From 070ab6113130613737e76dfe3ba758d8dfd5d005 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 18 Apr 2026 13:44:03 +0000
Subject: [PATCH 1/4] Initial plan
From 725aad3aac9b270b1fe9efccba63bdf14cbcdc3f Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 18 Apr 2026 13:47:22 +0000
Subject: [PATCH 2/4] backup: include full /var/lib in manual backup stages
Agent-Logs-Url: https://github.com/naturallaw777/staging_alpha/sessions/d8d4b876-dfc7-42fd-954c-a9e5b05dc497
Co-authored-by: naturallaw777 <99053422+naturallaw777@users.noreply.github.com>
---
.../scripts/sovran-hub-backup.sh | 60 ++++++++-----------
app/sovran_systemsos_web/static/js/support.js | 3 +-
docs/manual-backup.md | 18 +++---
3 files changed, 36 insertions(+), 45 deletions(-)
diff --git a/app/sovran_systemsos_web/scripts/sovran-hub-backup.sh b/app/sovran_systemsos_web/scripts/sovran-hub-backup.sh
index 1a7ce8b..c2434ba 100755
--- a/app/sovran_systemsos_web/scripts/sovran-hub-backup.sh
+++ b/app/sovran_systemsos_web/scripts/sovran-hub-backup.sh
@@ -239,33 +239,13 @@ mkdir -p "$BACKUP_DIR/secrets"
if [[ "$ROLE" == "desktop" ]]; then
log "Skipping /etc/nix-bitcoin-secrets — not applicable for Desktop Only role."
- # /var/lib/domains is still backed up if present (hub state)
- for SRC in /var/lib/domains; do
- if [[ -e "$SRC" ]]; then
- rsync -a --info=progress2 "$SRC" "$BACKUP_DIR/secrets/" 2>&1 | tee -a "$BACKUP_LOG" || \
- log "WARNING: Could not copy $SRC — continuing."
- else
- log " (not found: $SRC — skipping)"
- fi
- done
else
- for SRC in /etc/nix-bitcoin-secrets /var/lib/domains; do
- if [[ -e "$SRC" ]]; then
- rsync -a --info=progress2 "$SRC" "$BACKUP_DIR/secrets/" 2>&1 | tee -a "$BACKUP_LOG" || \
- log "WARNING: Could not copy $SRC — continuing."
- else
- log " (not found: $SRC — skipping)"
- fi
- done
-fi
-
-# Hub state files from /var/lib/secrets/ (backed up for all roles)
-if [[ -d /var/lib/secrets ]]; then
- mkdir -p "$BACKUP_DIR/secrets/hub-state"
- rsync -a --info=progress2 /var/lib/secrets/ "$BACKUP_DIR/secrets/hub-state/" 2>&1 | tee -a "$BACKUP_LOG" || \
- log "WARNING: Could not copy /var/lib/secrets — continuing."
-else
- log " (not found: /var/lib/secrets — skipping)"
+ if [[ -e /etc/nix-bitcoin-secrets ]]; then
+ rsync -a --info=progress2 /etc/nix-bitcoin-secrets "$BACKUP_DIR/secrets/" 2>&1 | tee -a "$BACKUP_LOG" || \
+ log "WARNING: Could not copy /etc/nix-bitcoin-secrets — continuing."
+ else
+ log " (not found: /etc/nix-bitcoin-secrets — skipping)"
+ fi
fi
log "Stage 2 complete."
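Review bot: The `|| log "WARNING: …"` that follows `rsync … 2>&1 | tee -a "$BACKUP_LOG"` tests the exit status of the whole pipeline, which is tee's status unless `set -o pipefail` is in effect, and that setting is not visible in this hunk. If it is not set, a failed copy of /etc/nix-bitcoin-secrets is never reported and `Stage 2 complete.` is logged over a missing secrets backup. I would confirm `set -o pipefail` near the top of the script, or test `${PIPESTATUS[0]}` immediately after the pipeline, and add a comment saying which of the two the warning relies on. The Stage 4 rsync calls later in this patch put the same pipeline in front of `fail`, so the same question decides whether Stage 4 can fail at all.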
@@ -286,20 +266,32 @@ else
log "WARNING: /home not found — skipping."
fi
-# ── Stage 4/4: Wallet and node data ─────────────────────────────
+# ── Stage 4/4: System data ───────────────────────────────────────
log ""
-log "── Stage 4/4: Wallet and node data (/var/lib/lnd) ──────────"
+log "── Stage 4/4: System data (/var/lib) ────────────────────────"
if [[ "$ROLE" == "desktop" ]]; then
- log "Skipping Stage 4 (LND wallet data) — not applicable for Desktop Only role."
-elif [[ -d /var/lib/lnd ]]; then
+ if [[ -d /var/lib ]]; then
+ rsync -a --info=progress2 \
+ --exclude='lnd/' \
+ --exclude='*/logs/' \
+ --exclude='*/log/' \
+ /var/lib/ "$BACKUP_DIR/var-lib/" 2>&1 | tee -a "$BACKUP_LOG" || \
+ fail "Stage 4 failed while copying /var/lib for Desktop Only role"
+ log "Stage 4 complete (Desktop Only role excludes /var/lib/lnd)."
+ else
+ log "WARNING: /var/lib not found — skipping."
+ fi
+elif [[ -d /var/lib ]]; then
rsync -a --info=progress2 \
- --exclude='logs/' \
- /var/lib/lnd/ "$BACKUP_DIR/lnd/" 2>&1 | tee -a "$BACKUP_LOG" || \
- fail "Stage 4 failed while copying /var/lib/lnd"
+ --exclude='lnd/logs/' \
+ --exclude='*/logs/' \
+ --exclude='*/log/' \
+ /var/lib/ "$BACKUP_DIR/var-lib/" 2>&1 | tee -a "$BACKUP_LOG" || \
+ fail "Stage 4 failed while copying /var/lib"
log "Stage 4 complete."
else
- log "WARNING: /var/lib/lnd not found — skipping."
+ log "WARNING: /var/lib not found — skipping."
fi
# ── Generate manifest ────────────────────────────────────────────
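Review bot: Stage 4 now copies the whole of /var/lib into `"$BACKUP_DIR/var-lib/"`, which per the docs changed in this same patch includes Vaultwarden data, wallet data and the secrets directory, and nothing in this hunk limits who can read that copy. `rsync -a` keeps the source owners and modes only when the destination filesystem supports them; how BACKUP_DIR is created and what it is mounted on is above this hunk, but on a FAT or exFAT drive every file would be readable by whoever mounts it. I would add `chmod 700 "$BACKUP_DIR"` before the copy stages, log a warning when `findmnt -no FSTYPE -T "$BACKUP_DIR"` reports a filesystem without POSIX permissions, and put a comment on the stage such as `# /var/lib holds credential stores; the backup target should be an encrypted volume`.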
diff --git a/app/sovran_systemsos_web/static/js/support.js b/app/sovran_systemsos_web/static/js/support.js
index 25dcc4d..6078888 100644
--- a/app/sovran_systemsos_web/static/js/support.js
+++ b/app/sovran_systemsos_web/static/js/support.js
@@ -500,9 +500,8 @@ function renderBackupReady(drives) {
'
What gets backed up
',
'',
'- NixOS configuration (
/etc/nixos) ',
- '- Bitcoin & Lightning wallet data (
/var/lib/lnd) ',
'- nix-bitcoin secrets (
/etc/nix-bitcoin-secrets) ',
- '- Domain configurations (
/var/lib/domains) ',
+ '- System service data (
/var/lib) including Vaultwarden, bitcoind, LND, sovran-hub, domains, and secrets ',
'- Home directory (
/home) ',
'
',
'',
diff --git a/docs/manual-backup.md b/docs/manual-backup.md
index aa6268d..1f608f4 100644
--- a/docs/manual-backup.md
+++ b/docs/manual-backup.md
@@ -19,9 +19,9 @@ The script always attempts all four stages, but skips stages that are irrelevant
| Stage | Directory | Contents |
|-------|-----------|----------|
| **1/4 — NixOS config** | `/etc/nixos/` | Full NixOS system configuration: `role-state.nix`, `custom.nix`, flake files, and any other config managed by the Hub |
-| **2/4 — Secrets** | `/etc/nix-bitcoin-secrets`, `/var/lib/domains`, `/var/lib/secrets` | Bitcoin/LND secrets, domain configurations for all web services, and Hub state files |
+| **2/4 — Secrets** | `/etc/nix-bitcoin-secrets` | Bitcoin/LND secrets stored under `/etc/` |
| **3/4 — Home directory** | `/home/` | All user home directories (`.cache/` and Trash are excluded) |
-| **4/4 — LND wallet data** | `/var/lib/lnd/` | Lightning Network node wallet and channel data (log files excluded) |
+| **4/4 — System data** | `/var/lib/` | Full service data tree, including Vaultwarden, bitcoind, LND, sovran-hub config, domains, secrets, and other `/var/lib` service directories (logs excluded as appropriate) |
---
@@ -36,9 +36,9 @@ All services are enabled: Bitcoin, Matrix Synapse, Vaultwarden, WordPress, Nextc
| Stage | Status | Notes |
|-------|--------|-------|
| Stage 1 — NixOS config | ✅ Backed up | Full server configuration |
-| Stage 2 — Secrets | ✅ Backed up | Bitcoin secrets, domain configs, and Hub state |
+| Stage 2 — Secrets | ✅ Backed up | `/etc/nix-bitcoin-secrets` |
| Stage 3 — Home directory | ✅ Backed up | Desktop user data |
-| Stage 4 — LND wallet | ✅ Backed up | Lightning wallet and channel data |
+| Stage 4 — System data (`/var/lib`) | ✅ Backed up | Includes Vaultwarden, bitcoind, LND, sovran-hub config, domains, secrets, and all other service data under `/var/lib` (logs excluded) |
This produces the largest backup. All four stages generate meaningful data.
@@ -49,9 +49,9 @@ All server services are disabled (`bitcoin = false`, `synapse = false`, `vaultwa
| Stage | Status | Notes |
|-------|--------|-------|
| Stage 1 — NixOS config | ✅ Backed up | Simpler config (no server services) |
-| Stage 2 — Secrets | ⚠️ Partial | `/etc/nix-bitcoin-secrets` is **skipped** (not applicable for Desktop Only role). `/var/lib/domains` and `/var/lib/secrets` (Hub state) are still backed up if present |
+| Stage 2 — Secrets | ⏭️ Skipped | `/etc/nix-bitcoin-secrets` is not applicable for Desktop Only role |
| Stage 3 — Home directory | ✅ Backed up | **The most important data for this role** |
-| Stage 4 — LND wallet | ⏭️ Skipped | Explicitly skipped — not applicable for Desktop Only role |
+| Stage 4 — System data (`/var/lib`) | ✅ Backed up | Full `/var/lib` backup with `/var/lib/lnd` excluded for Desktop Only role |
This produces the smallest and fastest backup. Stages 1 and 3 are the primary sources of meaningful data.
@@ -62,11 +62,11 @@ Only the Bitcoin ecosystem is active: `bitcoind`, `electrs`, `lnd`, `rtl`, `btcp
| Stage | Status | Notes |
|-------|--------|-------|
| Stage 1 — NixOS config | ✅ Backed up | Node-specific configuration |
-| Stage 2 — Secrets | ✅ Backed up | Bitcoin secrets and Hub state. `/var/lib/domains` may be minimal (BTCPay runs but is not exposed via Caddy) |
+| Stage 2 — Secrets | ✅ Backed up | `/etc/nix-bitcoin-secrets` |
| Stage 3 — Home directory | ✅ Backed up | User data |
-| Stage 4 — LND wallet | ✅ Backed up | **Critical** — Lightning wallet and channel data |
+| Stage 4 — System data (`/var/lib`) | ✅ Backed up | **Critical** — includes Lightning wallet/channel data plus all other `/var/lib` service data |
-All four stages run, matching Server + Desktop behaviour. The `/var/lib/domains` directory may be sparsely populated since non-Bitcoin web services are not configured.
+All four stages run, matching Server + Desktop behaviour. Some non-Bitcoin service directories under `/var/lib` may be sparse or absent depending on role.
---
From 530961874718ddde20ea8f95153ccf5e220ec5c2 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 18 Apr 2026 13:49:07 +0000
Subject: [PATCH 3/4] backup: tighten rsync var-lib exclude patterns
Agent-Logs-Url: https://github.com/naturallaw777/staging_alpha/sessions/d8d4b876-dfc7-42fd-954c-a9e5b05dc497
Co-authored-by: naturallaw777 <99053422+naturallaw777@users.noreply.github.com>
---
app/sovran_systemsos_web/scripts/sovran-hub-backup.sh | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/app/sovran_systemsos_web/scripts/sovran-hub-backup.sh b/app/sovran_systemsos_web/scripts/sovran-hub-backup.sh
index c2434ba..53bbf24 100755
--- a/app/sovran_systemsos_web/scripts/sovran-hub-backup.sh
+++ b/app/sovran_systemsos_web/scripts/sovran-hub-backup.sh
@@ -273,7 +273,7 @@ log "── Stage 4/4: System data (/var/lib) ───────────
if [[ "$ROLE" == "desktop" ]]; then
if [[ -d /var/lib ]]; then
rsync -a --info=progress2 \
- --exclude='lnd/' \
+ --exclude='/lnd/' \
--exclude='*/logs/' \
--exclude='*/log/' \
/var/lib/ "$BACKUP_DIR/var-lib/" 2>&1 | tee -a "$BACKUP_LOG" || \
@@ -284,7 +284,6 @@ if [[ "$ROLE" == "desktop" ]]; then
fi
elif [[ -d /var/lib ]]; then
rsync -a --info=progress2 \
- --exclude='lnd/logs/' \
--exclude='*/logs/' \
--exclude='*/log/' \
/var/lib/ "$BACKUP_DIR/var-lib/" 2>&1 | tee -a "$BACKUP_LOG" || \
From c85eea719dfe733e31f6af87e36548133ec3b5e6 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 18 Apr 2026 13:49:57 +0000
Subject: [PATCH 4/4] backup: harden desktop var-lib exclusions
Agent-Logs-Url: https://github.com/naturallaw777/staging_alpha/sessions/d8d4b876-dfc7-42fd-954c-a9e5b05dc497
Co-authored-by: naturallaw777 <99053422+naturallaw777@users.noreply.github.com>
---
app/sovran_systemsos_web/scripts/sovran-hub-backup.sh | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/app/sovran_systemsos_web/scripts/sovran-hub-backup.sh b/app/sovran_systemsos_web/scripts/sovran-hub-backup.sh
index 53bbf24..d6a285f 100755
--- a/app/sovran_systemsos_web/scripts/sovran-hub-backup.sh
+++ b/app/sovran_systemsos_web/scripts/sovran-hub-backup.sh
@@ -273,7 +273,9 @@ log "── Stage 4/4: System data (/var/lib) ───────────
if [[ "$ROLE" == "desktop" ]]; then
if [[ -d /var/lib ]]; then
rsync -a --info=progress2 \
- --exclude='/lnd/' \
+ --filter='- /lnd/***' \
+ --exclude='logs/' \
+ --exclude='log/' \
--exclude='*/logs/' \
--exclude='*/log/' \
/var/lib/ "$BACKUP_DIR/var-lib/" 2>&1 | tee -a "$BACKUP_LOG" || \
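Review bot: The added `--exclude='logs/'` and `--exclude='log/'` have no slash inside the pattern, so rsync matches them against a directory of that name at any depth under /var/lib/, not only at the top level. That makes the `*/logs/` and `*/log/` lines below them redundant, and it silently drops any service state that happens to live in a directory called `log` or `logs`; I can't tell from the hunk whether an installed service does that, but the backup is the only restore source for it. I would exclude only paths known to be disposable, anchored to the transfer root the way `/lnd/` is, and add a comment like `# leading / anchors to /var/lib/ (the transfer root), not to the filesystem root`. The same two lines are added to the non-desktop rsync in the next hunk.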
@@ -284,6 +286,8 @@ if [[ "$ROLE" == "desktop" ]]; then
fi
elif [[ -d /var/lib ]]; then
rsync -a --info=progress2 \
+ --exclude='logs/' \
+ --exclude='log/' \
--exclude='*/logs/' \
--exclude='*/log/' \
/var/lib/ "$BACKUP_DIR/var-lib/" 2>&1 | tee -a "$BACKUP_LOG" || \
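Review bot: The desktop and non-desktop Stage 4 rsync calls are now identical apart from the `/lnd/` rule, and this patch has to add the same two exclude lines to both, so a later edit that touches only one branch would let the two roles' backups drift apart unnoticed. Building the filter list once in an array and adding the `/lnd/***` rule only for the desktop role leaves a single rsync call to maintain. The if/elif around these lines opens above this hunk and the rsync continuation ends below it, so the sketch stands in for the whole Stage 4 conditional; the desktop-specific failure and completion messages would need the role appended if they are to be kept.

```shell
# rsync applies the first matching rule, so the role-specific one goes first.
stage4_filters=()
if [[ "$ROLE" == "desktop" ]]; then
  stage4_filters+=(--filter='- /lnd/***')
fi
stage4_filters+=(
  --exclude='logs/' --exclude='log/'
  --exclude='*/logs/' --exclude='*/log/'
)
rsync -a --info=progress2 "${stage4_filters[@]}" \
  /var/lib/ "$BACKUP_DIR/var-lib/" 2>&1 | tee -a "$BACKUP_LOG" || \
  fail "Stage 4 failed while copying /var/lib"
# … unchanged: stage-complete log line and the "/var/lib not found" branch …
```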