Goal
Build a backup mesh that uses an on-prem S3 target (MinIO) with versioning/object lock, restic clients on hypervisors and containers, and rclone to push a second copy offsite.
Components
- MinIO on NAS or VM with dedicated disk set; object locking enabled.
- Restic on Proxmox (for vzdump outputs) and key app hosts.
- rclone job to an offsite S3-compatible target (Backblaze B2, Wasabi, etc.); server-side encryption.
Deploy MinIO
- Provision storage: RAIDZ2/mirror; size for at least 30-60 days of backups.
- Enable object lock (WORM) on the bucket; versioning on.
- Create access keys scoped to backup buckets only.
Restic Setup
- Install restic on Proxmox and app hosts; set RESTIC_REPOSITORY to the MinIO URL.
- Back up Proxmox: run vzdump to a staging dir, then restic push that dir to MinIO. Tag snapshots per VM.
- Back up app hosts: restic backup of config/data dirs; exclude caches.
- Set retention: e.g., keep 7 daily, 4 weekly, 6 monthly.
Offsite Sync (rclone)
- Configure rclone remote for your offsite S3; enable encryption if supported.
- Use rclone sync from the MinIO bucket to the offsite bucket daily.
- Throttle bandwidth if needed; log and alert on sync failures.
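The Restic Setup and Offsite Sync steps above as one wrapper script. This is an added example, not part of the original guide; the bucket name "backups", the MinIO host minio.mgmt.lan, the rclone remote names "minio" and "offsite", the env file path and the vzdump staging dir are all assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide): push vzdump output and app dirs
# to a MinIO bucket with restic, apply the retention above, and mirror offsite.
# Assumed: bucket "backups", host minio.mgmt.lan, remotes "minio"/"offsite".
set -eu

# Repository on the management-VLAN MinIO (s3: backend, HTTPS endpoint).
export RESTIC_REPOSITORY="${RESTIC_REPOSITORY:-s3:https://minio.mgmt.lan:9000/backups}"
# RESTIC_PASSWORD_FILE, AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY come from a
# root-only env file (assumed path) so no secret shows up in argv or cron mail.
ENV_FILE="${ENV_FILE:-/etc/restic/minio.env}"
[ -r "$ENV_FILE" ] && . "$ENV_FILE"

STAGING="${STAGING:-/var/lib/vz/dump}"   # where vzdump writes its archives
RETENTION="--keep-daily 7 --keep-weekly 4 --keep-monthly 6"

# Back up one VM's vzdump archive(s); tag by VMID so restores can filter per VM.
backup_vm() {
    vmid="$1"
    restic backup --tag "vm-$vmid" --tag proxmox "$STAGING"/vzdump-*-"$vmid"-*
}

# Back up an app host's config/data dirs, skipping cache directories.
backup_app() {
    restic backup --tag app --exclude-caches --exclude '*/cache/*' "$@"
}

# Apply the retention policy and reclaim space in the repo.
prune_repo() {
    restic forget $RETENTION --prune
}

# Mirror the MinIO bucket to the offsite remote, bandwidth-throttled and logged.
offsite_sync() {
    rclone sync minio:backups offsite:backups \
        --bwlimit "${BWLIMIT:-8M}" --log-level INFO
}

# Usage: backup.sh vm 101 | backup.sh app /etc /srv/app | backup.sh prune | backup.sh sync
case "${1:-}" in
    vm)    backup_vm "$2" ;;
    app)   shift; backup_app "$@" ;;
    prune) prune_repo ;;
    sync)  offsite_sync ;;
esac
```

Because rclone sync mirrors deletions, keep versioning or object lock on the offsite bucket too, or a deletion at MinIO propagates offsite on the next run.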
Security
- Keep MinIO on the management VLAN; no WAN exposure; front the console with SSO if you use it.
- Separate credentials for on-prem and offsite; rotate tokens.
- Encrypt restic repos with strong passwords; store keys in a password manager.
Testing & Drills
- Monthly: restic restore a VM backup to a test VM; boot it.
- Restore a config/data folder for an app; verify integrity.
- Simulate MinIO loss: pull from offsite with rclone, then restic restore.