Synology Backup

Verified

@pfrederiksen

npx machina-cli add skill @pfrederiksen/synology-backup --openclaw

Synology Backup

Backup OpenClaw data to a Synology NAS over SMB. Designed for secure, automated daily snapshots with configurable retention.

Setup

1. Network Connectivity

For VPS-to-NAS backups, use Tailscale for secure connectivity without exposing SMB to the internet:

  1. Install Tailscale on the Synology (Package Center → search "Tailscale")
  2. Install Tailscale on the VPS — see Tailscale's official install guide for your platform
  3. Join both to the same tailnet
  4. Use the Synology's Tailscale IP in config

For local network setups, use the NAS local IP directly.

2. Synology Preparation

  1. Create a dedicated user on the Synology (e.g., openclaw-backup) with minimal permissions
  2. Create or choose a shared folder (e.g., backups)
  3. Grant the user read/write access to only that folder

3. Credentials File

Create an SMB credentials file with restricted permissions — never store credentials in config or scripts:

# Create the file and set permissions (replace placeholders with your values)
touch ~/.openclaw/.smb-credentials
chmod 600 ~/.openclaw/.smb-credentials
# Edit the file and add two lines:
#   username=<your-synology-user>
#   password=<your-synology-password>
nano ~/.openclaw/.smb-credentials

4. Configuration

Create ~/.openclaw/synology-backup.json:

{
  "host": "100.x.x.x",
  "share": "backups/openclaw",
  "mountPoint": "/mnt/synology",
  "credentialsFile": "~/.openclaw/.smb-credentials",
  "smbVersion": "3.0",
  "backupPaths": [
    "~/.openclaw/workspace",
    "~/.openclaw/openclaw.json",
    "~/.openclaw/cron",
    "~/.openclaw/agents"
  ],
  "includeSubAgentWorkspaces": true,
  "retention": 7,
  "schedule": "0 3 * * *"
}

Note on sensitive files: The .env file (containing API keys) is not included in the default backup paths. If you want to back it up, add "~/.openclaw/.env" to backupPaths — but ensure your Synology share has restricted access and the dedicated user has minimal permissions.

Field                      Description                        Default
host                       Synology IP (Tailscale or local)   required
share                      SMB share path                     required
mountPoint                 Local mount point                  /mnt/synology
credentialsFile            Path to SMB credentials file       required
smbVersion                 SMB protocol version               3.0
backupPaths                Paths to back up                   workspace + config
includeSubAgentWorkspaces  Auto-include workspace-* dirs      true
retention                  Days of snapshots to keep          7
schedule                   Cron expression (host timezone)    0 3 * * *

5. Install Dependencies

apt-get install -y cifs-utils rsync

6. Mount Setup

For persistent mounts across reboots, add to /etc/fstab (use the absolute path of the credentials file; fstab does not expand ~):

//<host>/<share> /mnt/synology cifs credentials=<credentials-file>,vers=3.0,_netdev,nofail 0 0

Usage

Backup Now

scripts/backup.sh

Runs an incremental backup. First run copies everything; subsequent runs only sync changes.

Restore a Snapshot

scripts/restore.sh [date]

Restores from a specific date's snapshot (e.g., 2026-02-20). Without a date, lists available snapshots.

Check Status

scripts/status.sh

Shows last backup time, snapshot count, total size, and mount health.

What Gets Backed Up

  • ~/.openclaw/workspace/ — memory, SOUL, AGENTS, skills, all workspace files
  • ~/.openclaw/workspace-*/ — all sub-agent workspaces (if enabled)
  • ~/.openclaw/openclaw.json — main config
  • ~/.openclaw/cron/ — cron job definitions
  • ~/.openclaw/agents/ — agent configurations
  • ~/.openclaw/.env: opt-in only (contains API keys — add to backupPaths manually if desired)

Snapshot Structure

backups/
├── 2026-02-20/
│   ├── manifest.json
│   ├── workspace/
│   ├── workspace-email/
│   ├── workspace-news/
│   ├── agents/
│   ├── cron/
│   └── openclaw.json
├── 2026-02-19/
└── ...
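
An added example, not the skill's own pruning code: choosing which snapshots to prune from a layout like the one above. It assumes retention means keeping the N newest YYYY-MM-DD directories, and prune_candidates is a hypothetical name.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper, not part of the skill).
# Prints the snapshot directory names that fall outside the retention window.
# Assumption: "retention" keeps the N newest YYYY-MM-DD directories.
prune_candidates() {
  local root=$1 keep=$2 d
  # A non-numeric or zero retention would select every snapshot: refuse it.
  case "$keep" in ''|*[!0-9]*) echo "retention must be a number" >&2; return 2 ;; esac
  [ "$keep" -ge 1 ] || { echo "refusing retention < 1" >&2; return 2; }
  for d in "$root"/[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]; do
    # Real directories only: a symlink named like a date is skipped, not
    # followed, and anything that is not date-shaped is never listed.
    [ -d "$d" ] && [ ! -L "$d" ] && printf '%s\n' "${d##*/}"
  done | sort -r | tail -n +"$((keep + 1))"   # ISO dates sort chronologically
}

# Usage: prune.sh SNAPSHOT_ROOT RETENTION
[ "$#" -ne 2 ] || prune_candidates "$1" "$2"
```

Review the printed names before removing anything; the function only selects candidates and deletes nothing.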

Security Notes

  • Credentials: Always use a dedicated credentials file with restricted permissions (chmod 600). Never inline secrets in config files, scripts, or fstab.
  • Network: Use Tailscale or a VPN for remote backups. Never expose SMB (port 445) to the public internet.
  • Sensitive data: The .env file contains API keys and is excluded from default backup paths. Only include it if your NAS share is properly secured with restricted user permissions.
  • NAS user: Create a dedicated Synology user with access to only the backup share — not an admin account.
  • Retention: Old snapshots are pruned by moving them to the Synology trash (if supported) or deleting them. Increase retention for critical environments.
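
An added example, not part of the synology-backup skill: a preflight check that turns the notes above into pass/fail tests. The function names are hypothetical, the fstab entry is passed in as a string, and accepting only Tailscale (100.64.0.0/10) or RFC 1918 host addresses is an assumption.

```shell
#!/usr/bin/env bash
# Added example; function names are hypothetical, not part of the skill.

# Credentials file: regular file (not a symlink), no group/other access.
cred_file_ok() {
  case "$(ls -ld -- "$1" 2>/dev/null)" in -rw-------*|-r--------*) return 0 ;; esac
  return 1
}

# Config: references credentialsFile and carries no inline secret key.
config_ok() {
  grep -q '"credentialsFile"' "$1" &&
    ! grep -Eiq '"(password|pass|secret)"[[:space:]]*:' "$1"
}

# fstab entry: cifs with credentials=<absolute path>, no password=/pass= option.
fstab_line_ok() {
  local opts
  opts=$(printf '%s\n' "$1" | awk '$3 == "cifs" { print $4 }')
  case ",$opts," in
    *,password=*|*,pass=*) return 1 ;;
    *,credentials=/*|*,cred=/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Host: Tailscale (100.64.0.0/10) or RFC 1918; rejects public IPs and 100.x.x.x.
host_ok() {
  local a b c d rest o
  IFS=. read -r a b c d rest <<EOF
$1
EOF
  [ -z "$rest" ] || return 1
  for o in "$a" "$b" "$c" "$d"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  case "$a" in
    10) return 0 ;;
    100) [ "$b" -ge 64 ] && [ "$b" -le 127 ] ;;
    172) [ "$b" -ge 16 ] && [ "$b" -le 31 ] ;;
    192) [ "$b" -eq 168 ] ;;
    *) return 1 ;;
  esac
}

# Usage: preflight.sh CRED_FILE CONFIG_JSON 'FSTAB LINE' HOST
[ "$#" -ne 4 ] || { cred_file_ok "$1" && config_ok "$2" && fstab_line_ok "$3" && host_ok "$4"; }
```

Each function returns 0 on pass, so the checks can also be called one at a time to see which one fails.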

Source

git clone https://clawhub.ai/pfrederiksen/synology-backup

Overview

Synology Backup automates saving OpenClaw workspace data, configs, and agent definitions to a Synology NAS over SMB. It supports secure remote backups with Tailscale, daily automated snapshots, and configurable retention to protect critical data.

How This Skill Works

Configure a dedicated Synology user and a shared backups folder, then store connection settings in ~/.openclaw/synology-backup.json. The backup pipeline mounts the SMB share using credentials from ~/.openclaw/.smb-credentials and uses rsync-based scripts to copy the configured paths (workspace, openclaw.json, cron, agents), applying retention and scheduling rules.

When to Use It

  • Backing up OpenClaw workspace files and agent configs to a Synology NAS over SMB.
  • Restoring from a specific snapshot date to recover a previous state.
  • Checking backup status, snapshot count, total size, and mount health.
  • Setting up automated daily backups with a configurable retention period.
  • Establishing secure remote backups over Tailscale for VPS-to-NAS connectivity.

Quick Start

  1. Create a dedicated Synology user and a backups shared folder; enable secure connectivity with Tailscale for remote VPS-to-NAS backups.
  2. Create ~/.openclaw/.smb-credentials with restricted permissions and populate username and password; create ~/.openclaw/synology-backup.json with host, share, mountPoint, credentialsFile, backupPaths, retention, and schedule.
  3. Install dependencies (cifs-utils, rsync), mount the SMB share, and run backup.sh (or status.sh / restore.sh as needed).

Best Practices

  • Create a dedicated Synology user with minimal permissions and use a dedicated shared folder for backups.
  • Store SMB credentials in a restricted file (e.g., ~/.openclaw/.smb-credentials) and never embed them in scripts.
  • Limit backup paths to workspace, config, and agent data to reduce risk and improve performance.
  • Regularly test restores from snapshots and verify integrity and completeness of backups.
  • Monitor retention settings and ensure the NAS mount remains healthy after reboots.

Example Use Cases

  • Daily incremental backups of ~/.openclaw/workspace, ~/.openclaw/openclaw.json, ~/.openclaw/cron, and ~/.openclaw/agents to backups/openclaw on a Synology NAS via SMB with Tailscale for secure remote access.
  • Restoring from a specific date such as 2026-02-20 to recover a workspace state after a misconfiguration.
  • Using scripts/status.sh to verify last backup time, snapshot count, total size, and mount health.
  • Switching from remote Tailnet access to local LAN by using the NAS local IP to reduce latency when available.
  • Optional backup of sensitive files like ~/.openclaw/.env only if the NAS share is secured and access is restricted.
