Create encrypted, incremental backups of your nSelf Postgres database and Docker volumes — then restore them locally or from a remote store.
```bash
# Create a full backup right now
nself backup create

# List all available backups
nself backup list

# Restore the most recent backup
nself backup restore latest

# Set up automatic nightly backups to S3
nself backup schedule --cron "0 2 * * *" --remote s3://my-bucket/nself
```

```
nself backup <SUBCOMMAND> [FLAGS] [ARGS]
```

`nself backup` provides a complete data-protection layer for self-hosted nSelf deployments. All backups are encrypted at rest using an AES-256 key managed via `nself backup init-key`. Backups include:

- Postgres dump (`pg_dump`) compressed with zstd
- `.env` + `nginx/conf.d/` configuration snapshot

Backups are stored locally at `~/.nself/backups/` by default and can be mirrored to any S3-compatible store, SFTP target, or Hetzner Object Storage bucket using the `--remote` flag.

Use `nself backup schedule` to register a cron-based job that runs unattended. Use `nself backup stream` to pipe a live backup to stdout, which is useful for integrating with external backup orchestrators.
Create a new backup. No services are stopped: consistency comes from Postgres MVCC and volume snapshots.

```bash
nself backup create
# Backup ID: bkp_20260101T020000Z
# Postgres:  done (423 MB → 87 MB compressed)
# Volumes:   done (minio 1.2 GB → 310 MB)
# Encrypted: yes (key: ~/.nself/backup.key)

nself backup create --remote s3://my-bucket/nself
nself backup create --tag before-migration
```

| Flag | Type | Default | Description |
|---|---|---|---|
| `--remote` | string | | Mirror backup to remote store (`s3://`, `sftp://`, `hetzner://`) |
| `--tag` | string | | Label the backup for easy retrieval later |
| `--no-volumes` | bool | false | Skip Docker volume snapshots (Postgres only) |
| `--compress` | string | zstd | Compression algorithm: zstd, gzip, none |
List all local (and optionally remote) backups with ID, timestamp, size, and tags.
```bash
nself backup list
# ID                    DATE        SIZE    TAG
# bkp_20260101T020000Z  2026-01-01  397 MB  —
# bkp_20251231T020000Z  2025-12-31  391 MB  before-migration

nself backup list --remote s3://my-bucket/nself
nself backup list --json
```

| Flag | Type | Default | Description |
|---|---|---|---|
| `--remote` | string | | Also list backups from a remote store |
| `--json` | bool | false | Output as JSON |
Restore a backup by ID or use latest for the most recent one.
```bash
nself backup restore latest
nself backup restore bkp_20251231T020000Z
nself backup restore latest --no-volumes   # DB only
nself backup restore latest --dry-run      # preview without applying
```

| Flag | Type | Default | Description |
|---|---|---|---|
| `--no-volumes` | bool | false | Restore Postgres only, skip volumes |
| `--dry-run` | bool | false | Show what would be restored without applying |
| `--force` | bool | false | Skip the confirmation prompt |
Pull a backup from a remote store and restore it directly without storing it locally first.
```bash
nself backup restore-remote s3://my-bucket/nself/bkp_20251231T020000Z
nself backup restore-remote hetzner://my-bucket/nself latest
```

Verify a backup's integrity by checking the encrypted archive checksum and decryption.

```bash
nself backup verify latest
# bkp_20260101T020000Z: OK (checksum verified, decryption ok)

nself backup verify bkp_20251231T020000Z
```

Delete old backups according to a retention policy. Keeps the most recent N backups and any backup created within the last D days.

```bash
nself backup prune --keep 7
nself backup prune --keep 30 --older-than 90d
nself backup prune --dry-run
```

| Flag | Type | Default | Description |
|---|---|---|---|
| `--keep` | int | 7 | Number of recent backups to keep |
| `--older-than` | string | | Also prune backups older than this duration (e.g. `90d`, `6mo`) |
| `--dry-run` | bool | false | Show what would be deleted without deleting |
| `--remote` | string | | Also prune on the remote store |
Show or edit the backup configuration (local path, default remote, compression, retention).
```bash
nself backup config
nself backup config --set remote=s3://my-bucket/nself
nself backup config --set retention=30
```

Show the last backup time, next scheduled run, and remote sync state.

```bash
nself backup status
# Last backup: 2026-01-01T02:00:00Z (14h ago)
# Next backup: 2026-01-02T02:00:00Z (in 10h)
# Remote sync: s3://my-bucket/nself (up to date)
# Schedule:    0 2 * * * (nightly at 02:00 UTC)
```

Generate a new AES-256 backup encryption key and save it to `~/.nself/backup.key`. Run this once during initial setup or when rotating keys.

```bash
nself backup init-key
# Key written to: ~/.nself/backup.key
# Store this key securely — backups cannot be restored without it
```

Pipe a live, encrypted backup archive to stdout. Useful for piping into external storage tools or S3 utilities directly.

```bash
# date -u so that the trailing "Z" in the object name really denotes UTC
nself backup stream | aws s3 cp - s3://my-bucket/nself/$(date -u +%Y%m%dT%H%M%SZ).tar.zst
nself backup stream > /mnt/nas/nself-backup.tar.zst
```

Resume an interrupted backup transfer to a remote store.

```bash
nself backup resume bkp_20260101T020000Z
nself backup resume latest
```

Register or update the cron-based automatic backup schedule. Writes a launchd plist (macOS) or systemd timer (Linux) that runs `nself backup create` unattended.

```bash
nself backup schedule --cron "0 2 * * *"
nself backup schedule --cron "0 2 * * *" --remote s3://my-bucket/nself
nself backup schedule --disable
nself backup schedule --status
```

| Flag | Type | Default | Description |
|---|---|---|---|
| `--cron` | string | | Cron expression for the schedule (e.g. `0 2 * * *`) |
| `--remote` | string | | Mirror each backup to this remote store |
| `--disable` | bool | false | Remove the scheduled job |
| `--status` | bool | false | Show current schedule without changing it |
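In the `nself backup stream | aws s3 cp - ...` pipelines shown earlier, the shell by default reports only the uploader's exit status, so a stream that fails partway can leave a truncated object behind a job that looks successful. The wrapper below is an added example, not part of nSelf: `stream_checked` is a hypothetical helper, and the failing producer at the end is a constructed stand-in for `nself backup stream`.

```bash
# Added example, not part of nSelf. stream_checked is a hypothetical helper.
# Usage: stream_checked 'PRODUCER COMMAND LINE' CONSUMER [ARGS...]
# Returns the producer's exit status if it failed, else the consumer's.
stream_checked() {
  sc_producer=$1; shift
  sc_status=$(mktemp) || return 1
  sc_consumer_rc=0
  {
    # Record the producer's own status; the pipeline would otherwise drop it.
    sc_rc=0
    sh -c "$sc_producer" || sc_rc=$?
    echo "$sc_rc" > "$sc_status"
  } | "$@" || sc_consumer_rc=$?
  sc_producer_rc=$(cat "$sc_status")
  rm -f "$sc_status"
  if [ "${sc_producer_rc:-1}" -ne 0 ]; then
    # The consumer may already have stored whatever bytes it received.
    echo "stream failed (exit ${sc_producer_rc:-unknown}); stored object is incomplete" >&2
    return "${sc_producer_rc:-1}"
  fi
  return "$sc_consumer_rc"
}

# Real use (bucket name taken from the page's examples):
#   stream_checked 'nself backup stream' \
#     aws s3 cp - "s3://my-bucket/nself/$(date -u +%Y%m%dT%H%M%SZ).tar.zst"

# Constructed stand-in for a failing stream: emits partial data, then exits 1.
failing_stream='printf "partial-archive"; exit 1'
stream_checked "$failing_stream" sh -c 'cat >/dev/null' \
  || echo "caught producer failure, exit $?"
```

A non-zero return tells the scheduler the run failed; the incomplete object still has to be deleted from the remote store.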
```bash
nself backup init-key
nself backup schedule --cron "0 2 * * *" --remote hetzner://my-bucket/nself
```

```bash
nself backup create --tag pre-v110-migration
# Then run migrations...
nself migrate up
# If something goes wrong:
nself backup restore pre-v110-migration
```

```bash
nself backup verify latest && nself backup prune --keep 14 --dry-run
# Review dry-run output, then:
nself backup prune --keep 14
```

```bash
nself backup stream | rclone rcat remote:nself/$(date +%Y%m%d).tar.zst
```

- `NSELF_BACKUP_DIR` — local backup storage path (default: `~/.nself/backups`)
- `NSELF_BACKUP_KEY_PATH` — path to the encryption key (default: `~/.nself/backup.key`)
- `NSELF_BACKUP_REMOTE` — default remote store URL
- `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` — credentials for S3-compatible stores
- `HETZNER_OBJECT_STORAGE_KEY` — key for Hetzner Object Storage remotes

- `0` — success
- `1` — backup or restore failed (see stderr for details)
- `2` — invalid arguments or backup key not found
- `3` — remote store unreachable or authentication failed
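Every archive is encrypted under the key at `NSELF_BACKUP_KEY_PATH`, so how that file is stored on the host decides who can read the backups. The check below is an added example, not part of nSelf: `audit_backup_key` is a hypothetical helper, and the mode and location rules are assumptions about sensible policy rather than documented nSelf behaviour.

```bash
# Added example, not part of nSelf. audit_backup_key is a hypothetical helper.
# Usage: audit_backup_key KEY_PATH BACKUP_DIR
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_backup_key() {
  ak_key=$1; ak_dir=$2; ak_bad=0
  if [ ! -f "$ak_key" ]; then
    echo "MISSING: $ak_key (the page lists exit code 2 for a missing key)"
    return 1
  fi
  # GNU stat (Linux) first, BSD stat (macOS) as the fallback.
  ak_mode=$(stat -c '%a' "$ak_key" 2>/dev/null || stat -f '%Lp' "$ak_key")
  case "$ak_mode" in
    *00|0) ;;  # no group/other permission bits, e.g. 600 or 400
    *) echo "PERMS: $ak_key has mode $ak_mode; run chmod 600"; ak_bad=1 ;;
  esac
  # Resolve both locations so symlinks and relative paths compare correctly.
  ak_key_dir=$(cd "$(dirname "$ak_key")" && pwd -P) || ak_key_dir=
  ak_dir_abs=$(cd "$ak_dir" 2>/dev/null && pwd -P) || ak_dir_abs=
  if [ -n "$ak_dir_abs" ]; then
    case "$ak_key_dir/" in
      "$ak_dir_abs"/*)
        # A key kept with the archives travels with every copy of them.
        echo "LOCATION: key is stored under $ak_dir_abs, next to the archives"
        ak_bad=1 ;;
    esac
  fi
  return "$ak_bad"
}

# Defaults are the ones documented on this page.
audit_backup_key "${NSELF_BACKUP_KEY_PATH:-$HOME/.nself/backup.key}" \
                 "${NSELF_BACKUP_DIR:-$HOME/.nself/backups}" \
  || echo "backup key audit reported findings" >&2
```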