Configuring duplicacy CLI on macOS with SIP enabled
This is a handy script to download and install duplicacy CLI and configure it to run under launchd to back up all users, without the need to disable SIP.
The problem
Pre-Sequoia: Duplicacy CLI on macOS cannot access sensitive user folders such as Documents and Pictures when running standalone. It does not seem possible to grant full disk access to a naked executable that is not an app bundle. When launched via Duplicacy Web GUI, that problem does not exist as the CLI engine inherits permissions granted to the parent app bundle.
Post-Sequoia: This is no longer an issue. The duplicacy CLI engine can be granted Full Disk Access just fine, so we don’t need to create application wrappers.
Using Duplicacy GUI, however, is still undesirable for several reasons:
- It’s impossible to control CPU utilization of the CLI engine (without jumping through hoops)
- Running a closed source app that fetches executables from the internet under an account that needs access to all users’ data is suboptimal.
The solution
A script to accomplish the following tasks is provided in this post:
- Fetch the specified version of duplicacy from the web or local build directly. Support specific version number, specific local path, and “Latest” and “Stable” channels.
- Create an aux script to launch and throttle duplicacy_cli depending on the power status of your Mac—support separate limits on battery vs. on wall power. (cpulimit)
- Prompt the user to add the downloaded duplicacy CLI to Full Disk Access
- Configure launchd daemon to run the backup and prune with configurable retention policy
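The throttling launcher from the list above, as an added example; it is not the repository's install.sh or the script that install.sh generates. The binary path, the two limits and the `--run` switch are assumptions. Because a launchd daemon that backs up all users is assumed here to run as root, the example also refuses to start a binary that is not root-owned or that group or others can write to.

```shell
#!/bin/sh
# Added example, not the project's script. Path and limits below are assumptions.
DUPLICACY_BIN="${DUPLICACY_BIN:-/Library/Duplicacy/duplicacy}"  # hypothetical install path
LIMIT_AC="${LIMIT_AC:-40}"            # CPU percent on wall power (constructed value)
LIMIT_BATTERY="${LIMIT_BATTERY:-10}"  # CPU percent on battery (constructed value)

# cpu_limit_for PMSET_OUTPUT: choose the cap from the text of `pmset -g batt`.
# Anything that is not clearly AC (battery, UPS, empty output) gets the lower cap.
cpu_limit_for() {
    case "$1" in
        *"'AC Power'"*) printf '%s\n' "$LIMIT_AC" ;;
        *)              printf '%s\n' "$LIMIT_BATTERY" ;;
    esac
}

# safe_to_exec PATH UID: succeed only if PATH is a regular file (not a symlink),
# owned by UID, and not writable by group or others.
safe_to_exec() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    [ -z "$(find "$1" -prune \( ! -user "$2" -o -perm -020 -o -perm -002 \) -print)" ]
}

main() {
    safe_to_exec "$DUPLICACY_BIN" 0 || {
        echo "refusing to run $DUPLICACY_BIN: not root-owned, or writable by others" >&2
        return 1
    }
    limit=$(cpu_limit_for "$(pmset -g batt 2>/dev/null)")
    cd /Library/Duplicacy || return 1   # repository directory from the prerequisites
    # cpulimit starts the command itself and caps it; -i also caps child processes.
    exec cpulimit -l "$limit" -i "$DUPLICACY_BIN" "$@"
}

# Run only when asked to, so the functions above can be sourced and tested.
if [ "${1:-}" = "--run" ]; then shift; main "$@"; fi
```

Invoked as `launcher.sh --run backup -stats` (the file name is hypothetical), everything after `--run` is passed to duplicacy unchanged.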
Prerequisites
We will assume that the following is true:
- Duplicacy is configured under /Library/Duplicacy to back up /Users. This boils down to doing something along these lines when initializing the repository:
    sudo mkdir -p /Library/Duplicacy
    cd /Library/Duplicacy
    sudo duplicacy init -repository /Users <snapshot id> <storage url>
- homebrew is installed. Depending on the configuration we would need one or a few of the following utilities: platypus, cpulimit, wget, jq, curl. The script will prompt for the missing ones, which then could be installed with
    brew install platypus cpulimit wget jq curl
To run
- Clone the repository https://github.com/arrogantrabbit/duplicacy_cli_macos
- Review the install.sh file; make changes as needed to the schedule and/or duplicacy version and/or other options, or specify the overridables, as suggested in the README file.
The script will download the correct binaries for your platform, prepare the scripting and launchd daemons, and open Finder in the enclosed folder with the duplicacy CLI file highlighted and the Full Disk Access section of the System Preferences for you. Please drag the file to the Full Disk Access section; authenticate if required.
Note: Logs that duplicacy outputs to stdout and stderr go to /Library/Logs/Duplicacy. However, Duplicacy still places cache under .duplicacy/cache and some logs still go under .duplicacy/logs. That is a hidden folder under /Library/Duplicacy. To see it in Finder, press ⌘+⇧+. (Command-Shift-period). Until this is configurable, nothing can be done short of symlinking the locations to the right places. This is left as an exercise for the reader.
The Script
The embedded version below is facilitated by https://emgithub.com.
History
Jan 16, 2021 | initial publication |
Dec 9, 2024 | get rid of platypus |