restic formula rewrite and gitea updates

TODO

@@ -0,0 +1 @@
+restic rsa keys

gitea/app_defaults.yaml

@@ -2,6 +2,7 @@ global:
   APP_NAME: 'Gitea: Git with a cup of tea'
   RUN_USER: gitea
   RUN_MODE: prod
+  WORK_PATH: gitea
 sections:
   database:
     DB_TYPE: mysql

gitea/files/app_ini.jinja

@@ -1,35 +1,45 @@
 # Managed by salt
-{% import_yaml 'gitea/app_defaults.yaml' as defaults -%}
+{%- import_yaml 'gitea/app_defaults.yaml' as defaults %}
-{% set secrets = salt.file.read(pillar['gitea']['path'] + '/etc/secrets.json') | load_json -%}
+{%- set secrets = salt.file.read(pillar['gitea']['path'] + '/etc/secrets.json') | load_json %}
-{% set pillar_global = salt.pillar.get('gitea:config:global', {}) -%}
+{%- set pillar_global = salt.pillar.get('gitea:config:global', {}) %}
-{% set pillar_sections = salt.pillar.get('gitea:config:sections', {}) -%}
+{%- set pillar_sections = salt.pillar.get('gitea:config:sections', {}) %}
 
-{% for key in defaults['global'].keys() -%}
+{%- for key in defaults['global'].keys() %}
-{%   if key in pillar_global -%}
+{%-   if key in pillar_global %}
 {{ key }} = {{ pillar_global[key] }}
-{%   else -%}
+{%-   else %}
 {{ key }} = {{ defaults['global'][key] }}
-{%   endif -%}
+{%-   endif %}
-{% endfor %}
+{%- endfor %}
+{%- for key, val in pillar_global.items() %}
+{%-   if key not in defaults['global'] %}
+{{ key }} = {{ val }}
+{%-   endif %}
+{%- endfor %}
+
 [security]
 INTERNAL_TOKEN = {{ secrets['INTERNAL_TOKEN'] }}
 INSTALL_LOCK = true
 SECRET_KEY = {{ secrets['SECRET_KEY'] }}
 
-{% for section in defaults['sections'].keys() -%}
+{%- for section in defaults['sections'].keys() %}
+
 [{{ section }}]
-{%   if section == 'server' -%}
+{%-   if section == 'server' %}
 LFS_JWT_SECRET = {{ secrets['LFS_JWT_SECRET'] }}
-{%   elif section == 'database' -%}
+{%-   elif section == 'database' %}
 NAME = {{ pillar_sections['database']['NAME'] }}
 USER = {{ pillar_sections['database']['USER'] }}
 PASSWD = `{{ pillar_sections['database']['PASSWD'] }}`
-{%   endif -%}
+{%-   endif %}
-{%   for key in defaults['sections'][section] -%}
+{%-   for key in defaults['sections'][section] %}
-{%     if section in pillar_sections and key in pillar_sections[section] -%}
+{%-     if section in pillar_sections and key in pillar_sections[section] %}
-{{key.ljust(33)}} = {{pillar_sections[section][key]}}
+{{ key }} = {{pillar_sections[section][key]}}
-{%     else -%}
+{%-     else %}
-{{key.ljust(33)}} = {{defaults['sections'][section][key]}}
+{{ key }} = {{defaults['sections'][section][key]}}
-{%     endif -%}
+{%-     endif %}
-{%   endfor %}
+{%-   endfor %}
-{% endfor -%}
+{%- endfor %}
+
+[oauth2]
+JWT_SECRET = {{ pillar_sections['oauth2']['JWT_SECRET'] }}

restic/client.sls

@@ -1,18 +0,0 @@
-{% from "restic/map.jinja" import url with context %}
-
-'download restic':
-  cmd.run:
-    - name: 'wget {{url}} -O - | bzip2 -cd > /bin/restic ; chmod +x /bin/restic'
-    - unless: stat /bin/restic
-
-/opt/restic_backups.sh:
-  file.managed:
-    - source: 'salt://restic/files/restic_backup.sh.jinja'
-    - template: jinja
-    - user: root
-    - group: root
-    - mode: 0700
-  cron.present:
-    - minute: random
-    - hour: 4
-    - dayweek: 0

restic/files/backup.sh.jinja

@@ -0,0 +1,8 @@
+#!/bin/bash
+source /opt/restic/env.sh
+touch /var/log/restic/backup.log
+chmod 600 /var/log/restic/backup.log
+(
+  date
+  {{ '\n'.join(salt.pillar.get("restic:client:cmds")) | indent(2) }}
+) 2>&1 | tee -a /var/log/restic/backup.log

restic/files/env.sh.jinja

@@ -0,0 +1,4 @@
+#!/bin/bash
+{%- for var, val in salt.pillar.get("restic:client:environ").items() %}
+export {{ var }}={{ val }}
+{%- endfor %}

restic/files/install.sh.jinja

@@ -0,0 +1,18 @@
+#!/bin/bash
+{% set arch = 'arm' salt.grains.get(cpuarch).startswith('arm') else 'amd64' %}
+
+if test -z "$RESTIC_VERSION"; then
+  echo "RESTIC_VERSION is not defined"
+  exit 1
+fi
+
+URL="https://github.com/restic/restic/releases/download/v${RESTIC_VERSION}/restic_${RESTIC_VERSION}_linux_{{ arch }}.bz2"
+
+wget --quiet "${URL}" -O - | bzip2 -cd > /bin/restic.tmp
+if [ $? -eq 0 ]; then
+  chmod +x /bin/restic.tmp
+  mv /bin/restic.tmp /bin/restic
+else
+  rm -f /bin/restic.tmp
+  exit 1
+fi

