RubyGems - kamal-backup - Versions diffs - 0.3.0.beta20 → 0.3.0 - Mend

kamal-backup 0.3.0.beta20 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (22) hide show

checksums.yaml +4 -4
data/README.md +1 -0
data/exe/kamal-backup +7 -6
data/lib/kamal_backup/app.rb +350 -356
data/lib/kamal_backup/cli.rb +107 -111
data/lib/kamal_backup/command.rb +165 -161
data/lib/kamal_backup/config.rb +555 -437
data/lib/kamal_backup/databases/base.rb +17 -14
data/lib/kamal_backup/databases/mysql.rb +68 -67
data/lib/kamal_backup/databases/postgres.rb +59 -58
data/lib/kamal_backup/databases/sqlite.rb +21 -20
data/lib/kamal_backup/errors.rb +3 -1
data/lib/kamal_backup/evidence.rb +62 -61
data/lib/kamal_backup/kamal_bridge.rb +254 -250
data/lib/kamal_backup/rails_app.rb +102 -101
data/lib/kamal_backup/redactor.rb +18 -13
data/lib/kamal_backup/restic.rb +196 -163
data/lib/kamal_backup/scheduler.rb +17 -14
data/lib/kamal_backup/schema.rb +2 -0
data/lib/kamal_backup/version.rb +3 -1
data/lib/kamal_backup.rb +19 -17
metadata +30 -2

data/lib/kamal_backup/config.rb CHANGED Viewed

@@ -1,21 +1,23 @@
-require "uri"
-require "yaml"
-require_relative "errors"
-require_relative "rails_app"
+# frozen_string_literal: true
+require 'uri'
+require 'yaml'
+require_relative 'errors'
+require_relative 'rails_app'
 module KamalBackup
   class Config
     DEFAULT_RETENTION = {
-      "RESTIC_KEEP_LAST" => "7",
-      "RESTIC_KEEP_DAILY" => "7",
-      "RESTIC_KEEP_WEEKLY" => "4",
-      "RESTIC_KEEP_MONTHLY" => "6",
-      "RESTIC_KEEP_YEARLY" => "2"
+      'RESTIC_KEEP_LAST' => '7',
+      'RESTIC_KEEP_DAILY' => '7',
+      'RESTIC_KEEP_WEEKLY' => '4',
+      'RESTIC_KEEP_MONTHLY' => '6',
+      'RESTIC_KEEP_YEARLY' => '2'
     }.freeze
     SUSPICIOUS_BACKUP_PATHS = %w[/ /var /etc /root /usr /bin /sbin /boot /dev /proc /sys /run].freeze
-    SHARED_CONFIG_PATH = "config/kamal-backup.yml"
-    LOCAL_CONFIG_PATH = "config/kamal-backup.local.yml"
+    SHARED_CONFIG_PATH = 'config/kamal-backup.yml'
+    LOCAL_CONFIG_PATH = 'config/kamal-backup.local.yml'
     DEFAULT_CONFIG_PATHS = [SHARED_CONFIG_PATH, LOCAL_CONFIG_PATH].freeze
     TOP_LEVEL_YAML_KEYS = %w[app accessory databases paths restore_from restic backup state].freeze
     LEGACY_YAML_KEYS = %w[
@@ -46,11 +48,13 @@ module KamalBackup
       pgpassword
       mysql_pwd
     ].freeze
-    ConfigData = Struct.new(:env, :database_definitions, :path_definitions, :restore_from_definitions, keyword_init: true) do
+    ConfigData = Struct.new(:env, :database_definitions, :path_definitions, :restore_from_definitions,
+                            keyword_init: true) do
       def self.empty
         new(env: {}, database_definitions: nil, path_definitions: nil, restore_from_definitions: nil)
       end
     end
+    PathDefinition = Struct.new(:path, :exclude, keyword_init: true)
     class DatabaseSource
       CONNECTION_KEYS = %w[
@@ -97,7 +101,7 @@ module KamalBackup
       end
       def database_name
-        name.empty? ? "app" : name
+        name.empty? ? 'app' : name
       end
       def database_adapter
@@ -144,93 +148,99 @@ module KamalBackup
     end
     def app_name
-      value("APP_NAME")
+      value('APP_NAME')
     end
     def required_app_name
-      required_value("APP_NAME")
+      required_value('APP_NAME')
     end
     def accessory_name
-      value("KAMAL_BACKUP_ACCESSORY")
+      value('KAMAL_BACKUP_ACCESSORY')
     end
     def restic_repository
-      value("RESTIC_REPOSITORY")
+      value('RESTIC_REPOSITORY')
     end
     def restic_repository_file
-      value("RESTIC_REPOSITORY_FILE")
+      value('RESTIC_REPOSITORY_FILE')
     end
     def restic_password
-      value("RESTIC_PASSWORD")
+      value('RESTIC_PASSWORD')
     end
     def restic_password_file
-      value("RESTIC_PASSWORD_FILE")
+      value('RESTIC_PASSWORD_FILE')
     end
     def restic_password_command
-      value("RESTIC_PASSWORD_COMMAND")
+      value('RESTIC_PASSWORD_COMMAND')
     end
     def restic_init_if_missing?
-      truthy?("RESTIC_INIT_IF_MISSING")
+      truthy?('RESTIC_INIT_IF_MISSING')
     end
     def check_after_backup?
-      truthy?("RESTIC_CHECK_AFTER_BACKUP")
+      truthy?('RESTIC_CHECK_AFTER_BACKUP')
     end
     def forget_after_backup?
-      !falsey?("RESTIC_FORGET_AFTER_BACKUP")
+      !falsey?('RESTIC_FORGET_AFTER_BACKUP')
     end
     def check_read_data_subset
-      value("RESTIC_CHECK_READ_DATA_SUBSET")
+      value('RESTIC_CHECK_READ_DATA_SUBSET')
     end
     def allow_in_place_file_restore?
-      truthy?("KAMAL_BACKUP_ALLOW_IN_PLACE_FILE_RESTORE")
+      truthy?('KAMAL_BACKUP_ALLOW_IN_PLACE_FILE_RESTORE')
     end
     def allow_suspicious_backup_paths?
