diff --git a/active/systemd_borg/borg.md b/active/systemd_borg/borg.md index 7309cea..414f42f 100644 --- a/active/systemd_borg/borg.md +++ b/active/systemd_borg/borg.md @@ -2,7 +2,8 @@ - [Borg Backup](#borg-backup) - [Install Borg](#install-borg) - - [Set up a new root client](#set-up-a-new-root-client) + - [Set up a laptop or workstation client](#set-up-a-laptop-or-workstation-client) + - [Set up a new server client](#set-up-a-new-server-client) - [Create a Backup Service](#create-a-backup-service) - [Check backup service logs](#check-backup-service-logs) - [Run a Manual Backup](#run-a-manual-backup) 
@@ -29,7 +30,81 @@ touch /home/backup/.ssh/authorized_keys chown -R backup:backup /home/backup/.ssh ``` -## Set up a new root client +## Set up a laptop or workstation client + +For backing up your laptop or personal account. + +1. On your personal account, set up the borg connection + + ```bash + export BACKUP_HOST="borg.reeselink.com" + + ssh-keygen -C ${USER}@${HOSTNAME} -f ~/.ssh/id_${BACKUP_HOST} + + cat <> ~/.ssh/config + Host ${BACKUP_HOST} + Hostname ${BACKUP_HOST} + IdentityFile ~/.ssh/id_${BACKUP_HOST} + User backup + Port 22 + EOF + + echo "export CLIENT_FQDN=${USER}.${HOSTNAME}.reeselink.com" + echo "export SSH_PUBKEY=\"$(cat ~/.ssh/id_${BACKUP_HOST}.pub)\"" + ``` + +2. On the borg backup server as the backup user: + + ```bash + # Use echo from above + export CLIENT_FQDN= + export SSH_PUBKEY= + + # Create the authkey entry to restrict the user's access to the borg repo folder + export BORG_COMMAND="cd /home/backup/repos/${CLIENT_FQDN}; borg serve --restrict-to-path /home/backup/repos/${CLIENT_FQDN}" + export AUTHKEY_ENTRY="command=\"${BORG_COMMAND}\",restrict ${SSH_PUBKEY}" + echo $AUTHKEY_ENTRY >> /home/backup/.ssh/authorized_keys + + # Create the directory + mkdir repos/${CLIENT_FQDN} + ``` + +3. 
On your personal account, create the repo and your first backup + + ```bash + # Do not include the first / in the path + export PATH_TO_BACKUP=home/${USER} + export BACKUP_HOST="borg.reeselink.com" + export BORG_REPO=${BACKUP_HOST}:home + + # If not initialized, do that now + borg init --encryption none $BORG_REPO + borg list + + # Run backup and timestamp it + borg create \ + --verbose \ + --filter AME \ + --list \ + --stats \ + --progress \ + --show-rc \ + --compression lz4 \ + --exclude-caches \ + ${BORG_REPO}::$(date +"%F-%H-%M-%S") \ + /${PATH_TO_BACKUP} + + # Mount a borg archive + borg mount $BORG_REPO::2025-05-14-00-44-05 /mnt/ + + # Restore a borg archive to a location (dry run) + # First, cd to the location you want to extract to + cd ~ + # Then, extract to that location. --strip-components takes the first n items off a path + borg extract --dry-run --list --strip-components 2 $BORG_REPO::my-files home/USERNAME + ``` + +## Set up a new server client Backups will be run as the root user. Generate them an SSH key to @@ -57,6 +132,8 @@ export SSH_PUBKEY="ssh-rsa abcd1234 backup@fqdn.something.com" export BORG_COMMAND="cd /home/backup/repos/${CLIENT_FQDN}; borg serve --restrict-to-path /home/backup/repos/${CLIENT_FQDN}" export AUTHKEY_ENTRY="command=\"${BORG_COMMAND}\",restrict ${SSH_PUBKEY}" echo $AUTHKEY_ENTRY >> /home/backup/.ssh/authorized_keys +mkdir /home/backup/repos/${CLIENT_FQDN} +chown -R backup:backup /home/backup/repos/${CLIENT_FQDN} ``` ## Create a Backup Service @@ -69,15 +146,14 @@ borg_user: backup borg_host: borg.reeselink.com borg_passphrase: "" backup_dirs: - - /home + - /home/foobar exclude_dirs: [] keep_daily: 7 keep_weekly: 4 keep_monthly: 1 stop_services: [] stop_user_services: - - gitea - - postgres + - foobar ``` ```bash 
@@ -85,7 +161,7 @@ stop_user_services: for var_file in $(ls active/systemd_borg/secrets); do ansible-playbook \ -i ansible/inventory.yaml \ --l podman \ +-l 3dserver \ active/systemd_borg/install_backup.yaml \ -e "@active/systemd_borg/secrets/$var_file" done @@ -94,7 +170,8 @@ done ## Check backup service logs ```bash -ssh podman journalctl -u 'backup-*' -f +export SERVER_SSH_NAME= +ssh $SERVER_SSH_NAME journalctl -u 'backup-*' -f ``` ## Run a Manual Backup
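Review bot: `borg init --encryption none $BORG_REPO` in step 3 of the new laptop section (hunk `@@ -29,7 +30,81 @@`) stores a backup of `home/${USER}` unencrypted on a remote host, so anyone who can read `/home/backup/repos` on the server can read the data. Suggest a keyed mode such as `--encryption repokey`, with a line on where the passphrase and a copy of the key are kept, or a sentence explaining why `none` is acceptable for this repo. In step 2 of the same hunk, `mkdir repos/${CLIENT_FQDN}` depends on the current directory; the absolute `/home/backup/repos/${CLIENT_FQDN}` already used in `BORG_COMMAND` would be unambiguous.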
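Review bot: the added `chown -R backup:backup /home/backup/repos/${CLIENT_FQDN}` (hunk `@@ -57,6 +132,8 @@`) recurses over every client's repository when `CLIENT_FQDN` is unset or empty, because the path collapses to `/home/backup/repos/`. Suggest quoting and guarding the variable in both added lines, for example `"/home/backup/repos/${CLIENT_FQDN:?}"`, and using `mkdir -p` so re-running the block does not fail on an existing directory.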
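Review bot: `-l 3dserver` (hunk `@@ -85,7 +161,7 @@`) hard-codes a single host inside a loop that runs over every file in `active/systemd_borg/secrets`, so each var file, including its `borg_passphrase`, is applied to that one machine. Suggest taking the limit from a variable, as the log-check section now does with `SERVER_SSH_NAME`, or documenting that the secrets directory must only contain var files meant for the host named in `-l`.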
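Review bot: `export SERVER_SSH_NAME=` followed by the unquoted `ssh $SERVER_SSH_NAME journalctl -u 'backup-*' -f` (hunk `@@ -94,7 +170,8 @@`) fails in a confusing way if the value is left empty, because ssh then takes `journalctl` as the host name. Suggest `ssh "${SERVER_SSH_NAME:?}" journalctl -u 'backup-*' -f` and a comment on the `export` line saying what value is expected.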