credential-rotation now works

Michael Jerger 2024-12-11 19:48:23 +01:00
parent 10902da998
commit b4d9a690f9
4 changed files with 108 additions and 30 deletions


@ -5,6 +5,6 @@ ADD resources /tmp/
RUN /tmp/install.sh RUN /tmp/install.sh
ADD local/ /usr/local/lib/dda-backup ADD local/ /usr/local/lib/dda-backup
RUN init-bb.bb RUN init-bb.bb
ADD resources2 /tmp/ #ADD resources2 /tmp/
RUN install -m 0700 -o root -g root /tmp/test.bb /usr/local/bin/ #RUN install -m 0700 -o root -g root /tmp/test.bb /usr/local/bin/
RUN test.bb #RUN test.bb


@ -1,35 +1,87 @@
#!/usr/bin/env bb #!/usr/bin/env bb
(require '[babashka.tasks :as tasks] (require '[babashka.tasks :as tasks]
'[dda.backup.core :as bc]
'[dda.backup.cred-rot :as cr] '[dda.backup.cred-rot :as cr]
'[dda.backup.restic :as rc] '[dda.backup.restic :as rc]
'[dda.backup.postgresql :as pg]) '[dda.backup.postgresql :as pg]
'[dda.backup.backup :as bak]
'[dda.backup.restore :as rs])
(def restic-repo {:password-file "restic-pwd" (def restic-repo {:password-file "restic-pwd"
:restic-repository "restic-repo"}) :restic-repository "/restic-repo"})
(def file-config (merge restic-repo {:backup-path "files" (def file-config (merge restic-repo {:backup-path "files"
:files ["test-backup"] :files ["/test-backup"]
:restore-target-directory "test-restore"})) :restore-target-directory "/test-restore"}))
(def cred-config (merge restic-repo
{:new-password-config {:new-password-file "new-pw" (def db-config (merge restic-repo {:backup-path "db"
:pg-db "mydb"
:pg-user "user"
:pg-password "password"}))
(def cred-config (merge file-config
{:restic-repository "/restic-repo/files"
:new-password-config {:new-password-file "new-pw"
:valid-from "2024-12-12 00:00:00"}})) :valid-from "2024-12-12 00:00:00"}}))
(def dry-run {:dry-run true :debug true}) (def dry-run {:dry-run true :debug true})
(defn prepare! (defn prepare!
[] []
(spit "restic-pwd" "thePassword") (spit "/tmp/file_password" "file-password")
(spit "new-pw" "newPassword")
(tasks/shell "mkdir" "-p" "test-backup") (spit "/restic-pwd" "ThePassword")
(spit "test-backup/file" "I was here") (spit "/new-pw" "newPassword")
(tasks/shell "mkdir" "-p" "test-restore"))
(tasks/shell "mkdir" "-p" "/test-backup")
(spit "/test-backup/file" "I was here")
(tasks/shell "mkdir" "-p" "/test-restore")
(pg/create-pg-pass! db-config))
(defn check-env-or-file
[]
(println "check-env-or-file")
(println (bc/env-or-file "FILE_PASSWORD"))
(println (bc/env-or-file "ENV_PASSWORD")))
(defn restic-repo-init! (defn restic-repo-init!
[] []
(rc/init! restic-repo)) (println "restic-repo-init!")
(rc/init! file-config)
(rc/init! (merge db-config dry-run)))
(defn restic-backup!
[]
(println "restic-backup!")
(bak/backup-file! file-config)
(bak/backup-db! (merge db-config dry-run)))
(defn list-snapshots!
[]
(println "list-snapshots!")
(rc/list-snapshots! file-config)
(rc/list-snapshots! (merge db-config dry-run)))
(defn restic-restore!
[]
(println "restic-restore!")
(rs/restore-file! file-config)
(pg/drop-create-db! (merge db-config dry-run))
(rs/restore-db! (merge db-config dry-run)))
(defn change-password!
[]
(println "change-password!")
(cr/change-password! cred-config))
(prepare!) (prepare!)
(restic-repo-init!) (restic-repo-init!)
(cr/change-password! cred-config) (restic-backup!)
(list-snapshots!)
(restic-restore!)
(change-password!)
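Review bot: The password-file settings and the files `prepare!` writes are no longer guaranteed to be the same path: `restic-repo` still has `:password-file "restic-pwd"` and `cred-config` has `:new-password-file "new-pw"`, while `prepare!` now writes `/restic-pwd` and `/new-pw`. Assuming the library resolves these names against the working directory, the script only finds its secrets when started from `/`; from anywhere else restic would fail or read a stale file. I would make the config absolute too, `:password-file "/restic-pwd"` and `:new-password-file "/new-pw"`. The other test script in this commit has the same pair of lines.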


@ -2,17 +2,18 @@
(require '[babashka.tasks :as tasks] (require '[babashka.tasks :as tasks]
'[dda.backup.core :as bc] '[dda.backup.core :as bc]
'[dda.backup.cred-rot :as cr]
'[dda.backup.restic :as rc] '[dda.backup.restic :as rc]
'[dda.backup.postgresql :as pg] '[dda.backup.postgresql :as pg]
'[dda.backup.backup :as bak] '[dda.backup.backup :as bak]
'[dda.backup.restore :as rs]) '[dda.backup.restore :as rs])
(def restic-repo {:password-file "restic-pwd" (def restic-repo {:password-file "restic-pwd"
:restic-repository "restic-repo"}) :restic-repository "/restic-repo"})
(def file-config (merge restic-repo {:backup-path "files" (def file-config (merge restic-repo {:backup-path "files"
:files ["test-backup"] :files ["/test-backup"]
:restore-target-directory "test-restore"})) :restore-target-directory "/test-restore"}))
(def db-config (merge restic-repo {:backup-path "db" (def db-config (merge restic-repo {:backup-path "db"
@ -20,43 +21,68 @@
:pg-user "user" :pg-user "user"
:pg-password "password"})) :pg-password "password"}))
(def cred-config (merge file-config
{:restic-repository "/restic-repo/files"
:new-password-config {:new-password-file "new-pw"
:valid-from "2024-12-12 00:00:00"}}))
(def dry-run {:dry-run true :debug true}) (def dry-run {:dry-run true :debug true})
(defn prepare! (defn prepare!
[] []
(spit "/tmp/file_password" "file-password") (spit "/tmp/file_password" "file-password")
(println (bc/env-or-file "FILE_PASSWORD"))
(println (bc/env-or-file "ENV_PASSWORD")) (spit "/restic-pwd" "ThePassword")
(spit "restic-pwd" "ThePassword") (spit "/new-pw" "newPassword")
(tasks/shell "mkdir" "-p" "test-backup")
(spit "test-backup/file" "I was here") (tasks/shell "mkdir" "-p" "/test-backup")
(tasks/shell "mkdir" "-p" "test-restore") (spit "/test-backup/file" "I was here")
(tasks/shell "mkdir" "-p" "/test-restore")
(pg/create-pg-pass! db-config)) (pg/create-pg-pass! db-config))
(defn check-env-or-file
[]
(println "check-env-or-file")
(println (bc/env-or-file "FILE_PASSWORD"))
(println (bc/env-or-file "ENV_PASSWORD")))
(defn restic-repo-init! (defn restic-repo-init!
[] []
(println "restic-repo-init!")
(rc/init! file-config) (rc/init! file-config)
(rc/init! (merge db-config dry-run))) (rc/init! (merge db-config dry-run)))
(defn restic-backup! (defn restic-backup!
[] []
(println "restic-backup!")
(bak/backup-file! file-config) (bak/backup-file! file-config)
(bak/backup-db! (merge db-config dry-run))) (bak/backup-db! (merge db-config dry-run)))
(defn list-snapshots! (defn list-snapshots!
[] []
(println "list-snapshots!")
(rc/list-snapshots! file-config) (rc/list-snapshots! file-config)
(rc/list-snapshots! (merge db-config dry-run))) (rc/list-snapshots! (merge db-config dry-run)))
(defn restic-restore! (defn restic-restore!
[] []
(println "restic-restore!")
(rs/restore-file! file-config) (rs/restore-file! file-config)
(pg/drop-create-db! (merge db-config dry-run)) (pg/drop-create-db! (merge db-config dry-run))
(rs/restore-db! (merge db-config dry-run))) (rs/restore-db! (merge db-config dry-run)))
(defn change-password!
[]
(println "change-password!")
(cr/change-password! cred-config))
(prepare!) (prepare!)
(check-env-or-file)
(restic-repo-init!) (restic-repo-init!)
(restic-backup!) (restic-backup!)
(list-snapshots!) (list-snapshots!)
(restic-restore!) (restic-restore!)
(change-password!)
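Review bot: `check-env-or-file` prints whatever `bc/env-or-file` resolves for `FILE_PASSWORD` and `ENV_PASSWORD` straight to stdout, so the secret values end up in the build or CI log wherever this script runs. The values here are fixtures, but the check would be just as useful comparing against the expected value instead of echoing it, e.g. `(assert (= "file-password" (bc/env-or-file "FILE_PASSWORD")))`, assuming that variable is wired to `/tmp/file_password`. The same function is defined in the other test script of this commit. Separately, `:valid-from "2024-12-12 00:00:00"` is a fixed timestamp, so which rotation action a run exercises presumably depends on the date it is executed.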


@ -20,7 +20,7 @@
[config ::cred-rot] [config ::cred-rot]
(i/execute-out! (domain/list-passwords-command config) config)) (i/execute-out! (domain/list-passwords-command config) config))
(defn-spec change-password-step! nil? (defn-spec change-password-step! ::domain/set-password-action
[config ::cred-rot] [config ::cred-rot]
(when-some [new-password-config (:new-password-config config)] (when-some [new-password-config (:new-password-config config)]
(let [{:keys [new-password-file replace-until]} new-password-config (let [{:keys [new-password-file replace-until]} new-password-config
@ -31,7 +31,7 @@
config)] config)]
(cond (cond
(= action :wait-for-new-pwd) (= action :wait-for-new-pwd)
(println "wait till new password is valid") (println "nothing to do.")
(= action :set-new-pwd) (= action :set-new-pwd)
(i/execute! (domain/add-password-command config) config) (i/execute! (domain/add-password-command config) config)
(= action :remove-old-pwd) (= action :remove-old-pwd)