Document review matrix and drift checks

2026-06-26 08:29:32 +02:00
parent ad9bb40b95
commit 5fbda4989d
15 changed files with 282 additions and 11 deletions
@@ -11,7 +11,9 @@ ALLOW_DISK1_NTFS="${ALLOW_DISK1_NTFS:-0}"
 ALERT_STATE_PATH="${ALERT_STATE_PATH:-/mnt/user/services/posture-check/last-alert.state}"
 ALERT_REPEAT_SECONDS="${ALERT_REPEAT_SECONDS:-86400}"
 SKIP_AUTHELIA_DRIFT="${SKIP_AUTHELIA_DRIFT:-0}"
+SKIP_TRAEFIK_DYNAMIC_DRIFT="${SKIP_TRAEFIK_DYNAMIC_DRIFT:-0}"
 AUTHELIA_DIFF_SCRIPT="${AUTHELIA_DIFF_SCRIPT:-/mnt/user/services/homelab-infra/services/authelia-diff.sh}"
+TRAEFIK_DYNAMIC_DIFF_SCRIPT="${TRAEFIK_DYNAMIC_DIFF_SCRIPT:-/mnt/user/services/homelab-infra/services/traefik-dynamic-diff.sh}"

 mkdir -p "$TMP_DIR"
 RESULTS_FILE="$TMP_DIR/results.$$"
@@ -232,10 +234,12 @@ check_authelia_config_drift() {
    return
  fi

-  local output
+  local output=""
  local rc
+  set +e
  output="$(bash "$AUTHELIA_DIFF_SCRIPT" 2>&1)"
  rc=$?
+  set -e

  case "$rc" in
    0)
@@ -256,6 +260,43 @@ check_authelia_config_drift() {
  esac
 }

+check_traefik_dynamic_drift() {
+  if [ "$SKIP_TRAEFIK_DYNAMIC_DRIFT" = "1" ]; then
+    add_result "ok" "traefik_dynamic_drift" "Traefik dynamic drift check skipped via SKIP_TRAEFIK_DYNAMIC_DRIFT=1"
+    return
+  fi
+
+  if [ ! -x "$TRAEFIK_DYNAMIC_DIFF_SCRIPT" ] && [ ! -f "$TRAEFIK_DYNAMIC_DIFF_SCRIPT" ]; then
+    add_result "warning" "traefik_dynamic_drift" "Traefik dynamic diff script missing: $TRAEFIK_DYNAMIC_DIFF_SCRIPT"
+    return
+  fi
+
+  local output=""
+  local rc
+  set +e
+  output="$(bash "$TRAEFIK_DYNAMIC_DIFF_SCRIPT" 2>&1)"
+  rc=$?
+  set -e
+
+  case "$rc" in
+    0)
+      add_result "ok" "traefik_dynamic_drift" "Traefik dynamic repo baseline matches host directory"
+      ;;
+    1)
+      add_result "warning" "traefik_dynamic_drift" "Traefik dynamic repo<->host drift; run traefik-dynamic-diff.sh for details"
+      ;;
+    2)
+      add_result "warning" "traefik_dynamic_drift" "Traefik dynamic diff aborted: $output"
+      ;;
+    4)
+      add_result "warning" "traefik_dynamic_drift" "Traefik dynamic diff missing tool: $output"
+      ;;
+    *)
+      add_result "warning" "traefik_dynamic_drift" "Traefik dynamic diff returned unexpected rc=$rc: $output"
+      ;;
+  esac
+}
+
 send_ntfy() {
  local severity="$1"
  local topic="$2"
@@ -426,6 +467,7 @@ main() {

  check_nvme_smart
  check_authelia_config_drift
+  check_traefik_dynamic_drift
  write_json
 }

@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+# Vergleicht die Traefik dynamic File-Provider-Dateien aus dem Repo-Spiegel
+# gegen die produktive Host-Dateiablage. Der Check ist read-only:
+# rsync laeuft mit --dry-run und schreibt nichts.
+#
+# Aufruf-Defaults siehe Variablen unten. Aufruf typischerweise:
+#   bash services/traefik-dynamic-diff.sh
+#
+# Exit-Codes:
+#   0  Repo und Host sind identisch
+#   1  Drift festgestellt (rsync itemized output auf stdout)
+#   2  Repo- oder Host-Verzeichnis fehlt
+#   4  internes Werkzeug fehlt (rsync)
+
+set -uo pipefail
+
+TRAEFIK_DYNAMIC_REPO_DIR="${TRAEFIK_DYNAMIC_REPO_DIR:-/mnt/user/services/homelab-infra/traefik/dynamic}"
+TRAEFIK_DYNAMIC_HOST_DIR="${TRAEFIK_DYNAMIC_HOST_DIR:-/mnt/user/appdata/traefik/dynamic}"
+
+if ! command -v rsync >/dev/null 2>&1; then
+  echo "traefik-dynamic-diff: missing required command 'rsync'" >&2
+  exit 4
+fi
+
+if [ ! -d "$TRAEFIK_DYNAMIC_REPO_DIR" ]; then
+  echo "traefik-dynamic-diff: repo directory not found: $TRAEFIK_DYNAMIC_REPO_DIR" >&2
+  exit 2
+fi
+
+if [ ! -d "$TRAEFIK_DYNAMIC_HOST_DIR" ]; then
+  echo "traefik-dynamic-diff: host directory not found: $TRAEFIK_DYNAMIC_HOST_DIR" >&2
+  exit 2
+fi
+
+diff_output="$(rsync -rni --checksum --delete \
+  "$TRAEFIK_DYNAMIC_REPO_DIR"/ \
+  "$TRAEFIK_DYNAMIC_HOST_DIR"/)"
+
+if [ -n "$diff_output" ]; then
+  printf '%s\n' "$diff_output"
+  exit 1
+fi
+
+exit 0