These are the scripts I use for my backup strategy and my installation guides.
Copy the machine-specific env file and name it .env.
You can overwrite the current crontab with the machine-specific one:
sudo crontab xyz-crontab.txt
Remember to adjust the healthchecks.io ping address.
After starting the SWAG container, change the security settings in the $HOME/docker/swag/nginx/ssl.conf file. That is, enable HSTS and uncomment all optional headers for additional security; see this post for more information.
My settings are given in the gitea.app.ini file. This needs to be renamed to app.ini and moved into the gitea directory.
Generate an htpasswd file:
registry_user=
registry_pass=
docker run --entrypoint htpasswd registry:2 -Bbn "$registry_user" "$registry_pass" > "${DOCKER_REGISTRY_ROOT}/auth/htpasswd"
I am running this on a server that is only accessible via Tailscale, so the HTTP protocol is sufficient for my use case.
sudo apt install restic
sudo adduser --system restic-server
# Find the latest release on GitHub
wget https://github.com/restic/rest-server/releases/download/v0.12.0/rest-server_0.12.0_linux_amd64.tar.gz
tar xzf rest-server_0.12.0_linux_amd64.tar.gz
sudo cp rest-server_0.12.0_linux_amd64/rest-server /usr/local/bin/restic-server
sudo chown root:root /usr/local/bin/restic-server
sudo chmod +x /usr/local/bin/restic-server
sudo restic-server --version
I call my directories simba and homebridge:
sudo mkdir -p /home/restic-server/simba
sudo mkdir -p /home/restic-server/homebridge
sudo chown -R restic-server /home/restic-server/
sudo -s
apt install apache2-utils
cd /home/restic-server
htpasswd -B -c .htpasswd simba
htpasswd -B .htpasswd homebridge
chown -R restic-server .htpasswd
chmod 600 .htpasswd
exit
Note that the usernames and backup directories need to have the same name.
sudo nano /etc/systemd/system/restic-server.service
These are the contents of the file:
[Unit]
Description=Restic Server
After=syslog.target
After=network.target
[Service]
Type=simple
User=restic-server
ExecStart=/usr/local/bin/restic-server --path /home/restic-server --private-repos --append-only
Restart=always
RestartSec=5
[Install]
WantedBy=multi-user.target
sudo systemctl daemon-reload
sudo systemctl enable restic-server
sudo systemctl start restic-server
sudo systemctl status restic-server
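One way to check the layout that the steps above produce, as an added example rather than one of the original scripts: the hypothetical function check_rest_server_root verifies that .htpasswd has mode 600, that every entry is a bcrypt hash as written by htpasswd -B, and that every user has a directory of the same name, which --private-repos relies on. It assumes GNU stat; the demo data and hash values are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example: audit a rest-server data root laid out as in this guide.
# Prints one line per finding; the return status is the number of findings.
check_rest_server_root() {
    local root file findings user hash mode
    root=$1; file="$root/.htpasswd"; findings=0
    if [ ! -f "$file" ]; then
        echo "missing: $file"
        return 1
    fi
    # The guide sets chmod 600 so only the owner can read the hashes.
    mode=$(stat -c '%a' "$file")   # GNU stat, as on Debian/Ubuntu
    if [ "$mode" != "600" ]; then
        echo "mode: $file is $mode, expected 600"
        findings=$((findings + 1))
    fi
    while IFS=: read -r user hash || [ -n "$user" ]; do
        [ -z "$user" ] && continue
        # htpasswd -B writes bcrypt hashes, which start with $2y$.
        case $hash in
            '$2y$'*|'$2a$'*|'$2b$'*) ;;
            *) echo "hash: user '$user' is not stored as bcrypt"
               findings=$((findings + 1)) ;;
        esac
        # With --private-repos a user only reaches the directory of the same name.
        if [ ! -d "$root/$user" ]; then
            echo "layout: no directory $root/$user for user '$user'"
            findings=$((findings + 1))
        fi
    done < "$file"
    return "$findings"
}

# Constructed demo data: 'simba' is set up as in the guide, 'homebridge' has a
# non-bcrypt entry and no directory. The hash values are placeholders.
demo=$(mktemp -d)
mkdir "$demo/simba"
printf '%s\n' 'simba:$2y$05$constructedPlaceholderHash' \
              'homebridge:{SHA}constructedPlaceholder' > "$demo/.htpasswd"
chmod 600 "$demo/.htpasswd"
check_rest_server_root "$demo" || echo "findings: $?"
rm -rf "$demo"
```

On the real server, run it as root against /home/restic-server.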
Log into the server where the data to be backed up is located and create a new restic repository following the "prepare a new restic repository" instructions. I use the following command (note the leading space in front of the command, which keeps it out of the shell history; in bash this only works when HISTCONTROL includes ignorespace or ignoreboth):
restic -r rest:http://simba:RESTPASSWORD@TAILSCALEIP:8000/simba init
restic -r rest:http://homebridge:RESTPASSWORD@TAILSCALEIP:8000/homebridge init
For machines that don't run constantly I use a systemd timer for btrbk instead of cron:
sudo cp $HOME/scripts/btrfs-btrbk-systemd.timer /lib/systemd/system/btrfs-btrbk-systemd.timer
sudo cp $HOME/scripts/btrfs-btrbk-systemd.service /lib/systemd/system/btrfs-btrbk-systemd.service
sudo chmod 644 /lib/systemd/system/btrfs-btrbk-systemd.timer
sudo chmod 644 /lib/systemd/system/btrfs-btrbk-systemd.service
mkdir -p $HOME/logs
Now let's test it first:
sudo systemctl start btrfs-btrbk-systemd.service
sudo systemctl status btrfs-btrbk-systemd.service
cat /var/log/btrbk.log
cat $HOME/logs/btrfs-btrbk.log
Check whether snapshots were created and whether any errors occurred. If all is well, enable the timer:
sudo systemctl enable btrfs-btrbk-systemd.timer
sudo systemctl start btrfs-btrbk-systemd.timer
sudo systemctl daemon-reload
sudo systemctl list-timers --all
You should see the timer enabled:
NEXT LEFT LAST PASSED UNIT >
Fri 2021-09-10 10:00:00 CEST 36min left n/a n/a btrfs-btrbk-systemd.timer >
Recheck the hourly timer after an hour to make sure everything is working:
sudo systemctl list-timers --all
cat /var/log/btrbk.log
cat $HOME/logs/btrfs-btrbk.log