Making Offsite Yunohost Backups using Rest-Server, Restic & Wireguard
If you only have local backups, you might be unprotected if the backups are physically compromised by fire, flood, or earthquake. It is prudent to have offsite backups.
- Why Wireguard? Because it is much easier than trying to set up firewalls, port forwarding, and HTTPS certificates on Computer B.
Before You Begin
- Basic knowledge of Restic
- Yunohost server with a working Wireguard installation (Computer A)
- Extra computer (Computer B)
- Read my tutorial on making Daily Automated (local) Restic Backups.
- Computer A
  - Yunohost, Debian 10 system
  - located at my home
  - Wireguard IP 10.10.10.0
  - 3 TB external RAID1 for local backups
- Computer B
  - Debian 11 system
  - located at my wife’s workplace
  - Wireguard IP 10.10.10.1
  - running rest-server via Docker
  - 3 TB external RAID1 for backups
Computer A: Is Wireguard working with other devices? Yes? Please continue.
Prepare Computer B
- Install Debian 11
- Install Wireguard
Computer A: Create a Wireguard profile
- Go to the web address you installed Wireguard on and create a profile
- Download the wg0.conf file
Log in to Computer B
- Paste the wg0.conf contents into /etc/wireguard/wg0.conf
```
# will look sort of like this
[Interface]
Address = 10.10.10.1/32,fd42::1/32
PrivateKey = wAspKTj43EE3NZrCfJt4BxdllaHNVnM6Wd+VDsMtqE0=
DNS = 126.96.36.199
[Peer]
PublicKey = PUBLIC_KEY_HERE
PresharedKey = PRESHAREDKEY_HERE
AllowedIPs = 0.0.0.0/0
Endpoint = 188.8.131.52:8095
PersistentKeepalive = 15
```
Connect Computer B to Computer A to test the Wireguard connection
wg-quick up wg0
- On Computer B run
sudo wg
- Does Computer B (10.10.10.1) make a handshake with Computer A (10.10.10.0)? If not, troubleshoot this.
```
$ sudo wg
interface: wg0
  public key: PUBLIC_KEY_HERE
  private key: (hidden)
  listening port: 8095

peer: PEER_KEY_HERE
  preshared key: (hidden)
  endpoint: 155.782.163.111:28759
  allowed ips: 10.10.10.1/32
  latest handshake: 1 minute, 50 seconds ago #THIS IS GOOD!
  transfer: 4.30 GiB received, 30.39 GiB sent
```
- Install docker on Computer B
```
sudo apt-get install ca-certificates curl gnupg lsb-release
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian \
  $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io
```
- Install rest-server on Computer B
docker pull restic/rest-server:latest
docker run -p 8000:8000 -v /my/data:/data --name rest_server restic/rest-server
(NOTE: Change /my/data to the location where you want the rest-server to store your backups. On my server I pointed it to my USB RAID1 @ /mnt/titan. See example below.)
sudo docker run -d -p 8000:8000 -v /mnt/titan/backup:/data --restart always --name rest_server restic/rest-server
- Setup user(s) in Rest-server
- Don’t worry about making a super secure password here. You will only be connecting to this server through Wireguard which is already secure.
docker exec -it rest_server create_user USERNAME_HERE PASSWORD_HERE
docker exec -it rest_server create_user john john123
- Read more about how you can use rest-server for multiple users at the Github page. You could have your whole family have their own restic repository on your backup server, or even have a shared repository.
- Setup Restic repository on Computer B
- If you use my example location, /mnt/titan, see example below.
```
$ restic init --repo /mnt/titan/backup-repo
enter password for new repository:
enter password again:
created restic repository 085b3c76b9 at /mnt/titan/backup-repo
Please note that knowledge of your password is required to access the repository.
Losing your password means that your data is irrecoverably lost.
```
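The `-p 8000:8000` option used above publishes rest-server on every network interface of Computer B, so on Computer B's local network the rest-server password is the only thing guarding port 8000. The check below is an added example, not part of the original tutorial; it lists the addresses other than the Wireguard one that listen on that port, and the variable and function names and the `--check` argument are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): run on Computer B to see which
# local addresses accept connections on rest-server's port.
set -u

WG_ADDR="10.10.10.1"   # Computer B's Wireguard address in this tutorial
REST_PORT="8000"       # host port published by the docker run command

# Print every local address that listens on port $2 and is not $3, one per line.
# $1 is the output of `ss -ltnH`; its 4th column is "Local Address:Port"
# (IPv6 addresses are bracketed, a wildcard shows as 0.0.0.0, [::] or *).
unexpected_listeners() {
  printf '%s\n' "$1" | awk -v port="$2" -v ok="$3" '
    NF >= 4 {
      pos = match($4, /:[0-9]+$/)      # the last colon separates address and port
      if (pos == 0) next
      addr = substr($4, 1, pos - 1)
      if (substr($4, pos + 1) == port && addr != ok) print addr
    }'
}

check_exposure() {
  found=$(unexpected_listeners "$(ss -ltnH)" "$REST_PORT" "$WG_ADDR")
  [ -z "$found" ] && return 0
  echo "port $REST_PORT also listens on: $(printf '%s' "$found" | tr '\n' ' ')" >&2
  return 1
}

# Runs the check only when called with --check, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then check_exposure; fi

# Publishing only on the tunnel address instead (the address must exist when
# the container starts, so wg0 has to be up first):
#   sudo docker run -d -p 10.10.10.1:8000:8000 -v /mnt/titan/backup:/data \
#     --restart always --name rest_server restic/rest-server
```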
Test Your Setup
- Do a Backup Test from Computer A to Computer B
- Run this restic command from Computer A.
sudo restic -r rest:http://john:john123@10.10.10.1:8000/backup-repo/ backup /home/john/ --tag home
- Example above explained:
- This command is using user: john, password: john123 to connect to Computer B at 10.10.10.1 port 8000. It’s making a backup of /home/john/ files to the repository at /mnt/titan/backup-repo/ on Computer B.
Automate Your Backups
I recommend automating your backups so you never forget to make a backup. I back up to my offsite rest-server daily.
- Set up a bash script with multiple lines like in the test you just did.
- Use Cron to run this daily
- Set up another script/cronjob to run a prune job once a week, or month. See my example below where I delete snapshots older than 60 days. On my local restic repository, I keep snapshots for 30 days.
restic -r rest:http://john:john123@10.10.10.1:8000/backup-repo/ forget --group-by tags --keep-last 60 --prune
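One way to write the daily and weekly jobs described above, as an added example that is not part of the original tutorial: the script runs on Computer A, refuses to start unless Computer B has completed a recent Wireguard handshake, and reads the repository URL and password from an environment file instead of the command line. The environment file path, the peer-key placeholder, the 180-second threshold, the install path and the cron schedule are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): offsite backup wrapper for Computer A.
# Hypothetical names: PEER_B_PUBKEY, /root/.restic-offsite.env, the path in the cron lines.
set -u

WG_IF="wg0"
PEER_B_PUBKEY="PUBLIC_KEY_OF_COMPUTER_B"   # placeholder: Computer B's Wireguard public key
MAX_AGE=180   # assumed threshold in seconds; with PersistentKeepalive = 15 a live
              # tunnel normally re-handshakes about every two minutes

# Age in seconds of one peer's last handshake, read from the output of
# `wg show <if> latest-handshakes` ("<public key><TAB><unix time>" per peer).
# Prints -1 when the peer is missing or has never completed a handshake.
handshake_age() {   # $1 = command output, $2 = peer public key, $3 = current unix time
  printf '%s\n' "$1" | awk -v key="$2" -v now="$3" '
    $1 == key { ts = $2 }
    END { if (ts + 0 == 0) print -1; else print now - ts }'
}

tunnel_is_fresh() {   # same arguments as handshake_age
  age=$(handshake_age "$1" "$2" "$3")
  [ "$age" -ge 0 ] && [ "$age" -le "$MAX_AGE" ]
}

require_tunnel() {
  dump=$(wg show "$WG_IF" latest-handshakes) || return 1
  tunnel_is_fresh "$dump" "$PEER_B_PUBKEY" "$(date +%s)" && return 0
  echo "offsite job skipped: no recent handshake with Computer B on $WG_IF" >&2
  return 2
}

load_repo() {
  # The env file (mode 600, root only) sets RESTIC_REPOSITORY to the rest: URL and
  # RESTIC_PASSWORD_FILE to a file holding the repository password, so neither
  # value shows up in the process list.
  . /root/.restic-offsite.env
  export RESTIC_REPOSITORY RESTIC_PASSWORD_FILE
}

case "${1:-}" in
  backup) require_tunnel && load_repo && restic backup /home/john/ --tag home ;;
  prune)  require_tunnel && load_repo && restic forget --group-by tags --keep-last 60 --prune ;;
esac

# /etc/cron.d/offsite-backup (hypothetical):
# 30 2 * * *  root  /usr/local/sbin/offsite-backup.sh backup
# 30 4 * * 0  root  /usr/local/sbin/offsite-backup.sh prune
```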
You need to keep the Wireguard connection active from Computer B to make this all work. Set up a Wireguard service to auto-connect on every reboot.
sudo systemctl enable wg-quick@wg0
sudo systemctl daemon-reload
sudo systemctl start wg-quick@wg0
- Reboot Computer B to make sure this service automatically starts Wireguard again.
- You can check the systemd status of this service.
systemctl status wg-quick@wg0
Congratulations! Your backups are now safe from fire, flood, earthquake, and other physical dangers in your home.