Skip to content
This repository has been archived by the owner on Oct 2, 2024. It is now read-only.

jwillikers/btrbk-config

Repository files navigation

btrbk Config

My configuration files for the btrbk backup tool. This configuration utilizes Btrfs to take hourly snapshots and incremental backups of specific subvolumes.

Usage

This repository contains the btrbk configuration files for my various systems. Devices that take snapshots of subvolumes, dubbed target devices, do so hourly via their configurations. Backups are handled from an isolated, remote system via a pull strategy over an SSH connection. The setup and configuration vary according to whether the device is a remote backup device or a system taking local snapshots of the important data. The instructions here describe how to configure everything to get this working for both the target and backup roles. It’s recommended that the backup systems be configured first, as this will produce the SSH public keys required to configure the target systems.

  1. Install btrbk.

    sudo rpm-ostree install btrbk
  2. Reboot.

    sudo systemctl reboot
  3. Create the necessary subvolumes and directories.

    Backup
    1. Create the target directories where the backups will reside.

      sudo mkdir --parents /run/media/system/jwillikers_Backup_02/{meerkat,rockpro64}.jwillikers.io
    Target
    1. Configure any Btrfs filesystems as necessary. The argument following the volumes directive denotes root of the particular Btrfs filesystem. In many cases, this might just be / if the root filesystem is Btrfs. My configurations for target devices have the home directory on its own disk and therefore its own Btrfs filesystem, which results in volume /var/home. Get this part sorted out first by orchestrating the underlying disks, partitions, and filesystems as they should be.

    2. Ensure that any subvolumes mentioned in the configuration file exist. Either create new subvolumes or migrate any existing directories to be subvolumes. The following command creates the subvolume /var/home/core/container-volumes.

      sudo btrfs subvolume create /var/home/core/container-volumes
    3. Correct ownership of the subvolume as needed.

      sudo chown --recursive core:core /var/home/core/container-volumes
    4. Create the necessary .snapshots subvolumes where the snapshots will be stored. Each volume in the configuration must contain its own .snapshots subvolume owned by the root user. For instance, when backing up a subvolume that is under the volume /run/media/system/JWillikers_Data create the /run/media/system/JWillikers_Data/.snapshots subvolume.

      sudo btrfs subvolume create /run/media/system/JWillikers_Data/.snapshots
  4. Configure SSH.

    Backup
    1. Create a directory for storing the SSH key that will be used to access the target machine for creating backups.

      sudo mkdir --parents /etc/backup/ssh
    2. Generate the backup SSH key.

      sudo ssh-keygen -t rsa -b 4096 -f /etc/backup/ssh/id_rsa -C $USER@(hostname) -N ""
    3. Note the public key just created. This key will be placed in the authorized_keys file of the backup user.

      sudo cat /etc/backup/ssh/id_rsa.pub
      ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDU9d2LjH01...3dmTrNfJavtZ7Q62GqxnL0D6cjNNrxew== [email protected]
    4. Add the host keys of the target machine to the user’s known_hosts file on the machine carrying out the backups.

      sudo --user root ssh -i /etc/backup/ssh/id_rsa rockpro64.jwillikers.io
    Target
    1. Create a dedicated backup group for the backup user.

      sudo groupadd --gid 801 --system backup
    2. Create a dedicated backup user account to allow Btrbk to login.

      sudo useradd \
        --btrfs-subvolume-home \
        --comment "Account used for remote backups." \
        --create-home \
        --gid backup \
        --shell /usr/bin/bash \
        --system \
        --uid 801 \
        backup
    3. Create a new sudoers policy file for the backup user.

      sudoedit /etc/sudoers.d/99-backup
    4. Allow the backup user to run the necessary commands as root to manipulate Btrfs snapshots.

      /etc/sudoers.d/99-backup
      Cmnd_Alias BTRBK_BACKUP = /usr/sbin/btrfs, /usr/bin/readlink
      
      backup rockpro64.jwillikers.io=NOPASSWD:BTRBK_BACKUP
      ℹ️

      Ensure that btrfs is at the correct location, i.e. /usr/sbin/btrfs, if using a different installation method.

    5. Create the backup user’s SSH directory.

      sudo --user backup mkdir --parents /home/backup/.ssh
    6. Configure Btrbk’s SSH command filter so that only the relevant Btrfs commands can be executed from the backup machine. Replace the sample key used here with the public SSH key generated on the backup machine.

      /home/backup/.ssh/authorized_keys
      command="/usr/share/btrbk/scripts/ssh_filter_btrbk.sh --sudo --source --target --delete --info --send --receive --restrict-path /run/media/system/JWillikers_Data" ssh-rsa AAAAB3NzaC1...hwumXFRQBL [email protected]

      This uses the --restrict-path option to restrict commands to operating only on paths at or below /btrfs_pool. Be sure to configure this appropriately so that access is only allowed for the necessary volumes in the system’s configuration.

    7. Make sure that the backup user’s .ssh directory and included files have the correct ownership.

      sudo chown --recursive backup:backup /home/backup/.ssh
  5. Make a ~/Projects directory in which to clone the repository.

    mkdir --parents ~/Projects
  6. Clone this repository.

    git -C ~/Projects clone [email protected]:jwillikers/btrbk-config.git
  7. Change to the repository directory.

    cd btrbk-config
  8. Copy the relevant config file to the /etc/btrbk/ directory as btrbk.conf.

    sudo cp btrbk.rockpro64.conf /etc/btrbk/btrbk.conf
  9. Edit the btrbk.timer systemd unit to fire as often as you want.

    sudo systemctl edit btrbk.timer

    I switch my timer to run hourly instead of daily using the configuration below.

    /etc/systemd/system/btrbk.timer.d/override.conf
    [Unit]
    Description=btrbk hourly backup
    
    [Timer]
    OnCalendar=hourly
  10. Enable and start the systemd timer.

    sudo systemctl enable --now btrbk.timer
  11. Start a tmux session in case the first sync takes a while to complete.

    tmux
  12. Manually run the btrbk.service service.

    sudo systemctl start btrbk.service

Code of Conduct

Please refer to the project’s Code of Conduct.

License

This repository is licensed under the GPLv3. Please refer to the bundled license.

© 2023 Jordan Williams

Authors