steve/restic-manager
1
0
Fork 0
Code Issues Pull Requests Actions Projects Releases 1 Wiki Activity

P1 polish: agent-as-root, init-repo flow, rest creds passthrough, UX fixes

Browse Source 
Cohesive batch from a smoke-test session against a real rest-server.
Themed bullets:

* Agent runs as root, sandboxed via systemd. CapabilityBoundingSet
  drops to CAP_DAC_READ_SEARCH + restore caps; ProtectSystem=strict
  with ReadWritePaths confined to /etc + /var/lib/restic-manager;
  NoNewPrivileges blocks escalation. Install script no longer
  creates a service user. spec.md §4.2 / §14.1 / §14.3 explain the
  rationale (matches UrBackup / Veeam / Bareos defaults; trying to
  back up "everything" as an unprivileged user creates silent skips
  on /home, /root, /var/lib/* with no upside vs the threat model
  the agent already implies).

* Init-repo end-to-end. New JobKind="init" wired through agent
  runner, restic.Env.RunInit, server dispatcher, and a UI button
  (red "Initialise repo" in the run-now panel). hosts.repo_initialised_at
  flips on init success, on backup success, or on a non-empty
  snapshots.report. The "Run now" / "Init" / "Retry" branching now
  drives both the dashboard host row and the host-detail panel.
  Migrations 0004 (column), 0005 (jobs.kind CHECK widened — using
  the safe create-new-then-rename pattern; first version corrupted
  job_logs.job_id FK), 0006 (cleans up job_logs FK on already-
  affected DBs).

* rest-server creds embedded at exec time only. restic.Env gains
  RepoUsername; mergeRestCreds() builds the user:pass@-prefixed URL
  inside envSlice() and never assigns it back to the struct, so
  nothing slog-able ever sees the cleartext form. RedactURL helper
  for any future surface that needs to log a URL safely. Both
  helpers tested.

* Add-host UX. Repo password is now optional — server mints a
  24-byte URL-safe random one and surfaces it once, alongside an
  htpasswd snippet ("echo PASS | htpasswd -B -i ... USERNAME") so
  the operator pastes one command on the rest-server host and one
  on the endpoint. Result page also links the install snippet at
  /install/install.sh (was /install.sh — 404'd before) and pipes
  to bash (not sh — script uses set -o pipefail and other
  bashisms; on Debian/Ubuntu sh is dash).

* Late-subscriber race in JobHub. A fast-failing job could finish
  (DB write + Broadcast) before the browser's HX-Redirect → page
  load → WS-connect path completed, so the JS sat forever waiting
  on a job.finished that already passed. JobHub split into
  Register + Send + Run; handleJobStream now subscribes first,
  re-fetches the job, and sends a synthetic job.finished if the
  state is already terminal.

* HTMX error visibility. New toast partial listens to
  htmx:responseError and surfaces the response body as a
  bottom-right toast — every server-side validation error now
  becomes visible without per-handler JS wiring. Also handles
  custom rm:toast events for future server-pushed notifications
  via the HX-Trigger header. Themed via existing CSS vars.

* Dashboard rows are now whole-row clickable to host detail
  (CSS card-link pattern: absolute-positioned anchor + .row-action
  z-index restoration so the action button stays clickable).
  "View →" on a running job links to /jobs/<id> rather than
  /hosts/<id> since the row click already covers the host page.

* "Run first" / "Run first backup" → "Run now" everywhere for
  consistency.

* runbook (docs/e2e-smoke.md) updated — live-log streaming step
  now reflects P1-26; mentions the browser-driven Run-now flow.

