Use the webgui server without running a backend server?

Hi all!

I am running Kopia inside a docker container, and using the WebGUI to do backups of my local system to the cloud. So far so good, everything seems to be running quite smoothly, highly impressed!

However, I cannot get rid of the feeling that the configuration of the Kopia server is somewhat beyond my understanding, and I find the documentation on the various features a bit confusing. It seems that by running kopia server start, I am not only starting the webgui, but also a backup backend, which other clients could potentially connect to?

Is this understanding correct? If so, how can I disable this kopia backend, so that no backup clients can ever connect, I just want to use the WebGUI to start/schedule/check on my local backups in a lazy way.

This is what I use to run the server as docker entrypoint:
kopia server start --insecure --readonly --htpasswd-file /config/htpasswd --address 0.0.0.0:51515 --server-username=XXX --random-server-control-password

Is this a secure configuration if I just want the GUI? Any better options?

Also, it seems I need to set the repository pwd via the container variable KOPIA_PASSWORD, which I don’t like, I don’t want my container config to contain credentials. Is there any way to supply the password in a file, or by other (automated) means on container start? Reading from console is not possible because of the docker setup.

Thanks in advance :)

Your host OS firewall will intercept incoming connection attempts. I’d look over what the default rules are for it.

Though if you’re only running it locally I’d think --address 127.0.0.1:51515 (the localhost-only IPv4) would be enough to do it.

I don’t see why not. It’d require manual intervention before you booted the docker image, however. I’d use gocryptfs for this. It’s nice & lightweight. It also happens to use the same cryptography as Kopia.

After you remove whatever is hard coded for KOPIA_PASSWORD from the docker compose file, subsequent launches should just be fired via $HOME/bin/get-creds-kopia.sh (you might want to set a bash alias).

#!/usr/bin/env bash

# the path to the encrypted gocryptfs dir
CRED_ENC="/path/cred.enc"

# path where unencrypted creds will be mounted
MNT="/media/vault/cred"

# create the mount point if it doesn't exist
# otherwise continue
mkdir -p "$MNT"

# mount the encrypted dir to the mount point
# this will prompt you for the password
gocryptfs "$CRED_ENC" "$MNT"

# read the path to the mounted, unencrypted creds for kopia
# ensure there is only _one_ 'kopia.YOURPASSWORD' file
CRED_MNT="$(ls "$MNT"/kopia.*)"

# extract the password from the filename: drop the directory, then the
# 'kopia.' prefix, so a password that itself contains '.' is kept whole
CRED_FILE="${CRED_MNT##*/}"
export KOPIA_PASSWORD="${CRED_FILE#kopia.}"

# unmount the cred mount point now that the password is exported
umount "$MNT"

# don't use 'exit 0' or it will revoke the exported variable after successfully exiting.
# you could try the command to launch the docker image here, too. if you do, be
# sure to end the command with ' &' (note the space) to return control of the shell
# back to you.

Then fire the docker image as usual. That should do it (note: I do not use Docker).

Clarification: Using exit 0 as the last line to close out the script will ensure the KOPIA_PASSWORD=myPasswordHere variable is cleared. That may be necessary according to one’s goals if the intent is for more automation instead of manual intervention.
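
One way to keep the repository password out of the container config, as an added example that is not from this thread or from Kopia: an entrypoint wrapper that reads the password from a mounted file and exports KOPIA_PASSWORD only for the process it starts. KOPIA_PASSWORD_FILE and the default path /run/secrets/kopia_password are hypothetical names used by this wrapper, not Kopia options.

```shell
#!/bin/sh
# Added example: container entrypoint wrapper (not part of Kopia).
# KOPIA_PASSWORD_FILE is a hypothetical variable read only by this wrapper;
# /run/secrets/kopia_password is an assumed mount path for the password file.

# Print the first line of a password file, or fail with a message on stderr.
read_password_file() {
    file=$1
    pw=
    if [ ! -f "$file" ] || [ ! -r "$file" ]; then
        echo "password file missing or unreadable: $file" >&2
        return 1
    fi
    # Refuse a file that group or others can write to (mode string from ls;
    # -L follows a symlinked secret to the real file).
    case "$(ls -ldL -- "$file")" in
        ?????w*|????????w*)
            echo "password file is group/world writable: $file" >&2
            return 1 ;;
    esac
    # Take the first line only; tolerate a missing final newline and CRLF.
    IFS= read -r pw < "$file" || true
    pw=${pw%"$(printf '\r')"}
    if [ -z "$pw" ]; then
        echo "password file is empty: $file" >&2
        return 1
    fi
    printf '%s' "$pw"
}

# Used as: entrypoint.sh kopia server start <options from the compose file>
if [ "$#" -gt 0 ]; then
    KOPIA_PASSWORD=$(read_password_file \
        "${KOPIA_PASSWORD_FILE:-/run/secrets/kopia_password}") || exit 1
    export KOPIA_PASSWORD
    unset KOPIA_PASSWORD_FILE
    # Replace the wrapper with the real command so signals reach it directly.
    exec "$@"
fi
```

A variable exported this way is not part of the container's configured environment, so it does not have to appear in the compose file; it is still present in the environment of the kopia process itself.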