From b8a80b120774da0d400f1f7790b374414cf72f45 Mon Sep 17 00:00:00 2001
From: Michael Thomson <michael@michaelthomson.dev>
Date: Tue, 10 Jun 2025 21:28:17 -0400
Subject: [PATCH] immich cnpg backup

---
 apps/immich/cluster.yaml          | 31 +++++++++++++++++++++++++++++++
 apps/immich/scheduled-backup.yaml | 11 +++++++++++
 apps/immich/wasabi-secret.yaml    | 16 ++++++++++++++++
 3 files changed, 58 insertions(+)
 create mode 100644 apps/immich/scheduled-backup.yaml
 create mode 100644 apps/immich/wasabi-secret.yaml

diff --git a/apps/immich/cluster.yaml b/apps/immich/cluster.yaml
index 6a12cd7..d2a97e3 100644
--- a/apps/immich/cluster.yaml
+++ b/apps/immich/cluster.yaml
@@ -3,6 +3,9 @@ kind: Cluster
 metadata:
   name: immich-postgres
   namespace: immich
+  annotations:
+    # needed to allow for recovery from same name cluster backup
+    cnpg.io/skipEmptyWalArchiveCheck: enabled
 spec:
   imageName: ghcr.io/tensorchord/cloudnative-vectorchord:17-0.3.0
   instances: 3
@@ -26,7 +29,35 @@ spec:
       postInitSQL:
         - CREATE EXTENSION IF NOT EXISTS "vchord" CASCADE;
         - CREATE EXTENSION IF NOT EXISTS "earthdistance" CASCADE;
+    # NOTE: uncomment this and commend the above initdb when recovering
+    # recovery:
+    #   source: immich-postgres
 
   storage:
     size: 8Gi
     storageClass: longhorn-pg
+
+  externalClusters:
+    - name: immich-postgres
+      barmanObjectStore:
+        destinationPath: "s3://mthomson-cnpg-backup/immich/"
+        endpointURL: "https://s3.ca-central-1.wasabisys.com"
+        s3Credentials:
+          accessKeyId:
+            name: wasabi-secret
+            key: ACCESS_KEY_ID
+          secretAccessKey:
+            name: wasabi-secret
+            key: ACCESS_SECRET_KEY
+
+  backup:
+    barmanObjectStore:
+      destinationPath: "s3://mthomson-cnpg-backup/immich/"
+      endpointURL: "https://s3.ca-central-1.wasabisys.com"
+      s3Credentials:
+        accessKeyId:
+          name: wasabi-secret
+          key: ACCESS_KEY_ID
+        secretAccessKey:
+          name: wasabi-secret
+          key: ACCESS_SECRET_KEY
diff --git a/apps/immich/scheduled-backup.yaml b/apps/immich/scheduled-backup.yaml
new file mode 100644
index 0000000..4df7984
--- /dev/null
+++ b/apps/immich/scheduled-backup.yaml
@@ -0,0 +1,11 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: ScheduledBackup
+metadata:
+  name: scheduled-backup
+  namespace: immich
+spec:
+  schedule: "0 0 0 * * *"
+  backupOwnerReference: self
+  #immediate: true
+  cluster:
+    name: immich-postgres
diff --git a/apps/immich/wasabi-secret.yaml b/apps/immich/wasabi-secret.yaml
new file mode 100644
index 0000000..c37529a
--- /dev/null
+++ b/apps/immich/wasabi-secret.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: wasabi-secret
+  namespace: immich
+spec:
+  encryptedData:
+    ACCESS_KEY_ID: AgBf5fXBrCPe5SFImEkZlzkaGR/ke0OYNrF0o2QjoykzJl0eNV4bNGlpN0ALUjShp819ykL5V08wlyYMFOuJJfpGaarh8OAt/npk61LcEe5FU1qB9t3m6bA61nkh8mNFZ1PBuZPD3JTA+uL4zlye3wvjNgZpZOngRFHsdWEoQf0Pb5rfrm7IQtM2IoWuzgpi8+7Y+qbE52pDH3gn7CJPurdgZtPG3CuwASzhTo+H4TOZIzn16bfgT7hN+8i2L26mkcnmwI8fAnXEbX1r5P+aO8zTJTRUEUECvELy8YaQX5i/uMt6z37cc1WYqI4hEOk+TK1pi9y4cXubUJR8LmmdRPnUFhq/kNso7ljcecPHUWhfqUlKn34qy+9WKrY71xFbat4EYTfD9q8CFZVBXkEC0hGrHsPjLaLg4hcVTHZXic7VXaIzgHsfzeF6yq9YA8y/UrqvoofCuIUGVRCs0JECFtBspzx7dE2GJD4FH7trValRE3gODJRDAuroGAfCz54RD+IWFWExLHBtj3cpwuMso5xPG5nac/3ITxXnqO/fRo1CtJgX6Bl++JDBxJKhC3humz4TaaXUBkUM6pyaI9BRge3W9KsKvNi6IkIc9g8HxPTxQlvUrhj4hDjIfxXsrsaC2kjqyD9pFnK3qFgK8WcyKq9VdXSPl32y00bTiGRZGB/l0WQvtLLYdKLUNuGEF9ObUq1916NxwMZD0nUIZo/VVpBoKUTJ3g==
+    ACCESS_SECRET_KEY: AgAaussEikyP/AFhmOBfL/13w2k2L0NQka4243P/On4JcVn8DWN5ZEMU9jJNwJ7UrdfLLUWtvGv4aPn7ccktQx5c3wzZUQzRdQ1tSdP+SX11fHqyA0cx9olyGXnYenLHBfb8L4hRTlh8Bmb3LtvOYmaFUvtJzPuUj8CsgJUc3v+eYAICyaiZYi0lNig5o7y6PYEC+xk9+eXrNRBJxmz3Cz5BigXSD8CUAKY0wWqs8z39VjDSUwitPF2mKZOe5ve0kiCc3oZ9h5bv5H89Emclj1KMDFuU+vYqQkX2ZgfIEUbU5UB19jmbW6l6cu0Oftm5wAYrFTL4pBIe9KBQIsv5ClC/VhmGgrfG9SdCB2R0ahAd+e6T8hJDCku8cNEODABoqG3Iu3hznCt2ULhyxZaHUP9PWq4iagy6wp9ELRS8Ne+51YoZfCdqv59c2L+BMOU1NNcCobW8HvBYEHv6Ylq1ntZkEEARlJpCEzBZsEsLk21sDkWX8I6dbPPMJXvVWFm3u8TyU9zU6MF/+1HcsP5jtI26lgPQjjKLuVI+67j0feZp//6mFmfnHMytX4RJn6UMt3oar42Lp6AaUXZjv2ShbtCSr/3l3dYfizf1OYqxJCgTsbGFS+A4khTdjKoW6/68UbVeMMNvJOy0yS1TqktRq68sB8qnETC+yRQQTBKcVTqOCO1NTlEi9eXcDKln/lq8fBcV5izhok4Np7tXo72DOkHNBxPZPUCL4jtyz1x2WesnlMEsH4Iis6Co
+  template:
+    metadata:
+      creationTimestamp: null
+      name: wasabi-secret
+      namespace: immich