From 994cfe4fe4a607be2996c6923c0f9851fd56c8e1 Mon Sep 17 00:00:00 2001 From: lasimik Date: Mon, 17 May 2021 00:57:19 +0000 Subject: [PATCH] Update 'README.md' --- README.md | 157 +++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 155 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index d4a6ac0..6a8b695 100644 --- a/README.md +++ b/README.md 
@@ -1,3 +1,156 @@ -# borgmatic_notifications +# Desktop notifications from borgmatic when it is run from systemd -Linux: How to set up desktop notifications to an arbitrary user, while borgmatic is automatically run from a systemd timer. \ No newline at end of file +How to set up desktop notifications to an arbitrary user, while borgmatic is automatically run from a systemd timer. That implies a Linux machine, of course. + +This includes workarounds for current (borgmatic 1.5.13, borg 1.1.16) limitations of borg/borgmatic. They may or may not be necessary in the future. This HowTo was written on 2021-05-17, some downloaded files may have changed since then. + +- + +The following needs to be set up for the notifications: + +- + +### In the systemd timer +The template from the borgmatic site (the`borgmatic.timer`) is fine, insert a string for `Description=…`, and set the `[Timer]` section if not already done. No special changes here. + +- + + +### In the systemd service +Again, the template from the borgmatic site (the `borgmatic.service`) is good, but needs an essential change: + +The line `CapabilityBoundingSet=…` must give the additional capabilities `AP_SETUID `and `CAP_SETGID`. This will allow borgmatic (and whatever is called from it!!) to impersonate a different user (other than root). + +*_This means a softening of security settings._ Make sure all permissions on borgmatic and scripts are set correctly!* + +- + +### In the borgmatic config + +#### Notifications directly from borgmatic +A notification sent by borgmatic itself is set in its `config.yaml` for each hook, impersonating (`sudo -u`) the target user with their user name (`NAME`) and user id (`UID`). (This is what the additional capabilities in the `timer` were needed for.) `NAME` and `UID` can be looked up with `userdbctl`. + +(Note: If the display is not ":0", the web knows a way to find the right value. This is not covered here.) 
+ +The `notify-send` command sets the urgency of the notifications, and sends a headline and a body text. The latter may include (very rudimentary) HTML formatting (to varying degrees, depending on the desktop). In the `config.yaml` it looks like this (replace `NAME` and `UID`): + +``` +hooks: + before_backup: + - sudo -u NAME DISPLAY=:0 DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/UID/bus notify-send --urgency=normal 'Headline' 'Body text goes here.' + ``` + (Note: The config file is in YAML, you cannot use the shell line continuation (" \\"). And use spaces, not tabs.) + + - + + #### Notifications from a script + Borgmatic calls an executable script that can do more magic and send the notifications in the same way as explained above. + + ``` + hooks: + on_error: + - /etc/borgmatic/notify-error.sh "{configuration_filename}" "{repository}" "{error}" "{output}" + ``` + (Note: The placeholders (`{configuration_filename}`, `{repository}`, `{error}`, and `{output}`) are not all supported under all hooks.) + + (Note: Some scripts from the web can send notifications to *all* users. Also not covered here.) + + The notification command in the script: + + ``` + #!/usr/bin/bash + + sudo -u NAME DISPLAY=:0 \ + DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/UID/bus \ + notify-send --urgency=normal 'Headline' 'Body text goes here.'` + ``` + (Note: Line continuation and the use of variables make complexer notifications substantially easier to set up than in `config.yaml`.) + + --- + + ### Example for Overdue Backups Alert + #### In the borgmatic config + To know when the last complete backup was made, even if there is no connection to the repository, the date and time needs to be stored locally (here in a `last-successful-backup` file), after every successful backup (hook `after_backup`). + + This example uses date and time of the last *complete* backup. 
Borgmatic does not supply this in a placeholder, so it is identified with `borgmatic list --successful --last 1`, returning only date and time (`--format {time}`) and without control characters (`--no-color `), then the header line is skipped (`sed -n 2p`), and the timezone (that the borgmatic return lacks) is appended (`date +'%:z'`). + + It's a good idea to store this value together with the other files for that repository, so `/root/{repository}` would be nice. Unfortunately, `{repository}` is not resolved within borgmatic; the path must be manually copied from the top of the config file. + + If an error occurs during backup, a script (here, `notify-error.sh`) will read that date and time and do the subsequent processing. + + Example for a remote repository: + + ``` + location: + repositories: + - BackupUser@BackupServer:/path/to/repository + ... + hooks: + after_backup: + - echo "$(borgmatic list --successful --last 1 --format {time} --no-color | sed -n 2p) $(date +'%:z')" \ + > "/root/BackupUser@BackupServer:/path/to/repository/last-successful-backup" + ... + on_error: + - /etc/borgmatic/notify-error.sh "{configuration_filename}" "{repository}" "{error}" "{output}" + ``` + Note: Inside the quotes of `echo …` we can use line continuation (" \") for better readability. + + #### The notification script + For easy date and time calculations, this script makes use of `dateutils`. It will send slightly different notifications, depending on the age of the last successful backup: + + ``` + #!/usr/bin/bash + + # Notifies user of overdue borgmatic backups. 
+ + # Is called by borgmatic on errors during a prune, create, or check action as + # /etc/borgmatic/notify.sh "{configuration_filename}" "{repository}" "{error}" "{output}" + + # Requires: dateutils + + + # set user to be notified (find name and id with userdbctl) + NOTIFYUSER=XXXXX + NOTIFYUSERID=NNNN + + # read date of last successful backup, get current datetime + LASTBACKUP=$(<"/root/BackupUser@BackupServer:/path/to/repository/last-successful-backup") + NOW=$(date +'%F %H:%M %Z') + + # time calculations: backup age... + # ...in full hours for branching by age + BACKUPAGEHOURS=$(datediff -i "%a, %F %T %Z" -f "%rH" \ + "$LASTBACKUP" now) + # ...as string for notifications, with removal of zero values + BACKUPAGESTRING=$(datediff -i "%a, %F %T %Z" -f "%rY years %rm months %rw weeks %rd days %rH hours %rM minutes" \ + "$LASTBACKUP" now | sed -E 's/(0 years |0 months |0 weeks |0 days |0 hours)//g') + + # set message text + NOTIFYTEXT="Backup attempted $NOW. + Last full backup: $BACKUPAGESTRING ago. + Error details (more info in systemd journal): + ⚫ Configuration file + $1 + ⚫ Repository + $2 + ⚫ Command output + $4 + ⚫ Error Message + $3" + + + # different actions depending on backup age + if [ "$BACKUPAGEHOURS" -gt 72 ] # backup is older than 72 hours + then + sudo -u "$NOTIFYUSER" DISPLAY=:0 "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$NOTIFYUSERID/bus" \ + notify-send --urgency=critical 'Borgmatic Backup SERIOUSLY OVERDUE!' "$NOTIFYTEXT" + elif [ "$BACKUPAGEHOURS" -gt 24 ] # backup is older than 24 hours + then + sudo -u "$NOTIFYUSER" DISPLAY=:0 "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$NOTIFYUSERID/bus" \ + notify-send --urgency=critical 'Borgmatic Backup Overdue' "$NOTIFYTEXT" + else # backup age is 24 hours or less + sudo -u "$NOTIFYUSER" DISPLAY=:0 "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$NOTIFYUSERID/bus" \ + notify-send --urgency=critical "Borgmatic Backup Failed" "$NOTIFYTEXT" + fi + ``` + \ No newline at end of file
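Review bot: In the "In the systemd service" section the capability is written as `AP_SETUID`; it should read `CAP_SETUID`, otherwise a reader copying it into `CapabilityBoundingSet=` does not get the capability the text describes. The later remark that the capabilities were needed "in the `timer`" should say service to match. In the first script example the `notify-send` line ends with a stray backtick after 'Body text goes here.', which bash will read as an unterminated command substitution. In the overdue-backup script the `sed -E` alternatives are not anchored, so `0 hours` also matches inside "10 hours" or "20 hours" (and `0 months ` inside "10 months "). The script's header comment names `/etc/borgmatic/notify.sh` while the hooks call `/etc/borgmatic/notify-error.sh`. The `after_backup` example puts the ` \` continuation after the closing quote of `echo "…"`, which does not match the note below it or the earlier note that shell line continuation cannot be used in `config.yaml`. Because the widened bounding set applies to everything borgmatic calls, consider stating next to the existing warning that the hook script should be owned by root and not writable by other users.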