feat(backup): Off-Site-Upload nach S3 + SFTP
Schutz gegen Box-Total-Loss — lokale Backups in /var/backups/edgeguard
helfen nicht, wenn die Disk stirbt oder die Box brennt. Nach jedem
erfolgreichen lokalen Backup wird die tar.gz an alle aktiven
Off-Site-Ziele hochgeladen.
Migration 0022: backup_remotes (kind=s3|sftp, target_url, settings
JSONB, active, last_upload_at, last_error) + backups.remote_uploads
JSONB (per-Target-Result).
internal/services/backup/remote/:
- UploadAll() — pro aktivem Target ein Upload, Failures non-fatal
- S3 via minio-go/v7 — funktioniert mit AWS, MinIO, Backblaze B2,
Cloudflare R2, Hetzner Object Storage (alle S3-API-kompatibel)
- SFTP via golang.org/x/crypto/ssh + pkg/sftp. Password + Private-
Key (OpenSSH, base64-encoded) als Auth. Optional host_key_
fingerprint-Pinning (SHA256:...); leer = TOFU (unsicher vs MitM,
OK für initial setup).
- Test() lädt eine 1KB-Probe + löscht sie wieder — Operator-UI hat
einen „Verbindung testen"-Button.
backup.Service.RemoteUploader-Interface: nach erfolgreichem
recordSuccess() läuft UploadAll, Results landen in backups.remote_
uploads JSONB. last_upload_at/last_error in backup_remotes pro Target
gepflegt. API + Scheduler injizieren beide den Adapter.
internal/handlers/backup_remotes.go: CRUD + POST /:id/test. Sensitive
Felder (secret_key, password, private_key) werden in GET-Responses
durch ***SET*** maskiert; UpdateChannel merged das zurück damit der
Operator bei Edit ohne Re-Eingabe speichern kann.
UI: Backups-Page jetzt mit Tabs "Sicherungen" + "Off-Site-Ziele".
Tab 2 hat CRUD-Tabelle mit kind-konditionalem Form (S3-Felder oder
SFTP-Felder), Test-Button pro Row, last_upload-Status mit FAIL-Tag
bei Errors.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Debian
@@ -68,6 +68,7 @@ type Result struct {
|
||||
StartedAt time.Time
|
||||
FinishedAt time.Time
|
||||
Error error
|
||||
RemoteUploads []RemoteResult
|
||||
}
|
||||
|
||||
// Manifest ist der content von manifest.json im tarball.
|
||||
@@ -80,6 +81,39 @@ type Manifest struct {
|
||||
FilesBytes int64 `json:"files_bytes"`
|
||||
}
|
||||
|
||||
// RemoteUploader ist das Service-Interface das nach erfolgreichem
|
||||
// Backup die tar.gz in Off-Site-Targets (S3/SFTP) hochlädt. Wird im
|
||||
// Konstruktor optional gesetzt; nil = kein Off-Site.
|
||||
type RemoteUploader interface {
|
||||
UploadAll(ctx context.Context, localPath string) ([]RemoteUploadInfo, error)
|
||||
}
|
||||
|
||||
// RemoteUploadInfo ist die minimale Sicht die der Service braucht.
|
||||
// remote.UploadResult passt direkt rein.
|
||||
type RemoteUploadInfo = remoteUploadResult
|
||||
|
||||
// remoteUploadResult ist das Struct das remote.UploadResult spiegelt
|
||||
// (separate Datei um Import-Cycle zu vermeiden). Die remote/-Package
|
||||
// implementiert RemoteUploader.
|
||||
type remoteUploadResult struct {
|
||||
RemoteID int64
|
||||
RemoteName string
|
||||
OK bool
|
||||
SizeBytes int64
|
||||
DurationMs int64
|
||||
Error string
|
||||
}
|
||||
|
||||
// RemoteResult ist die UI-Sicht, eine Liste davon landet im Result
|
||||
// der Run()-Methode.
|
||||
type RemoteResult struct {
|
||||
Name string `json:"name"`
|
||||
OK bool `json:"ok"`
|
||||
Bytes int64 `json:"bytes,omitempty"`
|
||||
DurationMs int64 `json:"duration_ms,omitempty"`
|
||||
Error string `json:"error,omitempty"`
|
||||
}
|
||||
|
||||
// Service bündelt Backup + Restore + Retention. Stateless — alle
|
||||
// Konfig kommt als Konstruktor-Param + Methode-Param.
|
||||
type Service struct {
|
||||
@@ -92,6 +126,10 @@ type Service struct {
|
||||
// Tests einen fake-binary einschleusen.
