jim
/
borg-setup
0
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
My backup scripts and tools
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
9 Commits
1 Branch
94 MiB
 
 
 
Tree: 0039ca1ee0
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '0039ca1ee0'
${ noResults }
borg-setup/initial-setup.sh

331 lines
8.6 KiB
Raw Blame History 

  1. #!/bin/bash

  2. 

  3. # These can be overridden when running this script

  4. BACKUP_HOST=${BACKUP_HOST:-backup.jim.sh}

  5. BACKUP_USER=${BACKUP_USER:-jim-backups}

  6. BACKUP_REPO=${BACKUP_REPO:-borg/$(hostname)}

  7. 

  8. # Borg binary and hash

  9. BORG_URL="https://github.com/borgbackup/borg/releases/download/1.2.0b3/borg-linux64"

  10. BORG_SHA256=8dd6c2769d9bf3ca7a65ebf6781302029fc3b15105aff63d33195c007f897360

  11. 

  12. # Main dir is where this repo was checked out

  13. BORG_DIR="$(realpath "$(dirname "$0")")"

  14. 

  15. # This is named with uppercase so that it doesn't tab-complete for

  16. # "./b<tab>", which should give us "./borg.sh"

  17. BORG_BIN="${BORG_DIR}/Borg.bin"

  18. 

  19. # Use stable host ID in case MAC address changes

  20. HOSTID="$(hostname -f)@$(python -c 'import uuid;print(uuid.getnode())')"

  21. 

  22. function error_handler() {

  23.     echo "Error at $1 line $2:"

  24.     echo -n '>>> ' ; tail -n +"$2" < "$1" | head -1

  25.     echo "... exited with code $3"

  26.     exit "$3"

  27. }

  28. trap 'error_handler ${BASH_SOURCE} ${LINENO} $?' ERR

  29. set -o errexit

  30. set -o errtrace

  31. 

  32. if [ -e "$BORG_DIR/.setup-complete" ]; then

  33.     echo "Error: BORG_DIR $BORG_DIR was already set up; giving up."

  34.     echo "Use \"git clean\" to return it to original state if desired"

  35.     exit 1

  36. fi

  37. 

  38. # Make a temp dir to work in

  39. TMP=$(mktemp -d --tmpdir="$BORG_DIR")

  40. 

  41. # Install some cleanup handlers

  42. cleanup()

  43. {

  44.     set +o errexit

  45.     set +o errtrace

  46.     trap - ERR

  47.     ssh -o ControlPath="$TMP"/ssh-control -O exit x >/dev/null 2>&1

  48.     rm -rf -- "$TMP"

  49. }

  50. cleanup_int()

  51. {

  52.     echo

  53.     cleanup

  54.     exit 1

  55. }

  56. trap cleanup 0

  57. trap cleanup_int 1 2 15

  58. 

  59. msg()

  60. {

  61.     color="$1"

  62.     shift

  63.     echo -ne "\033[1;${color}m===\033[0;${color}m" "$@"

  64.     echo -e "\033[0m"

  65. }

  66. log(){ msg 33 "$@" ; }

  67. notice() { msg 32 "$@" ; }

  68. warn() { msg 31 "$@" ; }

  69. error() { msg 31 "Error:" "$@" ; exit 1 ; }

  70. 

  71. # Create pip environment

  72. setup_venv()

  73. {

  74.     ( cd "${BORG_DIR}" && mkdir .venv && pipenv install )

  75. }

  76. 

  77. # Install borg

  78. install_borg()

  79. {

  80.     curl -L --progress-bar -o "${BORG_BIN}" "${BORG_URL}"

  81.     if ! echo "${BORG_SHA256} ${BORG_BIN}" | sha256sum -c ; then

  82.         error "hash error"

  83.     fi

  84.     chmod +x "${BORG_BIN}"

  85. }

  86. 

  87. # Create wrapper to execute borg

  88. create_borg_wrapper()

  89. {

  90.     BORG=${BORG_DIR}/borg.sh

  91.     BORG_REPO="ssh://${BACKUP_USER}@${BACKUP_HOST}/./${BACKUP_REPO}"

  92.     SSH=$BORG_DIR/ssh

  93. 

  94.     cat >"$BORG" <<EOF

  95. #!/bin/sh

  96. 

  97. export BORG_REPO=${BORG_REPO}

  98. export BORG_PASSCOMMAND="cat ${BORG_DIR}/passphrase"

  99. export BORG_HOST_ID=${HOSTID}

  100. export BORG_BASE_DIR=${BORG_DIR}

  101. export BORG_CACHE_DIR=${BORG_DIR}/cache

  102. export BORG_CONFIG_DIR=${BORG_DIR}/config

  103. if [ "\$1" = "--rw" ] ; then

  104.     echo "=== Need SSH key passphrase.  Check Bitwarden for:"

  105.     echo "===   borg $(hostname) / read-write SSH key"

  106.     export BORG_RSH="ssh -F $SSH/config -o BatchMode=no -i $SSH/id_ecdsa"

  107.     shift

  108. else

  109.     export BORG_RSH="ssh -F $SSH/config -i $SSH/id_ecdsa_appendonly"

  110. fi

  111. 

