-
-
Notifications
You must be signed in to change notification settings - Fork 0
/
gotosocial-backup.sh
executable file
·311 lines (268 loc) · 9.95 KB
/
gotosocial-backup.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
#!/usr/bin/env bash
# Backup script for GoToSocial
# - exports data, backs up the SQLite database, and media files
# - optionally encrypts sensitive data for secure offsite storage
# - rotates backups and cleans up old backups based on retention policy
# - sends notifications on backup failure
# - https://docs.gotosocial.org/en/latest/admin/backup_and_restore/
# - https://litestream.io/alternatives/cron/
set +e # Disable errexit
set +u # Disable nounset
set +o pipefail # Disable pipefail
# Default configuration
CONFIG_DEFAULTS=(
'BACKUP_ROOT=/mnt/data/backup/gotosocial'
'GTS_CONFIG=/etc/gotosocial/config.yaml'
'GTS_DB=/var/lib/gotosocial/database.sqlite'
'RETENTION_DAYS=28'
'PASSPHRASE='
'NTFY_SERVER='
'NTFY_TOPIC='
)
# Load configuration from file if it exists
CONFIG_FILE="/etc/gotosocial-backup.conf"
if [ -f "${CONFIG_FILE}" ]; then
# shellcheck source=/dev/null
source "${CONFIG_FILE}"
fi
# Set defaults for any unset variables
for default in "${CONFIG_DEFAULTS[@]}"; do
var_name="${default%%=*}"
var_default="${default#*=}"
# Only set if not already set by environment or config file
if [ -z "${!var_name}" ]; then
declare "${var_name}=${var_default}"
fi
done
# Ensure script is run as root
if [ "$(id -u)" -ne 0 ]; then
echo "Error: This script must be run as root" >&2
exit 1
fi
# No need to edit below this line
STAMP=$(date +%Y%m%d_%H%M%S)
TODAY=$(echo "${STAMP}" | cut -d'_' -f 1)
BACKUP_DIR="${BACKUP_ROOT}/${STAMP}"
DB_BACKUP="${BACKUP_DIR}/database.sqlite"
EXPORT_BACKUP="${BACKUP_DIR}/export.json"
EXPORT_TEMP="/tmp/gotosocial_export_${STAMP}.json"
LATEST_LINK="${BACKUP_ROOT}/latest"
LOGFILE="${BACKUP_ROOT}/backup.log"
LOGLINES=4096
# Function to compress and optionally encrypt a file
function process_backup() {
local input_file="${1}"
if [ ! -f "${input_file}" ]; then
handle_error "Input file ${input_file} not found"
fi
if [ -n "${PASSPHRASE}" ]; then
# Compress and encrypt in one pipeline
if gzip -c "${input_file}" | openssl enc -aes-256-cbc -salt -pbkdf2 -out "${input_file}.gz.enc" -pass "pass:${PASSPHRASE}"; then
log_message "Successfully compressed and encrypted ${input_file}"
return 0
else
handle_error "Failed to compress and encrypt ${input_file}"
fi
else
# Just compress the file
if gzip -f "${input_file}"; then
log_message "Successfully compressed ${input_file}"
return 0
else
handle_error "Failed to compress ${input_file}"
fi
fi
}
# Function to get the expected backup extension
function get_backup_extension() {
if [ -n "${PASSPHRASE}" ]; then
echo "gz.enc"
else
echo "gz"
fi
}
# Function to rotate log file
function rotate_log() {
if [ -f "${LOGFILE}" ]; then
log_message "Rotating log file (keeping last ${LOGLINES} lines)"
local tmp_log="/tmp/backup_log_${STAMP}.tmp"
tail -n "${LOGLINES}" "${LOGFILE}" > "${tmp_log}"
mv "${tmp_log}" "${LOGFILE}"
chmod 600 "${LOGFILE}"
fi
}
# Function to execute gotosocial admin
# NixOS installs the gotosocial-admin helper, so use it if available
function gts_admin() {
local command="${1}"
# Remove the first argument, leaving the rest in $@
shift
if [ -x /run/current-system/sw/bin/gotosocial-admin ]; then
/run/current-system/sw/bin/gotosocial-admin "$command" "${@}"
else
gotosocial --config-path "${GTS_CONFIG}" admin "${command}" "${@}"
fi
}
# Simple notification function
function send_ntfy() {
local error_message="${1}"
if [ -n "${NTFY_SERVER}" ] && [ -n "${NTFY_TOPIC}" ]; then
curl -d "${error_message}" "https://${NTFY_SERVER}/${NTFY_TOPIC}"
fi
}
# Function to log messages
function log_message() {
echo "$(date '+%Y/%m/%d %H:%M:%S') ${1}" | tee -a "${LOGFILE}"
}
# Function to handle errors
function handle_error() {
log_message "ERROR: ${1}"
send_ntfy "GoToSocial backup failed: ${1}"
exit 1
}
# Function to clean up temporary files
function cleanup() {
[ -f "${TMPFILE}" ] && rm -f "${TMPFILE}"
[ -f "${EXPORT_TEMP}" ] && rm -f "${EXPORT_TEMP}"
log_message "Cleanup completed"
rotate_log
}
trap cleanup EXIT
# Rotate log file at the start of backup
rotate_log
# Log encryption status
if [ -n "${PASSPHRASE}" ]; then
log_message "Encryption enabled - backups will be encrypted"
else
log_message "Encryption disabled - backups will only be compressed"
fi
# Check if running under sudo and warn about potential environment issues
if [ -n "${SUDO_USER}" ]; then
log_message "Warning: Script is running via sudo. Environment variables from the user environment may not be preserved."
