I want to run a kopia repository server on my NAS, so I can back up desktop clients A and B to it.
From what I found in the docs, I prepared the following compose file for a custom app on TrueNAS Scale:
```yaml
services:
  kopia:
    image: kopia/kopia:latest
    container_name: kopia
    hostname: kopia.mydomain.com # Nginx Proxy Manager will proxy kopia.mydomain.com to truenas_ip:51515
    user: "568:568" # id/gid of `apps` user, who owns /mnt/alpha/kopia dataset
    restart: "unless-stopped"
    ports:
      - "51515:51515"
    command:
      - server
      - start
      - --disable-csrf-token-checks
      - --insecure # I want to handle HTTPS via Nginx Proxy Manager for easy cert renew
      - --address=0.0.0.0:51515
      - --server-username=serveruser # this is I believe the HTTPS basic auth user
      - --server-password=serveruserpass # this is I believe the HTTPS basic auth pass
    volumes:
      - /mnt/alpha/kopia/data:/repository # this is where I want to store my backed up data
      - /mnt/alpha/kopia/config:/app/config
      - /mnt/alpha/kopia/cache:/app/cache # do we really need cache to be persistent?
      - /mnt/alpha/kopia/logs:/app/logs
      - /mnt/alpha/kopia/tmp:/tmp:shared # why do I need to mount /tmp?
    environment:
      KOPIA_PASSWORD: what_is_this_pass # what is this env?
      TZ: Europe/Warsaw
      USER: what_is_this_user # what is this env?
```
I already included some questions/notes above:
- what are the `KOPIA_PASSWORD` and `USER` envs?
- what is the basic auth user for? Only for the GUI? What about Clients A & B? Do they need to know those credentials?
- do we really need cache to be persistent?
- why do I need to mount /tmp?
I’d like to also understand the architecture.
I do not want to perform backup actions, tasks, etc on the NAS machine. I want it to only be the “receiving end” of backups - to be the backend for Kopia apps running in Client A & B.
Am I on the right track? When I start the above, the GUI on :51515 wants me to set up a repository and lists all the supported backends (S3, SFTP, etc). Should I add one as “Local Directory or NAS”? Should it be `/repository`? It immediately asks to create a password. So should I add two repositories (`/repository/A` for client A, and `/repository/B` for client B, with their corresponding passwords)? It feels like any repository I’ll add would be only operational for the very instance of Kopia that runs within this container… Also - why does the repository server need a password? Is it for allowing Clients to send their files? And the token used for encrypting the backups will be only known to Clients?
And what’s next? Let’s say on Client A (Windows machine) I install Kopia, and I select Storage Type as “Kopia Repository Server” - it will ask me to enter the trusted server certificate fingerprint printed at server startup - where do I find it?
Documentation about docker deployment and the overall server approach is quite scarce, and docker in particular - in some places it lists requirements for FUSE and SYS_ADMIN, and it’s not clear why.
Can anyone shed some light on this?