  112. exec "${BORG_BIN}" "\$@"

  113. EOF

  114.     chmod +x "$BORG"

  115.     if ! "$BORG" -h >/dev/null ; then

  116.         error "Can't run the new borg wrapper; does borg work?"

  117.     fi

  118. 

  119. }

  120. 

  121. print_random_key()

  122. {

  123.     dd if=/dev/urandom | tr -dc 'a-zA-Z0-9' | head -c 16

  124. }

  125. 

  126. generate_keys()

  127. {

  128.     PASS_SSH=$(print_random_key)

  129.     PASS_REPOKEY=$(print_random_key)

  130.     echo "$PASS_REPOKEY" > "${BORG_DIR}/passphrase"

  131.     chmod 600 "${BORG_DIR}/passphrase"

  132. }

  133. 

  134. # Run a command on the remote host over an existing SSH tunnel

  135. run_ssh_command()

  136. {

  137.     ssh -o ControlPath="$TMP"/ssh-control use-existing-control-tunnel "$@"

  138. }

  139. 

  140. # Configure SSH key-based login

  141. configure_ssh()

  142. {

  143.     mkdir "$SSH"

  144. 

  145.     # Create keys

  146.     log "Creating SSH keys"

  147.     ssh-keygen -N "" -t ecdsa \

  148.                -C "backup-appendonly@$HOSTID" -f "$SSH/id_ecdsa_appendonly"

  149.     ssh-keygen -N "$PASS_SSH" -t ecdsa \

  150.                -C "backup@$HOSTID" -f "$SSH/id_ecdsa"

  151. 

  152.     # Create config snippets

  153.     log "Creating SSH config and wrapper script"

  154.     cat >> "$SSH/config" <<EOF

  155. User $BACKUP_USER

  156. ControlPath none

  157. ServerAliveInterval 120

  158. Compression no

  159. UserKnownHostsFile $SSH/known_hosts

  160. ForwardX11 no

  161. ForwardAgent no

  162. BatchMode yes

  163. IdentitiesOnly yes

  164. EOF

  165. 

  166.     # Connect to backup host, using persistent control socket

  167.     log "Connecting to server"

  168.     log "Please enter password; look in Bitwarden for: ${BACKUP_USER}@${BACKUP_HOST}"

  169.     ssh -F "$SSH/config" -o BatchMode=no -o PubkeyAuthentication=no \

  170.         -o ControlMaster=yes -o ControlPath="$TMP/ssh-control" \

  171.         -o StrictHostKeyChecking=accept-new \

  172.         -f "${BACKUP_USER}@${BACKUP_HOST}" sleep 600

  173.     if ! run_ssh_command true >/dev/null 2>&1 </dev/null ; then

  174.         error "SSH failed"

  175.     fi

  176.     log "Connected to ${BACKUP_USER}@${BACKUP_HOST}"

  177. 

  178.     # Since we now have an SSH connection, check that the repo doesn't exist

  179.     if run_ssh_command "test -e $BACKUP_REPO" ; then

  180.         error "$BACKUP_REPO already exists on the server, bailing out"

  181.     fi

  182. 

  183.     # Copy SSH keys to the server's authorized_keys file, removing any

  184.     # existing keys with this HOSTID.

  185.     log "Setting up SSH keys on remote host"

  186.     cmd="borg/borg serve --restrict-to-repository ~/$BACKUP_REPO"

  187. 

  188.     keys=".ssh/authorized_keys"

  189.     backup="${keys}.old-$(date +%Y%m%d-%H%M%S)"

  190.     run_ssh_command "mkdir -p .ssh; chmod 700 .ssh; touch $keys"

  191.     run_ssh_command "mv $keys $backup; sed '/@$HOSTID\$/d' < $backup > $keys"

  192.     run_ssh_command "if cmp -s $backup $keys; then rm $backup ; fi"

  193.     run_ssh_command "cat >> .ssh/authorized_keys" <<EOF

  194. command="$cmd --append-only",restrict $(cat "$SSH/id_ecdsa_appendonly.pub")

  195. command="borg/notify.sh",restrict $(cat "$SSH/id_ecdsa_appendonly.pub")

  196. command="$cmd",restrict $(cat "$SSH/id_ecdsa.pub")

  197. EOF

  198. 

  199.     # Test that everything worked

  200.     log "Testing SSH login with new key"

  201.     if ! ssh -F "$SSH/config" -i "$SSH/id_ecdsa_appendonly" -T \

  202.          "${BACKUP_USER}@${BACKUP_HOST}" borg --version </dev/null ; then

  203.         error "Logging in with a key failed -- is server set up correctly?"

