kamal-backup 0.3.0.beta18 → 0.3.0.beta20

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f7b7f6a104e974d738b46ed67b5ece749627d8d33737845f9e9e7ea0e921ce21
-  data.tar.gz: e95a651804aa74ec1146989f0db3428e4c8510dc247ef07383e8b0f3d0168f43
+  metadata.gz: 85d6ee6e04e1765b7dcb8666deb42f63b151437a57bccfbc79c18c94b53e0af7
+  data.tar.gz: 6d456b02c442c3316eb48f990d2b486410ed1541fd363abd4bed62e3d6018e68
 SHA512:
-  metadata.gz: 447bbd9c378d92aef836e0f05cf751ef9b978121b9e3ff5d8675b943441f028aaa082809e9adf462d3380e6035e35dfd52cd74cac68c0ac6fef099632ff89429
-  data.tar.gz: 7f414a27f4c452371b9c88fb91ac7aece2bd9771d92ae835997487fa252aeb2f053955cce3a76741be12cd4f6fe31c7c206a2d2ccbdf356a595f34e5d007986b
+  metadata.gz: 9b7bd98124f478da8b1ee5bea4382880f924ab44dd9cb2325dd86d862dfb8fdcaf8f851fbaaf4003ba205243e81bcbdb7bbec928571655239964495e8753731b
+  data.tar.gz: a70c403b8b36a474339bd30ee84b8ae22fd11ff60b42aca6459abafc4fb43d3cb431ba1ab9f477f66326c0133d760043c7d35b28fca831451dfa705197132de3

data/lib/kamal_backup/app.rb

@@ -130,6 +130,12 @@ module KamalBackup
       restic.check.stdout
     end
 
+    def prune
+      config.validate_backup(check_files: false)
+      require_restic!
+      restic.prune
+    end
+
     def evidence
       config.validate_restic
       require_restic!

data/lib/kamal_backup/cli.rb

@@ -158,6 +158,17 @@ module KamalBackup
         end
       end
 
+      def print_prune_result(results)
+        output = Array(results).map(&:stdout).join
+
+        if output.empty?
+          puts("Prune completed")
+        else
+          print(output)
+          puts unless output.end_with?("\n")
+        end
+      end
+
       def validate_deploy_config
         config = Config.new(
           env: bridge.accessory_environment(accessory_name: accessory_name),
@@ -473,6 +484,15 @@ module KamalBackup
       end
     end
 
+    desc "prune", "Apply the configured restic retention policy and prune unneeded data"
+    def prune
+      if remote_command_mode?
+        exec_remote(["kamal-backup", "prune"])
+      else
+        print_prune_result(direct_app.prune)
+      end
+    end
+
     desc "evidence", "Print redacted backup, check, and restore-drill evidence as JSON"
     def evidence
       if remote_command_mode?
@@ -503,7 +523,6 @@ module KamalBackup
       puts deploy_snippet
       puts
       puts "The accessory runs scheduled database and file backups with backup.schedule."
-      puts "kamal-backup passes RESTIC_PASSWORD to restic through a private temporary password file."
       puts "For most Rails apps, restore local and drill local can infer the development database, Active Storage path, and tmp state directory."
       puts "Local restore and drill also require the restic binary on your machine."
       puts "Create config/kamal-backup.local.yml only if you need to override those local defaults."

data/lib/kamal_backup/redactor.rb

@@ -1,6 +1,7 @@
 module KamalBackup
   class Redactor
     SECRET_KEY_PATTERN = /(pass|password|secret|token|key|credential|authorization)/i
+    SENSITIVE_KEY_PATTERN = /(?:pass|password|secret|token|key|credential|authorization)|\A(?:user|username|pguser|.*_user|.*_username)\z/i
     REDACTED = "[REDACTED]"
 
     def initialize(secret_values: [], env: ENV)
@@ -16,7 +17,7 @@ module KamalBackup
 
     def redact_value(key, value)
       return nil if value.nil?
-      return REDACTED if key.to_s.match?(SECRET_KEY_PATTERN)
+      return REDACTED if key.to_s.match?(SENSITIVE_KEY_PATTERN)
 
       redact_string(value.to_s)
     end

data/lib/kamal_backup/restic.rb

@@ -1,7 +1,6 @@
 require "fileutils"
 require "json"
 require "open3"
-require "tempfile"
 require "time"
 require_relative "command"
 
