Remote hosts over SSH
One backup server pulls several remote machines over SSH — stock tools run on each client, archives stream home, nothing is installed on the clients.
When to use this
You have one backup server and a handful of machines to protect, and you don’t
want to install anything on them. NBackup runs stock tar (and, optionally, the
compressor and gpg) on each client over an ordinary SSH connection and streams
the archive back to the server. There is no NBackup software, no daemon, and no
open port on the client beyond SSH — intermediate bytes never touch the client’s
disk. The server holds the catalog, the media, and the schedule; the clients just
answer when SSH knocks.
Config
Save this as nbackup.yaml on the backup server. Any source host that isn’t
localhost is reached over SSH automatically.
cycle: 7d
compress:
scheme: zstd
level: 3
# A single disk landing on the backup server. Runs from every host — local and
# remote — are written here.
media:
disk:
type: disk
path: /var/lib/nbackup/disk
capacity: 10TB
landing: disk
# SSH defaults applied to EVERY remote host (Amanda's global auth settings).
# identity_file is a PATH, not a key — NBackup stores no secret; the key itself
# lives in the operator's ssh agent/config.
ssh:
user: backup
identity_file: ~/.ssh/nbackup
options: ["-o", "StrictHostKeyChecking=accept-new"]
# hosts: is OPTIONAL and only OVERRIDES the ssh: defaults for a named host — it is
# NOT what makes a host remote. Per-host fields merge over the global ssh: block.
hosts:
app01:
ssh:
port: "2222" # this host listens on a non-standard port
state_dir: /var/lib/nbackup # where THIS host keeps its incremental (.snar) state
archivers:
gnutar:
tar_path: /usr/local/bin/gtar # this host's GNU tar lives off the default PATH
archivers:
default:
type: gnutar
one-file-system: "true"
sparse: "true"
dumptypes:
default:
archiver: default
no-logs:
archiver: default
exclude: ["*.log", "*.tmp"]
# The disklist, grouped by dumptype then host. localhost is dumped locally; every
# other host name is a remote SSH client.
sources:
default:
app01: [/home, /etc]
db01: [/var/lib/postgresql/backups]
localhost: [/etc]
no-logs:
web01: [/srv/www, /opt/app]
Any non-localhost host is remote by default. app01, db01, and web01
above are all backed up over SSH simply by not being localhost; only app01
appears under hosts:, and only to override the SSH port, its state directory, and
its tar path. db01 and web01 use the global ssh: defaults unchanged.
No secret is stored. Credentials come from the operator’s SSH agent and config
— identity_file is a path NBackup hands to ssh, never a key it reads or keeps,
the same no-secrets-in-config rule as cloud and gpg.
Each host owns its own incremental state. A client’s .snar listed-incremental
library lives on the client under its state_dir (a host property, not an archiver
option — see Concepts). Losing a client only forces its next dump
to a full; the others are unaffected.
Commands
nb check # reach EVERY source host — confirm connectivity before a run
nb check --offline # validate config only, skip the SSH reachability probe
nb plan # preview the next run across all hosts
nb dump # dump every host (remote hosts run tar over SSH)
nb status # progress of the running (or most recent) dump
Run nb check before the first real run, and from cron’s perspective whenever the
fleet changes — it connects to each host so a misconfigured key or a down machine
surfaces as a clear error instead of a failed dump.
What happens
- For each remote DLE, NBackup opens an SSH connection, runs stock
tar(plus the compressor /gpgif the dumptype runs them client-side) on the client, and streams the archive back to the server, where it lands as a run ondisk. localhostDLEs are dumped locally in the same run — one run covers the whole fleet.- Each host’s incremental chain is tracked independently against its own
.snarstate, so levels and bumps are decided per host.
What to watch
- Combine with offsite replication. This scenario lands everything on one disk;
add a cloud medium and a
sync:rule to push those runs offsite. See Disk → S3. - Client-side encryption is available. A dumptype can run compression and encryption on the client so only ciphertext crosses the wire and plaintext never leaves the source. See Encryption.
- SSH paths aren’t exercised in CI. The remote transport is not covered by the
automated test suite, so validate your hosts with
nb checkand a dry-run dump before trusting an unattended schedule.
See Remote sources over SSH for the full feature reference.