jim
/
borg-setup
0
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
My backup scripts and tools
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
29 Commits
1 Branch
157 MiB
 
 
 
Tree: 1a44035ae8
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '1a44035ae8'
${ noResults }
borg-setup/initial-setup.sh

338 lines
8.6 KiB
Raw Blame History 

  1. #!/bin/bash

  2. 

  3. # These can be overridden when running this script

  4. BACKUP_HOST=${BACKUP_HOST:-backup.jim.sh}

  5. BACKUP_USER=${BACKUP_USER:-jim-backups}

  6. BACKUP_REPO=${BACKUP_REPO:-borg/$(hostname)}

  7. 

  8. # Main dir is where this repo was checked out

  9. BORG_DIR="$(realpath "$(dirname "$0")")"

  10. cd "${BORG_DIR}"

  11. 

  12. # This is named with uppercase so that it doesn't tab-complete for

  13. # "./b<tab>", which should give us "./borg.sh"

  14. BORG_BIN="${BORG_DIR}/Borg.bin"

  15. 

  16. # Use stable host ID in case MAC address changes

  17. HOSTID="$(hostname -f)@$(python -c 'import uuid;print(uuid.getnode())')"

  18. 

  19. function error_handler() {

  20.     echo "Error at $1 line $2:"

  21.     echo -n '>>> ' ; tail -n +"$2" < "$1" | head -1

  22.     echo "... exited with code $3"

  23.     exit "$3"

  24. }

  25. trap 'error_handler ${BASH_SOURCE} ${LINENO} $?' ERR

  26. set -o errexit

  27. set -o errtrace

  28. 

  29. if [ -e ".setup-complete" ]; then

  30.     echo "Error: BORG_DIR $BORG_DIR was already set up; giving up."

  31.     echo "Use \"git clean\" to return it to original state if desired"

  32.     exit 1

  33. fi

  34. 

  35. # Make a temp dir to work in

  36. TMP=$(mktemp -d)

  37. 

  38. # Install some cleanup handlers

  39. cleanup()

  40. {

  41.     set +o errexit

  42.     set +o errtrace

  43.     trap - ERR

  44.     ssh -o ControlPath="$TMP"/ssh-control -O exit x >/dev/null 2>&1

  45.     rm -rf -- "$TMP"

  46. }

  47. cleanup_int()

  48. {

  49.     echo

  50.     cleanup

  51.     exit 1

  52. }

  53. trap cleanup 0

  54. trap cleanup_int 1 2 15

  55. 

  56. msg()

  57. {

  58.     color="$1"

  59.     shift

  60.     echo -ne "\033[1;${color}m===\033[0;${color}m" "$@"

  61.     echo -e "\033[0m"

  62. }

  63. log(){ msg 33 "$@" ; }

  64. notice() { msg 32 "$@" ; }

  65. warn() { msg 31 "$@" ; }

  66. error() { msg 31 "Error:" "$@" ; exit 1 ; }

  67. 

  68. # Create pip environment

  69. setup_venv()

  70. {

  71.     mkdir .venv

  72.     pipenv install

  73. }

  74. 

  75. # Create wrapper to execute borg

  76. create_borg_wrapper()

  77. {

  78.     BORG=${BORG_DIR}/borg.sh

  79.     BORG_REPO="ssh://${BACKUP_USER}@${BACKUP_HOST}/./${BACKUP_REPO}"

  80.     SSH=$BORG_DIR/ssh

  81. 

  82.     cat >"$BORG" <<EOF

  83. #!/bin/sh

  84. 

  85. export BORG_REPO=${BORG_REPO}

  86. export BORG_PASSCOMMAND="cat ${BORG_DIR}/passphrase"

  87. export BORG_HOST_ID=${HOSTID}

  88. export BORG_BASE_DIR=${BORG_DIR}

  89. export BORG_CACHE_DIR=${BORG_DIR}/cache

  90. export BORG_CONFIG_DIR=${BORG_DIR}/config

  91. if [ "\$1" = "--rw" ] ; then

  92.     if [ "$BORG_RW_KEY_ADDED" != "1" ] ; then

  93.         echo "=== Need SSH key passphrase.  Check Bitwarden for:"

  94.         echo "===   borg $(hostname) / read-write SSH key"

  95.     fi

  96.     export BORG_RSH="ssh -F $SSH/config -o BatchMode=no -i $SSH/id_ecdsa"

  97.     shift

  98. else

  99.     export BORG_RSH="ssh -F $SSH/config -i $SSH/id_ecdsa_appendonly"

  100. fi

  101. 

  102. exec "${BORG_BIN}" "\$@"

  103. EOF

  104.     chmod +x "$BORG"

  105.     if ! "$BORG" -h >/dev/null ; then

  106.         error "Can't run the new borg wrapper; does borg work?"

  107.     fi

  108. 

