You have one (or more) servers at a hosting provider and a raspberry pi at home. You want to have an offsite backup of the websites, apps and databases at home.
You configure your raspberry pi to be reachable from the internet using DynDNS. In the following we assume that it is reachable at offsite.example.com.
Preparing your backup raspberry pi
We want to make sure that backups on the raspberry pi can come from multiple sources and one source can not delete another.
Create an additional user
and change to that user afterwards. You can change service1 to the name of the service that this user should backup.
sudo useradd service1_backup sudo su service1_backup cd ~
Create an SSH key for the user
This SSH key will later be used by your server to push backups automatically. Therefore you should not set a passphrase for the key (just press enter until the key is generated)
$ ssh-keygen -t ed25519
Create your backup directory
mkdir backup && cd backup
If you want to use an external drive you can mount it to this users home directory.
Initialzie the borg repository
borg init --encryption=repokey ./
Make sure to set a strong passphrase and note it down somewhere safe. Without it you will not be able to access you backup!
Make sure the user can only access the backup directory
Put the following in
~/.ssh/authorized_keys and make sure everything is in one line. The last values are simply your public key that can be found in
command="borg serve --restrict-to-repository /home/<user>/backup",restrict <key type> <key> <key host>
Done with the raspberry pi
Configure your server
In this guide we will use borgmatic to configure and automatically run the backup in the server.
sudo pip3 install --user --upgrade borgmatic
The following is a small configuration example. Place it in
/etc/borgmatic.d/servic1.yaml. If you need more options check out the full configuration file reference
location: source_directories: - /home/service1/static repositories: - ssh://firstname.lastname@example.org/./backup storage: encryption_passphrase: "ThePassphraseouUsedOnYourRaspi" ssh_command: ssh -i /etc/borgmatic.d/service1_backup_key retention: # Number of daily archives to keep. keep_daily: 7 hooks: # List of one or more shell commands or scripts to execute # before creating a backup, run once per configuration file. before_backup: - echo "Starting a backup." # List of one or more shell commands or scripts to execute # after creating a backup, run once per configuration file. after_backup: - echo "Finished a backup." after_everything: - echo "Completed actions." postgresql_databases: - name: service1 # mysql_databases: # - name: users
Place the private SSH key
The server will need the private SSH key so connect to your raspberry pi
On the raspberry pi use
to get the private key and place it on your server in the file
As this is a private SSH key it must only be readable by the user. Ro change its permissions correctly use
chown 600 service1_backup_key
Check if the backup works
Create your backup with
sudo borgmatic create --verbosity 1 --list --stats
Now check out the borgmatic configuration on how to properly set up automated backups
Congrats, you should now have a fully functioning backup configuration!