feat: mirror repositories

feat: mirror backup repositories
2025-12-10 12:10:51 +01:00 · 2025-11-28 19:17:05 +01:00
parent 8e90c4ace1
commit b0e09c61e2
22 changed files with 2351 additions and 88 deletions
--- a/app/server/utils/backend-compatibility.ts
+++ b/app/server/utils/backend-compatibility.ts
@@ -0,0 +1,154 @@
+import type { RepositoryConfig } from "~/schemas/restic";
+import { cryptoUtils } from "./crypto";
+
+type BackendConflictGroup = "s3" | "gcs" | "azure" | "rest" | "sftp" | null;
+
+export const getBackendConflictGroup = (backend: string): BackendConflictGroup => {
+	switch (backend) {
+		case "s3":
+		case "r2":
+			return "s3";
+		case "gcs":
+			return "gcs";
+		case "azure":
+			return "azure";
+		case "rest":
+			return "rest";
+		case "sftp":
+			return "sftp";
+		case "local":
+		case "rclone":
+			return null;
+		default:
+			return null;
+	}
+};
+
+/**
+ * Checks if two repository configurations have compatible credentials.
+ * Two repositories are compatible if:
+ * - They are not in the same conflict group, OR
+ * - They are in the same conflict group AND use identical credentials
+ */
+export const hasCompatibleCredentials = async (
+	config1: RepositoryConfig,
+	config2: RepositoryConfig,
+): Promise<boolean> => {
+	const group1 = getBackendConflictGroup(config1.backend);
+	const group2 = getBackendConflictGroup(config2.backend);
+
+	if (!group1 || !group2 || group1 !== group2) {
+		return true;
+	}
+
+	switch (group1) {
+		case "s3": {
+			if (
+				(config1.backend === "s3" || config1.backend === "r2") &&
+				(config2.backend === "s3" || config2.backend === "r2")
+			) {
+				const accessKey1 = await cryptoUtils.decrypt(config1.accessKeyId);
+				const secretKey1 = await cryptoUtils.decrypt(config1.secretAccessKey);
+
+				const accessKey2 = await cryptoUtils.decrypt(config2.accessKeyId);
+				const secretKey2 = await cryptoUtils.decrypt(config2.secretAccessKey);
+
+				return accessKey1 === accessKey2 && secretKey1 === secretKey2;
+			}
+			return false;
+		}
+		case "gcs": {
+			if (config1.backend === "gcs" && config2.backend === "gcs") {
+				const credentials1 = await cryptoUtils.decrypt(config1.credentialsJson);
+				const credentials2 = await cryptoUtils.decrypt(config2.credentialsJson);
+
+				return credentials1 === credentials2 && config1.projectId === config2.projectId;
+			}
+			return false;
+		}
+		case "azure": {
+			if (config1.backend === "azure" && config2.backend === "azure") {
+				const config1Accountkey = await cryptoUtils.decrypt(config1.accountKey);
+				const config2Accountkey = await cryptoUtils.decrypt(config2.accountKey);
+
+				return config1.accountName === config2.accountName && config1Accountkey === config2Accountkey;
+			}
+			return false;
+		}
+		case "rest": {
+			if (config1.backend === "rest" && config2.backend === "rest") {
+				if (!config1.username && !config2.username && !config1.password && !config2.password) {
+					return true;
+				}
+
+				const config1Username = await cryptoUtils.decrypt(config1.username || "");
+				const config1Password = await cryptoUtils.decrypt(config1.password || "");
+				const config2Username = await cryptoUtils.decrypt(config2.username || "");
+				const config2Password = await cryptoUtils.decrypt(config2.password || "");
+
+				return config1Username === config2Username && config1Password === config2Password;
+			}
+			return false;
+		}
+		case "sftp": {
+			return false;
+		}
+		default:
+			return false;
+	}
+};
+
+export interface CompatibilityResult {
+	repositoryId: string;
+	compatible: boolean;
+	reason: string | null;
+}
+
+export const checkMirrorCompatibility = async (
+	primaryConfig: RepositoryConfig,
+	mirrorConfig: RepositoryConfig,
+	mirrorRepositoryId: string,
+): Promise<CompatibilityResult> => {
+	const primaryConflictGroup = getBackendConflictGroup(primaryConfig.backend);
+	const mirrorConflictGroup = getBackendConflictGroup(mirrorConfig.backend);
+
+	if (!primaryConflictGroup || !mirrorConflictGroup) {
+		return {
+			repositoryId: mirrorRepositoryId,
+			compatible: true,
+			reason: null,
+		};
+	}
+
+	if (primaryConflictGroup !== mirrorConflictGroup) {
+		return {
+			repositoryId: mirrorRepositoryId,
+			compatible: true,
+			reason: null,
+		};
+	}
+
+	const compatible = await hasCompatibleCredentials(primaryConfig, mirrorConfig);
+
+	if (compatible) {
+		return {
+			repositoryId: mirrorRepositoryId,
+			compatible: true,
+			reason: null,
+		};
+	}
+
+	return {
+		repositoryId: mirrorRepositoryId,
+		compatible: false,
+		reason: `Both use ${primaryConflictGroup.toUpperCase()} backends with different credentials`,
+	};
+};
+
+export const getIncompatibleMirrorError = (mirrorRepoName: string, primaryBackend: string, mirrorBackend: string) => {
+	return (
+		`Cannot mirror to ${mirrorRepoName}: both repositories use the same backend type (${primaryBackend}/${mirrorBackend}) with different credentials. ` +
+		"Restic cannot use different credentials for the same backend in a copy operation. " +
+		"Consider creating a new backup scheduler with the desired destination instead."
