• 4 Posts
  • 122 Comments
Joined 3 years ago
cake
Cake day: December 12th, 2023

help-circle
  • I’m going to post all the commands I use because I think that may be easier to follow. All the commands I’m posting will include the --dry-run option so if anyone tries to copy/paste this into their terminal, no actions will be taken. Instead it will show you what is going to happen if you ran the command without any changes.

    As I mentioned before, each partition will require it’s own command. The easiest way is using lsblk. Below is my current setup and here you can see I have 5 partitions. One partition is a swap so I will only be working with 4 partitions, /, /boot, /boot/efi and /home:

    dell:~ $ lsblk
    NAME                  MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
    nvme0n1               259:0    0 953.9G  0 disk  
    ├─nvme0n1p1           259:1    0   500M  0 part  /boot/efi
    ├─nvme0n1p2           259:2    0  62.5G  0 part  
    │ └─luks1-dell        253:0    0  62.5G  0 crypt 
    │   ├─vg_dell-lv_boot 253:1    0   500M  0 lvm   /boot
    │   ├─vg_dell-lv_swap 253:2    0     8G  0 lvm   [SWAP]
    │   ├─vg_dell-lv_root 253:3    0    38G  0 lvm   /
    │   └─vg_dell-lv_home 253:4    0    16G  0 lvm   /home
    ├─nvme0n1p3           259:3    0   600G  0 part  
    ├─nvme0n1p4           259:4    0 270.9G  0 part  
    └─nvme0n1p5           259:5    0    20G  0 part 
    

    It’s good to first check what partitions you are using. My Raspberry Pi’s (ARM) only have / and /boot for example.

    The following rsync commands are what I use to make a complete backup of my system. I do exclude a number of directories because they are for temporary stuff like ram, processes or even devices/drives. It’s also important to exclude the specified backup directory to avoid recursing into the backup directory and filling up your storage space.

    I have a manual backup location and automated backup location. The following is for my manual backup location in /backup/main on my system. This location can be changed to wherever you want your backup.

    # Backup
    # /
    rsync --dry-run --archive --acls --one-file-system --xattrs --hard-links --sparse --verbose --human-readable --partial --progress --numeric-ids --delete --exclude=/backup/* --exclude=/boot/* --exclude=home/* --exclude=proc/* --exclude=sys/* --exclude=dev/* --exclude=tmp/* --exclude=run/* --exclude=mnt/* --exclude=media/* '/' '/backup/main/'
    
    # /boot/
    rsync --dry-run --archive --acls --one-file-system --xattrs --hard-links --sparse --verbose --human-readable --partial --progress --numeric-ids --delete --exclude=lost+found '/boot/' '/backup/main/boot/'
    
    # /boot/efi/
    rsync --dry-run --archive --acls --one-file-system --xattrs --hard-links --sparse --verbose --human-readable --partial --progress --numeric-ids --delete --exclude=lost+found '/boot/efi/' '/backup/main/boot/efi/'
    
    # /home/
    rsync --dry-run --archive --acls --one-file-system --xattrs --hard-links --sparse --verbose --human-readable --partial --progress --numeric-ids --delete --exclude=lost+found --exclude=.cache/* '/home/' '/backup/main/home/'
    
    rsync restore commands
    # Restore
    # /
    rsync --dry-run --archive --acls --one-file-system --xattrs --hard-links --sparse --verbose --human-readable --partial --progress --numeric-ids --delete --exclude=/backup/* --exclude=/boot/* --exclude=home/* --exclude=proc/* --exclude=sys/* --exclude=dev/* --exclude=tmp/* --exclude=run/* --exclude=mnt/* --exclude=media/* '/backup/main/' '/'
    
    # /boot/
    rsync --dry-run --archive --acls --one-file-system --xattrs --hard-links --sparse --verbose --human-readable --partial --progress --numeric-ids --delete --exclude=lost+found '/backup/main/boot/' '/boot/'
    
    #/boot/efi/
    rsync --dry-run --archive --acls --one-file-system --xattrs --hard-links --sparse --verbose --human-readable --partial --progress --numeric-ids --delete --exclude=lost+found '/backup/main/boot/efi/' '/boot/efi/'
    
    # /home
    rsync --dry-run --archive --acls --one-file-system --xattrs --hard-links --sparse --verbose --human-readable --partial --progress --numeric-ids --delete --exclude=lost+found --exclude=.cache/* '/backup/main/home/' '/home/'
    

    It’s been a while since I last researched these options so I’ll give a brief explanation of the types of options I used. I’d suggest having a look online or at the man page to get a better idea of what each option does.

