# Config file for rdiff-image programs.  See rdiff-image.conf(5).
#
# Format of the lines is:
#
#   keyword:  value
#
# Usually value is a pathname.  Pathnames can not contain spaces, there can
# only be one, and it must be absolute.  It can contain shell globs if the
# keyword is allowed to appear multiple times.  The shell globs will match
# files whose names start with '.'.
#
# Example configuration lines start "#; "
#

# What to backup
# --------------
#
#   backup: pathname
#   	rdiff-image-backup.sh is to backup this directory.  The backup will
#	not cross file systems.  Multiple directories can be backed up.
#
#   work: pathname
#	rdiff-image-backup and rdiff-image-cron use the directory
#	pathname to store information between runs, and as a scratch
#	area during runs.  It must exist.  Erasing all files in this
#	directory will cause new full backups to be created.  This
#	option must appear exactly once and it must be unique across
#	all rdiff-image.conf files.
#
backup:	/
work:	/var/lib/rdiff-image


# Modifying the data backed up
# ----------------------------
#
#   add: pathname
#	rdiff-image-backup.sh adds all files in under the given directory, but
#	strips the directory name given.  Eg, if /etc/dummy contained:
#	    /etc/dummy/foo/x
#	    /etc/dummy/foo/y
#	the files in /foo/x and /foo/y would appear in the backup.  This allows
#	files removed with "secret" to be replaced, so you end up with a
#	working image.  There can be any number of "add" directories.
#
#   filter: pathnname [command...]
#   	rdiff-image-backup.sh will remove or modify the backed up copy of the
#	file.  This line has a file name (or glob) followed by an optional
#	shell filter.  If the optional filter is absent the file isn't backed
#	up.  Otherwise the filter is fed the original file on its standard
#	input and whatever it writes to its standard output is put into the
#	backup under the file name.  The filter is also supplied the input
#	and output file names as the environment variables FILTER_FROM and
#	FILTER_TO respectively.  Any file or directory can be removed, but only
#	regular files can be filtered.  This option can appear many times.
#
# This is a useful list of stuff to strip out of a normal Debian installation.
#
filter:	/etc/group-
filter:	/etc/gshadow-
filter:	/etc/passwd-
filter:	/etc/shadow-
filter:	/tmp/*
filter:	/usr/share/info/*.old
filter:	/var/backups/*
filter:	/var/cache/apt/archives/*.deb
filter:	/var/cache/apt/archives/partial/*
filter:	/var/cache/apt/*.bin
filter:	/var/cache/dpkg/*-old
filter:	/var/cache/debconf/*-old
filter:	/var/cache/locate/*
filter:	/var/cache/man/*
filter:	/var/lib/aptitude/*.old
filter:	/var/lib/apt/listchanges.db
filter:	/var/lib/apt/lists/*_*
filter:	/var/lib/apt/lists/partial/*
filter:	/var/lib/apt/periodic/*-stamp
filter:	/var/lib/dpkg/*-old
filter:	/var/lib/dpkg/lock
filter: /var/lib/logrotate/status
filter: /var/lib/rkhunter/db/rkhunter.*
filter: /var/lib/rkhunter/tmp/*
filter: /var/lock/*
filter:	/var/tmp/*

#
# Log files can be interesting, but can make the differential backups
# grow quickly.
#
filter: /var/log/*/*.[0-9]
filter: /var/log/*.[0-9]
filter: /var/log/*/*.gz
filter: /var/log/*.gz
filter: /var/log/account/*
filter: /var/log/apache2/*.log
filter:	/var/log/apt/term.log
filter: /var/log/auth.log
filter: /var/log/cron.log
filter: /var/log/daemon.log
filter: /var/log/dpkg.log
filter: /var/log/journal/*
filter: /var/log/kern.log
filter: /var/log/lastlog
filter: /var/log/mail.info
filter: /var/log/mail.log
filter: /var/log/mail.warn
filter: /var/log/mailman/*
filter: /var/log/messages
filter:	/var/log/mysql.log
filter: /var/log/rkhunter.log*
filter: /var/log/syslog
filter:	/var/log/unattended-upgrades/*
filter: /var/log/wtmp
filter: /var/mail/*
filter:	/var/run/*.pid
filter:	/var/run/*.reboot
filter:	/var/run/*/*.pid
filter:	/var/run/screen/*
filter:	/var/run/sudo/*
filter:	/var/run/utmp

#
# Example of ignoring moinmoin cache's.
#
#; filter: /var/www/moinmoin/data/cache/*
#; filter: /var/www/moinmoin/data/event-log
#; filter: /var/www/moinmoin/data/pages/*/cache/*
#; filter: /var/www/moinmoin/data/pages/*/edit-lock
#; filter: /var/www/moinmoin/data/pages/*/edit-log

#
# Example of ignoring postfix's queues.
#
#; filter: /var/spool/postfix/defer/*/*
#; filter: /var/spool/postfix/deferred/*/*

