Harden backup and posture checks

ops/borg-ui/scripts/pre-backup-dumps.sh

@@ -94,6 +94,39 @@ dump_sqlite_file() {
   atomic_write "$output" "$tmp"
 }
 
+dump_sqlite_container() {
+  container="$1"
+  db_path="$2"
+  output="$3"
+
+  if ! need_container "$container"; then
+    warn "Skipping missing container: $container"
+    return 0
+  fi
+
+  container_tmp="/tmp/$(basename "$output").bak"
+  tmp="$TMP_DIR/$(basename "$output").tmp"
+
+  log "Dumping SQLite database '$db_path' from $container"
+  rm -f "$tmp"
+  docker exec "$container" rm -f "$container_tmp" >/dev/null 2>&1 || true
+  if ! docker exec "$container" sqlite3 "$db_path" ".backup $container_tmp"; then
+    warn "SQLite backup failed for $container:$db_path"
+    docker exec "$container" rm -f "$container_tmp" >/dev/null 2>&1 || true
+    rm -f "$tmp"
+    return 1
+  fi
+  docker cp "$container:$container_tmp" "$tmp"
+  docker exec "$container" rm -f "$container_tmp" >/dev/null 2>&1 || true
+
+  if [ "$(sqlite3 "$tmp" 'PRAGMA quick_check;')" != "ok" ]; then
+    warn "SQLite quick_check failed for $container:$db_path"
+    rm -f "$tmp"
+    return 1
+  fi
+  atomic_write "$output" "$tmp"
+}
+
 dump_optional_pg_db() {
   container="$1"
   password="$2"
@@ -196,12 +229,14 @@ main() {
     warn "Skipping missing container: nextcloud-postgres"
   fi
 
-  # SQLite databases. Use host-side sqlite3 so the dump does not depend on
-  # utility packages inside application images.
-  dump_sqlite_file "/mnt/user/services/gitea/data/gitea/gitea.db" "$LATEST_DIR/gitea.sqlite" "gitea"
-  dump_sqlite_file "/mnt/user/appdata/vaultwarden/db.sqlite3" "$LATEST_DIR/vaultwarden.sqlite" "vaultwarden"
-  dump_sqlite_file "/mnt/user/appdata/uptime-kuma/kuma.db" "$LATEST_DIR/uptime-kuma.sqlite" "uptime-kuma"
-  dump_sqlite_file "/mnt/user/appdata/speedtest-tracker/config/database.sqlite" "$LATEST_DIR/speedtest-tracker.sqlite" "speedtest-tracker"
+  # SQLite databases
+  dump_sqlite_container "gitea" "/data/gitea/gitea.db" "$LATEST_DIR/gitea.sqlite.dump"
+  dump_sqlite_container "vaultwarden" "/data/db.sqlite3" "$LATEST_DIR/vaultwarden.sqlite.dump"
+  dump_sqlite_container "uptime-kuma" "/app/data/kuma.db" "$LATEST_DIR/uptime-kuma.sqlite.dump"
+  dump_sqlite_container "speedtest-tracker" "/config/database.sqlite" "$LATEST_DIR/speedtest-tracker.sqlite.dump"
+  dump_sqlite_container "filebrowser" "/database/filebrowser.db" "$LATEST_DIR/filebrowser.sqlite.dump"
+
+  # Additional host-side SQLite dumps for admin tooling with appdata files.
   dump_sqlite_file "/mnt/user/appdata/borg-ui/data/borg.db" "$LATEST_DIR/borg-ui.sqlite" "borg-ui"
   dump_sqlite_file "/mnt/user/appdata/grafana/grafana.db" "$LATEST_DIR/grafana.sqlite" "grafana"