Initial commit: bpp-backup.sh

Shell script to pull a full backup of a remote BPP deployment to the
local machine. Packages ~/bpp-deploy and $BPP_CONFIGS_DIR (read from
the remote .env) into a single ./backup-<host>-<project>-<ts>.tar.gz.

Includes MIT license, GitHub Actions CI (bash -n + ShellCheck +
pre-commit), and pre-commit config with detect-private-key.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: mpasternak

.github/workflows/ci.yml

@@ -0,0 +1,33 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  shell:
+    name: Shell syntax + ShellCheck
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: bash -n
+        run: bash -n bpp-backup.sh
+
+      - name: ShellCheck
+        uses: ludeeus/action-shellcheck@2.0.0
+        with:
+          scandir: '.'
+          severity: warning
+
+  pre-commit:
+    name: Pre-commit hooks
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+      - uses: pre-commit/action@v3.0.1

.gitignore

@@ -0,0 +1 @@
+backup*tar.gz

.pre-commit-config.yaml

@@ -0,0 +1,17 @@
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v5.0.0
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-yaml
+      - id: check-merge-conflict
+      - id: check-added-large-files
+        args: ['--maxkb=500']
+      - id: detect-private-key
+
+  - repo: https://github.com/shellcheck-py/shellcheck-py
+    rev: v0.10.0.1
+    hooks:
+      - id: shellcheck
+        args: ['-e', 'SC1091,SC2086']

CLAUDE.md

@@ -0,0 +1,33 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## What this repo is
+
+A single-purpose helper for pulling backups of a remote BPP (Bibliografia Publikacji Pracowników) deployment to the local machine. The entire codebase is one shell script: `bpp-backup.sh`. Backup archives produced by the script (`backup-*.tar.gz`) live alongside it.
+
+## How the backup script works
+
+`./bpp-backup.sh <ssh-host>` connects to the given host and:
+
+1. SSHes in and reads `$HOME/bpp-deploy/.env`, extracting `BPP_CONFIGS_DIR` and `COMPOSE_PROJECT_NAME` (falling back to `basename "$BPP_CONFIGS_DIR"` when the latter is unset — this matches the convention documented in the upstream `bpp-deploy/.env.sample`).
+2. Streams a single `tar -czf -` over SSH that packages **two** directories: `$HOME/bpp-deploy` and `$BPP_CONFIGS_DIR`. Two `-C` flags are used so the archive contains `bpp-deploy/...` and `<configs-basename>/...` at the top level (no `/home/<user>/` prefix).
+3. Writes the stream locally to `./backup-<host>-<compose_project>-<YYYYMMDD-HHMMSS>.tar.gz` via a `.partial` file that is `mv`'d into place only on success; an `EXIT` trap cleans up the partial on failure.
+
+The remote host is assumed to follow the upstream layout: `bpp-deploy` checked out at `$HOME/bpp-deploy`, with `.env` defining `BPP_CONFIGS_DIR` pointing at a configs directory **outside** the deploy repo. Reference layout (for understanding the format) lives at `/Users/mpasternak/Programowanie/bpp-deploy/` on this machine.
+
+## Common commands
+
+- Run a backup: `./bpp-backup.sh deploy@host`
+- Syntax check before committing changes: `bash -n bpp-backup.sh`
+- Inspect a produced archive: `tar -tzf backup-<host>-<project>-<timestamp>.tar.gz | head`
+
+## Conventions when editing the script
+
+- Keep `set -euo pipefail` and the `trap 'rm -f "$PARTIAL"' EXIT` (cleared with `trap - EXIT` on success) — together they guarantee no half-written archive masquerades as a real backup.
+- The remote-side logic runs inside heredocs passed to `ssh "$HOST" 'bash -s'`. Watch the heredoc quoting carefully: the env-reading heredoc uses `<<'REMOTE'` (no expansion, everything resolved on the remote), but the tar heredoc uses unquoted `<<REMOTE_TAR` so that `${BPP_CONFIGS_DIR}` is interpolated locally while `\$HOME`, `\$(dirname …)`, etc. are escaped to run remotely.
+- Per the user's global instructions: never silently swallow errors. Any new `if`/`grep`/parse step that can fail must either log+exit or propagate the error.
+
+## License
+
+MIT — see `LICENSE` at the repo root. Copyright © 2026 Michał Pasternak.

