From 24d0d9067057fb1d59464a94e993aa5f86e5e733 Mon Sep 17 00:00:00 2001
From: Micha
Date: Wed, 27 May 2026 20:44:50 +0200
Subject: [PATCH] Make dump output 0644 by default, exclude flash config from H pull

pre-backup-dumps.sh: atomic_write nimmt jetzt einen optionalen mode-Parameter (Default 0644). Damit sind alle DB-/SQLite-/BoltDB- /Mongo-Dumps konsistent 0644 und vom Nearline-Pull lesbar. Die sensible unraid-flash-config-Familie (.tar.gz, .sha256, .manifest) ruft explizit mit mode 600 auf und bleibt damit Operator-only. Loest das Permission-Problem fuer filebrowser.bolt.dump (Source ist 0640) im naechsten regulaeren Dump-Lauf.

pull-critical-backups.ps1: Jobs koennen ExcludeFiles ueber /XF mitliefern. borg-dumps-latest schliesst die unraid-flash-config- Artefakte aus, weil sie bewusst 0600 bleiben sollen und sonst den Lauf abbrechen lassen. Restore-Quelle fuer Flash-Config bleibt das Hetzner-Borg-Repo.

Co-Authored-By: Claude Opus 4.7
---
 ops/borg-ui/scripts/pre-backup-dumps.sh | 17 +++++++++++------
 ops/h-drive-nearline/pull-critical-backups.ps1 | 18 ++++++++++++++++--
 2 files changed, 27 insertions(+), 8 deletions(-)

diff --git a/ops/borg-ui/scripts/pre-backup-dumps.sh b/ops/borg-ui/scripts/pre-backup-dumps.sh
index ffb0543..f7ec53b 100755
--- a/ops/borg-ui/scripts/pre-backup-dumps.sh
+++ b/ops/borg-ui/scripts/pre-backup-dumps.sh
@@ -37,7 +37,13 @@ ensure_dirs() {
 atomic_write() {
   target="$1"
   tmp="$2"
+  mode="${3:-644}"
   mkdir -p "$(dirname "$target")"
+  # Standard 0644, damit der Nearline-Pull-Workflow (docs/H_DRIVE_NEARLINE_PULL.md)
+  # und Restore-Test-Skripte die Dumps per SMB-Read-Share oder unprivilegiert
+  # lesen koennen. Sensible Sonderfaelle wie unraid-flash-config rufen mit
+  # explizitem 600 auf, damit die bewusste Beschraenkung erhalten bleibt.
+  chmod "$mode" "$tmp"
   mv "$tmp" "$target"
 }
 
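Review bot: `mode="${3:-644}"` is handed to `chmod` without validation, so a caller typo such as a two-digit `60` or a non-octal string produces an unintended mode (or a chmod error deep inside the helper) instead of a clear failure at the call site; a guard before the chmod, `case "$mode" in [0-7][0-7][0-7]|[0-7][0-7][0-7][0-7]) ;; *) printf 'atomic_write: invalid mode %s\n' "$mode" >&2; return 1 ;; esac`, keeps the permissive default from masking mistakes. Every existing caller that passes no third argument now gets 0644 regardless of what the dumping tool created, so any dump that carries credentials (a pg or Mongo dump of an application database, for instance) becomes readable by every local account on the host; that is presumably the intended trade-off for the SMB read share, but the function header should state it rather than only the comment naming the flash config as the exception. A short header above `atomic_write()` documenting `$1` target, `$2` tmp file and `$3` optional octal mode (default 644, applied before the rename so the target never exists with a wrong mode) would make the new contract visible to the next caller.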
@@ -179,15 +185,15 @@ backup_unraid_flash_config() {
     --exclude='config/plugins/*/*.zip' \
     --exclude='config/plugins/*/*.md5' \
     -czf "$tmp" config
-  chmod 600 "$tmp"
-  atomic_write "$output" "$tmp"
+  # Flash-Config ist sensibel (enthaelt /boot/config inkl. Plugin-/SMB-/Network-Settings);
+  # bewusst 0600, damit der Nearline-Pull ueber SMB sie nicht versehentlich greift.
+  atomic_write "$output" "$tmp" 600
 
   (
     cd "$LATEST_DIR"
     sha256sum "$(basename "$output")"
   ) > "$tmp_checksum"
-  chmod 600 "$tmp_checksum"
-  atomic_write "$checksum" "$tmp_checksum"
+  atomic_write "$checksum" "$tmp_checksum" 600
 
   {
     printf 'created_utc=%s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')"
@@ -201,8 +207,7 @@ backup_unraid_flash_config() {
     printf 'note=%s\n' 'Contains Unraid configuration and must be treated as secret backup material.'
     printf 'excluded=%s\n' 'downloadable plugin package archives under /boot/config/plugins/*/'
   } > "$tmp_manifest"
-  chmod 600 "$tmp_manifest"
-  atomic_write "$manifest" "$tmp_manifest"
+  atomic_write "$manifest" "$tmp_manifest" 600
 }
 
 dump_optional_pg_db() {
diff --git a/ops/h-drive-nearline/pull-critical-backups.ps1 b/ops/h-drive-nearline/pull-critical-backups.ps1
index 2063f43..5175d94 100644
--- a/ops/h-drive-nearline/pull-critical-backups.ps1
+++ b/ops/h-drive-nearline/pull-critical-backups.ps1
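Review bot: The secrecy of the flash-config artifacts now rests on every caller remembering the trailing `600` — `atomic_write "$output" "$tmp" 600` here, the checksum call below it, and the manifest call in the `@@ -201,8` hunk — and an omitted argument silently falls back to the world-readable default with no failure. A named wrapper, `atomic_write_secret() { atomic_write "$1" "$2" 600; }`, or a `readonly SECRET_MODE=600` used at all three sites makes the intent greppable and removes the fail-open path. Note also that the tar archive, the checksum and the manifest are created with the process umask and only tightened inside atomic_write just before the rename, exactly as before the change, so `$tmp` briefly carries umask permissions; if the script does not already set a restrictive umask near the top (not visible in this hunk), a `umask 077` before the tar call closes that window. backup_unraid_flash_config begins before this hunk.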
@@ -11,13 +11,19 @@ $Jobs = @(
         Name = "borg-dumps-latest"
         Source = Join-Path $SourceRoot "borg\dumps\latest"
         Destination = Join-Path $DestinationRoot "borg-dumps\latest"
-        Purpose = "Latest database/application dumps, including unraid-flash-config.tar.gz"
+        Purpose = "Latest database/application dumps (Unraid-Flash-Artefakte bewusst ausgeschlossen, weil 0600 root:root - dafuer bleibt die Hetzner-Borg-Kette die Restore-Quelle)"
+        # /XF schliesst bewusst die unraid-flash-config-Artefakte aus,
+        # weil sie hostseitig 0600 root:root sind und der SMB-Share das
+        # nicht ueberbruecken kann. Restore-Quelle dafuer bleibt das
+        # Hetzner-Borg-Repo (siehe docs/RESTORE_MATRIX.md Tier 1 Unraid OS Flash).
+        ExcludeFiles = @("unraid-flash-config.tar.gz", "unraid-flash-config.tar.gz.sha256", "unraid-flash-config.manifest.txt")
     },
     @{
         Name = "gitea-bundles"
         Source = Join-Path $SourceRoot "git-bundles\gitea"
         Destination = Join-Path $DestinationRoot "git-bundles\gitea"
         Purpose = "Verified bare-repository bundles for Gitea bootstrap"
+        ExcludeFiles = @()
     }
 )
 
@@ -58,6 +64,11 @@ function Invoke-RobocopyJob {
         "/LOG:$logPath"
     )
 
+    if ($Job.ContainsKey("ExcludeFiles") -and $Job.ExcludeFiles.Count -gt 0) {
+        $args += "/XF"
+        $args += $Job.ExcludeFiles
+    }
+
     Write-Host "Running robocopy job: $($Job.Name)"
     Write-Host " Source: $($Job.Source)"
     Write-Host " Destination: $($Job.Destination)"
@@ -128,9 +139,12 @@ $lines += "Expected critical artifacts after run:"
 $lines += ""
 $lines += "- ``borg-dumps/latest/immich.dump``"
 $lines += "- ``borg-dumps/latest/komodo-mongo.archive.gz``"
-$lines += "- ``borg-dumps/latest/unraid-flash-config.tar.gz``"
 $lines += "- ``git-bundles/gitea/latest-report.md``"
 $lines += "- ``git-bundles/gitea/micha/*.bundle``"
+$lines += ""
+$lines += "Bewusst NICHT in Nearline-Scope:"
+$lines += ""
+$lines += "- ``unraid-flash-config.tar.gz`` (hostseitig 0600 root:root; Restore aus Hetzner-Borg)"
 
 $lines | Set-Content -LiteralPath $reportPath -Encoding UTF8
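Review bot: The new lines in the `@@ -58,6 +64,11` hunk of `Invoke-RobocopyJob` append to `$args`, which is PowerShell's automatic variable for unbound function arguments; the assignment works, but reusing that name for the robocopy argument list hides what the array is, and since its declaration sits outside this hunk a rename such as `$robocopyArgs += "/XF"` would have to be applied there as well. The exclusion itself looks sound: the three names are passed as separate arguments after `/XF` and robocopy matches them by file name, so keeping the list free of wildcards as done here avoids excluding more than the flash-config family. Because the list must stay in step with the artifact names produced by `backup_unraid_flash_config` in `ops/borg-ui/scripts/pre-backup-dumps.sh`, a one-line pointer beside `ExcludeFiles` in the `@@ -11,13` hunk — `# keep in sync with backup_unraid_flash_config in ops/borg-ui/scripts/pre-backup-dumps.sh` — would make a future rename less likely to reintroduce the access-denied abort the commit is working around. The body of Invoke-RobocopyJob begins before and continues after its hunk.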