P3: PostgreSQL disaster recovery test and borgmatic k8s-pg backup #32

Merged

eblume merged 4 commits from feature/p3-postgresql-borgmatic into main

2026-01-19 18:00:32 -08:00

eblume commented

2026-01-19 18:00:03 -08:00

Owner

Summary

Fixed borgmatic borg: command not found by adding local_path config option
Successfully tested disaster recovery: restored miniflux data from borgmatic backup to k8s-pg
Added borgmatic user to k8s-pg via CloudNativePG managed roles
Configured borgmatic to backup both localhost and k8s-pg PostgreSQL databases
Added Tailscale ACL grant for tag:homelab → tag:k8s on port 5432
Disabled selfHeal on apps app to allow manual revision changes during development

Changes

ansible/roles/borgmatic/ - Added local_path and k8s-pg database entry
ansible/roles/postgresql/tasks/main.yml - Added k8s-pg to .pgpass
argocd/apps/apps.yaml - Disabled selfHeal
argocd/manifests/databases/blumeops-pg.yaml - Added borgmatic managed role
argocd/manifests/databases/secret-borgmatic.yaml.tpl - New secret template
pulumi/policy.hujson - Added ACL grant for backup access

Deployment and Testing

Borgmatic backup runs successfully
Miniflux data restored to k8s-pg (2 users, 2 feeds, 44 entries verified)
borgmatic user created in k8s-pg with pg_read_all_data role
Both localhost and k8s-pg databases in backup archive
zk documentation updated (borgmatic.md, postgresql.md)
After merge: set blumeops-pg app back to main revision

🤖 Generated with Claude Code

## Summary - Fixed borgmatic `borg: command not found` by adding `local_path` config option - Successfully tested disaster recovery: restored miniflux data from borgmatic backup to k8s-pg - Added borgmatic user to k8s-pg via CloudNativePG managed roles - Configured borgmatic to backup both localhost and k8s-pg PostgreSQL databases - Added Tailscale ACL grant for `tag:homelab` → `tag:k8s` on port 5432 - Disabled selfHeal on apps app to allow manual revision changes during development ## Changes - `ansible/roles/borgmatic/` - Added `local_path` and k8s-pg database entry - `ansible/roles/postgresql/tasks/main.yml` - Added k8s-pg to `.pgpass` - `argocd/apps/apps.yaml` - Disabled selfHeal - `argocd/manifests/databases/blumeops-pg.yaml` - Added borgmatic managed role - `argocd/manifests/databases/secret-borgmatic.yaml.tpl` - New secret template - `pulumi/policy.hujson` - Added ACL grant for backup access ## Deployment and Testing - [x] Borgmatic backup runs successfully - [x] Miniflux data restored to k8s-pg (2 users, 2 feeds, 44 entries verified) - [x] borgmatic user created in k8s-pg with pg_read_all_data role - [x] Both localhost and k8s-pg databases in backup archive - [x] zk documentation updated (borgmatic.md, postgresql.md) - [ ] After merge: set blumeops-pg app back to main revision 🤖 Generated with [Claude Code](https://claude.com/claude-code)

eblume added 4 commits

2026-01-19 18:00:04 -08:00

Fix borgmatic borg path and add k8s-pg ACL grant 3f6af244f6

- Add local_path option to borgmatic config for borg binary
- Add ACL grant for tag:homelab -> tag:k8s on port 5432

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Add borgmatic user to k8s-pg via CloudNativePG 420aaf5696

- Create secret-borgmatic.yaml.tpl for 1Password integration
- Add borgmatic managed role with pg_read_all_data privilege
- Update README with borgmatic user documentation

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Fix apps selfHeal and borgmatic secret field name ec1198f5f4

- Disable selfHeal on apps app to allow manual revision changes during dev
- Fix secret-borgmatic.yaml.tpl to use db-password field

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Configure borgmatic to backup k8s-pg PostgreSQL be688bd10d

- Add k8s-pg database entry to borgmatic config
- Add k8s-pg entry to pgpass for borgmatic access

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>