-      truthy?("KAMAL_BACKUP_ALLOW_SUSPICIOUS_PATHS")
+      truthy?('KAMAL_BACKUP_ALLOW_SUSPICIOUS_PATHS')
     end
     def backup_schedule_seconds
-      integer("BACKUP_SCHEDULE_SECONDS", 86_400, minimum: 1)
+      integer('BACKUP_SCHEDULE_SECONDS', 86_400, minimum: 1)
     end
     def backup_start_delay_seconds
-      integer("BACKUP_START_DELAY_SECONDS", 0, minimum: 0)
+      integer('BACKUP_START_DELAY_SECONDS', 0, minimum: 0)
     end
     def state_dir
-      value("KAMAL_BACKUP_STATE_DIR") || "/var/lib/kamal-backup"
+      value('KAMAL_BACKUP_STATE_DIR') || '/var/lib/kamal-backup'
     end
     def last_check_path
-      File.join(state_dir, "last_check.json")
+      File.join(state_dir, 'last_check.json')
     end
     def last_backup_path
-      File.join(state_dir, "last_backup.json")
+      File.join(state_dir, 'last_backup.json')
     end
     def last_restore_drill_path
-      File.join(state_dir, "last_restore_drill.json")
+      File.join(state_dir, 'last_restore_drill.json')
     end
     def backup_paths
       if path_definitions?
-        @path_definitions
+        @path_definitions.map(&:path)
       else
         legacy_backup_paths
       end
     end
+    def backup_path_excludes(paths = backup_paths)
+      paths = Array(paths).compact.map(&:to_s).reject(&:empty?)
+      configured_backup_path_excludes(paths) + sqlite_backup_path_excludes(paths)
+    end
     def local_restore_source_paths
       if path_definitions?
         @restore_from_definitions || legacy_local_restore_source_paths || backup_paths
@@ -243,16 +253,14 @@ module KamalBackup
       source_paths = local_restore_source_paths
       target_paths = backup_paths
-      if source_paths.size == target_paths.size
-        source_paths.zip(target_paths)
-      else
-        raise ConfigurationError, "local restore source paths must contain the same number of paths as file paths"
-      end
+      raise ConfigurationError, 'local restore source paths must contain the same number of paths as file paths' unless source_paths.size == target_paths.size
+      source_paths.zip(target_paths)
     end
     def backup_path_label(path)
-      label = path.to_s.sub(%r{\A/+}, "").gsub(%r{[^A-Za-z0-9_.-]+}, "-")
-      label.empty? ? "root" : label
+      label = path.to_s.sub(%r{\A/+}, '').gsub(/[^A-Za-z0-9_.-]+/, '-')
+      label.empty? ? 'root' : label
     end
     def database_adapter
@@ -264,36 +272,34 @@ module KamalBackup
     end
     def database_name
-      "app"
+      'app'
     end
     def databases
-      @databases ||= begin
-        if database_definitions?
-          @database_definitions.map do |definition|
-            DatabaseSource.new(
-              parent: self,
-              name: definition.fetch(:name),
-              adapter: definition.fetch(:adapter),
-              env: definition.fetch(:env),
-              structured: true,
-              missing_secrets: definition.fetch(:missing_secrets, [])
-            )
-          end
-        elsif legacy_database_adapter
-          [
-            DatabaseSource.new(
-              parent: self,
-              name: database_name,
-              adapter: legacy_database_adapter,
-              env: {},
-              structured: false
-            )
-          ]
-        else
-          []
-        end
-      end
+      @databases ||= if database_definitions?
+                       @database_definitions.map do |definition|
+                         DatabaseSource.new(
+                           parent: self,
+                           name: definition.fetch(:name),
+                           adapter: definition.fetch(:adapter),
+                           env: definition.fetch(:env),
+                           structured: true,
+                           missing_secrets: definition.fetch(:missing_secrets, [])
+                         )
+                       end
+                     elsif legacy_database_adapter
+                       [
+                         DatabaseSource.new(
+                           parent: self,
+                           name: database_name,
+                           adapter: legacy_database_adapter,
+                           env: {},
+                           structured: false
+                         )
+                       ]
+                     else
+                       []
+                     end
     end
     def retention
@@ -309,7 +315,7 @@ module KamalBackup
         number = Integer(raw)
         next if number <= 0
-        flag = "--#{key.sub("RESTIC_KEEP_", "keep-").downcase.tr("_", "-")}"
+        flag = "--#{key.sub('RESTIC_KEEP_', 'keep-').downcase.tr('_', '-')}"
         args.concat([flag, number.to_s])
       rescue ArgumentError
         raise ConfigurationError, "#{key} must be an integer"
@@ -334,27 +340,34 @@ module KamalBackup
     end
     def validate_database_backup(check_files: true)
-      raise ConfigurationError, "databases must contain at least one database" if databases.empty?
+      raise ConfigurationError, 'databases must contain at least one database' if databases.empty?
       databases.each do |database|
         unless database.missing_secrets.empty?
-          raise ConfigurationError, "database #{database.database_name} requires missing secret #{database.missing_secrets.join(", ")}"
+          raise ConfigurationError,
+                "database #{database.database_name} requires missing secret #{database.missing_secrets.join(', ')}"
         end
         case database.database_adapter
-        when "postgres"
-          unless database.value("DATABASE_URL") || database.value("PGDATABASE")
-            raise ConfigurationError, "PostgreSQL database #{database.database_name} requires url or PGDATABASE/libpq environment"
+        when 'postgres'
+          unless database.value('DATABASE_URL') || database.value('PGDATABASE')
+            raise ConfigurationError,
+                  "PostgreSQL database #{database.database_name} requires url or PGDATABASE/libpq environment"
+          end
+        when 'mysql'
+          unless database.value('DATABASE_URL') || database.value('MYSQL_DATABASE') || database.value('MARIADB_DATABASE')
+            raise ConfigurationError,
+                  "MySQL database #{database.database_name} requires url or MYSQL_DATABASE/MARIADB_DATABASE"
           end
-        when "mysql"
-          unless database.value("DATABASE_URL") || database.value("MYSQL_DATABASE") || database.value("MARIADB_DATABASE")
-            raise ConfigurationError, "MySQL database #{database.database_name} requires url or MYSQL_DATABASE/MARIADB_DATABASE"
+        when 'sqlite'
+          path = database.required_value('SQLITE_DATABASE_PATH')
+          if check_files && !File.file?(path)
+            raise ConfigurationError,
+                  "SQLite database #{database.database_name} does not exist: #{path}"
           end
-        when "sqlite"
-          path = database.required_value("SQLITE_DATABASE_PATH")
-          raise ConfigurationError, "SQLite database #{database.database_name} does not exist: #{path}" if check_files && !File.file?(path)
         else
-          raise ConfigurationError, "database #{database.database_name} adapter is required and must be postgres, mysql, or sqlite"
+          raise ConfigurationError,
+                "database #{database.database_name} adapter is required and must be postgres, mysql, or sqlite"
         end
       end
     end
@@ -363,49 +376,49 @@ module KamalBackup
       backup_paths.each do |path|
         expanded = File.expand_path(path)
         if SUSPICIOUS_BACKUP_PATHS.include?(expanded) && !allow_suspicious_backup_paths?
