feat(infrastructure): add backups

7project/backend/Dockerfile

@@ -5,4 +5,4 @@ COPY requirements.txt .
 RUN pip install --no-cache-dir -r requirements.txt
 COPY . .
 EXPOSE 8000
-CMD alembic upgrade head && uvicorn app.app:fastApi --host 0.0.0.0 --port 8000
+CMD alembic upgrade head && uvicorn app.app:app --host 0.0.0.0 --port 8000

7project/backend/alembic/versions/2025_10_10_1405-7af8f296d089_add_user_oauth.py

@@ -1,48 +0,0 @@
-"""add user oauth
-
-Revision ID: 7af8f296d089
-Revises: 390041bd839e
-Create Date: 2025-10-10 14:05:00.153376
-
-"""
-from typing import Sequence, Union
-
-import fastapi_users_db_sqlalchemy
-from alembic import op
-import sqlalchemy as sa
-
-
-# revision identifiers, used by Alembic.
-revision: str = '7af8f296d089'
-down_revision: Union[str, Sequence[str], None] = '390041bd839e'
-branch_labels: Union[str, Sequence[str], None] = None
-depends_on: Union[str, Sequence[str], None] = None
-
-
-def upgrade() -> None:
-    """Upgrade schema."""
-    # ### commands auto generated by Alembic - please adjust! ###
-    op.create_table('oauth_account',
-    sa.Column('id', fastapi_users_db_sqlalchemy.generics.GUID(), nullable=False),
-    sa.Column('user_id', fastapi_users_db_sqlalchemy.generics.GUID(), nullable=False),
-    sa.Column('oauth_name', sa.String(length=100), nullable=False),
-    sa.Column('access_token', sa.String(length=1024), nullable=False),
-    sa.Column('expires_at', sa.Integer(), nullable=True),
-    sa.Column('refresh_token', sa.String(length=1024), nullable=True),
-    sa.Column('account_id', sa.String(length=320), nullable=False),
-    sa.Column('account_email', sa.String(length=320), nullable=False),
-    sa.ForeignKeyConstraint(['user_id'], ['user.id'], ondelete='cascade'),
-    sa.PrimaryKeyConstraint('id')
-    )
-    op.create_index(op.f('ix_oauth_account_account_id'), 'oauth_account', ['account_id'], unique=False)
-    op.create_index(op.f('ix_oauth_account_oauth_name'), 'oauth_account', ['oauth_name'], unique=False)
-    # ### end Alembic commands ###
-
-
-def downgrade() -> None:
-    """Downgrade schema."""
-    # ### commands auto generated by Alembic - please adjust! ###
-    op.drop_index(op.f('ix_oauth_account_oauth_name'), table_name='oauth_account')
-    op.drop_index(op.f('ix_oauth_account_account_id'), table_name='oauth_account')
-    op.drop_table('oauth_account')
-    # ### end Alembic commands ###

7project/backend/app/app.py

@@ -1,16 +1,15 @@
 from fastapi import Depends, FastAPI
 from fastapi.middleware.cors import CORSMiddleware
 
-import app.services.user_service
 from app.models.user import User
 
 from app.schemas.user import UserCreate, UserRead, UserUpdate
 from app.services.user_service import auth_backend, current_active_verified_user, fastapi_users
 
-fastApi = FastAPI()
+app = FastAPI()
 
 # CORS for frontend dev server
-fastApi.add_middleware(
+app.add_middleware(
     CORSMiddleware,
     allow_origins=[
         "http://localhost:5173",
@@ -21,48 +20,37 @@ fastApi.add_middleware(
     allow_headers=["*"],
 )
 
-fastApi.include_router(
+app.include_router(
     fastapi_users.get_auth_router(auth_backend), prefix="/auth/jwt", tags=["auth"]
 )
-fastApi.include_router(
+app.include_router(
     fastapi_users.get_register_router(UserRead, UserCreate),
     prefix="/auth",
     tags=["auth"],
 )
-fastApi.include_router(
+app.include_router(
     fastapi_users.get_reset_password_router(),
     prefix="/auth",
     tags=["auth"],
 )
-fastApi.include_router(
+app.include_router(
     fastapi_users.get_verify_router(UserRead),
     prefix="/auth",
     tags=["auth"],
 )
-fastApi.include_router(
+app.include_router(
     fastapi_users.get_users_router(UserRead, UserUpdate),
     prefix="/users",
     tags=["users"],
 )
 
