Restic: High-Availability Backup Strategy for Immich and Syncthing

Überblick

High-Availability
DiesBackup istStrategy einfor sauberes,Immich generischesand Template einer bewährten, einfachen Backup-Strategie mit einem dedizierten Vault-LXC und Restic mit REST-Server.

Separate Repositories für unterschiedliche Dienste, einfache User-Schleife, direktes Pruning – minimale Komplexität, maximale Zuverlässigkeit.
Syncthing

(~~Vereinfachte~~Simplified & ~~praktische~~Practical Edition – ~~generisches~~Generic Template)

InfrastrukturOverview

This is a clean, generic template of a proven, simple backup strategy using a dedicated Vault LXC and Restic with REST server.
Separate repositories for different services, easy user looping, and direct pruning — minimal complexity, maximum reliability.

Infrastructure (Beispiel-Example Layout)

Host / ~~Dienst~~Service	~~Beispiel-~~Example IP	~~Rolle~~Role	~~Beispiel-~~Example CTID
Proxmox VE Host	192.168.50.10	Hypervisor, ~~ZFS-Speicher~~ZFS storage	–-
Immich LXC	192.168.50.142	~~Produktive~~Production ~~Immich-Anwendung~~Immich application	142
Syncthing LXC	192.168.50.135	Multi-~~User-Syncthing-Instanz~~user Syncthing instance	135
Vault/Restic LXC	192.168.50.220	~~Backup-Controller~~Backup controller	220
NAS	192.168.50.80	Restic ~~REST-Server~~REST server (~~lauscht~~listening ~~auf~~on 10.20.20.80)	–-

Read-Only Mount-Mount Points imin Vault-Vault LXC

~~Beispiel-ZFS-~~Example ZFS Dataset ~~auf~~on Host	~~Mount-~~Mount Point imin ~~Vault-~~Vault LXC	~~Zweck~~Purpose
`/tank/subvol-142-disk-1`	`/source/immich`	~~Immich-Bibliothek/Uploads~~Immich library/uploads
`/tank/subvol-135-disk-2`	`/source/syncthing-alice`	~~Syncthing-Benutzer~~Syncthing user Alice
`/tank/subvol-135-disk-3`	`/source/syncthing-bob`	~~Syncthing-Benutzer~~Syncthing user Bob
`/tank/subvol-135-disk-4`	`/source/syncthing-charlie`	~~Syncthing-Benutzer~~Syncthing user Charlie

~~Konfiguriert~~Configured ~~auf~~on ~~dem~~Proxmox ~~Proxmox-Host~~host ~~mit~~with read-only ~~Mounts~~mounts (ro=1).

Restic REST-REST Server auf demon NAS (10.20.20.80:8000)

~~Zwei~~Two separate ~~Repositories:~~repositories:

/photos → ~~authentifiziert~~authenticated ~~mit~~with ~~Benutzer~~user photos-backup
/sync-main → ~~authentifiziert~~authenticated ~~mit~~with ~~Benutzer~~user sync-backup

--append-only ~~wird~~is ~~nicht~~not ~~verwendet,~~used, ~~damit~~allowing ~~der~~the ~~Backup-Client~~backup ~~das~~client ~~Pruning~~to ~~direkt~~handle ~~übernimmt.~~pruning directly.

GenerischesGeneric Backup-Script-Backup Script Template

~~Platziere~~Place ~~dieses~~this ~~Script~~in imthe ~~Vault-~~Vault LXC ~~unter~~as /root/backup-mountpoints.sh:

#!/bin/bash
# EinfachesSimple Backup-Script-Templatebackup fürscript template for Immich + Multi-User-multi-user Syncthing

# --- KONFIGURATION:CONFIGURATION: IMMICH ---
IMMICH_REPO="rest:http://photos-backup:StrongPhotoPass2025@10.20.20.80:8000/photos"
IMMICH_PASS="StrongPhotoPass2025"

# --- KONFIGURATION:CONFIGURATION: SYNCTHING ---
SYNC_REPO="rest:http://sync-backup:StrongSyncPass2025@10.20.20.80:8000/sync-main"
SYNC_PASS="StrongSyncPass2025"

echo "--- Backup gestartet:Started: $(date) ---"

# ==========================================
# 1. IMMICH BACKUP
# ==========================================
echo "SichereBacking up Immich..."
RESTIC_PASSWORD=$IMMICH_PASS restic -r $IMMICH_REPO backup /source/immich \
    --host immich-server --tag "auto" --verbose

