From 3de878dd2091c83326324eb66289f42c98359a79 Mon Sep 17 00:00:00 2001
From: Keiran Snowden
Date: Sun, 26 Nov 2023 21:56:18 -0500
Subject: [PATCH] restic formula rewrite and gitea updates
---
 TODO | 1 +
 gitea/app_defaults.yaml | 1 +
 gitea/files/app_ini.jinja | 72 ++++++++++++++++------------
 restic/client.sls | 18 -------
 restic/files/backup.sh.jinja | 8 ++++
 restic/files/env.sh.jinja | 4 ++
 restic/files/install.sh.jinja | 18 +++++++
 restic/files/restic_backup.sh.jinja | 12 -----
 restic/init.sls | 74 +++++++++++++++++++++++++++++
 restic/map.jinja | 6 ---
 restic/server.sls | 7 ---
 top.sls | 11 ++---
 users/files/bashrc.jinja | 6 +-
 13 files changed, 154 insertions(+), 84 deletions(-)
 create mode 100644 TODO
 delete mode 100644 restic/client.sls
 create mode 100644 restic/files/backup.sh.jinja
 create mode 100644 restic/files/env.sh.jinja
 create mode 100644 restic/files/install.sh.jinja
 delete mode 100644 restic/files/restic_backup.sh.jinja
 create mode 100644 restic/init.sls
 delete mode 100644 restic/map.jinja
 delete mode 100644 restic/server.sls
diff --git a/TODO b/TODO
new file mode 100644
index 0000000..3bdac5c
--- /dev/null
+++ b/TODO
@@ -0,0 +1 @@
+restic rsa keys
diff --git a/gitea/app_defaults.yaml b/gitea/app_defaults.yaml
index e1fdfa7..90173de 100644
--- a/gitea/app_defaults.yaml
+++ b/gitea/app_defaults.yaml
@@ -2,6 +2,7 @@ global:
 APP_NAME: 'Gitea: Git with a cup of tea'
 RUN_USER: gitea
 RUN_MODE: prod
+ WORK_PATH: gitea
 sections:
 database:
 DB_TYPE: mysql
diff --git a/gitea/files/app_ini.jinja b/gitea/files/app_ini.jinja
index ddb48a1..b3f1df4 100644
--- a/gitea/files/app_ini.jinja
+++ b/gitea/files/app_ini.jinja
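Review bot: `WORK_PATH: gitea` is a relative path, and Gitea documents WORK_PATH as the absolute base directory from which its other relative paths are resolved; depending on the installed version a relative value is either refused at startup or resolved against the binary's own directory instead of the install path the rest of this formula uses, so confirm which applies before relying on it. If the intended value is the install directory already held in `pillar['gitea']['path']`, set it there as an override under `gitea:config:global:WORK_PATH` rather than as a bare default, since app_defaults.yaml is the fallback for every host.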
@@ -1,35 +1,45 @@
 # Managed by salt
-{% import_yaml 'gitea/app_defaults.yaml' as defaults -%}
-{% set secrets = salt.file.read(pillar['gitea']['path'] + '/etc/secrets.json') | load_json -%}
-{% set pillar_global = salt.pillar.get('gitea:config:global', {}) -%}
-{% set pillar_sections = salt.pillar.get('gitea:config:sections', {}) -%}
+{%- import_yaml 'gitea/app_defaults.yaml' as defaults %}
+{%- set secrets = salt.file.read(pillar['gitea']['path'] + '/etc/secrets.json') | load_json %}
+{%- set pillar_global = salt.pillar.get('gitea:config:global', {}) %}
+{%- set pillar_sections = salt.pillar.get('gitea:config:sections', {}) %}
+
+{%- for key in defaults['global'].keys() %}
+{%- if key in pillar_global %}
+{{ key }} = {{ pillar_global[key] }}
+{%- else %}
+{{ key }} = {{ defaults['global'][key] }}
+{%- endif %}
+{%- endfor %}
+{%- for key, val in pillar_global.items() %}
+{%- if key not in defaults['global'] %}
+{{ key }} = {{ val }}
+{%- endif %}
+{%- endfor %}
-{% for key in defaults['global'].keys() -%}
-{% if key in pillar_global -%}
-{{key}} = {{pillar_global[key]}}
-{% else -%}
-{{key}} = {{defaults['global'][key]}}
-{% endif -%}
-{% endfor %}
 [security]
-INTERNAL_TOKEN = {{secrets['INTERNAL_TOKEN']}}
-INSTALL_LOCK = true
-SECRET_KEY = {{secrets['SECRET_KEY']}}
+INTERNAL_TOKEN = {{ secrets['INTERNAL_TOKEN'] }}
+INSTALL_LOCK = true
+SECRET_KEY = {{ secrets['SECRET_KEY'] }}
-{% for section in defaults['sections'].keys() -%}
-[{{section}}]
-{% if section == 'server' -%}
-LFS_JWT_SECRET = {{secrets['LFS_JWT_SECRET']}}
-{% elif section == 'database' -%}
-NAME = {{pillar_sections['database']['NAME']}}
-USER = {{pillar_sections['database']['USER']}}
-PASSWD = `{{pillar_sections['database']['PASSWD']}}`
-{% endif -%}
-{% for key in defaults['sections'][section] -%}
-{% if section in pillar_sections and key in pillar_sections[section] -%}
-{{key.ljust(33)}} = {{pillar_sections[section][key]}}
-{% else -%}
-{{key.ljust(33)}} = {{defaults['sections'][section][key]}}
-{% endif -%}
-{% endfor %}
-{% endfor -%}
+{%- for section in defaults['sections'].keys() %}
+
+[{{ section }}]
+{%- if section == 'server' %}
+LFS_JWT_SECRET = {{ secrets['LFS_JWT_SECRET'] }}
+{%- elif section == 'database' %}
+NAME = {{ pillar_sections['database']['NAME'] }}
+USER = {{ pillar_sections['database']['USER'] }}
+PASSWD = `{{ pillar_sections['database']['PASSWD'] }}`
+{%- endif %}
+{%- for key in defaults['sections'][section] %}
+{%- if section in pillar_sections and key in pillar_sections[section] %}
+{{ key }} = {{pillar_sections[section][key]}}
+{%- else %}
+{{ key }} = {{defaults['sections'][section][key]}}
+{%- endif %}
+{%- endfor %}
+{%- endfor %}
+
+[oauth2]
+JWT_SECRET = {{ pillar_sections['oauth2']['JWT_SECRET'] }}
diff --git a/restic/client.sls b/restic/client.sls
deleted file mode 100644
index 73a835f..0000000
--- a/restic/client.sls
+++ /dev/null
@@ -1,18 +0,0 @@
-{% from "restic/map.jinja" import url with context %}
-
-'download restic':
- cmd.run:
- - name: 'wget {{url}} -O - | bzip2 -cd > /bin/restic ; chmod +x /bin/restic'
- - unless: stat /bin/restic
-
-/opt/restic_backups.sh:
- file.managed:
- - source: 'salt://restic/files/restic_backup.sh.jinja'
- - template: jinja
- - user: root
- - group: root
- - mode: 0700
- cron.present:
- - minute: random
- - hour: 4
- - dayweek: 0
diff --git a/restic/files/backup.sh.jinja b/restic/files/backup.sh.jinja
new file mode 100644
index 0000000..3b78047
--- /dev/null
+++ b/restic/files/backup.sh.jinja
@@ -0,0 +1,8 @@
+#!/bin/bash
+source /opt/restic/env.sh
+touch /var/log/restic/backup.log
+chmod 600 /var/log/restic/backup.log
+(
+ date
+ {{ '\n'.join(salt.pillar.get("restic:client:cmds")) | indent(2) }}
+) 2>&1 | tee -a /var/log/restic/backup.log
diff --git a/restic/files/env.sh.jinja b/restic/files/env.sh.jinja
new file mode 100644
index 0000000..8966ac5
--- /dev/null
+++ b/restic/files/env.sh.jinja
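Review bot: The new `[oauth2]` block at the end of the template reads `JWT_SECRET` directly from pillar, whereas INTERNAL_TOKEN, SECRET_KEY and LFS_JWT_SECRET all come from the minion-local `secrets.json` loaded at the top; one Gitea signing secret living in a different store with a different rotation path is easy to overlook later, so either source it the same way (`JWT_SECRET = {{ secrets['JWT_SECRET'] }}`) or put a comment above the section saying why this one is pillar-managed. The lookup has no default, so a host whose pillar lacks `gitea:config:sections:oauth2:JWT_SECRET` fails the whole render — that is a reasonable fail-closed behaviour, but worth stating in the same comment. Also note that if `oauth2` is ever added to `defaults['sections']`, the loop just above will already have emitted an `[oauth2]` header and the rendered app.ini will carry the section twice; wrapping the trailing block in `{%- if 'oauth2' not in defaults['sections'] %}` would prevent that.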
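Review bot: A failing command in the pillar-supplied `restic:client:cmds` list is invisible to the caller: the subshell has no `set -e`, so later commands (typically `forget --prune`) still run after a failed `backup`, and the script's exit status is `tee`'s, not the subshell's. Add `set -eo pipefail` directly after the shebang so the subshell stops at the first failure and the pipeline reports it. The `touch`/`chmod 600` pair on the log leaves a brief window where the file carries the default umask; `umask 077` before the `touch` (the directory is 0700 root anyway) closes it and also covers anything the commands themselves create. `salt.pillar.get("restic:client:cmds")` has no default, so a client with `restic:client` set but no `cmds` list fails the render with a TypeError from `join` rather than a clear message — `salt.pillar.get("restic:client:cmds", [])` plus a short comment on the expected shape would make that explicit.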
@@ -0,0 +1,4 @@
+#!/bin/bash
+{%- for var, val in salt.pillar.get("restic:client:environ").items() %}
+export {{ var }}={{ val }}
+{%- endfor %}
diff --git a/restic/files/install.sh.jinja b/restic/files/install.sh.jinja
new file mode 100644
index 0000000..e940468
--- /dev/null
+++ b/restic/files/install.sh.jinja
@@ -0,0 +1,18 @@
+#!/bin/bash
+{% set arch = 'arm' salt.grains.get(cpuarch).startswith('arm') else 'amd64' %}
+
+if test -z "$RESTIC_VERSION"; then
+ echo "RESTIC_VERSION is not defined"
+ exit 1
+fi
+
+URL="https://github.com/restic/restic/releases/download/v${RESTIC_VERSION}/restic_${RESTIC_VERSION}_linux_{{ arch }}.bz2"
+
+wget --quiet "${URL}" -O - | bzip2 -cd > /bin/restic.tmp
+if [ $? -eq 0 ]; then
+ chmod +x /bin/restic.tmp
+ mv /bin/restic.tmp /bin/restic
+else
+ rm -f /bin/restic.tmp
+ exit 1
+fi
diff --git a/restic/files/restic_backup.sh.jinja b/restic/files/restic_backup.sh.jinja
deleted file mode 100644
index 597b2b0..0000000
--- a/restic/files/restic_backup.sh.jinja
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/sh
-export HOME=/root
-export RESTIC_PASSWORD={{ salt.pillar.get('restic:pass') }}
-export RESTIC_REPOSITORY={{ salt.pillar.get('restic:repo') }}
-restic backup --tag files {{ salt.pillar.get('restic:files') }}
-{% if salt.pillar.get('restic:mysql', False) -%}
-mysqldump --all-databases | restic backup --stdin --stdin-filename /all_databases.sql --tag mysql
-{% endif -%}
-restic forget --keep-last 4 --tag mysql --prune
-{% if salt.pillar.get('restic:mysql', False) -%}
-restic forget --keep-last 4 --tag files --prune
-{% endif -%}
diff --git a/restic/init.sls b/restic/init.sls
new file mode 100644
index 0000000..3fdb75b
--- /dev/null
+++ b/restic/init.sls
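Review bot: `export {{ var }}={{ val }}` writes every pillar value unquoted, so a `RESTIC_PASSWORD` or repository URL containing a space, `$`, `;`, `*`, `#` or a quote is word-split or interpreted by bash when backup.sh sources this file, and a value containing `$(...)` is executed. The values come from pillar, so this is a robustness gap rather than an injection path for an untrusted party, but a strong generated password can legitimately contain any of those characters. Emit the value single-quoted with embedded quotes escaped, `export {{ var }}='{{ val | replace("'", "'\\''") }}'`, or use Salt's `quote` Jinja filter (a shlex.quote wrapper) if the minion's Salt version provides it. A one-line header comment stating that this file is sourced by backup.sh and holds the repository secret would also help the next reader understand the 0700 mode set in init.sls.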
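Review bot: The Jinja line `{% set arch = 'arm' salt.grains.get(cpuarch).startswith('arm') else 'amd64' %}` is not valid Jinja — the `if` is missing and `cpuarch` is an unquoted name — so rendering fails before the script runs; it needs to read `{% set arch = 'arm' if salt.grains.get('cpuarch').startswith('arm') else 'amd64' %}`. Beyond that, the binary is written to `/bin/restic` with no integrity check, and the `$?` test only sees bzip2's status because wget is upstream in the pipe, so a truncated or failed download that still decompresses is installed as-is; restic releases publish a `SHA256SUMS` file (and a detached signature) next to the binaries, so download into a temp dir, verify the sum, and only then move the binary into place, as sketched below. Note that on 64-bit ARM the `cpuarch` grain is typically `aarch64`, which does not start with `arm` and would select the amd64 build — if such hosts exist, map it to restic's `arm64` artifact; verifying the checksum catches the mismatch either way. Verifying against a sum fetched from the same origin guards against corruption and tampering in transit, not a compromised release; pinning the expected hash in pillar alongside `RESTIC_VERSION` would cover that too.
```bash
{% set arch = 'arm' if salt.grains.get('cpuarch').startswith('arm') else 'amd64' %}
set -o pipefail
# … unchanged: RESTIC_VERSION check …
BASE="https://github.com/restic/restic/releases/download/v${RESTIC_VERSION}"
FILE="restic_${RESTIC_VERSION}_linux_{{ arch }}.bz2"
TMP="$(mktemp -d)"
trap 'rm -rf "${TMP}"' EXIT

wget --quiet "${BASE}/${FILE}" -O "${TMP}/${FILE}" || exit 1
wget --quiet "${BASE}/SHA256SUMS" -O "${TMP}/SHA256SUMS" || exit 1
# Verify the archive against the published checksum list before unpacking it.
(cd "${TMP}" && grep " ${FILE}$" SHA256SUMS | sha256sum -c -) || { echo "checksum mismatch for ${FILE}" >&2; exit 1; }

bzip2 -cd "${TMP}/${FILE}" > /bin/restic.tmp || { rm -f /bin/restic.tmp; exit 1; }
chmod +x /bin/restic.tmp
mv /bin/restic.tmp /bin/restic
```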
@@ -0,0 +1,74 @@
+{% for client in salt.pillar.get("restic:server:clients", []) %}
+restic-{{ client }}:
+ user.present:
+ - home: {{ salt.pillar.get("restic:server:mount") }}/{{ client }}
+ - createhome: true
+ - system: true
+{% endfor %}
+
+{% if salt.pillar.get("restic:client", None) is not none %}
+{% if salt.pillar.get("restic:client:install", True)%}
+'download restic':
+ cmd.script:
+ - shell: /bin/bash
+ - source: salt://restic/files/install.sh.jinja
+ - templates: jinja
+ - unless: "/bin/restic version | grep 'restic 0.16.2 '"
+ - env:
+ - RESTIC_VERSION: 0.16.2
+{% endif %}
+
+/etc/logrotate.d/restic-backup:
+ file.managed:
+ - user: root
+ - group: root
+ - mode: 644
+ - contents: |
+ /var/log/restic/backup.log {
+ monthly
+ rotate 3
+ compress
+ missingok
+ notifempty
+ create 600 root root
+ }
+
+/opt/restic:
+ file.directory:
+ - user: root
+ - group: root
+ - mode: 700
+
+/opt/restic/env.sh:
+ file.managed:
+ - source: 'salt://restic/files/env.sh.jinja'
+ - template: jinja
+ - user: root
+ - group: root
+ - mode: 700
+ - require:
+ - file: /opt/restic
+
+/opt/restic/backup.sh:
+ file.managed:
+ - source: 'salt://restic/files/backup.sh.jinja'
+ - template: jinja
+ - user: root
+ - group: root
+ - mode: 700
+ - require:
+ - file: /opt/restic
+"/opt/restic/backup.sh 2>&1 >/dev/null":
+ cron.present:
+ - identifier: restic backup
+ - minute: random
+ - hour: 4
+ - dayweek: 0
+
+/var/log/restic:
+ file.directory:
+ - user: root
+ - group: root
+ - mode: 700
+
+{% endif %}
diff --git a/restic/map.jinja b/restic/map.jinja
deleted file mode 100644
index 47fe697..0000000
--- a/restic/map.jinja
+++ /dev/null
@@ -1,6 +0,0 @@
-
-{% if salt.grains.get('cpuarch').startswith('arm') %}
-{% set url = 'https://github.com/restic/restic/releases/download/v0.9.6/restic_0.9.6_linux_arm.bz2' %}
-{% else %}
-{% set url = 'https://github.com/restic/restic/releases/download/v0.9.6/restic_0.9.6_linux_amd64.bz2' %}
-{% endif %}
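Review bot: `- templates: jinja` under `cmd.script` in the 'download restic' state is not the argument name — it is `template` — so install.sh.jinja is never rendered and the `{% set %}` line and `{{ arch }}` reach bash literally, leaving an invalid download URL; change it to `- template: jinja`. Whether Salt rejects the unknown kwarg with an error or passes it through silently depends on the version, but either way the state cannot install restic as written. The version string is repeated in the `unless` grep and the `env` map; a single `{% set restic_version = '0.16.2' %}` at the top of the client block, used in both places, keeps them from drifting apart on the next bump. Separately, the cron entry's `2>&1 >/dev/null` routes stderr to cron mail and stdout to /dev/null, but backup.sh already folds stderr into the tee'd log, so a failed run produces no mail at all; if the log file is the intended record, write `>/dev/null 2>&1` so the intent is explicit, otherwise drop the redirection and let cron mail the log output.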
diff --git a/restic/server.sls b/restic/server.sls
deleted file mode 100644
index 616c5cd..0000000
--- a/restic/server.sls
+++ /dev/null
@@ -1,7 +0,0 @@
-
-restic-vps:
- user.present:
- - home: /mnt/bak1/restic-vps
- - uid: 1002
- - gid: 1002
-
diff --git a/top.sls b/top.sls
index f2fc270..ace14ac 100644
--- a/top.sls
+++ b/top.sls
@@ -1,22 +1,19 @@
 {{saltenv}}:
 '*':
 - common
- - users
 - salt
 {% if salt.pillar.get('restic', None) is not none %}
-# - restic.client
+ - restic
 {% endif %}
- 'fen.keiran.us':
- - workstation
- 'pawbs.keiran.us':
- - workstation
 '*.keiran.us':
+ - users
 - firewall
 - resolv
 'vps47492.inmotionhosting.com':
+ - users
 - gitea
 'kpi.keiran.us':
 - icinga2
 - nginx
-# - restic.server
+ - restic
 - samba
diff --git a/users/files/bashrc.jinja b/users/files/bashrc.jinja
index 7bb5607..207483d 100644
--- a/users/files/bashrc.jinja
+++ b/users/files/bashrc.jinja
@@ -63,9 +63,9 @@ PATH="${PATH}:${HOME}/.local/bin"
 alias random='< /dev/urandom tr -dc A-Za-z0-9 | head -c${1:-32};echo'
 {%- if bashrc_user is defined %}
-{%- if bashrc_user == 'root' and 'restic' in pillar %}
-export RESTIC_REPOSITORY={{ salt.pillar.get('restic:repo') }}
-export RESTIC_PASSWORD={{ salt.pillar.get('restic:pass') }}
+{%- if bashrc_user == 'root' and salt.pillar.get('restic:client', None) is not none %}
+export RESTIC_REPOSITORY={{ salt.pillar.get('restic:client:repo') }}
+export RESTIC_PASSWORD={{ salt.pillar.get('restic:client:pass') }}
 {%- endif %}
 {%- for alias, cmd_str in salt.pillar.get("bash_aliases:{}".format(bashrc_user), {}).items() %}
 alias {{ alias }}="{{ cmd_str }}"
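Review bot: Rendering `RESTIC_PASSWORD` into root's `.bashrc` keeps a second copy of the repository secret outside the root-only `/opt/restic/env.sh` this commit introduces, with file permissions decided by the users formula rather than the restic state, and it depends on a separate pillar key (`restic:client:pass`) that has to be kept in step with the `restic:client:environ` map by hand. Since this block only applies when `bashrc_user == 'root'`, replacing the two export lines with `[ -r /opt/restic/env.sh ] && source /opt/restic/env.sh` gives interactive root shells the same variables from the single 0700 file and removes the secret from .bashrc entirely. If the exports stay, quote the values, e.g. `export RESTIC_PASSWORD={{ salt.pillar.get('restic:client:pass') | quote }}`, so a password containing shell metacharacters survives being sourced. The enclosing `{%- if bashrc_user is defined %}` block continues past the end of the hunk.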