Off-site Backup with Backupninja: Difference between revisions

From Run Your Own
Jump to navigation Jump to search
No edit summary
 
(15 intermediate revisions by 2 users not shown)
Line 6: Line 6:
* A <code>lurk</code> user created on the off-site backup that will be used specifically by the backup scripts
* A <code>lurk</code> user created on the off-site backup that will be used specifically by the backup scripts
* Debian based servers (not sure Backupninja will run otherwise without some slight modifications)
* Debian based servers (not sure Backupninja will run otherwise without some slight modifications)
* All the machines (servers and the backup machine) on a working Tinc VPN
* All the machines (servers and the backup machine) on a working [[VPN_with_Tinc | Tinc VPN]]
* Enough space on the off-site backup machine :)
* Enough space on the off-site backup machine :)


== On the Off-site machine ==
== On the Off-site machine ==
* As <code>lurk</code> create directories for each server
* As <code>lurk</code> create directories for each server
  mkdir /media/lurk_backup/douglas /media/lurk_backup/agnesbaxter
  mkdir /data/lurk/douglas /data/lurk/agnesbaxter
 
=== Hardening ===
 
Restrict the backup user in <code>/etc/ssh/sshd_config</code> and set longer timeouts for Borg
 
  Match user lurk
        X11Forwarding no
        PasswordAuthentication no
        AllowTcpForwarding no
        PubkeyAuthentication yes
        ClientAliveInterval 10
        ClientAliveCountMax 30
 
Copy the public ssh key and add it to <code>lurk</code>'s <code>~/.ssh/authorized_keys</code>. Then restrict the use of that key only to the <code>borg serve</code> command ([https://borgbackup.readthedocs.io/en/1.1.16/usage/serve.html?highlight=borg%20serve#examples more info]) so that your authorized_keys files looks something like this:
 
  command="borg serve --restrict-to-path /data/lurk/agnesbaxter" ecdsa-sha2-nistp521 AAAAasdsad[..]asdsad root@agnesbaxter
 


== On each server ==
== On each server ==
=== Installation ===
=== Installation ===
* As <code>root</code>
 
apt install backupninja
Clone Backupninja from https://0xacab.org/riseuplabs/backupninja
 
cd /usr/src/ && git clone https://0xacab.org/riseuplabs/backupninja
cd /usr/src/backupninja
 
./autogen.sh
./configure
make
make install
 
note that by running the above all configurations will be in <code>/usr/local/etc/</code>


=== Configuration ===
=== Configuration ===
Line 30: Line 57:
* mysql database backup
* mysql database backup
* path:
* path:
  /var/backups/mysql
  /var/backups/mysql # adjust if this location does not have much free space
* all the databases to backup.
* all the databases to backup.
* select the debian maintenance user for access
* select the debian maintenance user for access
* compress the sql output file
* compress the sql output file
* optional: select the action and test/run/review the config
* '''select the action and test/run/review the config'''
* leave ninjahelper
 
==== PostgreSQL local backups ====
* As <code>root</code> run the command:
ninjahelper
* create a new backup action
* postgresql database backup
* path:
/var/backups/postgres # adjust if this location does not have much free space
* backup the whole cluster
* compress the backups
* custom
* '''select the action and test/run/review the config'''
* leave ninjahelper
* leave ninjahelper
==== Borg Backup ====
This is the action that will not only allow you to select which part of your local filesystem to remotely send and rotate to the off-site backup machine, but it will also make sure the local backups above are sent as well!
* make sure you have <code>borgbackup</code> installed:
apt install borgbackup
* As <code>root</code> run:
ninjahelper
* create a new backup action, choose borg
* choose file to include & exclude, add paths, wildcard accepted
* configure backup destination:
** dest_directory <code>/data/lurk/name-of-server-to-backup</code>
** dest_host <code>10.0.1.2</code> Adjust to the Tinc IP of the off-site backup machine.
** dest_user <code>lurk</code>
** dest_type <code>remote</code>
* set up ssh keys and test remote connection
* enable encryption by setting <code>encryption = keyfile</code> and choosing a nice long passphrase
* enable pruning, keep <code>120D</code> (you can adjust if you will run out of space! Keep in mind this is incremental though, so don't panic)
* '''select the action and test/run/review the config'''
* check that everything is showing up nicely on the backup server in the destination directory!
== Fine tuning ==
=== Edit/Change the local filesystem path to include/exclude ===
By default Babckupninja will backup some folder and exclude some others. This can be changed during the initial configuration of the borg action but can also be done later.
* As root, edit <code>/etc/backup.d/90.borg</code>
* Make changes in the section <code># files to include in the backup</code>
* '''Optional:''' run <code>ninjahelper</code>, select the <code>90.borg</code> action and <code>run</code> it to make sure it's being sent to the off-site machine. If you're sure of your changes, you can also wait the next backup to happen to see if it worked.
[[Category:System]]

