#!/usr/bin/env bash
# = /usr/local/bin/vw-backup.sh (права 700). Запуск по systemd-таймеру vw-backup.timer (03:30 MSK).
set -euo pipefail

VOL="/var/lib/docker/volumes/core_vaultwarden_data/_data"
DEST="/opt/backups/vaultwarden"
KEEP=14
TS="$(date +%Y%m%d-%H%M%S)"
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

mkdir -p "$DEST"

sqlite3 "$VOL/db.sqlite3" ".timeout 10000" ".backup '$WORK/db.sqlite3'"

cp -a "$VOL"/rsa_key*    "$WORK"/ 2>/dev/null || true
cp -a "$VOL"/config.json "$WORK"/ 2>/dev/null || true
cp -a "$VOL"/attachments "$WORK"/ 2>/dev/null || true
cp -a "$VOL"/sends       "$WORK"/ 2>/dev/null || true

ARCHIVE="$DEST/vaultwarden-$TS.tar.gz"
tar -czf "$ARCHIVE" -C "$WORK" .

ls -1t "$DEST"/vaultwarden-*.tar.gz | tail -n +$((KEEP+1)) | xargs -r rm -f

# офсайт 1: Google Drive (обязательный)
rclone copy "$ARCHIVE" gdrive:vaultwarden-backups/
rclone delete --min-age 90d gdrive:vaultwarden-backups/ 2>/dev/null || true

# офсайт 2: домашний SMB через WG (best-effort)
if rclone copy "$ARCHIVE" "homesmb:TOSHIBA EXT/vaultwarden-backups/" 2>/dev/null; then
    rclone delete --min-age 90d "homesmb:TOSHIBA EXT/vaultwarden-backups/" 2>/dev/null || true
    SMB="ok"
else
    SMB="недоступен"
fi

echo "OK: $ARCHIVE ($(du -h "$ARCHIVE" | cut -f1)) -> локально + gdrive + smb:$SMB"