My current hack for encrypted yunohost back-ups using restic
Because I'm new to server provisioning and to self-hosting, I've elected to use Yunohost to serve my single-person fediverse instance. It also serves this blog and a few other things. It's only been a couple of weeks, but it's been lovely so far and the documentation is excellent.
Yunohost back-ups
Back-ups are a particular concern to me; so is successfully restoring a back-up, but that's a problem for another day. The Yunohost web admin portal offers a ready way to manually back up the system—including config files and other important things—to /home/yunohost.backup/archives. It seems to prepare a json file and a tarball for each back-up. I've explored neither but my three back-ups look like this:
ls -lahF /home/yunohost.backup/archives/
total 67G
drwxrwx--- 2 root admins 4.0K May 29 11:18 ./
drwxrwx--- 4 root admins 4.0K May 22 13:26 ../
-rw-rw-rw- 1 root root 2.0K May 25 17:20 20240526-001735.info.json
-rw-rw-rw- 1 root root 14G May 25 17:20 20240526-001735.tar
-rw-rw-rw- 1 root root 2.0K May 26 14:03 20240526-205908.info.json
-rw-rw-rw- 1 root root 22G May 26 14:03 20240526-205908.tar
-rw-rw-rw- 1 root root 2.0K May 29 11:18 20240529-181256.info.json
-rw-rw-rw- 1 root root 31G May 29 11:18 20240529-181256.tar
The admin portal does not yet provide a way to automate creating new or deleting old back-ups, although yunohost provides a powerful CLI tool yunohost backup {create,restore,list,info,download,delete} that could be automated via a cron job, system service, etc. This is on my to-do list, for now I'm trying to remember to do manual back-ups; my memory is trash so my back-up system will also be trash until I sort this part out.
Backing up the yunohost back-ups
Anyway, with these back-ups created, I've landed on restic as the tool I'll use to encrypt my the Yunohost back-ups. Their website provides pretty simple, thorough instructions for this command-line tool. It allows me to backup to a local drive, and VPS, and more. For now I've just done prepared a separate local drive; I'll try to figure out how to do the sync to my linode account in the coming weeks.
I plugged in a spare USB and followed the instrcuctions to initiate a restic repository on it. I immediately encountered an error: the drive that I had formatted was plugged in to /dev/sdb, but couldn't be written to because it wasn't mounted. After poking around online, I found this article to be extremely help. After setting up the drive to auto-mount, I needed to change permissions to allow non-root access like this:
sudo setfacl -R -m u:username:rwx mount-point
and replacing 'username' with my non-privileged username and 'mount-point' with the auto-mount folder I had just created.
From here on out, following the restic instructions was simple and direct. For what it's worth, these backups are encrypted (yay!) but, the process for setting the password:
export RESTIC_PASSWORD=some-strong-password
Leaves the restic password as an environmental variable and in your shell history. Is this safe? I don't know! I deleted it from my shell history anyway.
Things I still need to do
Automate the yunohost back-ups
Automate the local restic back-ups of the yunohost backups
Figure out a strategy for paring older backups
Create restic back-ups to an off-site VPS (linode, probably, for me)
Restic snapshots can be iteratively smaller due to its ability to de-duplicate. I'm not sure that it's able to since each of the yunohost back-ups is a tarball. I need to look into this and perhaps adjust strategies.
Each of these things will be new to me and there's a lot to learn, so I'll probably document each one.
All posts CC BY-SA-NC 4.0 or later, unless otherwise stated.