goals:

  • postgres setup
  • add storage
  • TLS client setup

add official debian repo

## edit /etc/apt/sources.list.d/bareos.list
deb http://download.bareos.org/bareos/release/20/Debian_10 /

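## download the release key and display its fingerprint (gpg required)
## compare the fingerprint with the one published by Bareos before importing the key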
> wget -qO /tmp/bareos20_release.key \
	'https://download.bareos.org/bareos/release/20/Debian_10/Release.key' \
	&& gpg --keyid-format LONG --show-keys < /tmp/bareos20_release.key

## import release key (note: apt-key is deprecated on newer Debian releases)
> apt-key add /tmp/bareos20_release.key

## refresh package list
> apt update

## install required software
> apt install bareos bareos-database-postgresql

please abort the dbconfig-common dialog when it appears - the database is set up manually below

configure postgresql

## install postgres (the Debian package is named "postgresql")
> apt install postgresql

## edit /etc/postgresql/11/main/postgresql.conf
password_encryption = scram-sha-256

## enable & start postgres service
> systemctl enable postgresql \
  && systemctl restart postgresql

## run postgres backend scripts
> su postgres -c /usr/lib/bareos/scripts/create_bareos_database
> su postgres -c /usr/lib/bareos/scripts/make_bareos_tables
> su postgres -c /usr/lib/bareos/scripts/grant_bareos_privileges

check services and configurations

## ensure bareos services are ready
> systemctl restart bareos-dir \
  && systemctl restart bareos-sd \
  && systemctl restart bareos-fd

## test config files
> su bareos -s /bin/sh -c "/usr/sbin/bareos-dir -t"
> su bareos -s /bin/sh -c "/usr/sbin/bareos-sd -t"
> bareos-fd -t
> bconsole -t

however, bareos sets the database encoding to C instead of UTF-8
a manual postgres setup fails with:
"Database encoding bad. Do not use this database"

using bareos

## get into bareos shell
> bconsole
## reload console
*reload
## show filesets
*show filesets
## show dir status
*status dir
## show client status
*status client
## show storage
*status storage
## run a backup job
* run
## show messages (show only one time per job)
*message
## show job per ID and wait to be finished
*wait jobid=1
## restore all > all files are marked to restore
*restore all
## restore > manually mark/unmark files to restore
*restore
## if a restore fails you can try
*rerun jobid=1

run test backup and restore

## run backup and select client (choose "1" and "yes")
*run
## check messages
*messages
## restore all files (select "5")
*restore all
## now you get a command line prompt (type "help" for available commands)
cwd is: /
$
## after playing around choose "done" to start backup
## now you can hit "yes", or "mod" to specify the restore path etc.

default restore path is /tmp/bareos-restores
a restore on a remote host is also placed in /tmp/bareos-restores on that host
(use "mod" to choose a different restore path, e.g. for sensitive data)

configure remote client

## on server add client ("secret" is a placeholder - use a strong, unique password)
*configure add client name=debian-client address=10.0.0.100 password=secret
## Created resource config file "/etc/bareos/bareos-dir.d/client/debian-client.conf"

## on client install required software
## see: "https://download.bareos.org/bareos/release/20/"
> apt install bareos-filedaemon

## copy the content of the following server file:
## "/etc/bareos/bareos-dir-export/client/debian-client/bareos-fd.d/director/bareos-dir.conf"
## to: "/etc/bareos/bareos-fd.d/director/bareos-dir.conf" on client side

## after copy config from server to client - restart client service
> systemctl restart bareos-filedaemon

## on server check client status
*status client=debian-client
## Connecting to Client debian at 10.0.0.100:9102
## we've got: "Handshake: Cleartext, Encryption: None"
## i.e. the connection to the client is not encrypted - this must be configured better later

## add a job resource
*configure add job name=debian-client-job client=debian-client jobdefs=DefaultJob
## Created resource config file "/etc/bareos/bareos-dir.d/job/debian-client-job.conf":

## dry run
*estimate listing job=debian-client-job

## run backup job (yes/mod/no) > runs in BG
*run job=debian-client-job

## FG job and wait until ready
*wait jobid=4

## verify and check job
*list joblog jobid=4
*list files jobid=4
*list volumes

add storage

## create backup directory
> mkdir /mnt/backup \
  && chown bareos:bareos /mnt/backup \
  && chmod 750 /mnt/backup

## create new device
## edit /etc/bareos/bareos-sd.d/device/FileStorageDir.conf
Device {
Name = FileStorageDir
Device Type = File
Media Type = FileDir # unique name
Archive Device = /mnt/backup # backup path
LabelMedia = yes;
Random Access = yes;
AutomaticMount = yes;
RemovableMedia = no;
AlwaysOpen = yes;
Description = "Backup to /mnt/backup"
}
## for nfs append
...
Requires Mount = yes
Mount Point = /mnt/nfs
Mount Command = "/bin/mount %m"
Unmount Command = "/bin/umount %m"
...
## set file owner
> chown bareos:bareos /etc/bareos/bareos-sd.d/device/FileStorageDir.conf

## create new storage
## edit /etc/bareos/bareos-dir.d/storage/FileDir.conf
Storage {
Name = FileDir
Address = bareos.example.com # use FQDN or IP and check messages
Password = "secure" # placeholder; must be the same as in "/etc/bareos/bareos-sd.d/director/bareos-dir.conf"
Device = FileStorageDir # same as defined in /etc/bareos/bareos-sd.d/device/FileStorageDir.conf
Media Type = FileDir # same as defined in /etc/bareos/bareos-sd.d/device/FileStorageDir.conf
Maximum Concurrent Jobs = 2
}
## set file owner
> chown bareos:bareos /etc/bareos/bareos-dir.d/storage/FileDir.conf

## reload bconsole
*reload
## check storage
*status storage
## run backup > mod > select storage "2"
*run job=debian-client-job
## check messages
*messages

setup a scheduler

## create new scheduler
## edit /etc/bareos/bareos-dir.d/schedule/Nightly.conf
Schedule {
  Name = "Nightly"
  Run = daily at 23:30
}
## set file permissions
> chown bareos:bareos /etc/bareos/bareos-dir.d/schedule/Nightly.conf

define filesets (what has to be backed up)

## create new fileset /etc/bareos/bareos-dir.d/fileset/LinuxFullClient.conf
FileSet {
  Name = "LinuxFullClient"
  Description = "Backup whole system"
  Include {
    Options {
      Signature = SHA1 # per-file checksum; SHA256 and SHA512 are also supported
      Compression = LZ4 # compression
      noatime = yes # minimize writes on client
    }
    File = / # backup whole FHS
  }
  Exclude {
    File = /var/lib/bareos # exclude bareos itself
    File = /var/lib/bareos/storage # like above
    File = /proc # exclude virtual directory of the current Sysconfig
    File = /tmp # exclude temp
    File = /media # exclude removable media
    File = /mnt # exclude mounts
    File = /run # exclude run time variable data
    File = /sys # exclude virtual directory of system settings
    File = /dev # exclude device files
  }
}
## set file owner (path must match the fileset file created above)
> chown bareos:bareos /etc/bareos/bareos-dir.d/fileset/LinuxFullClient.conf

combine filesets and scheduler to a job

## create new jobdef /etc/bareos/bareos-dir.d/jobdefs/LinuxFullClientJob.conf
JobDefs {
  Name = "LinuxFullClientJob"
  Type = Backup # allowed are backup|restore|verify
  Level = Incremental # allowed are Full|Differential|Incremental
  Client = bareos-fd   # overwritten by client-job.conf
  FileSet = "LinuxFullClient"
  Schedule = "Nightly"
  Storage = FileDir
  Messages = Standard
  Pool = Incremental
  Priority = 10
  Write Bootstrap = "/var/lib/bareos/%c.bsr"
  Full Backup Pool = Full
  Differential Backup Pool = Differential
  Incremental Backup Pool = Incremental
}
## set permissions
> chown bareos:bareos /etc/bareos/bareos-dir.d/jobdefs/LinuxFullClientJob.conf

configure job per client-job.conf

## edit /etc/bareos/bareos-dir.d/job/debian-client-job.conf
Job {
  Name = debian-client-job
  Client = debian-client
  JobDefs = LinuxFullClientJob
}
## in a bconsole this looks like
*configure add job name=debian-client-job client=debian-client jobdefs=LinuxFullClientJob

at this point you should reload the bconsole

tls setup - server side

## create key directory and change in directory
> mkdir /etc/bareos/keys
> cd /etc/bareos/keys

## generate the master key and keep its passphrase in a safe place
> openssl genrsa -aes256 -out master.key 4096

## generate the self-signed master certificate from the master key
> openssl req -new -key master.key -x509 -out master.cert -days 3650

## each client needs its own keypair, generated like this - keep the passphrase in a safe place
> openssl genrsa -aes256 -out fd-hostname.key 4096
> openssl req -new -key fd-hostname.key -x509 -out fd-hostname.cert -days 3650

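## create a PEM file for filedaemon encryption
## note: fd-hostname-clear.key and fd-hostname.pem hold the client's private key without
## passphrase protection - do not leave them world-readable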
> openssl rsa -in fd-hostname.key -out fd-hostname-clear.key
> cat fd-hostname-clear.key fd-hostname.cert > fd-hostname.pem

## create key directory on client
> mkdir /etc/bareos/keys

## copy "fd-hostname.pem" and "master.cert" from server to client "/etc/bareos/keys"
## e.g. with scp or another encrypted, authenticated transfer

## after copying the files from server to client, remove the files no longer needed on the server
> rm fd-hostname-clear.key fd-hostname.pem

## now set right permissions
> chown root:bareos master.key master.cert fd-hostname.key fd-hostname.cert
> chmod 640 master.key master.cert fd-hostname.key fd-hostname.cert

## == as script:
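#!/bin/bash
#
# Generate the PKI keypair bundle for one Bareos file daemon (client).
#
# Prompts for the client's hostname, creates an AES-256 protected 4096-bit RSA
# key and a self-signed certificate valid for 3650 days, then concatenates the
# passphrase-less private key and the certificate into <hostname>-fd.pem.
# The bundle ends up in ./<hostname>/ with mode 640; the intermediate key and
# certificate files are removed. openssl asks for the key passphrase
# interactively.

set -euo pipefail

die() {
  printf '%s\n' "$*" >&2
  exit 1
}

echo "type in hostname:"
read -r client_host || die "no hostname given"

# The name becomes part of file and directory names, so refuse anything that
# could be parsed as an option or point outside the current directory.
readonly host_re='^[A-Za-z0-9]([A-Za-z0-9._-]*[A-Za-z0-9])?$'
if [[ ! "$client_host" =~ $host_re ]]; then
  die "invalid hostname: '${client_host}'"
fi

readonly key="${client_host}-fd.key"
readonly cert="${client_host}-fd.cert"
readonly clear_key="${client_host}-fd-clear.key"
readonly pem="${client_host}-fd.pem"

# Remove intermediate key material on every exit path, so a failed run does
# not leave the passphrase-less key behind.
cleanup() {
  rm -f -- "$clear_key" "$cert" "$key"
}
trap cleanup EXIT

# Create all key files owner-only; the caller's umask is restored before the
# output directory is made.
previous_umask=$(umask)
umask 077

openssl genrsa -aes256 -out "$key" 4096

# NOTE(review): the subject (including CN) is identical for every client -
# confirm this is intended.
openssl req -new -key "$key" \
  -x509 -out "$cert" \
  -subj "/C=DE/ST=Sachsen-Anhalt/L=Magdeburg/O=x33u.org/OU=IT/CN=x33u.org" \
  -days 3650

# Strip the passphrase: the file daemon needs a key it can read unattended.
openssl rsa -in "$key" -out "$clear_key"

cat -- "$clear_key" "$cert" > "$pem"

cleanup

umask "$previous_umask"
mkdir -p -- "$client_host"

chmod 640 -- "$pem"

mv -- "$pem" "${client_host}/."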

tls setup - client side

## setup right permissions on client side
> cd /etc/bareos/keys
> chown root:bareos master.cert fd-hostname.pem
> chmod 640 master.cert fd-hostname.pem

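## edit /etc/bareos/bareos-fd.d/client/myself.conf
## the PKI directives below sign and encrypt the backup data on the client;
## they do not enable TLS for the network connection
## the key paths must match the files copied to /etc/bareos/keys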
Client {
  Name = debian-client-fd
  Maximum Concurrent Jobs = 20
  PKI Signatures = Yes # Enable Data Signing
  PKI Encryption = Yes # Enable Data Encryption
  PKI Keypair = "/etc/bareos/keys/hostname-fd.pem" # Public and Private Keys
  PKI Master Key = "/etc/bareos/keys/master.pub.key" # ONLY the Public Key
  PKI Cipher = aes256 # Specify desired PKI Cipher here
}

## restart service
> systemctl restart bareos-filedaemon

if this causes trouble, run "bareos-fd -f -d 100" to debug -
in the default debian packages encryption is not compiled in