Before pruning a repo, make sure the client machine backing up to it has not been compromised. Pruning only works with append-only switched off, and once the pruned transactions are gone, whatever a compromised client did to the repo can no longer be rolled back.
For now there is a cron job that checks free space and emails tech@ when 90% of it is used.
Why do we keep append-only mode enabled? We could drop it and just prune automatically, but keeping it saves us if an attack is visible enough for us to find out when it happened: we can then roll the borg repo back to the last good transaction by deleting the hints.N, index.N and integrity.N files newer than it (this is the rollback described in the append-only section of the borg docs). That only works as long as nobody has pruned since the attack, which is why the check above comes first.
Prune the repo

Both sides enforce append-only on their own: the --append-only flag on borg serve in authorized_keys and append-only = 1 in repo/config. Both have to be off for the prune to take effect, and both must be switched back on afterwards.

- On spica:
  - Remove --append-only from the borg serve command in the client's line in /home/borgy/.ssh/authorized_keys
  - Change append-only = 1 to append-only = 0 in repo/config
- On the client:
  - Comment out the prefix: entry in /etc/borgmatic/config.yaml
  - Run borgmatic prune
  - Wait till it's finished
  - Uncomment the prefix: entry in borgmatic's config
- On spica:
  - Add --append-only back to the borg serve part of the client's line in /home/borgy/.ssh/authorized_keys
  - Change append-only = 0 back to append-only = 1 in repo/config
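The spica side of the procedure above, as an added example script (not part of this runbook): it switches append-only off in both places, refuses to prune if either side still reports append-only, and switches both back on even when the prune fails. It assumes the client's authorized_keys line has the usual shape command="borg serve ... --append-only",restrict ssh-ed25519 ... and that repo/config contains an append-only = 1 line; the file paths, the client identifier and the PRUNE_CMD override are assumptions for illustration and can be dropped when the paths are hard-wired.

```shell
#!/bin/sh
# Added example, not the runbook's own script. Assumed (not on the page):
#   - the client's line in authorized_keys looks like
#     command="borg serve --restrict-to-path /home/borgy/repos/<client> --append-only",restrict ssh-ed25519 AAAA... <client>
#   - repo/config contains a line "append-only = 1"
# The files are passed in as arguments so the functions can be tried on copies.
set -eu

# True if the client's authorized_keys line still carries --append-only.
key_has_append_only() {   # $1 = authorized_keys, $2 = text identifying the client's line
    grep -F -- "$2" "$1" | grep -q -- '--append-only'
}

# Drop --append-only from the borg serve command of the client's line only.
key_disable_append_only() {
    awk -v id="$2" '
        index($0, id) { sub(/ --append-only/, "") }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Put --append-only back right after "borg serve" on the client's line.
key_enable_append_only() {
    awk -v id="$2" '
        index($0, id) && !/--append-only/ { sub(/borg serve/, "borg serve --append-only") }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Current value of append-only in repo/config (empty if the line is missing).
repo_append_only_value() {   # $1 = repo/config
    awk -F= '/^append-only[ \t]*=/ { gsub(/[ \t]/, "", $2); print $2 }' "$1"
}

# Set append-only = 0 or 1 in repo/config.
repo_set_append_only() {   # $1 = repo/config, $2 = 0 or 1
    awk -v v="$2" '/^append-only[ \t]*=/ { $0 = "append-only = " v } { print }' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Run the prune with append-only off on both sides and re-enable it afterwards
# no matter how the prune went. PRUNE_CMD defaults to the runbook's
# "borgmatic prune"; it is overridable so the wrapper can be tested offline.
prune_with_append_only_off() {   # $1 = authorized_keys, $2 = client id, $3 = repo/config
    keys=$1; client=$2; conf=$3
    status=0
    key_disable_append_only "$keys" "$client"
    repo_set_append_only "$conf" 0
    # Either side alone keeps the repo append-only, in which case the prune
    # would be served append-only and reclaim nothing: refuse rather than
    # report a prune that did not happen.
    if key_has_append_only "$keys" "$client" || [ "$(repo_append_only_value "$conf")" != 0 ]; then
        echo "append-only still enabled for $client; refusing to prune" >&2
        status=2
    else
        ${PRUNE_CMD:-borgmatic prune} || status=$?
    fi
    # Re-enable on both sides before reporting, so a failed prune never
    # leaves the repo writable.
    key_enable_append_only "$keys" "$client"
    repo_set_append_only "$conf" 1
    return "$status"
}
```

The prune itself still runs on the client per the runbook; the wrapper's PRUNE_CMD is the hook for running it via ssh or whatever fits. Replace the identifier passed as the second argument with something unique to the client's key line, such as its key comment.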