I am not a power user of Mikrotik devices so far, judging by the fact that I do not use the terminal there as much as I use the web interface (or WebFig, as they call it). But Mikrotik, being a powerful platform, can help me understand what I am doing.

One of the things I figured out recently goes something like this:

  1. make some changes in the router config (via UI or terminal)
  2. export the config into a human-readable file (not binary)
  3. commit the file into a git repository under the same filename
  4. take a look at what changed

This approach provides not one but at least two benefits, so far:

  • my router config is safely stored in case something happens
  • the human-readable format is actually the commands themselves, so I can learn how to call them

By observing what commands are stored in the config, I can experiment with them and maybe one day become a power user too. So how did I automate it?

SSH into Mikrotik

To keep the script from asking for a password, we can log in with an SSH public key. But the key first has to be put onto the router, via plain old password authentication:

scp ~/.ssh/my-public-key.pub [email protected]:pubkey.txt

ssh [email protected]
/user ssh-keys import public-key-file=pubkey.txt user=username-i-chose

It can also be done via WebFig, for completeness:

  1. Go to System → Users
  2. Select your user
  3. Go to SSH Keys tab
  4. Click '+' and paste your public key

Note the pubkey file will then probably be removed from the filesystem.

The script

After I make changes I just manually run this script. It could be automated to do it periodically, but I did not want to compromise security even more, so I just kept it simple like this so far:

#!/bin/bash

# Configuration
ROUTER_IP="192.168.1.1"
ROUTER_USER="username-i-chose"
FILENAME="config.rsc"

# Create backup on the router and download it using SSH key authentication
ssh "$ROUTER_USER@$ROUTER_IP" "/export file=$FILENAME"
sleep 2  # give the router a moment to finish writing the file
scp "$ROUTER_USER@$ROUTER_IP:$FILENAME" "$FILENAME"

# Add and commit if there are changes
git add "$FILENAME"
if git diff --staged --quiet; then
    echo "No changes to commit"
else
    git commit -m "update config"
    git push origin main  # Assuming 'main' branch and 'origin' remote is set up
fi

Note that it requires quite a lot of permissions on the router's user to do this, so you have been warned. Enjoy!
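
Because the script commits the export and pushes it to a remote, a check like the following can run between the scp and git add steps to flag secret-bearing parameters in config.rsc before they leave the machine. This is an added example, not part of the original post: the function names and the parameter list are assumptions (the list is illustrative, not exhaustive), and the sample export is constructed.

```shell
#!/bin/sh
# Added example: flag secret-bearing parameters in a RouterOS export.
# Assumption: illustrative parameter list, extend it for your own config.
SECRET_PARAMS='password|passphrase|secret|private-key|pre-shared-key|wpa-pre-shared-key|wpa2-pre-shared-key|authentication-password|encryption-password'

# Prints "line N: parameter" (never the value) for each non-empty secret
# parameter; returns 1 if any were found, 0 otherwise.
scan_rsc_secrets() {
    awk -v params="$SECRET_PARAMS" '
    function check(cmd, n,    rest, hit) {
        if (cmd ~ /^[ \t]*#/) return          # skip export header comments
        rest = cmd
        while (match(rest, re)) {
            hit = substr(rest, RSTART, RLENGTH)
            sub(/^[ \t]+/, "", hit); sub(/=.*/, "", hit)
            printf "line %d: %s\n", n, hit
            found = 1
            rest = substr(rest, RSTART + RLENGTH)
        }
    }
    BEGIN { re = "(^|[ \t])(" params ")=(\"[^\"]+\"|[^ \t\"]+)" }
    {
        line = $0
        sub(/\r$/, "", line)                  # tolerate CRLF line endings
        # Long commands are wrapped with a trailing backslash; join them so
        # a value pushed onto the next line is still seen with its name.
        if (cont) sub(/^[ \t]+/, "", line)
        else { start = NR; buf = "" }
        cont = sub(/\\$/, "", line)
        buf = buf line
        if (!cont) check(buf, start)
    }
    END { if (cont) check(buf, start); exit (found ? 1 : 0) }
    ' "$1"
}

# Constructed sample export, for demonstration only.
demo_scan() {
    tmp=$(mktemp) || return 2
    cat > "$tmp" <<'EOF'
# constructed sample, not a real export
/interface wireless security-profiles
set [ find default=yes ] wpa2-pre-shared-key=\
    "constructed-example-psk"
/ppp secret
add name=alice password=constructed-pw service=pppoe
/snmp community
set [ find default=yes ] authentication-password=""
EOF
    scan_rsc_secrets "$tmp"; rc=$?
    rm -f "$tmp"
    return "$rc"
}
```

In the backup script this would be used as `scan_rsc_secrets "$FILENAME" || exit 1` right before `git add`, so a flagged export is reviewed instead of pushed.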