migrate to local backups

clusters/cl01tl/platform/authentik/templates/external-secret.yaml

@@ -72,3 +72,40 @@ spec:
         key: /digital-ocean/home-infra/postgres-backups
         metadataPolicy: None
         property: secret
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: authentik-postgresql-17-cluster-backup-secret-garage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: authentik-postgresql-17-cluster-backup-secret-garage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/postgres-backups
+        metadataPolicy: None
+        property: ACCESS_KEY_ID
+    - secretKey: ACCESS_SECRET_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/postgres-backups
+        metadataPolicy: None
+        property: ACCESS_SECRET_KEY
+    - secretKey: ACCESS_REGION
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/postgres-backups
+        metadataPolicy: None
+        property: ACCESS_REGION

clusters/cl01tl/platform/authentik/values.yaml

@@ -64,17 +64,45 @@ postgres-17-cluster:
   recovery:
     method: objectStore
     objectStore:
-      destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/authentik/authentik-postgresql-17-cluster
+      destinationPath: s3://postgres-backups/cl01tl/authentik/authentik-postgresql-17-cluster
+      endpointURL: http://garage-main.garage:3900
       index: 1
+      endpointCredentials: authentik-postgresql-17-cluster-backup-secret-garage
   backup:
     objectStore:
       - name: external
         destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/authentik/authentik-postgresql-17-cluster
         index: 1
-        retentionPolicy: "2d"
+        retentionPolicy: "7d"
+        isWALArchiver: false
+      - name: garage-local
+        destinationPath: s3://postgres-backups/cl01tl/authentik/authentik-postgresql-17-cluster
+        index: 1
+        endpointURL: http://garage-main.garage:3900
+        endpointCredentials: authentik-postgresql-17-cluster-backup-secret-garage
+        endpointCredentialsIncludeRegion: true
+        retentionPolicy: "7d"
         isWALArchiver: true
+      # - name: garage-remote
+      #   destinationPath: s3://postgres-backups/cl01tl/authentik/authentik-postgresql-17-cluster
+      #   index: 1
+      #   endpointURL: https://garage-ps10rp.boreal-beaufort.ts.net:3900
+      #   endpointCredentials: authentik-postgresql-17-cluster-backup-secret-garage
+      #   retentionPolicy: "30d"
+      #   data:
+      #     compression: bzip2
+      #     jobs: 2
     scheduledBackups:
       - name: daily-backup
         suspend: false
         schedule: "0 0 0 * * *"
         backupName: external
+      - name: live-backup
+        suspend: false
+        immediate: true
+        schedule: "0 0 0 * * *"
+        backupName: garage-local
+      # - name: weekly-backup
+      #   suspend: false
+      #   schedule: "0 0 4 * * SAT"
+      #   backupName: garage-remote

clusters/cl01tl/platform/gitea/templates/external-secret.yaml

@@ -279,3 +279,40 @@ spec:
         key: /digital-ocean/home-infra/postgres-backups
         metadataPolicy: None
         property: secret
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: gitea-postgresql-17-cluster-backup-secret-garage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: gitea-postgresql-17-cluster-backup-secret-garage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/postgres-backups
+        metadataPolicy: None
+        property: ACCESS_KEY_ID
+    - secretKey: ACCESS_SECRET_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/postgres-backups
+        metadataPolicy: None
+        property: ACCESS_SECRET_KEY
+    - secretKey: ACCESS_REGION
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/postgres-backups
+        metadataPolicy: None
+        property: ACCESS_REGION

