From 2140a45ce6543bd72ac49cd8b809505930d461d8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?=
Date: Thu, 27 Oct 2022 10:39:09 +0200
Subject: [PATCH] Add post on raspi as backup server
---
content/post/raspi-backup.md | 147 +++++++++++++++++++++++++++++++++++
1 file changed, 147 insertions(+)
create mode 100644 content/post/raspi-backup.md
diff --git a/content/post/raspi-backup.md b/content/post/raspi-backup.md
new file mode 100644
index 0000000..02dc21b
--- /dev/null
+++ b/content/post/raspi-backup.md
@@ -0,0 +1,147 @@
+---
+title: "Raspberry Pi as Offsite Backup"
+date: 2022-10-23T10:12:54+02:00
+draft: false
+image: "uploads/logos/raspi_backup.png"
+categrories: ["homelab"]
+tags: ["english"]
+---
+
+
+# Use Case
+
+You have one (or more) servers at a hosting provider and a raspberry pi at home. You want to have an offsite backup of the websites, apps and databases at home.
+
+# Prerequesits
+
+You configure your raspberry pi to be reachable from *the internet* using DynDNS. In the following we assume that it is reachable at offsite.example.com.
+
+# Preparing your backup raspberry pi
+
+We want to make sure that backups on the raspberry pi can come from multiple sources and one source can not delete another.
+
+## Create an additional user
+
+and change to that user afterwards. You can change service1 to the name of the service that this user should backup.
+
+```
+sudo useradd service1_backup
+sudo su service1_backup
+cd ~
+```
+
+
+## Create an SSH key for the user
+
+This SSH key will later be used by your server to push backups automatically. Therefore you should not set a passphrase for the key (just press enter until the key is generated)
+
+```
+$ ssh-keygen -t ed25519
+```
+
+## Create your backup directory
+
+```
+mkdir backup && cd backup
+```
+
+If you want to use an external drive you can mount it to this users home directory.
+
+## Initialzie the borg repository
+
+```
+borg init --encryption=repokey ./
+```
+
+Make sure to set a strong passphrase and note it down somewhere safe. Without it you will not be able to access you backup!
+
+
+## Make sure the user can only access the backup directory
+
+Put the following in `~/.ssh/authorized_keys` and make sure everything is in one line. The last values are simply your public key that can be found in `~/.ssh/id_ed25519.pub`
+
+```
+command="borg serve --restrict-to-repository /home//backup",restrict
+```
+
+**Done with the raspberry pi**
+
+# Configure your server
+
+In this guide we will use [borgmatic](https://torsion.org/borgmatic/) to configure and automatically run the backup in the server.
+
+## Install borgmatic
+
+```
+sudo pip3 install --user --upgrade borgmatic
+```
+
+## Configure borgmatic
+
+The following is a small configuration example. Place it in `/etc/borgmatic.d/servic1.yaml`. If you need more options check out the [full configuration file reference](https://torsion.org/borgmatic/docs/reference/configuration/)
+
+```
+location:
+ source_directories:
+ - /home/service1/static
+ repositories:
+ - ssh://service1_backup@offsite1.example.com/./backup
+storage:
+ encryption_passphrase: "ThePassphraseouUsedOnYourRaspi"
+ ssh_command: ssh -i /etc/borgmatic.d/service1_backup_key
+retention:
+ # Number of daily archives to keep.
+ keep_daily: 7
+hooks:
+ # List of one or more shell commands or scripts to execute
+ # before creating a backup, run once per configuration file.
+ before_backup:
+ - echo "Starting a backup."
+ # List of one or more shell commands or scripts to execute
+ # after creating a backup, run once per configuration file.
+ after_backup:
+ - echo "Finished a backup."
+ after_everything:
+ - echo "Completed actions."
+
+ postgresql_databases:
+ - name: service1
+ # mysql_databases:
+ # - name: users
+```
+
+
+## Place the private SSH key
+
+The server will need the private SSH key so connect to your raspberry pi
+
+On the raspberry pi use
+
+```
+cat ~/.ssh/id_ed25519
+```
+
+to get the private key and place it on your server in the file `/etc/borgmatic.d/service1_backup_key`.
+As this is a private SSH key it must only be readable by the user. Ro change its permissions correctly use
+
+```
+chown 600 service1_backup_key
+```
+
+## Check if the backup works
+
+Create your backup with
+
+```
+sudo borgmatic create --verbosity 1 --list --stats
+```
+
+
+Now check out the [borgmatic configuration](https://torsion.org/borgmatic/docs/how-to/set-up-backups/#autopilot) on how to properly set up automated backups
+
+
+# Done
+
+Congrats, you should now have a fully functioning backup configuration!
+
+{{< chat raspi-backup>}}
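Review bot: In the "Place the private SSH key" step, `chown 600 service1_backup_key` changes the file's owner to UID 600 instead of restricting its mode, so the passphrase-less private key may stay readable by other users on the server; the line should read `chmod 600 /etc/borgmatic.d/service1_backup_key`. The same `chmod 600` is worth stating for the borgmatic config file, because it stores `encryption_passphrase` in clear text. The `authorized_keys` example ends at `restrict` without the public key that the preceding sentence refers to, so append an obvious placeholder such as `<contents of ~/.ssh/id_ed25519.pub>`. The prerequisites use `offsite.example.com` while the repository URL uses `offsite1.example.com`; pick one so readers do not point the backup at the wrong host.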