Duplicity jail

Setup for Duplicity service jail with iocage.

On FreeNAS

Create jail:

iocage create --release 11.1-RELEASE --name duplicity \
    boot="on" vnet=on \
    allow_raw_sockets="1" \
    ip4_addr="vnet1|172.20.40.41/24" \
    interfaces="vnet1:bridge1" \
    defaultrouter="172.20.40.1" \
    resolver="search ramsden.network;nameserver 172.20.40.1;nameserver 8.8.8.8"

Create a user on FreeNAS with UID 983 and a nologin shell, to match the user in the jail.

Nullfs mount the datasets to back up into the jail:

Duplicity data:

iocage exec duplicity 'mkdir -p /mnt/duplicity/data'
iocage fstab --add duplicity '/mnt/tank/data/syncthing/sync /mnt/duplicity/data nullfs rw 0 0'

Start jail and enter.

iocage console duplicity

Jail

In the jail, update all packages and install duplicity and py27-boto.

pkg update && pkg upgrade
pkg install duplicity py27-boto

Create a user with uid 983 to match mounted data.

pw useradd -n duplicity -u 983

Add script /usr/local/scripts/duplicitybak, put secrets in /usr/local/scripts/duplicitybak.auth.

#!/bin/sh
# on freebsd install duplicity, py27-boto
# Place auth variables: PASSPHRASE, GS_ACCESS_KEY_ID, GS_SECRET_ACCESS_KEY
. "/usr/local/scripts/duplicitybak.auth"
# Folders to backup
BACKUP_DATA_REGEXP='Workspace|Computer|Personal|Pictures|University'
BACKUP_ROOT="/mnt/duplicity/data"
# GS configuration variables
GS_BUCKET="johnramsdenbackup"
# Remove files older than 60 days from GS
duplicity remove-older-than 60D --force gs://${GS_BUCKET}
# Sync everything to GS
duplicity --include-regexp "${BACKUP_DATA_REGEXP}" \
          --exclude='**' \
          ${BACKUP_ROOT} gs://${GS_BUCKET}
# Cleanup failures
duplicity cleanup --force gs://${GS_BUCKET}
unset PASSPHRASE
unset GS_ACCESS_KEY_ID
unset GS_SECRET_ACCESS_KEY

Secrets in /usr/local/scripts/duplicitybak.auth:

# Create password to use for symmetric GPG encryption
export PASSPHRASE=""
# Create GS bucket, https://console.cloud.google.com/storage/
# enable interoperable access, get keys
export GS_ACCESS_KEY_ID=""
export GS_SECRET_ACCESS_KEY=""
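The backup script sources duplicitybak.auth, so the file both holds the GPG passphrase and GS keys in plaintext and is executed as shell code by whoever runs the script. As an added example (not part of the original page), a preflight check that refuses to load the file unless it is a regular file, owned by the calling user, with no group or other permissions; `check_auth_file` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example, not from the original page.
# check_auth_file (hypothetical name) validates the secrets file before
# the backup script sources it. Returns 0 if safe to load, 1 otherwise.

check_auth_file() {
    f="$1"

    # Must exist, be a regular file, and not be a symlink.
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "auth file $f: missing, not a regular file, or a symlink" >&2
        return 1
    fi

    # ls -ldn is POSIX: field 1 is the mode string, field 3 the numeric
    # owner. This avoids stat(1), whose flags differ on FreeBSD and Linux.
    info=$(ls -ldn "$f") || return 1
    mode=$(printf '%s\n' "$info" | awk '{print $1}')
    owner=$(printf '%s\n' "$info" | awk '{print $3}')

    # Owner must be the user running the script, since the file is sourced.
    if [ "$owner" != "$(id -u)" ]; then
        echo "auth file $f: owned by uid $owner, expected $(id -u)" >&2
        return 1
    fi

    # Characters 5-10 of the mode string are the group and other bits;
    # all six must be '-' (for example -rw------- or -r--------).
    case "$mode" in
        -???------*) return 0 ;;
        *)
            echo "auth file $f: mode $mode allows group/other access" >&2
            return 1
            ;;
    esac
}

# In duplicitybak, the bare `. "/usr/local/scripts/duplicitybak.auth"`
# line would become:
#   AUTH="/usr/local/scripts/duplicitybak.auth"
#   check_auth_file "${AUTH}" || exit 1
#   . "${AUTH}"
```

A file created with `chmod 600 /usr/local/scripts/duplicitybak.auth` passes this check.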

Set executable:

chmod +x /usr/local/scripts/duplicitybak

Now it can be run from a crontab outside of the jail:

iocage exec duplicity /usr/local/scripts/duplicitybak
