Merge pull request #362 from databasus/develop

FEATURE (auth): Add optional CloudFlare Turnstile for sign in \ sign …

.dockerignore

@@ -21,6 +21,7 @@ backend/*.exe
 # Scripts and data directories
 scripts
 postgresus-data
+databasus-data
 
 # IDE and editor files
 .idea

.github/CODE_OF_CONDUCT.md

@@ -2,7 +2,7 @@
 
 ## Our Pledge
 
-We as members, contributors and maintainers pledge to make participation in the Postgresus community a friendly and welcoming experience for everyone, regardless of background, experience level or personal circumstances.
+We as members, contributors and maintainers pledge to make participation in the Databasus community a friendly and welcoming experience for everyone, regardless of background, experience level or personal circumstances.
 
 We pledge to act and interact in ways that contribute to an open, welcoming, diverse, inclusive and healthy community.
 
@@ -31,10 +31,10 @@ We pledge to act and interact in ways that contribute to an open, welcoming, div
 This Code of Conduct applies within all community spaces, including:
 
 - GitHub repositories (issues, pull requests, discussions, comments)
-- Telegram channels and direct messages related to Postgresus
+- Telegram channels and direct messages related to Databasus
 - Social media interactions when representing the project
 - Community forums and online discussions
-- Any other spaces where Postgresus community members interact
+- Any other spaces where Databasus community members interact
 
 This Code of Conduct also applies when an individual is officially representing the community in public spaces, such as using an official email address, posting via an official social media account, or acting as an appointed representative at an online or offline event.
 
@@ -42,7 +42,7 @@ This Code of Conduct also applies when an individual is officially representing
 
 Instances of abusive or unacceptable behavior may be reported to the community leaders responsible for enforcement:
 
-- **Email**: [info@postgresus.com](mailto:info@postgresus.com)
+- **Email**: [info@databasus.com](mailto:info@databasus.com)
 - **Telegram**: [@rostislav_dugin](https://t.me/rostislav_dugin)
 
 All complaints will be reviewed and investigated promptly and fairly.
@@ -79,13 +79,13 @@ Community leaders will follow these Community Impact Guidelines in determining t
 
 ## Contributing with Respect
 
-When contributing to Postgresus, please:
+When contributing to Databasus, please:
 
 - Be patient with maintainers and other contributors
 - Understand that everyone has different levels of experience
 - Ask questions in a respectful manner
 - Accept that your contribution may not be accepted, and be open to feedback
-- Follow the [contribution guidelines](https://postgresus.com/contribute)
+- Follow the [contribution guidelines](https://databasus.com/contribute)
 
 For code contributions, remember to:
 

.github/SECURITY.md

@@ -2,13 +2,13 @@
 
 ## Reporting a Vulnerability
 
-If you discover a security vulnerability in Postgresus, please report it responsibly. **Do not create a public GitHub issue for security vulnerabilities.**
+If you discover a security vulnerability in Databasus, please report it responsibly. **Do not create a public GitHub issue for security vulnerabilities.**
 
 ### How to Report
 
-1. **Email** (preferred): Send details to [info@postgresus.com](mailto:info@postgresus.com)
+1. **Email** (preferred): Send details to [info@databasus.com](mailto:info@databasus.com)
 2. **Telegram**: Contact [@rostislav_dugin](https://t.me/rostislav_dugin)
-3. **GitHub Security Advisories**: Use the [private vulnerability reporting](https://github.com/RostislavDugin/postgresus/security/advisories/new) feature
+3. **GitHub Security Advisories**: Use the [private vulnerability reporting](https://github.com/databasus/databasus/security/advisories/new) feature
 
 ### What to Include
 
@@ -23,11 +23,23 @@ If you discover a security vulnerability in Postgresus, please report it respons
 | ------- | --------- |
 | Latest  | Yes       |
 
-We recommend always using the latest version of Postgresus. Security patches are applied to the most recent release.
+We recommend always using the latest version of Databasus. Security patches are applied to the most recent release.
 
 ### PostgreSQL Compatibility
 
-Postgresus supports PostgreSQL versions 12, 13, 14, 15, 16, 17 and 18.
+Databasus supports PostgreSQL versions 12, 13, 14, 15, 16, 17 and 18.
+
+### MySQL Compatibility
+
+Databasus supports MySQL versions 5.7, 8 and 9.
+
+### MariaDB Compatibility
+
+Databasus supports MariaDB versions 10 and 11.
+
+### MongoDB Compatibility
+
+Databasus supports MongoDB versions 4, 5, 6, 7 and 8.
 
 ## Response Timeline
 
@@ -39,16 +51,16 @@ We follow a coordinated disclosure policy. We ask that you give us reasonable ti
 
 ## Security Features
 
-Postgresus is designed with security in mind. For full details, see our [security documentation](https://postgresus.com/security).
+Databasus is designed with security in mind. For full details, see our [security documentation](https://databasus.com/security).
 
 Key features include:
 
 - **AES-256-GCM Encryption**: Enterprise-grade encryption for backup files and sensitive data
-- **Read-Only Database Access**: Postgresus uses read-only access by default and warns if write permissions are detected
+- **Read-Only Database Access**: Databasus uses read-only access by default and warns if write permissions are detected
 - **Role-Based Access Control**: Assign viewer, member, admin or owner roles within workspaces
 - **Audit Logging**: Track all system activities and changes made by users
 - **Zero-Trust Storage**: Encrypted backups are safe even in shared cloud storage
 
 ## License
 
-Postgresus is licensed under [Apache 2.0](../LICENSE).
+Databasus is licensed under [Apache 2.0](../LICENSE).

.github/workflows/ci-release.yml

@@ -9,25 +9,26 @@ on:
 
 jobs:
   lint-backend:
-    runs-on: ubuntu-latest
+    runs-on: self-hosted
+    container:
+      image: golang:1.24.9
+      volumes:
+        - /runner-cache/go-pkg:/go/pkg/mod
+        - /runner-cache/go-build:/root/.cache/go-build
+        - /runner-cache/golangci-lint:/root/.cache/golangci-lint
+        - /runner-cache/apt-archives:/var/cache/apt/archives
     steps:
       - name: Check out code
         uses: actions/checkout@v4
 
-      - name: Set up Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: "1.24.4"
+      - name: Configure Git for container
+        run: |
+          git config --global --add safe.directory "$GITHUB_WORKSPACE"
 
-      - name: Cache Go modules
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~/go/pkg/mod
-            ~/.cache/go-build
-          key: ${{ runner.os }}-go-${{ hashFiles('backend/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
+      - name: Download Go modules
+        run: |
+          cd backend
+          go mod download
 
       - name: Install golangci-lint
         run: |
@@ -63,8 +64,6 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version: "20"
-          cache: "npm"
-          cache-dependency-path: frontend/package-lock.json
 
       - name: Install dependencies
         run: |
@@ -82,6 +81,11 @@ jobs:
           cd frontend
           npm run lint
 
+      - name: Build frontend
+        run: |
+          cd frontend
+          npm run build
+
   test-frontend:
     runs-on: ubuntu-latest
     needs: [lint-frontend]
@@ -93,8 +97,6 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version: "20"
-          cache: "npm"
-          cache-dependency-path: frontend/package-lock.json
 
       - name: Install dependencies
         run: |
@@ -107,63 +109,53 @@ jobs:
           npm run test
 
   test-backend:
-    runs-on: ubuntu-latest
+    runs-on: self-hosted
     needs: [lint-backend]
+    container:
+      image: golang:1.24.9
+      options: --privileged -v /var/run/docker.sock:/var/run/docker.sock --add-host=host.docker.internal:host-gateway
+      volumes:
+        - /runner-cache/go-pkg:/go/pkg/mod
+        - /runner-cache/go-build:/root/.cache/go-build
+        - /runner-cache/apt-archives:/var/cache/apt/archives
     steps:
-      - name: Free up disk space
+      - name: Install Docker CLI
         run: |
-          echo "Disk space before cleanup:"
-          df -h
-          # Remove unnecessary pre-installed software
-          sudo rm -rf /usr/share/dotnet
-          sudo rm -rf /usr/local/lib/android
-          sudo rm -rf /opt/ghc
-          sudo rm -rf /opt/hostedtoolcache/CodeQL
-          sudo rm -rf /usr/local/share/boost
-          sudo rm -rf /usr/share/swift
-          # Clean apt cache
-          sudo apt-get clean
-          # Clean docker images (if any pre-installed)
-          docker system prune -af --volumes || true
-          echo "Disk space after cleanup:"
-          df -h
+          apt-get update -qq
+          apt-get install -y -qq docker.io docker-compose netcat-openbsd wget
 
       - name: Check out code
         uses: actions/checkout@v4
 
-      - name: Set up Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: "1.24.4"
+      - name: Configure Git for container
+        run: |
+          git config --global --add safe.directory "$GITHUB_WORKSPACE"
 
-      - name: Cache Go modules
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~/go/pkg/mod
-            ~/.cache/go-build
-          key: ${{ runner.os }}-go-${{ hashFiles('backend/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
+      - name: Download Go modules
+        run: |
+          cd backend
+          go mod download
 
       - name: Create .env file for testing
         run: |
           cd backend
           cat > .env << EOF
           # docker-compose.yml
-          DEV_DB_NAME=postgresus
+          DEV_DB_NAME=databasus
           DEV_DB_USERNAME=postgres
           DEV_DB_PASSWORD=Q1234567
           #app
           ENV_MODE=development
-          # db
-          DATABASE_DSN=host=localhost user=postgres password=Q1234567 dbname=postgresus port=5437 sslmode=disable
-          DATABASE_URL=postgres://postgres:Q1234567@localhost:5437/postgresus?sslmode=disable
+          # db - using 172.17.0.1 to access host from container
+          DATABASE_DSN=host=172.17.0.1 user=postgres password=Q1234567 dbname=databasus port=5437 sslmode=disable
+          DATABASE_URL=postgres://postgres:Q1234567@172.17.0.1:5437/databasus?sslmode=disable
           # migrations
           GOOSE_DRIVER=postgres
-          GOOSE_DBSTRING=postgres://postgres:Q1234567@localhost:5437/postgresus?sslmode=disable
+          GOOSE_DBSTRING=postgres://postgres:Q1234567@172.17.0.1:5437/databasus?sslmode=disable
           GOOSE_MIGRATION_DIR=./migrations
-          # testing
+          # testing 
+          TEST_LOCALHOST=172.17.0.1
+          IS_SKIP_EXTERNAL_RESOURCES_TESTS=true
           # to get Google Drive env variables: add storage in UI and copy data from added storage here 
           TEST_GOOGLE_DRIVE_CLIENT_ID=${{ secrets.TEST_GOOGLE_DRIVE_CLIENT_ID }}
           TEST_GOOGLE_DRIVE_CLIENT_SECRET=${{ secrets.TEST_GOOGLE_DRIVE_CLIENT_SECRET }}
@@ -191,6 +183,7 @@ jobs:
           TEST_MYSQL_57_PORT=33057
           TEST_MYSQL_80_PORT=33080
           TEST_MYSQL_84_PORT=33084
+          TEST_MYSQL_90_PORT=33090
           # testing MariaDB
           TEST_MARIADB_55_PORT=33055
           TEST_MARIADB_101_PORT=33101
@@ -219,7 +212,15 @@ jobs:
           TEST_MONGODB_50_PORT=27050
           TEST_MONGODB_60_PORT=27060
           TEST_MONGODB_70_PORT=27070
-          TEST_MONGODB_80_PORT=27080
+          TEST_MONGODB_82_PORT=27082
+          # Valkey (cache) - using 172.17.0.1
+          VALKEY_HOST=172.17.0.1
+          VALKEY_PORT=6379
+          VALKEY_USERNAME=
+          VALKEY_PASSWORD=
+          VALKEY_IS_SSL=false
+          # Host for test databases (container -> host)
+          TEST_DB_HOST=172.17.0.1
           EOF
 
       - name: Start test containers
@@ -232,25 +233,30 @@ jobs:
           # Wait for main dev database
           timeout 60 bash -c 'until docker exec dev-db pg_isready -h localhost -p 5437 -U postgres; do sleep 2; done'
 
-          # Wait for test databases
-          timeout 60 bash -c 'until nc -z localhost 5000; do sleep 2; done'
-          timeout 60 bash -c 'until nc -z localhost 5001; do sleep 2; done'
-          timeout 60 bash -c 'until nc -z localhost 5002; do sleep 2; done'
-          timeout 60 bash -c 'until nc -z localhost 5003; do sleep 2; done'
-          timeout 60 bash -c 'until nc -z localhost 5004; do sleep 2; done'
-          timeout 60 bash -c 'until nc -z localhost 5005; do sleep 2; done'
+          # Wait for Valkey (cache)
+          echo "Waiting for Valkey..."
+          timeout 60 bash -c 'until docker exec dev-valkey valkey-cli ping 2>/dev/null | grep -q PONG; do sleep 2; done'
+          echo "Valkey is ready!"
+
+          # Wait for test databases (using 172.17.0.1 from container)
+          timeout 60 bash -c 'until nc -z 172.17.0.1 5000; do sleep 2; done'
+          timeout 60 bash -c 'until nc -z 172.17.0.1 5001; do sleep 2; done'
+          timeout 60 bash -c 'until nc -z 172.17.0.1 5002; do sleep 2; done'
+          timeout 60 bash -c 'until nc -z 172.17.0.1 5003; do sleep 2; done'
+          timeout 60 bash -c 'until nc -z 172.17.0.1 5004; do sleep 2; done'
+          timeout 60 bash -c 'until nc -z 172.17.0.1 5005; do sleep 2; done'
 
           # Wait for MinIO
-          timeout 60 bash -c 'until nc -z localhost 9000; do sleep 2; done'
+          timeout 60 bash -c 'until nc -z 172.17.0.1 9000; do sleep 2; done'
 
           # Wait for Azurite
-          timeout 60 bash -c 'until nc -z localhost 10000; do sleep 2; done'
+          timeout 60 bash -c 'until nc -z 172.17.0.1 10000; do sleep 2; done'
 
           # Wait for FTP
-          timeout 60 bash -c 'until nc -z localhost 7007; do sleep 2; done'
+          timeout 60 bash -c 'until nc -z 172.17.0.1 7007; do sleep 2; done'
 
           # Wait for SFTP
-          timeout 60 bash -c 'until nc -z localhost 7008; do sleep 2; done'
+          timeout 60 bash -c 'until nc -z 172.17.0.1 7008; do sleep 2; done'
 
           # Wait for MySQL containers
           echo "Waiting for MySQL 5.7..."
@@ -259,6 +265,8 @@ jobs:
           timeout 120 bash -c 'until docker exec test-mysql-80 mysqladmin ping -h localhost -u root -prootpassword --silent 2>/dev/null; do sleep 2; done'
           echo "Waiting for MySQL 8.4..."
           timeout 120 bash -c 'until docker exec test-mysql-84 mysqladmin ping -h localhost -u root -prootpassword --silent 2>/dev/null; do sleep 2; done'
+          echo "Waiting for MySQL 9.0..."
+          timeout 120 bash -c 'until docker exec test-mysql-90 mysqladmin ping -h localhost -u root -prootpassword --silent 2>/dev/null; do sleep 2; done'
 
           # Wait for MariaDB containers
           echo "Waiting for MariaDB 5.5..."
@@ -297,77 +305,76 @@ jobs:
           timeout 120 bash -c 'until docker exec test-mongodb-60 mongosh --eval "db.adminCommand(\"ping\")" -u root -p rootpassword --authenticationDatabase admin 2>/dev/null; do sleep 2; done'
           echo "Waiting for MongoDB 7.0..."
           timeout 120 bash -c 'until docker exec test-mongodb-70 mongosh --eval "db.adminCommand(\"ping\")" -u root -p rootpassword --authenticationDatabase admin 2>/dev/null; do sleep 2; done'
-          echo "Waiting for MongoDB 8.0..."
-          timeout 120 bash -c 'until docker exec test-mongodb-80 mongosh --eval "db.adminCommand(\"ping\")" -u root -p rootpassword --authenticationDatabase admin 2>/dev/null; do sleep 2; done'
+          echo "Waiting for MongoDB 8.2..."
+          timeout 120 bash -c 'until docker exec test-mongodb-82 mongosh --eval "db.adminCommand(\"ping\")" -u root -p rootpassword --authenticationDatabase admin 2>/dev/null; do sleep 2; done'
 
       - name: Create data and temp directories
         run: |
           # Create directories that are used for backups and restore
           # These paths match what's configured in config.go
-          mkdir -p postgresus-data/backups
-          mkdir -p postgresus-data/temp
+          mkdir -p databasus-data/backups
+          mkdir -p databasus-data/temp
 
-      - name: Cache PostgreSQL client tools
-        id: cache-postgres
-        uses: actions/cache@v4
-        with:
-          path: /usr/lib/postgresql
-          key: postgres-clients-12-18-v1
-
-      - name: Cache MySQL client tools
-        id: cache-mysql
-        uses: actions/cache@v4
-        with:
-          path: backend/tools/mysql
-          key: mysql-clients-57-80-84-v1
-
-      - name: Cache MariaDB client tools
-        id: cache-mariadb
-        uses: actions/cache@v4
-        with:
-          path: backend/tools/mariadb
-          key: mariadb-clients-106-121-v1
-
-      - name: Cache MongoDB Database Tools
-        id: cache-mongodb
-        uses: actions/cache@v4
-        with:
-          path: backend/tools/mongodb
-          key: mongodb-database-tools-100.10.0-v1
-
-      - name: Install MySQL dependencies
+      - name: Install database client dependencies
         run: |
-          sudo apt-get update -qq
-          sudo apt-get install -y -qq libncurses6
-          sudo ln -sf /usr/lib/x86_64-linux-gnu/libncurses.so.6 /usr/lib/x86_64-linux-gnu/libncurses.so.5
-          sudo ln -sf /usr/lib/x86_64-linux-gnu/libtinfo.so.6 /usr/lib/x86_64-linux-gnu/libtinfo.so.5
+          apt-get update -qq
+          apt-get install -y -qq libncurses6 libpq5
+          ln -sf /usr/lib/x86_64-linux-gnu/libncurses.so.6 /usr/lib/x86_64-linux-gnu/libncurses.so.5 || true
+          ln -sf /usr/lib/x86_64-linux-gnu/libtinfo.so.6 /usr/lib/x86_64-linux-gnu/libtinfo.so.5 || true
 
-      - name: Install PostgreSQL, MySQL, MariaDB and MongoDB client tools
-        if: steps.cache-postgres.outputs.cache-hit != 'true' || steps.cache-mysql.outputs.cache-hit != 'true' || steps.cache-mariadb.outputs.cache-hit != 'true' || steps.cache-mongodb.outputs.cache-hit != 'true'
-        run: |
-          chmod +x backend/tools/download_linux.sh
-          cd backend/tools
-          ./download_linux.sh
-
-      - name: Setup PostgreSQL symlinks (when using cache)
-        if: steps.cache-postgres.outputs.cache-hit == 'true'
+      - name: Setup PostgreSQL, MySQL and MariaDB client tools from pre-built assets
         run: |
           cd backend/tools
-          mkdir -p postgresql
+
+          # Create directory structure
+          mkdir -p postgresql mysql mariadb mongodb/bin
+
+          # Copy PostgreSQL client tools (12-18) from pre-built assets
           for version in 12 13 14 15 16 17 18; do
-            version_dir="postgresql/postgresql-$version"
-            mkdir -p "$version_dir/bin"
-            pg_bin_dir="/usr/lib/postgresql/$version/bin"
-            if [ -d "$pg_bin_dir" ]; then
-              ln -sf "$pg_bin_dir/pg_dump" "$version_dir/bin/pg_dump"
-              ln -sf "$pg_bin_dir/pg_dumpall" "$version_dir/bin/pg_dumpall"
-              ln -sf "$pg_bin_dir/psql" "$version_dir/bin/psql"
-              ln -sf "$pg_bin_dir/pg_restore" "$version_dir/bin/pg_restore"
-              ln -sf "$pg_bin_dir/createdb" "$version_dir/bin/createdb"
-              ln -sf "$pg_bin_dir/dropdb" "$version_dir/bin/dropdb"
-            fi
+            mkdir -p postgresql/postgresql-$version
+            cp -r ../../assets/tools/x64/postgresql/postgresql-$version/bin postgresql/postgresql-$version/
           done
 
+          # Copy MySQL client tools (5.7, 8.0, 8.4, 9) from pre-built assets
+          for version in 5.7 8.0 8.4 9; do
+            mkdir -p mysql/mysql-$version
+            cp -r ../../assets/tools/x64/mysql/mysql-$version/bin mysql/mysql-$version/
+          done
+
+          # Copy MariaDB client tools (10.6, 12.1) from pre-built assets
+          for version in 10.6 12.1; do
+            mkdir -p mariadb/mariadb-$version
+            cp -r ../../assets/tools/x64/mariadb/mariadb-$version/bin mariadb/mariadb-$version/
+          done
+
+          # Make all binaries executable
+          chmod +x postgresql/*/bin/*
+          chmod +x mysql/*/bin/*
+          chmod +x mariadb/*/bin/*
+
+          echo "Pre-built client tools setup complete"
+
+      - name: Install MongoDB Database Tools
+        run: |
+          cd backend/tools
+
+          # MongoDB Database Tools must be downloaded (not in pre-built assets)
+          # They are backward compatible - single version supports all servers (4.0-8.0)
+          MONGODB_TOOLS_URL="https://fastdl.mongodb.org/tools/db/mongodb-database-tools-debian12-x86_64-100.10.0.deb"
+
+          echo "Downloading MongoDB Database Tools..."
+          wget -q "$MONGODB_TOOLS_URL" -O /tmp/mongodb-database-tools.deb
+
+          echo "Installing MongoDB Database Tools..."
+          dpkg -i /tmp/mongodb-database-tools.deb || apt-get install -f -y --no-install-recommends
+
+          # Create symlinks to tools directory
+          ln -sf /usr/bin/mongodump mongodb/bin/mongodump
+          ln -sf /usr/bin/mongorestore mongodb/bin/mongorestore
+
+          rm -f /tmp/mongodb-database-tools.deb
+          echo "MongoDB Database Tools installed successfully"
+
       - name: Verify MariaDB client tools exist
         run: |
           cd backend/tools
@@ -412,10 +419,28 @@ jobs:
         if: always()
         run: |
           cd backend
+          # Stop and remove containers (keeping images for next run)
           docker compose -f docker-compose.yml.example down -v
 
+          # Clean up all data directories created by docker-compose
+          echo "Cleaning up data directories..."
+          rm -rf pgdata || true
+          rm -rf valkey-data || true
+          rm -rf mysqldata || true
+          rm -rf mariadbdata || true
+          rm -rf temp/nas || true
+          rm -rf databasus-data || true
+
+          # Also clean root-level databasus-data if exists
+          cd ..
+          rm -rf databasus-data || true
+
+          echo "Cleanup complete"
+
   determine-version:
-    runs-on: ubuntu-latest
+    runs-on: self-hosted
+    container:
+      image: node:20
     needs: [test-backend, test-frontend]
     if: ${{ github.ref == 'refs/heads/main' && !contains(github.event.head_commit.message, '[skip-release]') }}
     outputs:
@@ -428,10 +453,9 @@ jobs:
         with:
           fetch-depth: 0
 
-      - name: Set up Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: "20"
+      - name: Configure Git for container
+        run: |
+          git config --global --add safe.directory "$GITHUB_WORKSPACE"
 
       - name: Install semver
         run: npm install -g semver
@@ -445,6 +469,7 @@ jobs:
 
       - name: Analyze commits and determine version bump
         id: version_bump
+        shell: bash
         run: |
           CURRENT_VERSION="${{ steps.current_version.outputs.current_version }}"
           LATEST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "v0.0.0")
@@ -464,7 +489,7 @@ jobs:
           HAS_FIX=false
           HAS_BREAKING=false
 
-          # Analyze each commit
+          # Analyze each commit - USE PROCESS SUBSTITUTION to avoid subshell variable scope issues
           while IFS= read -r commit; do
             if [[ "$commit" =~ ^FEATURE ]]; then
               HAS_FEATURE=true
@@ -482,7 +507,7 @@ jobs:
               HAS_BREAKING=true
               echo "Found BREAKING CHANGE: $commit"
             fi
-          done <<< "$COMMITS"
+          done < <(printf '%s\n' "$COMMITS")
 
           # Determine version bump
           if [ "$HAS_BREAKING" = true ]; then
@@ -508,10 +533,15 @@ jobs:
           fi
 
   build-only:
-    runs-on: ubuntu-latest
+    runs-on: self-hosted
     needs: [test-backend, test-frontend]
     if: ${{ github.ref == 'refs/heads/main' && contains(github.event.head_commit.message, '[skip-release]') }}
     steps:
+      - name: Clean workspace
+        run: |
+          sudo rm -rf "$GITHUB_WORKSPACE"/* || true
+          sudo rm -rf "$GITHUB_WORKSPACE"/.* || true
+
       - name: Check out code
         uses: actions/checkout@v4
 
@@ -536,16 +566,21 @@ jobs:
           build-args: |
             APP_VERSION=dev-${{ github.sha }}
           tags: |
-            rostislavdugin/postgresus:latest
-            rostislavdugin/postgresus:${{ github.sha }}
+            databasus/databasus:latest
+            databasus/databasus:${{ github.sha }}
 
   build-and-push:
-    runs-on: ubuntu-latest
+    runs-on: self-hosted
     needs: [determine-version]
     if: ${{ needs.determine-version.outputs.should_release == 'true' }}
     permissions:
       contents: write
     steps:
+      - name: Clean workspace
+        run: |
+          sudo rm -rf "$GITHUB_WORKSPACE"/* || true
+          sudo rm -rf "$GITHUB_WORKSPACE"/.* || true
+
       - name: Check out code
         uses: actions/checkout@v4
 
@@ -570,26 +605,38 @@ jobs:
           build-args: |
             APP_VERSION=${{ needs.determine-version.outputs.new_version }}
           tags: |
-            rostislavdugin/postgresus:latest
-            rostislavdugin/postgresus:v${{ needs.determine-version.outputs.new_version }}
-            rostislavdugin/postgresus:${{ github.sha }}
+            databasus/databasus:latest
+            databasus/databasus:v${{ needs.determine-version.outputs.new_version }}
+            databasus/databasus:${{ github.sha }}
 
   release:
-    runs-on: ubuntu-latest
+    runs-on: self-hosted
+    container:
+      image: node:20
     needs: [determine-version, build-and-push]
     if: ${{ needs.determine-version.outputs.should_release == 'true' }}
     permissions:
       contents: write
       pull-requests: write
     steps:
+      - name: Clean workspace
+        run: |
+          rm -rf "$GITHUB_WORKSPACE"/* || true
+          rm -rf "$GITHUB_WORKSPACE"/.* || true
+
       - name: Check out code
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
           token: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Configure Git for container
+        run: |
+          git config --global --add safe.directory "$GITHUB_WORKSPACE"
+
       - name: Generate changelog
         id: changelog
+        shell: bash
         run: |
           NEW_VERSION="${{ needs.determine-version.outputs.new_version }}"
           LATEST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "v0.0.0")
@@ -609,6 +656,7 @@ jobs:
           FIXES=""
           REFACTORS=""
 
+          # USE PROCESS SUBSTITUTION to avoid subshell variable scope issues
           while IFS= read -r line; do
             if [ -n "$line" ]; then
               COMMIT_MSG=$(echo "$line" | cut -d'|' -f1)
@@ -642,7 +690,7 @@ jobs:
                 fi
               fi
             fi
-          done <<< "$COMMITS"
+          done < <(printf '%s\n' "$COMMITS")
 
           # Build changelog sections
           if [ -n "$FEATURES" ]; then
@@ -659,7 +707,7 @@ jobs:
 
           # Add Docker image info
           CHANGELOG="${CHANGELOG}### 🐳 Docker\n"
-          CHANGELOG="${CHANGELOG}- **Image**: \`rostislavdugin/postgresus:v${NEW_VERSION}\`\n"
+          CHANGELOG="${CHANGELOG}- **Image**: \`databasus/databasus:v${NEW_VERSION}\`\n"
           CHANGELOG="${CHANGELOG}- **Platforms**: linux/amd64, linux/arm64\n\n"
 
           # Set output for GitHub release
@@ -669,17 +717,6 @@ jobs:
             echo EOF
           } >> $GITHUB_OUTPUT
 
-      - name: Update CITATION.cff version
-        run: |
-          VERSION="${{ needs.determine-version.outputs.new_version }}"
-          sed -i "s/^version: .*/version: ${VERSION}/" CITATION.cff
-          sed -i "s/^date-released: .*/date-released: \"$(date +%Y-%m-%d)\"/" CITATION.cff
-          git config user.name "github-actions[bot]"
-          git config user.email "github-actions[bot]@users.noreply.github.com"
-          git add CITATION.cff
-          git commit -m "Update CITATION.cff to v${VERSION}" || true
-          git push || true
-
       - name: Create GitHub Release
         uses: actions/create-release@v1
         env:
@@ -692,16 +729,33 @@ jobs:
           prerelease: false
 
   publish-helm-chart:
-    runs-on: ubuntu-latest
+    runs-on: self-hosted
+    container:
+      image: alpine:3.19
+      volumes:
+        - /runner-cache/apk-cache:/etc/apk/cache
     needs: [determine-version, build-and-push]
     if: ${{ needs.determine-version.outputs.should_release == 'true' }}
     permissions:
       contents: read
       packages: write
     steps:
+      - name: Clean workspace
+        run: |
+          rm -rf "$GITHUB_WORKSPACE"/* || true
+          rm -rf "$GITHUB_WORKSPACE"/.* || true
+
+      - name: Install dependencies
+        run: |
+          apk add --no-cache git bash curl
+
       - name: Check out code
         uses: actions/checkout@v4
 
+      - name: Configure Git for container
+        run: |
+          git config --global --add safe.directory "$GITHUB_WORKSPACE"
+
       - name: Set up Helm
         uses: azure/setup-helm@v4
         with:
@@ -723,4 +777,4 @@ jobs:
       - name: Push Helm chart to GHCR
         run: |
           VERSION="${{ needs.determine-version.outputs.new_version }}"
-          helm push postgresus-${VERSION}.tgz oci://ghcr.io/rostislavdugin/charts
+          helm push databasus-${VERSION}.tgz oci://ghcr.io/databasus/charts

.gitignore

@@ -1,5 +1,7 @@
+ansible/
 postgresus_data/
 postgresus-data/
+databasus-data/
 .env
 pgdata/
 docker-compose.yml
@@ -8,4 +10,5 @@ node_modules/
 /articles
 
 .DS_Store
-/scripts
+/scripts
+.vscode/settings.json

.pre-commit-config.yaml

@@ -6,24 +6,38 @@ repos:
     hooks:
       - id: frontend-format
         name: Frontend Format (Prettier)
-        entry: powershell -Command "cd frontend; npm run format"
+        entry: bash -c "cd frontend && npm run format"
         language: system
         files: ^frontend/.*\.(ts|tsx|js|jsx|json|css|md)$
         pass_filenames: false
 
       - id: frontend-lint
         name: Frontend Lint (ESLint)
-        entry: powershell -Command "cd frontend; npm run lint"
+        entry: bash -c "cd frontend && npm run lint"
         language: system
         files: ^frontend/.*\.(ts|tsx|js|jsx)$
         pass_filenames: false
 
+      - id: frontend-build
+        name: Frontend Build
+        entry: bash -c "cd frontend && npm run build"
+        language: system
+        files: ^frontend/.*\.(ts|tsx|js|jsx|json|css)$
+        pass_filenames: false
+
   # Backend checks
   - repo: local
     hooks:
       - id: backend-format-and-lint
         name: Backend Format & Lint (golangci-lint)
-        entry: powershell -Command "cd backend; golangci-lint fmt; golangci-lint run"
+        entry: bash -c "cd backend && golangci-lint fmt ./internal/... ./cmd/... && golangci-lint run ./internal/... ./cmd/..."
         language: system
         files: ^backend/.*\.go$
-        pass_filenames: false
+        pass_filenames: false
+
+      - id: backend-go-mod-tidy
+        name: Backend Go Mod Tidy
+        entry: bash -c "cd backend && go mod tidy"
+        language: system
+        files: ^backend/.*\.go$
+        pass_filenames: false

CITATION.cff

@@ -1,13 +1,13 @@
 cff-version: 1.2.0
-title: Postgresus
+title: Databasus
 message: "If you use this software, please cite it as below."
 type: software
 authors:
   - family-names: Dugin
     given-names: Rostislav
-repository-code: https://github.com/RostislavDugin/postgresus
-url: https://postgresus.com
-abstract: "Free, open source and self-hosted solution for automated PostgreSQL backups with multiple storage options and notifications."
+repository-code: https://github.com/databasus/databasus
+url: https://databasus.com
+abstract: "Free, open source and self-hosted solution for automated databases backups with multiple storage options and notifications."
 keywords:
   - docker
   - kubernetes
@@ -28,6 +28,9 @@ keywords:
   - pg
   - system-administration
   - database-backup
+  - mysql
+  - mongodb
+  - mariadb
 license: Apache-2.0
-version: 2.13.0
-date-released: "2025-12-21"
+version: 2.21.0
+date-released: "2026-01-05"

Dockerfile

@@ -22,7 +22,7 @@ RUN npm run build
 
 # ========= BUILD BACKEND =========
 # Backend build stage
-FROM --platform=$BUILDPLATFORM golang:1.24.4 AS backend-build
+FROM --platform=$BUILDPLATFORM golang:1.24.9 AS backend-build
 
 # Make TARGET args available early so tools built here match the final image arch
 ARG TARGETOS
@@ -80,7 +80,7 @@ ENV ENV_MODE=production
 # ========= STEP 1: Install base packages =========
 RUN apt-get update
 RUN apt-get install -y --no-install-recommends \
-  wget ca-certificates gnupg lsb-release sudo gosu curl unzip xz-utils libncurses5
+  wget ca-certificates gnupg lsb-release sudo gosu curl unzip xz-utils libncurses5 libncurses6
 RUN rm -rf /var/lib/apt/lists/*
 
 # ========= Install PostgreSQL client binaries (versions 12-18) =========
@@ -123,6 +123,15 @@ RUN wget -qO- https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -
   apt-get install -y --no-install-recommends postgresql-17 && \
   rm -rf /var/lib/apt/lists/*
 
+# Install Valkey server from debian repository
+# Valkey is only accessible internally (localhost) - not exposed outside container
+RUN wget -O /usr/share/keyrings/greensec.github.io-valkey-debian.key https://greensec.github.io/valkey-debian/public.key && \
+  echo "deb [signed-by=/usr/share/keyrings/greensec.github.io-valkey-debian.key] https://greensec.github.io/valkey-debian/repo $(lsb_release -cs) main" \
+  > /etc/apt/sources.list.d/valkey-debian.list && \
+  apt-get update && \
+  apt-get install -y --no-install-recommends valkey && \
+  rm -rf /var/lib/apt/lists/*
+
 # ========= Install rclone =========
 RUN apt-get update && \
   apt-get install -y --no-install-recommends rclone && \
@@ -130,10 +139,11 @@ RUN apt-get update && \
 
 # Create directories for all database clients
 RUN mkdir -p /usr/local/mysql-5.7/bin /usr/local/mysql-8.0/bin /usr/local/mysql-8.4/bin \
+  /usr/local/mysql-9/bin \
   /usr/local/mariadb-10.6/bin /usr/local/mariadb-12.1/bin \
   /usr/local/mongodb-database-tools/bin
 
-# ========= Install MySQL clients (5.7, 8.0, 8.4) =========
+# ========= Install MySQL clients (5.7, 8.0, 8.4, 9) =========
 # Pre-downloaded binaries from assets/tools/ - no network download needed
 # Note: MySQL 5.7 is only available for x86_64
 # Note: MySQL binaries require libncurses5 for terminal handling
@@ -142,11 +152,13 @@ COPY assets/tools/arm/mysql/ /tmp/mysql-arm/
 RUN if [ "$TARGETARCH" = "amd64" ]; then \
   cp /tmp/mysql-x64/mysql-5.7/bin/* /usr/local/mysql-5.7/bin/ && \
   cp /tmp/mysql-x64/mysql-8.0/bin/* /usr/local/mysql-8.0/bin/ && \
-  cp /tmp/mysql-x64/mysql-8.4/bin/* /usr/local/mysql-8.4/bin/; \
+  cp /tmp/mysql-x64/mysql-8.4/bin/* /usr/local/mysql-8.4/bin/ && \
+  cp /tmp/mysql-x64/mysql-9/bin/* /usr/local/mysql-9/bin/; \
   elif [ "$TARGETARCH" = "arm64" ]; then \
   echo "MySQL 5.7 not available for arm64, skipping..." && \
   cp /tmp/mysql-arm/mysql-8.0/bin/* /usr/local/mysql-8.0/bin/ && \
-  cp /tmp/mysql-arm/mysql-8.4/bin/* /usr/local/mysql-8.4/bin/; \
+  cp /tmp/mysql-arm/mysql-8.4/bin/* /usr/local/mysql-8.4/bin/ && \
+  cp /tmp/mysql-arm/mysql-9/bin/* /usr/local/mysql-9/bin/; \
   fi && \
   rm -rf /tmp/mysql-x64 /tmp/mysql-arm && \
   chmod +x /usr/local/mysql-*/bin/*
@@ -169,24 +181,28 @@ RUN if [ "$TARGETARCH" = "amd64" ]; then \
 
 # ========= Install MongoDB Database Tools =========
 # Note: MongoDB Database Tools are backward compatible - single version supports all server versions (4.0-8.0)
-# Use dpkg with apt-get -f install to handle dependencies
+# Note: For ARM64, we use Ubuntu 22.04 package as MongoDB doesn't provide Debian 12 ARM64 packages
 RUN apt-get update && \
   if [ "$TARGETARCH" = "amd64" ]; then \
   wget -q https://fastdl.mongodb.org/tools/db/mongodb-database-tools-debian12-x86_64-100.10.0.deb -O /tmp/mongodb-database-tools.deb; \
   elif [ "$TARGETARCH" = "arm64" ]; then \
-  wget -q https://fastdl.mongodb.org/tools/db/mongodb-database-tools-debian12-aarch64-100.10.0.deb -O /tmp/mongodb-database-tools.deb; \
+  wget -q https://fastdl.mongodb.org/tools/db/mongodb-database-tools-ubuntu2204-arm64-100.10.0.deb -O /tmp/mongodb-database-tools.deb; \
   fi && \
-  dpkg -i /tmp/mongodb-database-tools.deb || true && \
-  apt-get install -f -y --no-install-recommends && \
-  rm /tmp/mongodb-database-tools.deb && \
+  dpkg -i /tmp/mongodb-database-tools.deb || apt-get install -f -y --no-install-recommends && \
+  rm -f /tmp/mongodb-database-tools.deb && \
   rm -rf /var/lib/apt/lists/* && \
-  ln -sf /usr/bin/mongodump /usr/local/mongodb-database-tools/bin/mongodump && \
-  ln -sf /usr/bin/mongorestore /usr/local/mongodb-database-tools/bin/mongorestore
+  mkdir -p /usr/local/mongodb-database-tools/bin && \
+  if [ -f /usr/bin/mongodump ]; then \
+  ln -sf /usr/bin/mongodump /usr/local/mongodb-database-tools/bin/mongodump; \
+  fi && \
+  if [ -f /usr/bin/mongorestore ]; then \
+  ln -sf /usr/bin/mongorestore /usr/local/mongodb-database-tools/bin/mongorestore; \
+  fi
 
 # Create postgres user and set up directories
 RUN useradd -m -s /bin/bash postgres || true && \
-  mkdir -p /postgresus-data/pgdata && \
-  chown -R postgres:postgres /postgresus-data/pgdata
+  mkdir -p /databasus-data/pgdata && \
+  chown -R postgres:postgres /databasus-data/pgdata
 
 WORKDIR /app
 
@@ -215,68 +231,215 @@ COPY <<EOF /app/start.sh
 #!/bin/bash
 set -e
 
+# Check for legacy postgresus-data volume mount
+if [ -d "/postgresus-data" ] && [ "\$(ls -A /postgresus-data 2>/dev/null)" ]; then
+    echo ""
+    echo "=========================================="
+    echo "ERROR: Legacy volume detected!"
+    echo "=========================================="
+    echo ""
+    echo "You are using the \`postgresus-data\` folder. It seems you changed the image name from Postgresus to Databasus without changing the volume."
+    echo ""
+    echo "Please either:"
+    echo "  1. Switch back to image rostislavdugin/postgresus:latest (supported until ~Dec 2026)"
+    echo "  2. Read the migration guide: https://databasus.com/installation/#postgresus-migration"
+    echo ""
+    echo "=========================================="
+    exit 1
+fi
+
 # PostgreSQL 17 binary paths
 PG_BIN="/usr/lib/postgresql/17/bin"
 
-# Ensure proper ownership of data directory
-echo "Setting up data directory permissions..."
-mkdir -p /postgresus-data/pgdata
-chown -R postgres:postgres /postgresus-data
+# Generate runtime configuration for frontend
+echo "Generating runtime configuration..."
 
-# Initialize PostgreSQL if not already initialized
-if [ ! -s "/postgresus-data/pgdata/PG_VERSION" ]; then
-    echo "Initializing PostgreSQL database..."
-    gosu postgres \$PG_BIN/initdb -D /postgresus-data/pgdata --encoding=UTF8 --locale=C.UTF-8
-    
-    # Configure PostgreSQL
-    echo "host all all 127.0.0.1/32 md5" >> /postgresus-data/pgdata/pg_hba.conf
-    echo "local all all trust" >> /postgresus-data/pgdata/pg_hba.conf
-    echo "port = 5437" >> /postgresus-data/pgdata/postgresql.conf
-    echo "listen_addresses = 'localhost'" >> /postgresus-data/pgdata/postgresql.conf
-    echo "shared_buffers = 256MB" >> /postgresus-data/pgdata/postgresql.conf
-    echo "max_connections = 100" >> /postgresus-data/pgdata/postgresql.conf
+# Detect if email is configured (both SMTP_HOST and DATABASUS_URL must be set)
+if [ -n "\${SMTP_HOST:-}" ] && [ -n "\${DATABASUS_URL:-}" ]; then
+  IS_EMAIL_CONFIGURED="true"
+else
+  IS_EMAIL_CONFIGURED="false"
 fi
 
-# Start PostgreSQL in background
-echo "Starting PostgreSQL..."
-gosu postgres \$PG_BIN/postgres -D /postgresus-data/pgdata -p 5437 &
-POSTGRES_PID=\$!
+cat > /app/ui/build/runtime-config.js <<JSEOF
+// Runtime configuration injected at container startup
+// This file is generated dynamically and should not be edited manually
+window.__RUNTIME_CONFIG__ = {
+  IS_CLOUD: '\${IS_CLOUD:-false}',
+  GITHUB_CLIENT_ID: '\${GITHUB_CLIENT_ID:-}',
+  GOOGLE_CLIENT_ID: '\${GOOGLE_CLIENT_ID:-}',
+  IS_EMAIL_CONFIGURED: '\$IS_EMAIL_CONFIGURED',
+  CLOUDFLARE_TURNSTILE_SITE_KEY: '\${CLOUDFLARE_TURNSTILE_SITE_KEY:-}'
+};
+JSEOF
 
-# Wait for PostgreSQL to be ready
-echo "Waiting for PostgreSQL to be ready..."
+# Inject analytics script if provided (only if not already injected)
+if [ -n "\${ANALYTICS_SCRIPT:-}" ]; then
+  if ! grep -q "rybbit.databasus.com" /app/ui/build/index.html 2>/dev/null; then
+    echo "Injecting analytics script..."
+    sed -i "s#</head>#  \${ANALYTICS_SCRIPT}\\
+  </head>#" /app/ui/build/index.html
+  fi
+fi
+
+# Ensure proper ownership of data directory
+echo "Setting up data directory permissions..."
+mkdir -p /databasus-data/pgdata
+mkdir -p /databasus-data/temp
+mkdir -p /databasus-data/backups
+chown -R postgres:postgres /databasus-data
+chmod 700 /databasus-data/temp
+
+# ========= Start Valkey (internal cache) =========
+echo "Configuring Valkey cache..."
+cat > /tmp/valkey.conf << 'VALKEY_CONFIG'
+port 6379
+bind 127.0.0.1
+protected-mode yes
+save ""
+maxmemory 256mb
+maxmemory-policy allkeys-lru
+VALKEY_CONFIG
+
+echo "Starting Valkey..."
+valkey-server /tmp/valkey.conf &
+VALKEY_PID=\$!
+
+echo "Waiting for Valkey to be ready..."
 for i in {1..30}; do
-    if gosu postgres \$PG_BIN/pg_isready -p 5437 -h localhost >/dev/null 2>&1; then
-        echo "PostgreSQL is ready!"
+    if valkey-cli ping >/dev/null 2>&1; then
+        echo "Valkey is ready!"
         break
     fi
-    if [ \$i -eq 30 ]; then
-        echo "PostgreSQL failed to start"
-        exit 1
-    fi
     sleep 1
 done
 
+# Initialize PostgreSQL if not already initialized
+if [ ! -s "/databasus-data/pgdata/PG_VERSION" ]; then
+    echo "Initializing PostgreSQL database..."
+    gosu postgres \$PG_BIN/initdb -D /databasus-data/pgdata --encoding=UTF8 --locale=C.UTF-8
+    
+    # Configure PostgreSQL
+    echo "host all all 127.0.0.1/32 md5" >> /databasus-data/pgdata/pg_hba.conf
+    echo "local all all trust" >> /databasus-data/pgdata/pg_hba.conf
+    echo "port = 5437" >> /databasus-data/pgdata/postgresql.conf
+    echo "listen_addresses = 'localhost'" >> /databasus-data/pgdata/postgresql.conf
+    echo "shared_buffers = 256MB" >> /databasus-data/pgdata/postgresql.conf
+    echo "max_connections = 100" >> /databasus-data/pgdata/postgresql.conf
+fi
+
+# Function to start PostgreSQL and wait for it to be ready
+start_postgres() {
+    echo "Starting PostgreSQL..."
+    gosu postgres \$PG_BIN/postgres -D /databasus-data/pgdata -p 5437 &
+    POSTGRES_PID=\$!
+    
+    echo "Waiting for PostgreSQL to be ready..."
+    for i in {1..30}; do
+        if gosu postgres \$PG_BIN/pg_isready -p 5437 -h localhost >/dev/null 2>&1; then
+            echo "PostgreSQL is ready!"
+            return 0
+        fi
+        sleep 1
+    done
+    return 1
+}
+
+# Try to start PostgreSQL
+if ! start_postgres; then
+    echo ""
+    echo "=========================================="
+    echo "PostgreSQL failed to start. Attempting WAL reset recovery..."
+    echo "=========================================="
+    echo ""
+    
+    # Kill any remaining postgres processes
+    pkill -9 postgres 2>/dev/null || true
+    sleep 2
+    
+    # Attempt pg_resetwal to recover from WAL corruption
+    echo "Running pg_resetwal to reset WAL..."
+    if gosu postgres \$PG_BIN/pg_resetwal -f /databasus-data/pgdata; then
+        echo "WAL reset successful. Restarting PostgreSQL..."
+        
+        # Try starting PostgreSQL again after WAL reset
+        if start_postgres; then
+            echo "PostgreSQL recovered successfully after WAL reset!"
+        else
+            echo ""
+            echo "=========================================="
+            echo "ERROR: PostgreSQL failed to start even after WAL reset."
+            echo "The database may be severely corrupted."
+            echo ""
+            echo "Options:"
+            echo "  1. Delete the volume and start fresh (data loss)"
+            echo "  2. Manually inspect /databasus-data/pgdata for issues"
+            echo "=========================================="
+            exit 1
+        fi
+    else
+        echo ""
+        echo "=========================================="
+        echo "ERROR: pg_resetwal failed."
+        echo "The database may be severely corrupted."
+        echo ""
+        echo "Options:"
+        echo "  1. Delete the volume and start fresh (data loss)"
+        echo "  2. Manually inspect /databasus-data/pgdata for issues"
+        echo "=========================================="
+        exit 1
+    fi
+fi
+
 # Create database and set password for postgres user
 echo "Setting up database and user..."
 gosu postgres \$PG_BIN/psql -p 5437 -h localhost -d postgres << 'SQL'
 ALTER USER postgres WITH PASSWORD 'Q1234567';
-SELECT 'CREATE DATABASE postgresus OWNER postgres'
-WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'postgresus')
+SELECT 'CREATE DATABASE databasus OWNER postgres'
+WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'databasus')
 \\gexec
 \\q
 SQL
 
 # Start the main application
-echo "Starting Postgresus application..."
+echo "Starting Databasus application..."
+
+# Check and warn about external database/Valkey usage
+if [ -n "\${DANGEROUS_EXTERNAL_DATABASE_DSN:-}" ]; then
+    echo ""
+    echo "=========================================="
+    echo "WARNING: Using external database"
+    echo "=========================================="
+    echo "DANGEROUS_EXTERNAL_DATABASE_DSN is set."
+    echo "Application will connect to external PostgreSQL instead of internal instance."
+    echo "Internal PostgreSQL is still running in the background."
+    echo "=========================================="
+    echo ""
+fi
+
+if [ -n "\${DANGEROUS_VALKEY_HOST:-}" ]; then
+    echo ""
+    echo "=========================================="
+    echo "WARNING: Using external Valkey"
+    echo "=========================================="
+    echo "DANGEROUS_VALKEY_HOST is set."
+    echo "Application will connect to external Valkey instead of internal instance."
+    echo "Internal Valkey is still running in the background."
+    echo "=========================================="
+    echo ""
+fi
+
 exec ./main
 EOF
 
