Making Offsite Yunohost Backups using Rest-Server, Restic & Wireguard

If you only have local backups, you might be unprotected if the backups are physically compromised by fire, flood, or earthquake. It is prudent to have offsite backups.

Aim

To make daily offsite backups with Restic from Computer A to Computer B running a Rest-server. The computers will be connected through Wireguard*.

  • Why Wireguard? Because it is much easier than trying to set up firewalls, port forwarding, and HTTPS certificates on Computer B.

Before You Begin

My Setup

  • Computer A
    • Yunohost, Debian 10 system
    • located at my home
    • Wireguard IP 10.10.10.0
    • 3 TB external RAID1 for local backups
  • Computer B
    • Debian 11 system
    • located at my wife’s workplace
    • Wireguard IP 10.10.10.1
    • running rest-server via Docker
    • 3 TB external RAID1 for backups

Step-by-Step Tutorial

Setup Wireguard

  • Computer A: Is Wireguard working with other devices? Yes? Please continue.

  • Prepare Computer B

    • Install Debian 11
    • Install Wireguard
  • Computer A: Create a Wireguard profile

    • Go to the web address you installed Wireguard on, create a profile
    • Download the wg0.conf file
  • Login to Computer B

    • Paste wg0.conf contents into /etc/wireguard/wg0.conf
    # will look sort of like this
    [Interface]
    Address = 10.10.10.1/32,fd42::1/32
    PrivateKey = PRIVATE_KEY_HERE
    DNS = 1.1.1.1
    
    [Peer]
    PublicKey = PUBLIC_KEY_HERE
    PresharedKey = PRESHAREDKEY_HERE
    # 0.0.0.0/0 routes all of Computer B's traffic through the tunnel
    AllowedIPs = 0.0.0.0/0
    Endpoint = 49.159.85.76:8095
    # keepalive holds the tunnel open so Computer A can always reach Computer B
    PersistentKeepalive = 15
    
  • Connect Computer B to Computer A to test the Wireguard connection

    • Run wg-quick up wg0
    • On Computer B, run sudo wg. Does Computer B (10.10.10.1) make a handshake with Computer A (10.10.10.0)? If not, troubleshoot this.
$ sudo wg
interface: wg0
public key: PUBLIC_KEY_HERE
private key: (hidden)
listening port: 8095

peer: PEER_KEY_HERE
preshared key: (hidden)
endpoint: 155.782.163.111:28759
allowed ips: 10.10.10.1/32
latest handshake: 1 minute, 50 seconds ago #THIS IS GOOD!
transfer: 4.30 GiB received, 30.39 GiB sent

Setup Docker

  • Install docker on Computer B
    1. sudo apt-get install ca-certificates curl gnupg lsb-release
    2. curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
    3. echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
    4. sudo apt-get update
    5. sudo apt-get install docker-ce docker-ce-cli containerd.io

Setup Rest-Server

  • Install rest-server on Computer B
    1. docker pull restic/rest-server:latest
    2. docker run -p 8000:8000 -v /my/data:/data --name rest_server restic/rest-server (NOTE: Change /my/data to the location you want the rest-server to store your backups. On my server I pointed it to my USB RAID1 @ /mnt/titan. See example below.)
sudo docker run -d -p 8000:8000 -v /mnt/titan/backup:/data --restart always --name rest_server restic/rest-server
  • Setup user(s) in Rest-server
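    • Don’t worry about making a super secure password here. You will only be connecting to this server through Wireguard which is already secure. That only holds if port 8000 is reachable through Wireguard alone: Docker publishes the port on every network interface of Computer B by default, so bind it to the Wireguard address (10.10.10.1) or firewall it off from the local network.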
    • docker exec -it rest_server create_user USERNAME_HERE PASSWORD_HERE
    • example: docker exec -it rest_server create_user john john123
    • Read more about how you can use rest-server for multiple users at the Github page. You could have your whole family have their own restic repository on your backup server, or even have a shared repository.
  • Setup Restic repository on Computer B
    • If you use my example location, /mnt/titan, see example below.
$ restic init --repo /mnt/titan/backup-repo
enter password for new repository:
enter password again:
created restic repository 085b3c76b9 at /mnt/titan/backup-repo
Please note that knowledge of your password is required to access the repository.
Losing your password means that your data is irrecoverably lost.

Test Your Setup

  • Do a Backup Test from Computer A to Computer B
    • Run this restic command from Computer A.
sudo restic -r rest:http://john:john123@10.10.10.1:8000/backup-repo/ backup /home/john/ --tag home
  • Example above explained: This command uses user john with password john123 to connect to Computer B at 10.10.10.1, port 8000. It makes a backup of the files in /home/john/ to the repository at /mnt/titan/backup-repo/ on Computer B.

Wrapping Up

Automate Your Backups

I recommend automating your backups so you never forget to make a backup. I back up to my offsite rest-server daily.

  • Set up a bash script with multiple lines like in the test you just did.
  • Use Cron to run this daily
  • Set up another script/cronjob to run a prune job once a week, or month. See my example below where I delete snapshots older than 60 days (--keep-last 60 keeps the newest 60 snapshots in each tag group, which with daily backups is 60 days). On my local restic repository, I keep snapshots for 30 days.
restic -r rest:http://john:john123@10.10.10.1:8000/backup-repo/ forget --group-by tags --keep-last 60 --prune
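
A possible shape for the daily and weekly cron jobs described above, as an added example that is not the author's script: it skips the run when Computer A has no recent Wireguard handshake with Computer B, and reads the repository URL and password from root-only files instead of putting john:john123 on the command line. The interface name, the peer-key placeholder, the 300-second limit and the two /root file paths are assumptions.

```shell
#!/bin/bash
# Added example for Computer A: backup/prune wrapper meant to be run from cron.
set -eu

WG_IF="wg0"                       # assumption: Wireguard interface on Computer A
PEER_KEY="COMPUTER_B_PUBLIC_KEY"  # placeholder: Computer B's public key
MAX_AGE=300                       # assumed limit (seconds) for a "live" tunnel
URL_FILE=/root/.restic-offsite-url    # hypothetical, chmod 600; holds the rest:http://... URL
PASS_FILE=/root/.restic-offsite-pass  # hypothetical, chmod 600; repository password

# Constructed sample of `wg show wg0 latest-handshakes` output (not real keys).
SAMPLE_HANDSHAKES="$(printf 'PEER_B_KEY\t1700000000\nPEER_C_KEY\t0')"

# handshake_age PEER NOW: reads "<public-key><TAB><unix-time>" lines on stdin
# and prints the peer's handshake age in seconds. Fails when the peer is
# absent or has never completed a handshake (timestamp 0).
handshake_age() {
    awk -v peer="$1" -v now="$2" '
        $1 == peer { ts = $2; found = 1 }
        END { if (!found || ts == 0) exit 1; print now - ts }'
}

# tunnel_is_fresh PEER NOW MAX_AGE: succeeds only for a recent handshake.
tunnel_is_fresh() {
    local age
    age=$(handshake_age "$1" "$2") || return 1
    [ "$age" -ge 0 ] && [ "$age" -le "$3" ]
}

# run_job RESTIC_ARGS...: checks the tunnel, then runs restic with the
# repository URL and password taken from root-only files, so the credentials
# appear neither in the crontab nor in `ps` output.
run_job() {
    if ! wg show "$WG_IF" latest-handshakes |
            tunnel_is_fresh "$PEER_KEY" "$(date +%s)" "$MAX_AGE"; then
        echo "no recent handshake with Computer B, skipping restic $1" >&2
        return 1
    fi
    RESTIC_REPOSITORY="$(cat "$URL_FILE")" RESTIC_PASSWORD_FILE="$PASS_FILE" \
        restic "$@"
}

# Cron calls the script with "backup" (daily) or "prune" (weekly or monthly).
case "${1:-}" in
    backup) run_job backup /home/john/ --tag home ;;
    prune)  run_job forget --group-by tags --keep-last 60 --prune ;;
esac
```

A non-zero exit on a skipped run lets cron's mail or any wrapper alerting report that the offsite copy was not made that day.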

Wireguard Autostart

You need to keep the Wireguard connection active from Computer B to make this all work. Set up a Wireguard service to auto-connect on every reboot.

  1. sudo systemctl enable wg-quick@wg0.service
  2. sudo systemctl daemon-reload
  3. sudo systemctl start wg-quick@wg0
  4. Reboot Computer B to make sure this service automatically starts Wireguard again.
  5. You can check the systemd status of this service: systemctl status wg-quick@wg0

Finished!

Congratulations! Your backups are now safe from fire, flood, earthquake, and other physical dangers in your home.

Troubleshooting

  • Problems? Ask me on the Yunohost Forums.
  • If you have more Restic/Rest-server questions, the people on the Restic forum are very helpful as well.