#!/bin/bash
# Vaultwarden backup — uses built-in container backup command (safe with live DB).
# Runs every 3 days via root crontab. Keeps last 5 backups.
# Notifies Zabbix (item vaultwarden.backup.ts, id 70368 on AgapHost) after success.

set -euo pipefail

BACKUP_DIR="/mnt/backups/vaultwarden"
DATA_DIR="/mnt/ssd/dbs/vw-data"
DATE=$(date '+%Y%m%d-%H%M')
DEST="$BACKUP_DIR/$DATE"

mkdir -p "$DEST"

# Run built-in backup inside container — writes db_<timestamp>.sqlite3 to /data/ on the host
docker exec vaultwarden /vaultwarden backup 2>&1

# Move the newly created sqlite3 backup file out of the data dir
find "$DATA_DIR" -maxdepth 1 -name 'db_*.sqlite3' -newer "$DATA_DIR/db.sqlite3" | xargs -r mv -t "$DEST/"

# Copy config and RSA keys
cp "$DATA_DIR/config.json" "$DEST/"
cp "$DATA_DIR"/rsa_key* "$DEST/"
[ -d "$DATA_DIR/attachments" ] && cp -r "$DATA_DIR/attachments" "$DEST/"
[ -d "$DATA_DIR/sends" ]       && cp -r "$DATA_DIR/sends"       "$DEST/"

echo "$(date): Backup complete: $DEST"
ls "$DEST/"

# Notify Zabbix (token stored in /root/.zabbix_token)
if [[ -f /root/.zabbix_token ]]; then
  ZABBIX_TOKEN=$(cat /root/.zabbix_token)
  curl -s -X POST http://localhost:81/api_jsonrpc.php \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer $ZABBIX_TOKEN" \
    -d "{\"jsonrpc\":\"2.0\",\"method\":\"history.push\",\"id\":1,\"params\":{\"itemid\":\"70368\",\"value\":\"$(date '+%Y-%m-%d %H:%M')\"}}" > /dev/null \
    && echo "Zabbix notified."
fi

# Rotate: keep last 5 backups
ls -1dt "$BACKUP_DIR"/[0-9]*-[0-9]* 2>/dev/null | tail -n +6 | xargs -r rm -rf