Initial commit

Author: Alik

README.md

@@ -0,0 +1,52 @@
+A small guide on how to build compact, silent and energy-efficient Linux home server that runs:
+
+- Docker
+- NFSv4 server secured with Kerberos
+- Unbound DNS server
+- SOCKS5 over VPN proxy server
+- Transmission over VPN
+- Nextcloud
+- ... and more
+
+The latest HTML version of the guide is hosted online using GitLab Pages
+and can be viewed here: https://kosheo.gitlab.io/silverbox-server
+
+# Compiling
+The guide is written in [AsciiDoc](https://en.wikipedia.org/wiki/AsciiDoc) format
+and can be compiled into different output formats, such as HTML or PDF.
+
+If you have Docker installed, you can use Asciidoctor Docker container.
+For example, to build HTML version:
+
+```
+git clone https://gitlab.com/kosheo/silverbox-server.git
+docker run -it --rm -v ./silverbox-server:/documents asciidoctor/docker-asciidoctor asciidoctor silverbox-server.adoc
+```
+
+Or to build a PDF:
+
+```
+docker run -it --rm -v ./silverbox-server:/documents asciidoctor/docker-asciidoctor asciidoctor-pdf silverbox-server.adoc
+```
+
+See [Generating Custom Document](https://kosheo.gitlab.io/silverbox-server.html#_generating_custom_document)
+section for more details.
+
+## Customizing Document
+Most of the configuration-specific parameters (such as IP addresses, host names, port numbers etc.)
+are not hardcoded, but defined using AsciiDoc attributes.
+This way you can redefine these attributes with your specific parameter values
+and build your very own version of this document.
+
+By default these parameter values contain simple placeholders,
+such as `{SERVER_IP_ADDR}` for the server local IP address.
+You can replace them with the values you want by editing `parameters.adoc` file and then compiling the document.
+
+# License
+This document is licensed under Creative Commons Attribution-NonCommercial 4.0 International (CC BY-NC 4.0) License.
+
+For more details see:
+
+- https://creativecommons.org/licenses/by-nc/4.0
+- https://creativecommons.org/licenses/by-nc/4.0/legalcode
+

backup/backup.adoc

@@ -0,0 +1,16 @@
+== Backup
+This section describes how to configure secure automatic backup of valuable files
+from the server to external drive and to the cloud.
+
+include::overview.adoc[]
+
+include::disk-preparation.adoc[]
+
+include::configuration.adoc[]
+
+include::monitoring.adoc[]
+
+include::restore.adoc[]
+
+include::references.adoc[]
+

