From 3737e2e60a16f11952a79625c157e84d970c6e1b Mon Sep 17 00:00:00 2001
From: Alex Lebens <alexanderlebens@gmail.com>
Date: Thu, 7 May 2026 15:13:54 -0500
Subject: [PATCH] feat: migrate to backblaze

---
 .../cl01tl/helm/cloudnative-pg/values.yaml    |  15 +-
 clusters/cl01tl/helm/directus/Chart.lock      |   7 +-
 clusters/cl01tl/helm/directus/Chart.yaml      |   4 +
 clusters/cl01tl/helm/directus/values.yaml     |  26 ++-
 clusters/cl01tl/helm/karakeep/Chart.lock      |   7 +-
 clusters/cl01tl/helm/karakeep/Chart.yaml      |   4 +
 clusters/cl01tl/helm/karakeep/values.yaml     |  25 ++-
 clusters/cl01tl/helm/ntfy/values.yaml         |   2 +-
 clusters/cl01tl/helm/openbao/values.yaml      |   5 +-
 clusters/cl01tl/helm/rclone/Chart.yaml        |   4 +
 clusters/cl01tl/helm/rclone/values.yaml       | 165 ++++--------------
 11 files changed, 116 insertions(+), 148 deletions(-)

diff --git a/clusters/cl01tl/helm/cloudnative-pg/values.yaml b/clusters/cl01tl/helm/cloudnative-pg/values.yaml
index 7b3e40085..230774d2a 100644
--- a/clusters/cl01tl/helm/cloudnative-pg/values.yaml
+++ b/clusters/cl01tl/helm/cloudnative-pg/values.yaml
@@ -18,7 +18,7 @@ rclone-postgres-backups-remote:
   nameOverride: postgres-backups-remote-rclone
   cronJob:
     suspend: false
-    schedule: 0 6 * * 6
+    schedule: 30 6 * * 1
   rclone:
     source:
       bucketName: postgres-backups
@@ -44,14 +44,13 @@ rclone-postgres-backups-remote:
 rclone-postgres-backups-external:
   nameOverride: postgres-backups-external-rclone
   cronJob:
-    suspend: true
-    schedule: 0 6 * * 6
+    suspend: false
+    schedule: 0 6 * * 1
   rclone:
     source:
-      bucketName: openbao-backups
+      bucketName: postgres-backups
     destination:
-      bucketName: postgres-backups-ecc1010276b61716
-      providerType: DigitalOcean
+      bucketName: postgres-backups-775957147abfbc73
   prune:
     enabled: true
     ageToPrune: 45d
@@ -66,10 +65,10 @@ rclone-postgres-backups-external:
           path: /garage/config
       destination:
         credentials:
-          path: /digital-ocean/home-infra/postgres-backups
+          path: /backblaze/home-infra/postgres-backups
           keyIdProperty: AWS_ACCESS_KEY_ID
           secretKeyProperty: AWS_SECRET_ACCESS_KEY
           regionProperty: AWS_REGION
         config:
-          path: /digital-ocean/config
+          path: /backblaze/config
           endpointProperty: ENDPOINT
diff --git a/clusters/cl01tl/helm/directus/Chart.lock b/clusters/cl01tl/helm/directus/Chart.lock
index b1f930340..ada680acb 100644
--- a/clusters/cl01tl/helm/directus/Chart.lock
+++ b/clusters/cl01tl/helm/directus/Chart.lock
@@ -11,5 +11,8 @@ dependencies:
 - name: rclone-bucket
   repository: oci://harbor.alexlebens.net/helm-charts
   version: 0.7.0
-digest: sha256:3dea680a7391a11ea84cb6b81a0fd336590e59b163c7c3f5a11efc57136d8bc2
-generated: "2026-05-07T01:19:59.656347343Z"
+- name: rclone-bucket
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.7.0
+digest: sha256:5be9eefefbda2ebe4b33dd0e0684f3688781de408bb666113e3b44e6e6b606dc
+generated: "2026-05-07T15:08:44.150931-05:00"
diff --git a/clusters/cl01tl/helm/directus/Chart.yaml b/clusters/cl01tl/helm/directus/Chart.yaml
index 3e10c0990..a47d0575e 100644
--- a/clusters/cl01tl/helm/directus/Chart.yaml
+++ b/clusters/cl01tl/helm/directus/Chart.yaml
@@ -32,6 +32,10 @@ dependencies:
     alias: rclone-directus-assets-remote
     repository: oci://harbor.alexlebens.net/helm-charts
     version: 0.7.0
+  - name: rclone-bucket
+    alias: rclone-directus-assets-external
+    repository: oci://harbor.alexlebens.net/helm-charts
+    version: 0.7.0
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/directus.png
 # renovate: datasource=github-releases depName=directus/directus
 appVersion: 11.17.4
diff --git a/clusters/cl01tl/helm/directus/values.yaml b/clusters/cl01tl/helm/directus/values.yaml
index 7c7f6cf57..95d7574d5 100644
