apps: do daily enshrouded backups

Signed-off-by: Benedikt Bongartz <bongartz@klimlive.de>

Author: frzifus

clusters/homelab/apps/enshrouded/backup/backup-pod-config.yaml

@@ -0,0 +1,24 @@
+---
+apiVersion: k8up.io/v1
+kind: PodConfig
+metadata:
+  name: enshrouded-backup-pod-config
+  namespace: enshrouded
+spec:
+  template:
+    spec:
+      affinity:
+        podAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            - labelSelector:
+                matchLabels:
+                  app: enshrouded-server
+              topologyKey: kubernetes.io/hostname
+      securityContext:
+        fsGroup: 10000
+        runAsGroup: 10000
+        runAsUser: 10000
+      containers:
+        - name: k8up
+          securityContext:
+            allowPrivilegeEscalation: false

clusters/homelab/apps/enshrouded/backup/backup-schedule.yaml

@@ -0,0 +1,42 @@
+---
+# Backup schedule for Enshrouded game server state
+apiVersion: k8up.io/v1
+kind: Schedule
+metadata:
+  name: enshrouded-backup
+  namespace: enshrouded
+spec:
+  backend:
+    repoPasswordSecretRef:
+      name: enshrouded-backup-credentials
+      key: RESTIC_PASSWORD
+    s3:
+      endpoint: https://s3.us-west-000.backblazeb2.com
+      bucket: enshrouded-ff759ae6-7fe3-4ffc-a341-2770e6cd84ba
+      accessKeyIDSecretRef:
+        name: enshrouded-backup-credentials
+        key: ACCESS_KEY_ID
+      secretAccessKeySecretRef:
+        name: enshrouded-backup-credentials
+        key: SECRET_ACCESS_KEY
+  backup:
+    schedule: "0 4 * * *"  # Daily at 4 AM
+    failedJobsHistoryLimit: 2
+    successfulJobsHistoryLimit: 3
+    # Target specific PVCs by label
+    labelSelectors:
+      - matchExpressions:
+        - key: k8up.io/backup
+          operator: In
+          values:
+            - "true"
+    # Follow enshrouded-server pod to same node (required for RWO volumes)
+    podConfigRef:
+      name: enshrouded-backup-pod-config
+  check:
+    schedule: "0 2 * * *"  # Daily at 2 AM
+  prune:
+    schedule: "0 3 * * *"  # Daily at 3 AM
+    retention:
+      keepLast: 7
+      keepDaily: 7

clusters/homelab/apps/enshrouded/backup/backup-secret.yaml

@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: enshrouded-backup-credentials
+    namespace: enshrouded
+type: Opaque
+stringData:
+    ACCESS_KEY_ID: ENC[AES256_GCM,data:/sIg0oO7oRuxqU4Yd3e2IG9DmoxvADQHbA==,iv:mFHQ3fkiT6PJHz3AGLZGngJyL3PW0q9llAYejZgm9vE=,tag:dR64dXfCAsHo7skT82etUQ==,type:str]
+    SECRET_ACCESS_KEY: ENC[AES256_GCM,data:8b5oQnkqg6paYdzGYEH4SydsaMTRE2gsUEoixeIrww==,iv:zp+LP6NwD74i+pKvoFhFGOnuQTwkL6x6PmhcUreADws=,tag:8GNcjiQRdhdxxysDV5v5uQ==,type:str]
+    RESTIC_PASSWORD: ENC[AES256_GCM,data:cwg3Kkvs0o7UtLf5SSnpeMPPMTboT7fKrSWfgraYBA==,iv:bZCPXm9u4ugPGEerCGbBo6tdIHWycokCaMDlQKJS0No=,tag:s05LKjQVDsNJfbC5G9z1ug==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1nl4pnuny2pjg3ejfk9vrx0y4ssmna36xlw3wqmzv55ku38psdylsp2t2yw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvQTRpVXZmSlpyOUo3VlU4
+            TjJkVVhhSXVReWh6ZlNxRmtjcHczdnAwMWlRClk5RmtiSTc4c3V5a0ZaZGEyQnRK
+            dER2RENValphdGRNQjVxWFUwN2pGclUKLS0tIEZqOFEyaWdNWFJ6SUlScWFRdFJq
+            OXIwSThWY0UxSW9BVWhhMis2dmNSVDgKQFLDM/z+0RRE0aCSV5CVuPuBD/irOq2e
+            X/jPce0xQ3xAhC8uHdu0iYv5OEfQCy5cB/gKaWLc9En28YyPue5hgQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-04-11T12:45:22Z"
+    mac: ENC[AES256_GCM,data:d2/P21vjXi3CIhHP5LS8B8z84tso1ncF9nK/o/Lti9EB5XP1j5n4fo1pkgI7FQTlyDEszsOSwo9oD3M+TnsTxPfTEz9jQHzhM5ffU3Df++nAEyLS7c7bcLv122x14kqIoGOa3P7d23Urr5X/etn/8395qMkhXHV0oIrUF+YPPGA=,iv:wPr+6id5XvNlkjQH/obFtjyY4psFETt14LWcAdmDSwY=,tag:5QCmEn1QGhSs/aL8JFIiOA==,type:str]
+    pgp: []
+    encrypted_regex: ^(stringData)$
+    version: 3.9.0

