fix(infra): add R2_ENDPOINT to prod secrets for landing backup

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
fix(infra): switch landing backup to shared r2-landing rclone remote
2026-03-01 18:41:42 +01:00 · 2026-03-01 18:36:57 +01:00
3 changed files with 39 additions and 14 deletions
--- a/.env.prod.sops
+++ b/.env.prod.sops
@@ -56,13 +56,14 @@ CENSUS_API_KEY=ENC[AES256_GCM,data:9RbKlxSD17LqIuuNXaOKSgZ8LnFh9Wbze3XHgpctfV/1T
 R2_LANDING_BUCKET=ENC[AES256_GCM,data:yZXLNQb8yN9nQPdxqmqv61fLWbRYCjjOqQ==,iv:fAwBLC/EuU0lgYOxZSkTagWyeQCdEadjssapxpCEGjA=,tag:VUmuVw76WZAaukp71Desag==,type:str]
 R2_LANDING_ACCESS_KEY_ID=ENC[AES256_GCM,data:Y6y+U1ayhpFDcoaDjl7hyMVjU3gVvtORAH5gbd+HXbM=,iv:ra9kuch1DT+2tfz140bvxQRIXypsdiUrX1QYQ59gNRI=,tag:Wt85qliUMFvgbvoUrOXT7A==,type:str]
 R2_LANDING_SECRET_ACCESS_KEY=ENC[AES256_GCM,data:99wB9aKSq2GihW9FOwBSMgHYzNKBHlol2Mf2kg4Ma6Fr4Cr21t/blzPxNQ7YRdeKk6ypFgViXlS4BJz9nC+v0g==,iv:/AmbXtj/uSGcMp+NBhN5tiVb2U56tvO5e1UpG2/ijPo=,tag:Qg2Tt11DUJPyeYcq9iSVnQ==,type:str]
+R2_ENDPOINT=ENC[AES256_GCM,data:PBWTzUfhc/qVZ4n3GqJdZu8W7Ee0+FpsgikWVxgptQ3BJ2rQ4ewDuEB05inB1Agz1sB42VEBAsTtR3c5waPPRNs=,iv:ILZ0999fsPYYzVQYuIgAxpyystcplnykVoT5RpSEW2w=,tag:FxFOjQ+YcZuLf+jJr2OVFQ==,type:str]
 sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaUVk0UEVqdmtsM3VzQnpZ\nZjJDZ1lsM0VqWFpVVXUvNzdQcCtHbVJLNjFnCmhna01vTkVBaFQ5ZVlXeGhYNXdH\ncWJ5Qi9PdkxLaHBhQnR3cmtoblkxdEUKLS0tIDhHamY4NXhxOG9YN1NpbTN1aVRh\nOHVKcEN1d0QwQldVTDlBWUU4SDVDWlUKRJU+CTfTzIx6LLKin9sTXAHPVAfiUerZ\nCqYVFncsCJE3TbMI424urQj7kragPoGl1z4++yqAXNTRxfZIY4KTkg==\n-----END AGE ENCRYPTED FILE-----\n
 sops_age__list_0__map_recipient=age1f5002gj4s78jju45jd28kuejtcfhn5cdujz885fl7z2p9ym68pnsgky87a
 sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmVEticFRVemlzZnlzek4x\nbWJ0d0h5ejJVUk5remo1VkdxNjVpdllqbFhFClc1UXlNd09xVVA5MnltMlN5MWRy\nYUlNRmNybHh1RGdPVC9yWlYrVmRTdkkKLS0tIHBUbU9qSDMrVGVHZDZGSFdpWlBh\nT3NXTGl0SmszaU9hRmU5bXI0cDRoRW8KLvbNYsBEwz+ITKvn7Yn+iNHiRzyyjtQt\no9/HupykJ3WjSdleGz7ZN6UiPGelHp0D/rzSASTYaI1+0i0xZ4PUoQ==\n-----END AGE ENCRYPTED FILE-----\n
 sops_age__list_1__map_recipient=age1wjepykv3glvsrtegu25tevg7vyn3ngpl607u3yjc9ucay04s045s796msw
 sops_age__list_2__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFeHhaOURNZnRVMEwxNThu\nUjF4Q0kwUXhTUE1QSzZJbmpubnh3RnpQTmdvCjRmWWxpNkxFUmVGb3NRbnlydW5O\nWEg3ZXJQTU4vcndzS2pUQXY3Q0ttYjAKLS0tIE9IRFJ1c2ZxbGVHa2xTL0swbGN1\nTzgwMThPUDRFTWhuZHJjZUYxOTZrU00KY62qrNBCUQYxwcLMXFEnLkwncxq3BPJB\nKm4NzeHBU87XmPWVrgrKuf+PH1mxJlBsl7Hev8xBTy7l6feiZjLIvQ==\n-----END AGE ENCRYPTED FILE-----\n
 sops_age__list_2__map_recipient=age1c783ym2q5x9tv7py5d28uc4k44aguudjn03g97l9nzs00dd9tsrqum8h4d
-sops_lastmodified=2026-03-01T16:31:40Z
-sops_mac=ENC[AES256_GCM,data:+9Sk7wVRPMDeDf6FkuNAOyUT6/OD8Rk6jtJuy5CGQXdxxCYY12F6dAGF6V5fE0toqfYxhVTJbSqH32qTZM2Tc28n36zCtXNnaTdv9rS4XFfPq+MrhuIIv5bJYwDXDgW4F5TCeCBB09jgUKDRaQVGBn2hO3+k8auaPdqWp2cd+es=,iv:wtN61uo7vixY1/EQteyTMzG73C6Gz8AFu1qodR9JvQw=,tag:Z1izDo6EAS03OhA1bj0ArA==,type:str]
+sops_lastmodified=2026-03-01T17:40:31Z
+sops_mac=ENC[AES256_GCM,data:xiTAz5BSk9F7GqQHcy0UpU7jCS2wHbfi27hOvpdoxAKtGLxaZ5PISQHVWEStWjHS+8g+3ACrTj/UQfUuCTr/55UVU0Wu6hyAWnuZ3DuaMfYUNer+9XZm5V2jTibQIYH01ZWyt4aeqs/Njn39FMx33s4hRdYVjfN391wgkx2+Hsg=,iv:UbgoSuVPu9H7Gu+HwZ6m60KgfGxZwKITMrkT54nd1yY=,tag:pM0hoz6XDQk6HaSJBkOR1Q==,type:str]
 sops_unencrypted_suffix=_unencrypted
 sops_version=3.12.1
--- a/infra/bootstrap_supervisor.sh
+++ b/infra/bootstrap_supervisor.sh
@@ -54,6 +54,40 @@ chmod 600 "${REPO_DIR}/.env"

