From ea14f2703d7fd900326d926b224c9ce0f9a9e2fa Mon Sep 17 00:00:00 2001
From: Dirk Heilig <heilig@adesso-mobile.de>
Date: Tue, 14 Feb 2023 09:32:15 +0100
Subject: [PATCH] init

---
 Dockerfile       | 12 +++++++++
 Readme.md        | 53 +++++++++++++++++++++++++++++++++++++
 htdocs/index.php | 68 ++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 133 insertions(+)
 create mode 100644 Dockerfile
 create mode 100644 Readme.md
 create mode 100644 htdocs/index.php

diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..547414c
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,12 @@
+FROM debian:buster
+RUN apt-get update \
+  && apt-get upgrade -y \
+  && apt-get install -y apache2 php php-curl php-mbstring \
+  && apt-get clean \
+  && rm -rf /var/lib/apt/lists/*
+RUN rm /var/www/html/index.html
+ADD htdocs /var/www/html
+RUN mkdir /var/www/data
+RUN chown www-data:www-data /var/www/ -R
+EXPOSE 80
+CMD apachectl -D FOREGROUND
diff --git a/Readme.md b/Readme.md
new file mode 100644
index 0000000..f314da4
--- /dev/null
+++ b/Readme.md
@@ -0,0 +1,53 @@
+# restic kumar connector
+
+This is a restic connector for kumar. It allows you to check if you backups did run in time.
+
+## Usage
+
+### Running the Container
+
+Just run the container, ideally using compose and expose port 80, maybe use something like traffic to make it https.
+You could add a volume to /var/www/data to persist the data.
+This is not necessary, but a fresh container will not report functional backups until you reported something.
+If it's nor prevented on a network level for the world to submit data, you might whant to set RKC_USER and RKC_PASS to prevent random people from submitting data.
+You need to use these credentials when reporting to the webservice.
+
+### Reporting
+
+To report your you need to post the output of `restic snapshots` to the webservice, eg:
+
+```bash
+restic snapshots | curl -X POST -d @- http://restic_kumar_reporter/
+```
+
+or
+
+```bash
+restic snapshots | curl -X POST -d @- -u "$USER:$PASS" http://restic_kumar_reporter/
+```
+
+when RKC_USER and RKC_PASS are set.
+
+### Checking with kumar
+
+Just point kumar to your webservice.
+The Output looks something like this:
+
+```
+BACKUP|host1|/opt/mailcow|OK
+BACKUP|host1|/var/lib/docker/volumes|OK
+BACKUP|host2|/opt/docker|OK
+BACKUP|host2|/var/lib/docker/volumes|OK
+BACKUP|host3|/opt/docker|TOO_OLD
+BACKUP|host3|/var/lib/docker/volumes|OK
+BACKUP|host4|/opt/docker|OK
+BACKUP|host4|/var/lib/docker/volumes|OK
+BACKUP|host5|/opt/docker|TOO_OLD
+BACKUP|host5|/var/lib/docker/volumes|TOO_OLD
+
+```
+
+output is always sorted by host and path. so you might check a whole block of hosts at once.
+
+A Backup is okay if it is not older than X hours (default 28).
+You can change this by requesting with `?maxage=XX` where XX is the maximum age in hours.
diff --git a/htdocs/index.php b/htdocs/index.php
new file mode 100644
index 0000000..3bb5dec
--- /dev/null
+++ b/htdocs/index.php
@@ -0,0 +1,68 @@
+<?php
+
+if ($_SERVER["REQUEST_METHOD"] === "POST") {
+    $user = getenv("RKC_USER");
+    $pass = getenv("RKC_PASS");
+    if (false !== $user or false !== $pass) {
+        if (
+            !isset($_SERVER["PHP_AUTH_USER"]) ||
+            !isset($_SERVER["PHP_AUTH_PW"]) ||
+            $_SERVER["PHP_AUTH_USER"] !== $user ||
+            $_SERVER["PHP_AUTH_PW"] !== $pass
+        ) {
+            header('WWW-Authenticate: Basic realm="RKC"');
+            header("HTTP/1.0 401 Unauthorized");
+            echo "You are not authorized to access this page.";
+            exit();
+        }
+    }
+
+    $resticData = file_get_contents("php://input");
+    $resticData = explode("\n", $resticData);
+    $backups = [];
+    foreach ($resticData as $snapshot) {
+        if (
+            !preg_match(
+                "/^(?<id>[a-z0-9]{8}) +(?<year>\d{4})-(?<month>\d{2})-(?<day>\d{2}) +(?<hour>\d{2}):+(?<minute>\d{2}):+(?<second>\d{2}) +(?<host>[^ ]+) +(?<path>[^ ]+).*/",
+                $snapshot,
+                $m
+            )
+        ) {
+            continue;
+        }
+        $backupName = $m["host"] . "|" . $m["path"];
+        if (!isset($backups[$backupName])) {
+            $backups[$backupName] = 0;
+        }
+        $backupTime = mktime(
+            $m["hour"],
+            $m["minute"],
+            $m["second"],
+            $m["month"],
+            $m["day"],
+            $m["year"]
+        );
+        if ($backupTime > $backups[$backupName]) {
+            $backups[$backupName] = $backupTime;
+        }
+    }
+    ksort($backups);
+    file_put_contents(
+        "/var/www/data/backups.json",
+        json_encode($backups, JSON_UNESCAPED_SLASHES + JSON_PRETTY_PRINT)
+    );
+    exit();
+}
+header("Content-Type: text/plain");
+$maxAge = isset($_GET["maxage"]) ? intval($_GET["maxage"]) : 28;
+$maxAge = $maxAge * 60 * 60;
+$backups = json_decode(file_get_contents("/var/www/data/backups.json"), true);
+foreach ($backups as $backupName => $backupTime) {
+    echo "BACKUP|$backupName|";
+    if ($backupTime + $maxAge < time()) {
+        echo "TOO_OLD";
+    } else {
+        echo "OK";
+    }
+    echo "\n";
+}