+LABEL org.opencontainers.image.source="https://github.com/databasus/databasus"
+
 RUN chmod +x /app/start.sh
 
 EXPOSE 4005
 
 # Volume for PostgreSQL data
-VOLUME ["/postgresus-data"]
+VOLUME ["/databasus-data"]
 
 ENTRYPOINT ["/app/start.sh"]
-CMD []
+CMD []

LICENSE

@@ -187,7 +187,7 @@
       same "license" line as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright 2025 Postgresus
+   Copyright 2026 Databasus
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

README.md

@@ -1,18 +1,21 @@
 <div align="center">
-  <img src="assets/logo.svg" style="margin-bottom: 20px;" alt="Postgresus Logo" width="250"/>
+  <img src="assets/logo.svg" alt="Databasus Logo" width="250"/>
 
-  <h3>PostgreSQL backup</h3>
-  <p>Free, open source and self-hosted solution for automated PostgreSQL backups. With multiple storage options and notifications</p>
+  <h3>Backup tool for PostgreSQL, MySQL and MongoDB</h3>
+  <p>Databasus is a free, open source and self-hosted tool to backup databases (with focus on PostgreSQL). Make backups with different storages (S3, Google Drive, FTP, etc.) and notifications about progress (Slack, Discord, Telegram, etc.). Previously known as Postgresus (see migration guide).</p>
   
   <!-- Badges -->
+   [![PostgreSQL](https://img.shields.io/badge/PostgreSQL-336791?logo=postgresql&logoColor=white)](https://www.postgresql.org/)
+  [![MySQL](https://img.shields.io/badge/MySQL-4479A1?logo=mysql&logoColor=white)](https://www.mysql.com/)
+  [![MariaDB](https://img.shields.io/badge/MariaDB-003545?logo=mariadb&logoColor=white)](https://mariadb.org/)
+  [![MongoDB](https://img.shields.io/badge/MongoDB-47A248?logo=mongodb&logoColor=white)](https://www.mongodb.com/)
+  <br />
   [![Apache 2.0 License](https://img.shields.io/badge/license-Apache%202.0-blue.svg)](LICENSE)
-  [![Docker Pulls](https://img.shields.io/docker/pulls/rostislavdugin/postgresus?color=brightgreen)](https://hub.docker.com/r/rostislavdugin/postgresus)
-  [![Platform](https://img.shields.io/badge/platform-linux%20%7C%20macos%20%7C%20windows-lightgrey)](https://github.com/RostislavDugin/postgresus)
-  
-  [![PostgreSQL](https://img.shields.io/badge/PostgreSQL-12%20%7C%2013%20%7C%2014%20%7C%2015%20%7C%2016%20%7C%2017%20%7C%2018-336791?logo=postgresql&logoColor=white)](https://www.postgresql.org/)
-  [![Self Hosted](https://img.shields.io/badge/self--hosted-yes-brightgreen)](https://github.com/RostislavDugin/postgresus)
-  [![Open Source](https://img.shields.io/badge/open%20source-❤️-red)](https://github.com/RostislavDugin/postgresus)
-  
+  [![Docker Pulls](https://img.shields.io/docker/pulls/databasus/databasus?color=brightgreen)](https://hub.docker.com/r/databasus/databasus)
+  [![Platform](https://img.shields.io/badge/platform-linux%20%7C%20macos%20%7C%20windows-lightgrey)](https://github.com/databasus/databasus)
+  [![Self Hosted](https://img.shields.io/badge/self--hosted-yes-brightgreen)](https://github.com/databasus/databasus)
+  [![Open Source](https://img.shields.io/badge/open%20source-❤️-red)](https://github.com/databasus/databasus)
+
   <p>
     <a href="#-features">Features</a> •
     <a href="#-installation">Installation</a> •
@@ -22,52 +25,51 @@
   </p>
 
   <p style="margin-top: 20px; margin-bottom: 20px; font-size: 1.2em;">
-    <a href="https://postgresus.com" target="_blank"><strong>🌐 Postgresus website</strong></a>
+    <a href="https://databasus.com" target="_blank"><strong>🌐 Databasus website</strong></a>
   </p>
   
-  <img src="assets/dashboard-dark.svg" alt="Postgresus Dark Dashboard" width="800" style="margin-bottom: 10px;"/>
+  <img src="assets/dashboard-dark.svg" alt="Databasus Dark Dashboard" width="800" style="margin-bottom: 10px;"/>
 
-  <img src="assets/dashboard.svg" alt="Postgresus Dashboard" width="800"/>
-  
- 
+  <img src="assets/dashboard.svg" alt="Databasus Dashboard" width="800"/>
 </div>
 
 ---
 
 ## ✨ Features
 
+### 💾 **Supported databases**
+
+- **PostgreSQL**: 12, 13, 14, 15, 16, 17 and 18
+- **MySQL**: 5.7, 8 and 9
+- **MariaDB**: 10 and 11
+- **MongoDB**: 4, 5, 6, 7 and 8
+
 ### 🔄 **Scheduled backups**
 
 - **Flexible scheduling**: hourly, daily, weekly, monthly or cron
 - **Precise timing**: run backups at specific times (e.g., 4 AM during low traffic)
 - **Smart compression**: 4-8x space savings with balanced compression (~20% overhead)
 
-### 🗄️ **Multiple storage destinations** <a href="https://postgresus.com/storages">(view supported)</a>
+### 🗄️ **Multiple storage destinations** <a href="https://databasus.com/storages">(view supported)</a>
 
 - **Local storage**: Keep backups on your VPS/server
 - **Cloud storage**: S3, Cloudflare R2, Google Drive, NAS, Dropbox, SFTP, Rclone and more
 - **Secure**: All data stays under your control
 
-### 📱 **Smart notifications** <a href="https://postgresus.com/notifiers">(view supported)</a>
+### 📱 **Smart notifications** <a href="https://databasus.com/notifiers">(view supported)</a>
 
 - **Multiple channels**: Email, Telegram, Slack, Discord, webhooks
 - **Real-time updates**: Success and failure notifications
 - **Team integration**: Perfect for DevOps workflows
 
-### 🐘 **PostgreSQL support**
-
-- **Multiple versions**: PostgreSQL 12, 13, 14, 15, 16, 17 and 18
-- **SSL support**: Secure connections available
-- **Easy restoration**: One-click restore from any backup
-
-### 🔒 **Enterprise-grade security** <a href="https://postgresus.com/security">(docs)</a>
+### 🔒 **Enterprise-grade security** <a href="https://databasus.com/security">(docs)</a>
 
 - **AES-256-GCM encryption**: Enterprise-grade protection for backup files
-- **Zero-trust storage**: Backups are encrypted and they are useless to attackers, so you can keep them in shared storages like S3, Azure Blob Storage, etc.
+- **Zero-trust storage**: Backups are encrypted and remain useless to attackers, so you can safely store them in shared storage like S3, Azure Blob Storage, etc.
 - **Encryption for secrets**: Any sensitive data is encrypted and never exposed, even in logs or error messages
-- **Read-only user**: Postgresus uses by default a read-only user for backups and never stores anything that can change your data
+- **Read-only user**: Databasus uses a read-only user by default for backups and never stores anything that can modify your data
 
-### 👥 **Suitable for teams** <a href="https://postgresus.com/access-management">(docs)</a>
+### 👥 **Suitable for teams** <a href="https://databasus.com/access-management">(docs)</a>
 
 - **Workspaces**: Group databases, notifiers and storages for different projects or teams
 - **Access management**: Control who can view or manage specific databases with role-based permissions
@@ -82,11 +84,11 @@
 
 ### ☁️ **Works with self-hosted & cloud databases**
 
-Postgresus works seamlessly with both self-hosted PostgreSQL and cloud-managed databases:
+Databasus works seamlessly with both self-hosted PostgreSQL and cloud-managed databases:
 
 - **Cloud support**: AWS RDS, Google Cloud SQL, Azure Database for PostgreSQL
 - **Self-hosted**: Any PostgreSQL instance you manage yourself
-- **Why no PITR?**: Cloud providers already offer native PITR, and external PITR backups cannot be restored to managed cloud databases — making them impractical for cloud-hosted PostgreSQL
+- **Why no PITR support?**: Cloud providers already offer native PITR, and external PITR backups cannot be restored to managed cloud databases — making them impractical for cloud-hosted PostgreSQL
 - **Practical granularity**: Hourly and daily backups are sufficient for 99% of projects without the operational complexity of WAL archiving
 
 ### 🐳 **Self-hosted & secure**
@@ -95,53 +97,54 @@ Postgresus works seamlessly with both self-hosted PostgreSQL and cloud-managed d
 - **Privacy-first**: All your data stays on your infrastructure
 - **Open source**: Apache 2.0 licensed, inspect every line of code
 
-### 📦 Installation <a href="https://postgresus.com/installation">(docs)</a>
+### 📦 Installation <a href="https://databasus.com/installation">(docs)</a>
 
-You have several ways to install Postgresus:
+You have four ways to install Databasus:
 
-- Script (recommended)
+- Automated script (recommended)
 - Simple Docker run
 - Docker Compose setup
+- Kubernetes with Helm
 
-<img src="assets/healthchecks.svg" alt="Postgresus Dashboard" width="800"/>
+<img src="assets/healthchecks.svg" alt="Databasus Dashboard" width="800"/>
 
 ---
 
 ## 📦 Installation
 
-You have three ways to install Postgresus: automated script (recommended), simple Docker run, or Docker Compose setup.
+You have four ways to install Databasus: automated script (recommended), simple Docker run, or Docker Compose setup.
 
 ### Option 1: Automated installation script (recommended, Linux only)
 
 The installation script will:
 
 - ✅ Install Docker with Docker Compose (if not already installed)
-- ✅ Set up Postgresus
+- ✅ Set up Databasus
 - ✅ Configure automatic startup on system reboot
 
 ```bash
 sudo apt-get install -y curl && \
-sudo curl -sSL https://raw.githubusercontent.com/RostislavDugin/postgresus/refs/heads/main/install-postgresus.sh \
+sudo curl -sSL https://raw.githubusercontent.com/databasus/databasus/refs/heads/main/install-databasus.sh \
 | sudo bash
 ```
 
 ### Option 2: Simple Docker run
 
-The easiest way to run Postgresus with embedded PostgreSQL:
+The easiest way to run Databasus:
 
 ```bash
 docker run -d \
-  --name postgresus \
+  --name databasus \
   -p 4005:4005 \
-  -v ./postgresus-data:/postgresus-data \
+  -v ./databasus-data:/databasus-data \
   --restart unless-stopped \
-  rostislavdugin/postgresus:latest
+  databasus/databasus:latest
 ```
 
 This single command will:
 
-- ✅ Start Postgresus
-- ✅ Store all data in `./postgresus-data` directory
+- ✅ Start Databasus
+- ✅ Store all data in `./databasus-data` directory
 - ✅ Automatically restart on system reboot
 
 ### Option 3: Docker Compose setup
@@ -150,13 +153,13 @@ Create a `docker-compose.yml` file with the following configuration:
 
 ```yaml
 services:
-  postgresus:
-    container_name: postgresus
-    image: rostislavdugin/postgresus:latest
+  databasus:
+    container_name: databasus
+    image: databasus/databasus:latest
     ports:
       - "4005:4005"
     volumes:
-      - ./postgresus-data:/postgresus-data
+      - ./databasus-data:/databasus-data
     restart: unless-stopped
 ```
 
@@ -173,33 +176,33 @@ For Kubernetes deployments, install directly from the OCI registry.
 **With ClusterIP + port-forward (development/testing):**
 
 ```bash
-helm install postgresus oci://ghcr.io/rostislavdugin/charts/postgresus \
-  -n postgresus --create-namespace
+helm install databasus oci://ghcr.io/databasus/charts/databasus \
+  -n databasus --create-namespace
 ```
 
 ```bash
-kubectl port-forward svc/postgresus-service 4005:4005 -n postgresus
+kubectl port-forward svc/databasus-service 4005:4005 -n databasus
 # Access at http://localhost:4005
 ```
 
 **With LoadBalancer (cloud environments):**
 
 ```bash
-helm install postgresus oci://ghcr.io/rostislavdugin/charts/postgresus \
-  -n postgresus --create-namespace \
+helm install databasus oci://ghcr.io/databasus/charts/databasus \
+  -n databasus --create-namespace \
   --set service.type=LoadBalancer
 ```
 
 ```bash
-kubectl get svc postgresus-service -n postgresus
+kubectl get svc databasus-service -n databasus
 # Access at http://<EXTERNAL-IP>:4005
 ```
 
 **With Ingress (domain-based access):**
 
 ```bash
-helm install postgresus oci://ghcr.io/rostislavdugin/charts/postgresus \
-  -n postgresus --create-namespace \
+helm install databasus oci://ghcr.io/databasus/charts/databasus \
+  -n databasus --create-namespace \
   --set ingress.enabled=true \
   --set ingress.hosts[0].host=backup.example.com
 ```
@@ -211,19 +214,19 @@ For more options (NodePort, TLS, HTTPRoute for Gateway API), see the [Helm chart
 ## 🚀 Usage
 
 1. **Access the dashboard**: Navigate to `http://localhost:4005`
-2. **Add first DB for backup**: Click "New Database" and follow the setup wizard
+2. **Add your first database for backup**: Click "New Database" and follow the setup wizard
 3. **Configure schedule**: Choose from hourly, daily, weekly, monthly or cron intervals
-4. **Set database connection**: Enter your PostgreSQL credentials and connection details
+4. **Set database connection**: Enter your database credentials and connection details
 5. **Choose storage**: Select where to store your backups (local, S3, Google Drive, etc.)
 6. **Add notifications** (optional): Configure email, Telegram, Slack, or webhook notifications
-7. **Save and start**: Postgresus will validate settings and begin the backup schedule
+7. **Save and start**: Databasus will validate settings and begin the backup schedule
 
-### 🔑 Resetting password <a href="https://postgresus.com/password">(docs)</a>
+### 🔑 Resetting password <a href="https://databasus.com/password">(docs)</a>
 
 If you need to reset the password, you can use the built-in password reset command:
 
 ```bash
-docker exec -it postgresus ./main --new-password="YourNewSecurePassword123" --email="admin"
+docker exec -it databasus ./main --new-password="YourNewSecurePassword123" --email="admin"
 ```
 
 Replace `admin` with the actual email address of the user whose password you want to reset.
@@ -238,4 +241,74 @@ This project is licensed under the Apache 2.0 License - see the [LICENSE](LICENS
 
 ## 🤝 Contributing
 
-Contributions are welcome! Read <a href="https://postgresus.com/contribute">contributing guide</a> for more details, priorities and rules are specified there. If you want to contribute, but don't know what and how - message me on Telegram [@rostislav_dugin](https://t.me/rostislav_dugin)
+Contributions are welcome! Read the <a href="https://databasus.com/contribute">contributing guide</a> for more details, priorities and rules. If you want to contribute but don't know where to start, message me on Telegram [@rostislav_dugin](https://t.me/rostislav_dugin)
+
+Also you can join our large community of developers, DBAs and DevOps engineers on Telegram [@databasus_community](https://t.me/databasus_community).
+
+--
+
+## 📖 Migration guide
+
+Databasus is the new name for Postgresus. You can stay with latest version of Postgresus if you wish. If you want to migrate - follow installation steps for Databasus itself.
+
+Just renaming an image is not enough as Postgresus and Databasus use different data folders and internal database naming.
+
+You can put a new Databasus image with updated volume near the old Postgresus and run it (stop Postgresus before):
+
+```
+services:
+  databasus:
+    container_name: databasus
+    image: databasus/databasus:latest
+    ports:
+      - "4005:4005"
+    volumes:
+      - ./databasus-data:/databasus-data
+    restart: unless-stopped
+```
+
+Then manually move databases from Postgresus to Databasus.
+
+### Why was Postgresus renamed to Databasus?
+
+Databasus has been developed since 2023. It was internal tool to backup production and home projects databases. In start of 2025 it was released as open source project on GitHub. By the end of 2025 it became popular and the time for renaming has come in December 2025.
+
+It was an important step for the project to grow. Actually, there are a couple of reasons:
+
+1. Postgresus is no longer a little tool that just adds UI for pg_dump for little projects. It became a tool both for individual users, DevOps, DBAs, teams, companies and even large enterprises. Tens of thousands of users use Postgresus every day. Postgresus grew into a reliable backup management tool. Initial positioning is no longer suitable: the project is not just a UI wrapper, it's a solid backup management system now (despite it's still easy to use).
+
+2. New databases are supported: although the primary focus is PostgreSQL (with 100% support in the most efficient way) and always will be, Databasus added support for MySQL, MariaDB and MongoDB. Later more databases will be supported.
+
+3. Trademark issue: "postgres" is a trademark of PostgreSQL Inc. and cannot be used in the project name. So for safety and legal reasons, we had to rename the project.
+
+## AI disclaimer
+
+There have been questions about AI usage in project development in issues and discussions. As the project focuses on security, reliability and production usage, it's important to explain how AI is used in the development process.
+
+AI is used as a helper for:
+
+- verification of code quality and searching for vulnerabilities
+- cleaning up and improving documentation, comments and code
+- assistance during development
+- double-checking PRs and commits after human review
+
+AI is not used for:
+
+- writing entire code
+- "vibe code" approach
+- code without line-by-line verification by a human
+- code without tests
+
+The project has:
+
+- solid test coverage (both unit and integration tests)
+- CI/CD pipeline automation with tests and linting to ensure code quality
+- verification by experienced developers with experience in large and secure projects
+
+So AI is just an assistant and a tool for developers to increase productivity and ensure code quality. The work is done by developers.
+
+Moreover, it's important to note that we do not differentiate between bad human code and AI vibe code. There are strict requirements for any code to be merged to keep the codebase maintainable.
+
+Even if code is written manually by a human, it's not guaranteed to be merged. Vibe code is not allowed at all and all such PRs are rejected by default (see [contributing guide](https://databasus.com/contribute)).
+
+We also draw attention to fast issue resolution and security [vulnerability reporting](https://github.com/databasus/databasus?tab=security-ov-file#readme).

assets/logo-square.svg

@@ -0,0 +1,12 @@
+<svg width="128" height="128" viewBox="0 0 128 128" fill="none" xmlns="http://www.w3.org/2000/svg">
+<g clip-path="url(#clip0_287_1020)">
+<path d="M50.1522 115.189C50.1522 121.189 57.1564 121.193 59 118C60.1547 116 61 114 61 108C61 102 58.1044 96.9536 55.3194 91.5175C54.6026 90.1184 53.8323 88.6149 53.0128 86.9234C51.6073 84.0225 49.8868 81.3469 47.3885 79.2139C47.0053 78.8867 46.8935 78.0093 46.9624 77.422C47.2351 75.1036 47.5317 72.7876 47.8283 70.4718C48.3186 66.6436 48.8088 62.8156 49.1909 58.9766C49.459 56.2872 49.4542 53.5119 49.1156 50.8329C48.3833 45.0344 45.1292 40.7783 40.1351 37.9114C38.6818 37.0771 38.2533 36.1455 38.4347 34.5853C38.9402 30.2473 40.6551 26.3306 42.8342 22.6642C44.8356 19.297 47.1037 16.0858 49.3676 12.8804C49.6576 12.4699 49.9475 12.0594 50.2367 11.6488C50.6069 11.1231 51.5231 10.7245 52.1971 10.7075C60.4129 10.5017 68.6303 10.3648 76.8477 10.2636C77.4123 10.2563 78.1584 10.5196 78.5221 10.9246C83.6483 16.634 88.2284 22.712 90.9778 29.9784C91.1658 30.4758 91.3221 30.9869 91.4655 31.4997C92.4976 35.1683 92.4804 35.1803 89.5401 37.2499L89.4071 37.3436C83.8702 41.2433 81.8458 46.8198 82.0921 53.349C82.374 60.8552 84.0622 68.1313 85.9869 75.3539C86.3782 76.8218 86.6318 77.9073 85.2206 79.2609C82.3951 81.9698 81.2196 85.6872 80.6575 89.4687C80.0724 93.4081 79.599 97.3637 79.1254 101.32C78.8627 103.515 78.8497 105.368 78.318 107.904C76.2819 117.611 71 128 63 128H50.1522C45 128 41 123.189 41 115.189H50.1522Z" fill="#155DFC"/>
+<path d="M46.2429 6.56033C43.3387 11.1 40.3642 15.4031 37.7614 19.9209C35.413 23.9964 33.8487 28.4226 33.0913 33.1211C32.0998 39.2728 33.694 44.7189 38.0765 48.9775C41.6846 52.4835 42.6153 56.4472 42.152 61.1675C41.1426 71.4587 39.1174 81.5401 36.2052 91.4522C36.1769 91.5477 36.0886 91.6255 35.8974 91.8977C34.1517 91.3525 32.3161 90.8446 30.5266 90.2095C5.53011 81.3376 -12.7225 64.953 -24.1842 41.0298C-25.175 38.9625 -26.079 36.8498 -26.9263 34.7202C-27.0875 34.3151 -26.9749 33.5294 -26.6785 33.2531C-17.1479 24.3723 -7.64007 15.4647 2.00468 6.70938C8.64568 0.681612 16.5812 -1.21558 25.2457 0.739942C31.9378 2.24992 38.5131 4.27834 45.1363 6.09048C45.5843 6.2128 45.9998 6.45502 46.2429 6.56033Z" fill="#155DFC"/>
+<path d="M96.9586 89.3257C95.5888 84.7456 94.0796 80.4011 93.0111 75.9514C91.6065 70.0978 90.4683 64.1753 89.3739 58.2529C88.755 54.9056 89.3998 51.8176 91.89 49.2108C98.2669 42.5358 98.3933 34.7971 95.3312 26.7037C92.7471 19.8739 88.593 13.9904 83.7026 8.60904C83.1298 7.9788 82.5693 7.33641 81.918 6.60491C82.2874 6.40239 82.5709 6.18773 82.8909 6.07999C90.1281 3.64085 97.4495 1.54842 105.041 0.488845C112.781 -0.591795 119.379 1.81818 125.045 6.97592C130.017 11.5018 134.805 16.2327 139.812 20.7188C143.822 24.3115 148.013 27.7066 152.19 31.1073C152.945 31.7205 153.137 32.2154 152.913 33.1041C149.059 48.4591 141.312 61.4883 129.457 71.9877C120.113 80.2626 109.35 85.9785 96.9586 89.3265V89.3257Z" fill="#155DFC"/>
+</g>
+<defs>
+<clipPath id="clip0_287_1020">
+<rect width="128" height="128" rx="6" fill="white"/>
+</clipPath>
+</defs>
+</svg>

assets/tools/README.md

@@ -0,0 +1,17 @@
+We keep binaries here to speed up CI \ CD tasks and building.
+
+Docker image needs:
+- PostgreSQL client tools (versions 12-18)
+- MySQL client tools (versions 5.7, 8.0, 8.4, 9)
+- MariaDB client tools (versions 10.6, 12.1)
+- MongoDB Database Tools (latest)
+
+For the most of tools, we need a couple of binaries for each version. However, if we download them on each run, it will download a couple of GBs each time.
+
+So, for speed up we keep only required executables (like pg_dump, mysqldump, mariadb-dump, mongodump, etc.).
+
+It takes:
+- ~ 100MB for ARM
+- ~ 100MB for x64
+
+Instead of GBs. See Dockefile for usage details.

backend/.cursor/rules/codestyle-rule.mdc

@@ -1,152 +0,0 @@
----
-description:
-globs:
-alwaysApply: true
----
-
-Always place private methods to the bottom of file
-
-**This rule applies to ALL Go files including tests, services, controllers, repositories, etc.**
-
-In Go, exported (public) functions/methods start with uppercase letters, while unexported (private) ones start with lowercase letters.
-
-## Structure Order:
-
-1. Type definitions and constants
-2. Public methods/functions (uppercase)
-3. Private methods/functions (lowercase)
-
-## Examples:
-
-### Service with methods:
-
-```go
-type UserService struct {
-    repository *UserRepository
-}
-
-// Public methods first
-func (s *UserService) CreateUser(user *User) error {
-    if err := s.validateUser(user); err != nil {
-        return err
-    }
-    return s.repository.Save(user)
-}
-
-func (s *UserService) GetUser(id uuid.UUID) (*User, error) {
-    return s.repository.FindByID(id)
-}
-
-// Private methods at the bottom
-func (s *UserService) validateUser(user *User) error {
-    if user.Name == "" {
-        return errors.New("name is required")
-    }
-    return nil
-}
-```
-
-### Package-level functions:
-
-```go
-package utils
-
-// Public functions first
-func ProcessData(data []byte) (Result, error) {
-    cleaned := sanitizeInput(data)
-    return parseData(cleaned)
-}
-
-func ValidateInput(input string) bool {
-    return isValidFormat(input) && checkLength(input)
-}
-
-// Private functions at the bottom
-func sanitizeInput(data []byte) []byte {
-    // implementation
-}
-
-func parseData(data []byte) (Result, error) {
-    // implementation
-}
-
-func isValidFormat(input string) bool {
-    // implementation
-}
-
-func checkLength(input string) bool {
-    // implementation
-}
-```
-
-### Test files:
-
-```go
-package user_test
-
-// Public test functions first
-func Test_CreateUser_ValidInput_UserCreated(t *testing.T) {
-    user := createTestUser()
-    result, err := service.CreateUser(user)
-
-    assert.NoError(t, err)
-    assert.NotNil(t, result)
-}
-
-func Test_GetUser_ExistingUser_ReturnsUser(t *testing.T) {
-    user := createTestUser()
-    // test implementation
-}
-
-// Private helper functions at the bottom
-func createTestUser() *User {
-    return &User{
-        Name:  "Test User",
-        Email: "test@example.com",
-    }
-}
-
-func setupTestDatabase() *Database {
-    // setup implementation
-}
-```
-
-### Controller example:
-
-```go
-type ProjectController struct {
-    service *ProjectService
-}
-
-// Public HTTP handlers first
-func (c *ProjectController) CreateProject(ctx *gin.Context) {
-    var request CreateProjectRequest
-    if err := ctx.ShouldBindJSON(&request); err != nil {
-        c.handleError(ctx, err)
-        return
-    }
-    // handler logic
-}
-
-func (c *ProjectController) GetProject(ctx *gin.Context) {
-    projectID := c.extractProjectID(ctx)
-    // handler logic
-}
-
-// Private helper methods at the bottom
-func (c *ProjectController) handleError(ctx *gin.Context, err error) {
-    ctx.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
-}
-
-func (c *ProjectController) extractProjectID(ctx *gin.Context) uuid.UUID {
-    return uuid.MustParse(ctx.Param("projectId"))
-}
-```
-
-## Key Points:
-
-- **Exported/Public** = starts with uppercase letter (CreateUser, GetProject)
-- **Unexported/Private** = starts with lowercase letter (validateUser, handleError)
-- This improves code readability by showing the public API first
-- Private helpers are implementation details, so they go at the bottom
-- Apply this rule consistently across ALL Go files in the project

backend/.cursor/rules/comments.mdc

@@ -1,45 +0,0 @@
----
-description:
-globs:
-alwaysApply: true
----
-
-## Comment Guidelines
-
-1. **No obvious comments** - Don't state what the code already clearly shows
-2. **Functions and variables should have meaningful names** - Code should be self-documenting
-3. **Comments for unclear code only** - Only add comments when code logic isn't immediately clear
-
-## Key Principles:
-
-- **Code should tell a story** - Use descriptive variable and function names
-- **Comments explain WHY, not WHAT** - The code shows what happens, comments explain business logic or complex decisions
-- **Prefer refactoring over commenting** - If code needs explaining, consider making it clearer instead
-- **API documentation is required** - Swagger comments for all HTTP endpoints are mandatory
-- **Complex algorithms deserve comments** - Mathematical formulas, business rules, or non-obvious optimizations
-
-Example of useless comment:
-
-1.
-
-```sql
-// Create projects table
-CREATE TABLE projects (
-    id                    UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-    name                  TEXT NOT NULL,
-    created_at            TIMESTAMPTZ NOT NULL DEFAULT NOW(),
-```
-
-2.
-
-```go
-// Create test project
-project := CreateTestProject(projectName, user, router)
-```
-
-3.
-
-```go
-// CreateValidLogItems creates valid log items for testing
-func CreateValidLogItems(count int, uniqueID string) []logs_receiving.LogItemRequestDTO {
-```

backend/.cursor/rules/controllers-rule.mdc

@@ -1,133 +0,0 @@
----
-description:
-globs:
-alwaysApply: true
----
-
-1. When we write controller:
-
-- we combine all routes to single controller
-- names them as .WhatWeDo (not "handlers") concept
-
-2. We use gin and \*gin.Context for all routes.
-   Example:
-
-func (c *TasksController) GetAvailableTasks(ctx *gin.Context) ...
-
-3. We document all routes with Swagger in the following format:
-
-package audit_logs
-
-import (
-"net/http"
-
-    user_models "postgresus/internal/features/users/models"
-
-    "github.com/gin-gonic/gin"
-    "github.com/google/uuid"
-
-)
-
-type AuditLogController struct {
-auditLogService \*AuditLogService
-}
-
-func (c *AuditLogController) RegisterRoutes(router *gin.RouterGroup) {
-// All audit log endpoints require authentication (handled in main.go)
-auditRoutes := router.Group("/audit-logs")
-
-    auditRoutes.GET("/global", c.GetGlobalAuditLogs)
-    auditRoutes.GET("/users/:userId", c.GetUserAuditLogs)
-
-}
-
-// GetGlobalAuditLogs
-// @Summary Get global audit logs (ADMIN only)
-// @Description Retrieve all audit logs across the system
-// @Tags audit-logs
-// @Accept json
-// @Produce json
-// @Security BearerAuth
-// @Param limit query int false "Limit number of results" default(100)
-// @Param offset query int false "Offset for pagination" default(0)
-// @Param beforeDate query string false "Filter logs created before this date (RFC3339 format)" format(date-time)
-// @Success 200 {object} GetAuditLogsResponse
-// @Failure 401 {object} map[string]string
-// @Failure 403 {object} map[string]string
-// @Router /audit-logs/global [get]
-func (c *AuditLogController) GetGlobalAuditLogs(ctx *gin.Context) {
-user, isOk := ctx.MustGet("user").(\*user_models.User)
-if !isOk {
-ctx.JSON(http.StatusInternalServerError, gin.H{"error": "Invalid user type in context"})
-return
-}
-
-    request := &GetAuditLogsRequest{}
-    if err := ctx.ShouldBindQuery(request); err != nil {
-    	ctx.JSON(http.StatusBadRequest, gin.H{"error": "Invalid query parameters"})
-    	return
-    }
-
-    response, err := c.auditLogService.GetGlobalAuditLogs(user, request)
-    if err != nil {
-    	if err.Error() == "only administrators can view global audit logs" {
-    		ctx.JSON(http.StatusForbidden, gin.H{"error": err.Error()})
-    		return
-    	}
-    	ctx.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to retrieve audit logs"})
-    	return
-    }
-
-    ctx.JSON(http.StatusOK, response)
-
-}
-
-// GetUserAuditLogs
-// @Summary Get user audit logs
-// @Description Retrieve audit logs for a specific user
-// @Tags audit-logs
-// @Accept json
-// @Produce json
-// @Security BearerAuth
-// @Param userId path string true "User ID"
-// @Param limit query int false "Limit number of results" default(100)
-// @Param offset query int false "Offset for pagination" default(0)
-// @Param beforeDate query string false "Filter logs created before this date (RFC3339 format)" format(date-time)
-// @Success 200 {object} GetAuditLogsResponse
-// @Failure 400 {object} map[string]string
-// @Failure 401 {object} map[string]string
-// @Failure 403 {object} map[string]string
-// @Router /audit-logs/users/{userId} [get]
-func (c *AuditLogController) GetUserAuditLogs(ctx *gin.Context) {
-user, isOk := ctx.MustGet("user").(\*user_models.User)
-if !isOk {
-ctx.JSON(http.StatusInternalServerError, gin.H{"error": "Invalid user type in context"})
-return
-}
-
-    userIDStr := ctx.Param("userId")
-    targetUserID, err := uuid.Parse(userIDStr)
-    if err != nil {
-    	ctx.JSON(http.StatusBadRequest, gin.H{"error": "Invalid user ID"})
-    	return
-    }
-
-    request := &GetAuditLogsRequest{}
-    if err := ctx.ShouldBindQuery(request); err != nil {
-    	ctx.JSON(http.StatusBadRequest, gin.H{"error": "Invalid query parameters"})
-    	return
-    }
-
-    response, err := c.auditLogService.GetUserAuditLogs(targetUserID, user, request)
-    if err != nil {
-    	if err.Error() == "insufficient permissions to view user audit logs" {
-    		ctx.JSON(http.StatusForbidden, gin.H{"error": err.Error()})
-    		return
-    	}
-    	ctx.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to retrieve audit logs"})
-    	return
-    }
-
-    ctx.JSON(http.StatusOK, response)
-
-}

backend/.cursor/rules/crud.mdc

@@ -1,671 +0,0 @@
----
-alwaysApply: false
----
-
-This is example of CRUD:
-
------- backend/internal/features/audit_logs/controller.go ------
-
-```
-package audit_logs
-
-import (
-	"net/http"
-
-	user_models "postgresus/internal/features/users/models"
-
-	"github.com/gin-gonic/gin"
-	"github.com/google/uuid"
-)
-
-type AuditLogController struct {
-	auditLogService *AuditLogService
-}
-
-func (c *AuditLogController) RegisterRoutes(router *gin.RouterGroup) {
-	// All audit log endpoints require authentication (handled in main.go)
-	auditRoutes := router.Group("/audit-logs")
-
-	auditRoutes.GET("/global", c.GetGlobalAuditLogs)
-	auditRoutes.GET("/users/:userId", c.GetUserAuditLogs)
-}
-
-// GetGlobalAuditLogs
-// @Summary Get global audit logs (ADMIN only)
-// @Description Retrieve all audit logs across the system
-// @Tags audit-logs
-// @Accept json
-// @Produce json
-// @Security BearerAuth
-// @Param limit query int false "Limit number of results" default(100)
-// @Param offset query int false "Offset for pagination" default(0)
-// @Param beforeDate query string false "Filter logs created before this date (RFC3339 format)" format(date-time)
-// @Success 200 {object} GetAuditLogsResponse
-// @Failure 401 {object} map[string]string
-// @Failure 403 {object} map[string]string
-// @Router /audit-logs/global [get]
-func (c *AuditLogController) GetGlobalAuditLogs(ctx *gin.Context) {
-	user, isOk := ctx.MustGet("user").(*user_models.User)
-	if !isOk {
-		ctx.JSON(http.StatusInternalServerError, gin.H{"error": "Invalid user type in context"})
-		return
-	}
-
-	request := &GetAuditLogsRequest{}
-	if err := ctx.ShouldBindQuery(request); err != nil {
-		ctx.JSON(http.StatusBadRequest, gin.H{"error": "Invalid query parameters"})
-		return
-	}
-
-	response, err := c.auditLogService.GetGlobalAuditLogs(user, request)
-	if err != nil {
-		if err.Error() == "only administrators can view global audit logs" {
-			ctx.JSON(http.StatusForbidden, gin.H{"error": err.Error()})
-			return
-		}
-		ctx.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to retrieve audit logs"})
-		return
-	}
-
-	ctx.JSON(http.StatusOK, response)
-}
-
-// GetUserAuditLogs
-// @Summary Get user audit logs
-// @Description Retrieve audit logs for a specific user
-// @Tags audit-logs
-// @Accept json
-// @Produce json
-// @Security BearerAuth
-// @Param userId path string true "User ID"
-// @Param limit query int false "Limit number of results" default(100)
-// @Param offset query int false "Offset for pagination" default(0)
-// @Param beforeDate query string false "Filter logs created before this date (RFC3339 format)" format(date-time)
-// @Success 200 {object} GetAuditLogsResponse
-// @Failure 400 {object} map[string]string
-// @Failure 401 {object} map[string]string
-// @Failure 403 {object} map[string]string
-// @Router /audit-logs/users/{userId} [get]
-func (c *AuditLogController) GetUserAuditLogs(ctx *gin.Context) {
-	user, isOk := ctx.MustGet("user").(*user_models.User)
-	if !isOk {
-		ctx.JSON(http.StatusInternalServerError, gin.H{"error": "Invalid user type in context"})
-		return
-	}
-
-	userIDStr := ctx.Param("userId")
-	targetUserID, err := uuid.Parse(userIDStr)
-	if err != nil {
-		ctx.JSON(http.StatusBadRequest, gin.H{"error": "Invalid user ID"})
-		return
-	}
-
-	request := &GetAuditLogsRequest{}
-	if err := ctx.ShouldBindQuery(request); err != nil {
-		ctx.JSON(http.StatusBadRequest, gin.H{"error": "Invalid query parameters"})
-		return
-	}
-
-	response, err := c.auditLogService.GetUserAuditLogs(targetUserID, user, request)
-	if err != nil {
-		if err.Error() == "insufficient permissions to view user audit logs" {
-			ctx.JSON(http.StatusForbidden, gin.H{"error": err.Error()})
-			return
-		}
-		ctx.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to retrieve audit logs"})
-		return
-	}
-
-	ctx.JSON(http.StatusOK, response)
-}
-
-```
-
------- backend/internal/features/audit_logs/controller_test.go ------
-
-```
-package audit_logs
-
-import (
-	"fmt"
-	"net/http"
-	"testing"
-	"time"
-
-	user_enums "postgresus/internal/features/users/enums"
-	users_middleware "postgresus/internal/features/users/middleware"
-	users_services "postgresus/internal/features/users/services"
-	users_testing "postgresus/internal/features/users/testing"
-	"postgresus/internal/storage"
-	test_utils "postgresus/internal/util/testing"
-
-	"github.com/gin-gonic/gin"
-	"github.com/google/uuid"
-	"github.com/stretchr/testify/assert"
-)
-
-func Test_GetGlobalAuditLogs_AdminSucceedsAndMemberGetsForbidden(t *testing.T) {
-	adminUser := users_testing.CreateTestUser(user_enums.UserRoleAdmin)
-	memberUser := users_testing.CreateTestUser(user_enums.UserRoleMember)
-	router := createRouter()
-	service := GetAuditLogService()
-	projectID := uuid.New()
-
-	// Create test logs
-	createAuditLog(service, "Test log with user", &adminUser.UserID, nil)
-	createAuditLog(service, "Test log with project", nil, &projectID)
-	createAuditLog(service, "Test log standalone", nil, nil)
-
-	// Test ADMIN can access global logs
-	var response GetAuditLogsResponse
-	test_utils.MakeGetRequestAndUnmarshal(t, router,
-		"/api/v1/audit-logs/global?limit=10", "Bearer "+adminUser.Token, http.StatusOK, &response)
-
-	assert.GreaterOrEqual(t, len(response.AuditLogs), 3)
-	assert.GreaterOrEqual(t, response.Total, int64(3))
-
-	messages := extractMessages(response.AuditLogs)
-	assert.Contains(t, messages, "Test log with user")
-	assert.Contains(t, messages, "Test log with project")
-	assert.Contains(t, messages, "Test log standalone")
-
-	// Test MEMBER cannot access global logs
-	resp := test_utils.MakeGetRequest(t, router, "/api/v1/audit-logs/global",
-		"Bearer "+memberUser.Token, http.StatusForbidden)
-	assert.Contains(t, string(resp.Body), "only administrators can view global audit logs")
-}
-
-func Test_GetUserAuditLogs_PermissionsEnforcedCorrectly(t *testing.T) {
-	adminUser := users_testing.CreateTestUser(user_enums.UserRoleAdmin)
-	user1 := users_testing.CreateTestUser(user_enums.UserRoleMember)
-	user2 := users_testing.CreateTestUser(user_enums.UserRoleMember)
-	router := createRouter()
-	service := GetAuditLogService()
-	projectID := uuid.New()
-
-	// Create test logs for different users
-	createAuditLog(service, "Test log user1 first", &user1.UserID, nil)
-	createAuditLog(service, "Test log user1 second", &user1.UserID, &projectID)
-	createAuditLog(service, "Test log user2 first", &user2.UserID, nil)
-	createAuditLog(service, "Test log user2 second", &user2.UserID, &projectID)
-	createAuditLog(service, "Test project log", nil, &projectID)
-
-	// Test ADMIN can view any user's logs
-	var user1Response GetAuditLogsResponse
-	test_utils.MakeGetRequestAndUnmarshal(t, router,
-		fmt.Sprintf("/api/v1/audit-logs/users/%s?limit=10", user1.UserID.String()),
-		"Bearer "+adminUser.Token, http.StatusOK, &user1Response)
-
-	assert.Equal(t, 2, len(user1Response.AuditLogs))
-	messages := extractMessages(user1Response.AuditLogs)
-	assert.Contains(t, messages, "Test log user1 first")
-	assert.Contains(t, messages, "Test log user1 second")
-
-	// Test user can view own logs
-	var ownLogsResponse GetAuditLogsResponse
-	test_utils.MakeGetRequestAndUnmarshal(t, router,
-		fmt.Sprintf("/api/v1/audit-logs/users/%s", user2.UserID.String()),
-		"Bearer "+user2.Token, http.StatusOK, &ownLogsResponse)
-	assert.Equal(t, 2, len(ownLogsResponse.AuditLogs))
-
-	// Test user cannot view other user's logs
-	resp := test_utils.MakeGetRequest(t, router,
-		fmt.Sprintf("/api/v1/audit-logs/users/%s", user1.UserID.String()),
-		"Bearer "+user2.Token, http.StatusForbidden)
-
-	assert.Contains(t, string(resp.Body), "insufficient permissions")
-}
-
-func Test_FilterAuditLogsByTime_ReturnsOnlyLogsBeforeDate(t *testing.T) {
-	adminUser := users_testing.CreateTestUser(user_enums.UserRoleAdmin)
-	router := createRouter()
-	service := GetAuditLogService()
-	db := storage.GetDb()
-	baseTime := time.Now().UTC()
-
-	// Create logs with different timestamps
-	createTimedLog(db, &adminUser.UserID, "Test old log", baseTime.Add(-2*time.Hour))
-	createTimedLog(db, &adminUser.UserID, "Test recent log", baseTime.Add(-30*time.Minute))
-	createAuditLog(service, "Test current log", &adminUser.UserID, nil)
-
-	// Test filtering - get logs before 1 hour ago
-	beforeTime := baseTime.Add(-1 * time.Hour)
-	var filteredResponse GetAuditLogsResponse
-	test_utils.MakeGetRequestAndUnmarshal(t, router,
-		fmt.Sprintf("/api/v1/audit-logs/global?beforeDate=%s", beforeTime.Format(time.RFC3339)),
-		"Bearer "+adminUser.Token, http.StatusOK, &filteredResponse)
-
-	// Verify only old log is returned
-	messages := extractMessages(filteredResponse.AuditLogs)
-	assert.Contains(t, messages, "Test old log")
-	assert.NotContains(t, messages, "Test recent log")
-	assert.NotContains(t, messages, "Test current log")
-
-	// Test without filter - should get all logs
-	var allResponse GetAuditLogsResponse
-	test_utils.MakeGetRequestAndUnmarshal(t, router, "/api/v1/audit-logs/global",
-		"Bearer "+adminUser.Token, http.StatusOK, &allResponse)
-	assert.GreaterOrEqual(t, len(allResponse.AuditLogs), 3)
-}
-
-func createRouter() *gin.Engine {
-	gin.SetMode(gin.TestMode)
-	router := gin.New()
-	SetupDependencies()
-
-	v1 := router.Group("/api/v1")
-	protected := v1.Group("").Use(users_middleware.AuthMiddleware(users_services.GetUserService()))
-	GetAuditLogController().RegisterRoutes(protected.(*gin.RouterGroup))
-
-	return router
-}
-
-```
-
------- backend/internal/features/audit_logs/di.go ------
-
-```
-package audit_logs
-
-import (
-	users_services "postgresus/internal/features/users/services"
-	"postgresus/internal/util/logger"
-)
-
-var auditLogRepository = &AuditLogRepository{}
-var auditLogService = &AuditLogService{
-	auditLogRepository: auditLogRepository,
-	logger:             logger.GetLogger(),
-}
-var auditLogController = &AuditLogController{
-	auditLogService: auditLogService,
-}
-
-func GetAuditLogService() *AuditLogService {
-	return auditLogService
-}
-
-func GetAuditLogController() *AuditLogController {
-	return auditLogController
-}
-
-func SetupDependencies() {
-	users_services.GetUserService().SetAuditLogWriter(auditLogService)
-	users_services.GetSettingsService().SetAuditLogWriter(auditLogService)
-	users_services.GetManagementService().SetAuditLogWriter(auditLogService)
-}
-
-```
-
------- backend/internal/features/audit_logs/dto.go ------
-
-```
-package audit_logs
-
-import "time"
-
-type GetAuditLogsRequest struct {
-	Limit      int        `form:"limit"      json:"limit"`
-	Offset     int        `form:"offset"     json:"offset"`
-	BeforeDate *time.Time `form:"beforeDate" json:"beforeDate"`
-}
-
-type GetAuditLogsResponse struct {
-	AuditLogs []*AuditLog `json:"auditLogs"`
-	Total     int64       `json:"total"`
-	Limit     int         `json:"limit"`
-	Offset    int         `json:"offset"`
-}
-
-```
-
------- backend/internal/features/audit_logs/models.go ------
-
-```
-package audit_logs
-
-import (
-	"time"
-
-	"github.com/google/uuid"
-)
-
-type AuditLog struct {
-	ID        uuid.UUID  `json:"id"        gorm:"column:id"`
-	UserID    *uuid.UUID `json:"userId"    gorm:"column:user_id"`
-	ProjectID *uuid.UUID `json:"projectId" gorm:"column:project_id"`
-	Message   string     `json:"message"   gorm:"column:message"`
-	CreatedAt time.Time  `json:"createdAt" gorm:"column:created_at"`
-}
-
-func (AuditLog) TableName() string {
-	return "audit_logs"
-}
-
-```
-
------- backend/internal/features/audit_logs/repository.go ------
-
-```
-package audit_logs
-
-import (
-	"postgresus/internal/storage"
-	"time"
-
-	"github.com/google/uuid"
-)
-
-type AuditLogRepository struct{}
-
-func (r *AuditLogRepository) Create(auditLog *AuditLog) error {
-	if auditLog.ID == uuid.Nil {
-		auditLog.ID = uuid.New()
-	}
-
-	return storage.GetDb().Create(auditLog).Error
-}
-
-func (r *AuditLogRepository) GetGlobal(limit, offset int, beforeDate *time.Time) ([]*AuditLog, error) {
-	var auditLogs []*AuditLog
-
-	query := storage.GetDb().Order("created_at DESC")
-
-	if beforeDate != nil {
-		query = query.Where("created_at < ?", *beforeDate)
-	}
-
-	err := query.
-		Limit(limit).
-		Offset(offset).
-		Find(&auditLogs).Error
-
-	return auditLogs, err
-}
-
-func (r *AuditLogRepository) GetByUser(
-	userID uuid.UUID,
-	limit, offset int,
-	beforeDate *time.Time,
-) ([]*AuditLog, error) {
-	var auditLogs []*AuditLog
-
-	query := storage.GetDb().
-		Where("user_id = ?", userID).
-		Order("created_at DESC")
-
-	if beforeDate != nil {
-		query = query.Where("created_at < ?", *beforeDate)
-	}
-
-	err := query.
-		Limit(limit).
-		Offset(offset).
-		Find(&auditLogs).Error
-
-	return auditLogs, err
-}
-
-func (r *AuditLogRepository) GetByProject(
-	projectID uuid.UUID,
-	limit, offset int,
-	beforeDate *time.Time,
-) ([]*AuditLog, error) {
-	var auditLogs []*AuditLog
-
-	query := storage.GetDb().
-		Where("project_id = ?", projectID).
-		Order("created_at DESC")
-
-	if beforeDate != nil {
-		query = query.Where("created_at < ?", *beforeDate)
-	}
-
-	err := query.
-		Limit(limit).
-		Offset(offset).
-		Find(&auditLogs).Error
-
-	return auditLogs, err
-}
-
-func (r *AuditLogRepository) CountGlobal(beforeDate *time.Time) (int64, error) {
-	var count int64
-	query := storage.GetDb().Model(&AuditLog{})
-
-	if beforeDate != nil {
-		query = query.Where("created_at < ?", *beforeDate)
-	}
-
-	err := query.Count(&count).Error
-	return count, err
-}
-
-```
-
------- backend/internal/features/audit_logs/service.go ------
-
-```
-package audit_logs
-
-import (
-	"errors"
-	"log/slog"
-	"time"
-
-	user_enums "postgresus/internal/features/users/enums"
-	user_models "postgresus/internal/features/users/models"
-
-	"github.com/google/uuid"
-)
-
-type AuditLogService struct {
-	auditLogRepository *AuditLogRepository
-	logger             *slog.Logger
-}
-
-func (s *AuditLogService) WriteAuditLog(
-	message string,
-	userID *uuid.UUID,
-	projectID *uuid.UUID,
-) {
-	auditLog := &AuditLog{
-		UserID:    userID,
-		ProjectID: projectID,
-		Message:   message,
-		CreatedAt: time.Now().UTC(),
-	}
-
-	err := s.auditLogRepository.Create(auditLog)
-	if err != nil {
-		s.logger.Error("failed to create audit log", "error", err)
-		return
-	}
-}
-
-func (s *AuditLogService) CreateAuditLog(auditLog *AuditLog) error {
-	return s.auditLogRepository.Create(auditLog)
-}
-
-func (s *AuditLogService) GetGlobalAuditLogs(
-	user *user_models.User,
-	request *GetAuditLogsRequest,
-) (*GetAuditLogsResponse, error) {
-	if user.Role != user_enums.UserRoleAdmin {
-		return nil, errors.New("only administrators can view global audit logs")
-	}
-
-	limit := request.Limit
-	if limit <= 0 || limit > 1000 {
-		limit = 100
-	}
-
-	offset := max(request.Offset, 0)
-
-	auditLogs, err := s.auditLogRepository.GetGlobal(limit, offset, request.BeforeDate)
-	if err != nil {
-		return nil, err
-	}
-
-	total, err := s.auditLogRepository.CountGlobal(request.BeforeDate)
-	if err != nil {
-		return nil, err
-	}
-
-	return &GetAuditLogsResponse{
-		AuditLogs: auditLogs,
-		Total:     total,
-		Limit:     limit,
-		Offset:    offset,
-	}, nil
-}
-
-func (s *AuditLogService) GetUserAuditLogs(
-	targetUserID uuid.UUID,
-	user *user_models.User,
-	request *GetAuditLogsRequest,
-) (*GetAuditLogsResponse, error) {
-	// Users can view their own logs, ADMIN can view any user's logs
-	if user.Role != user_enums.UserRoleAdmin && user.ID != targetUserID {
-		return nil, errors.New("insufficient permissions to view user audit logs")
-	}
-
-	limit := request.Limit
-	if limit <= 0 || limit > 1000 {
-		limit = 100
-	}
-
-	offset := max(request.Offset, 0)
-
-	auditLogs, err := s.auditLogRepository.GetByUser(targetUserID, limit, offset, request.BeforeDate)
-	if err != nil {
-		return nil, err
-	}
-
-	return &GetAuditLogsResponse{
-		AuditLogs: auditLogs,
-		Total:     int64(len(auditLogs)),
-		Limit:     limit,
-		Offset:    offset,
-	}, nil
-}
-
-func (s *AuditLogService) GetProjectAuditLogs(
-	projectID uuid.UUID,
-	request *GetAuditLogsRequest,
-) (*GetAuditLogsResponse, error) {
-	limit := request.Limit
-	if limit <= 0 || limit > 1000 {
-		limit = 100
-	}
-
-	offset := max(request.Offset, 0)
-
-	auditLogs, err := s.auditLogRepository.GetByProject(projectID, limit, offset, request.BeforeDate)
-	if err != nil {
-		return nil, err
-	}
-
-	return &GetAuditLogsResponse{
-		AuditLogs: auditLogs,
-		Total:     int64(len(auditLogs)),
-		Limit:     limit,
-		Offset:    offset,
-	}, nil
-}
-
-```
-
------- backend/internal/features/audit_logs/service_test.go ------
-
-```
-package audit_logs
-
-import (
-	"testing"
-	"time"
-
-	user_enums "postgresus/internal/features/users/enums"
-	users_testing "postgresus/internal/features/users/testing"
-
-	"github.com/google/uuid"
-	"github.com/stretchr/testify/assert"
-	"gorm.io/gorm"
-)
-
-func Test_AuditLogs_ProjectSpecificLogs(t *testing.T) {
-	service := GetAuditLogService()
-	user1 := users_testing.CreateTestUser(user_enums.UserRoleMember)
-	user2 := users_testing.CreateTestUser(user_enums.UserRoleMember)
-	project1ID, project2ID := uuid.New(), uuid.New()
-
-	// Create test logs for projects
-	createAuditLog(service, "Test project1 log first", &user1.UserID, &project1ID)
-	createAuditLog(service, "Test project1 log second", &user2.UserID, &project1ID)
-	createAuditLog(service, "Test project2 log first", &user1.UserID, &project2ID)
-	createAuditLog(service, "Test project2 log second", &user2.UserID, &project2ID)
-	createAuditLog(service, "Test no project log", &user1.UserID, nil)
-
-	request := &GetAuditLogsRequest{Limit: 10, Offset: 0}
-
-	// Test project 1 logs
-	project1Response, err := service.GetProjectAuditLogs(project1ID, request)
-	assert.NoError(t, err)
-	assert.Equal(t, 2, len(project1Response.AuditLogs))
-
-	messages := extractMessages(project1Response.AuditLogs)
-	assert.Contains(t, messages, "Test project1 log first")
-	assert.Contains(t, messages, "Test project1 log second")
-	for _, log := range project1Response.AuditLogs {
-		assert.Equal(t, &project1ID, log.ProjectID)
-	}
-
-	// Test project 2 logs
-	project2Response, err := service.GetProjectAuditLogs(project2ID, request)
-	assert.NoError(t, err)
-	assert.Equal(t, 2, len(project2Response.AuditLogs))
-
-	messages2 := extractMessages(project2Response.AuditLogs)
-	assert.Contains(t, messages2, "Test project2 log first")
-	assert.Contains(t, messages2, "Test project2 log second")
-
-	// Test pagination
-	limitedResponse, err := service.GetProjectAuditLogs(project1ID,
-		&GetAuditLogsRequest{Limit: 1, Offset: 0})
-	assert.NoError(t, err)
-	assert.Equal(t, 1, len(limitedResponse.AuditLogs))
-	assert.Equal(t, 1, limitedResponse.Limit)
-
-	// Test beforeDate filter
-	beforeTime := time.Now().UTC().Add(-1 * time.Minute)
-	filteredResponse, err := service.GetProjectAuditLogs(project1ID,
-		&GetAuditLogsRequest{Limit: 10, BeforeDate: &beforeTime})
-	assert.NoError(t, err)
-	for _, log := range filteredResponse.AuditLogs {
-		assert.True(t, log.CreatedAt.Before(beforeTime))
-	}
-}
-
-func createAuditLog(service *AuditLogService, message string, userID, projectID *uuid.UUID) {
-	service.WriteAuditLog(message, userID, projectID)
-}
-
-func extractMessages(logs []*AuditLog) []string {
-	messages := make([]string, len(logs))
-	for i, log := range logs {
-		messages[i] = log.Message
-	}
-	return messages
-}
-
-func createTimedLog(db *gorm.DB, userID *uuid.UUID, message string, createdAt time.Time) {
-	log := &AuditLog{
-		ID:        uuid.New(),
-		UserID:    userID,
-		Message:   message,
-		CreatedAt: createdAt,
-	}
-	db.Create(log)
-}
-
-```

