How to properly set up kopia repository server via docker?

I want to run kopia repository server on my NAS, so I can backup desktop clients A and B to it.

From what I found in the docs, I prepared the following compose for a custom app on TrueNAS Scale:

services:
  kopia:
      image: kopia/kopia:latest
      container_name: kopia
      hostname: kopia.mydomain.com     # Nginx Proxy Manager will proxy kopia.mydomain.com to truenas_ip:51515
      user: "568:568"                  # id/gid of `apps` user, who owns /mnt/alpha/kopia dataset
      restart: "unless-stopped"
      ports:
        - "51515:51515"
      command:
        - server
        - start
        - --disable-csrf-token-checks
        - --insecure                   # I want to handle HTTPS via Nginx Proxy Manager for easy cert renew
        - --address=0.0.0.0:51515
        - --server-username=serveruser      # this is I believe the HTTPS basic auth user
        - --server-password=serveruserpass  # this is I believe the HTTPS basic auth pass
      volumes:
        - /mnt/alpha/kopia/data:/repository     # this is where I want to store my backed up data
        - /mnt/alpha/kopia/config:/app/config
        - /mnt/alpha/kopia/cache:/app/cache     # do we really need cache to be persistent?
        - /mnt/alpha/kopia/logs:/app/logs
        - /mnt/alpha/kopia/tmp:/tmp:shared   # why do I need to mount /tmp?
      environment:
        KOPIA_PASSWORD: what_is_this_pass    # what is this env?
        TZ: Europe/Warsaw
        USER: what_is_this_user              # what is this env?

I already included some questions/notes above:

  • what are the KOPIA_PASSWORD and USER envs?
  • what is the basic auth user for? Only for the GUI? What about Clients A & B? Do they need to know those credentials?
  • do we really need cache to be persistent?
  • why do I need to mount /tmp?

I’d like to also understand the architecture.

I do not want to perform backup actions, tasks, etc on the NAS machine. I want it to only be the “receiving end” of backups - to be the backend for Kopia apps running in Client A & B.

Am I on the right track? When I start the above, the GUI on :51515 wants me to set up a repository and lists all the supported backends (S3, SFTP, etc). Should I add one as “Local Directory or NAS”? Should it be /repository? It immediately asks to create a password. So should I add two repositories (/repository/A for client A, and /repository/B for client B, with their corresponding passwords)? It feels like any repository I’ll add would be only operational for the very instance of Kopia that runs within this container… Also - what does the repository server need a password for? Is it for allowing Clients to send their files? And the token used for encrypting the backups will be only known to Clients?

And what’s next? Let’s say on Client A (Windows machine) I install Kopia, and I Select Storage Type as “Kopia Repository Server” - it will ask me to enter trusted server certificate fingerprint printed at server startup - where do I find it?

Documentation about docker deployment and the overall server approach is quite scarce, and docker in particular - in some places it lists requirements for FUSE and SYS_ADMIN, and it’s not clear why.

Can anyone shed some light on this?

I think this should be a single command - server start

Not sure if it makes a difference, I’m still trying to figure this out myself. Especially the mountain of passwords…

This is kind of a bad thing to do, someone wrote a couple of words about it here. Just bad security practice. Not sure why they put it into their example configs when it’s neither necessary nor recommended…

I think it’s the other way round:

the USER variable is the WebUser (at least according to the things others have put into their docker files), in my case it’s labeled “repo user” and as a comment it says “This is the user that gets to use the repository”. I have no idea what it’s supposed to do because it doesn’t work.

I also feel like there is a mix between what you need to set on a client vs server config.

You can follow my own post here since our problems seem to overlap

The only thing I think I have figured out by now is that the Repo Key is only needed by the Server. The client doesn’t need to know it because the client access uses the API instead of accessing the repo directly. That however still leaves three passwords to figure out:

server-password: Not sure, but I think you need this to connect the client to the server. However, what are the user passwords created when using kopia server user add used for then?

server-control-password: Why is this used? Does this replace the regular USER and KOPIA_PASSWORD when running in server mode?

Hey @shalak,

please take a look at this post, which should hopefully answer some questions regarding the Repository Server and password variables.

AFAICT the USER variable is never used. Maybe a copy & paste leftover.

Basic auth is only used for WebUI access. Clients don’t need to know these credentials when connected through the Repository Server. You can omit these settings and disable the WebUI if you don’t plan on using it.

Persistent cache isn’t necessary but might be helpful when your server is connected to a slow storage backend (e.g. high latency SFTP).

Seems to be used for browsing mounted snapshots.

You can use the WebUI, but I prefer to use CLI. This command should create the repository and automatically use the KOPIA_PASSWORD from your docker-compose file as repository (master) password.
docker exec kopia kopia repo create filesystem --path=/repository

There is no need for 2 repositories, as users can only see their own snapshots and policies when ACLs are enabled (kopia server acl enable).

The server certificate fingerprint is printed to your console/logs when you start the server with the --tls-generate-cert parameter. Please see my post here for a mini-tutorial on this topic.
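As an added example that is not from this thread or from the Kopia project, here are the server-side steps the reply above describes, collected as shell functions: repository creation, a per-client server user plus ACLs, pulling the certificate fingerprint out of the container log, and the matching client-side connect command. The container name is the one from the question’s compose file; user/host values are hypothetical, and the "SERVER CERT SHA256:" log line format is assumed from the Kopia docs.

```shell
# Server-side provisioning for the setup in this thread, run through `docker exec`
# against the container named "kopia" from the question's compose file. The repository
# (master) password comes from KOPIA_PASSWORD in the compose environment; clients never
# need it, each client gets its own server user instead.
CONTAINER="kopia"

# One-time: create the repository in the mounted /repository volume.
create_repo() {
  docker exec "$CONTAINER" kopia repository create filesystem --path=/repository
}

# Per client: add a repository-server user in user@hostname form with its own password,
# then enable ACLs so each user only sees its own snapshots and policies.
add_client_user() {
  user="$1"; host="$2"; password="$3"
  docker exec "$CONTAINER" kopia server user add "$user@$host" --user-password="$password"
  docker exec "$CONTAINER" kopia server acl enable
}

# Pull the "SERVER CERT SHA256: <hex>" line that kopia prints at startup (when started with
# --tls-generate-cert) out of a log text. Prints the 64-hex-digit fingerprint; returns 1 if
# no such line is present. Assumption: the line format is as shown in the kopia docs.
fingerprint_from_log() {
  fp=$(printf '%s\n' "$1" | sed -n 's/^SERVER CERT SHA256: \([0-9a-fA-F]\{64\}\)$/\1/p' | head -n 1)
  [ -n "$fp" ] || return 1
  printf '%s\n' "$fp"
}

# Convenience: read the fingerprint from the running container's logs (kopia writes it to stderr).
server_fingerprint() {
  fingerprint_from_log "$(docker logs "$CONTAINER" 2>&1)"
}

# What Client A or B runs locally to connect through the repository server rather than to the
# storage itself. The password is the one given to add_client_user, never KOPIA_PASSWORD, and
# the fingerprint pins the server certificate so the client refuses a different one.
client_connect() {
  url="$1"; fingerprint="$2"; user="$3"; host="$4"; password="$5"
  kopia repository connect server \
    --url="$url" \
    --server-cert-fingerprint="$fingerprint" \
    --override-username="$user" \
    --override-hostname="$host" \
    --password="$password"
}
```

Typical order on the NAS: create_repo, then add_client_user for each client, then restart the container with --tls-generate-cert and read server_fingerprint; the client then runs client_connect with that fingerprint.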