// Package remote uploads Backup-Tarballs in Off-Site-Targets (S3 + // SFTP). Wird vom backup.Service nach erfolgreichem Local-Backup // aufgerufen, einmal pro aktivem backup_remotes-Eintrag. package remote import ( "context" "encoding/base64" "encoding/json" "errors" "fmt" "io" "net" "os" "path/filepath" "strings" "time" "github.com/jackc/pgx/v5/pgxpool" "github.com/minio/minio-go/v7" miniocred "github.com/minio/minio-go/v7/pkg/credentials" "github.com/pkg/sftp" "golang.org/x/crypto/ssh" ) type Kind string const ( KindS3 Kind = "s3" KindSFTP Kind = "sftp" ) // Target ist eine Row aus backup_remotes. type Target struct { ID int64 `json:"id"` Name string `json:"name"` Kind Kind `json:"kind"` TargetURL string `json:"target_url"` Settings json.RawMessage `json:"settings"` Active bool `json:"active"` LastUpload *time.Time `json:"last_upload_at,omitempty"` LastError *string `json:"last_error,omitempty"` } // S3Settings: alle minio-go-Config-Felder. Funktioniert mit AWS S3, // MinIO, Backblaze B2, Cloudflare R2, Hetzner Object Storage. type S3Settings struct { Endpoint string `json:"endpoint"` // s3.amazonaws.com / minio.example.com:9000 Region string `json:"region"` // "eu-central-1" / "auto" (R2) Bucket string `json:"bucket"` AccessKey string `json:"access_key"` SecretKey string `json:"secret_key"` PathPrefix string `json:"path_prefix"` // "edgeguard/utm-1/" — vor jedem Filename UseSSL bool `json:"use_ssl"` } // SFTPSettings — klassisches SSH/SFTP. type SFTPSettings struct { Host string `json:"host"` Port int `json:"port"` Username string `json:"username"` Password string `json:"password,omitempty"` PrivateKeyB64 string `json:"private_key,omitempty"` // OpenSSH-Privkey, base64 RemoteDir string `json:"remote_dir"` // /var/backups/edgeguard HostKeyFingerprint string `json:"host_key_fingerprint,omitempty"` // "SHA256:..." optional } // UploadResult landet pro Target in backups.remote_uploads. type UploadResult struct { RemoteID int64 `json:"remote_id"` RemoteName string `json:"remote_name"` OK bool `json:"ok"` SizeBytes int64 `json:"size,omitempty"` DurationMs int64 `json:"duration_ms"` Error string `json:"error,omitempty"` } type Service struct { Pool *pgxpool.Pool } func New(pool *pgxpool.Pool) *Service { return &Service{Pool: pool} } // ListActive holt alle aktiven Targets. func (s *Service) ListActive(ctx context.Context) ([]Target, error) { rows, err := s.Pool.Query(ctx, ` SELECT id, name, kind, target_url, settings, active, last_upload_at, last_error FROM backup_remotes WHERE active = TRUE ORDER BY id ASC`) if err != nil { return nil, err } defer rows.Close() out := []Target{} for rows.Next() { var t Target if err := rows.Scan(&t.ID, &t.Name, &t.Kind, &t.TargetURL, &t.Settings, &t.Active, &t.LastUpload, &t.LastError); err != nil { return nil, err } out = append(out, t) } return out, rows.Err() } // UploadAll lädt das File in alle aktiven Targets. Eine Upload-Failure // blockiert nicht die anderen. Returns Result-Liste pro Target. func (s *Service) UploadAll(ctx context.Context, localPath string) ([]UploadResult, error) { targets, err := s.ListActive(ctx) if err != nil { return nil, err } out := make([]UploadResult, 0, len(targets)) for _, t := range targets { r := s.uploadOne(ctx, t, localPath) out = append(out, r) // last_upload_at / last_error in backup_remotes pflegen. s.markResult(ctx, t.ID, r) } return out, nil } func (s *Service) markResult(ctx context.Context, id int64, r UploadResult) { if r.OK { _, _ = s.Pool.Exec(ctx, ` UPDATE backup_remotes SET last_upload_at = NOW(), last_error = NULL, updated_at = NOW() WHERE id = $1`, id) } else { _, _ = s.Pool.Exec(ctx, ` UPDATE backup_remotes SET last_error = $1, updated_at = NOW() WHERE id = $2`, r.Error, id) } } func (s *Service) uploadOne(ctx context.Context, t Target, localPath string) UploadResult { start := time.Now() r := UploadResult{RemoteID: t.ID, RemoteName: t.Name} var err error switch t.Kind { case KindS3: var settings S3Settings if e := json.Unmarshal(t.Settings, &settings); e != nil { err = fmt.Errorf("parse s3 settings: %w", e) break } r.SizeBytes, err = uploadS3(ctx, settings, localPath) case KindSFTP: var settings SFTPSettings if e := json.Unmarshal(t.Settings, &settings); e != nil { err = fmt.Errorf("parse sftp settings: %w", e) break } r.SizeBytes, err = uploadSFTP(ctx, settings, localPath) default: err = fmt.Errorf("unknown kind: %s", t.Kind) } r.DurationMs = time.Since(start).Milliseconds() if err != nil { r.OK = false r.Error = err.Error() } else { r.OK = true } return r } // uploadS3 mit minio-go. Funktioniert mit jeder S3-API. func uploadS3(ctx context.Context, s S3Settings, localPath string) (int64, error) { if s.Endpoint == "" || s.Bucket == "" || s.AccessKey == "" || s.SecretKey == "" { return 0, errors.New("s3 settings incomplete (endpoint/bucket/access_key/secret_key required)") } cl, err := minio.New(s.Endpoint, &minio.Options{ Creds: miniocred.NewStaticV4(s.AccessKey, s.SecretKey, ""), Secure: s.UseSSL, Region: s.Region, }) if err != nil { return 0, fmt.Errorf("minio client: %w", err) } f, err := os.Open(localPath) if err != nil { return 0, err } defer f.Close() stat, err := f.Stat() if err != nil { return 0, err } objName := filepath.Base(localPath) if s.PathPrefix != "" { objName = strings.TrimRight(s.PathPrefix, "/") + "/" + objName } info, err := cl.PutObject(ctx, s.Bucket, objName, f, stat.Size(), minio.PutObjectOptions{ContentType: "application/gzip"}) if err != nil { return 0, fmt.Errorf("put: %w", err) } return info.Size, nil } // uploadSFTP — ssh dial + sftp client + Write. Verifiziert Host-Key // gegen settings.host_key_fingerprint wenn gesetzt (SHA256:...). func uploadSFTP(ctx context.Context, s SFTPSettings, localPath string) (int64, error) { if s.Host == "" || s.Port == 0 || s.Username == "" || s.RemoteDir == "" { return 0, errors.New("sftp settings incomplete (host/port/username/remote_dir required)") } var authMethods []ssh.AuthMethod if s.Password != "" { authMethods = append(authMethods, ssh.Password(s.Password)) } if s.PrivateKeyB64 != "" { keyBytes, err := base64.StdEncoding.DecodeString(s.PrivateKeyB64) if err != nil { return 0, fmt.Errorf("decode private_key: %w", err) } signer, err := ssh.ParsePrivateKey(keyBytes) if err != nil { return 0, fmt.Errorf("parse private_key: %w", err) } authMethods = append(authMethods, ssh.PublicKeys(signer)) } if len(authMethods) == 0 { return 0, errors.New("no auth method (password or private_key required)") } hostKeyCallback := ssh.InsecureIgnoreHostKey() if fp := strings.TrimSpace(s.HostKeyFingerprint); fp != "" { expected := fp