Latest revision as of 08:45, 5 July 2023

Goal: Setup a remote machine that will be used for incremental backup of critical parts of the LURK servers.

Requirements

This document assumes you already have:

  • A configure Linux/BSD machine to work as off-site backup
  • A lurk user created on the off-site backup that will be used specifically by the backup scripts
  • Debian based servers (not sure Backupninja will run otherwise without some slight modifications)
  • All the machines (servers and the backup machine) on a working Tinc VPN
  • Enough space on the off-site backup machine :)

On the Off-site machine

  • As lurk create directories for each server
mkdir /data/lurk/douglas /data/lurk/agnesbaxter

Hardening

Restrict the backup user in /etc/ssh/sshd_config and set longer timeouts for Borg

 Match user lurk
       X11Forwarding no
       PasswordAuthentication no
       AllowTcpForwarding no
       PubkeyAuthentication yes
       ClientAliveInterval 10
       ClientAliveCountMax 30

Copy the public ssh key and add it to lurk's ~/.ssh/authorized_keys. Then restrict the use of that key only to the borg serve command (more info) so that your authorized_keys files looks something like this:

 command="borg serve --restrict-to-path /data/lurk/agnesbaxter" ecdsa-sha2-nistp521 AAAAasdsad[..]asdsad root@agnesbaxter


On each server

Installation

Clone Backupninja from https://0xacab.org/riseuplabs/backupninja

cd /usr/src/ && git clone https://0xacab.org/riseuplabs/backupninja
cd /usr/src/backupninja
./autogen.sh
./configure
make
make install

note that by running the above all configurations will be in /usr/local/etc/

Configuration

/etc/backupninja.conf

Some changes:

reportemail = some@where.nice
when = everyday at 05:55

MySQL local backups

  • As root run the command:
ninjahelper
  • create a new backup action
  • mysql database backup
  • path:
/var/backups/mysql # adjust if this location does not have much free space
  • all the databases to backup.
  • select the debian maintenance user for access
  • compress the sql output file
  • select the action and test/run/review the config
  • leave ninjahelper

PostgreSQL local backups

  • As root run the command:
ninjahelper
  • create a new backup action
  • postgresql database backup
  • path:
/var/backups/postgres # adjust if this location does not have much free space
  • backup the whole cluster
  • compress the backups
  • custom
  • select the action and test/run/review the config
  • leave ninjahelper

Borg Backup

This is the action that will not only allow you to select which part of your local filesystem to remotely send and rotate to the off-site backup machine, but it will also make sure the local backups above are sent as well!

  • make sure you have borgbackup installed:
apt install borgbackup
  • As root run:
ninjahelper
  • create a new backup action, choose borg
  • choose file to include & exclude, add paths, wildcard accepted
  • configure backup destination:
    • dest_directory /data/lurk/name-of-server-to-backup
    • dest_host 10.0.1.2 Adjust to the Tinc IP of the off-site backup machine.
    • dest_user lurk
    • dest_type remote
  • set up ssh keys and test remote connection
  • enable encryption by setting encryption = keyfile and choosing a nice long passphrase
  • enable pruning, keep 120D (you can adjust if you will run out of space! Keep in mind this is incremental though, so don't panic)
  • select the action and test/run/review the config
  • check that everything is showing up nicely on the backup server in the destination directory!

Fine tuning

Edit/Change the local filesystem path to include/exclude

By default Babckupninja will backup some folder and exclude some others. This can be changed during the initial configuration of the borg action but can also be done later.

  • As root, edit /etc/backup.d/90.borg
  • Make changes in the section # files to include in the backup
  • Optional: run ninjahelper, select the 90.borg action and run it to make sure it's being sent to the off-site machine. If you're sure of your changes, you can also wait the next backup to happen to see if it worked.