backup doc

peruna · peruna · commit 3c50687adbd6 · 2026-03-07T00:06:26.000-08:00
diff --git a/README.md b/README.md
@@ -307,4 +307,7 @@ Compose foundation adapted from [nicedexter](https://github.com/nicedexter).
 
 ## TODO
 
-- You tell me
+- Remaining known constraints (accepted for now):
+  - `code-interpreter-api` still needs `SYS_ADMIN` + `apparmor:unconfined` for current nsjail runtime.
+  - `api-proxy` remains dual-homed (`lan` + `wan`) because host port publishing fails when attached only to internal networks in this Docker/Colima setup.
+  - Search egress is intentionally auditable-not-allowlisted (to preserve SearX/Firecrawl web fetch behavior).
diff --git a/backup/README.md b/backup/README.md
@@ -1,57 +1,123 @@
-# Backups
+# Backups and Restore
 
-Create `~/Library/LaunchAgents/com.YOURUSER.librechat.backup.plist` (replace `YOURUSER`).
+This directory provides:
+- `backup_librechat.sh`: snapshots stack named volumes to tarballs.
+- `restore_librechat.sh`: restores a chosen snapshot (or latest per volume).
 
+Backup layout:
+- `~/Backups/LibreChatBackups/volumes/<volume>/<volume>-YYYY-MM-DD_HH-MM-SS.tar.gz`
+- If you use Colima, keep `BACKUP_ROOT` under your home directory (`/Users/...`) so Docker bind-mounts are visible.
+
+## Install scripts
+
+```bash
+mkdir -p ~/.local/bin ~/Library/Logs ~/Library/LaunchAgents
+cp backup/backup_librechat.sh ~/.local/bin/backup_librechat.sh
+cp backup/restore_librechat.sh ~/.local/bin/restore_librechat.sh
+chmod +x ~/.local/bin/backup_librechat.sh ~/.local/bin/restore_librechat.sh
 ```
+
+## LaunchAgent (daily automatic backup)
+
+Create `~/Library/LaunchAgents/com.YOURUSER.librechat.backup.plist` (replace `YOURUSER`):
+
+```xml
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
   <key>Label</key><string>com.YOURUSER.librechat.backup</string>
-
   <key>ProgramArguments</key>
   <array>
     <string>/bin/zsh</string>
     <string>-lc</string>
     <string>/Users/YOURUSER/.local/bin/backup_librechat.sh</string>
   </array>
-
   <key>EnvironmentVariables</key>
   <dict>
     <key>DOCKER_CONTEXT</key><string>colima-aiarm</string>
-    <key>PROJECT_NET</key><string>librechat-stack_lan</string>
-    <key>RETENTION_DAYS</key><string>14</string>
+    <key>PROJECT_NAME</key><string>librechat-stack</string>
+    <key>BACKUP_ROOT</key><string>/Users/YOURUSER/Backups/LibreChatBackups</string>
+    <key>RETENTION_DAYS</key><string>30</string>
   </dict>
-
-  <!-- Run every day at 03:15 local -->
   <key>StartCalendarInterval</key>
   <dict>
     <key>Hour</key><integer>3</integer>
     <key>Minute</key><integer>15</integer>
   </dict>
-
   <key>RunAtLoad</key><true/>
-
   <key>WorkingDirectory</key><string>/Users/YOURUSER</string>
   <key>StandardOutPath</key><string>/Users/YOURUSER/Library/Logs/librechat-backup.log</string>
   <key>StandardErrorPath</key><string>/Users/YOURUSER/Library/Logs/librechat-backup.log</string>
 </dict>
 </plist>
+```
 
+Load/reload:
+
+```bash
+launchctl bootout "gui/$(id -u)" ~/Library/LaunchAgents/com.YOURUSER.librechat.backup.plist 2>/dev/null || true
+launchctl bootstrap "gui/$(id -u)" ~/Library/LaunchAgents/com.YOURUSER.librechat.backup.plist
+launchctl enable "gui/$(id -u)/com.YOURUSER.librechat.backup"
+launchctl kickstart -k "gui/$(id -u)/com.YOURUSER.librechat.backup"
 ```
 
-Load it:
+Check backup agent logs:
 
+```bash
+tail -n 200 ~/Library/Logs/librechat-backup.log
 ```
-mkdir -p ~/.local/bin ~/Library/Logs ~/Library/LaunchAgents
-chmod +x ~/.local/bin/backup_librechat.sh
-launchctl unload ~/Library/LaunchAgents/com.YOURUSER.librechat.backup.plist 
-launchctl load -w  ~/Library/LaunchAgents/com.YOURUSER.librechat.backup.plist
+
+## Manual backup test
+
+```bash
+~/.local/bin/backup_librechat.sh
+ls -lah "$HOME/Backups/LibreChatBackups/volumes"
 ```
 
-Run it once by hand to verify:
+## Restore runbook
+
+1. Stop the stack first (restore script refuses to run while the compose project is up):
 