-          raise ConfigurationError, "refusing suspicious backup path #{expanded}; set KAMAL_BACKUP_ALLOW_SUSPICIOUS_PATHS=true to override"
+          raise ConfigurationError,
+                "refusing suspicious backup path #{expanded}; set KAMAL_BACKUP_ALLOW_SUSPICIOUS_PATHS=true to override"
         end
         raise ConfigurationError, "backup path does not exist: #{path}" if check_files && !File.exist?(path)
       end
     end
     def validate_local_database_restore_target(target)
-      raise ConfigurationError, "local restore database target is required" if target.to_s.strip.empty?
+      raise ConfigurationError, 'local restore database target is required' if target.to_s.strip.empty?
-      if production_named_target?(target)
-        raise ConfigurationError, "refusing production-looking local restore target #{target}; use restore production for production restores"
-      end
+      return unless production_named_target?(target)
+      raise ConfigurationError,
+            "refusing production-looking local restore target #{target}; use restore production for production restores"
     end
     def validate_file_restore_target(target)
-      raise ConfigurationError, "restore target cannot be empty" if target.to_s.strip.empty?
+      raise ConfigurationError, 'restore target cannot be empty' if target.to_s.strip.empty?
       expanded_target = File.expand_path(target)
-      raise ConfigurationError, "refusing to restore files to /" if expanded_target == "/"
+      raise ConfigurationError, 'refusing to restore files to /' if expanded_target == '/'
       if in_place_file_restore?(expanded_target) && !allow_in_place_file_restore?
-        raise ConfigurationError, "refusing in-place file restore to #{expanded_target}; set KAMAL_BACKUP_ALLOW_IN_PLACE_FILE_RESTORE=true to override"
+        raise ConfigurationError,
+              "refusing in-place file restore to #{expanded_target}; set KAMAL_BACKUP_ALLOW_IN_PLACE_FILE_RESTORE=true to override"
       end
       expanded_target
     end
     def validate_database_restore_target(target)
-      raise ConfigurationError, "restore database target is required" if target.to_s.strip.empty?
+      raise ConfigurationError, 'restore database target is required' if target.to_s.strip.empty?
-      if production_like_target?(target)
-        raise ConfigurationError, "refusing production-looking restore target #{target}; choose a scratch target that does not look like production"
-      end
+      return unless production_like_target?(target)
+      raise ConfigurationError,
+            "refusing production-looking restore target #{target}; choose a scratch target that does not look like production"
     end
     def production_like_target?(target)
       target = target.to_s
-      if source_database_targets.include?(target)
-        true
-      else
-        production_named_target?(target.downcase)
-      end
+      source_database_targets.include?(target) || production_named_target?(target.downcase)
     end
     def value(key)
@@ -429,450 +442,555 @@ module KamalBackup
     end
     private
-      def project_defaults(cwd:)
-        RailsApp.new(cwd: cwd).defaults
-      end
-      def load_config_files(raw_env, cwd:, paths:)
-        config_paths(raw_env, cwd: cwd, paths: paths).each_with_object(ConfigData.empty) do |path, merged|
-          next unless File.file?(path)
+    def project_defaults(cwd:)
+      RailsApp.new(cwd: cwd).defaults
+    end
-          data = normalize_config_file(path, raw_env: raw_env)
-          merged.env.merge!(data.env)
-          merged.database_definitions = data.database_definitions if data.database_definitions
-          merged.path_definitions = data.path_definitions if data.path_definitions
-          merged.restore_from_definitions = data.restore_from_definitions if data.restore_from_definitions
-        end
-      end
+    def load_config_files(raw_env, cwd:, paths:)
+      config_paths(raw_env, cwd: cwd, paths: paths).each_with_object(ConfigData.empty) do |path, merged|
+        next unless File.file?(path)
-      def config_paths(raw_env, cwd:, paths:)
-        if paths
-          Array(paths).map { |path| File.expand_path(path, cwd) }
-        elsif explicit = raw_env["KAMAL_BACKUP_CONFIG"]
-          [File.expand_path(explicit, cwd)]
-        else
-          DEFAULT_CONFIG_PATHS.map { |relative| File.expand_path(relative, cwd) }
-        end
+        data = normalize_config_file(path, raw_env: raw_env)
+        merged.env.merge!(data.env)
+        merged.database_definitions = data.database_definitions if data.database_definitions
+        merged.path_definitions = data.path_definitions if data.path_definitions
+        merged.restore_from_definitions = data.restore_from_definitions if data.restore_from_definitions
       end
+    end
-      def validate_restic_repository(check_files:)
-        return if restic_repository
+    def config_paths(raw_env, cwd:, paths:)
+      if paths
+        Array(paths).map { |path| File.expand_path(path, cwd) }
+      elsif (explicit = raw_env['KAMAL_BACKUP_CONFIG'])
+        [File.expand_path(explicit, cwd)]
+      else
+        DEFAULT_CONFIG_PATHS.map { |relative| File.expand_path(relative, cwd) }
+      end
+    end
-        if path = restic_repository_file
-          raise ConfigurationError, "RESTIC_REPOSITORY_FILE does not exist: #{path}" if check_files && !File.file?(path)
+    def validate_restic_repository(check_files:)
+      return if restic_repository
-          return
-        end
+      if (path = restic_repository_file)
+        raise ConfigurationError, "RESTIC_REPOSITORY_FILE does not exist: #{path}" if check_files && !File.file?(path)
-        raise ConfigurationError, "RESTIC_REPOSITORY or RESTIC_REPOSITORY_FILE is required"
+        return
       end
-      def validate_restic_password(check_files:)
-        return if restic_password || restic_password_command
+      raise ConfigurationError, 'RESTIC_REPOSITORY or RESTIC_REPOSITORY_FILE is required'
+    end
-        if path = restic_password_file
-          raise ConfigurationError, "RESTIC_PASSWORD_FILE does not exist: #{path}" if check_files && !File.file?(path)
+    def validate_restic_password(check_files:)
+      return if restic_password || restic_password_command
-          return
-        end
+      if (path = restic_password_file)
+        raise ConfigurationError, "RESTIC_PASSWORD_FILE does not exist: #{path}" if check_files && !File.file?(path)
-        raise ConfigurationError, "RESTIC_PASSWORD, RESTIC_PASSWORD_FILE, or RESTIC_PASSWORD_COMMAND is required"
+        return
       end
-      def normalize_config_file(path, raw_env:)
-        data = YAML.safe_load(File.read(path), permitted_classes: [], aliases: false)
-        return ConfigData.empty if data.nil?
