Garage, an open-source distributed storage service you can self-host to fullfill many needs

Hi @timconsidine , I know I won't have time to do a PR anytime soon, so I'll drop a note here. Huge kudos on bringing the package forward.

The Garage state is stored entirely in SQLite databases. I can't remember the names of them... there's 2 or 3? So while you've spec'd the directories where they will live, that's only part of what needs to be done with them for a restoreable Garage installation on Cloudron.

https://docs.cloudron.io/packaging/addons/#sqlite

You'll want to make sure they're explicitly called out in the manifest. Doing so makes sure they get baked up safely.

If you don't, it is possible that a backup will fail to correctly capture all of the metadata about the Garage instance, and the result could be lost data upon restore. (That is, if a WAL file is not flushed, then the standard backup might capture the metadata DB in an inconsistent state, and if someone had to restore, they would have a corrupt and unrecoverable Garage installation.)

Depending on your appetite for loss, I would consider backups-in-depth. That is, one backup site is not a backup.

1. Use rsync-based backup over SSHFS to Hetzner or similar. You will want to select "use hardlinks" and, if you want it, encryption. The use of hardlinks is, essentially, your de-duplication. (See below.)
2. For a second layer of depth, I would consider a (daily? weekly? monthly?) backup of your primary backup site to a secondary. This could be a sync to AWS S3, for example. Note that any S3-based backup (B2, Cloudflare ObjectSomething, etc.) will have both a storage cost and an API cost. If you are dealing with millions of small files in your backups, the API costs will become real, because dedupe requires checking each object, and then possibly transferring it (multiple PUT/GET requests per file).
   1. S3 has the ability to automatically keep multiple versions of a file. You could use this to have an in-place rotation/update of files.
   2. If you are doing an S3 backup, you can use lifecycle rules to automatically move your S3 content to Glacier. This is much cheaper than "hot" S3 storage. But, you pay a penalty if you download/delete to early/too often.
3. As a third, cheap-ish option, go get a 2- or 4-bay NAS that can run TrueNAS, and put a pair of 8-12TB HDDs in it. Configure the disks in a ZFS mirrored pair. Run a cron job once per day/week to pull down the contents of the Hetzner box. (Your cron will want to, again, use rsync with hardlinks.) You now have a local machine mirroring your hot backups. It is arguably more expensive than some other options (~600USD up front), but you don't have any "we might run out of space" issues. And, because you're using it to pull, you don't have any weird networking problems: just SCP the data down. (Or, rsync it down over SSH.)

Whatever you are doing, consider targeting two different destinations at two different times (per day/alternating/etc.). Or, consider having some combination of backups that give you multiple copies at multiple sites. That could be Hetzner in two regions, with backups run on alternating days, or it could be you backup to a storage box and pull down a clone every day to a local NAS, or ... or ...

Ultimately, your 150GB is small. If you're increasing by a few GB per week, you're saying that you are likely to have 1TB/year. Not knowing your company's finances, this is generally considered a small amount of data. Trying to optimize for cost, immediately, is possibly less important than just getting the backups somewhere.

Other strategies could involve backing up to the NAS locally first, and then using a cron to borg or rsync to a remote host (possibly more annoying to set up), etc. But, you might have more "dedupe" options then. (borg has dedupe built in, I think, but...)

I have a suspicion that your desire to use object storage might be a red herring. But, again, I don't know your constraints/budget/needs/concerns.

---

Deduplication: If you use rsync with hardlinks, then each daily backup will automatically dedupe unchanged files. A hardlink is a pointer to a file. So, if you upload super_ai_outputs_day_1.md to your storage on Monday, and it remains unchanged for the rest of time, then each subsequent day is going to be a hardlink to that file. It will, for all intents and purposes, take up zero disk space. So, if you are backing up large numbers of small-to-medium sized files that do not change, SSHFS/rsync with hardlinks is going to naturally dedupe your unchanging old data.

This will not do binary deduplication of different files. So, if you're looking for a backup solution that would (say) identify that two, 1GB files where the middle 500GB are identical, and somehow dedupe that... you need more sophisticated tools and strategies. Rsync/hardlinks just makes sure that the same file, backed up every day, does not take (# days * size) space. It just takes the original size of the file plus an inode in the FS for each link.

