feat(backup): Off-Site-Upload nach S3 + SFTP

Schutz gegen Box-Total-Loss — lokale Backups in /var/backups/edgeguard
helfen nicht, wenn die Disk stirbt oder die Box brennt. Nach jedem
erfolgreichen lokalen Backup wird die tar.gz an alle aktiven
Off-Site-Ziele hochgeladen.

Migration 0022: backup_remotes (kind=s3|sftp, target_url, settings
JSONB, active, last_upload_at, last_error) + backups.remote_uploads
JSONB (per-Target-Result).

internal/services/backup/remote/:
  - UploadAll() — pro aktivem Target ein Upload, Failures non-fatal
  - S3 via minio-go/v7 — funktioniert mit AWS, MinIO, Backblaze B2,
    Cloudflare R2, Hetzner Object Storage (alle S3-API-kompatibel)
  - SFTP via golang.org/x/crypto/ssh + pkg/sftp. Password + Private-
    Key (OpenSSH, base64-encoded) als Auth. Optional host_key_
    fingerprint-Pinning (SHA256:...); leer = TOFU (unsicher vs MitM,
    OK für initial setup).
  - Test() lädt eine 1KB-Probe + löscht sie wieder — Operator-UI hat
    einen „Verbindung testen"-Button.

backup.Service.RemoteUploader-Interface: nach erfolgreichem
recordSuccess() läuft UploadAll, Results landen in backups.remote_
uploads JSONB. last_upload_at/last_error in backup_remotes pro Target
gepflegt. API + Scheduler injizieren beide den Adapter.

internal/handlers/backup_remotes.go: CRUD + POST /:id/test. Sensitive
Felder (secret_key, password, private_key) werden in GET-Responses
durch ***SET*** maskiert; UpdateChannel merged das zurück damit der
Operator bei Edit ohne Re-Eingabe speichern kann.

UI: Backups-Page jetzt mit Tabs "Sicherungen" + "Off-Site-Ziele".
Tab 2 hat CRUD-Tabelle mit kind-konditionalem Form (S3-Felder oder
SFTP-Felder), Test-Button pro Row, last_upload-Status mit FAIL-Tag
bei Errors.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

internal/database/migrations/0022_backup_remotes.sql

@@ -0,0 +1,44 @@
+-- +goose Up
+-- +goose StatementBegin
+
+-- Off-Site-Backup-Targets. Nach erfolgreichem lokalen Backup wird der
+-- tarball in jeden aktiven Target hochgeladen. Schutz gegen Total-
+-- Loss (Box brennt, Dump-Disk fällt aus, etc.).
+--
+-- kind:
+--   s3   — beliebige S3-API: AWS, MinIO, Backblaze B2, Cloudflare R2,
+--          Hetzner Object Storage. settings: endpoint, region, bucket,
+--          access_key, secret_key, path_prefix, use_ssl.
+--   sftp — klassisches SSH/SFTP. settings: host, port, username,
+--          password ODER private_key (base64), remote_dir,
+--          host_key_fingerprint (sha256:..., optional).
+
+CREATE TABLE IF NOT EXISTS backup_remotes (
+    id              BIGSERIAL PRIMARY KEY,
+    name            TEXT NOT NULL UNIQUE,
+    kind            TEXT NOT NULL,
+    target_url      TEXT NOT NULL,         -- s3://bucket bzw. sftp://user@host:port
+    settings        JSONB NOT NULL DEFAULT '{}'::jsonb,
+    active          BOOLEAN NOT NULL DEFAULT TRUE,
+    last_upload_at  TIMESTAMPTZ,
+    last_error      TEXT,
+    created_at      TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated_at      TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    CONSTRAINT backup_remotes_kind_check CHECK (kind IN ('s3', 'sftp'))
+);
+
+CREATE INDEX IF NOT EXISTS idx_backup_remotes_active
+    ON backup_remotes (active) WHERE active;
+
+-- Pro Backup: Liste der Upload-Versuche als JSONB. Format:
+-- [{remote_id, remote_name, ok, size, duration_ms, error}, ...]
+ALTER TABLE backups
+    ADD COLUMN IF NOT EXISTS remote_uploads JSONB NOT NULL DEFAULT '[]'::jsonb;
+
+-- +goose StatementEnd
+
+-- +goose Down
+-- +goose StatementBegin
+ALTER TABLE backups DROP COLUMN IF EXISTS remote_uploads;
+DROP TABLE IF EXISTS backup_remotes;
+-- +goose StatementEnd

