Backup GitLab running in a Container and encrypt the backup

Many GitLab instances run in a Docker or Podman container. The following is a bash script which

  1. fetches the GitLab config and the GitLab data from inside the container,
  2. then creates a symmetric key,
  3. which is in turn encrypted with an asymmetric key (certificate),
  4. and encrypts the GitLab config and data with that symmetric key,
  5. and deletes old backup data which is older than 7 days.

 

gitlab040:/srv/gitlab # cat gitlab-backup.sh
#!/bin/bash
# remove tmp files left over from a previous run
rm -rf /srv/gitlab/tmp

# create tmp directory; mode 700 because it will hold the unencrypted symmetric key
mkdir -p -m 700 /srv/gitlab/tmp

# generate backups
docker exec -t gitlab /bin/sh -c 'umask 0077; tar cfz /secret/gitlab/backups/$(date +"%Y-%m-%d-%H-%M")_config_gitlab_backup.tgz -C / etc/gitlab'
docker exec -t gitlab gitlab-backup create CRON=1 BACKUP=$(date +"%Y-%m-%d-%H-%M")_data

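# locate the newest backup files
BACKUPCONFIG=$(ls -Art /srv/gitlab/backup-config/*config_gitlab_backup.tgz | tail -n 1)
BACKUPDATA=$(ls -Art /srv/gitlab/backup-data/*data_gitlab_backup.tar | tail -n 1)

# stop if either backup is missing, otherwise the steps below run with empty file names
[ -n "$BACKUPCONFIG" ] && [ -n "$BACKUPDATA" ] || { echo "backup files not found" >&2; exit 1; }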

# generate symmetric key
openssl rand -base64 32 > /srv/gitlab/tmp/symmetric_keyfile.key

# encrypt symmetric key with the asymmetric (public) key
# (pkeyutl replaces rsautl, which is deprecated since OpenSSL 3.0)
openssl pkeyutl -encrypt -pubin -inkey /srv/gitlab/public_key.pem -in /srv/gitlab/tmp/symmetric_keyfile.key -out /srv/gitlab/tmp/symmetric_keyfile.enc

# generate hashes of the unencrypted backup files
sha1sum "$BACKUPCONFIG" > "/srv/gitlab/tmp/$(basename "$BACKUPCONFIG").sha1sum"
sha1sum "$BACKUPDATA" > "/srv/gitlab/tmp/$(basename "$BACKUPDATA").sha1sum"

# encrypt backup files with the symmetric key
# (OpenSSL 1.1.1+ warns here about the legacy key derivation; -pbkdf2 selects PBKDF2 and must then also be given when decrypting)
openssl enc -in "$BACKUPCONFIG" -out "/srv/gitlab/tmp/$(basename "$BACKUPCONFIG").enc" -e -aes256 -kfile /srv/gitlab/tmp/symmetric_keyfile.key
openssl enc -in "$BACKUPDATA" -out "/srv/gitlab/tmp/$(basename "$BACKUPDATA").enc" -e -aes256 -kfile /srv/gitlab/tmp/symmetric_keyfile.key

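# archive the encrypted backups, the encrypted symmetric key and the hashes
# (symmetric_keyfile.key does not match *.enc or *.sha1sum, so the unencrypted key stays out of the archive)
cd /srv/gitlab/tmp || exit 1
tar -cvzf /backup/gitlab-backup-$(date +"%Y-%m-%d-%H-%M").tgz *.enc *.sha1sum 1>/dev/null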

# remove tmp files
rm -rf /srv/gitlab/tmp

# delete old backups: unencrypted config and data after 7 days, encrypted archives after 30 days
find /srv/gitlab/backup-config -type f -mtime +7 -name '*config_gitlab_backup.tgz' -delete
find /srv/gitlab/backup-data -type f -mtime +7 -name '*data_gitlab_backup.tar' -delete
find /backup -type f -mtime +30 -name 'gitlab-backup-*.tgz' -delete
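
The script above covers only the backup direction. As an added example (not part of the original post), here is a restore function for the archives it produces: it decrypts symmetric_keyfile.enc with the RSA private key, decrypts each backup file and checks it against the recorded SHA-1 digest. The function name, the script name and the private key path passed to it are assumptions.

```shell
#!/bin/bash
# Added example, not from the original post: restore counterpart to gitlab-backup.sh.
# Usage: restore.sh ARCHIVE.tgz PRIVATE_KEY.pem OUTPUT_DIR   (all names are assumptions)
restore_gitlab_backup() {
    local archive="$1" privkey="$2" outdir="$3" work enc name want got status=0
    work=$(mktemp -d) || return 1
    mkdir -p "$outdir"

    # unpack the *.enc and *.sha1sum files written by the backup script
    tar -xzf "$archive" -C "$work" || { rm -rf "$work"; return 1; }

    # recover the symmetric key with the private half of public_key.pem
    openssl pkeyutl -decrypt -inkey "$privkey" \
        -in "$work/symmetric_keyfile.enc" \
        -out "$work/symmetric_keyfile.key" || { rm -rf "$work"; return 1; }

    for enc in "$work"/*.enc; do
        name=$(basename "$enc" .enc)
        [ "$name" = symmetric_keyfile ] && continue
        # same cipher and key-derivation defaults as the encrypt step
        if ! openssl enc -d -aes256 -kfile "$work/symmetric_keyfile.key" \
                -in "$enc" -out "$outdir/$name" 2>/dev/null; then
            echo "decrypt failed: $name" >&2
            rm -f "$outdir/$name"; status=1; continue
        fi
        # the .sha1sum file records the original absolute path,
        # so compare only the digest field
        want=$(cut -d' ' -f1 < "$work/$name.sha1sum")
        got=$(openssl dgst -sha1 -r "$outdir/$name" | cut -d' ' -f1)
        if [ "$want" != "$got" ]; then
            echo "hash mismatch: $name" >&2
            rm -f "$outdir/$name"; status=1
        fi
    done
    rm -rf "$work"   # also removes the decrypted symmetric key
    return "$status"
}

# run only when invoked with the three arguments
if [ "$#" -eq 3 ]; then
    restore_gitlab_backup "$@"
fi
```

Running a restore like this on a schedule is the only way to know that the private key, the archive and the hashes still fit together.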
