[Dev] Get your backups! Hot off the press!
Luke Shumaker
lukeshu at lukeshu.com
Sat Jan 20 21:00:01 GMT 2018
Hi all,
In the interest of having for-realsies backups, instead of having
long, drawn-out discussions about how we should do backups, I've gone
ahead and set up backups!
Description
-----------
Backups are public, but encrypted. They may be accessed at
https://winston.parabola.nu/backup/
https://proton.parabola.nu/backup/
by anyone who wants to download them and contribute to the
resilience of Parabola.
Each of the servers has a "backup@$HOSTNAME" GPG key that is used
exclusively for backups. The private keys for these are accessible
only by root on that server. The public keys are included below.
The backup files for each server are signed by that server's backup@
key; the integrity of the files can be verified by verifying the
signature. The backup files may be decrypted either by the backup@
key that signed it, or by my (Luke Shumaker's) GPG key.
The backups are created by Duplicity.
Once a file is publicly readable (doesn't return HTTP 403), it may
be considered immutable. If you're downloading the backups, rsync
fanciness isn't nescessary, you can just download any files that you
don't have.
Full backups are created monthly, and incremental backups are
created daily. The servers retain monthly backups indefinitely, and
daily backups for 2 months. If you are downloading the backups, you
are encouraged to retain the backups for longer, if you have the
disk space to spare.
Right now, the backups are only being downloaded to my computer.
Future directions
-----------------
It is bad that I am the only one that can decrypt the backups
without having access to the server (which is quite possibly
unavailable, if we're needing to use the backups). It makes sense
that I can; if something goes wrong with a server, it's probably me
who will deal with it. But, if I'm unavailable, someone else in the
project should be able to read the backups. We should discuss who
all that should be.
The backups should go other places, in addition to my home computer.
Maybe we just get several contributors to download them. Maybe we
pay for an account at rsync.net. Maybe we ask if rsync.net will
sponsor Parabola and store the backups for free.
/srv/repo/main is not backed up, as (1) it is very large, and (2)
our mirrors effectively do that for us. However, if something goes
wrong with the repo, and the mirrors have already synced that
breakage, there aren't backups to roll that back to.
SQL dumps are not performed. This is bad because taking a
filesystem backup of the SQL server's storage isn't guaranteed to
get everything in a consistent state.
The backup schedule and retention is subject to change, we'll see
how quickly incremental backups take up space.
I wish Duplicity had an option to trigger full-backup creation not
by time intervals, but as a ratio of
total-incremental-size:full-size. Maybe I should write that up as
part of our backup script.
For that matter, having something that didn't ever require full
backups, like Borg, would be nice. However, I wasn't able to find
satisfactory answers about Borg's encryption or data-portability and
replication. Beyond being a "documentation" issue, answers from the
Borg developers to questions about data-portability and replication
lead me to not put much faith in Borg.
Public keys
-----------
<backup at winston.parabola.nu>:
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQENBFpiHQQBCADeEwkcbKrkWmzocX/OcVfD2cRUMop4soWZsYk1jVAw/FNZnR/b
