VPS BACKUP SYSTEM: Pangolin Docker#

Target VPS: 72.11.147.220
Backup LXC: Proxmox 102
Retention: 28 Files (14 Days)

1. VPS Configuration#

Run as root on VPS

User & Group Setup#

adduser --system --group --home /home/vps-backup --shell /bin/bash vps-backup
usermod -aG marc vps-backup
usermod -aG docker vps-backup
newgrp docker

Directory Permissions (ACLs)#

1. Basic Ownership#

chown root:vps-backup /home/marc/docker-compose/pangolin
chmod 750 /home/marc/docker-compose/pangolin

2. Recursive + Default ACLs#

setfacl -R -m "u:vps-backup:rX" /home/marc/docker-compose/pangolin
setfacl -Rd -m "u:vps-backup:rX" /home/marc/docker-compose/pangolin

3. Ensure Existing Files Are Readable#

find /home/marc/docker-compose/pangolin -type f -exec chmod 644 {} +

4. Lock Down acme.json#

setfacl -x "u:vps-backup" /home/marc/docker-compose/pangolin/config/letsencrypt/acme.json
chmod 600 /home/marc/docker-compose/pangolin/config/letsencrypt/acme.json

acme.json is intentionally excluded from rsync for safety.

5. Verify Log Directory Access#

setfacl -R -m "u:vps-backup:rX" /home/marc/docker-compose/pangolin/config/traefik/logs

SSH Security#

mkdir -p /home/vps-backup/.ssh
chmod 700 /home/vps-backup/.ssh
nano /home/vps-backup/.ssh/authorized_keys
chmod 600 /home/vps-backup/.ssh/authorized_keys
chown -R vps-backup:vps-backup /home/vps-backup/.ssh

2. LXC Configuration#

Run on Proxmox 102

Key Generation#

sudo -u vps-backup ssh-keygen -t ed25519 -f /home/vps-backup/.ssh/id_ed25519 -N ""
cat /home/vps-backup/.ssh/id_ed25519.pub

Copy the public key to the VPS.

Backup Storage Permissions#

chown -R vps-backup:vps-backup /mnt/VPSBackups
chmod 755 /mnt/VPSBackups

Backup Script Setup#

touch /home/vps-backup/RN-VPSPangoling_pull_backups.sh
chmod +x /home/vps-backup/RN-VPSPangoling_pull_backups.sh
sudo -u vps-backup nano /home/vps-backup/RN-VPSPangoling_pull_backups.sh

Automation (Crontab)#

sudo -u vps-backup crontab -e

Add:

0 12,20 * * * /bin/bash /home/vps-backup/RN-VPSPangoling_pull_backups.sh

3. Integrity Monitoring (Weekly Health Check)#

Script Setup#

touch /home/vps-backup/RN-VPSPangoling_pull_backups_integrity_check.sh
chown vps-backup:vps-backup /home/vps-backup/RN-VPSPangoling_pull_backups_integrity_check.sh
chmod +x /home/vps-backup/RN-VPSPangoling_pull_backups_integrity_check.sh

Manual Run & Logs#

sudo -u vps-backup /bin/bash /home/vps-backup/RN-VPSPangoling_pull_backups_integrity_check.sh
cat /home/vps-backup/VPSBackup-Integrity.log

Automation#

Add to crontab:

0 1 * * 0 /bin/bash /home/vps-backup/RN-VPSPangoling_pull_backups_integrity_check.sh

4. Verification Commands#

Check Disk Space (10GB Limit)#

df -h /mnt/VPSBackups

View Latest Heartbeat#

tail -n 10 /home/vps-backup/VPSBackup-Pangolin.log

Peek Inside Archive#

tar -tvf /mnt/VPSBackups/[FILENAME].tar.gz | head -n 20

5. Email Installation & Configuration#

Install Mail Packages#

apt update && apt install msmtp msmtp-mta mailutils -y

Create Configuration File#

nano /etc/msmtprc

Paste:

defaults
auth           on
tls            on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
logfile        /var/log/msmtp.log

account        gmail
host           smtp.gmail.com
port           587
from           proxmox.app@gmail.com
user           proxmox.app@gmail.com
password       YOUR_16_DIGIT_PASSWORD
tls_starttls   on

account        default : gmail

Secure Permissions#

chmod 600 /etc/msmtprc
chown vps-backup:vps-backup /etc/msmtprc

Initialize Log File#

touch /var/log/msmtp.log
chown vps-backup:vps-backup /var/log/msmtp.log
chmod 664 /var/log/msmtp.log

Test Email#

echo "Hello Marc, this is a test." | mail -s "LXC Test Email" proxmox.app@gmail.com

6. Restoration Procedure (Emergency)#

Transfer to VPS#

scp /mnt/VPSBackups/2026-02-02_19h00_PangolinBackup.tar.gz root@72.11.147.220:/home/marc/docker-compose/

Unpack on VPS#

mkdir -p /home/marc/docker-compose/pangolin
tar -xzvf /home/marc/docker-compose/2026-02-02_19h00_PangolinBackup.tar.gz \
  -C /home/marc/docker-compose/pangolin --strip-components=1
chmod 600 /home/marc/docker-compose/pangolin/config/letsencrypt/acme.json

CrowdSec Repair (If Needed)#

docker exec crowdsec-pangolin cscli hub update
docker exec crowdsec-pangolin cscli hub upgrade --force
docker exec crowdsec-pangolin kill -HUP 1

Full Restore Script#

/home/marc/docker-compose/pangolin1/scripts/PangolinRestore.sh \
/home/marc/docker-compose/2026-02-08_15h03_PangolinBackup.tar.gz

If rebuilding a new VPS, install CrowdSec first:

apt install crowdsec

File Reference Map#

Path Purpose
/home/vps-backup/RN-VPSPangoling_pull_backups.sh Primary backup script
/home/vps-backup/RN-VPSPangoling_pull_backups_integrity_check.sh Weekly validation script
/home/vps-backup/VPSBackup-Pangolin.log Daily backup log
/home/vps-backup/VPSBackup-Integrity.log Weekly integrity log
/mnt/VPSBackups/live_mirror/ Local incremental mirror
/mnt/VPSBackups/*.tar.gz Archived backups (28 retained)

Manual Restore Examples#

scp /mnt/VPSBackups/2026-01-29_21h12_PangolinBackup.tar.gz \
root@72.11.147.220:/home/marc/docker-compose/
tar -xzf /home/marc/docker-compose/2026-01-29_10h21_PangolinBackup.tar.gz \
-C /home/marc/docker-compose/pangolin3

End of Master Copy.

Backward Proxmox Initial Hardening & Setup Markdown Guide Forward