All apps · 0 apps
BombVault
Docker app from junkerderprovinz's Repository
Overview
Readme
View on GitHub
Your Unraid data, sealed in a vault. Armed with a fuse.
BombVault backs up Docker containers, KVM VMs, appdata, the Unraid flash config — and even itself —
and restores everything with a single click. Containers automatically reappear in the
Docker tab, VMs automatically in the VM tab — no manual reinstall, no
reconfiguration, no drama.
Your data, locked in. Loss, locked out. Data loss doesn't stand a chance.
Powered by restic — deduplicated, incremental, always encrypted.
Status: one-click Docker container, KVM/libvirt VM, Unraid flash and app configuration backup & restore are all live (VMs over SSH — no libvirt mount), with off-site repos (SMB/NFS/rclone), per-source retention, file-level restore, integrity checks, pre/post-backup hooks, a protection-status dashboard with restore-verification drills, immutable/append-only off-site with tamper verification (ransomware-resistant), live restore progress + cancel, and notifications (webhook / Matrix / email / Unraid-native / Prometheus). A few niceties remain on the roadmap — marked (planned) below.
Table of Contents
- What is this?
- Screenshots
- Features
- How it works
- Security / trust model
- Requirements
- Install on Unraid
- Configuration
- Development
- Support this project
- Credits
1. What is this?
BombVault is a self-hosted, Unraid-native web app for backup and full disaster recovery of your Docker containers and KVM/libvirt VMs. It runs as a single Docker container, gives you a modern dark web UI, and handles the whole lifecycle:
- Backs up Docker appdata + container definitions, KVM/libvirt VM disks + XML (incl. UEFI NVRAM), the whole Unraid flash (
/boot), and its own/config(settings database + off-site credentials). - Restores automatically — containers are reinstalled and restarted so they reappear in the Docker tab exactly as before, and VMs are re-defined in the VM Manager with their disks + NVRAM reattached.
- Schedules incremental backups in the background (per domain) from the Plans tab — with one-click "include all in schedule" for containers and VMs, so you never have to think about it.
The core idea — one-click backup and automatic re-install of Docker containers — comes from VolumeVault by @Darkdragon14 (Apache-2.0). BombVault is a fresh, independent implementation with restic as the engine; see Credits.
2. Screenshots
Dashboard — RPO protection-status traffic lights per domain, last backups, run history, a backup-health heatmap and per-domain storage/dedup.
Containers — per-container backup with include-in-schedule toggle, backup folders/hooks, one-click backup and plain-tar export.
VMs — KVM/libvirt VM backups over SSH, graceful or live method, schedule inclusion and export.
Flash — whole-/boot USB flash backup with a live progress bar; restore downloads a ZIP and never touches the running flash.
Settings — backup paths, optional off-site copy (restic copy) and staggered local/off-site retention.
3. Features
Simple by default. The interface shows only the essentials (back up, restore, schedule). Flip the Advanced toggle in the sidebar to reveal the expert controls — retention, off-site copy, pre/post hooks, file-level restore, notifications, Prometheus metrics, integrity/maintenance tools and more. It's a per-browser preference, off by default, so newcomers get a clean UI and power users get everything.
Backup scope
| What | What is saved |
|---|---|
| Docker containers | Appdata directory + container definition (image, env vars, ports, labels, volumes) |
| KVM / libvirt VMs | VM disk image(s) + XML definition + UEFI NVRAM (graceful-shutdown or live-snapshot, over SSH). Live snapshots fall back to a graceful backup automatically if the snapshot can't be created, so a VM backup never just errors out |
| Unraid flash | The whole USB flash (/boot) — OS, license, array config, shares, network + plugin config. Restore is a one-click .zip download (never overwrites the live flash) |
| App configuration | BombVault's own /config — its settings database, off-site credentials (rclone.conf) and libvirt SSH keypair, snapshotted with SQLite VACUUM INTO so a WAL-mode database is never captured mid-write. No container stop. Restore is from the Recovery tab, staged and applied by a self-restart so the live database is never overwritten under an open handle |
Restore (the good part)
- One-click full restore — pick a snapshot, click Restore. Done.
- Restore from local or off-site — every backup browser (and the integrity/maintenance card) has a Local | Off-site switch, so if a local repo is lost or corrupt you can list and restore straight from the off-site replica. Delete is per-source: removing a backup only affects the copy you're viewing, never both.