y4RCjOLnBTLMw5m2slbLf4rUKPRDTwJB8HDmEuEMtJcMeulkKQG5kqiZG7gKQ7C4
oaic+76tlFpttNu84G1Z5qnCDTEZ7UpMIIJ5clMibfKAUtp40feQol6cKaFVt8/F
ywSQmGUr/kcnUPhnJRB7GmsmYOTJU5sxxx+Tex9rLVDewNWTEocZ4774vFPBj3fQ
GFr3wU4JPdY5ma0HjoGOhj2jGsfqNXEEIyplW7FCvWQ8TIzMcLrdKmTJJ9Louuym
fanKX45J3XKsGFgR702WyOGzqj78dCAvbBx5ABEBAAG0I0JhY2t1cCA8YmFja3Vw
QHdpbnN0b24ucGFyYWJvbGEubnU+iQFOBBMBCAA4FiEEv48a4hj1Rx9XENoTuofP
3rwtWVIFAlpiHQQCGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQuofP3rwt
WVJodgf/W6J20OWelTQ24Et8+XExTrcwlOFriJwu9ihVAYaRedK+yICmAI3iSFu/
C7uBGWgz1eBAnuoGpNR947QMC4gzHBlULLrOh5USoqesT4FHRU+UQQ+URP+aQym6
dSLb0kf3hX3VPDJdbGs2WIDxKT8/BR2RBATFcGnvxywfcus0a6hl4P+F7jJc4pfa
F9pr1YYKP1CTt52aEh5KjuN+OqEwS28Y83k/IUUAbktLHz70e8Av3JfNl8tgpydH
+IEMRMOe0bG1hAzK6hx7S5lQEmTSUZki9WVEqFutdfBvTGH0eK/OvrcBvBFiWP1P
jGTkF1cDS0SMynD0BnTLLsn6a6pLMbkBDQRaYh0EAQgAzTJpiw35lDKvEr5gB4M4
J35GIcL3eVxuSwSq7SofLmAziHj2qBn+pfF06biW8YQcF8eUH8YrfVUSEJOW8Z7A
1NNZSEVfsC17Daxp/9z5B2vg7sW/DD7FJDSM9+skch2EfKXLZRkw5avRbqKTI4nN
7xrP0Ft4aKKktm4vGd8OubItCJIpPPJjnn2dDbVsqWOF4OH4y7yJ/L0MdF26GEhs
A8ZzNuD5+5kt4JQu26tTSCqSz0wGaGG32ZGmBFD8zkCzb1lryK2KdkZUHCuV0UnZ
ULdQyy7TU3iL6vEycucSGuhE9dAhzJ5SVM1gL8DcoKRcMJc49+Cc6RHTbf4Rkn8h
EQARAQABiQE2BBgBCAAgFiEEv48a4hj1Rx9XENoTuofP3rwtWVIFAlpiHQQCGwwA
CgkQuofP3rwtWVIJDwf/ZwXbG6cS0p8RO505GBcW1wB6QrROcZniNeGIwZjUGt05
W28QCHdagE5X1qz3njqTpe8hHqbn67hRIKwz0pX6o4awR5h61L0koGmdn5vuhKrd
U9cI0ajLA2KKCOfpt3gvM/HnT0iWxk8S684n+Ux0+IQ9vp67KkhUGh16RAci+lBV
87XP2r0mz3ScyuV4OBXNkpvuR82L5jGwFPI/NBSdPvjgu0egkvPKWr/7Z88HPR2h
DVQs/tA5FE/mBNgNpvWO+Qu12L2JcgD32WmPWrxa6qAgsIfRYvIqNfFHN4kHBzHD
XCtSQcYYRmW/MJmMv94wHK3DqJ6Wzz0rVb1QsrxPww==
=u8iO
-----END PGP PUBLIC KEY BLOCK-----
<backup at proton.parabola.nu>:
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQENBFpjgVQBCADrjhASExndqjByp01o9H5tWP7fshHIyTvJV2WtB0a45x18R11f
u/uGi4XRjvIeqJnS7AP6ef5gf6Qd/1bQGpJ1J8DiXx+Y0dCXon811h0RvaOs00lb
hLlBcN3NoVVRkUVy8MVe5/GwK7GkwhhZbO4ILP+xJmveRAHgJBke2kgcjfY3iAy8
BkisLOshws6gMjp1JqQOE/elecVU8zyBEro7i4/w470jyjaMmPphLMM00WnYUoWC
j0Gten2D4QZt0jMkQ3wdtpa2HWwMHtoGIHOMbMN4WHpMLnpb1JOn3N9YRjYT3/wV
45h5VSnNXo0trXcaoHwM/ZzmHMs5im2VCJ9vABEBAAG0IkJhY2t1cCA8YmFja3Vw
QHByb3Rvbi5wYXJhYm9sYS5udT6JAU4EEwEIADgWIQTxP0sVxG1PzDz6200sjfCu
KjMZpAUCWmOBVAIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRAsjfCuKjMZ
pEC1CACQ92Rmna9CSgU8zutd4uuPEsK37FsXoSZcmRe+JpzMyU/3hN4Pg70CUu0p
oS8Gzc1XGBhNOdoKPB3z8y0UcWScTpVLru8X5cpUz4sE+LALFtDipH63cT4l5pfI
QONG1JPAhlBtaMKlmc62dx+m/RNgCfxNSi1gNnYx2M6mgevMQHr1m821StHAKQ5/
WzMWS1Qt2GxdR3mTOKZltPwO83LKcTFySHXXvUNxKlAaIy/ZeZW7c/ikEdvNW0Fa
Z8zsdhpUhS18sYIVnpyvRPt12LUmtG44a2U2Z4//bacCTkIi6SmoKScZIybiyWEl
a14fbCYf0OLjL5/C6/194a0eV5s4uQENBFpjgVQBCADWCCwqmwaMcO9xymx9ZuMu
9V0EFKVBtcqVhez3TiQSYAEkpIb4tFyiInMSAqJ/9w7YJyfV92KLXr2gMRLZ6lYr
R5iaop2X+5x2+AQoh6YswLJ+DaSHnTdCLEZGq/BU4Jaw7/AR4Wvc8ANZ+rlZGlle
ZiYWu9t0+tBI4564bML7wXFd0bjtgMEI0pPBelgO5jcop/HQrgkhzLJ34l2kg6ws
MyQwwjELai5+RAgckoCzxFnZ573UBBC7ppMoemv7x+XyDGS1cv2yujOZ4w+o0IOB
9zTyE6Gk9HVZjJU4FLCEdHMqplGfJ9iQf+y7GQyHDObSWUsPLlSkNsOGoh1h/Jml
ABEBAAGJATYEGAEIACAWIQTxP0sVxG1PzDz6200sjfCuKjMZpAUCWmOBVAIbDAAK
CRAsjfCuKjMZpD++CADFcPRfuyOYYJuHbAva4i0dp5aGJu3GQuzJF9P1C+gCJpS6
aSeAJpY28NWV9sDIDBxBXjEGnl26QMjbbpP/vQUOzb2Fm9tnWoLDHn5QRRY0kw8S
rx3AINkHGpOLxn+3yUxBZvyoZAu2xUK+7bFCIc7oddqobmi+2+aQTcb9B0YVv3ii
jvXoKZuPHZNFnZTbYh+vvLeMMeQ86KyTgUDsfhsjkgjf+mik4IJoV7x1x+OK3HWG
Pf/eG3dSVAYNoLtCc7gRcpV6gzLCbIfKUm10SJ1P1GPmWfwKO989K76TWyjYrcqg
EkBxcDCdC4zKNXtlpQgdxajEug7d2TXpbh32y4FF
=LbXS
-----END PGP PUBLIC KEY BLOCK-----
--
Happy hacking,
~ Luke Shumaker
More information about the Dev
mailing list