Restic: High-Availability Backup Strategy for Immich and Syncthing
(Simplified & Practical Edition – Generic Template)
Overview
This is a clean, generic template of a proven, simple backup strategy using a dedicated Vault LXC and Restic with REST server.
Separate repositories for different services, easy user looping, and direct pruning — minimal complexity, maximum reliability.
Infrastructure (Example Layout)
| Host / Service | Example IP | Role | Example CTID |
|---|---|---|---|
| Proxmox VE Host | 192.168.50.10 | Hypervisor, ZFS storage | - |
| Immich LXC | 192.168.50.142 | Production Immich application | 142 |
| Syncthing LXC | 192.168.50.135 | Multi-user Syncthing instance | 135 |
| Vault/Restic LXC | 192.168.50.220 | Backup controller | 220 |
| NAS | 192.168.50.80 | Restic REST server (listening on 10.20.20.80) | - |
Read-Only Mount Points in Vault LXC
| Example ZFS Dataset on Host | Mount Point in Vault LXC | Purpose |
|---|---|---|
| /tank/subvol-142-disk-1 | /source/immich | Immich library/uploads |
| /tank/subvol-135-disk-2 | /source/syncthing-alice | Syncthing user Alice |
| /tank/subvol-135-disk-3 | /source/syncthing-bob | Syncthing user Bob |
| /tank/subvol-135-disk-4 | /source/syncthing-charlie | Syncthing user Charlie |
Configured on Proxmox host with read-only mounts (ro=1).
Restic REST Server on NAS (10.20.20.80:8000)
Two separate repositories:
- /photos → authenticated with user photos-backup
- /sync-main → authenticated with user sync-backup
--append-only is not used, allowing the backup client to handle pruning directly.
Generic Backup Script Template
Place this in the Vault LXC as /root/backup-mountpoints.sh:
```bash
#!/bin/bash
# Simple backup script template for Immich + multi-user Syncthing

# --- CONFIGURATION: IMMICH ---
IMMICH_REPO="rest:http://photos-backup:StrongPhotoPass2025@10.20.20.80:8000/photos"
IMMICH_PASS="StrongPhotoPass2025"

# --- CONFIGURATION: SYNCTHING ---
SYNC_REPO="rest:http://sync-backup:StrongSyncPass2025@10.20.20.80:8000/sync-main"
SYNC_PASS="StrongSyncPass2025"

echo "--- Backup Started: $(date) ---"

# ==========================================
# 1. IMMICH BACKUP
# ==========================================
echo "Backing up Immich..."
RESTIC_PASSWORD="$IMMICH_PASS" restic -r "$IMMICH_REPO" backup /source/immich \
    --host immich-server --tag "auto" --verbose

# Prune Immich repo
RESTIC_PASSWORD="$IMMICH_PASS" restic -r "$IMMICH_REPO" forget \
    --keep-last 3 --keep-daily 7 --keep-weekly 4 --prune

# ==========================================
# 2. SYNCTHING BACKUP
# ==========================================
echo "Backing up Syncthing Users..."
USERS=("alice" "bob" "charlie")
# Loop variable is SYNC_USER so the shell's own $USER is not overwritten
for SYNC_USER in "${USERS[@]}"; do
    echo "Processing $SYNC_USER..."
    RESTIC_PASSWORD="$SYNC_PASS" restic -r "$SYNC_REPO" backup "/source/syncthing-$SYNC_USER" \
        --host syncthing-server --tag "user:$SYNC_USER" --verbose
done

# Prune Syncthing repo (once for all users). forget groups snapshots by
# host and path by default, so the retention policy applies per user.
RESTIC_PASSWORD="$SYNC_PASS" restic -r "$SYNC_REPO" forget \
    --keep-last 3 --keep-daily 7 --keep-weekly 4 --prune

echo "--- Backup Finished: $(date) ---"
```
Security hardening:
```bash
chmod 700 /root/backup-mountpoints.sh
chown root:root /root/backup-mountpoints.sh
```
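The script above puts the REST credentials in the `-r` URL and reuses one string as both the HTTP password and the repository encryption password. As an added example (not part of the original template), this sketch loads them from root-only files through restic's `RESTIC_REPOSITORY`, `RESTIC_REST_USERNAME`, `RESTIC_REST_PASSWORD` and `RESTIC_PASSWORD_FILE` environment variables; the file paths and the names `REST_USER`, `REST_PASS`, `REPO_URL` and `REPO_KEY_FILE` are assumptions.

```bash
#!/bin/bash
# Added example, not the page's script. The env-file layout and the names
# REST_USER, REST_PASS, REPO_URL, REPO_KEY_FILE are assumptions. Sample file
# /root/.restic/photos.env (constructed values):
#   REST_USER=photos-backup
#   REST_PASS=<HTTP basic-auth password, sent base64-encoded over http://>
#   REPO_URL=rest:http://10.20.20.80:8000/photos
#   REPO_KEY_FILE=/root/.restic/photos.key   # repository encryption password,
#                                            # a different secret from REST_PASS

# Succeed only if the file exists and grants nothing to group or other.
secrets_file_ok() {
    local mode
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        *00) return 0 ;;   # 600, 400, ...
        *)   return 1 ;;
    esac
}

# Export restic's own environment variables from a checked secrets file, so
# no credential appears in the -r argument (and thus in the process list).
load_repo_env() {
    local file="$1" REST_USER="" REST_PASS="" REPO_URL="" REPO_KEY_FILE=""
    secrets_file_ok "$file" || { echo "refusing $file: missing or too permissive" >&2; return 1; }
    . "$file"
    secrets_file_ok "$REPO_KEY_FILE" || { echo "refusing key file: $REPO_KEY_FILE" >&2; return 1; }
    case "$REPO_URL" in
        *@*) echo "REPO_URL must not embed credentials" >&2; return 1 ;;
    esac
    export RESTIC_REPOSITORY="$REPO_URL" RESTIC_PASSWORD_FILE="$REPO_KEY_FILE"
    export RESTIC_REST_USERNAME="$REST_USER" RESTIC_REST_PASSWORD="$REST_PASS"
}

# Subshell body: the exported secrets vanish when the function returns.
# The prune runs only if the backup succeeded.
backup_immich() (
    load_repo_env /root/.restic/photos.env || exit 1
    restic backup /source/immich --host immich-server --tag auto &&
        restic forget --keep-last 3 --keep-daily 7 --keep-weekly 4 --prune
)

# Run only on request, so the functions can be sourced without side effects.
if [ "${1:-}" = "--run" ]; then backup_immich; fi
```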
Automation & Scheduling
Crontab in Vault LXC (crontab -e):
```
0 3 * * * /root/backup-mountpoints.sh >> /var/log/restic-backup.log 2>&1
```
Log rotation (/etc/logrotate.d/restic):
```
/var/log/restic-backup.log {
    daily
    rotate 14
    compress
    missingok
    notifempty
}
```
Security Model
- Isolation: Production containers (Immich & Syncthing) have no network access to the NAS backup storage.
- Read-Only Access: Vault LXC cannot modify or delete live data.
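- Immutability: --append-only on the REST server would prevent deletion of snapshots even if the Vault is compromised. This template leaves it off so that the backup client can prune directly, which means a compromised Vault can also delete snapshots.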
- Encryption & Integrity: Restic encrypts all data and performs cryptographic checks.
Recovery Examples
```bash
# List Immich snapshots
RESTIC_PASSWORD=StrongPhotoPass2025 restic -r rest:http://photos-backup:...@10.20.20.80:8000/photos snapshots

# Restore latest Immich
RESTIC_PASSWORD=StrongPhotoPass2025 restic -r ... restore latest --target /tmp/restore-immich

# List only Bob's snapshots
RESTIC_PASSWORD=StrongSyncPass2025 restic -r ... snapshots --tag user:bob

# Restore Bob's data
RESTIC_PASSWORD=StrongSyncPass2025 restic -r ... restore latest --tag user:bob --target /tmp/restore-bob
```
This template preserves the simplicity and effectiveness of your working setup while keeping all identifiers generic and secure. Copy, adapt, and deploy confidently!