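# -*- coding: utf-8 -*-
from setuphelpers import *
import os
import random
import string
import time
from jinja2 import Environment, FileSystemLoader

uninstallkey = []

# Placeholder rsync secret shipped inside the package. Any host that has no
# encrypted variables file ends up with this same, published value, so it
# should always be overridden through variables.txt.
_DEFAULT_RSYNC_PASS = 's3cretp@ssw0rd'

variables = {
    'backup_servers': ['192.168.100.31'],
    'backup_rsync_pass': _DEFAULT_RSYNC_PASS,
    'backup_ssh_keys': [],
}


def _read_file(path):
    """Return the whole content of *path* and close the handle afterwards."""
    with open(path, 'r') as handle:
        return handle.read()


def _write_file(path, content):
    """Write *content* to *path*, closing the handle so the data is flushed."""
    with open(path, 'w') as handle:
        handle.write(content)


# Read local variables file if available
_key_path = makepath(programfiles32, 'wapt', 'private', 'symetric.txt')
_vars_path = makepath(programfiles32, 'wapt', 'private', 'variables.txt')
if isfile(_key_path) and isfile(_vars_path):
    print('Reading local encrypted variables file')
    from cryptography.fernet import Fernet
    import yaml
    f = Fernet(_read_file(_key_path))
    # safe_load returns None for an empty document; fall back to no overrides
    # instead of failing in dict.update().
    variables.update(yaml.safe_load(f.decrypt(_read_file(_vars_path))) or {})

# Create a random pass for the local backup account if not defined.
# The account is added to the local administrators group, so the password is
# drawn from the OS CSPRNG (SystemRandom) rather than the default Mersenne
# Twister generator, and characters may repeat (random.sample never repeats).
if 'backup_pass' not in variables:
    _alphabet = string.ascii_lowercase + string.ascii_uppercase + string.digits
    _rng = random.SystemRandom()
    variables['backup_pass'] = ''.join(_rng.choice(_alphabet) for _ in range(60))

overrides = [
    'rsyncd.conf',
    'rsync.cmd',
    'pre-exec.cmd',
    'vsrsync.cmd',
    'cygiconv-2.dll',
    'cygwin1.dll',
    'cygz.dll',
    'rsync.exe',
]
install_dir = makepath(os.getenv('SYSTEMDRIVE', 'C:\\'), 'BackupPC')


def install():
    """Install the BackupPC agent, its credentials and the lbkp account.

    Steps, in order: run the vendor installer, copy the overriding scripts
    and binaries, lock down the ACL of the install directory, write the
    rsync credential file, drop the installer's firewall rule, create the
    local ``lbkp`` administrator account, and deploy its SSH keys through a
    one-time scheduled task.
    """
    print('Installing BackupPC Agent')
    version = control['version'].split('-', 1)[0]
    install_exe_if_needed("backuppc-client.exe", silentflags='/S', key='BackupPC',
                          min_version=version, killbefore=['rsync.exe'])

    if variables['backup_rsync_pass'] == _DEFAULT_RSYNC_PASS:
        print('WARNING: backup_rsync_pass is still the packaged default, '
              'set it in the encrypted variables file')

    # We override some files
    # cygwin and rsync are needed because version 3.1.1 is very unreliable on
    # Win2012, so we downgrade to 3.0.9
    # our own pre-exec adds an exclusive lock
    # And vsrsync.cmd fixes an issue when PATH contains a & char
    print('Overriding scripts and binaries')
    for name in overrides:
        print('Copying %s' % name)
        filecopyto(name, install_dir)

    # Tighten the directory ACL *before* any secret is written into it, so
    # rsyncd.secrets is never readable through the inherited default grants.
    # Well-known SIDs removed below:
    #   S-1-5-32-545  BUILTIN\Users
    #   S-1-5-11      Authenticated Users
    #   S-1-5-1       Dialup
    #   S-1-1-0       Everyone
    print('Restricting permissions on private files')
    run(r'icacls.exe "%s" /inheritance:d' % install_dir)
    for sid in ('S-1-5-32-545', 'S-1-5-11', 'S-1-5-1', 'S-1-1-0'):
        run(r'icacls.exe "%s" /remove:g "*%s" /t /c /q' % (install_dir, sid))

    # We write credential file
    print('Writing credential file')
    _write_file(makepath(install_dir, 'rsyncd.secrets'),
                'backup:%s' % variables['backup_rsync_pass'])

    # The default behaviour is to add a firewall rule allowing local network.
    # We'll remove this rule to create a more restrictive one
    print('Removing uneeded firewall rules')
    run('netsh advfirewall firewall del rule name="Agent BackupPC"', accept_returncodes=[0, 1])

    # Create the backup account
    # NOTE(review): the password is passed as a command-line argument here and
    # to schtasks below, so it is visible in the process command line and in
    # any command-line auditing enabled on the host. It is also interpolated
    # unquoted: a value supplied through variables.txt must not contain
    # spaces or shell metacharacters.
    # NOTE(review): "Administrateurs" is the French name of the local
    # administrators group; this call fails on hosts using another locale.
    print('Create a local account and add it to the admin group')
    run('net user lbkp /add', accept_returncodes=[0, 2])
    run('net user lbkp %s' % variables['backup_pass'])
    run('net localgroup Administrateurs lbkp /add', accept_returncodes=[0, 2])

    # deploy_keys.bat is executed as lbkp (a local administrator), so it must
    # only ever be written after the ACL restriction above.
    print('Creating the deploy_keys.bat')
    env = Environment(loader=FileSystemLoader('.'), trim_blocks=True)
    rendered = env.get_template('deploy_keys.bat.j2').render(
        ssh_keys=variables['backup_ssh_keys']
    )
    _write_file(makepath(install_dir, 'deploy_keys.bat'), rendered)

    # We need to create lbkp profile dir and put its .ssh/authorized_keys file.
    # We can't use runas, we can't use psexec either as waptservice runs as
    # SYSTEM. So we create a one-time task running as user lbkp
    # This task just creates .ssh and populates .ssh/authorized_keys
    print('Deploying ssh keys through a scheduled task')
    start_time = time.strftime('%H:%M:%S', time.localtime(time.time() + 120))
    run(r'schtasks /Create /SC ONCE /TN "deploy_backup_ssh_keys" /TR "%s\deploy_keys.bat" /ST "%s" /RU lbkp /RP %s /F /V1 /Z'
        % (install_dir, start_time, variables['backup_pass']))
    run_task('deploy_backup_ssh_keys')
    # NOTE(review): the task, which stores the lbkp credentials, stays
    # registered because the cleanup below is disabled; presumably run_task
    # can return before the task has finished. TODO confirm and remove the
    # task once the keys are deployed.
    #delete_task('deploy_backup_ssh_keys')


def uninstall():
    """Remove the lbkp account and the files this package put in place.

    Besides the overridden scripts and binaries, the rsync credential file
    and the generated deploy_keys.bat are deleted so no secret or
    admin-executed script is left behind.
    """
    print('Removing BackupPC Agent')
    print('Removing lbkp account')
    delete_user('lbkp')
    # TODO(review): the "deploy_backup_ssh_keys" scheduled task created by
    # install() is not removed here.
    print('Removing files')
    for name in overrides + ['rsyncd.secrets', 'deploy_keys.bat']:
        path = makepath(install_dir, name)
        if isfile(path):
            os.unlink(path)


def audit():
    """Return "OK" when every expected file exists, else "ERROR".

    The first missing file is reported on stdout and ends the check.
    """
    # NOTE(review): part.cmd is not written by this script; presumably it
    # comes from the vendor installer. Confirm.
    for name in overrides + ['rsyncd.secrets', 'part.cmd']:
        path = makepath(install_dir, name)
        if not isfile(path):
            print('%s is missing' % path)
            return "ERROR"
    return "OK"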