{"id":19174617,"url":"https://github.com/equalitie/eqbackup","last_synced_at":"2025-10-18T13:45:33.778Z","repository":{"id":32644351,"uuid":"36230869","full_name":"equalitie/eqbackup","owner":"equalitie","description":"Automated deployment of encrypted offsite backup using Duplicity and Backupninja","archived":false,"fork":false,"pushed_at":"2022-03-22T00:11:25.000Z","size":70,"stargazers_count":8,"open_issues_count":3,"forks_count":4,"subscribers_count":15,"default_branch":"master","last_synced_at":"2025-01-04T01:36:45.518Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Jinja","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/equalitie.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-05-25T12:46:53.000Z","updated_at":"2023-01-10T03:16:05.000Z","dependencies_parsed_at":"2022-09-09T20:12:06.021Z","dependency_job_id":null,"html_url":"https://github.com/equalitie/eqbackup","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/equalitie%2Feqbackup","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/equalitie%2Feqbackup/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/equalitie%2Feqbackup/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/equalitie%2Feqbackup/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/equalitie","download_url":"https://codeload.github.com/equalitie/eqbackup/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":240254182,"owners_count":19772386,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-09T10:18:31.976Z","updated_at":"2025-10-18T13:45:28.743Z","avatar_url":"https://github.com/equalitie.png","language":"Jinja","funding_links":[],"categories":[],"sub_categories":[],"readme":"eqbackup\n========\n\neqbackup is a set of Ansible recipes developed for the setup of a\ncomprehensive backup system on Debian systems, with a secondary backup\nof the backups. Backups are encrypted and all remote file access is\nrestricted by SSHd's chroot functionality and the use of per-host SSH\nkeys.\n\neqbackup will:\n* Install and configure backupninja and duplicity on all hosts except\n  for the secondary backup, which is not backed up.\n* Install SSH and GPG keys as appropriate around the system.\n* Configure SSHd on both backup primary and secondary to restrict\n  access by backup clients and to force SSH key logins for all\n  users - not just backup users. Be warned!\n* Open the firewall on the backup primary server to allow SSH from clients, and\n  open the firewall on the backup secondary server to allow SSH from the primary.\n  We do not enable the firewall. This is added just in case there is\n  a firewall blocking SSH.\n  Note: This expects that some other firewall was set to allow SSH\n  from our controller, i.e. eQ cityhall.\n\nConfiguring eqbackup\n-------\n\nAlmost all configuration of eqbackup is done in the inventory (example: `hosts.yml`). 
All\n`gpg_keyid` variables should be specified as full fingerprints with no\nspaces and not as 8-digit key IDs.\n\n`backup_primary`: This group should consist of a single host, the\nserver that will be receiving the backups from groups in the\n`backup_clients` group. This server should have the `secondary_server`\nhostname specified, and the self-explanatory `gpg_keyid` and\n`gpg_passphrase` variables.\n\n`backup_secondary`: This group takes no configuration options and\nshould contain a single host.\n\n`backup_clients`: This group features the same GPG options as in\n`backup_primary`. The remote user used to back up the specific system\nshould be specified as `backup_user` (in order to avoid creating\ninvalid usernames featuring \".\" characters etc.). In addition to the\nbackup paths configured by default in `vars.yml`, per-host rules can\nbe set via `backup_exclude` and `backup_include` to customise the list\nof directories to be backed up.\n\nSome additional configuration can be changed in `vars.yml`, such as the\nusername used for secondary backups, the duplicity version and the\ndefault backup paths.\n\nThe easy way to start is to copy the `hosts.yml` file to `inventory`\nand edit the `inventory` file to fit your hosts. We default to using\nthe file `inventory` for your production setup. If you change this, pass\n`-i my_inventory` on your command line.\n\nWarning: You will need to manually set the system's timezone, since we do not\nwant to overwrite any existing time zone setting deployed by other methods.\n\nAlso, these roles expect Debian 9+ and Ansible 2.8+.\n\nGenerating SSH keys for a client host\n--------\n\nEach client host needs its own SSH key pair so as to access the primary backup\nhost. 
SSH key file names follow a strict naming rule, as represented by this\ncommand to generate such files:\n\n    ssh-keygen -f ssh_keys/THE_EXACT_HOSTNAME.id_rsa -t rsa -b 4096\n\nYou can generate keys manually, but the role will now do it automatically for\nyou if the key does not exist.\n\nThere is no need to add a passphrase to your key, since we do not support it here.\n\nGenerating GPG keys for a client host\n--------\n\nEach client host also needs its own PGP key pair, for encryption and decryption\nof its own backups.\n\nYou can generate keys manually if you know what you are doing and do not\nwant the default GPG keys generated, or run the interactive script:\n\n    contrib/gpg-genkey.sh\n\nManual method:\n\n    gpg --gen-key # Follow instructions as usual\n\nAdding a passphrase here is recommended and supported. The passphrase should\nnot contain any quotes.\n\n    gpg --export-secret-keys THE_KEY_ID \u003e gpg_keys/THE_EXACT_HOSTNAME.gpg\n\nSSH and PGP keys for backup from primary to secondary\n--------\n\nThe primary backup server acts as a client of the secondary. Its PGP and SSH\nkeys must be generated exactly like those of client hosts, but have to be prefixed with\n\"secondary\" (i.e. filenames will be `secondary.gpg`, `secondary.id_rsa` and\n`secondary.id_rsa.pub`).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fequalitie%2Feqbackup","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fequalitie%2Feqbackup","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fequalitie%2Feqbackup/lists"}