Application Development Azure

Kopia on Ubuntu 24.04 on Azure User Guide

| Product: Kopia on Ubuntu 24.04 LTS on Azure

Overview

Kopia is a fast, secure, open-source backup tool. It creates encrypted, compressed, deduplicated snapshots of your files and stores them in a repository that you control - on a local disk, a network share, or any major cloud object store. The cloudimg image installs Kopia 0.23.1, runs its HTML web UI and REST API as a systemd service bound to loopback behind an nginx reverse proxy on port 80, holds a filesystem repository on a dedicated Azure data disk, and generates a unique set of repository and server passwords on the first boot of every VM. Backed by 24/7 cloudimg support.

What is included:

  • Kopia 0.23.1 (binary /usr/bin/kopia) installed from the official Debian package
  • A filesystem repository at /var/lib/kopia/repo on a dedicated Azure data disk
  • The Kopia HTML web UI / REST API served on loopback 127.0.0.1:51515 with HTTP Basic auth
  • nginx on :80 as a reverse proxy to the loopback Kopia backend, plus an unauthenticated static /health endpoint
  • Per-VM repository, server and server-control passwords generated on first boot and recorded in a root-only file
  • kopia.service + nginx.service as systemd units, enabled and active
  • 24/7 cloudimg support

Prerequisites

An active Azure subscription, an SSH key pair, and a VNet + subnet in the target region. Standard_B2s (2 vCPU / 4 GiB RAM) is a good starting point. NSG inbound: allow 22/tcp from your management network and 80/tcp. Kopia serves plain HTTP on port 80; for production, terminate TLS in front of it with your own domain.

Step 1 - Deploy from the Azure Marketplace

Sign in to the Azure Portal, choose Create a resource, search the Marketplace for Kopia by cloudimg, and select Create. On Basics pick your subscription, resource group, region and size; under Administrator account choose SSH public key and paste your key; under Inbound port rules allow SSH (22) and HTTP (80). Review the dedicated data disk on the Disks tab, then Review + create -> Create.

Step 2 - Deploy from the Azure CLI

az vm create \
  --resource-group <your-rg> \
  --name kopia \
  --image <marketplace-image-urn> \
  --size Standard_B2s \
  --admin-username azureuser \
  --ssh-key-values ~/.ssh/id_ed25519.pub \
  --vnet-name <your-vnet> --subnet <your-subnet> \
  --public-ip-sku Standard

az vm open-port --resource-group <your-rg> --name kopia --port 80 --priority 1010

Step 3 - Connect to your VM

ssh azureuser@<vm-public-ip>

Step 4 - Confirm the services are running

systemctl is-active kopia.service nginx.service

Both report active. On first boot Kopia generates per-VM passwords and creates the filesystem repository.

kopia.service and nginx.service active with the dedicated data disk mounted

Step 5 - Retrieve your server password

The Kopia server (web UI) password is generated uniquely on the first boot of your VM and written to a root-only file:

sudo cat /root/kopia-credentials.txt

This file contains KOPIA_SERVER_USERNAME (admin), kopia.server.pass (the web UI password) and kopia.repository.pass (needed only if you open the repository directly with the CLI). Store these somewhere safe.

Step 6 - Confirm the health endpoint

The image exposes an unauthenticated health endpoint, served by nginx, for load balancers and probes:

curl -s http://localhost/health

It returns ok. The Kopia API itself requires authentication (see Step 8).

Kopia health endpoint returning ok and the installed Kopia version

Step 7 - Open the Kopia web UI

Browse to http://<vm-public-ip>/ and sign in as admin with the password from Step 5. The web UI is where you browse snapshots, manage repository policies, define snapshot sources and watch running tasks.

Kopia web UI snapshots view

The Repository tab shows the connected filesystem repository, its status, capacity and storage configuration.

Kopia repository status

The Policies tab is where you set retention, compression, scheduling and file-ignore rules - globally or per source.

Kopia policies view

The Tasks tab lists running and recent operations (snapshots, maintenance, restores) with live progress.

Kopia tasks view

Step 8 - Verify the server from the command line

The Kopia server exposes a control API that uses HTTP Basic auth with the dedicated server-control account. An unauthenticated request is rejected with 401, and the per-VM server-control password authenticates. First read the password into a variable, then call the status endpoint:

KOPIA_CTRL_PASS=$(sudo grep '^kopia.server.control.pass=' /root/kopia-credentials.txt | cut -d= -f2-)
curl -s -u "server-control:<KOPIA_SERVER_CONTROL_PASSWORD>" http://localhost/api/v1/control/status | head -c 200; echo

The response is a JSON object with "connected": true and the repository configuration - proof the server is connected to the filesystem repository and your credentials work. (The browser web UI on port 80 signs in with the admin account and kopia.server.pass from Step 5.)

Retrieving the per-VM server password and authenticating against the Kopia API

Step 9 - Confirm the repository lives on the dedicated disk

The Kopia filesystem repository and config live on the dedicated Azure data disk so they survive OS changes and can be resized independently:

findmnt /var/lib/kopia

The mount is backed by a separate Azure data disk captured into the image and re-provisioned on every VM. The repository is at /var/lib/kopia/repo.

Building your backup workflow

Use the web UI to add snapshot sources (directories to back up), set policies (retention, compression, scheduling), and run snapshots on demand or on a schedule. From the VM you can also drive everything with the kopia CLI - the server already holds the repository connection, so commands like kopia snapshot list and kopia policy set work once you connect the CLI to the same repository. See the Kopia documentation for repository back-ends (S3, Azure Blob, B2, GCS), encryption, and command reference.

Maintenance

  • Snapshots: create and browse snapshots from the web UI, or with kopia snapshot on the VM.
  • Repository back-ends: this image ships a filesystem repository; Kopia also supports S3, Azure Blob, Google Cloud Storage, Backblaze B2 and more.
  • Repository location: the repository and config live under /var/lib/kopia on the dedicated data disk.
  • TLS: Kopia serves plain HTTP on port 80; front it with TLS (e.g. certbot) and your own domain before production use.
  • Upgrades: install a newer Kopia .deb (or replace /usr/bin/kopia) and sudo systemctl restart kopia.
  • Security patches: unattended-upgrades remains enabled so the OS continues to receive security updates automatically.

Support

cloudimg provides 24/7 expert support for this image. Contact support@cloudimg.co.uk.