    Options:

    --dry-run Only displays what rsync will do, remove this once you are ready to commit any syncs/changes

    archive --acls --one-file-system --xattrs --hard-links --sparse Helps preserve file attributes and other information. I think hard-links is also used to reduce backup size. There are many rsync guides that will give a better explanation of how hard-links work

    verbose --human-readable --partial --progress will display visual data about what rsync will do

    --numeric-ids I use this because I store multiple device backups on a single drive which gets copied to other storage devices. This stores file ownership information as numeric values to prevent ownership issues when restoring

    --delete this will force the destination directory to match the source directory completely. If you delete a file from the source directory, when you perform a sync, it will delete the same fie in the destination directory. This can be dangerous if you are not prepared for it. This is why --dry-run is so important and useful.

    Extra options: My automated scripts use 2 additional options. I keep a rolling set of 4 backups (One month of weekly backups). I create a new directory /backup/updating and use a symlink from/backup/latest that points to the most recent automated backup. After the backup is created, I rename /backup/updating to something with a timestamp like /backup/backup_2026-07-01_1782882013

    --mkpath will create any non existing directories specified in the command

    --link-dest=/backup/latest/ will use the unchanged files from this directory to help reduce backup sizes. I think this is called an incremental backup

    This has been the most reliable way to handle backups for myself. I do run into issues with docker/podman containers sometimes and will have to manually delete those directories. I haven’t figured out how to deal with that issue yet but fortunately it’s easy to find those directories. Running the command will give errors about what directories can’t be removed which makes it easy to hand delete them in another terminal window.


  • Timeshift is essentially a gui on top of rsync anyway, if you look at what it’s doing behind the scenes.

    That’s the reason why I chose to learn rsync. I was frustrated with Timeshift. It failed to restore some changes multiple times. It gave me issues with docker. It also had default excludes that were annoying to change as well.

    I then learned how to make a complete system backup with rsync itself. /, /boot/ and /boot/efi/ has to be done on separate rsync commands. Basically one command per partition.

    A restore involves flipping the source and destination in the rsync command. It also allows me to boot into a live USB and perform a restore in the event that I really mess up and can’t perform a restore normally through the installed OS.

    By leaving behind the GUI, I got a lot more flexibility. It’s also a lot more reliable and I’ve had a lot less restore issues.



  • I’ve been trying to find a balance between what I currently own, what I can do with it and using as little outside resources to self host. I’m also cautious about what has access to the internet which limits what I host.

    I have two Raspberry Pi’s. One is only accessible through my home’s local network through my WiFi Extender network. That WiFi extender also helps hide my personal network from my ISP which see’s everything connected to the main modem/router. This Pi is strictly for my IoT devices.

    My other Pi is a web facing server. It has Caddy and Kiwix. It hosts a static blog, simple file server which servers my git repositories, some survival ebooks, plain text recipes and a bunch of programming related resources. Kiwix has a bunch of wikis, Wikipedia to survival stuff, vegetarianism, coding stuff and things surrounding those topics generally. I generally avoid anything that uses databases because I don’t have the energy to learn, maintain and protect that. Plus I have a focus on small, low powered minimalism.

    Those Pi’s both use Alpine Linux. I chose Alpine because it’s small and uses less common tools. doas over sudo, OpenRC over SystemD, and Musl over glibc. It’s a bit of security by obscurity but I’ve also made efforts to harden Alpine Linux itself too. I’ve disabled a lot of kernel modules, made strict firewall rules, and made sure to include the use of apparmor. I’ve also written all my backup solutions and maintenance scripts myself and tested as thoroughly as I am capable of. I also avoid complexity by keeping things as minimal as possible to reduce the surface area of any possible attacks.

    I use podman containers to keep everything in the userspace. Caddy is my reverse proxy which means only one port is freely accessible to the internet. I also use a wildcard cert to obscure my publicly available information and use an uncommon port instead of the standard 80/433 ports. Because of the wildcard cert/uncommon port, I receive no bot traffic so I don’t feel the need to use Cloudflare or Anubis. I’m hidden enough and the only people I want on my blog/file server/Kiwix wiki’s are close friends.