 sudo -u "${SERVICE_USER}" bash -c "cd ${REPO_DIR} && ${UV} sync --all-packages"

+# ── rclone config (r2-landing remote) ────────────────────────────────────────
+
+_env_get() { grep -E "^${1}=" "${REPO_DIR}/.env" 2>/dev/null | head -1 | cut -d= -f2- | tr -d '"'"'" || true; }
+
+R2_LANDING_KEY=$(_env_get R2_LANDING_ACCESS_KEY_ID)
+R2_LANDING_SECRET=$(_env_get R2_LANDING_SECRET_ACCESS_KEY)
+R2_ENDPOINT=$(_env_get R2_ENDPOINT)
+
+if [ -n "${R2_LANDING_KEY}" ] && [ -n "${R2_LANDING_SECRET}" ] && [ -n "${R2_ENDPOINT}" ]; then
+    RCLONE_CONF_DIR="/home/${SERVICE_USER}/.config/rclone"
+    RCLONE_CONF="${RCLONE_CONF_DIR}/rclone.conf"
+
+    sudo -u "${SERVICE_USER}" mkdir -p "${RCLONE_CONF_DIR}"
+
+    grep -v '^\[r2-landing\]' "${RCLONE_CONF}" 2>/dev/null > "${RCLONE_CONF}.tmp" || true
+    cat >> "${RCLONE_CONF}.tmp" <<EOF
+
+[r2-landing]
+type = s3
+provider = Cloudflare
+access_key_id = ${R2_LANDING_KEY}
+secret_access_key = ${R2_LANDING_SECRET}
+endpoint = ${R2_ENDPOINT}
+acl = private
+no_check_bucket = true
+EOF
+    mv "${RCLONE_CONF}.tmp" "${RCLONE_CONF}"
+    chown "${SERVICE_USER}:${SERVICE_USER}" "${RCLONE_CONF}"
+    chmod 600 "${RCLONE_CONF}"
+    echo "$(date '+%H:%M:%S') ==> rclone [r2-landing] remote configured."
+else
+    echo "$(date '+%H:%M:%S') ==> R2_LANDING_* not set — skipping rclone config."
+fi
+
 # ── Systemd services ──────────────────────────────────────────────────────────

 cp "${REPO_DIR}/infra/landing-backup/padelnomics-landing-backup.service" /etc/systemd/system/
--- a/infra/landing-backup/padelnomics-landing-backup.service
+++ b/infra/landing-backup/padelnomics-landing-backup.service
@@ -7,15 +7,5 @@ Wants=network-online.target
 Type=oneshot
 User=padelnomics_service
 EnvironmentFile=/opt/padelnomics/.env
-Environment=LANDING_DIR=/data/padelnomics/landing
-ExecStart=/usr/bin/rclone sync ${LANDING_DIR} :s3:${LITESTREAM_R2_BUCKET}/padelnomics/landing \
-    --s3-provider Cloudflare \
-    --s3-access-key-id ${LITESTREAM_R2_ACCESS_KEY_ID} \
-    --s3-secret-access-key ${LITESTREAM_R2_SECRET_ACCESS_KEY} \
-    --s3-endpoint https://${LITESTREAM_R2_ENDPOINT} \
-    --s3-no-check-bucket \
-    --exclude ".state.sqlite*"
-
-StandardOutput=journal
-StandardError=journal
-SyslogIdentifier=padelnomics-landing-backup
+ExecStart=/bin/sh -c 'exec /usr/bin/rclone sync /data/padelnomics/landing/ r2-landing:${R2_LANDING_BUCKET}/padelnomics/ --log-level INFO --exclude ".state.sqlite*"'
+TimeoutStartSec=1800
Author	SHA1	Message	Date
Deeman	7d2950928e	fix(infra): add R2_ENDPOINT to prod secrets for landing backup All checks were successful CI / test (push) Successful in 50s Details CI / tag (push) Successful in 3s Details Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-01 18:41:42 +01:00
Deeman	65e51d2972	fix(infra): switch landing backup to shared r2-landing rclone remote All checks were successful CI / test (push) Successful in 52s Details CI / tag (push) Successful in 3s Details Replace inline LITESTREAM_R2_* credentials in the backup service with the named [r2-landing] rclone remote and R2_LANDING_* env vars, matching the beanflows pattern. Add rclone.conf setup to bootstrap_supervisor.sh so the remote is written from env on each bootstrap run. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-01 18:36:57 +01:00