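# Duply profile "main": Duplicity backup configuration, rendered from an
# Ansible/Jinja2 template ({{ ... }} and {% ... %} are filled in at deploy
# time). The file is sourced by duply, so it must stay valid shell.

# GnuPG key IDs the backups are encrypted to. Normally the secret
# (decryption) part of the encryption key is not available locally; only
# what is needed for signing is deployed (confirm which secret subkeys the
# deployment actually exports into the keyring below).
GPG_KEYS_ENC='{{ backup_encryption_key_id.stdout }}{% if backup_additional_encryption_keys %},{{ backup_additional_encryption_keys_ids.stdout }}{% endif %}'

# GnuPG key used for signing the backups.
GPG_KEY_SIGN='{{ backup_encryption_key_id.stdout }}'

# Use a dedicated GnuPG home and trust every key found in it. This is only
# acceptable because the keyring is private to this profile: any public key
# that ends up in /etc/duply/main/gnupg/ will be encrypted to without further
# checks, so keep that directory root-owned and not writable by anyone else.
GPG_OPTS="--homedir /etc/duply/main/gnupg/ --trust-model always"

# Destination where the backups are stored at.
#
# Use the pexpect+sftp backend for Duplicity so we can (see also DUPL_PARAMS
# and --ssh-options):
#
# - Pass in custom options for user/global known_hosts files (not possible
#   with the Duplicity shipping with Debian 10 Buster).
# - Reduce logging verbosity (avoiding output from sftp that mentions updates
#   of the user's known_hosts file with IP addresses).
TARGET='pexpect+sftp://{{ backup_client_username }}@{{ backup_server }}:{{ backup_server_port }}/{{ backup_server_destination }}'

# Base directory to back up (root). File selection is done via the
# include/exclude patterns referenced at the end of this file.
SOURCE='/'

# Maximum age for preserving old backups. Used when running the "purge"
# command.
MAX_AGE=6M

# Maximum age of the last full backup before a new full backup is taken.
MAX_FULLBKP_AGE=1M
DUPL_PARAMS="$DUPL_PARAMS --full-if-older-than $MAX_FULLBKP_AGE "

# Duplicity volume size in megabytes.
VOLSIZE=1024
DUPL_PARAMS="$DUPL_PARAMS --volsize $VOLSIZE "

# Output verbosity (error 0, warning 1-2, notice 3-4, info 5-8, debug 9).
VERBOSITY=4

# Directory used for temporarily staging files when restoring from backups.
# /tmp is shared with every other process on the host and is often a
# RAM-backed tmpfs; for large restores a dedicated, root-only directory on a
# sufficiently large filesystem may be preferable.
TEMP_DIR="/tmp"

# Directory for storing (caching) unencrypted metadata. This metadata is used
# for producing incremental backups. Because it is stored in the clear,
# access to this directory should be restricted to root.
ARCH_DIR="/var/cache/duply/main/"

# Use the GnuPG agent for password prompts. Since we deploy the signing key
# without any passphrase protection, this effectively means no prompts.
DUPL_PARAMS="$DUPL_PARAMS --use-agent"

# SSH options passed through to the pexpect+sftp backend:
#
# - Rely only on the profile's global known_hosts file (which should only
#   contain resolvable names) and point the user known_hosts file at
#   /dev/null, so no IP-address entries are ever written to root's file.
# - Refuse to connect to a host whose key is not already pinned in that file
#   (StrictHostKeyChecking=yes). Without it ssh uses its "ask" default and the
#   outcome would depend on how the backend answers the prompt; with /dev/null
#   as the user file an accepted key could never be remembered anyway, so an
#   unknown or changed host key must be a hard failure rather than a prompt.
# - Reduce the log level so ssh does not mention the (discarded) known_hosts
#   updates.
# - Use a dedicated private key for logging in to the backup server.
DUPL_PARAMS="$DUPL_PARAMS --ssh-options='-oLogLevel=ERROR -oStrictHostKeyChecking=yes -oUserKnownHostsFile=/dev/null -oGlobalKnownHostsFile=/etc/duply/main/ssh/known_hosts -oIdentityFile=/etc/duply/main/ssh/identity'"

# By default we exclude everything, and then include only specific patterns.
DUPL_PARAMS="$DUPL_PARAMS --include-globbing-filelist /etc/duply/main/include"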