Sysop:BorgBackup
Prepare Server for ssh-key-based backups
BORG_USER=borgbackup
BACKUPDIR=/home/$BORG_USER/backup
# -m creates the home directory (plain useradd does not on most distributions);
# the user needs a real shell so sshd can run the forced command below.
useradd -m -s /bin/sh "$BORG_USER"
for d in "$BACKUPDIR" "/home/$BORG_USER/.ssh"; do
  mkdir -p "$d"
  chown "$BORG_USER:$BORG_USER" "$d"
  chmod 0700 "$d"
done
SSH_AUTH_FILE=/home/$BORG_USER/.ssh/authorized_keys
# The forced command pins every login with this key to "borg serve", limited to
# the backup directory; the remaining options switch off PTY, forwarding and ~/.ssh/rc.
# borg >= 1.1 also offers --restrict-to-repository REPO, which is tighter than
# --restrict-to-path if exactly one repository lives under BACKUPDIR.
echo "command=\"cd $BACKUPDIR; borg serve --restrict-to-path $BACKUPDIR\",no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-user-rc ssh-rsa AAAA...KEYFROMUSER" > "$SSH_AUTH_FILE"
chown "$BORG_USER:$BORG_USER" "$SSH_AUTH_FILE"
chmod 0600 "$SSH_AUTH_FILE"
As a user
Copy the following script and save it as borg_backup.sh:
#!/bin/sh
export BORG_RSH='ssh -i /home/localuser/.ssh/id_rsa_borg'
REPOSITORY=borgbackup@backup.example.com:home
echoerr() { echo "$@" 1>&2; }
# Resolve symlinks first so the passphrase and lock files are looked up next to
# the real script, and derive both names from the same stem.
script_path=$(readlink -f "$0")
script_loc=$(dirname "$script_path")
script_stem=$(basename "$script_path" .sh)
BORG_PASSPHRASE_FILE=$script_loc/$script_stem.pwd
if [ ! -f "$BORG_PASSPHRASE_FILE" ]; then
  echoerr "Passphrase file ${BORG_PASSPHRASE_FILE} does not exist! Aborting..."
  exit 1
fi
BORG_LOCK_FILE=$script_loc/$script_stem.lock
if [ -f "$BORG_LOCK_FILE" ]; then
  pid=$(cat "$BORG_LOCK_FILE")
  # An empty lock file must not count as "running": /proc/ alone always exists.
  if [ -n "$pid" ] && [ -d "/proc/$pid" ]; then
    echo "Lockfile still exists, running pid: ${pid}"
    echo "Exiting"
    exit 0
  else
    echoerr "Lockfile exists but no process running anymore... Continuing..."
  fi
fi
echo $$ > "$BORG_LOCK_FILE"
# Remove the lock however the script ends, including after a failed borg run.
trap 'rm -f "$BORG_LOCK_FILE"' EXIT
export BORG_PASSPHRASE=$(cat "${BORG_PASSPHRASE_FILE}")
# Backup all of /home/localuser except some dirs
# and some compiled python scripts.
# Exclude patterns are shell-style (fnmatch), not regular expressions: a
# backslash before the dot is matched literally and the pattern never matches.
borg create --stats \
  --exclude '/home/localuser/.Trash' \
  --exclude '/home/localuser/.cache' \
  --exclude '/home/localuser/.gem' \
  --exclude '/home/localuser/.rvm' \
  --exclude '*.pyc' \
  "$REPOSITORY::backup-$(hostname)-$(date +%Y-%m-%d)" \
  /home/localuser
# Use the `prune` subcommand to maintain 7 daily, 4 weekly
# and 6 monthly archives. --prefix limits pruning to this host's archives,
# so other hosts sharing the repository are not pruned by its rules.
# We want some output so we get informed.
borg prune -v -s --list --prefix "backup-$(hostname)-" "$REPOSITORY" \
  --keep-daily=7 --keep-weekly=4 --keep-monthly=6
Adjust the SSH key path, the repository and the directories to back up.
Initialize the repository (on the client, as the user that will run the script):
openssl rand -base64 32 > borg_backup.pwd   # must have the same basename as the script and live in the same directory
chmod 0600 borg_backup.pwd
export BORG_RSH='ssh -i /home/localuser/.ssh/id_rsa_borg'
export BORG_PASSPHRASE=$(cat borg_backup.pwd)
borg init --encryption=keyfile borgbackup@backup.example.com:home
Now you are ready to run the backup script:
sh borg_backup.sh
Afterwards add it to a cron job.
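A backup is only as good as its restore, so it is worth running a restore check after the script, for instance from the same cron job. The following is an added example, not part of the original page and not borg's own tooling. It assumes the repository, SSH key and passphrase-file layout of borg_backup.sh above, borg 1.x command-line flags, and a path inside the archive to test against, passed as the first argument; the script name borg_verify.sh is hypothetical.

```shell
#!/bin/sh
# borg_verify.sh (hypothetical name): restore check for the newest archive.
# Added example, not from the original page. Assumes the same repository,
# SSH key and passphrase file as borg_backup.sh, and borg 1.x flags.
set -eu

REPOSITORY=borgbackup@backup.example.com:home
export BORG_RSH='ssh -i /home/localuser/.ssh/id_rsa_borg'

# Print the newest archive whose name starts with $1, reading the output of
# "borg list --short" (one archive name per line) on stdin. The names end in
# YYYY-MM-DD, so a plain sort orders them chronologically. Fails if none match.
latest_archive() {
    prefix=$1
    name=$(grep -- "^${prefix}" | sort | tail -n 1)
    [ -n "$name" ] || return 1
    printf '%s\n' "$name"
}

# Restore $2 from the newest "$1*" archive into a temporary directory and
# compare it byte for byte with the live file. borg stores paths without
# the leading slash, so the extract argument is "home/localuser/..." while
# the comparison target is "/home/localuser/...".
verify_latest() {
    prefix=$1
    sample=$2                      # absolute path, e.g. /home/localuser/.profile
    archive=$(borg list --short "$REPOSITORY" | latest_archive "$prefix") || {
        echo "no archive with prefix ${prefix} in ${REPOSITORY}" >&2
        return 1
    }
    echo "verifying archive ${archive}"
    # Quick structural check of the repository (no archive data is re-read).
    borg check --repository-only "$REPOSITORY"
    # Confirms that keyfile and passphrase can actually decrypt the archive.
    borg info "$REPOSITORY::$archive" >/dev/null
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    (cd "$tmp" && borg extract "$REPOSITORY::$archive" "${sample#/}")
    cmp "$sample" "$tmp/${sample#/}"
    echo "restore of ${sample} from ${archive} matches the live file"
}

# Run the live check only when a sample path is given; without arguments the
# functions above are merely defined, so the file can also be sourced.
if [ -n "${1:-}" ]; then
    pwdfile=$(dirname "$(readlink -f "$0")")/borg_backup.pwd
    export BORG_PASSPHRASE=$(cat "$pwdfile")
    verify_latest "backup-$(hostname)-" "$1"
fi
```

Pick a sample file that rarely changes (a dotfile rather than a log), otherwise cmp will report a difference that has nothing to do with the backup. Run it as `sh borg_verify.sh /home/localuser/.profile` after the backup job; a non-zero exit means the repository, the key or the restore path needs attention.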
Back up your encryption key!
The keyfile mode used above to initialize the repository keeps no key material inside the repository (unlike repokey mode, which stores the passphrase-protected key in the repository config). To read the backup you therefore need both the passphrase and the keyfile, which borg keeps on the client under ~/.config/borg/keys/. If the client disk is lost, the backup is unreadable without a copy of that keyfile.
So back up the keyfile as well, e.g. as a PGP-encrypted mail (provided you can still reach your mail decryption key without this backup!) or as a symmetrically encrypted blob. $REPOSITORY must be set in your shell as in the script:
Export encrypted to your mail (--recipient selects the key; --encrypt-to alone would still prompt for a recipient):
borg key export "$REPOSITORY" /dev/stdout | gpg -a --recipient youremail@example.com --encrypt
Symmetric encryption (passphrase-protected) to store as a blob, e.g. within your mailbox:
borg key export "$REPOSITORY" /dev/stdout | gpg -a --symmetric