--- title: "Raspberry Pi as Offsite Backup" date: 2022-10-23T10:12:54+02:00 draft: false image: "uploads/logos/raspi_backup.png" categrories: ["homelab"] tags: ["english"] --- # Use Case You have one (or more) servers at a hosting provider and a raspberry pi at home. You want to have an offsite backup of the websites, apps and databases at home. # Prerequesits You configure your raspberry pi to be reachable from *the internet* using DynDNS. In the following we assume that it is reachable at offsite.example.com. # Preparing your backup raspberry pi We want to make sure that backups on the raspberry pi can come from multiple sources and one source can not delete another. ## Create an additional user and change to that user afterwards. You can change service1 to the name of the service that this user should backup. ``` sudo useradd service1_backup sudo su service1_backup cd ~ ``` ## Create an SSH key for the user This SSH key will later be used by your server to push backups automatically. Therefore you should not set a passphrase for the key (just press enter until the key is generated) ``` $ ssh-keygen -t ed25519 ``` ## Create your backup directory ``` mkdir backup && cd backup ``` If you want to use an external drive you can mount it to this users home directory. ## Initialzie the borg repository ``` borg init --encryption=repokey ./ ``` Make sure to set a strong passphrase and note it down somewhere safe. Without it you will not be able to access you backup! ## Make sure the user can only access the backup directory Put the following in `~/.ssh/authorized_keys` and make sure everything is in one line. The last values are simply your public key that can be found in `~/.ssh/id_ed25519.pub` ``` command="borg serve --restrict-to-repository /home//backup",restrict ``` **Done with the raspberry pi** # Configure your server In this guide we will use [borgmatic](https://torsion.org/borgmatic/) to configure and automatically run the backup in the server. ## Install borgmatic ``` sudo pip3 install --user --upgrade borgmatic ``` ## Configure borgmatic The following is a small configuration example. Place it in `/etc/borgmatic.d/servic1.yaml`. If you need more options check out the [full configuration file reference](https://torsion.org/borgmatic/docs/reference/configuration/) ``` location: source_directories: - /home/service1/static repositories: - ssh://service1_backup@offsite1.example.com/./backup storage: encryption_passphrase: "ThePassphraseouUsedOnYourRaspi" ssh_command: ssh -i /etc/borgmatic.d/service1_backup_key retention: # Number of daily archives to keep. keep_daily: 7 hooks: # List of one or more shell commands or scripts to execute # before creating a backup, run once per configuration file. before_backup: - echo "Starting a backup." # List of one or more shell commands or scripts to execute # after creating a backup, run once per configuration file. after_backup: - echo "Finished a backup." after_everything: - echo "Completed actions." postgresql_databases: - name: service1 # mysql_databases: # - name: users ``` ## Place the private SSH key The server will need the private SSH key so connect to your raspberry pi On the raspberry pi use ``` cat ~/.ssh/id_ed25519 ``` to get the private key and place it on your server in the file `/etc/borgmatic.d/service1_backup_key`. As this is a private SSH key it must only be readable by the user. Ro change its permissions correctly use ``` chown 600 service1_backup_key ``` ## Check if the backup works Create your backup with ``` sudo borgmatic create --verbosity 1 --list --stats ``` Now check out the [borgmatic configuration](https://torsion.org/borgmatic/docs/how-to/set-up-backups/#autopilot) on how to properly set up automated backups # Done Congrats, you should now have a fully functioning backup configuration! {{< chat raspi-backup>}}