-fastApi.include_router(
-    fastapi_users.get_oauth_router(
-        app.services.user_service.mojeid_oauth_service,
-        auth_backend,
-        "SECRET",
-        associate_by_email=True
-    ),
-    prefix="/auth/mojeid",
-    tags=["auth"],
-)
-
 
 # Liveness/root endpoint
-@fastApi.get("/", include_in_schema=False)
+@app.get("/", include_in_schema=False)
 async def root():
     return {"status": "ok"}
 
 
-@fastApi.get("/authenticated-route")
+@app.get("/authenticated-route")
 async def authenticated_route(user: User = Depends(current_active_verified_user)):
     return {"message": f"Hello {user.email}!"}

7project/backend/app/models/user.py

@@ -1,19 +1,12 @@
-from typing import List
-
 from sqlalchemy import Column, String
 from sqlalchemy.orm import relationship
-from fastapi_users.db import SQLAlchemyBaseUserTableUUID, SQLAlchemyBaseOAuthAccountTableUUID
+from fastapi_users.db import SQLAlchemyBaseUserTableUUID
 from app.core.base import Base
 
 
-class OAuthAccount(SQLAlchemyBaseOAuthAccountTableUUID, Base):
-    pass
-
-
 class User(SQLAlchemyBaseUserTableUUID, Base):
     first_name = Column(String(length=100), nullable=True)
     last_name = Column(String(length=100), nullable=True)
-    oauth_accounts = relationship("OAuthAccount", lazy="joined")
 
     # Relationship
     transactions = relationship("Transaction", back_populates="user")

7project/backend/app/oauth/moje_id.py

@@ -1,48 +0,0 @@
-import json
-from typing import Optional, Literal
-
-from httpx_oauth.clients.openid import OpenID
-from httpx_oauth.oauth2 import OAuth2Token, GetAccessTokenError, T
-
-
-# claims=%7B%22id_token%22%3A%7B%22birthdate%22%3A%7B%22essential%22%3Atrue%7D%2C%22name%22%3A%7B%22essential%22%3Atrue%7D%2C%22given_name%22%3A%7B%22essential%22%3Atrue%7D%2C%22family_name%22%3A%7B%22essential%22%3Atrue%7D%2C%22email%22%3A%7B%22essential%22%3Atrue%7D%2C%22address%22%3A%7B%22essential%22%3Afalse%7D%2C%22mojeid_valid%22%3A%7B%22essential%22%3Atrue%7D%7D%7D
-class MojeIDOAuth(OpenID):
-    def __init__(self, client_id: str, client_secret: str):
-        super().__init__(
-            client_id,
-            client_secret,
-            "https://mojeid.regtest.nic.cz/.well-known/openid-configuration/",
-            "MojeID",
-            base_scopes=["openid", "email", "profile"],
-        )
-
-    async def get_authorization_url(
-            self,
-            redirect_uri: str,
-            state: Optional[str] = None,
-            scope: Optional[list[str]] = None,
-            code_challenge: Optional[str] = None,
-            code_challenge_method: Optional[Literal["plain", "S256"]] = None,
-            extras_params: Optional[T] = None,
-    ) -> str:
-        required_fields = {
-            'id_token': {
-                'name': {'essential': True},
-                'given_name': {'essential': True},
-                'family_name': {'essential': True},
-                'email': {'essential': True},
-                'mojeid_valid': {'essential': True},
-            }}
-
-        if extras_params is None:
-            extras_params = {}
-        extras_params["claims"] = json.dumps(required_fields)
-
-        return await super().get_authorization_url(
-            redirect_uri,
-            state,
-            scope,
-            code_challenge,
-            code_challenge_method,
-            extras_params,
-        )

7project/backend/app/services/db.py

@@ -4,13 +4,11 @@ from sqlalchemy.ext.asyncio import AsyncSession
 from fastapi_users.db import SQLAlchemyUserDatabase
 
 from ..core.db import async_session_maker
-from ..models.user import User, OAuthAccount
+from ..models.user import User
-
 
 async def get_async_session() -> AsyncGenerator[AsyncSession, None]:
     async with async_session_maker() as session:
         yield session
 
