# gitea-backup.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: gitea-backup-script
  namespace: gitea
data:
  backup.sh: |
    #!/bin/bash
    set -euo pipefail
    
    BACKUP_DIR="/backup/gitea"
    DATE=$(date +%Y%m%d_%H%M%S)
    BACKUP_FILE="gitea_${DATE}.zip"
    RETENTION_DAYS=30
    
    echo "[$(date)] Starting Gitea backup..."
    
    # Create backup directory (may fail if permissions issue, that's ok)
    mkdir -p ${BACKUP_DIR} 2>/dev/null || true
    
    # Change to temp directory for dump
    cd /tmp
    
    # Run Gitea dump
    if gitea dump -c /data/gitea/conf/app.ini --type zip; then
      echo "[$(date)] ✓ Gitea dump successful"
      
      # Find the created dump file
      DUMP_FILE=$(ls -t gitea-dump-*.zip 2>/dev/null | head -1)
      
      if [ -n "$DUMP_FILE" ] && [ -f "$DUMP_FILE" ]; then
        # Move to backup directory with our naming convention
        mv "$DUMP_FILE" ${BACKUP_DIR}/${BACKUP_FILE}
        SIZE=$(du -h ${BACKUP_DIR}/${BACKUP_FILE} | cut -f1)
        echo "[$(date)] Backup size: ${SIZE}"
      else
        echo "[$(date)] ✗ ERROR: Dump file not found!"
        exit 1
      fi
    else
      echo "[$(date)] ✗ Gitea dump failed!"
      exit 1
    fi
    
    # Cleanup old backups
    echo "[$(date)] Cleaning up backups older than ${RETENTION_DAYS} days..."
    find ${BACKUP_DIR} -name "gitea_*.zip" -mtime +${RETENTION_DAYS} -delete 2>/dev/null || true
    
    # List recent backups
    echo "[$(date)] Recent backups:"
    ls -lh ${BACKUP_DIR} 2>/dev/null | tail -5 || echo "Could not list backups"
    
    echo "[$(date)] Gitea backup completed successfully"
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: gitea-backup
  namespace: gitea
spec:
  schedule: "0 3 * * *"
  successfulJobsHistoryLimit: 3
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      template:
        spec:
          securityContext:
            runAsUser: 1000      # Run as git user
            runAsGroup: 1000     # Run as git group
            fsGroup: 1000        # Set filesystem group
          containers:
          - name: gitea-backup
            image: gitea/gitea:1.24  # Match your version
            command: ["/bin/bash", "/scripts/backup.sh"]
            securityContext:
              allowPrivilegeEscalation: false
              runAsNonRoot: true
            volumeMounts:
            - name: backup-script
              mountPath: /scripts
            - name: gitea-data
              mountPath: /data
            - name: backup-storage
              mountPath: /backup
            - name: tmp
              mountPath: /tmp
          volumes:
          - name: backup-script
            configMap:
              name: gitea-backup-script
              defaultMode: 0755
          - name: gitea-data
            persistentVolumeClaim:
              claimName: gitea-shared-storage  # Adjust to your PVC name
          - name: backup-storage
            hostPath:
              path: /mnt/backup/k8s-backups  # Fixed path
              type: DirectoryOrCreate
          - name: tmp
            emptyDir: {}
          restartPolicy: OnFailure