backend/.cursor/rules/di-rule.mdc

@@ -1,74 +0,0 @@
----
-description: 
-globs: 
-alwaysApply: true
----
-For DI files use implicit fields declaration styles (espesially
-for controllers, services, repositories, use cases, etc., not simple
-data structures).
-
-So, instead of:
-
-var orderController = &OrderController{
-    orderService:   orderService,
-    botUserService: bot_users.GetBotUserService(),
-    botService:     bots.GetBotService(),
-    userService:    users.GetUserService(),
-}
-
-Use:
-
-var orderController = &OrderController{
-    orderService,
-    bot_users.GetBotUserService(),
-    bots.GetBotService(),
-    users.GetUserService(),
-}
-
-This is needed to avoid forgetting to update DI style
-when we add new dependency.
-
----
-
-Please force such usage if file look like this (see some
-services\controllers\repos definitions and getters):
-
-var orderBackgroundService = &OrderBackgroundService{
-	orderService:           orderService,
-	orderPaymentRepository: orderPaymentRepository,
-	botService:             bots.GetBotService(),
-	paymentSettingsService: payment_settings.GetPaymentSettingsService(),
-
-	orderSubscriptionListeners: []OrderSubscriptionListener{},
-}
-
-var orderController = &OrderController{
-	orderService:   orderService,
-	botUserService: bot_users.GetBotUserService(),
-	botService:     bots.GetBotService(),
-	userService:    users.GetUserService(),
-}
-
-func GetUniquePaymentRepository() *repositories.UniquePaymentRepository {
-	return uniquePaymentRepository
-}
-
-func GetOrderPaymentRepository() *repositories.OrderPaymentRepository {
-	return orderPaymentRepository
-}
-
-func GetOrderService() *OrderService {
-	return orderService
-}
-
-func GetOrderController() *OrderController {
-	return orderController
-}
-
-func GetOrderBackgroundService() *OrderBackgroundService {
-	return orderBackgroundService
-}
-
-func GetOrderRepository() *repositories.OrderRepository {
-	return orderRepository
-}

backend/.cursor/rules/migrations-rule.mdc

@@ -1,27 +0,0 @@
----
-description: 
-globs: 
-alwaysApply: true
----
-When writting migrations:
-
-- write them for PostgreSQL
-- for PRIMARY UUID keys use gen_random_uuid()
-- for time use TIMESTAMPTZ (timestamp with zone)
-- split table, constraint and indexes declaration (table first, them other one by one)
-- format SQL in pretty way (add spaces, align columns types), constraints split by lines. The example:
-
-CREATE TABLE marketplace_info (
-    bot_id            UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-    title             TEXT NOT NULL,
-    description       TEXT NOT NULL,
-    short_description TEXT NOT NULL,
-    tutorial_url      TEXT,
-    info_order        BIGINT NOT NULL DEFAULT 0,
-    is_published      BOOLEAN NOT NULL DEFAULT FALSE
-);
-
-ALTER TABLE marketplace_info_images
-    ADD CONSTRAINT fk_marketplace_info_images_bot_id
-    FOREIGN KEY (bot_id)
-    REFERENCES marketplace_info (bot_id);

backend/.cursor/rules/refactor.mdc

@@ -1,12 +0,0 @@
----
-description:
-globs:
-alwaysApply: true
----
-
-When applying changes, do not forget to refactor old code.
-
-You can shortify, make more readable, improve code quality, etc.
-Common logic can be extracted to functions, constants, files, etc.
-
-After each large change with more than ~50-100 lines of code - always run `make lint` (from backend root folder) and, if you change frontend, run `npm run format` (from frontend root folder).

backend/.cursor/rules/tests.mdc

@@ -1,147 +0,0 @@
----
-description:
-globs:
-alwaysApply: true
----
-
-After writing tests, always launch them and verify that they pass.
-
-## Test Naming Format
-
-Use these naming patterns:
-
-- `Test_WhatWeDo_WhatWeExpect`
-- `Test_WhatWeDo_WhichConditions_WhatWeExpect`
-
-## Examples from Real Codebase:
-
-- `Test_CreateApiKey_WhenUserIsProjectOwner_ApiKeyCreated`
-- `Test_UpdateProject_WhenUserIsProjectAdmin_ProjectUpdated`
-- `Test_DeleteApiKey_WhenUserIsProjectMember_ReturnsForbidden`
-- `Test_GetProjectAuditLogs_WithDifferentUserRoles_EnforcesPermissionsCorrectly`
-- `Test_ProjectLifecycleE2E_CompletesSuccessfully`
-
-## Testing Philosophy
-
-**Prefer Controllers Over Unit Tests:**
-
-- Test through HTTP endpoints via controllers whenever possible
-- Avoid testing repositories, services in isolation - test via API instead
-- Only use unit tests for complex model logic when no API exists
-- Name test files `controller_test.go` or `service_test.go`, not `integration_test.go`
-
-**Extract Common Logic to Testing Utilities:**
-
-- Create `testing.go` or `testing/testing.go` files for shared test utilities
-- Extract router creation, user setup, models creation helpers (in API, not just structs creation)
-- Reuse common patterns across different test files
-
-**Refactor Existing Tests:**
-
-- When working with existing tests, always look for opportunities to refactor and improve
-- Extract repetitive setup code to common utilities
-- Simplify complex tests by breaking them into smaller, focused tests
-- Replace inline test data creation with reusable helper functions
-- Consolidate similar test patterns across different test files
-- Make tests more readable and maintainable for other developers
-
-## Testing Utilities Structure
-
-**Create `testing.go` or `testing/testing.go` files with common utilities:**
-
-```go
-package projects_testing
-
-// CreateTestRouter creates unified router for all controllers
-func CreateTestRouter(controllers ...ControllerInterface) *gin.Engine {
-	gin.SetMode(gin.TestMode)
-	router := gin.New()
-	v1 := router.Group("/api/v1")
-	protected := v1.Group("").Use(users_middleware.AuthMiddleware(users_services.GetUserService()))
-
-	for _, controller := range controllers {
-		if routerGroup, ok := protected.(*gin.RouterGroup); ok {
-			controller.RegisterRoutes(routerGroup)
-		}
-	}
-	return router
-}
-
-// CreateTestProjectViaAPI creates project through HTTP API
-func CreateTestProjectViaAPI(name string, owner *users_dto.SignInResponseDTO, router *gin.Engine) (*projects_models.Project, string) {
-	request := projects_dto.CreateProjectRequestDTO{Name: name}
-	w := MakeAPIRequest(router, "POST", "/api/v1/projects", "Bearer "+owner.Token, request)
-	// Handle response...
-	return project, owner.Token
-}
-
-// AddMemberToProject adds member via API call
-func AddMemberToProject(project *projects_models.Project, member *users_dto.SignInResponseDTO, role users_enums.ProjectRole, ownerToken string, router *gin.Engine) {
-	// Implementation...
-}
-```
-
-## Controller Test Examples
-
-**Permission-based testing:**
-
-```go
-func Test_CreateApiKey_WhenUserIsProjectOwner_ApiKeyCreated(t *testing.T) {
-	router := CreateApiKeyTestRouter(GetProjectController(), GetMembershipController())
-	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
-	project, _ := projects_testing.CreateTestProjectViaAPI("Test Project", owner, router)
-
-	request := CreateApiKeyRequestDTO{Name: "Test API Key"}
-	var response ApiKey
-	test_utils.MakePostRequestAndUnmarshal(t, router, "/api/v1/projects/api-keys/"+project.ID.String(), "Bearer "+owner.Token, request, http.StatusOK, &response)
-
-	assert.Equal(t, "Test API Key", response.Name)
-	assert.NotEmpty(t, response.Token)
-}
-```
-
-**Cross-project security testing:**
-
-```go
-func Test_UpdateApiKey_WithApiKeyFromDifferentProject_ReturnsBadRequest(t *testing.T) {
-	router := CreateApiKeyTestRouter(GetProjectController(), GetMembershipController())
-	owner1 := users_testing.CreateTestUser(users_enums.UserRoleMember)
-	owner2 := users_testing.CreateTestUser(users_enums.UserRoleMember)
-	project1, _ := projects_testing.CreateTestProjectViaAPI("Project 1", owner1, router)
-	project2, _ := projects_testing.CreateTestProjectViaAPI("Project 2", owner2, router)
-
-	apiKey := CreateTestApiKey("Cross Project Key", project1.ID, owner1.Token, router)
-
-	// Try to update via different project endpoint
-	request := UpdateApiKeyRequestDTO{Name: &"Hacked Key"}
-	resp := test_utils.MakePutRequest(t, router, "/api/v1/projects/api-keys/"+project2.ID.String()+"/"+apiKey.ID.String(), "Bearer "+owner2.Token, request, http.StatusBadRequest)
-
-	assert.Contains(t, string(resp.Body), "API key does not belong to this project")
-}
-```
-
-**E2E lifecycle testing:**
-
-```go
-func Test_ProjectLifecycleE2E_CompletesSuccessfully(t *testing.T) {
-	router := projects_testing.CreateTestRouter(GetProjectController(), GetMembershipController())
-
-	// 1. Create project
-	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
-	project := projects_testing.CreateTestProject("E2E Project", owner, router)
-
-	// 2. Add member
-	member := users_testing.CreateTestUser(users_enums.UserRoleMember)
-	projects_testing.AddMemberToProject(project, member, users_enums.ProjectRoleMember, owner.Token, router)
-
-	// 3. Promote to admin
-	projects_testing.ChangeMemberRole(project, member.UserID, users_enums.ProjectRoleAdmin, owner.Token, router)
-
-	// 4. Transfer ownership
-	projects_testing.TransferProjectOwnership(project, member.UserID, owner.Token, router)
-
-	// 5. Verify new owner can manage project
-	finalProject := projects_testing.GetProject(project.ID, member.Token, router)
-	assert.Equal(t, project.ID, finalProject.ID)
-}
-```

backend/.cursor/rules/time-rule.mdc

@@ -1,6 +0,0 @@
----
-description: 
-globs: 
-alwaysApply: true
----
-Always use time.Now().UTC() instead of time.Now()

backend/.env.development.example

@@ -1,16 +1,32 @@
 # docker-compose.yml
-DEV_DB_NAME=postgresus
+DEV_DB_NAME=databasus
 DEV_DB_USERNAME=postgres
 DEV_DB_PASSWORD=Q1234567
-#app
+# app
 ENV_MODE=development
+# logging
+SHOW_DB_INSTALLATION_VERIFICATION_LOGS=true
+VICTORIA_LOGS_URL=http://localhost:9428
+VICTORIA_LOGS_PASSWORD=devpassword
+# tests
+TEST_LOCALHOST=localhost
+IS_SKIP_EXTERNAL_RESOURCES_TESTS=false
+# cloudflare turnstile
+CLOUDFLARE_TURNSTILE_SITE_KEY=
+CLOUDFLARE_TURNSTILE_SECRET_KEY=
 # db
-DATABASE_DSN=host=dev-db user=postgres password=Q1234567 dbname=postgresus port=5437 sslmode=disable
-DATABASE_URL=postgres://postgres:Q1234567@dev-db:5437/postgresus?sslmode=disable
+DATABASE_DSN=host=dev-db user=postgres password=Q1234567 dbname=databasus port=5437 sslmode=disable
+DATABASE_URL=postgres://postgres:Q1234567@dev-db:5437/databasus?sslmode=disable
 # migrations
 GOOSE_DRIVER=postgres
-GOOSE_DBSTRING=postgres://postgres:Q1234567@dev-db:5437/postgresus?sslmode=disable
+GOOSE_DBSTRING=postgres://postgres:Q1234567@dev-db:5437/databasus?sslmode=disable
 GOOSE_MIGRATION_DIR=./migrations
+# valkey
+VALKEY_HOST=127.0.0.1
+VALKEY_PORT=6379
+VALKEY_USERNAME=
+VALKEY_PASSWORD=
+VALKEY_IS_SSL=false
 # testing
 # to get Google Drive env variables: add storage in UI and copy data from added storage here 
 TEST_GOOGLE_DRIVE_CLIENT_ID=
@@ -67,4 +83,4 @@ TEST_MONGODB_44_PORT=27044
 TEST_MONGODB_50_PORT=27050
 TEST_MONGODB_60_PORT=27060
 TEST_MONGODB_70_PORT=27070
-TEST_MONGODB_80_PORT=27080
+TEST_MONGODB_82_PORT=27082

backend/.env.production.example

@@ -1,13 +1,19 @@
 # docker-compose.yml
-DEV_DB_NAME=postgresus
+DEV_DB_NAME=databasus
 DEV_DB_USERNAME=postgres
 DEV_DB_PASSWORD=Q1234567
 #app
 ENV_MODE=production
 # db
-DATABASE_DSN=host=localhost user=postgres password=Q1234567 dbname=postgresus port=5437 sslmode=disable
-DATABASE_URL=postgres://postgres:Q1234567@localhost:5437/postgresus?sslmode=disable
+DATABASE_DSN=host=localhost user=postgres password=Q1234567 dbname=databasus port=5437 sslmode=disable
+DATABASE_URL=postgres://postgres:Q1234567@localhost:5437/databasus?sslmode=disable
 # migrations
 GOOSE_DRIVER=postgres
-GOOSE_DBSTRING=postgres://postgres:Q1234567@localhost:5437/postgresus?sslmode=disable
-GOOSE_MIGRATION_DIR=./migrations
+GOOSE_DBSTRING=postgres://postgres:Q1234567@localhost:5437/databasus?sslmode=disable
+GOOSE_MIGRATION_DIR=./migrations
+# valkey
+VALKEY_HOST=127.0.0.1
+VALKEY_PORT=6379
+VALKEY_USERNAME=
+VALKEY_PASSWORD=
+VALKEY_IS_SSL=false

backend/.gitignore

@@ -12,7 +12,11 @@ swagger/docs.go
 swagger/swagger.json
 swagger/swagger.yaml
 postgresus-backend.exe
+databasus-backend.exe
 ui/build/*
 pgdata-for-restore/
 temp/
-cmd.exe
+cmd.exe
+temp/
+valkey-data/
+victoria-logs-data/

backend/Makefile

@@ -2,10 +2,10 @@ run:
 	go run cmd/main.go
 
 test:
-	go test -p=1 -count=1 -failfast -timeout 10m .\internal\...
+	go test -p=1 -count=1 -failfast -timeout 15m ./internal/...
 
 lint:
-	golangci-lint fmt && golangci-lint run
+	golangci-lint fmt ./cmd/... ./internal/... && golangci-lint run ./cmd/... ./internal/...
 
 migration-create:
 	goose create $(name) sql

backend/README.md

@@ -1,7 +1,7 @@
 # Before run
 
 Keep in mind: you need to use dev-db from docker-compose.yml in this folder
-instead of postgresus-db from docker-compose.yml in the root folder.
+instead of databasus-db from docker-compose.yml in the root folder.
 
 > Copy .env.example to .env
 > Copy docker-compose.yml.example to docker-compose.yml (for development only)

backend/cmd/main.go

@@ -12,27 +12,32 @@ import (
 	"syscall"
 	"time"
 
-	"postgresus-backend/internal/config"
-	"postgresus-backend/internal/features/audit_logs"
-	"postgresus-backend/internal/features/backups/backups"
-	backups_config "postgresus-backend/internal/features/backups/config"
-	"postgresus-backend/internal/features/databases"
-	"postgresus-backend/internal/features/disk"
-	"postgresus-backend/internal/features/encryption/secrets"
-	healthcheck_attempt "postgresus-backend/internal/features/healthcheck/attempt"
-	healthcheck_config "postgresus-backend/internal/features/healthcheck/config"
-	"postgresus-backend/internal/features/notifiers"
-	"postgresus-backend/internal/features/restores"
-	"postgresus-backend/internal/features/storages"
-	system_healthcheck "postgresus-backend/internal/features/system/healthcheck"
-	users_controllers "postgresus-backend/internal/features/users/controllers"
-	users_middleware "postgresus-backend/internal/features/users/middleware"
-	users_services "postgresus-backend/internal/features/users/services"
-	workspaces_controllers "postgresus-backend/internal/features/workspaces/controllers"
-	env_utils "postgresus-backend/internal/util/env"
-	files_utils "postgresus-backend/internal/util/files"
-	"postgresus-backend/internal/util/logger"
-	_ "postgresus-backend/swagger" // swagger docs
+	"databasus-backend/internal/config"
+	"databasus-backend/internal/features/audit_logs"
+	"databasus-backend/internal/features/backups/backups"
+	"databasus-backend/internal/features/backups/backups/backuping"
+	backups_download "databasus-backend/internal/features/backups/backups/download"
+	backups_config "databasus-backend/internal/features/backups/config"
+	"databasus-backend/internal/features/databases"
+	"databasus-backend/internal/features/disk"
+	"databasus-backend/internal/features/encryption/secrets"
+	healthcheck_attempt "databasus-backend/internal/features/healthcheck/attempt"
+	healthcheck_config "databasus-backend/internal/features/healthcheck/config"
+	"databasus-backend/internal/features/notifiers"
+	"databasus-backend/internal/features/restores"
+	"databasus-backend/internal/features/restores/restoring"
+	"databasus-backend/internal/features/storages"
+	system_healthcheck "databasus-backend/internal/features/system/healthcheck"
+	task_cancellation "databasus-backend/internal/features/tasks/cancellation"
+	users_controllers "databasus-backend/internal/features/users/controllers"
+	users_middleware "databasus-backend/internal/features/users/middleware"
+	users_services "databasus-backend/internal/features/users/services"
+	workspaces_controllers "databasus-backend/internal/features/workspaces/controllers"
+	cache_utils "databasus-backend/internal/util/cache"
+	env_utils "databasus-backend/internal/util/env"
+	files_utils "databasus-backend/internal/util/files"
+	"databasus-backend/internal/util/logger"
+	_ "databasus-backend/swagger" // swagger docs
 
 	"github.com/gin-contrib/cors"
 	"github.com/gin-contrib/gzip"
@@ -41,9 +46,9 @@ import (
 	ginSwagger "github.com/swaggo/gin-swagger"
 )
 
-// @title Postgresus Backend API
+// @title Databasus Backend API
 // @version 1.0
-// @description API for Postgresus
+// @description API for Databasus
 // @termsOfService http://swagger.io/terms/
 
 // @host localhost:4005
@@ -52,7 +57,23 @@ import (
 func main() {
 	log := logger.GetLogger()
 
-	runMigrations(log)
+	cache_utils.TestCacheConnection()
+
+	if config.GetEnv().IsPrimaryNode {
+		log.Info("Clearing cache...")
+
+		err := cache_utils.ClearAllCache()
+		if err != nil {
+			log.Error("Failed to clear cache", "error", err)
+			os.Exit(1)
+		}
+	}
+
+	if config.GetEnv().IsPrimaryNode {
+		runMigrations(log)
+	} else {
+		log.Info("Skipping migrations (IS_PRIMARY_NODE is false)")
+	}
 
 	// create directories that used for backups and restore
 	err := files_utils.EnsureDirectories([]string{
@@ -96,7 +117,9 @@ func main() {
 	enableCors(ginApp)
 	setUpRoutes(ginApp)
 	setUpDependencies()
+
 	runBackgroundTasks(log)
+
 	mountFrontend(ginApp)
 
 	startServerWithGracefulShutdown(log, ginApp)
@@ -162,6 +185,9 @@ func startServerWithGracefulShutdown(log *slog.Logger, app *gin.Engine) {
 	<-quit
 	log.Info("Shutdown signal received")
 
+	// Gracefully shutdown VictoriaLogs writer
+	logger.ShutdownVictoriaLogs(5 * time.Second)
+
 	// The context is used to inform the server it has 10 seconds to finish
 	// the request it is currently handling
 	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
@@ -183,6 +209,7 @@ func setUpRoutes(r *gin.Engine) {
 	userController := users_controllers.GetUserController()
 	userController.RegisterRoutes(v1)
 	system_healthcheck.GetHealthcheckController().RegisterRoutes(v1)
+	backups.GetBackupController().RegisterPublicRoutes(v1)
 
 	// Setup auth middleware
 	userService := users_services.GetUserService()
@@ -217,27 +244,81 @@ func setUpDependencies() {
 	audit_logs.SetupDependencies()
 	notifiers.SetupDependencies()
 	storages.SetupDependencies()
+	backups_config.SetupDependencies()
+	task_cancellation.SetupDependencies()
 }
 
 func runBackgroundTasks(log *slog.Logger) {
 	log.Info("Preparing to run background tasks...")
 
+	// Create context that will be cancelled on shutdown
+	ctx, cancel := context.WithCancel(context.Background())
+
+	// Set up signal handling for graceful shutdown
+	quit := make(chan os.Signal, 1)
+	signal.Notify(quit, os.Interrupt, syscall.SIGTERM)
+	go func() {
+		<-quit
+		log.Info("Shutdown signal received, cancelling all background tasks")
+		cancel()
+	}()
+
 	err := files_utils.CleanFolder(config.GetEnv().TempFolder)
 	if err != nil {
 		log.Error("Failed to clean temp folder", "error", err)
 	}
 
-	go runWithPanicLogging(log, "backup background service", func() {
-		backups.GetBackupBackgroundService().Run()
-	})
+	if config.GetEnv().IsPrimaryNode {
+		log.Info("Starting primary node background tasks...")
 
-	go runWithPanicLogging(log, "restore background service", func() {
-		restores.GetRestoreBackgroundService().Run()
-	})
+		go runWithPanicLogging(log, "backup background service", func() {
+			backuping.GetBackupsScheduler().Run(ctx)
+		})
 
-	go runWithPanicLogging(log, "healthcheck attempt background service", func() {
-		healthcheck_attempt.GetHealthcheckAttemptBackgroundService().Run()
-	})
+		go runWithPanicLogging(log, "backup cleaner background service", func() {
+			backuping.GetBackupCleaner().Run(ctx)
+		})
+
+		go runWithPanicLogging(log, "restore background service", func() {
+			restoring.GetRestoresScheduler().Run(ctx)
+		})
+
+		go runWithPanicLogging(log, "healthcheck attempt background service", func() {
+			healthcheck_attempt.GetHealthcheckAttemptBackgroundService().Run(ctx)
+		})
+
+		go runWithPanicLogging(log, "audit log cleanup background service", func() {
+			audit_logs.GetAuditLogBackgroundService().Run(ctx)
+		})
+
+		go runWithPanicLogging(log, "download token cleanup background service", func() {
+			backups_download.GetDownloadTokenBackgroundService().Run(ctx)
+		})
+
+		go runWithPanicLogging(log, "backup nodes registry background service", func() {
+			backuping.GetBackupNodesRegistry().Run(ctx)
+		})
+
+		go runWithPanicLogging(log, "restore nodes registry background service", func() {
+			restoring.GetRestoreNodesRegistry().Run(ctx)
+		})
+	} else {
+		log.Info("Skipping primary node tasks as not primary node")
+	}
+
+	if config.GetEnv().IsProcessingNode {
+		log.Info("Starting backup node background tasks...")
+
+		go runWithPanicLogging(log, "backup node", func() {
+			backuping.GetBackuperNode().Run(ctx)
+		})
+
+		go runWithPanicLogging(log, "restore node", func() {
+			restoring.GetRestorerNode().Run(ctx)
+		})
+	} else {
+		log.Info("Skipping backup/restore node tasks as not backup node")
+	}
 }
 
 func runWithPanicLogging(log *slog.Logger, serviceName string, fn func()) {
@@ -280,16 +361,13 @@ func generateSwaggerDocs(log *slog.Logger) {
 func runMigrations(log *slog.Logger) {
 	log.Info("Running database migrations...")
 
-	cmd := exec.Command("goose", "up")
+	cmd := exec.Command("goose", "-dir", "./migrations", "up")
 	cmd.Env = append(
 		os.Environ(),
 		"GOOSE_DRIVER=postgres",
 		"GOOSE_DBSTRING="+config.GetEnv().DatabaseDsn,
 	)
 
-	// Set the working directory to where migrations are located
-	cmd.Dir = "./migrations"
-
 	output, err := cmd.CombinedOutput()
 	if err != nil {
 		log.Error("Failed to run migrations", "error", err, "output", string(output))

backend/docker-compose.yml.example

@@ -19,6 +19,35 @@ services:
     command: -p 5437
     shm_size: 10gb
 
+  # Valkey for caching
+  dev-valkey:
+    image: valkey/valkey:9.0.1-alpine
+    ports:
+      - "${VALKEY_PORT:-6379}:6379"
+    volumes:
+      - ./valkey-data:/data
+    container_name: dev-valkey
+    healthcheck:
+      test: ["CMD", "valkey-cli", "ping"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+      start_period: 20s
+
+  # VictoriaLogs for external logging
+  victoria-logs:
+    image: victoriametrics/victoria-logs:latest
+    container_name: victoria-logs
+    ports:
+      - "9428:9428"
+    command:
+      - -storageDataPath=/victoria-logs-data
+      - -retentionPeriod=7d
+      - -httpAuth.password=devpassword
+    volumes:
+      - ./victoria-logs-data:/victoria-logs-data
+    restart: unless-stopped
+
   # Test MinIO container
   test-minio:
     image: minio/minio:latest
@@ -213,6 +242,25 @@ services:
       timeout: 5s
       retries: 10
 
+  test-mysql-90:
+    image: mysql:9.5
+    ports:
+      - "${TEST_MYSQL_90_PORT:-33090}:3306"
+    environment:
+      - MYSQL_ROOT_PASSWORD=rootpassword
+      - MYSQL_DATABASE=testdb
+      - MYSQL_USER=testuser
+      - MYSQL_PASSWORD=testpassword
+    command: --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci
+    volumes:
+      - ./mysqldata/mysql-90:/var/lib/mysql
+    container_name: test-mysql-90
+    healthcheck:
+      test: ["CMD", "mysqladmin", "ping", "-h", "localhost", "-u", "root", "-prootpassword"]
+      interval: 5s
+      timeout: 5s
+      retries: 10
+
   # Test MariaDB containers
   test-mariadb-55:
     image: mariadb:5.5
@@ -520,11 +568,11 @@ services:
       timeout: 5s
       retries: 10
 
-  test-mongodb-80:
-    image: mongo:8.0
-    container_name: test-mongodb-80
+  test-mongodb-82:
+    image: mongo:8.2.3-noble
+    container_name: test-mongodb-82
     ports:
-      - "${TEST_MONGODB_80_PORT:-27080}:27017"
+      - "${TEST_MONGODB_82_PORT:-27082}:27017"
     environment:
       MONGO_INITDB_ROOT_USERNAME: root
       MONGO_INITDB_ROOT_PASSWORD: rootpassword

backend/go.mod

@@ -1,6 +1,6 @@
-module postgresus-backend
+module databasus-backend
 
-go 1.24.4
+go 1.24.9
 
 require (
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0
@@ -25,9 +25,9 @@ require (
 	github.com/swaggo/files v1.0.1
 	github.com/swaggo/gin-swagger v1.6.0
 	github.com/swaggo/swag v1.16.4
+	github.com/valkey-io/valkey-go v1.0.70
 	go.mongodb.org/mongo-driver v1.17.6
 	golang.org/x/crypto v0.46.0
-	golang.org/x/time v0.14.0
 	gorm.io/driver/postgres v1.5.11
 	gorm.io/gorm v1.26.1
 )
@@ -185,6 +185,7 @@ require (
 	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 // indirect
 	golang.org/x/term v0.38.0 // indirect
+	golang.org/x/time v0.14.0 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
 	gopkg.in/validator.v2 v2.0.1 // indirect
 	moul.io/http2curl/v2 v2.3.0 // indirect
@@ -269,7 +270,7 @@ require (
 	go.opentelemetry.io/otel/metric v1.38.0 // indirect
 	go.opentelemetry.io/otel/trace v1.38.0 // indirect
 	golang.org/x/arch v0.17.0 // indirect
-	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/net v0.48.0 // indirect
 	golang.org/x/oauth2 v0.33.0
 	golang.org/x/sync v0.19.0 // indirect
 	golang.org/x/sys v0.39.0 // indirect

backend/go.sum

@@ -539,8 +539,8 @@ github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=
 github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU=
 github.com/onsi/ginkgo/v2 v2.17.3 h1:oJcvKpIb7/8uLpDDtnQuf18xVnwKp8DTD7DQ6gTd/MU=
 github.com/onsi/ginkgo/v2 v2.17.3/go.mod h1:nP2DPOQoNsQmsVyv5rDA8JkXQoCs6goXIvr/PRJ1eCc=
-github.com/onsi/gomega v1.37.0 h1:CdEG8g0S133B4OswTDC/5XPSzE1OeP29QOioj2PID2Y=
-github.com/onsi/gomega v1.37.0/go.mod h1:8D9+Txp43QWKhM24yyOBEdpkzN8FvJyAwecBgsU4KU0=
+github.com/onsi/gomega v1.38.3 h1:eTX+W6dobAYfFeGC2PV6RwXRu/MyT+cQguijutvkpSM=
+github.com/onsi/gomega v1.38.3/go.mod h1:ZCU1pkQcXDO5Sl9/VVEGlDyp+zm0m1cmeG5TOzLgdh4=
 github.com/oracle/oci-go-sdk/v65 v65.104.0 h1:l9awEvzWvxmYhy/97A0hZ87pa7BncYXmcO/S8+rvgK0=
 github.com/oracle/oci-go-sdk/v65 v65.104.0/go.mod h1:oB8jFGVc/7/zJ+DbleE8MzGHjhs2ioCz5stRTdZdIcY=
 github.com/panjf2000/ants/v2 v2.11.3 h1:AfI0ngBoXJmYOpDh9m516vjqoUu2sLrIVgppI9TZVpg=
@@ -660,6 +660,8 @@ github.com/ulikunitz/xz v0.5.15 h1:9DNdB5s+SgV3bQ2ApL10xRc35ck0DuIX/isZvIk+ubY=
 github.com/ulikunitz/xz v0.5.15/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
 github.com/unknwon/goconfig v1.0.0 h1:rS7O+CmUdli1T+oDm7fYj1MwqNWtEJfNj+FqcUHML8U=
 github.com/unknwon/goconfig v1.0.0/go.mod h1:qu2ZQ/wcC/if2u32263HTVC39PeOQRSmidQk3DuDFQ8=
+github.com/valkey-io/valkey-go v1.0.70 h1:mjYNT8qiazxDAJ0QNQ8twWT/YFOkOoRd40ERV2mB49Y=
+github.com/valkey-io/valkey-go v1.0.70/go.mod h1:VGhZ6fs68Qrn2+OhH+6waZH27bjpgQOiLyUQyXuYK5k=
 github.com/wk8/go-ordered-map/v2 v2.1.8 h1:5h/BUHu93oj4gIdvHHHGsScSTMijfx5PeYkE/fJgbpc=
 github.com/wk8/go-ordered-map/v2 v2.1.8/go.mod h1:5nJHM5DyteebpVlHnWMV0rPz6Zp7+xBAnxjb1X5vnTw=
 github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM=
@@ -720,6 +722,8 @@ go.uber.org/mock v0.5.0 h1:KAMbZvZPyBPWgD14IrIQ38QCyjwpvVVV6K/bHl1IwQU=
 go.uber.org/mock v0.5.0/go.mod h1:ge71pBPLYDk7QIi1LupWxdAykm7KIEFchiOqd6z7qMM=
 go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
 go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
+go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
+go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/arch v0.17.0 h1:4O3dfLzd+lQewptAHqjewQZQDyEdejz3VwgeYwkZneU=
 golang.org/x/arch v0.17.0/go.mod h1:bdwinDaKcfZUGpH09BB7ZmOfhalA8lQdzl62l8gGWsk=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
@@ -818,8 +822,8 @@ golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
-golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
-golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/net v0.48.0 h1:zyQRTTrjc33Lhh0fBgT/H3oZq9WuvRR5gPC70xpDiQU=
+golang.org/x/net v0.48.0/go.mod h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=

backend/internal/config/config.go

@@ -1,11 +1,11 @@
 package config
 
 import (
+	env_utils "databasus-backend/internal/util/env"
+	"databasus-backend/internal/util/logger"
+	"databasus-backend/internal/util/tools"
 	"os"
 	"path/filepath"
-	env_utils "postgresus-backend/internal/util/env"
-	"postgresus-backend/internal/util/logger"
-	"postgresus-backend/internal/util/tools"
 	"strings"
 	"sync"
 
@@ -22,13 +22,32 @@ const (
 
 type EnvVariables struct {
 	IsTesting            bool
-	DatabaseDsn          string            `env:"DATABASE_DSN"         required:"true"`
 	EnvMode              env_utils.EnvMode `env:"ENV_MODE"             required:"true"`
 	PostgresesInstallDir string            `env:"POSTGRES_INSTALL_DIR"`
 	MysqlInstallDir      string            `env:"MYSQL_INSTALL_DIR"`
 	MariadbInstallDir    string            `env:"MARIADB_INSTALL_DIR"`
 	MongodbInstallDir    string            `env:"MONGODB_INSTALL_DIR"`
 
+	// Internal database
+	DatabaseDsn string `env:"DATABASE_DSN"    required:"true"`
+	// Internal Valkey
+	ValkeyHost     string `env:"VALKEY_HOST"     required:"true"`
+	ValkeyPort     string `env:"VALKEY_PORT"     required:"true"`
+	ValkeyUsername string `env:"VALKEY_USERNAME" required:"true"`
+	ValkeyPassword string `env:"VALKEY_PASSWORD" required:"true"`
+	ValkeyIsSsl    bool   `env:"VALKEY_IS_SSL"   required:"true"`
+
+	IsCloud       bool   `env:"IS_CLOUD"`
+	TestLocalhost string `env:"TEST_LOCALHOST"`
+
+	ShowDbInstallationVerificationLogs bool `env:"SHOW_DB_INSTALLATION_VERIFICATION_LOGS"`
+	IsSkipExternalResourcesTests       bool `env:"IS_SKIP_EXTERNAL_RESOURCES_TESTS"`
+
+	IsManyNodesMode          bool `env:"IS_MANY_NODES_MODE"`
+	IsPrimaryNode            bool `env:"IS_PRIMARY_NODE"`
+	IsProcessingNode         bool `env:"IS_PROCESSING_NODE"`
+	NodeNetworkThroughputMBs int  `env:"NODE_NETWORK_THROUGHPUT_MBPS"`
+
 	DataFolder    string
 	TempFolder    string
 	SecretKeyPath string
@@ -57,6 +76,7 @@ type EnvVariables struct {
 	TestMysql57Port string `env:"TEST_MYSQL_57_PORT"`
 	TestMysql80Port string `env:"TEST_MYSQL_80_PORT"`
 	TestMysql84Port string `env:"TEST_MYSQL_84_PORT"`
+	TestMysql90Port string `env:"TEST_MYSQL_90_PORT"`
 
 	TestMariadb55Port   string `env:"TEST_MARIADB_55_PORT"`
 	TestMariadb101Port  string `env:"TEST_MARIADB_101_PORT"`
@@ -76,7 +96,7 @@ type EnvVariables struct {
 	TestMongodb50Port string `env:"TEST_MONGODB_50_PORT"`
 	TestMongodb60Port string `env:"TEST_MONGODB_60_PORT"`
 	TestMongodb70Port string `env:"TEST_MONGODB_70_PORT"`
-	TestMongodb80Port string `env:"TEST_MONGODB_80_PORT"`
+	TestMongodb82Port string `env:"TEST_MONGODB_82_PORT"`
 
 	// oauth
 	GitHubClientID     string `env:"GITHUB_CLIENT_ID"`
@@ -84,6 +104,10 @@ type EnvVariables struct {
 	GoogleClientID     string `env:"GOOGLE_CLIENT_ID"`
 	GoogleClientSecret string `env:"GOOGLE_CLIENT_SECRET"`
 
+	// Cloudflare Turnstile
+	CloudflareTurnstileSecretKey string `env:"CLOUDFLARE_TURNSTILE_SECRET_KEY"`
+	CloudflareTurnstileSiteKey   string `env:"CLOUDFLARE_TURNSTILE_SITE_KEY"`
+
 	// testing Telegram
 	TestTelegramBotToken string `env:"TEST_TELEGRAM_BOT_TOKEN"`
 	TestTelegramChatID   string `env:"TEST_TELEGRAM_CHAT_ID"`
@@ -94,6 +118,15 @@ type EnvVariables struct {
 	TestSupabaseUsername string `env:"TEST_SUPABASE_USERNAME"`
 	TestSupabasePassword string `env:"TEST_SUPABASE_PASSWORD"`
 	TestSupabaseDatabase string `env:"TEST_SUPABASE_DATABASE"`
+
+	// SMTP configuration (optional)
+	SMTPHost     string `env:"SMTP_HOST"`
+	SMTPPort     int    `env:"SMTP_PORT"`
+	SMTPUser     string `env:"SMTP_USER"`
+	SMTPPassword string `env:"SMTP_PASSWORD"`
+
+	// Application URL (optional) - used for email links
+	DatabasusURL string `env:"DATABASUS_URL"`
 }
 
 var (
@@ -154,6 +187,21 @@ func loadEnvVariables() {
 		os.Exit(1)
 	}
 
+	// Set default value for ShowDbInstallationVerificationLogs if not defined
+	if os.Getenv("SHOW_DB_INSTALLATION_VERIFICATION_LOGS") == "" {
+		env.ShowDbInstallationVerificationLogs = true
+	}
+
+	// Set default value for IsSkipExternalTests if not defined
+	if os.Getenv("IS_SKIP_EXTERNAL_RESOURCES_TESTS") == "" {
+		env.IsSkipExternalResourcesTests = false
+	}
+
+	// Set default value for IsCloud if not defined
+	if os.Getenv("IS_CLOUD") == "" {
+		env.IsCloud = false
+	}
+
 	for _, arg := range os.Args {
 		if strings.Contains(arg, "test") {
 			env.IsTesting = true
@@ -161,6 +209,14 @@ func loadEnvVariables() {
 		}
 	}
 
+	// Check for external database override
+	if externalDsn := os.Getenv("DANGEROUS_EXTERNAL_DATABASE_DSN"); externalDsn != "" {
+		log.Warn(
+			"Using DANGEROUS_EXTERNAL_DATABASE_DSN - connecting to external database instead of internal PostgreSQL",
+		)
+		env.DatabaseDsn = externalDsn
+	}
+
 	if env.DatabaseDsn == "" {
 		log.Error("DATABASE_DSN is empty")
 		os.Exit(1)
@@ -177,22 +233,86 @@ func loadEnvVariables() {
 	log.Info("ENV_MODE loaded", "mode", env.EnvMode)
 
 	env.PostgresesInstallDir = filepath.Join(backendRoot, "tools", "postgresql")
-	tools.VerifyPostgresesInstallation(log, env.EnvMode, env.PostgresesInstallDir)
+	tools.VerifyPostgresesInstallation(
+		log,
+		env.EnvMode,
+		env.PostgresesInstallDir,
+		env.ShowDbInstallationVerificationLogs,
+	)
 
 	env.MysqlInstallDir = filepath.Join(backendRoot, "tools", "mysql")
-	tools.VerifyMysqlInstallation(log, env.EnvMode, env.MysqlInstallDir)
+	tools.VerifyMysqlInstallation(
+		log,
+		env.EnvMode,
+		env.MysqlInstallDir,
+		env.ShowDbInstallationVerificationLogs,
+	)
 
 	env.MariadbInstallDir = filepath.Join(backendRoot, "tools", "mariadb")
-	tools.VerifyMariadbInstallation(log, env.EnvMode, env.MariadbInstallDir)
+	tools.VerifyMariadbInstallation(
+		log,
+		env.EnvMode,
+		env.MariadbInstallDir,
+		env.ShowDbInstallationVerificationLogs,
+	)
 
 	env.MongodbInstallDir = filepath.Join(backendRoot, "tools", "mongodb")
-	tools.VerifyMongodbInstallation(log, env.EnvMode, env.MongodbInstallDir)
+	tools.VerifyMongodbInstallation(
+		log,
+		env.EnvMode,
+		env.MongodbInstallDir,
+		env.ShowDbInstallationVerificationLogs,
+	)
+
+	if env.NodeNetworkThroughputMBs == 0 {
+		env.NodeNetworkThroughputMBs = 125 // 1 Gbit/s
+	}
+
+	if !env.IsManyNodesMode {
+		env.IsPrimaryNode = true
+		env.IsProcessingNode = true
+	}
+
+	if env.TestLocalhost == "" {
+		env.TestLocalhost = "localhost"
+	}
+
+	// Valkey
+	if env.ValkeyHost == "" {
+		log.Error("VALKEY_HOST is empty")
+		os.Exit(1)
+	}
+	if env.ValkeyPort == "" {
+		log.Error("VALKEY_PORT is empty")
+		os.Exit(1)
+	}
+
+	// Check for external Valkey override
+	if externalValkeyHost := os.Getenv("DANGEROUS_VALKEY_HOST"); externalValkeyHost != "" {
+		log.Warn(
+			"Using DANGEROUS_VALKEY_* variables - connecting to external Valkey instead of internal instance",
+		)
+		env.ValkeyHost = externalValkeyHost
+
+		if externalValkeyPort := os.Getenv("DANGEROUS_VALKEY_PORT"); externalValkeyPort != "" {
+			env.ValkeyPort = externalValkeyPort
+		}
+		if externalValkeyUsername := os.Getenv("DANGEROUS_VALKEY_USERNAME"); externalValkeyUsername != "" {
+			env.ValkeyUsername = externalValkeyUsername
+		}
+		if externalValkeyPassword := os.Getenv("DANGEROUS_VALKEY_PASSWORD"); externalValkeyPassword != "" {
+			env.ValkeyPassword = externalValkeyPassword
+		}
+		if externalValkeyIsSsl := os.Getenv("DANGEROUS_VALKEY_IS_SSL"); externalValkeyIsSsl != "" {
+			env.ValkeyIsSsl = externalValkeyIsSsl == "true"
+		}
+	}
 
