#!/bin/bash set -e # -- 1. Secure Environment Setup -- # We use /tmp to ensure this works on Read-Only filesystems (PSA Restrictive) export SSH_DIR="/tmp/.ssh" mkdir -p "$SSH_DIR" # Copy key from K8s Secret mount to /tmp so we can chmod it cp "$SSH_KEY_PATH" "$SSH_DIR/key" chmod 0600 "$SSH_DIR/key" # -- 2. Build the "Magic" Command -- # This string is what Restic will execute instead of the local 'rclone' binary. # It pipes Restic's requests directly to the remote server. SSH_CMD="ssh -p ${SSH_PORT:-22} -i $SSH_DIR/key -o StrictHostKeyChecking=accept-new ${SSH_USER}@${SSH_HOST}" # Why 'rclone:remote:/'? # 'remote' is just a placeholder name. # '/' works because the remote authorized_keys forces the directory path. REPO="rclone:remote:/" run_restic() { # -o rclone.program tells Restic to execute our SSH string # instead of looking for an rclone binary. restic -o rclone.program="$SSH_CMD" -r "$REPO" "$@" } # -- 3. Lifecycle Execution -- echo "--- 1. Initialization Check ---" # We try to list snapshots. If it fails, we assume the repo needs init. # We suppress stdout to keep logs clean, only showing errors. if ! run_restic snapshots > /dev/null 2>&1; then echo "Repository not found. Initializing..." run_restic init else echo "Repository exists." fi echo "--- 2. Starting Backup ---" run_restic backup "${SOURCE_DIR}" \ --tag "${BACKUP_TAG:-Default}" \ --verbose # -- 4. Retention (Optional) -- if [ -n "$RETENTION_POLICY" ]; then echo "--- 3. Retention & Pruning ---" # shellcheck disable=SC2086 run_restic forget --group-by tag --tag "${BACKUP_TAG:-Default}" $RETENTION_POLICY --prune fi # -- 5. Health Check (Optional) -- if [ "$RUN_CHECK" = "true" ]; then echo "--- 4. Integrity Check ---" # We use a default subset of 5% if not specified, to save bandwidth CHECK_ARGS=${CHECK_ARGS:---read-data-subset=5%} run_restic check $CHECK_ARGS fi # -- 6. Cache Cleanup -- echo "--- 5. Cache Cleanup ---" run_restic cache --cleanup echo "Backup process completed successfully."