#!/bin/bash
# entrypoint.sh — container entry point for the backup/restore/list-backups
# sub-commands (dispatch is at the bottom of the file).
# Required env: none strictly; SOURCE_* / ENCRYPTED_PATH get defaults below,
# AWS_S3_* are consumed by the sourced s3sync.sh (not shown here).

# Send everything we print to stderr; stdout is only used inside $(...)
# captures further down.
exec 1>&2
# Abort on the first unhandled failing command.
set -o errexit
# Shared helpers: bail/debug/info/test_all/is_number/in_array/file_not_exists/
# bail_file_exists (functions.sh), the gpg wrapper and the s3sync wrapper.
# NOTE(review): these files are not on this page; their exact semantics are
# inferred from how they are called below.
source /app/functions.sh
source /app/gpgcrypt.sh
source /app/s3sync.sh
load_settings_file
set_debug
# Defaults for settings the environment/settings file may leave unset or empty.
SOURCE_REMOVE_PLAIN="${SOURCE_REMOVE_PLAIN:-0}"                   # 1 = delete plain file after encrypting
SOURCE_FILE_PATTERN="${SOURCE_FILE_PATTERN:-}"                    # optional find -name glob
SOURCE_FILE_MODIFIED_MINUTES_AGO="${SOURCE_FILE_MODIFIED_MINUTES_AGO:-30}"  # only files older than N minutes
SOURCE_PATH="${SOURCE_PATH:-/data/plain}"
ENCRYPTED_PATH="${ENCRYPTED_PATH:-/data/encrypted}"
#######################################
# Describe a path for diagnostics: "owner:group mode 'name'" via stat(1).
# Arguments: $1 - path to describe
# Outputs:   the stat line on stdout (stat's own error on stderr if it fails)
# Returns:   always 0, so it can be used inside bail() messages without
#            tripping set -e
#######################################
get_path_info() {
  local target=$1
  stat -c '%U:%G %A %N' "$target"
  return 0
}
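#######################################
# Encrypt every eligible plain file directly under SOURCE_PATH into
# ENCRYPTED_PATH, optionally remove the plain copy, then push to S3.
# Globals:   SOURCE_PATH, ENCRYPTED_PATH, SOURCE_REMOVE_PLAIN,
#            SOURCE_FILE_PATTERN, SOURCE_FILE_MODIFIED_MINUTES_AGO (read);
#            AWS_S3_BUCKET, AWS_S3_BUCKET_PATH (read, debug message only)
# Arguments: none
# Outputs:   debug/bail messages via the sourced helpers
# Returns:   0 on success; bail() on a failed precondition
#######################################
backup() {
  # source-path must be a directory and be readable and searchable
  test_all drx "${SOURCE_PATH}" ||
    bail "Cannot read from source-path (SOURCE_PATH: $(get_path_info "${SOURCE_PATH}"))"
  # if plain file is to be removed after 'backup', source-path must be writable
  ( [ "${SOURCE_REMOVE_PLAIN}" = 0 ] || [ -w "${SOURCE_PATH}" ] ) || {
    bail "Cannot write to source-path (Cannot remove plain file; SOURCE_REMOVE_PLAIN='$SOURCE_REMOVE_PLAIN'," \
      "SOURCE_PATH: $(get_path_info "${SOURCE_PATH}"))"
  }
  # destination/encrypted-path must be a directory and be writable and searchable
  test_all drwx "${ENCRYPTED_PATH}" ||
    bail "Cannot write to encrypted-path (ENCRYPTED_PATH: $(get_path_info "${ENCRYPTED_PATH}"))"

  # Names already backed up (local and/or S3), one per line. Captured into a
  # scalar first so a failure is not masked by `local` (it used to silently
  # yield an empty list), then read line-wise so names containing whitespace
  # are not word-split.
  local backups_raw
  backups_raw=$(list-backups --batch-mode) ||
    bail "Could not determine existing backups"
  local -a all_backups=()
  [ -z "$backups_raw" ] || mapfile -t all_backups <<<"$backups_raw"

  # find(1) arguments; local so they no longer leak into the caller's scope.
  local -a find_opts=("$SOURCE_PATH" -mindepth 1 -maxdepth 1 -type f)
  [ -z "$SOURCE_FILE_PATTERN" ] ||
    find_opts+=(-name "$SOURCE_FILE_PATTERN")
  if is_number "$SOURCE_FILE_MODIFIED_MINUTES_AGO" && [ "$SOURCE_FILE_MODIFIED_MINUTES_AGO" -gt 0 ]; then
    # +N means "modified more than N minutes ago" — skips files still being written
    find_opts+=(-mmin +"$SOURCE_FILE_MODIFIED_MINUTES_AGO")
  fi

  # NUL-delimited so file names with spaces, backslashes or newlines are read
  # intact (the original unquoted `read file` split and de-escaped them).
  local file
  while IFS= read -r -d '' file; do
    # If file is already present either in ENCRYPTED_PATH or in S3 bucket, skip it
    # NOTE(review): list-backups prints bare file names while $file is a full
    # path, so this only matches if in_array (functions.sh, not shown) compares
    # by basename — confirm; otherwise "$(basename "$file").gpg" is needed here.
    if in_array "${file}.gpg" "${all_backups[@]}"; then
      debug "'$file' already backed up; skipping"
      continue
    fi
    debug "Encrypting '${file}'"
    gpg encrypt "$file" "${ENCRYPTED_PATH}"
    # "0$X" -eq 1 holds only for a numeric value equal to 1 ("1", "01", ...);
    # the redirect hides test(1)'s complaint about non-numeric values.
    if [ "0$SOURCE_REMOVE_PLAIN" -eq 1 ] &>/dev/null; then
      debug "Removing '${file}'"
      rm -- "$file"
    fi
  done < <(find "${find_opts[@]}" -print0)

  if s3sync is_enabled; then
    debug "Syncing up to ${AWS_S3_BUCKET}/${AWS_S3_BUCKET_PATH} ..."
    s3sync up
  fi
}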
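#######################################
# Decrypt one backed-up file from ENCRYPTED_PATH into SOURCE_PATH, fetching
# it from S3 first when it is not present locally.
# Globals:   ENCRYPTED_PATH, SOURCE_PATH (read); AWS_S3_BUCKET,
#            AWS_S3_BUCKET_PATH (read, debug message only)
# Arguments: $1 - bare name of the .gpg file inside ENCRYPTED_PATH;
#            all arguments are passed through to `s3sync down`
# Returns:   0 on success; bail() on any failed precondition
#######################################
restore() {
  [ -n "$1" ] || bail "No GPG file specified"
  [[ "$1" =~ \.gpg$ ]] || bail "Given file does not have '.gpg' extension"
  # $1 is joined onto ENCRYPTED_PATH below, so reject anything with a path
  # component: a name such as "../x.gpg" must not address files outside
  # ENCRYPTED_PATH. list-backups reports bare names, which is what we expect.
  [[ "$1" != */* ]] || bail "GPG file must be a bare file name, not a path"
  # destination/encrypted-path must be a directory and be readable and searchable
  test_all drx "${ENCRYPTED_PATH}" ||
    bail "Cannot read from encrypted-path (ENCRYPTED_PATH: $(get_path_info "${ENCRYPTED_PATH}"))"
  # source-path to which the file is restored, must be a directory and be writable and searchable
  test_all drwx "${SOURCE_PATH}" ||
    bail "Cannot write to source-path (SOURCE_PATH: $(get_path_info "${SOURCE_PATH}"))"
  local gpg_file="$ENCRYPTED_PATH/$1"
  # make sure we can proceed before syncing and decrypting:
  # the plain name is the .gpg name minus its suffix and directory part
  local plain_name
  plain_name=$(basename "${gpg_file%%.gpg}")
  local plain_file_path="${SOURCE_PATH}/${plain_name}"
  bail_file_exists "$plain_file_path"
  if file_not_exists "$gpg_file"; then
    if s3sync is_enabled; then
      # In order for sync-down to work, the encrypted path must be writable
      [ -w "${ENCRYPTED_PATH}" ] ||
        bail "Cannot write to encrypted-path (ENCRYPTED_PATH='${ENCRYPTED_PATH}' $(get_path_info "${ENCRYPTED_PATH}"))"
      debug "Syncing down from ${AWS_S3_BUCKET}/${AWS_S3_BUCKET_PATH} ... $*"
      s3sync down "$@"
      if file_not_exists "$gpg_file"; then
        bail "Specified GPG file could not be found (after sync-down)"
      fi
    else
      bail "Specified GPG file could not be found (no sync attempted)"
    fi
  fi
  debug "Decrypting '$gpg_file'"
  gpg decrypt "$gpg_file" "${plain_file_path}"
}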
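#######################################
# Print every backed-up file name known locally and/or in S3, sorted and
# de-duplicated. Without --batch-mode each name is suffixed with " [s3]"
# and/or " [local]" to show where it was found.
# Globals:   SOURCE_PATH, ENCRYPTED_PATH (read)
# Arguments: $1 - optional "--batch-mode": bare names only, one per line
# Outputs:   one entry per line on stdout
# Returns:   0 on success; bail() on a failed precondition
#######################################
list-backups() {
  # source-path must be a directory and be readable and searchable
  test_all drx "${SOURCE_PATH}" ||
    bail "Source path could not be found (SOURCE_PATH: $(get_path_info "${SOURCE_PATH}"))"
  # destination/encrypted-path must be a directory and be readable and searchable
  test_all drx "${ENCRYPTED_PATH}" ||
    bail "Encrypted path could not be found (ENCRYPTED_PATH: $(get_path_info "${ENCRYPTED_PATH}"))"
  local batch_mode=false
  if [[ "${1:-}" = "--batch-mode" ]]; then
    batch_mode=true
  fi

  # Names in S3, one per line from `s3sync list`; read line-wise instead of
  # word-splitting so names with whitespace stay intact, blank lines dropped.
  local -a files_in_s3=()
  local line
  if s3sync is_enabled; then
    local s3_raw
    s3_raw=$(s3sync list)
    while IFS= read -r line; do
      if [ -n "$line" ]; then
        files_in_s3+=("$line")
      fi
    done <<<"$s3_raw"
  fi

  # Names present locally (bare file names, any depth below ENCRYPTED_PATH,
  # as before). NOTE(review): restore only looks directly in ENCRYPTED_PATH,
  # so a file in a sub-directory is listed but not restorable — confirm intent.
  local -a files_local=()
  while IFS= read -r -d '' line; do
    files_local+=("$line")
  done < <(find "$ENCRYPTED_PATH" -type f -printf '%f\0')

  # get a list of all files, with no duplicates (guarded so an empty input
  # does not turn into a single empty entry)
  local -a all_files=()
  if (( ${#files_in_s3[@]} + ${#files_local[@]} > 0 )); then
    mapfile -t all_files < <(printf '%s\n' "${files_in_s3[@]}" "${files_local[@]}" | sort -u)
  fi

  local file tags
  for file in "${all_files[@]}"; do
    if $batch_mode; then
      # print just the file name; no frills (printf: a name like "-n" is safe)
      printf '%s\n' "$file"
    else
      # print status for each file
      tags=""
      if in_array "$file" "${files_in_s3[@]}"; then
        tags+=" [s3]"
      fi
      if in_array "$file" "${files_local[@]}"; then
        tags+=" [local]"
      fi
      printf '%s%s\n' "$file" "$tags"
    fi
  done
}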
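# Quit if the AWS S3 config values are improperly specified
# NOTE(review): s3sync.sh is not shown; this line itself only logs when sync
# is disabled, so "quit" relies on `s3sync is_enabled` bailing on a malformed
# config — confirm.
s3sync is_enabled || info "AWS S3 sync not enabled"
info "SOURCE_PATH: $(get_path_info "${SOURCE_PATH}")"
info "ENCRYPTED_PATH: $(get_path_info "${ENCRYPTED_PATH}")"
# Sub-command dispatch. With no argument a bare `shift` fails and set -e
# aborted with "shift count out of range" instead of the usage error below,
# so default $1 and only shift when there is something to shift.
cmd="${1:-}"
if [ $# -gt 0 ]; then
  shift
fi
case "$cmd" in
  backup|restore|list-backups)
    # the case arms are the allow-list: only these three names are ever run
    "$cmd" "$@"
    ;;
  *)
    bail "entrypoint: Invalid invocation"
    ;;
esac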