From a1abfe1bfa28b426192bd1963e5976da7f97208d Mon Sep 17 00:00:00 2001
From: Fred Boniface <fjla@fredboniface.co.uk>
Date: Sun, 8 Feb 2026 20:06:55 +0000
Subject: [PATCH] Add trial restic script - commented by AI - not well though?

---
 scripts/restic.bash | 65 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)
 create mode 100644 scripts/restic.bash

diff --git a/scripts/restic.bash b/scripts/restic.bash
new file mode 100644
index 0000000..370daf0
--- /dev/null
+++ b/scripts/restic.bash
@@ -0,0 +1,65 @@
+#!/bin/bash
+set -e
+
+# -- 1. Secure Environment Setup --
+# We use /tmp to ensure this works on Read-Only filesystems (PSA Restrictive)
+export SSH_DIR="/tmp/.ssh"
+mkdir -p "$SSH_DIR"
+
+# Copy key from K8s Secret mount to /tmp so we can chmod it
+cp "$SSH_KEY_PATH" "$SSH_DIR/key"
+chmod 0600 "$SSH_DIR/key"
+
+# -- 2. Build the "Magic" Command --
+# This string is what Restic will execute instead of the local 'rclone' binary.
+# It pipes Restic's requests directly to the remote server.
+SSH_CMD="ssh -p ${SSH_PORT:-22} -i $SSH_DIR/key -o StrictHostKeyChecking=accept-new ${SSH_USER}@${SSH_HOST}"
+
+# Why 'rclone:remote:/'? 
+# 'remote' is just a placeholder name. 
+# '/' works because the remote authorized_keys forces the directory path.
+REPO="rclone:remote:/"
+
+run_restic() {
+    # -o rclone.program tells Restic to execute our SSH string 
+    # instead of looking for an rclone binary.
+    restic -o rclone.program="$SSH_CMD" -r "$REPO" "$@"
+}
+
+# -- 3. Lifecycle Execution --
+
+echo "--- 1. Initialization Check ---"
+# We try to list snapshots. If it fails, we assume the repo needs init.
+# We suppress stdout to keep logs clean, only showing errors.
+if ! run_restic snapshots > /dev/null 2>&1; then
+    echo "Repository not found. Initializing..."
+    run_restic init
+else
+    echo "Repository exists."
+fi
+
+echo "--- 2. Starting Backup ---"
+run_restic backup "${SOURCE_DIR}" \
+    --tag "${BACKUP_TAG:-Default}" \
+    --verbose
+
+# -- 4. Retention (Optional) --
+if [ -n "$RETENTION_POLICY" ]; then
+    echo "--- 3. Retention & Pruning ---"
+    # shellcheck disable=SC2086
+    run_restic forget --group-by tag --tag "${BACKUP_TAG:-Default}" $RETENTION_POLICY --prune
+fi
+
+# -- 5. Health Check (Optional) --
+if [ "$RUN_CHECK" = "true" ]; then
+    echo "--- 4. Integrity Check ---"
+    # We use a default subset of 5% if not specified, to save bandwidth
+    CHECK_ARGS=${CHECK_ARGS:---read-data-subset=5%}
+    run_restic check $CHECK_ARGS
+fi
+
+# -- 6. Cache Cleanup --
+echo "--- 5. Cache Cleanup ---"
+run_restic cache --cleanup
+
+echo "Backup process completed successfully."
\ No newline at end of file