From 304faa30677a0a03b7f16a0b7ee4b10cb7f26d82 Mon Sep 17 00:00:00 2001
From: Shahab Dogar <shahab@dogar.dev>
Date: Sat, 6 Sep 2025 19:37:17 +0500
Subject: [PATCH] feat: add barman support and update CLAUDE.md

---
 1password/secrets.json |   4 ++
 CLAUDE.md              | 105 +++++++++++++++++++++++++++++++++++++++++
 main.ts                |   1 +
 3 files changed, 110 insertions(+)
 create mode 100644 CLAUDE.md

diff --git a/1password/secrets.json b/1password/secrets.json
index 70c0ac7..d53de47 100644
--- a/1password/secrets.json
+++ b/1password/secrets.json
@@ -79,5 +79,9 @@
     "name": "longhorn-backup",
     "namespace": "longhorn-system",
     "itemPath": "vaults/Lab/items/longhorn-backup"
+  },
+  {
+    "name": "cloudflare-r2-token",
+    "itemPath": "vaults/Private/items/cloudflare"
   }
 ]
diff --git a/CLAUDE.md b/CLAUDE.md
new file mode 100644
index 0000000..3e32ce6
--- /dev/null
+++ b/CLAUDE.md
@@ -0,0 +1,105 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Project Overview
+
+This is a homelab infrastructure-as-code project using CDKTF (Cloud Development Kit for Terraform) with TypeScript. The project defines and manages a complete Kubernetes-based homelab environment including various services like GitLab, Postgres clusters, authentication systems, and monitoring solutions.
+
+## Architecture
+
+The project follows a modular architecture pattern where each service is implemented as a TypeScript class extending `Construct`. The main stack is defined in `main.ts` which orchestrates all the services:
+
+- **Core Stack**: Located in `main.ts` - defines the main `Homelab` class that manages all infrastructure components
+- **Service Modules**: Each service (Gitea, Postgres, Authentik, etc.) is in its own directory with an `index.ts` file
+- **Helm Values**: Service-specific Helm chart values are stored in `helm/values/` directory
+- **State Management**: Uses Cloudflare R2 as the Terraform state backend
+
+### Key Services Managed
+
+- **GitLab Server** (`gitea/`) - Self-hosted Git repository management
+- **PostgreSQL Cluster** (`postgres/`) - Multi-instance database cluster with TLS certificates
+- **Authentik** (`authentik/`) - Identity and access management
+- **Redis Cluster** (`redis/`) - In-memory data structure store
+- **Monitoring Stack** (`prometheus/`) - Prometheus-based monitoring
+- **Storage** (`longhorn/`) - Distributed block storage
+- **Load Balancing** (`metallb/`) - Bare metal load balancer
+- **Ingress** (`nginx/`) - HTTP/HTTPS ingress controller
+- **DNS** (`pihole/`) - Network-wide ad blocking
+- **Secret Management** (`1password/`) - External secrets integration
+
+## Development Commands
+
+### Build and Compilation
+```bash
+npm run build          # Compile TypeScript to JavaScript
+npm run compile        # Compile with pretty output
+npm run watch          # Watch mode for development
+```
+
+### CDKTF Operations
+```bash
+npm run get            # Download and generate provider bindings
+npm run synth          # Generate Terraform configuration
+cdktf deploy           # Deploy infrastructure
+cdktf destroy          # Destroy infrastructure
+```
+
+### Environment Setup
+```bash
+nix develop            # Enter development environment (requires Nix)
+```
+
+## Development Environment
+
+The project uses Nix for development environment management. The `flake.nix` provides:
+- Node.js 24
+- Terraform and CDKTF CLI
+- Kubernetes tooling (kubectl, helm)
+- Development tools (TypeScript LSP, prettier, jq)
+- Infrastructure tools (tflint, awscli2)
+
+## Environment Variables
+
+Required environment variables (defined in `.env`):
+- `R2_ACCESS_KEY_ID` - Cloudflare R2 access key
+- `R2_SECRET_ACCESS_KEY` - Cloudflare R2 secret key  
+- `ACCOUNT_ID` - Cloudflare account ID
+- `BUCKET` - R2 bucket name for state storage
+
+## TypeScript Configuration
+
+The project uses strict TypeScript configuration with:
+- Target: ES2018
+- Module: CommonJS
+- Strict type checking enabled
+- Declaration files generated
+- Incremental compilation
+
+## Working with Services
+
+Each service follows a consistent pattern:
+1. Service class in `{service}/index.ts`
+2. Helm values file in `helm/values/{service}.values.yaml`
+3. Service instantiated in `main.ts` with required providers and configuration
+
+When adding new services:
+- Create a new directory with `index.ts`
+- Define a TypeScript class extending `Construct`
+- Add Helm values file if using Helm charts
+- Import and instantiate in `main.ts`
+
+## Certificate Management
+
+The PostgreSQL cluster includes comprehensive TLS certificate management using cert-manager:
+- Self-signed root CA certificates
+- Separate server and client certificate chains
+- Automatic certificate rotation
+- Client certificates for database users
+
+## Storage and Networking
+
+- **Storage Class**: Uses `longhorn-crypto` for encrypted persistent volumes
+- **Networking**: MetalLB provides load balancer services for bare metal
+- **DNS**: Custom CoreDNS configuration for internal name resolution
+- **Ingress**: Nginx ingress controller for HTTP/HTTPS traffic
\ No newline at end of file
diff --git a/main.ts b/main.ts
index 0ac3b91..877e3c3 100644
--- a/main.ts
+++ b/main.ts
@@ -128,6 +128,7 @@ class Homelab extends TerraformStack {
       users: ["shahab", "budget-tracker"],
       primaryUser: "shahab",
       initSecretName: "postgres-password",
+      backupR2EndpointURL: `https://${env.ACCOUNT_ID}.r2.cloudflarestorage.com/homelab-backups`,
     });
 
     new RedisCluster(this, "redis-cluster", {