Megaphone Commons

# Backup Setup when we don't have root

We normally rely on a modified version `backupninja` for backup, which requires root access.  When we don't have root access but we do have `borgbackup`, we have a modified procedure for backing up to rsync.net using borgbackup.

In the example below, `1234` should be your rsync.net user number, `yourrsyncserver.rsync.net` should be your rsync.net server (e.g. `usw-s008.rsync.net`). `clientname` and `servershortname` can be anything you want as long as they're consistent between `borg init` and the shell script. `server.longname.org` should be the name of the server as Icinga knows it. `/path/to/back/up` should be the path you want to back up.  You can have more than one, separated by spaces.

Run all the following on a local computer that has its public key on the rsync.net server.

```shell

#!/bin/bash

# This script requires jq.  Bail if not found.  You can download a static binary from the jq homepage.

if ! command -v ./jq &> /dev/null

then

    echo "jq could not be found. Please install and try again"

    exit

fi

# borg backupninja backup script

REPOSITORY="1234@yourrsyncserver.rsync.net:clientname-servershortname"

export BORG_PASSPHRASE='StrongPassphrase'

# On rsync.net: Specify /usr/local/bin/borg/borg for borg 0.29; /usr/local/bin/borg1 for 1.x

REMOTE_PATH=/usr/local/bin/borg1/borg1

ICINGA2_API_USER=backupninja

ICINGA2_SERVER_ADDRESS=icinga.megaphonetech.com

ICINGA2_API_PORT=5665

ICINGA2_API_PASSWORD=<Icinga2 API password>

ICINGA2_HOSTNAME=server.longname.org

# Set level to 0, "OK", and we'll change it if anything goes wrong.

LEVEL=0

# Run the backup.

OUTPUT=$( (

/usr/bin/borg create --warning --filter=AME --stats --compression lz4         \

--remote-path $REMOTE_PATH \

$REPOSITORY::'{hostname}-{now:%Y-%m-%d}' \

/path/to/back/up \

--exclude '*/templates_c' \

--exclude '*/Maildir' \

--exclude '.config/borg' \

--exclude '*/civicrm/upload/cache'

) 2>&1)

if [ $? -ne 0 ]

then

  LEVEL=2

fi

# Remove old backups.

OUTPUT=${OUTPUT}\\n$( (

/usr/bin/borg prune -v $REPOSITORY --prefix '{hostname}-' --keep-daily=15 --keep-weekly=9 --keep-monthly=6 --remote-path $REMOTE_PATH

) 2>&1)

if [ $? -ne 0 ]

  then

  LEVEL=2

fi

# Check the integrity of the backup.

OUTPUT=${OUTPUT}\\n$( (

/usr/bin/borg check $REPOSITORY --remote-path $REMOTE_PATH

) 2>&1)

if [ $? -ne 0 ]

  then

  LEVEL=2

fi

unset BORG_PASSPHRASE

# Escape JSON characters

echo $OUTPUT

OUTPUT=$( echo $OUTPUT | ./jq --raw-input --slurp --ascii-output . )

echo "after jq"

echo $OUTPUT

# Send to Icinga

DATA="{ \"exit_status\": $LEVEL, \"plugin_output\": ${OUTPUT} }"

/usr/bin/curl -k -s -u $ICINGA2_API_USER:$ICINGA2_API_PASSWORD -H 'Accept: application/json' -X POST "https://$ICINGA2_SERVER_ADDRESS:$ICINGA2_API_PORT/v1/actions/process-check-result?service=${ICINGA2_HOSTNAME}!backupninja" --data "${DATA}" > /dev/null

# Reschedule the next dummy backupninja check

RESCHEDULE_TIME=$(/bin/date -d "tomorrow 6am" "+%s")

RESCHEDULE_JSON="{ \"next_check\": \"${RESCHEDULE_TIME}\" }"

/usr/bin/curl -k -s -u $ICINGA2_API_USER:$ICINGA2_API_PASSWORD -H 'Accept: application/json' -X POST "https://$ICINGA2_SERVER_ADDRESS:$ICINGA2_API_PORT/v1/actions/reschedule-check?service=${ICINGA2_HOSTNAME}!backupninja" --data "${RESCHEDULE_JSON}" > /dev/null

```

`chmod +x` this file, then add it to the user's `crontab` looking something like this:

```

0 2 * * * cd /home/members/example/sites/crm.example.org/users/example/bin && /home/members/example/sites/crm.example.org/users/example/bin/borgbackup.sh 

```

Add `vars.has_backupninja = true` to the server's Icinga config and restart Icinga.