#
# Example of ignoring postgrey's time stamps.
#
#; filter: /var/lib/postgrey/*

#
# Example for Mailman.  Mailman leaves some junk lying around.
# Warning: You may not consider the held messages junk.
#
#; filter: /var/lib/mailman/lists/*/*.last
#; filter: /var/lib/mailman/qfiles/retry/*
#; filter: /var/lib/mailman/data/bounce-*
#; filter: /var/lib/mailman/data/heldmsg-*
#; filter: /var/lock/mailman/*
#; filter: /var/log/mailman/*

#
# Not backing up the mailman archives is a bit of a compromise.  Mailman
# won't look the same without them of course, but they are redundant.  They
# also contain .gz's, which won't rdiff very well.  Regenerate them using:
# 
#  cd /var/lib/mailman/lists
#  screen sh -c 'for list in *; do (cd /usr/lib/mailman/bin; sudo ./arch --wipe $list); done'
#
#; filter: /var/lib/mailman/archives/private/*/*.gz
#; filter: /var/lib/mailman/archives/private/*/*.html
#; filter: /var/lib/mailman/archives/private/*/*.pck
#; filter: /var/lib/mailman/archives/private/*/*/*.html
#; filter: /var/lib/mailman/archives/private/*/*.old
#; filter: /var/lib/mailman/archives/private/*/*.txt
#; filter: /var/lib/mailman/archives/private/*/attachments/*
#; filter: /var/lib/mailman/archives/private/*/database/*

#
# Example for planet.  Note that this will render planet unusable until
# it next runs.
#
#; filter: /var/www/planet/cache/*
#; filter: /var/www/planet/niftylayout.css
#; filter: /var/www/planet/*.html
#; filter: /var/www/planet/*.js
#; filter: /var/www/planet/*.php
#; filter: /var/www/planet/*.xml


# Where to output data for HTTP download
# --------------------------------------
#
#   html: template_pathname output_pathname
#	rdiff-image-cron uses the file template_pathname to generate
#	the html file output_pathname.  This option can appear at
#	most once.  If not present no HTML files are produced.  The
#	template has the following text in it replaced:
#
#	  {{BACKUP_DATE}}
#	    Replaced with the date the backup took place.
#
#	  {{BACKUP_TABLE}}
#	    Replaced with a <table> element describing the files produced.
#
#	  {{BACKUP_TABLE_A}}
#	    As for {{BACKUP_TABLE}}, but the each file name is enclosed with
#	    an <a> element pointing to the  file in output_pathname.
#
#	  {{GPG_KEYS}}
#	    Replaced with a <ul> element listing the GPG keys the secret
#	    backup is encrypted with.
#
#   wwwdir: pathname
#	rdiff-image-cron.sh will place its output here.  The output consists
#	of the backup files, .sha1 checksums of them.  This option must appear
#	exactly once.
#
#wwwdir: REQUIRED


# Amazon S3
# ---------
#
#   s3: S3-credentials bucket QTYxAGE[,...]
#	S3 backup storage configuration.  S3-credentials has the format
#	AWS-Access-Key:AWS-Access-Secret.  The S3 bucket names will be
#	<bucket>_base and <bucket>_secret.  QTY is of backups to keep of a
#	particular age.  AGE is a number followed by the unit, which is one of:
#	hour,day,week,month,year.  An example: 24x1hour,7x1day,4x1week,6xmonth
#	would keep 24 hourly backups, 7 daily backups, 4 weekly backups and 6
#	monthly backups.  A "base" backup is automatically kept if there is a
#	"rdiff" backup that depends on it.  This can appear at most once.  If
#	not present no backup is sent to S3.
#
#   s3-log: pathname
#	The file rdiff-image-s3.py will write its log to.  There can be at most
#	one of these.  If not present no log is written.  
#
#; s3:	   kkkkk:ssssssss a-s3-bucket-name 24x1hour,7x1day,5x1week,6x30days
#; s3-log: (usually under www-dir)


# Enabling & Errors
# -----------------
#
#   enable: no
#	If this option present the rdiff-image-cron.sh won't do a backup.
#	It will send an email saying why not if the email option is set.
#
#   email: email-address[,...]
#	rdiff-image-cron.sh sends email to these addresses if the backup or
#	transfer to S3 fails.
#
# Disabled to prevent mistakes.  Rdiff-image-cron will not do anything until
# this line is removed.
enable: no
email:  root


