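#!/usr/bin/env bash
# backup.sh — CONTRACT_004 backup producer (operator orchestrator).
#
#   ./backup/backup.sh [UTC-timestamp]
#
# The timestamp is supplied by the caller (CI/cron) per CONTRACT_004 §4.1; it
# defaults to now for manual runs. The operator contributes the Pulumi state
# (local file backend) and the secrets (from passphrase-encrypted config); the
# heavy lifting runs on the VM via backup-remote.sh. Result: a bundle in RustFS
# foundation-backups/<TS>/ replicated to the offsite bucket.
#
# Environment:
#   SSH_PRIVATE_KEY_PATH  private key for the VM
#                         (default: ~/.ssh/foundation-test_ed25519)
#
# Exit status: non-zero when any step fails, including the remote assembler.
set -euo pipefail

#######################################
# Print a diagnostic to stderr and exit 1.
# Arguments: $* - message
#######################################
die() {
  printf 'backup: %s\n' "$*" >&2
  exit 1
}

#######################################
# Read one value from the selected Pulumi stack's config.
# Arguments: $1 - config key
# Outputs:   the value (decrypted for secrets) on stdout
# Returns:   pulumi's exit status
#######################################
cfg() {
  pulumi config get "$1"
}

#######################################
# Reject a timestamp that cannot be embedded safely in the remote command line
# and remote paths. The exact format is fixed by CONTRACT_004 §4.1 (not
# visible here), so only the character set is enforced: the default
# %Y%m%dT%H%M%SZ form and ISO-style variants pass; quotes, spaces, slashes and
# shell metacharacters do not.
# Arguments: $1 - timestamp
# Returns:   0 if acceptable, 1 otherwise
#######################################
validate_ts() {
  [[ "$1" =~ ^[[:alnum:]._:-]+$ ]]
}

#######################################
# Orchestrate one backup run.
# Globals:   exports PULUMI_BACKEND_URL, PULUMI_CONFIG_PASSPHRASE; reads
#            SSH_PRIVATE_KEY_PATH, HOME
# Arguments: $1 - optional UTC timestamp (default: now)
# Outputs:   progress lines on stdout
# Returns:   0 on success; exits non-zero otherwise
#######################################
main() {
  local root dir ts key mc_image passphrase
  root="$(cd "$(dirname "$0")/.." && pwd)"
  dir="$root/bootstrap"
  ts="${1:-$(date -u +%Y%m%dT%H%M%SZ)}"
  # The timestamp comes from argv and is spliced into remote paths and the
  # remote command line, so it is checked before anything is sent to the VM.
  validate_ts "$ts" || die "refusing timestamp with unsafe characters: $ts"

  export PULUMI_BACKEND_URL="file://${dir}/state"
  # Assignment kept separate from export: `export X="$(pass …)"` returns
  # export's status, so a failing `pass` would slip past set -e and leave an
  # empty passphrase for pulumi to fail on later with a misleading error.
  passphrase="$(pass olsitec-foundation/PULUMI_CONFIG_PASSPHRASE)" \
    || die "could not read PULUMI_CONFIG_PASSPHRASE from pass"
  export PULUMI_CONFIG_PASSPHRASE="$passphrase"

  key="${SSH_PRIVATE_KEY_PATH:-${HOME}/.ssh/foundation-test_ed25519}"
  [[ -r "$key" ]] || die "ssh private key not readable: $key"
  mc_image="$(grep '^IMAGE_MC=' "$root/VERSIONS" | cut -d= -f2-)"
  [[ -n "$mc_image" ]] || die "IMAGE_MC not set in $root/VERSIONS"

  cd "$dir"
  pulumi stack select foundation >/dev/null

  local rt off_ep off_ak off_sk bucket age_recipient host port suser
  rt=$(cfg vaultCredentials:rootToken)
  off_ep=$(cfg foundation:backup.offsiteEndpoint)
  off_ak=$(cfg foundation:backup.offsiteAccessKey)
  off_sk=$(cfg foundation:backup.offsiteSecretKey)
  bucket=$(cfg foundation:backup.bucket)
  age_recipient=$(cfg foundation:backup.ageRecipient)  # public; CONTRACT_004 §4.3
  host=$(cfg foundation:vm.host)
  port=$(cfg foundation:vm.sshPort)
  suser=$(cfg foundation:vm.user)

  # This channel carries the Vault root token and the offsite credentials, so
  # the VM's host key is verified: first contact pins it in the default
  # known_hosts, and a later mismatch aborts the run instead of delivering the
  # secrets to whoever answers on that address. The array form keeps each
  # option a single word even if the key path contains spaces.
  local -a sshx=(
    ssh -o StrictHostKeyChecking=accept-new -o ConnectTimeout=15
    -i "$key" -p "$port" "$suser@$host"
  )
  # Work dir on the VM. NOTE(review): backup-remote.sh presumably derives this
  # same path from TS (not visible here), so the name is part of the contract;
  # it is predictable under a shared /tmp — confirm the VM's /tmp is not shared
  # with untrusted local users.
  local w="/tmp/foundation-backup-$ts"
  local remote_script="/tmp/backup-remote-$ts.sh"

  printf 'backup: %s -> rfs/%s/%s (+ offsite)\n' "$ts" "$bucket" "$ts"

  # Pulumi state + the assembler script onto the VM.
  pulumi stack export | "${sshx[@]}" "mkdir -p $w && cat > $w/pulumi-state.json"
  "${sshx[@]}" "cat > $remote_script" < "$root/backup/backup-remote.sh"

  # Run the assembler: secrets on stdin (never argv); TS, MC_IMAGE, age
  # recipient as args. The assembler's exit status is carried across the
  # cleanup `rm`: a plain `sh …; rm -f …` reports rm's status, which turned a
  # failed backup into "done". The escaped \$ reach the remote shell literally.
  printf '%s\n%s\n%s\n%s\n%s\n' "$rt" "$off_ep" "$off_ak" "$off_sk" "$bucket" \
    | "${sshx[@]}" "sh $remote_script '$ts' '$mc_image' '$age_recipient'; rc=\$?; rm -f $remote_script; exit \$rc"

  printf 'backup: done (%s)\n' "$ts"
}

main "$@"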