ops: add integration secret rotation and offsite backup alerting

2026-04-18 09:33:17 +01:00
parent 95633a6722
commit 81be9c5e42
13 changed files with 1105 additions and 16 deletions
--- a/infra/deploy/db-backup-job.sh
+++ b/infra/deploy/db-backup-job.sh
@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+APP_DIR="${APP_DIR:-/opt/proxpanel}"
+SECRET_FILE="${SECRET_FILE:-$APP_DIR/.backup.env}"
+
+BACKUP_SCRIPT="${APP_DIR}/infra/deploy/db-backup-encrypted.sh"
+REPLICATE_SCRIPT="${APP_DIR}/infra/deploy/db-backup-replicate-offsite.sh"
+NOTIFY_SCRIPT="${APP_DIR}/infra/deploy/notify-backup-alert.sh"
+
+job_failed() {
+  local line="$1"
+  local message="Daily backup job failed (line ${line}) on host $(hostname -f 2>/dev/null || hostname)"
+  APP_DIR="$APP_DIR" "$NOTIFY_SCRIPT" \
+    --event backup_failed \
+    --severity critical \
+    --status failed \
+    --source db-backup-job \
+    --message "$message" \
+    --context-json "{\"line\":${line}}"
+}
+
+main() {
+  trap 'job_failed $LINENO' ERR
+
+  APP_DIR="$APP_DIR" "$BACKUP_SCRIPT"
+  APP_DIR="$APP_DIR" "$REPLICATE_SCRIPT"
+
+  local send_success="false"
+  if [[ -f "$SECRET_FILE" ]]; then
+    # shellcheck disable=SC1090
+    source "$SECRET_FILE"
+    send_success="${BACKUP_ALERT_SEND_SUCCESS:-false}"
+  fi
+
+  if [[ "$send_success" == "true" ]]; then
+    APP_DIR="$APP_DIR" "$NOTIFY_SCRIPT" \
+      --event backup_success \
+      --severity info \
+      --status ok \
+      --source db-backup-job \
+      --message "Daily backup + offsite replication completed successfully"
+  fi
+
+  trap - ERR
+}
+
+main "$@"