initial migration

infrastructure/backup/base/cronjob.yaml

@@ -0,0 +1,43 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: restic-rclone-gdrive
+  
+spec:
+  successfulJobsHistoryLimit: 2
+  failedJobsHistoryLimit: 2
+
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          restartPolicy: Never
+          hostname: restic-k3s-pod
+          # used by restic to identify the host
+          containers:
+          - name: restic-base-container
+            image: restic/restic:latest
+            command:
+              - /bin/sh
+              - -c
+            # >- strips newlines
+            # RESTIC_ARGS Can be for instance: --verbose --dry-run
+            args: []
+            
+            volumeMounts:
+              - mountPath: /data
+                name: backup-nfs-access
+
+            env:
+              - name: RESTIC_REPOSITORY
+                value: rest:http://rclone-gcloud:8000/kluster
+                # lives in the same namespace
+              - name: RESTIC_PASSWORD
+                valueFrom:
+                  secretKeyRef:
+                    name: restic-gdrive-credentials
+                    key: restic-password
+          volumes:
+            - name: backup-nfs-access
+              persistentVolumeClaim:
+                claimName: backup-nfs-access

infrastructure/backup/base/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./cronjob.yaml
+- ./restic-password.secret.yaml

infrastructure/backup/overlays/applying.md

@@ -0,0 +1,8 @@
+```
+k kustomize backup/overlays/backup | k apply -f -
+> secret/restic-credentials-backup created
+> cronjob.batch/restic-backblaze-backup created
+k kustomize backup/overlays/prune | k apply -f -
+> secret/restic-credentials-prune created
+> cronjob.batch/restic-backblaze-prune created
+```

infrastructure/backup/overlays/backup/kustomization.yaml

@@ -0,0 +1,16 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+# namespace: backup
+nameSuffix: -backup
+resources:
+  - ../../base
+  # - ./restic-commands.yaml
+
+
+# patch the cronjob args field:
+patches:
+  - path: ./restic-commands.yaml
+    target:
+      kind: CronJob
+      

infrastructure/backup/overlays/backup/restic-commands.yaml

@@ -0,0 +1,25 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: backup-patch
+spec:
+  schedule: "0 2 * * *"
+  # at 2:00, every day
+
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+          - name: restic-base-container
+            args:
+            # >- strips newlines
+            # -r $(RESTIC_REPOSITORY) not needed, bc set as env var
+              - >-
+                  restic backup
+                  --verbose=2
+                  /data
+                  --exclude=s3/
+                  &&
+                  restic
+                  list snapshots

infrastructure/backup/overlays/prune/kustomization.yaml

@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+# namespace: backup
+nameSuffix: -prune
+resources:
+  - ../../base
+  # - ./restic-commands.yaml
+
+
+# patch the cronjob args field:
+patches:
+  - path: ./restic-commands.yaml
+    target:
+      kind: CronJob

infrastructure/backup/overlays/prune/restic-commands.yaml

@@ -0,0 +1,24 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: prune-patch
+spec:
+  schedule: "0 0 1/15 * *"
+  # at midnight, the first and 15. of every month
+  
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+          - name: restic-base-container
+            args:
+            # >- strips newlines
+            # RESTIC_ARGS Can be for instance: --verbose --dry-run
+            # RESTIC_REPOSITORY is set in the secret
+              - >-
+                  restic forget
+                  -r $(RESTIC_REPOSITORY)
+                  --verbose=2
+                  --keep-daily 7 --keep-weekly 5
+                  --prune

