Restic: High-Availability Backup Strategy for Immich and Syncthing

High-Availability Backup Strategy for Immich and Syncthing

(Simplified & Practical Edition – Generic Template)

Overview

This ~~document~~is ~~outlines~~a ~~the~~clean, ~~high-availability~~generic template of a proven, simple backup strategy ~~for~~using ~~the~~a ~~Immich~~dedicated ~~photo~~Vault ~~server. To maximize security~~LXC and ~~performance,~~Restic wewith ~~utilize~~REST aserver.
~~Vault-Container~~Separate ~~architecture.~~repositories ~~This~~for ~~ensures~~different ~~that~~services, ~~the~~easy ~~primary~~user ~~application~~looping, ~~container~~and ~~has~~direct nopruning ~~network~~— ~~access~~minimal tocomplexity, ~~the~~maximum ~~backup storage, preventing data loss in the event of a service compromise.~~reliability.

Infrastructure Architecture(Example Layout)

~~Hypervisor:~~ ~~Proxmox VE 9.x (~~~~ProxmoxVE~~) ~~Primary Application:~~ ~~Immich (LXC ID:~~ 200) ~~Backup Controller:~~ ~~Alpine Vault (LXC ID:~~ 250) ~~Storage Target:~~ ~~TrueNAS, Synology running Rest Server (~~~~Vault-NAS~~) ~~Network Pipe:~~ ~~10.10.50.0/24 (Direct 2.5GbE Link)~~

Host / Service	~~Management IP~~

~~Storage~~Example IP Role Example CTID ~~ProxmoxVE~~Proxmox VE Host 192.168.~~1.50~~50.10 ~~10.10.50.1~~Hypervisor, ZFS storage ~~Proxmox Host~~- ~~Immich-App~~Immich LXC 192.168.~~1.200~~50.142 ~~N/A~~Production Immich application ~~Immich LXC (Production)~~142 ~~Vault-~~Syncthing LXC 192.168.~~1.250~~50.135 ~~10.10.50.5~~Multi-user Syncthing instance ~~Restic Backup Controller~~135 ~~Vault-~~Vault/Restic LXC 192.168.50.220 Backup controller 220 NAS 192.168.~~1.10~~ ~~10.10.~~50.1080 Restic REST ~~Server~~server (listening on 10.20.20.80) -

Read-Only

ConfigurationMount StepsPoints in Vault LXC

1.

Example ZFS ~~Data Mapping (Proxmox Host)~~

~~The live Immich data is passed from the ZFS tank to the Vault-LXC as a~~ ~~Read-Only~~ ~~mount point. This prevents the backup container from ever modifying or deleting live production data.~~

# ExecutedDataset on ProxmoxVEHost

~~Host~~Mount ~~pct~~Point ~~set~~in ~~250~~Vault ~~-mp0~~LXC Purpose /tank/subvol-200-142-disk-1,mp=1 /mnt/source/photos,immich Immich library/uploads /tank/subvol-135-disk-2 /source/syncthing-alice Syncthing user Alice /tank/subvol-135-disk-3 /source/syncthing-bob Syncthing user Bob /tank/subvol-135-disk-4 /source/syncthing-charlie Syncthing user Charlie

Configured on Proxmox host with read-only mounts (ro=1).

2.

Restic REST Server (NAS)

~~The~~on NAS ~~runs~~(10.20.20.80:8000) a

Two ~~Restic~~separate ~~REST~~repositories:

~~server~~

in/photos ~~Docker~~→ toauthenticated ~~handle~~with ~~incoming~~user ~~data.~~photos-backup ~~The~~/sync-main → authenticated with user sync-backup

--append-only ~~flag~~is ~~can~~not beused, ~~enabled~~allowing the backup client to ~~prevent~~handle ~~any~~pruning ~~networked client from deleting existing snapshots.~~directly.

~~Docker Compose Snippet:~~

services:
  restic-server:
    image: restic/rest-server:latest
    environment:
      - OPTIONS=--append-only --private-repos
    ports:
      - "8000:8000"
    volumes:
      - /mnt/storage/backups/restic:/data

3.

Generic Backup Script (Vault-LXC)

Template

~~The~~Place ~~script~~this ~~below~~in isthe ~~scheduled via~~ crontab ~~inside~~Vault LXC ~~250.~~as ~~It utilizes the high-speed 10.10.50.10 interface for data transfer.~~/root/backup-mountpoints.sh:

#!/bin/bash
# /root/scripts/backup-titan.shSimple exportbackup RESTIC_REPOSITORY=script template for Immich + multi-user Syncthing

# --- CONFIGURATION: IMMICH ---
IMMICH_REPO="rest:http://vault-user:Pass123@10.10.50.10:photos-backup:StrongPhotoPass2025@10.20.20.80:8000/titan"photos"
export RESTIC_PASSWORD=IMMICH_PASS="Encryption_Key_99"StrongPhotoPass2025"

# Perform--- incrementalCONFIGURATION: backupSYNCTHING ---
SYNC_REPO="rest:http://sync-backup:StrongSyncPass2025@10.20.20.80:8000/sync-main"
SYNC_PASS="StrongSyncPass2025"

echo "--- Backup Started: $(date) ---"

# ==========================================
# 1. IMMICH BACKUP
# ==========================================
echo "Backing up Immich..."
RESTIC_PASSWORD=$IMMICH_PASS restic -r $IMMICH_REPO backup /mnt/source/photosimmich \
    --host titan-immich-server --tag "automated"auto" --verbose

