Borg Backup
Overview
BorgBackup provides encrypted, deduplicated backups to Synology NAS. This is the primary backup mechanism for user data, configurations, and secrets.
Recovery Time Objective (RTO): 2-4 hours
Recovery Point Objective (RPO): 24 hours (daily backups)
Architecture
| Component | Value |
|---|---|
Backup Script |
|
NAS Target |
nas-01.inside.domusdigitalis.dev (DS3018xs) |
NFS Share |
|
Mount Point |
|
Repository |
|
Encryption |
repokey (passphrase required) |
Prerequisites
# Install required packages
sudo pacman -S borg nfs-utils
# Load NFS kernel module (required before mounting)
sudo modprobe nfs
# Make NFS module load on boot
echo "nfs" | sudo tee /etc/modules-load.d/nfs.conf
# Create mount point
sudo mkdir -p /mnt/synologyDaily Backup Procedure
# 1. Mount Synology NFS
sudo mount -t nfs nas-01.inside.domusdigitalis.dev:/volume1/borg_backups /mnt/synology
# 2. Load credentials
eval "$(dsec source d000 dev/storage)"
# 3. Run backup script (sudo -E preserves $HOME and env vars)
sudo -E BORG_PASSPHRASE="$BORG_PASSPHRASE" ~/.local/bin/borg-backup-synology.sh
# 4. Clear credentials
eval "$(dsec unsource)"
# 5. Optionally unmount
sudo umount /mnt/synology
Always use sudo -E to preserve HOME and BORG_PASSPHRASE environment variables. Without -E, sudo runs as root with /root as HOME, backing up the wrong directory.
|
What’s Backed Up
| Category | Paths | Size (Approx) |
|---|---|---|
Workspace |
|
4.3 GB |
Secrets |
|
5 MB |
Configs |
|
173 MB |
Local Data |
|
3.1 GB |
Dev Toolchains |
|
3.4 GB |
Applications |
|
1.2 GB |
Shell State |
History files, zcompdump |
~100 KB |
User Dirs |
|
Variable |
What’s Excluded
| Path | Reason |
|---|---|
|
Regenerated by applications |
|
Regenerated via npm install |
|
Rust build artifacts |
|
Python bytecode cache |
|
Git objects (repos are on remotes) |
List Archives
eval "$(dsec source d000 dev/storage)"
sudo BORG_PASSPHRASE="$BORG_PASSPHRASE" borg list /mnt/synology/borg-repo
eval "$(dsec unsource)"Restore Procedures
Mount and Browse (Read-Only)
eval "$(dsec source d000 dev/storage)"
sudo mkdir -p /tmp/borg-mount
sudo BORG_PASSPHRASE="$BORG_PASSPHRASE" borg mount \
/mnt/synology/borg-repo::ARCHIVE_NAME /tmp/borg-mount
# Browse and copy specific files
ls /tmp/borg-mount/home/evanusmodestus/
# Unmount when done
sudo borg umount /tmp/borg-mount
eval "$(dsec unsource)"Restore Single File
cd /
sudo BORG_PASSPHRASE="$BORG_PASSPHRASE" borg extract \
/mnt/synology/borg-repo::ARCHIVE_NAME \
home/evanusmodestus/path/to/filePrune Old Archives
eval "$(dsec source d000 dev/storage)"
sudo BORG_PASSPHRASE="$BORG_PASSPHRASE" borg prune \
--keep-daily=7 \
--keep-weekly=4 \
--keep-monthly=6 \
/mnt/synology/borg-repo --stats
eval "$(dsec unsource)"Verify Backup Integrity
eval "$(dsec source d000 dev/storage)"
# Check repository integrity
sudo BORG_PASSPHRASE="$BORG_PASSPHRASE" borg check /mnt/synology/borg-repo
# Test restore single file
sudo BORG_PASSPHRASE="$BORG_PASSPHRASE" borg extract \
--stdout /mnt/synology/borg-repo::ARCHIVE_NAME \
home/evanusmodestus/.profile > /tmp/test-profile
diff ~/.profile /tmp/test-profile && echo "VERIFIED"
eval "$(dsec unsource)"Credential Architecture
┌──────────────┐ ┌──────────────┐ ┌──────────────────────────┐
│ pass │───▶│ dsec │───▶│ Environment Variable │
│ (encrypted) │ │ (encrypted) │ │ (runtime only) │
└──────────────┘ └──────────────┘ └──────────────────────────┘
storage/ds3018xs/ d000 dev/storage $BORG_PASSPHRASE
├── borg-passphrase @BORG_PASSPHRASE $BORG_REPO
└── borg-key @BORG_REPO| Layer | Location | Purpose |
|---|---|---|
pass |
|
Master source (GPG encrypted) |
pass |
|
Repository key for disaster recovery |
dsec |
|
Session-based credential loading |
env |
|
Runtime variables (cleared after use) |
Troubleshooting
NFS Mount Fails
Symptom: mount.nfs: Protocol not supported
Cause: NFS kernel module not loaded (common after kernel update without reboot)
Resolution:
# Check if module loaded
lsmod | grep nfs
# Load module
sudo modprobe nfs
# If modprobe fails with "Module not found", reboot into new kernel
sudo reboot