When it comes to safeguarding your data, simplicity and reliability go a long way. In this post, we’ll walk through how you can set up automatic, secure backups from a Debian 12 server to Wasabi cloud storage using Restic, a powerful yet minimalistic tool.
Getting Started: What You Need
Before diving in, make sure you have:
- A server running Debian 12
- A Wasabi S3 bucket and access credentials
- Restic installed (
sudo apt install restic)
This guide assumes you have root or sudo access to your server.
Why This Combo Works
Restic is fast and secure. Every backup is encrypted, deduplicated, and verifiable. You don’t need to worry about managing complex configurations, just set your targets and go.
Wasabi makes a compelling cloud destination because of its predictable pricing and no-egress fees. It supports the S3 API, so it plugs right into Restic with no extra effort.
Debian 12 offers a stable foundation. It’s lean, long-term supported, and friendly to automation. A perfect base for a backup system that just works.
Step-by-Step Setup
1. Set Your Credentials
Create a secure file at /var/app/secret/.restic:
export AWS_ACCESS_KEY_ID=dummy-access-key
export AWS_SECRET_ACCESS_KEY=dummy-secret-key
export RESTIC_REPOSITORY=s3:https://s3.ap-northeast-2.wasabisys.com/my-backup-bucket
export SERVER_NAME=vm-debian12-backup
export LOCAL_REPOSITORY=/var/app
Code language: JavaScript (javascript)Make sure it’s protected:
chmod 600 /var/app/secret/.restic
Code language: JavaScript (javascript)You can also use aws configure --profile restic if you prefer storing credentials globally.
2. Create a Restic Password File
echo "SuperStrongBackupPassword" | sudo tee /var/app/secret/.restic-password > /dev/null
chmod 600 /var/app/secret/.restic-password
Code language: JavaScript (javascript)3. Initialize the Backup Repository
source /var/app/secret/.restic
restic -r "$RESTIC_REPOSITORY/$SERVER_NAME" init --password-file /var/app/secret/.restic-password
Code language: JavaScript (javascript)You should see confirmation that the repo was created.
4. Prepare Inclusion and Exclusion Lists
Create a list of folders to back up:
echo -e "/var/www\n/etc\n/home" > /var/app/script/restic-backup-list.txt
Code language: PHP (php)And what to exclude:
echo -e "*.log\n*.tmp\n/cache" > /var/app/script/restic-exclude-list.txt
Code language: PHP (php)5. Write the Backup Script
#!/bin/bash
source /var/app/secret/.restic
if ! restic -r "$RESTIC_REPOSITORY/$SERVER_NAME" cat config \
--password-file /var/app/secret/.restic-password > /dev/null 2>&1; then
restic -r "$RESTIC_REPOSITORY/$SERVER_NAME" init \
--password-file /var/app/secret/.restic-password
fi
restic -r "$RESTIC_REPOSITORY/$SERVER_NAME" unlock \
--password-file /var/app/secret/.restic-password
restic -r "$RESTIC_REPOSITORY/$SERVER_NAME" backup \
--files-from /var/app/script/restic-backup-list.txt \
--exclude-file /var/app/script/restic-exclude-list.txt \
--tag "$SERVER_NAME" \
--password-file /var/app/secret/.restic-password
restic -r "$RESTIC_REPOSITORY/$SERVER_NAME" forget \
--keep-last 7 --keep-daily 7 --keep-weekly 4 --keep-monthly 6 --prune \
--password-file /var/app/secret/.restic-password
Code language: JavaScript (javascript)Make it executable:
chmod +x /var/app/script/restic.sh
Code language: JavaScript (javascript)6. Automate with Cron
Add this to your root crontab:
0 2 * * * bash /var/app/script/restic.sh >> /var/log/restic-backup.log 2>&1
Code language: JavaScript (javascript)Final Thoughts
By combining Restic, Wasabi, and Debian 12, you get a backup solution that’s simple, secure, and cost-effective. It’s easy to set up, scales well with your data, and gives you peace of mind that your backups are both safe and retrievable, without surprise costs.
If you want to build on this, you can add Telegram alerts, log monitoring, or even snapshot browsers. But this setup gives you a rock-solid foundation to start with.