* _diag/dump-creds — moved out of cmd/ so go build doesn't pick
  it up; .gitignore now excludes /_diag/ entirely.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Steve Cliff
2026-05-02 11:02:12 +01:00
parent 8aa635f0c1
commit c8ead66f08
29 changed files with 885 additions and 129 deletions
Download Patch File Download Diff File Expand all files Collapse all files
web/static/css/styles.css
+1 -1
View File
File diff suppressed because one or more lines are too long
web/styles/input.css
+11
View File
@@ -174,6 +174,17 @@
.host-row.failed { border-left-color: color-mix(in oklch, var(--bad), transparent 50%); }
.host-row.offline { border-left-color: color-mix(in oklch, var(--off), transparent 70%); }
.host-row:hover { background: var(--panel-hi); }
/* Whole-row click → host detail. The action cell sits above via
z-index so its button keeps working. */
.host-row.clickable { position: relative; }
.host-row.clickable .row-link {
position: absolute; inset: 0; z-index: 0;
text-indent: -9999px; overflow: hidden;
}
.host-row.clickable:hover { cursor: pointer; }
.host-row.clickable > * { position: relative; z-index: 1; pointer-events: none; }
.host-row.clickable > .row-link { pointer-events: auto; }
.host-row.clickable > .row-action { pointer-events: auto; }
/* ---------- log viewer ---------- */
.log {
web/templates/layouts/base.html
+2
View File
@@ -18,6 +18,8 @@
{{block "content" .}}{{end}}
</main>
{{template "toast" .}}
</body>
</html>
{{end}}
web/templates/pages/add_host.html
+33 -9
View File
@@ -68,9 +68,9 @@
<div class="field-help">For <span class="mono text-ink-mid">rest-server</span> with htpasswd, this is the per-host user.</div>
</div>
<div class="mb-7">
<label class="field-label" for="ah-pass">Repo password</label>
<input id="ah-pass" name="repo_password" type="password" class="field" required>
<div class="field-help">Encrypted at rest using the servers AEAD key. Pushed to the agent only over the authenticated WebSocket.</div>
<label class="field-label" for="ah-pass">Repo password <span class="text-ink-fade font-normal">· optional — leave blank to generate</span></label>
<input id="ah-pass" name="repo_password" type="password" class="field">
<div class="field-help">Encrypted at rest using the servers AEAD key, pushed to the agent only over the authenticated WebSocket. Leave blank and well mint a 24-byte URL-safe random password and surface it once on the next page (alongside the <span class="mono text-ink-mid">htpasswd</span> snippet youll need to run on the rest-server).</div>
</div>
<div class="flex gap-2 pt-5 border-t border-line-soft">
@@ -135,18 +135,42 @@
dashboard within a few seconds of the agent connecting.
</p>
<div class="snippet mt-6 panel">
<div class="snippet-head">
<span>Install command · paste-and-run</span>
{{if and $page.RepoUsername $page.RepoPassword}}
<div class="snippet mt-6 panel" style="border-color: color-mix(in oklch, var(--warn), transparent 60%);">
<div class="snippet-head" style="background: color-mix(in oklch, var(--warn), transparent 92%);">
<span>
Run on the rest-server box first
{{if $page.PasswordGenerated}}
<span class="mono text-[10.5px] px-1.5 py-0.5 ml-2 rounded-[3px]"
style="background: color-mix(in oklch, var(--ok), transparent 88%); color: var(--ok); border: 1px solid color-mix(in oklch, var(--ok), transparent 70%);">password generated</span>
{{end}}
<span class="text-ink-fade ml-2">· this is the only time youll see the password</span>
</span>
