diff --git a/README.md b/README.md index ed98652..75209d1 100644 --- a/README.md +++ b/README.md @@ -5,7 +5,8 @@ [![Integration level](https://dash.yunohost.org/integration/restic.svg)](https://dash.yunohost.org/appci/app/restic) [![GitHub license](https://img.shields.io/badge/license-GPLv3-blue.svg?style=flat)](https://raw.githubusercontent.com/YunoHost-Apps/restic_ynh/master/LICENSE) [![GitHub issues](https://img.shields.io/github/issues/YunoHost-Apps/restic_ynh.svg?style=flat)](https://github.com/YunoHost-Apps/restic_ynh/issues) -[![Install restic with YunoHost](https://install-app.yunohost.org/install-with-yunohost.png)](https://install-app.yunohost.org/?app=restic) + +[![Install Restic with YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=restic) > *This package allows you to install Restic quickly and simply on a YunoHost server. If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/install) to learn how to install it.* @@ -119,7 +120,7 @@ If you want to check the backups consistency: systemctl start restic_check.service ``` -If you want to make a complete check of the backups - keep in mind that this reads all the backed up data, it can take some time depending on your target server upload speed (more on this topic in [the Restic documentation](https://restic.readthedocs.io/en/latest/045_working_with_repos.html#checking-integrity-and-consistency): +If you want to make a complete check of the backups - keep in mind that this reads all the backed up data, it can take some time depending on your target server upload speed (more on this topic in [the Restic documentation](https://restic.readthedocs.io/en/latest/045_working_with_repos.html#checking-integrity-and-consistency)): ``` systemctl start restic_check_read_data.service ``` @@ -148,8 +149,7 @@ You can setup the Restic app several times on the same server so you can backup --- -Developer info ----------------- +## Developer info Please send your pull request to the [testing branch](https://github.com/YunoHost-Apps/restic_ynh/tree/testing). diff --git a/check_process b/check_process index 46082e3..9358a19 100644 --- a/check_process +++ b/check_process @@ -1,41 +1,29 @@ ;; Test complet ; Manifest -server="dst.domain.tld" -ssh_user="sam" -passphrase="APassphrase" -conf=1 -port=2222 -backup_path=src.domain.tld -data=1 -app="all" -allow_extra_space_use=1 -on_calendar="Daily" -check_on_calendar="*-*-8,15,22 3:15" -check_read_data_on_calendar="*-*-1 3:15" + server="dst.domain.tld" + ssh_user="sam" + passphrase="APassphrase" + conf=1 + port=2222 + backup_path=src.domain.tld + data=1 + app="all" + allow_extra_space_use=1 + on_calendar="Daily" + check_on_calendar="*-*-8,15,22 3:15" + check_read_data_on_calendar="*-*-1 3:15" ; Checks -pkg_linter=1 -setup_sub_dir=0 -setup_root=0 -setup_nourl=1 -setup_private=0 -setup_public=0 -upgrade=1 -backup_restore=1 -multi_instance=1 -incorrect_path=0 -port_already_use=0 -change_url=0 -;;; Levels -Level 1=auto -Level 2=auto -Level 3=auto -Level 4=na -Level 5=auto -Level 6=auto -Level 7=auto -Level 8=0 -Level 9=0 -Level 10=0 + pkg_linter=1 + setup_sub_dir=0 + setup_root=0 + setup_nourl=1 + setup_private=0 + setup_public=0 + upgrade=1 + backup_restore=1 + multi_instance=1 + port_already_use=0 + change_url=0 ;;; Options Email=restic-ynh@coupouchetty-ramouchetty.fr Notification=down diff --git a/conf/backup-with-restic.j2 b/conf/backup-with-restic.j2 index 2b26593..824d0b5 100644 --- a/conf/backup-with-restic.j2 +++ b/conf/backup-with-restic.j2 @@ -14,7 +14,7 @@ if [ -f "$LOCK_FILE" ];then exit 1 fi echo $$ > "$LOCK_FILE" -if yunohost -v | grep "version: 2." > /dev/null; then +if sudo yunohost -v | grep "version: 2." > /dev/null; then ignore_apps="--ignore-apps" ignore_system="--ignore-system" else @@ -26,19 +26,19 @@ filter_hooks() { } # Backup system part conf -conf=$(yunohost app setting {{ app }} conf) +conf=$(sudo yunohost app setting {{ app }} conf) if [ $conf -eq 1 ];then - yunohost backup create $ignore_apps -n auto_conf --method {{ app }}_app --system $(filter_hooks conf) + sudo yunohost backup create $ignore_apps -n auto_conf --method {{ app }}_app --system $(filter_hooks conf) fi # Backup system data -data=$(yunohost app setting {{ app }} data) +data=$(sudo yunohost app setting {{ app }} data) if [ $data -eq 1 ];then - yunohost backup create $ignore_apps -n auto_data --method {{ app }}_app --system $(filter_hooks data) + sudo yunohost backup create $ignore_apps -n auto_data --method {{ app }}_app --system $(filter_hooks data) fi # Backup all apps independently -apps=$(yunohost app setting {{ app }} apps) +apps=$(sudo yunohost app setting {{ app }} apps) for app in $(ls /etc/yunohost/apps/*/scripts/backup | cut -d / -f 5); do backup_app=false for selected_app in $(echo $apps | tr "," " ");do @@ -48,7 +48,7 @@ for app in $(ls /etc/yunohost/apps/*/scripts/backup | cut -d / -f 5); do fi done if [ "$backup_app" == "true" ];then - yunohost backup create $ignore_system -n auto_$app --method {{ app }}_app --apps $app + sudo yunohost backup create $ignore_system -n auto_$app --method {{ app }}_app --apps $app fi done rm "$LOCK_FILE" diff --git a/conf/restic_log.j2 b/conf/restic_log.j2 index c8f8228..a565acf 100644 --- a/conf/restic_log.j2 +++ b/conf/restic_log.j2 @@ -4,7 +4,7 @@ set -u invocation_id=$(systemctl show -p InvocationID --value {{ app }}.service) hostname=$(hostname) subject="YunoHost Restic backup log on ${hostname}" -backup_results=$(/bin/journalctl _SYSTEMD_INVOCATION_ID=${invocation_id} | grep -oP '(?<= )[a-zA-Z_-]+: \w+') +backup_results=$(sudo /bin/journalctl _SYSTEMD_INVOCATION_ID=${invocation_id} | grep -oP '(?<= )[a-zA-Z_-]+: \w+') echo ${backup_results} | grep -iqE 'error|fail' if [ "$?" -eq 0 ];then subject="${subject} (FAIL)" diff --git a/conf/systemd.service b/conf/systemd.service index 33fc4ce..81f856c 100644 --- a/conf/systemd.service +++ b/conf/systemd.service @@ -6,8 +6,8 @@ After=network.target Type=oneshot ExecStart=/usr/local/bin/backup-with-__APP__ ExecStartPost=/opt/yunohost/__APP__/restic_log___APP__ -User=root -Group=root +User=__APP__ +Group=__APP__ [Install] WantedBy=multi-user.target diff --git a/conf/systemd_check.service b/conf/systemd_check.service index d89608d..6304f4e 100644 --- a/conf/systemd_check.service +++ b/conf/systemd_check.service @@ -6,8 +6,8 @@ After=network.target Type=oneshot ExecStart=__FINALPATH__/check-__APP__ ExecStartPost=/bin/bash -c 'echo -e "Subject: YunoHost Restic check log on $(hostname)\n$(/bin/journalctl _SYSTEMD_INVOCATION_ID=`systemctl show -p InvocationID --value __APP___check.service`)" | /usr/sbin/sendmail root' -User=root -Group=root +User=__APP__ +Group=__APP__ [Install] WantedBy=multi-user.target diff --git a/conf/systemd_check_read_data.service b/conf/systemd_check_read_data.service index c5ee981..bb5b7e0 100644 --- a/conf/systemd_check_read_data.service +++ b/conf/systemd_check_read_data.service @@ -6,8 +6,8 @@ After=network.target Type=oneshot ExecStart=__FINALPATH__/check-__APP__ "1" ExecStartPost=/bin/bash -c 'echo -e "Subject: YunoHost Restic complete check log on $(hostname)\n$(/bin/journalctl _SYSTEMD_INVOCATION_ID=`systemctl show -p InvocationID --value __APP___check_read_data.service`)" | /usr/sbin/sendmail root' -User=root -Group=root +User=__APP__ +Group=__APP__ [Install] WantedBy=multi-user.target diff --git a/manifest.json b/manifest.json index d659f64..0a27f93 100644 --- a/manifest.json +++ b/manifest.json @@ -6,7 +6,7 @@ "en": "Backup your server with restic.", "fr": "Sauvegardez votre serveur avec restic." }, - "version": "0.12.0~ynh3", + "version": "0.12.0~ynh4", "url": "https://restic.net/", "license": "BSD-2-Clause", "maintainer": { diff --git a/scripts/backup b/scripts/backup