Micha/homelab-infra
1
0
Fork 0
Code Issues 1 Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
cd650b19ac057a1b74ac63503e5dba50eaf5b8ea
homelab-infra/ops/borg-ui/BACKUP_SCOPE.md
T
Micha cd650b19ac Close Gitea signup, dedup posture-check alerts, extend Borg scope 
Operational hardening across several services after live incident
analysis between 2026-05-18 and 2026-05-20:

- Gitea: disable public registration and OpenID signup/signin to
  stop the external POST / 5xx bursts that triggered availability
  alerts. New repo-wide policy requires every productive
  Micha/homelab-infra Komodo stack to ship with an active
  Gitea->Komodo webhook on the current stack ID (documented in
  CLAUDE.md, AI_CONTEXT.md, WORKFLOW.md).
- posture-check: extract the Disk1 fstype check into its own
  function so the documented Disk1 NTFS exception no longer raises
  ntfy warnings, skip POSIX inode checks on NTFS, and dedup ntfy
  alerts via a fingerprint state file with ALERT_REPEAT_SECONDS
  (default 24h). Repeat-spam on the same cause now suppressed.
- docker-critical-events: parse the event JSON for container name,
  action, exit code and signal; drop `die exit=0` events (clean
  stops); ship a structured ntfy message instead of the raw event
  line.
- Borg UI: mount /mnt/user/services into the backup container as
  /local/services:ro and include homelab-infra, stacks and
  posture-check in all-important-sources.txt. RESTORE_MATRIX and
  DISASTER_RECOVERY updated accordingly.
- Unraid user scripts: document the new
  homelab-operations-report-daily cron job and the SMTP password
  file it expects on the host.
- MIGRATION_LOG: capture the four live events from this window -
  Gitea 5xx burst + signup closure, Komodo webhook reconciliation,
  posture-check host-version verification, Borg scope extension,
  and Traefik 5xx alert detuning.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-23 11:05:35 +02:00

5.1 KiB
Raw Blame History

Borg Backup Scope for KalliLabcore

Stand: 2026-05-16

This file defines the target state for replacing Backrest with Borg in this homelab.

Goal

Use Borg as the single backup system for:

  • critical file-backed application data
  • secrets, keys, and reverse-proxy state
  • database dumps generated before each Borg backup

Do not back up raw live database storage directories as the primary recovery artifact.

Strategy

  1. A pre-backup dump script runs on the host and writes fresh dumps to /mnt/user/backups/borg/dumps/latest.
  2. Borg backs up /local/borg-dumps plus the critical mounted paths below.
  3. Borg retention handles history; the dump directory itself keeps only the latest artifacts.

The inclusion of /local/secrets is intentional: Borg is expected to cover disaster recovery for selected secret material as part of the current homelab restore strategy.

Service Inventory

Service Recovery Method What Borg Should Capture
Vaultwarden SQLite dump + file data /local/borg-dumps, /local/appdata/vaultwarden
Paperless DB dump + file data /local/borg-dumps, /local/appdata/paperless-ngx/data, /local/paperless/media, /local/paperless/export, /local/paperless/consume
Immich DB dump + file data /local/borg-dumps, /local/immich/upload, /local/immich/external
Gitea SQLite dump + file data /local/borg-dumps, /local/gitea/data
Mealie DB dump + file data /local/borg-dumps, /local/appdata/mealie/data
Mail-archiver shared Postgres dump + data protection keys /local/borg-dumps, /local/appdata/mailarchiver/data-protection-keys
Authelia shared Postgres dump + config + secrets /local/borg-dumps, /local/appdata/authelia/config, /local/secrets
Traefik file data /local/appdata/traefik
Homepage file data /local/appdata/homepage
ntfy file data /local/appdata/ntfy
Paperless-GPT file data /local/appdata/paperless-gpt
Tailscale file data /local/appdata/tailscale
AdGuard config only /local/appdata/adguard/conf
Borg UI SQLite dump + self-backup /local/borg-dumps, /local/appdata/borg-ui/data
Komodo config + Mongo dump /local/borg-dumps, /local/appdata/komodo/periphery, /local/appdata/komodo/core
GitOps host automation repo clone + Komodo workspaces + host-check state /local/services/homelab-infra, /local/services/stacks, /local/services/posture-check
Nextcloud DB dump + file data /local/borg-dumps, /local/appdata/nextcloud/html, /local/nextcloud/data
Grafana SQLite dump + file data /local/borg-dumps, /local/appdata/grafana
Filebrowser file-backed state dump + file data /local/borg-dumps, /local/appdata/filebrowser
InfluxDB 3 Core file data /local/appdata/influxdb3/data, /local/appdata/influxdb3/plugins
Hermes Agent file data + SSH key /local/appdata/hermes-agent/data, /local/secrets/hermes_runner_id_ed25519
BentoPDF rebuildable no critical persistence in compose

Open Decisions and Coverage Gaps

These are deviations from the standard "DB dump first, file path second" strategy. Decide deliberately, do not silently extend.

Nextcloud

Option A umgesetzt: pre-backup-dumps.sh writes nextcloud.dump from nextcloud-postgres. Borg UI also mounts /mnt/user/documents/nextcloud-data read-only as /local/nextcloud/data, so database and user files are both inside scope after the Borg UI stack is recreated.

Komodo Mongo dump

komodo-mongo.archive.gz was produced and verified on 2026-05-04 (gzip -t ok). The dump function is in place in pre-backup-dumps.sh. Re-verify after any Komodo or Mongo major upgrade.

GitOps host automation

The live Unraid User Scripts execute repo scripts from /mnt/user/services/homelab-infra, while Komodo keeps stack workspaces below /mnt/user/services/stacks. These paths are now mounted into Borg UI as /local/services/... and included explicitly so host-side script hotfixes, stack workspace state, and posture-check state are recoverable.

Database Dumps Required

Shared PostgreSQL (postgresql17)

  • mailarchiver
  • paperless
  • authelia

Dedicated PostgreSQL

  • mealie
  • immich
  • nextcloud

Other Databases

  • Komodo MongoDB
  • SQLite: gitea, vaultwarden, uptime-kuma, speedtest-tracker, borg-ui, grafana
  • File-backed state: filebrowser.bolt.dump

Explicitly Not Backed Up as Raw Live DB Files

  • /mnt/user/appdata/postgresql17
  • /mnt/user/appdata/mealie/postgres
  • /mnt/user/appdata/immich_postgres
  • /mnt/user/appdata/nextcloud/postgres
  • /mnt/user/appdata/komodo/mongo
  • /mnt/user/appdata/redis
  • /mnt/user/appdata/scrutiny/influxdb

Low-Priority / Rebuildable

These are not part of the first-class Borg scope:

  • Plex metadata and cache
  • AdGuard query log
  • code-server extensions cache
  • uptime-kuma
  • scrutiny metrics history
  • dozzle, glances, speedtest

Suggested Retention

  • daily: 7
  • weekly: 4
  • monthly: 6

Repository Recommendation

Recommended primary Borg repository: critical-infra

Primary sources are listed in all-important-sources.txt.

Reference in New Issue View Git Blame Copy Permalink