This project is released under LGPL 3.0

This system is designed to be kept in two parts,
1> a docker container run on a schedule
2> a backup config/target git repo stored on a server

The docker part


The docker file is as follows, and its resultant image is intended to be run under rancher (as this provides secrets management)

FROM alpine:latest

RUN mkdir /root/.ssh && chmod 700 /root/.ssh
RUN echo "[git host puplic key 2]" > /root/.ssh/known_hosts
RUN echo "[git host puplic key 2]" >> /root/.ssh/known_hosts
...[more server public key lines here if required]...
RUN chmod 644 /root/.ssh/known_hosts
RUN apk update && apk upgrade && apk add openssh git curl gnupg sshpass bash nano netcat-openbsd
RUN mkdir /scripts
COPY docker-scripts/pullconfigs.sh /scripts/pullconfigs.sh
COPY docker-scripts/ssh-config /root/.ssh/config
COPY docker-scripts/decode-sshkey.sh /scripts/decode-sshkey.sh
COPY docker-scripts/seal-sshkey.sh /scripts/seal-sshkey.sh
COPY resources/sshkey.ssh.gpg /root/sshkey.ssh.gpg
RUN chmod 600 /root/.ssh/config
RUN mkdir /secure-config
you need to set the public key strings of your target git server(s) in this file as if they are not pre-authorised then the git commands used by the created container will not work as they will prompt for key trust.


The scripts/config files added to the docker image are as follows:

pullconfigs.sh
#!/bin/bash
/scripts/decode-sshkey.sh

rm -rf /infrastructure-configs
mkdir /infrastructure-configs

export gitbackupdir="/infrastructure-configs"
date=$(date +%s)

cd $gitbackupdir
git clone [git target for backup of configs] ./

./backup-config/config-backup.sh
/scripts/seal-sshkey.sh
you need to set the git target of your backup repo in this file
This script
> triggers decoding of the ssh private key used for accessing the backup repo
> sets up the base folder for cloning the the backup repo into (including folder cleanup of any old files etc.)
> clones the backup repo
> triggers the backup script from the backup repo
> reseals the backup repo ssh access key

decode-sshkey.sh
#! /bin/sh
mkdir /root/.ssh
chmod 700 /root/.ssh
cat /run/secrets/decode-pw | gpg --batch --passphrase-fd -d --output /root/.ssh/id_rsa /root/sshkey.ssh.gpg
chmod 600 /root/.ssh/id_rsa
This script
> cleans up and makes the needed folder & file structures to host the private ssh key used to access the backup repo ssh key
> decodes the backup repo ssh key using the password provided in '/run/secrets/decode-pw' within the running docker container instance

seal-sshkey.sh
#! /bin/sh
rm -f /root/.ssh/id_rsa
This script
> removes the runtime instance of the ssh private key used to access the backup repo

sshkey.ssh.gpg

This is the gpg encoded version of the private ssh key used to access the backup repo, it should be gpg encoded such that a password can be used to decode it


The backup repo part


The backup repo should have the following folder/file structure

[repo root]
        |-------[backup-config]
        |               |------------ code.gpg
        |               |------------ targets
        |               |------------ username
        |               |------------ config-backup.sh
        |
        |-------[backups]

The folder 'backups', and files 'code.gpg', 'targets' and 'username' are all optional and dependent on what is in the 'config-backup.sh' file.
NOTE: it is strongly recommended to encode the password or access key for the target network equipment

in this version 'code.gpg' contains a gpg encoded password to login to the network equipment, targets is a list of IPs of equipment to login to and username is the username to login to the equipment with.

config-backup.sh

This script version is tailored to cisco devices but could be modified to work with many other brands
git config --global user.email "[email address for your backup user]"
git config --global user.name "[name for your backup user]"


file1="$gitbackupdir/backup-config/targets"
read -d $'\x04' targets < "$file1"
file2="$gitbackupdir/backup-config/username"
read -d $'\x04' username < "$file2"

password=$(cat /run/secrets/net-access-decode-pw | gpg --batch --passphrase-fd -o- -d /infrastructure-configs/backup-config/code.gpg)

echo "backing up targets - "
echo $targets
echo "using account - "
echo $username
echo ""
echo "---------------------------------"
echo "-- starting config acquisition --"
echo ""
for device in $targets ; do
# Copy startup and running config to git repo
mkdir -p $gitbackupdir/backups/$device
echo $device
sshpass -p $password scp $username@$device:system:/running-config $gitbackupdir/backups/$device/running-config
sshpass -p $password scp $username@$device:startup-config $gitbackupdir/backups/$device/startup-config
done
echo ""
echo "-- config aquisition completed --"
echo ""
echo "-- uploading configs to github --"
echo ""
cd $gitbackupdir
git add .
git commit -m "Config backup from $(date)"
git push
echo""
echo "-- upload config to git completed --"
This script
> sets the git user data for the commit it is going to make to the backup repo
> reads in the target device file
> reads in the login username for the devices
> reads in the device login password from the gpg encoded 'code.gpg' file using the password provided in '/run/secrets/net-access-decode-pw' within the running docker container instance
> downloads the config of each devices in the 'targets' file
> commits the config and pushes it to the backup repo