Compare commits

...

8 Commits

4 changed files with 109 additions and 56 deletions

115
README.md
View File

@ -25,36 +25,40 @@ This script automates the following tasks:
- [Environment notes](#environment-notes)
- [Why this script must be run as root](#why-this-script-must-be-run-as-root)
- [Script parameters](#script-parameters)
- [Required parameters](#required-parameters)
- [NextCloud data directory: -d _/path/to/data/_](#nextcloud-data-directory--d-_pathtodata_)
- [NextCloud webroot: -n _/path/to/nextcloud/_](#nextcloud-webroot--n-_pathtonextcloud_)
- [webuser account: -w _accountName_](#webuser-account--w-_accountname_)
- [Optional parameters](#optional-parameters)
- [Path to 503 error page: -5 _/path/to/filename.html_](#path-to-503-error-page--5-_pathtofilenamehtml_)
- [Path to borg details file: -b _/path/to/filename.file_](#path-to-borg-details-file--b-_pathtofilenamefile_)
- [Desired log file location: -l _/path/to/filename.file_](#desired-log-file-location--l-_pathtofilenamefile_)
- [Path to SQL details file: -s _/path/to/filename.file_](#path-to-sql-details-file--s-_pathtofilenamefile_)
- [Verbose output from borg: -v (no arguments)](#verbose-output-from-borg--v-no-arguments)
- [Path to webroot: -w _/path/to/webroot/_](#path-to-webroot--w-_pathtowebroot_)
- [Required parameters](#required-parameters)
- [NextCloud data directory: -d _/path/to/data/_](#nextcloud-data-directory--d-pathtodata)
- [NextCloud webroot: -n _/path/to/nextcloud/_](#nextcloud-webroot--n-pathtonextcloud)
- [webuser account: -w _accountName_](#webuser-account--w-accountname)
- [Optional parameters](#optional-parameters)
- [Path to 503 error page: -5 _/path/to/filename.html_](#path-to-503-error-page--5-pathtofilenamehtml)
- [Path to borg details file: -b _/path/to/filename.file_](#path-to-borg-details-file--b-pathtofilenamefile)
- [Desired log file location: -l _/path/to/filename.file_](#desired-log-file-location--l-pathtofilenamefile)
- [Path to SQL details file: -s _/path/to/filename.file_](#path-to-sql-details-file--s-pathtofilenamefile)
- [Verbose output from borg: -v (no arguments)](#verbose-output-from-borg--v-no-arguments)
- [Path to webroot: -w _/path/to/webroot/_](#path-to-webroot--w-pathtowebroot)
- [Borg details file](#borg-details-file)
- [Protect your borg details file](#protect-your-borg-details-file)
- [borg specific entries (lines 1-4)](#borg-specific-entries-lines-1-4)
- [additional files/directories to backup](#additional-filesdirectories-to-backup)
- [exclusion patterns](#exclusion-patterns)
- [prune timeframe options](#prune-timeframe-options)
- [borg remote location](#borg-remote-location)
- [Examples](#examples)
- [Protect your borg details file](#protect-your-borg-details-file)
- [borg specific entries (lines 1-4)](#borg-specific-entries-lines-1-4)
- [Line 1: Path to borg base directory](#line-1-path-to-borg-base-directory)
- [Line 2: Path to SSH key for remote server](#line-2-path-to-ssh-key-for-remote-server)
- [Line 3: Connection string to remote repo](#line-3-connection-string-to-remote-repo)
- [Line 4: Password for borg repo/repo key](#line-4-password-for-borg-reporepo-key)
- [additional files/directories to backup](#additional-filesdirectories-to-backup)
- [exclusion patterns](#exclusion-patterns)
- [prune timeframe options](#prune-timeframe-options)
- [borg remote location](#borg-remote-location)
- [Examples](#examples)
- [SQL details file](#sql-details-file)
- [Protect your sql details file](#protect-your-sql-details-file)
- [Protect your sql details file](#protect-your-sql-details-file)
- [503 functionality](#503-functionality)
- [Conditional forwarding by your webserver](#conditional-forwarding-by-your-webserver)
- [NGINX](#nginx)
- [Apache](#apache)
- [Disabling 503 functionality altogether](#disabling-503-functionality-altogether)
