confusedpuppy
@confusedpuppy@lemmy.dbzer0.com
- Comment on PSA Mint + Timeshift + KVM hosters: /var/lib/libvirt is excluded by default from snapshots 5 days ago:
I’m going to post all the commands I use because I think that may be easier to follow. All the commands I’m posting will include the
–dry-runoption so if anyone tries to copy/paste this into their terminal, no actions will be taken. Instead it will show you what is going to happen if you ran the command without any changes.As I mentioned before, each partition will require it’s own command. The easiest way is using
lsblk. Below is my current setup and here you can see I have 5 partitions. One partition is aswapso I will only be working with 4 partitions,/,/boot,/boot/efiand/home:dell:~ $ lsblk NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS nvme0n1 259:0 0 953.9G 0 disk ├─nvme0n1p1 259:1 0 500M 0 part /boot/efi ├─nvme0n1p2 259:2 0 62.5G 0 part │ └─luks1-dell 253:0 0 62.5G 0 crypt │ ├─vg_dell-lv_boot 253:1 0 500M 0 lvm /boot │ ├─vg_dell-lv_swap 253:2 0 8G 0 lvm [SWAP] │ ├─vg_dell-lv_root 253:3 0 38G 0 lvm / │ └─vg_dell-lv_home 253:4 0 16G 0 lvm /home ├─nvme0n1p3 259:3 0 600G 0 part ├─nvme0n1p4 259:4 0 270.9G 0 part └─nvme0n1p5 259:5 0 20G 0 part
It’s good to first check what partitions you are using. My Raspberry Pi’s (ARM) only have
/and/bootfor example.The following
rsynccommands are what I use to make a complete backup of my system. I do exclude a number of directories because they are for temporary stuff like ram, processes or even devices/drives. It’s also important to exclude the specified backup directory to avoid recursing into the backup directory and filling up your storage space.I have a manual backup location and automated backup location. The following is for my manual backup location in
/backup/mainon my system. This location can be changed to wherever you want your backup.# Backup # / rsync --dry-run --archive --acls --one-file-system --xattrs --hard-links --sparse --verbose --human-readable --partial --progress --numeric-ids --delete --exclude=/backup/* --exclude=/boot/* --exclude=home/* --exclude=proc/* --exclude=sys/* --exclude=dev/* --exclude=tmp/* --exclude=run/* --exclude=mnt/* --exclude=media/* '/' '/backup/main/' # /boot/ rsync --dry-run --archive --acls --one-file-system --xattrs --hard-links --sparse --verbose --human-readable --partial --progress --numeric-ids --delete --exclude=lost+found '/boot/' '/backup/main/boot/' # /boot/efi/ rsync --dry-run --archive --acls --one-file-system --xattrs --hard-links --sparse --verbose --human-readable --partial --progress --numeric-ids --delete --exclude=lost+found '/boot/efi/' '/backup/main/boot/efi/' # /home/ rsync --dry-run --archive --acls --one-file-system --xattrs --hard-links --sparse --verbose --human-readable --partial --progress --numeric-ids --delete --exclude=lost+found --exclude=.cache/* '/home/' '/backup/main/home/'
`rsync` restore commands
# Restore # / rsync --dry-run --archive --acls --one-file-system --xattrs --hard-links --sparse --verbose --human-readable --partial --progress --numeric-ids --delete --exclude=/backup/* --exclude=/boot/* --exclude=home/* --exclude=proc/* --exclude=sys/* --exclude=dev/* --exclude=tmp/* --exclude=run/* --exclude=mnt/* --exclude=media/* ‘/backup/main/’ ‘/’ # /boot/ rsync --dry-run --archive --acls --one-file-system --xattrs --hard-links --sparse --verbose --human-readable --partial --progress --numeric-ids --delete --exclude=lost+found ‘/backup/main/boot/’ ‘/boot/’ #/boot/efi/ rsync --dry-run --archive --acls --one-file-system --xattrs --hard-links --sparse --verbose --human-readable --partial --progress --numeric-ids --delete --exclude=lost+found ‘/backup/main/boot/efi/’ ‘/boot/efi/’ # /home rsync --dry-run --archive --acls --one-file-system --xattrs --hard-links --sparse --verbose --human-readable --partial --progress --numeric-ids --delete --exclude=lost+found --exclude=.cache/* ‘/backup/main/home/’ ‘/home/’It’s been a while since I last researched these options so I’ll give a brief explanation of the types of options I used. I’d suggest having a look online or at the
manpage to get a better idea of what each option does.Options:
