#!/bin/bash
# Make backup of databases and keep daily copies for a set time.
#
# © 2012, Multapplied Networks, Inc.

# Destination for dated archives and the number of days they are retained.
BACKUP_DIR="/var/lib/bondingadmin/backups"
# NOTE(review): derived before the override file below is sourced, so an
# override that changes only BACKUP_DIR leaves this pointing at the default
# location - confirm that is intended.
BACKUP_DIR_CURRENT="${BACKUP_DIR}/current"
BACKUP_DAYS="7"

# Shared defaults. Presumably these define CA_DIR and OPENVPN_DIR, which the
# CA and management-VPN steps read further down - confirm against the files.
. /usr/share/bondingadmin/default/ca-vars
. /usr/share/bondingadmin/default/openvpn-vars
# Optional site-local overrides; sourced as shell code when the file exists.
if [ -f /etc/default/bondingadmin/backup ]; then
  . /etc/default/bondingadmin/backup
fi

# Files created from here on get no group-write bit and no access for "other".
# The archives hold database dumps and key material (CA, VPN, Salt PKI), so
# this mask should not be loosened.
umask 027
DATE="$(date +%Y-%m-%d)"

# For every data set: a dated archive in BACKUP_DIR and a fixed-name path
# under BACKUP_DIR_CURRENT.
ETC_DEFAULT_FILENAME="${BACKUP_DIR}/default.${DATE}.tar"
ETC_DEFAULT_FILENAME_CURRENT="${BACKUP_DIR_CURRENT}/default.tar"
POSTGRESQL_FILENAME="${BACKUP_DIR}/postgresql.${DATE}.sql"
POSTGRESQL_FILENAME_CURRENT="${BACKUP_DIR_CURRENT}/postgresql.sql"
DJANGO_FILENAME_CURRENT="${BACKUP_DIR_CURRENT}/django.json"
REDIS_FILENAME="${BACKUP_DIR}/redis.${DATE}.rdb"
REDIS_FILENAME_CURRENT="${BACKUP_DIR_CURRENT}/redis.rdb"
CONFIG_FILENAME="${BACKUP_DIR}/configuration.${DATE}.tar"
CONFIG_FILENAME_CURRENT="${BACKUP_DIR_CURRENT}/configuration.tar"
CA_FILENAME="${BACKUP_DIR}/ca.${DATE}.tar"
CA_FILENAME_CURRENT="${BACKUP_DIR_CURRENT}/ca.tar"
MGMTVPN_FILENAME="${BACKUP_DIR}/mgmtvpn.${DATE}.tar"
MGMTVPN_FILENAME_CURRENT="${BACKUP_DIR_CURRENT}/mgmtvpn.tar"
INFLUXDB_BUSINESS_FILENAME="${BACKUP_DIR}/influxdb-business.${DATE}.tar.gz"
INFLUXDB_BUSINESS_FILENAME_CURRENT="${BACKUP_DIR_CURRENT}/influxdb-business.tar.gz"
MEDIA_FILENAME="${BACKUP_DIR}/media.${DATE}.tar"
MEDIA_FILENAME_CURRENT="${BACKUP_DIR_CURRENT}/media.tar"
SALT_PKI_FILENAME="${BACKUP_DIR}/salt.pki.master.${DATE}.tar"
SALT_PKI_FILENAME_CURRENT="${BACKUP_DIR_CURRENT}/salt.pki.master.tar"
MOSQUITTO_FILENAME="${BACKUP_DIR}/mosquitto.${DATE}.tar"
MOSQUITTO_FILENAME_CURRENT="${BACKUP_DIR_CURRENT}/mosquitto.tar"
LAYWIRE_FILENAME="${BACKUP_DIR}/laywire.${DATE}.tar"
LAYWIRE_FILENAME_CURRENT="${BACKUP_DIR_CURRENT}/laywire.tar"
# Relative name: the bundle is created from inside BACKUP_DIR.
BACKUP_LATEST_FILENAME="backup-latest.zip"

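# Import INFLUX_SERVER from the application settings: the output of
# `ba print_settings INFLUX_SERVER` has its spaces stripped by sed and is then
# executed as shell code.
# SECURITY: eval runs whatever the settings command prints with this script's
# privileges, so a settings value that contains shell syntax is executed
# rather than merely assigned. Once the exact output format of
# `ba print_settings` is confirmed, extract the value without eval.
# The substitution is quoted so the text reaches eval without word splitting
# or filename expansion being applied to it first.
eval "$(ba print_settings INFLUX_SERVER | sed 's/ //g')"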

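# Stop early if either directory setting is empty (for example after a bad
# override): every later step writes, chowns or deletes relative to these
# paths, and an empty value would redirect that work to / or the current
# directory.
: "${BACKUP_DIR:?BACKUP_DIR must not be empty}"
: "${BACKUP_DIR_CURRENT:?BACKUP_DIR_CURRENT must not be empty}"

# Create the backup directory and hand it to bondingadmin, with
# bondingadmin-backups as its group. Abort when it cannot be created, since
# nothing below can succeed without it.
mkdir -p -- "$BACKUP_DIR" || exit 1
chown bondingadmin:bondingadmin-backups -- "$BACKUP_DIR"
mkdir -p -- "$BACKUP_DIR_CURRENT" || exit 1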

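# /etc/default/
# Each section writes a dated archive and then hard-links it to the fixed
# name under current/ (ln -f replaces the previous link).
tar -cf "$ETC_DEFAULT_FILENAME" -C / \
  etc/default/
ln -f -- "$ETC_DEFAULT_FILENAME" "$ETC_DEFAULT_FILENAME_CURRENT"

# PostgreSQL
# pg_dumpall writes the whole cluster, role definitions included, so the dump
# must stay as restricted as the database itself.
# A failed dump is reported instead of passing silently; the (possibly
# truncated) file is still linked, matching how the other steps carry on
# after an error.
if ! sudo -u postgres pg_dumpall --clean > "$POSTGRESQL_FILENAME"; then
  echo "postgresql backup error: pg_dumpall failed, $POSTGRESQL_FILENAME may be incomplete" >&2
fi
ln -f -- "$POSTGRESQL_FILENAME" "$POSTGRESQL_FILENAME_CURRENT"

# Clean up old Django backup from current, if present
rm -f -- "$DJANGO_FILENAME_CURRENT"

# Redis
# Ask Redis to write its snapshot, then copy the resulting dump file.
redis-cli save > /dev/null
cp -- /var/lib/redis/dump.rdb "$REDIS_FILENAME"
ln -f -- "$REDIS_FILENAME" "$REDIS_FILENAME_CURRENT"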

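# /etc/bondingadmin
# Paths (relative to /) that go into the configuration archive. Held in an
# array so each path is passed to tar as one argument without relying on
# word splitting of a space-separated string.
# etc/letsencrypt normally carries TLS private keys, so this archive needs
# the same protection as the CA and PKI archives.
CONFIG_FOLDERS=(etc/bondingadmin/)
if [ -d "/etc/letsencrypt" ]; then
  CONFIG_FOLDERS+=(etc/letsencrypt/)
fi
if [ -d "/var/lib/bondingadmin/certbot/" ]; then
  CONFIG_FOLDERS+=(var/lib/bondingadmin/certbot/)
fi
if [ -f "/var/lib/bondingadmin/version" ]; then
  CONFIG_FOLDERS+=(var/lib/bondingadmin/version)
fi

tar -cf "$CONFIG_FILENAME" -C / \
  --exclude=iso.d/firmware \
  --exclude=packages \
  "${CONFIG_FOLDERS[@]}"
ln -f -- "$CONFIG_FILENAME" "$CONFIG_FILENAME_CURRENT"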

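# Media
tar -cf "$MEDIA_FILENAME" -C / \
  var/lib/bondingadmin/media
ln -f -- "$MEDIA_FILENAME" "$MEDIA_FILENAME_CURRENT"

# Salt
# Master PKI directory: holds key material, keep the archive restricted.
tar -cf "$SALT_PKI_FILENAME" -C / \
  var/lib/salt/pki/master
ln -f -- "$SALT_PKI_FILENAME" "$SALT_PKI_FILENAME_CURRENT"

# Certificate authority
# CA_DIR is not set in this script (presumably it comes from the sourced
# ca-vars file - confirm). tar runs with -C /, so the member path must be
# relative: strip one leading slash. ${VAR#/} leaves a value that has no
# leading slash untouched, where ${VAR:1} would cut off its first character.
tar -cf "$CA_FILENAME" -C / "${CA_DIR#/}"
ln -f -- "$CA_FILENAME" "$CA_FILENAME_CURRENT"

# Management OpenVPN server
# Same leading-slash handling for OPENVPN_DIR (presumably from openvpn-vars).
tar -cf "$MGMTVPN_FILENAME" -C / "${OPENVPN_DIR#/}"
ln -f -- "$MGMTVPN_FILENAME" "$MGMTVPN_FILENAME_CURRENT"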

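# Influxdb business data
# The portable backup is written to a private temporary directory and then
# packed into the dated archive. If mktemp fails the section is skipped, so
# the commands below never run with an empty path.
if INFLUX_BACKUP_TMP=$(mktemp -d); then
  # Single quotes defer expansion until the trap fires; the inner double
  # quotes keep the path as one argument to rm.
  trap 'rm -rf -- "$INFLUX_BACKUP_TMP"' EXIT
  mkdir -p -- "$INFLUX_BACKUP_TMP/business"

  # Output is captured in a log and only shown when the backup fails.
  if ! influxd backup -portable -database business -host "$INFLUX_SERVER:8088" \
    "$INFLUX_BACKUP_TMP/business" > "$INFLUX_BACKUP_TMP/business.log" 2>&1; then
    echo "influxdb business backup error:"
    cat -- "$INFLUX_BACKUP_TMP/business.log"
  fi
  # The archive is written even after a failed backup, so a reported error
  # above means this file may be empty or partial.
  # NOTE(review): the file name ends in .tar.gz but tar runs without -z, so
  # the archive is not gzip-compressed. Left unchanged because the restore
  # tooling is not visible here.
  tar -cf "$INFLUXDB_BUSINESS_FILENAME" -C "$INFLUX_BACKUP_TMP" business
  ln -f -- "$INFLUXDB_BUSINESS_FILENAME" "$INFLUXDB_BUSINESS_FILENAME_CURRENT"
else
  echo "influxdb business backup error: could not create temporary directory" >&2
fi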

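# Mosquitto
# Expansions are quoted so a path containing whitespace or glob characters
# stays a single argument.
tar -cf "$MOSQUITTO_FILENAME" -C / \
  etc/mosquitto
ln -f -- "$MOSQUITTO_FILENAME" "$MOSQUITTO_FILENAME_CURRENT"

# Laywire
tar -cf "$LAYWIRE_FILENAME" -C / \
  etc/laywire
ln -f -- "$LAYWIRE_FILENAME" "$LAYWIRE_FILENAME_CURRENT"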

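# bondingadmin:bondingadmin should own everything under the backup directory
# ${BACKUP_DIR:?} aborts on an empty value; without it the glob would become
# /* and the recursive chown would start at the filesystem root.
chown -R bondingadmin:bondingadmin -- "${BACKUP_DIR:?}"/*

# Create backup-latest.zip and make it owned by bondingadmin with
# bondingadmin-backups as the group.
# If the directory change fails, stop: the rm and zip below use relative
# names and would otherwise act on whatever directory the script started in.
pushd "$BACKUP_DIR" > /dev/null || exit 1
rm --force -- "$BACKUP_LATEST_FILENAME"
# The ./ prefix keeps a file name that begins with "-" from being read as a
# zip option; this directory is owned by the bondingadmin account, not by the
# user running the backup.
zip --quiet "$BACKUP_LATEST_FILENAME" ./*."$DATE".*
# the backup zip file needs to be grouped to bondingadmin-backups so nginx can
# get some access to it.
# SECURITY: the bundle contains today's database dump and the CA, VPN and Salt
# PKI archives unencrypted. Whatever nginx location exposes it must require
# authentication and TLS.
chown bondingadmin:bondingadmin-backups -- "$BACKUP_LATEST_FILENAME"
popd > /dev/null

# Delete old stuff
# Removes anything under the backup directory last modified more than
# BACKUP_DAYS days ago. The :? guard matters here too: with an empty path,
# GNU find would search (and delete from) the current directory.
find "${BACKUP_DIR:?}" -name "*" -mtime "+${BACKUP_DAYS}" -delete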
