eddie/homelab
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 2
homelab/compose/services/backrest/README.md
Claude cce203ed62
feat: Add service template, backup solution, dashboard, and IaC tooling 
This commit adds several new features to enhance homelab management:

## New Services

### Backrest (backup.fig.systems)
- Modern web UI for managing Restic backups
- Encrypted, deduplicated backups to Backblaze B2
- Automated scheduling and retention policies
- Pre-configured to backup Immich photos and homelab configs
- SSO protected via tinyauth

### Homarr (home.fig.systems)
- Auto-discovery dashboard for all homelab services
- Docker socket integration for service monitoring
- Clean, modern interface with customizable widgets
- SSO protected via tinyauth

## Infrastructure

### Service Template System (templates/service-template/)
- Complete template with all common patterns
- Traefik labels, health checks, dependencies
- Environment variable examples
- Comprehensive README with usage instructions
- Ensures consistency across all new services

### OpenTofu/Terraform IaC (terraform/)
- Complete Proxmox VM provisioning setup
- Cloud-init automation for Docker host creation
- Automated Docker installation and configuration
- Media directory structure creation
- Step-by-step documentation including:
  - Cloud template creation guide
  - Variable configuration examples
  - Resource sizing recommendations
  - Security hardening options

## Documentation Updates
- Updated README with new service URLs
- Added Homarr and Backrest to directory structure
- Updated deployment instructions
- Added service table entries for new services

All new services follow established patterns:
- External homelab network
- Let's Encrypt SSL via Traefik
- Dual domain support (fig.systems + edfig.dev)
- Consistent naming and structure
2025-11-05 21:54:30 +00:00

