0. Specifications

  • A backup on another server (ideally not in the same building/location)
  • Automatic
  • Lightweight / incremental
  • Encrypted

1. SSH setup and attic install

    +------------+                     +------------+
    |            |       backup        |            |
    |  Alouette  +  ---------------->  +   Belette  |
    |            |                     |            |
    +------------+                     +------------+
      
        Alice                                Bob
  • Alice and Bob install attic on their servers:
# For Jessie
$ apt-get install attic

# For wheezy
$ apt-get install python3-pip python3-dev python3-llfuse libacl1-dev
$ pip-3.2 install attic
  • Bob creates a user alice on his server Belette (with a home directory and the ability to log in over SSH):
$ adduser alice
  • Alice creates an SSH key to connect to Belette from Alouette. Note that the key shouldn't be protected by a passphrase, otherwise you won't be able to log in from the cron script. Copy the key to Belette.
$ ssh-keygen -t rsa -b 4096
$ ssh-copy-id alice@belette
  • (Optional) Bob disables password login for Alice on Belette, so that she can only log in with her SSH key:
$ groupadd sshNoPassword
$ usermod -a -G sshNoPassword alice
$ nano /etc/ssh/sshd_config           

# ---------
# Add to the end of file :
  Match Group sshNoPassword
      PasswordAuthentication no

2. Initialize the backup

  • Alice initializes the backup from Alouette :
$ BACKUP_LOCATION="alice@belette:/home/alice/aliceBackup"
$ attic init --encryption=passphrase $BACKUP_LOCATION
# You will then be asked for your passphrase

3. Create your first backup point

  • Alice creates the first backup from Alouette :
$ PLACES_TO_BACKUP="/etc/ /var/www/"
$ attic create --stats $BACKUP_LOCATION::firstBackup $PLACES_TO_BACKUP

4. Automatic backup

  • Add a file atticBackup in /etc/cron.daily
  • Important: remove all permissions for group and others, as we will put the backup passphrase in it:
$ chmod g-rwx /etc/cron.daily/atticBackup
$ chmod o-rwx /etc/cron.daily/atticBackup
  • Add the following content to atticBackup:
#!/bin/bash

# The database dumps written to /tmp must not be readable by other users
umask 077

# Your passphrase as an environment variable. Attic picks it up automatically.
ATTIC_PASSPHRASE="yourSuperSecurePassphrase"
export ATTIC_PASSPHRASE

# The backup location, and the folders and MySQL databases you want to back up
BACKUP_LOCATION="alice@belette:/home/alice/aliceBackup"
PLACES_TO_BACKUP="/etc/ /var/www/"
DATABASES_TO_BACKUP="mediawiki owncloud roundcube wordpress"

# Create dumps of the MySQL databases and remember their paths.
# The date is computed once so that the dump and cleanup steps agree on the file names.
TODAY=`date +"%Y%m%d"`
DUMPS=""
for DB in $DATABASES_TO_BACKUP
do
    mysqldump --lock-tables -u root -p$(cat /etc/yunohost/mysql) $DB > /tmp/${DB}_${TODAY}.db
    DUMPS="$DUMPS /tmp/${DB}_${TODAY}.db"
done

# Add the new backup (folders and database dumps) on the remote server, keep the logs in some files
LOGFILE=/var/log/backup_attic.log
ERRFILE=/var/log/backup_attic.err
attic create -s ${BACKUP_LOCATION}::auto_backup_`date +"%d_%m_%y_%H:%M"` ${PLACES_TO_BACKUP} ${DUMPS} >> $LOGFILE 2>> $ERRFILE

# Prune the backups (see the documentation. For instance --keep-monthly keeps one backup for each month for the last 6 months)
attic prune ${BACKUP_LOCATION} --keep-daily=7 --keep-weekly=4 --keep-monthly=6 >> $LOGFILE 2>> $ERRFILE

# Remove the MySQL dumps
for DB in $DATABASES_TO_BACKUP
do
    rm /tmp/${DB}_${TODAY}.db
done

# Print the errors if any (some stupid warnings removed ... You can remove my grep if you don't believe it :D)
cat $ERRFILE | grep -v "cannot change locale\|bad interpreter\|Enter passphrase\|Keyboard interrupt"

5. Test your backup script

To check that the cron task scheduler manages to run your script, run the command run-parts -v /etc/cron.daily (if you put atticBackup in cron.daily for a daily run).

The run can take a while if you have a lot of data to back up.

Then check in the file /var/log/backup_attic.log that a new backup has indeed been created (check that the time matches).
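
A preflight check for the script from step 4, as an added example that is not part of the original tutorial. It verifies that the file holding the passphrase is closed to group and others, and that run-parts will actually pick it up. The function name audit_backup_script is hypothetical, and GNU stat (as shipped on Debian) is assumed.

```bash
#!/bin/bash
# Added example (not from the original tutorial): preflight check for the
# cron script that embeds ATTIC_PASSPHRASE. Assumes GNU stat (Debian).

# audit_backup_script FILE [EXPECTED_UID]
# Prints one line per problem and returns the number of problems found.
audit_backup_script() {
    local file=$1 want_uid=${2:-0} problems=0 mode uid

    if [ ! -f "$file" ]; then
        echo "missing: $file"
        return 1
    fi

    mode=$(stat -c '%a' "$file")   # octal permission bits, e.g. 700
    uid=$(stat -c '%u' "$file")    # numeric owner

    # Any group/other bit exposes the passphrase stored in the script.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "mode $mode grants access to group or others"
        problems=$((problems + 1))
    fi

    # Whoever owns the file can read and rewrite it; cron runs it as root.
    if [ "$uid" != "$want_uid" ]; then
        echo "owned by uid $uid, expected $want_uid"
        problems=$((problems + 1))
    fi

    # run-parts silently skips files that are not executable ...
    if [ $(( 0$mode & 0100 )) -eq 0 ]; then
        echo "not executable by its owner, run-parts will skip it"
        problems=$((problems + 1))
    fi

    # ... and files whose name has characters outside [A-Za-z0-9_-].
    case $(basename "$file") in
        *[!A-Za-z0-9_-]*)
            echo "file name would be ignored by run-parts"
            problems=$((problems + 1)) ;;
    esac

    return $problems
}

# Check the path used in this tutorial, if it exists on this machine.
if [ -e /etc/cron.daily/atticBackup ]; then
    audit_backup_script /etc/cron.daily/atticBackup || true
fi
```

A return value of 0 means the script is private to its owner and will be run by cron.daily; a name such as atticBackup.sh is reported because run-parts ignores file names containing a dot.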
