credential-rotation #1
4 changed files with 108 additions and 30 deletions
|
@ -5,6 +5,6 @@ ADD resources /tmp/
|
||||||
RUN /tmp/install.sh
|
RUN /tmp/install.sh
|
||||||
ADD local/ /usr/local/lib/dda-backup
|
ADD local/ /usr/local/lib/dda-backup
|
||||||
RUN init-bb.bb
|
RUN init-bb.bb
|
||||||
ADD resources2 /tmp/
|
#ADD resources2 /tmp/
|
||||||
RUN install -m 0700 -o root -g root /tmp/test.bb /usr/local/bin/
|
#RUN install -m 0700 -o root -g root /tmp/test.bb /usr/local/bin/
|
||||||
RUN test.bb
|
#RUN test.bb
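Review bot: The three test steps (`ADD resources2 /tmp/`, the `install ... /tmp/test.bb` line and `RUN test.bb`) are disabled by commenting them out, and nothing says why or where the test runs instead. As rendered, this image is now built without running the backup and credential-rotation script at all. If the script is exercised by another image, deleting the lines is cleaner. If the change is temporary, a short comment such as `# test.bb disabled here: runs in <other image>` (placeholder name) would tell the next reader.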
|
||||||
|
|
|
@ -1,35 +1,87 @@
|
||||||
#!/usr/bin/env bb
|
#!/usr/bin/env bb
|
||||||
|
|
||||||
(require '[babashka.tasks :as tasks]
|
(require '[babashka.tasks :as tasks]
|
||||||
|
'[dda.backup.core :as bc]
|
||||||
'[dda.backup.cred-rot :as cr]
|
'[dda.backup.cred-rot :as cr]
|
||||||
'[dda.backup.restic :as rc]
|
'[dda.backup.restic :as rc]
|
||||||
'[dda.backup.postgresql :as pg])
|
'[dda.backup.postgresql :as pg]
|
||||||
|
'[dda.backup.backup :as bak]
|
||||||
|
'[dda.backup.restore :as rs])
|
||||||
|
|
||||||
(def restic-repo {:password-file "restic-pwd"
|
(def restic-repo {:password-file "restic-pwd"
|
||||||
:restic-repository "restic-repo"})
|
:restic-repository "/restic-repo"})
|
||||||
|
|
||||||
(def file-config (merge restic-repo {:backup-path "files"
|
(def file-config (merge restic-repo {:backup-path "files"
|
||||||
:files ["test-backup"]
|
:files ["/test-backup"]
|
||||||
:restore-target-directory "test-restore"}))
|
:restore-target-directory "/test-restore"}))
|
||||||
|
|
||||||
(def cred-config (merge restic-repo
|
|
||||||
{:new-password-config {:new-password-file "new-pw"
|
(def db-config (merge restic-repo {:backup-path "db"
|
||||||
|
:pg-db "mydb"
|
||||||
|
:pg-user "user"
|
||||||
|
:pg-password "password"}))
|
||||||
|
|
||||||
|
(def cred-config (merge file-config
|
||||||
|
{:restic-repository "/restic-repo/files"
|
||||||
|
:new-password-config {:new-password-file "new-pw"
|
||||||
:valid-from "2024-12-12 00:00:00"}}))
|
:valid-from "2024-12-12 00:00:00"}}))
|
||||||
|
|
||||||
|
|
||||||
(def dry-run {:dry-run true :debug true})
|
(def dry-run {:dry-run true :debug true})
|
||||||
|
|
||||||
(defn prepare!
|
(defn prepare!
|
||||||
[]
|
[]
|
||||||
(spit "restic-pwd" "thePassword")
|
(spit "/tmp/file_password" "file-password")
|
||||||
(spit "new-pw" "newPassword")
|
|
||||||
(tasks/shell "mkdir" "-p" "test-backup")
|
(spit "/restic-pwd" "ThePassword")
|
||||||
(spit "test-backup/file" "I was here")
|
(spit "/new-pw" "newPassword")
|
||||||
(tasks/shell "mkdir" "-p" "test-restore"))
|
|
||||||
|
(tasks/shell "mkdir" "-p" "/test-backup")
|
||||||
|
(spit "/test-backup/file" "I was here")
|
||||||
|
(tasks/shell "mkdir" "-p" "/test-restore")
|
||||||
|
(pg/create-pg-pass! db-config))
|
||||||
|
|
||||||
|
(defn check-env-or-file
|
||||||
|
[]
|
||||||
|
(println "check-env-or-file")
|
||||||
|
(println (bc/env-or-file "FILE_PASSWORD"))
|
||||||
|
(println (bc/env-or-file "ENV_PASSWORD")))
|
||||||
|
|
||||||
(defn restic-repo-init!
|
(defn restic-repo-init!
|
||||||
[]
|
[]
|
||||||
(rc/init! restic-repo))
|
(println "restic-repo-init!")
|
||||||
|
(rc/init! file-config)
|
||||||
|
(rc/init! (merge db-config dry-run)))
|
||||||
|
|
||||||
|
(defn restic-backup!
|
||||||
|
[]
|
||||||
|
(println "restic-backup!")
|
||||||
|
(bak/backup-file! file-config)
|
||||||
|
(bak/backup-db! (merge db-config dry-run)))
|
||||||
|
|
||||||
|
(defn list-snapshots!
|
||||||
|
[]
|
||||||
|
(println "list-snapshots!")
|
||||||
|
(rc/list-snapshots! file-config)
|
||||||
|
(rc/list-snapshots! (merge db-config dry-run)))
|
||||||
|
|
||||||
|
|
||||||
|
(defn restic-restore!
|
||||||
|
[]
|
||||||
|
(println "restic-restore!")
|
||||||
|
(rs/restore-file! file-config)
|
||||||
|
(pg/drop-create-db! (merge db-config dry-run))
|
||||||
|
(rs/restore-db! (merge db-config dry-run)))
|
||||||
|
|
||||||
|
(defn change-password!
|
||||||
|
[]
|
||||||
|
(println "change-password!")
|
||||||
|
(cr/change-password! cred-config))
|
||||||
|
|
||||||
|
|
||||||
(prepare!)
|
(prepare!)
|
||||||
(restic-repo-init!)
|
(restic-repo-init!)
|
||||||
(cr/change-password! cred-config)
|
(restic-backup!)
|
||||||
|
(list-snapshots!)
|
||||||
|
(restic-restore!)
|
||||||
|
(change-password!)
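Review bot: `prepare!` now writes the secret files to absolute paths (`/restic-pwd`, `/new-pw`), but on the new side as rendered `restic-repo` and `cred-config` still name them relatively (`:password-file "restic-pwd"`, `:new-password-file "new-pw"`), so the script appears to work only when the working directory is `/`. Using the same absolute path in both places, e.g. `:password-file "/restic-pwd"` and `:new-password-file "/new-pw"`, removes that dependency. `spit` also creates the files with the process's default mode, so a fixture that may be copied as a pattern would benefit from `(tasks/shell "chmod" "600" "/restic-pwd")` after writing, or at least a comment that these are throw-away test secrets. The same definitions recur in the second test script further down the page.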
|
||||||
|
|
|
@ -2,17 +2,18 @@
|
||||||
|
|
||||||
(require '[babashka.tasks :as tasks]
|
(require '[babashka.tasks :as tasks]
|
||||||
'[dda.backup.core :as bc]
|
'[dda.backup.core :as bc]
|
||||||
|
'[dda.backup.cred-rot :as cr]
|
||||||
'[dda.backup.restic :as rc]
|
'[dda.backup.restic :as rc]
|
||||||
'[dda.backup.postgresql :as pg]
|
'[dda.backup.postgresql :as pg]
|
||||||
'[dda.backup.backup :as bak]
|
'[dda.backup.backup :as bak]
|
||||||
'[dda.backup.restore :as rs])
|
'[dda.backup.restore :as rs])
|
||||||
|
|
||||||
(def restic-repo {:password-file "restic-pwd"
|
(def restic-repo {:password-file "restic-pwd"
|
||||||
:restic-repository "restic-repo"})
|
:restic-repository "/restic-repo"})
|
||||||
|
|
||||||
(def file-config (merge restic-repo {:backup-path "files"
|
(def file-config (merge restic-repo {:backup-path "files"
|
||||||
:files ["test-backup"]
|
:files ["/test-backup"]
|
||||||
:restore-target-directory "test-restore"}))
|
:restore-target-directory "/test-restore"}))
|
||||||
|
|
||||||
|
|
||||||
(def db-config (merge restic-repo {:backup-path "db"
|
(def db-config (merge restic-repo {:backup-path "db"
|
||||||
|
@ -20,43 +21,68 @@
|
||||||
:pg-user "user"
|
:pg-user "user"
|
||||||
:pg-password "password"}))
|
:pg-password "password"}))
|
||||||
|
|
||||||
|
(def cred-config (merge file-config
|
||||||
|
{:restic-repository "/restic-repo/files"
|
||||||
|
:new-password-config {:new-password-file "new-pw"
|
||||||
|
:valid-from "2024-12-12 00:00:00"}}))
|
||||||
|
|
||||||
|
|
||||||
(def dry-run {:dry-run true :debug true})
|
(def dry-run {:dry-run true :debug true})
|
||||||
|
|
||||||
(defn prepare!
|
(defn prepare!
|
||||||
[]
|
[]
|
||||||
(spit "/tmp/file_password" "file-password")
|
(spit "/tmp/file_password" "file-password")
|
||||||
(println (bc/env-or-file "FILE_PASSWORD"))
|
|
||||||
(println (bc/env-or-file "ENV_PASSWORD"))
|
(spit "/restic-pwd" "ThePassword")
|
||||||
(spit "restic-pwd" "ThePassword")
|
(spit "/new-pw" "newPassword")
|
||||||
(tasks/shell "mkdir" "-p" "test-backup")
|
|
||||||
(spit "test-backup/file" "I was here")
|
(tasks/shell "mkdir" "-p" "/test-backup")
|
||||||
(tasks/shell "mkdir" "-p" "test-restore")
|
(spit "/test-backup/file" "I was here")
|
||||||
|
(tasks/shell "mkdir" "-p" "/test-restore")
|
||||||
(pg/create-pg-pass! db-config))
|
(pg/create-pg-pass! db-config))
|
||||||
|
|
||||||
|
(defn check-env-or-file
|
||||||
|
[]
|
||||||
|
(println "check-env-or-file")
|
||||||
|
(println (bc/env-or-file "FILE_PASSWORD"))
|
||||||
|
(println (bc/env-or-file "ENV_PASSWORD")))
|
||||||
|
|
||||||
(defn restic-repo-init!
|
(defn restic-repo-init!
|
||||||
[]
|
[]
|
||||||
|
(println "restic-repo-init!")
|
||||||
(rc/init! file-config)
|
(rc/init! file-config)
|
||||||
(rc/init! (merge db-config dry-run)))
|
(rc/init! (merge db-config dry-run)))
|
||||||
|
|
||||||
(defn restic-backup!
|
(defn restic-backup!
|
||||||
[]
|
[]
|
||||||
|
(println "restic-backup!")
|
||||||
(bak/backup-file! file-config)
|
(bak/backup-file! file-config)
|
||||||
(bak/backup-db! (merge db-config dry-run)))
|
(bak/backup-db! (merge db-config dry-run)))
|
||||||
|
|
||||||
(defn list-snapshots!
|
(defn list-snapshots!
|
||||||
[]
|
[]
|
||||||
|
(println "list-snapshots!")
|
||||||
(rc/list-snapshots! file-config)
|
(rc/list-snapshots! file-config)
|
||||||
(rc/list-snapshots! (merge db-config dry-run)))
|
(rc/list-snapshots! (merge db-config dry-run)))
|
||||||
|
|
||||||
|
|
||||||
(defn restic-restore!
|
(defn restic-restore!
|
||||||
[]
|
[]
|
||||||
|
(println "restic-restore!")
|
||||||
(rs/restore-file! file-config)
|
(rs/restore-file! file-config)
|
||||||
(pg/drop-create-db! (merge db-config dry-run))
|
(pg/drop-create-db! (merge db-config dry-run))
|
||||||
(rs/restore-db! (merge db-config dry-run)))
|
(rs/restore-db! (merge db-config dry-run)))
|
||||||
|
|
||||||
|
(defn change-password!
|
||||||
|
[]
|
||||||
|
(println "change-password!")
|
||||||
|
(cr/change-password! cred-config))
|
||||||
|
|
||||||
|
|
||||||
(prepare!)
|
(prepare!)
|
||||||
|
(check-env-or-file)
|
||||||
(restic-repo-init!)
|
(restic-repo-init!)
|
||||||
(restic-backup!)
|
(restic-backup!)
|
||||||
(list-snapshots!)
|
(list-snapshots!)
|
||||||
(restic-restore!)
|
(restic-restore!)
|
||||||
|
(change-password!)
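Review bot: `check-env-or-file` prints whatever `bc/env-or-file` resolves for `FILE_PASSWORD` and `ENV_PASSWORD` to stdout, and it is now called at top level, so those values end up in the build or job log. The fixture value written to `/tmp/file_password` is harmless, but `ENV_PASSWORD` presumably comes from the environment, and the script does nothing to guarantee it is a test value. Asserting instead of printing keeps the check without echoing the secret, e.g. `(assert (= "file-password" (bc/env-or-file "FILE_PASSWORD")))` and `(assert (some? (bc/env-or-file "ENV_PASSWORD")))`.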
|
||||||
|
|
|
@ -20,7 +20,7 @@
|
||||||
[config ::cred-rot]
|
[config ::cred-rot]
|
||||||
(i/execute-out! (domain/list-passwords-command config) config))
|
(i/execute-out! (domain/list-passwords-command config) config))
|
||||||
|
|
||||||
(defn-spec change-password-step! nil?
|
(defn-spec change-password-step! ::domain/set-password-action
|
||||||
[config ::cred-rot]
|
[config ::cred-rot]
|
||||||
(when-some [new-password-config (:new-password-config config)]
|
(when-some [new-password-config (:new-password-config config)]
|
||||||
(let [{:keys [new-password-file replace-until]} new-password-config
|
(let [{:keys [new-password-file replace-until]} new-password-config
|
||||||
|
@ -31,7 +31,7 @@
|
||||||
config)]
|
config)]
|
||||||
(cond
|
(cond
|
||||||
(= action :wait-for-new-pwd)
|
(= action :wait-for-new-pwd)
|
||||||
(println "wait till new password is valid")
|
(println "nothing to do.")
|
||||||
(= action :set-new-pwd)
|
(= action :set-new-pwd)
|
||||||
(i/execute! (domain/add-password-command config) config)
|
(i/execute! (domain/add-password-command config) config)
|
||||||
(= action :remove-old-pwd)
|
(= action :remove-old-pwd)
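Review bot: The return spec of `change-password-step!` changes from `nil?` to `::domain/set-password-action`, but the branches visible in the second hunk end in `println` (which returns nil) or `i/execute!`, and `when-some` yields nil when `:new-password-config` is absent. The function body continues outside both hunks, so this is inferred: unless `action` is returned explicitly after the `cond`, the function will not conform to the new spec once instrumentation is on. Returning `action` as the last form of the `let`, with a nilable variant of the spec for the missing-config case, would make the declaration true. Separately, "nothing to do." in the `:wait-for-new-pwd` branch drops the reason from the log; `(println "nothing to do: new password is not yet valid")` keeps it for whoever audits a rotation run.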
|
||||||
|
|