jim
/
borg-setup
0
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
My backup scripts and tools
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8 Commits
1 Branch
94 MiB
 
 
 
Tree: 6978cfc012
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '6978cfc012'
${ noResults }
borg-setup/initial-setup.sh

330 lines
8.5 KiB
Raw Blame History 

  1. #!/bin/bash

  2. 

  3. # These can be overridden when running this script

  4. BACKUP_HOST=${BACKUP_HOST:-backup.jim.sh}

  5. BACKUP_USER=${BACKUP_USER:-jim-backups}

  6. BACKUP_REPO=${BACKUP_REPO:-borg/$(hostname)}

  7. 

  8. # Borg binary and hash

  9. BORG_URL="https://github.com/borgbackup/borg/releases/download/1.2.0b3/borg-linux64"

  10. BORG_SHA256=8dd6c2769d9bf3ca7a65ebf6781302029fc3b15105aff63d33195c007f897360

  11. 

  12. # Main dir is where this repo was checked out

  13. BORG_DIR="$(realpath "$(dirname "$0")")"

  14. 

  15. # This is named with uppercase so that it doesn't tab-complete for

  16. # "./b<tab>", which should give us "./borg.sh"

  17. BORG_BIN="${BORG_DIR}/Borg.bin"

  18. 

  19. # Use stable host ID in case MAC address changes

  20. HOSTID="$(hostname -f)@$(python -c 'import uuid;print(uuid.getnode())')"

  21. 

  22. function error_handler() {

  23.     echo "Error at $1 line $2:"

  24.     echo -n '>>> ' ; tail -n +"$2" < "$1" | head -1

  25.     echo "... exited with code $3"

  26.     exit "$3"

  27. }

  28. trap 'error_handler ${BASH_SOURCE} ${LINENO} $?' ERR

  29. set -o errexit

  30. set -o errtrace

  31. 

  32. if [ -e "$BORG_DIR/.setup-complete" ]; then

  33.     echo "Error: BORG_DIR $BORG_DIR was already set up; giving up."

  34.     echo "Use \"git clean\" to return it to original state if desired"

  35.     exit 1

  36. fi

  37. 

  38. # Make a temp dir to work in

  39. TMP=$(mktemp -d --tmpdir="$BORG_DIR")

  40. 

  41. # Install some cleanup handlers

  42. cleanup()

  43. {

  44.     set +o errexit

  45.     set +o errtrace

  46.     trap - ERR

  47.     ssh -o ControlPath="$TMP"/ssh-control -O exit x >/dev/null 2>&1

  48.     rm -rf -- "$TMP"

  49. }

  50. cleanup_int()

  51. {

  52.     echo

  53.     cleanup

  54.     exit 1

  55. }

  56. trap cleanup 0

  57. trap cleanup_int 1 2 15

  58. 

  59. msg()

  60. {

  61.     color="$1"

  62.     shift

  63.     echo -ne "\033[1;${color}m===\033[0;${color}m" "$@"

  64.     echo -e "\033[0m"

  65. }

  66. log(){ msg 33 "$@" ; }

  67. notice() { msg 32 "$@" ; }

  68. warn() { msg 31 "$@" ; }

  69. error() { msg 31 "Error:" "$@" ; exit 1 ; }

  70. 

  71. # Create pip environment

  72. setup_venv()

  73. {

  74.     ( cd "${BORG_DIR}" && mkdir .venv && pipenv install )

  75. }

  76. 

  77. # Install borg

  78. install_borg()

  79. {

  80.     curl -L --progress-bar -o "${BORG_BIN}" "${BORG_URL}"

  81.     if ! echo "${BORG_SHA256} ${BORG_BIN}" | sha256sum -c ; then

  82.         error "hash error"

  83.     fi

  84.     chmod +x "${BORG_BIN}"

  85. }

  86. 

  87. # Create wrapper to execute borg

  88. create_borg_wrapper()

  89. {

  90.     BORG=${BORG_DIR}/borg.sh

  91.     BORG_REPO="ssh://${BACKUP_USER}@${BACKUP_HOST}/./${BACKUP_REPO}"

  92.     SSH=$BORG_DIR/ssh

  93. 

  94.     cat >"$BORG" <<EOF

  95. #!/bin/sh

  96. 

  97. export BORG_REPO=${BORG_REPO}

  98. export BORG_PASSCOMMAND="cat ${BORG_DIR}/passphrase"

  99. export BORG_HOST_ID=${HOSTID}

  100. export BORG_BASE_DIR=${BORG_DIR}

  101. export BORG_CACHE_DIR=${BORG_DIR}/cache

  102. export BORG_CONFIG_DIR=${BORG_DIR}/config

  103. if [ "\$1" = "--rw" ] ; then

  104.     echo "=== Need SSH key passphrase.  Check Bitwarden for:"

  105.     echo "===   borg $(hostname) / read-write SSH key"

  106.     export BORG_RSH="ssh -F $SSH/config -o BatchMode=no -i $SSH/id_ecdsa"

  107.     shift

  108. else

  109.     export BORG_RSH="ssh -F $SSH/config -i $SSH/id_ecdsa_appendonly"

  110. fi

  111. 

