restorable docs
Install

Prerequisites

What the agent's host needs before you run the installer. Most of what the old one-liner bootstrapped (container runtime, minisign) is now handled by the distro package's dependencies and the signed repo's GPG chain; this page lists what's still on you.

Host

A Linux host the agent can run on. The packaged install supports:

  • Ubuntu 22.04 LTS (jammy) or 24.04 LTS (noble)
  • Debian 12 (bookworm)
  • RHEL / Rocky / AlmaLinux / CentOS Stream 9
  • Amazon Linux 2023

Anything else: use the manual raw-binary install. A named customer request on any deferred distro moves it into scope; not before.

The reference shape is a small cloud VM. Scaleway DEV1-S in fr-par (€4 per month, 2 vCPU, 2 GB RAM, 20 GB disk) handles databases up to a few GB comfortably. Size up if your largest database dump exceeds 5 GB.

The agent does not need a public IP. It opens outbound HTTPS only. Behind NAT, behind a bastion, on a private subnet with outbound allowed: all fine.

System resources

The agent itself is small: about 40 MB of RAM resident, minimal CPU outside of active backup or restore work. Heavy work is elsewhere.

  • During backup: pg_dump (or your engine's equivalent) reads the database and streams to the agent's encryption pipeline. Memory and CPU come from the dump tool.
  • During restore test: an ephemeral Postgres container holds the restored database for the duration of the check run. Peak memory is whatever Postgres needs for that dataset plus the container runtime's overhead.

Rule of thumb: peak memory during a restore test is roughly the size of the source database's active working set, same as Postgres itself needs to serve it. The host should have that much RAM plus a comfortable overhead for the OS.

Disk

Two things take disk on the agent host:

  1. The outgoing backup queue. A backup is held on disk briefly, between pg_dump finishing and the upload to object storage completing. Size: the encrypted dump, roughly 25% to 50% of the raw database size after compression.
  2. The restore-test scratch. The ephemeral container uses disk equal to the restored database size, released when the container is destroyed.

Conservative sizing: budget twice your largest database size as free disk on the host. Tight but workable at 1.5x; uncomfortable below that.

Container runtime

The package's Recommends: pulls Podman in on apt and dnf installs, so a fresh VM ends up with a working runtime without a separate step. Docker is supported too; if you already have it, apt / dnf won't install Podman on top.

When no local runtime is possible (policy, air-gapped host), point restore_scratch.kind: uri in config.yaml at an external Postgres endpoint. The agent restores into that endpoint, runs checks, and truncates the database between sessions.

Engine client tools

You do not need to install postgresql-client, mongosh, or the MongoDB Database Tools on the host. The agent pulls the matching-version tool container when it needs to run pg_dump, pg_restore, mongodump, mongorestore, or mongosh. First invocation per source triggers an image pull (~120 MB); subsequent runs reuse the cached image.

Version-matching is a product feature: pg_dump 15 refuses to dump a Postgres 16 server, and the agent picks postgres:16 when your source is 16.x. No drift, no manual tracking.

Network

  • Outbound HTTPS to the orchestrator. app.restorable.app:443 and orch.restorable.app:443. The agent sustains a heartbeat on a 60-second cadence.
  • Outbound HTTPS to the ciphertext bucket. *.s3.fr-par.scw.cloud:443. Upload and download of encrypted backups goes directly to Scaleway Object Storage via pre-signed URLs; it does not transit the orchestrator.
  • Outbound to get.restorable.app. get.restorable.app:443. apt update and dnf makecache pull the repo index from here; apt upgrade / dnf upgrade pull new package versions.
  • Outbound to your database. Whatever port your engine listens on, reachable from the agent host.

No inbound ports are required. The agent never listens.

Database credentials

A role or user on the source database with enough permission to run the dump tool. For Postgres that is typically a user with CONNECT on the database and SELECT on every table and sequence you want backed up. Superuser is not required; in fact a dedicated read-capable role scopes the blast radius if the agent is ever compromised.

The connection URI goes into /var/lib/restorable/env at install time. It never appears in config.yaml directly; the config references the env var by name.

Checklist

Before running curl | sudo bash:

  • Supported distro (apt or dnf branch per the matrix above).
  • Outbound HTTPS reachable to app.restorable.app, orch.restorable.app, get.restorable.app, *.s3.fr-par.scw.cloud, plus container registries (docker.io, quay.io) for engine image pulls.
  • Free disk equal to twice your largest database size.
  • A database connection URI you can paste into an env file.
  • An auth key from the dashboard (good for fifteen minutes).

The quickstart picks it up from here.