Zerobyte Deployment Guide on RamNode VPS | Encrypted Backup Automation

What Zerobyte Provides

Automated encrypted backups powered by Restic with compression and deduplication
Flexible scheduling with fine-grained retention policies (daily, weekly, monthly)
Multi-protocol volume support: local directories, NFS, SMB, WebDAV, and SFTP
S3-compatible, REST server, and rclone-based repository backends
Modern web dashboard for job monitoring, snapshot browsing, and one-click restores
Multi-user support with separate volume and repository management per user

Recommended RamNode VPS Specifications

Component	Recommendation
Plan	KVM SSD 2 GB ($10/month) or higher
CPU	1 vCPU (2+ for heavy workloads)
RAM	2 GB minimum (4 GB preferred for large repos)
Storage	20 GB+ SSD (depends on backup volume)
OS	Ubuntu 24.04 LTS (64-bit)
Network	1 Gbps unmetered bandwidth

💡 RamNode Advantage

New RamNode accounts receive up to $500 in annual credits. A $5/month KVM plan gives you everything you need to run Zerobyte alongside other lightweight services.

Initial Server Setup

Provision a fresh Ubuntu 24.04 LTS VPS from the RamNode dashboard and SSH into your server.

Connect via SSH

ssh root@YOUR_VPS_IP

Update System Packages

System update

apt update && apt upgrade -y
apt install -y curl wget git ufw software-properties-common

Create a Non-Root User

Running services as root is a security risk. Create a dedicated user:

Create user

adduser zerobyte
usermod -aG sudo zerobyte
su - zerobyte

Configure the Firewall

UFW setup

sudo ufw allow OpenSSH
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable
sudo ufw status

Security Note

Do not expose port 4096 directly to the internet. Zerobyte should always be accessed behind a reverse proxy with HTTPS or through a secure tunnel.

Install Docker and Docker Compose

Zerobyte runs as a Docker container. Install Docker Engine and the Compose plugin using the official repository.

Add Docker GPG key and repository

# Add Docker's official GPG key
sudo apt install -y ca-certificates curl gnupg
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
  | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
sudo chmod a+r /etc/apt/keyrings/docker.gpg

# Add the Docker repository
echo "deb [arch=$(dpkg --print-architecture) \
  signed-by=/etc/apt/keyrings/docker.gpg] \
  https://download.docker.com/linux/ubuntu \
  $(. /etc/os-release && echo $VERSION_CODENAME) stable" \
  | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

Install Docker packages

sudo apt update
sudo apt install -y docker-ce docker-ce-cli \
  containerd.io docker-buildx-plugin \
  docker-compose-plugin

Enable Docker for your user

sudo usermod -aG docker $USER
newgrp docker
docker --version
docker compose version

Deploy Zerobyte

Create the Project Directory

Create directory

mkdir -p ~/zerobyte && cd ~/zerobyte

Generate the Application Secret

Zerobyte requires a unique application secret for authentication and session management:

Generate secret

openssl rand -hex 32

Copy the output — you will use it as the APP_SECRET value below.

Create the Docker Compose File

docker-compose.yml

services:
  zerobyte:
    image: ghcr.io/nicotsx/zerobyte:v0.26
    container_name: zerobyte
    restart: unless-stopped
    cap_add:
      - SYS_ADMIN
    ports:
      - "127.0.0.1:4096:4096"
    devices:
      - /dev/fuse:/dev/fuse
    environment:
      - TZ=America/Chicago
      - BASE_URL=https://backups.example.com
      - APP_SECRET=YOUR_GENERATED_SECRET_HERE
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/lib/zerobyte:/var/lib/zerobyte

Important

Replace YOUR_GENERATED_SECRET_HERE with the output from the openssl command. Replace backups.example.com with your actual domain. The port binding 127.0.0.1:4096 ensures Zerobyte is only accessible locally.

Launch Zerobyte

Start container

cd ~/zerobyte
docker compose up -d

Verify container is running

docker compose logs -f zerobyte

You should see Zerobyte start up on port 4096. Press Ctrl+C to exit the log view.

Configure a Reverse Proxy with Caddy

Caddy provides automatic HTTPS with zero-configuration TLS certificate management, making it ideal for securing Zerobyte.

Install Caddy

sudo apt install -y debian-keyring debian-archive-keyring \
  apt-transport-https
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' \
  | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' \
  | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install -y caddy

Configure the Caddyfile

Edit Caddyfile

sudo nano /etc/caddy/Caddyfile

/etc/caddy/Caddyfile

backups.example.com {
    reverse_proxy 127.0.0.1:4096
    encode gzip
}

Start Caddy

sudo systemctl restart caddy
sudo systemctl enable caddy
sudo systemctl status caddy

🌐 DNS Configuration

Make sure your domain has an A record pointing to your RamNode VPS IP address. Caddy will automatically obtain and renew certificates from Let's Encrypt.

