Setting up backups for an IdeaLoom server

Scripts are included to use Borg Backup (an encrypting, deduplicating archiver).

These instructions are for Ubuntu Linux, but Borg is cross-platform.

Installing Borg Backup

To install an up-to-date Borg Backup (https://borgbackup.github.io/borgbackup/) on Ubuntu:

sudo apt-get install python3-pip libacl1-dev liblz4-dev libssl-dev
sudo pip3 install --upgrade borgbackup

Using

The script is in doc/borg_backup_script/idealoom_borg_backup.sh

It assumes:

  • borgbackup is installed on both the IdeaLoom server and the backup server
  • The user running the script has access over ssh to the backup server with key authentication (no passphrase). Typically, this will be the www-data user.
  • The user running the script has access over ssh to itself with key authentication (no passphrase).

The script takes two environment variables:

  • IDEALOOM_PATH: the path to the IdeaLoom installation to back up
  • REPOSITORY: the address of the Borg Backup repository to back up to

Create a script such as: /home/backups/backup_all_idealoom.sh

::

#!/bin/bash

export PATH=$PATH:/usr/local/bin
export IDEALOOM_PATH=/home/www/idealoom_discussions_conversence_com
export REPOSITORY=www-data@coeus.ca:/media/backup/idealoom_backups_conversence_discussions.borg
bash ${IDEALOOM_PATH}/doc/borg_backup_script/idealoom_borg_backup.sh > $IDEALOOM_PATH/var/log/idealoom_backup.log 2>&1

You can then automate with cron. For example:

sudo su - www-data
crontab -e
0 3 * * * /bin/bash /home/backups/backup_all_idealoom.sh

All backups are encrypted. Make SURE you back up the keys (normally in ~/.borg/keys/) somewhere safe, otherwise your backups will be useless!

To secure the user, use an extremely restricted permission in ~/.ssh/authorized_keys on the backup server:

# Allow an SSH keypair to only run borg, and only have access to /media/backup.
# This will help to secure an automated remote backup system.
$ cat ~/.ssh/authorized_keys
command="borg serve --restrict-to-path /media/backup" ssh-rsa AAAAB3[...]
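
One way to check that every key in the backup server's ~/.ssh/authorized_keys is pinned to borg serve, as described above. This is an added example, not part of the IdeaLoom scripts or of Borg; the function name, the sample lines and the extra warning about the OpenSSH `restrict` option (OpenSSH 7.2 or later, not mentioned on this page) are assumptions of the example.

```shell
#!/bin/sh
# Added example, not IdeaLoom or Borg code: audit an authorized_keys file.
# Returns 1 if any key is not pinned to "borg serve --restrict-to-path".
audit_authorized_keys() {
    rc=0 n=0
    # "read" without IFS= trims surrounding blanks, as sshd does.
    while read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            ''|'#'*) continue ;;                      # blank line or comment
            ssh-*|ecdsa-*|sk-*)                       # line starts with the key type
                echo "line $n: UNRESTRICTED (no options)"; rc=1 ;;
            *'command="borg serve '*'--restrict-to-path /'*)
                case $line in
                    restrict,*|*,restrict,*|*,restrict' '*)
                        echo "line $n: OK" ;;
                    *)  echo "line $n: WARN (forced command set, 'restrict' missing)" ;;
                esac ;;
            *)  echo "line $n: UNRESTRICTED (no borg serve forced command)"; rc=1 ;;
        esac
    done < "$1"
    return "$rc"
}

# Constructed sample; the key material is placeholder text, not real keys.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# backup client for IdeaLoom
command="borg serve --restrict-to-path /media/backup",restrict ssh-ed25519 AAAAC3-PLACEHOLDER www-data@idealoom
command="borg serve --restrict-to-path /media/backup" ssh-rsa AAAAB3-PLACEHOLDER www-data@idealoom
ssh-rsa AAAAB3-PLACEHOLDER admin@laptop
EOF
audit_authorized_keys "$sample" || echo "At least one key can do more than run borg serve."
rm -f "$sample"
```

On a real server, point the function at the backup account's own file, for example `audit_authorized_keys ~/.ssh/authorized_keys`, and treat a non-zero exit status as a failed check.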

Restoring

TODO