Configuring duplicacy CLI on macOS with SIP enabled

• The problem
• The solution
  • Prerequisities
  • To run
  • The Script
• History

This is a handy script to download and install duplicacy CLI and configure it to run under launchd to back up all users, without the need to disable SIP.

The problem

Pre-Sequoia: Duplicacy CLI on macOS cannot access sensitive user folders such as Documents and Pictures when running standalone. It does not seem possible to grant full disk access to a naked executable that is not an app bundle. When launched via Duplicacy Web GUI, that problem does not exist as the CLI engine inherits permissions granted to the parent app bundle.

Post-Sequoia: This is no longer an issue, therefore, we don’t need to create application wrappers, duplicacy CLI engine can be granted Full Disk Access just fine.

Using Duplicacy GUI, however, is still undesirable for several reasons:

• It’s impossible to control CPU utilization of the CLI engine (without jumping through hoops)
• Running a closed source app that fetches executables from the internet under an account that needs access to all users’ data is suboptimal.

The solution

A script to accomplish the following tasks is provided in this post:

• Fetch the specified version of duplicacy from the web or local build directly. Support specific version number, specific local path, and “Latest” and “Stable” channels.
• Create an aux script to launch and throttle duplicacy_cli depending on the power status of your Mac—support separate limits on battery vs. on wall power. (cpulimit)
• Prompt the user to add the downloaded duplicacy CLI to Full Disk Access
• Configure launchd daemon to run the backup and prune with configurable retention policy

Prerequisities

We will assume that the following is true:

• Duplicacy is configured under /Library/Duplicacy to back up /Users. This boils down to doing something along these lines when initializing the repository:

    sudo mkdir -p /Library/Duplicacy
    cd /Library/Duplicacy
    sudo duplicacy init -repository /Users <snapshot id> <storage url>
  

• homebrew is installed. Depending on the configuration we would need one or a few of the following utilities: platypus, cpulimit, wget, jq, curl. The script will prompt for the missing ones, which then could be installed with

    brew install platypus cpulimit wget jq curl
  

To run

• Clone the repository https://github.com/arrogantrabbit/duplicacy_cli_macos
• review the install.sh file
• make changes as needed to the schedule and/or duplicacy version and/or other options or specify the overridables, as suggested in the README file.

The script will download the correct binaries for your platform, prepare the scripting and launchd daemons, and open Finder in the enclosed folder with the duplicacy CLI file highlighted and Full Disk Access section of the System Preferences for you. Please drag the file to Full Disk Access to Full Disk Access section; authenticate if required.

Note: Logs that duplicacy outputs to stdout and stderr go to /Library/Logs/Duplicacy. However, Duplicacy still places cache under .duplicacy/cache and some logs still go under .duplicacy/logs. That is a hidden folder under /Library/Duplicacy. To see it in Finder, press ⌘+⇧+. Until this is configurable, nothing can be done short of symlinking the locations to the right places. This is left as an exercise for the reader.

The Script

The embedded version below is facilitated by https://emgithub.com.

History

Jan 16, 2021	initial publication
Dec 9, 2024	get rid of platypus