 	// Store the data and temp folders one level below the root
-	// (projectRoot/postgresus-data -> /postgresus-data)
-	env.DataFolder = filepath.Join(filepath.Dir(backendRoot), "postgresus-data", "backups")
-	env.TempFolder = filepath.Join(filepath.Dir(backendRoot), "postgresus-data", "temp")
-	env.SecretKeyPath = filepath.Join(filepath.Dir(backendRoot), "postgresus-data", "secret.key")
+	// (projectRoot/databasus-data -> /databasus-data)
+	env.DataFolder = filepath.Join(filepath.Dir(backendRoot), "databasus-data", "backups")
+	env.TempFolder = filepath.Join(filepath.Dir(backendRoot), "databasus-data", "temp")
+	env.SecretKeyPath = filepath.Join(filepath.Dir(backendRoot), "databasus-data", "secret.key")
 
 	if env.IsTesting {
 		if env.TestPostgres12Port == "" {

backend/internal/features/audit_logs/background_service.go

@@ -0,0 +1,54 @@
+package audit_logs
+
+import (
+	"context"
+	"fmt"
+	"log/slog"
+	"sync"
+	"sync/atomic"
+	"time"
+)
+
+type AuditLogBackgroundService struct {
+	auditLogService *AuditLogService
+	logger          *slog.Logger
+
+	runOnce sync.Once
+	hasRun  atomic.Bool
+}
+
+func (s *AuditLogBackgroundService) Run(ctx context.Context) {
+	wasAlreadyRun := s.hasRun.Load()
+
+	s.runOnce.Do(func() {
+		s.hasRun.Store(true)
+
+		s.logger.Info("Starting audit log cleanup background service")
+
+		if ctx.Err() != nil {
+			return
+		}
+
+		ticker := time.NewTicker(1 * time.Hour)
+		defer ticker.Stop()
+
+		for {
+			select {
+			case <-ctx.Done():
+				return
+			case <-ticker.C:
+				if err := s.cleanOldAuditLogs(); err != nil {
+					s.logger.Error("Failed to clean old audit logs", "error", err)
+				}
+			}
+		}
+	})
+
+	if wasAlreadyRun {
+		panic(fmt.Sprintf("%T.Run() called multiple times", s))
+	}
+}
+
+func (s *AuditLogBackgroundService) cleanOldAuditLogs() error {
+	return s.auditLogService.CleanOldAuditLogs()
+}

backend/internal/features/audit_logs/background_service_test.go

@@ -0,0 +1,141 @@
+package audit_logs
+
+import (
+	"databasus-backend/internal/storage"
+	"fmt"
+	"testing"
+	"time"
+
+	user_enums "databasus-backend/internal/features/users/enums"
+	users_testing "databasus-backend/internal/features/users/testing"
+
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/assert"
+	"gorm.io/gorm"
+)
+
+func Test_CleanOldAuditLogs_DeletesLogsOlderThanOneYear(t *testing.T) {
+	service := GetAuditLogService()
+	user := users_testing.CreateTestUser(user_enums.UserRoleMember)
+	db := storage.GetDb()
+	baseTime := time.Now().UTC()
+
+	// Create old logs (more than 1 year old)
+	createTimedAuditLog(db, &user.UserID, "Old log 1", baseTime.Add(-400*24*time.Hour))
+	createTimedAuditLog(db, &user.UserID, "Old log 2", baseTime.Add(-370*24*time.Hour))
+
+	// Create recent logs (less than 1 year old)
+	createAuditLog(service, "Recent log 1", &user.UserID, nil)
+	createAuditLog(service, "Recent log 2", &user.UserID, nil)
+
+	// Run cleanup
+	err := service.CleanOldAuditLogs()
+	assert.NoError(t, err)
+
+	// Verify old logs were deleted
+	oneYearAgo := baseTime.Add(-365 * 24 * time.Hour)
+	var oldLogs []*AuditLog
+	db.Where("created_at < ?", oneYearAgo).Find(&oldLogs)
+	assert.Equal(t, 0, len(oldLogs), "All logs older than 1 year should be deleted")
+
+	// Verify recent logs still exist
+	var recentLogs []*AuditLog
+	db.Where("created_at >= ?", oneYearAgo).Find(&recentLogs)
+	assert.GreaterOrEqual(t, len(recentLogs), 2, "Recent logs should not be deleted")
+}
+
+func Test_CleanOldAuditLogs_PreservesLogsNewerThanOneYear(t *testing.T) {
+	service := GetAuditLogService()
+	user := users_testing.CreateTestUser(user_enums.UserRoleMember)
+	db := storage.GetDb()
+	baseTime := time.Now().UTC()
+
+	// Create logs exactly at boundary (1 year old)
+	boundaryTime := baseTime.Add(-365 * 24 * time.Hour)
+	createTimedAuditLog(db, &user.UserID, "Boundary log", boundaryTime)
+
+	// Create recent logs
+	createTimedAuditLog(db, &user.UserID, "Recent log 1", baseTime.Add(-364*24*time.Hour))
+	createTimedAuditLog(db, &user.UserID, "Recent log 2", baseTime.Add(-100*24*time.Hour))
+	createAuditLog(service, "Current log", &user.UserID, nil)
+
+	// Get count before cleanup
+	var countBefore int64
+	db.Model(&AuditLog{}).Count(&countBefore)
+
+	// Run cleanup
+	err := service.CleanOldAuditLogs()
+	assert.NoError(t, err)
+
+	// Get count after cleanup
+	var countAfter int64
+	db.Model(&AuditLog{}).Count(&countAfter)
+
+	// Verify logs newer than 1 year are preserved
+	oneYearAgo := baseTime.Add(-365 * 24 * time.Hour)
+	var recentLogs []*AuditLog
+	db.Where("created_at >= ?", oneYearAgo).Find(&recentLogs)
+
+	messages := make([]string, len(recentLogs))
+	for i, log := range recentLogs {
+		messages[i] = log.Message
+	}
+
+	assert.Contains(t, messages, "Recent log 1")
+	assert.Contains(t, messages, "Recent log 2")
+	assert.Contains(t, messages, "Current log")
+}
+
+func Test_CleanOldAuditLogs_HandlesEmptyDatabase(t *testing.T) {
+	service := GetAuditLogService()
+
+	// Run cleanup on database that may have no old logs
+	err := service.CleanOldAuditLogs()
+	assert.NoError(t, err)
+}
+
+func Test_CleanOldAuditLogs_DeletesMultipleOldLogs(t *testing.T) {
+	service := GetAuditLogService()
+	user := users_testing.CreateTestUser(user_enums.UserRoleMember)
+	db := storage.GetDb()
+	baseTime := time.Now().UTC()
+
+	// Create many old logs with specific UUIDs to track them
+	testLogIDs := make([]uuid.UUID, 5)
+	for i := 0; i < 5; i++ {
+		testLogIDs[i] = uuid.New()
+		daysAgo := 400 + (i * 10)
+		log := &AuditLog{
+			ID:        testLogIDs[i],
+			UserID:    &user.UserID,
+			Message:   fmt.Sprintf("Test old log %d", i),
+			CreatedAt: baseTime.Add(-time.Duration(daysAgo) * 24 * time.Hour),
+		}
+		result := db.Create(log)
+		assert.NoError(t, result.Error)
+	}
+
+	// Verify logs exist before cleanup
+	var logsBeforeCleanup []*AuditLog
+	db.Where("id IN ?", testLogIDs).Find(&logsBeforeCleanup)
+	assert.Equal(t, 5, len(logsBeforeCleanup), "All test logs should exist before cleanup")
+
+	// Run cleanup
+	err := service.CleanOldAuditLogs()
+	assert.NoError(t, err)
+
+	// Verify test logs were deleted
+	var logsAfterCleanup []*AuditLog
+	db.Where("id IN ?", testLogIDs).Find(&logsAfterCleanup)
+	assert.Equal(t, 0, len(logsAfterCleanup), "All old test logs should be deleted")
+}
+
+func createTimedAuditLog(db *gorm.DB, userID *uuid.UUID, message string, createdAt time.Time) {
+	log := &AuditLog{
+		ID:        uuid.New(),
+		UserID:    userID,
+		Message:   message,
+		CreatedAt: createdAt,
+	}
+	db.Create(log)
+}

backend/internal/features/audit_logs/controller.go

@@ -1,9 +1,10 @@
 package audit_logs
 
 import (
+	"errors"
 	"net/http"
 
-	user_models "postgresus-backend/internal/features/users/models"
+	user_models "databasus-backend/internal/features/users/models"
 
 	"github.com/gin-gonic/gin"
 	"github.com/google/uuid"
@@ -50,7 +51,7 @@ func (c *AuditLogController) GetGlobalAuditLogs(ctx *gin.Context) {
 
 	response, err := c.auditLogService.GetGlobalAuditLogs(user, request)
 	if err != nil {
-		if err.Error() == "only administrators can view global audit logs" {
+		if errors.Is(err, ErrOnlyAdminsCanViewGlobalLogs) {
 			ctx.JSON(http.StatusForbidden, gin.H{"error": err.Error()})
 			return
 		}
@@ -99,7 +100,7 @@ func (c *AuditLogController) GetUserAuditLogs(ctx *gin.Context) {
 
 	response, err := c.auditLogService.GetUserAuditLogs(targetUserID, user, request)
 	if err != nil {
-		if err.Error() == "insufficient permissions to view user audit logs" {
+		if errors.Is(err, ErrInsufficientPermissionsToViewLogs) {
 			ctx.JSON(http.StatusForbidden, gin.H{"error": err.Error()})
 			return
 		}

backend/internal/features/audit_logs/controller_test.go

@@ -6,11 +6,11 @@ import (
 	"testing"
 	"time"
 
-	user_enums "postgresus-backend/internal/features/users/enums"
-	users_middleware "postgresus-backend/internal/features/users/middleware"
-	users_services "postgresus-backend/internal/features/users/services"
-	users_testing "postgresus-backend/internal/features/users/testing"
-	test_utils "postgresus-backend/internal/util/testing"
+	user_enums "databasus-backend/internal/features/users/enums"
+	users_middleware "databasus-backend/internal/features/users/middleware"
+	users_services "databasus-backend/internal/features/users/services"
+	users_testing "databasus-backend/internal/features/users/testing"
+	test_utils "databasus-backend/internal/util/testing"
 
 	"github.com/gin-gonic/gin"
 	"github.com/google/uuid"

backend/internal/features/audit_logs/di.go

@@ -1,17 +1,26 @@
 package audit_logs
 
 import (
-	users_services "postgresus-backend/internal/features/users/services"
-	"postgresus-backend/internal/util/logger"
+	"sync"
+	"sync/atomic"
+
+	users_services "databasus-backend/internal/features/users/services"
+	"databasus-backend/internal/util/logger"
 )
 
 var auditLogRepository = &AuditLogRepository{}
 var auditLogService = &AuditLogService{
-	auditLogRepository: auditLogRepository,
-	logger:             logger.GetLogger(),
+	auditLogRepository,
+	logger.GetLogger(),
 }
 var auditLogController = &AuditLogController{
+	auditLogService,
+}
+var auditLogBackgroundService = &AuditLogBackgroundService{
 	auditLogService: auditLogService,
+	logger:          logger.GetLogger(),
+	runOnce:         sync.Once{},
+	hasRun:          atomic.Bool{},
 }
 
 func GetAuditLogService() *AuditLogService {
@@ -22,8 +31,27 @@ func GetAuditLogController() *AuditLogController {
 	return auditLogController
 }
 
-func SetupDependencies() {
-	users_services.GetUserService().SetAuditLogWriter(auditLogService)
-	users_services.GetSettingsService().SetAuditLogWriter(auditLogService)
-	users_services.GetManagementService().SetAuditLogWriter(auditLogService)
+func GetAuditLogBackgroundService() *AuditLogBackgroundService {
+	return auditLogBackgroundService
+}
+
+var (
+	setupOnce sync.Once
+	isSetup   atomic.Bool
+)
+
+func SetupDependencies() {
+	wasAlreadySetup := isSetup.Load()
+
+	setupOnce.Do(func() {
+		users_services.GetUserService().SetAuditLogWriter(auditLogService)
+		users_services.GetSettingsService().SetAuditLogWriter(auditLogService)
+		users_services.GetManagementService().SetAuditLogWriter(auditLogService)
+
+		isSetup.Store(true)
+	})
+
+	if wasAlreadySetup {
+		logger.GetLogger().Warn("SetupDependencies called multiple times, ignoring subsequent call")
+	}
 }

backend/internal/features/audit_logs/errors.go

@@ -0,0 +1,12 @@
+package audit_logs
+
+import "errors"
+
+var (
+	ErrOnlyAdminsCanViewGlobalLogs = errors.New(
+		"only administrators can view global audit logs",
+	)
+	ErrInsufficientPermissionsToViewLogs = errors.New(
+		"insufficient permissions to view user audit logs",
+	)
+)

backend/internal/features/audit_logs/repository.go

@@ -1,7 +1,7 @@
 package audit_logs
 
 import (
-	"postgresus-backend/internal/storage"
+	"databasus-backend/internal/storage"
 	"time"
 
 	"github.com/google/uuid"
@@ -137,3 +137,15 @@ func (r *AuditLogRepository) CountGlobal(beforeDate *time.Time) (int64, error) {
 	err := query.Count(&count).Error
 	return count, err
 }
+
+func (r *AuditLogRepository) DeleteOlderThan(beforeDate time.Time) (int64, error) {
+	result := storage.GetDb().
+		Where("created_at < ?", beforeDate).
+		Delete(&AuditLog{})
+
+	if result.Error != nil {
+		return 0, result.Error
+	}
+
+	return result.RowsAffected, nil
+}

backend/internal/features/audit_logs/service.go

@@ -1,12 +1,11 @@
 package audit_logs
 
 import (
-	"errors"
 	"log/slog"
 	"time"
 
-	user_enums "postgresus-backend/internal/features/users/enums"
-	user_models "postgresus-backend/internal/features/users/models"
+	user_enums "databasus-backend/internal/features/users/enums"
+	user_models "databasus-backend/internal/features/users/models"
 
 	"github.com/google/uuid"
 )
@@ -44,7 +43,7 @@ func (s *AuditLogService) GetGlobalAuditLogs(
 	request *GetAuditLogsRequest,
 ) (*GetAuditLogsResponse, error) {
 	if user.Role != user_enums.UserRoleAdmin {
-		return nil, errors.New("only administrators can view global audit logs")
+		return nil, ErrOnlyAdminsCanViewGlobalLogs
 	}
 
 	limit := request.Limit
@@ -79,7 +78,7 @@ func (s *AuditLogService) GetUserAuditLogs(
 ) (*GetAuditLogsResponse, error) {
 	// Users can view their own logs, ADMIN can view any user's logs
 	if user.Role != user_enums.UserRoleAdmin && user.ID != targetUserID {
-		return nil, errors.New("insufficient permissions to view user audit logs")
+		return nil, ErrInsufficientPermissionsToViewLogs
 	}
 
 	limit := request.Limit
@@ -135,3 +134,19 @@ func (s *AuditLogService) GetWorkspaceAuditLogs(
 		Offset:    offset,
 	}, nil
 }
+
+func (s *AuditLogService) CleanOldAuditLogs() error {
+	oneYearAgo := time.Now().UTC().Add(-365 * 24 * time.Hour)
+
+	deletedCount, err := s.auditLogRepository.DeleteOlderThan(oneYearAgo)
+	if err != nil {
+		s.logger.Error("Failed to delete old audit logs", "error", err)
+		return err
+	}
+
+	if deletedCount > 0 {
+		s.logger.Info("Deleted old audit logs", "count", deletedCount, "olderThan", oneYearAgo)
+	}
+
+	return nil
+}

backend/internal/features/audit_logs/service_test.go

@@ -4,8 +4,8 @@ import (
 	"testing"
 	"time"
 
-	user_enums "postgresus-backend/internal/features/users/enums"
-	users_testing "postgresus-backend/internal/features/users/testing"
+	user_enums "databasus-backend/internal/features/users/enums"
+	users_testing "databasus-backend/internal/features/users/testing"
 
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"

backend/internal/features/backups/backups/background_service.go

@@ -1,254 +0,0 @@
-package backups
-
-import (
-	"log/slog"
-	"postgresus-backend/internal/config"
-	backups_config "postgresus-backend/internal/features/backups/config"
-	"postgresus-backend/internal/features/storages"
-	"postgresus-backend/internal/util/encryption"
-	"postgresus-backend/internal/util/period"
-	"time"
-)
-
-type BackupBackgroundService struct {
-	backupService       *BackupService
-	backupRepository    *BackupRepository
-	backupConfigService *backups_config.BackupConfigService
-	storageService      *storages.StorageService
-
-	lastBackupTime time.Time
-	logger         *slog.Logger
-}
-
-func (s *BackupBackgroundService) Run() {
-	s.lastBackupTime = time.Now().UTC()
-
-	if err := s.failBackupsInProgress(); err != nil {
-		s.logger.Error("Failed to fail backups in progress", "error", err)
-		panic(err)
-	}
-
-	if config.IsShouldShutdown() {
-		return
-	}
-
-	for {
-		if config.IsShouldShutdown() {
-			return
-		}
-
-		if err := s.cleanOldBackups(); err != nil {
-			s.logger.Error("Failed to clean old backups", "error", err)
-		}
-
-		if err := s.runPendingBackups(); err != nil {
-			s.logger.Error("Failed to run pending backups", "error", err)
-		}
-
-		s.lastBackupTime = time.Now().UTC()
-		time.Sleep(1 * time.Minute)
-	}
-}
-
-func (s *BackupBackgroundService) IsBackupsWorkerRunning() bool {
-	// if last backup time is more than 5 minutes ago, return false
-	return s.lastBackupTime.After(time.Now().UTC().Add(-5 * time.Minute))
-}
-
-func (s *BackupBackgroundService) failBackupsInProgress() error {
-	backupsInProgress, err := s.backupRepository.FindByStatus(BackupStatusInProgress)
-	if err != nil {
-		return err
-	}
-
-	for _, backup := range backupsInProgress {
-		backupConfig, err := s.backupConfigService.GetBackupConfigByDbId(backup.DatabaseID)
-		if err != nil {
-			s.logger.Error("Failed to get backup config by database ID", "error", err)
-			continue
-		}
-
-		failMessage := "Backup failed due to application restart"
-		backup.FailMessage = &failMessage
-		backup.Status = BackupStatusFailed
-		backup.BackupSizeMb = 0
-
-		s.backupService.SendBackupNotification(
-			backupConfig,
-			backup,
-			backups_config.NotificationBackupFailed,
-			&failMessage,
-		)
-
-		if err := s.backupRepository.Save(backup); err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-func (s *BackupBackgroundService) cleanOldBackups() error {
-	enabledBackupConfigs, err := s.backupConfigService.GetBackupConfigsWithEnabledBackups()
-	if err != nil {
-		return err
-	}
-
-	for _, backupConfig := range enabledBackupConfigs {
-		backupStorePeriod := backupConfig.StorePeriod
-
-		if backupStorePeriod == period.PeriodForever {
-			continue
-		}
-
-		storeDuration := backupStorePeriod.ToDuration()
-		dateBeforeBackupsShouldBeDeleted := time.Now().UTC().Add(-storeDuration)
-
-		oldBackups, err := s.backupRepository.FindBackupsBeforeDate(
-			backupConfig.DatabaseID,
-			dateBeforeBackupsShouldBeDeleted,
-		)
-		if err != nil {
-			s.logger.Error(
-				"Failed to find old backups for database",
-				"databaseId",
-				backupConfig.DatabaseID,
-				"error",
-				err,
-			)
-			continue
-		}
-
-		for _, backup := range oldBackups {
-			storage, err := s.storageService.GetStorageByID(backup.StorageID)
-			if err != nil {
-				s.logger.Error(
-					"Failed to get storage by ID",
-					"storageId",
-					backup.StorageID,
-					"error",
-					err,
-				)
-				continue
-			}
-
-			encryptor := encryption.GetFieldEncryptor()
-			err = storage.DeleteFile(encryptor, backup.ID)
-			if err != nil {
-				s.logger.Error("Failed to delete backup file", "backupId", backup.ID, "error", err)
-			}
-
-			if err := s.backupRepository.DeleteByID(backup.ID); err != nil {
-				s.logger.Error("Failed to delete old backup", "backupId", backup.ID, "error", err)
-				continue
-			}
-
-			s.logger.Info(
-				"Deleted old backup",
-				"backupId",
-				backup.ID,
-				"databaseId",
-				backupConfig.DatabaseID,
-			)
-		}
-	}
-
-	return nil
-}
-
-func (s *BackupBackgroundService) runPendingBackups() error {
-	enabledBackupConfigs, err := s.backupConfigService.GetBackupConfigsWithEnabledBackups()
-	if err != nil {
-		return err
-	}
-
-	for _, backupConfig := range enabledBackupConfigs {
-		if backupConfig.BackupInterval == nil {
-			continue
-		}
-
-		lastBackup, err := s.backupRepository.FindLastByDatabaseID(backupConfig.DatabaseID)
-		if err != nil {
-			s.logger.Error(
-				"Failed to get last backup for database",
-				"databaseId",
-				backupConfig.DatabaseID,
-				"error",
-				err,
-			)
-			continue
-		}
-
-		var lastBackupTime *time.Time
-		if lastBackup != nil {
-			lastBackupTime = &lastBackup.CreatedAt
-		}
-
-		remainedBackupTryCount := s.GetRemainedBackupTryCount(lastBackup)
-
-		if backupConfig.BackupInterval.ShouldTriggerBackup(time.Now().UTC(), lastBackupTime) ||
-			remainedBackupTryCount > 0 {
-			s.logger.Info(
-				"Triggering scheduled backup",
-				"databaseId",
-				backupConfig.DatabaseID,
-				"intervalType",
-				backupConfig.BackupInterval.Interval,
-			)
-
-			go s.backupService.MakeBackup(backupConfig.DatabaseID, remainedBackupTryCount == 1)
-			s.logger.Info(
-				"Successfully triggered scheduled backup",
-				"databaseId",
-				backupConfig.DatabaseID,
-			)
-		}
-	}
-
-	return nil
-}
-
-// GetRemainedBackupTryCount returns the number of remaining backup tries for a given backup.
-// If the backup is not failed or the backup config does not allow retries, it returns 0.
-// If the backup is failed and the backup config allows retries, it returns the number of remaining tries.
-// If the backup is failed and the backup config does not allow retries, it returns 0.
-func (s *BackupBackgroundService) GetRemainedBackupTryCount(lastBackup *Backup) int {
-	if lastBackup == nil {
-		return 0
-	}
-
-	if lastBackup.Status != BackupStatusFailed {
-		return 0
-	}
-
-	backupConfig, err := s.backupConfigService.GetBackupConfigByDbId(lastBackup.DatabaseID)
-	if err != nil {
-		s.logger.Error("Failed to get backup config by database ID", "error", err)
-		return 0
-	}
-
-	if !backupConfig.IsRetryIfFailed {
-		return 0
-	}
-
-	maxFailedTriesCount := backupConfig.MaxFailedTriesCount
-
-	lastBackups, err := s.backupRepository.FindByDatabaseIDWithLimit(
-		lastBackup.DatabaseID,
-		maxFailedTriesCount,
-	)
-	if err != nil {
-		s.logger.Error("Failed to find last backups by database ID", "error", err)
-		return 0
-	}
-
-	lastFailedBackups := make([]*Backup, 0)
-
-	for _, backup := range lastBackups {
-		if backup.Status == BackupStatusFailed {
-			lastFailedBackups = append(lastFailedBackups, backup)
-		}
-	}
-
-	return maxFailedTriesCount - len(lastFailedBackups)
-}

backend/internal/features/backups/backups/background_service_test.go

@@ -1,321 +0,0 @@
-package backups
-
-import (
-	backups_config "postgresus-backend/internal/features/backups/config"
-	"postgresus-backend/internal/features/databases"
-	"postgresus-backend/internal/features/intervals"
-	"postgresus-backend/internal/features/notifiers"
-	"postgresus-backend/internal/features/storages"
-	users_enums "postgresus-backend/internal/features/users/enums"
-	users_testing "postgresus-backend/internal/features/users/testing"
-	workspaces_testing "postgresus-backend/internal/features/workspaces/testing"
-	"postgresus-backend/internal/util/period"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-)
-
-func Test_MakeBackupForDbHavingBackupDayAgo_BackupCreated(t *testing.T) {
-	// setup data
-	user := users_testing.CreateTestUser(users_enums.UserRoleAdmin)
-	router := CreateTestRouter()
-	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", user, router)
-	storage := storages.CreateTestStorage(workspace.ID)
-	notifier := notifiers.CreateTestNotifier(workspace.ID)
-	database := databases.CreateTestDatabase(workspace.ID, storage, notifier)
-
-	// Enable backups for the database
-	backupConfig, err := backups_config.GetBackupConfigService().GetBackupConfigByDbId(database.ID)
-	assert.NoError(t, err)
-
-	timeOfDay := "04:00"
-	backupConfig.BackupInterval = &intervals.Interval{
-		Interval:  intervals.IntervalDaily,
-		TimeOfDay: &timeOfDay,
-	}
-	backupConfig.IsBackupsEnabled = true
-	backupConfig.StorePeriod = period.PeriodWeek
-	backupConfig.Storage = storage
-	backupConfig.StorageID = &storage.ID
-
-	_, err = backups_config.GetBackupConfigService().SaveBackupConfig(backupConfig)
-	assert.NoError(t, err)
-
-	// add old backup
-	backupRepository.Save(&Backup{
-		DatabaseID: database.ID,
-		StorageID:  storage.ID,
-
-		Status: BackupStatusCompleted,
-
-		CreatedAt: time.Now().UTC().Add(-24 * time.Hour),
-	})
-
-	GetBackupBackgroundService().runPendingBackups()
-
-	time.Sleep(100 * time.Millisecond)
-
-	// assertions
-	backups, err := backupRepository.FindByDatabaseID(database.ID)
-	assert.NoError(t, err)
-	assert.Len(t, backups, 2)
-
-	// cleanup
-	for _, backup := range backups {
-		err := backupRepository.DeleteByID(backup.ID)
-		assert.NoError(t, err)
-	}
-
-	databases.RemoveTestDatabase(database)
-	time.Sleep(50 * time.Millisecond) // Wait for cascading deletes
-	notifiers.RemoveTestNotifier(notifier)
-	storages.RemoveTestStorage(storage.ID)
-	workspaces_testing.RemoveTestWorkspace(workspace, router)
-}
-
-func Test_MakeBackupForDbHavingHourAgoBackup_BackupSkipped(t *testing.T) {
-	// setup data
-	user := users_testing.CreateTestUser(users_enums.UserRoleAdmin)
-	router := CreateTestRouter()
-	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", user, router)
-	storage := storages.CreateTestStorage(workspace.ID)
-	notifier := notifiers.CreateTestNotifier(workspace.ID)
-	database := databases.CreateTestDatabase(workspace.ID, storage, notifier)
-
-	// Enable backups for the database
-	backupConfig, err := backups_config.GetBackupConfigService().GetBackupConfigByDbId(database.ID)
-	assert.NoError(t, err)
-
-	timeOfDay := "04:00"
-	backupConfig.BackupInterval = &intervals.Interval{
-		Interval:  intervals.IntervalDaily,
-		TimeOfDay: &timeOfDay,
-	}
-	backupConfig.IsBackupsEnabled = true
-	backupConfig.StorePeriod = period.PeriodWeek
-	backupConfig.Storage = storage
-	backupConfig.StorageID = &storage.ID
-
-	_, err = backups_config.GetBackupConfigService().SaveBackupConfig(backupConfig)
-	assert.NoError(t, err)
-
-	// add recent backup (1 hour ago)
-	backupRepository.Save(&Backup{
-		DatabaseID: database.ID,
-		StorageID:  storage.ID,
-
-		Status: BackupStatusCompleted,
-
-		CreatedAt: time.Now().UTC().Add(-1 * time.Hour),
-	})
-
-	GetBackupBackgroundService().runPendingBackups()
-
-	time.Sleep(100 * time.Millisecond)
-
-	// assertions
-	backups, err := backupRepository.FindByDatabaseID(database.ID)
-	assert.NoError(t, err)
-	assert.Len(t, backups, 1) // Should still be 1 backup, no new backup created
-
-	// cleanup
-	for _, backup := range backups {
-		err := backupRepository.DeleteByID(backup.ID)
-		assert.NoError(t, err)
-	}
-
-	databases.RemoveTestDatabase(database)
-	time.Sleep(50 * time.Millisecond) // Wait for cascading deletes
-	notifiers.RemoveTestNotifier(notifier)
-	storages.RemoveTestStorage(storage.ID)
-	workspaces_testing.RemoveTestWorkspace(workspace, router)
-}
-
-func Test_MakeBackupHavingFailedBackupWithoutRetries_BackupSkipped(t *testing.T) {
-	// setup data
-	user := users_testing.CreateTestUser(users_enums.UserRoleAdmin)
-	router := CreateTestRouter()
-	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", user, router)
-	storage := storages.CreateTestStorage(workspace.ID)
-	notifier := notifiers.CreateTestNotifier(workspace.ID)
-	database := databases.CreateTestDatabase(workspace.ID, storage, notifier)
-
-	// Enable backups for the database with retries disabled
-	backupConfig, err := backups_config.GetBackupConfigService().GetBackupConfigByDbId(database.ID)
-	assert.NoError(t, err)
-
-	timeOfDay := "04:00"
-	backupConfig.BackupInterval = &intervals.Interval{
-		Interval:  intervals.IntervalDaily,
-		TimeOfDay: &timeOfDay,
-	}
-	backupConfig.IsBackupsEnabled = true
-	backupConfig.StorePeriod = period.PeriodWeek
-	backupConfig.Storage = storage
-	backupConfig.StorageID = &storage.ID
-	backupConfig.IsRetryIfFailed = false
-	backupConfig.MaxFailedTriesCount = 0
-
-	_, err = backups_config.GetBackupConfigService().SaveBackupConfig(backupConfig)
-	assert.NoError(t, err)
-
-	// add failed backup
-	failMessage := "backup failed"
-	backupRepository.Save(&Backup{
-		DatabaseID: database.ID,
-		StorageID:  storage.ID,
-
-		Status:      BackupStatusFailed,
-		FailMessage: &failMessage,
-
-		CreatedAt: time.Now().UTC().Add(-1 * time.Hour),
-	})
-
-	GetBackupBackgroundService().runPendingBackups()
-
-	time.Sleep(100 * time.Millisecond)
-
-	// assertions
-	backups, err := backupRepository.FindByDatabaseID(database.ID)
-	assert.NoError(t, err)
-	assert.Len(t, backups, 1) // Should still be 1 backup, no retry attempted
-
-	// cleanup
-	for _, backup := range backups {
-		err := backupRepository.DeleteByID(backup.ID)
-		assert.NoError(t, err)
-	}
-
-	databases.RemoveTestDatabase(database)
-	time.Sleep(50 * time.Millisecond) // Wait for cascading deletes
-	notifiers.RemoveTestNotifier(notifier)
-	storages.RemoveTestStorage(storage.ID)
-	workspaces_testing.RemoveTestWorkspace(workspace, router)
-}
-
-func Test_MakeBackupHavingFailedBackupWithRetries_BackupCreated(t *testing.T) {
-	// setup data
-	user := users_testing.CreateTestUser(users_enums.UserRoleAdmin)
-	router := CreateTestRouter()
-	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", user, router)
-	storage := storages.CreateTestStorage(workspace.ID)
-	notifier := notifiers.CreateTestNotifier(workspace.ID)
-	database := databases.CreateTestDatabase(workspace.ID, storage, notifier)
-
-	// Enable backups for the database with retries enabled
-	backupConfig, err := backups_config.GetBackupConfigService().GetBackupConfigByDbId(database.ID)
-	assert.NoError(t, err)
-
-	timeOfDay := "04:00"
-	backupConfig.BackupInterval = &intervals.Interval{
-		Interval:  intervals.IntervalDaily,
-		TimeOfDay: &timeOfDay,
-	}
-	backupConfig.IsBackupsEnabled = true
-	backupConfig.StorePeriod = period.PeriodWeek
-	backupConfig.Storage = storage
-	backupConfig.StorageID = &storage.ID
-	backupConfig.IsRetryIfFailed = true
-	backupConfig.MaxFailedTriesCount = 3
-
-	_, err = backups_config.GetBackupConfigService().SaveBackupConfig(backupConfig)
-	assert.NoError(t, err)
-
-	// add failed backup
-	failMessage := "backup failed"
-	backupRepository.Save(&Backup{
-		DatabaseID: database.ID,
-		StorageID:  storage.ID,
-
-		Status:      BackupStatusFailed,
-		FailMessage: &failMessage,
-
-		CreatedAt: time.Now().UTC().Add(-1 * time.Hour),
-	})
-
-	GetBackupBackgroundService().runPendingBackups()
-
-	time.Sleep(100 * time.Millisecond)
-
-	// assertions
-	backups, err := backupRepository.FindByDatabaseID(database.ID)
-	assert.NoError(t, err)
-	assert.Len(t, backups, 2) // Should have 2 backups, retry was attempted
-
-	// cleanup
-	for _, backup := range backups {
-		err := backupRepository.DeleteByID(backup.ID)
-		assert.NoError(t, err)
-	}
-
-	databases.RemoveTestDatabase(database)
-	time.Sleep(100 * time.Millisecond) // Wait for cascading deletes
-	notifiers.RemoveTestNotifier(notifier)
-	storages.RemoveTestStorage(storage.ID)
-	workspaces_testing.RemoveTestWorkspace(workspace, router)
-}
-
-func Test_MakeBackupHavingFailedBackupWithRetries_RetriesCountNotExceeded(t *testing.T) {
-	// setup data
-	user := users_testing.CreateTestUser(users_enums.UserRoleAdmin)
-	router := CreateTestRouter()
-	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", user, router)
-	storage := storages.CreateTestStorage(workspace.ID)
-	notifier := notifiers.CreateTestNotifier(workspace.ID)
-	database := databases.CreateTestDatabase(workspace.ID, storage, notifier)
-
-	// Enable backups for the database with retries enabled
-	backupConfig, err := backups_config.GetBackupConfigService().GetBackupConfigByDbId(database.ID)
-	assert.NoError(t, err)
-
-	timeOfDay := "04:00"
-	backupConfig.BackupInterval = &intervals.Interval{
-		Interval:  intervals.IntervalDaily,
-		TimeOfDay: &timeOfDay,
-	}
-	backupConfig.IsBackupsEnabled = true
-	backupConfig.StorePeriod = period.PeriodWeek
-	backupConfig.Storage = storage
-	backupConfig.StorageID = &storage.ID
-	backupConfig.IsRetryIfFailed = true
-	backupConfig.MaxFailedTriesCount = 3
-
-	_, err = backups_config.GetBackupConfigService().SaveBackupConfig(backupConfig)
-	assert.NoError(t, err)
-
-	failMessage := "backup failed"
-
-	for i := 0; i < 3; i++ {
-		backupRepository.Save(&Backup{
-			DatabaseID: database.ID,
-			StorageID:  storage.ID,
-
-			Status:      BackupStatusFailed,
-			FailMessage: &failMessage,
-
-			CreatedAt: time.Now().UTC().Add(-1 * time.Hour),
-		})
-	}
-
-	GetBackupBackgroundService().runPendingBackups()
-
-	time.Sleep(100 * time.Millisecond)
-
-	// assertions
-	backups, err := backupRepository.FindByDatabaseID(database.ID)
-	assert.NoError(t, err)
-	assert.Len(t, backups, 3) // Should have 3 backups, not more than max
-
-	// cleanup
-	for _, backup := range backups {
-		err := backupRepository.DeleteByID(backup.ID)
-		assert.NoError(t, err)
-	}
-
-	databases.RemoveTestDatabase(database)
-	time.Sleep(50 * time.Millisecond) // Wait for cascading deletes
-	notifiers.RemoveTestNotifier(notifier)
-	storages.RemoveTestStorage(storage.ID)
-	workspaces_testing.RemoveTestWorkspace(workspace, router)
-}

backend/internal/features/backups/backups/backup_context_manager.go

@@ -1,60 +0,0 @@
-package backups
-
-import (
-	"context"
-	"sync"
-
-	"github.com/google/uuid"
-)
-
-type BackupContextManager struct {
-	mu               sync.RWMutex
-	cancelFuncs      map[uuid.UUID]context.CancelFunc
-	cancelledBackups map[uuid.UUID]bool
-}
-
-func NewBackupContextManager() *BackupContextManager {
-	return &BackupContextManager{
-		cancelFuncs:      make(map[uuid.UUID]context.CancelFunc),
-		cancelledBackups: make(map[uuid.UUID]bool),
-	}
-}
-
-func (m *BackupContextManager) RegisterBackup(backupID uuid.UUID, cancelFunc context.CancelFunc) {
-	m.mu.Lock()
-	defer m.mu.Unlock()
-	m.cancelFuncs[backupID] = cancelFunc
-	delete(m.cancelledBackups, backupID)
-}
-
-func (m *BackupContextManager) CancelBackup(backupID uuid.UUID) error {
-	m.mu.Lock()
-	defer m.mu.Unlock()
-
-	if m.cancelledBackups[backupID] {
-		return nil
-	}
-
-	cancelFunc, exists := m.cancelFuncs[backupID]
-	if exists {
-		cancelFunc()
-		delete(m.cancelFuncs, backupID)
-	}
-
-	m.cancelledBackups[backupID] = true
-
-	return nil
-}
-
-func (m *BackupContextManager) IsCancelled(backupID uuid.UUID) bool {
-	m.mu.RLock()
-	defer m.mu.RUnlock()
-	return m.cancelledBackups[backupID]
-}
-
-func (m *BackupContextManager) UnregisterBackup(backupID uuid.UUID) {
-	m.mu.Lock()
-	defer m.mu.Unlock()
-	delete(m.cancelFuncs, backupID)
-	delete(m.cancelledBackups, backupID)
-}

backend/internal/features/backups/backups/backuping/backuper.go

@@ -0,0 +1,427 @@
+package backuping
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"log/slog"
+	"slices"
+	"strings"
+	"sync"
+	"sync/atomic"
+	"time"
+
+	"github.com/google/uuid"
+
+	"databasus-backend/internal/config"
+	backups_core "databasus-backend/internal/features/backups/backups/core"
+	backups_config "databasus-backend/internal/features/backups/config"
+	"databasus-backend/internal/features/databases"
+	"databasus-backend/internal/features/storages"
+	tasks_cancellation "databasus-backend/internal/features/tasks/cancellation"
+	workspaces_services "databasus-backend/internal/features/workspaces/services"
+	util_encryption "databasus-backend/internal/util/encryption"
+)
+
+const (
+	heartbeatTickerInterval     = 15 * time.Second
+	backuperHeathcheckThreshold = 5 * time.Minute
+)
+
+type BackuperNode struct {
+	databaseService     *databases.DatabaseService
+	fieldEncryptor      util_encryption.FieldEncryptor
+	workspaceService    *workspaces_services.WorkspaceService
+	backupRepository    *backups_core.BackupRepository
+	backupConfigService *backups_config.BackupConfigService
+	storageService      *storages.StorageService
+	notificationSender  backups_core.NotificationSender
+	backupCancelManager *tasks_cancellation.TaskCancelManager
+	backupNodesRegistry *BackupNodesRegistry
+	logger              *slog.Logger
+	createBackupUseCase backups_core.CreateBackupUsecase
+	nodeID              uuid.UUID
+
+	lastHeartbeat time.Time
+
+	runOnce sync.Once
+	hasRun  atomic.Bool
+}
+
+func (n *BackuperNode) Run(ctx context.Context) {
+	wasAlreadyRun := n.hasRun.Load()
+
+	n.runOnce.Do(func() {
+		n.hasRun.Store(true)
+
+		n.lastHeartbeat = time.Now().UTC()
+
+		throughputMBs := config.GetEnv().NodeNetworkThroughputMBs
+
+		backupNode := BackupNode{
+			ID:            n.nodeID,
+			ThroughputMBs: throughputMBs,
+			LastHeartbeat: time.Now().UTC(),
+		}
+
+		if err := n.backupNodesRegistry.HearthbeatNodeInRegistry(time.Now().UTC(), backupNode); err != nil {
+			n.logger.Error("Failed to register node in registry", "error", err)
+			panic(err)
+		}
+
+		backupHandler := func(backupID uuid.UUID, isCallNotifier bool) {
+			go func() {
+				n.MakeBackup(backupID, isCallNotifier)
+				if err := n.backupNodesRegistry.PublishBackupCompletion(n.nodeID, backupID); err != nil {
+					n.logger.Error(
+						"Failed to publish backup completion",
+						"error",
+						err,
+						"backupID",
+						backupID,
+					)
+				}
+			}()
+		}
+
+		err := n.backupNodesRegistry.SubscribeNodeForBackupsAssignment(n.nodeID, backupHandler)
+		if err != nil {
+			n.logger.Error("Failed to subscribe to backup assignments", "error", err)
+			panic(err)
+		}
+		defer func() {
+			if err := n.backupNodesRegistry.UnsubscribeNodeForBackupsAssignments(); err != nil {
+				n.logger.Error("Failed to unsubscribe from backup assignments", "error", err)
+			}
+		}()
+
+		ticker := time.NewTicker(heartbeatTickerInterval)
+		defer ticker.Stop()
+
+		n.logger.Info("Backup node started", "nodeID", n.nodeID, "throughput", throughputMBs)
+
+		for {
+			select {
+			case <-ctx.Done():
+				n.logger.Info("Shutdown signal received, unregistering node", "nodeID", n.nodeID)
+
+				if err := n.backupNodesRegistry.UnregisterNodeFromRegistry(backupNode); err != nil {
+					n.logger.Error("Failed to unregister node from registry", "error", err)
+				}
+
+				return
+			case <-ticker.C:
+				n.sendHeartbeat(&backupNode)
+			}
+		}
+	})
+
+	if wasAlreadyRun {
+		panic(fmt.Sprintf("%T.Run() called multiple times", n))
+	}
+}
+
+func (n *BackuperNode) IsBackuperRunning() bool {
+	return n.lastHeartbeat.After(time.Now().UTC().Add(-backuperHeathcheckThreshold))
+}
+
+func (n *BackuperNode) MakeBackup(backupID uuid.UUID, isCallNotifier bool) {
+	backup, err := n.backupRepository.FindByID(backupID)
+	if err != nil {
+		n.logger.Error("Failed to get backup by ID", "backupId", backupID, "error", err)
+		return
+	}
+
+	databaseID := backup.DatabaseID
+
+	database, err := n.databaseService.GetDatabaseByID(databaseID)
+	if err != nil {
+		n.logger.Error("Failed to get database by ID", "databaseId", databaseID, "error", err)
+		return
+	}
+
+	backupConfig, err := n.backupConfigService.GetBackupConfigByDbId(databaseID)
+	if err != nil {
+		n.logger.Error("Failed to get backup config by database ID", "error", err)
+		return
+	}
+
+	if backupConfig.StorageID == nil {
+		n.logger.Error("Backup config storage ID is not defined")
+		return
+	}
+
+	storage, err := n.storageService.GetStorageByID(*backupConfig.StorageID)
+	if err != nil {
+		n.logger.Error("Failed to get storage by ID", "error", err)
+		return
+	}
+
+	start := time.Now().UTC()
+
+	ctx, cancel := context.WithCancel(context.Background())
+	n.backupCancelManager.RegisterTask(backup.ID, cancel)
+	defer n.backupCancelManager.UnregisterTask(backup.ID)
+
+	backupProgressListener := func(
+		completedMBs float64,
+	) {
+		backup.BackupSizeMb = completedMBs
+		backup.BackupDurationMs = time.Since(start).Milliseconds()
+
+		// Check size limit (0 = unlimited)
+		if backupConfig.MaxBackupSizeMB > 0 &&
+			completedMBs > float64(backupConfig.MaxBackupSizeMB) {
+			errMsg := fmt.Sprintf(
+				"backup size (%.2f MB) exceeded maximum allowed size (%d MB)",
+				completedMBs,
+				backupConfig.MaxBackupSizeMB,
+			)
+
+			backup.Status = backups_core.BackupStatusFailed
+			backup.IsSkipRetry = true
+			backup.FailMessage = &errMsg
+			if err := n.backupRepository.Save(backup); err != nil {
+				n.logger.Error("Failed to save backup with size exceeded error", "error", err)
+			}
+			cancel() // Cancel the backup context
+
+			return
+		}
+
+		if err := n.backupRepository.Save(backup); err != nil {
+			n.logger.Error("Failed to update backup progress", "error", err)
+		}
+	}
+
+	backupMetadata, err := n.createBackupUseCase.Execute(
+		ctx,
+		backup.ID,
+		backupConfig,
+		database,
+		storage,
+		backupProgressListener,
+	)
+	if err != nil {
+		// Check if backup was already marked as failed by progress listener (e.g., size limit exceeded)
+		// If so, skip error handling to avoid overwriting the status
+		currentBackup, fetchErr := n.backupRepository.FindByID(backup.ID)
+		if fetchErr == nil && currentBackup.Status == backups_core.BackupStatusFailed {
+			n.logger.Warn(
+				"Backup already marked as failed by progress listener, skipping error handling",
+				"backupId",
+				backup.ID,
+				"failMessage",
+				*currentBackup.FailMessage,
+			)
+
+			// Still call notification for size limit failures
+			n.SendBackupNotification(
+				backupConfig,
+				currentBackup,
+				backups_config.NotificationBackupFailed,
+				currentBackup.FailMessage,
+			)
+
+			return
+		}
+
+		errMsg := err.Error()
+
+		// Log detailed error information for debugging
+		n.logger.Error("Backup execution failed",
+			"backupId", backup.ID,
+			"databaseId", databaseID,
+			"databaseType", database.Type,
+			"storageId", storage.ID,
+			"storageType", storage.Type,
+			"error", err,
+			"errorMessage", errMsg,
+		)
+
+		// Check if backup was cancelled (not due to shutdown)
+		isCancelled := strings.Contains(errMsg, "backup cancelled") ||
+			strings.Contains(errMsg, "context canceled") ||
+			errors.Is(err, context.Canceled)
+		isShutdown := strings.Contains(errMsg, "shutdown")
+
+		if isCancelled && !isShutdown {
+			n.logger.Warn("Backup was cancelled by user or system",
+				"backupId", backup.ID,
+				"isCancelled", isCancelled,
+				"isShutdown", isShutdown,
+			)
+
+			backup.Status = backups_core.BackupStatusCanceled
+			backup.BackupDurationMs = time.Since(start).Milliseconds()
+			backup.BackupSizeMb = 0
+
+			if err := n.backupRepository.Save(backup); err != nil {
+				n.logger.Error("Failed to save cancelled backup", "error", err)
+			}
+
+			// Delete partial backup from storage
+			storage, storageErr := n.storageService.GetStorageByID(backup.StorageID)
+			if storageErr == nil {
+				if deleteErr := storage.DeleteFile(n.fieldEncryptor, backup.ID); deleteErr != nil {
+					n.logger.Error(
+						"Failed to delete partial backup file",
+						"backupId",
+						backup.ID,
+						"error",
+						deleteErr,
+					)
+				}
+			}
+
+			return
+		}
+
+		backup.FailMessage = &errMsg
+		backup.Status = backups_core.BackupStatusFailed
+		backup.BackupDurationMs = time.Since(start).Milliseconds()
+		backup.BackupSizeMb = 0
+
+		if updateErr := n.databaseService.SetBackupError(databaseID, errMsg); updateErr != nil {
+			n.logger.Error(
+				"Failed to update database last backup time",
+				"databaseId",
+				databaseID,
+				"error",
+				updateErr,
+			)
+		}
+
+		if err := n.backupRepository.Save(backup); err != nil {
+			n.logger.Error("Failed to save backup", "error", err)
+		}
+
+		n.SendBackupNotification(
+			backupConfig,
+			backup,
+			backups_config.NotificationBackupFailed,
+			&errMsg,
+		)
+
+		return
+	}
+
+	backup.Status = backups_core.BackupStatusCompleted
+	backup.BackupDurationMs = time.Since(start).Milliseconds()
+
+	// Update backup with encryption metadata if provided
+	if backupMetadata != nil {
+		backup.EncryptionSalt = backupMetadata.EncryptionSalt
+		backup.EncryptionIV = backupMetadata.EncryptionIV
+		backup.Encryption = backupMetadata.Encryption
+	}
+
+	if err := n.backupRepository.Save(backup); err != nil {
+		n.logger.Error("Failed to save backup", "error", err)
+		return
+	}
+
+	// Update database last backup time
+	now := time.Now().UTC()
+	if updateErr := n.databaseService.SetLastBackupTime(databaseID, now); updateErr != nil {
+		n.logger.Error(
+			"Failed to update database last backup time",
+			"databaseId",
+			databaseID,
+			"error",
+			updateErr,
+		)
+	}
+
+	if backup.Status != backups_core.BackupStatusCompleted && !isCallNotifier {
+		return
+	}
+
+	n.SendBackupNotification(
+		backupConfig,
+		backup,
+		backups_config.NotificationBackupSuccess,
+		nil,
+	)
+}
+
+func (n *BackuperNode) SendBackupNotification(
+	backupConfig *backups_config.BackupConfig,
+	backup *backups_core.Backup,
+	notificationType backups_config.BackupNotificationType,
+	errorMessage *string,
+) {
+	database, err := n.databaseService.GetDatabaseByID(backupConfig.DatabaseID)
+	if err != nil {
+		return
+	}
+
+	workspace, err := n.workspaceService.GetWorkspaceByID(*database.WorkspaceID)
+	if err != nil {
+		return
+	}
+
+	for _, notifier := range database.Notifiers {
+		if !slices.Contains(
+			backupConfig.SendNotificationsOn,
+			notificationType,
+		) {
+			continue
+		}
+
+		title := ""
+		switch notificationType {
+		case backups_config.NotificationBackupFailed:
+			title = fmt.Sprintf(
+				"❌ Backup failed for database \"%s\" (workspace \"%s\")",
+				database.Name,
+				workspace.Name,
+			)
+		case backups_config.NotificationBackupSuccess:
+			title = fmt.Sprintf(
+				"✅ Backup completed for database \"%s\" (workspace \"%s\")",
+				database.Name,
+				workspace.Name,
+			)
+		}
+
+		message := ""
+		if errorMessage != nil {
+			message = *errorMessage
+		} else {
+			// Format size conditionally
+			var sizeStr string
+			if backup.BackupSizeMb < 1024 {
+				sizeStr = fmt.Sprintf("%.2f MB", backup.BackupSizeMb)
+			} else {
+				sizeGB := backup.BackupSizeMb / 1024
+				sizeStr = fmt.Sprintf("%.2f GB", sizeGB)
+			}
+
+			// Format duration as "0m 0s 0ms"
+			totalMs := backup.BackupDurationMs
+			minutes := totalMs / (1000 * 60)
+			seconds := (totalMs % (1000 * 60)) / 1000
+			durationStr := fmt.Sprintf("%dm %ds", minutes, seconds)
+
+			message = fmt.Sprintf(
+				"Backup completed successfully in %s.\nCompressed backup size: %s",
+				durationStr,
+				sizeStr,
+			)
+		}
+
+		n.notificationSender.SendNotification(
+			&notifier,
+			title,
+			message,
+		)
+	}
+}
+
+func (n *BackuperNode) sendHeartbeat(backupNode *BackupNode) {
+	n.lastHeartbeat = time.Now().UTC()
+	if err := n.backupNodesRegistry.HearthbeatNodeInRegistry(time.Now().UTC(), *backupNode); err != nil {
+		n.logger.Error("Failed to send heartbeat", "error", err)
+	}
+}

