Add post on raspi as backup server
		
							
								
								
									
										147
									
								
								content/post/raspi-backup.md
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
									
								
							@@ -0,0 +1,147 @@
 | 
				
			|||||||
 | 
					---
 | 
				
			||||||
 | 
					title: "Raspberry Pi as Offsite Backup"
 | 
				
			||||||
 | 
					date: 2022-10-23T10:12:54+02:00
 | 
				
			||||||
 | 
					draft: false 
 | 
				
			||||||
 | 
					image: "uploads/logos/raspi_backup.png"
 | 
				
			||||||
 | 
					categrories: ["homelab"]
 | 
				
			||||||
 | 
					tags: ["english"]
 | 
				
			||||||
 | 
					---
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					# Use Case
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					You have one (or more) servers at a hosting provider and a raspberry pi at home. You want to have an offsite backup of the websites, apps and databases at home.
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					# Prerequesits
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					You configure your raspberry pi to be reachable from *the internet* using DynDNS. In the following we assume that it is reachable at offsite.example.com.
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					# Preparing your backup raspberry pi
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					We want to make sure that backups on the raspberry pi can come from multiple sources and one source can not delete another. 
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					## Create an additional user
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					and change to that user afterwards. You can change service1 to the name of the service that this user should backup.
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					```
 | 
				
			||||||
 | 
					sudo useradd service1_backup
 | 
				
			||||||
 | 
					sudo su service1_backup
 | 
				
			||||||
 | 
					cd ~
 | 
				
			||||||
 | 
					```
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					## Create an SSH key for the user
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					This SSH key will later be used by your server to push backups automatically. Therefore you should not set a passphrase for the key (just press enter until the key is generated)
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					```
 | 
				
			||||||
 | 
					$ ssh-keygen -t ed25519
 | 
				
			||||||
 | 
					```
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					## Create your backup directory
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					```
 | 
				
			||||||
 | 
					mkdir backup && cd backup
 | 
				
			||||||
 | 
					```
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					If you want to use an external drive you can mount it to this users home directory.
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					## Initialzie the borg repository
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					```
 | 
				
			||||||
 | 
					borg init --encryption=repokey ./
 | 
				
			||||||
 | 
					```
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					Make sure to set a strong passphrase and note it down somewhere safe. Without it you will not be able to access you backup!
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					## Make sure the user can only access the backup directory
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					Put the following in `~/.ssh/authorized_keys` and make sure everything is in one line. The last values are simply your public key that can be found in `~/.ssh/id_ed25519.pub`
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					```
 | 
				
			||||||
 | 
					command="borg serve --restrict-to-repository /home/<user>/backup",restrict <key type> <key> <key host>
 | 
				
			||||||
 | 
					```
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					**Done with the raspberry pi**
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					# Configure your server
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					In this guide we will use [borgmatic](https://torsion.org/borgmatic/) to configure and automatically run the backup in the server.
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					## Install borgmatic
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					```
 | 
				
			||||||
 | 
					sudo pip3 install --user --upgrade borgmatic
 | 
				
			||||||
 | 
					```
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					## Configure borgmatic
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					The following is a small configuration example. Place it in `/etc/borgmatic.d/servic1.yaml`. If you need more options check out the [full configuration file reference](https://torsion.org/borgmatic/docs/reference/configuration/)
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					```
 | 
				
			||||||
 | 
					location:
 | 
				
			||||||
 | 
					    source_directories:
 | 
				
			||||||
 | 
					        - /home/service1/static
 | 
				
			||||||
 | 
					    repositories:
 | 
				
			||||||
 | 
					        - ssh://service1_backup@offsite1.example.com/./backup
 | 
				
			||||||
 | 
					storage:
 | 
				
			||||||
 | 
					    encryption_passphrase: "ThePassphraseouUsedOnYourRaspi"
 | 
				
			||||||
 | 
					    ssh_command: ssh -i /etc/borgmatic.d/service1_backup_key
 | 
				
			||||||
 | 
					retention:
 | 
				
			||||||
 | 
					    # Number of daily archives to keep.
 | 
				
			||||||
 | 
					    keep_daily: 7
 | 
				
			||||||
 | 
					hooks:
 | 
				
			||||||
 | 
					    # List of one or more shell commands or scripts to execute
 | 
				
			||||||
 | 
					    # before creating a backup, run once per configuration file.
 | 
				
			||||||
 | 
					    before_backup:
 | 
				
			||||||
 | 
					        - echo "Starting a backup."
 | 
				
			||||||
 | 
					   # List of one or more shell commands or scripts to execute
 | 
				
			||||||
 | 
					    # after creating a backup, run once per configuration file.
 | 
				
			||||||
 | 
					    after_backup:
 | 
				
			||||||
 | 
					        - echo "Finished a backup."
 | 
				
			||||||
 | 
					    after_everything:
 | 
				
			||||||
 | 
					        - echo "Completed actions."
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    postgresql_databases:
 | 
				
			||||||
 | 
					        - name: service1
 | 
				
			||||||
 | 
					    # mysql_databases:
 | 
				
			||||||
 | 
					          # - name: users
 | 
				
			||||||
 | 
					```
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					## Place the private SSH key
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					The server will need the private SSH key so connect to your raspberry pi
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					On the raspberry pi use
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					```
 | 
				
			||||||
 | 
					cat ~/.ssh/id_ed25519
 | 
				
			||||||
 | 
					```
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					to get the private key and place it on your server in the file `/etc/borgmatic.d/service1_backup_key`.
 | 
				
			||||||
 | 
					As this is a private SSH key it must only be readable by the user. Ro change its permissions correctly use 
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					```
 | 
				
			||||||
 | 
					chown 600 service1_backup_key
 | 
				
			||||||
 | 
					```
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					## Check if the backup works
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					Create your backup with
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					```
 | 
				
			||||||
 | 
					sudo borgmatic create --verbosity 1 --list --stats
 | 
				
			||||||
 | 
					```
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					Now check out the [borgmatic configuration](https://torsion.org/borgmatic/docs/how-to/set-up-backups/#autopilot) on how to properly set up automated backups
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					# Done
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					Congrats, you should now have a fully functioning backup configuration!
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					{{< chat raspi-backup>}}
 | 
				
			||||||
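Review bot: In "Place the private SSH key", `chown 600 service1_backup_key` changes the file's owner to UID 600 and leaves the mode untouched, so the key is not restricted to its owner as the preceding sentence intends; this should be `chmod 600 /etc/borgmatic.d/service1_backup_key` (with the full path, since the step never changes into that directory). The same section copies the private key off the Pi with `cat ~/.ssh/id_ed25519`, which leaves a passphrase-less copy in the home directory of the very account it authenticates; generating the key pair on the server and placing only the public key in `authorized_keys` on the Pi would avoid that. Smaller points: the repository URL uses `offsite1.example.com` while the prerequisites assume `offsite.example.com`, the config path is spelled `servic1.yaml`, the front matter key `categrories` is misspelled so the post will not be filed under `homelab`, and the config file holds `encryption_passphrase` in clear text, so it needs the same restrictive mode as the key.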