backup/configuration.adoc

@@ -0,0 +1,258 @@
+=== Configuration
+This section describes how to install all the necessary software and configure backup to the external drive and to the cloud.
+
+==== Borg Backup
+Borg backup will be used to backup valuable files from the server to the external drive.
+
+===== Installation
+Borg backup can be installed directly from the repositories:
+
+----
+sudo apt install borgbackup
+----
+
+===== Backup Repository Creation
+Borg backups files to what it calls repository, which is essentially a directory on disk.
+
+Initialize a new empty Borg repository on the external drive:
+
+----
+sudo borg init --encryption=repokey /mnt/backup/borgrepo
+----
+
+You'll be prompted for a passphrase that will be used to generate encryption key for the backups.
+
+IMPORTANT: Store this passphrase somewhere outside of the server,
+so that it can be used to decrypt backups in the case of total server failure.
+
+===== Automatic Backup Creation
+Create a directory where backup related scripts will be stored:
+
+----
+sudo mkdir /root/silverbox/backup
+sudo chmod 700 /root/silverbox/backup
+----
+
+Create the `/root/silverbox/backup/backup.sh` file with the following content:
+
+./root/silverbox/backup/backup.sh
+[source,bash]
+----
+#!/bin/sh
+
+if pidof -x borg >/dev/null; then
+    echo "borg is already running"
+    exit 1
+fi
+
+export BORG_PASSPHRASE='{BORG_PASSPHRASE}' # <1>
+
+# Create backup
+borg create -v --stats /mnt/backup/borgrepo::'{hostname}-{now:%Y-%m-%d}' \ # <2>
+    /etc/letsencrypt/archive \ # <3>
+    /srv/nextcloud \
+    /srv/nfs \
+    --exclude '/srv/nfs/torrents' \
+    --exclude '/srv/nextcloud/html' \
+    --exclude '/srv/nextcloud/data/*.log' \
+    --exclude '/srv/nextcloud/data/*/preview' \
+    --exclude '/srv/nextcloud/db/*.pid' \
+    --exclude '/srv/nextcloud/db/*.opts' \
+    --exclude '/srv/nextcloud/db/pg_stat_tmp'
+
+if [ "$?" -ne "0" ]; then
+    echo "borg create failed"
+    exit 2
+fi
+
+# Prune old backups
+borg prune -v --list /mnt/backup/borgrepo --keep-daily=3 --keep-weekly=4 --keep-monthly=6 # <4>
+
+if [ "$?" -ne "0" ]; then
+    echo "borg prune failed"
+    exit 3
+fi
+
+echo "backup completed"
+----
+<1> Set `\{BORG_PASSPHRASE}` to your Borg passphrase.
+<2> Feel free to adjust the mask controlling how backups will be names.
+<3> This list of what to backup is just an example, adjust it according to your needs.
+<4> Feel free to adjust backup retention settings according to your needs.
+
+Mark this file as executable and only accessible by root:
+
+----
+sudo chmod 700 /root/silverbox/backup/backup.sh
+----
+
+To run backup script automatically on a schedule a Systemd timer is used.
+Create the `/etc/systemd/system/borg-backup.service` file with the following content:
+
+./etc/systemd/system/borg-backup.service
+----
+[Unit]
+Description=Create backup using Borg backup
+
+[Service]
+Type=oneshot
+ExecStart=/bin/sh -c "/root/silverbox/backup/backup.sh"
+----
+
+Next, create the `/etc/systemd/system/borg-backup.timer` file with the following content:
+
+./etc/systemd/system/borg-backup.timer
+----
+[Unit]
+Description=Create backup using Borg backup
+
+[Timer]
+OnCalendar=*-*-* 00:00:00 # <1>
+AccuracySec=1h
+Persistent=true
+
+[Install]
+WantedBy=timers.target
+----
+<1> In this configuration backup is created daily at midnight.
+
+Enable and start the timer:
+
+----
+sudo systemctl daemon-reload
+sudo systemctl enable borg-backup.timer
+sudo systemctl start borg-backup.timer
+----
+
+To create the first backup and verify that everything works run the service manually:
+
+----
+sudo systemctl start borg-backup.service
+----
+
+The first backup creation may take very long time.
+
+==== Rclone
+Rclone is a tool that can synchronize local files with remote cloud storage.
+In this deployment it is used to sync backup files generated by Borg to remote cloud storage.
+
+The prerequisite to this section is to have cloud storage configured and ready for use.
+I chose to use OVH object storage, but you can chose any storage that is supported by Rclone
+(list of supported storages available on Rclone website, see link in the references section).
+
+===== Installation
+Rclone can be installed directly from the repositories:
+
+----
+sudo apt install rclone
+----
+
+===== Storage Configuration
+After installation, Rclone needs to be configured to work with your cloud storage.
+This can either be done by running `rclone config`
+or by putting configuration into the `/root/.config/rclone/rclone.conf` file.
+
+Since the configuration depends on what cloud provider you use, it is not described in this document.
+For OVH, there is a helpful article mentioned in the references to this section.
+
+Once Rclone is configured, you can test that it has access to the storage by doing:
+
+----
+sudo rclone ls {REMOTE_STORAGE}:{STORAGE_PATH} -v # <1>
+----
+<1> Replace `\{REMOTE_STORAGE}` and `\{STORAGE_PATH}` with remote storage that you configured and path respectively.
+
+===== Automatic Backup Sync
+Create the `/root/silverbox/backup/sync.sh` file with the following content:
+
+./root/silverbox/backup/sync.sh
+[source,bash]
+----
+#!/bin/sh
+
+if pidof -x borg >/dev/null; then
+    echo "borg is already running"
+    exit 1
+fi
+
+if pidof -x rclone >/dev/null; then
+    echo "rclone is already running"
+    exit 1
+fi
+
+export BORG_PASSPHRASE='{BORG_PASSPHRASE}' # <1>
+
+# Check backup for consistency before syncing to the cloud
+borg check -v /mnt/backup/borgrepo
+
+if [ "$?" -ne "0" ]; then
+    echo "borg check failed"
+    exit 2
+fi
+
+# Sync backup
+rclone -v sync /mnt/backup/borgrepo {REMOTE_STORAGE}:{STORAGE_PATH} # <2>
+
+if [ "$?" -ne "0" ]; then
+    echo "rclone sync failed"
+    exit 3
+fi
+
+echo "backup sync completed"
+----
+<1> Set `\{BORG_PASSPHRASE}` to your Borg passphrase.
+<2> Replace `\{REMOTE_STORAGE}` and `\{STORAGE_PATH}` with the actual values.
+
+Mark this file as executable and only accessible by root:
+
+----
+sudo chmod 700 /root/silverbox/backup/sync.sh
+----
+
+To run backup sync script automatically on a schedule a Systemd timer is used.
+Create the `/etc/systemd/system/sync-backup.service` file with the following content:
+
+./etc/systemd/system/sync-backup.service
+----
+[Unit]
+Description=Sync backup files to the cloud
+
+[Service]
+Type=oneshot
+ExecStart=/bin/sh -c "/root/silverbox/backup/sync.sh"
+----
+
+Next, create the `/etc/systemd/system/sync-backup.timer` file with the following content:
+
+./etc/systemd/system/sync-backup.timer
+----
+[Unit]
+Description=Sync backup files to the cloud
+
+[Timer]
+OnCalendar=Mon *-*-* 03:00:00 # <1>
+AccuracySec=1h
+Persistent=true
+
+[Install]
+WantedBy=timers.target
+----
+<1> In this configuration backup is synced every Monday at 3 am.
+The reason sync is done only once a week is to save some bandwidth and data.
+
+Enable and start the timer:
+
+----
+sudo systemctl daemon-reload
+sudo systemctl enable sync-backup.timer
+sudo systemctl start sync-backup.timer
+----
+
+To run the initial sync and verify that everything works run the service manually:
+
+----
+sudo systemctl start sync-backup.service
+----
+
+The first sync may take very long time (depending on your internet bandwidth and backup size).
+