tenseleyflow/shithub / 9eff67e

 # both buckets using its on-disk config (which references the just-

 # updated scoped key). A failure here means either the key cache

 # hasn't propagated (wait 30s, re-run) or the scoped key isn't the

 echo "verifying droplet → both WAL buckets..." >&2

 ssh -o BatchMode=yes "root@$DEPLOY_HOST" "

         set -e

         echo wal-write-probe-\$(date -u +%Y%m%dT%H%M%SZ) \

                         --s3-no-check-bucket \

                         rcat spaces-prod:$WAL_BUCKET/.write-probe

         echo wal-write-probe-\$(date -u +%Y%m%dT%H%M%SZ) \

                         --s3-no-check-bucket \

                         rcat spaces-dr:$WAL_DR_BUCKET/.write-probe

                 delete spaces-prod:$WAL_BUCKET/.write-probe spaces-dr:$WAL_DR_BUCKET/.write-probe

         echo OK

 "

 Verify within ~60s:

   ssh root@$DEPLOY_HOST 'sudo -u postgres psql -xc "SELECT * FROM pg_stat_archiver"'

 ==============================================================

 DONE

 fi

 echo "syncing to $BUCKET..."

        sync --transfers 8 --checkers 16 \

        build/docs "$BUCKET"

 # --s3-no-check-bucket: scoped Spaces keys lack GetBucketLocation; the

 # actual PUT works fine on a key with bucket-level readwrite. Matches

 # the same flag in backup-daily.sh + sync-cross-region.sh.

        --s3-no-check-bucket \

        --quiet \

        copyto "$SRC" "$BUCKET/$(date +%Y/%m/%d)/$NAME"

 # --s3-no-check-bucket: skip the GetBucketLocation pre-check that

 # requires a permission our scoped-RW Spaces key doesn't grant.

 # The actual PUT works fine on a key with bucket-level readwrite.

        copyto "$LOCAL_DIR/$NAME" "$BUCKET/daily/$(date -u +%Y/%m/%d)/$NAME"

 # Local retention: keep the last 7 dumps; bucket lifecycle handles

 # 1. Resolve dump path. --s3-no-check-bucket: scoped Spaces keys lack

 # GetBucketLocation; the actual GET works fine.

 if [[ -z "$DUMP" ]]; then

                    lsf "$BUCKET/daily/" --recursive --files-only \

                 | sort | tail -n 1)"

   if [[ -z "$LATEST" ]]; then

   fi

   DUMP="$WORK/$(basename "$LATEST")"

   say "fetching $LATEST"

          copyto "$BUCKET/daily/$LATEST" "$DUMP"

 fi

 chown postgres:postgres "$DUMP"

 {

   echo "[$(ts)] sync start"

          copy --transfers 8 --checkers 16 --fast-list \

          "$PRIMARY" "$DR"

          copy --transfers 8 --checkers 16 --fast-list \

          "$WAL_PRIMARY" "$WAL_DR"

    Edit) to grant `readwrite` on `shithub-wal`. The `dr` key needs

    `readwrite` on `shithub-wal-dr` so `sync-cross-region.sh` can push.

 3. **Confirm the rclone config on the app droplet** has both keys

    `spaces-dr` remotes).

 4. **Re-run ansible** (or drop the conf.d file by hand at

    `/etc/postgresql/16/main/conf.d/99_shithub_archive.conf`), then

    # last_archived_wal: 000000010000000000000003 (or similar)

    # last_archived_time: <recent timestamp>

    # failed_count: 0

           lsf spaces-prod:shithub-wal/ --recursive | head

    ```

 6. **If `failed_count > 0`** before any successful archive:

 ```sh

 ssh db

      lsf spaces-prod:shithub-backups/daily/$(date -u +%Y/%m/%d)/

 ```

 1. **Backups.** The first daily logical backup should have run.

    ```sh

    ssh db

         lsf spaces-prod:shithub-backups/daily/$(date -u +%Y/%m/%d)/

    ```

    Should list one `.dump` file. If empty, see

 ```sh

 ssh db

      lsf spaces-prod:shithub-backups/daily/$(date -u +%Y/%m/%d)/

 ```

 Confirm by hand:

 ```sh

      lsd spaces-prod:

 ```