fix(backup): correct backup paths and add missing services #2

Merged
ashie merged 1 commit from franz-kafka/nixos-vps:fix/backup-paths into main 2026-03-19 14:52:00 +00:00
Owner

Summary

Fixes stale and missing backup paths. Several services were not being backed up at all.

Changes

| Path | Status | Why |
|------|--------|-----|
| /var/lib/vaultwarden | Added | Actual Vaultwarden SQLite DB (was using old bitwarden_rs path) |
| /var/backup/vaultwarden | Kept | Built-in sqlite backup snapshots |
| /var/lib/private/AdGuardHome | Added | DNS config, custom filters, query logs |
| /var/lib/sops-nix | Added | Age decryption key — critical, without this all secrets are unrecoverable |
| /var/lib/crowdsec | Added | CrowdSec state, ban decisions, custom parsers |
| /var/lib/bitwarden_rs | Removed | Stale path — Vaultwarden uses /var/lib/vaultwarden |
| /var/lib/forgejo | Already covered | Added dynamically by the Forgejo module |

Still not backed up

  • OpenClaw Podman volume (openclaw-data) — named volumes need a separate approach, needs investigation of the host mount path

Recommendations

  • SOPS age key should have an offline backup too (USB drive, password manager, paper). B2 alone is a single point of failure for all secrets.
franz-kafka added 1 commit 2026-03-19 14:50:41 +00:00
- Replace stale /var/lib/bitwarden_rs with /var/lib/vaultwarden (correct DB path)
- Add /var/lib/private/AdGuardHome (DNS config, filters, query logs)
- Add /var/lib/sops-nix (age decryption key — critical for secret recovery)
- Add /var/lib/crowdsec (security engine state and decisions)
- Keep /var/backup/vaultwarden (built-in sqlite backup snapshots)

Note: Forgejo data path is still added dynamically by the forgejo module.
Note: OpenClaw Podman volume needs separate handling (named volume path on host).
ashie merged commit 2bc375ab86 into main 2026-03-19 14:52:00 +00:00
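
The two failure modes this PR fixes (a configured path that no longer exists, and service state that no configured path covers) can be checked mechanically. The script below is an added example, not code from this repository; the function names, the `ROOT` prefix argument and the `exampled` directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the repository. ROOT is a path prefix so the
# audit can run against a test tree; pass "" on a real host.

# check_paths ROOT PATH...: print STATUS<TAB>PATH per path; status 1 on any problem.
check_paths() (
  root=${1%/}; shift; rc=0
  for p in "$@"; do
    if [ ! -e "$root$p" ]; then
      printf 'STALE\t%s\n' "$p"; rc=1      # configured, but nothing lives there
    elif [ -d "$root$p" ] && [ -z "$(ls -A "$root$p")" ]; then
      printf 'EMPTY\t%s\n' "$p"; rc=1      # exists, but there is nothing to back up
    else
      printf 'OK\t%s\n' "$p"
    fi
  done
  exit "$rc"
)

# uncovered_dirs ROOT STATE_DIR PATH...: print each child of STATE_DIR that no
# PATH equals, contains, or sits inside (a child counts as covered as soon as
# one path below it is listed, so review those children by hand).
uncovered_dirs() (
  root=${1%/}; state=$2; shift 2
  for d in "$root$state"/*/; do
    [ -d "$d" ] || continue
    d=${d%/}; rel=${d#"$root"}; covered=no
    for p in "$@"; do
      case "$p/" in "$rel"/*) covered=yes ;; esac   # p is rel or below it
      case "$rel/" in "$p"/*) covered=yes ;; esac   # rel is p or below it
    done
    [ "$covered" = yes ] || printf '%s\n' "$rel"
  done
)

# Constructed sample tree: the state directories named in this PR plus a
# hypothetical unlisted service "exampled"; /var/lib/bitwarden_rs is absent.
make_sample_tree() {
  t=$(mktemp -d)
  for d in vaultwarden private/AdGuardHome sops-nix crowdsec forgejo exampled; do
    mkdir -p "$t/var/lib/$d"; : > "$t/var/lib/$d/state"
  done
  mkdir -p "$t/var/backup/vaultwarden"     # left empty on purpose
  printf '%s\n' "$t"
}
```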
Reference: penal-colony/nixos-vps#2