internal/handlers/backup_remotes.go

@@ -0,0 +1,272 @@
+package handlers
+
+import (
+	"encoding/json"
+	"errors"
+	"net/http"
+	"strconv"
+	"time"
+
+	"github.com/gin-gonic/gin"
+	"github.com/jackc/pgx/v5"
+	"github.com/jackc/pgx/v5/pgxpool"
+
+	"git.netcell-it.de/projekte/edgeguard-native/internal/handlers/response"
+	"git.netcell-it.de/projekte/edgeguard-native/internal/services/audit"
+	"git.netcell-it.de/projekte/edgeguard-native/internal/services/backup/remote"
+)
+
+// BackupRemotesHandler exposes:
+//
+//	GET    /api/v1/backup-remotes
+//	POST   /api/v1/backup-remotes
+//	PUT    /api/v1/backup-remotes/:id
+//	DELETE /api/v1/backup-remotes/:id
+//	POST   /api/v1/backup-remotes/:id/test
+type BackupRemotesHandler struct {
+	Pool   *pgxpool.Pool
+	Svc    *remote.Service
+	Audit  *audit.Repo
+	NodeID string
+}
+
+func NewBackupRemotesHandler(pool *pgxpool.Pool, a *audit.Repo, nodeID string) *BackupRemotesHandler {
+	return &BackupRemotesHandler{Pool: pool, Svc: remote.New(pool), Audit: a, NodeID: nodeID}
+}
+
+func (h *BackupRemotesHandler) Register(rg *gin.RouterGroup) {
+	g := rg.Group("/backup-remotes")
+	g.GET("", h.List)
+	g.POST("", h.Create)
+	g.PUT("/:id", h.Update)
+	g.DELETE("/:id", h.Delete)
+	g.POST("/:id/test", h.Test)
+}
+
+type remoteRow struct {
+	ID         int64           `json:"id"`
+	Name       string          `json:"name"`
+	Kind       string          `json:"kind"`
+	TargetURL  string          `json:"target_url"`
+	Settings   json.RawMessage `json:"settings"`
+	Active     bool            `json:"active"`
+	LastUpload *time.Time      `json:"last_upload_at,omitempty"`
+	LastError  *string         `json:"last_error,omitempty"`
+	CreatedAt  time.Time       `json:"created_at"`
+	UpdatedAt  time.Time       `json:"updated_at"`
+}
+
+const remoteSelect = `
+SELECT id, name, kind, target_url, settings, active, last_upload_at, last_error,
+       created_at, updated_at
+FROM backup_remotes`
+
+func (h *BackupRemotesHandler) List(c *gin.Context) {
+	rows, err := h.Pool.Query(c.Request.Context(), remoteSelect+" ORDER BY id ASC")
+	if err != nil {
+		response.Internal(c, err)
+		return
+	}
+	defer rows.Close()
+	out := []remoteRow{}
+	for rows.Next() {
+		var r remoteRow
+		if err := rows.Scan(&r.ID, &r.Name, &r.Kind, &r.TargetURL,
+			&r.Settings, &r.Active, &r.LastUpload, &r.LastError,
+			&r.CreatedAt, &r.UpdatedAt); err != nil {
+			response.Internal(c, err)
+			return
+		}
+		// Sensitive Felder maskieren in der List-Response — Operator
+		// soll nicht versehentlich beim Screenshare den S3-SecretKey
+		// preisgeben. Edit-Modal verwendet einen separaten endpoint
+		// nicht (UI darf das masked-Settings nicht zurückschreiben).
+		r.Settings = maskSecrets(r.Settings)
+		out = append(out, r)
+	}
+	response.OK(c, gin.H{"remotes": out})
+}
+
