Many Gitlab instances run in a docker or podman container. The following is a bash script which
- fetches the gitlab-config and the gitlab-data from inside the container,
- then creates a symmetric key,
- which is in turn encrypted with an asymmetric key (certificate),
- and encrypts the gitlab-config & data with that symmetric key,
- and deletes backup data that is older than 7 days.
gitlab040:/srv/gitlab # cat gitlab-backup.sh
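#!/bin/bash
#
# gitlab-backup.sh - back up a containerised GitLab and encrypt the result.
#
# Steps:
#   1. create a config tarball and a data backup inside the "gitlab" container
#      (the script expects them to appear on the host under
#      /srv/gitlab/backup-config and /srv/gitlab/backup-data, as the original
#      lookup did),
#   2. generate a fresh random symmetric key and wrap it with the public key in
#      /srv/gitlab/public_key.pem,
#   3. checksum and AES-256-encrypt both backup files with the symmetric key,
#   4. bundle ciphertexts, checksums and the wrapped key into
#      /backup/gitlab-backup-<timestamp>.tgz,
#   5. prune raw config/data backups older than 7 days and archives older
#      than 30 days.
#
# The plaintext symmetric key only exists inside a mode-0700 work directory
# that is removed on every exit path, including failures.
#
# Decrypting: unwrap the key with `openssl pkeyutl -decrypt`, then run
# `openssl enc -d -aes256 -pbkdf2 -kfile <key>` (same KDF flags as used here).
set -euo pipefail
umask 077   # key material and the final archive must not be world-readable

readonly GITLAB_DIR=/srv/gitlab
readonly ARCHIVE_DIR=/backup
readonly PUBLIC_KEY="${GITLAB_DIR}/public_key.pem"
readonly CONTAINER=gitlab

die() { printf 'gitlab-backup: %s\n' "$*" >&2; exit 1; }

# Work directory holding the plaintext key and ciphertexts; the EXIT trap
# removes it whether the run succeeds or dies half way.
work_dir=
cleanup() {
  if [[ -n "$work_dir" ]]; then
    rm -rf -- "$work_dir"
  fi
}
trap cleanup EXIT

#######################################
# Run the backup commands inside the container.
# Arguments: $1 - timestamp (digits and dashes only) used in both file names
# Returns:   exits via die if either docker exec fails
#######################################
create_backups() {
  local stamp=$1
  # $stamp is host-generated and contains only [0-9-], so interpolating it
  # into the sh -c string cannot change the command; umask keeps the tarball 0600.
  docker exec -t "$CONTAINER" /bin/sh -c \
    "umask 0077; tar cfz /secret/gitlab/backups/${stamp}_config_gitlab_backup.tgz -C / etc/gitlab" \
    || die "config backup failed"
  # gitlab-backup names its output <BACKUP>_gitlab_backup.tar.
  docker exec -t "$CONTAINER" gitlab-backup create CRON=1 "BACKUP=${stamp}_data" \
    || die "data backup failed"
}

#######################################
# Write a SHA-256 checksum file for a backup into the work directory.
# Arguments: $1 - file to hash
#            $2 - output directory
# Outputs:   $2/<basename of $1>.sha256sum, recording only the basename so it
#            verifies after the file is restored into any directory
#######################################
write_checksum() {
  local file=$1 out_dir=$2
  (cd "$(dirname -- "$file")" && sha256sum -- "$(basename -- "$file")") \
    > "${out_dir}/$(basename -- "$file").sha256sum"
}

#######################################
# Encrypt a backup file with the symmetric key.
# Arguments: $1 - plaintext file
#            $2 - key file (first line is used as the password)
#            $3 - output directory
# Outputs:   $3/<basename of $1>.enc
#######################################
encrypt_file() {
  local file=$1 key_file=$2 out_dir=$3
  # -pbkdf2: without it openssl derives the key with the legacy EVP_BytesToKey
  # scheme (and warns); the decrypting side must pass -pbkdf2 as well.
  openssl enc -e -aes256 -pbkdf2 -kfile "$key_file" \
    -in "$file" -out "${out_dir}/$(basename -- "$file").enc"
}

main() {
  local stamp backup_config backup_data key_file
  # One timestamp for the whole run so both backup names agree even across a
  # minute boundary; the original called date twice.
  stamp=$(date +"%Y-%m-%d-%H-%M")
  work_dir=$(mktemp -d "${GITLAB_DIR}/tmp.XXXXXX") || die "cannot create work dir"
  key_file="${work_dir}/symmetric_keyfile.key"

  create_backups "$stamp"

  # Expect exactly the files this run produced instead of parsing `ls` for the
  # newest match, which could silently pick up a stale backup.
  backup_config="${GITLAB_DIR}/backup-config/${stamp}_config_gitlab_backup.tgz"
  backup_data="${GITLAB_DIR}/backup-data/${stamp}_data_gitlab_backup.tar"
  [[ -f "$backup_config" ]] || die "config backup not found: $backup_config"
  [[ -f "$backup_data" ]] || die "data backup not found: $backup_data"

  # Fresh 256-bit key per run, base64 on a single line.
  openssl rand -base64 32 > "$key_file"
  # Wrap the key for the backup owner. -pubin reads a bare public key (PEM);
  # pkeyutl replaces the deprecated rsautl with the same default padding.
  openssl pkeyutl -encrypt -pubin -inkey "$PUBLIC_KEY" \
    -in "$key_file" -out "${work_dir}/symmetric_keyfile.enc"

  write_checksum "$backup_config" "$work_dir"
  write_checksum "$backup_data" "$work_dir"
  encrypt_file "$backup_config" "$key_file" "$work_dir"
  encrypt_file "$backup_data" "$key_file" "$work_dir"

  # Bundle only ciphertexts, checksums and the wrapped key - the glob never
  # matches the plaintext .key file. Subshell keeps the cd local.
  (cd "$work_dir" \
    && tar -czf "${ARCHIVE_DIR}/gitlab-backup-${stamp}.tgz" -- *.enc *.sha256sum)

  # Retention: raw backups 7 days, encrypted archives 30 days.
  find "${GITLAB_DIR}/backup-config" -type f -mtime +7 -name '*config_gitlab_backup.tgz' -delete
  find "${GITLAB_DIR}/backup-data" -type f -mtime +7 -name '*data_gitlab_backup.tar' -delete
  find "$ARCHIVE_DIR" -type f -mtime +30 -name 'gitlab-backup-*.tgz' -delete
}

main "$@"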