infrastructure/backup/rclone-config.sealedsecret.yaml

@@ -0,0 +1,22 @@
+{
+  "kind": "SealedSecret",
+  "apiVersion": "bitnami.com/v1alpha1",
+  "metadata": {
+    "name": "rclone-config-files",
+    "namespace": "backup",
+    "creationTimestamp": null
+  },
+  "spec": {
+    "template": {
+      "metadata": {
+        "name": "rclone-config-files",
+        "namespace": "backup",
+        "creationTimestamp": null
+      },
+      "type": "Opaque"
+    },
+    "encryptedData": {
+      "rclone.conf": "AgCQ13IG+R6bs+nAxe1xuDXttYlvGlLfV3oQ6c0qtoF2jXB8hN3LftydHn+Se3LjghmQKAIErfsA7ZRhJoWfFuSm2AIc3w2mMonsga5gjBx/56/tZSvnT2Bzn/5UXktTVxwEINSBP0dYiMcn4/G+5hO3bngmG+lCZXeI7yWoTW8H+8NKYxDHUzdoBBhPPPLTERTRZHB8EzOPUlefHq/2y/NpUfkxyLSjYk0/X45W6XNzH6MfdA2x6omxd4giDQSEwJGdXqIXu1rPnPjV7WVcA8qJzkQbxhzjqpUcFgM12YsLGVVW8HSSdAy+ZNdTXmhCIu2+pI+AVuol4QY9r/gU3xlGhFmc3asW5k4iOfn7/ZEr3Yk8JplAYM+GWQ07s59MqYdGOhqFUpVmkjO97Z29iaeReQZCwxzl/PmxUtfI20eTmtUlFKE3fObMr27sZcXgeJS3ktHOONGoqvHHeuqd4hfTaVAGwVOAEoBY8Xnkq3ECN5ld8V4zR8e52QHtANflN4IJgjnGO5pMQyAW+XASAJDxG48q7ruu9i0mI4vuM0rVuoWi2v9I30/M7Mv2xAYnmKC7NIao1mDya3paidHwkIu12480oBDdHZpm5NSqHtQr/HKMQWnbu6CrufrDmTqoVe/ew5uaqjbfrBBys35k5ObUUPlhU3putgfmsR3YZXDaAqOwIoXQ30wm02gCA5z/WNEY3EaKP6RhgsowwkrPPniQfz4EaxQQjmZ/toe/xpwzSZjmoVnJtJabiuqL/B/eY6WpNOTjOzsc7Z69EOyhZMs41gNoA32RRUbFO1ppOu8518cE12KpsGbH6K6NcucSrKh2Gd3xNGwjaGQVT2vLTVi9YwByiwvrsVpNU06f2v0fcZWeRgoFoUkKMj746lw0E+X7oF0+PmfPT2IeTRszHECkbStSvFZNDivcdJyDFutocAZKNjDoAnVPlTNVYwKKcmHvw3sOOXhVN7NOj/+9UxSNyRvip7GPZKtRF1u9ftlD6OaLCCVSip7MJ41a7TugBTUUaMJbQUTmidWKZn6A0nctAvdrPbBatPI2BZQ4amwdXa2bWyE7DI13WaCm6kAVJijsAmfVrVX3C+Ft5p8unbjsVQ/ErdpKTjlq9mJsie3TQdME5r74GlcURiVXdLc7KcV7vpf6yy88XS6ee+Y9WmlYDAwRX+taMilRDlunMeF5Zmh12DCXMzsradEifEOZ/Mg5BMznxvrZv3iHDArm/j4QW7Bi0To3+f2826IAaXMlI4ze7e9Ny3NUbgy85yE+RNYiio0+wvWRKraxpqI0EODy/juBed3VcoWlOfch0hKU4BZTVrU5rDEmwYcp6oWnXE92fhVH7wjy4IV3WUSubYg="
+    }
+  }
+}

infrastructure/backup/rclone-gcloud.deployment.yaml

@@ -0,0 +1,54 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: rclone-gcloud
+
+spec:
+  selector:
+    matchLabels:
+      app: rclone-gcloud
+  template:
+    metadata:
+      labels:
+        app: rclone-gcloud
+    spec:
+      containers:
+      - name: rclone
+        image: rclone/rclone:latest
+        command: ["/bin/sh", "-c"]
+        args: # mounted as a secret
+          # >- strips newlines
+            # sleep infinity
+          - >-
+            rclone
+            --config /config/rclone.conf
+            serve restic
+            --addr :8000
+            -v
+            ETHZ-gdrive:backup
+
+        volumeMounts:
+          # from secret
+          - name: rclone-config
+            mountPath: /config
+            readOnly: true
+      volumes:
+      - name: rclone-config
+        secret:
+          secretName: rclone-config-files
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: rclone-gcloud
+
+spec:
+  selector:
+    app: rclone-gcloud
+  ports:
+    - protocol: TCP
+      port: 8000
+      targetPort: 8000
+
+

infrastructure/backup/restic-rclone.env

@@ -0,0 +1,2 @@
+export RESTIC_REPOSITORY=rest:http://127.0.0.1:8000/kluster
+export RESTIC_PASSWORD="2r,TE0.,U@gni3e%xr)_LC64"