feat: configuration backup management with manual and auto backup

Add backup/restore functionality for the SQLite database. Users can
trigger manual backups, configure automatic backups on an interval
with retention policies, list/download/delete backups, and restore
from any backup.

- Backup engine using VACUUM INTO (safe with WAL mode)
- Backup metadata tracked in DB, files stored in DATA_DIR/backups/
- Settings: backup_enabled, backup_interval_hours, backup_retention_count
- API: POST/GET/DELETE /api/backups, download, restore endpoints
- Autobackup via cron scheduler with configurable interval
- Retention: prune on startup, after each backup (manual and auto)
- Orphan cleanup: removes backup files without metadata on startup
- Restore: replaces DB and triggers graceful server shutdown
- Settings UI: /settings/backup with toggle, interval, retention config
- Backup list with download, delete, restore actions
- i18n: English and Russian translations

internal/api/backups.go

@@ -0,0 +1,142 @@
+package api
+
+import (
+	"net/http"
+	"os"
+	"path/filepath"
+
+	"github.com/alexei/docker-watcher/internal/store"
+	"github.com/go-chi/chi/v5"
+)
+
+// listBackups handles GET /api/backups.
+func (s *Server) listBackups(w http.ResponseWriter, r *http.Request) {
+	if s.backupEngine == nil {
+		respondError(w, http.StatusServiceUnavailable, "backup engine not initialized")
+		return
+	}
+
+	backups, err := s.backupEngine.ListBackups()
+	if err != nil {
+		respondError(w, http.StatusInternalServerError, "failed to list backups: "+err.Error())
+		return
+	}
+
+	if backups == nil {
+		backups = []store.Backup{}
+	}
+
+	respondJSON(w, http.StatusOK, backups)
+}
+
+// triggerBackup handles POST /api/backups.
+func (s *Server) triggerBackup(w http.ResponseWriter, r *http.Request) {
+	if s.backupEngine == nil {
+		respondError(w, http.StatusServiceUnavailable, "backup engine not initialized")
+		return
+	}
+
+	backup, err := s.backupEngine.CreateBackup("manual")
+	if err != nil {
+		respondError(w, http.StatusInternalServerError, "failed to create backup: "+err.Error())
+		return
+	}
+
+	// Prune after manual backup too.
+	settings, err := s.store.GetSettings()
+	if err == nil && settings.BackupRetentionCount > 0 {
+		s.backupEngine.Prune(settings.BackupRetentionCount)
+	}
+
+	respondJSON(w, http.StatusCreated, backup)
+}
+
+// downloadBackup handles GET /api/backups/{id}/download.
+func (s *Server) downloadBackup(w http.ResponseWriter, r *http.Request) {
+	if s.backupEngine == nil {
+		respondError(w, http.StatusServiceUnavailable, "backup engine not initialized")
+		return
+	}
+
+	id := chi.URLParam(r, "id")
+	backup, err := s.backupEngine.GetBackup(id)
+	if err != nil {
+		respondError(w, http.StatusNotFound, "backup not found")
+		return
+	}
+
+	filePath := s.backupEngine.FilePath(backup)
+	if _, err := os.Stat(filePath); err != nil {
+		respondError(w, http.StatusNotFound, "backup file not found on disk")
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/octet-stream")
+	w.Header().Set("Content-Disposition", "attachment; filename=\""+filepath.Base(backup.Filename)+"\"")
+	http.ServeFile(w, r, filePath)
+}
+
+// deleteBackup handles DELETE /api/backups/{id}.
+func (s *Server) deleteBackup(w http.ResponseWriter, r *http.Request) {
+	if s.backupEngine == nil {
+		respondError(w, http.StatusServiceUnavailable, "backup engine not initialized")
+		return
+	}
+
+	id := chi.URLParam(r, "id")
+	if err := s.backupEngine.DeleteBackup(id); err != nil {
+		respondError(w, http.StatusInternalServerError, "failed to delete backup: "+err.Error())
+		return
+	}
+
+	respondJSON(w, http.StatusOK, map[string]string{"status": "deleted"})
+}
+
+// restoreBackup handles POST /api/backups/{id}/restore.
+// This replaces the current database with the backup. The server should be restarted after.
+func (s *Server) restoreBackup(w http.ResponseWriter, r *http.Request) {
+	if s.backupEngine == nil {
+		respondError(w, http.StatusServiceUnavailable, "backup engine not initialized")
+		return
+	}
+
+	id := chi.URLParam(r, "id")
+	restorePath, err := s.backupEngine.RestorePath(id)
+	if err != nil {
+		respondError(w, http.StatusNotFound, "backup not found: "+err.Error())
+		return
+	}
+
+	// Read the backup file.
+	backupData, err := os.ReadFile(restorePath)
+	if err != nil {
+		respondError(w, http.StatusInternalServerError, "failed to read backup file: "+err.Error())
+		return
+	}
+
+	// Close the current database to release locks.
+	if err := s.store.Close(); err != nil {
+		respondError(w, http.StatusInternalServerError, "failed to close database: "+err.Error())
+		return
+	}
+
+	// Write backup over the main database file.
+	if err := os.WriteFile(s.dbPath, backupData, 0o644); err != nil {
+		respondError(w, http.StatusInternalServerError, "failed to write database: "+err.Error())
+		return
+	}
+
+	// Remove WAL and SHM files to ensure clean state.
+	os.Remove(s.dbPath + "-wal")
+	os.Remove(s.dbPath + "-shm")
+
+	respondJSON(w, http.StatusOK, map[string]any{
+		"status":  "restored",
+		"message": "Database restored. The server needs to be restarted to apply changes.",
+	})
+
+	// Signal the server to shut down gracefully so it can be restarted.
+	if s.shutdownFunc != nil {
+		go s.shutdownFunc()
+	}
+}

internal/api/router.go

@@ -8,6 +8,7 @@ import (
 	"github.com/go-chi/chi/v5"
 
