OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • English Forums »
  • Tutorials and FAQs »
  • Automatic config backups using os-api-backup
« previous next »
  • Print
Pages: [1]

Author Topic: Automatic config backups using os-api-backup  (Read 11377 times)

danb35

  • Newbie
  • *
  • Posts: 34
  • Karma: 8
    • View Profile
Automatic config backups using os-api-backup
« on: July 23, 2020, 12:09:17 pm »
I just migrated from pfSense to OPNsense.  Under pfSense, I had my FreeNAS box running a daily script to download a config file backup from the pfSense box, using the method recommended in their own docs.  It was a little messy.  OPNsense has the os-api-backup plugin, which makes the process (especially the script) much simpler.  However, I didn't see everything pulled together in one place, so here goes:

Assumptions:
  • You have a Unix-y machine (Linux, BSD, macOS, maybe even Windows Subsystem for Linux) to run the backup script on
  • The WebUI cert on your OPNsense router is trusted on that Unix-y machine
  • curl is available on that Unix-y machine
That's really it, so let's get started.

First step, of course, is to install the os-api-backup plugin if it isn't already installed.

Next, you'll want to create a group with limited permissions.  In the OPNsense WebUI, go to System -> Access -> Groups and add a new group (I called mine backup).  Save the group, then edit it.  On the edit screen, under Assigned Privileges, click the edit button, find "Backup API" in the list, and check it.  Leave everything else unchecked and click Save.  Click Save again to return to the Groups screen.

Now create a user in that group.  Go to System -> Access -> Users and add a new user (I called mine, creatively enough, backup_user).  I generated a long random password using my password manager, and then discarded it--this user will never log in using that password.  Add the user to the backup group and save.  Then edit the user, find the API keys heading, and click + to create a new one.  This will download a small text file containing an API key and a secret, save it someplace convenient.  Click Save to return to the users screen.

That's all you need to do in the OPNsense UI.  Now it's time to create the script.

Go to whatever machine you're going to use to run the backup script, fire up your favorite text editor (I like nano--don't judge me), and create the script.  Contents are as below:
Code: [Select]
#!/bin/bash
KEY="api_key"
SECRET="api_secret"
HOST="opnsense_hostname"
PATH="/path/to/backups"

curl -s -k -u $KEY:$SECRET https://$HOST/api/backup/backup/download \
 -o $PATH/opnsense-config-$(date +%Y%m%d).xml

find $PATH/ -type f -name '*.xml' -mtime +30 -exec rm {} \;
No doubt it's obvious, but edit the variables at the top to match your environment.  This will save the backup files with a filename of "opnsense-config-yyyymmdd.xml", and delete everything over 30 days old.

Set up a cron job to run this on your desired schedule, and you're set
Logged

danb35

  • Newbie
  • *
  • Posts: 34
  • Karma: 8
    • View Profile
Re: Automatic config backups using os-api-backup
« Reply #1 on: July 23, 2020, 03:52:07 pm »
Figures.  I promise, I searched before I posted this, to see if there was already a guide on this, and I didn't find one.  But after I post, of course, I see this one:
https://forum.opnsense.org/index.php?topic=15349.0
Logged

sbeccato

  • Newbie
  • *
  • Posts: 3
  • Karma: 0
    • View Profile
Re: Automatic config backups using os-api-backup
« Reply #2 on: November 05, 2020, 04:13:26 pm »
Hi danb35,

I'm just adding this functionality to my infrastructure and I figured out the same solution you posted, it works like a charm.

Do you know if is possible to request an encrypted backup using the APIs? (Passwords are in clear text!)

I see that is possible with the manual download but I don't find anyting regarding the API.

Best
Simone
Logged

kevinfason

  • Newbie
  • *
  • Posts: 3
  • Karma: 0
    • View Profile
Re: Automatic config backups using os-api-backup
« Reply #3 on: March 18, 2021, 09:28:54 pm »
I made some minor tweaks to share. Shouldn't really use PATH as a variable as it can override the system path. escaped some stuff etc.

Code: [Select]
#!/bin/bash

KEY="api_key"
SECRET="api_secret"
HOST="opnsense_hostname"
PATHCONFIG="/path/to/backups"
DATE=`date +%Y%m%d`

curl -s -u ${KEY}:${SECRET} https://${HOST}/api/backup/backup/download -o $PATHCONFIG/opnsense-config-${DATE}.xml
find ${PATHCONFIG} -type f -name opnsense-config\*.xml -mtime +30 -delete
Logged

fabian

  • Hero Member
  • *****
  • Posts: 2768
  • Karma: 199
  • OPNsense Contributor (Language, VPN, Proxy, etc.)
    • View Profile
    • Personal Homepage
Re: Automatic config backups using os-api-backup
« Reply #4 on: March 18, 2021, 09:49:33 pm »
Quote from: sbeccato on November 05, 2020, 04:13:26 pm
Do you know if is possible to request an encrypted backup using the APIs? (Passwords are in clear text!)

No, it is plaintext only but you can pipe it through openssl to encrypt it.
"-o -" should write it to stdout and "openssl enc <opts>" encrypts it. You can find the options here:
https://www.openssl.org/docs/manmaster/man1/openssl-enc.html

The transfer is secure due to TLS and it makes no sense to encrypt it here since you would transfer the key in the request, so that is not the issue.
Logged

dp

  • Newbie
  • *
  • Posts: 25
  • Karma: 1
    • View Profile
Re: Automatic config backups using os-api-backup
« Reply #5 on: January 14, 2022, 04:00:12 am »
danb35,

So about duplicating the other instructions, don't sweat it as it is nice to have two sets of instructions. Everyone explains things differently and if I don't understand it in one example I can then look at it in the other. Rather have two working examples and approaches than none.

Oh and yours comes up in DuckDuckGo where the other one does not for some reason.

Thanks
Logged

murmelbahn

  • Newbie
  • *
  • Posts: 42
  • Karma: 1
    • View Profile
Re: Automatic config backups using os-api-backup
« Reply #6 on: March 24, 2022, 12:11:30 pm »
Thanks buddy! Works perfect!
Logged

SWEETGOOD

  • Newbie
  • *
  • Posts: 11
  • Karma: 0
    • View Profile
    • SWEETGOOD
Re: Automatic config backups using os-api-backup
« Reply #7 on: January 23, 2023, 11:35:19 pm »
I took your script as an example and created a version which also encrypts the backups using GPG.

You can find the script here:
https://codeberg.org/SWEETGOOD/andersgood-opnsense-scripts/src/branch/main/backup-opnsense-via-api.sh

I also wrote a short blogpost in German with some explanations:
https://andersgood.de/kurz-notiert/opnsense-per-api-verschluesseltes-backup-der-konfiguration-anlegen

Thanks to the TS for your work!
Logged

  • Print
Pages: [1]
« previous next »
  • OPNsense Forum »
  • English Forums »
  • Tutorials and FAQs »
  • Automatic config backups using os-api-backup
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2023 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy
    | XHTML | RSS | WAP2