Harden borgmatic photos backup: restrict dirs, add keepalives + checkpoints

Restrict backup to library/ and upload/ only (skip regenerable encoded-video/, thumbs/, backups/). Add SSH ServerAliveInterval to prevent broken pipe on long transfers, and checkpoint_interval so interrupted backups save progress. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-30 10:30:02 -07:00 · 2026-03-30 10:30:02 -07:00 · c069f889d2
commit c069f889d2
parent b000efd6c3
3 changed files with 15 additions and 4 deletions
--- a/ansible/roles/borgmatic/defaults/main.yml
+++ b/ansible/roles/borgmatic/defaults/main.yml
@ -61,7 +61,9 @@ borgmatic_keep_yearly: 1000
 # pg_dump_command must be full path since LaunchAgent doesn't have homebrew in PATH
 # --- Immich photo library backup (BorgBase offsite only) ---
 borgmatic_photos_config: /Users/erichblume/.config/borgmatic/photos.yaml
-borgmatic_photos_source_dir: /Volumes/photos
+borgmatic_photos_source_directories:
+  - /Volumes/photos/library
+  - /Volumes/photos/upload
 borgmatic_photos_borgbase_repo: ssh://xcrtl5tg@xcrtl5tg.repo.borgbase.com/./repo
 # Schedule: runs daily at 4:00 AM (offset from main backup at 2:00 AM)
 borgmatic_photos_schedule_hour: 4
--- a/ansible/roles/borgmatic/templates/photos.yaml.j2
+++ b/ansible/roles/borgmatic/templates/photos.yaml.j2
@ -1,7 +1,10 @@
 # {{ ansible_managed }}
 #
 # Borgmatic config for immich photo library backup.
-# Backs up /Volumes/photos (sifaka SMB mount) to BorgBase offsite ONLY.
+# Backs up library/ and upload/ from /Volumes/photos (sifaka SMB mount)
+# to BorgBase offsite ONLY. Excludes encoded-video/, thumbs/, backups/
+# since those are regenerable from originals.
+#
 # Separate from the main borgmatic config to keep concerns isolated:
 # - main config: indri data → sifaka + borgbase
 # - this config: sifaka photos → borgbase (different repo)
@ -9,7 +12,9 @@
 local_path: {{ borgmatic_local_path }}

 source_directories:
-    - {{ borgmatic_photos_source_dir }}
+{% for dir in borgmatic_photos_source_directories %}
+    - {{ dir }}
+{% endfor %}

 source_directories_must_exist: true

@ -21,7 +26,10 @@ repositories:

 encryption_passcommand: {{ borgmatic_encryption_passcommand }}

-ssh_command: ssh -o IdentitiesOnly=yes -i {{ borgmatic_borgbase_ssh_key_path }}
+ssh_command: ssh -o IdentitiesOnly=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=5 -i {{ borgmatic_borgbase_ssh_key_path }}
+
+# Save checkpoints every 10 minutes so interrupted backups don't lose all progress
+checkpoint_interval: 600

 # Retention policy — photos are precious, keep more history
 keep_daily: {{ borgmatic_photos_keep_daily }}
--- a/docs/changelog.d/+borgmatic-photos-hardening.infra.md
+++ b/docs/changelog.d/+borgmatic-photos-hardening.infra.md
@ -0,0 +1 @@
+Borgmatic photos backup: restrict to library/ and upload/ (skip regenerable dirs), add SSH keepalives and checkpoint interval to prevent broken pipe failures on large initial syncs.
				`@ -0,0 +1 @@`
				`Borgmatic photos backup: restrict to library/ and upload/ (skip regenerable dirs), add SSH keepalives and checkpoint interval to prevent broken pipe failures on large initial syncs.`