    For SSH, I’ve hidden all those behind WireGuard so the second open port to my web server looks hidden from scanners (at least that’s how I understand it). I used to use a custom port which only got about 15 hits a week from bots appearing from the Netherlands. That number has since dropped to zero after setting up WireGuard. I’m sure the bots are attempting but they aren’t making any appearances in my logs and that’s good enough for me.

    I’m happy more talk about security has been popping up lately. So many websites focus on getting things running and just don’t take any time to talk about security. I had to switch from docker to podman because docker had so much control over iptables that never got reported to ufw which was a concern for me. That point is rarely talked about since it’s so easy to copy and run a docker-compose.yml file.


  • I often see claims that Alpine linux is just for embedded systems. I wanted to highlight to other people that there is far more to Alpine than embedded systems or being used for containers.

    It’s mininal like void but still very flexible and capable if people are willing to work with Musl, BusyBox or OpenRC. It’s a nice option for anyone who has issues with SystemD or may want to depend less on GNU tools.

    Like any distribution, it doesn’t fill everyone’s wants or needs but it seems to have grown more than serving just embedded systems.



  • Aaah that’s good to know. I’ve seen HAproxy mentioned before and this was the first time I looked at it.

    I am happy I went with Caddy because networking is not my strength and Caddy is quite simple in comparison to other reverse proxies. Nginx config files will forever look like scribbles to me.

    I don’t know about the limitations of using an uncommom port though because my needs are quite small and obscure by design. I do wonder if other people could benefit from using wildcard certs + uncommon ports. Watching bots/scrapers drop to zero attempts and stay zero has been really satisfying and I haven’t had the desire to use outside services like Anubis or Cloudflare.

    I know someone out there with itchy fingers is ready to warn that obscurity isn’t security and I wouldn’t deny that. However, I do believe obscurity layered with security is valid as long as security takes the main focus.


  • For the past year I’ve been learning to self host minimally on a used Raspberry Pi 5. I do have a Pi 4 as well but that’s dedicated to HomeAssistant for the small handful of lights and switches it controls.

    Both Pi’s run Alpine Linux with Podman containers. For my Pi 5 server it runs Caddy as my reverse proxy/SSL cert handler plus another contained for Kiwix. It’s super simple. Caddy also has a basic file server for me to host my git repositories as well as hosting my static site.

    The static site is based off a script I found called BashWrite but it hasn’t been updated in a year so I decided to add some of my own changes to it here. I also fixed up some of the English grammar since the original creater wasn’t an English native speaker.

    I’m still focusing on the background stuff but I’ve put a lot of effort into security and hardening. I’ve written all the maintenance (backup, keep-alive, updating) myself using POSIX portable scripts which can all be found on my codeberg page. It’s been a long process but I’m nearly there. I just have to switch from iptables to nftables and add secrets to my Caddyfile configuration to hide important keys that are currently sitting as plain text. After that I can focus on my blog/static site.

    Since I’m not doing this for a business, I’ve decided to use a wildcard domain for my SSL cert plus an uncommon port as a low effort way to hide myself from bots/scraper. Also I set up Wireguard infront of my SSH connection to also hide from bots. My log activity only shows my own activity which is comforting to know, especially since I’ve seen just how active bots and scrapers are in comparison to a year ago when I was just getting started and beginning to learn things.

    It’s really cool to see another minimal project like this and I think it’s refreshing to see. A lot of the times I see people with dozens on intensive services running and I feel a bit out of place with my scaled down self hosted project.

    My only question about your setup is about HAproxy. How important is a load balancer for your site? I don’t think I will need one for myself since the traffic will mostly be for myself and a few people I know personally but I am still curious about how it works and how effective it is for your setup.



  • This was a number of months ago so I doubt it would be remembered anywhere at this point. After that, a number of posts I commented in were also removed as well. It was very confusing because everything seemed appropriate for the community. I do look forward to seeing how this community grows/changes now.

    I’ve taken a very minimalist approach to self-hosting but I’ve given extra attention towards security. I feel like security doesn’t get talked about as much as it could be. It’s especially important these days with bots roaming around everywhere.

    I also use some unconventional methods that I’d like to share (layering security with obscurity with a focus on security first). It’s not a one size fits all solution but I can stay private while exposing my server with minimal tools. It works for me though and my logs haven’t shown any outside activity besides my own.


  • I stopped posting and commenting on this community because things kept getting deleted even though it was all very clearly about self-hosting. It was very disappointing because I spent a lot of time on my contributions. One post I made a while ago was about self-hosting security and had tons of activity only for all that information to be removed over rule 3. Very confusing and disappointing.