-
 async def get_user_db(session: AsyncSession = Depends(get_async_session)):
-    yield SQLAlchemyUserDatabase(session, User, OAuthAccount)
+    yield SQLAlchemyUserDatabase(session, User)

7project/backend/app/services/user_service.py

@@ -12,7 +12,6 @@ from fastapi_users.authentication.strategy.jwt import JWTStrategy
 from fastapi_users.db import SQLAlchemyUserDatabase
 
 from app.models.user import User
-from app.oauth.moje_id import MojeIDOAuth
 from app.services.db import get_user_db
 from app.core.queue import enqueue_email
 
@@ -20,11 +19,6 @@ SECRET = os.getenv("SECRET", "CHANGE_ME_SECRET")
 FRONTEND_URL = os.getenv("FRONTEND_URL", "http://localhost:5173")
 BACKEND_URL = os.getenv("BACKEND_URL", "http://localhost:8000")
 
-mojeid_oauth_service = MojeIDOAuth(
-    os.getenv("MOJEID_CLIENT_ID", "CHANGE_ME_CLIENT_ID"),
-    os.getenv("MOJEID_CLIENT_SECRET", "CHANGE_ME_CLIENT_SECRET"),
-)
-
 class UserManager(UUIDIDMixin, BaseUserManager[User, uuid.UUID]):
     reset_password_token_secret = SECRET
     verification_token_secret = SECRET

7project/backend/requirements.txt

@@ -11,7 +11,6 @@ asyncmy==0.2.9
 bcrypt==4.3.0
 billiard==4.2.2
 celery==5.5.3
-certifi==2025.10.5
 cffi==2.0.0
 click==8.1.8
 click-didyoumean==0.3.1
@@ -26,10 +25,7 @@ fastapi-users==14.0.1
 fastapi-users-db-sqlalchemy==7.0.0
 greenlet==3.2.4
 h11==0.16.0
-httpcore==1.0.9
 httptools==0.6.4
-httpx==0.28.1
-httpx-oauth==0.16.1
 idna==3.10
 kombu==5.5.4
 makefun==1.16.0

7project/tofu/main.tf

@@ -96,6 +96,13 @@ module "database" {
 
   phpmyadmin_enabled = var.phpmyadmin_enabled
   cloudflare_domain  = var.cloudflare_domain
+
+  s3_enabled = var.s3_enabled
+  s3_bucket = var.s3_bucket
+  s3_region = var.s3_region
+  s3_endpoint = var.s3_endpoint
+  s3_key_id = var.s3_key_id
+  s3_key_secret = var.s3_key_secret
 }
 
 #module "argocd" {

7project/tofu/modules/maxscale/charts/maxscale-helm/Chart.yaml

@@ -1,4 +1,4 @@
 apiVersion: v2
 name: maxscale-helm
-version: 1.0.8
+version: 1.0.14
 description: Helm chart for MaxScale related Kubernetes manifests

7project/tofu/modules/maxscale/charts/maxscale-helm/templates/backup.yaml

@@ -0,0 +1,42 @@
+{{- if .Values.s3.enabled }}
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: Backup
+metadata:
+  name: backup
+  namespace: mariadb-operator
+spec:
+  mariaDbRef:
+    name: mariadb-repl
+    namespace: mariadb-operator
+  schedule:
+    cron: "0 */3 * * *"
+    suspend: false
+  timeZone: "Europe/Prague"
+  maxRetention: 720h # 30 days
+  compression: bzip2
+  storage:
+    s3:
+      bucket: {{ .Values.s3.bucket | quote }}
+      endpoint: {{ .Values.s3.endpoint | quote }}
+      accessKeyIdSecretKeyRef:
+        name: s3-credentials
+        key: key_id
+      secretAccessKeySecretKeyRef:
+        name: s3-credentials
+        key: secret_key
+      region: {{ .Values.s3.region | quote }}
+      tls:
+        enabled: true
+  # Define a PVC to use as staging area for keeping the backups while they are being processed.
+  stagingStorage:
+    persistentVolumeClaim:
+      resources:
+        requests:
+          storage: 10Gi
+      accessModes:
+        - ReadWriteOnce
+  args:
+    - --single-transaction
+    - --all-databases
+  logLevel: info
+{{- end }}