--- a/clusters/cl01tl/helm/directus/values.yaml
+++ b/clusters/cl01tl/helm/directus/values.yaml
@@ -211,9 +211,10 @@ valkey:
         default:
           permissions: "~* &* +@all"
 rclone-directus-assets-remote:
+  nameOverride: directus-assets-remote-rclone
   cronJob:
     suspend: false
-    schedule: 0 0 * * *
+    schedule: 30 6 * * 2
   rclone:
     source:
       bucketName: directus-assets
@@ -231,3 +232,26 @@ rclone-directus-assets-remote:
           path: /garage/home-infra/directus-assets
         config:
           path: /garage/config
+rclone-directus-assets-external:
+  nameOverride: directus-assets-external-rclone
+  cronJob:
+    suspend: false
+    schedule: 0 6 * * 2
+  rclone:
+    source:
+      bucketName: directus-assets
+    destination:
+      bucketName: directus-assets-37363a16b71dc59b
+  secret:
+    externalSecret:
+      source:
+        credentials:
+          path: /garage/home-infra/directus-assets
+        config:
+          path: /garage/config
+      destination:
+        credentials:
+          path: /backblaze/home-infra/directus-assets
+        config:
+          path: /backblaze/config
+          endpointProperty: ENDPOINT
diff --git a/clusters/cl01tl/helm/karakeep/Chart.lock b/clusters/cl01tl/helm/karakeep/Chart.lock
index 97f6c2639..bd379ad31 100644
--- a/clusters/cl01tl/helm/karakeep/Chart.lock
+++ b/clusters/cl01tl/helm/karakeep/Chart.lock
@@ -14,5 +14,8 @@ dependencies:
 - name: rclone-bucket
   repository: oci://harbor.alexlebens.net/helm-charts
   version: 0.7.0
-digest: sha256:bb424fe9bed824b37aa26d0e72d123fea5f5c3fcae4eaa21a54e087f2b52421a
-generated: "2026-05-07T01:20:20.489019444Z"
+- name: rclone-bucket
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.7.0
+digest: sha256:be0234cbbed7e9cd59ceaa9f0c8f4478cbd572867a8766f45840ec6d79a6a6aa
+generated: "2026-05-07T15:09:58.731382-05:00"
diff --git a/clusters/cl01tl/helm/karakeep/Chart.yaml b/clusters/cl01tl/helm/karakeep/Chart.yaml
index c9d427496..9918f505a 100644
--- a/clusters/cl01tl/helm/karakeep/Chart.yaml
+++ b/clusters/cl01tl/helm/karakeep/Chart.yaml
@@ -37,6 +37,10 @@ dependencies:
     alias: rclone-karakeep-assets-remote
     repository: oci://harbor.alexlebens.net/helm-charts
     version: 0.7.0
+  - name: rclone-bucket
+    alias: rclone-karakeep-assets-external
+    repository: oci://harbor.alexlebens.net/helm-charts
+    version: 0.7.0
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/karakeep.png
 # renovate: datasource=github-releases depName=karakeep-app/karakeep
 appVersion: 0.31.0
diff --git a/clusters/cl01tl/helm/karakeep/values.yaml b/clusters/cl01tl/helm/karakeep/values.yaml
index c7880677e..8a6f2a603 100644
--- a/clusters/cl01tl/helm/karakeep/values.yaml
+++ b/clusters/cl01tl/helm/karakeep/values.yaml
@@ -175,7 +175,7 @@ volsync-target-data:
 rclone-karakeep-assets-remote:
   cronJob:
     suspend: false
-    schedule: 10 0 * * *
+    schedule: 30 6 * * 3
   rclone:
     source:
       bucketName: karakeep-assets
@@ -193,3 +193,26 @@ rclone-karakeep-assets-remote:
           path: /garage/home-infra/karakeep-assets
         config:
           path: /garage/config
+rclone-karakeep-assets-external:
+  nameOverride: karakeep-assets-external-rclone
+  cronJob:
+    suspend: false
+    schedule: 0 6 * * 3
+  rclone:
+    source:
+      bucketName: karakeep-assets
+    destination:
+      bucketName: karakeep-assets-bcb0bc04dac3e3fd
+  secret:
+    externalSecret:
+      source:
+        credentials:
+          path: /garage/home-infra/karakeep-assets
+        config:
+          path: /garage/config
+      destination:
+        credentials:
+          path: /backblaze/home-infra/karakeep-assets
+        config:
+          path: /backblaze/config
+          endpointProperty: ENDPOINT
diff --git a/clusters/cl01tl/helm/ntfy/values.yaml b/clusters/cl01tl/helm/ntfy/values.yaml
index 728937585..fe9527895 100644
--- a/clusters/cl01tl/helm/ntfy/values.yaml
