How to set up a Borg backup client and server
For example, we have a backup server named backup-server.net and a client server named myserver (which is not a domain name, just an account name on the backup server).
On the client:
$ sudo apt install borgbackup
$ sudo ssh-keygen -t rsa
When asked for a passphrase, leave it empty because this key will be used by a cron job. The key will be saved to /root/.ssh/id_rsa.
On the server, install borgbackup, create user myserver:
$ sudo apt install borgbackup
$ sudo adduser --disabled-password myserver
$ sudo su - myserver
$ mkdir backups
$ mkdir .ssh && chmod 700 .ssh
$ touch .ssh/authorized_keys && chmod 600 .ssh/authorized_keys
$ cat >> .ssh/authorized_keys
Paste the client’s public key to the terminal. Press ENTER to add at least one newline. Press Ctrl+D to say you’re finished with pasting content.
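Because the client key has no passphrase, anyone who obtains /root/.ssh/id_rsa gets a shell as myserver on the backup server. As an added example (not part of the original guide), this script builds an authorized_keys line that limits the key to borg serve on the backups directory; the function name and the sample key are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide. restricted_borg_key is a
# hypothetical helper; the key at the bottom is a constructed sample.
#
# Usage: restricted_borg_key "<public key line>" "<absolute repository path>"
# Prints one authorized_keys line; returns 1 on input it will not accept.
restricted_borg_key() {
    pubkey=$1
    repo=$2

    # The path is placed inside a double-quoted command="..." option, so
    # accept only an absolute path made of characters that need no quoting.
    case $repo in
        /*) ;;
        *) echo "repository path must be absolute" >&2; return 1 ;;
    esac
    case $repo in
        *[!A-Za-z0-9/._-]*) echo "unsafe character in path" >&2; return 1 ;;
    esac

    # Split the first line into "type base64 [comment]". Only these parsed
    # fields are written out, so extra pasted lines cannot add more entries.
    read -r ktype kdata kcomment <<EOF
$pubkey
EOF
    case $ktype in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "not a bare public key (options already present?)" >&2; return 1 ;;
    esac
    case $kdata in
        ''|*[!A-Za-z0-9+/=]*) echo "key data is not base64" >&2; return 1 ;;
    esac

    # restrict: no pty and no port, agent or X11 forwarding.
    # command=: sshd runs only "borg serve" for this key, and borg refuses
    # any repository outside the given path.
    printf 'command="borg serve --restrict-to-path %s",restrict %s %s%s\n' \
        "$repo" "$ktype" "$kdata" "${kcomment:+ $kcomment}"
}

# Constructed sample standing in for the contents of /root/.ssh/id_rsa.pub
sample='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructedsample root@myserver'
restricted_borg_key "$sample" /home/myserver/backups
```

With such an entry in place the key can only run borg serve, so a manual ssh login with that key no longer opens a shell.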
Back on the client:
Create a file /usr/local/bin/backup2borg.sh with this content:
#!/bin/sh
set -e  # exit on error
# Inspired from https://borgbackup.readthedocs.io/en/stable/quickstart.html#automating-backups
export BORG_REPO=myserver@backup-server.net:/home/myserver/backups
# Quoted so that a passphrase containing spaces is not split by the shell
export BORG_PASSPHRASE="$(cat /root/backup2borg_passwd)"
echo "Stop supervisor and make snapshots"
service supervisor stop
/usr/local/lino/lino_local/first/make_snapshot.sh
/usr/local/lino/lino_local/second/make_snapshot.sh
echo "Stop mysql"
service mysqld stop
echo "Start backup"
# Because of set -e, a failure here exits before the services are restarted
borg create \
    --filter AME \
    --compression lz4 \
    --exclude-caches \
    --exclude '/home/*/.cache/*' \
    --exclude '/var/cache/*' \
    --exclude '/var/tmp/*' \
    --exclude '/var/backups/*' \
    ::'{hostname}-{now}' \
    /etc \
    /home \
    /root \
    /usr/local \
    /var
echo "Restart mysqld and supervisor"
service mysqld start
service supervisor start
echo "Remove old backups"
# Only archives whose names start with this host's name are pruned
borg prune \
    --prefix '{hostname}-' \
    --keep-daily 7 \
    --keep-weekly 4 \
    --keep-monthly 6
Write your Borg passphrase into a file named /root/backup2borg_passwd and make the file readable only by root:
$ sudo nano /root/backup2borg_passwd
$ sudo chmod 600 /root/backup2borg_passwd
Create the Borg repository:
$ sudo su
# export BORG_REPO=myserver@backup-server.net:/home/myserver/backups
# export BORG_PASSPHRASE=`cat /root/backup2borg_passwd`
# borg init --encryption=repokey-blake2
Hit Ctrl+D to terminate the sudo session and to remove the environment variables. Make a manual backup to see whether it works:
$ sudo /usr/local/bin/backup2borg.sh
Check whether your backup worked:
$ sudo borg mount myserver@backup-server.net:/home/myserver/backups ~/myserver
This should ask you interactively for your passphrase (the one you stored in your /root/backup2borg_passwd).
To make it run automatically every day, create a file /etc/cron.daily/backup2borg with this content:
#!/bin/sh
/usr/local/bin/backup2borg.sh > /dev/null
Restoring a backup to another machine
Now imagine that your original server, myserver, no longer exists. The ssh key is gone, and nobody will ever log in as myserver to your backup server. Of course you can log in as root, and you know the passphrase.
$ sudo su
# borg mount root@backup-server.net:/home/myserver/backups ~/myserver
Notes
The first time you connect, ssh will ask you to confirm that the IP address and server name are correct:
The authenticity of host 'backup-server.net (backup-server.net)' can't be established.
ECDSA key fingerprint is SHA256:/xxxxx.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'backup-server.net' (ECDSA) to the list of known hosts.
You can also log in manually:
$ sudo ssh myserver@backup-server.net