+func (h *BackupRemotesHandler) Create(c *gin.Context) {
+	var req remoteRow
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, err)
+		return
+	}
+	if req.Settings == nil || len(req.Settings) == 0 {
+		req.Settings = json.RawMessage(`{}`)
+	}
+	row := h.Pool.QueryRow(c.Request.Context(), `
+INSERT INTO backup_remotes (name, kind, target_url, settings, active)
+VALUES ($1, $2, $3, $4, $5)
+RETURNING `+remoteSelectFields(),
+		req.Name, req.Kind, req.TargetURL, req.Settings, req.Active)
+	var out remoteRow
+	if err := row.Scan(&out.ID, &out.Name, &out.Kind, &out.TargetURL,
+		&out.Settings, &out.Active, &out.LastUpload, &out.LastError,
+		&out.CreatedAt, &out.UpdatedAt); err != nil {
+		response.Internal(c, err)
+		return
+	}
+	_ = h.Audit.Log(c.Request.Context(), actorOf(c), "backup.remote.create",
+		out.Name, gin.H{"id": out.ID, "kind": out.Kind}, h.NodeID)
+	out.Settings = maskSecrets(out.Settings)
+	response.Created(c, out)
+}
+
+func (h *BackupRemotesHandler) Update(c *gin.Context) {
+	id, ok := parseID(c)
+	if !ok {
+		return
+	}
+	var req remoteRow
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, err)
+		return
+	}
+	if req.Settings == nil || len(req.Settings) == 0 {
+		req.Settings = json.RawMessage(`{}`)
+	}
+	// Wenn die Settings masked-Fields enthalten (***), übernehmen wir
+	// die bestehenden Werte aus der DB — Operator kann das Modal mit
+	// Settings öffnen, einen Klick speichern, ohne sein S3-Secret neu
+	// eingeben zu müssen.
+	merged, err := mergeMaskedSettings(c.Request.Context(), h.Pool, id, req.Settings)
+	if err == nil {
+		req.Settings = merged
+	}
+	row := h.Pool.QueryRow(c.Request.Context(), `
+UPDATE backup_remotes SET
+   name = $1, kind = $2, target_url = $3, settings = $4, active = $5,
+   updated_at = NOW()
+WHERE id = $6
+RETURNING `+remoteSelectFields(),
+		req.Name, req.Kind, req.TargetURL, req.Settings, req.Active, id)
+	var out remoteRow
+	if err := row.Scan(&out.ID, &out.Name, &out.Kind, &out.TargetURL,
+		&out.Settings, &out.Active, &out.LastUpload, &out.LastError,
+		&out.CreatedAt, &out.UpdatedAt); err != nil {
+		if errors.Is(err, pgx.ErrNoRows) {
+			response.NotFound(c, err)
+			return
+		}
+		response.Internal(c, err)
+		return
+	}
+	_ = h.Audit.Log(c.Request.Context(), actorOf(c), "backup.remote.update",
+		out.Name, gin.H{"id": id}, h.NodeID)
+	out.Settings = maskSecrets(out.Settings)
+	response.OK(c, out)
+}
+
+func (h *BackupRemotesHandler) Delete(c *gin.Context) {
+	id, ok := parseID(c)
+	if !ok {
+		return
+	}
+	if _, err := h.Pool.Exec(c.Request.Context(),
+		`DELETE FROM backup_remotes WHERE id = $1`, id); err != nil {
+		response.Internal(c, err)
+		return
+	}
+	_ = h.Audit.Log(c.Request.Context(), actorOf(c), "backup.remote.delete",
+		strconv.FormatInt(id, 10), gin.H{"id": id}, h.NodeID)
