
Backup, HTTP routes and firewall

Davide Principi edited this page Nov 21, 2023 · 14 revisions

Backup

Cluster backup

First things first: set up a passphrase to encrypt the cluster backup.

The cluster configuration backup is used to restore the system in case of a disaster. It also contains the configuration of the data backup repositories.

⚠️ If you lose the passphrase of the cluster backup, you will also be unable to recover the data backup!

Data backup

Data backups are executed with restic: a new restic encryption key is randomly generated when a backup repository is created. Create a new backup repository for local storage:

You can attach the local storage to a custom disk.

🛠️ Prepare a fake disk to be attached to the local backup repository:

# Create a 4 GiB file-backed disk image and format it as ext4
dd if=/dev/zero of=/fakedisk bs=1M count=4096
mkfs.ext4 /fakedisk
# Create a podman volume backed by the image, labelled with the backup role
podman volume create --label org.nethserver.role=backup --opt=device=/fakedisk --opt=o=noatime backup00
# Point the rclone-webdav service at the new volume and restart it
echo BACKUP_VOLUME=backup00 > /var/lib/nethserver/node/state/rclone-webdav.env
systemctl restart rclone-webdav.service
# Remove the previous rclone-webdav volume
podman volume rm rclone-webdav

💁‍♂️ You can configure a custom restic encryption key during backup repository creation.

Now schedule a backup:

  1. What
  2. Where
  3. When and how long

💁‍♂️ You can schedule multiple backups for one or more modules. Example: if Nextcloud data are very important to you, you can schedule a daily backup to a remote cloud provider and an hourly backup to local storage.

Backup status and disk occupation are available from the Backup page under the Schedule section.

💁‍♂️ You can search for backup logs directly from the System logs page.

Backup a new module:

  • Access the Software Center page and install Dokuwiki, then configure the Dokuwiki instance. If you want, just access the application and write something to the wiki.
  • Configure a backup for Dokuwiki and execute it.

🛠️ Verify the backup status from command line:

# Open a shell in the environment of the dokuwiki1 module user
runagent -m dokuwiki1 /bin/bash
# List the module's user timers and check the state of the backup timer
systemctl --user list-timers
systemctl --user status backup1.timer

Module restore

Access again the wiki and delete the page.

It's now time to restore the lost page from backup! Access the Backup page and, at the bottom, click on Restore an app.

Select the app instance to restore and tick Replace existing <xxx> instance.

Select the destination and run restore. At the end, the dokuwiki1 instance should be replaced with the restored one.

⚠️ If you are still logged into the system as dokuwiki1, the restore will fail with the following error:

userdel: user dokuwiki1 is currently used by process 19853

HTTP routes

All web applications can be accessed through the Traefik HTTP proxy. Traefik is the TLS terminator for all web applications; it can request Let's Encrypt TLS certificates, which other applications such as the mail server can also use.

There is one HTTP proxy per node. You can see the current configuration by accessing the Settings page and clicking the HTTP routes card.

Rules created by modules can't be modified, but it's possible to create custom rules.

Create a custom rule for the user portal:

  1. Access the "Domains and Users" section.
  2. Click on the label "N provider" for the domain you are interested in.
  3. Remember the name of the provider under the Providers section.
  4. Go to Settings -> Routes.
  5. Select the route with the provider's name you identified earlier, suffixed with -amld.
  6. Click on it and copy the URL field that appears in the modal.
  7. Use this URL to create the custom route.

⚠️ When an application is configured with a Let's Encrypt certificate, that certificate can't be removed!

Firewall

NS8 comes with a built-in firewall to protect locally running applications.

You can see the firewall rules and the list of open ports from the Nodes page.

🛠️ You can also list the currently open ports from the command line. Type as root:

firewall-cmd --list-all

Or:

nft list table inet firewalld
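A defender's check built on the firewall-cmd --list-all output above, as an added example that is not part of this wiki: it parses the active zone's services and ports and reports anything not on an assumed baseline (ssh, dhcpv6-client, 80/tcp, 443/tcp); the sample output is constructed, and the baseline is an assumption to adjust per node.

```python
import subprocess

# Constructed sample of `firewall-cmd --list-all` output on a node (not real data).
SAMPLE_OUTPUT = """\
public (active)
  target: default
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 80/tcp 443/tcp 8443/tcp
  forward: no
  rich rules:
"""

# Baseline assumed for this example: SSH plus HTTP/HTTPS for Traefik. Adjust per node.
EXPECTED_SERVICES = {"ssh", "dhcpv6-client"}
EXPECTED_PORTS = {"80/tcp", "443/tcp"}

def parse_list_all(output):
    """Return (zone, services, ports) parsed from a `firewall-cmd --list-all` dump."""
    zone, services, ports = None, set(), set()
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():  # unindented line is the zone header, e.g. "public (active)"
            zone = line.split()[0]
            continue
        key, _, value = line.partition(":")
        if key == "services":
            services.update(value.split())
        elif key == "ports":
            ports.update(value.split())
    return zone, services, ports

def audit(output, expected_services=EXPECTED_SERVICES, expected_ports=EXPECTED_PORTS):
    """Return (unexpected_services, unexpected_ports): open but not on the baseline."""
    _, services, ports = parse_list_all(output)
    return sorted(services - expected_services), sorted(ports - expected_ports)

def audit_live():
    """Run firewall-cmd on this node (as root) and audit the active zone."""
    out = subprocess.run(["firewall-cmd", "--list-all"],
                         capture_output=True, text=True, check=True).stdout
    return audit(out)

if __name__ == "__main__":
    print(audit(SAMPLE_OUTPUT))  # (['cockpit'], ['8443/tcp'])
```

Run audit_live() on a node to compare the real zone against the baseline; anything it returns is a port or service worth explaining or closing.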

Change SSH port

# Make sshd listen on :22 and :2222
printf "Port 22\nPort 2222\n" > /etc/ssh/sshd_config.d/10-ports.conf
# Authorize sshd to listen port 2222
semanage port -a -t ssh_port_t -p tcp 2222
# Change Firewalld SSH service configuration to use port 2222
firewall-cmd --permanent --service=ssh --add-port=2222/tcp
firewall-cmd --permanent --service=ssh --remove-port=22/tcp
# Restart service and apply new firewall configuration
systemctl restart sshd
firewall-cmd --reload

Source: https://community.nethserver.org/t/ns8-change-node-ssh-port-22-permanently/22397/6?u=davidep

Cockpit

Can I use Cockpit on NS8? Maybe.

Quiz

  • Can I execute a backup to a machine in a LAN? What protocols are supported in this scenario?

Q&A

❓ ❓ ❓ Questions? ❓ ❓ ❓