fix(backup): bundle the whole forgejo /data (app.ini + ssh host keys)

The backup tarred only /data/git, but CONTRACT_004 §4.2 requires the git
repos AND app.ini AND the host SSH keys — without app.ini a restored Forgejo
has no DB/S3 config and won't start. Discovered during the T13 DR rehearsal:
restore reached Forgejo and it had nothing to configure from.

Tar the whole /data volume (git/, gitea/conf/app.ini, ssh/ssh_host_*). It is
~1 MB at Layer 0 — the DB and LFS/packages are externalised to Postgres +
RustFS, so /data holds no large recreatable state. Restored end-to-end on a
fresh VM: Forgejo comes up fully configured against the restored PG + RustFS.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Andreas Niemann 2026-06-30 23:58:07 +02:00
parent 82c34c9a42
commit 4cc5d10f51

@ -30,9 +30,12 @@ mkdir -p "$W"
echo "[backup] postgres pg_dumpall" >&2
docker exec foundation-postgres pg_dumpall -U postgres | gzip > "$W/postgres.sql.gz"
echo "[backup] forgejo git repos (tar.zst)" >&2
# Forgejo keeps repos under /data/git; use the container's own tar (no extra image).
docker exec foundation-forgejo sh -c 'tar -C /data -cf - git' | zstd -q -T0 > "$W/forgejo-repos.tar.zst"
echo "[backup] forgejo data volume (tar.zst)" >&2
# CONTRACT_004 §4.2 needs the git repos AND app.ini AND the host SSH keys — all live
# in the /data volume (git/, gitea/conf/app.ini, ssh/ssh_host_*). Tar the WHOLE volume
# (it is ~1 MB; the DB + LFS/packages are externalised to PG + RustFS, so /data has no
# large recreatable state at Layer 0). Use the container's own tar (no extra image).
docker exec foundation-forgejo sh -c 'tar -C /data -cf - .' | zstd -q -T0 > "$W/forgejo-repos.tar.zst"
echo "[backup] vault raft snapshot" >&2
docker exec -e VAULT_ADDR=http://127.0.0.1:8200 -e VAULT_TOKEN="$VAULT_TOKEN" foundation-vault \
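Review bot: The new `tar -C /data -cf - .` line still writes to `$W/forgejo-repos.tar.zst`, but the archive now carries the `ssh/ssh_host_*` host keys and `app.ini` with the DB/S3 config, so it is a secrets artifact rather than a repo dump. Rename the output (for example `forgejo-data.tar.zst`) together with whatever restore step reads the old name, and confirm that `$W` is created with restrictive permissions and that the archive is encrypted before it leaves the host, since neither is visible in this hunk. Also check that the script sets `set -o pipefail`: without it a failing `docker exec ... tar` is masked by a successful `zstd` and a truncated archive passes as a complete backup.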