Backups: pg_dump → S3 (MEGA S4); drop local PVC

values.yaml

@@ -78,11 +78,24 @@ backups:
   # Cron schedule for the automatic backup job. Default 03:00 UTC
   # daily — quiet hour for most timezones, non-business in EU/US/AS.
   schedule: "0 3 * * *"
-  # PVC size for retained dumps. Holds ~7 days of dumps for a small
-  # instance; scale up via overlay if the instance has a large DB.
-  storage: 10Gi
-  # How many dumps to retain. Older ones are pruned by the same Job.
+  # How many dumps to retain in S3. The backup job prunes older
+  # objects matching the instance's prefix on every successful run.
   retain: 7
+  # S3-compatible destination. The endpoint + region + bucket are
+  # NON-secret and live in this committed values.yaml; the AWS
+  # credentials live in a K8s Secret named by `credentialsSecret`,
+  # provisioned out-of-band by Tower's bootstrap script (which reads
+  # from OpenBao). The chart never sees access/secret keys directly.
+  s3:
+    endpoint: https://s3.eu-central-1.s4.mega.io
+    region: eu-central-1
+    bucket: odoosky-v3-backups
+    # Per-instance S3 key prefix. Each instance writes under its own
+    # code/ subdirectory inside the shared bucket.
+    prefix: "{{ .Values.instance.code }}"
+  # Name of the K8s Secret holding AWS_ACCESS_KEY_ID +
+  # AWS_SECRET_ACCESS_KEY. Mounted via envFrom on the backup Job.
+  credentialsSecret: s3-backup-creds
 
 ingress:
   # Traefik entrypoint name (set on the Traefik install in the