<div class="flex gap-2">
<button type="button" class="btn"
data-snippet="curl -fsSL {{$page.ServerURL}}/install.sh | sudo RM_SERVER={{$page.ServerURL}} RM_TOKEN={{$page.Token}} sh"
data-snippet="echo '{{$page.RepoPassword}}' | sudo htpasswd -B -i /path/to/htpasswd {{$page.RepoUsername}}"
onclick="navigator.clipboard.writeText(this.dataset.snippet); this.textContent='Copied'; setTimeout(()=>this.textContent='Copy', 2000);">Copy</button>
</div>
</div>
<pre>curl -fsSL <span class="var">{{$page.ServerURL}}/install.sh</span> | sudo \
<pre>echo '<span class="var">{{$page.RepoPassword}}</span>' | sudo htpasswd -B -i <span class="var">/path/to/htpasswd</span> <span class="var">{{$page.RepoUsername}}</span></pre>
<div class="px-4 pt-1 pb-3 text-[12px] text-ink-mute leading-[1.55]">
Replace <span class="mono text-ink-mid">/path/to/htpasswd</span> with whatever your <span class="mono text-ink-mid">restic/rest-server</span> reads (typically the file passed via <span class="mono text-ink-mid">--htpasswd-file</span>, or <span class="mono text-ink-mid">/data/.htpasswd</span> in the official Docker image). The <span class="mono text-ink-mid">-i</span> flag reads the password from stdin so it never appears in your shells process list. Then either send <span class="mono text-ink-mid">SIGHUP</span> to the rest-server process or restart the container to pick up the new entry.
</div>
</div>
{{end}}
<div class="snippet mt-4 panel">
<div class="snippet-head">
<span>Install command · paste-and-run on the host youre backing up</span>
<div class="flex gap-2">
<button type="button" class="btn"
data-snippet="curl -fsSL {{$page.ServerURL}}/install/install.sh | sudo RM_SERVER={{$page.ServerURL}} RM_TOKEN={{$page.Token}} bash"
onclick="navigator.clipboard.writeText(this.dataset.snippet); this.textContent='Copied'; setTimeout(()=>this.textContent='Copy', 2000);">Copy</button>
</div>
</div>
<pre>curl -fsSL <span class="var">{{$page.ServerURL}}/install/install.sh</span> | sudo \
RM_SERVER=<span class="var">{{$page.ServerURL}}</span> \
RM_TOKEN=<span class="var">{{$page.Token}}</span> sh</pre>
RM_TOKEN=<span class="var">{{$page.Token}}</span> bash</pre>
</div>
<div class="grid grid-cols-12 gap-6 mt-7">
web/templates/pages/host_detail.html
+30 -9
View File
@@ -38,13 +38,19 @@
</div>
</div>
<div class="flex items-center gap-2">
{{if ne $host.Status "offline"}}
{{if eq $host.Status "offline"}}
<button class="btn" disabled title="agent is offline">Run backup now</button>
{{else if not $host.RepoInitialisedAt}}
<button class="btn btn-danger"
hx-post="/hosts/{{$host.ID}}/init-repo"
hx-swap="none"
hx-disabled-elt="this"
title="restic repo not yet initialised — run this once before the first backup">Initialise repo</button>
{{else}}
<button class="btn btn-primary"
hx-post="/hosts/{{$host.ID}}/run-backup"
hx-swap="none"
hx-disabled-elt="this">Run backup now</button>
{{else}}
<button class="btn" disabled title="agent is offline">Run backup now</button>
{{end}}
<button class="btn">Edit credentials</button>
<button class="btn btn-ghost text-base px-2.5"></button>
@@ -113,10 +119,17 @@
</p>
{{if ne $host.Status "offline"}}
<div class="mt-5">
<button class="btn btn-primary"
hx-post="/hosts/{{$host.ID}}/run-backup"
hx-swap="none"
hx-disabled-elt="this">Run first backup</button>
{{if not $host.RepoInitialisedAt}}
<button class="btn btn-danger"
hx-post="/hosts/{{$host.ID}}/init-repo"
hx-swap="none"
hx-disabled-elt="this">Initialise repo</button>
{{else}}
