Micha/homelab-infra
1
0
Fork 0
Code Issues 1 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Make dump output 0644 by default, exclude flash config from H pull

Browse Source 
pre-backup-dumps.sh: atomic_write nimmt jetzt einen optionalen
mode-Parameter (Default 0644). Damit sind alle DB-/SQLite-/BoltDB-
/Mongo-Dumps konsistent 0644 und vom Nearline-Pull lesbar. Die
sensible unraid-flash-config-Familie (.tar.gz, .sha256, .manifest)
ruft explizit mit mode 600 auf und bleibt damit Operator-only.
Loest das Permission-Problem fuer filebrowser.bolt.dump (Source
ist 0640) im naechsten regulaeren Dump-Lauf.

pull-critical-backups.ps1: Jobs koennen ExcludeFiles ueber /XF
mitliefern. borg-dumps-latest schliesst die unraid-flash-config-
Artefakte aus, weil sie bewusst 0600 bleiben sollen und sonst den
Lauf abbrechen lassen. Restore-Quelle fuer Flash-Config bleibt
das Hetzner-Borg-Repo.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Micha
2026-05-27 20:44:50 +02:00
parent 0ae44bd797
commit 24d0d90670
2 changed files with 27 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files
ops/borg-ui/scripts/pre-backup-dumps.sh
+11 -6
View File
@@ -37,7 +37,13 @@ ensure_dirs() {
atomic_write() { atomic_write() {
target="$1" target="$1"
tmp="$2" tmp="$2"
mode="${3:-644}"
mkdir -p "$(dirname "$target")" mkdir -p "$(dirname "$target")"
# Standard 0644, damit der Nearline-Pull-Workflow (docs/H_DRIVE_NEARLINE_PULL.md)
# und Restore-Test-Skripte die Dumps per SMB-Read-Share oder unprivilegiert
# lesen koennen. Sensible Sonderfaelle wie unraid-flash-config rufen mit
# explizitem 600 auf, damit die bewusste Beschraenkung erhalten bleibt.
chmod "$mode" "$tmp"
mv "$tmp" "$target" mv "$tmp" "$target"
} }
@@ -179,15 +185,15 @@ backup_unraid_flash_config() {
--exclude='config/plugins/*/*.zip' \ --exclude='config/plugins/*/*.zip' \
--exclude='config/plugins/*/*.md5' \ --exclude='config/plugins/*/*.md5' \
-czf "$tmp" config -czf "$tmp" config
chmod 600 "$tmp" # Flash-Config ist sensibel (enthaelt /boot/config inkl. Plugin-/SMB-/Network-Settings);
atomic_write "$output" "$tmp" # bewusst 0600, damit der Nearline-Pull ueber SMB sie nicht versehentlich greift.
atomic_write "$output" "$tmp" 600
( (
cd "$LATEST_DIR" cd "$LATEST_DIR"
sha256sum "$(basename "$output")" sha256sum "$(basename "$output")"
) > "$tmp_checksum" ) > "$tmp_checksum"
chmod 600 "$tmp_checksum" atomic_write "$checksum" "$tmp_checksum" 600
atomic_write "$checksum" "$tmp_checksum"
{ {
printf 'created_utc=%s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" printf 'created_utc=%s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')"
@@ -201,8 +207,7 @@ backup_unraid_flash_config() {
printf 'note=%s\n' 'Contains Unraid configuration and must be treated as secret backup material.' printf 'note=%s\n' 'Contains Unraid configuration and must be treated as secret backup material.'
printf 'excluded=%s\n' 'downloadable plugin package archives under /boot/config/plugins/*/' printf 'excluded=%s\n' 'downloadable plugin package archives under /boot/config/plugins/*/'
} > "$tmp_manifest" } > "$tmp_manifest"
chmod 600 "$tmp_manifest" atomic_write "$manifest" "$tmp_manifest" 600
atomic_write "$manifest" "$tmp_manifest"
} }
dump_optional_pg_db() { dump_optional_pg_db() {
ops/h-drive-nearline/pull-critical-backups.ps1
+16 -2
View File
@@ -11,13 +11,19 @@ $Jobs = @(
Name = "borg-dumps-latest" Name = "borg-dumps-latest"
Source = Join-Path $SourceRoot "borg\dumps\latest" Source = Join-Path $SourceRoot "borg\dumps\latest"
Destination = Join-Path $DestinationRoot "borg-dumps\latest" Destination = Join-Path $DestinationRoot "borg-dumps\latest"
Purpose = "Latest database/application dumps, including unraid-flash-config.tar.gz" Purpose = "Latest database/application dumps (Unraid-Flash-Artefakte bewusst ausgeschlossen, weil 0600 root:root - dafuer bleibt die Hetzner-Borg-Kette die Restore-Quelle)"
# /XF schliesst bewusst die unraid-flash-config-Artefakte aus,
# weil sie hostseitig 0600 root:root sind und der SMB-Share das
# nicht ueberbruecken kann. Restore-Quelle dafuer bleibt das
# Hetzner-Borg-Repo (siehe docs/RESTORE_MATRIX.md Tier 1 Unraid OS Flash).
ExcludeFiles = @("unraid-flash-config.tar.gz", "unraid-flash-config.tar.gz.sha256", "unraid-flash-config.manifest.txt")
}, },
@{ @{
Name = "gitea-bundles" Name = "gitea-bundles"
Source = Join-Path $SourceRoot "git-bundles\gitea" Source = Join-Path $SourceRoot "git-bundles\gitea"
Destination = Join-Path $DestinationRoot "git-bundles\gitea" Destination = Join-Path $DestinationRoot "git-bundles\gitea"
Purpose = "Verified bare-repository bundles for Gitea bootstrap" Purpose = "Verified bare-repository bundles for Gitea bootstrap"
ExcludeFiles = @()
} }
) )
@@ -58,6 +64,11 @@ function Invoke-RobocopyJob {
"/LOG:$logPath" "/LOG:$logPath"
) )
if ($Job.ContainsKey("ExcludeFiles") -and $Job.ExcludeFiles.Count -gt 0) {
$args += "/XF"
$args += $Job.ExcludeFiles
}
Write-Host "Running robocopy job: $($Job.Name)" Write-Host "Running robocopy job: $($Job.Name)"
Write-Host " Source: $($Job.Source)" Write-Host " Source: $($Job.Source)"
Write-Host " Destination: $($Job.Destination)" Write-Host " Destination: $($Job.Destination)"
@@ -128,9 +139,12 @@ $lines += "Expected critical artifacts after run:"
$lines += "" $lines += ""
$lines += "- ``borg-dumps/latest/immich.dump``" $lines += "- ``borg-dumps/latest/immich.dump``"
$lines += "- ``borg-dumps/latest/komodo-mongo.archive.gz``" $lines += "- ``borg-dumps/latest/komodo-mongo.archive.gz``"
$lines += "- ``borg-dumps/latest/unraid-flash-config.tar.gz``"
$lines += "- ``git-bundles/gitea/latest-report.md``" $lines += "- ``git-bundles/gitea/latest-report.md``"
$lines += "- ``git-bundles/gitea/micha/*.bundle``" $lines += "- ``git-bundles/gitea/micha/*.bundle``"
$lines += ""
$lines += "Bewusst NICHT in Nearline-Scope:"
$lines += ""
$lines += "- ``unraid-flash-config.tar.gz`` (hostseitig 0600 root:root; Restore aus Hetzner-Borg)"
$lines | Set-Content -LiteralPath $reportPath -Encoding UTF8 $lines | Set-Content -LiteralPath $reportPath -Encoding UTF8