  204.     fi

  205.     log "Remote connection OK!"

  206. }

  207. 

  208. # Create the repository on the server

  209. create_repo()

  210. {

  211.     log "Creating repo $BACKUP_REPO"

  212.     # Create repo

  213.     $BORG init --make-parent-dirs --encryption repokey

  214. }

  215. 

  216. # Export keys as HTML page

  217. export_keys()

  218. {

  219.     log "Exporting keys"

  220.     $BORG key export --paper '' "${BORG_DIR}/key.txt"

  221.     chmod 600 "${BORG_DIR}/key.txt"

  222.     cat >>"${BORG_DIR}/key.txt" <<EOF

  223. 

  224. Repository: ${BORG_REPO}

  225. Passphrase: ${PASS_REPOKEY}

  226. EOF

  227. }

  228. 

  229. configure_systemd()

  230. {

  231.     TIMER=borg-backup.timer

  232.     SERVICE=borg-backup.service

  233.     TIMER_UNIT=${BORG_DIR}/${TIMER}

  234.     SERVICE_UNIT=${BORG_DIR}/${SERVICE}

  235. 

  236.     log "Creating systemd files"

  237. 

  238.     cat > "$TIMER_UNIT" <<EOF

  239. [Unit]

  240. Description=Borg backup to ${BACKUP_HOST}

  241. 

  242. [Timer]

  243. OnCalendar=*-*-* 01:00:00

  244. RandomizedDelaySec=1800

  245. FixedRandomDelay=true

  246. Persistent=true

  247. 

  248. [Install]

  249. WantedBy=timers.target

  250. EOF

  251. 

  252.     cat >> "$SERVICE_UNIT" <<EOF

  253. [Unit]

  254. Description=Borg backup to ${BACKUP_HOST}

  255. 

  256. [Service]

  257. Type=simple

  258. ExecStart=${BORG_DIR}/backup.py

  259. Nice=10

  260. IOSchedulingClass=best-effort

  261. IOSchedulingPriority=6

  262. EOF

  263. 

  264.     log "Setting up systemd"

  265.     if (

  266.         ln -sfv "${TIMER_UNIT}" /etc/systemd/system &&

  267.         ln -sfv "${SERVICE_UNIT}" /etc/systemd/system &&

  268.         systemctl --no-ask-password daemon-reload &&

  269.         systemctl --no-ask-password enable ${TIMER} &&

  270.         systemctl --no-ask-password start ${TIMER}

  271.     ); then

  272.         log "Backup timer installed:"

  273.         systemctl list-timers ${TIMER}

  274.     else

  275.         warn ""

  276.         warn "Systemd setup failed"

  277.         warn "Do something like this to configure automatic backups:"

  278.         echo "     sudo ln -sfv \"${TIMER_UNIT}\" /etc/systemd/system &&"

  279.         echo "     sudo ln -sfv \"${SERVICE_UNIT}\" /etc/systemd/system &&"

  280.         echo "     sudo systemctl daemon-reload &&"

  281.         echo "     sudo systemctl enable ${TIMER} &&"

  282.         echo "     sudo systemctl start ${TIMER}"

  283.         warn ""

  284.     fi

  285. }

  286. 

  287. update_readme()

  288. {

  289.     sed -i \

  290.         -e "s!\${HOSTNAME}!$(hostname)!g" \

  291.         -e "s!\${BORG_DIR}!${BORG_DIR}!g" \

  292.         -e "s!\${BACKUP_USER}!${BACKUP_USER}!g" \

  293.         -e "s!\${BACKUP_HOST}!${BACKUP_HOST}!g" \

  294.         -e "s!\${BACKUP_REPO}!${BACKUP_REPO}!g" \

  295.         "${BORG_DIR}/README.md"

  296. }

  297. 

  298. log "Configuration:"

  299. log "  Backup server host: ${BACKUP_HOST}"

  300. log "  Backup server user: ${BACKUP_USER}"

  301. log "     Repository path: ${BACKUP_REPO}"

  302. 

  303. setup_venv

  304. install_borg

  305. create_borg_wrapper

  306. generate_keys

  307. configure_ssh

  308. create_repo

  309. export_keys

  310. configure_systemd

  311. update_readme

  312. 

  313. echo

  314. notice "Add these two passwords to Bitwarden:"

  315. notice ""

  316. notice "      Name: borg $(hostname)"

  317. notice "  Username: read-write ssh key"

  318. notice "  Password: $PASS_SSH"

  319. notice ""

  320. notice "      Name: borg $(hostname)"

  321. notice "  Username: repo key"

  322. notice "  Password: $PASS_REPOKEY"

  323. notice "     Notes: (paste the following key)"

  324. sed -ne '/BORG/,/^$/{/./p}' "${BORG_DIR}/key.txt"

  325. notice ""

  326. notice ""

  327. 

  328. echo

  329. 

  330. echo "All done"