Ark Ark · RWTS Backup

Setting up backups with Ark

Ark is the canonical, sanctioned way RWTS backs up Django (and other) databases. Each backup is encrypted on the host with a per-project public key — the host cannot decrypt its own backups — stored off RWTS in Wasabi (object-locked, region-replicated), and recorded here. Decryption is gated by Cloud KMS to a restricted group. It is disaster recovery, not an everyday restore.

1 Install the CLI

From devpi, inside the project's virtualenv:

pip install rwts-backup --index-url https://devpi.realworld.net.au/realworld/dev/+simple/

You must be in the backup-provisioners Duo group to provision.

2 Provision, schedule, run

Run these inside the project with its virtualenv active — Ark auto-detects the database and project name from Django settings:

rwts-backup init                          # authorise (Duo) + provision key, storage, run-token
rwts-backup deploy --scheduler systemd    # install the daily schedule (or cron / compose)
rwts-backup run                           # take a backup now (also what the scheduler runs)
rwts-backup status                        # health; also: list / verify
  • init opens a Duo device-login — approve it in your browser (you'll see the project name). Running init is the authorisation.
  • Commit backup.toml (public key, bucket, schedule). Keep the secrets env file root-only and out of git.

3 Non-Django or container-only hosts

Flask/SQLAlchemy and other non-Django apps work too (migration state is simply recorded empty). Since auto-detect reads Django settings, pass the database explicitly and supply the Postgres password with --pg-password-env (read from an env var — safer than --pg-password, which is visible in ps).

No host Python? Run the CLI straight from the agent image:

docker run --rm -e PGPW=… ghcr.io/realworldtech/rwts-backup-agent:latest \
  init --db postgres --project <p> \
       --pg-host db --pg-user <u> --pg-dbname <db> --pg-password-env PGPW

The compose sidecar then joins your stack's network and reaches Postgres at db:5432. Requires CLI ≥ 0.1.6.

Restore — the disaster path

Rare, deliberate, and gated: it needs the restore identity and Cloud KMS decrypt, and defaults to a scratch target. Never run it casually against a live database.

rwts-backup restore --backup latest --target-pg-dbname <scratch>

Use it from Claude — the ark-backup skill

So any Claude Code session sets up backups the canonical way (instead of hand-rolling pg_dump/cron/restic), install the skill into your personal skills directory:

git clone https://github.realworld.net.au/realworldtech/ark-backup.git ~/.claude/skills/ark-backup

It's auto-discovered next time you start Claude Code. Then just ask Claude to "add ARK backups to this project" — it follows this exact flow.

Reference

  • Dashboard & audit trail: https://ark.realworld.net.au
  • Source, design, and runbooks: the django-backup-process repo (docs/how-it-works.md).
  • Skill repo: realworldtech/ark-backup.