Initial Zerobyte Configuration

Open your browser and navigate to your configured domain (e.g., https://backups.example.com). You will be presented with the registration screen.

Create Your Admin Account

Enter a username and a strong password to create the first administrator account with full access to all Zerobyte features.

Add a Backup Repository

Repositories are where your encrypted backups are stored. Zerobyte supports:

Local directories (stored under /var/lib/zerobyte/repositories/ by default)
S3-compatible storage (Amazon S3, MinIO, Wasabi, DigitalOcean Spaces, Backblaze B2)
REST server (ideal for offsite backups to another VPS)
SFTP or rclone remotes (40+ cloud providers)

Critical

Store your repository encryption password in a secure location outside of Zerobyte (e.g., a password manager). If you lose this password, your backups cannot be decrypted.

Add Backup Volumes

Mount host directories into the Zerobyte container by adding volume mappings to docker-compose.yml:

Additional volume mappings

volumes:
  - /etc/localtime:/etc/localtime:ro
  - /var/lib/zerobyte:/var/lib/zerobyte
  - /home:/mnt/home:ro       # Host home directories
  - /etc:/mnt/etc:ro         # System configurations
  - /var/www:/mnt/www:ro     # Web application data

Recreate the container

cd ~/zerobyte
docker compose up -d

Create a Backup Schedule

With a repository and volumes configured, create a backup job:

Navigate to Backups and click Create Backup
Select the volume(s) to back up and the target repository
Configure the schedule (e.g., daily at 2:00 AM)
Set retention policies (e.g., keep 7 daily, 4 weekly, 12 monthly snapshots)
Optionally add exclude patterns for files you do not need

Optional — Configure rclone for Cloud Backends

If you want to back up to cloud providers (Google Drive, Dropbox, OneDrive, Backblaze B2, Hetzner Storage Box, etc.), install rclone on the host.

Install rclone

curl https://rclone.org/install.sh | sudo bash
rclone config

Follow the interactive prompts to configure your remote storage, then test the connection:

Test connection

rclone lsd myremote:

Mount rclone Config in Zerobyte

Add the rclone configuration directory to your docker-compose.yml:

rclone volume mapping

volumes:
  - /etc/localtime:/etc/localtime:ro
  - /var/lib/zerobyte:/var/lib/zerobyte
  - ~/.config/rclone:/root/.config/rclone:ro

Restart the container, then when creating a repository in Zerobyte, choose rclone as the type and select your configured remote.

Security Hardening

Keep Zerobyte Behind a Reverse Proxy

As configured in this guide, Zerobyte listens only on 127.0.0.1:4096. All external access goes through Caddy with automatic HTTPS. Never expose port 4096 directly to the internet.

Use Docker Secrets for Sensitive Values

Zerobyte supports dynamic secret resolution with these prefixes:

env://VAR_NAME — reads the secret from an environment variable
file://SECRET_NAME — reads from /run/secrets/SECRET_NAME (Docker Secrets)

Enable Automatic Security Updates

Unattended upgrades

sudo apt install -y unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades

Harden SSH Access

SSH hardening

sudo nano /etc/ssh/sshd_config
# Set: PasswordAuthentication no
# Set: PermitRootLogin no
sudo systemctl restart sshd

Updating Zerobyte

Update the Image Tag

Edit docker-compose.yml and update the image tag:

Update version

image: ghcr.io/nicotsx/zerobyte:v0.27  # Update version

Pull and Restart

Apply update

cd ~/zerobyte
docker compose pull
docker compose up -d
docker compose logs -f zerobyte

📌 Version Pinning

Always pin to a specific version tag (e.g., v0.26) rather than using latest. Zerobyte is in the 0.x series and may introduce breaking changes. Review the release notes before upgrading.

Restoring from Backups

When you need to recover data, Zerobyte makes restoration straightforward through its web interface:

Navigate to the Backups section and select the relevant backup job
Browse available snapshots and select the one to restore from
Choose to restore the full snapshot or select individual files and directories
Zerobyte will pull the selected data from Restic and restore it to the original paths

🧪 Restore Best Practice

Test your restores regularly. A backup you have never tested is a backup you cannot trust. Schedule quarterly restore drills to verify backup integrity.

Troubleshooting

🎉 Conclusion

You now have a production-ready Zerobyte backup system running on your RamNode VPS. Your data is protected with Restic's AES-256 encryption, automated on your schedule, and accessible through a modern web dashboard secured with HTTPS.

For ongoing management, bookmark the Zerobyte dashboard and check backup logs periodically. Enable notification integrations (email, Telegram) within Zerobyte to receive alerts on backup successes, failures, and warnings.

← More Deployment Guides View Cloud VPS Plans →

Deploying Zerobyte