From 4f281fbcb08d1b8fba72f681aee11f8be4070bde Mon Sep 17 00:00:00 2001
From: turtlebasket
Date: Sun, 25 Jun 2023 09:23:54 -0700
Subject: [PATCH 1/4] encrypted backups + tweaks

---
 .gitignore | 9 +++++++++
 cuddlefish/backup | 8 ++++----
 cuddlefish/docker-compose.yaml | 5 +++++
 3 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/.gitignore b/.gitignore
index 55a58f3..0cf6b81 100644
--- a/.gitignore
+++ b/.gitignore
@@ -81,3 +81,12 @@ Temporary Items
 # .nfs files are created when an open file is removed but is still being accessed
 .nfs*
+# Keys & Secrets
+*.key
+*.asc
+*.txt
+
+# Backups
+*.tar.gz
+*.tar.gz.enc
+*.tar.gz.age
diff --git a/cuddlefish/backup b/cuddlefish/backup
index ea56d23..db28390 100755
--- a/cuddlefish/backup
+++ b/cuddlefish/backup
@@ -1,11 +1,11 @@
 #!/bin/bash
-
 # NOTE: DEPENDING ON PERMISSIONING, YOU MAY NEED TO RUN THIS SCRIPT USING SUDO
 source .env
 DATESTRING=$(date +"%Y-%m-%d_%H%M%S" | tr '[:upper:]' '[:lower:]' | tr ' ' '_')
 ARCHIVE="gitea-data-${DATESTRING}.tar.gz"
-tar -czvf $ARCHIVE gitea-data/
-scp -i $BACKUP_KEYPATH -P $BACKUP_SSH_PORT $ARCHIVE $BACKUP_HOST:~/backups/
-rm $ARCHIVE && echo Removed $ARCHIVE.
+tar -czvf $ARCHIVE gitea-data/ && \
+ age -e -r age1grpe9c934q09933g7mxne03z7k6e572tjcqxdkne6rwyfht2saeq90sf3f -o $ARCHIVE.enc $ARCHIVE && \
+ scp -i $BACKUP_KEYPATH -P $BACKUP_SSH_PORT $ARCHIVE.enc $BACKUP_HOST:~/backups/
+rm -f $ARCHIVE $ARCHIVE.age && echo Removed $ARCHIVE, $ARCHIVE.enc.
diff --git a/cuddlefish/docker-compose.yaml b/cuddlefish/docker-compose.yaml
index 3acf857..4d8fa6f 100644
--- a/cuddlefish/docker-compose.yaml
+++ b/cuddlefish/docker-compose.yaml
@@ -6,6 +6,10 @@ networks:
 services:
+ # ========================================
+ # GIT.MICHAELLISANO.COM
+ # ========================================
+
 gitea-server:
 image: gitea/gitea:1.19.3
 container_name: gitea
@@ -33,3 +37,4 @@ services:
 networks:
 - gitea
+
From f0f9ab7800ac390fb711541d580969d231bced84 Mon Sep 17 00:00:00 2001
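Review bot: `*.txt` in the new Keys & Secrets group ignores every text file in the repository, not just a key file, so any future notes or requirements file with that extension would be silently left out of commits; a narrower pattern such as `*-key.txt`, or the exact key filename, keeps the intent without that side effect. In the Backups group, `*.tar.gz.age` matches nothing this commit writes — `cuddlefish/backup` in the same commit names the ciphertext `$ARCHIVE.enc`, which `*.tar.gz.enc` already covers — so the `.age` entry is either dead or points at a suffix mismatch worth settling now.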
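Review bot: `rm -f $ARCHIVE $ARCHIVE.age` on the new last line removes a file the script never creates; the ciphertext is written as `$ARCHIVE.enc` two lines up, so every run leaves the encrypted archive in the working directory while the echo reports it removed. The cleanup also runs unconditionally: the `&& \` chain stops on a tar, age or scp failure, but the following `rm -f` still deletes the plaintext tarball and prints Removed, so a failed upload exits 0 and looks like a good one. Wrapping the chain in an `if`, exiting non-zero on failure and keeping the artifacts for a retry fixes both, and quoting the expansions (`"$ARCHIVE"`, `"$BACKUP_KEYPATH"`) together with `rm -f --` guards against paths containing spaces or a leading dash. The age recipient is a public key, so hard-coding it is not a secret leak, but it would sit more naturally beside BACKUP_HOST in the sourced .env.
```shell
# … unchanged: shebang, NOTE comment, source .env, DATESTRING and ARCHIVE assignments …
if tar -czvf "$ARCHIVE" gitea-data/ \
  && age -e -r age1grpe9c934q09933g7mxne03z7k6e572tjcqxdkne6rwyfht2saeq90sf3f -o "$ARCHIVE.enc" "$ARCHIVE" \
  && scp -i "$BACKUP_KEYPATH" -P "$BACKUP_SSH_PORT" "$ARCHIVE.enc" "$BACKUP_HOST:~/backups/"; then
  rm -f -- "$ARCHIVE" "$ARCHIVE.enc" && echo "Removed $ARCHIVE, $ARCHIVE.enc."
else
  echo "Backup failed; $ARCHIVE and $ARCHIVE.enc left in place for retry" >&2
  exit 1
fi
```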
From: turtlebasket
Date: Sun, 25 Jun 2023 09:25:32 -0700
Subject: [PATCH 2/4] backup host + tweaks

---
 README.md | 38 +++++++++++++++++++++++++++-----------
 backup/README.md | 24 ++++++++++++++++++++++++
 backup/prune.sh | 15 +++++++++++++++
 3 files changed, 66 insertions(+), 11 deletions(-)
 create mode 100644 backup/README.md
 create mode 100644 backup/prune.sh

diff --git a/README.md b/README.md
index 323e962..24bf9c9 100644
--- a/README.md
+++ b/README.md
@@ -1,18 +1,14 @@
 # Michael's Homelab
 
-## Hosts & Services
+## Hosts
 
-### Cuddlefish
+| Host | OS | Services |
+| :--- | :--- | :------- |
+| Cuddlefish | ![CentOS](https://img.shields.io/badge/centos%207-002260?style=for-the-badge&logo=centos&logoColor=F0F0F0) | Gitea |
+| Rocktiplex | ![Rocky Linux](https://img.shields.io/badge/-Rocky%20Linux%209-%2310B981?style=for-the-badge&logo=rockylinux&logoColor=white) | Fathom |
 
-![CentOS](https://img.shields.io/badge/centos%207-002260?style=for-the-badge&logo=centos&logoColor=F0F0F0)
-
-- `git.michaellisano.com`
-
-### Rocktiplex
-
-![Rocky Linux](https://img.shields.io/badge/-Rocky%20Linux%209-%2310B981?style=for-the-badge&logo=rockylinux&logoColor=white)
-
-- `analytics.michaellisano.com`
+
+
 ## Dockerized Cloudflared Notes
@@ -34,3 +30,23 @@ Then in this case the name of the target service is `gitea-server`, and (per Doc
 https://git.michaellisano.com -> http://gitea-server:3000
 ```
+## Backup Decryption Notes
+
+Everything is encrypted with [age](https://github.com/FiloSottile/age).
+
+All keys are generated using age-keygen and stored in a text file, e.g.
+
+**backup-key.txt**
+
+```
+# created: 2023-06-24T18:01:36-07:00
+# public key: age12345...
+AGE-SECRET-KEY-xyz123...
+```
+
+Decrypting a file:
+
+```
+age -d -i backup-key.txt -o NAME.tar.gz NAME.tar.gz.enc
+```
+
diff --git a/backup/README.md b/backup/README.md
new file mode 100644
index 0000000..f22548e
--- /dev/null
+++ b/backup/README.md
@@ -0,0 +1,24 @@
+# Generic Backup Host
+
+## Filenames
+
+Container volume backups are of the format:
+
+```
+gitea-data-2023-06-17_050002.tar.gz.enc
+^ ^ ^
+| | Backups are encrypted tarballs
+| |
+| ISO Datetime separated by _
+|
+Container volume name (*-data)
+```
+
+## Matching
+
+Regex to match backups that are *not* from the first of every month:
+
+```
+.*-data-\d{4}-\d{2}-([^0][0-9]|[0-9][^1])_.*
+```
+
diff --git a/backup/prune.sh b/backup/prune.sh
new file mode 100644
index 0000000..38c4bca
--- /dev/null
+++ b/backup/prune.sh
@@ -0,0 +1,15 @@
+#!/usr/bin/bash
+
+# Prunes container data folders monthly on backup host
+# - Regex has been tested and works
+# - Script is not yet tested
+
+ARCHIVES=$(ls | grep -E "[0-9A-Za-z]+-data-\d{4}-\d{2}-([^0][0-9]|[0-9][^1])_.*")
+
+for archive in $ARCHIVES; do
+ if [ -d $archive ]; then
+ echo "Removing $archive"
+ rm -f $archive
+ fi
+done
+
From 1ae8b3160da7bf5ea5106993e199a844f36d1980 Mon Sep 17 00:00:00 2001
From: turtlebasket
Date: Thu, 27 Jul 2023 23:45:33 -0700
Subject: [PATCH 3/4] backup changes

---
 backup/README.md | 8 ++++++++
 backup/prune.sh | 17 ++++++++--------
 2 files changed, 16 insertions(+), 9 deletions(-)

diff --git a/backup/README.md b/backup/README.md
index f22548e..e46c21f 100644
--- a/backup/README.md
+++ b/backup/README.md
@@ -1,5 +1,13 @@
 # Generic Backup Host
 
+## Crontab
+
+Runs on the second of every month.
+
+```
+0 0 2 * * cd /home/USER/backups && bash prune.sh
+```
+
 ## Filenames
 
 Container volume backups are of the format:
diff --git a/backup/prune.sh b/backup/prune.sh
index 38c4bca..5bdff32 100644
--- a/backup/prune.sh
+++ b/backup/prune.sh
@@ -1,15 +1,14 @@
 #!/usr/bin/bash
 
-# Prunes container data folders monthly on backup host
-# - Regex has been tested and works
-# - Script is not yet tested
+# Prunes container data folders monthly on backup host.
+# Removes all items but the backup from the first day of the month.
+# Should run on the first day of every month - since it doesn't remove the backup
+# from that time, it doesn't matter what time it's run
 
-ARCHIVES=$(ls | grep -E "[0-9A-Za-z]+-data-\d{4}-\d{2}-([^0][0-9]|[0-9][^1])_.*")
-
-for archive in $ARCHIVES; do
- if [ -d $archive ]; then
- echo "Removing $archive"
- rm -f $archive
+for item in *; do
+ if [[ "$item" =~ [0-9A-Za-z]+-data-[0-9]{4}-[0-9]{2}-([^0][0-9]|[0-9][^1])_.* ]]; then
+ echo "Removing $item"
+ rm -f $item
 fi
 done
 
From 7d581c87c02ea83fd6b6922858c117a8a97c8c2a Mon Sep 17 00:00:00 2001
From: turtlebasket
Date: Thu, 27 Jul 2023 23:50:53 -0700
Subject: [PATCH 4/4] doc update

---
 README.md | 11 +++++++++--
 backup/README.md | 8 +++-----
 2 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/README.md b/README.md
index 24bf9c9..9458379 100644
--- a/README.md
+++ b/README.md
@@ -6,9 +6,16 @@
 | :--- | :--- | :------- |
 | Cuddlefish | ![CentOS](https://img.shields.io/badge/centos%207-002260?style=for-the-badge&logo=centos&logoColor=F0F0F0) | Gitea |
 | Rocktiplex | ![Rocky Linux](https://img.shields.io/badge/-Rocky%20Linux%209-%2310B981?style=for-the-badge&logo=rockylinux&logoColor=white) | Fathom |
+| Cloud8 | ![Rocky Linux](https://img.shields.io/badge/-Rocky%20Linux%209-%2310B981?style=for-the-badge&logo=rockylinux&logoColor=white) | NextCloud |
-
-
+## SELinux Notes
+
+Docker volumes violate some SELinux policies. Use `setenforce 0` to disable it temporarily, or make the following permanent change to `/etc/sysconfig/selinux`:
+
+```bash
+# SELINUX=enforcing
+SELINUX=permissive
+```
 ## Dockerized Cloudflared Notes
diff --git a/backup/README.md b/backup/README.md
index e46c21f..73b489f 100644
--- a/backup/README.md
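Review bot: `rm -f $item` in the new loop body is unquoted, so a matching name containing whitespace or a glob character is word-split before rm sees it; use `rm -f -- "$item"`. The regex test is on the name alone, so a directory whose name fits the pattern is also handed to `rm -f`, which then errors on it; adding a file test to the condition, `if [[ -f "$item" && "$item" =~ ... ]]; then`, limits deletion to regular files. The new header comment says the script should run on the first day of every month, while the crontab this same commit adds to backup/README.md schedules it at `0 0 2 * *`; one of the two should change so the retention rule reads consistently.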
+++ b/backup/README.md
@@ -8,7 +8,7 @@ Runs on the second of every month.
 0 0 2 * * cd /home/USER/backups && bash prune.sh
 ```
 
-## Filenames
+## Filename Pattern
 
 Container volume backups are of the format:
 
@@ -22,11 +22,9 @@ gitea-data-2023-06-17_050002.tar.gz.enc
 Container volume name (*-data)
 ```
 
-## Matching
-
-Regex to match backups that are *not* from the first of every month:
+Regex to match backups that are *not* from the first of every month, using the above format:
 
 ```
-.*-data-\d{4}-\d{2}-([^0][0-9]|[0-9][^1])_.*
+[0-9A-Za-z]+-data-[0-9]{4}-[0-9]{2}-([^0][0-9]|[0-9][^1])_.*
 ```
 