Backup-Strategie mit Bareos: 3-2-1 Regel im Homelab

Die 3-2-1 Backup-Regel

3 Kopien deiner Daten
2 verschiedene Medien
1 Kopie Offsite

Diese einfache Regel hat schon unzählige Daten gerettet. In diesem Artikel zeige ich, wie ich sie mit Bareos umsetze.

Warum Bareos?

Nach Evaluierung verschiedener Lösungen (Veeam, Borg, Restic) habe ich mich für Bareos entschieden:

Vorteile:

• Open Source & kostenlos
• Enterprise-Features (Deduplication, Compression)
• Flexibles Tape-Support
• Katalog-Datenbank für schnelle Restores
• Web-UI verfügbar
• Aktive Community

Nachteile:

• Steile Lernkurve
• Konfiguration komplex
• Dokumentation manchmal veraltet

Meine Infrastruktur

Komponenten

Bareos Director (pve1)
├── Storage Daemon Local (alle Nodes)
├── Storage Daemon Synology (NAS)
└── Storage Daemon Offsite (Hetzner Storage Box)

File Daemons:
├── Proxmox Nodes (3×)
├── LXC Container (15×)
├── VMs (10×)
└── Synology NAS

Storage-Architektur

Tier 1 - Lokal (täglich, schnell)

• Location: SSDs auf Proxmox Nodes
• Retention: 7 Tage
• Compression: LZ4
• Encryption: Nein (lokal sicher)

Tier 2 - NAS (täglich, mittel)

• Location: Synology DS920+ mit NFS
• Retention: 30 Tage
• Compression: ZSTD
• Encryption: Ja (AES-256)

Tier 3 - Offsite (wöchentlich, langsam)

• Location: Hetzner Storage Box
• Retention: 365 Tage
• Compression: ZSTD
• Encryption: Ja (AES-256)

Installation & Setup

Bareos Director Installation

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19

# Debian Repository hinzufügen
wget -O /etc/apt/keyrings/bareos-keyring.gpg \
  https://download.bareos.com/bareos/release/latest/Debian_12/Release.key

echo "deb [signed-by=/etc/apt/keyrings/bareos-keyring.gpg] \
  https://download.bareos.com/bareos/release/latest/Debian_12/ /" > \
  /etc/apt/sources.list.d/bareos.list

# Installation
apt update
apt install bareos bareos-database-postgresql bareos-webui

# Datenbank initialisieren
su postgres -c /usr/lib/bareos/scripts/create_bareos_database
su postgres -c /usr/lib/bareos/scripts/make_bareos_tables
su postgres -c /usr/lib/bareos/scripts/grant_bareos_privileges

# Services starten
systemctl enable --now bareos-dir bareos-sd bareos-fd

File Daemon auf Clients

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

# Auf jedem Client
apt install bareos-filedaemon

# Director erlauben
cat > /etc/bareos/bareos-fd.d/director/bareos-dir.conf <<EOF
Director {
  Name = bareos-dir
  Password = "SUPER_SECRET_PASSWORD"
}
EOF

systemctl restart bareos-fd

Konfiguration

Director Hauptkonfiguration

# /etc/bareos/bareos-dir.d/director/bareos-dir.conf
Director {
  Name = bareos-dir
  QueryFile = "/usr/lib/bareos/scripts/query.sql"
  Maximum Concurrent Jobs = 20
  Password = "director-password"
  Messages = Daemon
  Auditing = yes
  
  # TLS für verschlüsselte Kommunikation
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = no
  TLS CA Certificate File = /etc/bareos/tls/ca.crt
  TLS Certificate = /etc/bareos/tls/server.crt
  TLS Key = /etc/bareos/tls/server.key
}

Job Definition - Proxmox VMs

# /etc/bareos/bareos-dir.d/job/backup-proxmox-vms.conf
Job {
  Name = "BackupProxmoxVMs"
  Type = Backup
  Level = Incremental
  Client = pve1-fd
  FileSet = "ProxmoxVMs"
  Storage = Local-Storage
  Pool = Daily-Pool
  Messages = Standard
  Priority = 10
  
  # Zeitsteuerung
  Schedule = "DailyCycle"
  
  # Full Backup einmal pro Woche
  Full Backup Pool = Weekly-Pool
  Differential Backup Pool = Daily-Pool
  Incremental Backup Pool = Daily-Pool
  
  # Compression & Encryption
  Accurate = yes
  
  # Scripts
  Run Before Job = "/etc/bareos/scripts/snapshot-create.sh"
  Run After Job = "/etc/bareos/scripts/snapshot-delete.sh"
}

FileSet für VMs

# /etc/bareos/bareos-dir.d/fileset/proxmox-vms.conf
FileSet {
  Name = "ProxmoxVMs"
  
  Include {
    Options {
      Signature = SHA1
      Compression = LZ4
      OneFS = no
      Sparse = yes
    }
    
