librelad 7acfdabbac refactor(de-sudo): backup subsystem data ops via runFileOp/runFileWrite
The backup engine already drops to the backup user (sudo -E -u
$docker_install_user) and backupLocationOwner == $docker_install_user, which is
exactly what runFileOp/runFileWrite resolve to in both modes. So convert the
raw-sudo data ops (mkdir/chmod/rm/find/cat/grep/mv/chown/tee on backup repos,
location configs, keys, manifests) to runFileOp/runFileWrite — creating files
as the owner directly, no root chown. backup_verify creates its scratch as the
backup user (runFileOp mktemp) instead of chown-after. Binary installs
(kopia tar/install, borg dnf) -> runSystem. The 44 sudo -u engine drops stay
(already least-privilege; the scoped sudoers will grant them).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-24 17:01:05 +01:00

51 lines
1.3 KiB
Bash

#!/bin/bash
borgInitLocation()
{
local idx="$1"
if ! resticLocationEnabled "$idx"; then
isNotice "Location $(resticLocationName "$idx") disabled — skipping init"
return 0
fi
borgEnvExport "$idx" || return 1
if [[ "$(resticLocationType "$idx")" == "local" ]]; then
runFileOp mkdir -p "$BORG_REPO"
runFileOp chown -R "$docker_install_user":"$docker_install_user" "$BORG_REPO"
fi
if sudo -E -u "$docker_install_user" borg info "$BORG_REPO" >/dev/null 2>&1; then
isNotice "$(resticLocationName "$idx") already initialized at $BORG_REPO"
borgEnvUnset
return 0
fi
isNotice "Initializing $(resticLocationName "$idx") at $BORG_REPO"
if sudo -E -u "$docker_install_user" borg init --encryption=repokey-blake2 "$BORG_REPO"; then
isSuccessful "$(resticLocationName "$idx") initialized"
else
isError "Failed to initialize $(resticLocationName "$idx")"
borgEnvUnset
return 1
fi
borgEnvUnset
}
borgEnsureLocationReady()
{
local idx="$1"
[[ -z "$idx" ]] && return 1
if ! resticLocationEnabled "$idx"; then
return 1
fi
if ! command -v borg >/dev/null 2>&1; then
borgInstall || return 1
fi
borgInitLocation "$idx"
}