<button class="btn btn-primary"
hx-post="/hosts/{{$host.ID}}/run-backup"
hx-swap="none"
hx-disabled-elt="this">Run now</button>
{{end}}
</div>
{{end}}
</div>
@@ -162,10 +175,18 @@
<div class="panel rounded-[7px] px-4 py-3.5">
<div class="text-[11px] text-ink-fade uppercase tracking-[0.1em] mb-2.5">Run-now</div>
<div class="flex flex-col gap-1.5">
<button class="btn justify-start w-full {{if eq $host.Status "offline"}}opacity-50 cursor-not-allowed pointer-events-none{{end}}"
{{if not $host.RepoInitialisedAt}}
<button class="btn justify-start w-full text-bad font-medium {{if eq $host.Status "offline"}}opacity-50 cursor-not-allowed pointer-events-none{{end}}"
hx-post="/hosts/{{$host.ID}}/init-repo"
hx-swap="none"
hx-disabled-elt="this"
title="restic repo not yet initialised — click to run `restic init` once">init</button>
{{end}}
<button class="btn justify-start w-full {{if or (eq $host.Status "offline") (not $host.RepoInitialisedAt)}}opacity-50 cursor-not-allowed pointer-events-none{{end}}"
hx-post="/hosts/{{$host.ID}}/run-backup"
hx-swap="none"
hx-disabled-elt="this">backup</button>
hx-disabled-elt="this"
{{if not $host.RepoInitialisedAt}}title="initialise the repo first"{{end}}>backup</button>
<button class="btn justify-start w-full" disabled title="lands with P2-05">forget <span class="text-[10px] text-ink-fade ml-1.5">P2</span></button>
<button class="btn justify-start w-full" disabled title="lands with P2-06">prune <span class="text-[10px] text-ink-fade ml-1.5">admin</span></button>
<button class="btn justify-start w-full" disabled title="lands with P2-07">check <span class="text-[10px] text-ink-fade ml-1.5">P2</span></button>
web/templates/partials/host_row.html
+10 -8
View File
@@ -1,5 +1,6 @@
{{define "host_row"}}
<div class="row-hover host-row hairline {{.Status}}{{if eq (deref .LastBackupStatus) "failed"}} failed{{end}}">
<div class="row-hover host-row clickable hairline {{.Status}}{{if eq (deref .LastBackupStatus) "failed"}} failed{{end}}">
<a href="/hosts/{{.ID}}" class="row-link" aria-label="Open {{.Name}}">{{.Name}}</a>
<div>
{{- if eq .Status "online" -}}
<span class="dot dot-online{{if .CurrentJobID}} pulse{{end}}"></span>
@@ -45,21 +46,22 @@
<span class="tag">{{.}}</span>
{{- end -}}
</div>
<div class="text-right">
<div class="text-right row-action">
{{- if eq .Status "offline" -}}
<span class="mono text-xs text-ink-fade">offline</span>
{{- else if .CurrentJobID -}}
<a href="/hosts/{{.ID}}" class="btn btn-ghost">View →</a>
<a href="/jobs/{{deref .CurrentJobID}}" class="btn btn-ghost">View job </a>
{{- else if not .RepoInitialisedAt -}}
<button class="btn btn-danger"
hx-post="/hosts/{{.ID}}/init-repo"
hx-swap="none"
hx-disabled-elt="this"
title="restic repo not yet initialised">Init repo</button>
{{- else if eq (deref .LastBackupStatus) "failed" -}}
<button class="btn"
hx-post="/hosts/{{.ID}}/run-backup"
hx-swap="none"
hx-disabled-elt="this">Retry</button>
{{- else if eq .SnapshotCount 0 -}}
<button class="btn"
hx-post="/hosts/{{.ID}}/run-backup"
hx-swap="none"
hx-disabled-elt="this">Run first</button>
{{- else -}}
<button class="btn"
hx-post="/hosts/{{.ID}}/run-backup"
web/templates/partials/toast.html
+108
View File
@@ -0,0 +1,108 @@
{{define "toast"}}
{{/*
Global toast notifications.
Two trigger paths:
1. htmx:responseError — fires on any 4xx/5xx HTMX response. We
grab the response body (already a plain-text human message)
and show it as an error toast.
