My personal website and Gemini capsule
+++
title = 'The Wonderful World of Restic'
date = 2021-04-13
tags = ['restic', 'backup']
+++

## Context

I recently decided to start using my own home server to store my dotfiles. The main reasons are simplicity, privacy, and security. I previously stored them in a repository on my GitHub account and installed them with Ansible, but I have increasingly found it cumbersome when trying to keep them updated and in sync. On GitHub, the changes (and mistakes!) I make to my dotfiles are publicly viewable; sometimes I’ll make changes several times a day, sometimes scrapping a change entirely when I later realize it was not such a good idea or breaks something in my activity flow. I also would love the convenience of keeping SSH keys and GPG keychains in sync and updated, and storing them on a public server is obviously not an option, nor is storing them in a private repository hosted on GitHub or GitLab.

## Cue Restic

My home server is basically just my old 2013 MacBook Pro running Fedora Server edition. It has a 250GB SSD, which is more than enough for what I need. I also have a 1TB external SSD which I will use to emulate redundancy. I installed and configured the rest-server software to act as a backend for my Restic backups.

## Setting up the rest server

First build the rest-server binary and move it to a directory in PATH. This step requires Go 1.11 or higher. Optionally, you can download the latest compiled rest-server binary from its releases page.

* [GitHub :: restic/rest-server/releases](https://github.com/restic/rest-server/releases)

```shell
git clone https://github.com/restic/rest-server
cd rest-server/
CGO_ENABLED=0 go build -o rest-server ./cmd/rest-server
sudo cp -v rest-server /usr/local/bin/
```

I also configured the systemd unit file so that rest-server runs on startup with the appropriate flags.
I need only configure the options User, Group, ExecStart, and ReadWritePaths in the [Service] section:

```shell
cd ~/rest-server/examples/systemd/
ls .
```

rest-server.service:

```systemd
[Service]
Type=simple
User=restic-data
Group=restic-data
ExecStart=/usr/local/bin/rest-server --path /opt/restic-backups --no-auth
Restart=always
RestartSec=5

# Optional security enhancements
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=strict
ProtectHome=yes
ReadWritePaths=/opt/restic-backups
```

Since this is a local home server, I pass the `--no-auth` flag to the rest-server ExecStart command.

I now create the restic-data user and group.

* Ensure a default home directory is not created under /home by passing the `-M` flag.
* Set a custom home directory for the user at /opt/restic-backups with the `-d` flag.
* Ensure the shell is assigned to `/sbin/nologin`.
* The restic-data user is not meant to be used for logging in, so we pass the `--system` flag.

```shell
sudo useradd -c "Restic Data" -M -d /opt/restic-backups -s /sbin/nologin --system restic-data
```

* Ensure the backups path exists and has appropriate permissions.
* Copy the systemd unit file to a location where systemd will look for it.
* Enable and start the rest-server systemd service.

```shell
sudo mkdir /opt/restic-backups
sudo chown -R restic-data:restic-data /opt/restic-backups
sudo cp -v rest-server.service /etc/systemd/system/
sudo systemctl daemon-reload
sudo systemctl enable --now rest-server.service
```

Since I'm using a firewall, I ensure the port the rest-server listens on is allowed locally:

```shell
sudo firewall-cmd --zone=FedoraServer --permanent --add-port=8000/tcp
sudo firewall-cmd --reload
```

Now on the host, which in this case is my laptop, I have the Restic client installed from my distribution's package repository.

* Initialize a Restic storage repository on the server from the host, and supply it with a password. This password will be used every time I attempt to access the storage repository.
* Back up my dotfiles.

```shell
restic -r rest:http://local-server:8000/dotfiles init
restic -r rest:http://local-server:8000/dotfiles backup ~/dotfiles
```

One of the best features of Restic is that it makes restoring backups really simple. It also provides snapshot functionality, so I can restore different versions of specific files from other snapshots.

```shell
restic -r rest:http://local-server:8000/dotfiles snapshots

enter password for repository:
repository 9a280eb7 opened successfully, password is correct
ID        Time                 Host        Tags        Paths
------------------------------------------------------------------------------
11738fec  2021-04-12 09:13:17  toolbox                 /var/home/jeff/dotfiles
dfc99aa3  2021-04-12 10:31:39  toolbox                 /var/home/jeff/dotfiles
f951eedf  2021-04-12 11:25:21  toolbox                 /var/home/jeff/dotfiles
62371897  2021-04-12 18:43:53  toolbox                 /var/home/jeff/dotfiles
------------------------------------------------------------------------------
4 snapshots
```

Since Restic saves the backup's absolute path, restoring it to / will ensure it is restored to its original location on the local filesystem. To restore a snapshot:

```shell
restic -r rest:http://local-server:8000/dotfiles restore dfc99aa3 --target /
```

To list files in a snapshot:

```shell
restic -r rest:http://local-server:8000/dotfiles ls dfc99aa3
```

Yay, very nice!

* <https://restic.net/>
* <https://github.com/restic/rest-server>
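
The rest-server unit configured earlier runs with `--no-auth` over plain HTTP on a firewall-opened port. As an added example (not part of the original post or of the rest-server project), the shell function below checks a unit file for that and for related rest-server flags and sandbox directives; `sample_unit` and `audit_unit` are names made up here, and the sample unit is constructed from the article's own file.

```shell
#!/bin/sh
# Added example: flag risky settings in a rest-server systemd unit file.

# Constructed sample: the [Service] section shown in the article.
sample_unit() {
cat <<'EOF'
[Service]
Type=simple
User=restic-data
Group=restic-data
ExecStart=/usr/local/bin/rest-server --path /opt/restic-backups --no-auth
Restart=always
RestartSec=5
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=strict
ProtectHome=yes
ReadWritePaths=/opt/restic-backups
EOF
}

# audit_unit FILE: print one "key: reason" finding per line (nothing if clean).
audit_unit() {
    exec_line=" $(grep -E '^ExecStart=' "$1" | tail -n 1) "
    case $exec_line in
        *" --no-auth "*) echo "no-auth: anyone who can reach the port can write or delete repository data" ;;
    esac
    case $exec_line in
        *" --append-only "*) ;;
        *) echo "append-only: clients can delete or overwrite existing snapshots" ;;
    esac
    case $exec_line in
        *" --tls "*) ;;
        *) echo "tls: plain HTTP; htpasswd credentials would cross the network unencrypted" ;;
    esac
    case $exec_line in
        *" --listen "*|*" --listen="*) ;;
        *) echo "listen: no --listen given, so the default :8000 binds every interface" ;;
    esac
    for d in User NoNewPrivileges ProtectSystem ProtectHome PrivateTmp ReadWritePaths; do
        grep -Eq "^$d=" "$1" || echo "sandbox: $d is not set"
    done
}

unit=$(mktemp)
sample_unit > "$unit"
audit_unit "$unit"
rm -f "$unit"
```

Restic encrypts repository contents on the client, so the findings concern who can add or remove data on the server and what crosses the network, not the confidentiality of the stored files.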