From 4929cf97b72abb67fbc05a5cf39e6e9dee82fce2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=A1rcio=20Fernandes?= Date: Mon, 10 Mar 2025 21:22:09 +0000 Subject: [PATCH] feat: added borg backup job with offsite borg sync --- backup/backup-cronjob.yaml | 14 ++- backup/borbackup-offsite-cronjob.yaml | 127 ++++++++++++++++++++++++++ backup/gitea-backup-secret-deploy.sh | 2 +- backup/gitea-backup-secret.yaml | 8 +- 4 files changed, 138 insertions(+), 13 deletions(-) create mode 100644 backup/borbackup-offsite-cronjob.yaml diff --git a/backup/backup-cronjob.yaml b/backup/backup-cronjob.yaml index baf1260..021a98a 100644 --- a/backup/backup-cronjob.yaml +++ b/backup/backup-cronjob.yaml @@ -18,26 +18,24 @@ spec: args: - | echo "INFO: Starting export" - . /run/database-access-secret/database + . /root/.gitea-inline-config/database export PGPASSWORD=$PASSWD echo "INFO: Exporting database" pg_dump -h gitea-postgresql.git-limbosolutions-com.svc.cluster.local -U $USER -d $NAME > /data/postgresql-export/db_backup.sql if [ $? -ne 0 ]; then echo "ERROR: Exporting database failed" exit 1 - fi + fi echo "INFO: Exporting database finished" volumeMounts: - - name: db-postgresql-data - mountPath: /var/lib/postgresql/data - + - name: backup-run-data mountPath: /data/postgresql-export subPath: postgresql-export - - name: database-access-secret - mountPath: /run/database-access-secret + - name: gitea-inline-config + mountPath: /root/.gitea-inline-config readOnly: true containers: @@ -96,6 +94,6 @@ spec: - name: backup-run-data emptyDir: {} - - name: database-access-secret + - name: gitea-inline-config secret: secretName: gitea-inline-config \ No newline at end of file diff --git a/backup/borbackup-offsite-cronjob.yaml b/backup/borbackup-offsite-cronjob.yaml new file mode 100644 index 0000000..be98cde --- /dev/null +++ b/backup/borbackup-offsite-cronjob.yaml 
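Review bot: The `gitea-inline-config` mount in the `postgres-export` init container exposes every key of that secret under `/root/.gitea-inline-config`, although the script only sources `database`. If the secret carries other config sections (presumably it does, given its name; confirm), restrict the projection in the `gitea-inline-config` volume at the end of this file by adding `items: [{key: database, path: database}]` under `secret:`. The script also runs that file as shell via `.` and expands `$USER` and `$NAME` unquoted, so `-U "$USER" -d "$NAME"` would keep an unusual value from being word-split. The same mount and script appear in the init container of `backup/borbackup-offsite-cronjob.yaml`. The container spec starts above this hunk.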
@@ -0,0 +1,127 @@ + +apiVersion: batch/v1 +kind: CronJob +metadata: + name: gitea-backup-offsite + namespace: git-limbosolutions-com +spec: + schedule: "0 2 * * *" + jobTemplate: + spec: + backoffLimit: 1 + template: + spec: + restartPolicy: Never + initContainers: + - name: postgres-export + image: postgres:latest + command: ["sh", "-c"] + args: + - | + echo "INFO: Starting export" + . /root/.gitea-inline-config/database + export PGPASSWORD=$PASSWD + echo "INFO: Exporting database" + pg_dump -h gitea-postgresql.git-limbosolutions-com.svc.cluster.local -U $USER -d $NAME > /data/postgresql-export/db_backup.sql + if [ $? -ne 0 ]; then + echo "ERROR: Exporting database failed" + exit 1 + fi + echo "INFO: Exporting database finished" + + volumeMounts: + + - name: backup-var-data + mountPath: /data/postgresql-export + subPath: postgresql-export + + - name: gitea-inline-config + mountPath: /root/.gitea-inline-config + readOnly: true + + containers: + - name: borg-client + image: git.limbosolutions.com/kb/borg-backup:latest + resources: + limits: + memory: "512Mi" + cpu: "500m" + requests: + memory: "256Mi" + cpu: "250m" + env: + - name: BORG_REPO + valueFrom: + secretKeyRef: + name: gitea-backup-secret + key: BORG_REPO + + - name: BORG_PASSPHRASE + valueFrom: + secretKeyRef: + name: gitea-backup-secret + key: BORG_PASSPHRASE + + - name: BORG_RSH + value: ssh -o StrictHostKeyChecking=no + + - name: BORG_KEY_FILE + value: /root/.borg/key + + command: ["sh", "-c"] + args: + - | + + borg create ${BORG_REPO}::"postgresql-export-$(date +%Y-%m-%d_%H:%M:%S)" /data/postgresql-export + if [ $? -ne 0 ]; then + echo "ERROR: Borg backup failed" + exit 1 + fi + + borg create ${BORG_REPO}::"gitea-data-$(date +%Y-%m-%d_%H:%M:%S)" /data/gitea-data + if [ $? 
-ne 0 ]; then + echo "ERROR: Borg backup failed" + exit 1 + fi + + ${BORG_RSH} mf@backupsrv01.dev.lan \ + "rclone sync ~/borg-repos/git.limbosolutions.com mf.onedrive:.backups/git.limbosolutions.com/borg" && + echo "INFO: borg repo offsite sync finished" + + volumeMounts: + - name: gitea-data + mountPath: /data/gitea-data + + - name: backup-var-data + mountPath: /data/postgresql-export + subPath: postgresql-export + + - name: gitea-backup-secret + mountPath: /root/.borg/key + subPath: BORG_KEY_FILE + + - name: gitea-backup-secret + mountPath: /root/.ssh/id_rsa + subPath: SSH_ID_RSA + + + volumes: + - name: gitea-data + persistentVolumeClaim: + claimName: gitea-shared-storage + + - name: gitea-inline-config + secret: + secretName: gitea-inline-config + + - name: gitea-backup-secret + secret: + secretName: gitea-backup-secret + defaultMode: 0600 + + - name: backup-var-data + emptyDir: {} + + + + diff --git a/backup/gitea-backup-secret-deploy.sh b/backup/gitea-backup-secret-deploy.sh index 2cd37b8..db6a0d5 100755 --- a/backup/gitea-backup-secret-deploy.sh +++ b/backup/gitea-backup-secret-deploy.sh @@ -5,4 +5,4 @@ export $(cut -d= -f1 ./.env) -envsubst < secret.yaml | kubectl apply -f - \ No newline at end of file +envsubst < gitea-backup-secret.yaml | kubectl apply -f - \ No newline at end of file diff --git a/backup/gitea-backup-secret.yaml b/backup/gitea-backup-secret.yaml index 9164fde..2e85212 100644 --- a/backup/gitea-backup-secret.yaml +++ b/backup/gitea-backup-secret.yaml @@ -8,7 +8,7 @@ data: PBS_REPOSITORY: ${PBS_REPOSITORY} PBS_PASSWORD: ${PBS_PASSWORD} PBS_FINGERPRINT: ${PBS_FINGERPRINT} - DB_USER: ${DB_USER} - DB_PASSWORD: ${DB_PASSWORD} - DB_NAME: ${DB_NAME} - DB_HOST: ${DB_HOST} + BORG_KEY_FILE: ${BORG_KEY_FILE} + BORG_REPO: ${BORG_REPO} + BORG_PASSPHRASE: ${BORG_PASSPHRASE} + SSH_ID_RSA: ${SSH_ID_RSA}
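Review bot: `BORG_RSH` is set to `ssh -o StrictHostKeyChecking=no`, so neither the borg transport nor the later `${BORG_RSH} mf@backupsrv01.dev.lan` call verifies the server's host key, and the job would present its SSH key and send backup data to whichever host answers on that name. Pin the key instead: store the server's public host key in `gitea-backup-secret` under a new key (placeholder name `SSH_KNOWN_HOSTS`), mount it at `/root/.ssh/known_hosts` with `subPath` like the two existing key files, and set `value: ssh -o StrictHostKeyChecking=yes -o UserKnownHostsFile=/root/.ssh/known_hosts`. Separately, `borg create` only reads the `gitea-data` mount in `borg-client`, so it can take `readOnly: true`. Both images use `:latest`, so a scheduled job holding these secrets runs whatever was last pushed; pin a tag or digest.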
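Review bot: The new `BORG_KEY_FILE` and `SSH_ID_RSA` entries sit under `data:`, which accepts only base64, and `envsubst` pastes the `.env` value in verbatim, so a raw multi-line key would break the manifest or be rejected on apply. Nothing visible in the hunk states the expected encoding; add a comment above `data:` such as `# every value must be single-line base64 in .env (e.g. base64 -w0 < keyfile)`. The top of the manifest is outside this hunk, so this assumes no such note already exists there.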