+      raise ConfigurationError, 'RESTIC_PASSWORD, RESTIC_PASSWORD_FILE, or RESTIC_PASSWORD_COMMAND is required'
+    end
-        unless data.is_a?(Hash)
-          raise ConfigurationError, "#{path} must contain a YAML mapping"
-        end
+    def normalize_config_file(path, raw_env:)
+      data = YAML.safe_load(File.read(path), permitted_classes: [], aliases: false)
+      return ConfigData.empty if data.nil?
-        result = ConfigData.empty
-        data.each do |raw_key, raw_value|
-          key = raw_key.to_s
-          validate_top_level_yaml_key!(path, key)
-          case key
-          when "app"
-            result.env["APP_NAME"] = normalize_yaml_value(raw_value)
-          when "accessory"
-            result.env["KAMAL_BACKUP_ACCESSORY"] = normalize_yaml_value(raw_value)
-          when "databases"
-            result.database_definitions = normalize_yaml_databases(raw_value, raw_env: raw_env, path: path)
-          when "paths"
-            result.path_definitions = normalize_yaml_paths(raw_value, "#{path} paths")
-          when "restore_from"
-            result.restore_from_definitions = normalize_yaml_paths(raw_value, "#{path} restore_from")
-          when "restic"
-            result.env.merge!(normalize_yaml_restic(raw_value, raw_env: raw_env, path: path))
-          when "backup"
-            result.env.merge!(normalize_yaml_backup(raw_value, path: path))
-          when "state"
-            result.env.merge!(normalize_yaml_state(raw_value, path: path))
-          end
+      raise ConfigurationError, "#{path} must contain a YAML mapping" unless data.is_a?(Hash)
+      result = ConfigData.empty
+      data.each do |raw_key, raw_value|
+        key = raw_key.to_s
+        validate_top_level_yaml_key!(path, key)
+        case key
+        when 'app'
+          result.env['APP_NAME'] = normalize_yaml_value(raw_value)
+        when 'accessory'
+          result.env['KAMAL_BACKUP_ACCESSORY'] = normalize_yaml_value(raw_value)
+        when 'databases'
+          result.database_definitions = normalize_yaml_databases(raw_value, raw_env: raw_env, path: path)
+        when 'paths'
+          result.path_definitions = normalize_yaml_backup_paths(raw_value, "#{path} paths")
+        when 'restore_from'
+          result.restore_from_definitions = normalize_yaml_paths(raw_value, "#{path} restore_from")
+        when 'restic'
+          result.env.merge!(normalize_yaml_restic(raw_value, raw_env: raw_env, path: path))
+        when 'backup'
+          result.env.merge!(normalize_yaml_backup(raw_value, path: path))
+        when 'state'
+          result.env.merge!(normalize_yaml_state(raw_value, path: path))
         end
-        result
-      rescue Psych::SyntaxError => e
-        raise ConfigurationError, "invalid YAML in #{path}: #{e.message}"
+      end
+      result
+    rescue Psych::SyntaxError => e
+      raise ConfigurationError, "invalid YAML in #{path}: #{e.message}"
+    end
+    def validate_top_level_yaml_key!(path, key)
+      if LEGACY_YAML_KEYS.include?(key)
+        raise ConfigurationError,
+              "#{path} uses legacy key #{key}; use databases, paths, restic, and backup instead. See the upgrading guide for the 0.3 config migration."
       end
-      def validate_top_level_yaml_key!(path, key)
-        if LEGACY_YAML_KEYS.include?(key)
-          raise ConfigurationError, "#{path} uses legacy key #{key}; use databases, paths, restic, and backup instead. See the upgrading guide for the 0.3 config migration."
-        end
+      return if TOP_LEVEL_YAML_KEYS.include?(key)
-        return if TOP_LEVEL_YAML_KEYS.include?(key)
+      raise ConfigurationError,
+            "#{path} contains unknown key #{key.inspect}; expected #{TOP_LEVEL_YAML_KEYS.join(', ')}"
+    end
-        raise ConfigurationError, "#{path} contains unknown key #{key.inspect}; expected #{TOP_LEVEL_YAML_KEYS.join(", ")}"
+    def normalize_yaml_value(raw_value)
+      case raw_value
+      when Array
+        raw_value.map(&:to_s).join("\n")
+      when NilClass
+        nil
+      else
+        raw_value.to_s
       end
+    end
-      def normalize_yaml_value(raw_value)
-        case raw_value
-        when Array
-          raw_value.map(&:to_s).join("\n")
-        when NilClass
-          nil
-        else
-          raw_value.to_s
+    def normalize_yaml_databases(raw_value, raw_env:, path:)
+      entries = require_array(raw_value, "#{path} databases")
+      entries.map.with_index(1) do |entry, index|
+        hash = require_mapping(entry, "#{path} databases[#{index}]")
+        name = required_yaml_scalar(hash, 'name', "#{path} databases[#{index}]")
+        adapter = normalize_adapter(required_yaml_scalar(hash, 'adapter', "#{path} databases[#{index}]"))
+        unless adapter
+          raise ConfigurationError,
+                "#{path} databases[#{index}] adapter must be postgres, mysql, or sqlite"
         end
-      end
-      def normalize_yaml_databases(raw_value, raw_env:, path:)
-        entries = require_array(raw_value, "#{path} databases")
-        entries.map.with_index(1) do |entry, index|
-          hash = require_mapping(entry, "#{path} databases[#{index}]")
-          name = required_yaml_scalar(hash, "name", "#{path} databases[#{index}]")
-          adapter = normalize_adapter(required_yaml_scalar(hash, "adapter", "#{path} databases[#{index}]"))
-          raise ConfigurationError, "#{path} databases[#{index}] adapter must be postgres, mysql, or sqlite" unless adapter
-          env = {}
-          missing_secrets = []
-          case adapter
-          when "postgres"
-            if hash.key?("url")
-              env["DATABASE_URL"] = resolve_yaml_value(hash["url"], raw_env: raw_env, context: "#{path} databases[#{index}].url")
-              missing_secrets.concat(missing_yaml_secrets(hash["url"], raw_env: raw_env))
-            end
-            if hash.key?("password")
-              env["PGPASSWORD"] = resolve_yaml_value(hash["password"], raw_env: raw_env, context: "#{path} databases[#{index}].password")
-              missing_secrets.concat(missing_yaml_secrets(hash["password"], raw_env: raw_env))
-            end
-          when "mysql"
-            if hash.key?("url")
-              env["DATABASE_URL"] = resolve_yaml_value(hash["url"], raw_env: raw_env, context: "#{path} databases[#{index}].url")
-              missing_secrets.concat(missing_yaml_secrets(hash["url"], raw_env: raw_env))
