backups - configuration snapshots ingest and management #83

@edospadoni

Description

Overview

Implement the Configuration Backup subsystem alongside the existing heartbeat and inventory paths: ingest on collect, managed reads on backend, S3-compatible object storage, retention + GDPR purge, security hardening, legacy-client transition via the nethinfra proxy, and the admin UI.

Requirements

Core features

  • End-to-end GPG ciphertext round-trip through collect / S3 / backend.
  • Per-system retention: default 10 backups / 500 MB, optional per-org aggregate cap.
  • RBAC cascade: Owner → Distributor → Reseller → Customer.
  • GDPR Article 17 purge on DestroySystem.
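
The retention rule above (default 10 backups / 500 MB per system, optional per-org aggregate cap) is a small planning step that runs under the per-system Redis lock before the S3 deletes are issued. The Go below is an added illustration, not code from this repository: the Backup and Policy types, the assumption that the 500 MB default is read as MiB, and the rule that the newest (just ingested) backup is never evicted are all this example's own choices.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Backup is the per-snapshot metadata collect keeps (field names assumed).
type Backup struct {
	ID        string
	SizeBytes int64
	CreatedAt time.Time
}

// Policy carries the per-system limits plus the optional per-org aggregate cap
// (OrgMaxBytes == 0 means "no org cap").
type Policy struct {
	MaxCount    int
	MaxBytes    int64
	OrgMaxBytes int64
}

// DefaultPolicy is the issue's default of 10 backups / 500 MB; the unit is read
// here as MiB (assumption: the issue does not say MB vs MiB).
var DefaultPolicy = Policy{MaxCount: 10, MaxBytes: 500 << 20}

// PlanEviction returns the IDs to delete, oldest first, so that what remains fits
// both the per-system limits and, if enabled, the org budget left after the bytes
// other systems in the org already use. The newest backup is never evicted: the
// upload handler must reject an oversize body before it reaches storage. The
// caller runs this under the per-system Redis lock and then issues the deletes.
func PlanEviction(backups []Backup, p Policy, orgBytesUsedByOthers int64) []string {
	if len(backups) == 0 {
		return nil
	}
	sorted := append([]Backup(nil), backups...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].CreatedAt.Before(sorted[j].CreatedAt) })

	byteBudget := p.MaxBytes
	if p.OrgMaxBytes > 0 {
		if orgBudget := p.OrgMaxBytes - orgBytesUsedByOthers; orgBudget < byteBudget {
			byteBudget = orgBudget
		}
	}
	var total int64
	for _, b := range sorted {
		total += b.SizeBytes
	}
	var evict []string
	remaining := len(sorted)
	for _, b := range sorted[:len(sorted)-1] { // keep the newest unconditionally
		if remaining <= p.MaxCount && total <= byteBudget {
			break
		}
		evict = append(evict, b.ID)
		total -= b.SizeBytes
		remaining--
	}
	return evict
}

func main() {
	base := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	var bs []Backup
	for i := 0; i < 12; i++ { // constructed sample: 12 snapshots of 10 MiB, one per hour
		bs = append(bs, Backup{ID: fmt.Sprintf("b%02d", i), SizeBytes: 10 << 20, CreatedAt: base.Add(time.Duration(i) * time.Hour)})
	}
	fmt.Println("evict:", PlanEviction(bs, DefaultPolicy, 0)) // evict: [b00 b01]
}
```

Splitting the decision (which IDs to drop) from the deletes keeps the lock window short and makes the policy unit-testable without S3; the org cap is applied as a reduced byte budget rather than a second pass, so a single ordering of evictions satisfies both limits.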

collect (ingest + appliance-facing read)

  • POST /api/systems/backups — streaming upload with SHA-256 tee, metadata sanitised, inline retention under Redis lock, per-system rate limit.
  • GET /api/systems/backups — list for the authenticated system (paginated internally — never truncated at S3's 1000-item cap).
  • GET /api/systems/backups/:id — download for the authenticated system.
  • Cross-service auth invalidation bus on Redis pub/sub so backend-side secret rotation propagates to collect within ~30 s.
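
Two of the collect items above are easy to get subtly wrong: hashing a streamed upload without buffering it, and listing a system's objects past S3's 1000-key page. The Go below is an added example, not the project's storage/s3.go: the ObjectStore interface, the in-memory store, the continuation-token scheme and the key prefix are constructed stand-ins, and the size cap is enforced on the stream with the partial object removed on overflow.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"sort"
	"strings"
)

// ObjectStore is the slice of the S3 API this example needs; a constructed
// stand-in for the project's storage/s3.go, whose interface is not on the page.
type ObjectStore interface {
	Put(key string, r io.Reader) (int64, error)
	Delete(key string) error
	// ListPage behaves like S3 ListObjectsV2: at most pageSize keys plus a
	// continuation token, which is "" on the last page.
	ListPage(prefix, token string, pageSize int) (keys []string, next string, err error)
}

// memStore is an in-memory ObjectStore so the example runs offline.
type memStore struct{ objects map[string][]byte }

func newMemStore() *memStore { return &memStore{objects: map[string][]byte{}} }

func (m *memStore) Put(key string, r io.Reader) (int64, error) {
	data, err := io.ReadAll(r)
	if err != nil {
		return 0, err
	}
	m.objects[key] = data
	return int64(len(data)), nil
}

func (m *memStore) Delete(key string) error { delete(m.objects, key); return nil }

func (m *memStore) ListPage(prefix, token string, pageSize int) ([]string, string, error) {
	var all []string
	for k := range m.objects {
		if strings.HasPrefix(k, prefix) {
			all = append(all, k)
		}
	}
	sort.Strings(all)
	start := 0
	if token != "" { // the token is simply the first key of the next page
		start = sort.SearchStrings(all, token)
	}
	end := start + pageSize
	if end >= len(all) {
		return all[start:], "", nil
	}
	return all[start:end], all[end], nil
}

// Ingest streams the body into storage while hashing it: io.TeeReader feeds every
// byte to the SHA-256 hasher as the store consumes it, so nothing is buffered.
// The body is opaque GPG ciphertext; collect never decrypts it. The size cap is
// enforced on the stream and a partial oversize object is removed again.
func Ingest(store ObjectStore, key string, body io.Reader, maxBytes int64) (sha string, size int64, err error) {
	h := sha256.New()
	limited := io.LimitReader(body, maxBytes+1) // one extra byte reveals an oversize body
	size, err = store.Put(key, io.TeeReader(limited, h))
	if err != nil {
		return "", 0, err
	}
	if size > maxBytes {
		_ = store.Delete(key)
		return "", 0, fmt.Errorf("upload exceeds %d bytes", maxBytes)
	}
	return hex.EncodeToString(h.Sum(nil)), size, nil
}

// ListAll follows continuation tokens until the store reports none, so a system
// with more objects than one page holds is never silently truncated.
func ListAll(store ObjectStore, prefix string, pageSize int) ([]string, error) {
	var keys []string
	token := ""
	for {
		page, next, err := store.ListPage(prefix, token, pageSize)
		if err != nil {
			return nil, err
		}
		keys = append(keys, page...)
		if next == "" {
			return keys, nil
		}
		token = next
	}
}

func main() {
	store := newMemStore()
	prefix := "systems/sys-1/backups/" // constructed key layout, not the project's
	for i := 0; i < 2500; i++ {
		Ingest(store, fmt.Sprintf("%s%04d", prefix, i), strings.NewReader("ciphertext"), 1<<20)
	}
	keys, _ := ListAll(store, prefix, 1000)
	fmt.Println("objects listed:", len(keys)) // 2500, not 1000
}
```

The hash produced by Ingest is what gets recorded in the backup's metadata; because it is computed from the same bytes the store received, a later download can be verified against it without re-reading the object on the ingest side.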

backend (UI-facing read + GDPR)

  • GET /api/systems/:id/backups with aggregate counters (slots_used, quota_used_bytes).
  • GET /api/systems/:id/backups/:backup_id/download — short-lived presigned URL.
  • DELETE /api/systems/:id/backups/:backup_id.
  • RBAC gated as GET /api/systems/:id.
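
"Gated as GET /api/systems/:id" means the backups routes inherit the Owner → Distributor → Reseller → Customer cascade from the core features. The Go below is an added example, not the project's authorisation code: the org tree, the Tier ordering, the rule that a parent must sit strictly above its child, and the choice to answer 404 rather than 403 for an invisible system are this example's assumptions.

```go
package main

import (
	"fmt"
	"net/http"
)

// Tier is an organisation's position in the cascade; lower values sit higher up.
type Tier int

const (
	Owner Tier = iota
	Distributor
	Reseller
	Customer
)

type Org struct {
	ID     string
	Tier   Tier
	Parent string // "" only for the Owner
}

// Directory is a constructed in-memory org tree (the project's real model is not on the page).
type Directory struct{ orgs map[string]Org }

func NewDirectory() *Directory { return &Directory{orgs: map[string]Org{}} }

// AddOrg enforces the cascade shape: every non-Owner org hangs below an existing
// org of a strictly higher tier, which also keeps the tree acyclic.
func (d *Directory) AddOrg(id string, tier Tier, parent string) error {
	if tier == Owner {
		if parent != "" {
			return fmt.Errorf("owner %q cannot have a parent", id)
		}
	} else {
		p, ok := d.orgs[parent]
		if !ok {
			return fmt.Errorf("parent %q of %q is unknown", parent, id)
		}
		if p.Tier >= tier {
			return fmt.Errorf("%q (tier %d) cannot hang below %q (tier %d)", id, tier, parent, p.Tier)
		}
	}
	d.orgs[id] = Org{ID: id, Tier: tier, Parent: parent}
	return nil
}

// CanReadSystem walks up from the system's org; access is granted only if the
// principal's org is that org or one of its ancestors. Nothing is visible
// sideways (a sibling distributor) or upward (a customer reading its reseller).
func (d *Directory) CanReadSystem(principalOrg, systemOrg string) bool {
	for cur := systemOrg; cur != ""; {
		o, ok := d.orgs[cur]
		if !ok {
			return false
		}
		if o.ID == principalOrg {
			return true
		}
		cur = o.Parent
	}
	return false
}

// BackupsStatus gates GET /api/systems/:id/backups exactly like GET /api/systems/:id.
// An invisible or unknown system yields 404 (assumption: the page says "gated as",
// not which status), so the backups route never confirms a system the system
// route would hide.
func BackupsStatus(d *Directory, systemOrgOf map[string]string, principalOrg, systemID string) int {
	org, ok := systemOrgOf[systemID]
	if !ok || !d.CanReadSystem(principalOrg, org) {
		return http.StatusNotFound
	}
	return http.StatusOK
}

func main() {
	d := NewDirectory() // constructed sample tree
	d.AddOrg("owner", Owner, "")
	d.AddOrg("dist-a", Distributor, "owner")
	d.AddOrg("res-a1", Reseller, "dist-a")
	d.AddOrg("cust-x", Customer, "res-a1")
	systems := map[string]string{"sys-1": "cust-x"}
	fmt.Println(BackupsStatus(d, systems, "dist-a", "sys-1")) // 200
	fmt.Println(BackupsStatus(d, systems, "cust-x", "sys-1")) // 200
	fmt.Println(BackupsStatus(d, systems, "res-b9", "sys-1")) // 404
}
```

Reusing the same predicate for the list, download and delete routes is the point of "gated as": one function decides visibility, and every backup endpoint, including the presigned-URL one, calls it before touching storage.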

Storage abstraction

  • Shared storage/s3.go between backend + collect.
  • Works with DigitalOcean Spaces, AWS S3, Cloudflare R2, MinIO, Garage — no hard dependency on a specific provider.
  • Optional split credentials (write-only for collect, read-only for backend).

Frontend

  • Backups tab on the system detail page.
  • Table with kebab menu; Delete marked destructive (red).
  • Retention / quota tiles sourced from the backend payload.
  • Alerts + Backups indicators on the Overview Status card.

Docs

  • User-facing page under docs/systems/backups (EN + IT).
  • collect/README.md, backend/README.md — setup, env vars, bucket layout, split credentials.
  • AGENTS.md — new endpoint family, key layout, naming convention (plural vs singular).

PRs

Design mockup: #82


Remaining work to go live

Blocking

Operational (at production cutover)

  • Configure BACKUP_S3_* env on the Render prod environment (endpoint, region, bucket, access key, secret).
  • Decide the prod bucket: a dedicated one (e.g. my-backups-prod) vs. one shared with QA.
  • Decide whether to split S3 credentials between collect (write-only) and backend (read-only). Documented as an option in collect/README.md.