- Containers are automatically reinstalled: the container definition is replayed against the Docker API so the container reappears in the Unraid Docker tab exactly as it was — same image, same settings, same port mappings.
- VMs are automatically recreated: the XML definition is re-imported over SSH so the VM reappears in the VM Manager with its disk + UEFI NVRAM reattached, even after the VM was deleted. A VM deleted from the host shows under Not installed in the VM tab; if its entry is gone too (e.g. after a fresh install), Discover backups rebuilds it from storage — same as for containers.
- Individual restore — restore one container or one VM without touching the others.
- Flash restore is a
.zipdownload — pick a snapshot and it streams straight to your browser asflash-<id>.zip, ready to drop into the Unraid USB creator (or unzip onto a fresh USB). The live, running/bootis never touched, and because a zip carries no filesystem metadata there are no permission errors on the way out. - Scheduled flash zip export — turn it on and, after every flash backup, BombVault also writes the snapshot out as a plain
.zipto a folder you pick — either a singleflash-latest.zipthat's overwritten each time or a rolling history of timestamped zips. Point it at a Syncthing or rclone folder and your bootable-USB backup leaves the server automatically, so it's reachable even when the server itself won't boot. - Pre-flight conflict check — before anything is stopped or removed, restore verifies the container's static IP and published host ports are free; if another container already holds one, it aborts with a clear, actionable message instead of leaving you with a half-finished restore.
- File-level restore — expand a container snapshot's Files, filter, tick any number of files and folders, then restore the whole selection in place (original locations) or into a folder you pick.
- Restore keeps the run-state — a container (or VM) that was running when backed up comes back running; one that was stopped stays stopped. Tick Leave stopped after restore to recreate it without starting it, so you can rebuild a group of dependent containers one by one and start them yourself afterwards.
- Restore a whole stack — containers from the same Docker Compose project (via the
com.docker.compose.projectlabel) are grouped into a Stacks panel. Restore stack rebuilds every member from its latest backup left stopped, then optionally starts them independs_onorder — so a compose stack (e.g. managed with Dockhand) comes back without members racing ahead of their dependencies. - Live progress, cancel & busy feedback — a long restore shows a live percentage bar ("Restoring… NN%") instead of a bare spinner, and can be cancelled with a type-aware confirmation (a restore-to-a-folder cancels cleanly; an in-place restore warns it leaves the target partial). A cancelled restore is recorded as cancelled, not failed. And starting a backup while a restore (or a scheduled/maintenance op) holds a repository now shows a clear "a restore is running" hint instead of silently doing nothing.
- Guided recovery — a dedicated Recovery tab walks a fresh or rebuilt install through the disaster case: it restores BombVault's own settings first (so the backup paths, off-site targets and credentials the rest of the flow needs come pre-filled — applied via a self-restart over the Docker socket, so the live settings database is never overwritten under an open handle), checks BombVault can read your backups (the encryption-key gotcha up front), lets you point at your existing repo (local or off-site), discovers the containers and VMs stored in it, and restores them all (left stopped, so you start them deliberately) — with your recovery kit one click away. Everything a disaster recovery needs, in one place.
Storage & scheduling
- Incremental, deduplicated backups via restic — even large VM disks don't balloon the repo.
- Destinations: a local path, or off-site — SMB/CIFS & NFS (mount the share on Unraid and point a Backup Path at it), native restic backends without rclone (
s3:…,rest:http://host:8000/repo,b2:…,sftp:user@host:/repo) with their credentials stored encrypted under Settings → Cloud credentials, or rclone (any of its remotes) via Settings → Off-site (rclone:<remote>:<bucket>/path). All credentials are stored encrypted. - Off-site copy (local + remote): keep the fast local backup and add an off-site replica. Set a second repo per domain under Settings → Off-site copy; BombVault replicates new snapshots there with
restic copy(best-effort — an off-site hiccup never fails the local backup). The local repo stays primary. Each domain has its own off-site schedule: leave it blank to replicate after every local backup, or set a cadence (e.g.weekly Sun 03:00) to ship off-site less often than you back up locally — plus a Replicate now button for on-demand runs. While a replication is in flight, an off-site replication indicator shows which domain is running (on its page and the Dashboard); it is an active indicator, not a percentage bar, sincerestic copyexposes no machine-readable progress. - Configurable retention (Settings → Retention): keep-last / daily / weekly / monthly, pruned automatically after each backup. Set it per source — a separate policy for the local repo and the off-site repo, so you can keep off-site copies longer as an archive. Leave the off-site policy all-zero to never auto-trim off-site snapshots.