-            end
-            if hash.key?("password")
-              env["MYSQL_PWD"] = resolve_yaml_value(hash["password"], raw_env: raw_env, context: "#{path} databases[#{index}].password")
-              missing_secrets.concat(missing_yaml_secrets(hash["password"], raw_env: raw_env))
-            end
-          when "sqlite"
-            sqlite_path = hash.key?("path") ? hash["path"] : hash["database"]
-            if sqlite_path
-              env["SQLITE_DATABASE_PATH"] = resolve_yaml_value(sqlite_path, raw_env: raw_env, context: "#{path} databases[#{index}].path")
-              missing_secrets.concat(missing_yaml_secrets(sqlite_path, raw_env: raw_env))
-            end
+        env = {}
+        missing_secrets = []
+        case adapter
+        when 'postgres'
+          if hash.key?('url')
+            env['DATABASE_URL'] =
+              resolve_yaml_value(hash['url'], raw_env: raw_env, context: "#{path} databases[#{index}].url")
+            missing_secrets.concat(missing_yaml_secrets(hash['url'], raw_env: raw_env))
+          end
+          if hash.key?('password')
+            env['PGPASSWORD'] =
+              resolve_yaml_value(hash['password'], raw_env: raw_env, context: "#{path} databases[#{index}].password")
+            missing_secrets.concat(missing_yaml_secrets(hash['password'], raw_env: raw_env))
+          end
+        when 'mysql'
+          if hash.key?('url')
+            env['DATABASE_URL'] =
+              resolve_yaml_value(hash['url'], raw_env: raw_env, context: "#{path} databases[#{index}].url")
+            missing_secrets.concat(missing_yaml_secrets(hash['url'], raw_env: raw_env))
+          end
+          if hash.key?('password')
+            env['MYSQL_PWD'] =
+              resolve_yaml_value(hash['password'], raw_env: raw_env, context: "#{path} databases[#{index}].password")
+            missing_secrets.concat(missing_yaml_secrets(hash['password'], raw_env: raw_env))
+          end
+        when 'sqlite'
+          sqlite_path = hash.key?('path') ? hash['path'] : hash['database']
+          if sqlite_path
+            env['SQLITE_DATABASE_PATH'] =
+              resolve_yaml_value(sqlite_path, raw_env: raw_env, context: "#{path} databases[#{index}].path")
+            missing_secrets.concat(missing_yaml_secrets(sqlite_path, raw_env: raw_env))
           end
-          {
-            name: name,
-            adapter: adapter,
-            env: env.compact,
-            missing_secrets: missing_secrets
-          }
         end
+        {
+          name: name,
+          adapter: adapter,
+          env: env.compact,
+          missing_secrets: missing_secrets
+        }
       end
+    end
-      def normalize_yaml_restic(raw_value, raw_env:, path:)
-        hash = require_mapping(raw_value, "#{path} restic")
-        env = {}
+    def normalize_yaml_restic(raw_value, raw_env:, path:)
+      hash = require_mapping(raw_value, "#{path} restic")
+      env = {}
-        env["RESTIC_REPOSITORY"] = resolve_yaml_value(hash["repository"], raw_env: raw_env, context: "#{path} restic.repository") if hash.key?("repository")
-        env["RESTIC_REPOSITORY_FILE"] = normalize_yaml_value(hash["repository_file"]) if hash.key?("repository_file")
+      if hash.key?('repository')
+        env['RESTIC_REPOSITORY'] =
+          resolve_yaml_value(hash['repository'], raw_env: raw_env,
+                                                 context: "#{path} restic.repository")
+      end
+      env['RESTIC_REPOSITORY_FILE'] = normalize_yaml_value(hash['repository_file']) if hash.key?('repository_file')
-        if hash.key?("password")
-          normalize_yaml_restic_password(hash["password"], raw_env: raw_env, path: path).each do |key, value|
-            env[key] = value
-          end
+      if hash.key?('password')
+        normalize_yaml_restic_password(hash['password'], raw_env: raw_env, path: path).each do |key, value|
+          env[key] = value
         end
+      end
+      env.merge!(normalize_yaml_restic_rest(hash['rest'], raw_env: raw_env, path: path)) if hash.key?('rest')
-        env.merge!(normalize_yaml_restic_rest(hash["rest"], raw_env: raw_env, path: path)) if hash.key?("rest")
+      {
+        'init_if_missing' => 'RESTIC_INIT_IF_MISSING',
+        'check_after_backup' => 'RESTIC_CHECK_AFTER_BACKUP',
+        'check_read_data_subset' => 'RESTIC_CHECK_READ_DATA_SUBSET',
+        'forget_after_backup' => 'RESTIC_FORGET_AFTER_BACKUP'
+      }.each do |source, target|
+        env[target] = normalize_yaml_value(hash[source]) if hash.key?(source)
+      end
+      if hash.key?('retention')
+        retention = require_mapping(hash['retention'], "#{path} restic.retention")
         {
-          "init_if_missing" => "RESTIC_INIT_IF_MISSING",
-          "check_after_backup" => "RESTIC_CHECK_AFTER_BACKUP",
-          "check_read_data_subset" => "RESTIC_CHECK_READ_DATA_SUBSET",
-          "forget_after_backup" => "RESTIC_FORGET_AFTER_BACKUP"
+          'keep_last' => 'RESTIC_KEEP_LAST',
+          'keep_daily' => 'RESTIC_KEEP_DAILY',
+          'keep_weekly' => 'RESTIC_KEEP_WEEKLY',
+          'keep_monthly' => 'RESTIC_KEEP_MONTHLY',
+          'keep_yearly' => 'RESTIC_KEEP_YEARLY'
         }.each do |source, target|
-          env[target] = normalize_yaml_value(hash[source]) if hash.key?(source)
-        end
-        if hash.key?("retention")
-          retention = require_mapping(hash["retention"], "#{path} restic.retention")
-          {
-            "keep_last" => "RESTIC_KEEP_LAST",
-            "keep_daily" => "RESTIC_KEEP_DAILY",
-            "keep_weekly" => "RESTIC_KEEP_WEEKLY",
-            "keep_monthly" => "RESTIC_KEEP_MONTHLY",
-            "keep_yearly" => "RESTIC_KEEP_YEARLY"
-          }.each do |source, target|
-            env[target] = normalize_yaml_value(retention[source]) if retention.key?(source)
-          end
+          env[target] = normalize_yaml_value(retention[source]) if retention.key?(source)
         end
-        env.compact
       end
-      def normalize_yaml_restic_password(raw_value, raw_env:, path:)
-        case raw_value
-        when Hash
-          hash = stringify_keys(raw_value)
-          if hash.key?("secret")
-            { "RESTIC_PASSWORD" => resolve_yaml_value(hash, raw_env: raw_env, context: "#{path} restic.password") }
-          elsif hash.key?("file")
-            { "RESTIC_PASSWORD_FILE" => normalize_yaml_value(hash["file"]) }
