Complete Cross-Drive Backup + Per-Tier UI (v0.12.8)

controller/README.md

@@ -163,19 +163,23 @@ The `/apps/{slug}` page renders hero section, screenshots, setup guide, and opti
 
 ### 2. Backup System
 
-The backup system implements a **3-2-1 backup architecture**:
+The backup system implements a **3-2-1 backup architecture**. Each tier is a **complete,
+self-sufficient backup** — any single tier can fully restore an app.
 
-| Rule | What | Where | Status |
-|------|------|-------|--------|
-| **1. Nightly backup** | DB dumps + config + ALL user data | Same drive as app | Mandatory, automatic |
-| **2. Cross-drive backup** | User data copy to secondary drive | Different physical device | Opt-in per app |
-| **3. Remote backup** | Offsite copy for disaster recovery | Cloud / remote server | Future |
+| Tier | Contents | Location | Can fully restore? |
+|------|----------|----------|--------------------|
+| **1. Nightly restic** | DB + Config + User data | Same drive as app | Yes (not against drive failure) |
+| **2. Cross-drive** | DB + Config + User data | Different physical device | Yes |
+| **3. Remote** | Everything | Cloud / remote server | Future |
 
-**Key principle:** User data backup is **mandatory** — every app with HDD bind mounts
-is included in the nightly restic snapshot automatically. There is no per-app toggle.
-The `AppBackupPrefs.Enabled` field in settings.json is legacy and not read by any code.
+**Key principles:**
+- User data backup is **mandatory** — every app with HDD bind mounts is included
+  automatically. There is no per-app toggle.
+- Each tier includes **everything** needed to restore: DB dumps, config, and user data.
+  No tier depends on another tier's data.
+- The `AppBackupPrefs.Enabled` field in settings.json is legacy and not read by any code.
 
-#### Rule 1: Nightly Backup (mandatory, same drive)
+#### Tier 1: Nightly Backup (mandatory, same drive)
 
 The nightly backup has two phases that run sequentially:
 
@@ -199,18 +203,18 @@ The nightly backup has two phases that run sequentially:
 - Weekly prune on Sundays with configurable retention (keep-daily, keep-weekly, keep-monthly)
 - Weekly integrity check (`restic check`) on Sunday 04:00
 
-**What this protects against:** accidental deletion, data corruption, point-in-time rollback.
+**Protects against:** accidental deletion, data corruption, point-in-time rollback.
 Does NOT protect against drive failure (backup is on the same physical drive).
 
-#### Rule 2: Cross-Drive Backup (opt-in, different device) (`internal/backup/crossdrive.go`)
+#### Tier 2: Cross-Drive Backup (opt-in, different device) (`internal/backup/crossdrive.go`)
 
-Copies user data to a **different physical drive**, providing the second copy for 3-2-1.
+**Complete backup** to a different physical drive — DB dumps + config + user data.
 
 - **Two methods:**
-  - **rsync** — Simple mirror with `--delete` (fast, no versioning)
-  - **restic** — Versioned, deduplicated, encrypted (shared repo across apps, auto-generated password)
+  - **rsync** — Simple mirror with `--delete` (fast, no versioning, **browsable** on disk)
+  - **restic** — Versioned, deduplicated, encrypted (shared repo across apps, not browsable)
 - Per-app configuration in settings.json: destination path, method, schedule (daily/weekly/manual)
-- **Pre-backup DB dump:** `DumpStackDB()` runs fresh pg_dump/mariadb-dump before each cross-drive backup to ensure DB state matches user data; non-fatal on failure (wired via `DBDumper` interface to avoid circular imports)
+- **Pre-backup DB dump:** `DumpStackDB()` runs fresh pg_dump/mariadb-dump before each cross-drive backup; non-fatal on failure (wired via `DBDumper` interface to avoid circular imports)
 - **Drive-type-aware validation** (`ValidateDestination`):
 
   | Destination type | Space checks |
@@ -218,20 +222,26 @@ Copies user data to a **different physical drive**, providing the second copy fo
   | External mount (different device than `/`) | Block if <100 MB free |
   | System drive (same device as `/`) | Require ≥10 GB free AND <90% used; logged warning |
 