clusters/cl01tl/platform/gitea/values.yaml

@@ -334,17 +334,45 @@ postgres-17-cluster:
   recovery:
     method: objectStore
     objectStore:
-      destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/gitea/gitea-postgresql-17-cluster
+      destinationPath: s3://postgres-backups/cl01tl/gitea/gitea-postgresql-17-cluster
+      endpointURL: http://garage-main.garage:3900
       index: 1
+      endpointCredentials: gitea-postgresql-17-cluster-backup-secret-garage
   backup:
     objectStore:
       - name: external
         destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/gitea/gitea-postgresql-17-cluster
         index: 1
-        retentionPolicy: "2d"
+        retentionPolicy: "7d"
+        isWALArchiver: false
+      - name: garage-local
+        destinationPath: s3://postgres-backups/cl01tl/gitea/gitea-postgresql-17-cluster
+        index: 1
+        endpointURL: http://garage-main.garage:3900
+        endpointCredentials: gitea-postgresql-17-cluster-backup-secret-garage
+        endpointCredentialsIncludeRegion: true
+        retentionPolicy: "7d"
         isWALArchiver: true
+      # - name: garage-remote
+      #   destinationPath: s3://postgres-backups/cl01tl/gitea/gitea-postgresql-17-cluster
+      #   index: 1
+      #   endpointURL: https://garage-ps10rp.boreal-beaufort.ts.net:3900
+      #   endpointCredentials: gitea-postgresql-17-cluster-backup-secret-garage
+      #   retentionPolicy: "30d"
+      #   data:
+      #     compression: bzip2
+      #     jobs: 2
     scheduledBackups:
       - name: daily-backup
         suspend: false
         schedule: "0 0 0 * * *"
         backupName: external
+      - name: live-backup
+        suspend: false
+        immediate: true
+        schedule: "0 0 0 * * *"
+        backupName: garage-local
+      # - name: weekly-backup
+      #   suspend: false
+      #   schedule: "0 0 4 * * SAT"
+      #   backupName: garage-remote

clusters/cl01tl/platform/matrix-synapse/templates/external-secret.yaml

@@ -442,3 +442,40 @@ spec:
         key: /digital-ocean/home-infra/postgres-backups
         metadataPolicy: None
         property: secret
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: matrix-synapse-postgresql-17-cluster-backup-secret-garage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: matrix-synapse-postgresql-17-cluster-backup-secret-garage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/postgres-backups
+        metadataPolicy: None
+        property: ACCESS_KEY_ID
+    - secretKey: ACCESS_SECRET_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/postgres-backups
+        metadataPolicy: None
+        property: ACCESS_SECRET_KEY
+    - secretKey: ACCESS_REGION
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/postgres-backups
+        metadataPolicy: None
+        property: ACCESS_REGION

clusters/cl01tl/platform/matrix-synapse/values.yaml

@@ -311,17 +311,45 @@ postgres-17-cluster:
   recovery:
     method: objectStore
     objectStore:
-      destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/matrix-synapse/matrix-synapse-postgresql-17-cluster
-      index: 2
+      destinationPath: s3://postgres-backups/cl01tl/matrix-synapse/matrix-synapse-postgresql-17-cluster
+      endpointURL: http://garage-main.garage:3900
+      index: 1
+      endpointCredentials: matrix-synapse-postgresql-17-cluster-backup-secret-garage
   backup:
     objectStore:
       - name: external
         destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/matrix-synapse/matrix-synapse-postgresql-17-cluster
         index: 2
-        retentionPolicy: "2d"
+        retentionPolicy: "7d"
+        isWALArchiver: false
+      - name: garage-local
+        destinationPath: s3://postgres-backups/cl01tl/matrix-synapse/matrix-synapse-postgresql-17-cluster
+        index: 1
+        endpointURL: http://garage-main.garage:3900
+        endpointCredentials: matrix-synapse-postgresql-17-cluster-backup-secret-garage
+        endpointCredentialsIncludeRegion: true
+        retentionPolicy: "7d"
         isWALArchiver: true
+      # - name: garage-remote
+      #   destinationPath: s3://postgres-backups/cl01tl/matrix-synapse/matrix-synapse-postgresql-17-cluster
+      #   index: 1
+      #   endpointURL: https://garage-ps10rp.boreal-beaufort.ts.net:3900
+      #   endpointCredentials: matrix-synapse-postgresql-17-cluster-backup-secret-garage
+      #   retentionPolicy: "30d"
+      #   data:
+      #     compression: bzip2
+      #     jobs: 2
     scheduledBackups:
       - name: daily-backup
         suspend: false
         schedule: "0 0 0 * * *"
         backupName: external
+      - name: live-backup
+        suspend: false
+        immediate: true
+        schedule: "0 0 0 * * *"
+        backupName: garage-local
+      # - name: weekly-backup
+      #   suspend: false
+      #   schedule: "0 0 4 * * SAT"
+      #   backupName: garage-remote

