@local % local/runit-configure nginx -- lhc_www
TASK: configurer un site nginx
@local % local/runit-configure nginx -- lhc_www
+TASK: instancier une sauvegarde duplicity sur une machine distante
+ @remote % name=mysql/test # NOTE: à adapter
+ @remote % remote/backup-fetch "$name" # NOTE: conserve les fichiers disparus ou modifiés dans var/backup/old/$(date +'%Y%m%d+%H%M%S%z')/
+ @remote % remote/duplicity restore --time "7D" --name "$name" file://var/backup/current/data/"$name" var/backup/current/restore/"$name"
date=${date:-$(date +'%Y%m%d+%H%M%S%z')}
mkdir -p \
"$tool"/var/backup/current \
- "$tool"/var/backup/"$date"
+ "$tool"/var/backup/old/"$date"
rsync \
--backup \
- --backup-dir ../"$date" \
+ --backup-dir ../old/"$date" \
--compress-level=0 \
--delete \
--delete-during \
--partial \
${TRACE:+--progress} \
--recursive \
+ --relative \
--rsh "$tool/remote/ssh -o Compression=no" \
--times \
"$@" \
- backup@"$local_fqdn":data/"$path" \
+ backup@"$local_fqdn":data/"$path" :archive/"$path" \
"$tool"/var/backup/current
+#rmdir --ignore-fail-on-non-empty \
+# "$tool"/var/backup/old/"$date"
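Review bot: The dated directory `var/backup/old/$date` is created unconditionally by the `mkdir -p` at the top of the hunk, so a fetch in which rsync has nothing to move aside still leaves an empty dated directory behind, and these accumulate on every run. The `rmdir --ignore-fail-on-non-empty` that would remove it is present at the end of the hunk but commented out; either re-enable it after the rsync call or drop `"$tool"/var/backup/old/"$date"` from the mkdir and let rsync create the `--backup-dir` on demand (to be confirmed for the rsync version in use). Note also that `--backup-dir ../old/"$date"` is resolved relative to the destination, so it only lands under `var/backup/old` while the destination remains `var/backup/current`; a one-line comment stating that coupling next to the mkdir would spare the next maintainer a surprise.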
--- /dev/null
+#!/bin/sh -eu
+# SYNTAX: $duplicity_options
+# DESCRIPTION: encapsuleur de duplicity(1) préchargeant sa clef OpenPGP.
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/remote/lib.sh
+
+uid=backup+"$local_hostname"@"$local_domainname"
+trap_exit () {
+ errno=$?
+ "$tool"/remote/gpg-preset-passphrase --forget "$uid"
+ exit $errno
+ }
+trap trap_exit EXIT
+"$tool"/remote/gpg-preset-passphrase --preset "$uid"
+
+while IFS=: read -r type trust size algo keyid date x x x x x cap x
+ do case $type,$cap in
+ (sub,e) encrypt_key=${keyid#????????};;
+ (sub,s) sign_key=$keyid;;
+ esac done <<-EOF
+ $("$tool"/remote/gpg --list-public-keys --with-colons -- "$uid")
+ EOF
+
+/usr/bin/duplicity \
+ --archive-dir "$tool"/var/backup/current/archive \
+ --gpg-options --homedir="$tool"/var/pub/openpgp \
+ --gpg-options --trusted-key="$sign_key" \
+ --gpg-options --no-permission-warning \
+ --encrypt-key "$encrypt_key" \
+ --sign-key "${sign_key#????????}" \
+ --use-agent \
+ -vw ${TRACE:+--verbosity info} \
+ "$@"
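Review bot: The `(sub,e)` and `(sub,s)` arms of the `case $type,$cap` in the key-listing loop only match a subkey whose capability field is exactly `e` or `s`; a subkey carrying combined capabilities (for instance `es`) matches neither arm, `encrypt_key`/`sign_key` stay unset, and the script dies at `--trusted-key` with sh's terse unset-variable error. Matching with patterns, `(sub,*e*) encrypt_key=${keyid#????????};;` and `(sub,*s*) sign_key=$keyid;;`, and asserting the result before use, `: "${encrypt_key:?no encryption subkey for $uid}" "${sign_key:?no signing subkey for $uid}"`, makes the failure explicit. Separately, `${keyid#????????}` truncates the 16-hex key ID to an 8-hex short ID for `--encrypt-key` and `--sign-key` while `--trusted-key` receives the full ID; short IDs are collision-prone, so passing `$keyid` unchanged (if the installed duplicity accepts long IDs) would be both safer and consistent.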
#!/bin/sh -eu
+# SYNTAX:
+# DESCRIPTION: envoie sur $local_fqdn la clef OpenPGP utilisée par duplicity(1).
tool=$(readlink -e "${0%/*}/..")
. "$tool"/remote/lib.sh
-PATH=/usr/lib/gnupg2:"$PATH"
+uid=backup+"$local_hostname"@"$local_domainname"
+trap_exit () {
+ "$tool"/remote/gpg-preset-passphrase --forget "$uid"
+ }
+trap trap_exit EXIT
+"$tool"/remote/gpg-preset-passphrase --preset "$uid"
-IFS= read -r pass <<-EOF
- $(gpg --decrypt "$tool"/var/sec/openpgp/backup+"$local_hostname"@"$local_domainname".pass.gpg)
- EOF
-for fpr in $("$tool"/remote/gpg --list-secret-keys --with-colons --with-fingerprint --with-fingerprint \
- -- "backup+$local_hostname@$local_domainname" | grep '^fpr:' | cut -d : -f 10)
- do gpg-preset-passphrase --preset -v $fpr <<-EOF
- $pass
- EOF
- done
-
-"$tool"/remote/gpg --export-options export-reset-subkey-passwd \
- --export-secret-subkeys "backup+$local_hostname@$local_domainname" |
-"$tool"/remote/ssh backup@$local_fqdn gpg --import -
+"$tool"/remote/gpg \
+ --export-options export-reset-subkey-passwd \
+ --export-secret-subkeys "$uid" |
+"$tool"/remote/ssh backup@"$local_fqdn" gpg --import -
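Review bot: The export pipeline at the end of the hunk only reports the status of the `ssh … gpg --import -` stage, because `sh -eu` has no `pipefail`; if `--export-secret-subkeys` fails (for example because the preset passphrase was rejected) the remote import reads an empty stream and the script still exits 0, so the key never reaches the remote host and nobody notices. Exporting in ASCII armour into a variable and checking that step on its own avoids this: `armored=$("$tool"/remote/gpg --armor --export-options export-reset-subkey-passwd --export-secret-subkeys "$uid")` followed by `printf '%s\n' "$armored" | "$tool"/remote/ssh backup@"$local_fqdn" gpg --import -`; the secret material then lives only in shell memory rather than in a temporary file. Separately, this `trap_exit` does not save and re-raise `$?` the way the duplicity wrapper's `trap_exit` in the same commit does; whether a failing `--forget` inside the trap can mask the script's exit status depends on the sh in use, so mirroring the `errno=$?` … `exit $errno` pattern removes the doubt.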
#!/bin/sh -eu
+# SYNTAX: $gpg_options
+# DESCRIPTION: encapsuleur de gpg(1) utilisant une configuration propre.
tool=$(readlink -e "${0%/*}/..")
. "$tool"/remote/lib.sh
--- /dev/null
+#!/bin/sh -eu
+# SYNTAX: [--forget|--preset] $uid_email [...]
+# DESCRIPTION: encapsuleur de gpg-preset-passphrase(1) facilitant son usage.
+# XXX: il faut que gpg-agent(1) soit configuré avec allow-preset-passphrase.
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/remote/lib.sh
+
+if ! grep -Fqx allow-preset-passphrase $HOME/.gnupg/gpg-agent.conf &&
+ ! pgrep -fx >/dev/null '.*gpg-agent .*--allow-preset-passphrase.*'
+ then
+ cat >&2 <<-EOF
+ ${tput_rev-}WARNING${tput_sgr0-}: you MUST configure gpg-agent(1) with allow-preset-passphrase.
+ EOF
+ #exit 1
+ fi
+
+command=$1; shift
+PATH=/usr/lib/gnupg2:"$PATH"
+for uid in "$@"
+ do
+ pass_file="$tool"/var/sec/openpgp/"$uid".pass.gpg
+ test -e "$pass_file"
+
+ IFS= read -r pass <<-EOF
+ $(gpg --decrypt "$pass_file")
+ EOF
+ for fpr in $("$tool"/remote/gpg --list-secret-keys \
+ --with-colons --with-fingerprint --with-fingerprint \
+ -- "$@" | grep '^fpr:' | cut -d : -f 10)
+ do gpg-preset-passphrase $command ${TRACE:+--verbose} $fpr <<-EOF
+ $pass
+ EOF
+ done
+ done
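Review bot: The inner key listing at `--list-secret-keys … -- "$@"` enumerates the fingerprints of every uid given on the command line rather than the `$uid` the outer loop is currently handling, so with more than one uid each passphrase is preset (or forgotten) against all keys, overwriting the previous iteration and caching the wrong passphrase for the other uids' keys; it should read `-- "$uid"`, and `$command` and `$fpr` on the gpg-preset-passphrase line should be quoted as well. The `test -e "$pass_file"` guard relies on `sh -e` to abort and so fails without any message; `test -e "$pass_file" || { printf '%s: missing %s\n' "${0##*/}" "$pass_file" >&2; exit 1; }` tells the operator what is wrong. Finally, gpg-preset-passphrase takes a cache-id that recent GnuPG derives from the keygrip rather than the key fingerprint; if the agent in use is 2.1 or later, listing with `--with-keygrip` and selecting `grp:` records instead of `fpr:` is worth confirming, since the code this replaces made the same assumption.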