Best practices: Backing up my NAS, and adhering to the Principle of Least Privilege

Backing up my NAS with Duplicacy…

Here’s my setup;

  • NAS (Synology)
  • Spare laptop dedicated to running Duplicacy jobs
  • NAS is mapped as a network drive on the spare laptop using a READ-WRITE account on the NAS

To be clear: the NAS is a Duplicacy backup source and NOT a Duplicacy storage. My instinct is that the Duplicacy laptop should not have unlimited 24/7 access to the NAS.

My question: Can I restrict this dedicated Duplicacy laptop to a READ-ONLY account on the NAS?

TLDR; I want to ensure I am apply the Principle of least privilege to the dedicated laptop that runs my Duplicacy jobs.

E.g.: Principle of least privilege - Wikipedia * "Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job." – Jerome Saltzer

I may be misunderstanding, but isn’t the solution to map a network drive to a laptop using an account that has read-only rights to share? (set in Synology)

I think that’s what I want to do, because intuitively that makes the most sense to me from a “Principle of Least Privilege” perspective.

What I’d like to know:

  • Does Duplicacy need READ-WRITE on the backup source?
  • Can I simply map the drive with a new READ ONLY account, and all my existing Duplicacy jobs will work as normal for that backup source?
  • Is this a common, best-practices approach?



It depends. Generally, if there is a choice, like in your scenario — sure, make it readonly. Some run duplicacy in the container and there it’s trivial to mount the source as readonly. It’s a matter of omitting w in the mount point.

Running duplicacy under the restricted user account that can only read is another option.

But I would not go much furher beyond that. Duplicacy only reads the dataset so there is no reason to going out of your way preventing it from writing. It never will anyway. And if the trust is the issue — what if malicious someone replaces duplicacy with something destructive- well you already gave it access to all your data, this is much more damaging than something deleting your source (which you have backed up).

Ultimately, sure, backup readonly source.

In your situation however I would have nas backup itself, all the time, instead of some laptop that is not on 24/7. But I don’t know your other requirements that were driving this.

1 Like

In your situation however I would have nas backup itself, all the time, instead of some laptop that is not on 24/7. But I don’t know your other requirements that were driving this.

I think you may have revealed the situation to be a classic XY problem .

I set it up the way I did simply out of ignorance – I thought it was the thing to do – and I am open to better alternatives.

I thought backing up the NAS from a computer was the only way with Duplicacy. After all, Duplicacy Web GUI needs a Mac or Windows OS and a browser, no?

How do I get the (Synology) NAS to independently back itself up?

Lol usually it’s me who brings it up on forums — I like this write up better: XyProblem - Greg's Wiki

Right, duplicacy web does rely on web browser to render the interface. But it and the browser don’t have to be on the same machine. This requires changes in the settings to allows duplicacy to listen on the network interface other than localhost.

When I used Synology I ran it on it natively and controlled from another pc. Here is the write up Duplicacy Web on Synology Diskstation without Docker | Trinkets, Odds, and Ends. It describes things on DSM6 but someone in the comments there described the change for DSM7.

Another option is to run it on docker container. This is mine Docker Hub but I recommend against it: docker on Synology is a disaster and duplicacy does not benefit from dependencies isolations docker provides. Running it natively is better.

The only consideration here is how much ram do you have on the nas. You want to always keep a big of chunk of ram unoccupied (at least 8GB) to facilitate caching and ensure your nas stays responsive, and duplicacy can be quite memory hungry, forcing those caches to get evicted. I think the new version has some memory related optimizations so this may not be a problem anymore

1 Like

I like this write up better: XyProblem - Greg’s Wiki

Love it!

You want to always keep a big of chunk of ram unoccupied (at least 8GB)

You had me excited right up to that point! :slight_smile:

I’ve only got 4 GB. I’ve always planned to add more, and make it ECC. Never could find reliable, inexpensive sources of non-Synology branded ECC memory, so I gave up. Maybe it’s easier to find now, hmm.

Thanks for the thoughtful reply and the heads up about docker on Synology. Sometimes I wonder about Synology alternatives.

1 Like

eBay and/or Newegg is my go-to for memory (and other hardware). I just sort by price+shipping and pick the first, regardless of brand: today pretty much anyone can solder buy pick and place machine and actual ICs are made by three vendors anyway. No reason to overpay for branding.