Note, though, if you involve a snapshot of your hardlinked backups to an object store, every file may take the full size of every file for every day. I'm possibly wrong on that, but I'm not confident that most tools would know what to do with those hardlinks when you're copying to an object store. I think you'd end up multiplying your disk usage significantly, because your backup tool will have to create a copy of each file into the object store. (Most object stores do not have a notion of symlinks/hardlinks.) An experiment with a subset of the data, or even a few files, will tell you the answer to that question.

If you have other questions, you can ask here, or DM me.

Consider this an upvote/+1, along with kudos on @marcusquinn 's packaging of NetBird.

Will do, James. I have not been able to recreate the held lock issue. I was starting/stopping jobs a fair bit at one point, and can't... be precise about where in the backup cycle those cancellations happened that a cleanup might not have happened. I will watch for it in the future.

When I said there was no RAM pressure, I meant that was true for the server. However, my jobs all had 1GB of RAM. Your suggestion clued me in; because that value must be set after you setup the backup job, I had never noticed it before... or, not realized how critical it might be. I have bumped them all to 6GB of RAM, and so far, I've been seeing backup successes.

Barring the question below, I'd say we could close this issue. The lesson learned is that I need to provide my backup tasks more RAM. Because I have some RAM to spare, I'm going aggressive, and giving things 6GB. I did not attempt to settle on a smaller amount, for anyone who comes along after--- I just gave the tasks a limit that I considered to be "a lot" in this context.

I still see some things like the errors below. The backup completes successfully, but I'm unclear why there would be errors like these sprinkled throughout the backup. Is the relative path full/snapshot/app_... actually correct? Or, should that be a full path (e.g. the base path I provided at setup time along with the relative path)? In the command that succeeds, it is a full path.

Feb 13 16:11:00 box:shell filesystem: ssh -o "StrictHostKeyChecking no" -i /tmp/identity_file_d82bc09e-a419-4d60-84bf-95d631fd0ebb -p 22 user@nas.lan cp -aRl full/snapshot/app_c74efccf-d273-46c9-8afe-3fd427bb78c1 full/2026-02-13-210356-064/app_git.jadud.com_v1.37.4 errored BoxError: ssh exited with code 1 signal null
Feb 13 16:11:00 at ChildProcess.<anonymous> (/home/yellowtent/box/src/shell.js:82:23)
Feb 13 16:11:00 at ChildProcess.emit (node:events:519:28)
Feb 13 16:11:00 at maybeClose (node:internal/child_process:1101:16)
Feb 13 16:11:00 at ChildProcess._handle.onexit (node:internal/child_process:304:5) {
Feb 13 16:11:00 reason: 'Shell Error',
Feb 13 16:11:00 details: {},
Feb 13 16:11:00 stdout: <Buffer >,
Feb 13 16:11:00 stdoutString: '',
Feb 13 16:11:00 stdoutLineCount: 0,
Feb 13 16:11:00 stderr: <Buffer 63 70 3a 20 63 61 6e 6e 6f 74 20 73 74 61 74 20 27 66 75 6c 6c 2f 73 6e 61 70 73 68 6f 74 2f 61 70 70 5f 63 37 34 65 66 63 63 66 2d 64 32 37 33 2d 34 ... 50 more bytes>,
Feb 13 16:11:00 stderrString: "cp: cannot stat 'full/snapshot/app_c74efccf-d273-46c9-8afe-3fd427bb78c1': No such file or directory\n",
Feb 13 16:11:00 stderrLineCount: 1,
Feb 13 16:11:00 code: 1,
Feb 13 16:11:00 signal: null,
Feb 13 16:11:00 timedOut: false,
Feb 13 16:11:00 terminated: false
Feb 13 16:11:00 }
Feb 13 16:11:00 box:storage/filesystem SSH remote copy failed, trying sshfs copy
Feb 13 16:11:00 box:shell filesystem: cp -aRl /mnt/managedbackups/1ec6c6b4-7566-4369-b2ce-466968b00d5d/full/snapshot/app_c74efccf-d273-46c9-8afe-3fd427bb78c1 /mnt/managedbackups/1ec6c6b4-7566-4369-b2ce-466968b00d5d/full/2026-02-13-210356-064/app_git.jadud.com_v1.37.4
Feb 13 16:11:07 box:backuptask copy: copied successfully to 2026-02-13-210356-064/app_git.jadud.com_v1.37.4. Took 7.889 seconds

OK. Solution so far:

1. I removed all backup sites and rebooted. (There's a question at the end.)
2. I added a CIFS point (instead of SSHFS) to the local NAS.
3. Gave the backup 5GB of RAM, and set the concurrency to 100
4. Waited an hour or two. Two? What is time.

