Secure Backup Infrastructure with Restic
- Layer 1: Syncthing gives me strength in numbers
- Layer 2: Local ZFS Snapshots
- Layer 3: Remote Disaster Recovery
- NEXT Layer 4: Local Offline zpool with snapshots sent to it
- INPROGRESS this entire project needs to be done…
- NEXT can this be more secure than having a password file legible by root….
Layer 1: Syncthing gives me strength in numbers
Anything that I care about flows in to Last Bank and is also persisted on my other laptops to prevent single-machine hardware failure or device loss from affecting me.
Layer 2: Local ZFS Snapshots
ZFS snapshots let me quickly undo any mistakes I make locally, or recover if Syncthing blows away something I care about. NixOS gives me auto-snapshots every fifteen minutes and cleans up old stuff reasonably.
My Basic ZFS Configuration handles this.
Layer 3: Remote Disaster Recovery
We're using restic this time. Off-site backups are sent to Backblaze B2, which is decently affordable for storage, doesn't charge for inbound bandwidth, and will mail you a disk with a snapshot if you ask for it.
{ pkgs, lib, ... }:
let
  # Seconds between progress reports; restic takes the rate as frames per second.
  reportingSpf = 300;
  # Shared defaults for every job. `//` is a shallow merge, so a job that
  # overrides timerConfig replaces the whole set and drops RandomizedDelaySec.
  mkBackup = overrides: {
    initialize = true;
    timerConfig = {
      OnCalendar = "00:00";
      RandomizedDelaySec = "2h";
    };
    # Both secret files live in /root and are readable by root.
    passwordFile = "/root/restic-password";
    environmentFile = "/root/restic-env";
    pruneOpts = [
      "--keep-daily 7"
      "--keep-weekly 5"
      "--keep-monthly 12"
      "--keep-yearly 75"
    ];
  } // overrides;
in {
  services.restic.backups.tank_media = mkBackup {
    repository = "b2:restic-last-bank:media";
    paths = ["/media"];
  };
  systemd.services.restic-backups-tank_media.environment.RESTIC_PROGRESS_FPS = toString (1.0 / reportingSpf);

  services.restic.backups.tank_srv = mkBackup {
    repository = "b2:restic-last-bank:srv";
    paths = ["/srv"];
    timerConfig.OnCalendar = "03:00";
  };
  systemd.services.restic-backups-tank_srv.environment.RESTIC_PROGRESS_FPS = toString (1.0 / reportingSpf);

  services.restic.backups.tank_home = mkBackup {
    repository = "b2:restic-last-bank:home";
    paths = ["/home"];
    timerConfig.OnCalendar = "05:00";
  };
  systemd.services.restic-backups-tank_home.environment.RESTIC_PROGRESS_FPS = toString (1.0 / reportingSpf);
}
restic · Backups done right!
Restic is a modern backup program that can back up your files:
- from Linux, BSD, Mac and Windows
- to many different storage types, including self-hosted and online services
- easily, being a single executable that you can run without a server or complex setup
- effectively, only transferring the parts that actually changed in the files you back up
- securely, by careful use of cryptography in every part of the process
- verifiably, enabling you to make sure that your files can be restored when needed
- freely - restic is entirely free to use and completely open source
NEXT Layer 4: Local Offline zpool with snapshots sent to it
I need to buy more disks for this to work. Would be nice to store them with Alice or have a pair that I swap between when I go to San Diego…
INPROGRESS this entire project needs to be done… Computer
- State "INPROGRESS" from "NEXT" [2023-08-03 Thu 12:08]
I have enough ideas, I just need to stop having tool anxiety and read about borg backup
NEXT can this be more secure than having a password file legible by root….
the evergreen problem of backups
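Until there is something better than a root-readable file, the baseline is worth checking: that the two secret files named in the config are readable by root only and cannot be swapped out by anyone else. The script below is an added example, not part of the original notes; the function names and the expected owner (uid 0) are assumptions.

```python
import os
import stat
import sys

# Paths taken from the restic config on this page.
SECRET_FILES = ["/root/restic-password", "/root/restic-env"]


def audit_secret_file(path, expected_uid=0):
    """Return a list of findings for one secret file; an empty list means it passes."""
    try:
        st = os.lstat(path)  # lstat so a symlink at the path is seen, not followed
    except FileNotFoundError:
        return [f"{path}: missing"]
    except PermissionError:
        return [f"{path}: cannot stat, run the audit as root"]
    if stat.S_ISLNK(st.st_mode):
        return [f"{path}: is a symlink, audit the target instead"]
    if not stat.S_ISREG(st.st_mode):
        return [f"{path}: not a regular file"]

    findings = []
    if st.st_uid != expected_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        mode = stat.S_IMODE(st.st_mode)
        findings.append(f"{path}: mode {mode:04o} grants group/other access")
    # A tight file in a loose directory can still be swapped out by another user.
    parent = os.path.dirname(os.path.abspath(path))
    pst = os.stat(parent)
    if pst.st_uid != expected_uid or pst.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{parent}: directory is owned or writable by someone other than uid {expected_uid}")
    return findings


def audit_all(paths=SECRET_FILES, expected_uid=0):
    """Audit every path and return the combined findings."""
    return [f for p in paths for f in audit_secret_file(p, expected_uid)]


if __name__ == "__main__":
    problems = audit_all()
    for line in problems:
        print(line)
    sys.exit(1 if problems else 0)
```

Run as root, it exits non-zero when either file is missing, symlinked, wrongly owned, or carries any group/other permission bits.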