backend/internal/features/backups/backups/backuping/backuper_test.go

@@ -0,0 +1,273 @@
+package backuping
+
+import (
+	"strings"
+	"testing"
+	"time"
+
+	backups_core "databasus-backend/internal/features/backups/backups/core"
+	backups_config "databasus-backend/internal/features/backups/config"
+	"databasus-backend/internal/features/databases"
+	"databasus-backend/internal/features/notifiers"
+	"databasus-backend/internal/features/storages"
+	users_enums "databasus-backend/internal/features/users/enums"
+	users_testing "databasus-backend/internal/features/users/testing"
+	workspaces_testing "databasus-backend/internal/features/workspaces/testing"
+	cache_utils "databasus-backend/internal/util/cache"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/mock"
+)
+
+func Test_BackupExecuted_NotificationSent(t *testing.T) {
+	cache_utils.ClearAllCache()
+	user := users_testing.CreateTestUser(users_enums.UserRoleAdmin)
+	router := CreateTestRouter()
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", user, router)
+	storage := storages.CreateTestStorage(workspace.ID)
+	notifier := notifiers.CreateTestNotifier(workspace.ID)
+	database := databases.CreateTestDatabase(workspace.ID, storage, notifier)
+	backups_config.EnableBackupsForTestDatabase(database.ID, storage)
+
+	defer func() {
+		// cleanup backups first
+		backups, _ := backupRepository.FindByDatabaseID(database.ID)
+		for _, backup := range backups {
+			backupRepository.DeleteByID(backup.ID)
+		}
+
+		databases.RemoveTestDatabase(database)
+		time.Sleep(50 * time.Millisecond) // Wait for cascading deletes
+		notifiers.RemoveTestNotifier(notifier)
+		storages.RemoveTestStorage(storage.ID)
+		workspaces_testing.RemoveTestWorkspace(workspace, router)
+	}()
+
+	t.Run("BackupFailed_FailNotificationSent", func(t *testing.T) {
+		mockNotificationSender := &MockNotificationSender{}
+		backuperNode := CreateTestBackuperNode()
+		backuperNode.notificationSender = mockNotificationSender
+		backuperNode.createBackupUseCase = &CreateFailedBackupUsecase{}
+
+		// Create a backup record directly that will be looked up by MakeBackup
+		backup := &backups_core.Backup{
+			DatabaseID: database.ID,
+			StorageID:  storage.ID,
+			Status:     backups_core.BackupStatusInProgress,
+			CreatedAt:  time.Now().UTC(),
+		}
+		err := backupRepository.Save(backup)
+		assert.NoError(t, err)
+
+		// Set up expectations
+		mockNotificationSender.On("SendNotification",
+			mock.Anything,
+			mock.MatchedBy(func(title string) bool {
+				return strings.Contains(title, "❌ Backup failed")
+			}),
+			mock.MatchedBy(func(message string) bool {
+				return strings.Contains(message, "backup failed")
+			}),
+		).Once()
+
+		backuperNode.MakeBackup(backup.ID, true)
+
+		// Verify all expectations were met
+		mockNotificationSender.AssertExpectations(t)
+	})
+
+	t.Run("BackupSuccess_SuccessNotificationSent", func(t *testing.T) {
+		mockNotificationSender := &MockNotificationSender{}
+		backuperNode := CreateTestBackuperNode()
+		backuperNode.notificationSender = mockNotificationSender
+		backuperNode.createBackupUseCase = &CreateSuccessBackupUsecase{}
+
+		// Create a backup record directly that will be looked up by MakeBackup
+		backup := &backups_core.Backup{
+			DatabaseID: database.ID,
+			StorageID:  storage.ID,
+			Status:     backups_core.BackupStatusInProgress,
+			CreatedAt:  time.Now().UTC(),
+		}
+		err := backupRepository.Save(backup)
+		assert.NoError(t, err)
+
+		// Set up expectations
+		mockNotificationSender.On("SendNotification",
+			mock.Anything,
+			mock.MatchedBy(func(title string) bool {
+				return strings.Contains(title, "✅ Backup completed")
+			}),
+			mock.MatchedBy(func(message string) bool {
+				return strings.Contains(message, "Backup completed successfully")
+			}),
+		).Once()
+
+		backuperNode.MakeBackup(backup.ID, true)
+
+		// Verify all expectations were met
+		mockNotificationSender.AssertExpectations(t)
+	})
+
+	t.Run("BackupSuccess_VerifyNotificationContent", func(t *testing.T) {
+		mockNotificationSender := &MockNotificationSender{}
+		backuperNode := CreateTestBackuperNode()
+		backuperNode.notificationSender = mockNotificationSender
+		backuperNode.createBackupUseCase = &CreateSuccessBackupUsecase{}
+
+		// Create a backup record directly that will be looked up by MakeBackup
+		backup := &backups_core.Backup{
+			DatabaseID: database.ID,
+			StorageID:  storage.ID,
+			Status:     backups_core.BackupStatusInProgress,
+			CreatedAt:  time.Now().UTC(),
+		}
+		err := backupRepository.Save(backup)
+		assert.NoError(t, err)
+
+		// capture arguments
+		var capturedNotifier *notifiers.Notifier
+		var capturedTitle string
+		var capturedMessage string
+
+		mockNotificationSender.On("SendNotification",
+			mock.Anything,
+			mock.AnythingOfType("string"),
+			mock.AnythingOfType("string"),
+		).Run(func(args mock.Arguments) {
+			capturedNotifier = args.Get(0).(*notifiers.Notifier)
+			capturedTitle = args.Get(1).(string)
+			capturedMessage = args.Get(2).(string)
+		}).Once()
+
+		backuperNode.MakeBackup(backup.ID, true)
+
+		// Verify expectations were met
+		mockNotificationSender.AssertExpectations(t)
+
+		// Additional detailed assertions
+		assert.Contains(t, capturedTitle, "✅ Backup completed")
+		assert.Contains(t, capturedTitle, database.Name)
+		assert.Contains(t, capturedMessage, "Backup completed successfully")
+		assert.Contains(t, capturedMessage, "10.00 MB")
+		assert.Equal(t, notifier.ID, capturedNotifier.ID)
+	})
+}
+
+func Test_BackupSizeLimits(t *testing.T) {
+	cache_utils.ClearAllCache()
+	user := users_testing.CreateTestUser(users_enums.UserRoleAdmin)
+	router := CreateTestRouter()
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", user, router)
+	storage := storages.CreateTestStorage(workspace.ID)
+	notifier := notifiers.CreateTestNotifier(workspace.ID)
+	database := databases.CreateTestDatabase(workspace.ID, storage, notifier)
+
+	defer func() {
+		// cleanup backups first
+		backups, _ := backupRepository.FindByDatabaseID(database.ID)
+		for _, backup := range backups {
+			backupRepository.DeleteByID(backup.ID)
+		}
+
+		databases.RemoveTestDatabase(database)
+		time.Sleep(50 * time.Millisecond) // Wait for cascading deletes
+		notifiers.RemoveTestNotifier(notifier)
+		storages.RemoveTestStorage(storage.ID)
+		workspaces_testing.RemoveTestWorkspace(workspace, router)
+	}()
+
+	t.Run("UnlimitedSize_MaxBackupSizeMBIsZero_BackupCompletes", func(t *testing.T) {
+		// Enable backups with unlimited size (0)
+		backupConfig := backups_config.EnableBackupsForTestDatabase(database.ID, storage)
+		backupConfig.MaxBackupSizeMB = 0 // unlimited
+		backupConfig, err := backups_config.GetBackupConfigService().SaveBackupConfig(backupConfig)
+		assert.NoError(t, err)
+
+		backuperNode := CreateTestBackuperNode()
+		backuperNode.createBackupUseCase = &CreateLargeBackupUsecase{}
+
+		// Create a backup record
+		backup := &backups_core.Backup{
+			DatabaseID: database.ID,
+			StorageID:  storage.ID,
+			Status:     backups_core.BackupStatusInProgress,
+			CreatedAt:  time.Now().UTC(),
+		}
+		err = backupRepository.Save(backup)
+		assert.NoError(t, err)
+
+		backuperNode.MakeBackup(backup.ID, false)
+
+		// Verify backup completed successfully even with large size
+		updatedBackup, err := backupRepository.FindByID(backup.ID)
+		assert.NoError(t, err)
+		assert.Equal(t, backups_core.BackupStatusCompleted, updatedBackup.Status)
+		assert.Equal(t, float64(10000), updatedBackup.BackupSizeMb)
+		assert.Nil(t, updatedBackup.FailMessage)
+	})
+
+	t.Run("SizeExceeded_BackupFailedWithIsSkipRetry", func(t *testing.T) {
+		// Enable backups with 5 MB limit
+		backupConfig := backups_config.EnableBackupsForTestDatabase(database.ID, storage)
+		backupConfig.MaxBackupSizeMB = 5
+		backupConfig, err := backups_config.GetBackupConfigService().SaveBackupConfig(backupConfig)
+		assert.NoError(t, err)
+
+		backuperNode := CreateTestBackuperNode()
+		backuperNode.createBackupUseCase = &CreateProgressiveBackupUsecase{}
+
+		// Create a backup record
+		backup := &backups_core.Backup{
+			DatabaseID: database.ID,
+			StorageID:  storage.ID,
+			Status:     backups_core.BackupStatusInProgress,
+			CreatedAt:  time.Now().UTC(),
+		}
+		err = backupRepository.Save(backup)
+		assert.NoError(t, err)
+
+		backuperNode.MakeBackup(backup.ID, false)
+
+		// Verify backup was marked as failed with IsSkipRetry=true
+		updatedBackup, err := backupRepository.FindByID(backup.ID)
+		assert.NoError(t, err)
+		assert.Equal(t, backups_core.BackupStatusFailed, updatedBackup.Status)
+		assert.True(t, updatedBackup.IsSkipRetry)
+		assert.NotNil(t, updatedBackup.FailMessage)
+		assert.Contains(t, *updatedBackup.FailMessage, "exceeded maximum allowed size")
+		assert.Contains(t, *updatedBackup.FailMessage, "10.00 MB")
+		assert.Contains(t, *updatedBackup.FailMessage, "5 MB")
+		assert.Greater(t, updatedBackup.BackupSizeMb, float64(5))
+	})
+
+	t.Run("SizeWithinLimit_BackupCompletes", func(t *testing.T) {
+		// Enable backups with 100 MB limit
+		backupConfig := backups_config.EnableBackupsForTestDatabase(database.ID, storage)
+		backupConfig.MaxBackupSizeMB = 100
+		backupConfig, err := backups_config.GetBackupConfigService().SaveBackupConfig(backupConfig)
+		assert.NoError(t, err)
+
+		backuperNode := CreateTestBackuperNode()
+		backuperNode.createBackupUseCase = &CreateMediumBackupUsecase{}
+
+		// Create a backup record
+		backup := &backups_core.Backup{
+			DatabaseID: database.ID,
+			StorageID:  storage.ID,
+			Status:     backups_core.BackupStatusInProgress,
+			CreatedAt:  time.Now().UTC(),
+		}
+		err = backupRepository.Save(backup)
+		assert.NoError(t, err)
+
+		backuperNode.MakeBackup(backup.ID, false)
+
+		// Verify backup completed successfully
+		updatedBackup, err := backupRepository.FindByID(backup.ID)
+		assert.NoError(t, err)
+		assert.Equal(t, backups_core.BackupStatusCompleted, updatedBackup.Status)
+		assert.Equal(t, float64(50), updatedBackup.BackupSizeMb)
+		assert.Nil(t, updatedBackup.FailMessage)
+	})
+}

backend/internal/features/backups/backups/backuping/cleaner.go

@@ -0,0 +1,242 @@
+package backuping
+
+import (
+	"context"
+	"fmt"
+	"log/slog"
+	"sync"
+	"sync/atomic"
+	"time"
+
+	"github.com/google/uuid"
+
+	backups_core "databasus-backend/internal/features/backups/backups/core"
+	backups_config "databasus-backend/internal/features/backups/config"
+	"databasus-backend/internal/features/storages"
+	util_encryption "databasus-backend/internal/util/encryption"
+	"databasus-backend/internal/util/period"
+)
+
+const (
+	cleanerTickerInterval = 1 * time.Minute
+)
+
+type BackupCleaner struct {
+	backupRepository      *backups_core.BackupRepository
+	storageService        *storages.StorageService
+	backupConfigService   *backups_config.BackupConfigService
+	fieldEncryptor        util_encryption.FieldEncryptor
+	logger                *slog.Logger
+	backupRemoveListeners []backups_core.BackupRemoveListener
+
+	runOnce sync.Once
+	hasRun  atomic.Bool
+}
+
+func (c *BackupCleaner) Run(ctx context.Context) {
+	wasAlreadyRun := c.hasRun.Load()
+
+	c.runOnce.Do(func() {
+		c.hasRun.Store(true)
+
+		if ctx.Err() != nil {
+			return
+		}
+
+		ticker := time.NewTicker(cleanerTickerInterval)
+		defer ticker.Stop()
+
+		for {
+			select {
+			case <-ctx.Done():
+				return
+			case <-ticker.C:
+				if err := c.cleanOldBackups(); err != nil {
+					c.logger.Error("Failed to clean old backups", "error", err)
+				}
+
+				if err := c.cleanExceededBackups(); err != nil {
+					c.logger.Error("Failed to clean exceeded backups", "error", err)
+				}
+			}
+		}
+	})
+
+	if wasAlreadyRun {
+		panic(fmt.Sprintf("%T.Run() called multiple times", c))
+	}
+}
+
+func (c *BackupCleaner) DeleteBackup(backup *backups_core.Backup) error {
+	for _, listener := range c.backupRemoveListeners {
+		if err := listener.OnBeforeBackupRemove(backup); err != nil {
+			return err
+		}
+	}
+
+	storage, err := c.storageService.GetStorageByID(backup.StorageID)
+	if err != nil {
+		return err
+	}
+
+	err = storage.DeleteFile(c.fieldEncryptor, backup.ID)
+	if err != nil {
+		// we do not return error here, because sometimes clean up performed
+		// before unavailable storage removal or change - therefore we should
+		// proceed even in case of error. It's possible that some S3 or
+		// storage is not available yet, it should not block us
+		c.logger.Error("Failed to delete backup file", "error", err)
+	}
+
+	return c.backupRepository.DeleteByID(backup.ID)
+}
+
+func (c *BackupCleaner) AddBackupRemoveListener(listener backups_core.BackupRemoveListener) {
+	c.backupRemoveListeners = append(c.backupRemoveListeners, listener)
+}
+
+func (c *BackupCleaner) cleanOldBackups() error {
+	enabledBackupConfigs, err := c.backupConfigService.GetBackupConfigsWithEnabledBackups()
+	if err != nil {
+		return err
+	}
+
+	for _, backupConfig := range enabledBackupConfigs {
+		backupStorePeriod := backupConfig.StorePeriod
+
+		if backupStorePeriod == period.PeriodForever {
+			continue
+		}
+
+		storeDuration := backupStorePeriod.ToDuration()
+		dateBeforeBackupsShouldBeDeleted := time.Now().UTC().Add(-storeDuration)
+
+		oldBackups, err := c.backupRepository.FindBackupsBeforeDate(
+			backupConfig.DatabaseID,
+			dateBeforeBackupsShouldBeDeleted,
+		)
+		if err != nil {
+			c.logger.Error(
+				"Failed to find old backups for database",
+				"databaseId",
+				backupConfig.DatabaseID,
+				"error",
+				err,
+			)
+			continue
+		}
+
+		for _, backup := range oldBackups {
+			if err := c.DeleteBackup(backup); err != nil {
+				c.logger.Error("Failed to delete old backup", "backupId", backup.ID, "error", err)
+				continue
+			}
+
+			c.logger.Info(
+				"Deleted old backup",
+				"backupId",
+				backup.ID,
+				"databaseId",
+				backupConfig.DatabaseID,
+			)
+		}
+	}
+
+	return nil
+}
+
+func (c *BackupCleaner) cleanExceededBackups() error {
+	enabledBackupConfigs, err := c.backupConfigService.GetBackupConfigsWithEnabledBackups()
+	if err != nil {
+		return err
+	}
+
+	for _, backupConfig := range enabledBackupConfigs {
+		if backupConfig.MaxBackupsTotalSizeMB <= 0 {
+			continue
+		}
+
+		if err := c.cleanExceededBackupsForDatabase(
+			backupConfig.DatabaseID,
+			backupConfig.MaxBackupsTotalSizeMB,
+		); err != nil {
+			c.logger.Error(
+				"Failed to clean exceeded backups for database",
+				"databaseId",
+				backupConfig.DatabaseID,
+				"error",
+				err,
+			)
+			continue
+		}
+	}
+
+	return nil
+}
+
+func (c *BackupCleaner) cleanExceededBackupsForDatabase(
+	databaseID uuid.UUID,
+	limitperDbMB int64,
+) error {
+	for {
+		backupsTotalSizeMB, err := c.backupRepository.GetTotalSizeByDatabase(databaseID)
+		if err != nil {
+			return err
+		}
+
+		if backupsTotalSizeMB <= float64(limitperDbMB) {
+			break
+		}
+
+		oldestBackups, err := c.backupRepository.FindOldestByDatabaseExcludingInProgress(
+			databaseID,
+			1,
+		)
+		if err != nil {
+			return err
+		}
+
+		if len(oldestBackups) == 0 {
+			c.logger.Warn(
+				"No backups to delete but still over limit",
+				"databaseId",
+				databaseID,
+				"totalSizeMB",
+				backupsTotalSizeMB,
+				"limitMB",
+				limitperDbMB,
+			)
+			break
+		}
+
+		backup := oldestBackups[0]
+		if err := c.DeleteBackup(backup); err != nil {
+			c.logger.Error(
+				"Failed to delete exceeded backup",
+				"backupId",
+				backup.ID,
+				"databaseId",
+				databaseID,
+				"error",
+				err,
+			)
+			return err
+		}
+
+		c.logger.Info(
+			"Deleted exceeded backup",
+			"backupId",
+			backup.ID,
+			"databaseId",
+			databaseID,
+			"backupSizeMB",
+			backup.BackupSizeMb,
+			"totalSizeMB",
+			backupsTotalSizeMB,
+			"limitMB",
+			limitperDbMB,
+		)
+	}
+
+	return nil
+}

backend/internal/features/backups/backups/backuping/cleaner_test.go

@@ -0,0 +1,595 @@
+package backuping
+
+import (
+	"testing"
+	"time"
+
+	backups_core "databasus-backend/internal/features/backups/backups/core"
+	backups_config "databasus-backend/internal/features/backups/config"
+	"databasus-backend/internal/features/databases"
+	"databasus-backend/internal/features/intervals"
+	"databasus-backend/internal/features/notifiers"
+	"databasus-backend/internal/features/storages"
+	users_enums "databasus-backend/internal/features/users/enums"
+	users_testing "databasus-backend/internal/features/users/testing"
+	workspaces_testing "databasus-backend/internal/features/workspaces/testing"
+	"databasus-backend/internal/storage"
+	"databasus-backend/internal/util/period"
+
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_CleanOldBackups_DeletesBackupsOlderThanStorePeriod(t *testing.T) {
+	router := CreateTestRouter()
+	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+	storage := storages.CreateTestStorage(workspace.ID)
+	notifier := notifiers.CreateTestNotifier(workspace.ID)
+	database := databases.CreateTestDatabase(workspace.ID, storage, notifier)
+
+	defer func() {
+		backups, _ := backupRepository.FindByDatabaseID(database.ID)
+		for _, backup := range backups {
+			backupRepository.DeleteByID(backup.ID)
+		}
+
+		databases.RemoveTestDatabase(database)
+		time.Sleep(50 * time.Millisecond)
+		notifiers.RemoveTestNotifier(notifier)
+		storages.RemoveTestStorage(storage.ID)
+		workspaces_testing.RemoveTestWorkspace(workspace, router)
+	}()
+
+	// Create backup interval
+	interval := createTestInterval()
+
+	backupConfig := &backups_config.BackupConfig{
+		DatabaseID:       database.ID,
+		IsBackupsEnabled: true,
+		StorePeriod:      period.PeriodWeek,
+		StorageID:        &storage.ID,
+		BackupIntervalID: interval.ID,
+		BackupInterval:   interval,
+	}
+	_, err := backups_config.GetBackupConfigService().SaveBackupConfig(backupConfig)
+	assert.NoError(t, err)
+
+	// Create backups with different ages
+	now := time.Now().UTC()
+	oldBackup1 := &backups_core.Backup{
+		ID:           uuid.New(),
+		DatabaseID:   database.ID,
+		StorageID:    storage.ID,
+		Status:       backups_core.BackupStatusCompleted,
+		BackupSizeMb: 10,
+		CreatedAt:    now.Add(-10 * 24 * time.Hour), // 10 days old
+	}
+	oldBackup2 := &backups_core.Backup{
+		ID:           uuid.New(),
+		DatabaseID:   database.ID,
+		StorageID:    storage.ID,
+		Status:       backups_core.BackupStatusCompleted,
+		BackupSizeMb: 10,
+		CreatedAt:    now.Add(-8 * 24 * time.Hour), // 8 days old
+	}
+	recentBackup := &backups_core.Backup{
+		ID:           uuid.New(),
+		DatabaseID:   database.ID,
+		StorageID:    storage.ID,
+		Status:       backups_core.BackupStatusCompleted,
+		BackupSizeMb: 10,
+		CreatedAt:    now.Add(-3 * 24 * time.Hour), // 3 days old
+	}
+
+	err = backupRepository.Save(oldBackup1)
+	assert.NoError(t, err)
+	err = backupRepository.Save(oldBackup2)
+	assert.NoError(t, err)
+	err = backupRepository.Save(recentBackup)
+	assert.NoError(t, err)
+
+	// Run cleanup
+	cleaner := GetBackupCleaner()
+	err = cleaner.cleanOldBackups()
+	assert.NoError(t, err)
+
+	// Verify old backups deleted, recent backup remains
+	remainingBackups, err := backupRepository.FindByDatabaseID(database.ID)
+	assert.NoError(t, err)
+	assert.Equal(t, 1, len(remainingBackups))
+	assert.Equal(t, recentBackup.ID, remainingBackups[0].ID)
+}
+
+func Test_CleanOldBackups_SkipsDatabaseWithForeverStorePeriod(t *testing.T) {
+	router := CreateTestRouter()
+	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+	storage := storages.CreateTestStorage(workspace.ID)
+	notifier := notifiers.CreateTestNotifier(workspace.ID)
+	database := databases.CreateTestDatabase(workspace.ID, storage, notifier)
+
+	defer func() {
+		backups, _ := backupRepository.FindByDatabaseID(database.ID)
+		for _, backup := range backups {
+			backupRepository.DeleteByID(backup.ID)
+		}
+
+		databases.RemoveTestDatabase(database)
+		time.Sleep(50 * time.Millisecond)
+		notifiers.RemoveTestNotifier(notifier)
+		storages.RemoveTestStorage(storage.ID)
+		workspaces_testing.RemoveTestWorkspace(workspace, router)
+	}()
+
+	// Create backup interval
+	interval := createTestInterval()
+
+	backupConfig := &backups_config.BackupConfig{
+		DatabaseID:       database.ID,
+		IsBackupsEnabled: true,
+		StorePeriod:      period.PeriodForever,
+		StorageID:        &storage.ID,
+		BackupIntervalID: interval.ID,
+		BackupInterval:   interval,
+	}
+	_, err := backups_config.GetBackupConfigService().SaveBackupConfig(backupConfig)
+	assert.NoError(t, err)
+
+	// Create very old backup
+	oldBackup := &backups_core.Backup{
+		ID:           uuid.New(),
+		DatabaseID:   database.ID,
+		StorageID:    storage.ID,
+		Status:       backups_core.BackupStatusCompleted,
+		BackupSizeMb: 10,
+		CreatedAt:    time.Now().UTC().Add(-365 * 24 * time.Hour), // 1 year old
+	}
+	err = backupRepository.Save(oldBackup)
+	assert.NoError(t, err)
+
+	// Run cleanup
+	cleaner := GetBackupCleaner()
+	err = cleaner.cleanOldBackups()
+	assert.NoError(t, err)
+
+	// Verify backup still exists
+	remainingBackups, err := backupRepository.FindByDatabaseID(database.ID)
+	assert.NoError(t, err)
+	assert.Equal(t, 1, len(remainingBackups))
+	assert.Equal(t, oldBackup.ID, remainingBackups[0].ID)
+}
+
+func Test_CleanExceededBackups_WhenUnderLimit_NoBackupsDeleted(t *testing.T) {
+	router := CreateTestRouter()
+	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+	storage := storages.CreateTestStorage(workspace.ID)
+	notifier := notifiers.CreateTestNotifier(workspace.ID)
+	database := databases.CreateTestDatabase(workspace.ID, storage, notifier)
+
+	defer func() {
+		backups, _ := backupRepository.FindByDatabaseID(database.ID)
+		for _, backup := range backups {
+			backupRepository.DeleteByID(backup.ID)
+		}
+
+		databases.RemoveTestDatabase(database)
+		time.Sleep(50 * time.Millisecond)
+		notifiers.RemoveTestNotifier(notifier)
+		storages.RemoveTestStorage(storage.ID)
+		workspaces_testing.RemoveTestWorkspace(workspace, router)
+	}()
+
+	// Create backup interval
+	interval := createTestInterval()
+
+	backupConfig := &backups_config.BackupConfig{
+		DatabaseID:            database.ID,
+		IsBackupsEnabled:      true,
+		StorePeriod:           period.PeriodForever,
+		StorageID:             &storage.ID,
+		MaxBackupsTotalSizeMB: 100, // 100 MB limit
+		BackupIntervalID:      interval.ID,
+		BackupInterval:        interval,
+	}
+	_, err := backups_config.GetBackupConfigService().SaveBackupConfig(backupConfig)
+	assert.NoError(t, err)
+
+	// Create 3 backups totaling 50MB (under limit)
+	for i := 0; i < 3; i++ {
+		backup := &backups_core.Backup{
+			ID:           uuid.New(),
+			DatabaseID:   database.ID,
+			StorageID:    storage.ID,
+			Status:       backups_core.BackupStatusCompleted,
+			BackupSizeMb: 16.67,
+			CreatedAt:    time.Now().UTC().Add(-time.Duration(i) * time.Hour),
+		}
+		err = backupRepository.Save(backup)
+		assert.NoError(t, err)
+	}
+
+	// Run cleanup
+	cleaner := GetBackupCleaner()
+	err = cleaner.cleanExceededBackups()
+	assert.NoError(t, err)
+
+	// Verify all backups remain
+	remainingBackups, err := backupRepository.FindByDatabaseID(database.ID)
+	assert.NoError(t, err)
+	assert.Equal(t, 3, len(remainingBackups))
+}
+
+func Test_CleanExceededBackups_WhenOverLimit_DeletesOldestBackups(t *testing.T) {
+	router := CreateTestRouter()
+	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+	storage := storages.CreateTestStorage(workspace.ID)
+	notifier := notifiers.CreateTestNotifier(workspace.ID)
+	database := databases.CreateTestDatabase(workspace.ID, storage, notifier)
+
+	defer func() {
+		backups, _ := backupRepository.FindByDatabaseID(database.ID)
+		for _, backup := range backups {
+			backupRepository.DeleteByID(backup.ID)
+		}
+
+		databases.RemoveTestDatabase(database)
+		time.Sleep(50 * time.Millisecond)
+		notifiers.RemoveTestNotifier(notifier)
+		storages.RemoveTestStorage(storage.ID)
+		workspaces_testing.RemoveTestWorkspace(workspace, router)
+	}()
+
+	// Create backup interval
+	interval := createTestInterval()
+
+	backupConfig := &backups_config.BackupConfig{
+		DatabaseID:            database.ID,
+		IsBackupsEnabled:      true,
+		StorePeriod:           period.PeriodForever,
+		StorageID:             &storage.ID,
+		MaxBackupsTotalSizeMB: 30, // 30 MB limit
+		BackupIntervalID:      interval.ID,
+		BackupInterval:        interval,
+	}
+	_, err := backups_config.GetBackupConfigService().SaveBackupConfig(backupConfig)
+	assert.NoError(t, err)
+
+	// Create 5 backups of 10MB each (total 50MB, over 30MB limit)
+	now := time.Now().UTC()
+	var backupIDs []uuid.UUID
+	for i := 0; i < 5; i++ {
+		backup := &backups_core.Backup{
+			ID:           uuid.New(),
+			DatabaseID:   database.ID,
+			StorageID:    storage.ID,
+			Status:       backups_core.BackupStatusCompleted,
+			BackupSizeMb: 10,
+			CreatedAt:    now.Add(-time.Duration(4-i) * time.Hour), // Oldest first
+		}
+		err = backupRepository.Save(backup)
+		assert.NoError(t, err)
+		backupIDs = append(backupIDs, backup.ID)
+	}
+
+	// Run cleanup
+	cleaner := GetBackupCleaner()
+	err = cleaner.cleanExceededBackups()
+	assert.NoError(t, err)
+
+	// Verify 2 oldest backups deleted, 3 newest remain
+	remainingBackups, err := backupRepository.FindByDatabaseID(database.ID)
+	assert.NoError(t, err)
+	assert.Equal(t, 3, len(remainingBackups))
+
+	// Check that the newest 3 backups remain
+	remainingIDs := make(map[uuid.UUID]bool)
+	for _, backup := range remainingBackups {
+		remainingIDs[backup.ID] = true
+	}
+	assert.False(t, remainingIDs[backupIDs[0]]) // Oldest deleted
+	assert.False(t, remainingIDs[backupIDs[1]]) // 2nd oldest deleted
+	assert.True(t, remainingIDs[backupIDs[2]])  // 3rd remains
+	assert.True(t, remainingIDs[backupIDs[3]])  // 4th remains
+	assert.True(t, remainingIDs[backupIDs[4]])  // Newest remains
+}
+
+func Test_CleanExceededBackups_SkipsInProgressBackups(t *testing.T) {
+	router := CreateTestRouter()
+	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+	storage := storages.CreateTestStorage(workspace.ID)
+	notifier := notifiers.CreateTestNotifier(workspace.ID)
+	database := databases.CreateTestDatabase(workspace.ID, storage, notifier)
+
+	defer func() {
+		backups, _ := backupRepository.FindByDatabaseID(database.ID)
+		for _, backup := range backups {
+			backupRepository.DeleteByID(backup.ID)
+		}
+
+		databases.RemoveTestDatabase(database)
+		time.Sleep(50 * time.Millisecond)
+		notifiers.RemoveTestNotifier(notifier)
+		storages.RemoveTestStorage(storage.ID)
+		workspaces_testing.RemoveTestWorkspace(workspace, router)
+	}()
+
+	// Create backup interval
+	interval := createTestInterval()
+
+	backupConfig := &backups_config.BackupConfig{
+		DatabaseID:            database.ID,
+		IsBackupsEnabled:      true,
+		StorePeriod:           period.PeriodForever,
+		StorageID:             &storage.ID,
+		MaxBackupsTotalSizeMB: 50, // 50 MB limit
+		BackupIntervalID:      interval.ID,
+		BackupInterval:        interval,
+	}
+	_, err := backups_config.GetBackupConfigService().SaveBackupConfig(backupConfig)
+	assert.NoError(t, err)
+
+	now := time.Now().UTC()
+
+	// Create 3 completed backups of 30MB each
+	completedBackups := make([]*backups_core.Backup, 3)
+	for i := 0; i < 3; i++ {
+		backup := &backups_core.Backup{
+			ID:           uuid.New(),
+			DatabaseID:   database.ID,
+			StorageID:    storage.ID,
+			Status:       backups_core.BackupStatusCompleted,
+			BackupSizeMb: 30,
+			CreatedAt:    now.Add(-time.Duration(3-i) * time.Hour),
+		}
+		err = backupRepository.Save(backup)
+		assert.NoError(t, err)
+		completedBackups[i] = backup
+	}
+
+	// Create 1 in-progress backup (should be excluded from size calculation and deletion)
+	inProgressBackup := &backups_core.Backup{
+		ID:           uuid.New(),
+		DatabaseID:   database.ID,
+		StorageID:    storage.ID,
+		Status:       backups_core.BackupStatusInProgress,
+		BackupSizeMb: 10,
+		CreatedAt:    now,
+	}
+	err = backupRepository.Save(inProgressBackup)
+	assert.NoError(t, err)
+
+	// Run cleanup
+	cleaner := GetBackupCleaner()
+	err = cleaner.cleanExceededBackups()
+	assert.NoError(t, err)
+
+	// Verify: only completed backups deleted, in-progress remains
+	remainingBackups, err := backupRepository.FindByDatabaseID(database.ID)
+	assert.NoError(t, err)
+
+	// Should have in-progress + 1 completed (total 40MB completed + 10MB in-progress)
+	assert.GreaterOrEqual(t, len(remainingBackups), 2)
+
+	// Verify in-progress backup still exists
+	var inProgressFound bool
+	for _, backup := range remainingBackups {
+		if backup.ID == inProgressBackup.ID {
+			inProgressFound = true
+			assert.Equal(t, backups_core.BackupStatusInProgress, backup.Status)
+		}
+	}
+	assert.True(t, inProgressFound, "In-progress backup should not be deleted")
+}
+
+func Test_CleanExceededBackups_WithZeroLimit_SkipsDatabase(t *testing.T) {
+	router := CreateTestRouter()
+	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+	storage := storages.CreateTestStorage(workspace.ID)
+	notifier := notifiers.CreateTestNotifier(workspace.ID)
+	database := databases.CreateTestDatabase(workspace.ID, storage, notifier)
+
+	defer func() {
+		backups, _ := backupRepository.FindByDatabaseID(database.ID)
+		for _, backup := range backups {
+			backupRepository.DeleteByID(backup.ID)
+		}
+
+		databases.RemoveTestDatabase(database)
+		time.Sleep(50 * time.Millisecond)
+		notifiers.RemoveTestNotifier(notifier)
+		storages.RemoveTestStorage(storage.ID)
+		workspaces_testing.RemoveTestWorkspace(workspace, router)
+	}()
+
+	// Create backup interval
+	interval := createTestInterval()
+
+	backupConfig := &backups_config.BackupConfig{
+		DatabaseID:            database.ID,
+		IsBackupsEnabled:      true,
+		StorePeriod:           period.PeriodForever,
+		StorageID:             &storage.ID,
+		MaxBackupsTotalSizeMB: 0, // No size limit
+		BackupIntervalID:      interval.ID,
+		BackupInterval:        interval,
+	}
+	_, err := backups_config.GetBackupConfigService().SaveBackupConfig(backupConfig)
+	assert.NoError(t, err)
+
+	// Create large backups
+	for i := 0; i < 10; i++ {
+		backup := &backups_core.Backup{
+			ID:           uuid.New(),
+			DatabaseID:   database.ID,
+			StorageID:    storage.ID,
+			Status:       backups_core.BackupStatusCompleted,
+			BackupSizeMb: 100,
+			CreatedAt:    time.Now().UTC().Add(-time.Duration(i) * time.Hour),
+		}
+		err = backupRepository.Save(backup)
+		assert.NoError(t, err)
+	}
+
+	// Run cleanup
+	cleaner := GetBackupCleaner()
+	err = cleaner.cleanExceededBackups()
+	assert.NoError(t, err)
+
+	// Verify all backups remain
+	remainingBackups, err := backupRepository.FindByDatabaseID(database.ID)
+	assert.NoError(t, err)
+	assert.Equal(t, 10, len(remainingBackups))
+}
+
+func Test_GetTotalSizeByDatabase_CalculatesCorrectly(t *testing.T) {
+	router := CreateTestRouter()
+	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+	storage := storages.CreateTestStorage(workspace.ID)
+	notifier := notifiers.CreateTestNotifier(workspace.ID)
+	database := databases.CreateTestDatabase(workspace.ID, storage, notifier)
+
+	defer func() {
+		backups, _ := backupRepository.FindByDatabaseID(database.ID)
+		for _, backup := range backups {
+			backupRepository.DeleteByID(backup.ID)
+		}
+
+		databases.RemoveTestDatabase(database)
+		time.Sleep(50 * time.Millisecond)
+		notifiers.RemoveTestNotifier(notifier)
+		storages.RemoveTestStorage(storage.ID)
+		workspaces_testing.RemoveTestWorkspace(workspace, router)
+	}()
+
+	// Create completed backups
+	completedBackup1 := &backups_core.Backup{
+		ID:           uuid.New(),
+		DatabaseID:   database.ID,
+		StorageID:    storage.ID,
+		Status:       backups_core.BackupStatusCompleted,
+		BackupSizeMb: 10.5,
+		CreatedAt:    time.Now().UTC(),
+	}
+	completedBackup2 := &backups_core.Backup{
+		ID:           uuid.New(),
+		DatabaseID:   database.ID,
+		StorageID:    storage.ID,
+		Status:       backups_core.BackupStatusCompleted,
+		BackupSizeMb: 20.3,
+		CreatedAt:    time.Now().UTC(),
+	}
+	// Create failed backup (should be included)
+	failedBackup := &backups_core.Backup{
+		ID:           uuid.New(),
+		DatabaseID:   database.ID,
+		StorageID:    storage.ID,
+		Status:       backups_core.BackupStatusFailed,
+		BackupSizeMb: 5.2,
+		CreatedAt:    time.Now().UTC(),
+	}
+	// Create in-progress backup (should be excluded)
+	inProgressBackup := &backups_core.Backup{
+		ID:           uuid.New(),
+		DatabaseID:   database.ID,
+		StorageID:    storage.ID,
+		Status:       backups_core.BackupStatusInProgress,
+		BackupSizeMb: 100,
+		CreatedAt:    time.Now().UTC(),
+	}
+
+	err := backupRepository.Save(completedBackup1)
+	assert.NoError(t, err)
+	err = backupRepository.Save(completedBackup2)
+	assert.NoError(t, err)
+	err = backupRepository.Save(failedBackup)
+	assert.NoError(t, err)
+	err = backupRepository.Save(inProgressBackup)
+	assert.NoError(t, err)
+
+	// Calculate total size
+	totalSize, err := backupRepository.GetTotalSizeByDatabase(database.ID)
+	assert.NoError(t, err)
+
+	// Should be 10.5 + 20.3 + 5.2 = 36.0 (excluding in-progress 100)
+	assert.InDelta(t, 36.0, totalSize, 0.1)
+}
+
+// Mock listener for testing
+type mockBackupRemoveListener struct {
+	onBeforeBackupRemove func(*backups_core.Backup) error
+}
+
+func (m *mockBackupRemoveListener) OnBeforeBackupRemove(backup *backups_core.Backup) error {
+	if m.onBeforeBackupRemove != nil {
+		return m.onBeforeBackupRemove(backup)
+	}
+
+	return nil
+}
+
+// Test_DeleteBackup_WhenStorageDeleteFails_BackupStillRemovedFromDatabase verifies resilience
+// when storage becomes unavailable. Even if storage.DeleteFile fails (e.g., storage is offline,
+// credentials changed, or storage was deleted), the backup record should still be removed from
+// the database. This prevents orphaned backup records when storage is no longer accessible.
+func Test_DeleteBackup_WhenStorageDeleteFails_BackupStillRemovedFromDatabase(t *testing.T) {
+	router := CreateTestRouter()
+	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+	testStorage := storages.CreateTestStorage(workspace.ID)
+	notifier := notifiers.CreateTestNotifier(workspace.ID)
+	database := databases.CreateTestDatabase(workspace.ID, testStorage, notifier)
+
+	defer func() {
+		backups, _ := backupRepository.FindByDatabaseID(database.ID)
+		for _, backup := range backups {
+			backupRepository.DeleteByID(backup.ID)
+		}
+
+		databases.RemoveTestDatabase(database)
+		time.Sleep(50 * time.Millisecond)
+		notifiers.RemoveTestNotifier(notifier)
+		storages.RemoveTestStorage(testStorage.ID)
+		workspaces_testing.RemoveTestWorkspace(workspace, router)
+	}()
+
+	backup := &backups_core.Backup{
+		ID:           uuid.New(),
+		DatabaseID:   database.ID,
+		StorageID:    testStorage.ID,
+		Status:       backups_core.BackupStatusCompleted,
+		BackupSizeMb: 10,
+		CreatedAt:    time.Now().UTC(),
+	}
+	err := backupRepository.Save(backup)
+	assert.NoError(t, err)
+
+	cleaner := GetBackupCleaner()
+
+	err = cleaner.DeleteBackup(backup)
+	assert.NoError(t, err, "DeleteBackup should succeed even when storage file doesn't exist")
+
+	deletedBackup, err := backupRepository.FindByID(backup.ID)
+	assert.Error(t, err, "Backup should not exist in database")
+	assert.Nil(t, deletedBackup)
+}
+
+func createTestInterval() *intervals.Interval {
+	timeOfDay := "04:00"
+	interval := &intervals.Interval{
+		Interval:  intervals.IntervalDaily,
+		TimeOfDay: &timeOfDay,
+	}
+
+	err := storage.GetDb().Create(interval).Error
+	if err != nil {
+		panic(err)
+	}
+
+	return interval
+}

backend/internal/features/backups/backups/backuping/di.go

@@ -0,0 +1,97 @@
+package backuping
+
+import (
+	"sync"
+	"sync/atomic"
+	"time"
+
+	"github.com/google/uuid"
+
+	backups_core "databasus-backend/internal/features/backups/backups/core"
+	"databasus-backend/internal/features/backups/backups/usecases"
+	backups_config "databasus-backend/internal/features/backups/config"
+	"databasus-backend/internal/features/databases"
+	"databasus-backend/internal/features/notifiers"
+	"databasus-backend/internal/features/storages"
+	tasks_cancellation "databasus-backend/internal/features/tasks/cancellation"
+	workspaces_services "databasus-backend/internal/features/workspaces/services"
+	cache_utils "databasus-backend/internal/util/cache"
+	"databasus-backend/internal/util/encryption"
+	"databasus-backend/internal/util/logger"
+)
+
+var backupRepository = &backups_core.BackupRepository{}
+
+var taskCancelManager = tasks_cancellation.GetTaskCancelManager()
+
+var backupCleaner = &BackupCleaner{
+	backupRepository:      backupRepository,
+	storageService:        storages.GetStorageService(),
+	backupConfigService:   backups_config.GetBackupConfigService(),
+	fieldEncryptor:        encryption.GetFieldEncryptor(),
+	logger:                logger.GetLogger(),
+	backupRemoveListeners: []backups_core.BackupRemoveListener{},
+	runOnce:               sync.Once{},
+	hasRun:                atomic.Bool{},
+}
+
+var backupNodesRegistry = &BackupNodesRegistry{
+	client:            cache_utils.GetValkeyClient(),
+	logger:            logger.GetLogger(),
+	timeout:           cache_utils.DefaultCacheTimeout,
+	pubsubBackups:     cache_utils.NewPubSubManager(),
+	pubsubCompletions: cache_utils.NewPubSubManager(),
+	runOnce:           sync.Once{},
+	hasRun:            atomic.Bool{},
+}
+
+func getNodeID() uuid.UUID {
+	return uuid.New()
+}
+
+var backuperNode = &BackuperNode{
+	databaseService:     databases.GetDatabaseService(),
+	fieldEncryptor:      encryption.GetFieldEncryptor(),
+	workspaceService:    workspaces_services.GetWorkspaceService(),
+	backupRepository:    backupRepository,
+	backupConfigService: backups_config.GetBackupConfigService(),
+	storageService:      storages.GetStorageService(),
+	notificationSender:  notifiers.GetNotifierService(),
+	backupCancelManager: taskCancelManager,
+	backupNodesRegistry: backupNodesRegistry,
+	logger:              logger.GetLogger(),
+	createBackupUseCase: usecases.GetCreateBackupUsecase(),
+	nodeID:              getNodeID(),
+	lastHeartbeat:       time.Time{},
+	runOnce:             sync.Once{},
+	hasRun:              atomic.Bool{},
+}
+
+var backupsScheduler = &BackupsScheduler{
+	backupRepository:      backupRepository,
+	backupConfigService:   backups_config.GetBackupConfigService(),
+	taskCancelManager:     taskCancelManager,
+	backupNodesRegistry:   backupNodesRegistry,
+	lastBackupTime:        time.Now().UTC(),
+	logger:                logger.GetLogger(),
+	backupToNodeRelations: make(map[uuid.UUID]BackupToNodeRelation),
+	backuperNode:          backuperNode,
+	runOnce:               sync.Once{},
+	hasRun:                atomic.Bool{},
+}
+
+func GetBackupsScheduler() *BackupsScheduler {
+	return backupsScheduler
+}
+
+func GetBackuperNode() *BackuperNode {
+	return backuperNode
+}
+
+func GetBackupNodesRegistry() *BackupNodesRegistry {
+	return backupNodesRegistry
+}
+
+func GetBackupCleaner() *BackupCleaner {
+	return backupCleaner
+}

backend/internal/features/backups/backups/backuping/dto.go

@@ -0,0 +1,34 @@
+package backuping
+
+import (
+	"time"
+
+	"github.com/google/uuid"
+)
+
+type BackupToNodeRelation struct {
+	NodeID     uuid.UUID   `json:"nodeId"`
+	BackupsIDs []uuid.UUID `json:"backupsIds"`
+}
+
+type BackupNode struct {
+	ID            uuid.UUID `json:"id"`
+	ThroughputMBs int       `json:"throughputMBs"`
+	LastHeartbeat time.Time `json:"lastHeartbeat"`
+}
+
+type BackupNodeStats struct {
+	ID            uuid.UUID `json:"id"`
+	ActiveBackups int       `json:"activeBackups"`
+}
+
+type BackupSubmitMessage struct {
+	NodeID         uuid.UUID `json:"nodeId"`
+	BackupID       uuid.UUID `json:"backupId"`
+	IsCallNotifier bool      `json:"isCallNotifier"`
+}
+
+type BackupCompletionMessage struct {
+	NodeID   uuid.UUID `json:"nodeId"`
+	BackupID uuid.UUID `json:"backupId"`
+}