Which Synology model do you use? From the ECc reference I presume something awesome like ds1618+?

The silver lining here is that Synology hardware weirdly depreciates very well… I mean, poorly…. I’m trying to say it keeps its resale value well. So selling it on eBay returns pretty much the original expense. Or more (like was in my case).

I’ve filed numerous bugs with middleware with Synology (none was fixed years later), filed horrible kernel bugs (got immediate attention from engineering team from Taiwan, who then proceeded to debug on my unit remotely for the next month) and walked on eggshells figuring out which combination of versions has unbroken services that I need. And by that I mostly mean SMB. NAS that has broken SMB every other version is an oxymoron and yet here we are. And then the whole reboot-on-nvme-timeout-with-SSD-caching-gimmick story happened and I lost all faith in the company. I then tried TrueNAS core on leftover gaming pc and was blow away. It worked flawlessly for couple of years (the plan was to try it there but then move to actual server hardware if I liked it - and yet even on a gaming crap it was magnificent in comparison) and literally yesterday my new shiny old recycled all scratched up supermicro server arrived from local surplus store and I’m looking forward moving the stuff to a proper chassis, with IPMI, and hot plug hdd caddies, ECC ram, and obnoxiously loud fans. For no reason other than why not.

What I’m trying to say with this offtopic detour — play with TrueNAS core in VM, see if you like it, then switch to it, and forget Synology as a bad dream. Doing so gets you access to much cheaper and much better hardware, cheap component (just ordered LSI HBA card for $30) and excellent stability: the QA process at iXSystems is top notch. I’ve still managed to switch to new release (not recommended for production) and reported samba crash, that was immediately noticed, someone contacted me, debugged and fixed the issue, provided new binaries, asked to retest and the patch was shortly released. (If Synology operated the same way as a whole (and not just their core team) it would have been unbeatable).

It’s also FreeBSD (even though there is Linux version -TrueNAS Scale, but it’s not stable enough), and I personally find FreeBSD easier to use, but that’s a matter of opinion of course. And ZFS — so no longer have to deal with the worst of both worlds with btrfs over mdadm.

It is memory hungry in a sense that you want to have way more ram than you might reasonably expect — but on the other hand second hand sever ram is cheap and abundant.

Bottom line — switch to TrueNAS, you won’t regret it :slight_smile:

WOW! This is amazing. I really appreciate your detailed reply. This is encouraging, and definitely a “next” project for me that sounds really fun.

From the ECc reference I presume something awesome like ds1618+?

Nothing quite that exotic I’m afraid, just a humble DS1819+ with some Ironwolfs.

play with TrueNAS core in VM

I’m familiar with VMs conceptually but it’s a road I’ve not yet travelled. (I never had a reason, but now I do!) On what would I run the VM? Which VM do you recommend? I looked into them casually a few years ago but was put off by the $$$$ cost.


This is the first time I’ve heard of iXSystems – looks like they also do, or primarily do (?), hardware. Curious – who’s their target customer? Mid-size companies who need on-prem, or can’t afford AWS/GCS/Azure?

It’s also FreeBSD

Oooh, FreeBSD. How neat. I tinkered version 2.x back in the day, and I’ve always regarded it highly, for the niche it serves.

second hand sever ram is cheap and abundant

Any ideas on where/what to look for?

Ballpark, how much would it cost to cobble something together?

Very, very interested.

Nice, it’s a next incarnation of the same platform. One of the best synology ever made. It went all downhill from there.

Mmm… They are free. Essentially it’s a hypervisor, that runs on your machine, and creates virtualized environment into which you can install another OS – the latter thinks it runs on a separate hardware. There are a number of options available: Virtual Box, VMWare Fusion (or VMWare Player for Windows hosts), Parallels, KVM, etc. I personally like VMWare Fusion – it’s free for personal use.

The whole point is that you can try another OS (including storage server in this case) without having actual separate hardware. Attach drives (virtual ones, represented by a file on a host), network devices (connected to a virtual switch) etc.

So my advice to try True NAS in VM would be – install VMWare Fusion on your Mac (or VMWare Player if on windows), create a virtual machine instance there, add extra virtual drives, configure about of ram etc, then download TrueNAS iso file and install it into that virtual instance. Suddenly, you have TrueNAS running in you network :slight_smile:

They make storage server software (free, opensoure) – TrueNAS (Formerly FreeNAS) that you can run on your own hardware and they also sell services and their own built hardware, if you want better integration and support. There is vibrant community and they have tons of guides on picking hardware when building the server for TrueNAS. Documentation (both from issystems and community) is top notch.