-          elsif hash.key?("command")
-            { "RESTIC_PASSWORD_COMMAND" => normalize_yaml_value(hash["command"]) }
-          else
-            raise ConfigurationError, "#{path} restic.password must use secret, file, or command"
-          end
+      env.compact
+    end
+    def normalize_yaml_restic_password(raw_value, raw_env:, path:)
+      case raw_value
+      when Hash
+        hash = stringify_keys(raw_value)
+        if hash.key?('secret')
+          { 'RESTIC_PASSWORD' => resolve_yaml_value(hash, raw_env: raw_env, context: "#{path} restic.password") }
+        elsif hash.key?('file')
+          { 'RESTIC_PASSWORD_FILE' => normalize_yaml_value(hash['file']) }
+        elsif hash.key?('command')
+          { 'RESTIC_PASSWORD_COMMAND' => normalize_yaml_value(hash['command']) }
         else
-          { "RESTIC_PASSWORD" => normalize_yaml_value(raw_value) }
+          raise ConfigurationError, "#{path} restic.password must use secret, file, or command"
         end
+      else
+        { 'RESTIC_PASSWORD' => normalize_yaml_value(raw_value) }
       end
+    end
-      def normalize_yaml_restic_rest(raw_value, raw_env:, path:)
-        hash = require_mapping(raw_value, "#{path} restic.rest")
-        env = {}
-        username = hash.key?("username") ? hash["username"] : hash["user"]
+    def normalize_yaml_restic_rest(raw_value, raw_env:, path:)
+      hash = require_mapping(raw_value, "#{path} restic.rest")
+      env = {}
+      username = hash.key?('username') ? hash['username'] : hash['user']
-        env["RESTIC_REST_USERNAME"] = resolve_yaml_value(username, raw_env: raw_env, context: "#{path} restic.rest.username") if username
-        env["RESTIC_REST_PASSWORD"] = resolve_yaml_value(hash["password"], raw_env: raw_env, context: "#{path} restic.rest.password") if hash.key?("password")
-        env.compact
+      if username
+        env['RESTIC_REST_USERNAME'] =
+          resolve_yaml_value(username, raw_env: raw_env, context: "#{path} restic.rest.username")
+      end
+      if hash.key?('password')
+        env['RESTIC_REST_PASSWORD'] =
+          resolve_yaml_value(hash['password'], raw_env: raw_env,
+                                               context: "#{path} restic.rest.password")
       end
+      env.compact
+    end
-      def normalize_yaml_backup(raw_value, path:)
-        hash = require_mapping(raw_value, "#{path} backup")
-        env = {}
-        env["BACKUP_SCHEDULE_SECONDS"] = normalize_duration(hash["schedule"], "#{path} backup.schedule") if hash.key?("schedule")
-        env.compact
+    def normalize_yaml_backup(raw_value, path:)
+      hash = require_mapping(raw_value, "#{path} backup")
+      env = {}
+      if hash.key?('schedule')
+        env['BACKUP_SCHEDULE_SECONDS'] =
+          normalize_duration(hash['schedule'], "#{path} backup.schedule")
       end
+      env.compact
+    end
-      def normalize_yaml_state(raw_value, path:)
-        hash = require_mapping(raw_value, "#{path} state")
-        env = {}
-        env["KAMAL_BACKUP_STATE_DIR"] = normalize_yaml_value(hash["path"]) if hash.key?("path")
-        env.compact
+    def normalize_yaml_state(raw_value, path:)
+      hash = require_mapping(raw_value, "#{path} state")
+      env = {}
+      env['KAMAL_BACKUP_STATE_DIR'] = normalize_yaml_value(hash['path']) if hash.key?('path')
+      env.compact
+    end
+    def normalize_yaml_paths(raw_value, context)
+      case raw_value
+      when Array
+        raw_value.map { |path| normalize_yaml_path(path, context) }.reject(&:empty?)
+      when NilClass
+        []
+      else
+        [normalize_yaml_path(raw_value, context)].reject(&:empty?)
       end
+    end
-      def normalize_yaml_paths(raw_value, context)
-        case raw_value
-        when Array
-          raw_value.map { |path| normalize_yaml_path(path, context) }.reject(&:empty?)
-        when NilClass
-          []
-        else
-          [normalize_yaml_path(raw_value, context)].reject(&:empty?)
+    def normalize_yaml_path(raw_value, context)
+      raise ConfigurationError, "#{context} entries must be path strings" if raw_value.is_a?(Hash) || raw_value.is_a?(Array)
+      normalize_yaml_value(raw_value)
+    end
+    def normalize_yaml_backup_paths(raw_value, context)
+      case raw_value
+      when Array
+        definitions = raw_value.map.with_index(1) do |entry, index|
+          normalize_yaml_backup_path(entry, "#{context}[#{index}]")
         end
+        definitions.reject { |definition| definition.path.to_s.empty? }
+      when NilClass
+        []
+      else
+        [normalize_yaml_backup_path(raw_value, "#{context}[1]")].reject { |definition| definition.path.to_s.empty? }
       end
+    end
-      def normalize_yaml_path(raw_value, context)
-        if raw_value.is_a?(Hash) || raw_value.is_a?(Array)
-          raise ConfigurationError, "#{context} entries must be path strings"
+    def normalize_yaml_backup_path(raw_value, context)
+      case raw_value
+      when Hash
+        hash = require_mapping(raw_value, context)
+        unknown_keys = hash.keys - %w[path exclude]
+        unless unknown_keys.empty?
+          raise ConfigurationError,
+                "#{context} contains unknown key #{unknown_keys.first.inspect}; expected path and exclude"
         end
-        normalize_yaml_value(raw_value)
+        path = required_yaml_string(hash, 'path', context)
+        exclude = hash.key?('exclude') ? normalize_yaml_excludes(hash['exclude'], "#{context}.exclude") : []
+        PathDefinition.new(path: path, exclude: exclude)
+      when Array
+        raise ConfigurationError, "#{context} must be a path string or a mapping with path and optional exclude"
+      else
+        PathDefinition.new(path: normalize_yaml_value(raw_value), exclude: [])
       end
+    end
-      def resolve_yaml_value(raw_value, raw_env:, context:)
-        case raw_value
-        when Hash
-          hash = stringify_keys(raw_value)
-          unless hash.keys == ["secret"]
-            raise ConfigurationError, "#{context} must be a scalar value or { secret: NAME }"
-          end
+    def normalize_yaml_excludes(raw_value, context)
+      entries = require_array(raw_value, context)
+      entries.map.with_index(1) do |entry, index|
+        pattern = optional_yaml_string(entry, "#{context}[#{index}]")
+        raise ConfigurationError, "#{context}[#{index}] must not be empty" if pattern.to_s.strip.empty?
