blob: 94ed5aac092f5f8264f6f2581590cf6116dde934 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
|
% resteasy(8)
% Jakob Odersky <jakob@odersky.com>
% February 2020
# NAME
resteasy \- plug and play backups with borg
# SYNOPSIS
**resteasy** `<command>` `[<args>]`
# DESCRIPTION
Resteasy is a set of commands and services around Borg Backup. It provides a
system for automating backups to external hard drives without user interaction.
The idea is that a user simply plugs in a prepared drive, and a backup is
automatically started.
Note that although resteasy supports backing up the same system to many prepared
drives, only one may be connected at a time. This is because resteasy is geared
towards simple command invocation and hence always mounts drives to a hardcoded
location. No data loss will occur if multiple drives are connected at the same
time (and any currently running backups will not be interrupted), however many
resteasy commands will not work until only one compatible drive is connected.
## Internals
Resteasy works with GPT-formatted (GUID Partition Table) drives. When a block
device with a partition type of 8e8e0bae-5627-4acd-8fd9-70873806d42e is
detected, it is mounted and a backup is created using borg.
Resteasy is implemented as a set of many individual commands (see [RESTEASY
COMMANDS](#RESTEASY-COMMANDS) section). Their implementation structure is
heavily inspired by Git.
See also the output of **systemctl cat resteasy.service** for a list of commands
the automatic backup service runs, and **/usr/libexec/resteasy/** for their
implementations.
## Security Considerations
Automatically mounting and executing a backup when a drive is connected has
security implications. An attacker could simply insert a resteasy drive to
exfiltrate all data. Note however that this vector is mitigated because:
1. Resteasy uses encrypted borg repositories.
2. Physical access is required for this attack.
3. Someone with physical access could do something much more nefarious, for
example steal the machine.
# OPTIONS
**--exec-path**
: Path to wherever your core resteasy programs are installed. This will print
the current setting and then exit.
# RESTEASY COMMANDS
Resteasy is divided into high level ("porcelain") commands and low level
("plumbing") commands.
# HIGH-LEVEL COMMANDS
**resteasy-inhibit**
: Pause the automatic backup service temporarily, until **resteasy-uninhibit** is
called or the system is rebooted. Note that this will also stop any backups that
are in progress.
**resteasy-init**
: Initialize a borg repository. The drive containing the repository should have
previously been mounted with **resteasy-mount**.
**resteasy-mount** `[ro]`
: Find and mount a connected resteasy drive. Resteasy drives are GPT partitions
identified by type UUID `8e8e0bae-5627-4acd-8fd9-70873806d42e`.
**resteasy-prepare-drive** `<drive>`
: Prepare a drive to be recognized by the resteasy system.
Once prepared, drives will trigger automatic mounts and backups. It is hence
recommended that the autobackup service be inhibited before running this
operation (otherwise a backup will be attempted on an uninitialized repo,
causing an error to be reported). **Note that this operation reformats the
drive.**
**resteasy-umount**
: Unmount a previously mounted resteasy drive.
**resteasy-uninhibit**
: Resume the automatic backup service. Note that this will NOT start new backup
runs; any connected resteasy drives must be disconnected and reconnected to
start a new backup.
# LOW-LEVEL COMMANDS
**resteasy-find-uuid**
: Find the GPT partition UUID of a connected resteasy drive. Note that exactly
one resteasy drive mamusty be connected to the system. This command will fail if
it detects more than one.
**resteasy-run-backup**
: Trigger a backup. Note that this is typically not run by the user but by the
init system when a resteasy drive is connected. It requires that a drive be
mounted with **resteasy-mount** beforehand.
# FILES
/etc/resteasy
: Contains the passphrase used by borg to encrypt backups. Trailing new lines
are stripped.
# EXAMPLES
## Prepare a New Drive
```
# temporarily stop the automatic backup service
resteasy inhibit
# <connect drive>, assumed /dev/sdc in this example
# set the passphrase for encrypting resteasy backups
echo "1234" > /etc/resteasy
# wipe and prepare the new drive to be recognized by resteasy
resteasy prepare-drive /dev/sdc
# initialize new borg repo
resteasy mount
resteasy init
resteasy umount
# re-enable automatic backup service
resteasy uninhibit
```
## Create a Backup
Simply plug in the drive!
You can watch backup logs by running:
```
journalctl -u resteasy.service -f
```
Unplug drive when done.
## Create a Backup Manually
```
resteasy mount
resteasy run-backup
resteasy umount
```
## Restore Data
```
resteasy inhibit
# <connect resteasy drive>
resteasy mount ro
# perform restore operations
# e.g. borg mount /run/resteasy/mounts/... /mnt
# borg extract...
# ...
resteasy umount
resteasy uninhibit
```
# SEE ALSO
Borg Backup https://borgbackup.readthedocs.io/en/stable/
|
