Close the known gap: backup bundles were uploaded unencrypted, relying
solely on destination access control. Now every data artifact is
age-encrypted on the VM before upload and decrypted on restore.
- backup-remote.sh: assemble rustfs blobs into rustfs-blobs.tar.zst (so the
whole bundle is one encrypted unit), then age -r <recipient> each artifact
to <name>.age and drop the plaintext. MANIFEST.json stays cleartext — it
is the inventory + integrity gate and carries no secrets; it records each
artifact's PLAINTEXT sha256 so restore verifies after decrypt.
- restore-remote.sh: materialise the age identity to a 0600 file, decrypt
each .age, then run the existing sha + scratch-restore asserts; add a
rustfs-blobs extract+assert.
- backup.sh / restore.sh: pass the public recipient (arg) / secret identity
(stdin, never argv) from passphrase-encrypted config.
- provision/index.ts: install age + zstd on the VM via cloud-init so a fresh
DR VM (T13) has the backup tools from first boot.
- Pulumi.foundation.yaml: seed backup.ageRecipient (public) + backup.ageIdentity
(secure:). The identity lives in config so {repo + passphrase} can decrypt a
bundle even after total Vault loss (CONTRACT_004 §4.3).
Validated live: encrypted backup + restore-verify PASS from both RustFS and
offsite; bucket shows only *.age + cleartext MANIFEST.json.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
34 lines
1.8 KiB
Bash
Executable file
34 lines
1.8 KiB
Bash
Executable file
#!/usr/bin/env bash
|
|
# restore.sh — CONTRACT_004 §4.6 restore verifier (operator orchestrator).
|
|
#
|
|
# ./backup/restore.sh <UTC-timestamp> [rfs|off]
|
|
#
|
|
# Pulls the bundle (default from RustFS; `off` checks the offsite copy) and asserts
|
|
# it reconstructs into scratch resources — NON-DESTRUCTIVE, it never touches the
|
|
# live platform. The real disaster restore is dr/restore-to-fresh-vm.sh (T13).
|
|
set -euo pipefail
|
|
ROOT="$(cd "$(dirname "$0")/.." && pwd)"
|
|
DIR="$ROOT/bootstrap"
|
|
TS="${1:?usage: restore.sh <UTC-timestamp> [rfs|off]}"
|
|
SRC="${2:-rfs}"
|
|
export PULUMI_BACKEND_URL="file://${DIR}/state"
|
|
export PULUMI_CONFIG_PASSPHRASE="$(pass olsitec-foundation/PULUMI_CONFIG_PASSPHRASE)"
|
|
KEY="${SSH_PRIVATE_KEY_PATH:-${HOME}/.ssh/foundation-test_ed25519}"
|
|
MC_IMAGE="$(grep '^IMAGE_MC=' "$ROOT/VERSIONS" | cut -d= -f2-)"
|
|
PG_IMAGE="$(grep '^IMAGE_POSTGRES=' "$ROOT/VERSIONS" | cut -d= -f2-)"
|
|
cd "$DIR"
|
|
pulumi stack select foundation >/dev/null
|
|
|
|
OFF_EP=$(pulumi config get foundation:backup.offsiteEndpoint)
|
|
OFF_AK=$(pulumi config get foundation:backup.offsiteAccessKey)
|
|
OFF_SK=$(pulumi config get foundation:backup.offsiteSecretKey)
|
|
BUCKET=$(pulumi config get foundation:backup.bucket)
|
|
AGE_IDENTITY=$(pulumi config get foundation:backup.ageIdentity) # secret; CONTRACT_004 §4.3
|
|
HOST=$(pulumi config get foundation:vm.host)
|
|
PORT=$(pulumi config get foundation:vm.sshPort)
|
|
SUSER=$(pulumi config get foundation:vm.user)
|
|
SSHX="ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=15 -i $KEY -p $PORT $SUSER@$HOST"
|
|
|
|
$SSHX "cat > /tmp/restore-remote-$TS.sh" < "$ROOT/backup/restore-remote.sh"
|
|
printf '%s\n%s\n%s\n%s\n%s\n' "$OFF_EP" "$OFF_AK" "$OFF_SK" "$BUCKET" "$AGE_IDENTITY" \
|
|
| $SSHX "sh /tmp/restore-remote-$TS.sh '$TS' '$MC_IMAGE' '$PG_IMAGE' '$SRC'; rm -f /tmp/restore-remote-$TS.sh"
|