–dry-runOnly displays whatrsyncwill do, remove this once you are ready to commit any syncs/changesarchive --acls --one-file-system --xattrs --hard-links --sparseHelps preserve file attributes and other information. I think hard-links is also used to reduce backup size. There are manyrsyncguides that will give a better explanation of how hard-links workverbose --human-readable --partial --progresswill display visual data about whatrsyncwill do–numeric-idsI use this because I store multiple device backups on a single drive which gets copied to other storage devices. This stores file ownership information as numeric values to prevent ownership issues when restoring–deletethis will force the destination directory to match the source directory completely. If you delete a file from the source directory, when you perform a sync, it will delete the same fie in the destination directory. This can be dangerous if you are not prepared for it. This is why–dry-runis so important and useful.Extra options: My automated scripts use 2 additional options. I keep a rolling set of 4 backups (One month of weekly backups). I create a new directory
/backup/updatingand use a symlink from/backup/latestthat points to the most recent automated backup. After the backup is created, I rename/backup/updatingto something with a timestamp like/backup/backup_2026-07-01_1782882013–mkpathwill create any non existing directories specified in the command–link-dest=/backup/latest/will use the unchanged files from this directory to help reduce backup sizes. I think this is called an incremental backupThis has been the most reliable way to handle backups for myself. I do run into issues with
docker/podmancontainers sometimes and will have to manually delete those directories. I haven’t figured out how to deal with that issue yet but fortunately it’s easy to find those directories. Running the command will give errors about what directories can’t be removed which makes it easy to hand delete them in another terminal window. - Comment on PSA Mint + Timeshift + KVM hosters: /var/lib/libvirt is excluded by default from snapshots 6 days ago:
Timeshift is essentially a gui on top of rsync anyway, if you look at what it’s doing behind the scenes.
That’s the reason why I chose to learn rsync. I was frustrated with Timeshift. It failed to restore some changes multiple times. It gave me issues with docker. It also had default excludes that were annoying to change as well.
I then learned how to make a complete system backup with rsync itself.
/,/boot/and/boot/efi/has to be done on separate rsync commands. Basically one command per partition.A restore involves flipping the source and destination in the rsync command. It also allows me to boot into a live USB and perform a restore in the event that I really mess up and can’t perform a restore normally through the installed OS.
By leaving behind the GUI, I got a lot more flexibility. It’s also a lot more reliable and I’ve had a lot less restore issues.
- Comment on PSA Mint + Timeshift + KVM hosters: /var/lib/libvirt is excluded by default from snapshots 6 days ago:
Timeshift is the reason I learned how to use
rsync. I wrote my own script that made a more complete backup and can automate multiple incremental backups with a customizable max number of backups.It’s simple and so much more reliable. Even when I forget to test my backups, they still work when the time comes.
At least Timeshift taught me how to use rsync, so there’s that.
- Comment on What actual damage do you secure your servers against? Whats the attack vector? 1 week ago:
I’ve been trying to find a balance between what I currently own, what I can do with it and using as little outside resources to self host. I’m also cautious about what has access to the internet which limits what I host.
I have two Raspberry Pi’s. One is only accessible through my home’s local network through my WiFi Extender network. That WiFi extender also helps hide my personal network from my ISP which see’s everything connected to the main modem/router. This Pi is strictly for my IoT devices.
My other Pi is a web facing server. It has Caddy and Kiwix. It hosts a static blog, simple file server which servers my git repositories, some survival ebooks, plain text recipes and a bunch of programming related resources. Kiwix has a bunch of wikis, Wikipedia to survival stuff, vegetarianism, coding stuff and things surrounding those topics generally. I generally avoid anything that uses databases because I don’t have the energy to learn, maintain and protect that. Plus I have a focus on small, low powered minimalism.
