ded7d24924
Some checks failed
CI / Frontend Lint (pull_request) Failing after 7s
CI / Frontend Type Check (pull_request) Failing after 7s
CI / Frontend Build (pull_request) Failing after 6s
CI / Frontend E2E Tests (pull_request) Failing after 7s
CI / Orchestrator Build (pull_request) Failing after 7s
CI / Orchestrator Unit Tests (pull_request) Failing after 6s
CI / Orchestrator E2E (Testcontainers) (pull_request) Has been skipped
CI / Contracts Compile (pull_request) Failing after 5s
CI / Contracts Test (pull_request) Failing after 6s
Code Quality / SonarQube Analysis (pull_request) Failing after 20s
Code Quality / Code Quality Checks (pull_request) Failing after 7s
Security Scan / Dependency Vulnerability Scan (pull_request) Failing after 4s
Security Scan / OWASP ZAP Scan (pull_request) Failing after 4s
- deploy-currencicombo-8604.sh: on readiness timeout, print loud failure summary (journalctl tails + exact --rollback command with specific backup path) instead of silently exiting. Deliberately does NOT auto-rollback; first cutovers often fail because of env/migration mistakes and auto-restore hides the failure state ops needs. - install.sh: on first run, write the three API keys + EVENT_SIGNING_SECRET to /root/currencicombo-first-keys.txt (0600, root:root) as a handoff copy. Canonical values still live in /etc/currencicombo/orchestrator.env. Log one pointer line (not the secrets themselves) to journald. Handoff file is NOT regenerated if orchestrator.env already exists. - install-prune-cron.sh (new, opt-in): installs /etc/cron.daily/ currencicombo-prune-backups that deletes entries older than 30 days from /var/lib/currencicombo/backups/ WHILE always keeping the newest 5 regardless of age. Enforced via newest-first sort + i<KEEP_MIN skip. - webapp-nginx.conf: drop the misleading /events/* 421 guard-rail. The orchestrator's SSE endpoint is /api/plans/:id/events/stream (under /api/), so one /api/* guard-rail covers both normal REST and SSE. - README.md: corrected NPMplus rule table to TWO rules (/api/* with SSE-friendly proxy_buffering=off + 24h read_timeout + Connection "" + http/1.1, and /); added post-cutover smoke checks section with a concrete SSE streaming test that catches silent proxy_buffering=on misconfig; documented the /root/currencicombo-first-keys.txt handoff and the install-prune-cron.sh workflow; replaced stale 'not auto-pruned' note. Verification: - shellcheck --severity=warning: clean on all 3 scripts. - bash -n: clean on install-prune-cron.sh. - install-prune-cron.sh --dry-run: prints the pruner body with resolved env values as expected. - install.sh --dry-run: walks through user/dirs/nginx-apt steps, then fails fast on missing psql (expected on a build box without Postgres). Co-Authored-By: Nakamoto, S <defi@defi-oracle.io>
103 lines
3.2 KiB
Bash
Executable File
103 lines
3.2 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# install-prune-cron.sh — opt-in cron job to prune old deploy backups.
