diff options
1 files changed, 142 insertions, 0 deletions
diff --git a/ b/
new file mode 100755
index 0000000..90d6f73
--- /dev/null
+++ b/
@@ -0,0 +1,142 @@
+# This script was created to make Duplicity backups. Full backups are made on
+# Sundays. Then incremental backups are made on the other days.
+# Basic rule: dont backup packaged data, only unpackaged files, and changed config files
+# Step 1) sudo yum install duplicity gnupg openssh-clients
+# Step 2) Create /root/.passphrase with some phrase you will remember.
+# Step 3) Edit the BACKUP_URL below.
+# Step 4) Copy this file to /etc/cron.daily/
+# User settings:
+# Where to upload the backups
+# Extra duplicity options
+EXTRA_DUPLICITY="--allow-source-mismatch --extra-clean"
+# Loading the day of the month in a variable.
+DOW=$(/bin/date +%u)
+# Check to see if we have a SSH key
+if [ ! -e /root/.ssh/id_rsa ]; then
+ /bin/cat - <<EOT
+Create an SSH key first. An example method:
+ /usr/bin/ssh-keygen -t rsa -N ''
+ /usr/bin/ssh-copy-id -i ~/.ssh/
+ exit 1
+# Check to see if we have a passphrase
+if [ ! -e /root/.passphrase ]; then
+ /bin/cat - <<EOT
+Create /root/.passphrase first. Add any long phrase you can remember easily.
+Always keep your passphrase secret!
+Even if your secret key is accessed by someone else, they will be unable to use
+it without your passphrase. Do not choose a passphrase that someone else might
+easily guess. Do not use single words (in any language), strings of numbers
+such as your telephone number or an official document number, or biographical
+data about yourself or your family for a passphrase. The most secure
+passphrases are very long and contain a mixture of uppercase and lowercase
+letters, numbers, digits, and symbols. Choose a passphrase that you will be
+able to remember, however, since writing this passphrase down anywhere makes it
+immediately less secure.
+ exit 1
+# Setting the pass phrase to encrypt the backup files.
+export PASSPHRASE=$(/bin/cat /root/.passphrase |/usr/bin/sha512sum |/bin/awk '{print$1}')
+# Create gnupg keys if they do not already exist
+if [ ! -e /root/.gnupg ]; then
+ echo "Create a GNUPG keychain first"
+ /bin/cat -> /root/tmp/gnupg-batch.txt <<EOT
+ %echo Generating a standard key
+ Key-Type: RSA
+ Key-Length: 4096
+ Subkey-Type: RSA
+ Subkey-Length: 4096
+ Name-Real: Root of all Evil
+ Name-Comment: with stupid passphrase
+ Name-Email: root@$HOSTNAME
+ Expire-Date: 0
+ Passphrase: $PASSPHRASE
+ # %pubring
+ # %secring foo.sec
+ # Do a commit here, so that we can later print "done" :-)
+ %commit
+ %echo done
+ /usr/bin/gpg --gen-key --batch /root/tmp/gnupg-batch.txt
+ /usr/bin/gpg --export-secret-keys --armor root@$HOSTNAME > /root/.gnupg/root-privkey.asc
+ /bin/chmod 0400 /root/.gnupg/root-privkey.asc
+ /usr/bin/gpg --export --armor root@$HOSTNAME > /root/.gnupg/root-pubkey.asc
+ /bin/rm /root/tmp/gnupg-batch.txt
+ exit 1
+# Generate some base OS configs
+[ -d "${TMPDIR}" ] || mkdir -p "${TMPDIR}"
+/usr/bin/show-installed -f kickstart -o ${TMPDIR}/SHOW-INSTALLED2.txt
+/usr/bin/yum repolist > ${TMPDIR}/YUM-REPOLIST.txt
+/usr/sbin/semanage -o ${TMPDIR}/SELINUX-CUSTOM-CONFIG.txt
+# Directories to backup
+/bin/cat - > ${TMPDIR}/duplicity-backups.txt <<EOT
++ /
+- /bin
+- /boot
+- /dev
++ /etc
++ /home
+- /home/lost+found
+- /lib
+- /lib64
+- /lost+found
+- /media
+- /mnt
++ /opt
+- /proc
++ /root
+- /run
+- /sbin
++ /srv
+- /sys
+- /usr
++ /usr/local
+- /var
++ /var/lib/libvirt
++ /var/lib/lxc
++ /var/lib/znc
++ /var/www
+# Full backup on Sunday
+if [ $DOW = 7 ]; then
+ FULL="full"
+ FULL=""
+/usr/bin/duplicity $FULL $EXTRA_DUPLICITY --no-encryption /root/.gnupg $BACKUP_URL/keys
+/usr/bin/duplicity $FULL $EXTRA_DUPLICITY --include-filelist ${TMPDIR}/duplicity-backups.txt / $BACKUP_URL
+# Check for all the options
+# available for Duplicity.
+# Deleting old backups
+/usr/bin/duplicity remove-older-than 1M --force $BACKUP_URL/keys
+/usr/bin/duplicity remove-older-than 1M --force $BACKUP_URL
+# Unsetting the confidential variables so they are gone for sure.
+exit 0