From 385e401c08238e87feb530836d223182af3c1901 Mon Sep 17 00:00:00 2001
From: Alex Lebens
Date: Tue, 8 Jul 2025 18:03:53 -0500
Subject: [PATCH] add prune
---
 .../talos/templates/external-secret.yaml | 14 ++++++
 clusters/cl01tl/services/talos/values.yaml | 48 ++++++++++++++++++-
 2 files changed, 61 insertions(+), 1 deletion(-)
diff --git a/clusters/cl01tl/services/talos/templates/external-secret.yaml b/clusters/cl01tl/services/talos/templates/external-secret.yaml
index 815f80fac..c1b4f3b44 100644
--- a/clusters/cl01tl/services/talos/templates/external-secret.yaml
+++ b/clusters/cl01tl/services/talos/templates/external-secret.yaml
@@ -28,6 +28,20 @@ spec:
 key: /digital-ocean/home-infra/etcd-backup
 metadataPolicy: None
 property: AWS_SECRET_ACCESS_KEY
+ - secretKey: .s3cfg
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /digital-ocean/home-infra/gitea-backup
+ metadataPolicy: None
+ property: s3cfg
+ - secretKey: BUCKET
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /digital-ocean/home-infra/gitea-backup
+ metadataPolicy: None
+ property: BUCKET
 - secretKey: AGE_X25519_PUBLIC_KEY
 remoteRef:
 conversionStrategy: Default
diff --git a/clusters/cl01tl/services/talos/values.yaml b/clusters/cl01tl/services/talos/values.yaml
index 673a8535e..aa5bb8484 100644
--- a/clusters/cl01tl/services/talos/values.yaml
+++ b/clusters/cl01tl/services/talos/values.yaml
@@ -56,7 +56,7 @@ etcd-backup:
 - name: BUCKET
 value: talos-backups-bee8585f7b8a4d0239c9b823
 - name: S3_PREFIX
- value: "cl01tl"
+ value: "cl01tl/etcd"
 - name: CLUSTER_NAME
 value: "cl01tl"
 - name: AGE_X25519_PUBLIC_KEY
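Review bot: Reusing the Gitea backup credential for etcd pruning widens what a leak of either service's config can reach: the new `.s3cfg` and `BUCKET` entries read `/digital-ocean/home-infra/gitea-backup`, while the neighbouring `AWS_SECRET_ACCESS_KEY` entry reads `/digital-ocean/home-infra/etcd-backup`. A key limited to list and delete on the etcd backup prefix, stored under the etcd-backup path, would keep the two backup sets isolated from each other. It is also worth confirming where `BUCKET` ends up: it is added to this ExternalSecret, but the `s3-prune` container in values.yaml reads `BUCKET` from a secret named `gitea-s3cmd-config`, and this ExternalSecret's target secret name is outside the hunk.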
@@ -70,6 +70,41 @@ etcd-backup:
 requests:
 cpu: 100m
 memory: 128Mi
+ s3-prune:
+ image:
+ repository: d3fk/s3cmd
+ tag: latest@sha256:e9f00f479587ce03d52eb1c650e589b14dc13baf5345cb6ac752105e08305eca
+ pullPolicy: IfNotPresent
+ command:
+ - /bin/sh
+ args:
+ - -ec
+ - |
+ export ONE_WEEK_AGO=$(date -d @$(( $(date +%s) - 604800 )) +%Y-%m-%d\ %H:%M:%S);
+ export TWO_WEEK_AGO=$(date -d @$(( $(date +%s) - 1209600 )) +%Y-%m-%d\ %H:%M:%S);
+ export TIME_RANGE="$TWO_WEEK_AGO"
+ echo ">> Running S3 prune for Gitea backup repository"
+ echo ">> Backups prior to '$TIME_RANGE' will be removed"
+ echo ">> File list:"
+ s3cmd ls -v ${BUCKET}/cl01tl/etcd/
+ echo ">> Deleting ..."
+ s3cmd ls -v ${BUCKET}/cl01tl/etcd/ |
+ awk -v time_range="$TIME_RANGE" '$1 < time_range {print $4}' |
+ while read file;
+ do s3cmd del -v "$file";
+ echo ">> Deleted $file";
+ done;
+ echo ">> Completed S3 prune for Gitea backup repository"
+ env:
+ - name: BUCKET
+ valueFrom:
+ secretKeyRef:
+ name: gitea-s3cmd-config
+ key: BUCKET
+ resources:
+ requests:
+ cpu: 100m
+ memory: 128Mi
 persistence:
 tmp:
 type: emptyDir
@@ -97,3 +132,14 @@ etcd-backup:
 - path: /var/run/secrets/talos.dev
 readOnly: true
 mountPropagation: None
+ s3cmd-config:
+ enabled: true
+ type: secret
+ name: talos-etcd-backup-secret
+ advancedMounts:
+ backup:
+ s3-backup:
+ - path: /root/.s3cfg
+ readOnly: true
+ mountPropagation: None
+ subPath: .s3cfg
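Review bot: The prune loop in the `s3-prune` args has no floor on what it keeps: everything under `${BUCKET}/cl01tl/etcd/` dated before `TIME_RANGE` is deleted, so if the backup job has been failing for two weeks the next run removes the last restorable etcd snapshots. The listing is also piped straight into `awk`, and `/bin/sh -ec` does not abort when `s3cmd ls` on the left of a pipe fails. The awk test compares only `$1` (the date column) with a date-and-time string, so every object from the cutoff day is removed regardless of its time. Separately, `BUCKET` comes from a secret named `gitea-s3cmd-config` while the backup container sets it inline and the `.s3cfg` mount uses `talos-etcd-backup-secret`, and the log lines still say "Gitea backup repository"; these look carried over from another chart and should be confirmed. A guarded listing step is sketched below, assuming the same date/time/size/URI columns the original `$4` relies on; `ONE_WEEK_AGO` is unused and can go.

```yaml
- |
  # … unchanged: TWO_WEEK_AGO / TIME_RANGE computation …
  echo ">> Running S3 prune for Talos etcd backups"
  # Capture the listing first so a failed `s3cmd ls` aborts under `sh -e`.
  LISTING=$(s3cmd ls "${BUCKET}/cl01tl/etcd/")
  # Count objects newer than the cutoff; prune only if at least one exists.
  RECENT=$(echo "$LISTING" |
    awk -v time_range="$TIME_RANGE" 'NF >= 4 && ($1 " " $2) >= time_range' |
    wc -l)
  if [ "$RECENT" -eq 0 ]; then
    echo ">> No backup newer than '$TIME_RANGE' found; refusing to prune"
    exit 1
  fi
  echo "$LISTING" |
    awk -v time_range="$TIME_RANGE" 'NF >= 4 && ($1 " " $2) < time_range {print $4}' |
  # … unchanged: while read / s3cmd del loop …
```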
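Review bot: The `.s3cfg` mount is keyed to a container called `s3-backup` under `advancedMounts.backup`, but the container this patch adds is named `s3-prune`; unless an `s3-backup` container exists in that controller (not visible in these hunks), the credentials file never reaches the container that runs s3cmd. If the prune container is the intended consumer, the key should read `s3-prune:`. Mounting at `/root/.s3cfg` also assumes the container runs with `HOME=/root`, and no `securityContext` for the new container appears in the visible hunks, so it is worth stating the intended user explicitly.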