Recently, for no specific reason at all, I did a review of the backup plans for my tiny personal VMs.
As my disaster recovery plan was mostly “I hope they don’t lose it all at once”, I decided to upgrade it to “I have some backups, so I don’t lose it all at once”.
To keep things simple, and as I love micro-optimising to see how cheap I can get my personal VMs, I decided to use my home NAS for backups instead of just paying for third-party storage like B2.
So, here is a rough [1] overview of how you can use a local Linux NAS as the destination for backing up a cloud VM.
Turris Omnia
First we need [2] to get borg working on the Turris. Luckily the Turris has lxc, so we can just spin up an Alpine instance and run apk add borgbackup and apk add openssh-server. Then set the container's network type to none to share the host network, and bind-mount any disk you want.
# first comment out any other network
lxc.net.0.type = none
# bind-mount /mnt/sdb2/mydir into the container (fstab-style fields: source target fstype options dump pass)
lxc.mount.entry = /mnt/sdb2/mydir /mnt/sdb2/lxc/borg/rootfs/mnt/mydir none rw,bind 0 0
I decided to use a separate ssh inside the lxc for a bit of additional sandboxing.
Add the following to authorized_keys to allow the server you want to back up to run borg, but nothing else.
command="borg serve --restrict-to-path /mnt/server-bakups",no-port-forwarding,no-agent-forwarding,no-pty,no-X11-forwarding ssh-rsa AAA...
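As an added example (not from the original post), a small Python audit for authorized_keys entries like the one above. It checks that a key is forced to borg serve, carries the forwarding and pty restrictions (or OpenSSH's single restrict option), and that a given repository path falls under --restrict-to-path; the function names and the sample key material are assumptions made for illustration.

```python
import posixpath

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # prefixes of OpenSSH public key types
# Options set by the entry above; OpenSSH's single "restrict" option covers them all.
LOCKDOWN = {"no-port-forwarding", "no-agent-forwarding", "no-pty", "no-x11-forwarding"}

def parse_options(line):
    """Return the options of one authorized_keys line as {lowercase name: value or None}."""
    line = line.strip()
    if line.startswith(KEY_TYPES):            # entry has no options field at all
        return {}
    tokens, cur, quoted, prev = [], "", False, ""
    for ch in line:
        if ch == '"' and prev != "\\":
            quoted = not quoted               # quotes delimit a value, they are not part of it
        elif ch == "," and not quoted:
            tokens.append(cur)
            cur = ""
        elif ch in " \t" and not quoted:      # first unquoted blank ends the options field
            break
        else:
            cur += ch
        prev = ch
    tokens.append(cur)
    return {t.partition("=")[0].lower(): (t.partition("=")[2] if "=" in t else None)
            for t in tokens if t}

def is_under(path, root):
    """True if path is root itself or below it (assumes absolute POSIX paths)."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return posixpath.commonpath([path, root]) == root

def audit(line, repo):
    """List reasons why `line` is not a borg-only key that can reach repository `repo`."""
    opts, problems = parse_options(line), []
    argv = (opts.get("command") or "").split()
    if argv[:2] != ["borg", "serve"]:
        return ["key is not forced to 'borg serve'"]
    roots = [a.split("=", 1)[1] if "=" in a else nxt
             for a, nxt in zip(argv, argv[1:] + [""])
             if a.split("=", 1)[0] == "--restrict-to-path"]
    if not roots:
        problems.append("borg serve has no --restrict-to-path")
    elif not any(is_under(repo, r) for r in roots):
        problems.append(f"{repo} is outside {roots}")
    if "restrict" not in opts:
        problems += [f"missing {o}" for o in sorted(LOCKDOWN - set(opts))]
    return problems
```

For the entry above, a repository at /mnt/server-bakups/personal passes, while a path elsewhere on the NAS such as /mnt/mydir/myserver is reported, because borg serve only grants access below the restricted path.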
C1 Server
Time to start backing up. First, because the C1 is an ARMv7 instance, download ARM binaries from https://borg.bauerj.eu.
Then check that you can connect to your Turris and get some borg output back from the limited ssh-key. Similar to below.
If that works, you can initialise the repository and start backing up according to the borg instructions. Something like this:
borg init -e=repokey ssh://root@100.127.112.32:40022/mnt/mydir/myserver
and if that works
borg create ssh://root@100.127.112.32:40022/mnt/server-bakups/personal::{hostname}-{user}-{now} /home /etc /var/log
And if that works, then either call it a day or address the obvious issues like running the receiving borg as root :-)
[1] This is a very rough guide; it will not work without modifications, so don’t try to just blindly copy and paste the instructions. These instructions are specific to a Turris Omnia with Tailscale and a Scaleway C1.
[2] You can probably ignore this or restrict ssh some other way, but I did this because I started out from the other direction, trying to get borg running on the NAS, and it would then reach out to the servers.