Adds a server-wide backup capability beyond the existing ops_dashboard
pg_dump flow:
- Daily systemd timer (03:30) runs pg_dumpall + Forgejo dump, then restic
to a local NAS repo and an offsite Backblaze B2 repo with Object Lock.
Phase-based script with single-instance flock, structured statusfile,
systemd hardening, and live-datadir excludes (Postgres / Forgejo) so
the dumps stay authoritative.
- Ops-agent gets nine new read-only/trigger commands (snapshots, stats,
status, logs, plus two triggers) backed by sudoers-whitelisted wrapper
scripts that source /etc/restic-backup.env so the agent never sees the
restic password or B2 keys.
- Two new flows (server_backup_full, server_backup_restore_test) drive
the dashboard's "Backup now" and "Restore test" buttons.
- /settings/backups gains a Server backup section with overall + per-phase
status, NAS / B2 snapshot tables, restore-size / raw-data / dedup-ratio
stats, and the last restore-test result. The existing pg_dump section
is preserved unchanged.
- Runbook docs/runbooks/server-backup.md follows the tailscale-setup
pattern (plan + addendum) and covers B2 Object Lock + scoped keys,
Forgejo subplan with isolated restore-test stack, the off-server
maintenance flow for B2 prune, and the integrity-check schedule.
Code-only change — installation on scrum4me-srv follows the runbook.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
`npm ci --omit=dev` voor `npx tsc` faalde omdat TypeScript in
devDependencies zit. npx probeerde de typo-squatter `tsc@2.0.4` te
installeren. Nu: volledige install → tsc → prune --omit=dev voor
slanke runtime.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds pg_dump_ops_db, list_ops_backups, and cleanup_ops_backups to the
agent command whitelist. Includes a backup_ops_db flow YAML (dump +
30-day retention), and a systemd service/timer for daily automated
backups at 02:00.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
/etc/sudoers.d/ops-agent grants NOPASSWD to ops-agent for the exact
systemctl restart invocations whitelisted in commands.yml.
setup.sh installs and validates it via visudo -c.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- ops-agent/src/auth.ts: constant-time compare via timingSafeEqual to prevent timing attacks; store secret as Buffer
- ops-agent/src/index.ts + ops-agent.service: bind on 127.0.0.1:3099 (was 4242, per plan)
- app/api/agent/[...path]/route.ts: Next.js proxy route that verifies ops_session cookie then forwards requests to agent with Authorization: Bearer <secret>
- .env.example + deploy/ops-dashboard.env.example: add OPS_AGENT_SECRET and OPS_AGENT_URL
- README.md: rotation procedure for the shared secret
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
