2bb910b72c
- brain-backup: daily borg + pg_dump, 7d/4w/3m retention, cron at 3AM
- brain-triage: full system health check (services, ports, firewall,
headers, kernel, app, DB, disk, backups, security scan)
- brain-recover: restore from backup (full/db/configs/app) + emergency
lockdown mode that blocks all external access except LAN SSH
All accessible via /usr/local/bin/brain-{backup,triage,recover}
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
74 lines
2.2 KiB
Bash
Executable File
74 lines
2.2 KiB
Bash
Executable File
#!/bin/bash
|
|
# =============================================================================
|
|
# brain server backup — runs daily via cron
|
|
# Backs up: app, configs, database, nginx, systemd, SSL, fail2ban, sysctl
|
|
# Storage: /var/backups/brain/ (borg repo + pg dumps)
|
|
# Retention: 7 daily, 4 weekly, 3 monthly
|
|
# =============================================================================
|
|
|
|
set -euo pipefail
|
|
BACKUP_DIR="/var/backups/brain"
|
|
BORG_REPO="$BACKUP_DIR/borg-repo"
|
|
PG_DIR="$BACKUP_DIR/pg-dumps"
|
|
LOG="/var/log/brain-backup.log"
|
|
TIMESTAMP=$(date +%Y-%m-%d_%H%M)
|
|
|
|
export BORG_PASSPHRASE=""
|
|
|
|
log() { echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" | tee -a "$LOG"; }
|
|
|
|
log "=== Backup starting ==="
|
|
|
|
# --- PostgreSQL dump ---
|
|
mkdir -p "$PG_DIR"
|
|
log "Dumping PostgreSQL knowledge_base..."
|
|
sudo -u postgres pg_dump -Fc knowledge_base > "$PG_DIR/knowledge_base_${TIMESTAMP}.dump" 2>> "$LOG"
|
|
# Keep last 14 dumps
|
|
ls -t "$PG_DIR"/knowledge_base_*.dump 2>/dev/null | tail -n +15 | xargs -r rm --
|
|
log " pg_dump OK ($(du -sh "$PG_DIR/knowledge_base_${TIMESTAMP}.dump" | cut -f1))"
|
|
|
|
# --- Borg backup ---
|
|
log "Running borg backup..."
|
|
borg create \
|
|
--stats \
|
|
--compression zstd,3 \
|
|
--exclude '*.pyc' \
|
|
--exclude '__pycache__' \
|
|
--exclude '.git' \
|
|
--exclude 'node_modules' \
|
|
"$BORG_REPO::${TIMESTAMP}" \
|
|
/root/llm_team_ui.py \
|
|
/root/llm_team_config.json \
|
|
/home/profit/.env \
|
|
/etc/nginx/sites-available/ \
|
|
/etc/nginx/sites-enabled/ \
|
|
/etc/nginx/nginx.conf \
|
|
/etc/fail2ban/jail.local \
|
|
/etc/fail2ban/jail.d/ \
|
|
/etc/ssh/sshd_config \
|
|
/etc/sysctl.d/99-security.conf \
|
|
/etc/systemd/system/llm-team-ui.service \
|
|
/etc/systemd/system/goaccess.service \
|
|
/etc/systemd/system/ollama.service \
|
|
/etc/systemd/system/minio.service \
|
|
/etc/systemd/system/vault.service \
|
|
/var/backups/brain/pg-dumps/ \
|
|
2>> "$LOG"
|
|
|
|
log " borg OK"
|
|
|
|
# --- Prune old backups ---
|
|
log "Pruning old backups..."
|
|
borg prune \
|
|
--keep-daily=7 \
|
|
--keep-weekly=4 \
|
|
--keep-monthly=3 \
|
|
"$BORG_REPO" 2>> "$LOG"
|
|
|
|
borg compact "$BORG_REPO" 2>> "$LOG"
|
|
log " prune OK"
|
|
|
|
# --- Report ---
|
|
REPO_SIZE=$(du -sh "$BORG_REPO" | cut -f1)
|
|
log "=== Backup complete. Repo size: $REPO_SIZE ==="
|