Best way to make an encrypted backup of a home Nextcloud instance

I’m looking for some advice on how to make a full encrypted backup of my home Nextcloud instance.

I’ve done some searching online, but it seems like there are several ways to do this, and I couldn’t really find any good example scripts. A couple tools that I’ve seen people use are duplicity, borg, restic, and kopia, but apparently some are better than others, especially when making incremental backups.

To give some additional context, the amount of data we are talking about is 1 Tb, and incremental backups every week or month would be pretty small. Ideally, this should work easily with some sort of cloud storage (like another Nextcloud or owncloud instance), and it would be even better if there were some simple scripts that could be used to do a full restore if necessary.

Thanks!

Hi, I would recommend a tool like borg or restic for backups.

Just FYI: Nextcloud AIO comes with borg as built-in backup solution.

In addition to what @szaimen said:

  • The answer is “whatever gets you to do backups” + “whatever you’ve confirmed you can restore from” 🙂
  • There are many backup solutions, but a lot of the debates are fairly meaningless unless you’re running into specific issues (note: I’m referring to general data backups here - things are different when we start talking about how to minimize recovery time/etc, but that’s an entirely different discussion)
  • I’d try to settle on your core requirements - e.g. supports B2, has reasonable encryption, reasonably performant in my environment, useable by me in a recovery situation, have a reasonable delta implementation that maps to how I want to manage my data coverage, etc.
  • Some, like Duplicacy, are CLI based but also have optional Web interfaces that can be used for both backup job management and recovery.
  • I’d suggest trying out at least one or two. There really isn’t much downside. And if one immediately is frustrating you, shift your focus to a different one.

Hi @zond

Short answer

Another vote for Borg 🙂

Medium answer

Restic is similar to Borg. But the last time I checked, it wasn’t as feature-rich, e.g. Borg does compression as well as de-duplication. Note that there’s https://www.borgbase.com/ for cloud backups.

Long answer

DISCLAIMER: Some of what follows is specific to my instance and setup (Linux, LVM, ZFS, Apache, Postgres etc). And I’m sure other people do it differently (and possibly much better). So YMMV.

At a minimum, I think one should back up:

  • the Nextcloud data directory
  • the Nextcloud database

…but I also back up:

  • the Nextcloud home/install directory
  • various server-level things

The system backs up every night (to a remote server) like this:

  1. Run the pre-flight script on the remote backup server
  2. Take snapshots of various system Logical Volumes (on the Nextcloud server)
  3. Temporarily put Nextcloud into Maintenance Mode
  4. Take a snapshot of the Logical Volume that houses the Nextcloud install dir
  5. Take a snapshot of the ZFS dataset that houses the Nextcloud data dir
  6. Dump out the Nextcloud DB
  7. Take Nextcloud out of Maintenance Mode
  8. Back up the LVM & ZFS snapshots and the DB to the remote backup server
  9. Prune old backups from the repo
  10. Trigger the post-flight script on the remote backup server

Snapshotting is virtually instantaneous and dumping out the DB doesn’t take very long, so NC is only unavailable briefly.

In addition to the backup script itself (on the Nextcloud server) and the pre- and post-flight scripts (on the remote backup server), there’s also:

  • a “borg” user account (on the Nextcloud server) to do all this
  • a sudoers file for it (because it needs to run various commands with elevated privileges)
  • an SSH config file (so it can connect to the remote backup server)
  • a .pgpass file for it (so that it has access to the Postgres “backup” role)
  • a .bashrc file for it (to set various env vars)
  • a systemd service file and timer file (to trigger this in the early hours of the morning)

It works well.

When backups fail, it’s usually due to DB changes caused by installing or updating apps or Nextcloud itself (obvious in the log file). So I just re-GRANT the required perms (and ALTER DEFAULT PRIVS) then do a test dump of the DB. The next night the backup runs fine.
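
Steps 3 to 9 of the nightly sequence in the post above, as an added example that is not the poster's own script: it shows how to make sure Nextcloud leaves maintenance mode even when a snapshot or the DB dump fails, and that nothing is sent to the encrypted Borg repo in that case. All paths, the volume, dataset, role, database and repository names, the retention values and the snapshot cleanup step are assumptions; by default it is a dry run that only prints the planned commands (set DRY_RUN=0 to execute them).

```shell
# Added example, not the poster's script. Every path, volume, dataset, role,
# database and repository name below is a hypothetical placeholder.
set -eu

NC_DIR=/var/www/nextcloud               # assumed Nextcloud install dir
LV=vg0/nextcloud                        # assumed LVM volume holding it
ZFS_DS=tank/ncdata ZFS_MNT=/tank/ncdata # assumed data-dir dataset + mountpoint
SNAP_MNT=/mnt/nc-snap                   # assumed mountpoint for the LV snapshot
DUMP=/var/backups/nextcloud.pgdump      # assumed DB dump location
# Repo assumed created once with: borg init --encryption=repokey-blake2
# The passphrase is expected from BORG_PASSCOMMAND in the backup user's env.
export BORG_REPO="${BORG_REPO:-ssh://borg@backup.example/./nextcloud}"
DRY_RUN="${DRY_RUN:-1}"                 # 1 = only record the plan, 0 = execute
PLAN=""

run() {                   # record every command; execute it unless dry-running
  PLAN="${PLAN}$*
"
  [ "$DRY_RUN" = 1 ] || "$@"
}
maintenance() { run sudo -u www-data php "$NC_DIR/occ" maintenance:mode "--$1"; }

quiesced_steps() {        # steps 4-6: must see a consistent Nextcloud
  run sudo lvcreate --snapshot --size 5G --name "nc-$1" "$LV" &&
  run sudo zfs snapshot "$ZFS_DS@$1" &&
  run pg_dump --username=backup --format=custom --file="$DUMP" nextcloud
}

cleanup() {               # added here so snapshots do not pile up between runs
  run sudo umount "$SNAP_MNT" || true
  run sudo lvremove --yes "${LV%/*}/nc-$1" || true
  run sudo zfs destroy "$ZFS_DS@$1" || true
}

backup() {                # $1 = snapshot/archive tag, e.g. a date
  PLAN=""; rc=0
  maintenance on || return 1
  quiesced_steps "$1" || rc=$?
  maintenance off || return 1  # step 7 runs even when a quiesced step failed
  if [ "$rc" -eq 0 ]; then     # step 8: encrypted archive from the snapshots
    run sudo mount -o ro "/dev/${LV%/*}/nc-$1" "$SNAP_MNT" &&
    run borg create --compression zstd "::nextcloud-$1" \
        "$SNAP_MNT" "$ZFS_MNT/.zfs/snapshot/$1" "$DUMP" || rc=$?
  fi
  cleanup "$1"
  [ "$rc" -eq 0 ] || return "$rc"
  run borg prune --glob-archives 'nextcloud-*' --keep-daily 7 --keep-weekly 4
}

backup "$(date +%F)" && printf '%s' "$PLAN"
```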