  109. }

  110. 

  111. print_random_key()

  112. {

  113.     dd if=/dev/urandom | tr -dc 'a-zA-Z0-9' | head -c 16

  114. }

  115. 

  116. generate_keys()

  117. {

  118.     PASS_SSH=$(print_random_key)

  119.     PASS_REPOKEY=$(print_random_key)

  120.     echo "$PASS_REPOKEY" > passphrase

  121.     chmod 600 passphrase

  122. }

  123. 

  124. # Run a command on the remote host over an existing SSH tunnel

  125. run_ssh_command()

  126. {

  127.     ssh -o ControlPath="$TMP"/ssh-control use-existing-control-tunnel "$@"

  128. }

  129. 

  130. # Configure SSH key-based login

  131. configure_ssh()

  132. {

  133.     mkdir "$SSH"

  134. 

  135.     # Create keys

  136.     log "Creating SSH keys"

  137.     ssh-keygen -N "" -t ecdsa \

  138.                -C "backup-appendonly@$HOSTID" -f "$SSH/id_ecdsa_appendonly"

  139.     ssh-keygen -N "$PASS_SSH" -t ecdsa \

  140.                -C "backup@$HOSTID" -f "$SSH/id_ecdsa"

  141. 

  142.     # Create config snippets

  143.     log "Creating SSH config and wrapper script"

  144.     cat >> "$SSH/config" <<EOF

  145. User $BACKUP_USER

  146. ControlPath none

  147. ServerAliveInterval 120

  148. Compression no

  149. UserKnownHostsFile $SSH/known_hosts

  150. ForwardX11 no

  151. ForwardAgent no

  152. BatchMode yes

  153. IdentitiesOnly yes

  154. EOF

  155. 

  156.     # Connect to backup host, using persistent control socket

  157.     log "Connecting to server"

  158.     log "Please enter password; look in Bitwarden for: ${BACKUP_USER}@${BACKUP_HOST}"

  159.     ssh -F "$SSH/config" -o BatchMode=no -o PubkeyAuthentication=no \

  160.         -o ControlMaster=yes -o ControlPath="$TMP/ssh-control" \

  161.         -o StrictHostKeyChecking=accept-new \

  162.         -f "${BACKUP_USER}@${BACKUP_HOST}" sleep 600

  163.     if ! run_ssh_command true >/dev/null 2>&1 </dev/null ; then

  164.         error "SSH failed"

  165.     fi

  166.     log "Connected to ${BACKUP_USER}@${BACKUP_HOST}"

  167. 

  168.     # Since we now have an SSH connection, check that the repo doesn't exist

  169.     if run_ssh_command "test -e $BACKUP_REPO" ; then

  170.         error "$BACKUP_REPO already exists on the server, bailing out"

  171.     fi

  172. 

  173.     # Copy SSH keys to the server's authorized_keys file, removing any

  174.     # existing keys with this HOSTID.

  175.     log "Setting up SSH keys on remote host"

  176.     cmd="borg/borg serve --restrict-to-repository ~/$BACKUP_REPO"

  177. 

  178.     keys=".ssh/authorized_keys"

  179.     backup="${keys}.old-$(date +%Y%m%d-%H%M%S)"

  180.     run_ssh_command "mkdir -p .ssh; chmod 700 .ssh; touch $keys"

  181.     run_ssh_command "mv $keys $backup; sed '/@$HOSTID\$/d' < $backup > $keys"

  182.     run_ssh_command "if cmp -s $backup $keys; then rm $backup ; fi"

  183.     run_ssh_command "cat >> .ssh/authorized_keys" <<EOF

  184. command="$cmd --append-only",restrict $(cat "$SSH/id_ecdsa_appendonly.pub")

  185. command="borg/notify.sh",restrict $(cat "$SSH/id_ecdsa_appendonly.pub")

  186. command="$cmd",restrict $(cat "$SSH/id_ecdsa.pub")

  187. EOF

  188. 

  189.     # Test that everything worked

  190.     log "Testing SSH login with new key"

  191.     if ! ssh -F "$SSH/config" -i "$SSH/id_ecdsa_appendonly" -T \

  192.          "${BACKUP_USER}@${BACKUP_HOST}" borg --version </dev/null ; then

  193.         error "Logging in with a key failed -- is server set up correctly?"

  194.     fi

  195.     log "Remote connection OK!"

  196. }

  197. 

  198. # Create the repository on the server

  199. create_repo()

  200. {

  201.     log "Creating repo $BACKUP_REPO"

  202.     # Create repo

  203.     $BORG init --make-parent-dirs --encryption repokey

  204. }

  205. 

  206. # Export keys as HTML page

  207. export_keys()

  208. {

  209.     log "Exporting keys"

  210.     $BORG key export --paper '' key.txt

  211.     chmod 600 key.txt

  212.     cat >>key.txt <<EOF

  213. 