- Per-domain scheduling (daily / weekly / cron); per-backup-group scheduling is (planned).
- Off-site bandwidth limits (Settings → Off-site copy) — cap the
resticupload/download rate so replication doesn't saturate your WAN.
Insight, verification & monitoring
- Protection status (RPO) — the Dashboard shows a green / amber / red indicator per domain comparing the last successful backup against its schedule, so an overdue backup turns red instead of hiding in a log.
- Backup-health heatmap — a GitHub-contributions-style calendar of per-day backup outcomes per domain (green = all OK, red = a failure), with a Containers / VMs / Flash / Config toggle.
- Repository size & dedup trend — current repo size, deduplication ratio and snapshot count per domain, with a sparkline of how storage grows over time.
- Restore-verification drills — BombVault periodically proves your backups are restorable (
restic check --read-data-subset, bounded — never a disk-filling full restore) and shows a "last verified restorable" badge per domain (Settings → Verify). - Encryption-key recovery kit — one-click download of the master key, the derived restic password and the exact repo locations + commands, so you can restore without a running BombVault. A Dashboard reminder nags until you've stored it.
- Notifications — webhook (Discord / Slack / Gotify / ntfy), Matrix, Healthchecks.io, email (SMTP) and Unraid's native notification system (over the SSH link); policy per backup: never / on failure / always. Healthchecks gets the full lifecycle — a
/startping when a backup begins, then success //failon done — whenever a URL is set, independent of that policy, so it measures duration, catches a run that started but never finished, and stays green on success even with failure-only notifications. You can also give each domain (containers / VMs / flash / config) its own Healthchecks check for per-domain runtime and history, or leave them blank to share one global check. - Prometheus
/metrics— opt-in (default off, optional bearer token) for Grafana or Uptime Kuma; exposes backup status, sizes and timestamps, with no secrets or paths in the labels.
Ransomware protection
- Immutable (append-only) off-site — flag an off-site repo append-only so ransomware (or a compromised host) can't delete or rewrite your backups. The far side (a
restic/rest-serverin--append-onlymode) enforces it; BombVault only ever verifies it and never shows green on a configuration claim alone. - Tamper test — BombVault periodically proves the append-only guarantee by actually attempting a delete against the off-site repo (aimed at a non-existent object): refused = protected, accepted = not protected. An inconclusive result (server unreachable, auth error) never flips the stored verdict, and a real protected → unprotected flip fires a single alert.
- Guided off-site setup — a wizard walks you from backend choice (rest-server / rclone / S3) through a ready-to-paste rest-server deploy snippet, a connection test, the immutable toggle (which runs the tamper test immediately) and a retention strategy — so append-only off-site is reachable without hand-editing configs.
- DR drills (off-site) — beyond the local integrity drill, BombVault can restore a real target from the off-site repo into a throwaway sandbox, verify it file-for-file and byte-for-byte, then clean up — proving you can actually recover from off-site, not just that the repo answers.
- Ransomware-protection scorecard — a Dashboard card with a green / amber / red posture per domain and an age-stamped checklist (off-site configured, append-only verified, replication current, restore drill passed, encryption on, prune strategy set); every red row deep-links to the fix. The card and its chip only ever go green on verified facts, never on intent.
- Growth-budget alarm — for an immutable off-site (where old snapshots are deliberately never pruned), set a size budget and get alerted before it runs away.
Other
- Back up many at once — multi-select containers and hit Back up selected. The batch runs server-side, so it keeps going even if you close the tab, lose the connection, or back up the very container your browser is running in. Each container shows its own progress bar plus an overall batch indicator. BombVault never backs up (and so never stops) its own container.
- Snapshot browser with a restore-point list; delete individual backups you no longer want, and a collapsible folder tree for file-level restore.
- Repository maintenance per domain (Settings → Integrity & maintenance): Verify (
restic check), Unlock (clear a stale lock left by an interrupted run), and Prune — when a retention policy is set, Prune applies it (collapses snapshots per your keep-last/daily/weekly/monthly rules and reclaims space), so you can enforce a newly-changed policy on demand instead of waiting for the next backup; with no policy set it stays a plain space-reclaim. - Pre/post-backup hooks per container — shell commands run inside the container (e.g.
mysqldumpinto appdata before backup); a failing pre-hook aborts the backup. - Stop other containers during backup — name dependent containers (e.g. a database) to stop while this one is backed up and start again afterwards.