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Michał Pasternak
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

bpp-backup.sh

@@ -0,0 +1,102 @@
+#!/usr/bin/env bash
+#
+# bpp-backup.sh — pobiera lokalnie kopię zapasową instancji BPP ze zdalnego hosta.
+#
+# Backup obejmuje:
+#   - $HOME/bpp-deploy na zdalnym hoście
+#   - katalog wskazany przez BPP_CONFIGS_DIR z $HOME/bpp-deploy/.env
+#
+# Wynik: ./backup-<host>-<compose_project>-<YYYYMMDD-HHMMSS>.tar.gz
+#
+# Użycie: ./bpp-backup.sh <host-ssh>
+
+set -euo pipefail
+
+if [ "$#" -lt 1 ] || [ -z "${1:-}" ]; then
+    echo "Użycie: $0 <host-ssh>" >&2
+    echo "Przykład: $0 deploy@bpp.uczelnia.pl" >&2
+    exit 1
+fi
+
+HOST="$1"
+
+echo "==> Odczytuję ~/bpp-deploy/.env z ${HOST}..." >&2
+
+remote_env=$(ssh "$HOST" 'bash -s' <<'REMOTE'
+set -euo pipefail
+ENV_FILE="$HOME/bpp-deploy/.env"
+if [ ! -f "$ENV_FILE" ]; then
+    echo "ERR: brak $ENV_FILE na zdalnym hoscie" >&2
+    exit 1
+fi
+
+get() {
+    grep -E "^$1=" "$ENV_FILE" | tail -n1 | cut -d= -f2- \
+        | sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'$/\1/"
+}
+
+BPP_CONFIGS_DIR=$(get BPP_CONFIGS_DIR)
+COMPOSE_PROJECT_NAME=$(get COMPOSE_PROJECT_NAME)
+
+if [ -z "$BPP_CONFIGS_DIR" ]; then
+    echo "ERR: BPP_CONFIGS_DIR puste w $ENV_FILE" >&2
+    exit 1
+fi
+if [ ! -d "$BPP_CONFIGS_DIR" ]; then
+    echo "ERR: katalog $BPP_CONFIGS_DIR nie istnieje na zdalnym hoscie" >&2
+    exit 1
+fi
+
+if [ -z "$COMPOSE_PROJECT_NAME" ]; then
+    COMPOSE_PROJECT_NAME=$(basename "$BPP_CONFIGS_DIR")
+fi
+
+printf 'BPP_CONFIGS_DIR=%s\n' "$BPP_CONFIGS_DIR"
+printf 'COMPOSE_PROJECT_NAME=%s\n' "$COMPOSE_PROJECT_NAME"
+REMOTE
+)
+
+BPP_CONFIGS_DIR=$(printf '%s\n' "$remote_env" | sed -n 's/^BPP_CONFIGS_DIR=//p')
+COMPOSE_PROJECT_NAME=$(printf '%s\n' "$remote_env" | sed -n 's/^COMPOSE_PROJECT_NAME=//p')
+
+if [ -z "$BPP_CONFIGS_DIR" ] || [ -z "$COMPOSE_PROJECT_NAME" ]; then
+    echo "ERR: nie udało się odczytać zmiennych ze zdalnego .env" >&2
+    exit 1
+fi
+
+echo "    BPP_CONFIGS_DIR=${BPP_CONFIGS_DIR}" >&2
+echo "    COMPOSE_PROJECT_NAME=${COMPOSE_PROJECT_NAME}" >&2
+
+TS=$(date +%Y%m%d-%H%M%S)
+HOST_TAG=$(printf '%s' "$HOST" | tr '@:/' '___')
+OUT="./backup-${HOST_TAG}-${COMPOSE_PROJECT_NAME}-${TS}.tar.gz"
+PARTIAL="${OUT}.partial"
+
+trap 'rm -f "$PARTIAL"' EXIT
+
+echo "==> Pakuję zdalnie i pobieram do ${OUT}..." >&2
+
+# shellcheck disable=SC2087  # heredoc celowo niesquotowane: ${BPP_CONFIGS_DIR}
+# rozwija się lokalnie, a \$HOME / \$CONFIGS_DIR na zdalnym hoście.
+ssh "$HOST" 'bash -s' > "$PARTIAL" <<REMOTE_TAR
+set -euo pipefail
+CONFIGS_DIR="${BPP_CONFIGS_DIR}"
+CONFIGS_PARENT=\$(dirname "\$CONFIGS_DIR")
+CONFIGS_BASE=\$(basename "\$CONFIGS_DIR")
+# Każde -C zmienia katalog roboczy tar-a, więc w archiwum zapisujemy
+# wyłącznie nazwy bazowe (bpp-deploy/, <configs>/) bez prefiksu /home/...
+tar -czf - \\
+    -C "\$HOME" bpp-deploy \\
+    -C "\$CONFIGS_PARENT" "\$CONFIGS_BASE"
+REMOTE_TAR
+
+if [ ! -s "$PARTIAL" ]; then
+    echo "ERR: pusty plik backupu — coś poszło nie tak po stronie SSH/tar" >&2
+    exit 1
+fi
+
+mv "$PARTIAL" "$OUT"
+trap - EXIT
+
+echo "==> Gotowe: ${OUT}" >&2
+du -h "$OUT" >&2