Update Homelab Todo List; add Kopia Backup Setup

2026-04-20 11:48:54 +00:00
parent eb9962ca9a
commit b9335b8aae
2 changed files with 154 additions and 1 deletions
--- a/02_Projects/Homelab
+++ b/02_Projects/Homelab
@@ -31,7 +31,14 @@ Curated list of open homelab work across task history, memory, and second-brain
  - Blocker: hardware purchase decision
 - [ ] Define regular backup flow to parents' NAS
  - Depends on: backup matrix + parents' NAS target design
- [ ] Set up Kopia/Time Machine backup for Claudio's and Alena's machines
+- [x] Set up Kopia/Time Machine backup for Claudio's and Alena's machines
+  - Kopia server running on Debian VM (Proxmox), Synology NFS backend
+  - MacBook connected as `claudio@macbook-main`
+  - launchd job running `kopia snapshot create --all` every 6h
+  - Documented in `05_Resources/Kopia Backup Setup.md`
+- [ ] Set up weekly `kopia snapshot verify --verify-files-percent=100` cron with failure alert
+- [ ] Set up weekly full restore test cron job
+- [ ] Add Alena's machine as second Kopia user
  - Next action: choose destination and retention policy

 ### 2. Simplify the homelab and hosting architecture
--- a/05_Resources/Kopia
+++ b/05_Resources/Kopia
@@ -0,0 +1,146 @@
+# Kopia Backup Setup
+
+> Last updated: 2026-04-20
+
+## Architecture
+
+- **Hypervisor:** Proxmox (MacBook Pro 2017 Intel)
+- **Backup server runtime:** Debian VM on Proxmox
+- **Repository storage:** Synology NAS via NFS (`192.168.1.34:/volume1/kopia-repository`)
+- **Service:** Kopia Repository Server
+- **Access:** Tailscale / LAN
+- **TLS:** self-signed cert at `/etc/kopia/server.cert` + `/etc/kopia/server.key`
+- **First client:** MacBook (claudio@macbook-main)
+
+## Repository model
+
+The repository blobs live on Synology NFS. The Kopia Repository Server acts as the HTTP/S layer in front of it. Clients connect to the server, not directly to the NAS share.
+
+## Important paths (VM)
+
+| Purpose | Path |
+|---------|------|
+| NFS mountpoint | `/srv/kopia-repo` |
+| Repository blobs | `/srv/kopia-repo/repository` |
+| TLS cert | `/etc/kopia/server.cert` |
+| TLS key | `/etc/kopia/server.key` |
+| Env vars | `/etc/kopia-server.env` |
+| Systemd service | `/etc/systemd/system/kopia-server.service` |
+
+## Users
+
+| User | Identity | Machine |
+|------|----------|---------|
+| `claudio` | `claudio@macbook-main` | MacBook |
+
+## Passwords (stored in pass)
+
+All three passwords are stored in `pass`:
+- `KOPIA_REPO_PW` — repository encryption password
+- `KOPIA_SRV_CTRL_PW` — server control plane password
+- `KOPIA_SRV_PW` — web UI login password
+
+## How to get the cert fingerprint
+
+```bash
+openssl x509 -in /etc/kopia/server.cert -noout -fingerprint -sha256 | sed 's/://g' | cut -f 2 -d =
+```
+
+## Server commands
+
+```bash
+# Status
+sudo systemctl status kopia-server --no-pager
+
+# Logs
+sudo journalctl -u kopia-server -n 100 --no-pager
+
+# Check listening
+ss -ltnp | grep 51515
+
+# Refresh credentials (after adding users, etc.)
+kopia server refresh \
+ --address=https://127.0.0.1:51515 \
+ --server-control-username=control \
+ --server-control-password="$KOPIA_SRV_CTRL_PW" \
+ --server-cert-fingerprint=YOUR_FINGERPRINT
+```
+
+## MacBook client commands
+
+```bash
+# Repository status
+kopia repository status
+
+# List snapshots
+kopia snapshot list
+
+# Manual snapshot
+kopia snapshot create --all
+
+# Test restore
+mkdir -p ~/kopia-restore-test
+kopia restore latest ~/kopia-restore-test
+```
+
+## Automatic backups (launchd)
+
+A launchd job at `~/Library/LaunchAgents/com.claudio.kopia-backup.plist` runs `kopia snapshot create --all` every 6 hours.
+
+To reload after editing:
+```bash
+launchctl unload ~/Library/LaunchAgents/com.claudio.kopia-backup.plist 2>/dev/null || true
+launchctl load ~/Library/LaunchAgents/com.claudio.kopia-backup.plist
+launchctl list | grep kopia
+```
+
+## Known failure modes
+
+1. **"not connected to a direct repository"** on Mac — server is running but not connected to repo. Fix: make sure systemd service runs as the same user (`cef`) that created the repository.
+
+2. **`400 Bad Request: not connected`** on refresh — same root cause as above. Check `kopia repository status` as the service user.
+
+3. **Browser works but Mac client fails** — usually cert fingerprint mismatch or HTTPS listener issue. Check fingerprint on client matches server.
+
+4. **Shell quoting bug** — always use `"$VAR"` not `'$VAR'` in kopia commands.
+
+## Maintenance
+
+- `kopia repository status` — verify repo integrity
+- `kopia snapshot verify --verify-files-percent=100 --file-parallelism=10 --parallel=10` — full consistency check (runs weekly via cron)
+- Weekly restore test via cron job (see HEARTBEAT/backup task)
+- Certificate fingerprint must be re-entered after cert rotation
+
+## Adding a new user
+
+On the VM:
+```bash
+kopia server user add partner@hostname
+# set password when prompted
+kopia server refresh \
+ --address=https://127.0.0.1:51515 \
+ --server-control-username=control \
+ --server-control-password="$KOPIA_SRV_CTRL_PW" \
+ --server-cert-fingerprint=YOUR_FINGERPRINT
+```
+
+From the new client machine:
+```bash
+kopia repository connect server \
+ --url=https://YOUR_VM_IP:51515 \
+ --server-cert-fingerprint=YOUR_FINGERPRINT \
+ --override-username=partner \
+ --override-hostname=hostname
+```
+
+## Next steps
+
+- [ ] Finalize Mac backup roots (Documents, Desktop, project folders — avoid full ~/Library initially)
+- [ ] Set retention policies on real backup roots
+- [ ] Test automatic backups from the Mac
+- [ ] Add spouse's machine as second user
+- [ ] Test restore from spouse's machine
+- [ ] Weekly `kopia snapshot verify --verify-files-percent=100` cron job with failure alert
+- [ ] Weekly full restore test cron job
+- [ ] Off-site replication of the Kopia repository (parents' NAS?)
+- [ ] Keep Time Machine in parallel for full-machine restore