stacks/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml

apiVersion: batch/v1
kind: CronJob
metadata:
  name: forgejo-s3-backup
  namespace: gitea
spec:
  schedule: "0 1 * * *"
  concurrencyPolicy: "Forbid"
  successfulJobsHistoryLimit: 5
  failedJobsHistoryLimit: 5
  startingDeadlineSeconds: 600 # 10 minutes
  jobTemplate:
    spec:
      # 60 min until backup - 10 min start - (backoffLimit * activeDeadlineSeconds) - some time sync buffer
      activeDeadlineSeconds: 1350
      backoffLimit: 2
      ttlSecondsAfterFinished: 259200 #
      template:
        spec:
          containers:
            - name: rclone
              image: rclone/rclone:1.70
              imagePullPolicy: IfNotPresent
              env:
                - name: SOURCE_BUCKET
                  valueFrom:
                    secretKeyRef:
                      name: forgejo-cloud-credentials
                      key: bucket-name
                - name: AWS_ACCESS_KEY_ID
                  valueFrom:
                    secretKeyRef:
                      name: forgejo-cloud-credentials
                      key: access-key
                - name: AWS_SECRET_ACCESS_KEY
                  valueFrom:
                    secretKeyRef:
                      name: forgejo-cloud-credentials
                      key: secret-key
              volumeMounts:
                - name: rclone-config
                  mountPath: /config/rclone
                  readOnly: true
                - name: backup-dir
                  mountPath: /backup
                  readOnly: false
              command:
                - /bin/sh
                - -c
                - |
                  rclone sync source:/${SOURCE_BUCKET} /backup -v --ignore-checksum
          restartPolicy: OnFailure
          volumes:
            - name: rclone-config
              secret:
                secretName: forgejo-s3-backup
            - name: backup-dir
              persistentVolumeClaim:
                claimName: s3-backup
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: s3-backup
  namespace: gitea
  annotations:
    everest.io/disk-volume-type: SATA
    everest.io/crypt-key-id: { { { .Env.PVC_KMS_KEY_ID } } }
spec:
  storageClassName: csi-disk
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 50Gi
---
apiVersion: v1
kind: Secret
metadata:
  name: forgejo-s3-backup
  namespace: gitea
type: Opaque
stringData:
  rclone.conf: |
    [source]
    type = s3
    provider = HuaweiOBS
    env_auth = true
    endpoint = obs.eu-de.otc.t-systems.com
    region = eu-de
    acl = private