From: Julien Moutinho Date: Tue, 24 Sep 2013 19:24:58 +0000 (+0200) Subject: Ajout : remote/duplicity . X-Git-Url: https://git.cyclocoop.org/?p=lhc%2Fateliers.git;a=commitdiff_plain;h=7ec5ddab73855d65555a21873ccf8d2653a22ee6 Ajout : remote/duplicity . --- diff --git a/README b/README index efd9e72..2d49c6f 100644 --- a/README +++ b/README @@ -71,3 +71,7 @@ TASK: configurer un membre du groupe php5-fpm @local % local/runit-configure nginx -- lhc_www TASK: configurer un site nginx @local % local/runit-configure nginx -- lhc_www +TASK: instancier une sauvegarde duplicity sur une machine distante + @remote % name=mysql/test # NOTE: à adapter + @remote % remote/backup-fetch "$name" # NOTE: conserve les fichiers disparus ou modifiés dans var/backup/old/$(date +'%Y%m%d+%H%M%S%z')/ + @remote % remote/duplicity restore --time "7D" --name "$name" file://var/backup/current/data/"$name" var/backup/current/restore/"$name" diff --git a/remote/backup-fetch b/remote/backup-fetch index b8c5ccd..b888830 100755 --- a/remote/backup-fetch +++ b/remote/backup-fetch @@ -9,10 +9,10 @@ path=${1-}; test ! "${1+set}" || shift date=${date:-$(date +'%Y%m%d+%H%M%S%z')} mkdir -p \ "$tool"/var/backup/current \ - "$tool"/var/backup/"$date" + "$tool"/var/backup/old/"$date" rsync \ --backup \ - --backup-dir ../"$date" \ + --backup-dir ../old/"$date" \ --compress-level=0 \ --delete \ --delete-during \ @@ -22,8 +22,11 @@ rsync \ --partial \ ${TRACE:+--progress} \ --recursive \ + --relative \ --rsh "$tool/remote/ssh -o Compression=no" \ --times \ "$@" \ - backup@"$local_fqdn":data/"$path" \ + backup@"$local_fqdn":data/"$path" :archive/"$path" \ "$tool"/var/backup/current +#rmdir --ignore-fail-on-non-empty \ +# "$tool"/var/backup/old/"$date" diff --git a/remote/duplicity b/remote/duplicity new file mode 100755 index 0000000..621dc2d --- /dev/null +++ b/remote/duplicity 
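Review bot: The two `#rmdir --ignore-fail-on-non-empty` lines closing the second remote/backup-fetch hunk are dead code, while the `mkdir -p` in the first hunk still creates `"$tool"/var/backup/old/"$date"` on every run, so a fetch that changes nothing leaves an empty timestamped directory behind and `old/` slowly fills with them. Either enable the cleanup by removing the `#` from both lines, or drop the dated directory from the `mkdir -p` and let `--backup-dir ../old/"$date"` be created on demand (rsync is expected to create missing backup-dir components, but verify that against the installed version before relying on it). The rsync invocation itself begins in the first hunk and ends in the second, so both hunks have to be read together for this.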
@@ -0,0 +1,33 @@
+#!/bin/sh -eu
+# SYNTAX: $duplicity_options
+# DESCRIPTION: encapsuleur de duplicity(1) préchargeant sa clef OpenPGP.
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/remote/lib.sh
+
+uid=backup+"$local_hostname"@"$local_domainname"
+trap_exit () {
+ errno=$?
+ "$tool"/remote/gpg-preset-passphrase --forget "$uid"
+ exit $errno
+ }
+trap trap_exit EXIT
+"$tool"/remote/gpg-preset-passphrase --preset "$uid"
+
+while IFS=: read -r type trust size algo keyid date x x x x x cap x
+ do case $type,$cap in
+ (sub,e) encrypt_key=${keyid#????????};;
+ (sub,s) sign_key=$keyid;;
+ esac done <<-EOF
+ $("$tool"/remote/gpg --list-public-keys --with-colons -- "$uid")
+ EOF
+
+/usr/bin/duplicity \
+ --archive-dir "$tool"/var/backup/current/archive \
+ --gpg-options --homedir="$tool"/var/pub/openpgp \
+ --gpg-options --trusted-key="$sign_key" \
+ --gpg-options --no-permission-warning \
+ --encrypt-key "$encrypt_key" \
+ --sign-key "${sign_key#????????}" \
+ --use-agent \
+ -vw ${TRACE:+--verbosity info} \
+ "$@"
diff --git a/remote/duplicity-key-send b/remote/duplicity-key-send
index c576ec9..86290bd 100755
--- a/remote/duplicity-key-send
+++ b/remote/duplicity-key-send
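Review bot: The subkey selection loop in the new remote/duplicity reads the validity field into `trust` but never looks at it, so a revoked, expired or disabled subkey becomes `encrypt_key` or `sign_key` whenever it is the last matching `sub` line gpg prints; switching to `case $type,$trust,$cap in` and adding a first arm `(sub,[der],*) ;;` skips those before the `e`/`s` arms. Because the listing is a command substitution inside the `<<-EOF` here-document, a failing `gpg --list-public-keys` is not caught by `set -e` and the script only dies later on the unset `$sign_key` with a message that does not name the cause; a guard such as `: "${sign_key:?no signing subkey for $uid}"` placed after the loop would fail early and clearly. `--encrypt-key` and `--sign-key` are passed the 32-bit short id (`${keyid#????????}`) while `--trusted-key` gets the full `$keyid`; inside the project-private homedir set via `--gpg-options --homedir=` a collision is unlikely, but if the installed duplicity accepts long ids, passing the full `$keyid` to all three removes the ambiguity.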
@@ -1,19 +1,17 @@ #!/bin/sh -eu +# SYNTAX: +# DESCRIPTION: envoie sur $local_fqdn la clef OpenPGP utilisée par duplicity(1). tool=$(readlink -e "${0%/*}/..") . "$tool"/remote/lib.sh -PATH=/usr/lib/gnupg2:"$PATH" +uid=backup+"$local_hostname"@"$local_domainname" +trap_exit () { + "$tool"/remote/gpg-preset-passphrase --forget "$uid" + } +trap trap_exit EXIT +"$tool"/remote/gpg-preset-passphrase --preset "$uid" -IFS= read -r pass <<-EOF - $(gpg --decrypt "$tool"/var/sec/openpgp/backup+"$local_hostname"@"$local_domainname".pass.gpg) - EOF -for fpr in $("$tool"/remote/gpg --list-secret-keys --with-colons --with-fingerprint --with-fingerprint \ - -- "backup+$local_hostname@$local_domainname" | grep '^fpr:' | cut -d : -f 10) - do gpg-preset-passphrase --preset -v $fpr <<-EOF - $pass - EOF - done - -"$tool"/remote/gpg --export-options export-reset-subkey-passwd \ - --export-secret-subkeys "backup+$local_hostname@$local_domainname" | -"$tool"/remote/ssh backup@$local_fqdn gpg --import - +"$tool"/remote/gpg \ + --export-options export-reset-subkey-passwd \ + --export-secret-subkeys "$uid" | +"$tool"/remote/ssh backup@"$local_fqdn" gpg --import - diff --git a/remote/gpg b/remote/gpg index 0c5e0a7..c0b67d3 100755 --- a/remote/gpg +++ b/remote/gpg @@ -1,4 +1,6 @@ #!/bin/sh -eu +# SYNTAX: $gpg_options +# DESCRIPTION: encapsuleur de gpg(1) utilisant une configuration propre. tool=$(readlink -e "${0%/*}/..") . "$tool"/remote/lib.sh diff --git a/remote/gpg-preset-passphrase b/remote/gpg-preset-passphrase new file mode 100755 index 0000000..36e9fd1 --- /dev/null +++ b/remote/gpg-preset-passphrase 
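Review bot: `trap_exit` in remote/duplicity-key-send is a reduced copy of the one added to remote/duplicity in this same commit: it neither saves `$?` nor ends with `exit $errno`, so when `--forget` fails inside the trap the status the script ends with depends on the shell's EXIT-trap rules instead of being explicit. Keeping the two functions identical (`errno=$?` first, `exit $errno` last) gives both wrappers the same, stated cleanup behaviour. The export pipeline at the end runs without `pipefail` (not available in every `/bin/sh`), so a failed `--export-secret-subkeys "$uid"` is only surfaced if the remote `gpg --import` happens to reject the empty input; a preceding `"$tool"/remote/gpg --list-secret-keys -- "$uid" >/dev/null` would fail early with an obvious cause before anything is sent.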
@@ -0,0 +1,34 @@
+#!/bin/sh -eu
+# SYNTAX: [--forget|--preset] $uid_email [...]
+# DESCRIPTION: encapsuleur de gpg-preset-passphrase(1) facilitant son usage.
+# XXX: il faut que gpg-agent(1) soit configuré avec allow-preset-passphrase.
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/remote/lib.sh
+
+if ! grep -Fqx allow-preset-passphrase $HOME/.gnupg/gpg-agent.conf &&
+ ! pgrep -fx >/dev/null '.*gpg-agent .*--allow-preset-passphrase.*'
+ then
+ cat >&2 <<-EOF
+ ${tput_rev-}WARNING${tput_sgr0-}: you MUST configure gpg-agent(1) with allow-preset-passphrase.
+ EOF
+ #exit 1
+ fi
+
+command=$1; shift
+PATH=/usr/lib/gnupg2:"$PATH"
+for uid in "$@"
+ do
+ pass_file="$tool"/var/sec/openpgp/"$uid".pass.gpg
+ test -e "$pass_file"
+
+ IFS= read -r pass <<-EOF
+ $(gpg --decrypt "$pass_file")
+ EOF
+ for fpr in $("$tool"/remote/gpg --list-secret-keys \
+ --with-colons --with-fingerprint --with-fingerprint \
+ -- "$@" | grep '^fpr:' | cut -d : -f 10)
+ do gpg-preset-passphrase $command ${TRACE:+--verbose} $fpr <<-EOF
+ $pass
+ EOF
+ done
+ done
diff --git a/var/pub/openpgp/pubring.gpg b/var/pub/openpgp/pubring.gpg
index 1183b3a..c39d97d 100644
Binary files a/var/pub/openpgp/pubring.gpg and b/var/pub/openpgp/pubring.gpg differ
diff --git a/var/pub/openpgp/pubring.gpg~ b/var/pub/openpgp/pubring.gpg~
index 1183b3a..c39d97d 100644
Binary files a/var/pub/openpgp/pubring.gpg~ and b/var/pub/openpgp/pubring.gpg~ differ
diff --git a/var/pub/openpgp/trustdb.gpg b/var/pub/openpgp/trustdb.gpg
index a7cb818..06d643f 100644
Binary files a/var/pub/openpgp/trustdb.gpg and b/var/pub/openpgp/trustdb.gpg differ
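Review bot: Inside `for uid in "$@"` in the new remote/gpg-preset-passphrase, the fingerprint lookup passes `-- "$@"` instead of `-- "$uid"` to `--list-secret-keys`, so every iteration presets (or forgets) the passphrase decrypted from `$uid`'s pass file for the keys of all uids on the command line, and with several uids the last one's passphrase overwrites the cache entry of the others. The fix is the one word: `-- "$uid" | grep '^fpr:' | cut -d : -f 10)`. `$command` is neither quoted nor checked against the `--forget|--preset` forms the SYNTAX line documents, so any other first argument is forwarded verbatim to gpg-preset-passphrase; a `case "$command" in (--forget|--preset) ;; (*) exit 2 ;; esac` before `shift` rejects it, and `"$fpr"` should be quoted as well. The passphrase is handed over through a here-document; some `sh` implementations spool here-documents to a temporary file, so feeding it through a pipe instead (`printf '%s\n' "$pass" | gpg-preset-passphrase "$command" ...`, `printf` being a builtin in dash and bash) keeps the plaintext out of the filesystem and out of process arguments.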