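#!/bin/bash
# /usr/local/sbin/vexor-keycloak-backup
#
# Nightly dump of the Keycloak Postgres database with 14-day retention.
# Run from the vexor-keycloak-backup.timer systemd unit at 03:30 local time.
#
# Output: /var/backups/vexor/keycloak/keycloak-YYYYMMDD-HHMM.sql.gz
# Permissions: dir 0700 root:root, files 0600 root:root.
#
# Credentials: /etc/vexor/keycloak.env is sourced as shell (i.e. executed as
# root) and must provide KC_DB_PASSWORD; KC_DB_USERNAME defaults to
# "keycloak". The dump contains credential hashes and client secrets, so
# it is created root-only and never left behind in a partial state.
#
# Exit status: non-zero if the env file is unusable, pg_dump fails, or the
# archive does not verify. A suspiciously small dump is only warned about.

set -euo pipefail

BACKUP_DIR=/var/backups/vexor/keycloak
RETAIN_DAYS=14
ENV_FILE=/etc/vexor/keycloak.env
TS=$(date +%Y%m%d-%H%M)
OUT="$BACKUP_DIR/keycloak-$TS.sql.gz"
TAG='[vexor-keycloak-backup]'

# Everything this script creates is root-only from the moment it exists;
# no window between file creation and a later chmod in which the dump has
# umask permissions.
umask 077

mkdir -p "$BACKUP_DIR"
chmod 0700 "$BACKUP_DIR"

# Load DB credentials from keycloak.env. The file is executed as shell, so
# refuse it unless it is root-owned and not writable by group/others —
# anything else is a root code-execution path for whoever can edit it.
if [ -r "$ENV_FILE" ]; then
  ENV_UID=$(stat -c%u "$ENV_FILE")
  ENV_MODE=$(stat -c%a "$ENV_FILE")
  if [ "$ENV_UID" -ne 0 ] || [ $(( 8#$ENV_MODE & 8#022 )) -ne 0 ]; then
    echo "$TAG refusing to source $ENV_FILE: must be root-owned and not group/world-writable (uid=$ENV_UID mode=$ENV_MODE)" >&2
    exit 1
  fi
  # Deliberately no 'set -a': only pg_dump needs the password and it gets
  # it via PGPASSWORD below. Exporting every variable would hand the secret
  # to gzip, stat, find and numfmt as well.
  # shellcheck disable=SC1090,SC1091
  . "$ENV_FILE"
fi

if [ -z "${KC_DB_PASSWORD:-}" ]; then
  echo "$TAG KC_DB_PASSWORD missing from $ENV_FILE" >&2
  exit 1
fi

# Dump into a private temp file in the target dir (same filesystem, so the
# final rename is atomic) and remove it on any exit path. Without this a
# failed pg_dump leaves a truncated keycloak-*.sql.gz.tmp on disk.
# The dotted name does not match the retention glob below.
TMP=$(mktemp "$BACKUP_DIR/.keycloak-$TS.XXXXXX")
trap 'rm -f -- "$TMP"' EXIT

# pipefail makes a pg_dump error (auth failure, connection refused, ...) fail
# the pipeline even though gzip exits 0; set -e then aborts the script here.
PGPASSWORD="$KC_DB_PASSWORD" pg_dump \
  -h 127.0.0.1 -p 5432 -U "${KC_DB_USERNAME:-keycloak}" \
  -d keycloak --clean --if-exists --no-owner --no-privileges \
  | gzip -9 > "$TMP"

# Refuse to publish an archive that does not decompress cleanly.
gzip -t "$TMP"

chmod 0600 "$TMP"
mv -- "$TMP" "$OUT"

# Verify it's non-trivially-sized (gzip of empty schema would be ~100B)
SIZE=$(stat -c%s "$OUT")
if [ "$SIZE" -lt 1024 ]; then
  echo "$TAG WARNING: dump suspiciously small ($SIZE bytes)" >&2
fi

# Retention: delete .sql.gz older than RETAIN_DAYS. This runs only after a
# successful dump, so a run of failed nights never thins out the old copies.
# Note: find's -mtime +N matches files at least N+1 days old (age is
# rounded down to whole days before the comparison).
find "$BACKUP_DIR" -maxdepth 1 -type f -name "keycloak-*.sql.gz" -mtime "+$RETAIN_DAYS" -delete

echo "$TAG OK $OUT ($(numfmt --to=iec "$SIZE"))"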