2. rm:toast — custom DOM event the server can fire from any
handler by setting the HX-Trigger header to:
HX-Trigger: {"rm:toast":{"level":"info","message":"…"}}
Levels: error|warn|info|success.
Toasts auto-dismiss after 5s; click to dismiss early.
*/}}
<div id="toast-container"
class="fixed bottom-5 right-5 z-50 flex flex-col gap-2 pointer-events-none"></div>
<style>
.rm-toast {
pointer-events: auto;
min-width: 280px;
max-width: 480px;
padding: 11px 14px 12px;
border-radius: 7px;
border: 1px solid var(--line);
background: var(--panel);
color: var(--ink);
box-shadow: 0 6px 24px -8px rgba(0,0,0,0.35);
font-size: 13px;
line-height: 1.5;
display: flex;
gap: 10px;
align-items: flex-start;
transform: translateX(8px);
opacity: 0;
transition: transform 180ms ease-out, opacity 180ms ease-out;
}
.rm-toast.shown { transform: translateX(0); opacity: 1; }
.rm-toast.fading { opacity: 0; transform: translateX(12px); }
.rm-toast .rm-toast-tag {
font-family: var(--mono, ui-monospace, SFMono-Regular, monospace);
font-size: 10.5px;
text-transform: uppercase;
letter-spacing: 0.06em;
padding: 2px 6px;
border-radius: 3px;
flex: none;
}
.rm-toast.lvl-error { border-color: color-mix(in oklch, var(--bad), transparent 50%); }
.rm-toast.lvl-error .rm-toast-tag { background: color-mix(in oklch, var(--bad), transparent 85%); color: var(--bad); }
.rm-toast.lvl-warn { border-color: color-mix(in oklch, var(--warn), transparent 50%); }
.rm-toast.lvl-warn .rm-toast-tag { background: color-mix(in oklch, var(--warn), transparent 85%); color: var(--warn); }
.rm-toast.lvl-success{ border-color: color-mix(in oklch, var(--ok), transparent 50%); }
.rm-toast.lvl-success.rm-toast-tag,
.rm-toast.lvl-success .rm-toast-tag { background: color-mix(in oklch, var(--ok), transparent 85%); color: var(--ok); }
.rm-toast.lvl-info .rm-toast-tag { background: color-mix(in oklch, var(--accent), transparent 85%); color: var(--accent); }
.rm-toast .rm-toast-msg { flex: 1; word-break: break-word; }
</style>
<script>
(function() {
const container = document.getElementById('toast-container');
const TAGS = { error: 'ERR', warn: 'WARN', success: 'OK', info: 'INFO' };
function showToast(message, level) {
if (!container) return;
level = level || 'info';
const t = document.createElement('div');
t.className = 'rm-toast lvl-' + level;
const tag = document.createElement('span');
tag.className = 'rm-toast-tag';
tag.textContent = TAGS[level] || level.toUpperCase();
const body = document.createElement('span');
body.className = 'rm-toast-msg';
body.textContent = message;
t.appendChild(tag);
t.appendChild(body);
t.addEventListener('click', () => dismiss(t));
container.appendChild(t);
requestAnimationFrame(() => t.classList.add('shown'));
setTimeout(() => dismiss(t), 5000);
}
function dismiss(t) {
if (!t.parentNode) return;
t.classList.add('fading');
setTimeout(() => t.remove(), 220);
}
// 1. HTMX 4xx/5xx → error toast with the response body verbatim.
document.body.addEventListener('htmx:responseError', (e) => {
const xhr = e.detail.xhr;
let msg = (xhr.responseText || '').trim();
if (!msg) msg = 'Request failed (' + xhr.status + ')';
showToast(msg, 'error');
});
// 2. Server-pushed custom events via HX-Trigger header. Payload
// can be a string (treated as info) or {level, message}.
document.body.addEventListener('rm:toast', (e) => {
const d = e.detail || {};
if (typeof d === 'string') return showToast(d, 'info');
showToast(d.message || 'Done', d.level || 'info');
});
})();
</script>
{{end}}