+	response.NoContent(c)
+}
+
+// Test schickt eine 1KB-Probe in den Target. Failures = Misconfig.
+func (h *BackupRemotesHandler) Test(c *gin.Context) {
+	id, ok := parseID(c)
+	if !ok {
+		return
+	}
+	var t remote.Target
+	err := h.Pool.QueryRow(c.Request.Context(), `
+SELECT id, name, kind, target_url, settings, active, last_upload_at, last_error
+FROM backup_remotes WHERE id = $1`, id).Scan(
+		&t.ID, &t.Name, &t.Kind, &t.TargetURL, &t.Settings, &t.Active,
+		&t.LastUpload, &t.LastError)
+	if err != nil {
+		response.NotFound(c, err)
+		return
+	}
+	if err := h.Svc.Test(c.Request.Context(), t); err != nil {
+		response.Err(c, http.StatusBadGateway, err)
+		return
+	}
+	response.OK(c, gin.H{"ok": true})
+}
+
+func remoteSelectFields() string {
+	return `id, name, kind, target_url, settings, active,
+        last_upload_at, last_error, created_at, updated_at`
+}
+
+// maskSecrets ersetzt sensitive Felder in settings-JSON durch ***SET***
+// damit GET /backup-remotes nichts leakt (Screenshare, Browser-Cache,
+// Browser-DevTools).
+func maskSecrets(raw json.RawMessage) json.RawMessage {
+	if len(raw) == 0 {
+		return raw
+	}
+	var m map[string]any
+	if err := json.Unmarshal(raw, &m); err != nil {
+		return raw
+	}
+	for _, k := range []string{"secret_key", "password", "private_key"} {
+		if v, ok := m[k]; ok {
+			if s, isStr := v.(string); isStr && s != "" {
+				m[k] = "***SET***"
+			}
+		}
+	}
+	b, err := json.Marshal(m)
+	if err != nil {
+		return raw
+	}
+	return b
+}
+
+// mergeMaskedSettings: wenn der Operator das Edit-Modal speichert ohne
+// die secret-Felder neu zu setzen, schickt das UI ***SET*** zurück —
+// wir lassen dann den DB-Wert stehen statt das Secret zu überschreiben.
+func mergeMaskedSettings(ctx pgxContext, pool *pgxpool.Pool, id int64,
+	incoming json.RawMessage) (json.RawMessage, error) {
+	var current json.RawMessage
+	if err := pool.QueryRow(ctx, `SELECT settings FROM backup_remotes WHERE id = $1`, id).
+		Scan(&current); err != nil {
+		return incoming, err
+	}
+	var cur, inc map[string]any
+	if err := json.Unmarshal(current, &cur); err != nil {
+		return incoming, nil
+	}
+	if err := json.Unmarshal(incoming, &inc); err != nil {
+		return incoming, nil
+	}
+	for _, k := range []string{"secret_key", "password", "private_key"} {
+		if v, ok := inc[k]; ok {
+			if s, isStr := v.(string); isStr && s == "***SET***" {
+				if cv, hasCur := cur[k]; hasCur {
+					inc[k] = cv
+				} else {
+					delete(inc, k)
+				}
+			}
+		}
+	}
+	b, err := json.Marshal(inc)
+	if err != nil {
+		return incoming, err
+	}
+	return b, nil
+}
+
+// pgxContext-Alias damit die Helper-Funktion keinen direkten context-
+// Import oben braucht.
+type pgxContext = interface {
+	Done() <-chan struct{}
+	Err() error
+	Deadline() (time.Time, bool)
+	Value(any) any
+}