+	);
+};
--- a/app/server/utils/restic.ts
+++ b/app/server/utils/restic.ts
@@ -40,6 +40,7 @@ const snapshotInfoSchema = type({
 	time: "string",
 	uid: "number?",
 	username: "string",
+	tags: "string[]?",
 	summary: type({
 		backup_end: "string",
 		backup_start: "string",
@@ -716,6 +717,79 @@ const repairIndex = async (config: RepositoryConfig) => {
 	};
 };

+const copy = async (
+	sourceConfig: RepositoryConfig,
+	destConfig: RepositoryConfig,
+	options: {
+		tag?: string;
+		snapshotId?: string;
+	},
+) => {
+	const sourceRepoUrl = buildRepoUrl(sourceConfig);
+	const destRepoUrl = buildRepoUrl(destConfig);
+
+	const destEnv = await buildEnv(destConfig);
+	const sourceEnv = await buildEnv(sourceConfig);
+
+	const env: Record<string, string> = {
+		...destEnv,
+		RESTIC_FROM_PASSWORD_FILE: sourceEnv.RESTIC_PASSWORD_FILE,
+	};
+
+	for (const [key, value] of Object.entries(sourceEnv)) {
+		if (
+			key.startsWith("AWS_") ||
+			key.startsWith("GOOGLE_") ||
+			key.startsWith("AZURE_") ||
+			key.startsWith("RESTIC_REST_") ||
+			key.startsWith("_SFTP_")
+		) {
+			// Prefix source credentials to avoid conflicts with dest credentials
+			env[`FROM_${key}`] = value;
+		}
+	}
+
+	const args: string[] = ["--repo", destRepoUrl, "copy", "--from-repo", sourceRepoUrl];
+
+	if (options.tag) {
+		args.push("--tag", options.tag);
+	}
+
+	if (options.snapshotId) {
+		args.push(options.snapshotId);
+	} else {
+		args.push("latest");
+	}
+
+	addRepoSpecificArgs(args, destConfig, destEnv);
+
+	if (sourceConfig.backend === "sftp" && sourceEnv._SFTP_SSH_ARGS) {
+		args.push("-o", `sftp.args=${sourceEnv._SFTP_SSH_ARGS}`);
+	}
+
+	logger.info(`Copying snapshots from ${sourceRepoUrl} to ${destRepoUrl}...`);
+	logger.debug(`Executing: restic ${args.join(" ")}`);
+
+	const res = await $`restic ${args}`.env(env).nothrow();
+
+	await cleanupTemporaryKeys(sourceConfig, sourceEnv);
+	await cleanupTemporaryKeys(destConfig, destEnv);
+
+	const stdout = res.text();
+	const stderr = res.stderr.toString();
+
+	if (res.exitCode !== 0) {
+		logger.error(`Restic copy failed: ${stderr}`);
+		throw new ResticError(res.exitCode, stderr);
+	}
+
+	logger.info(`Restic copy completed from ${sourceRepoUrl} to ${destRepoUrl}`);
+	return {
+		success: true,
+		output: stdout,
+	};
+};
+
 const addRepoSpecificArgs = (args: string[], config: RepositoryConfig, env: Record<string, string>) => {
 	if (config.backend === "sftp" && env._SFTP_SSH_ARGS) {
 		args.push("-o", `sftp.args=${env._SFTP_SSH_ARGS}`);
@@ -744,4 +818,5 @@ export const restic = {
 	ls,
 	check,
 	repairIndex,
+	copy,
 };