@@ -28,49 +27,43 @@ module KamalBackup
     end
 
     def backup_stream(command, filename:, tags:)
-      with_restic_env do |env|
-        restic_command = CommandSpec.new(
-          argv: ["restic", "backup"] + host_args + ["--stdin", "--stdin-filename", filename] + tag_args(common_tags + tags),
-          env: env
-        )
-        log("backing up stream as #{filename}")
-        pipe_commands(command, restic_command, producer_label: "dump", consumer_label: "restic backup")
-      end
+      restic_command = CommandSpec.new(
+        argv: ["restic", "backup"] + host_args + ["--stdin", "--stdin-filename", filename] + tag_args(common_tags + tags),
+        env: restic_env
+      )
+      log("backing up stream as #{filename}")
+      pipe_commands(command, restic_command, producer_label: "dump", consumer_label: "restic backup")
     end
 
     def backup_file(path, filename:, tags:)
-      command = nil
+      command = CommandSpec.new(
+        argv: ["restic", "backup"] + host_args + ["--stdin", "--stdin-filename", filename] + tag_args(common_tags + tags),
+        env: restic_env
+      )
+      log("backing up file content as #{filename}")
 
-      with_restic_env do |env|
-        command = CommandSpec.new(
-          argv: ["restic", "backup"] + host_args + ["--stdin", "--stdin-filename", filename] + tag_args(common_tags + tags),
-          env: env
-        )
-        log("backing up file content as #{filename}")
-
-        File.open(path, "rb") do |file|
-          output = Command.output
-          context = output&.command_start(command, redactor: redactor)
-          Open3.popen3(command.env, *command.argv) do |stdin, stdout, stderr, wait_thread|
-            stdout_reader = Thread.new { Command.collect_stream(stdout, command_output: output, context: context, stream: :stdout, redactor: redactor) }
-            stderr_reader = Thread.new { Command.collect_stream(stderr, command_output: output, context: context, stream: :stderr, redactor: redactor) }
-            copy_error = nil
-            begin
-              IO.copy_stream(file, stdin)
-            rescue Errno::EPIPE => e
-              copy_error = e
-            ensure
-              stdin.close unless stdin.closed?
-            end
-            out = stdout_reader.value
-            err = stderr_reader.value
-            status = wait_thread.value
-            output&.command_exit(context, status.exitstatus)
-            raise_command_error(command, status, out, err) unless status.success?
-            raise_stream_error(command, copy_error, out, err) if copy_error
-
-            CommandResult.new(stdout: out, stderr: err, status: status.exitstatus)
+      File.open(path, "rb") do |file|
+        output = Command.output
+        context = output&.command_start(command, redactor: redactor)
+        Open3.popen3(command.env, *command.argv) do |stdin, stdout, stderr, wait_thread|
+          stdout_reader = Thread.new { Command.collect_stream(stdout, command_output: output, context: context, stream: :stdout, redactor: redactor) }
+          stderr_reader = Thread.new { Command.collect_stream(stderr, command_output: output, context: context, stream: :stderr, redactor: redactor) }
+          copy_error = nil
+          begin
+            IO.copy_stream(file, stdin)
+          rescue Errno::EPIPE => e
+            copy_error = e
+          ensure
+            stdin.close unless stdin.closed?
           end
+          out = stdout_reader.value
+          err = stderr_reader.value
+          status = wait_thread.value
+          output&.command_exit(context, status.exitstatus)
+          raise_command_error(command, status, out, err) unless status.success?
+          raise_stream_error(command, copy_error, out, err) if copy_error
+
+          CommandResult.new(stdout: out, stderr: err, status: status.exitstatus)
         end
       end
     rescue Errno::ENOENT => e
@@ -92,7 +85,11 @@ module KamalBackup
     end
 
     def forget_after_success
-      retention_tag_sets.each do |tags|
+      prune
+    end
+
+    def prune
+      retention_tag_sets.map do |tags|
         args = ["forget", "--prune", "--group-by", "host"] + config.retention_args + filter_tag_args(tags)
         log("running restic forget/prune with retention policy for #{retention_scope(tags)}")
         run(args)
@@ -160,31 +157,26 @@ module KamalBackup
     end
 