internal/services/backup/backup.go

@@ -68,6 +68,7 @@ type Result struct {
 	StartedAt     time.Time
 	FinishedAt    time.Time
 	Error         error
+	RemoteUploads []RemoteResult
 }
 
 // Manifest ist der content von manifest.json im tarball.
@@ -80,6 +81,39 @@ type Manifest struct {
 	FilesBytes    int64     `json:"files_bytes"`
 }
 
+// RemoteUploader ist das Service-Interface das nach erfolgreichem
+// Backup die tar.gz in Off-Site-Targets (S3/SFTP) hochlädt. Wird im
+// Konstruktor optional gesetzt; nil = kein Off-Site.
+type RemoteUploader interface {
+	UploadAll(ctx context.Context, localPath string) ([]RemoteUploadInfo, error)
+}
+
+// RemoteUploadInfo ist die minimale Sicht die der Service braucht.
+// remote.UploadResult passt direkt rein.
+type RemoteUploadInfo = remoteUploadResult
+
+// remoteUploadResult ist das Struct das remote.UploadResult spiegelt
+// (separate Datei um Import-Cycle zu vermeiden). Die remote/-Package
+// implementiert RemoteUploader.
+type remoteUploadResult struct {
+	RemoteID   int64
+	RemoteName string
+	OK         bool
+	SizeBytes  int64
+	DurationMs int64
+	Error      string
+}
+
+// RemoteResult ist die UI-Sicht, eine Liste davon landet im Result
+// der Run()-Methode.
+type RemoteResult struct {
+	Name       string `json:"name"`
+	OK         bool   `json:"ok"`
+	Bytes      int64  `json:"bytes,omitempty"`
+	DurationMs int64  `json:"duration_ms,omitempty"`
+	Error      string `json:"error,omitempty"`
+}
+
 // Service bündelt Backup + Restore + Retention. Stateless — alle
 // Konfig kommt als Konstruktor-Param + Methode-Param.
 type Service struct {
@@ -92,6 +126,10 @@ type Service struct {
 	// Tests einen fake-binary einschleusen.
 	PGDumpCmd  func(ctx context.Context, w io.Writer) (int64, error)
 	NowFn      func() time.Time
+
+	// RemoteUploader: nach erfolgreichem Backup wird das tarball in
+	// alle aktiven backup_remotes hochgeladen. nil = kein Off-Site.
+	RemoteUploader RemoteUploader
 }
 
 func New(pool *pgxpool.Pool) *Service {
@@ -217,6 +255,25 @@ func (s *Service) Run(ctx context.Context, kind Kind, version string) (*Result,
 		// arbeitet nur über DB-Rows).
 		return res, fmt.Errorf("db record: %w", err)
 	}
+	// Off-Site-Uploads. Failures hier sind nicht-fatal — das lokale
+	// Backup ist erfolgreich, Operator sieht in der UI welcher Target
+	// erfolgreich war + welcher nicht. RemoteUploader ist optional;
+	// wenn nicht injiziert, läuft kein Off-Site.
+	if s.RemoteUploader != nil {
+		uploads, _ := s.RemoteUploader.UploadAll(ctx, outPath)
+		if len(uploads) > 0 {
+			jsonBytes, _ := json.Marshal(uploads)
+			_, _ = s.Pool.Exec(ctx,
+				`UPDATE backups SET remote_uploads = $1 WHERE id = $2`,
+				jsonBytes, res.ID)
+			for _, u := range uploads {
+				res.RemoteUploads = append(res.RemoteUploads, RemoteResult{
+					Name: u.RemoteName, OK: u.OK, Bytes: u.SizeBytes,
+					DurationMs: u.DurationMs, Error: u.Error,
+				})
+			}
+		}
+	}
 	return res, nil
 }
 

