authorPeter Palfrader <peter@palfrader.org>2016-02-01 21:08:39 +0000
committerPeter Palfrader <peter@palfrader.org>2016-02-01 21:08:39 +0000
commitf79e3a2077f60fb979d62299351187a6a91ca92a (patch)
tree8e67fd36d52a26d45a7850c542d16ef33860770e
parent9c292f48d4c4a28085684bb990a744590d807ec1 (diff)
Add experimental rsync over SSL (stunnel) support
-rwxr-xr-xbin/ftpsync47
-rw-r--r--etc/ftpsync.conf.sample9
2 files changed, 52 insertions, 4 deletions
diff --git a/bin/ftpsync b/bin/ftpsync
index e8aa021..0088619 100755
--- a/bin/ftpsync
+++ b/bin/ftpsync
@@ -212,6 +212,7 @@ tracefile() {
out="GUESSED:{${ARCHLIST}}"
echo "Architectures: ${out}"
echo "Upstream-mirror: ${RSYNC_HOST}"
+ echo "SSL: ${RSYNC_SSL}"
total=0
if [[ -e ${LOGDIR}/rsync-${NAME}.log ]]; then
for bytes in $(awk -F': ' '$1 == "Total bytes received" {print $2} ' "${LOGDIR}/rsync-${NAME}.log"); do
@@ -255,6 +256,38 @@ tracefile() {
esac
}
+setup_stunnel_config() {
+ if [[ "$(declare -p RSYNC)" =~ "declare -a" ]]; then
+ : # RSYNC already is an array
+ else
+ RSYNC=($RSYNC)
+ fi
+
+ if [[ true != ${RSYNC_SSL} ]]; then
+ return
+ fi
+ STUNNEL_CONFIG="${BASEDIR}/etc/stunnel-${NAME}.conf"
+ cat << EOF > "$STUNNEL_CONFIG"
+# This file has been automatically created by ftpsync for syncing
+# from ${RSYNC_HOST}.
+#
+# Do not edit it, it will be overwritten next time ftpsync runs.
+#
+# To test if things works, try the following:
+# rsync -e 'stunnel4 ${STUNNEL_CONFIG}' ${RSYNC_USER}@dummy::
+#
+client = yes
+verify = 2
+CApath = ${RSYNC_SSL_CAPATH}
+
+syslog = no
+debug = 4
+output = /dev/stderr
+
+connect = ${RSYNC_HOST}:${RSYNC_SSL_PORT}
+EOF
+ RSYNC+=('-e' "stunnel4 ${STUNNEL_CONFIG}")
+}
########################################################################
########################################################################
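Review bot: `verify = 2` in the generated stunnel config (the `cat << EOF` block) only checks that the server certificate chains to a CA in CApath; it does not bind the certificate to RSYNC_HOST, so with the default CApath of /etc/ssl/certs any certificate issued by any system-trusted CA for any name is accepted, which is enough for an on-path attacker holding such a certificate. Add `checkHost = ${RSYNC_HOST}` next to `CApath` so stunnel also matches the certificate's subject/SAN against the configured host; if I remember the stunnel changelog correctly that option arrived in 5.06 and needs OpenSSL 1.0.2, so the sample config should state that minimum version. Because the file is regenerated on every run, the change takes effect without any operator action. setup_stunnel_config is complete within this hunk.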
@@ -441,6 +474,10 @@ RSYNC_PASSWORD=${RSYNC_PASSWORD:-""}
# a possible proxy
RSYNC_PROXY=${RSYNC_PROXY:-""}
+RSYNC_SSL=${RSYNC_SSL:-"false"}
+RSYNC_SSL_PORT=${RSYNC_SSL_PORT:-"1873"}
+RSYNC_SSL_CAPATH=${RSYNC_SSL_CAPATH:-"/etc/ssl/certs"}
+
# Do we sync stage1?
SYNCSTAGE1=${SYNCSTAGE1:-"false"}
# Do we sync stage2?
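Review bot: RSYNC_SSL is only ever compared against the literal string `true` (in setup_stunnel_config), so any other value an operator writes — `yes`, `True`, `1` — silently leaves the sync in plaintext while tracefile() still prints that raw value as `SSL: yes`. Since this is the setting that decides whether the transfer is authenticated at all, it should fail closed: after the three defaults add `case ${RSYNC_SSL} in true|false) ;; *) echo "RSYNC_SSL must be 'true' or 'false'" >&2; exit 1 ;; esac`. RSYNC_SSL_PORT deserves the same treatment with a numeric check, since a typo there only surfaces as a stunnel connect failure at sync time.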
@@ -493,6 +530,8 @@ HOOK5=${HOOK5:-""}
# Are we a hub?
HUB=${HUB:-"false"}
+setup_stunnel_config
+
DATE_STARTED=$(LC_ALL=POSIX LANG=POSIX date -u -R)
########################################################################
# Really nothing to see below here. Only code follows. #
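Review bot: setup_stunnel_config is invoked here but nothing verifies that `stunnel4` is installed before rsync is handed `-e "stunnel4 …"`; with RSYNC_SSL=true and no stunnel4 binary the failure only shows up as an rsync connection error buried in rsync-${NAME}.error. Guard the call: `if [[ true = ${RSYNC_SSL} ]] && ! command -v stunnel4 >/dev/null; then echo "RSYNC_SSL=true but stunnel4 not found in PATH" >&2; exit 1; fi` (or put the check inside setup_stunnel_config right after its RSYNC_SSL test). The call sits before DATE_STARTED, presumably ahead of the lock and log handling, which is outside this hunk, so exiting here should be safe.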
@@ -596,12 +635,12 @@ while [[ -e ${UPDATEREQUIRED} ]]; do
if [[ true = ${SYNCSTAGE1} ]] || [[ true = ${SYNCALL} ]]; then
while [[ -e ${UPDATEREQUIRED} ]]; do
rm -f "${UPDATEREQUIRED}"
- log "Running stage1: ${RSYNC} ${RSYNC_OPTIONS} ${RSYNC_OPTIONS1} ${EXCLUDE} ${SOURCE_EXCLUDE} ${RSYNCPTH}::${RSYNC_PATH} ${TO}"
+ log "Running stage1: ${RSYNC[@]} ${RSYNC_OPTIONS} ${RSYNC_OPTIONS1} ${EXCLUDE} ${SOURCE_EXCLUDE} ${RSYNCPTH}::${RSYNC_PATH} ${TO}"
set +e
# Step one, sync everything except Packages/Releases
rsync_started=$(date +%s)
- ${RSYNC} ${RSYNC_OPTIONS} ${RSYNC_OPTIONS1} ${EXCLUDE} ${SOURCE_EXCLUDE} \
+ "${RSYNC[@]}" ${RSYNC_OPTIONS} ${RSYNC_OPTIONS1} ${EXCLUDE} ${SOURCE_EXCLUDE} \
${RSYNCPTH}::${RSYNC_PATH} "${TO}" >>"${LOGDIR}/rsync-${NAME}.log" 2>>"${LOGDIR}/rsync-${NAME}.error"
result=$?
rsync_ended=$(date +%s)
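Review bot: In the `log "Running stage1: ${RSYNC[@]} …"` line, `${RSYNC[@]}` inside double quotes splits the message into several arguments to log (the first array element joins the prefix, the last joins the rest), which only works if log concatenates its arguments; `${RSYNC[*]}` is the form that means "join the elements into this one string" and says so to the reader. The same applies to the stage2 log line in the next hunk. The actual invocation `"${RSYNC[@]}" ${RSYNC_OPTIONS} …` is correct, and the array form is what keeps `-e "stunnel4 ${STUNNEL_CONFIG}"` intact as two arguments. The enclosing `while [[ -e ${UPDATEREQUIRED} ]]` loop starts and ends outside this hunk.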
@@ -670,13 +709,13 @@ while [[ -e ${UPDATEREQUIRED} ]]; do
result=1
fi
else
- log "Running stage2: ${RSYNC} ${RSYNC_OPTIONS} ${RSYNC_OPTIONS2} ${EXCLUDE} ${SOURCE_EXCLUDE} ${RSYNCPTH}::${RSYNC_PATH} ${TO}"
+ log "Running stage2: ${RSYNC[@]} ${RSYNC_OPTIONS} ${RSYNC_OPTIONS2} ${EXCLUDE} ${SOURCE_EXCLUDE} ${RSYNCPTH}::${RSYNC_PATH} ${TO}"
set +e
# We are lucky, it worked. Now do step 2 and sync again, this time including
# the packages/releases files
rsync_started=$(date +%s)
- ${RSYNC} ${RSYNC_OPTIONS} ${RSYNC_OPTIONS2} ${EXCLUDE} ${SOURCE_EXCLUDE} \
+ "${RSYNC[@]}" ${RSYNC_OPTIONS} ${RSYNC_OPTIONS2} ${EXCLUDE} ${SOURCE_EXCLUDE} \
${RSYNCPTH}::${RSYNC_PATH} "${TO}" >>"${LOGDIR}/rsync-${NAME}.log" 2>>"${LOGDIR}/rsync-${NAME}.error"
result=$?
rsync_ended=$(date +%s)
diff --git a/etc/ftpsync.conf.sample b/etc/ftpsync.conf.sample
index bcefbb6..d58fbaf 100644
--- a/etc/ftpsync.conf.sample
+++ b/etc/ftpsync.conf.sample
@@ -31,6 +31,15 @@
## If we need a user we also need a password
#RSYNC_PASSWORD=
+## Set to "true" to tunnel your rsync through stunnel. Requires that stunnel4 be
+## available in PATH. ftpsync will then create an stunnel config file and use
+## rsync's -e to connect to RSYNC_SSL_PORT on the remote site. (This requires
+## server support, obviously.) The presented certificate is checked by stunnel
+## against the certificate authorities in RSYNC_SSL_CAPATH.
+#RSYNC_SSL=false
+#RSYNC_SSL_PORT=1873
+#RSYNC_SSL_CAPATH=/etc/ssl/certs
+
## In which directory should logfiles end up
## Note that BASEDIR defaults to $HOME, but can be set before calling the
## ftpsync script to any value you want (for example using pam_env)