[submodule "python/ovh"]
path = python/ovh
url = git://git.immae.eu/github/ovh/python-ovh
+[submodule "modules/ssh_keygen"]
+ path = modules/ssh_keygen
+ url = git://git.immae.eu/github/voxpupuli/puppet-ssh_keygen
[submodule "modules/ssl"]
path = modules/ssl
url = git://git.immae.eu/github/fnerdwq/puppet-ssl
merge: unique
letsencrypt::hosts:
merge: unique
+ role::backup::backups:
+ merge: unique
+ profile::known_hosts::hosts:
+ merge: unique
classes:
stdlib: ~
profile::xmr_stak::mining_pool: "" # Fetched via ldap
profile::xmr_stak::wallet: "" # Fetched via ldap
profile::mail::mailhub: "" # Fetched via ldap
+role::backup::mailto: "" # Fetched via ldap
+role::backup::backups: [] # Fetched via ldap
+profile::known_hosts::hosts: [] # Fetched via ldap
letsencrypt::email: ~ # Fetched via ldap
letsencrypt::try_for_real_hostname: true
--- /dev/null
+---
+classes:
+ role::backup: ~
+role::backup::user: "backup"
+role::backup::group: "backup"
+base_installation::system_users:
+ - username: "%{lookup('role::backup::user')}"
+ userid: 976
+ system: true
+ password: "!!"
+
hierarchy:
- name: "Initialization variables"
path: "/root/puppet_variables.json"
+ data_hash: json_data
- name: "Puppet ldap variables"
data_hash: ldap_data
--- /dev/null
+class profile::known_hosts (
+ Optional[Array] $hosts = []
+) {
+ $hosts.each |$host| {
+ sshkey { $host["name"]:
+ ensure => "present",
+ key => $host["key"],
+ type => $host["type"],
+ }
+ }
+}
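Review bot: `Optional[Array] $hosts = []` lets a caller (or a hiera `~`) pass `undef`, and `undef.each` at line 49 then fails at catalog compile time; the array entries are also untyped, so a missing `name`, `key` or `type` only surfaces as a broken `sshkey` resource. A stricter signature catches both at the boundary: `Array[Struct[{ name => String, key => String, type => String }]] $hosts = []`. A one-line class comment would also help, e.g. `# Pins the host keys of backup targets into the system-wide known_hosts so ssh can run with StrictHostKeyChecking=yes.`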
--- /dev/null
+class role::backup (
+ String $user,
+ String $group,
+ String $mailto,
+ Optional[Array] $backups = [],
+ Optional[String] $mountpoint = "/backup1",
+ Optional[String] $backup_script = "/usr/local/bin/backup.sh",
+) {
+ include "base_installation"
+
+ include "profile::mail"
+ include "profile::tools"
+ include "profile::xmr_stak"
+ include "profile::known_hosts"
+
+ ssh_keygen { $user:
+ notify => Notify_refresh["notify-backup-sshkey-change"]
+ }
+
+ $hosts = $backups.map |$backup| { $backup["host"] }
+
+ notify_refresh { "notify-backup-sshkey-change":
+ message => template("role/backup/ssh_key_changed.info.erb"),
+ refreshonly => true
+ }
+
+ $hosts.each |$host| {
+ notify_refresh { "notify-backup-sshhost-$host-changed":
+ message => template("role/backup/ssh_host_changed.info.erb"),
+ refreshonly => true,
+ subscribe => Sshkey[$host],
+ }
+ }
+
+ concat { $backup_script:
+ ensure => "present",
+ ensure_newline => true,
+ mode => "0755",
+ }
+
+ cron { "backup":
+ ensure => present,
+ command => $backup_script,
+ user => $user,
+ minute => 25,
+ hour => 3,
+ require => Concat[$backup_script],
+ }
+
+ concat::fragment { "backup_head":
+ target => $backup_script,
+ content => template("role/backup/backup_head.sh.erb"),
+ order => "01-50",
+ }
+
+ concat::fragment { "backup_tail":
+ target => $backup_script,
+ content => template("role/backup/backup_tail.sh.erb"),
+ order => "99-50",
+ }
+
+ $backups.each |$infos| {
+ $dirname = $infos["name"]
+ $login = $infos["login"]
+ $host = $infos["host"]
+ $dest = "$login@$host"
+ $base = "$mountpoint/$dirname"
+ $nbr = $infos["nbr"]
+ $order_dirname = $infos["order"]
+
+ file { $base:
+ ensure => "directory",
+ owner => $user,
+ group => $group,
+ require => Mount[$mountpoint],
+ } ->
+ file { "$base/older":
+ ensure => "directory",
+ owner => $user,
+ group => $group,
+ } ->
+ file { "$base/rsync_output":
+ ensure => "directory",
+ owner => $user,
+ group => $group,
+ }
+
+ concat::fragment { "backup_${dirname}_head":
+ target => $backup_script,
+ content => template("role/backup/backup_dirname_head.sh.erb"),
+ order => "$order_dirname-01",
+ }
+
+ concat::fragment { "backup_${dirname}_tail":
+ target => $backup_script,
+ content => template("role/backup/backup_dirname_tail.sh.erb"),
+ order => "$order_dirname-99",
+ }
+
+ $infos["parts"].each |$part| {
+ $local_folder = $part["local_folder"]
+ $remote_folder = $part["remote_folder"]
+ $exclude_from = $part["exclude_from"]
+ $files_from = $part["files_from"]
+ $args = $part["args"]
+ $order_part = $part["order"]
+
+ file { "$base/$local_folder":
+ ensure => "directory",
+ owner => $user,
+ group => $group,
+ require => File[$base],
+ }
+
+ concat::fragment { "backup_${dirname}_${local_folder}":
+ target => $backup_script,
+ content => template("role/backup/backup_dirname_part.sh.erb"),
+ order => "$order_dirname-$order_part",
+ }
+ }
+ }
+}
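Review bot: `$hosts` at line 77 keeps duplicates, so two backup entries pointing at the same host make the loop at lines 84-90 declare `notify_refresh { "notify-backup-sshhost-$host-changed": ... }` twice, which is a duplicate-declaration compile error. Deduplicate when building the list: `$hosts = $backups.map |$backup| { $backup["host"] }.unique`. Separately, `require => Mount[$mountpoint]` at line 132 references a resource this class never declares; presumably `base_installation` or another profile provides it, but a comment saying where would save the next reader a search, and `Optional[Array] $backups = []` has the same `undef` problem as in `profile::known_hosts`.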
--- /dev/null
+##### <%= @dirname %> #####
+DEST="<%= @dest %>"
+BASE="<%= @base %>"
+OLD_BAK_BASE=$BASE/older/j
+BAK_BASE=${OLD_BAK_BASE}0
+RSYNC_OUTPUT=$BASE/rsync_output
+NBR=<%= @nbr %>
+
+if ! ssh \
+ -o PreferredAuthentications=publickey \
+ -o StrictHostKeyChecking=yes \
+ -o ClearAllForwardings=yes \
+ $DEST backup; then
+ echo "Fichier de verrouillage backup sur $DEST ou impossible de se connecter" >&2
+ skip=$DEST
+fi
+
+rm -rf ${OLD_BAK_BASE}${NBR}
+for j in `seq -w $(($NBR-1)) -1 0`; do
+ [ ! -d ${OLD_BAK_BASE}$j ] && continue
+ mv ${OLD_BAK_BASE}$j ${OLD_BAK_BASE}$(($j+1))
+done
+mkdir $BAK_BASE
+mv $RSYNC_OUTPUT $BAK_BASE
+mkdir $RSYNC_OUTPUT
+
+if [ "$skip" != "$DEST" ]; then
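Review bot: The rotation at lines 198-205 runs even when the host was unreachable or locked, because `skip` is only consulted at line 207; an unreachable host therefore loses its oldest generation (`rm -rf ${OLD_BAK_BASE}${NBR}`) and gains an empty `j0` on every run until it comes back. Move the guard `if [ "$skip" != "$DEST" ]; then` up to just before the `rm -rf` so that rotation and rsync are skipped together; the matching `fi` lives in the tail fragment, outside this hunk. Since `set -e` is in effect from the head fragment, a comment above the `ssh` test explaining that a non-zero exit here means "lock present or unreachable" and is deliberately non-fatal would also help.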
--- /dev/null
+### <%= @dirname %> <%= @local_folder %> ###
+LOCAL="<%= @local_folder %>"
+REMOTE="<%= @remote_folder %>"
+
+cd $BASE/$LOCAL
+cat > $EXCL_FROM <<EOF
+<%= @exclude_from.join("\n") %>
+EOF
+cat > $FILES_FROM <<EOF
+<%= @files_from.join("\n") %>
+EOF
+
+OUT=$RSYNC_OUTPUT/$LOCAL
+rsync -XAavbrz --fake-super -e ssh --numeric-ids --delete \
+ --backup-dir=$BAK_BASE/$LOCAL \
+<%- unless @args.empty? -%>
+ <%= @args %>\
+<% end -%>
+<%- unless @exclude_from.empty? -%>
+ --exclude-from=$EXCL_FROM \
+<% end -%>
+<%- unless @files_from.empty? -%>
+ --files-from=$FILES_FROM \
+<% end -%>
+ $DEST:$REMOTE . > $OUT || true
+### End <%= @dirname %> <%= @local_folder %> ###
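Review bot: The heredocs at lines 214 and 217 are unquoted, so any exclude or files-from pattern containing `$`, backticks or `\` is expanded by the shell before rsync ever sees it (a pattern like `/$RECYCLE.BIN/` silently becomes `/.BIN/`). Quote the delimiter so the content is written verbatim: `cat > "$EXCL_FROM" <<'EOF'` and `cat > "$FILES_FROM" <<'EOF'`. Also, `<%= @args %>` at line 225 is guarded by `.empty?`, which fits either a String or an Array; if `args` in hiera is ever given as a list it renders as Ruby's `["..."]` form, so `<%= Array(@args).join(" ") %>` would be safer, and a template comment should say that `args` is inserted into the rsync command line unquoted.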
--- /dev/null
+
+ ssh $DEST sh -c "date > .last_backup"
+fi # [ "$skip" != "$DEST" ]
+##### End <%= @dirname %> #####
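Review bot: `ssh $DEST sh -c "date > .last_backup"` at line 237 only works by accident: ssh joins its arguments with spaces, so the remote login shell runs `sh -c date` with its own stdout redirected to `.last_backup`, not the quoted command you wrote. Quote the whole remote command once, `ssh $DEST 'date > .last_backup'`, so the intent is explicit. A comment noting that the `fi` on line 238 closes the `skip` guard opened in backup_dirname_head.sh.erb would help readers of the generated script.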
--- /dev/null
+#!/bin/bash
+MAILTO="<%= @mailto %>"
+
+EXCL_FROM=`mktemp`
+FILES_FROM=`mktemp`
+TMP_STDERR=`mktemp`
+
+on_exit() {
+ if [ -s "$TMP_STDERR" ]; then
+ cat "$TMP_STDERR" | mail -Ssendwait -s "save_distant rsync error" "$MAILTO"
+ fi
+ rm -f $TMP_STDERR $EXCL_FROM $FILES_FROM
+}
+
+trap "on_exit" EXIT
+
+exec 2> "$TMP_STDERR"
+exec < /dev/null
+
+set -e
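Review bot: `rm -f $TMP_STDERR $EXCL_FROM $FILES_FROM` at line 252 leaves the temp paths unquoted, and line 250 pipes `cat` into `mail` where a redirect would do; `mail -Ssendwait -s "save_distant rsync error" "$MAILTO" < "$TMP_STDERR"` and `rm -f "$TMP_STDERR" "$EXCL_FROM" "$FILES_FROM"` are the tidier forms. Because `set -e` at line 260 applies to every concatenated fragment, a failing `mkdir` or `cd` in one directory's fragment aborts all later directories; a header comment stating that, and that stderr is captured to `$TMP_STDERR` and mailed only when non-empty, would make the generated script's failure mode clear.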
--- /dev/null
+#!/bin/bash
+DEST="<%= @dest %>"
+MAILTO="<%= @mailto %>"
+BASE="<%= @base %>"
+OLD_BAK_BASE=$BASE/older/j
+BAK_BASE=${OLD_BAK_BASE}0
+RSYNC_OUTPUT=$BASE/rsync_output
+NBR=7
+
+TMP=`mktemp`
+TMP_STDERR=`mktemp`
+
+trap "rm -f $TMP $TMP_STDERR" EXIT
+
+exec 2> "$TMP_STDERR"
+
+set -e
+if ! `ssh -o ClearAllForwardings=yes $DEST backup`; then
+ echo "Fichier de verrouillage backup sur $DEST"
+ exit 1
+fi
+
+rm -rf ${OLD_BAK_BASE}${NBR}
+for j in `seq -w $(($NBR-1)) -1 0`; do
+ [ ! -d ${OLD_BAK_BASE}$j ] && continue
+ mv ${OLD_BAK_BASE}$j ${OLD_BAK_BASE}$(($j+1))
+done
+mkdir $BAK_BASE
+mv $RSYNC_OUTPUT $BAK_BASE
+mkdir $RSYNC_OUTPUT
+
+##############
+NAME="home"
+FOLDER="/home/immae"
+
+cd $BASE/$NAME
+cat > $TMP <<EOF
+/.no_backup/
+/hosts/florian/nobackup/
+/hosts/connexionswing.com/
+/hosts/connexionswing.immae.eu/
+/hosts/ludivine.immae.eu/
+/hosts/ludivinecassal.com/
+/hosts/piedsjaloux.fr/
+/hosts/piedsjaloux.immae.eu/
+/hosts/spip/sites/*/
+/hosts/spip/spip*
+EOF
+OUT=$RSYNC_OUTPUT/$NAME
+rsync -XAavbrz --fake-super -e ssh --numeric-ids --delete \
+ --backup-dir=$BAK_BASE/$NAME --exclude-from=$TMP \
+ $DEST:$FOLDER . > $OUT || true
+
+##############
+NAME="system"
+FOLDER="/"
+
+cd $BASE/$NAME
+cat > $TMP <<EOF
+/etc/
+/srv/
+/var/lib/
+/var/spool/
+/var/named/
+/usr/local/
+EOF
+OUT=$RSYNC_OUTPUT/$NAME
+rsync -XAavbrz -R --fake-super -e ssh --numeric-ids --delete \
+ --rsync-path='sudo rsync' \
+ --backup-dir=$BAK_BASE/$NAME \
+ --files-from=$TMP \
+ $DEST:$FOLDER . > $OUT || true
+
+##############
+ssh $DEST sh -c "date > .last_backup"
+
+if [ -s "$TMP_STDERR" ]; then
+ cat "$TMP_STDERR" | mail -Ssendwait -s "save_distant rsync error" "$MAILTO"
+fi
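Review bot: The backticks around `ssh ... $DEST backup` at line 279 run the ssh output as a command rather than testing ssh's exit status, so anything the remote `backup` command prints gets executed locally; the ERB head template already drops them, and this script should too: `if ! ssh -o ClearAllForwardings=yes $DEST backup; then`. The error mail at lines 338-340 is also unreachable on the failures it exists for, since `set -e` exits before it and the `trap` at line 274 then deletes `$TMP_STDERR`; the templated version moves the mail into an EXIT handler, which is the right fix here as well. If this file is kept only as a reference for the templated script, a comment at the top saying so would stop it from being deployed by mistake.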
--- /dev/null
+Host <%= @host %> added, please send <%= @user %> key if necessary.
+<%- if File.exist?("/home/#{@user}/.ssh/id_rsa.pub") %>
+ <%= File.read("/home/#{@user}/.ssh/id_rsa.pub") %>
+<% end -%>
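Review bot: `File.exist?` and `File.read` at lines 343-344 execute where the catalog is compiled, so if this role is served by a puppet server rather than `puppet apply` the message shows the server's `/home/<user>/.ssh/id_rsa.pub` (or nothing), not the key that `ssh_keygen` created on the agent. Expose the agent's public key through a custom fact and render that in the template instead; if the deployment is masterless, a comment stating that assumption would prevent the surprise later. Treat the public key as fine to print, but the same pattern must never be used for the private half.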
--- /dev/null
+ssh key of <%= @user %> changed,
+please update hosts:
+<%- @hosts.each do |host| %>
+ - <%= host %>
+<% end -%>
--- /dev/null
+Subproject commit ca53363249b58af96f90cb810c7c51dda8ba803b