clusters/cl01tl/platform/n8n/templates/external-secret.yaml

@@ -49,3 +49,40 @@ spec:
         key: /digital-ocean/home-infra/postgres-backups
         metadataPolicy: None
         property: secret
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: n8n-postgresql-17-cluster-backup-secret-garage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: n8n-postgresql-17-cluster-backup-secret-garage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/postgres-backups
+        metadataPolicy: None
+        property: ACCESS_KEY_ID
+    - secretKey: ACCESS_SECRET_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/postgres-backups
+        metadataPolicy: None
+        property: ACCESS_SECRET_KEY
+    - secretKey: ACCESS_REGION
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/postgres-backups
+        metadataPolicy: None
+        property: ACCESS_REGION

clusters/cl01tl/platform/n8n/values.yaml

@@ -327,17 +327,45 @@ postgres-17-cluster:
   recovery:
     method: objectStore
     objectStore:
-      destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/n8n/n8n-postgresql-17-cluster
-      index: 2
+      destinationPath: s3://postgres-backups/cl01tl/n8n/n8n-postgresql-17-cluster
+      endpointURL: http://garage-main.garage:3900
+      index: 1
+      endpointCredentials: n8n-postgresql-17-cluster-backup-secret-garage
   backup:
     objectStore:
       - name: external
         destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/n8n/n8n-postgresql-17-cluster
         index: 2
-        retentionPolicy: "2d"
+        retentionPolicy: "7d"
+        isWALArchiver: false
+      - name: garage-local
+        destinationPath: s3://postgres-backups/cl01tl/n8n/n8n-postgresql-17-cluster
+        index: 1
+        endpointURL: http://garage-main.garage:3900
+        endpointCredentials: n8n-postgresql-17-cluster-backup-secret-garage
+        endpointCredentialsIncludeRegion: true
+        retentionPolicy: "7d"
         isWALArchiver: true
+      # - name: garage-remote
+      #   destinationPath: s3://postgres-backups/cl01tl/n8n/n8n-postgresql-17-cluster
+      #   index: 1
+      #   endpointURL: https://garage-ps10rp.boreal-beaufort.ts.net:3900
+      #   endpointCredentials: n8n-postgresql-17-cluster-backup-secret-garage
+      #   retentionPolicy: "30d"
+      #   data:
+      #     compression: bzip2
+      #     jobs: 2
     scheduledBackups:
       - name: daily-backup
         suspend: false
         schedule: "0 0 0 * * *"
         backupName: external
+      - name: live-backup
+        suspend: false
+        immediate: true
+        schedule: "0 0 0 * * *"
+        backupName: garage-local
+      # - name: weekly-backup
+      #   suspend: false
+      #   schedule: "0 0 4 * * SAT"
+      #   backupName: garage-remote

clusters/cl01tl/platform/ollama/templates/external-secret.yaml

@@ -137,3 +137,40 @@ spec:
         key: /digital-ocean/home-infra/postgres-backups
         metadataPolicy: None
         property: secret
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: ollama-web-postgresql-17-cluster-backup-secret-garage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: ollama-web-postgresql-17-cluster-backup-secret-garage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/postgres-backups
+        metadataPolicy: None
+        property: ACCESS_KEY_ID
+    - secretKey: ACCESS_SECRET_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/postgres-backups
+        metadataPolicy: None
+        property: ACCESS_SECRET_KEY
+    - secretKey: ACCESS_REGION
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/postgres-backups
+        metadataPolicy: None
+        property: ACCESS_REGION

