feat: Add automated backups for Forgejo (Postgres + git repos)

- CNPG Barman backup to Hetzner S3 (s3://k8s-and-chill-backups/forgejo/cnpg/) - ScheduledBackup CR: daily at 2 AM, 30d retention, prefer-standby - Git repo rclone sync to S3 (s3://k8s-and-chill-backups/forgejo/git/) via CronJob at 3 AM - Requires secrets: forgejo-backup-s3 (S3 creds), hcloud-token (not used but created) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-03 17:21:09 +02:00 · 2026-04-03 17:21:09 +02:00 · 167fc62b92
parent 25714eeef6
commit 167fc62b92
9 changed files with 249 additions and 3 deletions
--- a/envs/production/_apps/forgejo/argocd/replace-jobs.overlay.ytt.yaml
+++ b/envs/production/_apps/forgejo/argocd/replace-jobs.overlay.ytt.yaml
@ -4,8 +4,12 @@
 ---
 #@overlay/match-child-defaults missing_ok=True
 spec:
+  ignoreDifferences:
+    - group: ""
+      kind: PersistentVolumeClaim
+      jsonPointers:
+        - /spec/volumeName
  syncPolicy:
-    #@overlay/match missing_ok=True
    syncOptions:
      #@overlay/append
-      - Replace=true
+      - RespectIgnoreDifferences=true
--- a/prototypes/forgejo/ytt/cnpg-cluster.ytt.yaml
+++ b/prototypes/forgejo/ytt/cnpg-cluster.ytt.yaml
@ -27,6 +27,24 @@ spec:
    limits:
      memory: 512Mi

+  backup:
+    barmanObjectStore:
+      endpointURL: https://fsn1.your-objectstorage.com
+      destinationPath: s3://k8s-and-chill-backups/forgejo/cnpg
+      s3Credentials:
+        accessKeyId:
+          name: forgejo-backup-s3
+          key: ACCESS_KEY_ID
+        secretAccessKey:
+          name: forgejo-backup-s3
+          key: SECRET_ACCESS_KEY
+      wal:
+        compression: gzip
+      data:
+        compression: gzip
+    retentionPolicy: "30d"
+    target: prefer-standby
+
  postgresql:
    parameters:
      shared_buffers: "64MB"
--- a/prototypes/forgejo/ytt/cnpg-scheduled-backup.ytt.yaml
+++ b/prototypes/forgejo/ytt/cnpg-scheduled-backup.ytt.yaml
@ -0,0 +1,17 @@
+#@ load("@ytt:data", "data")
+
+#@ ns = data.values.application.namespace
+
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: ScheduledBackup
+metadata:
+  name: forgejo-daily-backup
+  namespace: #@ ns
+spec:
+  cluster:
+    name: forgejo-cnpg
+  schedule: "0 0 2 * * *"
+  method: barmanObjectStore
+  backupOwnerReference: cluster
+  target: prefer-standby
--- a/prototypes/forgejo/ytt/git-snapshot-cronjob.ytt.yaml
+++ b/prototypes/forgejo/ytt/git-snapshot-cronjob.ytt.yaml
@ -0,0 +1,87 @@
+#@ load("@ytt:data", "data")
+
+#@ ns = data.values.application.namespace
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: forgejo-git-backup
+  namespace: #@ ns
+
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: forgejo-git-backup
+  namespace: #@ ns
+spec:
+  schedule: "0 3 * * *"
+  concurrencyPolicy: Forbid
+  successfulJobsHistoryLimit: 3
+  failedJobsHistoryLimit: 3
+  jobTemplate:
+    spec:
+      ttlSecondsAfterFinished: 86400
+      template:
+        spec:
+          restartPolicy: OnFailure
+          serviceAccountName: forgejo-git-backup
+          nodeSelector:
+            kubernetes.io/hostname: ubuntu-4gb-nbg1-3
+          containers:
+            - name: backup
+              image: alpine:3.20
+              command:
+                - sh
+                - -c
+                - |
+                  set -e
+                  apk add --no-cache rclone > /dev/null 2>&1
+
+                  mkdir -p /tmp/rclone
+                  cat > /tmp/rclone/rclone.conf <<CONF
+                  [s3]
+                  type = s3
+                  provider = Other
+                  access_key_id = ${ACCESS_KEY_ID}
+                  secret_access_key = ${SECRET_ACCESS_KEY}
+                  endpoint = https://fsn1.your-objectstorage.com
+                  acl = private
+                  CONF
+
+                  echo "Syncing git repositories to S3..."
+                  rclone sync /data/git/ s3:k8s-and-chill-backups/forgejo/git/ \
+                    --config /tmp/rclone/rclone.conf \
+                    --transfers 4 \
+                    -v
+
+                  echo "Syncing gitea data (avatars, attachments, keys)..."
+                  rclone sync /data/gitea/ s3:k8s-and-chill-backups/forgejo/gitea/ \
+                    --config /tmp/rclone/rclone.conf \
+                    --exclude 'conf/**' \
+                    --exclude 'queues/**' \
+                    --transfers 4 \
+                    -v
+
+                  rm -rf /tmp/rclone
+                  echo "Backup complete."
