Micha/homelab-infra
1
0
Fork 0
Code Issues 1 Pull Requests 4 Actions Packages Projects Releases Wiki Activity

Close Dawarich backup and egress follow-ups

Browse Source
This commit is contained in:
Micha
2026-06-26 10:15:46 +02:00
parent 3956ab7e75
commit a54657a365
15 changed files with 143 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files
ops/borg-ui/BACKUP_SCOPE.md
+15 -10
View File
@@ -49,6 +49,7 @@ The Unraid flash configuration archive is intentional as well and must be treate
| Filebrowser | file-backed state dump + file data | `/local/borg-dumps`, `/local/appdata/filebrowser` |
| InfluxDB 3 Core | file data | `/local/appdata/influxdb3/data`, `/local/appdata/influxdb3/plugins` |
| n8n | SQLite dump + encrypted workflow/credential state | `/local/borg-dumps`, `/local/appdata/n8n/data` |
| Dawarich | PostGIS dump + file data | `/local/borg-dumps`, `/local/appdata/dawarich` |
| Home Assistant | HA-native backup + file state | `/local/appdata/homeassistant`, `/local/services/smart-home-kalli` |
| Smart-Home MQTT / Mosquitto | file data | `/local/appdata/mosquitto/config`, `/local/appdata/mosquitto/data` |
| Zigbee2MQTT (planned) | file data + coordinator state | `/local/appdata/zigbee2mqtt`, `/local/services/smart-home-kalli` |
@@ -79,22 +80,23 @@ Filebrowser serviert `/mnt/user/projekte`, `/mnt/user/documents` und `/mnt/user/
- **`/mnt/user/projekte`** ist aktuell in **keinem** Borg-Scope. Ad-hoc-Dateien, die direkt unter `documents/` oder `photos/` (ausserhalb der genannten App-Ordner) abgelegt werden, ebenfalls nicht.
- Entscheidung Operator offen (Eintrag in `docs/MASTER_TODO.md`): Entweder `projekte` als eigenen read-only Borg-UI-Mount + Quelllisten-Eintrag aufnehmen, oder bewusst als "nur lokal, nicht DR-relevant" bestaetigen. Bis zur Entscheidung gilt: dort liegende Originaldaten sind **nicht** wiederherstellbar.
### Dawarich (Standortdaten) - noch nicht im Scope
### Dawarich (Standortdaten) - repo-seitig verdrahtet, Host-Lauf offen
Dawarich (`apps/dawarich/docker-compose.yml`) speichert hochsensible
Standort-Historie in einer eigenen PostGIS-DB unter
`/mnt/user/appdata/dawarich/{postgres17,redis,shared,public,watched,storage}`.
`docs/SERVICE_CATALOG.md` nennt als Ziel "Tier 2, Borg + `dawarich.dump`", aber:
Repo-seitig ist der Scope jetzt geschlossen:
- Es gibt **keinen** `dawarich`-Eintrag in der Service Inventory oben.
- `pre-backup-dumps.sh` erzeugt **kein** `dawarich.dump` (PostGIS-`pg_dump`).
- Die Quellliste (`all-important-sources.txt`) enthaelt **keinen**
`/local/appdata/dawarich`-Pfad, und Borg-UI mountet ihn nicht.
- `pre-backup-dumps.sh` erzeugt `dawarich.dump` aus `dawarich_db`.
- `all-important-sources.txt` enthaelt `/local/appdata/dawarich`.
- Borg-UI sieht den Pfad ueber den bestehenden read-only Mount
`/mnt/user/appdata:/local/appdata:ro`.
Konsequenz: Standortdaten sind aktuell **nicht** DR-gesichert. Schliessen
(Operator + Host): `dawarich.dump` in `pre-backup-dumps.sh` (PostGIS), Pfad in
Quellliste + Borg-UI-Mount + diese Tabelle aufnehmen, danach `RESTORE_MATRIX.md`
Tier-2-Zeile + Reifegrad ergaenzen. Tracking: `docs/MASTER_TODO.md`.
