The backup engine already drops to the backup user (sudo -E -u $docker_install_user) and backupLocationOwner == $docker_install_user, which is exactly what runFileOp/runFileWrite resolve to in both modes. So convert the raw-sudo data ops (mkdir/chmod/rm/find/cat/grep/mv/chown/tee on backup repos, location configs, keys, manifests) to runFileOp/runFileWrite — creating files as the owner directly, no root chown. backup_verify creates its scratch as the backup user (runFileOp mktemp) instead of chown-after. Binary installs (kopia tar/install, borg dnf) -> runSystem. The 44 sudo -u engine drops stay (already least-privilege; the scoped sudoers will grant them). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> Signed-off-by: librelad <librelad@digitalangels.vip>
#!/bin/bash
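kopiaInitLocation()
{
  # Create (or confirm) the Kopia repository for backup location $1.
  #
  # Arguments: $1 - location index, as understood by the restic*/backup* helpers
  # Globals:   docker_install_user (read) - unprivileged account kopia runs as
  # Returns:   0 when the location is disabled, already initialized, or the
  #            repository was created; 1 on any error. The Kopia environment
  #            exported by kopiaEnvExport is unset again on every path after
  #            a successful export.
  local idx="$1"

  if ! resticLocationEnabled "$idx"; then
    isNotice "Location $(resticLocationName "$idx") disabled — skipping init"
    return 0
  fi

  kopiaEnvExport "$idx" || return 1

  local t
  t=$(resticLocationType "$idx")

  # Already initialized? `kopia repository status` returns 0 only if the
  # config file is connected to a repo. -E keeps the variables kopiaEnvExport
  # set when dropping to the backup user.
  if sudo -E -u "$docker_install_user" kopia repository status --json >/dev/null 2>&1; then
    isNotice "$(resticLocationName "$idx") already initialized"
    kopiaEnvUnset
    return 0
  fi

  local args
  case "$t" in
    local)
      local path
      path=$(backupLocationResolvedPath "$idx")
      # Guard the recursive chown below: an empty or root path would mean a
      # filesystem-wide ownership change, never a backup repository.
      if [[ -z "$path" || "$path" == "/" ]]; then
        isError "Refusing to initialize $(resticLocationName "$idx"): resolved local path is empty or '/'"
        kopiaEnvUnset
        return 1
      fi
      runFileOp mkdir -p "$path"
      # Per the commit message runFileOp already runs as $docker_install_user,
      # so this is expected to be a no-op for the freshly created directory and
      # only settles ownership of pre-existing content — confirm against
      # runFileOp's root-mode behaviour.
      runFileOp chown -R "$docker_install_user":"$docker_install_user" "$path"
      args=(repository create filesystem --path="$path")
      ;;
    sftp)
      local user host port path auth keyfile
      user=$(resticLocationField "$idx" SSH_USER)
      host=$(resticLocationField "$idx" SSH_HOST)
      port=$(resticLocationField "$idx" SSH_PORT)
      port=${port:-22}
      path=$(resticLocationField "$idx" SSH_PATH)
      auth=$(resticLocationField "$idx" SSH_AUTH)
      if [[ "$auth" == "password" ]]; then
        isError "Kopia's SFTP backend supports key auth only. Switch this location's engine to restic or borg if you need password auth, or generate an SSH key on the location's edit panel."
        kopiaEnvUnset
        return 1
      fi
      keyfile=$(backupSshKeyFile "$idx")
      # This existence check runs as the calling user; kopia itself runs as
      # $docker_install_user, so the key presumably also has to be readable by
      # that account or the create below fails with kopia's own error.
      if [[ ! -f "$keyfile" ]]; then
        isError "Kopia SFTP needs a private key at $keyfile — generate or paste one on the location's edit panel."
        kopiaEnvUnset
        return 1
      fi
      # NOTE(review): --known-hosts-data is passed empty; confirm that kopia
      # then still verifies the server host key (e.g. from the backup user's
      # known_hosts) rather than skipping the check.
      args=(repository create sftp --host="$host" --port="$port" --username="$user" --path="$path" --known-hosts-data="" --keyfile="$keyfile")
      ;;
    *)
      isError "Kopia adapter doesn't support type=$t yet"
      kopiaEnvUnset
      return 1
      ;;
  esac

  isNotice "Initializing $(resticLocationName "$idx") with Kopia"
  if sudo -E -u "$docker_install_user" kopia "${args[@]}"; then
    isSuccessful "$(resticLocationName "$idx") initialized"
  else
    isError "Failed to initialize $(resticLocationName "$idx") with Kopia"
    kopiaEnvUnset
    return 1
  fi

  kopiaEnvUnset
}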
kopiaEnsureLocationReady()
{
  # Make location $1 usable by the Kopia adapter: it must be enabled, kopia
  # must be installed, and a repository config must exist (created on demand).
  #
  # Arguments: $1 - location index
  # Returns:   0 when a Kopia config already exists for the location or
  #            kopiaInitLocation succeeded; 1 when the index is empty, the
  #            location is disabled, kopia could not be installed, or the
  #            initialization failed.
  local idx="$1"

  if [[ -z "$idx" ]] || ! resticLocationEnabled "$idx"; then
    return 1
  fi

  # An existing config file means the repository was already set up.
  local cfgFile
  cfgFile=$(kopiaConfigPath "$idx")
  [[ -f "$cfgFile" ]] && return 0

  # Install the binary on first use, then create/connect the repository.
  command -v kopia >/dev/null 2>&1 || kopiaInstall || return 1
  kopiaInitLocation "$idx"
}