#+PROPERTY: Effort_ALL 0 0:30 1:00 2:00 0.5d 1d 1.5d 2d 3d 4d 5d
#+PROPERTY: Max_effort_ALL 0 0:30 1:00 2:00 0.5d 1d 1.5d 2d 3d 4d 5d
#+PROPERTY: header-args:python :var filename=(buffer-file-name)
#+PROPERTY: header-args:sh :var filename=(buffer-file-name)
#+TODO: TODO WIP BLOCKED | DONE CANCELED
#+LATEX_HEADER: \usepackage[margin=0.5in]{geometry}
#+LaTeX_HEADER: \hypersetup{linktoc = all, colorlinks = true, urlcolor = DodgerBlue4, citecolor = PaleGreen1, linkcolor = blue}
#+LaTeX_CLASS: article
#+OPTIONS: H:8 ^:nil prop:("Effort" "Max_effort") tags:not-in-toc
#+COLUMNS: %50ITEM %Effort(Min Effort) %Max_effort(Max Effort)

#+TITLE: rsync-backup-target

#+LATEX: \pagebreak

Usage of this service

#+LATEX: \pagebreak

#+LATEX: \pagebreak


* Configuration example


#+begin_src yaml
rsync-backup-target:
  # docker-compose:
  #   ports:
  #     - "10023:22"
  options:
    admin:   ## These keys are for the allowed rsync-backup to write stuff with rsync
      myadmin:
      - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDESdz8bWtVcDQJ68IE/KpuZM9tAq\
        ZDXGbvEVnTg16/yWqBGQg0QZdDjISsPn7D3Zr64g2qgD9n7EZghfGP9TkitvfrBYx8p\
        7JkkUyt8nxklwOlKZFD5b3PF2bHloSsmjnP8ZMp5Ar7E+tn1guGrCrTcFIebpVGR3qF\
        hRN9AlWNR+ekWo88ZlLJIrqD26jbWRJZm4nPCgqwhJwfHE3aVwfWGOqjSp4ij+jr2ac\
        Arg7eD4clBPYIqKlqbfNRD5MFAH9sbB6jkebQCAUwNRwV7pKwCEt79HnCMoMjnZh6Ww\
        6TlHIFw936C2ZiTBuofMx7yoAeqpifyzz/T5wsFLYWwSnX rsync@zen"
#+end_src

* ssh API
** Adding new keys for backup

This can be done through the admin accounts configured in =compose.yml=.

You can use then =ssh myadmin@$RSYNC_BACKUP_TARGET ssh-key=:

#+begin_example
$ ssh myadmin@$RSYNC_BACKUP_TARGET ssh-key ls
$ ssh myadmin@$RSYNC_BACKUP_TARGET ssh-key add "ssh-rsa AAA...Jdhwhv rsync@sourcelabel"
$ ssh myadmin@$RSYNC_BACKUP_TARGET ssh-key ls
..Jdhwhv sourcelabel
$ ssh myadmin@$RSYNC_BACKUP_TARGET ssh-key rm sourcelabel
$ ssh myadmin@$RSYNC_BACKUP_TARGET ssh-key ls
$
#+end_example

** Requesting a recover only key

*** as an admin

As an admin, by requesting a recover-only key on an ident that you
own, you are allowed to read (and only read) the content of the given
ident. This will allow you to give the credentials to any new host to
have a direct read access so-as to deploy the backup on a new host.

#+begin_example
$ ssh myadmin@$RSYNC_BACKUP_TARGET ssh-key request-recovery-key myident > /tmp/private_key
$ chmod 500 /tmp/private_key
$ rsync -e "ssh -p 22 -i /tmp/private_key -l rsync" \
      -azvArH --delete --delete-excluded \
      --partial --partial-dir .rsync-partial \
      --numeric-ids $RSYNC_BACKUP_TARGET:/var/mirror/myident/etc/ /tmp/etc
#+end_example

This key will expire after 15 mn of the last recovery.

*** as a standard backup account

With a standard backup account, you can log on as =rsync= user and
request without any arguments a recovery key. Indeed, every standard
backup account is tied to one backup identifier only. So the recover
key received will be for this backup identifier only.

You'll probably want to use the received key from another computer to
restore the backup for instance.

#+begin_example
$ ssh rsync@$RSYNC_BACKUP_TARGET request-recovery-key > /tmp/private_key
$ chmod 500 /tmp/private_key
$ rsync -e "ssh -p 22 -i /tmp/private_key -l rsync" \
      -azvArH --delete --delete-excluded \
      --partial --partial-dir .rsync-partial \
      --numeric-ids $RSYNC_BACKUP_TARGET:/var/mirror/myident/etc/ /tmp/etc
#+end_example


* Troubleshooting

** Faking access from client

This should work:

#+begin_src sh
RSYNC_BACKUP_TARGET_IP=172.18.0.2
rsync -azvA -e "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" \
  /tmp/toto "$RSYNC_BACKUP_TARGET":/var/mirror/client1
#+end_src

** Direct ssh access should be refused

#+begin_src sh
RSYNC_BACKUP_TARGET_IP=172.18.0.2
ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no \
  "$RSYNC_BACKUP_TARGET"
#+end_src

** Wrong directory should be refused

#+begin_src sh
RSYNC_BACKUP_TARGET_IP=172.18.0.2
rsync -azvA -e "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" \
  /tmp/toto "$RSYNC_BACKUP_TARGET":/var/mirror/client2
#+end_src