Megaphone Commons

# Backup Setup when we don't have root

We normally rely on a modified version `backupninja` for backup, which requires root access.  When we don't have root access but we do have `borgbackup`, we have a modified procedure for backing up to rsync.net using borgbackup.

In the example below, `1234` should be your rsync.net user number, `yourrsyncserver.rsync.net` should be your rsync.net server (e.g. `usw-s008.rsync.net`). `clientname` and `servershortname` can be anything you want as long as they're consistent between `borg init` and the shell script. `server.longname.org` should be the name of the server as Icinga knows it. `/path/to/back/up` should be the path you want to back up.  You can have more than one, separated by spaces.

Run all the following on a local computer that has its public key on the rsync.net server.

```shell

# Get the public key for the SSH user who will be running the backup on the client's server.

# Add it to the rsync.net account:

echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1SlLpapSVuMm5O35LN/FWNa8DmRgxYRiaIhcrlFetmso3/+6s2ZGaMHtheTmfZuCm9VNHHp3YHXYqsDPPLuxFg4iKw7ccDc6nRRV32rl5doQE6708fZc6dMp4hFIGNLA1RBFvK/7bGBdQw+ryG/rKFuW7o1X2DrhWRYPVwavjqci2NiHEB5SwjLzetXKF6VLnoZxERZJcBG0d8uQ/EgbcMLN4xXbDDsNsofM4wok0aMULucogSvayHezu5HDt6Dta8iDaWbqQtJwtpcgWrqy+HTPZTxJ5PtZuOfG4KrVR0R+TQSdYe6CFFevGPp3TujO03h885zyXPiLqjEmrVLkt " | ssh 1234@yourrsyncserver.rsync.net 'dd of=.ssh/authorized_keys oflag=append conv=notrunc'

# Create a borg repo.

borg init 1234@yourrsyncserver.rsync.net:clientname-servershortname -e repokey --remote-path=/usr/local/bin/borg1/borg1

```

Then, drop this script on the server (e.g. in `$HOME/bin`):

```shell

#!/bin/bash

# borg backupninja backup script

REPOSITORY="1234@yourrsyncserver.rsync.net:clientname-servershortname"

export BORG_PASSPHRASE='StrongPassphrase'

# On rsync.net: Specify /usr/local/bin/borg/borg for borg 0.29; /usr/local/bin/borg1 for 1.x

REMOTE_PATH=/usr/local/bin/borg1/borg1

ICINGA2_API_USER=backupninja

ICINGA2_SERVER_ADDRESS=icinga.megaphonetech.com

ICINGA2_API_PORT=5665

ICINGA2_API_PASSWORD=<Icinga2 API password>

ICINGA2_HOSTNAME=server.longname.org

# Set level to 0, "OK", and we'll change it if anything goes wrong.

LEVEL=0

# Run the backup.

OUTPUT=$( (

/usr/bin/borg create --warning --filter=AME --stats  --list --compression lz4         \

--remote-path $REMOTE_PATH \

$REPOSITORY::'{hostname}-{now:%Y-%m-%d}' \

/path/to/back/up \

--exclude '*/templates_c'

) 2>&1)

if [ $? -ne 0 ]

then

  LEVEL=2

fi

# Remove old backups.

OUTPUT=${OUTPUT}\n$( (

/usr/bin/borg prune -v $REPOSITORY --prefix '{hostname}-' --keep-daily=15 --keep-weekly=9 --keep-monthly=6 --remote-path $REMOTE_PATH

) 2>&1)

if [ $? -ne 0 ]

  then

  LEVEL=2

fi

# Check the integrity of the backup.

OUTPUT=${OUTPUT}\n$( (

/usr/bin/borg check $REPOSITORY --remote-path $REMOTE_PATH

) 2>&1)

if [ $? -ne 0 ]

  then

  LEVEL=2

fi

unset BORG_PASSPHRASE

# Send to Icinga

/usr/bin/curl -k -s -u $ICINGA2_API_USER:$ICINGA2_API_PASSWORD -H 'Accept: application/json' -X POST "https://$ICINGA2_SERVER_ADDRESS:$ICINGA2_API_PORT/v1/actions/process-check-result?service=${ICINGA2_HOSTNAME}!backupninja" --data "{ \"exit_status\": $LEVEL, \"plugin_output\": $OUTPUT}" #> /dev/null

# Reschedule the next dummy backupninja check

RESCHEDULE_TIME=$(/bin/date -d "tomorrow 6am" "+%s")

/usr/bin/curl -k -s -u $ICINGA2_API_USER:$ICINGA2_API_PASSWORD -H 'Accept: application/json' -X POST "https://$ICINGA2_SERVER_ADDRESS:$ICINGA2_API_PORT/v1/actions/process-check-result?service=${ICINGA2_HOSTNAME}!backupninja" --data "{ \"next_check\": \"${RESCHEDULE_TIME}\"}" #> /dev/null

```

`chmod +x` this file, then add it to the user's `crontab`.

Add `vars.has_backupninja = true` to the server's Icinga config and restart Icinga.