feat: install Velero

external/Makefile

@@ -21,3 +21,6 @@ plan: .terraform.lock.hcl
 
 apply: .terraform.lock.hcl namespaces
 	terraform apply -auto-approve
+
+format:
+	terraform fmt -recursive .

external/main.tf

@@ -17,3 +17,8 @@ module "ntfy" {
   source = "./modules/ntfy"
   auth   = var.ntfy
 }
+
+module "backup" {
+  source        = "./modules/backup"
+  backup_bucket = var.backup_bucket
+}

external/modules/backup/main.tf

@@ -0,0 +1,16 @@
+resource "kubernetes_secret" "velero_credentials" {
+  metadata {
+    name      = "velero-credentials"
+    namespace = "velero"
+  }
+
+  data = {
+    cloud = <<EOF
+      %{for bucket in var.backup_buckets~}
+      [${bucket.name}]
+      aws_access_key_id=${bucket.access_key_id}
+      aws_secret_access_key=${bucket.secret_access_key}
+      %{endfor~}
+    EOF
+  }
+}

external/modules/backup/variables.tf

@@ -0,0 +1,10 @@
+variable "backup_buckets" {
+  type = list(object({
+    name              = string
+    url               = string
+    bucket            = string
+    region            = string
+    access_key_id     = string
+    secret_access_key = string
+  }))
+}

external/modules/backup/versions.tf

@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "~> 2.9.0"
+    }
+  }
+}

external/namespaces.yml

@@ -12,4 +12,5 @@
         - external-dns
         - global-secrets
         - k8up-operator
+        - velero
         - zerotier

external/variables.tf

@@ -24,3 +24,14 @@ variable "ntfy" {
 
   sensitive = true
 }
+
+variable "backup_bucket" {
+  type = object({
+    name              = string
+    url               = string
+    bucket            = string
+    region            = string
+    access_key_id     = string
+    secret_access_key = string
+  })
+}

system/velero/Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: v2
+name: velero
+version: 0.0.0
+dependencies:
+  - name: velero
+    version: 2.31.8
+    repository: https://vmware-tanzu.github.io/helm-charts

system/velero/values.yaml

@@ -0,0 +1,35 @@
+velero:
+  initContainers:
+    - name: velero-plugin-for-aws
+      image: velero/velero-plugin-for-aws:v1.5.1
+      imagePullPolicy: IfNotPresent
+      volumeMounts:
+        - mountPath: /target
+          name: plugins
+  configuration:
+    provider: aws
+    # TODO support multiple locations
+    backupStorageLocation:
+      bucket: homelab-backup
+      config:
+        region: minio
+        s3ForcePathStyle: 'true'
+        s3Url: http://192.168.1.24:9000
+        profile: onsite
+    defaultVolumesToRestic: true
+  credentials:
+    useSecret: true
+    existingSecret: velero-credentials
+  schedules:
+    onsite:
+      schedule: "*/2 * * * *"
+      storageLocation: default
+      template:
+        ttl: "240h"
+    # TODO support multiple locations
+    # offsite:
+    #   schedule: "*/2 * * * *"
+    #   storageLocation: offsite
+    #   template:
+    #     ttl: "240h"
+  deployRestic: true