Backups
Coldrune backs up the entire SQLite database as an encrypted snapshot to S3-compatible storage.
Configure S3
Section titled “Configure S3”Add to your .env:
Works with Hetzner Object Storage, AWS S3, MinIO, and any S3-compatible provider.
If BACKUP_S3_ENDPOINT is not set, all backup features are disabled.
Manual backup
Section titled “Manual backup”Or via API:
Backup endpoints require superadmin access.
Scheduled backups
Section titled “Scheduled backups”Set to 0 to disable. The backup runs as a background task inside the server process.
Retention policy
Section titled “Retention policy”After each scheduled backup, the server cleans up old backups:
- Daily: keeps the most recent backup from each of the last N days
- Weekly: keeps one backup per ISO week for the last M weeks
- Anything older is deleted from S3
List backups
Section titled “List backups”Restore
Section titled “Restore”This downloads, decrypts, validates the SQLite header, and writes the restored database to {db_path}.restore.{id}.
Restore procedure
Section titled “Restore procedure”- Restore the backup:
coldrune backup restore --id <backup-id> - Stop the server:
sudo systemctl stop coldrune - Swap the database:
mv coldrune.db coldrune.db.old && mv coldrune.db.restore.<id> coldrune.db - Restart:
sudo systemctl start coldrune
Backup format
Section titled “Backup format”Backups use a custom binary format:
Encrypted with a key derived from the master key via HKDF-SHA256 (info: coldrune-backup-key), using AES-256-GCM. The backup is created using SQLite’s VACUUM INTO for a consistent snapshot without locking the database.
After key rotation
Section titled “After key rotation”Old backups remain encrypted with the old master key. After rotating keys, create a new backup immediately. Keep the old master key stored securely if you need to restore from pre-rotation backups.