- Exclude patterns per container — list subdirectories to skip inside a backed-up volume, one per line (e.g. Plex's regenerable
.../Plex Media Server/Cache), to shrink the backup while keeping the important data. Type the paths as you see them inside the container (/config/…); BombVault translates them to what restic stores so they match exactly, and a live preview shows what each line resolves to and warns when a line would exclude nothing. - Plain export — a per-container Export button writes a browsable, tool-free copy next to the repo:
<name>.tar.gzof the backup folders plus the Unraid<name>.xmltemplate (like the Appdata Backup plugin). Restic stays the engine; the export is an extra, unencrypted convenience copy. - VM plain export — VMs have the same Export (plain tar):
<name>.tar.gzof the disk image(s) plus<name>.xml(the persistent domain definition), restorable withvirsh define+ the disk, no BombVault or restic needed. - Restore to an alternate folder — restore a container snapshot (or individual files) to a different path instead of in place, for cloning or inspection.
- Snapshot diff & tags — compare two snapshots to see what changed (files added / changed / removed and the size delta), and tag snapshots to filter them.
- HTTPS out of the box (self-signed, or BYO cert behind a reverse proxy).
- Dark/light UI in 26 languages with a flag picker.
4. How it works
Browser ──HTTPS──> BombVault container
├─ Go binary: JSON API + embedded React UI
├─ Background worker (per-domain scheduler + job executor)
│
├─ /var/run/docker.sock ─> Docker API (container stop/inspect/recreate)
├─ qemu+ssh://host ─> libvirt / KVM on the HOST over SSH (no mount)
├─ /mnt/user/ ─> appdata, VM disks + restic repos (read/write)
├─ /boot/ ─> /host/boot ─> Unraid flash backup (whole USB)
├─ /config ─> BombVault's own settings + credentials (self-backup)
└─ <repo path> ─> restic repository (local; remote planned)
BombVault talks to the Docker socket to stop containers before backup and recreate them after restore. For VMs it runs virsh on the host over SSH (qemu+ssh://) to gracefully shut down or live-snapshot a domain — it never bind-mounts any libvirt path, so it can never interfere with the host VM Manager. All actual data movement goes through restic — BombVault is the orchestration and UI layer, not the storage engine.
Restore is the star: after copying data back from the restic snapshot, BombVault replays the saved container definition against the Docker API (docker run equivalent), so the container reappears in the Unraid Docker tab as if it had always been there. VMs get their XML re-defined over SSH and their disks + UEFI NVRAM reattached.
5. Security / trust model
[!WARNING] BombVault holds root-equivalent control of the host: via the Docker socket it can stop, remove and recreate containers and reads/writes appdata, and for VM backup it logs in to the host over SSH (
qemu+ssh://, root by default) to runvirsh. Anyone who can reach its web UI effectively has root on the host.
BombVault has optional built-in password protection (Settings → Security): set a password
to require login, clear it to disable. It is off by default for trusted-LAN use. Sessions are
signed (HMAC, derived from APP_KEY) and changing the password invalidates them; logins are
rate-limited to slow guessing. Regardless,
run BombVault only on a trusted, non-exposed network — never publish it directly to the
internet; for remote access put it behind a reverse proxy that adds authentication and TLS.
Responses carry baseline security headers (CSP, nosniff, X-Frame-Options, Referrer-Policy).
Because the password gate is opt-in, when it is unset the whole UI and API are reachable by anyone who can reach the port — including the off-site setup and tamper-test routes that mint or use append-only credentials, and the encryption-key recovery kit. Enable the password gate (Settings → Security), especially once off-site/immutable backups or encryption are in use, and never expose the port directly to the internet — reach it over a VPN or a reverse proxy that adds authentication.
Two caveats for the security-conscious: with HTTP_ONLY=true the session cookie loses its
Secure flag (it has to, to work over plain HTTP), so only enable the password behind a
TLS-terminating proxy if confidentiality matters. And the VM-backup SSH connection trusts the
host key on first connect (TOFU) and pins it thereafter — fine on a trusted LAN, but verify the
host's key out-of-band if your container↔host path isn't trusted.
Backups are encrypted by restic when encryption is enabled (Settings; on by default), with the
key derived from APP_KEY.
