Mesh/Backup
Backup happens from all sudomesh servers to backup.sudomesh.org every 24 hours. The backup system uses duplicity over rsync. The backups are incremental and encrypted.
Client setup
Clients have this script in /etc/cron.daily:
#!/bin/sh /root/scripts/db_dump /root/scripts/secure_backup
and the db_dump script looks like:
#!/bin/sh /usr/bin/mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --all-databases > /var/databases/all_mysql_databases.sql
and the secure_backup script looks like:
#!/bin/sh PASSPHRASE="the_duplicity_passphrase" /usr/bin/duplicity --exclude-other-filesystems / rsync://clientuser@backup.sudomesh.org/backup/
WARNING: Make sure the secure_backup file is only readable by root!
Key-based login has been set up for logging into backup.sudomesh.org by first creating the user clientuser on backup.sudomesh.org with a long random password, and then using ssh-copy-id from the client.
The passphrase is long and randomly generated and is also stored in multiple secure offline locations.
Server setup
The server has a user called clientuser which is set up to allow key-based login with the client server's public ssh key.
The home directory of clientuser looks like:
root@backup:/home/clientuser# ls -l total 12 drwxr-x--- 2 clientuser clientuser 12288 Oct 13 01:49 backup
The server has the cronjob /etc/cron.daily/backup_permissions:
#!/bin/sh # This script prevents backups from being deleted # by the user that created them. /bin/chmod 640 /home/clientuser/backup/* /bin/chown root.ccl /home/clientuser/backup/*