Professional Restic Strategy
A "backup" is not a strategy. A strategy involves retention, redundancy, automation, and verification. This guide presents a production-tested approach to building a resilient Restic backup system for any Linux server.
This strategy focuses on application-centric backups (Databases, Configs, User Data) rather than full OS imaging. It uses Restic's strength (deduplication) to keep a deep history of changes without consuming massive storage.
Strategy Goals
| Goal | Description |
|---|---|
| Immutable History | Protect against accidental deletion or ransomware by keeping read-only snapshots. |
| Efficient Storage | Use deduplication to store 365 days of history in roughly the space of 2 full backups. |
| Automated Hygiene | Automatically check repository integrity (check) and clean up old data (prune). |
| 3-2-1 Compliance | Ensure data exists on: Production, Local Backup, and Offsite Cloud. |
The 3-2-1 Backup Rule with Restic
The industry standard adapts perfectly to Restic:
```mermaid
flowchart LR
    Prod[Production Data] -->|restic backup| LocalRepo[Local Restic Repo]
    LocalRepo -->|rclone sync| Cloud[Offsite Cloud Storage]
    subgraph "On-Premise"
        Prod
        LocalRepo
    end
    subgraph "Offsite / Cloud"
        Cloud
    end
```
| Copy | Location | Mechanism | Recovery Speed |
|---|---|---|---|
| 1. Production | /var/www | Live Data | N/A |
| 2. Local Repo | /srv/backup-repo | restic backup | Instant (LAN speed) |
| 3. Offsite | S3 / B2 / Wasabi | rclone sync (Repo Sync) | Slow (WAN speed) |
Core Backup Layers
Layer 1: Database Dumps
Restic cannot back up running databases reliably. You must dump them to a file first.
```bash
# 1. Dump to a consistent path
mysqldump --all-databases > /var/backups/dumps/db.sql

# 2. Restic picks up the dump
restic backup /var/backups/dumps --tag database
```
Layer 2: Configuration & Code
Back up your /etc and /var/www directories.
```bash
restic backup /etc /var/www --tag system-config
```
Layer 3: Environment Variables
Restic snapshots preserve the file system, but it is easy to forget the environment variables that define how the app runs, so back up the .env file explicitly.
```bash
restic backup /opt/app/.env --tag application
```
Retention Policy (GFS)
The Grandfather-Father-Son (GFS) rotation scheme is native to Restic. Instead of manual rotation scripts (as with rsync or tar), you simply tell Restic what to keep.
The Policy
- Hourly: Keep last 24 (Quick rollback for mistakes)
- Daily: Keep last 7 (One week of daily history)
- Weekly: Keep last 4 (One month of weekly history)
- Monthly: Keep last 12 (One year of monthly history)
- Yearly: Keep last 10 (Long-term compliance)
The Command
```bash
restic forget \
  --keep-hourly 24 \
  --keep-daily 7 \
  --keep-weekly 4 \
  --keep-monthly 12 \
  --keep-yearly 10 \
  --prune
```
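To see which restore points such a policy leaves behind, here is an added Python sketch (not Restic's code and not part of the original guide) that models calendar-bucket retention for the policy above and for the shorter one in the quick-start script further down. The function names and the hourly history are constructed for illustration, and all snapshots are assumed to belong to one group.

```python
from datetime import datetime, timedelta

# Period key per bucket: snapshots sharing a key fall in the same period.
BUCKETS = {
    "hourly": lambda t: (t.year, t.month, t.day, t.hour),
    "daily": lambda t: (t.year, t.month, t.day),
    "weekly": lambda t: tuple(t.isocalendar())[:2],  # (ISO year, ISO week)
    "monthly": lambda t: (t.year, t.month),
    "yearly": lambda t: (t.year,),
}

def apply_policy(snapshots, **keep):
    """Return {snapshot_time: [bucket names]} for every snapshot kept.

    Walks newest to oldest; a bucket keeps the first (newest) snapshot it
    sees in each new period until its count is used up. Assumes all
    snapshots belong to one group (same host and paths).
    """
    remaining = {name: keep.get(name, 0) for name in BUCKETS}
    last_key = dict.fromkeys(BUCKETS)
    kept = {}
    for ts in sorted(snapshots, reverse=True):
        for name, key_of in BUCKETS.items():
            key = key_of(ts)
            if remaining[name] > 0 and key != last_key[name]:
                last_key[name] = key
                remaining[name] -= 1
                kept.setdefault(ts, []).append(name)
    return kept

def oldest_restore_point(snapshots, **keep):
    """Earliest point in time still recoverable once the rest is pruned."""
    return min(apply_policy(snapshots, **keep))

# Constructed sample: one snapshot per hour for 400 days.
END = datetime(2024, 6, 30, 23, 0)
HISTORY = [END - timedelta(hours=h) for h in range(400 * 24)]

GUIDE_POLICY = dict(hourly=24, daily=7, weekly=4, monthly=12, yearly=10)
SCRIPT_POLICY = dict(daily=7, weekly=4, monthly=6)  # quick-start script

if __name__ == "__main__":
    for label, policy in (("guide", GUIDE_POLICY), ("script", SCRIPT_POLICY)):
        kept = apply_policy(HISTORY, **policy)
        print(f"{label}: keeps {len(kept)} of {len(HISTORY)}, "
              f"oldest restore point {min(kept)}")
```

The oldest surviving restore point bounds how long a corruption or compromise can go unnoticed and still be rolled back. For a live repository, `restic forget --dry-run` with the same flags shows what would actually be removed.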
Operational Checklist
| Frequency | Action | Command |
|---|---|---|
| Hourly/Daily | Backup | restic backup ... |
| Weekly | Health Check | restic check --read-data-subset=5% |
| Monthly | Prune | restic forget --prune |
| Monthly | Restore Drill | restic restore latest --target /tmp/test |
A backup that hasn't been restored is just a hopeful file. Schedule a monthly restore drill. Even restoring a single index.php proves the encryption keys are valid and the data is readable.
Quick-Start: Production Backup Script
Save this as /usr/local/bin/backup-job.sh and run via Cron.
```bash
#!/bin/bash
# Abort on errors, unset variables, and failures anywhere in a pipeline
# (without pipefail, a failed mysqldump is masked by gzip's exit status).
set -euo pipefail

# 1. Configuration
export RESTIC_REPOSITORY="/srv/restic-repo"
export RESTIC_PASSWORD_FILE="/etc/restic/password"
TAG="production"

# 2. Database Dump (Critical!)
echo "Dumping database..."
mysqldump --defaults-extra-file=/root/.my.cnf --all-databases \
  | gzip > /var/backups/dumps/all-db.sql.gz

# 3. Restic Backup
echo "Starting Restic backup..."
restic backup \
  /var/www \
  /etc/nginx \
  /var/backups/dumps \
  --tag "$TAG" \
  --exclude-file /etc/restic/excludes.txt

# 4. Retention (Apply Policy)
echo "Applying retention policy..."
restic forget \
  --tag "$TAG" \
  --keep-daily 7 \
  --keep-weekly 4 \
  --keep-monthly 6 \
  --prune

# 5. Health Check (Lightweight)
echo "Checking integrity..."
restic check --read-data-subset=1%

echo "Backup Complete."
```
What's Next
Now that you have a strategy, explore:
- Core Commands — Deep dive into backup, restore, and mount.
- Troubleshooting — Handling repo locks and corruption.