{"id":18844,"date":"2020-01-08T16:26:42","date_gmt":"2020-01-08T21:26:42","guid":{"rendered":"https:\/\/nuxx.net\/blog\/?p=18844"},"modified":"2023-01-26T08:57:26","modified_gmt":"2023-01-26T13:57:26","slug":"borgbackup-repository-on-synology-dsm-6-2-2","status":"publish","type":"post","link":"https:\/\/nuxx.net\/blog\/2020\/01\/08\/borgbackup-repository-on-synology-dsm-6-2-2\/","title":{"rendered":"BorgBackup Repository on Synology DSM 6.2.2"},"content":{"rendered":"\n<p><a href=\"https:\/\/nuxx.net\/blog\/wp-content\/uploads\/2020\/01\/borgbackup_on_synology_dsm_6.2.2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-18850 size-large aligncenter\" src=\"https:\/\/nuxx.net\/blog\/wp-content\/uploads\/2020\/01\/borgbackup_on_synology_dsm_6.2.2-1024x662.png\" alt=\"\" width=\"1024\" height=\"662\" srcset=\"https:\/\/nuxx.net\/blog\/wp-content\/uploads\/2020\/01\/borgbackup_on_synology_dsm_6.2.2-1024x662.png 1024w, https:\/\/nuxx.net\/blog\/wp-content\/uploads\/2020\/01\/borgbackup_on_synology_dsm_6.2.2-300x194.png 300w, https:\/\/nuxx.net\/blog\/wp-content\/uploads\/2020\/01\/borgbackup_on_synology_dsm_6.2.2-768x496.png 768w, https:\/\/nuxx.net\/blog\/wp-content\/uploads\/2020\/01\/borgbackup_on_synology_dsm_6.2.2.png 1442w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/p>\n<p>(<strong>UPDATE: With the release of Synology DSM 7.0 this setup will break. 
It&#8217;s easy to fix and I&#8217;ve added <a href=\"\/blog\/2022\/11\/28\/borgbackup-repository-on-dsm-7-0\/\">this post<\/a> describing how to make this system work under the new version.<\/strong>)<\/p>\n<p>Lately I&#8217;ve become enamored with <a href=\"https:\/\/borgbackup.readthedocs.io\/\">BorgBackup (Borg)<\/a> for backups of remote *NIX servers, so after acquiring a <a href=\"https:\/\/www.synology.com\/en-us\/products\/DS1019+\">Synology DS1019+<\/a> for home I wanted to make it the destination repository for <a href=\"https:\/\/nuxx.net\/blog\/2019\/11\/10\/using-borg-for-backing-up-nuxx-net\/\">Borg-based backups of nuxx.net<\/a>. While setting up Borg is usually <a href=\"https:\/\/borgbackup.readthedocs.io\/en\/stable\/installation.html\">quite straightforward<\/a> (a package or stand-alone binary), it&#8217;s not so cut and dry on the <a href=\"https:\/\/www.synology.com\/en-us\/dsm\">Synology DiskStation Manager (DSM)<\/a>, the OS which runs on the DS1019+ and most other Synology NAS units.<\/p>\n<p>What follows here are the steps I used and the reason for each step. In the end it was fairly simple, but a few of the steps are obtuse and only relevant to DSM.<\/p>\n<p>These steps were written for <a href=\"https:\/\/www.synology.com\/en-us\/releaseNote\/FS3017#ver_24922\">DSM 6.2.2<\/a>; I have not checked to see if they apply to other versions. 
Also, I leave out all details of setting up public key authentication for SSH as this is thoroughly documented elsewhere.<\/p>\n<ol>\n<li><strong>Enable &#8220;User Home Service&#8221; via <em>Control Panel<\/em> \u2192 <em>User<\/em> \u2192 <em>Advanced<\/em> \u2192 <em>User Home<\/em> \u2192 <em>Enable user home service<\/em>:<\/strong> This creates a home directory for each user on the machine and thus a place to store <code>.ssh\/authorized_keys<\/code> for the backup user account.<\/li>\n<li><strong>Create a backup user account and make it part of the <em>administrators<\/em> group:<\/strong> Accounts must be part of&nbsp;<em>administrators<\/em> in order to log in via SSH. Starting with DSM 6.2.2 non-admin users do not have SSH access.<\/li>\n<li><strong>Change the permissions on the backup user&#8217;s home directory to 755:<\/strong> By default users&#8217; home directories have an ACL applied which has too broad of permissions and SSH will refuse to use the key, instead prompting for a password. Home directories are located under <code>\/var\/services\/homes<\/code> and this can be set via <code>chmod 755 \/var\/services\/homes\/backupuser<\/code>. 
