diff options
Diffstat (limited to 'duplicity-backups.sh')
-rwxr-xr-x | duplicity-backups.sh | 142 |
1 files changed, 142 insertions, 0 deletions
diff --git a/duplicity-backups.sh b/duplicity-backups.sh new file mode 100755 index 0000000..90d6f73 --- /dev/null +++ b/duplicity-backups.sh @@ -0,0 +1,142 @@ +#!/bin/bash +# +# This script was created to make Duplicity backups. Full backups are made on +# Sundays. Then incremental backups are made on the other days. +# +# Basic rule: dont backup packaged data, only unpackaged files, and changed config files +# +# Step 1) sudo yum install duplicity gnupg openssh-clients +# Step 2) Create /root/.passphrase with some phrase you will remember. +# Step 3) Edit the BACKUP_URL below. +# Step 4) Copy this file to /etc/cron.daily/ + +# User settings: +# Where to upload the backups +BACKUP_URL="sftp://User@BackupHost.local.lan//home/duplicity/$HOSTNAME/" + +# Extra duplicity options +EXTRA_DUPLICITY="--allow-source-mismatch --extra-clean" + +# Loading the day of the month in a variable. +DOW=$(/bin/date +%u) +TMPDIR=/root/tmp + +# Check to see if we have a SSH key +if [ ! -e /root/.ssh/id_rsa ]; then + /bin/cat - <<EOT +Create an SSH key first. An example method: + /usr/bin/ssh-keygen -t rsa -N '' + /usr/bin/ssh-copy-id -i ~/.ssh/id_rsa.pub user@backup.host.name +EOT + exit 1 +fi + +# Check to see if we have a passphrase +if [ ! -e /root/.passphrase ]; then + /bin/cat - <<EOT +Create /root/.passphrase first. Add any long phrase you can remember easily. + +Always keep your passphrase secret! + +Even if your secret key is accessed by someone else, they will be unable to use +it without your passphrase. Do not choose a passphrase that someone else might +easily guess. Do not use single words (in any language), strings of numbers +such as your telephone number or an official document number, or biographical +data about yourself or your family for a passphrase. The most secure +passphrases are very long and contain a mixture of uppercase and lowercase +letters, numbers, digits, and symbols. Choose a passphrase that you will be +able to remember, however, since writing this passphrase down anywhere makes it +immediately less secure. +EOT + exit 1 +fi + +# Setting the pass phrase to encrypt the backup files. +export PASSPHRASE=$(/bin/cat /root/.passphrase |/usr/bin/sha512sum |/bin/awk '{print$1}') + +# Create gnupg keys if they do not already exist +if [ ! -e /root/.gnupg ]; then + echo "Create a GNUPG keychain first" + /bin/cat -> /root/tmp/gnupg-batch.txt <<EOT + %echo Generating a standard key + Key-Type: RSA + Key-Length: 4096 + Subkey-Type: RSA + Subkey-Length: 4096 + Name-Real: Root of all Evil + Name-Comment: with stupid passphrase + Name-Email: root@$HOSTNAME + Expire-Date: 0 + Passphrase: $PASSPHRASE + # %pubring foo.pub + # %secring foo.sec + # Do a commit here, so that we can later print "done" :-) + %commit + %echo done +EOT + /usr/bin/gpg --gen-key --batch /root/tmp/gnupg-batch.txt + /usr/bin/gpg --export-secret-keys --armor root@$HOSTNAME > /root/.gnupg/root-privkey.asc + /bin/chmod 0400 /root/.gnupg/root-privkey.asc + /usr/bin/gpg --export --armor root@$HOSTNAME > /root/.gnupg/root-pubkey.asc + /bin/rm /root/tmp/gnupg-batch.txt + exit 1 +fi + +# Generate some base OS configs +[ -d "${TMPDIR}" ] || mkdir -p "${TMPDIR}" +/usr/bin/show-installed -f kickstart -o ${TMPDIR}/SHOW-INSTALLED2.txt +/usr/bin/yum repolist > ${TMPDIR}/YUM-REPOLIST.txt +/usr/sbin/semanage -o ${TMPDIR}/SELINUX-CUSTOM-CONFIG.txt + +# Directories to backup +/bin/cat - > ${TMPDIR}/duplicity-backups.txt <<EOT ++ / +- /bin +- /boot +- /dev ++ /etc ++ /home +- /home/lost+found +- /lib +- /lib64 +- /lost+found +- /media +- /mnt ++ /opt +- /proc ++ /root +- /run +- /sbin ++ /srv +- /sys +- /usr ++ /usr/local +- /var ++ /var/lib/libvirt ++ /var/lib/lxc ++ /var/lib/znc ++ /var/www +EOT + +# Full backup on Sunday +if [ $DOW = 7 ]; then + FULL="full" +else + FULL="" +fi + +/usr/bin/duplicity $FULL $EXTRA_DUPLICITY --no-encryption /root/.gnupg $BACKUP_URL/keys +/usr/bin/duplicity $FULL $EXTRA_DUPLICITY --include-filelist ${TMPDIR}/duplicity-backups.txt / $BACKUP_URL + +# Check http://www.nongnu.org/duplicity/duplicity.1.html for all the options +# available for Duplicity. + +# Deleting old backups +/usr/bin/duplicity remove-older-than 1M --force $BACKUP_URL/keys +/usr/bin/duplicity remove-older-than 1M --force $BACKUP_URL + +# Unsetting the confidential variables so they are gone for sure. +unset PASSPHRASE + +exit 0 +#EOF |