Once you figure out the type (e.g. DDR3 1600 ECC unbuffered) – search for that on eBay, Newegg, and

I can tell you exactly the prices I’ve just paid:

  • Supermicro CSE-825TQ-R720LPB 2u server enclosure, with dual 750W power supply, 8 hot swap disk bays, backplate, and all the cabling: (local surplus store via eBay, now they increased the price on the same seemingly case to $190): $130
  • Supermicro X9SCL±F Motherboard with Xeon E3-1230 v2 4-core 3.30GHz CPU and 8GB ram. Out of which I’m going to sell the 8GB it came with back on eBay (local surplus store via eBay): $87
  • 32G of DDR3 1600 ECC unbuffered (some refurbisher in Texas, found via google): $85
  • AOC-S2308L-L8i PCIe 3.0 6Gbps HBA (eBay): $30

So, total $332. And this is full cost, without drives, which I’ll move from my current setup.

Actually, it was supposed to be just the Supermicro case and a bunch of varying length SATA cables to backblane – my current motherboard (P8Z68vprogen3) has 8 SATA ports. But then I realized I would need front panel IO cable splitter, and fan splitter/extension; but why spend $40 in various adapters, when I can spend $80 and get the whole server motherboard with IPMI and matching front panel cable port, and ECC, and made by the same vendor to work with the PSU and the rest of equipment. So one thing led to another and here I am with an extra server.

BTW moving the TrueNAS install from one server to another is a breeze - the configuration save file is literally a script that takes the machine from vanilla to the current config. It’s magical.

And that thing can easily run plex, serve as a backup target, run backup to the cloud, run home bridge, storj node and not bother me with maintenance. And I know this precisely because it already does it all on slightly worse hardware.

(we went way too far off topic…)

1 Like


I run Duplicacy x64 on Synology using read-only access, and back up to Backblaze B2. Backup logs are written to a logs directory on the NAS.

This is AWESOME!

And for nearly half the price of PS5? I’m in!

Two thoughts:

  1. Power consumption – it’s my understanding that a selling point of Synology appliances is the optimization of energy consumption (in addition to depreciation!). Napkin math for energy cost for running a dual 750W server 24/7 would be interesting to calculate. A couple hundred dollars per year maybe?
  2. Duplicacy – how would it fit into this scenario? (i.e. backing up the server) Do you run Duplicacy in a VM on the TrueNAS OS? Or is there some other way?

(Off topics are sometimes the best topics, as is the case here :slight_smile: )

I really, really like this idea. I could probably fund the whole enterprise with the sale of my old Synology DS920+, and do it with 10 GbE .

1 Like

Synology uses low TDP processors, limited to max 15W of power consumption. They are not much different from their big counterpart otherwise. And all modern processors can power manage themselves pretty well – no load – clock down, there are the whole separate clock domains to manage power to unbelievable granularity. So in idle both Denverton and Xeon will have comparable power consumption. But under load – the former will be limited to max 15W, while Xeon would burn 90W, but also performing work so much faster.

I don’t think it will come close to 750watts in this scenario.

Hard drives consume the same - 5-10W. Power supplies are 80-90% efficient. My current server – gaming P8Z68 Asus board, + 4 HDD, +1 SSD + 1 Optane + 32GB DDR3 ram consumes 80-85 Watts, as measured by the UPS, and confirmed by the KillAWatt thingy. At $0.45/kwH this translates to $330/year in electricity costs where I live.

The 80W figure is a bit high, and I suspect is due to a bunch of devices on the motherboard wasting a lot of power – without drives it was consuming 40W at idle! And that after I reduced it by 8W via turning off most of unused onboard devices such as audio, bluethooth, esata, a bunch of USB3 controllers, and whatever else asus decided to cram there to pad the feature list. The remaining biggest consumer seems to be the chipset – it has a massive heatsink and is always too hot to touch.

