fix: technitium CronJob scheduling, LUKS backup support, speedtest scrape

- technitium-password-sync: remove RWO encrypted PVC mount that caused pods to stick in ContainerCreating on wrong nodes. Plugin install now warns instead of failing when zip unavailable. - daily-backup: add LUKS decryption support for encrypted PVC snapshots using /root/.luks-backup-key. Uses noload mount option to skip ext4 journal replay. Also installed cryptsetup-bin on PVE host. - speedtest: disable prometheus.io/scrape annotation (no /prometheus endpoint exists, causing ScrapeTargetDown alert). [ci skip] Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-15 15:12:32 +00:00 · 2026-04-15 15:12:32 +00:00 · 9baefa22ab
commit 9baefa22ab
parent 25ef5176bb
3 changed files with 27 additions and 19 deletions
--- a/scripts/daily-backup.sh
+++ b/scripts/daily-backup.sh
@ -145,8 +145,26 @@ else
            continue
        fi

+        # Detect LUKS-encrypted volumes and set up mount device
+        LUKS_NAME=""
+        MOUNT_DEV="/dev/pve/${snap}"
+        MOUNT_OPTS="ro"
+        if blkid -o value -s TYPE "/dev/pve/${snap}" 2>/dev/null | grep -q 'crypto_LUKS'; then
+            LUKS_KEY="/root/.luks-backup-key"
+            LUKS_NAME="pvc-snap-$(echo "${snap}" | md5sum | cut -c1-12)"
+            if [ -f "${LUKS_KEY}" ] && cryptsetup open --type luks --key-file "${LUKS_KEY}" --readonly "/dev/pve/${snap}" "${LUKS_NAME}" 2>&1; then
+                MOUNT_DEV="/dev/mapper/${LUKS_NAME}"
+                MOUNT_OPTS="ro,noload"  # noload skips ext4 journal replay on read-only LUKS
+                log "  LUKS: decrypted ${snap} → ${LUKS_NAME}"
+            else
+                warn "Failed to decrypt LUKS snapshot ${snap}"
+                PVC_FAIL=$((PVC_FAIL + 1))
+                continue
+            fi
+        fi
+
        # Mount snapshot read-only, rsync files
-        if timeout 30 mount -o ro "/dev/pve/${snap}" "${PVC_MOUNT}" 2>&1; then
+        if timeout 30 mount -o "${MOUNT_OPTS}" "${MOUNT_DEV}" "${PVC_MOUNT}" 2>&1; then
            dst="${BACKUP_ROOT}/pvc-data/${WEEK}/${ns_pvc}"
            mkdir -p "${dst}"
            if rsync -az --delete \
@ -182,6 +200,11 @@ else
            warn "Failed to mount snapshot ${snap}"
            PVC_FAIL=$((PVC_FAIL + 1))
        fi
+
+        # Close LUKS device if we opened one
+        if [ -n "${LUKS_NAME}" ]; then
+            cryptsetup close "${LUKS_NAME}" 2>/dev/null || true
+        fi
    done

    log "  PVC copy: ${PVC_COUNT} OK, ${PVC_FAIL} failed"