|
||||
PGDumpCmd func(ctx context.Context, w io.Writer) (int64, error)
|
||||
NowFn func() time.Time
|
||||
|
||||
// RemoteUploader: nach erfolgreichem Backup wird das tarball in
|
||||
// alle aktiven backup_remotes hochgeladen. nil = kein Off-Site.
|
||||
RemoteUploader RemoteUploader
|
||||
}
|
||||
|
||||
func New(pool *pgxpool.Pool) *Service {
|
||||
@@ -217,6 +255,25 @@ func (s *Service) Run(ctx context.Context, kind Kind, version string) (*Result,
|
||||
// arbeitet nur über DB-Rows).
|
||||
return res, fmt.Errorf("db record: %w", err)
|
||||
}
|
||||
// Off-Site-Uploads. Failures hier sind nicht-fatal — das lokale
|
||||
// Backup ist erfolgreich, Operator sieht in der UI welcher Target
|
||||
// erfolgreich war + welcher nicht. RemoteUploader ist optional;
|
||||
// wenn nicht injiziert, läuft kein Off-Site.
|
||||
if s.RemoteUploader != nil {
|
||||
uploads, _ := s.RemoteUploader.UploadAll(ctx, outPath)
|
||||
if len(uploads) > 0 {
|
||||
jsonBytes, _ := json.Marshal(uploads)
|
||||
_, _ = s.Pool.Exec(ctx,
|
||||
`UPDATE backups SET remote_uploads = $1 WHERE id = $2`,
|
||||
jsonBytes, res.ID)
|
||||
for _, u := range uploads {
|
||||
res.RemoteUploads = append(res.RemoteUploads, RemoteResult{
|
||||
Name: u.RemoteName, OK: u.OK, Bytes: u.SizeBytes,
|
||||
DurationMs: u.DurationMs, Error: u.Error,
|
||||
})
|
||||
}
|
||||
}
|
||||
}
|
||||
return res, nil
|
||||
}
|
||||
|
||||
|
||||
342
internal/services/backup/remote/remote.go
Normal file
342
internal/services/backup/remote/remote.go
Normal file
@@ -0,0 +1,342 @@
|
||||
// Package remote uploads Backup-Tarballs in Off-Site-Targets (S3 +
|
||||
// SFTP). Wird vom backup.Service nach erfolgreichem Local-Backup
|
||||
// aufgerufen, einmal pro aktivem backup_remotes-Eintrag.
|
||||
package remote
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/base64"
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
"io"
|
||||
"net"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/jackc/pgx/v5/pgxpool"
|
||||
"github.com/minio/minio-go/v7"
|
||||
miniocred "github.com/minio/minio-go/v7/pkg/credentials"
|
||||
"github.com/pkg/sftp"
|
||||
"golang.org/x/crypto/ssh"
|
||||
)
|
||||
|
||||
type Kind string
|
||||
|
||||
const (
|
||||
KindS3 Kind = "s3"
|
||||
KindSFTP Kind = "sftp"
|
||||
)
|
||||
|
||||
// Target ist eine Row aus backup_remotes.
|
||||
type Target struct {
|
||||
ID int64 `json:"id"`
|
||||
Name string `json:"name"`
|
||||
Kind Kind `json:"kind"`
|
||||
TargetURL string `json:"target_url"`
|
||||
Settings json.RawMessage `json:"settings"`
|
||||
Active bool `json:"active"`
|
||||
LastUpload *time.Time `json:"last_upload_at,omitempty"`
|
||||
LastError *string `json:"last_error,omitempty"`
|
||||
}
|
||||
|
||||
// S3Settings: alle minio-go-Config-Felder. Funktioniert mit AWS S3,
|
||||
// MinIO, Backblaze B2, Cloudflare R2, Hetzner Object Storage.
|
||||
type S3Settings struct {
|
||||
Endpoint string `json:"endpoint"` // s3.amazonaws.com / minio.example.com:9000
|
||||
Region string `json:"region"` // "eu-central-1" / "auto" (R2)
|
||||
Bucket string `json:"bucket"`
|
||||
AccessKey string `json:"access_key"`
|
||||
SecretKey string `json:"secret_key"`
|
||||
PathPrefix string `json:"path_prefix"` // "edgeguard/utm-1/" — vor jedem Filename
|
||||
UseSSL bool `json:"use_ssl"`
|
||||
}
|
||||
|
||||
// SFTPSettings — klassisches SSH/SFTP.