     def pipe_dump_to_command(snapshot, filename, command)
-      with_restic_env do |env|
-        restic_command = CommandSpec.new(argv: ["restic", "dump", snapshot, filename], env: env)
-        pipe_commands(restic_command, command, producer_label: "restic dump", consumer_label: command.argv.first)
-      end
+      restic_command = CommandSpec.new(argv: ["restic", "dump", snapshot, filename], env: restic_env)
+      pipe_commands(restic_command, command, producer_label: "restic dump", consumer_label: command.argv.first)
     end
 
     def write_dump_to_path(snapshot, filename, target_path)
-      command = nil
+      command = CommandSpec.new(argv: ["restic", "dump", snapshot, filename], env: restic_env)
       target_path = File.expand_path(target_path)
       FileUtils.mkdir_p(File.dirname(target_path))
       temp_path = "#{target_path}.kamal-backup-#{$$}.tmp"
 
-      with_restic_env do |env|
-        command = CommandSpec.new(argv: ["restic", "dump", snapshot, filename], env: env)
-        output = Command.output
-        context = output&.command_start(command, redactor: redactor)
-        Open3.popen3(command.env, *command.argv) do |stdin, stdout, stderr, wait_thread|
-          stdin.close
-          stderr_reader = Thread.new { Command.collect_stream(stderr, command_output: output, context: context, stream: :stderr, redactor: redactor) }
-          File.open(temp_path, "wb") { |file| IO.copy_stream(stdout, file) }
-          err = stderr_reader.value
-          status = wait_thread.value
-          output&.command_exit(context, status.exitstatus)
-          raise_command_error(command, status, "", err) unless status.success?
-        end
+      output = Command.output
+      context = output&.command_start(command, redactor: redactor)
+      Open3.popen3(command.env, *command.argv) do |stdin, stdout, stderr, wait_thread|
+        stdin.close
+        stderr_reader = Thread.new { Command.collect_stream(stderr, command_output: output, context: context, stream: :stderr, redactor: redactor) }
+        File.open(temp_path, "wb") { |file| IO.copy_stream(stdout, file) }
+        err = stderr_reader.value
+        status = wait_thread.value
+        output&.command_exit(context, status.exitstatus)
+        raise_command_error(command, status, "", err) unless status.success?
       end
       File.rename(temp_path, target_path)
       target_path
@@ -202,13 +194,11 @@ module KamalBackup
     end
 
     def run(args, log_output: true)
-      with_restic_env do |env|
-        Command.capture(
-          CommandSpec.new(argv: ["restic"] + args, env: env),
-          redactor: redactor,
-          log_output: log_output
-        )
-      end
+      Command.capture(
+        CommandSpec.new(argv: ["restic"] + args, env: restic_env),
+        redactor: redactor,
+        log_output: log_output
+      )
     end
 
     def common_tags
@@ -270,25 +260,6 @@ module KamalBackup
         end
       end
 
-      def with_restic_env
-        env = restic_env
-        password_file = nil
-
-        if env["RESTIC_PASSWORD_FILE"] || env["RESTIC_PASSWORD_COMMAND"]
-          env.delete("RESTIC_PASSWORD")
-        elsif env["RESTIC_PASSWORD"]
-          password_file = Tempfile.new("kamal-backup-restic-password")
-          password_file.write(env.delete("RESTIC_PASSWORD"))
-          password_file.flush
-          File.chmod(0o600, password_file.path)
-          env["RESTIC_PASSWORD_FILE"] = password_file.path
-        end
-
-        yield env
-      ensure
-        password_file&.close!
-      end
-
       def pipe_commands(producer, consumer, producer_label:, consumer_label:)
         output = Command.output
         producer_context = output&.command_start(producer, redactor: redactor)

data/lib/kamal_backup/version.rb

@@ -1,3 +1,3 @@
 module KamalBackup
-  VERSION = "0.3.0.beta18"
+  VERSION = "0.3.0.beta20"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: kamal-backup
 version: !ruby/object:Gem::Version
-  version: 0.3.0.beta18
+  version: 0.3.0.beta20
 platform: ruby
 authors:
 - crmne