SEQN Auth Backup and Restore

SEQN Auth backups cover Authentik state, Silver Auth Postgres state, Authentik media/templates/certs when present, and the deployment .env needed for disaster recovery. Backups intentionally do not include email-provider or payment-provider assets.

Assets

  • Local backup script: services/silver-auth-api/deploy/backup-local.sh
  • Local restore runbook: services/silver-auth-api/deploy/RESTORE.local.md
  • Offsite backup script: services/silver-auth-api/deploy/backup-offsite.sh
  • Offsite runbook: services/silver-auth-api/deploy/BACKUP.offsite.md

Local backup behavior

backup-local.sh writes timestamped backups under /srv/silver-auth/backups/<timestamp>/.

Each backup should contain:

  • authentik.sql
  • silver-auth.sql
  • authentik-files.tgz when Authentik files are present, or authentik-files.skip when they are absent
  • env.backup
  • MANIFEST.sha256

The script keeps BACKUP_RETENTION_COUNT local backup directories. The default is 14. Set BACKUP_RETENTION_COUNT=0 to disable local pruning.

Offsite backup behavior

backup-offsite.sh runs a fresh local backup, archives it, encrypts it when an age or GPG recipient is configured, writes a checksum, and uploads the archive plus checksum through rclone, rsync, or a local copy target.

Recommended production mode:


OFFSITE_BACKUP_METHOD=rclone
OFFSITE_BACKUP_TARGET=remote:silver-auth
OFFSITE_BACKUP_AGE_RECIPIENT=age1...
ALLOW_UNENCRYPTED_OFFSITE=false

The script refuses to upload unencrypted archives unless ALLOW_UNENCRYPTED_OFFSITE=true.

Schedule

Minimum schedule for a public SaaS deployment:

  • Local backups: every 6 hours.
  • Offsite encrypted backups: daily.
  • Restore drill: monthly until stable, then quarterly.
  • Backup encryption key review: quarterly.

Use systemd timers on the VPS instead of cron when possible. Templates live under:


services/silver-auth-api/deploy/systemd/

Recommended install flow:


sudo cp services/silver-auth-api/deploy/systemd/silver-auth-backup-*.service /etc/systemd/system/
sudo cp services/silver-auth-api/deploy/systemd/silver-auth-backup-*.timer /etc/systemd/system/
sudo systemctl daemon-reload
sudo systemctl enable --now silver-auth-backup-local.timer
sudo systemctl enable --now silver-auth-backup-offsite.timer
systemctl list-timers 'silver-auth-backup-*'

Cron fallback:


17 */6 * * * cd /srv/silver-auth && ./deploy/backup-local.sh >/var/log/silver-auth-backup.log 2>&1
43 2 * * * cd /srv/silver-auth && ./deploy/backup-offsite.sh >/var/log/silver-auth-offsite-backup.log 2>&1

Restore priorities

1. Restore .env from env.backup or the secret store. 2. Start fresh containers and database volumes. 3. Restore Authentik Postgres. 4. Restore Silver Auth Postgres. 5. Restore Authentik media/templates/certs. 6. Restart the stack. 7. Run health, config, login, console, and backend-key smoke checks.

Recovery targets

Suggested SaaS targets:

  • RPO: 6 hours for local backup coverage, 24 hours for offsite disaster recovery.
  • RTO: 2 hours for local restore, 4 hours for offsite restore.

These are operational targets, not contractual guarantees.

Security notes

  • Treat env.backup as secret material.
  • Encrypt offsite archives by default.
  • Store backup private keys separately from the VPS.
  • Keep old backup private keys until encrypted backup retention expires.
  • Do not attach backup archives to support tickets or chat.