backend/scripts/db_crypt.sh

#!/usr/bin/env bash

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
BACKEND_DIR="$(realpath "$SCRIPT_DIR/..")"
SPACE_NAME="thryyyyy/open-webui"

function check_requirements() {
    if ! command -v gpg >/dev/null; then
        echo "Error: gpg is not installed"
        return 1
    fi
}

function validate_secrets() {
    if [ -z "$BACKUP_PASSPHRASE" ]; then
        echo "Error: BACKUP_PASSPHRASE secret not set"
        return 1
    fi

    if [ -z "$HF_TOKEN" ]; then
        echo "Error: HF_TOKEN secret not set"
        return 1
    fi
}

function decrypt_database() {
    validate_secrets || return 1

    mkdir -p "$BACKEND_DIR/data"

    if [ -f "$BACKEND_DIR/db_backup/webui.db.gpg" ]; then
        echo "Decrypting database backup..."
        gpg --batch --yes --passphrase "$BACKUP_PASSPHRASE" -d \
            -o "$BACKEND_DIR/data/webui.db" "$BACKEND_DIR/db_backup/webui.db.gpg"

        if [ $? -eq 0 ]; then
            echo "Database decrypted successfully"
            return 0
        else
            echo "Failed to decrypt database"
            return 1
        fi
    else
        echo "No encrypted backup found at db_backup/webui.db.gpg"
        # Not an error, might be first run
        return 0
    fi
}

function encrypt_database() {
    validate_secrets || return 1

    if [ ! -f "$BACKEND_DIR/data/webui.db" ]; then
        echo "Database not found at data/webui.db"
        return 1
    fi

    mkdir -p "$BACKEND_DIR/db_backup"

    echo "Encrypting database..."
    gpg --batch --yes --passphrase "$BACKUP_PASSPHRASE" -c --cipher-algo AES256 \
        -o "$BACKEND_DIR/db_backup/webui.db.gpg" "$BACKEND_DIR/data/webui.db"

    if [ $? -eq 0 ]; then
        echo "Database encrypted successfully"
        cd "$BACKEND_DIR" || exit 1

        # Configure Git for this operation
        git config --local user.email "space-bot@huggingface.co"
        git config --local user.name "Space Bot"

        echo "Committing and pushing changes..."
        git add db_backup/webui.db.gpg
        git commit -m "Update encrypted database backup"

        # Push using the token
        REPO_URL="https://user:$HF_TOKEN@huggingface.co/spaces/$SPACE_NAME"
        if git push "$REPO_URL" main; then
            echo "Successfully pushed backup to repository"
            cd - >/dev/null
            return 0
        else
            echo "Failed to push to repository"
            cd - >/dev/null
            return 1
        fi
    else
        echo "Failed to encrypt database"
        return 1
    fi
}

# Check requirements first
check_requirements || exit 1

# If script is run directly, default to encryption
# (equivalent to fish's: if test (status filename) = (status -f))
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    encrypt_database
fi