diff options
-rw-r--r-- | .gitmodules | 3 | ||||
-rw-r--r-- | environments/global/common.yaml | 7 | ||||
-rw-r--r-- | environments/global/roles/backup.yaml | 11 | ||||
-rw-r--r-- | environments/hiera.yaml | 1 | ||||
-rw-r--r-- | modules/profile/manifests/known_hosts.pp | 11 | ||||
-rw-r--r-- | modules/role/manifests/backup.pp | 122 | ||||
-rw-r--r-- | modules/role/templates/backup/backup_dirname_head.sh.erb | 27 | ||||
-rw-r--r-- | modules/role/templates/backup/backup_dirname_part.sh.erb | 26 | ||||
-rw-r--r-- | modules/role/templates/backup/backup_dirname_tail.sh.erb | 4 | ||||
-rw-r--r-- | modules/role/templates/backup/backup_head.sh.erb | 20 | ||||
-rw-r--r-- | modules/role/templates/backup/backup_immae_eu.sh.erb | 79 | ||||
-rw-r--r-- | modules/role/templates/backup/backup_tail.sh.erb | 0 | ||||
-rw-r--r-- | modules/role/templates/backup/ssh_host_changed.info.erb | 4 | ||||
-rw-r--r-- | modules/role/templates/backup/ssh_key_changed.info.erb | 5 | ||||
m--------- | modules/ssh_keygen | 0 |
15 files changed, 320 insertions, 0 deletions
diff --git a/.gitmodules b/.gitmodules index fa5163a..735ca8c 100644 --- a/.gitmodules +++ b/.gitmodules | |||
@@ -46,6 +46,9 @@ | |||
46 | [submodule "python/ovh"] | 46 | [submodule "python/ovh"] |
47 | path = python/ovh | 47 | path = python/ovh |
48 | url = git://git.immae.eu/github/ovh/python-ovh | 48 | url = git://git.immae.eu/github/ovh/python-ovh |
49 | [submodule "modules/ssh_keygen"] | ||
50 | path = modules/ssh_keygen | ||
51 | url = git://git.immae.eu/github/voxpupuli/puppet-ssh_keygen | ||
49 | [submodule "modules/ssl"] | 52 | [submodule "modules/ssl"] |
50 | path = modules/ssl | 53 | path = modules/ssl |
51 | url = git://git.immae.eu/github/fnerdwq/puppet-ssl | 54 | url = git://git.immae.eu/github/fnerdwq/puppet-ssl |
diff --git a/environments/global/common.yaml b/environments/global/common.yaml index e7c70d4..4836f6e 100644 --- a/environments/global/common.yaml +++ b/environments/global/common.yaml | |||
@@ -8,6 +8,10 @@ lookup_options: | |||
8 | merge: unique | 8 | merge: unique |
9 | letsencrypt::hosts: | 9 | letsencrypt::hosts: |
10 | merge: unique | 10 | merge: unique |
11 | role::backup::backups: | ||
12 | merge: unique | ||
13 | profile::known_hosts::hosts: | ||
14 | merge: unique | ||
11 | 15 | ||
12 | classes: | 16 | classes: |
13 | stdlib: ~ | 17 | stdlib: ~ |
@@ -31,5 +35,8 @@ base_installation::system_users: [] # Fetched via ldap | |||
31 | profile::xmr_stak::mining_pool: "" # Fetched via ldap | 35 | profile::xmr_stak::mining_pool: "" # Fetched via ldap |
32 | profile::xmr_stak::wallet: "" # Fetched via ldap | 36 | profile::xmr_stak::wallet: "" # Fetched via ldap |
33 | profile::mail::mailhub: "" # Fetched via ldap | 37 | profile::mail::mailhub: "" # Fetched via ldap |
38 | role::backup::mailto: "" # Fetched via ldap | ||
39 | role::backup::backups: [] # Fetched via ldap | ||
40 | profile::known_hosts::hosts: [] # Fetched via ldap | ||
34 | letsencrypt::email: ~ # Fetched via ldap | 41 | letsencrypt::email: ~ # Fetched via ldap |
35 | letsencrypt::try_for_real_hostname: true | 42 | letsencrypt::try_for_real_hostname: true |
diff --git a/environments/global/roles/backup.yaml b/environments/global/roles/backup.yaml new file mode 100644 index 0000000..52befe2 --- /dev/null +++ b/environments/global/roles/backup.yaml | |||
