Dockerized Borgmatic with Multiple Configs

Running a single Borgmatic Docker container to maintain multiple Borg repos.

I use Borgmatic to back up family photos from my NAS to Borgbase.com. I have previously recommended this post on getting started with Borgmatic with Docker. That post is so good that I didn’t write my own, since I wasn’t going to improve upon it, but now I may have a contribution. I want to back up a second directory on my NAS to a different remote directory, which requires adding a second configuration file to my Borgmatic deployment.

Preparing for Multiple Configuration Files

There’s actually a small section about using multiple configuration files in their docs, but I still had to experiment and confirm some behavior because I’m using a dockerized Borgmatic instance. Going forward, this post assumes you are also using the official Borgmatic container image, which has opinions about directories and environment variables that I may reference, but the general ideas can be reused in other setups.

First, Set Up the Remote Repository

On Borgbase.com, my first task is to set up the remote repository so I can get its URL. Set a name, select where you want your files located, and keep the repo format on “Borg”.

Temporarily include your personal SSH key in the “Full Access” category until you’re done setting up the backup repo later. I’ve also added the SSH key of the server that makes the backups to the “Append-Only” category, so a compromised NAS can’t delete files from the remote backup.

Now you can “Add Repository” and you’re all set. It’s pretty straightforward, but the key lesson for me was that the backup repo is not encrypted until your local Borg instance connects for the first time and sets the encryption. When you see the repo “unlocked” icon, you can ignore it until after you connect.

Without that bit of information, it feels like your repo is set up incorrectly, and you end up searching online for how to configure encryption when you should be on your machine starting the next step.

Second, Explicit Passphrase

By default, Borg looks for the BORG_PASSPHRASE environment variable whenever it needs to encrypt or decrypt your files, so you don’t have to include a passphrase in your configuration file. However, unless you want to use the same passphrase for all of your Borg repos, you’ll need to explicitly define an encryption_passphrase in each configuration file. And you really should.

With multiple passphrases, you now need to add a new environment variable to your container for each passphrase. To avoid any mistakes, I don’t use the default BORG_PASSPHRASE variable either.

docker-compose.yml
services:
  borgmatic:
    image: ghcr.io/borgmatic-collective/borgmatic
    container_name: borgmatic
    volumes:
      ...
    environment:
      PASSPHRASE_REPO_ONE: my-super-secret-passphrase-for-repo-one
      PASSPHRASE_REPO_TWO: a-very-different-passphrase-for-repo-two
    ...

Note: It is better not to write your passphrases directly in the compose file. Use an .env file instead, especially if you will be saving your backup configurations somewhere remote like GitHub.

And include the encryption_passphrase option in each configuration file.

conf-repo-one.yml
# Borgmatic replaces ${NAME} with the value of that environment variable
encryption_passphrase: ${PASSPHRASE_REPO_ONE}

conf-repo-two.yml
encryption_passphrase: ${PASSPHRASE_REPO_TWO}

Third, Dividing the Source Directory

The next step is to mount each Borgmatic repository’s source directory as a subdirectory of the container’s /mnt/source directory. Previously, I had mounted the single directory I wanted to back up directly on /mnt/source itself. Now, with more than one directory to back up and a different configuration file for each, I needed to re-mount the original backup directory on a subdirectory of /mnt/source and update my configuration to point to this new subdirectory.

docker-compose.yml
services:
  borgmatic:
    image: ghcr.io/borgmatic-collective/borgmatic
    container_name: borgmatic
    volumes:
      - /path/to/backup/source1:/mnt/source/repo_one:ro
      - /path/to/backup/source2:/mnt/source/repo_two:ro
      ...
    environment:
      PASSPHRASE_REPO_ONE: my-super-secret-passphrase-for-repo-one
      PASSPHRASE_REPO_TWO: a-very-different-passphrase-for-repo-two
    ...

Then reference the repo_one subdirectory in the configuration file’s source_directories option, alongside the explicit passphrase mentioned earlier.

conf-repo-one.yml
encryption_passphrase: ${PASSPHRASE_REPO_ONE}

source_directories:
  - /mnt/source/repo_one

At first I was worried this step would wreck my existing Borg repository and that my remote side would essentially double in size. Because Borg is a de-duplicating backup tool, there was no issue when I made the first backup after changing the source directory location. Just a helpful FYI.
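
A check for the explicit-passphrase step, as an added example that is not part of the original post or of Borgmatic: it flags configs with no encryption_passphrase, configs that reuse another repo's variable, and passphrase variables given a literal value in docker-compose.yml. It assumes Borgmatic's ${NAME} environment-variable syntax and simple line-based parsing instead of a YAML parser; the function names and sample files are constructed for illustration.

```python
import re

# Borgmatic interpolates environment variables written as ${NAME}.
ENV_REF = re.compile(r"^\$\{([A-Za-z_][A-Za-z0-9_]*)\}$")
KEY_VALUE = re.compile(r"^\s*-?\s*([A-Za-z_][A-Za-z0-9_]*)\s*[:=]\s*(.*?)\s*$")

def passphrase_setting(config_text):
    """Raw value of the top-level encryption_passphrase option, or None."""
    m = re.search(r"^encryption_passphrase:[ \t]*(.*?)[ \t]*$", config_text, re.M)
    return m.group(1).strip("'\"") if m else None

def compose_literals(compose_text, names):
    """Variables from `names` that the compose file sets to a literal value."""
    found = set()
    for m in filter(None, map(KEY_VALUE.match, compose_text.splitlines())):
        value = m.group(2).strip("'\"")
        if m.group(1) in names and value and not value.startswith("$"):
            found.add(m.group(1))
    return found

def audit(configs, compose_text):
    """configs maps file name -> text. Returns a list of findings."""
    findings, owner = [], {}
    for name in sorted(configs):
        value = passphrase_setting(configs[name])
        ref = ENV_REF.match(value or "")
        if value is None:
            findings.append(f"{name}: no encryption_passphrase, falls back to BORG_PASSPHRASE")
        elif not ref:
            findings.append(f"{name}: encryption_passphrase is not a ${{NAME}} reference")
        elif ref.group(1) in owner:
            findings.append(f"{name}: reuses {ref.group(1)} from {owner[ref.group(1)]}")
        else:
            owner[ref.group(1)] = name
    for var in sorted(compose_literals(compose_text, set(owner))):
        findings.append(f"docker-compose.yml: {var} is a literal, move it to .env")
    return findings

# Constructed sample input, not the author's real files.
SAMPLE_CONFIGS = {
    "conf-repo-one.yml": "encryption_passphrase: ${PASSPHRASE_REPO_ONE}\n",
    "conf-repo-two.yml": "encryption_passphrase: ${PASSPHRASE_REPO_ONE}\n",
    "conf-repo-three.yml": "source_directories:\n  - /mnt/source/repo_three\n",
}
SAMPLE_COMPOSE = "environment:\n  PASSPHRASE_REPO_ONE: constructed-literal\n"

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIGS, SAMPLE_COMPOSE)))
```

Run it before committing the configuration directory; an empty result means every config names its own variable and the compose file only passes values through.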
