feat(k8s/immich): use restic for all backups
@@ -4,7 +4,7 @@ metadata:
|
||||
name: immich-db-backup
|
||||
namespace: immich
|
||||
labels:
|
||||
app: immich-db-backup
|
||||
app: immich-backup
|
||||
spec:
|
||||
schedule: "0 3 * * *"
|
||||
concurrencyPolicy: Forbid
|
||||
@@ -15,7 +15,7 @@ spec:
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: immich-db-backup
|
||||
app: immich-backup
|
||||
spec:
|
||||
restartPolicy: OnFailure
|
||||
initContainers:
|
||||
@@ -44,27 +44,40 @@ spec:
|
||||
- -c
|
||||
- pg_dump --clean --if-exists > /backup/dump.sql
|
||||
volumeMounts:
|
||||
- name: backup
|
||||
- name: backup-tmp
|
||||
mountPath: /backup
|
||||
containers:
|
||||
- name: rclone-upload
|
||||
image: rclone/rclone:1.69
|
||||
- name: resticprofile
|
||||
image: creativeprojects/resticprofile:0.32.0
|
||||
command:
|
||||
- sh
|
||||
- -c
|
||||
- rclone copy /backup/dump.sql b2crypt:immich-db/ --config /config/rclone/rclone.conf
|
||||
- |
|
||||
resticprofile -c /secrets/profiles.yaml -n immich-db backup
|
||||
resticprofile -c /secrets/profiles.yaml -n immich-db copy
|
||||
env:
|
||||
- name: B2_ACCOUNT_ID
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: immich-backup-config
|
||||
key: B2_ACCOUNT_ID
|
||||
- name: B2_ACCOUNT_KEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: immich-backup-config
|
||||
key: B2_ACCOUNT_KEY
|
||||
volumeMounts:
|
||||
- name: backup
|
||||
mountPath: /backup
|
||||
- name: rclone-config
|
||||
mountPath: /config/rclone
|
||||
- name: secrets
|
||||
mountPath: /secrets
|
||||
readOnly: true
|
||||
- name: backup-tmp
|
||||
mountPath: /backup
|
||||
volumes:
|
||||
- name: backup
|
||||
emptyDir: {}
|
||||
- name: rclone-config
|
||||
- name: secrets
|
||||
secret:
|
||||
secretName: immich-rclone-config
|
||||
secretName: immich-backup-config
|
||||
- name: backup-tmp
|
||||
emptyDir: {}
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: CronJob
|
||||
@@ -72,7 +85,7 @@ metadata:
|
||||
name: immich-library-backup
|
||||
namespace: immich
|
||||
labels:
|
||||
app: immich-library-backup
|
||||
app: immich-backup
|
||||
spec:
|
||||
schedule: "0 4 * * *"
|
||||
concurrencyPolicy: Forbid
|
||||
@@ -83,50 +96,46 @@ spec:
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: immich-library-backup
|
||||
app: immich-backup
|
||||
spec:
|
||||
restartPolicy: OnFailure
|
||||
containers:
|
||||
- name: resticprofile-backup
|
||||
- name: resticprofile
|
||||
image: creativeprojects/resticprofile:0.32.0
|
||||
command:
|
||||
- sh
|
||||
- -c
|
||||
- resticprofile -c /etc/resticprofile/profiles.yaml backup && resticprofile -c /etc/resticprofile/profiles.yaml forget
|
||||
- |
|
||||
resticprofile -c /secrets/profiles.yaml -n immich-library backup
|
||||
resticprofile -c /secrets/profiles.yaml -n immich-library copy
|
||||
env:
|
||||
- name: AWS_ACCESS_KEY_ID
|
||||
- name: B2_ACCOUNT_ID
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: immich-backup-credentials
|
||||
key: AWS_ACCESS_KEY_ID
|
||||
- name: AWS_SECRET_ACCESS_KEY
|
||||
name: immich-backup-config
|
||||
key: B2_ACCOUNT_ID
|
||||
- name: B2_ACCOUNT_KEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: immich-backup-credentials
|
||||
key: AWS_SECRET_ACCESS_KEY
|
||||
name: immich-backup-config
|
||||
key: B2_ACCOUNT_KEY
|
||||
volumeMounts:
|
||||
- name: secrets
|
||||
mountPath: /secrets
|
||||
readOnly: true
|
||||
- name: library
|
||||
mountPath: /photos
|
||||
readOnly: true
|
||||
- name: resticprofile-config
|
||||
mountPath: /etc/resticprofile
|
||||
readOnly: true
|
||||
- name: restic-key
|
||||
mountPath: /etc/restic
|
||||
mountPath: /data
|
||||
readOnly: true
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 256Mi
|
||||
limits:
|
||||
memory: 1Gi
|
||||
volumes:
|
||||
- name: secrets
|
||||
secret:
|
||||
secretName: immich-backup-config
|
||||
- name: library
|
||||
persistentVolumeClaim:
|
||||
claimName: immich-library
|
||||
- name: resticprofile-config
|
||||
secret:
|
||||
secretName: immich-backup-credentials
|
||||
items:
|
||||
- key: profiles.yaml
|
||||
path: profiles.yaml
|
||||
- name: restic-key
|
||||
secret:
|
||||
secretName: immich-backup-credentials
|
||||
items:
|
||||
- key: RESTIC_KEY
|
||||
path: key
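Review bot: The two-line `sh -c` scripts in both CronJobs (`-n immich-db` and `-n immich-library`) run `backup` and then `copy` with no error gate, so when `backup` fails the shell still runs `copy` and the container exits with `copy`'s status. A failed snapshot can then be recorded as a successful Job, and `restartPolicy: OnFailure` never retries it. The library command this appears to replace chained its steps with `&&`; starting each block with `set -e` (or joining the two lines with `&&`) restores that behaviour. The older command also ran `forget` and the new script does not, so retention presumably has to come from the encrypted `profiles.yaml`, which cannot be checked from this page.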
|
||||
|
||||
@@ -46,7 +46,7 @@ spec:
|
||||
app.kubernetes.io/name: server
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
app: immich-db-backup
|
||||
app: immich-backup
|
||||
---
|
||||
# Allow immich pods to reach valkey
|
||||
apiVersion: networking.k8s.io/v1
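Review bot: Selecting on `app: immich-backup` widens this rule, because the same commit puts that label on the pod templates of both `immich-db-backup` and `immich-library-backup`; the library backup pods now match a selector that previously named only the database backup. The rule's direction and target are outside the hunk, but if this is the allow rule for reaching the database, the library job has no need for it. Keeping the shared `app` label and adding a distinguishing one to the db job's pod template, for example `app.kubernetes.io/component: db-backup`, then matching on that label here, would keep the policy scoped to the pod that runs `pg_dump`.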
|
||||
|
||||
@@ -100,6 +100,7 @@ spec:
|
||||
enabled: true
|
||||
controllers:
|
||||
main:
|
||||
strategy: Recreate
|
||||
pod:
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
|
||||
@@ -1,25 +1,26 @@
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: immich-backup-credentials
|
||||
name: immich-backup-config
|
||||
namespace: immich
|
||||
stringData:
|
||||
AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:lGrcLznG4NVn/xM+pyaRwdbnt1DMioucgA==,iv:4gb4Rdd2RCFS0SjK/nUjSbNcgcs8QrUlkz04BOimmv4=,tag:Q+3vV6Fknl/BpHcgeef2AA==,type:str]
|
||||
AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:Kw7Pt1HiDi/ZsWwZcSeyWgVAtBkmqyNi8XVW3wjU0Q==,iv:AjpZVeXZthyKtOqWzz4K/0CxEL2QB75PXD/EnFTI1wM=,tag:NdW8QJUKz2W4u5LCgk64XQ==,type:str]
|
||||
RESTIC_KEY: ENC[AES256_GCM,data:dmb7QIwP35GF+L6+aKsYiyKgRrYOSw7LOdSakZVK6CRlKB7izmTboGAZHOitDHXw9lHASBfE3gYKkDZtLSK9tw==,iv:34i8s9xax+XVe2k5nyazbsz0wD+pWX0BWde+sf77TZY=,tag:VijQe0wBxCZNVv8hPopvgQ==,type:str]
|
||||
profiles.yaml: ENC[AES256_GCM,data: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,iv:qDSbTaPMqqTDBWw+pU5pKwOT8Vo8BQCGb81PmPh3qbM=,tag:uym01wpo+OMWiVxyWNr3cQ==,type:str]
|
||||
profiles.yaml: ENC[AES256_GCM,data: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,iv:5P67BQp0lLdEqdUx2r2PLjYlUJiUIU1A+O2rFQQP4CM=,tag:4yRRV1Cuy5O31X/++QCD0Q==,type:str]
|
||||
restic-password-nas: ENC[AES256_GCM,data:lXtgvRD9ov1llpAWnK7RwYulfp0umpcZw7qHhjCWHc1ag0dEeMKOveehqz+kIUfqLe+L3ETXOoyeDgYlXMCzkw==,iv:Bve8VOl42fTVZ5QNxKuVwGzLnkKihjm5vRHW8A0J+R0=,tag:q7QnJsJtSF6oo9DoHCwL4Q==,type:str]
|
||||
restic-password-b2: ENC[AES256_GCM,data:th+gQw51kZDy0zGsqiUSUfBwOBOGaQxqgIj4aJV706OQ2IPmL5Z7JX4r8d30O5ezZ3Cyxniw7PFx+UgNUmg0pg==,iv:HxHsvvHkwjef3/E3/Ix+e8PgyK+uCd8Yl8qZPhhsnjw=,tag:bKRTdd88Mo53/wmf4aQEiA==,type:str]
|
||||
B2_ACCOUNT_ID: ENC[AES256_GCM,data:2GCe4rtcCdz0iaNWnEf3rFzd3Qh9CNMqaA==,iv:aiHojCbIisaUfDh5GIR6tY0IW6MVZEII6apW6KV0r90=,tag:FER2E8ZzIML0/0ZeaAwHsA==,type:str]
|
||||
B2_ACCOUNT_KEY: ENC[AES256_GCM,data:kqRXVKoc39utPwhcNJSPE3ETZZQUGitYP6Wje40OvA==,iv:eTj77H7cEzpMlngHVkwGcvBXEbQOcq09Uaxb+rD87ck=,tag:zqbtfJVq9u3CaA9iwsfTLQ==,type:str]
|
||||
sops:
|
||||
age:
|
||||
- recipient: age1zffnskvuezntkk703a0pyxsd5m8vx2hm33dr47wdfy8mn4fdw4sqgw0jgc
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5WFFRWVAwVkx6SjBPZUw5
|
||||
Ykx2QnJjYS96VEJHaWFOTC9Yb0Q1ckppSEg4CjYvcGVYQ284c1JzRXJseTFPVDJQ
|
||||
bDNHeXVKNXNydzcyVFlkWHJuQ0R0T1kKLS0tIHNuMThacHk1dko0N3hRd3NjZUxv
|
||||
U25jVnVQQjhaQlI2TU5QSGhtcjRvZWcKNCiNhsb+lZehYXAx87a3h5G5mifOdqxQ
|
||||
5xa/TTuqQwv4v5xrsMKcYvt2VvKipWYaByP/4F6D5mkH28GK2etlgg==
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUQ1pTWTNjZTU1V1ZSeVZt
|
||||
MjBpNSs5blRtdGwrdXVNQWZ5dk90enQ4d1NNCjZpT0JlNG5naDcwNEJ5dFl0UktT
|
||||
OWZjbVdqUC8yNGxmeExRRTRuMjBCbm8KLS0tIFNQT3pvOUlOMzN0NGovOGx2RmhE
|
||||
U2ZxL2VvbUF1Wk93TmxseHcvVWNOc2sKNmTJhYwOuV2gE/PGFodfxsQS6Okwv+Yq
|
||||
a0V7VAhKutBT+b+1lmdCvQy/wOTzHRo4tJ6wDReu9bwT8pj8ya/hkw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2026-02-22T16:17:56Z"
|
||||
mac: ENC[AES256_GCM,data:525DsywY9tCeDrNwU39oFdJoF3jtB4AoA+i4LLEomnYsvQrdpMQRRn5BKVS40nmGZ3wA37JrJkGRk8Be21Wri6M3Vh0hzExWmqYLY7Xhvc+6IK6UJzgL/RQ9ynl7vtw7buozWWZhOWoBjzC84t/hWxepNSA30XHR9NypWUF+TpE=,iv:3lA2d8MtVGLtmhDlWVUHcyqrM6u4aoNoFL/l8YYS4Kw=,tag:9L/gobcRaGxk9n6RRChtXw==,type:str]
|
||||
lastmodified: "2026-03-11T19:58:21Z"
|
||||
mac: ENC[AES256_GCM,data:nJFnd5587Vv1+EzBnBMm8sEy+8jINWS2Fm8oW0lcOkeUbuBmBvQXpOSZf6IMvcPCIHdIwBRk8etI2kvH2GB8XtkhKJtGodRmRjfYnwBMWMdAjrYpK7eazHLQdsp1lyYZ5YaqS6oSaZtc4nJAhfO7Z9rpOZC0oTrZSnF+HEmsEds=,iv:Kn56EjcCZk1UNg4tFtogucNlNx9Xoh0SNDa9+hApMJE=,tag:ITbEbv5Q4HkbLVueOcl5GQ==,type:str]
|
||||
encrypted_regex: ^(data|stringData|email)$
|
||||
version: 3.11.0
|
||||
version: 3.12.1
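Review bot: This Secret now holds `B2_ACCOUNT_ID`, `B2_ACCOUNT_KEY`, `restic-password-nas`, `restic-password-b2` and `profiles.yaml` in one object, and both CronJobs mount it whole at `/secrets` with no `items` list, so each pod gets every key as a file in addition to the two B2 values it already receives through `secretKeyRef`. The volume this replaces in the library job projected only the keys it needed; an `items` list on the `secrets` volume naming `profiles.yaml` and the password keys the profile reads (assuming it references them as files) would avoid writing the B2 key pair to disk a second time. The `AWS_*` and `RESTIC_KEY` entries that no longer appear remain in repository history as ciphertext for the same age recipient, so if those credentials are retired they should be revoked at the provider rather than treated as gone.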
|
||||
|
||||
@@ -1,22 +0,0 @@
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: immich-rclone-config
|
||||
namespace: immich
|
||||
stringData:
|
||||
rclone.conf: ENC[AES256_GCM,data:CryFjZBVyHdDPT1yGlmhCGDthmyhT3tTAmj2RmUl+pmrO4qkiT1UdADn/aSdSNjIE89dXzHcn22bY/4K9EuKhKPHm+MzHx10isPtrwERNy1FAhc2a1/pwBRIi5ej4MWZrCNnJCyG5coWDtsJhW/nRev0aAc24Jsp2S4Iyw4ZZcVDPLmYGCb0GYunOQOFKQkB3R+q3aFeaPOJnrn7EJVRzsiwFAd4hiVyCpSFme7n6xddKkMMrDICsyFg6ICkKYgFgRp0JnXVleA+y9phI17F/P63VXJsaI25JE5SMENTNpRHQ0OIC/HYQO92fadGXh7lMwp3zNwaoLk5YY1j4FXYuEHoxmtd82eEuvLYwM7CL4qj/aYZ1CiYWWiRg3oaUrKt7btFLDmdgkr4dhiv2S6t9AzwTp0Fo7Gg,iv:bSN2tyGWIQJVZ26dgFr/GEhmEeDM6cmfx6b6yEBWXY0=,tag:wKWO4uYYmb51sWq7JQY4UQ==,type:str]
|
||||
sops:
|
||||
age:
|
||||
- recipient: age1zffnskvuezntkk703a0pyxsd5m8vx2hm33dr47wdfy8mn4fdw4sqgw0jgc
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4NDg1WVBjbnB6YlFWTFpk
|
||||
S2M3Tm1zVUZhUFRSZi9mcHVNWkhCcm5OQVNnCmNBTmllY2U0Mkw1dUpvSkpoR2Rj
|
||||
SUN5T09kelNNZFBuaVFPMW1GUkhkNW8KLS0tIG1jNHdzczc0Z1c4bzVOVitBVHUy
|
||||
U1V5QVBjdUptb3YrNkJjNkZzZ0xZZnMKyH1YkErMgv7n7t9Wr1aAE5LJvLKPO18r
|
||||
z5gjcgUy7sCq77eRU4XjEgqivyy6fUcdbyTazhTGYIuUB5i3LbYSdQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2026-02-22T16:16:54Z"
|
||||
mac: ENC[AES256_GCM,data:gq7I3d82pjWZyHtX97jk8l+vYHqes1te43BXyI+yqYazh/ZyBshJT+60B5EjnfK8RA/C/jGcVTpBHa2Gc8BkcAxX1eDEvd9g72X70owB4MW3UYGSQ4XmeBzIdKC3p/LIW6SSzGcQB4MZZpuQ8HyP0+qGDE7NZJrim7wp6zI6Ovo=,iv:2l3NX+UuDdAQ9wAcaTFpWbWpq1G98p6CJBZnmzLLCvg=,tag:fzpx0i+w6lwfiQBHBMU9+A==,type:str]
|
||||
encrypted_regex: ^(data|stringData|email)$
|
||||
version: 3.11.0
|
||||