+++ b/clusters/cl01tl/helm/ntfy/values.yaml
@@ -127,7 +127,7 @@ postgres-18-cluster:
 rclone-ntfy-attachments-remote:
   cronJob:
     suspend: false
-    schedule: 50 0 * * *
+    schedule: 0 1 * * *
   rclone:
     source:
       bucketName: ntfy-attachments
diff --git a/clusters/cl01tl/helm/openbao/values.yaml b/clusters/cl01tl/helm/openbao/values.yaml
index 264e85c79..3ea3d5c5a 100644
--- a/clusters/cl01tl/helm/openbao/values.yaml
+++ b/clusters/cl01tl/helm/openbao/values.yaml
@@ -243,7 +243,7 @@ rclone-openbao-backups-remote:
   nameOverride: openbao-backups-remote-rclone
   cronJob:
     suspend: false
-    schedule: 0 1 * * *
+    schedule: 30 6 * * 4
   rclone:
     source:
       bucketName: openbao-backups
@@ -268,13 +268,12 @@ rclone-openbao-backups-external:
   nameOverride: openbao-backups-external-rclone
   cronJob:
     suspend: false
-    schedule: 10 1 * * *
+    schedule: 0 6 * * 4
   rclone:
     source:
       bucketName: openbao-backups
     destination:
       bucketName: openbao-backups-038053cd180284dc
-      providerType: Other
   prune:
     enabled: true
     ageToPrune: 90d
diff --git a/clusters/cl01tl/helm/rclone/Chart.yaml b/clusters/cl01tl/helm/rclone/Chart.yaml
index 759a95b42..124cea7ee 100644
--- a/clusters/cl01tl/helm/rclone/Chart.yaml
+++ b/clusters/cl01tl/helm/rclone/Chart.yaml
@@ -17,6 +17,10 @@ dependencies:
     alias: rclone-web-assets-remote
     repository: oci://harbor.alexlebens.net/helm-charts
     version: 0.7.0
+  - name: rclone-bucket
+    alias: rclone-web-assets-remote
+    repository: oci://harbor.alexlebens.net/helm-charts
+    version: 0.7.0
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/rclone.png
 # renovate: datasource=github-releases depName=rclone/rclone
 appVersion: v1.74.0
diff --git a/clusters/cl01tl/helm/rclone/values.yaml b/clusters/cl01tl/helm/rclone/values.yaml
index 379e86d70..9ab045c8a 100644
--- a/clusters/cl01tl/helm/rclone/values.yaml
+++ b/clusters/cl01tl/helm/rclone/values.yaml
@@ -1,144 +1,49 @@
-rclone:
-  controllers:
-    postgres-backups:
-      type: cronjob
-      cronjob:
-        suspend: false
-        timeZone: America/Chicago
-        schedule: 40 0 * * *
-        backoffLimit: 3
-        parallelism: 1
-      containers:
-        sync:
-          image:
-            repository: rclone/rclone
-            tag: 1.74.0@sha256:d2e0e88359d0b2e67cfcd2c43d5405185eb8adfc207079df27c42da82c5207bc
-          args:
-            - sync
-            - src:postgres-backups
-            - dest:postgres-backups
-            - --s3-no-check-bucket
-            - --max-age
-            - 30d
-            - --include
-            - "/cl01tl/*/*/*/base/**"
-            - --exclude
-            - "**/walls/**"
-            - --verbose
-          env:
-            - name: RCLONE_S3_PROVIDER
-              value: Other
-            - name: RCLONE_CONFIG_SRC_TYPE
-              value: s3
-            - name: RCLONE_CONFIG_SRC_PROVIDER
-              value: Other
-            - name: RCLONE_CONFIG_SRC_ENV_AUTH
-              value: false
-            - name: RCLONE_CONFIG_SRC_ACCESS_KEY_ID
-              valueFrom:
-                secretKeyRef:
-                  name: garage-postgres-backups-secret
-                  key: ACCESS_KEY_ID
-            - name: RCLONE_CONFIG_SRC_SECRET_ACCESS_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: garage-postgres-backups-secret
-                  key: ACCESS_SECRET_KEY
-            - name: RCLONE_CONFIG_SRC_REGION
-              valueFrom:
-                secretKeyRef:
-                  name: garage-postgres-backups-secret
-                  key: ACCESS_REGION
-            - name: RCLONE_CONFIG_SRC_ENDPOINT
-              valueFrom:
-                secretKeyRef:
-                  name: garage-postgres-backups-secret
-                  key: SRC_ENDPOINT
-            - name: RCLONE_CONFIG_SRC_S3_FORCE_PATH_STYLE
-              value: true
-            - name: RCLONE_CONFIG_DEST_TYPE