7project/tofu/modules/maxscale/charts/maxscale-helm/templates/garage.yaml

@@ -0,0 +1,11 @@
+{{- if .Values.s3.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: s3-credentials
+  namespace: mariadb-operator
+type: Opaque
+stringData:
+  key_id: "{{ .Values.s3.key_id }}"
+  secret_key: "{{ .Values.s3.key_secret }}"
+{{- end }}

7project/tofu/modules/maxscale/charts/maxscale-helm/values.yaml

@@ -14,4 +14,12 @@ metallb:
 phpmyadmin:
   enabled: true
 
+s3:
+  enabled: false
+  endpoint: ""
+  region: ""
+  bucket: ""
+  key_id: ""
+  key_secret: ""
+
 base_domain: example.com

7project/tofu/modules/maxscale/main.tf

@@ -59,7 +59,7 @@ resource "helm_release" "mariadb-operator" {
 resource "helm_release" "maxscale_helm" {
   name       = "maxscale-helm"
   chart      = "${path.module}/charts/maxscale-helm"
-  version    = "1.0.8"
+  version    = "1.0.14"
   depends_on = [helm_release.mariadb-operator-crds, kubectl_manifest.secrets]
   timeout    = 3600
 
@@ -71,6 +71,12 @@ resource "helm_release" "maxscale_helm" {
     { name = "metallb.primary_ip", value = var.primary_ip },
     { name = "metallb.secondary_ip", value = var.secondary_ip },
     { name = "phpmyadmin.enabled", value = tostring(var.phpmyadmin_enabled) },
-    { name = "base_domain", value = var.cloudflare_domain }
+    { name = "base_domain", value = var.cloudflare_domain },
+    { name = "s3.key_id", value = var.s3_key_id },
+    { name = "s3.key_secret", value = var.s3_key_secret },
+    { name = "s3.enabled", value = var.s3_enabled },
+    { name = "s3.endpoint", value = var.s3_endpoint },
+    { name = "s3.region", value = var.s3_region },
+    { name = "s3.bucket", value = var.s3_bucket },
   ]
 }

7project/tofu/modules/maxscale/variables.tf

@@ -56,3 +56,35 @@ variable "cloudflare_domain" {
   default  = "Base cloudflare domain, e.g. example.com"
   nullable = false
 }
+
+variable "s3_key_id" {
+  description = "S3 Key ID for backups"
+  type        = string
+  sensitive   = true
+}
+
+variable "s3_key_secret" {
+  description = "S3 Key Secret for backups"
+  type        = string
+  sensitive   = true
+}
+
+variable "s3_enabled" {
+  description = "Enable S3 backups"
+  type        = bool
+}
+
+variable "s3_endpoint" {
+  description = "S3 endpoint for backups"
+  type        = string
+}
+
+variable "s3_region" {
+  description = "S3 region for backups"
+  type        = string
+}
+
+variable "s3_bucket" {
+  description = "S3 bucket name for backups"
+  type        = string
+}

7project/tofu/variables.tf

@@ -108,3 +108,40 @@ variable "rabbitmq-password" {
   sensitive   = true
   description = "Admin password for RabbitMQ user"
 }
+
+variable "s3_key_id" {
+  description = "S3 Key ID for backups"
+  type        = string
+  sensitive   = true
+  nullable    = false
+}
+
+variable "s3_key_secret" {
+  description = "S3 Key Secret for backups"
+  type        = string
+  sensitive   = true
+  nullable    = false
+}
+
+variable "s3_enabled" {
+  description = "Enable S3 backups"
+  type        = bool
+}
+
+variable "s3_endpoint" {
+  description = "S3 endpoint for backups"
+  type        = string
+}
+
+variable "s3_region" {
+  description = "S3 region for backups"
+  type        = string
+}
+
+variable "s3_bucket" {
+  description = "S3 bucket name for backups"
+  type        = string
+}
+
+
+