Add secrets directory support to backup/restore scripts

Extended backup and restore utilities to include the secrets/ directory
containing SSH keys for Oracle server access.

Changes:
- backup-secrets.sh: Added SECRET_DIRS array to backup entire directories as tar archives
- restore-secrets.sh: Added logic to detect and restore tar.enc directory archives
- Both scripts now handle:
  * Individual .env files (as before)
  * Complete directories (new: secrets/ with SSH keys)

Technical implementation:
- Directories are archived with tar and piped directly to openssl for encryption
- Uses tar -cf - to output to stdout, then pipes to openssl enc
- Restore decrypts and extracts in one step: openssl | tar -xf -
- Preserves directory structure and file permissions

Files backed up:
- reports-app/backend/.env and .env.prod
- reports-app/telegram-bot/.env and .env.prod
- secrets/ directory (SSH keys: roa_oracle_server, *.pub, .gitkeep)

Backup structure now includes:
- *.env.enc (individual encrypted files)
- secrets.tar.enc (encrypted tar archive of directory)

Tested successfully with encryption/decryption cycle.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

scripts/backup-secrets.sh

@@ -65,6 +65,11 @@ SECRET_FILES=(
     "reports-app/telegram-bot/.env.prod"
 )
 
+# List of secret directories to backup (will backup all files inside)
+SECRET_DIRS=(
+    "secrets"
+)
+
 # Counter for backed up files
 BACKED_UP=0
 SKIPPED=0
@@ -101,6 +106,35 @@ for file in "${SECRET_FILES[@]}"; do
     echo ""
 done
 
+# Backup directories
+for dir in "${SECRET_DIRS[@]}"; do
+    if [ -d "$dir" ]; then
+        echo -e "Encrypting directory: ${GREEN}$dir${NC}"
+
+        # Create tar archive of the directory
+        dir_name=$(basename "$dir")
+        output_file="${BACKUP_DIR}/${dir_name}.tar.enc"
+
+        # Create tar and encrypt (pipe tar directly to openssl)
+        if tar -cf - "$dir" 2>/dev/null | \
+           openssl enc -aes-256-cbc -salt -pbkdf2 \
+           -out "$output_file" -pass pass:"$BACKUP_PASSWORD" 2>/dev/null; then
+            echo -e "  ✅ Saved to: ${output_file}"
+            BACKED_UP=$((BACKED_UP + 1))
+
+            # Count files in directory
+            file_count=$(find "$dir" -type f | wc -l)
+            echo -e "  📁 Included ${file_count} file(s) from directory"
+        else
+            echo -e "  ${RED}❌ Failed to encrypt directory${NC}"
+        fi
+    else
+        echo -e "Skipping: ${YELLOW}$dir${NC} (not found)"
+        SKIPPED=$((SKIPPED + 1))
+    fi
+    echo ""
+done
+
 # Create README in backup directory
 cat > "${BACKUP_DIR}/README.md" <<EOF
 # ROA2WEB Secrets Backup
@@ -111,6 +145,7 @@ cat > "${BACKUP_DIR}/README.md" <<EOF
 
 ## Files in this backup:
 
+### Environment Files:
 $(for file in "${SECRET_FILES[@]}"; do
     if [ -f "$file" ]; then
         filename=$(basename "$file")
@@ -123,6 +158,15 @@ $(for file in "${SECRET_FILES[@]}"; do
     fi
 done)
 
+### Directories:
+$(for dir in "${SECRET_DIRS[@]}"; do
+    if [ -d "$dir" ]; then
+        dir_name=$(basename "$dir")
+        file_count=$(find "$dir" -type f 2>/dev/null | wc -l)
+        echo "- ${dir_name}.tar.enc (encrypted tar archive, ${file_count} files)"
+    fi
+done)
+
 ## How to restore:
 
 \`\`\`bash
@@ -157,6 +201,10 @@ openssl enc -aes-256-cbc -d -pbkdf2 \\
 openssl enc -aes-256-cbc -d -pbkdf2 \\
   -in telegram-bot-.env.prod.enc \\
   -out ../../../reports-app/telegram-bot/.env.prod
+
+# Decrypt and extract secrets directory
+openssl enc -aes-256-cbc -d -pbkdf2 -in secrets.tar.enc | \\
+  tar -xf - -C ../../..
 \`\`\`
 
 ## Security Notes:

scripts/restore-secrets.sh

@@ -63,21 +63,38 @@ echo ""
 
 # List encrypted files in backup
 ENCRYPTED_FILES=()
+ENCRYPTED_DIRS=()
+
 for file in "${BACKUP_DIR}"/*.enc; do
     if [ -f "$file" ]; then
-        ENCRYPTED_FILES+=("$file")
+        filename=$(basename "$file")
+        # Check if it's a tar archive (directory backup)
+        if [[ "$filename" == *.tar.enc ]]; then
+            ENCRYPTED_DIRS+=("$file")
+        else
+            ENCRYPTED_FILES+=("$file")
+        fi
     fi
 done
 
-if [ ${#ENCRYPTED_FILES[@]} -eq 0 ]; then
+if [ ${#ENCRYPTED_FILES[@]} -eq 0 ] && [ ${#ENCRYPTED_DIRS[@]} -eq 0 ]; then
     echo -e "${RED}Error: No encrypted files found in backup${NC}"
     exit 1
 fi
 
-echo "Found ${#ENCRYPTED_FILES[@]} encrypted file(s):"
+echo "Found in backup:"
-for file in "${ENCRYPTED_FILES[@]}"; do
+if [ ${#ENCRYPTED_FILES[@]} -gt 0 ]; then
-    echo "  - $(basename "$file")"
+    echo "  📄 ${#ENCRYPTED_FILES[@]} environment file(s):"
-done
+    for file in "${ENCRYPTED_FILES[@]}"; do
+        echo "     - $(basename "$file")"
+    done
+fi
+if [ ${#ENCRYPTED_DIRS[@]} -gt 0 ]; then
+    echo "  📁 ${#ENCRYPTED_DIRS[@]} directory archive(s):"
+    for file in "${ENCRYPTED_DIRS[@]}"; do
+        echo "     - $(basename "$file")"
+    done
+fi
 echo ""
 
 # Ask for confirmation
@@ -145,6 +162,30 @@ for encrypted_file in "${ENCRYPTED_FILES[@]}"; do
     echo ""
 done
 
+# Restore directory archives
+for encrypted_file in "${ENCRYPTED_DIRS[@]}"; do
+    filename=$(basename "$encrypted_file" .enc)
+    dir_name=$(basename "$filename" .tar)
+
+    echo -e "Decrypting directory: ${GREEN}$dir_name${NC}"
+    echo -e "  Target: $dir_name/"
+
+    # Decrypt and extract tar archive
+    if openssl enc -aes-256-cbc -d -pbkdf2 \
+        -in "$encrypted_file" -pass pass:"$BACKUP_PASSWORD" 2>/dev/null | tar -xf - 2>/dev/null; then
+        echo -e "  ✅ Restored successfully"
+        RESTORED=$((RESTORED + 1))
+
+        # Count restored files
+        file_count=$(find "$dir_name" -type f 2>/dev/null | wc -l)
+        echo -e "  📁 Extracted ${file_count} file(s)"
+    else
+        echo -e "  ${RED}❌ Failed to decrypt/extract (wrong password?)${NC}"
+        FAILED=$((FAILED + 1))
+    fi
+    echo ""
+done
+
 echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
 if [ $FAILED -eq 0 ]; then
     echo -e "${GREEN}✅ Restore completed successfully${NC}"