feat: backup + preflight commands, decisions log, gitignore update
- tools/cmd/railiance-backup: pg_dump + config snapshot, age-encrypted, uploaded to Nextcloud file drop via curl PUT. Daily cron target. - tools/cmd/railiance-preflight: pre-migration safety gate — checks backup freshness, all repos clean/pushed, age key present. - bin/railiance: added backup and preflight subcommands. - DECISIONS.md: decision log (D1 ingress Nginx+Traefik, D2 Nextcloud backup). - .gitignore: exclude *backup-dropoff-link* files (contain upload tokens). - CLAUDE.md: state hub session protocol update. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
eb8a6902b6
commit
4381a079a2
6 changed files with 200 additions and 2 deletions
70
tools/cmd/railiance-backup
Executable file
70
tools/cmd/railiance-backup
Executable file
|
|
@ -0,0 +1,70 @@
|
|||
#!/usr/bin/env bash
|
||||
# tools/cmd/railiance-backup — backup custodian state to Nextcloud file drop
|
||||
set -euo pipefail
|
||||
|
||||
ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
|
||||
source "${ROOT}/lib/railiance-print.sh"
|
||||
|
||||
# ── Configuration ─────────────────────────────────────────────────────────────
|
||||
AGE_PUBLIC_KEY="age1zvryunvjhvpkmasskauga2heeg0ztnte9ymgppvjge36ekumk50syr3tsz"
|
||||
NC_WEBDAV_URL="https://nx4069.your-storageshare.de/public.php/webdav"
|
||||
NC_TOKEN="MfTBEjcJTGS8Ywo"
|
||||
PG_CONTAINER="infra-postgres-1"
|
||||
PG_USER="custodian"
|
||||
PG_DB="custodian"
|
||||
BACKUP_DIR="${XDG_CACHE_HOME:-$HOME/.cache}/railiance/backups"
|
||||
TS="$(date -u +%Y%m%dT%H%M%SZ)"
|
||||
|
||||
# ── Helpers ───────────────────────────────────────────────────────────────────
|
||||
nc_upload() {
|
||||
local file="$1" name="$2"
|
||||
curl -sf -u "${NC_TOKEN}:" -T "$file" "${NC_WEBDAV_URL}/${name}" \
|
||||
|| { bad "upload" "failed to upload ${name}"; exit 1; }
|
||||
}
|
||||
|
||||
# ── Main ──────────────────────────────────────────────────────────────────────
|
||||
mkdir -p "$BACKUP_DIR"
|
||||
print_hdr "Railiance Backup — ${TS}"
|
||||
|
||||
# 1. PostgreSQL
|
||||
ok "postgres" "dumping ${PG_DB}…"
|
||||
TMP_DB="${BACKUP_DIR}/db-${TS}.sql.age"
|
||||
docker exec "${PG_CONTAINER}" pg_dump -U "${PG_USER}" "${PG_DB}" \
|
||||
| age -r "${AGE_PUBLIC_KEY}" -o "${TMP_DB}"
|
||||
ok "postgres" "encrypted → $(basename "$TMP_DB")"
|
||||
nc_upload "${TMP_DB}" "db-${TS}.sql.age"
|
||||
ok "postgres" "uploaded to Nextcloud"
|
||||
|
||||
# 2. Config snapshot
|
||||
ok "config" "snapshotting ~/.claude/ ~/.claude.json .gitconfig…"
|
||||
TMP_CFG_TAR="${BACKUP_DIR}/config-${TS}.tar.gz"
|
||||
TMP_CFG="${BACKUP_DIR}/config-${TS}.tar.gz.age"
|
||||
tar -czf "${TMP_CFG_TAR}" \
|
||||
-C "$HOME" \
|
||||
--ignore-failed-read \
|
||||
.claude \
|
||||
.claude.json \
|
||||
.gitconfig \
|
||||
2>/dev/null || true
|
||||
age -r "${AGE_PUBLIC_KEY}" -o "${TMP_CFG}" "${TMP_CFG_TAR}"
|
||||
rm -f "${TMP_CFG_TAR}"
|
||||
ok "config" "encrypted → $(basename "$TMP_CFG")"
|
||||
nc_upload "${TMP_CFG}" "config-${TS}.tar.gz.age"
|
||||
ok "config" "uploaded to Nextcloud"
|
||||
|
||||
# 3. Prune local cache (keep last 7 of each type)
|
||||
find "${BACKUP_DIR}" -name "db-*.sql.age" | sort -r | tail -n +8 | xargs -r rm -f
|
||||
find "${BACKUP_DIR}" -name "config-*.tar.gz.age" | sort -r | tail -n +8 | xargs -r rm -f
|
||||
ok "cache" "local copies pruned (keep last 7)"
|
||||
|
||||
# 4. Write stamp (preflight reads this)
|
||||
echo "${TS}" > "${BACKUP_DIR}/.last-backup"
|
||||
|
||||
echo
|
||||
ok "done" "Backup complete — ${TS}"
|
||||
echo " DB: db-${TS}.sql.age"
|
||||
echo " Config: config-${TS}.tar.gz.age"
|
||||
echo
|
||||
echo " ⚠️ The age private key at ~/.config/age/railiance-backup.key"
|
||||
echo " MUST also be stored in your password manager or written down."
|
||||
echo " Without it you cannot decrypt these backups."
|
||||
Loading…
Add table
Add a link
Reference in a new issue