internal/services/backup/remote/remote.go

@@ -0,0 +1,342 @@
+// Package remote uploads Backup-Tarballs in Off-Site-Targets (S3 +
+// SFTP). Wird vom backup.Service nach erfolgreichem Local-Backup
+// aufgerufen, einmal pro aktivem backup_remotes-Eintrag.
+package remote
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"net"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"github.com/jackc/pgx/v5/pgxpool"
+	"github.com/minio/minio-go/v7"
+	miniocred "github.com/minio/minio-go/v7/pkg/credentials"
+	"github.com/pkg/sftp"
+	"golang.org/x/crypto/ssh"
+)
+
+type Kind string
+
+const (
+	KindS3   Kind = "s3"
+	KindSFTP Kind = "sftp"
+)
+
+// Target ist eine Row aus backup_remotes.
+type Target struct {
+	ID         int64           `json:"id"`
+	Name       string          `json:"name"`
+	Kind       Kind            `json:"kind"`
+	TargetURL  string          `json:"target_url"`
+	Settings   json.RawMessage `json:"settings"`
+	Active     bool            `json:"active"`
+	LastUpload *time.Time      `json:"last_upload_at,omitempty"`
+	LastError  *string         `json:"last_error,omitempty"`
+}
+
+// S3Settings: alle minio-go-Config-Felder. Funktioniert mit AWS S3,
+// MinIO, Backblaze B2, Cloudflare R2, Hetzner Object Storage.
+type S3Settings struct {
+	Endpoint   string `json:"endpoint"`     // s3.amazonaws.com / minio.example.com:9000
+	Region     string `json:"region"`       // "eu-central-1" / "auto" (R2)
+	Bucket     string `json:"bucket"`
+	AccessKey  string `json:"access_key"`
+	SecretKey  string `json:"secret_key"`
+	PathPrefix string `json:"path_prefix"`  // "edgeguard/utm-1/" — vor jedem Filename
+	UseSSL     bool   `json:"use_ssl"`
+}
+
+// SFTPSettings — klassisches SSH/SFTP.
+type SFTPSettings struct {
+	Host                 string `json:"host"`
+	Port                 int    `json:"port"`
+	Username             string `json:"username"`
+	Password             string `json:"password,omitempty"`
+	PrivateKeyB64        string `json:"private_key,omitempty"`         // OpenSSH-Privkey, base64
+	RemoteDir            string `json:"remote_dir"`                    // /var/backups/edgeguard
+	HostKeyFingerprint   string `json:"host_key_fingerprint,omitempty"` // "SHA256:..." optional
+}
+
+// UploadResult landet pro Target in backups.remote_uploads.
+type UploadResult struct {
+	RemoteID   int64  `json:"remote_id"`
+	RemoteName string `json:"remote_name"`
+	OK         bool   `json:"ok"`
+	SizeBytes  int64  `json:"size,omitempty"`
+	DurationMs int64  `json:"duration_ms"`
+	Error      string `json:"error,omitempty"`
+}
+
+type Service struct {
+	Pool *pgxpool.Pool
+}
+
+func New(pool *pgxpool.Pool) *Service { return &Service{Pool: pool} }
+
+// ListActive holt alle aktiven Targets.
+func (s *Service) ListActive(ctx context.Context) ([]Target, error) {
+	rows, err := s.Pool.Query(ctx, `
+SELECT id, name, kind, target_url, settings, active, last_upload_at, last_error
+FROM backup_remotes WHERE active = TRUE ORDER BY id ASC`)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	out := []Target{}
+	for rows.Next() {
+		var t Target
+		if err := rows.Scan(&t.ID, &t.Name, &t.Kind, &t.TargetURL,
+			&t.Settings, &t.Active, &t.LastUpload, &t.LastError); err != nil {
+			return nil, err
+		}
+		out = append(out, t)
+	}
+	return out, rows.Err()
+}
+
+// UploadAll lädt das File in alle aktiven Targets. Eine Upload-Failure
+// blockiert nicht die anderen. Returns Result-Liste pro Target.
+func (s *Service) UploadAll(ctx context.Context, localPath string) ([]UploadResult, error) {
+	targets, err := s.ListActive(ctx)
+	if err != nil {
+		return nil, err
+	}
+	out := make([]UploadResult, 0, len(targets))
+	for _, t := range targets {
