diff --git a/README.md b/README.md index c98c719..5e9efe2 100644 --- a/README.md +++ b/README.md @@ -5,6 +5,8 @@ Documentation and issue tracker about the ayb instance hosted by SofĂ­a ## Table of contents +* Documentation + * [Backup methodology](./docs/backups.md) * Legal * [Terms of Service](./legal/tos.md) * [Report abuse](./legal/abuse.md) diff --git a/docs/backups.md b/docs/backups.md new file mode 100644 index 0000000..c709633 --- /dev/null +++ b/docs/backups.md 
@@ -0,0 +1,42 @@ +# Backup Methodology + +ayb is working on improving persistence and database streaming, which means that this methodology will change in the future. + +The current backup system has two parts: +* Daily automatic backups of the hosted databases. +* Monthly manual off-site backups of the ayb database and the hosted databases. + +## Automatic backups + +A shell script (TODO(sofia): release script) is executed five times a day, this shell script does the following: +* Attempt to recursively backup hosted databases using a command like this: `sqlite3 username/database.db ".timeout 1000" ".backup bak/username/database-$(date +%s).db.bak"`. +* Delete backups older than 7 days. +* Delete backups older than 1 day and whose file size is bigger than 500MB. + +## Off-site backups + +Off-site backups include all of the hosted databases and the ayb database, which means that ayb needs to be taken down in order to close all of the connections. +A notice will be up three days prior at: +* [status.sofiaritz.com](https://status.sofiaritz.com) +* [ayb.sofiaritz.com](https://ayb.sofiaritz.com) + +This notice will contain: +* The reason of the downtime (off-site backup). +* The expected downtime (1 to 2 hours). +* The time of the downtime in UTC. + +When the time comes, the following is done: +* The instance is taken down. +* The `ayb_data` folder is tar-gzip-ed. +* The `ayb_data.tar.gz` file is encrypted using a public key. +* The encrypted backup is sent to my local machine. +* The encrypted backup is stored inside an external hard-drive. + * This hard-drive is stored inside a safe. + * The private key is stored inside another hard-drive located at another physical location. +* The encrypted backup in my local machine is deleted. +* The encrypted backup in the server is deleted. +* The tar-gzip-ed backup in the server is deleted. +* The instance is started. +* When everything is up and running, the notices are removed. 
+ +This will be partially automated in the future, right now this process is completely manual.
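Review bot: in the docs/backups.md hunk the overview and the "Automatic backups" section disagree on frequency: the list under "The current backup system has two parts" says `* Daily automatic backups of the hosted databases.` while the section below says the script `is executed five times a day`; pick one wording so a reader knows how much data is at risk between runs. Two other gaps in this hunk are worth stating explicitly: the automatic backups are written to `bak/` on the same host as the live databases, so a disk or host loss takes both copies and the monthly off-site copy is the only protection (up to a month of changes exposed), and the off-site procedure deletes the local, server and tar-gzip-ed copies without any integrity check or test restore before the three `deleted` steps; a checksum comparison of the encrypted file on the external drive against the server copy, and a periodic decrypt-and-restore test, would belong there. Finally, "Attempt to recursively backup" should say what happens when the `sqlite3 ... ".backup ..."` call fails for a database (logged, retried, or silently skipped), since a silent failure would only be noticed when the backup is needed.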