-          secret_name = normalize_yaml_value(hash.fetch("secret"))
-          raw_env[secret_name]
-        else
-          normalize_yaml_value(raw_value)
-        end
+        pattern
       end
+    end
-      def missing_yaml_secrets(raw_value, raw_env:)
-        return [] unless raw_value.is_a?(Hash)
+    def resolve_yaml_value(raw_value, raw_env:, context:)
+      case raw_value
+      when Hash
         hash = stringify_keys(raw_value)
-        return [] unless hash.key?("secret")
+        raise ConfigurationError, "#{context} must be a scalar value or { secret: NAME }" unless hash.keys == ['secret']
-        secret_name = normalize_yaml_value(hash.fetch("secret"))
-        raw_env[secret_name].to_s.strip.empty? ? [secret_name] : []
+        secret_name = normalize_yaml_value(hash.fetch('secret'))
+        raw_env[secret_name]
+      else
+        normalize_yaml_value(raw_value)
       end
+    end
-      def normalize_duration(raw_value, context)
-        value = normalize_yaml_value(raw_value)
-        raise ConfigurationError, "#{context} is required" if value.to_s.empty?
+    def missing_yaml_secrets(raw_value, raw_env:)
+      return [] unless raw_value.is_a?(Hash)
-        return value if value.match?(/\A\d+\z/)
+      hash = stringify_keys(raw_value)
+      return [] unless hash.key?('secret')
-        match = value.match(/\A(\d+)\s*([smhdw])\z/i)
-        unless match
-          raise ConfigurationError, "#{context} must be seconds or a duration like 30m, 6h, or 1d"
-        end
+      secret_name = normalize_yaml_value(hash.fetch('secret'))
+      raw_env[secret_name].to_s.strip.empty? ? [secret_name] : []
+    end
-        amount = match[1].to_i
-        multiplier = {
-          "s" => 1,
-          "m" => 60,
-          "h" => 3600,
-          "d" => 86_400,
-          "w" => 604_800
-        }.fetch(match[2].downcase)
-        (amount * multiplier).to_s
-      end
+    def normalize_duration(raw_value, context)
+      value = normalize_yaml_value(raw_value)
+      raise ConfigurationError, "#{context} is required" if value.to_s.empty?
-      def require_array(value, context)
-        return value if value.is_a?(Array)
+      return value if value.match?(/\A\d+\z/)
-        raise ConfigurationError, "#{context} must be a YAML sequence"
-      end
+      match = value.match(/\A(\d+)\s*([smhdw])\z/i)
+      raise ConfigurationError, "#{context} must be seconds or a duration like 30m, 6h, or 1d" unless match
-      def require_mapping(value, context)
-        raise ConfigurationError, "#{context} must be a YAML mapping" unless value.is_a?(Hash)
+      amount = match[1].to_i
+      multiplier = {
+        's' => 1,
+        'm' => 60,
+        'h' => 3600,
+        'd' => 86_400,
+        'w' => 604_800
+      }.fetch(match[2].downcase)
+      (amount * multiplier).to_s
+    end
-        stringify_keys(value)
-      end
+    def require_array(value, context)
+      return value if value.is_a?(Array)
-      def required_yaml_scalar(hash, key, context)
-        value = normalize_yaml_value(hash[key])
-        raise ConfigurationError, "#{context} #{key} is required" if value.to_s.empty?
+      raise ConfigurationError, "#{context} must be a YAML sequence"
+    end
-        value
-      end
+    def require_mapping(value, context)
+      raise ConfigurationError, "#{context} must be a YAML mapping" unless value.is_a?(Hash)
-      def stringify_keys(hash)
-        hash.each_with_object({}) { |(key, value), result| result[key.to_s] = value }
-      end
+      stringify_keys(value)
+    end
-      def validate_local_machine_environment
-        if environment = local_restore_environment
-          key, value = environment
+    def optional_yaml_string(value, context)
+      raise ConfigurationError, "#{context} must be a string" if value.is_a?(Hash) || value.is_a?(Array)
-          if production_environment?(value)
-            raise ConfigurationError, "restore local refuses to run with #{key}=#{value}; unset #{key} or use restore production"
-          end
-        end
-      end
+      normalize_yaml_value(value)
+    end
-      def validate_local_machine_paths
-        path_pairs = local_restore_path_pairs
+    def required_yaml_string(hash, key, context)
+      raise ConfigurationError, "#{context} #{key} is required" unless hash.key?(key)
-        path_pairs.each do |_source_path, target_path|
-          expanded = File.expand_path(target_path)
-          if SUSPICIOUS_BACKUP_PATHS.include?(expanded) && !allow_suspicious_backup_paths?
-            raise ConfigurationError, "refusing suspicious local restore path #{expanded}; set KAMAL_BACKUP_ALLOW_SUSPICIOUS_PATHS=true to override"
-          end
-        end
-      end
+      value = optional_yaml_string(hash[key], "#{context}.#{key}")
+      raise ConfigurationError, "#{context} #{key} is required" if value.to_s.strip.empty?
-      def integer(key, default, minimum:)
-        raw = value(key)
-        number = raw ? Integer(raw) : default
-        raise ConfigurationError, "#{key} must be >= #{minimum}" if number < minimum
+      value
+    end
-        number
-      rescue ArgumentError
-        raise ConfigurationError, "#{key} must be an integer"
-      end
+    def required_yaml_scalar(hash, key, context)
+      value = normalize_yaml_value(hash[key])
+      raise ConfigurationError, "#{context} #{key} is required" if value.to_s.empty?
-      def normalize_adapter(value)
-        case value.to_s.downcase
-        when "postgres", "postgresql"
-          "postgres"
-        when "mysql", "mysql2", "mariadb"
-          "mysql"
-        when "sqlite", "sqlite3"
-          "sqlite"
-        else
-          nil
-        end
-      end
+      value
+    end
-      def database_definitions?
-        !@database_definitions.nil?
-      end
+    def stringify_keys(hash)
+      hash.each_with_object({}) { |(key, value), result| result[key.to_s] = value }
+    end
-      def path_definitions?
-        !@path_definitions.nil?
