fix: adding db recovery practices (bye bye db)
Some checks failed
Security Tests / security-non-db (push) Successful in 18s
Security Tests / security-db (push) Successful in 23s
Deploy / deploy (push) Has been cancelled

2026-03-02 11:16:52 -06:00
parent 301b3f8967
commit d9df9b0fe4
11 changed files with 409 additions and 15 deletions


@@ -1,11 +1,6 @@
#!/usr/bin/env bash
set -euo pipefail
if [[ -z "${DATABASE_URL:-}" && -z "${BACKUP_DATABASE_URL:-}" ]]; then
echo "DATABASE_URL or BACKUP_DATABASE_URL is required."
exit 1
fi
ENV_FILE="${ENV_FILE:-./.env}"
if [[ -f "$ENV_FILE" ]]; then
set -a
@@ -14,6 +9,48 @@ if [[ -f "$ENV_FILE" ]]; then
set +a
fi
if [[ -z "${DATABASE_URL:-}" && -z "${BACKUP_DATABASE_URL:-}" ]]; then
echo "DATABASE_URL or BACKUP_DATABASE_URL is required."
exit 1
fi
BACKUP_URL="${BACKUP_DATABASE_URL:-$DATABASE_URL}"
extract_host() {
local url="$1"
sed -E 's#^[a-zA-Z][a-zA-Z0-9+.-]*://[^@/]+@([^/:?]+).*$#\1#' <<< "$url"
}
extract_db() {
local url="$1"
sed -E 's#^[a-zA-Z][a-zA-Z0-9+.-]*://[^/]+/([^?]+).*$#\1#' <<< "$url"
}
if [[ "${BACKUP_ENFORCE_TARGET_CHECK:-0}" == "1" ]]; then
if [[ -z "${EXPECTED_PROD_DB_HOST:-}" || -z "${EXPECTED_PROD_DB_NAME:-}" ]]; then
echo "BACKUP_ENFORCE_TARGET_CHECK=1 requires EXPECTED_PROD_DB_HOST and EXPECTED_PROD_DB_NAME."
exit 1
fi
ACTUAL_HOST="$(extract_host "$BACKUP_URL")"
ACTUAL_DB="$(extract_db "$BACKUP_URL")"
if [[ "$ACTUAL_HOST" == "$BACKUP_URL" || "$ACTUAL_DB" == "$BACKUP_URL" ]]; then
echo "Unable to parse backup database URL."
exit 1
fi
if [[ "$ACTUAL_HOST" != "$EXPECTED_PROD_DB_HOST" ]]; then
echo "Backup target host mismatch. expected=$EXPECTED_PROD_DB_HOST actual=$ACTUAL_HOST"
exit 1
fi
if [[ "$ACTUAL_DB" != "$EXPECTED_PROD_DB_NAME" ]]; then
echo "Backup target db mismatch. expected=$EXPECTED_PROD_DB_NAME actual=$ACTUAL_DB"
exit 1
fi
fi
OUT_DIR="${BACKUP_DIR:-./backups}"
mkdir -p "$OUT_DIR"
@@ -22,8 +59,12 @@ OUT_FILE="${OUT_DIR}/skymoney_${STAMP}.dump"
OUT_BASENAME="$(basename "$OUT_FILE")"
OUT_DIR_ABS="$(cd "$OUT_DIR" && pwd)"
pg_dump "${BACKUP_DATABASE_URL:-$DATABASE_URL}" -Fc -f "$OUT_FILE"
START_TS="$(date +%s)"
pg_dump "$BACKUP_URL" -Fc -f "$OUT_FILE"
(cd "$OUT_DIR_ABS" && sha256sum "$OUT_BASENAME" > "${OUT_BASENAME}.sha256")
END_TS="$(date +%s)"
RUNTIME_SEC="$((END_TS - START_TS))"
echo "Backup written to: $OUT_FILE"
echo "Checksum written to: ${OUT_FILE}.sha256"
echo "Backup runtime seconds: $RUNTIME_SEC"
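Review bot: The target check inside the `BACKUP_ENFORCE_TARGET_CHECK` block validates only the authority and path of `$BACKUP_URL`: `extract_db` discards everything after `?` and `extract_host` never reads it. libpq connection URIs also accept `host`, `hostaddr`, `dbname` and `service` as query parameters, and as far as I can tell these take effect at connect time, so a URL can pass the comparison while `pg_dump` connects somewhere else. I would fail closed before the comparison with `re='[?&](host|hostaddr|dbname|service)='` followed by `if [[ "$BACKUP_URL" =~ $re ]]; then echo "Backup URL must not set host/dbname via query parameters." >&2; exit 1; fi`. The same two helpers are copied into the new target-check script, so the same guard is needed there for `$DATABASE_URL`.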


@@ -0,0 +1,50 @@
#!/usr/bin/env bash
set -euo pipefail
ENV_FILE="${ENV_FILE:-./.env}"
if [[ -f "$ENV_FILE" ]]; then
set -a
# shellcheck source=/dev/null
. "$ENV_FILE"
set +a
fi
if [[ -z "${DATABASE_URL:-}" ]]; then
echo "DATABASE_URL is required."
exit 1
fi
if [[ -z "${EXPECTED_PROD_DB_HOST:-}" || -z "${EXPECTED_PROD_DB_NAME:-}" ]]; then
echo "EXPECTED_PROD_DB_HOST and EXPECTED_PROD_DB_NAME are required."
exit 1
fi
extract_host() {
local url="$1"
sed -E 's#^[a-zA-Z][a-zA-Z0-9+.-]*://[^@/]+@([^/:?]+).*$#\1#' <<< "$url"
}
extract_db() {
local url="$1"
sed -E 's#^[a-zA-Z][a-zA-Z0-9+.-]*://[^/]+/([^?]+).*$#\1#' <<< "$url"
}
ACTUAL_HOST="$(extract_host "$DATABASE_URL")"
ACTUAL_DB="$(extract_db "$DATABASE_URL")"
if [[ "$ACTUAL_HOST" == "$DATABASE_URL" || "$ACTUAL_DB" == "$DATABASE_URL" ]]; then
echo "Unable to parse DATABASE_URL."
exit 1
fi
if [[ "$ACTUAL_HOST" != "$EXPECTED_PROD_DB_HOST" ]]; then
echo "DATABASE_URL host mismatch. expected=$EXPECTED_PROD_DB_HOST actual=$ACTUAL_HOST"
exit 1
fi
if [[ "$ACTUAL_DB" != "$EXPECTED_PROD_DB_NAME" ]]; then
echo "DATABASE_URL db mismatch. expected=$EXPECTED_PROD_DB_NAME actual=$ACTUAL_DB"
exit 1
fi
echo "DATABASE_URL target check passed (host=$ACTUAL_HOST db=$ACTUAL_DB)."
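Review bot: `extract_host` stops at the first `:`, so the port is dropped and the `DATABASE_URL host mismatch` branch cannot fire for the expected hostname on a different port, such as a second cluster or a forwarded tunnel on the same host. If that distinction matters for this deployment, capture the port as well and compare it against an optional expected-port setting, treating an absent port as the libpq default. Separately, `extract_host` and `extract_db` are copies of the ones in the backup script; moving them into one sourced helper would keep the two guards from drifting apart. The failure messages would also be better sent to stderr with `>&2`.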