feat: Add Velero backup with local-volume-provider and SSHFS mount to Mac Mini

ams0 · claude · ams0 · commit 644f16ae8799 · 2026-03-31T00:01:46.000+02:00
Velero backs up PVCs via Kopia to a hostPath that is SSHFS-mounted to
feynman.rhino-butterfly.ts.net:/Volumes/Store/Borg/Velero. Daily (14d)
and weekly (90d) schedules cover all app namespaces.

- New sshfs Ansible role with systemd automount for resilient mounts
- Velero HelmRelease with replicated/local-volume-provider plugin
- Remove unused Velero HTTPRoute (no web UI)
- Add velero to root Flux kustomization

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/gitops/kustomization.yaml b/gitops/kustomization.yaml
@@ -14,8 +14,4 @@ resources:
 - gateways/gateway.yaml
 - local-path-provisioner/local-path-provisioner.yaml
 - argocd
-
-# Add more resources here as you create them
-# - deployment.yaml
-# - service.yaml
-# - ingress.yaml
+- velero
diff --git a/gitops/velero/kustomization.yaml b/gitops/velero/kustomization.yaml
@@ -5,4 +5,3 @@ resources:
   - namespace.yaml
   - velero-helmrepo.yaml
   - velero-helmrelease.yaml
-  - velero-httproute.yaml
diff --git a/gitops/velero/velero-helmrelease.yaml b/gitops/velero/velero-helmrelease.yaml
@@ -26,4 +26,100 @@ spec:
     remediation:
       retries: 3
   values:
-   
+    initContainers:
+      - name: local-volume-provider
+        image: replicated/local-volume-provider:v0.6.7
+        imagePullPolicy: IfNotPresent
+        volumeMounts:
+          - mountPath: /target
+            name: plugins
+
+    credentials:
+      useSecret: false
+
+    configuration:
+      backupStorageLocation:
+        - name: feynman
+          provider: replicated.com/hostpath
+          bucket: velero-backups
+          default: true
+          accessMode: ReadWrite
+          config:
+            path: /mnt/feynman-velero
+            resticRepoPrefix: /var/velero-local-volume-provider/velero-backups/restic
+
+      volumeSnapshotLocation: []
+      defaultVolumesToFsBackup: true
+      uploaderType: kopia
+
+    snapshotsEnabled: false
+    deployNodeAgent: true
+
+    nodeAgent:
+      resources:
+        requests:
+          cpu: 100m
+          memory: 256Mi
+        limits:
+          memory: 1Gi
+
+    resources:
+      requests:
+        cpu: 100m
+        memory: 128Mi
+      limits:
+        memory: 512Mi
+
+    # Mount the SSHFS hostPath into the Velero pod
+    extraVolumes:
+      - name: feynman-velero
+        hostPath:
+          path: /mnt/feynman-velero
+          type: Directory
+
+    extraVolumeMounts:
+      - name: feynman-velero
+        mountPath: /mnt/feynman-velero
+
+    schedules:
+      daily-all-apps:
+        disabled: false
+        schedule: "0 2 * * *"
+        useOwnerReferencesInBackup: false
+        template:
+          ttl: "336h"
+          storageLocation: feynman
+          includedNamespaces:
+            - n8n
+            - forgejo
+            - minecraft
+            - keycloak
+            - actual
+            - alarik
+            - uptime-kuma
+            - outline
+            - waha
+            - rustfs
+          defaultVolumesToFsBackup: true
+          snapshotVolumes: false
+
+      weekly-disaster-recovery:
+        disabled: false
+        schedule: "0 3 * * 0"
+        useOwnerReferencesInBackup: false
+        template:
+          ttl: "2160h"
