# Ticket: Service backup standard

## Metadata
- Type: Ticket
- Status: Active
- Project: Homelab Operations
- Created: 2026-06-07
- Updated: 2026-06-07
- Priority: High

## Goal

Define and implement a backup standard for running managed services beyond the Vaultwarden MVP.

## Why

New services should not become fragile snowflakes. Vaultwarden backup/restore is proven, but a broader standard is needed for reverse proxy, DNS, dashboard, SearXNG, Nextcloud, and future services.

## Scope

Included:
- Define backup classes: experimental, standard, critical, manual-only.
- Define snapshot vs application-level backup expectations.
- Define encryption and off-host/offline expectations.
- Integrate with VM/LXC service template.
- Trial on at least one non-critical service.

Not included:
- Treating snapshots alone as sufficient for all data-bearing services.

## Acceptance Criteria

This ticket is done when:
- [x] Backup classes are documented.
- [x] Default backup scope by service type is documented.
- [x] At least one non-critical service has backup configured/verified.
- [x] Restore-test expectations are documented.
- [x] VM/LXC template and registry reflect backup class/status.

## Progress

2026-06-07:
- Added `docs/service-backup-standard.md`.
- Updated `docs/templates/vm-lxc-service-template.md` with backup status/off-guest fields.
- Configured and verified first non-critical backup trial for Homepage dashboard.
- Restore-tested Homepage backup using an isolated temporary Homepage container on CT 107.
- Backfilled, verified, and restore-tested config-level backup for Unbound internal DNS.
- Backfilled and verified Nginx route/config backup for reverse proxy; TLS private-key backup remains pending until an encrypted backup path is defined.
- Replaced SearXNG age-based config backup with sanitized config backup; `secret_key` is redacted and regenerated on restore, so SearXNG no longer requires an age identity.
- Documented retention and offline destination policy in `docs/service-backup-standard.md`.
- Updated `runbooks/homepage-dashboard.md`, `infra/proxmox-registry.yaml`, and Ansible inventory with backup class/status.

## Follow-ups

- Homepage and Unbound standard-class config backups have isolated restore-test evidence; expand restore testing to remaining standard services as dependencies allow.
- Define encrypted backup handling for reverse-proxy TLS private keys/certificates before backing them up.
- Perform SearXNG sanitized restore/rebuild test in an isolated target; generate a fresh `secret_key` during restore.
- Implement per-service pruning according to the documented retention/offline policy once schedules are approved.
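
The sanitized SearXNG config backup noted under Progress, together with the restore step in the follow-up above, as an added example (not the homelab's actual backup script): it redacts `secret_key` before the file is stored and writes a fresh key on restore. The `REDACTED` marker, the function names and the sample settings are assumptions constructed for illustration.

```python
import re
import secrets

# Marker stored in place of the key (assumed name, not from the ticket).
REDACTED = "REDACTED-REGENERATE-ON-RESTORE"
# A secret_key line at any indent; value is quoted or bare, rest of line dropped.
_KEY_LINE = re.compile(
    r"""^(?P<indent>[ \t]*)secret_key[ \t]*:[ \t]*"""
    r"""(?P<value>"[^"\n]*"|'[^'\n]*'|[^\s#]*).*$""",
    re.MULTILINE,
)

# Constructed sample settings.yml content, not a real key.
SAMPLE_SETTINGS = '''\
use_default_settings: true
server:
  secret_key: "3f9c0a17constructedsamplevalue"  # constructed
  limiter: false
'''


def _value(match):
    return match.group("value").strip("\"'")


def sanitize(settings_text):
    """Redact every secret_key so the backup needs no encryption identity."""
    originals = [_value(m) for m in _KEY_LINE.finditer(settings_text)]
    if not originals:
        raise ValueError("no secret_key line found; refusing to write backup")
    out = _KEY_LINE.sub(
        lambda m: f'{m.group("indent")}secret_key: "{REDACTED}"', settings_text)
    # Fail closed if the old secret survives anywhere else in the file.
    if any(v and v != REDACTED and v in out for v in originals):
        raise ValueError("secret value still present after redaction")
    return out


def restore(sanitized_text):
    """Replace the marker with a fresh random key; reject unsanitized input."""
    if REDACTED not in sanitized_text:
        raise ValueError("backup has no redaction marker")

    def fresh(match):
        if _value(match) != REDACTED:
            raise ValueError("live secret_key found in backup")
        return f'{match.group("indent")}secret_key: "{secrets.token_hex(32)}"'

    return _KEY_LINE.sub(fresh, sanitized_text)
```

Because `restore` rejects input without the marker, an unsanitized file that reaches the backup path by mistake is caught at restore-test time instead of silently reusing an old key.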

## Notes

- Vaultwarden backup/restore is already handled by separate tickets; use it as a critical-service example.