    # VM Disks
    File = /var/lib/vz/images
    
    # VM Configs
    File = /etc/pve/qemu-server
    File = /etc/pve/lxc
  }
  
  Exclude {
    # Temporäre Dateien
    File = /var/lib/vz/images/*/vm-*-cloudinit.qcow2
    
    # Swap Devices
    File = /var/lib/vz/images/*/vm-*-swap.qcow2
  }
}

Storage Pools

# /etc/bareos/bareos-dir.d/pool/daily.conf
Pool {
  Name = Daily-Pool
  Pool Type = Backup
  Recycle = yes
  AutoPrune = yes
  Volume Retention = 7 days
  Maximum Volume Bytes = 50G
  Maximum Volumes = 14
  Label Format = "Daily-${Year}-${Month:p/2/0/r}-${Day:p/2/0/r}-${Hour:p/2/0/r}-${Minute:p/2/0/r}"
  Volume Use Duration = 23h
  Storage = Local-Storage
}

Pool {
  Name = Weekly-Pool
  Pool Type = Backup
  Recycle = yes
  AutoPrune = yes
  Volume Retention = 30 days
  Maximum Volume Bytes = 0
  Maximum Volumes = 4
  Label Format = "Weekly-${Year}-${WeekOfYear:p/2/0/r}"
  Storage = NAS-Storage
}

Pool {
  Name = Monthly-Pool
  Pool Type = Backup
  Recycle = yes
  AutoPrune = yes
  Volume Retention = 365 days
  Maximum Volume Bytes = 0
  Maximum Volumes = 12
  Label Format = "Monthly-${Year}-${Month:p/2/0/r}"
  Storage = Offsite-Storage
}

Storage Definitions

# Local Storage
Storage {
  Name = Local-Storage
  Address = localhost
  Password = "storage-password"
  Device = LocalDisk
  Media Type = File
  Maximum Concurrent Jobs = 5
}

# NAS Storage
Storage {
  Name = NAS-Storage
  Address = synology.vlb2.local
  Password = "storage-password"
  Device = NAS-Disk
  Media Type = File
  Maximum Concurrent Jobs = 3
}

# Offsite Storage
Storage {
  Name = Offsite-Storage
  Address = u123456.your-storagebox.de
  Password = "storage-password"
  Device = Offsite-Disk
  Media Type = File
  Maximum Concurrent Jobs = 1
}

Schedule

# /etc/bareos/bareos-dir.d/schedule/daily-cycle.conf
Schedule {
  Name = "DailyCycle"
  
  # Incremental täglich um 23:00
  Run = Level=Incremental daily at 23:00
  
  # Differential Samstag 23:00
  Run = Level=Differential saturday at 23:00
  
  # Full Sonntag 22:00
  Run = Level=Full 1st sunday at 22:00
}

Snapshot-Integration

Pre-Backup Script

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13

#!/bin/bash
# /etc/bareos/scripts/snapshot-create.sh

VMID=$1
SNAPSHOT="bareos-$(date +%Y%m%d-%H%M%S)"

if qm status "$VMID" | grep -q "running"; then
    echo "Creating snapshot for VM $VMID"
    qm snapshot "$VMID" "$SNAPSHOT" --description "Bareos Backup"
    
    # Snapshot-Namen für später speichern
    echo "$SNAPSHOT" > "/tmp/bareos-snapshot-$VMID"
fi

Post-Backup Script

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

#!/bin/bash
# /etc/bareos/scripts/snapshot-delete.sh

VMID=$1
SNAPSHOT_FILE="/tmp/bareos-snapshot-$VMID"

if [ -f "$SNAPSHOT_FILE" ]; then
    SNAPSHOT=$(cat "$SNAPSHOT_FILE")
    echo "Deleting snapshot $SNAPSHOT for VM $VMID"
    qm delsnapshot "$VMID" "$SNAPSHOT"
    rm -f "$SNAPSHOT_FILE"
fi

Monitoring & Alerting

Grafana Integration

Bareos exportiert Metriken via custom Exporter:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20

# /usr/local/bin/bareos-exporter.py
from prometheus_client import start_http_server, Gauge
import subprocess
import time

# Metrics
backup_success = Gauge('bareos_backup_success', 'Last backup success', ['job'])
backup_duration = Gauge('bareos_backup_duration_seconds', 'Backup duration', ['job'])
backup_bytes = Gauge('bareos_backup_bytes', 'Backup size bytes', ['job'])

def collect_metrics():
    # bconsole abfragen
    cmd = 'echo "list jobs" | bconsole'
    # ... parsing logic
    
if __name__ == '__main__':
    start_http_server(9101)
    while True:
        collect_metrics()
        time.sleep(60)

