Mesh/Backup

From Sudo Room
Jump to: navigation, search

Backup happens from all sudomesh servers to backup.sudomesh.org every 24 hours. The backup system uses duplicity over rsync. The backups are incremental and encrypted.

Client setup

Clients have this script in /etc/cron.daily:

#!/bin/sh

/root/scripts/db_dump
/root/scripts/secure_backup

and the db_dump script looks like:

#!/bin/sh

/usr/bin/mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --all-databases > /var/databases/all_mysql_databases.sql

and the secure_backup script looks like:

#!/bin/sh

PASSPHRASE="the_duplicity_passphrase" /usr/bin/duplicity --exclude-other-filesystems / rsync://clientuser@backup.sudomesh.org/backup/

WARNING: Make sure the secure_backup file is only readable by root!

Key-based login has been set up for logging into backup.sudomesh.org by first creating the user clientuser on backup.sudomesh.org with a long random password, and then using ssh-copy-id from the client.

The passphrase is long and randomly generated and is also stored in multiple secure offline locations.

Server setup

The server has a user called clientuser which is set up to allow key-based login with the client server's public ssh key.

The home directory of clientuser looks like:

root@backup:/home/clientuser# ls -l
total 12
drwxr-x--- 2 clientuser clientuser 12288 Oct 13 01:49 backup

The server has the cronjob /etc/cron.daily/backup_permissions:

#!/bin/sh

# This script prevents backups from being deleted
# by the user that created them.

/bin/chmod 640 /home/clientuser/backup/*
/bin/chown root.clientuser /home/clientuser/backup/*