Offen bleibt der erste Host-Lauf: auf Unraid `pre-backup-dumps.sh` ausfuehren,
Vorhandensein/Frische von `/mnt/user/backups/borg/dumps/latest/dawarich.dump`
pruefen und danach einen Restore-Smoke in einer isolierten PostGIS-17-Instanz
terminieren. Bis dieser Host-Beleg existiert, ist der Status "verdrahtet, noch
nicht restore-validiert".
### Komodo keys
@@ -113,6 +115,7 @@ Production still stores Komodo Core/Periphery keys in the Docker named volume `k
- `mealie`
- `immich`
- `nextcloud`
- `dawarich`
### Other Databases
@@ -129,6 +132,8 @@ Production still stores Komodo Core/Periphery keys in the Docker named volume `k
- `/mnt/user/appdata/mealie/postgres18`
- `/mnt/user/appdata/immich_postgres_vectorchord`
- `/mnt/user/appdata/nextcloud/postgres18`
- `/mnt/user/appdata/dawarich/postgres17`
- `/mnt/user/appdata/dawarich/redis`
- `/mnt/user/appdata/komodo/mongo`
- `/mnt/user/appdata/redis`
- `/mnt/user/appdata/scrutiny/influxdb`
ops/borg-ui/all-important-sources.txt
+1
View File
@@ -21,6 +21,7 @@
/local/appdata/nextcloud/html
/local/nextcloud/data
/local/appdata/n8n/data
/local/appdata/dawarich
/local/appdata/filebrowser
/local/appdata/influxdb3/data
/local/appdata/influxdb3/plugins
ops/borg-ui/scripts/pre-backup-dumps.sh
+9
View File
@@ -314,6 +314,15 @@ main() {
warn "Skipping missing container: nextcloud-postgres"
fi
if need_container "dawarich_db"; then
dawarich_password="$(cat /mnt/user/appdata/secrets/dawarich_postgres_password.txt)"
dawarich_user="$(docker exec dawarich_db sh -lc 'printf "%s" "${POSTGRES_USER:-dawarich}"')"
dawarich_db="$(docker exec dawarich_db sh -lc 'printf "%s" "${POSTGRES_DB:-dawarich_production}"')"
dump_pg_db "dawarich_db" "$dawarich_password" "$dawarich_user" "$dawarich_db" "$LATEST_DIR/dawarich.dump"
else
warn "Skipping missing container: dawarich_db"
fi
# SQLite databases
dump_sqlite_container "gitea" "/data/gitea/gitea.db" "$LATEST_DIR/gitea.sqlite.dump" "/mnt/user/services/gitea/data/gitea/gitea.db"
dump_sqlite_container "vaultwarden" "/data/db.sqlite3" "$LATEST_DIR/vaultwarden.sqlite.dump" "/mnt/user/appdata/vaultwarden/db.sqlite3"
ops/h-drive-nearline/pull-critical-backups.ps1
+2
View File
@@ -43,6 +43,7 @@ $Jobs = @(
ExcludeFiles = @("unraid-flash-config.tar.gz", "unraid-flash-config.tar.gz.sha256", "unraid-flash-config.manifest.txt")
Files = @(
"borg-ui.sqlite",
"dawarich.dump",
"filebrowser.bolt.dump",
"gitea.sqlite.dump",
"grafana.sqlite",
@@ -202,6 +203,7 @@ try {
$lines += "Expected critical artifacts after run:"
$lines += ""
$lines += "- ``borg-dumps/latest/immich.dump``"
$lines += "- ``borg-dumps/latest/dawarich.dump``"
$lines += "- ``borg-dumps/latest/komodo-mongo.archive.gz``"
$lines += "- ``git-bundles/gitea/latest-report.md``"
$lines += "- ``git-bundles/gitea/micha/*.bundle``"
ops/hermes-agent/services.yaml
+61
View File
@@ -318,6 +318,67 @@ services:
first_check: "mealie_internal Netz? Disk-Space?"
