Backup and data retention
Our backups are handled by a GitLab pipeline that scans your whole Jelastic account and backs up the containers' volumes. Additionally, it adds a file named topology.json that records the topology of every node and the environments used.
Dependencies
To get backups working you will need a few things:
- A GitLab instance with scheduled pipelines
- A Jelastic environment with alpine or debian containers
- An S3-compatible storage with credentials
- A safe place to save your backup encryption key
Backup encryption
Backups are encrypted with Restic, which allows encryption keys to be rotated while still saving only changed data. You can read more about Restic's threat model here: https://restic.readthedocs.io/en/latest/100_references.html#threat-model
DailyTask script
Voca offers a Jelastic Virtuozzo script that can be run daily to make backups and give you an overview of the cost structure. This lets you be sure your data is backed up and that you are in line with your credit projections.
The script is placed in the voca-system repository: https://git.octree.ch/decidim/vocacity/system/-/raw/main/contrib/jelastic-manifests/scripts/backup.yml?ref_type=heads
Restore
A Jelastic Virtuozzo script is also available to restore an environment from another environment. This makes it possible to prepare new releases, prepare environments for pentests, or just restore a backup from the same environment.
topology.json
It is vital for a Rails application to keep a backup of its environment variables, as SECRET_KEY_BASE is used as the key for encrypted data (encryption at rest). In Decidim, things like:
- Authorizations
- SMTP settings
- Omniauth Settings
are all encrypted at rest. Losing the key when restoring a backup means losing access to this data.
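One way to check a backup's topology.json before relying on it for a restore, as an added example that is not part of the Voca scripts: it confirms that every environment carries a non-empty SECRET_KEY_BASE whose fingerprint matches one recorded from the live environment. The `environments` layout, the environment names and the secret values are constructed for illustration, since the real topology.json schema is not shown on this page.

```ruby
require "json"
require "digest"

KEY = "SECRET_KEY_BASE"

# Short one-way identifier, so the secret itself never reaches logs.
def fingerprint(secret)
  Digest::SHA256.hexdigest(secret)[0, 16]
end

# Collect every SECRET_KEY_BASE value at any nesting depth.
def find_secrets(node, found = [])
  case node
  when Hash
    node.each { |k, v| k == KEY ? found.push(v) : find_secrets(v, found) }
  when Array
    node.each { |v| find_secrets(v, found) }
  end
  found
end

# Returns { env_name => :ok | :missing | :empty | :mismatch }.
# `expected` maps env name to a fingerprint recorded from the live environment.
def audit_topology(json_text, expected)
  JSON.parse(json_text).fetch("environments").to_h do |name, env|
    secrets = find_secrets(env).map(&:to_s)
    status =
      if secrets.empty? then :missing
      elsif secrets.any? { |s| s.strip.empty? } then :empty
      elsif secrets.map { |s| fingerprint(s) }.uniq != [expected[name]] then :mismatch
      else :ok
      end
    [name, status]
  end
end

# Constructed sample: assumed layout, hypothetical environment names and secrets.
SAMPLE = <<~JSON
  {"environments": {
    "voca-prod": {"nodes": [{"env": {"SECRET_KEY_BASE": "constructed-prod-secret"}}]},
    "voca-staging": {"nodes": [{"env": {"RAILS_ENV": "production"}}]},
    "voca-demo": {"nodes": [{"env": {"SECRET_KEY_BASE": ""}}]},
    "voca-old": {"nodes": [{"env": {"SECRET_KEY_BASE": "constructed-other-secret"}}]}
  }}
JSON
EXPECTED = { "voca-prod" => fingerprint("constructed-prod-secret"),
             "voca-old" => fingerprint("constructed-old-secret") }

audit_topology(SAMPLE, EXPECTED).each { |env, s| puts "#{env}: #{s}" } if __FILE__ == $PROGRAM_NAME
```

Any status other than `:ok` means the Authorizations, SMTP settings and Omniauth settings in that environment's database would be unreadable after a restore from this backup.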