The backup for Immich succeeded.

I may try an SSHFS backup with similar parameters, but I'll... be limited on the storage box with regards to concurrency. So, we'll see.

QUESTION: I have noticed when app backups fail, there's sometimes a stale lock. Where is that lock? I would like to be able to remove the lock without having to reboot. Is it in the DB? A file? Where does Box keep those app backup locks?

I'm not convinced I've solved my problem, but I'm starting to think the RAM for the backup(s) may matter, which I had never encountered before.

Interesting. I think I had missed that setting before.

I tried two things, but now need to head to work.

I created a SMB share on the NAS. I was able to establish a backup site... and, I just re-created an SSHFS mount per above, and gave it 6GB of RAM.

Feb 11 09:16:30 box:taskworker Starting task 9902. Logs are at /home/yellowtent/platformdata/logs/tasks/9902.log
Feb 11 09:16:30 box:taskworker Running task of type backup
Feb 11 09:16:30 box:backuptask fullBackup: skipped backup ...
Feb 11 09:16:30 box:tasks updating task 9902 with: {"percent":66.38461538461539,"message":"Backing up photos.jadud.com (17/23). Waiting for lock"}
Feb 11 09:16:30 box:locks write: current locks: {"full_backup_task_846414c7-0abc-4ae1-8432-2430e5008342":null,"app_backup_a6dc2056-829f-46c4-bf31-7a93cba4af11":"9902"}
Feb 11 09:16:30 box:locks acquire: app_backup_a6dc2056-829f-46c4-bf31-7a93cba4af11
Feb 11 09:16:30 box:backuptask fullBackup: app photos.jadud.com backup finished. Took 0.002 seconds
Feb 11 09:16:30 box:locks write: current locks: {"full_backup_task_846414c7-0abc-4ae1-8432-2430e5008342":null}
Feb 11 09:16:30 box:locks release: app_backup_a6dc2056-829f-46c4-bf31-7a93cba4af11
Feb 11 09:16:30 box:backuptask fullBackup: skipped backup ...
Feb 11 09:16:30 box:tasks setCompleted - 9902: {"result":[],"error":null,"percent":100}
Feb 11 09:16:30 box:tasks updating task 9902 with: {"completed":true,"result":[],"error":null,"percent":100}
Feb 11 09:16:30 box:taskworker Task took 0.066 seconds
Feb 11 09:16:30 Exiting with code 0

If I try and kick off the backup, it starts up and exits immediately. Is there a lock floating somewhere? (Is that the full backup task lock?)

No backups are running that I can see, but this is now a new behavior. I have rebooted the machine, and this does not change.

No doubt, I've created this problem through my iterations.

Good questions. The configuration locally is that the machines all live behind an OpnSense router. Cloudron is hosted on a VM on a small machine (and has 24GB of RAM allocated to it, and does not show signs of RAM pressure), and the NAS itself is running TrueNAS w/ 40GB of RAM available (it is never under RAM pressure, as far as I can tell).

cloudron.lan -> switch -> nas.lan

Both machines are local. The cables could be poor; I can check. This is why I think the SSHFS failure on the Cloudron -> NAS connection is so worrying; there's no good reason why it should fail, from what I can tell.

I can... understand that the SSHFS backup to the storage box might be troublesome, given the distances involved. The local connection, though, should "just work."

I'll dig more into possible memory issues.

@james , do you have any thoughts?

I had to reboot the server for updates yesterday; as a result, the Immich app is (again) trying to backup. It is now 14K into another attempt. I have every belief that it will fail some 250K files into the backup.

Do any of the strategies I've brainstormed sound better than the others from y'alls perspective?

We can leave this thread open as I explore, but I think the answer is "I can't backup my photos by simply adding an SSHFS backup location." I apparently have to solve this some other way.

I could also use the fstab to mount an SSHFS filesystem to the remotes, and let Cloudron backup via filesystem there. This would move the management of the mount out of the hands of Cloudron, and into the hands of the OS.

I don't know if that would help.

The Immich (photos) backup ended as follows.