+```bash
+docker compose --env-file .env \
+  -f docker-compose.yml \
+  -f compose.hardening.yml \
+  -f optional/code-interpreter/compose.yml \
+  -f optional/local-search/compose.yml \
+  down
 ```
-~/.local/bin/backup_librechat.sh
-open "$HOME/Backups/LibreChatBackups"
+
+2. Inspect what would be restored:
+
+```bash
+~/.local/bin/restore_librechat.sh --list
+```
+
+3. Restore latest per volume:
+
+```bash
+~/.local/bin/restore_librechat.sh --yes
 ```
+
+Or restore a specific timestamp (example):
+
+```bash
+~/.local/bin/restore_librechat.sh --snapshot 2026-03-06_03-15-00 --yes
+```
+
+4. Start stack again:
+
+```bash
+docker compose --env-file .env \
+  -f docker-compose.yml \
+  -f compose.hardening.yml \
+  -f optional/code-interpreter/compose.yml \
+  -f optional/local-search/compose.yml \
+  up -d
+```
+
+5. Verify:
+- login works at `http://127.0.0.1:3081`
+- previous chats/files are present
+- API health: `curl -fsS http://127.0.0.1:3081/login >/dev/null && echo ok`
diff --git a/backup/backup_librechat.sh b/backup/backup_librechat.sh
@@ -58,8 +58,10 @@ backup_volume() {
 }
 
 prune_old() {
+  local prune_dir="$BACKUP_ROOT/volumes"
+  mkdir -p "$prune_dir"
   log "Pruning backups older than ${RETENTION_DAYS} days in $BACKUP_ROOT"
-  find "$BACKUP_ROOT/volumes" -type f -name '*.tar.gz' -mtime +"$RETENTION_DAYS" -print -delete || true
+  find "$prune_dir" -type f -name '*.tar.gz' -mtime +"$RETENTION_DAYS" -print -delete || true
 }
 