  112. exec "${BORG_BIN}" "\$@"

  113. EOF

  114.     chmod +x "$BORG"

  115.     if ! "$BORG" -h >/dev/null ; then

  116.         error "Can't run the new borg wrapper; does borg work?"

  117.     fi

  118. 

  119. }

  120. 

  121. print_random_key()

  122. {

  123.     dd if=/dev/urandom | tr -dc 'a-zA-Z0-9' | head -c 16

  124. }

  125. 

  126. generate_keys()

  127. {

  128.     PASS_SSH=$(print_random_key)

  129.     PASS_REPOKEY=$(print_random_key)

  130.     echo "$PASS_REPOKEY" > "${BORG_DIR}/passphrase"

  131.     chmod 600 "${BORG_DIR}/passphrase"

  132. }

  133. 

  134. # Run a command on the remote host over an existing SSH tunnel

  135. run_ssh_command()

  136. {

  137.     ssh -o ControlPath="$TMP"/ssh-control use-existing-control-tunnel "$@"

  138. }

  139. 

  140. # Configure SSH key-based login

  141. configure_ssh()

  142. {

  143.     mkdir "$SSH"

  144. 

  145.     # Create keys

  146.     log "Creating SSH keys"

  147.     ssh-keygen -N "" -t ecdsa \

  148.                -C "backup-appendonly@$HOSTID" -f "$SSH/id_ecdsa_appendonly"

  149.     ssh-keygen -N "$PASS_SSH" -t ecdsa \

  150.                -C "backup@$HOSTID" -f "$SSH/id_ecdsa"

  151. 

  152.     # Create config snippets

  153.     log "Creating SSH config and wrapper script"

  154.     cat >> "$SSH/config" <<EOF

  155. User $BACKUP_USER

  156. ControlPath none

  157. ServerAliveInterval 120

  158. Compression no

  159. UserKnownHostsFile $SSH/known_hosts

  160. ForwardX11 no

  161. ForwardAgent no

  162. BatchMode yes

  163. IdentitiesOnly yes

  164. EOF

  165. 

  166.     # Connect to backup host, using persistent control socket

  167.     log "Connecting to server"

  168.     log "Please enter password; look in Bitwarden for: ${BACKUP_USER}@${BACKUP_HOST}"

  169.     ssh -F "$SSH/config" -o BatchMode=no -o PubkeyAuthentication=no \

  170.         -o ControlMaster=yes -o ControlPath="$TMP/ssh-control" \

  171.         -o StrictHostKeyChecking=accept-new \

  172.         -f "${BACKUP_USER}@${BACKUP_HOST}" sleep 600

  173.     if ! run_ssh_command true >/dev/null 2>&1 </dev/null ; then

  174.         error "SSH failed"

  175.     fi

  176.     log "Connected to ${BACKUP_USER}@${BACKUP_HOST}"

  177. 

  178.     # Since we now have an SSH connection, check that the repo doesn't exist

  179.     if run_ssh_command "test -e $BACKUP_REPO" ; then

  180.         error "$BACKUP_REPO already exists on the server, bailing out"

  181.     fi

  182. 

  183.     # Copy SSH keys to the server's authorized_keys file, removing any

  184.     # existing keys with this HOSTID.

  185.     log "Setting up SSH keys on remote host"

  186.     cmd="borg/borg serve --restrict-to-repository ~/$BACKUP_REPO"

  187. 

  188.     keys=".ssh/authorized_keys"

  189.     backup="${keys}.old-$(date +%Y%m%d-%H%M%S)"

  190.     run_ssh_command "mkdir -p .ssh; chmod 700 .ssh; touch $keys"

  191.     run_ssh_command "mv $keys $backup; sed '/@$HOSTID\$/d' < $backup > $keys"

  192.     run_ssh_command "if cmp -s $backup $keys; then rm $backup ; fi"

  193.     run_ssh_command "cat >> .ssh/authorized_keys" <<EOF

  194. command="$cmd --append-only",restrict $(cat "$SSH/id_ecdsa_appendonly.pub")

  195. command="$cmd",restrict $(cat "$SSH/id_ecdsa.pub")

  196. EOF

  197. 

  198.     # Test that everything worked

  199.     log "Testing SSH login with new key"

  200.     if ! ssh -F "$SSH/config" -i "$SSH/id_ecdsa_appendonly" -T \

  201.          "${BACKUP_USER}@${BACKUP_HOST}" borg --version </dev/null ; then

  202.         error "Logging in with a key failed -- is server set up correctly?"

