h0tw1r3 · August 29, 2023 15:15
diff --git a/pe-backup.sh b/pe-backup.sh
 #!/bin/bash
 #
 # Puppet Enterprise backup script
 #
 # Limits retained backup archives
 # Optionally creates a backup of the PE service secure keys
 #
 # All arguments supplied via environment variables.
 #
 # License: MIT
 #          https://opensource.org/licenses/MIT
 # Copyright: 2022 Jeffrey Clark
 #            https://github.com/h0tw1r3

 set -o pipefail

 ENVIRONMENT="${ENVIRONMENT:-production}"
 BACKUP_DIR="${BACKUP_DIR:-/var/puppetlabs/backups}/${ENVIRONMENT}"
 SCOPE="${SCOPE:-all}"
 KEYS="${KEYS:-1}"
 RETAIN="${RETAIN:-4}"
 UMASK="${UMASK:-027}"

 last_backup() {
  find "${BACKUP_DIR}" -name "pe_backup*tgz" -printf "%T@\t%p\0" | sort -zrn | awk 'BEGIN{RS=ORS="\x00";FS="\t"} NR==1 { print $2 }' | tr -d '\0'
 }

 check_brc() {
  if [ $BRC -ne 0 ] ; then
      echo >&2 "error ${BRC} creating puppet backup"
      exit $BRC
  fi
 }

 tidy_all() {
    tidy_match "pe_backup*tgz"
    tidy_match "keys-pe_backup*tgz"
 }

 tidy_match() {
  find "${BACKUP_DIR}" -name "$1" -printf "%T@\t%p\0" | \
    sort -zrn | awk 'BEGIN{RS=ORS="\x00";FS="\t"} NR>'$RETAIN' { print $2 }' | \
    xargs -0 -n1 --no-run-if-empty rm -v
 }

 check_permissions() {
  if [ ! -d "${BACKUP_DIR}" ] ; then
    echo >&2 "${BACKUP_DIR} is not a directory" && exit 2
  fi

  if [ ! -w "${BACKUP_DIR}" ] ; then
    echo >&2 "${BACKUP_DIR} is not writable by ${USER}" && exit 1
  fi

  if find "${BACKUP_DIR}" -perm -o+r -type d | grep -q '.*' ; then
    echo >&2 "WARNING! ${BACKUP_DIR} is readable by all users"
    echo >&2 "recommend: chgrp pe-postgres ${BACKUP_DIR} && chmod 770 ${BACKUP_DIR}"
  fi
 }

 # send output to system logger if non-interactive (cron)
 if [ ! -t 0 ] ; then
  coproc { stdbuf -oL logger -i -e -t pe-backup -p local7.info; }
  exec 1>&${COPROC[1]}
  exec 2>&${COPROC[2]}
 fi

 check_permissions

 umask $UMASK

 /opt/puppetlabs/bin/puppet-backup create --pe-environment=${ENVIRONMENT} --scope=${SCOPE} --dir=${BACKUP_DIR} | sed '/^$/d' && BRC=$? || BRC=$?

 check_brc

 if [ "${KEYS}x" != "x" ] && [ "${KEYS}x" != "0x" ] ; then
    NEW_BACKUP=$(last_backup)
    echo "backing up pe service encryption keys"
    tar czf ${BACKUP_DIR}/keys-$(basename $NEW_BACKUP) -C / etc/puppetlabs/orchestration-services/conf.d/secrets/ etc/puppetlabs/console-services/conf.d/secrets/ && BRC=$? || BRC=$?
    check_brc
 fi

 echo "tidy backups, retaining the last $RETAIN"
 tidy_all
	#!/bin/bash
	#
	# Puppet Enterprise backup script
	#
	# Limits retained backup archives
	# Optionally creates a backup of the PE service secure keys
	#
	# All arguments supplied via environment variables.
	#
	# License: MIT
	# https://opensource.org/licenses/MIT
	# Copyright: 2022 Jeffrey Clark
	# https://github.com/h0tw1r3

	set -o pipefail

	ENVIRONMENT="${ENVIRONMENT:-production}"
	BACKUP_DIR="${BACKUP_DIR:-/var/puppetlabs/backups}/${ENVIRONMENT}"
	SCOPE="${SCOPE:-all}"
	KEYS="${KEYS:-1}"
	RETAIN="${RETAIN:-4}"
	UMASK="${UMASK:-027}"

	last_backup() {
	find "${BACKUP_DIR}" -name "pe_backup*tgz" -printf "%T@\t%p\0" \| sort -zrn \| awk 'BEGIN{RS=ORS="\x00";FS="\t"} NR==1 { print $2 }' \| tr -d '\0'
	}

	check_brc() {
	if [ $BRC -ne 0 ] ; then
	echo >&2 "error ${BRC} creating puppet backup"
	exit $BRC
	fi
	}

	tidy_all() {
	tidy_match "pe_backup*tgz"
	tidy_match "keys-pe_backup*tgz"
	}

	tidy_match() {
	find "${BACKUP_DIR}" -name "$1" -printf "%T@\t%p\0" \| \
	sort -zrn \| awk 'BEGIN{RS=ORS="\x00";FS="\t"} NR>'$RETAIN' { print $2 }' \| \
	xargs -0 -n1 --no-run-if-empty rm -v
	}

	check_permissions() {
	if [ ! -d "${BACKUP_DIR}" ] ; then
	echo >&2 "${BACKUP_DIR} is not a directory" && exit 2
	fi

	if [ ! -w "${BACKUP_DIR}" ] ; then
	echo >&2 "${BACKUP_DIR} is not writable by ${USER}" && exit 1
	fi

	if find "${BACKUP_DIR}" -perm -o+r -type d \| grep -q '.*' ; then
	echo >&2 "WARNING! ${BACKUP_DIR} is readable by all users"
	echo >&2 "recommend: chgrp pe-postgres ${BACKUP_DIR} && chmod 770 ${BACKUP_DIR}"
	fi
	}

	# send output to system logger if non-interactive (cron)
	if [ ! -t 0 ] ; then
	coproc { stdbuf -oL logger -i -e -t pe-backup -p local7.info; }
	exec 1>&${COPROC[1]}
	exec 2>&${COPROC[2]}
	fi

	check_permissions

	umask $UMASK

	/opt/puppetlabs/bin/puppet-backup create --pe-environment=${ENVIRONMENT} --scope=${SCOPE} --dir=${BACKUP_DIR} \| sed '/^$/d' && BRC=$? \|\| BRC=$?

	check_brc

	if [ "${KEYS}x" != "x" ] && [ "${KEYS}x" != "0x" ] ; then
	NEW_BACKUP=$(last_backup)
	echo "backing up pe service encryption keys"
	tar czf ${BACKUP_DIR}/keys-$(basename $NEW_BACKUP) -C / etc/puppetlabs/orchestration-services/conf.d/secrets/ etc/puppetlabs/console-services/conf.d/secrets/ && BRC=$? \|\| BRC=$?
	check_brc
	fi

	echo "tidy backups, retaining the last $RETAIN"
	tidy_all