fix(scripts): migrate to rclone from aws-cli and add cleanup actions

2026-06-06 14:24:17 +03:30
parent 09952319e8
commit caf482e9f4
4 changed files with 177 additions and 79 deletions

81
scripts/restore-from-s3.sh Normal file → Executable file

@@ -15,8 +15,7 @@ Environment:
DEPLOY_ROOT Deployment directory. Defaults to ~/qlockify-deployment.
S3_BACKUP_BUCKET S3 bucket name.
S3_BACKUP_PREFIX S3 object prefix. Defaults to qlockify.
S3_BACKUP_REGION S3 region. Defaults to us-east-1.
S3_BACKUP_ENDPOINT_URL Optional S3-compatible endpoint URL.
S3_BACKUP_ENDPOINT_URL S3-compatible endpoint URL.
S3_BACKUP_ACCESS_KEY_ID S3 access key.
S3_BACKUP_SECRET_ACCESS_KEY S3 secret key.
BACKUP_ENCRYPTION_PASSPHRASE Passphrase used to decrypt backup archives.
@@ -27,11 +26,11 @@ EOF
}
log() {
printf '[restore-s3] %s\n' "$*"
printf '[restore-rclone] %s\n' "$*"
}
fail() {
printf '[restore-s3] %s\n' "$*" >&2
printf '[restore-rclone] %s\n' "$*" >&2
exit 1
}
@@ -49,14 +48,6 @@ load_env() {
set +a
}
aws_s3() {
if [[ -n "${S3_BACKUP_ENDPOINT_URL:-}" ]]; then
aws --endpoint-url "$S3_BACKUP_ENDPOINT_URL" s3 "$@"
else
aws s3 "$@"
fi
}
normalize_prefix() {
local value="${1:-qlockify}"
value="${value#/}"
@@ -64,12 +55,19 @@ normalize_prefix() {
printf '%s' "$value"
}
latest_object_key() {
aws_s3 ls "s3://$S3_BACKUP_BUCKET/$S3_BACKUP_PREFIX/" --recursive \
| awk '{print $4}' \
rclone_remote_path() {
printf 'parspack:%s/%s' "$S3_BACKUP_BUCKET" "$S3_BACKUP_PREFIX"
}
latest_object_name() {
rclone lsf "$REMOTE_PATH" \
--config "$RCLONE_CONFIG" \
--s3-no-check-bucket \
--files-only \
| grep '\.tar\.gz\.enc$' \
| sort \
| tail -n 1
| tail -n 1 \
|| true
}
if [[ "${1:-}" == "-h" || "${1:-}" == "--help" ]]; then
@@ -83,7 +81,7 @@ REQUESTED_KEY="${1:-}"
exit 1
}
command -v aws >/dev/null 2>&1 || fail "aws CLI is required"
command -v rclone >/dev/null 2>&1 || fail "rclone is required"
command -v openssl >/dev/null 2>&1 || fail "openssl is required"
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
@@ -95,35 +93,48 @@ RESTORE_SCRIPT="$SCRIPT_DIR/restore.sh"
load_env "$DEPLOY_ENV"
S3_BACKUP_PREFIX="$(normalize_prefix "${S3_BACKUP_PREFIX:-qlockify}")"
S3_BACKUP_REGION="${S3_BACKUP_REGION:-us-east-1}"
require_var S3_BACKUP_BUCKET
require_var S3_BACKUP_ENDPOINT_URL
require_var S3_BACKUP_ACCESS_KEY_ID
require_var S3_BACKUP_SECRET_ACCESS_KEY
require_var BACKUP_ENCRYPTION_PASSPHRASE
export AWS_ACCESS_KEY_ID="$S3_BACKUP_ACCESS_KEY_ID"
export AWS_SECRET_ACCESS_KEY="$S3_BACKUP_SECRET_ACCESS_KEY"
export AWS_DEFAULT_REGION="$S3_BACKUP_REGION"
export AWS_EC2_METADATA_DISABLED=true
if [[ "$REQUESTED_KEY" == "latest" ]]; then
log "Resolving latest encrypted backup object"
OBJECT_KEY="$(latest_object_key)"
[[ -n "$OBJECT_KEY" ]] || fail "No encrypted backups found in s3://$S3_BACKUP_BUCKET/$S3_BACKUP_PREFIX/"
else
OBJECT_KEY="${REQUESTED_KEY#s3://$S3_BACKUP_BUCKET/}"
fi
WORK_DIR="$(mktemp -d)"
trap 'rm -rf "$WORK_DIR"' EXIT
ENCRYPTED_PATH="$WORK_DIR/$(basename "$OBJECT_KEY")"
RCLONE_CONFIG="$WORK_DIR/rclone.conf"
cat > "$RCLONE_CONFIG" <<EOF
[parspack]
type = s3
provider = Other
access_key_id = $S3_BACKUP_ACCESS_KEY_ID
secret_access_key = $S3_BACKUP_SECRET_ACCESS_KEY
endpoint = $S3_BACKUP_ENDPOINT_URL
acl = private
force_path_style = true
EOF
REMOTE_PATH="$(rclone_remote_path)"
if [[ "$REQUESTED_KEY" == "latest" ]]; then
log "Resolving latest encrypted backup object"
OBJECT_NAME="$(latest_object_name)"
[[ -n "$OBJECT_NAME" ]] || fail "No encrypted backups found in $REMOTE_PATH"
else
OBJECT_NAME="${REQUESTED_KEY##*/}"
fi
ENCRYPTED_PATH="$WORK_DIR/$OBJECT_NAME"
DECRYPTED_PATH="$WORK_DIR/${ENCRYPTED_PATH##*/}"
DECRYPTED_PATH="${DECRYPTED_PATH%.enc}"
log "Downloading encrypted backup from s3://$S3_BACKUP_BUCKET/$OBJECT_KEY"
aws_s3 cp "s3://$S3_BACKUP_BUCKET/$OBJECT_KEY" "$ENCRYPTED_PATH" --only-show-errors
log "Downloading encrypted backup from $REMOTE_PATH/$OBJECT_NAME"
rclone copyto "$REMOTE_PATH/$OBJECT_NAME" "$ENCRYPTED_PATH" \
--config "$RCLONE_CONFIG" \
--s3-no-check-bucket \
--progress
log "Decrypting backup archive"
openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
@@ -134,4 +145,4 @@ openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
log "Restoring decrypted backup archive"
DEPLOY_ROOT="$DEPLOY_ROOT" "$RESTORE_SCRIPT" "$DECRYPTED_PATH"
log "S3 restore completed from: s3://$S3_BACKUP_BUCKET/$OBJECT_KEY"
log "S3 restore completed from: $REMOTE_PATH/$OBJECT_NAME"
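Review bot: In the non-`latest` branch, `OBJECT_NAME="${REQUESTED_KEY##*/}"` keeps only the last path component, so a requested key outside `$S3_BACKUP_PREFIX` (or in a sub-directory of it) is silently fetched as `$REMOTE_PATH/<basename>`, which may not be the object the operator named. The old code kept the full key relative to the bucket. The name is also unchecked: an argument ending in `/` gives an empty name, and a name without `.enc` leaves `DECRYPTED_PATH` equal to `ENCRYPTED_PATH` after the `%.enc` strip, so the decrypt step (its arguments are outside the visible hunks) would presumably read and write the same file. I would add `[[ "$OBJECT_NAME" == *.tar.gz.enc ]] || fail "Unexpected backup object name: $REQUESTED_KEY"` after the `fi`, and reject a requested key whose directory part does not match the configured bucket and prefix. Separately, the `|| true` closing `latest_object_name` also swallows an `rclone lsf` failure, so, if `pipefail` is set (not visible here), an auth or network error ends up reported as "No encrypted backups found".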