# System backup contracts — declarative description of how out-of-cluster
# artefacts are backed up: etcd, k8s certs, host configs, external DNS,
# builder environment, provisioning state itself, log archives, vault state.
# Triggered by system cron / systemd timer / daemon coordinator.
#
# This file exports three record contracts: HostSelector,
# SystemBackupTarget and SystemBackupDef. Contracts prefixed `bp.` and
# `vault.` come from the two imports below and are not visible here.
let bp = import "backup_policy.ncl" in
let vault = import "vault_refs.ncl" in
{
  # Selector for the host(s) where the backup runs. Either an explicit list
  # of hostnames, a control-plane role selector, or a single primary.
  #
  # NOTE(review): `members` defaults to [] and nothing in this contract
  # requires it to be non-empty when kind = 'list (or empty otherwise).
  # How an empty 'list resolves is up to the consumer; confirm it resolves
  # to "no hosts" rather than falling back to a wider set.
  HostSelector = {
    kind | [|
      'cp_only,
      'cp_first,
      'control_planes,
      'workers,
      'all_servers,
      'list
    |],
    members | Array String | doc "Hostnames when kind = 'list" | default = [],
  },

  # Discriminated target: what kind of off-cluster artefact is being captured.
  #
  # Only `kind` is required. Every per-kind field below is either `optional`
  # or defaults to an empty array, so this contract does not tie a field to
  # its kind: a 'etcd target with no endpoints and no TLS references, or a
  # 'vault_state target with no vault_endpoint, still satisfies it. Per-kind
  # requirements have to be enforced by the consumer or by a further
  # contract.
  SystemBackupTarget = {
    kind | [|
      'etcd,
      'k8s_certs,
      'cluster_resources,
      'longhorn_engine,
      'host_configs,
      'external_dns,
      'builder_env,
      'provisioning_state,
      'logs_archive,
      'sops_keys,
      'vault_state
    |],

    # 'etcd
    # The three *_ref fields are vault.VaultCredRef values, not inline
    # strings; presumably the CA, client certificate and client key for
    # the listed endpoints (TODO confirm). Each is independently optional,
    # so a partial set (e.g. cert_ref without key_ref) is accepted here.
    endpoints | Array String | default = [],
    ca_ref | vault.VaultCredRef | optional,
    cert_ref | vault.VaultCredRef | optional,
    key_ref | vault.VaultCredRef | optional,

    # 'k8s_certs / 'host_configs / 'logs_archive (paths)
    # NOTE(review): for 'k8s_certs the captured paths presumably include
    # private keys, which would make the artefact as sensitive as the keys
    # themselves; confirm that destination access control and `encryption`
    # in SystemBackupDef are set accordingly.
    paths | Array String | default = [],
    exclude | Array String | default = [],

    # 'cluster_resources
    namespaces | Array String | default = [],
    kinds | Array String | default = [],

    # 'longhorn_engine
    components | Array String | default = [],

    # 'external_dns
    # NOTE(review): source_kind lists three DNS servers ('coredns,
    # 'powerdns, 'unbound) next to 'loki, 'journald and 'files, which look
    # like log sources; presumably the field is shared with 'logs_archive.
    # Confirm against the consumer.
    source_kind | [|
      'coredns,
      'powerdns,
      'unbound,
      'loki,
      'journald,
      'files
    |] | optional,
    config_paths| Array String | default = [],
    zones_paths | Array String | default = [],

    # 'builder_env
    # `secrets` holds secret *names* per its doc string. It is typed as
    # plain String, so nothing here stops a secret value being written
    # inline; keep entries to names only.
    tools | Array String | default = [],
    secrets | Array String | doc "Secret names that must accompany the artefact" | default = [],

    # 'provisioning_state
    definitions_path | String | optional,
    state_path | String | optional,
    lock_path | String | optional,

    # 'logs_archive
    selector | String | optional,
    format | [| 'jsonl_gz, 'tar_gz, 'restic_native |] | optional,

    # 'sops_keys / 'vault_state
    # NOTE(review): age_keys and recipients are plain strings. This file
    # does not say whether age_keys holds key file paths, identifiers or
    # key material. Private key material should not be written inline in a
    # definition file; confirm these are paths or references.
    # NOTE(review): vault_endpoint is an unconstrained String (no scheme
    # check here); confirm the consumer validates it.
    age_keys | Array String | default = [],
    recipients | Array String | default = [],
    vault_endpoint | String | optional,
    vault_paths | Array String | default = [],
  },

  # One named backup job: what to capture, where it runs, how it is
  # scheduled and retained, and where the result is stored.
  #
  # Required fields (no `optional`, no default): name, target,
  # host_selector, provider, schedule, retention, destinations, encryption,
  # tag_strategy. `encryption` being required means a definition without a
  # vault.VaultKeyRef does not satisfy this contract.
  #
  # NOTE(review): `destinations` is an Array with no minimum length in this
  # file, so [] is accepted unless bp.Destination or the consumer rejects
  # it. `verify` is optional, so a job may run without a verification
  # policy.
  # NOTE(review): the CLI example in the `name` doc string appears to have
  # lost its argument placeholder before the closing parenthesis; confirm
  # against the original file.
  # NOTE(review): bp.Hooks is not shown here. If hooks run commands on the
  # backup host, write access to these definitions carries the runner's
  # privileges; confirm who may edit them.
  SystemBackupDef = {
    name | String | doc "Identifier (used in CLI: prvng-backup one-shot backup )",
    target | SystemBackupTarget,
    host_selector | HostSelector,
    provider | bp.BackupProviderRef,
    schedule | bp.Schedule,
    retention | bp.RetentionPolicy,
    destinations | Array bp.Destination,
    encryption | vault.VaultKeyRef,
    tag_strategy | bp.TagStrategy,
    verify | bp.VerifyPolicyRef | optional,
    hooks | bp.Hooks | optional,
    throttle | bp.Throttle | optional,
  },
}