From 2695a79e8ad351c8a62a126c2b4d614a12319a07 Mon Sep 17 00:00:00 2001
From: Quentin Dufour
Date: Sat, 23 Apr 2022 13:27:52 +0200
Subject: Add garage backup info
---
 op_guide/backup_minio/README.md | 164 -----------------------------------
 op_guide/garage/README.md | 1 +
 op_guide/garage/backup.sh | 65 ++++++++++++++
 op_guide/restic/README.md | 164 +++++++++++++++++++++++++++++++++++
 op_guide/stolon/nomad_full_backup.md | 2 +-
 5 files changed, 231 insertions(+), 165 deletions(-)
 delete mode 100644 op_guide/backup_minio/README.md
 create mode 100644 op_guide/garage/README.md
 create mode 100644 op_guide/garage/backup.sh
 create mode 100644 op_guide/restic/README.md
(limited to 'op_guide')
diff --git a/op_guide/backup_minio/README.md b/op_guide/backup_minio/README.md
deleted file mode 100644
index a7576c0..0000000
--- a/op_guide/backup_minio/README.md
+++ /dev/null
@@ -1,164 +0,0 @@ -Add the admin account as `deuxfleurs` to your `~/.mc/config` file - -You need to choose some names/identifiers: - -```bash -export ENDPOINT="https://s3.garage.tld" -export SERVICE_NAME="example" - - -export BUCKET_NAME="backups-${SERVICE_NAME}" -export NEW_ACCESS_KEY_ID="key-${SERVICE_NAME}" -export NEW_SECRET_ACCESS_KEY=$(openssl rand -base64 32) -export POLICY_NAME="policy-$BUCKET_NAME" -``` - -Create a new bucket: - -```bash -mc mb deuxfleurs/$BUCKET_NAME -``` - -Create a new user: - -```bash -mc admin user add deuxfleurs $NEW_ACCESS_KEY_ID $NEW_SECRET_ACCESS_KEY -``` - -Add this new user to your `~/.mc/config.json`, run this command before to generate the snippet to copy/paste: - -``` -cat > /dev/stdout < /tmp/policy.json </secrets/`: - -```bash -echo "USER Backup AWS access key ID" > backup_aws_access_key_id -echo "USER Backup AWS secret access key" > backup_aws_secret_access_key -echo "USER Restic repository, eg. s3:https://s3.garage.tld" > backup_restic_repository -echo "USER Restic password to encrypt backups" > backup_restic_password -``` - -Then run secretmgr: - -```bash -# Spawning a nix shell is an easy way to get all the dependencies you need -nix-shell - -# Check that secretmgr works for you -python3 secretmgr.py check - -# Now interactively feed the secrets -python3 secretmgr.py gen -``` - ---- - -Now we need a service that runs: - -``` -restic backup . -``` - -And also that garbage collect snapshots. -I propose: - -``` -restic forget --prune --keep-within 1m1d --keep-within-weekly 3m --keep-within-monthly 1y -``` diff --git a/op_guide/garage/README.md b/op_guide/garage/README.md new file mode 100644 index 0000000..44fda62 --- /dev/null +++ b/op_guide/garage/README.md @@ -0,0 +1 @@ +Not very generic currently, check the backup.sh script diff --git a/op_guide/garage/backup.sh b/op_guide/garage/backup.sh new file mode 100644 index 0000000..2ff18cd --- /dev/null +++ b/op_guide/garage/backup.sh 
@@ -0,0 +1,65 @@
+#!/bin/bash
+
+cd $(dirname $0)
+
+if [ "$(hostname)" != "io" ]; then
+ echo "Please run this script on io"
+ exit 1
+fi
+
+if [ ! -d "buckets" ]; then
+ btrfs subvolume create $(pwd)/buckets
+fi
+
+
+AK=$1
+SK=$2
+
+function gctl {
+ docker exec garage /garage $@
+}
+
+gctl status
+BUCKETS=$(gctl bucket list | tail -n +2 | cut -d " " -f 3 | cut -d "," -f 1)
+
+for BUCKET in $BUCKETS; do
+ case $BUCKET in
+ *backup*)
+ echo "Skipping $BUCKET (not doing backup of backup)"
+ ;;
+ *cache*)
+ echo "Skipping $BUCKET (not doing backup of cache)"
+ ;;
+ *)
+ echo "Backing up $BUCKET"
+
+ if [ ! -d $(pwd)/buckets/$BUCKET ]; then
+ mkdir $(pwd)/buckets/$BUCKET
+ fi
+
+ gctl bucket allow --key $AK --read $BUCKET
+ rclone sync --s3-endpoint http://localhost:3900 \
+ --s3-access-key-id $AK \
+ --s3-secret-access-key $SK \
+ --s3-region garage \
+ --s3-force-path-style \
+ --transfers 32 \
+ --fast-list \
+ --stats-one-line \
+ --stats 10s \
+ --stats-log-level NOTICE \
+ :s3:$BUCKET $(pwd)/buckets/$BUCKET
+ ;;
+ esac
+done
+
+# Remove duplicates
+#duperemove -dAr $(pwd)/buckets
+
+if [ ! -d "$(pwd)/snapshots" ]; then
+ mkdir snapshots
+fi
+
+SNAPSHOT=$(pwd)/snapshots/buckets-$(date +%F)
+echo "Making snapshot: $SNAPSHOT"
+btrfs subvolume snapshot $(pwd)/buckets $SNAPSHOT
diff --git a/op_guide/restic/README.md b/op_guide/restic/README.md
new file mode 100644
index 0000000..a7576c0
--- /dev/null
+++ b/op_guide/restic/README.md
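Review bot: The S3 secret key ends up in process arguments twice: the script takes it as `$2`, and the `rclone sync` call passes it as `--s3-secret-access-key $SK`, where it is typically readable by other local users through the process list for the length of each sync. rclone also reads these options from the environment, so the two credential flags can be replaced by `export RCLONE_S3_ACCESS_KEY_ID="$AK" RCLONE_S3_SECRET_ACCESS_KEY="$SK"` before the loop, with `AK`/`SK` themselves taken from the environment or a root-only file instead of `$1`/`$2`. Separately, nothing checks the exit status of `cd`, `gctl bucket list` or `rclone sync`, so the final `btrfs subvolume snapshot` records a dated snapshot even when a sync failed or the bucket list came back empty. Consider `set -euo pipefail` at the top, and `btrfs subvolume snapshot -r` so the retained copy is read-only.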
@@ -0,0 +1,164 @@ +Add the admin account as `deuxfleurs` to your `~/.mc/config` file + +You need to choose some names/identifiers: + +```bash +export ENDPOINT="https://s3.garage.tld" +export SERVICE_NAME="example" + + +export BUCKET_NAME="backups-${SERVICE_NAME}" +export NEW_ACCESS_KEY_ID="key-${SERVICE_NAME}" +export NEW_SECRET_ACCESS_KEY=$(openssl rand -base64 32) +export POLICY_NAME="policy-$BUCKET_NAME" +``` + +Create a new bucket: + +```bash +mc mb deuxfleurs/$BUCKET_NAME +``` + +Create a new user: + +```bash +mc admin user add deuxfleurs $NEW_ACCESS_KEY_ID $NEW_SECRET_ACCESS_KEY +``` + +Add this new user to your `~/.mc/config.json`, run this command before to generate the snippet to copy/paste: + +``` +cat > /dev/stdout < /tmp/policy.json </secrets/`: + +```bash +echo "USER Backup AWS access key ID" > backup_aws_access_key_id +echo "USER Backup AWS secret access key" > backup_aws_secret_access_key +echo "USER Restic repository, eg. s3:https://s3.garage.tld" > backup_restic_repository +echo "USER Restic password to encrypt backups" > backup_restic_password +``` + +Then run secretmgr: + +```bash +# Spawning a nix shell is an easy way to get all the dependencies you need +nix-shell + +# Check that secretmgr works for you +python3 secretmgr.py check + +# Now interactively feed the secrets +python3 secretmgr.py gen +``` + +--- + +Now we need a service that runs: + +``` +restic backup . +``` + +And also that garbage collect snapshots. +I propose: + +``` +restic forget --prune --keep-within 1m1d --keep-within-weekly 3m --keep-within-monthly 1y +``` diff --git a/op_guide/stolon/nomad_full_backup.md b/op_guide/stolon/nomad_full_backup.md index 574043a..2fb5822 100644 --- a/op_guide/stolon/nomad_full_backup.md +++ b/op_guide/stolon/nomad_full_backup.md @@ -1,4 +1,4 @@ -Start by following ../backup-minio +Start by following ../restic ## Garbage collect old backups -- cgit v1.2.3