diff --git a/manifest.jps b/manifest.jps index 7625abc..3b5a987 100644 --- a/manifest.jps +++ b/manifest.jps @@ -322,9 +322,36 @@ actions: head /dev/urandom | tr -dc A-Za-z0-9 | head -c 16 | sudo tee /etc/restic-password fi - # Set the correct permissions and ownership for the password file - sudo chown litespeed:litespeed /etc/restic-password - sudo chmod 640 /etc/restic-password + # Detect web server environment and set appropriate ownership + WEB_USER="" + if id "litespeed" &>/dev/null; then + WEB_USER="litespeed" + elif id "nginx" &>/dev/null; then + WEB_USER="nginx" + elif id "www-data" &>/dev/null; then + WEB_USER="www-data" + elif id "apache" &>/dev/null; then + WEB_USER="apache" + else + WEB_USER="root" + fi + + echo "Detected web server user: $WEB_USER" + + # Set ownership with fallback to root + if [ "$WEB_USER" != "root" ]; then + sudo chown $WEB_USER:$WEB_USER /etc/restic-password + # Make readable by all users in case of permission issues + sudo chmod 644 /etc/restic-password + else + sudo chown root:root /etc/restic-password + sudo chmod 644 /etc/restic-password + fi + + # Ensure backup directories exist with proper permissions + sudo mkdir -p /mnt/backups + sudo chown $WEB_USER:$WEB_USER /mnt/backups + sudo chmod 755 /mnt/backups # Set up log rotation for backup logs echo "/var/log/backup_addon.log { diff --git a/scripts/imports/check_repo_stats.sh b/scripts/imports/check_repo_stats.sh index 31c4ca6..98338fa 100644 --- a/scripts/imports/check_repo_stats.sh +++ b/scripts/imports/check_repo_stats.sh 
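Review bot: `sudo chmod 644 /etc/restic-password` in both branches of the new ownership block makes the restic repository password readable by every local account, where the removed code used 640. The added `sudo chmod 755 /mnt/backups` also lets any account traverse the backup directory, so, depending on the modes of the repository files (not shown in this hunk), the password may be all that separates a local user from the backup contents. Keep the secret group-restricted instead, e.g. `sudo chown "root:$WEB_USER" /etc/restic-password` with `sudo chmod 640 /etc/restic-password`, and use `sudo chmod 750 /mnt/backups`. `$WEB_USER` is also unquoted in both `chown` calls, and the `id` chain picks the first account that exists rather than the one the web server actually runs as, which deserves a comment.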
@@ -18,6 +18,71 @@ log_message() { echo "[$(date +'%Y-%m-%d %H:%M:%S')] $1" | tee -a "$LOG_FILE" } +# Function: Get Restic Password with robust access handling +get_restic_password() { + local password="" + + # Method 1: Try direct file access (works for root and litespeed users) + if [ -f "$PASSWORD_FILE" ] && [ -r "$PASSWORD_FILE" ]; then + password=$(cat "$PASSWORD_FILE" 2>/dev/null || echo "") + if [ -n "$password" ]; then + log_message "Password accessed directly from $PASSWORD_FILE" + echo "$password" + return 0 + fi + fi + + # Method 2: Try sudo access (for non-root users who can sudo) + if [ "$EUID" -ne 0 ] && command -v sudo >/dev/null 2>&1; then + if sudo -n test -r "$PASSWORD_FILE" 2>/dev/null; then + password=$(sudo cat "$PASSWORD_FILE" 2>/dev/null || echo "") + if [ -n "$password" ]; then + log_message "Password accessed via sudo from $PASSWORD_FILE" + echo "$password" + return 0 + fi + fi + fi + + # Method 3: Check if running as root but password file has wrong permissions + if [ "$EUID" -eq 0 ] && [ -f "$PASSWORD_FILE" ]; then + password=$(cat "$PASSWORD_FILE" 2>/dev/null || echo "") + if [ -n "$password" ]; then + log_message "Password accessed as root from $PASSWORD_FILE" + echo "$password" + return 0 + fi + fi + + # Method 4: Environment variable fallback + if [ -n "$RESTIC_PASSWORD" ]; then + log_message "Using RESTIC_PASSWORD environment variable" + echo "$RESTIC_PASSWORD" + return 0 + fi + + # Method 5: Check alternative locations + local alt_locations=( + "/home/jelastic/.restic-password" + "/home/litespeed/.restic-password" + "/home/nginx/.restic-password" + "/root/.restic-password" + ) + + for alt_file in "${alt_locations[@]}"; do + if [ -f "$alt_file" ] && [ -r "$alt_file" ]; then + password=$(cat "$alt_file" 2>/dev/null || echo "") + if [ -n "$password" ]; then + log_message "Password found at alternative location: $alt_file" + echo "$password" + return 0 + fi + fi + done + + return 1 +} + # Function: Validate dependencies 
validate_dependencies() { for cmd in restic; do 
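Review bot: Every success branch of `get_restic_password` calls `log_message` before `echo "$password"`, and `log_message` (context lines at the top of this hunk) pipes through `tee -a "$LOG_FILE"`, which also writes to stdout. The caller added in the next hunk captures stdout with `restic_password=$(get_restic_password)`, so the exported `RESTIC_PASSWORD` would hold the timestamped log line followed by the password, and repository access would fail. Send the log call to stderr inside this function, e.g. `log_message "Password accessed directly from $PASSWORD_FILE" >&2`, in all five branches, and emit the secret with `printf '%s\n' "$password"`. Method 3 looks unreachable in practice, since for root the `[ -r "$PASSWORD_FILE" ]` test in Method 1 would normally already succeed. The home-directory fallbacks in Method 5 read files this commit never creates or permission-checks, so a comment on who is expected to own them would help.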
@@ -28,20 +93,42 @@ validate_dependencies() { done } -# Function: Validate repository access +# Function: Validate repository access with robust password handling validate_repository() { - if [ ! -f "$PASSWORD_FILE" ]; then - log_message "ERROR: Password file not found at $PASSWORD_FILE." + log_message "Attempting to access Restic repository..." + + # Get password using robust method + local restic_password + if ! restic_password=$(get_restic_password); then + log_message "ERROR: Unable to access Restic password from any source." + log_message "Checked locations:" + log_message " - Primary: $PASSWORD_FILE" + log_message " - Environment: RESTIC_PASSWORD" + log_message " - Alternative locations in home directories" + log_message "Current user: $(whoami) (UID: $EUID)" + log_message "Password file permissions: $(ls -la $PASSWORD_FILE 2>/dev/null || echo 'File not found')" exit 1 fi - export RESTIC_PASSWORD=$(cat "$PASSWORD_FILE") + + # Export password and repository + export RESTIC_PASSWORD="$restic_password" export RESTIC_REPOSITORY="$BACKUP_REPO_PATH" + # Test repository access if ! restic snapshots &>/dev/null; then - log_message "ERROR: Unable to access the Restic repository. Check password and repository path." + log_message "ERROR: Unable to access the Restic repository at $BACKUP_REPO_PATH" + log_message "Repository path exists: $([ -d "$BACKUP_REPO_PATH" ] && echo 'Yes' || echo 'No')" + log_message "Repository contents: $(ls -la "$BACKUP_REPO_PATH" 2>/dev/null | wc -l || echo '0') items" + + # Check if repository needs initialization + if [ ! -d "$BACKUP_REPO_PATH" ] || [ -z "$(ls -A "$BACKUP_REPO_PATH" 2>/dev/null)" ]; then + log_message "Repository appears to be empty or non-existent. It may need initialization." + log_message "Run check_backup_repo.sh to initialize the repository." + fi exit 1 fi - log_message "Repository access validated." + + log_message "Repository access validated successfully." } # Function: Check repository stats 
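Review bot: `$PASSWORD_FILE` is unquoted in `$(ls -la $PASSWORD_FILE 2>/dev/null || echo 'File not found')` inside `validate_repository`, so a path with spaces or glob characters would be split or expanded; quote it as `"$PASSWORD_FILE"`. In the repository diagnostics, `ls -la "$BACKUP_REPO_PATH" 2>/dev/null | wc -l || echo '0'` counts the `total` line plus `.` and `..`, and without `pipefail` the `|| echo '0'` never runs because the pipeline's status is that of `wc`; `ls -A "$BACKUP_REPO_PATH" 2>/dev/null | wc -l` reports the real entry count. `restic snapshots &>/dev/null` discards restic's own error text, so the log cannot tell a wrong password from a missing repository; writing its stderr to the log would make the initialization hint below it more reliable.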
@@ -96,6 +183,9 @@ perform_integrity_check() { # Main execution main() { log_message "Starting repository stats check and maintenance..." + log_message "Running as user: $(whoami) (UID: $EUID)" + log_message "Repository path: $BACKUP_REPO_PATH" + validate_dependencies validate_repository check_and_remove_stale_locks