otakup0pe.dupwrap

`dup`licity `wrap`per

This Ansible role sets up a simple tool that works with the duplicity backup software. You can use it in two ways: to back up to Amazon S3 or to an encrypted disk image on a Mac's external drive. The dupwrap tool allows you to manage multiple backup profiles on one machine. You can run it as the root user for server backups, or as another user for workstation backups.

S3 Mode

In this mode, you can upload GPG encrypted backups to a specified S3 bucket. Make sure the IAM user associated with your API keys has read/write permissions.

Mac USB Mode

This mode allows you to create and maintain an encrypted volume on external drives. Although this involves double encryption, it can be useful. Currently, this mode does not support scheduled backups.

Variables

Here are some variables that have default values. You can easily back up an entire server by just adding the source and destination.

dupwrap_user: defaults to root
dupwrap_group: defaults to root
dupwrap_config_prefix: defaults to /etc
dupwrap_bin_prefix: defaults to /usr/local/bin
dupwrap_cron: defaults to false, set to true for scheduling backups
dupwrap_cron_verbose: defaults to false, set to true for more detailed log information
dupwrap_n_full: defaults to 3, controls how many full backups to keep
dupwrap_remove_older: defaults to 12, removes backups older than the specified number of months
dupwrap_full_older: defaults to 30D, sets how often to force a full backup

You can define multiple backup profiles, which are stored in a directory named dupwrap relative to the config prefix. The dupwrap_backups variable defines backup profiles and can include global settings.

passphrase: the password for encryption routines
aws_access_key: AWS Access Key ID for S3 backups
aws_secret_key: AWS Secret Access Key for S3 backups
bucket: the S3 bucket URI for S3 backups

For Mac/USB backups, you need to provide these variables:

dupwrap_unencrypted_volume: name of the external volume
dupwrap_encrypted_volume: name of the encrypted volume to create
dupwrap_encrypted_volume_size: size of the volume, defaults to 256m

`dupwrap` script

This script acts as the interface for duplicity and is called by cron, if you are using it. When using Mac/USB, you will be prompted for a password.

Options

These options change default behavior. Some actions require you to specify a profile.

-d: keeps the volumes mounted after a Mac backup
-v: shows debugging information
-f: skips confirmation when permanently removing items
-c: specifies the config directory (defaults to dupwrap_config_prefix)
-p: specifies a backup profile
-t: sets the time for restoring a file (not sure why it works this way)

Actions

backup: starts a backup. If no profile is set, it runs all found backups.
list: lists everything in the latest backup
restore_file: restores a specific file to a chosen location
- Use restore_file <file> <dest> for the most recent backup
status: shows basic info about the backup set
prune: deletes old backups. Without a profile, it removes all found backups.

On macOS, there are some extra actions available:

init: creates the encrypted disk image
purge: removes the encrypted disk image
mount: mounts the encrypted disk image
unmount: unmounts the encrypted disk image

Swap Helper

The swap helper script (dupwrap-swap-helper) works with the pre_script and post_script variables in jobs. It requires a single argument: either pre or post.