Small corrections on top of ab87c0f, found during the first install
on scrum4me-srv (see docs/runbooks/server-backup.md addendum):

- restic-backup.env.example: NAS path → /mnt/nas/backups/restic/scrum4me-srv,
  Forgejo container → scrum4me-forgejo (these were placeholders that did not
  match the actual server state).
- server-backup.service: ReadWritePaths extended with /mnt/nas/backups;
  ProtectSystem=strict otherwise blocked writes to the NAS repo.
  Added RequiresMountsFor=/mnt/nas/backups to trigger the cifs automount
  when the timer fires. Documentation= URL corrected to /srv/scrum4me/.
- server-backup.sh: removed --skip-db from forgejo dump (Forgejo 11.x no
  longer has that flag; the DB is now included in the zip, redundant with
  the separate forgejo_db_dump phase but harmless).
- server-backup.sh: fixed subshell bug in determine_exit_code: it was
  called via $(...), so OVERALL_STATUS did not leak to the parent
  and write_status_json always wrote "unknown".
- restore-test.sh: added --include filter on the assertion paths; a
  full restore (~476 GiB logical) immediately filled up /tmp (7.6 GB tmpfs)
  with 3.3M ENOSPC errors. Now 59 MiB in 10s.
- runbook: paths /srv/ops/repos/... → /srv/scrum4me/ops-dashboard/...,
  <forgejo> placeholders → scrum4me-forgejo, concrete cifs prefixpath
  fstab line in Part A3, and a filled-in addendum with all findings
  from the first install (B2 bucket name ScrumForMeSrvBackup, sudo -E quirk,
  storage-cap incident, dedup figures).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
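
The subshell bug described in the commit message above, as an added example that is not taken from the project's server-backup.sh. The names determine_exit_code, OVERALL_STATUS and write_status_json come from the message; the function bodies, the OVERALL_EXIT variable, the run_buggy/run_fixed wrappers and the "ok"/"failed" values are assumptions.

```shell
#!/bin/sh
# Constructed illustration: why a status variable set inside $(...) never
# reaches the parent shell. Bodies are hypothetical, not the project's code.

OVERALL_STATUS="unknown"
OVERALL_EXIT=0

# Takes per-phase exit codes as arguments (assumed interface). Sets
# OVERALL_STATUS and OVERALL_EXIT as side effects and prints the worst code.
determine_exit_code() {
    worst=0
    for rc in "$@"; do
        if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
    done
    if [ "$worst" -eq 0 ]; then OVERALL_STATUS="ok"; else OVERALL_STATUS="failed"; fi
    OVERALL_EXIT=$worst
    printf '%s\n' "$worst"
}

# Emits the status record that monitoring would read.
write_status_json() {
    printf '{"status":"%s","exit_code":%s}\n' "$OVERALL_STATUS" "$1"
}

# Buggy: command substitution forks a subshell. The printed code comes back,
# but the assignment to OVERALL_STATUS dies with the subshell.
run_buggy() {
    OVERALL_STATUS="unknown"
    code=$(determine_exit_code "$@")
    write_status_json "$code"
}

# Fixed: call the function in the current shell and read the variables it
# set; its stdout is discarded instead of captured.
run_fixed() {
    OVERALL_STATUS="unknown"
    determine_exit_code "$@" >/dev/null
    write_status_json "$OVERALL_EXIT"
}

# Constructed phase results: two phases succeeded, one exited with 3.
run_buggy 0 0 3
run_fixed 0 0 3
```

A failed backup that reports "unknown" looks the same to monitoring as a run that never finished, which is why the status side effect has to happen in the parent shell.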
44 lines
2.3 KiB
Text
# Copy to /etc/restic-backup.env on the host. Permissions: 0600 root:root.
# RESTIC_PASSWORD lives in /etc/restic-backup.password (mode 0400 root:root)
# — the backup script sets RESTIC_PASSWORD_FILE from there, so the password
# never appears in the process listing or this env file.

# ── Restic repositories ────────────────────────────────────────────────────
# Local NAS path (must be mounted before the timer fires; see runbook).
RESTIC_REPO_NAS=/mnt/nas/backups/restic/scrum4me-srv

# Backblaze B2 repo, format: b2:<bucket-name>:<prefix>
# Bucket must have Object Lock (Governance) with default retention >= 30 days.
RESTIC_REPO_B2=b2:scrum4me-srv-backup:scrum4me-srv

# ── Backblaze B2 server key ────────────────────────────────────────────────
# Capabilities REQUIRED: listBuckets, listFiles, readFiles, writeFiles
# Capabilities FORBIDDEN: deleteFiles, deleteKeys, bypassGovernance
# Create with:
#   b2 application-key create \
#     --bucket scrum4me-srv-backup \
#     --name-prefix scrum4me-srv \
#     server-backup-key \
#     listBuckets,listFiles,readFiles,writeFiles
B2_ACCOUNT_ID=REPLACE_WITH_B2_KEY_ID
B2_ACCOUNT_KEY=REPLACE_WITH_B2_APPLICATION_KEY

# ── Forgejo backup target (optional — set to skip if Forgejo not deployed) ─
# Container name as it appears in `docker ps`. Set to "" or comment out to
# skip the Forgejo phases entirely.
FORGEJO_CONTAINER=scrum4me-forgejo
# Path to app.ini INSIDE the Forgejo container (used by `forgejo dump -c`).
FORGEJO_CONFIG=/data/gitea/conf/app.ini
# Postgres database name for Forgejo (empty = use SQLite, skip forgejo_db_dump).
FORGEJO_DB_NAME=forgejo
# Postgres container + role for Forgejo's DB (defaults match scrum4me stack).
FORGEJO_DB_CONTAINER=scrum4me-postgres
FORGEJO_DB_USER=scrum4me

# ── Scrum4Me Postgres (required for postgres_dump phase) ───────────────────
PG_CONTAINER=scrum4me-postgres
PG_DUMPALL_USER=scrum4me

# ── Optional bandwidth limit for restic B2 upload (KiB/s; 0 = unlimited) ──
# Translated by the script into `restic --limit-upload "$BACKUP_LIMIT_UPLOAD_KIB"`.
# BACKUP_LIMIT_UPLOAD_KIB=5000