Running a single-node Kubernetes cluster on bare metal means there is no built-in redundancy β no multi-node replication, no managed cloud snapshots. If the disk dies or a namespace is accidentally deleted, recovery depends entirely on backups. This article documents the full backup strategy: what is backed up, how, where, and how every backup run is monitored in real time.
A single backup approach fails in predictable ways. A Velero cluster snapshot doesnβt help if the host OS is corrupted. A raw file copy doesnβt capture the Kubernetes resource definitions needed to reassemble the cluster. The strategy is designed so that each layer covers a gap the others leave:
| Layer | What | Tool | Target |
|---|---|---|---|
| 1 | Kubernetes resource definitions + PV data | Velero + Kopia | OCI Object Storage |
| 2 | Raw PVC data (/opt/local-path-provisioner/) | restic | OCI Object Storage |
| 3 | PostgreSQL logical dump | pg_dumpall | Host disk β included in Layer 2 |
| 4 | Host configuration (/home/ifurlan, /etc) | restic | OCI Object Storage |
All remote backup data lands in Oracle Cloud Infrastructure (OCI) Object Storage, SΓ£o Paulo region (sa-saopaulo-1). OCIβs Always Free tier includes 20 GB of object storage β enough to hold compressed, deduplicated backup repositories across all four layers.
| Property | Value |
|---|---|
| Provider | Oracle Cloud Infrastructure |
| Region | sa-saopaulo-1 (SΓ£o Paulo) |
| Storage class | Standard |
| Free tier | 20 GB |
| Cost | $0 |
The bucket is organized by prefix, one per backup job:
| Prefix | Job |
|---|---|
velero/ | Velero-managed Kopia repository |
restic-k8s/ | Raw PVC data (restic) |
restic-host/ | Host configuration (restic) |
pg-dump/ | PostgreSQL dump files |
OCI access is configured through an API key pair. Credentials are stored as environment variables in the respective systemd service unit files and as a Kubernetes Secret for Veleroβs BackupStorageLocation.
Velero is the industry-standard Kubernetes backup tool. It captures two categories of data:
Velero originally used restic as its volume backup driver. Starting with Velero v1.10, Kopia became the recommended (and now default) driver. The reasons:
| Feature | restic | Kopia |
|---|---|---|
| Deduplication | Chunk-level | Chunk-level |
| Encryption | AES-256 | AES-256-GCM |
| Compression | No | Yes (zstd) |
| Parallel uploads | Limited | Yes (concurrent) |
| Repository locking | Pessimistic (slow) | Optimistic (fast) |
| Maintenance jobs | Manual | Automated |
Kopiaβs parallel upload capability and optimistic locking make it significantly faster for large PVCs. Automated maintenance (compaction, GC) keeps the repository size bounded without cron jobs.
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββ velero namespace ββ ββ ββββββββββββββββββββββββββββ βββββββββββββββββββ ββ β velero (pod) β β node-agent β ββ β - Schedules β β (DaemonSet) β ββ β - Orchestrates β β - Mounts PVCs β ββ β - BackupStorageLocation β β - Kopia β ββ ββββββββββ¬ββββββββββββββββββ βββββββββ¬ββββββββββ ββ β β ββββββββββββββΌββββββββββββββββββββββββββββββΌβββββββββββββ β β βΌ βΌ K8s API (resource PVC host paths snapshots β S3) β Kopia repo β β ββββββββββββ¬βββββββββββββββββββ βΌ OCI Object Storage (velero/ prefix)The velero pod orchestrates backup scheduling and communicates with the Kubernetes API to snapshot resource definitions. The node-agent DaemonSet runs on the host and mounts PVC directories directly from the local-path storage paths β bypassing the need for storage-provider snapshots.
