Vanguard Backup
Self-hosted backup automation for Ubuntu and Debian servers with S3 storage, SSH-based file and database backup, and multi-channel notifications.
Vanguard is an open-source backup platform built with Laravel and PHP 8.3 that automates file and database backups on Ubuntu and Debian servers. It connects to remote machines over SSH using phpseclib3, compresses and encrypts backup archives, then streams them to S3-compatible storage or local destinations—all managed through a Livewire-powered web interface without requiring any agent software on target servers.
The application is built as a self-contained Laravel monolith with a queue-driven architecture: backup tasks run as Horizon-managed jobs with 30-minute timeouts, real-time status updates arrive via Laravel Reverb WebSockets, and notification results are dispatched through Email, Discord, Slack, and Pushover. A full REST API backed by Laravel Sanctum lets DevOps teams trigger backups programmatically, retrieve logs, and query upcoming scheduled runs from CI/CD pipelines or monitoring dashboards.
Vanguard targets teams and individuals who want transparent control over their backup infrastructure without vendor lock-in. The self-hosting model means you own the backup data, the encryption keys, and the scheduling logic. With OAuth login via GitHub, GitLab, or Bitbucket and optional two-factor authentication, access control meets modern security expectations while keeping the operational footprint on a single PHP server.
What You Get
- File and Database Backup Engine - Backs up filesystem directories and SQL databases (MySQL, PostgreSQL) over SSH with configurable retention policies, compression, and optional custom filename prefixes.
- S3-Compatible Cloud Storage - Streams encrypted backup archives directly to Amazon S3 or any S3-compatible object store using your own credentials and bucket configuration.
- Multi-Channel Failure Alerts - Sends real-time notifications via Email, Discord, Slack, and Pushover on backup success, failure, or warning conditions so issues are caught immediately.
- SSH-Native Remote Connections - Connects to remote servers using phpseclib3 for pure-PHP SSH without requiring system-level ssh binaries or ssh-agent on the backup host.
- Pre/Post Backup Script Hooks - Runs arbitrary shell scripts before or after each backup task, enabling database freeze commands, service stops, or custom validation logic.
- REST API with Sanctum Authentication - Exposes a full API for triggering backups, retrieving logs, listing upcoming scheduled tasks, and integrating with CI/CD pipelines.
- Backup Statistics Dashboard - Visualizes backup history, success rates, storage consumption, and runtime performance using Chart.js graphs on the overview and statistics pages.
- OAuth Login and Two-Factor Auth - Supports GitHub, GitLab, and Bitbucket OAuth alongside TOTP-based two-factor authentication for secure team access management.
Common Use Cases
- WordPress site on a VPS - A solo developer schedules daily MySQL database and wp-content file backups to an S3 bucket, with Slack alerts on failure, and keeps 30 days of retention without any cron script maintenance.
- Multi-server managed hosting - A managed service provider deploys Vanguard to centrally schedule and monitor backups across dozens of client servers, using the REST API to pull backup status into a monitoring dashboard.
- Post-deployment database snapshots - A DevOps team calls the Vanguard API from their GitHub Actions workflow after each production deploy to capture a pre-rollback database snapshot tagged with the release version.
- Regulatory data retention - A compliance-conscious team configures 90-day S3 retention with encrypted storage and uses Vanguard’s statistics reports to demonstrate audit-ready backup coverage.
- Application with pre-backup maintenance mode - A developer uses Vanguard’s pre-backup script hooks to put a Laravel app into maintenance mode before the database dump and bring it back afterward, ensuring consistent backups.
Under The Hood
Architecture
Vanguard follows a layered Laravel monolith where HTTP controllers, Livewire UI components, and queue-dispatched Jobs each occupy distinct layers with minimal cross-cutting concerns. The backup engine is built around a template method pattern: AbstractBackupTask defines the lifecycle (initialize, perform, finalize, cleanup) and delegates the actual backup logic to FileBackupTask and DatabaseBackupTask subclasses. Storage backends—S3 and Local—implement a shared BackupDestinationInterface, and SSH connectivity is abstracted behind SFTPInterface, so the task layer never directly depends on transport or storage implementations. Horizon manages queued jobs with configurable concurrency, while Reverb delivers real-time log streaming to the Livewire frontend via WebSockets, creating a coherent event flow from job execution through to browser UI updates.