backend/internal/features/backups/backups/backuping/mocks.go

@@ -0,0 +1,194 @@
+package backuping
+
+import (
+	"context"
+	"errors"
+	"sync/atomic"
+	"time"
+
+	common "databasus-backend/internal/features/backups/backups/common"
+	backups_config "databasus-backend/internal/features/backups/config"
+	"databasus-backend/internal/features/databases"
+	"databasus-backend/internal/features/notifiers"
+	"databasus-backend/internal/features/storages"
+
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/mock"
+)
+
+type MockNotificationSender struct {
+	mock.Mock
+}
+
+func (m *MockNotificationSender) SendNotification(
+	notifier *notifiers.Notifier,
+	title string,
+	message string,
+) {
+	m.Called(notifier, title, message)
+}
+
+type CreateFailedBackupUsecase struct{}
+
+func (uc *CreateFailedBackupUsecase) Execute(
+	ctx context.Context,
+	backupID uuid.UUID,
+	backupConfig *backups_config.BackupConfig,
+	database *databases.Database,
+	storage *storages.Storage,
+	backupProgressListener func(completedMBs float64),
+) (*common.BackupMetadata, error) {
+	backupProgressListener(10)
+	return nil, errors.New("backup failed")
+}
+
+type CreateSuccessBackupUsecase struct{}
+
+func (uc *CreateSuccessBackupUsecase) Execute(
+	ctx context.Context,
+	backupID uuid.UUID,
+	backupConfig *backups_config.BackupConfig,
+	database *databases.Database,
+	storage *storages.Storage,
+	backupProgressListener func(completedMBs float64),
+) (*common.BackupMetadata, error) {
+	backupProgressListener(10)
+	return &common.BackupMetadata{
+		EncryptionSalt: nil,
+		EncryptionIV:   nil,
+		Encryption:     backups_config.BackupEncryptionNone,
+	}, nil
+}
+
+// CreateLargeBackupUsecase simulates a large backup (10000 MB)
+type CreateLargeBackupUsecase struct{}
+
+func (uc *CreateLargeBackupUsecase) Execute(
+	ctx context.Context,
+	backupID uuid.UUID,
+	backupConfig *backups_config.BackupConfig,
+	database *databases.Database,
+	storage *storages.Storage,
+	backupProgressListener func(completedMBs float64),
+) (*common.BackupMetadata, error) {
+	backupProgressListener(10000)
+	return &common.BackupMetadata{
+		EncryptionSalt: nil,
+		EncryptionIV:   nil,
+		Encryption:     backups_config.BackupEncryptionNone,
+	}, nil
+}
+
+// CreateProgressiveBackupUsecase simulates progressive size updates that exceed limit
+type CreateProgressiveBackupUsecase struct{}
+
+func (uc *CreateProgressiveBackupUsecase) Execute(
+	ctx context.Context,
+	backupID uuid.UUID,
+	backupConfig *backups_config.BackupConfig,
+	database *databases.Database,
+	storage *storages.Storage,
+	backupProgressListener func(completedMBs float64),
+) (*common.BackupMetadata, error) {
+	// Simulate progressive backup that grows beyond limit
+	backupProgressListener(1)
+	if ctx.Err() != nil {
+		return nil, ctx.Err()
+	}
+
+	backupProgressListener(3)
+	if ctx.Err() != nil {
+		return nil, ctx.Err()
+	}
+
+	backupProgressListener(5)
+	if ctx.Err() != nil {
+		return nil, ctx.Err()
+	}
+
+	backupProgressListener(10) // This exceeds the 5 MB limit
+	if ctx.Err() != nil {
+		return nil, ctx.Err()
+	}
+
+	// Should not reach here due to cancellation
+	return &common.BackupMetadata{
+		EncryptionSalt: nil,
+		EncryptionIV:   nil,
+		Encryption:     backups_config.BackupEncryptionNone,
+	}, nil
+}
+
+// CreateMediumBackupUsecase simulates a 50 MB backup
+type CreateMediumBackupUsecase struct{}
+
+func (uc *CreateMediumBackupUsecase) Execute(
+	ctx context.Context,
+	backupID uuid.UUID,
+	backupConfig *backups_config.BackupConfig,
+	database *databases.Database,
+	storage *storages.Storage,
+	backupProgressListener func(completedMBs float64),
+) (*common.BackupMetadata, error) {
+	backupProgressListener(50)
+	return &common.BackupMetadata{
+		EncryptionSalt: nil,
+		EncryptionIV:   nil,
+		Encryption:     backups_config.BackupEncryptionNone,
+	}, nil
+}
+
+// MockTrackingBackupUsecase tracks backup use case calls for testing parallel execution
+type MockTrackingBackupUsecase struct {
+	callCount       atomic.Int32
+	calledBackupIDs chan uuid.UUID
+}
+
+func NewMockTrackingBackupUsecase() *MockTrackingBackupUsecase {
+	return &MockTrackingBackupUsecase{
+		calledBackupIDs: make(chan uuid.UUID, 10),
+	}
+}
+
+func (m *MockTrackingBackupUsecase) Execute(
+	ctx context.Context,
+	backupID uuid.UUID,
+	backupConfig *backups_config.BackupConfig,
+	database *databases.Database,
+	storage *storages.Storage,
+	backupProgressListener func(completedMBs float64),
+) (*common.BackupMetadata, error) {
+	m.callCount.Add(1)
+
+	// Send backup ID to channel (non-blocking)
+	select {
+	case m.calledBackupIDs <- backupID:
+	default:
+	}
+
+	// Simulate backup work
+	time.Sleep(100 * time.Millisecond)
+	backupProgressListener(10)
+
+	return &common.BackupMetadata{
+		EncryptionSalt: nil,
+		EncryptionIV:   nil,
+		Encryption:     backups_config.BackupEncryptionNone,
+	}, nil
+}
+
+func (m *MockTrackingBackupUsecase) GetCallCount() int32 {
+	return m.callCount.Load()
+}
+
+func (m *MockTrackingBackupUsecase) GetCalledBackupIDs() []uuid.UUID {
+	ids := []uuid.UUID{}
+	for {
+		select {
+		case id := <-m.calledBackupIDs:
+			ids = append(ids, id)
+		default:
+			return ids
+		}
+	}
+}

backend/internal/features/backups/backups/backuping/registry.go

@@ -0,0 +1,633 @@
+package backuping
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"log/slog"
+	"strings"
+	"sync"
+	"sync/atomic"
+	"time"
+
+	cache_utils "databasus-backend/internal/util/cache"
+
+	"github.com/google/uuid"
+	"github.com/valkey-io/valkey-go"
+)
+
+const (
+	nodeInfoKeyPrefix       = "backup:node:"
+	nodeInfoKeySuffix       = ":info"
+	nodeActiveBackupsPrefix = "backup:node:"
+	nodeActiveBackupsSuffix = ":active_backups"
+	backupSubmitChannel     = "backup:submit"
+	backupCompletionChannel = "backup:completion"
+
+	deadNodeThreshold     = 2 * time.Minute
+	cleanupTickerInterval = 1 * time.Second
+)
+
+// BackupNodesRegistry helps to sync backups scheduler and backup nodes.
+//
+// Features:
+// - Track node availability and load level
+// - Assign from scheduler to node backups needed to be processed
+// - Notify scheduler from node about backup completion
+//
+// Important things to remember:
+//   - Nodes without heartbeat for more than 2 minutes are not included
+//     in available nodes list and stats
+//
+// Cleanup dead nodes performed on 2 levels:
+//   - List and stats functions do not return dead nodes
+//   - Periodically dead nodes are cleaned up in cache (to not
+//     accumulate too many dead nodes in cache)
+type BackupNodesRegistry struct {
+	client            valkey.Client
+	logger            *slog.Logger
+	timeout           time.Duration
+	pubsubBackups     *cache_utils.PubSubManager
+	pubsubCompletions *cache_utils.PubSubManager
+
+	runOnce sync.Once
+	hasRun  atomic.Bool
+}
+
+func (r *BackupNodesRegistry) Run(ctx context.Context) {
+	wasAlreadyRun := r.hasRun.Load()
+
+	r.runOnce.Do(func() {
+		r.hasRun.Store(true)
+
+		if err := r.cleanupDeadNodes(); err != nil {
+			r.logger.Error("Failed to cleanup dead nodes on startup", "error", err)
+		}
+
+		ticker := time.NewTicker(cleanupTickerInterval)
+		defer ticker.Stop()
+		for {
+			select {
+			case <-ctx.Done():
+				return
+			case <-ticker.C:
+				if err := r.cleanupDeadNodes(); err != nil {
+					r.logger.Error("Failed to cleanup dead nodes", "error", err)
+				}
+			}
+		}
+	})
+
+	if wasAlreadyRun {
+		panic(fmt.Sprintf("%T.Run() called multiple times", r))
+	}
+}
+
+func (r *BackupNodesRegistry) GetAvailableNodes() ([]BackupNode, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), r.timeout)
+	defer cancel()
+
+	var allKeys []string
+	cursor := uint64(0)
+	pattern := nodeInfoKeyPrefix + "*" + nodeInfoKeySuffix
+
+	for {
+		result := r.client.Do(
+			ctx,
+			r.client.B().Scan().Cursor(cursor).Match(pattern).Count(1_000).Build(),
+		)
+
+		if result.Error() != nil {
+			return nil, fmt.Errorf("failed to scan node keys: %w", result.Error())
+		}
+
+		scanResult, err := result.AsScanEntry()
+		if err != nil {
+			return nil, fmt.Errorf("failed to parse scan result: %w", err)
+		}
+
+		allKeys = append(allKeys, scanResult.Elements...)
+
+		cursor = scanResult.Cursor
+		if cursor == 0 {
+			break
+		}
+	}
+
+	if len(allKeys) == 0 {
+		return []BackupNode{}, nil
+	}
+
+	keyDataMap, err := r.pipelineGetKeys(allKeys)
+	if err != nil {
+		return nil, fmt.Errorf("failed to pipeline get node keys: %w", err)
+	}
+
+	threshold := time.Now().UTC().Add(-deadNodeThreshold)
+	var nodes []BackupNode
+
+	for key, data := range keyDataMap {
+		// Skip if the key doesn't exist (data is empty)
+		if len(data) == 0 {
+			continue
+		}
+
+		var node BackupNode
+		if err := json.Unmarshal(data, &node); err != nil {
+			r.logger.Warn("Failed to unmarshal node data", "key", key, "error", err)
+			continue
+		}
+
+		// Skip nodes with zero/uninitialized heartbeat
+		if node.LastHeartbeat.IsZero() {
+			continue
+		}
+
+		if node.LastHeartbeat.Before(threshold) {
+			continue
+		}
+
+		nodes = append(nodes, node)
+	}
+
+	return nodes, nil
+}
+
+func (r *BackupNodesRegistry) GetBackupNodesStats() ([]BackupNodeStats, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), r.timeout)
+	defer cancel()
+
+	var allKeys []string
+	cursor := uint64(0)
+	pattern := nodeActiveBackupsPrefix + "*" + nodeActiveBackupsSuffix
+
+	for {
+		result := r.client.Do(
+			ctx,
+			r.client.B().Scan().Cursor(cursor).Match(pattern).Count(100).Build(),
+		)
+
+		if result.Error() != nil {
+			return nil, fmt.Errorf("failed to scan active backups keys: %w", result.Error())
+		}
+
+		scanResult, err := result.AsScanEntry()
+		if err != nil {
+			return nil, fmt.Errorf("failed to parse scan result: %w", err)
+		}
+
+		allKeys = append(allKeys, scanResult.Elements...)
+
+		cursor = scanResult.Cursor
+		if cursor == 0 {
+			break
+		}
+	}
+
+	if len(allKeys) == 0 {
+		return []BackupNodeStats{}, nil
+	}
+
+	keyDataMap, err := r.pipelineGetKeys(allKeys)
+	if err != nil {
+		return nil, fmt.Errorf("failed to pipeline get active backups keys: %w", err)
+	}
+
+	var nodeInfoKeys []string
+	nodeIDToStatsKey := make(map[string]string)
+	for key := range keyDataMap {
+		nodeID := r.extractNodeIDFromKey(key, nodeActiveBackupsPrefix, nodeActiveBackupsSuffix)
+		nodeIDStr := nodeID.String()
+		infoKey := fmt.Sprintf("%s%s%s", nodeInfoKeyPrefix, nodeIDStr, nodeInfoKeySuffix)
+		nodeInfoKeys = append(nodeInfoKeys, infoKey)
+		nodeIDToStatsKey[infoKey] = key
+	}
+
+	nodeInfoMap, err := r.pipelineGetKeys(nodeInfoKeys)
+	if err != nil {
+		return nil, fmt.Errorf("failed to pipeline get node info keys: %w", err)
+	}
+
+	threshold := time.Now().UTC().Add(-deadNodeThreshold)
+	var stats []BackupNodeStats
+	for infoKey, nodeData := range nodeInfoMap {
+		// Skip if the info key doesn't exist (nodeData is empty)
+		if len(nodeData) == 0 {
+			continue
+		}
+
+		var node BackupNode
+		if err := json.Unmarshal(nodeData, &node); err != nil {
+			r.logger.Warn("Failed to unmarshal node data", "key", infoKey, "error", err)
+			continue
+		}
+
+		// Skip nodes with zero/uninitialized heartbeat
+		if node.LastHeartbeat.IsZero() {
+			continue
+		}
+
+		if node.LastHeartbeat.Before(threshold) {
+			continue
+		}
+
+		statsKey := nodeIDToStatsKey[infoKey]
+		tasksData := keyDataMap[statsKey]
+		count, err := r.parseIntFromBytes(tasksData)
+		if err != nil {
+			r.logger.Warn("Failed to parse active backups count", "key", statsKey, "error", err)
+			continue
+		}
+
+		stat := BackupNodeStats{
+			ID:            node.ID,
+			ActiveBackups: int(count),
+		}
+		stats = append(stats, stat)
+	}
+
+	return stats, nil
+}
+
+func (r *BackupNodesRegistry) IncrementBackupsInProgress(nodeID uuid.UUID) error {
+	ctx, cancel := context.WithTimeout(context.Background(), r.timeout)
+	defer cancel()
+
+	key := fmt.Sprintf("%s%s%s", nodeActiveBackupsPrefix, nodeID.String(), nodeActiveBackupsSuffix)
+	result := r.client.Do(ctx, r.client.B().Incr().Key(key).Build())
+
+	if result.Error() != nil {
+		return fmt.Errorf(
+			"failed to increment backups in progress for node %s: %w",
+			nodeID,
+			result.Error(),
+		)
+	}
+
+	return nil
+}
+
+func (r *BackupNodesRegistry) DecrementBackupsInProgress(nodeID uuid.UUID) error {
+	ctx, cancel := context.WithTimeout(context.Background(), r.timeout)
+	defer cancel()
+
+	key := fmt.Sprintf("%s%s%s", nodeActiveBackupsPrefix, nodeID.String(), nodeActiveBackupsSuffix)
+	result := r.client.Do(ctx, r.client.B().Decr().Key(key).Build())
+
+	if result.Error() != nil {
+		return fmt.Errorf(
+			"failed to decrement backups in progress for node %s: %w",
+			nodeID,
+			result.Error(),
+		)
+	}
+
+	newValue, err := result.AsInt64()
+	if err != nil {
+		return fmt.Errorf("failed to parse decremented value for node %s: %w", nodeID, err)
+	}
+
+	if newValue < 0 {
+		setCtx, setCancel := context.WithTimeout(context.Background(), r.timeout)
+		r.client.Do(setCtx, r.client.B().Set().Key(key).Value("0").Build())
+		setCancel()
+		r.logger.Warn("Active backups counter went below 0, reset to 0", "nodeID", nodeID)
+	}
+
+	return nil
+}
+
+func (r *BackupNodesRegistry) HearthbeatNodeInRegistry(now time.Time, backupNode BackupNode) error {
+	if now.IsZero() {
+		return fmt.Errorf("cannot register node with zero heartbeat timestamp")
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), r.timeout)
+	defer cancel()
+
+	backupNode.LastHeartbeat = now
+
+	data, err := json.Marshal(backupNode)
+	if err != nil {
+		return fmt.Errorf("failed to marshal backup node: %w", err)
+	}
+
+	key := fmt.Sprintf("%s%s%s", nodeInfoKeyPrefix, backupNode.ID.String(), nodeInfoKeySuffix)
+	result := r.client.Do(
+		ctx,
+		r.client.B().Set().Key(key).Value(string(data)).Build(),
+	)
+
+	if result.Error() != nil {
+		return fmt.Errorf("failed to register node %s: %w", backupNode.ID, result.Error())
+	}
+
+	return nil
+}
+
+func (r *BackupNodesRegistry) UnregisterNodeFromRegistry(backupNode BackupNode) error {
+	ctx, cancel := context.WithTimeout(context.Background(), r.timeout)
+	defer cancel()
+
+	infoKey := fmt.Sprintf("%s%s%s", nodeInfoKeyPrefix, backupNode.ID.String(), nodeInfoKeySuffix)
+	counterKey := fmt.Sprintf(
+		"%s%s%s",
+		nodeActiveBackupsPrefix,
+		backupNode.ID.String(),
+		nodeActiveBackupsSuffix,
+	)
+
+	result := r.client.Do(
+		ctx,
+		r.client.B().Del().Key(infoKey, counterKey).Build(),
+	)
+
+	if result.Error() != nil {
+		return fmt.Errorf("failed to unregister node %s: %w", backupNode.ID, result.Error())
+	}
+
+	r.logger.Info("Unregistered node from registry", "nodeID", backupNode.ID)
+	return nil
+}
+
+func (r *BackupNodesRegistry) AssignBackupToNode(
+	targetNodeID uuid.UUID,
+	backupID uuid.UUID,
+	isCallNotifier bool,
+) error {
+	ctx := context.Background()
+
+	message := BackupSubmitMessage{
+		NodeID:         targetNodeID,
+		BackupID:       backupID,
+		IsCallNotifier: isCallNotifier,
+	}
+
+	messageJSON, err := json.Marshal(message)
+	if err != nil {
+		return fmt.Errorf("failed to marshal backup submit message: %w", err)
+	}
+
+	err = r.pubsubBackups.Publish(ctx, backupSubmitChannel, string(messageJSON))
+	if err != nil {
+		return fmt.Errorf("failed to publish backup submit message: %w", err)
+	}
+
+	return nil
+}
+
+func (r *BackupNodesRegistry) SubscribeNodeForBackupsAssignment(
+	nodeID uuid.UUID,
+	handler func(backupID uuid.UUID, isCallNotifier bool),
+) error {
+	ctx := context.Background()
+
+	wrappedHandler := func(message string) {
+		var msg BackupSubmitMessage
+		if err := json.Unmarshal([]byte(message), &msg); err != nil {
+			r.logger.Warn("Failed to unmarshal backup submit message", "error", err)
+			return
+		}
+
+		if msg.NodeID != nodeID {
+			return
+		}
+
+		handler(msg.BackupID, msg.IsCallNotifier)
+	}
+
+	err := r.pubsubBackups.Subscribe(ctx, backupSubmitChannel, wrappedHandler)
+	if err != nil {
+		return fmt.Errorf("failed to subscribe to backup submit channel: %w", err)
+	}
+
+	r.logger.Info("Subscribed to backup submit channel", "nodeID", nodeID)
+	return nil
+}
+
+func (r *BackupNodesRegistry) UnsubscribeNodeForBackupsAssignments() error {
+	err := r.pubsubBackups.Close()
+	if err != nil {
+		return fmt.Errorf("failed to unsubscribe from backup submit channel: %w", err)
+	}
+
+	r.logger.Info("Unsubscribed from backup submit channel")
+	return nil
+}
+
+func (r *BackupNodesRegistry) PublishBackupCompletion(nodeID uuid.UUID, backupID uuid.UUID) error {
+	ctx := context.Background()
+
+	message := BackupCompletionMessage{
+		NodeID:   nodeID,
+		BackupID: backupID,
+	}
+
+	messageJSON, err := json.Marshal(message)
+	if err != nil {
+		return fmt.Errorf("failed to marshal backup completion message: %w", err)
+	}
+
+	err = r.pubsubCompletions.Publish(ctx, backupCompletionChannel, string(messageJSON))
+	if err != nil {
+		return fmt.Errorf("failed to publish backup completion message: %w", err)
+	}
+
+	return nil
+}
+
+func (r *BackupNodesRegistry) SubscribeForBackupsCompletions(
+	handler func(nodeID uuid.UUID, backupID uuid.UUID),
+) error {
+	ctx := context.Background()
+
+	wrappedHandler := func(message string) {
+		var msg BackupCompletionMessage
+		if err := json.Unmarshal([]byte(message), &msg); err != nil {
+			r.logger.Warn("Failed to unmarshal backup completion message", "error", err)
+			return
+		}
+
+		handler(msg.NodeID, msg.BackupID)
+	}
+
+	err := r.pubsubCompletions.Subscribe(ctx, backupCompletionChannel, wrappedHandler)
+	if err != nil {
+		return fmt.Errorf("failed to subscribe to backup completion channel: %w", err)
+	}
+
+	r.logger.Info("Subscribed to backup completion channel")
+	return nil
+}
+
+func (r *BackupNodesRegistry) UnsubscribeForBackupsCompletions() error {
+	err := r.pubsubCompletions.Close()
+	if err != nil {
+		return fmt.Errorf("failed to unsubscribe from backup completion channel: %w", err)
+	}
+
+	r.logger.Info("Unsubscribed from backup completion channel")
+	return nil
+}
+
+func (r *BackupNodesRegistry) extractNodeIDFromKey(key, prefix, suffix string) uuid.UUID {
+	nodeIDStr := strings.TrimPrefix(key, prefix)
+	nodeIDStr = strings.TrimSuffix(nodeIDStr, suffix)
+
+	nodeID, err := uuid.Parse(nodeIDStr)
+	if err != nil {
+		r.logger.Warn("Failed to parse node ID from key", "key", key, "error", err)
+		return uuid.Nil
+	}
+
+	return nodeID
+}
+
+func (r *BackupNodesRegistry) pipelineGetKeys(keys []string) (map[string][]byte, error) {
+	if len(keys) == 0 {
+		return make(map[string][]byte), nil
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), r.timeout)
+	defer cancel()
+
+	commands := make([]valkey.Completed, 0, len(keys))
+	for _, key := range keys {
+		commands = append(commands, r.client.B().Get().Key(key).Build())
+	}
+
+	results := r.client.DoMulti(ctx, commands...)
+
+	keyDataMap := make(map[string][]byte, len(keys))
+	for i, result := range results {
+		if result.Error() != nil {
+			r.logger.Warn("Failed to get key in pipeline", "key", keys[i], "error", result.Error())
+			continue
+		}
+
+		data, err := result.AsBytes()
+		if err != nil {
+			r.logger.Warn("Failed to parse key data in pipeline", "key", keys[i], "error", err)
+			continue
+		}
+
+		keyDataMap[keys[i]] = data
+	}
+
+	return keyDataMap, nil
+}
+
+func (r *BackupNodesRegistry) parseIntFromBytes(data []byte) (int64, error) {
+	str := string(data)
+	var count int64
+	_, err := fmt.Sscanf(str, "%d", &count)
+	if err != nil {
+		return 0, fmt.Errorf("failed to parse integer from bytes: %w", err)
+	}
+	return count, nil
+}
+
+func (r *BackupNodesRegistry) cleanupDeadNodes() error {
+	ctx, cancel := context.WithTimeout(context.Background(), r.timeout)
+	defer cancel()
+
+	var allKeys []string
+	cursor := uint64(0)
+	pattern := nodeInfoKeyPrefix + "*" + nodeInfoKeySuffix
+
+	for {
+		result := r.client.Do(
+			ctx,
+			r.client.B().Scan().Cursor(cursor).Match(pattern).Count(1_000).Build(),
+		)
+
+		if result.Error() != nil {
+			return fmt.Errorf("failed to scan node keys: %w", result.Error())
+		}
+
+		scanResult, err := result.AsScanEntry()
+		if err != nil {
+			return fmt.Errorf("failed to parse scan result: %w", err)
+		}
+
+		allKeys = append(allKeys, scanResult.Elements...)
+
+		cursor = scanResult.Cursor
+		if cursor == 0 {
+			break
+		}
+	}
+
+	if len(allKeys) == 0 {
+		return nil
+	}
+
+	keyDataMap, err := r.pipelineGetKeys(allKeys)
+	if err != nil {
+		return fmt.Errorf("failed to pipeline get node keys: %w", err)
+	}
+
+	threshold := time.Now().UTC().Add(-deadNodeThreshold)
+	var deadNodeKeys []string
+
+	for key, data := range keyDataMap {
+		// Skip if the key doesn't exist (data is empty)
+		if len(data) == 0 {
+			continue
+		}
+
+		var node BackupNode
+		if err := json.Unmarshal(data, &node); err != nil {
+			r.logger.Warn("Failed to unmarshal node data during cleanup", "key", key, "error", err)
+			continue
+		}
+
+		// Skip nodes with zero/uninitialized heartbeat
+		if node.LastHeartbeat.IsZero() {
+			continue
+		}
+
+		if node.LastHeartbeat.Before(threshold) {
+			nodeID := node.ID.String()
+			infoKey := fmt.Sprintf("%s%s%s", nodeInfoKeyPrefix, nodeID, nodeInfoKeySuffix)
+			statsKey := fmt.Sprintf(
+				"%s%s%s",
+				nodeActiveBackupsPrefix,
+				nodeID,
+				nodeActiveBackupsSuffix,
+			)
+
+			deadNodeKeys = append(deadNodeKeys, infoKey, statsKey)
+			r.logger.Info(
+				"Marking node for cleanup",
+				"nodeID", nodeID,
+				"lastHeartbeat", node.LastHeartbeat,
+				"threshold", threshold,
+			)
+		}
+	}
+
+	if len(deadNodeKeys) == 0 {
+		return nil
+	}
+
+	delCtx, delCancel := context.WithTimeout(context.Background(), r.timeout)
+	defer delCancel()
+
+	result := r.client.Do(
+		delCtx,
+		r.client.B().Del().Key(deadNodeKeys...).Build(),
+	)
+
+	if result.Error() != nil {
+		return fmt.Errorf("failed to delete dead node keys: %w", result.Error())
+	}
+
+	deletedCount, err := result.AsInt64()
+	if err != nil {
+		return fmt.Errorf("failed to parse deleted count: %w", err)
+	}
+
+	r.logger.Info("Cleaned up dead nodes", "deletedKeysCount", deletedCount)
+	return nil
+}

backend/internal/features/backups/backups/backuping/scheduler.go

@@ -0,0 +1,574 @@
+package backuping
+
+import (
+	"context"
+	"fmt"
+	"log/slog"
+	"sync"
+	"sync/atomic"
+	"time"
+
+	"github.com/google/uuid"
+
+	"databasus-backend/internal/config"
+	backups_core "databasus-backend/internal/features/backups/backups/core"
+	backups_config "databasus-backend/internal/features/backups/config"
+	task_cancellation "databasus-backend/internal/features/tasks/cancellation"
+)
+
+const (
+	schedulerStartupDelay         = 1 * time.Minute
+	schedulerTickerInterval       = 1 * time.Minute
+	schedulerHealthcheckThreshold = 5 * time.Minute
+)
+
+type BackupsScheduler struct {
+	backupRepository    *backups_core.BackupRepository
+	backupConfigService *backups_config.BackupConfigService
+	taskCancelManager   *task_cancellation.TaskCancelManager
+	backupNodesRegistry *BackupNodesRegistry
+
+	lastBackupTime time.Time
+	logger         *slog.Logger
+
+	backupToNodeRelations map[uuid.UUID]BackupToNodeRelation
+	backuperNode          *BackuperNode
+
+	runOnce sync.Once
+	hasRun  atomic.Bool
+}
+
+func (s *BackupsScheduler) Run(ctx context.Context) {
+	wasAlreadyRun := s.hasRun.Load()
+
+	s.runOnce.Do(func() {
+		s.hasRun.Store(true)
+
+		s.lastBackupTime = time.Now().UTC()
+
+		if config.GetEnv().IsManyNodesMode {
+			// wait other nodes to start
+			time.Sleep(schedulerStartupDelay)
+		}
+
+		if err := s.failBackupsInProgress(); err != nil {
+			s.logger.Error("Failed to fail backups in progress", "error", err)
+			panic(err)
+		}
+
+		err := s.backupNodesRegistry.SubscribeForBackupsCompletions(s.onBackupCompleted)
+		if err != nil {
+			s.logger.Error("Failed to subscribe to backup completions", "error", err)
+			panic(err)
+		}
+
+		defer func() {
+			if err := s.backupNodesRegistry.UnsubscribeForBackupsCompletions(); err != nil {
+				s.logger.Error("Failed to unsubscribe from backup completions", "error", err)
+			}
+		}()
+
+		if ctx.Err() != nil {
+			return
+		}
+
+		ticker := time.NewTicker(schedulerTickerInterval)
+		defer ticker.Stop()
+
+		for {
+			select {
+			case <-ctx.Done():
+				return
+			case <-ticker.C:
+				if err := s.checkDeadNodesAndFailBackups(); err != nil {
+					s.logger.Error("Failed to check dead nodes and fail backups", "error", err)
+				}
+
+				if err := s.runPendingBackups(); err != nil {
+					s.logger.Error("Failed to run pending backups", "error", err)
+				}
+
+				s.lastBackupTime = time.Now().UTC()
+			}
+		}
+	})
+
+	if wasAlreadyRun {
+		panic(fmt.Sprintf("%T.Run() called multiple times", s))
+	}
+}
+
+func (s *BackupsScheduler) IsSchedulerRunning() bool {
+	// if last backup time is more than 5 minutes ago, return false
+	return s.lastBackupTime.After(time.Now().UTC().Add(-schedulerHealthcheckThreshold))
+}
+
+func (s *BackupsScheduler) IsBackupNodesAvailable() bool {
+	nodes, err := s.backupNodesRegistry.GetAvailableNodes()
+	if err != nil {
+		s.logger.Error("Failed to get available nodes for health check", "error", err)
+		return false
+	}
+
+	return len(nodes) > 0
+}
+
+func (s *BackupsScheduler) StartBackup(databaseID uuid.UUID, isCallNotifier bool) {
+	backupConfig, err := s.backupConfigService.GetBackupConfigByDbId(databaseID)
+	if err != nil {
+		s.logger.Error("Failed to get backup config by database ID", "error", err)
+		return
+	}
+
+	if backupConfig.StorageID == nil {
+		s.logger.Error("Backup config storage ID is nil", "databaseId", databaseID)
+		return
+	}
+
+	// Check for existing in-progress backups
+	inProgressBackups, err := s.backupRepository.FindByDatabaseIdAndStatus(
+		databaseID,
+		backups_core.BackupStatusInProgress,
+	)
+	if err != nil {
+		s.logger.Error(
+			"Failed to check for in-progress backups",
+			"databaseId",
+			databaseID,
+			"error",
+			err,
+		)
+		return
+	}
+
+	if len(inProgressBackups) > 0 {
+		s.logger.Warn(
+			"Backup already in progress for database, skipping new backup",
+			"databaseId",
+			databaseID,
+			"existingBackupId",
+			inProgressBackups[0].ID,
+		)
+		return
+	}
+
+	leastBusyNodeID, err := s.calculateLeastBusyNode()
+	if err != nil {
+		s.logger.Error(
+			"Failed to calculate least busy node",
+			"databaseId",
+			backupConfig.DatabaseID,
+			"error",
+			err,
+		)
+		return
+	}
+
+	fmt.Println("make backup")
+	backup := &backups_core.Backup{
+		DatabaseID:   backupConfig.DatabaseID,
+		StorageID:    *backupConfig.StorageID,
+		Status:       backups_core.BackupStatusInProgress,
+		BackupSizeMb: 0,
+		CreatedAt:    time.Now().UTC(),
+	}
+
+	if err := s.backupRepository.Save(backup); err != nil {
+		s.logger.Error(
+			"Failed to save backup",
+			"databaseId",
+			backupConfig.DatabaseID,
+			"error",
+			err,
+		)
+		return
+	}
+
+	if err := s.backupNodesRegistry.IncrementBackupsInProgress(*leastBusyNodeID); err != nil {
+		s.logger.Error(
+			"Failed to increment backups in progress",
+			"nodeId",
+			leastBusyNodeID,
+			"backupId",
+			backup.ID,
+			"error",
+			err,
+		)
+		return
+	}
+
+	if err := s.backupNodesRegistry.AssignBackupToNode(*leastBusyNodeID, backup.ID, isCallNotifier); err != nil {
+		s.logger.Error(
+			"Failed to submit backup",
+			"nodeId",
+			leastBusyNodeID,
+			"backupId",
+			backup.ID,
+			"error",
+			err,
+		)
+		if decrementErr := s.backupNodesRegistry.DecrementBackupsInProgress(*leastBusyNodeID); decrementErr != nil {
+			s.logger.Error(
+				"Failed to decrement backups in progress after submit failure",
+				"nodeId",
+				leastBusyNodeID,
+				"error",
+				decrementErr,
+			)
+		}
+		return
+	}
+
+	if relation, exists := s.backupToNodeRelations[*leastBusyNodeID]; exists {
+		relation.BackupsIDs = append(relation.BackupsIDs, backup.ID)
+		s.backupToNodeRelations[*leastBusyNodeID] = relation
+	} else {
+		s.backupToNodeRelations[*leastBusyNodeID] = BackupToNodeRelation{
+			NodeID:     *leastBusyNodeID,
+			BackupsIDs: []uuid.UUID{backup.ID},
+		}
+	}
+
+	s.logger.Info(
+		"Successfully triggered scheduled backup",
+		"databaseId",
+		backupConfig.DatabaseID,
+		"backupId",
+		backup.ID,
+		"nodeId",
+		leastBusyNodeID,
+	)
+}
+
+// GetRemainedBackupTryCount returns the number of remaining backup tries for a given backup.
+// If the backup is not failed or the backup config does not allow retries, it returns 0.
+// If the backup is failed and the backup config allows retries, it returns the number of remaining tries.
+// If the backup is failed and the backup config does not allow retries, it returns 0.
+func (s *BackupsScheduler) GetRemainedBackupTryCount(lastBackup *backups_core.Backup) int {
+	if lastBackup == nil {
+		return 0
+	}
+
+	if lastBackup.Status != backups_core.BackupStatusFailed {
+		return 0
+	}
+
+	if lastBackup.IsSkipRetry {
+		return 0
+	}
+
+	backupConfig, err := s.backupConfigService.GetBackupConfigByDbId(lastBackup.DatabaseID)
+	if err != nil {
+		s.logger.Error("Failed to get backup config by database ID", "error", err)
+		return 0
+	}
+
+	if !backupConfig.IsRetryIfFailed {
+		return 0
+	}
+
+	maxFailedTriesCount := backupConfig.MaxFailedTriesCount
+
+	lastBackups, err := s.backupRepository.FindByDatabaseIDWithLimit(
+		lastBackup.DatabaseID,
+		maxFailedTriesCount,
+	)
+	if err != nil {
+		s.logger.Error("Failed to find last backups by database ID", "error", err)
+		return 0
+	}
+
+	lastFailedBackups := make([]*backups_core.Backup, 0)
+
+	for _, backup := range lastBackups {
+		if backup.Status == backups_core.BackupStatusFailed {
+			lastFailedBackups = append(lastFailedBackups, backup)
+		}
+	}
+
+	return maxFailedTriesCount - len(lastFailedBackups)
+}
+
+func (s *BackupsScheduler) runPendingBackups() error {
+	enabledBackupConfigs, err := s.backupConfigService.GetBackupConfigsWithEnabledBackups()
+	if err != nil {
+		return err
+	}
+
+	for _, backupConfig := range enabledBackupConfigs {
+		if backupConfig.BackupInterval == nil {
+			continue
+		}
+
+		lastBackup, err := s.backupRepository.FindLastByDatabaseID(backupConfig.DatabaseID)
+		if err != nil {
+			s.logger.Error(
+				"Failed to get last backup for database",
+				"databaseId",
+				backupConfig.DatabaseID,
+				"error",
+				err,
+			)
+			continue
+		}
+
+		var lastBackupTime *time.Time
+		if lastBackup != nil {
+			lastBackupTime = &lastBackup.CreatedAt
+		}
+
+		remainedBackupTryCount := s.GetRemainedBackupTryCount(lastBackup)
+
+		if backupConfig.BackupInterval.ShouldTriggerBackup(time.Now().UTC(), lastBackupTime) ||
+			remainedBackupTryCount > 0 {
+			s.logger.Info(
+				"Triggering scheduled backup",
+				"databaseId",
+				backupConfig.DatabaseID,
+				"intervalType",
+				backupConfig.BackupInterval.Interval,
+			)
+
+			s.StartBackup(backupConfig.DatabaseID, remainedBackupTryCount == 1)
+			continue
+		}
+	}
+
+	return nil
+}
+
+func (s *BackupsScheduler) failBackupsInProgress() error {
+	backupsInProgress, err := s.backupRepository.FindByStatus(backups_core.BackupStatusInProgress)
+	if err != nil {
+		return err
+	}
+
+	for _, backup := range backupsInProgress {
+		if err := s.taskCancelManager.CancelTask(backup.ID); err != nil {
+			s.logger.Error(
+				"Failed to cancel backup via task cancel manager",
+				"backupId",
+				backup.ID,
+				"error",
+				err,
+			)
+		}
+
+		backupConfig, err := s.backupConfigService.GetBackupConfigByDbId(backup.DatabaseID)
+		if err != nil {
+			s.logger.Error("Failed to get backup config by database ID", "error", err)
+			continue
+		}
+
+		failMessage := "Backup failed due to application restart"
+		backup.FailMessage = &failMessage
+		backup.Status = backups_core.BackupStatusFailed
+		backup.BackupSizeMb = 0
+
+		s.backuperNode.SendBackupNotification(
+			backupConfig,
+			backup,
+			backups_config.NotificationBackupFailed,
+			&failMessage,
+		)
+
+		if err := s.backupRepository.Save(backup); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (s *BackupsScheduler) calculateLeastBusyNode() (*uuid.UUID, error) {
+	nodes, err := s.backupNodesRegistry.GetAvailableNodes()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get available nodes: %w", err)
+	}
+
+	if len(nodes) == 0 {
+		return nil, fmt.Errorf("no nodes available")
+	}
+
+	stats, err := s.backupNodesRegistry.GetBackupNodesStats()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get backup nodes stats: %w", err)
+	}
+
+	statsMap := make(map[uuid.UUID]int)
+	for _, stat := range stats {
+		statsMap[stat.ID] = stat.ActiveBackups
+	}
+
+	var bestNode *BackupNode
+	var bestScore float64 = -1
+
+	for i := range nodes {
+		node := &nodes[i]
+
+		activeBackups := statsMap[node.ID]
+
+		var score float64
+		if node.ThroughputMBs > 0 {
+			score = float64(activeBackups) / float64(node.ThroughputMBs)
+		} else {
+			score = float64(activeBackups) * 1000
+		}
+
+		if bestNode == nil || score < bestScore {
+			bestNode = node
+			bestScore = score
+		}
+	}
+
+	if bestNode == nil {
+		return nil, fmt.Errorf("no suitable nodes available")
+	}
+
+	return &bestNode.ID, nil
+}
+
+func (s *BackupsScheduler) onBackupCompleted(nodeID uuid.UUID, backupID uuid.UUID) {
+	// Verify this task is actually a backup (registry contains multiple task types)
+	_, err := s.backupRepository.FindByID(backupID)
+	if err != nil {
+		// Not a backup task, ignore it
+		return
+	}
+
+	relation, exists := s.backupToNodeRelations[nodeID]
+	if !exists {
+		s.logger.Warn(
+			"Received completion for unknown node",
+			"nodeId",
+			nodeID,
+			"backupId",
+			backupID,
+		)
+		return
+	}
+
+	newBackupIDs := make([]uuid.UUID, 0)
+	found := false
+	for _, id := range relation.BackupsIDs {
+		if id == backupID {
+			found = true
+			continue
+		}
+		newBackupIDs = append(newBackupIDs, id)
+	}
+
+	if !found {
+		s.logger.Warn(
+			"Backup not found in node's backup list",
+			"nodeId",
+			nodeID,
+			"backupId",
+			backupID,
+		)
+		return
+	}
+
+	if len(newBackupIDs) == 0 {
+		delete(s.backupToNodeRelations, nodeID)
+	} else {
+		relation.BackupsIDs = newBackupIDs
+		s.backupToNodeRelations[nodeID] = relation
+	}
+
+	if err := s.backupNodesRegistry.DecrementBackupsInProgress(nodeID); err != nil {
+		s.logger.Error(
+			"Failed to decrement backups in progress",
+			"nodeId",
+			nodeID,
+			"backupId",
+			backupID,
+			"error",
+			err,
+		)
+	}
+}
+
+func (s *BackupsScheduler) checkDeadNodesAndFailBackups() error {
+	nodes, err := s.backupNodesRegistry.GetAvailableNodes()
+	if err != nil {
+		return fmt.Errorf("failed to get available nodes: %w", err)
+	}
+
+	aliveNodeIDs := make(map[uuid.UUID]bool)
+	for _, node := range nodes {
+		aliveNodeIDs[node.ID] = true
+	}
+
+	for nodeID, relation := range s.backupToNodeRelations {
+		if aliveNodeIDs[nodeID] {
+			continue
+		}
+
+		s.logger.Warn(
+			"Node is dead, failing its backups",
+			"nodeId",
+			nodeID,
+			"backupCount",
+			len(relation.BackupsIDs),
+		)
+
+		for _, backupID := range relation.BackupsIDs {
+			backup, err := s.backupRepository.FindByID(backupID)
+			if err != nil {
+				s.logger.Error(
+					"Failed to find backup for dead node",
+					"nodeId",
+					nodeID,
+					"backupId",
+					backupID,
+					"error",
+					err,
+				)
+				continue
+			}
+
+			failMessage := "Backup failed due to node unavailability"
+			backup.FailMessage = &failMessage
+			backup.Status = backups_core.BackupStatusFailed
+			backup.BackupSizeMb = 0
+
+			if err := s.backupRepository.Save(backup); err != nil {
+				s.logger.Error(
+					"Failed to save failed backup for dead node",
+					"nodeId",
+					nodeID,
+					"backupId",
+					backupID,
+					"error",
+					err,
+				)
+				continue
+			}
+
+			if err := s.backupNodesRegistry.DecrementBackupsInProgress(nodeID); err != nil {
+				s.logger.Error(
+					"Failed to decrement backups in progress for dead node",
+					"nodeId",
+					nodeID,
+					"backupId",
+					backupID,
+					"error",
+					err,
+				)
+			}
+
+			s.logger.Info(
+				"Failed backup due to dead node",
+				"nodeId",
+				nodeID,
+				"backupId",
+				backupID,
+			)
+		}
+
+		delete(s.backupToNodeRelations, nodeID)
+	}
+
+	return nil
+}

backend/internal/features/backups/backups/backuping/testing.go

@@ -0,0 +1,318 @@
+package backuping
+
+import (
+	"context"
+	"fmt"
+	"sync"
+	"sync/atomic"
+	"testing"
+	"time"
+
+	backups_core "databasus-backend/internal/features/backups/backups/core"
+	"databasus-backend/internal/features/backups/backups/usecases"
+	backups_config "databasus-backend/internal/features/backups/config"
+	"databasus-backend/internal/features/databases"
+	"databasus-backend/internal/features/notifiers"
+	"databasus-backend/internal/features/storages"
+	workspaces_controllers "databasus-backend/internal/features/workspaces/controllers"
+	workspaces_services "databasus-backend/internal/features/workspaces/services"
+	workspaces_testing "databasus-backend/internal/features/workspaces/testing"
+	"databasus-backend/internal/util/encryption"
+	"databasus-backend/internal/util/logger"
+
+	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
+)
+
+func CreateTestRouter() *gin.Engine {
+	router := workspaces_testing.CreateTestRouter(
+		workspaces_controllers.GetWorkspaceController(),
+		workspaces_controllers.GetMembershipController(),
+		databases.GetDatabaseController(),
+		backups_config.GetBackupConfigController(),
+	)
+
+	return router
+}
+
+func CreateTestBackuperNode() *BackuperNode {
+	return &BackuperNode{
+		databaseService:     databases.GetDatabaseService(),
+		fieldEncryptor:      encryption.GetFieldEncryptor(),
+		workspaceService:    workspaces_services.GetWorkspaceService(),
+		backupRepository:    backupRepository,
+		backupConfigService: backups_config.GetBackupConfigService(),
+		storageService:      storages.GetStorageService(),
+		notificationSender:  notifiers.GetNotifierService(),
+		backupCancelManager: taskCancelManager,
+		backupNodesRegistry: backupNodesRegistry,
+		logger:              logger.GetLogger(),
+		createBackupUseCase: usecases.GetCreateBackupUsecase(),
+		nodeID:              uuid.New(),
+		lastHeartbeat:       time.Time{},
+		runOnce:             sync.Once{},
+		hasRun:              atomic.Bool{},
+	}
+}
+
+func CreateTestBackuperNodeWithUseCase(useCase backups_core.CreateBackupUsecase) *BackuperNode {
+	return &BackuperNode{
+		databaseService:     databases.GetDatabaseService(),
+		fieldEncryptor:      encryption.GetFieldEncryptor(),
+		workspaceService:    workspaces_services.GetWorkspaceService(),
+		backupRepository:    backupRepository,
+		backupConfigService: backups_config.GetBackupConfigService(),
+		storageService:      storages.GetStorageService(),
+		notificationSender:  notifiers.GetNotifierService(),
+		backupCancelManager: taskCancelManager,
+		backupNodesRegistry: backupNodesRegistry,
+		logger:              logger.GetLogger(),
+		createBackupUseCase: useCase,
+		nodeID:              uuid.New(),
+		lastHeartbeat:       time.Time{},
+		runOnce:             sync.Once{},
+		hasRun:              atomic.Bool{},
+	}
+}
+
+func CreateTestScheduler() *BackupsScheduler {
+	return &BackupsScheduler{
+		backupRepository:      backupRepository,
+		backupConfigService:   backups_config.GetBackupConfigService(),
+		taskCancelManager:     taskCancelManager,
+		backupNodesRegistry:   backupNodesRegistry,
+		lastBackupTime:        time.Now().UTC(),
+		logger:                logger.GetLogger(),
+		backupToNodeRelations: make(map[uuid.UUID]BackupToNodeRelation),
+		backuperNode:          CreateTestBackuperNode(),
+		runOnce:               sync.Once{},
+		hasRun:                atomic.Bool{},
+	}
+}
+
+// WaitForBackupCompletion waits for a new backup to be created and completed (or failed)
+// for the given database. It checks for backups with count greater than expectedInitialCount.
+func WaitForBackupCompletion(
+	t *testing.T,
+	databaseID uuid.UUID,
+	expectedInitialCount int,
+	timeout time.Duration,
+) {
+	deadline := time.Now().UTC().Add(timeout)
+
+	for time.Now().UTC().Before(deadline) {
+		backups, err := backupRepository.FindByDatabaseID(databaseID)
+		if err != nil {
+			t.Logf("WaitForBackupCompletion: error finding backups: %v", err)
+			time.Sleep(50 * time.Millisecond)
+			continue
+		}
+
+		t.Logf(
+			"WaitForBackupCompletion: found %d backups (expected > %d)",
+			len(backups),
+			expectedInitialCount,
+		)
+
+		if len(backups) > expectedInitialCount {
+			// Check if the newest backup has completed or failed
+			newestBackup := backups[0]
+			t.Logf("WaitForBackupCompletion: newest backup status: %s", newestBackup.Status)
+
+			if newestBackup.Status == backups_core.BackupStatusCompleted ||
+				newestBackup.Status == backups_core.BackupStatusFailed ||
+				newestBackup.Status == backups_core.BackupStatusCanceled {
+				t.Logf(
+					"WaitForBackupCompletion: backup finished with status %s",
+					newestBackup.Status,
+				)
+				return
+			}
+		}
+
+		time.Sleep(50 * time.Millisecond)
+	}
+
+	t.Logf("WaitForBackupCompletion: timeout waiting for backup to complete")
+}
+
+// StartBackuperNodeForTest starts a BackuperNode in a goroutine for testing.
+// The node registers itself in the registry and subscribes to backup assignments.
+// Returns a context cancel function that should be deferred to stop the node.
+func StartBackuperNodeForTest(t *testing.T, backuperNode *BackuperNode) context.CancelFunc {
+	ctx, cancel := context.WithCancel(context.Background())
+
+	done := make(chan struct{})
+
+	go func() {
+		backuperNode.Run(ctx)
+		close(done)
+	}()
+
+	// Poll registry for node presence instead of fixed sleep
+	deadline := time.Now().UTC().Add(5 * time.Second)
+	for time.Now().UTC().Before(deadline) {
+		nodes, err := backupNodesRegistry.GetAvailableNodes()
+		if err == nil {
+			for _, node := range nodes {
+				if node.ID == backuperNode.nodeID {
+					t.Logf("BackuperNode registered in registry: %s", backuperNode.nodeID)
+
+					return func() {
+						cancel()
+						select {
+						case <-done:
+							t.Log("BackuperNode stopped gracefully")
+						case <-time.After(2 * time.Second):
+							t.Log("BackuperNode stop timeout")
+						}
+					}
+				}
+			}
+		}
+		time.Sleep(50 * time.Millisecond)
+	}
+
+	t.Fatalf("BackuperNode failed to register in registry within timeout")
+	return nil
+}
+
+// StartSchedulerForTest starts the BackupsScheduler in a goroutine for testing.
+// The scheduler subscribes to task completions and manages backup lifecycle.
+// Returns a context cancel function that should be deferred to stop the scheduler.
+func StartSchedulerForTest(t *testing.T, scheduler *BackupsScheduler) context.CancelFunc {
+	ctx, cancel := context.WithCancel(context.Background())
+
+	done := make(chan struct{})
+
+	go func() {
+		scheduler.Run(ctx)
+		close(done)
+	}()
+
+	// Give scheduler time to subscribe to completions
+	time.Sleep(100 * time.Millisecond)
+	t.Log("BackupsScheduler started")
+
+	return func() {
+		cancel()
+		select {
+		case <-done:
+			t.Log("BackupsScheduler stopped gracefully")
+		case <-time.After(2 * time.Second):
+			t.Log("BackupsScheduler stop timeout")
+		}
+	}
+}
+
+// StopBackuperNodeForTest stops the BackuperNode by canceling its context.
+// It waits for the node to unregister from the registry.
+func StopBackuperNodeForTest(t *testing.T, cancel context.CancelFunc, backuperNode *BackuperNode) {
+	cancel()
+
+	// Wait for node to unregister from registry
+	deadline := time.Now().UTC().Add(2 * time.Second)
+	for time.Now().UTC().Before(deadline) {
+		nodes, err := backupNodesRegistry.GetAvailableNodes()
+		if err == nil {
+			found := false
+			for _, node := range nodes {
+				if node.ID == backuperNode.nodeID {
+					found = true
+					break
+				}
+			}
+			if !found {
+				t.Logf("BackuperNode unregistered from registry: %s", backuperNode.nodeID)
+				return
+			}
+		}
+		time.Sleep(50 * time.Millisecond)
+	}
+
+	t.Logf("BackuperNode stop completed for %s", backuperNode.nodeID)
+}
+
+func CreateMockNodeInRegistry(nodeID uuid.UUID, throughputMBs int, lastHeartbeat time.Time) error {
+	backupNode := BackupNode{
+		ID:            nodeID,
+		ThroughputMBs: throughputMBs,
+		LastHeartbeat: lastHeartbeat,
+	}
+
+	return backupNodesRegistry.HearthbeatNodeInRegistry(lastHeartbeat, backupNode)
+}
+
+func UpdateNodeHeartbeatDirectly(
+	nodeID uuid.UUID,
+	throughputMBs int,
+	lastHeartbeat time.Time,
+) error {
+	backupNode := BackupNode{
+		ID:            nodeID,
+		ThroughputMBs: throughputMBs,
+		LastHeartbeat: lastHeartbeat,
+	}
+
+	return backupNodesRegistry.HearthbeatNodeInRegistry(lastHeartbeat, backupNode)
+}
+
+func GetNodeFromRegistry(nodeID uuid.UUID) (*BackupNode, error) {
+	nodes, err := backupNodesRegistry.GetAvailableNodes()
+	if err != nil {
+		return nil, err
+	}
+
+	for _, node := range nodes {
+		if node.ID == nodeID {
+			return &node, nil
+		}
+	}
+
+	return nil, fmt.Errorf("node not found")
+}
+
+// WaitForActiveTasksDecrease waits for the active task count to decrease below the initial count.
+// It polls the registry every 500ms until the count decreases or the timeout is reached.
+// Returns true if the count decreased, false if timeout was reached.
+func WaitForActiveTasksDecrease(
+	t *testing.T,
+	nodeID uuid.UUID,
+	initialCount int,
+	timeout time.Duration,
+) bool {
+	deadline := time.Now().UTC().Add(timeout)
+
+	for time.Now().UTC().Before(deadline) {
+		stats, err := backupNodesRegistry.GetBackupNodesStats()
+		if err != nil {
+			t.Logf("WaitForActiveTasksDecrease: error getting node stats: %v", err)
+			time.Sleep(500 * time.Millisecond)
+			continue
+		}
+
+		for _, stat := range stats {
+			if stat.ID == nodeID {
+				t.Logf(
+					"WaitForActiveTasksDecrease: current active tasks = %d (initial = %d)",
+					stat.ActiveBackups,
+					initialCount,
+				)
+				if stat.ActiveBackups < initialCount {
+					t.Logf(
+						"WaitForActiveTasksDecrease: active tasks decreased from %d to %d",
+						initialCount,
+						stat.ActiveBackups,
+					)
+					return true
+				}
+				break
+			}
+		}
+
+		time.Sleep(500 * time.Millisecond)
+	}
+
+	t.Logf("WaitForActiveTasksDecrease: timeout waiting for active tasks to decrease")
+	return false
+}

backend/internal/features/backups/backups/common/dto.go

@@ -0,0 +1,17 @@
+package common
+
+import backups_config "databasus-backend/internal/features/backups/config"
+
+type BackupType string
+
+const (
+	BackupTypeDefault   BackupType = "DEFAULT"   // For MySQL, MongoDB, PostgreSQL legacy (-Fc)
+	BackupTypeDirectory BackupType = "DIRECTORY" // PostgreSQL directory type (-Fd)
+)
+
+type BackupMetadata struct {
+	EncryptionSalt *string
+	EncryptionIV   *string
+	Encryption     backups_config.BackupEncryption
+	Type           BackupType
+}

backend/internal/features/backups/backups/controller.go

@@ -1,11 +1,15 @@
 package backups
 
 import (
+	"context"
+	backups_core "databasus-backend/internal/features/backups/backups/core"
+	backups_download "databasus-backend/internal/features/backups/backups/download"
+	"databasus-backend/internal/features/databases"
+	users_middleware "databasus-backend/internal/features/users/middleware"
 	"fmt"
 	"io"
 	"net/http"
-	"postgresus-backend/internal/features/databases"
-	users_middleware "postgresus-backend/internal/features/users/middleware"
+	"time"
 
