I thought I could do
/export file=somewhere/all.rsc
You seem like the sort who'll appreciate this, then:
#!/bin/bash
# Pull both backup forms from a RouterOS device and commit them to Subversion.
host=my-router
cd /path/to/svn/checkout/directory
# 1. Text export of the configuration
ssh $host export > $host-export.rsc &&
# 2. Binary backup, written to the router's own flash
ssh $host '/system backup save' &&
# 3. Find the name of the last backup file in the router's file listing
fn=$(ssh $host '/file print detail without-paging' |
grep 'name="flash/.* type="backup"' |
tail -1 |
cut -f2 -d\") &&
# 4. Download it and commit both files with a timestamped message
scp $host:$fn $host-binary.backup &&
svn ci -m "Backup of $host on $(date "+%F @ %T")"
Now you've got the backup in two forms, done automatically without logging into the switch interactively, so you can script the download-and-commit as a periodic action or whatever. (Assuming you've set up SSH host keys, which of course you have.)
There may be more you need beside this:
- You may have generated a host-specific SSH key pair on your workstation for secure login rather than reuse your workstation's default SSH key. If so, make sure both halves are backed up: you can't get the public half back out of the router once it's uploaded short of a binary backup & restoration.
- If you ran "/ip ssh set strong-crypto=yes" (as I recommend) and then ran the subsequently-necessary "/ip ssh regenerate-host-keys", you need to export those SSH host keys via "/ip ssh export-host-key". Otherwise, you'll have to regenerate the host keys after each RSC (non-binary) restoration, causing your SSH clients to gripe about changed host keys and how that oooobviously means someone's trying to hack your connection. 😉
- X.509 certificates generated by the router are only included in binary backups. Rather than let this push you to use binary backup and restore, I recommend downloading them after generating them, saving them alongside the other backup data for that router. You do that via:
/certificate export-certificate export-passphrase=PASS file-name=my-router MyRouterTLS
It's critical to give a passphrase, since without it, RouterOS will give you the public half of the key only. That's fine for some purposes, but for router restoration from backup, you need both halves. Store the passphrase somewhere secure, such as in a password manager, since it's what protects the private key from getting loose now that you've extracted it from the router.
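Added example (not part of the reply above): the script's `grep | tail -1 | cut` pipeline picks whichever backup the router lists last, which is only the newest one if the listing happens to be in creation order. This Python snippet parses the same `/file print detail without-paging` output offline and picks the newest `type="backup"` entry by its `creation-time` instead. The two listings are constructed samples in the key=value layout RouterOS prints; the file names and dates are made up, and the assumption that continuation lines of a wrapped entry start with whitespace is mine.

```python
import re
from datetime import datetime

# Constructed sample of `/file print detail without-paging` output.
SAMPLE_LISTING = """\
 0 name="flash" type="disk"
 1 name="flash/my-router-20210301-0200.backup" type="backup" size=98304
   creation-time=mar/01/2021 02:00:04
 2 name="flash/my-router-export.rsc" type="script" size=15210
   creation-time=mar/01/2021 02:00:01
 3 name="flash/my-router-20210302-0200.backup" type="backup" size=98560
   creation-time=mar/02/2021 02:00:05
"""

# Same files, constructed so the newer backup is listed first: this is the
# case where `tail -1` in the shell pipeline would download the older one.
REORDERED_LISTING = """\
 0 name="flash/my-router-20210302-0200.backup" type="backup" size=98560
   creation-time=mar/02/2021 02:00:05
 1 name="flash/my-router-20210301-0200.backup" type="backup" size=98304
   creation-time=mar/01/2021 02:00:04
"""

# key=value pairs; values are either quoted or a bare token, and a bare
# creation-time carries a second "HH:MM:SS" token after the date.
KV_RE = re.compile(r'([A-Za-z][\w-]*)=("([^"]*)"|(\S+(?: \d\d:\d\d:\d\d)?))')
# RouterOS 6 prints mar/01/2021 02:00:04; RouterOS 7 prints 2021-03-01 02:00:04.
DATE_FORMATS = ("%b/%d/%Y %H:%M:%S", "%Y-%m-%d %H:%M:%S")


def parse_file_listing(text):
    """Split the listing into one dict per entry. An entry begins on a line
    that starts with its index number; indented non-blank lines that follow
    are the wrapped remainder of that entry (assumption about the layout)."""
    records = []
    for line in text.splitlines():
        if re.match(r"\s*\d+\s", line):
            records.append(line)
        elif line.strip() and records:
            records[-1] += " " + line.strip()
    parsed = []
    for rec in records:
        fields = {}
        for m in KV_RE.finditer(rec):
            key, quoted, bare = m.group(1), m.group(3), m.group(4)
            fields[key] = quoted if quoted is not None else bare
        parsed.append(fields)
    return parsed


def parse_time(value):
    """Accept either RouterOS timestamp style."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised creation-time: {value!r}")


def _backups(text):
    return [f for f in parse_file_listing(text) if f.get("type") == "backup"]


def latest_backup(text):
    """Name of the newest backup file, judged by creation-time."""
    backups = _backups(text)
    if not backups:
        return None
    return max(backups, key=lambda f: parse_time(f["creation-time"]))["name"]


def last_listed_backup(text):
    """What the grep | tail -1 pipeline selects: the last backup in listing
    order, regardless of its timestamp."""
    backups = _backups(text)
    return backups[-1]["name"] if backups else None


if __name__ == "__main__":
    print("by time :", latest_backup(REORDERED_LISTING))
    print("by order:", last_listed_backup(REORDERED_LISTING))
```

If you keep the shell version, at least assert that `$fn` is non-empty before the `scp`, otherwise a listing that happens to contain no backup turns into a silent `scp` of nothing.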
Due to "add ...", this procedure would not overwrite the current config.
Either look into "/system reset-configuration run-after-reset" or do a full reset and then load things in manually, per the steps below.
The choice between these comes down to this simple fact: the export file (*.rsc) may not contain everything you need to restore the router to its prior configuration, in which case the run-after-reset option can fail because the export file refers to configuration items that don't exist yet.
Worse, the binary backup file won't even always restore to the same router. I saw this while trying to mess with 7.1beta6.
Rather than try to automate my way out of this mess, I just wrote the manual restoration steps into a document I keep for the router so I can follow them the same way each time I need to restore:
- I usually need to restore because the router isn't working at all, since otherwise I could fix it in place without a restore. If this is because the router's lost its entire mind — it can happen! — then go to the next step. Otherwise, do a full reset so you're starting from a clean slate.
- Connect to the router via its MAC address using either WinBox or MAC-Telnet.
- Create a “full” capability login user with the credentials you've previously saved. (I ditch the "admin" user as soon as I'm able to.) I keep my login credentials in a password manager. If you have a router-specific SSH key, upload it to Files and import it for that user. Also load the saved SSH host keys and import them with "/ip ssh import-host-key". Try SSHing in now.
- Upload the certificates you backed up with the command above. Run "/cert import" to bring the keys in, unlocking them with the PEM passphrase used and saved above. Attach them to the necessary services: TLS certs on the www-ssl and api-ssl services, IPsec certs on the IPsec tunnels, etc.
- Since we aren't using the "run-after-reset" feature, it's now time to upload the *.rsc file for the router's filesystem root. At the Terminal prompt, say "/import" to run it. No arguments needed: it finds the file by extension and runs it.
- Reboot to be sure it all works as it did at the time of the last backup.
- If your login user with "full" capabilities is not "admin", you can delete the admin user now.
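Added example (not from the poster above): the reason `/import` of the *.rsc can fail on a freshly reset router is that the export names things that do not exist yet, certificates being the usual case, which is why the steps above import certificates before running the export. This Python snippet scans an export for `certificate=` and `remote-certificate=` references, joins RouterOS backslash line continuations, and reports which names are not among the certificates you exported with `/certificate export-certificate`. The export text is a constructed sample, not a real router's configuration; the section and attribute names in it are my assumption of what such an export contains.

```python
import re

# Constructed sample export. MyRouterTLS is used by two services and an
# IPsec identity; BranchCA is referenced but was never exported.
SAMPLE_RSC = """\
# mar/02/2021 02:00:01 by RouterOS 6.48
/ip service
set www-ssl certificate=MyRouterTLS disabled=no
set api-ssl certificate=MyRouterTLS
/ip ipsec identity
add peer=branch auth-method=digital-signature \\
    certificate=MyRouterTLS remote-certificate=BranchCA
/ip ssh
set strong-crypto=yes
"""

# The negative lookbehind keeps "certificate=" from matching inside
# "remote-certificate=".
CERT_RE = re.compile(
    r'(?<![\w-])(remote-certificate|certificate)=("([^"]*)"|(\S+))'
)


def logical_lines(rsc_text):
    """Yield (first_line_number, text) with trailing-backslash continuations
    joined, so an attribute wrapped onto the next line is still seen."""
    buf, start = "", None
    for n, raw in enumerate(rsc_text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None
    if buf:
        yield start, buf


def certificate_references(rsc_text):
    """Map each referenced certificate name to the (section, line) places
    that use it. Sections are the lines starting with '/'."""
    refs = {}
    section = ""
    for n, line in logical_lines(rsc_text):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("/"):
            section = stripped
            continue
        for m in CERT_RE.finditer(line):
            name = m.group(3) if m.group(3) is not None else m.group(4)
            refs.setdefault(name, []).append((section, n))
    return refs


def missing_certificates(rsc_text, exported_names):
    """Names the export needs that are not in your exported certificate set;
    import these (or find out why they are absent) before running /import."""
    return sorted(set(certificate_references(rsc_text)) - set(exported_names))


if __name__ == "__main__":
    for name, places in certificate_references(SAMPLE_RSC).items():
        print(name, "->", places)
    print("missing:", missing_certificates(SAMPLE_RSC, {"MyRouterTLS"}))
```

Run it against the export in your backup directory with the set of names you exported; anything it lists is a reference `/import` would hit on the reset router before the certificate exists.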