346 lines
8.4 KiB
Markdown
Raw Blame History

# Backrest - Web UI for Restic Backups
Backrest provides a modern web interface for managing Restic backups with support for Backblaze B2 (S3-compatible) storage.
## Features
- **Web UI**: User-friendly interface for managing backups
- **Encrypted Backups**: Uses Restic for encrypted, deduplicated backups
- **Scheduling**: Built-in scheduler for automatic backups
- **Monitoring**: View backup status, logs, and statistics
- **Multiple Repositories**: Support for multiple backup destinations
- **Retention Policies**: Automatic cleanup of old backups
- **Notifications**: Email and webhook notifications for backup events
## Quick Start
### 1. Start the Service
```bash
cd compose/services/backrest
docker compose up -d
```
### 2. Access Web UI
Open your browser and navigate to:
- https://backup.fig.systems
- Or: https://backup.edfig.dev
Login with your SSO credentials (tinyauth).
### 3. Configure Backblaze B2 Repository
1. **Create B2 Bucket** (if not already done):
- Go to https://secure.backblaze.com/b2_buckets.htm
- Click "Create a Bucket"
- Name: `homelab-backups` (or your choice)
- Files: Private
- Encryption: Server-Side (or Disabled - Backrest encrypts client-side)
2. **Create Application Key**:
- Go to https://secure.backblaze.com/app_keys.htm
- Click "Add a New Application Key"
- Name: `backrest-homelab`
- Access: Read and Write
- Bucket: Select your backup bucket
- Save the `keyID` and `applicationKey`
3. **Add Repository in Backrest**:
- Click "Add Repository"
- Repository Name: `B2 Immich Photos`
- Storage Type: `S3-compatible storage`
- Configuration:
```
Endpoint: s3.us-west-002.backblazeb2.com
Region: us-west-002
Bucket: homelab-backups
Path: /immich-photos
Access Key ID: [your B2 keyID]
Secret Access Key: [your B2 applicationKey]
```
- Encryption Password: Set a strong password (SAVE THIS!)
- Click "Initialize Repository"
### 4. Create Backup Plan
1. **Add Plan**:
- Click "Add Plan"
- Plan Name: `Immich Daily Backup`
- Repository: Select your B2 repository
- Paths to Backup:
- `/backups/immich`
- Exclude Patterns (optional):
- `*.tmp`
- `*.log`
2. **Schedule**:
- Backup Schedule: `0 3 * * *` (3 AM daily)
- Enable "Automatic Backups"
3. **Retention Policy**:
- Keep Last: 7 daily backups
- Keep Weekly: 4 weekly backups
- Keep Monthly: 6 monthly backups
- Keep Yearly: 2 yearly backups
4. **Notifications** (optional):
- Configure email or webhook for backup status
- Alert on failures
### 5. Run First Backup
Click "Run Now" to start your first backup immediately.
## Backup Locations
The service has access to these directories:
- `/backups/immich` - Immich photos (read-only)
- `/backups/homelab-config` - All compose configurations (read-only)
You can add more volumes in `compose.yaml` as needed.
## Monitoring
### View Backup Status
In the Backrest web UI:
- Dashboard shows all backup plans and their status
- Click on a plan to see backup history
- View logs for detailed information
### Check Repository Size
```bash
# Via web UI: Repository → Statistics
# Shows: Total size, deduplicated size, number of snapshots
```
### Verify Backups
Backrest has built-in verification:
1. Go to Repository → Verify
2. Click "Run Verification"
3. Check results for any errors
## Restore Files
### Via Web UI
1. Go to Plan → Snapshots
2. Select snapshot to restore
3. Click "Browse Files"
4. Select files/folders to restore
5. Choose restore location
6. Click "Restore"
### Via CLI (Advanced)
```bash
# List snapshots
docker exec backrest restic -r [repository] snapshots
# Restore specific snapshot
docker exec backrest restic -r [repository] restore [snapshot-id] --target /restore
# Restore specific file
docker exec backrest restic -r [repository] restore [snapshot-id] --target /restore --include /path/to/file
```
## Configuration Backup
### Backup Backrest Config
Your Backrest configuration (plans, schedules, repositories) is stored in:
- `./config/config.json`
**Important**: Backup this file! It contains your repository credentials (encrypted).
```bash
# Create backup
cp config/config.json config/config.json.backup
# Restore backup
cp config/config.json.backup config/config.json
docker compose restart
```
### Export Configuration
In Web UI:
1. Settings → Export Configuration
2. Save JSON file securely
3. Store encryption passwords separately
## Troubleshooting
### Cannot Access Web UI
Check container status:
```bash
docker compose logs backrest
docker compose ps
```
Verify Traefik routing:
```bash
docker logs traefik | grep backrest
```
### Backup Fails
1. **Check Logs**:
- Web UI: Plan → View Logs
- Or: `docker compose logs -f backrest`
2. **Verify B2 Credentials**:
- Test connection in Repository settings
- Ensure application key has read/write access
3. **Check Disk Space**:
```bash
df -h
docker exec backrest df -h /cache
```
### Repository Locked
If a backup is interrupted, the repository may be locked:
```bash
# Via Web UI: Repository → Unlock
# Or via CLI:
docker exec backrest restic -r [repository] unlock
```
### Slow Backups
1. **Enable Caching**: Already configured via `XDG_CACHE_HOME`
2. **Increase Upload Speed**: Check B2 endpoint is geographically close
3. **Exclude Unnecessary Files**: Add patterns to exclude list
## Security Considerations
### Encryption
- **Client-side**: All data encrypted before upload
- **Repository Password**: Required to access backups
- **Storage**: Store repository passwords in password manager
### Access Control
- **SSO Protected**: Web UI requires authentication via tinyauth
- **API Keys**: B2 application keys scoped to specific bucket
- **Read-Only Mounts**: Backup sources mounted read-only
### Best Practices
1. **Test Restores**: Regularly test restoring files
2. **Monitor Backups**: Check backup status weekly
3. **Verify Integrity**: Run verification monthly
4. **Secure Passwords**: Use strong, unique repository passwords
5. **Document Recovery**: Keep recovery procedures documented
6. **Offsite Storage**: B2 provides geographic redundancy
## Advanced Configuration
### Add More Backup Sources
Edit `compose.yaml` to add more volumes:
```yaml
volumes:
- /path/to/backup:/backups/name:ro
```
Then create a new backup plan in the web UI.
### Multiple Repositories
Configure multiple destinations:
1. Primary: Backblaze B2
2. Secondary: Local NAS/USB drive
3. Archive: Another cloud provider
### Webhooks
Configure webhooks for monitoring:
1. Settings → Notifications
2. Add Webhook URL (e.g., Discord, Slack, Uptime Kuma)
3. Select events: Backup Success, Backup Failure
### Custom Retention
Fine-tune retention policies:
```
--keep-within 7d
--keep-within-daily 30d
--keep-within-weekly 90d
--keep-within-monthly 1y
--keep-within-yearly 5y
```
## Resource Usage
**Typical Usage:**
- CPU: Low (spikes during backup)
- Memory: ~200-500MB
- Disk: Cache grows over time (monitor)
- Network: Depends on backup size
**Monitoring Cache Size:**
```bash
du -sh compose/services/backrest/cache
```
Clean cache if needed (safe to delete - will rebuild):
```bash
rm -rf compose/services/backrest/cache/*
docker compose restart
```
## Backrest vs Duplicati
We chose Backrest over Duplicati because:
- **Modern**: Built on Restic (actively developed)
- **Performance**: Better deduplication and compression
- **Reliability**: Restic is battle-tested
- **Features**: More advanced scheduling and monitoring
- **UI**: Clean, responsive interface
## Cost Estimation
**Backblaze B2 Pricing (2024):**
- Storage: $0.006/GB/month
- Download: $0.01/GB (first 3x storage free)
- Upload: Free
**Example: 100GB Immich photos**
- Storage Cost: $0.60/month
- Download (3 restores/month): Free
- **Total: ~$0.60/month**
**With Deduplication:**
- First backup: 100GB
- Daily incrementals: ~1-5GB
- Monthly growth: ~20GB
- Avg monthly cost: ~$0.70
## Resources
- [Backrest Documentation](https://github.com/garethgeorge/backrest)
- [Restic Documentation](https://restic.readthedocs.io/)
- [Backblaze B2 Documentation](https://www.backblaze.com/b2/docs/)
- [S3-compatible API Guide](https://www.backblaze.com/b2/docs/s3_compatible_api.html)
## Next Steps
1. ✅ Configure B2 repository
2. ✅ Create backup plan for Immich
3. ⬜ Run initial backup
4. ⬜ Verify backup integrity
5. ⬜ Test restore procedure
6. ⬜ Set up notifications
7. ⬜ Add homelab-config backups
8. ⬜ Schedule monthly verification
Reference in a new issue View git blame Copy permalink