proxmox/scripts/archive/backups/handle-backup-files.sh
defiQUG fbda1b4beb
docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates
- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands
- CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround
- CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check
- NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere
- MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates
- LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-12 15:46:57 -08:00


#!/bin/bash
# Safely handle backup files containing secrets
# Options: encrypt, move to secure location, or delete (with confirmation)
#
# Configuration is read from environment variables:
#   PROJECT_ROOT  directory tree to scan (default: /home/intlc/projects)
#   ACTION        list (default), encrypt, move, or delete
#   SECURE_DIR    destination for encrypt/move
#                 (default: $HOME/.secure-secrets-backups)
#   DRY_RUN       true (default) only reports what would be done;
#                 set to false to apply changes
#
# Only files named *.env.backup* / .env.backup* are scanned, and a file counts
# as "containing secrets" only when one of its lines starts with PRIVATE_KEY,
# API_KEY, SECRET, PASSWORD, TOKEN or CLOUDFLARE. Keys written differently
# (for example DB_PASSWORD=... or "export TOKEN=...") are not detected, so a
# clean report does not prove that the backups are free of secrets.
#
# Abort on command failure, on unset variables, and on failures inside pipelines.
set -euo pipefail
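# Colors
# Stored as backslash sequences; printf's %b expands them at print time.
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'

# Log helpers: print a coloured tag followed by the message ($1) on stdout.
# Only the colour variables go through %b. The message is printed with %s, so
# backslash sequences inside it (for example in a file name found by the scan)
# are shown literally instead of being interpreted as escape codes.
log_info() { printf '%b[INFO]%b %s\n' "$BLUE" "$NC" "$1"; }
log_success() { printf '%b[✓]%b %s\n' "$GREEN" "$NC" "$1"; }
log_warn() { printf '%b[⚠]%b %s\n' "$YELLOW" "$NC" "$1"; }
log_error() { printf '%b[✗]%b %s\n' "$RED" "$NC" "$1"; }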
# Runtime configuration. Each value can be supplied through the environment;
# an unset or empty variable falls back to the default given here.
: "${PROJECT_ROOT:=/home/intlc/projects}"
: "${ACTION:=list}" # list, encrypt, move, delete
: "${SECURE_DIR:=$HOME/.secure-secrets-backups}"
: "${DRY_RUN:=true}"
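echo "═══════════════════════════════════════════════════════════"
echo " Backup Files Handler"
echo "═══════════════════════════════════════════════════════════"
echo ""

# Find all backup files
log_info "Scanning for backup files..."

# A missing root would otherwise look the same as "nothing to clean up".
if [ ! -d "$PROJECT_ROOT" ]; then
  log_error "PROJECT_ROOT is not a directory: $PROJECT_ROOT"
  exit 1
fi

# find exits non-zero when it cannot read part of the tree. Its stderr is
# discarded here, so under `set -e` a bare assignment would end the script with
# no message. Capture the status, keep whatever was found, and say that the
# scan may be incomplete.
find_status=0
BACKUP_FILES=$(find "$PROJECT_ROOT" -type f \( -name "*.env.backup*" -o -name ".env.backup*" \) ! -path "*/node_modules/*" ! -path "*/.git/*" 2>/dev/null) || find_status=$?
if [ "$find_status" -ne 0 ]; then
  log_warn "find exited with status $find_status; some directories may not have been scanned"
fi

if [ -z "$BACKUP_FILES" ]; then
  log_success "No backup files found"
  exit 0
fi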
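# Identify files with secrets
# A file is selected when any line STARTS with one of the listed key prefixes.
# NOTE(review): keys with another prefix (DB_PASSWORD=...), an "export " in
# front, or lower-case names do not match, so files holding only such keys are
# left in place untouched.
FILES_WITH_SECRETS=()
while IFS= read -r backup_file; do
  if [ -z "$backup_file" ]; then
    continue
  fi
  # grep -q: 0 = match, 1 = no match, anything else = the file could not be
  # read. The last case is reported instead of being counted as "no secrets".
  grep_status=0
  grep -qE "^(PRIVATE_KEY|API_KEY|SECRET|PASSWORD|TOKEN|CLOUDFLARE)" "$backup_file" 2>/dev/null || grep_status=$?
  case "$grep_status" in
    0) FILES_WITH_SECRETS+=("$backup_file") ;;
    1) ;;
    *) log_warn "Could not read $backup_file; it was not checked for secrets" ;;
  esac
done <<< "$BACKUP_FILES"

if [ ${#FILES_WITH_SECRETS[@]} -eq 0 ]; then
  log_success "No backup files with secrets found"
  exit 0
fi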
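# Report the selected files. For each one, only the variable name (the text
# before the first "=") of the first matching line is shown, so secret values
# are never written to the terminal.
echo "Found ${#FILES_WITH_SECRETS[@]} backup file(s) with secrets:"
echo ""
for file in "${FILES_WITH_SECRETS[@]}"; do
  printf ' - %s\n' "$file"
  # Show first secret type found.
  # `|| true`: with the script's `set -euo pipefail`, a grep that is cut short
  # by `head -1` closing the pipe, or that can no longer read the file, would
  # otherwise abort the whole run from inside this purely informational step.
  secret_type=$(grep -hE "^(PRIVATE_KEY|API_KEY|SECRET|PASSWORD|TOKEN|CLOUDFLARE)" "$file" 2>/dev/null | head -1 | cut -d'=' -f1) || true
  if [ -n "$secret_type" ]; then
    printf ' Contains: %s\n' "$secret_type"
  fi
done
echo ""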
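# Dispatch on ACTION. Files are changed only when DRY_RUN is exactly "false";
# every other value (including typos such as "0" or "no") is treated as a dry
# run in all three modes, so a mistyped DRY_RUN can never reach `rm`.
apply_changes=false
if [ "$DRY_RUN" = "false" ]; then
  apply_changes=true
fi

case "$ACTION" in
  list)
    log_info "Mode: LIST (no changes)"
    log_info ""
    log_info "Available actions:"
    log_info " ACTION=encrypt - Encrypt and move to secure location"
    log_info " ACTION=move - Move to secure location (unencrypted)"
    log_info " ACTION=delete - Delete files (with confirmation)"
    ;;

  encrypt)
    log_info "Mode: ENCRYPT and move to secure location"
    if [ "$apply_changes" = "false" ]; then
      log_warn "DRY RUN - No changes will be made"
    else
      # Stop before creating anything if the tool is missing.
      if ! command -v openssl &> /dev/null; then
        log_error "openssl not found. Cannot encrypt."
        exit 1
      fi
      # Create secure directory
      mkdir -p -- "$SECURE_DIR"
      chmod 700 "$SECURE_DIR"
    fi

    failed=0
    for file in "${FILES_WITH_SECRETS[@]}"; do
      filename=$(basename -- "$file")
      dirname=$(dirname -- "$file")
      # PROJECT_ROOT is quoted so it is stripped as a literal prefix, not
      # matched as a glob pattern.
      relative_path="${dirname#"$PROJECT_ROOT"/}"
      secure_path="$SECURE_DIR/${relative_path//\//_}_${filename}.enc"
      log_info "Processing: $file"

      # Flattening "/" to "_" can map two different sources to one name
      # (a/b_c and a_b/c). Never overwrite: the original is removed after a
      # successful write, so an overwrite would lose the earlier backup.
      if [ -e "$secure_path" ]; then
        log_error " Destination already exists, skipping (original kept): $secure_path"
        failed=$((failed + 1))
        continue
      fi

      if [ "$apply_changes" = "true" ]; then
        # Encrypt using openssl.
        # - No -pass/-k option is given, so openssl asks for the passphrase
        #   itself (once per file) and nothing secret appears in argv.
        # - stderr stays attached so openssl's own error messages are visible.
        # - umask 077 makes the output private from the moment it is created.
        # NOTE(review): `openssl enc` with AES-256-CBC encrypts but does not
        # authenticate its output, so a modified .enc file is not detected on
        # decryption. Keep a checksum or signature alongside if integrity
        # matters.
        if ! (umask 077 && openssl enc -aes-256-cbc -salt -pbkdf2 -in "$file" -out "$secure_path"); then
          rm -f -- "$secure_path" # do not leave a partial ciphertext behind
          log_error "Failed to encrypt $file"
          failed=$((failed + 1))
          continue
        fi
        # An empty output means nothing usable was written; keep the original.
        if [ ! -s "$secure_path" ]; then
          rm -f -- "$secure_path"
          log_error "Failed to encrypt $file"
          failed=$((failed + 1))
          continue
        fi
        chmod 600 "$secure_path"
        log_success " Encrypted to: $secure_path"
        # Remove original.
        # NOTE(review): rm only unlinks the file; the plaintext may still be
        # recoverable from the disk, snapshots or other copies.
        rm -- "$file"
        log_success " Removed original: $file"
      else
        log_info " Would encrypt to: $secure_path"
        log_info " Would remove: $file"
      fi
    done

    if [ "$apply_changes" = "true" ]; then
      if [ "$failed" -eq 0 ]; then
        log_success "Encryption complete!"
      else
        log_warn "Encryption finished, but $failed file(s) were skipped or failed; their originals were left in place"
      fi
      log_info "Encrypted files stored in: $SECURE_DIR"
      log_info "To decrypt: openssl enc -d -aes-256-cbc -pbkdf2 -in <file.enc> -out <file>"
    fi
    ;;

  move)
    log_info "Mode: MOVE to secure location"
    if [ "$apply_changes" = "false" ]; then
      log_warn "DRY RUN - No changes will be made"
    else
      # Create secure directory
      mkdir -p -- "$SECURE_DIR"
      chmod 700 "$SECURE_DIR"
    fi

    failed=0
    for file in "${FILES_WITH_SECRETS[@]}"; do
      filename=$(basename -- "$file")
      dirname=$(dirname -- "$file")
      relative_path="${dirname#"$PROJECT_ROOT"/}"
      secure_path="$SECURE_DIR/${relative_path//\//_}_${filename}"
      log_info "Processing: $file"

      # Same collision rule as in encrypt mode: never overwrite an existing
      # destination, because the source is deleted afterwards.
      if [ -e "$secure_path" ]; then
        log_error " Destination already exists, skipping (original kept): $secure_path"
        failed=$((failed + 1))
        continue
      fi

      if [ "$apply_changes" = "true" ]; then
        # The copy stays in plaintext. Create it under umask 077 so group and
        # others never get access, then pin the mode to 600.
        if ! (umask 077 && cp -- "$file" "$secure_path"); then
          rm -f -- "$secure_path" # drop a partial copy
          log_error "Failed to copy $file"
          failed=$((failed + 1))
          continue
        fi
        chmod 600 "$secure_path"
        log_success " Moved to: $secure_path"
        # Remove original (unlink only; see the note in encrypt mode).
        rm -- "$file"
        log_success " Removed original: $file"
      else
        log_info " Would move to: $secure_path"
        log_info " Would remove: $file"
      fi
    done

    if [ "$apply_changes" = "true" ]; then
      if [ "$failed" -eq 0 ]; then
        log_success "Move complete!"
      else
        log_warn "Move finished, but $failed file(s) were skipped or failed; their originals were left in place"
      fi
      log_info "Files stored in: $SECURE_DIR"
    fi
    ;;

  delete)
    log_warn "Mode: DELETE"
    log_warn "This will permanently delete backup files with secrets!"
    echo ""
    if [ "$apply_changes" = "false" ]; then
      log_warn "DRY RUN - No files will be deleted"
      for file in "${FILES_WITH_SECRETS[@]}"; do
        log_info "Would delete: $file"
      done
    else
      # -r keeps backslashes in the answer literal. Only the exact word "yes"
      # confirms. If stdin is closed, read fails and `set -e` ends the script
      # before anything is deleted.
      read -r -p "Are you sure you want to delete these files? (yes/no): " confirm
      if [ "$confirm" != "yes" ]; then
        log_info "Cancelled"
        exit 0
      fi
      for file in "${FILES_WITH_SECRETS[@]}"; do
        log_info "Deleting: $file"
        # NOTE(review): rm only unlinks the file; the content may still be
        # recoverable from the disk, snapshots or other copies.
        rm -- "$file"
        log_success " Deleted: $file"
      done
      log_success "Deletion complete!"
    fi
    ;;

  *)
    log_error "Unknown action: $ACTION"
    log_info "Valid actions: list, encrypt, move, delete"
    exit 1
    ;;
esac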
# Closing rule: a blank line, then the same separator line used for the header.
printf '\n%s\n' "═══════════════════════════════════════════════════════════"