Restic: High-Availability Backup Strategy for Immich and Syncthing

High-Availability Backup Strategy for Immich and Syncthing

(Simplified & Practical Edition – Generic Template)

Overview

This ~~document~~is ~~outlines~~a ~~the~~clean, ~~high-availability~~generic template of a proven, simple backup strategy ~~for~~using ~~the~~a ~~Immich~~dedicated ~~photo~~Vault ~~server. To maximize security~~LXC and ~~performance,~~Restic wewith ~~utilize~~REST aserver.
~~Vault-Container~~Separate ~~architecture.~~repositories ~~This~~for ~~ensures~~different ~~that~~services, ~~the~~easy ~~primary~~user ~~application~~looping, ~~container~~and ~~has~~direct nopruning ~~network~~— ~~access~~minimal tocomplexity, ~~the~~maximum ~~backup storage, preventing data loss in the event of a service compromise.~~reliability.

Infrastructure Architecture(Example Layout)

~~Hypervisor:~~ ~~Proxmox VE 9.x (~~~~ProxmoxVE~~)

~~Primary Application:~~ ~~Immich (LXC ID:~~ 200)

~~Backup Controller:~~ ~~Alpine Vault (LXC ID:~~ 250)

~~Storage Target:~~ ~~TrueNAS, Synology running Rest Server (~~~~Vault-NAS~~)

~~Network Pipe:~~ ~~10.10.50.0/24 (Direct 2.5GbE Link)~~

Host / Service	~~Management IP~~	~~Storage~~Example IP	Role	Example CTID
~~ProxmoxVE~~Proxmox VE Host	192.168.~~1.50~~50.10	~~10.10.50.1~~Hypervisor, ZFS storage	~~Proxmox Host~~-
~~Immich-App~~Immich LXC	192.168.~~1.200~~50.142	~~N/A~~Production Immich application	~~Immich LXC (Production)~~142
~~Vault-~~Syncthing LXC	192.168.~~1.250~~50.135	~~10.10.50.5~~Multi-user Syncthing instance	~~Restic Backup Controller~~135
~~Vault-~~Vault/Restic LXC	192.168.50.220	Backup controller	220
NAS	192.168.~~1.10~~	~~10.10.~~50.1080	Restic REST ~~Server~~server (listening on 10.20.20.80)	-

Read-Only

ConfigurationMount StepsPoints in Vault LXC

1. ~~Host~~

Example ZFS ~~Data Mapping (Proxmox Host)~~ ~~The live Immich data is passed from the ZFS tank to the Vault-LXC as a~~ ~~Read-Only~~ ~~mount point. This prevents the backup container from ever modifying or deleting live production data.~~ `# ExecutedDataset on ProxmoxVEHost`	Mount ~~pct~~Point ~~set~~in ~~250~~Vault ~~-mp0~~LXC	Purpose
`/tank/subvol-200-142-disk-1,mp=1`	`/mnt/source/photos,immich`	Immich library/uploads
`/tank/subvol-135-disk-2`	`/source/syncthing-alice`	Syncthing user Alice
`/tank/subvol-135-disk-3`	`/source/syncthing-bob`	Syncthing user Bob
`/tank/subvol-135-disk-4`	`/source/syncthing-charlie`	Syncthing user Charlie

Configured on Proxmox host with read-only mounts (ro=1).

2.

Restic REST Server (NAS)

~~The~~on NAS ~~runs~~(10.20.20.80:8000) a

Two ~~Restic~~separate ~~REST~~repositories:

~~server~~

/photos ~~Docker~~→ toauthenticated ~~handle~~with ~~incoming~~user ~~data.~~photos-backup

~~The~~

/sync-main → authenticated with user sync-backup

--append-only ~~flag~~is ~~can~~not beused, ~~enabled~~allowing the backup client to ~~prevent~~handle ~~any~~pruning ~~networked client from deleting existing snapshots.~~directly.

~~Docker Compose Snippet:~~

services:
  restic-server:
    image: restic/rest-server:latest
    environment:
      - OPTIONS=--append-only --private-repos
    ports:
      - "8000:8000"
    volumes:
      - /mnt/storage/backups/restic:/data

3.

Generic Backup Script (Vault-LXC)

Template

~~The~~Place ~~script~~this ~~below~~in isthe ~~scheduled via~~ crontab ~~inside~~Vault LXC ~~250.~~as ~~It utilizes the high-speed 10.10.50.10 interface for data transfer.~~/root/backup-mountpoints.sh:

#!/bin/bash
# /root/scripts/backup-titan.shSimple exportbackup RESTIC_REPOSITORY=script template for Immich + multi-user Syncthing

# --- CONFIGURATION: IMMICH ---
IMMICH_REPO="rest:http://vault-user:Pass123@10.10.50.10:photos-backup:StrongPhotoPass2025@10.20.20.80:8000/titan"photos"
export RESTIC_PASSWORD=IMMICH_PASS="Encryption_Key_99"StrongPhotoPass2025"

# Perform--- incrementalCONFIGURATION: backupSYNCTHING ---
SYNC_REPO="rest:http://sync-backup:StrongSyncPass2025@10.20.20.80:8000/sync-main"
SYNC_PASS="StrongSyncPass2025"

echo "--- Backup Started: $(date) ---"

# ==========================================
# 1. IMMICH BACKUP
# ==========================================
echo "Backing up Immich..."
RESTIC_PASSWORD=$IMMICH_PASS restic -r $IMMICH_REPO backup /mnt/source/photosimmich \
    --host titan-immich-server --tag "automated"auto" --verbose