Feb 10 03:11:21 box:backupformat/rsync sync: adding data/upload/upload/d354571e-1804-4798-bd79-e29690172c14/d9/d7/d9d762ae-5a69-461d-9387-84882f110276.jpg.xmp position 227458 try 1
Feb 10 03:11:21 box:backupformat/rsync sync: processing task: {"operation":"add","path":"data/upload/upload/d354571e-1804-4798-bd79-e29690172c14/d9/d7/d9d762ae-5a69-461d-9387-84882f110276.jpg.xmp","reason":"new","position":227458}
Feb 10 03:11:21 Exiting with code 70
Feb 10 03:11:21 box:taskworker Terminated
Feb 10 05:03:04 13:M 10 Feb 2026 10:03:04.004 * 10 changes in 300 seconds. Saving...
Feb 10 05:03:04 13:M 10 Feb 2026 10:03:04.004 * Background saving started by pid 298

I do not know for certain if this was the local or remote backup. Local, the snapshot folder dates Feb 9 03:13, and remote it dates Feb 9, 02:35. Those... appear to be the created times, using ls -ac.

According to logs, my music backup ran at Tuesday at 3AM, and it completed in 1m30s or thereabouts. So, that took place 10m before this failure. The music backup would be against the NAS.

Immich still wants to update.

Are there any thoughts as to what I should consider doing to get to a successful backup of my photos?

Absent a way for Cloudron to successfully backup Immich, I feel like the following are my options:

1. JuiceFS would probably let rsync complete and support hardlinks. I would create an SSHFS mount via Juice from a folder on my localhost -> the target system. Then, I would mount that folder as a local volume (filesystem). As far as Cloudron would be concerned, it would be a regular filesystem. Downside? It's a moving piece in-between me and my files, and a point for data loss.
2. I could use object storage, but I'm concerned about operation costs. An rsync -> object store approach with this many files means... probably hundreds of thousands of API calls for every backup. Depending on the provider, that ends up costing.
3. Use tar? I feel that a tarball is really inefficient, since the photos don't change often/at all.
4. Backup locally and rsync the backup. This would eat disk, but I have space to spare on the Cloudron host; it runs on a mirrored 8TB pair. If I keep three backups (monthly), I would end up with nearly a TB of data, but I could rsync that to the NAS and remote. The rotation would happen locally, I'd get off-site and local backups, and the cost would be that each photo takes 4x the space (original + 3x copies on the local filesystem for rsync rotation).

I would ask, for simplicity, that you require the developer to put the JSON in a fixed/predictable path, and allow the user to paste the URL for the main GH repo. Asking users to find the "raw" link is likely hard/confusing. Put the onus on the person packaging, not the person installing?

I'm 140k into another run. Took all day... will bump thread with results when there are results...

Ah. I see.

My apologies. I am very used to being the same user on both the host and the target system. And, I'm thinking in terms of scp or sftp, not an SSHFS mount. The difference matters a great deal; your answer is clear, and I see why I was confused/wrong.

My fog of confusion wafts away in the light of illumination. Thank you.

(I have a suspicion that this is a variation on this post from a while back.)

I have configured backups as follows:

backup set	encr?	target	day	time	files	size
bitwarden	Y	storage box	daily	20:00	800	7MB
photos	N	storage box	S	03:00	300K	200GB
photos	N	NAS	Su	03:00	300K	200GB
full (- music, -photos)	Y	NAS	MWF	03:00	18K	12GB
music	N	NAS	T	03:00	?	600GB

What I'm finding is that my Immich (photos) instance does not want to backup. To be more precise: Immich consistently fails a long way into the backup. In both the case where it is talking to a storage box (overseas, for me) and to my local NAS, it is configured as an SSHFS mount. In each location I have set up a folder called $HOME/backups, and used a subpath for each backup (e.g. photos, so that the full path becomes $HOME/backups/photos, $HOME/backups/vaults, etc.). In all cases, I'm using rsync with hardlinks.

I removed the photos (which is large/has many files) and the music from the full backup set, because I want to target them separately for backup. And, I want to make sure my full backup completes.

I can backup the bitwarden instance, because it is small. I have not yet seen the photos complete. I end up somewhere around 290K files, and there's an SSH error that drops. I don't know what the root cause is. (And, I'm now waiting for another backup, because Immich kicked off an update... so, I have to wait.)

I'll update this thread if/when it fails again. Possible root causes (that would be difficult for me to work around):

1. Too many files. I would think rsync would have no problems.
2. Files changing. Immich likes to touch things. Is it paused during backup? If not, could that be the problem? (There are tempfiles that get created as part of its processes; could those be in the set, then get processed/deleted before the backup gets to them, and then it breaks the backup? But, pausing during backups is disruptive/not appropriate for a live system, so... that's not actually a solution path. Ignore me.)
3. Not enough RAM. Do I need to give the backup process more RAM?