restic/files/restic_backup.sh.jinja

@@ -1,12 +0,0 @@
-#!/bin/sh
-export HOME=/root
-export RESTIC_PASSWORD={{ salt.pillar.get('restic:pass') }}
-export RESTIC_REPOSITORY={{ salt.pillar.get('restic:repo') }}
-restic backup --tag files {{ salt.pillar.get('restic:files') }}
-{% if salt.pillar.get('restic:mysql', False) -%}
-mysqldump --all-databases | restic backup --stdin --stdin-filename /all_databases.sql --tag mysql
-{% endif -%}
-restic forget --keep-last 4 --tag mysql --prune
-{% if salt.pillar.get('restic:mysql', False) -%}
-restic forget --keep-last 4 --tag files --prune
-{% endif -%}

restic/init.sls

@@ -0,0 +1,74 @@
+{% for client in salt.pillar.get("restic:server:clients", []) %}
+restic-{{ client }}:
+  user.present:
+    - home: {{ salt.pillar.get("restic:server:mount") }}/{{ client }}
+    - createhome: true
+    - system: true
+{% endfor %}
+
+{% if salt.pillar.get("restic:client", None) is not none %}
+{%   if salt.pillar.get("restic:client:install", True)%}
+'download restic':
+  cmd.script:
+    - shell: /bin/bash
+    - source: salt://restic/files/install.sh.jinja
+    - templates: jinja
+    - unless: "/bin/restic version | grep 'restic 0.16.2 '"
+    - env:
+       - RESTIC_VERSION: 0.16.2
+{%   endif %}
+
+/etc/logrotate.d/restic-backup:
+  file.managed:
+    - user: root
+    - group: root
+    - mode: 644
+    - contents: |
+        /var/log/restic/backup.log {
+            monthly
+            rotate 3
+            compress
+            missingok
+            notifempty
+            create 600 root root
+        }
+
+/opt/restic:
+  file.directory:
+    - user: root
+    - group: root
+    - mode: 700
+
+/opt/restic/env.sh:
+  file.managed:
+    - source: 'salt://restic/files/env.sh.jinja'
+    - template: jinja
+    - user: root
+    - group: root
+    - mode: 700
+    - require:
+      - file: /opt/restic
+
+/opt/restic/backup.sh:
+  file.managed:
+    - source: 'salt://restic/files/backup.sh.jinja'
+    - template: jinja
+    - user: root
+    - group: root
+    - mode: 700
+    - require:
+      - file: /opt/restic
+"/opt/restic/backup.sh 2>&1 >/dev/null":
+  cron.present:
+    - identifier: restic backup
+    - minute: random
+    - hour: 4
+    - dayweek: 0
+
+/var/log/restic:
+  file.directory:
+    - user: root
+    - group: root
+    - mode: 700
+
+{% endif %}

restic/map.jinja

@@ -1,6 +0,0 @@
-
-{% if salt.grains.get('cpuarch').startswith('arm') %}
-{%   set url = 'https://github.com/restic/restic/releases/download/v0.9.6/restic_0.9.6_linux_arm.bz2' %}
-{% else %}
-{%   set url = 'https://github.com/restic/restic/releases/download/v0.9.6/restic_0.9.6_linux_amd64.bz2' %}
-{% endif %}

restic/server.sls

@@ -1,7 +0,0 @@
-
-restic-vps:
-  user.present:
-    - home: /mnt/bak1/restic-vps
-    - uid: 1002
-    - gid: 1002
-

top.sls

@@ -1,22 +1,19 @@
 {{saltenv}}:
   '*':
     - common
-    - users
     - salt
 {% if salt.pillar.get('restic', None) is not none %}
-#    - restic.client
+    - restic
 {% endif %}
-  'fen.keiran.us':
-    - workstation
-  'pawbs.keiran.us':
-    - workstation
   '*.keiran.us':
+    - users
     - firewall
     - resolv
   'vps47492.inmotionhosting.com':
+    - users
     - gitea
   'kpi.keiran.us':
     - icinga2
     - nginx
-#    - restic.server
+    - restic
     - samba

users/files/bashrc.jinja

@@ -63,9 +63,9 @@ PATH="${PATH}:${HOME}/.local/bin"
 
 alias random='< /dev/urandom tr -dc A-Za-z0-9 | head -c${1:-32};echo'
 {%- if bashrc_user is defined %}
-{%-   if bashrc_user == 'root' and 'restic' in pillar %}
+{%-   if bashrc_user == 'root' and salt.pillar.get('restic:client', None) is not none %}
-export RESTIC_REPOSITORY={{ salt.pillar.get('restic:repo') }}
+export RESTIC_REPOSITORY={{ salt.pillar.get('restic:client:repo') }}
-export RESTIC_PASSWORD={{ salt.pillar.get('restic:pass') }}
+export RESTIC_PASSWORD={{ salt.pillar.get('restic:client:pass') }}
 {%-   endif %}
 {%-   for alias, cmd_str in salt.pillar.get("bash_aliases:{}".format(bashrc_user), {}).items() %}
 alias {{ alias }}="{{ cmd_str }}"