Initial vault-backup project

- R2 백업 스크립트 (Raft 스냅샷 + fallback) - 경로 기반 백업 스크립트 - 환경변수 템플릿 - README 문서 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-30 22:09:45 +09:00
commit 750f8ac241
5 changed files with 375 additions and 0 deletions
--- a/scripts/vault-backup-mcp.sh
+++ b/scripts/vault-backup-mcp.sh
@@ -0,0 +1,69 @@
+#!/bin/bash
+# Simple Vault Backup using known paths
+# For use when you know the secret paths to backup
+
+set -euo pipefail
+
+# R2 Configuration
+R2_ACCOUNT_ID="${R2_ACCOUNT_ID:?R2_ACCOUNT_ID is required}"
+R2_ACCESS_KEY="${R2_ACCESS_KEY:?R2_ACCESS_KEY is required}"
+R2_SECRET_KEY="${R2_SECRET_KEY:?R2_SECRET_KEY is required}"
+R2_BUCKET="${R2_BUCKET:-vault-backup}"
+R2_ENDPOINT="https://${R2_ACCOUNT_ID}.r2.cloudflarestorage.com"
+
+VAULT_ADDR="${VAULT_ADDR:-https://vault.anvil.it.com}"
+VAULT_TOKEN="${VAULT_TOKEN:?VAULT_TOKEN is required}"
+
+TIMESTAMP=$(date +%Y%m%d-%H%M%S)
+BACKUP_FILE="/tmp/vault-backup-${TIMESTAMP}.json"
+
+echo "[INFO] Starting Vault backup at $(date)"
+
+# Known secret paths to backup (add your paths here)
+PATHS=(
+    "app/config"
+    "app/database"
+    "shared/api-keys"
+    # Add more paths as needed
+)
+
+echo '{"backup_time": "'$(date -Iseconds)'", "secrets": [' > "$BACKUP_FILE"
+
+first=true
+for path in "${PATHS[@]}"; do
+    echo "[INFO] Backing up: $path"
+
+    secret=$(curl -s -H "X-Vault-Token: ${VAULT_TOKEN}" \
+        "${VAULT_ADDR}/v1/secret/data/${path}" 2>/dev/null | \
+        jq '.data.data // empty' 2>/dev/null || echo "")
+
+    if [[ -n "$secret" && "$secret" != "null" ]]; then
+        if [[ "$first" == "true" ]]; then
+            first=false
+        else
+            echo "," >> "$BACKUP_FILE"
+        fi
+        echo "{\"path\": \"${path}\", \"data\": ${secret}}" >> "$BACKUP_FILE"
+    else
+        echo "[WARN] Path not found or empty: $path"
+    fi
+done
+
+echo ']}' >> "$BACKUP_FILE"
+
+# Compress
+gzip "$BACKUP_FILE"
+BACKUP_FILE="${BACKUP_FILE}.gz"
+
+# Upload to R2
+echo "[INFO] Uploading to R2..."
+export AWS_ACCESS_KEY_ID="$R2_ACCESS_KEY"
+export AWS_SECRET_ACCESS_KEY="$R2_SECRET_KEY"
+
+aws s3 cp "$BACKUP_FILE" "s3://${R2_BUCKET}/$(basename $BACKUP_FILE)" \
+    --endpoint-url "$R2_ENDPOINT"
+
+# Cleanup
+rm -f "$BACKUP_FILE"
+
+echo "[INFO] Backup complete: s3://${R2_BUCKET}/$(basename $BACKUP_FILE)"