dotfiles/install/borg.sh

#!/bin/bash

set -e

# Packages
sudo apt update
sudo apt install -y borgbackup

# Backup script - not symlinked to avoid potential privilege escalation
sudo cp borg/backup.sh /usr/local/sbin/backup.sh
sudo chown root:root /usr/local/sbin/backup.sh
sudo chmod 744 /usr/local/sbin/backup.sh

# Passphrase
if [ ! -f /usr/local/etc/borg/passphrase.key ]; then
  sudo mkdir --parents --mode=700 /usr/local/etc/borg/
  echo '@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@'
  echo '@@    PLEASE BACKUP BORG PASSPHRASE:    @@'
  pwgen 32 1 | sudo tee /usr/local/etc/borg/passphrase.key
  echo '@@ (/usr/local/etc/borg/passphrase.key) @@'
  echo '@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@'
  read -p 'Press any key to continue..'
  sudo chmod 600 /usr/local/etc/borg/passphrase.key
fi


# Systemd service and timer - not symlinked to avoid potential privilege escalation
sudo cp borg/borg-daily.service /etc/systemd/system/
sudo cp borg/borg-daily.timer /etc/systemd/system/
sudo chown root:root /etc/systemd/system/borg-daily.service /etc/systemd/system/borg-daily.timer
sudo systemctl enable borg-daily.timer


# SSH
ssh-keyscan -t ed25519 -p 222 sigma.caspervk.net | sudo tee /root/.ssh/known_hosts  # add backup server to known_hosts
sudo ssh-keygen -t ed25519  # generate key for the root user
echo "Please add the following to ~borg/.ssh/authorized_keys on the server:"
echo "command=\"mkdir -p ~/repos/$(hostname); cd ~/repos/$(hostname); borg serve --append-only --restrict-to-path ~/repos/$(hostname)\",restrict $(sudo cat /root/.ssh/id_ed25519.pub)"
read -p 'Press any key when done to test the connection.. (should return "PTY allocation request failed on channel 0")'
sudo ssh borg@sigma.caspervk.net -p 222


# To setup the server:
# sudo apt install borgbackup
# sudo adduser --disabled-password borg
# sudo su borg
# cd ~
# mkdir --mode=700 repos/