restic formula rewrite and gitea updates

2023-11-26 21:56:18 -05:00
parent 0bb12fde34
commit 3de878dd20
13 changed files with 154 additions and 84 deletions
--- a/1
+++ b/1
@@ -0,0 +1 @@
+restic rsa keys
--- a/gitea/app_defaults.yaml
+++ b/gitea/app_defaults.yaml
@@ -2,6 +2,7 @@ global:
  APP_NAME: 'Gitea: Git with a cup of tea'
  RUN_USER: gitea
  RUN_MODE: prod
+  WORK_PATH: gitea
 sections:
  database:
    DB_TYPE: mysql
--- a/gitea/files/app_ini.jinja
+++ b/gitea/files/app_ini.jinja
@@ -1,35 +1,45 @@
 # Managed by salt
-{% import_yaml 'gitea/app_defaults.yaml' as defaults -%}
-{% set secrets = salt.file.read(pillar['gitea']['path'] + '/etc/secrets.json') | load_json -%}
-{% set pillar_global = salt.pillar.get('gitea:config:global', {}) -%}
-{% set pillar_sections = salt.pillar.get('gitea:config:sections', {}) -%}
+{%- import_yaml 'gitea/app_defaults.yaml' as defaults %}
+{%- set secrets = salt.file.read(pillar['gitea']['path'] + '/etc/secrets.json') | load_json %}
+{%- set pillar_global = salt.pillar.get('gitea:config:global', {}) %}
+{%- set pillar_sections = salt.pillar.get('gitea:config:sections', {}) %}
+
+{%- for key in defaults['global'].keys() %}
+{%-   if key in pillar_global %}
+{{ key }} = {{ pillar_global[key] }}
+{%-   else %}
+{{ key }} = {{ defaults['global'][key] }}
+{%-   endif %}
+{%- endfor %}
+{%- for key, val in pillar_global.items() %}
+{%-   if key not in defaults['global'] %}
+{{ key }} = {{ val }}
+{%-   endif %}
+{%- endfor %}

-{% for key in defaults['global'].keys() -%}
-{%   if key in pillar_global -%}
-{{key}}                          = {{pillar_global[key]}}
-{%   else -%}
-{{key}}                          = {{defaults['global'][key]}}
-{%   endif -%}
-{% endfor %}
 [security]
-INTERNAL_TOKEN                    = {{secrets['INTERNAL_TOKEN']}}
-INSTALL_LOCK                      = true
-SECRET_KEY                        = {{secrets['SECRET_KEY']}}
+INTERNAL_TOKEN = {{ secrets['INTERNAL_TOKEN'] }}
+INSTALL_LOCK = true
+SECRET_KEY = {{ secrets['SECRET_KEY'] }}

-{% for section in defaults['sections'].keys() -%}
-[{{section}}]
-{%   if section == 'server' -%}
-LFS_JWT_SECRET                    = {{secrets['LFS_JWT_SECRET']}}
-{%   elif section == 'database' -%}
-NAME                              = {{pillar_sections['database']['NAME']}}
-USER                              = {{pillar_sections['database']['USER']}}
-PASSWD                            = `{{pillar_sections['database']['PASSWD']}}`
-{%   endif -%}
-{%   for key in defaults['sections'][section] -%}
-{%     if section in pillar_sections and key in pillar_sections[section] -%}
-{{key.ljust(33)}} = {{pillar_sections[section][key]}}
-{%     else -%}
-{{key.ljust(33)}} = {{defaults['sections'][section][key]}}
-{%     endif -%}
-{%   endfor %}
-{% endfor -%}
+{%- for section in defaults['sections'].keys() %}
+
+[{{ section }}]
+{%-   if section == 'server' %}
+LFS_JWT_SECRET = {{ secrets['LFS_JWT_SECRET'] }}
+{%-   elif section == 'database' %}
+NAME = {{ pillar_sections['database']['NAME'] }}
+USER = {{ pillar_sections['database']['USER'] }}
+PASSWD = `{{ pillar_sections['database']['PASSWD'] }}`