I expect server chipset to be more efficient (at least the attached heatsink is tiny), but that server case comes with three very beefy fans, so we’ll see where will the balance tip. I will literally know this by the end of the week once I put it all together. All parts are now sitting in the middle of the room in the enticing pile but I need to curve out few hours of uninterrupted time to move stuff there while minimizing downtime. Can’t wait :slight_smile:

There is FreeBSD duplciacy binary, both web UI and the CLI. You can run it as is, no need for vm. I would run it in jail - just as a matter of policy; I’ve made a TrueNAS iocage plugin here: GitHub - arrogantrabbit/iocage-plugin-duplicacy: This is a simple duplicacy_web plugin for TrueNAS Core to dumb down the installation and autoupdates as much as possible. Even though the plugins on TrueNAS are a bit abandonware and it’s best to just create a jail manually and configure things there, ether way is fine.

Yes! This is the ultimate conclusion that I came to. I bought Synology to have a hands off 'just works" device, ended up an expert navigating their bugs, gave up, moved to TrueNAS, which I avoided due to anticipated steep learning curve (I was wrong!) and that was happens to be hands off solution instead…

Sorry, I missed the notification for your post.
Now that some time has passed, I’m curious – did you get all your parts put together? I’m quite motivated to move on from Synology… sounding like a realistic 2023 project.

Oh, yea. The parts all worked together, minus a funny quirk: apparently SuperMicro motherboard bios has a bug that if the date is after 2021, and you try to enter BIOS you just see blue screen with red letters AS. LoL. The solution is to go to EFI shell, change date to the past, and then update the bios to the most recent one, which has the only change—to address this bug. :slight_smile:

Other than that—it “just worked”. I made a few backups, prepared to troubleshoot, import pool, figure out broken dependencies—but nope. Moved all disks, set the boot drive in Bios, and BAM—booted into my True NAS and continued as if nothing happened. Well, except now there is another menu item – IPMI. Nice touch.

Power consumption is within few watts of my old server. Which actually means it’s lower, but is compensated by the beefy fans.

IPMI with KVM is extremely useful. I did have to buy screws on eBay for drive caddies though. :slight_smile:

One more caveat – the server came with two power supplies, one – original supermicro, another – AbleCon. Turns out the AbleCon burns 10-15W of power more than Supermicro one. And is noisier. So if you are shopping for the chassis—check with the seller for it to have original power supplies. Not a big deal – they are under $20 on ebay – but why not save that $20.

So my experience has been fantastic so far. As the saying goes—my only regret is that I did not have done it sooner :).

That is awesome! I’m so glad to hear. Funny the BIOS bug!

Alright, I’m going to have to go down this path now. :slight_smile:

How do you anticipate using IPMI with KVM?

PS. Thanks for the heads up on that AbleCon! Curious, how are you measuring the power draw? Awesome you’re still inline with prior consumption.

Hopefully I don’t have to – but before, if something went bad – e.g., network config screwed up, or I needed to boot from external flash drive – i had to hauling the display, the keyboard to the machine; write the bootable image to the flash drive, connecting those, press physical button to reboot, etc.

Now—just open a browser (or, actually a Java app, or an iPad app), and I get remote access to the onboard graphics card output and the PS2 keyboard, and ability to mount images over network. And reboot the server if needed. I don’t have to be anywhere near it physically. I think that is huge.

This is how it looks like on my phone right now (i’ve connected to home via VPN to get screenshots; never mind the UPS and WireGuard warnings, I was messing with it, but that’s the graphics output from the server, and full keyboard):

UPS shows it on the front panel. Also, the KillAWatt thingy. I connected both power supplies to the UPS, then yanked out one from the server. Waited for the draw to stabilize. Recorded the min and max readings over few seconds. Then Plugged it back in, removed the other one, wait to stabilize, do the same. Repeat twice.

The first power supply was changing between 85-90, and the second—100-107, pretty consistently. And it was much noisier, but I can’t imagine 2" fan there consumed 15W :slight_smile:

We’re waay offtopic, hope other moderators split this thread because I’m not sure where it should go.

1 Like

Wow that IPMI setup is killer – seriously, that is so cool.

You really went the extra mile measuring those watts! Now I need to get a KillAWatt…

Sorry to be so off topic but I’ve enjoyed the chat! Maybe mods can setup a “clubhouse” forum for general chat. Fun to connect on like interests outside of troubleshooting the software. Reddit is so huge, there’s just no room for community or extended dialog.

1 Like