clusters/homelab/apps/enshrouded/backup/backup-test.yaml

@@ -0,0 +1,32 @@
+---
+apiVersion: k8up.io/v1
+kind: Backup
+metadata:
+  name: enshrouded-backup-test
+  namespace: enshrouded
+spec:
+  backend:
+    repoPasswordSecretRef:
+      name: enshrouded-backup-credentials
+      key: RESTIC_PASSWORD
+    s3:
+      endpoint: https://s3.us-west-000.backblazeb2.com
+      bucket: enshrouded-ff759ae6-7fe3-4ffc-a341-2770e6cd84ba
+      accessKeyIDSecretRef:
+        name: enshrouded-backup-credentials
+        key: ACCESS_KEY_ID
+      secretAccessKeySecretRef:
+        name: enshrouded-backup-credentials
+        key: SECRET_ACCESS_KEY
+  failedJobsHistoryLimit: 2
+  successfulJobsHistoryLimit: 3
+  # Target specific PVCs by label
+  labelSelectors:
+    - matchExpressions:
+      - key: k8up.io/backup
+        operator: In
+        values:
+          - "true"
+  # Follow enshrouded-server pod to same node (required for RWO volumes)
+  podConfigRef:
+    name: enshrouded-backup-pod-config

clusters/homelab/apps/enshrouded/pvc.yaml

@@ -3,6 +3,10 @@ apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   name: enshrouded-state
+  namespace: enshrouded
+  labels:
+    k8up.io/backup: "true"
+    app: enshrouded-server
 spec:
   accessModes:
     - ReadWriteOnce

clusters/homelab/core/k8up.yaml

@@ -33,3 +33,89 @@ spec:
     crds: CreateReplace
   upgrade:
     crds: CreateReplace
+  values:
+    k8up:
+      envVars:
+        - name: BACKUP_PROMURL
+          value: "http://pushgateway.k8up.svc.cluster.local:9091"
+        - name: CLUSTER_NAME
+          value: "homelab"
+---
+# Prometheus Push Gateway for K8up metrics across all namespaces
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: pushgateway
+  namespace: k8up
+  labels:
+    app: pushgateway
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: pushgateway
+  template:
+    metadata:
+      labels:
+        app: pushgateway
+    spec:
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
+      containers:
+        - name: pushgateway
+          image: prom/pushgateway:v1.10.0
+          args:
+            - --web.listen-address=:9091
+            - --web.telemetry-path=/metrics
+            - --persistence.interval=5m
+          ports:
+            - containerPort: 9091
+              name: http
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+          resources:
+            requests:
+              cpu: 50m
+              memory: 64Mi
+            limits:
+              cpu: 200m
+              memory: 256Mi
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: pushgateway
+  namespace: k8up
+  labels:
+    app: pushgateway
+spec:
+  selector:
+    app: pushgateway
+  ports:
+    - name: http
+      port: 9091
+      targetPort: 9091
+  type: ClusterIP
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: pushgateway
+  namespace: k8up
+  labels:
+    app: pushgateway
+spec:
+  selector:
+    matchLabels:
+      app: pushgateway
+  endpoints:
+    - port: http
+      path: /metrics
+      interval: 30s