    I’m interested in seeing how the vibe around here changes going forward. Maybe I’ll be less cautious about participating.


  • I just use SSH+Rsync for everything. I traded two-way sync for minimalism and reliability. I’ve had nothing but headaches with anything else, especially Syncthing.

    My Computer and both Raspberry Pi servers both run Linux and I have Termux installed on my Android phone so OpenSSL and Rsync are easily available.

    I made a script that runs Rsync commands from files containing all the information which easily swaps source/target files so I can easily transfer in both directions with a simple command line option. It’s reliable and simple and I’ve had a lot less headaches troubleshooting the rarely occurring issues.


  • I got into programming within the last couple years and Codeberg was my first choice for a public git repository. I’m glad I made that decision back then.

    I keep a clone of my Codeberg repo’s on my server simply using Caddy’s built in file server. Unless someone takes interest in the projects I’m working on, I don’t really feel like hosting an instance of Forgejo myself. At the very least the code and git history is still available directly from my server and that makes me happy enough.


  • Since last time, I’ve finally learned how to make rootless podman work on Alpine Linux and it’s been pretty smooth so far.

    My Pi4 is quietly running HomeAssistant and I like to leave that untouched so I don’t have to worry about pooping in the dark. I learned that the container requires root in order to access the Zigbee USB dongle through dbus so I can’t really run it as a rootless container. It’s not web facing so it’s locked down to my local network which is good enough for me.

    My Pi5 is finally up and running again. Got a new, shorter domain name, managed to get the TLS set up in one go with Caddy which was nice. Right now I just have a bunch of wiki’s hosted with Kiwix and a file server using Caddy.

    I’m putting the final touches on my series of scripts I wrote meant for automating backups. rTransfer for the actual backup, remoff for rotating backups (I plan to keep 1 backup a week, over a months time), and containers-util(work in progress) to automatically start and stop containers in preparation for a backup.

    A bit crazy but I’ve been working on this whole backup process on and off for about a year now. It’s all POSIX portable except for a few commands like rsync and podman. Once I finish the last script, I’ll set up a blog and then my server will be secure to my liking and very low maintenance (my keep-alive script I also wrote has been working better than expected).

    I also wrote a Dynamic MOTD script which updates /etc/motd with some basic information about the machine so I can get a quick look at the machine I’m ssh’ing into. I’m quite happy with how it turned out too.

    I’ve been trying to use as few programs as possible and building my own when I can. It’s been quite the adventure this past year and a bit.




  • I keep everything I do as minimal as possible.

    Everything is documented using either sh scripts or markdown style plain text files. If I need anything more than that, I’m over complicating things for my brain.

    The upside to this approach is that it works anywhere because it’s all just text files and it’s very tiny in size. I am more interested in making low-power/low-spec things work so less is appropriate.


  • I have lots of scripts and aliases since I run a very mininal setup.

    The aliases are automatically set when I start a new shell and I have a shortcut command to cat the alias file so I can quickly view what aliases and functions I have saved.

    I also have a folder that contains all my notes and scripts. It’s all organized and it acts as a staging area before I move any scripts to the proper location or device.

    I found a hobby in writing scripts. I’ve been spending a lot of time writing my own backup system that uses rsync and it’s nearing completion which I’m excited about. It’s been something I’ve been working building on and off since the new year began.



  • Thanks, I’ve learned a lot about Linux focusing on learning POSIX portable scripts. It’s been an experience.

    I just have two containers. Caddy which handles let’s encrypt certificates and Kiwix to host Wikipedia plus about 10 other wikis, ranging from Linux coding to first aid, gardening, and other stuff meant for local self sufficiency.

    I also use Caddy as a basic file server. I have a number of self sufficiency books on there, POSIX coding references and all my scripts and notes on Alpine Linux. I also have a static blog site there simply using Caddy as well.

    I have a strong focus on minimalism so I don’t intend in going crazy with self hosted services. Also I have huge trust issues with so many self hosted projects so making my own projects when possible means less exposure to security vulnerabilities, AI or enablers of Authoritarian powers.

    I spent a lot of time making it secure with some added obscurity so only myself and those who I share my site with can feel safe connecting to my server. It’s been quite the learning adventure.

    Let me know if you have any issues with the motd script. I gather most of the information from /sys/ and /proc/ files so hopefully it’s consistent and accurate across other distributions. I’ve only tested it on Alpine Linux.