clusters/cl01tl/platform/ollama/values.yaml

@@ -251,17 +251,46 @@ postgres-17-cluster:
   recovery:
     method: objectStore
     objectStore:
-      destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/ollama/ollama-web-postgresql-17-cluster
+      destinationPath: s3://postgres-backups/cl01tl/ollama/ollama-web-postgresql-17-cluster
+      endpointURL: http://garage-main.garage:3900
       index: 1
+      endpointCredentials: ollama-web-postgresql-17-cluster-backup-secret-garage
   backup:
     objectStore:
       - name: external
         destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/ollama/ollama-web-postgresql-17-cluster
         index: 1
-        retentionPolicy: "2d"
+        endpointCredentials: ollama-web-postgresql-17-cluster-backup-secret
+        retentionPolicy: "7d"
+        isWALArchiver: false
+      - name: garage-local
+        destinationPath: s3://postgres-backups/cl01tl/ollama/ollama-web-postgresql-17-cluster
+        index: 1
+        endpointURL: http://garage-main.garage:3900
+        endpointCredentials: ollama-web-postgresql-17-cluster-backup-secret-garage
+        endpointCredentialsIncludeRegion: true
+        retentionPolicy: "7d"
         isWALArchiver: true
+      # - name: garage-remote
+      #   destinationPath: s3://postgres-backups/cl01tl/ollama/ollama-web-postgresql-17-cluster
+      #   index: 1
+      #   endpointURL: https://garage-ps10rp.boreal-beaufort.ts.net:3900
+      #   endpointCredentials: ollama-web-postgresql-17-cluster-backup-secret-garage
+      #   retentionPolicy: "30d"
+      #   data:
+      #     compression: bzip2
+      #     jobs: 2
     scheduledBackups:
       - name: daily-backup
         suspend: false
         schedule: "0 0 0 * * *"
         backupName: external
+      - name: live-backup
+        suspend: false
+        immediate: true
+        schedule: "0 0 0 * * *"
+        backupName: garage-local
+      # - name: weekly-backup
+      #   suspend: false
+      #   schedule: "0 0 4 * * SAT"
+      #   backupName: garage-remote

clusters/cl01tl/platform/stalwart/templates/external-secret.yaml

@@ -124,3 +124,40 @@ spec:
         key: /digital-ocean/home-infra/postgres-backups
         metadataPolicy: None
         property: secret
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: stalwart-postgresql-17-cluster-backup-secret-garage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: stalwart-postgresql-17-cluster-backup-secret-garage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/postgres-backups
+        metadataPolicy: None
+        property: ACCESS_KEY_ID
+    - secretKey: ACCESS_SECRET_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/postgres-backups
+        metadataPolicy: None
+        property: ACCESS_SECRET_KEY
+    - secretKey: ACCESS_REGION
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/postgres-backups
+        metadataPolicy: None
+        property: ACCESS_REGION

clusters/cl01tl/platform/stalwart/values.yaml

@@ -68,17 +68,45 @@ postgres-17-cluster:
   recovery:
     method: objectStore
     objectStore:
-      destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/stalwart/stalwart-postgresql-17-cluster
+      destinationPath: s3://postgres-backups/cl01tl/stalwart/stalwart-postgresql-17-cluster
+      endpointURL: http://garage-main.garage:3900
       index: 1
+      endpointCredentials: stalwart-postgresql-17-cluster-backup-secret-garage
   backup:
     objectStore:
       - name: external
         destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/stalwart/stalwart-postgresql-17-cluster
         index: 1
-        retentionPolicy: "2d"
+        retentionPolicy: "7d"
+        isWALArchiver: false
+      - name: garage-local
+        destinationPath: s3://postgres-backups/cl01tl/stalwart/stalwart-postgresql-17-cluster
+        index: 1
+        endpointURL: http://garage-main.garage:3900
+        endpointCredentials: stalwart-postgresql-17-cluster-backup-secret-garage
+        endpointCredentialsIncludeRegion: true
+        retentionPolicy: "7d"
         isWALArchiver: true
+      # - name: garage-remote
+      #   destinationPath: s3://postgres-backups/cl01tl/stalwart/stalwart-postgresql-17-cluster
+      #   index: 1
+      #   endpointURL: https://garage-ps10rp.boreal-beaufort.ts.net:3900
+      #   endpointCredentials: stalwart-postgresql-17-cluster-backup-secret-garage
+      #   retentionPolicy: "30d"
+      #   data:
+      #     compression: bzip2
+      #     jobs: 2
     scheduledBackups:
       - name: daily-backup
         suspend: false
         schedule: "0 0 0 * * *"
         backupName: external
+      - name: live-backup
+        suspend: false
+        immediate: true
+        schedule: "0 0 0 * * *"
+        backupName: garage-local
+      # - name: weekly-backup
+      #   suspend: false
+      #   schedule: "0 0 4 * * SAT"
+      #   backupName: garage-remote