Update 'infrastructure/server-backup-with-rsync.md'

infrastructure/server-backup-with-rsync.md

@@ -1,12 +1,11 @@
 # Server Backup With Rsync
 
-1. Make sure that rsync is installed on the server:
+First of all make sure that rsync is installed on the server: `apt install rsync`
 
-   ```
-   apt install rsync
-   ```
 
-1. Create a backup user, for example `backup1`:
+## 1. Create a backup user with ssh-key access
+
+1. Create a backup user, for example `backup1` (in ubuntu there is already a user named `backup`):
 
    ```
    useradd backup1 -m
@@ -59,6 +58,8 @@
    ls -al test1
    ```
 
+## 2. Restrict the ssh key of the backup user for using only rsync
+
 1. Let's find out the command that the client is sending to the server through SSH.
    Let's try the same rsync command again, with the added SSH switch `-v` (verbose):
 
@@ -105,7 +106,52 @@
    ls -l test1
    ```
 
-1. For convenience, we can combine the command and the key in a bash script that looks like this:
+## 3. Create a read-only view of the parts of the filesystem that need to be backed up
+
+1. Install `bindfs`:
+
+   ```
+   apt list bindfs
+   apt show bindfs
+   apt install bindfs
+   ```
+
+2. Create mount directories:
+
+   ```
+   mkdir -p /mnt/backup-server/scripts
+   mkdir -p /mnt/backup-server/apps
+   ```
+
+3. Add these lines to `/etc/fstab` for mounting directories read-only:
+
+   ```console
+   /opt/docker-scripts /mnt/backup-server/scripts fuse.bindfs perms=0000:u=rD,force-user=backup1,force-group=nogroup 0 0
+   /var/ds             /mnt/backup-server/apps    fuse.bindfs perms=0000:u=rD,force-user=backup1,force-group=nogroup 0 0
+   ```
+
+   Since we are using **docker-scripts** for installing and managing apps, these two directories
+   are what we need to backup: `/opt/docker-scripts` and `/var/ds`.
+
+4. Mount them:
+
+   ```console
+   mount -a
+   ls -al /mnt/backup-server/scripts
+   ls -al /mnt/backup-server/apps
+   ```
+
+5. Test that they are read-only:
+
+   ```console
+   sudo -u backup1 ls -al /mnt/backup-server/scripts
+   sudo -u backup1 touch /mnt/backup-server/scripts/test1.txt
+   ```
+
+## 4. Create and use a backup script
+
+1. For convenience, we can combine the command and the key in a bash script named `backup-server.sh`
+   that looks like this:
 
    ```
    #!/bin/bash
@@ -113,6 +159,7 @@
    server=127.0.0.1
    port=22
    
+   cd $(dirname $0)
    rsync -a -e "ssh -p $port -i $0" backup1@${server}: .
    
    exit 0
@@ -127,18 +174,34 @@
    Let's try it:
 
    ```
-   chmod 700 backup1.sh
+   chmod 700 backup-server.sh
    rm -rf test1/
-   ./backup1.sh
+   ./backup-server.sh
    ls -l test1/
    ```
 
-1. Now we can move this script to the client (backup server), making sure to change
-   the variable `server` with the IP of the server, and it should work.
+1. Now we can move this script to the client (backup server), making sure to set
+   the proper values for the variables `server` and `port`, and it should work.
 
-1. To change the directory on the server that is being backed up, we should change it
-   on `/home/backup1/.ssh/authorized_keys` (for example from `~/test1` to `/var/backup`,
-   or anything else where the user `backup1` has read access).
+1. Let's also fix the directory on the server that is being backed up. We should edit
+   `/home/backup1/.ssh/authorized_keys` and change `~/test1` to `/mnt/backup-server`
 
-1. To backup a second directory we can create a second SSH key, append it to
-   `/home/backup1/.ssh/authorized_keys`, and create a second backup script.
+1. On the client (computer that is receiving the backup), let's place the script `backup-server.sh`
+   on a directory like `/var/backup`:
+
+   ```
+   mkdir -p /var/backup
+   mv backup-server.sh /var/backup/
+   
+   cd /var/backup/
+   ./backup-server.sh
+   ```
+
+1. Let's also create a cron job that runs this script periodically each week:
+
+   ```
+   cat <<EOF > /etc/cron.d/backup-server
+   # backup the server each tuesday
+   0 0 * * TUE  root  /var/backup/backup-server.sh
+   EOF
+   ```