index 345406a..bc79252 100755 --- a/scripts/backup +++ b/scripts/backup @@ -37,6 +37,7 @@ ynh_backup "/etc/systemd/system/${app}_check_read_data.timer" ynh_backup "/etc/yunohost/hooks.d/backup_method/05-${app}_app" ynh_backup "${final_path}/check_method_${app}" ynh_backup "${final_path}/restic_log_${app}" -ynh_backup "/root/.ssh/id_${app}_ed25519" -ynh_backup "/root/.ssh/id_${app}_ed25519.pub" -ynh_backup "/root/.ssh/config" +ssh_dir="/root/.ssh" +ynh_backup "${ssh_dir}/id_${app}_ed25519" +ynh_backup "${ssh_dir}/id_${app}_ed25519.pub" +ynh_backup "${ssh_dir}/config" diff --git a/scripts/install b/scripts/install index 610dfcb..fc51360 100755 --- a/scripts/install +++ b/scripts/install @@ -36,6 +36,17 @@ ynh_save_args server port ssh_user backup_path passphrase on_calendar check_on_c ynh_script_progression --message="Installing restic binary" --weight=7 install_restic +#================================================= +# CREATE APP USER +#================================================= +ynh_script_progression --message="Creating user ${app}" +useradd -m ${app} +ynh_script_progression --message="Configure ${app} user sudoer rights" +cat > /tmp/${app}_sudoer << EOSUDOER +${app} ALL = (root) NOPASSWD: /usr/bin/yunohost*, /bin/journalctl* +EOSUDOER +visudo -cf /tmp/${app}_sudoer && mv /tmp/${app}_sudoer /etc/sudoers.d/${app} + #================================================= # ACTIVATE BACKUP METHODS #================================================= @@ -56,6 +67,7 @@ ynh_configure check_method "${final_path}/check_method_${app}" ynh_script_progression --message="Setting up log script" ynh_configure restic_log "${final_path}/restic_log_${app}" chmod u+x "${final_path}/restic_log_${app}" +chown ${app}: "${final_path}/restic_log_${app}" #================================================= # CONFIGURE CRON @@ -64,6 +76,7 @@ ynh_script_progression --message="Configuring cron" --weight=5 ynh_configure backup-with-restic "/usr/local/bin/backup-with-${app}" ynh_configure check-restic "${final_path}/check-${app}" chmod u+x "/usr/local/bin/backup-with-${app}" +chown ${app}: "/usr/local/bin/backup-with-${app}" chmod u+x "${final_path}/check-${app}" chmod u+x "${final_path}/check_method_${app}" ynh_add_systemd_config --service=${app} --template=systemd.service @@ -82,18 +95,28 @@ systemctl start ${app}.timer systemctl start ${app}_check.timer systemctl start ${app}_check_read_data.timer +#================================================= +# SET PERMISSIONS ON FINAL PATH +#================================================= +ynh_script_progression --message="Set permissions on ${final_path}" +chown -R ${app}: ${final_path} + #================================================= # GENERATE SSH KEY #================================================= ynh_script_progression --message="Generating private key" -private_key="/root/.ssh/id_${app}_ed25519" +ssh_dir="/root/.ssh" +if [ ! -d "${ssh_dir}" ];then + mkdir -p "${ssh_dir}" +fi +private_key="${ssh_dir}/id_${app}_ed25519" test -f $private_key || ssh-keygen -q -t ed25519 -N "" -f $private_key #================================================= # GENERATE SSH CONFIG #================================================= ynh_script_progression --message="Generating ssh config for ${app} server ${server}" -grep -q "${app}" /root/.ssh/config 2>/dev/null || cat << EOCONF >> ~/.ssh/config +grep -q "${app}" ${ssh_dir}/config 2>/dev/null || cat << EOCONF >> ${ssh_dir}/config # begin $app ssh config Host ${server} Hostname ${server} diff --git a/scripts/remove b/scripts/remove index 0400d37..c30cd14 100755 --- a/scripts/remove +++ b/scripts/remove @@ -43,5 +43,14 @@ ynh_secure_remove "${final_path}" #================================================= # REMOVE SSH CONFIG #================================================= -ynh_script_progression --message="Removing ssh config" --last -sed -e "/begin ${app}/,/end ${app}/{/.