+          storageLocation: feynman
+          includedNamespaces:
+            - n8n
+            - forgejo
+            - minecraft
+            - keycloak
+            - actual
+            - alarik
+            - uptime-kuma
+            - outline
+            - waha
+            - rustfs
+          defaultVolumesToFsBackup: true
+          snapshotVolumes: false
diff --git a/gitops/velero/velero-httproute.yaml b/gitops/velero/velero-httproute.yaml
diff --git a/roles/sshfs/defaults/main.yml b/roles/sshfs/defaults/main.yml
@@ -0,0 +1,10 @@
+---
+sshfs_mounts:
+  - name: feynman-velero
+    remote_path: "/Volumes/Store/Borg/Velero"
+    remote_user: feynam
+    remote_host: feynman.rhino-butterfly.ts.net
+    local_path: /mnt/feynman-velero
+    ssh_key: /home/ubuntu/.ssh/nas
+    uid: "1001"
+    gid: "1001"
diff --git a/roles/sshfs/handlers/main.yml b/roles/sshfs/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+- name: reload systemd
+  systemd:
+    daemon_reload: yes
diff --git a/roles/sshfs/tasks/main.yml b/roles/sshfs/tasks/main.yml
@@ -0,0 +1,40 @@
+---
+- name: Install sshfs
+  apt:
+    name: sshfs
+    state: present
+    update_cache: yes
+
+- name: Create mount points
+  file:
+    path: "{{ item.local_path }}"
+    state: directory
+    mode: "0755"
+  loop: "{{ sshfs_mounts }}"
+
+- name: Deploy systemd mount units
+  template:
+    src: sshfs.mount.j2
+    dest: "/etc/systemd/system/{{ item.local_path | regex_replace('^/', '') | regex_replace('/', '-') }}.mount"
+    mode: "0644"
+  loop: "{{ sshfs_mounts }}"
+  notify: reload systemd
+
+- name: Deploy systemd automount units
+  template:
+    src: sshfs.automount.j2
+    dest: "/etc/systemd/system/{{ item.local_path | regex_replace('^/', '') | regex_replace('/', '-') }}.automount"
+    mode: "0644"
+  loop: "{{ sshfs_mounts }}"
+  notify: reload systemd
+
+- name: Flush handlers
+  meta: flush_handlers
+
+- name: Enable and start automount units
+  systemd:
+    name: "{{ item.local_path | regex_replace('^/', '') | regex_replace('/', '-') }}.automount"
+    enabled: yes
+    state: started
+  loop: "{{ sshfs_mounts }}"
+
diff --git a/roles/sshfs/templates/sshfs.automount.j2 b/roles/sshfs/templates/sshfs.automount.j2
@@ -0,0 +1,11 @@
+[Unit]
+Description=Automount SSHFS {{ item.local_path }}
+After=network-online.target tailscaled.service
+Wants=network-online.target
+
+[Automount]
+Where={{ item.local_path }}
+TimeoutIdleSec=0
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/sshfs/templates/sshfs.mount.j2 b/roles/sshfs/templates/sshfs.mount.j2
@@ -0,0 +1,13 @@
+[Unit]
+Description=SSHFS mount {{ item.remote_user }}@{{ item.remote_host }}:{{ item.remote_path }}
+After=network-online.target tailscaled.service
+Wants=network-online.target
+
+[Mount]
+What={{ item.remote_user }}@{{ item.remote_host }}:{{ item.remote_path }}
+Where={{ item.local_path }}
+Type=fuse.sshfs
+Options=reconnect,ServerAliveInterval=15,ServerAliveCountMax=3,allow_other,IdentityFile={{ item.ssh_key }},uid={{ item.uid }},gid={{ item.gid }},StrictHostKeyChecking=accept-new,_netdev
+
+[Install]
+WantedBy=multi-user.target
diff --git a/site.yml b/site.yml
@@ -19,6 +19,8 @@
       tags: [traefik, ingress]
     - role: tailscale
       tags: [tailscale]
+    - role: sshfs
+      tags: [sshfs, backup]
     - role: borg
       tags: [borg, backup]
     - role: datadog