- [Conditional forwarding by your webserver](#conditional-forwarding-by-your-webserver)
- [NGINX](#nginx)
- [Apache](#apache)
- [Disabling 503 functionality altogether](#disabling-503-functionality-altogether)
- [Scheduling: Cron](#scheduling-cron)
- [The log file](#the-log-file)
- [Using Logwatch](#using-logwatch)
- [Remember to rotate your logs](#remember-to-rotate-your-logs)
- [Using Logwatch](#using-logwatch)
- [Remember to rotate your logs](#remember-to-rotate-your-logs)
- [Final notes](#final-notes)
## Installation/copying
@ -201,9 +205,9 @@ example entries. The file must have the following information in the following
order:
1. path to borg base directory **(required)**
2. path to ssh private key for repo **(required)**
2. path to ssh private key for remote server **(required)**
3. connection string to remote repo **(required)**
4. password for ssh key/repo **(required)**
4. password for borg repo/repo key **(required)**
5. path to file listing additional files/directories to backup
6. path to file containing borg-specific exclusion patterns
7. prune timeframe options
@ -226,10 +230,59 @@ chmod 600 nc_borg.details # restrict access to root only (read/write)
If you need help with these options, then you should consult the borg
documentation or search my blog at
[https://mytechiethoughts.com](https://mytechiethoughts.com) for borg. This is
especially true if you want to understand why an SSH key and passphrase are
preferred and why just a passphrase on it's own presents problems automating
borg backups.
[https://mytechiethoughts.com](https://mytechiethoughts.com) for borg. Here's a
very brief overview:
#### Line 1: Path to borg base directory
This is primary directory on your local system where your borg configuration is
located, **NOT* the path to your borg binary. The base directory contains the
borg configuration, cache, security files and keys.
#### Line 2: Path to SSH key for remote server
This is the SSH key used to connect to your remote (backup) server where your
borg repo is located. **This is NOT your borg repo key!**
> Please note: If you are planning on executing this script via cron or some
> other form of automation, it is *highly recommended* that you use an SSH key
> **without** a password! SSH is designed such that passwords cannot simply be
> passed to it via environment variables, etc. so this is something not easily
> automated by a script such as this for security reasons. As such, your
> computer will sit and wait for you to enter the password and will NOT execute
> the actual backup portion of the script until the SSH key password is provided.
>
> If you really want/need to use an SSH key password, you will have to look into
> somethign like GNOME keyring or SSH-agent to provide a secure automated way to
> provide that password to SSH and allow this script to continue.
>
> In practice, SSH keys without passwords are still quite safe since the key
> must still be known in order to connect and most keys are quite long. In
> addition, they key only connects to the remote server, your actual information
> within the borg repository is still encrypted and secured with both a key and
> password.
#### Line 3: Connection string to remote repo
This is the full server and path required to connect to your borg repo on the
remote server. Very often it is the in the form of:
```
user@servername.tld:repo-name/
```
for rsync.net it is in the following form:
```
username@server-number.rsync.net:repo-name/
```
#### Line 4: Password for borg repo/repo key
This is the password needed to access and decrypt your *borg repo*. Assuming
you set up your borg repo using recommended practices, this will actually be the
password for your *borg repo private key*. **This is NOT your SSH key
password!**
### additional files/directories to backup

