Back up the NetBird control plane sqlite store

[koinsaari]

Summary

The self-hosted NetBird control plane stores all state (users, peers, setup keys, OAuth client config, group/policy rules) in a sqlite database with no backup. Loss of the VPS would mean re-enrolling every peer from scratch.

Context

The store lives in the Docker named volume stoganet-edge_netbird_netbird_data (mounted at /var/lib/netbird in the container). Recovery without a backup means a full rebuild: reinstall NetBird, generate fresh setup keys, re-enroll every peer, rebuild groups and access policies, reset users. Stoganet/infra already has a LUKS+rclone backup pipeline on the home box — the VPS has nothing.

Scope

• Daily sqlite snapshot using sqlite3 .backup (not a raw file copy of the live DB)
• Snapshot lands in a location that gets caught by an existing backup rotation
• Documented restore procedure
• One real restore test on a throwaway VM

Out of scope: backing up /etc/netbird/ agent state (re-enrollment is cheap), backing up Caddy data (certs can be reissued).

Acceptance criteria

• systemd timer (or equivalent) takes a .backup-style snapshot daily
• Snapshot is included in some off-VPS backup (home box rotation or remote)
• docs/ documents the restore procedure
• Restore tested end-to-end at least once

Notes

Options weighed:

1. Push to home box over NetBird, let Stoganet/infra's existing backup catch it. Composes with what we have.
2. rclone direct from VPS to remote object store. Independent of home box.
3. Local snapshot only. Doesn't survive VPS loss — insufficient.

Leaning option 1.