VyOS Configuration Backup Automation with Git

Backup to a Git Repository with Every VyOS Commit

Many years ago when I ran a Ubiquiti EdgeRouter Lite as my primary home router, I came across psitem/edgerouter-backup while searching forums for someone who may have already developed a solution. This worked great for me for as long as I had the EdgeRouter.

Fast-forward a while, and I've switched to running a VyOS VM as my primary router at home. VyOS and EdgeOS were both forked from Vyatta, so they share a lot of similarities, but there are almost as many differences.

I wanted to continue backing up my configuration to a git repository to protect against loss as well as keep a versioned history of every change I make to my router, so I put together a single script that runs as a post-commit hook in VyOS.

Today, I will review the script I've created to automatically back up my VyOS router config to a git repository with every configuration commit.

The script itself is fairly straightforward, but there's a little bit of setup you'll have to do beforehand for it to be successful.

This tutorial assumes you are using key-based SSH authentication to your router--it will be required in order to push to your remote repository.

Build Your Own Image with Git Installed

The default ISOs do not include Git, so you'll need to build your own with Git integrated. Luckily, I covered that for you in an earlier post titled How I Automate Building VyOS Images. If you're not running a custom image, you'll want to go back and build one, then boot your router from it before you continue.

Set up Agent Forwarding

For this to work properly, you'll need to set up SSH Agent Forwarding in your local .ssh/config file. This will prevent you from having to generate new SSH keys specifically for your router. Agent forwarding allows your SSH keys on your local machine to 'pass through' to the router and be used for pushing to your remote Git repo via SSH.

Open ~/.ssh/config in your favorite editor, add the following to the end of the file, then save and exit. This works because the default SSH configuration in the VyOS rolling release has AllowAgentForwarding set to yes.

Host <enter your VyOS hostname here>
    ForwardAgent yes

Don't forget to modify the text above, replacing the placeholder on the Host line with the actual hostname of your router.

Create Git Repository

First, you'll need a repository for your router. I've used config-hostname for my repo names. The easiest way to do this is to log into your Git provider's website and create a new private repository with a README.md file in it.

⚠️ A NOTE ON SECURITY: The configuration files the script will create are not sanitized in any way and contain secret information you do not want to be published publicly. This is why it's extremely important to use a private repository. I personally use Gitea in a Docker container to store my router configs, so there's very little risk of accidentally making them public. I cannot recommend this option enough.
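
To see which lines of a backed-up commands file actually carry secrets, here is an added example (not part of the original post or its 99-git-commit script) that counts and redacts secret-bearing set commands. The keyword list, function names and sample lines are constructed assumptions; extend the list for the features your router uses.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): audit a VyOS "set" commands
# backup for secret-bearing lines before it is committed or shared.

# Node names whose value is treated as a secret. Assumed, non-exhaustive
# list; extend it for the features your router actually uses.
SECRET_KEYS='plaintext-password|encrypted-password|pre-shared-secret|private-key|passphrase|secret|community'

# Print how many commands on stdin carry a secret value.
count_secret_lines() {
    grep -Ec "^set .* (${SECRET_KEYS}) " || true
}

# Copy stdin to stdout with each secret value replaced by a placeholder.
# Handles both quoted ('...') and bare values; other lines pass through.
redact_secrets() {
    sed -E "s/^(set .* (${SECRET_KEYS})) ('[^']*'|[^ ]+)/\1 '<redacted>'/"
}

# Constructed sample input, standing in for a backed-up commands file.
sample_commands() {
    cat <<'EOF'
set interfaces ethernet eth0 address 'dhcp'
set interfaces wireguard wg0 private-key 'c2FtcGxlLWtleS1ub3QtcmVhbA=='
set service snmp community public authorization 'ro'
set system host-name 'router01'
set system login user vyos authentication encrypted-password '$6$constructed$hash'
set vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret 'example-psk'
EOF
}

# Demo: report the number of secret-bearing lines, then the redacted view.
echo "secret-bearing lines: $(sample_commands | count_secret_lines)"
sample_commands | redact_secrets
```

A non-zero count on your own backup confirms that anyone with read access to the repository can read those credentials, which is why the repository must stay private.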

Log into VyOS and Clone Repository

Log into your VyOS router and set your user.name and user.email for Git.

git config --global user.name "Your Name Here"
git config --global user.email "Your Email Address Here"

Now, let's change to the /config/user-data directory. Once there, clone your repository into the directory. In the example below, I'm using git@git.internal for my Git server, which is my private Gitea Docker container.

cd /config/user-data
git clone git@git.internal:brav0charlie/config-router01

It's important to clone into /config/user-data, because this location is persistent across reboots and upgrades. This prevents your local repository from getting wiped out with every reboot or upgrade.

Copy Script into Place

Copy the contents of the 99-git-commit script below to your clipboard, then create the script on your router. While logged into your router, use the following command to create the script.

nano /config/scripts/commit/post-hooks.d/99-git-commit

Paste the script into the file, then hit Ctrl+X to exit. Hit Y to save, then Enter to confirm the file name. Now we'll mark the script as executable.

chmod +x /config/scripts/commit/post-hooks.d/99-git-commit

That's All There is To It!

You're done! Now, when you commit changes to your VyOS instance, the script will write a copy of the JSON config file and a copy of the configuration commands to the repo. Then, it'll perform a git commit and a git push to send your config off to your Git host for safekeeping.

The script will use a generic "commit message" when committing to the repository. However, you can specify a custom commit message by setting the variable $M before issuing the VyOS commit command. For example:

M="This is my custom commit message." commit;save

The line above sets the custom commit message in the $M variable and then issues a commit and save command on the same line.

Testing the Script

You can test the script's functionality without actually performing a VyOS commit beforehand. Just run the script directly like so:

/config/scripts/commit/post-hooks.d/99-git-commit

A final note on upgrades

When you upgrade your system image, your user profile folder gets wiped out. This wipes out your .gitconfig file, so you'll need to reissue your git config after an upgrade.

git config --global user.name "Your Name Here"
git config --global user.email "Your Email Address Here"