From 5f35a74bd13c173c6dca6ae591692f5174b32c63 Mon Sep 17 00:00:00 2001
From: Bill Kaguru Wanjohi
Date: Fri, 26 Apr 2019 14:26:05 +0000
Subject: [PATCH 1/3] use template files to improve security, reproducibility
---
 .gitignore | 2 ++
 Makefile | 13 ++++++++++---
 etc/restic/{b2_env.sh => b2_env.sh.template} | 0
 etc/restic/{b2_pw.txt => b2_pw.txt.template} | 0
 4 files changed, 12 insertions(+), 3 deletions(-)
 create mode 100644 .gitignore
 rename etc/restic/{b2_env.sh => b2_env.sh.template} (100%)
 rename etc/restic/{b2_pw.txt => b2_pw.txt.template} (100%)
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..4836d90
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+b2_env.sh
+b2_pw.txt
diff --git a/Makefile b/Makefile
index 1058ffd..7a239f1 100644
--- a/Makefile
+++ b/Makefile
@@ -3,7 +3,7 @@
 ### Macros ###
 SRCS_SCRIPTS = $(filter-out %cron_mail, $(wildcard usr/local/sbin/*))
-SRCS_CONF = $(wildcard etc/restic/*)
+SRCS_CONF = $(filter-out %template, $(wildcard etc/restic/*))
 SRCS_EXCLUDE = .backup_exclude
 SRCS_SYSTEMD = $(wildcard etc/systemd/system/*)
@@ -32,10 +32,17 @@ install-scripts:
 install -d $(DEST_SCRIPTS)
 install -m 744 $(SRCS_SCRIPTS) $(DEST_SCRIPTS)
+etc/restic/b2_env.sh:
+ install -m 0600 etc/restic/b2_env.sh.template etc/restic/b2_env.sh
+
+etc/restic/b2_pw.txt:
+ install -m 0600 etc/restic/b2_pw.txt.template etc/restic/b2_pw.txt
+
 # target: install-conf - Install restic configuration files.
-install-conf:
+# will create these files locally only if they don't already exist
+install-conf: | etc/restic/b2_env.sh etc/restic/b2_pw.txt
 install -d $(DEST_CONF) -m 700
- install $(SRCS_CONF) $(DEST_CONF)
+ install -m 0600 $(SRCS_CONF) $(DEST_CONF)
 # target: install-exclude - Install backup exclude file.
 install-exclude:
diff --git a/etc/restic/b2_env.sh b/etc/restic/b2_env.sh.template
similarity index 100%
rename from etc/restic/b2_env.sh
rename to etc/restic/b2_env.sh.template
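Review bot: `SRCS_CONF` only picks up `b2_env.sh` and `b2_pw.txt` if they already exist when the variable is expanded, and nothing on the assignment in the `### Macros ###` hunk says so. On a fresh clone only the `.template` files are present, so the list is non-empty solely because `=` defers `$(wildcard ...)` until the `install-conf` recipe runs; a later switch to `:=` would leave it empty. I would add `# keep '=': the credential files are created by install-conf's order-only prerequisites` above the line. GNU make may also answer `$(wildcard)` from a directory listing it cached before those files were created, so it is worth confirming `make install-conf` on a clean checkout installs both files; naming the two files explicitly would avoid the question.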
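Review bot: `install-conf` in the `@@ -32,10 +32,17 @@` hunk copies the working-tree `b2_env.sh` and `b2_pw.txt` over whatever is already in `$(DEST_CONF)`, and with the new rules those files can be freshly generated, unedited copies of the templates. The template contents are not visible here (the renames are 100% similar), but if they hold placeholders, `make install` from a new clone on an already configured host would replace the live B2 keys and repository password. Consider keeping the previous copy with `install -b -m 0600 $(SRCS_CONF) $(DEST_CONF)`, or refusing to install while a file is still identical to its template. The two new rules also spell out their file names twice; `install -m 0600 $@.template $@` does the same with less room for a copy-paste slip.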
diff --git a/etc/restic/b2_pw.txt b/etc/restic/b2_pw.txt.template
similarity index 100%
rename from etc/restic/b2_pw.txt
rename to etc/restic/b2_pw.txt.template
From 280ab682c6f16fe9665634c5da56ab5e3c4ab5be Mon Sep 17 00:00:00 2001
From: Bill Kaguru Wanjohi
Date: Fri, 26 Apr 2019 14:27:03 +0000
Subject: [PATCH 2/3] clean up some other file permissions
---
 Makefile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Makefile b/Makefile
index 7a239f1..5562134 100644
--- a/Makefile
+++ b/Makefile
@@ -30,7 +30,7 @@ install: install-scripts install-conf install-exclude install-systemd
 # target: install-scripts - Install executables.
 install-scripts:
 install -d $(DEST_SCRIPTS)
- install -m 744 $(SRCS_SCRIPTS) $(DEST_SCRIPTS)
+ install -m 0744 $(SRCS_SCRIPTS) $(DEST_SCRIPTS)
 etc/restic/b2_env.sh:
 install -m 0600 etc/restic/b2_env.sh.template etc/restic/b2_env.sh
@@ -41,7 +41,7 @@ etc/restic/b2_pw.txt:
 # target: install-conf - Install restic configuration files.
 # will create these files locally only if they don't already exist
 install-conf: | etc/restic/b2_env.sh etc/restic/b2_pw.txt
- install -d $(DEST_CONF) -m 700
+ install -d $(DEST_CONF)
 install -m 0600 $(SRCS_CONF) $(DEST_CONF)
 # target: install-exclude - Install backup exclude file.
@@ -51,4 +51,4 @@ install-exclude:
 # target: install-systemd - Install systemd timer and service files
 install-systemd:
 install -d $(DEST_SYSTEMD)
- install -m 0644 $(SRCS_SYSTEMD) $(DEST_SYSTEMD)
+ install $(SRCS_SYSTEMD) $(DEST_SYSTEMD)
From 91c5b98f85c6cb84fdabb5178d26753709fae83f Mon Sep 17 00:00:00 2001
From: Bill Kaguru Wanjohi
Date: Fri, 26 Apr 2019 14:35:51 +0000
Subject: [PATCH 3/3] typos
---
 usr/local/sbin/restic_check.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/usr/local/sbin/restic_check.sh b/usr/local/sbin/restic_check.sh
index 46384ce..8b54786 100644
--- a/usr/local/sbin/restic_check.sh
+++ b/usr/local/sbin/restic_check.sh
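Review bot: Dropping `-m 700` from `install -d $(DEST_CONF)` in the `@@ -41,7 +41,7 @@` hunk loosens the directory that holds the B2 keys and the repository password: without `-m`, `install -d` creates it with its default mode (0755 with GNU install), so any local user can list and enter it. The files are still installed `0600` on the next line, but the directory mode was the second layer, and anything later placed there with a looser mode would become readable. I would keep the restriction and only normalise the spelling: `install -d -m 0700 $(DEST_CONF)`. `DEST_CONF` is defined outside this hunk.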
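Review bot: Removing `-m 0644` from the `install-systemd` recipe in the `@@ -51,4 +51,4 @@` hunk makes `install` fall back to its default mode, which is 0755 for regular files, so the timer and service files would be installed executable. systemd never executes unit files and logs a warning for ones marked executable, so this widens permissions without any gain. Suggest keeping `install -m 0644 $(SRCS_SYSTEMD) $(DEST_SYSTEMD)`.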
@@ -22,7 +22,7 @@ source /etc/restic/b2_env.sh
 B2_CONNECTIONS=50
 # Remove locks from other stale processes to keep the automated backup running.
-# NOTE nope, dont' unlock liek restic_backup.sh. restic_backup.sh should take preceedance over this script.
+# NOTE nope, don't unlock like restic_backup.sh. restic_backup.sh should take precedence over this script.
 #restic unlock &
 #wait $!