Tech Stack The backend runs on PHP 8.3 with Laravel 11.9, Livewire 3 with Volt for reactive server-rendered UI components, and Laravel Breeze for authentication scaffolding. Queue management is handled by Laravel Horizon, application monitoring by Laravel Pulse, and real-time events by Laravel Reverb. SSH and SFTP operations are performed entirely in PHP userland via phpseclib3, removing the dependency on system SSH binaries. S3 storage uses League Flysystem with the AWS S3 v3 adapter. The frontend is built with Vite 6.3, Tailwind CSS 3, Chart.js for visualizations, and Tippy.js for tooltips; Pusher-js and Laravel Echo connect to Reverb for live updates. Sentry handles error tracking in production.
Code Quality
The codebase maintains comprehensive test coverage across 146 test files using Pest PHP’s expressive API, spanning unit tests for models and services and feature tests for HTTP, Livewire components, jobs, and API endpoints. Every PHP file declares strict_types=1 and uses type-hinted method signatures throughout. Error handling is explicit and typed: named custom exceptions (SFTPConnectionException, DatabaseDumpException, BackupTaskRuntimeException) propagate distinct failure modes rather than swallowing errors in generic catch blocks. Larastan provides static analysis, Laravel Pint and Tighten Duster enforce code style, and Husky with Prettier manages frontend formatting. A GitHub Actions CI pipeline runs the full test suite and static analysis on every pull request.
What Makes It Unique Vanguard’s use of phpseclib3 for all SSH operations is a deliberate architectural choice that makes the backup host agnostic of system-level SSH configuration—no ssh-agent, no known_hosts management, no binary path assumptions. Pre and post-backup script hooks go beyond simple file copying to support arbitrary server-side operations like flushing caches or enabling maintenance modes before a dump. Laravel Pennant powers a user-facing Experiments panel that lets administrators toggle in-progress features without redeploying, treating experimental capabilities as first-class configuration rather than hidden flags. The Year-in-Review analytics feature generates personalized backup summaries from historical data, adding a transparency layer that most backup tools omit entirely.
Self-Hosting
Vanguard is released under the GNU Affero General Public License v3.0 (AGPL-3.0). This is a copyleft license that grants you the freedom to use, modify, and redistribute the software commercially. The critical implication for self-hosters is the network copyleft clause: if you modify Vanguard and expose it as a service to others over a network, you are required to make your modifications available under the same AGPL-3.0 terms. For teams running Vanguard solely for their own internal backup operations—the primary intended use case—this clause does not restrict you at all. You can customize the codebase freely without any open-source disclosure obligation as long as you are not offering the modified version as a service to third parties.
Running Vanguard in production requires a PHP 8.3 server (Ubuntu or Debian recommended) with a relational database for the application itself (MySQL or PostgreSQL), a Redis instance for queue management via Laravel Horizon, and a way to run the queue workers persistently. The official documentation covers installation step-by-step, but you are responsible for server provisioning, keeping PHP and dependencies updated, managing the Redis queue workers, and monitoring the Horizon dashboard for job failures. Backup storage costs are entirely your own, billed directly through whatever S3-compatible provider you configure. There is no managed hosting option, so operational burden—uptime, patching, scaling—rests with your team.
Vanguard has no official paid tier or commercial cloud product as of the latest release. This means you get the full feature set by self-hosting, but also means there is no vendor SLA, no professional support contract, and no managed upgrade path. Community support is available through the GitHub Discussions forum and email contact. If your team requires guaranteed uptime, SOC 2 compliance, or hands-off operational management for a backup system, you would need to either invest significantly in self-hosted infrastructure hardening or evaluate commercial backup solutions. The trade-off is straightforward: maximum data ownership and zero licensing cost in exchange for full operational responsibility.
Related Apps
Netdata
Monitoring · Devops
Real-time per-second metrics, ML-powered anomaly detection, and zero-config observability for any infrastructure.
Netdata
GPL 3.0Caddy
Devops · Security
The only web server that obtains and renews TLS certificates automatically, with HTTP/1-2-3 support and zero dependency on external runtimes.
Caddy
Apache 2.0Docker (Moby)
Devops · Developer Tools
The open-source container engine at the heart of Docker — a modular toolkit of runtime, build, and networking components for assembling container-based systems.