:PROPERTIES:
:ID: 47ff77f9-3eae-43eb-886c-7513d05f047f
:ROAM_ALIASES: "set up backups"
:END:
#+TITLE: Secure Backup Infrastructure with Restic
#+filetags: :Project:

#+AUTO_TANGLE: t
#+ARROYO_NIXOS_MODULE: nixos/restic.nix
#+ARROYO_SYSTEM_ROLE: server

#+ARCOLOGY_KEY: cce/backups
#+ARCOLOGY_ALLOW_CRAWL: t

* Layer 1: [[id:cce/syncthing][Syncthing]] gives me strength in numbers

Anything that I care about flows into [[id:20230506T010603.522707][Last Bank]] and is also persisted on my other laptops to prevent single-machine hardware failure or device loss from affecting me.

* Layer 2: Local ZFS Snapshots

ZFS snapshots let me quickly undo any mistakes I make locally, or recover if Syncthing blows away something I care about. NixOS gives me auto-snapshots every fifteen minutes and cleans up old stuff reasonably.

My [[id:20231129T105148.214325][Basic ZFS Configuration]] handles this.

* Layer 3: Remote Disaster Recovery

We're using [[id:11712730-aaf3-4a73-8c7c-6cc00e3a75c3][restic]] this time. Off-site backups are sent to Backblaze B2, which is decently affordable for storage, doesn't charge for inbound bandwidth, and will mail you a disk with a snapshot if you ask for it.

#+begin_src nix :tangle ~/arroyo-nix/nixos/restic.nix
{ pkgs, lib, ... }:

let
  # Seconds between progress reports; restic expects a rate, hence 1.0 / reportingSpf below.
  reportingSpf = 300;
  # Shared defaults for every backup job. `//` is a shallow merge: an override
  # that sets timerConfig replaces the whole default attrset, so
  # RandomizedDelaySec is dropped for that job.
  mkBackup = overrides: {
    initialize = true;
    timerConfig = {
      OnCalendar = "00:00";
      RandomizedDelaySec = "2h";
    };
    # Repository password and B2 credentials are read from files under /root.
    passwordFile = "/root/restic-password";
    environmentFile = "/root/restic-env";
    pruneOpts = [
      "--keep-daily 7"
      "--keep-weekly 5"
      "--keep-monthly 12"
      "--keep-yearly 75"
    ];
  } // overrides;
in {
  services.restic.backups.tank_media = mkBackup {
    repository = "b2:restic-last-bank:media";
    paths = ["/media"];
  };
  systemd.services.restic-backups-tank_media.environment.RESTIC_PROGRESS_FPS = toString (1.0 / reportingSpf);
  services.restic.backups.tank_srv = mkBackup {
    repository = "b2:restic-last-bank:srv";
    paths = ["/srv"];
    timerConfig.OnCalendar = "03:00";
  };
  systemd.services.restic-backups-tank_srv.environment.RESTIC_PROGRESS_FPS = toString (1.0 / reportingSpf);
  services.restic.backups.tank_home = mkBackup {
    repository = "b2:restic-last-bank:home";
    paths = ["/home"];
    timerConfig.OnCalendar = "05:00";
  };
  systemd.services.restic-backups-tank_home.environment.RESTIC_PROGRESS_FPS = toString (1.0 / reportingSpf);
}
#+end_src

** restic · Backups done right!
:PROPERTIES:
:ID: 11712730-aaf3-4a73-8c7c-6cc00e3a75c3
:ROAM_REFS: https://restic.net/
:END:

#+BEGIN_QUOTE
Restic is a modern backup program that can back up your files:
- from Linux, BSD, Mac and Windows
- to many different storage types, including self-hosted and online services
- easily, being a single executable that you can run without a server or complex setup
- effectively, only transferring the parts that actually changed in the files you back up
- securely, by careful use of cryptography in every part of the process
- verifiably, enabling you to make sure that your files can be restored when needed
- freely - restic is entirely free to use and completely open source
#+END_QUOTE

* NEXT Layer 4: Local Offline =zpool= with snapshots sent to it

I need to buy more disks for this to work. It would be nice to store them with [[id:20220920T221429.130071][Alice]] or have a pair that I swap between when I go to San Diego...

* INPROGRESS this entire project needs to be done... :Computer:
:LOGBOOK:
- State "INPROGRESS" from "NEXT" [2023-08-03 Thu 12:08]
:END:

I have enough ideas; I just need to stop having tool anxiety and read about borg backup.

* NEXT can this be more secure than having a password file legible by root....

the evergreen problem of backups
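
A baseline check for the question above, as an added example that is not part of the original notes: it confirms that the secret files the config reads (=/root/restic-password= and =/root/restic-env=) are regular files owned by root with no group/other access and a parent directory others cannot rewrite. The function names, the =EXPECTED_UID= variable and the use of GNU =stat -c= are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the secret files a restic backup job reads.
# Assumes GNU coreutils `stat -c` (as on NixOS). Function names and the
# EXPECTED_UID variable are hypothetical, chosen for this illustration.

# check_secret_file PATH [UID]: print each finding, return 0 only if clean.
check_secret_file() {
    secret=$1
    want_uid=${2:-0}
    rc=0
    # A symlink can redirect the job to a file someone else controls.
    if [ -L "$secret" ]; then
        echo "FAIL $secret: is a symlink"; return 1
    fi
    if [ ! -f "$secret" ]; then
        echo "FAIL $secret: missing or not a regular file"; return 1
    fi
    uid=$(stat -c '%u' "$secret")
    mode=$(stat -c '%a' "$secret")
    dmode=$(stat -c '%a' "$(dirname "$secret")")
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL $secret: owned by uid $uid, expected $want_uid"; rc=1
    fi
    # Any group/other bit means more than the owner can read or change it.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL $secret: mode $mode grants group/other access"; rc=1
    fi
    # A group/other-writable parent without the sticky bit lets others
    # rename or replace the file regardless of the file's own mode.
    if [ $(( 0$dmode & 022 )) -ne 0 ] && [ $(( 0$dmode & 01000 )) -eq 0 ]; then
        echo "FAIL $secret: parent directory mode $dmode is writable by others"; rc=1
    fi
    return $rc
}

# audit_restic_secrets PATH...: check every file, fail if any check fails.
audit_restic_secrets() {
    overall=0
    for f in "$@"; do
        check_secret_file "$f" "${EXPECTED_UID:-0}" || overall=1
    done
    return $overall
}

# Usage: sh audit.sh /root/restic-password /root/restic-env
if [ "$#" -gt 0 ]; then
    audit_restic_secrets "$@"
fi
```

Run as root, a non-zero exit means at least one =FAIL= line was printed for the listed files.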