Backup & Restore

Back up and restore your Nefia configuration, state, and audit logs.

Your Nefia operator state includes configuration, cryptographic keys, audit logs, and schedule definitions. Losing any of these can disrupt your fleet management or break your audit trail. Regular backups ensure you can recover quickly.

What Gets Backed Up

A Nefia backup archive contains:

plaintext

nefia-backup-2026-02-24.tar.gz
├── manifest.json              # Integrity manifest with SHA-256 checksums
├── nefia.yaml                 # Configuration file
└── state/
    ├── audit/
    │   ├── 2026-02-22.jsonl   # Append-only audit logs (date-partitioned)
    │   ├── 2026-02-23.jsonl
    │   └── 2026-02-24.jsonl
    ├── sessions.json          # Session and connection state
    ├── schedules/
    │   ├── daily-sync.json    # Scheduled task definitions (.json / .yaml)
    │   └── weekly-report.yaml
    └── recordings/
        └── rec-2026-02-24.json  # Session recording metadata (JSON only)

Creating a Backup

Run nefia backup to create a compressed archive of your operator state:

bash

nefia backup

nefia backup

Backup written to nefia-backup-2026-02-24.tar.gz (4.3 MiB, 8 files)

Each backup archive includes a manifest.json as its first entry, containing the Nefia version, creation timestamp, and a SHA-256 checksum for every file. This enables integrity verification after transfer or storage.

Custom Output Path

Specify a destination path with --output:

bash

nefia backup --output /mnt/backups/nefia-$(date +%Y%m%d).tar.gz

Verifying Backup Integrity

Use nefia backup verify to validate that all files in an archive match their recorded SHA-256 checksums:

bash

nefia backup verify nefia-backup-2026-02-24.tar.gz

nefia backup verify

Archive: nefia-backup-2026-02-24.tar.gz Created: 2026-02-24T03:00:00Z (nefia v0.1.16)

PASS nefia.yaml PASS state/audit/2026-02-22.jsonl PASS state/audit/2026-02-23.jsonl PASS state/audit/2026-02-24.jsonl PASS state/sessions.json PASS state/schedules/daily-sync.json PASS state/schedules/weekly-report.yaml PASS state/recordings/rec-2026-02-24.json

All 8 files verified successfully.

The command exits with code 0 when all files pass, or code 1 if any file fails or is missing from the archive. This makes it safe to use in scripts and CI pipelines.

Restoring from a Backup

Restore your operator state from a backup archive:

bash

nefia restore ~/nefia-backup-2026-02-24.tar.gz

nefia restore

Restored 8 files: nefia.yaml state/audit/2026-02-22.jsonl state/audit/2026-02-23.jsonl state/audit/2026-02-24.jsonl state/sessions.json state/schedules/daily-sync.json state/schedules/weekly-report.yaml state/recordings/rec-2026-02-24.json

Dry Run

Preview what a restore would do without writing any files:

bash

nefia restore --dry-run ~/nefia-backup-2026-02-24.tar.gz

nefia restore --dry-run

Dry run: 8 files would be restored from nefia-backup-2026-02-24.tar.gz

new 1.2 KiB nefia.yaml overwrite 12.4 KiB state/audit/2026-02-22.jsonl overwrite 15.1 KiB state/audit/2026-02-23.jsonl new 8.7 KiB state/audit/2026-02-24.jsonl overwrite 2.3 KiB state/sessions.json new 456 B state/schedules/daily-sync.json new 312 B state/schedules/weekly-report.yaml new 1.1 KiB state/recordings/rec-2026-02-24.json

Each file is marked as either new (does not exist on disk) or overwrite (will replace an existing file), along with its size. The --dry-run flag skips the confirmation prompt and writes nothing to disk.

Force Overwrite

By default, nefia restore prompts for confirmation before overwriting existing files. Use --force to skip the prompt and overwrite without asking:

bash

nefia restore --force ~/nefia-backup-2026-02-24.tar.gz

This is useful in scripts or automated recovery workflows where interactive prompts are not possible.

Restore Behavior

Validation -- The archive is verified for integrity and expected structure before any files are written.

Conflict handling -- If a file already exists at the destination, the CLI prompts for confirmation before overwriting. Use --force to skip the prompt, or --dry-run to preview changes first.

Post-restore -- After a successful restore, the configuration is reloaded automatically. If the reload fails, a warning is logged but the restore is still considered successful.

Best Practices

Automate Backups with Scheduled Execution

Use Nefia's built-in scheduler to create daily backups automatically:

bash

nefia schedule create \
  --name "config-backup" \
  --cron "0 3 * * *" \
  --playbook backup-operator.yaml \
  --target localhost

Verify After Transfer

Always verify backup integrity after copying to remote storage:

bash

# Copy to remote storage
scp nefia-backup-2026-02-24.tar.gz backup-server:/backups/
 
# Verify on the remote host
ssh backup-server nefia backup verify /backups/nefia-backup-2026-02-24.tar.gz

Store Backups Off-Device

A backup stored on the same machine it protects is not a backup. Copy archives to cloud storage or an external drive.

Test Restores Periodically

Test by running a dry-run restore first, then a full restore on a non-production machine:

bash

# Preview what would be restored
nefia restore --dry-run ~/nefia-backup-2026-02-24.tar.gz
 
# Perform the actual restore
nefia restore ~/nefia-backup-2026-02-24.tar.gz

Retention Strategy

Frequency	Retention	Purpose
Daily	7 days	Quick recovery from recent changes
Weekly	4 weeks	Recovery from gradual configuration drift
Monthly	12 months	Long-term audit compliance

MCP Tools

Backup and restore operations are available via MCP:

Tool	Description
`nefia.backup.list`	List available backup archives.
`nefia.backup.create`	Create a new backup of config, state, sessions, and audit logs.
`nefia.backup.verify`	Verify the integrity of a backup archive.
`nefia.backup.restore`	Restore configuration and state from a backup archive.

Scheduled Execution

Automate recurring tasks with cron-based scheduling.

CLI Commands

Full reference for all Nefia CLI commands and flags.