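#!/bin/bash
# ============================================================================
# ROA2WEB - Restore Environment Secrets (From Encrypted Backup)
# ============================================================================
# This script restores .env files from encrypted backups
# Usage:
#   ./scripts/restore-secrets.sh [backup-date]                              # Interactive (prompts for password)
#   BACKUP_PASSWORD="your-pass" ./scripts/restore-secrets.sh [backup-date]  # Non-interactive
#
# Example: ./scripts/restore-secrets.sh 2025-01-15_10-30-00
#          ./scripts/restore-secrets.sh (uses latest backup)
#
# Notes:
#   - Every path below is relative to the current directory.
#   - The overwrite confirmation is always read from stdin, also when
#     BACKUP_PASSWORD is supplied through the environment.
#   - The exit status is non-zero when at least one item failed to restore.
#   - aes-256-cbc carries no integrity tag: a wrong password or a modified
#     ciphertext is caught only by the padding check (and, for archives, by
#     tar rejecting the stream). Restore only backups from a store you trust.

set -e
# Without pipefail the status of "openssl | tar" is tar's alone, so an openssl
# failure in the middle of a stream would be reported as a success.
set -o pipefail

# Colors for output
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
RED='\033[0;31m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color

# Path of the plaintext staging file currently in use (empty when none).
# The EXIT trap removes it so decrypted secrets never linger after an abort.
TMP_TARGET=""
cleanup() {
  if [ -n "$TMP_TARGET" ]; then
    rm -f -- "$TMP_TARGET"
  fi
}
trap cleanup EXIT

echo -e "${GREEN}=== ROA2WEB Secrets Restore Tool ===${NC}"
echo ""

# Check if openssl is installed
if ! command -v openssl &> /dev/null; then
  echo -e "${RED}Error: openssl is not installed${NC}"
  echo "Install with: sudo apt-get install openssl"
  exit 1
fi

# Check if secrets-backup directory exists
if [ ! -d "secrets-backup" ]; then
  echo -e "${RED}Error: No backups found${NC}"
  echo "Run ./scripts/backup-secrets.sh first"
  exit 1
fi

# Determine which backup to use
if [ -z "$1" ]; then
  # Use latest backup: newest sub-directory by modification time. Globbing
  # (instead of parsing `ls -t`) ignores stray plain files and copes with
  # unusual names; an empty result is reported instead of silently falling
  # back to "secrets-backup/" itself.
  latest=""
  for candidate in secrets-backup/*/; do
    [ -d "$candidate" ] || continue
    if [ -z "$latest" ] || [ "$candidate" -nt "$latest" ]; then
      latest=$candidate
    fi
  done
  if [ -z "$latest" ]; then
    echo -e "${RED}Error: No backups found${NC}"
    echo "Run ./scripts/backup-secrets.sh first"
    exit 1
  fi
  BACKUP_DATE=$(basename "$latest")
  echo -e "${YELLOW}Using latest backup: ${BACKUP_DATE}${NC}"
else
  BACKUP_DATE="$1"
  echo -e "${YELLOW}Using specified backup: ${BACKUP_DATE}${NC}"
fi

BACKUP_DIR="secrets-backup/${BACKUP_DATE}"

# Check if backup exists
if [ ! -d "$BACKUP_DIR" ]; then
  echo -e "${RED}Error: Backup not found: ${BACKUP_DIR}${NC}"
  echo ""
  echo "Available backups:"
  ls -1 secrets-backup
  exit 1
fi

echo ""
echo -e "${BLUE}Backup location: ${BACKUP_DIR}${NC}"
echo ""

# List encrypted files in backup
ENCRYPTED_FILES=()
ENCRYPTED_DIRS=()

for file in "${BACKUP_DIR}"/*.enc; do
  if [ -f "$file" ]; then
    filename=$(basename "$file")
    # Check if it's a tar archive (directory backup)
    if [[ "$filename" == *.tar.enc ]]; then
      ENCRYPTED_DIRS+=("$file")
    else
      ENCRYPTED_FILES+=("$file")
    fi
  fi
done

if [ ${#ENCRYPTED_FILES[@]} -eq 0 ] && [ ${#ENCRYPTED_DIRS[@]} -eq 0 ]; then
  echo -e "${RED}Error: No encrypted files found in backup${NC}"
  exit 1
fi

echo "Found in backup:"
if [ ${#ENCRYPTED_FILES[@]} -gt 0 ]; then
  echo " 📄 ${#ENCRYPTED_FILES[@]} environment file(s):"
  for file in "${ENCRYPTED_FILES[@]}"; do
    echo " - $(basename "$file")"
  done
fi
if [ ${#ENCRYPTED_DIRS[@]} -gt 0 ]; then
  echo " 📁 ${#ENCRYPTED_DIRS[@]} directory archive(s):"
  for file in "${ENCRYPTED_DIRS[@]}"; do
    echo " - $(basename "$file")"
  done
fi
echo ""

# Ask for confirmation
echo -e "${YELLOW}⚠️ This will overwrite existing .env files!${NC}"
# A closed stdin makes read fail; treat that as "no" instead of letting
# set -e abort the script without any message.
REPLY=""
read -p "Continue? (y/N): " -n 1 -r || true
echo ""
if [[ ! $REPLY =~ ^[Yy]$ ]]; then
  echo "Restore cancelled"
  exit 0
fi

# Get password
if [ -z "$BACKUP_PASSWORD" ]; then
  echo ""
  echo -e "${YELLOW}Enter decryption password:${NC}"
  # NOTE(review): no -r here, so backslashes typed in the password are
  # interpreted by read. Switching to `read -r -s` is only safe if the backup
  # script reads the password the same way - confirm before changing.
  read -s BACKUP_PASSWORD
  echo ""
  if [ -z "$BACKUP_PASSWORD" ]; then
    echo -e "${RED}Error: Password cannot be empty${NC}"
    exit 1
  fi
fi

echo ""

# Counter for restored files
RESTORED=0
FAILED=0

# Restore each file
for encrypted_file in "${ENCRYPTED_FILES[@]}"; do
  filename=$(basename "$encrypted_file" .enc)

  # Determine target path based on filename
  if [[ "$filename" == "backend-.env" ]]; then
    target="backend/.env"
  elif [[ "$filename" == "backend-.env.prod" ]]; then
    target="backend/.env.prod"
  elif [[ "$filename" == "telegram-bot-.env" ]]; then
    target="backend/modules/telegram/.env"
  elif [[ "$filename" == "telegram-bot-.env.prod" ]]; then
    target="backend/modules/telegram/.env.prod"
  else
    echo -e "${YELLOW}Skipping unknown file: $filename${NC}"
    continue
  fi

  echo -e "Decrypting: ${GREEN}$filename${NC}"
  echo -e " Target: $target"

  # Create target directory if needed
  mkdir -p "$(dirname "$target")"

  # Decrypt into a private staging file (mktemp creates it mode 0600) next to
  # the target. Decrypting straight into the target would truncate the live
  # .env before the password has been verified, so a typo would destroy it.
  if ! TMP_TARGET=$(mktemp "${target}.restore.XXXXXX"); then
    TMP_TARGET=""
    echo -e " ${RED}❌ Failed to create staging file for $target${NC}"
    FAILED=$((FAILED + 1))
    echo ""
    continue
  fi

  # The password goes to openssl on stdin (printf is a shell builtin), so it
  # never appears in a process argument list. openssl's stderr is discarded on
  # purpose; the message below reports the failure.
  # The target is written with a redirection so an existing file keeps its
  # owner, mode and symlink. NOTE(review): a newly created target gets
  # umask-default permissions - consider chmod 600 if the deployment allows.
  if printf '%s\n' "$BACKUP_PASSWORD" | openssl enc -aes-256-cbc -d -pbkdf2 \
    -in "$encrypted_file" -out "$TMP_TARGET" -pass stdin 2>/dev/null \
    && cat -- "$TMP_TARGET" > "$target"; then
    echo -e " ✅ Restored successfully"
    RESTORED=$((RESTORED + 1))
  else
    echo -e " ${RED}❌ Failed to decrypt (wrong password?)${NC}"
    FAILED=$((FAILED + 1))
  fi
  rm -f -- "$TMP_TARGET"
  TMP_TARGET=""
  echo ""
done

# Restore directory archives
for encrypted_file in "${ENCRYPTED_DIRS[@]}"; do
  filename=$(basename "$encrypted_file" .enc)
  dir_name=$(basename "$filename" .tar)

  echo -e "Decrypting directory: ${GREEN}$dir_name${NC}"
  echo -e " Target: $dir_name/"

  # Decrypt and extract tar archive.
  # The password is fed on stdin rather than as `-pass pass:...`, which would
  # expose it to every local user through the process list while openssl runs.
  # Member paths come from the archive itself and are extracted relative to
  # the current directory; nothing here restricts them to $dir_name/.
  if printf '%s\n' "$BACKUP_PASSWORD" | openssl enc -aes-256-cbc -d -pbkdf2 \
    -in "$encrypted_file" -pass stdin 2>/dev/null | tar -xf - 2>/dev/null; then
    echo -e " ✅ Restored successfully"
    RESTORED=$((RESTORED + 1))

    # Count restored files. `|| true`: under pipefail a missing $dir_name would
    # otherwise abort the script; wc still prints 0 in that case.
    file_count=$(find "$dir_name" -type f 2>/dev/null | wc -l) || true
    echo -e " 📁 Extracted ${file_count} file(s)"
  else
    echo -e " ${RED}❌ Failed to decrypt/extract (wrong password?)${NC}"
    FAILED=$((FAILED + 1))
  fi
  echo ""
done

echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
if [ $FAILED -eq 0 ]; then
  echo -e "${GREEN}✅ Restore completed successfully${NC}"
else
  echo -e "${YELLOW}⚠️ Restore completed with errors${NC}"
fi
echo ""
echo "📊 Summary:"
echo " - Restored: ${RESTORED} files"
echo " - Failed: ${FAILED} files"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"

# Let non-interactive callers detect a partial restore.
if [ "$FAILED" -ne 0 ]; then
  exit 1
fi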