Harden backup and posture checks

ops/restore-tests/check-restore-freshness.sh

@@ -3,7 +3,7 @@ set -euo pipefail
 
 DUMP_ROOT="${DUMP_ROOT:-/mnt/user/backups/borg/dumps/latest}"
 REPORT_ROOT="${REPORT_ROOT:-/mnt/user/backups/restore-reports}"
-MAX_DUMP_AGE_HOURS="${MAX_DUMP_AGE_HOURS:-36}"
+MAX_DUMP_AGE_HOURS="${MAX_DUMP_AGE_HOURS:-26}"
 MAX_REPORT_AGE_DAYS="${MAX_REPORT_AGE_DAYS:-45}"
 
 now_epoch="$(date +%s)"
@@ -25,21 +25,40 @@ check_file_age_days() {
   echo $(( (now_epoch - mtime) / 86400 ))
 }
 
-for dump in postgresql17-paperless.dump postgresql17-mailarchiver.dump mealie.dump immich.dump; do
+for dump in \
+  postgresql17-paperless.dump \
+  postgresql17-mailarchiver.dump \
+  mealie.dump \
+  immich.dump \
+  nextcloud.dump \
+  gitea.sqlite.dump \
+  vaultwarden.sqlite.dump \
+  uptime-kuma.sqlite.dump \
+  speedtest-tracker.sqlite.dump \
+  filebrowser.sqlite.dump; do
   path="$DUMP_ROOT/$dump"
   if [ ! -f "$path" ]; then
     critical+=("DUMP_MISSING $dump")
     continue
   fi
+  if [ ! -s "$path" ]; then
+    critical+=("DUMP_EMPTY $dump")
+    continue
+  fi
   age="$(check_file_age_hours "$path")"
   if [ "$age" -gt "$MAX_DUMP_AGE_HOURS" ]; then
-    warnings+=("DUMP_STALE $dump age=${age}h")
+    critical+=("DUMP_STALE $dump age=${age}h")
   else
     info+=("DUMP_OK $dump age=${age}h")
   fi
 done
 
 for service in vaultwarden gitea paperless; do
+  if [ ! -d "$REPORT_ROOT" ]; then
+    warnings+=("REPORT_ROOT_MISSING $REPORT_ROOT")
+    break
+  fi
+
   latest="$(find "$REPORT_ROOT" -maxdepth 1 -type f -name "$service-*.md" | sort | tail -n 1 || true)"
   if [ -z "$latest" ]; then
     warnings+=("REPORT_MISSING $service")