• 0 Posts
  • 5 Comments
Joined 3 years ago
cake
Cake day: December 12th, 2023

help-circle
  • I’m going to post all the commands I use because I think that may be easier to follow. All the commands I’m posting will include the --dry-run option so if anyone tries to copy/paste this into their terminal, no actions will be taken. Instead it will show you what is going to happen if you ran the command without any changes.

    As I mentioned before, each partition will require it’s own command. The easiest way is using lsblk. Below is my current setup and here you can see I have 5 partitions. One partition is a swap so I will only be working with 4 partitions, /, /boot, /boot/efi and /home:

    dell:~ $ lsblk
    NAME                  MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
    nvme0n1               259:0    0 953.9G  0 disk  
    ├─nvme0n1p1           259:1    0   500M  0 part  /boot/efi
    ├─nvme0n1p2           259:2    0  62.5G  0 part  
    │ └─luks1-dell        253:0    0  62.5G  0 crypt 
    │   ├─vg_dell-lv_boot 253:1    0   500M  0 lvm   /boot
    │   ├─vg_dell-lv_swap 253:2    0     8G  0 lvm   [SWAP]
    │   ├─vg_dell-lv_root 253:3    0    38G  0 lvm   /
    │   └─vg_dell-lv_home 253:4    0    16G  0 lvm   /home
    ├─nvme0n1p3           259:3    0   600G  0 part  
    ├─nvme0n1p4           259:4    0 270.9G  0 part  
    └─nvme0n1p5           259:5    0    20G  0 part 
    

    It’s good to first check what partitions you are using. My Raspberry Pi’s (ARM) only have / and /boot for example.

    The following rsync commands are what I use to make a complete backup of my system. I do exclude a number of directories because they are for temporary stuff like ram, processes or even devices/drives. It’s also important to exclude the specified backup directory to avoid recursing into the backup directory and filling up your storage space.

    I have a manual backup location and automated backup location. The following is for my manual backup location in /backup/main on my system. This location can be changed to wherever you want your backup.

    # Backup
    # /
    rsync --dry-run --archive --acls --one-file-system --xattrs --hard-links --sparse --verbose --human-readable --partial --progress --numeric-ids --delete --exclude=/backup/* --exclude=/boot/* --exclude=home/* --exclude=proc/* --exclude=sys/* --exclude=dev/* --exclude=tmp/* --exclude=run/* --exclude=mnt/* --exclude=media/* '/' '/backup/main/'
    
    # /boot/
    rsync --dry-run --archive --acls --one-file-system --xattrs --hard-links --sparse --verbose --human-readable --partial --progress --numeric-ids --delete --exclude=lost+found '/boot/' '/backup/main/boot/'
    
    # /boot/efi/
    rsync --dry-run --archive --acls --one-file-system --xattrs --hard-links --sparse --verbose --human-readable --partial --progress --numeric-ids --delete --exclude=lost+found '/boot/efi/' '/backup/main/boot/efi/'
    
    # /home/
    rsync --dry-run --archive --acls --one-file-system --xattrs --hard-links --sparse --verbose --human-readable --partial --progress --numeric-ids --delete --exclude=lost+found --exclude=.cache/* '/home/' '/backup/main/home/'
    
    rsync restore commands
    # Restore
    # /
    rsync --dry-run --archive --acls --one-file-system --xattrs --hard-links --sparse --verbose --human-readable --partial --progress --numeric-ids --delete --exclude=/backup/* --exclude=/boot/* --exclude=home/* --exclude=proc/* --exclude=sys/* --exclude=dev/* --exclude=tmp/* --exclude=run/* --exclude=mnt/* --exclude=media/* '/backup/main/' '/'
    
    # /boot/
    rsync --dry-run --archive --acls --one-file-system --xattrs --hard-links --sparse --verbose --human-readable --partial --progress --numeric-ids --delete --exclude=lost+found '/backup/main/boot/' '/boot/'
    
    #/boot/efi/
    rsync --dry-run --archive --acls --one-file-system --xattrs --hard-links --sparse --verbose --human-readable --partial --progress --numeric-ids --delete --exclude=lost+found '/backup/main/boot/efi/' '/boot/efi/'
    
    # /home
    rsync --dry-run --archive --acls --one-file-system --xattrs --hard-links --sparse --verbose --human-readable --partial --progress --numeric-ids --delete --exclude=lost+found --exclude=.cache/* '/backup/main/home/' '/home/'
    

    It’s been a while since I last researched these options so I’ll give a brief explanation of the types of options I used. I’d suggest having a look online or at the man page to get a better idea of what each option does.

