NextCloud & BackBlaze B2 secure backup script / howto

I wanted to share my backup script with everyone. This is a script that syncs to Backblaze B2 all of your files (encrypted by NextCloud), all of your encryption keys (enclosed in a tarball encrypted by a separate GPG key) and SQL dumps (also encrypted with that GPG key).
“How To Backup Nextcloud” was originally written on 03 July 2019, and was updated on 19 June 2020.
I recently wrote a guide on how to set up your own Nextcloud server; it’s a great way of ensuring your personal data is kept private. However, it’s also important to back up Nextcloud too.
If you are using an object storage service such as Backblaze B2, Minio can translate S3 API requests from NextCloud to B2 API requests, requiring no code changes or additional apps to be installed on your NextCloud instance. Although Minio is S3 compatible, like most other S3 compatible services, it is not 100% S3 compatible.
Isn’t Nextcloud My Backup?
No it isn’t. Nextcloud is not a backup solution, it’s a way of syncing your data, but it’s not a backup. Think about it, if you delete a file from computer A, that deletion will immediately be synced everywhere via Nextcloud. There are protections in place, such as the trash bin and version control, but Nextcloud is not a backup solution.
Since building my own server I have come up with a pretty decent way of backing up my data that follows the 3-2-1 principle of backing data up.
At least 3 copies of your data, on 2 different storage media, 1 of which needs to be off-site.
— The 3-2-1 backup rule

Requirements
In order to effectively back up Nextcloud, there are a few pieces of hardware and software involved. There is an initial cost to the hardware, but it isn’t significant.
To back up Nextcloud you will need:
- An Ubuntu based server running the Nextcloud Snap
- A USB hard drive that is at least double the size of the data you’re backing up (I’d recommend getting the biggest you can afford)
- Duplicati backup software installed on your Nextcloud server
- A Backblaze B2 account
- Around 30-60 minutes to set it all up
At this point I will assume that you have connected and mounted your USB hard drive to the server. If you haven’t done that yet, take a look at my guide on how to mount a partition in Ubuntu.
Note: this process is designed around the Nextcloud Snap installation, not the manual installation.
Overview
Following this post, you will be able to do the following:
- Automatically back up your entire Nextcloud instance (including your database) every day
- Create a log file so you can see if the backup worked
- Sync the backup to B2 cloud storage (it will be encrypted before transmission)
- Delete old backups so your hard drive doesn’t fill up
- Receive email alerts once the backup completes
User Setup
I would recommend using a dedicated user for backing up. This will allow us to keep the backup routine separate from the normal user account you use, making the setup more secure.
In this guide, I will be using `ncbackup` as the user account. You can use whatever username you feel is appropriate. Let’s start by creating the user and the directories we will need to store our backups.
Now we have the directories set up, let’s create the script that will run our backups. In this example, I’m using nano, but feel free to use any text editor you like. To learn more about nano, click here.
We’re using the `/usr/sbin` directory because it is used for system-wide binaries that require elevated privileges. You can store your script wherever you like, but `/usr/sbin` is good practice.

Backup Nextcloud
Populate the file with the following, ensuring you change the username and path to whatever the appropriate values are for your setup.
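An added example of such a script (my own, not the post’s original), built around the Nextcloud snap’s `nextcloud.export` command. Assumed: the USB drive is mounted at `/media/usb`, the script is run as root (via the sudo rule set up later), and archives older than 14 days are pruned.

```shell
#!/bin/bash
# Added example of a Nextcloud-snap backup script (my own, not the post's).
# Assumptions: the Nextcloud snap is installed, the USB drive is mounted at
# /media/usb, and the script runs as root via the post's sudo rule.
set -eu

BACKUP_ROOT="${BACKUP_ROOT:-/media/usb/ncbackup}"   # assumed mount point
LOG_DIR="$BACKUP_ROOT/Logs"
RETENTION_DAYS="${RETENTION_DAYS:-14}"
SNAP_BACKUPS=/var/snap/nextcloud/common/backups     # where nextcloud.export writes

log() { printf '%s %s\n' "$(date '+%F %T')" "$*"; }

# Archive name derived from the run date, as the post describes.
archive_name() { printf 'nextcloud_%s.tar.gz' "$(date '+%Y%m%d')"; }

# Delete archives older than $2 days in $1 and print how many were removed,
# so the log (and a test) can show that the retention step actually ran.
prune_old_backups() {
  local dir="$1" days="$2" count
  count=$(find "$dir" -maxdepth 1 -name '*.tar.gz' -mtime +"$days" | wc -l | tr -d ' ')
  find "$dir" -maxdepth 1 -name '*.tar.gz' -mtime +"$days" -delete
  printf '%s\n' "$count"
}

run_backup() {
  local export_dir archive
  mkdir -p "$BACKUP_ROOT" "$LOG_DIR"
  log "Starting export (nextcloud.export puts the instance in maintenance mode while it runs)"
  nextcloud.export                                  # apps, database, config and data
  export_dir=$(ls -dt "$SNAP_BACKUPS"/*/ | head -n 1)
  archive="$BACKUP_ROOT/$(archive_name)"
  log "Compressing $export_dir to $archive"
  tar -czf "$archive" -C "$SNAP_BACKUPS" "$(basename "$export_dir")"
  rm -rf "$export_dir"                              # keep the snap partition lean
  log "Removed $(prune_old_backups "$BACKUP_ROOT" "$RETENTION_DAYS") archive(s) older than $RETENTION_DAYS days"
  log "Backup finished: $(du -h "$archive" | cut -f1)"
}

# Run only when invoked as the backup job; every step lands in Logs/<date>.txt,
# and because of set -e the last line of that log shows where a failure occurred.
if [ "${1:-}" = "--run" ]; then
  mkdir -p "$LOG_DIR"
  run_backup >> "$LOG_DIR/$(date '+%Y%m%d').txt" 2>&1
fi
```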
Now we need to make our backup script executable:
A lot of the commands in our script will require `sudo` access, but we don’t want to give full `sudo` access to our `ncbackup` user, as it doesn’t need elevated rights globally. However, we do want to be able to run the backup script with `sudo` rights, and we want to do it without requiring a password.

To accomplish this, we need to use `visudo`. We can configure `visudo` to allow the `ncbackup` user to run the backup script as `sudo`, without a password. Crucially, the `ncbackup` user will not be able to run anything else as `sudo`.

Enabling `sudo` access for the backup script introduces another potential security risk. The `ncbackup` user can run the backup script as `sudo` without a password. So a threat actor could potentially edit the script and run any command as `sudo` without a password. Bad times.
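The sudoers rule described above, together with a check that the script it points at cannot be modified by the backup user, as an added example (my own, not the post’s). It assumes the post’s names, user `ncbackup` and script `/usr/sbin/ncbackup.sh`, and a sudoers drop-in at `/etc/sudoers.d/ncbackup`.

```shell
#!/bin/bash
# Added example (not the post's): the single sudoers rule for the backup user,
# and a check that the script it may run without a password is not writable by
# that user. Assumes the post's names: user ncbackup, script /usr/sbin/ncbackup.sh.
set -eu

BACKUP_USER="${BACKUP_USER:-ncbackup}"
BACKUP_SCRIPT="${BACKUP_SCRIPT:-/usr/sbin/ncbackup.sh}"

# The one line to add with 'sudo visudo' (or into /etc/sudoers.d/ncbackup):
# exactly this command, as root, no password, nothing else.
sudoers_rule() {
  printf '%s ALL=(root) NOPASSWD: %s\n' "$BACKUP_USER" "$BACKUP_SCRIPT"
}

# A NOPASSWD target that the unprivileged user can edit is full root in disguise.
# Returns 0 only if $1 is owned by $2 (default root) and has no group/other write bit.
script_is_locked_down() {
  local f="$1" want_owner="${2:-root}" owner mode g o
  [ -f "$f" ] || return 1
  owner=$(stat -c '%U' "$f")
  mode=$(stat -c '%a' "$f")
  mode=${mode#"${mode%???}"}              # keep the last three octal digits
  g=$(printf '%s' "$mode" | cut -c2)
  o=$(printf '%s' "$mode" | cut -c3)
  [ "$owner" = "$want_owner" ] || return 1
  case "$g" in [2367]) return 1;; esac    # group write bit set
  case "$o" in [2367]) return 1;; esac    # other write bit set
  return 0
}

# Apply the hardening the post describes: root-owned, non-writable script,
# a validated sudoers drop-in, and no interactive login for the backup user
# (revert the last step with: usermod -s /bin/bash ncbackup).
apply_hardening() {
  local tmp
  chown root:root "$BACKUP_SCRIPT"
  chmod 755 "$BACKUP_SCRIPT"
  tmp=$(mktemp)
  sudoers_rule > "$tmp"
  visudo -cf "$tmp"                       # refuse to install a rule sudo would reject
  install -m 440 -o root -g root "$tmp" /etc/sudoers.d/ncbackup
  rm -f "$tmp"
  usermod -s /usr/sbin/nologin "$BACKUP_USER"
  script_is_locked_down "$BACKUP_SCRIPT"
}

if [ "${1:-}" = "--apply" ]; then apply_hardening; fi
```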
However, we saved the script in `/usr/sbin`, which means the `ncbackup` user will not be able to edit the `ncbackup.sh` script. By doing so, we have prevented the system from becoming insecure.

As an extra layer of security, we will stop the `ncbackup` user from being able to log in to the server at all:

If at a later date you need to be able to log in using the `ncbackup` user, you can revert this change by running the following command:

Schedule Backups
Now that we have the backup script set up, we need to schedule the backup to run automatically; for this, we will use Cron.
Run the following command to enter the Cron settings for the `ncbackup` user:

Once you’re in `crontab`, you need to add the following lines to the bottom of the file:

The settings above will run the backup script at 02:00am every day. You can change this to whatever value you like, but I would recommend running the backup every day.
The first value represents minutes, then hours, then days etc. So if you wanted to run the backup at 03:30am, your Crontab entry would look something like this:
Now Wait…
That’s most of the setup complete at this point. The next thing to do is to wait 24 hours for your backup to complete automatically (or you could run the script manually yourself).
Once the script has run, you should see a tar.gz file within your backup folder with a name that corresponds to the date the backup ran:
Within the Logs folder, you should also see a `<date>.txt` file that corresponds to the backup. You can open this to see how your backup went:

With the echo statements we put in the script, you can see at what point in the backup things failed, if they do in fact fail.
Note: there are masses of improvements that can be added to this script, but this satisfies my needs. If you do add improvements, please let me know and I’ll post an update.
Setup Duplicati
You now have a single layer of backups for Nextcloud. However, if you want to abide by the 3-2-1 rule of backups (which I highly recommend), then we now need to use Duplicati to add additional layers to our backup routine.
To install Duplicati, go to this link and right click ‘copy link location‘ on the Ubuntu DEB. Then amend the commands below as appropriate.
We now need to enable the Systemd service for Duplicati so it runs automatically on boot:
By default the Duplicati service will only listen on localhost, so if you try to access the IP of the server from another device, you won’t get the Duplicati webGUI.
To fix this, edit the `DAEMON_OPTS` option within the Duplicati config to the following:

Restart Duplicati so the config changes take effect:
You should now be able to access the Duplicati web interface by going to `http://server-ip:8200`. You will be asked to set a password for Duplicati when you first log in; make sure this is a strong one!

Security Note: My server is hosted at home, and I don’t expose port 8200 to the internet. If your server is not at home, then I would strongly suggest you configure something like iptables, or the Digital Ocean firewall, to restrict access to port 8200.
Configure Duplicati Backups
Now it’s time to configure our backups in Duplicati. We will configure 2 backup routines – 1 to USB and another to Backblaze B2 for off-site.
Let’s do the USB backup first. Within the Duplicati webGUI, click on the Add Backup button to the left of the screen.

This is a very straightforward process where you choose the destination (our USB drive), the source (the output from our backup script) and the schedule.
When creating your backup routines in Duplicati, always ensure you encrypt your backups and use a strong passphrase.
Also, always make sure your Duplicati backups run at different times from your other backups. Personally, I go for the following setup:
- 02:00 – Local Nextcloud backup script runs via Cron
- 03:00 – Duplicati backs up to USB
- 04:00 – Duplicati backs up to Backblaze B2
I always leave the Backblaze backup to run last, as it then has up to 22 hrs to complete the upload before the next backup starts, so they shouldn’t interfere with one another.
Off-Site Backups
When it comes to configuring your Backblaze backups, change the destination from Local to B2 Cloud Storage. You will need your B2 bucket information and application keys to complete the config.

Once you have entered your Backblaze Bucket information, click Test Connection to make sure Duplicati can write to your B2 bucket correctly.
Important note: You will need to add payment information to your Backblaze account before backing up, otherwise your backups will fail.
To give you an idea of what Backblaze costs, I’m currently backing up around 150GB of data to my Buckets, and I’m charged less than $1/month.
Personally, I only keep 7 days of backups on BackBlaze, as I only have it for disaster recovery, where all my local backups have failed. I don’t need data retention in the cloud, that’s what my USB drive is for.
Duplicati Email Notifications
You can configure email notifications for Duplicati backups; this way you will always know if your backups are working.
To do this, head into the Duplicati WebGUI and click on the Settings option to the left of the screen, scroll all the way down to the bottom where it says Default options. Click the option that says Edit as text, then paste the following into the field:

I personally use Amazon SES for this, but you should be able to use any SMTP server.
That’s It!
You’re done. That’s it. Finito. You now know how to backup Nextcloud in such a way that it abides by the cardinal 3-2-1 backup rule, and it lets you know when your backups have run.
⚠️ ⚠️ TEST YOUR BACKUPS! ⚠️ ⚠️
I can’t stress this enough. Once your backups have been running for a few days, make sure you run a test restore (not on your live system) to make sure you can get your data back. After all, there’s no point in having backups if you can’t restore from them!
To restore the backups you have made of Nextcloud into a vanilla Nextcloud snap installation, you need to decompress your backup to `/var/snap/nextcloud/common` then use the `nextcloud.import` command to restore it:

Yes, restoring your Nextcloud snap from backup really is that simple!
Conclusion
This is by no means the perfect way to backup Nextcloud, but it does work and it has worked for me for quite some time now. You may have a different/better way of backing up; if you do, please leave a comment below, or get in touch with me.
Finally, I’d like to thank my friend Thomas from work, who helped improve my script a little and gave me a couple of ideas to improve to the security.
Thanks, Tom.
Recently I’ve started hosting a lot of my own data using Nextcloud. It is an excellent alternative to the likes of Dropbox & Google Drive and provides a lot of good features out of the box, e.g. a really great user interface, Calendar and Contacts, RSS reader, etc. along with native apps for all the desktop and mobile OSes.
This is a good alternative to other cloud providers because overall it’s pretty cheap when there’s a need to scale up, although I had to research and find relatively cheap infrastructure providers which provided the features that I needed, without providing a lot of enterprisey features which a single user like me won’t need (r/selfhosted really helped me with finding the alternatives). In the end, I started with Hetzner for hosting the server and Backblaze B2 for cheap backups. The combination has been working really well for the last 4 months or so, without any downtime.
As an aside, Hetzner also provides Nextcloud boxes which are pretty cheap but since I use my VPS for some other stuff I didn’t pick that option.
In this setup, I assume that you already have a Nextcloud server running on a VPS. I touch upon the details of my setup, but won’t go in-depth. Essentially, I cover how to provision a volume, use that to store NC data, encrypt and back that up to Backblaze B2 using rclone (and cron).
Setting Up Hetzner (Optional)
First and foremost, one needs to create an account on Hetzner. The procedure over there is quite different as they require a copy of the passport to be sent as part of their installation. Someone from their team checks it and activates your account. They give the option of encrypting the passport copy with their GPG key before sending them the passport. This helps in countering the fake accounts that crop up to use their inexpensive VPS solutions.
Changes to Nextcloud to use an External Volume
Once a VPS is procured, take it for a spin and install Nextcloud. As I mentioned, in my setup, I’ve created a volume to store all the Nextcloud data.
There are 2 changes that I’ve done in my setup:
- Since `apache` runs as the `www-data` user, this folder needs to give the permissions to this user. I’ve also added a group called `cloud` which has all the users who can read through the data of multiple other services running on my machine.
- The config of Nextcloud by default uses `datadirectory` as `/var/www/nextcloud/data` and I’ve changed it to `/mnt/volume-nbg1-1/nextcloud/data`. The file should be available in the Nextcloud root directory in the `config` folder.
Get a Backblaze B2 account.
Unlike Hetzner, these guys just need your email address and credit card details. Create an account over there, and then create a bucket. I generally append a guid to my bucket name as these have to be globally unique.
Once the bucket is created, create an Application key using the App Keys menu on the left. Note down the `keyId` and `applicationKey`.

Setup A User To Backup Data
As mentioned before, and to keep a separation of different users, I created a user which has read access to services running on my machine. Let’s call that user `syncuser`. This user will be part of the `cloud` group and therefore will have read access to the Nextcloud data directory. Essentially, you’d need to run these commands.

Setup rclone
rclone is an excellent sync utility with backends for (almost?) all the cloud providers in existence. It is ultra fast and super simple to set up.
This step of setting up rclone contains 2 substeps:
- This configuration uses the `keyId` and `applicationKey` which we saved while creating app keys for B2. Let’s assume that you named this backend `b2` during the rclone configuration, then go ahead and sync a couple of files using the following commands:

  This should list out `dir1` and `dir2`. This backend doesn’t really encrypt the data. We need to set up a crypt backend for encryption to actually work.
- While doing the configuration for crypt, the setup asks for quite a few things. Here’s a list of values you might use, based on the steps we’ve taken till now:
  - New remote -> name -> `b2-crypt`
  - Type of storage -> crypt
  - Remote to encrypt/decrypt -> `b2-crypt:bucketname`
  - How to encrypt the filename -> “standard”
  - Encrypt directory names -> “false”
  - Password -> yes or generate
  - Salt -> yes or generate
As listed above, the preference is to give it both the `backendName` and `bucketName` in the form `b2-crypt:bucketname`. This makes things easier for syncing the folders inside the bucket. You can simply encrypt it using `b2-crypt:foldername` instead of the longer `b2-crypt:bucketname/foldername`. I find this a bit cleaner as well.

Backing it Up
So far, we’ve set up Nextcloud to use an external volume, created a user for syncing the data and have created an encrypted backend with which we hope to sync the data to B2. Let’s turn that hope into reality.
The command that we’re going to use to do the syncing is:

`--dry-run` and `-v` are just there for debugging. In case everything runs fine, remove these options.

We are going to set up a cron job with `clouduser` to read and sync the data directory to the encrypted backend, every day at 3:05AM. Run the following command as a `sudo` user:

This should open up a cron file in your default editor; add the following to it:
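An added example (my own, not the post’s) that writes the two rclone remotes described above, with the `b2-crypt` crypt remote wrapping the plain `b2` remote, and runs the encrypted sync. Assumed: rclone is installed, the config path below, a `data` folder inside the bucket, and that the password and salt values are the obscured forms produced by `rclone obscure`.

```shell
#!/bin/sh
# Added example (not the post's own): build the rclone remotes the post
# describes (plain "b2" backend wrapped by a "b2-crypt" crypt remote) and run
# the encrypted sync. Assumed: rclone installed; the config path below.
set -eu

RCLONE_CONFIG="${RCLONE_CONFIG:-$HOME/.config/rclone/rclone.conf}"
export RCLONE_CONFIG

# Write both remotes. password/password2 must be the *obscured* forms produced
# by 'rclone obscure <secret>', not the plaintext. The crypt remote's "remote"
# field points at the plain b2 remote; a crypt remote cannot wrap itself.
write_rclone_conf() {
  local key_id="$1" app_key="$2" bucket="$3" pw="$4" salt="$5"
  mkdir -p "$(dirname "$RCLONE_CONFIG")"
  (
    umask 077                        # the file holds credentials: owner-only
    cat > "$RCLONE_CONFIG" <<EOF
[b2]
type = b2
account = $key_id
key = $app_key

[b2-crypt]
type = crypt
remote = b2:$bucket
filename_encryption = standard
directory_name_encryption = false
password = $pw
password2 = $salt
EOF
  )
}

# Sync the Nextcloud data directory to the encrypted remote. Pass "dry" as the
# second argument to add --dry-run -v, as the post does while debugging.
sync_data() {
  local src="$1" mode="${2:-real}"
  if [ "$mode" = "dry" ]; then
    rclone sync --dry-run -v "$src" b2-crypt:data
  else
    rclone sync "$src" b2-crypt:data
  fi
}

# Cron line for the sync user (03:05 daily), added via 'sudo crontab -u syncuser -e':
# 5 3 * * * /usr/local/bin/nc-sync.sh --sync >> /var/log/nc-sync.log 2>&1
if [ "${1:-}" = "--sync" ]; then
  sync_data /mnt/volume-nbg1-1/nextcloud/data "${2:-real}"
fi
```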
Further
As I mentioned, this post isn’t a complete walkthrough for the setup, but more like a skeleton. There are a couple of things you should be doing to have a stable and painless experience in case things go south:
Test the setup
Backup is not there for backing things up, but for restoring the data when the luck turns bad. So set up `rclone` in your local machine, sync some data back, and try to decrypt it. It should work; if it doesn’t then see where it went bad.
Have more than one backup
One problem with encryption is either of bitrot or of lost keys. Since we’re storing our data in someone else’s computer, it might make sense to encrypt it. But it’s always a good idea to have a local copy of it. With this setup, you have a (in case of Hetzner) triple replicated volume with non-encrypted data and another encrypted backup at B2. Make sure you have another local copy in your machine and/or external hard disk.
This blog post is just half backup
Nextcloud documentation says:
You must have both the database and data directory. You cannot completerestoration unless you have both of these.
So come up with a similar approach of backing up your Nextcloud’s database. The details are in the documentation. In my setup, I have a weekly cron job that backs up my database to B2.