in-house backup server

[OhYou_]

I need to build a backup server and was wondering if truenas scale was up to it.
It will be mostly dedicated to backing up a windows server, here's what I would ideally like though.
>provide a week long volume on the network for daily backups to be stored into
>ideally automated but could be manual way to easily load a backup into a vm and boot it for validation once a week
>every week, take the 7 backups for the week and put them in a long term storage volume, clear out the week volume for the next week
>long term volume is kept off the network and accessible only by a management VM which is also kept off the network
>once every month, write the month's backups to a single hard disk which is physically inserted and then removed and transported offsite (might do 2 week idk)

I want to basically overkill it because

 

[Electronics Wizardy]

Look into veeam its a program that can manage all these backups in a single program. I think their free version supports all of this.

 

How big are your backups going to be?

[OhYou_]

1 minute ago, Electronics Wizardy said:

Look into veeam its a program that can manage all these backups in a single program. I think their free version supports all of this.

 

How big are your backups going to be?

Veeam is most likely the software I will be using on the server to be backed up, but I still need the NAS to do the work of most of this because the data will be airgaped past 1 week.
I suppose I could run Veeam in an airgaped vm on the NAS and use that for all the backend copying, but I was more wondering if truenas or maybe something else could do it too, hexos, ect..

[Electronics Wizardy]

4 minutes ago, OhYou_ said:

Veeam is most likely the software I will be using on the server to be backed up, but I still need the NAS to do the work of most of this because the data will be airgaped past 1 week.
I suppose I could run Veeam in an airgaped vm on the NAS and use that for all the backend copying, but I was more wondering if truenas or maybe something else could do it too, hexos, ect..

I'd run veeam on the backup server/nas. It can manage all your additional copies of the data, and run sync jobs to other servers and rotated HDDs automatically. I'd simplify it by using veeam for as much as possible here.

[Needfuldoer]

TrueNAS is absolutely up to the task. What I'd do is set up ZFS snapshots on the NAS, which will create shadow copies of the store as files are changed or deleted. It's almost like Time Machine on MacOS.

 

https://www.truenas.com/docs/scale/24.10/scaleuireference/datasets/snapshotsscreens/

 

https://docs.oracle.com/cd/E19253-01/819-5461/gbciq/index.html

[OhYou_]

2 minutes ago, Needfuldoer said:

ZFS snapshots on the NAS

what is the restore process like worst case if everything gets torched and I have to restore from a backup hard drive. How would the snapshots be stored on the drive?
It's more of a backup in case of complete failure, not so much in case someone deleted one file or made an oops, that's their problem not mine.

 

16 minutes ago, Electronics Wizardy said:

I'd run veeam on the backup server/nas. It can manage all your additional copies of the data, and run sync jobs to other servers and rotated HDDs automatically. I'd simplify it by using veeam for as much as possible here.

yes, but what will be doing the weekly rotation? In this setup, I want absolutely nothing except for the NAS OS itself to have the ability to touch both the server network, and any backup older than 7 days.  That is the maximum affordable loss time.
I'm viewing this as a worst case if the server gets compromised, it cannot have a chance to spread to the vm running veeam or the long term volume. I will be hardening the nas os itself for this but I want to keep the exposure surface minimal.

[Electronics Wizardy]

Just now, OhYou_ said:

yes, but what will be doing the weekly rotation? In this setup, I want absolutely nothing except for the NAS OS itself to have the ability to touch both the server network, and any backup older than 7 days.  That is the maximum affordable loss time.
I'm viewing this as a worst case if the server gets compromised, it cannot have a chance to spread to the vm running veeam or the long term volume. I will be hardening the nas os itself for this but I want to keep the exposure surface minimal.

veeam can do this. Plug a HDD in, and it will detect it and copy the copies of the back you want. It supports rotated HDD backups like this well and I don't this for work without issue.

 

I see the rotated HDD as the everything got corrupted you still have backups copy.

 

2 minutes ago, OhYou_ said:

what is the restore process like worst case if everything gets torched and I have to restore from a backup hard drive. How would the snapshots be stored on the drive?
It's more of a backup in case of complete failure, not so much in case someone deleted one file or made an oops, that's their problem not mine.

It would be stored as a ZFS snapshot. Send/recieve the snapshot to get the data back or copy the files over.

 

 

Is this for work? Probably want to find a IT pro if its for work so you set this up right. Also look into cloud storage as you can set worm permissions.

[OhYou_]

2 hours ago, Electronics Wizardy said:

Plug a HDD in, and it will detect it and copy the copies of the back you want

For this alone if it does it seamlessly, that sounds like a good plan.

3 hours ago, Electronics Wizardy said:

Is this for work? Probably want to find a IT pro if its for work so yo

Yes but I am it for the pro side. The infrastructure is managed by a parent company, but I was specifically requested by my company to start backing up everything we use out of that infrastructure if you know what I mean.
So it is not critical, I am asked to simply do backups. I am choosing to go a few extra steps with it because I can and it's beneficial to my skills as well.

[LIGISTX]

ZFS snapshots are immutable. The only way to delete them is if you have access to TrueNAS (or whatever host your running ZFS on). They can presented over the network share as previous version copies, but they can not be altered any anything except the ZFS host. 
 

You then only allow the host (let’s just assume truenas) to be accessed via ssh or webUI by the management subnet. You do all SMB/NFS/iSCSI over other subnets. This way the only path into truenas itself is via the secured management network, and thus all snapshots are secured via that management network. You can host another Truenas machine at a remote location and use ZFS replication to have it send those snapshots across a VPN tunnel to the remote machine. Same rules apply, those snapshots can only be altered by the host itself. So that remote machine would need to then be logged into and the snapshots deleted for that data to be lost/changed/etc. 

 

Unless you have an actual requirement to air gap the data, I wouldn’t do that. Just making things more difficult for yourself. Properly architected networking and ZFS snapshots should be plenty….