 main() {
diff --git a/backup/restore_librechat.sh b/backup/restore_librechat.sh
@@ -0,0 +1,167 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+# ========= CONFIG =========
+BACKUP_ROOT="${BACKUP_ROOT:-$HOME/Backups/LibreChatBackups}"
+DOCKER_CONTEXT="${DOCKER_CONTEXT:-colima-aiarm}"
+PROJECT_NAME="${PROJECT_NAME:-librechat-stack}"
+VOLUMES_DEFAULT="mongo_data meili_data pgdata2 lbc_api_uploads lbc_api_images lbc_app_logs lbc_app_api_logs lbc_app_data"
+VOLUMES="${VOLUMES:-$VOLUMES_DEFAULT}"
+SNAPSHOT="${SNAPSHOT:-}"   # expected format: YYYY-MM-DD_HH-MM-SS
+ASSUME_YES=0
+LIST_ONLY=0
+
+log() { printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S%z')" "$*"; }
+die() { printf 'ERROR: %s\n' "$*" >&2; exit 1; }
+
+usage() {
+  cat <<'EOF'
+Usage:
+  restore_librechat.sh [--snapshot YYYY-MM-DD_HH-MM-SS] [--volumes "v1 v2"] [--yes] [--list]
+
+Options:
+  --snapshot <stamp>   Restore a specific snapshot timestamp.
+                       If omitted, restores the latest backup per volume.
+  --volumes "<list>"   Space-delimited volume keys (defaults to all stack volumes).
+  --yes                Skip interactive confirmation.
+  --list               Show resolved restore plan and exit.
+  -h, --help           Show this help.
+
+Environment:
+  BACKUP_ROOT, DOCKER_CONTEXT, PROJECT_NAME, VOLUMES, SNAPSHOT
+EOF
+}
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --snapshot)
+      [[ $# -ge 2 ]] || die "--snapshot requires a value"
+      SNAPSHOT="$2"
+      shift 2
+      ;;
+    --volumes)
+      [[ $# -ge 2 ]] || die "--volumes requires a value"
+      VOLUMES="$2"
+      shift 2
+      ;;
+    --yes)
+      ASSUME_YES=1
+      shift
+      ;;
+    --list)
+      LIST_ONLY=1
+      shift
+      ;;
+    -h|--help)
+      usage
+      exit 0
+      ;;
+    *)
+      die "Unknown argument: $1"
+      ;;
+  esac
+done
+
+if ! command -v docker >/dev/null 2>&1; then
+  die "docker CLI not found"
+fi
+docker context use "${DOCKER_CONTEXT}" >/dev/null 2>&1 || true
+
+volume_exists() { docker volume inspect "$1" >/dev/null 2>&1; }
+
+resolve_volume() {
+  local short="$1"
+  local prefixed="${PROJECT_NAME}_${short}"
+  if volume_exists "${prefixed}"; then
+    echo "${prefixed}"
+  elif volume_exists "${short}"; then
+    echo "${short}"
+  else
+    echo ""
+  fi
+}
+
+resolve_archive() {
+  local short="$1"
+  local dir="${BACKUP_ROOT}/volumes/${short}"
+  [[ -d "${dir}" ]] || return 1
+
+  if [[ -n "${SNAPSHOT}" ]]; then
+    local explicit="${dir}/${short}-${SNAPSHOT}.tar.gz"
+    [[ -f "${explicit}" ]] || return 1
+    echo "${explicit}"
+    return 0
+  fi
+
+  ls -1t "${dir}/${short}-"*.tar.gz 2>/dev/null | head -n 1
+}
+
+ensure_stack_stopped() {
+  local running
+  running="$(
+    docker ps \
+      --filter "label=com.docker.compose.project=${PROJECT_NAME}" \
+      --format '{{.Names}}'
+  )"
+  if [[ -n "${running}" ]]; then
+    printf '%s\n' "${running}" | sed 's/^/  - /'
+    die "compose project '${PROJECT_NAME}' is running; stop it before restore"
+  fi
+}
+
+restore_volume() {
+  local short="$1"
+  local vol archive archive_dir archive_name
+
+  vol="$(resolve_volume "${short}")"
+  [[ -n "${vol}" ]] || die "volume '${short}' not found (looked for '${PROJECT_NAME}_${short}' and '${short}')"
+
+  archive="$(resolve_archive "${short}")" || die "no backup archive found for '${short}' (snapshot='${SNAPSHOT:-latest}')"
+  archive_dir="$(dirname "${archive}")"
+  archive_name="$(basename "${archive}")"
+
+  printf '%s -> %s (%s)\n' "${short}" "${vol}" "${archive_name}"
+  if [[ "${LIST_ONLY}" -eq 1 ]]; then
+    return 0
+  fi
+
+  log "Restoring ${short} from ${archive_name}"
+  docker run --rm \
+    -v "${vol}:/data" \
+    -v "${archive_dir}:/backup:ro" \
+    alpine:3 sh -lc "set -e; find /data -mindepth 1 -maxdepth 1 -exec rm -rf -- {} +; tar -xzf /backup/${archive_name} -C /data"
+}
+
+main() {
+  local requested_list_only="${LIST_ONLY}"
+  [[ -d "${BACKUP_ROOT}" ]] || die "backup root not found: ${BACKUP_ROOT}"
+  ensure_stack_stopped
+
+  log "Restore plan (snapshot: ${SNAPSHOT:-latest-per-volume})"
+  LIST_ONLY=1
+  for v in ${VOLUMES}; do
+    restore_volume "${v}"
+  done
+
+  if [[ "${requested_list_only}" -eq 1 ]]; then
+    log "List-only mode complete"
+    return 0
+  fi
+
+  if [[ "${ASSUME_YES}" -ne 1 ]]; then
+    printf 'Type YES to overwrite the listed volumes: '
+    read -r ack
+    [[ "${ack}" == "YES" ]] || die "restore cancelled by user"
+
+  fi
+
+  LIST_ONLY=0
+  log "Applying restore"
+  for v in ${VOLUMES}; do
+    restore_volume "${v}"
+  done
+
+  log "Restore complete"
+}
+
+main "$@"
diff --git a/scripts/ci/smoke.sh b/scripts/ci/smoke.sh
@@ -164,6 +164,20 @@ if ! docker port api-proxy 81/tcp | grep -q '127.0.0.1:80'; then
   echo "api-proxy is missing host bind 127.0.0.1:80->81 for sandpack ingress" >&2
   exit 1
 fi
+api_proxy_compose_block="$(
+  compose \
+    --env-file .env \
+    "${compose_files[@]}" \
+    config | awk '
+      /^  api-proxy:$/ { in_block=1; print; next }
+      /^  [^ ]/ && in_block { exit }
+      in_block { print }
+    '
+)"
+if grep -q '^    environment:' <<<"${api_proxy_compose_block}"; then
+  echo "api-proxy should not have explicit environment proxy wiring in compose config" >&2
+  exit 1
+fi
 if docker port sandpack-bundler 80/tcp >/dev/null 2>&1; then
   echo "sandpack-bundler should not expose host port 80 directly" >&2
   exit 1

Original file line number	Diff line number	Diff line change
`@@ -58,8 +58,10 @@ backup_volume() {`
`58`	`58`	`}`
`59`	`59`
`60`	`60`	`prune_old() {`
	`61`	`+ local prune_dir="$BACKUP_ROOT/volumes"`
	`62`	`+ mkdir -p "$prune_dir"`
`61`	`63`	`log "Pruning backups older than ${RETENTION_DAYS} days in $BACKUP_ROOT"`
`62`		`- find "$BACKUP_ROOT/volumes" -type f -name '*.tar.gz' -mtime +"$RETENTION_DAYS" -print -delete \|\| true`
	`64`	`+ find "$prune_dir" -type f -name '*.tar.gz' -mtime +"$RETENTION_DAYS" -print -delete \|\| true`
`63`	`65`	`}`
`64`	`66`
`65`	`67`	`main() {`