Backup & restore
What survives a dead disk, what does not, and how to get back.
No automated backups yet
As of June 2026 no automated backup is configured anywhere in this homelab. Everything below the "Reproducible" line is currently unprotected. Fixing this is a roadmap item.
What is reproducible vs. what is data
Reproducible from the repo: the entire system configuration of every host. A machine can be rebuilt from scratch with the bootstrap runbook; no backup needed.
Actual data is the state that exists only on the hosts:
| Data | Host | Location (NixOS module defaults) | Loss impact |
|---|---|---|---|
| Vaultwarden DB + attachments | midgard | /var/lib/vaultwarden | Critical: all passwords |
| Forgejo repos + DB | midgard | /var/lib/forgejo | Critical: all Git history not pushed elsewhere |
| Uptime Kuma config/history | yggdrasil | /var/lib/private/uptime-kuma | Annoying: checks recreated by hand |
| Grafana dashboards (non-provisioned) | yggdrasil | /var/lib/grafana | Low: main dashboard is provisioned from the repo |
| Prometheus TSDB | yggdrasil | /var/lib/prometheus2 | Acceptable: 15d retention metrics |
| Loki logs | yggdrasil | Loki dataDir | Acceptable |
Keys. Two items deserve explicit care:
- Host SSH keys (`/etc/ssh/ssh_host_ed25519_key`): also the sops age identity. If a host dies, its key dies with it; recovery relies on the `poby` operator key being a `.sops.yaml` recipient (it is). After rebuild, register the new host key and re-encrypt (procedure).
- The `poby` age key and SSH private key are the root of trust. Keep copies outside the homelab (e.g., in Vaultwarden's emergency kit, but note the circularity: not only in Vaultwarden).
Restore path (host loss)
- Rebuild the host: bootstrap runbook
- Re-join the tailnet (`sudo tailscale up`); MagicDNS names recover
- Re-key sops if the host key changed, redeploy
- Restore data directories from backup (once backups exist)
- Verify services per their pages, check Uptime Kuma goes green
Where this should go
The natural first steps, in order of value:
- `services.vaultwarden.backupDir`: the module has built-in SQLite backup support; cheapest possible win
- Forgejo dump or repo mirroring to an external remote
- A proper restic/borgbackup job for `/var/lib` state on midgard, off-host (e.g., to alfheim or object storage)
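
The three steps above combined into one NixOS module for midgard, as an added example that is not configuration from this repo. The job name `midgard-state`, the repository URL with its `backup` account on alfheim, the secret name `restic/password`, the chosen times and retention counts are all assumptions, and the secret path assumes sops-nix.

```nix
# Added example: hypothetical backup module for midgard, not taken from the repo.
{ config, ... }:
{
  # Step 1. Vaultwarden: the module's built-in SQLite backup writes a
  # consistent snapshot here, outside the live data directory.
  services.vaultwarden.backupDir = "/var/backup/vaultwarden";

  # Step 2. Forgejo: periodic dump. With the module's default dump directory
  # it lands under /var/lib/forgejo, so the restic job below picks it up.
  services.forgejo.dump = {
    enable = true;
    interval = "03:30"; # assumed time, before the restic run
  };

  # Assumed secret name. Encrypted to the host key and to the poby operator
  # key via .sops.yaml, so the repository password survives host loss.
  sops.secrets."restic/password" = { };

  # Step 3. Off-host restic job for the critical state on midgard.
  services.restic.backups.midgard-state = {
    initialize = true; # create the repository on first run
    # Assumed target; root on midgard needs SSH access to this account.
    repository = "sftp:backup@alfheim:/srv/restic/midgard";
    passwordFile = config.sops.secrets."restic/password".path;

    paths = [
      "/var/backup/vaultwarden" # consistent DB snapshot from step 1
      "/var/lib/vaultwarden"    # attachments and the rest of the state
      "/var/lib/forgejo"        # repos, DB and the dump from step 2
    ];
    # Skip the live SQLite file: a copy taken mid-write can be inconsistent.
    # Restore the database from the snapshot in backupDir instead.
    exclude = [ "/var/lib/vaultwarden/db.sqlite3*" ];

    timerConfig = {
      OnCalendar = "04:30";
      Persistent = true; # catch up after downtime
    };
    pruneOpts = [
      "--keep-daily 7"
      "--keep-weekly 4"
      "--keep-monthly 6"
    ];
  };
}
```

A backup only counts once a restore has been rehearsed: restoring the latest snapshot to a scratch directory and opening the Vaultwarden database from it covers the "Critical" rows of the table.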