Add 'infrastructure/server-backup-with-rsync.md'

infrastructure/server-backup-with-rsync.md

@@ -0,0 +1,77 @@
+# Server Backup
+
+There are many ways to make a server backup, but we will use `rsync` (remote sync), `bindfs`, and `rssh` (restricted shell).
+
+## Create a backup user with restricted shell access
+
+1. Install rssh: 
+
+   ```console
+   apt list rssh
+   apt show rssh
+   apt install rssh
+   ```
+
+2. Create a user for backups that uses the restricted shell:
+
+   ```console
+   useradd apps_backup -m -s /usr/bin/rssh
+   ls -al /home/apps_backup/
+   grep apps_backup /etc/passwd
+   ```
+
+3. Edit `/etc/rssh.conf` to allow `rsync` and use a chroot jail for restricting access:
+
+   ```console
+   allowrsync
+   chrootpath = /home/apps_backup
+   ```
+
+4. Test that the shell of the user `apps_backup` is restricted:
+
+   ```console
+   su apps_backup
+   ```
+
+## Create a read-only view of the parts of the filesystem that need to be backed up
+
+1. Install `bindfs`:
+
+   ```console
+   apt list bindfs
+   apt show bindfs
+   apt install bindfs
+   ```
+
+2. Create mount directories:
+
+   ```console
+   mkdir -p /home/apps_backup/opt-scripts
+   mkdir -p /home/apps_backup/var-ds
+   ```
+
+3. Add these lines to `/etc/fstab` for mounting directories read-only:
+
+   ```console
+   /opt/docker-scripts /home/apps_backup/opt-scripts fuse.bindfs perms=0000:u=rD,force-user=apps_backup,force-group=nogroup 0 0
+   /var/ds /home/apps_backup/var-ds fuse.bindfs perms=0000:u=rD,force-user=apps_backup,force-group=nogroup 0 0
+   ```
+
+4. Mount them:
+
+   ```console
+   mount -a
+   ls -al /home/apps_backup/opt-scripts
+   ls -al /home/apps_backup/var-ds
+   ```
+
+5. Test that they are read-only:
+
+   ```console
+   sudo -u apps_backup ls -al /home/apps_backup/var-ds
+   sudo -u apps_backup touch /home/apps_backup/var-ds/test1.txt
+   ```
+
+# References
+
+- http://jorgenmodin.net/index_html/how-to-create-a-read-only-view-of-files-to-back-up-with-e.g.-rsync