apiVersion: velero.io/v1kind: BackupStorageLocationmetadata: name: default namespace: velerospec: provider: community.openshift.io/object-store objectStorage: bucket: homelab-backups prefix: velero config: region: sa-saopaulo-1 s3Url: https://objectstorage.sa-saopaulo-1.oraclecloud.com s3ForcePathStyle: "true"Separate schedules are defined for each critical namespace, allowing independent retention policies and granular restore points:
| Schedule | Namespace | Cadence |
|---|---|---|
backstage-daily | backstage | Daily |
harbor-daily | harbor | Daily |
n8n-daily | n8n | Daily |
postgres-daily | postgres | Daily |
cnpg-system-daily | cnpg-system | Daily |
velero-daily | velero | Daily (includes sealed-secrets backup) |
After each backup, Velero triggers a maintenance job that runs compaction and garbage collection on the Kopia repository. These appear as short-lived pods in the velero namespace:
velero backstage-default-kopia-maintain-job Completedvelero harbor-default-kopia-maintain-job Completedvelero n8n-default-kopia-maintain-job Completedvelero postgres-default-kopia-maintain-job Completedvelero cnpg-system-default-kopia-maintain-job Completedvelero velero-default-kopia-maintain-job CompletedMaintenance keeps the repository lean by removing unreferenced data chunks left by expired or deleted backups.
Velero covers Kubernetes-aware backups, but a second restic job backs up the raw PVC data on the host independently. This provides a safety net that doesnβt depend on Velero or the Kubernetes API:
/opt/local-path-provisioner/ βββ all PVC data, all namespaces β βΌ restic backup (systemd timer: daily) β βΌOCI Object Storage (restic-k8s/ prefix)The backup uses a restic repository initialized directly in the OCI bucket. Restic deduplicates and compresses data before uploading, so only changed chunks are sent on each run.
The job is managed by a systemd timer (restic-k8s-backup.timer) that fires the restic-k8s-backup.service unit daily. After completing, the service pushes metrics to Prometheus Pushgateway:
# Metrics pushed after each runbackup_success{job="restic_k8s_data"} 1backup_duration_seconds{job="restic_k8s_data"} 42.3backup_files_new{job="restic_k8s_data"} 12backup_files_changed{job="restic_k8s_data"} 87backup_timestamp{job="restic_k8s_data"} 1748000000These metrics power the backup monitoring dashboard in Grafana (covered below).
Application data lives in the CloudNativePG-managed PostgreSQL cluster (postgres namespace). Even though the PVC data is backed up by both Velero (Layer 1) and restic (Layer 2), a logical dump adds an extra recovery option: restoring into a clean database instance without needing to replay a PVC snapshot.
A daily systemd timer runs pg_dumpall and writes the dump to the host filesystem. The dump file is then automatically included in the Layer 2 restic backup.
pg_dumpall (all databases) β βΌ/var/backups/pg_dump/dump.sql β βΌIncluded in Layer 2 restic backup β βΌOCI Object Storage (restic-k8s/ prefix)After each run, the dump size is pushed to Pushgateway:
pg_dump_size_bytes{job="pg_dump"} 4823042pg_dump_success{job="pg_dump"} 1pg_dump_duration_seconds{job="pg_dump"} 8.2The dump size trend in Grafana serves as an early warning: an unexpected drop indicates a database problem, an unexpected spike indicates unusual data growth.
The host OS and user configuration is backed up to a separate restic repository (restic-host/ prefix in OCI). This covers the files that wouldnβt exist in a Kubernetes PVC:
| Path | Contents |
|---|---|
/home/ifurlan | Shell configs, SSH keys, scripts, dotfiles |
/etc | System configuration, network settings, systemd units |
A separate restic repository is used (not the same as Layer 2) so that retention and exclusion policies can be tuned independently. Large binary files and cache directories are excluded via a .resticignore file.
After each run, metrics are pushed to Pushgateway:
backup_success{job="restic_host"} 1backup_duration_seconds{job="restic_host"} 15.6backup_timestamp{job="restic_host"} 1748000000A fifth systemd service (oci-bucket-stats.service) runs after all backup jobs and queries the OCI API to collect bucket-level statistics. These are pushed to Pushgateway:
oci_bucket_size_bytes{prefix="velero"} 1234567890oci_bucket_size_bytes{prefix="restic-k8s"} 987654321oci_bucket_size_bytes{prefix="restic-host"} 456789012oci_bucket_size_bytes{prefix="pg-dump"} 123456789oci_bucket_object_count{prefix="velero"} 4821oci_bucket_limit_bytes 21474836480The oci_bucket_limit_bytes metric represents the 20 GB OCI free tier ceiling. Tracking the total usage against this limit drives the OCIBucketNearLimit alert β fired when usage exceeds 85% of 20 GB.
