We use an APC power controller on a schedule, and a set of USB drives each plugged into one controlled outlet.  We do initial backups to some space on a NAS, and use offsite/local replication to push to the "O:" drive, which is whichever of those USB drives is currently powered up by the APC power controller.  We run an agent procedure to "eject" the USB drive 5 minutes before the scheduled power-down/power up.

So:

Drive 1: power to APC port 1, USB to server

Drive 2: power to APC port 2, USB to server

etc.

All drives have been plugged in individually and set to be the O: drive.  This means we must never power on more than one of them at a time!

We have an offsite server process running, pointing at O:\AirGap

We have a local server process running, sourcing from \\NAS01\Serverbackups

The transfer schedule says "Midnight until 11:20pm"

Say it's Monday: APC Port 1 powered on, 2,3, all the rest "off"

At 11:25pm we run an agent procedure to "eject" the O: drive

at 11:30pm the APC's schedule powers off port 1.

at 11:35pm the APC's schedule powers on port 2

So what happens is this, as soon as "drive 2" powers on, it arrives on the server as O:

At midnight, replication resumes, cleans up the drive that is now the O: drive, and starts replicating everything from \\NAS01\Serverbackups to it.  If we had a terrible malware-encrypting-end-of-business-as-we-know-it crash, the USB drive hooked up (but powered off) on APC port 1 (and ports, 3, 4, ...) would all contain older sets of backups that couldn't be touched since they aren't physically powered on.

An 8-port power controller with 8 USB drives gives 7 "air gapped" days of complete backups at any given time, as long as nothing goes wrong... and of course if a drive starts to fail Kaseya monitoring will let us know in plenty of time to get it remedied.  It's totally hands-off, and as long as someone is minding the alarms, pretty bulletproof.