+		r := s.uploadOne(ctx, t, localPath)
+		out = append(out, r)
+		// last_upload_at / last_error in backup_remotes pflegen.
+		s.markResult(ctx, t.ID, r)
+	}
+	return out, nil
+}
+
+func (s *Service) markResult(ctx context.Context, id int64, r UploadResult) {
+	if r.OK {
+		_, _ = s.Pool.Exec(ctx, `
+UPDATE backup_remotes SET last_upload_at = NOW(), last_error = NULL, updated_at = NOW()
+WHERE id = $1`, id)
+	} else {
+		_, _ = s.Pool.Exec(ctx, `
+UPDATE backup_remotes SET last_error = $1, updated_at = NOW() WHERE id = $2`,
+			r.Error, id)
+	}
+}
+
+func (s *Service) uploadOne(ctx context.Context, t Target, localPath string) UploadResult {
+	start := time.Now()
+	r := UploadResult{RemoteID: t.ID, RemoteName: t.Name}
+	var err error
+	switch t.Kind {
+	case KindS3:
+		var settings S3Settings
+		if e := json.Unmarshal(t.Settings, &settings); e != nil {
+			err = fmt.Errorf("parse s3 settings: %w", e)
+			break
+		}
+		r.SizeBytes, err = uploadS3(ctx, settings, localPath)
+	case KindSFTP:
+		var settings SFTPSettings
+		if e := json.Unmarshal(t.Settings, &settings); e != nil {
+			err = fmt.Errorf("parse sftp settings: %w", e)
+			break
+		}
+		r.SizeBytes, err = uploadSFTP(ctx, settings, localPath)
+	default:
+		err = fmt.Errorf("unknown kind: %s", t.Kind)
+	}
+	r.DurationMs = time.Since(start).Milliseconds()
+	if err != nil {
+		r.OK = false
+		r.Error = err.Error()
+	} else {
+		r.OK = true
+	}
+	return r
+}
+
+// uploadS3 mit minio-go. Funktioniert mit jeder S3-API.
+func uploadS3(ctx context.Context, s S3Settings, localPath string) (int64, error) {
+	if s.Endpoint == "" || s.Bucket == "" || s.AccessKey == "" || s.SecretKey == "" {
+		return 0, errors.New("s3 settings incomplete (endpoint/bucket/access_key/secret_key required)")
+	}
+	cl, err := minio.New(s.Endpoint, &minio.Options{
+		Creds:  miniocred.NewStaticV4(s.AccessKey, s.SecretKey, ""),
+		Secure: s.UseSSL,
+		Region: s.Region,
+	})
+	if err != nil {
+		return 0, fmt.Errorf("minio client: %w", err)
+	}
+	f, err := os.Open(localPath)
+	if err != nil {
+		return 0, err
+	}
+	defer f.Close()
+	stat, err := f.Stat()
+	if err != nil {
+		return 0, err
+	}
+	objName := filepath.Base(localPath)
+	if s.PathPrefix != "" {
+		objName = strings.TrimRight(s.PathPrefix, "/") + "/" + objName
+	}
+	info, err := cl.PutObject(ctx, s.Bucket, objName, f, stat.Size(),
+		minio.PutObjectOptions{ContentType: "application/gzip"})
+	if err != nil {
+		return 0, fmt.Errorf("put: %w", err)
+	}
+	return info.Size, nil
+}
+
+// uploadSFTP — ssh dial + sftp client + Write. Verifiziert Host-Key
+// gegen settings.host_key_fingerprint wenn gesetzt (SHA256:...).
+func uploadSFTP(ctx context.Context, s SFTPSettings, localPath string) (int64, error) {
+	if s.Host == "" || s.Port == 0 || s.Username == "" || s.RemoteDir == "" {
+		return 0, errors.New("sftp settings incomplete (host/port/username/remote_dir required)")
+	}
+	var authMethods []ssh.AuthMethod
+	if s.Password != "" {
+		authMethods = append(authMethods, ssh.Password(s.Password))
+	}
+	if s.PrivateKeyB64 != "" {
+		keyBytes, err := base64.StdEncoding.DecodeString(s.PrivateKeyB64)
+		if err != nil {
+			return 0, fmt.Errorf("decode private_key: %w", err)
+		}
+		signer, err := ssh.ParsePrivateKey(keyBytes)
+		if err != nil {
+			return 0, fmt.Errorf("parse private_key: %w", err)
+		}
+		authMethods = append(authMethods, ssh.PublicKeys(signer))
+	}
+	if len(authMethods) == 0 {
+		return 0, errors.New("no auth method (password or private_key required)")
+	}
+
+	hostKeyCallback := ssh.InsecureIgnoreHostKey()
+	if fp := strings.TrimSpace(s.HostKeyFingerprint); fp != "" {
+		expected := fp
