published on in tech linux servers sysadmin

Backing up you VM with borg

Recently, for no specific reason at all I did a review of my backup plans of my tiny personal VM:s I have.

Octave Klaba tweeting about the fire at OVH

As my disaster recover plan was mostly “I hope they don’t lose it all at once” I decided to upgrade it to “I have some backups, so I don’t lose it all at once”.

To keep things simple and as I love micro optimising to see for how cheap I can get my personal VM’s, I decided to use my home NAS for backups instead of just paying for third-party storage like B2.

So, here are a rough1 overview of how you can use a local Linux NAS as destination for backing up a cloud VM.

Turris Omnia

First we need2 to get borg working on the turris. Luckily the Turris has lxc, so we can just spin up an alpine instance and do apk add borgbackup and apk add openssh-server. Then update the network to none to share the host network and mount any disk you want.

# first comment out any other network = none
# bind-mount /mnt/sdb2/dir
lxc.mount.entry = /mnt/sdb2/mydir /mnt/sdb2/lxc/borg/rootfs/mnt/mydir rw,bind 0,0

I decided to use a separate ssh inside the lxc for a bit of additional sandboxing.

Add the following to authorized_keys to allow the server you want to back up to run borg, but nothing else.

command="borg serve --restrict-to-path /mnt/server-bakups",no-port-forwarding,no-agent-forwarding,no-pty,no-X11-forwarding ssh-rsa AAA...

C1 Server

Time to start backing up, first because C1 is an armv7 instance, download arm binaries from

Then check that you can connect to your Turris and get some borg output back from the limited ssh-key. Similar to below.

a example of borg backup output

If that works you can initialise the repository and start backing up according to the borg instructions

Something like this

borg init -e=repokey ssh://root@

and if that works

borg create ssh://root@{hostname}-{user}-{now} /home /etc /var/log

And if that works, then either call it a day or address the obvious issues like running the receiving borg as root :-)

  1. This is a very rough guide, it will not work without modifications so don’t try to just blindly copy and paste the instructions. These instructions are specific for Turris Omnia with tailscale and a Scaleway C1. [return]
  2. you can probably ignore this or restrict ssh some other way, but I did this because I started out from the other direction, trying to get borg running on the NAS, and it would then reach out to the servers. [return]