aboutsummaryrefslogtreecommitdiff
path: root/templates/borg.sh.erb
blob: 646a41cb4a96e16dc40182b6e404c214168abe1c (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
#!/bin/bash
#
# Borg backup procedure for Backupninja
# Adapted from https://borgbackup.readthedocs.io/en/stable/quickstart.html#automating-backups
#

# Parameters
export SSH_SERVER="<%= @user %>@<%= @host %>"
export SSH_PORT="<%= @port %>"
export HOSTNAME=`cat /etc/hostname`

# Set the repository
# Setting this, so the repo does not need to be given on the commandline:
export BORG_REPO=ssh://$SSH_SERVER:$SSH_PORT//var/backups/remote/$HOSTNAME/borg

# Set the passphrase
# Setting this, so you won't be asked for your repository passphrase:
export BORG_PASSPHRASE='<%= @password %>'

# Optional OpenPGP encryption for the keyfile
GPG_KEY="<%= @gpgkey %>"
GPG_PASS='<%= @gpgpass %>'

# Setting the password command
# This allows to ask an external program to supply the passphrase:
#export BORG_PASSCOMMAND='pass show backup'

# Custom keyfile support
if [ "<%= @encryption %>" == "keyfile" ] && [ ! -z "<%= @keyfile %>" ]; then
  # Borg does not support providing a pre-generate key file anymore
  # Details at https://github.com/borgbackup/borg/issues/7047
  #if [ ! -e "<%= @keyfile %>" ]; then
  #  fatal "Keyfile not found: <%= @keyfile %>. Please create it manually."
  #fi

  export BORG_KEY_FILE="<%= @keyfile %>"
fi

# Error handling
#info() { printf "\n%s %s\n\n" "$( date )" "$*" >&2; }
trap 'info $( date ) Backup interrupted >&2; exit 2' INT TERM

# Check
if [ "$1" == "--check" ]; then
  borg list
  exit $?
fi

# Initialize
if ! ssh $SSH_SERVER -p $SSH_PORT test -f /var/backups/remote/$HOSTNAME/borg/config; then
  info "Initializing borg repository at ssh://$SSH_SERVER:$SSH_PORT//var/backups/remote/$HOSTNAME/borg..."
  borg init --encryption=<%= @encryption %> ssh://$SSH_SERVER:$SSH_PORT//var/backups/remote/$HOSTNAME/borg

  init_exit=$?

  if [ "$init_exit" != "0" ]; then
    fatal "Error initializing repository"
  fi
fi

# Backup the most important directories into an archive named after
# the machine this script is currently running on:

info "Starting backup..."

borg create                          \
  --verbose                          \
  --filter AME                       \
  --list                             \
  --stats                            \
  --show-rc                          \
  --compression lz4                  \
  --exclude-caches                   \
  --exclude '/home/*/.cache/*'       \
  --exclude '/var/cache/*'           \
  --exclude '/var/tmp/*'             \
<% @exclude_unencrypted.each do |del| -%>
  --exclude <%= del %>               \
<% end -%>
  ::'{hostname}-{now}'               \
<% @include_unencrypted.each do |add| -%>
  <%= add %>                         \
<% end -%>

  backup_exit=$?

#if [ "$backup_exit" != "0" ]; then
#  fatal "Error creating snapshot"
#fi

info "Pruning repository..."

# Use the `prune` subcommand to maintain 7 daily, 4 weekly and 6 monthly
# archives of THIS machine. The '{hostname}-' prefix is very important to
# limit prune's operation to this machine's archives and not apply to
# other machines' archives also:

# Warning: "--prefix" has been deprecated. Use "--glob-archives 'yourprefix*'" (-a) instead.
#--prefix '{hostname}-' \
borg prune                            \
  --list                              \
  --glob-archives '{hostname}-*'      \
  --show-rc                           \
  --keep-daily    <%= @keepdaily %>   \
  --keep-weekly   <%= @keepweekly %>  \
  --keep-monthly  <%= @keepmonthly %> \

  prune_exit=$?

#if [ "$prune_exit" != "0" ]; then
#  fatal "Error pruning repository"
#fi

# Have an OpenPGP-encrypted copy of the keyfile
#
# This is not ideal, but it's the workaround for configuration management.
#
# Borg does not support using pre-generated keys anymore (as of 2024-05-16), so
# we need an alternative way to access the repository keys if the original
# system becomes unavailable.
#
# The solution is to OpenPGP-encrypt the key file and upload it to the server,
# assuming that the operators have pre-generated the OpenPGP key and have a copy
# of it. They can use the same OpenPGP key used for Duplicity backups.
#
# The level of protection for the key will then be as strong as the OpenPGP key.
#
# Check also https://github.com/borgbackup/borg/issues/7047
#            https://borgbackup.readthedocs.io/en/latest/faq.html#how-important-is-the-home-config-borg-directory
if [ "<%= @encryption %>" == "keyfile" ] && [ ! -z "<%= @keyfile %>" ]; then
  if [ ! -z "$GPG_KEY" ] && [ ! -z "$GPG_PASS" ]; then
    info "Backing up the OpenPGP-encrypted repository key into the remote destination..."

    rm -f $BORG_KEY_FILE

    echo $GPG_PASS | gpg --armor --encrypt --passphrase-fd 0 \
                         --recipient $GPG_KEY --default-key $GPG_KEY \
                         --output $BORG_KEY_FILE.asc \
                         $BORG_KEY_FILE

    gpg_exit=$?

    chmod 600 $BORG_KEY_FILE.asc

    scp -o Port=$SSH_PORT $BORG_KEY_FILE.asc \
                          $SSH_SERVER:/var/backups/remote/$HOSTNAME/borg/keyfile.asc

    gpg_copy_exit=$?
  fi
fi

# Use highest exit code as global exit code
global_exit=$(( backup_exit > prune_exit ? backup_exit : prune_exit ))

if [ ${global_exit} -eq 1 ]; then
  info "Backup and/or Prune finished with a warning"
fi

if [ ${global_exit} -gt 1 ]; then
  info "Backup and/or Prune finished with an error"
fi

if [ "${global_exit}" != "0" ]; then
  fatal "Error completing borg action: exit code ${global_exit}"
fi

if [ "${gpg_exit}" != "0" ] || [ "${gpg_copy_exit}" != "0" ]; then
  fatal "Error backing the GPG-encrypted copy of the keyfile into the remote repository"
fi