# MaintenancePrune Immich repo
RESTIC_PASSWORD=$IMMICH_PASS restic -r $IMMICH_REPO forget \
    --keep-last 3 --keep-daily 7 --keep-weekly 4 --prune

# ==========================================
# 2. SYNCTHING BACKUP
# ==========================================
echo "Backing up Syncthing Users..."
USERS=(Note:"alice" Pruning"bob" must"charlie")

befor USER in "${USERS[@]}"; do
    echo "Processing $USER..."
    RESTIC_PASSWORD=$SYNC_PASS restic -r $SYNC_REPO backup "/source/syncthing-$USER" \
        --host syncthing-server --tag "user:$USER" --verbose
done

locally# onPrune NASSyncthing ifrepo append-only(once isfor active)all users)
RESTIC_PASSWORD=$SYNC_PASS restic snapshots-r $SYNC_REPO forget \
    --keep-last 3 --keep-daily 7 --keep-weekly 4 --prune

echo "--- Backup Finished: $(date) ---"

Security Model

~~Isolation:~~hardening: ~~The Immich container (~~Titan-App~~) is restricted from seeing the NAS. Even a total "root" compromise of the web service provides no path to the backups.~~

~~Immutability:~~ ~~By using the REST server's~~ --append-only ~~mode, the~~ Vault-LXC ~~can write new data but lacks the authority to "forget" or delete old snapshots.~~

~~Integrity:~~ ~~Restic performs cryptographic hashing on every block. Periodic~~ restic check ~~commands ensure no bit-rot has occurred on the NAS disks.~~

~~Maintenance & Recovery~~

~~Daily Check:~~ ~~Verify successful exit codes in~~ /var/log/restic.log.

~~Pruning:~~ ~~Once weekly, a local task on the~~ ~~Vault-NAS~~ ~~runs~~ restic prune ~~to enforce a 7-day retention policy.~~

~~Restoration:~~ ~~To restore, mount the repository inside~~ Vault-LXC ~~and copy files back to the production subvolume.~~

~~How to mount a Proxmox ZFS subvolume to another LXC~~

~~This~~
chmod video700 provides/root/backup-mountpoints.sh achown visualroot:root guide/root/backup-mountpoints.sh on managing Proxmox mount points and subvolumes, which is the foundational step for sharing your data between the production and backup containers. To add this to your wiki, append the following section. This documentation will help you remember the logic behind the "Vault" architecture and how to maintain it.

Automation & Scheduling

ToCrontab ~~ensure~~in ~~the "Vault"~~Vault LXC ~~pulls data and pushes it to the NAS without manual intervention, we utilize the system~~ ~~cron~~ ~~daemon.~~

~~1. Crontab Configuration~~

~~The backup is scheduled for~~ ~~03:00 AM~~ ~~daily. This allows the primary application~~ (~~Immich/Syncthing) to complete its own internal maintenance and database dumps (scheduled at 01:00 and 02:00) before the backup begins.~~

~~Command to edit:~~ crontab -e

~~Crontab Entry:~~):

# m h dom mon dow command 0 3 * * * /root/immich-backup.backup-all.sh >> /var/log/restic-backup.log 2>&1

~~2. Log Management~~

~~Because the script redirects output to~~ /var/log/restic-backup.log~~, we must ensure the file doesn't consume all disk space over time.~~

Log ~~Rotation Rule~~rotation (/etc/logrotate.d/restic): ~~Create this file to keep logs for 7 days:~~

/var/log/restic-backup.log { daily rotate 714 compress missingok notifempty }

3.
Security ~~Verification & Health Checks~~

~~Automated backups can fail silently if the network or NAS is down.~~
Model

~~Manual~~Isolation: ~~Log~~Production ~~Check:~~containers ~~Run~~(Immich tail& -nSyncthing) 20have /var/log/restic-backup.logno ~~to see the last result.~~

~~Snapshot List:~~ ~~Run~~ restic snapshots ~~to verify that new timestamps are appearing daily.~~

~~Failed Backup Alerts:~~ ~~It is recommended to add a~~ curl ~~command at the end of the script to a service like~~ ~~Healthchecks.io~~~~. If the script doesn't run, you will receive an alert.~~

4. Security Lockdown

~~Since the script contains encryption passwords and NAS credentials,~~network access ~~must be restricted~~ to the ~~root~~NAS ~~user~~backup ~~only.~~

storage.

Read-Only Access: Vault LXC cannot modify or delete live data.

Immutability: --append-only on REST server prevents deletion of snapshots even if Vault is compromised.

Encryption & Integrity: Restic encrypts all data and performs cryptographic checks.

Recovery Examples

chown# root:rootList Immich snapshots
RESTIC_PASSWORD=StrongPhotoPass2025 restic -r rest:http://photos-backup:...@10.20.20.80:8000/photos snapshots

# Restore latest Immich
RESTIC_PASSWORD=StrongPhotoPass2025 restic -r ... restore latest --target /root/immich-backup.shtmp/restore-immich

chmod# 700List only Bob's snapshots
RESTIC_PASSWORD=StrongSyncPass2025 restic -r ... snapshots --tag user:bob

# Restore Bob's data
RESTIC_PASSWORD=StrongSyncPass2025 restic -r ... restore latest --tag user:bob --target /root/immich-backup.shtmp/restore-bob

This template preserves the simplicity and effectiveness of your working setup while keeping all identifiers generic and secure. Copy, adapt, and deploy confidently!