fix(restore): harden restore checks and add authelia smoke scaffold
@@ -25,6 +25,65 @@ check_file_age_days() {
|
||||
echo $(( (now_epoch - mtime) / 86400 ))
|
||||
}
|
||||
|
||||
# pg_restore --list als billiger Header-Check fuer Custom-Format-Dumps;
|
||||
# erkennt Korruption, die mit reinem "exists+nonempty" durchrutscht. Wir
|
||||
# brauchen kein laufendes Postgres; der Check liest nur die Toc-Section.
|
||||
PG_DUMPS="postgresql17-paperless.dump postgresql17-mailarchiver.dump postgresql17-authelia.dump mealie.dump immich.dump nextcloud.dump"
|
||||
is_pg_custom_dump() {
|
||||
case " $PG_DUMPS " in *" $1 "*) return 0;; *) return 1;; esac
|
||||
}
|
||||
|
||||
pg_header_ok() {
|
||||
local path="$1"
|
||||
if ! command -v pg_restore >/dev/null 2>&1; then
|
||||
# ohne Host-pg_restore: in laufendem Postgres-Container probieren
|
||||
if command -v docker >/dev/null 2>&1 && docker inspect postgresql17 >/dev/null 2>&1; then
|
||||
docker exec -i postgresql17 pg_restore --list </"$path" >/dev/null 2>&1 && return 0
|
||||
fi
|
||||
return 2 # nicht pruefbar
|
||||
fi
|
||||
pg_restore --list "$path" >/dev/null 2>&1
|
||||
}
|
||||
|
||||
check_pg_header() {
|
||||
local dump="$1"
|
||||
local path="$2"
|
||||
local age="$3"
|
||||
local missing_mode="${4:-critical}"
|
||||
|
||||
if [ ! -f "$path" ]; then
|
||||
if [ "$missing_mode" = "optional" ]; then
|
||||
info+=("DUMP_OPTIONAL_MISSING $dump")
|
||||
else
|
||||
critical+=("DUMP_MISSING $dump")
|
||||
fi
|
||||
return
|
||||
fi
|
||||
if [ ! -s "$path" ]; then
|
||||
critical+=("DUMP_EMPTY $dump")
|
||||
return
|
||||
fi
|
||||
if [ "$age" -gt "$MAX_DUMP_AGE_HOURS" ]; then
|
||||
if [ "$missing_mode" = "optional" ]; then
|
||||
warnings+=("DUMP_OPTIONAL_STALE $dump age=${age}h")
|
||||
else
|
||||
critical+=("DUMP_STALE $dump age=${age}h")
|
||||
fi
|
||||
return
|
||||
fi
|
||||
|
||||
if pg_header_ok "$path"; then
|
||||
rc=0
|
||||
else
|
||||
rc=$?
|
||||
fi
|
||||
case "$rc" in
|
||||
0) info+=("DUMP_OK $dump age=${age}h header=ok") ;;
|
||||
1) critical+=("DUMP_HEADER_INVALID $dump (pg_restore --list failed)") ;;
|
||||
2) info+=("DUMP_OK $dump age=${age}h header=unchecked") ;;
|
||||
esac
|
||||
}
|
||||
|
||||
for dump in \
|
||||
postgresql17-paperless.dump \
|
||||
postgresql17-mailarchiver.dump \
|
||||
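Review bot: The docker fallback in `pg_header_ok` fails open: when `docker exec … pg_restore --list` rejects the dump, control falls through to `return 2`, so `check_pg_header` records `DUMP_OK … header=unchecked` at info level for exactly the dump this check was meant to flag. Return 1 when pg_restore ran in the container and failed, and keep 2 for the case where no pg_restore could be run. Since `docker inspect` also succeeds for a stopped container, the fallback should test the running state first. In `check_pg_header`, `rc` is not declared `local` and the `case` has no `*)` arm, so any other exit status leaves the dump out of the report entirely; an unverified header would also fit better in `warnings` than in `info`. The redirect `</"$path"` opens `/$path`, which presumably works only because the path is absolute; `<"$path"` looks like what is intended.

```shell
pg_header_ok() {
  local path="$1"
  if ! command -v pg_restore >/dev/null 2>&1; then
    # only fall back to the container when it is actually running
    if command -v docker >/dev/null 2>&1 \
      && [ "$(docker inspect -f '{{.State.Running}}' postgresql17 2>/dev/null)" = "true" ]; then
      docker exec -i postgresql17 pg_restore --list <"$path" >/dev/null 2>&1 && return 0
      return 1 # pg_restore ran in the container and rejected the dump
    fi
    return 2 # no pg_restore available: not verifiable
  fi
  # … unchanged: host pg_restore --list call …

# … unchanged: check_pg_header existence, size and age checks …
  local rc=0
  pg_header_ok "$path" || rc=$?
  case "$rc" in
    # … unchanged: arms 0, 1 and 2 …
    *) critical+=("DUMP_HEADER_INVALID $dump (pg_restore --list rc=$rc)") ;;
  esac
```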
@@ -48,11 +107,24 @@ for dump in \
|
||||
age="$(check_file_age_hours "$path")"
|
||||
if [ "$age" -gt "$MAX_DUMP_AGE_HOURS" ]; then
|
||||
critical+=("DUMP_STALE $dump age=${age}h")
|
||||
continue
|
||||
fi
|
||||
|
||||
if is_pg_custom_dump "$dump"; then
|
||||
check_pg_header "$dump" "$path" "$age"
|
||||
else
|
||||
info+=("DUMP_OK $dump age=${age}h")
|
||||
fi
|
||||
done
|
||||
|
||||
optional_dump="postgresql17-authelia.dump"
|
||||
optional_path="$DUMP_ROOT/$optional_dump"
|
||||
optional_age=0
|
||||
if [ -f "$optional_path" ]; then
|
||||
optional_age="$(check_file_age_hours "$optional_path")"
|
||||
fi
|
||||
check_pg_header "$optional_dump" "$optional_path" "$optional_age" optional
|
||||
|
||||
for service in vaultwarden gitea paperless; do
|
||||
if [ ! -d "$REPORT_ROOT" ]; then
|
||||
warnings+=("REPORT_ROOT_MISSING $REPORT_ROOT")
|
||||
|
||||
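Review bot: Whether a dump gets the header check now depends on its name appearing in `PG_DUMPS` as well as in this loop's hard-coded list, so a PostgreSQL dump added to the loop alone drops silently into the `else` branch and is reported as `DUMP_OK` on age only. Driving the loop from one list, or a comment at `PG_DUMPS` saying both lists must be edited together, would prevent that drift. The loop's stale check and `continue` duplicate what `check_pg_header` already does for the same file, which is harmless but leaves two places to keep consistent. For the Authelia dump a missing file is only `info`; assuming the optional mode is meant to be temporary, a comment such as `# optional until authelia is in production; then switch to critical` would document when that should change. The `for service` loop continues outside the hunk.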