From 9baefa22ab7a0ef1bdf46eec0c6d9c778d6ae5e8 Mon Sep 17 00:00:00 2001
From: Viktor Barzin <vbarzin@gmail.com>
Date: Wed, 15 Apr 2026 15:12:32 +0000
Subject: [PATCH] fix: technitium CronJob scheduling, LUKS backup support,
 speedtest scrape

- technitium-password-sync: remove RWO encrypted PVC mount that caused
  pods to stick in ContainerCreating on wrong nodes. Plugin install now
  warns instead of failing when zip unavailable.
- daily-backup: add LUKS decryption support for encrypted PVC snapshots
  using /root/.luks-backup-key. Uses noload mount option to skip ext4
  journal replay. Also installed cryptsetup-bin on PVE host.
- speedtest: disable prometheus.io/scrape annotation (no /prometheus
  endpoint exists, causing ScrapeTargetDown alert).

[ci skip]

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 scripts/daily-backup.sh                      | 25 +++++++++++++++++++-
 stacks/speedtest/main.tf                     |  4 +---
 stacks/technitium/modules/technitium/main.tf | 17 ++-----------
 3 files changed, 27 insertions(+), 19 deletions(-)

diff --git a/scripts/daily-backup.sh b/scripts/daily-backup.sh
index 7813b505..8ebf8e9c 100644
--- a/scripts/daily-backup.sh
+++ b/scripts/daily-backup.sh
@@ -145,8 +145,26 @@ else
             continue
         fi
 
+        # Detect LUKS-encrypted volumes and set up mount device
+        LUKS_NAME=""
+        MOUNT_DEV="/dev/pve/${snap}"
+        MOUNT_OPTS="ro"
+        if blkid -o value -s TYPE "/dev/pve/${snap}" 2>/dev/null | grep -q 'crypto_LUKS'; then
+            LUKS_KEY="/root/.luks-backup-key"
+            LUKS_NAME="pvc-snap-$(echo "${snap}" | md5sum | cut -c1-12)"
+            if [ -f "${LUKS_KEY}" ] && cryptsetup open --type luks --key-file "${LUKS_KEY}" --readonly "/dev/pve/${snap}" "${LUKS_NAME}" 2>&1; then
+                MOUNT_DEV="/dev/mapper/${LUKS_NAME}"
+                MOUNT_OPTS="ro,noload"  # noload skips ext4 journal replay on read-only LUKS
+                log "  LUKS: decrypted ${snap} → ${LUKS_NAME}"
+            else
+                warn "Failed to decrypt LUKS snapshot ${snap}"
+                PVC_FAIL=$((PVC_FAIL + 1))
+                continue
+            fi
+        fi
+
         # Mount snapshot read-only, rsync files
-        if timeout 30 mount -o ro "/dev/pve/${snap}" "${PVC_MOUNT}" 2>&1; then
+        if timeout 30 mount -o "${MOUNT_OPTS}" "${MOUNT_DEV}" "${PVC_MOUNT}" 2>&1; then
             dst="${BACKUP_ROOT}/pvc-data/${WEEK}/${ns_pvc}"
             mkdir -p "${dst}"
             if rsync -az --delete \
@@ -182,6 +200,11 @@ else
             warn "Failed to mount snapshot ${snap}"
             PVC_FAIL=$((PVC_FAIL + 1))
         fi
+
+        # Close LUKS device if we opened one
+        if [ -n "${LUKS_NAME}" ]; then
+            cryptsetup close "${LUKS_NAME}" 2>/dev/null || true
+        fi
     done
 
     log "  PVC copy: ${PVC_COUNT} OK, ${PVC_FAIL} failed"
diff --git a/stacks/speedtest/main.tf b/stacks/speedtest/main.tf
index 4b13bf2c..e6d2e255 100644
--- a/stacks/speedtest/main.tf
+++ b/stacks/speedtest/main.tf
@@ -206,9 +206,7 @@ resource "kubernetes_service" "speedtest" {
       "app" = "speedtest"
     }
     annotations = {
-      "prometheus.io/scrape" = "true"
-      "prometheus.io/path"   = "/prometheus"
-      "prometheus.io/port"   = "80"
+      "prometheus.io/scrape" = "false"
     }
   }
 
diff --git a/stacks/technitium/modules/technitium/main.tf b/stacks/technitium/modules/technitium/main.tf
index 7b00f0fc..0968582a 100644
--- a/stacks/technitium/modules/technitium/main.tf
+++ b/stacks/technitium/modules/technitium/main.tf
@@ -470,11 +470,6 @@ resource "kubernetes_cron_job_v1" "technitium_password_sync" {
                 name  = "TECH_PASS"
                 value = var.technitium_password
               }
-              volume_mount {
-                name       = "technitium-data"
-                mount_path = "/etc/dns"
-                read_only  = true
-              }
               command = ["/bin/sh", "-c", <<-EOT
                 set -e
                 TOKEN=$$(curl -sf "http://technitium-web:5380/api/user/login?user=$$TECH_USER&pass=$$TECH_PASS" | grep -o '"token":"[^"]*"' | cut -d'"' -f4)
@@ -485,12 +480,10 @@ resource "kubernetes_cron_job_v1" "technitium_password_sync" {
                 curl -sf -X POST "http://technitium-web:5380/api/apps/config/set?token=$$TOKEN" --data-urlencode "name=Query Logs (MySQL)" --data-urlencode "config=$$MYSQL_CONFIG"
                 echo "MySQL logging disabled"
 
-                # Install PG plugin if not already loaded (survives restarts via NFS, but not upgrades)
+                # Check PG plugin is loaded (installed persistently in Technitium data dir)
                 PG_LOADED=$$(curl -sf "http://technitium-web:5380/api/apps/list?token=$$TOKEN" | grep -c 'QueryLogsPostgres.App' || true)
                 if [ "$$PG_LOADED" = "0" ]; then
-                  echo "PG plugin not loaded, installing from NFS..."
-                  curl -sf -X POST "http://technitium-web:5380/api/apps/install?token=$$TOKEN&name=Query%20Logs%20(Postgres)" -F "fileData=@/etc/dns/QueryLogsPostgresApp.zip"
-                  echo "PG plugin installed"
+                  echo "WARNING: PG plugin not loaded — reinstall manually via Technitium UI"
                 fi
 
                 # Configure PG query logging
@@ -500,12 +493,6 @@ resource "kubernetes_cron_job_v1" "technitium_password_sync" {
               EOT
               ]
             }
-            volume {
-              name = "technitium-data"
-              persistent_volume_claim {
-                claim_name = kubernetes_persistent_volume_claim.primary_config_encrypted.metadata[0].name
-              }
-            }
             restart_policy = "OnFailure"
           }
         }