author: EuAndreh <eu@euandre.org> 2019-05-28 00:46:24 -0300
committer: EuAndreh <eu@euandre.org> 2019-05-28 00:49:16 -0300
commit: 83b0be5ae5abecd2076cab8b7ab2a84e9756034a
tree: b0492f618208f5bc9c207721362ce16eba1b9034
parent: Add secrets/borg_remote{.pub} SSH keypair
Add backup routing before possibly tearing down machine
Create a new backup entry before running =terraform apply=, which may (or may not) destroy the current machine. This shouldn't be an issue for the backup itself, since all of the data should be stored in a separate Block Storage Volume, but we can take advantage of the services already needing to be taken down in order to perform a full backup of the data.
-rw-r--r--  TODOs.org               5
-rwxr-xr-x  backup-and-shutdown.sh  8
-rwxr-xr-x  ci-setup.sh             1
-rwxr-xr-x  provision.sh            7
-rwxr-xr-x  run-backup-template.sh  11
-rw-r--r--  secrets/envrc.sh        bin 1016 -> 1553 bytes
6 files changed, 21 insertions, 11 deletions
diff --git a/TODOs.org b/TODOs.org
index 2f8d3ba..596793e 100644
--- a/TODOs.org
+++ b/TODOs.org
@@ -27,7 +27,8 @@ Put it in an environment variable?
Done by appending to content of =~/.ssh/config=.
**** DOING Automate deployment with Terraform and deployment scripts
**** NEXT Use DigitalOcean's Floating IP in front of the droplet
-**** TODO Backup data during deployments
+**** DONE Backup data during deployments
+CLOSED: [2019-05-28 Tue 00:48]
Is this approach feasible? Will it make the deployment take too much longer? What are the alternatives?
Initial sketch of the backup commands:
@@ -36,6 +37,8 @@ rsync --verbose --progress --stats --update --recursive "$HOME/backups/" "$RSYNC
borg create -svp -C lzma,6 "~/borgbackup::{hostname}-{now}-${VPS_COMMIT_SHA} ${VOLUME_HOME}"
rsync --verbose --progress --stats --update --recursive "$RSYNC_REMOTE" "$HOME/borgbackups/"
#+END_SOURCE
+
+Implemented with help from https://jstaf.github.io/2018/03/12/backups-with-borg-rsync.html
**** TODO Test provisioning DNS entries with other DNS registrars
**** DONE Namecheap whitelist IP limitation
CLOSED: [2019-05-26 Sun 17:14]
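Review bot: the sketch kept under this entry is now stale documentation for an item marked DONE. Its `borg create -svp -C lzma,6 "~/borgbackup::{hostname}-{now}-${VPS_COMMIT_SHA} ${VOLUME_HOME}"` line quotes the repository and the source path as a single argument, uses a `~` that does not expand inside double quotes, and no longer matches run-backup-template.sh. Either label the block as the superseded sketch or replace it with a pointer to run-backup-template.sh next to the added reference link.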
diff --git a/backup-and-shutdown.sh b/backup-and-shutdown.sh
deleted file mode 100755
index c880a16..0000000
--- a/backup-and-shutdown.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/usr/bin/env bash
-set -Eeuo pipefail
-cd "$(dirname "${BASH_SOURCE[0]}")"
-
-echo "FIXME: get current backup"
-echo docker-compose down
-echo "FIXME: create a new backup"
-echo "FIXME: rsync back new backup"
diff --git a/ci-setup.sh b/ci-setup.sh
index a5d0c0d..4c38993 100755
--- a/ci-setup.sh
+++ b/ci-setup.sh
@@ -14,6 +14,7 @@ echo "Done."
# git smudge after git-crypt clears file permissions
chmod 600 ./secrets/vps_box
+chmod 600 ./secrets/borg_remote
cat .envrc >> ~/.buildenv
source .envrc
diff --git a/provision.sh b/provision.sh
index 42e7990..e5f6baf 100755
--- a/provision.sh
+++ b/provision.sh
@@ -5,8 +5,11 @@ set -Eeuo pipefail
cd "$(dirname "${BASH_SOURCE[0]}")"
echo "Shutting down running containers and backing up data..."
-envsubst < backup-and-shutdown.sh | ssh "$TLD" 'cat > /home/vps/backup-and-shutdown.sh'
-ssh "$TLD" /home/vps/backup-and-shutdown.sh
+ssh "$TLD" "cd /home/vps/ && docker-compose down"
+scp ./secrets/borg_remote.pub "$TLD":/root/.ssh/id_rsa.pub
+scp ./secrets/borg_remote "$TLD":/root/.ssh/id_rsa
+envsubst < run-backup-template.sh | ssh "$TLD" 'cat > /home/vps/run-backup.sh && chmod +x /home/vps/run-backup.sh'
+ssh "$TLD" /home/vps/run-backup.sh
echo "Done."
echo "Running 'terraform apply'..."
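Review bot: the two added scp lines install the backup key as /root/.ssh/id_rsa and /root/.ssh/id_rsa.pub, which silently replaces any default identity root already has on that host, and nothing removes the private key once the backup finishes. Copy it to a dedicated path (for example /root/.ssh/borg_remote), point borg at it through BORG_RSH or an ssh config entry, and delete it after run-backup.sh returns. The same concern applies to /home/vps/run-backup.sh: after envsubst it holds BORG_PASSPHRASE in clear text, is created with the default umask plus `chmod +x`, and is never deleted, so prefer `chmod 700` and an `rm` after the run. Because envsubst replaces unset variables with an empty string, it is also worth checking that BORG_REPO, BORG_PASSPHRASE, BORG_REMOTE_PATH, VOLUME_HOME and VPS_COMMIT_SHA are set before generating the script.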
diff --git a/run-backup-template.sh b/run-backup-template.sh
new file mode 100755
index 0000000..34184b9
--- /dev/null
+++ b/run-backup-template.sh
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+export BORG_REMOTE_PATH="${BORG_REMOTE_PATH}"
+export BORG_PASSPHRASE="${BORG_PASSPHRASE}"
+borg create \
+ --verbose \
+ --stats \
+ --progress \
+ --compression lzma,6 \
+ "${BORG_REPO}::{hostname}-{now}-${VPS_COMMIT_SHA}" \
+ "${VOLUME_HOME}"
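Review bot: the `export BORG_PASSPHRASE="${BORG_PASSPHRASE}"` line, like the other substituted values, is filled in by envsubst before the script reaches the remote shell, so the secret lands inside double quotes as literal script text. A passphrase containing `"`, `$`, a backtick or a backslash will either break the script or be re-evaluated by bash on the server. Pass the values through the environment or stdin of the ssh session instead of templating them into the file, or at least emit them shell-quoted. The script also drops the `set -Eeuo pipefail` that the deleted backup-and-shutdown.sh and provision.sh both use; add it so that later additions to this file fail loudly.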
diff --git a/secrets/envrc.sh b/secrets/envrc.sh
index c0a0907..4aaa2bd 100644
--- a/secrets/envrc.sh
+++ b/secrets/envrc.sh
Binary files differ