@@ -0,0 +1,11 @@ | |||
1 | --- | ||
2 | classes: | ||
3 | role::backup: ~ | ||
4 | role::backup::user: "backup" | ||
5 | role::backup::group: "backup" | ||
6 | base_installation::system_users: | ||
7 | - username: "%{lookup('role::backup::user')}" | ||
8 | userid: 976 | ||
9 | system: true | ||
10 | password: "!!" | ||
11 | |||
diff --git a/environments/hiera.yaml b/environments/hiera.yaml index eda5eb3..61d40d8 100644 --- a/environments/hiera.yaml +++ b/environments/hiera.yaml | |||
@@ -8,6 +8,7 @@ defaults: | |||
8 | hierarchy: | 8 | hierarchy: |
9 | - name: "Initialization variables" | 9 | - name: "Initialization variables" |
10 | path: "/root/puppet_variables.json" | 10 | path: "/root/puppet_variables.json" |
11 | data_hash: json_data | ||
11 | 12 | ||
12 | - name: "Puppet ldap variables" | 13 | - name: "Puppet ldap variables" |
13 | data_hash: ldap_data | 14 | data_hash: ldap_data |
diff --git a/modules/profile/manifests/known_hosts.pp b/modules/profile/manifests/known_hosts.pp new file mode 100644 index 0000000..ed9ec8e --- /dev/null +++ b/modules/profile/manifests/known_hosts.pp | |||
@@ -0,0 +1,11 @@ | |||
1 | class profile::known_hosts ( | ||
2 | Optional[Array] $hosts = [] | ||
3 | ) { | ||
4 | $hosts.each |$host| { | ||
5 | sshkey { $host["name"]: | ||
6 | ensure => "present", | ||
7 | key => $host["key"], | ||
8 | type => $host["type"], | ||
9 | } | ||
10 | } | ||
11 | } | ||
diff --git a/modules/role/manifests/backup.pp b/modules/role/manifests/backup.pp new file mode 100644 index 0000000..edfd5e0 --- /dev/null +++ b/modules/role/manifests/backup.pp | |||
@@ -0,0 +1,122 @@ | |||
1 | class role::backup ( | ||
2 | String $user, | ||
3 | String $group, | ||
4 | String $mailto, | ||
5 | Optional[Array] $backups = [], | ||
6 | Optional[String] $mountpoint = "/backup1", | ||
7 | Optional[String] $backup_script = "/usr/local/bin/backup.sh", | ||
8 | ) { | ||
9 | include "base_installation" | ||
10 | |||
11 | include "profile::mail" | ||
12 | include "profile::tools" | ||
13 | include "profile::xmr_stak" | ||
14 | include "profile::known_hosts" | ||
15 | |||
16 | ssh_keygen { $user: | ||
17 | notify => Notify_refresh["notify-backup-sshkey-change"] | ||
18 | } | ||
19 | |||
20 | $hosts = $backups.map |$backup| { $backup["host"] } | ||
21 | |||
22 | notify_refresh { "notify-backup-sshkey-change": | ||
23 | message => template("role/backup/ssh_key_changed.info.erb"), | ||
24 | refreshonly => true | ||
25 | } | ||
26 | |||
27 | $hosts.each |$host| { | ||
28 | notify_refresh { "notify-backup-sshhost-$host-changed": | ||
29 | message => template("role/backup/ssh_host_changed.info.erb"), | ||
30 | refreshonly => true, | ||
31 | subscribe => Sshkey[$host], | ||
32 | } | ||
33 | } | ||
34 | |||
35 | concat { $backup_script: | ||
36 | ensure => "present", | ||
37 | ensure_newline => true, | ||
38 | mode => "0755", | ||
39 | } | ||
40 | |||
41 | cron { "backup": | ||
42 | ensure => present, | ||
43 | command => $backup_script, | ||
44 | user => $user, | ||
45 | minute => 25, | ||
46 | hour => 3, | ||
47 | require => Concat[$backup_script], | ||
48 | } | ||
49 | |||
50 | concat::fragment { "backup_head": | ||
