Merge pull request 'Fix backup email notifications' (#366) from bugfix/358-backups into master

Reviewed-on: #366
2021-12-01 22:52:58 +00:00 · 2021-12-01 22:52:58 +00:00 · 91905e0490
parent 3d1937823a f7afc21f9e
commit 91905e0490
3 changed files with 33 additions and 3 deletions
--- a/doc/backups.md
+++ b/doc/backups.md
@ -12,4 +12,10 @@ The S3 credentials as well as the backup password are stored in the

 To decrypt a backup archive, use the following command:

+    openssl aes-256-cbc -d -base64 -pbkdf2 -in my_backup.tar.enc -out my_backup.tar
+
+If you get an error message along the lines of "bad decrypt", the archive was
+likely encrypted before we switched the key derivation scheme. Try without
+`-pbkdf2` in this case:
+
    openssl aes-256-cbc -d -base64 -in my_backup.tar.enc -out my_backup.tar
--- a/site-cookbooks/backup/recipes/default.rb
+++ b/site-cookbooks/backup/recipes/default.rb
@ -32,6 +32,8 @@ gem_package 'backup' do
  version '5.0.0.beta.2'
 end

+smtp_credentials = Chef::EncryptedDataBagItem.load('credentials', 'smtp')
+
 backup_data = Chef::EncryptedDataBagItem.load('credentials', 'backup')
 backup_dir = node["backup"]["dir"]
 directory backup_dir
@ -46,8 +48,12 @@ template "#{backup_dir}/config.rb" do
            s3_secret_access_key: backup_data["s3_secret_access_key"],
            s3_region: backup_data["s3_region"],
            encryption_password: backup_data["encryption_password"],
+            mail_from: "backups@kosmos.org",
            mail_to: "ops@5apps.com",
-            mail_from: "backups@kosmos.org"
+            mail_address: 'smtp.mailgun.org',
+            mail_domain: 'kosmos.org',
+            mail_user_name: smtp_credentials["user_name"],
+            mail_password: smtp_credentials["password"]
 end

 template "#{backup_dir}/models/default.rb" do
--- a/site-cookbooks/backup/templates/default/config.rb.erb
+++ b/site-cookbooks/backup/templates/default/config.rb.erb
@ -6,6 +6,18 @@
 # Documentation: http://backup.github.io/backup
 # Issue Tracker: https://github.com/backup/backup/issues

+#
+# Monkey patch to not use deprecated key derivation scheme
+# https://github.com/backup/backup/issues/949#issuecomment-589883577
+#
+module OpenSSLFixDeprecatedKeyDerivation
+  def options
+    super + ' -pbkdf2'
+  end
+end
+require 'backup/encryptor/open_ssl'
+Backup::Encryptor::OpenSSL.prepend(OpenSSLFixDeprecatedKeyDerivation)
+
 Storage::S3.defaults do |s3|
  s3.access_key_id     = "<%= @s3_access_key_id %>"
  s3.secret_access_key = "<%= @s3_secret_access_key %>"
@ -22,7 +34,13 @@ end
 Notifier::Mail.defaults do |mail|
  mail.from                 = "<%= node.name %> <<%= @mail_from %>>"
  mail.to                   = "<%= @mail_to %>"
-  mail.delivery_method      = :sendmail
+  mail.address              = "<%= @mail_address %>"
+  mail.domain               = "<%= @mail_domain %>"
+  mail.user_name            = "<%= @mail_user_name %>"
+  mail.password             = "<%= @mail_password %>"
+  mail.port                 = <%= @mail_port || 587  %>
+  mail.authentication       = "<%= @mail_authentication || 'plain' %>"
+  mail.encryption           = <%= @mail_encryption || ':starttls' %>
 end

 <%- if node["backup"]["mongodb"] -%>
@ -75,7 +93,7 @@ preconfigure 'KosmosBackup' do
  encrypt_with OpenSSL
  notify_by Mail do |mail|
    mail.on_success = false
-    mail.on_warning = false
+    mail.on_warning = true
    mail.on_failure = true
  end
 end