minecraft-server/scripts/systemd/mc-backup-playerdata.service

[Unit]
Description=Minecraft frequent backup (Class A — playerdata + DBs, every 5 min)
Documentation=https://git.s8n.ru/s8n/minecraft-server/src/branch/main/BACKUP-STRATEGY.md
After=docker.service
Wants=docker.service

[Service]
Type=oneshot
User=user
Group=user
EnvironmentFile=/etc/mc-backup.env
ExecStart=/usr/local/bin/restic-backup-playerdata.sh
Nice=10
IOSchedulingClass=best-effort
IOSchedulingPriority=7

# Hardening — restic only needs read on /opt/docker/minecraft and
# write under TARGET_HOME/restic + /var/lib/mc-backup + /var/log.
ProtectSystem=strict
ProtectHome=read-only
ReadOnlyPaths=/opt/docker/minecraft
ReadWritePaths=/home/user/restic /var/lib/mc-backup /var/log
PrivateTmp=true
NoNewPrivileges=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictSUIDSGID=true
LockPersonality=true
backup: phase 1 + phase 2 scripts; daily script repaired and deployed Repairs the orphaned synapse-signing-key block at scripts/backup.sh lines 119-122 that was exiting the script under set -e before the Minecraft block could run, leaving 5 of the last 7 days without a world backup and zero usable snapshots after 7-day retention. Phase 1 (deployed today to /opt/docker/backup.sh on nullstone): - Repaired script — orphan block removed, MC arm wrapped so failures in one tar don't kill the run - tar exit code 1 ("file changed as we read it") now treated as success on the live MC world; spark profiler tmp file noise silenced via --ignore-failed-read --warning=no-file-changed - Plugin DBs (homestead, AuthMe, CoreProtect, LuckPerms) and configs now backed up alongside the world - Sentinel /opt/backups/.last-success stamped only when the world arm succeeds — gives outside monitors a single mtime to alert on - Manually verified end-to-end: 12G world tarball, 492M plugins, 279M dbs, 14 config files, sentinel updated. Pre-fix script saved at /opt/docker/backup.sh.bak-20260507-pre-phase1. Phase 2 (scripts in repo, deployment pending operator sudo): - scripts/restic-backup-playerdata.sh — Class A 5-min restic snapshots of playerdata/, stats/, advancements/, plugin DBs, LuckPerms; rcon save-all flush before snapshot; tag-scoped retention - scripts/restic-init.sh — one-time bootstrap (root-only) for /etc/mc-backup.{env,pw} + repo init at /home/user/restic/ - scripts/systemd/mc-backup-playerdata.{service,timer} — 5-min timer with hardening (ProtectSystem=strict, ReadOnlyPaths, etc) - docs/RUNBOOK-BACKUP-RESTORE.md updated with both phases' deployment steps and the operator-action checklist Off-host mirror to onyx (Phase 4) and class B/C/D world snapshots (Phase 3) are still TODO — see BACKUP-STRATEGY.md §11 phase plan. 2026-05-07 18:29:30 +01:00			`[Unit]`
			`Description=Minecraft frequent backup (Class A — playerdata + DBs, every 5 min)`
			`Documentation=https://git.s8n.ru/s8n/minecraft-server/src/branch/main/BACKUP-STRATEGY.md`
			`After=docker.service`
			`Wants=docker.service`

			`[Service]`
			`Type=oneshot`
			`User=user`
			`Group=user`
			`EnvironmentFile=/etc/mc-backup.env`
			`ExecStart=/usr/local/bin/restic-backup-playerdata.sh`
			`Nice=10`
			`IOSchedulingClass=best-effort`
			`IOSchedulingPriority=7`

			`# Hardening — restic only needs read on /opt/docker/minecraft and`
			`# write under TARGET_HOME/restic + /var/lib/mc-backup + /var/log.`
			`ProtectSystem=strict`
			`ProtectHome=read-only`
			`ReadOnlyPaths=/opt/docker/minecraft`
			`ReadWritePaths=/home/user/restic /var/lib/mc-backup /var/log`
			`PrivateTmp=true`
			`NoNewPrivileges=true`
			`ProtectKernelTunables=true`
			`ProtectKernelModules=true`
			`ProtectControlGroups=true`
			`RestrictSUIDSGID=true`
			`LockPersonality=true`