On bucket, we have a separate user account “jim-backups”. Password for this account is in bitwarden.
Repository keys are repokeys, with passphrases saved on clients and in bitwarden.
Each client has two SSH keys: one for append-only operation (no pass) and one for read-write (password in bitwarden)
Pruning requires the password and is a manual operation (run sudo /opt/borg/prune.sh)
Systemd timers start daily backups
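One way the server side of the two-key scheme above can be enforced, as an added example that is not part of this setup's own scripts: each key gets a forced borg serve command in the backup account's authorized_keys, and only the read-write key may delete or prune. The repository path, key blobs and key comments are constructed placeholders, and Borg 1.x with OpenSSH 7.2 or later is assumed.

```shell
#!/bin/sh
# Added example: emit the two authorized_keys entries for one client.
# Assumptions (not from the page): repository path, key comments, and that
# append-only is enforced with a forced "borg serve" command (Borg 1.x).

# borg_authorized_keys REPO APPEND_PUBKEY RW_PUBKEY
borg_authorized_keys() {
    repo=$1 append_key=$2 rw_key=$3

    # Refuse values that would break out of, or split, the quoted command="...".
    case "$repo" in
        *'"'*|*[[:space:]]*)
            echo "invalid repository path" >&2
            return 1 ;;
    esac

    # "restrict" disables pty allocation and all forwarding; the forced command
    # replaces whatever the client asked to run, so the key can only reach
    # this one repository.
    printf 'command="borg serve --append-only --restrict-to-repository %s",restrict %s\n' \
        "$repo" "$append_key"
    # Same repository without --append-only: this is the key used for pruning.
    printf 'command="borg serve --restrict-to-repository %s",restrict %s\n' \
        "$repo" "$rw_key"
}

# Constructed sample values (placeholders, not real keys or paths).
SAMPLE_REPO='/srv/borg/client1'
SAMPLE_APPEND='ssh-ed25519 AAAAC3APPENDONLYPLACEHOLDER client1-append'
SAMPLE_RW='ssh-ed25519 AAAAC3READWRITEPLACEHOLDER client1-rw'

borg_authorized_keys "$SAMPLE_REPO" "$SAMPLE_APPEND" "$SAMPLE_RW"
```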
python3 -m venv venv
venv/bin/pip3 install -r requirements.txt
venv/bin/python3 lister.py
Run on client:
wget https://psy.jim.sh/borg-setup.sh
chmod +x borg-setup.sh
sudo ./borg-setup.sh