-              value: s3
-            - name: RCLONE_CONFIG_DEST_PROVIDER
-              value: Other
-            - name: RCLONE_CONFIG_DEST_ENV_AUTH
-              value: false
-            - name: RCLONE_CONFIG_DEST_ACCESS_KEY_ID
-              valueFrom:
-                secretKeyRef:
-                  name: garage-postgres-backups-secret
-                  key: ACCESS_KEY_ID
-            - name: RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: garage-postgres-backups-secret
-                  key: ACCESS_SECRET_KEY
-            - name: RCLONE_CONFIG_DEST_REGION
-              valueFrom:
-                secretKeyRef:
-                  name: garage-postgres-backups-secret
-                  key: ACCESS_REGION
-            - name: RCLONE_CONFIG_DEST_ENDPOINT
-              valueFrom:
-                secretKeyRef:
-                  name: garage-postgres-backups-secret
-                  key: DEST_ENDPOINT
-            - name: RCLONE_CONFIG_SRC_DEST_FORCE_PATH_STYLE
-              value: true
-        prune:
-          image:
-            repository: rclone/rclone
-            tag: 1.74.0@sha256:d2e0e88359d0b2e67cfcd2c43d5405185eb8adfc207079df27c42da82c5207bc
-          args:
-            - delete
-            - dest:postgres-backups
-            - --min-age
-            - 30d
-            - --verbose
-          env:
-            - name: RCLONE_CONFIG_DEST_TYPE
-              value: s3
-            - name: RCLONE_CONFIG_DEST_PROVIDER
-              value: Other
-            - name: RCLONE_CONFIG_DEST_ENV_AUTH
-              value: false
-            - name: RCLONE_CONFIG_DEST_ACCESS_KEY_ID
-              valueFrom:
-                secretKeyRef:
-                  name: garage-postgres-backups-secret
-                  key: ACCESS_KEY_ID
-            - name: RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: garage-postgres-backups-secret
-                  key: ACCESS_SECRET_KEY
-            - name: RCLONE_CONFIG_DEST_REGION
-              valueFrom:
-                secretKeyRef:
-                  name: garage-postgres-backups-secret
-                  key: ACCESS_REGION
-            - name: RCLONE_CONFIG_DEST_ENDPOINT
-              valueFrom:
-                secretKeyRef:
-                  name: garage-postgres-backups-secret
-                  key: DEST_ENDPOINT
-            - name: RCLONE_CONFIG_SRC_S3_FORCE_PATH_STYLE
-              value: true
-rclone-web-assets-remote:
+rclone-web-assets-local:
   cronJob:
     suspend: false
-    schedule: 30 0 * * *
+    schedule: 0 6 * * 5
   rclone:
     source:
-      bucketName: web-assets
+      bucketName: web-assets-770aef58c931fcf4
     destination:
       bucketName: web-assets
   secret:
     externalSecret:
       source:
         credentials:
-          path: /garage/home-infra/web-assets
+          path: /backblaze/home-infra/web-assets
+          keyIdProperty: AWS_ACCESS_KEY_ID
+          secretKeyProperty: AWS_SECRET_ACCESS_KEY
+          regionProperty: AWS_REGION
         config:
-          path: /garage/config
+          path: /backblaze/config
+          endpointProperty: ENDPOINT
+      destination:
+        credentials:
+          path: /garage/home-infra/web-assets
+        config:
+          path: /garage/config
+          endpointProperty: ENDPOINT_LOCAL
+rclone-web-assets-remote:
+  cronJob:
+    suspend: false
+    schedule: 0 6 * * 6
+  rclone:
+    source:
+      bucketName: web-assets-770aef58c931fcf4
+    destination:
+      bucketName: web-assets
+  secret:
+    externalSecret:
+      source:
+        credentials:
+          path: /backblaze/home-infra/web-assets
+          keyIdProperty: AWS_ACCESS_KEY_ID
+          secretKeyProperty: AWS_SECRET_ACCESS_KEY
+          regionProperty: AWS_REGION
+        config:
+          path: /backblaze/config
+          endpointProperty: ENDPOINT
       destination:
         credentials:
           path: /garage/home-infra/web-assets