aws_infra/main.tf

@@ -3,5 +3,14 @@
 module "forgejo_backup" {
   source = "./modules/forgejo_backup"
 
-  bucket_name = "juntekim-forgejo-backup"
+  bucket_name = "juntekim-git-backup"
+}
+
+output "forgejo_backup_access_key_id" {
+  value = module.forgejo_backup.iam_access_key_id
+}
+
+output "forgejo_backup_secret_access_key" {
+  value     = module.forgejo_backup.iam_secret_access_key
+  sensitive = true
 }

aws_infra/provider.tf

@@ -17,5 +17,6 @@ terraform {
 }
 
 provider "aws" {
-  region = var.aws_region
+  region  = var.aws_region
+  profile = "personal"
 }

forgejo/forgejo-backup-secret.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: forgejo-backup-secret
+  namespace: default
+type: Opaque
+stringData:
+  AWS_ACCESS_KEY_ID: AKIAQL67W6HIV6WTECSQ
+  AWS_SECRET_ACCESS_KEY: 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

forgejo/forgejo-storage.yaml

@@ -0,0 +1,29 @@
+# ================================
+# FORGEJO PERSISTENT STORAGE
+# Apply once — do NOT delete
+# ================================
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: forgejo-db-pvc
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: rook-ceph-block
+  resources:
+    requests:
+      storage: 10Gi
+
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: forgejo-pvc
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: rook-ceph-block
+  resources:
+    requests:
+      storage: 20Gi

forgejo/forgejo.yaml

@@ -13,19 +13,6 @@ stringData:
   POSTGRES_PASSWORD: changeMePleaseOtherwiseSomeoneWillKnow
   POSTGRES_DB: forgejo
 
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: forgejo-db-pvc
-spec:
-  accessModes:
-    - ReadWriteOnce
-  storageClassName: rook-ceph-block
-  resources:
-    requests:
-      storage: 10Gi
-
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -35,6 +22,8 @@ metadata:
     app: forgejo-postgres
 spec:
   replicas: 1
+  strategy:
+    type: Recreate
   selector:
     matchLabels:
       app: forgejo-postgres
@@ -78,19 +67,6 @@ spec:
 # FORGEJO APP
 # -------------------------
 
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: forgejo-pvc
-spec:
-  accessModes:
-    - ReadWriteOnce
-  storageClassName: rook-ceph-block
-  resources:
-    requests:
-      storage: 20Gi
-
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -100,6 +76,8 @@ metadata:
     app: forgejo
 spec:
   replicas: 1
+  strategy:
+    type: Recreate
   selector:
     matchLabels:
       app: forgejo
@@ -158,6 +136,32 @@ spec:
           volumeMounts:
             - name: forgejo-data
               mountPath: /data
+        - name: backup
+          image: python:3-alpine
+          env:
+            - name: AWS_ACCESS_KEY_ID
+              valueFrom:
+                secretKeyRef:
+                  name: forgejo-backup-secret
+                  key: AWS_ACCESS_KEY_ID
+            - name: AWS_SECRET_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: forgejo-backup-secret
+                  key: AWS_SECRET_ACCESS_KEY
+            - name: AWS_DEFAULT_REGION
+              value: eu-west-2
+          command:
+            - /bin/sh
+            - -c
+            - |
+              apk add --no-cache dcron aws-cli
+              echo "0 2 * * 0 TIMESTAMP=\$(date +\%Y-\%m-\%d) && tar -czf - /data | aws s3 cp - s3://juntekim-git-backup/repos/forgejo-backup-\${TIMESTAMP}.tar.gz" | crontab -
+              crond -f -l 2
+          volumeMounts:
+            - name: forgejo-data
+              mountPath: /data
+              readOnly: true
       volumes:
         - name: forgejo-data
           persistentVolumeClaim: