Restic - High-Availability Backup Strategie für Immich und Syncthing

High-Availability

Überblick

~~Backup~~

Dies ~~Strategy~~ist ~~for~~ein ~~Immich~~sauberes, ~~and~~generisches ~~Syncthing~~Template einer bewährten, einfachen Backup-Strategie mit einem dedizierten Vault-LXC und Restic mit REST-Server.

Separate Repositories für unterschiedliche Dienste, einfache User-Schleife, direktes Pruning – minimale Komplexität, maximale Zuverlässigkeit.

(~~Simplified~~Vereinfachte & ~~Practical~~praktische Edition – ~~Generic~~generisches Template)

Overview

~~This is a clean, generic template of a proven, simple backup strategy using a dedicated Vault LXC and Restic with REST server.~~
~~Separate repositories for different services, easy user looping, and direct pruning — minimal complexity, maximum reliability.~~

InfrastructureInfrastruktur (Example Beispiel-Layout)

Host / ~~Service~~Dienst	~~Example~~ Beispiel-IP	~~Role~~Rolle	~~Example~~ Beispiel-CTID
Proxmox VE Host	192.168.50.10	Hypervisor, ~~ZFS storage~~ZFS-Speicher	-–
Immich LXC	192.168.50.142	~~Production~~Produktive ~~Immich application~~Immich-Anwendung	142
Syncthing LXC	192.168.50.135	Multi-~~user Syncthing instance~~User-Syncthing-Instanz	135
Vault/Restic LXC	192.168.50.220	~~Backup controller~~Backup-Controller	220
NAS	192.168.50.80	Restic ~~REST server~~REST-Server (~~listening~~lauscht onauf 10.20.20.80)	-–

Read-Only Mount Mount-Points inim Vault Vault-LXC

~~Example ZFS~~ Beispiel-ZFS-Dataset onauf Host	~~Mount~~ Mount-Point inim ~~Vault~~ Vault-LXC	~~Purpose~~Zweck
`/tank/subvol-142-disk-1`	`/source/immich`	~~Immich library/uploads~~Immich-Bibliothek/Uploads
`/tank/subvol-135-disk-2`	`/source/syncthing-alice`	~~Syncthing user~~Syncthing-Benutzer Alice
`/tank/subvol-135-disk-3`	`/source/syncthing-bob`	~~Syncthing user~~Syncthing-Benutzer Bob
`/tank/subvol-135-disk-4`	`/source/syncthing-charlie`	~~Syncthing user~~Syncthing-Benutzer Charlie

~~Configured~~Konfiguriert onauf ~~Proxmox~~dem ~~host~~Proxmox-Host ~~with~~mit read-only ~~mounts~~Mounts (ro=1).

Restic REST REST-Server onauf dem NAS (10.20.20.80:8000)

~~Two~~Zwei separate ~~repositories:~~Repositories:

/photos → ~~authenticated~~authentifiziert ~~with~~mit ~~user~~Benutzer photos-backup
/sync-main → ~~authenticated~~authentifiziert ~~with~~mit ~~user~~Benutzer sync-backup

--append-only iswird ~~not~~nicht ~~used,~~verwendet, ~~allowing~~damit ~~the~~der ~~backup~~Backup-Client ~~client~~das toPruning ~~handle~~direkt ~~pruning directly.~~übernimmt.

GenericGenerisches Backup Script Backup-Script-Template

~~Place~~Platziere ~~this~~dieses inScript ~~the~~im ~~Vault~~ Vault-LXC asunter /root/backup-mountpoints.sh:

#!/bin/bash
# SimpleEinfaches backupBackup-Script-Template script template forfür Immich + multi-user Multi-User-Syncthing
# --- CONFIGURATION:KONFIGURATION: IMMICH ---
IMMICH_REPO="rest:http://photos-backup:StrongPhotoPass2025@10.20.20.80:8000/photos"
IMMICH_PASS="StrongPhotoPass2025"
# --- CONFIGURATION:KONFIGURATION: SYNCTHING ---
SYNC_REPO="rest:http://sync-backup:StrongSyncPass2025@10.20.20.80:8000/sync-main"
SYNC_PASS="StrongSyncPass2025"

echo "--- Backup Started:gestartet: $(date) ---"

# ==========================================
# 1. IMMICH BACKUP
# ==========================================
echo "Backing upSichere Immich..."
RESTIC_PASSWORD=$IMMICH_PASS restic -r $IMMICH_REPO backup /source/immich \
    --host immich-server --tag "auto" --verbose

# Prune Immich repoImmich-Repo
RESTIC_PASSWORD=$IMMICH_PASS restic -r $IMMICH_REPO forget \
    --keep-last 3 --keep-daily 7 --keep-weekly 4 --prune

# ==========================================
# 2. SYNCTHING BACKUP
# ==========================================
echo "BackingSichere up Syncthing Users.Syncthing-Benutzer..."
USERS=("alice" "bob" "charlie")
for USER in "${USERS[@]}"; do
    echo "ProcessingBearbeite $USER..."
    RESTIC_PASSWORD=$SYNC_PASS restic -r $SYNC_REPO backup "/source/syncthing-$USER" \
        --host syncthing-server --tag "user:$USER" --verbose
done

# Prune Syncthing repoSyncthing-Repo (onceeinmalig forfür allalle users)Benutzer)
RESTIC_PASSWORD=$SYNC_PASS restic -r $SYNC_REPO forget \
    --keep-last 3 --keep-daily 7 --keep-weekly 4 --prune

echo "--- Backup Finished:abgeschlossen: $(date) ---"

~~Security hardening:~~Sicherheitshärtung:

chmod 700 /root/backup-mountpoints.sh
chown root:root /root/backup-mountpoints.sh

AutomationAutomatisierung & SchedulingZeitplanung

Crontab inim ~~Vault~~ Vault-LXC (crontab -e):

0 3 * * * /root/backup-all.mountpoints.sh >> /var/log/restic-backup.log 2>&1

~~Log rotation~~Log-Rotation (/etc/logrotate.d/restic):

/var/log/restic-backup.log {
    daily
    rotate 14
    compress
    missingok
    notifempty
}

Security ModelSicherheitsmodell

~~Isolation:~~Isolation: ~~Production containers~~Produktions-Container (Immich & Syncthing) ~~have~~haben nokeinen ~~network~~Netzwerkzugriff ~~access~~auf toden ~~the NAS backup storage.~~NAS-Backup-Speicher.
Read-~~Only~~Only-Zugriff: ~~Access: Vault~~ Vault-LXC ~~cannot~~kann ~~modify~~Live-Daten ornicht ~~delete~~verändern ~~live~~oder ~~data.~~löschen.
~~Immutability:~~Immutability: --append-only onauf ~~REST~~dem ~~server~~REST-Server ~~prevents~~verhindert ~~deletion~~Löschung ofvon ~~snapshots~~Snapshots, ~~even~~selbst ifwenn Vault iskompromittiert ~~compromised.~~wird.
~~Encryption~~Verschlüsselung & ~~Integrity:~~Integrität: Restic ~~encrypts~~verschlüsselt ~~all~~alle ~~data~~Daten ~~and~~und ~~performs~~führt ~~cryptographic~~kryptografische ~~checks.~~Prüfungen durch.

Recovery ExamplesWiederherstellungs-Beispiele

# ListImmich-Snapshots Immich snapshotsauflisten
RESTIC_PASSWORD=StrongPhotoPass2025 restic -r rest:http://photos-backup:...@10.20.20.80:8000/photos snapshots

# RestoreNeueste latestImmich-Version Immichwiederherstellen
RESTIC_PASSWORD=StrongPhotoPass2025 restic -r ... restore latest --target /tmp/restore-immich

# ListNur onlySnapshots Bob'svon snapshotsBob auflisten
RESTIC_PASSWORD=StrongSyncPass2025 restic -r ... snapshots --tag user:bob

# RestoreBob-Daten Bob's datawiederherstellen
RESTIC_PASSWORD=StrongSyncPass2025 restic -r ... restore latest --tag user:bob --target /tmp/restore-bob

~~This~~Dieses ~~template~~Template ~~preserves~~bewahrt ~~the~~die ~~simplicity~~Einfachheit ~~and~~und ~~effectiveness~~Wirksamkeit ofdeines ~~your~~funktionierenden ~~working~~Setups, ~~setup~~hält ~~while~~aber ~~keeping~~alle ~~all~~Bezeichner ~~identifiers~~generisch ~~generic~~und ~~and~~sicher. ~~secure.~~Kopieren, ~~Copy,~~anpassen ~~adapt,~~und ~~and~~sicher ~~deploy confidently!~~einsetzen!