SayCyberOnceMore

  • 3 Posts
  • 145 Comments
Joined 2 years ago
Cake day: June 17th, 2023

  • The main point is that sync (like RAID) isn’t a backup. If ransomware got in and started encrypting all your files, how would you know / protect yourself…

    There’s a lot of focus on 3-2-1 backups, so offsite is good, but consider your G-F-S strategy too - as long as this remote copy isn’t your only long-term backup option, then sync might be ok for you

    So, syncthing / rsync / etc is fine… but maybe just point it to your monthly / weekly / daily backup folder(s) rather than the main files?

    You also had some other suggestions I think, like zfs / btrfs snapshots… which would be a point in time copy of your files.

    Or burn the photos to DVD / Bluray and store them at the other location? No power requirements there…


  • Wake on LAN won’t work remotely, so you’d either need to have access to a VPN at their location, or have a 2nd always on device that you can connect to and that could then WoL to your device… or… get a device with an IPMI which you remote into. (All non-VPN forms of remote connection are open to abuse)

    I suspect (guess) you’re not going to be able to set up a VPN, so perhaps an always on pi is going to be necessary - so maybe it’ll be that with drives set to spin down when idle?

    OpenMediaVault was my preferred choice until everything went docker on it which was getting too complex for a NAS… so I just created my own, which powers on at certain times of the day and off again when CPU / network IO was low enough.

    Data transfer with syncthing is great, but I don’t really recommend sync for snapshot backups… (consider your files are all corrupted, it’ll happily sync those corruptions) but I have enough space for a few versions of my files, so in theory I can roll back, but it’s certainly not a Grandfather, Father, Son strategy.
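
The Grandfather-Father-Son retention mentioned in the two comments above, as an added example that is not part of the original comments: it selects which dated snapshots to keep and shows which retained copies predate a corruption that went unnoticed for weeks. Function names, quotas, snapshot dates and the compromise date are all constructed for illustration.

```python
from datetime import date, timedelta

def gfs_keep(snapshots, daily=7, weekly=4, monthly=6):
    """Return the snapshot dates to retain under a G-F-S policy.

    Walking newest-first, the first snapshot seen in each day, ISO week and
    calendar month is kept until that tier's quota is filled.
    """
    tiers = {
        "son": (daily, lambda d: d.toordinal()),
        "father": (weekly, lambda d: tuple(d.isocalendar())[:2]),
        "grandfather": (monthly, lambda d: (d.year, d.month)),
    }
    seen = {name: set() for name in tiers}
    keep = set()
    for snap in sorted(set(snapshots), reverse=True):
        for name, (quota, bucket) in tiers.items():
            key = bucket(snap)
            if key not in seen[name] and len(seen[name]) < quota:
                seen[name].add(key)
                keep.add(snap)
    return keep

def gfs_prune(snapshots, **policy):
    """Snapshot dates that the policy allows to be deleted."""
    return sorted(set(snapshots) - gfs_keep(snapshots, **policy))

def clean_restore_points(snapshots, compromised_on, **policy):
    """Retained snapshots taken before the date files started going bad."""
    kept = gfs_keep(snapshots, **policy)
    return sorted(s for s in kept if s < compromised_on)

# Constructed sample: one snapshot per day for 120 days, ending 2024-06-30.
SAMPLE = [date(2024, 6, 30) - timedelta(days=n) for n in range(120)]
# Assumed scenario: corruption starts 2024-06-10, noticed on 2024-06-30.
COMPROMISED = date(2024, 6, 10)

if __name__ == "__main__":
    print("G-F-S restore points:", clean_restore_points(SAMPLE, COMPROMISED))
    print("last-7-versions only:",
          clean_restore_points(SAMPLE, COMPROMISED, weekly=0, monthly=0))
```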





  • Ansible is an automation tool to set up systems to a known desirable end state.

    TBH, for a single device, it’s overkill, but you seem like someone who keeps good notes and has some custom files to copy across… you could convert your setup note into an Ansible file, and it will also copy over your custom config files.

    For Ansible you define the desired outcome and it does “all” (kinda) the work for you… so… say you want Apache, MariaDB and PHP, it doesn’t matter if half are installed already, or not, or their dependencies - you just say:

      • Do an update
      • Install packages: A B C
      • Copy my config files over
      • Start the services
      • Relax

    Yep, it’ll take 10 times as long to get it working up front, but the day you want to duplicate it / start on a fresh Pi / VM, it’s all there for you.

    I use it to set up all my Pi Zeros the same way (they’re doing BLE presence detection) and for their regular updates

    I’ve also got some VMs set up that way

    But… I tried it on a laptop and as it’s a single device I just ended up setting it up manually and now the ansible script is woefully out of date… just some balanced feedback.






  • I commented elsewhere here, but E2E encryption is just between the server and the end user (ie a VPN)

    You’re thinking about encryption at rest, on the storage.

    Immich would have to set up a whole new design to be able to store all the metadata on a per-user basis… but… you could have multiple Immich instances if you were to host it for your friends, but I think we’re drifting into “why bother” now…