librelad 7acfdabbac refactor(de-sudo): backup subsystem data ops via runFileOp/runFileWrite
The backup engine already drops to the backup user (sudo -E -u
$docker_install_user) and backupLocationOwner == $docker_install_user, which is
exactly what runFileOp/runFileWrite resolve to in both modes. So convert the
raw-sudo data ops (mkdir/chmod/rm/find/cat/grep/mv/chown/tee on backup repos,
location configs, keys, manifests) to runFileOp/runFileWrite — creating files
as the owner directly, no root chown. backup_verify creates its scratch as the
backup user (runFileOp mktemp) instead of chown-after. Binary installs
(kopia tar/install, borg dnf) go through runSystem. The 44 `sudo -u` engine drops stay as they are
(already least-privilege; the scoped sudoers rules will grant them).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-24 17:01:05 +01:00


#!/bin/bash
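#######################################
# Initialize the Kopia repository for backup location $idx.
# Arguments: $1 - location index (resolved via the resticLocation* helpers)
# Globals:   docker_install_user (read) — the unprivileged backup user kopia runs as
# Returns:   0 when the location is disabled, already initialized, or was created;
#            1 on any error. The Kopia env set by kopiaEnvExport is unset on
#            every return path after it was exported.
#######################################
kopiaInitLocation()
{
  local idx="$1"
  if ! resticLocationEnabled "$idx"; then
    isNotice "Location $(resticLocationName "$idx") disabled — skipping init"
    return 0
  fi
  kopiaEnvExport "$idx" || return 1
  local t
  t=$(resticLocationType "$idx")
  # Already initialized? `kopia repository status` returns 0 only if the
  # config file is connected to a repo.
  if sudo -E -u "$docker_install_user" kopia repository status --json >/dev/null 2>&1; then
    isNotice "$(resticLocationName "$idx") already initialized"
    kopiaEnvUnset
    return 0
  fi
  local args=()
  case "$t" in
    local)
      local path
      path=$(backupLocationResolvedPath "$idx")
      # An empty path would make mkdir fail and the recursive chown below act on
      # whatever the wrapper's cwd is — refuse it explicitly.
      if [[ -z "$path" ]]; then
        isError "$(resticLocationName "$idx") has no resolved local path"
        kopiaEnvUnset
        return 1
      fi
      runFileOp mkdir -p -- "$path"
      # NOTE(review): runFileOp already creates the directory as the backup user,
      # so this chown only matters when the path pre-existed with foreign
      # ownership — and then -R re-owns everything underneath it. Confirm that a
      # user-configured path can never point at a shared tree.
      runFileOp chown -R "$docker_install_user":"$docker_install_user" -- "$path"
      args=(repository create filesystem --path="$path")
      ;;
    sftp)
      local user host port path auth keyfile
      user=$(resticLocationField "$idx" SSH_USER)
      host=$(resticLocationField "$idx" SSH_HOST)
      port=$(resticLocationField "$idx" SSH_PORT)
      [[ -z "$port" ]] && port=22
      path=$(resticLocationField "$idx" SSH_PATH)
      auth=$(resticLocationField "$idx" SSH_AUTH)
      # Fail early on an incomplete location instead of letting kopia emit an
      # opaque connection error.
      if [[ -z "$user" || -z "$host" || -z "$path" ]]; then
        isError "Kopia SFTP location $(resticLocationName "$idx") needs SSH_USER, SSH_HOST and SSH_PATH set."
        kopiaEnvUnset
        return 1
      fi
      # 10# forces decimal so a leading zero is not parsed as octal.
      if ! [[ "$port" =~ ^[0-9]+$ ]] || (( 10#$port < 1 || 10#$port > 65535 )); then
        isError "Invalid SSH_PORT '$port' for $(resticLocationName "$idx")"
        kopiaEnvUnset
        return 1
      fi
      if [[ "$auth" == "password" ]]; then
        isError "Kopia's SFTP backend supports key auth only. Switch this location's engine to restic or borg if you need password auth, or generate an SSH key on the location's edit panel."
        kopiaEnvUnset
        return 1
      fi
      keyfile=$(backupSshKeyFile "$idx")
      if [[ ! -f "$keyfile" ]]; then
        isError "Kopia SFTP needs a private key at $keyfile — generate or paste one on the location's edit panel."
        kopiaEnvUnset
        return 1
      fi
      # NOTE(review): --known-hosts-data="" passes no pinned host key. Confirm
      # kopia then falls back to the backup user's ~/.ssh/known_hosts rather
      # than skipping host-key verification; if it skips, a MITM on first
      # connect is accepted silently and the repo password/keys are exposed.
      args=(repository create sftp --host="$host" --port="$port" --username="$user" --path="$path" --known-hosts-data="" --keyfile="$keyfile")
      ;;
    *)
      isError "Kopia adapter doesn't support type=$t yet"
      kopiaEnvUnset
      return 1
      ;;
  esac
  isNotice "Initializing $(resticLocationName "$idx") with Kopia"
  # Run as the backup user with the exported Kopia env (-E) so the repo and its
  # config are created with the right owner and no root chown is needed after.
  if sudo -E -u "$docker_install_user" kopia "${args[@]}"; then
    isSuccessful "$(resticLocationName "$idx") initialized"
  else
    isError "Failed to initialize $(resticLocationName "$idx") with Kopia"
    kopiaEnvUnset
    return 1
  fi
  kopiaEnvUnset
}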
#######################################
# Make sure backup location $idx has a connected Kopia repository config.
# Arguments: $1 - location index
# Returns:   1 for an empty index or a disabled location; 0 when the config
#            file from kopiaConfigPath already exists; otherwise installs kopia
#            if it is not on PATH and returns kopiaInitLocation's status.
#######################################
kopiaEnsureLocationReady()
{
  local idx="$1"
  [[ -n "$idx" ]] || return 1
  resticLocationEnabled "$idx" || return 1
  local cfgFile
  cfgFile=$(kopiaConfigPath "$idx")
  # A present config means this location was initialized earlier — nothing to do.
  [[ -f "$cfgFile" ]] && return 0
  # Install the binary only when it is genuinely missing; bail if that fails.
  command -v kopia >/dev/null 2>&1 || kopiaInstall || return 1
  kopiaInitLocation "$idx"
}