The NAS is a TrueNAS (therefore Debian) machine sitting next to the Cloudron host. Neither seems to be under any kind of RAM pressure that I can see. Neither is doing anything else of substance while the backups are happening.

Unrelated: I do not know what happens when Immich updates, because I am targeting it with two backup points. Does that mean an app update will trigger a backup to both locations? Will it do so sequentially, or simultaneously?

possible other solutions

I would like the SSHFS backup to "just work." But, I'm aware of the complexity of the systems involved.

Other solutions I could consider:

1. Use object storage. I don't like this one. When using rsync with many files, I discovered that (on B2) I could end up paying a lot for transactions if I had a frequent backup, because rsync likes to touch so many things. This was the point of getting the NAS.
2. Run my own object storage on the NAS. I really don't want to do that. And, it doesn't solve my off-site photos backup.
3. Introduce JuiceFS on the Cloudron host. I could put JuiceFS on the Cloudron host. I dislike this for all of the obvious reasons. But, it would let me set up an SSHFS mount to my remote host, and Cloudron/rsync would think it was a local filesystem. This might only be pushing the problems downwards, though.
4. Backup locally, and rsync the backup. I think I have the disk space for this. This is probably my most robust answer, but it is... annoying. It means I have to set up a secondary layer of rsync processes. On the other hand, I have confidence that if I set up a local volume, the Cloudron backup will "just work."

Ultimately, I'm trying to figure out how to reliably back things up. I think #4 is my best bet.

Hi @james ,

Fair enough. To be clear:

If you make the mistake of using $HOME for the target directory, then the behavior of allow_other changes the permissions on $HOME to 777. The .ssh directory must exist under a home directory that is either 755, 751, or 750. (It probably can be something else...) Point being, "fool me twice," I have made this mistake on more than one system, and wondered why it is so hard to set up an SSHFS mountpoint. It is because it works once, and then not a second time, because the home directory permissions have changed, "breaking" SSH on the target system.

Perhaps this is clearly described in the SSH mount docs, and I missed it, but it is a silent/invisible source of confusion when setting up SSHFS mountpoints.

(An aside: I still don't know why any user other than the user I assign would need to access the mountpoint: I provide a private key and a username. Only that user should be able to carry out the SSHFS mount, and all of the writes should happen as that user. Why would I ever need some other user to be able to read my backups on a remote system?)

We can re-close this as solved, because I more clearly understand Cloudron's behavior. Because two things can be true, I understand the behavior, and I still think it is incorrect: if I provide a private key and username, that is the user I expect all operations to happen as, and I do not expect permissions to be set so that any user of the remote system can read the files. But, expectations are tantamount to assumptions.

I'm struggling with this problem as well.

I'm finding when I try and SSHFS with my TrueNAS box...

1. Assuming the user is cloudback
2. The path is /home/pool/dataset/cloudback
3. I set my backup path to /home/pool/dataset/cloudback and my prefix to full

Cloudron always changes the permissions on the directory /home/pool/dataset/cloudback to 777. This seems... grossly insecure. And, worse, it breaks SSH, because you can't have a filesystem above the .ssh directory with permissions that open.

However, I also find that if I set the path deeper into the account (with no prefix), I avoid the permissions issue, and instead, I get backups that hang/lock, especially on Immich. (That could be unrelated.)

My single biggest question is why is Cloudron setting perms to 777 anywhere?

I'm trying again by creating a directory in the homedir, and using that as my base path. Then, within that, I'm using the "path" option to create subfolders. I don't have a reason I think this might help, but given comments above, I'm trying it.

I've eyed both

https://github.com/kanbn/kan

and

https://planka.app/community#strategy

as being potentially friendly to Cloudron packaging. kan.bn in particular just wants a Postgres database, which Cloudron happily provides.

I don't have a Synology, but can you use the Task Manager to run an rsync command periodically to pull copies of your backups from the VPS to your local NAS?

Or, if you're backing up to an object store from the VPS, you could use Cloud Sync to sync the S3-based backups to your local NAS?

These are two ideas that come from some googling. Perhaps they'll inspire additional thoughts.

Nevermind. It was temporary. I retried later.

@timconsidine , I'd like to look at combining your package and mine. Should https://git.cloudron.io/timconsidine/cloudron-garages3-ui be public? It just says Retry later.