How to : Backup Yunohost server on Borgbase with Borgbackup

Introduction

  • Hardware: refurbished laptop
  • YunoHost version: up to date
  • I have access to my server : Either through SSH or webadmin
  • special context / particular tweaking : not yet

I recently started with Yunohost, and I don’t have all the tips to make my life easier.

So your comments are welcome, both to help me learn, and to simplify this tuto

Goal

Use the Yunohost Borgbackup application to externalize backups on a borgbase server.

This is a step-by-step tuto from scratch.

Prerequisite

  • Create a pair of SSH keys and display the public key
$ ssh-keygen -t ed25519 -a 100
$ less .ssh/id_ed25519.pub
  • Create an account on Borgbase

  • drop the SSH public key

    • in Account, SSH keys, click on Add Key
    • copy/paste SSH public key with a name (arbitrary) and validate
  • Create a backup repository

    • in Repositories, click on New Repo
    • fill the name and choose the existing SSH key for a full access
  • The repository list provides this information:
    • on the left, you can copy the repository name
    • the form of repository URL is <hash@hash>.repo.borgbase.com<:repo>
    • in the Security column, the fingerprint icon provides you with the SSH fingerprint of the Borgbase server

Borgbackup app on Yunohost

  • Install Borg Backup App (through the webadmin)
    • provide Borgbase.com server URL in the form of ssh://<hash@hash>.repo.borgbase.com:22/~/repo
    • provide a strong backup passphrase and keep it safe (in several places following the 3-2-1 rules too)!
    • a mail is sent to the yunohost server administrator by the install script, listing the public key to configure in the borgbase repo
  • add the SSH public key of the Borgbackup app on the Borgbase server
    • on the Yunohost server, copy the content of .ssh/id_borg_ed25519.pub or copy it from the email
    • on the Borgbase server, in Account, SSH keys, click on Add Key
    • paste the public key, add a name (arbitrary) and validate
    • in Repositories, edit the repository
    • choose the new SSH key (we discourage you from selecting the append-only access as this feature doesn’t act as its name suggests; read the following link attentively to know more: Additional Notes — Borg - Deduplicating Archiver 1.1.16 documentation)

The SSH key id_borg_ed25519 created by the Borgbackup installer doesn’t ask for a password. This allows backup automation.

Initialize and test

  • The first run will initialize the repository
    • By default, you have to wait for the timer trigger specified at installation
    • At this time you receive a “[YNH] First backup is starting” email.
  • You can launch a backup manually
    • in Webadmin > Services > Borg
    • in shell with systemctl start borg.service

Troubleshooting

  • check the repository
$ BORG_RSH="ssh -i /root/.ssh/id_borg_ed25519 " borg list <hash@hash>.repo.borgbase.com:repo
Enter passphrase for key ssh://<hash@hash>.repo.borgbase.com/./repo: 
auto_conf_21_03_21_00:00             Sun, 2021-03-21 06:00:11 [00858c0db2863e6ab144682f1b18002d9b5666b5f3352ff0f813cc50ae345d65]
auto_data_21_03_21_00:00             Sun, 2021-03-21 06:00:18 [cfc19598981410cccd17e98cec207c74211b596d5fb38a1a0f043712e70e34a0]
auto_borg_21_03_21_00:00             Sun, 2021-03-21 06:00:33 [07a3897f8621ab90a01a27ab9f73d974bb25492cf341a344290ffcb0fbd11fa8]
...
  • display repository statistics
$ BORG_RSH="ssh -i /root/.ssh/id_borg_ed25519 " borg info <hash@hash>.repo.borgbase.com:repo
[...]
------------------------------------------------------------------------------
                       Original size      Compressed size    Deduplicated size
All archives:                5.02 GB              2.65 GB            418.51 MB

                       Unique chunks         Total chunks
Chunk index:                   37672               494522

  • check a backup
$ BORG_RSH="ssh -i /root/.ssh/id_borg_ed25519 " borg check --debug <hash@hash>.repo.borgbase.com:repo::auto_borg_21_03_21_00:00
using builtin fallback logging configuration
35 self tests completed in 0.10 seconds
[...]
Enter passphrase for key ssh://<hash@hash>.repo.borgbase.com/./repo: 
TAM-verified manifest
Analyzing archive auto_borg_21_03_21_00:00 (1/1)
RepositoryCache: current items 1, size 2.24 kB / 2.15 GB, 0 hits, 1 misses, 0 slow misses (+0.0s), 0 evictions, 0 ENOSPC hit
Orphaned objects check skipped (needs all archives checked).
Archive consistency check complete, no problems found.
RemoteRepository: 640 B bytes sent, 1.52 MB bytes received, 15 messages sent
  • You can also find Borgbackup logs in :

    • /var/log/backup_borg.err
    • /var/log/borg/*
  • Borgbase allows you to set an alert when no activity is detected within a given period.

6 Likes

Thanks toad for this contribution ! :slightly_smiling_face:

Here are my comments:

I think the repo path should be added like that: ssh://<hash@hash>.repo.borgbase.com/~/repo . Indeed, the current version doesn’t support the USER@DOMAIN:PATH notation without change by hand like you do.

Now the question about username has been removed from install question, the user is directly contained in the repository question.

So I suggest changing this part like this:

* Install `Borg Backup App` (through the webadmin)
  * provide [Borgbase.com](http://Borgbase.com) server URL in the form of `ssh://<hash@hash>.repo.borgbase.com/~/repo`
  * provide a strong backup passphrase and keep it safe (in several places following the 3-2-1 rules too)!
  * a mail is sent to the yunohost server administrator by install script in which is listed the public key to configure in borgbase repo

I suggest here to remove the append-only access. We studied in detail how this option works during the yunohost infra hackathon 10 days ago. This feature is an anti-feature and doesn’t act as expected. See here for more details: Additional Notes — Borg - Deduplicating Archiver 1.1.16 documentation. We conclude this option doesn’t really protect from an attacker that deletes your repo, because deletion operations are just paused until the next operation from a full access repo.

Moreover, append-only repo management needs full access to the repo; I mean, you have to be able to read some logfile from the repo, and I don’t think borgbase allows you to do that.

So here I suggest this change:

* add the SSH public key of the Borgbackup app on the Borgbase server
  * on the Yunohost server, copy the content of `.ssh/id_borg_ed25519.pub` or copy it from the email
  * on the Borgbase server, in `Account`, `SSH keys`, click on `Add Key`
  * paste the public key, add a name (arbitrary) and validate
  * in `Repositories`, edit the repository
  * choose the new SSH key (**we discourage you from selecting the `append-only access` as this feature doesn't act as its name suggests; read the following link attentively to know more https://borgbackup.readthedocs.io/en/stable/usage/notes.html#append-only-mode**)

You don’t have to manually initialize your repo. It should be done by borg_ynh. If you don’t want to wait for timer trigger you can run the borg service in Webadmin > Services > Borg
At this time you received a “[YNH] First backup is starting” email.

You don’t have to do this if you use the notation ssh://<hash@hash>.repo.borgbase.com:22/~/repo as explained in help comment on the first question during install.

Other things are OK for me.

3 Likes

It is great that you have taken the time to help other users with this! Backup is an important topic and is not yet as usable as I’d like it to be for Yunohost. However, in reading your post on Borgbase and such, I am happy to see that there are positive developments!

If you would consider putting screenshots in the tutorial, that would be really helpful in people’s understanding I think :smiley: Is that something you would want to upgrade your tutorial with?

Thanks and cheers!

Hi ljf, and thanks a lot for your comment. It taught me several tricks, and connected things I had not paid attention to.

I didn’t know the mapping between the two notations. It’s a good thing to know about Borg.

Another good piece of knowledge about Borg. I also corrected my config.

It makes sense that the borg_ynh app facilitates this step, I was too focused to realize.

It makes me connect the fact that each time I restart the service, it launches a backup…

I modified the tuto according to your propositions. Thank you also for taking the time to format them.

Thank you MrMorals for your comment.

I understand the visual interest of screenshots, particularly for people who try and discover.

I’m not sure I will have time to maintain such a tuto, considering that I’m not familiar with tools to manipulate and enrich raw screenshots. Closing this gap has too low a priority to be achieved in the near future.

As you said, backup is a far more important topic…

Thanks so much. So important. We should add this guide to the official documentation, I think. Then others might be able to add screenshots as well

Thanks for this tuto, I am backing up my server on a borgbase repo :wink::+1:

Here is a list of providers for backup borg (found on borgmatic)

Borg Hosting providers
Need somewhere to store your encrypted offsite backups? The following hosting providers include specific support for Borg/borgmatic. Using these links and services helps support borgmatic development and hosting. (These are referral links, but without any tracking scripts or cookies.)
rsync.net: Cloud Storage provider with full support for borg and any other SSH/SFTP tool (18€/year, 100 GB)
BorgBase: Borg hosting service with support for monitoring, 2FA, and append-only repos (24€/year, 100 GB)
Lima-Labs: Affordable, reliable cloud data storage accessible via SSH/SCP/FTP for Borg backups or any other bulk storage needs. (22.5€/year, 250 GB)

Hello,
I am trying to make a backup to Borgbase. I finally succeeded in installing the Borgbackup application, but at initialization I receive an email saying:

borg init: error: argument REPOSITORY: Invalid location format: “ssh://xxx@xxx.repo.borgbase.com:repo:22/~/yunohost”
Could not run script: /etc/yunohost/hooks.d/backup_method/05-borg_app
Custom backup method could not get past the ‘backup’ step

In the tutorial, when installing Borgbackup, it is indicated to fill in the following: ssh://hash@hash.repo.borgbase.com:22/~/repo

I changed repo at the end to yunohost (the name of my repo on Borgbase), which gives:
ssh://xxx@xxx.repo.borgbase.com:repo:22/~/yunohost
Is this the right thing to do, or should I keep repo instead of yunohost?:
ssh://hash@hash.repo.borgbase.com:22/~/repo
Thank you.

You should rather put:
ssh://xxx@xxx.repo.borgbase.com:22/~/yunohost

You put one :repo too many.

1 Like
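
Added example, not part of any post in this thread and not borg_ynh code: a shell helper that turns either notation discussed above (the USER@HOST:PATH form copied from Borgbase, or an ssh:// URL) into the ssh://USER@HOST:22/~/PATH form, and rejects the location with the extra :repo that produced the "Invalid location format" error. The function name borg_repo_url and the abc123 account id are made up for the illustration.

```shell
# Added example, not borg_ynh code. borg_repo_url is a hypothetical helper.
# It prints ssh://USER@HOST:PORT/~/PATH, or returns 1 with a reason on stderr.
# Only home-relative paths (as used for BorgBase in this thread) are handled.
borg_repo_url() {
    loc=$1
    case $loc in
        ssh://*)
            rest=${loc#ssh://}
            case $rest in */*) ;; *) echo "no /PATH in: $loc" >&2; return 1 ;; esac
            authority=${rest%%/*}
            path=${rest#*/}
            ;;
        *@*:*)
            # scp-style USER@HOST:PATH, as copied from the BorgBase repo list
            authority=${loc%%:*}
            path=${loc#*:}
            ;;
        *) echo "unrecognised location: $loc" >&2; return 1 ;;
    esac
    case $authority in
        *@*) user=${authority%%@*}; hostport=${authority#*@} ;;
        *) echo "no USER@ part in: $loc" >&2; return 1 ;;
    esac
    case $hostport in
        *:*:*) echo "extra ':' after the host (stray ':repo'?): $loc" >&2; return 1 ;;
        *:*) host=${hostport%%:*}; port=${hostport#*:} ;;
        *) host=$hostport; port=22 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "port is not a number: '$port'" >&2; return 1 ;;
    esac
    # Drop a leading "~/" or "./" so the path is always written home-relative.
    path=${path#"~/"}; path=${path#"./"}
    case $path in
        ''|/*|*:*) echo "unexpected repository path: '$path'" >&2; return 1 ;;
    esac
    [ -n "$user" ] && [ -n "$host" ] || { echo "empty user or host: $loc" >&2; return 1; }
    printf 'ssh://%s@%s:%s/~/%s\n' "$user" "$host" "$port" "$path"
}

# Constructed inputs; abc123 is a placeholder, not a real account id.
for l in 'abc123@abc123.repo.borgbase.com:repo' \
         'ssh://abc123@abc123.repo.borgbase.com:repo:22/~/yunohost'; do
    borg_repo_url "$l" || echo "rejected: $l"
done
```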

Thank you. I managed it; my first backup to Borgbase seems to be a success.

1 Like

I finally tried to set this up following this tutorial. The second time I made it right. But the first time I was so stupid as to just copy the URL of the repository from the Borgbase admin, while the Yunohost setup requires a small change, which is :22/~/repo at the end of the URL, as it is written in this tutorial as well.

So the question is: How do I change the URL? I did not find any way to do so. Do we have to uninstall the Borg app and start from scratch?

And to complete the tutorial we need instructions how to restore from a backup as there are no ways to do so in the Yunohost webadmin.

It seems it can be done this way from the yunohost command-line:

borg export-tar /path/to/repo::your_backup your_backup_yunohost.tar.gz

according to [Borg & Borg Server] Deduplicated, encrypted and remote backups - #18 by charly

Then, I suppose, it will show up as a normal backup in the Yunohost webadmin, and from there we can restore individual apps. right?

I will have to check if this works with Borgbase

That’s it (if you put your tar.?gz into /home/yunohost.backup/archives/).

It is not as straight forward as it seems. So when I run this command

borg export-tar ssh://XXXXXXXXX.repo.borgbase.com:22/~/repo /home/yunohost.backup/archives/yunohost.tar.gz

I get the error message:

borg export-tar: error: argument ARCHIVE: "ssh://XXXXXXXX.repo.borgbase.com:22/~/repo": No archive specified

EDIT: Looking at the complexity involved here Restore | BorgBase Docs I start wondering if Borg is the best solution for non IT-professionals?

You have to use borg list to identify the archive before.

borg list ssh://XXXXXXXXX.repo.borgbase.com:22/~/repo

And next you can export it:

borg export-tar ssh://XXXXXXXXX.repo.borgbase.com:22/~/repo::ARCHIVE_NAME /home/yunohost.backup/archives/ARCHIVE_NAME.tar.gz

Thanks! Running this command gives me a permission error:

Remote: xxxx@xxxx.repo.borgbase.com: Permission denied (publickey).
Connection closed by remote host. Is borg working on the server?

Borg is running, I double-checked and started a manual backup which worked well

Try with:

BORG_RSH="ssh -i /root/.ssh/id_borg_ed25519 -oStrictHostKeyChecking=yes " borg list ssh://XXXXXXXXX.repo.borgbase.com:22/~/repo

Yes, that worked. Just had to remove the whitespace after =yes so that it is =yes" and I was asked for the repository password and got connected

then also the export command had to start with
BORG_RSH="ssh -i /root/.ssh/id_borg_ed25519 -oStrictHostKeyChecking=yes"

so that both commands would be

  1. list archives:

BORG_RSH="ssh -i /root/.ssh/id_borg_ed25519 -oStrictHostKeyChecking=yes" borg list ssh://xxxxx@xxxxxx.repo.borgbase.com:22/~/repo

  2. export to restore

BORG_RSH="ssh -i /root/.ssh/id_borg_ed25519 -oStrictHostKeyChecking=yes" borg export-tar ssh://xxxxx@xxxxxx.repo.borgbase.com:22/~/repo::ARCHIVE_NAME /home/yunohost.backup/archives/ARCHIVE_NAME.tar.gz

I then tried to restore an application (Dokuwiki) from this backup and it worked! Yeah, thanks a lot! Now we just need to publish these instructions in the Yunohost documentation, I think

Instructions are in the readme of borg_ynh (GitHub - YunoHost-Apps/borg_ynh: An experimental Borg implementation for YunoHost), but you are probably right, I think backup with borg should be described on this page: Backing up your server and apps | Yunohost Documentation

Yes, and the readme you mention is confusing for non-experts like me and does not include backing up to borgbase (or other external services). It also says in the beginning that "This doc is partially obsolete and should be reworked!".

What we should have in my opinion are newbie-friendly instructions to backup to different external providers on the one hand and on the other hand to another yunohost server with Borg server app.

Later today or so, I hope, I will try to set up the backup on my main Yunohost instance (so far I have used a test instance with YH 4.2) and will make some notes.

1 Like