When it comes to safeguarding your data, simplicity and reliability go a long way. In this post, we’ll walk through how you can set up automatic, secure backups from a Debian 12 server to Wasabi cloud storage using Restic, a powerful yet minimalistic tool.
Getting Started: What You Need
Before diving in, make sure you have:
- A server running Debian 12
- A Wasabi S3 bucket and access credentials
- Restic installed (
sudo apt install restic)
This guide assumes you have root or sudo access to your server.
Why This Combo Works
Restic is fast and secure. Every backup is encrypted, deduplicated, and verifiable. You don’t need to worry about managing complex configurations, just set your targets and go.
Wasabi makes a compelling cloud destination because of its predictable pricing and no-egress fees. It supports the S3 API, so it plugs right into Restic with no extra effort.
Debian 12 offers a stable foundation. It’s lean, long-term supported, and friendly to automation. A perfect base for a backup system that just works.
Step-by-Step Setup
1. Set Your Credentials
Create a secure file at /var/app/secret/.restic:
|
0 1 2 3 4 5 6 |
export AWS_ACCESS_KEY_ID=dummy-access-key export AWS_SECRET_ACCESS_KEY=dummy-secret-key export RESTIC_REPOSITORY=s3:https://s3.ap-northeast-2.wasabisys.com/my-backup-bucket export SERVER_NAME=vm-debian12-backup export LOCAL_REPOSITORY=/var/app |
Make sure it’s protected:
|
0 1 2 |
chmod 600 /var/app/secret/.restic |
You can also use aws configure --profile restic if you prefer storing credentials globally.
2. Create a Restic Password File
|
0 1 2 3 |
echo "SuperStrongBackupPassword" | sudo tee /var/app/secret/.restic-password > /dev/null chmod 600 /var/app/secret/.restic-password |
3. Initialize the Backup Repository
|
0 1 2 3 |
source /var/app/secret/.restic restic -r "$RESTIC_REPOSITORY/$SERVER_NAME" init --password-file /var/app/secret/.restic-password |
You should see confirmation that the repo was created.
4. Prepare Inclusion and Exclusion Lists
Create a list of folders to back up:
|
0 1 2 |
echo -e "/var/www\n/etc\n/home" > /var/app/script/restic-backup-list.txt |
And what to exclude:
|
0 1 2 |
echo -e "*.log\n*.tmp\n/cache" > /var/app/script/restic-exclude-list.txt |
5. Write the Backup Script
|
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 |
#!/bin/bash source /var/app/secret/.restic if ! restic -r "$RESTIC_REPOSITORY/$SERVER_NAME" cat config \ --password-file /var/app/secret/.restic-password > /dev/null 2>&1; then restic -r "$RESTIC_REPOSITORY/$SERVER_NAME" init \ --password-file /var/app/secret/.restic-password fi restic -r "$RESTIC_REPOSITORY/$SERVER_NAME" unlock \ --password-file /var/app/secret/.restic-password restic -r "$RESTIC_REPOSITORY/$SERVER_NAME" backup \ --files-from /var/app/script/restic-backup-list.txt \ --exclude-file /var/app/script/restic-exclude-list.txt \ --tag "$SERVER_NAME" \ --password-file /var/app/secret/.restic-password restic -r "$RESTIC_REPOSITORY/$SERVER_NAME" forget \ --keep-last 7 --keep-daily 7 --keep-weekly 4 --keep-monthly 6 --prune \ --password-file /var/app/secret/.restic-password |
Make it executable:
|
0 1 2 |
chmod +x /var/app/script/restic.sh |
6. Automate with Cron
Add this to your root crontab:
|
0 1 2 |
0 2 * * * bash /var/app/script/restic.sh >> /var/log/restic-backup.log 2>&1 |
Final Thoughts
By combining Restic, Wasabi, and Debian 12, you get a backup solution that’s simple, secure, and cost-effective. It’s easy to set up, scales well with your data, and gives you peace of mind that your backups are both safe and retrievable, without surprise costs.
If you want to build on this, you can add Telegram alerts, log monitoring, or even snapshot browsers. But this setup gives you a rock-solid foundation to start with.