#!/bin/bash
# backup-nginx.sh — nginx Proxy Manager Backup
# Mandant:  platform
# Umgebung: prod
# Zielpfad: tenants/platform/prod/nginx-proxy-manager/
# Holt: /data/compose/2/data + letsencrypt vom Raspi
# Verschlüsselt clientseitig mit age, pusht nach dmz-backup

set -euo pipefail

TIMESTAMP=$(date -u +%Y%m%dT%H%M%SZ)
TMPDIR=$(mktemp -d /tmp/nginx-bak-XXXXXX)
trap 'rm -rf "$TMPDIR"' EXIT

NGINX_HOST="kube-bot@192.168.20.20"
SSH_KEY="$HOME/.ssh/kube-bot-it15-ed25519"
AGE_BIN="/home/node/shared/tools/age"
DMZ_BACKUP_HOST="192.168.20.90"
DMZ_TARGET="/media/myCloudDrive/dmz-backup/k3s-dmz/tenants/platform/prod/nginx-proxy-manager/$TIMESTAMP"

log() { echo "[$(date -u +%H:%M:%SZ)] $*"; }
fail() { log "FEHLER: $*"; exit 1; }

log "=== nginx Backup $TIMESTAMP ==="

# Credentials aus Infisical
python3 << PYEOF
import json, urllib.request, os
creds={}
with open(os.path.expanduser('~/.openclaw/workspace/.hob-cattaro-creds')) as f:
    for l in f:
        l=l.strip()
        if l and not l.startswith('#') and '=' in l:
            k,v=l.split('=',1); creds[k]=v
def api(u,d=None,h={}):
    r=urllib.request.Request(u,data=json.dumps(d).encode() if d else None,headers={'Content-Type':'application/json',**h})
    return json.loads(urllib.request.urlopen(r,timeout=10).read())
t=api(f"{creds['HOB_CATTARO_INFISICAL_URL']}/api/v1/auth/universal-auth/login",
      {'clientId':creds['HOB_CATTARO_CLIENT_ID'],'clientSecret':creds['HOB_CATTARO_CLIENT_SECRET']})['accessToken']
s=api(f"{creds['HOB_CATTARO_INFISICAL_URL']}/api/v3/secrets/raw?workspaceId={creds['HOB_CATTARO_PROJECT_ID']}&environment=prod&secretPath=/kube-bot",
      h={'Authorization':f'Bearer {t}'})
sv={x['secretKey']:x['secretValue'] for x in s['secrets']}
ct=api(f"{sv['CATTARO_INFISICAL_URL']}/api/v1/auth/universal-auth/login",
       {'clientId':sv['CATTARO_INFISICAL_CLIENT_ID'],'clientSecret':sv['CATTARO_INFISICAL_CLIENT_SECRET']})['accessToken']
BR="ba0a79d9-32fe-474c-be2f-88384a3d9749"
def get(n):
    return api(f"{sv['CATTARO_INFISICAL_URL']}/api/v3/secrets/raw/{n}?workspaceId={BR}&environment=prod&secretPath=/",
               h={'Authorization':f'Bearer {ct}'})['secret']['secretValue']
with open('/tmp/nginx-bak-recipient', 'w') as f: f.write(get('BACKUP_NGINX_AGE_RECIPIENT'))
dk=get('KUBE_BOT_DMZ_BACKUP_SSH_PRIVATE_KEY')
with open('/tmp/nginx-bak-dmz.key','w') as f: f.write(dk+'\n')
os.chmod('/tmp/nginx-bak-dmz.key', 0o600)
PYEOF

RECIPIENT=$(cat /tmp/nginx-bak-recipient)

log "Hole data + letsencrypt vom Raspi..."
ssh -i "$SSH_KEY" -o StrictHostKeyChecking=no "$NGINX_HOST" \
  'sudo tar czf - -C /data/compose/2 data 2>/dev/null' > "$TMPDIR/data.tar.gz"
ssh -i "$SSH_KEY" -o StrictHostKeyChecking=no "$NGINX_HOST" \
  'sudo tar czf - -C /data/compose/2 letsencrypt 2>/dev/null' > "$TMPDIR/letsencrypt.tar.gz"
log "data: $(du -sh "$TMPDIR/data.tar.gz" | cut -f1), letsencrypt: $(du -sh "$TMPDIR/letsencrypt.tar.gz" | cut -f1)"

log "Verschlüssele..."
"$AGE_BIN" -r "$RECIPIENT" -o "$TMPDIR/nginx-data.tar.gz.age" "$TMPDIR/data.tar.gz"
"$AGE_BIN" -r "$RECIPIENT" -o "$TMPDIR/nginx-letsencrypt.tar.gz.age" "$TMPDIR/letsencrypt.tar.gz"

for f in nginx-data.tar.gz.age nginx-letsencrypt.tar.gz.age; do
  sha256sum "$TMPDIR/$f" | awk '{print $1"  '"$f"'"}' > "$TMPDIR/$f.sha256"
done

log "Push nach dmz-backup..."
ssh -i /tmp/nginx-bak-dmz.key -o StrictHostKeyChecking=no "openclaw@$DMZ_BACKUP_HOST" "mkdir -p '$DMZ_TARGET'"

for f in nginx-data.tar.gz.age nginx-data.tar.gz.age.sha256 nginx-letsencrypt.tar.gz.age nginx-letsencrypt.tar.gz.age.sha256; do
  scp -i /tmp/nginx-bak-dmz.key -o StrictHostKeyChecking=no "$TMPDIR/$f" "openclaw@$DMZ_BACKUP_HOST:$DMZ_TARGET/$f"
done

for f in nginx-data.tar.gz.age nginx-letsencrypt.tar.gz.age; do
  LOCAL=$(awk '{print $1}' "$TMPDIR/$f.sha256")
  REMOTE=$(ssh -i /tmp/nginx-bak-dmz.key -o StrictHostKeyChecking=no "openclaw@$DMZ_BACKUP_HOST" \
    "sha256sum '$DMZ_TARGET/$f' | awk '{print \$1}'")
  [ "$LOCAL" = "$REMOTE" ] && log "SHA256 OK: $f" || fail "SHA256 FAIL: $f"
done

rm -f /tmp/nginx-bak-recipient /tmp/nginx-bak-dmz.key
log "=== nginx Backup $TIMESTAMP abgeschlossen ==="
echo "$TIMESTAMP"
