Backup GitLab running in a Container and encrypt the backup

Many Gitlab instances run in a docker or podman container. The following is a bash script which 

  1. fetches the gitlab-configs and the gitlab-data from inside of the container, 
  2. then creates a key (symmetric), 
  3. which is again encrypted with a asymmetric key (certificate)
  4. and encrypted the gitlab-config & data with that
  5. And it deletes old backup data which is older then 7 days

 

gitlab040:/srv/gitlab # cat gitlab-backup.sh
#!/bin/bash
# remove tmp files 
rm -rf /srv/gitlab/tmp

# create tmp directory
mkdir -p /srv/gitlab/tmp

# generate backups
docker exec -t gitlab /bin/sh -c 'umask 0077; tar cfz /secret/gitlab/backups/$(date +"%Y-%m-%d-%H-%M")_config_gitlab_backup.tgz -C / etc/gitlab'
docker exec -t gitlab gitlab-backup create CRON=1 BACKUP=$(date +"%Y-%m-%d-%H-%M")_data

# locate backup files
BACKUPCONFIG=$(ls -Art /srv/gitlab/backup-config/*config_gitlab_backup.tgz | tail -n 1)
BACKUPDATA=$(ls -Art /srv/gitlab/backup-data/*data_gitlab_backup.tar | tail -n 1)

# generate symmetric key
openssl rand -base64 32 > /srv/gitlab/tmp/symmetric_keyfile.key

# encrypt symmetric key with asm-key
openssl rsautl -encrypt -inkey /srv/gitlab/public_key.pem -pubin -in /srv/gitlab/tmp/symmetric_keyfile.key -out /srv/gitlab/tmp/symmetric_keyfile.enc

# generate hashes
sha1sum $BACKUPCONFIG >> /srv/gitlab/tmp/$(basename $BACKUPCONFIG).sha1sum
sha1sum $BACKUPDATA >> /srv/gitlab/tmp/$(basename $BACKUPDATA).sha1sum

# encrypt backup files
openssl enc -in $BACKUPCONFIG -out /srv/gitlab/tmp/$(basename $BACKUPCONFIG).enc -e -aes256 -kfile /srv/gitlab/tmp/symmetric_keyfile.key
openssl enc -in $BACKUPDATA -out /srv/gitlab/tmp/$(basename $BACKUPDATA).enc -e -aes256 -kfile /srv/gitlab/tmp/symmetric_keyfile.key

# archive backup files
cd /srv/gitlab/tmp
tar -cvzf /backup/gitlab-backup-$(date +"%Y-%m-%d-%H-%M").tgz *.enc *.sha1sum 1>/dev/null

# remove tmp files
rm -rf /srv/gitlab/tmp

# delete old config backups
find /srv/gitlab/backup-config -type f -mtime +7 -name '*config_gitlab_backup.tgz' -delete
find /srv/gitlab/backup-data -type f -mtime +7 -name '*data_gitlab_backup.tar' -delete
find /backup -type f -mtime +30 -name 'gitlab-backup-*.tgz' -delete 
at
Labels: , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Backup GitLab running in a Container and encrypt the backup

Many Gitlab instances run in a docker or podman container. The following is a bash script which  fetches the gitlab-configs and the gitlab-d...