 	"github.com/gin-gonic/gin"
 	"github.com/google/uuid"
@@ -18,11 +22,17 @@ type BackupController struct {
 func (c *BackupController) RegisterRoutes(router *gin.RouterGroup) {
 	router.GET("/backups", c.GetBackups)
 	router.POST("/backups", c.MakeBackup)
-	router.GET("/backups/:id/file", c.GetFile)
+	router.POST("/backups/:id/download-token", c.GenerateDownloadToken)
 	router.DELETE("/backups/:id", c.DeleteBackup)
 	router.POST("/backups/:id/cancel", c.CancelBackup)
 }
 
+// RegisterPublicRoutes registers routes that don't require Bearer authentication
+// (they have their own authentication mechanisms like download tokens)
+func (c *BackupController) RegisterPublicRoutes(router *gin.RouterGroup) {
+	router.GET("/backups/:id/file", c.GetFile)
+}
+
 // GetBackups
 // @Summary Get backups for a database
 // @Description Get paginated backups for the specified database
@@ -159,17 +169,17 @@ func (c *BackupController) CancelBackup(ctx *gin.Context) {
 	ctx.Status(http.StatusNoContent)
 }
 
-// GetFile
-// @Summary Download a backup file
-// @Description Download the backup file for the specified backup
+// GenerateDownloadToken
+// @Summary Generate short-lived download token
+// @Description Generate a token for downloading a backup file (valid for 5 minutes)
 // @Tags backups
 // @Param id path string true "Backup ID"
-// @Success 200 {file} file
+// @Success 200 {object} backups_download.GenerateDownloadTokenResponse
 // @Failure 400
 // @Failure 401
-// @Failure 500
-// @Router /backups/{id}/file [get]
-func (c *BackupController) GetFile(ctx *gin.Context) {
+// @Failure 409 {object} map[string]string "Download already in progress"
+// @Router /backups/{id}/download-token [post]
+func (c *BackupController) GenerateDownloadToken(ctx *gin.Context) {
 	user, ok := users_middleware.GetUserFromContext(ctx)
 	if !ok {
 		ctx.JSON(http.StatusUnauthorized, gin.H{"error": "User not authenticated"})
@@ -182,35 +192,197 @@ func (c *BackupController) GetFile(ctx *gin.Context) {
 		return
 	}
 
-	fileReader, dbType, err := c.backupService.GetBackupFile(user, id)
+	response, err := c.backupService.GenerateDownloadToken(user, id)
 	if err != nil {
+		if err == backups_download.ErrDownloadAlreadyInProgress {
+			ctx.JSON(
+				http.StatusConflict,
+				gin.H{
+					"error": "Download already in progress for some of backups. Please wait until previous download completed or cancel it",
+				},
+			)
+			return
+		}
 		ctx.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
 		return
 	}
+
+	ctx.JSON(http.StatusOK, response)
+}
+
+// GetFile
+// @Summary Download a backup file
+// @Description Download the backup file for the specified backup using a download token.
+// @Description
+// @Description **Download Concurrency Control:**
+// @Description - Only one download per user is allowed at a time
+// @Description - If a download is already in progress, returns 409 Conflict
+// @Description - Downloads are tracked using cache with 5-second TTL and 3-second heartbeat
+// @Description - Browser cancellations automatically release the download lock
+// @Description - Server crashes are handled via automatic cache expiry (5 seconds)
+// @Tags backups
+// @Param id path string true "Backup ID"
+// @Param token query string true "Download token"
+// @Success 200 {file} file
+// @Failure 400 {object} map[string]string
+// @Failure 401 {object} map[string]string
+// @Failure 409 {object} map[string]string "Download already in progress"
+// @Failure 500 {object} map[string]string
+// @Router /backups/{id}/file [get]
+func (c *BackupController) GetFile(ctx *gin.Context) {
+	token := ctx.Query("token")
+	if token == "" {
+		ctx.JSON(http.StatusUnauthorized, gin.H{"error": "download token is required"})
+		return
+	}
+
+	backupIDParam := ctx.Param("id")
+	backupID, err := uuid.Parse(backupIDParam)
+	if err != nil {
+		ctx.JSON(http.StatusBadRequest, gin.H{"error": "invalid backup ID"})
+		return
+	}
+
+	downloadToken, rateLimiter, err := c.backupService.ValidateDownloadToken(token)
+	if err != nil {
+		if err == backups_download.ErrDownloadAlreadyInProgress {
+			ctx.JSON(
+				http.StatusConflict,
+				gin.H{
+					"error": "download already in progress for this user. Please wait until previous download completed or cancel it",
+				},
+			)
+			return
+		}
+
+		ctx.JSON(http.StatusUnauthorized, gin.H{"error": "invalid or expired download token"})
+		return
+	}
+
+	if downloadToken.BackupID != backupID {
+		ctx.JSON(http.StatusUnauthorized, gin.H{"error": "invalid or expired download token"})
+		return
+	}
+
+	fileReader, backup, database, err := c.backupService.GetBackupFileWithoutAuth(
+		downloadToken.BackupID,
+	)
+	if err != nil {
+		c.backupService.UnregisterDownload(downloadToken.UserID)
+		c.backupService.ReleaseDownloadLock(downloadToken.UserID)
+		ctx.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	rateLimitedReader := backups_download.NewRateLimitedReader(fileReader, rateLimiter)
+
+	heartbeatCtx, cancelHeartbeat := context.WithCancel(context.Background())
 	defer func() {
-		if err := fileReader.Close(); err != nil {
+		cancelHeartbeat()
+		c.backupService.UnregisterDownload(downloadToken.UserID)
+		c.backupService.ReleaseDownloadLock(downloadToken.UserID)
+		if err := rateLimitedReader.Close(); err != nil {
 			fmt.Printf("Error closing file reader: %v\n", err)
 		}
 	}()
 
-	extension := ".dump.zst"
-	if dbType == databases.DatabaseTypeMysql {
-		extension = ".sql.zst"
+	go c.startDownloadHeartbeat(heartbeatCtx, downloadToken.UserID)
+
+	filename := c.generateBackupFilename(backup, database)
+
+	if backup.BackupSizeMb > 0 {
+		sizeBytes := int64(backup.BackupSizeMb * 1024 * 1024)
+		ctx.Header("Content-Length", fmt.Sprintf("%d", sizeBytes))
 	}
 
 	ctx.Header("Content-Type", "application/octet-stream")
 	ctx.Header(
 		"Content-Disposition",
-		fmt.Sprintf("attachment; filename=\"backup_%s%s\"", id.String(), extension),
+		fmt.Sprintf("attachment; filename=\"%s\"", filename),
 	)
 
-	_, err = io.Copy(ctx.Writer, fileReader)
+	_, err = io.Copy(ctx.Writer, rateLimitedReader)
 	if err != nil {
-		ctx.JSON(http.StatusInternalServerError, gin.H{"error": "failed to stream file"})
+		fmt.Printf("Error streaming file: %v\n", err)
 		return
 	}
+
+	c.backupService.WriteAuditLogForDownload(downloadToken.UserID, backup, database)
 }
 
 type MakeBackupRequest struct {
 	DatabaseID uuid.UUID `json:"database_id" binding:"required"`
 }
+
+func (c *BackupController) generateBackupFilename(
+	backup *backups_core.Backup,
+	database *databases.Database,
+) string {
+	// Format timestamp as YYYY-MM-DD_HH-mm-ss
+	timestamp := backup.CreatedAt.Format("2006-01-02_15-04-05")
+
+	// Sanitize database name for filename (replace spaces and special chars)
+	safeName := sanitizeFilename(database.Name)
+
+	// Determine extension based on database type
+	extension := c.getBackupExtension(database.Type)
+
+	return fmt.Sprintf("%s_backup_%s%s", safeName, timestamp, extension)
+}
+
+func (c *BackupController) getBackupExtension(
+	dbType databases.DatabaseType,
+) string {
+	switch dbType {
+	case databases.DatabaseTypeMysql, databases.DatabaseTypeMariadb:
+		return ".sql.zst"
+	case databases.DatabaseTypePostgres:
+		// PostgreSQL custom format
+		return ".dump"
+	case databases.DatabaseTypeMongodb:
+		return ".archive"
+	default:
+		return ".backup"
+	}
+}
+
+func sanitizeFilename(name string) string {
+	// Replace characters that are invalid in filenames
+	replacer := map[rune]rune{
+		' ':  '_',
+		'/':  '-',
+		'\\': '-',
+		':':  '-',
+		'*':  '-',
+		'?':  '-',
+		'"':  '-',
+		'<':  '-',
+		'>':  '-',
+		'|':  '-',
+	}
+
+	result := make([]rune, 0, len(name))
+	for _, char := range name {
+		if replacement, exists := replacer[char]; exists {
+			result = append(result, replacement)
+		} else {
+			result = append(result, char)
+		}
+	}
+
+	return string(result)
+}
+
+func (c *BackupController) startDownloadHeartbeat(ctx context.Context, userID uuid.UUID) {
+	ticker := time.NewTicker(backups_download.GetDownloadHeartbeatInterval())
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		case <-ticker.C:
+			c.backupService.RefreshDownloadLock(userID)
+		}
+	}
+}

backend/internal/features/backups/backups/core/enums.go

@@ -1,4 +1,4 @@
-package backups
+package backups_core
 
 type BackupStatus string
 

backend/internal/features/backups/backups/core/interfaces.go

@@ -1,13 +1,13 @@
-package backups
+package backups_core
 
 import (
 	"context"
 
-	usecases_common "postgresus-backend/internal/features/backups/backups/usecases/common"
-	backups_config "postgresus-backend/internal/features/backups/config"
-	"postgresus-backend/internal/features/databases"
-	"postgresus-backend/internal/features/notifiers"
-	"postgresus-backend/internal/features/storages"
+	usecases_common "databasus-backend/internal/features/backups/backups/common"
+	backups_config "databasus-backend/internal/features/backups/config"
+	"databasus-backend/internal/features/databases"
+	"databasus-backend/internal/features/notifiers"
+	"databasus-backend/internal/features/storages"
 
 	"github.com/google/uuid"
 )

backend/internal/features/backups/backups/core/model.go

@@ -1,7 +1,7 @@
-package backups
+package backups_core
 
 import (
-	backups_config "postgresus-backend/internal/features/backups/config"
+	backups_config "databasus-backend/internal/features/backups/config"
 	"time"
 
 	"github.com/google/uuid"
@@ -15,6 +15,7 @@ type Backup struct {
 
 	Status      BackupStatus `json:"status"      gorm:"column:status;not null"`
 	FailMessage *string      `json:"failMessage" gorm:"column:fail_message"`
+	IsSkipRetry bool         `json:"isSkipRetry" gorm:"column:is_skip_retry;type:boolean;not null"`
 
 	BackupSizeMb float64 `json:"backupSizeMb" gorm:"column:backup_size_mb;default:0"`
 

backend/internal/features/backups/backups/core/repository.go

@@ -1,8 +1,8 @@
-package backups
+package backups_core
 
 import (
+	"databasus-backend/internal/storage"
 	"errors"
-	"postgresus-backend/internal/storage"
 
 	"time"
 
@@ -212,3 +212,36 @@ func (r *BackupRepository) CountByDatabaseID(databaseID uuid.UUID) (int64, error
 
 	return count, nil
 }
+
+func (r *BackupRepository) GetTotalSizeByDatabase(databaseID uuid.UUID) (float64, error) {
+	var totalSize float64
+
+	if err := storage.
+		GetDb().
+		Model(&Backup{}).
+		Select("COALESCE(SUM(backup_size_mb), 0)").
+		Where("database_id = ? AND status != ?", databaseID, BackupStatusInProgress).
+		Scan(&totalSize).Error; err != nil {
+		return 0, err
+	}
+
+	return totalSize, nil
+}
+
+func (r *BackupRepository) FindOldestByDatabaseExcludingInProgress(
+	databaseID uuid.UUID,
+	limit int,
+) ([]*Backup, error) {
+	var backups []*Backup
+
+	if err := storage.
+		GetDb().
+		Where("database_id = ? AND status != ?", databaseID, BackupStatusInProgress).
+		Order("created_at ASC").
+		Limit(limit).
+		Find(&backups).Error; err != nil {
+		return nil, err
+	}
+
+	return backups, nil
+}

backend/internal/features/backups/backups/di.go

@@ -1,23 +1,28 @@
 package backups
 
 import (
-	"time"
+	"sync"
+	"sync/atomic"
 
-	audit_logs "postgresus-backend/internal/features/audit_logs"
-	"postgresus-backend/internal/features/backups/backups/usecases"
-	backups_config "postgresus-backend/internal/features/backups/config"
-	"postgresus-backend/internal/features/databases"
-	encryption_secrets "postgresus-backend/internal/features/encryption/secrets"
-	"postgresus-backend/internal/features/notifiers"
-	"postgresus-backend/internal/features/storages"
-	workspaces_services "postgresus-backend/internal/features/workspaces/services"
-	"postgresus-backend/internal/util/encryption"
-	"postgresus-backend/internal/util/logger"
+	audit_logs "databasus-backend/internal/features/audit_logs"
+	"databasus-backend/internal/features/backups/backups/backuping"
+	backups_core "databasus-backend/internal/features/backups/backups/core"
+	backups_download "databasus-backend/internal/features/backups/backups/download"
+	"databasus-backend/internal/features/backups/backups/usecases"
+	backups_config "databasus-backend/internal/features/backups/config"
+	"databasus-backend/internal/features/databases"
+	encryption_secrets "databasus-backend/internal/features/encryption/secrets"
+	"databasus-backend/internal/features/notifiers"
+	"databasus-backend/internal/features/storages"
+	task_cancellation "databasus-backend/internal/features/tasks/cancellation"
+	workspaces_services "databasus-backend/internal/features/workspaces/services"
+	"databasus-backend/internal/util/encryption"
+	"databasus-backend/internal/util/logger"
 )
 
-var backupRepository = &BackupRepository{}
+var backupRepository = &backups_core.BackupRepository{}
 
-var backupContextManager = NewBackupContextManager()
+var taskCancelManager = task_cancellation.GetTaskCancelManager()
 
 var backupService = &BackupService{
 	databases.GetDatabaseService(),
@@ -30,32 +35,17 @@ var backupService = &BackupService{
 	encryption.GetFieldEncryptor(),
 	usecases.GetCreateBackupUsecase(),
 	logger.GetLogger(),
-	[]BackupRemoveListener{},
+	[]backups_core.BackupRemoveListener{},
 	workspaces_services.GetWorkspaceService(),
 	audit_logs.GetAuditLogService(),
-	backupContextManager,
-}
-
-var backupBackgroundService = &BackupBackgroundService{
-	backupService,
-	backupRepository,
-	backups_config.GetBackupConfigService(),
-	storages.GetStorageService(),
-	time.Now().UTC(),
-	logger.GetLogger(),
+	taskCancelManager,
+	backups_download.GetDownloadTokenService(),
+	backuping.GetBackupsScheduler(),
+	backuping.GetBackupCleaner(),
 }
 
 var backupController = &BackupController{
-	backupService,
-}
-
-func SetupDependencies() {
-	backups_config.
-		GetBackupConfigService().
-		SetDatabaseStorageChangeListener(backupService)
-
-	databases.GetDatabaseService().AddDbRemoveListener(backupService)
-	databases.GetDatabaseService().AddDbCopyListener(backups_config.GetBackupConfigService())
+	backupService: backupService,
 }
 
 func GetBackupService() *BackupService {
@@ -66,6 +56,26 @@ func GetBackupController() *BackupController {
 	return backupController
 }
 
-func GetBackupBackgroundService() *BackupBackgroundService {
-	return backupBackgroundService
+var (
+	setupOnce sync.Once
+	isSetup   atomic.Bool
+)
+
+func SetupDependencies() {
+	wasAlreadySetup := isSetup.Load()
+
+	setupOnce.Do(func() {
+		backups_config.
+			GetBackupConfigService().
+			SetDatabaseStorageChangeListener(backupService)
+
+		databases.GetDatabaseService().AddDbRemoveListener(backupService)
+		databases.GetDatabaseService().AddDbCopyListener(backups_config.GetBackupConfigService())
+
+		isSetup.Store(true)
+	})
+
+	if wasAlreadySetup {
+		logger.GetLogger().Warn("SetupDependencies called multiple times, ignoring subsequent call")
+	}
 }

backend/internal/features/backups/backups/download/background.go

@@ -0,0 +1,50 @@
+package backups_download
+
+import (
+	"context"
+	"fmt"
+	"log/slog"
+	"sync"
+	"sync/atomic"
+	"time"
+)
+
+type DownloadTokenBackgroundService struct {
+	downloadTokenService *DownloadTokenService
+	logger               *slog.Logger
+
+	runOnce sync.Once
+	hasRun  atomic.Bool
+}
+
+func (s *DownloadTokenBackgroundService) Run(ctx context.Context) {
+	wasAlreadyRun := s.hasRun.Load()
+
+	s.runOnce.Do(func() {
+		s.hasRun.Store(true)
+
+		s.logger.Info("Starting download token cleanup background service")
+
+		if ctx.Err() != nil {
+			return
+		}
+
+		ticker := time.NewTicker(1 * time.Minute)
+		defer ticker.Stop()
+
+		for {
+			select {
+			case <-ctx.Done():
+				return
+			case <-ticker.C:
+				if err := s.downloadTokenService.CleanExpiredTokens(); err != nil {
+					s.logger.Error("Failed to clean expired download tokens", "error", err)
+				}
+			}
+		}
+	})
+
+	if wasAlreadyRun {
+		panic(fmt.Sprintf("%T.Run() called multiple times", s))
+	}
+}

backend/internal/features/backups/backups/download/bandwidth.go

@@ -0,0 +1,81 @@
+package backups_download
+
+import (
+	"fmt"
+	"sync"
+
+	"github.com/google/uuid"
+)
+
+type BandwidthManager struct {
+	mu                        sync.RWMutex
+	activeDownloads           map[uuid.UUID]*activeDownload
+	maxTotalBytesPerSecond    int64
+	bytesPerSecondPerDownload int64
+}
+
+type activeDownload struct {
+	userID      uuid.UUID
+	rateLimiter *RateLimiter
+}
+
+func NewBandwidthManager(throughputMBs int) *BandwidthManager {
+	// Use 75% of total throughput
+	maxBytes := int64(throughputMBs) * 1024 * 1024 * 75 / 100
+
+	return &BandwidthManager{
+		activeDownloads:           make(map[uuid.UUID]*activeDownload),
+		maxTotalBytesPerSecond:    maxBytes,
+		bytesPerSecondPerDownload: maxBytes,
+	}
+}
+
+func (bm *BandwidthManager) RegisterDownload(userID uuid.UUID) (*RateLimiter, error) {
+	bm.mu.Lock()
+	defer bm.mu.Unlock()
+
+	if _, exists := bm.activeDownloads[userID]; exists {
+		return nil, fmt.Errorf("download already registered for user %s", userID)
+	}
+
+	rateLimiter := NewRateLimiter(bm.bytesPerSecondPerDownload)
+
+	bm.activeDownloads[userID] = &activeDownload{
+		userID:      userID,
+		rateLimiter: rateLimiter,
+	}
+
+	bm.recalculateRates()
+
+	return rateLimiter, nil
+}
+
+func (bm *BandwidthManager) UnregisterDownload(userID uuid.UUID) {
+	bm.mu.Lock()
+	defer bm.mu.Unlock()
+
+	delete(bm.activeDownloads, userID)
+	bm.recalculateRates()
+}
+
+func (bm *BandwidthManager) GetActiveDownloadCount() int {
+	bm.mu.RLock()
+	defer bm.mu.RUnlock()
+	return len(bm.activeDownloads)
+}
+
+func (bm *BandwidthManager) recalculateRates() {
+	activeCount := len(bm.activeDownloads)
+
+	if activeCount == 0 {
+		bm.bytesPerSecondPerDownload = bm.maxTotalBytesPerSecond
+		return
+	}
+
+	newRate := bm.maxTotalBytesPerSecond / int64(activeCount)
+	bm.bytesPerSecondPerDownload = newRate
+
+	for _, download := range bm.activeDownloads {
+		download.rateLimiter.UpdateRate(newRate)
+	}
+}

backend/internal/features/backups/backups/download/bandwidth_test.go

@@ -0,0 +1,150 @@
+package backups_download
+
+import (
+	"testing"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_BandwidthManager_RegisterSingleDownload(t *testing.T) {
+	throughputMBs := 100
+	manager := NewBandwidthManager(throughputMBs)
+
+	expectedBytesPerSec := int64(100 * 1024 * 1024 * 75 / 100)
+	assert.Equal(t, expectedBytesPerSec, manager.maxTotalBytesPerSecond)
+	assert.Equal(t, expectedBytesPerSec, manager.bytesPerSecondPerDownload)
+
+	userID := uuid.New()
+	rateLimiter, err := manager.RegisterDownload(userID)
+	assert.NoError(t, err)
+	assert.NotNil(t, rateLimiter)
+
+	assert.Equal(t, 1, manager.GetActiveDownloadCount())
+	assert.Equal(t, expectedBytesPerSec, manager.bytesPerSecondPerDownload)
+	assert.Equal(t, expectedBytesPerSec, rateLimiter.bytesPerSecond)
+}
+
+func Test_BandwidthManager_RegisterMultipleDownloads_BandwidthShared(t *testing.T) {
+	throughputMBs := 100
+	manager := NewBandwidthManager(throughputMBs)
+
+	maxBytes := int64(100 * 1024 * 1024 * 75 / 100)
+
+	user1 := uuid.New()
+	rateLimiter1, err := manager.RegisterDownload(user1)
+	assert.NoError(t, err)
+	assert.Equal(t, maxBytes, rateLimiter1.bytesPerSecond)
+
+	user2 := uuid.New()
+	rateLimiter2, err := manager.RegisterDownload(user2)
+	assert.NoError(t, err)
+
+	expectedPerDownload := maxBytes / 2
+	assert.Equal(t, expectedPerDownload, manager.bytesPerSecondPerDownload)
+	assert.Equal(t, expectedPerDownload, rateLimiter1.bytesPerSecond)
+	assert.Equal(t, expectedPerDownload, rateLimiter2.bytesPerSecond)
+	assert.Equal(t, expectedPerDownload, rateLimiter2.bytesPerSecond)
+
+	user3 := uuid.New()
+	rateLimiter3, err := manager.RegisterDownload(user3)
+	assert.NoError(t, err)
+
+	expectedPerDownload = maxBytes / 3
+	assert.Equal(t, expectedPerDownload, manager.bytesPerSecondPerDownload)
+	assert.Equal(t, expectedPerDownload, rateLimiter1.bytesPerSecond)
+	assert.Equal(t, expectedPerDownload, rateLimiter2.bytesPerSecond)
+	assert.Equal(t, expectedPerDownload, rateLimiter3.bytesPerSecond)
+	assert.Equal(t, 3, manager.GetActiveDownloadCount())
+}
+
+func Test_BandwidthManager_UnregisterDownload_BandwidthRebalanced(t *testing.T) {
+	throughputMBs := 100
+	manager := NewBandwidthManager(throughputMBs)
+
+	maxBytes := int64(100 * 1024 * 1024 * 75 / 100)
+
+	user1 := uuid.New()
+	rateLimiter1, _ := manager.RegisterDownload(user1)
+
+	user2 := uuid.New()
+	_, _ = manager.RegisterDownload(user2)
+
+	user3 := uuid.New()
+	rateLimiter3, _ := manager.RegisterDownload(user3)
+
+	assert.Equal(t, 3, manager.GetActiveDownloadCount())
+	expectedPerDownload := maxBytes / 3
+	assert.Equal(t, expectedPerDownload, rateLimiter1.bytesPerSecond)
+
+	manager.UnregisterDownload(user2)
+
+	assert.Equal(t, 2, manager.GetActiveDownloadCount())
+	expectedPerDownload = maxBytes / 2
+	assert.Equal(t, expectedPerDownload, manager.bytesPerSecondPerDownload)
+	assert.Equal(t, expectedPerDownload, rateLimiter1.bytesPerSecond)
+	assert.Equal(t, expectedPerDownload, rateLimiter3.bytesPerSecond)
+
+	manager.UnregisterDownload(user1)
+
+	assert.Equal(t, 1, manager.GetActiveDownloadCount())
+	assert.Equal(t, maxBytes, manager.bytesPerSecondPerDownload)
+	assert.Equal(t, maxBytes, rateLimiter3.bytesPerSecond)
+
+	manager.UnregisterDownload(user3)
+	assert.Equal(t, 0, manager.GetActiveDownloadCount())
+	assert.Equal(t, maxBytes, manager.bytesPerSecondPerDownload)
+}
+
+func Test_BandwidthManager_RegisterDuplicateUser_ReturnsError(t *testing.T) {
+	manager := NewBandwidthManager(100)
+
+	userID := uuid.New()
+	_, err := manager.RegisterDownload(userID)
+	assert.NoError(t, err)
+
+	_, err = manager.RegisterDownload(userID)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "download already registered")
+}
+
+func Test_RateLimiter_TokenBucketBasic(t *testing.T) {
+	bytesPerSec := int64(1024 * 1024)
+	limiter := NewRateLimiter(bytesPerSec)
+
+	assert.Equal(t, bytesPerSec, limiter.bytesPerSecond)
+	assert.Equal(t, bytesPerSec*2, limiter.bucketSize)
+
+	start := time.Now()
+	limiter.Wait(512 * 1024)
+	elapsed := time.Since(start)
+
+	assert.Less(t, elapsed, 100*time.Millisecond)
+}
+
+func Test_RateLimiter_UpdateRate(t *testing.T) {
+	limiter := NewRateLimiter(1024 * 1024)
+
+	assert.Equal(t, int64(1024*1024), limiter.bytesPerSecond)
+
+	newRate := int64(2 * 1024 * 1024)
+	limiter.UpdateRate(newRate)
+
+	assert.Equal(t, newRate, limiter.bytesPerSecond)
+	assert.Equal(t, newRate*2, limiter.bucketSize)
+}
+
+func Test_RateLimiter_ThrottlesCorrectly(t *testing.T) {
+	bytesPerSec := int64(1024 * 1024)
+	limiter := NewRateLimiter(bytesPerSec)
+
+	limiter.availableTokens = 0
+
+	start := time.Now()
+	limiter.Wait(bytesPerSec / 2)
+	elapsed := time.Since(start)
+
+	assert.GreaterOrEqual(t, elapsed, 400*time.Millisecond)
+	assert.LessOrEqual(t, elapsed, 700*time.Millisecond)
+}

backend/internal/features/backups/backups/download/di.go

@@ -0,0 +1,53 @@
+package backups_download
+
+import (
+	"sync"
+	"sync/atomic"
+
+	"databasus-backend/internal/config"
+	cache_utils "databasus-backend/internal/util/cache"
+	"databasus-backend/internal/util/logger"
+)
+
+var downloadTokenRepository = &DownloadTokenRepository{}
+
+var downloadTracker = NewDownloadTracker(cache_utils.GetValkeyClient())
+
+var bandwidthManager *BandwidthManager
+var downloadTokenService *DownloadTokenService
+var downloadTokenBackgroundService *DownloadTokenBackgroundService
+
+func init() {
+	env := config.GetEnv()
+	throughputMBs := env.NodeNetworkThroughputMBs
+	if throughputMBs == 0 {
+		throughputMBs = 125
+	}
+	bandwidthManager = NewBandwidthManager(throughputMBs)
+
+	downloadTokenService = &DownloadTokenService{
+		downloadTokenRepository,
+		logger.GetLogger(),
+		downloadTracker,
+		bandwidthManager,
+	}
+
+	downloadTokenBackgroundService = &DownloadTokenBackgroundService{
+		downloadTokenService: downloadTokenService,
+		logger:               logger.GetLogger(),
+		runOnce:              sync.Once{},
+		hasRun:               atomic.Bool{},
+	}
+}
+
+func GetDownloadTokenService() *DownloadTokenService {
+	return downloadTokenService
+}
+
+func GetDownloadTokenBackgroundService() *DownloadTokenBackgroundService {
+	return downloadTokenBackgroundService
+}
+
+func GetBandwidthManager() *BandwidthManager {
+	return bandwidthManager
+}

backend/internal/features/backups/backups/download/dto.go

@@ -0,0 +1,9 @@
+package backups_download
+
+import "github.com/google/uuid"
+
+type GenerateDownloadTokenResponse struct {
+	Token    string    `json:"token"`
+	Filename string    `json:"filename"`
+	BackupID uuid.UUID `json:"backupId"`
+}

backend/internal/features/backups/backups/download/model.go

@@ -0,0 +1,21 @@
+package backups_download
+
+import (
+	"time"
+
+	"github.com/google/uuid"
+)
+
+type DownloadToken struct {
+	ID        uuid.UUID `json:"id"        gorm:"column:id;primaryKey"`
+	Token     string    `json:"token"     gorm:"column:token;uniqueIndex;not null"`
+	BackupID  uuid.UUID `json:"backupId"  gorm:"column:backup_id;not null"`
+	UserID    uuid.UUID `json:"userId"    gorm:"column:user_id;not null"`
+	ExpiresAt time.Time `json:"expiresAt" gorm:"column:expires_at;not null"`
+	Used      bool      `json:"used"      gorm:"column:used;not null;default:false"`
+	CreatedAt time.Time `json:"createdAt" gorm:"column:created_at;not null"`
+}
+
+func (DownloadToken) TableName() string {
+	return "download_tokens"
+}

backend/internal/features/backups/backups/download/rate_limiter.go

@@ -0,0 +1,101 @@
+package backups_download
+
+import (
+	"io"
+	"sync"
+	"time"
+)
+
+type RateLimiter struct {
+	mu              sync.Mutex
+	bytesPerSecond  int64
+	bucketSize      int64
+	availableTokens float64
+	lastRefill      time.Time
+}
+
+func NewRateLimiter(bytesPerSecond int64) *RateLimiter {
+	if bytesPerSecond <= 0 {
+		bytesPerSecond = 1024 * 1024 * 100
+	}
+
+	return &RateLimiter{
+		bytesPerSecond:  bytesPerSecond,
+		bucketSize:      bytesPerSecond * 2,
+		availableTokens: float64(bytesPerSecond * 2),
+		lastRefill:      time.Now().UTC(),
+	}
+}
+
+func (rl *RateLimiter) UpdateRate(bytesPerSecond int64) {
+	rl.mu.Lock()
+	defer rl.mu.Unlock()
+
+	if bytesPerSecond <= 0 {
+		bytesPerSecond = 1024 * 1024 * 100
+	}
+
+	rl.bytesPerSecond = bytesPerSecond
+	rl.bucketSize = bytesPerSecond * 2
+
+	if rl.availableTokens > float64(rl.bucketSize) {
+		rl.availableTokens = float64(rl.bucketSize)
+	}
+}
+
+func (rl *RateLimiter) Wait(bytes int64) {
+	rl.mu.Lock()
+	defer rl.mu.Unlock()
+
+	for {
+		now := time.Now().UTC()
+		elapsed := now.Sub(rl.lastRefill).Seconds()
+
+		tokensToAdd := elapsed * float64(rl.bytesPerSecond)
+		rl.availableTokens += tokensToAdd
+		if rl.availableTokens > float64(rl.bucketSize) {
+			rl.availableTokens = float64(rl.bucketSize)
+		}
+		rl.lastRefill = now
+
+		if rl.availableTokens >= float64(bytes) {
+			rl.availableTokens -= float64(bytes)
+			return
+		}
+
+		tokensNeeded := float64(bytes) - rl.availableTokens
+		waitTime := time.Duration(tokensNeeded/float64(rl.bytesPerSecond)*1000) * time.Millisecond
+
+		if waitTime < time.Millisecond {
+			waitTime = time.Millisecond
+		}
+
+		rl.mu.Unlock()
+		time.Sleep(waitTime)
+		rl.mu.Lock()
+	}
+}
+
+type RateLimitedReader struct {
+	reader      io.ReadCloser
+	rateLimiter *RateLimiter
+}
+
+func NewRateLimitedReader(reader io.ReadCloser, limiter *RateLimiter) *RateLimitedReader {
+	return &RateLimitedReader{
+		reader:      reader,
+		rateLimiter: limiter,
+	}
+}
+
+func (r *RateLimitedReader) Read(p []byte) (n int, err error) {
+	n, err = r.reader.Read(p)
+	if n > 0 {
+		r.rateLimiter.Wait(int64(n))
+	}
+	return n, err
+}
+
+func (r *RateLimitedReader) Close() error {
+	return r.reader.Close()
+}

backend/internal/features/backups/backups/download/repository.go

@@ -0,0 +1,60 @@
+package backups_download
+
+import (
+	"crypto/rand"
+	"databasus-backend/internal/storage"
+	"encoding/base64"
+	"time"
+
+	"github.com/google/uuid"
+	"gorm.io/gorm"
+)
+
+type DownloadTokenRepository struct{}
+
+func (r *DownloadTokenRepository) Create(token *DownloadToken) error {
+	if token.ID == uuid.Nil {
+		token.ID = uuid.New()
+	}
+	if token.CreatedAt.IsZero() {
+		token.CreatedAt = time.Now().UTC()
+	}
+	return storage.GetDb().Create(token).Error
+}
+
+func (r *DownloadTokenRepository) FindByToken(token string) (*DownloadToken, error) {
+	var downloadToken DownloadToken
+
+	err := storage.GetDb().
+		Where("token = ?", token).
+		First(&downloadToken).Error
+
+	if err != nil {
+		if err == gorm.ErrRecordNotFound {
+			return nil, nil
+		}
+		return nil, err
+	}
+
+	return &downloadToken, nil
+}
+
+func (r *DownloadTokenRepository) Update(token *DownloadToken) error {
+	return storage.GetDb().Save(token).Error
+}
+
+func (r *DownloadTokenRepository) DeleteExpired(before time.Time) error {
+	return storage.GetDb().
+		Where("expires_at < ?", before).
+		Delete(&DownloadToken{}).Error
+}
+
+func GenerateSecureToken() string {
+	b := make([]byte, 32)
+
+	if _, err := rand.Read(b); err != nil {
+		panic("failed to generate secure random token: " + err.Error())
+	}
+
+	return base64.URLEncoding.EncodeToString(b)
+}

backend/internal/features/backups/backups/download/service.go

@@ -0,0 +1,105 @@
+package backups_download
+
+import (
+	"errors"
+	"log/slog"
+	"time"
+
+	"github.com/google/uuid"
+)
+
+type DownloadTokenService struct {
+	repository       *DownloadTokenRepository
+	logger           *slog.Logger
+	downloadTracker  *DownloadTracker
+	bandwidthManager *BandwidthManager
+}
+
+func (s *DownloadTokenService) Generate(backupID, userID uuid.UUID) (string, error) {
+	if s.downloadTracker.IsDownloadInProgress(userID) {
+		return "", ErrDownloadAlreadyInProgress
+	}
+
+	token := GenerateSecureToken()
+
+	downloadToken := &DownloadToken{
+		Token:     token,
+		BackupID:  backupID,
+		UserID:    userID,
+		ExpiresAt: time.Now().UTC().Add(5 * time.Minute),
+		Used:      false,
+	}
+
+	if err := s.repository.Create(downloadToken); err != nil {
+		return "", err
+	}
+
+	s.logger.Info("Generated download token", "backupId", backupID, "userId", userID)
+	return token, nil
+}
+
+func (s *DownloadTokenService) ValidateAndConsume(
+	token string,
+) (*DownloadToken, *RateLimiter, error) {
+	dt, err := s.repository.FindByToken(token)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	if dt == nil {
+		return nil, nil, errors.New("invalid token")
+	}
+
+	if dt.Used {
+		return nil, nil, errors.New("token already used")
+	}
+
+	if time.Now().UTC().After(dt.ExpiresAt) {
+		return nil, nil, errors.New("token expired")
+	}
+
+	if err := s.downloadTracker.AcquireDownloadLock(dt.UserID); err != nil {
+		return nil, nil, err
+	}
+
+	rateLimiter, err := s.bandwidthManager.RegisterDownload(dt.UserID)
+	if err != nil {
+		s.downloadTracker.ReleaseDownloadLock(dt.UserID)
+		return nil, nil, err
+	}
+
+	dt.Used = true
+	if err := s.repository.Update(dt); err != nil {
+		s.logger.Error("Failed to mark token as used", "error", err)
+	}
+
+	s.logger.Info("Token validated and consumed", "backupId", dt.BackupID, "userId", dt.UserID)
+	return dt, rateLimiter, nil
+}
+
+func (s *DownloadTokenService) RefreshDownloadLock(userID uuid.UUID) {
+	s.downloadTracker.RefreshDownloadLock(userID)
+}
+
+func (s *DownloadTokenService) ReleaseDownloadLock(userID uuid.UUID) {
+	s.downloadTracker.ReleaseDownloadLock(userID)
+	s.logger.Info("Released download lock", "userId", userID)
+}
+
+func (s *DownloadTokenService) IsDownloadInProgress(userID uuid.UUID) bool {
+	return s.downloadTracker.IsDownloadInProgress(userID)
+}
+
+func (s *DownloadTokenService) UnregisterDownload(userID uuid.UUID) {
+	s.bandwidthManager.UnregisterDownload(userID)
+	s.logger.Info("Unregistered from bandwidth manager", "userId", userID)
+}
+
+func (s *DownloadTokenService) CleanExpiredTokens() error {
+	now := time.Now().UTC()
+	if err := s.repository.DeleteExpired(now); err != nil {
+		return err
+	}
+	s.logger.Debug("Cleaned expired download tokens")
+	return nil
+}

backend/internal/features/backups/backups/download/tracking.go

@@ -0,0 +1,66 @@
+package backups_download
+
+import (
+	cache_utils "databasus-backend/internal/util/cache"
+	"errors"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/valkey-io/valkey-go"
+)
+
+const (
+	downloadLockPrefix     = "backup_download_lock:"
+	downloadLockTTL        = 5 * time.Second
+	downloadLockValue      = "1"
+	downloadHeartbeatDelay = 3 * time.Second
+)
+
+var (
+	ErrDownloadAlreadyInProgress = errors.New("download already in progress for this user")
+)
+
+type DownloadTracker struct {
+	cache *cache_utils.CacheUtil[string]
+}
+
+func NewDownloadTracker(client valkey.Client) *DownloadTracker {
+	return &DownloadTracker{
+		cache: cache_utils.NewCacheUtil[string](client, downloadLockPrefix),
+	}
+}
+
+func (t *DownloadTracker) AcquireDownloadLock(userID uuid.UUID) error {
+	key := userID.String()
+
+	existingLock := t.cache.Get(key)
+	if existingLock != nil {
+		return ErrDownloadAlreadyInProgress
+	}
+
+	value := downloadLockValue
+	t.cache.Set(key, &value)
+
+	return nil
+}
+
+func (t *DownloadTracker) RefreshDownloadLock(userID uuid.UUID) {
+	key := userID.String()
+	value := downloadLockValue
+	t.cache.Set(key, &value)
+}
+
+func (t *DownloadTracker) ReleaseDownloadLock(userID uuid.UUID) {
+	key := userID.String()
+	t.cache.Invalidate(key)
+}
+
+func (t *DownloadTracker) IsDownloadInProgress(userID uuid.UUID) bool {
+	key := userID.String()
+	existingLock := t.cache.Get(key)
+	return existingLock != nil
+}
+
+func GetDownloadHeartbeatInterval() time.Duration {
+	return downloadHeartbeatDelay
+}

backend/internal/features/backups/backups/dto.go

@@ -1,8 +1,9 @@
 package backups
 
 import (
+	backups_core "databasus-backend/internal/features/backups/backups/core"
+	"databasus-backend/internal/features/backups/backups/encryption"
 	"io"
-	"postgresus-backend/internal/features/backups/backups/encryption"
 )
 
 type GetBackupsRequest struct {
@@ -12,17 +13,17 @@ type GetBackupsRequest struct {
 }
 
 type GetBackupsResponse struct {
-	Backups []*Backup `json:"backups"`
-	Total   int64     `json:"total"`
-	Limit   int       `json:"limit"`
-	Offset  int       `json:"offset"`
+	Backups []*backups_core.Backup `json:"backups"`
+	Total   int64                  `json:"total"`
+	Limit   int                    `json:"limit"`
+	Offset  int                    `json:"offset"`
 }
 
-type decryptionReaderCloser struct {
+type DecryptionReaderCloser struct {
 	*encryption.DecryptionReader
-	baseReader io.ReadCloser
+	BaseReader io.ReadCloser
 }
 
-func (r *decryptionReaderCloser) Close() error {
-	return r.baseReader.Close()
+func (r *DecryptionReaderCloser) Close() error {
+	return r.BaseReader.Close()
 }

backend/internal/features/backups/backups/mocks.go

@@ -1,19 +0,0 @@
-package backups
-
-import (
-	"postgresus-backend/internal/features/notifiers"
-
-	"github.com/stretchr/testify/mock"
-)
-
-type MockNotificationSender struct {
-	mock.Mock
-}
-
-func (m *MockNotificationSender) SendNotification(
-	notifier *notifiers.Notifier,
-	title string,
-	message string,
-) {
-	m.Called(notifier, title, message)
-}

backend/internal/features/backups/backups/service.go

@@ -1,26 +1,26 @@
 package backups
 
 import (
-	"context"
 	"encoding/base64"
 	"errors"
 	"fmt"
 	"io"
 	"log/slog"
-	"slices"
-	"strings"
-	"time"
 
-	audit_logs "postgresus-backend/internal/features/audit_logs"
-	"postgresus-backend/internal/features/backups/backups/encryption"
-	backups_config "postgresus-backend/internal/features/backups/config"
-	"postgresus-backend/internal/features/databases"
-	encryption_secrets "postgresus-backend/internal/features/encryption/secrets"
-	"postgresus-backend/internal/features/notifiers"
-	"postgresus-backend/internal/features/storages"
-	users_models "postgresus-backend/internal/features/users/models"
-	workspaces_services "postgresus-backend/internal/features/workspaces/services"
-	util_encryption "postgresus-backend/internal/util/encryption"
+	audit_logs "databasus-backend/internal/features/audit_logs"
+	"databasus-backend/internal/features/backups/backups/backuping"
+	backups_core "databasus-backend/internal/features/backups/backups/core"
+	backups_download "databasus-backend/internal/features/backups/backups/download"
+	"databasus-backend/internal/features/backups/backups/encryption"
+	backups_config "databasus-backend/internal/features/backups/config"
+	"databasus-backend/internal/features/databases"
+	encryption_secrets "databasus-backend/internal/features/encryption/secrets"
+	"databasus-backend/internal/features/notifiers"
+	"databasus-backend/internal/features/storages"
+	task_cancellation "databasus-backend/internal/features/tasks/cancellation"
+	users_models "databasus-backend/internal/features/users/models"
+	workspaces_services "databasus-backend/internal/features/workspaces/services"
+	util_encryption "databasus-backend/internal/util/encryption"
 
 	"github.com/google/uuid"
 )
@@ -28,25 +28,28 @@ import (
 type BackupService struct {
 	databaseService     *databases.DatabaseService
 	storageService      *storages.StorageService
-	backupRepository    *BackupRepository
+	backupRepository    *backups_core.BackupRepository
 	notifierService     *notifiers.NotifierService
-	notificationSender  NotificationSender
+	notificationSender  backups_core.NotificationSender
 	backupConfigService *backups_config.BackupConfigService
 	secretKeyService    *encryption_secrets.SecretKeyService
 	fieldEncryptor      util_encryption.FieldEncryptor
 
-	createBackupUseCase CreateBackupUsecase
+	createBackupUseCase backups_core.CreateBackupUsecase
 
 	logger *slog.Logger
 
-	backupRemoveListeners []BackupRemoveListener
+	backupRemoveListeners []backups_core.BackupRemoveListener
 
-	workspaceService     *workspaces_services.WorkspaceService
-	auditLogService      *audit_logs.AuditLogService
-	backupContextManager *BackupContextManager
+	workspaceService       *workspaces_services.WorkspaceService
+	auditLogService        *audit_logs.AuditLogService
+	taskCancelManager      *task_cancellation.TaskCancelManager
+	downloadTokenService   *backups_download.DownloadTokenService
+	backupSchedulerService *backuping.BackupsScheduler
+	backupCleaner          *backuping.BackupCleaner
 }
 
-func (s *BackupService) AddBackupRemoveListener(listener BackupRemoveListener) {
+func (s *BackupService) AddBackupRemoveListener(listener backups_core.BackupRemoveListener) {
 	s.backupRemoveListeners = append(s.backupRemoveListeners, listener)
 }
 