fi
# Check if we're using gotosocial-admin or gotosocial
if [ -x /run/current-system/sw/bin/gotosocial-admin ]; then
log_message "Using gotosocial-admin"
elif command -v gotosocial >/dev/null 2>&1; then
log_message "Using gotosocial with ${GTS_CONFIG}"
else
handle_error "gotosocial not found in the PATH"
fi
# Ensure backup root directory exists
mkdir -p "${BACKUP_ROOT}"
chmod 700 "${BACKUP_ROOT}"
# Create new backup directory
mkdir -p "${BACKUP_DIR}" || handle_error "Failed to create backup directory"
chmod 700 "${BACKUP_DIR}"
# Check if source database exists and is readable
if [ ! -r "${GTS_DB}" ]; then
handle_error "Database file ${GTS_DB} does not exist or is not readable"
fi
# Export GoToSocial data
log_message "Starting GoToSocial export"
if gts_admin "export" "--path" "${EXPORT_TEMP}"; then
log_message "GoToSocial export completed successfully"
# Move export file to backup directory
if mv "${EXPORT_TEMP}" "${EXPORT_BACKUP}"; then
log_message "Export file moved to backup directory"
# Process the export file
process_backup "${EXPORT_BACKUP}"
else
handle_error "Failed to move export file to backup directory"
fi
else
handle_error "GoToSocial export failed"
fi
# Backup SQLite database
log_message "Starting database backup"
# Create database backup with VACUUM
if sqlite3 "${GTS_DB}" "VACUUM INTO '${DB_BACKUP}'"; then
log_message "Database backup created successfully"
# Check database integrity
log_message "Checking database integrity"
INTEGRITY_CHECK=$(sqlite3 "${DB_BACKUP}" 'PRAGMA integrity_check')
if [ "${INTEGRITY_CHECK}" = "ok" ]; then
log_message "Database integrity check passed"
# Process the database backup
process_backup "${DB_BACKUP}"
else
handle_error "Database integrity check failed: ${INTEGRITY_CHECK}"
fi
else
handle_error "Database backup failed"
fi
# Initialize rsync arguments for media backup
# -av Archive mode and verbose
# --relative Preserve path structure
# --files-from=- Read file list from stdin
RSYNC_ARGS="-av --relative --files-from=-"
# Add --link-dest only if latest backup exists
if [ -d "${LATEST_LINK}" ]; then
RSYNC_ARGS+=" --link-dest=${LATEST_LINK}"
fi
# Perform the media backup
log_message "Starting media backup to ${BACKUP_DIR}"
# Create a temporary file for the source list
TMPFILE=$(mktemp)
# Get the list of files and prepare them for rsync
for MEDIA in attachment emoji; do
gts_admin "media" "list-${MEDIA}s" "--local-only" | grep ${MEDIA} | while read -r file; do
# Remove leading slash for rsync --relative
echo ".${file}" >> "${TMPFILE}"
done
done
# Check if we have files to backup
if [ -s "${TMPFILE}" ]; then
# Perform the rsync backup
# $RSYNC_ARGS is a string and should not be quoted
# shellcheck disable=SC2086
if rsync ${RSYNC_ARGS} / "${BACKUP_DIR}" < "${TMPFILE}"; then
log_message "Media backup completed successfully"
# Calculate and log space usage
BACKUP_SIZE=$(du -sh "${BACKUP_DIR}" | cut -f 1)
log_message "Total backup size: ${BACKUP_SIZE}"
# Get the expected backup extension
BACKUP_EXT=$(get_backup_extension)
# Verify the backup contents
log_message "Verifying backup contents"
if [ -f "${DB_BACKUP}.${BACKUP_EXT}" ]; then
log_message "✓ Database backup present and processed"
else
handle_error "Database backup missing or not processed"
fi
if [ -f "${EXPORT_BACKUP}.${BACKUP_EXT}" ]; then
log_message "✓ GoToSocial export present and processed"
else
handle_error "GoToSocial export missing or not processed"
fi
# Count media files
MEDIA_COUNT=$(find "${BACKUP_DIR}" -type f ! -name "*.${BACKUP_EXT}" | wc -l)
log_message "✓ Files backed up: ${MEDIA_COUNT}"
# Only proceed with cleanup and latest link update if verification passed
if [ -f "${DB_BACKUP}.${BACKUP_EXT}" ] && [ -f "${EXPORT_BACKUP}.${BACKUP_EXT}" ] && [ "${MEDIA_COUNT}" -gt 0 ]; then
log_message "Backup verification completed successfully"
# Update the 'latest' symlink
rm -f "${LATEST_LINK}"
ln -s "${BACKUP_DIR}" "${LATEST_LINK}"
# Clean up old backups
log_message "Looking for backups older than ${RETENTION_DAYS} days (excluding today's backups)"
while read -r backup_dir; do
backup_date=$(basename "${backup_dir}" | cut -d'_' -f 1)
if [ "${backup_date}" != "${TODAY}" ]; then
log_message "Removing old backup: ${backup_dir}"
rm -rf "${backup_dir}"
else
log_message "Keeping today's backup: ${backup_dir}"
fi
done < <(find "${BACKUP_ROOT}" -maxdepth 1 -type d -mtime "+${RETENTION_DAYS}" -name "20*")
log_message "Retention policy: keeping backups for ${RETENTION_DAYS} days"
else
handle_error "Backup verification failed"
fi
else
handle_error "Media backup failed"
fi
else
log_message "No media files found to backup"
fi
log_message "Backup process completed"