hostKeyCallback = func(_ string, _ net.Addr, key ssh.PublicKey) error { got := ssh.FingerprintSHA256(key) if got != expected { return fmt.Errorf("host key mismatch: got %s, expected %s", got, expected) } return nil } } cfg := &ssh.ClientConfig{ User: s.Username, Auth: authMethods, HostKeyCallback: hostKeyCallback, Timeout: 15 * time.Second, } addr := fmt.Sprintf("%s:%d", s.Host, s.Port) conn, err := ssh.Dial("tcp", addr, cfg) if err != nil { return 0, fmt.Errorf("ssh dial %s: %w", addr, err) } defer conn.Close() cl, err := sftp.NewClient(conn) if err != nil { return 0, fmt.Errorf("sftp client: %w", err) } defer cl.Close() // remote-dir anlegen (idempotent) _ = cl.MkdirAll(s.RemoteDir) src, err := os.Open(localPath) if err != nil { return 0, err } defer src.Close() stat, err := src.Stat() if err != nil { return 0, err } dstPath := strings.TrimRight(s.RemoteDir, "/") + "/" + filepath.Base(localPath) dst, err := cl.Create(dstPath) if err != nil { return 0, fmt.Errorf("create remote: %w", err) } defer dst.Close() if _, err := io.Copy(dst, src); err != nil { return 0, fmt.Errorf("copy: %w", err) } return stat.Size(), nil } // Test schickt ein 1KB-Probe-File und löscht es wieder. Failures hier // = Konfig-Problem, nicht relevant für Operator-Backup. UI-Endpoint // nutzt das für den „Verbindung testen"-Button. func (s *Service) Test(ctx context.Context, t Target) error { tmp, err := os.CreateTemp("", "eg-remote-test-*.txt") if err != nil { return err } defer os.Remove(tmp.Name()) _, _ = tmp.WriteString("edgeguard remote-target test " + time.Now().Format(time.RFC3339)) tmp.Close() r := s.uploadOne(ctx, t, tmp.Name()) if !r.OK { return errors.New(r.Error) } // Cleanup: für S3 → DeleteObject, für SFTP → Remove. Lass uns // bei beiden ignorieren wenn der Cleanup-Delete fehlschlägt — // der Operator sieht im Bucket halt eine 1KB-Datei. switch t.Kind { case KindS3: var settings S3Settings if json.Unmarshal(t.Settings, &settings) == nil { if cl, err := minio.New(settings.Endpoint, &minio.Options{ Creds: miniocred.NewStaticV4(settings.AccessKey, settings.SecretKey, ""), Secure: settings.UseSSL, Region: settings.Region, }); err == nil { objName := filepath.Base(tmp.Name()) if settings.PathPrefix != "" { objName = strings.TrimRight(settings.PathPrefix, "/") + "/" + objName } _ = cl.RemoveObject(ctx, settings.Bucket, objName, minio.RemoveObjectOptions{}) } } case KindSFTP: var settings SFTPSettings if json.Unmarshal(t.Settings, &settings) == nil { var authMethods []ssh.AuthMethod if settings.Password != "" { authMethods = append(authMethods, ssh.Password(settings.Password)) } if settings.PrivateKeyB64 != "" { if keyBytes, err := base64.StdEncoding.DecodeString(settings.PrivateKeyB64); err == nil { if signer, err := ssh.ParsePrivateKey(keyBytes); err == nil { authMethods = append(authMethods, ssh.PublicKeys(signer)) } } } if len(authMethods) > 0 { if conn, err := ssh.Dial("tcp", fmt.Sprintf("%s:%d", settings.Host, settings.Port), &ssh.ClientConfig{User: settings.Username, Auth: authMethods, HostKeyCallback: ssh.InsecureIgnoreHostKey(), Timeout: 5 * time.Second}); err == nil { if cl, err := sftp.NewClient(conn); err == nil { _ = cl.Remove(strings.TrimRight(settings.RemoteDir, "/") + "/" + filepath.Base(tmp.Name())) cl.Close() } conn.Close() } } } } return nil }