+              env:
+                - name: ACCESS_KEY_ID
+                  valueFrom:
+                    secretKeyRef:
+                      name: forgejo-backup-s3
+                      key: ACCESS_KEY_ID
+                - name: SECRET_ACCESS_KEY
+                  valueFrom:
+                    secretKeyRef:
+                      name: forgejo-backup-s3
+                      key: SECRET_ACCESS_KEY
+              volumeMounts:
+                - name: data
+                  mountPath: /data
+                  readOnly: true
+          volumes:
+            - name: data
+              persistentVolumeClaim:
+                claimName: forgejo-git-storage
--- a/rendered/argocd/production/app-forgejo.yaml
+++ b/rendered/argocd/production/app-forgejo.yaml
@ -11,6 +11,11 @@ spec:
  destination:
    namespace: forgejo
    server: https://kubernetes.default.svc
+  ignoreDifferences:
+    - group: ""
+      jsonPointers:
+        - /spec/volumeName
+      kind: PersistentVolumeClaim
  project: env-production
  source:
    path: rendered/envs/production/forgejo
@ -23,4 +28,4 @@ spec:
    syncOptions:
      - CreateNamespace=true
      - ServerSideApply=true
-      - Replace=true
+      - RespectIgnoreDifferences=true
--- a/rendered/envs/production/forgejo/cluster-forgejo-cnpg.yaml
+++ b/rendered/envs/production/forgejo/cluster-forgejo-cnpg.yaml
@ -6,6 +6,23 @@ metadata:
  name: forgejo-cnpg
  namespace: forgejo
 spec:
+  backup:
+    barmanObjectStore:
+      data:
+        compression: gzip
+      destinationPath: s3://k8s-and-chill-backups/forgejo/cnpg
+      endpointURL: https://fsn1.your-objectstorage.com
+      s3Credentials:
+        accessKeyId:
+          key: ACCESS_KEY_ID
+          name: forgejo-backup-s3
+        secretAccessKey:
+          key: SECRET_ACCESS_KEY
+          name: forgejo-backup-s3
+      wal:
+        compression: gzip
+    retentionPolicy: 30d
+    target: prefer-standby
  bootstrap:
    initdb:
      database: forgejo
--- a/rendered/envs/production/forgejo/cronjob-forgejo-git-backup.yaml
+++ b/rendered/envs/production/forgejo/cronjob-forgejo-git-backup.yaml
@ -0,0 +1,77 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  annotations:
+    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
+  name: forgejo-git-backup
+  namespace: forgejo
+spec:
+  concurrencyPolicy: Forbid
+  failedJobsHistoryLimit: 3
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+            - command:
+                - sh
+                - -c
+                - |
+                  set -e
+                  apk add --no-cache rclone > /dev/null 2>&1
+
+                  mkdir -p /tmp/rclone
+                  cat > /tmp/rclone/rclone.conf <<CONF
+                  [s3]
+                  type = s3
+                  provider = Other
+                  access_key_id = ${ACCESS_KEY_ID}
+                  secret_access_key = ${SECRET_ACCESS_KEY}
+                  endpoint = https://fsn1.your-objectstorage.com
+                  acl = private
+                  CONF
+
+                  echo "Syncing git repositories to S3..."
+                  rclone sync /data/git/ s3:k8s-and-chill-backups/forgejo/git/ \
+                    --config /tmp/rclone/rclone.conf \
+                    --transfers 4 \
+                    -v
+
+                  echo "Syncing gitea data (avatars, attachments, keys)..."
+                  rclone sync /data/gitea/ s3:k8s-and-chill-backups/forgejo/gitea/ \
+                    --config /tmp/rclone/rclone.conf \
+                    --exclude 'conf/**' \
+                    --exclude 'queues/**' \
+                    --transfers 4 \
+                    -v
+
+                  rm -rf /tmp/rclone
+                  echo "Backup complete."
+              env:
+                - name: ACCESS_KEY_ID
+                  valueFrom:
+                    secretKeyRef:
+                      key: ACCESS_KEY_ID
+                      name: forgejo-backup-s3
+                - name: SECRET_ACCESS_KEY
+                  valueFrom:
+                    secretKeyRef:
+                      key: SECRET_ACCESS_KEY
+                      name: forgejo-backup-s3
+              image: alpine:3.20
+              name: backup
+              volumeMounts:
+                - mountPath: /data
+                  name: data
+                  readOnly: true
+          nodeSelector:
+            kubernetes.io/hostname: ubuntu-4gb-nbg1-3
+          restartPolicy: OnFailure
+          serviceAccountName: forgejo-git-backup
+          volumes:
+            - name: data
+              persistentVolumeClaim:
+                claimName: forgejo-git-storage
+      ttlSecondsAfterFinished: 86400
+  schedule: 0 3 * * *
+  successfulJobsHistoryLimit: 3
--- a/rendered/envs/production/forgejo/scheduledbackup-forgejo-daily-backup.yaml
+++ b/rendered/envs/production/forgejo/scheduledbackup-forgejo-daily-backup.yaml
@ -0,0 +1,14 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: ScheduledBackup
+metadata:
+  annotations:
+    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
+  name: forgejo-daily-backup
+  namespace: forgejo
+spec:
+  backupOwnerReference: cluster
+  cluster:
+    name: forgejo-cnpg
+  method: barmanObjectStore
+  schedule: 0 0 2 * * *
+  target: prefer-standby
--- a/rendered/envs/production/forgejo/serviceaccount-forgejo-git-backup.yaml
+++ b/rendered/envs/production/forgejo/serviceaccount-forgejo-git-backup.yaml
@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
+  name: forgejo-git-backup
+  namespace: forgejo