  214. Repository: ${BORG_REPO}

  215. Passphrase: ${PASS_REPOKEY}

  216. EOF

  217. }

  218. 

  219. configure_systemd()

  220. {

  221.     TIMER=borg-backup.timer

  222.     SERVICE=borg-backup.service

  223.     TIMER_UNIT=${BORG_DIR}/${TIMER}

  224.     SERVICE_UNIT=${BORG_DIR}/${SERVICE}

  225. 

  226.     log "Creating systemd files"

  227. 

  228.     cat > "$TIMER_UNIT" <<EOF

  229. [Unit]

  230. Description=Borg backup to ${BACKUP_HOST}

  231. 

  232. [Timer]

  233. OnCalendar=*-*-* 01:00:00

  234. RandomizedDelaySec=1800

  235. FixedRandomDelay=true

  236. Persistent=true

  237. 

  238. [Install]

  239. WantedBy=timers.target

  240. EOF

  241. 

  242.     cat >> "$SERVICE_UNIT" <<EOF

  243. [Unit]

  244. Description=Borg backup to ${BACKUP_HOST}

  245. 

  246. [Service]

  247. Type=simple

  248. ExecStart=${BORG_DIR}/backup.py

  249. Nice=10

  250. IOSchedulingClass=best-effort

  251. IOSchedulingPriority=6

  252. EOF

  253. 

  254.     log "Setting up systemd"

  255.     if (

  256.         ln -sfv "${TIMER_UNIT}" /etc/systemd/system &&

  257.         ln -sfv "${SERVICE_UNIT}" /etc/systemd/system &&

  258.         systemctl --no-ask-password daemon-reload &&

  259.         systemctl --no-ask-password enable ${TIMER} &&

  260.         systemctl --no-ask-password start ${TIMER}

  261.     ); then

  262.         log "Backup timer installed:"

  263.         systemctl list-timers ${TIMER}

  264.     else

  265.         warn ""

  266.         warn "Systemd setup failed"

  267.         warn "Do something like this to configure automatic backups:"

  268.         echo "     sudo ln -sfv \"${TIMER_UNIT}\" /etc/systemd/system &&"

  269.         echo "     sudo ln -sfv \"${SERVICE_UNIT}\" /etc/systemd/system &&"

  270.         echo "     sudo systemctl daemon-reload &&"

  271.         echo "     sudo systemctl enable ${TIMER} &&"

  272.         echo "     sudo systemctl start ${TIMER}"

  273.         warn ""

  274.     fi

  275. }

  276. 

  277. update_paths()

  278. {

  279.     sed -i \

  280.         -e "s!\${HOSTNAME}!$(hostname)!g" \

  281.         -e "s!\${BORG_DIR}!${BORG_DIR}!g" \

  282.         -e "s!\${BACKUP_USER}!${BACKUP_USER}!g" \

  283.         -e "s!\${BACKUP_HOST}!${BACKUP_HOST}!g" \

  284.         -e "s!\${BACKUP_REPO}!${BACKUP_REPO}!g" \

  285.         README.md

  286. 

  287.     sed -i\

  288.         -e "1c#!${BORG_DIR}/.venv/bin/python" \

  289.         backup.py

  290. }

  291. 

  292. git_setup()

  293. {

  294.     if ! git checkout -b "setup-$(hostname)" ; then

  295.         warn "Git setup failed; ignoring"

  296.         return

  297.     fi

  298. 

  299.     log "Committing local changes to git"

  300.     git add README.md borg-backup.service borg-backup.timer borg.sh

  301.     git commit -a -m "autocommit after initial setup on $(hostname)"

  302. }

  303. 

  304. log "Configuration:"

  305. log "  Backup server host: ${BACKUP_HOST}"

  306. log "  Backup server user: ${BACKUP_USER}"

  307. log "     Repository path: ${BACKUP_REPO}"

  308. 

  309. setup_venv

  310. create_borg_wrapper

  311. generate_keys

  312. configure_ssh

  313. create_repo

  314. export_keys

  315. configure_systemd

  316. update_paths

  317. git_setup

  318. 

  319. echo

  320. notice "Add these two passwords to Bitwarden:"

  321. notice ""

  322. notice "      Name: borg $(hostname)"

  323. notice "  Username: read-write ssh key"

  324. notice "  Password: $PASS_SSH"

  325. notice ""

  326. notice "      Name: borg $(hostname)"

  327. notice "  Username: repo key"

  328. notice "  Password: $PASS_REPOKEY"

  329. notice ""

  330. notice "Test the backup file list with"

  331. notice "    sudo ${BORG_DIR}/backup.py --dry-run"

  332. notice "and make any necessary adjustments to:"

  333. notice "    ${BORG_DIR}/config.yaml"

  334. 

  335. echo

  336. 

  337. echo "All done"