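#
# General backup conventions and definitions according to
# http://padrao.sarava.org/trac/wiki/Backups/Convencoes
#
# This module is distributed under the GNU Affero General Public License:
#
# Backup module for puppet
# Copyright (C) 2009 Sarava Group
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#

# backup folder
$backupdir        = "/var/backups"
$backupdir_remote = "$backupdir/remote"
$backupdir_ensure = hiera('backup::dir::ensure', 'directory')

# for data that's going to be encrypted and signed
$backup_include_unencrypted = [ "/etc", "/var", "/home", ]
$backup_exclude_unencrypted = [
  "$backupdir_remote",
  "$backupdir/duplicity",
  "$backupdir/restore",
  "/var/cache",
  "/var/log",
  "/var/vservers",
  "/var/chroot",
  "/root/.cache",
  "/var/lib/dpkg",
  "/var/lib/apt",
  "/var/lib/aptitude/",
  "/var/sites/backups",
  "/var/data/crypt",
  "/data/backups",
  "/data/cache"
]

# for data that were previously encrypted and signed
$backup_include_encrypted = [ "$backupdir/duplicity", ]
# the .ssh directory under the duplicity folder is kept out of the remote copies
$backup_exclude_encrypted = [ "$backupdir/duplicity/.ssh", ]

# ensure the latest backup version
# NOTE(review): 'latest' is unpinned, so the installed backupninja version
# follows whatever the configured package repository serves.
$backupninja_ensure_version = 'latest'

# Installs the backupninja server and clients, the helper packages, the
# check/sync/mount scripts and their cron jobs, and provides the rdiff, rsync
# and duplicity defines used to declare individual backup jobs.
#
# Parameters (each looked up in hiera, with the default shown):
#   $when          - schedule handed to backupninja::config
#   $audit_rsync   - selects the weekday of the rsync_check cron job
#   $reportwarning - handed to backupninja::config
#
# NOTE(review): the two boolean defaults are written as capitalized `True`;
# confirm that the Puppet version in use evaluates this as boolean true, since
# the rsync_check selector below matches on lower-case `true`.
class backup(
  $when          = hiera('backup::when', 'everyday at 01:00'),
  $audit_rsync   = hiera('backup::audit_rsync', True),
  $reportwarning = hiera('backup::reportwarning', True)
) {
  include backupninja::server
  include backupninja::client::duplicity
  include backupninja::client::rdiff_backup

  package { "debconf-utils":
    ensure => installed,
  }

  package { "hwinfo":
    ensure => installed,
  }

  # See http://www.rfc3092.net/2013/09/missing-modules-for-paramiko-and-gio-in-duplicity-foo/
  package { "python-gobject-2":
    ensure => $::lsbdistcodename ? {
      'squeeze' => absent,
      default   => present,
    },
  }

  backupninja::config { "conf":
    loglvl        => 4,
    usecolors     => false,
    when          => $when,
    reportwarning => $reportwarning,
  }

  # File modes are quoted throughout this class: a bare 0755 is read as an
  # octal integer by newer Puppet parsers, while the string form is accepted
  # by every version.
  file { "$backupdir_remote":
    ensure => directory,
    owner  => root,
    group  => root,
    mode   => '0755',
  }

  file { "/var/log/backup":
    ensure => directory,
    owner  => root,
    group  => root,
    mode   => '0755',
  }

  file { "/etc/logrotate.d/backup":
    ensure => present,
    owner  => root,
    group  => root,
    mode   => '0644',
    source => "puppet:///modules/backup/logrotate.d/backup",
  }

  # rdiff-check script
  file { "/usr/local/sbin/rdiff-check":
    content => template('backup/rdiff-check.sh.erb'),
    owner   => root,
    group   => root,
    mode    => '0755',
    ensure  => present,
  }

  # check rdiff-backups once a week
  cron { "rdiff_check":
    command => "/usr/local/sbin/rdiff-check",
    user    => root,
    hour    => "0",
    minute  => "0",
    weekday => "0",
    ensure  => present,
    require => File['/usr/local/sbin/rdiff-check'],
  }

  # rsync-check script
  file { "/usr/local/sbin/rsync-check":
    content => template('backup/rsync-check.sh.erb'),
    owner   => root,
    group   => root,
    mode    => '0755',
    ensure  => present,
  }

  # check rsync-backups: every day at 00:00 when $audit_rsync is true,
  # otherwise once a week (weekday 0)
  cron { "rsync_check":
    command => "/usr/local/sbin/rsync-check",
    user    => root,
    hour    => "0",
    minute  => "0",
    weekday => $audit_rsync ? {
      true    => '*',
      default => "0",
    },
    ensure  => present,
    require => File['/usr/local/sbin/rsync-check'],
  }

  # we have to keep that as we have custom changes that
  # might not be merged and released in backupninja
  file { "/usr/share/backupninja/rsync":
    ensure => present,
    owner  => "root",
    group  => "root",
    mode   => '0644',
    source => "puppet:///modules/backup/handlers/rsync",
  }

  # sync-backups script
  file { "/usr/local/sbin/sync-backups":
    owner  => root,
    group  => root,
    mode   => '0755',
    ensure => present,
    source => "puppet:///modules/backup/sync-backups",
  }

  # sync-media script
  file { "/usr/local/sbin/sync-media":
    owner  => root,
    group  => root,
    mode   => '0755',
    ensure => present,
    source => "puppet:///modules/backup/sync-media",
  }

  # sync-media-export script
  file { "/usr/local/sbin/sync-media-export":
    owner  => root,
    group  => root,
    mode   => '0755',
    ensure => present,
    source => "puppet:///modules/backup/sync-media-export",
  }

  # sync-media-init script
  file { "/usr/local/sbin/sync-media-init":
    owner  => root,
    group  => root,
    mode   => '0755',
    ensure => present,
    source => "puppet:///modules/backup/sync-media-init",
  }

  # mount-media script
  file { "/usr/local/sbin/mount-media":
    owner  => root,
    group  => root,
    mode   => '0755',
    ensure => present,
    source => "puppet:///modules/backup/mount-media",
  }

  # umount-media script: `ensure` holds a path, so this is a symlink to
  # mount-media rather than a separate file
  file { "/usr/local/sbin/umount-media":
    owner   => root,
    group   => root,
    ensure  => '/usr/local/sbin/mount-media',
    require => File['/usr/local/sbin/mount-media'],
  }

  # default backupninja::rdiff configuration
  #
  # $title is the short name of the destination host; $domain is appended to
  # build the host name. $port is interpolated into the ssh command line of
  # the remote schema and into sshoptions, so it must stay a plain port number.
  define rdiff($port = '22', $ensure = present, $installkey = true) {
    backupninja::rdiff { "rdiff-$title.$domain":
      ensure         => $ensure,
      options        => "--remote-schema 'ssh -p $port -C %s rdiff-backup --server'",

      # [source]
      keep           => "10",
      include        => $backup_include_encrypted,
      exclude        => $backup_exclude_encrypted,

      # [dest]
      type           => "remote",
      host           => "$title.$domain",
      home           => "$backupdir/remote/$fqdn",
      subfolder      => "rdiff",
      user           => "$hostname",
      sshoptions     => "-p $port",
      installkey     => $installkey,
      backupkeytype  => "rsa",
      backupkeystore => "puppet:///modules/site_keys",
    }
  }

  # default backupninja::rsync configuration
  #
  # $use_domain and $use_fqdn default to the node's own facts and let a caller
  # override the names used for the destination host, the remote home, the log
  # file and the lock file.
  define rsync($port = '22', $ensure = present, $installkey = true,
               $bandwidthlimit = false, $use_domain = $::domain,
               $use_fqdn = $::fqdn) {
    backupninja::rsync { "rsync-$title.$use_domain":
      # [general]
      ensure         => $ensure,
      installkey     => $installkey,
      home           => "$backupdir/remote/$use_fqdn",
      backupdir      => "$backupdir/remote/$use_fqdn/rsync",
      backupkeytype  => "rsa",
      # NOTE(review): this is root's default SSH identity, not a key dedicated
      # to backups.
      id_file        => "/root/.ssh/id_rsa",
      backupkeystore => "puppet:///modules/site_keys",
      keepdaily      => '4',
      keepweekly     => '2',
      keepmonthly    => '2',
      format         => 'long',
      log            => "/var/log/backup/rsync-$title.$use_domain.log",
      lockfile       => "/var/lock/rsync-$title.$use_domain.lock",

      # [source]
      include        => $backup_include_encrypted,
      exclude        => $backup_exclude_encrypted,

      # [dest]
      user           => "$hostname",
      host           => "$title.$use_domain",
      port           => $port,
      bandwidthlimit => $bandwidthlimit,
      compress       => '1',
      testconnect    => 'yes',
    }
  }

  # local backups using duplicity
  #
  # $encryptkey and $password are mandatory; the remaining parameters are not
  # referenced by the resources below and are presumably read by the
  # backup/dup.conf.erb template -- confirm against the template.
  define duplicity($encryptkey = false, $password = false, $order = 50,
                   $ensure = present, $full_if_older_than = "1M",
                   $remove_older_than = "45D", $remove_all_but_n_full = "1",
                   $periodic_check = absent,
                   $directory = "${backupdir}/duplicity") {
    # Fail closed: fail() aborts catalog compilation. The previous err() only
    # logged the message, so the handler below was still rendered with
    # $encryptkey or $password left at false.
    case $encryptkey {
      false: { fail("need to define a key!") }
    }

    case $password {
      false: { fail("need to define password!") }
    }

    include backupninja::client

    # backup dest folder
    # NOTE(review): no mode is set here, and because this fixed-title resource
    # sits inside the define, declaring backup::duplicity more than once on a
    # node would declare it twice.
    file { "$backupdir/duplicity":
      ensure => directory,
      owner  => "root",
      group  => "root",
    }

    # the backupninja rule for this duplicity backup
    # The template is rendered in this define's scope, so it can read
    # $encryptkey and $password; 0600 keeps the result readable by root only.
    file { "${backupninja::client::defaults::configdir}/${order}_duplicity-${title}.sh":
      ensure  => $ensure,
      content => template('backup/dup.conf.erb'),
      owner   => root,
      group   => root,
      mode    => '0600',
      require => File["${backupninja::client::defaults::configdir}"],
    }

    # check duplicity backups once a week; $periodic_check defaults to absent,
    # so the job only exists when a caller enables it
    cron { "duplicity_check-$title.$domain":
      command => "/bin/bash ${backupninja::client::defaults::configdir}/${order}_duplicity-${title}.sh --check",
      user    => root,
      hour    => "0",
      minute  => "0",
      weekday => "0",
      ensure  => $periodic_check,
    }
  }
}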