mirror of
https://github.com/borgbackup/borg.git
synced 2026-02-19 02:29:19 -05:00
220 lines
7.6 KiB
ReStructuredText
220 lines
7.6 KiB
ReStructuredText
.. include:: ../global.rst.inc
|
||
.. highlight:: none
|
||
.. _central-backup-server:
|
||
|
||
Central repository server with Ansible or Salt
|
||
==============================================
|
||
|
||
This section gives an example of how to set up a Borg repository server for multiple
|
||
clients.
|
||
|
||
Machines
|
||
--------
|
||
|
||
This section uses multiple machines, referred to by their
|
||
respective fully qualified domain names (FQDNs).
|
||
|
||
* The backup server: `backup01.srv.local`
|
||
* The clients:
|
||
|
||
- John Doe's desktop: `johndoe.clnt.local`
|
||
- Web server 01: `web01.srv.local`
|
||
- Application server 01: `app01.srv.local`
|
||
|
||
User and group
|
||
--------------
|
||
|
||
The repository server should have a single UNIX user for all the clients.
|
||
Recommended user and group with additional settings:
|
||
|
||
* User: `backup`
|
||
* Group: `backup`
|
||
* Shell: `/bin/bash` (or another shell capable of running the `borg serve` command)
|
||
* Home: `/home/backup`
|
||
|
||
Most clients should initiate a backup as the root user to capture all
|
||
users, groups, and permissions (e.g., when backing up `/home`).
|
||
|
||
Folders
|
||
-------
|
||
|
||
The following directory layout is suggested on the repository server:
|
||
|
||
* User home directory, /home/backup
|
||
* Repositories path (storage pool): /home/backup/repos
|
||
* Clients’ restricted paths (`/home/backup/repos/<client fqdn>`):
|
||
|
||
- johndoe.clnt.local: `/home/backup/repos/johndoe.clnt.local`
|
||
- web01.srv.local: `/home/backup/repos/web01.srv.local`
|
||
- app01.srv.local: `/home/backup/repos/app01.srv.local`
|
||
|
||
Restrictions
|
||
------------
|
||
|
||
Borg is instructed to restrict clients into their own paths:
|
||
``borg serve --restrict-to-path /home/backup/repos/<client fqdn>``
|
||
|
||
The client will be able to access any file or subdirectory inside of ``/home/backup/repos/<client fqdn>``
|
||
but no other directories. You can allow a client to access several separate directories by passing multiple
|
||
``--restrict-to-path`` flags, for instance: ``borg serve --restrict-to-path /home/backup/repos/<client fqdn> --restrict-to-path /home/backup/repos/<other client fqdn>``,
|
||
which could make sense if multiple machines belong to one person which should then have access to all the
|
||
backups of their machines.
|
||
|
||
Only one SSH key per client is allowed. Keys are added for ``johndoe.clnt.local``, ``web01.srv.local`` and
|
||
``app01.srv.local``. They will access the backup under a single UNIX user account as
|
||
``backup@backup01.srv.local``. Every key in ``$HOME/.ssh/authorized_keys`` has a
|
||
forced command and restrictions applied, as shown below:
|
||
|
||
::
|
||
|
||
command="cd /home/backup/repos/<client fqdn>;
|
||
borg serve --restrict-to-path /home/backup/repos/<client fqdn>",
|
||
restrict <keytype> <key> <host>
|
||
|
||
.. note:: The text shown above needs to be written on a single line!
|
||
|
||
The options added to the key perform the following:
|
||
|
||
1. Change working directory
|
||
2. Run ``borg serve`` restricted to the client base path
|
||
3. Restrict ssh and do not allow stuff which imposes a security risk
|
||
|
||
Because of the ``cd`` command, the server automatically changes the current
|
||
working directory. The client then does not need to know the absolute
|
||
or relative remote repository path and can directly access the repositories at
|
||
``ssh://<user>@<host>/./<repo>``.
|
||
|
||
.. note:: The setup above ignores all client-given command line parameters
|
||
that are normally appended to the `borg serve` command.
|
||
|
||
Client
|
||
------
|
||
|
||
The client needs to initialize the `pictures` repository like this:
|
||
|
||
::
|
||
|
||
borg init ssh://backup@backup01.srv.local/./pictures
|
||
|
||
Or with the full path (this should not be used in practice; it is only for demonstration purposes).
|
||
The server automatically changes the current working directory to the `<client fqdn>` directory.
|
||
|
||
::
|
||
|
||
borg init ssh://backup@backup01.srv.local/home/backup/repos/johndoe.clnt.local/pictures
|
||
|
||
When `johndoe.clnt.local` tries to access a path outside its restriction, the following error is raised.