|
|
#
|
|
# Run ONCE as root (or with sudo) after install.sh to enable daily
|
|
# pruning of /var/lib/currencicombo/backups/. The pruner:
|
|
# - deletes entries older than 30 days
|
|
# - ALWAYS keeps the newest N backups regardless of age (default 5)
|
|
#
|
|
# No-op on re-run. Opt out by removing /etc/cron.daily/currencicombo-prune-backups.
|
|
|
|
set -euo pipefail
|
|
|
|
BACKUP_DIR="${CC_BACKUP_DIR:-/var/lib/currencicombo/backups}"
|
|
RETAIN_DAYS="${CC_BACKUP_RETAIN_DAYS:-30}"
|
|
KEEP_MIN="${CC_BACKUP_KEEP_MIN:-5}"
|
|
CRON_FILE="/etc/cron.daily/currencicombo-prune-backups"
|
|
DRY_RUN=0
|
|
|
|
while [[ $# -gt 0 ]]; do
|
|
case "$1" in
|
|
--dry-run) DRY_RUN=1; shift ;;
|
|
-h|--help)
|
|
cat <<'USAGE'
|
|
Usage: sudo ./install-prune-cron.sh [--dry-run]
|
|
|
|
Env overrides:
|
|
CC_BACKUP_DIR (default: /var/lib/currencicombo/backups)
|
|
CC_BACKUP_RETAIN_DAYS (default: 30)
|
|
CC_BACKUP_KEEP_MIN (default: 5)
|
|
USAGE
|
|
exit 0 ;;
|
|
*) echo "unknown arg: $1" >&2; exit 2 ;;
|
|
esac
|
|
done
|
|
|
|
log() { printf '[install-prune-cron] %s\n' "$*" >&2; }
|
|
die() { printf '[install-prune-cron][FATAL] %s\n' "$*" >&2; exit 1; }
|
|
|
|
[[ "$EUID" -eq 0 ]] || die "must run as root (sudo)"
|
|
|
|
# The pruner script body. Runs daily via cron.daily.
|
|
# KEEP_MIN is enforced by listing backups newest-first, skipping the
|
|
# first KEEP_MIN, then deleting any remaining entries older than
|
|
# RETAIN_DAYS. This means we always keep at least KEEP_MIN (even if
|
|
# they're all <30 days old), and never delete one of the newest
|
|
# KEEP_MIN (even if it's >30 days old on a dormant host).
|
|
read -r -d '' PRUNER_BODY <<PRUNER || true
|
|
#!/usr/bin/env bash
|
|
# Managed by scripts/deployment/install-prune-cron.sh. Edits overwritten
|
|
# on next install. Opt out by deleting this file.
|
|
set -euo pipefail
|
|
|
|
BACKUP_DIR="${BACKUP_DIR}"
|
|
RETAIN_DAYS=${RETAIN_DAYS}
|
|
KEEP_MIN=${KEEP_MIN}
|
|
|
|
[[ -d "\$BACKUP_DIR" ]] || exit 0
|
|
|
|
cd "\$BACKUP_DIR"
|
|
mapfile -t all < <(find . -mindepth 1 -maxdepth 1 -type d -printf '%T@ %p\n' 2>/dev/null | sort -rn | awk '{print \$2}')
|
|
|
|
count=\${#all[@]}
|
|
if (( count <= KEEP_MIN )); then
|
|
logger -t currencicombo-prune "count=\$count <= KEEP_MIN=\$KEEP_MIN; nothing to prune"
|
|
exit 0
|
|
fi
|
|
|
|
cutoff=\$(date -d "\$RETAIN_DAYS days ago" +%s)
|
|
deleted=0
|
|
kept=0
|
|
for i in "\${!all[@]}"; do
|
|
p="\${all[\$i]}"
|
|
if (( i < KEEP_MIN )); then
|
|
kept=\$((kept + 1))
|
|
continue
|
|
fi
|
|
mtime=\$(stat -c %Y "\$p" 2>/dev/null || echo 0)
|
|
if (( mtime < cutoff )); then
|
|
rm -rf -- "\$p"
|
|
deleted=\$((deleted + 1))
|
|
else
|
|
kept=\$((kept + 1))
|
|
fi
|
|
done
|
|
logger -t currencicombo-prune "deleted=\$deleted kept=\$kept total_before=\$count"
|
|
PRUNER
|
|
|
|
if [[ "${DRY_RUN}" -eq 1 ]]; then
|
|
log "[dry-run] would write ${CRON_FILE} (0755) with pruner targeting ${BACKUP_DIR}, retain ${RETAIN_DAYS}d, keep-min ${KEEP_MIN}"
|
|
echo "---"
|
|
echo "${PRUNER_BODY}"
|
|
echo "---"
|
|
exit 0
|
|
fi
|
|
|
|
printf '%s\n' "${PRUNER_BODY}" > "${CRON_FILE}"
|
|
chmod 0755 "${CRON_FILE}"
|
|
chown root:root "${CRON_FILE}"
|
|
|
|
log "installed ${CRON_FILE} (backups older than ${RETAIN_DAYS}d, keep-min ${KEEP_MIN}, target ${BACKUP_DIR})"
|
|
log "runs daily via /etc/cron.daily/. Opt out: sudo rm ${CRON_FILE}"
|
|
log "logs to syslog (tag currencicombo-prune); journalctl -t currencicombo-prune"
|