Automatic, periodic configuration backup via SCP

Started by drivera, October 28, 2018, 05:19:46 AM

November 03, 2018, 05:49:07 AM #15 Last Edit: November 03, 2018, 05:52:34 AM by drivera
On that same note of backup/restore, I just had to do one b/c I swapped out the SSD that I had originally deployed on the firewall for a "real" (higher quality) one.

I noticed that the configuration file doesn't appear to contain information about the plugins installed, or the version. I realize why this is - so the configuration can be restored to an old(er) installation and still work, or be imported vertically to a newer one.

However, what I don't see anywhere is the means to actually run a "reproducible backup" where one can quickly, in "just a few clicks", restore the firewall to its prior state including all plugins, firewall version, packages, etc.

With this type of backup, the user would be able to restore a firewall to exactly the same state as it was before. For example, at the start of the restore process the UI can ask if the user also wants to perform a roll-forward (or back, however the case may be) to the "installation state" (OPNsense version, packages, plugins) described by the configuration file (and, of course, show that state).

Does that make sense? Does that feature exist, and is it something that might be desirable?

https://github.com/opnsense/core/issues/1663

It's half-working. But we don't want to auto-install plugins, just provide a hint and maybe a "reinstall all missing plugins" button.

With any backup, update to the latest version prior to restore or restore first and swiftly upgrade to the latest version before use.


Cheers,
Franco

November 03, 2018, 03:48:44 PM #17 Last Edit: November 03, 2018, 03:57:41 PM by drivera
Right. I understand why you wouldn't auto-install stuff, and that's definitely NOT what I'm suggesting.

However, you could give the user the option to accelerate restoring that bit, i.e. "Do you also want to update the installation as described in this configuration?" (and describe the updates), as well as "Please select which plugins you wish to restore" (and present a list of the plugins selected from which the user might untick the ones he doesn't want to restore)...

Optionally, once restored and on reboot (with all the above done), also compare the list of packages installed to the list of packages included in the restored configuration and tell the user "The following packages which you installed manually are still missing, do you wish for them to be installed now?"

Does that sound more sensible? I guess what I'm looking for is a means to restore the entire firewall to its backed-up state, to make it as painless as possible if I'm starting from scratch with fresh hardware (for example). I realize there are modifications users can do which would make this more difficult, but we shouldn't anticipate/account for those just yet. For now, something like the above would do very nicely.

Later on we can decide if we add a mechanism that actually tracks filesystem-level deviations from the base install and backs those up (or at least documents them for the user).