Every backup layer feeds metrics into Prometheus Pushgateway, making the full backup posture visible in Grafana. The custom βHomelab Backup & Storageβ dashboard provides an at-a-glance view of backup health across all jobs.
Backup Status
Type: Stat panels (one per job)
Shows OK (green) or FAILED (red) for each backup job. Backed by backup_success from Pushgateway. The most important panels β any red is immediately actionable.
Jobs tracked: restic_k8s_data, restic_host, pg_dump
Time Since Last Backup
Type: Stat panels
Displays how long ago the last successful backup ran, derived from backup_timestamp. Color thresholds:
Red here triggers the BackupStale alert in AlertManager.
Backup Duration
Type: Bar chart (time series)
Historical backup durations per job. Useful for spotting regressions β a job that suddenly takes 3Γ longer than usual may indicate a large new file, a slow OCI connection, or repository fragmentation.
Backup Files Changed
Type: Stacked bars
Shows files_new and files_changed per restic run. Helps understand backup churn β high change volume correlates with longer backup durations and higher OCI egress.
PostgreSQL Dump Size
Type: Line chart
Tracks pg_dump_size_bytes over time. The trend line shows database growth. A sudden drop is a red flag (backup or dump failure); gradual growth is expected and healthy.
OCI Bucket Usage vs Limit
Type: Gauge
Shows total OCI bucket usage against the 20 GB free tier ceiling. The gauge turns yellow at 85% and red at 95%, matching the OCIBucketNearLimit alert threshold.
OCI Bucket Size by Prefix
Type: Pie chart (donut)
Breaks down bucket usage by prefix (velero/, restic-k8s/, restic-host/, pg-dump/). Makes it easy to see which backup layer is consuming the most storage.
OCI Bucket Objects by Prefix
Type: Bar gauge
Shows the object count per prefix. Kopia/Velero tends to produce many small objects (chunks); a rapidly growing object count can indicate that maintenance jobs are not running.
Backup alerts are defined in the homelab-alerts PrometheusRule and routed by AlertManager to Telegram and Gmail:
| Alert | Condition | Severity |
|---|---|---|
BackupFailed | backup_success == 0 for any job | critical |
BackupStale | time() - backup_timestamp > 172800 (48h) | warning |
OCIBucketNearLimit | Total bucket usage > 85% of 20 GB | warning |
Critical alerts fire immediately to both the Telegram bot (musashi_homelab_bot) and Gmail. Warning alerts follow the same path.
# List available backupsvelero backup get
# Restore a specific namespace from the latest backupvelero restore create --from-backup <backup-name> \ --include-namespaces backstage
# Watch restore progressvelero restore describe <restore-name>
# Mount the restic repository and browse snapshotsrestic -r s3:https://objectstorage.sa-saopaulo-1.oraclecloud.com/homelab-backups/restic-k8s \ snapshots
# Restore a specific snapshot to a target directoryrestic -r <repo> restore <snapshot-id> \ --target /opt/local-path-provisioner/# Restore into a running PostgreSQL instancepsql -U postgres < /var/backups/pg_dump/dump.sqlrestic -r s3:https://objectstorage.sa-saopaulo-1.oraclecloud.com/homelab-backups/restic-host \ restore latest --target /| Layer | RPO (max data loss) | RTO (recovery time) |
|---|---|---|
| Velero + Kopia | ~24 hours | Minutes (velero restore) |
| restic PVC backup | ~24 hours | Minutes to hours (depends on PVC size) |
| pg_dumpall | ~24 hours | Minutes |
| Host config | ~24 hours | Minutes |
All jobs run daily. RPO is therefore bounded at approximately 24 hours across all layers.