*/d}" /root/.ssh/config -i || true +ynh_script_progression --message="Removing ssh config" +ssh_dir="/root/.ssh" +sed -e "/begin ${app}/,/end ${app}/{/.*/d}" ${ssh_dir}/config -i || true + +#================================================= +# REMOVE USER +#================================================= +ynh_script_progression --message="Removing sudoers rights for user ${app}" +rm /etc/sudoers.d/${app} +ynh_script_progression --message="Removing ${app} user" --last +userdel ${app} diff --git a/scripts/upgrade b/scripts/upgrade index 8cfa5ec..418c3fa 100755 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -60,6 +60,42 @@ fi ynh_script_progression --message="Installing restic binary" --weight=7 install_restic +#================================================= +# CREATE APP USER +#================================================= +ynh_script_progression --message="Creating user ${app}" +id ${app} 2>/dev/null || useradd -m ${app} +ynh_script_progression --message="Configure ${app} user sudoer rights" +cat > /tmp/${app}_sudoer << EOSUDOER +${app} ALL = (root) NOPASSWD: /usr/bin/yunohost*, /bin/journalctl* +EOSUDOER +visudo -cf /tmp/${app}_sudoer && mv /tmp/${app}_sudoer /etc/sudoers.d/${app} +ynh_script_progression --message="Move ssh keys from root to ${app} user's home" +ynh_script_progression --message="Generate ssh config" +set +o errexit +set +o nounset +export ssh_dir="/root/.ssh" +export private_key="${ssh_dir}/id_${app}_ed25519" +mkdir ${ssh_dir} 2>/dev/null || true +touch ${ssh_dir}/config +grep -q "begin ${app}" ${ssh_dir}/config +missing_conf="$?" +if [ "$missing_conf" -eq "1" ];then + cat << EOCONF >> ${ssh_dir}/config + # begin $app ssh config + Host ${server} + Hostname ${server} + Port ${port} + User ${ssh_user} + IdentityFile ${private_key} + StrictHostKeyChecking no + UserKnownHostsFile /dev/null + # end $app ssh config +EOCONF +fi +chown -R ${app}: /home/${app} + + #================================================= # ACTIVATE BACKUP METHODS #================================================= @@ -80,6 +116,7 @@ ynh_configure check_method "${final_path}/check_method_${app}" ynh_script_progression --message="Setting up log script" ynh_configure restic_log "${final_path}/restic_log_${app}" chmod u+x "${final_path}/restic_log_${app}" +chown ${app}: "${final_path}/restic_log_${app}" #================================================= # CONFIGURE CRON @@ -88,6 +125,7 @@ ynh_script_progression --message="Configuring cron" --weight=5 ynh_configure backup-with-restic "/usr/local/bin/backup-with-${app}" ynh_configure check-restic "${final_path}/check-${app}" chmod u+x "/usr/local/bin/backup-with-${app}" +chown ${app}: "/usr/local/bin/backup-with-${app}" chmod u+x "${final_path}/check-${app}" chmod u+x "${final_path}/check_method_${app}" ynh_add_systemd_config --service=${app} --template=systemd.service @@ -112,19 +150,18 @@ ynh_script_progression --message="End of upgrade process" --last # UPGRADE SSH CONFIG #================================================= -# old versions did not have delimiters in /root/.ssh/config +# old versions did not have delimiters in ~/.ssh/config # making removal in multi-instance cases break the remaining # instances. # So we need to add the delimiters if they are missing set +o errexit set +o nounset -private_key="/root/.ssh/id_${app}_ed25519" -grep -q "begin ${app}" /root/.ssh/config +grep -q "begin ${app}" ${ssh_dir}/config missing_delimiters="$?" if [ "$missing_delimiters" -eq 1 ];then # did not find delimiters so removing old configuration - sed -e "/Host ${server}/,+6d" /root/.ssh/config -i || true - cat << EOCONF >> ~/.ssh/config + sed -e "/Host ${server}/,+6d" ${ssh_dir}/config -i || true + cat << EOCONF >> ${ssh_dir}/config # begin $app ssh config Host ${server} Hostname ${server}