(See <a href=\"https:\/\/forum.synology.com\/enu\/viewtopic.php?f=90&amp;t=116726&amp;p=441504#p427355\">this thread<\/a> for details.)<\/li>\n<li><strong>Put <code>~\/.ssh\/authorized_keys<\/code>, containing the remote user&#8217;s public key, in place under the backup user&#8217;s home directory and ensure that the file is set to 700:<\/strong> If permissions are too open, sshd will refuse to use the key.<\/li>\n<li><strong>Test that you can log in remotely with ssh and public key authentication.<\/strong><\/li>\n<li><strong>Place the borg-linux64 binary (named <code>borg<\/code>) in the user&#8217;s home directory and confirm that it&#8217;s executable:<\/strong> Binaries are available <a href=\"https:\/\/github.com\/borgbackup\/borg\/releases\">here<\/a>.<\/li>\n<li><strong>Create a directory on the NAS to be used as the backup destination and give the backup user read and write permissions.<\/strong><\/li>\n<li><strong>Modify the backup user&#8217;s <code>~\/.ssh\/authorized_keys<\/code> to prevent remote interactive logins and restrict how borg is run:<\/strong> This is optional, but a good idea.<br><br>In this example only the <a href=\"https:\/\/borgbackup.readthedocs.io\/en\/stable\/usage\/serve.html\"><code>borg serve<\/code><\/a> command (the borg repository server) can be run remotely, is restricted to 120GB of disk, in a repository on DSM under the backup directory of <code>\/volume2\/Backups\/borg<\/code>, and from remote IP of 192.168.0.23:<br><br><code>command=\"\/var\/services\/homes\/backupuser\/borg serve --storage-quota 120G --restrict-to-repository \/volume2\/Backups\/borg\",restrict,from=\"192.168.0.23\" ssh-rsa AAAA[...restofkeygoeshere...] 
remoteuser@remoteserver.example.com<\/code><\/li>\n<\/ol>\n<p>Please note, there are a number of articles about enabling public key authentication for SSH on DSM which mention uncommenting and setting <code>PubkeyAuthentication yes<\/code> and <code>AuthorizedKeysFile .ssh\/authorized_keys<\/code> in <code>\/etc\/ssh\/sshd_config<\/code> and restarting sshd. I did <span style=\"text-decoration: underline;\">not<\/span> need to do this. The settings, as commented out, are the defaults and thus already set that way (see <code><a href=\"https:\/\/man.openbsd.org\/sshd_config\">sshd_config(5)<\/a><\/code> for details).<\/p>\n<p>At this point DSM should allow a remote user, authenticating with a public key and restricted to a particular source IP address, to use the Synology NAS as a <a href=\"https:\/\/borgbackup.readthedocs.io\/\">BorgBackup<\/a> repository. For more information about automating backups check out <a href=\"https:\/\/nuxx.net\/blog\/2019\/11\/10\/using-borg-for-backing-up-nuxx-net\/\">this article about how I use borg for backing up nuxx.net<\/a>, including a wrapper script that can be run automatically via <a href=\"https:\/\/en.wikipedia.org\/wiki\/Cron\">cron<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>(UPDATE: With the release of Synology DSM 7.0 this setup will break. 
It&#8217;s easy to fix and I&#8217;ve added this post describing how to&#8230;<\/p>\n<div class=\"more-link-wrapper\"><a class=\"more-link\" href=\"https:\/\/nuxx.net\/blog\/2020\/01\/08\/borgbackup-repository-on-synology-dsm-6-2-2\/\">Continue reading<span class=\"screen-reader-text\">BorgBackup Repository on Synology DSM 6.2.2<\/span><\/a><\/div>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13],"tags":[],"class_list":["post-18844","post","type-post","status-publish","format-standard","hentry","category-computers","entry"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/18844","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/comments?post=18844"}],"version-history":[{"count":19,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/18844\/revisions"}],"predecessor-version":[{"id":19616,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/18844\/revisions\/19616"}],"wp:attachment":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/media?parent=18844"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/categories?post=18844"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/tags?post=18844"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}