
5 Commits

Jim Hague 5a3ecb2c50 Add backup operations and remote access configs. 2023-04-04 14:29:28 +01:00
Jim Hague 9260d39730 Add firewall definitions. 2023-04-04 14:28:19 +01:00
Jim Hague a39ca11730 Correct proxy comment. 2023-03-26 16:34:43 +01:00
Jim Hague f7639c230a Change webmail cert path to client path and add symlink on server.
So webmail can be moved between servers if necessary.
2023-03-09 16:58:46 +00:00
Jim Hague 8efa0b29d6 Activate webmail on scabbers and lunch website on hedwig. 2023-03-08 15:44:59 +00:00
12 changed files with 1018 additions and 12 deletions


@ -0,0 +1 @@
command="/usr/bin/rrsync -ro /var/local/backup/backup2l",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa 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 Salt backup clients
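Review bot: The forced command limits what the backup client can run, but nothing limits where the key may be used from, and what it can pull is every archive of /etc (so /etc/shadow), /root, /home and /var/mail — on scabbers also the dehydrated private keys — in plain tar.gz form, since CREATE_DRIVER is left at its default in both configs. Pin the key to the backup host and use the umbrella option so later-added forwarding features are covered too: `from="<backup host address>",restrict,command="/usr/bin/rrsync -ro /var/local/backup/backup2l" ssh-rsa …` (`restrict` needs OpenSSH 7.2 or newer and subsumes the five `no-*` options listed here). The certificate key elsewhere in this tree is ed25519 (`certificates_id_ed25519.pub`); generating this one as ed25519 as well would be consistent and shorter. The rrsync root `/var/local/backup/backup2l` is created by the init state, so that part is covered.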

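--- /dev/null
+++ b/states/backup/hedwig.sls
@@ -0,0 +1,5 @@
+hedwig_backup2l_conf:
+file.managed:
+- name: /etc/backup2l.conf
+- source: salt://backup/hedwig_backup2l.conf
+- mode: 0644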
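Review bot: `/etc/backup2l.conf` is a bash file sourced by backup2l running as root (it defines `PRE_BACKUP`, `POST_BACKUP` and the driver functions), so who may write it matters more than the 0644 mode, and as far as I recall `file.managed` leaves an existing file's owner and group alone when `user`/`group` are not given. Pin them explicitly with `- user: root` and `- group: root` under `file.managed`, so a pre-existing file owned by another account cannot become code run as root at the next backup. Quoting the mode as `'0644'` is not required with Salt's YAML loader, but it keeps generic YAML tooling from reading it as the integer 420.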


@ -0,0 +1,466 @@
##################################################
# Configuration file for backup2l #
##################################################
# Define the backup2l version for which the configuration file is written.
# This way, future versions can automatically warn if the syntax has changed.
FOR_VERSION=1.6
##################################################
# Volume identification
# This is the prefix for all output files;
# multiple volumes can be handled by using different configuration files
VOLNAME="all"
##################################################
# Source files
# List of directories to make backups of.
# All paths MUST be absolute and start with a '/'!
SRCLIST=(/etc /root /home /var/mail /usr/local)
# The following expression specifies the files not to be archived.
# See the find(1) man page for further info. It is discouraged to
# use anything different from conditions (e. g. actions) as it may have
# unforeseeable side effects.
# This example skips all files and directories with a path name containing
# '.nobackup' and all .o files:
SKIPCOND=(-path "*.nobackup*" -o -name "*.o")
# Some background on 'SKIPCOND': The method of using a find(1) expression to determine
# files to backup or to skip is very powerful. Some of the following examples result from feature
# requests by various users who were not always aware that their "feature" was already implemented. ;-)
#
# If you want to exclude several directories use the following expression:
# SKIPCOND=(-path '/path1' -o -path '/path1/*' -o -path '/path2' -o -path '/path2/*')
#
# If you do not have anything to skip, use:
# SKIPCOND=(-false) # "SKIPCOND=()" does not work
#
# To skip directory trees (for performance reasons) you can add the '-prune' action to your SKIPCOND setting, e.g.:
# SKIPCOND=( -name "unimportant_dir" -prune )
#
# To prevent backup2l from crossing filesystem boundaries you can add '-xdev' or '-mount' to your SKIPCOND setting.
##################################################
# Destination
# Mount point of backup device (optional)
#BACKUP_DEV="/disk2"
# Destination directory for backups;
# it must exist and must not be the top-level of BACKUP_DEV
BACKUP_DIR="/var/local/backup/backup2l"
##################################################
# Backup parameters
# Number of levels of differential backups (1..9)
MAX_LEVEL=2
# Maximum number of differential backups per level (1..9)
MAX_PER_LEVEL=5
# Maximum number of full backups (1..8)
MAX_FULL=1
# For differential backups: number of generations to keep per level;
# old backups are removed such that at least GENERATIONS * MAX_PER_LEVEL
# recent versions are still available for the respective level
GENERATIONS=1
# If the following variable is 1, a check file is automatically generated
CREATE_CHECK_FILE=1
##################################################
# Pre-/Post-backup functions
# This user-defined bash function is executed before a backup is made
PRE_BACKUP ()
{
echo " pre-backup: nothing to do"
# e. g., shut down some mail/db servers if their files are to be backup'ed
# On a Debian system, the following statements dump a machine-readable list of
# all installed packages to a file.
#echo " writing dpkg selections to /root/dpkg-selections.log..."
#dpkg --get-selections | diff - /root/dpkg-selections.log > /dev/null || dpkg --get-selections > /root/dpkg-selections.log
}
# This user-defined bash function is executed after a backup is made
POST_BACKUP ()
{
# e. g., restart some mail/db server if its files are to be backup'ed
echo " post-backup: nothing to do"
}
##################################################
# Misc.
# Create a backup when invoked without arguments?
AUTORUN=0
# Size units
SIZE_UNITS="" # set to "B", "K", "M" or "G" to obtain unified units in summary list
# Time zone for meta data
TIME_ZONE="UTC" # if unset (= ""), the local time zone is used for backup meta data;
# For new archives, the value "UTC" is recommended. However, older versions (<= 1.5) used local time,
# and changing the value causes backup2l to consider ALL files as new. So, change this value with care!
# Remove this line after the setup is finished.
#UNCONFIGURED=1
# Archive driver for new backups (default = "DRIVER_TAR_GZ")
#CREATE_DRIVER="DRIVER_TAR_BZ2"
# Usable built-in drivers for CREATE_DRIVER:
# DRIVER_TAR, DRIVER_TAR_GZ, DRIVER_TAR_BZ2, DRIVER_AFIOZ
##################################################
# User-defined archive drivers (optional)
# This section demonstrates how user-defined archive drivers can be added.
# The example shows a modified version of the "afioz" driver with some additional parameters
# one may want to pass to afio in order to tune the speed, archive size etc. .
# An archive driver consists of a bash function named
# "DRIVER_<your-driver-name>" implementing the (sometimes simple) operations "-test", "-suffix",
# "-create", "-toc", and "-extract".
# If you do not want to write your own archive driver, you can remove the remainder of this file.
# registering custom drivers below for use as CREATE_DRIVER (optional)
#USER_DRIVER_LIST="DRIVER_MY_AFIOZ DRIVER_MY_AFIOBZ2 DRIVER_TAR_GZ_SPLIT DRIVER_ZIP"
DRIVER_MY_AFIOZ ()
{
case $1 in
-test)
# This function should check whether all prerequisites are met, especially if all
# required tools are installed. This prevents backup2l to fail in inconvenient
# situations, e. g. during a backup or restore operation. If everything is ok, the
# string "ok" should be returned. Everything else is interpreted as a failure.
require_tools afio
# The function 'require_tools' checks for the existence of all tools passed as
# arguments. If one of the tools is not found by which(1), an error message is
# displayed and the function does not return.
echo "ok"
;;
-suffix)
# This function should return the suffix of backup archive files. If the driver
# does not create a file (e. g. transfers the backup data immediately to a tape
# or network device), an empty string has to be returned. backup2l uses this suffix
# to select a driver for unpacking. If a user-configured driver supports the same
# suffix as a built-in driver, the user driver is preferred (as in this case).
echo "afioz"
;;
-create) # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
# This function is called to create a backup file. The argument $3 is the full file
# name of the archive file including path and suffix. $4 contains an alphabetically
# sorted list of files (full pathname) to be backed up. Directories are not contained,
# they are handled by backup2l directly without using the driver.
# All output to stderr should be directed to stdout ("2>&1").
afio -Zo -G 9 -M 30m -T 2k $3 < $4 2>&1
# This line passes some additional options to afio (see afio(1)):
# '-G 9' maximizes the compression by gzip.
# '-M 30m' increases the size of the internal file buffer. Larger files have to
# be compressed twice.
# '-T 2k' prevents the compression of files smaller than 2k in order to save time.
;;
-toc) # Arguments: $2 = BID, $3 = archive file name
# This function is used to validate the correct generation of an archive file.
# The output is compared to the list file passed to the '-create' function.
# Any difference is reported as an error.
afio -Zt $3 | sed 's#^#/#'
# The sed command adds a leading slash to each entry.
;;
-extract) # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
# This function is called by backup2l's restore procedure for each archive.
# It is extremely important that only those files contained in $4 are restored.
# Otherwise it may happen that files are overwritten by incorrect (e. g. older)
# versions of the same file.
afio -Zinw $4 $3 2>&1
;;
esac
}
##################################################
# More sample archive drivers (optional)
# This is an unordered collection of drivers that may be useful for you,
# either to use them directly or to derive own drivers.
# Here's a version of the standard DRIVER_TAR_GZ driver,
# modified to split the output archive file into multiple sections.
# (donated by Michael Moedt)
DRIVER_TAR_GZ_SPLIT ()
{
case $1 in
-test)
require_tools tar split cat
echo "ok"
;;
-suffix)
echo "tgz_split"
;;
-create) # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
mkdir -p ${3}
tar cz --no-recursion -T $4 | split --bytes=725100100 - ${3}/part_
;;
-toc) # Arguments: $2 = BID, $3 = archive file name
cat ${3}/part_* | tar tz | sed 's#^#/#'
;;
-extract) # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
cat ${3}/part_* | tar xz --same-permission --same-owner -T $4 2>&1
;;
esac
}
# The following driver is equivalent to the built-in DRIVER_TAR_GZ driver, but
# does not change the access times of the original files during backup
# (Adrian Bunk, Gundolf Kiefer)
DRIVER_TAR_GZ ()
{
case $1 in
-test)
require_tools tar
echo "ok"
;;
-suffix)
echo "tar.gz"
;;
-create) # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
tar czf $3 --no-recursion -T $4 --atime-preserve 2>&1 \
| grep -v 'tar: Removing leading .* from .* names'
;;
-toc) # Arguments: $2 = BID, $3 = archive file name
tar tzf $3 | sed 's#^#/#'
;;
-extract) # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
tar zx --same-permission --same-owner -f $3 -T $4 2>&1
;;
esac
}
# This driver uses afio and bzip2, where bzip2 is invoked by afio.
# (donated by Carl Staelin)
DRIVER_MY_AFIOBZ2 ()
{
case $1 in
-test)
require_tools afio bzip2
echo "ok"
;;
-suffix)
echo "afio-bz2"
;;
-create) # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
afio -z -1 m -P bzip2 -Q -9 -Z -M 50m -T 1k -o $3 <$4 2>&1
# This line passes some additional options to afio (see afio(1)):
# '-P bzip2' utilizes bzip2 as an external compressor
# '-Q 9' maximizes the compression by bzip2.
# '-M 50m' increases the size of the internal file buffer. Larger files have to
# be compressed twice.
# '-T 1k' prevents the compression of files smaller than 1k in order to save time.
;;
-toc) # Arguments: $2 = BID, $3 = archive file name
afio -t -Z -P bzip2 -Q -d - <$3 | sed 's#^#/#'
# The sed command adds a leading slash to each entry.
;;
-extract) # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
afio -Zinw $4 -P bzip2 -Q -d - <$3 2>&1
;;
esac
}
# This driver uses afio and bzip2, such that the I/O stream is piped through bzip2.
# (donated by Carl Staelin)
DRIVER_MY_AFIO_BZ2 ()
{
case $1 in
-test)
require_tools afio bzip2
echo "ok"
;;
-suffix)
echo "afio.bz2"
;;
-create) # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
afio -o - < $4 | bzip2 --best > $3 2>&1
;;
-toc) # Arguments: $2 = BID, $3 = archive file name
bzip2 -d < $3 | afio -t - | sed 's#^#/#'
# The sed command adds a leading slash to each entry.
;;
-extract) # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
bzip2 -d < $3 | afio -inw $4 - 2>&1
;;
esac
}
# This driver uses the Info-ZIP tools to generate zip files. Unfourtunately unzip
# expects all file names to be on the command line. So unless there is a work-
# around it's not possible to use the "-extract" command.
# (donated by Georg Lutz)
DRIVER_ZIP ()
{
case $1 in
-test)
require_tools zip
echo "ok"
;;
-suffix)
echo "zip"
;;
-create) # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
cat $4| zip -qy $3 -@
;;
-toc) # Arguments: $2 = BID, $3 = archive file name
zipinfo -1 $3| sed 's#^#/#'
;;
-extract) # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
echo "Not implemented yet! Sorry."
#unzip $3
;;
esac
}
# This driver uses tar and pipes the output through gnupg. You can specifiy
# the passphrase in a file (/etc/backup2l.pass in the example). You have to
# invoke gpg at least one time before backup because gnupg has to initiate
# first thing in the home directory.
DRIVER_TAR_GPG ()
{
case $1 in
-test)
require_tools tar gpg
echo "ok"
;;
-suffix)
echo "tar.pgp"
;;
-create) # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
tar -c --no-recursion -T $4 | /usr/bin/gpg --batch --no-tty -q --passphrase-fd 3 3</etc/backup2l.pass -c - > $3
;;
-toc) # Arguments: $2 = BID, $3 = archive file name
/usr/bin/gpg --batch --no-tty -q --passphrase-fd 3 3</etc/backup2l.pass -d $3 2>/dev/null | tar t | sed 's#^#/#'
;;
-extract) # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
/usr/bin/gpg --batch --no-tty -q --passphrase-fd 3 3</etc/backup2l.pass -d $3 2>/dev/null | tar -x --same-permission --same-owner -T $4 2>&1
;;
esac
}
# PIGZ driver (donated by Thomas R. Bailey <siggma@trbailey.net>)
# (improved by Sven Hartge <sven@svenhartge.de>)
#
# NOTES: USE ONLY WITH MULTI CORE CPU
# REQUIRES YOU TO DOWNLOAD AND COMPILE PIGZ
# OR INSTALL IT FROM YOUR DISTRO REPOSITORY
# http://www.zlib.net/pigz/
#
DRIVER_TAR_PIGZ ()
{
case $1 in
-test)
require_tools tar pigz gzip
echo "ok"
;;
-suffix)
echo "tar.gz"
;;
-create) # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
tar cf $3 --no-recursion --atime-preserve -I pigz -T $4 2>&1 | grep -v 'tar: Removing leading .* from .* names'
;;
-toc) # Arguments: $2 = BID, $3 = archive file name
tar tf $3 -I pigz | sed 's#^#/#'
;;
-extract) # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
tar xf $3 --same-permission --same-owner -I pigz -T $4 2>&1
;;
esac
}
# This driver uses tar and LZMA (lzip) compression. LZMA compresses better than
# bzip2, but at the expense of more memory usage. (donated by Amedee Van Gasse)
DRIVER_TAR_LZ ()
{
case $1 in
-test)
require_tools tar lzip
echo "ok"
;;
-suffix)
echo "tar.lz"
;;
-create) # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
tar -c --no-recursion -T $4 | lzip --best -c > $3 2>&1 \
| grep -v 'tar: Removing leading .* from .*'
;;
-toc) # Arguments: $2 = BID, $3 = archive file name
lzip -d $3 -c | tar t | sed 's#^#/#'
;;
-extract) # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
lzip -d $3 -c | tar -x --same-permission --same-owner -T $4 2>&1
;;
esac
}
# This driver uses tar and XZ compression. XZ compresses better than
# bzip2, but at the expense of more memory usage. (donated by Sven Hartge)
DRIVER_TAR_XZ ()
{
case $1 in
-test)
require_tools tar xz
echo "ok"
;;
-suffix)
echo "tar.xz"
;;
-create) # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
tar cJf $3 --no-recursion --atime-preserve -T $4 2>&1 | grep -v 'tar: Removing leading .* from .* names'
;;
-toc) # Arguments: $2 = BID, $3 = archive file name
tar tJf $3 | sed 's#^#/#'
;;
-extract) # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
tar Jx --same-permission --same-owner -f $3 -T $4 2>&1
;;
esac
}
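Review bot: The only site-specific settings in this 466-line file are SRCLIST and BACKUP_DIR; with `CREATE_DRIVER` left commented out the archives are plain tar.gz (the default named on line 124) holding /etc/shadow, /root, /home and /var/mail, and the rrsync key then carries them off the host. If the backup host should not hold those in the clear, `CREATE_DRIVER="DRIVER_TAR_GPG"` is already defined below — it uses symmetric `gpg -c` with the passphrase read from /etc/backup2l.pass, so that file must be root-only (0600) and the passphrase must be kept somewhere other than the backups themselves or a restore is impossible. Everything from `DRIVER_MY_AFIOZ` onward is the upstream sample-driver text, which the comment on line 136 says may be removed; trimming it to the driver actually used would make this managed config reviewable. A one-line header such as `# hedwig: backs up /etc, /root, /home, /var/mail, /usr/local to /var/local/backup/backup2l (pulled by the backup client over rrsync)` would state the contract up front.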

states/backup/init.sls Normal file

@ -0,0 +1,18 @@
backup2l:
pkg.installed: []
backup_directory:
file.directory:
- name: /var/local/backup
- mode: 0755
backup2l_directory:
file.directory:
- name: /var/local/backup/backup2l
- mode: 0700
backup_server_key:
ssh_auth.present:
- user: root
- source: salt://backup/backups_id_rsa.pub
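Review bot: `backup_server_key` puts the key into root's authorized_keys, so the only thing standing between the backup client and a root shell is the `command=`/`no-*` prefix inside backups_id_rsa.pub. Salt's `ssh_auth.present` with `source` does parse and keep those leading options as far as I know, but verify after the first highstate that `/root/.ssh/authorized_keys` on the minion shows the `command="/usr/bin/rrsync -ro …"` prefix, because a key line without it is an unrestricted root login. Adding `- require: - file: backup2l_directory` to this state would also record that the rrsync root must exist before the key is useful. A comment such as `# 0700: archives contain /etc, /root and mail` on `backup2l_directory` would explain why it is tighter than its 0755 parent.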


@ -0,0 +1,11 @@
jenkins_backup_directory:
file.directory:
- name: /var/local/backup/jenkins
- owner: jenkins
- mode: 0700
scabbers_backup2l_conf:
file.managed:
- name: /etc/backup2l.conf
- source: salt://backup/scabbers_backup2l.conf
- mode: 0644
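Review bot: `jenkins_backup_directory` lives under /var/local/backup, which is created by `backup_directory` in init.sls, but this file neither includes `backup` nor requires that state, so the ordering rests entirely on top.sls listing `backup` before `backup/scabbers`. Add `include: - backup` at the top of the file and `- require: - file: backup_directory` to this state so it stands on its own. `scabbers_backup2l_conf` manages a bash file that backup2l sources as root; pin `- user: root` and `- group: root` under its `file.managed` so a pre-existing file with other ownership cannot feed code into the root backup run, since ownership is otherwise left as found.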


@ -0,0 +1,466 @@
##################################################
# Configuration file for backup2l #
##################################################
# Define the backup2l version for which the configuration file is written.
# This way, future versions can automatically warn if the syntax has changed.
FOR_VERSION=1.6
##################################################
# Volume identification
# This is the prefix for all output files;
# multiple volumes can be handled by using different configuration files
VOLNAME="all"
##################################################
# Source files
# List of directories to make backups of.
# All paths MUST be absolute and start with a '/'!
SRCLIST=(/etc /root /home /var/mail /usr/local /var/lib/gitea /var/lib/dehydrated /var/local/backup/jenkins)
# The following expression specifies the files not to be archived.
# See the find(1) man page for further info. It is discouraged to
# use anything different from conditions (e. g. actions) as it may have
# unforeseeable side effects.
# This example skips all files and directories with a path name containing
# '.nobackup' and all .o files:
SKIPCOND=(-path "*.nobackup*" -o -name "*.o")
# Some background on 'SKIPCOND': The method of using a find(1) expression to determine
# files to backup or to skip is very powerful. Some of the following examples result from feature
# requests by various users who were not always aware that their "feature" was already implemented. ;-)
#
# If you want to exclude several directories use the following expression:
# SKIPCOND=(-path '/path1' -o -path '/path1/*' -o -path '/path2' -o -path '/path2/*')
#
# If you do not have anything to skip, use:
# SKIPCOND=(-false) # "SKIPCOND=()" does not work
#
# To skip directory trees (for performance reasons) you can add the '-prune' action to your SKIPCOND setting, e.g.:
# SKIPCOND=( -name "unimportant_dir" -prune )
#
# To prevent backup2l from crossing filesystem boundaries you can add '-xdev' or '-mount' to your SKIPCOND setting.
##################################################
# Destination
# Mount point of backup device (optional)
#BACKUP_DEV="/disk2"
# Destination directory for backups;
# it must exist and must not be the top-level of BACKUP_DEV
BACKUP_DIR="/var/local/backup/backup2l"
##################################################
# Backup parameters
# Number of levels of differential backups (1..9)
MAX_LEVEL=2
# Maximum number of differential backups per level (1..9)
MAX_PER_LEVEL=5
# Maximum number of full backups (1..8)
MAX_FULL=1
# For differential backups: number of generations to keep per level;
# old backups are removed such that at least GENERATIONS * MAX_PER_LEVEL
# recent versions are still available for the respective level
GENERATIONS=1
# If the following variable is 1, a check file is automatically generated
CREATE_CHECK_FILE=1
##################################################
# Pre-/Post-backup functions
# This user-defined bash function is executed before a backup is made
PRE_BACKUP ()
{
echo " pre-backup: nothing to do"
# e. g., shut down some mail/db servers if their files are to be backup'ed
# On a Debian system, the following statements dump a machine-readable list of
# all installed packages to a file.
#echo " writing dpkg selections to /root/dpkg-selections.log..."
#dpkg --get-selections | diff - /root/dpkg-selections.log > /dev/null || dpkg --get-selections > /root/dpkg-selections.log
}
# This user-defined bash function is executed after a backup is made
POST_BACKUP ()
{
# e. g., restart some mail/db server if its files are to be backup'ed
echo " post-backup: nothing to do"
}
##################################################
# Misc.
# Create a backup when invoked without arguments?
AUTORUN=0
# Size units
SIZE_UNITS="" # set to "B", "K", "M" or "G" to obtain unified units in summary list
# Time zone for meta data
TIME_ZONE="UTC" # if unset (= ""), the local time zone is used for backup meta data;
# For new archives, the value "UTC" is recommended. However, older versions (<= 1.5) used local time,
# and changing the value causes backup2l to consider ALL files as new. So, change this value with care!
# Remove this line after the setup is finished.
#UNCONFIGURED=1
# Archive driver for new backups (default = "DRIVER_TAR_GZ")
#CREATE_DRIVER="DRIVER_TAR_BZ2"
# Usable built-in drivers for CREATE_DRIVER:
# DRIVER_TAR, DRIVER_TAR_GZ, DRIVER_TAR_BZ2, DRIVER_AFIOZ
##################################################
# User-defined archive drivers (optional)
# This section demonstrates how user-defined archive drivers can be added.
# The example shows a modified version of the "afioz" driver with some additional parameters
# one may want to pass to afio in order to tune the speed, archive size etc. .
# An archive driver consists of a bash function named
# "DRIVER_<your-driver-name>" implementing the (sometimes simple) operations "-test", "-suffix",
# "-create", "-toc", and "-extract".
# If you do not want to write your own archive driver, you can remove the remainder of this file.
# registering custom drivers below for use as CREATE_DRIVER (optional)
#USER_DRIVER_LIST="DRIVER_MY_AFIOZ DRIVER_MY_AFIOBZ2 DRIVER_TAR_GZ_SPLIT DRIVER_ZIP"
DRIVER_MY_AFIOZ ()
{
case $1 in
-test)
# This function should check whether all prerequisites are met, especially if all
# required tools are installed. This prevents backup2l to fail in inconvenient
# situations, e. g. during a backup or restore operation. If everything is ok, the
# string "ok" should be returned. Everything else is interpreted as a failure.
require_tools afio
# The function 'require_tools' checks for the existence of all tools passed as
# arguments. If one of the tools is not found by which(1), an error message is
# displayed and the function does not return.
echo "ok"
;;
-suffix)
# This function should return the suffix of backup archive files. If the driver
# does not create a file (e. g. transfers the backup data immediately to a tape
# or network device), an empty string has to be returned. backup2l uses this suffix
# to select a driver for unpacking. If a user-configured driver supports the same
# suffix as a built-in driver, the user driver is preferred (as in this case).
echo "afioz"
;;
-create) # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
# This function is called to create a backup file. The argument $3 is the full file
# name of the archive file including path and suffix. $4 contains an alphabetically
# sorted list of files (full pathname) to be backed up. Directories are not contained,
# they are handled by backup2l directly without using the driver.
# All output to stderr should be directed to stdout ("2>&1").
afio -Zo -G 9 -M 30m -T 2k $3 < $4 2>&1
# This line passes some additional options to afio (see afio(1)):
# '-G 9' maximizes the compression by gzip.
# '-M 30m' increases the size of the internal file buffer. Larger files have to
# be compressed twice.
# '-T 2k' prevents the compression of files smaller than 2k in order to save time.
;;
-toc) # Arguments: $2 = BID, $3 = archive file name
# This function is used to validate the correct generation of an archive file.
# The output is compared to the list file passed to the '-create' function.
# Any difference is reported as an error.
afio -Zt $3 | sed 's#^#/#'
# The sed command adds a leading slash to each entry.
;;
-extract) # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
# This function is called by backup2l's restore procedure for each archive.
# It is extremely important that only those files contained in $4 are restored.
# Otherwise it may happen that files are overwritten by incorrect (e. g. older)
# versions of the same file.
afio -Zinw $4 $3 2>&1
;;
esac
}
##################################################
# More sample archive drivers (optional)
# This is an unordered collection of drivers that may be useful for you,
# either to use them directly or to derive own drivers.
# Here's a version of the standard DRIVER_TAR_GZ driver,
# modified to split the output archive file into multiple sections.
# (donated by Michael Moedt)
DRIVER_TAR_GZ_SPLIT ()
{
case $1 in
-test)
require_tools tar split cat
echo "ok"
;;
-suffix)
echo "tgz_split"
;;
-create) # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
mkdir -p ${3}
tar cz --no-recursion -T $4 | split --bytes=725100100 - ${3}/part_
;;
-toc) # Arguments: $2 = BID, $3 = archive file name
cat ${3}/part_* | tar tz | sed 's#^#/#'
;;
-extract) # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
cat ${3}/part_* | tar xz --same-permission --same-owner -T $4 2>&1
;;
esac
}
# The following driver is equivalent to the built-in DRIVER_TAR_GZ driver, but
# does not change the access times of the original files during backup
# (Adrian Bunk, Gundolf Kiefer)
DRIVER_TAR_GZ ()
{
case $1 in
-test)
require_tools tar
echo "ok"
;;
-suffix)
echo "tar.gz"
;;
-create) # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
tar czf $3 --no-recursion -T $4 --atime-preserve 2>&1 \
| grep -v 'tar: Removing leading .* from .* names'
;;
-toc) # Arguments: $2 = BID, $3 = archive file name
tar tzf $3 | sed 's#^#/#'
;;
-extract) # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
tar zx --same-permission --same-owner -f $3 -T $4 2>&1
;;
esac
}
# This driver uses afio and bzip2, where bzip2 is invoked by afio.
# (donated by Carl Staelin)
DRIVER_MY_AFIOBZ2 ()
{
case $1 in
-test)
require_tools afio bzip2
echo "ok"
;;
-suffix)
echo "afio-bz2"
;;
-create) # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
afio -z -1 m -P bzip2 -Q -9 -Z -M 50m -T 1k -o $3 <$4 2>&1
# This line passes some additional options to afio (see afio(1)):
# '-P bzip2' utilizes bzip2 as an external compressor
# '-Q 9' maximizes the compression by bzip2.
# '-M 50m' increases the size of the internal file buffer. Larger files have to
# be compressed twice.
# '-T 1k' prevents the compression of files smaller than 1k in order to save time.
;;
-toc) # Arguments: $2 = BID, $3 = archive file name
afio -t -Z -P bzip2 -Q -d - <$3 | sed 's#^#/#'
# The sed command adds a leading slash to each entry.
;;
-extract) # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
afio -Zinw $4 -P bzip2 -Q -d - <$3 2>&1
;;
esac
}
# This driver uses afio and bzip2, such that the I/O stream is piped through bzip2.
# (donated by Carl Staelin)
DRIVER_MY_AFIO_BZ2 ()
{
case $1 in
-test)
require_tools afio bzip2
echo "ok"
;;
-suffix)
echo "afio.bz2"
;;
-create) # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
afio -o - < $4 | bzip2 --best > $3 2>&1
;;
-toc) # Arguments: $2 = BID, $3 = archive file name
bzip2 -d < $3 | afio -t - | sed 's#^#/#'
# The sed command adds a leading slash to each entry.
;;
-extract) # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
bzip2 -d < $3 | afio -inw $4 - 2>&1
;;
esac
}
# This driver uses the Info-ZIP tools to generate zip files. Unfourtunately unzip
# expects all file names to be on the command line. So unless there is a work-
# around it's not possible to use the "-extract" command.
# (donated by Georg Lutz)
DRIVER_ZIP ()
{
case $1 in
-test)
require_tools zip
echo "ok"
;;
-suffix)
echo "zip"
;;
-create) # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
cat $4| zip -qy $3 -@
;;
-toc) # Arguments: $2 = BID, $3 = archive file name
zipinfo -1 $3| sed 's#^#/#'
;;
-extract) # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
echo "Not implemented yet! Sorry."
#unzip $3
;;
esac
}
# This driver uses tar and pipes the output through gnupg. You can specifiy
# the passphrase in a file (/etc/backup2l.pass in the example). You have to
# invoke gpg at least one time before backup because gnupg has to initiate
# first thing in the home directory.
DRIVER_TAR_GPG ()
{
case $1 in
-test)
require_tools tar gpg
echo "ok"
;;
-suffix)
echo "tar.pgp"
;;
-create) # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
tar -c --no-recursion -T $4 | /usr/bin/gpg --batch --no-tty -q --passphrase-fd 3 3</etc/backup2l.pass -c - > $3
;;
-toc) # Arguments: $2 = BID, $3 = archive file name
/usr/bin/gpg --batch --no-tty -q --passphrase-fd 3 3</etc/backup2l.pass -d $3 2>/dev/null | tar t | sed 's#^#/#'
;;
-extract) # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
/usr/bin/gpg --batch --no-tty -q --passphrase-fd 3 3</etc/backup2l.pass -d $3 2>/dev/null | tar -x --same-permission --same-owner -T $4 2>&1
;;
esac
}
# PIGZ driver (donated by Thomas R. Bailey <siggma@trbailey.net>)
# (improved by Sven Hartge <sven@svenhartge.de>)
#
# NOTES: USE ONLY WITH MULTI CORE CPU
# REQUIRES YOU TO DOWNLOAD AND COMPILE PIGZ
# OR INSTALL IT FROM YOUR DISTRO REPOSITORY
# http://www.zlib.net/pigz/
#
DRIVER_TAR_PIGZ ()
{
case $1 in
-test)
require_tools tar pigz gzip
echo "ok"
;;
-suffix)
echo "tar.gz"
;;
-create) # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
tar cf $3 --no-recursion --atime-preserve -I pigz -T $4 2>&1 | grep -v 'tar: Removing leading .* from .* names'
;;
-toc) # Arguments: $2 = BID, $3 = archive file name
tar tf $3 -I pigz | sed 's#^#/#'
;;
-extract) # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
tar xf $3 --same-permission --same-owner -I pigz -T $4 2>&1
;;
esac
}
# This driver uses tar and LZMA (lzip) compression. LZMA compresses better than
# bzip2, but at the expense of more memory usage. (donated by Amedee Van Gasse)
DRIVER_TAR_LZ ()
{
case $1 in
-test)
require_tools tar lzip
echo "ok"
;;
-suffix)
echo "tar.lz"
;;
-create) # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
tar -c --no-recursion -T $4 | lzip --best -c > $3 2>&1 \
| grep -v 'tar: Removing leading .* from .*'
;;
-toc) # Arguments: $2 = BID, $3 = archive file name
lzip -d $3 -c | tar t | sed 's#^#/#'
;;
-extract) # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
lzip -d $3 -c | tar -x --same-permission --same-owner -T $4 2>&1
;;
esac
}
# This driver uses tar and XZ compression. XZ compresses better than
# bzip2, but at the expense of more memory usage. (donated by Sven Hartge)
DRIVER_TAR_XZ ()
{
case $1 in
-test)
require_tools tar xz
echo "ok"
;;
-suffix)
echo "tar.xz"
;;
-create) # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
tar cJf $3 --no-recursion --atime-preserve -T $4 2>&1 | grep -v 'tar: Removing leading .* from .* names'
;;
-toc) # Arguments: $2 = BID, $3 = archive file name
tar tJf $3 | sed 's#^#/#'
;;
-extract) # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
tar Jx --same-permission --same-owner -f $3 -T $4 2>&1
;;
esac
}
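Review bot: SRCLIST now includes /var/lib/gitea and /var/local/backup/jenkins, yet PRE_BACKUP and POST_BACKUP still do nothing, so Gitea's data (its database if it is SQLite, repositories and app.ini with its secret keys) is copied while the service is writing, and a hot copy of a live database may not restore cleanly — this is an assumption about the deployment, please confirm. Either stop the service around the run (`systemctl stop gitea` in PRE_BACKUP, `systemctl start gitea` in POST_BACKUP) or have PRE_BACKUP run `gitea dump` into a directory that is the backup source instead. Note also that /var/lib/dehydrated brings the live TLS private keys into every archive, and with CREATE_DRIVER at its tar.gz default those leave the host unencrypted through the rrsync key; `DRIVER_TAR_GPG` below is a ready-made alternative if the backup host should not hold them in the clear. A header comment listing why each extra path is in SRCLIST (`# gitea: repos + db; dehydrated: certs and keys; jenkins: dumps written by the jenkins user`) would help whoever restores.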


@ -51,3 +51,8 @@ server_key:
ssh_auth.present:
- user: root
- source: salt://certificates/certificates_id_ed25519.pub
server_client_certificate_location:
file.symlink:
- name: /var/local/certificates
- target: /var/lib/dehydrated/certs
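Review bot: Nothing in the state says why a symlink from `/var/local/certificates` to dehydrated's certs directory exists on the certificate server; a comment such as `# Same path certificates/client provides, so vhost configs work on either side` above `server_client_certificate_location` would record the intent of commit f7639c230a. Because the target holds the private keys, confirm that `/var/lib/dehydrated/certs` itself stays root-only — permissions are enforced on the target, so the symlink widens nothing, but the new path now advertises where the keys are. The `server_key` state begins outside the hunk.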


@ -2,9 +2,22 @@ hedwig_public:
firewalld.present:
- name: public
- default: False
- ports:
- 22/tcp
- 80/tcp
- 443/tcp
- services:
- dhcpv6-client
- ssh
- prune_services: True
- require:
- firewalld
hedwig_mythic_proxy:
firewalld.present:
- name: mythicproxy
- default: False
- services:
- http
- https
- prune_services: True
- sources:
- 2a00:1098::82:1000:3b:1:1
- 2a00:1098::80:1000:3b:1:1
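Review bot: The source-restricted `mythicproxy` zone is pointless if `public` still opens 80/tcp and 443/tcp to everyone, and this rendering does not show which of the `ports:` entries were removed, so check `firewall-cmd --zone=public --list-all` after applying. It matters beyond mere exposure: the Gitea vhost in this same change has `RemoteIPProxyProtocol On`, which trusts a PROXY header from any peer, so a client that can reach 80/443 directly can forge its source address in the logs and sidestep fail2ban. Only two IPv6 sources are listed; if the proxy ever connects over IPv4 that traffic would land in `public` as well (assumption — confirm with the provider). `hedwig_mythic_proxy` also lacks the `require: - firewalld` that `public` has; add it for consistency.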


@ -2,9 +2,23 @@ scabbers_public:
firewalld.present:
- name: public
- default: False
- ports:
- 22/tcp
- 80/tcp
- 443/tcp
- services:
- dhcpv6-client
- ssh
- prune_services: True
- require:
- firewalld
scabbers_mythic_proxy:
firewalld.present:
- name: mythicproxy
- default: False
- services:
- http
- https
- prune_services: True
- sources:
- 2a00:1098::82:1000:3b:1:1
- 2a00:1098::80:1000:3b:1:1
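Review bot: As with the hedwig zone file, make sure 80/tcp and 443/tcp are no longer in `public` once this is applied (the rendering does not reveal which `ports:` line was removed); with `RemoteIPProxyProtocol On` in the Gitea vhost, any direct connection can present a forged PROXY header, so the only protection is that nothing but the proxy addresses can reach those ports. The two zone definitions are identical apart from the `hedwig_`/`scabbers_` prefixes, so a single shared SLS with the proxy addresses in pillar would mean the provider's addresses are changed in one place. `scabbers_mythic_proxy` is also missing the `require: - firewalld` that `public` carries.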


@ -8,7 +8,7 @@
RemoteIPProxyProtocol On
# Jenkins
# Gitea proxy
ProxyPass / http://localhost:3000/
ProxyPassReverse / http://localhost:3000
ProxyRequests Off


@ -3,15 +3,21 @@ base:
- common
'hedwig.lunch.org.uk':
- certificates/client
- debian
- apache
- backup
- backup/hedwig
- certificates/client
- fail2ban
- firewalls/hedwig
- lunch_website
'scabbers.lunch.org.uk':
- debian
- certificates
- apache
- backup
- backup/scabbers
- dottes_website
- fail2ban
- firewalls/scabbers
@ -19,3 +25,4 @@ base:
- jenkins
- jenkins/worker
- mercurial
- webmail


@ -54,8 +54,8 @@
</Directory>
SSLEngine on
SSLCertificateFile /var/lib/dehydrated/certs/mail.lunch.org.uk/fullchain.pem
SSLCertificateKeyFile /var/lib/dehydrated/certs/mail.lunch.org.uk/privkey.pem
SSLCertificateFile /var/local/certificates/mail.lunch.org.uk/fullchain.pem
SSLCertificateKeyFile /var/local/certificates/mail.lunch.org.uk/privkey.pem
</VirtualHost>
</IfModule>
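Review bot: On a client host the file behind `/var/local/certificates/mail.lunch.org.uk/privkey.pem` is now whatever `certificates/client` copies there rather than dehydrated's own output, so confirm the copy preserves root:root 0600 on `privkey.pem` and 0700 on the directory — Apache reads the key as root at start, so nothing wider is needed (the client state is not in this change, hence the hedge). A comment above `SSLCertificateFile`, e.g. `# /var/local/certificates is a symlink on the cert server and a synced copy elsewhere; see states/certificates`, would tell the next maintainer why the dehydrated path is not used directly. Apache still needs a reload after each renewal whichever path is used; the symlink does not change that. The VirtualHost starts outside the hunk.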