Ajout : remote/duplicity .
authorJulien Moutinho <julm+heureux-cyclage@autogeree.net>
Tue, 24 Sep 2013 19:24:58 +0000 (21:24 +0200)
committerJulien Moutinho <julm+heureux-cyclage@autogeree.net>
Tue, 24 Sep 2013 19:28:05 +0000 (21:28 +0200)
README
remote/backup-fetch
remote/duplicity [new file with mode: 0755]
remote/duplicity-key-send
remote/gpg
remote/gpg-preset-passphrase [new file with mode: 0755]
var/pub/openpgp/pubring.gpg
var/pub/openpgp/pubring.gpg~
var/pub/openpgp/trustdb.gpg

diff --git a/README b/README
index efd9e72..2d49c6f 100644 (file)
--- a/README
+++ b/README
@@ -71,3 +71,7 @@ TASK: configurer un membre du groupe php5-fpm
        @local  %  local/runit-configure nginx -- lhc_www
 TASK: configurer un site nginx
        @local % local/runit-configure nginx -- lhc_www
        @local  %  local/runit-configure nginx -- lhc_www
 TASK: configurer un site nginx
        @local % local/runit-configure nginx -- lhc_www
+TASK: instancier une sauvegarde duplicity sur une machine distante
+       @remote % name=mysql/test # NOTE: à adapter
+       @remote % remote/backup-fetch "$name" # NOTE: conserve les fichiers disparus ou modifiés dans var/backup/old/$(date +'%Y%m%d+%H%M%S%z')/
+       @remote % remote/duplicity restore --time "7D" --name "$name" file://var/backup/current/data/"$name" var/backup/current/restore/"$name"
index b8c5ccd..b888830 100755 (executable)
@@ -9,10 +9,10 @@ path=${1-}; test ! "${1+set}" || shift
 date=${date:-$(date +'%Y%m%d+%H%M%S%z')}
 mkdir -p \
  "$tool"/var/backup/current \
 date=${date:-$(date +'%Y%m%d+%H%M%S%z')}
 mkdir -p \
  "$tool"/var/backup/current \
- "$tool"/var/backup/"$date"
+ "$tool"/var/backup/old/"$date"
 rsync \
  --backup \
 rsync \
  --backup \
- --backup-dir ../"$date" \
+ --backup-dir ../old/"$date" \
  --compress-level=0 \
  --delete \
  --delete-during \
  --compress-level=0 \
  --delete \
  --delete-during \
@@ -22,8 +22,11 @@ rsync \
  --partial \
  ${TRACE:+--progress} \
  --recursive \
  --partial \
  ${TRACE:+--progress} \
  --recursive \
+ --relative \
  --rsh "$tool/remote/ssh -o Compression=no" \
  --times \
  "$@" \
  --rsh "$tool/remote/ssh -o Compression=no" \
  --times \
  "$@" \
- backup@"$local_fqdn":data/"$path" \
+ backup@"$local_fqdn":data/"$path" :archive/"$path" \
  "$tool"/var/backup/current
  "$tool"/var/backup/current
+#rmdir --ignore-fail-on-non-empty \
+# "$tool"/var/backup/old/"$date"
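Review bot: The dated `old/$date` directory is created unconditionally by the `mkdir -p` at the top of the script, so a run that changes nothing still leaves an empty `var/backup/old/<date>/` behind, while the `rmdir --ignore-fail-on-non-empty` that would clean it up is left commented out; either enable it or leave a comment saying why empty dated directories are wanted. Separately, `$path` is spliced into the remote source specs `data/"$path"` and `:archive/"$path"`, which the remote shell re-parses, so a value containing whitespace or glob characters is split or expanded on the far side; `$path` comes from the caller rather than an untrusted source, but passing `--protect-args` (rsync 3.0+) or rejecting such values up front would make that explicit. The `mkdir` and the first rsync options belong to the earlier hunk.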
diff --git a/remote/duplicity b/remote/duplicity
new file mode 100755 (executable)
index 0000000..621dc2d
--- /dev/null
@@ -0,0 +1,33 @@
+#!/bin/sh -eu
+# SYNTAX: $duplicity_options
+# DESCRIPTION: encapsuleur de duplicity(1) préchargeant sa clef OpenPGP.
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/remote/lib.sh
+
+uid=backup+"$local_hostname"@"$local_domainname"
+trap_exit () {
+       errno=$?
+       "$tool"/remote/gpg-preset-passphrase --forget "$uid"
+       exit $errno
+ }
+trap trap_exit EXIT
+"$tool"/remote/gpg-preset-passphrase --preset "$uid"
+
+while IFS=: read -r type trust size algo keyid date x x x x x cap x
+ do case $type,$cap in
+       (sub,e) encrypt_key=${keyid#????????};;
+       (sub,s) sign_key=$keyid;;
+ esac done <<-EOF
+       $("$tool"/remote/gpg --list-public-keys --with-colons -- "$uid")
+       EOF
+
+/usr/bin/duplicity \
+ --archive-dir "$tool"/var/backup/current/archive \
+ --gpg-options --homedir="$tool"/var/pub/openpgp \
+ --gpg-options --trusted-key="$sign_key" \
+ --gpg-options --no-permission-warning \
+ --encrypt-key "$encrypt_key" \
+ --sign-key "${sign_key#????????}" \
+ --use-agent \
+ -vw ${TRACE:+--verbosity info} \
+ "$@"
index c576ec9..86290bd 100755 (executable)
@@ -1,19 +1,17 @@
 #!/bin/sh -eu
 #!/bin/sh -eu
+# SYNTAX:
+# DESCRIPTION: envoie sur $local_fqdn la clef OpenPGP utilisée par duplicity(1).
 tool=$(readlink -e "${0%/*}/..")
 . "$tool"/remote/lib.sh
 
 tool=$(readlink -e "${0%/*}/..")
 . "$tool"/remote/lib.sh
 
-PATH=/usr/lib/gnupg2:"$PATH"
+uid=backup+"$local_hostname"@"$local_domainname"
+trap_exit () {
+       "$tool"/remote/gpg-preset-passphrase --forget "$uid"
+ }
+trap trap_exit EXIT
+"$tool"/remote/gpg-preset-passphrase --preset "$uid"
 
 
-IFS= read -r pass <<-EOF
-       $(gpg --decrypt "$tool"/var/sec/openpgp/backup+"$local_hostname"@"$local_domainname".pass.gpg)
-       EOF
-for fpr in $("$tool"/remote/gpg --list-secret-keys --with-colons --with-fingerprint --with-fingerprint \
- -- "backup+$local_hostname@$local_domainname" | grep '^fpr:' | cut -d : -f 10)
- do gpg-preset-passphrase --preset -v $fpr <<-EOF
-       $pass
-       EOF
- done
-
-"$tool"/remote/gpg --export-options export-reset-subkey-passwd \
- --export-secret-subkeys "backup+$local_hostname@$local_domainname" |
-"$tool"/remote/ssh backup@$local_fqdn gpg --import -
+"$tool"/remote/gpg \
+ --export-options export-reset-subkey-passwd \
+ --export-secret-subkeys "$uid" |
+"$tool"/remote/ssh backup@"$local_fqdn" gpg --import -
index 0c5e0a7..c0b67d3 100755 (executable)
@@ -1,4 +1,6 @@
 #!/bin/sh -eu
 #!/bin/sh -eu
+# SYNTAX: $gpg_options
+# DESCRIPTION: encapsuleur de gpg(1) utilisant une configuration propre.
 tool=$(readlink -e "${0%/*}/..")
 . "$tool"/remote/lib.sh
 
 tool=$(readlink -e "${0%/*}/..")
 . "$tool"/remote/lib.sh
 
diff --git a/remote/gpg-preset-passphrase b/remote/gpg-preset-passphrase
new file mode 100755 (executable)
index 0000000..36e9fd1
--- /dev/null
@@ -0,0 +1,34 @@
+#!/bin/sh -eu
+# SYNTAX: [--forget|--preset] $uid_email [...]
+# DESCRIPTION: encapsuleur de gpg-preset-passphrase(1) facilitant son usage.
+# XXX: il faut que gpg-agent(1) soit configuré avec allow-preset-passphrase.
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/remote/lib.sh
+
+if ! grep -Fqx allow-preset-passphrase $HOME/.gnupg/gpg-agent.conf &&
+ ! pgrep -fx >/dev/null '.*gpg-agent .*--allow-preset-passphrase.*'
+ then
+       cat >&2 <<-EOF
+               ${tput_rev-}WARNING${tput_sgr0-}: you MUST configure gpg-agent(1) with allow-preset-passphrase.
+               EOF
+       #exit 1
+ fi
+
+command=$1; shift
+PATH=/usr/lib/gnupg2:"$PATH"
+for uid in "$@"
+ do
+       pass_file="$tool"/var/sec/openpgp/"$uid".pass.gpg
+       test -e "$pass_file"
+       
+       IFS= read -r pass <<-EOF
+               $(gpg --decrypt "$pass_file")
+               EOF
+       for fpr in $("$tool"/remote/gpg --list-secret-keys \
+        --with-colons --with-fingerprint --with-fingerprint \
+        -- "$@" | grep '^fpr:' | cut -d : -f 10)
+        do gpg-preset-passphrase $command ${TRACE:+--verbose} $fpr <<-EOF
+               $pass
+               EOF
+        done
+ done
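Review bot: The inner key listing at `"$tool"/remote/gpg --list-secret-keys ... -- "$@"` passes every uid given on the command line instead of the one being processed, so with two or more uids each passphrase is preset (or forgotten) against the fingerprints of all of them and the wrong passphrase ends up cached for the other keys; it should read `-- "$uid"`. `$command` is forwarded to gpg-preset-passphrase unvalidated, so a typo or a missing first argument surfaces only as a gpg-preset-passphrase usage error or a bare `set -u` abort; a `case $command in (--forget|--preset) ;; (*) printf 'usage: %s [--forget|--preset] uid...\n' "${0##*/}" >&2; exit 2;; esac` after the `shift` would enforce the SYNTAX line. The `grep -Fqx ... $HOME/.gnupg/gpg-agent.conf` check is unquoted and prints an error when the file is absent, and because `remote/gpg` runs with its own `--homedir` the agent that matters may not read `$HOME/.gnupg` at all — worth confirming and, if so, checking the same homedir. `gpg --decrypt "$pass_file"` is the bare `gpg` rather than the project wrapper, which looks deliberate (the operator's own keyring) but deserves a comment saying so.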
index 1183b3a..c39d97d 100644 (file)
Binary files a/var/pub/openpgp/pubring.gpg and b/var/pub/openpgp/pubring.gpg differ
index 1183b3a..c39d97d 100644 (file)
Binary files a/var/pub/openpgp/pubring.gpg~ and b/var/pub/openpgp/pubring.gpg~ differ
index a7cb818..06d643f 100644 (file)
Binary files a/var/pub/openpgp/trustdb.gpg and b/var/pub/openpgp/trustdb.gpg differ