Those Pi’s both use Alpine Linux. I chose Alpine because it’s small and uses less common tools.
doasoversudo, OpenRC over SystemD, and Musl over glibc. It’s a bit of security by obscurity but I’ve also made efforts to harden Alpine Linux itself too. I’ve disabled a lot of kernel modules, made strict firewall rules, and made sure to include the use of apparmor. I’ve also written all my backup solutions and maintenance scripts myself and tested as thoroughly as I am capable of. I also avoid complexity by keeping things as minimal as possible to reduce the surface area of any possible attacks.I use
podmancontainers to keep everything in the userspace. Caddy is my reverse proxy which means only one port is freely accessible to the internet. I also use a wildcard cert to obscure my publicly available information and use an uncommon port instead of the standard 80/433 ports. Because of the wildcard cert/uncommon port, I receive no bot traffic so I don’t feel the need to use Cloudflare or Anubis. I’m hidden enough and the only people I want on my blog/file server/Kiwix wiki’s are close friends.For SSH, I’ve hidden all those behind WireGuard so the second open port to my web server looks hidden from scanners (at least that’s how I understand it). I used to use a custom port which only got about 15 hits a week from bots appearing from the Netherlands. That number has since dropped to zero after setting up WireGuard. I’m sure the bots are attempting but they aren’t making any appearances in my logs and that’s good enough for me.
I’m happy more talk about security has been popping up lately. So many websites focus on getting things running and just don’t take any time to talk about security. I had to switch from docker to podman because docker had so much control over
iptablesthat never got reported toufwwhich was a concern for me. That point is rarely talked about since it’s so easy to copy and run a docker-compose.yml file. - Comment on My entire production website runs on a Raspberry Pi 4B + Orange Pi Zero 3 — real traffic, public dashboard, zero cloud 2 weeks ago:
Aaah that’s good to know. I’ve seen HAproxy mentioned before and this was the first time I looked at it.
I am happy I went with Caddy because networking is not my strength and Caddy is quite simple in comparison to other reverse proxies. Nginx config files will forever look like scribbles to me.
I don’t know about the limitations of using an uncommom port though because my needs are quite small and obscure by design. I do wonder if other people could benefit from using wildcard certs + uncommon ports. Watching bots/scrapers drop to zero attempts and stay zero has been really satisfying and I haven’t had the desire to use outside services like Anubis or Cloudflare.
I know someone out there with itchy fingers is ready to warn that obscurity isn’t security and I wouldn’t deny that. However, I do believe obscurity layered with security is valid as long as security takes the main focus.
- Comment on My entire production website runs on a Raspberry Pi 4B + Orange Pi Zero 3 — real traffic, public dashboard, zero cloud 2 weeks ago:
For the past year I’ve been learning to self host minimally on a used Raspberry Pi 5. I do have a Pi 4 as well but that’s dedicated to HomeAssistant for the small handful of lights and switches it controls.
Both Pi’s run Alpine Linux with Podman containers. For my Pi 5 server it runs Caddy as my reverse proxy/SSL cert handler plus another contained for Kiwix. It’s super simple. Caddy also has a basic file server for me to host my git repositories as well as hosting my static site.
The static site is based off a script I found called BashWrite but it hasn’t been updated in a year so I decided to add some of my own changes to it here. I also fixed up some of the English grammar since the original creater wasn’t an English native speaker.
I’m still focusing on the background stuff but I’ve put a lot of effort into security and hardening. I’ve written all the maintenance (backup, keep-alive, updating) myself using POSIX portable scripts which can all be found on my codeberg page. It’s been a long process but I’m nearly there. I just have to switch from
iptablestonftablesand add secrets to my Caddyfile configuration to hide important keys that are currently sitting as plain text. After that I can focus on my blog/static site.Since I’m not doing this for a business, I’ve decided to use a wildcard domain for my SSL cert plus an uncommon port as a low effort way to hide myself from bots/scraper. Also I set up Wireguard infront of my SSH connection to also hide from bots. My log activity only shows my own activity which is comforting to know, especially since I’ve seen just how active bots and scrapers are in comparison to a year ago when I was just getting started and beginning to learn things.
It’s really cool to see another minimal project like this and I think it’s refreshing to see. A lot of the times I see people with dozens on intensive services running and I feel a bit out of place with my scaled down self hosted project.
My only question about your setup is about HAproxy. How important is a load balancer for your site? I don’t think I will need one for myself since the traffic will mostly be for myself and a few people I know personally but I am still curious about how it works and how effective it is for your setup.
- Comment on Mod changes and an intro 5 weeks ago:
This was a number of months ago so I doubt it would be remembered anywhere at this point. After that, a number of posts I commented in were also removed as well. It was very confusing because everything seemed appropriate for the community. I do look forward to seeing how this community grows/changes now.
I’ve taken a very minimalist approach to self-hosting but I’ve given extra attention towards security. I feel like security doesn’t get talked about as much as it could be. It’s especially important these days with bots roaming around everywhere.
I also use some unconventional methods that I’d like to share (layering security with obscurity with a focus on security first). It’s not a one size fits all solution but I can stay private while exposing my server with minimal tools. It works for me though and my logs haven’t shown any outside activity besides my own.