    Options:

    --dry-run Only displays what rsync will do, remove this once you are ready to commit any syncs/changes

    archive --acls --one-file-system --xattrs --hard-links --sparse Helps preserve file attributes and other information. I think hard-links is also used to reduce backup size. There are many rsync guides that will give a better explanation of how hard-links work

    verbose --human-readable --partial --progress will display visual data about what rsync will do

    --numeric-ids I use this because I store multiple device backups on a single drive which gets copied to other storage devices. This stores file ownership information as numeric values to prevent ownership issues when restoring

    --delete this will force the destination directory to match the source directory completely. If you delete a file from the source directory, when you perform a sync, it will delete the same fie in the destination directory. This can be dangerous if you are not prepared for it. This is why --dry-run is so important and useful.

    Extra options: My automated scripts use 2 additional options. I keep a rolling set of 4 backups (One month of weekly backups). I create a new directory /backup/updating and use a symlink from/backup/latest that points to the most recent automated backup. After the backup is created, I rename /backup/updating to something with a timestamp like /backup/backup_2026-07-01_1782882013

    --mkpath will create any non existing directories specified in the command

    --link-dest=/backup/latest/ will use the unchanged files from this directory to help reduce backup sizes. I think this is called an incremental backup

    This has been the most reliable way to handle backups for myself. I do run into issues with docker/podman containers sometimes and will have to manually delete those directories. I haven’t figured out how to deal with that issue yet but fortunately it’s easy to find those directories. Running the command will give errors about what directories can’t be removed which makes it easy to hand delete them in another terminal window.


  • Timeshift is essentially a gui on top of rsync anyway, if you look at what it’s doing behind the scenes.

    That’s the reason why I chose to learn rsync. I was frustrated with Timeshift. It failed to restore some changes multiple times. It gave me issues with docker. It also had default excludes that were annoying to change as well.

    I then learned how to make a complete system backup with rsync itself. /, /boot/ and /boot/efi/ has to be done on separate rsync commands. Basically one command per partition.

    A restore involves flipping the source and destination in the rsync command. It also allows me to boot into a live USB and perform a restore in the event that I really mess up and can’t perform a restore normally through the installed OS.

    By leaving behind the GUI, I got a lot more flexibility. It’s also a lot more reliable and I’ve had a lot less restore issues.



  • I’ve been trying to find a balance between what I currently own, what I can do with it and using as little outside resources to self host. I’m also cautious about what has access to the internet which limits what I host.

    I have two Raspberry Pi’s. One is only accessible through my home’s local network through my WiFi Extender network. That WiFi extender also helps hide my personal network from my ISP which see’s everything connected to the main modem/router. This Pi is strictly for my IoT devices.

    My other Pi is a web facing server. It has Caddy and Kiwix. It hosts a static blog, simple file server which servers my git repositories, some survival ebooks, plain text recipes and a bunch of programming related resources. Kiwix has a bunch of wikis, Wikipedia to survival stuff, vegetarianism, coding stuff and things surrounding those topics generally. I generally avoid anything that uses databases because I don’t have the energy to learn, maintain and protect that. Plus I have a focus on small, low powered minimalism.

    Those Pi’s both use Alpine Linux. I chose Alpine because it’s small and uses less common tools. doas over sudo, OpenRC over SystemD, and Musl over glibc. It’s a bit of security by obscurity but I’ve also made efforts to harden Alpine Linux itself too. I’ve disabled a lot of kernel modules, made strict firewall rules, and made sure to include the use of apparmor. I’ve also written all my backup solutions and maintenance scripts myself and tested as thoroughly as I am capable of. I also avoid complexity by keeping things as minimal as possible to reduce the surface area of any possible attacks.

    I use podman containers to keep everything in the userspace. Caddy is my reverse proxy which means only one port is freely accessible to the internet. I also use a wildcard cert to obscure my publicly available information and use an uncommon port instead of the standard 80/433 ports. Because of the wildcard cert/uncommon port, I receive no bot traffic so I don’t feel the need to use Cloudflare or Anubis. I’m hidden enough and the only people I want on my blog/file server/Kiwix wiki’s are close friends.

    For SSH, I’ve hidden all those behind WireGuard so the second open port to my web server looks hidden from scanners (at least that’s how I understand it). I used to use a custom port which only got about 15 hits a week from bots appearing from the Netherlands. That number has since dropped to zero after setting up WireGuard. I’m sure the bots are attempting but they aren’t making any appearances in my logs and that’s good enough for me.

    I’m happy more talk about security has been popping up lately. So many websites focus on getting things running and just don’t take any time to talk about security. I had to switch from docker to podman because docker had so much control over iptables that never got reported to ufw which was a concern for me. That point is rarely talked about since it’s so easy to copy and run a docker-compose.yml file.