Add Unraid flash config to Borg preflight

2026-05-25 19:36:16 +02:00
parent 09eeac51e1
commit d50b11784d
10 changed files with 88 additions and 9 deletions
@@ -14,6 +14,10 @@ Fresh dump artifacts are written to:

 Borg UI should include `/local/borg-dumps` as a backup source.

+The dump set also includes `unraid-flash-config.tar.gz`, a host-generated
+archive of `/boot/config` plus checksum and manifest. Treat this archive as
+secret backup material.
+
 ## Notes

 - The script is written for host execution where `docker` is available.
@@ -17,7 +17,7 @@ It should **not** be implemented as a Borg UI inline hook in the current design.
 `pre-borg.sh` currently chains the host-side checks:

 - `services/posture-check/posture-check.sh`
- `ops/borg-ui/scripts/pre-backup-dumps.sh`
+- `ops/borg-ui/scripts/pre-backup-dumps.sh` including the Unraid flash config archive
 - `ops/restore-tests/check-restore-freshness.sh`

 The dump step assumes:
@@ -56,9 +56,10 @@ The intended sequence is:

 1. Host wrapper checks posture.
 2. Host script refreshes `latest` dump artifacts.
-3. Freshness check verifies expected dumps.
-4. Borg UI backs up `/local/borg-dumps` together with the rest of `critical_infra`.
-5. Borg history preserves dump history, so the host only needs to keep the most recent dump set.
+3. Host script writes `unraid-flash-config.tar.gz` plus checksum and manifest into the same dump set.
+4. Freshness check verifies expected dumps and the flash config archive.
+5. Borg UI backs up `/local/borg-dumps` together with the rest of `critical_infra`.
+6. Borg history preserves dump history, so the host only needs to keep the most recent dump set.

 ## Current dump target

@@ -155,6 +155,56 @@ dump_file_copy() {
  atomic_write "$output" "$tmp"
 }

+backup_unraid_flash_config() {
+  output="$LATEST_DIR/unraid-flash-config.tar.gz"
+  checksum="$LATEST_DIR/unraid-flash-config.tar.gz.sha256"
+  manifest="$LATEST_DIR/unraid-flash-config.manifest.txt"
+  tmp="$TMP_DIR/unraid-flash-config.tar.gz.tmp"
+  tmp_checksum="$TMP_DIR/unraid-flash-config.tar.gz.sha256.tmp"
+  tmp_manifest="$TMP_DIR/unraid-flash-config.manifest.txt.tmp"
+
+  if [ ! -d /boot/config ]; then
+    warn "Skipping Unraid flash config backup because /boot/config is missing"
+    return 1
+  fi
+
+  log "Backing up Unraid flash configuration from /boot/config"
+  rm -f "$tmp" "$tmp_checksum" "$tmp_manifest"
+
+  tar -C /boot \
+    --exclude='config/plugins/*/*.txz' \
+    --exclude='config/plugins/*/*.tgz' \
+    --exclude='config/plugins/*/*.tar' \
+    --exclude='config/plugins/*/*.tar.*' \
+    --exclude='config/plugins/*/*.zip' \
+    --exclude='config/plugins/*/*.md5' \
+    -czf "$tmp" config
+  chmod 600 "$tmp"
+  atomic_write "$output" "$tmp"
+
+  (
+    cd "$LATEST_DIR"
+    sha256sum "$(basename "$output")"
+  ) > "$tmp_checksum"
+  chmod 600 "$tmp_checksum"
+  atomic_write "$checksum" "$tmp_checksum"
+
+  {
+    printf 'created_utc=%s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')"
+    printf 'host=%s\n' "$(hostname)"
+    if [ -f /etc/unraid-version ]; then
+      sed 's/^/unraid_/' /etc/unraid-version
+    fi
+    printf 'source=/boot/config\n'
+    printf 'archive=%s\n' "$(basename "$output")"
+    printf 'checksum=%s\n' "$(basename "$checksum")"
+    printf 'note=%s\n' 'Contains Unraid configuration and must be treated as secret backup material.'
+    printf 'excluded=%s\n' 'downloadable plugin package archives under /boot/config/plugins/*/'
+  } > "$tmp_manifest"
+  chmod 600 "$tmp_manifest"
+  atomic_write "$manifest" "$tmp_manifest"
+}
+
 dump_optional_pg_db() {
  container="$1"
  password="$2"
@@ -219,6 +269,8 @@ dump_mongo_container() {
 main() {
  need_cmd docker
  need_cmd sqlite3
+  need_cmd tar
+  need_cmd sha256sum
  ensure_dirs

  # Shared PostgreSQL 17
@@ -272,6 +324,10 @@ main() {
  # MongoDB
  dump_mongo_container "komodo-mongo" "$LATEST_DIR/komodo-mongo.archive.gz"

+  # Unraid USB flash configuration. This is generated into the existing dump
+  # set so Borg carries it off-site together with the database artifacts.
+  backup_unraid_flash_config
+
  log "Finished refreshing dump set in $LATEST_DIR"
 }