macOS backups
In the spirit of “an ounce of prevention is better than a pound of cure”, everybody who has already lost important files to ransomware, accidental deletion or faulty hardware knows how important a proper backup strategy is.
I keep 4 copies of important files:
- one on my MacBook itself
- one that got synced onto a cloud service, e.g. Dropbox, iCloud etc.
- a third one that got encrypted and uploaded via rclone / Arq to AWS Glacier / Backblaze B2
- a fourth one, also encrypted, backed up via Time Machine to a local NAS
Let’s talk more about the fourth option, as it’s the most peculiar one to configure well.
On macOS, the logical option is to back up via Time Machine. It’s deeply integrated with the rest of the OS, free and well executed.
Time Machine allows you to back up to an external disk or to Apple's preconfigured Time Capsule (which is no longer sold).
My setup works like this:
- I have a Raspberry Pi (RPi) with an external hard disk attached to it.
- Via Samba and Avahi Daemon, I advertise the RPi to the Time Machine client running on my Mac as a backup device.
- Time Machine on my Mac is configured to use the RPi as backup location and encrypt files before backup.
- To make sure I don’t spend unnecessary space and time on backing up dev dependencies for codebases, I use asimov.
With that setup, I have a rolling backup of my Mac, sitting on a low-power, versatile and cheap computer, all within my personal infrastructure.
Let’s walk through each step on how to replicate it.
Basic Raspberry Pi Setup
Before we can configure Time Machine, we need a device available on the network, with enough disk space to host a backup of your Mac. As a rule of thumb, I’d go with 1.5x to 2x your Mac’s disk capacity.
Raspbian Lite is usually my operating system (OS) of choice, though DietPi works well too. Compared to Raspbian, DietPi comes with some handy CLI tools preinstalled, making administration of your RPi easier.
Whichever one you go with, after installing the OS, you’ll need to mount any external disk you’d want to use for storing the backup files created by Time Machine (*.sparsebundle).
This is best done via fstab, giving the external disk a permanent mount point, i.e. path, which you can then share via Samba (we’ll go through that in the next step).
I usually choose /mnt/external{number} as mount points for external disks, but the folder name itself is a matter of personal preference. After you’ve decided on a name, create the folder via sudo mkdir /mnt/yourfoldername.
Now that you’ve got the folder, you need to use it as a mount point for your disk. A quick guide on how to set up automatic mounting via fstab can be found here.
After you’ve mounted the disk, it should be available via the path you’ve chosen earlier. I’ve created a subfolder inside called timemachine to be able to use the disk for other files besides just for backups.
Now that the basics are in place, let’s continue with the Time Machine setup itself.
Configuring the Raspberry Pi for Time Machine
To make our RPi visible to the Time Machine Utility on macOS, we need to put 3 things in place:
- Install Samba, a file (and print) server to handle file transfer between the two machines
- Install Avahi, a Bonjour server to advertise your RPi as a Time Machine server on your local network
- Configure Samba to share the timemachine folder inside the mount as a Time Machine-capable disk
Installing both Samba and Avahi is straightforward on either Raspbian Lite or DietPi: a simple sudo apt-get install samba avahi-daemon avahi-utils will do the job.
Now that both tools are installed, let’s configure them.
First, you’ll need to create a Samba password for your user via:
sudo smbpasswd -a your_rpi_username
For Samba, the config file is usually located under /etc/samba/smb.conf. Using nano, we can configure the Time Machine share as follows:
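[global]
# Refuse SMB1; only SMB2 and later are negotiated
min protocol = SMB2
# vfs_fruit options for Apple SMB clients
fruit:model = MacSamba
fruit:posix_rename = yes
fruit:veto_appledouble = no
fruit:wipe_intentionally_left_blank_rfork = yes
fruit:delete_empty_adfiles = yes
fruit:nfs_aces = no
fruit:aapl = yes
# Load the VFS modules that provide the fruit:* options
vfs objects = catia fruit streams_xattr
# Require a Samba username and password, no guest access
security = user
inherit permissions = yes
guest ok = no
printable = no
[Time-Machine]
comment = Time Machine Backup
path = /mnt/external/timemachine
# Mark this share as a Time Machine destination
fruit:time machine = yes
writable = yes
browseable = yes
read only = no
inherit acls = yes
# Replace with the account that is allowed to write backups
write list = your_rpi_username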
If you want to dig deeper into the different configuration parameters Samba offers, check out their official documentation.
Beware that you need to change the username in the last line to your RPi username, or to any user on the RPi that has write access to the mount point. For more granular permissions and heightened security, you could, for example, create a separate user just for Time Machine backups who only has read and write access to this specific folder.
You can find a comprehensive overview of user permissions, user groups and general user management on Linux here.
A general note on system security: I’m not covering firewall permissions here, but unless you consciously want to and are aware of the risks that come with it, you definitely should not expose the port that Samba is listening on outside your local network. And even within your network, proper permissions and using a firewall like ufw are generally advised. I won’t cover this part specifically, but I do encourage you to check out this excellent Linux hardening guide.
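The dedicated backup user and the LAN-only firewall suggested in the two paragraphs above, as an added example that is not part of the original post. The account name tmbackup, the subnet 192.168.1.0/24 and the SSH rule are assumptions; the script only prints the commands unless it is run with APPLY=1.

```shell
#!/usr/bin/env bash
# Added example: dry-run by default, APPLY=1 executes the steps via sudo.
set -eu

TM_USER="${TM_USER:-tmbackup}"                   # hypothetical account name
TM_PATH="${TM_PATH:-/mnt/external/timemachine}"  # share path from smb.conf
LAN_CIDR="${LAN_CIDR:-192.168.1.0/24}"           # assumption: your LAN subnet

# Print the command, or run it as root when APPLY=1.
run() {
  if [ "${APPLY:-0}" = "1" ]; then sudo "$@"; else printf '+ %s\n' "$*"; fi
}

# Accept only something shaped like an IPv4 CIDR, and never "everyone".
valid_cidr() {
  case "$1" in ''|*[!0-9./]*|0.0.0.0/0) return 1 ;; esac
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

harden() {
  valid_cidr "$LAN_CIDR" || { echo "refusing LAN_CIDR=$LAN_CIDR" >&2; return 1; }

  # 1. Backup-only account: own group, no home directory, no login shell.
  run useradd --system --user-group --no-create-home \
      --shell /usr/sbin/nologin "$TM_USER"
  # 2. Only that account may read or write the backup folder.
  run chown "$TM_USER:$TM_USER" "$TM_PATH"
  run chmod 0700 "$TM_PATH"
  # 3. Samba password for the account (prompts when applied).
  run smbpasswd -a "$TM_USER"

  # 4. Default-deny inbound; admit SSH, SMB and mDNS from the LAN only.
  run ufw default deny incoming
  run ufw allow from "$LAN_CIDR" to any port 22 proto tcp    # assumes SSH admin
  run ufw allow from "$LAN_CIDR" to any port 445 proto tcp   # Samba (SMB2+)
  run ufw allow from "$LAN_CIDR" to any port 5353 proto udp  # Avahi / mDNS
  run ufw enable
}

harden
```

After applying it, point write list in the [Time-Machine] share at the new account and use that account's Samba credentials on the Mac.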
With that out of the way, if you’ve set up Samba as described above, let’s restart the RPi for good measure and move on to setting up your Mac as a Time Machine client.
Configuring Time Machine on macOS
Time Machine has its own icon in System Preferences on macOS. Navigate there, and you should be able to select a disk.
If the setup on the RPi is correct, you’ll see your RPi’s hostname under “Available Disks”. This is Avahi doing its work in tandem with Samba.
Select the disk and tick the box “Encrypt Backups” for encrypted backups (the more secure option, in case your non-encrypted disk on the RPi gets compromised).
Confirm with “Use Disk”. You should be asked for a username and password now — those are your chosen username and password for Samba on the RPi.
Done 🎉 – you’ll now see Time Machine doing its thing in the menu bar, displaying information on the backup status of your Mac. You can also browse the rolling backup of any folder on your Mac via “Enter Time Machine” in this menu.
Polishing & Maintenance
For more fine-grained control of Time Machine, macOS comes preinstalled with tmutil, a CLI utility for configuring it. For a deeper overview of the ins and outs of tmutil, this excellent article has you covered.
To optimize the setup for developers, asimov is an excellent wrapper around the aforementioned tmutil, automatically excluding development dependencies from being backed up, which makes a ton of sense considering they take up considerable space and time to sync.
In terms of maintenance, the setup quietly does what it’s supposed to do. If backups haven’t been able to complete successfully, macOS will display a notification. For me, it was usually enough to restart the Samba daemon on the RPi (via sudo systemctl restart smbd.service) to get them working again.
And there you have it: a low-power, encrypted, on-premises backup system with minimal configuration effort and maintenance required.