# Backup Architecture details

![](backup.svg)

* we use restic to produce small & encrypted backups
* backup is scheduled at `schedule: "10 23 * * *"`
* Forgejo stores files in `/data/gitea` and `/data/git/repositories`, these files are backed up. 
* The postgres db is also backed up

## Manual backup

1. Scale down forgejo deployment:   
   `kubectl -n forgejo scale deployment forgejo --replicas=0`
2. apply backup-and-restore pod:   
  `kubectl -n forgejo scale deployment backup-restore --replicas=1`
3. exec into pod and execute backup pod (press tab to get your exact pod name)   
   `kubectl -n forgejo exec -it backup-restore-... -- /usr/local/bin/backup.bb`
4. remove backup-and-restore pod:   
   `kubectl -n forgejo scale deployment backup-restore --replicas=0`
5. Scale up forgejo deployment:   
   `kubectl -n forgejo scale deployment forgejo --replicas=1`

## Manual restore

1. Scale down forgejo deployment:
   `kubectl -n forgejo scale deployment forgejo --replicas=0`
2. apply backup-and-restore pod:   
  `kubectl -n forgejo scale deployment backup-restore --replicas=1`
3. exec into pod and execute restore pod (press tab to get your exact pod name)   
   `kubectl -n forgejo exec -it backup-restore-... -- /usr/local/bin/restore.bb`
4. Start forgejo again:
   `kubectl -n forgejo scale deployment forgejo --replicas=1`
5. remove backup-and-restore pod:   
   `kubectl -n forgejo scale deployment backup-restore --replicas=0`

## Change Password

1. Check restic-new-password env is set in backup deployment   
   ```
   kind: Deployment
   metadata:
     name: backup-restore
   spec:
       spec:
         containers:
         - name: backup-app
           env:
           - name: RESTIC_NEW_PASSWORD_FILE
             value: /var/run/secrets/backup-secrets/restic-new-password
   ```
2. Add restic-new-password to secret   
   ```
   kind: Secret
   metadata:
     name: backup-secret
   data:
     restic-password: old
     restic-new-password: new
   ```
3. Scale backup-restore deployment up:   
   `kubectl -n nextcloud scale deployment backup-restore --replicas=1`
4. exec into pod and execute restore pod   
   `kubectl -n nextcloud exec -it backup-restore -- change-password.bb`
5. Scale backup-restore deployment down:   
  `kubectl -n nextcloud scale deployment backup-restore --replicas=0`
6. Replace restic-password with restic-new-password in secret   
   ```
   kind: Secret
   metadata:
     name: backup-secret
   data:
     restic-password: new
   ```