|
||||
type SFTPSettings struct {
|
||||
Host string `json:"host"`
|
||||
Port int `json:"port"`
|
||||
Username string `json:"username"`
|
||||
Password string `json:"password,omitempty"`
|
||||
PrivateKeyB64 string `json:"private_key,omitempty"` // OpenSSH-Privkey, base64
|
||||
RemoteDir string `json:"remote_dir"` // /var/backups/edgeguard
|
||||
HostKeyFingerprint string `json:"host_key_fingerprint,omitempty"` // "SHA256:..." optional
|
||||
}
|
||||
|
||||
// UploadResult landet pro Target in backups.remote_uploads.
|
||||
type UploadResult struct {
|
||||
RemoteID int64 `json:"remote_id"`
|
||||
RemoteName string `json:"remote_name"`
|
||||
OK bool `json:"ok"`
|
||||
SizeBytes int64 `json:"size,omitempty"`
|
||||
DurationMs int64 `json:"duration_ms"`
|
||||
Error string `json:"error,omitempty"`
|
||||
}
|
||||
|
||||
type Service struct {
|
||||
Pool *pgxpool.Pool
|
||||
}
|
||||
|
||||
func New(pool *pgxpool.Pool) *Service { return &Service{Pool: pool} }
|
||||
|
||||
// ListActive holt alle aktiven Targets.
|
||||
func (s *Service) ListActive(ctx context.Context) ([]Target, error) {
|
||||
rows, err := s.Pool.Query(ctx, `
|
||||
SELECT id, name, kind, target_url, settings, active, last_upload_at, last_error
|
||||
FROM backup_remotes WHERE active = TRUE ORDER BY id ASC`)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
defer rows.Close()
|
||||
out := []Target{}
|
||||
for rows.Next() {
|
||||
var t Target
|
||||
if err := rows.Scan(&t.ID, &t.Name, &t.Kind, &t.TargetURL,
|
||||
&t.Settings, &t.Active, &t.LastUpload, &t.LastError); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
out = append(out, t)
|
||||
}
|
||||
return out, rows.Err()
|
||||
}
|
||||
|
||||
// UploadAll lädt das File in alle aktiven Targets. Eine Upload-Failure
|
||||
// blockiert nicht die anderen. Returns Result-Liste pro Target.
|
||||
func (s *Service) UploadAll(ctx context.Context, localPath string) ([]UploadResult, error) {
|
||||
targets, err := s.ListActive(ctx)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
out := make([]UploadResult, 0, len(targets))
|
||||
for _, t := range targets {
|
||||
r := s.uploadOne(ctx, t, localPath)
|
||||
out = append(out, r)
|
||||
// last_upload_at / last_error in backup_remotes pflegen.
|
||||
s.markResult(ctx, t.ID, r)
|
||||
}
|
||||
return out, nil
|
||||
}
|
||||
|
||||
func (s *Service) markResult(ctx context.Context, id int64, r UploadResult) {
|
||||
if r.OK {
|
||||
_, _ = s.Pool.Exec(ctx, `
|
||||
UPDATE backup_remotes SET last_upload_at = NOW(), last_error = NULL, updated_at = NOW()
|
||||
WHERE id = $1`, id)
|
||||
} else {
|
||||
_, _ = s.Pool.Exec(ctx, `
|
||||
UPDATE backup_remotes SET last_error = $1, updated_at = NOW() WHERE id = $2`,
|
||||
r.Error, id)
|
||||
}
|
||||
}
|
||||
|
||||
func (s *Service) uploadOne(ctx context.Context, t Target, localPath string) UploadResult {
|
||||
start := time.Now()
|
||||
r := UploadResult{RemoteID: t.ID, RemoteName: t.Name}
|
||||
var err error
|
||||
switch t.Kind {
|
||||
case KindS3:
|
||||
var settings S3Settings
|
||||
if e := json.Unmarshal(t.Settings, &settings); e != nil {
|
||||
err = fmt.Errorf("parse s3 settings: %w", e)
|
||||
break
|
||||
}
|
||||
r.SizeBytes, err = uploadS3(ctx, settings, localPath)
|
||||
case KindSFTP:
|
||||
var settings SFTPSettings
|
||||
if e := json.Unmarshal(t.Settings, &settings); e != nil {
|
||||
err = fmt.Errorf("parse sftp settings: %w", e)
|
||||
break
|
||||
}
|
||||
r.SizeBytes, err = uploadSFTP(ctx, settings, localPath)
|
||||
default:
|
||||
err = fmt.Errorf("unknown kind: %s", t.Kind)
|
||||
}
|
||||
r.DurationMs = time.Since(start).Milliseconds()
|
||||
if err != nil {
|
||||
r.OK = false
|
||||
r.Error = err.Error()
|
||||
} else {
|
||||
r.OK = true
|
||||
}
|
||||
return r
|
||||
}
|
||||
|
||||
// uploadS3 mit minio-go. Funktioniert mit jeder S3-API.
