Guide: Remote backup of MiaB using an Rsync host

This guide configures MiaB as a source server for synchronization of the encrypted backup files using rsync from a remote host that will not have permissions to access anything else on MiaB or delete any of the backup files.

On the MiaB ‘Backup Status’ page in the dashboard, the ‘Backup to:’ setting is selected to box.example.net.

The tool used in MiaB is rrsync, “a script to setup restricted rsync users via ssh logins” that is included with rsync.

In Ubuntu 18.04, rrsync is not configured for use. The following commands will add rrsync to the available commands in the same way it is implemented in Ubuntu 22.04.

sudo mkdir -p /usr/share/rsync/scripts/
zcat /usr/share/doc/rsync/scripts/rrsync.gz | sudo tee /usr/share/rsync/scripts/rrsync >/dev/null
sudo chmod 755 /usr/share/rsync/scripts/rrsync
sudo ln -rs /usr/share/rsync/scripts/rrsync /usr/bin/rrsync

Create a user on MiaB that the remote host server will use to log into MiaB.

sudo adduser rsync-user

Open authorized_keys for editing:

sudo nano /home/rsync-user/.ssh/authorized_keys

Using a unique user to perform the synchronization allows use of any available SSH keypair from the remote host to be used for authentication of rsync-user on MiaB. Add the key with the following options:

command="/usr/bin/rrsync -ro /home/user-data/backup/encrypted/",restrict [ssh-rsa,ssh-ed25519,ecdsa-sha2-nistp521,etc] AAAAB0C...

From man ssh:

comand="command"

Specifies that the command is executed whenever this key is used for authentication. The command supplied by the user (if any) is ignored. The command is run on a pty if the client requests a pty; otherwise it is run without a tty. If an 8-bit clean channel is required, one must not request a pty or should specify no-pty. A quote may be included in the command by quoting it with a backslash.

restrict

Enable all restrictions, i.e. disable port, agent and X11 forwarding, as well as disabling PTY allocation and execution of ~/.ssh/rc. If any future restriction capabilities are added to authorized_keys files they will be included in this set.

The -ro option means that rrsync will allow only reading from the directory.

What this means is that the remote host server can only run the configured rrsync command, rrsync will only allow rsync to read, and only the configured directory can be accessed.

This tutorial doesn’t go very far to instruct on how to configure rsync on the remote host machine as systems and configurations can vary greatly. Adding this to cron job (e.g., crontab -e with the remote host user that performs the rsync) in Debian-based Linux distributions (check crontab(5) if you are on something else) would keep a local version of the files currently on MiaB:

30 3 * * * rsync -a --delete rsync-user@box.example.net:/ /backup/directory/

Note that rrsync will treat /home/user-data/backup/encrypted/ as the root directory for the remote host server, so the command only includes / as the source location.

The -a option is archive mode which uses a suitable and common selection of options for this purpose (-rlptgoD). The --delete option deletes files from the remote host server directory that are not on MiaB.

Feedback, corrections and questions are much appreciated.

2 Likes

Nice writeup :+1:t2:
To make it more dummy proof I suggest:

  • Indicating where you get the key you add to authorized_keys (I presume the AAAAB0C… is the place where you insert the key)
  • Note explicitly that crontab is a file under /etc on the host computer, not the MiaB box (had to read it twice :wink: )
1 Like

I did a few edits and added the command for crontab, as that is the best way to edit that file.