LibrePortal/scripts/backup/engine/kopia_backup.sh
librelad 0b27ed1072 refactor(desudo): funnel backup-engine privilege drop through runBackupOp
The borg/restic/kopia engines all dropped to the dedicated backup user
via scattered 'sudo -E -u $docker_install_user'. Centralize that into a
single runBackupOp helper so the backup subsystem has one audit point and
the scoped sudoers needs only the (dockerinstall) drop rule.

Also:
- owncloud config heredoc tees -> runSystem (container-UID file)
- webui_display_logins: fix the broken 'command -v sudo sqlite3' guard
  to 'command -v sqlite3' (body already runs sqlite3 via runInstallOp)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-24 18:01:51 +01:00


#!/bin/bash
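#######################################
# Snapshot one app's directory into a kopia repository location.
# Globals:
#   containers_dir       (read) prefix joined with the app name to form the source
#   CFG_INSTALL_NAME     (read) value of the host: tag, default "libreportal"
#   backup_exclude_paths (read) newline-separated paths to exclude; optional
#   docker_install_user  (read) owner given to the temporary .kopiaignore
# Arguments:
#   $1 - location index, passed to kopiaEnvExport and resticLocationName
#   $2 - app name (directory name under containers_dir)
#   $3 - manifest sha, added as a manifest: tag when non-empty
# Outputs:
#   stdout - the snapshot id parsed from kopia's JSON output, on success
#   stderr - notices, errors and the last 10 lines of kopia output on failure
# Returns:
#   1 if the source is missing, kopiaEnvExport fails or the ignore file is a
#   symlink; otherwise the exit status of the kopia snapshot command.
#######################################
kopiaBackupAppToLocation()
{
    local idx="$1"
    local app_name="$2"
    local manifest_sha="$3"
    local source_path="$containers_dir$app_name"

    if [[ ! -d "$source_path" ]]; then
        # stdout is the return channel for the snapshot id, so diagnostics go
        # to stderr here as they do everywhere else in this function.
        isError "Source path missing for $app_name: $source_path" >&2
        return 1
    fi

    kopiaEnvExport "$idx" || return 1

    local host_tag="${CFG_INSTALL_NAME:-libreportal}"
    local tags=("--tags" "app:$app_name" "--tags" "host:$host_tag" "--tags" "engine:libreportal")
    if [[ -n "$manifest_sha" ]]; then
        tags+=("--tags" "manifest:$manifest_sha")
    fi

    local loc_name
    loc_name=$(resticLocationName "$idx")
    isNotice "Snapshotting $app_name$loc_name (kopia)" >&2

    # Kopia has no per-run --exclude; it reads .kopiaignore from the source
    # tree. On the live path write the raw DB data dirs (made relative to the
    # source) as ignore patterns, snapshot, then remove it so the rule never
    # leaks into a later non-live backup of the same app.
    local ignore_file="$source_path/.kopiaignore"
    local wrote_ignore=false
    if [[ -n "${backup_exclude_paths:-}" ]]; then
        # The ignore file lives inside the app's own data tree. If whatever
        # owns that tree can create entries there (presumably the container;
        # confirm), a symlink at this name would redirect the truncate and
        # chown below to its target. Refuse instead of following it. This is a
        # best-effort check, not race-free; runFileWrite/runFileOp are defined
        # elsewhere and are the place for a no-follow guarantee.
        if [[ -L "$ignore_file" ]]; then
            isError "Refusing to write $ignore_file: it is a symlink" >&2
            kopiaEnvUnset
            return 1
        fi

        # NOTE(review): a pre-existing regular .kopiaignore is truncated here
        # and deleted after the snapshot; that also clears a leftover from an
        # interrupted run, so it is kept as-is.
        local rel p
        : | runFileWrite "$ignore_file"
        while IFS= read -r p; do
            [[ -z "$p" ]] && continue
            rel="/${p#"$source_path"/}"
            printf '%s\n' "$rel" | runFileWrite -a "$ignore_file"
        done <<< "$backup_exclude_paths"
        # Ownership change is best-effort; its failure is deliberately ignored.
        runFileOp chown "$docker_install_user":"$docker_install_user" "$ignore_file" 2>/dev/null
        wrote_ignore=true
    fi

    local output
    local rc=0
    output=$(runBackupOp kopia snapshot create "$source_path" "${tags[@]}" --json 2>&1) || rc=$?

    # Remove the temporary ignore file whether or not the snapshot succeeded.
    if [[ "$wrote_ignore" == true ]]; then
        runFileOp rm -f "$ignore_file"
    fi

    # First "id" value in the JSON output is taken as the snapshot id.
    # NOTE(review): an empty id with rc 0 is still reported as success.
    local snapshot_id
    snapshot_id=$(printf '%s\n' "$output" | grep -oE '"id":\s*"[^"]+"' | head -1 | cut -d'"' -f4)

    if [[ $rc -eq 0 ]]; then
        isSuccessful "Backup created in $loc_name: ${snapshot_id:0:12}" >&2
        printf '%s\n' "$snapshot_id"
    else
        isError "Kopia backup to $loc_name failed for $app_name" >&2
        printf '%s\n' "$output" | tail -10 >&2
    fi

    kopiaEnvUnset
    return "$rc"
}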