|
||
John Doe tries to back up into the web01 path:
|
||
|
||
::
|
||
|
||
borg init ssh://backup@backup01.srv.local/home/backup/repos/web01.srv.local/pictures
|
||
|
||
::
|
||
|
||
~~~ SNIP ~~~
|
||
Remote: borg.remote.PathNotAllowed: /home/backup/repos/web01.srv.local/pictures
|
||
~~~ SNIP ~~~
|
||
Repository path not allowed
|
||
|
||
Ansible
|
||
-------
|
||
|
||
Ansible takes care of all the system-specific commands to add the user, create the
|
||
folder, install and configure software.
|
||
|
||
::
|
||
|
||
- hosts: backup01.srv.local
|
||
vars:
|
||
user: backup
|
||
group: backup
|
||
home: /home/backup
|
||
pool: "{{ home }}/repos"
|
||
auth_users:
|
||
- host: johndoe.clnt.local
|
||
key: "{{ lookup('file', '/path/to/keys/johndoe.clnt.local.pub') }}"
|
||
- host: web01.clnt.local
|
||
key: "{{ lookup('file', '/path/to/keys/web01.clnt.local.pub') }}"
|
||
- host: app01.clnt.local
|
||
key: "{{ lookup('file', '/path/to/keys/app01.clnt.local.pub') }}"
|
||
tasks:
|
||
- package: name=borg state=present
|
||
- group: name="{{ group }}" state=present
|
||
- user: name="{{ user }}" shell=/bin/bash home="{{ home }}" createhome=yes group="{{ group }}" groups= state=present
|
||
- file: path="{{ home }}" owner="{{ user }}" group="{{ group }}" mode=0700 state=directory
|
||
- file: path="{{ home }}/.ssh" owner="{{ user }}" group="{{ group }}" mode=0700 state=directory
|
||
- file: path="{{ pool }}" owner="{{ user }}" group="{{ group }}" mode=0700 state=directory
|
||
- authorized_key: user="{{ user }}"
|
||
key="{{ item.key }}"
|
||
key_options='command="cd {{ pool }}/{{ item.host }};borg serve --restrict-to-path {{ pool }}/{{ item.host }}",restrict'
|
||
with_items: "{{ auth_users }}"
|
||
- file: path="{{ home }}/.ssh/authorized_keys" owner="{{ user }}" group="{{ group }}" mode=0600 state=file
|
||
- file: path="{{ pool }}/{{ item.host }}" owner="{{ user }}" group="{{ group }}" mode=0700 state=directory
|
||
with_items: "{{ auth_users }}"
|
||
|
||
Salt
|
||
----
|
||
|
||
This is a configuration similar to the one above, configured to be deployed with
|
||
Salt running on a Debian system.
|
||
|
||
::
|
||
|
||
Install borg backup from pip:
|
||
pkg.installed:
|
||
- pkgs:
|
||
- python3
|
||
- python3-dev
|
||
- python3-pip
|
||
- python-virtualenv
|
||
- libssl-dev
|
||
- openssl
|
||
- libacl1-dev
|
||
- libacl1
|
||
- build-essential
|
||
- libfuse-dev
|
||
- fuse
|
||
- pkg-config
|
||
pip.installed:
|
||
- pkgs: ["borgbackup"]
|
||
- bin_env: /usr/bin/pip3
|
||
|
||
Setup backup user:
|
||
user.present:
|
||
- name: backup
|
||
- fullname: Backup User
|
||
- home: /home/backup
|
||
- shell: /bin/bash
|
||
# CAUTION!
|
||
# If you change the ssh command= option below, it won't necessarily get pushed to the backup
|
||
# server correctly unless you delete the ~/.ssh/authorized_keys file and re-create it!
|
||
{% for host in backupclients %}
|
||
Give backup access to {{host}}:
|
||
ssh_auth.present:
|
||
- user: backup
|
||
- source: salt://conf/ssh-pubkeys/{{host}}-backup.id_ecdsa.pub
|
||
- options:
|
||
- command="cd /home/backup/repos/{{host}}; borg serve --restrict-to-path /home/backup/repos/{{host}}"
|
||
- restrict
|
||
{% endfor %}
|
||
|
||
|
||
Enhancements
|
||
------------
|
||
|
||
As this section only describes a simple and effective setup, it could be further
|
||
enhanced when supporting (a limited set) of client supplied commands. A wrapper
|
||
for starting `borg serve` could be written. Or borg itself could be enhanced to
|
||
autodetect it runs under SSH by checking the `SSH_ORIGINAL_COMMAND` environment
|
||
variable. This is left open for future improvements.
|
||
|
||
When extending ssh autodetection in borg no external wrapper script is necessary
|
||
and no other interpreter or application has to be deployed.
|
||
|
||
See also
|
||
--------
|
||
|
||
* `SSH Daemon manpage <https://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/sshd.8>`_
|
||
* `Ansible <https://docs.ansible.com>`_
|
||
* `Salt <https://docs.saltstack.com/>`_
|