51 | target => $backup_script, | ||
52 | content => template("role/backup/backup_head.sh.erb"), | ||
53 | order => "01-50", | ||
54 | } | ||
55 | |||
56 | concat::fragment { "backup_tail": | ||
57 | target => $backup_script, | ||
58 | content => template("role/backup/backup_tail.sh.erb"), | ||
59 | order => "99-50", | ||
60 | } | ||
61 | |||
62 | $backups.each |$infos| { | ||
63 | $dirname = $infos["name"] | ||
64 | $login = $infos["login"] | ||
65 | $host = $infos["host"] | ||
66 | $dest = "$login@$host" | ||
67 | $base = "$mountpoint/$dirname" | ||
68 | $nbr = $infos["nbr"] | ||
69 | $order_dirname = $infos["order"] | ||
70 | |||
71 | file { $base: | ||
72 | ensure => "directory", | ||
73 | owner => $user, | ||
74 | group => $group, | ||
75 | require => Mount[$mountpoint], | ||
76 | } -> | ||
77 | file { "$base/older": | ||
78 | ensure => "directory", | ||
79 | owner => $user, | ||
80 | group => $group, | ||
81 | } -> | ||
82 | file { "$base/rsync_output": | ||
83 | ensure => "directory", | ||
84 | owner => $user, | ||
85 | group => $group, | ||
86 | } | ||
87 | |||
88 | concat::fragment { "backup_${dirname}_head": | ||
89 | target => $backup_script, | ||
90 | content => template("role/backup/backup_dirname_head.sh.erb"), | ||
91 | order => "$order_dirname-01", | ||
92 | } | ||
93 | |||
94 | concat::fragment { "backup_${dirname}_tail": | ||
95 | target => $backup_script, | ||
96 | content => template("role/backup/backup_dirname_tail.sh.erb"), | ||
97 | order => "$order_dirname-99", | ||
98 | } | ||
99 | |||
100 | $infos["parts"].each |$part| { | ||
101 | $local_folder = $part["local_folder"] | ||
102 | $remote_folder = $part["remote_folder"] | ||
103 | $exclude_from = $part["exclude_from"] | ||
104 | $files_from = $part["files_from"] | ||
105 | $args = $part["args"] | ||
106 | $order_part = $part["order"] | ||
107 | |||
108 | file { "$base/$local_folder": | ||
109 | ensure => "directory", | ||
110 | owner => $user, | ||
111 | group => $group, | ||
112 | require => File[$base], | ||
113 | } | ||
114 | |||
115 | concat::fragment { "backup_${dirname}_${local_folder}": | ||
116 | target => $backup_script, | ||
117 | content => template("role/backup/backup_dirname_part.sh.erb"), | ||
118 | order => "$order_dirname-$order_part", | ||
119 | } | ||
120 | } | ||
121 | } | ||
122 | } | ||
diff --git a/modules/role/templates/backup/backup_dirname_head.sh.erb b/modules/role/templates/backup/backup_dirname_head.sh.erb new file mode 100644 index 0000000..e20cfd3 --- /dev/null +++ b/modules/role/templates/backup/backup_dirname_head.sh.erb | |||
@@ -0,0 +1,27 @@ | |||
1 | ##### <%= @dirname %> ##### | ||
2 | DEST="<%= @dest %>" | ||
3 | BASE="<%= @base %>" | ||
4 | OLD_BAK_BASE=$BASE/older/j | ||
5 | BAK_BASE=${OLD_BAK_BASE}0 | ||
6 | RSYNC_OUTPUT=$BASE/rsync_output | ||
7 | NBR=<%= @nbr %> | ||
8 | |||
9 | if ! ssh \ | ||
10 | -o PreferredAuthentications=publickey \ | ||
11 | -o StrictHostKeyChecking=yes \ | ||
12 | -o ClearAllForwardings=yes \ | ||
13 | $DEST backup; then | ||
14 | echo "Fichier de verrouillage backup sur $DEST ou impossible de se connecter" >&2 | ||
15 | skip=$DEST | ||
16 | fi | ||
17 | |||
18 | rm -rf ${OLD_BAK_BASE}${NBR} | ||
19 | for j in `seq -w $(($NBR-1)) -1 0`; do | ||