-      end
+    def validate_local_machine_environment
+      if (environment = local_restore_environment)
+        key, value = environment
-      def legacy_database_adapter
-        if explicit = value("DATABASE_ADAPTER")
-          normalize_adapter(explicit)
-        elsif adapter = adapter_from_database_url
-          adapter
-        elsif value("SQLITE_DATABASE_PATH")
-          "sqlite"
+        if production_environment?(value)
+          raise ConfigurationError,
+                "restore local refuses to run with #{key}=#{value}; unset #{key} or use restore production"
         end
       end
+    end
+    def validate_local_machine_paths
+      path_pairs = local_restore_path_pairs
-      def adapter_from_database_url
-        if url = value("DATABASE_URL")
-          normalize_adapter(URI.parse(url).scheme)
+      path_pairs.each do |path_pair|
+        target_path = path_pair.last
+        expanded = File.expand_path(target_path)
+        if SUSPICIOUS_BACKUP_PATHS.include?(expanded) && !allow_suspicious_backup_paths?
+          raise ConfigurationError,
+                "refusing suspicious local restore path #{expanded}; set KAMAL_BACKUP_ALLOW_SUSPICIOUS_PATHS=true to override"
         end
-      rescue URI::InvalidURIError
-        nil
       end
+    end
-      def in_place_file_restore?(expanded_target)
-        backup_paths.any? do |path|
-          expanded_path = File.expand_path(path)
-          expanded_target == expanded_path || expanded_path.start_with?(expanded_target + "/") || expanded_target.start_with?(expanded_path + "/")
-        end
+    def integer(key, default, minimum:)
+      raw = value(key)
+      number = raw ? Integer(raw) : default
+      raise ConfigurationError, "#{key} must be >= #{minimum}" if number < minimum
+      number
+    rescue ArgumentError
+      raise ConfigurationError, "#{key} must be an integer"
+    end
+    def normalize_adapter(value)
+      case value.to_s.downcase
+      when 'postgres', 'postgresql'
+        'postgres'
+      when 'mysql', 'mysql2', 'mariadb'
+        'mysql'
+      when 'sqlite', 'sqlite3'
+        'sqlite'
       end
+    end
-      def source_database_targets
-        databases.flat_map do |database|
-          [
-            database.value("DATABASE_URL"),
-            database.value("SQLITE_DATABASE_PATH"),
-            database.value("PGDATABASE"),
-            database.value("MYSQL_DATABASE"),
-            database.value("MARIADB_DATABASE")
-          ]
-        end.compact
+    def database_definitions?
+      !@database_definitions.nil?
+    end
+    def path_definitions?
+      !@path_definitions.nil?
+    end
+    def backup_path_definitions
+      if path_definitions?
+        @path_definitions
+      else
+        legacy_backup_paths.map { |path| PathDefinition.new(path: path, exclude: []) }
       end
+    end
-      def legacy_backup_paths
-        split_paths(value("BACKUP_PATHS"))
+    def configured_backup_path_excludes(paths)
+      backup_path_definitions.each_with_object([]) do |definition, excludes|
+        excludes.concat(definition.exclude) if paths.include?(definition.path)
       end
+    end
-      def legacy_local_restore_source_paths
-        if raw = value("LOCAL_RESTORE_SOURCE_PATHS")
-          split_paths(raw)
-        end
+    def sqlite_backup_path_excludes(paths)
+      databases.select { |database| database.database_adapter == 'sqlite' }.flat_map do |database|
+        sqlite_database_path = database.value('SQLITE_DATABASE_PATH')
+        next [] if sqlite_database_path.to_s.empty?
+        next [] unless paths.any? { |path| path_contains?(path, sqlite_database_path) }
+        [sqlite_database_path, "#{sqlite_database_path}-wal", "#{sqlite_database_path}-shm"]
+      end.uniq
+    end
+    def path_contains?(parent, child)
+      expanded_parent = File.expand_path(parent)
+      expanded_child = File.expand_path(child)
+      expanded_child == expanded_parent || expanded_child.start_with?("#{expanded_parent}/")
+    end
+    def legacy_database_adapter
+      if (explicit = value('DATABASE_ADAPTER'))
+        normalize_adapter(explicit)
+      elsif (adapter = adapter_from_database_url)
+        adapter
+      elsif value('SQLITE_DATABASE_PATH')
+        'sqlite'
       end
+    end
-      def split_paths(raw)
-        raw.to_s.split(/[\n:]+/).map(&:strip).reject(&:empty?)
+    def adapter_from_database_url
+      if (url = value('DATABASE_URL'))
+        normalize_adapter(URI.parse(url).scheme)
       end
+    rescue URI::InvalidURIError
+      nil
+    end
-      def local_restore_environment
-        %w[RAILS_ENV RACK_ENV APP_ENV KAMAL_ENVIRONMENT].each do |key|
-          if value(key)
-            return [key, value(key)]
-          end
-        end
+    def in_place_file_restore?(expanded_target)
+      backup_paths.any? do |path|
+        expanded_path = File.expand_path(path)
+        expanded_target == expanded_path || expanded_path.start_with?("#{expanded_target}/") || expanded_target.start_with?("#{expanded_path}/")
       end
+    end
+    def source_database_targets
+      databases.flat_map do |database|
+        [
+          database.value('DATABASE_URL'),
+          database.value('SQLITE_DATABASE_PATH'),
+          database.value('PGDATABASE'),
+          database.value('MYSQL_DATABASE'),
+          database.value('MARIADB_DATABASE')
+        ]
+      end.compact
+    end
-      def production_environment?(value)
-        %w[production prod live].include?(value.to_s.downcase)
+    def legacy_backup_paths
+      split_paths(value('BACKUP_PATHS'))
+    end
+    def legacy_local_restore_source_paths
+      if (raw = value('LOCAL_RESTORE_SOURCE_PATHS'))
+        split_paths(raw)
       end
+    end
+    def split_paths(raw)
+      raw.to_s.split(/[\n:]+/).map(&:strip).reject(&:empty?)
+    end
-      def production_named_target?(target)
-        target.include?("production") ||
-          target.match?(%r{(^|[/_.:-])prod([/_.:-]|$)}) ||
-          target.match?(%r{(^|[/_.:-])live([/_.:-]|$)})
+    def local_restore_environment
+      %w[RAILS_ENV RACK_ENV APP_ENV KAMAL_ENVIRONMENT].each do |key|
+        return [key, value(key)] if value(key)
       end
+    end
+    def production_environment?(value)
+      %w[production prod live].include?(value.to_s.downcase)
+    end
+    def production_named_target?(target)
+      target.include?('production') ||
+        target.match?(%r{(^|[/_.:-])prod([/_.:-]|$)}) ||
+        target.match?(%r{(^|[/_.:-])live([/_.:-]|$)})
+    end
   end
 end