infrastructure/op_guide/backup_minio/README.md

2.4 KiB

Add the admin account as deuxfleurs to your ~/.mc/config file

You need to choose some names/identifiers:

export BUCKET_NAME=example
export NEW_ACCESS_KEY_ID=hello

export NEW_SECRET_ACCESS_KEY=$(openssl rand -base64 32)
export POLICY_NAME="policy-$BUCKET_NAME"

Create a new bucket:

mc mb deuxfleurs/$BUCKET_NAME

Create a new user:

mc admin user add deuxfleurs $NEW_ACCESS_KEY_ID $NEW_SECRET_ACCESS_KEY

Add this new user to your ~/.mc/config.json file, as backup-user for example.


Create a policy for this bucket and save it as json:

cat > /tmp/policy.json <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::${BUCKET_NAME}"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::${BUCKET_NAME}/*"
            ]
        }
    ]
}
EOF

Register it:

mc admin policy add deuxfleurs $POLICY_NAME /tmp/policy.json

Set it to your user:

mc admin policy set deuxfleurs $POLICY_NAME user=${NEW_ACCESS_KEY_ID}

Now it should display only your new bucket when running:

mc ls backup-user/

Now we need to initialize the repository with restic.

export ENDPOINT="https://garage.tld"

export AWS_ACCESS_KEY_ID=$NEW_ACCESS_KEY_ID
export AWS_SECRET_ACCESS_KEY=$NEW_SECRET_ACCESS_KEY
export RESTIC_REPOSITORY="s3:$ENDPOINT/$BUCKET_NAME"
export RESTIC_PASSWORD=$(openssl rand -base64 32)

Then init the repo for restic from your machine:

restic init

I am using restic version restic 0.12.1 compiled with go1.16.9 on linux/amd64

See your snapshots with:

restic snapshots

Add the secrets to Consul, near your service secrets. The idea is that the backuping service is a component of the global running service. You must add:

  • backup_aws_access_key_id
  • backup_aws_secret_access_key
  • backup_restic_repository
  • backup_restic_password

Now we need a service that runs:

restic backup .

And also that garbage collect snapshots. I propose:

restic forget --prune --keep-within 1m1d --keep-within-weekly 3m --keep-within-monthly 1y