Overview

This project documents the design and implementation of a production-grade backup system for a Linux workstation, replicating critical system directories to a Synology NAS.

The objectives were:

  • Fully automated operation
  • Safe execution from both CLI and scheduler
  • No overlapping runs
  • Protection against hung transfers
  • Reliable email reporting
  • Support for machines that are not always powered on

All hostnames, IP addresses, and email domains below are intentionally anonymised.

Architecture

Source: Linux workstation
Destination: Synology NAS (SSH, non-standard port)
Transport: rsync over SSH (key-based authentication)
Scheduler: anacron
Reporting: msmtp (sendmail-compatible)

Secure SSH Configuration

The NAS runs SSH on a non-standard port. A dedicated host entry ensures consistent behaviour:

Host backup-nas
    HostName 192.168.x.x
    User backupuser
    Port 2002
    IdentityFile ~/.ssh/id_ed25519

Key-based authentication removes password prompts and allows fully unattended execution.

Backup Strategy

The script mirrors the following directories:

  • /home
  • /root
  • /etc
  • /srv
  • /opt
  • /usr/local/bin

Key rsync flags:

rsync -avh   --delete   --partial   --numeric-ids   --timeout=300   --exclude-from=/usr/local/bin/backup_exclude   -e ssh

Why These Options?

  • --delete keeps destination in sync
  • --partial protects against interrupted transfers
  • --numeric-ids preserves system ownership
  • --timeout prevents stalled connections

Overlap Protection

To prevent multiple concurrent executions:

LOCK_FILE="/tmp/workstation_backup.lock"
exec 9>"$LOCK_FILE"
flock -n 9 || exit 0

This guarantees only one active run at a time.

Resource-Friendly Execution

Backups run at reduced system priority:

ionice -c2 -n7 nice -n10

This ensures minimal disruption to normal workstation usage.

Timeout Protection

Three layers of safety were implemented:

  1. Per-directory timeout (45m)
  2. Rsync inactivity timeout (300s)
  3. Global timeout applied via scheduler (2h)

This prevents runaway or stuck backup jobs.

Logging and Email Reporting

To avoid SMTP size limits:

  • A summary table is generated
  • Only the tail of the log is emailed
  • Full logs are stored locally and rotated

Example email structure:

Backup host: workstation
Destination: backup-nas:/volume1/backups/workstation
Exit code: 0

Directory           RC      Note
/home               0       OK
/etc                0       OK
...

Mail delivery is handled via msmtp-mta, providing a lightweight sendmail-compatible interface.

Anacron Scheduling

Because the workstation is not always online at 03:00, cron alone was insufficient.

An anacron entry ensures the job runs once per day if missed:

1   10   workstation-backup   timeout --foreground 2h /usr/local/bin/workstation_backup

This guarantees daily execution even after delayed boots.

Challenges Solved

  • Non-standard SSH port configuration
  • Root vs user SSH key handling
  • Rsync parent directory creation errors
  • SMTP message size limits
  • Subshell variable scoping issues
  • Permission errors when backing up system directories

Outcome

The final solution delivers:

  • Secure NAS replication
  • Clean unattended automation
  • Resource-conscious execution
  • Reliable reporting
  • Resilience against missed schedules
  • Clear operational logging

This implementation provides dependable workstation protection with minimal operational overhead.

Future Enhancements

  • Snapshot-based retention (--link-dest incremental scheme)
  • NAS free-space validation before execution
  • Restore verification script
  • systemd timer alternative to anacron
  • Offsite replication tier

Repository Structure

/usr/local/bin/workstation_backup
/usr/local/bin/backup_exclude
/home/user/logs/workstation_backup.log

Designed for reliability, simplicity, and long-term maintainability.