Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/escomputers/personalcloud

Deploy a personal home cloud solution
aws backup glacier homecloud nextcloud s3

README

## Minimum Requirements
* Ubuntu >=18 or Debian >=9
* CPU/Memory: 2 CPU/4GB RAM
* Storage: 100GB SSD hard drive
* DNS record A or Cloudflare Tunnel
* HTTP and HTTPS ports opened

## Usage
Run the Nextcloud Docker Compose stack
```bash
# Make sure to set NEXTCLOUD_DATADIR and NEXTCLOUD_MOUNT paths
sudo docker compose up -d
# Reference: https://github.com/nextcloud/all-in-one?tab=readme-ov-file#nextcloud-all-in-one
```

## Offsite Backup on S3 Glacier Deep Archive

### Server configuration
1. Install required packages on the server
```bash
sudo apt update && sudo apt install -y awscli jq restic

# Make sure to use the latest stable version of aws_signing_helper
wget https://rolesanywhere.amazonaws.com/releases/1.4.0/X86_64/Linux/aws_signing_helper
chmod +x aws_signing_helper
sudo mv aws_signing_helper /usr/local/bin/
```

2. Setup PKI
```bash
# Create a private key for CA certificate
openssl genrsa -out homecloud-root-ca.key 4096

# Create CA certificate (valid for 10 years) using an OpenSSL configuration file
# Make sure to change all values inside the [ dn ] SECTION before applying the following command
openssl req -x509 -new -nodes -config certificates/selfsigned-ca.cnf -key homecloud-root-ca.key -days 3650 -out homecloud-root-ca.crt

# Create a private key for client certificate
openssl genrsa -out homecloud-client.key 2048

# Create the client certificate signing request (CSR)
# Make sure that the -subj argument values match the [ dn ] SECTION inside the selfsigned-ca.cnf configuration file before applying the following command
openssl req -new -key homecloud-client.key -out homecloud-client.csr -subj "/C=IT/ST=Ragusa/L=Acate/O=HomeCloud/CN=homecloud.yourdomain.com"

# Sign the client certificate with the CA (valid for 1 year), using an OpenSSL configuration file
# to apply the certificate extensions required by AWS
openssl x509 -req -in homecloud-client.csr -CA homecloud-root-ca.crt -CAkey homecloud-root-ca.key -CAcreateserial -out homecloud-client.crt -days 365 -sha256 -extfile certificates/homecloud-client.cnf -extensions homecloudclient_extensions
```
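Before pasting homecloud-root-ca.crt into a trust anchor it is worth checking the pair produced above against what IAM Roles Anywhere expects. The script below is an added example and is not part of the personalcloud project: `check_roles_anywhere_pair` verifies that the client certificate chains to the CA, that the CA carries basicConstraints CA:TRUE, that the client certificate carries the digitalSignature key usage, that it is signed with SHA-256 or stronger, and that its key is RSA of at least 2048 bits (or EC of at least 256 bits). `make_demo_pair` builds a throwaway CA and client certificate with a chosen key usage so the check can be exercised, and seen to fail, without touching the real keys; run it as `bash check_pair.sh --demo`. The file name, function names and the demo subject names are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the personalcloud project): check a CA / client
# certificate pair against the IAM Roles Anywhere certificate requirements.
set -u

# Returns 0 when every check passes, 1 otherwise; the first failing check is printed.
check_roles_anywhere_pair() {
  local ca_crt="$1" client_crt="$2" ca_txt client_txt bits min
  ca_txt=$(openssl x509 -in "$ca_crt" -noout -text 2>/dev/null)
  client_txt=$(openssl x509 -in "$client_crt" -noout -text 2>/dev/null)

  # 1. The client certificate must be issued by this CA (the trust anchor).
  openssl verify -CAfile "$ca_crt" "$client_crt" >/dev/null 2>&1 \
    || { echo "FAIL: $client_crt does not chain to $ca_crt"; return 1; }
  # 2. The trust anchor certificate must be a CA.
  printf '%s\n' "$ca_txt" | grep -q 'CA:TRUE' \
    || { echo "FAIL: $ca_crt lacks basicConstraints CA:TRUE"; return 1; }
  # 3. Roles Anywhere signs requests with the client key: digitalSignature is required.
  printf '%s\n' "$client_txt" | grep -A1 'X509v3 Key Usage' | grep -q 'Digital Signature' \
    || { echo "FAIL: $client_crt lacks the digitalSignature key usage"; return 1; }
  # 4. SHA-256 or stronger signature.
  printf '%s\n' "$client_txt" | grep -m1 'Signature Algorithm' | grep -Eq 'sha(256|384|512)' \
    || { echo "FAIL: $client_crt is not signed with SHA-256 or stronger"; return 1; }
  # 5. Key size: RSA >= 2048 bits, EC >= 256 bits.
  if printf '%s\n' "$client_txt" | grep -q 'id-ecPublicKey'; then min=256; else min=2048; fi
  bits=$(printf '%s\n' "$client_txt" | grep -oE '\([0-9]+ bit\)' | grep -oE '[0-9]+' | head -n1)
  [ "${bits:-0}" -ge "$min" ] \
    || { echo "FAIL: $client_crt key is only ${bits:-?} bits (minimum $min)"; return 1; }
  echo "OK: $client_crt is usable with trust anchor $ca_crt"
  return 0
}

# Build a throwaway CA and client certificate in directory $1.
# $2 is the client keyUsage: digitalSignature gives a valid pair,
# keyEncipherment gives one that the check above rejects.
make_demo_pair() {
  local dir="$1" ku="$2"
  mkdir -p "$dir"
  cat >"$dir/ca.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
O = HomeCloud
CN = Demo Root CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -config "$dir/ca.cnf" -key "$dir/ca.key" \
    -sha256 -days 1 -out "$dir/ca.crt" 2>/dev/null
  openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
  openssl req -new -key "$dir/client.key" -subj "/O=HomeCloud/CN=demo-client" \
    -out "$dir/client.csr" 2>/dev/null
  # Extensions applied at signing time, as the README does with homecloud-client.cnf.
  printf 'basicConstraints = CA:FALSE\nkeyUsage = critical, %s\n' "$ku" >"$dir/client.ext"
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -sha256 -days 1 -extfile "$dir/client.ext" \
    -out "$dir/client.crt" 2>/dev/null
}

if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  make_demo_pair "$tmp/good" digitalSignature
  make_demo_pair "$tmp/bad" keyEncipherment
  check_roles_anywhere_pair "$tmp/good/ca.crt" "$tmp/good/client.crt"          # OK
  check_roles_anywhere_pair "$tmp/bad/ca.crt" "$tmp/bad/client.crt" || true    # FAIL: key usage
  rm -rf "$tmp"
fi
```

To check the real pair, call `check_roles_anywhere_pair homecloud-root-ca.crt homecloud-client.crt`; the key-usage check is the one most often missed when a generic client certificate is reused.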

### AWS configuration
1. Create a Roles Anywhere Trust Anchor to establish trust between the server and AWS using the Certificate Authority:
- Certificate authority (CA) source = External certificate bundle
- External certificate bundle = Paste the content of homecloud-root-ca.crt into the box
- (Optional) customize Notification settings for certificates expiration alerts

2. Create an S3 bucket and a Lifecycle Rule:
- Rule Scope = Apply to all objects in the bucket
- Lifecycle rule actions = Transition current versions of objects between storage classes
- Storage class transitions = select Glacier Deep Archive from the dropdown
- Days after object creation = set according to your liking (how many days before moving S3 objects to Glacier)

3. Create an [IAM Policy](iam/iam-role-policy.json) but change `s3bucketname` to match your S3 bucket name

4. Create an IAM Role:
- use Roles Anywhere as Service Principal
- attach the previously created permission policy to it
- add a [Trust Policy](iam/iam-role-trust-policy.json) but replace `rolesanywhere-trustanchor-arn` with the Trust Anchor ARN created before
- (Optional) customize Maximum session duration value according to your liking

5. Create a Roles Anywhere Profile:
- select the previously created IAM Role from the dropdown
- (Optional) customize Maximum session duration value according to your liking

### Backup configuration
1. Edit the [ENV file](restic.env) to match your setup, then move it to the path the script expects:
```bash
sudo mv restic.env /etc/restic.env
```

2. Initialize the restic repository
```bash
sudo chmod +x aws_login.sh && sudo mv aws_login.sh /usr/local/bin/aws_login.sh
# The script now lives in /usr/local/bin, so run it from there (the copy in the current directory is gone)
/usr/local/bin/aws_login.sh --init
```

3. Set a retention policy on the server for deleting old snapshots
```bash
# For example:
# keep Daily Snapshots for 7 days
# keep Weekly Snapshots for 4 weeks
# keep Monthly Snapshots for 6 months
# delete all the rest
restic forget --keep-daily 7 --keep-weekly 4 --keep-monthly 6 --prune
```

4. Set a lifecycle policy for .tar.gz files on S3

5. Set a Cronjob to automatically run the backup script
```bash
crontab -e
# Everyday at 2:00am
0 2 * * * /usr/local/bin/aws_login.sh --backup >> /var/log/aws_login.log 2>&1
```
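The project's aws_login.sh is not reproduced on this page. The script below is an added sketch, not the project's own script, of what such a wrapper does: it exchanges the client certificate for short-lived AWS credentials using `aws_signing_helper credential-process`, exports them, and runs the restic backup followed by the retention rule from step 3. It assumes that /etc/restic.env is a file of KEY=VALUE lines that, besides RESTIC_REPOSITORY and RESTIC_PASSWORD, defines CLIENT_CERT, CLIENT_KEY, TRUST_ANCHOR_ARN, PROFILE_ARN, ROLE_ARN and BACKUP_PATHS; those variable names are this example's assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the project's aws_login.sh: fetch short-lived AWS credentials
# through IAM Roles Anywhere, then run the restic backup and retention with them.
# Assumed variables in /etc/restic.env (KEY=VALUE lines), in addition to
# RESTIC_REPOSITORY and RESTIC_PASSWORD: CLIENT_CERT, CLIENT_KEY,
# TRUST_ANCHOR_ARN, PROFILE_ARN, ROLE_ARN, BACKUP_PATHS (space-separated paths).
set -eu

ENV_FILE="${ENV_FILE:-/etc/restic.env}"

# Turn the credential-process JSON printed by aws_signing_helper into shell
# export lines. Values are single-quoted through jq's @sh so eval is safe.
creds_to_env() {
  jq -r '
    "export AWS_ACCESS_KEY_ID=\(.AccessKeyId | @sh)",
    "export AWS_SECRET_ACCESS_KEY=\(.SecretAccessKey | @sh)",
    "export AWS_SESSION_TOKEN=\(.SessionToken | @sh)",
    "export AWS_CREDENTIAL_EXPIRATION=\(.Expiration | @sh)"'
}

# Exchange the client certificate for temporary credentials and export them.
# The session cannot outlive the maximum duration set on the profile and role.
login() {
  set -a; . "$ENV_FILE"; set +a
  local creds
  creds=$(aws_signing_helper credential-process \
            --certificate "$CLIENT_CERT" --private-key "$CLIENT_KEY" \
            --trust-anchor-arn "$TRUST_ANCHOR_ARN" --profile-arn "$PROFILE_ARN" \
            --role-arn "$ROLE_ARN" | creds_to_env)
  eval "$creds"
}

backup() {
  login
  # BACKUP_PATHS is intentionally unquoted so each path becomes its own argument.
  restic backup --verbose $BACKUP_PATHS
  restic forget --keep-daily 7 --keep-weekly 4 --keep-monthly 6 --prune
}

case "${1:-}" in
  --init)   login; restic init ;;
  --backup) backup ;;
  *)        echo "usage: $0 --init | --backup" >&2 ;;
esac
```

The credentials never touch disk: they live only in the environment of the cron job for the length of one run, which is the point of using Roles Anywhere instead of a long-lived access key on the server.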

## Restore backup files
```bash
# List the S3 object keys whose StorageClass is Glacier Deep Archive
aws s3api list-objects --bucket nextcloud-backups-personal-864430642600 | jq -r '.Contents[] | select(.StorageClass == "DEEP_ARCHIVE") | .Key'

# Request a temporary readable copy of an archived object (Deep Archive supports the Standard and Bulk tiers)
aws s3api restore-object \
--bucket nextcloud-backups-personal-864430642600 \
--key "file" \
--restore-request '{"Days":7, "GlacierJobParameters": {"Tier": "Standard"}}'

# Restore a snapshot (restic asks for the repository password unless it is set in the ENV file)
# Wait until the restore requests have completed first: restic cannot read objects that are still in Deep Archive
restic snapshots
restic ls latest
restic restore latest --target /destination/path
```
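A restic repository is more than its data packs: every command reads the config, keys, index and snapshots objects, and a lifecycle rule that applies to all objects in the bucket archives those too. The helper below is an added example, not part of the personalcloud project, that requests a restore for every Deep Archive object in the bucket, waits until each one reports a completed restore, and only then hands over to restic. `select_deep_archive_keys` and `restore_state` are pure filters over the JSON that `aws s3api list-objects-v2` and `aws s3api head-object` print, so they can be tested on constructed input; the script name, function names and the seven-day readable window are this example's choices.

```shell
#!/usr/bin/env bash
# Added example, not part of the personalcloud project: bring every restic
# repository object back from S3 Glacier Deep Archive and wait until it is
# readable, because restic cannot open a repository whose config/keys/index/
# snapshots objects (or the data packs a restore needs) are still archived.
set -u

# Pure filter: list-objects JSON on stdin -> one DEEP_ARCHIVE key per line.
select_deep_archive_keys() {
  jq -r '(.Contents // [])[] | select(.StorageClass == "DEEP_ARCHIVE") | .Key'
}

# Classify a head-object JSON document on stdin by its Restore header:
#   none    - no restore requested yet
#   pending - restore job still running
#   ready   - a temporary readable copy exists (until its expiry-date)
restore_state() {
  jq -r 'if .Restore == null then "none"
         elif (.Restore | contains("ongoing-request=\"true\"")) then "pending"
         else "ready" end'
}

deep_archive_keys() {   # $1 bucket (the CLI paginates list-objects-v2 for us)
  aws s3api list-objects-v2 --bucket "$1" --output json | select_deep_archive_keys
}

request_restore() {     # $1 bucket, $2 key, $3 days kept readable, $4 tier (Standard or Bulk)
  aws s3api restore-object --bucket "$1" --key "$2" \
    --restore-request "{\"Days\":$3,\"GlacierJobParameters\":{\"Tier\":\"$4\"}}"
}

# Request restores for all archived keys, then poll until none is pending.
# Deep Archive retrievals take up to 12 hours (Standard) or 48 hours (Bulk).
restore_repo() {        # $1 bucket, $2 poll interval in seconds (default 600)
  local bucket="$1" interval="${2:-600}" key state pending
  deep_archive_keys "$bucket" | while read -r key; do
    state=$(aws s3api head-object --bucket "$bucket" --key "$key" | restore_state)
    if [ "$state" = "none" ]; then
      request_restore "$bucket" "$key" 7 Standard
    fi
  done
  while :; do
    pending=0
    # restic object keys are hex names without whitespace, so word splitting is safe here.
    for key in $(deep_archive_keys "$bucket"); do
      state=$(aws s3api head-object --bucket "$bucket" --key "$key" | restore_state)
      if [ "$state" != "ready" ]; then pending=$((pending + 1)); fi
    done
    if [ "$pending" -eq 0 ]; then break; fi
    echo "$pending object(s) still being restored, sleeping ${interval}s"
    sleep "$interval"
  done
  echo "repository readable: run restic snapshots, restic ls latest, restic restore latest --target DIR"
}

if [ $# -eq 2 ] && [ "$1" = "--restore" ]; then
  restore_repo "$2"
fi
```

Run it as `bash restore_repo.sh --restore nextcloud-backups-personal-864430642600` with credentials exported first (for example through the Roles Anywhere login). The same readability constraint applies to `restic forget --prune` in the backup job: once the lifecycle rule has moved pack files to Deep Archive, prune can no longer rewrite them, so either keep the transition delay longer than the retention window or run prune only after a restore.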