20 | [ ! -d ${OLD_BAK_BASE}$j ] && continue | ||
21 | mv ${OLD_BAK_BASE}$j ${OLD_BAK_BASE}$(($j+1)) | ||
22 | done | ||
23 | mkdir $BAK_BASE | ||
24 | mv $RSYNC_OUTPUT $BAK_BASE | ||
25 | mkdir $RSYNC_OUTPUT | ||
26 | |||
27 | if [ "$skip" != "$DEST" ]; then | ||
diff --git a/modules/role/templates/backup/backup_dirname_part.sh.erb b/modules/role/templates/backup/backup_dirname_part.sh.erb new file mode 100644 index 0000000..ec662c4 --- /dev/null +++ b/modules/role/templates/backup/backup_dirname_part.sh.erb | |||
@@ -0,0 +1,26 @@ | |||
1 | ### <%= @dirname %> <%= @local_folder %> ### | ||
2 | LOCAL="<%= @local_folder %>" | ||
3 | REMOTE="<%= @remote_folder %>" | ||
4 | |||
5 | cd $BASE/$LOCAL | ||
6 | cat > $EXCL_FROM <<EOF | ||
7 | <%= @exclude_from.join("\n") %> | ||
8 | EOF | ||
9 | cat > $FILES_FROM <<EOF | ||
10 | <%= @files_from.join("\n") %> | ||
11 | EOF | ||
12 | |||
13 | OUT=$RSYNC_OUTPUT/$LOCAL | ||
14 | rsync -XAavbrz --fake-super -e ssh --numeric-ids --delete \ | ||
15 | --backup-dir=$BAK_BASE/$LOCAL \ | ||
16 | <%- unless @args.empty? -%> | ||
17 | <%= @args %>\ | ||
18 | <% end -%> | ||
19 | <%- unless @exclude_from.empty? -%> | ||
20 | --exclude-from=$EXCL_FROM \ | ||
21 | <% end -%> | ||
22 | <%- unless @files_from.empty? -%> | ||
23 | --files-from=$FILES_FROM \ | ||
24 | <% end -%> | ||
25 | $DEST:$REMOTE . > $OUT || true | ||
26 | ### End <%= @dirname %> <%= @local_folder %> ### | ||
diff --git a/modules/role/templates/backup/backup_dirname_tail.sh.erb b/modules/role/templates/backup/backup_dirname_tail.sh.erb new file mode 100644 index 0000000..6b16c9d --- /dev/null +++ b/modules/role/templates/backup/backup_dirname_tail.sh.erb | |||
@@ -0,0 +1,4 @@ | |||
1 | |||
2 | ssh $DEST sh -c "date > .last_backup" | ||
3 | fi # [ "$skip" != "$DEST" ] | ||
4 | ##### End <%= @dirname %> ##### | ||
diff --git a/modules/role/templates/backup/backup_head.sh.erb b/modules/role/templates/backup/backup_head.sh.erb new file mode 100644 index 0000000..be9f5bf --- /dev/null +++ b/modules/role/templates/backup/backup_head.sh.erb | |||
@@ -0,0 +1,20 @@ | |||
1 | #!/bin/bash | ||
2 | MAILTO="<%= @mailto %>" | ||
3 | |||
4 | EXCL_FROM=`mktemp` | ||
5 | FILES_FROM=`mktemp` | ||
6 | TMP_STDERR=`mktemp` | ||
7 | |||
8 | on_exit() { | ||
9 | if [ -s "$TMP_STDERR" ]; then | ||
10 | cat "$TMP_STDERR" | mail -Ssendwait -s "save_distant rsync error" "$MAILTO" | ||
11 | fi | ||
12 | rm -f $TMP_STDERR $EXCL_FROM $FILES_FROM | ||
13 | } | ||
14 | |||
15 | trap "on_exit" EXIT | ||
16 | |||
17 | exec 2> "$TMP_STDERR" | ||
18 | exec < /dev/null | ||
19 | |||
20 | set -e | ||
diff --git a/modules/role/templates/backup/backup_immae_eu.sh.erb b/modules/role/templates/backup/backup_immae_eu.sh.erb new file mode 100644 index 0000000..4fab30e --- /dev/null +++ b/modules/role/templates/backup/backup_immae_eu.sh.erb | |||
@@ -0,0 +1,79 @@ | |||
1 | #!/bin/bash | ||
2 | DEST="<%= @dest %>" | ||
3 | MAILTO="<%= @mailto %>" | ||
4 | BASE="<%= @base %>" | ||
5 | OLD_BAK_BASE=$BASE/older/j | ||
6 | BAK_BASE=${OLD_BAK_BASE}0 | ||
7 | RSYNC_OUTPUT=$BASE/rsync_output | ||
8 | NBR=7 | ||
9 | |||
10 | TMP=`mktemp` | ||
11 | TMP_STDERR=`mktemp` | ||
12 | |||
13 | trap "rm -f $TMP $TMP_STDERR" EXIT | ||
14 | |||
15 | exec 2> "$TMP_STDERR" | ||
