# # General backup conventions and definitions according to # http://padrao.sarava.org/trac/wiki/Backups/Convencoes # # This module is distributed under the GNU Affero General Public License: # # Backup module for puppet # Copyright (C) 2009 Sarava Group # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU Affero General Public License as # published by the Free Software Foundation, either version 3 of the # License, or any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU Affero General Public License for more details. # # You should have received a copy of the GNU Affero General Public License # along with this program. If not, see . # backup folder $backupdir = "/var/backups" $backupdir_remote = "$backupdir/remote" # for data that's going to be encrypted and signed $backup_include_unencrypted = [ "/etc", "/var", "/home", ] $backup_exclude_unencrypted = [ "$backupdir_remote", "$backupdir/duplicity", "/var/cache", "/var/log", "/var/vservers", "/var/chroot" ] # for data that were previously encrypted and signed $backup_include_encrypted = [ "$backupdir/duplicity", ] $backup_exclude_encrypted = [ "$backupdir/duplicity/.ssh", ] class backup { include backupninja::server include backupninja::client::duplicity include backupninja::client::rdiff_backup package { "debconf-utils": ensure => installed, } package { "hwinfo": ensure => installed, } case $backup_when { '': { $backup_when = 'everyday at 01:00' } } backupninja::config { "conf": loglvl => 4, usecolors => false, when => $backup_when, } file { "$backupdir_remote": ensure => directory, owner => root, group => root, mode => 0755, } file { "/var/log/backup": ensure => directory, owner => root, group => root, mode => 0755, } file { "/etc/logrotate.d/backup": ensure => present, owner => root, group => root, mode => 0644, source => "puppet://$server/modules/backup/logrotate.d/backup", } # rdiff-check script file { "/usr/local/sbin/rdiff-check": content => template('backup/rdiff-check.sh.erb'), owner => root, group => root, mode => 0755, ensure => present, } # check rdiff-backups once a week cron { "rdiff_check": command => "/usr/local/sbin/rdiff-check", user => root, hour => "0", minute => "0", weekday => "0", ensure => present, require => File['/usr/local/sbin/rdiff-check'], } # rsync-check script file { "/usr/local/sbin/rsync-check": content => template('backup/rsync-check.sh.erb'), owner => root, group => root, mode => 0755, ensure => present, } # check rsync-backups once a week cron { "rsync_check": command => "/usr/local/sbin/rsync-check", user => root, hour => "0", minute => "0", weekday => "0", ensure => present, require => File['/usr/local/sbin/rsync-check'], } # we have to keep that as we have custom changes that # might not be merged and released in backupninja file { "/usr/share/backupninja/rsync": ensure => present, owner => "root", group => "root", mode => 0644, source => "puppet://$server/modules/backup/handlers/rsync", } # sync-backups script file { "/usr/local/sbin/sync-backups": owner => root, group => root, mode => 0755, ensure => present, source => "puppet://$server/modules/backup/sync-backups", } # default backupninja::rdiff configuration define rdiff($port = '22', $ensure = present, $installkey = true) { backupninja::rdiff { "rdiff-$title.$domain": ensure => $ensure, options => "--remote-schema 'ssh -p $port -C %s rdiff-backup --server'", # [source] keep => "10", include => $backup_include_encrypted, exclude => $backup_exclude_encrypted, # [dest] type => "remote", host => "$title.$domain", home => "$backupdir/remote/$fqdn", subfolder => "rdiff", user => "$hostname", sshoptions => "-p $port", installkey => $installkey, backupkeytype => "rsa", backupkeystore => "puppet:///modules/site-keys", } } define rsync($port = '22', $ensure = present, $installkey = true, $bandwidthlimit = false) { backupninja::rsync { "rsync-$title.$domain": # [general] ensure => $ensure, installkey => $installkey, home => "$backupdir/remote/$fqdn", backupdir => "$backupdir/remote/$fqdn/rsync", backupkeytype => "rsa", id_file => "/root/.ssh/id_rsa", backupkeystore => "puppet:///modules/site-keys", keepdaily => '7', keepweekly => '4', keepmonthly => '3', format => 'long', log => "/var/log/backup/rsync-$title.$domain.log", lockfile => "/var/lock/rsync-$title.$domain.lock", # [source] include => $backup_include_encrypted, exclude => $backup_exclude_encrypted, # [dest] user => "$hostname", host => "$title.$domain", port => $port, bandwidthlimit => $bandwidthlimit, compress => '1', testconnect => 'yes', } } # local backups using duplicity define duplicity($encryptkey = false, $password = false, $order = 50, $ensure = present, $full_if_older_than = "1M", $remove_older_than = "45D", $periodic_check = absent, $directory = "${backupdir}/duplicity") { case $encryptkey { false: { err("need to define a key!") } } case $password { false: { err("need to define password!") } } include backupninja::client # backup dest folder file { "$backupdir/duplicity": ensure => directory, owner => "root", group => "root", } # the backupninja rule for this duplicity backup file { "${backupninja::client::defaults::configdir}/${order}_duplicity-${title}.sh": ensure => $ensure, content => template('backup/dup.conf.erb'), owner => root, group => root, mode => 0600, require => File["${backupninja::client::defaults::configdir}"], } # check duplicity backups once a week cron { "duplicity_check-$title.$domain": command => "/bin/bash ${backupninja::client::defaults::configdir}/${order}_duplicity-${title}.sh --check", user => root, hour => "0", minute => "0", weekday => "0", ensure => $periodic_check, } } }