From d65337d3e722582874d8ced4e3be5fc3d2778e70 Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Sat, 15 Nov 2014 13:42:04 -0400
Subject: [PATCH 1/2] add Obnam backupEncrypted
This after I typoed an obnam setup and accidentially had a repo that was backing up non-encrypted.
---
 config-joey.hs | 7 ++-----
 src/Propellor/Property/Obnam.hs | 18 ++++++++++++++----
 .../Property/SiteSpecific/JoeySites.hs | 5 ++---
 3 files changed, 18 insertions(+), 12 deletions(-)
diff --git a/config-joey.hs b/config-joey.hs
index 74647df..583c3bd 100644
--- a/config-joey.hs
+++ b/config-joey.hs
@@ -10,7 +10,6 @@ import qualified Propellor.Property.Apt as Apt
 import qualified Propellor.Property.Network as Network
 import qualified Propellor.Property.Service as Service
 import qualified Propellor.Property.Ssh as Ssh
-import qualified Propellor.Property.Gpg as Gpg
 import qualified Propellor.Property.Cron as Cron
 import qualified Propellor.Property.Sudo as Sudo
 import qualified Propellor.Property.User as User
@@ -115,17 +114,15 @@ kite = standardSystemUnhardened "kite.kitenet.net" Unstable "amd64"
 	& Ssh.passwordAuthentication True
 	-- Since ssh password authentication is allowed:
 	& Apt.serviceInstalledRunning "fail2ban"
-	& Obnam.backup "/" "33 1 * * *"
+	& Obnam.backupEncrypted "/" "33 1 * * *"
 		[ "--repository=sftp://joey@eubackup.kitenet.net/~/lib/backup/kite.obnam"
 		, "--client-name=kitenet.net"
-		, "--encrypt-with=98147487"
 		, "--exclude=/var/cache"
 		, "--exclude=/var/tmp"
 		, "--exclude=/home/joey/lib"
 		, "--exclude=.*/tmp/"
 		, "--one-file-system"
-		] Obnam.OnlyClient
-			`requires` Gpg.keyImported "98147487" "root"
+		] Obnam.OnlyClient "98147487"
 			`requires` Ssh.keyImported SshRsa "root" (Context "kite.kitenet.net")
 			`requires` Ssh.knownHost hosts "eubackup.kitenet.net" "root"
diff --git a/src/Propellor/Property/Obnam.hs b/src/Propellor/Property/Obnam.hs
index 1e7c2c2..e18ca3f 100644
--- a/src/Propellor/Property/Obnam.hs
+++ b/src/Propellor/Property/Obnam.hs
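Review bot: `] Obnam.OnlyClient "98147487"` identifies the backup recipient by a 32-bit short key id, the same string that `Gpg.keyImported` is keyed on and that the generated `--encrypt-with` hands to gpg to choose a key from root's keyring. That is unambiguous only while the keyring holds no other key with that short id; short ids are cheap to collide, and if one is ever imported, which key obnam encrypts to is decided by gpg's lookup rather than by this config. If `Gpg.keyImported` (not visible in this diff) accepts it, passing the full fingerprint in place of `"98147487"` removes the ambiguity at no cost. The `kite` property chain begins before this hunk.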
@@ -3,6 +3,7 @@ module Propellor.Property.Obnam where
 import Propellor
 import qualified Propellor.Property.Apt as Apt
 import qualified Propellor.Property.Cron as Cron
+import qualified Propellor.Property.Gpg as Gpg
 import Utility.SafeCommand
 import Data.List
@@ -31,15 +32,24 @@ data NumClients = OnlyClient | MultipleClients
 --
 -- > & Obnam.backup "/srv/git" "33 3 * * *"
 -- > 	[ "--repository=sftp://2318@usw-s002.rsync.net/~/mygitrepos.obnam"
--- > 	, "--encrypt-with=1B169BE1"
 -- > 	] Obnam.OnlyClient
--- > 	`requires` Gpg.keyImported "1B169BE1" "root"
 -- > 	`requires` Ssh.keyImported SshRsa "root" (Context hostname)
 --
 -- How awesome is that?
 backup :: FilePath -> Cron.CronTimes -> [ObnamParam] -> NumClients -> Property
-backup dir crontimes params numclients = backup' dir crontimes params numclients
-	`requires` restored dir params
+backup dir crontimes params numclients =
+	backup' dir crontimes params numclients
+		`requires` restored dir params
+-- | Like backup, but the specified gpg key id is used to encrypt
+-- the repository.
+--
+-- The gpg secret key will be automatically imported
+-- into root's keyring using Propellor.Property.Gpg.keyImported
+backupEncrypted :: FilePath -> Cron.CronTimes -> [ObnamParam] -> NumClients -> Gpg.GpgKeyId -> Property
+backupEncrypted dir crontimes params numclients keyid =
+	backup dir crontimes (("--encrypt-with=" ++ keyid):params) numclients
+		`requires` Gpg.keyImported keyid "root"
 -- | Does a backup, but does not automatically restore.
 backup' :: FilePath -> Cron.CronTimes -> [ObnamParam] -> NumClients -> Property
diff --git a/src/Propellor/Property/SiteSpecific/JoeySites.hs b/src/Propellor/Property/SiteSpecific/JoeySites.hs
index bd9e01e..7b8216f 100644
--- a/src/Propellor/Property/SiteSpecific/JoeySites.hs
+++ b/src/Propellor/Property/SiteSpecific/JoeySites.hs
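Review bot: `backupEncrypted` prepends `--encrypt-with=keyid` but keeps any `--encrypt-with` the caller already placed in `params`, so a config that still carries its own (JoeySites.hs in this same patch does) hands obnam the option twice and which value wins is left to obnam's option parser, the same kind of silent misconfiguration the commit message says motivated this function. Make the key argument authoritative by dropping any caller-supplied copy: `backup dir crontimes (("--encrypt-with=" ++ keyid) : filter (not . isPrefixOf "--encrypt-with=") params) numclients`; `isPrefixOf` is already in scope through the existing `import Data.List`. The haddock should then say so, e.g. `-- Any --encrypt-with already present in the params is replaced by this key id.`, and `restored dir params`, which `backup` chains in, then sees that single option as well.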
@@ -142,12 +142,11 @@ obnamLowMem = combineProperties "obnam tuned for low memory use"
 gitServer :: [Host] -> Property
 gitServer hosts = propertyList "git.kitenet.net setup"
 	[ Obnam.latestVersion
-	, Obnam.backup "/srv/git" "33 3 * * *"
+	, Obnam.backupEncrypted "/srv/git" "33 3 * * *"
 		[ "--repository=sftp://2318@usw-s002.rsync.net/~/git.kitenet.net"
 		, "--encrypt-with=1B169BE1"
 		, "--client-name=wren" -- historical
-		] Obnam.OnlyClient
-			`requires` Gpg.keyImported "1B169BE1" "root"
+		] Obnam.OnlyClient "1B169BE1"
 			`requires` Ssh.keyImported SshRsa "root" (Context "git.kitenet.net")
 			`requires` Ssh.knownHost hosts "usw-s002.rsync.net" "root"
 			`requires` Ssh.authorizedKeys "family" (Context "git.kitenet.net")
From 269996e25d8f5481024f472a57debfd51dfcc703 Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Sat, 15 Nov 2014 13:44:37 -0400
Subject: [PATCH 2/2] moving privdata to privdata.joey (for joeyconfig branch only)
This will be reverted on master. This way, my ongoing development on my joeyconfig branch, including privdata changes, won't result in changes being merged into the privdata/ dir on master. Such changes can cause problems for other propellor users, who can get conflicts in their own privdata when merging from master.
---
 {privdata => privdata.joey}/keyring.gpg | Bin
 {privdata => privdata.joey}/privdata.gpg | 0
 src/Propellor/PrivData/Paths.hs | 2 +-
 3 files changed, 1 insertion(+), 1 deletion(-)
 rename {privdata => privdata.joey}/keyring.gpg (100%)
 rename {privdata => privdata.joey}/privdata.gpg (100%)
diff --git a/privdata/keyring.gpg b/privdata.joey/keyring.gpg
similarity index 100%
rename from privdata/keyring.gpg
rename to privdata.joey/keyring.gpg
diff --git a/privdata/privdata.gpg b/privdata.joey/privdata.gpg
similarity index 100%
rename from privdata/privdata.gpg
rename to privdata.joey/privdata.gpg
diff --git a/src/Propellor/PrivData/Paths.hs b/src/Propellor/PrivData/Paths.hs
index 7c29f1b..1922a31 100644
--- a/src/Propellor/PrivData/Paths.hs
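Review bot: `, "--encrypt-with=1B169BE1"` is still in the parameter list on the context line below the changed call, while `Obnam.backupEncrypted` now also derives `--encrypt-with` from the `"1B169BE1"` argument, so obnam receives the option twice and the key id is maintained in two places. That is harmless only while both copies stay identical; if they ever diverge, which one obnam honours depends on its option parsing rather than on this config. config-joey.hs in this same patch drops the line, so do the same here: delete `, "--encrypt-with=1B169BE1"`. The `gitServer` property list appears to continue past the hunk's last line.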
+++ b/src/Propellor/PrivData/Paths.hs
@@ -3,7 +3,7 @@ module Propellor.PrivData.Paths where
 import System.FilePath
 privDataDir :: FilePath
-privDataDir = "privdata"
+privDataDir = "privdata.joey"
 privDataFile :: FilePath
 privDataFile = privDataDir "privdata.gpg"