VPS BACKUP SYSTEM: Pangolin Docker#

Target VPS: 72.11.147.220
Backup LXC: Proxmox 102
Retention: 28 Files (14 Days)

VPS Configuration#

Run as root on VPS

1 User & Group Setup#

adduser --system --group --home /home/vps-backup --shell /bin/bash vps-backup
usermod -aG marc vps-backup
usermod -aG docker vps-backup
newgrp docker

2 Directory Permissions (ACLs)#

2.1 Basic Ownership#

chown root:vps-backup /home/marc/docker-compose/pangolin
chmod 750 /home/marc/docker-compose/pangolin

2.2 Recursive + Default ACLs#

setfacl -R -m "u:vps-backup:rX" /home/marc/docker-compose/pangolin
setfacl -Rd -m "u:vps-backup:rX" /home/marc/docker-compose/pangolin

2.3 Ensure Existing Files Are Readable#

find /home/marc/docker-compose/pangolin -type f -exec chmod 644 {} +

2.4 Lock Down acme.json#

setfacl -x "u:vps-backup" /home/marc/docker-compose/pangolin/config/letsencrypt/acme.json
chmod 600 /home/marc/docker-compose/pangolin/config/letsencrypt/acme.json

acme.json is intentionally excluded from rsync for safety.

2.5 Verify Log Directory Access#

setfacl -R -m "u:vps-backup:rX" /home/marc/docker-compose/pangolin/config/traefik/logs

3 SSH Security#

mkdir -p /home/vps-backup/.ssh
chmod 700 /home/vps-backup/.ssh
nano /home/vps-backup/.ssh/authorized_keys
chmod 600 /home/vps-backup/.ssh/authorized_keys
chown -R vps-backup:vps-backup /home/vps-backup/.ssh

4 LXC Configuration#

Run on Proxmox 102

4.1 Key Generation#

sudo -u vps-backup ssh-keygen -t ed25519 -f /home/vps-backup/.ssh/id_ed25519 -N ""
cat /home/vps-backup/.ssh/id_ed25519.pub

Copy the public key to the VPS.

4.2 Backup Storage Permissions#

chown -R vps-backup:vps-backup /mnt/VPSBackups
chmod 755 /mnt/VPSBackups

4.3 Backup Script Setup#

touch /home/vps-backup/RN-VPSPangoling_pull_backups.sh
chmod +x /home/vps-backup/RN-VPSPangoling_pull_backups.sh
sudo -u vps-backup nano /home/vps-backup/RN-VPSPangoling_pull_backups.sh

4.4 Automation (Crontab)#

sudo -u vps-backup crontab -e
0 12,20 * * * /bin/bash /home/vps-backup/RN-VPSPangoling_pull_backups.sh

5 Integrity Monitoring (Weekly Health Check)#

5.1 Script Setup#

touch /home/vps-backup/RN-VPSPangoling_pull_backups_integrity_check.sh
chown vps-backup:vps-backup /home/vps-backup/RN-VPSPangoling_pull_backups_integrity_check.sh
chmod +x /home/vps-backup/RN-VPSPangoling_pull_backups_integrity_check.sh

5.2 Manual Run & Logs#

sudo -u vps-backup /bin/bash /home/vps-backup/RN-VPSPangoling_pull_backups_integrity_check.sh
cat /home/vps-backup/VPSBackup-Integrity.log

5.3 Automation#

Add to crontab:

0 1 * * 0 /bin/bash /home/vps-backup/RN-VPSPangoling_pull_backups_integrity_check.sh

6 Verification Commands#

6.1 Check Disk Space (10GB Limit)#

df -h /mnt/VPSBackups

6.2 View Latest Heartbeat#

tail -n 10 /home/vps-backup/VPSBackup-Pangolin.log

6.3 Peek Inside Archive#

tar -tvf /mnt/VPSBackups/FILENAME.tar.gz | head -n 20

7 Email Installation & Configuration#

7.1 Install Mail Packages#

apt update && apt install msmtp msmtp-mta mailutils -y

7.2 Create Configuration File#

nano /etc/msmtprc

Paste:

defaults
auth           on
tls            on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
logfile        /var/log/msmtp.log

account        gmail
host           smtp.gmail.com
port           587
from           proxmox.app@gmail.com
user           proxmox.app@gmail.com
password       YOUR_16_DIGIT_PASSWORD
tls_starttls   on

account        default : gmail

7.3 Secure Permissions#

chmod 600 /etc/msmtprc
chown vps-backup:vps-backup /etc/msmtprc

7.4 Initialize Log File#

touch /var/log/msmtp.log
chown vps-backup:vps-backup /var/log/msmtp.log
chmod 664 /var/log/msmtp.log

7.5 Test Email#

echo "Hello Marc, this is a test." | mail -s "LXC Test Email" proxmox.app@gmail.com

8 Restoration Procedure (Emergency)#

8.1 Transfer to VPS#

scp /mnt/VPSBackups/2026-02-02_19h00_PangolinBackup.tar.gz root@72.11.147.220:/home/marc/docker-compose/

8.2 Unpack on VPS#

mkdir -p /home/marc/docker-compose/pangolin
tar -xzvf /home/marc/docker-compose/2026-02-02_19h00_PangolinBackup.tar.gz \
  -C /home/marc/docker-compose/pangolin --strip-components=1
chmod 600 /home/marc/docker-compose/pangolin/config/letsencrypt/acme.json

8.3 CrowdSec Repair (If Needed)#

docker exec crowdsec-pangolin cscli hub update
docker exec crowdsec-pangolin cscli hub upgrade --force
docker exec crowdsec-pangolin kill -HUP 1

8.4 Full Restore Script#

# Run restore script:
/home/marc/docker-compose/pangolin1/scripts/PangolinRestore.sh
# Target archive:
/home/marc/docker-compose/2026-03-06_19h00_PangolinBackup.tar.gz

If rebuilding a new VPS, install CrowdSec first:

apt install crowdsec

9 File Reference Map#

Path Purpose
/home/vps-backup/RN-VPSPangoling_pull_backups.sh Primary backup script
/home/vps-backup/RN-VPSPangoling_pull_backups_integrity_check.sh Weekly validation script
/home/vps-backup/VPSBackup-Pangolin.log Daily backup log
/home/vps-backup/VPSBackup-Integrity.log Weekly integrity log
/mnt/VPSBackups/live_mirror/ Local incremental mirror
/mnt/VPSBackups/*.tar.gz Archived backups (28 retained)

10 Manual Restore Examples#

scp /mnt/VPSBackups/2026-01-29_21h12_PangolinBackup.tar.gz \
root@72.11.147.220:/home/marc/docker-compose/
tar -xzf /home/marc/docker-compose/2026-01-29_10h21_PangolinBackup.tar.gz \
-C /home/marc/docker-compose/pangolin3
Backward Ollama & Stable Diffusion AI Guide Pangolin Tunnel - VPS Setup Forward