6. Requirements
| Requirement | Notes |
|---|---|
| Unraid 6.12+ | Earlier versions not tested |
| Restic repo location | Local path (recommended: your array or cache), SMB, NFS, or any rclone backend |
| Docker socket | Mounted by the template automatically (/var/run/docker.sock) |
Unraid flash (/boot) |
Mounted whole by the template automatically (/boot → /host/boot). Powers Flash backup of the entire USB, and lets a restored container reappear as a normal, editable Unraid app (via the templates folder under /boot) instead of a "third-party" container |
| KVM VMs (opt-in) | VM backup talks to libvirt over SSH — no libvirt mount. Set it up in Settings → see below |
[!IMPORTANT] VM backup uses SSH, not a libvirt mount. BombVault never bind-mounts any libvirt path (mounting the host's libvirt socket/runtime on Unraid is fragile — the VM Manager owns those paths and toggling "Enable VMs" can leave libvirt unable to start). Instead it runs
virshon the host over SSH (qemu+ssh://), so it can never affect your host VM Manager. Setup: Settings → VM Backup over SSH → copy the shown public key → append it to Unraid's/root/.ssh/authorized_keys→ click Test connection. The template adds--add-host=host.docker.internal:host-gatewayso the container reaches the host; setLIBVIRT_HOSTto your Unraid LAN IP if that name doesn't resolve (e.g. when the container runs on a custombr0.xnetwork). If you changed Unraid's SSH port, setLIBVIRT_SSH_PORTto match (default22). The SSH key grants root on the host — the same trust level as the docker.sock BombVault already uses. Live snapshots additionally need the qemu guest agent in the VM and the disk on/mnt/cache(not/mnt/user).Full setup + networking guide: docs/vm-backup-ssh-setup.md.
7. Install on Unraid
Install via Community Applications — search for BombVault.
Or add the template manually:
- In Unraid, go to Docker → Add Container → Template repositories and add:
https://github.com/junkerderprovinz/unraid-apps - Search for BombVault in Templates.
- Set the required variables (see Configuration) and click Apply.
8. Configuration
| Variable | Required | Description |
|---|---|---|
APP_KEY |
Yes | 32-byte hex secret (64 hex chars) used to derive the restic repo password. Generate with openssl rand -hex 32. Keep this safe — losing it makes encrypted backups unrecoverable. |
LIBVIRT_HOST |
For VMs | Unraid host reached over SSH for VM backup (default host.docker.internal; set to the host LAN IP on a custom br0.x network). |
LIBVIRT_SSH_PORT |
No | Host SSH port for VM backup (default 22). |
LIBVIRT_SSH_USER |
No | SSH user on the host for VM backup (default root). |
PORT |
No | HTTP port (default 3000). |
HTTPS_PORT |
No | HTTPS port (default 3443; the template maps it to 3001). |
HTTP_ONLY |
No | Set true to disable the self-signed HTTPS listener and serve plain HTTP only. |
TZ |
No | Timezone for the scheduler (e.g. Europe/Berlin). |
Mount the Docker socket, your appdata and a backup directory as shown in the CA template. Backup repository paths are configured in the app (Settings → Backup paths) — not via env — and default to /mnt/user/bombvault/{container,vms,flash,config}, created on the first backup (change the location any time in Settings). VM backup needs no mount: see §6 and docs/vm-backup-ssh-setup.md.
[!NOTE] Host integration check: open
/spikein the web UI after the container starts. It probes every mount and CLI (Docker socket, libvirt, restic, qemu-img, rclone) and reports any missing pieces.
9. Development
BombVault is a single static Go binary that serves a JSON API and an embedded
React/Vite SPA (go:embed). Build the SPA first, then run the binary:
npm --prefix web ci
npm --prefix web run build # outputs web/dist (embedded into the binary)
export APP_KEY=$(openssl rand -hex 32)
go test ./... # Go unit + integration tests (real restic roundtrip)
golangci-lint run ./... # lint
go run ./cmd/bombvault # serves https://localhost:3443 (self-signed cert)
Real Docker, libvirt and Unraid behavior cannot be tested in CI (no KVM, no Unraid on runners). Use the host integration check (/spike in the web UI) to validate mounts, restic and the VM SSH connection on your actual Unraid host before submitting a PR.
10. Support this project
Questions, bugs, ideas? Unraid support thread → (or open a GitHub issue).
11. Credits
- VolumeVault by @Darkdragon14 (Apache-2.0) — the original idea that sparked BombVault: one-click backup and automatic re-install of Docker containers. Thank you. BombVault is an independent rewrite (Go + restic) that extends the concept to VMs and the Unraid flash.
