The Wonderful World of Restic
Context
I recently decided to start using my own home server to store my dotfiles. The main reasons are simplicity, privacy, and security. I previously stored them in a repository on my GitHub account and installed them with Ansible, but I have increasingly found it cumbersome when trying to keep them updated and in sync. On GitHub, the changes (and mistakes!) I make to my dotfiles are publicly viewable; sometimes I’ll make changes several times a day, sometimes scrapping a change entirely when I later realize it was not such a good idea or breaks something in my activity flow. I also would love the convenience of keeping SSH keys and GPG keychains in sync and updated, and storing them on a public server is obviously not an option, nor even in a private repository hosted on GitHub or GitLab.
Cue Restic
My home server is basically just my old 2013 MacBook Pro running Fedora Server edition. It has a 250GB SSD, which is more than enough for what I need. I also have a 1TB external SSD which I will use to emulate redundancy. I installed and configure the rest-server software to act as a backend for my Restic backups.
Setting up the rest server
First build the rest-server binary and move it to a directory in PATH. This step requires Go 1.11 or higher. Optionally, you can download the latest compiled rest-server binary from its releases page.
1git clone https://github.com/restic/rest-server
2cd rest-server/
3CGO_ENABLED=0 go build -o rest-server ./cmd/rest-server
4sudo cp -v rest-server /usr/local/bin/ I also configured the systemd unit file so that rest-server runs on startup with the appropriate flags. I need only configure the options User, Group, ExecStart, and ReadWritePaths in the [Service] section:
1cd ~/rest-server/examples/systemd/
2ls . rest-server.service:
1[Service]
2Type=simple
3User=restic-data
4Group=restic-data
5ExecStart=/usr/local/bin/rest-server --path /opt/restic-backups --no-auth
6Restart=always
7RestartSec=5
8
9# Optional security enhancements
10NoNewPrivileges=yes
11PrivateTmp=yes
12ProtectSystem=strict
13ProtectHome=yes
14ReadWritePaths=/opt/restic-backups Since this is a local home server, I pass the --no-auth flag to the rest-server ExecStart command.
I now create the restic-data user and group.
- Ensure a default home directory is not created under /home by passing the
-Mflag. - Set a custom home directory for the user at /opt/restic-backups with the
-dflag. - Ensure the shell is assigned to
/sbin/nologin. - The restic-data user is not meant to be used for logging in, so we pass the
--systemflag.
1 sudo useradd -c "Restic Data" -M -d /opt/restic-backups -s /sbin/nologin --system restic-data - Ensure the backups path exists and has appropriate permissions.
- Copy the systemd unit file to a location where systemd will look for it.
- Enable and start the rest-server systemd service.
1 sudo mkdir /opt/restic-backups
2 sudo chown -R restic-data:restic-data /opt/restic-backups
3 sudo cp -v rest-server.service /etc/systemd/system/
4 sudo systemctl daemon-reload
5 sudo systemctl enable --now rest-server.service Since I’m using a firewall, I ensure the port the rest-server listens on is allowed locally:
1 sudo firewall-cmd --zone`FedoraServer --permanent --add-port`8000/tcp
2 sudo firewall-cmd --reload Now on the host, which in this case is my laptop, I have the Restic client installed from my distribution’s package repository.
- Initialize a Restic storage repository on the server from the host, and supply it with a password. This password will be used every time I attempt to access the storage repository.
- Backup my dotfiles
1 restic -r rest:http://local-server:8000/dotfiles init
2 restic -r rest:http://local-server:8000/dotfiles backup ~/dotfiles
3
4One of the best features of Restic is that it makes restory backups really simple. It also provides snapshot functionality, so I can restore different versions of specific files from other snapshots.
5```shell
6restic -r rest:http://local-server:8000/dotfiles snapshots
7
8enter password for repository:
9repository 9a280eb7 opened successfully, password is correct
10ID Time Host Tags Paths
11------------------------------------------------------------------------------
1211738fec 2021-04-12 09:13:17 toolbox /var/home/jeff/dotfiles
13dfc99aa3 2021-04-12 10:31:39 toolbox /var/home/jeff/dotfiles
14f951eedf 2021-04-12 11:25:21 toolbox /var/home/jeff/dotfiles
1562371897 2021-04-12 18:43:53 toolbox /var/home/jeff/dotfiles
16------------------------------------------------------------------------------
174 snapshots Since Restic saves the backup’s absolute path, restoring it to / will ensure it is restored to its original location on the local filesystem. To restore a snapshot:
1restic -r rest:http://local-server:8000/dotfiles restore dfc99aa3 --target / To list files in a snapshot:
1restic -r rest:http://local-server:8000/dotfiles ls dfc99aa3 Yay, very nice!