small-hack · jessebot · May 15, 2024 · Apr 10, 2024 · Apr 10, 2024 · Apr 10, 2024
diff --git a/.../app_of_apps/external_secrets_appset.yaml → ..._apps/external_secrets_argocd_appset.yaml b/.../app_of_apps/external_secrets_appset.yaml → ..._apps/external_secrets_argocd_appset.yaml
diff --git a/demo/argo-workflows/app-of-apps/external_secret_appset.yaml b/demo/argo-workflows/app-of-apps/external_secret_appset.yaml
@@ -0,0 +1,3 @@
+.restic.env
+.restic-env
+.home-assistant-restic-password
@@ -0,0 +1,10 @@
+# this contains both the s3 endpoint (this example uses b2, but you can use any s3 compliant endpoint) AND the s3 bucket
+export RESTIC_REPOSITORY="s3:s3.eu-central-003.backblazeb2.com/my-home-assistant-bucket"
+
+# Create this file, with a single line with your restic repo password. Make sure it's `chmod`ed to 600 and has only your user as the owner
+export RESTIC_PASSWORD_FILE=./.home-assistant-restic-password
+
+export AWS_ACCESS_KEY_ID="access key id goes here"
+export AWS_SECRET_ACCESS_KEY="secret key goes here"
+
+# after sourcing this file, you can do the following to test: restic snapshots
@@ -0,0 +1,52 @@
+This app is already backed up on a schedule, however, you can also trigger a manual backup through the TUI.
+
+We've included an example `.sample-restic-env` that you can use to get started filling out the correct info for exporting your environment variables.
+
+```bash
+# copy the sample file, and then use vi, vim, nvim, or nano to edit
+# the file with your s3 credentials and restic password command
+cp .sample-restic-env .restic-env
+```
+
+You can also check your backups with
+
+```bash
+source .restic-env
+restic snapshots
+```
+
+We've also included a very basic restore job you can run in this directory to get started. Below are the values that you must change before you can run this restore job:
+
+This must be changed to YOUR S3 endpoint and home assistant backup bucket:
+```yaml
+value: s3:my.s3.endpoint/my-home-assistant-bucket
+```
+
+Replace the word TIMESTAMP with an actual timestamp:
+```yaml
+name: home-assistant-restic-restore-TIMESTAMP
+```
+
+Replace the snapshot ID "latest" with the ID of the snapshot you actually want to use:
+```yaml
+ - name: SNAPSHOT_ID
+   value: latest
+```
+
+If you're NOT using affinity and tolerations remove these two sections, otherwise, change the keys, values, operators, and effect to match your own needs:
+```yaml
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: home-assistant
+                operator: In
+                values:
+                - true
+      tolerations:
+        - effect: NoSchedule
+          key: home-assistant
+          operator: Equal
+          value: true
+```
@@ -0,0 +1,67 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: home-assistant-restic-restore-TIMESTAMP
+spec:
+  template:
+    metadata:
+      name: restic-restore-job
+    spec:
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: home-assistant
+                operator: In
+                values:
+                - true
+      tolerations:
+        - effect: NoSchedule
+          key: home-assistant
+          operator: Equal
+          value: true
+      volumes:
+        - name: restic-repo-password
+          secret:
+            secretName: s3-backups-credentials
+        - name: home-assistant
+          persistentVolumeClaim:
+            claimName: home-assistant
+      containers:
+        - name: restic-restore
+          image: instrumentisto/restic:latest
+          # runs: restic restore $SNAPSHOT_ID:/data/pvc-name --target config/
+          command:
+            - restic
+            - restore
+            - $SNAPSHOT_ID:/data/$PVC
+            - --target
+            - /config
+          volumeMounts:
+            - name: restic-repo-password
+              readOnly: true
+              mountPath: "/secrets/"
+            - name: home-assistant
+              mountPath: /config
+          env:
+            - name: SNAPSHOT_ID
+              value: latest
+            - name: PVC
+              value: home-assistant
+            - name: RESTIC_REPOSITORY
+              value: s3:my.s3.endpoint/my-home-assistant-bucket
+            - name: RESTIC_PASSWORD_FILE
+              value: "/secrets/resticRepoPassword"
+            - name: AWS_ACCESS_KEY_ID
+              valueFrom:
+                secretKeyRef:
+                  key: accessKeyID
+                  name: s3-backups-credentials
+            - name: AWS_SECRET_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  key: secretAccessKey
+                  name: s3-backups-credentials
+      restartPolicy: Never
@@ -0,0 +1,48 @@
+{{- if eq .Values.provider "bitwarden" }}
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: s3-backups-credentials
+  namespace: home-assistant
+spec:
+  target:
+    name: s3-backups-credentials
+    deletionPolicy: Delete
+    template:
+      type: Opaque
+      data:
+        accessKeyID: |-
+          {{ `{{ .accessKey }}` }}
+        secretAccessKey: |-
+          {{ `{{ .secretKey }}` }}
+        resticRepoPassword: |-
+          {{ `{{ .resticRepoPass }}` }}
+  data:
+    - secretKey: accessKey
+      sourceRef:
+        storeRef:
+          name: bitwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: {{ .Values.s3BackupCredentialsBitwardenID }}