@@ -89,7 +92,7 @@ func (s *BackupService) MakeBackupWithAuth(
 		return errors.New("insufficient permissions to create backup for this database")
 	}
 
-	go s.MakeBackup(databaseID, true)
+	s.backupSchedulerService.StartBackup(databaseID, true)
 
 	s.auditLogService.WriteAuditLog(
 		fmt.Sprintf("Backup manually initiated for database: %s", database.Name),
@@ -173,7 +176,7 @@ func (s *BackupService) DeleteBackup(
 		return errors.New("insufficient permissions to delete backup for this database")
 	}
 
-	if backup.Status == BackupStatusInProgress {
+	if backup.Status == backups_core.BackupStatusInProgress {
 		return errors.New("backup is in progress")
 	}
 
@@ -187,268 +190,10 @@ func (s *BackupService) DeleteBackup(
 		database.WorkspaceID,
 	)
 
-	return s.deleteBackup(backup)
+	return s.backupCleaner.DeleteBackup(backup)
 }
 
-func (s *BackupService) MakeBackup(databaseID uuid.UUID, isLastTry bool) {
-	database, err := s.databaseService.GetDatabaseByID(databaseID)
-	if err != nil {
-		s.logger.Error("Failed to get database by ID", "error", err)
-		return
-	}
-
-	lastBackup, err := s.backupRepository.FindLastByDatabaseID(databaseID)
-	if err != nil {
-		s.logger.Error("Failed to find last backup by database ID", "error", err)
-		return
-	}
-
-	if lastBackup != nil && lastBackup.Status == BackupStatusInProgress {
-		s.logger.Error("Backup is in progress")
-		return
-	}
-
-	backupConfig, err := s.backupConfigService.GetBackupConfigByDbId(databaseID)
-	if err != nil {
-		s.logger.Error("Failed to get backup config by database ID", "error", err)
-		return
-	}
-
-	if !backupConfig.IsBackupsEnabled {
-		s.logger.Info("Backups are not enabled for this database")
-		return
-	}
-
-	if backupConfig.StorageID == nil {
-		s.logger.Error("Backup config storage ID is not defined")
-		return
-	}
-
-	storage, err := s.storageService.GetStorageByID(*backupConfig.StorageID)
-	if err != nil {
-		s.logger.Error("Failed to get storage by ID", "error", err)
-		return
-	}
-
-	backup := &Backup{
-		DatabaseID: databaseID,
-		StorageID:  storage.ID,
-
-		Status: BackupStatusInProgress,
-
-		BackupSizeMb: 0,
-
-		CreatedAt: time.Now().UTC(),
-	}
-
-	if err := s.backupRepository.Save(backup); err != nil {
-		s.logger.Error("Failed to save backup", "error", err)
-		return
-	}
-
-	start := time.Now().UTC()
-
-	backupProgressListener := func(
-		completedMBs float64,
-	) {
-		backup.BackupSizeMb = completedMBs
-		backup.BackupDurationMs = time.Since(start).Milliseconds()
-
-		if err := s.backupRepository.Save(backup); err != nil {
-			s.logger.Error("Failed to update backup progress", "error", err)
-		}
-	}
-
-	ctx, cancel := context.WithCancel(context.Background())
-	s.backupContextManager.RegisterBackup(backup.ID, cancel)
-	defer s.backupContextManager.UnregisterBackup(backup.ID)
-
-	backupMetadata, err := s.createBackupUseCase.Execute(
-		ctx,
-		backup.ID,
-		backupConfig,
-		database,
-		storage,
-		backupProgressListener,
-	)
-	if err != nil {
-		errMsg := err.Error()
-
-		// Check if backup was cancelled (not due to shutdown)
-		isCancelled := strings.Contains(errMsg, "backup cancelled") ||
-			strings.Contains(errMsg, "context canceled") ||
-			errors.Is(err, context.Canceled)
-		isShutdown := strings.Contains(errMsg, "shutdown")
-
-		if isCancelled && !isShutdown {
-			backup.Status = BackupStatusCanceled
-			backup.BackupDurationMs = time.Since(start).Milliseconds()
-			backup.BackupSizeMb = 0
-
-			if err := s.backupRepository.Save(backup); err != nil {
-				s.logger.Error("Failed to save cancelled backup", "error", err)
-			}
-
-			// Delete partial backup from storage
-			storage, storageErr := s.storageService.GetStorageByID(backup.StorageID)
-			if storageErr == nil {
-				if deleteErr := storage.DeleteFile(s.fieldEncryptor, backup.ID); deleteErr != nil {
-					s.logger.Error(
-						"Failed to delete partial backup file",
-						"backupId",
-						backup.ID,
-						"error",
-						deleteErr,
-					)
-				}
-			}
-
-			return
-		}
-
-		backup.FailMessage = &errMsg
-		backup.Status = BackupStatusFailed
-		backup.BackupDurationMs = time.Since(start).Milliseconds()
-		backup.BackupSizeMb = 0
-
-		if updateErr := s.databaseService.SetBackupError(databaseID, errMsg); updateErr != nil {
-			s.logger.Error(
-				"Failed to update database last backup time",
-				"databaseId",
-				databaseID,
-				"error",
-				updateErr,
-			)
-		}
-
-		if err := s.backupRepository.Save(backup); err != nil {
-			s.logger.Error("Failed to save backup", "error", err)
-		}
-
-		s.SendBackupNotification(
-			backupConfig,
-			backup,
-			backups_config.NotificationBackupFailed,
-			&errMsg,
-		)
-
-		return
-	}
-
-	backup.Status = BackupStatusCompleted
-	backup.BackupDurationMs = time.Since(start).Milliseconds()
-
-	// Update backup with encryption metadata if provided
-	if backupMetadata != nil {
-		backup.EncryptionSalt = backupMetadata.EncryptionSalt
-		backup.EncryptionIV = backupMetadata.EncryptionIV
-		backup.Encryption = backupMetadata.Encryption
-	}
-
-	if err := s.backupRepository.Save(backup); err != nil {
-		s.logger.Error("Failed to save backup", "error", err)
-		return
-	}
-
-	// Update database last backup time
-	now := time.Now().UTC()
-	if updateErr := s.databaseService.SetLastBackupTime(databaseID, now); updateErr != nil {
-		s.logger.Error(
-			"Failed to update database last backup time",
-			"databaseId",
-			databaseID,
-			"error",
-			updateErr,
-		)
-	}
-
-	if backup.Status != BackupStatusCompleted && !isLastTry {
-		return
-	}
-
-	s.SendBackupNotification(
-		backupConfig,
-		backup,
-		backups_config.NotificationBackupSuccess,
-		nil,
-	)
-}
-
-func (s *BackupService) SendBackupNotification(
-	backupConfig *backups_config.BackupConfig,
-	backup *Backup,
-	notificationType backups_config.BackupNotificationType,
-	errorMessage *string,
-) {
-	database, err := s.databaseService.GetDatabaseByID(backupConfig.DatabaseID)
-	if err != nil {
-		return
-	}
-
-	workspace, err := s.workspaceService.GetWorkspaceByID(*database.WorkspaceID)
-	if err != nil {
-		return
-	}
-
-	for _, notifier := range database.Notifiers {
-		if !slices.Contains(
-			backupConfig.SendNotificationsOn,
-			notificationType,
-		) {
-			continue
-		}
-
-		title := ""
-		switch notificationType {
-		case backups_config.NotificationBackupFailed:
-			title = fmt.Sprintf(
-				"❌ Backup failed for database \"%s\" (workspace \"%s\")",
-				database.Name,
-				workspace.Name,
-			)
-		case backups_config.NotificationBackupSuccess:
-			title = fmt.Sprintf(
-				"✅ Backup completed for database \"%s\" (workspace \"%s\")",
-				database.Name,
-				workspace.Name,
-			)
-		}
-
-		message := ""
-		if errorMessage != nil {
-			message = *errorMessage
-		} else {
-			// Format size conditionally
-			var sizeStr string
-			if backup.BackupSizeMb < 1024 {
-				sizeStr = fmt.Sprintf("%.2f MB", backup.BackupSizeMb)
-			} else {
-				sizeGB := backup.BackupSizeMb / 1024
-				sizeStr = fmt.Sprintf("%.2f GB", sizeGB)
-			}
-
-			// Format duration as "0m 0s 0ms"
-			totalMs := backup.BackupDurationMs
-			minutes := totalMs / (1000 * 60)
-			seconds := (totalMs % (1000 * 60)) / 1000
-			durationStr := fmt.Sprintf("%dm %ds", minutes, seconds)
-
-			message = fmt.Sprintf(
-				"Backup completed successfully in %s.\nCompressed backup size: %s",
-				durationStr,
-				sizeStr,
-			)
-		}
-
-		s.notificationSender.SendNotification(
-			&notifier,
-			title,
-			message,
-		)
-	}
-}
-
-func (s *BackupService) GetBackup(backupID uuid.UUID) (*Backup, error) {
+func (s *BackupService) GetBackup(backupID uuid.UUID) (*backups_core.Backup, error) {
 	return s.backupRepository.FindByID(backupID)
 }
 
@@ -478,11 +223,11 @@ func (s *BackupService) CancelBackup(
 		return errors.New("insufficient permissions to cancel backup for this database")
 	}
 
-	if backup.Status != BackupStatusInProgress {
+	if backup.Status != backups_core.BackupStatusInProgress {
 		return errors.New("backup is not in progress")
 	}
 
-	if err := s.backupContextManager.CancelBackup(backupID); err != nil {
+	if err := s.taskCancelManager.CancelTask(backupID); err != nil {
 		return err
 	}
 
@@ -502,19 +247,19 @@ func (s *BackupService) CancelBackup(
 func (s *BackupService) GetBackupFile(
 	user *users_models.User,
 	backupID uuid.UUID,
-) (io.ReadCloser, databases.DatabaseType, error) {
+) (io.ReadCloser, *backups_core.Backup, *databases.Database, error) {
 	backup, err := s.backupRepository.FindByID(backupID)
 	if err != nil {
-		return nil, "", err
+		return nil, nil, nil, err
 	}
 
 	database, err := s.databaseService.GetDatabaseByID(backup.DatabaseID)
 	if err != nil {
-		return nil, "", err
+		return nil, nil, nil, err
 	}
 
 	if database.WorkspaceID == nil {
-		return nil, "", errors.New("cannot download backup for database without workspace")
+		return nil, nil, nil, errors.New("cannot download backup for database without workspace")
 	}
 
 	canAccess, _, err := s.workspaceService.CanUserAccessWorkspace(
@@ -522,10 +267,12 @@ func (s *BackupService) GetBackupFile(
 		user,
 	)
 	if err != nil {
-		return nil, "", err
+		return nil, nil, nil, err
 	}
 	if !canAccess {
-		return nil, "", errors.New("insufficient permissions to download backup for this database")
+		return nil, nil, nil, errors.New(
+			"insufficient permissions to download backup for this database",
+		)
 	}
 
 	s.auditLogService.WriteAuditLog(
@@ -540,39 +287,16 @@ func (s *BackupService) GetBackupFile(
 
 	reader, err := s.getBackupReader(backupID)
 	if err != nil {
-		return nil, "", err
+		return nil, nil, nil, err
 	}
 
-	return reader, database.Type, nil
-}
-
-func (s *BackupService) deleteBackup(backup *Backup) error {
-	for _, listener := range s.backupRemoveListeners {
-		if err := listener.OnBeforeBackupRemove(backup); err != nil {
-			return err
-		}
-	}
-
-	storage, err := s.storageService.GetStorageByID(backup.StorageID)
-	if err != nil {
-		return err
-	}
-
-	err = storage.DeleteFile(s.fieldEncryptor, backup.ID)
-	if err != nil {
-		// we do not return error here, because sometimes clean up performed
-		// before unavailable storage removal or change - therefore we should
-		// proceed even in case of error
-		s.logger.Error("Failed to delete backup file", "error", err)
-	}
-
-	return s.backupRepository.DeleteByID(backup.ID)
+	return reader, backup, database, nil
 }
 
 func (s *BackupService) deleteDbBackups(databaseID uuid.UUID) error {
 	dbBackupsInProgress, err := s.backupRepository.FindByDatabaseIdAndStatus(
 		databaseID,
-		BackupStatusInProgress,
+		backups_core.BackupStatusInProgress,
 	)
 	if err != nil {
 		return err
@@ -590,7 +314,7 @@ func (s *BackupService) deleteDbBackups(databaseID uuid.UUID) error {
 	}
 
 	for _, dbBackup := range dbBackups {
-		err := s.deleteBackup(dbBackup)
+		err := s.backupCleaner.DeleteBackup(dbBackup)
 		if err != nil {
 			return err
 		}
@@ -681,8 +405,136 @@ func (s *BackupService) getBackupReader(backupID uuid.UUID) (io.ReadCloser, erro
 
 	s.logger.Info("Returning encrypted backup with decryption", "backupId", backupID)
 
-	return &decryptionReaderCloser{
-		decryptionReader,
-		fileReader,
+	return &DecryptionReaderCloser{
+		DecryptionReader: decryptionReader,
+		BaseReader:       fileReader,
 	}, nil
 }
+
+func (s *BackupService) GenerateDownloadToken(
+	user *users_models.User,
+	backupID uuid.UUID,
+) (*backups_download.GenerateDownloadTokenResponse, error) {
+	backup, err := s.backupRepository.FindByID(backupID)
+	if err != nil {
+		return nil, err
+	}
+
+	database, err := s.databaseService.GetDatabaseByID(backup.DatabaseID)
+	if err != nil {
+		return nil, err
+	}
+
+	if database.WorkspaceID == nil {
+		return nil, errors.New("cannot download backup for database without workspace")
+	}
+
+	canAccess, _, err := s.workspaceService.CanUserAccessWorkspace(*database.WorkspaceID, user)
+	if err != nil {
+		return nil, err
+	}
+	if !canAccess {
+		return nil, errors.New("insufficient permissions to download backup for this database")
+	}
+
+	token, err := s.downloadTokenService.Generate(backupID, user.ID)
+	if err != nil {
+		return nil, err
+	}
+
+	filename := s.generateBackupFilename(backup, database)
+
+	s.auditLogService.WriteAuditLog(
+		fmt.Sprintf("Download token generated for backup of database: %s", database.Name),
+		&user.ID,
+		database.WorkspaceID,
+	)
+
+	return &backups_download.GenerateDownloadTokenResponse{
+		Token:    token,
+		Filename: filename,
+		BackupID: backupID,
+	}, nil
+}
+
+func (s *BackupService) ValidateDownloadToken(
+	token string,
+) (*backups_download.DownloadToken, *backups_download.RateLimiter, error) {
+	return s.downloadTokenService.ValidateAndConsume(token)
+}
+
+func (s *BackupService) GetBackupFileWithoutAuth(
+	backupID uuid.UUID,
+) (io.ReadCloser, *backups_core.Backup, *databases.Database, error) {
+	backup, err := s.backupRepository.FindByID(backupID)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	database, err := s.databaseService.GetDatabaseByID(backup.DatabaseID)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	reader, err := s.getBackupReader(backupID)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	return reader, backup, database, nil
+}
+
+func (s *BackupService) WriteAuditLogForDownload(
+	userID uuid.UUID,
+	backup *backups_core.Backup,
+	database *databases.Database,
+) {
+	s.auditLogService.WriteAuditLog(
+		fmt.Sprintf(
+			"Backup file downloaded for database: %s (ID: %s)",
+			database.Name,
+			backup.ID.String(),
+		),
+		&userID,
+		database.WorkspaceID,
+	)
+}
+
+func (s *BackupService) RefreshDownloadLock(userID uuid.UUID) {
+	s.downloadTokenService.RefreshDownloadLock(userID)
+}
+
+func (s *BackupService) ReleaseDownloadLock(userID uuid.UUID) {
+	s.downloadTokenService.ReleaseDownloadLock(userID)
+}
+
+func (s *BackupService) IsDownloadInProgress(userID uuid.UUID) bool {
+	return s.downloadTokenService.IsDownloadInProgress(userID)
+}
+
+func (s *BackupService) UnregisterDownload(userID uuid.UUID) {
+	s.downloadTokenService.UnregisterDownload(userID)
+}
+
+func (s *BackupService) generateBackupFilename(
+	backup *backups_core.Backup,
+	database *databases.Database,
+) string {
+	timestamp := backup.CreatedAt.Format("2006-01-02_15-04-05")
+	safeName := sanitizeFilename(database.Name)
+	extension := s.getBackupExtension(database.Type)
+	return fmt.Sprintf("%s_backup_%s%s", safeName, timestamp, extension)
+}
+
+func (s *BackupService) getBackupExtension(dbType databases.DatabaseType) string {
+	switch dbType {
+	case databases.DatabaseTypeMysql, databases.DatabaseTypeMariadb:
+		return ".sql.zst"
+	case databases.DatabaseTypePostgres:
+		return ".dump"
+	case databases.DatabaseTypeMongodb:
+		return ".archive"
+	default:
+		return ".backup"
+	}
+}

backend/internal/features/backups/backups/service_test.go

@@ -1,203 +0,0 @@
-package backups
-
-import (
-	"context"
-	"errors"
-	"strings"
-	"testing"
-	"time"
-
-	"postgresus-backend/internal/features/backups/backups/usecases/common"
-	backups_config "postgresus-backend/internal/features/backups/config"
-	"postgresus-backend/internal/features/databases"
-	encryption_secrets "postgresus-backend/internal/features/encryption/secrets"
-	"postgresus-backend/internal/features/notifiers"
-	"postgresus-backend/internal/features/storages"
-	users_enums "postgresus-backend/internal/features/users/enums"
-	users_testing "postgresus-backend/internal/features/users/testing"
-	workspaces_services "postgresus-backend/internal/features/workspaces/services"
-	workspaces_testing "postgresus-backend/internal/features/workspaces/testing"
-	"postgresus-backend/internal/util/encryption"
-	"postgresus-backend/internal/util/logger"
-
-	"github.com/google/uuid"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/mock"
-)
-
-func Test_BackupExecuted_NotificationSent(t *testing.T) {
-	user := users_testing.CreateTestUser(users_enums.UserRoleAdmin)
-	router := CreateTestRouter()
-	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", user, router)
-	storage := storages.CreateTestStorage(workspace.ID)
-	notifier := notifiers.CreateTestNotifier(workspace.ID)
-	database := databases.CreateTestDatabase(workspace.ID, storage, notifier)
-	backups_config.EnableBackupsForTestDatabase(database.ID, storage)
-
-	defer func() {
-		// cleanup backups first
-		backups, _ := backupRepository.FindByDatabaseID(database.ID)
-		for _, backup := range backups {
-			backupRepository.DeleteByID(backup.ID)
-		}
-
-		databases.RemoveTestDatabase(database)
-		time.Sleep(50 * time.Millisecond) // Wait for cascading deletes
-		notifiers.RemoveTestNotifier(notifier)
-		storages.RemoveTestStorage(storage.ID)
-		workspaces_testing.RemoveTestWorkspace(workspace, router)
-	}()
-
-	t.Run("BackupFailed_FailNotificationSent", func(t *testing.T) {
-		mockNotificationSender := &MockNotificationSender{}
-		backupService := &BackupService{
-			databases.GetDatabaseService(),
-			storages.GetStorageService(),
-			backupRepository,
-			notifiers.GetNotifierService(),
-			mockNotificationSender,
-			backups_config.GetBackupConfigService(),
-			encryption_secrets.GetSecretKeyService(),
-			encryption.GetFieldEncryptor(),
-			&CreateFailedBackupUsecase{},
-			logger.GetLogger(),
-			[]BackupRemoveListener{},
-			workspaces_services.GetWorkspaceService(),
-			nil,
-			NewBackupContextManager(),
-		}
-
-		// Set up expectations
-		mockNotificationSender.On("SendNotification",
-			mock.Anything,
-			mock.MatchedBy(func(title string) bool {
-				return strings.Contains(title, "❌ Backup failed")
-			}),
-			mock.MatchedBy(func(message string) bool {
-				return strings.Contains(message, "backup failed")
-			}),
-		).Once()
-
-		backupService.MakeBackup(database.ID, true)
-
-		// Verify all expectations were met
-		mockNotificationSender.AssertExpectations(t)
-	})
-
-	t.Run("BackupSuccess_SuccessNotificationSent", func(t *testing.T) {
-		mockNotificationSender := &MockNotificationSender{}
-
-		// Set up expectations
-		mockNotificationSender.On("SendNotification",
-			mock.Anything,
-			mock.MatchedBy(func(title string) bool {
-				return strings.Contains(title, "✅ Backup completed")
-			}),
-			mock.MatchedBy(func(message string) bool {
-				return strings.Contains(message, "Backup completed successfully")
-			}),
-		).Once()
-
-		backupService := &BackupService{
-			databases.GetDatabaseService(),
-			storages.GetStorageService(),
-			backupRepository,
-			notifiers.GetNotifierService(),
-			mockNotificationSender,
-			backups_config.GetBackupConfigService(),
-			encryption_secrets.GetSecretKeyService(),
-			encryption.GetFieldEncryptor(),
-			&CreateSuccessBackupUsecase{},
-			logger.GetLogger(),
-			[]BackupRemoveListener{},
-			workspaces_services.GetWorkspaceService(),
-			nil,
-			NewBackupContextManager(),
-		}
-
-		backupService.MakeBackup(database.ID, true)
-
-		// Verify all expectations were met
-		mockNotificationSender.AssertExpectations(t)
-	})
-
-	t.Run("BackupSuccess_VerifyNotificationContent", func(t *testing.T) {
-		mockNotificationSender := &MockNotificationSender{}
-		backupService := &BackupService{
-			databases.GetDatabaseService(),
-			storages.GetStorageService(),
-			backupRepository,
-			notifiers.GetNotifierService(),
-			mockNotificationSender,
-			backups_config.GetBackupConfigService(),
-			encryption_secrets.GetSecretKeyService(),
-			encryption.GetFieldEncryptor(),
-			&CreateSuccessBackupUsecase{},
-			logger.GetLogger(),
-			[]BackupRemoveListener{},
-			workspaces_services.GetWorkspaceService(),
-			nil,
-			NewBackupContextManager(),
-		}
-
-		// capture arguments
-		var capturedNotifier *notifiers.Notifier
-		var capturedTitle string
-		var capturedMessage string
-
-		mockNotificationSender.On("SendNotification",
-			mock.Anything,
-			mock.AnythingOfType("string"),
-			mock.AnythingOfType("string"),
-		).Run(func(args mock.Arguments) {
-			capturedNotifier = args.Get(0).(*notifiers.Notifier)
-			capturedTitle = args.Get(1).(string)
-			capturedMessage = args.Get(2).(string)
-		}).Once()
-
-		backupService.MakeBackup(database.ID, true)
-
-		// Verify expectations were met
-		mockNotificationSender.AssertExpectations(t)
-
-		// Additional detailed assertions
-		assert.Contains(t, capturedTitle, "✅ Backup completed")
-		assert.Contains(t, capturedTitle, database.Name)
-		assert.Contains(t, capturedMessage, "Backup completed successfully")
-		assert.Contains(t, capturedMessage, "10.00 MB")
-		assert.Equal(t, notifier.ID, capturedNotifier.ID)
-	})
-}
-
-type CreateFailedBackupUsecase struct {
-}
-
-func (uc *CreateFailedBackupUsecase) Execute(
-	ctx context.Context,
-	backupID uuid.UUID,
-	backupConfig *backups_config.BackupConfig,
-	database *databases.Database,
-	storage *storages.Storage,
-	backupProgressListener func(completedMBs float64),
-) (*common.BackupMetadata, error) {
-	backupProgressListener(10)
-	return nil, errors.New("backup failed")
-}
-
-type CreateSuccessBackupUsecase struct{}
-
-func (uc *CreateSuccessBackupUsecase) Execute(
-	ctx context.Context,
-	backupID uuid.UUID,
-	backupConfig *backups_config.BackupConfig,
-	database *databases.Database,
-	storage *storages.Storage,
-	backupProgressListener func(completedMBs float64),
-) (*common.BackupMetadata, error) {
-	backupProgressListener(10)
-	return &common.BackupMetadata{
-		EncryptionSalt: nil,
-		EncryptionIV:   nil,
-		Encryption:     backups_config.BackupEncryptionNone,
-	}, nil
-}

backend/internal/features/backups/backups/testing.go

@@ -1,20 +1,97 @@
 package backups
 
 import (
-	backups_config "postgresus-backend/internal/features/backups/config"
-	"postgresus-backend/internal/features/databases"
-	workspaces_controllers "postgresus-backend/internal/features/workspaces/controllers"
-	workspaces_testing "postgresus-backend/internal/features/workspaces/testing"
+	"testing"
+	"time"
+
+	backups_core "databasus-backend/internal/features/backups/backups/core"
+	backups_config "databasus-backend/internal/features/backups/config"
+	"databasus-backend/internal/features/databases"
+	workspaces_controllers "databasus-backend/internal/features/workspaces/controllers"
+	workspaces_testing "databasus-backend/internal/features/workspaces/testing"
 
 	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
 )
 
 func CreateTestRouter() *gin.Engine {
-	return workspaces_testing.CreateTestRouter(
+	router := workspaces_testing.CreateTestRouter(
 		workspaces_controllers.GetWorkspaceController(),
 		workspaces_controllers.GetMembershipController(),
 		databases.GetDatabaseController(),
 		backups_config.GetBackupConfigController(),
 		GetBackupController(),
 	)
+
+	// Register public routes (no auth required - token-based)
+	v1 := router.Group("/api/v1")
+	GetBackupController().RegisterPublicRoutes(v1)
+
+	return router
+}
+
+// WaitForBackupCompletion waits for a new backup to be created and completed (or failed)
+// for the given database. It checks for backups with count greater than expectedInitialCount.
+func WaitForBackupCompletion(
+	t *testing.T,
+	databaseID uuid.UUID,
+	expectedInitialCount int,
+	timeout time.Duration,
+) {
+	deadline := time.Now().UTC().Add(timeout)
+
+	for time.Now().UTC().Before(deadline) {
+		backups, err := backupRepository.FindByDatabaseID(databaseID)
+		if err != nil {
+			t.Logf("WaitForBackupCompletion: error finding backups: %v", err)
+			time.Sleep(50 * time.Millisecond)
+			continue
+		}
+
+		t.Logf(
+			"WaitForBackupCompletion: found %d backups (expected > %d)",
+			len(backups),
+			expectedInitialCount,
+		)
+
+		if len(backups) > expectedInitialCount {
+			// Check if the newest backup has completed or failed
+			newestBackup := backups[0]
+			t.Logf("WaitForBackupCompletion: newest backup status: %s", newestBackup.Status)
+
+			if newestBackup.Status == backups_core.BackupStatusCompleted ||
+				newestBackup.Status == backups_core.BackupStatusFailed ||
+				newestBackup.Status == backups_core.BackupStatusCanceled {
+				t.Logf(
+					"WaitForBackupCompletion: backup finished with status %s",
+					newestBackup.Status,
+				)
+				return
+			}
+		}
+
+		time.Sleep(50 * time.Millisecond)
+	}
+
+	t.Logf("WaitForBackupCompletion: timeout waiting for backup to complete")
+}
+
+// CreateTestBackup creates a simple test backup record for testing purposes
+func CreateTestBackup(databaseID, storageID uuid.UUID) *backups_core.Backup {
+	backup := &backups_core.Backup{
+		ID:               uuid.New(),
+		DatabaseID:       databaseID,
+		StorageID:        storageID,
+		Status:           backups_core.BackupStatusCompleted,
+		BackupSizeMb:     10.5,
+		BackupDurationMs: 1000,
+		CreatedAt:        time.Now().UTC(),
+	}
+
+	repo := &backups_core.BackupRepository{}
+	if err := repo.Save(backup); err != nil {
+		panic(err)
+	}
+
+	return backup
 }

backend/internal/features/backups/backups/usecases/common/dto.go

@@ -1,9 +0,0 @@
-package common
-
-import backups_config "postgresus-backend/internal/features/backups/config"
-
-type BackupMetadata struct {
-	EncryptionSalt *string
-	EncryptionIV   *string
-	Encryption     backups_config.BackupEncryption
-}

backend/internal/features/backups/backups/usecases/create_backup_uc.go

@@ -4,14 +4,14 @@ import (
 	"context"
 	"errors"
 
-	usecases_common "postgresus-backend/internal/features/backups/backups/usecases/common"
-	usecases_mariadb "postgresus-backend/internal/features/backups/backups/usecases/mariadb"
-	usecases_mongodb "postgresus-backend/internal/features/backups/backups/usecases/mongodb"
-	usecases_mysql "postgresus-backend/internal/features/backups/backups/usecases/mysql"
-	usecases_postgresql "postgresus-backend/internal/features/backups/backups/usecases/postgresql"
-	backups_config "postgresus-backend/internal/features/backups/config"
-	"postgresus-backend/internal/features/databases"
-	"postgresus-backend/internal/features/storages"
+	common "databasus-backend/internal/features/backups/backups/common"
+	usecases_mariadb "databasus-backend/internal/features/backups/backups/usecases/mariadb"
+	usecases_mongodb "databasus-backend/internal/features/backups/backups/usecases/mongodb"
+	usecases_mysql "databasus-backend/internal/features/backups/backups/usecases/mysql"
+	usecases_postgresql "databasus-backend/internal/features/backups/backups/usecases/postgresql"
+	backups_config "databasus-backend/internal/features/backups/config"
+	"databasus-backend/internal/features/databases"
+	"databasus-backend/internal/features/storages"
 
 	"github.com/google/uuid"
 )
@@ -30,7 +30,7 @@ func (uc *CreateBackupUsecase) Execute(
 	database *databases.Database,
 	storage *storages.Storage,
 	backupProgressListener func(completedMBs float64),
-) (*usecases_common.BackupMetadata, error) {
+) (*common.BackupMetadata, error) {
 	switch database.Type {
 	case databases.DatabaseTypePostgres:
 		return uc.CreatePostgresqlBackupUsecase.Execute(

backend/internal/features/backups/backups/usecases/di.go

@@ -1,10 +1,10 @@
 package usecases
 
 import (
-	usecases_mariadb "postgresus-backend/internal/features/backups/backups/usecases/mariadb"
-	usecases_mongodb "postgresus-backend/internal/features/backups/backups/usecases/mongodb"
-	usecases_mysql "postgresus-backend/internal/features/backups/backups/usecases/mysql"
-	usecases_postgresql "postgresus-backend/internal/features/backups/backups/usecases/postgresql"
+	usecases_mariadb "databasus-backend/internal/features/backups/backups/usecases/mariadb"
+	usecases_mongodb "databasus-backend/internal/features/backups/backups/usecases/mongodb"
+	usecases_mysql "databasus-backend/internal/features/backups/backups/usecases/mysql"
+	usecases_postgresql "databasus-backend/internal/features/backups/backups/usecases/postgresql"
 )
 
 var createBackupUsecase = &CreateBackupUsecase{

backend/internal/features/backups/backups/usecases/mariadb/create_backup_uc.go

@@ -17,16 +17,16 @@ import (
 	"github.com/google/uuid"
 	"github.com/klauspost/compress/zstd"
 
-	"postgresus-backend/internal/config"
-	backup_encryption "postgresus-backend/internal/features/backups/backups/encryption"
-	usecases_common "postgresus-backend/internal/features/backups/backups/usecases/common"
-	backups_config "postgresus-backend/internal/features/backups/config"
-	"postgresus-backend/internal/features/databases"
-	mariadbtypes "postgresus-backend/internal/features/databases/databases/mariadb"
-	encryption_secrets "postgresus-backend/internal/features/encryption/secrets"
-	"postgresus-backend/internal/features/storages"
-	"postgresus-backend/internal/util/encryption"
-	"postgresus-backend/internal/util/tools"
+	"databasus-backend/internal/config"
+	common "databasus-backend/internal/features/backups/backups/common"
+	backup_encryption "databasus-backend/internal/features/backups/backups/encryption"
+	backups_config "databasus-backend/internal/features/backups/config"
+	"databasus-backend/internal/features/databases"
+	mariadbtypes "databasus-backend/internal/features/databases/databases/mariadb"
+	encryption_secrets "databasus-backend/internal/features/encryption/secrets"
+	"databasus-backend/internal/features/storages"
+	"databasus-backend/internal/util/encryption"
+	"databasus-backend/internal/util/tools"
 )
 
 const (
@@ -57,17 +57,13 @@ func (uc *CreateMariadbBackupUsecase) Execute(
 	db *databases.Database,
 	storage *storages.Storage,
 	backupProgressListener func(completedMBs float64),
-) (*usecases_common.BackupMetadata, error) {
+) (*common.BackupMetadata, error) {
 	uc.logger.Info(
 		"Creating MariaDB backup via mariadb-dump",
 		"databaseId", db.ID,
 		"storageId", storage.ID,
 	)
 
-	if !backupConfig.IsBackupsEnabled {
-		return nil, fmt.Errorf("backups are not enabled for this database: \"%s\"", db.Name)
-	}
-
 	mdb := db.Mariadb
 	if mdb == nil {
 		return nil, fmt.Errorf("mariadb database configuration is required")
@@ -111,16 +107,24 @@ func (uc *CreateMariadbBackupUsecase) buildMariadbDumpArgs(
 		"--user=" + mdb.Username,
 		"--single-transaction",
 		"--routines",
-		"--triggers",
-		"--events",
 		"--quick",
+		"--skip-extended-insert",
 		"--verbose",
 	}
 
+	if mdb.HasPrivilege("TRIGGER") {
+		args = append(args, "--triggers")
+	}
+
+	if mdb.HasPrivilege("EVENT") && !mdb.IsExcludeEvents {
+		args = append(args, "--events")
+	}
+
 	args = append(args, "--compress")
 
 	if mdb.IsHttps {
 		args = append(args, "--ssl")
+		args = append(args, "--skip-ssl-verify-server-cert")
 	}
 
 	if mdb.Database != nil && *mdb.Database != "" {
@@ -140,7 +144,7 @@ func (uc *CreateMariadbBackupUsecase) streamToStorage(
 	storage *storages.Storage,
 	backupProgressListener func(completedMBs float64),
 	mdbConfig *mariadbtypes.MariadbDatabase,
-) (*usecases_common.BackupMetadata, error) {
+) (*common.BackupMetadata, error) {
 	uc.logger.Info("Streaming MariaDB backup to storage", "mariadbBin", mariadbBin)
 
 	ctx, cancel := uc.createBackupContext(parentCtx)
@@ -196,7 +200,7 @@ func (uc *CreateMariadbBackupUsecase) streamToStorage(
 	if err != nil {
 		return nil, fmt.Errorf("failed to create zstd writer: %w", err)
 	}
-	countingWriter := usecases_common.NewCountingWriter(zstdWriter)
+	countingWriter := common.NewCountingWriter(zstdWriter)
 
 	saveErrCh := make(chan error, 1)
 	go func() {
@@ -264,11 +268,24 @@ func (uc *CreateMariadbBackupUsecase) createTempMyCnfFile(
 	mdbConfig *mariadbtypes.MariadbDatabase,
 	password string,
 ) (string, error) {
-	tempDir, err := os.MkdirTemp("", "mycnf")
+	tempFolder := config.GetEnv().TempFolder
+	if err := os.MkdirAll(tempFolder, 0700); err != nil {
+		return "", fmt.Errorf("failed to ensure temp folder exists: %w", err)
+	}
+	if err := os.Chmod(tempFolder, 0700); err != nil {
+		return "", fmt.Errorf("failed to set temp folder permissions: %w", err)
+	}
+
+	tempDir, err := os.MkdirTemp(tempFolder, "mycnf_"+uuid.New().String())
 	if err != nil {
 		return "", fmt.Errorf("failed to create temp directory: %w", err)
 	}
 
+	if err := os.Chmod(tempDir, 0700); err != nil {
+		_ = os.RemoveAll(tempDir)
+		return "", fmt.Errorf("failed to set temp directory permissions: %w", err)
+	}
+
 	myCnfFile := filepath.Join(tempDir, ".my.cnf")
 
 	content := fmt.Sprintf(`[client]
@@ -286,6 +303,7 @@ port=%d
 
 	err = os.WriteFile(myCnfFile, []byte(content), 0600)
 	if err != nil {
+		_ = os.RemoveAll(tempDir)
 		return "", fmt.Errorf("failed to write .my.cnf: %w", err)
 	}
 
@@ -401,8 +419,8 @@ func (uc *CreateMariadbBackupUsecase) setupBackupEncryption(
 	backupID uuid.UUID,
 	backupConfig *backups_config.BackupConfig,
 	storageWriter io.WriteCloser,
-) (io.Writer, *backup_encryption.EncryptionWriter, usecases_common.BackupMetadata, error) {
-	metadata := usecases_common.BackupMetadata{}
+) (io.Writer, *backup_encryption.EncryptionWriter, common.BackupMetadata, error) {
+	metadata := common.BackupMetadata{}
 
 	if backupConfig.Encryption != backups_config.BackupEncryptionEncrypted {
 		metadata.Encryption = backups_config.BackupEncryptionNone

backend/internal/features/backups/backups/usecases/mariadb/di.go

@@ -1,9 +1,9 @@
 package usecases_mariadb
 
 import (
-	"postgresus-backend/internal/features/encryption/secrets"
-	"postgresus-backend/internal/util/encryption"
-	"postgresus-backend/internal/util/logger"
+	"databasus-backend/internal/features/encryption/secrets"
+	"databasus-backend/internal/util/encryption"
+	"databasus-backend/internal/util/logger"
 )
 
 var createMariadbBackupUsecase = &CreateMariadbBackupUsecase{

backend/internal/features/backups/backups/usecases/mongodb/create_backup_uc.go

@@ -14,16 +14,16 @@ import (
 
 	"github.com/google/uuid"
 
-	"postgresus-backend/internal/config"
-	backup_encryption "postgresus-backend/internal/features/backups/backups/encryption"
-	usecases_common "postgresus-backend/internal/features/backups/backups/usecases/common"
-	backups_config "postgresus-backend/internal/features/backups/config"
-	"postgresus-backend/internal/features/databases"
-	mongodbtypes "postgresus-backend/internal/features/databases/databases/mongodb"
-	encryption_secrets "postgresus-backend/internal/features/encryption/secrets"
-	"postgresus-backend/internal/features/storages"
-	"postgresus-backend/internal/util/encryption"
-	"postgresus-backend/internal/util/tools"
+	"databasus-backend/internal/config"
+	common "databasus-backend/internal/features/backups/backups/common"
+	backup_encryption "databasus-backend/internal/features/backups/backups/encryption"
+	backups_config "databasus-backend/internal/features/backups/config"
+	"databasus-backend/internal/features/databases"
+	mongodbtypes "databasus-backend/internal/features/databases/databases/mongodb"
+	encryption_secrets "databasus-backend/internal/features/encryption/secrets"
+	"databasus-backend/internal/features/storages"
+	"databasus-backend/internal/util/encryption"
+	"databasus-backend/internal/util/tools"
 )
 
 const (
@@ -51,17 +51,13 @@ func (uc *CreateMongodbBackupUsecase) Execute(
 	db *databases.Database,
 	storage *storages.Storage,
 	backupProgressListener func(completedMBs float64),
-) (*usecases_common.BackupMetadata, error) {
+) (*common.BackupMetadata, error) {
 	uc.logger.Info(
 		"Creating MongoDB backup via mongodump",
 		"databaseId", db.ID,
 		"storageId", storage.ID,
 	)
 
-	if !backupConfig.IsBackupsEnabled {
-		return nil, fmt.Errorf("backups are not enabled for this database: \"%s\"", db.Name)
-	}
-
 	mdb := db.Mongodb
 	if mdb == nil {
 		return nil, fmt.Errorf("mongodb database configuration is required")
@@ -106,6 +102,13 @@ func (uc *CreateMongodbBackupUsecase) buildMongodumpArgs(
 		"--gzip",
 	}
 
+	// Use numParallelCollections based on CPU count
+	// Cap between 1 and 16 to balance performance and resource usage
+	parallelCollections := max(1, min(mdb.CpuCount, 16))
+	if parallelCollections > 1 {
+		args = append(args, "--numParallelCollections="+fmt.Sprintf("%d", parallelCollections))
+	}
+
 	return args
 }
 
@@ -117,7 +120,7 @@ func (uc *CreateMongodbBackupUsecase) streamToStorage(
 	args []string,
 	storage *storages.Storage,
 	backupProgressListener func(completedMBs float64),
-) (*usecases_common.BackupMetadata, error) {
+) (*common.BackupMetadata, error) {
 	uc.logger.Info("Streaming MongoDB backup to storage", "mongodumpBin", mongodumpBin)
 
 	ctx, cancel := uc.createBackupContext(parentCtx)
@@ -168,7 +171,7 @@ func (uc *CreateMongodbBackupUsecase) streamToStorage(
 		return nil, err
 	}
 
-	countingWriter := usecases_common.NewCountingWriter(finalWriter)
+	countingWriter := common.NewCountingWriter(finalWriter)
 
 	saveErrCh := make(chan error, 1)
 	go func() {
@@ -257,8 +260,8 @@ func (uc *CreateMongodbBackupUsecase) setupBackupEncryption(
 	backupID uuid.UUID,
 	backupConfig *backups_config.BackupConfig,
 	storageWriter io.WriteCloser,
-) (io.Writer, *backup_encryption.EncryptionWriter, usecases_common.BackupMetadata, error) {
-	backupMetadata := usecases_common.BackupMetadata{
+) (io.Writer, *backup_encryption.EncryptionWriter, common.BackupMetadata, error) {
+	backupMetadata := common.BackupMetadata{
 		Encryption: backups_config.BackupEncryptionNone,
 	}
 

backend/internal/features/backups/backups/usecases/mongodb/di.go

@@ -1,9 +1,9 @@
 package usecases_mongodb
 
 import (
-	encryption_secrets "postgresus-backend/internal/features/encryption/secrets"
-	"postgresus-backend/internal/util/encryption"
-	"postgresus-backend/internal/util/logger"
+	encryption_secrets "databasus-backend/internal/features/encryption/secrets"
+	"databasus-backend/internal/util/encryption"
+	"databasus-backend/internal/util/logger"
 )
 
 var createMongodbBackupUsecase = &CreateMongodbBackupUsecase{

backend/internal/features/backups/backups/usecases/mysql/create_backup_uc.go

@@ -17,16 +17,16 @@ import (
 	"github.com/google/uuid"
 	"github.com/klauspost/compress/zstd"
 
-	"postgresus-backend/internal/config"
-	backup_encryption "postgresus-backend/internal/features/backups/backups/encryption"
-	usecases_common "postgresus-backend/internal/features/backups/backups/usecases/common"
-	backups_config "postgresus-backend/internal/features/backups/config"
-	"postgresus-backend/internal/features/databases"
-	mysqltypes "postgresus-backend/internal/features/databases/databases/mysql"
-	encryption_secrets "postgresus-backend/internal/features/encryption/secrets"
-	"postgresus-backend/internal/features/storages"
-	"postgresus-backend/internal/util/encryption"
-	"postgresus-backend/internal/util/tools"
+	"databasus-backend/internal/config"
+	common "databasus-backend/internal/features/backups/backups/common"
+	backup_encryption "databasus-backend/internal/features/backups/backups/encryption"
+	backups_config "databasus-backend/internal/features/backups/config"
+	"databasus-backend/internal/features/databases"
+	mysqltypes "databasus-backend/internal/features/databases/databases/mysql"
+	encryption_secrets "databasus-backend/internal/features/encryption/secrets"
+	"databasus-backend/internal/features/storages"
+	"databasus-backend/internal/util/encryption"
+	"databasus-backend/internal/util/tools"
 )
 
 const (
@@ -57,17 +57,13 @@ func (uc *CreateMysqlBackupUsecase) Execute(
 	db *databases.Database,
 	storage *storages.Storage,
 	backupProgressListener func(completedMBs float64),
-) (*usecases_common.BackupMetadata, error) {
+) (*common.BackupMetadata, error) {
 	uc.logger.Info(
 		"Creating MySQL backup via mysqldump",
 		"databaseId", db.ID,
 		"storageId", storage.ID,
 	)
 
-	if !backupConfig.IsBackupsEnabled {
-		return nil, fmt.Errorf("backups are not enabled for this database: \"%s\"", db.Name)
-	}
-
 	my := db.Mysql
 	if my == nil {
 		return nil, fmt.Errorf("mysql database configuration is required")
@@ -109,13 +105,19 @@ func (uc *CreateMysqlBackupUsecase) buildMysqldumpArgs(my *mysqltypes.MysqlDatab
 		"--user=" + my.Username,
 		"--single-transaction",
 		"--routines",
-		"--triggers",
-		"--events",
 		"--set-gtid-purged=OFF",
 		"--quick",
+		"--skip-extended-insert",
 		"--verbose",
 	}
 
+	if my.HasPrivilege("TRIGGER") {
+		args = append(args, "--triggers")
+	}
+	if my.HasPrivilege("EVENT") {
+		args = append(args, "--events")
+	}
+
 	args = append(args, uc.getNetworkCompressionArgs(my.Version)...)
 
 	if my.IsHttps {
@@ -133,7 +135,7 @@ func (uc *CreateMysqlBackupUsecase) getNetworkCompressionArgs(version tools.Mysq
 	const zstdCompressionLevel = 5
 
 	switch version {
-	case tools.MysqlVersion80, tools.MysqlVersion84:
+	case tools.MysqlVersion80, tools.MysqlVersion84, tools.MysqlVersion9:
 		return []string{
 			"--compression-algorithms=zstd",
 			fmt.Sprintf("--zstd-compression-level=%d", zstdCompressionLevel),
@@ -155,7 +157,7 @@ func (uc *CreateMysqlBackupUsecase) streamToStorage(
 	storage *storages.Storage,
 	backupProgressListener func(completedMBs float64),
 	myConfig *mysqltypes.MysqlDatabase,
-) (*usecases_common.BackupMetadata, error) {
+) (*common.BackupMetadata, error) {
 	uc.logger.Info("Streaming MySQL backup to storage", "mysqlBin", mysqlBin)
 
 	ctx, cancel := uc.createBackupContext(parentCtx)
@@ -211,7 +213,7 @@ func (uc *CreateMysqlBackupUsecase) streamToStorage(
 	if err != nil {
 		return nil, fmt.Errorf("failed to create zstd writer: %w", err)
 	}
-	countingWriter := usecases_common.NewCountingWriter(zstdWriter)
+	countingWriter := common.NewCountingWriter(zstdWriter)
 
 	saveErrCh := make(chan error, 1)
 	go func() {
@@ -279,11 +281,24 @@ func (uc *CreateMysqlBackupUsecase) createTempMyCnfFile(
 	myConfig *mysqltypes.MysqlDatabase,
 	password string,
 ) (string, error) {
-	tempDir, err := os.MkdirTemp("", "mycnf")
+	tempFolder := config.GetEnv().TempFolder
+	if err := os.MkdirAll(tempFolder, 0700); err != nil {
+		return "", fmt.Errorf("failed to ensure temp folder exists: %w", err)
+	}
+	if err := os.Chmod(tempFolder, 0700); err != nil {
+		return "", fmt.Errorf("failed to set temp folder permissions: %w", err)
+	}
+
+	tempDir, err := os.MkdirTemp(tempFolder, "mycnf_"+uuid.New().String())
 	if err != nil {
 		return "", fmt.Errorf("failed to create temp directory: %w", err)
 	}
 
+	if err := os.Chmod(tempDir, 0700); err != nil {
+		_ = os.RemoveAll(tempDir)
+		return "", fmt.Errorf("failed to set temp directory permissions: %w", err)
+	}
+
 	myCnfFile := filepath.Join(tempDir, ".my.cnf")
 
 	content := fmt.Sprintf(`[client]
@@ -299,6 +314,7 @@ port=%d
 
 	err = os.WriteFile(myCnfFile, []byte(content), 0600)
 	if err != nil {
+		_ = os.RemoveAll(tempDir)
 		return "", fmt.Errorf("failed to write .my.cnf: %w", err)
 	}
 
@@ -414,8 +430,8 @@ func (uc *CreateMysqlBackupUsecase) setupBackupEncryption(
 	backupID uuid.UUID,
 	backupConfig *backups_config.BackupConfig,
 	storageWriter io.WriteCloser,
-) (io.Writer, *backup_encryption.EncryptionWriter, usecases_common.BackupMetadata, error) {
-	metadata := usecases_common.BackupMetadata{}
+) (io.Writer, *backup_encryption.EncryptionWriter, common.BackupMetadata, error) {
+	metadata := common.BackupMetadata{}
 
 	if backupConfig.Encryption != backups_config.BackupEncryptionEncrypted {
 		metadata.Encryption = backups_config.BackupEncryptionNone

backend/internal/features/backups/backups/usecases/mysql/di.go

@@ -1,9 +1,9 @@
 package usecases_mysql
 
 import (
-	"postgresus-backend/internal/features/encryption/secrets"
-	"postgresus-backend/internal/util/encryption"
-	"postgresus-backend/internal/util/logger"
+	"databasus-backend/internal/features/encryption/secrets"
+	"databasus-backend/internal/util/encryption"
+	"databasus-backend/internal/util/logger"
 )
 
 var createMysqlBackupUsecase = &CreateMysqlBackupUsecase{