Email-Benachrichtigungen

# /etc/bareos/bareos-dir.d/messages/standard.conf
Messages {
  Name = Standard
  Director = bareos-dir = all
  
  # Mail bei Fehlern
  Mail = admin@vlb2.de = all, !skipped
  MailOnSuccess = admin@vlb2.de = all
  
  # Console
  Console = all, !skipped, !saved
  
  # Append zu Log
  Append = "/var/log/bareos/bareos.log" = all, !skipped
}

Restore-Prozedur

Einzelne Datei wiederherstellen

 1
 2
 3
 4
 5
 6
 7
 8
 9
10

# bconsole starten
bconsole

# Restore-Dialog
*restore
# Job auswählen
# Pfad angeben
# Mark files
# done
# yes

Komplette VM wiederherstellen

1
2
3
4
5
6
7
8

# VM aus Backup
qmrestore /mnt/backup/vzdump-qemu-100-*.vma.zst 100

# Oder über bconsole
*restore
*cd /var/lib/vz/images/100
*mark *
*done

Disaster Recovery - Bare Metal

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

# 1. Proxmox neu installieren
# 2. Bareos File Daemon installieren
# 3. Bareos Bootstrap-File nutzen

*restore
*mod
*jobid=123
*yes

# 4. VMs aus Backup importieren
# 5. Cluster wieder aufbauen

Testing der Backups

Monatlicher Test:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22

#!/bin/bash
# test-restore.sh

# Random VM auswählen
VMID=$(qm list | tail -n +2 | shuf -n 1 | awk '{print $1}')

# In Test-Pool wiederherstellen
echo "Testing restore of VM $VMID"
qmrestore --storage test-storage /backup/latest-vm-$VMID.vma 999

# VM starten
qm start 999

# Prüfen ob VM hochkommt
sleep 60
qm status 999

# Aufräumen
qm stop 999
qm destroy 999

echo "Restore test completed successfully"

Performance-Optimierung

Parallele Jobs

# Director
Maximum Concurrent Jobs = 20

# Storage
Maximum Concurrent Jobs = 5

# File Daemon  
Maximum Concurrent Jobs = 2

Deduplication

Bareos nutzt Block-Level Deduplication:

Job {
  Name = "DedupJob"
  Accurate = yes
  
  # Base Job für Incremental
  Base = PreviousFullJob
}

Bandwidth Limiting

1
2
3
4
5

# Für Offsite-Backups
Job {
  Name = "OffsiteBackup"
  Maximum Bandwidth = 10 MB/s
}

Kosten-Analyse

Storage-Kosten

Lokal: 2 TB SSD = ~150 € (einmalig)
NAS: 12 TB HDD = ~300 € (einmalig)
Offsite: Hetzner Storage Box 5 TB = ~10 €/Monat

Total: ~570 € + 120 €/Jahr

Zeit-Investition

• Setup: ~40 Stunden
• Wartung: ~2 Stunden/Monat
• Testing: ~4 Stunden/Monat

Best Practices

✅ Backup testen: Ungetestete Backups sind keine Backups
✅ 3-2-1 Regel: Immer befolgen
✅ Verschlüsselung: Für Offsite zwingend
✅ Monitoring: Fehlgeschlagene Backups sofort erkennen
✅ Retention: Klar definieren und einhalten
✅ Dokumentation: DR-Prozeduren schriftlich
✅ Automatisierung: Manuelle Backups werden vergessen

❌ Nur lokale Backups: Single Point of Failure
❌ Keine Tests: Murphy’s Law gilt
❌ Schwache Passwörter: Verschlüsselung ist nutzlos
❌ Ignorierte Fehler: Probleme früh beheben
❌ Keine Versionierung: Corrupted Files verbreiten sich

Erfahrungen & Lessons Learned

Was gut funktioniert

• Snapshot-Integration verhindert inkonsistente Backups
• Tiered Storage spart Kosten
• Automatische Tests geben Sicherheit
• Offsite via Hetzner ist zuverlässig

Was ich anders machen würde

• Früher mit Backup-Tests beginnen
• Monitoring von Anfang an integrieren
• Mehr Zeit in Dokumentation investieren
• Deduplizierung früher aktivieren

Zusammenfassung

Eine durchdachte Backup-Strategie ist Investment in Seelenfrieden. Bareos bietet Enterprise-Features für Homelabs.

Zeit-Investment: ~40 Stunden Setup
Laufende Kosten: ~10 €/Monat
Datensicherheit: Unbezahlbar

Weiterführende Artikel

In dieser Serie:

• Proxmox Cluster Setup
• Monitoring mit Grafana (coming soon)
• Disaster Recovery Tests (coming soon)

Ressourcen

• Bareos Documentation
• Bareos GitHub
• 3-2-1 Backup Rule

Fragen zur Backup-Strategie? Email mir!