diff --git a/clusters/cl01tl/helm/matrix-synapse/values.yaml b/clusters/cl01tl/helm/matrix-synapse/values.yaml index efbc66d95..3b0b4cc27 100644 --- a/clusters/cl01tl/helm/matrix-synapse/values.yaml +++ b/clusters/cl01tl/helm/matrix-synapse/values.yaml @@ -463,6 +463,9 @@ volsync-target-discord: schedule: 40 10 * * * volsync-target-whatsapp: pvcTarget: mautrix-whatsapp + moverSecurityContext: + runAsUser: 1337 + runAsGroup: 1337 local: enabled: true schedule: 42 8 * * * diff --git a/clusters/cl01tl/helm/tailscale-operator/Chart.yaml b/clusters/cl01tl/helm/tailscale-operator/Chart.yaml index 816fb875e..f4865b96a 100644 --- a/clusters/cl01tl/helm/tailscale-operator/Chart.yaml +++ b/clusters/cl01tl/helm/tailscale-operator/Chart.yaml @@ -4,14 +4,14 @@ version: 1.0.0 description: Tailscale Operator keywords: - tailscale-operator - - tailscale - wireguard - - vpn - - kubernetes -home: https://wiki.alexlebens.dev/s/673177ef-e91b-43ad-9b80-d5037ec77852 + - operator +home: https://docs.alexlebens.dev/applications/tailscale-operator/ sources: - https://github.com/tailscale/tailscale + - https://hub.docker.com/r/tailscale/tailscale - https://hub.docker.com/r/tailscale/k8s-operator + - https://hub.docker.com/r/tailscale/k8s-nameserver - https://github.com/tailscale/tailscale/tree/main/cmd/k8s-operator/deploy/chart maintainers: - name: alexlebens @@ -20,5 +20,5 @@ dependencies: version: 1.94.2 repository: https://pkgs.tailscale.com/helmcharts icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/tailscale-light.png -# renovate: datasource=github-releases depName=tailscale/tailscale -appVersion: v1.96.4 +# renovate: datasource=docker depName=tailscale/tailscale +appVersion: v1.94.2 diff --git a/clusters/cl01tl/helm/tailscale-operator/templates/external-secrets.yaml b/clusters/cl01tl/helm/tailscale-operator/templates/external-secrets.yaml index 21beff15b..67c070a66 100644 --- a/clusters/cl01tl/helm/tailscale-operator/templates/external-secrets.yaml 
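Review bot: The new `moverSecurityContext` pins the VolSync mover to uid/gid `1337` without saying why, and that number is what decides whether the mover can read the `mautrix-whatsapp` PVC at all. Add a one-line comment above it such as `# run the mover as the uid/gid the mautrix-whatsapp pod writes the PVC with — TODO confirm against that deployment's securityContext`. If other bridge targets in this file (the `volsync-target-discord` stanza above is context here, its body is outside the hunk) write their PVCs as a non-root user too, they presumably need the same override, otherwise a future restore may run as a different user than the one that produced the data.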
+++ b/clusters/cl01tl/helm/tailscale-operator/templates/external-secrets.yaml @@ -14,15 +14,9 @@ spec: data: - secretKey: client_id remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /tailscale/k8s-operator - metadataPolicy: None property: clientId - secretKey: client_secret remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /tailscale/k8s-operator - metadataPolicy: None property: clientSecret diff --git a/clusters/cl01tl/helm/tailscale-operator/values.yaml b/clusters/cl01tl/helm/tailscale-operator/values.yaml index 38589d835..ce4f12a72 100644 --- a/clusters/cl01tl/helm/tailscale-operator/values.yaml +++ b/clusters/cl01tl/helm/tailscale-operator/values.yaml @@ -1,21 +1,18 @@ tailscale-operator: - oauth: {} installCRDs: true operatorConfig: defaultTags: - "tag:k8s-operator" - logging: info + image: + repository: tailscale/k8s-operator + tag: v1.94.2 + digest: sha256:7956bd50dca9dc804b98720df94d112b54af85449ed0bf8cc7fad0346b225067 hostname: tailscale-operator-cl01tl - nodeSelector: - kubernetes.io/os: linux - operatorConfig: - securityContext: - capabilities: - add: - - NET_ADMIN + ingressClass: + name: tailscale proxyConfig: - defaultTags: "tag:k8s" - firewallMode: auto - defaultProxyClass: "no-metrics" - apiServerProxyConfig: - mode: "false" + image: + repository: tailscale/tailscale + tag: v1.94.2 + digest: sha256:95e528798bebe75f39b10e74e7051cf51188ee615934f232ba7ad06a3390ffa1 + defaultProxyClass: no-metrics diff --git a/clusters/cl01tl/helm/talos/Chart.yaml b/clusters/cl01tl/helm/talos/Chart.yaml index 597e69892..cd03d7e3f 100644 --- a/clusters/cl01tl/helm/talos/Chart.yaml +++ b/clusters/cl01tl/helm/talos/Chart.yaml 
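Review bot: Removing `apiServerProxyConfig: mode: "false"` leaves the API-server proxy at whatever the chart defaults to; as far as I recall that default is also `"false"`, but this is the setting that would expose the Kubernetes API on the tailnet, so I would keep it explicit: `apiServerProxyConfig:` / `  mode: "false"`. The operator version now lives in four places — the dependency `version: 1.94.2` and `appVersion` in Chart.yaml plus the two `tag: v1.94.2` pins here — each bumped by a different path (renovate's docker datasource for appVersion, helm-values detection here, which may not follow a separate `digest:` key), so a comment next to each image block naming the source of truth, or a renovate annotation, would keep them from drifting. Pinning `digest:` next to `tag:` is the right direction provided the pinned chart version prefers the digest when both are set; worth confirming. The removed `NET_ADMIN` capability block appears to have sat under a second, nested `operatorConfig:` key, so it probably never applied; confirm the operator pod still starts without it.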
@@ -4,12 +4,16 @@ version: 1.0.0 description: Talos keywords: - talos - - etcd - - kubernetes -home: https://wiki.alexlebens.dev/s/c5ead573-34b6-442b-a286-7819e6e71f78 + - operating-system + - job +home: https://docs.alexlebens.dev/applications/talos/ sources: + - https://github.com/siderolabs/talos - https://github.com/siderolabs/talos-backup + - https://github.com/Angatar/s3cmd + - https://github.com/siderolabs/talos/pkgs/container/talosctl - https://github.com/siderolabs/talos-backup/pkgs/container/talos-backup + - https://hub.docker.com/r/d3fk/s3cmd - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template maintainers: - name: alexlebens @@ -22,6 +26,6 @@ dependencies: alias: etcd-defrag repository: https://bjw-s-labs.github.io/helm-charts/ version: 4.6.2 -icon: https://avatars.githubusercontent.com/u/13804887?s=200&v=4 +icon: https://raw.githubusercontent.com/siderolabs/docs/3989ed11f0622252d7cee03b3ba3a3052be242d7/public/images/talos.svg # renovate: datasource=github-releases depName=siderolabs/talos-backup -appVersion: v0.1.0-beta.3 +appVersion: v0.1.0-beta.3-7-ge8e193c diff --git a/clusters/cl01tl/helm/talos/templates/config.yaml b/clusters/cl01tl/helm/talos/templates/config.yaml index 51bc857df..04d790dea 100644 --- a/clusters/cl01tl/helm/talos/templates/config.yaml +++ b/clusters/cl01tl/helm/talos/templates/config.yaml 
@@ -12,91 +12,138 @@ data: DATE_RANGE=$(date -d @$(( $(date +%s) - $DATE_RANGE_SECONDS )) +%Y-%m-%dT%H:%M:%SZ); FILE_MATCH="${BUCKET}/cl01tl/etcd/cl01tl-${DATE_RANGE}.snap.age"; ERROR=false; + MESSAGE=""; - echo " "; + echo ""; echo ">> Running S3 prune for Talos backup repository ${TARGET} ..."; - echo " "; + echo ""; echo ">> Configured Date Range is $(date -u -d @${DATE_RANGE_SECONDS} +"%j days, %H hours, %M minutes")"; echo ">> Backups prior to '$DATE_RANGE' will be removed"; + echo ""; + FILES=$(s3cmd ls --no-check-certificate ${BUCKET}/cl01tl/etcd/ | awk -v file_match="$FILE_MATCH" '$4 < file_match {print $4}'); if [ $? -ne 0 ]; then - ERROR=true; - echo " "; + echo ""; echo ">> Detected error, will send message to ntfy"; + + ERROR=true; + MESSAGE="Error collecting files to delete from '${TARGET}'"; + elif [ -n "${FILES}" ]; then - echo " "; + echo ""; echo ">> Backups to be removed:"; - echo "$FILES" - echo " "; + echo ""; + echo "$FILES"; + echo ""; echo ">> Deleting ..."; - $FILES | while read file; do - s3cmd del --no-check-certificate -v "$file"; + + for file in $FILES; do + s3cmd del --no-check-certificate -v "${file}"; + if [ $? 
-ne 0 ]; then - ERROR=true; echo ">> Detected error, will send message to ntfy"; + + ERROR=true; + MESSAGE="Error deleting file from '${TARGET}'"; + fi; done; + else - echo " "; + echo ""; echo ">> No backups to remove"; + + exit 0; + fi; - if [ "$ERROR" = "true" ]; then + MAX_RETRIES=5; + SUCCESS=false; - MAX_RETRIES=5; - SUCCESS=false; + echo ""; + echo ">> Sending message to ntfy using curl ..."; - echo " "; - echo ">> Sending message to ntfy using curl ..."; + echo ""; + echo ">> Verifying required commands ..."; - echo " "; - echo ">> Verifying required commands ..."; + for i in $(seq 1 "$MAX_RETRIES"); do + if apk update >/dev/null 2>&1; then + echo ">> Attempt $i: Repositories are reachable"; - for i in $(seq 1 "$MAX_RETRIES"); do - if apk update 2>&1 >/dev/null; then - echo ">> Attempt $i: Repositories are reachable"; - SUCCESS=true; - break; - else - echo ">> Attempt $i: Connection failed, retrying in 5 seconds ..."; - sleep 5; - fi; - done; + SUCCESS=true; - if [ "$SUCCESS" = false ]; then - echo ">> ERROR: Could not connect to apk repositories after $MAX_RETRIES attempts, exiting ..."; - exit 1; - fi + break; + + else + echo ">> Attempt $i: Connection failed, retrying in 5 seconds ..."; + + sleep 5; - if ! command -v curl 2>&1 >/dev/null; then - echo ">> Command curl could not be found, installing"; - apk add --no-cache -q curl; - if [ $? -eq 0 ]; then - echo ">> Installation successful"; - else - echo ">> Installation failed with exit code $?"; - exit 1; - fi; fi; + done; - echo " "; - echo ">> Sending to NTFY ..."; + if [ "$SUCCESS" = false ]; then + echo ">> ERROR: Could not connect to apk repositories after $MAX_RETRIES attempts, exiting ..."; + + exit 1; + + fi + + if ! command -v curl >/dev/null 2>&1; then + echo ">> Command curl could not be found, installing"; + + apk add --no-cache -q curl; + + if [ $? 
-eq 0 ]; then + echo ">> Installation successful"; + + else + echo ">> Installation failed with exit code $?"; + + exit 1; + + fi; + fi; + + echo ""; + echo ">> Sending to NTFY ..."; + + if [ "$ERROR" = "true" ]; then HTTP_STATUS=$(curl \ --silent \ --write-out '%{http_code}' \ -H "Authorization: Bearer ${NTFY_TOKEN}" \ -H "X-Priority: 5" \ -H "X-Tags: warning" \ - -H "X-Title: Talos Backup Failed for ${TARGET}" \ + -H "X-Title: Talos Backup Prune Failed for ${TARGET}" \ -d "$MESSAGE" \ ${NTFY_ENDPOINT}/${NTFY_TOPIC} ); + + echo ">> HTTP Status Code: $HTTP_STATUS"; + + exit 1; + + else + MESSAGE="Pruned $(echo "$FILES" | wc -l) files" + + HTTP_STATUS=$(curl \ + --silent \ + --write-out '%{http_code}' \ + -H "Authorization: Bearer ${NTFY_TOKEN}" \ + -H "X-Priority: 5" \ + -H "X-Tags: warning" \ + -H "X-Title: Talos Backup Prune Success for ${TARGET}" \ + -d "$MESSAGE" \ + ${NTFY_ENDPOINT}/${NTFY_TOPIC} + ); + echo ">> HTTP Status Code: $HTTP_STATUS"; fi; - echo " "; + echo ""; echo ">> Completed S3 prune for Talos backup repository ${TARGET}"; diff --git a/clusters/cl01tl/helm/talos/templates/external-secret.yaml b/clusters/cl01tl/helm/talos/templates/external-secret.yaml index 26d138d64..b625b664c 100644 --- a/clusters/cl01tl/helm/talos/templates/external-secret.yaml +++ b/clusters/cl01tl/helm/talos/templates/external-secret.yaml 
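Review bot: The listing error branch still tests the wrong status: `FILES=$(s3cmd ls … | awk …)` followed by the unchanged `if [ $? -ne 0 ]` sees awk's exit code, so a failing `s3cmd ls` (bad credentials, unreachable endpoint) yields an empty `$FILES`, falls into the new `else` branch and exits 0 as "No backups to remove" — a listing failure is reported as success and no ntfy message is sent. Capture the listing first, `LISTING=$(s3cmd ls --no-check-certificate ${BUCKET}/cl01tl/etcd/); LS_STATUS=$?;`, then `FILES=$(echo "$LISTING" | awk -v file_match="$FILE_MATCH" '$4 < file_match {print $4}');` and test `if [ "$LS_STATUS" -ne 0 ]; then`. The new success notification reuses `X-Priority: 5` and `X-Tags: warning`, so a routine prune looks identical to a failure in ntfy; a lower priority and a different tag on the success path keep the alert meaningful. `MESSAGE="Pruned $(echo "$FILES" | wc -l) files"` is the only statement without a trailing `;`, and `echo ">> Installation failed with exit code $?"` prints the status of the preceding `[` test rather than of `apk add`. The script begins before this hunk, and installing curl with `apk add` at run time makes every run depend on reachable package repositories and on whatever those repositories currently serve, independent of the image digest pinned in values.yaml.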
@@ -14,38 +14,23 @@ spec: data: - secretKey: AWS_ACCESS_KEY_ID remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/home-infra/talos-backups - metadataPolicy: None property: ACCESS_KEY_ID - secretKey: AWS_SECRET_ACCESS_KEY remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/home-infra/talos-backups - metadataPolicy: None property: ACCESS_SECRET_KEY - secretKey: .s3cfg remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/home-infra/talos-backups - metadataPolicy: None property: s3cfg-local - secretKey: BUCKET remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/home-infra/talos-backups - metadataPolicy: None property: BUCKET - secretKey: AGE_X25519_PUBLIC_KEY remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /cl01tl/talos/etcd-backup - metadataPolicy: None property: AGE_X25519_PUBLIC_KEY --- @@ -65,38 +50,23 @@ spec: data: - secretKey: AWS_ACCESS_KEY_ID remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/home-infra/talos-backups - metadataPolicy: None property: ACCESS_KEY_ID - secretKey: AWS_SECRET_ACCESS_KEY remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/home-infra/talos-backups - metadataPolicy: None property: ACCESS_SECRET_KEY - secretKey: .s3cfg remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/home-infra/talos-backups - metadataPolicy: None property: s3cfg-remote - secretKey: BUCKET remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/home-infra/talos-backups - metadataPolicy: None property: BUCKET - secretKey: AGE_X25519_PUBLIC_KEY remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /cl01tl/talos/etcd-backup - metadataPolicy: None property: AGE_X25519_PUBLIC_KEY --- 
@@ -116,38 +86,23 @@ spec: data: - secretKey: AWS_ACCESS_KEY_ID remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /digital-ocean/home-infra/etcd-backup - metadataPolicy: None property: AWS_ACCESS_KEY_ID - secretKey: AWS_SECRET_ACCESS_KEY remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /digital-ocean/home-infra/etcd-backup - metadataPolicy: None property: AWS_SECRET_ACCESS_KEY - secretKey: .s3cfg remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /digital-ocean/home-infra/etcd-backup - metadataPolicy: None property: s3cfg - secretKey: BUCKET remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /digital-ocean/home-infra/etcd-backup - metadataPolicy: None property: BUCKET - secretKey: AGE_X25519_PUBLIC_KEY remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /cl01tl/talos/etcd-backup - metadataPolicy: None property: AGE_X25519_PUBLIC_KEY --- @@ -167,24 +122,15 @@ spec: data: - secretKey: NTFY_TOKEN remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /ntfy/user/cl01tl - metadataPolicy: None property: token - secretKey: NTFY_ENDPOINT remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /ntfy/user/cl01tl - metadataPolicy: None property: endpoint - secretKey: NTFY_TOPIC remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /cl01tl/talos/etcd-backup - metadataPolicy: None property: NTFY_TOPIC --- @@ -204,8 +150,5 @@ spec: data: - secretKey: config remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /cl01tl/talos/etcd-defrag - metadataPolicy: None property: config diff --git a/clusters/cl01tl/helm/talos/values.yaml b/clusters/cl01tl/helm/talos/values.yaml index 1d2cebe20..e0c1a7d70 100644 --- a/clusters/cl01tl/helm/talos/values.yaml +++ b/clusters/cl01tl/helm/talos/values.yaml 
@@ -11,20 +11,15 @@ etcd-backup: effect: NoSchedule cronjob: suspend: false - concurrencyPolicy: Forbid - timeZone: US/Central - schedule: "0 2 * * *" - startingDeadlineSeconds: 90 - successfulJobsHistory: 1 - failedJobsHistory: 1 + timeZone: America/Chicago + schedule: 0 2 * * * backoffLimit: 3 parallelism: 1 containers: backup: image: repository: ghcr.io/siderolabs/talos-backup - tag: v0.1.0-beta.3@sha256:05c86663b251a407551dc948097e32e163a345818117eb52c573b0447bd0c7a7 - pullPolicy: IfNotPresent + tag: v0.1.0-beta.3-7-ge8e193c@sha256:d6f98bf2817bb0bd46be49e41251e24d713945a6af6e893529cc17d524187953 command: - /talos-backup workingDir: /tmp @@ -69,8 +64,7 @@ etcd-backup: s3-prune: image: repository: d3fk/s3cmd - tag: latest@sha256:e3965f8205dfb96fb00e66cee54a0d171f1829a3cc6a1bbb980ab076730e54be - pullPolicy: IfNotPresent + tag: latest@sha256:d66cc5677b30b31a7981f9fde0af064a9072e8b8a57d5e9b4cc02f44f02acbf2 command: - /bin/sh args: @@ -96,21 +90,16 @@ etcd-backup: operator: Exists effect: NoSchedule cronjob: - suspend: true - concurrencyPolicy: Forbid - timeZone: US/Central - schedule: "0 3 * * *" - startingDeadlineSeconds: 90 - successfulJobsHistory: 1 - failedJobsHistory: 1 + suspend: false + timeZone: America/Chicago + schedule: 0 3 * * * backoffLimit: 3 parallelism: 1 containers: backup: image: repository: ghcr.io/siderolabs/talos-backup - tag: v0.1.0-beta.3@sha256:05c86663b251a407551dc948097e32e163a345818117eb52c573b0447bd0c7a7 - pullPolicy: IfNotPresent + tag: v0.1.0-beta.3-7-ge8e193c@sha256:d6f98bf2817bb0bd46be49e41251e24d713945a6af6e893529cc17d524187953 command: - /talos-backup workingDir: /tmp @@ -155,8 +144,7 @@ etcd-backup: s3-prune: image: repository: d3fk/s3cmd - tag: latest@sha256:e3965f8205dfb96fb00e66cee54a0d171f1829a3cc6a1bbb980ab076730e54be - pullPolicy: IfNotPresent + tag: latest@sha256:d66cc5677b30b31a7981f9fde0af064a9072e8b8a57d5e9b4cc02f44f02acbf2 command: - /bin/sh args: 
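Review bot: Dropping `concurrencyPolicy: Forbid`, `startingDeadlineSeconds: 90` and the job-history counts from this `cronjob:` stanza (and from the other etcd-backup and etcd-defrag stanzas later in this file) makes those settings depend on app-template's defaults instead of stating them; as far as I recall the chart defaults to `Forbid` and history `1`, but its default `startingDeadlineSeconds` is lower than the 90 s removed here, so a late-starting backup may now be skipped — verify against the chart version pinned in Chart.yaml. For an etcd snapshot job I would keep at least `concurrencyPolicy: Forbid` explicit so two runs can never write the same snapshot concurrently. The second etcd-backup stanza flips `suspend: true` to `suspend: false`, which enables a job that was previously parked; if that is intended the commit message should say so. The new unquoted `schedule: 0 2 * * *` is valid YAML, but the etcd-defrag stanzas keep theirs quoted (`"0 0 * * 0"`), so pick one form for the file.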
@@ -183,20 +171,15 @@ etcd-backup: effect: NoSchedule cronjob: suspend: false - concurrencyPolicy: Forbid - timeZone: US/Central - schedule: "0 4 * * *" - startingDeadlineSeconds: 90 - successfulJobsHistory: 1 - failedJobsHistory: 1 + timeZone: America/Chicago + schedule: 0 4 * * * backoffLimit: 3 parallelism: 1 containers: backup: image: repository: ghcr.io/siderolabs/talos-backup - tag: v0.1.0-beta.3-5-g07d09ec@sha256:96054af026b6255ec14d198f2f10ad6c813b335a2e21a76804365c053dd4ba7b - pullPolicy: IfNotPresent + tag: v0.1.0-beta.3-7-ge8e193c@sha256:d6f98bf2817bb0bd46be49e41251e24d713945a6af6e893529cc17d524187953 command: - /talos-backup workingDir: /tmp @@ -241,8 +224,7 @@ etcd-backup: s3-prune: image: repository: d3fk/s3cmd - tag: latest@sha256:e3965f8205dfb96fb00e66cee54a0d171f1829a3cc6a1bbb980ab076730e54be - pullPolicy: IfNotPresent + tag: latest@sha256:d66cc5677b30b31a7981f9fde0af064a9072e8b8a57d5e9b4cc02f44f02acbf2 command: - /bin/sh args: @@ -393,20 +375,15 @@ etcd-defrag: effect: NoSchedule cronjob: suspend: false - concurrencyPolicy: Forbid - timeZone: US/Central + timeZone: America/Chicago schedule: "0 0 * * 0" - startingDeadlineSeconds: 90 - successfulJobsHistory: 1 - failedJobsHistory: 1 backoffLimit: 3 parallelism: 1 containers: main: image: repository: ghcr.io/siderolabs/talosctl - tag: v1.12.6 - pullPolicy: IfNotPresent + tag: v1.12.6@sha256:a027cf02cf74a75eee83ccffa201f3a9455d77e795d092b87cae5e637f143e54 args: - etcd - defrag @@ -426,20 +403,15 @@ etcd-defrag: effect: NoSchedule cronjob: suspend: false - concurrencyPolicy: Forbid - timeZone: US/Central + timeZone: America/Chicago schedule: "10 0 * * 0" - startingDeadlineSeconds: 90 - successfulJobsHistory: 1 - failedJobsHistory: 1 backoffLimit: 3 parallelism: 1 containers: main: image: repository: ghcr.io/siderolabs/talosctl - tag: v1.12.6 - pullPolicy: IfNotPresent + tag: v1.12.6@sha256:a027cf02cf74a75eee83ccffa201f3a9455d77e795d092b87cae5e637f143e54 args: - etcd - defrag 
@@ -459,20 +431,15 @@ etcd-defrag: effect: NoSchedule cronjob: suspend: false - concurrencyPolicy: Forbid - timeZone: US/Central + timeZone: America/Chicago schedule: "20 0 * * 0" - startingDeadlineSeconds: 90 - successfulJobsHistory: 1 - failedJobsHistory: 1 backoffLimit: 3 parallelism: 1 containers: main: image: repository: ghcr.io/siderolabs/talosctl - tag: v1.12.6 - pullPolicy: IfNotPresent + tag: v1.12.6@sha256:a027cf02cf74a75eee83ccffa201f3a9455d77e795d092b87cae5e637f143e54 args: - etcd - defrag diff --git a/clusters/cl01tl/helm/vault/values.yaml b/clusters/cl01tl/helm/vault/values.yaml index 71540be0a..cacff5926 100644 --- a/clusters/cl01tl/helm/vault/values.yaml +++ b/clusters/cl01tl/helm/vault/values.yaml @@ -188,7 +188,6 @@ snapshot: image: repository: d3fk/s3cmd tag: latest@sha256:e3965f8205dfb96fb00e66cee54a0d171f1829a3cc6a1bbb980ab076730e54be - pullPolicy: IfNotPresent command: - /bin/sh args: @@ -209,7 +208,6 @@ snapshot: image: repository: d3fk/s3cmd tag: latest@sha256:e3965f8205dfb96fb00e66cee54a0d171f1829a3cc6a1bbb980ab076730e54be - pullPolicy: IfNotPresent command: - /bin/sh args: @@ -230,7 +228,6 @@ snapshot: image: repository: d3fk/s3cmd tag: latest@sha256:e3965f8205dfb96fb00e66cee54a0d171f1829a3cc6a1bbb980ab076730e54be - pullPolicy: IfNotPresent command: - /bin/sh args: diff --git a/renovate.json b/renovate.json index 60c8ebf97..e8b91a606 100644 --- a/renovate.json +++ b/renovate.json @@ -123,7 +123,8 @@ ], "matchPackageNames": [ "excalidraw/excalidraw", - "searxng/searxng" + "searxng/searxng", + "d3fk/s3cmd" ], "addLabels": [ "automerge"
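Review bot: Adding `"d3fk/s3cmd"` to this automerge `matchPackageNames` list means digest bumps for an image pinned as `latest@sha256:…` — the one the talos and vault snapshot jobs run with S3 credentials — merge without a human look, and because the tag is `latest` every upstream push becomes a new digest that is automatically accepted; the effective review of that supply chain is then the automerge itself. Consider leaving it out of this rule, or adding it only once a versioned tag is pinned. This commit also moves the talos jobs to a new s3cmd digest while the vault snapshot jobs keep the old one, so the two will diverge until renovate reconciles them. The enclosing packageRule (its other match fields) starts outside the hunk.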