Today I finally got to upgrading our BorgBase.com Ceph cluster in the EU region from Mimic to Nautilus. The process is rather simple using Ceph-Ansible's rolling-update.yml playbook, but I still want to document some gotchas and collect links to resources that may be useful for others.
I'm a big fan of Rspamd for filtering your emails for spam. One thing I wanted to achieve is to reject viruses from logged-in users. This would mainly happen if a user machine is compromised. Rspamd makes this quite easy using the user settings module.
Using the snippet from that website, you can reject all emails with a score higher than e.g. 15. On the other hand, greylisting and adding a spam header are disabled for authenticated users.
settings {
  # Rule for mail submitted by authenticated (logged-in) users
  authenticated {
    priority = high;
    authenticated = yes;
    apply {
      # RBL and SPF checks are pointless for mail from our own users
      groups_disabled = ["rbl", "spf"];
      actions {
        reject = 15.0;        # reject outright above this score (e.g. a virus)
        greylist = null;      # no greylisting for authenticated users
        "add header" = null;  # never add the spam header (note the space)
      }
    }
  }
}
I also recommend looking at the Mailcow GitHub repo. They make it easy to run your own mail server and have very thoughtful config files for Rspamd, Postfix and others.
Update Feb 2020: You can now use a Yubikey directly via OpenSSH 8.2 in FIDO2/U2F mode.
SSH is critical in most people's devops process, be it remote server logins or Git commits. After reading about one too many stories about companies getting hacked that way, I decided to use Yubikeys to store my private SSH keys.
I have blogged about how great Borg is to back up servers and your MacBook while on the go. There just wasn't a good hosting service to stash your backup repos that took full advantage of all Borg features. Issues I saw with existing services, like Hetzner's Storagebox and rsync.net:
- Only one single user. If a machine gets compromised, the attacker can access all your backups.
- No support for append-only mode. An attacker could remove old backups.
- Quotas per-account, not per-repo. If a backup goes wrong on one machine, it will fill up your whole account and stop other backups.
When looking at other "backup" solutions, like S3, B2, Dropbox or Google Drive, you will find these issues:
- No compression or deduplication. You pay for the full size.
- A sync service is no real backup because broken or cryptolocked files will be synced as well and the good copies lost.
- Object storage services are great for many things, but there is no local file cache. So during each run the existing metadata is downloaded. This can be expensive when the provider charges you for API calls (S3).
- No easy way to encrypt. With GDPR you are responsible for your data. An unencrypted cloud backup is a huge risk for a company.
To solve these problems I built BorgBase.com, the first storage service dedicated to Borg repos. It solves the above problems and allows admins to easily separate backups into different repos. Other features are:
- Full encryption if you choose to use a key or password when setting up the repo. I will never see the files in your backup.
- Compression and deduplication. Borg supports a range of compression algorithms. You can choose any one.
- Economical. Only the compressed and deduplicated data counts against your total quota. So you get roughly 3x more mileage from each MB of storage.
- Simple admin interface. Quickly add repos and SSH keys. Manage quotas and view current usage.
- Monitoring. I want to be notified if backups stop working. Preferably before any data is lost. That's why you can set a monitoring interval and will get a notification if no backups are done during that time.
- Configuration wizard. I always liked GitHub's copy-and-paste commands to connect your local repo. So I added the same for Borg. The wizard lets you choose a repo and displays the relevant commands or a full Borgmatic file.
If you have experienced one or more of the above problems, I'd be happy to have you on board as a beta tester. Just leave your email on BorgBase.com and I'll send you a registration link early next week. The whole service (100GB storage and 5 repos) will be free during beta testing, which will last until mid-2019 or so.