# MaintenancePrune Immich repo
RESTIC_PASSWORD=$IMMICH_PASS restic -r $IMMICH_REPO forget \
    --keep-last 3 --keep-daily 7 --keep-weekly 4 --prune

# ==========================================
# 2. SYNCTHING BACKUP
# ==========================================
echo "Backing up Syncthing Users..."
USERS=(Note:"alice" Pruning"bob" must"charlie")

befor USER in "${USERS[@]}"; do
    echo "Processing $USER..."
    RESTIC_PASSWORD=$SYNC_PASS restic -r $SYNC_REPO backup "/source/syncthing-$USER" \
        --host syncthing-server --tag "user:$USER" --verbose
done

locally# onPrune NASSyncthing ifrepo append-only(once isfor active)all users)
RESTIC_PASSWORD=$SYNC_PASS restic snapshots-r $SYNC_REPO forget \
    --keep-last 3 --keep-daily 7 --keep-weekly 4 --prune

echo "--- Backup Finished: $(date) ---"

Security ~~Model~~

~~Isolation:~~hardening: ~~The Immich container (~~Titan-App~~) is restricted from seeing the NAS. Even a total "root" compromise of the web service provides no path to the backups.~~ ~~Immutability:~~ ~~By using the REST server's~~ --append-only ~~mode, the~~ Vault-LXC ~~can write new data but lacks the authority to "forget" or delete old snapshots.~~ ~~Integrity:~~ ~~Restic performs cryptographic hashing on every block. Periodic~~ restic check ~~commands ensure no bit-rot has occurred on the NAS disks.~~

Maintenance & Recovery

~~Daily Check:~~ ~~Verify successful exit codes in~~ /var/log/restic.log. ~~Pruning:~~ ~~Once weekly, a local task on the~~ ~~Vault-NAS~~ ~~runs~~ restic prune ~~to enforce a 7-day retention policy.~~ ~~Restoration:~~ ~~To restore, mount the repository inside~~ Vault-LXC ~~and copy files back to the production subvolume.~~

~~How to mount a Proxmox ZFS subvolume to another LXC~~

~~This~~

chmod video700 provides/root/backup-mountpoints.sh
achown visualroot:root guide/root/backup-mountpoints.sh
on managing Proxmox mount points and subvolumes, which is the foundational step for sharing your data between the production and backup containers.

~~To add this to your wiki, append the following section. This documentation will help you remember the logic behind the "Vault" architecture and how to maintain it.~~

Automation & Scheduling

ToCrontab ~~ensure~~in ~~the "Vault"~~Vault LXC ~~pulls data and pushes it to the NAS without manual intervention, we utilize the system~~ ~~cron~~ ~~daemon.~~

1. Crontab Configuration

~~The backup is scheduled for~~ ~~03:00 AM~~ ~~daily. This allows the primary application~~ (~~Immich/Syncthing) to complete its own internal maintenance and database dumps (scheduled at 01:00 and 02:00) before the backup begins.~~

~~Command to edit:~~ crontab -e

~~Crontab Entry:~~):

# m h  dom mon dow   command
0 3 * * * /root/immich-backup.backup-all.sh >> /var/log/restic-backup.log 2>&1

2. Log Management

~~Because the script redirects output to~~ /var/log/restic-backup.log~~, we must ensure the file doesn't consume all disk space over time.~~

Log ~~Rotation Rule~~rotation (/etc/logrotate.d/restic): ~~Create this file to keep logs for 7 days:~~

/var/log/restic-backup.log {
    daily
    rotate 714
    compress
    missingok
    notifempty
}

3.

Security Verification & Health Checks

~~Automated backups can fail silently if the network or NAS is down.~~

Model

~~Manual~~Isolation: ~~Log~~Production ~~Check:~~containers ~~Run~~(Immich tail& -nSyncthing) 20have /var/log/restic-backup.logno ~~to see the last result.~~

~~Snapshot List:~~ ~~Run~~ restic snapshots ~~to verify that new timestamps are appearing daily.~~ ~~Failed Backup Alerts:~~ ~~It is recommended to add a~~ curl ~~command at the end of the script to a service like~~ ~~Healthchecks.io~~~~. If the script doesn't run, you will receive an alert.~~

4. Security Lockdown

~~Since the script contains encryption passwords and NAS credentials,~~network access ~~must be restricted~~ to the ~~root~~NAS ~~user~~backup ~~only.~~

storage. Read-Only Access: Vault LXC cannot modify or delete live data. Immutability: --append-only on REST server prevents deletion of snapshots even if Vault is compromised. Encryption & Integrity: Restic encrypts all data and performs cryptographic checks.

Recovery Examples

chown# root:rootList Immich snapshots
RESTIC_PASSWORD=StrongPhotoPass2025 restic -r rest:http://photos-backup:...@10.20.20.80:8000/photos snapshots

# Restore latest Immich
RESTIC_PASSWORD=StrongPhotoPass2025 restic -r ... restore latest --target /root/immich-backup.shtmp/restore-immich

chmod# 700List only Bob's snapshots
RESTIC_PASSWORD=StrongSyncPass2025 restic -r ... snapshots --tag user:bob

# Restore Bob's data
RESTIC_PASSWORD=StrongSyncPass2025 restic -r ... restore latest --tag user:bob --target /root/immich-backup.shtmp/restore-bob

This template preserves the simplicity and effectiveness of your working setup while keeping all identifiers generic and secure. Copy, adapt, and deploy confidently!