notes: "interne DB; mealie_internal Netz"
dawarich_app:
description: Standort-Historie / Google-Timeline-Ersatz
tier: 2
category: app
container_name: dawarich_app
dependencies:
- dawarich_db
- dawarich_redis
- traefik
- authelia
url: https://dawarich.kaleschke.info
dump_file: dawarich.dump
data_paths:
- /mnt/user/appdata/dawarich/public
- /mnt/user/appdata/dawarich/watched
- /mnt/user/appdata/dawarich/storage
first_check: "dawarich_db und dawarich_redis healthy? /api/v1/health ok? Authelia-UI-Router und API-Key-Router getrennt?"
notes: "Standortdaten sind hochsensibel; UI hinter Authelia, API-Key-Ingest-Pfade ohne ForwardAuth; Backup repo-seitig via dawarich.dump + /local/appdata/dawarich verdrahtet"
dawarich_db:
description: Dawarich PostGIS-Datenbank
tier: 2
category: infra
container_name: dawarich_db
dependencies: []
url: null
dump_file: dawarich.dump
data_paths:
- /mnt/user/appdata/dawarich/postgres17
first_check: "backend_net Konnektivitaet? pg_isready im Container? dawarich.dump frisch?"
notes: "PostGIS 17; raw DB nicht primaerer Restore-Weg"
dawarich_redis:
description: Dawarich Cache / Queue-Backend
tier: 2
category: infra
container_name: dawarich_redis
dependencies: []
url: null
dump_file: null
data_paths:
- /mnt/user/appdata/dawarich/redis
first_check: "backend_net Konnektivitaet? redis-cli auth ping?"
notes: "aus DB/Appdaten rekonstruierbar, aber Appdata-Pfad ist im Borg-Scope"
dawarich_sidekiq:
description: Dawarich Hintergrundjobs
tier: 2
category: app
container_name: dawarich_sidekiq
dependencies:
- dawarich_db
- dawarich_redis
- dawarich_app
url: null
dump_file: dawarich.dump
data_paths:
- /mnt/user/appdata/dawarich/storage
first_check: "sidekiq-Prozess laeuft? DB/Redis erreichbar? Metriken auf :9394 erreichbar?"
notes: "nutzt dasselbe Dawarich-Image wie dawarich_app"
mail-archiver:
description: Mail-Archivierung (IMAP)
tier: 2
ops/restore-tests/check-restore-freshness.ps1
+1
View File
@@ -12,6 +12,7 @@ $checks = @(
@{ Name = "mealie.dump"; Path = Join-Path $DumpRoot "mealie.dump" },
@{ Name = "immich.dump"; Path = Join-Path $DumpRoot "immich.dump" },
@{ Name = "nextcloud.dump"; Path = Join-Path $DumpRoot "nextcloud.dump" },
@{ Name = "dawarich.dump"; Path = Join-Path $DumpRoot "dawarich.dump" },
@{ Name = "gitea.sqlite.dump"; Path = Join-Path $DumpRoot "gitea.sqlite.dump" },
@{ Name = "vaultwarden.sqlite.dump"; Path = Join-Path $DumpRoot "vaultwarden.sqlite.dump" },
@{ Name = "n8n.sqlite.dump"; Path = Join-Path $DumpRoot "n8n.sqlite.dump" },
ops/restore-tests/check-restore-freshness.sh
+2 -1
View File
@@ -28,7 +28,7 @@ check_file_age_days() {
# pg_restore --list als billiger Header-Check fuer Custom-Format-Dumps;
# erkennt Korruption, die mit reinem "exists+nonempty" durchrutscht. Wir
# brauchen kein laufendes Postgres; der Check liest nur die Toc-Section.
PG_DUMPS="postgresql17-paperless.dump postgresql17-mailarchiver.dump postgresql17-authelia.dump mealie.dump immich.dump nextcloud.dump"
PG_DUMPS="postgresql17-paperless.dump postgresql17-mailarchiver.dump postgresql17-authelia.dump mealie.dump immich.dump nextcloud.dump dawarich.dump"
is_pg_custom_dump() {
case " $PG_DUMPS " in *" $1 "*) return 0;; *) return 1;; esac
}
@@ -95,6 +95,7 @@ for dump in \
mealie.dump \
immich.dump \
nextcloud.dump \
dawarich.dump \
gitea.sqlite.dump \
vaultwarden.sqlite.dump \
n8n.sqlite.dump \