As a geek, I always imagine worst-case scenarios. I was worried about my data I had at home. My laptop is backuped on my server, which hosts some other websites (this wiki), and family stuff (photos, mainly).
At first, I had an external hard drive that I would connect once every blue moon (I tried at least every two months), and I would then launch a bash script that would backup the server drives into the external HDD. That was great, but I needed two things:
The first point was easy, but if I left the HDD plugged in, if someone broke into my server, they just had to
rm -rf /
to delete the backup; no good..
For the second point, sure, the server is screwed in the rack, but maybe that makes-it more valuable ? And what about floods, the house catching fire or EMPs (wink ;) ) ?
The first thought would be to assemble a simple computer, put an HDD inside it, an ask a friend to host it for me. But that's a bit dumb: for a backup box, you don't need very much “responsiveness” nor computing power: I don't want to waste energy for nothing.
So then I thought about using a Raspberry Pi: they're cheap, low power and noise-free. The final idea was to use an old 1U-rack case I had lying around: it'll be nicer, sturdier and “geekier” ;)
Surprisingly, and against Murphy's law, the hard drive fit perfectly between the two holders. I just had to bend to shape 2 aluminium plates in order to secure the HDD in place. After that, I put on some shock absorbers to prevent vibration between the HDD and the case:
As you know, the Pi is powered from a 5V supply, so that means that the box would need two PSU's from 230VAC to 12V and 5V. That's a bit dumb, so I took a simple switching supply (LM2596 based) that will step down the voltage from 12V to 5V. Also, I soldered the wires directly to the “expansion port”: that'll be more vibration proof than a USB micro connector.
I also added a red LED to make it nicer ;)
Holding the RPi to the case was challenging, but I realized that the case that Farnell gave with it's RPi's was quite good. So I glued-it to the case, and the Pi then fit really good ;)
I didn't want to add a jack connection to the box in order to connect a wall power supply: I thought that having an IEC C13-type connector would be way cooler. So I took apart the 12V wall switching power supply and hooked-it to the connector:
HomeLAN - Server/Router - INTERNET - ForgeinRouter - BackupBox
BackupBox should initiate a VPN connexion to the server, which is publicly available.
Every night, the BB connects to the server ssh/rsync and retrieves the files to backup. The are night backups, two-nights old backups and week-old backups.
The server should NOT know the passphrase of the BB. Clients (aka me) sshing to the BB should use dual auth (keypair and passphase).
At each reboot, the BB sends data to the server concerning it's current network config. In case of a robbery, we still have a hope of retrieving the thing. The BB also asks for the disk-decryption key.
So we finally have:
VPN→SSH→RSYNC → HDD (ecryptfs or equivalent)
Compression is SLOW. Do not use-it !
With SCP (over plain ethernet, without VPN), I'm able to reach ~1.5MB/s from disk to disk on small files, which is “reasonable”. If you enable compression, you drop to 1.0MB/s (and more latency).
If you make a big file (p. eg. a TAR archive), I can achieve speeds of 3.7MB/s.
Postfix as a relay/null client smartd client for HDD w/ mail sending munin for logs
#!/bin/bash cd /root/scripts ./send_ip_mail.sh ./notify_ask_pwd.sh openvpn /etc/openvpn/tunnel_to_home.conf
#!/bin/bash sleep 40 #wait for IP echo -e "I need my ecryptfs password !" | mail -s "/!\\[Backup box]: Ecrpytfs pwd" MY@EMAIL.TLD
#!/bin/bash echo -n "Entrez MDP ecryptfs: " read ecryptfs_pwd echo $ecryptfs_pwd > /dev/shm/ecryptfs_pwd /mnt/DDp2/mount-ecryptfs.sh
#!/bin/bash PASS_FILE=/dev/shm/ecryptfs_pwd EDIR=/mnt/DDp2/.crypted DIR=/mnt/DDp2/crypted PASS=$(cat $PASS_FILE) cd /mnt/DDp2 #modprobe ecryptfs mount -t ecryptfs \ -o key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no,passwd=$(echo $PASS) \ .crypted crypted rm $PASS_FILE
#!/bin/bash set -x ## SSH FORWARDING STUFF: make a tunnel into the main server and to the rsync port ssh -N -T -L 8733:localhost:873 villaro-dixon-BCK & #NB: rsync only allows **/** copies from localhost and authentified SSHID=$! sleep 10 trap kill $SSHID cd /mnt/DDp2/crypted/villaro-dixon.eu/ RS_PWD=/mnt/DDp2/crypted/rsync/password-backup-box RS_EXCLUDE=/mnt/DDp2/crypted/villaro-dixon.exclude DAY0=`date -I` DAY1=`date -I -d "1 day ago"` BCK_RO="/mnt/DDp2/crypted/villaro-dixon.eu/" TRG="$BCK_RO$DAY0" LNK="$BCK_RO$DAY1" OPT="-avpt --delete --port 8733 --password-file $RS_PWD --exclude-from=$RS_EXCLUDE --link-dest=$LNK" rsync $OPT backupbox@localhost::backup_box/ $TRG #Now, delete old backups, to be sure... DAY30=`date -I -d "30 days ago"` DAY31=`date -I -d "31 days ago"` DAY32=`date -I -d "32 days ago"` if [ -d /backup/website/$DAY30 ]; then rm /backup/website/$DAY30 fi if [ -d /backup/website/$DAY31 ]; then rm /backup/website/$DAY31 fi if [ -d /backup/website/$DAY32 ]; then rm /backup/website/$DAY32 fi kill $SSHID exit