+{%-   endif %}
+{%-   for key in defaults['sections'][section] %}
+{%-     if section in pillar_sections and key in pillar_sections[section] %}
+{{ key }} = {{pillar_sections[section][key]}}
+{%-     else %}
+{{ key }} = {{defaults['sections'][section][key]}}
+{%-     endif %}
+{%-   endfor %}
+{%- endfor %}
+
+[oauth2]
+JWT_SECRET = {{ pillar_sections['oauth2']['JWT_SECRET'] }}
--- a/restic/client.sls
+++ b/restic/client.sls
@@ -1,18 +0,0 @@
-{% from "restic/map.jinja" import url with context %}
-
-'download restic':
-  cmd.run:
-    - name: 'wget {{url}} -O - | bzip2 -cd > /bin/restic ; chmod +x /bin/restic'
-    - unless: stat /bin/restic
-
-/opt/restic_backups.sh:
-  file.managed:
-    - source: 'salt://restic/files/restic_backup.sh.jinja'
-    - template: jinja
-    - user: root
-    - group: root
-    - mode: 0700
-  cron.present:
-    - minute: random
-    - hour: 4
-    - dayweek: 0
--- a/restic/files/backup.sh.jinja
+++ b/restic/files/backup.sh.jinja
@@ -0,0 +1,8 @@
+#!/bin/bash
+source /opt/restic/env.sh
+touch /var/log/restic/backup.log
+chmod 600 /var/log/restic/backup.log
+(
+  date
+  {{ '\n'.join(salt.pillar.get("restic:client:cmds")) | indent(2) }}
+) 2>&1 | tee -a /var/log/restic/backup.log
--- a/restic/files/env.sh.jinja
+++ b/restic/files/env.sh.jinja
@@ -0,0 +1,4 @@
+#!/bin/bash
+{%- for var, val in salt.pillar.get("restic:client:environ").items() %}
+export {{ var }}={{ val }}
+{%- endfor %}
--- a/restic/files/install.sh.jinja
+++ b/restic/files/install.sh.jinja
@@ -0,0 +1,18 @@
+#!/bin/bash
+{% set arch = 'arm' salt.grains.get(cpuarch).startswith('arm') else 'amd64' %}
+
+if test -z "$RESTIC_VERSION"; then
+  echo "RESTIC_VERSION is not defined"
+  exit 1
+fi
+
+URL="https://github.com/restic/restic/releases/download/v${RESTIC_VERSION}/restic_${RESTIC_VERSION}_linux_{{ arch }}.bz2"
+
+wget --quiet "${URL}" -O - | bzip2 -cd > /bin/restic.tmp
+if [ $? -eq 0 ]; then
+  chmod +x /bin/restic.tmp
+  mv /bin/restic.tmp /bin/restic
+else
+  rm -f /bin/restic.tmp
+  exit 1
+fi
--- a/restic/files/restic_backup.sh.jinja
+++ b/restic/files/restic_backup.sh.jinja
@@ -1,12 +0,0 @@
-#!/bin/sh
-export HOME=/root
-export RESTIC_PASSWORD={{ salt.pillar.get('restic:pass') }}
-export RESTIC_REPOSITORY={{ salt.pillar.get('restic:repo') }}
-restic backup --tag files {{ salt.pillar.get('restic:files') }}
-{% if salt.pillar.get('restic:mysql', False) -%}
-mysqldump --all-databases | restic backup --stdin --stdin-filename /all_databases.sql --tag mysql
-{% endif -%}
-restic forget --keep-last 4 --tag mysql --prune
-{% if salt.pillar.get('restic:mysql', False) -%}
-restic forget --keep-last 4 --tag files --prune
-{% endif -%}
--- a/restic/init.sls
+++ b/restic/init.sls
@@ -0,0 +1,74 @@
+{% for client in salt.pillar.get("restic:server:clients", []) %}
+restic-{{ client }}:
+  user.present:
+    - home: {{ salt.pillar.get("restic:server:mount") }}/{{ client }}
+    - createhome: true
+    - system: true
+{% endfor %}
+
+{% if salt.pillar.get("restic:client", None) is not none %}
+{%   if salt.pillar.get("restic:client:install", True)%}
+'download restic':