+        property: username
+
+    - secretKey: secretKey
+      sourceRef:
+        storeRef:
+          name: bitwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: {{ .Values.s3BackupCredentialsBitwardenID }}
+        property: password
+
+    - secretKey: resticRepoPass
+      sourceRef:
+        storeRef:
+          name: bitwarden-fields
+          kind: ClusterSecretStore
+      remoteRef:
+        key: {{ .Values.s3BackupCredentialsBitwardenID }}
+        property: resticRepoPassword
+{{- end }}
@@ -4,3 +4,6 @@ provider: "true"
 
 # the item ID of the Bitwarden admin credentials
 bitwardenAdminCredentialsID: ""
+
+# -- existing kubernetes secret with s3 credentials for the remote backups
+s3BackupCredentialsBitwardenID: ""
@@ -0,0 +1,24 @@
+apiVersion: v2
+name: home-assistance-persistence-chart
+description: A Helm chart for deploying a home assistant pvc on Kubernetes including backups using k8up
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 1.0.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.0.0"
@@ -0,0 +1,29 @@
+# home-assistance-persistence-chart
+
+![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square)
+
+A Helm chart for deploying a home assistant pvc on Kubernetes including backups using k8up
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| k8up | object | `{"backup_name":"home-assistant-nightly","backup_type":"s3","local":{"mountPath":""},"podSecurityContext":{"runAsUser":0},"prometheus_url":"","repoPasswordSecretRef":{"key":"","name":""},"s3":{"accessKeyIDSecretRef":{"key":"","name":"","optional":false},"bucket":"","endpoint":"","secretAccessKeySecretRef":{"key":"","name":"","optional":false}},"schedules":{"backup":"","check":"","prune":""}}` | for enabling backups to a remote s3 provider or local disk backup |
+| k8up.backup_type | string | `"s3"` | can be set to 's3' or 'local' |
+| k8up.podSecurityContext | object | `{"runAsUser":0}` | user to run the backups as |
+| k8up.prometheus_url | string | `""` | url to push to for prometheus gateway |
+| k8up.repoPasswordSecretRef | object | `{"key":"","name":""}` | secret for your restic repo |
+| k8up.repoPasswordSecretRef.key | string | `""` | key in secret to use for repo password |
+| k8up.repoPasswordSecretRef.name | string | `""` | name of the secret to use |
+| k8up.s3.accessKeyIDSecretRef.key | string | `""` | key in the secret to use for access key id |
+| k8up.s3.accessKeyIDSecretRef.name | string | `""` | name of the secret to use |
+| k8up.s3.bucket | string | `""` | s3 bucket to backup to |
+| k8up.s3.endpoint | string | `""` | s3 endpoint to backup to |
+| k8up.s3.secretAccessKeySecretRef.key | string | `""` | key in the secret to use for secret access key |
+| k8up.s3.secretAccessKeySecretRef.name | string | `""` | name of the secret to use |
+| k8up.schedules | object | `{"backup":"","check":"","prune":""}` | schedules for backups, checks, and prunes |
+| pvc_capacity | string | `"10Gi"` |  |
+| pvc_storageClassName | string | `"local-path"` |  |
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1)
@@ -5,9 +5,12 @@ kind: PersistentVolumeClaim
 metadata:
   namespace: home-assistant
   name: home-assistant
+  annotations:
+    k8up.io/backup: 'true'
 spec:
+  storageClassName: {{ .Values.pvc_storageClassName }}
   accessModes:
     - ReadWriteOnce
   resources:
     requests:
-      storage: 15Gi
+      storage: {{ .Values.pvc_capacity }}
@@ -0,0 +1,50 @@
+---
+apiVersion: k8up.io/v1
+kind: Schedule
+metadata:
+  name: {{ .Values.k8up.backup_name }}
+  annotations:
+    "helm.sh/hook": post-install
+    "helm.sh/resource-policy": keep
+spec:
+  backend:
+    repoPasswordSecretRef:
+      name: {{ .Values.k8up.repoPasswordSecretRef.name }}
+      key: {{ .Values.k8up.repoPasswordSecretRef.key }}
+    {{- if eq .Values.k8up.backup_type "s3" }}
+    s3:
+      endpoint: {{ .Values.k8up.s3.endpoint }}
+      bucket: {{ .Values.k8up.s3.bucket }}
+      accessKeyIDSecretRef:
+        name: {{ .Values.k8up.s3.accessKeyIDSecretRef.name }}
+        key: {{ .Values.k8up.s3.accessKeyIDSecretRef.key }}
+        optional: {{ .Values.k8up.s3.accessKeyIDSecretRef.optional }}
+      secretAccessKeySecretRef:
+        name: {{ .Values.k8up.s3.secretAccessKeySecretRef.name }}
+        key: {{ .Values.k8up.s3.secretAccessKeySecretRef.key }}
+        optional: {{ .Values.k8up.s3.secretAccessKeySecretRef.optional }}
+    {{- end }}
+    {{- if eq .Values.k8up.backup_type "local" }}
+    local:
+      mountPath: {{ .Values.k8up.local.mountPath }}
+    {{- end }}
+  # Backup nightly at scheduled time (Central Europe Time)
+  backup:
+    schedule: {{ .Values.k8up.schedules.backup }}
+    failedJobsHistoryLimit: 5
+    successfulJobsHistoryLimit: 2
+    promURL: {{ .Values.k8up.prometheus_url }}
+    {{- if .Values.k8up.podSecurityContext }}
+    podSecurityContext:
+      runAsUser: {{ .Values.k8up.podSecurityContext.runAsUser }}
+    {{- end }}
+  # verify the backups are ok
+  check:
+    schedule: {{ .Values.k8up.schedules.check }}
+    promURL: {{ .Values.k8up.prometheus_url }}
+  # delete old backups
+  prune:
+    schedule: {{ .Values.k8up.schedules.prune }}
+    retention:
+      keepDaily: 7
+      keepWeekly: 8