homelab/active/systemd_borg/borg.md

# Borg Backup

- [Borg Backup](#borg-backup)
  - [Server Setup](#server-setup)
    - [Adding a Client](#adding-a-client)
    - [Installing the Backup Service](#installing-the-backup-service)
      - [Adding Nextcloud](#adding-nextcloud)
  - [Manual Client Use](#manual-client-use)

## Server Setup

<https://borgbackup.readthedocs.io/en/stable/deployment/central-backup-server.html#user-and-group>

User: backup

Group: backup

Shell: /bin/bash (or other capable to run the borg serve command)

Home: /home/backup

```bash
dnf install borgbackup

useradd backup
mkdir /home/backup/.ssh
touch /home/backup/.ssh/authorized_keys
chown -R backup:backup /home/backup/.ssh
```

### Adding a Client

Note: See [adding nextcloud](#adding-nextcloud) for nextcloud instructions here.

```bash
export BACKUP_HOST=""

ssh-keygen -C ${USER}@${HOSTNAME} -f ~/.ssh/id_${BACKUP_HOST}

cat <<EOF >> ~/.ssh/config
Host ${BACKUP_HOST}
    Hostname ${BACKUP_HOST}
    IdentityFile ~/.ssh/id_${BACKUP_HOST}
    User backup
    Port 22
    KeepAlive yes
EOF
```

Now on the server:

```bash
export CLIENT_FQDN=""
# Should look like ssh-rsa abcd1234 backup@fqdn.something.com
export SSH_PUBKEY=""
export AUTHKEY_ENTRY="command=\"cd /home/backup/repos/${CLIENT_FQDN}; borg serve --restrict-to-path /home/backup/repos/${CLIENT_FQDN}\",restrict ${SSH_PUBKEY}"
echo $AUTHKEY_ENTRY >> /home/backup/.ssh/authorized_keys

mkdir /home/backup/repos/${CLIENT_FQDN}
chown backup:backup /home/backup/repos/${CLIENT_FQDN}
```

Then back on the client:

```bash
ssh borg.reeselink.com

# root
borg init --encryption none backup@${BACKUP_HOST}:root
# home
borg init --encryption none backup@${BACKUP_HOST}:home
# app
borg init --encryption none backup@${BACKUP_HOST}:gitea
# another app
borg init --encryption none backup@${BACKUP_HOST}:nextcloud
```

### Installing the Backup Service

Create your vars file in `secrets/host_vars.yaml`

```yaml
repo_name: my_repo
borg_user: backup
borg_host: borg.reeselink.com
borg_passphrase: ""
backup_dirs:
  - /home
exclude_dirs: []
keep_daily: 7
keep_weekly: 4
keep_monthly: 1
stop_services: []
stop_user_services:
  - gitea
  - postgres
```

```bash
ansible-playbook \
-i active/ansible/inventory.yaml \
-l podman \
active/systemd_borg/install_backup.yaml \
-e "@active/systemd_borg/secrets/gitea_vars.yaml"
```

#### Adding Nextcloud

Rather than creating a client, just set the borg backup location to:

```text
backup@borg.reeselink.com:nextcloud
```

Then run the backup. It will generate a pubkey. Copy this into the authorized_keys file.

## Manual Client Use

```bash
borg list borg.reeselink.com:home

# Do not include the first / in the path
export PATH_TO_BACKUP=var/home/ducoterra
export BORG_REPO=borg.reeselink.com:home

# If not initialized, do that now
borg init --encryption none $BORG_REPO

# Run backup and timestamp it
borg create \
--verbose \
--filter AME \
--list \
--stats \
--progress \
--show-rc \
--compression lz4 \
--exclude-caches \
-e "pp:/${PATH_TO_BACKUP}/.cache" \
-e "re:^${PATH_TO_BACKUP}/\.var/app/[^/]+/cache/" \
-e "CACHEDIR.TAG" \
-e "pp:/${PATH_TO_BACKUP}/.local/share/gnome-boxes" \
-e "pp:/${PATH_TO_BACKUP}/.var/app/org.gnome.Boxes" \
-e "pp:/${PATH_TO_BACKUP}/.var/app/org.gnome.BoxesDevel" \
-e "pp:/${PATH_TO_BACKUP}/.local/share/bottles" \
-e "pp:/${PATH_TO_BACKUP}/.var/app/com.usebottles.bottles" \
-e "pp:/${PATH_TO_BACKUP}/.local/share/libvirt" \
-e "pp:/${PATH_TO_BACKUP}/.config/libvirt" \
-e "pp:/${PATH_TO_BACKUP}/.local/share/containers" \
-e "pp:/${PATH_TO_BACKUP}/.local/share/docker" \
${BORG_REPO}::$(date +"%F-%H-%M-%S") \
/${PATH_TO_BACKUP}

# Mount a borg archive
borg mount $BORG_REPO::2025-05-14-00-44-05 /mnt/

# Restore a borg archive to a location (dry run)
borg extract --dry-run --list --strip-components 1 $BORG_REPO::my-files home/USERNAME
```