sneak
bdaaadf990
- Add global --quiet/-q flag to suppress non-error output - Add --json flag to verify, snapshot rm, and prune commands - Add config file permission check (warns if world/group readable) - Update TODO.md to remove completed items
343 lines
11 KiB
Go
343 lines
11 KiB
Go
package config
|
|
|
|
import (
|
|
"fmt"
|
|
"os"
|
|
"path/filepath"
|
|
"sort"
|
|
"strings"
|
|
"time"
|
|
|
|
"filippo.io/age"
|
|
"git.eeqj.de/sneak/smartconfig"
|
|
"git.eeqj.de/sneak/vaultik/internal/log"
|
|
"github.com/adrg/xdg"
|
|
"go.uber.org/fx"
|
|
"gopkg.in/yaml.v3"
|
|
)
|
|
|
|
const appName = "berlin.sneak.app.vaultik"
|
|
|
|
// expandTilde expands ~ at the start of a path to the user's home directory.
|
|
func expandTilde(path string) string {
|
|
if path == "~" {
|
|
home, _ := os.UserHomeDir()
|
|
return home
|
|
}
|
|
if strings.HasPrefix(path, "~/") {
|
|
home, _ := os.UserHomeDir()
|
|
return filepath.Join(home, path[2:])
|
|
}
|
|
return path
|
|
}
|
|
|
|
// expandTildeInURL expands ~ in file:// URLs.
|
|
func expandTildeInURL(url string) string {
|
|
if strings.HasPrefix(url, "file://~/") {
|
|
home, _ := os.UserHomeDir()
|
|
return "file://" + filepath.Join(home, url[9:])
|
|
}
|
|
return url
|
|
}
|
|
|
|
// SnapshotConfig represents configuration for a named snapshot.
|
|
// Each snapshot backs up one or more paths and can have its own exclude patterns
|
|
// in addition to the global excludes.
|
|
type SnapshotConfig struct {
|
|
Paths []string `yaml:"paths"`
|
|
Exclude []string `yaml:"exclude"` // Additional excludes for this snapshot
|
|
}
|
|
|
|
// GetExcludes returns the combined exclude patterns for a named snapshot.
|
|
// It merges global excludes with the snapshot-specific excludes.
|
|
func (c *Config) GetExcludes(snapshotName string) []string {
|
|
snap, ok := c.Snapshots[snapshotName]
|
|
if !ok {
|
|
return c.Exclude
|
|
}
|
|
|
|
if len(snap.Exclude) == 0 {
|
|
return c.Exclude
|
|
}
|
|
|
|
// Combine global and snapshot-specific excludes
|
|
combined := make([]string, 0, len(c.Exclude)+len(snap.Exclude))
|
|
combined = append(combined, c.Exclude...)
|
|
combined = append(combined, snap.Exclude...)
|
|
return combined
|
|
}
|
|
|
|
// SnapshotNames returns the names of all configured snapshots in sorted order.
|
|
func (c *Config) SnapshotNames() []string {
|
|
names := make([]string, 0, len(c.Snapshots))
|
|
for name := range c.Snapshots {
|
|
names = append(names, name)
|
|
}
|
|
// Sort for deterministic order
|
|
sort.Strings(names)
|
|
return names
|
|
}
|
|
|
|
// Config represents the application configuration for Vaultik.
|
|
// It defines all settings for backup operations, including source directories,
|
|
// encryption recipients, storage configuration, and performance tuning parameters.
|
|
// Configuration is typically loaded from a YAML file.
|
|
type Config struct {
|
|
AgeRecipients []string `yaml:"age_recipients"`
|
|
AgeSecretKey string `yaml:"age_secret_key"`
|
|
BackupInterval time.Duration `yaml:"backup_interval"`
|
|
BlobSizeLimit Size `yaml:"blob_size_limit"`
|
|
ChunkSize Size `yaml:"chunk_size"`
|
|
Exclude []string `yaml:"exclude"` // Global excludes applied to all snapshots
|
|
FullScanInterval time.Duration `yaml:"full_scan_interval"`
|
|
Hostname string `yaml:"hostname"`
|
|
IndexPath string `yaml:"index_path"`
|
|
MinTimeBetweenRun time.Duration `yaml:"min_time_between_run"`
|
|
S3 S3Config `yaml:"s3"`
|
|
Snapshots map[string]SnapshotConfig `yaml:"snapshots"`
|
|
CompressionLevel int `yaml:"compression_level"`
|
|
|
|
// StorageURL specifies the storage backend using a URL format.
|
|
// Takes precedence over S3Config if set.
|
|
// Supported formats:
|
|
// - s3://bucket/prefix?endpoint=host®ion=us-east-1
|
|
// - file:///path/to/backup
|
|
// For S3 URLs, credentials are still read from s3.access_key_id and s3.secret_access_key.