View File

@ -120,7 +120,7 @@ function quit {
for errCode in "${exitError[@]}"; do
errStamp="${errCode%%_*}"
errValue="${errCode##*_}"
echo -e "${err}${errStamp}-- [ERROR] ${errorExplain[$errValue]}" \
echo -e "${err}${errStamp} -- [ERROR] ${errorExplain[$errValue]}" \
"(code: ${errValue}) --${normal}" >> "$logFile"
done
exit 2
@ -151,7 +151,7 @@ function checkExist {
### ncMaint - pass requested mode change type to NextCloud occ
function ncMaint {
sudo -u ${webUser} php ${ncRoot}/occ maintenance:mode --$1 \
sudo -u "${webUser}" php "${ncRoot}/occ" maintenance:mode --"$1" \
>> "$logFile" 2>&1
maintResult="$?"
return "$maintResult"
@ -277,7 +277,7 @@ warningExplain[5032]="The specified webroot (-w parameter) could not be found"
warningExplain[5033]="No 503 error page could be found. If not using the default located in the script directory, then check your -5 parameter"
warningExplain[5035]="Error copying 503 error page to webroot"
warn503="Web users will NOT be informed the server is down!"
warningExplain[2111]="No password used for SSH keys or access to remote borg repo. This is an insecure configuration"
warningExplain[2111]="No password used for access to remote borg repo. This is an insecure configuration"
warningExplain[2112]="No remote borg instance specified. Operations will be slower in this configuration"
warningExplain[2113]="The specified file containing extra files for inclusion in borgbackup could not be found"
warningExplain[2114]="The specified file containing exclusion patterns for borgbackup could not be found. Backup was performed as though NO exclusions were defined"
@ -381,8 +381,8 @@ if [ -z "$webUser" ]; then
exit 1
# Check if supplied webUser account exists
elif [ -n "$webUser" ]; then
user_exists=$(id -u $webUser > /dev/null 2>&1; echo $?)
if [ $user_exists -ne 0 ]; then
user_exists=$(id -u "$webUser" > /dev/null 2>&1; echo $?)
if [ "$user_exists" -ne 0 ]; then
echo -e "\n${err}The supplied webuser account (-u parameter) does not" \
"exist.${normal}\n"
exit 1
@ -429,9 +429,9 @@ fi
### Log start of script operations
echo -e "${note}[$(stamp)]--- Start $scriptName execution ---${normal}" \
echo -e "${note}[$(stamp)] --- Start $scriptName execution ---${normal}" \
>> "$logFile"
echo -e "${info}[$(stamp)]-- [INFO] Log file located at ${lit}${logFile}${info}" \
echo -e "${info}[$(stamp)] -- [INFO] Log file located at ${lit}${logFile}${info}" \
"--${normal}" >> "$logFile"
@ -600,7 +600,7 @@ else
fi
# repo password
if [ -n "${borgConfig[3]}" ]; then
echo -e "${op}[$(stamp)] Borg SSH/REPO password... OK${normal}" >> "$logFile"
echo -e "${op}[$(stamp)] Borg REPO password... OK${normal}" >> "$logFile"
export BORG_PASSPHRASE="${borgConfig[3]}"
else
exitWarn+=("[$(stamp)]_2111")
@ -706,17 +706,17 @@ if [ -z "$borgExclude" ]; then
echo -e "${info}[$(stamp)] --[INFO] Executing borg without exclusions --" \
"${normal}" >> "$logFile"
borg --show-rc create ${borgCreateParams} ::`date +%Y-%m-%d_%H%M%S` \
${xtraFiles[@]} \
${sqlDumpDir} ${ncDataDir} \
"${xtraFiles[@]}" \
"${sqlDumpDir}" "${ncDataDir}" \
2>> "$logFile"
else
# borgExclude is not empty
echo -e "${info}[$(stamp)] --[INFO] Executing borg with exclusions --" \
"${normal}" >> "$logFile"
borg --show-rc create ${borgCreateParams} --exclude-from ${borgExclude} \
borg --show-rc create ${borgCreateParams} --exclude-from "${borgExclude}" \
::`date +%Y-%m-%d_%H%M%S` \
${xtraFiles[@]} \
${sqlDumpDir} ${ncDataDir} \
"${xtraFiles[@]}" \
"${sqlDumpDir}" "${ncDataDir}" \
2>> "$logFile"
fi

View File

@ -1,8 +1,8 @@
<path to borgbackup base directory> /var/borgbackup
<path to SSH private key for repo> /var/borgbackup/sshPrivate.key
<connection string to remote repo> user@server-number.rsync.net:repoName/
<password for SSH key/repo> pAsSwOrd
<path to file listing extra files> /root/NCscripts/xtraLocations.borg
<path to file with exclusions> /root/NCscripts/excludeLocations.borg
<purge timeframe options> --keep-within=7d --keep-daily=30 --keep-weekly=12 --keep-monthly=-1
<location of borg remote instance> borg1
<path to borgbackup base directory> /var/borgbackup
<path to SSH private key for remote server> /var/borgbackup/sshPrivate.key
<connection string to remote repo> user@servername.tld:repoName/
<password for repo> pAsSwOrd
<path to file listing extra files> /root/NCscripts/xtraLocations.borg
<path to file with exclusions> /root/NCscripts/excludeLocations.borg
<purge timeframe options> --keep-within=7d --keep-daily=30 --keep-weekly=12 --keep-monthly=-1
<location of borg remote instance> borg1

View File

@ -25,9 +25,9 @@
/root/.ssh/
/etc/mysql/my.cnf
/etc/nginx/
/etc/php/7.0/cli/php.ini
/etc/php/7.0/fpm/php-fpm.conf
/etc/php/7.0/fpm/php.ini
/etc/php/7.0/fpm/pool.d/www.conf
/etc/php/7.2/cli/php.ini
/etc/php/7.2/fpm/php-fpm.conf
/etc/php/7.2/fpm/php.ini
/etc/php/7.2/fpm/pool.d/www.conf
/etc/redis/redis.conf
/usr/share/nginx/html/