vault: deployment manifest, some docs, backup script - expected to run

on docker host
2026-01-14 14:48:09 +01:00
parent b5e1f4b737
commit 90a44bd59f
9 changed files with 214 additions and 0 deletions
--- a/docker-30/vault/vault-backup.sh
+++ b/docker-30/vault/vault-backup.sh
@@ -0,0 +1,38 @@
+#!/bin/bash
+set -euo pipefail
+
+# set -x  # Enable debug output
+
+# --- Configuration ---
+VAULT_DATA_DIR="${VAULT_DATA_DIR:-/srv/docker/vault/data/}"
+S3_BUCKET="${S3_BUCKET:-vault-backup}"
+MC_ALIAS="${MC_ALIAS:-synology}"  # Pre-configured mc alias
+RETENTION_DAYS="${RETENTION_DAYS:-60}"
+
+TIMESTAMP=$(date +%Y%m%d-%H%M%S)
+BACKUP_FILE="/tmp/vault-backup-${TIMESTAMP}.tar.gz"
+
+log() { echo "[$(date -Iseconds)] $*"; }
+
+cleanup() {
+    rm -f "${BACKUP_FILE}"
+}
+trap cleanup EXIT
+
+# --- Create backup ---
+log "Backing up ${VAULT_DATA_DIR}..."
+tar -czf "${BACKUP_FILE}" -C "$(dirname "${VAULT_DATA_DIR}")" "$(basename "${VAULT_DATA_DIR}")"
+
+BACKUP_SIZE=$(stat -c%s "${BACKUP_FILE}")
+log "Backup size: ${BACKUP_SIZE} bytes"
+
+# --- Upload to MinIO ---
+log "Uploading to ${MC_ALIAS}/${S3_BUCKET}..."
+set -x
+mc cp --quiet "${BACKUP_FILE}" "${MC_ALIAS}/${S3_BUCKET}/vault-backup-${TIMESTAMP}.tar.gz"
+
+# --- Prune old backups ---
+log "Pruning backups older than ${RETENTION_DAYS} days..."
+mc rm --quiet --recursive --force --older-than "${RETENTION_DAYS}d" "${MC_ALIAS}/${S3_BUCKET}/"
+
+log "Backup complete: vault-backup-${TIMESTAMP}.tar.gz"