[BackupRestore] Add support for archive testing and encryption

1 files changed, 79 insertions, 22 deletions

diff --git a/scripts/system-backup b/scripts/system-backup
index 9d65cd2..52422bb 100755
--- a/scripts/system-backup
+++ b/scripts/system-backup
@@ -1,11 +1,31 @@
 #!/bin/bash
 
+encrypt=
+destination=
+while (( $# > 0 )); do
+	case "$1" in
+	--encrypt)
+		encrypt="$2"
+		shift
+		;;
+	--destination)
+		destination="$2"
+		shift
+		;;
+	*)
+		echo "Unknown option, '$1'"
+		exit 1
+		;;
+	esac
+	shift
+done
+
 if [ "$(whoami)" != "root" ]; then
 	echo "Must be running as root!"
 	exit 1
 fi
 
-DIR="/root/backup/$(date +%s)"
+DIR="/tmp/bwlp-backup-$(date +%s)"
 
 if [ -d "$DIR" ]; then
 	echo "Backup already running!?"
@@ -15,48 +35,85 @@ fi
 mkdir -p "$DIR"
 cd "$DIR" || exit 1
 
-mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --add-locks --add-drop-database --default-character-set=utf8 --databases openslx > openslx.sql
+trap 'rm -rf -- "$DIR"' EXIT
+
+mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --add-locks --add-drop-database --default-character-set=utf8mb4 --databases openslx > openslx.sql
 RET1=$?
-mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --add-locks --add-drop-database --default-character-set=utf8 --databases sat > sat.sql
+mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --add-locks --add-drop-database --default-character-set=utf8mb4 --databases sat > sat.sql
 RET2=$?
-if [ $RET1 -ne 0 ] || [ $RET2 -ne 0 ]; then
+if (( RET1 != 0 || RET2 != 0 )); then
 	echo "Database dump failed with exit code $RET1/$RET2"
 	exit 1
 fi
 
-FILELIST="
-	/opt/openslx/configs
-	/etc/lighttpd/server.pem
-	/etc/lighttpd/chain.pem
-	/etc/lighttpd/pub-cert.pem
-"
+FILELIST=(
+	"/opt/openslx/configs"
+	"/etc/lighttpd/server.pem"
+	"/etc/lighttpd/chain.pem"
+	"/etc/lighttpd/pub-cert.pem"
+)
 
-tar --ignore-failed-read -k -c -p -z -f files.tgz $FILELIST # no quotes here!
+tar --ignore-failed-read -k -c -p -z -f "files.tgz" "${FILELIST[@]}"
 RET=$?
-if [ $RET -ne 0 ]; then
+if (( RET != 0 )); then
 	echo "WARNING: filesystem-tar exited with code $RET - backup might be incomplete!"
 fi
 
-tar -k -c -z -f backup.tgz files.tgz openslx.sql sat.sql
+ext="tgz"
+tmpfile="/tmp/bwlp-${RANDOM}-$(date +%s)-backup.${ext}"
+tar -k -c -z -f "backup.tgz" "files.tgz" "openslx.sql" "sat.sql"
 RET=$?
-if [ ! -f backup.tgz ]; then
+if ! [ -f "backup.tgz" ]; then
 	echo "Creating backup.tgz failed!"
 	exit 1
 fi
-if [ $RET -ne 0 ]; then
+if (( RET != 0 )); then
 	echo "WARNING: final tar exited with code $RET - backup might be incomplete!"
 fi
 
-chown www-data backup.tgz
-chmod 0600 backup.tgz
-
-FILE="/tmp/bwlp-backup-$(date +%s)-${RANDOM}.tgz"
-if ! mv backup.tgz "$FILE"; then
-	echo "moving backup to $FILE failed."
+chmod 0600 "backup.tgz"
+if ! mv "backup.tgz" "$tmpfile"; then
+	echo "ERROR: Could not move backup.tgz to $tmpfile"
 	exit 1
 fi
 
-rm -rf -- /root/backup/1*
+if [ -n "$encrypt" ]; then
+	if ! openssl enc -aes-256-cbc -pbkdf2 -pass "env:$encrypt" -in "${tmpfile}" -out "${tmpfile}.aes" \
+			&& ! openssl enc -aes-256-cbc -pass "env:$encrypt" -in "${tmpfile}" -out "${tmpfile}.aes"; then
+		rm -f -- "$tmpfile"
+		echo "Error encrypting backup with openssl"
+		exit 1
+	fi
+	rm -f -- "$tmpfile"
+	ext="${ext}.aes"
+	tmpfile="${tmpfile}.aes"
+fi
+
+if [ -z "$destination" ]; then
+	# No destination given, as this is for download, give www-data user access to file
+	FILE="${tmpfile}"
+	chown www-data "${tmpfile}"
+else
+	FILE="${destination}.${ext}"
+	dir="${destination%/*}"
+	for usr in "" "dmsd" "dnbd3" "FAIL"; do
+		[ "$usr" = "FAIL" ] && break
+		if [ -z "$usr" ]; then
+			mkdir -p "$dir"
+			mv "$tmpfile" "$FILE" && break
+		else
+			chown "$usr:$(id -g "$usr")" "$tmpfile"
+			sudo -n -u "$usr" mkdir -p "$dir"
+			sudo -n -u "$usr" cp "$tmpfile" "$FILE" && break
+		fi
+	done
+	if [ "$usr" = "FAIL" ] || ! [ -s "$FILE" ]; then
+		echo "Moving backup to '$FILE' failed."
+		exit 1
+	fi
+fi
+
+chmod 0600 "$FILE"
 
 echo "Location: $FILE"
 exit 0