LibrePortal/scripts/backup/engine/kopia_backup.sh
librelad 43779a992b harden(desudo): backup engines (restic/kopia/borg) + crowdsec host helpers
- restic_install, crowdsec_update/verify_firewall/fix_priority: pure host
  ops (apt/cscli/nft/systemctl, /etc/crowdsec) -> runSystem.
- kopia_backup/borg_restore: ignore-file/target tee+chown+mkdir -> runFileOp/
  runFileWrite; kept the 'sudo -E -u dockerinstall' engine calls as-is —
  those already run as the unprivileged backup user (least-privilege; the
  scoped sudoers will permit (dockerinstall)).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-23 23:48:23 +01:00


#!/bin/bash
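#######################################
# Snapshot one app's container directory into the kopia repository of
# backup location $idx, writing a temporary .kopiaignore when DB data
# directories have to be excluded.
# Globals:   containers_dir (read), backup_exclude_paths (read),
#            docker_install_user (read), CFG_INSTALL_NAME (read)
# Arguments: $1 - location index, passed to kopiaEnvExport/resticLocationName
#            $2 - app name; appended to $containers_dir to form the source
#            $3 - manifest sha (optional); recorded as a "manifest:" tag
# Outputs:   snapshot id on stdout on success; notices and errors on stderr
# Returns:   1 when the source directory is missing or kopiaEnvExport fails,
#            otherwise kopia's own exit status
#######################################
kopiaBackupAppToLocation() {
  local idx="$1"
  local app_name="$2"
  local manifest_sha="$3"
  # NOTE(review): assumes $containers_dir already ends in "/" — confirm.
  local source_path="$containers_dir$app_name"

  if [[ ! -d "$source_path" ]]; then
    isError "Source path missing for $app_name: $source_path"
    return 1
  fi

  # Exports the repository connection for this location into the
  # environment; the `sudo -E` below carries it to the backup user.
  kopiaEnvExport "$idx" || return 1

  local host_tag="${CFG_INSTALL_NAME:-libreportal}"
  local tags=("--tags" "app:$app_name" "--tags" "host:$host_tag" "--tags" "engine:libreportal")
  [[ -n "$manifest_sha" ]] && tags+=("--tags" "manifest:$manifest_sha")

  local loc_name
  loc_name=$(resticLocationName "$idx")
  isNotice "Snapshotting $app_name$loc_name (kopia)" >&2

  # Kopia has no per-run --exclude; it reads .kopiaignore from the source
  # tree. On the live path write the raw DB data dirs (made relative to the
  # source) as ignore patterns, snapshot, then remove it so the rule never
  # leaks into a later non-live backup of the same app.
  local ignore_file="$source_path/.kopiaignore"
  local wrote_ignore=false
  if [[ -n "${backup_exclude_paths:-}" ]]; then
    local p rel
    # Truncate (or create) the ignore file before appending patterns.
    : | runFileWrite "$ignore_file"
    while IFS= read -r p; do
      [[ -z "$p" ]] && continue
      # Anchor the pattern at the source root ("/sub/dir"). A path that is
      # not under $source_path keeps its absolute form and matches nothing.
      rel="/${p#"$source_path"/}"
      printf '%s\n' "$rel" | runFileWrite -a "$ignore_file"
    done <<< "$backup_exclude_paths"
    # Best effort: kopia runs as the backup user and only needs to read the
    # file, so a failed chown is deliberately not treated as fatal.
    runFileOp chown "$docker_install_user":"$docker_install_user" "$ignore_file" 2>/dev/null
    wrote_ignore=true
  fi

  local output
  output=$(sudo -E -u "$docker_install_user" kopia snapshot create "$source_path" "${tags[@]}" --json 2>&1)
  local rc=$?

  # Remove the ignore file whether or not the snapshot succeeded. A stale
  # .kopiaignore would silently shape every later backup of this app, so a
  # failed removal is reported rather than ignored.
  if [[ "$wrote_ignore" == true ]]; then
    runFileOp rm -f "$ignore_file" \
      || isError "Could not remove $ignore_file; later backups of $app_name would still honour its excludes" >&2
  fi

  local snapshot_id
  # First "id" field of the JSON output. stderr is merged into $output, so the
  # id is only trusted when rc == 0.
  snapshot_id=$(printf '%s\n' "$output" | grep -oE '"id":\s*"[^"]+"' | head -n 1 | cut -d'"' -f4)
  if [[ $rc -eq 0 ]]; then
    isSuccessful "Backup created in $loc_name: ${snapshot_id:0:12}" >&2
    printf '%s\n' "$snapshot_id"
  else
    isError "Kopia backup to $loc_name failed for $app_name" >&2
    printf '%s\n' "$output" | tail -n 10 >&2
  fi

  kopiaEnvUnset
  return "$rc"
}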