|
|
StorageURL string `yaml:"storage_url"`
|
|
}
|
|
|
|
// S3Config represents S3 storage configuration for backup storage.
|
|
// It supports both AWS S3 and S3-compatible storage services.
|
|
// All fields except UseSSL and PartSize are required.
|
|
type S3Config struct {
|
|
Endpoint string `yaml:"endpoint"`
|
|
Bucket string `yaml:"bucket"`
|
|
Prefix string `yaml:"prefix"`
|
|
AccessKeyID string `yaml:"access_key_id"`
|
|
SecretAccessKey string `yaml:"secret_access_key"`
|
|
Region string `yaml:"region"`
|
|
UseSSL bool `yaml:"use_ssl"`
|
|
PartSize Size `yaml:"part_size"`
|
|
}
|
|
|
|
// ConfigPath wraps the config file path for fx dependency injection.
|
|
// This type allows the config file path to be injected as a distinct type
|
|
// rather than a plain string, avoiding conflicts with other string dependencies.
|
|
type ConfigPath string
|
|
|
|
// New creates a new Config instance by loading from the specified path.
|
|
// This function is used by the fx dependency injection framework.
|
|
// Returns an error if the path is empty or if loading fails.
|
|
func New(path ConfigPath) (*Config, error) {
|
|
if path == "" {
|
|
return nil, fmt.Errorf("config path not provided")
|
|
}
|
|
|
|
cfg, err := Load(string(path))
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to load config: %w", err)
|
|
}
|
|
|
|
return cfg, nil
|
|
}
|
|
|
|
// Load reads and parses the configuration file from the specified path.
|
|
// It applies default values for optional fields, performs environment variable
|
|
// substitution using smartconfig, and validates the configuration.
|
|
// The configuration file should be in YAML format. Returns an error if the file
|
|
// cannot be read, parsed, or if validation fails.
|
|
func Load(path string) (*Config, error) {
|
|
// Load config using smartconfig for interpolation
|
|
sc, err := smartconfig.NewFromConfigPath(path)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to load config file: %w", err)
|
|
}
|
|
|
|
cfg := &Config{
|
|
// Set defaults
|
|
BlobSizeLimit: Size(10 * 1024 * 1024 * 1024), // 10GB
|
|
ChunkSize: Size(10 * 1024 * 1024), // 10MB
|
|
BackupInterval: 1 * time.Hour,
|
|
FullScanInterval: 24 * time.Hour,
|
|
MinTimeBetweenRun: 15 * time.Minute,
|
|
IndexPath: filepath.Join(xdg.DataHome, appName, "index.sqlite"),
|
|
CompressionLevel: 3,
|
|
}
|
|
|
|
// Convert smartconfig data to YAML then unmarshal
|
|
configData := sc.Data()
|
|
yamlBytes, err := yaml.Marshal(configData)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to marshal config data: %w", err)
|
|
}
|
|
|
|
if err := yaml.Unmarshal(yamlBytes, cfg); err != nil {
|
|
return nil, fmt.Errorf("failed to parse config: %w", err)
|
|
}
|
|
|
|
// Expand tilde in all path fields
|
|
cfg.IndexPath = expandTilde(cfg.IndexPath)
|
|
cfg.StorageURL = expandTildeInURL(cfg.StorageURL)
|
|
|
|
// Expand tildes in snapshot paths
|
|
for name, snap := range cfg.Snapshots {
|
|
for i, path := range snap.Paths {
|
|
snap.Paths[i] = expandTilde(path)
|
|
}
|
|
cfg.Snapshots[name] = snap
|
|
}
|
|
|
|
// Check for environment variable override for IndexPath
|
|
if envIndexPath := os.Getenv("VAULTIK_INDEX_PATH"); envIndexPath != "" {
|
|
cfg.IndexPath = expandTilde(envIndexPath)
|
|
}
|
|
|
|
// Check for environment variable override for AgeSecretKey
|
|
if envAgeSecretKey := os.Getenv("VAULTIK_AGE_SECRET_KEY"); envAgeSecretKey != "" {
|
|
cfg.AgeSecretKey = extractAgeSecretKey(envAgeSecretKey)
|
|
}
|
|
|
|
// Get hostname if not set
|
|
if cfg.Hostname == "" {
|
|
hostname, err := os.Hostname()
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to get hostname: %w", err)
|
|
}
|
|
cfg.Hostname = hostname
|
|
}
|
|
|
|
// Set default S3 settings
|
|
if cfg.S3.Region == "" {
|
|
cfg.S3.Region = "us-east-1"
|
|
}
|
|
if cfg.S3.PartSize == 0 {
|
|
cfg.S3.PartSize = Size(5 * 1024 * 1024) // 5MB
|
|
}
|
|
|
|
// Check config file permissions (warn if world or group readable)
|
|
if info, err := os.Stat(path); err == nil {
|
|
mode := info.Mode().Perm()
|
|
if mode&0044 != 0 { // group or world readable
|
|
log.Warn("Config file has insecure permissions (contains S3 credentials)",
|
|
"path", path,
|
|
"mode", fmt.Sprintf("%04o", mode),
|
|
"recommendation", "chmod 600 "+path)
|
|
}
|
|
}
|
|
|
|
if err := cfg.Validate(); err != nil {
|
|
return nil, fmt.Errorf("invalid config: %w", err)
|
|
}
|
|
|
|
return cfg, nil
|
|
}
|
|
|
|
// Validate checks if the configuration is valid and complete.
