY - - name: RCLONE_CONFIG_DEST_REGION - valueFrom: - secretKeyRef: - name: garage-web-assets-secret - key: ACCESS_REGION - - name: RCLONE_CONFIG_DEST_ENDPOINT - valueFrom: - secretKeyRef: - name: garage-web-assets-secret - key: DEST_ENDPOINT - - name: RCLONE_CONFIG_DEST_S3_FORCE_PATH_STYLE - value: true + postgres-backups: type: cronjob 
cronjob: 
@@ -320,84 +243,6 @@ rclone: key: DEST_ENDPOINT - name: RCLONE_CONFIG_SRC_S3_FORCE_PATH_STYLE value: true - ntfy-attachments: - type: cronjob - cronjob: - suspend: false - timeZone: America/Chicago - schedule: 50 0 * * * - backoffLimit: 3 - parallelism: 1 - containers: - sync: - image: - repository: rclone/rclone - tag: 1.73.5@sha256:1619a625f845e169c34b952cf40c483c0392965b821c5155cde8cbfd35254a96 - args: - - sync - - src:ntfy-attachments - - dest:ntfy-attachments - - --s3-no-check-bucket - - --verbose - env: - - name: RCLONE_S3_PROVIDER - value: Other - - name: RCLONE_CONFIG_SRC_TYPE - value: s3 - - name: RCLONE_CONFIG_SRC_PROVIDER - value: Other - - name: RCLONE_CONFIG_SRC_ENV_AUTH - value: false - - name: RCLONE_CONFIG_SRC_ACCESS_KEY_ID - valueFrom: - secretKeyRef: - name: garage-ntfy-attachments-secret - key: ACCESS_KEY_ID - - name: RCLONE_CONFIG_SRC_SECRET_ACCESS_KEY - valueFrom: - secretKeyRef: - name: garage-ntfy-attachments-secret - key: ACCESS_SECRET_KEY - - name: RCLONE_CONFIG_SRC_REGION - valueFrom: - secretKeyRef: - name: garage-ntfy-attachments-secret - key: ACCESS_REGION - - name: RCLONE_CONFIG_SRC_ENDPOINT - valueFrom: - secretKeyRef: - name: garage-ntfy-attachments-secret - key: SRC_ENDPOINT - - name: RCLONE_CONFIG_SRC_S3_FORCE_PATH_STYLE - value: true - - name: RCLONE_CONFIG_DEST_TYPE - value: s3 - - name: RCLONE_CONFIG_DEST_PROVIDER - value: Other - - name: RCLONE_CONFIG_DEST_ENV_AUTH - value: false - - name: RCLONE_CONFIG_DEST_ACCESS_KEY_ID - valueFrom: - secretKeyRef: - name: garage-ntfy-attachments-secret - key: ACCESS_KEY_ID - - name: RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY - valueFrom: - secretKeyRef: - name: garage-ntfy-attachments-secret - key: ACCESS_SECRET_KEY - - name: RCLONE_CONFIG_DEST_REGION - valueFrom: - secretKeyRef: - name: garage-ntfy-attachments-secret - key: ACCESS_REGION - - name: RCLONE_CONFIG_DEST_ENDPOINT - valueFrom: - secretKeyRef: - name: garage-ntfy-attachments-secret - key: DEST_ENDPOINT - - name: 
RCLONE_CONFIG_SRC_DEST_FORCE_PATH_STYLE - value: true openbao-backups-remote: type: cronjob cronjob: @@ -630,3 +475,24 @@ rclone: value: https://nyc3.digitaloceanspaces.com - name: RCLONE_CONFIG_DEST_S3_FORCE_PATH_STYLE value: true +rclone-web-assets-remote: + cronJob: + suspend: false + schedule: 30 0 * * * + rclone: + source: + bucketName: web-assets + destination: + bucketName: web-assets + secret: + externalSecret: + source: + credentials: + path: /garage/home-infra/web-assets + config: + path: /garage/config + destination: + credentials: + path: /garage/home-infra/web-assets + config: + path: /garage/config