Backup & Restore Strategy
What Gets Backed Up and Where
| What | Backup Method | Location | Schedule | Restore Doc |
|---|---|---|---|---|
| Forgejo LXC (git repos, wiki) | PBS container backup | PBS (192.168.1.223) | Nightly | Restore Proxmox Containers |
| Dispatcharr LXC 113 | PBS container backup | PBS | Nightly | Restore Proxmox Containers |
| All other PVE LXCs (Jellyfin, Paperless, etc.) | PBS container backup | PBS | Nightly | Restore Proxmox Containers |
| Komodo MongoDB | Bind-mount to Nexus HDD | /mnt/server/containers/komodo/backups/ |
Daily mongodump | — |
| Docker service data (bookstack, tandoor, etc.) | PBS Nexus snapshot | PBS | Nightly | — |
Service secrets (.env files) |
SOPS-encrypted .env.enc in git |
Forgejo homelab-docker repo |
On change | SOPS & Secrets |
| NAS media & data | Synology built-in snapshots | Hyperion (RAID) | Per Synology schedule | — |
| Frigate recordings | Rolling window on Nexus HDD | /mnt/server/containers/frigate/media/ |
21-day auto-rotation | — |
| Frigate gold archive | NFS to Hyperion | /mnt/nas/frigate-gold/ |
180-day retention | — |
The single most critical backup is Forgejo. It holds all git history, automation config, and this wiki. Verify the PBS backup job includes the Forgejo LXC container ID.
Restoring an LXC Container from PBS
See Restore Proxmox Containers for the step-by-step procedure.
The short version: Proxmox VE UI → Datacenter → Storage → PBS → Backups → find the backup → restore as new container ID (to keep the original untouched while testing).
Restoring Service Secrets (.env files)
If Nexus is rebuilt from scratch, the gitignored .env files are gone. Recover them from the SOPS-encrypted backups in git:
# On Nexus, after cloning the repo and setting up the age key
cd /home/matt/repos/homelab-docker
# Bookstack
sops -d --input-type dotenv --output-type dotenv bookstack/.env.enc > bookstack/.env
# Frigate
sops --decrypt frigate/.env.enc > frigate/.env
chmod 600 frigate/.env
# Wyze-Bridge
sops --decrypt wyze-bridge/.env.enc > wyze-bridge/.env
Requires the age private key at ~/.config/sops/age/keys.txt. See SOPS & Secrets.
⚠ Tandoor has no
.env.encbackup yet — tracked in issue #40. If Nexus needs to be rebuilt, Tandoor secrets must be re-created from scratch.
Komodo MongoDB Backup
Komodo stores its stack/procedure config in MongoDB. The database is bind-mounted and also backed up via a daily mongodump:
# Manual dump (runs inside the mongo container, output to bind-mounted /backups)
ssh matt@192.168.1.226 'docker exec komodo-mongo-1 mongodump --out /backups'
# Backups land at:
# /mnt/server/containers/komodo/backups/ on Nexus
These are also covered by the nightly PBS snapshot of Nexus.
Verifying Backups
# List recent PBS backups via Proxmox UI
# Datacenter → Storage → PBS → Backups → filter by LXC/VM
# Or from PVE shell
proxmox-backup-client snapshot list --repository <pbs-repo>
# Verify Komodo dump is current
ssh matt@192.168.1.226 'ls -lh /mnt/server/containers/komodo/backups/'
Disaster Recovery Order
If everything is lost:
- Restore Forgejo LXC from PBS — all repos and config are back
- Clone homelab-docker repo to Nexus:
git clone http://192.168.1.240:3000/matt/homelab-docker.git /home/matt/repos/homelab-docker - Restore SOPS age key to
~/.config/sops/age/keys.txton Nexus (from a secure password manager backup) - Decrypt
.envfiles from.env.encbackups in git (see above) - Start Komodo:
cd /home/matt/repos/homelab-docker/komodo && docker compose up -d - Reconfigure Komodo stacks (they're defined in Komodo's MongoDB; if that's gone, re-add via UI or API — compose files are all in git)
- Deploy all other services via Komodo or manually:
docker compose up -din each service directory
Automation
Infrastructure
Services
- Dashy
- Bookstack
- Tandoor
- Home Assistant
- Pinchflat
- FreshRSS
- Frigate
- Wyze-Bridge
- Mosquitto
- Dispatcharr
- Proxmox LXC Services
Operations
- How to Update Apps
- Backup & Restore Strategy
- Maintenance Schedule
- Useful Commands
- Restore Proxmox Containers
- NAS NFS Share for LXC
- SSH Public Key onto Nexus