Oliver Walter 1ea0d846bb first commit
2026-06-17 01:54:53 +02:00

Restic backup → TrueNAS REST server

Generic backup setup for any Linux machine (server, laptop, VM). Backs up over WireGuard to a restic REST server running on TrueNAS.

File overview

| File | Purpose | Edit per machine? |
|---|---|---|
| backup.sh | Backup script | Never |
| restic-backup.service | Systemd service | Never |
| restic-backup.timer | Daily timer (02:00) | Never |
| restic-backup-boot.timer | Boot timer — personal machines only | Never |
| env.example | Machine config template | Yes — copy & fill in |
| excludes.txt | Exclude patterns template | Yes — copy & customize |
| recovery.txt | Emergency credentials | Yes — fill in, store on TrueNAS |

backup.sh, the service, and the timers are identical on every machine. Only the env and excludes files are machine-specific.

Which timers to install

| Machine type | restic-backup.timer | restic-backup-boot.timer |
|---|---|---|
| Server (always on) | Yes | No |
| Personal (laptop, desktop) | Yes | Yes |

For personal machines the daily timer covers the case where the machine happens to be on at 02:00 (e.g. left overnight), while the boot timer ensures a backup runs whenever you start the machine during the day.

Note for personal machines: Persistent=true in the daily timer means systemd will catch up a missed 02:00 run at next boot — which would fire at the same time as the boot timer. Disable it on personal machines:

sudo systemctl edit restic-backup.timer
# Add:
# [Timer]
# Persistent=false

Prerequisites

  • TrueNAS REST server reachable (confirmed at nas.box:30248)
  • WireGuard tunnel active
  • restic installed

# Debian / Ubuntu
apt install restic

# Arch
pacman -S restic

# Any distro — latest binary from GitHub
# https://github.com/restic/restic/releases

Setup (repeat for each machine)

1. Create the config directory

sudo mkdir -p /etc/restic

2. Install and fill in the env file

sudo cp env.example /etc/restic/env
sudo nano /etc/restic/env
sudo chmod 600 /etc/restic/env

Set these values:

  • MACHINE_NAME — unique name for this machine (e.g. netcup, laptop, homeserver)
  • RESTIC_PASSWORD — generate with openssl rand -base64 32
  • BACKUP_PATHS — space-separated list of paths to back up

3. Install the excludes file

sudo cp excludes.txt /etc/restic/excludes.txt
# Edit to add any machine-specific paths to skip
sudo nano /etc/restic/excludes.txt

4. Initialize the repository on the REST server

sudo bash -c 'set -a && source /etc/restic/env && restic init'

5. Install the backup script

sudo cp backup.sh /usr/local/bin/restic-backup.sh
sudo chmod +x /usr/local/bin/restic-backup.sh

6. Install the systemd units

Server:

sudo cp restic-backup.service  /etc/systemd/system/
sudo cp restic-backup.timer    /etc/systemd/system/

sudo systemctl daemon-reload
sudo systemctl enable --now restic-backup.timer

Personal machine (laptop / desktop):

sudo cp restic-backup.service      /etc/systemd/system/
sudo cp restic-backup.timer        /etc/systemd/system/
sudo cp restic-backup-boot.timer   /etc/systemd/system/

sudo systemctl daemon-reload
sudo systemctl enable --now restic-backup.timer
sudo systemctl enable --now restic-backup-boot.timer

# Disable catch-up on the daily timer to avoid double backup at boot
sudo systemctl edit restic-backup.timer
# Add these lines, save and close:
# [Timer]
# Persistent=false

7. Run a first backup to verify

sudo systemctl start restic-backup.service
sudo journalctl -u restic-backup.service -f
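
A preflight check for the env file from step 2, as an added example that is not part of this repository: it verifies mode 600, the owner, and that the three values listed in step 2 are set, reading the file as text instead of sourcing it. The function name check_restic_env and the 44-character threshold (the length of `openssl rand -base64 32` output) are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: audit a restic env file without sourcing it.
# check_restic_env [FILE] [EXPECTED_OWNER]  -> exit 0 only if all checks pass

check_restic_env() {
    local file="${1:-/etc/restic/env}" owner="${2:-root}"
    local problems=0 mode actual_owner var value

    if [ ! -f "$file" ]; then
        echo "FAIL: $file does not exist" >&2
        return 2
    fi

    # The file holds RESTIC_PASSWORD in clear text, so step 2 sets mode 600.
    mode=$(stat -c '%a' "$file")
    if [ "$mode" != "600" ]; then
        echo "FAIL: mode is $mode, expected 600" >&2
        problems=$((problems + 1))
    fi
    actual_owner=$(stat -c '%U' "$file")
    if [ "$actual_owner" != "$owner" ]; then
        echo "FAIL: owner is $actual_owner, expected $owner" >&2
        problems=$((problems + 1))
    fi

    # Read assignments as text; never source a file we are still auditing.
    for var in MACHINE_NAME RESTIC_PASSWORD BACKUP_PATHS; do
        value=$(sed -n "s/^[[:space:]]*\(export[[:space:]]\{1,\}\)\{0,1\}${var}=//p" "$file" | tail -n 1)
        value=${value#[\"\']}   # strip one layer of surrounding quotes
        value=${value%[\"\']}
        if [ -z "$value" ]; then
            echo "FAIL: $var is missing or empty" >&2
            problems=$((problems + 1))
        elif [ "$var" = RESTIC_PASSWORD ] && [ "${#value}" -lt 44 ]; then
            # openssl rand -base64 32 prints 44 characters.
            echo "FAIL: RESTIC_PASSWORD is shorter than 44 characters" >&2
            problems=$((problems + 1))
        fi
    done

    [ "$problems" -eq 0 ]
}
```

Load the function with `source` in a root shell and run `check_restic_env` before step 4; it prints one FAIL line per problem and returns non-zero if any check fails.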

Useful commands

# Check timer status and next run time
systemctl status restic-backup.timer restic-backup-boot.timer

# List all snapshots
sudo bash -c 'set -a && source /etc/restic/env && restic snapshots'

# Browse a snapshot interactively
sudo bash -c 'set -a && source /etc/restic/env && restic mount /mnt/restic'

# Restore a single file or directory
sudo bash -c 'set -a && source /etc/restic/env && restic restore latest --target /tmp/restore --include /etc/wireguard'

# Check repo integrity
sudo bash -c 'set -a && source /etc/restic/env && restic check'

Password recovery — avoid the bootstrap trap

If your password manager runs on the machine being backed up, losing that machine means losing access to the password — and the repo is unrecoverable.

Solution: store recovery.txt on TrueNAS, outside the restic repo.

# On TrueNAS — one file per machine
cp recovery.txt /mnt/pool/backups/recovery-netcup.txt
chmod 600 /mnt/pool/backups/recovery-netcup.txt

/mnt/pool/backups/
├── netcup/                  ← restic repo (encrypted)
├── laptop/                  ← restic repo (encrypted)
├── recovery-netcup.txt      ← credentials + restore steps
└── recovery-laptop.txt      ← credentials + restore steps

Recommended redundancy:

| Copy | Survives |
|---|---|
| TrueNAS recovery-<machine>.txt | Machine loss |
| Personal device password manager | TrueNAS loss |
| Printed in a safe | Everything digital |

Server reconstruction

On a fresh machine:

# 1. Install restic
apt install restic

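# 2. Restore all files
# Credentials written into the -r URL end up in shell history and are
# visible in the process list while restic runs.
RESTIC_PASSWORD=<from recovery.txt> \
restic -r rest:http://oliver:oli1oli1@nas.box:30248/<MACHINE_NAME> \
restore latest --target /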

# 3. Reinstall packages (Debian/Ubuntu)
dpkg --set-selections < /etc/backup-package-list.txt
apt-get dselect-upgrade

# 4. Reload systemd
systemctl daemon-reload