I want to run Linkwarden, Navidrome, and Immich, but where are the databases stored and all the data directories? I looked it up and it seems like I should be backing up /var/lib? Right now I don’t run any and only need to back up my home folder if I need to reinstall NixOS. Would it be a good idea to change all their data directories to be inside my home folder?
Not really since you would then need to give random services access to your home folder. Plus many services set ProtectHome so you’d have to do extra work setting them to no, then that affects all other users on the system as well (if any). And with any services with DynamicUser enabled, that setting would have to be disabled too… it’s just a long thread of bad data management practices that isn’t worth pulling.
Just back up the data you care about.
Which directories should I back up?
I don’t know what services you run or where they store their data.
You’ll have to check their docs and so on.
Storing sensitive data in your home folder is not ideal, as it has permissive permissions. What I do to back up data is set these directories to /mnt, since they are stored on a filesystem with redundancy (raidz). I back up /mnt nightly. This is my immich config.
I’d still suggest staying away from moving the storage directories of services in general.
You’re giving up a bunch of the nice systemd management features doing so, and potential support from default hardening features that set additional permissions on well-known paths, while making your configuration more complex - and in general for no real reason, you can just mount your super special file systems to the directory in /var/lib that your state is stored in, too, while avoiding breaking FHS standards.
Using /mnt for persistent storage is especially bad, it’s intended for temporary mounts. You don’t have to care about standards, of course, but it means that software you use might integrate poorly with your system.
You might not be aware of standards, but NixOS modules generally are, so unless you’re certain you know better, just use the defaults.
As for the actual question here, @waffle8946 is correct, you have to read the documentation of the services you’re deploying. Just copying the directory at random times will leave you with half-written state and hence potentially unrecoverable backups. Generally, you need to at least turn off the service to ensure no database writes occur; though some applications have maintenance modes.
See for example the immich backup docs, since you mention it. Of course, upstream docs usually don’t apply cleanly, so you really also have to read the NixOS module you use, and then match the two up together, maybe experiment a little. Also, has anyone mentioned to you that backups should be periodically tested?
Good backup management is unfortunately not just automatic, brainless work - it takes some actual design and understanding to get it right.
That said, let me leave you with some more concrete help. This is the configuration I use for my immich backups: tlaternet-server/configuration/services/immich/backups.nix at master (tlaternet/tlaternet-server).
services.backups doesn’t exist in NixOS, that’s my own backup module, which is quite specific and really needs a rewrite; you probably can’t use it as-is. I think the interface is pretty legible, though, and should tell you roughly what I do for my immich backups, and give you some ideas as to what scripts you might want to write.
Caveat emptor: I did actually read the immich backup docs and make some choices, these might not work for you. Read the docs yourself as well, and make your own choices.
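Added example (not part of any post above, and not the linked backup module): a cold backup that leaves a service's state directory where it is under /var/lib, stops the unit so nothing is half-written, archives with owner-only permissions, and then tests the result. The unit name, the paths, and the `SYSTEMCTL` override are assumptions for illustration, and it assumes a single unit owns the whole state directory.

```shell
#!/usr/bin/env bash
# Added example: cold backup of one service's state directory, left in place under /var/lib.
# Assumed for illustration: the unit name, the paths, and the SYSTEMCTL override.
SYSTEMCTL="${SYSTEMCTL:-systemctl}"   # overridable so the functions can be exercised without systemd

# backup_state_dir UNIT STATE_DIR DEST_DIR  -> prints the archive path on success
backup_state_dir() {
  local unit state_dir dest_dir name archive rc
  unit="$1"; state_dir="$2"; dest_dir="$3"; rc=0
  [ -d "$state_dir" ] || { echo "no such state dir: $state_dir" >&2; return 1; }
  name="$(basename "$state_dir")-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
  archive="$dest_dir/$name"

  # Stop the service first so no database or file writes land mid-copy.
  "$SYSTEMCTL" stop "$unit" || return 1

  # umask 077 (scoped to the subshell): the archive holds the service's
  # private data, so it must not be readable by other users.
  ( umask 077
    mkdir -p "$dest_dir" &&
    tar -C "$(dirname "$state_dir")" -czpf "$archive.partial" "$(basename "$state_dir")" &&
    mv "$archive.partial" "$archive" &&
    cd "$dest_dir" && sha256sum "$name" > "$name.sha256"
  ) || rc=$?

  # Always bring the service back, even if archiving failed.
  "$SYSTEMCTL" start "$unit" || rc=1
  if [ "$rc" -ne 0 ]; then rm -f "$archive.partial"; return "$rc"; fi
  printf '%s\n' "$archive"
}

# verify_backup ARCHIVE -> 0 only if the checksum matches and the tarball reads end to end
verify_backup() {
  local archive
  archive="$1"
  ( cd "$(dirname "$archive")" &&
    sha256sum -c "$(basename "$archive").sha256" > /dev/null ) &&
    tar -tzf "$archive" > /dev/null
}
```

A service whose database runs as a separate unit needs that unit stopped as well, or a database dump as the upstream backup docs describe.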