ops: add production hardening automation for secrets, backups, and rollback
This commit is contained in:
Austin A
74
infra/deploy/db-backup-encrypted.sh
Executable file
74
infra/deploy/db-backup-encrypted.sh
Executable file
@@ -0,0 +1,74 @@
|
||||
#!/usr/bin/env bash
|
||||
set -Eeuo pipefail
|
||||
|
||||
APP_DIR="${APP_DIR:-/opt/proxpanel}"
|
||||
ENV_FILE="${ENV_FILE:-$APP_DIR/.env.production}"
|
||||
SECRET_FILE="${SECRET_FILE:-$APP_DIR/.backup.env}"
|
||||
BACKUP_ROOT="${BACKUP_ROOT:-/opt/proxpanel-backups/daily}"
|
||||
RETENTION_DAYS="${RETENTION_DAYS:-14}"
|
||||
|
||||
log() {
|
||||
printf '[%s] %s\n' "$(date -u +'%Y-%m-%d %H:%M:%S UTC')" "$*"
|
||||
}
|
||||
|
||||
die() {
|
||||
printf '[ERROR] %s\n' "$*" >&2
|
||||
exit 1
|
||||
}
|
||||
|
||||
require_file() {
|
||||
[[ -f "$1" ]] || die "Missing required file: $1"
|
||||
}
|
||||
|
||||
require_command() {
|
||||
command -v "$1" >/dev/null 2>&1 || die "Missing required command: $1"
|
||||
}
|
||||
|
||||
main() {
|
||||
require_command docker
|
||||
require_command openssl
|
||||
require_command sha256sum
|
||||
require_file "$ENV_FILE"
|
||||
require_file "$SECRET_FILE"
|
||||
|
||||
# shellcheck disable=SC1090
|
||||
source "$ENV_FILE"
|
||||
# shellcheck disable=SC1090
|
||||
source "$SECRET_FILE"
|
||||
|
||||
[[ -n "${BACKUP_ENCRYPTION_KEY:-}" ]] || die "BACKUP_ENCRYPTION_KEY is empty in $SECRET_FILE"
|
||||
export BACKUP_ENCRYPTION_KEY
|
||||
[[ -n "${POSTGRES_USER:-}" ]] || die "POSTGRES_USER missing in $ENV_FILE"
|
||||
[[ -n "${POSTGRES_DB:-}" ]] || die "POSTGRES_DB missing in $ENV_FILE"
|
||||
|
||||
local ts backup_dir plain_sql encrypted_sql
|
||||
ts="$(date -u +%Y%m%d-%H%M%S)"
|
||||
backup_dir="${BACKUP_ROOT}/${ts}"
|
||||
plain_sql="${backup_dir}/proxpanel.sql"
|
||||
encrypted_sql="${plain_sql}.enc"
|
||||
|
||||
mkdir -p "$backup_dir"
|
||||
chmod 700 "$backup_dir"
|
||||
|
||||
log "Creating plaintext dump"
|
||||
docker exec proxpanel-postgres pg_dump -U "$POSTGRES_USER" -d "$POSTGRES_DB" --clean --if-exists >"$plain_sql"
|
||||
|
||||
log "Encrypting dump"
|
||||
openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 \
|
||||
-in "$plain_sql" \
|
||||
-out "$encrypted_sql" \
|
||||
-pass env:BACKUP_ENCRYPTION_KEY
|
||||
|
||||
log "Writing checksum"
|
||||
sha256sum "$encrypted_sql" >"${encrypted_sql}.sha256"
|
||||
|
||||
rm -f "$plain_sql"
|
||||
chmod 600 "$encrypted_sql" "${encrypted_sql}.sha256"
|
||||
|
||||
log "Applying retention policy (${RETENTION_DAYS} days)"
|
||||
find "$BACKUP_ROOT" -mindepth 1 -maxdepth 1 -type d -mtime +"$RETENTION_DAYS" -exec rm -rf {} +
|
||||
|
||||
log "Encrypted backup created: $encrypted_sql"
|
||||
}
|
||||
|
||||
main "$@"
|
||||
Reference in New Issue
Block a user