  203.     fi

  204.     log "Remote connection OK!"

  205. }

  206. 

  207. # Create the repository on the server

  208. create_repo()

  209. {

  210.     log "Creating repo $BACKUP_REPO"

  211.     # Create repo

  212.     $BORG init --make-parent-dirs --encryption repokey

  213. }

  214. 

  215. # Export keys as HTML page

  216. export_keys()

  217. {

  218.     log "Exporting keys"

  219.     $BORG key export --paper '' "${BORG_DIR}/key.txt"

  220.     chmod 600 "${BORG_DIR}/key.txt"

  221.     cat >>"${BORG_DIR}/key.txt" <<EOF

  222. 

  223. Repository: ${BORG_REPO}

  224. Passphrase: ${PASS_REPOKEY}

  225. EOF

  226. }

  227. 

  228. configure_systemd()

  229. {

  230.     TIMER=borg-backup.timer

  231.     SERVICE=borg-backup.service

  232.     TIMER_UNIT=${BORG_DIR}/${TIMER}

  233.     SERVICE_UNIT=${BORG_DIR}/${SERVICE}

  234. 

  235.     log "Creating systemd files"

  236. 

  237.     cat > "$TIMER_UNIT" <<EOF

  238. [Unit]

  239. Description=Borg backup to ${BACKUP_HOST}

  240. 

  241. [Timer]

  242. OnCalendar=*-*-* 01:00:00

  243. RandomizedDelaySec=1800

  244. FixedRandomDelay=true

  245. Persistent=true

  246. 

  247. [Install]

  248. WantedBy=timers.target

  249. EOF

  250. 

  251.     cat >> "$SERVICE_UNIT" <<EOF

  252. [Unit]

  253. Description=Borg backup to ${BACKUP_HOST}

  254. 

  255. [Service]

  256. Type=simple

  257. ExecStart=${BORG_DIR}/backup.py

  258. Nice=10

  259. IOSchedulingClass=best-effort

  260. IOSchedulingPriority=6

  261. EOF

  262. 

  263.     log "Setting up systemd"

  264.     if (

  265.         ln -sfv "${TIMER_UNIT}" /etc/systemd/system &&

  266.         ln -sfv "${SERVICE_UNIT}" /etc/systemd/system &&

  267.         systemctl --no-ask-password daemon-reload &&

  268.         systemctl --no-ask-password enable ${TIMER} &&

  269.         systemctl --no-ask-password start ${TIMER}

  270.     ); then

  271.         log "Backup timer installed:"

  272.         systemctl list-timers ${TIMER}

  273.     else

  274.         warn ""

  275.         warn "Systemd setup failed"

  276.         warn "Do something like this to configure automatic backups:"

  277.         echo "     sudo ln -sfv \"${TIMER_UNIT}\" /etc/systemd/system &&"

  278.         echo "     sudo ln -sfv \"${SERVICE_UNIT}\" /etc/systemd/system &&"

  279.         echo "     sudo systemctl daemon-reload &&"

  280.         echo "     sudo systemctl enable ${TIMER} &&"

  281.         echo "     sudo systemctl start ${TIMER}"

  282.         warn ""

  283.     fi

  284. }

  285. 

  286. update_readme()

  287. {

  288.     sed -i \

  289.         -e "s!\${HOSTNAME}!$(hostname)!g" \

  290.         -e "s!\${BORG_DIR}!${BORG_DIR}!g" \

  291.         -e "s!\${BACKUP_USER}!${BACKUP_USER}!g" \

  292.         -e "s!\${BACKUP_HOST}!${BACKUP_HOST}!g" \

  293.         -e "s!\${BACKUP_REPO}!${BACKUP_REPO}!g" \

  294.         "${BORG_DIR}/README.md"

  295. }

  296. 

  297. log "Configuration:"

  298. log "  Backup server host: ${BACKUP_HOST}"

  299. log "  Backup server user: ${BACKUP_USER}"

  300. log "     Repository path: ${BACKUP_REPO}"

  301. 

  302. setup_venv

  303. install_borg

  304. create_borg_wrapper

  305. generate_keys

  306. configure_ssh

  307. create_repo

  308. export_keys

  309. configure_systemd

  310. update_readme

  311. 

  312. echo

  313. notice "Add these two passwords to Bitwarden:"

  314. notice ""

  315. notice "      Name: borg $(hostname)"

  316. notice "  Username: read-write ssh key"

  317. notice "  Password: $PASS_SSH"

  318. notice ""

  319. notice "      Name: borg $(hostname)"

  320. notice "  Username: repo key"

  321. notice "  Password: $PASS_REPOKEY"

  322. notice "     Notes: (paste the following key)"

  323. sed -ne '/BORG/,/^$/{/./p}' "${BORG_DIR}/key.txt"

  324. notice ""

  325. notice ""

  326. 

  327. echo

  328. 

  329. echo "All done"