ovh/the-bastion
1
1
Fork 0
mirror of https://github.com/ovh/the-bastion.git synced 2025-01-01 13:01:53 +08:00
Code Issues Projects Releases Packages Wiki Activity
the-bastion/etc/bastion/osh-backup-acl-keys.conf.dist
Stéphane Lesimple ee776707c1 chore: standardize doc generation for config files
2022-02-09 14:31:33 +01:00

106 lines
4.3 KiB
Text
Raw Blame History

###############################################################################
## Config for ``bin/cron/osh-backup-acl-keys.sh``
##
## Any file in ``/etc/bastion/osh-backup-acl-keys.conf.d`` will also be
## sourced, in alphabetical order, and take precedence over any
## option specified in this file.
##
## Please ensure this file is owned by root and readable by root only.
##
## As it'll be sourced, THIS FILE MUST BE A VALID SHELL SCRIPT.
##
#@ .. note::
#@
#@ This script is called by cron and is responsible
#@ for backing up the bastion configuration, users & groups lists,
#@ credentials, and everything needed to be able to restore a functioning
#@ bastion from scratch.
#@
#@ .. warning::
#@
#@ If left unconfigured, this script won't do anything,
#@ and you won't have backups, unless this task is handled by
#@ some other external system.
###############################################################################
#
# > Logging & activation
# >> Script logging configuration and script activation
#
# LOGFILE (string, path to a file)
# DESC: File where the logs will be written to (don't forget to configure ``logrotate``!).
# Note that using this configuration option, the script will directly write to the file, without using syslog.
# If empty, won't log directly to any file.
# DEFAULT: ""
LOGFILE=""
#
# LOG_FACILITY (string)
# DESC: The syslog facility to use for logging the script output.
# If set to the empty string, we'll not log through syslog at all.
# If this configuration option is missing from your config file altogether,
# the default value will be used (local6), which means that we'll log to syslog.
# DEFAULT: "local6"
LOG_FACILITY="local6"
#
# ENABLED (0 or 1)
# DESC: If set to 1, the script is enabled and will run when started by crond.
# DEFAULT: 1
ENABLED=1
#
# > Backup policy
# >> These options configure the backup policy to apply
#
# DESTDIR (path to a folder)
# DESC: Folder where to put the backup artefacts (``.tar.gz`` files).
# This folder will be created if needed. If empty or omitted,
# the script won't run: this option is mandatory.
# EXAMPLE: "/root/backups"
# DEFAULT: ""
DESTDIR=""
#
# DAYSTOKEEP (int > 0)
# DESC: Number of days to keep the old backups on the filesystem before deleting them.
# DEFAULT: 90
DAYSTOKEEP=90
#
# > Encryption and signing
# >> These options configure how the script uses GPG to encrypt and sign the ttyrec files
#
# GPGKEYS (string, space-separated list of GPG keys IDs)
# DESC: List of public GPG keys to encrypt to (see ``gpg --list-keys``), these must be separated by spaces.
# Note that if this option is empty or omitted, backup artefacts will NOT be encrypted!
# EXAMPLE: "41FDB9C7 DA97EFD1 339483FF"
# DEFAULT: ""
GPGKEYS=""
#
# SIGNING_KEY (string, GPG key ID in short or long format)
# DESC: ID of the GPG key used to sign the ttyrec files.
# The key must be in the local root keyring, check it with ``gpg --list-secret-keys``.
# If empty, the archives will not be signed, but encrypted only (using the GPGKEYS configuration above).
# DEFAULT: (none)
SIGNING_KEY=""
#
# SIGNING_KEY_PASSPHRASE (string)
# DESC: This passphrase should be able to unlock the SIGNING_KEY defined above.
# Please ensure this configuration file only readable by root (0640), to protect this passphrase.
# As a security measure, the script will refuse to read the configuration otherwise.
# DEFAULT: (none)
SIGNING_KEY_PASSPHRASE=""
#
# > Remote backup
# >> These options configure how the script should push the encrypted backups to a remote system
#
# PUSH_REMOTE (string)
# DESC: The ``scp`` remote host push backups to. If empty or missing, won't push backups.
# This will also be the case if the ``GPGKEYS`` option above is empty or missing,
# because we will never push unencrypted backups.
# Don't forget to put a trailing ``/`` (except if you want to push to the remote ``$HOME``,
# in which case ending with a simple ``:`` works, as per standard ``scp``).
# EXAMPLE: "push@192.0.2.4:~/backup/"
# DEFAULT: ""
PUSH_REMOTE=""
#
# PUSH_OPTIONS (string)
# DESC: Additional options to pass to ``scp``, if needed.
# EXAMPLE: "-i $HOME/.ssh/id_backup"
# DEFAULT: ""
PUSH_OPTIONS=""
Reference in a new issue View git blame Copy permalink