Backup Domoticz with Duplicati

Step-by-step how-to guide to install and configure Duplicati with the latest Raspbian Buster image and Domoticz.

Duplicati is a fantastic and very intuitive backup solution that supports a wide range of backup targets. Combined with its web interface, this makes it a perfect backup solution for our beloved Domoticz installation.

Duplicati supports not only various online backup services like OneDrive, Amazon S3, Backblaze, Rackspace Cloud Files, Tahoe LAFS, and Google Drive, but also any servers that support SSH/SFTP, WebDAV, or FTP.

It does however need the mono framework as it is mainly written for the Windows platform and this makes it a bit heavy for Linux. Nonetheless, it’s one of my favorite open-source backup products.

Tip: Duplicati is more about making a backup of the most important files. If you are looking for a complete system backup solution, perhaps this is more what you are looking for:
https://www.hackviking.com/single-board-computers/raspberry-pi/automated-raspberry-pi-backup-complete-image/

This how-to is part of a bigger series of Domoticz how-to’s on sancla.com!

This tutorial has been verified with:
Domoticz 2020.1

Prerequisites

Tested with

  • Raspberry Pi 4 (MEM 2GB with 16GB sd-card)
  • Raspbian Buster Lite 4.19, February 2020
  • Domoticz Stable 2020.1 (compile date 22-3-2020)
  • Duplicati BETA v2.0.5.1-2.0.5.1_beta_2020-01-18

Step 1: Install the Mono Framework

This step can take a bit of time…

sudo apt install mono-complete ca-certificates-mono -y

Step 2: Sync the certificates

sudo cert-sync /etc/ssl/certs/ca-certificates.crt

Step 3: Install Duplicati

wget -P /var/tmp/ https://github.com/duplicati/duplicati/releases/download/v2.0.5.1-2.0.5.1_beta_2020-01-18/duplicati_2.0.5.1-1_all.deb
sudo apt-get install /var/tmp/duplicati_2.0.5.1-1_all.deb -y

Step 4: Install missing dependencies

Sometimes Raspbian is still missing some required dependencies.
Just to be sure, run the following command so we are not missing out on any:

sudo apt -f install -y

Step 5: Configure the service file

We need to edit the service file in order to make it possible to run this as a service. So go open the file with the nano text editor with the following command:

sudo nano /etc/systemd/system/duplicati.service 

Copy-paste the following configuration and save the file.
To exit and save the changes, press CTRL+X first and confirm to save the file with “Y”.

The duplicati.service file
[Unit]
Description=Duplicati web-server
After=network.target

[Service]
Nice=19
IOSchedulingClass=idle
EnvironmentFile=-/etc/default/duplicati
ExecStart=/usr/bin/duplicati-server $DAEMON_OPTS
Restart=always

[Install]
WantedBy=multi-user.target

Step 6: Configure the initscript file

Next is to edit the initscript file with the following command:

sudo nano /etc/default/duplicati

It should resemble the below configuration. You have to add the last “DAEMON_OPTS…” line to the file and save the changes. To exit and save the changes, press CTRL+X first and confirm to save the file with “Y”.

The duplicati initscript
# Defaults for duplicati initscript
# sourced by /etc/init.d/duplicati
# installed at /etc/default/duplicati by the maintainer scripts

#
# This is a POSIX shell fragment
#

# Additional options that are passed to the Daemon.
DAEMON_OPTS="--webservice-interface=any --webservice-port=8200 --portable-mode"

Step 7: Enable Duplicati service

Now it’s time to enable and start the service.
Execute the following commands:

sudo systemctl enable duplicati.service
sudo systemctl daemon-reload
sudo systemctl start duplicati.service
sudo systemctl status duplicati.service

You should now have Duplicati up-and-running and see the below results of a running service:

Duplicati service is running correctly
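
One way to check, once the service is running, where the web interface configured in Step 6 actually listens. This is an added example, not part of the original guide or of Duplicati: the function names are made up here, the sample ss output is constructed, and the fallbacks (loopback, port 8200) assume Duplicati's defaults when an option is absent.

```shell
#!/bin/sh
# Added example, not part of the original guide.

# Value of --NAME=VALUE inside the DAEMON_OPTS="..." line of the text in $1.
daemon_opt() {
    printf '%s\n' "$1" |
        sed -n 's/^DAEMON_OPTS="\(.*\)"[[:space:]]*$/\1/p' |
        tr ' ' '\n' | sed -n "s/^--$2=//p" | tail -n 1
}

# Where the web UI is configured to listen.
webui_scope() {
    case "$(daemon_opt "$1" webservice-interface)" in
        any|'*') echo all-interfaces ;;
        ''|loopback) echo loopback ;;   # assumption: default is loopback
        *) echo specific ;;
    esac
}

# Local addresses from `ss -ltn` output ($1) that listen on port $2.
listeners_on_port() {
    printf '%s\n' "$1" |
        awk -v p="$2" '$1 == "LISTEN" && $4 ~ (":" p "$") { print $4 }'
}

# One-line summary combining the configuration and the observed sockets.
webui_report() {
    port=$(daemon_opt "$1" webservice-port)
    port=${port:-8200}                  # assumption: default port is 8200
    bound=$(listeners_on_port "$2" "$port" | tr '\n' ',' | sed 's/,$//')
    echo "scope=$(webui_scope "$1") port=$port bound=${bound:-none}"
}

# Constructed sample input: the DAEMON_OPTS line from Step 6 and made-up ss output.
SAMPLE_DEFAULTS='# Additional options that are passed to the Daemon.
DAEMON_OPTS="--webservice-interface=any --webservice-port=8200 --portable-mode"'
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:8200       0.0.0.0:*'

webui_report "$SAMPLE_DEFAULTS" "$SAMPLE_SS"
# On the Pi itself: webui_report "$(cat /etc/default/duplicati)" "$(ss -ltn)"
```

A scope=all-interfaces result means the web interface answers on every network the Pi is connected to, so the firewall and port forwarding in front of the Pi decide who can reach it.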

Step 8: Open the Duplicati web-gui

Next is to navigate to the web interface/GUI. It is configured in the initscript file to run on port 8200. In my case, the IP address of my Raspberry Pi is 10.1.3.51. So in order to reach the web GUI, I have to open the following address in my browser:

http://10.1.3.51:8200
Duplicati First Run Setup

The first time you open the Duplicati interface, choose the first option “No, my machine has only a single account”.

You should now be able to configure a backup job!

A couple of tips when creating a backup job (see screenshots below for further guidance):

  • Include one of these directories:
    • /home/pi
    • /home/pi/domoticz
  • Enable automatic backup in the Domoticz setup menu so you get consistent backups of your database.
  • Keep your encryption password in a safe place where you can find it again should you ever need it (or just do not use an encryption password)!!
  • You can also run scripts before or after the backup.
  • Configure backup retention to automatically clean up old backups.
  • Enable e-mail notifications to keep track of your backups.
    See this forum post for the proper steps using Google Mail:
    https://forum.duplicati.com/t/how-to-configure-automatic-email-notifications-via-gmail-for-every-backup-job/869

Should you need to restore…

If you ever need to restore, you can do so easily by clicking on the job and selecting to restore files, as seen in the screenshot below.
Follow the steps with these instructions:

https://duplicati.readthedocs.io/en/latest/03-using-the-graphical-user-interface/#restoring-files-from-a-backup

Restore files with Duplicati

Worst-case scenario

However, in the worst-case scenario, a F.U.B.A.R. situation, you don’t have a running pi anymore. For example, your SD-card or USB stick died…
The first 2 steps are to get your Pi running again with a fresh installation of Raspbian and Domoticz. Next is to install Duplicati again using this guide. Another option is to just install Duplicati on your own system to retrieve your files. See this link for more information and instructions:
https://duplicati.readthedocs.io/en/latest/03-using-the-graphical-user-interface/#restoring-files-if-your-duplicati-installation-is-lost

Further documentation

For more information on Duplicati, how to create a proper backup job and other documentation, you can visit this site:

https://duplicati.readthedocs.io/en/latest/


Securing Domoticz…

This post is about securing our Domoticz installation, should the need arise. There are several options for securing Domoticz. This how-to is divided into several separate how-to’s, each with its own option.

This article will be expanded over time with new how-to’s to protect Domoticz. Because this involves a lot of work, they are not all immediately available; this takes some time. Thank you for your patience and understanding. Sign up for updates to get notified of new guides and how-to’s, should you wish to follow my endeavors.

In principle, the developers of Domoticz indicate that it is not advisable to access Domoticz directly on the internet. Domoticz would provide insufficient security for this and has not been extensively developed and tested in this area. But sometimes we the users see it differently and we see a need to do this anyway. Sometimes, we like to break rules :-).

Of course, you could implement a VPN (LINK) solution yourself as an alternative, but this often becomes complex quickly and is therefore not always desirable or within reach.

If we still want to access Domoticz on the internet, let’s see if we can do this as safely as possible. This guide does not offer you an absolute guarantee but will considerably increase the safety of your Domoticz setup.

There are a number of steps that we can take that contribute to this:

  • Enable authentication in Domoticz
  • Implement fail2ban (brute force protection)
  • Configure your firewall (NAT port forwarding)
  • Provide extra security with a Let’s Encrypt SSL certificate
  • Change the root and pi user password (thanks Peter for the feedback!)
  • How to check your logs
  • Make back-ups!

Ultimately, security is and remains your own responsibility!
Should you at any moment not feel fully comfortable with these guides, consider simply not connecting Domoticz to the internet…

This how-to is part of a bigger series of Domoticz how-to’s on sancla.com!

This tutorial has been verified with:
Domoticz 2020.1

Prerequisites

  • Running Domoticz installation with stable Raspbian Buster release and SSH access. See my previous post for a how-to: https://sancla.com/domoticz/raspberry-pi-4-with-domoticz/
  • For the Let’s Encrypt SSL certificate, a domain and basic understanding of DNS (DDNS/A-records).
  • For port forwarding, basic networking knowledge and ability to create a port forward with IPv4/NAT.

Tested with

  • Raspberry Pi 4 (MEM 2GB with 16GB sd-card)
  • Raspbian Buster Lite 4.19, February 2020
  • Domoticz Stable 2020.1 (compile date 22-3-2020)

Authentication – LINK

This specific how-to goes further into the aspect of setting up authentication from Domoticz itself. You can choose to enable this protection for all connections other than your own home network, including the internet. It offers basic protection and is not a complete solution on its own if you want to connect Domoticz to the internet.

Fail2ban – LINK

This specific how-to involves applying fail2ban, which protects Domoticz against brute-force attacks from the outside. Brute-force attacks can be described as multiple and quick successive guessing of credentials until there is a positive hit that can be used to access your Domoticz. Basically, fail2ban is a rate limit solution where it protects Domoticz by limiting the login attempts within a given time.


Access your Domoticz folder from Windows

This post is about gaining samba access to our Domoticz installation. With Samba access, we can read, manipulate and backup our Domoticz files directly from Windows with our default file explorer.

This how-to is part of a bigger series of Domoticz how-to’s on sancla.com!

This tutorial has been verified with:
Domoticz 2020.1

Prerequisites

Tested with

  • Raspberry Pi 4 (MEM 2GB with 16GB sd-card)
  • Raspbian Buster Lite 4.19, February 2020
  • Domoticz Stable 2020.1 (compile date 22-3-2020)

Step 1: Install Samba

Connect with SSH to your Domoticz installation and follow these steps. Samba is installed and configured rather quickly so we should be done in no time…

Let’s start by installing Samba with the following commands:

sudo apt update && sudo apt install samba samba-common-bin cifs-utils -y

During installation you are asked whether you wish to enable WINS. Although I know of only a handful of occasions where this is still necessary (legacy situations), you do not need it in this case. WINS is a dinosaur from Microsoft that you should not need anymore…

Samba server and utilities configuration

Step 2: Create a dedicated samba account

The next step is to create a user account for authentication later on. For this example we are going to create the user “pi_samba” with password “sancla.com”.

sudo useradd pi_samba
sudo smbpasswd -a pi_samba
Creating the dedicated samba account

Step 3: Configure samba

Add the following lines to the samba “smb.conf” file. You can do this with the nano editor by executing the following command:

sudo nano /etc/samba/smb.conf

Next is to add these lines to the smb configuration file. Scroll all the way down and add the configuration lines below. If you have selected a different username at step 2, make sure to change this “valid users = ” value in below example. This configuration example gives you access to the “/home/pi” folder and not the full Raspbian root.
You can save the file with key combination “CTRL+O” and close the editor with “CTRL-X”.

[pi]
  browseable = yes
  writeable = yes
  path = /home/pi/
  revalidate = yes
  comment = Share to pi home folder
  valid users = pi_samba
  create mask=0777
  directory mask=0777
  available = yes

Should you wish to gain access to the root of your Raspberry Pi, you could add the following configuration (or replace the above example with it):

[root]
  browseable = yes
  writeable = yes
  path = /
  revalidate = yes
  comment = Share to root
  valid users = pi_samba
  create mask=0777
  directory mask=0777
  available = yes

Your configuration file should resemble something like this (in this example I included the root configuration):

smb configuration file example
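
A small audit of the share definitions from Step 3, as an added example that is not part of the original guide or of Samba: it reads smb.conf text and lists writable shares whose path is / or whose masks permit world-writable files and directories. The function name, the finding texts and the [pi_tight] share with masks 0640/0750 are assumptions made for illustration; the sample configuration is constructed from the shares shown above.

```shell
# Added example, not part of the original guide.
# audit_shares: smb.conf text on stdin -> one "share: finding" line per issue.
audit_shares() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function report() {
        if (share == "" || share == "global") return
        if (path == "/") print share ": path is the filesystem root"
        if (rw && cmask ~ /[2367]$/) print share ": create mask " cmask " permits world-writable files"
        if (rw && dmask ~ /[2367]$/) print share ": directory mask " dmask " permits world-writable directories"
    }
    /^[ \t]*[#;]/ { next }                      # comment line
    /^[ \t]*\[.*\]/ {                           # start of a [section]
        report()
        share = tolower(trim($0)); gsub(/^\[|\].*$/, "", share)
        path = ""; cmask = ""; dmask = ""; rw = 0
        next
    }
    index($0, "=") {                            # parameter = value
        key = tolower(substr($0, 1, index($0, "=") - 1)); gsub(/[ \t]/, "", key)
        val = trim(substr($0, index($0, "=") + 1))
        if (key == "path") { path = val; if (length(path) > 1) sub(/\/+$/, "", path) }
        else if (key == "createmask" || key == "createmode") cmask = val
        else if (key == "directorymask" || key == "directorymode") dmask = val
        else if (key ~ /^(writeable|writable|writeok)$/) rw = (tolower(val) ~ /^(yes|true|1)$/)
        else if (key == "readonly") rw = (tolower(val) ~ /^(no|false|0)$/)
    }
    END { report() }'
}

# Constructed sample: the [pi] and [root] shares from Step 3, plus a
# hypothetical tighter share ([pi_tight]) for comparison.
SAMPLE_SMB_CONF='[pi]
  writeable = yes
  path = /home/pi/
  create mask=0777
  directory mask=0777
[root]
  writeable = yes
  path = /
  create mask=0777
  directory mask=0777
[pi_tight]
  writeable = yes
  path = /home/pi/domoticz
  create mask = 0640
  directory mask = 0750'
printf '%s\n' "$SAMPLE_SMB_CONF" | audit_shares
```

On the Pi itself, run it as: audit_shares < /etc/samba/smb.conf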

Step 4: Restart the service

Finally, before we connect to our Raspberry Pi Samba share, we need to restart the samba service so that it loads in our configuration changes.

sudo systemctl restart smbd

Step 5: Open shares with Windows Explorer

Now, in Windows you can use your regular Windows Explorer to access the network shares we just created. You can open Explorer like you are used to, but it is also possible with the key combination “⊞ Win + E”. Now navigate in the address bar to your Raspberry Pi using its IP address, like \\<ip-address>.
In my example the IP address of my Raspberry Pi is 10.1.3.51, so I enter “\\10.1.3.51”.

When you try to open one of the shares we created, Windows asks you to authenticate. You can do so with the “pi_samba” user we created earlier on.

And now we have access :-)!
