feat: install kopia

kubernetes/turing/kube-system/cilium/app/cilium-l2.yaml

@@ -14,5 +14,5 @@ kind: CiliumLoadBalancerIPPool
 metadata:
   name: pool
 spec:
-  cidrs:
+  blocks:
     - cidr: "192.168.0.0/24"

kubernetes/turing/storage/kopia/app/helmrelease.yaml

@@ -0,0 +1,119 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: &app kopia
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: app-template
+      version: 3.3.1
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: flux-system
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      strategy: rollback
+      retries: 3
+  values:
+    controllers:
+      kopia:
+        annotations:
+          reloader.stakater.com/auto: "true"
+        containers:
+          app:
+            image:
+              repository: docker.io/kopia/kopia
+              tag: 0.17.0@sha256:bc91968da06d8c7353ec6bfd136fd907587977498b4f7aae83d84995a5bfad15
+            env:
+              TZ: ${TIMEZONE}
+            args:
+              - server
+              - start
+              - --insecure
+              - --address
+              - 0.0.0.0:80
+              - --without-password
+              - --metrics-listen-addr
+              - 0.0.0.0:8080
+              - --config-file
+              - /app/config/repository.config
+            probes:
+              liveness: &probes
+                enabled: true
+                custom: true
+                spec:
+                  httpGet:
+                    path: /
+                    port: 80
+                  initialDelaySeconds: 30
+                  periodSeconds: 30
+                  timeoutSeconds: 10
+                  failureThreshold: 6
+              readiness: *probes
+            securityContext:
+              allowPrivilegeEscalation: false
+              readOnlyRootFilesystem: true
+              capabilities: { drop: ["ALL"] }
+    defaultPodOptions:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 568
+        runAsGroup: 568
+        fsGroup: 568
+        fsGroupChangePolicy: OnRootMismatch
+        supplementalGroups: [10000]
+        seccompProfile: { type: RuntimeDefault }
+    service:
+      app:
+        controller: kopia
+        ports:
+          http:
+            port: 80
+          metrics:
+            port: 8080
+    serviceMonitor:
+      app:
+        serviceName: kopia
+        endpoints:
+          - port: metrics
+            scheme: http
+            path: /metrics
+            interval: 1m
+            scrapeTimeout: 10s
+    ingress:
+      main:
+        className: internal
+        hosts:
+          - host: &host kopia.${SECRET_DOMAIN}
+            paths:
+              - path: /
+                service:
+                  identifier: app
+                  port: http
+        tls:
+          - hosts:
+              - *host
+    persistence:
+      config:
+        type: emptyDir
+        globalMounts:
+          - path: /app/config
+      cache:
+        type: emptyDir
+        globalMounts:
+          - path: /app/cache
+      logs:
+        type: emptyDir
+        globalMounts:
+          - path: /app/logs
+      photos:
+        type: persistentVolumeClaim
+        existingClaim: photos-nfs

kubernetes/turing/storage/kopia/app/kustomization.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: storage
+resources:
+  - ./helmrelease.yaml
+  - ./pvc.yaml

kubernetes/turing/storage/kopia/app/pvc.yaml

@@ -0,0 +1,27 @@
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: photos-nfs
+  namespace: media
+spec:
+  capacity:
+    storage: 1Mi
+  accessModes:
+    - ReadWriteMany
+  persistentVolumeReclaimPolicy: Retain
+  nfs:
+    path: /photos
+    server: ${NFS_SERVER}
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: photos-nfs
+  namespace: media
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 1Mi

kubernetes/turing/storage/kopia/ks.yaml

@@ -0,0 +1,21 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app kopia
+  namespace: flux-system
+spec:
+  targetNamespace: storage
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./kubernetes/turing/storage/kopia/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  wait: false
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m

kubernetes/turing/storage/kustomization.yaml

@@ -2,5 +2,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+  - ./kopia/ks.yaml
   - ./namespace.yaml
   - ./longhorn/ks.yaml

kubernetes/turing/storage/longhorn/app/helmrelease.yaml

@@ -40,7 +40,6 @@ spec:
       ingressClassName: internal
       host: &host "longhorn.turing.${SECRET_DOMAIN}"
       tls: true
-      tlsSecret: longhorn-tls
     defaultSettings:
       backupTarget: "nfs://192.168.0.154:/longhorn"
       defaultDataPath: "/mnt/nvme/longhorn"