+		hostKeyCallback = func(_ string, _ net.Addr, key ssh.PublicKey) error {
+			got := ssh.FingerprintSHA256(key)
+			if got != expected {
+				return fmt.Errorf("host key mismatch: got %s, expected %s", got, expected)
+			}
+			return nil
+		}
+	}
+
+	cfg := &ssh.ClientConfig{
+		User:            s.Username,
+		Auth:            authMethods,
+		HostKeyCallback: hostKeyCallback,
+		Timeout:         15 * time.Second,
+	}
+	addr := fmt.Sprintf("%s:%d", s.Host, s.Port)
+	conn, err := ssh.Dial("tcp", addr, cfg)
+	if err != nil {
+		return 0, fmt.Errorf("ssh dial %s: %w", addr, err)
+	}
+	defer conn.Close()
+	cl, err := sftp.NewClient(conn)
+	if err != nil {
+		return 0, fmt.Errorf("sftp client: %w", err)
+	}
+	defer cl.Close()
+
+	// remote-dir anlegen (idempotent)
+	_ = cl.MkdirAll(s.RemoteDir)
+
+	src, err := os.Open(localPath)
+	if err != nil {
+		return 0, err
+	}
+	defer src.Close()
+	stat, err := src.Stat()
+	if err != nil {
+		return 0, err
+	}
+	dstPath := strings.TrimRight(s.RemoteDir, "/") + "/" + filepath.Base(localPath)
+	dst, err := cl.Create(dstPath)
+	if err != nil {
+		return 0, fmt.Errorf("create remote: %w", err)
+	}
+	defer dst.Close()
+	if _, err := io.Copy(dst, src); err != nil {
+		return 0, fmt.Errorf("copy: %w", err)
+	}
+	return stat.Size(), nil
+}
+
+// Test schickt ein 1KB-Probe-File und löscht es wieder. Failures hier
+// = Konfig-Problem, nicht relevant für Operator-Backup. UI-Endpoint
+// nutzt das für den „Verbindung testen"-Button.
+func (s *Service) Test(ctx context.Context, t Target) error {
+	tmp, err := os.CreateTemp("", "eg-remote-test-*.txt")
+	if err != nil {
+		return err
+	}
+	defer os.Remove(tmp.Name())
+	_, _ = tmp.WriteString("edgeguard remote-target test " + time.Now().Format(time.RFC3339))
+	tmp.Close()
+
+	r := s.uploadOne(ctx, t, tmp.Name())
+	if !r.OK {
+		return errors.New(r.Error)
+	}
+	// Cleanup: für S3 → DeleteObject, für SFTP → Remove. Lass uns
+	// bei beiden ignorieren wenn der Cleanup-Delete fehlschlägt —
+	// der Operator sieht im Bucket halt eine 1KB-Datei.
+	switch t.Kind {
+	case KindS3:
+		var settings S3Settings
+		if json.Unmarshal(t.Settings, &settings) == nil {
+			if cl, err := minio.New(settings.Endpoint, &minio.Options{
+				Creds:  miniocred.NewStaticV4(settings.AccessKey, settings.SecretKey, ""),
+				Secure: settings.UseSSL,
+				Region: settings.Region,
+			}); err == nil {
+				objName := filepath.Base(tmp.Name())
+				if settings.PathPrefix != "" {
+					objName = strings.TrimRight(settings.PathPrefix, "/") + "/" + objName
+				}
+				_ = cl.RemoveObject(ctx, settings.Bucket, objName, minio.RemoveObjectOptions{})
+			}
+		}
+	case KindSFTP:
+		var settings SFTPSettings
+		if json.Unmarshal(t.Settings, &settings) == nil {
+			var authMethods []ssh.AuthMethod
+			if settings.Password != "" {
+				authMethods = append(authMethods, ssh.Password(settings.Password))
+			}
+			if settings.PrivateKeyB64 != "" {
+				if keyBytes, err := base64.StdEncoding.DecodeString(settings.PrivateKeyB64); err == nil {
+					if signer, err := ssh.ParsePrivateKey(keyBytes); err == nil {
+						authMethods = append(authMethods, ssh.PublicKeys(signer))
+					}
+				}
+			}
+			if len(authMethods) > 0 {
+				if conn, err := ssh.Dial("tcp", fmt.Sprintf("%s:%d", settings.Host, settings.Port),
+					&ssh.ClientConfig{User: settings.Username, Auth: authMethods,
+						HostKeyCallback: ssh.InsecureIgnoreHostKey(), Timeout: 5 * time.Second}); err == nil {
+					if cl, err := sftp.NewClient(conn); err == nil {
+						_ = cl.Remove(strings.TrimRight(settings.RemoteDir, "/") + "/" + filepath.Base(tmp.Name()))
+						cl.Close()
+					}
+					conn.Close()
+				}
+			}
+		}
+	}
+	return nil
+}