From 1acd4c68305d9a14bba43958f9ae5eee80c3b5d8 Mon Sep 17 00:00:00 2001 From: Micha Date: Mon, 4 May 2026 20:43:48 +0200 Subject: [PATCH] docs(borg): backup scope reconciled with nextcloud, grafana, influxdb, hermes, backrest, bentopdf; portainer leftover removed; open decisions made explicit docs(borg): backup scope reconciled with nextcloud, grafana, influxdb, hermes, backrest, bentopdf; portainer leftover removed; open decisions made explicit --- ops/borg-ui/BACKUP_SCOPE.md | 34 +++++++++++++++++++++++++++-- ops/hermes-agent/Dockerfile | 6 +++++ ops/hermes-agent/docker-compose.yml | 2 +- 3 files changed, 39 insertions(+), 3 deletions(-) diff --git a/ops/borg-ui/BACKUP_SCOPE.md b/ops/borg-ui/BACKUP_SCOPE.md index 4ac1f04..1770015 100644 --- a/ops/borg-ui/BACKUP_SCOPE.md +++ b/ops/borg-ui/BACKUP_SCOPE.md @@ -1,5 +1,7 @@ # Borg Backup Scope for KalliLabcore +Stand: 2026-05-04 + This file defines the target state for replacing Backrest with Borg in this homelab. ## Goal 
@@ -38,7 +40,36 @@ The inclusion of `/local/secrets` is intentional: Borg is expected to cover disa | Tailscale | file data | `/local/appdata/tailscale` | | AdGuard | config only | `/local/appdata/adguard/conf` | | Borg UI | self-backup | `/local/appdata/borg-ui/data` | -| Komodo | config/cache only, optional | `/local/appdata/komodo/periphery`, `/local/appdata/komodo/core` | +| Komodo | config + Mongo dump | `/local/borg-dumps`, `/local/appdata/komodo/periphery`, `/local/appdata/komodo/core` | +| Nextcloud | raw DB path + file data | `/local/appdata/nextcloud/html`, `/local/appdata/nextcloud/postgres`, `/local/appdata/nextcloud/redis`; user data path see gap below | +| Grafana | file data | `/local/appdata/grafana` | +| InfluxDB 3 Core | file data | `/local/appdata/influxdb3/data`, `/local/appdata/influxdb3/plugins` | +| Hermes Agent | file data + SSH key | `/local/appdata/hermes-agent/data`, `/local/secrets/hermes_runner_id_ed25519` | +| Backrest | file data | `/local/appdata/backrest/data`, `/local/appdata/backrest/config` | +| BentoPDF | rebuildable | no critical persistence in compose | + +## Open Decisions and Coverage Gaps + +These are deviations from the standard "DB dump first, file path second" strategy. Decide deliberately, do not silently extend. + +### Nextcloud database + +Recovery currently relies on the raw live DB path `/local/appdata/nextcloud/postgres`. This is inconsistent with the policy "Do not back up raw live database storage directories as the primary recovery artifact" stated below. + +Open decision: + +- Option A: extend `ops/borg-ui/scripts/pre-backup-dumps.sh` with a `nextcloud-postgres` dump and treat the raw path as transient. +- Option B: accept the raw path as a documented Nextcloud-specific exception. + +Until decided, the raw path is what Borg sees today and is the only Nextcloud DB recovery surface. 
+ +### Nextcloud user data path is outside the borg-ui mount set + +`/mnt/user/documents/nextcloud-data` is not mounted into `borg-ui` in `ops/borg-ui/docker-compose.yml`. Nextcloud user files are therefore not in the current Borg scope. Resolution requires a separate Compose change (add a read-only mount) and is not silently fixed in this scope document. + +### Komodo Mongo dump + +`komodo-mongo.archive.gz` was produced and verified on 2026-05-04 (`gzip -t` ok). The dump function is in place in `pre-backup-dumps.sh`. Re-verify after any Komodo or Mongo major upgrade. ## Database Dumps Required @@ -77,7 +108,6 @@ These are not part of the first-class Borg scope: - scrutiny metrics history - dozzle, glances, speedtest - filebrowser app state -- portainer ## Suggested Retention diff --git a/ops/hermes-agent/Dockerfile b/ops/hermes-agent/Dockerfile index aae3997..d61f55e 100644 --- a/ops/hermes-agent/Dockerfile +++ b/ops/hermes-agent/Dockerfile @@ -5,3 +5,9 @@ USER root RUN apt-get update && \ apt-get install -y --no-install-recommends openssh-client && \ rm -rf /var/lib/apt/lists/* + +RUN cd /opt/hermes/web && \ + npm install && \ + npm run build + +RUN python3 -c "from pathlib import Path; p = Path('/opt/hermes/hermes_cli/main.py'); s = p.read_text(); old = ' if not (web_dir / \"package.json\").exists():\n return True\n'; new = ' if not (web_dir / \"package.json\").exists():\n return True\n prebuilt_dist = web_dir.parent / \"hermes_cli\" / \"web_dist\" / \"index.html\"\n if prebuilt_dist.exists():\n return True\n'; p.write_text(s.replace(old, new))" diff --git a/ops/hermes-agent/docker-compose.yml b/ops/hermes-agent/docker-compose.yml index 0a08448..2fe92b5 100644 --- a/ops/hermes-agent/docker-compose.yml +++ b/ops/hermes-agent/docker-compose.yml @@ -49,7 +49,7 @@ services: - dashboard restart: unless-stopped init: true - command: dashboard --host 0.0.0.0 + command: dashboard --host 0.0.0.0 --insecure --no-open security_opt: - no-new-privileges:true cap_drop:
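Review bot: In the BACKUP_SCOPE.md table hunk, the Hermes Agent row adds the private key `/local/secrets/hermes_runner_id_ed25519` to the archive set, but nothing in the visible lines says whether the Borg repository is encrypted or who holds the passphrase. Anyone who can read the repository obtains the runner key, so state the repository encryption mode and key custody next to the `/local/secrets` rationale, and add rotation of that key to the restore procedure. Two smaller points in the same hunk: the Komodo section treats `gzip -t` as verification, which only proves the gzip stream is intact and not that the archive restores, so a test restore into a scratch instance would be the stronger check; and the Nextcloud section should say that a file-level copy of a running Postgres data directory may not be restorable, since it is described as the only DB recovery surface until the decision is made.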
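Review bot: In the ops/hermes-agent/Dockerfile hunk, the `python3 -c` step rewrites `/opt/hermes/hermes_cli/main.py` with `s.replace(old, new)` and never checks that `old` was found, so an upstream change to that function turns the patch into a silent no-op while the image still builds. Fail the build when `old` is not in `s` (or when it does not occur exactly once), and consider moving the one-liner into a small script file so the whitespace-sensitive match strings can be reviewed. Also, `npm install` under `USER root` resolves dependencies at build time and runs package lifecycle scripts as root; if the web directory ships a lockfile, `npm ci` keeps the build reproducible.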
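Review bot: In the ops/hermes-agent/docker-compose.yml hunk, `--insecure` is added to a command that already binds `--host 0.0.0.0`, and neither the diff nor the `docs(borg)` commit subject says what the flag turns off. Add a comment in the compose file documenting what `--insecure` disables and what limits access to the dashboard (published ports, reverse proxy, network), or bind to a specific interface instead of all addresses. This change and the Dockerfile change are functional and would be easier to audit and revert as their own commit than under a docs subject.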