# Secret backups
# --------------
#
#   gpgdir: pathname
#	rdiff-image-cron will encrypt the secret backup using the
#	public gpg keys listed in the directory pathname.  This
#	option can appear at most once.  If no gpg keys are supplied
#	the secret backup is discarded.  There is one gpg key per
#	file.  The file name must be in a format accepted by gpg's
#	--recipient option.  This is  one way to generate a suitable
#	file:
#
#	  gpg --armor \
#	    --export-options export-minimal,no-export-attributes \
#	    --output russell-gpg@stuart.id.au \
#	    --export russell-gpg@stuart.id.au
#
#	Notice how the arguments to --output and --export are identical.
#	This is one way to guarantee the resulting file name will be
#	acceptable to gpg's --recipient option.
#	
#   secret: pathname [command...]
#	rdiff-image-backup.sh will put this file in the secret image.  Apart
#	from the additional step of putting the unmodified file in the secret
#	backup, this is identical to the filter option.  This option can
#	appear many times.
#
# Examples that replace passwords with "x":
#; secret: /etc/gshadow				sed 's/^\([^:]*\):[^:*]\+/\1:$1$TGQc4.1k$cZ1N8DCrTQCCB1AczDG7s./'
#; secret: /etc/rdiff-image/rdiff-image.conf	sed 's,^\([[:space:]]*s3:[^:]\+\)[^[:space:]]\+,\1:x,'
#; secret: /etc/shadow				sed 's/^\([^:]*\):[^:*]\+/\1:$1$TGQc4.1k$cZ1N8DCrTQCCB1AczDG7s./'
#
# moinmoin example, replacing all passwords with "x":
#; secret: /var/www/moinmoin/data/user/[1-9]*	sed 's/^\(enc_password\)=.*/\1={SHA}EfatjsUqKYSrqv18O1FlA3hcIHI=/'
#; secret: /var/www/moinmoin/data/pages/*Private*
#
# mailman example, replacing all passwords with "x":
#; secret: /var/lib/mailman/data/adm.pw			python3 -c 'import sha; print(sha.new("x").hexdigest())'
#; secret: /var/lib/mailman/lists/*/config.pck		PYTHONPATH=/usr/lib/mailman python3 -c 'import sys,pickle,sha; x=pickle.load(sys.stdin); x["password"]=sha.new("x").hexdigest(); x["passwords"]=dict([(u,"x") for u in x["passwords"]]); pickle.dump(x,sys.stdout)'
#; secret: /var/lib/mailman/lists/*/request.pck		PYTHONPATH=/usr/lib/mailman python3 -c 'import sys,pickle; x=pickle.load(sys.stdin); x=dict([(k,v if k=="version" or v[0]!=2 else v[:3] + ("x",) + v[4:]) for k,v in x.items()]); pickle.dump(x,sys.stdout)'
gpgdir:	/etc/rdiff-image/gpg-keys


# Booting options
# ---------------
#
#   mounts: /path/dir[:[/mount/point]] ...
#	"rdiff-image-boot.sh boot" and "rdiff-image-boot.sh mountsh" do the
#	mounts listed here.  They come in three versions:
#	  /dir		-- mount -o bind /dir /path/to/chroot/dir
#	  /dir:/cdir	-- mount -o bind /dir /path/to/chroot/cdir
#	  xfs:/cdir	-- mount -t xfs xfs /path/to/chroot/cdir
#	The target directory is created if it doesn't exist.
#
#   init.d: script ...
#	"rdiff-image-boot.sh boot" starts these services in the chroot using
#	""rdiff-image-boot.sh start-service" after the mounts are done.  If
#	"script" doesn't start with a "/" the files
#	"/etc/systemd/systemd/script.servce",
#	"/lib/systemd/systemd/script.servce", and "/etc/init.d/script"
#	are checked in that order, and the first existing one is used.
#	Files in systemd directories are started as systemd services,
#	otherwise the script is just executed with one argument: "start".
#	Only the services listed here are started (eg, systemd Requires=
#	is ignored), and they are started sequentially in the order listed
#	(ef, systemd Before= is ignored).
#
# These mounts and init.d scripts listed below are the minimum are needed to
# get a debian stretch running.
#
mounts: /dev: /dev/hugepages /dev/mqueue /dev/pts
mounts: /proc: /proc/fs/nfsd /proc/run /proc/sys/fs/binfmt_misc
mounts: tmpfs:/run tmpfs:/run/lock
mounts: /sys: /sys/fs/fuse/connections /sys/fs/pstore /sys/kernel/debug /sys/kernel/security 

init.d:	systemd-tmpfiles-setup-dev
init.d: mountdevsubfs.sh checkroot-bootclean.sh mountall-bootclean.sh
init.d: systemd-tmpfiles-setup sudo rsyslog systemd-user-sessions


#
# If you have ssh installed.  Alter the ssh config to listen on some
# additional port other than port 22 so you can test it running in a
# chroot.
#; init.d: ssh
#
# If you have bind installed:
#; init.d: bind9
#
# If you have a mysql server running.  Add the line "skip-networking" in
# /etc/mysql/my.cnf to avoid conflicts when running in a chroot.
#; init.d: mysql-ndb-mgm mysql-ndb mysql
#
# If you have postgrey installed.
#; init.d: postgrey
#
# If you have mailman installed.  Setting "VIRTUAL_HOST_OVERVIEW = False" in
# /etc/mailman/mm_cfg.py help when running in a chroot.  It makes the mailman
# web interface ignore the host name.
#; init.d: mailman
# 
# If you are running postfix.  To make postfix work in a chroot you have to
# stop any SMTP server on the host.
#; init.d: postfix
#
#
# If you have apache2.  To work on a chroot you have to stop any www server
# that uses the same TCP ports.  To test within a chroot ensure you don't
# bind to a particular IP address, and in virtual hosts use wild card 
# ServerAlias's to make it easy to use a test domain name.
#; init.d: apache2