 	"github.com/alexei/docker-watcher/internal/auth"
+	"github.com/alexei/docker-watcher/internal/backup"
 	"github.com/alexei/docker-watcher/internal/crypto"
 	"github.com/alexei/docker-watcher/internal/dns"
 	"github.com/alexei/docker-watcher/internal/docker"
@@ -40,6 +41,10 @@ type Server struct {
 	dnsProviderMu        sync.RWMutex
 	dnsProvider          dns.Provider
 	onDNSProviderChanged DNSProviderChangedFunc
+
+	backupEngine *backup.Engine
+	dbPath       string
+	shutdownFunc func() // called after restore to trigger graceful shutdown
 }
 
 // NewServer creates a new API Server with all required dependencies.
@@ -86,6 +91,21 @@ func (s *Server) SetProxyManager(pm *proxy.Manager) {
 	s.proxyManager = pm
 }
 
+// SetBackupEngine sets the backup engine on the server.
+func (s *Server) SetBackupEngine(engine *backup.Engine) {
+	s.backupEngine = engine
+}
+
+// SetDBPath sets the database file path (needed for restore).
+func (s *Server) SetDBPath(path string) {
+	s.dbPath = path
+}
+
+// SetShutdownFunc sets the function called after a restore to trigger graceful shutdown.
+func (s *Server) SetShutdownFunc(fn func()) {
+	s.shutdownFunc = fn
+}
+
 // SetDNSProvider sets the current DNS provider on the server.
 func (s *Server) SetDNSProvider(provider dns.Provider) {
 	s.dnsProviderMu.Lock()
@@ -287,6 +307,13 @@ func (s *Server) Router() chi.Router {
 				r.Get("/dns/records", s.listDNSRecords)
 				r.Post("/dns/sync", s.syncDNSRecords)
 				r.Delete("/dns/records/{fqdn}", s.deleteDNSRecord)
+
+				// Backup endpoints.
+				r.Get("/backups", s.listBackups)
+				r.Post("/backups", s.triggerBackup)
+				r.Get("/backups/{id}/download", s.downloadBackup)
+				r.Delete("/backups/{id}", s.deleteBackup)
+				r.Post("/backups/{id}/restore", s.restoreBackup)
 			})
 		})
 	})

internal/api/settings.go

@@ -30,10 +30,13 @@ type settingsRequest struct {
 	SSLCertificateID   *int    `json:"ssl_certificate_id,omitempty"`
 	StaleThresholdDays *int    `json:"stale_threshold_days,omitempty"`
 	AllowedVolumePaths *string `json:"allowed_volume_paths,omitempty"`
-	WildcardDNS        *bool   `json:"wildcard_dns,omitempty"`
-	DNSProvider        *string `json:"dns_provider,omitempty"`
-	CloudflareAPIToken string  `json:"cloudflare_api_token"`
-	CloudflareZoneID   *string `json:"cloudflare_zone_id,omitempty"`
+	WildcardDNS          *bool   `json:"wildcard_dns,omitempty"`
+	DNSProvider          *string `json:"dns_provider,omitempty"`
+	CloudflareAPIToken   string  `json:"cloudflare_api_token"`
+	CloudflareZoneID     *string `json:"cloudflare_zone_id,omitempty"`
+	BackupEnabled        *bool   `json:"backup_enabled,omitempty"`
+	BackupIntervalHours  *int    `json:"backup_interval_hours,omitempty"`
+	BackupRetentionCount *int    `json:"backup_retention_count,omitempty"`
 }
 
 // getSettings handles GET /api/settings.
@@ -62,6 +65,9 @@ func (s *Server) getSettings(w http.ResponseWriter, r *http.Request) {
 		"dns_provider":              settings.DNSProvider,
 		"has_cloudflare_api_token":  settings.CloudflareAPIToken != "",
 		"cloudflare_zone_id":        settings.CloudflareZoneID,
+		"backup_enabled":            settings.BackupEnabled,
+		"backup_interval_hours":     settings.BackupIntervalHours,
+		"backup_retention_count":    settings.BackupRetentionCount,
 		"updated_at":                settings.UpdatedAt,
 	})
 }
@@ -160,6 +166,25 @@ func (s *Server) updateSettings(w http.ResponseWriter, r *http.Request) {
 		updated.CloudflareZoneID = *req.CloudflareZoneID
 	}
 
+	// Backup settings.
+	if req.BackupEnabled != nil {
+		updated.BackupEnabled = *req.BackupEnabled
+	}
+	if req.BackupIntervalHours != nil {
+		if *req.BackupIntervalHours < 1 {
+			respondError(w, http.StatusBadRequest, "backup_interval_hours must be at least 1")
+			return
+		}
+		updated.BackupIntervalHours = *req.BackupIntervalHours
+	}
+	if req.BackupRetentionCount != nil {
+		if *req.BackupRetentionCount < 1 {
+			respondError(w, http.StatusBadRequest, "backup_retention_count must be at least 1")
+			return
+		}
+		updated.BackupRetentionCount = *req.BackupRetentionCount
+	}
+
 	if err := s.store.UpdateSettings(updated); err != nil {
 		respondError(w, http.StatusInternalServerError, "failed to update settings: "+err.Error())
 		return