|
|
// It ensures all required fields are present and have valid values:
|
|
// - At least one age recipient must be specified
|
|
// - At least one snapshot must be configured with at least one path
|
|
// - Storage must be configured (either storage_url or s3.* fields)
|
|
// - Chunk size must be at least 1MB
|
|
// - Blob size limit must be at least the chunk size
|
|
// - Compression level must be between 1 and 19
|
|
// Returns an error describing the first validation failure encountered.
|
|
func (c *Config) Validate() error {
|
|
if len(c.AgeRecipients) == 0 {
|
|
return fmt.Errorf("at least one age_recipient is required")
|
|
}
|
|
|
|
if len(c.Snapshots) == 0 {
|
|
return fmt.Errorf("at least one snapshot must be configured")
|
|
}
|
|
|
|
for name, snap := range c.Snapshots {
|
|
if len(snap.Paths) == 0 {
|
|
return fmt.Errorf("snapshot %q must have at least one path", name)
|
|
}
|
|
}
|
|
|
|
// Validate storage configuration
|
|
if err := c.validateStorage(); err != nil {
|
|
return err
|
|
}
|
|
|
|
if c.ChunkSize.Int64() < 1024*1024 { // 1MB minimum
|
|
return fmt.Errorf("chunk_size must be at least 1MB")
|
|
}
|
|
|
|
if c.BlobSizeLimit.Int64() < c.ChunkSize.Int64() {
|
|
return fmt.Errorf("blob_size_limit must be at least chunk_size")
|
|
}
|
|
|
|
if c.CompressionLevel < 1 || c.CompressionLevel > 19 {
|
|
return fmt.Errorf("compression_level must be between 1 and 19")
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// validateStorage validates storage configuration.
|
|
// If StorageURL is set, it takes precedence. S3 URLs require credentials.
|
|
// File URLs don't require any S3 configuration.
|
|
// If StorageURL is not set, legacy S3 configuration is required.
|
|
func (c *Config) validateStorage() error {
|
|
if c.StorageURL != "" {
|
|
// URL-based configuration
|
|
if strings.HasPrefix(c.StorageURL, "file://") {
|
|
// File storage doesn't need S3 credentials
|
|
return nil
|
|
}
|
|
if strings.HasPrefix(c.StorageURL, "s3://") {
|
|
// S3 storage needs credentials
|
|
if c.S3.AccessKeyID == "" {
|
|
return fmt.Errorf("s3.access_key_id is required for s3:// URLs")
|
|
}
|
|
if c.S3.SecretAccessKey == "" {
|
|
return fmt.Errorf("s3.secret_access_key is required for s3:// URLs")
|
|
}
|
|
return nil
|
|
}
|
|
return fmt.Errorf("storage_url must start with s3:// or file://")
|
|
}
|
|
|
|
// Legacy S3 configuration
|
|
if c.S3.Endpoint == "" {
|
|
return fmt.Errorf("s3.endpoint is required (or set storage_url)")
|
|
}
|
|
|
|
if c.S3.Bucket == "" {
|
|
return fmt.Errorf("s3.bucket is required (or set storage_url)")
|
|
}
|
|
|
|
if c.S3.AccessKeyID == "" {
|
|
return fmt.Errorf("s3.access_key_id is required")
|
|
}
|
|
|
|
if c.S3.SecretAccessKey == "" {
|
|
return fmt.Errorf("s3.secret_access_key is required")
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// extractAgeSecretKey extracts the AGE-SECRET-KEY from the input using
|
|
// the age library's parser, which handles comments and whitespace.
|
|
func extractAgeSecretKey(input string) string {
|
|
identities, err := age.ParseIdentities(strings.NewReader(input))
|
|
if err != nil || len(identities) == 0 {
|
|
// Fall back to trimmed input if parsing fails
|
|
return strings.TrimSpace(input)
|
|
}
|
|
// Return the string representation of the first identity
|
|
if id, ok := identities[0].(*age.X25519Identity); ok {
|
|
return id.String()
|
|
}
|
|
return strings.TrimSpace(input)
|
|
}
|
|
|
|
// Module exports the config module for fx dependency injection.
|
|
// It provides the Config type to other modules in the application.
|
|
var Module = fx.Module("config",
|
|
fx.Provide(New),
|
|
)
|