Linux as Time Machine backup server for MacOS systems
originally published: by justin #Two paths: Samba and Netatalk
Samba is faster at data transfer, but flakey with powernap and background tasks — backups will probably fail while your MacOS systems are asleep, but it’s what I started with and it will back up faster when it works. (an update with these details coming soon-ish)
Netatalk is slower but can host proper(ish?) Time Machine services over AFP, so your backups will actually work while your MacOS systems nap. this is how I’m currently running things.
Step zero: setting up the filesystem for backups
regardless which path you use, you'll need somewhere to put the backups. I mount a the physical disks that make up my network storage to /drivepool, then mount a fuse filesystem to /srv/share this is only important so that you have the context needed to translate these steps to your own machine.
at the end of the day, you just need a directory to put the backups into. It doesn't need to be encrypted: you're encrypting the Time Machine backups on the host side anyway.
the Netatalk way
first, a few acknowledgements
- main inspiration: Daniel P. Gross: Linux-based Time Machine backup server using Netatalk and ZFS
- and a bit from: Sam Hewitt: Using a Linux Server for Time Machine Backups
the overview:
- configure user(s) for backup directory access
- install and configure netatalk/AFP for Time Machine
- configure the firewall for netatalk time machine
- configure your MacOS systems to use the backup destination
configure user(s) for backup directory access
sudo useradd --no-create-home --home-dir /backup --shell /usr/sbin/nologin timemachinesudo chown -R timemachine:timemachine /srv/share/backupssudo chmod og-rwx /srv/share/backupsyou'll also want to set a password for the time machine user. This will be important when setting up your MacOS systems.
sudo passwd timemachineinstall and configure netatalk/AFP for Time Machine
install netatalk. as with all things this is easy unless your package manager ecosystem makes it hard (debian, alegedly)
sudo apt update && sudo apt install -y netatalkyou'll need to create a file for your netatalk config: /etc/netatalk/afp.conf
[Time Machine]
path = /srv/share/backup
time machine = yes
valid users = timemachinesave that config and restart netatalk
sudo service netatalk restart
and go ahead and add some enteries to systemctl
sudo systemctl enable netatalk.servicesudo systemctl start netatalk.servicesudo systemctl enable avahi-daemon.servicesudo systemctl start avahi-daemon.serviceConfiguring firewall for Netatalk and Time Machine
ht to Unix & Linux: What ports need to be open for netatalk to work as a Time Machine server on my LAN?
you'll, allegedly, need to following ports open, both tcp and udp (I haven't confirmed every item on this list, but I have them open and it's working):
| port | protocol |
|---|---|
| 7 | upd/tcp |
| 206 | upd/tcp |
| 548 | upd/tcp |
| 427 | upd/tcp |
| 1900 | upd/tcp |
| 1935 | upd/tcp |
| 5353 | upd/tcp |
UFW and Netatalk for Time Machine
I use UFW at the moment. you can create a file in /etc/ufw/applications.d/ to hold app or service related rules that can be enabled and disabled with ufw allow <service> and will show up cleanly in response to ufw status, like this:
justin@machine$ sudo ufw status
Status: active
To Action From
-- ------ ----
[...]
time machine ALLOW 192.168.1.0/24
[...]I, creatively, called mine timemachine
[time machine]
title=Time Machine via Netatalk
description=netatalk services for facilitating Time Machine backups
ports=7,206,427,548,1900,1935,5353/tcp|7,206,427,548,1900,1935,5353/udpenable the rule
sudo ufw allow from {IP adress}/{subnet mask} to any app note: <profile name> is, in this case "time machine" not timemachine as you might initially assume based on the file-based configuration.
for more on UFW rules:
- Ask Ubuntu: How do I add UFW rules and a comment/name?
- Ask Ubuntu: UFW: Allow app/profile only from specific IP
- how do you create an app profile for ufw?
- https://help.ubuntu.com/community/UFW
Configure your MacOS systems to use the Netatalk server backup destination
out of the box, MacOS may not want to show your fancy new Time Machine server. if that's the case, set your MacOS systems to show unofficial Time Machine destinations.
defaults write com.apple.systempreferences TMShowUnsupportedNetworkVolumes 1configure Time Machine as usual, and use the username and password set when configuring users and access.
if you have existing backups (I did, as I was switching away from the Samba way), those sparsebundles will be there waiting for you unless you deleted them. Time Machine will ask if you want to use or erase the existing backup. If you want to keep your backups rolling, provide the password for your existing encrypted backups and be on your marry way.
if you get an error while attempting to use the existing backups, it's likely becasue you skipped the -R in chown -R above. ask me how I know.
an upside I hadn't considered with this path is your MacOS systems will not show the Time Machine share as a browseable folder. this might not be a benefit to you, or you may not care. I think it keep things cleaner and less likely that random files end up in the time machine directory.
the Samba way
coming soon