# How I Back Up My VPS with Syncthing

#### This guide documents how I use Syncthing to back up my VPS's critical BookStack data folder (`/opt/bookstack_backups`) to my personal workstation automatically and securely.

---

## 📂 Backup Directory

I use a dedicated folder on my VPS for storing compressed BookStack backups:

```bash
/opt/bookstack_backups
```

Each backup is generated nightly via a cron job and includes both the database and uploaded content.

---

## 🔄 Syncthing Folder Setup

On both the VPS and my workstation:

- Syncthing is installed and configured as a **systemd service**
- The `/opt/bookstack_backups` folder is shared
- Sync is **one-way from VPS to workstation** for integrity

To enable and start the system-wide Syncthing service (replace `yourusername`):

```bash
sudo systemctl enable syncthing@yourusername.service
sudo systemctl start syncthing@yourusername.service
```

To verify the service is running:

```bash
systemctl status syncthing@yourusername.service
```

> ⚠️ Tip: If Syncthing is installed system-wide or runs under root, use the appropriate service name or create a dedicated user account just for it.

---

## 🔐 UFW Firewall Rule with DDNS Lockdown

To limit Syncthing access to my workstation only, I use a UFW rule whose source address is kept in sync with the IP that my workstation's DDNS hostname currently resolves to.

Example IP update script:

```bash
/opt/scripts/update-syncthing-ufw.sh
```

This script:

- Resolves the current DDNS IP
- Checks for existing UFW rules
- Updates UFW only when changes are detected

Example UFW rule:

```bash
sudo ufw allow from 123.45.67.89 to any port 22000 proto tcp
```

Blocked access attempts are logged and managed with Fail2Ban.
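
A sketch of what an update script like this can look like, as an added example rather than the author's actual `update-syncthing-ufw.sh`. It assumes a placeholder DDNS hostname (`workstation.example.net`) and a hypothetical state file holding the last applied IP, used in place of parsing `ufw status`; the decision logic is kept in `plan_update` so a failed or malformed DNS answer never removes the working rule.

```shell
#!/bin/sh
# Added example (hypothetical update-syncthing-ufw.sh, not the author's script).
# DDNS_HOST and STATE_FILE are placeholder assumptions.
set -u
DDNS_HOST="${DDNS_HOST:-workstation.example.net}"
STATE_FILE="${STATE_FILE:-/var/lib/syncthing-ufw/current_ip}"
PORT=22000

# Succeed only for a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
  case "$1" in ""|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
  done
}

# Print the ufw commands that move the allow rule from $1 (old, may be empty)
# to $2 (new). Prints nothing if unchanged; fails with no output if $2 is not
# a valid address, so a failed DNS lookup never removes the working rule.
plan_update() {
  valid_ipv4 "$2" || return 1
  [ "$1" = "$2" ] && return 0
  echo "ufw allow from $2 to any port $PORT proto tcp"   # add new rule first
  if valid_ipv4 "$1"; then
    echo "ufw delete allow from $1 to any port $PORT proto tcp"
  fi
}

# First IPv4 address the system resolver returns for the DDNS name.
resolve_ip() { getent ahostsv4 "$1" | awk 'NR==1 {print $1}'; }

if [ "${1:-}" = "--apply" ]; then   # cron entry point, run as root
  new_ip="$(resolve_ip "$DDNS_HOST")"
  old_ip="$(cat "$STATE_FILE" 2>/dev/null || true)"
  plan="$(plan_update "$old_ip" "$new_ip")" || {
    logger -t syncthing-ufw "no valid address for $DDNS_HOST; rule unchanged"
    exit 1
  }
  [ -n "$plan" ] || exit 0
  printf '%s\n' "$plan" | while IFS= read -r cmd; do $cmd || exit 1; done || exit 1
  mkdir -p "$(dirname "$STATE_FILE")" && printf '%s\n' "$new_ip" > "$STATE_FILE"
  logger -t syncthing-ufw "rule moved from ${old_ip:-none} to $new_ip"
fi
```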

---

## 📜 Backup Cron Job

The backup script runs daily at **2:00 AM** using cron.

Crontab entry:

```bash
0 2 * * * /opt/scripts/bookstack-backup.sh
```

**Script actions:**

- Dumps the MySQL database
- Archives the uploaded files
- Compresses to `.tar.gz` with the date in the filename

---

## 📁 Local Redundancy Strategy

Once synced to my local system:

- Backups are **rotated weekly**
- A cleanup script deletes older archives
- Restores can be performed with:

```bash
tar -xzvf bookstack-backup-YYYY-MM-DD.tar.gz -C /restore/location
```

---

## 🛠️ Supporting Scripts

These scripts make the entire backup and security process seamless:

| Script Name | Purpose |
| --- | --- |
| `bookstack-backup.sh` | Creates nightly backups |
| `update-syncthing-ufw.sh` | Updates UFW with resolved DDNS IP |
| `syncthing-log-summary.sh` | Parses and displays UFW-blocked Syncthing traffic |
| `bookstack-logrotate.conf` | Handles log file cleanup |

---

## 🧠 Key Takeaways

- Daily automated backup process
- Synced offsite to a secure system
- DDNS + UFW keeps access tightly controlled
- Full restore with a single `tar` command