- Comment on Mod changes and an intro 5 weeks ago:
I stopped posting and commenting on this community because things kept getting deleted even though it was all very clearly about self-hosting. It was very disappointing because I spent a lot of time on my contributions. One post I made a while ago was about self-hosting security and had tons of activity only for all that information to be removed over rule 3. Very confusing and disappointing.
I’m interested in seeing how the vibe around here changes going forward. Maybe I’ll be less cautious about participating.
- Comment on What are your self–hosted alternatives for inter device communication? 5 weeks ago:
I just use SSH+Rsync for everything. I traded two-way sync for minimalism and reliability. I’ve had nothing but headaches with anything else, especially Syncthing.
My Computer and both Raspberry Pi servers both run Linux and I have Termux installed on my Android phone so OpenSSL and Rsync are easily available.
I made a script that runs Rsync commands from files containing all the information which easily swaps source/target files so I can easily transfer in both directions with a simple command line option. It’s reliable and simple and I’ve had a lot less headaches troubleshooting the rarely occurring issues.
- Comment on Self hosting Sunday! What's up and how long? 5 months ago:
My server mysteriously stopped working in December. After a scheduled restart, the OS wouldn’t load so the fan was running on high for a few days while I was staying at a friends for a few days.
I checked the logs and couldn’t find anything suspicious. Loaded a previous backup that worked and still nothing loaded on startup. Tested the Pi 5 with a USB drive that had a fresh Alpine Linux install on it and everything loaded up fine so I was able to rule out any hardware issues. The HDD with the old OS mounted just fine to my laptop. I still have no idea what happened.
This happened a few days before my domain name expired and I was planning to change my domain name to something shorter. Decided to hold off on remaking my server from scratch until I finish a few other projects.
The other projects will help me manage my network connected devices so it’s all working towards a common goal. Fortunately I am getting very close to finishing those projects. I am putting the final touches on my last project and should done within a few days.
Next I’ll reinstall my Pi 4 with HomeAssistant again to fix it’s networking issue. Only the terrarium grow lights are affected and my gecko chose to hibernate outside of the terrarium this winter so she’s unaffected (heat lamps are controlled by a separate, isolated device). After that I’ll fix my Pi 5 server and this time go with Podman over Docker.
- Comment on PSA: Don't use nextcloud's auto upload on the android app as a backup 7 months ago:
There’s a few things I backup from my phone.
- Music downloaded from Seeker
- Youtube audio downloaded from YTDLnis
- Backups of Termux
- Notes in plain text
- Backups from certain apps that make their own backup data
- Pictures that I have sorted and want to saved
I have an Android phone so I use Termux as a terminal emulator. I use ssh and passwordless keys to make transfers simpler and quicker.
Although this is closer to a backup process and not like SyncThing where it’s syncing a folder between two devices. I don’t believe rsync is capable of acting like SyncThing but I’m tempted to dig into rsync more and see if I can put something basic together one day.
- Comment on PSA: Don't use nextcloud's auto upload on the android app as a backup 7 months ago:
I do something similar using only
rsync. I’ve had nothing but headaches whenever I used automated file syncing programs. The bare bones aspect of just using rsync has made it a much more consistent experience.I found using automated file syncing programs have too much complexity under the hood that just seems to lead to more time troubleshooting issues.
- Comment on Selfhosting Sunday - What's up to date, selfhosters? 10 months ago:
I finally got Caddy’s TLS working with a custom module to handle DNS challenges. Turns out all I had to do was wait 10-15 minutes and everything would sort itself out.
Now on to the next puzzle. I started with Caddy in a Docker container and it’s working as intended. Now I want to replicate that in Rootful Podman Compose but I’m running into an issue. With the exact same setup (docker-compose.yml, Dockerfile and Caddyfile) I can get my TLS cert without issue but I can’t seem to connect to my website from any external browser. Not through my domain name or even through my home’s local network.
Once I figure out how I can access my website, I’ll be one step closer to where I want to be. Next will be to get Rootless Podman working, then I can finally set up the file server and kiwix instance instead of the test page I am currently using.
After that, I can finally spend time doing what I want to do and focus my time looking into the Gemeni Protocol.
Down the road I’ll look into hosting an IRC server and Snikket instant messenger but that’s super low priority. I like tinkering with my Raspberry Pi and my constant backup/restores wouldn’t be good for reliability for such services.