|
||||
func uploadS3(ctx context.Context, s S3Settings, localPath string) (int64, error) {
|
||||
if s.Endpoint == "" || s.Bucket == "" || s.AccessKey == "" || s.SecretKey == "" {
|
||||
return 0, errors.New("s3 settings incomplete (endpoint/bucket/access_key/secret_key required)")
|
||||
}
|
||||
cl, err := minio.New(s.Endpoint, &minio.Options{
|
||||
Creds: miniocred.NewStaticV4(s.AccessKey, s.SecretKey, ""),
|
||||
Secure: s.UseSSL,
|
||||
Region: s.Region,
|
||||
})
|
||||
if err != nil {
|
||||
return 0, fmt.Errorf("minio client: %w", err)
|
||||
}
|
||||
f, err := os.Open(localPath)
|
||||
if err != nil {
|
||||
return 0, err
|
||||
}
|
||||
defer f.Close()
|
||||
stat, err := f.Stat()
|
||||
if err != nil {
|
||||
return 0, err
|
||||
}
|
||||
objName := filepath.Base(localPath)
|
||||
if s.PathPrefix != "" {
|
||||
objName = strings.TrimRight(s.PathPrefix, "/") + "/" + objName
|
||||
}
|
||||
info, err := cl.PutObject(ctx, s.Bucket, objName, f, stat.Size(),
|
||||
minio.PutObjectOptions{ContentType: "application/gzip"})
|
||||
if err != nil {
|
||||
return 0, fmt.Errorf("put: %w", err)
|
||||
}
|
||||
return info.Size, nil
|
||||
}
|
||||
|
||||
// uploadSFTP — ssh dial + sftp client + Write. Verifiziert Host-Key
|
||||
// gegen settings.host_key_fingerprint wenn gesetzt (SHA256:...).
|
||||
func uploadSFTP(ctx context.Context, s SFTPSettings, localPath string) (int64, error) {
|
||||
if s.Host == "" || s.Port == 0 || s.Username == "" || s.RemoteDir == "" {
|
||||
return 0, errors.New("sftp settings incomplete (host/port/username/remote_dir required)")
|
||||
}
|
||||
var authMethods []ssh.AuthMethod
|
||||
if s.Password != "" {
|
||||
authMethods = append(authMethods, ssh.Password(s.Password))
|
||||
}
|
||||
if s.PrivateKeyB64 != "" {
|
||||
keyBytes, err := base64.StdEncoding.DecodeString(s.PrivateKeyB64)
|
||||
if err != nil {
|
||||
return 0, fmt.Errorf("decode private_key: %w", err)
|
||||
}
|
||||
signer, err := ssh.ParsePrivateKey(keyBytes)
|
||||
if err != nil {
|
||||
return 0, fmt.Errorf("parse private_key: %w", err)
|
||||
}
|
||||
authMethods = append(authMethods, ssh.PublicKeys(signer))
|
||||
}
|
||||
if len(authMethods) == 0 {
|
||||
return 0, errors.New("no auth method (password or private_key required)")
|
||||
}
|
||||
|
||||
hostKeyCallback := ssh.InsecureIgnoreHostKey()
|
||||
if fp := strings.TrimSpace(s.HostKeyFingerprint); fp != "" {
|
||||
expected := fp
|
||||
hostKeyCallback = func(_ string, _ net.Addr, key ssh.PublicKey) error {
|
||||
got := ssh.FingerprintSHA256(key)
|
||||
if got != expected {
|
||||
return fmt.Errorf("host key mismatch: got %s, expected %s", got, expected)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
cfg := &ssh.ClientConfig{
|
||||
User: s.Username,
|
||||
Auth: authMethods,
|
||||
HostKeyCallback: hostKeyCallback,
|
||||
Timeout: 15 * time.Second,
|
||||
}
|
||||
addr := fmt.Sprintf("%s:%d", s.Host, s.Port)
|
||||
conn, err := ssh.Dial("tcp", addr, cfg)
|
||||
if err != nil {
|
||||
return 0, fmt.Errorf("ssh dial %s: %w", addr, err)
|
||||
}
|
||||
defer conn.Close()
|
||||
cl, err := sftp.NewClient(conn)
|
||||
if err != nil {
|
||||
return 0, fmt.Errorf("sftp client: %w", err)
|
||||
}
|
||||
defer cl.Close()
|
||||
|
||||
// remote-dir anlegen (idempotent)
