jim
/
borg-setup
0
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
My backup scripts and tools
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7 Commits
1 Branch
77 MiB
 
 
 
Tree: 883f984aef
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '883f984aef'
${ noResults }
borg-setup/README.md

1.5 KiB
Raw Blame History

Design

  • On server, we have a separate user account “jim-backups”. Password for this account is in bitwarden in the “Backups” folder, under ssh backup.jim.sh.

  • Repository keys are repokeys, which get stored on the server, inside the repo. Passphrases are stored:

    • on clients (in /opt/borg/passphrase, for making backups)
    • in bitwarden (under borg <hostname>, user repo key)

  • Each client has two SSH keys for connecting to the server:

    • /opt/borg/ssh/id_ecdsa_appendonly
      • configured on server for append-only operation
      • used for making backups
      • no password
    • /opt/borg/ssh/id_ecdsa
      • configured on server for read-write operation
      • used for manual recovery, management, pruning
      • password in bitwarden (under borg [hostname], user read-write ssh key)

  • Pruning requires the password and is a manual operation, and should only be run when the client has not been compromised.

    sudo /opt/borg/prune.sh

  • Systemd timers start daily backups:

    /etc/systemd/system/borg-backup.service -> /opt/borg/borg-backup.service
/etc/systemd/system/borg-backup.timer -> /opt/borg/borg-backup.timer

  • Backup script /opt/borg/backup.py uses configuration in /opt/borg/backup.yaml to generate our own list of files, excluding anything that’s too large by default. This requires borg 1.2.0b1 or newer, which is why the setup scripts download a specific version.

Usage

Run on client:

sudo git clone https://git.jim.sh/jim/borg-setup.git /opt/borg
sudo /opt/borg/initial-setup.sh