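#!/bin/sh
# Daily laptop backup: duplicity over rsync plus restic over sftp to piware.de,
# followed by a server-side `restic check`. Desktop notifications report the
# outcome. Intended to run interactively or from cron.
#
# Requires: ~/.config/backup-passphrase, ~/.config/backup-ignore, and ssh
# access to piware.de.
set -eu

cd "$HOME"

LOG=.cache/duplicity/log
PASSPHRASE_FILE="$HOME/.config/backup-passphrase"
IGNORE_FILE="$HOME/.config/backup-ignore"
PATH=$PATH:/sbin:/usr/sbin

# Show a critical desktop notification and abort.
# Arguments: $1 - optional message (defaults to "BACKUP FAILED!")
fail() {
  notify-send -i network-error-symbolic -u critical -t 180 "${1:-BACKUP FAILED!}"
  exit 1
}

# Run restic against the remote repository. A function instead of a command
# string, so that a $HOME containing whitespace is not word-split.
# Arguments: restic subcommand and its options
run_restic() {
  restic --password-file "$PASSPHRASE_FILE" \
    --repo sftp:piware.de:backup/restic "$@"
}

# Remove the temporary passphrase copy from the server. Installed as the EXIT
# trap; the `||` keeps a failed removal from being silent.
cleanup_remote_passphrase() {
  ssh piware.de shred -u .cache/backup-passphrase ||
    notify-send -u critical "Could not shred passphrase copy on piware.de"
}

# do backup every day
# NOTE(review): the log's mtime is the only "last run" marker, and duplicity
# appends to it before the later steps run, so a run that fails after writing
# to the log still suppresses retries for about a day.
if [ -e "$LOG" ] && [ $(( $(date +%s) - $(stat -c %Y "$LOG") )) -lt 86300 ]; then
  exit 0
fi

# figure out $DISPLAY when running from cron
export DISPLAY="${DISPLAY:-:0}"

if ! ip route show default | grep -Eq 'dev (enp|wl)'; then
  notify-send "Backup skipped, not on WLAN"
  exit 0
fi

# figure out ssh agent when running from cron
# Globbing instead of `ls`: a failing command substitution in a plain
# assignment aborts the script under `set -e`, so a missing keyring socket
# used to end the run here without any notification.
if [ -z "${SSH_AUTH_SOCK:-}" ]; then
  for ssh_socket in "/run/user/$(id -u)"/keyring*/ssh; do
    if [ -S "$ssh_socket" ]; then
      export SSH_AUTH_SOCK="$ssh_socket"
      break
    fi
  done
fi

notify-send "Backup started"
mkdir -p "$(dirname "$LOG")"

# Read the passphrase up front so an unreadable file is reported, and hand it
# to duplicity as an assignment prefix rather than through `env`, which would
# briefly carry the secret in a process argument list.
passphrase=$(cat "$PASSPHRASE_FILE") || fail
PASSPHRASE="$passphrase" duplicity --allow-source-mismatch \
  --full-if-older-than 1M --exclude-filelist "$IGNORE_FILE" \
  . rsync://piware.de/backup/laptop >> "$LOG" || fail
unset passphrase
duplicity remove-all-but-n-full 6 --force rsync://piware.de/backup/laptop || fail

run_restic backup --exclude-file="$IGNORE_FILE" "$HOME" || fail
# TODO: forget --prune policy: https://restic.readthedocs.io/en/stable/060_forget.html

notify-send "Backup finished successfully"

# NOTE(review): the check below runs on the server, so the repository
# passphrase is present on piware.de for its duration. While the copy exists,
# that account can decrypt the backups; the copy must never outlive this script.
# The traps are therefore installed before the copy is made, so a failing scp
# or chmod cannot leave the file behind. INT/QUIT/PIPE are turned into a normal
# exit so that the EXIT trap runs exactly once.
trap cleanup_remote_passphrase EXIT
trap 'exit 1' INT QUIT PIPE
scp "$PASSPHRASE_FILE" piware.de:.cache/ || fail "BACKUP CHECK FAILED!"
# make the copy writable so that shred can overwrite it afterwards
ssh piware.de chmod u+w .cache/backup-passphrase || fail "BACKUP CHECK FAILED!"
ssh piware.de restic --password-file .cache/backup-passphrase --repo backup/restic check || fail "BACKUP CHECK FAILED!"
notify-send "Backup checked successfully"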