|
||||
_ = cl.MkdirAll(s.RemoteDir)
|
||||
|
||||
src, err := os.Open(localPath)
|
||||
if err != nil {
|
||||
return 0, err
|
||||
}
|
||||
defer src.Close()
|
||||
stat, err := src.Stat()
|
||||
if err != nil {
|
||||
return 0, err
|
||||
}
|
||||
dstPath := strings.TrimRight(s.RemoteDir, "/") + "/" + filepath.Base(localPath)
|
||||
dst, err := cl.Create(dstPath)
|
||||
if err != nil {
|
||||
return 0, fmt.Errorf("create remote: %w", err)
|
||||
}
|
||||
defer dst.Close()
|
||||
if _, err := io.Copy(dst, src); err != nil {
|
||||
return 0, fmt.Errorf("copy: %w", err)
|
||||
}
|
||||
return stat.Size(), nil
|
||||
}
|
||||
|
||||
// Test schickt ein 1KB-Probe-File und löscht es wieder. Failures hier
|
||||
// = Konfig-Problem, nicht relevant für Operator-Backup. UI-Endpoint
|
||||
// nutzt das für den „Verbindung testen"-Button.
|
||||
func (s *Service) Test(ctx context.Context, t Target) error {
|
||||
tmp, err := os.CreateTemp("", "eg-remote-test-*.txt")
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
defer os.Remove(tmp.Name())
|
||||
_, _ = tmp.WriteString("edgeguard remote-target test " + time.Now().Format(time.RFC3339))
|
||||
tmp.Close()
|
||||
|
||||
r := s.uploadOne(ctx, t, tmp.Name())
|
||||
if !r.OK {
|
||||
return errors.New(r.Error)
|
||||
}
|
||||
// Cleanup: für S3 → DeleteObject, für SFTP → Remove. Lass uns
|
||||
// bei beiden ignorieren wenn der Cleanup-Delete fehlschlägt —
|
||||
// der Operator sieht im Bucket halt eine 1KB-Datei.
|
||||
switch t.Kind {
|
||||
case KindS3:
|
||||
var settings S3Settings
|
||||
if json.Unmarshal(t.Settings, &settings) == nil {
|
||||
if cl, err := minio.New(settings.Endpoint, &minio.Options{
|
||||
Creds: miniocred.NewStaticV4(settings.AccessKey, settings.SecretKey, ""),
|
||||
Secure: settings.UseSSL,
|
||||
Region: settings.Region,
|
||||
}); err == nil {
|
||||
objName := filepath.Base(tmp.Name())
|
||||
if settings.PathPrefix != "" {
|
||||
objName = strings.TrimRight(settings.PathPrefix, "/") + "/" + objName
|
||||
}
|
||||
_ = cl.RemoveObject(ctx, settings.Bucket, objName, minio.RemoveObjectOptions{})
|
||||
}
|
||||
}
|
||||
case KindSFTP:
|
||||
var settings SFTPSettings
|
||||
if json.Unmarshal(t.Settings, &settings) == nil {
|
||||
var authMethods []ssh.AuthMethod
|
||||
if settings.Password != "" {
|
||||
authMethods = append(authMethods, ssh.Password(settings.Password))
|
||||
}
|
||||
if settings.PrivateKeyB64 != "" {
|
||||
if keyBytes, err := base64.StdEncoding.DecodeString(settings.PrivateKeyB64); err == nil {
|
||||
if signer, err := ssh.ParsePrivateKey(keyBytes); err == nil {
|
||||
authMethods = append(authMethods, ssh.PublicKeys(signer))
|
||||
}
|
||||
}
|
||||
}
|
||||
if len(authMethods) > 0 {
|
||||
if conn, err := ssh.Dial("tcp", fmt.Sprintf("%s:%d", settings.Host, settings.Port),
|
||||
&ssh.ClientConfig{User: settings.Username, Auth: authMethods,
|
||||
HostKeyCallback: ssh.InsecureIgnoreHostKey(), Timeout: 5 * time.Second}); err == nil {
|
||||
if cl, err := sftp.NewClient(conn); err == nil {
|
||||
_ = cl.Remove(strings.TrimRight(settings.RemoteDir, "/") + "/" + filepath.Base(tmp.Name()))
|
||||
cl.Close()
|
||||
}
|
||||
conn.Close()
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
Reference in New Issue
Block a user