- restic — the fast, secure, deduplicating backup engine BombVault orchestrates.
- rclone — off-site cloud backends.
Part of a family of self-hosted Unraid apps + plugins by junkerderprovinz — see them all at github.com/junkerderprovinz, or install from Community Applications.
Install BombVault on Unraid in a few clicks.
Find BombVault in Community Apps on your Unraid server, review the template, and click Install. Unraid handles the Docker app or plugin setup from the published template.
Categories
Download Statistics
Related apps
Explore more like this
Explore allLinks
Details
junkerderprovinz/bombvault:latestRuntime arguments
- Web UI
https://[IP]:[PORT:3443]/- Network
bridge- Shell
bash- Privileged
- false
- Extra Params
--restart unless-stopped --add-host=host.docker.internal:host-gateway
Template configuration
The BombVault WebUI (HTTPS, self-signed cert out of the box). This is the port you open.
- Target
- 3443
- Default
- 3443
- Value
- 3443
Plain-HTTP port. Only used when HTTP_ONLY is set to true (i.e. behind a TLS-terminating reverse proxy). Leave at the default otherwise.
- Target
- 3000
- Default
- 3000
- Value
- 3000
Serve plain HTTP instead of HTTPS — only for use behind a TLS-terminating reverse proxy. false = HTTPS (recommended); true = plain HTTP on the HTTP port above. NOTE: when true, the WebUI link still points to HTTPS — open http://[IP]:[PORT:3000]/ instead (or set the container's WebUI to it).
- Default
- false|true
- Value
- false
REQUIRED. 64 lowercase hex chars: openssl rand -hex 32. Master key for secrets and the derived restic password; losing it makes encrypted backups unrecoverable.
BombVault's own state (SQLite DB, TLS cert, restic cache).
- Target
- /config
- Default
- /mnt/user/appdata/bombvault
- Value
- /mnt/user/appdata/bombvault
Your Unraid storage root /mnt — covers the user share AND cache/pool mounts, so any container's appdata (wherever it lives) is reachable. Backup SOURCES (container appdata) and DESTINATIONS both live here; pick the exact subpaths in the WebUI under Settings. Read for backup, written on restore.
- Target
- /host/user
- Default
- /mnt
- Value
- /mnt
The Unraid USB flash, mounted whole. Powers two things: (1) Flash backup (Settings - Domains - Flash) of the entire /boot - Unraid OS, license, array config, shares, network and plugin config; and (2) capturing/restoring a container's Unraid template (under /boot/config/plugins/dockerMan/templates-user) so a restored container reappears as a NORMAL, editable Unraid app instead of a 'third-party' container. Leave at the default. Flash RESTORE never overwrites the live flash - it extracts to a folder you then copy onto a fresh USB.
- Target
- /host/boot
- Default
- /boot
- Value
- /boot
Root-equivalent host control: stop/start/recreate containers around backup/restore. Together with the broad /mnt mount this gives BombVault root-equivalent access to your host, so run it only on a trusted, non-exposed network.
- Target
- /var/run/docker.sock
- Default
- /var/run/docker.sock
- Value
- /var/run/docker.sock
The HOST path mounted as 'Host Data' (default /mnt). BombVault translates the bind-mount sources Docker reports (e.g. /mnt/user/appdata/x) into paths under this mount. Change only if you mounted a different host root than /mnt.
- Default
- /mnt
- Value
- /mnt
The name of THIS container, so BombVault never backs up (and thus stops) itself. Defaults to BombVault and normally needs no change — auto-detected via the hostname on bridge networking. Set it to match the container name if you renamed the container or run it with host networking.
- Default
- BombVault
- Value
- BombVault
VM backup only. Set this to your Unraid host's LAN IP (the IP you open the web UI on, e.g. 192.168.x.x) — replace the placeholder. On simple bridge networking you may instead use host.docker.internal. Leave the placeholder if you don't use VM backup.
- Target
- LIBVIRT_HOST
- Default
- 192.168.x.x
- Value
- 192.168.x.x
VM backup only. Unraid's SSH port. Change only if you changed it from 22.
- Target
- LIBVIRT_SSH_PORT
- Default
- 22
- Value
- 22
VM backup only. SSH user on the host. Leave as root.
- Target
- LIBVIRT_SSH_USER
- Default
- root
- Value
- root