+  cmd.script:
+    - shell: /bin/bash
+    - source: salt://restic/files/install.sh.jinja
+    - templates: jinja
+    - unless: "/bin/restic version | grep 'restic 0.16.2 '"
+    - env:
+       - RESTIC_VERSION: 0.16.2
+{%   endif %}
+
+/etc/logrotate.d/restic-backup:
+  file.managed:
+    - user: root
+    - group: root
+    - mode: 644
+    - contents: |
+        /var/log/restic/backup.log {
+            monthly
+            rotate 3
+            compress
+            missingok
+            notifempty
+            create 600 root root
+        }
+
+/opt/restic:
+  file.directory:
+    - user: root
+    - group: root
+    - mode: 700
+
+/opt/restic/env.sh:
+  file.managed:
+    - source: 'salt://restic/files/env.sh.jinja'
+    - template: jinja
+    - user: root
+    - group: root
+    - mode: 700
+    - require:
+      - file: /opt/restic
+
+/opt/restic/backup.sh:
+  file.managed:
+    - source: 'salt://restic/files/backup.sh.jinja'
+    - template: jinja
+    - user: root
+    - group: root
+    - mode: 700
+    - require:
+      - file: /opt/restic
+"/opt/restic/backup.sh 2>&1 >/dev/null":
+  cron.present:
+    - identifier: restic backup
+    - minute: random
+    - hour: 4
+    - dayweek: 0
+
+/var/log/restic:
+  file.directory:
+    - user: root
+    - group: root
+    - mode: 700
+
+{% endif %}
--- a/restic/map.jinja
+++ b/restic/map.jinja
@@ -1,6 +0,0 @@
-
-{% if salt.grains.get('cpuarch').startswith('arm') %}
-{%   set url = 'https://github.com/restic/restic/releases/download/v0.9.6/restic_0.9.6_linux_arm.bz2' %}
-{% else %}
-{%   set url = 'https://github.com/restic/restic/releases/download/v0.9.6/restic_0.9.6_linux_amd64.bz2' %}
-{% endif %}
--- a/restic/server.sls
+++ b/restic/server.sls
@@ -1,7 +0,0 @@
-
-restic-vps:
-  user.present:
-    - home: /mnt/bak1/restic-vps
-    - uid: 1002
-    - gid: 1002
-
--- a/top.sls
+++ b/top.sls
@@ -1,22 +1,19 @@
 {{saltenv}}:
  '*':
    - common
-    - users
    - salt
 {% if salt.pillar.get('restic', None) is not none %}
-#    - restic.client
+    - restic
 {% endif %}
-  'fen.keiran.us':
-    - workstation
-  'pawbs.keiran.us':
-    - workstation
  '*.keiran.us':
+    - users
    - firewall
    - resolv
  'vps47492.inmotionhosting.com':
+    - users
    - gitea
  'kpi.keiran.us':
    - icinga2
    - nginx
-#    - restic.server
+    - restic
    - samba
--- a/users/files/bashrc.jinja
+++ b/users/files/bashrc.jinja
@@ -63,9 +63,9 @@ PATH="${PATH}:${HOME}/.local/bin"

 alias random='< /dev/urandom tr -dc A-Za-z0-9 | head -c${1:-32};echo'
 {%- if bashrc_user is defined %}
-{%-   if bashrc_user == 'root' and 'restic' in pillar %}
-export RESTIC_REPOSITORY={{ salt.pillar.get('restic:repo') }}
-export RESTIC_PASSWORD={{ salt.pillar.get('restic:pass') }}
+{%-   if bashrc_user == 'root' and salt.pillar.get('restic:client', None) is not none %}
+export RESTIC_REPOSITORY={{ salt.pillar.get('restic:client:repo') }}
+export RESTIC_PASSWORD={{ salt.pillar.get('restic:client:pass') }}
 {%-   endif %}
 {%-   for alias, cmd_str in salt.pillar.get("bash_aliases:{}".format(bashrc_user), {}).items() %}
 alias {{ alias }}="{{ cmd_str }}"