diff --git a/kubernetes/app/immich/cronjob-backup.yaml b/kubernetes/app/immich/cronjob-backup.yaml
index 6e14660..f2123cf 100644
--- a/kubernetes/app/immich/cronjob-backup.yaml
+++ b/kubernetes/app/immich/cronjob-backup.yaml
@@ -4,7 +4,7 @@ metadata:
   name: immich-db-backup
   namespace: immich
   labels:
-    app: immich-db-backup
+    app: immich-backup
 spec:
   schedule: "0 3 * * *"
   concurrencyPolicy: Forbid
@@ -15,7 +15,7 @@ spec:
       template:
         metadata:
           labels:
-            app: immich-db-backup
+            app: immich-backup
         spec:
           restartPolicy: OnFailure
           initContainers:
@@ -44,27 +44,40 @@ spec:
                 - -c
                 - pg_dump --clean --if-exists > /backup/dump.sql
               volumeMounts:
-                - name: backup
+                - name: backup-tmp
                   mountPath: /backup
           containers:
-            - name: rclone-upload
-              image: rclone/rclone:1.69
+            - name: resticprofile
+              image: creativeprojects/resticprofile:0.32.0
               command:
                 - sh
                 - -c
-                - rclone copy /backup/dump.sql b2crypt:immich-db/ --config /config/rclone/rclone.conf
+                - |
+                  resticprofile -c /secrets/profiles.yaml -n immich-db backup
+                  resticprofile -c /secrets/profiles.yaml -n immich-db copy
+              env:
+                - name: B2_ACCOUNT_ID
+                  valueFrom:
+                    secretKeyRef:
+                      name: immich-backup-config
+                      key: B2_ACCOUNT_ID
+                - name: B2_ACCOUNT_KEY
+                  valueFrom:
+                    secretKeyRef:
+                      name: immich-backup-config
+                      key: B2_ACCOUNT_KEY
               volumeMounts:
-                - name: backup
-                  mountPath: /backup
-                - name: rclone-config
-                  mountPath: /config/rclone
+                - name: secrets
+                  mountPath: /secrets
                   readOnly: true
+                - name: backup-tmp
+                  mountPath: /backup
           volumes:
-            - name: backup
-              emptyDir: {}
-            - name: rclone-config
+            - name: secrets
               secret:
-                secretName: immich-rclone-config
+                secretName: immich-backup-config
+            - name: backup-tmp
+              emptyDir: {}
 ---
 apiVersion: batch/v1
 kind: CronJob
@@ -72,7 +85,7 @@ metadata:
   name: immich-library-backup
   namespace: immich
   labels:
-    app: immich-library-backup
+    app: immich-backup
 spec:
   schedule: "0 4 * * *"
   concurrencyPolicy: Forbid
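Review bot: The `- |` block in the new resticprofile container runs `backup` and then `copy` without `set -e`, so a failed `backup` still runs `copy` and the container exits with the status of the last command — a dump that never reached the repository can exit 0, `restartPolicy: OnFailure` never retries, and the nightly DB backup fails silently; make `set -eu` the first line of the block (or join the two commands with `&&`, as the old library command did). The resticprofile container only reads the dump, so its `backup-tmp` mount should carry `readOnly: true` like the `secrets` mount does. The `secrets` volume is projected with the default file mode, which leaves `profiles.yaml` and both restic passwords readable by every uid in the container; `defaultMode: 0400` under `secret:` narrows that, provided the container's runAsUser/fsGroup (set outside this hunk, if at all) matches the file owner. Note also that `pg_dump` writes a plaintext dump to a node-disk `emptyDir`; `emptyDir: {medium: Memory}` keeps it off disk if the dump fits in the pod's memory budget.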
@@ -83,50 +96,46 @@ spec:
       template:
         metadata:
           labels:
-            app: immich-library-backup
+            app: immich-backup
         spec:
           restartPolicy: OnFailure
           containers:
-            - name: resticprofile-backup
+            - name: resticprofile
               image: creativeprojects/resticprofile:0.32.0
               command:
                 - sh
                 - -c
-                - resticprofile -c /etc/resticprofile/profiles.yaml backup && resticprofile -c /etc/resticprofile/profiles.yaml forget
+                - |
+                  resticprofile -c /secrets/profiles.yaml -n immich-library backup
+                  resticprofile -c /secrets/profiles.yaml -n immich-library copy
               env:
-                - name: AWS_ACCESS_KEY_ID
+                - name: B2_ACCOUNT_ID
                   valueFrom:
                     secretKeyRef:
-                      name: immich-backup-credentials
-                      key: AWS_ACCESS_KEY_ID
-                - name: AWS_SECRET_ACCESS_KEY
+                      name: immich-backup-config
+                      key: B2_ACCOUNT_ID
+                - name: B2_ACCOUNT_KEY
                   valueFrom:
                     secretKeyRef:
-                      name: immich-backup-credentials
-                      key: AWS_SECRET_ACCESS_KEY
+                      name: immich-backup-config
+                      key: B2_ACCOUNT_KEY
               volumeMounts:
+                - name: secrets
+                  mountPath: /secrets
+                  readOnly: true
                 - name: library
-                  mountPath: /photos
-                  readOnly: true
-                - name: resticprofile-config
-                  mountPath: /etc/resticprofile
-                  readOnly: true
-                - name: restic-key
-                  mountPath: /etc/restic
+                  mountPath: /data
                   readOnly: true
+              resources:
+                requests:
+                  cpu: 100m
+                  memory: 256Mi
+                limits:
+                  memory: 1Gi
           volumes:
+            - name: secrets
+              secret:
+                secretName: immich-backup-config
             - name: library
               persistentVolumeClaim:
                 claimName: immich-library
-            - name: resticprofile-config
-              secret:
-                secretName: immich-backup-credentials
-                items:
-                  - key: profiles.yaml
-                    path: profiles.yaml
-            - name: restic-key
-              secret:
-                secretName: immich-backup-credentials
-                items:
-                  - key: RESTIC_KEY
-                    path: key
diff --git a/kubernetes/app/immich/networkpolicy.yaml b/kubernetes/app/immich/networkpolicy.yaml
index 92de992..725a4a2 100644
--- a/kubernetes/app/immich/networkpolicy.yaml
+++ b/kubernetes/app/immich/networkpolicy.yaml
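Review bot: The removed command ran `forget` after `backup`, but the new `- |` block runs only `backup` and `copy`, so unless the `immich-library` profile in the (encrypted, not visible here) `profiles.yaml` sets `retention` with `after-backup: true`, no snapshot is ever expired and both the NAS and B2 repositories grow without bound; either confirm that setting or add `resticprofile -c /secrets/profiles.yaml -n immich-library forget` as a third line. The block also lacks `set -e`, so a failed `backup` still runs `copy` and the job's exit status reflects only the last command; `set -eu` as the first line makes `OnFailure` actually retry. The new `resources` block gives restic a 1Gi memory limit with no CPU cap, which is reasonable for a batch job, but an OOM kill here surfaces as a failed backup rather than a config error, so the limit is worth checking against the library's size on a first run.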
@@ -46,7 +46,7 @@ spec:
               app.kubernetes.io/name: server
         - podSelector:
             matchLabels:
-              app: immich-db-backup
+              app: immich-backup
 ---
 # Allow immich pods to reach valkey
 apiVersion: networking.k8s.io/v1
diff --git a/kubernetes/app/immich/release.yaml b/kubernetes/app/immich/release.yaml
index fc3d080..48ef477 100644
--- a/kubernetes/app/immich/release.yaml
+++ b/kubernetes/app/immich/release.yaml
@@ -100,6 +100,7 @@ spec:
       enabled: true
     controllers:
       main:
+        strategy: Recreate
         pod:
           securityContext:
             seccompProfile:
diff --git a/kubernetes/app/immich/secret-backup.sops.yaml b/kubernetes/app/immich/secret-backup.sops.yaml
index beee420..317774b 100644
--- a/kubernetes/app/immich/secret-backup.sops.yaml
+++ b/kubernetes/app/immich/secret-backup.sops.yaml
@@ -1,25 +1,26 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  name: immich-backup-credentials
+  name: immich-backup-config
   namespace: immich
 stringData:
-  AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:lGrcLznG4NVn/xM+pyaRwdbnt1DMioucgA==,iv:4gb4Rdd2RCFS0SjK/nUjSbNcgcs8QrUlkz04BOimmv4=,tag:Q+3vV6Fknl/BpHcgeef2AA==,type:str]
-  AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:Kw7Pt1HiDi/ZsWwZcSeyWgVAtBkmqyNi8XVW3wjU0Q==,iv:AjpZVeXZthyKtOqWzz4K/0CxEL2QB75PXD/EnFTI1wM=,tag:NdW8QJUKz2W4u5LCgk64XQ==,type:str]
-  RESTIC_KEY: ENC[AES256_GCM,data:dmb7QIwP35GF+L6+aKsYiyKgRrYOSw7LOdSakZVK6CRlKB7izmTboGAZHOitDHXw9lHASBfE3gYKkDZtLSK9tw==,iv:34i8s9xax+XVe2k5nyazbsz0wD+pWX0BWde+sf77TZY=,tag:VijQe0wBxCZNVv8hPopvgQ==,type:str]
-  profiles.yaml: ENC[AES256_GCM,data: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,iv:qDSbTaPMqqTDBWw+pU5pKwOT8Vo8BQCGb81PmPh3qbM=,tag:uym01wpo+OMWiVxyWNr3cQ==,type:str]
+  profiles.yaml: ENC[AES256_GCM,data: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,iv:5P67BQp0lLdEqdUx2r2PLjYlUJiUIU1A+O2rFQQP4CM=,tag:4yRRV1Cuy5O31X/++QCD0Q==,type:str]
+  restic-password-nas: ENC[AES256_GCM,data:lXtgvRD9ov1llpAWnK7RwYulfp0umpcZw7qHhjCWHc1ag0dEeMKOveehqz+kIUfqLe+L3ETXOoyeDgYlXMCzkw==,iv:Bve8VOl42fTVZ5QNxKuVwGzLnkKihjm5vRHW8A0J+R0=,tag:q7QnJsJtSF6oo9DoHCwL4Q==,type:str]
+  restic-password-b2: ENC[AES256_GCM,data:th+gQw51kZDy0zGsqiUSUfBwOBOGaQxqgIj4aJV706OQ2IPmL5Z7JX4r8d30O5ezZ3Cyxniw7PFx+UgNUmg0pg==,iv:HxHsvvHkwjef3/E3/Ix+e8PgyK+uCd8Yl8qZPhhsnjw=,tag:bKRTdd88Mo53/wmf4aQEiA==,type:str]
+  B2_ACCOUNT_ID: ENC[AES256_GCM,data:2GCe4rtcCdz0iaNWnEf3rFzd3Qh9CNMqaA==,iv:aiHojCbIisaUfDh5GIR6tY0IW6MVZEII6apW6KV0r90=,tag:FER2E8ZzIML0/0ZeaAwHsA==,type:str]
+  B2_ACCOUNT_KEY: ENC[AES256_GCM,data:kqRXVKoc39utPwhcNJSPE3ETZZQUGitYP6Wje40OvA==,iv:eTj77H7cEzpMlngHVkwGcvBXEbQOcq09Uaxb+rD87ck=,tag:zqbtfJVq9u3CaA9iwsfTLQ==,type:str]
 sops:
   age:
     - recipient: age1zffnskvuezntkk703a0pyxsd5m8vx2hm33dr47wdfy8mn4fdw4sqgw0jgc
       enc: |
         -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5WFFRWVAwVkx6SjBPZUw5
-        Ykx2QnJjYS96VEJHaWFOTC9Yb0Q1ckppSEg4CjYvcGVYQ284c1JzRXJseTFPVDJQ
-        bDNHeXVKNXNydzcyVFlkWHJuQ0R0T1kKLS0tIHNuMThacHk1dko0N3hRd3NjZUxv
-        U25jVnVQQjhaQlI2TU5QSGhtcjRvZWcKNCiNhsb+lZehYXAx87a3h5G5mifOdqxQ
-        5xa/TTuqQwv4v5xrsMKcYvt2VvKipWYaByP/4F6D5mkH28GK2etlgg==
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUQ1pTWTNjZTU1V1ZSeVZt
+        MjBpNSs5blRtdGwrdXVNQWZ5dk90enQ4d1NNCjZpT0JlNG5naDcwNEJ5dFl0UktT
+        OWZjbVdqUC8yNGxmeExRRTRuMjBCbm8KLS0tIFNQT3pvOUlOMzN0NGovOGx2RmhE
+        U2ZxL2VvbUF1Wk93TmxseHcvVWNOc2sKNmTJhYwOuV2gE/PGFodfxsQS6Okwv+Yq
+        a0V7VAhKutBT+b+1lmdCvQy/wOTzHRo4tJ6wDReu9bwT8pj8ya/hkw==
         -----END AGE ENCRYPTED FILE-----
-  lastmodified: "2026-02-22T16:17:56Z"
-  mac: ENC[AES256_GCM,data:525DsywY9tCeDrNwU39oFdJoF3jtB4AoA+i4LLEomnYsvQrdpMQRRn5BKVS40nmGZ3wA37JrJkGRk8Be21Wri6M3Vh0hzExWmqYLY7Xhvc+6IK6UJzgL/RQ9ynl7vtw7buozWWZhOWoBjzC84t/hWxepNSA30XHR9NypWUF+TpE=,iv:3lA2d8MtVGLtmhDlWVUHcyqrM6u4aoNoFL/l8YYS4Kw=,tag:9L/gobcRaGxk9n6RRChtXw==,type:str]
+  lastmodified: "2026-03-11T19:58:21Z"
+  mac: ENC[AES256_GCM,data:nJFnd5587Vv1+EzBnBMm8sEy+8jINWS2Fm8oW0lcOkeUbuBmBvQXpOSZf6IMvcPCIHdIwBRk8etI2kvH2GB8XtkhKJtGodRmRjfYnwBMWMdAjrYpK7eazHLQdsp1lyYZ5YaqS6oSaZtc4nJAhfO7Z9rpOZC0oTrZSnF+HEmsEds=,iv:Kn56EjcCZk1UNg4tFtogucNlNx9Xoh0SNDa9+hApMJE=,tag:ITbEbv5Q4HkbLVueOcl5GQ==,type:str]
   encrypted_regex: ^(data|stringData|email)$
-  version: 3.11.0
+  version: 3.12.1
diff --git a/kubernetes/app/immich/secret-rclone.sops.yaml b/kubernetes/app/immich/secret-rclone.sops.yaml
deleted file mode 100644
index cfafd2f..0000000
--- a/kubernetes/app/immich/secret-rclone.sops.yaml
+++ /dev/null
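Review bot: Dropping `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` and `RESTIC_KEY` from `stringData` (and the rclone remote in the deleted file that follows) removes them from the manifest but does not revoke them: they stay in git history under the same age recipient, and the old `immich-backup-credentials` Secret object only leaves the cluster if the GitOps controller prunes it, which is not visible here. Confirm the old S3-compatible key and whatever credentials `rclone.conf` held are revoked at the provider, and that the new B2 application key is restricted to the backup bucket(s). `RESTIC_KEY` is replaced by two per-repository passwords, `restic-password-nas` and `restic-password-b2`; if the repositories already exist and either password differs from the one they were initialised with, `restic key add` has to be run against that repository before the first cron run, or `backup`/`copy` will fail to open it. A single age recipient guards every restic password here, so that private key (or the decrypted passwords) needs an offline copy — without it the repositories cannot be opened once the cluster is gone.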
@@ -1,22 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: immich-rclone-config
-  namespace: immich
-stringData:
-  rclone.conf: ENC[AES256_GCM,data:CryFjZBVyHdDPT1yGlmhCGDthmyhT3tTAmj2RmUl+pmrO4qkiT1UdADn/aSdSNjIE89dXzHcn22bY/4K9EuKhKPHm+MzHx10isPtrwERNy1FAhc2a1/pwBRIi5ej4MWZrCNnJCyG5coWDtsJhW/nRev0aAc24Jsp2S4Iyw4ZZcVDPLmYGCb0GYunOQOFKQkB3R+q3aFeaPOJnrn7EJVRzsiwFAd4hiVyCpSFme7n6xddKkMMrDICsyFg6ICkKYgFgRp0JnXVleA+y9phI17F/P63VXJsaI25JE5SMENTNpRHQ0OIC/HYQO92fadGXh7lMwp3zNwaoLk5YY1j4FXYuEHoxmtd82eEuvLYwM7CL4qj/aYZ1CiYWWiRg3oaUrKt7btFLDmdgkr4dhiv2S6t9AzwTp0Fo7Gg,iv:bSN2tyGWIQJVZ26dgFr/GEhmEeDM6cmfx6b6yEBWXY0=,tag:wKWO4uYYmb51sWq7JQY4UQ==,type:str]
-sops:
-  age:
-    - recipient: age1zffnskvuezntkk703a0pyxsd5m8vx2hm33dr47wdfy8mn4fdw4sqgw0jgc
-      enc: |
-        -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4NDg1WVBjbnB6YlFWTFpk
-        S2M3Tm1zVUZhUFRSZi9mcHVNWkhCcm5OQVNnCmNBTmllY2U0Mkw1dUpvSkpoR2Rj
-        SUN5T09kelNNZFBuaVFPMW1GUkhkNW8KLS0tIG1jNHdzczc0Z1c4bzVOVitBVHUy
-        U1V5QVBjdUptb3YrNkJjNkZzZ0xZZnMKyH1YkErMgv7n7t9Wr1aAE5LJvLKPO18r
-        z5gjcgUy7sCq77eRU4XjEgqivyy6fUcdbyTazhTGYIuUB5i3LbYSdQ==
-        -----END AGE ENCRYPTED FILE-----
-  lastmodified: "2026-02-22T16:16:54Z"
-  mac: ENC[AES256_GCM,data:gq7I3d82pjWZyHtX97jk8l+vYHqes1te43BXyI+yqYazh/ZyBshJT+60B5EjnfK8RA/C/jGcVTpBHa2Gc8BkcAxX1eDEvd9g72X70owB4MW3UYGSQ4XmeBzIdKC3p/LIW6SSzGcQB4MZZpuQ8HyP0+qGDE7NZJrim7wp6zI6Ovo=,iv:2l3NX+UuDdAQ9wAcaTFpWbWpq1G98p6CJBZnmzLLCvg=,tag:fzpx0i+w6lwfiQBHBMU9+A==,type:str]
-  encrypted_regex: ^(data|stringData|email)$
-  version: 3.11.0