16 | |||
17 | set -e | ||
18 | if ! `ssh -o ClearAllForwardings=yes $DEST backup`; then | ||
19 | echo "Fichier de verrouillage backup sur $DEST" | ||
20 | exit 1 | ||
21 | fi | ||
22 | |||
23 | rm -rf ${OLD_BAK_BASE}${NBR} | ||
24 | for j in `seq -w $(($NBR-1)) -1 0`; do | ||
25 | [ ! -d ${OLD_BAK_BASE}$j ] && continue | ||
26 | mv ${OLD_BAK_BASE}$j ${OLD_BAK_BASE}$(($j+1)) | ||
27 | done | ||
28 | mkdir $BAK_BASE | ||
29 | mv $RSYNC_OUTPUT $BAK_BASE | ||
30 | mkdir $RSYNC_OUTPUT | ||
31 | |||
32 | ############## | ||
33 | NAME="home" | ||
34 | FOLDER="/home/immae" | ||
35 | |||
36 | cd $BASE/$NAME | ||
37 | cat > $TMP <<EOF | ||
38 | /.no_backup/ | ||
39 | /hosts/florian/nobackup/ | ||
40 | /hosts/connexionswing.com/ | ||
41 | /hosts/connexionswing.immae.eu/ | ||
42 | /hosts/ludivine.immae.eu/ | ||
43 | /hosts/ludivinecassal.com/ | ||
44 | /hosts/piedsjaloux.fr/ | ||
45 | /hosts/piedsjaloux.immae.eu/ | ||
46 | /hosts/spip/sites/*/ | ||
47 | /hosts/spip/spip* | ||
48 | EOF | ||
49 | OUT=$RSYNC_OUTPUT/$NAME | ||
50 | rsync -XAavbrz --fake-super -e ssh --numeric-ids --delete \ | ||
51 | --backup-dir=$BAK_BASE/$NAME --exclude-from=$TMP \ | ||
52 | $DEST:$FOLDER . > $OUT || true | ||
53 | |||
54 | ############## | ||
55 | NAME="system" | ||
56 | FOLDER="/" | ||
57 | |||
58 | cd $BASE/$NAME | ||
59 | cat > $TMP <<EOF | ||
60 | /etc/ | ||
61 | /srv/ | ||
62 | /var/lib/ | ||
63 | /var/spool/ | ||
64 | /var/named/ | ||
65 | /usr/local/ | ||
66 | EOF | ||
67 | OUT=$RSYNC_OUTPUT/$NAME | ||
68 | rsync -XAavbrz -R --fake-super -e ssh --numeric-ids --delete \ | ||
69 | --rsync-path='sudo rsync' \ | ||
70 | --backup-dir=$BAK_BASE/$NAME \ | ||
71 | --files-from=$TMP \ | ||
72 | $DEST:$FOLDER . > $OUT || true | ||
73 | |||
74 | ############## | ||
75 | ssh $DEST sh -c "date > .last_backup" | ||
76 | |||
77 | if [ -s "$TMP_STDERR" ]; then | ||
78 | cat "$TMP_STDERR" | mail -Ssendwait -s "save_distant rsync error" "$MAILTO" | ||
79 | fi | ||
diff --git a/modules/role/templates/backup/backup_tail.sh.erb b/modules/role/templates/backup/backup_tail.sh.erb new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/modules/role/templates/backup/backup_tail.sh.erb | |||
diff --git a/modules/role/templates/backup/ssh_host_changed.info.erb b/modules/role/templates/backup/ssh_host_changed.info.erb new file mode 100644 index 0000000..ebf202e --- /dev/null +++ b/modules/role/templates/backup/ssh_host_changed.info.erb | |||
@@ -0,0 +1,4 @@ | |||
1 | Host <%= @host %> added, please send <%= @user %> key if necessary. | ||
2 | <%- if File.exist?("/home/#{@user}/.ssh/id_rsa.pub") %> | ||
3 | <%= File.read("/home/#{@user}/.ssh/id_rsa.pub") %> | ||
4 | <% end -%> | ||
diff --git a/modules/role/templates/backup/ssh_key_changed.info.erb b/modules/role/templates/backup/ssh_key_changed.info.erb new file mode 100644 index 0000000..43fd2ec --- /dev/null +++ b/modules/role/templates/backup/ssh_key_changed.info.erb | |||
@@ -0,0 +1,5 @@ | |||
1 | ssh key of <%= @user %> changed, | ||
2 | please update hosts: | ||
3 | <%- @hosts.each do |host| %> | ||
4 | - <%= host %> | ||
5 | <% end -%> | ||
diff --git a/modules/ssh_keygen b/modules/ssh_keygen new file mode 160000 | |||
Subproject ca53363249b58af96f90cb810c7c51dda8ba803 | |||