infrastructure/op_guide/backup_minio/README.md

Add the admin account as `deuxfleurs` to your `~/.mc/config` file

You need to choose some names/identifiers:

```bash
export BUCKET_NAME=example
export NEW_ACCESS_KEY_ID=hello

export NEW_SECRET_ACCESS_KEY=$(openssl rand -base64 32)
export POLICY_NAME="policy-$BUCKET_NAME"
```

Create a new bucket:

```bash
mc mb deuxfleurs/$BUCKET_NAME
```

Create a new user:

```bash
mc admin user add deuxfleurs $NEW_ACCESS_KEY_ID $NEW_SECRET_ACCESS_KEY
```

Add this new user to your `~/.mc/config.json` file, as `backup-user` for example.

---

Create a policy for this bucket and save it as json:

```bash
cat > /tmp/policy.json <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::${BUCKET_NAME}"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::${BUCKET_NAME}/*"
            ]
        }
    ]
}
EOF
```

Register it:

```bash
mc admin policy add deuxfleurs $POLICY_NAME /tmp/policy.json
```

Set it to your user:

```bash
mc admin policy set deuxfleurs $POLICY_NAME user=${NEW_ACCESS_KEY_ID}
```

Now it should display *only* your new bucket when running:

```bash
mc ls backup-user/
```

---

Now we need to initialize the repository with restic.

```bash
export ENDPOINT="https://garage.tld"

export AWS_ACCESS_KEY_ID=$NEW_ACCESS_KEY_ID
export AWS_SECRET_ACCESS_KEY=$NEW_SECRET_ACCESS_KEY
export RESTIC_REPOSITORY="s3:$ENDPOINT/$BUCKET_NAME"
export RESTIC_PASSWORD=$(openssl rand -base64 32)
```

Then init the repo for restic from your machine:

```
restic init
```

*I am using restic version `restic 0.12.1 compiled with go1.16.9 on linux/amd64`*

See your snapshots with:

```
restic snapshots
```

---

Add the secrets to Consul, near your service secrets.
The idea is that the backuping service is a component of the global running service.
You must add:
  - `backup_aws_access_key_id`
  - `backup_aws_secret_access_key`
  - `backup_restic_repository`
  - `backup_restic_password`


---

Now we need a service that runs:

```
restic backup .
```

And also that garbage collect snapshots.
I propose:

```
restic forget --prune --keep-within 1m1d --keep-within-weekly 3m --keep-within-monthly 1y
```
Migrate jitsi + WIP backup doc 2022-01-26 18:09:26 +00:00			Add the admin account as `deuxfleurs` to your `~/.mc/config` file

			`You need to choose some names/identifiers:`

			```bash
			`export BUCKET_NAME=example`
			`export NEW_ACCESS_KEY_ID=hello`

Update guide 2022-01-26 18:31:44 +00:00			`export NEW_SECRET_ACCESS_KEY=$(openssl rand -base64 32)`
Migrate jitsi + WIP backup doc 2022-01-26 18:09:26 +00:00			`export POLICY_NAME="policy-$BUCKET_NAME"`
			```

			`Create a new bucket:`

			```bash
			`mc mb deuxfleurs/$BUCKET_NAME`
			```

			`Create a new user:`

			```bash
			`mc admin user add deuxfleurs $NEW_ACCESS_KEY_ID $NEW_SECRET_ACCESS_KEY`
			```

Update guide 2022-01-26 18:31:44 +00:00			Add this new user to your `~/.mc/config.json` file, as `backup-user` for example.
Migrate jitsi + WIP backup doc 2022-01-26 18:09:26 +00:00
			`---`

			`Create a policy for this bucket and save it as json:`

			```bash
			`cat > /tmp/policy.json <<EOF`
			`{`
			`"Version": "2012-10-17",`
			`"Statement": [`
			`{`
			`"Effect": "Allow",`
			`"Action": [`
			`"s3:ListBucket"`
			`],`
			`"Resource": [`
			`"arn:aws:s3:::${BUCKET_NAME}"`
			`]`
			`},`
			`{`
			`"Effect": "Allow",`
			`"Action": [`
			`"s3:*"`
			`],`
			`"Resource": [`
			`"arn:aws:s3:::${BUCKET_NAME}/*"`
			`]`
			`}`
			`]`
			`}`
Update guide 2022-01-26 18:31:44 +00:00			`EOF`
Migrate jitsi + WIP backup doc 2022-01-26 18:09:26 +00:00			```

			`Register it:`

			```bash
			`mc admin policy add deuxfleurs $POLICY_NAME /tmp/policy.json`
			```

			`Set it to your user:`

			```bash
			`mc admin policy set deuxfleurs $POLICY_NAME user=${NEW_ACCESS_KEY_ID}`
			```

Update guide 2022-01-26 18:31:44 +00:00			`Now it should display only your new bucket when running:`
Migrate jitsi + WIP backup doc 2022-01-26 18:09:26 +00:00
Update guide 2022-01-26 18:31:44 +00:00			```bash
			`mc ls backup-user/`
			```

			`---`

			`Now we need to initialize the repository with restic.`

			```bash
			`export ENDPOINT="https://garage.tld"`

			`export AWS_ACCESS_KEY_ID=$NEW_ACCESS_KEY_ID`
			`export AWS_SECRET_ACCESS_KEY=$NEW_SECRET_ACCESS_KEY`
			`export RESTIC_REPOSITORY="s3:$ENDPOINT/$BUCKET_NAME"`
			`export RESTIC_PASSWORD=$(openssl rand -base64 32)`
			```

			`Then init the repo for restic from your machine:`

			```
			`restic init`
			```

			I am using restic version `restic 0.12.1 compiled with go1.16.9 on linux/amd64`

			`See your snapshots with:`

			```
			`restic snapshots`
			```

			`---`

			`Add the secrets to Consul, near your service secrets.`
			`The idea is that the backuping service is a component of the global running service.`
			`You must add:`
			- `backup_aws_access_key_id`
			- `backup_aws_secret_access_key`
Add a backup script for emails 2022-01-26 20:48:48 +00:00			- `backup_restic_repository`
Update guide 2022-01-26 18:31:44 +00:00			- `backup_restic_password`


			`---`

			`Now we need a service that runs:`

			```
			`restic backup .`
			```

			`And also that garbage collect snapshots.`
			`I propose:`

			```
			`restic forget --prune --keep-within 1m1d --keep-within-weekly 3m --keep-within-monthly 1y`
			```