# Prune Immich-RepoImmich repo
RESTIC_PASSWORD=$IMMICH_PASS restic -r $IMMICH_REPO forget \
    --keep-last 3 --keep-daily 7 --keep-weekly 4 --prune

# ==========================================
# 2. SYNCTHING BACKUP
# ==========================================
echo "SichereBacking Syncthing-Benutzer.up Syncthing Users..."
USERS=("alice" "bob" "charlie")

for USER in "${USERS[@]}"; do
    echo "BearbeiteProcessing $USER..."
    RESTIC_PASSWORD=$SYNC_PASS restic -r $SYNC_REPO backup "/source/syncthing-$USER" \
        --host syncthing-server --tag "user:$USER" --verbose
done

# Prune Syncthing-RepoSyncthing repo (einmaligonce fürfor alleall Benutzer)users)
RESTIC_PASSWORD=$SYNC_PASS restic -r $SYNC_REPO forget \
    --keep-last 3 --keep-daily 7 --keep-weekly 4 --prune

echo "--- Backup abgeschlossen:Finished: $(date) ---"

~~Sicherheitshärtung:~~Security hardening:

chmod 700 /root/backup-mountpoints.sh
chown root:root /root/backup-mountpoints.sh

AutomatisierungAutomation & ZeitplanungScheduling

Crontab imin ~~Vault-~~Vault LXC (crontab -e):

0 3 * * * /root/backup-mountpoints.all.sh >> /var/log/restic-backup.log 2>&1

~~Log-Rotation~~Log rotation (/etc/logrotate.d/restic):

/var/log/restic-backup.log {
    daily
    rotate 14
    compress
    missingok
    notifempty
}

SicherheitsmodellSecurity Model

~~Isolation~~:Isolation: ~~Produktions-Container~~Production containers (Immich & Syncthing) ~~haben~~have ~~keinen~~no ~~Netzwerkzugriff~~network ~~auf~~access ~~den~~to ~~NAS-Backup-Speicher.~~the NAS backup storage.
Read-~~Only-Zugriff~~:Only ~~Vault-~~Access: Vault LXC ~~kann~~cannot ~~Live-Daten~~modify ~~nicht~~or ~~verändern~~delete ~~oder~~live ~~löschen.~~data.
~~Immutability~~:Immutability: --append-only ~~auf~~on ~~dem~~REST ~~REST-Server~~server ~~verhindert~~prevents ~~Löschung~~deletion ~~von~~of ~~Snapshots,~~snapshots ~~selbst~~even ~~wenn~~if Vault ~~kompromittiert~~is ~~wird.~~compromised.
~~Verschlüsselung~~Encryption & ~~Integrität~~:Integrity: Restic ~~verschlüsselt~~encrypts ~~alle~~all ~~Daten~~data ~~und~~and ~~führt~~performs ~~kryptografische~~cryptographic ~~Prüfungen durch.~~checks.

Wiederherstellungs-BeispieleRecovery Examples

# Immich-SnapshotsList auflistenImmich snapshots
RESTIC_PASSWORD=StrongPhotoPass2025 restic -r rest:http://photos-backup:...@10.20.20.80:8000/photos snapshots

# NeuesteRestore Immich-Versionlatest wiederherstellenImmich
RESTIC_PASSWORD=StrongPhotoPass2025 restic -r ... restore latest --target /tmp/restore-immich

# NurList Snapshotsonly vonBob's Bob auflistensnapshots
RESTIC_PASSWORD=StrongSyncPass2025 restic -r ... snapshots --tag user:bob

# Bob-DatenRestore wiederherstellenBob's data
RESTIC_PASSWORD=StrongSyncPass2025 restic -r ... restore latest --tag user:bob --target /tmp/restore-bob

~~Dieses~~This ~~Template~~template ~~bewahrt~~preserves ~~die~~the ~~Einfachheit~~simplicity ~~und~~and ~~Wirksamkeit~~effectiveness ~~deines~~of ~~funktionierenden~~your ~~Setups,~~working ~~hält~~setup ~~aber~~while ~~alle~~keeping ~~Bezeichner~~all ~~generisch~~identifiers ~~und~~generic ~~sicher.~~and ~~Kopieren,~~secure. ~~anpassen~~Copy, ~~und~~adapt, ~~sicher~~and ~~einsetzen!~~deploy confidently!