-- **Rsync destination layout:**
-  - Single mount: `backups/rsync/<app>/` (flat, no extra nesting)
-  - Multiple mounts: `backups/rsync/<app>/<leaf>/` per mount; duplicate leaf names get `_N` suffix
-  - DB dump files excluded (`--exclude backups/*.sql.gz/sql/dump`) — already handled by pg_dump
+- **Rsync destination layout** (complete — can restore app independently):
+  ```
+  backups/rsync/<app>/
+    _db/              ← DB dump files (stackName_postgres.sql, etc.)
+    _config/          ← compose.yml, app.yaml, .felhom.yml
+    <user data>       ← HDD mount contents (single mount: flat; multi-mount: leaf subfolders)
+  ```
+  - DB dump files excluded from user data rsync (`--exclude backups/*.sql.gz/sql/dump`) to avoid duplicating app-internal dumps
+  - `_` prefix directories prevent collision with user data
+- **Restic backup paths:** includes HDD mounts + config dir + DB dump dir (deduplication handles overlap)
 - Safety guards: destination ≠ source, path-overlap check, writable check
 - **Chained execution:** runs immediately after nightly restic — daily apps every night, weekly apps on Sundays
 - Per-app concurrency lock prevents overlapping runs
 - Status (last_run, duration, size, error) persisted to settings.json
 
-**What this protects against:** primary drive failure, drive theft/damage.
+**Protects against:** primary drive failure, drive theft/damage.
 
-#### Rule 3: Remote Backup (future)
+#### Tier 3: Remote Backup (future)
 
-Offsite backup for disaster recovery. Not yet implemented.
+Complete offsite backup for disaster recovery. Not yet implemented.
 
 #### Restore (`internal/backup/restore.go`)
 
@@ -244,7 +254,7 @@ All deployed apps appear in the restore dropdown — every app has restic snapsh
 | DB only, no HDD | ✓ | ✓ | n/a |
 | No DB, no HDD | ✓ | — | n/a |
 
-- **Snapshot API** returns ALL snapshots unfiltered — older snapshots (pre-mandatory HDD backup) still allow config+DB restore; `RestoreApp` extracts whatever paths are available
+- **Snapshot API** returns ALL snapshots unfiltered — older snapshots still allow config+DB restore; `RestoreApp` extracts whatever paths are available
 - **Restore type info** shown per-app when selected in dropdown (Hungarian banners):
   - Has HDD: "Teljes visszaállítás: adatbázis + konfiguráció + felhasználói adatok"
   - Has DB, no HDD: "Adatbázis és konfiguráció visszaállítása"
@@ -253,9 +263,12 @@ All deployed apps appear in the restore dropdown — every app has restic snapsh
 - Running flag prevents concurrent backup/restore operations
 - Snapshot ID validated (8–64 lowercase hex)
 
+**Note:** Restore currently uses Tier 1 (primary restic repo) only. Restoring from Tier 2
+(cross-drive) is a future enhancement.
+
 #### Backup Page UI (`internal/web/templates/backups.html`)
 
-Unified per-app status table with expandable rows showing 3 backup layers per app:
+Unified per-app status table with expandable rows showing **per-tier** backup status:
 
 **Status dot per app:**
 
@@ -266,13 +279,17 @@ Unified per-app status table with expandable rows showing 3 backup layers per ap
 | Red | Cross-drive destination blocked or inaccessible |
 | Gray (auto) | No user data — only config/DB backup (automatic) |
 
-**Three backup layers per app row:**
-1. **Adatbázis mentés** — Auto badge + last run timestamp + status
-2. **Konfiguráció** — Auto badge + last restic snapshot timestamp + status
-3. **Felhasználói adatok** — one of:
-   - Cross-drive configured: method + destination + schedule + last run + status + "Futtatás most" button
-   - HDD data, no cross-drive: "✓ Helyi mentés auto" (green) + "⚠ Nincs 2. másolat" (yellow) + settings link
-   - No HDD data: "— (nincs HDD adat)" (muted)
+**Per-app backup tiers:**
+- **1. mentés** (Tier 1, always present) — Auto badge + "helyi" + last run + contents (e.g., "DB + Konfig + Adatok")
+- **2. mentés** (Tier 2, only for apps with HDD data) — one of:
+  - Configured: method (rsync/restic) + destination + schedule + last run + status + contents + browsable indicator (📁 for rsync) + action buttons
+  - Not configured: "✓ 1. mentés auto" + "⚠ Nincs 2. másolat" + settings link
+
+**Backup contents per app** (shown per tier):
+- Apps with DB + HDD: "DB + Konfig + Adatok"
+- Apps with DB only: "DB + Konfig"
+- Apps with HDD, no DB: "Konfig + Adatok"
+- Apps with neither: "Konfig"
 
 **Other sections:**
 - Schedule overview with next run times for DB dump, restic, prune