first commit

scripts/ops/backup-job.sh

@@ -0,0 +1,121 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+ENV_FILE="${1:-$ROOT_DIR/.env.production}"
+BACKUP_ROOT="${2:-$ROOT_DIR/backups}"
+KEEP_COUNT="${3:-14}"
+LOCK_FILE="$BACKUP_ROOT/.backup.lock"
+OPS_NOTIFY_ON_SUCCESS="${OPS_NOTIFY_ON_SUCCESS:-0}"
+OPS_ALERT_WEBHOOK_URL="${OPS_ALERT_WEBHOOK_URL:-}"
+OPS_ALERT_TIMEOUT_SECONDS="${OPS_ALERT_TIMEOUT_SECONDS:-10}"
+OPS_ALERT_WEBHOOK_BEARER_TOKEN="${OPS_ALERT_WEBHOOK_BEARER_TOKEN:-}"
+started_at_utc="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
+latest_backup=""
+
+if [[ "${1:-}" == "--help" || "${1:-}" == "-h" ]]; then
+  cat <<'USAGE'
+Usage:
+  scripts/ops/backup-job.sh [env-file] [backup-root] [keep-count]
+
+Examples:
+  scripts/ops/backup-job.sh
+  scripts/ops/backup-job.sh .env.production /var/backups/productier 30
+
+Behavior:
+  - Acquires a non-blocking lock to avoid overlapping runs.
+  - Executes production backup.
+  - Verifies resulting backup integrity.
+  - Prunes old backups using keep-count retention.
+  - Sends webhook alerts when OPS_ALERT_WEBHOOK_URL is configured.
+USAGE
+  exit 0
+fi
+
+if ! [[ "$KEEP_COUNT" =~ ^[0-9]+$ ]] || [[ "$KEEP_COUNT" -lt 1 ]]; then
+  echo "[error] keep-count must be a positive integer" >&2
+  exit 1
+fi
+
+json_escape() {
+  local value="$1"
+  value="${value//\\/\\\\}"
+  value="${value//\"/\\\"}"
+  value="${value//$'\n'/\\n}"
+  value="${value//$'\r'/\\r}"
+  printf '%s' "$value"
+}
+
+send_alert() {
+  local status="$1"
+  local message="$2"
+
+  if [[ -z "$OPS_ALERT_WEBHOOK_URL" ]]; then
+    return
+  fi
+  if ! command -v curl >/dev/null 2>&1; then
+    echo "[warn] OPS_ALERT_WEBHOOK_URL is set but curl is unavailable; skipping alert"
+    return
+  fi
+
+  local payload
+  payload="$(cat <<EOF
+{"service":"productier-backup-job","status":"$(json_escape "$status")","startedAt":"$started_at_utc","finishedAt":"$(date -u +%Y-%m-%dT%H:%M:%SZ)","backup":"$(json_escape "$latest_backup")","message":"$(json_escape "$message")"}
+EOF
+)"
+
+  local auth_header=()
+  if [[ -n "$OPS_ALERT_WEBHOOK_BEARER_TOKEN" ]]; then
+    auth_header=(-H "Authorization: Bearer $OPS_ALERT_WEBHOOK_BEARER_TOKEN")
+  fi
+
+  if ! curl -fsS -m "$OPS_ALERT_TIMEOUT_SECONDS" \
+    -H "Content-Type: application/json" \
+    "${auth_header[@]}" \
+    -d "$payload" \
+    "$OPS_ALERT_WEBHOOK_URL" >/dev/null; then
+    echo "[warn] failed to deliver backup alert webhook"
+  fi
+}
+
+on_error() {
+  local exit_code="$1"
+  send_alert "failure" "backup job failed with exit code ${exit_code}"
+}
+
+trap 'on_error $?' ERR
+
+mkdir -p "$BACKUP_ROOT"
+
+if command -v flock >/dev/null 2>&1; then
+  exec 9>"$LOCK_FILE"
+  if ! flock -n 9; then
+    echo "[error] backup job already running (lock file: $LOCK_FILE)" >&2
+    exit 1
+  fi
+else
+  echo "[warn] flock not found; running without lock protection"
+fi
+
+echo "[info] starting backup job (env=$ENV_FILE root=$BACKUP_ROOT keep=$KEEP_COUNT)"
+
+bash "$ROOT_DIR/scripts/ops/backup-prod.sh" "$ENV_FILE" "$BACKUP_ROOT"
+
+latest_backup="$(find "$BACKUP_ROOT" -mindepth 1 -maxdepth 1 -type d -printf '%f\n' \
+  | grep -E '^[0-9]{8}T[0-9]{6}Z$' \
+  | sort \
+  | tail -n 1)"
+
+if [[ -z "$latest_backup" ]]; then
+  echo "[error] no backup directory found after backup execution" >&2
+  exit 1
+fi
+
+bash "$ROOT_DIR/scripts/ops/verify-backup.sh" "$BACKUP_ROOT/$latest_backup"
+bash "$ROOT_DIR/scripts/ops/prune-backups.sh" "$BACKUP_ROOT" "$KEEP_COUNT"
+
+echo "[ok] backup job completed"
+
+if [[ "$OPS_NOTIFY_ON_SUCCESS" == "1" || "$OPS_NOTIFY_ON_SUCCESS" == "true" ]]; then
+  send_alert "success" "backup job completed successfully"
+fi